diff --git a/Makefile b/Makefile index 2ebdfc2..fa04f5b 100644 --- a/Makefile +++ b/Makefile @@ -47,6 +47,11 @@ update_theme: hugo mod npm pack npm install +tidy: + rm -rf _vendor + hugo mod tidy + hugo mod vendor + ## See: ## - https://cspell.org/docs/getting-started/ ## - https://cspell.org/configuration/ diff --git a/_vendor/github.com/inspec/inspec-alicloud/docs-chef-io/config.toml b/_vendor/github.com/inspec/inspec-alicloud/docs-chef-io/config.toml new file mode 100644 index 0000000..f57cfe4 --- /dev/null +++ b/_vendor/github.com/inspec/inspec-alicloud/docs-chef-io/config.toml @@ -0,0 +1,2 @@ +[params.inspec-alicloud] +gh_path = "https://github.com/inspec/inspec-alicloud/tree/main/docs-chef-io/content/" diff --git a/_vendor/github.com/inspec/inspec-alicloud/docs-chef-io/content/_index.md b/_vendor/github.com/inspec/inspec-alicloud/docs-chef-io/content/_index.md new file mode 100644 index 0000000..10887c6 --- /dev/null +++ b/_vendor/github.com/inspec/inspec-alicloud/docs-chef-io/content/_index.md 
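Review bot: The new `tidy` target runs `rm -rf _vendor` before `hugo mod tidy` and `hugo mod vendor`, so if either `hugo mod` step fails (no network, an unresolvable module) the checkout is left with no `_vendor` directory at all rather than the previous, working one. If the removal has to come first so that `hugo mod tidy` resolves modules from `go.mod` rather than the vendored copy, that intent is not obvious from the recipe and deserves a line such as `# drop the vendored copy first so hugo resolves modules from go.mod, then re-vendor`; otherwise moving `rm -rf _vendor` to just before `hugo mod vendor` narrows the window in which the tree is unusable. No `.PHONY` declaration for `tidy` is visible in this hunk; if the Makefile keeps one elsewhere, `tidy` should be added to it so a stray file of that name does not silently satisfy the target. Whether the recipe lines are tab-indented cannot be confirmed from the collapsed hunk.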
@@ -0,0 +1,83 @@ ++++ +title = "About the Chef InSpec Alibaba Cloud resource pack" + +draft = false + +linkTitle = "Alibaba Cloud resource pack" +summary = "Chef InSpec resources for auditing Alibaba Cloud." + +[cascade] + [cascade.params] + platform = "alicloud" + +[menu.alicloud] + title = "About Alibaba Cloud resources" + identifier = "inspec/resources/alicloud/about" + parent = "inspec/resources/alicloud" + weight = 10 ++++ + +Chef InSpec has resources for auditing Alibaba. + +You will need to install Alibaba Cloud SDK version 0.8.0 and require Alibaba Cloud credentials to use the Chef InSpec Alibaba Cloud resources. + +## Prerequisites + +Before you begin you will need to: + +- [Install the Alibaba Cloud CLI](https://www.alibabacloud.com/help/en/cli/installation-guide/) +- [Configure the Alibaba Cloud credentials](https://www.alibabacloud.com/help/en/cli/configure-credentials) + +## Use the Alibaba Cloud resources + +To use these resources in your controls, follow these steps: + +1. Define your Alibaba Cloud credentials in an [`envrc` file](https://github.com/inspec/inspec-alicloud/blob/main/.envrc_example) or export them in your shell. + + ```bash + # Example Alibaba Cloud Configuration + export ALICLOUD_ACCESS_KEY="" + export ALICLOUD_SECRET_KEY="" + export ALICLOUD_REGION="eu-west-1" + ``` + +1. Create a profile: + + ```bash + inspec init profile --platform Alibaba Cloud + ``` + + In the generated profile, `inspec.yml` defines the `inspec/inspec-alicloud` repository tar file as a dependency: + + ```yaml + name: + title: Ali Cloud InSpec Profile + maintainer: The Authors + copyright: The Authors + copyright_email: you@example.com + license: Apache-2.0 + summary: An InSpec Compliance Profile For Ali CLoud + version: 0.1.0 + inspec_version: '~> 5' + depends: + - name: inspec-alicloud + url: https://github.com/inspec/inspec-alicloud/archive/main.tar.gz + supports: + - platform: alicloud + ``` + +1. 
In the controls directory, add controls using the InSpec Alibaba Cloud resources listed below to audit your Alibaba Cloud resources. + +1. Run the profile: + + ```bash + inspec exec -t alicloud:// + ``` + +## Alibaba Cloud resources + +{{< inspec_resources_filter >}} + +The following Chef InSpec Alibaba Cloud resources are available in this resource pack. + +{{< inspec_resources section="alicloud" platform="alicloud" >}} diff --git a/_vendor/github.com/inspec/inspec-alicloud/docs-chef-io/content/alicloud_apsaradb_rds_instance.md b/_vendor/github.com/inspec/inspec-alicloud/docs-chef-io/content/alicloud_apsaradb_rds_instance.md new file mode 100644 index 0000000..57c1bd7 --- /dev/null +++ b/_vendor/github.com/inspec/inspec-alicloud/docs-chef-io/content/alicloud_apsaradb_rds_instance.md 
@@ -0,0 +1,170 @@ ++++ +title = "alicloud_apsaradb_rds_instance resource" + +draft = false + + +[menu.alicloud] +title = "alicloud_apsaradb_rds_instance" +identifier = "inspec/resources/alicloud/alicloud_apsaradb_rds_instance resource" +parent = "inspec/resources/alicloud" ++++ + +Use the `alicloud_apsaradb_rds_instance` InSpec audit resource to test detailed properties of an individual ApsaraDB RDS instance. + +ApsaraDB RDS supports the MySQL, SQL Server, PostgreSQL, PPAS (highly compatible with Oracle) and MariaDB database engines. + +## Syntax + +An `alicloud_apsaradb_rds_instance` resource block uses resource parameters to search for an ApsaraDB RDS instance, and then tests that +RDS instance. If no RDS instances match, no error is raised, but the `exists` matcher will return `false` and all properties will be `nil`. + +```ruby +describe alicloud_apsaradb_rds_instance('test-instance-id') do + it { should exist } +end +``` + +You can also use hash syntax: + +```ruby +describe alicloud_apsaradb_rds_instance(db_instance_id: 'test-instance-id') do + it { should exist } +end +``` + +## Parameters + +`db_instance_id` _(required)_ + +: This resource accepts a single parameter, the user-supplied instance identifier. + This can be passed either as a string if it is the only parameter, or using hash syntax, `db_instance_id: 'value'`. + +`region` _(optional)_ + +: The Alibaba Cloud Region ID - see the [Alibaba Cloud documentation on Regions and Zones](https://www.alibabacloud.com/help/doc-detail/40654.htm). + If provided, it must be passed as `region: 'value'`. + If not provided, the `ALICLOUD_REGION` environment variable will be used. + +See also the [Alibaba Cloud documentation on ApsaraDB RDS](https://www.alibabacloud.com/help/doc-detail/26092.htm). + +## Properties + +`instance_id` +: The ID of the database instance, for example 'rm-uf6wjk5xxxxxxxxxx'. + +`description` +: The display name of the instance, e.g 'test-database'. 
+ +`instance_type` +: The role of the instance: 'Primary'/'Readonly'/'Guard'/'Temp'. + +`category` +: RDS edition of the instance: 'Basic'/'HighAvailability'/'AlwaysOn'/'Finance'. + +`engine` +: The database engine the instance runs, for example 'MySQL'. + +`engine_version` +: The version of the database engine that the instance runs, for example '5.5'. + +`allocated_storage` +: The storage capacity of the instance in GB, for example 10. + +`storage_type` +: One of 'local_ssd'/'ephemeral_ssd'/'cloud_ssd'/'cloud_essd'. + +`memory` +: The memory capacity of the instance in MB, for example 4096. + +`cpus` +: The number of CPUs configured for the instance, for example 2. + +`instance_class` +: The type of the instance, for example 'mysql.n2.medium.1'. + +`pay_type` +: The billing method of the instance: 'Postpaid'/'Prepaid'. + +`status` +: The status of the instance, for example 'Running'/'Rebooting' etc. + +`network_type` +: One of 'Classic or 'VPC'. + +`net_type` +: Either 'Internet' (connected over the Internet) or 'Intranet' (connected over an internal network). + +`vpc_id` +: The ID of the VPC to which the instance belongs. + +`in_default_vpc` +: True if the instance is in the default VPC, else false. + +`zone_id` +: The ID of the zone to which the instance belongs, for example 'cn-hangzhou-a'. + +`security_ips` +: The list of IP addresses allowed to access all databases of an instance, for example '10.23.12.24/16, 192.168.0.0/24'. + +`security_ip_mode` +: The network isolation mode of the instance: 'normal'/'safety'. 
+ +## Examples + +Test the engine used with an ApsaraDB RDS instance: + +```ruby +describe alicloud_apsaradb_rds_instance(db_instance_id: 'alicloudrds123') do + its ('engine') { should eq 'mysql' } + its ('engine_version') { should eq '5.6.37' } +end +``` + +Test the storage allocated to an RDS instance: + +```ruby +describe alicloud_apsaradb_rds_instance(db_instance_id: 'alicloudrds123') do + its ('storage_type') { should eq 'gp2' } + its ('allocated_storage') { should eq 10 } +end +``` + +Test the network accessibility of the RDS instance: + +```ruby +describe alicloud_asparadb_rds_instance(db_instance_id: 'alicloudrds123') do + its ('in_default_vpc') { should be false } + its ('net_type') { should eq 'Intranet' } + its ('security_ips') { should_not eq '' } + its ('security_ips') { should_not include '0.0.0.0/0' } +end +``` + +## Matchers + +{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}} + +### exist + +The control will pass if the describe returns at least one result. + +Use `should_not` to test the entity should not exist. + +```ruby +describe alicloud_apsaradb_rds_instance(db_instance_id: 'AnExistingRDS') do + it { should exist } +end +``` + +```ruby +describe alicloud_apsaradb_rds_instance(db_instance_id: 'ANonExistentRDS') do + it { should_not exist } +end +``` + +### Alibaba Cloud Permissions + +Your Principal will need the `rds:DescribeDBInstanceAttribute` and `vpc:DescribeVpcs` actions with Effect set to Allow. + +You can find documentation at [Use RAM to manage ApsaraDB for RDS permissions](https://www.alibabacloud.com/help/doc-detail/58932.htm#section-rhd-4ll-5gb). diff --git a/_vendor/github.com/inspec/inspec-alicloud/docs-chef-io/content/alicloud_apsaradb_rds_instances.md b/_vendor/github.com/inspec/inspec-alicloud/docs-chef-io/content/alicloud_apsaradb_rds_instances.md new file mode 100644 index 0000000..138db75 --- /dev/null +++ b/_vendor/github.com/inspec/inspec-alicloud/docs-chef-io/content/alicloud_apsaradb_rds_instances.md 
@@ -0,0 +1,153 @@ ++++ +title = "alicloud_apsaradb_rds_instances resource" + +draft = false + + +[menu.alicloud] +title = "alicloud_apsaradb_rds_instances" +identifier = "inspec/resources/alicloud/alicloud_apsaradb_rds_instances resource" +parent = "inspec/resources/alicloud" ++++ + +Use the `alicloud_apsaradb_rds_instances` InSpec audit resource to test properties of a collection of ApsaraDB RDS instances. + +ApsaraDB RDS supports the MySQL, SQL Server, PostgreSQL, PPAS (highly compatible with Oracle) and MariaDB database engines. + +## Syntax + +Ensure you have exactly 3 instances. + +```ruby +describe alicloud_apsaradb_rds_instances do + its('db_instance_ids.count') { should cmp 3 } +end +``` + +## Parameters + +This resource does not require any parameters. + +## Properties + +`db_instance_ids` +: The unique IDs of the ApsaraDB RDS instances returned. + +`descriptions` +: The display names of the returned instances. + +`resource_groups` +: The IDs of the resource groups to which read-only instances belong. + +`net_types` +: The network types of the returned instances: one of 'Internet' or 'Intranet'. + +`instance_types` +: The roles of the returned instances: 'Primary'/'Readonly'/'Guard'/'Temp'. + +`multiple_zone_deployments` +: Boolean values indicating whether the instances are deployed in multiple zones (MutriORsignle API call). + +`network_types` +: The network types of the returned instances: one of 'Classic' or 'VPC'. + +`read_only_instance_ids` +: Lists of read-only instances attached to instances returned that are primary instances. + +`engines` +: The database engines the instances run, for example 'MySQL'. + +`engine_versions` +: The versions of the database engine that the instances run. + +`statuses` +: The status of the instances, for example 'Running'/'Rebooting' etc. + +`zone_ids` +: The IDs of the zones to which the instances belong. + +`instance_classes` +: The instance classes of the returned instances, for example 'mysql.n2.medium.1'. 
+ +`create_times` +: The times when the returned instances were created. + +`vswitch_ids` +: The IDs of the vSwitches associated with the VPCs to which the returned instances belong. + +`pay_types` +: The billing methods of the returned instances: 'Postpaid'/'Prepaid'. + +`lock_modes` +: The lock status of the returned instances: 'Unlock'/'ManualLock'/'LockByExpiration'/'LockByRestoration'/'LockByDiskQuota'/'Released'. + +`storage_types` +: The types of disk storage of the returned instances: 'local_ssd'/'ephemeral_ssd'/'cloud_ssd'/'cloud_essd'. + +`vpc_ids` +: The IDs of the VPCs to which the instances belong. + +`connection_modes` +: The connection modes of the returned instances: 'Standard'/'Safe'. + +`vpc_cloud_instance_ids` +: The IDs of the read-only instances returned, that reside in VPCs. + +`region_ids` +: The region IDs of the returned instances. + +`expire_times` +: The expiration times of the returned instances. + +`entries` +: Provides access to the raw results of the query, which can be treated as an array of hashes. + +## Examples + +Ensure a specific instance exists: + +```ruby +describe alicloud_apsaradb_rds_instances do + its('db_instance_ids') { should include 'rm-a1b2c3d4e5f6' } +end +``` + +Use the InSpec resource to request the IDs of all ApsaraDB RDS instances, then test in-depth using `alicloud_apsaradb_rds_instance` to ensure all instances have the expected network security settings: + +```ruby +alicloud_apsaradb_rds_instances.db_instance_ids.each do |db_instance_id| + describe alicloud_apsaradb_rds_instance(db_instance_id) do + its('in_default_vpc') { should be false } + its('security_ips') { should_not cmp '' } + its('security_ips') { should_not include '0.0.0.0/0' } + end +end +``` + +## Matchers + +{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}} + +### exist + +The control will pass if the describe returns at least one result. 
+ +```ruby +describe alicloud_apsaradb_rds_instances do + it { should exist } +end +``` + +Use `should_not` to test the entity should not exist. + +```ruby +describe alicloud_apsaradb_rds_instances do + it { should_not exist } +end +``` + +### Alibaba Cloud Permissions + +{{% inspec-alicloud/alicloud_principal_action action="rds:DescribeDBInstances" %}} + +You can find documentation at [Use RAM to manage ApsaraDB for RDS permissions](https://www.alibabacloud.com/help/doc-detail/58932.htm#section-rhd-4ll-5gb). diff --git a/_vendor/github.com/inspec/inspec-alicloud/docs-chef-io/content/alicloud_disk.md b/_vendor/github.com/inspec/inspec-alicloud/docs-chef-io/content/alicloud_disk.md new file mode 100644 index 0000000..bf8fa0b --- /dev/null +++ b/_vendor/github.com/inspec/inspec-alicloud/docs-chef-io/content/alicloud_disk.md 
@@ -0,0 +1,144 @@ ++++ +title = "alicloud_disk resource" + +draft = false + + +[menu.alicloud] +title = "alicloud_disk" +identifier = "inspec/resources/alicloud/alicloud_disk resource" +parent = "inspec/resources/alicloud" ++++ + +Use the `alicloud_disk` InSpec audit resource to test properties of a single Alibaba Cloud Elastic Block Storage (EBS) cloud disk. + +## Syntax + +Ensure a cloud disk exists + +```ruby +describe alicloud_disk('d-d7ohfbhzs8cli0iacz7j') do + it { should exist } +end +``` + +You may also use hash syntax to pass the disk name + +```ruby +describe alicloud_disk(disk_name: 'd-vol') do + it { should exist } +end +``` + +## Parameters + +This resource accepts a single parameter, either the cloud disk ID or name. Only one of these must be provided. + +`disk_id` _(required if `disk_name` not provided)_ + +: The disk ID which uniquely identifies the disk. + This can be passed as either a string, a `disk_id: 'value'` key-value entry in a hash, or an `id: 'value'` key-value entry in a hash. + (`id` is an alias for `disk_id`). + +`disk_name` _(required if `disk_id` not provided)_ + +: The disk name which uniquely identifies the disk. + This must be passed as a `disk_name: 'value'` key-value entry in a hash, or a `name: 'value'` key-value entry in a hash. + (`name` is an alias for `disk_name`). + +See also the [Alibaba Cloud documentation on cloud disks](https://www.alibabacloud.com/help/doc-detail/25383.htm). + +## Properties + +`id` +: The ID of the cloud disk. + +`name` +: The name of the cloud disk. + +`description` +: The description of the cloud disk. + +`size` +: The size of the cloud disk, in GiBs. + +`category` +: The category of the cloud disk. Valid values: cloud, cloud_efficiency, cloud_ssd, cloud_essd, local_ssd_pro, local_hdd_pro, ephemeral, ephemeral_ssd. + +`encrypted` +: Boolean that indicates whether the cloud disk was encrypted. + +`kms_key_id` +: The ID of the KMS key used by the cloud disk. 
+ +`enable_auto_snapshot` +: Boolean that indicates whether the automatic snapshot policy feature was enabled for the cloud disk. + +`delete_auto_snapshot` +: Boolean that indicates whether automatic snapshots of the cloud disk are deleted when the disk is released. + +`delete_with_instance` +: Boolean that indicates whether the cloud disk is released when its associated instance is released. + +## Examples + +Test that a cloud disk does not exist: + +```ruby +describe alicloud_disk(disk_name: 'data_vol') do + it { should_not exist } +end +``` + +Test that a cloud disk is encrypted: + +```ruby +describe alicloud_disk(disk_name: 'secure_data_vol') do + it { should be_encrypted } +end +``` + +Test that a cloud disk has the correct size: + +```ruby +describe alicloud_disk(name: 'data_vol') do + its('size') { should cmp 32 } +end +``` + +## Matchers + +{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}} + +### exist + +The control will pass if the describe returns at least one result. + +Use `should_not` to test the entity should not exist. + +```ruby +describe alicloud_disk(name: 'data_vol') do + it { should exist } +end +``` + +```ruby +describe alicloud_disk(name: 'data_vol') do + it { should_not exist } +end +``` + +#### be_encrypted + +The `be_encrypted` matcher tests if the described cloud disk is encrypted. + +```ruby +it { should be_encrypted } +``` + +### Alibaba Cloud Permissions + +{{% inspec-alicloud/alicloud_principal_action action="ecs:DescribeDisks" %}} + +{{< readfile file="content/reusable/md/alibaba_access_management_doc.md" >}} +{{< readfile file="content/reusable/md/alibaba_authentication_ecs_api_doc.md" >}} diff --git a/_vendor/github.com/inspec/inspec-alicloud/docs-chef-io/content/alicloud_disks.md b/_vendor/github.com/inspec/inspec-alicloud/docs-chef-io/content/alicloud_disks.md new file mode 100644 index 0000000..2a906ec --- /dev/null +++ b/_vendor/github.com/inspec/inspec-alicloud/docs-chef-io/content/alicloud_disks.md 
@@ -0,0 +1,124 @@ ++++ +title = "alicloud_disks resource" + +draft = false + + +[menu.alicloud] +title = "alicloud_disks" +identifier = "inspec/resources/alicloud/alicloud_disks resource" +parent = "inspec/resources/alicloud" ++++ + +Use the `alicloud_disks` InSpec audit resource to test properties of a collection of Alibaba Cloud EBS cloud disks. + +Cloud disks are persistent block storage volumes for use with Alibaba Cloud ECS instances in the Alibaba Cloud. + +## Syntax + + Ensure you have exactly 3 cloud disks + +```ruby +describe alicloud_disks do + its('ids.count') { should cmp 3 } +end +``` + +## Parameters + +This resource does not require any parameters. + +## Properties + +`ids` +: The IDs of the cloud disks. + +`names` +: The names of each cloud disk. + +`descriptions` +: The description of each cloud disk. + +`sizes` +: The size of each cloud disk, in GiBs. + +`categories` +: The category of each cloud disk. Valid values: cloud, cloud_efficiency, cloud_ssd, cloud_essd, local_ssd_pro, local_hdd_pro, ephemeral, ephemeral_ssd. + +`encrypted_disks` +: Boolean that indicates whether each cloud disk was encrypted. + +`kms_key_ids` +: The ID of the KMS key used by each cloud disk. + +`enable_auto_snapshot` +: Boolean that indicates whether the automatic snapshot policy feature was enabled for each cloud disk. + +`delete_auto_snapshot` +: Boolean that indicates whether automatic snapshots of the cloud disk are deleted when each disk is released. + +`delete_with_instance` +: Boolean that indicates whether each cloud disk is released when its associated instance is released. + +`entries` +: Provides access to the raw results of the query, which can be treated as an array of hashes. 
+ +## Examples + +Ensure a specific cloud disk exists: + +```ruby +describe alicloud_disks do + its('ids') { should include 'd-a1b2c3d4e5f6g7h8' } +end +``` + +Use the InSpec resource to request the IDs of all cloud disks, then test in-depth using `alicloud_disk` to ensure all volumes are encrypted, have a sensible size, and have snapshots enabled: + +```ruby +alicloud_disks.ids.each do |disk_id| + describe alicloud_disk(disk_id: disk_id) do + it { should be_encrypted } + its('size') { should be > 10 } + its('enable_auto_snapshot') { should be true } + end +end +``` + +Another way to check that enable auto snapshot is turned on for all disks: + +```ruby +describe alicloud_disks.where(enable_auto_snapshot: false) do + it { should_not exist } + its('ids') { should cmp [] } +end +``` + +## Matchers + +{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}} + +### exist + +The control will pass if the describe returns at least one result. + +Use `should_not` to test the entity should not exist. + +```ruby +describe alicloud_ebs_volumes do + it { should exist } +end +``` + +```ruby +describe alicloud_ebs_volumes do + it { should_not exist } +end +``` + +### Alibaba Cloud Permissions + +{{% inspec-alicloud/alicloud_principal_action action="ecs:DescribeDisks" %}} + +{{< readfile file="content/reusable/md/alibaba_access_management_doc.md" >}} +{{< readfile file="content/reusable/md/alibaba_authentication_ecs_api_doc.md" >}} diff --git a/_vendor/github.com/inspec/inspec-alicloud/docs-chef-io/content/alicloud_ecs_instance.md b/_vendor/github.com/inspec/inspec-alicloud/docs-chef-io/content/alicloud_ecs_instance.md new file mode 100644 index 0000000..f6f35e2 --- /dev/null +++ b/_vendor/github.com/inspec/inspec-alicloud/docs-chef-io/content/alicloud_ecs_instance.md 
@@ -0,0 +1,183 @@ ++++ +title = "alicloud_ecs_instance resource" + +draft = false + + +[menu.alicloud] +title = "alicloud_ecs_instance" +identifier = "inspec/resources/alicloud/alicloud_ecs_instance resource" +parent = "inspec/resources/alicloud" ++++ + +Use the `alicloud_ecs_instance` InSpec audit resource to test properties of a single Alibaba Cloud ECS instance. + +## Syntax + +An `alicloud_ecs_instance` resource block declares the tests for a single Alibaba Cloud ECS instance by instance id. + +```ruby +describe alicloud_ecs_instance('i-01a2349e94458a507') do + it { should exist } +end +``` + +## Parameters + +`instance_id` _(required)_ + +: The ID of the ECS instance. This can be passed either as a string or as an `instance_id: 'value'` key-value entry in a hash. + +```ruby +describe alicloud_ecs_instance(instance_id: 'i-01a2349e94458a507') do + it { should exist } +end +``` + +See also the [documentation on Alibaba Cloud ECS instances](https://www.alibabacloud.com/help/doc-detail/25374.htm?spm=a2c63.l28256.b99.60.36277453JrAX8s). + +## Properties + +`instance_id` +: The unique instance ID of the ECS instance. + +`instance_name` +: The name of the instance. + +`host_name` +: The host name of the instance. + +`description` +: The description of the instance. + +`memory` +: The memory size of the instance, in MiB. + +`cpu` +: The number of vCPUs. + +`instance_network_type` +: The network type of the instance: 'Classic' or 'VPC'. + +`public_ip_address` +: The public IP address of the instance. + +`eip_address` +: The Elastic IP address associated with the instance. + +`inner_ip_address` +: The internal IP address of the classic network-type instance. + +`expired_time` +: The expiration time of the instance, for example '2020-12-10T04:04Z'. + +`image_id` +: The ID of the image that the instance is running. + +`instance_type` +: The instance type of the instance, for example 'ecs.g5.large'. + +`vlan_id` +: The virtual local area network (VLAN) of the instance. 
+ +`vpc_attributes` +: The VPC attributes of the instance. + +`status` +: The current state of the ECS Instance, for example 'running'. + +`io_optimized` +: Boolean that specifies whether the instance is I/O optimized. + +`zone_id` +: The zone ID of the instance. + +`cluster_id` +: The ID of the cluster to which the instance belongs. + +`stopped_mode` +: Indicates whether the instance continues to be billed after it is stopped: 'KeepCharging'/'StopCharging'/'Not-applicable'. + +`dedicated_host_attribute` +: Details about dedicated hosts: an array consiting of the DedicatedHostClusterId, DedicatedHostId, and DedicatedHostName parameters. + +`security_group_ids` +: The security group ids associated with the instance. + +`operation_locks` +: The reasons why the instance was locked. + +`instance_charge_type` +: The billing method of the instance: 'Prepaid' or 'Postpaid'. + +`internet_charge_type` +: The billing method of the EIP: 'PayByBandwidth' or 'PayByTraffic'. + +`internet_max_bandwidth_\out` +: The maximum outbound public bandwidth, in Mbit/s. + +`internet_max_bandwidth_in` +: The maximum outbound inbound bandwidth, in Mbit/s. + +`serial_number` +: The serial number of the instance. + +`creation_time` +: The time when the instance was created, for example '2020-12-10T04:04Z'. + +`region_id` +: The region ID of the instance. + +`credit_specification` +: The performance mode of the burstable instance: 'Standard' or 'Unlimited'. + +`deletion_protection` +: Boolean value which indicates whether you can delete the instance. + +`ram_roles` +: The RAM roles attached to the instance. 
+ +## Examples + +Test that an ECS instance is running, it is using the correct image ID, and its deletion protection is turned on: + +```ruby +describe alicloud_ecs_instance('i-090c29e4f4c165b74') do + it { should be_running } + its('image_id') { should eq 'ubuntu_18_04_64_20G_alibase_20190624.vhd' } + its('deletion_protection') { should be true } +end +``` + +Test that an ECS instance has exactly one RAM role attached: + +```ruby +describe alicloud_ecs_instance('i-090c29e4f4c165b74') do + its('ram_roles.count') { should eq 1 } +end +``` + +## Matchers + +{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}} + +### exist + +The control will pass if the describe returns at least one result. + +Use `should_not` to test the entity should not exist. + +```ruby +it { should exist } +``` + +```ruby +it { should_not exist } +``` + +### Alibaba Cloud Permissions + +Your Principal will need the `ecs:DescribeInstances`, `ecs:DescribeInstanceAttribute` and `ecs:DescribeInstanceRamRole` actions with Effect set to Allow. + +{{< readfile file="content/reusable/md/alibaba_access_management_doc.md" >}} +{{< readfile file="content/reusable/md/alibaba_authentication_ecs_api_doc.md" >}} diff --git a/_vendor/github.com/inspec/inspec-alicloud/docs-chef-io/content/alicloud_ecs_instances.md b/_vendor/github.com/inspec/inspec-alicloud/docs-chef-io/content/alicloud_ecs_instances.md new file mode 100644 index 0000000..50244f0 --- /dev/null +++ b/_vendor/github.com/inspec/inspec-alicloud/docs-chef-io/content/alicloud_ecs_instances.md 
@@ -0,0 +1,219 @@ ++++ +title = "alicloud_ecs_instances resource" + +draft = false + + +[menu.alicloud] +title = "alicloud_ecs_instances" +identifier = "inspec/resources/alicloud/alicloud_ecs_instances resource" +parent = "inspec/resources/alicloud" ++++ + +Use the `alicloud_ecs_instances` InSpec audit resource to test properties of a collection of Alibaba Cloud ECS instances. + +## Syntax + +An `alicloud_ecs_instances` resource block declares the tests a collection of Alibaba Cloud ECS instances. + +```ruby +describe alicloud_ecs_instances + it { should exist } +end +``` + +## Parameters + +This resource does not require any parameters. + +## Properties + +`instance_ids` +: The unique instance IDs of the returned ECS instances. + +`instance_names` +: The names of the instances. + +`host_names` +: The host names of the instances. + +`descriptions` +: The descriptions of the instances. + +`memory` +: The memory sizes of the instances, in MiB. + +`cpus` +: The numbers of vCPUs the instances have. + +`cpu_options` +: The CPU options of the instances. + +`gpu_specs` +: The categories of GPU for the instance types. + +`image_ids` +: The IDs of the images that the instances are running. + +`instance_types` +: The instance types of the instances, for example 'ecs.g5.large'. + +`instance_type_families` +: The instance families of the instances. + +`io_optimized` +: Booleans that specify whether the instances are I/O optimized. + +`os_names` +: The names of the operating systems for the instances. + +`os_types` +: The types of operating systems for the instances: 'windows' or 'linux'. + +`instance_network_types` +: The network types of the instances: 'Classic' or 'VPC'. + +`public_ip_addresses` +: The public IP addresses of the instances. + +`inner_ip_addresses` +: The internal IP addresses of the instances. + +`eip_addresses` +: The Elastic IP addresses associated with the instances. + +`network_interfaces` +: The ENIs bound to the instances. 
+ +`vlan_ids` +: The virtual local area network (VLAN) of the instance. + +`vpc_attributes` +: The VPC attributes of the instance. + +`internet_max_bandwidth_out` +: The maximum outbound public bandwidth, in Mbit/s. + +`internet_max_bandwidth_in` +: The maximum outbound inbound bandwidth, in Mbit/s. + +`instance_charge_types` +: The billing method of the instance: 'Prepaid' or 'Postpaid'. + +`internet_charge_types` +: The billing method of the EIP: 'PayByBandwidth' or 'PayByTraffic'. + +`spot_price_limits` +: Maximum hourly prices for the instances, accurate to 3 decimal places. + +`spot_strategies` +: The bidding policies for the preemptible instances: 'NoSpot'/'SpotWithPriceLimit'/'SpotAsPriceGo'. + +`sale_cycles` +: The billing cycles of the instances, for example 'month'. + +`creation_times` +: The time when the instance was created, for example '2020-12-10T04:04Z'. + +`start_times` +: The times when the instances were started. + +`expired_times` +: The expiration times of the instances. + +`auto_release_times` +: The automatic release times of pay-as-you-go instances. + +`statuses` +: The current state of the instances, for example 'running'. + +`stopped_modes` +: Indicates whether the instances continue to be billed after they are stopped: 'KeepCharging'/'StopCharging'/'Not-applicable'. + +`metadata_options` +: The metadata options of the instances. + +`zone_ids` +: The zone ID of the instances. + +`cluster_ids` +: The ID of the cluster to which the instance belongs. + +`security_group_ids` +: The security group ids associated with the instance. + +`deployment_set_ids` +: The IDs of the deployment sets of the instances. + +`serial_numbers` +: The serial number of the instances. + +`dedicated_instance_attributes` +: The attributes of the instances on dedicated hosts. + +`devices_available` +: Boolean value indicating whether data disks can be attached to the instances. + +`deletion_protection` +: Boolean value which indicates whether instances can be deleted. 
+ +`ram_roles` +: The RAM roles attached to the instances. + +`entries` +: Provides access to the raw results of the query, which can be treated as an array of hashes. + +## Examples + +Ensure that you have less than 100 ECS instances: + +```ruby +describe alicloud_ecs_instances do + its('instance_ids.count') { should be < 100 } +end +``` + +Ensure that no instances have deletion protection turned off: + +```ruby +describe alicloud_ecs_instances.where(deletion_protection: false) do + it { should not exist } +end +``` + +Ensure that instances have exactly one RAM role attached: + +```ruby +describe(alicloud_ecs_instances.where { ram_role.count != 1 }) do + it { should not exist } +end +``` + +## Matchers + +{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}} + +### exist + +The control will pass if the describe returns at least one result. + +Use `should_not` to test the entity should not exist. + +```ruby +describe alicloud_ecs_instances do + it { should exist } +end +``` + +```ruby +describe alicloud_ecs_instances do + it { should_not exist } +end +``` + +### Alibaba Cloud Permissions + +Your Principal will need the `ecs:DescribeInstances` and `ecs:DescribeInstanceRamRole` actions with Effect set to Allow. + +{{< readfile file="content/reusable/md/alibaba_access_management_doc.md" >}} +{{< readfile file="content/reusable/md/alibaba_authentication_ecs_api_doc.md" >}} diff --git a/_vendor/github.com/inspec/inspec-alicloud/docs-chef-io/content/alicloud_ims_user.md b/_vendor/github.com/inspec/inspec-alicloud/docs-chef-io/content/alicloud_ims_user.md new file mode 100644 index 0000000..51bf8d0 --- /dev/null +++ b/_vendor/github.com/inspec/inspec-alicloud/docs-chef-io/content/alicloud_ims_user.md 
@@ -0,0 +1,112 @@ ++++ +title = "alicloud_ims_user resource" + +draft = false + + +[menu.alicloud] +title = "alicloud_disk" +identifier = "inspec/resources/alicloud/alicloud_ims_user resource" +parent = "inspec/resources/alicloud" ++++ + +Use the `alicloud_ims_user` InSpec audit resource to test properties of a single Alibaba Cloud IAM User information. + +## Syntax + +Ensure an user exists** + +```ruby +describe alicloud_ims_user("USER_PRINCIPAL_NAME") do + it { should exist } +end +``` + +You may also use hash syntax to pass the user principal name** + +```ruby +describe alicloud_ims_user(user_principal_name: "USER_PRINCIPAL_NAME") do + it { should exist } +end +``` + +## Parameters + +This resource accepts a single parameter, `user_principal_name`. + +`user_principal_name` _(required) + +: The user name of the IMS user. + +See also the [Alibaba Cloud documentation on cloud disks](https://www.alibabacloud.com/help/doc-detail/25383.htm). + +## Properties + +`status` +: The status of the IAM user. + +`update_date` +: The update date of the IAM user. + +`password_reset_required` +: The password reset required of the IAM user. It accepts boolean value. + +`user_principal_name` +: The user name of the IAM user. + +`mfa_bind_required` +: The mfa bind required of the IAM user. It accepts boolean value. + +## Examples + +Test that an user does not exist: + +```ruby +describe alicloud_ims_user("USER_PRINCIPAL_NAME") do + it { should_not exist } +end +``` + +Test that an user is MFA bind: + +```ruby +describe alicloud_ims_user("USER_PRINCIPAL_NAME") do + its('mfa_bind_required') { should eq true } +end +``` + +Test that an user has an `ACTIVE` status: + +```ruby +describe alicloud_ims_user("USER_PRINCIPAL_NAME") do + its('status') { should eq 'Active' } +end +``` + +## Matchers + +{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}} + +### exist + +The control will pass if the describe returns at least one result. 
+ +Use `should` to test the entity should not exist. + +```ruby +describe alicloud_ims_user("USER_PRINCIPAL_NAME") do + it { should exist } +end +``` + +Use `should_not` to test the entity should not exist. + +```ruby +describe alicloud_ims_user("USER_PRINCIPAL_NAME") do + it { should_not exist } +end +``` + +### Alibaba Cloud Permissions + +{{% inspec-alicloud/alicloud_principal_action action="ims:GetLoginProfile" %}} diff --git a/_vendor/github.com/inspec/inspec-alicloud/docs-chef-io/content/alicloud_ram_policies.md b/_vendor/github.com/inspec/inspec-alicloud/docs-chef-io/content/alicloud_ram_policies.md new file mode 100644 index 0000000..f2a5dc0 --- /dev/null +++ b/_vendor/github.com/inspec/inspec-alicloud/docs-chef-io/content/alicloud_ram_policies.md 
@@ -0,0 +1,113 @@ ++++ +title = "alicloud_ram_policies resource" + +draft = false + + +[menu.alicloud] +title = "alicloud_ram_policies" +identifier = "inspec/resources/alicloud/alicloud_ram_policies resource" +parent = "inspec/resources/alicloud" ++++ + +Use the `alicloud_ram_policies` InSpec audit resource to test properties of a collection of Alibaba Cloud RAM Policies. + +## Syntax + +An `alicloud_ram_policies` resource returns a collection of RAM Policies and allows testing of that collection. + +```ruby +describe alicloud_ram_policies do + its('policy_names') { should include('test-policy-1') } +end +``` + +## Parameters + +`type` _(optional)_ + +: This resource allows filtering by PolicyType. + To list only Alibaba Cloud managed policies, set `type` to `System`. To list only the customer managed policies in your Alibaba Cloud account, set `type` to `Custom`. If type is not supplied, both types of policies are returned. + +`only_attached` _(optional)_ + +: This resource allows filtering by attached entities. + When `only_attached` is `true`, the returned list contains only the policies that are attached to a RAM user, group, or role. When `only_attached` is `false`, or when the parameter is not included, all policies of the specified type(s) (`System` and/or `Custom`) are returned, whether they are attached to any RAM users, groups, or roles, or not. + +`region` _(optional)_ + +: The Alibaba Cloud Region ID - see the [Alibaba Cloud documentation on Regions and Zones](https://www.alibabacloud.com/help/doc-detail/40654.htm). + If provided, it must be passed as `region: 'value'`. + If not provided, the `ALICLOUD_REGION` environment variable will be used. + +See also the [Alibaba Cloud documentation on RAM Policy](https://partners-intl.aliyun.com/help/doc-detail/93732.htm). + +## Properties + +`policy_names` +: The policy names. + +`default_versions` +: The 'default_version' value of each policy. 
+ +`attachment_counts` +: The count of attached entities for each policy. + +`attached_groups` +: The list of group names of the groups attached to each policy. + +`attached_roles` +: The list of role names of the roles attached to each policy. + +`attached_users` +: The list of usernames of the users attached to each policy. + +`entries` +: Provides access to the raw results of the query, which can be treated as an array of hashes. + +## Examples + +Ensure a policy exists: + +```ruby +describe alicloud_ram_policies do + its('policy_names') { should include('test-policy-1') } +end +``` + +Allow at most 100 RAM Policies on the account: + +```ruby +describe alicloud_ram_policies do + its('entries.count') { should be <= 100} +end +``` + +## Matchers + +For a full list of available matchers, please visit our [matchers page](https://www.inspec.io/docs/reference/matchers/). + +### exist + +The control will pass if the describe returns at least one result. + +Use `should_not` to test the entity should not exist. + +```ruby +describe alicloud_ram_policies.where( : ) do + it { should exist } +end +``` + +```ruby +describe alicloud_ram_policies.where( : ) do + it { should_not exist } +end +``` + +### Alibaba Cloud Permissions + +Your Principal will need the `ram:ListPolicies` and `ram:ListEntitiesForPolicy` actions with Effect set to Allow. + +{{< readfile file="content/reusable/md/alibaba_access_management_doc.md" >}} +{{< readfile file="content/reusable/md/alibaba_authentication_ram_api_doc.md" >}} diff --git a/_vendor/github.com/inspec/inspec-alicloud/docs-chef-io/content/alicloud_ram_policy.md b/_vendor/github.com/inspec/inspec-alicloud/docs-chef-io/content/alicloud_ram_policy.md new file mode 100644 index 0000000..430886a --- /dev/null +++ b/_vendor/github.com/inspec/inspec-alicloud/docs-chef-io/content/alicloud_ram_policy.md 
@@ -0,0 +1,301 @@ ++++ +title = "alicloud_ram_policy resource" + +draft = false + + +[menu.alicloud] +title = "alicloud_ram_policy" +identifier = "inspec/resources/alicloud/alicloud_ram_policy resource" +parent = "inspec/resources/alicloud" ++++ + +Use the `alicloud_ram_policy` InSpec audit resource to test properties of a single managed Alibaba Cloud RAM Policy. + +## Syntax + +An `alicloud_ram_policy` resource block identifies a policy by policy name. + + # Find a policy by name +```ruby +describe alicloud_ram_policy(policy_name: 'AliyunSupportFullAccess') do + it { should exist } +end +``` + +## Parameters + +This resource requires the `policy_name` to be provided. + +`policy_name` _(required)_ + +: The Policy Name which uniquely identifies the Policy. + It can be passed as a string if it is the only parameter, or using hash syntax, `policy_name: 'value'`. + +`type` _(optional)_ + +: The type of policy: 'System' or 'Custom'. + If provided, it must be passed as `type: 'value'` . + If not provided, both types of policies will be searched. + +`region` _(optional)_ + +: The Alibaba Cloud Region ID - see the [Alibaba Cloud documentation on Regions and Zones](https://www.alibabacloud.com/help/doc-detail/40654.htm). + If provided, it must be passed as `region: 'value'`. + If not provided, the `ALICLOUD_REGION` environment variable will be used. + +See also the [Alibaba Cloud documentation on RAM Policy](https://partners-intl.aliyun.com/help/doc-detail/93732.htm). + +## Properties + +`policy_name` +: The name of the specified policy. + +`attachment_count` +: The count of attached entities for the specified policy. + +`attached_groups` +: The list of group names of the groups attached to the policy. + +`attached_group_count` +: The count of attached groups for the specified policy. + +`attached_roles` +: The list of ARNs of the roles attached to the policy. + +`attached_role_count` +: The count of attached roles for the specified policy. 
+ +`attached_users` +: The list of usernames of the users attached to the policy. + +`attached_user_count` +: The count of attached users for the specified policy. + +`default_version` +: The default version value of the specified policy. + +`policy_document` +: Returns the default version of the policy document after decoding as a Ruby hash. This hash contains the policy statements and is useful for performing checks that cannot be expressed using higher-level matchers like `have_statement`. + +`statement_count` +: Returns the number of statements present in the `policy`. + +## Examples + +Test that a policy does exist: + +```ruby +describe alicloud_ram_policy(policy_name: 'AliyunSupportFullAccess', type: 'System') do + it { should exist } +end +``` + +Test that a policy is attached to at least one entity: + +```ruby +describe alicloud_ram_policy(policy_name: 'AliyunSupportFullAccess') do + it { should be_attached } +end +``` + +Examine the policy statements: + +```ruby +describe alicloud_ram_policy(policy_name: 'my-policy', type: 'Custom') do +Verify that there is at least one statement allowing access to OSS: + + it { should have_statement(Action: 'oss:PutObject', Effect: 'allow') } +``` + +```ruby +have_statement does not expand wildcards. 
If you want to verify: +they are absent, an explicit check is required: + +it { should_not have_statement(Action: 'oss:*') } +``` + +```ruby +You can also check NotAction: + +it { should_not have_statement(NotAction: 'ram:*') } +``` + +```ruby +Check number of statements in policy: + +its('statement_count') { should be > 1 } + end +``` + +Examine attached users, groups and roles: + +```ruby +describe alicloud_ram_policy(policy_name: 'my-policy') do + it { should be_attached_to_user('user-1') } + its{'attached_users') { should include 'user-1' } +``` + +```ruby +it { should be_attached_to_group('group-1') } +its{'attached_groups') { should include 'group-1' } +``` + +```ruby +it { should be_attached_to_role('acs:ram::12345:role/role-1') } +its{'attached_roles') { should include 'acs:ram::12345:role/role-1' } +``` + +```ruby +its('attached_user_count') { should eq 5 } +its('attached_group_count') { should eq 1 } +its('attached_role_count') { should be > 0 } +its('attachment_count') { should be eq 7 } + end +``` + +## Matchers + +This InSpec audit resource has the following special matchers. + +{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}} + +### exist + +The control will pass if the describe returns at least one result. + +Use `should_not` to test the entity should not exist. + +```ruby +it { should exist } +``` + +```ruby +it { should_not exist } +``` + +#### be_attached + +The test will pass if the identified policy is attached to at least one RAM user, group, or role. + +```ruby +describe alicloud_ram_policy(policy_name: 'AliyunSupportFullAccess') do + it { should be_attached } +end +``` + +#### be_attached_to_group(GROUPNAME) + +The test will pass if the identified policy is attached to the specified group. 
+ +```ruby +describe alicloud_ram_policy(policy_name: 'AliyunSupportFullAccess') do + it { should be_attached_to_group(GROUPNAME) } +end +``` + +#### be_attached_to_user(USERNAME) + +The test will pass if the identified policy is attached to the specified user. + +```ruby +describe alicloud_ram_policy(policy_name: 'AliyunSupportFullAccess') do + it { should be_attached_to_user(USERNAME) } +end +``` + +#### be_attached_to_role(ROLEARN) + +The test will pass if the identified policy is attached to the specified role ARN. + +```ruby +describe alicloud_ram_policy(policy_name: 'AliyunSupportFullAccess') do + it { should be_attached_to_role(ROLEARN) } +end +``` + +#### have_statement + +Examines the list of statements contained in the policy and passes if at least one of the statements matches. This matcher does _not_ interpret the policy in a request authorization context, as Alibaba Cloud does when a request processed. Rather, `have_statement` examines the literal contents of the RAM policy, and reports on what is present (or absent, when used with `should_not`). + +`have_statement` accepts the following criteria to search for matching statements. If any statement matches all the criteria, the test is successful. All keys in criteria may be used as Titlecase or lowercase, string or symbol. Values must be in the expected case. + +* `Action` - Expresses the requested operation. Acceptable literal values are any Alibaba Cloud operation name, including the '*' wildcard character. `Action` may also use a list of Alibaba Cloud operation names. +* `Effect` - Expresses if the operation is permitted. Acceptable values are 'Deny' and 'Allow'. +* `Sid` - A user-provided string identifier for the statement. +* `Resource` - Expresses the operation's target. Acceptable values are ARNs, including the '*' wildcard. `Resource` may also use a list of ARN values. 
+ +Please note the following about the behavior of `have_statement`: +* `Action`, `Sid`, and `Resource` allow using a regular expression as the search critera instead of a string literal. +* It does not support wildcard expansion; to check for a wildcard value, check for it explicitly. For example, if the policy includes a statement with `"Action": "oss:*"` and the test checks for `Action: "oss:PutObject"`, the test _will not match_. You must write an additional test checking for the wildcard case. +* It supports searching list values. For example, if a statement contains a list of 3 resources, and a `have_statement` test specifes _one_ of those resources, it will match. +* `Action` and `Resource` allow using a list of string literals or regular expressions in a test, in which case _all_ must match on the _same_ statement for the test to match. Order is ignored. +* It does not support the Principal or Condition policy elements. + +Examples: + + # Verify there is no full-admin statement +```ruby +describe alicloud_ram_policy(policy_name: 'kryptonite') do + it { should_not have_statement('Effect' => 'Allow', 'Resource' => '*', 'Action' => '*')} +end +``` + + # Symbols and lowercase also allowed as criteria +```ruby +describe alicloud_ram_policy(policy_name: 'kryptonite') do + # All 4 the same + it { should_not have_statement('Effect' => 'Allow', 'Resource' => '*', 'Action' => '*')} + it { should_not have_statement('effect' => 'Allow', 'resource' => '*', 'action' => '*')} + it { should_not have_statement(Effect: 'Allow', Resource: '*', Action: '*')} + it { should_not have_statement(effect: 'Allow', resource: '*', action: '*')} +end +``` + + # Verify bob is allowed to manage things on OSS buckets that start with bobs-stuff +```ruby +describe alicloud_ram_policy(policy_name: 'bob-is-a-packrat') do + it { should have_statement(Effect: 'Allow', + # Using the Alibaba Cloud wildcard - this must match exactly + Resource: 'acs:oss:::bobs-stuff*', + # Specify a list of actions 
- all must match, no others, order isn't important + Action: ['oss:PutObject', 'oss:GetObject', 'oss:DeleteObject'])} +``` + +```ruby +# Bob would make new buckets constantly if we let him. +it { should_not have_statement(Effect: 'Allow', Action: 'oss:CreateBucket')} +it { should_not have_statement(Effect: 'Allow', Action: 'oss:*')} +it { should_not have_statement(Effect: 'Allow', Action: '*')} +``` + +```ruby +# An alternative to checking for wildcards is to specify the +# statements you expect, then restrict statement count +its('statement_count') { should cmp 1 } + end +``` + + # Use regular expressions to examine the policy +```ruby +describe alicloud_ram_policy(policy_name: 'regex-demo') do + # Check to see if anything mentions RDS at all. + # This catches `rds:CreateDBinstance` and `rds:*`, but would not catch '*'. + it { should_not have_statement(Action: /^rds:.+$/)} +``` + +```ruby +# This policy should refer to both sally and kim's OSS buckets. +# This will only match if there is a statement that refers to both resources. +it { should have_statement(Resource: [/acs:oss.+:sally/, /acs:oss.+:kim/]) } +# The following also matches on a statement mentioning only one of them +it { should have_statement(Resource: /acs:oss.+:(sally|kim)/) } + end +``` + +### Alibaba Cloud Permissions + +Your Principal will need the `ram:GetPolicy` and `ram:ListEntitiesForPolicy` actions with Effect set to Allow. + +{{< readfile file="content/reusable/md/alibaba_access_management_doc.md" >}} +{{< readfile file="content/reusable/md/alibaba_authentication_ram_api_doc.md" >}} diff --git a/_vendor/github.com/inspec/inspec-alicloud/docs-chef-io/content/alicloud_ram_user.md b/_vendor/github.com/inspec/inspec-alicloud/docs-chef-io/content/alicloud_ram_user.md new file mode 100644 index 0000000..799ec31 --- /dev/null +++ b/_vendor/github.com/inspec/inspec-alicloud/docs-chef-io/content/alicloud_ram_user.md 
@@ -0,0 +1,146 @@ ++++ +title = "alicloud_ram_user resource" + +draft = false + + +[menu.alicloud] +title = "alicloud_ram_user" +identifier = "inspec/resources/alicloud/alicloud_ram_user resource" +parent = "inspec/resources/alicloud" ++++ + +Use the `alicloud_ram_user` InSpec audit resource to test properties of a single Alibaba Cloud RAM user. + +## Syntax + +An `alicloud_ram_user` resource block declares the tests for a single Alibaba Cloud RAM user by user name. + +```ruby +describe alicloud_ram_user(user_name: 'psmith') do + it { should exist } +end +``` + +## Parameters + +`user_name` _(required)_ + +: This resource accepts a single parameter, the RAM user's user name which uniquely identifies the user. + This can be passed either as a string or as a `user_name: 'value'` key-value entry in a hash. + +See also the [Alibaba Cloud documentation on RAM users](https://www.alibabacloud.com/help/doc-detail/122148.htm?spm=a2c63.p38356.b99.20.12456fb6z4r7Hz). + +## Properties + +`user_name` +: The RAM user's username. + +`user_id` +: The RAM user's unique ID. + +`display_name` +: The RAM user's display name. + +`comments` +: Comments about the user. + +`email` +: The RAM user's email address. + +`mobile_phone` +: The RAM user's mobile phone number. + +`create_date` +: The time when the RAM user was created. + +`update_date` +: The time when the information about the RAM user was last updated. + +`last_login_date` +: The time when the RAM user last logged on to the console using their password. + +`access_keys` +: An array of hashes each containing metadata about the user's access keys (active and inactive). + +`active_access_keys` +: An array of hashes each containing metadata about the user's active access keys. + +## Examples + +The following examples show how to use this InSpec audit resource. 
+ +Test that a RAM user does not exist: + +```ruby +describe alicloud_ram_user(user_name: 'invalid-user') do + it { should_not exist } +end +``` + +Ensure a RAM user has no active access keys: + +```ruby +describe alicloud_ram_user('psmith') do + it { should exist } + it { should not have_active_access_key } + its('active_access_keys.count') { should eq 0 } +end +``` + +Ensure a RAM user has 0 or 1 active access keys: + +```ruby +describe alicloud_ram_user('psmith') do + its('active_access_keys.count') { should be <= 1 } +end +``` + +Ensure that a RAM user does not have both console access and active access key(s): + +```ruby +describe alicloud_ram_user('psmith') do + it { should_not have_console_and_key_access } +end +``` + +## Matchers + +{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}} + +### exist + +The control will pass if the describe returns at least one result. + +Use `should_not` to test the entity should not exist. + +```ruby +it { should exist } +``` + +#### has_console_access + +This will check whether the requested user has a login profile for console access. + +```ruby +it { should have_console_access } +``` + +#### has_active_access_key + +This will check whether the requested user has at least one active access key and secret key. + +```ruby +it { should have_active_access_key } +``` + +#### has_console_and_key_access + +This will check whether the requested user has a login profile for console access, as well as at least one active access key/secret key pair. + +### Alibaba Cloud Permissions + +Your Principal will need the following permissions action with Effect set to Allow: `ram:Getuser`, `ram:GetLoginProfile`, `ram:ListAccessKeys`. + +{{< readfile file="content/reusable/md/alibaba_access_management_doc.md" >}} +{{< readfile file="content/reusable/md/alibaba_authentication_ram_api_doc.md" >}} 
diff --git a/_vendor/github.com/inspec/inspec-alicloud/docs-chef-io/content/alicloud_ram_user_mfa.md b/_vendor/github.com/inspec/inspec-alicloud/docs-chef-io/content/alicloud_ram_user_mfa.md
new file mode 100644
index 0000000..461ee08
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-alicloud/docs-chef-io/content/alicloud_ram_user_mfa.md
@@ -0,0 +1,82 @@ ++++ +title = "alicloud_ram_user_mfa resource" + +draft = false + + +[menu.alicloud] +title = "alicloud_ram_user_mfa" +identifier = "inspec/resources/alicloud/alicloud_ram_user_mfa resource" +parent = "inspec/resources/alicloud" ++++ + +Use the `alicloud_ram_user_mfa` InSpec audit resource to test properties of a single Alibaba Cloud RAM user's MFA settings. + +## Syntax + +An `alicloud_ram_user_mfa` resource block declares the tests for a single Alibaba Cloud RAM user's MFA settings by user name. + +```ruby +describe alicloud_ram_user_mfa(user_name: 'rpatel') do + it { should exist } +end +``` + +## Parameters + +`user_name` _(required)_ + +: This resource accepts a single parameter, the RAM user's username which uniquely identifies the user. + This can be passed either as a string or as a `user_name: 'value'` key-value entry in a hash. + +See also the [Alibaba Cloud documentation on RAM users](https://www.alibabacloud.com/help/doc-detail/122148.htm?spm=a2c63.p38356.b99.20.12456fb6z4r7Hz). + +## Properties + +`user_name` +: The RAM user's username. + +`serial_number` +: The serial number of the RAM User's MFA device. + +`type` +: The MFA type (VMFA: virtual NFA device, or U2F: Universal 2nd Factor security key). + +## Examples + +The following example shows how to use this InSpec audit resource. + +Test that a user has MFA configured: + +```ruby +describe alicloud_ram_user_mfa(user_name: 'jakobp') do + it { should exist } + its('serial_number') { should eq 'acs:ram::1234567890123456:mfa/jakobp' } + its('type') { should eq 'VMFA' } +end +``` + +## Matchers + +{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}} + +### exist + +The control will pass if the describe returns at least one result. + +```ruby +it { should exist } +``` + +Use `should_not` to test the entity should not exist. 
+ +```ruby +it { should_not exist } +``` + +### Alibaba Cloud Permissions + +{{% inspec-alicloud/alicloud_principal_action action="ram:GetUserMFAInfo" %}} + +{{< readfile file="content/reusable/md/alibaba_access_management_doc.md" >}} +{{< readfile file="content/reusable/md/alibaba_authentication_ram_api_doc.md" >}} diff --git a/_vendor/github.com/inspec/inspec-alicloud/docs-chef-io/content/alicloud_ram_users.md b/_vendor/github.com/inspec/inspec-alicloud/docs-chef-io/content/alicloud_ram_users.md new file mode 100644 index 0000000..3dc6077 --- /dev/null +++ b/_vendor/github.com/inspec/inspec-alicloud/docs-chef-io/content/alicloud_ram_users.md 
@@ -0,0 +1,142 @@ ++++ +title = "alicloud_ram_users resource" + +draft = false + + +[menu.alicloud] +title = "alicloud_ram_users" +identifier = "inspec/resources/alicloud/alicloud_ram_users resource" +parent = "inspec/resources/alicloud" ++++ + +Use the `alicloud_ram_users` InSpec audit resource to test properties of some or all Alibaba Cloud RAM users. + +## Syntax + +An `alicloud_ram_users` resource block returns all RAM users and allows the testing of that group of RAM users. + +```ruby +describe alicloud_ram_users do + its('user_names') { should include 'payroll-admin' } +end +``` + +## Parameters + +This resource does not require any parameters. + +## Properties + +`user_names` +: The user names of the returned RAM users. + +`user_ids` +: The unique IDs of the returned RAM users. + +`display_names` +: Display names of the returned RAM users. + +`comments` +: Comments about the returned RAM users. + +`create_dates` +: The times when the returned RAM users were created. + +`update_dates` +: The times when the information about the returned RAM users was last updated. + +`access_keys` +: An array of hashes each containing metadata about a user's access keys (active and inactive). + +`active_access_keys` +: An array of hashes each containing metadata about a user's active access keys. + +`has_access_key` +: Boolean indicating whether each user has any access keys or not. + +`has_active_access_key` +: Boolean indicating whether each user has any active access keys or not. + +`has_console_access` +: Boolean indicating whether each user has console access. + +`has_console_and_key_access` +: Boolean indicating whether each user has both console access as well as one or more active access keys. + +`has_mfa_enabled` +: Boolean indicating whether each user has MFA enabled or not. + +`entries` +: Provides access to the raw results of the query, which can be treated as an array of hashes. 
+ +## Examples + +Ensure there are no RAM users who do not have MFA enabled: + +```ruby +describe alicloud_ram_users.where(has_mfa_enabled: false) do + it { should_not exist } +less readable test, but it gives better output: + +end +``` + +Ensure there are no RAM users who have console access and do not have MFA enabled: + +```ruby +alicloud_ram_users.where(has_console_access: true).user_names.each do |u| + describe alicloud_ram_user_mfa(u) do + it { should exist } + end +end +``` + +Ensure there are no RAM users with console access and one or more active access keys: + +```ruby +describe alicloud_ram_users.where(has_console_and_key_access: true) do + its('user_names') { should be_empty } +end +``` + +```ruby +or +``` + +```ruby +alicloud_ram_users.where { active_access_keys.count > 0 }.user_names.each do |u| + describe alicloud_ram_user(u) do + its('has_console_access') { should be false } + end +end +``` + +## Matchers + +For a full list of available matchers, please visit our [matchers page](https://www.inspec.io/docs/reference/matchers/). + +### exist + +The control will pass if the describe returns at least one result. + +Use `should_not` to test the entity should not exist. + +```ruby +describe alicloud_ram_users.where( : ) do + it { should exist } +end +``` + +```ruby +describe alicloud_ram_users.where( : ) do + it { should_not exist } +end +``` + +### Alibaba Cloud Permissions + +Your Principal will need the following permissions action with Effect set to Allow: `ram:Listusers`, `ram:GetLoginProfile`, `ram:ListAccessKeys`, `ram:GetUserMFAInfo` + +{{< readfile file="content/reusable/md/alibaba_access_management_doc.md" >}} +{{< readfile file="content/reusable/md/alibaba_authentication_ram_api_doc.md" >}} diff --git a/_vendor/github.com/inspec/inspec-alicloud/docs-chef-io/content/reusable/index.md b/_vendor/github.com/inspec/inspec-alicloud/docs-chef-io/content/reusable/index.md new file mode 100644 index 0000000..41de90a --- /dev/null 
+++ b/_vendor/github.com/inspec/inspec-alicloud/docs-chef-io/content/reusable/index.md
@@ -0,0 +1,5 @@
++++
+headless = true
+## headless = true makes this directory a headless bundle.
+## See https://gohugo.io/content-management/page-bundles/#headless-bundle
++++
diff --git a/_vendor/github.com/inspec/inspec-alicloud/docs-chef-io/content/reusable/md/alibaba_access_management_doc.md b/_vendor/github.com/inspec/inspec-alicloud/docs-chef-io/content/reusable/md/alibaba_access_management_doc.md
new file mode 100644
index 0000000..eb904e0
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-alicloud/docs-chef-io/content/reusable/md/alibaba_access_management_doc.md
@@ -0,0 +1,2 @@
+
+See the [Alibaba Cloud Resource Access Management documentation](https://www.alibabacloud.com/help/doc-detail/57445.htm?spm=a2c63.p38356.b99.12.51ef1b28W18VZd).
diff --git a/_vendor/github.com/inspec/inspec-alicloud/docs-chef-io/content/reusable/md/alibaba_authentication_ecs_api_doc.md b/_vendor/github.com/inspec/inspec-alicloud/docs-chef-io/content/reusable/md/alibaba_authentication_ecs_api_doc.md
new file mode 100644
index 0000000..e7f5702
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-alicloud/docs-chef-io/content/reusable/md/alibaba_authentication_ecs_api_doc.md
@@ -0,0 +1,2 @@
+
+See the [documentation on authentication rules for ECS APIs](https://partners-intl.aliyun.com/help/doc-detail/25497.htm?spm=a2c63.p38356.b99.657.7b9f3481VdEA4g).
diff --git a/_vendor/github.com/inspec/inspec-alicloud/docs-chef-io/content/reusable/md/alibaba_authentication_ram_api_doc.md b/_vendor/github.com/inspec/inspec-alicloud/docs-chef-io/content/reusable/md/alibaba_authentication_ram_api_doc.md
new file mode 100644
index 0000000..2ceda0b
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-alicloud/docs-chef-io/content/reusable/md/alibaba_authentication_ram_api_doc.md
@@ -0,0 +1,2 @@
+
+See the [documentation on authentication to RAM APIs](https://partners-intl.aliyun.com/help/doc-detail/102666.htm).
diff --git a/_vendor/github.com/inspec/inspec-alicloud/docs-chef-io/layouts/shortcodes/inspec-alicloud/alicloud_principal_action.md b/_vendor/github.com/inspec/inspec-alicloud/docs-chef-io/layouts/shortcodes/inspec-alicloud/alicloud_principal_action.md
new file mode 100644
index 0000000..75a443a
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-alicloud/docs-chef-io/layouts/shortcodes/inspec-alicloud/alicloud_principal_action.md
@@ -0,0 +1,2 @@
+
+Your Principal will need the `{{ .Get "action" }}` action with `Effect` set to `Allow`.
diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/assets/release-notes/inspec-aws/release-dates.json b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/assets/release-notes/inspec-aws/release-dates.json
new file mode 100644
index 0000000..f476510
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/assets/release-notes/inspec-aws/release-dates.json
@@ -0,0 +1,7 @@
+[
+ "2021-10-01",
+ "2021-10-13",
+ "2021-11-08",
+ "2021-11-30",
+ "2022-01-07"
+]
diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/config.toml b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/config.toml
new file mode 100644
index 0000000..23ba27a
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/config.toml
@@ -0,0 +1,2 @@
+[params.inspec-aws]
+gh_path = "https://github.com/inspec/inspec-aws/tree/main/docs-chef-io/content/"
diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/_index.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/_index.md
new file mode 100644
index 0000000..052fff3
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/_index.md
@@ -0,0 +1,110 @@ ++++ +title = "About the Chef InSpec Amazon Web Services (AWS) resource pack" +draft = false + +linkTitle = "AWS resource pack" +summary = "Chef InSpec resources for auditing AWS infrastructure." + +[cascade] + [cascade.params] + platform = "aws" + +[menu.aws] + title = "About AWS resources" + identifier = "inspec/resources/aws/About" + parent = "inspec/resources/aws" + weight = 10 ++++ + +Chef InSpec provides resources for auditing Amazon Web Services (AWS) infrastructure, helping you check security, compliance, and configuration across your cloud environment. + +## Create a Chef InSpec profile for AWS auditing + +To audit AWS resources, use Chef InSpec 4 or later to create a new profile with `inspec init profile`: + +```bash +inspec init profile --platform aws +``` + +After adding your AWS project ID to the `inputs.yml` file, run this sample profile: + +```bash +inspec exec --input-file=/inputs.yml -t aws:// +``` + +## Set AWS credentials + +Chef InSpec uses standard AWS authentication mechanisms. +Follow these steps to create an IAM user specifically for auditing activities: + +1. In the AWS console, create an IAM user with your choice of username and select **Programmatic Access**. + +1. On the **Permissions** screen, select **Attach policies directly** and choose the AWS-managed **ReadOnlyAccess** policy. To restrict the user further, review individual Chef InSpec resources to identify which permissions each resource requires. + +1. After generating the key, record the access key ID and secret key. + +### Provide credentials using environment variables + +Set the following environment variables to provide credentials to Chef InSpec: + +- `AWS_REGION` +- `AWS_ACCESS_KEY_ID` +- `AWS_SECRET_ACCESS_KEY`. + +You can also use `AWS_PROFILE`, or `AWS_SESSION_TOKEN` if you use multi-factor authentication. + +For more details, see the [AWS Command Line Interface Docs](https://docs.aws.amazon.com/cli/latest/userguide/cli-chap-getting-started.html). 
+ +After setting your environment variables, verify your credentials: + +```bash +$ inspec detect -t aws:// + +== Platform Details +Name: aws +Families: cloud, api +Release: aws-sdk-v2.10.125 +``` + +### Provide credentials using the Chef InSpec target option + +In the `~/.aws/credentials` file in your home directory, add your credentials as a new profile in INI format: + +```ini +[] +aws_access_key_id = AKIA.... +aws_secret_access_key = 1234....abcd +``` + +Replace `` with name defined in your profile's `inspec.yml` file. + +### Verify AWS credentials + +To verify your credentials, run: + +```bash +$ inspec detect -t aws:// + +== Platform Details +Name: aws +Families: cloud, api +Release: aws-sdk-v2.10.125 +``` + +## Run the profile + +Run Chef InSpec using the `--target` / `-t` option in the following format: + +```sh +inspec exec --input-file=/inputs.yml -t aws:/// +``` + +For example, to connect to the Ohio region using a profile named 'auditing', use `-t aws://us-east-2/auditing`. + +## Chef InSpec AWS resources + +{{< inspec_resources_filter >}} + +This resource pack includes the following Chef InSpec AWS resources: + +{{< inspec_resources section="aws" platform="aws" >}} diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_alb.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_alb.md new file mode 100644 index 0000000..790731f --- /dev/null +++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_alb.md 
@@ -0,0 +1,142 @@ ++++ +title = "aws_alb resource" + +draft = false + + +[menu.aws] +title = "aws_alb" +identifier = "inspec/resources/aws/aws_alb resource" +parent = "inspec/resources/aws" ++++ + +Use the `aws_alb` InSpec audit resource to test properties of a single AWS Application Load Balancer (ALB). + +For additional information, including details on parameters and properties, see the [AWS documentation on Elastic Load Balancing](https://docs.aws.amazon.com/elasticloadbalancing/latest/APIReference). + +## Syntax + +Ensure that an `aws_alb` exists + +```ruby +describe aws_alb('arn:aws:elasticloadbalancing') do + it { should exist } +end +``` + +```ruby +describe aws_alb(load_balancer_arn: 'arn:aws:elasticloadbalancing') do + it { should exist } +end +``` + +## Parameters + +`load_balancer_arn` _(required)_ + +: This resource accepts a single parameter, the ALB Arn which uniquely identifies the ALB. + This can be passed either as a string or as a `load_balancer_arn: 'value'` key-value entry in a hash. + +## Properties + +`load_balancer_name` +: The name of the load balancer. + +`load_balancer_addresses` +: A collectionm of the load balancer addresses. + +`canonical_hosted_zone_id` +: The ID of the Amazon Route 53 hosted zone for the load balancer. + +`dns_name` +: The DNS name of the load balancer. + +`availability_zones` +: The Availability Zones for the load balancer. + +`security_groups` +: The security groups for the load balancer. Valid only for load balancers in a VPC. + +`scheme` +: The type of load balancer. Valid only for load balancers in a VPC. + +`state` +: The state of the load balancer. + +`subnets` +: A collection of the subnet ids. + +`type` +: The type of the load balancer. + +`access_log_enabled` +: Whether the access log for the load balancer is enabled. + +`vpc_id` +: The ID of the VPC for the load balancer. + +`zone_names` +: A collection of the names of the availability zones. 
+ +`listeners` +: A collection of the listeners for the load balancer. + +`ssl_policies` +: A list of the SSL Policies configured for the listeners of the load balancer. + +`external_ports` +: A list of the ports configured for the listeners of the load balancer. + +`protocols` +: A list of the protocols configured for the listeners of the load balancer. + +## Examples + +Test that an ALB has its availability zones configured correctly: + +```ruby +describe aws_alb('arn::alb') do + its('zone_names.count') { should be > 1 } + its('zone_names') { should include 'us-east-2a' } + its('zone_names') { should include 'us-east-2b' } +end +``` + +Test whether the access log is enabled for the Application Load Balancer: + +```ruby +describe aws_alb('load_balancer_arn::alb') do + it { should exist } + its ('access_log_enabled') { should eq true } +end +``` + +## Matchers + +{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}} + +This resource has the following special matchers. + +### exist + +The control will pass if the describe returns at least one result. + +Use `should_not` to test the entity should not exist. + +```ruby +describe aws_alb('AnExistingALB') do + it { should exist } +end +``` + +```ruby +describe aws_alb('ANonExistentALB') do + it { should_not exist } +end +``` + +## AWS Permissions + +{{% inspec-aws/aws_permissions_principal action="ElasticLoadBalancing:Client:DescribeLoadBalancers" %}} + +You can find detailed documentation at [Authentication and Access Control for Your Load Balancers](https://docs.aws.amazon.com/elasticloadbalancing/latest/userguide/load-balancer-authentication-access-control.html) diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_albs.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_albs.md new file mode 100644 index 0000000..c5edd81 --- /dev/null +++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_albs.md 
@@ -0,0 +1,104 @@ ++++ +title = "aws_albs resource" + +draft = false + + +[menu.aws] +title = "aws_albs" +identifier = "inspec/resources/aws/aws_albs resource" +parent = "inspec/resources/aws" ++++ + +Use the `aws_albs` InSpec audit resource to test the configuration of a collection of Application Load Balancers. + +For additional information, including details on parameters and properties, see the [AWS documentation on Elastic Load Balancing](https://docs.aws.amazon.com/elasticloadbalancing/latest/APIReference). + +## Syntax + +Ensure that an `aws_albs` exists + +```ruby +describe aws_albs do + its('load_balancer_arns') { should include 'arn:aws:elasticloadbalancing' } +end +``` + +## Parameters + +This resource does not require any parameters. + +## Properties + +`load_balancer_names` +: The names of the load balancers. + +`load_balancer_addresses` +: A collection of the load balancers addresses. + +`canonical_hosted_zone_ids` +: The IDs of the Amazon Route 53 hosted zone for the load balancers. + +`dns_names` +: The DNS names of the load balancers. + +`availability_zones` +: The Availability Zones for the load balancers. + +`security_groups` +: The security groups for the load balancers. Valid only for load balancers in a VPC. + +`schemes` +: The types of load balancers. Valid only for load balancers in a VPC. + +`states` +: The states of the load balancers. + +`subnets` +: A collection of the subnet ids. + +`types` +: The types of the load balancers. + +`vpc_ids` +: The IDs of the VPCs for the load balancers. + +`zone_names` +: A collection of the names of the availability zones. 
+ +## Examples + +Test that an ALB has its availability zones configured correctly: + +```ruby +describe aws_alb('arn::alb') do + its('zone_names.count') { should be > 1 } + its('zone_names') { should include 'us-east-2a' } + its('zone_names') { should include 'us-east-2b' } +end +``` + +## Matchers + +{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}} + +This resource has the following special matchers. + +### exist + +The control will pass if the describe returns at least one result. + +Use `should_not` to test the entity should not exist. + +```ruby +describe aws_albs do + it { should exist } + its('availability_zones') { should_not include 'us-east-1a'} +end +``` + +## AWS Permissions + +{{% inspec-aws/aws_permissions_principal action="ElasticLoadBalancing:Client:DescribeLoadBalancers" %}} + +You can find detailed documentation at [Authentication and Access Control for Your Load Balancers](https://docs.aws.amazon.com/elasticloadbalancing/latest/userguide/load-balancer-authentication-access-control.html) diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_ami.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_ami.md new file mode 100644 index 0000000..cbca0c8 --- /dev/null +++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_ami.md 
@@ -0,0 +1,170 @@ ++++ +title = "aws_ami resource" + +draft = false + + +[menu.aws] +title = "aws_ami" +identifier = "inspec/resources/aws/aws_ami resource" +parent = "inspec/resources/aws" ++++ + +Use the `aws_ami` InSpec audit resource to test properties of a single AWS AMI. + +For additional information, including details on parameters and properties, see the [AWS documentation on EC2 Amazon Machine Images](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/AMIs.html). + +## Syntax + +An `aws_ami` resource block declares the tests for a single AWS AMI by image id. + +```ruby +describe aws_ami(image_id: 'aki-2349e94458a507') do + it { should exist } +end +``` + +## Parameters + +`image_id` _(required)_ + +: This resource accepts a single parameter, the AMI Image ID. + This can be passed either as a string or as a `image_id: 'value'` key-value entry in a hash. + +## Properties + +`architecture` +: The architecture of the image. + +`creation_date` +: The date and time the image was created. + +`image_id` +: The ID of the AMI. + +`image_location` +: The location of the AMI. + +`image_type` +: The type of image. + +`public` +: Indicates whether the image has public launch permissions. + +`kernel_id` +: The kernel associated with the image, if any. Only applicable for machine images. + +`owner_id` +: The AWS account ID of the image owner. + +`platform` +: This value is set to windows for Windows AMIs; otherwise, it is blank. + +`platform_details` +: The platform details associated with the billing code of the AMI. + +`usage_operation` +: The operation of the Amazon EC2 instance and the billing code that is associated with the AMI. + +`product_codes` +: Any product codes associated with the AMI. + +`ramdisk_id` +: The RAM disk associated with the image, if any. Only applicable for machine images. + +`state` +: The state of the AMI. + +`block_device_mappings` +: Any block device mapping entries. 
+ +`description` +: The description of the AMI that was provided during image creation. + +`ena_support` +: Specifies whether enhanced networking with ENA is enabled. + +`hypervisor` +: The hypervisor type of the image. + +`image_owner_alias` +: The AWS account alias or the AWS account ID of the AMI owner. + +`name` +: The name of the AMI that was provided during image creation. + +`root_device_name` +: The device name of the root device volume. + +`root_device_type` +: The type of root device used by the AMI. + +`sriov_net_support` +: Specifies whether enhanced networking with the Intel 82599 Virtual Function interface is enabled. + +`state_reason` +: Provides the reason for the state change. + +`tags` +: Provides any tags assigned to the image. + +`virtualization_type` +: The type of virtualization of the AMI. + +There are also additional properties available. For a comprehensive list, see [the API reference documentation](https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_Image.html) + +## Examples + +Check if an AMI is public: + +```ruby +describe aws_ami(image_id: 'aki-25348fd4323') do + it { should be_public } +end +``` + +## Matchers + +{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}} + +This resource has the following special matchers. + +### be_public + +The `be_public` matcher tests if the AMI has public launch permissons. + +```ruby +describe aws_ami(image_id: 'aki-1234') do + it { should be_public } +end +``` + +```ruby +describe aws_ami(image_id: 'aki-6789') do + it { should_not be_public } +end +``` + +### exist + +The control will pass if the describe returns at least one result. + +Use `should_not` to test the entity should not exist. 
+ +```ruby +describe aws_ami(image_id: 'aki-1234') do + it { should exist } +end +``` + +```ruby +describe aws_ami(image_id: 'aki-6789') do + it { should_not exist } +end +``` + +## AWS Permissions + +{{% inspec-aws/aws_permissions_principal action="EC2:Client:DescribeImages" %}} + +You can find detailed documentation at [Actions, Resources, and Condition Keys for Amazon EC2](https://docs.aws.amazon.com/IAM/latest/UserGuide/list_amazonec2.html). diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_amis.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_amis.md new file mode 100644 index 0000000..510dae0 --- /dev/null +++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_amis.md 
@@ -0,0 +1,217 @@ ++++ +title = "aws_amis resource" + +draft = false + + +[menu.aws] +title = "aws_amis" +identifier = "inspec/resources/aws/aws_amis resource" +parent = "inspec/resources/aws" ++++ + +Use the `aws_amis` InSpec audit resource to test properties of some or all AWS AMIs. + +## Syntax + + Ensure you have exactly 3 AMIs available to you. + +```ruby +describe aws_amis(all_amis: 'true') do + its('image_ids.count') { should cmp 3 } +end +``` + + Check if you have a public AMI for the Linux/UNIX platform available to you. + +```ruby +describe aws_amis(is_public: 'true', platform_details: 'Linux/UNIX') do + it { should exist } +end +``` + +## Parameters + +This resource must be provided with the parameter 'all_amis' (returns ALL AMIs available to you) OR a combination of the following. + +`all_amis` _(optional)_ + +: _OR_ + +`architecture` _(optional)_ + +`creation_date` _(optional)_ +`image_id` _(optional)_ +`image_type` _(optional)_ +`is_public` _(optional)_ +`kernel_id` _(optional)_ +`owner_id` _(optional)_ +`owners` _(optional)_ + +: - Scopes the results to images with the specified owners. You can specify a combination of AWS account IDs, `self`, `amazon`, and `aws-marketplace`. + + ```ruby + If you omit this parameter, the results include all images for which you have launch permissions, regardless of ownership. + ``` + +`owner_alias` _(optional)_ +`platform` _(optional)_ + +`product_code` _(optional)_ +`platform_details` _(optional)_ +`usage_operation` _(optional)_ +`ramdisk_id` _(optional)_ +`state` _(optional)_ + +`state_reason_code` _(optional)_ +`state_reason_message` _(optional)_ +`description` _(optional)_ + +`ena_support` _(optional)_ +`hypervisor` _(optional)_ + +`name` _(optional)_ + +`root_device_name` _(optional)_ +`root_device_type` _(optional)_ +`sriov_net_support` _(optional)_ +`virtualization_type` _(optional)_ + +: This can be passed either as a string or as a `all_amis: 'value'` key-value entry in a hash. 
+ +## Properties + +`architectures` +: The architecture of the image. + +`creation_dates` +: The date and time the image was created. + +`image_ids` +: The ID of the AMI. + +`image_locations` +: The location of the AMI. + +`image_types` +: The type of image. + +`public` +: Indicates whether the image has public launch permissions. + +`kernel_ids` +: The kernel associated with the image, if any. Only applicable for machine images. + +`owner_ids` +: The AWS account ID of the image owner. + +`platforms` +: This value is set to windows for Windows AMIs; otherwise, it is blank. + +`platform_details` +: The platform details associated with the billing code of the AMI. + +`usage_operations` +: The operation of the Amazon EC2 instance and the billing code that is associated with the AMI. + +`product_codes` +: Any product codes associated with the AMI. + +`ramdisk_ids` +: The RAM disk associated with the image, if any. Only applicable for machine images. + +`states` +: The state of the AMI. + +`block_device_mappings` +: Any block device mapping entries. + +`descriptions` +: The description of the AMI that was provided during image creation. + +`ena_support` +: Specifies whether enhanced networking with ENA is enabled. + +`hypervisors` +: The hypervisor type of the image. + +`image_owner_alias` +: The AWS account alias or the AWS account ID of the AMI owner. + +`names` +: The name of the AMI that was provided during image creation. + +`root_device_names` +: The device name of the root device volume. + +`root_device_types` +: The type of root device used by the AMI. + +`sriov_net_supports` +: Specifies whether enhanced networking with the Intel 82599 Virtual Function interface is enabled. + +`state_reasons` +: Provides the reason for the state change. + +`tags` +: Provides any tags assigned to the image. + +`virtualization_types` +: The type of virtualization of the AMI. 
+ +## Examples + +Ensure ID of an AMI exists: + +```ruby +describe aws_amis(all_amis: 'true') do + its('image_ids') { should include 'image-id-43542' } +end +``` + +Interrogate AMIs Belong to the Current User Only: + +```ruby +describe aws_amis(owners: 'self') do + its('owner_ids.uniq.size') { should be 1 } + its('owner_ids.uniq.first') { should eq 12345678 } +end +``` + +Interrogate AMIs Belong to the Current User and the Amazon: + +```ruby +describe aws_amis(owners: ['self', 'amazon']) do + it { should exist } +end +``` + +## Matchers + +{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}} + +This resource has the following special matchers. + +### exist + +The control will pass if the describe returns at least one result. + +Use `should_not` to test the entity should not exist. + +```ruby +describe aws_amis(all_amis: 'true').where( : ) do + it { should exist } +end +``` + +```ruby +describe aws_amis(all_amis: 'true').where( : ) do + it { should_not exist } +end +``` + +## AWS Permissions + +{{% inspec-aws/aws_permissions_principal action="EC2:Client:DescribeImages" %}} + +You can find detailed documentation at [Actions, Resources, and Condition Keys for Amazon EC2](https://docs.aws.amazon.com/IAM/latest/UserGuide/list_amazonec2.html). diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_amplify_app.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_amplify_app.md new file mode 100644 index 0000000..486095f --- /dev/null +++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_amplify_app.md 
@@ -0,0 +1,131 @@ ++++ +title = "aws_amplify_app resource" + +draft = false + + +[menu.aws] +title = "aws_amplify_app" +identifier = "inspec/resources/aws/aws_amplify_app resource" +parent = "inspec/resources/aws" ++++ + +Use the `aws_amplify_app` InSpec audit resource to test the properties of a single specific AWS Amplify app. + +For additional information, including details on parameters and properties, see the [AWS documentation on AWS Amplify App](https://docs.aws.amazon.com/amplify/latest/APIReference/API_App.html). + +## Syntax + +Ensure that AWS Amplify App exists. + +```ruby +describe aws_amplify_app(app_id: 'APP_ID') do + it { should exist } +end +``` + +## Parameters + +`app_id` _(required)_ + +: The unique ID of the Amplify app. + +## Properties + +`app_arn` +: The Amazon Resource Name (ARN) of the Amplify app. + +`app_id` +: The unique ID of the Amplify app. + +`app_arn` +: The app's Amazon Resource app_id (ARN). + +`name` +: The name for the Amplify app. + +`description` +: The description for the Amplify app. + +`repository` +: The repository for the Amplify app. + +`platform` +: The platform for the Amplify app. + +`create_time` +: Creates a date and time for the Amplify app. + +`update_time` +: Updates the date and time for the Amplify app. + +`environment_variables` +: The environment variables for the Amplify app. + +`pending_engine_versions` +: The app engine version to upgrade to. + +`default_domain` +: The default domain for the Amplify app. + +`enable_branch_auto_build` +: Automatically disconnect a branch in the Amplify Console when you delete a branch from your Git repository. + +`enable_basic_auth` +: Enables basic authorization for the Amplify app's branches. 
+ +## Examples + +Ensure a app ID is available: + +```ruby +describe aws_amplify_app(app_id: 'APP_ID') do + its('app_id') { should eq 'APP_ID' } +end +``` + +Ensure a app name is available: + +```ruby +describe aws_amplify_app(app_id: 'APP_ID') do + its('app_name') { should eq 'APP_NAME' } +end +``` + +## Matchers + +{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}} + +This resource has the following special matchers. + +### exist + +Use `should` to test that the entity exists. + +```ruby +describe aws_amplify_app(app_id: 'APP_ID') do + it { should exist } +end +``` + +Use `should_not` to test the entity does not exist. + +```ruby +describe aws_amplify_app(app_id: 'APP_ID') do + it { should_not exist } +end +``` + +### be_available + +Use `should` to check if the Amplify App is available. + +```ruby +describe aws_amplify_app(app_id: 'APP_ID') do + it { should be_available } +end +``` + +## AWS Permissions + +{{% inspec-aws/aws_permissions_principal action="Amplify:Client:GetAppResult" %}} diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_amplify_apps.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_amplify_apps.md new file mode 100644 index 0000000..69ed20c --- /dev/null +++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_amplify_apps.md 
@@ -0,0 +1,157 @@ ++++ +title = "aws_amplify_apps resource" + +draft = false + + +[menu.aws] +title = "aws_amplify_apps" +identifier = "inspec/resources/aws/aws_amplify_apps resource" +parent = "inspec/resources/aws" ++++ + +Use the `aws_amplify_apps` InSpec audit resource to test the properties of Multiple AWS Amplify apps. + +For additional information, including details on parameters and properties, see the [AWS documentation on AWS Amplify App](https://docs.aws.amazon.com/amplify/latest/APIReference/API_App.html). + +## Syntax + +Ensure that AWS Amplify app exists. + +```ruby +describe aws_amplify_apps do + it { should exist } +end +``` + +## Parameters + +This resource does not require any parameters. + +## Properties + +`app_arns` +: The Amazon Resource Name (ARN) of the Amplify app. + +: **Field**: `app_arn` + +`app_ids` +: The unique ID of the Amplify app. + +: **Field**: `app_id` + +`app_arns` +: The app's Amazon Resource app_id (ARN). + +: **Field**: `app_arn` + +`names` +: The name for the Amplify app. + +: **Field**: `name` + +`description` +: The description for the Amplify app. + +: **Field**: `description` + +`repositories` +: The repository for the Amplify app. + +: **Field**: `repository` + +`platforms` +: The platform for the Amplify app. + +: **Field**: `platform` + +`create_time` +: Creates a date and time for the Amplify app. + +: **Field**: `create_time` + +`update_time` +: Updates the date and time for the Amplify app. + +: **Field**: `update_time` + +`environment_variables` +: The environment variables for the Amplify app. + +: **Field**: `environment_variables` + +`pending_engine_versions` +: The app engine version to upgrade to. + +: **Field**: `pending_engine_version` + +`default_domains` +: The default domain for the Amplify app. + +: **Field**: `default_domain` + +`enable_branch_auto_build` +: Automatically disconnect a branch in the Amplify Console when you delete a branch from your Git repository. 
+ +: **Field**: `enable_branch_auto_build` + +`enable_basic_auth` +: Enables basic authorization for the Amplify app's branches. + +: **Field**: `enable_basic_auth` + +## Examples + +Ensure a app ID is available: + +```ruby +describe aws_amplify_apps do + its('app_ids') { should include 'app_id' } +end +``` + +Ensure a app name is available: + +```ruby +describe aws_amplify_apps do + its('app_names') { should include 'app_name' } +end +``` + +## Matchers + +{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}} + +The controls will pass if the `List` method returns at least one result. + +### exist + +Use `should` to test that the entity exists. + +```ruby +describe aws_amplify_apps do + it { should exist } +end +``` + +Use `should_not` to test the entity does not exist. + +```ruby +describe aws_amplify_apps do + it { should_not exist } +end +``` + +### be_available + +Use `should` to check if the Amplify App is available. + +```ruby +describe aws_amplify_apps do + it { should be_available } +end +``` + +## AWS Permissions + +{{% inspec-aws/aws_permissions_principal action="Amplify:Client:ListAppsResult" %}} diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_amplify_branch.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_amplify_branch.md new file mode 100644 index 0000000..64c99ef --- /dev/null +++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_amplify_branch.md 
@@ -0,0 +1,135 @@ ++++ +title = "aws_amplify_branch resource" + +draft = false + + +[menu.aws] +title = "aws_amplify_branch" +identifier = "inspec/resources/aws/aws_amplify_branch resource" +parent = "inspec/resources/aws" ++++ + +Use the `aws_amplify_branch` InSpec audit resource to test the properties of a single specific AWS Amplify Branch. + +For additional information, including details on parameters and properties, see the [AWS documentation on AWS Amplify Branch](https://docs.aws.amazon.com/amplify/latest/APIReference/API_App.html). + +## Syntax + +Ensure that AWS Amplify Branch exists. + +```ruby +describe aws_amplify_branch(app_id: 'APP_ID', branch_name: 'BRANCH_NAME') do + it { should exist } +end +``` + +## Parameters + +`app_id` _(required)_ + +: The unique ID for an Amplify app. + +`branch_name` _(required)_ + +: The name for the branch that is part of an Amplify app. + +## Properties + +`branch_arn` +: The Amazon Resource Name (ARN) for a branch that is part of an Amplify app. + +`branch_name` +: The name for the branch that is part of an Amplify app. + +`description` +: The description for the branch that is part of an Amplify app. + +`tags` +: The tag for the branch of an Amplify app. + +`stage` +: The current stage for the branch that is part of an Amplify app. + +`display_name` +: The display_name for the Amplify Branch. + +`platform` +: The platform for the Amplify Branch. + +`create_time` +: Creates a date and time for the Amplify Branch. + +`update_time` +: Updates the date and time for the Amplify Branch. + +`environment_variables` +: The environment variables for the Amplify Branch. + +`enable_pull_request_preview` +: The app engine version to upgrade to. + +`custom_domain` +: The custom domain for the Amplify Branch. + +`pull_request_environment_name` +: Automatically disconnect a branch in the Amplify Console when you delete a branch from your Git repository. 
+ +`enable_basic_auth` +: Enables basic authorization for the Amplify Branch's branches. + +## Examples + +Ensure a branch arn is available: + +```ruby +describe aws_amplify_branch(app_id: 'APP_ID', branch_name: 'BRANCH_NAME') do + its('branch_arn') { should eq 'BRANCH_ARN' } +end +``` + +Ensure a branch name is available.: + +```ruby +describe aws_amplify_branch(app_id: 'APP_ID', branch_name: 'BRANCH_NAME') do + its('branch_name') { should eq 'BRANCH_NAME' } +end +``` + +## Matchers + +{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}} + +This resource has the following special matchers. + +### exist + +Use `should` to test that the entity exists. + +```ruby +describe aws_amplify_branch(app_id: 'APP_ID', branch_name: 'BRANCH_NAME') do + it { should exist } +end +``` + +Use `should_not` to test the entity does not exist. + +```ruby +describe aws_amplify_branch(app_id: 'APP_ID', branch_name: 'BRANCH_NAME') do + it { should_not exist } +end +``` + +### be_available + +Use `should` to check if the Amplify Branch is available. + +```ruby +describe aws_amplify_branch(app_id: 'APP_ID', branch_name: 'BRANCH_NAME') do + it { should be_available } +end +``` + +## AWS Permissions + +{{% inspec-aws/aws_permissions_principal action="Amplify:Client:GetBranchResult" %}} diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_amplify_branches.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_amplify_branches.md new file mode 100644 index 0000000..a5573c9 --- /dev/null +++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_amplify_branches.md 
@@ -0,0 +1,159 @@
++++
+title = "aws_amplify_branches resource"
+
+draft = false
+
+
+[menu.aws]
+title = "aws_amplify_branches"
+identifier = "inspec/resources/aws/aws_amplify_branches resource"
+parent = "inspec/resources/aws"
++++
+
+Use the `aws_amplify_branches` InSpec audit resource to test the properties of multiple AWS Amplify branches.
+
+For additional information, including details on parameters and properties, see the [AWS documentation on AWS Amplify branch](https://docs.aws.amazon.com/amplify/latest/APIReference/API_App.html).
+
+## Syntax
+
+Ensure that AWS Amplify branch exists.
+
+```ruby
+describe aws_amplify_branches(app_id: 'APP_ID') do
+ it { should exist }
+end
+```
+
+## Parameters
+
+`app_id` _(required)_
+
+: The unique ID for an Amplify app.
+
+## Properties
+
+`branch_arns`
+: The Amazon Resource Name (ARN) for a branch that is part of an Amplify app.
+
+: **Field**: `branch_arn`
+
+`branch_names`
+: The name for the branch that is part of an Amplify app.
+
+: **Field**: `branch_name`
+
+`descriptions`
+: The description for the branch that is part of an Amplify app.
+
+: **Field**: `description`
+
+`tags`
+: The tag for the branch of an Amplify app.
+
+: **Field**: `tags`
+
+`stage`
+: The current stage for the branch that is part of an Amplify app.
+
+: **Field**: `stage`
+
+`display_names`
+: The display_name for the Amplify branch.
+
+: **Field**: `display_name`
+
+`platforms`
+: The platform for the Amplify branch.
+
+: **Field**: `platform`
+
+`create_time`
+: Creates a date and time for the Amplify branch.
+
+: **Field**: `create_time`
+
+`update_time`
+: Updates the date and time for the Amplify branch.
+
+: **Field**: `update_time`
+
+`environment_variables`
+: The environment variables for the Amplify branch.
+
+: **Field**: `environment_variables`
+
+`enable_pull_request_preview`
+: The app engine version to upgrade to.
+
+: **Field**: `enable_pull_request_preview`
+
+`custom_domains`
+: The custom domain for the Amplify branch.
+
+: **Field**: `custom_domain`
+
+`pull_request_environment_names`
+: Automatically disconnect a branch in the Amplify Console when you delete a branch from your Git repository.
+
+: **Field**: `pull_request_environment_name`
+
+`enable_basic_auth`
+: Enables basic authorization for the Amplify branch's branches.
+
+: **Field**: `enable_basic_auth`
+
+## Examples
+
+Ensure a branch ID is available:
+
+```ruby
+describe aws_amplify_branches(app_id: 'APP_ID') do
+ its('branch_arns') { should include 'BranchARN' }
+end
+```
+
+Ensure a branch name is available:
+
+```ruby
+describe aws_amplify_branches(app_id: 'APP_ID') do
+ its('branch_names') { should include 'BranchName' }
+end
+```
+
+## Matchers
+
+{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}}
+
+The controls will pass if the `list` method returns at least one result.
+
+### exist
+
+Use `should` to test that the entity exists.
+
+```ruby
+describe aws_amplify_branches(app_id: 'APP_ID') do
+ it { should exist }
+end
+```
+
+Use `should_not` to test the entity does not exist.
+
+```ruby
+describe aws_amplify_branches(app_id: 'dummy') do
+ it { should_not exist }
+end
+```
+
+### be_available
+
+Use `should` to check if the Amplify branch is available.
+
+```ruby
+describe aws_amplify_branches(app_id: 'APP_ID') do
+ it { should be_available }
+end
+```
+
+## AWS Permissions
+
+{{% inspec-aws/aws_permissions_principal action="Amplify:Client:ListBranchesResult" %}}
diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_api_gateway_deployment.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_api_gateway_deployment.md
new file mode 100644
index 0000000..367077e
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_api_gateway_deployment.md
@@ -0,0 +1,113 @@
++++
+title = "aws_api_gateway_deployment resource"
+
+draft = false
+
+
+[menu.aws]
+title = "aws_api_gateway_deployment"
+identifier = "inspec/resources/aws/aws_api_gateway_deployment resource"
+parent = "inspec/resources/aws"
++++
+
+Use the `aws_api_gateway_deployment` InSpec audit resource to test properties of a single AWS ApiGateway Deployment.
+
+The AWS::ApiGateway::Deployment resource deploys an API Gateway RestApi resource to a stage so that clients can call the API over the internet. The stage acts as an environment.
+
+For additional information, including details on parameters and properties, see the [AWS ApiGateway Deployment documentation](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-apigateway-deployment.html).
+
+## Syntax
+
+Ensure that the deployment exists.
+
+```ruby
+describe aws_api_gateway_deployment(rest_api_id: 'REST_API_ID', deployment_id: 'DEPLOYMENT_ID') do
+ it { should exist }
+end
+```
+
+## Parameters
+
+`rest_api_id` _(required)_
+
+: The string identifier of the associated RestApi.
+
+`deployment_id` _(required)_
+
+: The identifier of the deployment resource to get information about.
+
+## Properties
+
+`id`
+: The identifier for the deployment resource.
+
+`description`
+: The description for the deployment resource.
+
+`created_date`
+: The date and time that the deployment resource was created.
+
+`api_summary`
+: A summary of the RestAPI at the date and time that the deployment resource was created.
+
+`api_summary (authorization_type)`
+: The method's authorization type. Valid values are `NONE` for open access, `AWS_IAM` for using AWS IAM permissions, `CUSTOM` for using a custom authorizer, or `COGNITO_USER_POOLS` for using a Cognito user pool.
+
+`api_summary (api_key_required)`
+: Specifies whether the method requires a valid ApiKey .
+
+## Examples
+
+Ensure that the deployment ID exists:
+
+```ruby
+describe aws_api_gateway_deployment(rest_api_id: 'REST_API_ID', deployment_id: 'DEPLOYMENT_ID') do
+ its('id') { should eq 'DEPLOYMENT_IDENTIFIER' }
+end
+```
+
+Check whether the API key is required for a particular deployment:
+
+```ruby
+describe aws_api_gateway_deployment(rest_api_id: 'REST_API_ID', deployment_id: 'DEPLOYMENT_ID') do
+ its('api_summary.api_key_required') { should eq false }
+end
+```
+
+## Matchers
+
+{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}}
+
+This resource has the following special matchers.
+
+### exist
+
+Use `should` to test that the entity exists.
+
+```ruby
+describe aws_api_gateway_deployment(rest_api_id: 'REST_API_ID', deployment_id: 'DEPLOYMENT_ID') do
+ it { should exist }
+end
+```
+
+Use `should_not` to test the entity does not exist.
+
+```ruby
+describe aws_api_gateway_deployment(rest_api_id: 'REST_API_ID', deployment_id: 'DEPLOYMENT_ID') do
+ it { should_not exist }
+end
+```
+
+### be_available
+
+Use `should` to check if the work_group name is available.
+
+```ruby
+describe aws_api_gateway_deployment(rest_api_id: 'REST_API_ID', deployment_id: 'DEPLOYMENT_ID') do
+ it { should be_available }
+end
+```
+
+## AWS Permissions
+
+{{% inspec-aws/aws_permissions_principal action="APIGateway:Client:Deployment" %}}
diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_api_gateway_deployments.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_api_gateway_deployments.md
new file mode 100644
index 0000000..b7a8ce4
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_api_gateway_deployments.md
@@ -0,0 +1,93 @@
++++
+title = "aws_api_gateway_deployments resource"
+
+draft = false
+
+
+[menu.aws]
+title = "aws_api_gateway_deployments"
+identifier = "inspec/resources/aws/aws_api_gateway_deployments resource"
+parent = "inspec/resources/aws"
++++
+
+Use the `aws_api_gateway_deployments` InSpec audit resource to test properties of multiple AWS ApiGateway Deployments.
+
+The AWS::ApiGateway::Deployment resource deploys an API Gateway RestAPI resource to a stage so that clients can call the API over the internet. The stage acts as an environment.
+
+For additional information, including details on parameters and properties, see the [AWS ApiGateway Deployment documentation](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-apigateway-deployment.html).
+
+## Syntax
+
+Ensure that the deployment exists.
+
+```ruby
+describe aws_api_gateway_deployments(rest_api_id: 'REST_API_ID') do
+ it { should exist }
+end
+```
+
+## Parameters
+
+`rest_api_id` _(required)_
+
+## Properties
+
+`ids`
+: The identifier for the deployment resource.
+
+`descriptions`
+: The description for the deployment resource.
+
+`created_dates`
+: The date and time that the deployment resource was created.
+
+`api_summaries`
+: A summary of the RestApi at the date and time that the deployment resource was created.
+
+## Examples
+
+Ensure that the deployment ID exists:
+
+```ruby
+describe aws_api_gateway_deployments(rest_api_id: 'REST_API_ID') do
+ its('ids') { should include 'DEPLOYMENT_ID' }
+end
+```
+
+## Matchers
+
+{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}}
+
+This resource has the following special matchers.
+
+### exist
+
+Use `should` to test that the entity exists.
+
+```ruby
+describe aws_api_gateway_deployments(rest_api_id: 'REST_API_ID') do
+ it { should exist }
+end
+```
+
+Use `should_not` to test the entity does not exist.
+
+```ruby
+describe aws_api_gateway_deployments(rest_api_id: 'REST_API_ID') do
+ it { should_not exist }
+end
+```
+
+### be_available
+
+Use `should` to check if the deployment is available.
+
+```ruby
+describe aws_api_gateway_deployments(rest_api_id: 'REST_API_ID') do
+ it { should be_available }
+end
+```
+
+## AWS Permissions
+
+{{% inspec-aws/aws_permissions_principal action="APIGateway:Client::Deployments" %}}
diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_api_gateway_documentation_part.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_api_gateway_documentation_part.md
new file mode 100644
index 0000000..2b8a2ea
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_api_gateway_documentation_part.md
@@ -0,0 +1,116 @@
++++
+title = "aws_api_gateway_documentation_part resource"
+
+draft = false
+
+
+[menu.aws]
+title = "aws_api_gateway_documentation_part"
+identifier = "inspec/resources/aws/aws_api_gateway_documentation_part resource"
+parent = "inspec/resources/aws"
++++
+
+Use the `aws_api_gateway_documentation_part` InSpec audit resource to test properties of a single documentation part for an AWS API Gateway.
+
+The `AWS::ApiGateway::DocumentationPart` resource creates a documentation part for an API.
+
+For additional information, including details on parameters and properties, see the [AWS ApiGateway Documentation Part](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-apigateway-documentationpart.html).
+
+## Syntax
+
+Ensure that the documentation part exists.
+
+```ruby
+describe aws_api_gateway_documentation_part(rest_api_id: 'REST_API_ID', documentation_part_id: 'DOCUMENTATION_PART_ID') do
+ it { should exist }
+end
+```
+
+## Parameters
+
+`rest_api_id` _(required)_
+
+: The string identifier of the associated REST API.
+
+`documentation_part_id` _(required)_
+
+: The identifier of the documentation part resource to get information about.
+
+## Properties
+
+`id`
+: The identifier for the documentation part resource.
+
+`location.type`
+: The type of API entity to which the documentation content applies.
+
+`location.path`
+: The URL path of the target.
+
+`location.method`
+: The HTTP verb of a method.
+
+`location.status_code`
+: The HTTP status code of a response.
+
+`location.name`
+: The name of the targeted API entity.
+
+`properties`
+: A content map of API-specific key-value pairs describing the targeted API entity.
+
+## Examples
+
+Ensure that the documentation part ID exists:
+
+```ruby
+describe aws_api_gateway_documentation_part(rest_api_id: 'REST_API_ID', documentation_part_id: 'DOCUMENTATION_PART_ID') do
+ its('id') { should eq 'DOCUMENTATION_PART_ID' }
+end
+```
+
+Check whether the API path exists for a documentation part:
+
+```ruby
+describe aws_api_gateway_documentation_part(rest_api_id: 'REST_API_ID', documentation_part_id: 'DOCUMENTATION_PART_ID') do
+ its('location.path') { should eq 'REQUEST_BODY' }
+end
+```
+
+## Matchers
+
+{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}}
+
+This resource has the following special matchers.
+
+### exist
+
+Use `should` to test that the entity exists.
+
+```ruby
+describe aws_api_gateway_documentation_part(rest_api_id: 'REST_API_ID', documentation_part_id: 'DOCUMENTATION_PART_ID') do
+ it { should exist }
+end
+```
+
+Use `should_not` to test the entity does not exist.
+
+```ruby
+describe aws_api_gateway_documentation_part(rest_api_id: 'REST_API_ID', documentation_part_id: 'DOCUMENTATION_PART_ID') do
+ it { should_not exist }
+end
+```
+
+### be_available
+
+Use `should` to check if the work_group name is available.
+
+```ruby
+describe aws_api_gateway_documentation_part(rest_api_id: 'REST_API_ID', documentation_part_id: 'DOCUMENTATION_PART_ID') do
+ it { should be_available }
+end
+```
+
+## AWS Permissions
+
+{{% inspec-aws/aws_permissions_principal action="APIGateway:Client:DocumentationPart" %}}
diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_api_gateway_documentation_parts.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_api_gateway_documentation_parts.md
new file mode 100644
index 0000000..f475912
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_api_gateway_documentation_parts.md
@@ -0,0 +1,104 @@
++++
+title = "aws_api_gateway_documentation_parts resource"
+
+draft = false
+
+
+[menu.aws]
+title = "aws_api_gateway_documentation_parts"
+identifier = "inspec/resources/aws/aws_api_gateway_documentation_parts resource"
+parent = "inspec/resources/aws"
++++
+
+Use the `aws_api_gateway_documentation_parts` InSpec audit resource to test properties of multiple documentation parts for an AWS API Gateway.
+
+The `AWS::ApiGateway::DocumentationParts` resource creates a documentation part for an API.
+
+For additional information, including details on parameters and properties, see the [AWS ApiGateway Documentation Part documentation](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-apigateway-documentationpart.html).
+
+## Syntax
+
+Ensure that the documentation part exists.
+
+```ruby
+describe aws_api_gateway_documentation_parts(rest_api_id: 'REST_API_ID') do
+ it { should exist }
+end
+```
+
+## Parameters
+
+`rest_api_id` _(required)_
+
+: The string identifier of the associated REST API.
+
+## Properties
+
+`ids`
+: The identifier for the documentation part resource.
+
+`types`
+: The type of API entity to which the documentation content applies.
+
+`paths`
+: The URL path of the target.
+
+`methods`
+: The HTTP verb of a method.
+
+`status_codes`
+: The HTTP status code of a response.
+
+`names`
+: The name of the targeted API entity.
+
+`properties`
+: A content map of API-specific key-value pairs describing the targeted API entity.
+
+## Examples
+
+Ensure that the documentation part ID exists:
+
+```ruby
+describe aws_api_gateway_documentation_parts(rest_api_id: 'REST_API_ID') do
+ its('ids') { should include 'DOCUMENTATION_PART_ID' }
+end
+```
+
+## Matchers
+
+{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}}
+
+This resource has the following special matchers.
+
+### exist
+
+Use `should` to test that the entity exists.
+
+```ruby
+describe aws_api_gateway_documentation_parts(rest_api_id: 'REST_API_ID') do
+ it { should exist }
+end
+```
+
+Use `should_not` to test the entity does not exist.
+
+```ruby
+describe aws_api_gateway_documentation_parts(rest_api_id: 'REST_API_ID') do
+ it { should_not exist }
+end
+```
+
+### be_available
+
+Use `should` to check if the documentation part is available.
+
+```ruby
+describe aws_api_gateway_documentation_parts(rest_api_id: 'REST_API_ID') do
+ it { should be_available }
+end
+```
+
+## AWS Permissions
+
+{{% inspec-aws/aws_permissions_principal action="APIGateway:Client::DocumentationParts" %}}
diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_api_gateway_documentation_version.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_api_gateway_documentation_version.md
new file mode 100644
index 0000000..f9e246a
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_api_gateway_documentation_version.md
@@ -0,0 +1,104 @@
++++
+title = "aws_api_gateway_documentation_version resource"
+
+draft = false
+
+
+[menu.aws]
+title = "aws_api_gateway_documentation_version"
+identifier = "inspec/resources/aws/aws_api_gateway_documentation_version resource"
+parent = "inspec/resources/aws"
++++
+
+Use the `aws_api_gateway_documentation_version` InSpec audit resource to test properties of a single AWS API Gateway documentation version.
+
+The `AWS::ApiGateway::DocumentationVersion` resource creates a documentation version for an API.
+
+For additional information, including details on parameters and properties, see the [AWS ApiGateway documentation version documentation](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-apigateway-documentationversion.html).
+
+## Syntax
+
+Ensure that the documentation version exists.
+
+```ruby
+describe aws_api_gateway_documentation_version(rest_api_id: 'REST_API_ID', documentation_version: 'DOCUMENTATION_VERSION') do
+ it { should exist }
+end
+```
+
+## Parameters
+
+`rest_api_id` _(required)_
+
+: The string identifier of the associated RestApi.
+
+`documentation_version` _(required)_
+
+: The identifier of the documentation version resource to get information about.
+
+## Properties
+
+`created_date`
+: The date when the API documentation snapshot is created.
+
+`version`
+: The version identifier of the API documentation snapshot.
+
+`description`
+: The description of the API documentation snapshot.
+
+## Examples
+
+Ensure that the documentation version ID exists:
+
+```ruby
+describe aws_api_gateway_documentation_version(rest_api_id: 'REST_API_ID', documentation_version: 'DOCUMENTATION_VERSION') do
+ its('version') { should eq 'VERSION' }
+end
+```
+
+Check whether the API path exist for a documentation version:
+
+```ruby
+describe aws_api_gateway_documentation_version(rest_api_id: 'REST_API_ID', documentation_version: 'DOCUMENTATION_VERSION') do
+ its('description') { should eq 'DESCRIPTION' }
+end
+```
+
+## Matchers
+
+{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}}
+
+This resource has the following special matchers.
+
+### exist
+
+Use `should` to test that the entity exists.
+
+```ruby
+describe aws_api_gateway_documentation_version(rest_api_id: 'REST_API_ID', documentation_version: 'DOCUMENTATION_VERSION') do
+ it { should exist }
+end
+```
+
+Use `should_not` to test the entity does not exist.
+
+```ruby
+describe aws_api_gateway_documentation_version(rest_api_id: 'REST_API_ID', documentation_version: 'DOCUMENTATION_VERSION') do
+ it { should_not exist }
+end
+```
+
+### be_available
+
+Use `should` to check if the entity is available.
+
+```ruby
+describe aws_api_gateway_documentation_version(rest_api_id: 'REST_API_ID', documentation_version: 'DOCUMENTATION_VERSION') do
+ it { should be_available }
+end
+```
+
+## AWS Permissions
+
+{{% inspec-aws/aws_permissions_principal action="APIGateway:Client:DocumentationVersion" %}}
diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_api_gateway_documentation_versions.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_api_gateway_documentation_versions.md
new file mode 100644
index 0000000..9ab9150
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_api_gateway_documentation_versions.md
@@ -0,0 +1,96 @@
++++
+title = "aws_api_gateway_documentation_versions resource"
+
+draft = false
+
+
+[menu.aws]
+title = "aws_api_gateway_documentation_versions"
+identifier = "inspec/resources/aws/aws_api_gateway_documentation_versions resource"
+parent = "inspec/resources/aws"
++++
+
+Use the `aws_api_gateway_documentation_versions` InSpec audit resource to test properties of multiple AWS API Gateway documentation versions.
+
+The `AWS::ApiGateway::DocumentationParts` resource creates a documentation versions for an API.
+
+For additional information, including details on parameters and properties, see the [AWS ApiGateway Documentation Version documentation](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-apigateway-documentationversion.html).
+
+## Syntax
+
+Ensure that the documentation version exists.
+
+```ruby
+describe aws_api_gateway_documentation_versions(rest_api_id: 'REST_API_ID') do
+ it { should exist }
+end
+```
+
+## Parameters
+
+`rest_api_id` _(required)_
+
+## Properties
+
+`created_dates`
+: The date when the API documentation snapshot is created.
+
+: **Field**: `created_date`
+
+`versions`
+: The version identifier of the API documentation snapshot.
+
+: **Field**: `version`
+
+`descriptions`
+: The description of the API documentation snapshot.
+
+: **Field**: `description`
+
+## Examples
+
+Ensure that the documentation versions ID exists:
+
+```ruby
+describe aws_api_gateway_documentation_versions(rest_api_id: 'REST_API_ID') do
+ its('versions') { should include 'VERSION' }
+end
+```
+
+## Matchers
+
+{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}}
+
+This resource has the following special matchers.
+
+### exist
+
+Use `should` to test that the entity exists.
+
+```ruby
+describe aws_api_gateway_documentation_versions(rest_api_id: 'REST_API_ID') do
+ it { should exist }
+end
+```
+
+Use `should_not` to test the entity does not exist.
+
+```ruby
+describe aws_api_gateway_documentation_versions(rest_api_id: 'REST_API_ID') do
+ it { should_not exist }
+end
+```
+
+### be_available
+
+Use `should` to check if the documentation versions is available.
+
+```ruby
+describe aws_api_gateway_documentation_versions(rest_api_id: 'REST_API_ID') do
+ it { should be_available }
+end
+```
+
+## AWS Permissions
+
+{{% inspec-aws/aws_permissions_principal action="APIGateway:Client::DocumentationVersions" %}}
diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_api_gateway_domain_name.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_api_gateway_domain_name.md
new file mode 100644
index 0000000..b11cac4
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_api_gateway_domain_name.md
@@ -0,0 +1,186 @@
++++
+title = "aws_api_gateway_domain_name resource"
+
+draft = false
+
+
+[menu.aws]
+title = "aws_api_gateway_domain_name"
+identifier = "inspec/resources/aws/aws_api_gateway_domain_name resource"
+parent = "inspec/resources/aws"
++++
+
+Use the `aws_api_gateway_domain_name` InSpec audit resource to test the properties of a single specific AWS API Gateway domain name.
+
+For additional information, including parameters and properties, see the [AWS documentation on AWS APIGateway DomainName](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-apigateway-domainname.html).
+
+## Syntax
+
+Ensure that the domain name exists.
+
+```ruby
+describe aws_api_gateway_domain_name(domain_name: 'DOMAIN_NAME') do
+ it { should exist }
+end
+```
+
+## Parameters
+
+`domain_name` _(required)_
+: The custom domain name as an API hostname. For example, my-api.example.com.
+
+## Properties
+
+`domain_name`
+: The custom domain name as an API hostname. For example, my-api.example.com.
+
+: **Field**: `domain_name`
+
+`certificate_name`
+: The certificate name used by the edge-optimized endpoint for this domain name.
+
+: **Field**: `certificate_name`
+
+`certificate_arn`
+: The reference to an AWS-managed certificate for use by the edge-optimized endpoint for this domain name. AWS Certificate Manager is the only supported source.
+
+: **Field**: `certificate_arn`
+
+`certificate_upload_date`
+: The timestamp when the certificate used by the edge-optimized endpoint for this domain name is uploaded.
+
+: **Field**: `certificate_upload_date`
+
+`regional_domain_name`
+: The domain name associated with the regional endpoint for this custom domain name. You can set up this association by adding a DNS record that points the custom domain name to this regional domain name. The regional domain name is returned by API Gateway when creating a regional endpoint.
+
+: **Field**: `regional_domain_name`
+
+`regional_hosted_zone_id`
+: The region-specific Amazon Route 53 Hosted Zone ID of the regional endpoint. For more information, see [Set up a Regional Custom Domain Name and AWS Regions and Endpoints for API Gateway](https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-regional-api-custom-domain-create.html).
+
+: **Field**: `regional_hosted_zone_id`
+
+`regional_certificate_name`
+: The certificate name used for validating the regional domain name.
+
+: **Field**: `regional_certificate_name`
+
+`regional_certificate_arn`
+: The reference to an AWS-managed certificate that is used to validate the regional domain name. AWS Certificate Manager is the only supported source.
+
+: **Field**: `regional_certificate_arn`
+
+`distribution_domain_name`
+: The Amazon CloudFront distribution domain name associated with this custom domain name for an edge-optimized endpoint. You can set up this association when adding a DNS record pointing the custom domain name to this distribution name. For more information about CloudFront distributions, see the [Amazon CloudFront documentation](https://docs.aws.amazon.com/cloudfront/index.html).
+
+: **Field**: `distribution_domain_name`
+
+`distribution_hosted_zone_id`
+: The region-agnostic Amazon Route 53 Hosted Zone ID of the edge-optimized endpoint. The valid value is `Z2FDTNDATAQYW2` for all the regions.
+
+: **Field**: `distribution_hosted_zone_id`
+
+`endpoint_configuration_types`
+: A list of the endpoint types of the domain name. The valid values are `EDGE` for edge-optimized API setup, most suitable for mobile applications; `REGIONAL` for regional API endpoint setup, most suitable for calling from AWS Region; and `PRIVATE` for private APIs.
+
+: **Field**: `endpoint_configuration.types`
+
+`endpoint_configuration_vpc_endpoint_ids`
+: A list of VpcEndpointIds of an API (RestApi) against which to create Route53 ALIASes. It is only supported for the `PRIVATE` endpoint type.
+
+: **Field**: `endpoint_configuration.vpc_endpoint_ids`
+
+`domain_name_status`
+: The status of the domain name migration. The valid values are `AVAILABLE` and `UPDATING`. If the status is `UPDATING`, the domain cannot be modified further until the existing operation is complete. If it is `AVAILABLE`, the domain can be updated.
+
+: **Field**: `domain_name_status`
+
+`domain_name_status_message`
+: An optional text message containing detailed information about the status of the domain name migration.
+
+: **Field**: `domain_name_status_message`
+
+`security_policy`
+: The Transport Layer Security (TLS) version and cipher suite for this domain name. The valid values are `TLS_1_0` and `TLS_1_2`.
+
+: **Field**: `security_policy`
+
+`tags`
+: The collection of tags.
+
+: **Field**: `tags`
+
+`mutual_tls_authentication.truststore_uri`
+: An Amazon S3 URL that specifies the truststore for mutual TLS authentication. For example, `s3://bucket-name/key-name`. The truststore can contain certificates from public or private certificate authorities. To update the truststore, upload a new version to S3 and update your custom domain name to use the new version. To update the truststore, you must have permission to access the S3 object.
+
+: **Field**: `mutual_tls_authentication.truststore_uri`
+
+`mutual_tls_authentication.truststore_version`
+: The version of the S3 object that contains your truststore. To specify a version, you must have versioning enabled for the S3 bucket.
+
+: **Field**: `mutual_tls_authentication.truststore_version`
+
+`mutual_tls_authentication_truststore_warnings`
+: A list of warnings that API Gateway returns while processing your truststore. Invalid certificates produce warnings. Mutual TLS is still enabled, but some clients might not be able to access your API. To resolve warnings, upload a new truststore to S3 and update your domain name to use the new version.
+
+: **Field**: `mutual_tls_authentication.truststore_warnings`
+
+`ownership_verification_certificate_arn`
+: The ARN of the public certificate issued by ACM to validate ownership of your custom domain.
+
+: **Field**: `ownership_verification_certificate_arn`
+
+## Examples
+
+### Test to ensure the domain name is available
+
+```ruby
+describe aws_api_gateway_domain_name(domain_name: 'DOMAIN_NAME') do
+ its('domain_name') { should eq 'DOMAIN_NAME' }
+end
+```
+
+### Test to ensure a regional hosted zone ID is available
+
+```ruby
+describe aws_api_gateway_domain_name(domain_name: 'DOMAIN_NAME') do
+ its('regional_hosted_zone_id') { should eq 'REGIONAL_HOSTED_ZONE_ID' }
+end
+```
+
+### Test to ensure the domain name status is `AVAILABLE`
+
+```ruby
+describe aws_api_gateway_domain_name(domain_name: 'DOMAIN_NAME') do
+ its('domain_name_status') { should eq 'AVAILABLE' }
+end
+```
+
+## Matchers
+
+{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}}
+
+The control passes if the `get` method returns at least one result.
+
+### exist
+
+Use `should` to test that the entity exists.
+
+```ruby
+describe aws_api_gateway_domain_name(domain_name: 'DOMAIN_NAME') do
+ it { should exist }
+end
+```
+
+Use `should_not` to test that the entity does not exist.
+
+```ruby
+describe aws_api_gateway_domain_name(domain_name: 'DOMAIN_NAME') do
+ it { should_not exist }
+end
+```
+
+## AWS Permissions
+
+{{% inspec-aws/aws_permissions_principal action="APIGateway:Client:DomainName" %}}
diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_api_gateway_domain_names.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_api_gateway_domain_names.md
new file mode 100644
index 0000000..e2e0f48
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_api_gateway_domain_names.md
@@ -0,0 +1,170 @@ ++++ +title = "aws_api_gateway_domain_names resource" + +draft = false + + +[menu.aws] +title = "aws_api_gateway_domain_names" +identifier = "inspec/resources/aws/aws_api_gateway_domain_names resource" +parent = "inspec/resources/aws" ++++ + +Use the `aws_api_gateway_domain_names` InSpec audit resource to test the properties of multiple AWS API Gateway domain names. + +For additional information, including parameters and properties, see the [AWS documentation on AWS APIGateway DomainName](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-apigateway-domainname.html). + +## Syntax + +Ensure that the domain name exists. + +```ruby +describe aws_api_gateway_domain_names do + it { should exist } +end +``` + +## Parameters + +This resource does not require any parameters. + +## Properties + +`domain_names` +: The custom domain name as an API hostname. For example, my-api.example.com. + +: **Field**: `domain_name` + +`certificate_names` +: The certificate name used by the edge-optimized endpoint for this domain name. + +: **Field**: `certificate_name` + +`certificate_arns` +: The reference to an AWS-managed certificate that is used by the edge-optimized endpoint for this domain name. AWS Certificate Manager is the only supported source. + +: **Field**: `certificate_arn` + +`certificate_upload_dates` +: The timestamp when the certificate used by the edge-optimized endpoint for this domain name is uploaded. + +: **Field**: `certificate_upload_date` + +`regional_domain_names` +: The domain name associated with the regional endpoint for this custom domain name. You can set up this association by adding a DNS record that points the custom domain name to this regional domain name. The regional domain name is returned by API Gateway when creating a regional endpoint. + +: **Field**: `regional_domain_name` + +`regional_hosted_zone_ids` +: The region-specific Amazon Route 53 Hosted Zone ID of the regional endpoint. 
For more information, see [Set up a Regional Custom Domain Name and AWS Regions and Endpoints for API Gateway](https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-regional-api-custom-domain-create.html). + +: **Field**: `regional_hosted_zone_id` + +`regional_certificate_names` +: The certificate name used for validating the regional domain name. + +: **Field**: `regional_certificate_name` + +`regional_certificate_arns` +: The reference to an AWS-managed certificate used to validate the regional domain name. AWS Certificate Manager is the only supported source. + +: **Field**: `regional_certificate_arn` + +`distribution_domain_names` +: The Amazon CloudFront distribution domain name associated with this custom domain name for an edge-optimized endpoint. You can set up this association when adding a DNS record pointing the custom domain name to this distribution name. For more information about CloudFront distributions, see the [Amazon CloudFront documentation](https://docs.aws.amazon.com/cloudfront/index.html). + +: **Field**: `distribution_domain_name` + +`distribution_hosted_zone_ids` +: The region-agnostic Amazon Route 53 Hosted Zone ID of the edge-optimized endpoint. + +: **Field**: `distribution_hosted_zone_id` + +`endpoint_configurations` +: The endpoint configuration of the domain name showing the endpoint types of the domain name. + +: **Field**: `endpoint_configuration` + +`domain_name_statuses` +: The status of the domain name migration. The valid values are `AVAILABLE` and `UPDATING`. If the status is `UPDATING`, the domain cannot be modified further until the existing operation is complete. If it is `AVAILABLE`, the domain can be updated. + +: **Field**: `domain_name_status` + +`domain_name_status_messages` +: An optional text message containing detailed information about the status of the domain name migration. 
+ +: **Field**: `domain_name_status_message` + +`security_policies` +: The Transport Layer Security (TLS) version and cipher suite for this domain name. The valid values are `TLS_1_0` and `TLS_1_2`. + +: **Field**: `security_policy` + +`tags` +: The collection of tags. + +: **Field**: `tags` + +`mutual_tls_authentications` +: The mutual TLS authentication configuration for a custom domain name. If specified, API Gateway performs two-way authentication between the client and the server. Clients must present a trusted certificate to access your API. + +: **Field**: `mutual_tls_authentication` + +`ownership_verification_certificate_arns` +: The ARN of the public certificate issued by ACM to validate ownership of your custom domain. + +: **Field**: `ownership_verification_certificate_arn` + +## Examples + +### Test to ensure the domain name is available + +```ruby +describe aws_api_gateway_domain_names do + its('domain_names') { should include 'DOMAIN_NAME' } +end +``` + +### Test to ensure a regional hosted zone ID is available + +```ruby +describe aws_api_gateway_domain_names do + its('regional_hosted_zone_ids') { should include 'REGIONAL_HOSTED_ZONE_ID' } +end +``` + +### Test to ensure that the domain name status includes `AVAILABLE` + +```ruby +describe aws_api_gateway_domain_names do + its('domain_name_statuses') { should include 'AVAILABLE' } +end +``` + +## Matchers + +{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}} + +The control passes if the `get` method returns at least one result. + +### exist + +Use `should` to test that the entity exists. + +```ruby +describe aws_api_gateway_domain_names do + it { should exist } +end +``` + +Use `should_not` to test that the entity does not exist. + +```ruby +describe aws_api_gateway_domain_names do + it { should_not exist } +end +``` + +## AWS Permissions + +{{% inspec-aws/aws_permissions_principal action="APIGateway:Client:DomainNames" %}} 
diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_api_gateway_method.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_api_gateway_method.md new file mode 100644 index 0000000..0e68538 --- /dev/null +++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_api_gateway_method.md 
@@ -0,0 +1,200 @@ ++++ +title = "aws_api_gateway_method resource" + +draft = false + + +[menu.aws] +title = "aws_api_gateway_method" +identifier = "inspec/resources/aws/aws_api_gateway_method resource" +parent = "inspec/resources/aws" ++++ + +Use the `aws_api_gateway_method` InSpec audit resource to test properties of a single API Gateway method. + +The AWS::ApiGateway::Method resource creates API Gateway methods that define the parameters and body that clients must send in their requests. + +For additional information, including details on parameters and properties, see the [AWS APIGateway Method documentation](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-apigateway-method.html). + +## Syntax + +Ensure that an API Gateway method exists. + +```ruby +describe aws_api_gateway_method(rest_api_id: 'REST_API_ID', resource_id: 'RESOURCE_ID', http_method: 'HTTP_METHOD') do + it { should exist } +end +``` + +## Parameters + +`rest_api_id` _(required)_ + +: The ID of the RestApi resource in which API Gateway creates the method. + +`resource_id` _(required)_ + +: The ID of an API Gateway resource. For root resource methods, specify the RestApi root resource ID, such as `{ "Fn::GetAtt": ["MyRestApi", "RootResourceId"] }`. + +`http_method` _(required)_ + +: The HTTP method that clients use to call this method. + +## Properties + +`http_method` +: The HTTP method that clients use to call this method. + +`authorization_type` +: The method's authorization type. Valid values are `NONE` for open access, `AWS_IAM` for using AWS IAM permissions, `CUSTOM` for using a custom authorizer, or `COGNITO_USER_POOLS` for using a Cognito user pool. + +`authorizer_id` +: The identifier of an Authorizer to use on this method. The authorizationType must be `CUSTOM`. + +`api_key_required` +: A boolean flag specifying whether a valid ApiKey is required to invoke this method. + +`request_validator_id` +: The identifier of a `RequestValidator` for request validation. 
+ +`operation_name` +: A human-friendly operation identifier for the method. + +`request_parameters` +: A key-value map defining required or optional method request parameters that can be accepted by API Gateway. + + A key is a method request parameter name matching the pattern of `method.request.{location}.{name}`, where the `location` is querystring, path, or header, and `name` is a valid and unique parameter name. + + The value associated with the key is a Boolean flag indicating whether the parameter is required (`true`) or optional (`false`). + + The method request parameter names defined here are available in `Integration` to be mapped to integration request parameters or templates. + +`request_models` +: A key-value map specifying data schemas, represented by `Model` resources, (as the mapped value) of the request payloads of given content types (as the mapping key). + +`method_responses (status_code)` +: The method response's status code. + +`method_responses (response_parameters)` +: A key-value map specifying required or optional response parameters that API Gateway can send back to the caller. + +`method_responses (response_models)` +: Specifies the `Model` resources used for the response's content-type. Response models are represented as a key/value map, with a content-type as the key and a Model name as the value. + +`method_integration (type)` +: Specifies an API method integration type. + +`method_integration (http_method)` +: Specifies the integration's HTTP method type. + +`method_integration (uri)` +: Specifies Uniform Resource Identifier (URI) of the integration endpoint. + +`method_integration (connection_type)` +: The type of the network connection to the integration endpoint. The valid value is `INTERNET` for connections through the public routable internet or `VPC_LINK` for private connections between API Gateway and a network load balancer in a VPC. The default value is `INTERNET`. 
+ +`method_integration (connection_id)` +: The ID of the VpcLink used for the integration when `connectionType=VPC_LINK`, otherwise undefined. + +`method_integration (credentials)` +: Specifies the credentials required for the integration, if any. For AWS integrations, three options are available. To specify an IAM Role for API Gateway to assume, use the role's Amazon Resource Name (ARN). To require that the caller's identity be passed through from the request, specify the string `arn:aws:iam::*:user/*`. To use resource-based permissions on supported AWS services, specify `null`. + +`method_integration (request_parameters)` +: A key-value map specifying request parameters that are passed from the method request to the back end. The key is an integration request parameter name and the associated value is a method request parameter value or static value that must be enclosed within single quotes and pre-encoded as required by the back end. The method request parameter value must match the pattern of `method.request.{location}.{name}`, where the `location` is querystring, path, or header, and `name` must be a valid and unique method request parameter name. + +`method_integration (request_templates)` +: Represents a map of Velocity templates that are applied on the request payload based on the value of the Content-Type header sent by the client. The content type value is the key in this map, and the template (as a String) is the value. + +`method_integration (passthrough_behavior)` +: Specifies how the method request body of an unmapped content type will be passed through the integration request to the back end without transformation. + +`method_integration (content_handling)` +: Specifies how to handle request payload content type conversions. Supported values are `CONVERT_TO_BINARY` and `CONVERT_TO_TEXT`. + +`method_integration (timeout_in_millis)` +: Custom timeout between 50 and 29,000 milliseconds as an integer. 
The default value is 29,000 milliseconds or 29 seconds. + +`method_integration (cache_namespace)` +: Specifies a group of related cached parameters. By default, API Gateway uses the resource ID as the `cacheNamespace`. You can specify the same `cacheNamespace` across resources to return the same cached data for requests to different resources. + +`method_integration (cache_key_parameters)` +: A list of request parameters whose values API Gateway caches. To be valid, values for `cacheKeyParameters` must also be specified `requestParameters`. + +`method_integration (integration_responses (status_code))` +: Specifies the status code that is used to map the integration response to a `MethodResponse`. + +`method_integration (integration_responses (selection_pattern))` +: Specifies the regular expression pattern used to choose an integration response based on the response from the back end. + +`method_integration (integration_responses (response_parameters))` +: A key-value map specifying response parameters that are passed to the method response from the back end. + + The key is a method response header parameter name, and the mapped value is an integration response header value, a static value enclosed within a pair of single quotes, or a JSON expression from the integration response body. The mapping key must match the pattern of `method.response.header.{name}`, where `name` is a valid and unique header name. The mapped non-static value must match the pattern of `integration.response.header.{name}` or `integration.response.body.{JSON-expression}`, where `name` is a valid and unique response header name and `JSON-expression` is a valid JSON expression without the `$` prefix. + +`method_integration (integration_responses (response_templates))` +: Specifies the templates used to transform the integration response body. Response templates are represented as a key/value map, with a content-type as the key and a template as the value. 
+ +`method_integration (integration_responses (content_handling))` +: Specifies how to handle response payload content type conversions. Supported values are `CONVERT_TO_BINARY` and `CONVERT_TO_TEXT`. + +`method_integration (tls_config (insecure_skip_verification))` +: Specifies whether or not API Gateway skips verification that the certificate for an integration endpoint is issued by a supported certificate authority. + +`authorization_scopes` +: A list of authorization scopes configured on the method. + +## Examples + +Ensure a HTTP method is a GET request: + +```ruby +describe aws_api_gateway_method(rest_api_id: 'REST_API_ID', resource_id: 'RESOURCE_ID', http_method: 'GET') do + its('http_method') { should eq 'GET' } +end +``` + +Ensure that the connection type is 'INTERNET': + +```ruby +describe aws_api_gateway_method(rest_api_id: 'REST_API_ID', resource_id: 'RESOURCE_ID', http_method: 'HTTP_METHOD') do + its('method_integration.connection_type') { should eq 'INTERNET' } +end +``` + +## Matchers + +{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}} + +This resource has the following special matchers. + +### exist + +Use `should` to test that the entity exists. + +```ruby +describe aws_api_gateway_method(rest_api_id: 'REST_API_ID', resource_id: 'RESOURCE_ID', http_method: 'HTTP_METHOD') do + it { should exist } +end +``` + +Use `should_not` to test the entity does not exist. + +```ruby +describe aws_api_gateway_method(rest_api_id: 'REST_API_ID', resource_id: 'RESOURCE_ID', http_method: 'HTTP_METHOD') do + it { should_not exist } +end +``` + +### be_available + +Use `should` to check if the work_group name is available. + +```ruby +describe aws_api_gateway_method(rest_api_id: 'REST_API_ID', resource_id: 'RESOURCE_ID', http_method: 'HTTP_METHOD') do + it { should be_available } +end +``` + +## AWS Permissions + +{{% inspec-aws/aws_permissions_principal action="APIGateway:Client::client:Method" %}} 
diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_api_gateway_methods.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_api_gateway_methods.md new file mode 100644 index 0000000..a0e76c0 --- /dev/null +++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_api_gateway_methods.md 
@@ -0,0 +1,130 @@ ++++ +title = "aws_api_gateway_methods resource" + +draft = false + + +[menu.aws] +title = "aws_api_gateway_methods" +identifier = "inspec/resources/aws/aws_api_gateway_methods resource" +parent = "inspec/resources/aws" ++++ + +Use the `aws_api_gateway_methods` InSpec audit resource to test properties of multiple API Gateway methods. + +The AWS::ApiGateway::Method resource creates API Gateway methods that define the parameters and body that clients must send in their requests. + +For additional information, including details on parameters and properties, see the [AWS APIGateway Method documentation](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-apigateway-method.html). + +## Syntax + +Ensure that a API Gateway method exists. + +```ruby +describe aws_api_gateway_method(rest_api_id: 'REST_API_ID', resource_id: 'RESOURCE_ID', http_method: 'HTTP_METHOD') do + it { should exist } +end +``` + +## Parameters + +`rest_api_id` _(required)_ + +: The ID of the RestApi resource in which API Gateway creates the method. + +`resource_id` _(required)_ + +: The ID of an API Gateway resource. For root resource methods, specify the RestApi root resource ID, such as `{ "Fn::GetAtt": ["MyRestApi", "RootResourceId"] }`. + +`http_method` _(required)_ + +: The HTTP method that clients use to call this method. + +## Properties + +`http_methods` +: The HTTP method that clients use to call this method. + +`authorization_types` +: The method's authorization type. Valid values are `NONE` for open access, `AWS_IAM` for using AWS IAM permissions, `CUSTOM` for using a custom authorizer, or `COGNITO_USER_POOLS` for using a Cognito user pool. + +`authorizer_ids` +: The identifier of an Authorizer to use on this method. The authorizationType must be `CUSTOM`. + +`api_key_required` +: A boolean flag specifying whether a valid ApiKey is required to invoke this method. 
+ +`request_validator_ids` +: The identifier of a `RequestValidator` for request validation. + +`operation_names` +: A human-friendly operation identifier for the method. + +`request_parameters` +: A key-value map defining required or optional method request parameters that can be accepted by API Gateway. + + A key is a method request parameter name matching the pattern of `method.request.{location}.{name}`, where the `location` is querystring, path, or header, and `name` is a valid and unique parameter name. + + The value associated with the key is a Boolean flag indicating whether the parameter is required (`true`) or optional (`false`). + + The method request parameter names defined here are available in `Integration` to be mapped to integration request parameters or templates. + +`request_models` +: A key-value map specifying data schemas, represented by `Model` resources, (as the mapped value) of the request payloads of given content types (as the mapping key). + +`method_responses` +: Gets a method response associated with a given HTTP status code. + +`method_integrations` +: Gets the method's integration responsible for passing the client-submitted request to the back end and performing necessary transformations to make the request compliant with the back end. + +`authorization_scopes` +: A list of authorization scopes configured on the method. + +## Examples + +Ensure an HTTP method is a GET request: + +```ruby +describe aws_api_gateway_methods(rest_api_id: 'REST_API_ID', resource_id: 'RESOURCE_ID', http_method: 'HTTP_METHOD') do + its('http_method') { should include 'GET' } +end +``` + +## Matchers + +{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}} + +This resource has the following special matchers. + +### exist + +Use `should` to test that the entity exists. 
+ +```ruby +describe aws_api_gateway_methods(rest_api_id: 'REST_API_ID', resource_id: 'RESOURCE_ID', http_method: 'HTTP_METHOD') do + it { should exist } +end +``` + +Use `should_not` to test the entity does not exist. + +```ruby +describe aws_api_gateway_methods(rest_api_id: 'REST_API_ID', resource_id: 'RESOURCE_ID', http_method: 'HTTP_METHOD') do + it { should_not exist } +end +``` + +### be_available + +Use `should` to check if the method name is available. + +```ruby +describe aws_api_gateway_methods(rest_api_id: 'REST_API_ID', resource_id: 'RESOURCE_ID', http_method: 'HTTP_METHOD') do + it { should be_available } +end +``` + +## AWS Permissions + +{{% inspec-aws/aws_permissions_principal action="APIGateway:Client:Methods" %}} diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_api_gateway_model.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_api_gateway_model.md new file mode 100644 index 0000000..14ba708 --- /dev/null +++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_api_gateway_model.md 
@@ -0,0 +1,116 @@ ++++ +title = "aws_api_gateway_model resource" + +draft = false + + +[menu.aws] +title = "aws_api_gateway_model" +identifier = "inspec/resources/aws/aws_api_gateway_model resource" +parent = "inspec/resources/aws" ++++ + +Use the `aws_api_gateway_model` Chef InSpec audit resource to test properties of a single AWS API Gateway model. + +The `AWS::ApiGateway::Model` resource defines the structure of a request or response payload for an API method. + +For additional information, including details on parameters and properties, see the [AWS documentation on `AWS::APIGateway::Model` resource](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-apigateway-model.html). + +## Syntax + +Ensure that the model exists. + +```ruby +describe aws_api_gateway_model(rest_api_id: 'REST_API_ID', model_name: 'MODEL_NAME') do + it { should exist } +end +``` + +## Parameters + +`rest_api_id` _(required)_ + +: The ID of a REST API associated with this model. + +`model_name` _(required)_ + +: A name for the model. + +## Properties + +`id` +: The identifier for the model resource. + +`name` +: The name of the model. Must be an alphanumeric string. + +`description` +: The description of the model. + +`schema` +: The schema for the model. For `application/json` models, this should be [JSON schema draft 4](https://tools.ietf.org/html/draft-zyp-json-schema-04) model. + +`content_type` +: The content-type for the model. 
+ +## Examples + +Ensure an ID is available: + +```ruby +describe aws_api_gateway_model(rest_api_id: 'REST_API_ID', model_name: 'MODEL_NAME') do + its('id') { should eq 'MODEL_ID' } +end +``` + +Ensure a name is available: + +```ruby +describe aws_api_gateway_model(rest_api_id: 'REST_API_ID', model_name: 'MODEL_NAME') do + its('name') { should eq 'MODEL_NAME' } +end +``` + +Ensure a description is available: + +```ruby +describe aws_api_gateway_model(rest_api_id: 'REST_API_ID', model_name: 'MODEL_NAME') do + its('description') { should eq 'MODEL_DESCRIPTION' } +end +``` + +Ensure a content type is available: + +```ruby +describe aws_api_gateway_model(rest_api_id: 'REST_API_ID', model_name: 'MODEL_NAME') do + its('content_type') { should eq 'CONTENT_TYPE' } +end +``` + +## Matchers + +{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}} + +This resource has the following special matchers. + +### exist + +Use `should` to test that the entity exists. + +```ruby +describe aws_api_gateway_model(rest_api_id: 'REST_API_ID', model_name: 'MODEL_NAME') do + it { should exist } +end +``` + +Use `should_not` to test the entity does not exist. + +```ruby +describe aws_api_gateway_model(rest_api_id: 'REST_API_ID', model_name: 'MODEL_NAME') do + it { should_not exist } +end +``` + +## AWS Permissions + +{{% inspec-aws/aws_permissions_principal action="ApiGateway:Client:Model" %}} diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_api_gateway_models.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_api_gateway_models.md new file mode 100644 index 0000000..b103b80 --- /dev/null +++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_api_gateway_models.md 
@@ -0,0 +1,122 @@ ++++ +title = "aws_api_gateway_models resource" + +draft = false + + +[menu.aws] +title = "aws_api_gateway_models" +identifier = "inspec/resources/aws/aws_api_gateway_models resource" +parent = "inspec/resources/aws" ++++ + +Use the `aws_api_gateway_models` Chef InSpec audit resource to test properties of the plural resource of AWS API Gateway model. + +The `AWS::ApiGateway::Model` resource defines the structure of a request or response payload for an API method. + +For additional information, including details on parameters and properties, see the [AWS documentation on `AWS::APIGateway::Model` resource](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-apigateway-model.html). + +## Syntax + +Ensure that the model exists. + +```ruby +describe aws_api_gateway_models(rest_api_id: 'REST_API_ID') do + it { should exist } +end +``` + +## Parameters + +`rest_api_id` _(required)_ + +: The ID of a REST API associated with this model. + +## Properties + +`ids` +: The identifier for the model resource. + +: **Field**: `id` + +`names` +: The name of the model. Must be an alphanumeric string. + +: **Field**: `name` + +`descriptions` +: The description of the model. + +: **Field**: `description` + +`schemas` +: The schema for the model. For `application/json` models, this should be [JSON schema draft 4](https://tools.ietf.org/html/draft-zyp-json-schema-04) model. + +: **Field**: `schema` + +`content_types` +: The content-type for the model. 
+ +: **Field**: `content_type` + +## Examples + +Ensure an ID is available: + +```ruby +describe aws_api_gateway_model(rest_api_id: 'REST_API_ID', model_name: 'MODEL_NAME') do + its('ids') { should include 'MODEL_ID' } +end +``` + +Ensure a name is available: + +```ruby +describe aws_api_gateway_model(rest_api_id: 'REST_API_ID', model_name: 'MODEL_NAME') do + its('names') { should include 'MODEL_NAME' } +end +``` + +Ensure a description is available: + +```ruby +describe aws_api_gateway_model(rest_api_id: 'REST_API_ID', model_name: 'MODEL_NAME') do + its('descriptions') { should include 'MODEL_DESCRIPTION' } +end +``` + +Ensure a content type is available: + +```ruby +describe aws_api_gateway_model(rest_api_id: 'REST_API_ID', model_name: 'MODEL_NAME') do + its('content_types') { should include 'CONTENT_TYPE' } +end +``` + +## Matchers + +{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}} + +This resource has the following special matchers. + +### exist + +Use `should` to test that the entity exists. + +```ruby +describe aws_api_gateway_models(rest_api_id: 'REST_API_ID') do + it { should exist } +end +``` + +Use `should_not` to test the entity does not exist. + +```ruby +describe aws_api_gateway_models(rest_api_id: 'REST_API_ID') do + it { should_not exist } +end +``` + +## AWS Permissions + +{{% inspec-aws/aws_permissions_principal action="ApiGateway:Client:Models" %}} diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_api_gateway_request_validator.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_api_gateway_request_validator.md new file mode 100644 index 0000000..bb2d767 --- /dev/null +++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_api_gateway_request_validator.md 
@@ -0,0 +1,97 @@ ++++ +title = "aws_api_gateway_request_validator resource" + +draft = false + + +[menu.aws] +title = "aws_api_gateway_request_validator" +identifier = "inspec/resources/aws/aws_api_gateway_request_validator resource" +parent = "inspec/resources/aws" ++++ + +Use the `aws_api_gateway_request_validator` InSpec audit resource to test the properties of a single API Gateway request validator. + +The AWS::ApiGateway::RequestValidator resource sets up basic validation rules for incoming integration requests to your API. + +For additional information, including details on parameters and properties, see the [AWS APIGateway RequestValidator documentation](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-apigateway-requestvalidator.html). + +## Syntax + +Ensure that an API Gateway request validator exists. + +```ruby +describe aws_api_gateway_request_validator(rest_api_id: 'API_ID', request_validator_id: 'API_REQUEST_ID') do + it { should exist } +end +``` + +## Parameters + +`rest_api_id` _(required)_ + +: The string identifier of the associated RestApi entity. + +`request_validator_id` _(required)_ + +: The identifier of the RequestValidator to be retrieved. + +## Properties + +`id` +: The identifier of this RequestValidator. + +`name` +: The name of this RequestValidator. + +`validate_request_body` +: A Boolean flag to indicate whether to validate a request body according to the configured model schema for the method (`true`) or not (`false`). + +`validate_request_parameters` +: A Boolean flag to indicate whether to validate request parameters (`true`) or not (`false`). 
+ +## Examples + +### Test to ensure a request validator ID is present + +```ruby +describe aws_api_gateway_request_validator(rest_api_id: 'API_ID', request_validator_id: 'API_REQUEST_ID') do + its('id') { should eq 'REQUEST_ID' } +end +``` + +### Test to ensure that the request body is 'true' + +```ruby +describe aws_api_gateway_request_validator(rest_api_id: 'API_ID', request_validator_id: 'API_REQUEST_ID') do + its('validate_request_body') { should eq true } +end +``` + +## Matchers + +This InSpec audit resource has the following special matchers. For a full list of available matchers, please visit our [Universal Matchers page](https://www.inspec.io/docs/reference/matchers/). + +The control passes if the `get` method returns at least one result. + +### exist + +Use `should` to test that the entity exists. + +```ruby +describe aws_api_gateway_request_validator(rest_api_id: 'API_ID', request_validator_id: 'API_REQUEST_ID') do + it { should exist } +end +``` + +Use `should_not` to test the entity does not exist. + +```ruby +describe aws_api_gateway_request_validator(rest_api_id: 'API_ID', request_validator_id: 'API_REQUEST_ID') do + it { should_not exist } +end +``` + +## AWS Permissions + +{{% inspec-aws/aws_permissions_principal action="APIGateway:Client:RequestValidator" %}} diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_api_gateway_request_validators.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_api_gateway_request_validators.md new file mode 100644 index 0000000..ec45a12 --- /dev/null +++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_api_gateway_request_validators.md 
@@ -0,0 +1,111 @@ ++++ +title = "aws_api_gateway_request_validators resource" + +draft = false + + +[menu.aws] +title = "aws_api_gateway_request_validators" +identifier = "inspec/resources/aws/aws_api_gateway_request_validators resource" +parent = "inspec/resources/aws" ++++ + +Use the `aws_api_gateway_request_validators` Chef InSpec audit resource to the test properties of multiple AWS API Gateway request validators. + +The AWS::ApiGateway::RequestValidator resource sets up basic validation rules for incoming requests to your API. + +For additional information, including details on parameters and properties, see the [AWS APIGateway RequestValidator documentation](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-apigateway-requestvalidator.html). + +## Syntax + +Ensure that an API Gateway request validator exists. + +```ruby +describe aws_api_gateway_request_validators(rest_api_id: 'API_ID') do + it { should exist } +end +``` + +## Parameters + +`rest_api_id` _(required)_ + +: The string identifier of the associated RestApi. + +## Properties + +`id` +: The identifier of this RequestValidator. + +: **Field**: `id` + +`name` +: The name of this RequestValidator. + +: **Field**: `name` + +`validate_request_body` +: A Boolean flag to indicate whether to validate a request body according to the configured model schema. + +: **Field**: `validate_request_body` + +`validate_request_parameters` +: A Boolean flag to indicate whether to validate request parameters (`true`) or not (`false`). 
+ +: **Field**: `validate_request_parameters` + +## Examples + +### Test to ensure a request validator ID is present + +```ruby +describe aws_api_gateway_request_validators(rest_api_id: 'API_ID') do + its('ids') { should include 'REQUEST_ID' } +end +``` + +### Test to ensure the request body is 'true' + +```ruby +describe aws_api_gateway_request_validators(rest_api_id: 'API_ID') do + its('validate_request_bodies') { should include true } +end +``` + +## Matchers + +This InSpec audit resource has the following special matchers. For a full list of available matchers, please visit our [Universal Matchers page](https://www.inspec.io/docs/reference/matchers/). + +The control passes if the `get` method returns at least one result. + +### exist + +Use `should` to test that the entity exists. + +```ruby +describe aws_api_gateway_method(rest_api_id: 'API_ID', resource_id: 'RESOURCE_ID', http_method: 'HTTP') do + it { should exist } +end +``` + +Use `should_not` to test the entity does not exist. + +```ruby +describe aws_api_gateway_method(rest_api_id: 'API_ID', resource_id: 'RESOURCE_ID', http_method: 'HTTP') do + it { should_not exist } +end +``` + +### be_available + +Use `should` to check if the work_group name is available. + +```ruby +describe aws_api_gateway_method(rest_api_id: 'API_ID', resource_id: 'RESOURCE_ID', http_method: 'HTTP') do + it { should be_available } +end +``` + +## AWS Permissions + +{{% inspec-aws/aws_permissions_principal action="APIGateway:Client:RequestValidators" %}} diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_api_gateway_resource.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_api_gateway_resource.md new file mode 100644 index 0000000..e1d039d --- /dev/null +++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_api_gateway_resource.md 
@@ -0,0 +1,116 @@ ++++ +title = "aws_api_gateway_resource resource" + +draft = false + + +[menu.aws] +title = "aws_api_gateway_resource" +identifier = "inspec/resources/aws/aws_api_gateway_resource resource" +parent = "inspec/resources/aws" ++++ + +Use the `aws_api_gateway_resource` InSpec audit resource to test the properties of a single specific AWS API Gateway Resource. + +For additional information, including parameters and properties, see the [AWS documentation on AWS APIGateway Resource](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-apigateway-resource.html). + +## Syntax + +Ensure that the resource exists. + +```ruby +describe aws_api_gateway_resource(rest_api_id: 'REST_API_ID', resource_id: 'RESOURCE_ID') do + it { should exist } +end +``` + +## Parameters + +`rest_api_id` _(required)_ + +: The string identifier of the associated RestApi. + +`resource_id` _(required)_ + +: The identifier for the Resource resource. + +## Properties + +`id` +: The resource's identifier. + +: **Field**: `id` + +`parent_id` +: The parent resource's identifier. + +: **Field**: `parent_id` + +`path_part` +: The last path segment for this resource. + +: **Field**: `path_part` + +`path` +: The full path for this resource. + +: **Field**: `path` + +`resource_methods` +: Gets an API resource's method of a given HTTP verb. 
+ +: **Field**: `resource_methods` + +## Examples + +### Test to ensure a resource ID is available + +```ruby +describe aws_api_gateway_resource(rest_api_id: 'REST_API_ID', resource_id: 'RESOURCE_ID') do + its('id') { should eq 'RESOURCE_ID' } +end +``` + +### Test to ensure a resource path is available + +```ruby +describe aws_api_gateway_resource(rest_api_id: 'REST_API_ID', resource_id: 'RESOURCE_ID') do + its('path') { should eq '/' } +end +``` + +### Test to ensure a resource parent ID is available + +```ruby +describe aws_api_gateway_resource(rest_api_id: 'REST_API_ID', resource_id: 'RESOURCE_ID') do + its('parent_id') { should eq 'PARENT_ID' } +end +``` + +## Matchers + +{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}} + +The control passes if the `get` method returns at least one result. + +### exist + +Use `should` to test that the entity exists. + +```ruby +describe aws_api_gateway_resource(rest_api_id: 'REST_API_ID', resource_id: 'RESOURCE_ID') do + it { should exist } +end +``` + +Use `should_not` to test that the entity does not exist. + +```ruby +describe aws_api_gateway_resource(rest_api_id: 'REST_API_ID', resource_id: 'RESOURCE_ID') do + it { should_not exist } +end +``` + +## AWS Permissions + +{{% inspec-aws/aws_permissions_principal action="APIGateway:Client:Resource" %}} diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_api_gateway_resources.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_api_gateway_resources.md new file mode 100644 index 0000000..e872051 --- /dev/null +++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_api_gateway_resources.md 
@@ -0,0 +1,112 @@ ++++ +title = "aws_api_gateway_resources resource" + +draft = false + + +[menu.aws] +title = "aws_api_gateway_resources" +identifier = "inspec/resources/aws/aws_api_gateway_resources resource" +parent = "inspec/resources/aws" ++++ + +Use the `aws_api_gateway_resources` Chef InSpec audit resource to test the properties of multiple AWS API Gateway Resources. + +For additional information, including parameters and properties, see the [AWS documentation on AWS APIGateway Resource](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-apigateway-resource.html). + +## Syntax + +Ensure that the resource exists. + +```ruby +describe aws_api_gateway_resources(rest_api_id: 'REST_API_ID') do + it { should exist } +end +``` + +## Parameters + +`rest_api_id` _(required)_ + +: The string identifier of the associated RestApi. + +## Properties + +`ids` +: The resource's identifier. + +: **Field**: `id` + +`parent_ids` +: The parent resource's identifier. + +: **Field**: `parent_id` + +`path_parts` +: The last path segment for this resource. + +: **Field**: `path_part` + +`paths` +: The full path for this resource. + +: **Field**: `path` + +`resource_methods` +: Gets an API resource's method of a given HTTP verb. + +: **Field**: `resource_methods` + +## Examples + +### Test to ensure the resource is present + +```ruby +describe aws_api_gateway_resources(rest_api_id: 'REST_API_ID') do + its('ids') { should include 'RESOURCE_ID' } +end +``` + +### Test to ensure the parent ID is present + +```ruby +describe aws_api_gateway_resources(rest_api_id: 'REST_API_ID') do + its('parent_ids') { should include 'PARENT_ID' } +end +``` + +### Test to ensure the path includes `/` + +```ruby +describe aws_api_gateway_resources(rest_api_id: 'REST_API_ID') do + its('paths') { should include "/" } +end +``` + +## Matchers + +This InSpec audit resource has the following special matchers. 
For a full list of available matchers, please visit our [Universal Matchers page](https://www.inspec.io/docs/reference/matchers/). + +The control passes if the `get` method returns at least one result. + +### exist + +Use `should` to test that the entity exists. + +```ruby +describe aws_api_gateway_resources(rest_api_id: 'REST_API_ID') do + it { should exist } +end +``` + +Use `should_not` to test that the entity does not exist. + +```ruby +describe aws_api_gateway_resources(rest_api_id: 'REST_API_ID') do + it { should_not exist } +end +``` + +## AWS Permissions + +{{% inspec-aws/aws_permissions_principal action="APIGateway:Client:Resources" %}} diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_api_gateway_response.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_api_gateway_response.md new file mode 100644 index 0000000..91d1ac0 --- /dev/null +++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_api_gateway_response.md 
@@ -0,0 +1,100 @@ ++++ +title = "aws_api_gateway_response resource" + +draft = false + + +[menu.aws] +title = "aws_api_gateway_response" +identifier = "inspec/resources/aws/aws_api_gateway_response resource" +parent = "inspec/resources/aws" ++++ + +Use the `aws_api_gateway_response` Chef InSpec audit resource to test properties of a single AWS API Gateway gateway response. + +The `AWS::ApiGateway::GatewayResponse` resource creates a gateway response for your API. + +For additional information, including details on parameters and properties, see the [AWS documentation on the `AWS::APIGateway::GatewayResponse` resource](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-apigateway-gatewayresponse.html). + +## Syntax + +Ensure that the response exists. + +```ruby +describe aws_api_gateway_response(rest_api_id: 'REST_API_ID', response_type: 'RESPONSE_TYPE') do + it { should exist } +end +``` + +## Parameters + +`rest_api_id` _(required)_ + +: The string identifier of the associated REST API. + +`response_type` _(required)_ + +: The response type of the associated gateway response. + +## Properties + +`response_type` +: The response type of the associated GatewayResponse. + +`status_code` +: The HTTP status code for this GatewayResponse. + +`response_parameters` +: Response parameters (paths, query strings and headers) of the GatewayResponse as a string-to-string map of key-value pairs. + +`response_templates` +: Response templates of the GatewayResponse as a string-to-string map of key-value pairs. + +`default_response` +: A Boolean flag to indicate whether this GatewayResponse is the default gateway response (true ) or not (false ). 
+ +## Examples + +Ensure a response type is 'DEFAULT_4XX': + +```ruby +describe aws_api_gateway_response(rest_api_id: 'REST_API_ID', response_type: 'DEFAULT_4XX') do + its('response_type') { should eq 'DEFAULT_4XX' } +end +``` + +Ensure a status code is `200`: + +```ruby +describe aws_api_gateway_response(rest_api_id: 'REST_API_ID', response_type: 'RESPONSE_TYPE') do + its('status_code') { should eq '200' } +end +``` + +## Matchers + +{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}} + +This resource has the following special matchers. + +### exist + +Use `should` to test that the entity exists. + +```ruby +describe aws_api_gateway_response(rest_api_id: 'REST_API_ID', response_type: 'RESPONSE_TYPE') do + it { should exist } +end +``` + +Use `should_not` to test the entity does not exist. + +```ruby +describe aws_api_gateway_response(rest_api_id: 'REST_API_ID', response_type: 'RESPONSE_TYPE') do + it { should_not exist } +end +``` + +## AWS Permissions + +{{% inspec-aws/aws_permissions_principal action="APIGateway:Client:GatewayResponse" %}} diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_api_gateway_responses.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_api_gateway_responses.md new file mode 100644 index 0000000..3659c95 --- /dev/null +++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_api_gateway_responses.md 
@@ -0,0 +1,106 @@ ++++ +title = "aws_api_gateway_responses resource" + +draft = false + + +[menu.aws] +title = "aws_api_gateway_responses" +identifier = "inspec/resources/aws/aws_api_gateway_responses resource" +parent = "inspec/resources/aws" ++++ + +Use the `aws_api_gateway_responses` Chef InSpec audit resource to test properties of multiple AWS API Gateway gateway responses. + +The `AWS::ApiGateway::GatewayResponse` resource creates a gateway response for your API. + +For additional information, including details on parameters and properties, see the [AWS documentation on the `AWS::APIGateway::GatewayResponse` resource](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-apigateway-gatewayresponse.html). + +## Syntax + +Ensure that a response exists. + +```ruby +describe aws_api_gateway_responses(rest_api_id: 'REST_API_ID') do + it { should exist } +end +``` + +## Parameters + +`rest_api_id` _(required)_ + +: The string identifier of the associated REST API. + +## Properties + +`response_type` +: The response type of the associated GatewayResponse. + +: **Field**: `response_type` + +`status_code` +: The HTTP status code for this GatewayResponse. + +: **Field**: `status_code` + +`response_parameters` +: Response parameters (paths, query strings and headers) of the GatewayResponse as a string-to-string map of key-value pairs. + +: **Field**: `response_parameters` + +`response_templates` +: Response templates of the GatewayResponse as a string-to-string map of key-value pairs. + +: **Field**: `response_templates` + +`default_response` +: A Boolean flag to indicate whether this GatewayResponse is the default gateway response (true ) or not (false ). 
+ +: **Field**: `default_response` + +## Examples + +Ensure a response type is `DEFAULT_4XX`: + +```ruby +describe aws_api_gateway_responses(rest_api_id: 'REST_API_ID') do + its('response_types') { should include 'DEFAULT_4XX' } +end +``` + +Ensure a status code is `200`: + +```ruby +describe aws_api_gateway_responses(rest_api_id: 'REST_API_ID') do + its('status_codes') { should include '200' } +end +``` + +## Matchers + +{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}} + +This resource has the following special matchers. + +### exist + +Use `should` to test that the entity exists. + +```ruby +describe aws_api_gateway_responses(rest_api_id: 'REST_API_ID') do + it { should exist } +end +``` + +Use `should_not` to test the entity does not exist. + +```ruby +describe aws_api_gateway_responses(rest_api_id: 'REST_API_ID') do + it { should_not exist } +end +``` + +## AWS Permissions + +{{% inspec-aws/aws_permissions_principal action="APIGateway:Client:GatewayResponses" %}} diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_api_gateway_restapi.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_api_gateway_restapi.md new file mode 100644 index 0000000..c88acc6 --- /dev/null +++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_api_gateway_restapi.md 
@@ -0,0 +1,131 @@ ++++ +title = "aws_api_gateway_restapi resource" + +draft = false + + +[menu.aws] +title = "aws_api_gateway_restapi" +identifier = "inspec/resources/aws/aws_api_gateway_restapi resource" +parent = "inspec/resources/aws" ++++ + +Use the `aws_api_gateway_restapi` InSpec audit resource to test properties of a single AWS API Gateway REST API. + +The AWS::ApiGateway::RestApi resource creates a REST API. + +For additional information, including details on parameters and properties, see the [AWS API Gateway REST API documentation](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-apigateway-restapi.html). + +## Syntax + +Ensure the rest api exists. + +```ruby +describe aws_api_gateway_restapi(rest_api_id: "REST_API_ID") do + it { should exist } +end +``` + +## Parameters + +`rest_api_id` _(required)_ + +## Properties + +`id` +: The API's identifier. This identifier is unique across all of your APIs in API Gateway. + +`name` +: The API's name. + +`description` +: The API's description. + +`created_date` +: The timestamp when the API was created. + +`version` +: A version identifier for the API. + +`warnings` +: The warning messages reported when `failonwarnings` is turned on during API import. + +`binary_media_types` +: The list of binary media types supported by the REST API. By default, the REST API supports only UTF-8-encoded text payloads. + +`minimum_compression_size` +: A nullable integer that is used to enable compression (with non-negative between 0 and 10485760 (10M) bytes, inclusive) or disable compression (with a null value) on an API. When compression is enabled, compression or decompression is not applied on the payload if the payload size is smaller than this value. Setting it to zero allows compression for any payload size. + +`api_key_source` +: The source of the API key for metering requests according to a usage plan. Valid values are `HEADER` and `AUTHORIZER`. 
+ +`endpoint_configuration (types)` +: A list of endpoint types of an API or its custom domain name. For an edge-optimized API and its custom domain name, the endpoint type is `EDGE`. For a regional API and its custom domain name, the endpoint type is `REGIONAL`. For a private API, the endpoint type is `PRIVATE`. + +`endpoint_configuration (vpc_endpoint_ids)` +: A list of `VpcEndpointIds` of an API against which to create Route53 aliases. It is only supported for `PRIVATE` endpoint type. + +`policy` +: A stringified JSON policy document that applies to this REST API regardless of the caller and method configuration. + +`tags` +: The collection of tags. Each tag element is associated with a given resource. + +`disable_execute_api_endpoint` +: Specifies whether clients can invoke your API by using the default execute-api endpoint. + +## Examples + +Ensure the REST API exists: + +```ruby +describe aws_api_gateway_restapi(rest_api_id: "REST_API_ID") do + its('name') { should eq 'API_NAME' } +end +``` + +Ensure that the source of the API key is `HEADER`: + +```ruby +describe aws_api_gateway_restapi(rest_api_id: "REST_API_ID") do + its('api_key_source') { should eq 'HEADER' } +end +``` + +## Matchers + +{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}} + +This resource has the following special matchers. + +### exist + +Use `should` to test that the entity exists. + +```ruby +describe aws_api_gateway_restapi(rest_api_id: "REST_API_ID") do + it { should exist } +end +``` + +Use `should_not` to test the entity does not exist. + +```ruby +describe aws_api_gateway_restapi(rest_api_id: "REST_API_ID") do + it { should_not exist } +end +``` + +### be_available + +Use `should` to check if the work_group name is available. + +```ruby +describe aws_api_gateway_restapi(rest_api_id: "REST_API_ID") do + it { should be_available } +end +``` + +## AWS Permissions + +{{% inspec-aws/aws_permissions_principal action="APIGateway:Client:RestApi" %}} 
diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_api_gateway_restapis.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_api_gateway_restapis.md new file mode 100644 index 0000000..7b0c9a6 --- /dev/null +++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_api_gateway_restapis.md 
@@ -0,0 +1,110 @@ ++++ +title = "aws_api_gateway_restapis resource" + +draft = false + + +[menu.aws] +title = "aws_api_gateway_restapis" +identifier = "inspec/resources/aws/aws_api_gateway_restapis resource" +parent = "inspec/resources/aws" ++++ + +Use the `aws_api_gateway_restapis` InSpec audit resource to test properties of multiple AWS API Gateway REST APIs. + +The AWS::ApiGateway::RestApi resource creates a REST API. + +For additional information, including details on parameters and properties, see the [AWS API Gateway REST API documentation](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-apigateway-restapi.html). + +## Syntax + +Ensure the rest api exists. + +```ruby +describe aws_api_gateway_restapis do + it { should exist } +end +``` + +## Parameters + +This resource does not require any parameters. + +## Properties + +`ids` +: The API's identifier. This identifier is unique across all of your APIs in API Gateway. + +`names` +: The API's name. + +`descriptions` +: The API's description. + +`created_dates` +: The timestamp when the API was created. + +`versions` +: A version identifier for the API. + +`warnings` +: The warning messages reported when `failonwarnings` is turned on during API import. + +`binary_media_types` +: The list of binary media types supported by the REST API. By default, the REST API supports only UTF-8-encoded text payloads. + +`minimum_compression_sizes` +: A nullable integer that is used to enable compression (with non-negative between 0 and 10485760 (10M) bytes, inclusive) or disable compression (with a null value) on an API. When compression is enabled, compression or decompression is not applied on the payload if the payload size is smaller than this value. Setting it to zero allows compression for any payload size. + +`api_key_sources` +: The source of the API key for metering requests according to a usage plan. Valid values are `HEADER` and `AUTHORIZER`. 
+ +`endpoint_configurations` +: The endpoint configuration of this REST API showing the endpoint types of the API. + +`policies` +: A stringified JSON policy document that applies to this REST API regardless of the caller and method configuration. + +`tags` +: The collection of tags. Each tag element is associated with a given resource. + +`disable_execute_api_endpoints` +: Specifies whether clients can invoke your API by using the default execute-api endpoint. + +## Examples + +Ensure a specific REST API exists: + +```ruby +describe aws_api_gateway_restapis do + its('names') { should include 'API_NAME' } +end +``` + +Ensure that `HEADER` is a source for a REST API key: + +```ruby +describe aws_api_gateway_restapis do + its('api_key_source') { should include 'HEADER' } +end +``` + +## Matchers + +{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}} + +This resource has the following special matchers. + +### exist + +Use `should` to test that the entity exists. + +```ruby +describe aws_api_gateway_restapis do + it { should exist } +end +``` + +## AWS Permissions + +{{% inspec-aws/aws_permissions_principal action="APIGateway:Client:RestApis" %}} diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_api_gateway_stage.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_api_gateway_stage.md new file mode 100644 index 0000000..96a5002 --- /dev/null +++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_api_gateway_stage.md 
@@ -0,0 +1,188 @@ ++++ +title = "aws_api_gateway_stage resource" + +draft = false + + +[menu.aws] +title = "aws_api_gateway_stage" +identifier = "inspec/resources/aws/aws_api_gateway_stage resource" +parent = "inspec/resources/aws" ++++ + +Use the `aws_api_gateway_stage` InSpec audit resource to test properties of a single AWS API Gateway stage. + +The `AWS::ApiGateway::Stage` resource deploys an API Gateway REST API resource to a stage so that clients can call the API over the internet. The stage acts as an environment. + +For additional information, including details on parameters and properties, see the [AWS API Gateway stage documentation](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-apigateway-stage.html). + +## Syntax + +Ensure that the stage exists. + +```ruby +describe aws_api_gateway_stage(rest_api_id: 'REST_API_ID', stage_name: 'STAGE_NAME') do + it { should exist } +end +``` + +## Parameters + +`rest_api_id` _(required)_ + +: The ID of the REST API resource that you're deploying with this stage. + +`stage_name` _(required)_ + +: The API Gateway stage name. + +## Properties + +`deployment_id` +: The identifier for the deployment attached to stage resource. + +`description` +: The description for the stage resource. + +`created_date` +: The date and time that the stage resource was created. + +`stage_name` +: The name for the stage resource. + +`client_certificate_id` +: The client certificate identifier for the stage resource. + +`cache_cluster_enabled` +: Specifies whether a cache cluster is enabled for the stage. + +`cache_cluster_size` +: The size of the cache cluster for the stage, if enabled. + +`cache_cluster_status` +: The status of the cache cluster for the stage, if enabled. + +`method_settings` +: A map that defines the method settings for a stage resource. + +`method_settings (metrics_enabled)` +: Specifies whether Amazon CloudWatch metrics are enabled for this method. 
+ +`method_settings (logging_level)` +: Specifies the logging level for this method, which affects the log entries pushed to Amazon CloudWatch Logs. + +`method_settings (data_trace_enabled)` +: Specifies whether data trace logging is enabled for this method, which affects the log entries pushed to Amazon CloudWatch Logs. + +`method_settings (throttling_burst_limit)` +: Specifies the throttling burst limit. + +`method_settings (throttling_rate_limit)` +: Specifies the throttling rate limit. + +`method_settings (caching_enabled)` +: Specifies whether responses should be cached and returned for requests. + +`method_settings (cache_ttl_in_seconds)` +: Specifies the time to live (TTL), in seconds, for cached responses. + +`method_settings (cache_data_encrypted)` +: Specifies whether the cached responses are encrypted. + +`method_settings (require_authorization_for_cache_control)` +: Specifies whether authorization is required for a cache invalidation request. + +`method_settings (unauthorized_cache_control_header_strategy)` +: Specifies how to handle unauthorized requests for cache invalidation. + +`variables` +: A map that defines the stage variables for a stage resource. + +`documentation_version` +: The version of the associated API documentation. + +`access_log_settings.format` +: A single line format of the access logs of data. + +`access_log_settings.destination_arn` +: The Amazon Resource Name (ARN) of the CloudWatch Logs log group or Kinesis Data Firehose delivery stream to receive access logs. + +`canary_settings.percent_traffic` +: The percent (0-100) of traffic diverted to a canary deployment. + +`canary_settings.deployment_id` +: The identifier for the canary settings deployment. + +`canary_settings.stage_variable_overrides` +: Stage variables overridden for a canary release deployment, including new stage variables introduced in the canary. 
+ +`canary_settings.use_stage_cache` +: A boolean flag to indicate whether the canary deployment uses the stage cache or not. + +`tracing_enabled` +: Specifies whether active tracing with X-ray is enabled for the Stage. + +`web_acl_arn` +: The ARN of the WebAcl associated with the Stage. + +`tags` +: The collection of tags. Each tag element is associated with a given resource. + +`last_updated_date` +: The timestamp when the stage last updated. + +## Examples + +Ensure that the stage name exists: + +```ruby +describe aws_api_gateway_stage(rest_api_id: 'REST_API_ID', stage_name: 'STAGE_NAME') do + its('stage_name') { should eq 'STAGE_NAME' } +end +``` + +Ensure that the client certificate ID exists: + +```ruby +describe aws_api_gateway_stage(rest_api_id: 'REST_API_ID', stage_name: 'STAGE_NAME') do + its('client_certificate_id') { should eq 'CLIENT_CERTIFICATE_ID' } +end +``` + +## Matchers + +{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}} + +This resource has the following special matchers. + +### exist + +Use `should` to test that the entity exists. + +```ruby +describe aws_api_gateway_stage(rest_api_id: 'REST_API_ID', stage_name: 'STAGE_NAME') do + it { should exist } +end +``` + +Use `should_not` to test the entity does not exist. + +```ruby +describe aws_api_gateway_stage(rest_api_id: 'REST_API_ID', stage_name: 'STAGE_NAME') do + it { should_not exist } +end +``` + +### be_available + +Use `should` to check if the entity is available. + +```ruby +describe aws_api_gateway_stage(rest_api_id: 'REST_API_ID', stage_name: 'STAGE_NAME') do + it { should be_available } +end +``` + +## AWS Permissions + +{{% inspec-aws/aws_permissions_principal action="APIGateway:Client:Stage" %}} diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_api_gateway_stages.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_api_gateway_stages.md new file mode 100644 index 0000000..9f7e7c2 --- /dev/null 
+++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_api_gateway_stages.md 
@@ -0,0 +1,95 @@ ++++ +title = "aws_api_gateway_stages resource" + +draft = false + + +[menu.aws] +title = "aws_api_gateway_stages" +identifier = "inspec/resources/aws/aws_api_gateway_stages resource" +parent = "inspec/resources/aws" ++++ + +Use the `aws_api_gateway_stages` InSpec audit resource to test properties of multiple AWS API Gateway stages. + +The 'AWS::ApiGateway::Stage' resource deploys an API Gateway REST API resource to a stage so that clients can call the API over the internet. The stage acts as an environment. + +For additional information, including details on parameters and properties, see the [AWS API Gateway stage Stage documentation](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-apigateway-stage.html). + +## Syntax + +Ensure that the stage exists. + +```ruby +describe aws_api_gateway_stages(rest_api_id: 'REST_API_ID') do + it { should exist } +end +``` + +## Parameters + +`rest_api_id` _(required)_ + +: The ID of the REST API resource that you're deploying with this stage. + +## Properties + +`deployment_ids` +: The identifier for the deployment attached to stage resource. + +`descriptions` +: The description for the stage resource. + +`created_dates` +: The date and time that the stage resource was created. + +`stage_names` +: The name for the stage resource. + +## Examples + +Ensure that the stage name exists: + +```ruby +describe aws_api_gateway_stages(rest_api_id: 'REST_API_ID') do + its('stage_names') { should include 'STAGE_NAME' } +end +``` + +## Matchers + +{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}} + +This resource has the following special matchers. + +### exist + +Use `should` to test that the entity exists. + +```ruby +describe aws_api_gateway_stages(rest_api_id: 'REST_API_ID') do + it { should exist } +end +``` + +Use `should_not` to test the entity does not exist. 
+ +```ruby +describe aws_api_gateway_stages(rest_api_id: 'REST_API_ID') do + it { should_not exist } +end +``` + +### be_available + +Use `should` to check if the stage is available. + +```ruby +describe aws_api_gateway_stages(rest_api_id: 'REST_API_ID') do + it { should be_available } +end +``` + +## AWS Permissions + +{{% inspec-aws/aws_permissions_principal action="APIGateway:Client::Stages" %}} diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_api_gateway_usage_plan.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_api_gateway_usage_plan.md new file mode 100644 index 0000000..592fc18 --- /dev/null +++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_api_gateway_usage_plan.md 
@@ -0,0 +1,166 @@
++++
+title = "aws_api_gateway_usage_plan resource"
+
+draft = false
+
+
+[menu.aws]
+title = "aws_api_gateway_usage_plan"
+identifier = "inspec/resources/aws/aws_api_gateway_usage_plan resource"
+parent = "inspec/resources/aws"
++++
+
+Use the `aws_api_gateway_usage_plan` InSpec audit resource to test the properties of a single specific AWS API Gateway usage plan. A usage plan sets a target for the throttling and quota limits on individual client API keys.
+
+For additional information, including parameters and properties, see the [AWS documentation on AWS APIGateway UsagePlan](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-apigateway-usageplan.html).
+
+## Syntax
+
+Ensure that a usage plan exists.
+
+```ruby
+describe aws_api_gateway_usage_plan(usage_plan_id: 'USAGE_PLAN_ID') do
+ it { should exist }
+end
+```
+
+## Parameters
+
+`usage_plan_id` _(required)_
+: The identifier of a usage plan resource.
+
+## Properties
+
+`id`
+: The identifier of a usage plan resource.
+
+: **Field**: `id`
+
+`name`
+: The name of a usage plan.
+
+: **Field**: `name`
+
+`description`
+: The description of a usage plan.
+
+: **Field**: `description`
+
+`api_stages`
+: The associated API stages of a usage plan.
+
+: **Field**: `api_stages`
+
+`api_stages_api_ids`
+: API ID of the associated API stage in a usage plan.
+
+: **Field**: `api_stages[0].api_id`
+
+`api_stages_stages`
+: API stage name of the associated API stage in a usage plan.
+
+: **Field**: `api_stages[0].stage`
+
+`api_stages_throttles`
+: Map containing method level throttling information for API stage in a usage plan.
+
+: **Field**: `api_stages[0].throttle`
+
+`throttle`
+: The overall request rate (average requests per second) and burst capacity. A map containing method level throttling information for the API stage in a usage plan.
+
+: **Field**: `throttle`
+
+`throttle.burst_limit`
+: The API target request burst rate limit.
This allows more requests for a period of time than the target rate limit.
+
+: **Field**: `throttle.burst_limit`
+
+`throttle.rate_limit`
+: The API target request rate limit.
+
+: **Field**: `throttle.rate_limit`
+
+`quota`
+: The maximum target number of permitted requests that the user can make within a given time interval.
+
+: **Field**: `quota`
+
+`quota.limit`
+: The target maximum number of requests that can be made in a given time period.
+
+: **Field**: `quota.limit`
+
+`quota.offset`
+: The number of requests subtracted from the given limit in the initial time period.
+
+: **Field**: `quota.offset`
+
+`quota.period`
+: The time period in which the limit applies. Valid values are `DAY`, `WEEK`, or `MONTH`.
+
+: **Field**: `quota.period`
+
+`product_code`
+: The AWS Markeplace product identifier to associate with the usage plan as a SaaS product on AWS Marketplace.
+
+: **Field**: `product_code`
+
+`tags`
+: The collection of tags. Each tag element is associated with a given resource.
+
+: **Field**: `tags`
+
+## Examples
+
+### Test to ensure a usage plan ID is available
+
+```ruby
+describe aws_api_gateway_usage_plan(usage_plan_id: 'USAGE_PLAN_ID') do
+ its('id') { should eq 'USAGE_PLAN_ID' }
+end
+```
+
+### Test to ensure a usage plan name is available
+
+```ruby
+describe aws_api_gateway_usage_plan(usage_plan_id: 'USAGE_PLAN_ID') do
+ its('name') { should eq 'USAGE_PLAN_NAME' }
+end
+```
+
+### Test to verify the quota limit is set to `2` in the usage plan API gateway
+
+```ruby
+describe aws_api_gateway_usage_plan(usage_plan_id: 'USAGE_PLAN_ID') do
+ its('quota.limit') { should eq 2 }
+end
+```
+
+## Matchers
+
+{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}}
+
+The control passes if the `get` method returns at least one result.
+
+### exist
+
+Use `should` to test that the entity exists.
+
+```ruby
+describe aws_api_gateway_usage_plan(usage_plan_id: 'USAGE_PLAN_ID') do
+ it { should exist }
+end
+```
+
+Use `should_not` to test that the entity does not exist.
+
+```ruby
+describe aws_api_gateway_usage_plan(usage_plan_id: 'USAGE_PLAN_ID') do
+ it { should_not exist }
+end
+```
+
+## AWS Permissions
+
+{{% inspec-aws/aws_permissions_principal action="APIGateway:Client:UsagePlan" %}}
diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_api_gateway_usage_plan_key.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_api_gateway_usage_plan_key.md
new file mode 100644
index 0000000..69ca4d0
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_api_gateway_usage_plan_key.md
@@ -0,0 +1,95 @@
++++
+title = "aws_api_gateway_usage_plan_key resource"
+
+draft = false
+
+
+[menu.aws]
+title = "aws_api_gateway_usage_plan_key"
+identifier = "inspec/resources/aws/aws_api_gateway_usage_plan_key resource"
+parent = "inspec/resources/aws"
++++
+
+Use the `aws_api_gateway_usage_plan_key` InSpec audit resource to test the properties of a specific AWS API Gateway usage plan key.
+
+For additional information, including parameters and properties, see the [AWS documentation on AWS APIGateway UsagePlanKey](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-apigateway-usageplankey.html).
+
+## Syntax
+
+Ensure that a usage plan key exists.
+
+```ruby
+describe aws_api_gateway_usage_plan_key(usage_plan_id: 'USAGE_PLAN_ID', key_id: 'USAGE_PLAN_KEY_ID') do
+ it { should exist }
+end
+```
+
+## Parameters
+
+`usage_plan_id` _(required)_
+
+: The usage plan resource ID represents the usage plan containing the to-be-retrieved usage plan's key resource and a plan customer.
+
+`key_id` _(required)_
+
+: The key ID of the to-be-retrieved usage plan key resource representing a plan customer.
+
+## Properties
+
+`id`
+: The usage plan key ID.
+
+`type`
+: The usage plan key type. Currently, the valid key type is `API_KEY`.
+
+`value`
+: The value of a usage plan key.
+
+`name`
+: The usage plan key name.
+
+## Examples
+
+### Test to ensure a usage plan key ID is available
+
+```ruby
+describe aws_api_gateway_usage_plan_key(usage_plan_id: 'USAGE_PLAN_ID', key_id: 'USAGE_PLAN_KEY_ID') do
+ its('id') { should eq 'USAGE_PLAN_KEY_ID' }
+end
+```
+
+### Test to ensure a usage plan key name is available
+
+```ruby
+describe aws_api_gateway_usage_plan_key(usage_plan_id: 'USAGE_PLAN_ID', key_id: 'USAGE_PLAN_KEY_ID') do
+ its('name') { should eq 'USAGE_PLAN_KEY_NAME' }
+end
+```
+
+## Matchers
+
+{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}}
+
+The control passes if the `get` method returns at least one result.
+
+### exist
+
+Use `should` to test that the entity exists.
+
+```ruby
+describe aws_api_gateway_usage_plan(usage_plan_id: 'USAGE_PLAN_ID') do
+ it { should exist }
+end
+```
+
+Use `should_not` to test that the entity does not exist.
+
+```ruby
+describe aws_api_gateway_usage_plan(usage_plan_id: 'USAGE_PLAN_ID') do
+ it { should_not exist }
+end
+```
+
+## AWS Permissions
+
+{{% inspec-aws/aws_permissions_principal action="APIGateway:Client:UsagePlanKey" %}}
diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_api_gateway_usage_plan_keys.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_api_gateway_usage_plan_keys.md
new file mode 100644
index 0000000..b9a7360
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_api_gateway_usage_plan_keys.md
@@ -0,0 +1,99 @@
++++
+title = "aws_api_gateway_usage_plan_keys resource"
+
+draft = false
+
+
+[menu.aws]
+title = "aws_api_gateway_usage_plan_keys"
+identifier = "inspec/resources/aws/aws_api_gateway_usage_plan_keys resource"
+parent = "inspec/resources/aws"
++++
+
+Use the `aws_api_gateway_usage_plan_keys` InSpec audit resource to test the properties of multiple AWS API Gateway usage plan keys.
+
+For additional information, including parameters and properties, see the [AWS documentation on AWS APIGateway UsagePlanKey](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-apigateway-usageplankey.html).
+
+## Syntax
+
+Ensure that the usage plan key exists.
+
+```ruby
+describe aws_api_gateway_usage_plan_keys(usage_plan_id: 'USAGE_PLAN_ID') do
+ it { should exist }
+end
+```
+
+## Parameters
+
+`usage_plan_id` _(required)_
+
+: The usage plan resource ID represents the usage plan containing the to-be-retrieved usage plan's key resource and a plan customer.
+
+## Properties
+
+`ids`
+: The usage plan key ID.
+
+: **Field**: `id`
+
+`types`
+: The usage plan key type. Currently, the valid key type is `API_KEY`.
+
+: **Field**: `type`
+
+`values`
+: The usage plan key value.
+
+: **Field**: `value`
+
+`names`
+: The usage plan key name.
+
+: **Field**: `name`
+
+## Examples
+
+### Test to ensure a usage plan key ID is available
+
+```ruby
+describe aws_api_gateway_usage_plan_keys(usage_plan_id: 'USAGE_PLAN_ID') do
+ its('ids') { should include 'USAGE_PLAN_KEY_ID' }
+end
+```
+
+### Test to ensure a usage plan key name is available
+
+```ruby
+describe aws_api_gateway_usage_plan_keys(usage_plan_id: 'USAGE_PLAN_ID') do
+ its('names') { should include 'USAGE_PLAN_KEY_NAME' }
+end
+```
+
+## Matchers
+
+{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}}
+
+The control passes if the `get` method returns at least one result.
+
+### exist
+
+Use `should` to test that the entity exists.
+
+```ruby
+describe aws_api_gateway_usage_plan_keys(usage_plan_id: 'USAGE_PLAN_ID') do
+ it { should exist }
+end
+```
+
+Use `should_not` to test that the entity does not exist.
+
+```ruby
+describe aws_api_gateway_usage_plan_keys(usage_plan_id: 'USAGE_PLAN_ID') do
+ it { should_not exist }
+end
+```
+
+## AWS Permissions
+
+{{% inspec-aws/aws_permissions_principal action="APIGateway:Client:UsagePlanKeys" %}}
diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_api_gateway_usage_plans.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_api_gateway_usage_plans.md
new file mode 100644
index 0000000..bc6dea6
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_api_gateway_usage_plans.md
@@ -0,0 +1,117 @@
++++
+title = "aws_api_gateway_usage_plans resource"
+
+draft = false
+
+
+[menu.aws]
+title = "aws_api_gateway_usage_plans"
+identifier = "inspec/resources/aws/aws_api_gateway_usage_plans resource"
+parent = "inspec/resources/aws"
++++
+
+Use the `aws_api_gateway_usage_plans` InSpec audit resource to test the properties of multiple AWS API Gateway usage plans. A usage plan sets a target for the throttling and quota limits on individual client API keys.
+
+For additional information, including parameters and properties, see the [AWS documentation on AWS APIGateway UsagePlan](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-apigateway-usageplan.html).
+
+## Syntax
+
+Ensure that the usage plan exists.
+
+```ruby
+describe aws_api_gateway_usage_plans do
+ it { should exist }
+end
+```
+
+## Parameters
+
+This resource does not require any parameters.
+
+## Properties
+
+`ids`
+: The identifier of a usage plan resource.
+
+: **Field**: `id`
+
+`names`
+: The name of a usage plan.
+
+: **Field**: `name`
+
+`descriptions`
+: The description of a usage plan.
+
+: **Field**: `description`
+
+`api_stages`
+: The associated API stages of a usage plan.
+
+: **Field**: `api_stages`
+
+`throttles`
+: A map containing method level throttling information for the API stage in a usage plan.
+
+: **Field**: `throttle`
+
+`quotas`
+: The maximum target number of permitted requests that the user can make within a given time interval
+
+: **Field**: `quota`
+
+`product_codes`
+: The AWS Marketplace product identifier to associate with the usage plan as a SaaS product on AWS Marketplace.
+
+: **Field**: `product_code`
+
+`tags`
+: The collection of tags. Each tag element is associated with a given resource.
+
+: **Field**: `tags`
+
+## Examples
+
+### Test to ensure a usage plan ID is available
+
+```ruby
+describe aws_api_gateway_usage_plans do
+ its('ids') { should include 'USAGE_PLAN_ID' }
+end
+```
+
+### Test to ensure a usage plan name is available
+
+```ruby
+describe aws_api_gateway_usage_plans do
+ its('names') { should include 'USAGE_PLAN_NAME' }
+end
+```
+
+## Matchers
+
+{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}}
+
+The control passes if the `get` method returns at least one result.
+
+### exist
+
+Use `should` to test that the entity exists.
+
+```ruby
+describe aws_api_gateway_usage_plans do
+ it { should exist }
+end
+```
+
+Use `should_not` to test that the entity does not exist.
+
+```ruby
+describe aws_api_gateway_usage_plans do
+ it { should_not exist }
+end
+```
+
+## AWS Permissions
+
+{{% inspec-aws/aws_permissions_principal action="APIGateway:Client:UsagePlans" %}}
diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_api_gateway_v2_api.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_api_gateway_v2_api.md
new file mode 100644
index 0000000..a48fc0f
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_api_gateway_v2_api.md
@@ -0,0 +1,152 @@
++++
+title = "aws_api_gateway_v2_api resource"
+
+draft = false
+
+
+[menu.aws]
+title = "aws_api_gateway_v2_api"
+identifier = "inspec/resources/aws/aws_api_gateway_v2_api resource"
+parent = "inspec/resources/aws"
++++
+
+Use the `aws_api_gateway_v2_api` InSpec audit resource to test the properties of a single specific AWS API Gateway V2 API.
+
+For additional information, including parameters and properties, see the [AWS documentation on AWS APIGatewayV2 API](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-apigatewayv2-api.html).
+
+## Syntax
+
+Ensure that the API exists.
+
+```ruby
+describe aws_api_gateway_v2_api(api_id: 'REST_API_ID') do
+ it { should exist }
+end
+```
+
+## Parameters
+
+`api_id` _(required)_
+: The API ID.
+
+## Properties
+
+`api_endpoint`
+: The URI of the API, of the form `{api-id}.execute-api.{region}.amazonaws.com`. The stage name is typically appended to this URI to form a complete path to a deployed API stage.
+
+`api_gateway_managed`
+: Specifies whether an API is managed by API Gateway. You cannot update or delete a managed API by using API Gateway. A managed API can be deleted only through the tooling or service that created it.
+
+`api_id`
+: The API ID.
+
+`api_key_selection_expression`
+: An API key selection expression. Supported only for WebSocket APIs.
+
+`cors_configuration`
+: A CORS configuration. Supported only for HTTP APIs.
+
+`cors_configuration.allow_credentials`
+: Specifies whether credentials are included in the CORS request. Supported only for HTTP APIs.
+
+`cors_configuration.allow_headers`
+: Specifies whether credentials are included in the CORS request. Supported only for HTTP APIs.
+
+`cors_configuration.allow_methods`
+: Represents a collection of allowed HTTP methods. Supported only for HTTP APIs.
+
+`cors_configuration.allow_origins`
+: Represents a collection of allowed origins. Supported only for HTTP APIs.
+
+`cors_configuration.expose_headers`
+: Represents a collection of exposed headers. Supported only for HTTP APIs.
+
+`cors_configuration.max_age`
+: The number of seconds that the browser should cache preflight request results. Supported only for HTTP APIs.
+
+`created_date`
+: The timestamp when the API is created.
+
+`description`
+: The description of the API.
+
+`disable_schema_validation`
+: Avoid validating models when creating a deployment. Supported only for WebSocket APIs.
+
+`disable_execute_api_endpoint`
+: Specifies whether clients can invoke your API using the default execute-api endpoint. By default, clients can invoke your API with the default `https://{api_id}.execute-api.{region}.amazonaws.com` endpoint. To require that clients use a custom domain name to invoke your API, disable the default endpoint.
+
+`import_info`
+: The validation information during API import. Supported only for HTTP APIs.
+
+`name`
+: The name of the API.
+
+`protocol_type`
+: The API protocol. Valid values are WEBSOCKET or HTTP.
+
+`route_selection_expression`
+: The route selection expression for the API. For HTTP APIs, the `routeSelectionExpression` must be `${request.method} ${request.path}`. If not provided, this defaults for HTTP APIs. This property is required for WebSocket APIs.
+
+`tags`
+: A collection of tags associated with the API.
+
+`version`
+: A version identifier for the API.
+
+`warnings`
+: The warning messages are reported when `failonwarnings` is turned on during API import. The `failonwarnings` specifies to roll back the API creation when a warning is encountered. By default, API creation continues if a warning is encountered.
+
+## Examples
+
+### Test to ensure an API ID is available
+
+```ruby
+describe aws_api_gateway_v2_api(api_id: 'REST_API_ID') do
+ its('api_id') { should eq 'REST_API_ID' }
+end
+```
+
+### Test to ensure an API name is available
+
+```ruby
+describe aws_api_gateway_v2_api(api_id: 'REST_API_ID') do
+ its('name') { should eq 'REST_API_NAME' }
+end
+```
+
+### Test to ensure a protocol type is `HTTP`
+
+```ruby
+describe aws_api_gateway_v2_api(api_id: 'REST_API_ID') do
+ its('protocol_type') { should eq 'HTTP' }
+end
+```
+
+## Matchers
+
+{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}}
+
+The control passes if the `get` method returns at least one result.
+
+### exist
+
+Use `should` to test that the entity exists.
+
+```ruby
+describe aws_api_gateway_v2_api(api_id: 'REST_API_ID') do
+ it { should exist }
+end
+```
+
+Use `should_not` to test that the entity does not exist.
+
+```ruby
+describe aws_api_gateway_v2_api(api_id: 'REST_API_ID') do
+ it { should_not exist }
+end
+```
+
+## AWS Permissions
+
+{{% inspec-aws/aws_permissions_principal action="APIGatewayv2:Client:GetApiResponse" %}}
diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_api_gateway_v2_api_mapping.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_api_gateway_v2_api_mapping.md
new file mode 100644
index 0000000..647e3a7
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_api_gateway_v2_api_mapping.md
@@ -0,0 +1,109 @@
++++
+title = "aws_api_gateway_v2_api_mapping resource"
+
+draft = false
+
+
+[menu.aws]
+title = "aws_api_gateway_v2_api_mapping"
+identifier = "inspec/resources/aws/aws_api_gateway_v2_api_mapping resource"
+parent = "inspec/resources/aws"
++++
+
+Use the `aws_api_gateway_v2_api_mapping` InSpec audit resource to test the properties of a specific AWS API Gateway V2 API mapping.
+
+For additional information, including parameters and properties, see the [AWS documentation on AWS APIGatewayV2 ApiMapping](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-apigatewayv2-apimapping.html).
+
+## Syntax
+
+Ensure that an API mapping exists.
+
+```ruby
+describe aws_api_gateway_v2_api_mapping(api_mapping_id: 'API_MAPPING_ID', domain_name: 'DOMAIN_NAME') do
+ it { should exist }
+end
+```
+
+## Parameters
+
+`api_mapping_id` _(required)_
+: The API mapping identifier.
+
+`domain_name` _(required)_
+: The domain name.
+
+## Properties
+
+`api_id`
+: The API identifier.
+
+`api_mapping_id`
+: The API mapping identifier.
+
+`api_mapping_key`
+: The API mapping key.
+
+`stage`
+: The API stage.
+
+## Examples
+
+### Test to ensure an API ID is available
+
+```ruby
+describe aws_api_gateway_v2_api_mapping(api_mapping_id: 'API_MAPPING_ID', domain_name: 'DOMAIN_NAME') do
+ its('api_id') { should eq 'REST_API_ID' }
+end
+```
+
+### Test to ensure an API mapping ID is available
+
+```ruby
+describe aws_api_gateway_v2_api_mapping(api_mapping_id: 'API_MAPPING_ID', domain_name: 'DOMAIN_NAME') do
+ its('api_mapping_id') { should eq 'API_MAPPING_ID' }
+end
+```
+
+### Test to ensure an API mapping key is available
+
+```ruby
+describe aws_api_gateway_v2_api_mapping(api_mapping_id: 'API_MAPPING_ID', domain_name: 'DOMAIN_NAME') do
+ its('api_mapping_key') { should eq 'API_MAPPING_KEY' }
+end
+```
+
+### Test to ensure an API mapping stage is available
+
+```ruby
+describe aws_api_gateway_v2_api_mapping(api_mapping_id: 'API_MAPPING_ID', domain_name: 'DOMAIN_NAME') do
+ its('stage') { should eq 'API_STAGE_NAME' }
+end
+```
+
+## Matchers
+
+{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}}
+
+The control passes if the `get` method returns at least one result.
+
+### exist
+
+Use `should` to test that the entity exists.
+
+```ruby
+describe aws_api_gateway_v2_api_mapping(api_mapping_id: 'API_MAPPING_ID', domain_name: 'DOMAIN_NAME') do
+ it { should exist }
+end
+```
+
+Use `should_not` to test that the entity does not exist.
+
+```ruby
+describe aws_api_gateway_v2_api_mapping(api_mapping_id: 'API_MAPPING_ID', domain_name: 'DOMAIN_NAME') do
+ it { should_not exist }
+end
+```
+
+## AWS Permissions
+
+{{% inspec-aws/aws_permissions_principal action="APIGatewayv2:Client:GetApiMappingResponse" %}}
diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_api_gateway_v2_api_mappings.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_api_gateway_v2_api_mappings.md
new file mode 100644
index 0000000..024b146
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_api_gateway_v2_api_mappings.md
@@ -0,0 +1,114 @@
++++
+title = "aws_api_gateway_v2_api_mappings resource"
+
+draft = false
+
+
+[menu.aws]
+title = "aws_api_gateway_v2_api_mappings"
+identifier = "inspec/resources/aws/aws_api_gateway_v2_api_mappings resource"
+parent = "inspec/resources/aws"
++++
+
+Use the `aws_api_gateway_v2_api_mappings` InSpec audit resource to test the properties of multiple AWS API Gateway V2 API mappings.
+
+For additional information, including parameters and properties, see the [AWS documentation on AWS APIGatewayV2 ApiMapping](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-apigatewayv2-apimapping.html).
+
+## Syntax
+
+Ensure the API mappings exist.
+
+```ruby
+describe aws_api_gateway_v2_api_mappings(domain_name: 'DOMAIN_NAME') do
+ it { should exist }
+end
+```
+
+## Parameters
+
+`domain_name` _(required)_
+: The domain name.
+
+## Properties
+
+`api_ids`
+: The API identifier.
+
+: **Field**: `api_id`
+
+`api_mapping_ids`
+: The API mapping identifier.
+
+: **Field**: `api_mapping_id`
+
+`api_mapping_keys`
+: The API mapping key.
+
+: **Field**: `api_mapping_key`
+
+`stages`
+: The API stage.
+
+: **Field**: `stage`
+
+## Examples
+
+### Test to ensure an API ID is available
+
+```ruby
+describe aws_api_gateway_v2_api_mappings(domain_name: 'DOMAIN_NAME') do
+ its('api_ids') { should include 'REST_API_ID' }
+end
+```
+
+### Test to ensure an API mapping ID is available
+
+```ruby
+describe aws_api_gateway_v2_api_mappings(domain_name: 'DOMAIN_NAME') do
+ its('api_mapping_ids') { should include 'API_MAPPING_ID' }
+end
+```
+
+### Test to ensure an API mapping key is available
+
+```ruby
+describe aws_api_gateway_v2_api_mappings(domain_name: 'DOMAIN_NAME') do
+ its('api_mapping_keys') { should include 'API_MAPPING_KEY' }
+end
+```
+
+### Test to ensure an API mapping stage is available
+
+```ruby
+describe aws_api_gateway_v2_api_mappings(domain_name: 'DOMAIN_NAME') do
+ its('stages') { should include 'API_STAGE_NAME' }
+end
+```
+
+## Matchers
+
+{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}}
+
+The control passes if the `get` method returns at least one result.
+
+### exist
+
+Use `should` to test that the entity exists.
+
+```ruby
+describe aws_api_gateway_v2_api_mappings(domain_name: 'DOMAIN_NAME') do
+ it { should exist }
+end
+```
+
+Use `should_not` to test that the entity does not exist.
+
+```ruby
+describe aws_api_gateway_v2_api_mappings(domain_name: 'DOMAIN_NAME') do
+ it { should_not exist }
+end
+```
+
+## AWS Permissions
+
+{{% inspec-aws/aws_permissions_principal action="APIGatewayv2:Client:GetApiMappingsResponse" %}}
diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_api_gateway_v2_apis.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_api_gateway_v2_apis.md
new file mode 100644
index 0000000..7605482
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_api_gateway_v2_apis.md
@@ -0,0 +1,165 @@
++++
+title = "aws_api_gateway_v2_apis resource"
+
+draft = false
+
+
+[menu.aws]
+title = "aws_api_gateway_v2_apis"
+identifier = "inspec/resources/aws/aws_api_gateway_v2_apis resource"
+parent = "inspec/resources/aws"
++++
+
+Use the `aws_api_gateway_v2_apis` InSpec audit resource to test properties of multiple AWS API Gateway V2 APIs.
+
+For additional information, including parameters and properties, see the [AWS documentation on AWS APIGatewayV2 API](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-apigatewayv2-api.html).
+
+## Syntax
+
+Ensure the API exists.
+
+```ruby
+describe aws_api_gateway_v2_apis do
+ it { should exist }
+end
+```
+
+## Parameters
+
+This resource does not require any parameters.
+
+## Properties
+
+`api_endpoints`
+: The URI of the API, of the form `{api-id}.execute-api.{region}.amazonaws.com`. The stage name is typically appended to this URI to form a complete path to a deployed API stage.
+
+: **Field**: `api_endpoint`
+
+`api_gateway_managed`
+: Specifies whether an API is managed by API Gateway. You cannot update or delete a managed API by using API Gateway. A managed API can be deleted only through the tooling or service that created it.
+
+: **Field**: `api_gateway_managed`
+
+`api_ids`
+: The API ID.
+
+: **Field**: `api_id`
+
+`api_key_selection_expressions`
+: An API key selection expression. Supported only for WebSocket APIs.
+
+: **Field**: `api_key_selection_expression`
+
+`cors_configurations`
+: A CORS configuration. Supported only for HTTP APIs.
+
+: **Field**: `cors_configuration`
+
+`created_dates`
+: The timestamp when the API is created.
+
+: **Field**: `created_date`
+
+`descriptions`
+: The description of the API.
+
+: **Field**: `description`
+
+`disable_schema_validations`
+: Avoid validating models when creating a deployment. Supported only for WebSocket APIs.
+
+: **Field**: `disable_schema_validation`
+
+`disable_execute_api_endpoints`
+: Specifies whether clients can invoke your API using the default execute-api endpoint. By default, clients can invoke your API with the default `https://{api_id}.execute-api.{region}.amazonaws.com` endpoint. To require that clients use a custom domain name to invoke your API, disable the default endpoint.
+
+: **Field**: `disable_execute_api_endpoint`
+
+`import_infos`
+: The validation information during API import. Supported only for HTTP APIs.
+
+: **Field**: `import_info`
+
+`names`
+: The name of the API.
+
+: **Field**: `name`
+
+`protocol_types`
+: The API protocol. Valid values are WEBSOCKET or HTTP.
+
+: **Field**: `protocol_type`
+
+`route_selection_expressions`
+: The route selection expression for the API. For HTTP APIs, the `routeSelectionExpression` must be `${request.method} ${request.path}`. If not provided, this will be the default for HTTP APIs. This property is required for WebSocket APIs.
+
+: **Field**: `route_selection_expression`
+
+`tags`
+: A collection of tags associated with the API.
+
+: **Field**: `tags`
+
+`versions`
+: A version identifier for the API.
+
+: **Field**: `version`
+
+`warnings`
+: The warning messages are reported when `failonwarnings` is turned on during API import. The `failonwarnings` specifies to roll back the API creation when a warning is encountered. By default, API creation continues if a warning is encountered.
+
+: **Field**: `warnings`
+
+## Examples
+
+### Test to ensure an API ID is available
+
+```ruby
+describe aws_api_gateway_v2_apis do
+ its('api_ids') { should include 'REST_API_ID' }
+end
+```
+
+### Test to ensure an API name is available
+
+```ruby
+describe aws_api_gateway_v2_apis do
+ its('names') { should include 'REST_API_NAME' }
+end
+```
+
+### Test to ensure a protocol type is `HTTP`
+
+```ruby
+describe aws_api_gateway_v2_apis do
+ its('protocol_types') { should include 'HTTP' }
+end
+```
+
+## Matchers
+
+{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}}
+
+The control passes if the `get` method returns at least one result.
+
+### exist
+
+Use `should` to test that the entity exists.
+
+```ruby
+describe aws_api_gateway_v2_apis do
+ it { should exist }
+end
+```
+
+Use `should_not` to test that the entity does not exist.
+
+```ruby
+describe aws_api_gateway_v2_apis do
+ it { should_not exist }
+end
+```
+
+## AWS Permissions
+
+{{% inspec-aws/aws_permissions_principal action="APIGatewayv2:Client:GetApisResponse" %}}
diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_api_gateway_v2_authorizer.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_api_gateway_v2_authorizer.md
new file mode 100644
index 0000000..c9f6919
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_api_gateway_v2_authorizer.md
@@ -0,0 +1,146 @@
++++
+title = "aws_api_gateway_v2_authorizer resource"
+
+draft = false
+
+
+[menu.aws]
+title = "aws_api_gateway_v2_authorizer"
+identifier = "inspec/resources/aws/aws_api_gateway_v2_authorizer resource"
+parent = "inspec/resources/aws"
++++
+
+Use the `aws_api_gateway_v2_authorizer` InSpec audit resource to test the properties of a single specific AWS API Gateway V2 authorizer.
+
+For additional information, including parameters and properties, see the [AWS documentation on AWS APIGatewayV2 Authorizer](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-apigatewayv2-authorizer.html).
+
+## Syntax
+
+Ensure that the authorizer exists.
+
+```ruby
+describe aws_api_gateway_v2_authorizer(api_id: 'API_ID', authorizer_id: 'AUTHORIZER_ID') do
+ it { should exist }
+end
+```
+
+## Parameters
+
+`api_id` _(required)_
+: The API identifier.
+
+`authorizer_id` _(required)_
+: The authorizer identifier.
+
+## Properties
+
+`authorizer_credentials_arn`
+: Specifies the required credentials as an IAM role for API Gateway to invoke the authorizer.
+
+`authorizer_id`
+: The authorizer identifier.
+
+`authorizer_result_ttl_in_seconds`
+: The time to live (TTL) for cached authorizer results in seconds. If it equals 0, authorization caching is disabled. If it is greater than 0, API Gateway caches authorizer responses. The maximum value is **3600**, or **1 hour**. Supported only for HTTP API Lambda authorizers.
+
+`authorizer_type`
+: The authorizer type. Specify `REQUEST` for a Lambda function using incoming request parameters. Specify `JWT` to use JSON Web Tokens (supported only for HTTP APIs).
+
+`authorizer_uri`
+: The authorizer's Uniform Resource Identifier (URI).
+
+`identity_source`
+: The identity source for which authorization is requested.
+
+`identity_validation_expression`
+: The validation expression does not apply to the `REQUEST` authorizer.
+
+`jwt_configuration`
+: Represents the configuration of a JWT authorizer.
Required for the `JWT` authorizer type. Supported only for HTTP APIs.
+
+`jwt_configuration.audience`
+: A list of the intended recipients of the `JWT`. A valid JWT must provide an `aud` that matches at least one entry in this list. Supported only for HTTP APIs.
+
+`jwt_configuration.issuer`
+: The base domain of the identity provider that issues JSON Web Tokens.
+
+`name`
+: The name of the authorizer.
+
+`authorizer_payload_format_version`
+: Specifies the payload format sent to an HTTP API Lambda authorizer. Required for HTTP API Lambda authorizers. Supported values are **1.0** and **2.0**.
+
+`enable_simple_responses`
+: Specifies whether a Lambda authorizer returns a response in a simple format.
+
+## Examples
+
+### Test to ensure an authorizer ID is available
+
+```ruby
+describe aws_api_gateway_v2_authorizer(api_id: 'API_ID', authorizer_id: 'AUTHORIZER_ID') do
+ its('authorizer_id') { should eq 'AUTHORIZER_ID' }
+end
+```
+
+### Verify the authorizer result
+
+```ruby
+describe aws_api_gateway_v2_authorizer(api_id: 'API_ID', authorizer_id: 'AUTHORIZER_ID') do
+ its('authorizer_result_ttl_in_seconds') { should eq 15 }
+end
+```
+
+### Verify the authorizer type
+
+```ruby
+describe aws_api_gateway_v2_authorizer(api_id: 'API_ID', authorizer_id: 'AUTHORIZER_ID') do
+ its('authorizer_type') { should eq 'JWT' }
+end
+```
+
+### Verify the authorizer's name
+
+```ruby
+describe aws_api_gateway_v2_authorizer(api_id: 'API_ID', authorizer_id: 'AUTHORIZER_ID') do
+ its('name') { should eq 'AUTHORIZER_NAME' }
+end
+```
+
+### Verify the simple responses enabling status
+
+```ruby
+describe aws_api_gateway_v2_authorizer(api_id: 'API_ID', authorizer_id: 'AUTHORIZER_ID') do
+ its('enable_simple_responses') { should eq true }
+end
+```
+
+## Matchers
+
+{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}}
+
+The control passes if the `get` method returns at least one result.
+
+### exist
+
+Use `should` to test that the entity exists.
+
+```ruby
+describe aws_api_gateway_v2_authorizer(api_id: 'API_ID', authorizer_id: 'AUTHORIZER_ID') do
+ it { should exist }
+end
+```
+
+### not exist
+
+Use `should_not` to test that the entity does not exist.
+
+```ruby
+describe aws_api_gateway_v2_authorizer(api_id: 'API_ID', authorizer_id: 'AUTHORIZER_ID') do
+ it { should_not exist }
+end
+```
+
+## AWS Permissions
+
+{{% inspec-aws/aws_permissions_principal action="APIGatewayv2:Client:GetAuthorizerResponse" %}}
diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_api_gateway_v2_authorizers.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_api_gateway_v2_authorizers.md
new file mode 100644
index 0000000..2024aae
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_api_gateway_v2_authorizers.md
@@ -0,0 +1,167 @@
++++
+title = "aws_api_gateway_v2_authorizers resource"
+
+draft = false
+
+
+[menu.aws]
+title = "aws_api_gateway_v2_authorizers"
+identifier = "inspec/resources/aws/aws_api_gateway_v2_authorizers resource"
+parent = "inspec/resources/aws"
++++
+
+Use the `aws_api_gateway_v2_authorizers` InSpec audit resource to test the properties of multiple AWS API Gateway V2 authorizers.
+
+For additional information, including parameters and properties, see the [AWS documentation on AWS APIGatewayV2 Authorizer](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-apigatewayv2-authorizer.html).
+
+## Syntax
+
+Ensure the authorizers exist.
+
+```ruby
+describe aws_api_gateway_v2_authorizers(api_id: 'API_ID') do
+ it { should exist }
+end
+```
+
+## Parameters
+
+`api_id` _(required)_
+: The API identifier.
+
+## Properties
+
+`authorizer_credentials_arns`
+: Specifies the required credentials as an IAM role for API Gateway to invoke the authorizer.
+
+: **Field**: `authorizer_credentials_arn`
+
+`authorizer_ids`
+: The authorizer identifier.
+
+: **Field**: `authorizer_id`
+
+`authorizer_result_ttl_in_seconds`
+: The time to live (TTL) for cached authorizer results in seconds. If it equals 0, authorization caching is disabled. If it is greater than 0, API Gateway caches authorizer responses. The maximum value is **3600**, or **1 hour**. Supported only for HTTP API Lambda authorizers.
+
+: **Field**: `authorizer_result_ttl_in_seconds`
+
+`authorizer_types`
+: The authorizer type. Specify `REQUEST` for a Lambda function using incoming request parameters. Specify `JWT` to use JSON Web Tokens (supported only for HTTP APIs).
+
+: **Field**: `authorizer_type`
+
+`authorizer_uris`
+: The authorizer's Uniform Resource Identifier (URI).
+
+: **Field**: `authorizer_uri`
+
+`identity_sources`
+: The identity source for which authorization is requested.
+
+: **Field**: `identity_source`
+
+`identity_validation_expressions`
+: The validation expression does not apply to the REQUEST authorizer.
+
+: **Field**: `identity_validation_expression`
+
+`jwt_configurations`
+: Represents the configuration of a JWT authorizer. Required for the `JWT` authorizer type. Supported only for HTTP APIs.
+
+: **Field**: `jwt_configuration`
+
+`names`
+: The name of the authorizer.
+
+: **Field**: `name`
+
+`authorizer_payload_format_versions`
+: Specifies the payload format sent to an HTTP API Lambda authorizer. Required for HTTP API Lambda authorizers. Supported values are **1.0** and **2.0**.
+
+: **Field**: `authorizer_payload_format_version`
+
+`enable_simple_responses`
+: Specifies whether a Lambda authorizer returns a response in a simple format.
+
+: **Field**: `enable_simple_responses`
+
+## Examples
+
+### Check the number of authorizers in an API
+
+```ruby
+describe aws_api_gateway_v2_authorizers(api_id: 'API_ID') do
+ its('count') { should eq 4 }
+end
+```
+
+### Test to ensure an authorizer ID is available
+
+```ruby
+describe aws_api_gateway_v2_authorizers(api_id: 'API_ID') do
+ its('authorizer_ids') { should include 'AUTHORIZER_ID' }
+end
+```
+
+### Verify the authorizer result
+
+```ruby
+describe aws_api_gateway_v2_authorizers(api_id: 'API_ID') do
+ its('authorizer_result_ttl_in_seconds') { should include 15 }
+end
+```
+
+### Verify the authorizer type
+
+```ruby
+describe aws_api_gateway_v2_authorizers(api_id: 'API_ID') do
+ its('authorizer_types') { should include 'JWT' }
+end
+```
+
+### Verify the authorizer's name
+
+```ruby
+describe aws_api_gateway_v2_authorizers(api_id: 'API_ID') do
+ its('names') { should include 'AUTHORIZER_NAME' }
+end
+```
+
+### Verify the simple responses enabling status
+
+```ruby
+describe aws_api_gateway_v2_authorizers(api_id: 'API_ID') do
+ its('enable_simple_responses') { should include true }
+end
+```
+
+## Matchers
+
+{{< readfile 
file="content/reusable/md/inspec_matchers_link.md" >}}
+
+The control passes if the `get` method returns at least one result.
+
+### exist
+
+Use `should` to test that the entity exists.
+
+```ruby
+describe aws_api_gateway_v2_authorizers(api_id: 'API_ID') do
+ it { should exist }
+end
+```
+
+### not exist
+
+Use `should_not` to test that the entity does not exist.
+
+```ruby
+describe aws_api_gateway_v2_authorizers(api_id: 'API_ID') do
+ it { should_not exist }
+end
+```
+
+## AWS Permissions
+
+{{% inspec-aws/aws_permissions_principal action="APIGatewayv2:Client:GetAuthorizersResponse" %}}
diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_api_gateway_v2_deployment.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_api_gateway_v2_deployment.md
new file mode 100644
index 0000000..86c8c0e
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_api_gateway_v2_deployment.md
@@ -0,0 +1,125 @@
++++
+title = "aws_api_gateway_v2_deployment resource"
+
+draft = false
+
+
+[menu.aws]
+title = "aws_api_gateway_v2_deployment"
+identifier = "inspec/resources/aws/aws_api_gateway_v2_deployment resource"
+parent = "inspec/resources/aws"
++++
+
+Use the `aws_api_gateway_v2_deployment` InSpec audit resource to test the properties of a specific AWS API Gateway V2 deployment.
+
+For additional information, including parameters and properties, see the [AWS documentation on AWS APIGatewayV2 Deployment](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-apigatewayv2-deployment.html).
+
+## Syntax
+
+Ensure that the deployment exists.
+
+```ruby
+describe aws_api_gateway_v2_deployment(api_id: 'APP_ID', deployment_id: 'DEPLOYMENT_ID') do
+ it { should exist }
+end
+```
+
+## Parameters
+
+`api_id` _(required)_
+: The API identifier.
+
+`deployment_id` _(required)_
+: The identifier for the deployment.
+
+## Properties
+
+`auto_deployed`
+: Specifies whether the deployment was automatically released.
+
+`created_date`
+: The date and time when the deployment resource was created.
+
+`deployment_id`
+: The identifier for the deployment.
+
+`deployment_status`
+: The status of the deployment. The valid values are `PENDING`, `FAILED`, or `SUCCEEDED`.
+
+`deployment_status_message`
+: May contain additional feedback on the status of an API deployment.
+
+`description`
+: The description for the deployment.
+
+## Examples
+
+### Test to ensure a deployment ID is available
+
+```ruby
+describe aws_api_gateway_v2_deployment(api_id: 'APP_ID', deployment_id: 'DEPLOYMENT_ID') do
+ its('deployment_id') { should eq 'DEPLOYMENT_ID' }
+end
+```
+
+### Test to verify the deployment status
+
+```ruby
+describe aws_api_gateway_v2_deployment(api_id: 'APP_ID', deployment_id: 'DEPLOYMENT_ID') do
+ its('deployment_status') { should eq 'DEPLOYED' }
+end
+```
+
+### Test to ensure an authorizer type is `JWT` for a deployment
+
+```ruby
+describe aws_api_gateway_v2_deployment(api_id: 'APP_ID', deployment_id: 'DEPLOYMENT_ID') do
+ its('authorizer_type') { should eq 'JWT' }
+end
+```
+
+### Test to ensure a description is available
+
+```ruby
+describe aws_api_gateway_v2_deployment(api_id: 'APP_ID', deployment_id: 'DEPLOYMENT_ID') do
+ its('description') { should eq 'DEPLOYMENT_DESCRIPTION' }
+end
+```
+
+### Test to ensure an auto-deployment is enabled for a deployment
+
+```ruby
+describe aws_api_gateway_v2_deployment(api_id: 'APP_ID', deployment_id: 'DEPLOYMENT_ID') do
+ its('auto_deployed') { should eq true }
+end
+```
+
+## Matchers
+
+{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}}
+
+The control passes if the `get` method returns at least one result.
+
+### exist
+
+Use `should` to test that the entity exists.
+
+```ruby
+describe aws_api_gateway_v2_deployment(api_id: 'APP_ID', deployment_id: 'DEPLOYMENT_ID') do
+ it { should exist }
+end
+```
+
+### not exists
+
+Use `should_not` to test that the entity does not exist.
+
+```ruby
+describe aws_api_gateway_v2_deployment(api_id: 'APP_ID', deployment_id: 'DEPLOYMENT_ID') do
+ it { should_not exist }
+end
+```
+
+## AWS Permissions
+
+{{% inspec-aws/aws_permissions_principal action="APIGatewayv2:Client:GetDeploymentResponse" %}}
diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_api_gateway_v2_deployments.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_api_gateway_v2_deployments.md
new file mode 100644
index 0000000..e9ca6a9
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_api_gateway_v2_deployments.md
@@ -0,0 +1,135 @@
++++
+title = "aws_api_gateway_v2_deployments resource"
+
+draft = false
+
+
+[menu.aws]
+title = "aws_api_gateway_v2_deployments"
+identifier = "inspec/resources/aws/aws_api_gateway_v2_deployments resource"
+parent = "inspec/resources/aws"
++++
+
+Use the `aws_api_gateway_v2_deployments` InSpec audit resource to test properties of multiple AWS API Gateway V2 deployments.
+
+For additional information, including parameters and properties, see the [AWS documentation on AWS APIGatewayV2 Deployment](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-apigatewayv2-deployment.html).
+
+## Syntax
+
+Ensure that the deployment exists.
+
+```ruby
+describe aws_api_gateway_v2_deployments(api_id: 'APP_ID') do
+ it { should exist }
+end
+```
+
+## Parameters
+
+`api_id` _(required)_
+
+: The API identifier.
+
+## Properties
+
+`auto_deployeds`
+: Specifies whether the deployment was automatically released.
+
+: **Field**: `auto_deployed`
+
+`created_dates`
+: The date and time when the Deployment resource was created.
+
+: **Field**: `created_date`
+
+`deployment_ids`
+: The identifier for the deployment.
+
+: **Field**: `deployment_id`
+
+`deployment_statuses`
+: The status of the deployment: PENDING, FAILED, or SUCCEEDED.
+
+: **Field**: `deployment_status`
+
+`deployment_status_messages`
+: May contain additional feedback on the status of an API deployment.
+
+: **Field**: `deployment_status_message`
+
+`descriptions`
+: The description for the deployment.
+
+: **Field**: `description`
+
+## Examples
+
+### Test to ensure a deployment ID is available
+
+```ruby
+describe aws_api_gateway_v2_deployments(api_id: 'APP_ID') do
+ its('deployment_ids') { should include 'DEPLOYMENT_ID' }
+end
+```
+
+### Test to verify the deployment status
+
+```ruby
+describe aws_api_gateway_v2_deployments(api_id: 'APP_ID') do
+ its('deployment_statuses') { should include 'DEPLOYED' }
+end
+```
+
+### Test to ensure an authorizer type has `JWT`
+
+```ruby
+describe aws_api_gateway_v2_deployments(api_id: 'APP_ID') do
+ its('authorizer_types') { should include 'JWT' }
+end
+```
+
+### Test to ensure a description is available
+
+```ruby
+describe aws_api_gateway_v2_deployments(api_id: 'APP_ID') do
+ its('descriptions') { should include 'DEPLOYMENT_DESCRIPTION' }
+end
+```
+
+### Test to ensure an auto-deployment is enabled for a deployment
+
+```ruby
+describe aws_api_gateway_v2_deployments(api_id: 'APP_ID') do
+ its('auto_deployeds') { should include true }
+end
+```
+
+## Matchers
+
+{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}}
+
+The control passes if the `get` method returns at least one result.
+
+### exist
+
+Use `should` to test that the entity exists.
+
+```ruby
+describe aws_api_gateway_v2_deployments(api_id: 'APP_ID') do
+ it { should exist }
+end
+```
+
+### not exists
+
+Use `should_not` to test that the entity does not exist.
+
+```ruby
+describe aws_api_gateway_v2_deployments(api_id: 'APP_ID') do
+ it { should_not exist }
+end
+```
+
+## AWS Permissions
+
+{{% inspec-aws/aws_permissions_principal action="APIGatewayv2:Client:GetDeploymentsResponse" %}}
diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_api_gateway_v2_domain_name.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_api_gateway_v2_domain_name.md
new file mode 100644
index 0000000..88430bd
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_api_gateway_v2_domain_name.md
@@ -0,0 +1,160 @@
++++
+title = "aws_api_gateway_v2_domain_name resource"
+
+draft = false
+
+
+[menu.aws]
+title = "aws_api_gateway_v2_domain_name"
+identifier = "inspec/resources/aws/aws_api_gateway_v2_domain_name resource"
+parent = "inspec/resources/aws"
++++
+
+Use the `aws_api_gateway_v2_domain_name` InSpec audit resource to test the properties of a specific AWS API Gateway V2 domain name.
+
+For additional information, including parameters and properties, see the [AWS documentation on AWS APIGatewayV2 DomainName](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-apigatewayv2-domainname.html).
+
+## Syntax
+
+Ensure that the domain name exists.
+
+```ruby
+describe aws_api_gateway_v2_domain_name(domain_name: 'DOMAIN_NAME') do
+ it { should exist }
+end
+```
+
+## Parameters
+
+`domain_name` _(required)_
+: The domain name.
+
+## Properties
+
+`api_mapping_selection_expression`
+: The API mapping selection expression.
+
+: **Field**: `api_mapping_selection_expression`
+
+`domain_name`
+: A domain name for the API.
+
+: **Field**: `domain_name`
+
+`api_gateway_domain_names`
+: A domain name for the API.
+
+: **Field**: `domain_name_status_messages[0].api_gateway_domain_name`
+
+`certificate_arns`
+: An AWS-managed certificate is used by the edge-optimized endpoint for this domain name. AWS Certificate Manager is the only supported source.
+
+: **Field**: `domain_name_status_messages[0].certificate_arn`
+
+`certificate_names`
+: The user-friendly name of the certificate used by the edge-optimized endpoint for this domain name.
+
+: **Field**: `domain_name_status_messages[0].certificate_name`
+
+`certificate_upload_dates`
+: The timestamp when the certificate has been used by the edge-optimized endpoint for this domain name when uploaded.
+
+: **Field**: `domain_name_status_messages[0].certificate_upload_date`
+
+`domain_name_statuses`
+: The status of the domain name migration. 
The valid values are `AVAILABLE`, `UPDATING`, `PENDING_CERTIFICATE_REIMPORT`, and `PENDING_OWNERSHIP_VERIFICATION`.
+
+: **Field**: `domain_name_status_messages[0].domain_name_status`
+
+`domain_name_status_messages`
+: An optional text message containing detailed information about the domain name migration status.
+
+: **Field**: `domain_name_status_messages[0].domain_name_status_message`
+
+`endpoint_types`
+: The endpoint type.
+
+: **Field**: `domain_name_status_messages[0].endpoint_type`
+
+`hosted_zone_ids`
+: The Amazon Route 53 Hosted Zone ID of the endpoint.
+
+: **Field**: `domain_name_status_messages[0].hosted_zone_id`
+
+`security_policies`
+: The Transport Layer Security (TLS) version of the security policy for this domain name. The valid values are `TLS_1_0` and `TLS_1_2`.
+
+: **Field**: `domain_name_status_messages[0].security_policy`
+
+`ownership_verification_certificate_arns`
+: The ARN of the public certificate issued by ACM to validate ownership of the custom domain.
+
+: **Field**: `domain_name_status_messages[0].ownership_verification_certificate_arn`
+
+`truststore_uri`
+: An Amazon S3 URL that specifies the truststore for mutual TLS authentication, for example, s3://bucket-name/key-name.
+
+: **Field**: `mutual_tls_authentication.truststore_uri`
+
+`truststore_version`
+: The version of the S3 object that contains the truststore.
+
+: **Field**: `mutual_tls_authentication.truststore_version`
+
+`truststore_warnings`
+: A list of warnings that API Gateway returns while processing your truststore. Invalid certificates produce warnings.
+
+: **Field**: `mutual_tls_authentication.truststore_warnings`
+
+`tags`
+: The collection of tags associated with a domain name.
+
+: **Field**: `tags`
+
+## Examples
+
+### Test to ensure the domain name is available
+
+```ruby
+describe aws_api_gateway_v2_domain_name(domain_name: 'DOMAIN_NAME') do
+ its('domain_name') { should eq 'DOMAIN_NAME' }
+end
+```
+
+### Test to verify the domain status
+
+```ruby
+describe aws_api_gateway_v2_domain_name(domain_name: 'DOMAIN_NAME') do
+ its('domain_name_configurations[0].domain_name_status') { should eq 'AVAILABLE' }
+end
+```
+
+## Matchers
+
+{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}}
+
+The control passes if the `get` method returns at least one result.
+
+### exist
+
+Use `should` to test that the entity exists.
+
+```ruby
+describe aws_api_gateway_v2_domain_name(domain_name: 'DOMAIN_NAME') do
+ it { should exist }
+end
+```
+
+### not exist
+
+Use `should_not` to test that the entity does not exist.
+
+```ruby
+describe aws_api_gateway_v2_domain_name(domain_name: 'DOMAIN_NAME') do
+ it { should_not exist }
+end
+```
+
+## AWS Permissions
+
+{{% inspec-aws/aws_permissions_principal action="APIGatewayv2:Client:GetDomainNameResponse" %}}
diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_api_gateway_v2_domain_names.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_api_gateway_v2_domain_names.md
new file mode 100644
index 0000000..a26fde6
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_api_gateway_v2_domain_names.md
@@ -0,0 +1,109 @@
++++
+title = "aws_api_gateway_v2_domain_names resource"
+
+draft = false
+
+
+[menu.aws]
+title = "aws_api_gateway_v2_domain_names"
+identifier = "inspec/resources/aws/aws_api_gateway_v2_domain_names resource"
+parent = "inspec/resources/aws"
++++
+
+Use the `aws_api_gateway_v2_domain_names` InSpec audit resource to test properties of multiple AWS API Gateway V2 domain names.
+
+For additional information, including parameters and properties, see the [AWS documentation on AWS APIGatewayV2 DomainName](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-apigatewayv2-domainname.html).
+
+## Syntax
+
+Ensure that the domain name exists.
+
+```ruby
+describe aws_api_gateway_v2_domain_names do
+ it { should exist }
+end
+```
+
+## Parameters
+
+This resource does not require any parameters.
+
+## Properties
+
+`authorizer_credentials_arns`
+: Specifies the required credentials as an IAM role for API Gateway to invoke the authorizer.
+
+: **Field**: `authorizer_credentials_arn`
+
+`api_mapping_selection_expressions`
+: The API mapping selection expression.
+
+: **Field**: `api_mapping_selection_expression`
+
+`domain_names`
+: A domain name for the API.
+
+: **Field**: `domain_name`
+
+`domain_name_configurations`
+: The configuration of the domain name.
+
+: **Field**: `domain_name_configurations`
+
+`mutual_tls_authentications`
+: This is TLS authentication.
+
+: **Field**: `mutual_tls_authentication`
+
+`tags`
+: The collection of tags associated with a domain name.
+
+: **Field**: `tags`
+
+## Examples
+
+### Test to ensure a domain name is available
+
+```ruby
+describe aws_api_gateway_v2_domain_names do
+ its('domain_names') { should eq 'DOMAIN_NAME' }
+end
+```
+
+### Test to verify if domain configurations are set
+
+```ruby
+describe aws_api_gateway_v2_domain_names do
+ its('domain_name_configurations') { should eq 'AVAILABLE' }
+end
+```
+
+## Matchers
+
+{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}}
+
+The control passes if the `get` method returns at least one result.
+
+### exist
+
+Use `should` to test that the entity exists.
+
+```ruby
+describe aws_api_gateway_v2_domain_names do
+ it { should exist }
+end
+```
+
+### not exist
+
+Use `should_not` to test that the entity does not exist.
+
+```ruby
+describe aws_api_gateway_v2_domain_names do
+ it { should_not exist }
+end
+```
+
+## AWS Permissions
+
+{{% inspec-aws/aws_permissions_principal action="APIGatewayv2:Client:GetDomainNamesResponse" %}}
diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_api_gateway_v2_integration.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_api_gateway_v2_integration.md
new file mode 100644
index 0000000..e2194dc
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_api_gateway_v2_integration.md
@@ -0,0 +1,178 @@
++++
+title = "aws_api_gateway_v2_integration resource"
+
+draft = false
+
+
+[menu.aws]
+title = "aws_api_gateway_v2_integration"
+identifier = "inspec/resources/aws/aws_api_gateway_v2_integration resource"
+parent = "inspec/resources/aws"
++++
+
+Use the `aws_api_gateway_v2_integration` InSpec audit resource to test the properties of a specific AWS API Gateway V2 integration.
+
+For additional information, including parameters and properties, see the [AWS documentation on AWS APIGatewayV2 Integration](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-apigatewayv2-integration.html).
+
+## Syntax
+
+Ensure that the integration exists.
+
+```ruby
+describe aws_api_gateway_v2_integration(api_id: 'APP_ID', integration_id: 'INTEGRATION_ID') do
+ it { should exist }
+end
+```
+
+## Parameters
+
+`api_id` _(required)_
+: The API identifier.
+
+`integration_id` _(required)_
+: The integration ID.
+
+## Properties
+
+`api_gateway_managed`
+: Specifies whether API Gateway manages integration.
+
+`connection_id`
+: The VPC link ID for a private integration. Supported only for HTTP APIs.
+
+`connection_type`
+: The network connection type to the integration endpoint. Specify `INTERNET` for connections through the public routable internet or `VPC_LINK` for private connections between API Gateway and resources in a VPC. The default value is `INTERNET`.
+
+`content_handling_strategy`
+: Supported only for WebSocket APIs. Specifies how to handle response payload content type conversions. Supported values are `CONVERT_TO_BINARY` and `CONVERT_TO_TEXT`, with the following behaviors:
+
+- `CONVERT_TO_BINARY`: Converts a response payload from a Base64-encoded string to the corresponding binary blob.
+- `CONVERT_TO_TEXT`: Converts a response payload from a binary blob to a Base64-encoded string.
+
+If this property is not defined, the response payload will be passed through from the integration response to the route response or method response without modification.
+
+`credentials_arn`
+: Specifies the credentials required for the integration, if any.
+
+`description`
+: The description of an integration.
+
+`integration_id`
+: The identifier of an integration.
+
+`integration_method`
+: Specifies the integration's HTTP method type.
+
+`integration_response_selection_expression`
+: The integration response selection expression for the integration. Supported only for WebSocket APIs.
+
+`integration_subtype`
+: Supported only for HTTP API `AWS_PROXY` integrations. Specifies the AWS service action to invoke.
+
+`integration_type`
+: The integration type. One of the following:
+
+- `AWS`: for integrating the route or method request with an AWS service action, including the Lambda function-invoking action. With the Lambda function-invoking action, this is referred to as the Lambda custom integration. With any other AWS service action, this is known as AWS integration. Supported only for WebSocket APIs.
+- `AWS_PROXY`: for integrating the route or method request with a Lambda function or other AWS service action. This integration is also referred to as a Lambda proxy integration.
+- `HTTP`: for integrating the route or method request with an HTTP endpoint. This integration is also referred to as the HTTP custom integration. Supported only for WebSocket APIs.
+- `HTTP_PROXY`: for integrating the route or method request with an HTTP endpoint, with the client request passed through as-is. This is also referred to as `HTTP proxy` integration.
+- `MOCK`: for integrating the route or method request with API Gateway as a **loopback** endpoint without invoking any backend. Supported only for WebSocket APIs.
+
+`integration_uri`
+: For a Lambda integration, specify the URI of a Lambda function.
+
+For an HTTP integration, specify a fully-qualified URL.
+
+For an HTTP API private integration, specify the ARN of an Application Load Balancer listener, Network Load Balancer listener, or AWS Cloud Map service. If you specify the ARN of an AWS Cloud Map service, API Gateway uses `DiscoverInstances` to identify resources. You can use query parameters to target specific resources.
+
+`passthrough_behavior`
+: Specifies the pass-through behavior for incoming requests based on the `Content-Type` header in the request, and the available mapping templates specified as the `requestTemplates` property on the `Integration` resource. There are three valid values: `WHEN_NO_MATCH`, `WHEN_NO_TEMPLATES`, and `NEVER`. Supported only for WebSocket APIs.
+
+- `WHEN_NO_MATCH` passes the request body for unmapped content types to the integration backend without transformation.
+- `NEVER` rejects unmapped content types with an `HTTP 415 Unsupported Media Type` response.
+- `WHEN_NO_TEMPLATES` allows pass-through when the integration has no content types mapped to templates. However, if at least one content type defined, unmapped content types will be rejected with the same `HTTP 415 Unsupported Media Type` response.
+
+`payload_format_version`
+: Specifies the format of the payload sent to an integration. Required for HTTP APIs. For HTTP APIs, supported values for Lambda proxy integrations are `1.0` and `2.0`. For all other integrations, `1.0` is the only supported value.
+
+`request_parameters`
+: For WebSocket APIs, a key-value map specifies request parameters passed from the method request to the backend. The key is an integration request parameter name. The associated value is a method request parameter value or static value that must be enclosed within single quotes and pre-encoded as required by the backend. The method request parameter value must match the pattern of `method.request.{location}.{name}`, where `{location}` is **query string, path, or header**; and `{name}` must be a valid and unique method request parameter name.
+
+`response_parameters`
+: Supported only for HTTP APIs. You use response parameters to transform the HTTP response from a backend integration before returning the response to clients. Specify a key-value map from a selection key to response parameters. The selection key must be a valid HTTP status code within the range of 200-599. Response parameters are a key-value map. The key must match pattern `:
 .` or `overwrite.statuscode`. The action can be `append`, `overwrite` or `remove`. The value can be a static value, or map to response data, stage variables, or context variables that are evaluated at runtime.
+
+`request_templates`
+: Represents a map of Velocity templates that are applied on the request payload based on the value of the Content-Type header sent by the client. The content type value is the key in this map, and the template (as a String) is the value. Supported only for WebSocket APIs.
+
+`template_selection_expression`
+: The template selection expression for the integration. Supported only for WebSocket APIs.
+
+`timeout_in_millis`
+: Custom timeout between **50** and **29,000 milliseconds** for WebSocket APIs and between **50** and **30,000 milliseconds** for HTTP APIs. The default timeout is **29 seconds** for WebSocket APIs and **30 seconds** for HTTP APIs.
+
+`tls_config.server_name_to_verify`
+: The TLS configuration for a private integration. If you specify a TLS configuration, private integration traffic uses the HTTPS protocol. Supported only for HTTP APIs. If you specify a server name, API Gateway uses it to verify the hostname on the integration's certificate. The server name is also included in the TLS handshake to support Server Name Indication (SNI) or virtual hosting.
+
+## Examples
+
+### Test to ensure an integration ID is available
+
+```ruby
+describe aws_api_gateway_v2_integration(api_id: 'APP_ID', integration_id: 'INTEGRATION_ID') do
+ its('integration_id') { should eq 'INTEGRATION_ID' }
+end
+```
+
+### Verify the connection type
+
+```ruby
+describe aws_api_gateway_v2_integration(api_id: 'APP_ID', integration_id: 'INTEGRATION_ID') do
+ its('connection_type') { should eq 'INTERNET' }
+end
+```
+
+### Verify the integration type
+
+```ruby
+describe aws_api_gateway_v2_integration(api_id: 'APP_ID', integration_id: 'INTEGRATION_ID') do
+ its('integration_type') { should eq 'AWS' }
+end
+```
+
+### Verify the pass-through behavior
+
+```ruby
+describe aws_api_gateway_v2_integration(api_id: 'APP_ID', integration_id: 'INTEGRATION_ID') do
+ its('passthrough_behavior') { should eq 'NEVER' }
+end
+```
+
+## Matchers
+
+{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}}
+
+The control passes if the `get` method returns at least one result.
+
+### exist
+
+Use `should` to test that the entity exists.
+
+```ruby
+describe aws_api_gateway_v2_integration(api_id: 'APP_ID', integration_id: 'INTEGRATION_ID') do
+ it { should exist }
+end
+```
+
+### not exist
+
+Use `should_not` to test that the entity does not exist.
+
+```ruby
+describe aws_api_gateway_v2_integration(api_id: 'APP_ID', integration_id: 'INTEGRATION_ID') do
+ it { should_not exist }
+end
+```
+
+## AWS Permissions
+
+{{% inspec-aws/aws_permissions_principal action="APIGatewayv2:Client:GetIntegrationResult" %}}
diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_api_gateway_v2_integration_response.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_api_gateway_v2_integration_response.md
new file mode 100644
index 0000000..35a1790
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_api_gateway_v2_integration_response.md
@@ -0,0 +1,117 @@
++++
+title = "aws_api_gateway_v2_integration_response resource"
+
+draft = false
+
+
+[menu.aws]
+title = "aws_api_gateway_v2_integration_response"
+identifier = "inspec/resources/aws/aws_api_gateway_v2_integration_response resource"
+parent = "inspec/resources/aws"
++++
+
+Use the `aws_api_gateway_v2_integration_response` InSpec audit resource to test the properties of a specific AWS API Gateway V2 integration response.
+
+For additional information, including parameters and properties, see the [AWS documentation on AWS APIGatewayV2 IntegrationResponse](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-apigatewayv2-integrationresponse.html).
+
+## Syntax
+
+Ensure that the integration response exists.
+
+```ruby
+describe aws_api_gateway_v2_integration_response(api_id: 'APP_ID', integration_id: 'INTEGRATION_ID', integration_response_id: 'INTEGRATION_RESPONSE_ID') do
+ it { should exist }
+end
+```
+
+## Parameters
+
+`api_id` _(required)_
+: The API identifier.
+
+`integration_id` _(required)_
+: The integration ID.
+
+`integration_response_id` _(required)_
+: The integration response ID.
+
+## Properties
+
+`content_handling_strategy`
+: Supported only for WebSocket APIs. Specifies how to handle response payload content type conversions. Supported values are `CONVERT_TO_BINARY` and `CONVERT_TO_TEXT`, with the following behaviors:
+
+- **CONVERT_TO_BINARY**: Converts a response payload from a Base64-encoded string to the corresponding binary blob.
+- **CONVERT_TO_TEXT**: Converts a response payload from a binary blob to a Base64-encoded string.
+
+If this property is not defined, the response payload will be passed through from the integration response to the route response or method response without modification.
+
+`integration_response_id`
+: The integration response ID.
+
+`integration_response_key`
+: The integration response key.
+
+`response_parameters`
+: A key-value map specifying response parameters that are passed to the method response from the backend. The key is a method response header parameter name. The mapped value is an integration response header value, a static value enclosed within a pair of single quotes or a JSON expression from the integration response body. The mapping key must match the pattern of `method.response.header.{name}`, where **name** is a valid and unique header name. The mapped non-static value must match the pattern of `integration.response.header.{name}` or `integration.response.body.{JSON-expression}`, where the name is a valid and unique response header name and JSON-expression is a valid JSON expression without the `$` prefix.
+
+`response_templates`
+: The collection of response templates for the integration response as a string-to-string map of key-value pairs. Response templates are represented as a key or value map, with a content type as the key and a template as the value.
+
+`template_selection_expression`
+: The template selection expressions for the integration response. Supported only for WebSocket APIs.
+
+## Examples
+
+### Test to ensure that an integration response ID is available
+
+```ruby
+describe aws_api_gateway_v2_integration_response(api_id: 'APP_ID', integration_id: 'INTEGRATION_ID', integration_response_id: 'INTEGRATION_RESPONSE_ID') do
+ its('integration_response_id') { should eq 'INTEGRATION_RESPONSE_ID' }
+end
+```
+
+### Test to verify the integration response key
+
+```ruby
+describe aws_api_gateway_v2_integration_response(api_id: 'APP_ID', integration_id: 'INTEGRATION_ID', integration_response_id: 'INTEGRATION_RESPONSE_ID') do
+ its('integration_response_key') { should eq 'INTEGRATION_RESPONSE_KEY' }
+end
+```
+
+### Test to verify the content handling strategy
+
+```ruby
+describe aws_api_gateway_v2_integration_response(api_id: 'APP_ID', integration_id: 'INTEGRATION_ID', integration_response_id: 'INTEGRATION_RESPONSE_ID') do
+ its('content_handling_strategy') { should eq 'CONVERT_TO_BINARY' }
+end
+```
+
+## Matchers
+
+{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}}
+
+The control passes if the `get` method returns at least a result.
+
+### exist
+
+Use `should` to test that the entity exists.
+
+```ruby
+describe aws_api_gateway_v2_integration_response(api_id: 'APP_ID', integration_id: 'INTEGRATION_ID', integration_response_id: 'INTEGRATION_RESPONSE_ID') do
+ it { should exist }
+end
+```
+
+### not exist
+
+Use `should_not` to test that the entity does not exist.
+
+```ruby
+describe aws_api_gateway_v2_integration_response(api_id: 'APP_ID', integration_id: 'INTEGRATION_ID', integration_response_id: 'INTEGRATION_RESPONSE_ID') do
+ it { should_not exist }
+end
+```
+
+## AWS Permissions
+
+{{% inspec-aws/aws_permissions_principal action="APIGatewayv2:Client:GetIntegrationResponseResponse" %}}
diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_api_gateway_v2_integration_responses.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_api_gateway_v2_integration_responses.md
new file mode 100644
index 0000000..d8e3460
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_api_gateway_v2_integration_responses.md
@@ -0,0 +1,126 @@ ++++ +title = "aws_api_gateway_v2_integration_responses resource" + +draft = false + + +[menu.aws] +title = "aws_api_gateway_v2_integration_responses" +identifier = "inspec/resources/aws/aws_api_gateway_v2_integration_responses resource" +parent = "inspec/resources/aws" ++++ + +Use the `aws_api_gateway_v2_integration_responses` InSpec audit resource to test properties of multiple AWS API Gateway V2 integration responses. + +For additional information, including parameters and properties, see the [AWS documentation on AWS APIGatewayV2 IntegrationResponse](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-apigatewayv2-integrationresponse.html). + +## Syntax + +Ensure that the integration response exists. + +```ruby +describe aws_api_gateway_v2_integration_responses(api_id: 'APP_ID', integration_id: 'INTEGRATION_ID') do + it { should exist } +end +``` + +## Parameters + +`api_id` _(required)_ +: The API identifier. + +`route_id` _(required)_ +: The route identifier. + +## Properties + +`content_handling_strategies` +: Supported only for WebSocket APIs. Specifies how to handle response payload content type conversions. Supported values are `CONVERT_TO_BINARY` and `CONVERT_TO_TEXT`, with the following behaviors: + +- **CONVERT_TO_BINARY**: Converts a response payload from a Base64-encoded string to the corresponding binary blob. +- **CONVERT_TO_TEXT**: Converts a response payload from a binary blob to a Base64-encoded string. + +If this property is not defined, the response payload will be passed through from the integration response to the route response or method response without modification. + +: **Field**: `content_handling_strategy` + +`integration_response_ids` +: The integration response ID. + +: **Field**: `integration_response_id` + +`integration_response_keys` +: The integration response key. 
+ +: **Field**: `integration_response_key` + +`response_parameters` +: A key-value map specifying response parameters that are passed to the method response from the backend. The key is a method response header parameter name. The mapped value is an integration response header value, a static value enclosed within a pair of single quotes or a JSON expression from the integration response body. The mapping key must match the pattern of `method.response.header.{name}`, where **name** is a valid and unique header name. The mapped non-static value must match the pattern of `integration.response.header.{name}` or `integration.response.body.{JSON-expression}`, where the name is a valid and unique response header name and JSON-expression is a valid JSON expression without the `$` prefix. + +: **Field**: `response_parameters` + +`response_templates` +: The collection of response templates for the integration response as a string-to-string map of key-value pairs. Response templates are represented as a key or value map, with a content type as the key and a template as the value. + +: **Field**: `response_templates` + +`template_selection_expressions` +: The template selection expressions for the integration response. Supported only for WebSocket APIs. 
+ +: **Field**: `template_selection_expression` + +## Examples + +### Test to ensure an integration response ID is available + +```ruby +describe aws_api_gateway_v2_integration_responses(api_id: 'APP_ID', integration_id: 'INTEGRATION_ID') do + its('integration_response_ids') { should include 'INTEGRATION_RESPONSE_ID' } +end +``` + +### Test to verify the integration response key + +```ruby +describe aws_api_gateway_v2_integration_responses(api_id: 'APP_ID', integration_id: 'INTEGRATION_ID') do + its('integration_response_keys') { should include 'INTEGRATION_RESPONSE_KEY' } +end +``` + +### Test to verify the content handling strategy + +```ruby +describe aws_api_gateway_v2_integration_responses(api_id: 'APP_ID', integration_id: 'INTEGRATION_ID') do + its('content_handling_strategy') { should include 'CONVERT_TO_BINARY' } +end +``` + +## Matchers + +{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}} + +The control passes if the `get` method returns at least a result. + +### exist + +Use `should` to test that the entity exists. + +```ruby +describe aws_api_gateway_v2_integration_responses(api_id: 'APP_ID', integration_id: 'INTEGRATION_ID') do + it { should exist } +end +``` + +### not exist + +Use `should_not` to test that the entity does not exist. + +```ruby +describe aws_api_gateway_v2_integration_responses(api_id: 'APP_ID', integration_id: 'INTEGRATION_ID') do + it { should_not exist } +end +``` + +## AWS Permissions + +{{% inspec-aws/aws_permissions_principal action="APIGatewayv2:Client:GetIntegrationResponsesResponse" %}} diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_api_gateway_v2_integrations.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_api_gateway_v2_integrations.md new file mode 100644 index 0000000..a022d4b --- /dev/null +++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_api_gateway_v2_integrations.md 
@@ -0,0 +1,215 @@ ++++ +title = "aws_api_gateway_v2_integrations resource" + +draft = false + + +[menu.aws] +title = "aws_api_gateway_v2_integrations" +identifier = "inspec/resources/aws/aws_api_gateway_v2_integrations resource" +parent = "inspec/resources/aws" ++++ + +Use the `aws_api_gateway_v2_integrations` InSpec audit resource to test properties of multiple AWS API Gateway V2 integrations. + +For additional information, including parameters and properties, see the [AWS documentation on AWS APIGatewayV2 Integration](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-apigatewayv2-integration.html). + +## Syntax + +Ensure that the integration exists. + +```ruby +describe aws_api_gateway_v2_integrations(api_id: 'APP_ID') do + it { should exist } +end +``` + +## Parameters + +`api_id` _(required)_ +: The API identifier. + +## Properties + +`api_gateway_manageds` +: Specifies whether API Gateway manages integration. + +: **Field**: `api_gateway_managed` + +`connection_ids` +: The VPC link ID for a private integration. Supported only for HTTP APIs. + +: **Field**: `connection_id` + +`connection_types` +: The network connection type to the integration endpoint. Specify `INTERNET` for connections through the public routable internet or `VPC_LINK` for private connections between API Gateway and resources in a VPC. The default value is `INTERNET`. + +: **Field**: `connection_type` + +`content_handling_strategies` +: Supported only for WebSocket APIs. Specifies how to handle response payload content type conversions. Supported values are `CONVERT_TO_BINARY` and `CONVERT_TO_TEXT`, with the following behaviors: + +- `CONVERT_TO_BINARY`: Converts a response payload from a Base64-encoded string to the corresponding binary blob. +- `CONVERT_TO_TEXT`: Converts a response payload from a binary blob to a Base64-encoded string. 
+ +If this property is not defined, the response payload will be passed through from the integration response to the route response or method response without modification. + +: **Field**: `content_handling_strategy` + +`credentials_arns` +: Specifies the credentials required for the integration, if any. + +: **Field**: `credentials_arn` + +`descriptions` +: Represents the description of an integration. + +: **Field**: `description` + +`integration_ids` +: Represents the identifier of an integration. + +: **Field**: `integration_id` + +`integration_methods` +: Specifies the integration's HTTP method type. + +: **Field**: `integration_method` + +`integration_response_selection_expressions` +: The integration response selection expression for the integration. Supported only for WebSocket APIs. + +: **Field**: `integration_response_selection_expression` + +`integration_subtypes` +: Supported only for `HTTP API AWS_PROXY integrations`. Specifies the AWS service action to invoke. + +: **Field**: `integration_subtype` + +`integration_types` +: The integration type. One of the following: + +- `AWS`: for integrating the route or method request with an AWS service action, including the Lambda function-invoking action. With the Lambda function-invoking action, this is referred to as the Lambda custom integration. With any other AWS service action, this is known as AWS integration. Supported only for WebSocket APIs. +- `AWS_PROXY`: for integrating the route or method request with a Lambda function or other AWS service action. This integration is also referred to as a Lambda proxy integration. +`HTTP`: for integrating the route or method request with an HTTP endpoint. This integration is also referred to as the HTTP custom integration. Supported only for WebSocket APIs. +`HTTP_PROXY`: for integrating the route or method request with an HTTP endpoint, with the client request passed through as-is. This is also referred to as HTTP proxy integration. 
+`MOCK`: for integrating the route or method request with API Gateway as a **loopback** endpoint without invoking any backend. Supported only for WebSocket APIs. + +: **Field**: `integration_type` + +`integration_uris` +: For a Lambda integration, specify the URI of a Lambda function. + +For an HTTP integration, specify a fully-qualified URL. + +For an HTTP API private integration, specify the ARN of an Application Load Balancer listener, Network Load Balancer listener, or AWS Cloud Map service. If you specify the ARN of an AWS Cloud Map service, API Gateway uses `DiscoverInstances` to identify resources. You can use query parameters to target specific resources. To learn more, see DiscoverInstances. For private integrations, all resources must be owned by the same AWS account. + +: **Field**: `integration_uri` + +`passthrough_behaviors` +: Specifies the pass-through behavior for incoming requests based on the `Content-Type` header in the request and the available mapping templates specified as the `requestTemplates` property on the `Integration` resource. There are three valid values: `WHEN_NO_MATCH`, `WHEN_NO_TEMPLATES`, and `NEVER`. Supported only for WebSocket APIs. + +- `WHEN_NO_MATCH` passes the request body for unmapped content types to the integration backend without transformation. +- `NEVER` rejects unmapped content types with an `HTTP 415 Unsupported Media Type` response. +- `WHEN_NO_TEMPLATES` allows pass-through when the integration has no content types mapped to templates. However, if at least one content type defined, unmapped content types will be rejected with the same `HTTP 415 Unsupported Media Type` response. + +: **Field**: `passthrough_behavior` + +`payload_format_versions` +: Specifies the format of the payload sent to an integration. Required for HTTP APIs. 
+ +: **Field**: `payload_format_version` + +`request_parameters` +: For WebSocket APIs, a key-value map specifying request parameters that are passed from the method request to the backend. The key is an integration request parameter name. The associated value is a method request parameter value or static value that must be enclosed within single quotes and pre-encoded as required by the backend. The method request parameter value must match the pattern of `method.request.{location}.{name}`, where `{location}` is **query string, path, or header**; and `{name}` must be a valid and unique method request parameter name. + +: **Field**: `request_parameters` + +`response_parameters` +: Supported only for HTTP APIs. You use response parameters to transform the HTTP response from a backend integration before returning the response to clients. Specify a key-value map from a selection key to response parameters. The selection key must be a valid HTTP status code within the range of 200-599. Response parameters are a key-value map. The key must match pattern `:
.` or `overwrite.statuscode`. The action can be `append`, `overwrite` or `remove`. The value can be a static value, or map to response data, stage variables, or context variables that are evaluated at runtime. + +: **Field**: `response_parameters` + +`request_templates` +: Represents a map of Velocity templates applied on the request payload based on the value of the Content-Type header sent by the client. The content type value is the key in this map, and the template (as a String) is the value. Supported only for WebSocket APIs. + +: **Field**: `request_templates` + +`template_selection_expressions` +: The template selection expression for the integration. Supported only for WebSocket APIs. + +: **Field**: `template_selection_expression` + +`timeout_in_millis` +: Custom timeout between **50** and **29,000** milliseconds for WebSocket APIs and between **50** and **30,000** milliseconds for HTTP APIs. The default timeout is **29 seconds** for WebSocket APIs and **30 seconds** for HTTP APIs. + +: **Field**: `timeout_in_millis` + +`tls_configs` +: The TLS configuration for a private integration. If you specify a TLS configuration, private integration traffic uses the HTTPS protocol. Supported only for HTTP APIs. 
+ +: **Field**: `tls_config` + +## Examples + +### Test to ensure an integration ID is available + +```ruby +describe aws_api_gateway_v2_integrations(api_id: 'APP_ID') do + its('integration_ids') { should include 'INTEGRATION_ID' } +end +``` + +### Test to verify the connection type + +```ruby +describe aws_api_gateway_v2_integrations(api_id: 'APP_ID') do + its('connection_types') { should include 'INTERNET' } +end +``` + +### Test to verify the integration type + +```ruby +describe aws_api_gateway_v2_integrations(api_id: 'APP_ID') do + its('integration_types') { should include 'AWS' } +end +``` + +### Test to Verify the pass-through behavior + +```ruby +describe aws_api_gateway_v2_integrations(api_id: 'APP_ID') do + its('passthrough_behaviors') { should include 'NEVER' } +end +``` + +## Matchers + +{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}} + +The control passes if the `get` method returns at least one result. + +### exist + +Use `should` to test that the entity exists. + +```ruby +describe aws_api_gateway_v2_integrations(api_id: 'APP_ID') do + it { should exist } +end +``` + +### not exists + +Use `should_not` to test that the entity does not exist. + +```ruby +describe aws_api_gateway_v2_integrations(api_id: 'APP_ID') do + it { should_not exist } +end +``` + +## AWS Permissions + +{{% inspec-aws/aws_permissions_principal action="APIGatewayv2:Client:GetIntegrationsResult" %}} diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_api_gateway_v2_model.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_api_gateway_v2_model.md new file mode 100644 index 0000000..6d90fe3 --- /dev/null +++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_api_gateway_v2_model.md 
@@ -0,0 +1,114 @@
++++
+title = "aws_api_gateway_v2_model resource"
+
+draft = false
+
+
+[menu.aws]
+title = "aws_api_gateway_v2_model"
+identifier = "inspec/resources/aws/aws_api_gateway_v2_model resource"
+parent = "inspec/resources/aws"
++++
+
+Use the `aws_api_gateway_v2_model` InSpec audit resource to test the properties of a specific AWS API Gateway V2 model.
+
+For additional information, including parameters and properties, see the [AWS documentation on AWS APIGatewayV2 Model](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-apigatewayv2-model.html).
+
+## Syntax
+
+Ensure that the model exists.
+
+```ruby
+describe aws_api_gateway_v2_model(api_id: 'APP_ID', model_id: 'MODEL_ID') do
+ it { should exist }
+end
+```
+
+## Parameters
+
+`api_id` _(required)_
+: The API identifier.
+
+`model_id` _(required)_
+: The model identifier.
+
+## Properties
+
+`content_type`
+: The content-type for the model, for example, **application/json**.
+
+`description`
+: The description of the model.
+
+`model_id`
+: The model identifier.
+
+`name`
+: The name of the model. Must be alphanumeric.
+
+`schema`
+: The schema for the model. For application/json models, this should be JSON schema draft 4 model.
+
+## Examples
+
+### Test to ensure a model ID is available
+
+```ruby
+describe aws_api_gateway_v2_model(api_id: 'APP_ID', model_id: 'MODEL_ID') do
+ its('model_id') { should eq 'MODEL_ID' }
+end
+```
+
+### Test to verify the model name
+
+```ruby
+describe aws_api_gateway_v2_model(api_id: 'APP_ID', model_id: 'MODEL_ID') do
+ its('name') { should eq 'MODEL_NAME' }
+end
+```
+
+### Test to verify the model description
+
+```ruby
+describe aws_api_gateway_v2_model(api_id: 'APP_ID', model_id: 'MODEL_ID') do
+ its('description') { should eq 'MODEL_DESCRIPTION' }
+end
+```
+
+### Test to verify the model content type
+
+```ruby
+describe aws_api_gateway_v2_model(api_id: 'APP_ID', model_id: 'MODEL_ID') do
+ its('content_type') { should eq 'application/json' }
+end
+```
+
+## Matchers
+
+{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}}
+
+The control passes if the `get` method returns at least one result.
+
+### exist
+
+Use `should` to test that the entity exists.
+
+```ruby
+describe aws_api_gateway_v2_model(api_id: 'APP_ID', model_id: 'MODEL_ID') do
+ it { should exist }
+end
+```
+
+### not exist
+
+Use `should_not` to test that the entity does not exist.
+
+```ruby
+describe aws_api_gateway_v2_model(api_id: 'APP_ID', model_id: 'MODEL_ID') do
+ it { should_not exist }
+end
+```
+
+## AWS Permissions
+
+{{% inspec-aws/aws_permissions_principal action="APIGatewayv2:Client:GetModelResponse" %}}
diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_api_gateway_v2_models.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_api_gateway_v2_models.md
new file mode 100644
index 0000000..c00081d
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_api_gateway_v2_models.md
@@ -0,0 +1,121 @@
++++
+title = "aws_api_gateway_v2_models resource"
+
+draft = false
+
+
+[menu.aws]
+title = "aws_api_gateway_v2_models"
+identifier = "inspec/resources/aws/aws_api_gateway_v2_models resource"
+parent = "inspec/resources/aws"
++++
+
+Use the `aws_api_gateway_v2_models` InSpec audit resource to test the properties of multiple AWS API Gateway V2 models.
+
+For additional information, including parameters and properties, see the [AWS documentation on AWS APIGatewayV2 Model](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-apigatewayv2-model.html).
+
+## Syntax
+
+Ensure that the model exists.
+
+```ruby
+describe aws_api_gateway_v2_models(api_id: 'APP_ID') do
+ it { should exist }
+end
+```
+
+## Parameters
+
+`api_id` _(required)_
+: The API identifier.
+
+## Properties
+
+`content_types`
+: The content-type for the model, for example, **application/json**.
+
+: **Field**: `content_type`
+
+`descriptions`
+: The description of the model.
+
+: **Field**: `description`
+
+`model_ids`
+: The model identifier.
+
+: **Field**: `model_id`
+
+`names`
+: The name of the model. Must be alphanumeric.
+
+: **Field**: `name`
+
+`schemas`
+: The schema for the model. For application/json models, this should be JSON schema draft 4 model.
+
+: **Field**: `schema`
+
+## Examples
+
+### Test to ensure a model ID is available
+
+```ruby
+describe aws_api_gateway_v2_models(api_id: 'APP_ID') do
+ its('model_ids') { should include 'MODEL_ID' }
+end
+```
+
+### Test to verify the model name
+
+```ruby
+describe aws_api_gateway_v2_models(api_id: 'APP_ID') do
+ its('names') { should include 'MODEL_NAME' }
+end
+```
+
+### Test to verify the model description
+
+```ruby
+describe aws_api_gateway_v2_models(api_id: 'APP_ID') do
+ its('descriptions') { should include 'MODEL_DESCRIPTION' }
+end
+```
+
+### Test to verify the model content type is 'application/json'
+
+```ruby
+describe aws_api_gateway_v2_models(api_id: 'APP_ID') do
+ its('content_types') { should include 'application/json' }
+end
+```
+
+## Matchers
+
+{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}}
+
+The control passes if the `get` method returns at least one result.
+
+### exist
+
+Use `should` to test that the entity exists.
+
+```ruby
+describe aws_api_gateway_v2_models(api_id: 'APP_ID') do
+ it { should exist }
+end
+```
+
+### not exist
+
+Use `should_not` to test that the entity does not exist.
+
+```ruby
+describe aws_api_gateway_v2_models(api_id: 'APP_ID') do
+ it { should_not exist }
+end
+```
+
+## AWS Permissions
+
+{{% inspec-aws/aws_permissions_principal action="APIGatewayv2:Client:GetModelsResponse" %}}
diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_api_gateway_v2_route.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_api_gateway_v2_route.md
new file mode 100644
index 0000000..bfc7c8d
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_api_gateway_v2_route.md
@@ -0,0 +1,154 @@
++++
+title = "aws_api_gateway_v2_route resource"
+
+draft = false
+
+
+[menu.aws]
+title = "aws_api_gateway_v2_route"
+identifier = "inspec/resources/aws/aws_api_gateway_v2_route resource"
+parent = "inspec/resources/aws"
++++
+
+Use the `aws_api_gateway_v2_route` InSpec audit resource to test the properties of a specific AWS API Gateway V2 Route.
+
+For additional information, including parameters and properties, see the [AWS documentation on AWS APIGatewayV2 Route](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-apigatewayv2-route.html).
+
+## Syntax
+
+Ensure that the route exists.
+
+```ruby
+describe aws_api_gateway_v2_route(api_id: 'APP_ID', route_id: 'ROUTE_ID') do
+ it { should exist }
+end
+```
+
+## Parameters
+
+`api_id` _(required)_
+: The API identifier.
+
+`route_id` _(required)_
+: The route identifier.
+
+## Properties
+
+`api_gateway_managed`
+: Specifies whether a route is managed by API Gateway. If you created an API using quick create, the `$default` route is managed by API Gateway. You cannot modify the `$default` route key.
+
+`api_key_required`
+: Specifies whether an API key is required for this route. Supported only for WebSocket APIs.
+
+`authorization_scopes`
+: A list of authorization scopes configured on a route. The scopes are used with a JWT authorizer to authorize the method invocation. The authorization works by matching the route scopes against the scopes parsed from the access token in the incoming request. The method invocation is authorized if any route scope matches a claimed scope in the access token. Otherwise, the invocation is not authorized. When the route scope is configured, the client must provide an access token instead of an identity token for authorization purposes.
+
+`authorization_type`
+: The authorization type for the route.
For WebSocket APIs, valid values are `NONE` for open access, `AWS_IAM` for using AWS IAM permissions, and `CUSTOM` for using a Lambda authorizer. For HTTP APIs, valid values are `NONE` for open access, `JWT` for using JSON Web Tokens, `AWS_IAM` for using AWS IAM permissions, and `CUSTOM` for using a Lambda authorizer.
+
+`authorizer_id`
+: The identifier of the Authorizer resource to be associated with this route. The authorizer identifier is generated by API Gateway when you created the authorizer.
+
+`model_selection_expression`
+: The model selection expression for the route. Supported only for WebSocket APIs.
+
+`operation_name`
+: The operation name for the route.
+
+`request_models`
+: The request models for the route. Supported only for WebSocket APIs.
+
+`request_parameters`
+: The request parameters for the route. Supported only for WebSocket APIs.
+
+`route_id`
+: The route ID.
+
+`route_key`
+: The route key for the route.
+
+`route_response_selection_expression`
+: The route response selection expression for the route. Supported only for WebSocket APIs.
+
+`target`
+: The target for the route.
+
+## Examples
+
+### Test to ensure an authorizer ID is available
+
+```ruby
+describe aws_api_gateway_v2_route(api_id: 'APP_ID', route_id: 'ROUTE_ID') do
+ its('authorizer_id') { should eq 'AUTHORIZER_ID' }
+end
+```
+
+### Test to verify the requirement of the API key
+
+```ruby
+describe aws_api_gateway_v2_route(api_id: 'APP_ID', route_id: 'ROUTE_ID') do
+ its('api_key_required') { should eq true }
+end
+```
+
+### Test to verify the authorization type
+
+```ruby
+describe aws_api_gateway_v2_route(api_id: 'APP_ID', route_id: 'ROUTE_ID') do
+ its('authorization_type') { should eq 'JWT' }
+end
+```
+
+### Test to verify the operation name
+
+```ruby
+describe aws_api_gateway_v2_route(api_id: 'APP_ID', route_id: 'ROUTE_ID') do
+ its('operation_name') { should eq 'OPERATION_NAME' }
+end
+```
+
+### Test to ensure a route key is available
+
+```ruby
+describe aws_api_gateway_v2_route(api_id: 'APP_ID', route_id: 'ROUTE_ID') do
+ its('route_key') { should eq 'ROUTE_KEY' }
+end
+```
+
+### Test to verify the target
+
+```ruby
+describe aws_api_gateway_v2_route(api_id: 'APP_ID', route_id: 'ROUTE_ID') do
+ its('target') { should eq 'ROUTE_TARGET' }
+end
+```
+
+## Matchers
+
+{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}}
+
+The control passes if the `get` method returns at least one result.
+
+### exist
+
+Use `should` to test that the entity exists.
+
+```ruby
+describe aws_api_gateway_v2_route(api_id: 'APP_ID', route_id: 'ROUTE_ID') do
+ it { should exist }
+end
+```
+
+### not exist
+
+Use `should_not` to test that the entity does not exist.
+
+```ruby
+describe aws_api_gateway_v2_route(api_id: 'APP_ID', route_id: 'ROUTE_ID') do
+ it { should_not exist }
+end
+```
+
+## AWS Permissions
+
+{{% inspec-aws/aws_permissions_principal action="APIGatewayv2:Client:GetRouteResult" %}}
diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_api_gateway_v2_routes.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_api_gateway_v2_routes.md
new file mode 100644
index 0000000..13805e0
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_api_gateway_v2_routes.md
@@ -0,0 +1,161 @@
++++
+title = "aws_api_gateway_v2_routes resource"
+
+draft = false
+
+
+[menu.aws]
+title = "aws_api_gateway_v2_routes"
+identifier = "inspec/resources/aws/aws_api_gateway_v2_routes resource"
+parent = "inspec/resources/aws"
++++
+
+Use the `aws_api_gateway_v2_routes` InSpec audit resource to test the properties of multiple AWS API Gateway V2 Routes.
+
+For additional information, including parameters and properties, see the [AWS documentation on AWS APIGatewayV2 Route](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-apigatewayv2-route.html).
+
+## Syntax
+
+Ensure that the route exists.
+
+```ruby
+describe aws_api_gateway_v2_routes(api_id: 'APP_ID') do
+ it { should exist }
+end
+```
+
+## Parameters
+
+`api_id` _(required)_
+: The API identifier.
+
+## Properties
+
+`api_gateway_manageds`
+: Specifies whether a route is managed by API Gateway. If you created an API using quick create, the `$default` route is managed by API Gateway. You cannot modify the `$default` route key.
+
+: **Field**: `api_gateway_managed`
+
+`api_key_requireds`
+: Specifies whether an API key is required for this route. Supported only for WebSocket APIs.
+
+: **Field**: `api_key_required`
+
+`authorization_scopes`
+: A list of authorization scopes configured on a route. The scopes are used with a JWT authorizer to authorize the method invocation. The authorization works by matching the route scopes against the scopes parsed from the access token in the incoming request. The method invocation is authorized if any route scope matches a claimed scope in the access token. Otherwise, the invocation is not authorized. When the route scope is configured, the client must provide an access token instead of an identity token for authorization purposes.
+
+: **Field**: `authorization_scopes`
+
+`authorization_types`
+: The authorization type for the route.
For WebSocket APIs, valid values are `NONE` for open access, `AWS_IAM` for using AWS IAM permissions, and `CUSTOM` for using a Lambda authorizer. For HTTP APIs, valid values are `NONE` for open access, `JWT` for using JSON Web Tokens, `AWS_IAM` for using AWS IAM permissions, and `CUSTOM` for using a Lambda authorizer.
+
+: **Field**: `authorization_type`
+
+`authorizer_ids`
+: The identifier of the Authorizer resource to be associated with this route. The authorizer identifier is generated by API Gateway when you created the authorizer.
+
+: **Field**: `authorizer_id`
+
+`model_selection_expressions`
+: The model selection expression for the route. Supported only for WebSocket APIs.
+
+: **Field**: `model_selection_expression`
+
+`operation_names`
+: The operation name for the route.
+
+: **Field**: `operation_name`
+
+`request_models`
+: The request models for the route. Supported only for WebSocket APIs.
+
+: **Field**: `request_models`
+
+`request_parameters`
+: The request parameters for the route. Supported only for WebSocket APIs.
+
+: **Field**: `request_parameters`
+
+`route_ids`
+: The route ID.
+
+: **Field**: `route_id`
+
+`route_keys`
+: The route key for the route.
+
+: **Field**: `route_key`
+
+`route_response_selection_expressions`
+: The route response selection expression for the route. Supported only for WebSocket APIs.
+
+: **Field**: `route_response_selection_expression`
+
+`targets`
+: The target for the route.
+
+: **Field**: `target`
+
+## Examples
+
+### Test to ensure an authorizer ID is available
+
+```ruby
+describe aws_api_gateway_v2_routes(api_id: 'APP_ID') do
+ its('authorizer_ids') { should include 'AUTHORIZER_ID' }
+end
+```
+
+### Test to verify the requirement of the API key
+
+```ruby
+describe aws_api_gateway_v2_routes(api_id: 'APP_ID') do
+ its('api_key_requireds') { should include true }
+end
+```
+
+### Test to verify the authorization type
+
+```ruby
+describe aws_api_gateway_v2_routes(api_id: 'APP_ID') do
+ its('authorization_types') { should include 'JWT' }
+end
+```
+
+### Test to verify the operation name
+
+```ruby
+describe aws_api_gateway_v2_routes(api_id: 'APP_ID') do
+ its('operation_names') { should include 'OPERATION_NAME' }
+end
+```
+
+## Matchers
+
+{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}}
+
+The control passes if the `get` method returns at least one result.
+
+### exist
+
+Use `should` to test that the entity exists.
+
+```ruby
+describe aws_api_gateway_v2_routes(api_id: 'APP_ID') do
+ it { should exist }
+end
+```
+
+### not exist
+
+Use `should_not` to test that the entity does not exist.
+
+```ruby
+describe aws_api_gateway_v2_routes(api_id: 'APP_ID') do
+ it { should_not exist }
+end
+```
+
+## AWS Permissions
+
+{{% inspec-aws/aws_permissions_principal action="APIGatewayv2:Client:GetRoutesResult" %}}
diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_api_gateway_vpc_link.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_api_gateway_vpc_link.md
new file mode 100644
index 0000000..96fba4e
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_api_gateway_vpc_link.md
@@ -0,0 +1,108 @@
++++
+title = "aws_api_gateway_vpc_link resource"
+
+draft = false
+
+
+[menu.aws]
+title = "aws_api_gateway_vpc_link"
+identifier = "inspec/resources/aws/aws_api_gateway_vpc_link resource"
+parent = "inspec/resources/aws"
++++
+
+Use the `aws_api_gateway_vpc_link` InSpec audit resource to test the properties of a single specific AWS API Gateway VPC link.
+
+For additional information, including parameters and properties, see the [AWS documentation on AWS APIGateway VPCLink](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-apigateway-vpclink.html).
+
+## Syntax
+
+Ensure that a VPC link exists.
+
+```ruby
+describe aws_api_gateway_vpc_link(vpc_link_id: 'VPC_LINK_ID') do
+ it { should exist }
+end
+```
+
+## Parameters
+
+`vpc_link_id` _(required)_
+
+: The identifier of the VPC link.
+
+## Properties
+
+`id`
+: The identifier of the VPC link used to integrate to reference this VPC link.
+
+`name`
+: The name used to label and identify the VPC link.
+
+`description`
+: The description of the VPC link.
+
+`target_arns`
+: The ARN of the network load balancer of the VPC targeted by the VPC link. The network load balancer must be owned by the same AWS account of the API owner.
+
+`status`
+: The status of the VPC link. The valid values are `AVAILABLE`, `PENDING`, `DELETING`, or `FAILED`. If the status is `PENDING`, the API deployment waits, and if the status is `DELETING`, the API deployment fails.
+
+`status_message`
+: A description about the VPC link status.
+
+`tags`
+: The collection of strings. Each tag element is associated with a given resource.
+
+## Examples
+
+### Test to ensure a VPC link ID is available
+
+```ruby
+describe aws_api_gateway_vpc_link(vpc_link_id: 'VPC_LINK_ID') do
+ its('id') { should eq 'VPC_LINK_ID' }
+end
+```
+
+### Test to ensure a VPC link name is available
+
+```ruby
+describe aws_api_gateway_vpc_link(vpc_link_id: 'VPC_LINK_ID') do
+ its('name') { should eq 'VPC_LINK_NAME' }
+end
+```
+
+### Test to verify the status as `AVAILABLE`
+
+```ruby
+describe aws_api_gateway_vpc_link(vpc_link_id: 'VPC_LINK_ID') do
+ its('status') { should eq 'AVAILABLE' }
+end
+```
+
+## Matchers
+
+{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}}
+
+The control passes if the `get` method returns at least one result.
+
+### exist
+
+Use `should` to test that the entity exists.
+
+```ruby
+describe aws_api_gateway_vpc_link(vpc_link_id: 'VPC_LINK_ID') do
+ it { should exist }
+end
+```
+
+Use `should_not` to test that the entity does not exist.
+
+```ruby
+describe aws_api_gateway_vpc_link(vpc_link_id: 'VPC_LINK_ID') do
+ it { should_not exist }
+end
+```
+
+## AWS Permissions
+
+{{% inspec-aws/aws_permissions_principal action="APIGateway:Client:VpcLink" %}}
diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_api_gateway_vpc_links.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_api_gateway_vpc_links.md
new file mode 100644
index 0000000..17802f1
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_api_gateway_vpc_links.md
@@ -0,0 +1,120 @@
++++
+title = "aws_api_gateway_vpc_links resource"
+
+draft = false
+
+
+[menu.aws]
+title = "aws_api_gateway_vpc_links"
+identifier = "inspec/resources/aws/aws_api_gateway_vpc_links resource"
+parent = "inspec/resources/aws"
++++
+
+Use the `aws_api_gateway_vpc_links` InSpec audit resource to test multiple AWS API Gateway VPC link properties.
+
+For additional information, including parameters and properties, see the [AWS documentation on AWS APIGateway VPCLink](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-apigateway-vpclink.html).
+
+## Syntax
+
+Ensure that a VPC link exists.
+
+```ruby
+describe aws_api_gateway_vpc_links do
+ it { should exist }
+end
+```
+
+## Parameters
+
+This resource does not require any parameters.
+
+## Properties
+
+`ids`
+: The identifier of the VPC link used to integrate to reference this VPC link.
+
+: **Field**: `id`
+
+`names`
+: The name used to label and identify the VPC link.
+
+: **Field**: `name`
+
+`descriptions`
+: The description of the VPC link.
+
+: **Field**: `description`
+
+`target_arns`
+: The ARN of the network load balancer of the VPC targeted by the VPC link. The network load balancer must be owned by the same AWS account of the API owner.
+
+: **Field**: `target_arns`
+
+`statuses`
+: The status of the VPC link. The valid values are `AVAILABLE`, `PENDING`, `DELETING`, or `FAILED`. If the status is `PENDING`, the API deployment waits, and if the status is `DELETING`, the API deployment fails.
+
+: **Field**: `status`
+
+`status_messages`
+: A description about the VPC link status.
+
+: **Field**: `status_message`
+
+`tags`
+: The collection of tags. Each tag element is associated with a given resource.
+
+: **Field**: `tags`
+
+## Examples
+
+### Test to ensure a VPC link ID is available
+
+```ruby
+describe aws_api_gateway_vpc_links do
+ its('ids') { should include 'VPC_LINK_ID' }
+end
+```
+
+### Test to ensure a VPC link name is available
+
+```ruby
+describe aws_api_gateway_vpc_links do
+ its('names') { should include 'VPC_LINK_NAME' }
+end
+```
+
+### Test to verify the status as `AVAILABLE`
+
+```ruby
+describe aws_api_gateway_vpc_links do
+ its('statuses') { should include 'AVAILABLE' }
+end
+```
+
+## Matchers
+
+{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}}
+
+The control passes if the `get` method returns at least one result.
+
+### exist
+
+Use `should` to test that the entity exists.
+
+```ruby
+describe aws_api_gateway_vpc_links do
+ it { should exist }
+end
+```
+
+Use `should_not` to test that the entity does not exist.
+
+```ruby
+describe aws_api_gateway_vpc_links do
+ it { should_not exist }
+end
+```
+
+## AWS Permissions
+
+{{% inspec-aws/aws_permissions_principal action="APIGateway:Client:VpcLinks" %}}
diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_apigateway_account.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_apigateway_account.md
new file mode 100644
index 0000000..913826c
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_apigateway_account.md
@@ -0,0 +1,104 @@
++++
+title = "aws_apigateway_account resource"
+
+draft = false
+
+
+[menu.aws]
+title = "aws_apigateway_account"
+identifier = "inspec/resources/aws/aws_apigateway_account resource"
+parent = "inspec/resources/aws"
++++
+
+Use the `aws_apigateway_account` InSpec audit resource to test properties of a single specific AWS API Gateway account.
+
+The `AWS::ApiGateway::Account` resource specifies the IAM role that Amazon API Gateway uses to write API logs to Amazon CloudWatch Logs.
+
+For additional information, including details on parameters and properties, see the [AWS documentation on AWS API Gateway accounts.](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-apigateway-account.html).
+
+## Syntax
+
+Ensure that the account exists.
+
+```ruby
+describe aws_apigateway_account do
+ it { should exist }
+end
+```
+
+## Parameters
+
+This resource does not require any parameters.
+
+## Properties
+
+`cloudwatch_role_arn`
+: The ARN of an Amazon CloudWatch role for the current account.
+
+`throttle_settings.burst_limit`
+: The API request burst limit, the maximum rate limit over a time ranging from one to a few seconds, depending upon whether the underlying token bucket is at its full capacity.
+
+`throttle_settings.rate_limit`
+: The API request steady-state rate limit.
+
+`features`
+: A list of features supported for the account. When usage plans are enabled, the features list will include an entry of "UsagePlans".
+
+`api_key_version`
+: The version of the API keys used for the account.
+
+## Examples
+
+Ensure a Cloudwatch role ARN is available:
+
+```ruby
+describe aws_apigateway_account do
+ its('cloudwatch_role_arn') { should eq 'CloudWatchRoleARN' }
+end
+```
+
+Ensure that the burst limit is `1`:
+
+```ruby
+describe aws_apigateway_account do
+ its('throttle_settings.burst_limit') { should eq '1' }
+end
+```
+
+## Matchers
+
+{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}}
+
+This resource has the following special matchers.
+
+### exist
+
+Use `should` to test that the entity exists.
+
+```ruby
+describe aws_apigateway_account do
+ it { should exist }
+end
+```
+
+Use `should_not` to test the entity does not exist.
+
+```ruby
+describe aws_apigateway_account do
+ it { should_not exist }
+end
+```
+
+### be_available
+
+Use `should` to check if the entity is available.
+
+```ruby
+describe aws_apigateway_account do
+ it { should be_available }
+end
+```
+
+## AWS Permissions
+
+{{% inspec-aws/aws_permissions_principal action="APIGateway:Client:Account" %}}
diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_apigateway_api_key.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_apigateway_api_key.md
new file mode 100644
index 0000000..d81cb93
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_apigateway_api_key.md
@@ -0,0 +1,121 @@
++++
+title = "aws_apigateway_api_key resource"
+
+draft = false
+
+
+[menu.aws]
+title = "aws_apigateway_api_key"
+identifier = "inspec/resources/aws/aws_apigateway_api_key resource"
+parent = "inspec/resources/aws"
++++
+
+Use the `aws_apigateway_api_key` InSpec audit resource to test properties of a single specific AWS APIGateway ApiKey.
+
+The AWS::ApiGateway::ApiKey resource creates a unique key that you can distribute to clients who are executing API Gateway Method resources that require an API key.
+
+For additional information, including details on parameters and properties, see the [AWS documentation on AWS APIGateway ApiKey.](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-apigateway-apikey.html).
+
+## Syntax
+
+Ensure that the api key exists.
+
+```ruby
+describe aws_apigateway_api_key(api_key: 'API_KEY_ID') do
+ it { should exist }
+end
+```
+
+## Parameters
+
+`api_key` _(required)_
+
+: The identifier of the API key resource.
+
+## Properties
+
+`id`
+: The identifier of the API Key.
+
+`value`
+: The value of the API Key.
+
+`name`
+: The name of the API Key.
+
+`customer_id`
+: An AWS Marketplace customer identifier , when integrating with the AWS SaaS Marketplace.
+
+`description`
+: The description of the API Key.
+
+`enabled`
+: Specifies whether the API Key can be used by callers.
+
+`created_date`
+: The timestamp when the API Key was created.
+
+`last_updated_date`
+: The timestamp when the API Key was last updated.
+
+`stage_keys`
+: A list of Stage resources that are associated with the API key resource.
+
+`tags`
+: The collection of tags. Each tag element is associated with a given resource.
+
+## Examples
+
+Ensure an ID is available:
+
+```ruby
+describe aws_apigateway_api_key(api_key: 'API_KEY_ID') do
+ its('id') { should eq 'ID' }
+end
+```
+
+Ensure that the name is available:
+
+```ruby
+describe aws_apigateway_api_key(api_key: 'API_KEY_ID') do
+ its('name') { should eq 'API_KEY_NAME' }
+end
+```
+
+## Matchers
+
+{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}}
+
+This resource has the following special matchers.
+
+### exist
+
+Use `should` to test that the entity exists.
+
+```ruby
+describe aws_apigateway_api_key(api_key: 'API_KEY_ID') do
+ it { should exist }
+end
+```
+
+Use `should_not` to test the entity does not exist.
+
+```ruby
+describe aws_apigateway_api_key(api_key: 'API_KEY_ID') do
+ it { should_not exist }
+end
+```
+
+### be_available
+
+Use `should` to check if the entity is available.
+
+```ruby
+describe aws_apigateway_api_key(api_key: 'API_KEY_ID') do
+ it { should be_available }
+end
+```
+
+## AWS Permissions
+
+{{% inspec-aws/aws_permissions_principal action="APIGateway:Client:ApiKey" %}}
diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_apigateway_api_keys.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_apigateway_api_keys.md
new file mode 100644
index 0000000..079ce10
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_apigateway_api_keys.md
@@ -0,0 +1,129 @@
++++
+title = "aws_apigateway_api_keys resource"
+
+draft = false
+
+
+[menu.aws]
+title = "aws_apigateway_api_keys"
+identifier = "inspec/resources/aws/aws_apigateway_api_keys resource"
+parent = "inspec/resources/aws"
++++
+
+Use the `aws_apigateway_api_keys` InSpec audit resource to test properties of multiple AWS API Gateway API keys.
+
+The `AWS::ApiGateway::ApiKey` resource creates a unique key that you can distribute to clients who are executing API Gateway Method resources that require an API key.
+
+For additional information, including details on parameters and properties, see the [AWS documentation on AWS API Gateway API Key.](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-apigateway-apikey.html).
+
+## Syntax
+
+Ensure that the API key exists.
+
+```ruby
+describe aws_apigateway_api_keys do
+ it { should exist }
+end
+```
+
+## Parameters
+
+This resource does not require any parameters.
+
+## Properties
+
+`ids`
+: The identifier of the API Key.
+
+: **Field**: `id`
+
+`values`
+: The value of the API Key.
+
+: **Field**: `value`
+
+`names`
+: The name of the API Key.
+
+: **Field**: `name`
+
+`customer_ids`
+: An AWS Marketplace customer identifier , when integrating with the AWS SaaS Marketplace.
+
+: **Field**: `customer_id`
+
+`descriptions`
+: The description of the API Key.
+
+: **Field**: `description`
+
+`enabled`
+: Specifies whether the API Key can be used by callers.
+
+: **Field**: `enabled`
+
+`created_dates`
+: The timestamp when the API Key was created.
+
+: **Field**: `created_date`
+
+`last_updated_dates`
+: The timestamp when the API Key was last updated.
+
+: **Field**: `last_updated_date`
+
+`stage_keys`
+: A list of Stage resources that are associated with the ApiKey resource.
+
+: **Field**: `stage_keys`
+
+`tags`
+: The collection of tags.
+
+: **Field**: `tags`
+
+## Examples
+
+Ensure a ID is available:
+
+```ruby
+describe aws_apigateway_api_keys do
+ its('ids') { should include 'API_ID' }
+end
+```
+
+Ensure that the name is available:
+
+```ruby
+describe aws_apigateway_api_keys do
+ its('names') { should include 'API_NAME' }
+end
+```
+
+## Matchers
+
+{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}}
+
+This resource has the following special matchers.
+
+### exist
+
+Use `should` to test that the entity exists.
+
+```ruby
+describe aws_apigateway_api_keys do
+ it { should exist }
+end
+```
+
+Use `should_not` to test the entity does not exist.
+
+```ruby
+describe aws_apigateway_api_keys do
+ it { should_not exist }
+end
+```
+
+## AWS Permissions
+
+{{% inspec-aws/aws_permissions_principal action="APIGateway:Client:ApiKeys" %}}
diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_apigateway_authorizer.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_apigateway_authorizer.md
new file mode 100644
index 0000000..6cb6f76
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_apigateway_authorizer.md
@@ -0,0 +1,125 @@
++++
+title = "aws_apigateway_authorizer resource"
+
+draft = false
+
+
+[menu.aws]
+title = "aws_apigateway_authorizer"
+identifier = "inspec/resources/aws/aws_apigateway_authorizer resource"
+parent = "inspec/resources/aws"
++++
+
+Use the `aws_apigateway_authorizer` InSpec audit resource to test properties of a single specific AWS API Gateway authorizer.
+
+The `AWS::ApiGateway::Authorizer` resource creates an authorization layer that API Gateway activates for methods that have authorization enabled. API Gateway activates the authorizer when a client calls those methods.
+
+For additional information, including details on parameters and properties, see the [AWS documentation on AWS APIGateway Authorizer.](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-apigateway-authorizer.html).
+
+## Syntax
+
+Ensure that the authorizer exists.
+
+```ruby
+describe aws_apigateway_authorizer(rest_api_id: 'REST_API_ID', authorizer_id: 'AUTHORIZER_ID') do
+ it { should exist }
+end
+```
+
+## Parameters
+
+`rest_api_id` _(required)_
+
+: The string identifier of the associated REST API.
+
+`authorizer_id` _(required)_
+
+: The identifier of the authorizer resource.
+
+## Properties
+
+`id`
+: The identifier for the authorizer resource.
+
+`name`
+: The name of the authorizer.
+
+`type`
+: The authorizer type.
+
+`provider_arns`
+: A list of the Amazon Cognito user pool ARNs for the COGNITO_USER_POOLS authorizer.
+
+`auth_type`
+: Optional customer-defined field, used in OpenAPI imports and exports without functional impact.
+
+`authorizer_uri`
+: Specifies the authorizer's Uniform Resource Identifier (URI).
+
+`authorizer_credentials`
+: Specifies the required credentials as an IAM role for API Gateway to invoke the authorizer.
+
+`identity_source`
+: The identity source for which authorization is requested.
+
+`identity_validation_expression`
+: A validation expression for the incoming identity token.
+
+`authorizer_result_ttl_in_seconds`
+: The TTL in seconds of cached authorizer results.
+
+## Examples
+
+Test that an ID is available:
+
+```ruby
+describe aws_apigateway_authorizer(rest_api_id: 'REST_API_ID', authorizer_id: 'AUTHORIZER_ID') do
+ its('id') { should eq 'AUTHORIZER_ID' }
+end
+```
+
+Test that a name is available:
+
+```ruby
+describe aws_apigateway_authorizer(rest_api_id: 'REST_API_ID', authorizer_id: 'AUTHORIZER_ID') do
+ its('name') { should eq 'AUTHORIZER_NAME' }
+end
+```
+
+## Matchers
+
+{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}}
+
+This resource has the following special matchers.
+
+### exist
+
+Use `should` to test that the entity exists.
+
+```ruby
+describe aws_apigateway_authorizer(rest_api_id: 'REST_API_ID', authorizer_id: 'AUTHORIZER_ID') do
+ it { should exist }
+end
+```
+
+Use `should_not` to test the entity does not exist.
+
+```ruby
+describe aws_apigateway_authorizer(rest_api_id: 'REST_API_ID', authorizer_id: 'AUTHORIZER_ID') do
+ it { should_not exist }
+end
+```
+
+### be_available
+
+Use `should` to check if the entity is available.
+
+```ruby
+describe aws_apigateway_authorizer(rest_api_id: 'REST_API_ID', authorizer_id: 'AUTHORIZER_ID') do
+ it { should be_available }
+end
+```
+
+## AWS Permissions
+
+{{% inspec-aws/aws_permissions_principal action="APIGateway:Client:Authorizer" %}}
diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_apigateway_authorizers.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_apigateway_authorizers.md
new file mode 100644
index 0000000..3a57cc2
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_apigateway_authorizers.md
@@ -0,0 +1,131 @@
++++
+title = "aws_apigateway_authorizers resource"
+
+draft = false
+
+
+[menu.aws]
+title = "aws_apigateway_authorizers"
+identifier = "inspec/resources/aws/aws_apigateway_authorizers resource"
+parent = "inspec/resources/aws"
++++
+
+Use the `aws_apigateway_authorizers` InSpec audit resource to test properties of multiple AWS API Gateway authorizers.
+
+The `AWS::ApiGateway::Authorizer` resource creates an authorization layer that API Gateway activates for methods that have authorization enabled. API Gateway activates the authorizer when a client calls those methods.
+
+For additional information, including details on parameters and properties, see the [AWS documentation on AWS APIGateway Authorizer.](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-apigateway-authorizer.html).
+
+## Syntax
+
+Ensure that the authorizer exists.
+
+```ruby
+describe aws_apigateway_authorizers(rest_api_id: 'REST_API_ID') do
+ it { should exist }
+end
+```
+
+## Parameters
+
+`rest_api_id` _(required)_
+
+: The ID of the REST API.
+
+## Properties
+
+`ids`
+: The identifier for the authorizer resource.
+
+: **Field**: `id`
+
+`names`
+: The name of the authorizer.
+
+: **Field**: `name`
+
+`types`
+: The authorizer type.
+
+: **Field**: `type`
+
+`provider_arns`
+: A list of the Amazon Cognito user pool ARNs for the COGNITO_USER_POOLS authorizer.
+
+: **Field**: `provider_arns`
+
+`auth_types`
+: Optional customer-defined field, used in OpenAPI imports and exports without functional impact.
+
+: **Field**: `auth_type`
+
+`authorizer_uris`
+: Specifies the authorizer's Uniform Resource Identifier (URI).
+
+: **Field**: `authorizer_uri`
+
+`authorizer_credentials`
+: Specifies the required credentials as an IAM role for API Gateway to invoke the authorizer.
+
+: **Field**: `authorizer_credentials`
+
+`identity_sources`
+: The identity source for which authorization is requested.
+
+: **Field**: `identity_source`
+
+`identity_validation_expressions`
+: A validation expression for the incoming identity token.
+
+: **Field**: `identity_validation_expression`
+
+`authorizer_result_ttl_in_seconds`
+: The TTL in seconds of cached authorizer results.
+
+: **Field**: `authorizer_result_ttl_in_seconds`
+
+## Examples
+
+Test that an ID is available:
+
+```ruby
+describe aws_apigateway_authorizers(rest_api_id: 'REST_API_ID') do
+ its('ids') { should include 'AUTHORIZER_ID' }
+end
+```
+
+Test that a name is available:
+
+```ruby
+describe aws_apigateway_authorizers(rest_api_id: 'REST_API_ID') do
+ its('names') { should include 'AUTHORIZER_NAME' }
+end
+```
+
+## Matchers
+
+{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}}
+
+This resource has the following special matchers.
+
+### exist
+
+Use `should` to test that the entity exists.
+
+```ruby
+describe aws_apigateway_authorizers(rest_api_id: 'REST_API_ID') do
+ it { should exist }
+end
+```
+
+Use `should_not` to test the entity does not exist.
+
+```ruby
+describe aws_apigateway_authorizers(rest_api_id: 'REST_API_ID') do
+ it { should_not exist }
+end
+```
+
+## AWS Permissions
+
+{{% inspec-aws/aws_permissions_principal action="APIGateway:Client:Authorizers" %}}
diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_apigateway_base_path_mapping.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_apigateway_base_path_mapping.md
new file mode 100644
index 0000000..519c8d2
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_apigateway_base_path_mapping.md
@@ -0,0 +1,104 @@
++++
+title = "aws_apigateway_base_path_mapping resource"
+
+draft = false
+
+
+[menu.aws]
+title = "aws_apigateway_base_path_mapping"
+identifier = "inspec/resources/aws/aws_apigateway_base_path_mapping resource"
+parent = "inspec/resources/aws"
++++
+
+Use the `aws_apigateway_base_path_mapping` Chef InSpec audit resource to test properties of a single specific AWS API Gateway base path mapping.
+
+The `AWS::ApiGateway::BasePathMapping` resource creates a base path that clients who call your API must use in the invocation URL.
+
+For additional information, including details on parameters and properties, see the [AWS documentation on AWS APIGateway BasePathMapping.](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-apigateway-basepathmapping.html).
+
+## Syntax
+
+Test that the base path mapping exists.
+
+```ruby
+describe aws_apigateway_base_path_mapping(domain_name: 'DOMAIN_NAME', base_path: 'BASE_PATH') do
+ it { should exist }
+end
+```
+
+## Parameters
+
+`domain_name` _(required)_
+
+: The domain name of the base path mapping resource to be described.
+
+`base_path` _(required)_
+
+: The base path name that callers of the API must provide as part of the URL after the domain name.
+
+## Properties
+
+`base_path`
+: The base path name that callers of the API must provide as part of the URL after the domain name.
+
+`rest_api_id`
+: The string identifier of the associated RestApi.
+
+`stage`
+: The name of the associated stage.
+
+## Examples
+
+Test that a base path is available:
+
+```ruby
+describe aws_apigateway_base_path_mapping(domain_name: 'DOMAIN_NAME', base_path: 'BASE_PATH') do
+ its('base_path') { should eq 'BASE_PATH')' }
+end
+```
+
+Test that a stage name is available:
+
+```ruby
+describe aws_apigateway_base_path_mapping(domain_name: 'DOMAIN_NAME', base_path: 'BASE_PATH') do
+ its('stage') { should eq 'StageName' }
+end
+```
+
+## Matchers
+
+{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}}
+
+This resource has the following special matchers.
+
+### exist
+
+Use `should` to test that the entity exists.
+
+```ruby
+describe aws_apigateway_base_path_mapping(domain_name: 'DOMAIN_NAME', base_path: 'BASE_PATH') do
+ it { should exist }
+end
+```
+
+Use `should_not` to test the entity does not exist.
+
+```ruby
+describe aws_apigateway_base_path_mapping(domain_name: 'DOMAIN_NAME', base_path: 'BASE_PATH') do
+ it { should_not exist }
+end
+```
+
+### be_available
+
+Use `should` to check if the entity is available.
+
+```ruby
+describe aws_apigateway_base_path_mapping(domain_name: 'DOMAIN_NAME', base_path: 'BASE_PATH') do
+ it { should be_available }
+end
+```
+
+## AWS Permissions
+
+{{% inspec-aws/aws_permissions_principal action="APIGateway:Client:BasePathMapping" %}}
diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_apigateway_base_path_mappings.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_apigateway_base_path_mappings.md
new file mode 100644
index 0000000..40e91bd
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_apigateway_base_path_mappings.md
@@ -0,0 +1,96 @@
++++
+title = "aws_apigateway_base_path_mappings resource"
+
+draft = false
+
+
+[menu.aws]
+title = "aws_apigateway_base_path_mappings"
+identifier = "inspec/resources/aws/aws_apigateway_base_path_mappings resource"
+parent = "inspec/resources/aws"
++++
+
+Use the `aws_apigateway_base_path_mappings` InSpec audit resource to test properties of multiple AWS API Gateway base path mappings.
+
+The `AWS::ApiGateway::BasePathMapping` resource creates a base path that clients who call your API must use in the invocation URL.
+
+For additional information, including details on parameters and properties, see the [AWS documentation on AWS APIGateway BasePathMapping.](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-apigateway-basepathmapping.html).
+
+## Syntax
+
+Ensure that the base path mappings exists.
+
+```ruby
+describe aws_apigateway_base_path_mappings(domain_name: 'DOMAIN_NAME') do
+ it { should exist }
+end
+```
+
+## Parameters
+
+`domain_name` _(required)_
+
+: The domain name of the BasePathMapping resource to be described.
+
+## Properties
+
+`base_paths`
+: The base path name that callers of the API must provide as part of the URL after the domain name.
+
+: **Field**: `base_path`
+
+`rest_api_ids`
+: The string identifier of the associated RestApi.
+
+: **Field**: `rest_api_id`
+
+`stages`
+: The name of the associated stage.
+
+: **Field**: `stage`
+
+## Examples
+
+Ensure a base path is available:
+
+```ruby
+describe aws_apigateway_base_path_mappings(domain_name: 'DOMAIN_NAME') do
+ its('base_paths') { should include 'BASE_PATH')' }
+end
+```
+
+Ensure that stage name is available:
+
+```ruby
+describe aws_apigateway_base_path_mappings(domain_name: 'DOMAIN_NAME') do
+ its('stages') { should include 'STAGE_NAME' }
+end
+```
+
+## Matchers
+
+{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}}
+
+This resource has the following special matchers.
+
+### exist
+
+Use `should` to test that the entity exists.
+
+```ruby
+describe aws_apigateway_base_path_mappings(domain_name: 'DOMAIN_NAME') do
+ it { should exist }
+end
+```
+
+Use `should_not` to test the entity does not exist.
+
+```ruby
+describe aws_apigateway_base_path_mappings(domain_name: 'DOMAIN_NAME') do
+ it { should_not exist }
+end
+```
+
+## AWS Permissions
+
+{{% inspec-aws/aws_permissions_principal action="APIGateway:Client:BasePathMappings" %}}
diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_apigateway_client_certificate.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_apigateway_client_certificate.md
new file mode 100644
index 0000000..bd721bc
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_apigateway_client_certificate.md
@@ -0,0 +1,109 @@
++++
+title = "aws_apigateway_client_certificate resource"
+
+draft = false
+
+
+[menu.aws]
+title = "aws_apigateway_client_certificate"
+identifier = "inspec/resources/aws/aws_apigateway_client_certificate resource"
+parent = "inspec/resources/aws"
++++
+
+Use the `aws_apigateway_client_certificate` InSpec audit resource to test properties of a single specific AWS API Gateway client certificate.
+
+The `AWS::ApiGateway::ClientCertificate` resource creates a client certificate that API Gateway uses to configure client-side SSL authentication for sending requests to the integration endpoint.
+
+For additional information, including details on parameters and properties, see the [AWS documentation on AWS APIGateway ClientCertificate.](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-apigateway-clientcertificate.html).
+
+## Syntax
+
+Ensure that the client certificate exists.
+
+```ruby
+describe aws_apigateway_client_certificate(client_certificate_id: 'CLIENT_CERTIFICATE_ID') do
+ it { should exist }
+end
+```
+
+## Parameters
+
+`client_certificate_id` _(required)_
+
+: The identifier of the client certificate.
+
+## Properties
+
+`client_certificate_id`
+: The identifier of the client certificate.
+
+`description`
+: The description of the client certificate.
+
+`pem_encoded_certificate`
+: The PEM-encoded public key of the client certificate, which can be used to configure certificate authentication in the integration endpoint .
+
+`created_date`
+: The timestamp when the client certificate was created.
+
+`expiration_date`
+: The timestamp when the client certificate will expire.
+
+`tags`
+: The collection of tags. Each tag element is associated with a given resource.
+
+## Examples
+
+Ensure a client certificate id is available:
+
+```ruby
+describe aws_apigateway_client_certificate(client_certificate_id: 'CLIENT_CERTIFICATE_ID') do
+ its('client_certificate_id') { should eq 'CLIENT_CERTIFICATE_ID' }
+end
+```
+
+Ensure a pem encoded certificate is available:
+
+```ruby
+describe aws_apigateway_client_certificate(client_certificate_id: 'CLIENT_CERTIFICATE_ID') do
+ its('pem_encoded_certificate') { should eq 'PEM_ENCODED_CERTIFICATE' }
+end
+```
+
+## Matchers
+
+{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}}
+
+This resource has the following special matchers.
+
+### exist
+
+Use `should` to test that the entity exists.
+
+```ruby
+describe aws_apigateway_client_certificate(client_certificate_id: 'CLIENT_CERTIFICATE_ID') do
+ it { should exist }
+end
+```
+
+Use `should_not` to test the entity does not exist.
+
+```ruby
+describe aws_apigateway_client_certificate(client_certificate_id: 'CLIENT_CERTIFICATE_ID') do
+ it { should_not exist }
+end
+```
+
+### be_available
+
+Use `should` to check if the entity is available.
+
+```ruby
+describe aws_apigateway_client_certificate(client_certificate_id: 'CLIENT_CERTIFICATE_ID') do
+ it { should be_available }
+end
+```
+
+## AWS Permissions
+
+{{% inspec-aws/aws_permissions_principal action="APIGateway:Client:ClientCertificate" %}}
diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_apigateway_client_certificates.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_apigateway_client_certificates.md
new file mode 100644
index 0000000..13e22d6
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_apigateway_client_certificates.md
@@ -0,0 +1,109 @@
++++
+title = "aws_apigateway_client_certificates resource"
+
+draft = false
+
+
+[menu.aws]
+title = "aws_apigateway_client_certificates"
+identifier = "inspec/resources/aws/aws_apigateway_client_certificates resource"
+parent = "inspec/resources/aws"
++++
+
+Use the `aws_apigateway_client_certificates` InSpec audit resource to test properties of multiple AWS API Gateway client certificates.
+
+The `AWS::ApiGateway::ClientCertificate` resource creates a client certificate that API Gateway uses to configure client-side SSL authentication for sending requests to the integration endpoint.
+
+For additional information, including details on parameters and properties, see the [AWS documentation on AWS API Gateway client certificate.](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-apigateway-clientcertificate.html).
+
+## Syntax
+
+Ensure that the client certificate exists.
+
+```ruby
+describe aws_apigateway_client_certificates do
+ it { should exist }
+end
+```
+
+## Parameters
+
+This resource does not require any parameters.
+
+## Properties
+
+`client_certificate_ids`
+: The identifier of the client certificate.
+
+: **Field**: `client_certificate_id`
+
+`descriptions`
+: The description of the client certificate.
+
+: **Field**: `description`
+
+`pem_encoded_certificates`
+: The PEM-encoded public key of the client certificate, which can be used to configure certificate authentication in the integration endpoint .
+
+: **Field**: `pem_encoded_certificate`
+
+`created_dates`
+: The timestamp when the client certificate was created.
+
+: **Field**: `created_date`
+
+`expiration_dates`
+: The timestamp when the client certificate will expire.
+
+: **Field**: `expiration_date`
+
+`tags`
+: The collection of tags. Each tag element is associated with a given resource.
+
+: **Field**: `tags`
+
+## Examples
+
+Ensure a client certificate ID is available:
+
+```ruby
+describe aws_apigateway_client_certificates do
+ its('client_certificate_ids') { should include 'CLIENT_CERTIFICATE_ID' }
+end
+```
+
+Ensure a PEM encoded certificate is available:
+
+```ruby
+describe aws_apigateway_client_certificates do
+ its('pem_encoded_certificates') { should include 'PEM_ENCODED_CERTIFICATE' }
+end
+```
+
+## Matchers
+
+{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}}
+
+This resource has the following special matchers.
+
+### exist
+
+Use `should` to test that the entity exists.
+
+```ruby
+describe aws_apigateway_client_certificates do
+ it { should exist }
+end
+```
+
+Use `should_not` to test the entity does not exist.
+
+```ruby
+describe aws_apigateway_client_certificates do
+ it { should_not exist }
+end
+```
+
+## AWS Permissions
+
+{{% inspec-aws/aws_permissions_principal action="APIGateway:Client:ClientCertificates" %}}
diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_application_autoscaling_scalable_target.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_application_autoscaling_scalable_target.md
new file mode 100644
index 0000000..3b8d472
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_application_autoscaling_scalable_target.md
@@ -0,0 +1,109 @@
++++
+title = "aws_application_autoscaling_scalable_target resource"
+
+draft = false
+
+
+[menu.aws]
+title = "aws_application_autoscaling_scalable_target"
+identifier = "inspec/resources/aws/aws_application_autoscaling_scalable_target resource"
+parent = "inspec/resources/aws"
++++
+
+Use the `aws_application_autoscaling_scalable_target` InSpec audit resource to test properties of a resource that Application Auto Scaling can scale.
+
+For additional information, including details on parameters and properties, see the [AWS ApplicationAutoScaling ScalableTarget documentation](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-applicationautoscaling-scalabletarget.html).
+
+## Syntax
+
+```ruby
+describe aws_application_autoscaling_scalable_target( service_namespace: 'SERVICE_NAMESPACE' ) do
+ it { should exist }
+end
+```
+
+## Parameters
+
+`service_namespace` _(required)_
+
+: The namespace of the AWS service that provides the resource.
+
+## Properties
+
+`service_namespace`
+: The namespace of the AWS service that provides the resource.
+
+`resource_id`
+: The identifier of the resource associated with the scalable target.
+
+`scalable_dimension`
+: The scalable dimension associated with the scalable target.
+
+`min_capacity`
+: The minimum value to scale to in response to a scale-in activity.
+
+`max_capacity`
+: The maximum value to scale to in response to a scale-out activity.
+
+`role_arn`
+: The ARN of an IAM role that allows Application Auto Scaling to modify the scalable target on your behalf.
+
+`creation_time`
+: The Unix timestamp for when the scalable target was created.
+
+`suspended_state (dynamic_scaling_in_suspended)`
+: Whether scale in by a target tracking scaling policy or a step scaling policy is suspended. Set the value to `true` if you don't want Application Auto Scaling to remove capacity when a scaling policy is triggered. The default is `false`.
+
+`suspended_state (dynamic_scaling_out_suspended)`
+: Whether scale out by a target tracking scaling policy or a step scaling policy is suspended. Set the value to `true` if you don't want Application Auto Scaling to add capacity when a scaling policy is triggered. The default is `false`.
+
+`suspended_state (scheduled_scaling_suspended)`
+: Whether scheduled scaling is suspended. Set the value to `true` if you don't want Application Auto Scaling to add or remove capacity by initiating scheduled actions. The default is `false`.
+
+## Examples
+
+Ensure a service namespace is available:
+
+```ruby
+describe aws_application_autoscaling_scalable_target( service_namespace: 'SERVICE_NAMESPACE' ) do
+ its('service_namespace') { should eq 'ec2' }
+end
+```
+
+Verify the min scale capacity:
+
+```ruby
+describe aws_application_autoscaling_scalable_target( service_namespace: 'SERVICE_NAMESPACE' ) do
+ its('min_capacity') { should eq 1 }
+end
+```
+
+## Matchers
+
+{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}}
+
+The controls will pass if the `describe` method returns at least one result.
+
+### exist
+
+Use `should` to test that the entity exists.
+
+```ruby
+describe aws_application_autoscaling_scalable_target( service_namespace: 'SERVICE_NAMESPACE' ) do
+ it { should exist }
+end
+```
+
+### be_available
+
+Use `should` to check if the work_group name is available.
+
+```ruby
+describe aws_application_autoscaling_scalable_target( service_namespace: 'SERVICE_NAMESPACE' ) do
+ it { should be_available }
+end
+```
+
+## AWS Permissions
+
+{{% inspec-aws/aws_permissions_principal action="ApplicationAutoScaling:Client:DescribeScalableTargetsResponse" %}}
diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_application_autoscaling_scalable_targets.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_application_autoscaling_scalable_targets.md
new file mode 100644
index 0000000..1b9cb3d
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_application_autoscaling_scalable_targets.md 
@@ -0,0 +1,103 @@
++++
+title = "aws_application_autoscaling_scalable_targets resource"
+
+draft = false
+
+
+[menu.aws]
+title = "aws_application_autoscaling_scalable_targets"
+identifier = "inspec/resources/aws/aws_application_autoscaling_scalable_targets resource"
+parent = "inspec/resources/aws"
++++
+
+Use the `aws_application_autoscaling_scalable_targets` InSpec audit resource to test properties of multiple resourcese that Application Auto Scaling can scale.
+
+For additional information, including details on parameters and properties, see the [AWS ApplicationAutoScaling ScalableTarget documentation](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-applicationautoscaling-scalabletarget.html).
+
+## Syntax
+
+```ruby
+describe aws_application_autoscaling_scalable_targets( service_namespace: 'SERVICE_NAMESPACE' ) do
+ it { should exist }
+end
+```
+
+## Parameters
+
+`service_namespace` _(required)_
+
+: The namespace of the AWS service that provides the resource.
+
+## Properties
+
+`service_namespaces`
+: The namespace of the AWS service that provides the resource.
+
+`resource_ids`
+: The identifier of the resource associated with the scalable target.
+
+`scalable_dimensions`
+: The scalable dimension associated with the scalable target.
+
+`min_capacities`
+: The minimum value to scale to in response to a scale-in activity.
+
+`max_capacities`
+: The maximum value to scale to in response to a scale-out activity.
+
+`role_arns`
+: The ARN of an IAM role that allows Application Auto Scaling to modify the scalable target on your behalf.
+
+`creation_times`
+: The Unix timestamp for when the scalable target was created.
+
+`suspended_states`
+: The suspended state of the scalable target.
+
+## Examples
+
+Ensure a service namespace is available:
+
+```ruby
+describe aws_application_autoscaling_scalable_targets( service_namespace: 'SERVICE_NAMESPACE' ) do
+ its('service_namespace') { should include 'ec2' }
+end
+```
+
+Verify the minimum scale capacity:
+
+```ruby
+describe aws_application_autoscaling_scalable_targets( service_namespace: 'SERVICE_NAMESPACE' ) do
+ its('min_capacity') { should include 1 }
+end
+```
+
+## Matchers
+
+{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}}
+
+The controls will pass if the `describe` method returns at least one result.
+
+### exist
+
+Use `should` to test that the entity exists.
+
+```ruby
+describe aws_application_autoscaling_scalable_targets( service_namespace: 'SERVICE_NAMESPACE' ) do
+ it { should exist }
+end
+```
+
+### be_available
+
+Use `should` to check if the work_group name is available.
+
+```ruby
+describe aws_application_autoscaling_scalable_targets( service_namespace: 'SERVICE_NAMESPACE' ) do
+ it { should be_available }
+end
+```
+
+## AWS Permissions
+
+{{% inspec-aws/aws_permissions_principal action="ApplicationAutoScaling:Client:DescribeScalableTargetsResponse" %}}
diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_application_autoscaling_scaling_policies.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_application_autoscaling_scaling_policies.md
new file mode 100644
index 0000000..e3f5e6e
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_application_autoscaling_scaling_policies.md
@@ -0,0 +1,111 @@
++++
+title = "aws_application_autoscaling_scaling_policies resource"
+
+draft = false
+
+
+[menu.aws]
+title = "aws_application_autoscaling_scaling_policies"
+identifier = "inspec/resources/aws/aws_application_autoscaling_scaling_policies resource"
+parent = "inspec/resources/aws"
++++
+
+Use the `aws_application_autoscaling_scaling_policies` InSpec audit resource to test properties of multiple AWS Application Auto Scaling scaling policies.
+
+For additional information, including details on parameters and properties, see the [AWS ApplicationAutoScaling ScalingPolicy documentation](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-applicationautoscaling-scalingpolicy.html).
+
+## Syntax
+
+Ensure a scaling policy exists.
+
+```ruby
+describe aws_application_autoscaling_scaling_policies( service_namespace: 'SERVICE_NAMESPACE' ) do
+ it { should exist }
+end
+```
+
+## Parameters
+
+`service_namespace` _(required)_
+
+: The namespace of the AWS service that provides the resource, or a custom-resource.
+
+## Properties
+
+`policy_arns`
+: The Amazon Resource Name (ARN) of the scaling policy.
+
+`policy_names`
+: The name of the scaling policy.
+
+`service_namespaces`
+: The namespace of the AWS service that provides the resource, or a custom-resource.
+
+`resource_ids`
+: The identifier of the resource associated with the scaling policy. This string consists of the resource type and unique identifier.
+
+`scalable_dimensions`
+: The scalable dimension. This string consists of the service namespace, resource type, and scaling property.
+
+`policy_types`
+: The scaling policy type.
+
+`step_scaling_policy_configurations`
+: A step scaling policy.
+
+`target_tracking_scaling_policy_configurations`
+: A target tracking scaling policy.
+
+`alarms`
+: The CloudWatch alarms associated with the scaling policy.
+
+`creation_times`
+: The Unix timestamp for when the scaling policy was created.
+
+## Examples
+
+Ensure a policy name is available:
+
+```ruby
+describe aws_application_autoscaling_scaling_policies( service_namespace: 'SERVICE_NAMESPACE' ) do
+ its('policy_names') { should include 'POLICY_NAME' }
+end
+```
+
+Ensure a policy type is available:
+
+```ruby
+describe aws_application_autoscaling_scaling_policies( service_namespace: 'SERVICE_NAMESPACE' ) do
+ its('policy_types') { should include "POLICY_TYPE" }
+end
+```
+
+## Matchers
+
+{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}}
+
+The controls will pass if the `describe` method returns at least one result.
+
+### exist
+
+Use `should` to test that the entity exists.
+
+```ruby
+describe aws_application_autoscaling_scaling_policies( service_namespace: 'SERVICE_NAMESPACE' ) do
+ it { should exist }
+end
+```
+
+### be_available
+
+Use `should` to check if the scalable policy is available.
+
+```ruby
+describe aws_application_autoscaling_scaling_policies( service_namespace: 'SERVICE_NAMESPACE' ) do
+ it { should be_available }
+end
+```
+
+## AWS Permissions
+
+{{% inspec-aws/aws_permissions_principal action="ApplicationAutoScaling:Client:DescribeScalingPoliciesResponse" %}}
diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_application_autoscaling_scaling_policy.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_application_autoscaling_scaling_policy.md
new file mode 100644
index 0000000..bda97dc
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_application_autoscaling_scaling_policy.md
@@ -0,0 +1,168 @@
++++
+title = "aws_application_autoscaling_scaling_policy resource"
+
+draft = false
+
+
+[menu.aws]
+title = "aws_application_autoscaling_scaling_policy"
+identifier = "inspec/resources/aws/aws_application_autoscaling_scaling_policy resource"
+parent = "inspec/resources/aws"
++++
+
+Use the `aws_application_autoscaling_scaling_policy` InSpec audit resource to test properties of a single AWS Application Auto Scaling scaling policy.
+
+For additional information, including details on parameters and properties, see the [AWS ApplicationAutoScaling ScalingPolicy documentation](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-applicationautoscaling-scalingpolicy.html).
+
+## Syntax
+
+Ensure a scaling policy exists.
+
+```ruby
+describe aws_application_autoscaling_scaling_policy( service_namespace: 'SERVICE_NAMESPACE' ) do
+ it { should exist }
+end
+```
+
+## Parameters
+
+`service_namespace` _(required)_
+
+: The namespace of the AWS service that provides the resource, or a custom-resource.
+
+## Properties
+
+`policy_arn`
+: The Amazon Resource Name (ARN) of the scaling policy.
+
+`policy_name`
+: The name of the scaling policy.
+
+`service_namespace`
+: The namespace of the AWS service that provides the resource, or a custom-resource.
+
+`resource_id`
+: The identifier of the resource associated with the scaling policy. This string consists of the resource type and unique identifier.
+
+`scalable_dimension`
+: The scalable dimension. This string consists of the service namespace, resource type, and scaling property.
+
+`policy_type`
+: The Application Auto Scaling policy type.
+
+`step_scaling_policy_configuration (adjustment_type)`
+: Specifies how the `ScalingAdjustment` value in a `StepAdjustment` is interpreted (for example, an absolute number or a percentage). The valid values are `ChangeInCapacity` , `ExactCapacity` , and `PercentChangeInCapacity`.
+
+`step_scaling_policy_configuration (step_adjustments)`
+: A set of adjustments that enable you to scale based on the size of the alarm breach.
+
+`step_scaling_policy_configuration (step_adjustments (metric_interval_lower_bound))`
+: The lower bound for the difference between the alarm threshold and the CloudWatch metric.
+
+`step_scaling_policy_configuration (step_adjustments (metric_interval_upper_bound))`
+: The upper bound for the difference between the alarm threshold and the CloudWatch metric.
+
+`step_scaling_policy_configuration (step_adjustments (scaling_adjustment))`
+: The amount by which to scale, based on the specified adjustment type.
+
+`step_scaling_policy_configuration (min_adjustment_magnitude)`
+: The minimum value to scale by when the adjustment type is `PercentChangeInCapacity`.
+
+`step_scaling_policy_configuration (cooldown)`
+: The amount of time, in seconds, to wait for a previous scaling activity to take effect.
+
+`step_scaling_policy_configuration (metric_aggregation_type)`
+: The aggregation type for the CloudWatch metrics. Valid values are `Minimum`, `Maximum`, and `Average`.
+
+`target_tracking_scaling_policy_configuration (target_value)`
+: The target value for the metric.
+
+`target_tracking_scaling_policy_configuration (predefined_metric_specification (predefined_metric_type))`
+: The metric type. The `ALBRequestCountPerTarget` metric type applies only to Spot Fleet requests and ECS services.
+
+`target_tracking_scaling_policy_configuration (predefined_metric_specification (resource_label))`
+: Identifies the resource associated with the metric type. You can't specify a resource label unless the metric type is `ALBRequestCountPerTarget` and there is a target group attached to the Spot Fleet request or ECS service.
+
+`target_tracking_scaling_policy_configuration (customized_metric_specification (metric_name))`
+: The name of the metric.
+
+`target_tracking_scaling_policy_configuration (customized_metric_specification (namespace))`
+: The namespace of the metric.
+
+`target_tracking_scaling_policy_configuration (customized_metric_specification (dimensions (name)))`
+: The name of the dimension.
+
+`target_tracking_scaling_policy_configuration (customized_metric_specification (dimensions (value)))`
+: The value of the dimension.
+
+`target_tracking_scaling_policy_configuration (customized_metric_specification (statistic))`
+: The statistic of the metric.
+
+`target_tracking_scaling_policy_configuration (customized_metric_specification (unit))`
+: The unit of the metric.
+
+`target_tracking_scaling_policy_configuration (scale_out_cooldown)`
+: The amount of time, in seconds, to wait for a previous scale-out activity to take effect.
+
+`target_tracking_scaling_policy_configuration (scale_in_cooldown)`
+: The amount of time, in seconds, after a scale-in activity completes before another scale-in activity can start.
+
+`target_tracking_scaling_policy_configuration (disable_scale_in)`
+: Indicates whether scale in by the target tracking scaling policy is disabled.
+
+`alarms (alarm_name)`
+: The name of the alarm.
+
+`alarms (alarm_arn)`
+: The Amazon Resource Name (ARN) of the alarm.
+
+`creation_time`
+: The Unix timestamp for when the scaling policy was created.
+
+## Examples
+
+Ensure a policy name is available:
+
+```ruby
+describe aws_application_autoscaling_scaling_policy( service_namespace: 'SERVICE_NAMESPACE' ) do
+ its('policy_name') { should eq 'POLICY_NAME' }
+end
+```
+
+Ensure a policy type is available:
+
+```ruby
+describe aws_application_autoscaling_scaling_policy( service_namespace: 'SERVICE_NAMESPACE' ) do
+ its('policy_type') { should eq "POLICY_TYPE" }
+end
+```
+
+## Matchers
+
+{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}}
+
+The controls will pass if the `describe` method returns at least one result.
+
+### exist
+
+Use `should` to test that the entity exists.
+
+```ruby
+describe aws_application_autoscaling_scaling_policy( service_namespace: 'SERVICE_NAMESPACE' ) do
+ it { should exist }
+end
+```
+
+### be_available
+
+Use `should` to check if the scalable policy is available.
+
+```ruby
+describe aws_application_autoscaling_scaling_policy( service_namespace: 'SERVICE_NAMESPACE' ) do
+ it { should be_available }
+end
+```
+
+## AWS Permissions
+
+{{% inspec-aws/aws_permissions_principal action="ApplicationAutoScaling:Client:DescribeScalingPoliciesResponse" %}}
diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_athena_work_group.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_athena_work_group.md
new file mode 100644
index 0000000..45d2495
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_athena_work_group.md
@@ -0,0 +1,121 @@
++++
+title = "aws_athena_work_group resource"
+
+draft = false
+
+
+[menu.aws]
+title = "aws_athena_work_group"
+identifier = "inspec/resources/aws/aws_athena_work_group resource"
+parent = "inspec/resources/aws"
++++
+
+Use the `aws_athena_work_group` InSpec audit resource to test properties of a single specific Amazon Athena workgroup.
+
+For additional information, including details on parameters and properties, see the [AWS Athena workgroup documentation](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-athena-workgroup.html).
+
+## Syntax
+
+```ruby
+describe aws_athena_work_group(work_group: 'WORK_GROUP') do
+ it { should exist }
+end
+```
+
+## Parameters
+
+`work_group` _(required)_
+
+## Properties
+
+`name`
+: The workgroup name.
+
+`state`
+: The state of the workgroup. Valid values are: `ENABLED` or `DISABLED`.
+
+`description`
+: The workgroup description.
+
+`creation_time`
+: The workgroup creation time. Format: YYYY-MM-DD HH:MM:SS ZZZZ.
+
+`tags`
+: An array of key-value pairs to apply to this resource.
+
+`configuration (result_configuration)`
+: The location and encryption of query results of the workgroup.
+
+`configuration (enforce_work_group_configuration)`
+: Whether workgroup settings override client-side settings.
+
+`configuration (publish_cloud_watch_metrics_enabled)`
+: Whether Amazon CloudWatch metrics are enabled in the workgroup.
+
+`configuration (bytes_scanned_cutoff_per_query)`
+: The limit in bytes that a query is allowed to scan in the workgroup.
+
+`configuration (requester_pays_enabled)`
+: Whether the workgroup can reference Requester Pays buckets.
+
+`configuration (engine_version (selected_engine_version))`
+: The user-selected engine version.
+
+`configuration (engine_version (effective_engine_version))`
+: The engine version on which a query runs.
+
+## Examples
+
+Ensure a workgroup name is available:
+
+```ruby
+describe aws_athena_work_group(work_group: 'WORK_GROUP') do
+ its('name') { should eq 'WORK_GROUP_NAME' }
+end
+```
+
+Ensure that the state is `ENABLED` or `DISABLED`:
+
+```ruby
+describe aws_athena_work_group(work_group: 'WORK_GROUP') do
+ its('state') { should eq 'ENABLED' }
+end
+```
+
+## Matchers
+
+{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}}
+
+The controls will pass if the `describe` method returns at least one result.
+
+### exist
+
+Use `should` to test that the entity exists.
+
+```ruby
+describe aws_athena_work_group(work_group: 'WORK_GROUP') do
+ it { should exist }
+end
+```
+
+Use `should_not` to test the entity does not exist.
+
+```ruby
+describe aws_athena_work_group(work_group: 'WORK_GROUP') do
+ it { should_not exist }
+end
+```
+
+### be_available
+
+Use `should` to check if the work_group name is available.
+
+```ruby
+describe aws_athena_work_group(work_group: 'WORK_GROUP') do
+ it { should be_available }
+end
+```
+
+## AWS Permissions
+
+{{% inspec-aws/aws_permissions_principal action="Athena:Client:GetWorkGroupOutput" %}}
diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_athena_work_groups.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_athena_work_groups.md
new file mode 100644
index 0000000..028f81d
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_athena_work_groups.md
@@ -0,0 +1,97 @@
++++
+title = "aws_athena_work_groups resource"
+
+draft = false
+
+
+[menu.aws]
+title = "aws_athena_work_groups"
+identifier = "inspec/resources/aws/aws_athena_work_groups resource"
+parent = "inspec/resources/aws"
++++
+
+Use the `aws_athena_work_groups` InSpec audit resource to test properties of multiple Amazon Athena workgroups.
+
+For additional information, including details on parameters and properties, see the [AWS Athena workgroup documentation](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-athena-workgroup.html).
+
+## Syntax
+
+```ruby
+describe aws_athena_work_groups do
+ it { should exist }
+end
+```
+
+## Parameters
+
+This resource does not require any parameters.
+
+## Properties
+
+`names`
+: The workgroup name.
+
+`states`
+: The state of the workgroup. Valid values are: `ENABLED` or `DISABLED`.
+
+`descriptions`
+: The workgroup description.
+
+`creation_times`
+: The workgroup creation time. Format: YYYY-MM-DD HH:MM:SS ZZZZ.
+
+## Examples
+
+Ensure a work_group name is available:
+
+```ruby
+describe aws_athena_work_groups do
+ its('names') { should include 'WORK_GROUP_NAME' }
+end
+```
+
+Ensure that the state is `ENABLED` or `DISABLED`:
+
+```ruby
+describe aws_athena_work_groups do
+ its('states') { should include 'ENABLED' }
+end
+```
+
+## Matchers
+
+{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}}
+
+The controls will pass if the `describe` method returns at least one result.
+
+### exist
+
+Use `should` to test that the entity exists.
+
+```ruby
+describe aws_athena_work_groups do
+ it { should exist }
+end
+```
+
+Use `should_not` to test that an entity does not exist.
+
+```ruby
+describe aws_athena_work_groups do
+ it { should_not exist }
+end
+```
+
+### be_available
+
+Use `should` to check if the work_group name is available.
+
+```ruby
+describe aws_athena_work_groups do
+ it { should be_available }
+end
+```
+
+## AWS Permissions
+
+{{% inspec-aws/aws_permissions_principal action="Athena:Client:ListWorkGroupsOutput" %}}
diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_auto_scaling_group.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_auto_scaling_group.md
new file mode 100644
index 0000000..a1edd59
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_auto_scaling_group.md
@@ -0,0 +1,112 @@
++++
+title = "aws_auto_scaling_group resource"
+
+draft = false
+
+
+[menu.aws]
+title = "aws_auto_scaling_group"
+identifier = "inspec/resources/aws/aws_auto_scaling_group resource"
+parent = "inspec/resources/aws"
++++
+
+Use the `aws_auto_scaling_group` InSpec audit resource to test properties of a single AWS Auto Scaling group.
+
+For additional information, including details on parameters and properties, see the [AWS documentation on Auto Scaling Group](https://docs.aws.amazon.com/autoscaling/ec2/userguide/AutoScalingGroup.html).
+
+## Syntax
+
+Ensure that an auto scaling group exists and has the correct scale sizes
+
+```ruby
+describe aws_auto_scaling_group('MyAutoScalingGroup') do
+ it { should exist }
+ its('min_size') { should be 1}
+ its('max_size') { should be 4}
+end
+```
+
+You may also use hash syntax to pass the auto scaling group name
+
+```ruby
+describe aws_auto_scaling_group(name: 'MyAutoScalingGroup') do
+ it { should exist }
+end
+```
+
+## Parameters
+
+`name` _(required)_
+
+: This resource accepts a single parameter, the Auto Scaling Group Name which uniquely identifies the auto scaling group.
+ This can be passed either as a string or as a `name: 'value'` key-value entry in a hash.
+
+## Properties
+
+`min_size`
+: An integer indicating the minimum number of instances in the auto scaling group.
+
+`maximum_size`
+: An integer indicating the maximum number of instances in the auto scaling group.
+
+`desired_capacity`
+: An integer indicating the desired number of instances in the auto scaling group.
+
+`launch_configuration_name`
+: The name of the auto scaling launch configuration associated with the auto scaling group.
+
+`vpc_zone_identifier`
+: An array of strings corresponding to the subnet IDs associated with the auto scaling group.
+
+`tags`
+: An hash with each key-value pair corresponding to a tag associated with the entity.
+
+## Examples
+
+Ensure that an auto scaling group has the correct desired capacity:
+
+```ruby
+describe aws_auto_scaling_group('MyAutoScalingGroup') do
+ it { should exist }
+ its('desired_capacity') { should be 2 }
+end
+```
+
+Ensure that an auto scaling group has the correct Launch Configuration name and VPC identifier:
+
+```ruby
+describe aws_auto_scaling_group('MyAutoScalingGroup') do
+ it { should exist }
+ its('launch_configuration_name') { should eq 'MyLaunchConfiguration'}
+ its('vpc_zone_identifier') { should include 'subnet-1234'}
+end
+```
+
+## Matchers
+
+{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}}
+
+This resource has the following special matchers.
+
+### exist
+
+The control will pass if the describe returns at least one result.
+
+Use `should_not` to test the entity should not exist.
+
+```ruby
+describe aws_auto_scaling_group('AnExistingASG') do
+ it { should exist }
+end
+```
+
+```ruby
+describe aws_auto_scaling_group('ANonExistentASG') do
+ it { should_not exist }
+end
+```
+
+## AWS Permissions
+
+{{% inspec-aws/aws_permissions_principal action="AutoScaling:Client:AutoScalingGroupsType" %}}
+You can find detailed documentation at [Actions, Resources, and Condition Keys for Amazon Auto Scaling Groups](https://docs.aws.amazon.com/autoscaling/ec2/userguide/control-access-using-iam.html).
diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_auto_scaling_groups.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_auto_scaling_groups.md
new file mode 100644
index 0000000..6da4d8c
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_auto_scaling_groups.md
@@ -0,0 +1,93 @@
++++
+title = "aws_auto_scaling_groups resource"
+
+draft = false
+
+
+[menu.aws]
+title = "aws_auto_scaling_groups"
+identifier = "inspec/resources/aws/aws_auto_scaling_groups resource"
+parent = "inspec/resources/aws"
++++
+
+Use the `aws_auto_scaling_groups` InSpec audit resource to test the properties of a collection of AWS Auto Scaling Groups.
+
+For additional information, including details on parameters and properties, see the [AWS documentation on Auto Scaling Group](https://docs.aws.amazon.com/autoscaling/ec2/userguide/AutoScalingGroup.html).
+
+## Syntax
+
+An `aws_auto_scaling_groups` resource block returns all Auto Scaling Groups and allows the testing of those ASGs.
+
+```ruby
+describe aws_auto_scaling_groups do
+ its('names') { should include 'group-name' }
+end
+```
+
+## Parameters
+
+This resource does not require any parameters.
+
+## Properties
+
+`min_sizes`
+: An integer indicating the minimum number of instances in the auto scaling group.
+
+`max_sizes`
+: An integer indicating the maximum number of instances in the auto scaling group.
+
+`desired_capacities`
+: An integer indicating the desired number of instances in the auto scaling group.
+
+`launch_configuration_names`
+: The name of the auto scaling launch configuration associated with the auto scaling group.
+
+`vpc_zone_identifiers`
+: An array of strings corresponding to the subnet IDs associated with the auto scaling group.
+
+`health_check_types`
+: The service to use for the health checks. The valid values are EC2 and ELB.
+
+`tags`
+: A hash of key-value pairs corresponding to the tags associated with the entity.
+
+`entries`
+: Provides access to the raw results of the query, which can be treated as an array of hashes.
+
+## Examples
+
+Ensure there are no groups with incorrect vpc_zone_identifiers:
+
+```ruby
+describe aws_auto_scaling_groups do
+ it { should exist }
+ its('vpc_zone_identifiers') { should_not include 'UNDESIRED-ZONE'}
+end
+```
+
+## Matchers
+
+For a full list of available matchers, visit the [InSpec matchers page](https://www.inspec.io/docs/reference/matchers/).
+
+### exist
+
+The control will pass if the describe returns at least one result.
+
+Use `should_not` to test the entity should not exist.
+
+```ruby
+describe aws_auto_scaling_groups.where( : ) do
+ it { should exist }
+end
+```
+
+```ruby
+describe aws_auto_scaling_groups.where( : ) do
+ it { should_not exist }
+end
+```
+
+## AWS Permissions
+
+{{% inspec-aws/aws_permissions_principal action="AutoScaling:Client:AutoScalingGroupsType" %}}
+You can find detailed documentation at [Actions, Resources, and Condition Keys for Amazon Auto Scaling Groups](https://docs.aws.amazon.com/autoscaling/ec2/userguide/control-access-using-iam.html).
diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_autoscaling_scaling_policies.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_autoscaling_scaling_policies.md
new file mode 100644
index 0000000..cbf7446
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_autoscaling_scaling_policies.md
@@ -0,0 +1,126 @@
++++
+title = "aws_autoscaling_scaling_policies resource"
+
+draft = false
+
+
+[menu.aws]
+title = "aws_autoscaling_scaling_policies"
+identifier = "inspec/resources/aws/aws_autoscaling_scaling_policies resource"
+parent = "inspec/resources/aws"
++++
+
+Use the `aws_autoscaling_scaling_policies` InSpec audit resource to test properties of multiple Amazon EC2 Auto Scaling scaling policies.
+
+For additional information, including details on parameters and properties, see the [AWS AutoScaling Scaling Policy documentation](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-as-policy.html).
+
+## Syntax
+
+Ensure that an auto scaling group name exists.
+
+```ruby
+describe aws_autoscaling_scaling_policies do
+ it { should exist }
+end
+```
+
+## Parameters
+
+This resource does not require any parameters.
+
+## Properties
+
+`auto_scaling_group_names`
+: The name of an Auto Scaling group.
+
+`policy_names`
+: The names of one or more policies. If you omit this parameter, all policies are described.
+
+`policy_arns`
+: The ARN of the Auto Scaling group.
+
+`policy_types`
+: One or more policy types. The valid values are `SimpleScaling`, `StepScaling`, and `TargetTrackingScaling`.
+
+`adjustment_types`
+: The adjustment type of the Auto Scaling group.
+
+`min_adjustment_steps`
+: The minimum adjustment step of the Auto Scaling group.
+
+`min_adjustment_magnitudes`
+: The minimum adjustment magnitude of the Auto Scaling group.
+
+`scaling_adjustments`
+: The scaling adjustment of the Auto Scaling group.
+
+`cooldowns`
+: The cooldown period of the Auto Scaling group.
+
+`step_adjustments`
+: The step adjustments of the Auto Scaling group.
+
+`metric_aggregation_types`
+: The aggregation type for CloudWatch metrics of the Auto Scaling group.
+
+`estimated_instance_warmups`
+: The estimated warmup time of the Auto Scaling group until a new instance can contribute to CloudWatch metrics.
+
+`target_tracking_configurations`
+: The target tracking configuration of the Auto Scaling group.
+
+## Examples
+
+Ensure an auto scaling group name is available:
+
+```ruby
+describe aws_autoscaling_scaling_policies do
+ its('auto_scaling_group_names') { should include 'AUTO_SCALING_GROUP_NAME' }
+end
+```
+
+Ensure that the policy types are available:
+
+```ruby
+describe aws_autoscaling_scaling_policies do
+ its('policy_types') { should include 'POLICY_TYPE' }
+end
+```
+
+## Matchers
+
+{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}}
+
+The controls will pass if the `describe` method returns at least one result.
+
+### exist
+
+Use `should` to test that the entity exists.
+
+```ruby
+describe aws_autoscaling_scaling_policies do
+ it { should exist }
+end
+```
+
+Use `should_not` to test the entity does not exist.
+
+```ruby
+describe aws_autoscaling_scaling_policies do
+ it { should_not exist }
+end
+```
+
+### be_available
+
+Use `should` to check if the work_group name is available.
+
+```ruby
+describe aws_autoscaling_scaling_policies do
+ it { should be_available }
+end
+```
+
+## AWS Permissions
+
+{{% inspec-aws/aws_permissions_principal action="AutoScaling:client:PoliciesType" %}}
diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_autoscaling_scaling_policy.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_autoscaling_scaling_policy.md
new file mode 100644
index 0000000..a6f743e
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_autoscaling_scaling_policy.md
@@ -0,0 +1,134 @@
++++
+title = "aws_autoscaling_scaling_policy resource"
+
+draft = false
+
+
+[menu.aws]
+title = "aws_autoscaling_scaling_policy"
+identifier = "inspec/resources/aws/aws_autoscaling_scaling_policy resource"
+parent = "inspec/resources/aws"
++++
+
+Use the `aws_autoscaling_scaling_policy` InSpec audit resource to test properties of a single Amazon EC2 Auto Scaling scaling policy.
+
+For additional information, including details on parameters and properties, see the [AWS AutoScaling Scaling Policy documentation](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-as-policy.html).
+
+## Syntax
+
+Ensure that an auto scaling group name exists.
+
+```ruby
+describe aws_autoscaling_scaling_policy(auto_scaling_group_name: 'AUTO_SCALING_GROUP_NAME') do
+ it { should exist }
+end
+```
+
+## Parameters
+
+`auto_scaling_group_name` _(required)_
+
+: The name or Amazon Resource Name (ARN) of the Auto Scaling group that has a scaling policy.
+
+## Properties
+
+`auto_scaling_group_name`
+: The name of the Auto Scaling group.
+
+`policy_name`
+: The names of one or more policies. If you omit this parameter, all policies are described.
+
+`policy_arn`
+: The ARN of the Auto Scaling group.
+
+`policy_type`
+: One or more policy types. The valid values are `SimpleScaling`, `StepScaling`, and `TargetTrackingScaling`.
+
+`adjustment_type`
+: The adjustment type of the Auto Scaling group.
+
+`min_adjustment_step`
+: The minimum adjustment step of the Auto Scaling group.
+
+`min_adjustment_magnitude`
+: The minimum adjustment magnitude of the Auto Scaling group.
+
+`scaling_adjustment`
+: The scaling adjustment of the Auto Scaling group.
+
+`cooldown`
+: The cooldown period of the Auto Scaling group.
+
+`step_adjustments`
+: The step adjustments of the Auto Scaling group.
+
+`metric_aggregation_type`
+: The aggregation type for CloudWatch metrics of the Auto Scaling group.
+
+`estimated_instance_warmup`
+: The estimated warmup time of the Auto Scaling group until a new instance can contribute to CloudWatch metrics.
+
+`target_tracking_configuration`
+: The target tracking configuration of the Auto Scaling group.
+
+`enabled`
+: Whether the scaling policy is enabled or disabled.
+
+`alarms`
+: The alarms of the Auto Scaling group.
+
+## Examples
+
+Ensure an auto scaling group name is available:
+
+```ruby
+describe aws_autoscaling_scaling_policy(auto_scaling_group_name: 'AUTO_SCALING_GROUP_NAME') do
+ its('auto_scaling_group_name') { should eq 'AUTO_SCALING_GROUP_NAME' }
+end
+```
+
+Ensure that the policy type is available:
+
+```ruby
+describe aws_autoscaling_scaling_policy(auto_scaling_group_name: 'AUTO_SCALING_GROUP_NAME') do
+ its('policy_type') { should eq 'TargetTrackingScaling' }
+end
+```
+
+## Matchers
+
+{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}}
+
+The controls will pass if the `describe` method returns at least one result.
+
+### exist
+
+Use `should` to test that the entity exists.
+
+```ruby
+describe aws_autoscaling_scaling_policy(auto_scaling_group_name: 'AUTO_SCALING_GROUP_NAME') do
+ it { should exist }
+end
+```
+
+Use `should_not` to test the entity does not exist.
+
+```ruby
+describe aws_autoscaling_scaling_policy(auto_scaling_group_name: 'AUTO_SCALING_GROUP_NAME') do
+ it { should_not exist }
+end
+```
+
+### be_available
+
+Use `should` to check if the auto scaling group name is available.
+
+```ruby
+describe aws_autoscaling_scaling_policy(auto_scaling_group_name: 'AUTO_SCALING_GROUP_NAME') do
+ it { should be_available }
+end
+```
+
+## AWS Permissions
+
+{{% inspec-aws/aws_permissions_principal action="AutoScaling:client:PoliciesType" %}}
diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_batch_compute_environment.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_batch_compute_environment.md
new file mode 100644
index 0000000..c7d6c37
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_batch_compute_environment.md
@@ -0,0 +1,170 @@
++++
+title = "aws_batch_compute_environment resource"
+
+draft = false
+
+
+[menu.aws]
+title = "aws_batch_compute_environment"
+identifier = "inspec/resources/aws/aws_batch_compute_environment resource"
+parent = "inspec/resources/aws"
++++
+
+Use the `aws_batch_compute_environment` InSpec audit resource to test the properties of a single AWS Batch compute environment.
+
+For additional information, including details on parameters and properties, see the [AWS documentation on Batch compute environment](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-batch-computeenvironment.html).
+
+## Syntax
+
+Ensure that a compute_environment name exists.
+
+```ruby
+describe aws_batch_compute_environment(compute_environment_name: 'COMPUTE_ENVIRONMENT_NAME') do
+ it { should exist }
+end
+```
+
+## Parameters
+
+`compute_environment_name` _(required)_
+
+: The name of the Batch compute environment.
+
+## Properties
+
+`compute_environment_name`
+: The name of the compute environment.
+
+`compute_environment_arn`
+: The ARN of the compute environment.
+
+`ecs_cluster_arn`
+: The ECS cluster ARN of the compute environment.
+
+`tags`
+: The tags of the compute environment.
+
+`type`
+: The type of the compute environment.
+
+`state`
+: The state of the compute environment.
+
+`status`
+: The status of the compute environment.
+
+`status_reason`
+: The status reason of the compute environment.
+
+`compute_resources (type)`
+: The type of compute resource for the compute environment.
+
+`compute_resources (allocation_strategy)`
+: The allocation strategy for the compute resources of the compute environment.
+
+`compute_resources (minv_cpus)`
+: The minimum number of vCPUs of the compute environment.
+
+`compute_resources (maxv_cpus)`
+: The maximum number of vCPUs of the compute environment.
+
+`compute_resources (desiredv_cpus)`
+: The desired number of vCPUs of the compute environment.
+
+`compute_resources (instance_types)`
+: The instance types of the compute environment.
+
+`compute_resources (image_id)`
+: The Amazon Machine Image (AMI) ID for instances launched in the compute environment.
+
+`compute_resources (subnets)`
+: The VPC subnets where the compute resources are launched.
+
+`compute_resources (security_group_ids)`
+: The EC2 security group IDs of the compute resources of the compute environment.
+
+`compute_resources (ec2_key_pair)`
+: The EC2 key pair for instances launched in the compute environment.
+
+`compute_resources (instance_role)`
+: The ECS instance profile of EC2 instances in the compute environment.
+
+`compute_resources (tags)`
+: The tags applied to EC2 instances in the compute environment.
+
+`compute_resources (placement_group)`
+: The EC2 placement group of the compute resources in the compute environment.
+
+`compute_resources (bid_percentage)`
+: The bid percentage of an instance in the compute environment.
+
+`compute_resources (spot_iam_fleet_role)`
+: The ARN of the EC2 Spot Fleet IAM role applied to a SPOT compute environment.
+
+`compute_resources (launch_template (launch_template_id))`
+: The ID of the launch template of the compute resources of the compute environment.
+
+`compute_resources (launch_template (launch_template_name))`
+: The name of the launch template of the compute resources of the compute environment.
+
+`compute_resources (launch_template (version))`
+: The version of the launch template of the compute resources of the compute environment.
+
+`service_role`
+: The service role of the compute environment.
+
+## Examples
+
+Ensure a compute environment name is available:
+
+```ruby
+describe aws_batch_compute_environment(compute_environment_name: 'COMPUTE_ENVIRONMENT_NAME') do
+ its('compute_environment_name') { should eq 'COMPUTE_ENVIRONMENT_NAME' }
+end
+```
+
+Ensure that the state is `ENABLED` or `DISABLED`:
+
+```ruby
+describe aws_batch_compute_environment(compute_environment_name: 'COMPUTE_ENVIRONMENT_NAME') do
+ its('state') { should eq 'ENABLED' }
+end
+```
+
+## Matchers
+
+{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}}
+
+The controls will pass if the `describe` method returns at least one result.
+
+### exist
+
+Use `should` to test that the entity exists.
+
+```ruby
+describe aws_batch_compute_environment(compute_environment_name: 'COMPUTE_ENVIRONMENT_NAME') do
+ it { should exist }
+end
+```
+
+Use `should_not` to test the entity does not exist.
+
+```ruby
+describe aws_batch_compute_environment(compute_environment_name: 'COMPUTE_ENVIRONMENT_NAME') do
+ it { should_not exist }
+end
+```
+
+### be_available
+
+Use `should` to check if the compute environment name is available.
+
+```ruby
+describe aws_batch_compute_environment(compute_environment_name: 'COMPUTE_ENVIRONMENT_NAME') do
+ it { should be_available }
+end
+```
+
+## AWS Permissions
+
+{{% inspec-aws/aws_permissions_principal action="Batch:Client:DescribeComputeEnvironmentsResponse" %}}
diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_batch_compute_environments.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_batch_compute_environments.md
new file mode 100644
index 0000000..27b5b07
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_batch_compute_environments.md
@@ -0,0 +1,114 @@
++++
+title = "aws_batch_compute_environments resource"
+
+draft = false
+
+
+[menu.aws]
+title = "aws_batch_compute_environments"
+identifier = "inspec/resources/aws/aws_batch_compute_environments resource"
+parent = "inspec/resources/aws"
++++
+
+Use the `aws_batch_compute_environments` InSpec audit resource to test properties of multiple AWS Batch compute environments.
+
+For additional information, including details on parameters and properties, see the [AWS documentation on Batch compute environment](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-batch-computeenvironment.html).
+
+## Syntax
+
+Ensure that a compute environment exists.
+
+```ruby
+describe aws_batch_compute_environments do
+ it { should exist }
+end
+```
+
+## Parameters
+
+This resource does not require any parameters.
+
+## Properties
+
+`compute_environment_names`
+: The name of the compute environment.
+
+`compute_environment_arns`
+: The ARN of the compute environment.
+
+`ecs_cluster_arns`
+: The ECS cluster ARN of the compute environment.
+
+`tags`
+: The tags of the compute environment.
+
+`types`
+: The type of the compute environment.
+
+`states`
+: The state of the compute environment.
+
+`statuses`
+: The status of the compute environment.
+
+`status_reasons`
+: The status reason of the compute environment.
+
+`service_roles`
+: The service role of the compute environment.
+
+## Examples
+
+Ensure a work group name is available:
+
+```ruby
+describe aws_batch_compute_environments do
+ its('compute_environment_names') { should include 'COMPUTE_ENVIRONMENT_NAME' }
+end
+```
+
+Ensure that the state is `ENABLED` or `DISABLED`:
+
+```ruby
+describe aws_batch_compute_environments do
+ its('states') { should include 'ENABLED' }
+end
+```
+
+## Matchers
+
+This InSpec audit resource has the following special matchers. For a full list of the available matchers, please visit our [Universal Matchers page](https://www.inspec.io/docs/reference/matchers/).
+
+The controls will pass if the `describe` method returns at least one result.
+
+### exist
+
+Use `should` to test that the entity exists.
+
+```ruby
+describe aws_batch_compute_environments do
+ it { should exist }
+end
+```
+
+Use `should_not` to test the entity does not exist.
+
+```ruby
+describe aws_batch_compute_environments do
+ it { should_not exist }
+end
+```
+
+### be_available
+
+Use `should` to check if the compute environments are available.
+
+```ruby
+describe aws_batch_compute_environments do
+ it { should be_available }
+end
+```
+
+## AWS Permissions
+
+{{% inspec-aws/aws_permissions_principal action="Batch:Client:DescribeComputeEnvironmentsResponse" %}}
diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_batch_job_definition.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_batch_job_definition.md
new file mode 100644
index 0000000..051a87f
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_batch_job_definition.md
@@ -0,0 +1,196 @@
++++
+title = "aws_batch_job_definition resource"
+
+draft = false
+
+
+[menu.aws]
+title = "aws_batch_job_definition"
+identifier = "inspec/resources/aws/aws_batch_job_definition resource"
+parent = "inspec/resources/aws"
++++
+
+Use the `aws_batch_job_definition` InSpec audit resource to test the properties of a single specific Batch job definition.
+
+The AWS::Batch::JobDefinition resource specifies the parameters for an AWS Batch job definition.
+
+For additional information, including details on parameters and properties, see the [AWS documentation on Batch Job Definition](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-batch-jobdefinition.html).
+
+## Syntax
+
+Ensure that a job definition name exists.
+
+```ruby
+describe aws_batch_job_definition(job_definition_name: 'JOB_DEFINITION_NAME') do
+ it { should exist }
+end
+```
+
+## Parameters
+
+`job_definition_name` _(required)_
+
+: The name of the job definition.
+
+## Properties
+
+`job_definition_name`
+: The name of the job definition.
+
+`job_definition_arn`
+: The ARN of the job definition.
+
+`revision`
+: The revision of the job definition.
+
+`status`
+: The status of the job definition.
+
+`type`
+: The type of the job definition.
+
+`parameters`
+: The parameters of the job definition.
+
+`container_properties (image)`
+: The container image in the job definition.
+
+`container_properties (vcpus)`
+: The number of vCPUs reserved for the container in the job definition.
+
+`container_properties (memory)`
+: The hard limit of the container's memory in the job definition.
+
+`container_properties (command)`
+: The command passed to the container in the job definition.
+
+`container_properties (job_role_arn)`
+: The ARN of the IAM role that the container can assume for AWS permissions in the job definition.
+
+`container_properties (execution_role_arn)`
+: The execution role ARN that the AWS Batch can assume in the job definition.
+
+`container_properties (volumes)`
+: The list of the data volumes in the job definition.
+
+`container_properties (environment)`
+: The environment variables to pass to a container in the job definition.
+
+`container_properties (mount_points)`
+: The mount points for the data volumes in the container in the job definition.
+
+`container_properties (readonly_root_filesystem)`
+: Whether the container is given read-only access to its root file system in the job definition.
+
+`container_properties (privileged)`
+: Whether the container is given elevated permissions on the host container instance.
+
+`container_properties (ulimits)`
+: The list of ulimits to set in the container in the job definition.
+
+`container_properties (user)`
+: The user name to use in the container in the job definition.
+
+`container_properties (instance_type)`
+: The instance type to use for a multi-node parallel job.
+
+`container_properties (resource_requirements)`
+: The type and amount of resources to assign to a container in the job definition.
+
+`container_properties (linux_parameters (shared_memory_size))`
+: The value in MiB of the `/dev/shm` volume for the container in the job definition.
+
+`container_properties (linux_parameters (tmpfs))`
+: The container path, mount options, and size (in MiB) of the tmpfs mount for the container in the job definition.
+
+`container_properties (linux_parameters (max_swap))`
+: The total amount of swap memory (in MiB) a container can use.
+
+`container_properties (linux_parameters (swappiness))`
+: The container's memory swappiness behavior in the job definition.
+
+`container_properties (linux_parameters (shared_memory_size))`
+: The shared_memory_size of the log configuration of the container properties of the job definition.
+
+`container_properties (log_configuration (options))`
+: The log configuration options to send to the log driver for the container in the job.
+
+`container_properties (secrets)`
+: The secrets for the job that are exposed as environment variables.
+
+`timeout (attempt_duration_seconds)`
+: The timeout duration in seconds of the job definition.
+
+`node_properties (num_nodes)`
+: The number of nodes that are associated with a multi-node parallel job in the job definition.
+
+`node_properties (main_node)`
+: The node index for the main node of a multi-node parallel job.
+
+`node_properties (node_range_properties)`
+: A list of node ranges and their properties that are associated with a multi-node parallel job.
+
+`tags`
+: The tags of the job definition.
+
+`propagate_tags`
+: Whether to propagate tags from the job definition to the ECS task.
+
+`platform_capabilities`
+: The platform capabilities required by the job definition.
+
+## Examples
+
+Ensure a job definition name is available:
+
+```ruby
+describe aws_batch_job_definition(job_definition_name: 'JOB_DEFINITION_NAME') do
+ its('job_definition_name') { should eq 'JOB_DEFINITION_NAME' }
+end
+```
+
+Ensure that the status is `ACTIVE`:
+
+```ruby
+describe aws_batch_job_definition(job_definition_name: 'JOB_DEFINITION_NAME') do
+ its('status') { should eq 'ACTIVE' }
+end
+```
+
+## Matchers
+
+{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}}
+
+The controls will pass if the `describe` method returns at least one result.
+
+### exist
+
+Use `should` to test that the entity exists.
+
+```ruby
+describe aws_batch_job_definition(job_definition_name: 'JOB_DEFINITION_NAME') do
+ it { should exist }
+end
+```
+
+Use `should_not` to test the entity does not exist.
+
+```ruby
+describe aws_batch_job_definition(job_definition_name: 'JOB_DEFINITION_NAME') do
+ it { should_not exist }
+end
+```
+
+### be_available
+
+Use `should` to check if the job definition name is available.
+
+```ruby
+describe aws_batch_job_definition(job_definition_name: 'JOB_DEFINITION_NAME') do
+ it { should be_available }
+end
+```
+
+## AWS Permissions
+
+{{% inspec-aws/aws_permissions_principal action="Batch:Client:DescribeJobDefinitionsResponse" %}}
diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_batch_job_definitions.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_batch_job_definitions.md
new file mode 100644
index 0000000..ed61be1
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_batch_job_definitions.md
@@ -0,0 +1,116 @@
++++
+title = "aws_batch_job_definitions resource"
+
+draft = false
+
+
+[menu.aws]
+title = "aws_batch_job_definitions"
+identifier = "inspec/resources/aws/aws_batch_job_definitions resource"
+parent = "inspec/resources/aws"
++++
+
+Use the `aws_batch_job_definitions` InSpec audit resource to test properties of multiple AWS Batch job definitions.
+
+The AWS::Batch::JobDefinition resource specifies the parameters for an AWS Batch job definition.
+
+For additional information, including details on parameters and properties, see the [AWS documentation on Batch Job Definition](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-athena-workgroup.html).
+
+## Syntax
+
+Ensure that a job definition exists.
+
+```ruby
+describe aws_batch_job_definitions do
+ it { should exist }
+end
+```
+
+## Parameters
+
+This resource does not require any parameters.
+
+## Properties
+
+`job_definition_names`
+: The name of the job definition.
+
+`job_definition_arns`
+: The ARN of the job definition.
+
+`revisions`
+: The revision of the job definition.
+
+`statuses`
+: The status of the job definition.
+
+`types`
+: The type of the job definition.
+
+`parameters`
+: The parameter of the job definition.
+
+`tags`
+: The tags of the job definition.
+
+`propagate_tags`
+: Whether to propagate tags from the job definition to the ECS task.
+
+`platform_capabilities`
+: The platform capabilities required by the job definition.
+
+## Examples
+
+Ensure a job definition name is available:
+
+```ruby
+describe aws_batch_job_definitions do
+ its('job_definition_names') { should include 'JOB_DEFINITION_NAME' }
+end
+```
+
+Ensure that the status is `ACTIVE`:
+
+```ruby
+describe aws_batch_job_definitions do
+ its('statuses') { should include 'ACTIVE' }
+end
+```
+
+## Matchers
+
+This InSpec audit resource has the following special matchers. For a full list of the available matchers, please visit our [Universal Matchers page](https://www.inspec.io/docs/reference/matchers/).
+
+The controls will pass if the `describe` method returns at least one result.
+
+### exist
+
+Use `should` to test that the entity exists.
+
+```ruby
+describe aws_batch_job_definitions do
+ it { should exist }
+end
+```
+
+Use `should_not` to test the entity does not exist.
+
+```ruby
+describe aws_batch_job_definitions do
+ it { should_not exist }
+end
+```
+
+### be_available
+
+Use `should` to check if the job_definition name is available.
+
+```ruby
+describe aws_batch_job_definitions do
+ it { should be_available }
+end
+```
+
+## AWS Permissions
+
+{{% inspec-aws/aws_permissions_principal action="Batch:Client:DescribeJobDefinitionsResponse" %}}
diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_batch_job_queue.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_batch_job_queue.md
new file mode 100644
index 0000000..6d509bc
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_batch_job_queue.md
@@ -0,0 +1,116 @@
++++
+title = "aws_batch_job_queue resource"
+
+draft = false
+
+
+[menu.aws]
+title = "aws_batch_job_queue"
+identifier = "inspec/resources/aws/aws_batch_job_queue resource"
+parent = "inspec/resources/aws"
++++
+
+Use the `aws_batch_job_queue` InSpec audit resource to test the properties of a single AWS Batch job queue.
+
+For additional information, including details on parameters and properties, see the [AWS Batch job queues documentation](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-batch-jobqueue.html).
+
+## Syntax
+
+Ensure that a job_queue name exists.
+
+```ruby
+describe aws_batch_job_queue(job_queue_name: 'JOB_QUEUE_NAME') do
+ it { should exist }
+end
+```
+
+## Parameters
+
+`job_queue_name` _(required)_
+
+: The name of the job queue.
+
+## Properties
+
+`job_queue_name`
+: The name of the job queue.
+
+`job_queue_arn`
+: The ARN of the job queue.
+
+`state`
+: The state of the job queue.
+
+`status`
+: The status of the job queue.
+
+`status_reason`
+: The status_reason of the job queue.
+
+`priority`
+: The priority of the job queue.
+
+`compute_environment_order (order)`
+: The order of the compute environment of the job queue.
+
+`compute_environment_order (compute_environment)`
+: The ARN of the compute environment of the job queue.
+
+`tags`
+: The tags of the job queue.
+
+## Examples
+
+Ensure a job queue name is available:
+
+```ruby
+describe aws_batch_job_queue(job_queue_name: 'JOB_QUEUE_NAME') do
+ its('job_queue_name') { should eq 'JOB_QUEUE_NAME' }
+end
+```
+
+Ensure that the state is `ENABLED` or `DISABLED`:
+
+```ruby
+describe aws_batch_job_queue(job_queue_name: 'JOB_QUEUE_NAME') do
+ its('state') { should eq 'ENABLED' }
+end
+```
+
+## Matchers
+
+{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}}
+
+The controls will pass if the `describe` method returns at least one result.
+
+### exist
+
+Use `should` to test that the entity exists.
+
+```ruby
+describe aws_batch_job_queue(job_queue_name: 'JOB_QUEUE_NAME') do
+ it { should exist }
+end
+```
+
+Use `should_not` to test the entity does not exist.
+
+```ruby
+describe aws_batch_job_queue(job_queue_name: 'JOB_QUEUE_NAME') do
+ it { should_not exist }
+end
+```
+
+### be_available
+
+Use `should` to check if the job_queue name is available.
+
+```ruby
+describe aws_batch_job_queue(job_queue_name: 'JOB_QUEUE_NAME') do
+ it { should be_available }
+end
+```
+
+## AWS Permissions
+
+{{% inspec-aws/aws_permissions_principal action="Batch:Client:DescribeJobQueuesResponse" %}}
diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_batch_job_queues.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_batch_job_queues.md
new file mode 100644
index 0000000..1fde82d
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_batch_job_queues.md
@@ -0,0 +1,108 @@
++++
+title = "aws_batch_job_queues resource"
+
+draft = false
+
+
+[menu.aws]
+title = "aws_batch_job_queues"
+identifier = "inspec/resources/aws/aws_batch_job_queues resource"
+parent = "inspec/resources/aws"
++++
+
+Use the `aws_batch_job_queues` InSpec audit resource to test the properties of multiple AWS Batch job queues.
+
+For additional information, including details on parameters and properties, see the [AWS Batch job queues documentation](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-batch-jobqueue.html).
+
+## Syntax
+
+Ensure that a job queue exists.
+
+```ruby
+describe aws_batch_job_queues do
+ it { should exist }
+end
+```
+
+## Parameters
+
+This resource does not require any parameters.
+
+## Properties
+
+`job_queue_names`
+: The name of the job queue.
+
+`job_queue_arns`
+: The ARN of the job queue.
+
+`states`
+: The state of the job queue.
+
+`statuses`
+: The status of the job queue.
+
+`status_reasons`
+: The status_reason of the job queue.
+
+`priorities`
+: The priority of the job queue.
+
+`tags`
+: The tags of the job queue.
+
+## Examples
+
+Ensure a job queue name is available:
+
+```ruby
+describe aws_batch_job_queues do
+ its('job_queue_names') { should include 'JOB_QUEUE_NAME' }
+end
+```
+
+Ensure that the state is `ENABLED` or `DISABLED`:
+
+```ruby
+describe aws_batch_job_queues do
+ its('states') { should include 'ENABLED' }
+end
+```
+
+## Matchers
+
+{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}}
+
+The controls will pass if the `describe` method returns at least one result.
+
+### exist
+
+Use `should` to test that the entity exists.
+
+```ruby
+describe aws_batch_job_queues do
+ it { should exist }
+end
+```
+
+Use `should_not` to test the entity does not exist.
+
+```ruby
+describe aws_batch_job_queues do
+ it { should_not exist }
+end
+```
+
+### be_available
+
+Use `should` to check if the job_queue name is available.
+
+```ruby
+describe aws_batch_job_queues do
+ it { should be_available }
+end
+```
+
+## AWS Permissions
+
+{{% inspec-aws/aws_permissions_principal action="Batch:Client:DescribeJobQueuesResponse" %}}
diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_cloud_formation_stack_set.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_cloud_formation_stack_set.md
new file mode 100644
index 0000000..36668ea
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_cloud_formation_stack_set.md
@@ -0,0 +1,174 @@
++++
+title = "aws_cloud_formation_stack_set resource"
+
+draft = false
+
+
+[menu.aws]
+title = "aws_cloud_formation_stack_set"
+identifier = "inspec/resources/aws/aws_cloud_formation_stack_set resource"
+parent = "inspec/resources/aws"
++++
+
+Use the `aws_cloud_formation_stack_set` InSpec audit resource to test properties of the singular Cloud Formation stack set.
+
+For additional information, including details on parameters and properties, see the [AWS documentation on AWS CloudFormation stack set](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cloudformation-stackset.html).
+
+## Syntax
+
+Ensure that the stack set exists.
+
+```ruby
+describe aws_cloud_formation_stack_set(stack_set_name: "STACK_SET_NAME") do
+ it { should exist }
+end
+```
+
+## Parameters
+
+This resource does not require any parameters.
+
+## Properties
+
+`stack_set_name`
+: The name that's associated with the stack set.
+
+`stack_set_id`
+: The ID of the stack set.
+
+`description`
+: A description of the stack set that you specify when the stack set is created or updated.
+
+`status`
+: The status of the stack set.
+
+`template_body`
+: The structure that contains the body of the template that was used to create or update the stack set.
+
+`parameters`
+: A list of input parameters for a stack set.
+
+`parameter_keys`
+: The key associated with the parameter.
+
+`parameter_values`
+: The input value associated with the parameter.
+
+`use_previous_values`
+: During a stack update, use the existing parameter value that the stack is using for a given parameter key. If you specify `true`, do not specify a parameter value.
+
+`resolved_values`
+: The value that corresponds to a Systems Manager parameter key.
+
+`capabilities`
+: The capabilities that are allowed in the stack set. Some stack set templates might include resources that can affect permissions in your Amazon Web Services account—for example, by creating new Identity and Access Management (IAM) users.
+
+`tags`
+: A list of tags that specify information about the stack set.
+
+`stack_set_arn`
+: The Amazon Resource Number (ARN) of the stack set.
+
+`administration_role_arn`
+: The Amazon Resource Number (ARN) of the IAM role used to create or update the stack set.
+
+`execution_role_name`
+: The name of the IAM execution role used to create or update the stack set.
+
+`stack_set_drift_detection_details.drift_status`
+: Status of the stack set's actual configuration compared to its expected template and parameter configuration.
+
+`stack_set_drift_detection_details.drift_detection_status`
+: The status of the stack set drift detection operation.
+
+`stack_set_drift_detection_details.last_drift_check_timestamp`
+: Most recent time when CloudFormation performed a drift detection operation on the stack set.
+
+`stack_set_drift_detection_details.total_stack_instances_count`
+: The total number of stack instances belonging to this stack set.
+
+`stack_set_drift_detection_details.drifted_stack_instances_count`
+: The number of stack instances that have drifted from the expected template and parameter configuration of the stack set.
+
+`stack_set_drift_detection_details.in_sync_stack_instances_count`
+: The number of stack instances which match the expected template and parameter configuration of the stack set.
+
+`stack_set_drift_detection_details.in_progress_stack_instances_count`
+: The number of stack instances that are currently being checked for drift.
+
+`stack_set_drift_detection_details.failed_stack_instances_count`
+: The number of stack instances for which the drift detection operation failed.
+
+`auto_deployment.enabled`
+: If set to `true`, StackSets automatically deploys additional stack instances to AWS Organizations accounts that are added to a target organization or organizational unit (OU) in the specified Regions.
+
+`auto_deployment.retain_stacks_on_account_removal`
+: If set to `true`, stack resources are retained when an account is removed from a target organization or OU. If set to `false`, stack resources are deleted. Specify only if `Enabled` is set to True.
+
+`permission_model`
+: Describes how the IAM roles required for stack set operations are created.
+
+`organizational_unit_ids`
+: The organization root ID or organizational unit (OU) IDs that you specified for deployment targets.
+
+## Examples
+
+Ensure a stack set ID is available:
+
+```ruby
+describe aws_cloud_formation_stack_set(stack_set_name: "STACK_SET_NAME") do
+ its('stack_set_id') { should eq 'StackSetId' }
+end
+```
+
+Verify the description of the stack set:
+
+```ruby
+describe aws_cloud_formation_stack_set(stack_set_name: "STACK_SET_NAME") do
+ its('description') { should eq 'test-description'}
+end
+```
+
+Verify the parameter keys of the stack set:
+
+```ruby
+describe aws_cloud_formation_stack_set(stack_set_name: "STACK_SET_NAME") do
+ its('parameter_keys') { should include 'ParameterKey'}
+end
+```
+
+Verify the in-progress stack instances count of the stack set:
+
+```ruby
+describe aws_cloud_formation_stack_set(stack_set_name: "STACK_SET_NAME") do
+ its('stack_set_drift_detection_details.in_progress_stack_instances_count') { should eq 1}
+end
+```
+
+## Matchers
+
+{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}}
+
+The controls will pass if the `describe` method returns at least one result.
+
+### exist
+
+Use `should` to test that the entity exists.
+
+```ruby
+describe aws_cloud_formation_stack_set(stack_set_name: "STACK_SET_NAME") do
+ it { should exist }
+end
+```
+
+Use `should_not` to test the entity does not exist.
+
+```ruby
+describe aws_cloud_formation_stack_set(stack_set_name: "STACK_SET_NAME") do
+ it { should_not exist }
+end
+```
+
+## AWS Permissions
+
+{{% inspec-aws/aws_permissions_principal action="CloudFormation:Client:DescribeStackSetOutput" %}}
diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_cloud_formation_stack_sets.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_cloud_formation_stack_sets.md
new file mode 100644
index 0000000..1a07a30
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_cloud_formation_stack_sets.md
@@ -0,0 +1,117 @@
++++
+title = "aws_cloud_formation_stack_sets resource"
+
+draft = false
+
+
+[menu.aws]
+title = "aws_cloud_formation_stack_sets"
+identifier = "inspec/resources/aws/aws_cloud_formation_stack_sets resource"
+parent = "inspec/resources/aws"
++++
+
+Use the `aws_cloud_formation_stack_sets` InSpec audit resource to test properties of multiple AWS Cloud Formation stack sets.
+
+For additional information, including details on parameters and properties, see the [AWS documentation on AWS CloudFormation Stack Set.](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cloudformation-stackset.html).
+
+## Syntax
+
+Ensure that the stack set exists.
+
+```ruby
+describe aws_cloud_formation_stack_sets do
+ it { should exist }
+end
+```
+
+## Parameters
+
+This resource does not require any parameters.
+
+## Properties
+
+`stack_set_names`
+: The name of the stack set.
+
+: **Field**: `stack_set_name`
+
+`stack_set_ids`
+: The ID of the stack set.
+
+: **Field**: `stack_set_ids`
+
+`descriptions`
+: A description of the stack set that you specify when the stack set is created or updated.
+
+: **Field**: `description`
+
+`status`
+: The status of the stack set.
+
+: **Field**: `status`
+
+`auto_deployments`
+: Describes whether StackSets automatically deploys to Organizations accounts that are added to a target organizational unit (OU).
+
+: **Field**: `auto_deployment`
+
+`permission_models`
+: Describes how the IAM roles required for stack set operations are created.
+
+: **Field**: `permission_model`
+
+`drift_statuses`
+: Status of the stack set's actual configuration compared to its expected template and parameter configuration.
+
+: **Field**: `drift_status`
+
+`last_drift_check_timestamps`
+: Most recent time when CloudFormation performed a drift detection operation on the stack set.
+
+: **Field**: `last_drift_check_timestamp`
+
+## Examples
+
+Verify that a stack set ID is available:
+
+```ruby
+describe aws_cloud_formation_stack_sets do
+ its('stack_set_ids') { should include 'STACK_SET_ID' }
+end
+```
+
+Verify the descriptions of the stack set:
+
+```ruby
+describe aws_cloud_formation_stack_sets do
+ its('descriptions') { should include 'DESCRIPTION_STRING'}
+end
+```
+
+## Matchers
+
+{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}}
+
+The controls will pass if the `list` method returns at least one result.
+
+### exist
+
+Use `should` to test that the entity exists.
+
+```ruby
+describe aws_cloud_formation_stack_sets do
+ it { should exist }
+end
+```
+
+Use `should_not` to test the entity does not exist.
+
+```ruby
+describe aws_cloud_formation_stack_sets do
+ it { should_not exist }
+end
+```
+
+## AWS Permissions
+
+{{% inspec-aws/aws_permissions_principal action="CloudFormation:Client:ListStackSetsOutput" %}}
diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_cloudformation_stack.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_cloudformation_stack.md
new file mode 100644
index 0000000..30037d7
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_cloudformation_stack.md
@@ -0,0 +1,146 @@
++++
+title = "aws_cloudformation_stack resource"
+
+draft = false
+
+
+[menu.aws]
+title = "aws_cloudformation_stack"
+identifier = "inspec/resources/aws/aws_cloudformation_stack resource"
+parent = "inspec/resources/aws"
++++
+
+Use the `aws_cloudformation_stack` InSpec audit resource to test properties of a single AWS Cloud Formation Stack.
+
+For additional information, including details on parameters and properties, see the [AWS documentation on Cloud Formation](https://docs.aws.amazon.com/AWSCloudFormation/latest/APIReference/Welcome.html).
+
+## Syntax
+
+Ensure that an `aws_cloudformation_stack` exists
+
+```ruby
+describe aws_cloudformation_stack('stack-name') do
+ it { should exist }
+end
+```
+
+```ruby
+describe aws_cloudformation_stack(stack_name: 'stack-name') do
+ it { should exist }
+end
+```
+
+## Parameters
+
+`stack_name` _(required)_
+
+: This resource accepts a single parameter, the CloudFormation Stack name which uniquely identifies the stack.
+ This can be passed either as a string or as a `stack_name: 'value'` key-value entry in a hash.
+
+## Properties
+
+`stack_id`
+: Unique identifier of the stack.
+
+`stack_name`
+: The name associated with the stack.
+
+`change_set_id`
+: The unique ID of the change set.
+
+`description`
+: A user-defined description associated with the stack.
+
+`parameters`
+: A list of Parameter structures.
+
+`creation_time`
+: The time at which the stack was created.
+
+`deletion_time`
+: The time the stack was deleted.
+
+`last_updated_time`
+: The time the stack was last updated.
+
+`rollback_configuration`
+: The rollback triggers for AWS CloudFormation to monitor during stack creation and updating operations, and for the specified monitoring period afterwards.
+
+`stack_status`
+: Current status of the stack.
+
+`stack_status_reason`
+: Success/failure message associated with the stack status.
+
+`drift_information`
+: Information on whether a stack's actual configuration differs, or has drifted, from it's expected configuration, as defined in the stack template and any values specified as template parameters.
+
+`disable_rollback`
+: Boolean to enable or disable rollback on stack creation failures:.
+
+`notification_arns`
+: SNS topic ARNs to which stack related events are published.
+
+`timeout_in_minutes`
+: The amount of time within which stack creation should complete.
+
+`capabilities`
+: The capabilities allowed in the stack.
+
+`outputs`
+: A list of output structures.
+
+`role_arn`
+: The Amazon Resource Name (ARN) of an AWS Identity and Access Management (IAM) role that is associated with the stack.
+
+`tags`
+: A list of Tags that specify information about the stack.
+
+`enable_termination_protection`
+: Whether termination protection is enabled for the stack.
+
+`parent_id`
+: For nested stacks--stacks created as resources for another stack--the stack ID of the direct parent of this stack.
+
+`root_id`
+: For nested stacks--stacks created as resources for another stack--the stack ID of the the top-level stack to which the nested stack ultimately belongs.
+
+## Examples
+
+Test that a CloudFormation Stack has its stack_status configured correctly:
+
+```ruby
+describe aws_cloudformation_stack('stack_name') do
+its ('stack_status') { should eq 'CREATE_COMPLETE' }
+end
+```
+
+## Matchers
+
+{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}}
+
+This resource has the following special matchers.
+
+### exist
+
+The control will pass if the describe returns at least one result.
+
+Use `should_not` to test the entity should not exist.
+
+```ruby
+describe aws_cloudformation_stack('AnExistingStack') do
+ it { should exist }
+end
+```
+
+```ruby
+describe aws_cloudformation_stack('ANonExistentStack') do
+ it { should_not exist }
+end
+```
+
+## AWS Permissions
+
+{{% inspec-aws/aws_permissions_principal action="CloudFormation:Client:DescribeStacksOutput" %}}
+
+You can find detailed documentation at [Authentication and Access Control for CloudFormation](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/Welcome.html)
diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_cloudformation_stacks.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_cloudformation_stacks.md
new file mode 100644
index 0000000..e10e56e
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_cloudformation_stacks.md
@@ -0,0 +1,106 @@
++++
+title = "aws_cloudformation_stacks resource"
+
+draft = false
+
+
+[menu.aws]
+title = "aws_cloudformation_stacks"
+identifier = "inspec/resources/aws/aws_cloudformation_stacks resource"
+parent = "inspec/resources/aws"
++++
+
+Use the `aws_cloudformation_stacks` InSpec audit resource to test properties of an AWS CloudFormation stack in bulk.
+
+## Syntax
+
+Ensure that `aws_cloudformation_stacks` exists
+
+```ruby
+describe aws_cloudformation_stacks do
+ it { should exist }
+end
+```
+
+See the [AWS documentation on CloudFormation](https://docs.aws.amazon.com/AWSCloudFormation/latest/APIReference/Welcome.html) for additional information.
+
+## Parameters
+
+This resource does not require any parameters.
+
+## Properties
+
+`stack_name`
+: The name associated with the stack.
+
+`stack_id`
+: Unique identifier of the stack.
+
+`creation_time`
+: The time at which the stack was created.
+
+`notification_arns`
+: SNS topic ARNs to which stack related events are published.
+
+`role_arn`
+: The Amazon Resource Name (ARN) of an AWS Identity and Access Management (IAM) role that is associated with the stack.
+
+`parent_id`
+: For nested stacks--stacks created as resources for another stack--the stack ID of the direct parent of this stack.
+
+`root_id`
+: For nested stacks--stacks created as resources for another stack--the stack ID of the top-level stack to which the nested stack ultimately belongs.
+
+## Examples
+
+Request the names of all CloudFormation stacks, then test in-depth using the aws_cloudformation_stack resource:
+
+```ruby
+aws_cloudformation_stacks.names.each do |stack|
+ describe aws_cloudformation_stack(stack_name: stack) do
+ it { should exist }
+ its ('notification_arns') { should_not be_empty}
+ its ('stack_status') { should eq 'CREATE_COMPLETE' }
+ end
+end
+```
+
+Request the names of all CloudFormation stacks created at a certain time, then test in-depth using the aws_cloudformation_stack resource:
+
+```ruby
+aws_cloudformation_stacks.where(creation_time: 'creation time') do |stack|
+ describe aws_cloudformation_stack(stack) do
+ it { should exist }
+ end
+end
+```
+
+## Matchers
+
+{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}}
+
+This resource has the following special matchers.
+
+### exist
+
+The control will pass if the describe returns at least one result.
+
+```ruby
+describe aws_cloudformation_stacks do
+ it { should exist }
+end
+```
+
+Use `should_not` to test that an entity should not exist.
+
+```ruby
+describe aws_cloudformation_stacks do
+ it { should_not exist }
+end
+```
+
+## AWS Permissions
+
+{{% inspec-aws/aws_permissions_principal action="CloudFormation:Client:DescribeStacksOutput" %}}
+
+You can find detailed documentation at [Authentication and Access Control for CloudFormation](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/Welcome.html)
diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_cloudformation_template.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_cloudformation_template.md
new file mode 100644
index 0000000..6950635
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_cloudformation_template.md
@@ -0,0 +1,221 @@
++++
+title = "aws_cloudformation_template resource"
+
+draft = false
+
+
+[menu.aws]
+title = "aws_cloudformation_template"
+identifier = "inspec/resources/aws/aws_cloudformation_template resource"
+parent = "inspec/resources/aws"
++++
+
+Use the `aws_cloudformation_template` InSpec audit resource to test a single AWS CloudFormation template.
+
+The above resource returns information about a new or existing template.
+
+For additional information, including details on parameters and properties, see the [AWS documentation on AWS CloudFormation templates](https://aws.amazon.com/cloudformation/resources/templates/).
+
+## Syntax
+
+Ensure that the template exists by passing the `stack_name` parameter.
+
+```ruby
+describe aws_cloudformation_template(stack_name: 'STACK_NAME') do
+ it { should exist }
+end
+```
+
+Ensure that the template exists by passing the `stack_set_name` parameter.
+
+```ruby
+describe aws_cloudformation_template(stack_set_name: 'STACK_SET_NAME') do
+ it { should exist }
+end
+```
+
+Ensure that the template exists by passing the `template_url` parameter.
+
+```ruby
+describe aws_cloudformation_template(template_url: 'TEMPLATE_URL') do
+ it { should exist }
+end
+```
+
+Ensure that the template exists by passing the `template_body` parameter.
+
+```ruby
+describe aws_cloudformation_template(template_body: 'TEMPLATE_BODY') do
+ it { should exist }
+end
+```
+
+## Parameters
+
+: This resource requires one of the following parameters.
+ It must be passed as a `PARAMETER: 'PARAMETER_VALUE'` key-value entry in a hash.
+
+`stack_name` _(required if another parameter not provided)_
+
+: The name or the stack ID that is associated with the stack, which are not always interchangeable.
+
+`stack_set_name` _(required if another parameter not provided)_
+
+: The name or unique ID of the stack set from which the stack was created.
+
+`template_url` _(required if another parameter not provided)_
+
+: Location of file containing the template body. The URL must point to a template (max size: 460,800 bytes) that is located in an Amazon S3 bucket.
+
+`template_body` _(required if another parameter not provided)_
+
+: Structure containing the template body with a minimum length of 1 byte and a maximum length of 51,200 bytes.
+
+## Properties
+
+`parameter_keys`
+: The name that is associated with the parameter.
+
+`default_values`
+: The default value of the parameter.
+
+`parameter_types`
+: The type of parameter.
+
+`no_echos`
+: Flag that indicates whether the parameter value is shown as plain text in logs and in the AWS Management Console.
+
+`descriptions`
+: The description that is associate with the parameter.
+
+`parameter_constraints_allowed_values`
+: A list of values that are permitted for a parameter.
+
+`description`
+: The value that is defined in the Description property of the template.
+
+`capabilities`
+: The capabilities found within the template.
+
+`capabilities_reason`
+: The list of resources that generated the values in the Capabilities response element.
+
+`resource_types`
+: A list of all the template resource types that are defined in the template, such as `AWS::EC2::Instance`, `AWS::Dynamo::Table`, and `Custom::MyCustomInstance`.
+
+`version`
+: The AWS template format version, which identifies the capabilities of the template.
+
+`metadata`
+: The value that is defined for the Metadata property of the template.
+
+`declared_transforms`
+: A list of the transforms that are declared in the template.
+
+`resource_types(resource_identifier_summaries)`
+: The resource types of the resource identifier summaries.
+
+`logical_resource_ids`
+: The logical resource id of the resource identifier summaries.
+
+`resource_identifiers`
+: The resource identifier of the resource identifier summaries.
+
+`template_body`
+: The structure that contains the body of the template. The `stack_name` must be passed as a parameter to access this property.
+
+## Examples
+
+Ensure that the parameter keys exists by passing the required parameter `stack_name`:
+
+```ruby
+describe aws_cloudformation_template(stack_name: 'STACK_NAME') do
+ its('parameter_keys') {should include 'HttpsCACertificates' }
+ end
+```
+
+Ensure that the parameter keys exists by passing the required parameter `template_url`:
+
+```ruby
+describe aws_cloudformation_template(template_url: 'TEMPLATE_URL') do
+ its('parameter_keys') {should include 'HttpsCACertificates' }
+end
+```
+
+Ensure that the resource_types exists by passing the required parameter `stack_name`:
+
+```ruby
+describe aws_cloudformation_template(stack_name: 'STACK_NAME') do
+ its('resource_types') {should include 'AWS::EC2::Instance' }
+ end
+```
+
+Ensure that the resource_types exists by passing the required parameter `template_url`:
+
+```ruby
+describe aws_cloudformation_template(template_url: 'TEMPLATE_URL') do
+ its('resource_types') {should include 'AWS::EC2::Instance' }
+end
+```
+
+## Matchers
+
+{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}}
+
+This resource has the following special matchers.
+
+### exist
+
+Use `should` to test that the entity exists by passing the required parameter `stack_name`.
+
+```ruby
+describe aws_cloudformation_template(stack_name: 'STACK_NAME') do
+ it { should exist }
+end
+```
+
+Use `should` to test that the entity exists by passing the required parameter `template_url`.
+
+```ruby
+describe aws_cloudformation_template(template_url: 'TEMPLATE_URL') do
+ it { should exist }
+end
+```
+
+Use `should_not` to test that the entity exists by passing the required parameter `stack_name`.
+
+```ruby
+describe aws_cloudformation_template(stack_name: 'STACK_NAME') do
+ it { should_not exist }
+end
+```
+
+Use `should_not` to test that the entity exists by passing the required parameter `template_url`.
+
+```ruby
+describe aws_cloudformation_template(template_url: 'TEMPLATE_URL') do
+ it { should_not exist }
+end
+```
+
+### be_available
+
+Use `should` to test that the entity is available by passing the required parameter `stack_name`.
+
+```ruby
+describe aws_cloudformation_template(stack_name: 'STACK_NAME') do
+ it { should be_available }
+end
+```
+
+Use `should` to test that the entity is available by passing the required parameter `template_url`.
+
+```ruby
+describe aws_cloudformation_template(template_url: 'TEMPLATE_URL') do
+ it { should be_available }
+end
+```
+
+## AWS Permissions
+
+{{% inspec-aws/aws_permissions_principal action="CloudFormation:Client:GetTemplateSummaryOutput" %}}
diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_cloudfront_cache_policies.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_cloudfront_cache_policies.md
new file mode 100644
index 0000000..54a1eb3
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_cloudfront_cache_policies.md
@@ -0,0 +1,117 @@ ++++ +title = "aws_cloudfront_cache_policies resource" + +draft = false + + +[menu.aws] +title = "aws_cloudfront_cache_policies" +identifier = "inspec/resources/aws/aws_cloudfront_cache_policies resource" +parent = "inspec/resources/aws" ++++ + +Use the `aws_cloudfront_cache_policies` InSpec audit resource to test properties of multiple AWS CloudFront cache policies. + +The `AWS::CloudFront::CachePolicy` resource describes the CloudFront cache policy. + +## Syntax + +Ensure that the custom resource exists. + +```ruby +describe aws_cloudfront_cache_policies do + it { should exist } +end +``` + +## Parameters + +This resource does not require any parameters. + +## Properties + +`types` +: The type for the cache policy. + +: **Field**: `type` + +`ids` +: The unique identifier for the cache policy. + +: **Field**: `id` + +`last_modified_times` +: The date and time when the cache policy was last modified. + +: **Field**: `last_modified_time` + +`comments` +: A comment to describe the cache policy. + +: **Field**: `comment` + +`names` +: A unique name to identify the cache policy. + +: **Field**: `name` + +`default_ttls` +: The default amount of time, in seconds, that you want objects to stay in the CloudFront cache before CloudFront sends another request to the origin to see if the object has been updated. + +: **Field**: `default_ttl` + +`max_ttls` +: The maximum amount of time, in seconds, that objects stay in the CloudFront cache before CloudFront sends another request to the origin to see if the object has been updated. + +: **Field**: `max_ttl` + +`min_ttls` +: The minimum amount of time, in seconds, that you want objects to stay in the CloudFront cache before CloudFront sends another request to the origin to see if the object has been updated. 
+ +: **Field**: `min_ttl` + +## Examples + +Test that an ID is available: + +```ruby +describe aws_cloudfront_cache_policies do + its('ids') { should include 'ID' } +end +``` + +Verify the maximum TTL of the policy: + +```ruby +describe aws_cloudfront_cache_policies do + its('max_ttls') { should include 1 } +end +``` + +## Matchers + +{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}} + +The controls will pass if the `list` method returns at least one result. + +### exist + +Use `should` to test that the entity exists. + +```ruby +describe aws_cloudfront_cache_policies do + it { should exist } +end +``` + +Use `should_not` to test the entity does not exist. + +```ruby +describe aws_cloudfront_cache_policies do + it { should_not exist } +end +``` + +## AWS Permissions + +{{% inspec-aws/aws_permissions_principal action="CloudFront:Client:ListCachePoliciesResult" %}} diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_cloudfront_cache_policy.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_cloudfront_cache_policy.md new file mode 100644 index 0000000..16f2464 --- /dev/null +++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_cloudfront_cache_policy.md 
@@ -0,0 +1,145 @@ ++++ +title = "aws_cloudfront_cache_policy resource" + +draft = false + + +[menu.aws] +title = "aws_cloudfront_cache_policy" +identifier = "inspec/resources/aws/aws_cloudfront_cache_policy resource" +parent = "inspec/resources/aws" ++++ + +Use the `aws_cloudfront_cache_policy` InSpec audit resource to test properties of a single specific AWS CloudFront cache policy. + +The `AWS::CloudFront::CachePolicy` resource describes the CloudFront cache policy. + +## Syntax + +Ensure that the custom resource exists. + +```ruby +describe aws_cloudfront_cache_policy(id: 'ID') do + it { should exist } +end +``` + +## Parameters + +`id` _(required)_ + +: The unique identifier for the cache policy. + + For additional information, see the [AWS CloudFormation cache policy documentation](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-cloudfront-cachepolicy.html). + +## Properties + +`id` +: The unique identifier for the cache policy. + +`last_modified_time` +: The date and time when the cache policy was last modified. + +`cache_policy_config.comment` +: A comment to describe the cache policy. + +`cache_policy_config.name` +: A unique name to identify the cache policy. + +`cache_policy_config.default_ttl` +: The default amount of time, in seconds, that you want objects to stay in the CloudFront cache before CloudFront sends another request to the origin to see if the object has been updated. + +`cache_policy_config.max_ttl` +: The maximum amount of time, in seconds, that objects stay in the CloudFront cache before CloudFront sends another request to the origin to see if the object has been updated. + +`cache_policy_config.min_ttl` +: The minimum amount of time, in seconds, that you want objects to stay in the CloudFront cache before CloudFront sends another request to the origin to see if the object has been updated. 
+ +`cache_policy_config.parameters_in_cache_key_and_forwarded_to_origin.enable_accept_encoding_gzip` +: A flag that can affect whether the Accept-Encoding HTTP header is included in the cache key and included in requests that CloudFront sends to the origin. + +`cache_policy_config.parameters_in_cache_key_and_forwarded_to_origin.enable_accept_encoding_brotli` +: A flag that can affect whether the Accept-Encoding HTTP header is included in the cache key and included in requests that CloudFront sends to the origin. + +`cache_policy_config.parameters_in_cache_key_and_forwarded_to_origin.headers_config.header_behavior` +: Determines whether any HTTP headers are included in the cache key and automatically included in requests that CloudFront sends to the origin. + +`cache_policy_config.parameters_in_cache_key_and_forwarded_to_origin.headers_config.headers.quantity` +: The number of header names in the Items list. + +`cache_policy_config.parameters_in_cache_key_and_forwarded_to_origin.headers_config.headers.items` +: A list of HTTP header names. + +`cache_policy_config.parameters_in_cache_key_and_forwarded_to_origin.cookies_config.cookie_behavior` +: Determines whether any cookies in viewer requests are included in the cache key and automatically included in requests that CloudFront sends to the origin. + +`cache_policy_config.parameters_in_cache_key_and_forwarded_to_origin.cookies_config.cookies.quantity` +: The number of cookie names in the Items list. + +`cache_policy_config.parameters_in_cache_key_and_forwarded_to_origin.cookies_config.cookies.items` +: A list of cookie names. + +`cache_policy_config.parameters_in_cache_key_and_forwarded_to_origin.query_strings_config.query_string_behavior` +: Determines whether any URL query strings in viewer requests are included in the cache key and automatically included in requests that CloudFront sends to the origin. 
+ +`cache_policy_config.parameters_in_cache_key_and_forwarded_to_origin.query_strings_config.query_strings.quantity` +: The number of query string names in the Items list. + +`cache_policy_config.parameters_in_cache_key_and_forwarded_to_origin.query_strings_config.query_strings.items` +: A list of query string names. + +## Examples + +Ensure a ID is available: + +```ruby +describe aws_cloudfront_cache_policy(id: 'ID') do + its('id') { should eq 'ID' } +end +``` + +Verify the max TTL of the policy: + +```ruby +describe aws_cloudfront_cache_policy(id: 'ID') do + its('cache_policy_config.max_ttl') { should eq 1 } +end +``` + +## Matchers + +{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}} + +This resource has the following special matchers. + +### exist + +Use `should` to test that the entity exists. + +```ruby +describe aws_cloudfront_cache_policy(id: 'ID') do + it { should exist } +end +``` + +Use `should_not` to test the entity does not exist. + +```ruby +describe aws_cloudfront_cache_policy(id: 'ID') do + it { should_not exist } +end +``` + +### be_available + +Use `should` to check if the entity is available. + +```ruby +describe aws_cloudfront_cache_policy(id: 'ID') do + it { should be_available } +end +``` + +## AWS Permissions + +{{% inspec-aws/aws_permissions_principal action="CloudFront:Client:GetCachePolicyResult" %}} diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_cloudfront_distribution.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_cloudfront_distribution.md new file mode 100644 index 0000000..f1acc07 --- /dev/null +++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_cloudfront_distribution.md 
@@ -0,0 +1,192 @@ ++++ +title = "aws_cloudfront_distribution resource" + +draft = false + + +[menu.aws] +title = "aws_cloudfront_distribution" +identifier = "inspec/resources/aws/aws_cloudfront_distribution resource" +parent = "inspec/resources/aws" ++++ + +Use the `aws_cloudfront_distribution` InSpec audit resource to test the properties of a single AWS CloudFront distribution. + +For additional information, including details on parameters and properties, see the [AWS API reference for CloudFront distributions](https://docs.aws.amazon.com/cloudfront/latest/APIReference/API_distribution.html) documentation. For available SSL/TLS version identifiers, see [OriginSslProtocols](https://docs.aws.amazon.com/cloudfront/latest/APIReference/API_OriginSslProtocols.html) and [AWS::CloudFront::distribution ViewerCertificate](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cloudfront-distribution-viewercertificate.html) documentation. + +## Syntax + +Ensure that an `aws_cloudfront_distribution` exists: + +```ruby +describe aws_cloudfront_distribution('DISTRIBUTION') do + it { should exist } +end +``` + +```ruby +describe aws_cloudfront_distribution(distribution_id: 'DISTRIBUTION') do + it { should exist } +end +``` + +## Parameters + +`distribution_id` _(required)_ + +: The CloudFront distribution ID, which can be passed either as a string or as a `name: 'value'` key-value entry in a hash. + +`disallowed_ssl_protocols` _(optional)_ + +: If provided, this parameter is expected to be an array of strings identifying SSL/TLS protocols that you wish not to allow. + +: Included in the array should be the union of disallowed identifiers for: + +: - custom origin SSL/TLS protocols (currently SSLv3 | TLSv1 | TLSv1.1 | TLSv1.2) + +- identifiers for the minimum SSL/TLS protocol in the Viewer Certificate that CloudFront can use to communicate with viewers (currently SSLv3 | TLSv1 | TLSv1_1026 | TLSv1.1_2016 | TLSv1.2_2018 | TLSv1.2_2019 | TLSv1.2_2021). 
+ +: Newer protocol identification strings (when available) may be provided in the set, as validity is not checked. The default value for disallowed_ssl_protocols is `%w{SSLv3 TLSv1 TLSv1_2016}`. + +`origin_domain_name` _(optional)_ + +: The domain name for the origin. + +: Provide the `origin_domain_name` if you want to validate the `s3_origin_path` property. + +## Properties + +`distribution_id` +: The identifier for the CloudFront distribution. + +`viewer_protocol_policies` +: An array of viewer protocol policies for all caches in this distribution; valid policy names are `allow-all` (which allows HTTP and HTTPS), `https-only` or `redirect-to-https`. + +`custom_origin_ssl_protocols` +: An array containing SSL/TLS protocols allowed by custom origins in this distribution. Empty if there are no custom origins (one or more standard S3 bucket origins). Current valid values are `SSLv3`, `TLSv1`, `TLSv1.1`, `TLSv1.2`. + +`viewer_certificate_minimum_ssl_protocol` +: The minimum SSL/TLS protocol version in the Viewer Certificate. Current valid values: `SSLv3`, `TLSv1`, `TLSv1_2016`, `TLSv1.1_2016`, `TLSv1.2_2018`, `TLSv1.2_2019`, `TLSv1.2_2021`. + +`s3_origin_config` +: `True`: if there are any S3 origin configs in the distribution (i.e. standard S3 bucket origins), else `False`. + +`s3_origin_path` +: The S3 origin path if `origin_domain_name` is specified in the resource parameters. + +`s3_origin_access` +: The origin access identity for s3 origin config. + +`access_logging` +: Access logging for CloudFront distribution. + +`ssl_certificate` +: The viewer certificate certificate source of CloudFront distribution. 
+ +## Examples + +Test that a CloudFront distribution has secure protocols configured: + +```ruby +describe aws_cloudfront_distribution('DISTRIBUTION_ID') do + its('viewer_certificate_minimum_ssl_protocol') { should_not match /SSLv3|TLSv1$|TLSv1_2016/ } + its('viewer_protocol_policies') { should_not include 'allow-all' } + {SSLv3 TLSv1}.each do |protocol| + its('custom_origin_ssl_protocols') { should_not include protocol } + end +end +``` + +## Matchers + +{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}} + +This resource has the following special matchers. + +### have_viewer_protocol_policies_allowing_http + +The `have_viewer_protocol_policies_allowing_http` matcher tests if any of the caches for origins, including the default cache, has its viewer_protocol_policy set to 'allow-all'. + +```ruby +it { should_not have_viewer_protocol_policies_allowing_http } +``` + +### have_disallowed_custom_origin_ssl_protocols + +The `have_disallowed_custom_origin_ssl_protocols` matcher tests whether any of the SSL/TLS protocols defined in the ssl_protocols for all custom origins in the distribution are present in the `disallowed_ssl_protocols` parameter (if provided), or in the default disallowed SSL/TLS protocol list (if not). + +```ruby +it { should_not have_disallowed_custom_origin_ssl_protocols } +``` + +### have_disallowed_viewer_certificate_minimum_ssl_protocol + +The `have_disallowed_viewer_minimum_ssl_protocol` matcher tests whether the minimum SSL/TLS protocol for the distribution's Viewer Certificate is in the `disallowed_ssl_protocols` parameter (if provided), or in the default disallowed SSL/TLS protocol list (if not). + +```ruby +it { should_not have_disallowed_viewer_certificate_minimum_ssl_protocol } +``` + +### have_s3_origin_configs + +The `have_s3_origin_configs` matcher tests whether the distribution has a non-nil s3_origin_configs setting in any of its origins. 
+ +```ruby +it { should_not have_s3_origin_configs } +``` + +### have_access_logging_enabled + +The `have_access_logging_enabled` matcher tests whether the distribution has access logging enabled. + +```ruby +it { should have_access_logging_enabled } +``` + +### exist + +The control will pass if the describe returns at least one result. + +```ruby +describe aws_cloudfront_distribution('EXISTING_DISTRIBUTION_ID') do + it { should exist } +end +``` + +Use `should_not` to test the entity should not exist. + +```ruby +describe cloudfront_distribution('NONEXISTING_DISTRIBUTION_ID') do + it { should_not exist } +end +``` + +### s3_origin_path + +Use `s3_origin_path` to return an origin path for the specified origin domain name if the origin path is configured, otherwise it returns an empty string. + +```ruby +describe aws_cloudfront_distribution(distribution_id: 'DISTRIBUTION_ID', origin_domain_name: 'ORIGIN_DOMAIN_NAME') do + its ('s3_origin_path') { should include '/next' } +end +``` + +```ruby +describe aws_cloudfront_distribution(distribution_id: 'DISTRIBUTION_ID', origin_domain_name: 'ORIGIN_DOMAIN_NAME') do + its ('s3_origin_path') { should include '/release' } +end +``` + +For the default origin path: + +```ruby +describe aws_cloudfront_distribution(distribution_id: 'DISTRIBUTION_ID', origin_domain_name: 'ORIGIN_DOMAIN_NAME') do + its ('s3_origin_path') { should include '' } +end +``` + +## AWS Permissions + +{{% inspec-aws/aws_permissions_principal action="CloudFront:Client:GetDistributionResult" %}} + +You can find detailed documentation at [Identity and Access Management (IAM) in CloudFront](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/auth-and-access-control.html). diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_cloudfront_distributions.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_cloudfront_distributions.md new file mode 100644 index 0000000..e140423 --- /dev/null 
+++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_cloudfront_distributions.md 
@@ -0,0 +1,112 @@ ++++ +title = "aws_cloudfront_distributions resource" + +draft = false + + +[menu.aws] +title = "aws_cloudfront_distributions" +identifier = "inspec/resources/aws/aws_cloudfront_distributions resource" +parent = "inspec/resources/aws" ++++ + +Use the `aws_cloudfront_distributions` InSpec audit resource to test the properties of a collection of an AWS CloudFront distributions. + +For additional information, including details on parameters and properties, see the [AWS API reference for CloudFront distributions](https://docs.aws.amazon.com/cloudfront/latest/APIReference/API_distribution.html). + +## Syntax + +Ensure that a particular CloudFront distribution exists in `aws_cloudfront_distributions`: + +```ruby +describe aws_cloudfront_distributions do + its('distribution_ids') { should include 'DISTRIBUTION_ID' } +end +``` + +## Parameters + +This resource does not require any parameters. + +## Properties + +`distribution_ids` +: The names of the CloudFront distributions. + +`distribution_arns` +: The Amazon Resource Name (ARN) of the CloudFront distributions. + +`statuses` +: The statuses of the CloudFront distributions (`InProgress` or `Deployed`). + +`domain_names` +: The domain names for the CloudFront distributions. + +`origin_domains_names` +: The domain names for the CloudFront distributions' origins (an array for each distribution). + +`default_cache_viewer_protocol_policies` +: The viewer protocol policy for the default cache for each of the CloudFront distributions. Values: `http-only`, `redirect-to-https` or `allow-all`. + +`cache_viewer_protocol_policies` +: The viewer protocol policy for all non-default caches for each of the CloudFront distributions (an array for each distribution). Values: `http-only`, `redirect-to-https` or `allow-all`. There may be an empty array for a distribution if no non-default caches are present. 
+ +`custom_origin_ssl_protocols` +: An array for each CloudFront distribution containing SSL/TLS protocols allowed by all of the custom origins in that distribution, empty where no custom origins exist for a distribution. Current SSL/TLS protocol identifiers: `SSLv3`, `TLSv1`, `TLSv1_1026`, `TLSv1.1_2016`, `TLSv1.2_2018`, `TLSv1.2_2019` and `TLSv1.2_2021`. + +`s3_origin_config` +: Booleans indicating whether there are any S3 origin configs in a particular distribution (non-custom S3 bucket origins). + +`price_classes` +: The price classes for distributions, which corresponds with the maximum price that you want to pay for CloudFront service. Valid Values: `PriceClass_100`, `PriceClass_200`, `PriceClass_All`. + +`enabled` +: Booleans indicating whether the distributions are enabled. + +`viewer_certificate_ssl_support_methods` +: The SSL support methods for Viewer Certificates for the distributions, only set for distributions with aliases. Valid values: `sni-only`, `vip` or `static-ip`. + +`viewer_certificate_minimum_ssl_protocols` +: The minimum SSL/TLS protocol allowed by the Viewer Certificate in each distribution. Current valid values: `SSLv3`, `TLSv1`, `TLSv1_2016`, `TLSv1.1_2016`, `TLSv1.2_2018`, `TLSv1.2_2019`, `TLSv1.2_2021`. + +`http_versions` +: The maximum HTTP versions that viewers may to use to communicate with CloudFront distributions. Valid values: `http1.1` or `http2`. + +`ipv6_enabled` +: Booleans indicating whether IPv6 is enabled for CloudFront distributions. 
+ +## Examples + +Test that a particular CloudFront distribution exists, and that no cache viewer protocol policies allow HTTP: + +```ruby +describe aws_cloudfront_distributions do + its('distribution_ids') { should include 'DISTRIBUTION_ID' } + its('default_cache_viewer_protocol_policies') { should_not include 'allow-all' } + its('cache_viewer_protocol_policies') { should_not include 'allow-all' } +end +``` + +## Matchers + +{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}} + +This resource has the following special matchers. + +### exist + +The control will pass if the describe returns at least one result. + +Use `should_not` to test the entity should not exist. + +```ruby +describe aws_cloudfront_distributions do + it { should exist } +end +``` + +## AWS Permissions + +{{% inspec-aws/aws_permissions_principal action="CloudFront:Client:ListDistributionsResult" %}} + +You can find detailed documentation at [Identity and Access Management (IAM) in CloudFront](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/auth-and-access-control.html). diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_cloudfront_key_group.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_cloudfront_key_group.md new file mode 100644 index 0000000..bcd1a88 --- /dev/null +++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_cloudfront_key_group.md 
@@ -0,0 +1,104 @@ ++++ +title = "aws_cloudfront_key_group resource" + +draft = false + + +[menu.aws] +title = "aws_cloudfront_key_group" +identifier = "inspec/resources/aws/aws_cloudfront_key_group resource" +parent = "inspec/resources/aws" ++++ + +Use the `aws_cloudfront_key_group` InSpec audit resource to test properties of a single AWS CloudFront key group. + +For additional information, including details on parameters and properties, see the [AWS documentation on AWS CloudFront key group.](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cloudfront-keygroup.html). + +## Syntax + +Ensure that the key group exists. + +```ruby +describe aws_cloudfront_key_group(id: "ID") do + it { should exist } +end +``` + +## Parameters + +`id` _(required)_ + +: The identifier for the key group. + +## Properties + +`id` +: The identifier for the key group. + +`last_modified_time` +: The date and time when the key group was last modified. + +`key_group_config.name` +: A name to identify the key group. + +`key_group_config.items` +: A list of the identifiers of the public keys in the key group. + +`key_group_config.comment` +: A comment to describe the key group. The comment cannot be longer than 128 characters. + +## Examples + +Ensure an ID is available: + +```ruby +describe aws_cloudfront_key_group(id: "ID") do + its('id') { should eq 'ID' } +end +``` + +Ensure that the key group name is available: + +```ruby +describe aws_cloudfront_key_group(id: "ID") do + its('key_group_config.name') { should eq 'KEY_GROUP_NAME' } +end +``` + +## Matchers + +{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}} + +This resource has the following special matchers. + +### exist + +Use `should` to test that the entity exists. + +```ruby +describe aws_cloudfront_key_group(id: "ID") do + it { should exist } +end +``` + +Use `should_not` to test the entity does not exist. 
+ +```ruby +describe aws_cloudfront_key_group(id: "ID") do + it { should_not exist } +end +``` + +### be_available + +Use `should` to check if the entity is available. + +```ruby +describe aws_cloudfront_key_group(id: "ID") do + it { should be_available } +end +``` + +## AWS Permissions + +{{% inspec-aws/aws_permissions_principal action="CloudFront:Client:GetKeyGroupResult" %}} diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_cloudfront_key_groups.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_cloudfront_key_groups.md new file mode 100644 index 0000000..b28ff32 --- /dev/null +++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_cloudfront_key_groups.md 
@@ -0,0 +1,102 @@ ++++ +title = "aws_cloudfront_key_groups resource" + +draft = false + + +[menu.aws] +title = "aws_cloudfront_key_groups" +identifier = "inspec/resources/aws/aws_cloudfront_key_groups resource" +parent = "inspec/resources/aws" ++++ + +Use the `aws_cloudfront_key_groups` InSpec audit resource to test properties of multiple AWS CloudFront key groups. + +For additional information, including details on parameters and properties, see the [AWS documentation on AWS CloudFront key group.](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cloudfront-keygroup.html). + +## Syntax + +Ensure that the key group exists. + +```ruby +describe aws_cloudfront_key_groups do + it { should exist } +end +``` + +## Parameters + +This resource does not require any parameters. + +## Properties + +`ids` +: The identifier for the key group. + +: **Field**: `id` + +`last_modified_times` +: The date and time when the key group was last modified. + +: **Field**: `last_modified_time` + +`names` +: A name to identify the key group. + +: **Field**: `name` + +`items` +: A list of the identifiers of the public keys in the key group. + +: **Field**: `items` + +`comments` +: A comment to describe the key group. The comment cannot be longer than 128 characters. + +: **Field**: `comment` + +## Examples + +Ensure an ID is available: + +```ruby +describe aws_cloudfront_key_groups do + its('ids') { should include 'ID' } +end +``` + +Ensure that the key group name is available: + +```ruby +describe aws_cloudfront_key_groups do + its('names') { should include 'KEY_GROUP_NAME' } +end +``` + +## Matchers + +{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}} + +The controls will pass if the `list` method returns at least one result. + +### exist + +Use `should` to test that the entity exists. + +```ruby +describe aws_cloudfront_key_groups do + it { should exist } +end +``` + +Use `should_not` to test that an entity does not exist. 
+ +```ruby +describe aws_cloudfront_key_groups do + it { should_not exist } +end +``` + +## AWS Permissions + +{{% inspec-aws/aws_permissions_principal action="CloudFront:Client:ListKeyGroupsResult" %}} diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_cloudfront_origin_access_identities.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_cloudfront_origin_access_identities.md new file mode 100644 index 0000000..d2bae47 --- /dev/null +++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_cloudfront_origin_access_identities.md 
@@ -0,0 +1,99 @@ ++++ +title = "aws_cloudfront_origin_access_identities resource" + +draft = false + + +[menu.aws] +title = "aws_cloudfront_origin_access_identities" +identifier = "inspec/resources/aws/aws_cloudfront_origin_access_identities resource" +parent = "inspec/resources/aws" ++++ + +Use the `aws_cloudfront_origin_access_identities` InSpec audit resource to test properties of multiple AWS CloudFront origin access identities. + +An origin access identity is a special CloudFront user that you can associate with Amazon S3 origins, so that you can secure all or just some of your Amazon S3 content. + +For additional information, including details on parameters and properties, see the [AWS documentation on AWS CloudFront CloudFrontOriginAccessIdentity.](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cloudfront-cloudfrontoriginaccessidentity.html). + +## Syntax + +Ensure that the identity exists. + +```ruby +describe aws_cloudfront_origin_access_identities do + it { should exist } +end +``` + +## Parameters + +This resource does not require any parameters. + +## Properties + +`ids` +: The ID for the origin access identity. + +: **Field**: `id` + +`s3_canonical_user_ids` +: The Amazon S3 canonical user ID for the origin access identity, used when giving the origin access identity read permission to an object in Amazon S3. + +: **Field**: `s3_canonical_user_id` + +`caller_references` +: A unique value (for example, a date-time stamp) that ensures that the request can't be replayed. + +: **Field**: `caller_reference` + +`comments` +: A comment to describe the origin access identity. 
+ +: **Field**: `comment` + +## Examples + +Test that an ID is available: + +```ruby +describe aws_cloudfront_origin_access_identities do + its('ids') { should include 'ID' } +end +``` + +Test that an s3 canonical user ID is available: + +```ruby +describe aws_cloudfront_origin_access_identities do + its('s3_canonical_user_ids') { should include 'S3_CANONICAL_USER_ID' } +end +``` + +## Matchers + +{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}} + +The controls will pass if the `list` method returns at least one result. + +### exist + +Use `should` to test that the entity exists. + +```ruby +describe aws_cloudfront_origin_access_identities do + it { should exist } +end +``` + +Use `should_not` to test the entity does not exist. + +```ruby +describe aws_cloudfront_origin_access_identities do + it { should_not exist } +end +``` + +## AWS Permissions + +{{% inspec-aws/aws_permissions_principal action="CloudFront:Client:ListCloudFrontOriginAccessIdentitiesResult" %}} diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_cloudfront_origin_access_identity.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_cloudfront_origin_access_identity.md new file mode 100644 index 0000000..af9b343 --- /dev/null +++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_cloudfront_origin_access_identity.md 
@@ -0,0 +1,103 @@ ++++ +title = "aws_cloudfront_origin_access_identity resource" + +draft = false + + +[menu.aws] +title = "aws_cloudfront_origin_access_identity" +identifier = "inspec/resources/aws/aws_cloudfront_origin_access_identity resource" +parent = "inspec/resources/aws" ++++ + +Use the `aws_cloudfront_origin_access_identity` InSpec audit resource to test properties of a single specific AWS CloudFront origin access identity. + +An origin access identity is a special CloudFront user that you can associate with Amazon S3 origins, so that you can secure all or just some of your Amazon S3 content. + +For additional information, including details on parameters and properties, see the [AWS documentation on AWS CloudFront CloudFrontOriginAccessIdentity.](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cloudfront-cloudfrontoriginaccessidentity.html). + +## Syntax + +Ensure that the identity exists. + +```ruby +describe aws_cloudfront_origin_access_identity(id: 'ID') do + it { should exist } +end +``` + +## Parameters + +`id` _(required)_ + +: The ID for the origin access identity. + +## Properties + +`id` +: The ID for the origin access identity. + +`s3_canonical_user_id` +: The Amazon S3 canonical user ID for the origin access identity, used when giving the origin access identity read permission to an object in Amazon S3. + +`cloud_front_origin_access_identity_config.caller_reference` +: A unique value (for example, a date-time stamp) that ensures that the request can't be replayed. + +`cloud_front_origin_access_identity_config.comment` +: A comment to describe the origin access identity. 
+ +## Examples + +Test that an ID is available: + +```ruby +describe aws_cloudfront_origin_access_identity(id: 'ID') do + its('id') { should eq 'ID' } +end +``` + +Test that an s3 canonical user ID is available: + +```ruby +describe aws_cloudfront_origin_access_identity(id: 'ID') do + its('s3_canonical_user_id') { should eq 'S3_CANONICAL_USER_ID' } +end +``` + +## Matchers + +{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}} + +This resource has the following special matchers. + +### exist + +Use `should` to test that the entity exists. + +```ruby +describe aws_cloudfront_origin_access_identity(id: 'ID') do + it { should exist } +end +``` + +Use `should_not` to test the entity does not exist. + +```ruby +describe aws_cloudfront_origin_access_identity(id: 'ID') do + it { should_not exist } +end +``` + +### be_available + +Use `should` to check if the entity is available. + +```ruby +describe aws_cloudfront_origin_access_identity(id: 'ID') do + it { should be_available } +end +``` + +## AWS Permissions + +{{% inspec-aws/aws_permissions_principal action="CloudFront:Client:GetCloudFrontOriginAccessIdentityResult" %}} diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_cloudfront_origin_request_policy.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_cloudfront_origin_request_policy.md new file mode 100644 index 0000000..8a4bd61 --- /dev/null +++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_cloudfront_origin_request_policy.md 
@@ -0,0 +1,128 @@
++++
+title = "aws_cloudfront_origin_request_policy resource"
+
+draft = false
+
+
+[menu.aws]
+title = "aws_cloudfront_origin_request_policy"
+identifier = "inspec/resources/aws/aws_cloudfront_origin_request_policy resource"
+parent = "inspec/resources/aws"
++++
+
+Use the `aws_cloudfront_origin_request_policy` InSpec audit resource to test properties of a single specific AWS CloudFront origin request policy.
+
+For additional information, including details on parameters and properties, see the [AWS documentation on AWS CloudFront origin request policy.](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cloudfront-originrequestpolicy.html).
+
+## Syntax
+
+Ensure that the origin request policy exists.
+
+```ruby
+describe aws_cloudfront_origin_request_policy(id: 'ID') do
+ it { should exist }
+end
+```
+
+## Parameters
+
+`id` _(required)_
+
+: The unique identifier for the origin request policy.
+
+## Properties
+
+`id`
+: The unique identifier for the origin request policy.
+
+`last_modified_time`
+: The date and time when the origin request policy was last modified.
+
+`origin_request_policy_config.comment`
+: A comment to describe the origin request policy.
+
+`origin_request_policy_config.name`
+: A unique name to identify the origin request policy.
+
+`origin_request_policy_config.headers_config.header_behavior`
+: Determines whether any HTTP headers are included in requests that CloudFront sends to the origin.
+
+`origin_request_policy_config.headers_config.headers.quantity`
+: The number of header names in the Items list.
+
+`origin_request_policy_config.headers_config.headers.items`
+: A list of HTTP header names.
+
+`origin_request_policy_config.cookies_config.cookie_behavior`
+: Determines whether cookies in viewer requests are included in requests that CloudFront sends to the origin.
+
+`origin_request_policy_config.cookies_config.cookies.quantity`
+: The number of cookie names in the Items list.
+
+`origin_request_policy_config.cookies_config.cookies.items`
+: A list of cookie names.
+
+`origin_request_policy_config.query_strings_config.query_string_behavior`
+: Determines whether any URL query strings in viewer requests are included in requests that CloudFront sends to the origin.
+
+`origin_request_policy_config.query_strings_config.query_strings.quantity`
+: The number of query string names in the Items list.
+
+`origin_request_policy_config.query_strings_config.query_strings.items`
+: A list of query string names.
+
+## Examples
+
+Test that an ID is available:
+
+```ruby
+describe aws_cloudfront_origin_request_policy(id: 'ID') do
+ its('id') { should eq 'ID' }
+end
+```
+
+Verify the number of cookies:
+
+```ruby
+describe aws_cloudfront_origin_request_policy(id: 'ID') do
+ its('origin_request_policy_config.cookies_config.cookies.quantity') { should eq 1 }
+end
+```
+
+## Matchers
+
+{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}}
+
+This resource has the following special matchers.
+
+### exist
+
+Use `should` to test that the entity exists.
+
+```ruby
+describe aws_cloudfront_origin_request_policy(id: 'ID') do
+ it { should exist }
+end
+```
+
+Use `should_not` to test the entity does not exist.
+
+```ruby
+describe aws_cloudfront_origin_request_policy(id: 'ID') do
+ it { should_not exist }
+end
+```
+
+### be_available
+
+Use `should` to check if the entity is available.
+
+```ruby
+describe aws_cloudfront_origin_request_policy(id: 'ID') do
+ it { should be_available }
+end
+```
+
+## AWS Permissions
+
+{{% inspec-aws/aws_permissions_principal action="CloudFront:Client:GetOriginRequestPolicyResult" %}}
diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_cloudfront_public_key.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_cloudfront_public_key.md
new file mode 100644
index 0000000..3def0f3
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_cloudfront_public_key.md 
@@ -0,0 +1,109 @@
++++
+title = "aws_cloudfront_public_key resource"
+
+draft = false
+
+
+[menu.aws]
+title = "aws_cloudfront_public_key"
+identifier = "inspec/resources/aws/aws_cloudfront_public_key resource"
+parent = "inspec/resources/aws"
++++
+
+Use the `aws_cloudfront_public_key` InSpec audit resource to test properties of a single AWS CloudFront public key.
+
+The `AWS::CloudFront::PublicKey` resource type creates a public key that you can use with signed URLs and signed cookies, or with field-level encryption.
+
+For additional information, including details on parameters and properties, see the [AWS documentation on AWS Logs public key.](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cloudfront-publickey.html).
+
+## Syntax
+
+Ensure that the public key exists.
+
+```ruby
+describe aws_cloudfront_public_key(id: "PUBLIC_KEY_ID") do
+ it { should exist }
+end
+```
+
+## Parameters
+
+`id` _(required)_
+
+: The identifier of the public key.
+
+## Properties
+
+`id`
+: The identifier of the public key.
+
+`created_time`
+: The date and time when the public key was uploaded.
+
+`public_key_config.caller_reference`
+: A string included in the request to help make sure that the request can’t be replayed.
+
+`public_key_config.name`
+: A name to help identify the public key.
+
+`public_key_config.encoded_key`
+: The public key that you can use with signed URLs and signed cookies , or with field-level encryption.
+
+`public_key_config.comment`
+: A comment to describe the public key. The comment cannot be longer than 128 characters.
+
+## Examples
+
+Ensure a public key ID is available:
+
+```ruby
+describe aws_cloudfront_public_key(id: "PUBLIC_KEY_ID") do
+ its('id') { should eq 'ID' }
+end
+```
+
+Ensure a public key name is available:
+
+```ruby
+describe aws_cloudfront_public_key(id: "PUBLIC_KEY_ID") do
+ its('public_key_config.name') { should eq 'PUBLIC_KEY_NAME' }
+end
+```
+
+## Matchers
+
+{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}}
+
+This resource has the following special matchers.
+
+### exist
+
+Use `should` to test that the entity exists.
+
+```ruby
+describe aws_cloudfront_public_key(id: "PUBLIC_KEY_ID") do
+ it { should exist }
+end
+```
+
+Use `should_not` to test that an entity does not exist.
+
+```ruby
+describe aws_cloudfront_public_key(id: "PUBLIC_KEY_ID") do
+ it { should_not exist }
+end
+```
+
+### be_available
+
+Use `should` to check if the entity is available.
+
+```ruby
+describe aws_cloudfront_public_key(id: "PUBLIC_KEY_ID") do
+ it { should be_available }
+end
+```
+
+## AWS Permissions
+
+{{% inspec-aws/aws_permissions_principal action="CloudFront:Client:GetPublicKeyResult" %}}
diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_cloudfront_public_keys.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_cloudfront_public_keys.md
new file mode 100644
index 0000000..94715df
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_cloudfront_public_keys.md
@@ -0,0 +1,109 @@
++++
+title = "aws_cloudfront_public_keys resource"
+
+draft = false
+
+
+[menu.aws]
+title = "aws_cloudfront_public_keys"
+identifier = "inspec/resources/aws/aws_cloudfront_public_keys resource"
+parent = "inspec/resources/aws"
++++
+
+Use the `aws_cloudfront_public_keys` InSpec audit resource to test properties of multiple AWS CloudFront public keys.
+
+The `AWS::CloudFront::PublicKey` resource type creates a public key that you can use with signed URLs and signed cookies, or with field-level encryption.
+
+For additional information, including details on parameters and properties, see the [AWS documentation on AWS CloudFront public key.](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cloudfront-publickey.html).
+
+## Syntax
+
+Ensure that the public key exists.
+
+```ruby
+describe aws_cloudfront_public_keys do
+ it { should exist }
+end
+```
+
+## Parameters
+
+This resource does not require any parameters.
+
+## Properties
+
+`ids`
+: The identifier of the public key.
+
+: **Field**: `id`
+
+`created_times`
+: The date and time when the public key was uploaded.
+
+: **Field**: `created_time`
+
+`caller_references`
+: A string included in the request to help make sure that the request can’t be replayed.
+
+: **Field**: `caller_reference`
+
+`names`
+: A name to help identify the public key.
+
+: **Field**: `name`
+
+`encoded_keys`
+: The public key that you can use with signed URLs and signed cookies , or with field-level encryption.
+
+: **Field**: `encoded_key`
+
+`comments`
+: A comment to describe the public key. The comment cannot be longer than 128 characters.
+
+: **Field**: `comment`
+
+## Examples
+
+Ensure a public key ID is available:
+
+```ruby
+describe aws_cloudfront_public_keys do
+ its('ids') { should include 'ID' }
+end
+```
+
+Ensure a public key name is available:
+
+```ruby
+describe aws_cloudfront_public_keys do
+ its('names') { should include 'PUBLIC_KEY_NAME' }
+end
+```
+
+## Matchers
+
+{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}}
+
+The controls will pass if the `list` method returns at least one result.
+
+### exist
+
+Use `should` to test that the entity exists.
+
+```ruby
+describe aws_cloudfront_public_keys do
+ it { should exist }
+end
+```
+
+Use `should_not` to test the entity does not exist.
+
+```ruby
+describe aws_cloudfront_public_keys do
+ it { should_not exist }
+end
+```
+
+## AWS Permissions
+
+{{% inspec-aws/aws_permissions_principal action="CloudFront:Client:ListPublicKeysResult" %}}
diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_cloudfront_realtime_log_config.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_cloudfront_realtime_log_config.md
new file mode 100644
index 0000000..31d7f61
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_cloudfront_realtime_log_config.md
@@ -0,0 +1,131 @@
++++
+title = "aws_cloudfront_realtime_log_config resource"
+
+draft = false
+
+
+[menu.aws]
+title = "aws_cloudfront_realtime_log_config"
+identifier = "inspec/resources/aws/aws_cloudfront_realtime_log_config resource"
+parent = "inspec/resources/aws"
++++
+
+Use the `aws_cloudfront_realtime_log_config` InSpec audit resource to test properties of a single specific AWS CloudFront real-time log configuration.
+
+The `AWS::CloudFront::RealtimeLogConfig` resource creates a real-time log configuration.
+
+For additional information, including details on parameters and properties, see the [AWS documentation on AWS CloudFront RealtimeLogConfig.](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cloudfront-realtimelogconfig.html).
+
+## Syntax
+
+Ensure that the config exists.
+
+```ruby
+describe aws_cloudfront_realtime_log_config(name: 'CONFIG_NAME') do
+ it { should exist }
+end
+```
+
+## Parameters
+
+`name` _(required)_
+
+: The unique name of this real-time log configuration.
+
+## Properties
+
+`arn`
+: The Amazon Resource Name (ARN) of this real-time log configuration.
+
+`name`
+: The unique name of this real-time log configuration.
+
+`sampling_rate`
+: The sampling rate for this real-time log configuration.
+
+`end_points`
+: Contains information about the Amazon Kinesis data stream where you are sending real-time log data for this real-time log configuration.
+
+`end_points_stream_types`
+: The type of data stream where you are sending real-time log data. The only valid value is Kinesis.
+
+`end_points_kinesis_stream_config_role_arns`
+: The Amazon Resource Name (ARN) of an Identity and Access Management (IAM) role that CloudFront can use to send real-time log data to your Kinesis data stream.
+
+`end_points_kinesis_stream_config_stream_arns`
+: The Amazon Resource Name (ARN) of the Kinesis data stream where you are sending real-time log data.
+
+`fields`
+: A list of fields that are included in each real-time log record.
+
+## Examples
+
+Ensure an ARN is available:
+
+```ruby
+describe aws_cloudfront_realtime_log_config(name: 'CONFIG_NAME') do
+ its('arn') { should eq 'ARN' }
+end
+```
+
+Ensure a name is available:
+
+```ruby
+describe aws_cloudfront_realtime_log_config(name: 'CONFIG_NAME') do
+ its('name') { should eq 'CONFIG_NAME' }
+end
+```
+
+Ensure a stream type is `Kinesis`:
+
+```ruby
+describe aws_cloudfront_realtime_log_config(name: 'CONFIG_NAME') do
+ its('end_points_stream_types') { should include 'Kinesis' }
+end
+```
+
+Ensure a stream ARN is available:
+
+```ruby
+describe aws_cloudfront_realtime_log_config(name: 'CONFIG_NAME') do
+ its('end_points_kinesis_stream_config_stream_arns') { should include 'STREAM_ARN' }
+end
+```
+
+## Matchers
+
+{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}}
+
+This resource has the following special matchers.
+
+### exist
+
+Use `should` to test that the entity exists.
+
+```ruby
+describe aws_cloudfront_realtime_log_config(name: 'CONFIG_NAME') do
+ it { should exist }
+end
+```
+
+Use `should_not` to test the entity does not exist.
+
+```ruby
+describe aws_cloudfront_realtime_log_config(name: 'CONFIG_NAME') do
+ it { should_not exist }
+end
+```
+
+### be_available
+
+Use `should` to check if the entity is available.
+
+```ruby
+describe aws_cloudfront_realtime_log_config(name: 'CONFIG_NAME') do
+ it { should be_available }
+end
+```
+
+## AWS Permissions
+
+{{% inspec-aws/aws_permissions_principal action="CloudFront:Client:GetRealtimeLogConfigResult" %}}
diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_cloudfront_realtime_log_configs.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_cloudfront_realtime_log_configs.md
new file mode 100644
index 0000000..22317ba
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_cloudfront_realtime_log_configs.md
@@ -0,0 +1,114 @@
++++
+title = "aws_cloudfront_realtime_log_configs resource"
+
+draft = false
+
+
+[menu.aws]
+title = "aws_cloudfront_realtime_log_configs"
+identifier = "inspec/resources/aws/aws_cloudfront_realtime_log_configs resource"
+parent = "inspec/resources/aws"
++++
+
+Use the `aws_cloudfront_realtime_log_configs` InSpec audit resource to test multiple AWS CloudFront real-time log configurations.
+
+The `AWS::CloudFront::RealtimeLogConfig` resource creates a real-time log configuration.
+
+For additional information, including details on parameters and properties, see the [AWS documentation on AWS CloudFront RealtimeLogConfig.](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cloudfront-realtimelogconfig.html).
+
+## Syntax
+
+Ensure that the config exists.
+
+```ruby
+describe aws_cloudfront_realtime_log_configs do
+ it { should exist }
+end
+```
+
+## Parameters
+
+This resource does not require any parameters.
+
+## Properties
+
+`arns`
+: The Amazon Resource Name (ARN) of this real-time log configuration.
+
+: **Field**: `arn`
+
+`names`
+: The unique name of this real-time log configuration.
+
+: **Field**: `name`
+
+`sampling_rates`
+: The sampling rate for this real-time log configuration.
+
+: **Field**: `sampling_rate`
+
+`end_points`
+: Contains information about the Amazon Kinesis data stream where you are sending real-time log data for this real-time log configuration.
+
+: **Field**: `end_points`
+
+`fields`
+: A list of fields that are included in each real-time log record.
+
+: **Field**: `fields`
+
+## Examples
+
+Ensure an ARN is available:
+
+```ruby
+describe aws_cloudfront_realtime_log_configs do
+ its('arns') { should include 'ARN' }
+end
+```
+
+Ensure a name is available:
+
+```ruby
+describe aws_cloudfront_realtime_log_configs do
+ its('names') { should include 'CONFIG_NAME' }
+end
+```
+
+## Matchers
+
+{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}}
+
+The controls will pass if the `list` method returns at least one result.
+
+### exist
+
+Use `should` to test that the entity exists.
+
+```ruby
+describe aws_cloudfront_realtime_log_configs do
+ it { should exist }
+end
+```
+
+Use `should_not` to test the entity does not exist.
+
+```ruby
+describe aws_cloudfront_realtime_log_configs do
+ it { should_not exist }
+end
+```
+
+### be_available
+
+Use `should` to check if the entity is available.
+
+```ruby
+describe aws_cloudfront_realtime_log_configs do
+ it { should be_available }
+end
+```
+
+## AWS Permissions
+
+{{% inspec-aws/aws_permissions_principal action="CloudFront:Client:ListRealtimeLogConfigsResult" %}}
diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_cloudfront_streaming_distribution.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_cloudfront_streaming_distribution.md
new file mode 100644
index 0000000..4ab4911
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_cloudfront_streaming_distribution.md
@@ -0,0 +1,164 @@
++++
+title = "aws_cloudfront_streaming_distribution resource"
+
+draft = false
+
+
+[menu.aws]
+title = "aws_cloudfront_streaming_distribution"
+identifier = "inspec/resources/aws/aws_cloudfront_streaming_distribution resource"
+parent = "inspec/resources/aws"
++++
+
+Use the `aws_cloudfront_streaming_distribution` InSpec audit resource to test properties of a single specific AWS CloudFront streaming distribution.
+
+For additional information, including details on parameters and properties, see the [AWS documentation on AWS CloudFront streaming distribution.](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cloudfront-streamingdistribution.html).
+
+## Syntax
+
+Ensure that the distribution exists.
+
+```ruby
+describe aws_cloudfront_streaming_distribution(id: 'ID') do
+ it { should exist }
+end
+```
+
+## Parameters
+
+`id` _(required)_
+
+: The streaming distribution's ID.
+
+## Properties
+
+`id`
+: The streaming distribution's ID.
+
+`arn`
+: The ARN (Amazon Resource Name) for the distribution.
+
+`status`
+: The current status of the RTMP distribution.
+
+`last_modified_time`
+: The date and time that the distribution was last modified.
+
+`domain_name`
+: The domain name that corresponds to the streaming distribution.
+
+`active_trusted_signers.enabled`
+: This field is true if any of the accounts in the list have active CloudFront key pairs that CloudFront can use to verify the signatures of signed URLs and signed cookies.
+
+`active_trusted_signers.quantity`
+: The number of accounts in the list.
+
+`active_trusted_signers.items`
+: A list of accounts and the identifiers of active CloudFront key pairs in each account that CloudFront can use to verify the signatures of signed URLs and signed cookies.
+
+`active_aws_account_numbers`
+: An account number that contains active CloudFront key pairs that CloudFront can use to verify the signatures of signed URLs and signed cookies.
+
+`active_key_pair_id_quantities`
+: The number of key pair identifiers in the list.
+
+`active_key_pair_id_items`
+: A list of CloudFront key pair identifiers.
+
+`streaming_distribution_config.caller_reference`
+: A unique value (for example, a date-time stamp) that ensures that the request can't be replayed.
+
+`streaming_distribution_config.s3_origin.domain_name`
+: The DNS name of the Amazon S3 origin.
+
+`streaming_distribution_config.s3_origin.origin_access_identity`
+: The CloudFront origin access identity to associate with the distribution. Use an origin access identity to configure the distribution so that end users can only access objects in an Amazon S3 bucket through CloudFront.
+
+`streaming_distribution_config.aliases.quantity`
+: The number of CNAME aliases, if any, that you want to associate with this distribution.
+
+`streaming_distribution_config.aliases.items`
+: A complex type that contains the CNAME aliases, if any, that you want to associate with this distribution.
+
+`streaming_distribution_config.comment`
+: Any comments you want to include about the streaming distribution.
+
+`streaming_distribution_config.logging.enabled`
+: Specifies whether you want CloudFront to save access logs to an Amazon S3 bucket.
+
+`streaming_distribution_config.logging.bucket`
+: The Amazon S3 bucket to store the access logs in.
+
+`streaming_distribution_config.logging.prefix`
+: An optional string that you want CloudFront to prefix to the access log filenames for this streaming distribution.
+
+`streaming_distribution_config.trusted_signers.enabled`
+: This field is true if any of the accounts have public keys that CloudFront can use to verify the signatures of signed URLs and signed cookies. If not, this field is false.
+
+`streaming_distribution_config.trusted_signers.quantity`
+: The number of accounts in the list.
+
+`streaming_distribution_config.trusted_signers.items`
+: A list of account identifiers.
+
+`streaming_distribution_config.price_class`
+: A complex type that contains information about price class for this streaming distribution.
+
+`streaming_distribution_config.enabled`
+: Whether the streaming distribution is enabled to accept user requests for content.
+
+## Examples
+
+Ensure an ID is available:
+
+```ruby
+describe aws_cloudfront_streaming_distribution(id: 'ID') do
+ its('id') { should eq 'ID' }
+end
+```
+
+Ensure a status is `Deployed`:
+
+```ruby
+describe aws_cloudfront_streaming_distribution(id: 'ID') do
+ its('status') { should eq 'Deployed' }
+end
+```
+
+## Matchers
+
+{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}}
+
+This resource has the following special matchers.
+
+### exist
+
+Use `should` to test that the entity exists.
+
+```ruby
+describe aws_cloudfront_streaming_distribution(id: 'ID') do
+ it { should exist }
+end
+```
+
+Use `should_not` to test that an entity does not exist.
+
+```ruby
+describe aws_cloudfront_streaming_distribution(id: 'ID') do
+ it { should_not exist }
+end
+```
+
+### be_available
+
+Use `should` to check if the entity is available.
+
+```ruby
+describe aws_cloudfront_streaming_distribution(id: 'ID') do
+ it { should be_available }
+end
+```
+
+## AWS Permissions
+
+{{% inspec-aws/aws_permissions_principal action="CloudFront:Client:GetStreamingDistributionResult" %}}
diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_cloudfront_streaming_distributions.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_cloudfront_streaming_distributions.md
new file mode 100644
index 0000000..8ee80c9
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_cloudfront_streaming_distributions.md
@@ -0,0 +1,132 @@
++++
+title = "aws_cloudfront_streaming_distributions resource"
+
+draft = false
+
+
+[menu.aws]
+title = "aws_cloudfront_streaming_distributions"
+identifier = "inspec/resources/aws/aws_cloudfront_streaming_distributions resource"
+parent = "inspec/resources/aws"
++++
+
+Use the `aws_cloudfront_streaming_distributions` InSpec audit resource to test plural properties of AWS CloudFront streaming distribution.
+
+For additional information, including details on parameters and properties, see the [AWS documentation on AWS CloudFront streaming distribution.](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cloudfront-streamingdistribution.html).
+
+## Syntax
+
+Ensure that the distribution exists.
+
+```ruby
+describe aws_cloudfront_streaming_distributions do
+ it { should exist }
+end
+```
+
+## Parameters
+
+This resource does not require any parameters.
+
+## Properties
+
+`ids`
+: The streaming distribution's ID.
+
+: **Field**: `id`
+
+`arns`
+: The ARN (Amazon Resource Name) for the distribution.
+
+: **Field**: `arn`
+
+`statuses`
+: The current status of the RTMP distribution.
+
+: **Field**: `status`
+
+`last_modified_time`
+: The date and time that the distribution was last modified.
+
+: **Field**: `last_modified_time`
+
+`domain_names`
+: The domain name corresponding to the distribution.
+
+: **Field**: `domain_names`
+
+`s3_origins`
+: A complex type that contains information about the Amazon S3 bucket from which you want CloudFront to get your media files for distribution.
+
+: **Field**: `s3_origin`
+
+`aliases`
+: A complex type that contains information about CNAMEs (alternate domain names), if any, for this streaming distribution.
+
+: **Field**: `aliases`
+
+`trusted_signers`
+: A complex type that specifies the accounts.
+
+: **Field**: `trusted_signers`
+
+`comments`
+: The comment originally specified when this distribution was created.
+
+: **Field**: `comment`
+
+`price_classes`
+: A complex type that contains information about price class for this streaming distribution.
+
+: **Field**: `price_class`
+
+`enabled`
+: Whether the distribution is enabled to accept end user requests for content.
+
+: **Field**: `enabled`
+
+## Examples
+
+Ensure an ID is available:
+
+```ruby
+describe aws_cloudfront_streaming_distributions do
+ its('ids') { should include 'ID' }
+end
+```
+
+Ensure a status is `Deployed`:
+
+```ruby
+describe aws_cloudfront_streaming_distributions do
+ its('statuses') { should include 'Deployed' }
+end
+```
+
+## Matchers
+
+{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}}
+
+The controls will pass if the `list` method returns at least one result.
+
+### exist
+
+Use `should` to test that the entity exists.
+
+```ruby
+describe aws_cloudfront_streaming_distributions do
+ it { should exist }
+end
+```
+
+Use `should_not` to test the entity does not exist.
+
+```ruby
+describe aws_cloudfront_streaming_distributions do
+ it { should_not exist }
+end
+```
+
+## AWS Permissions
+
+{{% inspec-aws/aws_permissions_principal action="CloudFront:Client:ListStreamingDistributionsResult" %}}
diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_cloudtrail_trail.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_cloudtrail_trail.md
new file mode 100644
index 0000000..95f7e76
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_cloudtrail_trail.md
@@ -0,0 +1,197 @@
++++
+title = "aws_cloudtrail_trail resource"
+
+draft = false
+
+
+[menu.aws]
+title = "aws_cloudtrail_trail"
+identifier = "inspec/resources/aws/aws_cloudtrail_trail resource"
+parent = "inspec/resources/aws"
++++
+
+Use the `aws_cloudtrail_trail` Chef InSpec audit resource to test properties of a single AWS CloudTrail trail.
+
+## Syntax
+
+An `aws_cloudtrail_trail` resource block identifies a trail by `TRAIL_NAME`.
+
+Find a trail by name:**
+
+```ruby
+describe aws_cloudtrail_trail('TRAIL_NAME') do
+ it { should exist }
+end
+```
+
+Use hash syntax to find a trail by trail name:**
+
+```ruby
+describe aws_cloudtrail_trail(trail_name: 'TRAIL_NAME') do
+ it { should exist }
+end
+```
+
+## Parameters
+
+`trail_name` _(required)_
+: This resource expects a single parameter, the CloudTrail name which uniquely identifies it.
+ This can be passed either as a string or as a `trail_name: 'value'` key-value entry in a hash.
+
+See the [AWS documentation on CloudTrail](https://docs.aws.amazon.com/cloudtrail/index.html#lang/en_us).
+
+## Properties
+
+`trail_arn`
+: Specifies the ARN of the trail.
+
+`TRAIL_NAME`
+: Name of the trail.
+
+`home_region`
+: The region in which the trail was created.
+
+`s3_bucket_name`
+: Name of the Amazon S3 bucket into which CloudTrail delivers your trail files.
+
+`cloud_watch_logs_role_arn`
+: Specifies the role for the CloudWatch Logs endpoint to assume to write to a user's log group.
+
+`cloud_watch_logs_log_group_arn`
+: Specifies an Amazon Resource Name (ARN), a unique identifier that represents the log group to which CloudTrail logs will be delivered.
+
+`kms_key_id`
+: Specifies the KMS key ID that encrypts the logs delivered by CloudTrail.
+
+`s3_key_prefix`
+: Specifies the Amazon S3 key prefix that comes after the name of the bucket you have designated for log file delivery.
+
+`is_organization_trail`
+: Specifies whether the trail is an organization trail. It returns boolean value.
+
+## Examples
+
+Test that the specified trail does exist:
+
+```ruby
+describe aws_cloudtrail_trail('TRAIL_NAME') do
+ it { should exist }
+end
+```
+
+```ruby
+describe aws_cloudtrail_trail(trail_name: 'TRAIL_NAME') do
+ it { should exist }
+end
+```
+
+Check the KMS key used to encrypt:
+
+```ruby
+describe aws_cloudtrail_trail('TRAIL_NAME') do
+ its('kms_key_id') { should eq "KMS_KEY_ID" }
+end
+```
+
+Check the home region is correct:
+
+```ruby
+describe aws_cloudtrail_trail('TRAIL_NAME') do
+ its('home_region') { should eq 'us-east-1' }
+end
+```
+
+Test that the specified trail is a multi-region trail:
+
+```ruby
+describe aws_cloudtrail_trail('TRAIL_NAME') do
+ it { should be_multi_region_trail }
+end
+```
+
+Test that the specified trail is an organization trail:
+
+```ruby
+describe aws_cloudtrail_trail('TRAIL_NAME') do
+ its("is_organization_trail") { should eq true }
+ it { should be_organization_trail }
+end
+```
+
+Test that the specified trail has a S3 Key Prefix:
+
+```ruby
+describe aws_cloudtrail_trail('TRAIL_NAME') do
+ its("s3_key_prefix") { should eq 'S3_KEY_PREFIX_NAME' }
+end
+```
+
+## Matchers
+
+{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}}
+
+This resource has the following special matchers.
+
+### exist
+
+Use `should` with the `exist` matcher to verify that the CloudTrail trail exists.
+
+```ruby
+describe aws_cloudtrail_trail('TRAIL_NAME') do
+ it { should exist }
+end
+```
+
+Use `should_not` to verify that a CloudTrail trail does not exists.
+
+```ruby
+describe aws_cloudtrail_trail('TRAIL_NAME') do
+ it { should_not exist }
+end
+```
+
+### be_multi_region_trail
+
+The test will pass if the identified trail is a multi-region trail.
+
+```ruby
+describe aws_cloudtrail_trail('TRAIL_NAME') do
+ it { should be_multi_region_trail }
+end
+```
+
+### be_encrypted
+
+The test will pass if the logs delivered by the identified trail are encrypted.
+
+```ruby
+describe aws_cloudtrail_trail('TRAIL_NAME') do
+ it { should be_encrypted }
+end
+```
+
+### be_log_file_validation_enabled
+
+The test will pass if the identified trail has log file integrity validation enabled.
+
+```ruby
+describe aws_cloudtrail_trail('TRAIL_NAME') do
+ it { should be_log_file_validation_enabled }
+end
+```
+
+### be_organization_trail
+
+The test will pass if the identified trail has organization trail is enabled.
+
+```ruby
+describe aws_cloudtrail_trail('TRAIL_NAME') do
+ it { should be_organization_trail }
+end
+```
+
+## AWS Permissions
+
+{{% inspec-aws/aws_permissions_principal action="CloudTrail:Client:DescribeTrailsResponse" %}}
+
+You can find detailed documentation at [Actions, Resources, and Condition Keys for AWS CloudTrail](https://docs.aws.amazon.com/IAM/latest/UserGuide/list_awscloudtrail.html).
diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_cloudtrail_trails.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_cloudtrail_trails.md
new file mode 100644
index 0000000..77668ef
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_cloudtrail_trails.md
@@ -0,0 +1,88 @@ ++++ +title = "aws_cloudtrail_trails resource" + +draft = false + + +[menu.aws] +title = "aws_cloudtrail_trails" +identifier = "inspec/resources/aws/aws_cloudtrail_trails resource" +parent = "inspec/resources/aws" ++++ + +Use the `aws_cloudtrail_trails` InSpec audit resource to test properties of a collection of AWS CloudTrail Trails. + +For additional information, including details on parameters and properties, see the [AWS documentation on Auto Scaling Group](https://docs.aws.amazon.com/autoscaling/ec2/userguide/AutoScalingGroup.html). + +## Syntax + +An `aws_cloudtrail_trails` resource block returns all CloudTrail Trails and allows the testing of those trails. + +```ruby +describe aws_cloudtrail_trails do + it { should exist } +end +``` + +## Parameters + +This resource does not require any parameters. + +## Properties + +`trail_arns` +: Specifies the ARNs of the trails. + +`names` +: The names of the trails. + +`entries` +: Provides access to the raw results of the query, which can be treated as an array of hashes. + +## Examples + +Ensure a CloudTrail with a specific name exists: + +```ruby +describe aws_cloudtrail_trails do + its('names') { should include('trail-1') } +end +``` + +Ensure a CloudTrail with a specific arn exists: + +```ruby +describe aws_cloudtrail_trails do + its('trail_arns') { should include('arn:aws:cloudtrail:us-east-1::trail/trail-1') } +end +``` + +## Matchers + +{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}} + +This resource has the following special matchers. + +### exist + +The control will pass if the describe returns at least one result. + +Use `should_not` to test the entity should not exist. 
+ +```ruby +describe aws_cloudtrail_trails do + it { should exist } +end +``` + +```ruby +describe aws_cloudtrail_trails do + it { should_not exist } +end +``` + +## AWS Permissions + +{{% inspec-aws/aws_permissions_principal action="CloudTrail:Client:DescribeTrailsResponse" %}} + +You can find detailed documentation at [Actions, Resources, and Condition Keys for AWS CloudTrail](https://docs.aws.amazon.com/IAM/latest/UserGuide/list_awscloudtrail.html). diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_cloudwatch_alarm.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_cloudwatch_alarm.md new file mode 100644 index 0000000..63657ef --- /dev/null +++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_cloudwatch_alarm.md 
@@ -0,0 +1,101 @@ ++++ +title = "aws_cloudwatch_alarm resource" + +draft = false + + +[menu.aws] +title = "aws_cloudwatch_alarm" +identifier = "inspec/resources/aws/aws_cloudwatch_alarm resource" +parent = "inspec/resources/aws" ++++ + +Use the `aws_cloudwatch_alarm` InSpec audit resource to test properties of a single CloudWatch alarm. + +If more than one alarm matches, an error will be raised. + +## Syntax + +Ensure an alarm exists: + +```ruby +aws_cloudwatch_alarm(metric_name: 'my-metric-name', metric_namespace: 'my-metric-namespace') do + it { should exist } +end +``` + +## Parameters + +`metric_name` _(required)_ + +: The metric name used by this alarm. This must be passed as a `metric_name: 'value'` key-value entry in a hash. + +`metric_namespace` _(required)_ + +: The metric namespace used by this alarm. This must be passed as a `metric_namespace: 'value'` key-value entry in a hash. + +`dimensions` _(optional)_ + +: The dimensions associated with this alarm. This must be passed as an array of hashes `dimensions: [{key:'value'}]` . + +## Properties + +`alarm_actions` +: The actions to execute when this alarm transitions to the ALARM state from any other state. Each action is specified as an Amazon Resource Name (ARN). + +`alarm_name` +: The name of the alarm. + +`metric_name` +: The name of the metric. + +`metric_namespace` +: The namespace of the metric. + +## Examples + +Ensure an Alarm has at least one alarm action: + +```ruby +describe aws_cloudwatch_alarm(metric_name: 'my-metric-name', metric_namespace: 'my-metric-namespace') do + its('alarm_actions') { should_not be_empty } +end +``` + +Ensure an Alarm with Dimensions exists: + +```ruby +describe aws_cloudwatch_alarm(metric_name: 'my-metric-name', metric_namespace: 'my-metric-namespace', dimensions: [{key: 'value'}]) do + it { should exist } +end +``` + +## Matchers + +{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}} + +This resource has the following special matchers. 
+ +### exist + +The control will pass if the describe returns at least one result. + +Use `should_not` to test the entity should not exist. + +```ruby +describe aws_cloudwatch_alarm(metric_name: 'good-metric', metric_namespace: 'my-metric-namespace') do + it { should exist } +end +``` + +```ruby +describe aws_cloudwatch_alarm(metric_name: 'bed-metric', metric_namespace: 'my-metric-namespace') do + it { should_not exist } +end +``` + +## AWS Permissions + +{{% inspec-aws/aws_permissions_principal action="CloudWatch:Client:DescribeAlarmsForMetricOutput" %}} + +You can find detailed documentation at [Actions, Resources, and Condition Keys for Amazon CloudWatch](https://docs.aws.amazon.com/IAM/latest/UserGuide/list_amazoncloudwatch.html). diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_cloudwatch_anomaly_detector.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_cloudwatch_anomaly_detector.md new file mode 100644 index 0000000..52e206c --- /dev/null +++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_cloudwatch_anomaly_detector.md 
@@ -0,0 +1,129 @@ ++++ +title = "aws_cloudwatch_anomaly_detector resource" + +draft = false + + +[menu.aws] +title = "aws_cloudwatch_anomaly_detector" +identifier = "inspec/resources/aws/aws_cloudwatch_anomaly_detector resource" +parent = "inspec/resources/aws" ++++ + +Use the `aws_cloudwatch_anomaly_detector` InSpec audit resource to test properties of a single specific AWS CloudWatch anomaly detector. + +The `AWS::CloudWatch::AnomalyDetector` type specifies an anomaly detection band for a certain metric and statistic. The band represents the expected "normal" range for the metric values. Anomaly detection bands can be used for visualization of a metric's expected values, and for alarms. + +For additional information, including details on parameters and properties, see the [AWS documentation on AWS CloudWatch AnomalyDetector.](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cloudwatch-anomalydetector.html). + +## Syntax + +Ensure that the anomaly detector exists. + +```ruby +describe aws_cloudwatch_anomaly_detector(metric_name: 'METRIC_NAME') do + it { should exist } +end +``` + +## Parameters + +`metric_name` _(required)_ + +: The name of the metric associated with the anomaly detection model. + +## Properties + +`namespace` +: The namespace of the metric associated with the anomaly detection model. + +`metric_name` +: The name of the metric associated with the anomaly detection model. + +`dimensions` +: The metric dimensions associated with the anomaly detection model. + +`dimensions_names` +: The name of the dimension. + +`dimensions_values` +: The value of the dimension. + +`stat` +: The statistic associated with the anomaly detection model. + +`configuration_start_time` +: The start time of the range to exclude. + +`configuration_end_time` +: The end time of the range to exclude. + +`configuration.metric_timezone` +: The time zone to use for the metric. + +`state_value` +: he current status of the anomaly detector's training. 
The possible values are TRAINED, PENDING_TRAINING and TRAINED_INSUFFICIENT_DATA. + +## Examples + +Ensure a namespace is available: + +```ruby +describe aws_cloudwatch_anomaly_detector(metric_name: 'METRIC_NAME') do + its('namespace') { should eq 'NAMESPACE' } +end +``` + +Ensure a config name is available: + +```ruby +describe aws_cloudwatch_anomaly_detector(metric_name: 'METRIC_NAME') do + its('name') { should eq 'CONFIG_NAME' } +end +``` + +Ensure a dimension name is available: + +```ruby +describe aws_cloudwatch_anomaly_detector(metric_name: 'METRIC_NAME') do + its('dimensions_names') { should include 'DIMENSION_NAME' } +end +``` + +## Matchers + +{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}} + +The controls will pass if the `describe` method returns at least one result. + +### exist + +Use `should` to test that the entity exists. + +```ruby +describe aws_cloudwatch_anomaly_detector(metric_name: 'METRIC_NAME') do + it { should exist } +end +``` + +Use `should_not` to test the entity does not exist. + +```ruby +describe aws_cloudwatch_anomaly_detector(metric_name: 'METRIC_NAME') do + it { should_not exist } +end +``` + +### be_available + +Use `should` to check if the entity is available. + +```ruby +describe aws_cloudwatch_anomaly_detector(metric_name: 'METRIC_NAME') do + it { should be_available } +end +``` + +## AWS Permissions + +{{% inspec-aws/aws_permissions_principal action="CloudWatch:Client:DescribeAnomalyDetectorsOutput" %}} diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_cloudwatch_anomaly_detectors.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_cloudwatch_anomaly_detectors.md new file mode 100644 index 0000000..0398e1f --- /dev/null +++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_cloudwatch_anomaly_detectors.md 
@@ -0,0 +1,119 @@ ++++ +title = "aws_cloudwatch_anomaly_detectors resource" + +draft = false + + +[menu.aws] +title = "aws_cloudwatch_anomaly_detectors" +identifier = "inspec/resources/aws/aws_cloudwatch_anomaly_detectors resource" +parent = "inspec/resources/aws" ++++ + +Use the `aws_cloudwatch_anomaly_detectors` InSpec audit resource to test properties of multiple AWS CloudWatch anomaly detectors. + +The `AWS::CloudWatch::AnomalyDetector` type specifies an anomaly detection band for a certain metric and statistic. The band represents the expected "normal" range for the metric values. Anomaly detection bands can be used for visualization of a metric's expected values, and for alarms. + +For additional information, including details on parameters and properties, see the [AWS documentation on AWS CloudWatch AnomalyDetector.](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cloudwatch-anomalydetector.html). + +## Syntax + +Ensure that the anomaly detector exists. + +```ruby +describe aws_cloudwatch_anomaly_detectors do + it { should exist } +end +``` + +## Parameters + +This resource does not require any parameters. + +## Properties + +`namespaces` +: The namespace of the metric associated with the anomaly detection model. + +: **Field**: `namespace` + +`metric_names` +: The name of the metric associated with the anomaly detection model. + +: **Field**: `metric_name` + +`dimensions` +: The metric dimensions associated with the anomaly detection model. + +: **Field**: `dimensions` + +`stats` +: The statistic associated with the anomaly detection model. + +: **Field**: `stat` + +`configurations` +: The configuration. + +: **Field**: `start_time` + +`state_values` +: he current status of the anomaly detector's training. The possible values are TRAINED, PENDING_TRAINING and TRAINED_INSUFFICIENT_DATA. 
+ +: **Field**: `state_value` + +## Examples + +Ensure a namespace is available: + +```ruby +describe aws_cloudwatch_anomaly_detectors do + its('namespaces') { should include 'NAMESPACE' } +end +``` + +Ensure a metric name is available: + +```ruby +describe aws_cloudwatch_anomaly_detectors do + its('metric_names') { should include 'METRIC_NAME' } +end +``` + +## Matchers + +{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}} + +The controls will pass if the `describe` method returns at least one result. + +### exist + +Use `should` to test that the entity exists. + +```ruby +describe aws_cloudwatch_anomaly_detectors do + it { should exist } +end +``` + +Use `should_not` to test the entity does not exist. + +```ruby +describe aws_cloudwatch_anomaly_detectors do + it { should_not exist } +end +``` + +### be_available + +Use `should` to check if the entity is available. + +```ruby +describe aws_cloudwatch_anomaly_detectors do + it { should be_available } +end +``` + +## AWS Permissions + +{{% inspec-aws/aws_permissions_principal action="CloudWatch:Client:DescribeAnomalyDetectorsOutput" %}} diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_cloudwatch_composite_alarm.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_cloudwatch_composite_alarm.md new file mode 100644 index 0000000..e1cd987 --- /dev/null +++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_cloudwatch_composite_alarm.md 
@@ -0,0 +1,138 @@ ++++ +title = "aws_cloudwatch_composite_alarm resource" + +draft = false + + +[menu.aws] +title = "aws_cloudwatch_composite_alarm" +identifier = "inspec/resources/aws/aws_cloudwatch_composite_alarm resource" +parent = "inspec/resources/aws" ++++ + +Use the `aws_cloudwatch_composite_alarm` InSpec audit resource to test properties of a single specific AWS CloudWatch composite alarm. + +The `AWS::CloudWatch::CompositeAlarm` resource type creates or updates a composite alarm. When you create a composite alarm, you specify a rule expression for the alarm that takes into account the alarm states of other alarms that you have created. The composite alarm goes into ALARM state only if all conditions of the rule are met. + +For additional information, including details on parameters and properties, see the [AWS documentation on AWS CloudWatch composite alarm.](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cloudwatch-compositealarm.html). + +## Syntax + +Ensure that the config exists. + +```ruby +describe aws_cloudwatch_composite_alarm(alarm_name: 'COMPOSITE_ALARM_NAME') do + it { should exist } +end +``` + +## Parameters + +`alarm_name` _(required)_ + +: The name of the alarm. + +## Properties + +`actions_enabled` +: Indicates whether actions should be executed during any changes to the alarm state. + +`alarm_actions` +: The actions to execute when this alarm transitions to the ALARM state from any other state. Each action is specified as an Amazon Resource Name (ARN). + +`alarm_arn` +: The Amazon Resource Name (ARN) of the alarm. + +`alarm_configuration_updated_timestamp` +: The time stamp of the last update to the alarm configuration. + +`alarm_description` +: The description of the alarm. + +`alarm_name` +: The name of the alarm. + +`alarm_rule` +: The rule that this alarm uses to evaluate its alarm state. 
+ +`insufficient_data_actions` +: The actions to execute when this alarm transitions to the INSUFFICIENT_DATA state from any other state. Each action is specified as an Amazon Resource Name (ARN). + +`ok_actions` +: The actions to execute when this alarm transitions to the OK state from any other state. Each action is specified as an Amazon Resource Name (ARN). + +`state_reason` +: An explanation for the alarm state, in text format. + +`state_reason_data` +: An explanation for the alarm state, in JSON format. + +`state_updated_timestamp` +: The time stamp of the last update to the alarm state. + +`state_value` +: The state value for the alarm. + +## Examples + +Ensure an actions is enabled: + +```ruby +describe aws_cloudwatch_composite_alarm(alarm_name: 'COMPOSITE_ALARM_NAME') do + its('actions_enabled') { should eq true } +end +``` + +Ensure an alarm ARN is available: + +```ruby +describe aws_cloudwatch_composite_alarm(alarm_name: 'COMPOSITE_ALARM_NAME') do + its('alarm_arn') { should eq 'ALARM_ARN' } +end +``` + +Ensure an alarm name is available: + +```ruby +describe aws_cloudwatch_composite_alarm(alarm_name: 'COMPOSITE_ALARM_NAME') do + its('alarm_name') { should eq 'ALARM_NAME' } +end +``` + +## Matchers + +{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}} + +The controls will pass if the `describe` method returns at least one result. + +### exist + +Use `should` to test that the entity exists. + +```ruby +describe aws_cloudwatch_composite_alarm(alarm_name: 'COMPOSITE_ALARM_NAME') do + it { should exist } +end +``` + +Use `should_not` to test that an entity does not exist. + +```ruby +describe aws_cloudwatch_composite_alarm(alarm_name: 'COMPOSITE_ALARM_NAME') do + it { should_not exist } +end +``` + +### be_available + +Use `should` to check if the entity is available. 
+ +```ruby +describe aws_cloudwatch_composite_alarm(alarm_name: 'COMPOSITE_ALARM_NAME') do + it { should be_available } +end +``` + +## AWS Permissions + +{{% inspec-aws/aws_permissions_principal action="CloudWatch:Client:DescribeAlarmsOutput" %}} diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_cloudwatch_composite_alarms.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_cloudwatch_composite_alarms.md new file mode 100644 index 0000000..7441265 --- /dev/null +++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_cloudwatch_composite_alarms.md 
@@ -0,0 +1,152 @@ ++++ +title = "aws_cloudwatch_composite_alarms resource" + +draft = false + + +[menu.aws] +title = "aws_cloudwatch_composite_alarms" +identifier = "inspec/resources/aws/aws_cloudwatch_composite_alarms resource" +parent = "inspec/resources/aws" ++++ + +Use the `aws_cloudwatch_composite_alarms` InSpec audit resource to test properties of multiple AWS CloudWatch composite alarms. + +The `AWS::CloudWatch::CompositeAlarm` resource type creates or updates a composite alarm. When you create a composite alarm, you specify a rule expression for the alarm that takes into account the alarm states of other alarms that you have created. The composite alarm goes into ALARM state only if all conditions of the rule are met. + +For additional information, including details on parameters and properties, see the [AWS documentation on AWS CloudWatch composite alarm.](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cloudwatch-compositealarm.html). + +## Syntax + +Ensure that the alarms exists. + +```ruby +describe aws_cloudwatch_composite_alarms do + it { should exist } +end +``` + +## Parameters + +This resource does not require any parameters. + +## Properties + +`actions_enabled` +: Indicates whether actions should be executed during any changes to the alarm state. + +: **Field**: `actions_enabled` + +`alarm_actions` +: The actions to execute when this alarm transitions to the ALARM state from any other state. Each action is specified as an Amazon Resource Name (ARN). + +: **Field**: `alarm_actions` + +`alarm_arns` +: The Amazon Resource Name (ARN) of the alarm. + +: **Field**: `alarm_arn` + +`alarm_configuration_updated_timestamp` +: The time stamp of the last update to the alarm configuration. + +: **Field**: `alarm_configuration_updated_timestamp` + +`alarm_descriptions` +: The description of the alarm. + +: **Field**: `alarm_description` + +`alarm_names` +: The name of the alarm. 
+ +: **Field**: `alarm_name` + +`alarm_rules` +: The rule that this alarm uses to evaluate its alarm state. + +: **Field**: `alarm_rule` + +`insufficient_data_actions` +: The actions to execute when this alarm transitions to the INSUFFICIENT_DATA state from any other state. Each action is specified as an Amazon Resource Name (ARN). + +: **Field**: `insufficient_data_actions` + +`ok_actions` +: The actions to execute when this alarm transitions to the OK state from any other state. Each action is specified as an Amazon Resource Name (ARN). + +: **Field**: `ok_actions` + +`state_reasons` +: An explanation for the alarm state, in text format. + +: **Field**: `state_reason` + +`state_reason_data` +: An explanation for the alarm state, in JSON format. + +: **Field**: `state_reason_data` + +`state_updated_timestamp` +: The time stamp of the last update to the alarm state. + +: **Field**: `state_updated_timestamp` + +`state_values` +: The state value for the alarm. + +: **Field**: `state_value` + +## Examples + +Ensure an actions is enabled: + +```ruby +describe aws_cloudwatch_composite_alarms do + its('actions_enabled') { should include true } +end +``` + +Ensure an alarm arn is available: + +```ruby +describe aws_cloudwatch_composite_alarms do + its('alarm_arns') { should include 'ALARM_ARN' } +end +``` + +Ensure an alarm name is available: + +```ruby +describe aws_cloudwatch_composite_alarms do + its('alarm_names') { should include 'ALARM_NAME' } +end +``` + +## Matchers + +{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}} + +The controls will pass if the `describe` method returns at least one result. + +### exist + +Use `should` to test that the entity exists. + +```ruby +describe aws_cloudwatch_composite_alarms do + it { should exist } +end +``` + +Use `should_not` to test that an entity does not exist. 
+ +```ruby +describe aws_cloudwatch_composite_alarms do + it { should_not exist } +end +``` + +## AWS Permissions + +{{% inspec-aws/aws_permissions_principal action="CloudWatch:Client:DescribeAlarmsOutput" %}} diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_cloudwatch_dashboard.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_cloudwatch_dashboard.md new file mode 100644 index 0000000..cc43aaa --- /dev/null +++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_cloudwatch_dashboard.md 
@@ -0,0 +1,88 @@ ++++ +title = "aws_cloudwatch_dashboard resource" + +draft = false + + +[menu.aws] +title = "aws_cloudwatch_dashboard" +identifier = "inspec/resources/aws/aws_cloudwatch_dashboard resource" +parent = "inspec/resources/aws" ++++ + +Use the `aws_cloudwatch_dashboard` InSpec audit resource to test properties of the plural AWS CloudWatch dashboard. + +For additional information, including details on parameters and properties, see the [AWS documentation on AWS CloudWatch Dashboard.](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cloudwatch-dashboard.html). + +## Syntax + +Ensure that the dashboard exists. + +```ruby +describe aws_cloudwatch_dashboard(dashboard_name: 'DASHBOARD_NAME') do + it { should exist } +end +``` + +## Parameters + +`dashboard_name` _(required)_ + +: The name of a dashboard. + +## Properties + +`dashboard_arn` +: The Amazon Resource Name (ARN) of the dashboard. + +`dashboard_body` +: The detailed information about the dashboard, including what widgets are included and their location on the dashboard. + +`dashboard_name` +: The name of the dashboard. + +## Examples + +Ensure a dashboard ARN is available: + +```ruby +describe aws_cloudwatch_dashboard(dashboard_name: 'DASHBOARD_NAME') do + its('dashboard_arn') { should eq 'ARN' } +end +``` + +Ensure a dashboard body is available: + +```ruby +describe aws_cloudwatch_dashboard(dashboard_name: 'DASHBOARD_NAME') do + its('dashboard_body') { should eq 'BODY' } +end +``` + +## Matchers + +{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}} + +This resource has the following special matchers. + +### exist + +Use `should` to test that the entity exists. + +```ruby +describe aws_cloudwatch_dashboard(dashboard_name: 'DASHBOARD_NAME') do + it { should exist } +end +``` + +Use `should_not` to test the entity does not exist. 
+ +```ruby +describe aws_cloudwatch_dashboard(dashboard_name: 'DASHBOARD_NAME') do + it { should_not exist } +end +``` + +## AWS Permissions + +{{% inspec-aws/aws_permissions_principal action="CloudWatch:Client:GetDashboardOutput" %}} diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_cloudwatch_dashboards.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_cloudwatch_dashboards.md new file mode 100644 index 0000000..c17afca --- /dev/null +++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_cloudwatch_dashboards.md 
@@ -0,0 +1,97 @@ ++++ +title = "aws_cloudwatch_dashboards resource" + +draft = false + + +[menu.aws] +title = "aws_cloudwatch_dashboards" +identifier = "inspec/resources/aws/aws_cloudwatch_dashboards resource" +parent = "inspec/resources/aws" ++++ + +Use the `aws_cloudwatch_dashboards` InSpec audit resource to test properties of the plural AWS CloudWatch dashboard. + +For additional information, including details on parameters and properties, see the [AWS documentation on AWS CloudWatch dashboard.](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cloudwatch-dashboard.html). + +## Syntax + +Ensure that the dashboard exists. + +```ruby +describe aws_cloudwatch_dashboards do + it { should exist } +end +``` + +## Parameters + +This resource does not require any parameters. + +## Properties + +`dashboard_names` +: The name of the dashboard. + +: **Field**: `dashboard_name` + +`dashboard_arns` +: The Amazon Resource Name (ARN) of the dashboard. + +: **Field**: `dashboard_arn` + +`last_modified` +: The time stamp of when the dashboard was last modified, either by an API call or through the console. + +: **Field**: `last_modified` + +`sizes` +: The size of the dashboard, in bytes. + +: **Field**: `size` + +## Examples + +Ensure a dashboard ARN is available: + +```ruby +describe aws_cloudwatch_dashboards do + its('dashboard_arns') { should include 'ARN' } +end +``` + +Ensure a dashboard name is available: + +```ruby +describe aws_cloudwatch_dashboards do + its('dashboard_names') { should include 'DASHBOARD_NAME' } +end +``` + +## Matchers + +{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}} + +The controls will pass if the `list` method returns at least one result. + +### exist + +Use `should` to test that the entity exists. + +```ruby +describe aws_cloudwatch_dashboards do + it { should exist } +end +``` + +Use `should_not` to test the entity does not exist. 
+ +```ruby +describe aws_cloudwatch_dashboards do + it { should_not exist } +end +``` + +## AWS Permissions + +{{% inspec-aws/aws_permissions_principal action="CloudWatch:Client:ListDashboardsOutput" %}} diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_cloudwatch_insight_rules.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_cloudwatch_insight_rules.md new file mode 100644 index 0000000..5edb1a0 --- /dev/null +++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_cloudwatch_insight_rules.md 
@@ -0,0 +1,97 @@ ++++ +title = "aws_cloudwatch_insight_rules resource" + +draft = false + + +[menu.aws] +title = "aws_cloudwatch_insight_rules" +identifier = "inspec/resources/aws/aws_cloudwatch_insight_rules resource" +parent = "inspec/resources/aws" ++++ + +Use the `aws_cloudwatch_insight_rules` InSpec audit resource to test properties of the plural AWS CloudWatch Insight rules. + +For additional information, including details on parameters and properties, see the [AWS documentation on AWS CloudWatch Insight rules.](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cloudwatch-insightrule.html). + +## Syntax + +Ensure that the Insight rule exists. + +```ruby +describe aws_cloudwatch_insight_rules do + it { should exist } +end +``` + +## Parameters + +This resource does not require any parameters. + +## Properties + +`names` +: The name of the rule. + +: **Field**: `name` + +`states` +: Indicates whether the rule is enabled or disabled. + +: **Field**: `schema` + +`schemas` +: For rules that you create, this is always {"Name": "CloudWatchLogRule", "Version": 1} . For built-in rules, this is {"Name": "ServiceLogRule", "Version": 1}. + +: **Field**: `dashboard_name` + +`definitions` +: The definition of the rule, as a JSON object. + +: **Field**: `definition` + +## Examples + +Ensure a rule name is available: + +```ruby +describe aws_cloudwatch_insight_rules do + its('names') { should include 'RuleName' } +end +``` + +Ensure a state is available: + +```ruby +describe aws_cloudwatch_insight_rules do + its('states') { should include 'enabled' } +end +``` + +## Matchers + +{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}} + +The controls will pass if the `describe` method returns at least one result. + +### exist + +Use `should` to test that the entity exists. + +```ruby +describe aws_cloudwatch_insight_rules do + it { should exist } +end +``` + +Use `should_not` to test the entity does not exist. 
+ +```ruby +describe aws_cloudwatch_insight_rules do + it { should_not exist } +end +``` + +## AWS Permissions + +{{% inspec-aws/aws_permissions_principal action="CloudWatch:Client:DescribeInsightRulesOutput" %}} diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_cloudwatch_log_group.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_cloudwatch_log_group.md new file mode 100644 index 0000000..7b0d9b3 --- /dev/null +++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_cloudwatch_log_group.md 
@@ -0,0 +1,71 @@ ++++ +title = "aws_cloudwatch_log_group resource" + +draft = false + + +[menu.aws] +title = "aws_cloudwatch_log_group" +identifier = "inspec/resources/aws/aws_cloudwatch_log_group resource" +parent = "inspec/resources/aws" ++++ + +Use the `aws_cloudwatch_log_group` InSpec audit resource to test properties of a single AWS CloudWatch Log Group. + +For additional information, including details on parameters and properties, see the [AWS documentation on CloudWatch Logs](https://docs.aws.amazon.com/AmazonCloudWatchLogs/latest/APIReference/API_DescribeLogGroups.html). + +## Syntax + +Ensure that an `aws_cloudwatch_log_group` exists + +```ruby +describe aws_cloudwatch_log_group('my_log_group') do + it { should exist } +end +``` + +```ruby +describe aws_cloudwatch_log_group(log_group_name: 'my_log_group') do + it { should exist } +end +``` + +## Parameters + +`log_group_name` _(required)_ + +: This resource accepts a single parameter, the log group name which uniquely identifies the CloudWatch Log Group. + This can be passed either as a string or as a `log_group_name: 'value'` key-value entry in a hash. + +`limit` _(optional)_ + +: This resource accepts a single parameter, an integer representing the number of results allowed to return. If not passed, in, this defaults to `1`, which will only return the first match to the `log_group_name`. + This can be passed as a `limit: 'value'` key-value entry in a hash. + +## Properties + +`retention_in_days` +: The number of days to retain the log events in the specified log group. + +`kms_key_id` +: The Amazon Resource Name (ARN) of the CMK to use when encrypting log data. + +`tags` +: The tags for the log group. 
+ +## Examples + +Test tags on the CloudWatch Log Group: + +```ruby +describe aws_cloudwatch_log_group('my_log_group') do + its('tags') { should include(:Environment => 'env-name', + :Name => 'my_log_group')} +end +``` + +## AWS Permissions + +Your [Principal](https://docs.aws.amazon.com/IAM/latest/UserGuide/intro-structure.html#intro-structure-principal) will need the `CloudWatchLogs:Client:DescribeLogGroupsResponse` and `CloudWatchLogs:Client:ListTagsLogGroupResponse` actions with Effect set to Allow. + +You can find detailed documentation at [Actions, Resources, and Condition Keys for Amazon CloudWatch Logs](https://docs.aws.amazon.com/IAM/latest/UserGuide/list_amazoncloudwatchlogs.html). diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_cloudwatch_log_metric_filter.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_cloudwatch_log_metric_filter.md new file mode 100644 index 0000000..87e0b33 --- /dev/null +++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_cloudwatch_log_metric_filter.md 
@@ -0,0 +1,134 @@
++++
+title = "aws_cloudwatch_log_metric_filter resource"
+
+draft = false
+
+
+[menu.aws]
+title = "aws_cloudwatch_log_metric_filter"
+identifier = "inspec/resources/aws/aws_cloudwatch_log_metric_filter resource"
+parent = "inspec/resources/aws"
++++
+
+Use the `aws_cloudwatch_log_metric_filter` InSpec audit resource to search for and test properties of individual AWS Cloudwatch Log Metric Filters.
+
+For additional information, including details on parameters and properties, see the [AWS documentation on CloudWatch](https://docs.aws.amazon.com/IAM/latest/UserGuide/list_amazoncloudwatch.html).
+
+## Syntax
+
+```ruby
+describe aws_cloudwatch_log_metric_filter(filter_name: 'my-filter', log_group_name: 'my-log-group') do
+ it { should exist }
+end
+```
+
+```ruby
+describe aws_cloudwatch_log_metric_filter(log_group_name: 'my-log-group', pattern: 'my-filter') do
+ it { should exist }
+end
+```
+
+## Parameters
+
+Note**: _While all parameters are optional, at least one must be provided. In practice, the more parameters you provide the narrower a result you will return._
+
+`filter_name` _(optional)_
+
+: The name of the Log Metric Filter. Expected in a hash as `filter_name: 'value'`.
+
+`log_group_name` _(optional)_
+
+: The log group of the filter. Expected in a hash as `log_group_name: 'value'`.
+
+`pattern` _(optional)_
+
+: A pattern by which to narrow down the result-set, if you expect multiple results. Expected in a hash as `pattern: 'value'`.
+
+## Properties
+
+`filter_name`
+: The name of the metric filter.
+
+`log_group_name`
+: The name of the log group.
+
+`metric_name`
+: The name of the metric.
+
+`metric_namespace`
+: The namespace of the metric.
+
+`pattern`
+: A symbolic description of how CloudWatch Logs should interpret the data in each log event. For example, a log event may contain timestamps, IP addresses, strings, and so on. You use the filter pattern to specify what to look for in the log event message.
+
+## Examples
+
+Ensure a Filter exists:
+
+```ruby
+describe aws_cloudwatch_log_metric_filter(filter_name: 'my-filter', log_group_name: 'my-log-group') do
+ it { should exist }
+end
+```
+
+Ensure a Filter exists for a specific pattern:
+
+```ruby
+describe aws_cloudwatch_log_metric_filter(pattern: '"ERROR" - "Exiting"') do
+ it { should exist }
+end
+```
+
+Check the name of a Filter:
+
+```ruby
+describe aws_cloudwatch_log_metric_filter(log_group_name: 'app-log-group', pattern: 'KERBLEWIE') do
+ its('filter_name') { should eq 'kaboom_lmf' }
+end
+```
+
+Check the Log Group name of a Filter:
+
+```ruby
+describe aws_cloudwatch_log_metric_filter(filter_name: 'error-watcher') do
+ its('log_group_name') { should eq 'app-log-group' }
+end
+```
+
+Check a filter has the correct pattern:
+
+```ruby
+describe aws_cloudwatch_log_metric_filter(filter_name: 'error-watcher', log_group_name: 'app-log-group') do
+ its('pattern') { should cmp 'ERROR' }
+end
+```
+
+## Matchers
+
+{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}}
+
+This resource has the following special matchers.
+
+### exist
+
+The control will pass if the describe returns at least one result.
+
+Use `should_not` to test the entity should not exist.
+
+```ruby
+describe aws_cloudwatch_log_metric_filter(log_group_name: 'my-log-group') do
+ it { should exist }
+end
+```
+
+```ruby
+describe aws_cloudwatch_log_metric_filter(log_group_name: 'i-dont-exist') do
+ it { should_not exist }
+end
+```
+
+## AWS Permissions
+
+{{% inspec-aws/aws_permissions_principal action="CloudWatchLogs:Client:DescribeMetricFiltersResponse" %}}
+
+You can find detailed documentation at [Actions, Resources, and Condition Keys for Amazon CloudWatch](https://docs.aws.amazon.com/IAM/latest/UserGuide/list_amazoncloudwatch.html).
diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_cloudwatch_metric_stream.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_cloudwatch_metric_stream.md
new file mode 100644
index 0000000..b4c47f0
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_cloudwatch_metric_stream.md
@@ -0,0 +1,98 @@
++++
+title = "aws_cloudwatch_metric_stream resource"
+
+draft = false
+
+
+[menu.aws]
+title = "aws_cloudwatch_metric_stream"
+identifier = "inspec/resources/aws/aws_cloudwatch_metric_stream resource"
+parent = "inspec/resources/aws"
++++
+
+Use the `aws_cloudwatch_metric_stream` InSpec audit resource to test properties of a single AWS CloudWatch metric stream.
+
+For additional information, including details on parameters and properties, see the [AWS documentation on AWS CloudWatch metric stream.](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cloudwatch-metricstream.html).
+
+## Syntax
+
+Ensure that the metric stream exists.
+
+```ruby
+describe aws_cloudwatch_metric_stream(metric_stream_name: 'METRIC_STREAM_NAME') do
+ it { should exist }
+end
+```
+
+## Parameters
+
+This resource does not require any parameters.
+
+## Properties
+
+`arn`
+: The ARN of the metric stream.
+
+`creation_date`
+: The date that the metric stream was originally created.
+
+`last_update_date`
+: The date that the configuration of this metric stream was most recently updated.
+
+`names`
+: The name of the metric stream.
+
+`firehose_arn`
+: The ARN of the Kinesis Firehose delivery stream that is used for this metric stream.
+
+`state`
+: The current state of this stream. Valid values are running and stopped.
+
+`output_format`
+: The output format of this metric stream. Valid values are `json` and `opentelemetry0.7`.
+
+## Examples
+
+Ensure an ARN is available:
+
+```ruby
+describe aws_cloudwatch_metric_stream (metric_stream_name: 'METRIC_STREAM_NAME' ) do
+ its('arn') { should eq 'ARN' }
+end
+```
+
+Ensure a firehose_ARN is available:
+
+```ruby
+describe aws_cloudwatch_metric_stream (metric_stream_name: 'METRIC_STREAM_NAME' ) do
+ its('firehose_arn') { should eq 'FIREHOSE_ARN' }
+end
+```
+
+## Matchers
+
+{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}}
+
+This resource has the following special matchers.
+
+### exist
+
+Use `should` to test that the entity exists.
+
+```ruby
+describe aws_cloudwatch_metric_stream (metric_stream_name: 'METRIC_STREAM_NAME' ) do
+ it { should exist }
+end
+```
+
+Use `should_not` to test that the entity does not exist.
+
+```ruby
+describe aws_cloudwatch_metric_stream (metric_stream_name: 'METRIC_STREAM_NAME' ) do
+ it { should_not exist }
+end
+```
+
+## AWS Permissions
+
+{{% inspec-aws/aws_permissions_principal action="CloudFront:Client:GetMetricStreamsOutput" %}}
diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_cloudwatch_metric_streams.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_cloudwatch_metric_streams.md
new file mode 100644
index 0000000..ab4c463
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_cloudwatch_metric_streams.md
@@ -0,0 +1,112 @@
++++
+title = "aws_cloudwatch_metric_streams resource"
+
+draft = false
+
+
+[menu.aws]
+title = "aws_cloudwatch_metric_streams"
+identifier = "inspec/resources/aws/aws_cloudwatch_metric_streams resource"
+parent = "inspec/resources/aws"
++++
+
+Use the `aws_cloudwatch_metric_streams` InSpec audit resource to test properties of multiple AWS CloudWatch metric streams.
+
+For additional information, including details on parameters and properties, see the [AWS documentation on AWS CloudWatch metric stream.](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cloudwatch-metricstream.html).
+
+## Syntax
+
+Ensure that the metric streams exists.
+
+```ruby
+describe aws_cloudwatch_metric_streams do
+ it { should exist }
+end
+```
+
+## Parameters
+
+This resource does not require any parameters.
+
+## Properties
+
+`arns`
+: The ARN of the metric stream.
+
+: **Field**: `arn`
+
+`creation_date`
+: The date that the metric stream was originally created.
+
+: **Field**: `creation_date`
+
+`last_update_date`
+: The date that the configuration of this metric stream was most recently updated.
+
+: **Field**: `last_update_date`
+
+`names`
+: The name of the metric stream.
+
+: **Field**: `name`
+
+`firehose_arns`
+: The ARN of the Kinesis Firehose delivery stream that is used for this metric stream.
+
+: **Field**: `firehose_arn`
+
+`states`
+: The current state of this stream. Valid values are running and stopped .
+
+: **Field**: `state`
+
+`output_formats`
+: The output format of this metric stream. Valid values are 'json' and 'opentelemetry0.7'.
+
+: **Field**: `output_format`
+
+## Examples
+
+Ensure an ARN is available:
+
+```ruby
+describe aws_cloudwatch_metric_streams do
+ its('arns') { should include 'ARN' }
+end
+```
+
+Ensure a Firehose ARN is available:
+
+```ruby
+describe aws_cloudwatch_metric_streams do
+ its('firehose_arns') { should include 'FIREHOSE_ARN' }
+end
+```
+
+## Matchers
+
+{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}}
+
+The controls will pass if the `list` method returns at least one result.
+
+### exist
+
+Use `should` to test that the entity exists.
+
+```ruby
+describe aws_cloudwatch_metric_streams do
+ it { should exist }
+end
+```
+
+Use `should_not` to test that the entity does not exist.
+
+```ruby
+describe aws_cloudwatch_metric_streams do
+ it { should_not exist }
+end
+```
+
+## AWS Permissions
+
+{{% inspec-aws/aws_permissions_principal action="CloudFront:Client:ListMetricStreamsOutput" %}}
diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_cloudwatchlogs_destination.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_cloudwatchlogs_destination.md
new file mode 100644
index 0000000..560da4b
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_cloudwatchlogs_destination.md
@@ -0,0 +1,109 @@
++++
+title = "aws_cloudwatchlogs_destination resource"
+
+draft = false
+
+
+[menu.aws]
+title = "aws_cloudwatchlogs_destination"
+identifier = "inspec/resources/aws/aws_cloudwatchlogs_destination resource"
+parent = "inspec/resources/aws"
++++
+
+Use the `aws_cloudwatchlogs_destination` InSpec audit resource to test properties of a single specific AWS Logs destination.
+
+The `AWS::Logs::Destination` resource type specifies a CloudWatch Logs destination. A destination encapsulates a physical resource (such as an Amazon Kinesis data stream) and enables you to subscribe that resource to a stream of log events.
+
+For additional information, including details on parameters and properties, see the [AWS documentation on AWS::Logs::Destination.](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-logs-destination.html).
+
+## Syntax
+
+Ensure that the destination name exists.
+
+```ruby
+describe aws_cloudwatchlogs_destination(destination_name_prefix: "DESTINATION_NAME") do
+ it { should exist }
+end
+```
+
+## Parameters
+
+`destination_name_prefix` _(required)_
+
+: The name of the destination.
+
+## Properties
+
+`destination_name`
+: The name of the destination.
+
+`target_arn`
+: The Amazon Resource Name (ARN) of the physical target where the log events are delivered (for example, a Kinesis stream).
+
+`role_arn`
+: The ARN of an IAM role that permits CloudWatch Logs to send data to the specified AWS resource.
+
+`access_policy`
+: An IAM policy document governing the Amazon Web Services accounts, which can create subscription filters against this destination.
+
+`arn`
+: The ARN of this destination.
+
+`creation_time`
+: The creation time of the destination, expressed as the number of milliseconds after Jan 1, 1970 00:00:00 UTC.
+
+## Examples
+
+Ensure destination name is available:
+
+```ruby
+describe aws_cloudwatchlogs_destination(destination_name_prefix: "DESTINATION_NAME") do
+ its('destination_name') { should eq 'DESTINATION_NAME' }
+end
+```
+
+Ensure that the IAM role ARN is available:
+
+```ruby
+describe aws_cloudwatchlogs_destination(destination_name_prefix: "DESTINATION_NAME") do
+ its('role_arn') { should eq 'ROLE_ARN' }
+end
+```
+
+## Matchers
+
+{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}}
+
+The controls will pass if the `describe` method returns at least one result.
+
+### exist
+
+Use `should` to test that the entity exists.
+
+```ruby
+describe aws_cloudwatchlogs_destination(destination_name_prefix: "DESTINATION_NAME") do
+ it { should exist }
+end
+```
+
+Use `should_not` to test that the entity does not exist.
+
+```ruby
+describe aws_cloudwatchlogs_destination(destination_name_prefix: "DESTINATION_NAME") do
+ it { should_not exist }
+end
+```
+
+### be_available
+
+Use `should` to check if the entity is available.
+
+```ruby
+describe aws_cloudwatchlogs_destination(destination_name_prefix: "DESTINATION_NAME") do
+ it { should be_available }
+end
+```
+
+## AWS Permissions
+
+{{% inspec-aws/aws_permissions_principal action="CloudWatchLogs:Client:DescribeDestinationsResponse" %}}
diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_cloudwatchlogs_destinations.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_cloudwatchlogs_destinations.md
new file mode 100644
index 0000000..6a4ecc7
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_cloudwatchlogs_destinations.md
@@ -0,0 +1,109 @@
++++
+title = "aws_cloudwatchlogs_destinations resource"
+
+draft = false
+
+
+[menu.aws]
+title = "aws_cloudwatchlogs_destinations"
+identifier = "inspec/resources/aws/aws_cloudwatchlogs_destinations resource"
+parent = "inspec/resources/aws"
++++
+
+Use the `aws_cloudwatchlogs_destinations` InSpec audit resource to test properties of multiple AWS Logs destinations.
+
+The `AWS::Logs::Destination` resource type specifies a CloudWatch Logs destination. A destination encapsulates a physical resource (such as an Amazon Kinesis data stream) and enables you to subscribe that resource to a stream of log events.
+
+For additional information, including details on parameters and properties, see the [AWS documentation on AWS::Logs::Destination.](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-logs-destination.html).
+
+## Syntax
+
+Ensure that the destination name exists.
+
+```ruby
+describe aws_cloudwatchlogs_destinations do
+ it { should exist }
+end
+```
+
+## Parameters
+
+This resource does not require any parameters.
+
+## Properties
+
+`destination_names`
+: The name of the destination.
+
+: **Field**: `destination_name`
+
+`target_arns`
+: The Amazon Resource Name (ARN) of the physical target where the log events are delivered (for example, a Kinesis stream).
+
+: **Field**: `target_arn`
+
+`role_arns`
+: The ARN of an IAM role that permits CloudWatch Logs to send data to the specified AWS resource.
+
+: **Field**: `role_arn`
+
+`access_policies`
+: An IAM policy document governing the Amazon Web Services accounts, which can create subscription filters against this destination.
+
+: **Field**: `access_policy`
+
+`arns`
+: The ARN of this destination.
+
+: **Field**: `arn`
+
+`creation_time`
+: The creation time of the destination, expressed as the number of milliseconds after Jan 1, 1970 00:00:00 UTC.
+
+: **Field**: `creation_time`
+
+## Examples
+
+Ensure a destination name is available:
+
+```ruby
+describe aws_cloudwatchlogs_destinations do
+ its('destination_names') { should include 'DESTINATION_NAME' }
+end
+```
+
+Ensure a destination role ARN is available:
+
+```ruby
+describe aws_cloudwatchlogs_destinations do
+ its('role_arns') { should include 'ROLE_ARN' }
+end
+```
+
+## Matchers
+
+{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}}
+
+The controls will pass if the `describe` method returns at least one result.
+
+### exist
+
+Use `should` to test that an entity exists.
+
+```ruby
+describe aws_cloudwatchlogs_destinations do
+ it { should exist }
+end
+```
+
+Use `should_not` to test that an entity does not exist.
+
+```ruby
+describe aws_cloudwatchlogs_destinations do
+ it { should_not exist }
+end
+```
+
+## AWS Permissions
+
+{{% inspec-aws/aws_permissions_principal action="CloudWatchLogs:Client:DescribeDestinationsResponse" %}}
diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_cloudwatchlogs_log_stream.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_cloudwatchlogs_log_stream.md
new file mode 100644
index 0000000..049d41d
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_cloudwatchlogs_log_stream.md
@@ -0,0 +1,119 @@
++++
+title = "aws_cloudwatchlogs_log_stream resource"
+
+draft = false
+
+
+[menu.aws]
+title = "aws_cloudwatchlogs_log_stream"
+identifier = "inspec/resources/aws/aws_cloudwatchlogs_log_stream resource"
+parent = "inspec/resources/aws"
++++
+
+Use the `aws_cloudwatchlogs_log_stream` InSpec audit resource to test properties of the singular resource of AWS Logs log stream.
+
+The AWS::Logs::LogStream resource specifies an Amazon CloudWatch Logs log stream in a specific log group. A log stream represents the sequence of events coming from an application instance or resource you are monitoring.
+
+For additional information, including details on parameters and properties, see the [AWS documentation on AWS Logs LogStream.](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-logs-logstream.html).
+
+## Syntax
+
+Ensure that the log stream exists.
+
+```ruby
+describe aws_cloudwatchlogs_log_stream(log_group_name: "LOG_GROUP_NAME", log_stream_name_prefix: 'LOG_STREAM_NAME') do
+ it { should exist }
+end
+```
+
+## Parameters
+
+`log_group_name` and `log_stream_name_prefix` _(required)_
+
+`log_group_name`
+: The name of the log group where the log stream is created.
+
+`log_stream_name_prefix`
+: The name of the log stream.
+
+## Properties
+
+`log_stream_name`
+: The name of the log stream. The name must be unique within the log group.
+
+`creation_time`
+: The creation time of the stream, expressed as the number of milliseconds after Jan 1, 1970 00:00:00 UTC.
+
+`first_event_timestamp`
+: The time of the first event, expressed as the number of milliseconds after Jan 1, 1970 00:00:00 UTC.
+
+`last_event_timestamp`
+: The time of the most recent log event in the log stream in CloudWatch Logs.
+
+`last_ingestion_time`
+: The ingestion time, expressed as the number of milliseconds after Jan 1, 1970 00:00:00 UTC.
+
+`upload_sequence_token`
+: The sequence token.
+
+`arn`
+: The Amazon Resource Name (ARN) of the log stream.
+
+`stored_bytes`
+: The number of bytes stored.
+
+## Examples
+
+Ensure a log stream name is available:
+
+```ruby
+describe aws_cloudwatchlogs_log_stream(log_group_name: "LOG_GROUP_NAME", log_stream_name_prefix: 'LOG_STREAM_NAME') do
+ its('log_stream_name') { should eq 'LOG_STREAM_NAME' }
+end
+```
+
+Ensure a log stream ARN is available:
+
+```ruby
+describe aws_cloudwatchlogs_log_stream(log_group_name: "LOG_GROUP_NAME", log_stream_name_prefix: 'LOG_STREAM_NAME') do
+ its('arn') { should eq 'LOG_STREAM_ARN' }
+end
+```
+
+## Matchers
+
+{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}}
+
+The controls will pass if the `describe` method returns at least one result.
+
+### exist
+
+Use `should` to test that the entity exists.
+
+```ruby
+describe aws_cloudwatchlogs_log_stream(log_group_name: "LOG_GROUP_NAME", log_stream_name_prefix: 'LOG_STREAM_NAME') do
+ it { should exist }
+end
+```
+
+Use `should_not` to test the entity does not exist.
+
+```ruby
+describe aws_cloudwatchlogs_log_stream(log_group_name: "LOG_GROUP_NAME", log_stream_name_prefix: 'LOG_STREAM_NAME') do
+ it { should_not exist }
+end
+```
+
+### be_available
+
+Use `should` to check if the entity is available.
+
+```ruby
+describe aws_cloudwatchlogs_log_stream(log_group_name: "LOG_GROUP_NAME", log_stream_name_prefix: 'LOG_STREAM_NAME') do
+ it { should be_available }
+end
+```
+
+## AWS Permissions
+
+{{% inspec-aws/aws_permissions_principal action="CloudWatchLogs:Client:DescribeLogStreamsResponse" %}}
diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_cloudwatchlogs_log_streams.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_cloudwatchlogs_log_streams.md
new file mode 100644
index 0000000..666628f
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_cloudwatchlogs_log_streams.md
@@ -0,0 +1,121 @@
++++
+title = "aws_cloudwatchlogs_log_streams resource"
+
+draft = false
+
+
+[menu.aws]
+title = "aws_cloudwatchlogs_log_streams"
+identifier = "inspec/resources/aws/aws_cloudwatchlogs_log_streams resource"
+parent = "inspec/resources/aws"
++++
+
+Use the `aws_cloudwatchlogs_log_streams` InSpec audit resource to test properties of the plural resource of AWS Logs log stream.
+
+The AWS::Logs::LogStream resource specifies an Amazon CloudWatch Logs log stream in a specific log group. A log stream represents the sequence of events coming from an application instance or resource that you are monitoring.
+
+For additional information, including details on parameters and properties, see the [AWS documentation on AWS Logs LogStream.](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-logs-logstream.html).
+
+## Syntax
+
+Ensure that the log stream exists.
+
+```ruby
+describe aws_cloudwatchlogs_log_streams(log_group_name: "LOG_GROUP_NAME") do
+ it { should exist }
+end
+```
+
+## Parameters
+
+`log_group_name` _(required)_
+
+: The name of the log group.
+
+## Properties
+
+`log_stream_names`
+: The name of the log stream.
+
+: **Field**: `log_stream_name`
+
+`creation_times`
+: The creation time of the stream, expressed as the number of milliseconds after Jan 1, 1970 00:00:00 UTC.
+
+: **Field**: `creation_time`
+
+`first_event_timestamps`
+: The time of the first event, expressed as the number of milliseconds after Jan 1, 1970 00:00:00 UTC.
+
+: **Field**: `first_event_timestamp`
+
+`last_event_timestamps`
+: The time of the most recent log event in the log stream in CloudWatch Logs.
+
+: **Field**: `last_event_timestamp`
+
+`last_ingestion_times`
+: The ingestion time, expressed as the number of milliseconds after Jan 1, 1970 00:00:00 UTC.
+
+: **Field**: `last_ingestion_time`
+
+`upload_sequence_tokens`
+: The sequence token.
+
+: **Field**: `upload_sequence_token`
+
+`arns`
+: The Amazon Resource Name (ARN) of the log stream.
+
+: **Field**: `arn`
+
+`stored_bytes`
+: The number of bytes stored.
+
+: **Field**: `stored_bytes`
+
+## Examples
+
+Ensure a log stream name is available:
+
+```ruby
+describe aws_cloudwatchlogs_log_streams(log_group_name: "LOG_GROUP_NAME") do
+ its('log_stream_names') { should include 'LOG_STREAM_NAME' }
+end
+```
+
+Ensure a log stream arn is available:
+
+```ruby
+describe aws_cloudwatchlogs_log_streams(log_group_name: "LOG_GROUP_NAME") do
+ its('arns') { should include 'LOG_STREAM_ARN' }
+end
+```
+
+## Matchers
+
+{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}}
+
+The controls will pass if the `describe` method returns at least one result.
+
+### exist
+
+Use `should` to test that the entity exists.
+
+```ruby
+describe aws_cloudwatchlogs_log_streams(log_group_name: "LOG_GROUP_NAME") do
+ it { should exist }
+end
+```
+
+Use `should_not` to test the entity does not exist.
+
+```ruby
+describe aws_cloudwatchlogs_log_streams(log_group_name: "LOG_GROUP_NAME") do
+ it { should_not exist }
+end
+```
+
+## AWS Permissions
+
+{{% inspec-aws/aws_permissions_principal action="CloudWatchLogs:Client:DescribeLogStreamsResponse" %}}
diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_cloudwatchlogs_subscription_filter.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_cloudwatchlogs_subscription_filter.md
new file mode 100644
index 0000000..90daa1f
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_cloudwatchlogs_subscription_filter.md
@@ -0,0 +1,116 @@
++++
+title = "aws_cloudwatchlogs_subscription_filter resource"
+
+draft = false
+
+
+[menu.aws]
+title = "aws_cloudwatchlogs_subscription_filter"
+identifier = "inspec/resources/aws/aws_cloudwatchlogs_subscription_filter resource"
+parent = "inspec/resources/aws"
++++
+
+Use the `aws_cloudwatchlogs_subscription_filter` InSpec audit resource to test properties of a single specific AWS Logs Subscription Filter.
+
+The AWS::Logs::SubscriptionFilter specifies a subscription filter and associates it with the specified log group.
+
+For additional information, including details on parameters and properties, see the [AWS documentation on AWS Logs SubscriptionFilter.](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-logs-subscriptionfilter.html).
+
+## Syntax
+
+Ensure that the subscription filter exists.
+
+```ruby
+describe aws_cloudwatchlogs_subscription_filter(log_group_name: "LOG_GROUP_NAME", filter_name_prefix: "FILTER_NAME") do
+ it { should exist }
+end
+```
+
+## Parameters
+
+`log_group_name` and `filter_name_prefix` _(required)_
+
+`log_group_name`
+: The name of the log group to associate with the subscription filter. All log events that are uploaded to this log group are filtered and delivered to the specified AWS resource if the filter pattern matches the log events.
+
+`filter_name_prefix`
+: The name of the subscription filter.
+
+## Properties
+
+`filter_name`
+: The name of the subscription filter.
+
+`log_group_name`
+: The name of the log group.
+
+`filter_pattern`
+: A symbolic description of how CloudWatch Logs should interpret the data in each log event.
+
+`destination_arn`
+: The Amazon Resource Name (ARN) of the destination.
+
+`role_arn`
+: The ARN of the IAM role.
+
+`distribution`
+: The method used to distribute log data to the destination, which can be either random or grouped by log stream.
+
+`creation_time`
+: The creation time of the subscription filter, expressed as the number of milliseconds after Jan 1, 1970 00:00:00 UTC.
+
+## Examples
+
+Ensure a filter name is available:
+
+```ruby
+describe aws_cloudwatchlogs_subscription_filter(log_group_name: "LOG_GROUP_NAME", filter_name_prefix: "FILTER_NAME") do
+ its('filter_name') { should eq 'FILTER_NAME' }
+end
+```
+
+Ensure a filter log group name is available:
+
+```ruby
+describe aws_cloudwatchlogs_subscription_filter(log_group_name: "LOG_GROUP_NAME", filter_name_prefix: "FILTER_NAME") do
+ its('log_group_name') { should eq 'LOG_GROUP_NAME' }
+end
+```
+
+## Matchers
+
+{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}}
+
+The controls will pass if the `describe` method returns at least one result.
+
+### exist
+
+Use `should` to test that the entity exists.
+
+```ruby
+describe aws_cloudwatchlogs_subscription_filter(log_group_name: "LOG_GROUP_NAME", filter_name_prefix: "FILTER_NAME") do
+ it { should exist }
+end
+```
+
+Use `should_not` to test the entity does not exist.
+
+```ruby
+describe aws_cloudwatchlogs_subscription_filter(log_group_name: "LOG_GROUP_NAME", filter_name_prefix: "FILTER_NAME") do
+ it { should_not exist }
+end
+```
+
+### be_available
+
+Use `should` to check if the entity is available.
+
+```ruby
+describe aws_cloudwatchlogs_subscription_filter(log_group_name: "LOG_GROUP_NAME", filter_name_prefix: "FILTER_NAME") do
+ it { should be_available }
+end
+```
+
+## AWS Permissions
+
+{{% inspec-aws/aws_permissions_principal action="CloudWatchLogs:Client:DescribeSubscriptionFiltersResponse" %}}
diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_cloudwatchlogs_subscription_filters.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_cloudwatchlogs_subscription_filters.md
new file mode 100644
index 0000000..f7e2751
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_cloudwatchlogs_subscription_filters.md 
@@ -0,0 +1,126 @@
++++
+title = "aws_cloudwatchlogs_subscription_filters resource"
+
+draft = false
+
+
+[menu.aws]
+title = "aws_cloudwatchlogs_subscription_filters"
+identifier = "inspec/resources/aws/aws_cloudwatchlogs_subscription_filters resource"
+parent = "inspec/resources/aws"
++++
+
+Use the `aws_cloudwatchlogs_subscription_filters` InSpec audit resource to test properties of the plural resource of AWS Logs Subscription Filters.
+
+The AWS::Logs::SubscriptionFilter specifies a subscription filter and associates it with the specified log group.
+
+For additional information, including details on parameters and properties, see the [AWS documentation on AWS Logs SubscriptionFilter.](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-logs-subscriptionfilter.html).
+
+## Syntax
+
+Ensure that the subscription filter exists.
+
+```ruby
+describe aws_cloudwatchlogs_subscription_filters(log_group_name: "LOG_GROUP_NAME") do
+ it { should exist }
+end
+```
+
+## Parameters
+
+`log_group_name` _(required)_
+
+: The name of the log group.
+
+## Properties
+
+`filter_names`
+: The name of the subscription filters.
+
+: **Field**: `filter_name`
+
+`log_group_names`
+: The name of the log group.
+
+: **Field**: `log_group_name`
+
+`filter_patterns`
+: A symbolic description of how CloudWatch Logs should interpret the data in each log event.
+
+: **Field**: `filter_pattern`
+
+`destination_arns`
+: The Amazon Resource Name (ARN) of the destination.
+
+: **Field**: `destination_arn`
+
+`role_arns`
+: The ARN of the IAM role.
+
+: **Field**: `role_arn`
+
+`distributions`
+: The method used to distribute log data to the destination, which can be either random or grouped by log stream.
+
+: **Field**: `distribution`
+
+`creation_times`
+: The creation time of the subscription filter, expressed as the number of milliseconds after Jan 1, 1970 00:00:00 UTC.
+
+: **Field**: `creation_time`
+
+## Examples
+
+Ensure a filter name is available:
+
+```ruby
+describe aws_cloudwatchlogs_subscription_filters(log_group_name: "LOG_GROUP_NAME") do
+ its('filter_names') { should include 'FilterName' }
+end
+```
+
+Ensure a filter log group name is available:
+
+```ruby
+describe aws_cloudwatchlogs_subscription_filters(log_group_name: "LOG_GROUP_NAME") do
+ its('log_group_names') { should include 'LOG_GROUP_NAME' }
+end
+```
+
+## Matchers
+
+{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}}
+
+The controls will pass if the `describe` method returns at least one result.
+
+### exist
+
+Use `should` to test that the entity exists.
+
+```ruby
+describe aws_cloudwatchlogs_subscription_filters(log_group_name: "LOG_GROUP_NAME") do
+ it { should exist }
+end
+```
+
+Use `should_not` to test the entity does not exist.
+
+```ruby
+describe aws_cloudwatchlogs_subscription_filters(log_group_name: "LOG_GROUP_NAME") do
+ it { should_not exist }
+end
+```
+
+### be_available
+
+Use `should` to check if the entity is available.
+
+```ruby
+describe aws_cloudwatchlogs_subscription_filters(log_group_name: "LOG_GROUP_NAME") do
+ it { should be_available }
+end
+```
+
+## AWS Permissions
+
+{{% inspec-aws/aws_permissions_principal action="CloudWatchLogs:Client:DescribeSubscriptionFiltersResponse" %}}
diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_cognito_identity_pool.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_cognito_identity_pool.md
new file mode 100644
index 0000000..5e9ba24
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_cognito_identity_pool.md
@@ -0,0 +1,120 @@ ++++ +title = "aws_cognito_identity_pool resource" + +draft = false + + +[menu.aws] +title = "aws_cognito_identity_pool" +identifier = "inspec/resources/aws/aws_cognito_identity_pool resource" +parent = "inspec/resources/aws" ++++ + +Use the `aws_cognito_identity_pool` InSpec audit resource to test properties of a single Cognito identity pool. + +For additional information, including details on parameters and properties, see the [AWS documentation on Cognito identity pool](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-identitypool.html). + +## Syntax + +Ensure that an identity pool exists. + +```ruby +describe aws_cognito_identity_pool(identity_pool_id: 'IDENTITY_POOL_ID') do + it { should exist } +end +``` + +## Parameters + +`identity_pool_id` _(required)_ + +## Properties + +`identity_pool_id` +: An identity pool ID in the format REGION:GUID. + +`identity_pool_name` +: The name of your Amazon Cognito identity pool. + +`allow_unauthenticated_identities` +: Specifies whether the identity pool supports unauthenticated logins. + +`supported_login_providers` +: Key-value pairs that map provider names to provider app IDs. + +`developer_provider_name` +: The "domain" Amazon Cognito uses when referencing your users. This name acts as a placeholder that allows your backend and the Amazon Cognito service to communicate about the developer provider. For the DeveloperProviderName, you can use letters and periods (.), underscores (_), and dashes (-). + +`open_id_connect_provider_arns` +: The Amazon Resource Names (ARNs) of the OpenID connect providers. + +`cognito_identity_providers (provider_name)` +: The Amazon Cognito user pools and their client IDs. The provider name of the cognito identity providers. + +`cognito_identity_providers (client_id)` +: The Amazon Cognito user pools and their client IDs. The client ID of the cognito identity providers. 
+ +`cognito_identity_providers (server_side_token_check)` +: The Amazon Cognito user pools and their client IDs. The server side token check of the cognito identity providers. + +`saml_provider_arns` +: The Amazon Resource Names (ARNs) of the Security Assertion Markup Language (SAML) providers. + +`identity_pool_tags` +: The tags of your Amazon Cognito identity pool. + +## Examples + +Ensure an identity pool ID is available: + +```ruby +describe aws_cognito_identity_pool(identity_pool_id: 'IDENTITY_POOL_ID') do + its('identity_pool_id') { should eq 'IDENTITY_POOL_ID' } +end +``` + +Ensure that the identity pool name is available: + +```ruby +describe aws_cognito_identity_pool(identity_pool_id: 'IDENTITY_POOL_ID') do + its('identity_pool_name') { should eq 'IDENTITY_POOL_NAME' } +end +``` + +## Matchers + +{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}} + +The controls will pass if the `describe` method returns at least one result. + +### exist + +Use `should` to test that the entity exists. + +```ruby +describe aws_cognito_identity_pool(identity_pool_id: 'IDENTITY_POOL_ID') do + it { should exist } +end +``` + +Use `should_not` to test the entity does not exist. + +```ruby +describe aws_cognito_identity_pool(identity_pool_id: 'IDENTITY_POOL_ID') do + it { should_not exist } +end +``` + +### be_available + +Use `should` to check if the identity pool id is available. + +```ruby +describe aws_cognito_identity_pool(identity_pool_id: 'IDENTITY_POOL_ID') do + it { should be_available } +end +``` + +## AWS Permissions + +{{% inspec-aws/aws_permissions_principal action="CognitoIdentity:Client:IdentityPool" %}} diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_cognito_identity_pools.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_cognito_identity_pools.md new file mode 100644 index 0000000..d9681ca --- /dev/null +++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_cognito_identity_pools.md 
@@ -0,0 +1,93 @@ ++++ +title = "aws_cognito_identity_pools resource" + +draft = false + + +[menu.aws] +title = "aws_cognito_identity_pools" +identifier = "inspec/resources/aws/aws_cognito_identity_pools resource" +parent = "inspec/resources/aws" ++++ + +Use the `aws_cognito_identity_pools` InSpec audit resource to test properties of multiple Cognito identity pools. + +For additional information, including details on parameters and properties, see the [AWS documentation on Cognito identity pool](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-identitypool.html). + +## Syntax + +Ensure that an identity pool exists. + +```ruby +describe aws_cognito_identity_pools do + it { should exist } +end +``` + +## Parameters + +This resource does not require any parameters. + +## Properties + +`identity_pool_ids` +: The IDs of the identity pool. + +`identity_pool_names` +: The names of the identity pool. + +## Examples + +Ensure an identity pool is available: + +```ruby +describe aws_cognito_identity_pools do + its('identity_pool_ids') { should include 'IDENTITY_POOL_ID' } +end +``` + +Ensure that the state is `ENABLED` or `DISABLED`: + +```ruby +describe aws_cognito_identity_pools do + its('identity_pool_names') { should include 'IDENTITY_POOL_NAME' } +end +``` + +## Matchers + +{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}} + +The controls will pass if the `list` method returns at least one result. + +### exist + +Use `should` to test that the entity exists. + +```ruby +describe aws_cognito_identity_pools do + it { should exist } +end +``` + +Use `should_not` to test the entity does not exist. + +```ruby +describe aws_cognito_identity_pools do + it { should_not exist } +end +``` + +### be_available + +Use `should` to check if the identity pool is available. 
+ +```ruby +describe aws_cognito_identity_pools do + it { should be_available } +end +``` + +## AWS Permissions + +{{% inspec-aws/aws_permissions_principal action="CognitoIdentity:Client:ListIdentityPoolsResponse" %}} diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_cognito_userpool.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_cognito_userpool.md new file mode 100644 index 0000000..81f3ac5 --- /dev/null +++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_cognito_userpool.md 
@@ -0,0 +1,173 @@ ++++ +title = "aws_cognito_userpool resource" + +draft = false + + +[menu.aws] +title = "aws_cognito_userpool" +identifier = "inspec/resources/aws/aws_cognito_userpool resource" +parent = "inspec/resources/aws" ++++ + +Use the `aws_cognito_userpool` InSpec audit resource to test properties of a single specific Cognito user pool. + +For additional information, including details on parameters and properties, see the [AWS documentation on Cognito user pool](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-userpool.html). + +## Syntax + +Ensure that an user pool ID exists. + +```ruby +describe aws_cognito_userpool(user_pool_id: 'USER_POOL_ID') do + it { should exist } +end +``` + +## Parameters + +`user_pool_id` _(required)_ + +: The ID of the user pool. + +## Properties + +`user_pool_id` +: The user pool ID. + +`client_name` +: The client name of the user pool. + +`client_id` +: The client ID of the user pool. + +`client_secret` +: The client secret of the user pool. + +`last_modified_date` +: The last modified date of the user pool. + +`creation_date` +: The creation date of the user pool. + +`refresh_token_validity` +: The refresh token validity of the user pool. + +`access_token_validity` +: The access token validity of the user pool. + +`id_token_validity` +: The ID token validity of the user pool. + +`token_validity_units (access_token)` +: The access token in the token validity units of the user pool. + +`token_validity_units (id_token)` +: The ID token in the token validity units of the user pool. + +`token_validity_units (refresh_token)` +: The refresh token in the token validity units of the user pool. + +`read_attributes` +: The read attributes of the user pool. + +`write_attributes` +: The write attributes of the user pool. + +`explicit_auth_flows` +: The explicit auth flows of the user pool. + +`supported_identity_providers` +: The supported identity providers of the user pool. 
+ +`callback_urls` +: The callback URLs of the user pool. + +`logout_urls` +: The logout urls of the user pool. + +`default_redirect_uri` +: The default redirect URI of the user pool. + +`allowed_o_auth_flows` +: The allowed_o_auth_flows of the user pool. + +`allowed_o_auth_scopes` +: The allowed_o_auth_scopes of the user pool. + +`allowed_o_auth_flows_user_pool_client` +: The allowed_o_auth_flows_user_pool_client of the user pool. + +`analytics_configuration (application_id)` +: The application ID of the analytics configuration of the user pool. + +`analytics_configuration (application_arn)` +: The application ARN of the analytics configuration of the user pool. + +`analytics_configuration (role_arn)` +: The role ARN of the analytics configuration of the user pool. + +`analytics_configuration (external_id)` +: The external ID of the analytics configuration of the user pool. + +`analytics_configuration (user_data_shared)` +: The user data shared of the analytics configuration of the user pool. + +`prevent_user_existence_errors` +: The prevent user existence errors of the user pool. + +## Examples + +Ensure a user pool ID is available: + +```ruby +describe aws_cognito_userpool(user_pool_id: 'USER_POOL_ID') do + its('user_pool_id') { should eq 'USER_POOL_ID' } +end +``` + +Ensure a client name is available: + +```ruby +describe aws_cognito_userpool(user_pool_id: 'USER_POOL_ID') do + its('client_name') { should eq 'CLIENT_NAME' } +end +``` + +## Matchers + +{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}} + +The controls will pass if the `describe` method returns at least one result. + +### exist + +Use `should` to test that the entity exists. + +```ruby +describe aws_cognito_userpool(user_pool_id: 'USER_POOL_ID') do + it { should exist } +end +``` + +Use `should_not` to test the entity does not exist. 
+ +```ruby +describe aws_cognito_userpool(user_pool_id: 'USER_POOL_ID') do + it { should_not exist } +end +``` + +### be_available + +Use `should` to check if the client name is available. + +```ruby +describe aws_cognito_userpool(user_pool_id: 'USER_POOL_ID') do + it { should be_available } +end +``` + +## AWS Permissions + +{{% inspec-aws/aws_permissions_principal action="CognitoIdentityProvider:Client:DescribeUserPoolResponse" %}} diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_cognito_userpool_client.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_cognito_userpool_client.md new file mode 100644 index 0000000..6cddcf6 --- /dev/null +++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_cognito_userpool_client.md 
@@ -0,0 +1,177 @@ ++++ +title = "aws_cognito_userpool_client resource" + +draft = false + + +[menu.aws] +title = "aws_cognito_userpool_client" +identifier = "inspec/resources/aws/aws_cognito_userpool_client resource" +parent = "inspec/resources/aws" ++++ + +Use the `aws_cognito_userpool_client` InSpec audit resource to test properties of a single Cognito user pool client. + +For additional information, including details on parameters and properties, see the [AWS documentation on Cognito user pool](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-userpoolclient.html). + +## Syntax + +Ensure that a user pool exists. + +```ruby +describe aws_cognito_userpool_client(user_pool_id: 'USER_POOL_ID', client_id: 'CLIENT_ID') do + it { should exist } +end +``` + +## Parameters + +`user_pool_id` _(required)_ + +: The ID of the user pool. + +`client_id` _(required)_ + +: The client ID of the user pool. + +## Properties + +`user_pool_id` +: The user pool ID. + +`client_name` +: The app client name associated with the user pool. + +`client_id` +: The app client ID associated with the user pool. + +`client_secret` +: The app client secret of the user pool client. + +`last_modified_date` +: The last modified date of the user pool client. + +`creation_date` +: The creation date of the user pool client. + +`refresh_token_validity` +: The time limit value that the refresh token is valid in token_validity_units. + +`access_token_validity` +: The time limit value of the access token in token_validity_units. + +`id_token_validity` +: The time limit value of the refresh token in token_validity_units. + +`token_validity_units (access_token)` +: The time unit for the access_token_validity. + +`token_validity_units (id_token)` +: The time unit for the id_token_validity. + +`token_validity_units (refresh_token)` +: The time unit for the refresh_token_validity. + +`read_attributes` +: A list of the read-only attributes of the user pool. 
+ +`write_attributes` +: A list of writeable attributes of the user pool. + +`explicit_auth_flows` +: The authentication flows supported by the user pool client. + +`supported_identity_providers` +: The list of provider names for the identity providers supported by the user pool client. + +`callback_urls` +: The list of callback URLs for the identity providers. + +`logout_urls` +: The list of logout URLs for the identity providers. + +`default_redirect_uri` +: The default redirect URI. This must be in the callback_urls list. + +`allowed_o_auth_flows` +: The allowed_o_auth_flows of the user pool. + +`allowed_o_auth_scopes` +: The allowed_o_auth_scopes of the user pool. + +`allowed_o_auth_flows_user_pool_client` +: Whether the client is allowed to follow the OAuth protocol when interacting with user pools. Valid values: `true`, `false`. + +`analytics_configuration (application_id)` +: The Amazon Pinpoint analytics application ID. + +`analytics_configuration (application_arn)` +: The Amazon Pinpoint ARN. + +`analytics_configuration (role_arn)` +: The ARN of an IAM role that authorizes Cognito to publish events to Pinpoint. + +`analytics_configuration (external_id)` +: The Amazon Pinpoint analytics external ID. + +`analytics_configuration (user_data_shared)` +: Whether Cognito will include user data if it publishes to Pinpoint analytics. Valid values: `true`, `false`. + +`prevent_user_existence_errors` +: Select which errors are returned by Cognito APIs. Valid values: `ENABLED`, `LEGACY`. 
+ +## Examples + +Ensure an client name is available: + +```ruby +describe aws_cognito_userpool_client(user_pool_id: 'USER_POOL_ID', client_id: 'CLIENT_ID') do + its('client_name') { should eq 'CLIENT_NAME' } +end +``` + +Ensure an client secret is available: + +```ruby +describe aws_cognito_userpool_client(user_pool_id: 'USER_POOL_ID', client_id: 'CLIENT_ID') do + its('client_secret') { should eq 'CLIENT_SECRET' } +end +``` + +## Matchers + +{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}} + +The controls will pass if the `describe` method returns at least one result. + +### exist + +Use `should` to test that the entity exists. + +```ruby +describe aws_cognito_userpool_client(user_pool_id: 'USER_POOL_ID', client_id: 'CLIENT_ID') do + it { should exist } +end +``` + +Use `should_not` to test the entity does not exist. + +```ruby +describe aws_cognito_userpool_client(user_pool_id: 'USER_POOL_ID', client_id: 'CLIENT_ID') do + it { should_not exist } +end +``` + +### be_available + +Use `should` to check if the user pool is available. + +```ruby +describe aws_cognito_userpool_client(user_pool_id: 'USER_POOL_ID', client_id: 'CLIENT_ID') do + it { should be_available } +end +``` + +## AWS Permissions + +{{% inspec-aws/aws_permissions_principal action="CognitoIdentityProvider:Client:DescribeUserPoolClientResponse" %}} diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_cognito_userpool_clients.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_cognito_userpool_clients.md new file mode 100644 index 0000000..357daac --- /dev/null +++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_cognito_userpool_clients.md 
@@ -0,0 +1,96 @@ ++++ +title = "aws_cognito_userpool_clients resource" + +draft = false + + +[menu.aws] +title = "aws_cognito_userpool_clients" +identifier = "inspec/resources/aws/aws_cognito_userpool_clients resource" +parent = "inspec/resources/aws" ++++ + +Use the `aws_cognito_userpool_clients` InSpec audit resource to test properties of multiple Cognito user pool clients. + +For additional information, including details on parameters and properties, see the [AWS documentation on Cognito user pool](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-userpoolclient.html). + +## Syntax + +Ensure that a user pool client exists. + +```ruby +describe aws_cognito_userpool_clients(user_pool_id: 'USER_POOL_ID') do + it { should exist } +end +``` + +## Parameters + +`user_pool_id` _(required)_ + +## Properties + +`client_ids` +: The client IDs of the user pools. + +`user_pool_ids` +: The user pool IDs of the user pools. + +`client_names` +: The client names of the user pools. + +## Examples + +Ensure that the specific client ID is available: + +```ruby +describe aws_cognito_userpool_clients(user_pool_id: 'USER_POOL_ID') do + its('client_ids') { should include 'CLIENT_ID' } +end +``` + +Ensure that the specific client name is available: + +```ruby +describe aws_cognito_userpool_clients(user_pool_id: 'USER_POOL_ID') do + its('client_names') { should include 'CLIENT_NAME' } +end +``` + +## Matchers + +{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}} + +The controls will pass if the `list` method returns at least one result. + +### exist + +Use `should` to test that the entity exists. + +```ruby +describe aws_cognito_userpool_clients(user_pool_id: 'USER_POOL_ID') do + it { should exist } +end +``` + +Use `should_not` to test the entity does not exist. 
+ +```ruby +describe aws_cognito_userpool_clients(user_pool_id: 'USER_POOL_ID') do + it { should_not exist } +end +``` + +### be_available + +Use `should` to check if the user pool clients are available. + +```ruby +describe aws_cognito_userpool_clients(user_pool_id: 'USER_POOL_ID') do + it { should be_available } +end +``` + +## AWS Permissions + +{{% inspec-aws/aws_permissions_principal action="CognitoIdentityProvider:Client:ListUserPoolClientsResponse" %}} diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_cognito_userpools.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_cognito_userpools.md new file mode 100644 index 0000000..588a1f2 --- /dev/null +++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_cognito_userpools.md 
@@ -0,0 +1,105 @@ ++++ +title = "aws_cognito_userpools resource" + +draft = false + + +[menu.aws] +title = "aws_cognito_userpools" +identifier = "inspec/resources/aws/aws_cognito_userpools resource" +parent = "inspec/resources/aws" ++++ + +Use the `aws_cognito_userpools` InSpec audit resource to test properties of multiple Cognito user pools. + +For additional information, including details on parameters and properties, see the [AWS documentation on Cognito user pool](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-userpool.html). + +## Syntax + +Ensure that a user pool exists. + +```ruby +describe aws_cognito_userpools do + it { should exist } +end +``` + +## Parameters + +This resource does not require any parameters. + +## Properties + +`ids` +: The IDs of the user pools. + +`names` +: The names of the user pools. + +`lambda_configs` +: The lambda trigger configuration of the user pools. + +`statuses` +: The statuses of the user pools. + +`last_modified_dates` +: The last_modified_dates of the user pools. + +`creation_dates` +: The creation_dates of the user pools. + +## Examples + +Ensure an ID is available: + +```ruby +describe aws_cognito_userpools do + its('ids') { should include 'USER_POOL_ID' } +end +``` + +Ensure a name is available: + +```ruby +describe aws_cognito_userpools do + its('names') { should include 'USER_POOL_NAME' } +end +``` + +## Matchers + +{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}} + +The controls will pass if the `list` method returns at least one result. + +### exist + +Use `should` to test that the entity exists. + +```ruby +describe aws_cognito_userpools do + it { should exist } +end +``` + +Use `should_not` to test the entity does not exist. + +```ruby +describe aws_cognito_userpools do + it { should_not exist } +end +``` + +### be_available + +Use `should` to check if the user pool is available. 
+ +```ruby +describe aws_cognito_userpools do + it { should be_available } +end +``` + +## AWS Permissions + +{{% inspec-aws/aws_permissions_principal action="CognitoIdentityProvider:Client:ListUserPoolsResponse" %}} diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_config_delivery_channel.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_config_delivery_channel.md new file mode 100644 index 0000000..84c7849 --- /dev/null +++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_config_delivery_channel.md 
@@ -0,0 +1,111 @@ ++++ +title = "aws_config_delivery_channel resource" + +draft = false + + +[menu.aws] +title = "aws_config_delivery_channel" +identifier = "inspec/resources/aws/aws_config_delivery_channel resource" +parent = "inspec/resources/aws" ++++ + +The AWS Config service can monitor and record changes to your AWS resource configurations. A Delivery Channel can record the changes +to an S3 Bucket, an SNS or both. + +Use the `aws_config_delivery_channel` InSpec audit resource to examine how the AWS Config service delivers those change notifications. + +One delivery channel is allowed per region per AWS account, and the delivery channel is required to use AWS Config. + +For additional information, including details on parameters and properties, see the [AWS documentation on Delivery Channels](https://docs.aws.amazon.com/config/latest/developerguide/manage-delivery-channel.html). + +## Syntax + +```ruby +describe aws_config_delivery_channel('my_channel') do + it { should exist } +end +``` + +```ruby +describe aws_config_delivery_channel(channel_name: 'my-channel') do + it { should exist } +end +``` + +Since you may only have one Delivery Channel per region, and InSpec connections are per-region, you may also omit the `channel_name` to obtain the one Delivery Channel (if any) that exists: + +```ruby +describe aws_config_delivery_channel do + it { should exist } +end +``` + +## Parameters + +`channel_name` _(optional)_ + +: This resource accepts a single parameter, the channel name. + This can be passed either as a string or as a `channel_name: 'value'` key-value entry in a hash. + +## Properties + +`channel_name` +: The name of the delivery channel. By default, AWS Config assigns the name "default" when creating the delivery channel. + +`s3_bucket_name` +: The name of the Amazon S3 bucket to which AWS Config delivers configuration snapshots and configuration history files. + +`s3_key_prefix` +: The prefix for the specified Amazon S3 bucket. 
+ +`sns_topic_arn` +: The Amazon Resource Name (ARN) of the Amazon SNS topic to which AWS Config sends notifications about configuration changes. + +`delivery_frequency_in_hours` +: Specifies how often the AWS Config sends configuration changes to the s3 bucket in the delivery channel. + +## Examples + +Test how frequently the channel writes configuration changes to the s3 bucket: + +```ruby +describe aws_config_delivery_channel(channel_name: 'my-recorder') do + its('delivery_frequency_in_hours') { should be > 3 } +end +``` + +Ensure configuration change notifications are being delivered to the correct bucket and key: + +```ruby +describe aws_config_delivery_channel(channel_name: 'my_channel') + its('s3_bucket_name') { should eq 'my_bucket' } + its('s3_key_prefix') { should eq 'logs/' } +end +``` + +## Matchers + +### exist + +The control will pass if the describe returns at least one result. + +Use `should_not` to test the entity should not exist. + +```ruby +describe aws_config_delivery_channel('my_channel') do + it { should exist } +end +``` + +```ruby +describe aws_config_delivery_channel('my-nonexistent-channel') do + it { should_not exist } +end +``` + +## AWS Permissions + +{{% inspec-aws/aws_permissions_principal action="ConfigService:Client:DescribeDeliveryChannelsResponse" %}} + +You can find detailed documentation at [Actions, Resources, and Condition Keys for AWS Config](https://docs.aws.amazon.com/IAM/latest/UserGuide/list_awsconfig.html). diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_config_recorder.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_config_recorder.md new file mode 100644 index 0000000..e3b2776 --- /dev/null +++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_config_recorder.md 
@@ -0,0 +1,135 @@ ++++ +title = "aws_config_recorder resource" + +draft = false + + +[menu.aws] +title = "aws_config_recorder" +identifier = "inspec/resources/aws/aws_config_recorder resource" +parent = "inspec/resources/aws" ++++ + +Use the `aws_config_recorder` InSpec audit resource to test properties of your AWS Config service. + +The AWS Config service can monitor and record changes to your AWS resource configurations. The AWS Config recorder is used to detect changes in resource configurations and capture these changes as configuration items. + +As of April 2018, you are only permitted one configuration recorder per region. + +For additional information, including details on parameters and properties, see the [AWS documentation on the `AWS::Config::ConfigurationRecorder` resource](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-config-configurationrecorder.html). + +## Syntax + +An `aws_config_recorder` resource block declares the tests for a single AWS Config resource by recorder name. + +```ruby +describe aws_config_recorder('RECORDER_NAME') do + it { should exist } +end +``` + +You may also use hash syntax to pass the recorder name + +```ruby +describe aws_config_recorder(recorder_name: 'RECORDER_NAME') do + it { should exist } +end +``` + +Since you may only have one recorder per region, and InSpec connections are per-region, you may also omit the recorder name to obtain the one recorder (if any) that exists: + +```ruby +describe aws_config_recorder do + it { should exist } +end +``` + +## Parameters + +`recorder_name` _(optional)_ + +: This resource accepts a single parameter, the Configuration recorder name. + This can be passed either as a string or as a `recorder_name: 'value'` key-value entry in a hash. + +## Properties + +`recorder_name` +: The name of the recorder. By default, AWS Config automatically assigns the name "default" when creating the configuration recorder. You cannot change the assigned name. 
+ +`role_arn` +: Amazon Resource Name (ARN) of the IAM role used to describe the AWS resources associated with the account. + +`resource_types` +: A comma-separated list that specifies the types of AWS resources for which AWS Config records configuration changes (i.e. AWS::EC2::Instance). + +`last_status` +: The last (previous) status of the recorder. + +## Examples + +Test if the recorder is active and recording: + +```ruby +describe aws_config_recorder do + it { should be_recording } +end +``` + +Ensure the role_arn is correct for the recorder: + +The role is used to grant permissions to S3 Buckets, SNS topics and to get configuration details for supported AWS resources. + +```ruby +describe aws_config_recorder do + its('role_arn') { should eq 'arn:aws:iam::721741954427:role/My_Recorder' } +end +``` + +Test the recorder is monitoring changes to the correct resources: + +```ruby +describe aws_config_recorder do + its('resource_types') { should include 'AWS::EC2::CustomerGateway' } + its('resource_types') { should include 'AWS::EC2::EIP' } +end +``` + +Test the recorder's last status: + +```ruby +describe aws_config_recorder do + its('last_status') { should eq 'SUCCESS' } +end +``` + +## Matchers + +### be_recording + +Ensure the recorder is active + +```ruby +it { should be_recording } +``` + +### be_recording_all_resource_types + +Indicates if the configuration recorder will record changes for all resources, regardless of type. If this is true, resource_types is ignored. + +```ruby +it { should be_recording_all_resource_types } +``` + +### be_recording_all_global_types + +Indicates whether the configuration recorder will record changes for global resource types (such as [Principal](https://docs.aws.amazon.com/IAM/latest/UserGuide/intro-structure.html#intro-structure-principal)s). 
+ +```ruby +it { should be_recording_all_global_types } +``` + +## AWS Permissions + +{{% inspec-aws/aws_permissions_principal action="ConfigService:Client:DescribeConfigurationRecordersResponse" %}} + +You can find detailed documentation at [Actions, Resources, and Condition Keys for AWS Config](https://docs.aws.amazon.com/IAM/latest/UserGuide/list_awsconfig.html). diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_db_parameter_group.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_db_parameter_group.md new file mode 100644 index 0000000..f86ecd1 --- /dev/null +++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_db_parameter_group.md 
@@ -0,0 +1,91 @@ ++++ +title = "aws_db_parameter_group resource" + +draft = false + + +[menu.aws] +title = "aws_db_parameter_group" +identifier = "inspec/resources/aws/aws_db_parameter_group resource" +parent = "inspec/resources/aws" ++++ + +Use the `aws_db_parameter_group` InSpec audit resource to test properties of an AWS DB parameter group. + +#### db_parameter_group_name _(required)_ + +This resource accepts a single parameter, the DB parameter group name. This can be passed either as a string or as a `aws_db_parameter_group: 'value'` key-value entry in a hash. + +For additional information, including details on parameters and properties, see the [AWS documentation on DB parameter groups](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-rds-dbparametergroup.html). + +## Syntax + +An `aws_db_parameter_group` resource block uses the parameter to select a parameter group. + +```ruby +describe aws_db_parameter_group(db_parameter_group_name: 'parameter-group-name-12345') do + it { should exist } +end +``` + +## Parameters + +`db_parameter_group_name` _(required)_ + +: This resource accepts a single parameter, the DB parameter group name. This can be passed either as a string or as a `aws_db_parameter_group: 'value'` key-value entry in a hash. + +## Properties + +`db_parameter_group_name` +: The name of the DB parameter group. + +`db_parameter_group_family` +: The name of the DB parameter group family that this DB parameter group is compatible with. + +`description` +: The customer-specified description for this DB parameter group. + +`db_parameter_group_arn` +: The Amazon Resource Name (ARN) for the DB parameter group. 
+ +For a comprehensive list of properties available, see [the API reference documentation](https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_DBParameterGroup.html) + +## Examples + +Verify the group name of a DB parameter group: + +```ruby +describe aws_db_parameter_group(db_parameter_group_name: 'parameter-group-name-12345') do + its('db_parameter_group_name') { should eq 'parameter-group-name-12345' } +end +``` + +## Matchers + +{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}} + +This resource has the following special matchers. + +### exist + +The control will pass if the describe returns at least one result. + +```ruby +describe aws_db_parameter_group(db_parameter_group_name: 'parameter-group-name-12345') do + it { should exist } +end +``` + +Use `should_not` to test the entity should not exist. + +```ruby +describe aws_db_parameter_group(db_parameter_group_name: 'parameter-group-name-6789') do + it { should_not exist } +end +``` + +## AWS Permissions + +{{% inspec-aws/aws_permissions_principal action="RDS:Client:DBParameterGroupsMessage" %}} + +You can find detailed documentation at [Actions, Resources, and Condition Keys for Amazon RDS](https://docs.aws.amazon.com/IAM/latest/UserGuide/list_amazonrds.html). diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_db_parameter_groups.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_db_parameter_groups.md new file mode 100644 index 0000000..32069cb --- /dev/null +++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_db_parameter_groups.md 
@@ -0,0 +1,87 @@ ++++ +title = "aws_db_parameter_groups resource" + +draft = false + + +[menu.aws] +title = "aws_db_parameter_groups" +identifier = "inspec/resources/aws/aws_db_parameter_groups resource" +parent = "inspec/resources/aws" ++++ + +Use the `aws_db_parameter_groups` InSpec audit resource to test properties of a collection of AWS DB parameter groups. + +This resource does not expect any parameters. + +For additional information, including details on parameters and properties, see the [AWS documentation on DB parameter groups](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-rds-dbparametergroup.html). + +## Syntax + +Ensure you have exactly three DB parameter groups: + +```ruby +describe aws_db_parameter_groups do + its('db_parameter_group_names.count') { should cmp 3 } +end +``` + +## Parameters + +This resource does not require any parameters. + +## Properties + +`db_parameter_group_names` +: The name of the DB parameter group. + +`db_parameter_group_families` +: The name of the DB parameter group family that this DB parameter group is compatible with. + +`descriptions` +: Provides the customer-specified description for this DB parameter group. + +`db_parameter_group_arns` +: The Amazon Resource Name (ARN) for the DB parameter group. + +For a comprehensive list of properties available, see [the API reference documentation](https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_DBParameterGroup.html) + +## Examples + +Ensure the group name of a DB parameter group exists: + +```ruby +describe aws_db_parameter_groups do + its('db_parameter_group_names') { should include 'parameter-group-name' } +end +``` + +## Matchers + +{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}} + +This resource has the following special matchers. + +### exist + +The control will pass if the describe method returns at least one result. 
+ +```ruby +describe aws_db_parameter_groups.where( : ) do + it { should exist } +end +``` + +Use `should_not` to test the entity should not exist. + +```ruby +describe aws_db_parameter_groups.where( : ) do + it { should_not exist } +end +``` + +## AWS Permissions + +{{% inspec-aws/aws_permissions_principal action="RDS:Client:DBParameterGroupsMessage" %}} + +You can find detailed documentation at [Actions, Resources, and Condition Keys for Amazon RDS](https://docs.aws.amazon.com/IAM/latest/UserGuide/list_amazonrds.html). diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_db_subnet_group.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_db_subnet_group.md new file mode 100644 index 0000000..2f386b5 --- /dev/null +++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_db_subnet_group.md 
@@ -0,0 +1,94 @@ ++++ +title = "aws_db_subnet_group resource" + +draft = false + + +[menu.aws] +title = "aws_db_subnet_group" +identifier = "inspec/resources/aws/aws_db_subnet_group resource" +parent = "inspec/resources/aws" ++++ + +Use the `aws_db_subnet_group` InSpec audit resource to test properties of a db subnet group. + +## Syntax + + An `aws_db_subnet_group` resource block uses the parameter to select a subnet group. + +```ruby +describe aws_db_subnet_group(db_subnet_group_name: 'subnet-group-name-12345') do + it { should exist } +end +``` + +## Parameters + +`db_subnet_group_name` _(required)_ + +: This resource accepts a single parameter, the DB Subnet Group Name. + This can be passed either as a string or as a `aws_db_subnet_group: 'value'` key-value entry in a hash. + +See the [AWS documentation on DB Subnet Groups](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_VPC.WorkingWithRDSInstanceinaVPC.html#USER_VPC.Subnets). + +## Properties + +`db_subnet_group_name` +: The name of the DB subnet group. + +`db_subnet_group_description` +: Provides the description of the DB subnet group. + +`vpc_id` +: Provides the VPC ID of the DB subnet group. + +`subnet_group_status` +: Provides the status of the DB subnet group. + +`subnets` +: Contains a list of Subnet elements. + +`db_subnet_group_arn` +: The Amazon Resource Name for the DB subnet group. + +For a comprehensive list of properties available, see [the API reference documentation](https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_DBSubnetGroup.html) + +## Examples + +Check DB Subnet Group Name of a subnet group: + +```ruby +describe aws_db_subnet_group(db_subnet_group_name: 'subnet-group-name-12345') do + its('db_subnet_group_name') { should eq 'subnet-group-name-12345' } +end +``` + +## Matchers + +{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}} + +This resource has the following special matchers. 
+ +### exist + +The control will pass if the describe returns at least one result. + +Use `should_not` to test the entity should not exist. + +```ruby +describe aws_db_subnet_group(db_subnet_group_name: 'subnet-group-name-12345') do + it { should exist } +end +``` + +```ruby +describe aws_rds_cluster(db_cluster_identifier: 'subnet-group-name-6789') do + it { should_not exist } +end +``` + +## AWS Permissions + +{{% inspec-aws/aws_permissions_principal action="RDS:Client:DBSubnetGroupMessage" %}} + +You can find detailed documentation at [Actions, Resources, and Condition Keys for Amazon RDS](https://docs.aws.amazon.com/IAM/latest/UserGuide/list_amazonrds.html). diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_db_subnet_groups.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_db_subnet_groups.md new file mode 100644 index 0000000..79c1d12 --- /dev/null +++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_db_subnet_groups.md 
@@ -0,0 +1,91 @@ ++++ +title = "aws_db_subnet_groups resource" + +draft = false + + +[menu.aws] +title = "aws_db_subnet_groups" +identifier = "inspec/resources/aws/aws_db_subnet_groups resource" +parent = "inspec/resources/aws" ++++ + +Use the `aws_db_subnet_groups` InSpec audit resource to test properties of a collection of AWS RDS subnet groups. + +RDS gives you access to the capabilities of a MySQL, MariaDB, PostgreSQL, Microsoft SQL Server, Oracle, or Amazon Aurora database server. + +## Syntax + + Ensure you have exactly 3 subnet groups + +```ruby +describe aws_db_subnet_groups do + its('db_subnet_group_names.count') { should cmp 3 } +end +``` + +## Parameters + +This resource does not require any parameters. + +## Properties + +`db_subnet_group_names` +: The name of the DB subnet group. + +`db_subnet_group_descriptions` +: Provides the description of the DB subnet group. + +`vpc_ids` +: Provides the VPC ID of the DB subnet group. + +`subnet_group_status` +: Provides the status of the DB subnet group. + +`subnets` +: Contains a list of Subnet elements. + +`db_subnet_group_arns` +: The Amazon Resource Name for the DB subnet group. + +For a comprehensive list of properties available, see [the API reference documentation](https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_DBSubnetGroup.html) + +## Examples + +Ensure DB Subnet Group Name of a subnet group exists: + +```ruby +describe aws_db_subnet_groups do + its('db_subnet_group_names') { should include 'subnet-group-name' } +end +``` + +## Matchers + +{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}} + +This resource has the following special matchers. + +### exist + +The control will pass if the describe returns at least one result. + +Use `should_not` to test the entity should not exist. 
+ +```ruby +describe aws_db_subnet_groups.where( : ) do + it { should exist } +end +``` + +```ruby +describe aws_db_subnet_groups.where( : ) do + it { should_not exist } +end +``` + +## AWS Permissions + +{{% inspec-aws/aws_permissions_principal action="RDS:Client:DBSubnetGroupMessage" %}} + +You can find detailed documentation at [Actions, Resources, and Condition Keys for Amazon RDS](https://docs.aws.amazon.com/IAM/latest/UserGuide/list_amazonrds.html). diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_dhcp_options.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_dhcp_options.md new file mode 100644 index 0000000..9c18663 --- /dev/null +++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_dhcp_options.md 
@@ -0,0 +1,72 @@ ++++ +title = "aws_dhcp_options resource" + +draft = false + + +[menu.aws] +title = "aws_dhcp_options" +identifier = "inspec/resources/aws/aws_dhcp_options resource" +parent = "inspec/resources/aws" ++++ +DEPRECATION NOTICE** + +The **aws_dhcp_options** InSpec audit resource is deprecated and replaced by the `aws_ec2_dhcp_option` and `aws_ec2_dhcp_options` resources. + +Use the `aws_dhcp_options` InSpec audit resource to test properties of a single AWS DHCP Options. + +For additional information, including details on parameters and properties, see the [AWS documentation on EC2](https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeDhcpOptions.html). + +## Syntax + +Ensure that an `aws_dhcp_options` exists + +```ruby +describe aws_dhcp_options('dopt-0123456789abcdefg') do + it { should exist } +end +``` + +```ruby +describe aws_dhcp_options(dhcp_options_id: 'dopt-0123456789abcdefg') do + it { should exist } +end +``` + +## Parameters + +`dhcp_options_id` _(required)_ + +: This resource accepts a single parameter, the DHCP Options ID which uniquely identifies the DHCP Options. + This can be passed either as a string or as a `dhcp_options_id: 'value'` key-value entry in a hash. + +## Properties + +`dhcp_configurations` +: The list of dhcp configurations. + +`domain_name_servers` +: The list of domain name servers in the dhcp configuration. + +`ntp_servers` +: The list of ntp servers in the dhcp configuration. + +`tags` +: The tags of the DHCP Options. 
+ +## Examples + +Test tags on the DHCP options: + +```ruby +describe aws_dhcp_options('dopt-0123456789abcdefg') do + its('tags') { should include(:Environment => 'env-name', + :Name => 'dhcp-options-name')} +end +``` + +## AWS Permissions + +{{% inspec-aws/aws_permissions_principal action="EC2:Client:DescribeDhcpOptionsResult" %}} + +You can find detailed documentation at [Actions, Resources, and Condition Keys for Amazon EC2](https://docs.aws.amazon.com/IAM/latest/UserGuide/list_amazonec2.html). diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_dms_endpoint.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_dms_endpoint.md new file mode 100644 index 0000000..2d6a534 --- /dev/null +++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_dms_endpoint.md 
@@ -0,0 +1,188 @@ ++++ +title = "aws_dms_endpoint resource" + +draft = false + + +[menu.aws] +title = "aws_dms_endpoint" +identifier = "inspec/resources/aws/aws_dms_endpoint resource" +parent = "inspec/resources/aws" ++++ + +Use the `aws_dms_endpoint` InSpec audit resource to test properties of a single specific AWS Database Migration Service (DMS) endpoint. + +For additional information, including details on parameters and properties, see the [AWS documentation on DMS endpoints](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-dms-endpoint.html). + +## Syntax + +Ensure that an arn exists. + +```ruby +describe aws_dms_endpoint(endpoint_arn: 'test-arn') do + it { should exist } +end +``` + +## Parameters + +`endpoint_arn` _(required)_ + +: The ARN of the DMS endpoint. + +## Properties + +`endpoint_identifier` +: The database endpoint identifier. + +`endpoint_type` +: The endpoint type. + +`engine_name` +: The type of engine for the endpoint. Valid values: `mysql`, `oracle`, `postgres`, `mariadb`, `aurora`, `aurora-postgresql`, `redshift`, `s3`, `db2`, `azuredb`, `sybase`, `dynamodb`, `mongodb`, `kinesis`, `kafka`, `elasticsearch`, `docdb`, `sqlserver`, and `neptune`. + +`engine_display_name` +: The expanded name for the engine name. + +`username` +: The user name used to connect to the endpoint. + +`server_name` +: The name of the server at the endpoint. + +`port` +: The port value used to access the endpoint. + +`database_name` +: The name of the database at the endpoint. + +`extra_connection_attributes` +: Additional connection attributes used to connect to the endpoint. + +`status` +: The status of the endpoint. + +`kms_key_id` +: An AWS KMS key identifier that is used to encrypt the connection parameters for the endpoint. + +`endpoint_arn` +: The ARN of the endpoint. + +`certificate_arn` +: The ARN used for SSL connection to the endpoint. + +`ssl_mode` +: The SSL mode used to connect to the endpoint. 
+ +`service_access_role_arns` +: The ARN used by the service access IAM role. + +`external_table_definition` +: The external table definition. + +`external_id` +: Value returned by a call to CreateEndpoint that can be used for cross-account validation. + +`dynamo_db_settings` +: Settings in JSON format for the target Amazon DynamoDB endpoint. + +`s3_settings` +: Settings in JSON format for the target Amazon S3 endpoint. + +`dms_transfer_settings` +: The settings in JSON format for the DMS transfer type of source endpoint. + +`mongo_db_settings` +: The settings for the MongoDB source endpoint. + +`kinesis_settings` +: The settings for the Amazon Kinesis target endpoint. + +`kafka_settings` +: The settings for the Apache Kafka endpoint. + +`elasticsearch_settings` +: The settings for the Elasticsearch endpoint. + +`neptune_settings` +: The settings for the Amazon Neptune target endpoint. + +`redshift_settings` +: The settings for the Amazon Redshift endpoint. + +`postgre_sql_settings` +: The settings for the PostgreSQL source and target endpoint. + +`my_sql_settings` +: The settings for the MySQL source and target endpoint. + +`oracle_settings` +: The settings for the Oracle source and target endpoint. + +`sybase_settings` +: The settings for the SAP ASE source and target endpoint. + +`microsoft_sql_server_settings` +: The settings for the Microsoft SQL Server source and target endpoint. + +`ibm_db_2_settings` +: The settings for the IBM Db2 LUW source endpoint. + +`doc_db_settings` +: The settings for the DocumentDB endpoint. 
+ +## Examples + +Ensure an engine name is available: + +```ruby +describe aws_dms_endpoint(endpoint_arn: 'ENDPOINT_ARN') do + its('engine_name') { should eq 'ENDPOINT_ENGINE_NAME' } +end +``` + +Ensure that the endpoint listens to a specific port: + +```ruby +describe aws_dms_endpoint(endpoint_arn: 'ENDPOINT_ARN') do + its('port') { should eq 3306 } +end +``` + +## Matchers + +{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}} + +The controls will pass if the `describe` method returns at least one result. + +### exist + +Use `should` to test that the entity exists. + +```ruby +describe aws_dms_endpoint(endpoint_arn: 'ENDPOINT_ARN') do + it { should exist } +end +``` + +Use `should_not` to test the entity does not exist. + +```ruby +describe aws_dms_endpoint(endpoint_arn: 'ENDPOINT_ARN') do + it { should_not exist } +end +``` + +### be_available + +Use `should` to check if the endpoint is available. + +```ruby +describe aws_dms_endpoint(endpoint_arn: 'ENDPOINT_ARN') do + it { should be_available } +end +``` + +## AWS Permissions + +{{% inspec-aws/aws_permissions_principal action="DatabaseMigrationService:Client:DescribeEndpointsResponse" %}} diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_dms_endpoints.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_dms_endpoints.md new file mode 100644 index 0000000..395a6ed --- /dev/null +++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_dms_endpoints.md 
@@ -0,0 +1,186 @@ ++++ +title = "aws_dms_endpoints resource" + +draft = false + + +[menu.aws] +title = "aws_dms_endpoints" +identifier = "inspec/resources/aws/aws_dms_endpoints resource" +parent = "inspec/resources/aws" ++++ + +Use the `aws_dms_endpoints` InSpec audit resource to test properties of a single specific AWS Database Migration Service (DMS) endpoint. + +For additional information, including details on parameters and properties, see the [AWS documentation on DMS Endpoint](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-dms-endpoint.html). + +## Syntax + +Ensure that an endpoint exists. + +```ruby +describe aws_dms_endpoints do + it { should exist } +end +``` + +## Parameters + +There are no required parameters. + +## Properties + +`endpoint_identifiers` +: The database endpoint identifiers. + +`endpoint_types` +: The endpoint types. + +`engine_names` +: The type of engine for an endpoint. Valid values: `mysql`, `oracle`, `postgres`, `mariadb`, `aurora`, `aurora-postgresql`, `redshift`, `s3`, `db2`, `azuredb`, `sybase`, `dynamodb`, `mongodb`, `kinesis`, `kafka`, `elasticsearch`, `docdb`, `sqlserver`, and `neptune`. + +`engine_display_names` +: An expanded name for an engine name. + +`usernames` +: The user names used to connect to an endpoint. + +`server_names` +: The name of the server at an endpoint. + +`ports` +: The port value used to access an endpoint. + +`database_names` +: The name of the database at an endpoint. + +`extra_connection_attributes` +: Additional connection attributes used to connect to an endpoint. + +`statuses` +: The status of an endpoint. + +`kms_key_ids` +: An AWS KMS key identifier that is used to encrypt the connection parameters for an endpoint. + +`endpoint_arns` +: The ARN of an endpoint. + +`certificate_arns` +: The ARN used for SSL connection to an endpoint. + +`ssl_modes` +: The SSL mode used to connect to an endpoint. 
+ +`service_access_role_arns` +: The ARN used by the service access IAM role. + +`external_table_definitions` +: The external table definition. + +`external_ids` +: Value returned by a call to CreateEndpoint that can be used for cross-account validation. + +`dynamo_db_settings` +: Settings in JSON format for an Amazon DynamoDB endpoint. + +`s3_settings` +: Settings in JSON format for an Amazon S3 endpoint. + +`dms_transfer_settings` +: The settings in JSON format for a DMS transfer type of source endpoint. + +`mongo_db_settings` +: The settings for a MongoDB source endpoint. + +`kinesis_settings` +: The settings for a Amazon Kinesis target endpoint. + +`kafka_settings` +: The settings for an Apache Kafka endpoint. + +`elasticsearch_settings` +: The settings for an Elasticsearch endpoint. + +`neptune_settings` +: The settings for an Amazon Neptune target endpoint. + +`redshift_settings` +: The settings for an Amazon Redshift endpoint. + +`postgre_sql_settings` +: The settings for a PostgreSQL source and target endpoint. + +`my_sql_settings` +: The settings for a MySQL source and target endpoint. + +`oracle_settings` +: The settings for an Oracle source and target endpoint. + +`sybase_settings` +: The settings for a SAP ASE source and target endpoint. + +`microsoft_sql_server_settings` +: The settings for a Microsoft SQL Server source and target endpoint. + +`ibm_db_2_settings` +: The settings for an IBM Db2 LUW source endpoint. + +`doc_db_settings` +: The settings for a DocumentDB endpoint. + +## Examples + +Ensure an engine name is available: + +```ruby +describe aws_dms_endpoints do + its('engine_names') { should include 'ENGINE_NAME' } +end +``` + +Ensure that an endpoint listens to a specific port: + +```ruby +describe aws_dms_endpoints do + its('ports') { should include 3306 } +end +``` + +## Matchers + +{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}} + +The controls will pass if the `describe` method returns at least one result. 
+ +### exist + +Use `should` to test that the entity exists. + +```ruby +describe aws_dms_endpoints do + it { should exist } +end +``` + +Use `should_not` to test the entity does not exist. + +```ruby +describe aws_dms_endpoints do + it { should_not exist } +end +``` + +### be_available + +Use `should` to check if an endpoint is available. + +```ruby +describe aws_dms_endpoints do + it { should be_available } +end +``` + +## AWS Permissions + +{{% inspec-aws/aws_permissions_principal action="DatabaseMigrationService:Client:DescribeEndpointsResponse" %}} diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_dms_replication_instance.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_dms_replication_instance.md new file mode 100644 index 0000000..a2a50b5 --- /dev/null +++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_dms_replication_instance.md 
@@ -0,0 +1,116 @@ ++++ +title = "aws_dms_replication_instance resource" + +draft = false + + +[menu.aws] +title = "aws_dms_replication_instance" +identifier = "inspec/resources/aws/aws_dms_replication_instance resource" +parent = "inspec/resources/aws" ++++ + +Use the `aws_dms_replication_instance` InSpec audit resource to test properties of a single AWS DMS replication instance. + +The AWS::DMS::ReplicationInstance resource creates an AWS DMS replication instance. + +For additional information, including details on parameters and properties, see the [AWS documentation on DMS replication instances](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-dms-replicationinstance.html). + +## Syntax + +Ensure that a replication instance exists. + +```ruby +describe aws_dms_replication_instance do + it { should exist } +end +``` + +## Parameters + +This resource does not require any parameters. + +## Properties + +`engine_version` +: The engine version of the replication instance. + +`replication_instance_class` +: The compute and memory capacity of the replication instance as defined for the specified replication instance class. + +`storage_type` +: The storage type of the replication instance. + +`min_allocated_storage` +: The min allocated storage of the replication instance. + +`max_allocated_storage` +: The max allocated storage of the replication instance. + +`default_allocated_storage` +: The default allocated storage of the replication instance in gigabytes. + +`included_allocated_storage` +: The included allocated storage of the replication instance in gigabytes. + +`availability_zones` +: The availability zones of the replication instance. + +`release_status` +: The release status of the replication instance. 
+ +## Examples + +Ensure an engine version is available: + +```ruby +describe aws_dms_replication_instance do + its('engine_version') { should eq '3.4.4' } +end +``` + +Ensure that the replication instance class is `dms.c4.2xlarge`: + +```ruby +describe aws_dms_replication_instance do + its('replication_instance_class') { should eq 'dms.c4.2xlarge' } +end +``` + +## Matchers + +{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}} + +The controls will pass if the `describe` method returns at least one result. + +### exist + +Use `should` to test that the entity exists. + +```ruby +describe aws_dms_replication_instance do + it { should exist } +end +``` + +Use `should_not` to test the entity does not exist. + +```ruby +describe aws_dms_replication_instance do + it { should_not exist } +end +``` + +### be_available + +Use `should` to check if the work_group name is available. + +```ruby +describe aws_dms_replication_instance do + it { should be_available } +end +``` + +## AWS Permissions + +{{% inspec-aws/aws_permissions_principal action="DatabaseMigrationService:Client:DescribeOrderableReplicationInstancesResponse" %}} diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_dms_replication_instances.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_dms_replication_instances.md new file mode 100644 index 0000000..52f0745 --- /dev/null +++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_dms_replication_instances.md 
@@ -0,0 +1,116 @@ ++++ +title = "aws_dms_replication_instances resource" + +draft = false + + +[menu.aws] +title = "aws_dms_replication_instances" +identifier = "inspec/resources/aws/aws_dms_replication_instances resource" +parent = "inspec/resources/aws" ++++ + +Use the `aws_dms_replication_instances` InSpec audit resource to test properties of multiple AWS DMS replication instances. + +The AWS::DMS::ReplicationInstance resource creates an AWS DMS replication instance. + +For additional information, including details on parameters and properties, see the [AWS documentation on DMS Replication Instance](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-dms-replicationinstance.html). + +## Syntax + +### Ensure that a replication instance exists + +```ruby +describe aws_dms_replication_instances do + it { should exist } +end +``` + +## Parameters + +This resource does not require any parameters. + +## Properties + +`engine_versions` +: The engine versions of the replication instance. + +`replication_instance_classes` +: The compute and memory capacity of the replication instance as defined for the specified replication instance class. + +`storage_types` +: The storage types of the replication instance. + +`min_allocated_storages` +: The min allocated storages of the replication instance. + +`max_allocated_storages` +: The max allocated storages of the replication instance. + +`default_allocated_storages` +: The default allocated storages of the replication instance in gigabytes. + +`included_allocated_storages` +: The included allocated storages of the replication instance in gigabytes. + +`availability_zones` +: The availability zones of the replication instance. + +`release_statuses` +: The release statuses of the replication instance. 
+ +## Examples + +Ensure an engine version is available: + +```ruby +describe aws_dms_replication_instances do + its('engine_versions') { should include '3.4.4' } +end +``` + +Ensure that the classes are available: + +```ruby +describe aws_dms_replication_instances do + its('replication_instance_classes') { should include 'dms.c4.2xlarge' } +end +``` + +## Matchers + +{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}} + +The controls will pass if the `describe` method returns at least one result. + +### exist + +### Use `should` to test that the entity exists + +```ruby +describe aws_dms_replication_instances do + it { should exist } +end +``` + +### Use `should_not` to test the entity does not exist + +```ruby +describe aws_dms_replication_instances do + it { should_not exist } +end +``` + +### be_available + +Use `should` to check if the work group name is available. + +```ruby +describe aws_dms_replication_instances do + it { should be_available } +end +``` + +## AWS Permissions + +{{% inspec-aws/aws_permissions_principal action="DatabaseMigrationService:Client:DescribeOrderableReplicationInstancesResponse" %}} diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_dms_replication_subnet_group.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_dms_replication_subnet_group.md new file mode 100644 index 0000000..f32a67d --- /dev/null +++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_dms_replication_subnet_group.md 
@@ -0,0 +1,104 @@ ++++ +title = "aws_dms_replication_subnet_group resource" + +draft = false + + +[menu.aws] +title = "aws_dms_replication_subnet_group" +identifier = "inspec/resources/aws/aws_dms_replication_subnet_group resource" +parent = "inspec/resources/aws" ++++ + +Use the `aws_dms_replication_subnet_group` InSpec audit resource to test properties of a single DMS replication instance subnet group. + +For additional information, including details on parameters and properties, see the [AWS documentation on DMS Replication Subnet Group](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-dms-replicationsubnetgroup.html). + +## Syntax + +Ensure that a subnet group identifier exists. + +```ruby +describe aws_dms_replication_subnet_group(replication_subnet_group_identifier: 'test1') do + it { should exist } +end +``` + +## Parameters + +`replication_subnet_group_identifier` _(required)_ + +: The identifier for the replication subnet group. + +## Properties + +`replication_subnet_group_identifier` +: The identifier of the replication subnet group. + +`replication_subnet_group_description` +: The description of the replication subnet group. + +`vpc_id` +: The ID of the virtual private cloud. + +`subnet_group_status` +: The status of the replication subnet group. + +`subnets` +: The subnets that are in the replication subnet group. 
+ +## Examples + +Ensure a identifier is available: + +```ruby +describe aws_dms_replication_subnet_group(replication_subnet_group_identifier: 'SUBNET_GROUP_IDENTIFIER') do + its('replication_subnet_group_identifier') { should eq 'SUBNET_GROUP_IDENTIFIER' } +end +``` + +Ensure that the vpc is available: + +```ruby +describe aws_dms_replication_subnet_group(replication_subnet_group_identifier: 'SUBNET_GROUP_IDENTIFIER') do + its('vpc_id') { should eq 'VPC_ID' } +end +``` + +## Matchers + +{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}} + +The controls will pass if the `describe` method returns at least one result. + +### exist + +Use `should` to test that the entity exists. + +```ruby +describe aws_dms_replication_subnet_group(replication_subnet_group_identifier: 'SUBNET_GROUP_IDENTIFIER') do + it { should exist } +end +``` + +Use `should_not` to test the entity does not exist. + +```ruby +describe aws_dms_replication_subnet_group(replication_subnet_group_identifier: 'SUBNET_GROUP_IDENTIFIER') do + it { should_not exist } +end +``` + +### be_available + +Use `should` to check if the identifier is available. + +```ruby +describe aws_dms_replication_subnet_group(replication_subnet_group_identifier: 'SUBNET_GROUP_IDENTIFIER') do + it { should be_available } +end +``` + +## AWS Permissions + +{{% inspec-aws/aws_permissions_principal action="DatabaseMigrationService:Client:DescribeReplicationSubnetGroupsResponse" %}} diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_dms_replication_subnet_groups.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_dms_replication_subnet_groups.md new file mode 100644 index 0000000..90b4c4f --- /dev/null +++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_dms_replication_subnet_groups.md 
@@ -0,0 +1,102 @@
++++
+title = "aws_dms_replication_subnet_groups resource"
+
+draft = false
+
+
+[menu.aws]
+title = "aws_dms_replication_subnet_groups"
+identifier = "inspec/resources/aws/aws_dms_replication_subnet_groups resource"
+parent = "inspec/resources/aws"
++++
+
+Use the `aws_dms_replication_subnet_groups` InSpec audit resource to test properties of multiple DMS replication instance subnet groups.
+
+For additional information, including details on parameters and properties, see the [AWS documentation on DMS Replication Subnet Group](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-dms-replicationsubnetgroup.html).
+
+## Syntax
+
+Ensure that a subnet group exists.
+
+```ruby
+describe aws_dms_replication_subnet_groups do
+ it { should exist }
+end
+```
+
+## Parameters
+
+This resource does not require any parameters.
+
+## Properties
+
+`replication_subnet_group_identifiers`
+: The identifiers of the replication subnet groups.
+
+`replication_subnet_group_descriptions`
+: The descriptions of the replication subnet groups.
+
+`vpc_ids`
+: The IDs of the virtual private clouds.
+
+`subnet_group_statuses`
+: The statuses of the replication subnet groups.
+
+`subnets`
+: The subnets that are in the replication subnet groups.
+
+## Examples
+
+Ensure an identifier is available:
+
+```ruby
+describe aws_dms_replication_subnet_groups do
+ its('replication_subnet_group_identifiers') { should include 'REPLICATION_SUBNET_GROUP_IDENTIFIER' }
+end
+```
+
+Ensure that the VPC is available:
+
+```ruby
+describe aws_dms_replication_subnet_groups do
+ its('vpc_ids') { should include 'VPC_ID' }
+end
+```
+
+## Matchers
+
+{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}}
+
+The controls will pass if the `describe` method returns at least one result.
+
+### exist
+
+Use `should` to test that the entity exists.
+
+```ruby
+describe aws_dms_replication_subnet_groups do
+ it { should exist }
+end
+```
+
+Use `should_not` to test the entity does not exist.
+
+```ruby
+describe aws_dms_replication_subnet_groups do
+ it { should_not exist }
+end
+```
+
+### be_available
+
+Use `should` to check if the work_group name is available.
+
+```ruby
+describe aws_dms_replication_subnet_groups do
+ it { should be_available }
+end
+```
+
+## AWS Permissions
+
+{{% inspec-aws/aws_permissions_principal action="DatabaseMigrationService:Client:DescribeReplicationSubnetGroupsResponse" %}}
diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_dynamodb_table.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_dynamodb_table.md
new file mode 100644
index 0000000..ff77245
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_dynamodb_table.md
@@ -0,0 +1,153 @@
++++
+title = "aws_dynamodb_table resource"
+
+draft = false
+
+
+[menu.aws]
+title = "aws_dynamodb_table"
+identifier = "inspec/resources/aws/aws_dynamodb_table resource"
+parent = "inspec/resources/aws"
++++
+
+Use the `aws_dynamodb_table` InSpec audit resource to test properties of a single DynamoDb Table.
+
+## Syntax
+
+### Ensure an DynamoDb Table exists
+
+```ruby
+describe aws_dynamodb_table(table_name: 'table-name') do
+ it { should exist }
+end
+```
+
+## Parameters
+
+`table_name` _(required)_
+
+: The table name used by this DynamoDb Table. This must be passed as a `table_name: 'value'` key-value entry in a hash.
+
+## Properties
+
+`table_name`
+: The name of the DynamoDb Table.
+
+`table_status`
+: The status of the DynamoDb Table.
+
+`table_arn`
+: The Amazon Resource Names of the DynamoDb Table.
+
+`creation_date`
+: The date the DynamoDb Table was created. eg. `01/01/2019`.
+
+`number_of_decreases_today`
+: The number of provisioned throughput decreases for this table during this UTC calendar day.
+
+`write_capacity_units`
+: The maximum number of writes consumed per second before DynamoDb returns a ThrottlingException.
+
+`read_capacity_units`
+: The maximum number of strongly consistent reads consumed per second before DynamoDb returns a ThrottlingException.
+
+`item_count`
+: The number of entries in the DynamoDb Table.
+
+`attributes`
+: An array of attributes that describe the key schema for the table and indexes. This is returned as a hash. Each entry is composed of: `attribute_name` - The name of this key attribute. `attribute_type` - The datatype of the attribute : `B` - Boolean, `N` - Number, `S` - string.
+
+`key_schema`
+: Specifies the attributes that make up the primary key for a table or an index. This is returned as a hash. The attributes in KeySchema must also be defined in the Attributes array. Each element in the KeySchemaElement array is composed of: `attribute_name` - The name of this key attribute.
`key_type` - The role that the key attribute will assume: `HASH` - partition key, `RANGE` - sort key.
+
+`global_secondary_indexes`
+: A list of global secondary indexes if there is any referenced on the selected table.
+
+## Examples
+
+Ensure DynamoDb Table status is active:
+
+```ruby
+describe aws_dynamodb_table(table_name: 'table-name') do
+ its('table_status') { should eq 'ACTIVE' }
+end
+```
+
+Ensure DynamoDb Table has an attribute:
+
+```ruby
+describe aws_dynamodb_table(table_name: 'table-name') do
+ its('attributes') { should_not be_empty }
+ its('attributes') { should include({:attribute_name =>'table_field', :attribute_type =>'N'}) }
+end
+```
+
+Ensure DynamoDb Table has a key_schema:
+
+```ruby
+describe aws_dynamodb_table(table_name: 'table-name') do
+ its('key_schema') { should_not be_empty }
+ its('key_schema') { should include({:attribute_name =>'table_field', :key_type =>'HASH'}) }
+end
+```
+
+Ensure DynamoDb Table has the correct global secondary indexes set:
+
+```ruby
+aws_dynamodb_table(table_name: 'table-name').global_secondary_indexes.each do |global_sec_idx|
+ describe global_sec_idx do
+ its('index_name') { should eq 'TitleIndex' }
+ its('index_status') { should eq 'ACTIVE' }
+ its('key_schema') { should include({:attribute_name =>'Title', :key_type =>'HASH'}) }
+ its('provisioned_throughput.write_capacity_units') { should cmp 10 }
+ its('provisioned_throughput.read_capacity_units') { should cmp 10 }
+ its('projection.projection_type') { should eq 'INCLUDE' }
+ end
+end
+```
+
+Ensure DynamoDb Table is encrypted:
+
+```ruby
+describe aws_dynamodb_table(table_name: 'table-name') do
+ it { should be_encrypted}
+end
+```
+
+## Matchers
+
+{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}}
+
+This resource has the following special matchers.
+
+### be_encrypted
+
+The `be_encrypted` matcher tests if the DynamoDB Table is encrypted.
+
+```ruby
+it { should be_encrypted }
+```
+
+### exist
+
+The control will pass if the describe returns at least one result.
+
+Use `should_not` to test the entity should not exist.
+
+```ruby
+describe aws_dynamodb_table(table_name: 'table-name') do
+ it { should exist }
+end
+```
+
+```ruby
+describe aws_dynamodb_table(table_name: 'table-name') do
+ it { should_not exist }
+end
+```
+
+## AWS Permissions
+
+{{% inspec-aws/aws_permissions_principal action="DynamoDB:Client:DescribeTableOutput" %}}
+
+You can find detailed documentation at [Actions, Resources, and Condition Keys for Amazon Dynamodb](https://docs.aws.amazon.com/IAM/latest/UserGuide/list_amazondynamodb.html).
diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_dynamodb_tables.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_dynamodb_tables.md
new file mode 100644
index 0000000..d9b229c
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_dynamodb_tables.md
@@ -0,0 +1,98 @@
++++
+title = "aws_dynamodb_tables resource"
+
+draft = false
+
+
+[menu.aws]
+title = "aws_dynamodb_tables"
+identifier = "inspec/resources/aws/aws_dynamodb_tables resource"
+parent = "inspec/resources/aws"
++++
+
+Use the `aws_dynamodb_table` InSpec audit resource to test properties of a collection of AWS DynamoDB Table.
+
+## Syntax
+
+ Ensure exactly 3 DynamoDB Tables exist.
+
+```ruby
+describe aws_dynamodb_tables do
+ its('names.count') { should cmp 3 }
+end
+```
+
+## Parameters
+
+This resource does not require any parameters.
+
+## Properties
+
+`table_names`
+: The names of the tables associated with the current account at the current endpoint.
+
+For a comprehensive list of properties available, see [the API reference documentation](https://docs.aws.amazon.com/amazondynamodb/latest/APIReference/API_ListTables.html)
+
+## Examples
+
+Ensure DynamoDB Tables are encrypted:
+
+```ruby
+aws_dynamodb_tables.table_names.each do |table|
+ describe aws_dynamodb_table(table_name: table) do
+ it { should exist }
+ it { should be_encrypted}
+ end
+end
+```
+
+Ensure the DynamoDB Tables exists and encrypted:
+
+```ruby
+aws_dynamodb_tables.where(table_names: 'table_name').table_names.each do |table|
+ describe aws_dynamodb_table(table_name: table) do
+ it { should exist }
+ it { should be_encrypted }
+ end
+end
+```
+
+Ensure the DynamoDB table exist:
+
+```ruby
+describe aws_dynamodb_tables do
+ its('table_names') { should include 'table_name'}
+end
+```
+
+## Matchers
+
+{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}}
+
+This resource has the following special matchers.
+
+### exist
+
+The control will pass if the describe returns at least one result.
+
+Use `should` to test the entity should exist.
+
+```ruby
+describe aws_dynamodb_tables.where( : ) do
+ it { should exist }
+end
+```
+
+Use `should_not` to test the entity should not exist.
+
+```ruby
+describe aws_dynamodb_tables.where( : ) do
+ it { should_not exist }
+end
+```
+
+## AWS Permissions
+
+{{% inspec-aws/aws_permissions_principal action="DynamoDB:Client:ListTablesOutput" %}}
+
+You can find detailed documentation at [Actions, Resources, and Condition Keys for Amazon Dynamodb](https://docs.aws.amazon.com/IAM/latest/UserGuide/list_amazondynamodb.html).
diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_ebs_snapshot.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_ebs_snapshot.md
new file mode 100644
index 0000000..c8205c5
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_ebs_snapshot.md
@@ -0,0 +1,183 @@
++++
+title = "aws_ebs_snapshot resource"
+
+draft = false
+
+
+[menu.aws]
+title = "aws_ebs_snapshot"
+identifier = "inspec/resources/aws/aws_ebs_snapshot resource"
+parent = "inspec/resources/aws"
++++
+
+Use the `aws_ebs_snapshot` InSpec audit resource to test properties of a single AWS EBS Snapshot. These are point-in-time
+incremental backups of AWS EBS volumes that are saved to AWS S3.
+
+For additional information, including details on parameters and properties, see the [AWS documentation on EBS Snapshots](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSSnapshots.html).
+
+## Syntax
+
+Ensure an EBS Snapshot exists:
+
+```ruby
+describe aws_ebs_snapshot(snapshot_id: 'SNAPSHOT_ID') do
+ it { should exist }
+end
+```
+
+You may also use hash syntax to pass the EBS volume name:
+
+```ruby
+describe aws_ebs_snapshot(name: 'SNAPSHOT_ID') do
+ it { should exist }
+end
+```
+
+## Parameters
+
+This resource accepts a single parameter, either the EBS Snapshot ID or name (from the Name tag). At least one must be provided.
+
+`snapshot_id`
+
+: The EBS Snapshot ID which uniquely identifies the volume.
+ This can be passed as either a string or an `snapshot_id: 'value'` key-value entry in a hash.
+
+`name` _(required if `snapshot_id` not provided)_
+
+: The EBS volume name from the name tag. This must be passed as a `name: 'value'` key-value entry in a hash.
+ It is not advised to use this parameter if your Name tags for your snapshots are not unique, as at most one entry is returned.
+
+## Properties
+
+`snapshot_id`
+: The unique ID for the EBS Snapshot.
+
+`encrypted`
+: A boolean indicating whether the EBS Snapshot is encrypted.
+
+`data_encryption_key_id`
+: The data encryption key identifier for the EBS Snapshot.
+
+`description`
+: The description for the EBS Snapshot.
+
+`group`
+: Either set to `'all'` if the EBS Snapshot is public (anyone can create a volume from the EBS Snapshot), or `nil`.
+
+`kms_key_id`
+: The ARN of the AWS KMS customer master key that was used to protect the volume encryption key for the parent volume.
+
+`outpost_arn`
+: The ARN of the AWS Outpost on which the EBS Snapshot is stored.
+
+`owner_alias`
+: The AWS owner alias, from an Amazon-maintained list.
+
+`owner_id`
+: The AWS account ID of the EBS Snapshot owner.
+
+`progress`
+: The progress of the EBS Snapshot, as a percentage, e.g. `'100%'`.
+
+`start_time`
+: The time stamp when the EBS Snapshot was initiated.
+
+`state`
+: The EBS Snapshot state.
+
+`state_message`
+: A message about the EBS Snapshot state.
+
+`tags`
+: A hash of tags for the EBS Snapshot, e.g. `{'Name' => 'snapshot-name'}` .
+
+`user_ids`
+: An array of user_ids (account numbers) that have been granted permission to create a volume from this EBS Snapshot.
+
+`volume_id`
+: The ID of the volume that was used to create the EBS Snapshot.
+
+`volume_size`
+: The size of the volume, in GiB.
+
+## Examples
+
+Test that an EBS Snapshot is encrypted:
+
+```ruby
+describe aws_ebs_snapshot(id: 'SNAPSHOT_ID')do
+ its('encrypted') { should eq true }
+end
+```
+
+Test that an EBS Snapshot has the expected Name tag:
+
+```ruby
+describe aws_ebs_snapshot(id: 'SNAPSHOT_ID') do
+ its('tags') { should include(key: 'Name', value: 'SNAPSHOT_NAME') }
+end
+```
+
+Tests that no specified accounts have been given access to create volumes from this EBS Snapshot:
+
+```ruby
+describe aws_ebs_snapshot(id: 'SNAPSHOT_ID') do
+ its('user_ids') { should be_empty }
+end
+```
+
+## Matchers
+
+{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}}
+
+This resource has the following special matchers.
+
+### exist
+
+The control will pass if the describe returns at least one result.
+
+```ruby
+describe aws_ebs_snapshot(name: 'SNAPSHOT_ID') do
+ it { should exist }
+end
+```
+
+Use `should_not` to test the entity should not exist.
+
+```ruby
+describe aws_ebs_snapshot(id: 'SNAPSHOT_ID') do
+ it { should_not exist }
+end
+```
+
+### be_encrypted
+
+The `be_encrypted` matcher tests whether the described EBS Snapshot is encrypted.
+
+```ruby
+it { should be_encrypted }
+```
+
+### be_public
+
+The `be_public` matcher tests whether the described EBS Snapshot is public, i.e. if anyone may create a volume from the EBS Snapshot.
+
+```ruby
+it { should be_public }
+```
+
+### be_private
+
+The `be_private` matcher tests whether the described EBS Snapshot is private, i.e. not open for anyone to create a volume from
+the EBS Snapshot. It does not check whether specific user_ids (AWS accounts) have been given access to create a volume from the
+EBS Snapshot). To check permissions for specific user_ids, see the last example in the previous section.
+
+```ruby
+it { should be_private }
+```
+
+## AWS Permissions
+
+Your [Principal](https://docs.aws.amazon.com/IAM/latest/UserGuide/intro-structure.html#intro-structure-principal) will need the `EC2:Client::DescribeSnapshotsResult` and `EC2:Client:DescribeSnapshotAttributeResult` actions with `Effect` set to `Allow`.
+
+You can find detailed documentation at [Actions, Resources, and Condition Keys for Amazon EC2](https://docs.aws.amazon.com/IAM/latest/UserGuide/list_amazonec2.html), and [Actions, Resources, and Condition Keys for Identity And Access Management](https://docs.aws.amazon.com/IAM/latest/UserGuide/list_identityandaccessmanagement.html).
diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_ebs_snapshots.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_ebs_snapshots.md
new file mode 100644
index 0000000..7c78710
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_ebs_snapshots.md
@@ -0,0 +1,97 @@
++++
+title = "aws_ebs_snapshots resource"
+
+draft = false
+
+
+[menu.aws]
+title = "aws_ebs_snapshots"
+identifier = "inspec/resources/aws/aws_ebs_snapshots resource"
+parent = "inspec/resources/aws"
++++
+
+Use the `aws_ebs_snapshots` InSpec audit resource to test properties of a collection of AWS EBS Snapshots.
+
+For additional information, including details on parameters and properties, see the [AWS documentation on EBS Snapshots](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSsnapshots.html).
+
+## Syntax
+
+ Ensure you have exactly 3 EBS Snapshots:
+
+```ruby
+describe aws_ebs_snapshots do
+ its('snapshot_ids.count') { should cmp 3 }
+end
+```
+
+## Parameters
+
+This resource does not require any parameters.
+
+## Properties
+
+`snapshot_ids`
+: An array of the unique IDs of the EBS Snapshots that are returned.
+
+`owner_ids`
+: An array of AWS Account IDs of the owners of the EBS Snapshots that are returned.
+
+`encrypted`
+: An array of booleans indicating whether the EBS Snapshots returned are encrypted.
+
+`tags`
+: An array of hashes; each hash is a set of keys and values for tags for one of the EBS Snapshots returned, and may be empty.
+
+`entries`
+: Provides access to the raw results of the query, which can be treated as an array of hashes.
+
+## Examples
+
+Ensure a specific EBS Snapshot exists:
+
+```ruby
+describe aws_ebs_snapshots do
+ its('snapshot_ids') { should include 'SNAPSHOT_ID' }
+end
+```
+
+Use the InSpec resource to request the IDs of all EBS Snapshots, then test in-depth using `aws_ebs_snapshot` to ensure all EBS Snapshots are encrypted and not public:
+
+```ruby
+aws_ebs_snapshots.snapshot_ids.each do |snapshot_id|
+ describe aws_ebs_snapshot(snapshot_id: snapshot_id) do
+ it { should be_encrypted }
+ it { should_not be_public }
+ end
+end
+```
+
+## Matchers
+
+{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}}
+
+This resource has the following special matchers.
+
+### exist
+
+The control will pass if the describe returns at least one result.
+
+```ruby
+describe aws_ebs_snapshots do
+ it { should exist }
+end
+```
+
+Use `should_not` to test the entity should not exist.
+
+```ruby
+describe aws_ebs_snapshots do
+ it { should_not exist }
+end
+```
+
+## AWS Permissions
+
+{{% inspec-aws/aws_permissions_principal action="EC2:Client::DescribeSnapshotsResult" %}}
+
+You can find detailed documentation at [Actions, Resources, and Condition Keys for Amazon EC2](https://docs.aws.amazon.com/IAM/latest/UserGuide/list_amazonec2.html), and [Actions, Resources, and Condition Keys for Identity And Access Management](https://docs.aws.amazon.com/IAM/latest/UserGuide/list_identityandaccessmanagement.html).
diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_ebs_volume.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_ebs_volume.md
new file mode 100644
index 0000000..1c1e0e0
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_ebs_volume.md
@@ -0,0 +1,135 @@
++++
+title = "aws_ebs_volume resource"
+
+draft = false
+
+
+[menu.aws]
+title = "aws_ebs_volume"
+identifier = "inspec/resources/aws/aws_ebs_volume resource"
+parent = "inspec/resources/aws"
++++
+
+Use the `aws_ebs_volume` InSpec audit resource to test the properties of a single AWS EBS volume.
+
+For additional information, including details on parameters and properties, see the [AWS documentation on EBS](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/AmazonEBS.html).
+
+## Syntax
+
+Ensure an EBS exists
+
+```ruby
+describe aws_ebs_volume('VOLUME-01a2349e94458a507') do
+ it { should exist }
+end
+```
+
+You may also use hash syntax to pass the EBS volume name.
+
+```ruby
+describe aws_ebs_volume(name: 'DATA-VOLUME') do
+ it { should exist }
+end
+```
+
+## Parameters
+
+This resource accepts a single parameter, either the EBS volume name or ID. _mandatory_
+
+`volume_id` _(required if `name` not provided)_
+
+: The EBS volume ID which uniquely identifies the volume. This can be passed as either a string or an `volume_id: 'value'` key-value entry in a hash.
+
+`name` _(required if `volume_id` not provided)_
+
+: The EBS volume name which uniquely identifies the volume. This must be passed as a `name: 'value'` key-value entry in a hash.
+
+## Properties
+
+`availability_zone`
+: The availability zone for the volume.
+
+`encrypted`
+: Indicates whether the volume is encrypted.
+
+`iops`
+: The number of I/O operations per second (IOPS) that the volume supports.
+
+`kms_key_id`
+: The full ARN of the AWS Key Management Service (AWS KMS) customer master key (CMK) is used to protect the encryption key for the volume.
+
+`size`
+: The size of the volume in GiBs.
+
+`snapshot_id`
+: The snapshot from which the volume is created, if applicable.
+
+`status`
+: The volume state.
+
+`volume_type`
+: The volume type.
+
+## Examples
+
+Test that an EBS Volume does not exist:
+
+```ruby
+describe aws_ebs_volume(name: 'DATA-VOLUME') do
+ it { should_not exist }
+end
+```
+
+Test that an EBS Volume is encrypted:
+
+```ruby
+describe aws_ebs_volume(name: 'SECURE_DATA-VOLUME') do
+ it { should be_encrypted }
+end
+```
+
+Test that an EBS Volume has the correct size:
+
+```ruby
+describe aws_ebs_volume(name: 'DATA-VOLUME') do
+ its('size') { should cmp 32 }
+end
+```
+
+## Matchers
+
+{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}}
+
+This resource has the following special matchers.
+
+### exist
+
+The control will pass if the describe returns at least one result.
+
+Use `should_not` to test the entity should not exist.
+
+```ruby
+describe aws_ebs_volume(name: 'DATA-VOLUME') do
+ it { should exist }
+end
+```
+
+```ruby
+describe aws_ebs_volume(name: 'DATA-VOLUME') do
+ it { should_not exist }
+end
+```
+
+#### be_encrypted
+
+The `be_encrypted` matcher tests if the described EBS volume is encrypted.
+
+```ruby
+it { should be_encrypted }
+```
+
+## AWS Permissions
+
+{{% inspec-aws/aws_permissions_principal action="EC2:Client:DescribeVolumesResult" %}}
+
+You can find detailed documentation at [Actions, Resources, and Condition Keys for Amazon EC2](https://docs.aws.amazon.com/IAM/latest/UserGuide/list_amazonec2.html), and [Actions, Resources, and Condition Keys for Identity And Access Management](https://docs.aws.amazon.com/IAM/latest/UserGuide/list_identityandaccessmanagement.html).
diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_ebs_volumes.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_ebs_volumes.md
new file mode 100644
index 0000000..94ba5ec
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_ebs_volumes.md
@@ -0,0 +1,134 @@
++++
+title = "aws_ebs_volumes resource"
+
+draft = false
+
+
+[menu.aws]
+title = "aws_ebs_volumes"
+identifier = "inspec/resources/aws/aws_ebs_volumes resource"
+parent = "inspec/resources/aws"
++++
+
+Use the `aws_ebs_volumes` InSpec audit resource to test the properties of a collection of AWS EBS volumes.
+
+EBS volumes are persistent block storage volumes for Amazon EC2 instances in the AWS Cloud.
+
+For additional information, including details on parameters and properties, see the [AWS documentation on EBS](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/AmazonEBS.html).
+
+## Syntax
+
+ Ensure you have exactly three volumes.
+
+```ruby
+describe aws_ebs_volumes do
+ its('VOLUME_ID_COUNT') { should cmp 3 }
+end
+```
+
+## Parameters
+
+This resource does not require any parameters.
+
+## Properties
+
+`attachments`
+: The EBS volume attachments returned.
+
+`availability_zones`
+: The list of availability zones in use by the EBS volumes.
+
+`create_times`
+: The creation times of the EBS volumes.
+
+`encrypted`
+: The list of true/false values indicating whether the EBS volumes are encrypted.
+
+`fast_restored`
+: The list of true/false values indicating whether the EBS volume is created with a snapshot enabled for fast snapshot restore.
+
+`iops`
+: The list of I/O per second for each EBS volume.
+
+`kms_key_ids`
+: The list of ARNs for EBS volume KMS keys.
+
+`multi_attach_enabled`
+: The list of boolean values indicating whether the EBS volume is multi-attach enabled.
+
+`outpost_arns`
+: The list of ARNs of outposts.
+
+`sizes`
+: The list of EBS volume sizes.
+
+`snapshot_ids`
+: The list of snapshots from which EBS volumes are created.
+
+`states`
+: The list of volume states returned.
+
+`tags`
+: The list of volume tags returned.
+
+`volume_ids`
+: The unique IDs of the EBS volumes returned.
+
+`volume_types`
+: The list of volume types returned.
+
+`entries`
+: Provides access to the raw results of the query, which can be treated as an array of hashes.
+
+## Examples
+
+Ensure a specific volume exists:
+
+```ruby
+describe aws_ebs_volumes do
+ its('VOLUME_IDs') { should include 'VOLUME-12345678' }
+end
+```
+
+Request the EBS volumes IDs:
+
+Test in-depth using `aws_ebs_volume` to ensure all volumes are encrypted and have a sensible size.
+
+```ruby
+aws_ebs_volumes.volume_ids.each do |volume_id|
+ describe aws_ebs_volume(volume_id) do
+ it { should be_encrypted }
+ its('size') { should be > 10 }
+ its('iops') { should cmp 100 }
+ end
+end
+```
+
+## Matchers
+
+{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}}
+
+This resource has the following special matchers.
+
+### exist
+
+The control will pass if the describe returns at least one result.
+
+Use `should_not` to test the entity should not exist.
+
+```ruby
+describe aws_ebs_volumes do
+ it { should exist }
+end
+```
+
+```ruby
+describe aws_ebs_volumes do
+ it { should_not exist }
+end
+```
+
+## AWS Permissions
+
+{{% inspec-aws/aws_permissions_principal action="EC2:Client:DescribeVolumesResult" %}}
+You can find detailed documentation at [Actions, Resources, and Condition Keys for Amazon EC2](https://docs.aws.amazon.com/IAM/latest/UserGuide/list_amazonec2.html), and [Actions, Resources, and Condition Keys for Identity And Access Management](https://docs.aws.amazon.com/IAM/latest/UserGuide/list_identityandaccessmanagement.html).
diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_ec2_capacity_reservation.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_ec2_capacity_reservation.md
new file mode 100644
index 0000000..ccd6755
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_ec2_capacity_reservation.md
@@ -0,0 +1,151 @@
++++
+title = "aws_ec2_capacity_reservation resource"
+
+draft = false
+
+
+[menu.aws]
+title = "aws_ec2_capacity_reservation"
+identifier = "inspec/resources/aws/aws_ec2_capacity_reservation resource"
+parent = "inspec/resources/aws"
++++
+
+Use the `aws_ec2_capacity_reservation` InSpec audit resource to test properties of the singular resource of AWS EC2 Capacity Reservation.
+
+The `AWS::EC2::CapacityReservation` resource type creates a new Capacity Reservation with the specified attributes.
+
+For additional information, including details on parameters and properties, see the [AWS documentation on AWS EC2 Capacity Reservation.](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ec2-capacityreservation.html).
+
+## Syntax
+
+Ensure that the Capacity Reservation Id exists.
+
+```ruby
+describe aws_ec2_capacity_reservation(capacity_reservation_id: 'CAPACITY_RESERVATION_ID') do
+ it { should exist }
+end
+```
+
+## Parameters
+
+`capacity_reservation_id` _(required)_
+
+: The ID of the Capacity Reservation.
+
+## Properties
+
+`capacity_reservation_id`
+: The ID of the Capacity Reservation.
+
+`owner_id`
+: The ID of the Amazon Web Services account that owns the Capacity Reservation.
+
+`capacity_reservation_arn`
+: The Amazon Resource Name (ARN) of the Capacity Reservation.
+
+`availability_zone_id`
+: The Availability Zone ID of the Capacity Reservation.
+
+`instance_type`
+: The type of instance for which the Capacity Reservation reserves capacity.
+
+`instance_platform`
+: The type of operating system for which the Capacity Reservation reserves capacity.
+
+`availability_zone`
+: The Availability Zone in which the capacity is reserved.
+
+`tenancy`
+: Indicates the tenancy of the Capacity Reservation.
+
+`total_instance_count`
+: The total number of instances for which the Capacity Reservation reserves capacity.
+
+`available_instance_count`
+: The remaining capacity.
+
+`ebs_optimized`
+: Indicates whether the Capacity Reservation supports EBS-optimized instances.
+
+`ephemeral_storage`
+: Indicates whether the Capacity Reservation supports instances with temporary, block-level storage.
+
+`state`
+: The current state of the Capacity Reservation.
+
+`start_date`
+: The date and time at which the Capacity Reservation was started.
+
+`end_date`
+: The date and time at which the Capacity Reservation expires.
+
+`end_date_type`
+: Indicates the way in which the Capacity Reservation ends.
+
+`instance_match_criteria`
+: Indicates the type of instance launches that the Capacity Reservation accepts.
+
+`create_date`
+: The date and time at which the Capacity Reservation was created.
+
+`tags`
+: Any tags assigned to the Capacity Reservation.
+
+`outpost_arn`
+: The Amazon Resource Name (ARN) of the Outpost on which the Capacity Reservation was created.
+
+## Examples
+
+Ensure a Capacity Reservation ID is available:
+
+```ruby
+describe aws_ec2_capacity_reservation(capacity_reservation_id: 'CAPACITY_RESERVATION_ID') do
+ its('capacity_reservation_id') { should eq 'CAPACITY_RESERVATION_ID' }
+end
+```
+
+Ensure that the state is `active`:
+
+```ruby
+describe aws_ec2_capacity_reservation(capacity_reservation_id: 'CAPACITY_RESERVATION_ID') do
+ its('state') { should eq 'active' }
+end
+```
+
+## Matchers
+
+{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}}
+
+The controls will pass if the `describe` method returns at least one result.
+
+### exist
+
+Use `should` to test that the entity exists.
+
+```ruby
+describe aws_ec2_capacity_reservation(capacity_reservation_id: 'CAPACITY_RESERVATION_ID') do
+ it { should exist }
+end
+```
+
+Use `should_not` to test the entity does not exist.
+
+```ruby
+describe aws_ec2_capacity_reservation(capacity_reservation_id: 'CAPACITY_RESERVATION_ID') do
+ it { should_not exist }
+end
+```
+
+### be_available
+
+Use `should` to check if the entity is available.
+
+```ruby
+describe aws_ec2_capacity_reservation(capacity_reservation_id: 'CAPACITY_RESERVATION_ID') do
+ it { should be_available }
+end
+```
+
+## AWS Permissions
+
+{{% inspec-aws/aws_permissions_principal action="EC2:Client:DescribeCapacityReservationsResult" %}}
diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_ec2_capacity_reservations.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_ec2_capacity_reservations.md
new file mode 100644
index 0000000..054668e
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_ec2_capacity_reservations.md
@@ -0,0 +1,179 @@
++++
+title = "aws_ec2_capacity_reservations resource"
+
+draft = false
+
+
+[menu.aws]
+title = "aws_ec2_capacity_reservations"
+identifier = "inspec/resources/aws/aws_ec2_capacity_reservations resource"
+parent = "inspec/resources/aws"
++++
+
+Use the `aws_ec2_capacity_reservations` InSpec audit resource to test properties of the plural resource of AWS EC2 Capacity Reservation.
+
+The `AWS::EC2::CapacityReservation` resource type creates a new Capacity Reservation with the specified attributes.
+
+For additional information, including details on parameters and properties, see the [AWS documentation on AWS EC2 Capacity Reservation.](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ec2-capacityreservation.html).
+
+## Syntax
+
+Ensure that the Capacity Reservation ID exists.
+
+```ruby
+describe aws_ec2_capacity_reservations do
+ it { should exist }
+end
+```
+
+## Parameters
+
+This resource does not require any parameters.
+
+## Properties
+
+`capacity_reservation_ids`
+: The ID of the Capacity Reservation.
+
+: **Field**: `capacity_reservation_id`
+
+`owner_ids`
+: The ID of the Amazon Web Services account that owns the Capacity Reservation.
+
+: **Field**: `owner_id`
+
+`capacity_reservation_arns`
+: The Amazon Resource Name (ARN) of the Capacity Reservation.
+
+: **Field**: `capacity_reservation_arn`
+
+`availability_zone_ids`
+: The Availability Zone ID of the Capacity Reservation.
+
+: **Field**: `availability_zone_id`
+
+`instance_types`
+: The type of instance for which the Capacity Reservation reserves capacity.
+
+: **Field**: `instance_type`
+
+`instance_platforms`
+: The type of operating system for which the Capacity Reservation reserves capacity.
+
+: **Field**: `instance_platform`
+
+`availability_zones`
+: The Availability Zone in which the capacity is reserved.
+
+: **Field**: `availability_zone`
+
+`tenancies`
+: Indicates the tenancy of the Capacity Reservation.
+
+: **Field**: `tenancy`
+
+`total_instance_counts`
+: The total number of instances for which the Capacity Reservation reserves capacity.
+
+: **Field**: `total_instance_count`
+
+`available_instance_counts`
+: The remaining capacity.
+
+: **Field**: `available_instance_count`
+
+`ebs_optimized`
+: Indicates whether the Capacity Reservation supports EBS-optimized instances.
+
+: **Field**: `ebs_optimized`
+
+`ephemeral_storages`
+: Indicates whether the Capacity Reservation supports instances with temporary, block-level storage.
+
+: **Field**: `ephemeral_storage`
+
+`states`
+: The current state of the Capacity Reservation.
+
+: **Field**: `state`
+
+`start_dates`
+: The date and time at which the Capacity Reservation was started.
+
+: **Field**: `start_date`
+
+`end_dates`
+: The date and time at which the Capacity Reservation expires.
+
+: **Field**: `end_date`
+
+`end_date_types`
+: Indicates the way in which the Capacity Reservation ends.
+
+: **Field**: `end_date_type`
+
+`instance_match_criterias`
+: Indicates the type of instance launches that the Capacity Reservation accepts.
+
+: **Field**: `instance_match_criteria`
+
+`create_dates`
+: The date and time at which the Capacity Reservation was created.
+
+: **Field**: `create_date`
+
+`tags`
+: Any tags assigned to the Capacity Reservation.
+
+: **Field**: `tags`
+
+`outpost_arns`
+: The Amazon Resource Name (ARN) of the Outpost on which the Capacity Reservation was created.
+
+: **Field**: `outpost_arn`
+
+## Examples
+
+Ensure a Capacity Reservation ID is available:
+
+```ruby
+describe aws_ec2_capacity_reservations do
+ its('capacity_reservation_ids') { should include 'CAPACITY_RESERVATION_ID' }
+end
+```
+
+Ensure that the state is `active`:
+
+```ruby
+describe aws_ec2_capacity_reservations do
+ its('states') { should include 'active' }
+end
+```
+
+## Matchers
+
+{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}}
+
+The controls will pass if the `describe` method returns at least one result.
+
+### exist
+
+Use `should` to test that the entity exists.
+
+```ruby
+describe aws_ec2_capacity_reservations do
+ it { should exist }
+end
+```
+
+Use `should_not` to test the entity does not exist.
+
+```ruby
+describe aws_ec2_capacity_reservations do
+ it { should_not exist }
+end
+```
+
+## AWS Permissions
+
+{{% inspec-aws/aws_permissions_principal action="EC2:Client:DescribeCapacityReservationsResult" %}}
diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_ec2_carrier_gateway.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_ec2_carrier_gateway.md
new file mode 100644
index 0000000..e2d7ad8
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_ec2_carrier_gateway.md
@@ -0,0 +1,110 @@
++++
+title = "aws_ec2_carrier_gateway resource"
+
+draft = false
+
+
+[menu.aws]
+title = "aws_ec2_carrier_gateway"
+identifier = "inspec/resources/aws/aws_ec2_carrier_gateway resource"
+parent = "inspec/resources/aws"
++++
+
+Use the `aws_ec2_carrier_gateway` InSpec audit resource to test properties of a specific AWS EC2 carrier gateway.
+
+The AWS::EC2::CarrierGateway resource creates a carrier gateway.
+
+`carrier_gateway_id` _(required)_
+
+ The ID of the carrier gateway.
+
+For additional information, including details on parameters and properties, see the [AWS documentation on AWS EC2 Carrier Gateway](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ec2-carriergateway.html).
+
+## Syntax
+
+Ensure that the carrier gateway exists.
+
+```ruby
+describe aws_ec2_carrier_gateway(carrier_gateway_id: "GATEWAY_ID") do
+ it { should exist }
+end
+```
+
+## Parameters
+
+`carrier_gateway_id` _(required)_
+
+ The ID of the carrier gateway.
+
+## Properties
+
+`carrier_gateway_id`
+: The ID of the carrier gateway.
+
+`vpc_id`
+: The ID of the VPC (Virtual Private Cloud) associated with the carrier gateway.
+
+`state`
+: The state of the carrier gateway.
+
+`owner_id`
+: The Amazon Web Services account ID of the owner of the carrier gateway.
+
+`tags`
+: The tags assigned to the carrier gateway.
+
+## Examples
+
+Ensure a carrier gateway ID is available:
+
+```ruby
+describe aws_ec2_carrier_gateway(carrier_gateway_id: "GATEWAY_ID") do
+ its('carrier_gateway_id') { should eq 'GATEWAY_ID' }
+end
+```
+
+Ensure that the state is `available`:
+
+```ruby
+describe aws_ec2_carrier_gateway(carrier_gateway_id: "GATEWAY_ID") do
+ its('state') { should eq 'available' }
+end
+```
+
+## Matchers
+
+{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}}
+
+The controls will pass if the `describe` method returns at least one result.
+
+### exist
+
+Use `should` to test that the entity exists.
+
+```ruby
+describe aws_ec2_carrier_gateway(carrier_gateway_id: "GATEWAY_ID") do
+ it { should exist }
+end
+```
+
+Use `should_not` to test the entity does not exist.
+
+```ruby
+describe aws_ec2_carrier_gateway(carrier_gateway_id: "GATEWAY_ID") do
+ it { should_not exist }
+end
+```
+
+### be_available
+
+Use `should` to check if the entity is available.
+
+```ruby
+describe aws_ec2_carrier_gateway(carrier_gateway_id: "GATEWAY_ID") do
+ it { should be_available }
+end
+```
+
+## AWS Permissions
+
+{{% inspec-aws/aws_permissions_principal action="EC2:Client:DescribeCarrierGatewaysResult" %}}
diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_ec2_carrier_gateways.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_ec2_carrier_gateways.md
new file mode 100644
index 0000000..92e1893
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_ec2_carrier_gateways.md
@@ -0,0 +1,104 @@
++++
+title = "aws_ec2_carrier_gateways resource"
+
+draft = false
+
+
+[menu.aws]
+title = "aws_ec2_carrier_gateways"
+identifier = "inspec/resources/aws/aws_ec2_carrier_gateways resource"
+parent = "inspec/resources/aws"
++++
+
+Use the `aws_ec2_carrier_gateways` InSpec audit resource to test properties of the plural resource of AWS EC2 carrier gateway.
+
+The AWS::EC2::CarrierGateway resource creates a carrier gateway.
+
+For additional information, including details on parameters and properties, see the [AWS documentation on AWS EC2 Carrier Gateway](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ec2-carriergateway.html).
+
+## Syntax
+
+Ensure that the carrier gateway exists.
+
+```ruby
+describe aws_ec2_carrier_gateways do
+ it { should exist }
+end
+```
+
+## Parameters
+
+This resource does not require any parameters.
+
+## Properties
+
+`carrier_gateway_ids`
+: The ID of the carrier gateway.
+
+: **Field**: `carrier_gateway_id`
+
+`vpc_ids`
+: The ID of the VPC (Virtual Private Cloud) associated with the carrier gateway.
+
+: **Field**: `vpc_id`
+
+`states`
+: The state of the carrier gateway.
+
+: **Field**: `state`
+
+`owner_ids`
+: The Amazon Web Services account ID of the owner of the carrier gateway.
+
+: **Field**: `owner_id`
+
+`tags`
+: The tags assigned to the carrier gateway.
+
+: **Field**: `tags`
+
+## Examples
+
+Ensure a carrier gateway ID is available:
+
+```ruby
+describe aws_ec2_carrier_gateways do
+ its('carrier_gateway_ids') { should include 'GATEWAY_ID' }
+end
+```
+
+Ensure that the state is `available`:
+
+```ruby
+describe aws_ec2_carrier_gateways do
+ its('states') { should include 'available' }
+end
+```
+
+## Matchers
+
+{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}}
+
+The controls will pass if the `describe` method returns at least one result.
+
+### exist
+
+Use `should` to test that the entity exists.
+
+```ruby
+describe aws_ec2_carrier_gateways do
+ it { should exist }
+end
+```
+
+Use `should_not` to test the entity does not exist.
+
+```ruby
+describe aws_ec2_carrier_gateways do
+ it { should_not exist }
+end
+```
+
+## AWS Permissions
+
+{{% inspec-aws/aws_permissions_principal action="EC2:Client:DescribeCarrierGatewaysResult" %}}
diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_ec2_client_vpn_authorization_rule.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_ec2_client_vpn_authorization_rule.md
new file mode 100644
index 0000000..17106df
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_ec2_client_vpn_authorization_rule.md
@@ -0,0 +1,116 @@
++++
+title = "aws_ec2_client_vpn_authorization_rule resource"
+
+draft = false
+
+
+[menu.aws]
+title = "aws_ec2_client_vpn_authorization_rule"
+identifier = "inspec/resources/aws/aws_ec2_client_vpn_authorization_rule resource"
+parent = "inspec/resources/aws"
++++
+
+Use the `aws_ec2_client_vpn_authorization_rule` InSpec audit resource to test properties of a single specific AWS EC2 Client VPN authorization rule.
+
+The `AWS::EC2::ClientVpnAuthorizationRule` specifies an ingress authorization rule to add to a Client VPN endpoint.
+
+For additional information, including details on parameters and properties, see the [AWS documentation on AWS EC2 Client VPN authorization rule.](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ec2-clientvpnauthorizationrule.html).
+
+## Syntax
+
+Ensure that the client VPN endpoint association rule exists.
+
+```ruby
+describe aws_ec2_client_vpn_authorization_rule(client_vpn_endpoint_id: "CLIENT_VPN_ENDPOINT_ID", group_id: "GROUP_ID") do
+ it { should exist }
+end
+```
+
+## Parameters
+
+`client_vpn_endpoint_id` _(required)_
+
+: The ID of the Client VPN endpoint.
+
+`group_id` _(required)_
+
+: The ID of the Active Directory group to which the authorization rule grants access.
+
+## Properties
+
+`client_vpn_endpoint_id`
+: The ID of the Client VPN endpoint with which the authorization rule is associated.
+
+`description`
+: A brief description of the authorization rule.
+
+`group_id`
+: The ID of the Active Directory group to which the authorization rule grants access.
+
+`access_all`
+: Indicates whether the authorization rule grants access to all clients.
+
+`destination_cidr`
+: The IPv4 address range, in CIDR notation, of the network to which the authorization rule applies.
+
+`status.code`
+: The state of the authorization rule.
+
+`status.message`
+: A message about the status of the authorization rule, if applicable.
+
+## Examples
+
+Ensure a client VPN endpoint ID is available:
+
+```ruby
+describe aws_ec2_client_vpn_authorization_rule(client_vpn_endpoint_id: "CLIENT_VPN_ENDPOINT_ID", group_id: "GROUP_ID") do
+ its('client_vpn_endpoint_id') { should eq 'CLIENT_VPN_ENDPOINT_ID' }
+end
+```
+
+Ensure that the status code is `active`:
+
+```ruby
+describe aws_ec2_client_vpn_authorization_rule(client_vpn_endpoint_id: "CLIENT_VPN_ENDPOINT_ID", group_id: "GROUP_ID") do
+ its('status.code') { should eq 'active' }
+end
+```
+
+## Matchers
+
+{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}}
+
+The controls will pass if the `describe` method returns at least one result.
+
+### exist
+
+Use `should` to test that the entity exists.
+
+```ruby
+describe aws_ec2_client_vpn_authorization_rule(client_vpn_endpoint_id: "CLIENT_VPN_ENDPOINT_ID", group_id: "GROUP_ID") do
+ it { should exist }
+end
+```
+
+Use `should_not` to test the entity does not exist.
+
+```ruby
+describe aws_ec2_client_vpn_authorization_rule(client_vpn_endpoint_id: "CLIENT_VPN_ENDPOINT_ID", group_id: "GROUP_ID") do
+ it { should_not exist }
+end
+```
+
+### be_available
+
+Use `should` to check if the entity is available.
+
+```ruby
+describe aws_ec2_client_vpn_authorization_rule(client_vpn_endpoint_id: "CLIENT_VPN_ENDPOINT_ID", group_id: "GROUP_ID") do
+ it { should be_available }
+end
+```
+
+## AWS Permissions
+
+{{% inspec-aws/aws_permissions_principal action="EC2:Client:DescribeClientVpnAuthorizationRulesResult" %}}
diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_ec2_client_vpn_authorization_rules.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_ec2_client_vpn_authorization_rules.md
new file mode 100644
index 0000000..02f29be
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_ec2_client_vpn_authorization_rules.md
@@ -0,0 +1,126 @@
++++
+title = "aws_ec2_client_vpn_authorization_rules resource"
+
+draft = false
+
+
+[menu.aws]
+title = "aws_ec2_client_vpn_authorization_rules"
+identifier = "inspec/resources/aws/aws_ec2_client_vpn_authorization_rules resource"
+parent = "inspec/resources/aws"
++++
+
+Use the `aws_ec2_client_vpn_authorization_rules` InSpec audit resource to test properties of a single specific AWS EC2 Client VPN authorization rule.
+
+The AWS::EC2::ClientVpnAuthorizationRule specifies an ingress authorization rule to add to a Client VPN endpoint.
+
+For additional information, including details on parameters and properties, see the [AWS documentation on AWS EC2 Client VPN authorization rule.](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ec2-clientvpnauthorizationrule.html).
+
+## Syntax
+
+Ensure that the client VPN endpoint association rule exists.
+
+```ruby
+describe aws_ec2_client_vpn_authorization_rules(client_vpn_endpoint_id: "CLIENT_VPN_ENDPOINT_ID") do
+ it { should exist }
+end
+```
+
+## Parameters
+
+`client_vpn_endpoint_id` _(required)_
+
+: The ID of the Client VPN endpoint.
+
+## Properties
+
+`client_vpn_endpoint_ids`
+: The ID of the Client VPN endpoint with which the authorization rule is associated.
+
+: **Field**: `client_vpn_endpoint_id`
+
+`descriptions`
+: A brief description of the authorization rule.
+
+: **Field**: `description`
+
+`group_ids`
+: The ID of the Active Directory group to which the authorization rule grants access.
+
+: **Field**: `group_id`
+
+`access_all`
+: Indicates whether the authorization rule grants access to all clients.
+
+: **Field**: `access_all`
+
+`destination_cidrs`
+: The IPv4 address range, in CIDR notation, of the network to which the authorization rule applies.
+
+: **Field**: `destination_cidr`
+
+`status_codes`
+: The status of the authorization rule.
+
+: **Field**: `status_code`
+
+`status_messages`
+: A message about the status of the authorization rule, if applicable.
+
+: **Field**: `status_message`
+
+## Examples
+
+Ensure a client VPN endpoint ID is available:
+
+```ruby
+describe aws_ec2_client_vpn_authorization_rules(client_vpn_endpoint_id: "CLIENT_VPN_ENDPOINT_ID", group_id: "GROUP_ID") do
+ its('client_vpn_endpoint_ids') { should include 'CLIENT_VPN_ENDPOINT_ID' }
+end
+```
+
+Ensure that the status code is `active`:
+
+```ruby
+describe aws_ec2_client_vpn_authorization_rules(client_vpn_endpoint_id: "CLIENT_VPN_ENDPOINT_ID", group_id: "GROUP_ID") do
+ its('status_codes') { should include 'active' }
+end
+```
+
+## Matchers
+
+{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}}
+
+The controls will pass if the `describe` method returns at least one result.
+
+### exist
+
+Use `should` to test that the entity exists.
+
+```ruby
+describe aws_ec2_client_vpn_authorization_rules(client_vpn_endpoint_id: "CLIENT_VPN_ENDPOINT_ID", group_id: "GROUP_ID") do
+ it { should exist }
+end
+```
+
+Use `should_not` to test the entity does not exist.
+
+```ruby
+describe aws_ec2_client_vpn_authorization_rules(client_vpn_endpoint_id: "CLIENT_VPN_ENDPOINT_ID", group_id: "GROUP_ID") do
+ it { should_not exist }
+end
+```
+
+### be_available
+
+Use `should` to check if the entity is available.
+
+```ruby
+describe aws_ec2_client_vpn_authorization_rules(client_vpn_endpoint_id: "CLIENT_VPN_ENDPOINT_ID", group_id: "GROUP_ID") do
+ it { should be_available }
+end
+```
+
+## AWS Permissions
+
+{{% inspec-aws/aws_permissions_principal action="EC2:Client:DescribeClientVpnAuthorizationRulesResult" %}}
diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_ec2_client_vpn_endpoint.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_ec2_client_vpn_endpoint.md
new file mode 100644
index 0000000..7e2025e
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_ec2_client_vpn_endpoint.md 
@@ -0,0 +1,193 @@
++++
+title = "aws_ec2_client_vpn_endpoint resource"
+
+draft = false
+
+
+[menu.aws]
+title = "aws_ec2_client_vpn_endpoint"
+identifier = "inspec/resources/aws/aws_ec2_client_vpn_endpoint resource"
+parent = "inspec/resources/aws"
++++
+
+Use the `aws_ec2_client_vpn_endpoint` InSpec audit resource to test properties of a single specific AWS EC2 Client VPN endpoint.
+
+The `AWS::EC2::ClientVpnEndpoint` specifies a Client VPN endpoint.
+
+For additional information, including details on parameters and properties, see the [AWS documentation on AWS EC2 ClientVpnEndpoint.](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ec2-clientvpnendpoint.html).
+
+## Syntax
+
+Ensure that the client VPN endpoint exists.
+
+```ruby
+describe aws_ec2_client_vpn_endpoint(client_vpn_endpoint_id: "CLIENT_VPN_ENDPOINT_ID") do
+ it { should exist }
+end
+```
+
+## Parameters
+
+`client_vpn_endpoint_id` _(required)_
+
+: The ID of the Client VPN endpoint.
+
+## Properties
+
+`client_vpn_endpoint_id`
+: The ID of the Client VPN endpoint.
+
+`description`
+: A brief description of the endpoint.
+
+`status.code`
+: The state of the Client VPN endpoint.
+
+`status.message`
+: A message about the status of the Client VPN endpoint.
+
+`creation_time`
+: The date and time the Client VPN endpoint was created.
+
+`deletion_time`
+: The date and time the Client VPN endpoint was deleted, if applicable.
+
+`dns_name`
+: The DNS name to be used by clients when connecting to the Client VPN endpoint.
+
+`client_cidr_block`
+: The IPv4 address range, in CIDR notation, from which client IP addresses are assigned.
+
+`dns_servers`
+: Information about the DNS servers to be used for DNS resolution.
+
+`split_tunnel`
+: Indicates whether split-tunnel is enabled in the Client VPN endpoint.
+
+`vpn_protocol`
+: The protocol used by the VPN session.
+
+`transport_protocol`
+: The transport protocol used by the Client VPN endpoint.
+
+`vpn_port`
+: The port number for the Client VPN endpoint.
+
+`associated_target_networks`
+: Information about the associated target networks. A target network is a subnet in a VPC.
+
+`associated_target_network_id`
+: The ID of the subnet.
+
+`associated_target_network_type`
+: The target network type.
+
+`server_certificate_arn`
+: The ARN of the server certificate.
+
+`authentication_options`
+: Information about the authentication method used by the Client VPN endpoint.
+
+`authentication_options_types`
+: The authentication type used.
+
+`authentication_options_active_directory_ids`
+: The ID of the Active Directory used for authentication.
+
+`authentication_options_mutual_authentication.client_root_certificate_chains`
+: The ARN of the client certificate.
+
+`authentication_options_federated_authentication_saml_provider_arns`
+: The Amazon Resource Name (ARN) of the IAM SAML identity provider.
+
+`authentication_options_federated_authentication_self_service_saml_provider_arns`
+: The Amazon Resource Name (ARN) of the IAM SAML identity provider for the self-service portal.
+
+`connection_log_options_enabled`
+: Indicates whether client connection logging is enabled for the Client VPN endpoint.
+
+`connection_log_options_cloudwatch_log_groups`
+: The name of the Amazon CloudWatch Logs log group to which connection logging data is published.
+
+`connection_log_options_cloudwatch_log_streams`
+: The name of the Amazon CloudWatch Logs log stream to which connection logging data is published.
+
+`tags`
+: Describes a tag.
+
+`security_group_ids`
+: The IDs of the security groups for the target network.
+
+`vpc_id`
+: The ID of the VPC.
+
+`self_service_portal_url`
+: The URL of the self-service portal.
+
+`client_connect_options_enabled`
+: Indicates whether client connect options are enabled.
+
+`client_connect_options_lambda_function_arns`
+: The Amazon Resource Name (ARN) of the Lambda function used for connection authorization.
+
+`client_connect_options_status_codes`
+: The status code.
+
+`client_connect_options_status_messages`
+: The status message.
+
+## Examples
+
+Ensure a client VPN endpoint ID is available:
+
+```ruby
+describe aws_ec2_client_vpn_endpoint(client_vpn_endpoint_id: "CLIENT_VPN_ENDPOINT_ID") do
+ its('client_vpn_endpoint_id') { should eq 'CLIENT_VPN_ENDPOINT_ID' }
+end
+```
+
+Ensure that the status code is `available`:
+
+```ruby
+describe aws_ec2_client_vpn_endpoint(client_vpn_endpoint_id: "CLIENT_VPN_ENDPOINT_ID") do
+ its('status.code') { should eq 'available' }
+end
+```
+
+## Matchers
+
+{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}}
+
+The controls will pass if the `describe` method returns at least one result.
+
+### exist
+
+Use `should` to test that the entity exists.
+
+```ruby
+describe aws_ec2_client_vpn_endpoint(client_vpn_endpoint_id: "CLIENT_VPN_ENDPOINT_ID") do
+ it { should exist }
+end
+```
+
+Use `should_not` to test the entity does not exist.
+
+```ruby
+describe aws_ec2_client_vpn_endpoint(client_vpn_endpoint_id: "CLIENT_VPN_ENDPOINT_ID") do
+ it { should_not exist }
+end
+```
+
+### be_available
+
+Use `should` to check if the entity is available.
+
+```ruby
+describe aws_ec2_client_vpn_endpoint(client_vpn_endpoint_id: "CLIENT_VPN_ENDPOINT_ID") do
+ it { should be_available }
+end
+```
+
+## AWS Permissions
+
+{{% inspec-aws/aws_permissions_principal action="EC2:Client:DescribeClientVpnEndpointsResult" %}}
diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_ec2_client_vpn_endpoints.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_ec2_client_vpn_endpoints.md
new file mode 100644
index 0000000..8d1874d
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_ec2_client_vpn_endpoints.md
@@ -0,0 +1,259 @@
++++
+title = "aws_ec2_client_vpn_endpoints resource"
+
+draft = false
+
+
+[menu.aws]
+title = "aws_ec2_client_vpn_endpoints"
+identifier = "inspec/resources/aws/aws_ec2_client_vpn_endpoints resource"
+parent = "inspec/resources/aws"
++++
+
+Use the `aws_ec2_client_vpn_endpoints` InSpec audit resource to test properties of multiple AWS EC2 Client VPN endpoint.
+
+The `AWS::EC2::ClientVpnEndpoint` specifies a Client VPN endpoint.
+
+For additional information, including details on parameters and properties, see the [AWS documentation on AWS EC2 ClientVpnEndpoint.](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ec2-clientvpnendpoint.html).
+
+## Syntax
+
+Ensure that the client VPN endpoint exists.
+
+```ruby
+describe aws_ec2_client_vpn_endpoints do
+ it { should exist }
+end
+```
+
+## Parameters
+
+This resource does not require any parameters.
+
+## Properties
+
+`client_vpn_endpoint_ids`
+: The ID of the Client VPN endpoint.
+
+: **Field**: `client_vpn_endpoint_id`
+
+`descriptions`
+: A brief description of the endpoint.
+
+: **Field**: `description`
+
+`status_codes`
+: The state of the Client VPN endpoint.
+
+: **Field**: `status.code`
+
+`status_messages`
+: A message about the status of the Client VPN endpoint.
+
+: **Field**: `status.message`
+
+`creation_times`
+: The date and time the Client VPN endpoint was created.
+
+: **Field**: `creation_time`
+
+`deletion_times`
+: The date and time the Client VPN endpoint was deleted, if applicable.
+
+: **Field**: `deletion_time`
+
+`dns_names`
+: The DNS name to be used by clients when connecting to the Client VPN endpoint.
+
+: **Field**: `dns_name`
+
+`client_cidr_blocks`
+: The IPv4 address range, in CIDR notation, from which client IP addresses are assigned.
+
+: **Field**: `client_cidr_block`
+
+`dns_servers`
+: Information about the DNS servers to be used for DNS resolution.
+
+: **Field**: `dns_servers`
+
+`split_tunnels`
+: Indicates whether split-tunnel is enabled in the Client VPN endpoint.
+
+: **Field**: `split_tunnel`
+
+`vpn_protocols`
+: The protocol used by the VPN session.
+
+: **Field**: `vpn_protocol`
+
+`transport_protocols`
+: The transport protocol used by the Client VPN endpoint.
+
+: **Field**: `transport_protocol`
+
+`vpn_ports`
+: The port number for the Client VPN endpoint.
+
+: **Field**: `vpn_port`
+
+`associated_target_networks`
+: Information about the associated target networks. A target network is a subnet in a VPC.
+
+: **Field**: `associated_target_networks`
+
+`associated_target_network_id`
+: The ID of the subnet.
+
+: **Field**: `network_id`
+
+`associated_target_network_type`
+: The target network type.
+
+: **Field**: `network_type`
+
+`server_certificate_arns`
+: The ARN of the server certificate.
+
+: **Field**: `server_certificate_arn`
+
+`authentication_options`
+: Information about the authentication method used by the Client VPN endpoint.
+
+: **Field**: `authentication_options`
+
+`authentication_options_types`
+: The authentication type used.
+
+: **Field**: `type`
+
+`authentication_options_active_directory_ids`
+: The ID of the Active Directory used for authentication.
+
+: **Field**: `directory_id`
+
+`authentication_options_mutual_authentication.client_root_certificate_chains`
+: The ARN of the client certificate.
+
+: **Field**: `client_root_certificate_chain`
+
+`authentication_options_federated_authentication_saml_provider_arns`
+: The Amazon Resource Name (ARN) of the IAM SAML identity provider.
+
+: **Field**: `saml_provider_arn`
+
+`authentication_options_federated_authentication_self_service_saml_provider_arns`
+: The Amazon Resource Name (ARN) of the IAM SAML identity provider for the self-service portal.
+
+: **Field**: `self_service_saml_provider_arn`
+
+`connection_log_options_enabled`
+: Indicates whether client connection logging is enabled for the Client VPN endpoint.
+
+: **Field**: `enabled`
+
+`connection_log_options_cloudwatch_log_groups`
+: The name of the Amazon CloudWatch Logs log group to which connection logging data is published.
+
+: **Field**: `cloudwatch_log_group`
+
+`connection_log_options_cloudwatch_log_streams`
+: The name of the Amazon CloudWatch Logs log stream to which connection logging data is published.
+
+: **Field**: `cloudwatch_log_stream`
+
+`tags`
+: Describes a tag.
+
+: **Field**: `tags`
+
+`security_group_ids`
+: The IDs of the security groups for the target network.
+
+: **Field**: `security_group_ids`
+
+`vpc_id`
+: The ID of the VPC.
+
+: **Field**: `vpc_id`
+
+`self_service_portal_url`
+: The URL of the self-service portal.
+
+: **Field**: `self_service_portal_url`
+
+`client_connect_options_enabled`
+: Indicates whether client connect options are enabled.
+
+: **Field**: `enabled`
+
+`client_connect_options_lambda_function_arns`
+: The Amazon Resource Name (ARN) of the Lambda function used for connection authorization.
+
+: **Field**: `lambda_function_arn`
+
+`client_connect_options_status_codes`
+: The status code.
+
+: **Field**: `status.code`
+
+`client_connect_options_status_messages`
+: The status message.
+
+: **Field**: `status.message`
+
+## Examples
+
+Ensure a client VPN endpoint ID is available:
+
+```ruby
+describe aws_ec2_client_vpn_endpoints do
+ its('client_vpn_endpoint_ids') { should include 'CLIENT_VPN_ENDPOINT_ID' }
+end
+```
+
+Ensure that the status code is `available`:
+
+```ruby
+describe aws_ec2_client_vpn_endpoints do
+ its('status_codes') { should include 'available' }
+end
+```
+
+## Matchers
+
+{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}}
+
+The controls will pass if the `describe` method returns at least one result.
+
+### exist
+
+Use `should` to test that the entity exists.
+
+```ruby
+describe aws_ec2_client_vpn_endpoints do
+ it { should exist }
+end
+```
+
+Use `should_not` to test the entity does not exist.
+
+```ruby
+describe aws_ec2_client_vpn_endpoints do
+ it { should_not exist }
+end
+```
+
+### be_available
+
+Use `should` to check if the entity is available.
+
+```ruby
+describe aws_ec2_client_vpn_endpoints do
+ it { should be_available }
+end
+```
+
+## AWS Permissions
+
+{{% inspec-aws/aws_permissions_principal action="EC2:Client:DescribeClientVpnEndpointsResult" %}}
diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_ec2_client_vpn_route.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_ec2_client_vpn_route.md
new file mode 100644
index 0000000..46a259b
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_ec2_client_vpn_route.md
@@ -0,0 +1,135 @@
++++
+title = "aws_ec2_client_vpn_route resource"
+
+draft = false
+
+
+[menu.aws]
+title = "aws_ec2_client_vpn_route"
+identifier = "inspec/resources/aws/aws_ec2_client_vpn_route resource"
+parent = "inspec/resources/aws"
++++
+
+Use the `aws_ec2_client_vpn_route` InSpec audit resource to test properties of a single specific AWS EC2 Client VPN route.
+
+The `AWS::EC2::ClientVpnRoute` specifies a network route to add to a Client VPN endpoint.
+
+For additional information, including details on parameters and properties, see the [AWS documentation on AWS EC2 ClientVpnRoute.](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ec2-clientvpnroute.html).
+
+## Syntax
+
+Ensure that the client VPN endpoint exists.
+
+```ruby
+describe aws_ec2_client_vpn_route(client_vpn_endpoint_id: "CLIENT_VPN_ENDPOINT_ID", target_subnet: "TARGET_SUBNET") do
+ it { should exist }
+end
+```
+
+## Parameters
+
+`client_vpn_endpoint_id` _(required)_
+
+: The ID of the Client VPN endpoint with which the route is associated.
+
+`target_subnet` _(required)_
+
+: The ID of the subnet through which traffic is routed.
+
+## Properties
+
+`client_vpn_endpoint_id`
+: The ID of the Client VPN endpoint with which the route is associated.
+
+: **Field**: `carrier_gateway_id`
+
+`destination_cidr`
+: The IPv4 address range, in CIDR notation, of the route destination.
+
+: **Field**: `carrier_gateway_id`
+
+`target_subnet`
+: The ID of the subnet through which traffic is routed.
+
+: **Field**: `carrier_gateway_id`
+
+`type`
+: The route type.
+
+: **Field**: `carrier_gateway_id`
+
+`origin`
+: Indicates how the route was associated with the Client VPN endpoint. associate indicates that the route was automatically added when the target network was associated with the Client VPN endpoint.
+
+: **Field**: `carrier_gateway_id`
+
+`status.code`
+: The state of the Client VPN endpoint route.
+
+: **Field**: `carrier_gateway_id`
+
+`status.message`
+: A message about the status of the Client VPN endpoint route, if applicable.
+
+: **Field**: `carrier_gateway_id`
+
+`description`
+: A brief description of the route.
+
+: **Field**: `carrier_gateway_id`
+
+## Examples
+
+Ensure a client VPN endpoint ID is available:
+
+```ruby
+describe aws_ec2_client_vpn_route(client_vpn_endpoint_id: "CLIENT_VPN_ENDPOINT_ID", target_subnet: "TARGET_SUBNET") do
+ its('client_vpn_endpoint_id') { should eq 'CLIENT_VPN_ENDPOINT_ID' }
+end
+```
+
+Ensure that the status code is `active`:
+
+```ruby
+describe aws_ec2_client_vpn_route(client_vpn_endpoint_id: "CLIENT_VPN_ENDPOINT_ID", target_subnet: "TARGET_SUBNET") do
+ its('status.code') { should eq 'active' }
+end
+```
+
+## Matchers
+
+{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}}
+
+The controls will pass if the `describe` method returns at least one result.
+
+### exist
+
+Use `should` to test that the entity exists.
+
+```ruby
+describe aws_ec2_client_vpn_route(client_vpn_endpoint_id: "CLIENT_VPN_ENDPOINT_ID", target_subnet: "TARGET_SUBNET") do
+ it { should exist }
+end
+```
+
+Use `should_not` to test the entity does not exist.
+
+```ruby
+describe aws_ec2_client_vpn_route(client_vpn_endpoint_id: "CLIENT_VPN_ENDPOINT_ID", target_subnet: "TARGET_SUBNET") do
+ it { should_not exist }
+end
+```
+
+### be_available
+
+Use `should` to check if the entity is available.
+
+```ruby
+describe aws_ec2_client_vpn_route(client_vpn_endpoint_id: "CLIENT_VPN_ENDPOINT_ID", target_subnet: "TARGET_SUBNET") do
+ it { should be_available }
+end
+```
+
+## AWS Permissions
+
+{{% inspec-aws/aws_permissions_principal action="EC2:Client:DescribeClientVpnRoutesResult" %}}
diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_ec2_client_vpn_routes.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_ec2_client_vpn_routes.md
new file mode 100644
index 0000000..1a866e4
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_ec2_client_vpn_routes.md 
@@ -0,0 +1,131 @@
++++
+title = "aws_ec2_client_vpn_routes resource"
+
+draft = false
+
+
+[menu.aws]
+title = "aws_ec2_client_vpn_routes"
+identifier = "inspec/resources/aws/aws_ec2_client_vpn_routes resource"
+parent = "inspec/resources/aws"
++++
+
+Use the `aws_ec2_client_vpn_routes` InSpec audit resource to test properties of a single specific AWS EC2 Client VPN route.
+
+The `AWS::EC2::ClientVpnRoute` specifies a network route to add to a Client VPN endpoint.
+
+For additional information, including details on parameters and properties, see the [AWS documentation on AWS EC2 ClientVpnRoute.](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ec2-clientvpnroute.html).
+
+## Syntax
+
+Ensure that the client VPN endpoint exists.
+
+```ruby
+describe aws_ec2_client_vpn_routes(client_vpn_endpoint_id: "CLIENT_VPN_ENDPOINT_ID") do
+ it { should exist }
+end
+```
+
+## Parameters
+
+`client_vpn_endpoint_id` _(required)_
+
+: The ID of the Client VPN endpoint with which the route is associated.
+
+## Properties
+
+`client_vpn_endpoint_ids`
+: The ID of the Client VPN endpoint with which the route is associated.
+
+: **Field**: `client_vpn_endpoint_id`
+
+`destination_cidrs`
+: The IPv4 address range, in CIDR notation, of the route destination.
+
+: **Field**: `destination_cidr`
+
+`target_subnets`
+: The ID of the subnet through which traffic is routed.
+
+: **Field**: `target_subnet`
+
+`types`
+: The route type.
+
+: **Field**: `type`
+
+`origins`
+: Indicates how the route was associated with the Client VPN endpoint. associate indicates that the route was automatically added when the target network was associated with the Client VPN endpoint.
+
+: **Field**: `origin`
+
+`status_codes`
+: The state of the Client VPN endpoint route.
+
+: **Field**: `status.code`
+
+`status_messages`
+: A message about the status of the Client VPN endpoint route, if applicable.
+
+: **Field**: `status.message`
+
+`descriptions`
+: A brief description of the route.
+
+: **Field**: `carrier_gateway_id`
+
+## Examples
+
+Ensure a client VPN endpoint ID is available:
+
+```ruby
+describe aws_ec2_client_vpn_routes(client_vpn_endpoint_id: "CLIENT_VPN_ENDPOINT_ID") do
+ its('client_vpn_endpoint_ids') { should include 'CLIENT_VPN_ENDPOINT_ID' }
+end
+```
+
+Ensure that the status code is `active`:
+
+```ruby
+describe aws_ec2_client_vpn_routes(client_vpn_endpoint_id: "CLIENT_VPN_ENDPOINT_ID") do
+ its('status_codes') { should include 'active' }
+end
+```
+
+## Matchers
+
+{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}}
+
+The controls will pass if the `describe` method returns at least one result.
+
+### exist
+
+Use `should` to test that the entity exists.
+
+```ruby
+describe aws_ec2_client_vpn_routes(client_vpn_endpoint_id: "CLIENT_VPN_ENDPOINT_ID") do
+ it { should exist }
+end
+```
+
+Use `should_not` to test the entity does not exist.
+
+```ruby
+describe aws_ec2_client_vpn_routes(client_vpn_endpoint_id: "CLIENT_VPN_ENDPOINT_ID") do
+ it { should_not exist }
+end
+```
+
+### be_available
+
+Use `should` to check if the entity is available.
+
+```ruby
+describe aws_ec2_client_vpn_routes(client_vpn_endpoint_id: "CLIENT_VPN_ENDPOINT_ID") do
+ it { should be_available }
+end
+```
+
+## AWS Permissions
+
+{{% inspec-aws/aws_permissions_principal action="EC2:Client:DescribeClientVpnRoutesResult" %}}
diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_ec2_client_vpn_target_network_association.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_ec2_client_vpn_target_network_association.md
new file mode 100644
index 0000000..fa1fd84
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_ec2_client_vpn_target_network_association.md
@@ -0,0 +1,116 @@
++++
+title = "aws_ec2_client_vpn_target_network_association resource"
+
+draft = false
+
+
+[menu.aws]
+title = "aws_ec2_client_vpn_target_network_association"
+identifier = "inspec/resources/aws/aws_ec2_client_vpn_target_network_association resource"
+parent = "inspec/resources/aws"
++++
+
+Use the `aws_ec2_client_vpn_target_network_association` InSpec audit resource to test properties of a single AWS EC2 Client VPN target network association.
+
+The `AWS::EC2::ClientVpnTargetNetworkAssociation` checks if a target network to associated with a Client VPN endpoint.
+
+For additional information, including details on parameters and properties, see the [AWS documentation on AWS EC2 Client VPN target network association.](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ec2-clientvpntargetnetworkassociation.html).
+
+## Syntax
+
+Ensure that the client VPN target network association exists.
+
+```ruby
+describe aws_ec2_client_vpn_target_network_association(client_vpn_endpoint_id: "CLIENT_VPN_ENDPOINT_ID", association_id: "ASSOCIATION_ID") do
+ it { should exist }
+end
+```
+
+## Parameters
+
+`client_vpn_endpoint_id` _(required)_
+
+: The ID of the Client VPN endpoint.
+
+`association_id` _(required)_
+
+: The ID of the association.
+
+## Properties
+
+`association_id`
+: The ID of the association.
+
+`vpc_id`
+: The ID of the VPC in which the target network (subnet) is located.
+
+`target_network_id`
+: The ID of the subnet specified as the target network.
+
+`client_vpn_endpoint_id`
+: The ID of the Client VPN endpoint with which the target network is associated.
+
+`status.code`
+: The state of the target network association.
+
+`status.message`
+: A message about the status of the target network association, if applicable.
+
+`security_groups`
+: The IDs of the security groups applied to the target network association.
+
+## Examples
+
+Ensure an association exists:
+
+```ruby
+describe aws_ec2_client_vpn_target_network_association(client_vpn_endpoint_id: "CLIENT_VPN_ENDPOINT_ID", association_id: "ASSOCIATION_ID") do
+ its('association_id') { should eq 'ASSOCIATION_ID' }
+end
+```
+
+Ensure that the status code is `active`:
+
+```ruby
+describe aws_ec2_client_vpn_target_network_association(client_vpn_endpoint_id: "CLIENT_VPN_ENDPOINT_ID", association_id: "ASSOCIATION_ID") do
+ its('status.code') { should eq 'active' }
+end
+```
+
+## Matchers
+
+{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}}
+
+The controls will pass if the `describe` method returns at least one result.
+
+### exist
+
+Use `should` to test that the entity exists.
+
+```ruby
+describe aws_ec2_client_vpn_target_network_association(client_vpn_endpoint_id: "CLIENT_VPN_ENDPOINT_ID", association_id: "ASSOCIATION_ID") do
+ it { should exist }
+end
+```
+
+Use `should_not` to test the entity does not exist.
+
+```ruby
+describe aws_ec2_client_vpn_target_network_association(client_vpn_endpoint_id: "CLIENT_VPN_ENDPOINT_ID", association_id: "ASSOCIATION_ID") do
+ it { should_not exist }
+end
+```
+
+### be_available
+
+Use `should` to check if the entity is available.
+
+```ruby
+describe aws_ec2_client_vpn_target_network_association(client_vpn_endpoint_id: "CLIENT_VPN_ENDPOINT_ID", association_id: "ASSOCIATION_ID") do
+ it { should be_available }
+end
+```
+
+## AWS Permissions
+
+{{% inspec-aws/aws_permissions_principal action="EC2:Client:DescribeClientVpnTargetNetworksResult" %}}
diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_ec2_client_vpn_target_network_associations.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_ec2_client_vpn_target_network_associations.md
new file mode 100644
index 0000000..25c252e
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_ec2_client_vpn_target_network_associations.md
@@ -0,0 +1,126 @@
++++
+title = "aws_ec2_client_vpn_target_network_associations resource"
+
+draft = false
+
+
+[menu.aws]
+title = "aws_ec2_client_vpn_target_network_associations"
+identifier = "inspec/resources/aws/aws_ec2_client_vpn_target_network_associations resource"
+parent = "inspec/resources/aws"
++++
+
+Use the `aws_ec2_client_vpn_target_network_associations` InSpec audit resource to test properties of multiple AWS EC2 Client VPN target network associations.
+
+The `AWS::EC2::ClientVpnTargetNetworkAssociation` specifies a target network to associate with a Client VPN endpoint.
+
+For additional information, including details on parameters and properties, see the [AWS documentation on AWS EC2 ClientVpnTargetNetworkAssociation.](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ec2-clientvpntargetnetworkassociation.html).
+
+## Syntax
+
+Ensure that the client vpn target network association exists.
+
+```ruby
+describe aws_ec2_client_vpn_target_network_associations(client_vpn_endpoint_id: "CLIENT_VPN_ENDPOINT_ID") do
+ it { should exist }
+end
+```
+
+## Parameters
+
+`client_vpn_endpoint_id` _(required)_
+
+: The ID of the Client VPN endpoint.
+
+## Properties
+
+`association_ids`
+: The ID of the association.
+
+: **Field**: `association_id`
+
+`vpc_ids`
+: The ID of the VPC in which the target network (subnet) is located.
+
+: **Field**: `vpc_id`
+
+`target_network_ids`
+: The ID of the subnet specified as the target network.
+
+: **Field**: `target_network_id`
+
+`client_vpn_endpoint_ids`
+: The ID of the Client VPN endpoint with which the target network is associated.
+
+: **Field**: `client_vpn_endpoint_id`
+
+`status_codes`
+: The state of the target network association.
+
+: **Field**: `status.code`
+
+`status_messages`
+: A message about the status of the target network association, if applicable.
+
+: **Field**: `status.message`
+
+`security_groups`
+: The IDs of the security groups applied to the target network association.
+
+: **Field**: `security_groups`
+
+## Examples
+
+Ensure an association exists:
+
+```ruby
+describe aws_ec2_client_vpn_target_network_associations(client_vpn_endpoint_id: "CLIENT_VPN_ENDPOINT_ID") do
+ its('association_ids') { should include 'ASSOCIATION_ID' }
+end
+```
+
+Ensure that the status code is `active`:
+
+```ruby
+describe aws_ec2_client_vpn_target_network_associations(client_vpn_endpoint_id: "CLIENT_VPN_ENDPOINT_ID") do
+ its('status_code') { should include 'active' }
+end
+```
+
+## Matchers
+
+{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}}
+
+The controls will pass if the `describe` method returns at least one result.
+
+### exist
+
+Use `should` to test that the entity exists.
+
+```ruby
+describe aws_ec2_client_vpn_target_network_associations(client_vpn_endpoint_id: "CLIENT_VPN_ENDPOINT_ID") do
+ it { should exist }
+end
+```
+
+Use `should_not` to test the entity does not exist.
+
+```ruby
+describe aws_ec2_client_vpn_target_network_associations(client_vpn_endpoint_id: "CLIENT_VPN_ENDPOINT_ID") do
+ it { should_not exist }
+end
+```
+
+### be_available
+
+Use `should` to check if the entity is available.
+
+```ruby
+describe aws_ec2_client_vpn_target_network_associations(client_vpn_endpoint_id: "CLIENT_VPN_ENDPOINT_ID") do
+ it { should be_available }
+end
+```
+
+## AWS Permissions
+
+{{% inspec-aws/aws_permissions_principal action="EC2:Client:DescribeClientVpnTargetNetworksResult" %}}
diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_ec2_customer_gateway.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_ec2_customer_gateway.md
new file mode 100644
index 0000000..4406d99
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_ec2_customer_gateway.md
@@ -0,0 +1,115 @@
++++
+title = "aws_ec2_customer_gateway resource"
+
+draft = false
+
+
+[menu.aws]
+title = "aws_ec2_customer_gateway"
+identifier = "inspec/resources/aws/aws_ec2_customer_gateway resource"
+parent = "inspec/resources/aws"
++++
+
+Use the `aws_ec2_customer_gateway` InSpec audit resource to test properties of a single AWS EC2 customer gateway.
+
+The `AWS::EC2::CustomerGateway` resource type specifies a customer gateway.
+
+For additional information, including details on parameters and properties, see the [AWS documentation on AWS EC2 customer gateway](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ec2-customer-gateway.html).
+
+## Syntax
+
+Ensure that the customer gateway Id exists.
+
+```ruby
+describe aws_ec2_customer_gateway(customer_gateway_id: "CUSTOMER_GATEWAY_ID") do
+ it { should exist }
+end
+```
+
+## Parameters
+
+`customer_gateway_id` _(required)_
+
+: The ID of the customer gateway.
+
+## Properties
+
+`bgp_asn`
+: The customer gateway's Border Gateway Protocol (BGP) Autonomous System Number (ASN).
+
+`customer_gateway_id`
+: The ID of the customer gateway.
+
+`ip_address`
+: The internet-routable IP address of the customer gateway's outside interface.
+
+`certificate_arn`
+: The Amazon Resource Name (ARN) for the customer gateway certificate.
+
+`state`
+: The current state of the customer gateway.
+
+`type`
+: The type of VPN connection the customer gateway supports (ipsec.1).
+
+`device_name`
+: The name of customer gateway device.
+
+`tags`
+: Any tags assigned to the customer gateway.
+
+## Examples
+
+Ensure a customer gateway ID is available:
+
+```ruby
+describe aws_ec2_customer_gateway(customer_gateway_id: "CUSTOMER_GATEWAY_ID") do
+ its('customer_gateway_id') { should eq 'CUSTOMER_GATEWAY_ID' }
+end
+```
+
+Ensure that the state is `available`:
+
+```ruby
+describe aws_ec2_customer_gateway(customer_gateway_id: "CUSTOMER_GATEWAY_ID") do
+ its('state') { should eq 'available' }
+end
+```
+
+## Matchers
+
+{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}}
+
+The controls will pass if the `describe` method returns at least one result.
+
+### exist
+
+Use `should` to test that the entity exists.
+
+```ruby
+describe aws_ec2_customer_gateway(customer_gateway_id: "CUSTOMER_GATEWAY_ID") do
+ it { should exist }
+end
+```
+
+Use `should_not` to test the entity does not exist.
+
+```ruby
+describe aws_ec2_customer_gateway(customer_gateway_id: "CUSTOMER_GATEWAY_ID") do
+ it { should_not exist }
+end
+```
+
+### be_available
+
+Use `should` to check if the entity is available.
+
+```ruby
+describe aws_ec2_customer_gateway(customer_gateway_id: "CUSTOMER_GATEWAY_ID") do
+ it { should be_available }
+end
+```
+
+## AWS Permissions
+
+{{% inspec-aws/aws_permissions_principal action="EC2:Client:DescribeCustomerGatewaysResult" %}}
diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_ec2_customer_gateways.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_ec2_customer_gateways.md
new file mode 100644
index 0000000..89e2b99
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_ec2_customer_gateways.md
@@ -0,0 +1,129 @@
++++
+title = "aws_ec2_customer_gateways resource"
+
+draft = false
+
+
+[menu.aws]
+title = "aws_ec2_customer_gateways"
+identifier = "inspec/resources/aws/aws_ec2_customer_gateways resource"
+parent = "inspec/resources/aws"
++++
+
+Use the `aws_ec2_customer_gateways` InSpec audit resource to test properties of the plural resource of AWS EC2 customer gateway.
+
+The `AWS::EC2::CustomerGateway` resource type specifies a customer gateway.
+
+For additional information, including details on parameters and properties, see the [AWS documentation on AWS EC2 customer gateway](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ec2-customer-gateway.html).
+
+## Syntax
+
+Ensure that the customer gateway exists.
+
+```ruby
+describe aws_ec2_customer_gateways do
+ it { should exist }
+end
+```
+
+## Parameters
+
+This resource does not require any parameters.
+
+## Properties
+
+`bgp_asns`
+: The customer gateway's Border Gateway Protocol (BGP) Autonomous System Number (ASN).
+
+: **Field**: `bgp_asn`
+
+`customer_gateway_ids`
+: The ID of the customer gateway.
+
+: **Field**: `customer_gateway_id`
+
+`ip_addresses`
+: The Internet-routable IP address of the customer gateway's outside interface.
+
+: **Field**: `ip_address`
+
+`certificate_arns`
+: The Amazon Resource Name (ARN) for the customer gateway certificate.
+
+: **Field**: `certificate_arn`
+
+`states`
+: The current state of the customer gateway.
+
+: **Field**: `state`
+
+`types`
+: The type of VPN connection the customer gateway supports (ipsec.1).
+
+: **Field**: `type`
+
+`device_names`
+: The name of customer gateway device.
+
+: **Field**: `device_name`
+
+`tags`
+: Any tags assigned to the customer gateway.
+
+: **Field**: `tags`
+
+## Examples
+
+Ensure a customer gateway ID is available:
+
+```ruby
+describe aws_ec2_customer_gateways do
+ its('customer_gateway_ids') { should include 'CUSTOMER_GATEWAY_ID' }
+end
+```
+
+Ensure that the state is `available`:
+
+```ruby
+describe aws_ec2_customer_gateways do
+ its('states') { should include 'available' }
+end
+```
+
+## Matchers
+
+{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}}
+
+The controls will pass if the `describe` method returns at least one result.
+
+### exist
+
+Use `should` to test that the entity exists.
+
+```ruby
+describe aws_ec2_customer_gateways do
+ it { should exist }
+end
+```
+
+Use `should_not` to test the entity does not exist.
+
+```ruby
+describe aws_ec2_customer_gateways do
+ it { should_not exist }
+end
+```
+
+### be_available
+
+Use `should` to check if the entity is available.
+
+```ruby
+describe aws_ec2_customer_gateways do
+ it { should be_available }
+end
+```
+
+## AWS Permissions
+
+{{% inspec-aws/aws_permissions_principal action="EC2:Client:DescribeCustomerGatewaysResult" %}}
diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_ec2_dhcp_option.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_ec2_dhcp_option.md
new file mode 100644
index 0000000..d0fe60e
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_ec2_dhcp_option.md
@@ -0,0 +1,88 @@
++++
+title = "aws_ec2_dhcp_option resource"
+
+draft = false
+
+
+[menu.aws]
+title = "aws_ec2_dhcp_option"
+identifier = "inspec/resources/aws/aws_ec2_dhcp_option resource"
+parent = "inspec/resources/aws"
++++
+
+Use the `aws_ec2_dhcp_option` InSpec audit resource to test the properties of a single AWS DHCP options set.
+
+For additional information, including details on parameters and properties, see the [AWS documentation on EC2](https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeDhcpOptions.html).
+
+## Syntax
+
+Ensure that an `aws_ec2_dhcp_option` exists.
+
+```ruby
+describe aws_ec2_dhcp_option('dopt-0123456789abcdefg') do
+ it { should exist }
+end
+```
+
+```ruby
+describe aws_ec2_dhcp_option(dhcp_options_id: 'dopt-0123456789abcdefg') do
+ it { should exist }
+end
+```
+
+```ruby
+describe aws_ec2_dhcp_option(name: 'dopt-vpc-1') do
+ it { should exist }
+end
+```
+
+## Parameters
+
+This resource requires either the `dhcp_options_id` or `name` parameter.
+
+`dhcp_options_id`
+
+: The DHCP options ID uniquely identifies the DHCP options set.
+ This can be passed either as a string or as a `dhcp_options_id: 'value'` key-value entry in a hash.
+
+`name`
+
+: The DHCP options name uniquely identifies the DHCP options set.
+ This can be passed as a `name: 'value'` key-value entry in a hash.
+
+## Properties
+
+`domain_name`
+: The configured AWS DNS name.
+
+`domain_name_servers`
+: The list of domain name servers in the DHCP configuration.
+
+`ntp_servers`
+: The list of ntp servers in the DHCP configuration.
+
+`netbios_name_servers`
+: The list of NetBIOS name servers in the DHCP configuration.
+
+`netbios_node_type`
+: The type of NetBIOS node in the DHCP configuration.
+
+`tags`
+: The tags of the DHCP options.
+
+## Examples
+
+Test tags on the DHCP options:
+
+```ruby
+describe aws_ec2_dhcp_option('dopt-0123456789abcdefg') do
+ its('tags') { should include(:Environment => 'env-name',
+ :Name => 'dhcp-options-name')}
+end
+```
+
+## AWS Permissions
+
+{{% inspec-aws/aws_permissions_principal action="EC2:Client:DescribeDhcpOptionsResult" %}}
+
+You can find detailed documentation at [Actions, Resources, and Condition Keys for Amazon EC2](https://docs.aws.amazon.com/IAM/latest/UserGuide/list_amazonec2.html).
diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_ec2_dhcp_options.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_ec2_dhcp_options.md
new file mode 100644
index 0000000..523e9b6
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_ec2_dhcp_options.md
@@ -0,0 +1,59 @@
++++
+title = "aws_ec2_dhcp_options resource"
+
+draft = false
+
+
+[menu.aws]
+title = "aws_ec2_dhcp_options"
+identifier = "inspec/resources/aws/aws_ec2_dhcp_options resource"
+parent = "inspec/resources/aws"
++++
+
+Use the `aws_ec2_dhcp_options` InSpec audit resource to test properties of multiple AWS DHCP options sets.
+
+## Syntax
+
+Ensure that an `aws_ec2_dhcp_options` exists.
+
+```ruby
+describe aws_ec2_dhcp_options do
+ it { should exist }
+end
+```
+
+```ruby
+describe aws_ec2_dhcp_options.where(dhcp_options_id: 'dopt-0123456789abcdefg') do
+ it { should exist }
+end
+```
+
+## Properties
+
+`domain_names`
+: The list of DHCP configurations domain names.
+
+`domain_name_servers`
+: The list of domain name servers in the DHCP configuration.
+
+`ntp_servers`
+: The list of ntp servers in the DHCP configuration.
+
+`netbios_name_servers`
+: The list of NetBIOS name servers in the DHCP configuration.
+
+`netbios_node_types`
+: The list of NetBIOS node types in the DHCP configuration.
+
+`tags`
+: The tags of the DHCP options.
+
+## Examples
+
+This resource does not have any examples.
+
+## AWS Permissions
+
+{{% inspec-aws/aws_permissions_principal action="EC2:Client:DescribeDhcpOptionsResult" %}}
+
+You can find detailed documentation at [Actions, Resources, and Condition Keys for Amazon EC2](https://docs.aws.amazon.com/IAM/latest/UserGuide/list_amazonec2.html).
diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_ec2_egress_only_internet_gateway.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_ec2_egress_only_internet_gateway.md
new file mode 100644
index 0000000..440c3de
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_ec2_egress_only_internet_gateway.md
@@ -0,0 +1,106 @@
++++
+title = "aws_ec2_egress_only_internet_gateway resource"
+
+draft = false
+
+
+[menu.aws]
+title = "aws_ec2_egress_only_internet_gateway"
+identifier = "inspec/resources/aws/aws_ec2_egress_only_internet_gateway resource"
+parent = "inspec/resources/aws"
++++
+
+Use the `aws_ec2_egress_only_internet_gateway` InSpec audit resource to test properties of a single specific AWS EC2 egress-only internet gateway.
+
+The `AWS::EC2::EgressOnlyInternetGateway` specifies an egress-only internet gateway for your VPC.
+
+## Syntax
+
+Ensure that the egress-only internet gateway Id exists.
+
+```ruby
+describe aws_ec2_egress_only_internet_gateway(egress_only_internet_gateway_id: 'EGRESS_ONLY_INTERNET_GATEWAY_ID') do
+ it { should exist }
+end
+```
+
+## Parameters
+
+`egress_only_internet_gateway_id` _(required)_
+
+: The ID of the egress-only internet gateway.
+
+: For additional information, see the [AWS documentation on AWS EC2 egress-only internet gateway.](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ec2-egressonlyinternetgateway.html).
+
+## Properties
+
+`attachments`
+: Information about the attachment of the egress-only internet gateway.
+
+`attachments_states`
+: The current state of the attachment.
+
+`attachments_vpc_ids`
+: The ID of the VPC.
+
+`egress_only_internet_gateway_id`
+: The ID of the egress-only internet gateway.
+
+`tags`
+: The tags assigned to the egress-only internet gateway.
+
+## Examples
+
+Ensure an egress-only internet gateway ID is available:
+
+```ruby
+describe aws_ec2_egress_only_internet_gateway(egress_only_internet_gateway_id: 'EGRESS_ONLY_INTERNET_GATEWAY_ID') do
+ its('egress_only_internet_gateway_id') { should eq 'EGRESS_ONLY_INTERNET_GATEWAY_ID' }
+end
+```
+
+Ensure that the attachments states is `attached`:
+
+```ruby
+describe aws_ec2_egress_only_internet_gateway(egress_only_internet_gateway_id: 'EGRESS_ONLY_INTERNET_GATEWAY_ID') do
+ its('attachments_states') { should eq 'attached' }
+end
+```
+
+## Matchers
+
+{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}}
+
+The controls will pass if the `describe` method returns at least one result.
+
+### exist
+
+Use `should` to test that the entity exists.
+
+```ruby
+describe aws_ec2_egress_only_internet_gateway(egress_only_internet_gateway_id: 'EGRESS_ONLY_INTERNET_GATEWAY_ID') do
+ it { should exist }
+end
+```
+
+Use `should_not` to test the entity does not exist.
+
+```ruby
+describe aws_ec2_egress_only_internet_gateway(egress_only_internet_gateway_id: 'EGRESS_ONLY_INTERNET_GATEWAY_ID') do
+ it { should_not exist }
+end
+```
+
+### be_available
+
+Use `should` to check if the entity is available.
+
+```ruby
+describe aws_ec2_egress_only_internet_gateway(egress_only_internet_gateway_id: 'EGRESS_ONLY_INTERNET_GATEWAY_ID') do
+ it { should be_available }
+end
+```
+
+## AWS Permissions
+
+{{% inspec-aws/aws_permissions_principal action="EC2:Client:DescribeEgressOnlyInternetGatewaysResult" %}}
diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_ec2_egress_only_internet_gateways.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_ec2_egress_only_internet_gateways.md
new file mode 100644
index 0000000..269ef4e
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_ec2_egress_only_internet_gateways.md
@@ -0,0 +1,112 @@
++++
+title = "aws_ec2_egress_only_internet_gateways resource"
+
+draft = false
+
+
+[menu.aws]
+title = "aws_ec2_egress_only_internet_gateways"
+identifier = "inspec/resources/aws/aws_ec2_egress_only_internet_gateways resource"
+parent = "inspec/resources/aws"
++++
+
+Use the `aws_ec2_egress_only_internet_gateways` InSpec audit resource to test properties of multiple AWS EC2 egress-only internet gateways.
+
+The `AWS::EC2::EgressOnlyInternetGateway` specifies an egress-only internet gateway for your VPC.
+
+## Syntax
+
+Ensure that the egress-only internet gateway Id exists.
+
+```ruby
+describe aws_ec2_egress_only_internet_gateways do
+ it { should exist }
+end
+```
+
+## Parameters
+
+For additional information, see the [AWS documentation on AWS EC2 egress-only internet gateway.](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ec2-egressonlyinternetgateway.html).
+
+## Properties
+
+`attachments`
+: Information about the attachment of the egress-only internet gateway.
+
+: **Field**: `attachments`
+
+`attachments_states`
+: The current state of the attachment.
+
+: **Field**: `state`
+
+`attachments_vpc_ids`
+: The ID of the VPC.
+
+: **Field**: `vpc_id`
+
+`egress_only_internet_gateway_id`
+: The ID of the egress-only internet gateway.
+
+: **Field**: `egress_only_internet_gateway_id`
+
+`tags`
+: The tags assigned to the egress-only internet gateway.
+
+: **Field**: `tags`
+
+## Examples
+
+Ensure an egress-only internet gateway ID is available:
+
+```ruby
+describe aws_ec2_egress_only_internet_gateways do
+ its('egress_only_internet_gateway_ids') { should include 'EgressOnlyInternetGatewayId' }
+end
+```
+
+Ensure that the attachments states is `attached`:
+
+```ruby
+describe aws_ec2_egress_only_internet_gateways do
+ its('attachments_states') { should include 'attached' }
+end
+```
+
+## Matchers
+
+{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}}
+
+The controls will pass if the `describe` method returns at least one result.
+
+### exist
+
+Use `should` to test that the entity exists.
+
+```ruby
+describe aws_ec2_egress_only_internet_gateways do
+ it { should exist }
+end
+```
+
+Use `should_not` to test that an entity does not exist.
+
+```ruby
+describe aws_ec2_egress_only_internet_gateways do
+ it { should_not exist }
+end
+```
+
+### be_available
+
+Use `should` to check if the entity is available.
+
+```ruby
+describe aws_ec2_egress_only_internet_gateways do
+ it { should be_available }
+end
+```
+
+## AWS Permissions
+
+{{% inspec-aws/aws_permissions_principal action="EC2:Client:DescribeEgressOnlyInternetGatewaysResult" %}}
diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_ec2_eip.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_ec2_eip.md
new file mode 100644
index 0000000..c012b12
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_ec2_eip.md
@@ -0,0 +1,129 @@ ++++ +title = "aws_ec2_eip resource" + +draft = false + + +[menu.aws] +title = "aws_ec2_eip" +identifier = "inspec/resources/aws/aws_ec2_eip resource" +parent = "inspec/resources/aws" ++++ + +Use the `aws_ec2_eip` InSpec audit resource to test properties of a single specific Elastic IP (EIP). + +An Elastic IP (EIP) is uniquely identified by the public IPv4 address, for example `192.0.2.0`. + +For additional information, including details on parameters and properties, see the [AWS documentation on Elastic IP (EIP)](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-eip.html). + +## Syntax + +Ensure that a Public IP exists. + +```ruby +describe aws_ec2_eip(public_ip: '192.0.2.0') do + it { should exist } +end +``` + +## Parameters + +`public_ip` _(required)_ + +## Properties + +`public_ip` +: The Elastic IP address, or the carrier IP address. + +`instance_id` +: The ID of the instance the address is associated with, if any. + +`allocation_id` +: The allocation ID for the address. + +`association_id` +: The association ID for the address. + +`domain` +: Indicates whether the address is for use in EC2-Classic (standard) or in a VPC (vpc). + +`network_interface_id` +: The ID of the network interface that the address is associated with, if any. + +`network_interface_owner_id` +: The AWS account ID of the owner. + +`private_ip_address` +: The private IP address associated with the Elastic IP address. + +`public_ipv_4_pool` +: The Elastic IPV4 pool address. + +`network_border_group` +: A unique set of Availability Zones, Local Zones, or Wavelength Zones from where AWS advertises IP addresses. 
+ +## Examples + +Ensure a Public IP is available: + +```ruby +describe aws_ec2_eip(public_ip: '192.0.2.0') do + its('public_ip') { should eq '192.0.2.0' } +end +``` + +Ensure that the domain is `vpc` or `standard`: + +```ruby +describe aws_ec2_eip(public_ip: '192.0.2.0') do + its('domain') { should eq 'vpc' } +end +``` + +## Matchers + +{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}} + +The controls will pass if the `describe` method returns at least one result. + +### exist + +Use `should` to test that the entity exists. + +```ruby +describe aws_ec2_eip(public_ip: '192.0.2.0') do + it { should exist } +end +``` + +Use `should_not` to test the entity does not exist. + +```ruby +describe aws_vpc_endpoint(public_ip: '192.0.2.0') do + it { should_not exist } +end +``` + +### be_available + +Check if the IP address is available. + +```ruby +describe aws_ec2_eip(public_ip: '192.0.2.0') do + it { should be_available } +end +``` + +Use `should_not` to test an IP address that should not exist. + +```ruby +describe aws_ec2_eip(public_ip: '192.0.2.0') do + it { should_not be_available } +end +``` + +## AWS Permissions + +{{% inspec-aws/aws_permissions_principal action="EC2:Client:DescribeAddressesResult" %}} + +See the [Actions, Resources, and Condition Keys for Amazon EC2](https://docs.aws.amazon.com/IAM/latest/UserGuide/list_amazonec2.html) documentation for additional information. diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_ec2_eip_association.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_ec2_eip_association.md new file mode 100644 index 0000000..953098f --- /dev/null +++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_ec2_eip_association.md 
@@ -0,0 +1,92 @@ ++++ +title = "aws_ec2_eip_association resource" + +draft = false + + +[menu.aws] +title = "aws_ec2_eip_association" +identifier = "inspec/resources/aws/aws_ec2_eip_association resource" +parent = "inspec/resources/aws" ++++ + +Use the `aws_ec2_eip_association` InSpec audit resource to test properties of the singular resource of AWS Elastic IP association. + +An Elastic IP (EIP) is uniquely identified by the public IPv4 address, for example `association_id`. + +`association_id` _(required)_ + +The association ID for the address. + +For additional information, including details on parameters and properties, see the [AWS documentation on AWS Elastic IP association](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-eip-association.html). + +## Syntax + +### Verify that the association exists + +```ruby +describe aws_ec2_eip_association(association_id: 'ASSOCIATION_ID') do + it { should exist } +end +``` + +## Parameters + +`association_id` _(required)_ + +: The association ID for the address. + +## Properties + +`association_id` +: The association ID for the address. + +## Examples + +Check association ID whether it is correct or not: + +```ruby +describe aws_ec2_eip_association(association_id: 'ASSOCIATION_ID') do + its('ASSOCIATION_ID') { should eq "ASSOCIATION_ID" } +end +``` + +## Matchers + +{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}} + +The controls will pass if the `describe` method returns at least one result. + +### exist + +Use `should` to test that the entity exists. + +```ruby +describe aws_ec2_eip_association(association_id: 'ASSOCIATION_ID') do + it { should exist } +end +``` + +Use `should_not` to test the entity does not exist. + +```ruby +describe aws_ec2_eip_association(association_id: 'ASSOCIATION_ID') do + it { should_not exist } +end +``` + +### be_available + +Check if the entity is available. 
+ +```ruby +describe aws_ec2_eip_association(association_id: 'ASSOCIATION_ID') do + it { should be_available } +end +``` + +## AWS Permissions + +{{% inspec-aws/aws_permissions_principal action="EC2:Client:DescribeAddressesResult" %}} + +See the [Actions, Resources, and Condition Keys for Amazon EC2](https://docs.aws.amazon.com/IAM/latest/UserGuide/list_amazonec2.html) documentation for additional information. diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_ec2_eip_associations.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_ec2_eip_associations.md new file mode 100644 index 0000000..6367f97 --- /dev/null +++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_ec2_eip_associations.md 
@@ -0,0 +1,80 @@ ++++ +title = "aws_ec2_eip_associations resource" + +draft = false + + +[menu.aws] +title = "aws_ec2_eip_associations" +identifier = "inspec/resources/aws/aws_ec2_eip_associations resource" +parent = "inspec/resources/aws" ++++ + +Use the `aws_ec2_eip_associations` InSpec audit resource to test properties of some or all AWS Elastic IP association. + +This resource does not expect any parameters. + +For additional information, including details on parameters and properties, see the [AWS documentation on AWS Elastic IP association](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-eip-association.html). + +## Syntax + +Verify that the association exists. + +```ruby +describe aws_ec2_eip_associations do + it { should exist } +end +``` + +## Parameters + +This resource does not require any parameters. + +## Properties + +`association_ids` +: The association ID for the address. + +: **Field**: `association_id` + +## Examples + +Check association ID is available: + +```ruby +describe aws_ec2_eip_associations do + its('association_ids') { should include "ASSOCIATION_ID" } +end +``` + +## Matchers + +{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}} + +This resource has the following special matchers. + +### exist + +The control will pass if the describe returns at least one result. + +Use `should` to test that the entity exists. + +```ruby +describe aws_ec2_eip_associations do + it { should exist } +end +``` + +Use `should_not` to test the entity does not exist. + +```ruby +describe aws_ec2_eip_associations do + it { should_not exist } +end +``` + +## AWS Permissions + +{{% inspec-aws/aws_permissions_principal action="EC2:Client:DescribeAddressesResult" %}} + +You can find detailed documentation at [Actions, Resources, and Condition Keys for Amazon EC2](https://docs.aws.amazon.com/IAM/latest/UserGuide/list_amazonec2.html). 
diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_ec2_eips.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_ec2_eips.md new file mode 100644 index 0000000..3c789c3 --- /dev/null +++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_ec2_eips.md 
@@ -0,0 +1,115 @@ ++++ +title = "aws_ec2_eips resource" + +draft = false + + +[menu.aws] +title = "aws_ec2_eips" +identifier = "inspec/resources/aws/aws_ec2_eips resource" +parent = "inspec/resources/aws" ++++ + +Use the `aws_ec2_eips` InSpec audit resource to test properties of some or all AWS Elastic IP addresses. + +This resource does not expect any parameters. + +For additional information, including details on parameters and properties, see the [AWS documentation on Elastic IP (EIP)](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-eip.html). + +## Syntax + +Verify that a public IP address exists. + +```ruby +describe aws_ec2_eips do + it { should exist } +end +``` + +An `aws_eips` resource block uses an optional filter to select a group of Elastic IPs and then test that group. + +## Parameters + +This resource does not require any parameters. + +## Properties + +`public_ip` +: The Elastic IP address, or the carrier IP address. + +`instance_id` +: The ID of the instance the address is associated with, if any. + +`allocation_id` +: The allocation ID for the address. + +`association_id` +: The association ID for the address. + +`domain` +: Indicates whether the address is for use in EC2-Classic (standard) or in a VPC (vpc). + +`network_interface_id` +: The ID of the network interface that the address is associated with, if any. + +`network_interface_owner_id` +: The AWS account ID of the owner. + +`private_ip_address` +: The private IP address associated with the Elastic IP address. + +`public_ipv_4_pool` +: The Elastic IPV4 pool address. + +`network_border_group` +: A unique set of Availability Zones, Local Zones, or Wavelength Zones from where AWS advertises IP addresses. 
+ +## Examples + +Ensure a Elastic IP(EIP) has Public IP: + +```ruby +describe aws_ec2_eips do + it { should exist } +end +``` + +Match count of Elastic IP(EIP): + +```ruby +describe aws_ec2_eips do + its('count') { should eq 5 } +end +``` + +Check Allocation ID whether it is correct or not: + +```ruby +describe aws_ec2_eips do + its('allocation_ids') { should include "eipassoc-0ew2bc8cde18191da" } +end +``` + +## Matchers + +{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}} + +This resource has the following special matchers. + +### exist + +The control will pass if the describe returns at least one result. + +Use `should_not` to test the entity should not exist. + +```ruby +describe aws_ec2_eips do + it { should_not exist } +end +``` + +## AWS Permissions + +{{% inspec-aws/aws_permissions_principal action="EC2:Client:DescribeAddressesResult" %}} + +You can find detailed documentation at [Actions, Resources, and Condition Keys for Amazon EC2](https://docs.aws.amazon.com/IAM/latest/UserGuide/list_amazonec2.html). diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_ec2_fleet.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_ec2_fleet.md new file mode 100644 index 0000000..08aea38 --- /dev/null +++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_ec2_fleet.md 
@@ -0,0 +1,199 @@ ++++ +title = "aws_ec2_fleet resource" + +draft = false + + +[menu.aws] +title = "aws_ec2_fleet" +identifier = "inspec/resources/aws/aws_ec2_fleet resource" +parent = "inspec/resources/aws" ++++ + +Use the `aws_ec2_fleet` InSpec audit resource to test properties of a single AWS EC2 fleet. + +The `AWS::EC2::SpotFleet` resource specifies the configuration information to launch a fleet--or group--of instances. + +For additional information, including details on parameters and properties, see the [AWS documentation on AWS EC2 Fleet.](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ec2-ec2fleet.html). + +## Syntax + +Ensure that the fleet ID exists. + +```ruby +describe aws_ec2_fleet(fleet_id: "FLEET_ID") do + it { should exist } +end +``` + +## Parameters + +`fleet_id` _(required)_ + +: The ID of the EC2 Fleet. + +## Properties + +`activity_status` +: The progress of the EC2 Fleet. + +`create_time` +: The creation date and time of the EC2 Fleet. + +`fleet_id` +: The ID of the EC2 Fleet. + +`fleet_state` +: The state of the EC2 Fleet. + +`client_token` +: Unique, case-sensitive identifier that you provide to ensure the idempotency of the request. + +`excess_capacity_termination_policy` +: Indicates whether running instances should be terminated if the target capacity of the EC2 Fleet is decreased below the current size of the EC2 Fleet. + +`fulfilled_capacity` +: The number of units fulfilled by this request compared to the set target capacity. + +`fulfilled_on_demand_capacity` +: The number of units fulfilled by this request compared to the set target On-Demand capacity. + +`launch_template_configs` +: The launch template and overrides. + +`target_capacity_specification.total_target_capacity` +: The number of units to request. + +`target_capacity_specification.on_demand_target_capacity` +: The number of On-Demand units to request. 
+ +`target_capacity_specification.spot_target_capacity` +: The maximum number of Spot units to launch. + +`target_capacity_specification.default_target_capacity_type` +: The default TotalTargetCapacity , which is either Spot or On-Demand. + +`terminate_instances_with_expiration` +: Indicates whether running instances should be terminated when the EC2 Fleet expires. + +`type` +: The type of request. + +`valid_from` +: The start date and time of the request. + +`valid_until` +: The end date and time of the request. + +`replace_unhealthy_instances` +: Indicates whether EC2 Fleet should replace unhealthy Spot Instances. + +`spot_options.allocation_strategy` +: Indicates how to allocate the target Spot Instance capacity across the Spot Instance pools specified by the EC2 Fleet. + +`spot_options.maintenance_strategies.capacity_rebalance.replacement_strategy` +: To allow EC2 Fleet to launch a replacement Spot Instance when an instance rebalance notification is emitted for an existing Spot Instance in the fleet, specify launch. + +`spot_options.instance_interruption_behavior` +: The behavior when a Spot Instance is interrupted. + +`spot_options.instance_pools_to_use_count` +: The number of Spot pools across which to allocate your target Spot capacity. + +`spot_options.single_instance_type` +: Indicates that the fleet uses a single instance type to launch all Spot Instances in the fleet. + +`spot_options.single_availability_zone` +: Indicates that the fleet launches all Spot Instances into a single Availability Zone. + +`spot_options.min_target_capacity` +: The minimum target capacity for Spot Instances in the fleet. + +`spot_options.max_total_price` +: The maximum target capacity for Spot Instances in the fleet. + +`on_demand_options.allocation_strategy` +: The order of the launch template overrides to use in fulfilling On-Demand capacity. 
+ +`on_demand_options.capacity_reservation_options.usage_strategy` +: If you specify use-capacity-reservations-first , the fleet uses unused Capacity Reservations to fulfill On-Demand capacity up to the target On-Demand capacity. + +`on_demand_options.single_instance_type` +: Indicates that the fleet uses a single instance type to launch all On-Demand Instances in the fleet. + +`on_demand_options.single_availability_zone` +: Indicates that the fleet launches all On-Demand Instances into a single Availability Zone. + +`on_demand_options.min_target_capacity` +: The minimum target capacity for On-Demand Instances in the fleet. + +`on_demand_options.max_total_price` +: The maximum amount per hour for On-Demand Instances that you're willing to pay. + +`tags` +: The tags for an EC2 Fleet resource. + +`errors` +: Information about the instances that could not be launched by the fleet. + +`instances` +: Information about the instances that were launched by the fleet. + +`context` +: The context. + +## Examples + +Ensure a fleet ID is available: + +```ruby +describe aws_ec2_fleet(fleet_id: "FLEET_ID") do + its('fleet_id') { should eq 'FLEET_ID' } +end +``` + +Ensure that the type is `instant`: + +```ruby +describe aws_ec2_fleet(fleet_id: "FLEET_ID") do + its('type') { should eq 'instant' } +end +``` + +## Matchers + +{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}} + +The controls will pass if the `describe` method returns at least one result. + +### exist + +Use `should` to test that the entity exists. + +```ruby +describe aws_ec2_fleet(fleet_id: "FLEET_ID") do + it { should exist } +end +``` + +Use `should_not` to test the entity does not exist. + +```ruby +describe aws_ec2_fleet(fleet_id: "FLEET_ID") do + it { should_not exist } +end +``` + +### be_available + +Use `should` to check if the entity is available. 
+ +```ruby +describe aws_ec2_fleet(fleet_id: "FLEET_ID") do + it { should be_available } +end +``` + +## AWS Permissions + +{{% inspec-aws/aws_permissions_principal action="EC2:Client:DescribeFleetsResult" %}} diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_ec2_fleets.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_ec2_fleets.md new file mode 100644 index 0000000..bf1fda7 --- /dev/null +++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_ec2_fleets.md 
@@ -0,0 +1,189 @@ ++++ +title = "aws_ec2_fleets resource" + +draft = false + + +[menu.aws] +title = "aws_ec2_fleets" +identifier = "inspec/resources/aws/aws_ec2_fleets resource" +parent = "inspec/resources/aws" ++++ + +Use the `aws_ec2_fleets` InSpec audit resource to test properties multiple AWS EC2 fleets. + +The `AWS::EC2::SpotFleet` resource specifies the configuration information to launch a fleet--or group--of instances. + +For additional information, including details on parameters and properties, see the [AWS documentation on AWS EC2 Fleet.](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ec2-ec2fleet.html). + +## Syntax + +Ensure that the fleet id exists. + +```ruby +describe aws_ec2_fleets do + it { should exist } +end +``` + +## Parameters + +This resource does not require any parameters. + +## Properties + +`activity_statuses` +: The progress of the EC2 Fleet. + +: **Field**: `activity_status` + +`create_times` +: The creation date and time of the EC2 Fleet. + +: **Field**: `create_time` + +`fleet_ids` +: The ID of the EC2 Fleet. + +: **Field**: `fleet_id` + +`fleet_states` +: The state of the EC2 Fleet. + +: **Field**: `fleet_state` + +`client_tokens` +: Unique, case-sensitive identifier that you provide to ensure the idempotency of the request. + +: **Field**: `client_token` + +`excess_capacity_termination_policies` +: Indicates whether running instances should be terminated if the target capacity of the EC2 Fleet is decreased below the current size of the EC2 Fleet. + +: **Field**: `excess_capacity_termination_policy` + +`fulfilled_capacities` +: The number of units fulfilled by this request compared to the set target capacity. + +: **Field**: `fulfilled_capacity` + +`fulfilled_on_demand_capacities` +: The number of units fulfilled by this request compared to the set target On-Demand capacity. + +: **Field**: `fulfilled_on_demand_capacity` + +`launch_template_configs` +: The launch template and overrides. 
+ +: **Field**: `launch_template_configs` + +`target_capacity_specifications` +: The number of units to request. + +: **Field**: `target_capacity_specifications` + +`types` +: The type of request. + +: **Field**: `type` + +`valid_from` +: The start date and time of the request. + +: **Field**: `valid_from` + +`valid_until` +: The end date and time of the request. + +: **Field**: `valid_until` + +`replace_unhealthy_instances` +: Indicates whether EC2 Fleet should replace unhealthy Spot Instances. + +: **Field**: `replace_unhealthy_instances` + +`spot_options` +: The configuration of Spot Instances in an EC2 Fleet. + +: **Field**: `spot_options` + +`on_demand_options` +: The allocation strategy of On-Demand Instances in an EC2 Fleet. + +: **Field**: `on_demand_options` + +`tags` +: The tags for an EC2 Fleet resource. + +: **Field**: `tags` + +`errors` +: Information about the instances that could not be launched by the fleet. + +: **Field**: `errors` + +`instances` +: Information about the instances that were launched by the fleet. + +: **Field**: `instances` + +`context` +: Reserved. + +: **Field**: `context` + +## Examples + +Ensure a fleet id is available: + +```ruby +describe aws_ec2_fleets do + its('fleet_ids') { should include 'FLEET_ID' } +end +``` + +Ensure that the type is `instant`: + +```ruby +describe aws_ec2_fleets do + its('types') { should include 'instant' } +end +``` + +## Matchers + +{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}} + +The controls will pass if the `describe` method returns at least one result. + +### exist + +Use `should` to test that the entity exists. + +```ruby +describe aws_ec2_fleets do + it { should exist } +end +``` + +Use `should_not` to test the entity does not exist. + +```ruby +describe aws_ec2_fleets do + it { should_not exist } +end +``` + +### be_available + +Use `should` to check if the entity is available. 
+ +```ruby +describe aws_ec2_fleets do + it { should be_available } +end +``` + +## AWS Permissions + +{{% inspec-aws/aws_permissions_principal action="EC2:Client:DescribeFleetsResult" %}} diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_ec2_host.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_ec2_host.md new file mode 100644 index 0000000..e3c23f0 --- /dev/null +++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_ec2_host.md 
@@ -0,0 +1,157 @@ ++++ +title = "aws_ec2_host resource" + +draft = false + + +[menu.aws] +title = "aws_ec2_host" +identifier = "inspec/resources/aws/aws_ec2_host resource" +parent = "inspec/resources/aws" ++++ + +Use the `aws_ec2_host` InSpec audit resource to test properties of a single AWS EC2 host resource. + +The `AWS::EC2::host` allocates a fully dedicated physical server for launching EC2 instances. + +For additional information, including details on parameters and properties, see the [AWS documentation on AWS EC2 host.](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ec2-host.html). + +## Syntax + +Ensure that the host exists. + +```ruby +describe aws_ec2_host(host_id: 'DEDICATED_HOST_ID') do + it { should exist } +end +``` + +## Parameters + +`host_id` _(required)_ + +: The ID of the dedicated host. + +## Properties + +`auto_placement` +: Whether auto-placement is on or off. + +`availability_zone` +: The Availability Zone of the Dedicated host. + +`available_capacity.available_instance_capacity` +: The number of instances that can be launched onto the Dedicated host based on the host's available capacity. + +`available_capacity.available_v_cpus` +: The number of vCPUs available for launching instances onto the Dedicated host. + +`client_token` +: Unique, case-sensitive identifier that you provide to ensure the idempotency of the request. + +`host_id` +: The ID of the Dedicated host. + +`host_properties.cores` +: The number of cores on the Dedicated host. + +`host_properties.instance_type` +: The instance type supported by the Dedicated host. + +`host_properties.instance_family` +: The instance family supported by the Dedicated host. + +`host_properties.sockets` +: The number of sockets on the Dedicated host. + +`host_properties.total_v_cpus` +: The total number of vCPUs on the Dedicated host. + +`host_reservation_id` +: The reservation ID of the Dedicated host. 
+ +`instances` +: The IDs and instance type that are currently running on the Dedicated host. + +`state` +: The Dedicated host's state. + +`allocation_time` +: The time that the Dedicated host was allocated. + +`release_time` +: The time that the Dedicated host was released. + +`tags` +: Any tags assigned to the Dedicated host. + +`host_recovery` +: Indicates whether host recovery is enabled or disabled for the Dedicated host. + +`allows_multiple_instance_types` +: Indicates whether the Dedicated host supports multiple instance types of the same instance family. + +`owner_id` +: The ID of the Amazon Web Services account that owns the Dedicated host. + +`availability_zone_id` +: The ID of the Availability Zone in which the Dedicated host is allocated. + +`member_of_service_linked_resource_group` +: Indicates whether the Dedicated host is in a host resource group. + +## Examples + +Ensure a host is available: + +```ruby +describe aws_ec2_host(host_id: 'DEDICATED_HOST_ID') do + its('host_id') { should eq 'DEDICATED_HOST_ID' } +end +``` + +Ensure that the state is `available`: + +```ruby +describe aws_ec2_host(host_id: 'DEDICATED_HOST_ID') do + its('state') { should eq 'available' } +end +``` + +## Matchers + +{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}} + +The controls will pass if the `describe` method returns at least one result. + +### exist + +Use `should` to test that the entity exists. + +```ruby +describe aws_ec2_host(host_id: 'DEDICATED_HOST_ID') do + it { should exist } +end +``` + +Use `should_not` to test the entity does not exist. + +```ruby +describe aws_ec2_host(host_id: 'DEDICATED_HOST_ID') do + it { should_not exist } +end +``` + +### be_available + +Use `should` to check if the entity is available. + +```ruby +describe aws_ec2_host(host_id: 'DEDICATED_HOST_ID') do + it { should be_available } +end +``` + +## AWS Permissions + +{{% inspec-aws/aws_permissions_principal action="EC2:Client:DescribeHostsResult" %}} 
diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_ec2_hosts.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_ec2_hosts.md new file mode 100644 index 0000000..b07b0b4 --- /dev/null +++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_ec2_hosts.md 
@@ -0,0 +1,174 @@ ++++ +title = "aws_ec2_hosts resource" + +draft = false + + +[menu.aws] +title = "aws_ec2_hosts" +identifier = "inspec/resources/aws/aws_ec2_hosts resource" +parent = "inspec/resources/aws" ++++ + +Use the `aws_ec2_hosts` InSpec audit resource to test properties of multiple AWS EC2 host resources. + +The `AWS::EC2::host` allocates a fully dedicated physical server for launching EC2 instances. + +For additional information, including details on parameters and properties, see the [AWS documentation on AWS EC2 host.](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ec2-host.html). + +## Syntax + +Ensure that the host exists. + +```ruby +describe aws_ec2_hosts do + it { should exist } +end +``` + +## Parameters + +This resource does not require any parameters. + +## Properties + +`auto_placements` +: Whether auto-placement is on or off. + +: **Field**: `auto_placement` + +`availability_zones` +: The Availability Zone of the Dedicated host. + +: **Field**: `availability_zone` + +`available_capacities` +: The number of instances that can be launched onto the Dedicated host depending on the host's available capacity. + +: **Field**: `available_instance_capacity` + +`client_tokens` +: Unique, case-sensitive identifier that you provide to ensure the idempotency of the request. + +: **Field**: `client_token` + +`host_ids` +: The ID of the Dedicated host. + +: **Field**: `host_id` + +`host_properties` +: The hardware specifications of the Dedicated host. + +: **Field**: `host_properties` + +`host_reservation_ids` +: The reservation ID of the Dedicated host. + +: **Field**: `host_reservation_id` + +`instances` +: The IDs and instance type that are currently running on the Dedicated host. + +: **Field**: `instances` + +`states` +: The Dedicated host's state. + +: **Field**: `state` + +`allocation_times` +: The time that the Dedicated host was allocated. 
+ +: **Field**: `allocation_time` + +`release_times` +: The time that the Dedicated host was released. + +: **Field**: `release_time` + +`tags` +: Any tags assigned to the Dedicated host. + +: **Field**: `tags` + +`host_recoveries` +: Indicates whether host recovery is enabled or disabled for the Dedicated host. + +: **Field**: `host_recovery` + +`allows_multiple_instance_types` +: Indicates whether the Dedicated host supports multiple instance types of the same instance family. + +: **Field**: `allows_multiple_instance_types` + +`owner_ids` +: The ID of the Amazon Web Services account that owns the Dedicated host. + +: **Field**: `owner_id` + +`availability_zone_ids` +: The ID of the Availability Zone in which the Dedicated host is allocated. + +: **Field**: `availability_zone_id` + +`member_of_service_linked_resource_groups` +: Indicates whether the Dedicated host is in a host resource group. + +: **Field**: `member_of_service_linked_resource_group` + +## Examples + +Ensure a host is available: + +```ruby +describe aws_ec2_hosts do + its('host_ids') { should include 'DEDICATED_HOST_ID' } +end +``` + +Ensure that the state is `available`: + +```ruby +describe aws_ec2_hosts do + its('states') { should include 'available' } +end +``` + +## Matchers + +{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}} + +The controls will pass if the `describe` method returns at least one result. + +### exist + +Use `should` to test that the entity exists. + +```ruby +describe aws_ec2_hosts do + it { should exist } +end +``` + +Use `should_not` to test the entity does not exist. + +```ruby +describe aws_ec2_hosts do + it { should_not exist } +end +``` + +### be_available + +Use `should` to check if the entity is available. + +```ruby +describe aws_ec2_hosts do + it { should be_available } +end +``` + +## AWS Permissions + +{{% inspec-aws/aws_permissions_principal action="EC2:Client:DescribeHostsResult" %}} 
diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_ec2_instance.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_ec2_instance.md new file mode 100644 index 0000000..7aecfd7 --- /dev/null +++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_ec2_instance.md 
@@ -0,0 +1,217 @@ ++++ +title = "aws_ec2_instance resource" + +draft = false + + +[menu.aws] +title = "aws_ec2_instance" +identifier = "inspec/resources/aws/aws_ec2_instance resource" +parent = "inspec/resources/aws" ++++ + +Use the `aws_ec2_instance` InSpec audit resource to test properties of a single AWS EC2 instance. + +## Syntax + +An `aws_ec2_instance` resource block declares the tests for a single AWS EC2 instance by either name or instance id. + +```ruby +describe aws_ec2_instance('i-01a2349e94458a507') do + it { should exist } +end +``` + +```ruby +describe aws_ec2_instance(name: 'my-instance') do + it { should exist } +end +``` + +## Parameters + +One of either the EC2 instance's ID or name must be be provided. + +`instance_id` _(required if `name` not provided)_ + +: The ID of the EC2 instance. This is in the format of `i-` followed by 8 or 17 hexadecimal characters. + This can be passed either as a string or as an `instance_id: 'value'` key-value entry in a hash. + +`name` _(required if `instance_id` not provided)_ + +: If you have a `Name` tag applied to the EC2 instance, this can be used to lookup the instance. + This must be passed as a `name: 'value'` key-value entry in a hash. + +## Properties + +`state` +: The current state of the EC2 Instance, for example 'running'. + +`image_id` +: The id of the AMI used to launch the instance. + +`role` +: The IAM role attached to the instance. + +`launch_time` +: The time the instance was launched. + +`availability_zone` +: The availability zone of the instance. + +`security_groups` +: A hash containing the security group ids and names associated with the instance. + +`security_group_ids` +: The security group ids associated with the instance. + +`ebs_volumes` +: A hash containing the names and ids of any EBS volumes associated with the instance. 
+ +`tags` +: A list of hashes with each key-value pair corresponding to an EC2 instance tag, e.g, `[{:key=>"Name", :value=>"Testing Box"}, {:key=>"Environment", :value=>"Dev"}]`. + +`tags_hash` +: A hash, with each key-value pair corresponding to an EC2 instance tag, e.g, `{"Name"=>"Testing Box", "Environment"=>"Dev"}`. This property is available in InSpec AWS resource pack version **[1.12.0](https://github.com/inspec/inspec-aws/releases/tag/v1.12.0)** onwards. + +There are also additional properties available. For a comprehensive list, see [the API reference documentation](https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_Instance.html) + +## Examples + +Test that an EC2 instance is running: + +```ruby +describe aws_ec2_instance(name: 'prod-database') do + it { should be_running } +end +``` + +Test that an EC2 instance is using the correct AMI: + +```ruby +describe aws_ec2_instance(name: 'my-instance') do + its('image_id') { should eq 'ami-27a58d5c' } +end +``` + +Test that an EC2 instance has the correct tag: + +```ruby +describe aws_ec2_instance('i-090c29e4f4c165b74') do + its('tags') { should include(key: 'Contact', value: 'Gilfoyle') } +end +``` + +Test that an EC2 instance has the correct tag (using the `tags_hash` property): + +```ruby +describe aws_ec2_instance('i-090c29e4f4c165b74') do + its('tags_hash') { should include('Contact' => 'Gilfoyle') } +Regardless of the value: + +end +``` + +Test that an EC2 instance has no roles: + +```ruby +describe aws_ec2_instance('i-090c29e4f4c165b74') do + it { should_not have_roles } +end +``` + +## Matchers + +{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}} + +This resource has the following special matchers. + +### exist + +The control will pass if the describe returns at least one result. + +Use `should_not` to test the entity should not exist. 
+ +```ruby +it { should exist } +``` + +```ruby +it { should_not exist } +``` + +##### has_roles + +Test if the EC2 instance has any roles associated with it. + +Use `should_not` to test the entity does not have roles. + +```ruby +it { should have_roles } +``` + +```ruby +it { should_not have_roles } +``` + +#### be_pending + +The `be_pending` matcher tests if the described EC2 instance state is `pending`. This indicates that an instance is provisioning. This state should be temporary. + +```ruby +it { should be_pending } +``` + +#### be_running + +The `be_running` matcher tests if the described EC2 instance state is `running`. This indicates the instance is fully operational from AWS's perspective. + +```ruby +it { should be_running } +``` + +#### be_shutting_down + +The `be_shutting_down` matcher tests if the described EC2 instance state is `shutting-down`. This indicates the instance has received a termination command and is in the process of being permanently halted and de-provisioned. This state should be temporary. + +```ruby +it { should be_shutting_down } +``` + +#### be_stopped + +The `be_stopped` matcher tests if the described EC2 instance state is `stopped`. This indicates that the instance is suspended and may be started again. + +```ruby +it { should be_stopped } +``` + +#### be_stopping + +The `be_stopping` matcher tests if the described EC2 instance state is `stopping`. This indicates that an AWS stop command has been issued, which will suspend the instance in an OS-unaware manner. This state should be temporary. + +```ruby +it { should be_stopping } +``` + +#### be_terminated + +The `be_terminated` matcher tests if the described EC2 instance state is `terminated`. This indicates the instance is permanently halted and will be removed from the instance listing in a short period. This state should be temporary. 
+ +```ruby +it { should be_terminated } +``` + +#### be_unknown + +The `be_unknown` matcher tests if the described EC2 instance state is `unknown`. This indicates an error condition in the AWS management system. This state should be temporary. + +```ruby +it { should be_unknown } +``` + +## AWS Permissions + +{{% inspec-aws/aws_permissions_principal action="EC2:Client:DescribeInstancesResult" %}} + +You can find detailed documentation at [Actions, Resources, and Condition Keys for Amazon EC2](https://docs.aws.amazon.com/IAM/latest/UserGuide/list_amazonec2.html), and [Actions, Resources, and Condition Keys for Identity And Access Management](https://docs.aws.amazon.com/IAM/latest/UserGuide/list_identityandaccessmanagement.html). diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_ec2_instances.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_ec2_instances.md new file mode 100644 index 0000000..c62bae8 --- /dev/null +++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_ec2_instances.md 
@@ -0,0 +1,162 @@ ++++ +title = "aws_ec2_instances resource" + +draft = false + + +[menu.aws] +title = "aws_ec2_instances" +identifier = "inspec/resources/aws/aws_ec2_instances resource" +parent = "inspec/resources/aws" ++++ + +Use the `aws_ec2_instances` InSpec audit resource to test properties of some or all AWS EC2 instances. To audit a single EC2 instance, use `aws_ec2_instance` (singular). + +## Syntax + +An `aws_ec2_instances` resource block collects a group of EC2 Instances and then tests that group. + +```ruby +describe aws_ec2_instances do + it { should exist } +end +``` + +## Parameters + +This resource does not require any parameters. + +## Properties + +`instance_ids` +: The ID of the EC2 instance. + +: **Field**: `instance_id` + +`names` +: The value of the `Name` tag if applied to the instance. The filed name is `name`. + +: **Field**: `instance_id` + +`vpc_ids` +: The VPC with which the EC2 instance is associated. + +: **Field**: `vpc_id` + +`subnet_ids` +: The subnet with which the EC2 instance is associated. + +: **Field**: `subnet_id` + +`instance_types` +: The type of instance, for example m5.large. + +: **Field**: `instance_type` + +`entries` +: Provides access to the raw results of the query, which can be treated as an array of hashes. + +: **Field**: `instance_type` + +`tags` +: A hash, with each key-value pair corresponding to an EC2 instance tag, e.g, `{"Name"=>"Testing Box", "Environment"=>"Dev"}`. This property is available in InSpec AWS resource pack version **[1.12.0](https://github.com/inspec/inspec-aws/releases/tag/v1.12.0)** onwards. + +: **Field**: `tags` + +`iam_profiles` +: The IAM instance profile associated with the instance. The `role` property of the `aws_ec2_instance` singular resource can be used to check the attached IAM role on the profile. 
+ +: **Field**: `iam_profile` + +## Examples + +Ensure you have exactly 3 instances: + +```ruby +describe aws_ec2_instances do + its('instance_ids.count') { should cmp 3 } +end +``` + +Use this InSpec resource to request the IDs of all EC2 instances, then test in-depth using `aws_ec2_instance`: + +```ruby +aws_ec2_instances.instance_ids.each do |instance_id| + describe aws_ec2_instance(instance_id) do + it { should_not have_roles } + its('key_name') { should cmp 'admin-ssh-key' } + its('image_id') { should eq 'ami-27a58d5c' } + end +end +``` + +Filter EC2 instances with their `Environment` tags equal to `Dev`, then test in-depth using `aws_ec2_instance`: + +```ruby +aws_ec2_instances.where(tags: {"Environment" => "Dev"}).instance_ids.each do |id| + describe aws_ec2_instance(id) do + it { should be_stopped } + end +end +``` + +The filter doesn't return the EC2 instances with multiple tags. In this case use regex: `/"Environment"=>"Dev"/` + +Filter EC2 instances with multiple tags like `Environment` equal to `Dev` and `Component` equal to `API` , then test in-depth using `aws_ec2_instance`: + +```ruby +aws_ec2_instances.where(tags: /"Environment"=>"Dev"/).where(tags: /"Component"=>"API"/).instance_ids.each do |id| + describe aws_ec2_instance(id) do + it { should be_stopped } + end +end +``` + +Filter EC2 instances with a `stop-at-10-pm` tag regardless of its value, then test in-depth using `aws_ec2_instance`. : + +```ruby +aws_ec2_instances.where(tags: /"stop-at-10-pm"=>/).instance_ids.each do |id| + describe aws_ec2_instance(id) do + it { should be_stopped } + end +end +``` + +Filter EC2 instances with their `name` equal to `Test Box`, then check their role using `aws_ec2_instance`. 
: + +```ruby +aws_ec2_instances.where(name: "Test Box").instance_ids.each do |id| + describe aws_ec2_instance(id) do + its('role) { should eq "test-role" } + end +end +``` + +## Matchers + +{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}} + +### exist + +The control will pass if the describe returns at least one result. +The field names described in the [properties](#properties) should be used for the `` in the `where` clause. + +Use `should_not` to test the entity should not exist. + +```ruby +describe aws_ec2_instances.where( : ) do + it { should exist } +end +``` + +```ruby +describe aws_ec2_instances.where( : ) do + it { should_not exist } +end +``` + +## AWS Permissions + +{{% inspec-aws/aws_permissions_principal action="EC2:Client:DescribeInstancesResult" %}} + +You can find detailed documentation at [Actions, Resources, and Condition Keys for Amazon EC2](https://docs.aws.amazon.com/IAM/latest/UserGuide/list_amazonec2.html), and [Actions, Resources, and Condition Keys for Identity And Access Management](https://docs.aws.amazon.com/IAM/latest/UserGuide/list_identityandaccessmanagement.html). diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_ec2_internet_gateway.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_ec2_internet_gateway.md new file mode 100644 index 0000000..202c710 --- /dev/null +++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_ec2_internet_gateway.md 
@@ -0,0 +1,125 @@ ++++ +title = "aws_ec2_internet_gateway resource" + +draft = false + + +[menu.aws] +title = "aws_ec2_internet_gateway" +identifier = "inspec/resources/aws/aws_ec2_internet_gateway resource" +parent = "inspec/resources/aws" ++++ + +Use the `aws_ec2_internet_gateway` InSpec audit resource to test properties of a single specific AWS EC2 internet gateway. + +The `AWS::EC2::InternetGateway` resource allocates an internet gateway for use with a VPC. After creating the internet gateway, you then attach it to a VPC. + +For additional information, including details on parameters and properties, see the [AWS documentation on AWS EC2 internet gateway](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ec2-internetgateway.html). + +## Syntax + +Ensure that internet gateway exists. + +```ruby +describe aws_ec2_internet_gateway(internet_gateway_id: 'INTERNET_GATEWAY_ID') do + it { should exist } +end +``` + +## Parameters + +`internet_gateway_id` _(required)_ + +: The ID of the internet gateway. + +## Properties + +`attachments` +: The attachment of the internet gateway. + +`attachments_states` +: The current state of the attachment. For an internet gateway, the state is available when attached to a VPC; otherwise, this value is not returned. + +`attachments_vpc_ids` +: The ID of the VPC. + +`internet_gateway_id` +: The ID of the internet gateway. + +`owner_id` +: The ID of the Amazon Web Services account that owns the internet gateway. + +`tags` +: The key/value combination of a tag assigned to the resource. 
+ +## Examples + +Ensure an attachments is available: + +```ruby +describe aws_ec2_internet_gateway(internet_gateway_id: 'INTERNET_GATEWAY_ID') do + its('attachments') { should_not be_empty } +end +``` + +Ensure that the attachment state is `available`: + +```ruby +describe aws_ec2_internet_gateway(internet_gateway_id: 'INTERNET_GATEWAY_ID') do + its('attachments_states') { should eq 'available' } +end +``` + +Ensure an internet gateway ID is available: + +```ruby +describe aws_ec2_internet_gateway(internet_gateway_id: 'INTERNET_GATEWAY_ID') do + its('internet_gateway_id') { should eq 'INTERNET_GATEWAY_ID' } +end +``` + +Ensure an owner ID is available: + +```ruby +describe aws_ec2_internet_gateway(internet_gateway_id: 'INTERNET_GATEWAY_ID') do + its('owner_id') { should eq 'OWNER_ID' } +end +``` + +## Matchers + +{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}} + +The controls will pass if the `describe` method returns at least one result. + +### exist + +Use `should` to test that the entity exists. + +```ruby +describe aws_ec2_internet_gateway(internet_gateway_id: 'INTERNET_GATEWAY_ID') do + it { should exist } +end +``` + +Use `should_not` to test the entity does not exist. + +```ruby +describe aws_ec2_internet_gateway(internet_gateway_id: 'INTERNET_GATEWAY_ID') do + it { should_not exist } +end +``` + +### be_available + +Use `should` to check if the entity is available. + +```ruby +describe aws_ec2_internet_gateway(internet_gateway_id: 'INTERNET_GATEWAY_ID') do + it { should be_available } +end +``` + +## AWS Permissions + +{{% inspec-aws/aws_permissions_principal action="EC2:Client:DescribeInternetGatewaysResult" %}} diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_ec2_internet_gateways.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_ec2_internet_gateways.md new file mode 100644 index 0000000..0444cf9 --- /dev/null 
+++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_ec2_internet_gateways.md 
@@ -0,0 +1,125 @@ ++++ +title = "aws_ec2_internet_gateways resource" + +draft = false + + +[menu.aws] +title = "aws_ec2_internet_gateways" +identifier = "inspec/resources/aws/aws_ec2_internet_gateways resource" +parent = "inspec/resources/aws" ++++ + +Use the `aws_ec2_internet_gateways` InSpec audit resource to test properties of multiple AWS EC2 internet gateways. + +The `AWS::EC2::InternetGateway` resource allocates an internet gateway for use with a VPC. After creating the internet gateway, you then attach it to a VPC. + +For additional information, including details on parameters and properties, see the [AWS documentation on AWS EC2 internet gateway](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ec2-internetgateway.html). + +## Syntax + +Ensure that an internet gateway exists. + +```ruby +describe aws_ec2_internet_gateways do + it { should exist } +end +``` + +## Parameters + +This resource does not require any parameters. + +## Properties + +`attachments` +: The attachments of the internet gateways. + +: **Field**: `attachments` + +`attachments_states` +: The current attachment states. For an internet gateway, the state is available when attached to a VPC; otherwise, this value is not returned. + +: **Field**: `attachments (state)` + +`attachments_vpc_ids` +: The IDs of the VPCs. + +: **Field**: `attachments (vpc_id)` + +`internet_gateway_ids` +: The IDs of the internet gateways. + +: **Field**: `internet_gateway_id` + +`owner_ids` +: The IDs of the AWS accounts that own the internet gateways. + +: **Field**: `owner_id` + +`tags` +: The key/value combination of tags assigned to the resources. 
+ +: **Field**: `tags` + +## Examples + +Ensure an attachment is available: + +```ruby +describe aws_ec2_internet_gateways do + its('attachments') { should_not be_empty } +end +``` + +Ensure that an attachment state is `available`: + +```ruby +describe aws_ec2_internet_gateways do + its('attachments_states') { should include 'available' } +end +``` + +Ensure an internet gateway ID is available: + +```ruby +describe aws_ec2_internet_gateways do + its('internet_gateway_ids') { should include 'INTERNET_GATEWAY_ID' } +end +``` + +Ensure an owner ID is available: + +```ruby +describe aws_ec2_internet_gateways do + its('owner_ids') { should include 'OWNER_ID' } +end +``` + +## Matchers + +{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}} + +The controls will pass if the `describe` method returns at least one result. + +### exist + +Use `should` to test that the entity exists. + +```ruby +describe aws_ec2_internet_gateways do + it { should exist } +end +``` + +Use `should_not` to test the entity does not exist. + +```ruby +describe aws_ec2_internet_gateways do + it { should_not exist } +end +``` + +## AWS Permissions + +{{% inspec-aws/aws_permissions_principal action="EC2:Client:DescribeInternetGatewaysResult" %}} diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_ec2_launch_template.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_ec2_launch_template.md new file mode 100644 index 0000000..016755f --- /dev/null +++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_ec2_launch_template.md 
@@ -0,0 +1,89 @@ ++++ +title = "aws_ec2_launch_template resource" + +draft = false + + +[menu.aws] +title = "aws_ec2_launch_template" +identifier = "inspec/resources/aws/aws_ec2_launch_template resource" +parent = "inspec/resources/aws" ++++ + +Use the `aws_ec2_launch_template` InSpec audit resource to test properties of a single AWS Launch Template. + +## Syntax + +An `aws_ec2_launch_template` resource block declares the tests for a single AWS Launch Template by either launch_template_name or launch_template_id. + +```ruby +describe aws_ec2_launch_template(launch_template_id: 'lt-01a2349e94458a507') do + it { should exist } +end +``` + +```ruby +describe aws_ec2_launch_template(launch_template_name: 'my-template') do + it { should exist } +end +``` + +## Parameters + +One of either the launch_template_name or launch_template_id must be be provided. + +`launch_template_id` + +: The ID of the EC2 launch_template. This is in the format of `lt-` followed by 8 or 17 hexadecimal characters. + This can be passed either as a string or as an `launch_template_id: 'value'` key-value entry in a hash. + +## Properties + +`launch_template_name` +: The name of launch template. + +`launch_template_id` +: The id of the launch template. + +`create_time` +: The create time of the launch resource. + +`created_by` +: The time the instance was launched. + +`default_version_number` +: The availability zone of the instance. + +`latest_version_number` +: A hash containing the security group ids and names associated with the instance. + +`tags` +: A list of hashes with each key-value pair corresponding to an EC2 instance tag, e.g, `[{:key=>"Name", :value=>"Testing Box"}, {:key=>"Environment", :value=>"Dev"}]`. + +There are also additional properties available. 
For a comprehensive list, see [the API reference documentation](https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_Instance.html) + +## Examples + +Test that an launch template should exist: + +```ruby +describe aws_ec2_launch_template(launch_template_id: 'lt-01a2349e94458a507') do + it { should exist } +end +``` + +Test that an EC2 instance is using the correct AMI: + +```ruby +describe aws_ec2_launch_template(launch_template_id: 'lt-01a2349e94458a507') do + its('default_version_number') { should eq 1 } +end +``` + +Test that an EC2 instance has the correct tag: + +```ruby +describe aws_ec2_launch_template(launch_template_id: 'lt-01a2349e94458a507') do + its('launch_template_name') { should eq 'test-lt' } +end +``` diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_ec2_launch_templates.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_ec2_launch_templates.md new file mode 100644 index 0000000..f68972f --- /dev/null +++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_ec2_launch_templates.md 
@@ -0,0 +1,77 @@ ++++ +title = "aws_ec2_launch_templates resource" + +draft = false + + +[menu.aws] +title = "aws_ec2_launch_templates" +identifier = "inspec/resources/aws/aws_ec2_launch_templates resource" +parent = "inspec/resources/aws" ++++ + +Use the `aws_ec2_launch_templates` InSpec audit resource to test properties of a all the AWS Launch templates. + +## Syntax + +An `aws_ec2_launch_templates` resource block declares the tests for a all the AWS Launch templates. + +describe aws_ec2_launch_templates do +it { should exist } +end + +## Parameters + +`launch_templates_id` + +: The ID of the EC2 launch_templates. This is in the format of `lt-` followed by 8 or 17 hexadecimal characters. + This can be passed either as a string or as an `launch_templates_id: 'value'` key-value entry in a hash. + +## Properties + +`launch_template_name` +: The name of launch template. + +`launch_template_id` +: The id of the launch template. + +`create_time` +: The create time of the launch template. + +`created_by` +: The name by whom the launch template is created. + +`default_version_number` +: The default_version_number of the launch template. + +`latest_version_number` +: The latest_version_number of the launch template. + +`tags` +: A list of hashes with each key-value pair corresponding to an EC2 Launch template tag, e.g, `[{:key=>"Name", :value=>"Testing Box"}, {:key=>"Environment", :value=>"Dev"}]`. + +There are also additional properties available. 
For a comprehensive list, see [the API reference documentation](https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_Instance.html) + +## Examples + +Test that an launch templates should exist: + + describe aws_ec2_launch_templates do + it { should exist } + end + +Test that an EC2 instance is using the correct AMI: + + describe aws_ec2_launch_templates do + its('launch_template_ids.count') { should cmp 3 } + end + +Test that an EC2 instance has the correct tag: + + describe aws_ec2_launch_templates do + its('launch_templates_names') { should include 'test-lt' } + end + +## Matchers + +{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}} diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_ec2_network_insights_analysis.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_ec2_network_insights_analysis.md new file mode 100644 index 0000000..148e1ee --- /dev/null +++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_ec2_network_insights_analysis.md 
@@ -0,0 +1,130 @@ ++++ +title = "aws_ec2_network_insights_analysis resource" + +draft = false + + +[menu.aws] +title = "aws_ec2_network_insights_analysis" +identifier = "inspec/resources/aws/aws_ec2_network_insights_analysis resource" +parent = "inspec/resources/aws" ++++ + +Use the `aws_ec2_network_insights_analysis` InSpec audit resource to test properties of a single specific AWS EC2 network insights analysis. + +The `AWS::EC2::NetworkInsightsAnalysis` resource specifies a network insights analysis. + +For additional information, including details on parameters and properties, see the [AWS documentation on AWS EC2 Network Insights Analysis](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ec2-networkinsightsanalysis.html). + +## Syntax + +Ensure that network insights analysis ID exists. + +```ruby +describe aws_ec2_network_insights_analysis(network_insights_analysis_id: 'NETWORK_INSIGHTS_ANALYSIS_ID') do + it { should exist } +end +``` + +## Parameters + +`network_insights_analysis_id` _(required)_ + +: The ID of the network insights analysis. + +## Properties + +`network_insights_analysis_id` +: The ID of the network insights analysis. + +`network_insights_analysis_arn` +: The Amazon Resource Name (ARN) of the network insights analysis. + +`network_insights_path_id` +: The ID of the path. + +`filter_in_arns` +: The Amazon Resource Names (ARN) of the Amazon Web Services resources that the path must traverse. + +`start_date` +: The time the analysis started. + +`status` +: The status of the network insights analysis. + +`status_message` +: The status message, if the status is failed. + +`network_path_found` +: Indicates whether the destination is reachable from the source. + +`forward_path_components` +: The components in the path from source to destination. + +`return_path_components` +: The components in the path from destination to source. + +`explanations` +: The explanations. 
+ +`alternate_path_hints` +: Potential intermediate components. + +`tags` +: The tags of the insights analysis. + +## Examples + +Ensure a Network Insights Analysis Id is available: + +```ruby +describe aws_ec2_network_insights_analysis(network_insights_analysis_id: 'NETWORK_INSIGHTS_ANALYSIS_ID') do + its('network_insights_analysis_id') { should eq 'NETWORK_INSIGHTS_ANALYSIS_ID' } +end +``` + +Ensure that the Network Insights Path Id is available: + +```ruby +describe aws_ec2_network_insights_analysis(network_insights_analysis_id: 'NETWORK_INSIGHTS_ANALYSIS_ID') do + its('network_insights_path_id') { should eq 'NETWORK_INSIGHTS_PATH_ID' } +end +``` + +## Matchers + +{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}} + +The controls will pass if the `describe` method returns at least one result. + +### exist + +Use `should` to test that the entity exists. + +```ruby +describe aws_ec2_network_insights_analysis(network_insights_analysis_id: 'NETWORK_INSIGHTS_ANALYSIS_ID') do + it { should exist } +end +``` + +Use `should_not` to test the entity does not exist. + +```ruby +describe aws_ec2_network_insights_analysis(network_insights_analysis_id: 'NETWORK_INSIGHTS_ANALYSIS_ID') do + it { should_not exist } +end +``` + +### be_available + +Use `should` to check if the entity is available. + +```ruby +describe aws_ec2_network_insights_analysis(network_insights_analysis_id: 'NETWORK_INSIGHTS_ANALYSIS_ID') do + it { should be_available } +end +``` + +## AWS Permissions + +{{% inspec-aws/aws_permissions_principal action="EC2:Client:DescribeNetworkInsightsAnalysesResult" %}} diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_ec2_network_insights_analysis_plural.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_ec2_network_insights_analysis_plural.md new file mode 100644 index 0000000..51fcdcc --- /dev/null +++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_ec2_network_insights_analysis_plural.md 
@@ -0,0 +1,144 @@ ++++ +title = "aws_ec2_network_insights_analysis_plural resource" + +draft = false + + +[menu.aws] +title = "aws_ec2_network_insights_analysis_plural" +identifier = "inspec/resources/aws/aws_ec2_network_insights_analysis_plural resource" +parent = "inspec/resources/aws" ++++ + +Use the `aws_ec2_network_insights_analysis_plural` InSpec audit resource to test properties of multiple AWS EC2 network insights analyses. + +The `AWS::EC2::NetworkInsightsAnalysis` resource specifies a network insights analysis. + +For additional information, including details on parameters and properties, see the [AWS documentation on AWS EC2 Network Insights Analysis](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ec2-networkinsightsanalysis.html). + +## Syntax + +Ensure that network insights analysis ID exists. + +```ruby +describe aws_ec2_network_insights_analysis_plural do + it { should exist } +end +``` + +## Parameters + +This resource does not require any parameters. + +## Properties + +`network_insights_analysis_ids` +: The ID of the network insights analysis. + +: **Field**: `network_insights_analysis_id` + +`network_insights_analysis_arns` +: The Amazon Resource Name (ARN) of the network insights analysis. + +: **Field**: `network_insights_analysis_arn` + +`network_insights_path_ids` +: The ID of the path. + +: **Field**: `network_insights_path_id` + +`filter_in_arns` +: The Amazon Resource Names (ARN) of the Amazon Web Services resources that the path must traverse. + +: **Field**: `filter_in_arns` + +`start_dates` +: The time the analysis started. + +: **Field**: `start_date` + +`statuses` +: The status of the network insights analysis. + +: **Field**: `status` + +`status_messages` +: The status message, if the status is failed. + +: **Field**: `status_message` + +`network_path_found` +: Indicates whether the destination is reachable from the source. 
+ +: **Field**: `network_path_found` + +`forward_path_components` +: The components in the path from source to destination. + +: **Field**: `forward_path_components` + +`return_path_components` +: The components in the path from destination to source. + +: **Field**: `return_path_components` + +`explanations` +: The explanations. + +: **Field**: `explanations` + +`alternate_path_hints` +: Potential intermediate components. + +: **Field**: `alternate_path_hints` + +`tags` +: The tags of the insights analysis. + +: **Field**: `tags` + +## Examples + +Ensure a network insights analysis ID is available: + +```ruby +describe aws_ec2_network_insights_analysis_plural do + its('network_insights_analysis_ids') { should include 'NETWORK_INSIGHTS_ANALYSIS_ID' } +end +``` + +Ensure that the network insights path ID is available: + +```ruby +describe aws_ec2_network_insights_analysis_plural do + its('network_insights_path_ids') { should include 'NETWORK_INSIGHTS_PATH_ID' } +end +``` + +## Matchers + +{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}} + +The controls will pass if the `describe` method returns at least one result. + +### exist + +Use `should` to test that the entity exists. + +```ruby +describe aws_ec2_network_insights_analysis_plural do + it { should exist } +end +``` + +Use `should_not` to test the entity does not exist. + +```ruby +describe aws_ec2_network_insights_analysis_plural do + it { should_not exist } +end +``` + +## AWS Permissions + +{{% inspec-aws/aws_permissions_principal action="EC2:Client:DescribeNetworkInsightsAnalysesResult" %}} diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_ec2_network_insights_path.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_ec2_network_insights_path.md new file mode 100644 index 0000000..01de5f8 --- /dev/null +++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_ec2_network_insights_path.md 
@@ -0,0 +1,121 @@ ++++ +title = "aws_ec2_network_insights_path resource" + +draft = false + + +[menu.aws] +title = "aws_ec2_network_insights_path" +identifier = "inspec/resources/aws/aws_ec2_network_insights_path resource" +parent = "inspec/resources/aws" ++++ + +Use the `aws_ec2_network_insights_path` InSpec audit resource to test properties of a single specific AWS EC2 path to analyze for reachability. + +The `AWS::EC2::NetworkInsightsPath` resource specifies a path to analyze for reachability. + +For additional information, including details on parameters and properties, see the [AWS documentation on AWS EC2 network insights path](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ec2-networkinsightspath.html). + +## Syntax + +Ensure that network insights path ID exists. + +```ruby +describe aws_ec2_network_insights_path(network_insights_path_id: 'NETWORK_INSIGHTS_PATH_ID') do + it { should exist } +end +``` + +## Parameters + +`network_insights_path_id` _(required)_ + +: The ID of the path. + +## Properties + +`network_insights_path_id` +: The ID of the path. + +`network_insights_path_arn` +: The Amazon Resource Name (ARN) of the path. + +`created_date` +: The timestamp when the path was created. + +`source` +: The Amazon Web Services resource that is the source of the path. + +`destination` +: The Amazon Web Services resource that is the destination of the path. + +`source_ip` +: The IP address of the Amazon Web Services resource that is the source of the path. + +`destination_ip` +: The IP address of the Amazon Web Services resource that is the destination of the path. + +`protocol` +: The protocol. + +`destination_port` +: The destination port. + +`tags` +: The tags associated with the path. 
+ +## Examples + +Ensure a network insights path ID is available: + +```ruby +describe aws_ec2_network_insights_path(network_insights_path_id: 'NETWORK_INSIGHTS_PATH_ID') do + its('network_insights_path_id') { should eq 'NETWORK_INSIGHTS_PATH_ID' } +end +``` + +Ensure a network insights path ARN is available: + +```ruby +describe aws_ec2_network_insights_path(network_insights_path_id: 'NETWORK_INSIGHTS_PATH_ID') do + its('network_insights_path_arn') { should eq 'NETWORK_INSIGHTS_PATH_ARN' } +end +``` + +## Matchers + +{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}} + +The controls will pass if the `describe` method returns at least one result. + +### exist + +Use `should` to test that the entity exists. + +```ruby +describe aws_ec2_network_insights_path(network_insights_path_id: 'NETWORK_INSIGHTS_PATH_ID') do + it { should exist } +end +``` + +Use `should_not` to test the entity does not exist. + +```ruby +describe aws_ec2_network_insights_path(network_insights_path_id: 'NETWORK_INSIGHTS_PATH_ID') do + it { should_not exist } +end +``` + +### be_available + +Use `should` to check if the entity is available. + +```ruby +describe aws_ec2_network_insights_path(network_insights_path_id: 'NETWORK_INSIGHTS_PATH_ID') do + it { should be_available } +end +``` + +## AWS Permissions + +{{% inspec-aws/aws_permissions_principal action="EC2:Client:DescribeNetworkInsightsPathsResult" %}} diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_ec2_network_insights_paths.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_ec2_network_insights_paths.md new file mode 100644 index 0000000..f89e101 --- /dev/null +++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_ec2_network_insights_paths.md 
@@ -0,0 +1,129 @@ ++++ +title = "aws_ec2_network_insights_paths resource" + +draft = false + + +[menu.aws] +title = "aws_ec2_network_insights_paths" +identifier = "inspec/resources/aws/aws_ec2_network_insights_paths resource" +parent = "inspec/resources/aws" ++++ + +Use the `aws_ec2_network_insights_paths` InSpec audit resource to test properties of multiple AWS EC2 paths to analyze for reachability. + +The `AWS::EC2::NetworkInsightsPath` resource specifies a path to analyze for reachability. + +For additional information, including details on parameters and properties, see the [AWS documentation on AWS EC2 network insights path](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ec2-networkinsightspath.html). + +## Syntax + +Ensure that network insights path ID exists. + +```ruby +describe aws_ec2_network_insights_paths do + it { should exist } +end +``` + +## Parameters + +This resource does not require any parameters. + +## Properties + +`network_insights_path_ids` +: The ID of the path. + +: **Field**: `network_insights_path_id` + +`network_insights_path_arns` +: The Amazon Resource Name (ARN) of the path. + +: **Field**: `network_insights_path_arn` + +`created_dates` +: The time stamp when the path was created. + +: **Field**: `created_date` + +`sources` +: The Amazon Web Services resource that is the source of the path. + +: **Field**: `source` + +`destinations` +: The Amazon Web Services resource that is the destination of the path. + +: **Field**: `destination` + +`source_ips` +: The IP address of the Amazon Web Services resource that is the source of the path. + +: **Field**: `source_ip` + +`destination_ips` +: The IP address of the Amazon Web Services resource that is the destination of the path. + +: **Field**: `destination_ip` + +`protocols` +: The protocol. + +: **Field**: `protocol` + +`destination_ports` +: The destination port. + +: **Field**: `destination_port` + +`tags` +: The tags associated with the path. 
+ +: **Field**: `tags` + +## Examples + +Ensure a network insights path ID is available: + +```ruby +describe aws_ec2_network_insights_paths do + its('network_insights_path_ids') { should include 'NETWORK_INSIGHTS_PATH_ID' } +end +``` + +Ensure a network insights path ARN is available: + +```ruby +describe aws_ec2_network_insights_paths do + its('network_insights_path_arns') { should include 'NETWORK_INSIGHTS_PATH_ARN' } +end +``` + +## Matchers + +{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}} + +The controls will pass if the `describe` method returns at least one result. + +### exist + +Use `should` to test that the entity exists. + +```ruby +describe aws_ec2_network_insights_paths do + it { should exist } +end +``` + +Use `should_not` to test the entity does not exist. + +```ruby +describe aws_ec2_network_insights_paths do + it { should_not exist } +end +``` + +## AWS Permissions + +{{% inspec-aws/aws_permissions_principal action="EC2:Client:DescribeNetworkInsightsPathsResult" %}} diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_ec2_network_interface.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_ec2_network_interface.md new file mode 100644 index 0000000..5f92201 --- /dev/null +++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_ec2_network_interface.md 
@@ -0,0 +1,196 @@ ++++ +title = "aws_ec2_network_interface resource" + +draft = false + + +[menu.aws] +title = "aws_ec2_network_interface" +identifier = "inspec/resources/aws/aws_ec2_network_interface resource" +parent = "inspec/resources/aws" ++++ + +Use the `aws_ec2_network_interface` InSpec audit resource to test properties of a single network interface in an Amazon EC2 instance for AWS CloudFormation. + +The `AWS::EC2::NetworkInterface` resource describes a network interface in an Elastic Compute Cloud (EC2) instance for AWS CloudFormation. + +For additional information, including details on parameters and properties, see the [AWS documentation on AWS EC2 network interface](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ec2-network-interface.html). + +## Syntax + +Ensure that network interface ID exists. + +```ruby +describe aws_ec2_network_interface(network_interface_id: 'NETWORK_INTERFACE_ID') do + it { should exist } +end +``` + +## Parameters + +`network_interface_id` _(required)_ + +: The ID of the network interface. + +## Properties + +`association (allocation_id)` +: The allocation ID. + +`association (association_id)` +: The association ID. + +`association (ip_owner_id)` +: The ID of the Elastic IP address owner. + +`association (public_dns_name)` +: The public DNS name. + +`association (public_ip)` +: The address of the Elastic IP address bound to the network interface. + +`association (customer_owned_ip)` +: The customer-owned IP address associated with the network interface. + +`association (carrier_ip)` +: The carrier IP address associated with the network interface. + +`attachment (attach_time)` +: The timestamp indicating when the attachment initiated. + +`attachment (attachment_id)` +: The ID of the network interface attachment. + +`attachment (delete_on_termination)` +: Indicates whether the network interface is deleted when the instance is terminated. 
+ +`attachment (device_index)` +: The device index of the network interface attachment on the instance. + +`attachment (network_card_index)` +: The index of the network card. + +`attachment (instance_id)` +: The ID of the instance. + +`attachment (instance_owner_id)` +: The Amazon Web Services account ID of the owner of the instance. + +`attachment (status)` +: The attachment state. Valid Values: `attaching`, `attached`, `detaching`, `detached`. + +`availability_zone` +: The availability zone. + +`description` +: A description. + +`groups` +: The security group. + +`interface_type` +: The type of network interface. + +`ipv_6_addresses` +: The IPv6 address. + +`mac_address` +: The MAC address. + +`network_interface_id` +: The ID of the network interface. + +`outpost_arn` +: The Amazon Resource Name (ARN) of the Outpost. + +`owner_id` +: The Amazon Web Services account ID of the owner of the network interface. + +`private_dns_name` +: The private DNS name. + +`private_ip_address` +: The IPv4 address of the network interface within the subnet. + +`ipv_4_prefixes` +: The IPv4 Prefix Delegation prefixes that are assigned to the network interface. + +`ipv_6_prefixes` +: The IPv6 Prefix Delegation prefixes that are assigned to the network interface. The IPv6 Prefix Delegation prefix. + +`requester_id` +: The alias or Amazon Web Services account ID of the principal or service that created the network interface. + +`requester_managed` +: Indicates whether the network interface is being managed by Amazon Web Services. + +`source_dest_check` +: Indicates whether source/destination checking is enabled. + +`status` +: The status of the network interface. + +`subnet_id` +: The ID of the subnet. + +`tag_set` +: Any tags assigned to the network interface. + +`vpc_id` +: The ID of the VPC. 
+ +## Examples + +Ensure a network interface ID is available: + +```ruby +describe aws_ec2_network_interface(network_interface_id: 'NETWORK_INTERFACE_ID') do + its('network_interface_id') { should eq 'NETWORK_INTERFACE_ID' } +end +``` + +Ensure that the interface type is 'vpc': + +```ruby +describe aws_ec2_network_interface(network_interface_id: 'NETWORK_INTERFACE_ID') do + its('interface_type') { should eq 'vpc' } +end +``` + +## Matchers + +{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}} + +The controls will pass if the `describe` method returns at least one result. + +### exist + +Use `should` to test that the entity exists. + +```ruby +describe aws_ec2_network_interface(network_interface_id: 'NETWORK_INTERFACE_ID') do + it { should exist } +end +``` + +Use `should_not` to test the entity does not exist. + +```ruby +describe aws_ec2_network_interface(network_interface_id: 'NETWORK_INTERFACE_ID') do + it { should_not exist } +end +``` + +### be_available + +Use `should` to check if the entity is available. + +```ruby +describe aws_ec2_network_interface(network_interface_id: 'NETWORK_INTERFACE_ID') do + it { should be_available } +end +``` + +## AWS Permissions + +{{% inspec-aws/aws_permissions_principal action="EC2:Client:DescribeNetworkInterfacesResult" %}} diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_ec2_network_interface_attachment.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_ec2_network_interface_attachment.md new file mode 100644 index 0000000..b5b2335 --- /dev/null +++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_ec2_network_interface_attachment.md 
@@ -0,0 +1,115 @@ ++++ +title = "aws_ec2_network_interface_attachment resource" + +draft = false + + +[menu.aws] +title = "aws_ec2_network_interface_attachment" +identifier = "inspec/resources/aws/aws_ec2_network_interface_attachment resource" +parent = "inspec/resources/aws" ++++ + +Use the `aws_ec2_network_interface_attachment` InSpec audit resource to test properties of a single specific AWS EC2 network interface attachment. + +The `AWS::EC2::NetworkInterfaceAttachment` resource attaches an elastic network interface (ENI) to an Amazon EC2 instance. You can use this resource type to attach additional network interfaces to an instance without interruption. + +For additional information, including details on parameters and properties, see the [AWS documentation on AWS EC2 network interface attachment](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ec2-network-interface-attachment.html). + +## Syntax + +Ensure that network interface attachment exists. + +```ruby +describe aws_ec2_network_interface_attachment(network_interface_id: 'NETWORK_INTERFACE_ID') do + it { should exist } +end +``` + +## Parameters + +`network_interface_id` _(required)_ + +: The ID of the network interface. + +## Properties + +`attach_time` +: The timestamp indicating when the attachment initiated. + +`attachment_id` +: The ID of the network interface attachment. + +`delete_on_termination` +: Indicates whether the network interface is deleted when the instance is terminated. + +`device_index` +: The device index of the network interface attachment on the instance. + +`network_card_index` +: The index of the network card. + +`instance_id` +: The ID of the instance. + +`instance_owner_id` +: The Amazon Web Services account ID of the owner of the instance. + +`status` +: The attachment state. 
+ +## Examples + +Ensure aN attachment ID is available: + +```ruby +describe aws_ec2_network_interface_attachment(network_interface_id: 'NETWORK_INTERFACE_ID') do + its('attachment_id') { should eq 'ATTACHMENT_ID' } +end +``` + +Ensure that the status is `available`: + +```ruby +describe aws_ec2_network_interface_attachment(network_interface_id: 'NETWORK_INTERFACE_ID') do + its('status') { should eq 'available' } +end +``` + +## Matchers + +{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}} + +The controls will pass if the `describe` method returns at least one result. + +### exist + +Use `should` to test that the entity exists. + +```ruby +describe aws_ec2_network_interface_attachment(network_interface_id: 'NETWORK_INTERFACE_ID') do + it { should exist } +end +``` + +Use `should_not` to test the entity does not exist. + +```ruby +describe aws_ec2_network_interface_attachment(network_interface_id: 'NETWORK_INTERFACE_ID') do + it { should_not exist } +end +``` + +### be_available + +Use `should` to check if the entity is available. + +```ruby +describe aws_ec2_network_interface_attachment(network_interface_id: 'NETWORK_INTERFACE_ID') do + it { should be_available } +end +``` + +## AWS Permissions + +{{% inspec-aws/aws_permissions_principal action="EC2:Client:DescribeNetworkInterfacesResult" %}} diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_ec2_network_interface_attachments.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_ec2_network_interface_attachments.md new file mode 100644 index 0000000..ab847d5 --- /dev/null +++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_ec2_network_interface_attachments.md 
@@ -0,0 +1,119 @@ ++++ +title = "aws_ec2_network_interface_attachments resource" + +draft = false + + +[menu.aws] +title = "aws_ec2_network_interface_attachments" +identifier = "inspec/resources/aws/aws_ec2_network_interface_attachments resource" +parent = "inspec/resources/aws" ++++ + +Use the `aws_ec2_network_interface_attachments` InSpec audit resource to test properties of multiple AWS EC2 network interface attachments. + +The `AWS::EC2::NetworkInterfaceAttachment` resource attaches an elastic network interface (ENI) to an Amazon EC2 instance. You can use this resource type to attach additional network interfaces to an instance without interruption. + +For additional information, including details on parameters and properties, see the [AWS documentation on AWS Lambda Function](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-lambda-function.html). + +## Syntax + +Ensure that a network interface attachment exists. + +```ruby +describe aws_ec2_network_interface_attachments do + it { should exist } +end +``` + +## Parameters + +This resource does not require any parameters. + +## Properties + +`attach_times` +: The timestamp indicating when the attachment initiated. + +: **Field**: `attach_time` + +`attachment_ids` +: The ID of the network interface attachment. + +: **Field**: `attachment_id` + +`delete_on_terminations` +: Indicates whether the network interface is deleted when the instance is terminated. + +: **Field**: `delete_on_termination` + +`device_indexes` +: The device index of the network interface attachment on the instance. + +: **Field**: `device_index` + +`network_card_indexes` +: The index of the network card. + +: **Field**: `network_card_index` + +`instance_ids` +: The ID of the instance. + +: **Field**: `instance_id` + +`instance_owner_ids` +: The Amazon Web Services account ID of the owner of the instance. + +: **Field**: `instance_owner_id` + +`statuses` +: The attachment state. 
+ +: **Field**: `status` + +## Examples + +Ensure an attachment ID is available: + +```ruby +describe aws_ec2_network_interface_attachment(network_interface_id: 'NETWORK_INTERFACE_ID') do + its('attachment_ids') { should include 'ATTACHMENT_ID' } +end +``` + +Ensure that a network interface status is `available`: + +```ruby +describe aws_ec2_network_interface_attachment(network_interface_id: 'NETWORK_INTERFACE_ID') do + its('statuses') { should include 'available' } +end +``` + +## Matchers + +{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}} + +The controls will pass if the `describe` method returns at least one result. + +### exist + +Use `should` to test that the entity exists. + +```ruby +describe aws_ec2_network_interface_attachments do + it { should exist } +end +``` + +Use `should_not` to test the entity does not exist. + +```ruby +describe aws_ec2_network_interface_attachments do + it { should_not exist } +end +``` + +## AWS Permissions + +{{% inspec-aws/aws_permissions_principal action="EC2:Client:DescribeNetworkInterfacesResult" %}} diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_ec2_network_interface_permission.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_ec2_network_interface_permission.md new file mode 100644 index 0000000..fc22939 --- /dev/null +++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_ec2_network_interface_permission.md 
@@ -0,0 +1,104 @@ ++++ +title = "aws_ec2_network_interface_permission resource" + +draft = false + + +[menu.aws] +title = "aws_ec2_network_interface_permission" +identifier = "inspec/resources/aws/aws_ec2_network_interface_permission resource" +parent = "inspec/resources/aws" ++++ + +Use the `aws_ec2_network_interface_permission` InSpec audit resource to test the properties of a single specific AWS EC2 network interface permission. + +For additional information, including details on parameters and properties, see the [AWS documentation on AWS EC2 Network Interface Permission](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ec2-networkinterfacepermission.html). + +## Syntax + +Ensure that network interface permission ID exists. + +```ruby +describe aws_ec2_network_interface_permission(network_interface_permission_id: 'NETWORK_INTERFACE_PERMISSION_ID') do + it { should exist } +end +``` + +## Parameters + +`network_interface_permission_id` _(required)_ + +: The ID of the network interface permission. + +## Properties + +`network_interface_permission_id` +: The ID of the network interface. + +`network_interface_id` +: The Amazon Web Services account ID. + +`aws_account_id` +: The Amazon Web Service. Currently not supported. + +`state` +: The state of the permission. Valid values are: "pending", "granted", "revoking", "revoked". + +`status_message` +: The status message of the permission state. 
+ +## Examples + +Ensure a network interface permission ID is available: + +```ruby +describe aws_ec2_network_interface_permission(network_interface_permission_id: 'NETWORK_INTERFACE_PERMISSION_ID') do + its('network_interface_permission_id') { should eq 'NETWORK_INTERFACE_PERMISSION_ID' } +end +``` + +Ensure that the interface permission state is 'pending': + +```ruby +describe aws_ec2_network_interface_permission(network_interface_permission_id: 'NETWORK_INTERFACE_PERMISSION_ID') do + its('state') { should eq 'pending' } +end +``` + +## Matchers + +{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}} + +The controls will pass if the `describe` method returns at least one result. + +### exist + +Use `should` to test that the entity exists. + +```ruby +describe aws_ec2_network_interface_permission(network_interface_permission_id: 'NETWORK_INTERFACE_PERMISSION_ID') do + it { should exist } +end +``` + +Use `should_not` to test the entity does not exist. + +```ruby +describe aws_ec2_network_interface_permission(network_interface_permission_id: 'NETWORK_INTERFACE_PERMISSION_ID') do + it { should_not exist } +end +``` + +### be_available + +Use `should` to check if the entity is available. + +```ruby +describe aws_ec2_network_interface_permission(network_interface_permission_id: 'NETWORK_INTERFACE_PERMISSION_ID') do + it { should be_available } +end +``` + +## AWS Permissions + +{{% inspec-aws/aws_permissions_principal action="EC2:Client:DescribeNetworkInterfacePermissionsResult" %}} diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_ec2_network_interface_permissions.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_ec2_network_interface_permissions.md new file mode 100644 index 0000000..8d9617f --- /dev/null +++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_ec2_network_interface_permissions.md 
@@ -0,0 +1,112 @@ ++++ +title = "aws_ec2_network_interface_permissions resource" + +draft = false + + +[menu.aws] +title = "aws_ec2_network_interface_permissions" +identifier = "inspec/resources/aws/aws_ec2_network_interface_permissions resource" +parent = "inspec/resources/aws" ++++ + +Use the `aws_ec2_network_interface_permissions` InSpec audit resource to test properties of multiple AWS EC2 network interface permission. + +## Syntax + +Ensure that network interface permission ID exists. + +```ruby +describe aws_ec2_network_interface_permissions do + it { should exist } +end +``` + +For additional information, see the [AWS documentation on AWS EC2 Network Interface Permissions](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ec2-networkinterfacepermission.html). + +## Parameters + +This resource does not require any parameters. + +## Properties + +`network_interface_permission_ids` +: The ID of the network interface. + +: **Field**: `network_interface_permission_id` + +`network_interface_ids` +: The Amazon Web Services account ID. + +: **Field**: `network_interface_id` + +`aws_account_ids` +: The Amazon Web Service. Currently not supported. + +: **Field**: `aws_account_id` + +`states` +: The state of the permission. String, one of "pending", "granted", "revoking", "revoked". + +: **Field**: `state` + +`status_messages` +: The status message of the permission state. 
+ +: **Field**: `status_message` + +## Examples + +Ensure a network interface permission ID is available: + +```ruby +describe aws_ec2_network_interface_permissions do + its('network_interface_permission_ids') { should include 'NETWORK_INTERFACE_PERMISSION_ID' } +end +``` + +Ensure that the interface permission state is 'pending': + +```ruby +describe aws_ec2_network_interface_permissions do + its('states') { should include 'pending' } +end +``` + +## Matchers + +{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}} + +The controls will pass if the `describe` method returns at least one result. + +### exist + +Use `should` to test that the entity exists. + +```ruby +describe aws_ec2_network_interface_permissions do + it { should exist } +end +``` + +Use `should_not` to test the entity does not exist. + +```ruby +describe aws_ec2_network_interface_permissions do + it { should_not exist } +end +``` + +### be_available + +Use `should` to check if the entity is available. + +```ruby +describe aws_ec2_network_interface_permissions do + it { should be_available } +end +``` + +## AWS Permissions + +{{% inspec-aws/aws_permissions_principal action="EC2:Client:DescribeNetworkInterfacePermissionsResult" %}} diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_ec2_network_interfaces.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_ec2_network_interfaces.md new file mode 100644 index 0000000..bdf437e --- /dev/null +++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_ec2_network_interfaces.md 
@@ -0,0 +1,184 @@ ++++ +title = "aws_ec2_network_interfaces resource" + +draft = false + + +[menu.aws] +title = "aws_ec2_network_interfaces" +identifier = "inspec/resources/aws/aws_ec2_network_interfaces resource" +parent = "inspec/resources/aws" ++++ + +Use the `aws_ec2_network_interfaces` InSpec audit resource to test properties of multiple network interfaces in an Amazon EC2 instance for AWS CloudFormation. + +The `AWS::EC2::NetworkInterface` resource describes a network interface in an Elastic Compute Cloud (EC2) instance for AWS CloudFormation. + +For additional information, including details on parameters and properties, see the [AWS documentation on AWS EC2 network interface](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ec2-network-interface.html). + +## Syntax + +Ensure that network interface ID exists. + +```ruby +describe aws_ec2_network_interfaces do + it { should exist } +end +``` + +## Parameters + +This resource does not require any parameters. + +## Properties + +`attachments` +: The attachment. + +: **Field**: `attachment` + +`availability_zones` +: The Availability Zone. + +: **Field**: `availability_zone` + +`descriptions` +: A description. + +: **Field**: `description` + +`groups` +: The security group. + +: **Field**: `groups` + +`interface_types` +: The type of network interface. + +: **Field**: `interface_type` + +`ipv_6_addresses` +: The IPv6 address. + +: **Field**: `ipv_6_addresses` + +`mac_addresses` +: The MAC address. + +: **Field**: `mac_address` + +`network_interface_ids` +: The ID of the network interface. + +: **Field**: `network_interface_id` + +`outpost_arns` +: The Amazon Resource Name (ARN) of the Outpost. + +: **Field**: `outpost_arn` + +`owner_ids` +: The Amazon Web Services account ID of the owner of the network interface. + +: **Field**: `owner_id` + +`private_dns_names` +: The private DNS name. 
+ +: **Field**: `private_dns_name` + +`private_ip_addresses` +: The IPv4 address of the network interface within the subnet. + +: **Field**: `private_ip_address` + +`ipv_4_prefixes` +: The IPv4 Prefix Delegation prefixes that are assigned to the network interface. + +: **Field**: `ipv_4_prefixes` + +`ipv_6_prefixes` +: The IPv6 Prefix Delegation prefixes that are assigned to the network interface. The IPv6 Prefix Delegation prefix. + +: **Field**: `ipv_6_prefixes` + +`requester_ids` +: The alias or Amazon Web Services account ID of the principal or service that created the network interface. + +: **Field**: `requester_id` + +`requester_managed` +: Indicates whether the network interface is being managed by Amazon Web Services. + +: **Field**: `requester_managed` + +`source_dest_checks` +: Indicates whether source/destination checking is enabled. + +: **Field**: `source_dest_check` + +`statuses` +: The status of the network interface. + +: **Field**: `status` + +`subnet_ids` +: The ID of the subnet. + +: **Field**: `subnet_id` + +`tag_sets` +: Any tags assigned to the network interface. + +: **Field**: `tag_set` + +`vpc_ids` +: The ID of the VPC. + +: **Field**: `vpc_id` + +## Examples + +Ensure a network interface ID is available: + +```ruby +describe aws_ec2_network_interfaces do + its('network_interface_ids') { should include 'NetworkInterfaceId' } +end +``` + +Ensure that an availability zone is available: + +```ruby +describe aws_ec2_network_interfaces do + its('availability_zones') { should include "us-east-2a" } +end +``` + +## Matchers + +{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}} + +The controls will pass if the `describe` method returns at least one result. + +### exist + +Use `should` to test that the entity exists. + +```ruby +describe aws_ec2_network_interfaces do + it { should exist } +end +``` + +Use `should_not` to test the entity does not exist. 
+ +```ruby +describe aws_ec2_network_interfaces do + it { should_not exist } +end +``` + +## AWS Permissions + +{{% inspec-aws/aws_permissions_principal action="EC2:Client:DescribeNetworkInterfacesResult" %}} diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_ec2_placement_group.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_ec2_placement_group.md new file mode 100644 index 0000000..a613c8a --- /dev/null +++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_ec2_placement_group.md 
@@ -0,0 +1,109 @@ ++++ +title = "aws_ec2_placement_group resource" + +draft = false + + +[menu.aws] +title = "aws_ec2_placement_group" +identifier = "inspec/resources/aws/aws_ec2_placement_group resource" +parent = "inspec/resources/aws" ++++ + +Use the `aws_ec2_placement_group` InSpec audit resource to test properties of a single specific AWS EC2 placement group. + +The `AWS::EC2::PlacementGroup` resource type specifies a placement group in which to launch instances. + +For additional information, including details on parameters and properties, see the [AWS documentation on AWS EC2 placement group.](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ec2-placementgroup.html). + +## Syntax + +Ensure that the placement group exists. + +```ruby +describe aws_ec2_placement_group(placement_group_name: 'PLACEMENT_GROUP_NAME') do + it { should exist } +end +``` + +## Parameters + +`placement_group_name` _(required)_ + +: The name of the placement group. + +## Properties + +`group_name` +: The name of the placement group. + +`state` +: The state of the placement group. + +`strategy` +: The placement strategy. + +`partition_count` +: The number of partitions. + +`group_id` +: The ID of the placement group. + +`tags` +: Any tags applied to the placement group. + +## Examples + +Ensure a placement group name is available: + +```ruby +describe aws_ec2_placement_group(placement_group_name: 'PLACEMENT_GROUP_NAME') do + its('group_name') { should eq 'PLACEMENT_GROUP_NAME' } +end +``` + +Ensure that the state is `available`: + +```ruby +describe aws_ec2_placement_group(placement_group_name: 'PLACEMENT_GROUP_NAME') do + its('state') { should eq 'available' } +end +``` + +## Matchers + +{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}} + +The controls will pass if the `describe` method returns at least one result. + +### exist + +Use `should` to test that the entity exists. 
+ +```ruby +describe aws_ec2_placement_group(placement_group_name: 'PLACEMENT_GROUP_NAME') do + it { should exist } +end +``` + +Use `should_not` to test that an entity does not exist. + +```ruby +describe aws_ec2_placement_group(placement_group_name: 'PLACEMENT_GROUP_NAME') do + it { should_not exist } +end +``` + +### be_available + +Use `should` to check if the entity is available. + +```ruby +describe aws_ec2_placement_group(placement_group_name: 'PLACEMENT_GROUP_NAME') do + it { should be_available } +end +``` + +## AWS Permissions + +{{% inspec-aws/aws_permissions_principal action="EC2:Client:DescribePlacementGroupsResult" %}} diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_ec2_placement_groups.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_ec2_placement_groups.md new file mode 100644 index 0000000..439ff55 --- /dev/null +++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_ec2_placement_groups.md 
@@ -0,0 +1,119 @@
++++
+title = "aws_ec2_placement_groups resource"
+
+draft = false
+
+
+[menu.aws]
+title = "aws_ec2_placement_groups"
+identifier = "inspec/resources/aws/aws_ec2_placement_groups resource"
+parent = "inspec/resources/aws"
++++
+
+Use the `aws_ec2_placement_groups` InSpec audit resource to test properties of multiple AWS EC2 placement groups.
+
+The `AWS::EC2::PlacementGroup` resource type specifies a placement group in which to launch instances.
+
+For additional information, including details on parameters and properties, see the [AWS documentation on AWS EC2 placement group.](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ec2-placementgroup.html).
+
+## Syntax
+
+Ensure that the placement group exists.
+
+```ruby
+describe aws_ec2_placement_groups do
+ it { should exist }
+end
+```
+
+## Parameters
+
+This resource does not require any parameters.
+
+## Properties
+
+`group_names`
+: The name of the placement group.
+
+: **Field**: `group_name`
+
+`states`
+: The state of the placement group.
+
+: **Field**: `state`
+
+`strategies`
+: The placement strategy.
+
+: **Field**: `strategy`
+
+`partition_counts`
+: The number of partitions.
+
+: **Field**: `partition_count`
+
+`group_ids`
+: The ID of the placement group.
+
+: **Field**: `group_id`
+
+`tags`
+: Any tags applied to the placement group.
+
+: **Field**: `tags`
+
+## Examples
+
+Ensure a placement group name is available:
+
+```ruby
+describe aws_ec2_placement_groups do
+ its('group_names') { should include 'PLACEMENT_GROUP_NAME' }
+end
+```
+
+Ensure that the state is `available`:
+
+```ruby
+describe aws_ec2_placement_groups do
+ its('states') { should include 'available' }
+end
+```
+
+## Matchers
+
+{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}}
+
+The controls will pass if the `describe` method returns at least one result.
+
+### exist
+
+Use `should` to test that the entity exists.
+
+```ruby
+describe aws_ec2_placement_groups do
+ it { should exist }
+end
+```
+
+Use `should_not` to test that an entity does not exist.
+
+```ruby
+describe aws_ec2_placement_groups do
+ it { should_not exist }
+end
+```
+
+### be_available
+
+Use `should` to check if the entity is available.
+
+```ruby
+describe aws_ec2_placement_groups do
+ it { should be_available }
+end
+```
+
+## AWS Permissions
+
+{{% inspec-aws/aws_permissions_principal action="EC2:Client:DescribePlacementGroupsResult" %}}
diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_ec2_prefix_list.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_ec2_prefix_list.md
new file mode 100644
index 0000000..012aef7
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_ec2_prefix_list.md
@@ -0,0 +1,129 @@
++++
+title = "aws_ec2_prefix_list resource"
+
+draft = false
+
+
+[menu.aws]
+title = "aws_ec2_prefix_list"
+identifier = "inspec/resources/aws/aws_ec2_prefix_list resource"
+parent = "inspec/resources/aws"
++++
+
+Use the `aws_ec2_prefix_list` InSpec audit resource to test properties of a single specific AWS EC2 prefix list.
+
+The `AWS::EC2::PrefixList` resource specifies a managed prefix list.
+
+For additional information, including details on parameters and properties, see the [AWS documentation on AWS EC2 prefix lists](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ec2-prefixlist.html).
+
+## Syntax
+
+Ensure that a prefix list exists.
+
+```ruby
+describe aws_ec2_prefix_list(prefix_list_id: 'PREFIX_LIST_ID') do
+ it { should exist }
+end
+```
+
+## Parameters
+
+`prefix_list_id` _(required)_
+
+: The ID of the prefix list.
+
+## Properties
+
+`prefix_list_id`
+: The ID of the prefix list.
+
+`address_family`
+: The IP address version.
+
+`state`
+: The state of the prefix list.
+
+`state_message`
+: The state message.
+
+`prefix_list_arn`
+: The Amazon Resource Name (ARN) for the prefix list.
+
+`prefix_list_name`
+: The name of the prefix list.
+
+`max_entries`
+: The maximum number of entries for the prefix list.
+
+`version`
+: The version of the prefix list.
+
+`tags`
+: The tags for the prefix list.
+
+`owner_id`
+: The ID of the owner of the prefix list.
+
+## Examples
+
+Ensure a prefix list ID is available:
+
+```ruby
+describe aws_ec2_prefix_list(prefix_list_id: 'PREFIX_LIST_ID') do
+ its('prefix_list_id') { should eq 'PREFIX_LIST_ID' }
+end
+```
+
+Ensure an address family is available:
+
+```ruby
+describe aws_ec2_prefix_list(prefix_list_id: 'PREFIX_LIST_ID') do
+ its('address_family') { should eq 'ADDRESS_FAMILY' }
+end
+```
+
+Ensure that the state is `AVAILABLE`:
+
+```ruby
+describe aws_ec2_prefix_list(prefix_list_id: 'PREFIX_LIST_ID') do
+ its('state') { should eq 'AVAILABLE' }
+end
+```
+
+## Matchers
+
+{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}}
+
+The controls will pass if the `describe` method returns at least one result.
+
+### exist
+
+Use `should` to test that the entity exists.
+
+```ruby
+describe aws_ec2_prefix_list(prefix_list_id: 'PREFIX_LIST_ID') do
+ it { should exist }
+end
+```
+
+Use `should_not` to test the entity does not exist.
+
+```ruby
+describe aws_ec2_prefix_list(prefix_list_id: 'PREFIX_LIST_ID') do
+ it { should_not exist }
+end
+```
+
+### be_available
+
+Use `should` to check if the entity is available.
+
+```ruby
+describe aws_ec2_prefix_list(prefix_list_id: 'PREFIX_LIST_ID') do
+ it { should be_available }
+end
+```
+
+## AWS Permissions
+
+{{% inspec-aws/aws_permissions_principal action="EC2:Client:DescribeManagedPrefixListsResult" %}}
diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_ec2_prefix_lists.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_ec2_prefix_lists.md
new file mode 100644
index 0000000..b3364b7
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_ec2_prefix_lists.md
@@ -0,0 +1,117 @@
++++
+title = "aws_ec2_prefix_lists resource"
+
+draft = false
+
+
+[menu.aws]
+title = "aws_ec2_prefix_lists"
+identifier = "inspec/resources/aws/aws_ec2_prefix_lists resource"
+parent = "inspec/resources/aws"
++++
+
+Use the `aws_ec2_prefix_lists` InSpec audit resource to test properties of multiple AWS EC2 prefix lists.
+
+The `AWS::EC2::PrefixList` resource specifies a managed prefix list.
+
+For additional information, including details on parameters and properties, see the [AWS documentation on AWS EC2 prefix lists](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ec2-prefixlist.html).
+
+## Syntax
+
+Ensure that a prefix list exists.
+
+```ruby
+describe aws_ec2_prefix_lists do
+ it { should exist }
+end
+```
+
+## Parameters
+
+This resource does not require any parameters.
+
+## Properties
+
+`prefix_list_ids`
+: prefix_list_id.
+
+`address_families`
+: address_family.
+
+`states`
+: state.
+
+`state_messages`
+: state_message.
+
+`prefix_list_arns`
+: prefix_list_arn.
+
+`prefix_list_names`
+: prefix_list_name.
+
+`max_entries`
+: max_entries.
+
+`versions`
+: version.
+
+`tags`
+: tags.
+
+`owner_ids`
+: owner_id.
+
+## Examples
+
+Ensure a prefix list ID is available:
+
+```ruby
+describe aws_ec2_prefix_lists do
+ its('prefix_list_ids') { should include 'PREFIX_LIST_ID' }
+end
+```
+
+Ensure an address family is available:
+
+```ruby
+describe aws_ec2_prefix_lists do
+ its('address_families') { should include 'ADDRESS_FAMILY' }
+end
+```
+
+Ensure that the state is `AVAILABLE`:
+
+```ruby
+describe aws_ec2_prefix_lists do
+ its('states') { should include 'AVAILABLE' }
+end
+```
+
+## Matchers
+
+{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}}
+
+The controls will pass if the `describe` method returns at least one result.
+
+### exist
+
+Use `should` to test that the entity exists.
+
+```ruby
+describe aws_ec2_prefix_lists do
+ it { should exist }
+end
+```
+
+Use `should_not` to test the entity does not exist.
+
+```ruby
+describe aws_ec2_prefix_lists do
+ it { should_not exist }
+end
+```
+
+## AWS Permissions
+
+{{% inspec-aws/aws_permissions_principal action="EC2:Client:DescribeManagedPrefixListsResult" %}}
diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_ec2_spot_fleet.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_ec2_spot_fleet.md
new file mode 100644
index 0000000..1002f8b
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_ec2_spot_fleet.md
@@ -0,0 +1,246 @@
++++
+title = "aws_ec2_spot_fleet resource"
+
+draft = false
+
+
+[menu.aws]
+title = "aws_ec2_spot_fleet"
+identifier = "inspec/resources/aws/aws_ec2_spot_fleet resource"
+parent = "inspec/resources/aws"
++++
+
+Use the `aws_ec2_spot_fleet` InSpec audit resource to test properties of a single specific AWS EC2 Spot Fleet.
+
+The `AWS::EC2::SpotFleet` resource specifies a Spot Fleet request. A Spot Fleet request contains the configuration information to launch a fleet, or group, of instances.
+
+For additional information, including details on parameters and properties, see the [AWS documentation on AWS EC2 Spot Fleet.](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ec2-spotfleet.html).
+
+## Syntax
+
+Ensure that the spot fleet exists.
+
+```ruby
+describe aws_ec2_spot_fleet(spot_fleet_request_id: "SpotFleetID") do
+ it { should exist }
+end
+```
+
+## Parameters
+
+`spot_fleet_request_id` _(required)_
+
+: The ID of the Spot Fleet request.
+
+## Properties
+
+`activity_status`
+: The progress of the Spot Fleet request.
+
+: **Field**: `activity_status`
+
+`create_time`
+: The creation date and time of the request.
+
+: **Field**: `create_time`
+
+`spot_fleet_request_config.allocation_strategy`
+: Indicates how to allocate the target Spot Instance capacity across the Spot Instance pools specified by the Spot Fleet request.
+
+: **Field**: `spot_fleet_request_config.allocation_strategy`
+
+`spot_fleet_request_config.on_demand_allocation_strategy`
+: The order of the launch template overrides to use in fulfilling On-Demand capacity.
+
+: **Field**: `spot_fleet_request_config.on_demand_allocation_strategy`
+
+`spot_fleet_request_config.spot_maintenance_strategies.capacity_rebalance.replacement_strategy`
+: The replacement strategy to use.
+
+: **Field**: `spot_fleet_request_config.spot_maintenance_strategies.capacity_rebalance.replacement_strategy`
+
+`spot_fleet_request_config.client_token`
+: A unique, case-sensitive identifier that you provide to ensure the idempotency of your listings.
+
+: **Field**: `spot_fleet_request_config.client_token`
+
+`spot_fleet_request_config.excess_capacity_termination_policy`
+: Indicates whether running Spot Instances should be terminated if you decrease the target capacity of the Spot Fleet request below the current size of the Spot Fleet.
+
+: **Field**: `spot_fleet_request_config.excess_capacity_termination_policy`
+
+`spot_fleet_request_config.fulfilled_capacity`
+: The number of units fulfilled by this request compared to the set target capacity. You cannot set this value.
+
+: **Field**: `spot_fleet_request_config.fulfilled_capacity`
+
+`spot_fleet_request_config.on_demand_fulfilled_capacity`
+: The number of On-Demand units fulfilled by this request compared to the set target On-Demand capacity.
+
+: **Field**: `spot_fleet_request_config.on_demand_fulfilled_capacity`
+
+`spot_fleet_request_config.iam_fleet_role`
+: The Amazon Resource Name (ARN) of an Identity and Access Management (IAM) role that grants the Spot Fleet the permission to request, launch, terminate, and tag instances on your behalf.
+
+: **Field**: `spot_fleet_request_config.iam_fleet_role`
+
+`spot_fleet_request_config.launch_specifications`
+: The launch specifications for the Spot Fleet request.
+
+: **Field**: `spot_fleet_request_config.launch_specifications`
+
+`spot_fleet_request_config.launch_template_configs`
+: The launch template and overrides.
+
+: **Field**: `spot_fleet_request_config.launch_template_configs`
+
+`spot_fleet_request_config.spot_price`
+: The maximum price per unit hour that you are willing to pay for a Spot Instance.
+
+: **Field**: `spot_fleet_request_config.spot_price`
+
+`spot_fleet_request_config.target_capacity`
+: The number of units to request for the Spot Fleet.
+
+: **Field**: `spot_fleet_request_config.target_capacity`
+
+`spot_fleet_request_config.on_demand_target_capacity`
+: The number of On-Demand units to request.
+
+: **Field**: `spot_fleet_request_config.on_demand_target_capacity`
+
+`spot_fleet_request_config.on_demand_max_total_price`
+: The maximum amount per hour for On-Demand Instances that you're willing to pay.
+
+: **Field**: `spot_fleet_request_config.on_demand_max_total_price`
+
+`spot_fleet_request_config.spot_max_total_price`
+: The maximum amount per hour for Spot Instances that you're willing to pay.
+
+: **Field**: `spot_fleet_request_config.spot_max_total_price`
+
+`spot_fleet_request_config.terminate_instances_with_expiration`
+: Indicates whether running Spot Instances are terminated when the Spot Fleet request expires.
+
+: **Field**: `spot_fleet_request_config.terminate_instances_with_expiration`
+
+`spot_fleet_request_config.type`
+: The type of request.
+
+: **Field**: `spot_fleet_request_config.type`
+
+`spot_fleet_request_config.valid_from`
+: The start date and time of the request.
+
+: **Field**: `spot_fleet_request_config.valid_from`
+
+`spot_fleet_request_config.valid_until`
+: The end date and time of the request.
+
+: **Field**: `spot_fleet_request_config.valid_until`
+
+`spot_fleet_request_config.replace_unhealthy_instances`
+: Indicates whether Spot Fleet should replace unhealthy instances.
+
+: **Field**: `spot_fleet_request_config.replace_unhealthy_instances`
+
+`spot_fleet_request_config.instance_interruption_behavior`
+: The behavior when a Spot Instance is interrupted. The default is terminate.
+
+: **Field**: `spot_fleet_request_config.instance_interruption_behavior`
+
+`spot_fleet_request_config.load_balancers_config.classic_load_balancers_config.classic_load_balancers`
+: One or more Classic Load Balancers.
+
+: **Field**: `spot_fleet_request_config.load_balancers_config.classic_load_balancers_config.classic_load_balancers`
+
+`spot_fleet_request_config.load_balancers_config.target_groups_config.target_groups`
+: One or more target groups.
+
+: **Field**: `spot_fleet_request_config.load_balancers_config.target_groups_config.target_groups`
+
+`spot_fleet_request_config.instance_pools_to_use_count`
+: The number of Spot pools across which to allocate your target Spot capacity.
+
+: **Field**: `spot_fleet_request_config.instance_pools_to_use_count`
+
+`spot_fleet_request_config.context`
+: Reserved.
+
+: **Field**: `spot_fleet_request_config.context`
+
+`spot_fleet_request_config.tag_specifications`
+: The key-value pair for tagging the Spot Fleet request on creation.
+
+: **Field**: `spot_fleet_request_config.tag_specifications`
+
+`spot_fleet_request_id`
+: The ID of the Spot Fleet request.
+
+: **Field**: `spot_fleet_request_id`
+
+`spot_fleet_request_state`
+: The state of the Spot Fleet request.
+
+: **Field**: `spot_fleet_request_state`
+
+`tags`
+: The tags for a Spot Fleet resource.
+
+: **Field**: `tags`
+
+## Examples
+
+Ensure a iam fleet role is available:
+
+```ruby
+describe aws_ec2_spot_fleet(spot_fleet_request_id: "SpotFleetID") do
+ its('iam_fleet_role') { should eq 'IAMFleetRole' }
+end
+```
+
+Ensure that the state is `active`:
+
+```ruby
+describe aws_ec2_spot_fleet(spot_fleet_request_id: "SpotFleetID") do
+ its('spot_fleet_request_state') { should eq 'available' }
+end
+```
+
+## Matchers
+
+{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}}
+
+The controls will pass if the `describe` method returns at least one result.
+
+### exist
+
+Use `should` to test that the entity exists.
+
+```ruby
+describe aws_ec2_spot_fleet(spot_fleet_request_id: "SpotFleetID") do
+ it { should exist }
+end
+```
+
+Use `should_not` to test the entity does not exist.
+
+```ruby
+describe aws_ec2_spot_fleet(spot_fleet_request_id: 'dummy') do
+ it { should_not exist }
+end
+```
+
+### be_available
+
+Use `should` to check if the entity is available.
+
+```ruby
+describe aws_ec2_spot_fleet(spot_fleet_request_id: "SpotFleetID") do
+ it { should be_available }
+end
+```
+
+## AWS Permissions
+
+{{% inspec-aws/aws_permissions_principal action="EC2:Client:DescribeSpotFleetRequestsResponse" %}}
diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_ec2_spot_fleets.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_ec2_spot_fleets.md
new file mode 100644
index 0000000..4be84b8
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_ec2_spot_fleets.md
@@ -0,0 +1,109 @@
++++
+title = "aws_ec2_spot_fleets resource"
+
+draft = false
+
+
+[menu.aws]
+title = "aws_ec2_spot_fleets"
+identifier = "inspec/resources/aws/aws_ec2_spot_fleets resource"
+parent = "inspec/resources/aws"
++++
+
+Use the `aws_ec2_spot_fleets` InSpec audit resource to test properties of the plural AWS EC2 Spot Fleet.
+
+The `AWS::EC2::SpotFleet` resource specifies a Spot Fleet request. A Spot Fleet request contains the configuration information to launch a fleet, or group, of instances.
+
+For additional information, including details on parameters and properties, see the [AWS documentation on AWS EC2 Spot Fleet.](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ec2-spotfleet.html).
+
+## Syntax
+
+Ensure that spot fleets exists.
+
+```ruby
+describe aws_ec2_spot_fleets do
+ it { should exist }
+end
+```
+
+## Parameters
+
+This resource does not require any parameters.
+
+## Properties
+
+`activity_statuses`
+: The progress of the Spot Fleet request.
+
+: **Field**: `activity_status`
+
+`create_times`
+: The creation date and time of the request.
+
+: **Field**: `create_time`
+
+`spot_fleet_request_configs`
+: The configs of the Spot Fleet request.
+
+: **Field**: `spot_fleet_request_config`
+
+`spot_fleet_request_ids`
+: The ID of the Spot Fleet request.
+
+: **Field**: `spot_fleet_request_id`
+
+`spot_fleet_request_states`
+: The state of the Spot Fleet request.
+
+: **Field**: `spot_fleet_request_state`
+
+`tags`
+: The tags for a Spot Fleet resource.
+
+: **Field**: `tags`
+
+## Examples
+
+Ensure an activity status is there:
+
+```ruby
+describe aws_ec2_spot_fleets do
+ its('activity_statuses') { should include 'error' }
+end
+```
+
+Ensure that the state is `active`:
+
+```ruby
+describe aws_ec2_spot_fleets do
+ its('spot_fleet_request_states') { should include 'available' }
+end
+```
+
+## Matchers
+
+{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}}
+
+The controls will pass if the `describe` method returns at least one result.
+
+### exist
+
+Use `should` to test that the entity exists.
+
+```ruby
+describe aws_ec2_spot_fleets do
+ it { should exist }
+end
+```
+
+Use `should_not` to test the entity does not exist.
+
+```ruby
+describe aws_ec2_spot_fleets do
+ it { should_not exist }
+end
+```
+
+## AWS Permissions
+
+{{% inspec-aws/aws_permissions_principal action="EC2:Client:DescribeSpotFleetRequestsResponse" %}}
diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_ec2_traffic_mirror_filter.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_ec2_traffic_mirror_filter.md
new file mode 100644
index 0000000..4312bd2
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_ec2_traffic_mirror_filter.md
@@ -0,0 +1,107 @@
++++
+title = "aws_ec2_traffic_mirror_filter resource"
+
+draft = false
+
+
+[menu.aws]
+title = "aws_ec2_traffic_mirror_filter"
+identifier = "inspec/resources/aws/aws_ec2_traffic_mirror_filter resource"
+parent = "inspec/resources/aws"
++++
+
+Use the `aws_ec2_traffic_mirror_filter` InSpec audit resource to test properties of a single AWS traffic mirror filter.
+
+## Syntax
+
+An `aws_ec2_traffic_mirror_filter` resource block declares the tests for a single AWS traffic mirror filter.
+
+```ruby
+describe aws_ec2_traffic_mirror_filter(aws_ec2_traffic_mirror_filter_id: 'TRAFFIC_MIRROR_FILTER_ID') do
+ it { should exist }
+end
+```
+
+```ruby
+describe aws_ec2_traffic_mirror_filter('TRAFFIC_MIRROR_FILTER_ID') do
+ it { should exist }
+end
+```
+
+## Parameters
+
+`traffic_mirror_filter_id` _(required)_
+
+: The ID of the EC2 traffic mirror. This is in the format of `tmf-` followed by 8 or 17 hexadecimal characters.
+ This can be passed either as a string or as an `aws_ec2_traffic_mirror_filter_id: 'value'` key-value entry in a hash.
+
+## Properties
+
+`traffic_mirror_filter_id`
+: The ID of a traffic mirror filter.
+
+`description`
+: The description of a traffic mirror filter.
+
+`tags`
+: A list of hashes with each key-value pair corresponding to a traffic mirror tag, e.g, `[{:key=>"Name", :value=>"Testing Box"}, {:key=>"Environment", :value=>"Dev"}]`.
+
+There are also additional properties available. For a comprehensive list, see [the API reference documentation](https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_TrafficMirrorFilter.html)
+
+## Examples
+
+Test that an EC2 traffic mirror should exist:
+
+```ruby
+describe aws_ec2_traffic_mirror_filter(aws_ec2_traffic_mirror_filter_id: 'TRAFFIC_MIRROR_FILTER_ID') do
+ it { should exist }
+end
+```
+
+Test that an EC2 traffic mirror description is correct:
+
+```ruby
+describe aws_ec2_traffic_mirror_filter(aws_ec2_traffic_mirror_filter_id: 'TRAFFIC_MIRROR_FILTER_ID') do
+ its('description') { should eq "DESCRIPTION_TEXT" }
+end
+```
+
+## Matchers
+
+{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}}
+
+The controls will pass if the `describe` method returns at least one result.
+
+### exist
+
+Use `should` to test that the entity exists.
+
+```ruby
+describe aws_ec2_traffic_mirror_filter(aws_ec2_traffic_mirror_filter_id: 'TRAFFIC_MIRROR_FILTER_ID') do
+ it { should exist }
+end
+```
+
+Use `should_not` to test the entity does not exist.
+
+```ruby
+describe aws_ec2_traffic_mirror_filter(aws_ec2_traffic_mirror_filter_id: 'TRAFFIC_MIRROR_FILTER_ID') do
+ it { should_not exist }
+end
+```
+
+### be_available
+
+Check if the test the entity is available.
+
+```ruby
+describe aws_ec2_traffic_mirror_filter(aws_ec2_traffic_mirror_filter_id: 'TRAFFIC_MIRROR_FILTER_ID') do
+ it { should be_available }
+end
+```
+
+## AWS Permissions
+
+{{% inspec-aws/aws_permissions_principal action="EC2:Client:DescribeTrafficMirrorFiltersResult" %}}
+
+See the [Actions, Resources, and Condition Keys for Amazon EC2](https://docs.aws.amazon.com/IAM/latest/UserGuide/list_amazonec2.html) documentation for additional information.
diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_ec2_traffic_mirror_filters.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_ec2_traffic_mirror_filters.md
new file mode 100644
index 0000000..a628aff
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_ec2_traffic_mirror_filters.md 
@@ -0,0 +1,96 @@
++++
+title = "aws_ec2_traffic_mirror_filters resource"
+
+draft = false
+
+
+[menu.aws]
+title = "aws_ec2_traffic_mirror_filters"
+identifier = "inspec/resources/aws/aws_ec2_traffic_mirror_filters resource"
+parent = "inspec/resources/aws"
++++
+
+Use the `aws_ec2_traffic_mirror_filters` InSpec audit resource to test properties of multiple AWS traffic mirror filters.
+
+## Syntax
+
+An `aws_ec2_traffic_mirror_filters` resource block declares the tests for a set of AWS traffic mirror filters.
+
+```ruby
+describe aws_ec2_traffic_mirror_filters do
+ it { should exist }
+end
+```
+
+## Parameters
+
+This resource does not require any parameters.
+
+## Properties
+
+`traffic_mirror_filter_ids`
+: The ID of a traffic mirror filter.
+
+`descriptions`
+: The description of a traffic mirror filter.
+
+`tags`
+: A list of hashes with each key-value pair corresponding to an traffic mirror filter.
+
+There are also additional properties available. For a comprehensive list, see [the API reference documentation](https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_TrafficMirrorFilter.html)
+
+## Examples
+
+Test that an EC2 traffic mirror filter exists:
+
+```ruby
+describe aws_ec2_traffic_mirror_filters do
+ it { should exist }
+end
+```
+
+Test that EC2 traffic mirror filter's description is correct:
+
+```ruby
+describe aws_ec2_traffic_mirror_filters do
+ its('descriptions') { should include 'DESCRIPTION_TEXT' }
+end
+```
+
+Test that an EC2 traffic mirror has the correct tag:
+
+```ruby
+describe aws_ec2_traffic_mirror_filters do
+ its('tags') { should include 'TAG' }
+end
+```
+
+## Matchers
+
+{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}}
+
+The controls will pass if the `describe` method returns at least one result.
+
+### exist
+
+Use `should` to test that an entity exists.
+
+```ruby
+describe aws_ec2_traffic_mirror_filters do
+ it { should exist }
+end
+```
+
+Use `should_not` to test that an entity does not exist.
+
+```ruby
+describe aws_ec2_traffic_mirror_filters do
+ it { should_not exist }
+end
+```
+
+## AWS Permissions
+
+{{% inspec-aws/aws_permissions_principal action="EC2:Client:DescribeTrafficMirrorFiltersResult" %}}
+
+See the [Actions, Resources, and Condition Keys for Amazon EC2](https://docs.aws.amazon.com/IAM/latest/UserGuide/list_amazonec2.html) documentation for additional information.
diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_ec2_traffic_mirror_session.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_ec2_traffic_mirror_session.md
new file mode 100644
index 0000000..f29dda0
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_ec2_traffic_mirror_session.md
@@ -0,0 +1,117 @@
++++
+title = "aws_ec2_traffic_mirror_session resource"
+
+draft = false
+
+
+[menu.aws]
+title = "aws_ec2_traffic_mirror_session"
+identifier = "inspec/resources/aws/aws_ec2_traffic_mirror_session resource"
+parent = "inspec/resources/aws"
++++
+
+Use the `aws_ec2_traffic_mirror_session` InSpec audit resource to test properties an AWS Traffic Mirror session.
+
+## Syntax
+
+An `aws_ec2_traffic_mirror_session` resource block declares the tests for a single AWS Traffic Mirror session by session ID.
+
+```ruby
+describe aws_ec2_traffic_mirror_session(traffic_mirror_session_id: 'TRAFFIC_MIRROR_SESSION_ID') do
+ it { should exist }
+end
+```
+
+## Parameters
+
+`traffic_mirror_session_id` _(required)_
+
+: The ID of the Traffic Mirror session.
+
+## Properties
+
+`traffic_mirror_session_id`
+: The ID for the Traffic Mirror session.
+
+`traffic_mirror_target_id`
+: The ID of the Traffic Mirror target.
+
+`traffic_mirror_filter_id`
+: The ID of the Traffic Mirror filter.
+
+`network_interface_id`
+: The ID of the Traffic Mirror session's network interface.
+
+`owner_id`
+: The ID of the account that owns the Traffic Mirror session.
+
+`packet_length`
+: The number of bytes in each packet to mirror.
+
+`virtual_network_id`
+: The virtual network ID associated with the Traffic Mirror session.
+
+`description`
+: The description of the Traffic Mirror session.
+
+`tags`
+: The tags assigned to the Traffic Mirror session.
+
+`session_number`
+: The session number determines the order in which sessions are evaluated when an interface is used by multiple sessions.
+
+For additional information, see [the API reference documentation](https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_TrafficMirrorSession.html).
+
+## Examples
+
+Test that a Traffic Mirror session should exist:
+
+```ruby
+describe aws_ec2_traffic_mirror_session(traffic_mirror_session_id: 'TRAFFIC_MIRROR_SESSION_ID') do
+ it { should exist }
+end
+```
+
+Test the packet length of a Traffic Mirror session:
+
+```ruby
+describe aws_ec2_traffic_mirror_session(traffic_mirror_session_id: 'TRAFFIC_MIRROR_SESSION_ID') do
+ its('packet_length') { should eq 1 }
+end
+```
+
+Test that a Traffic Mirror session has the correct ID:
+
+```ruby
+describe aws_ec2_traffic_mirror_session(traffic_mirror_session_id: 'TRAFFIC_MIRROR_SESSION_ID') do
+ its('traffic_mirror_session_id') { should eq 'TRAFFIC_MIRROR_SESSION_ID' }
+end
+```
+
+## Matchers
+
+{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}}
+
+This resource has the following special matchers.
+
+### be_available
+
+Check if the Traffic Mirror session is available.
+
+```ruby
+describe aws_ec2_traffic_mirror_session(traffic_mirror_session_id: 'TRAFFIC_MIRROR_SESSION_ID') do
+ it { should be_available }
+end
+```
+
+Use `should_not` to test a Traffic Mirror session that should not exist.
+
+```ruby
+describe aws_ec2_traffic_mirror_session(traffic_mirror_session_id: 'TRAFFIC_MIRROR_SESSION_ID') do
+ it { should_not be_available }
+end
+```
+
+## AWS Permissions
+
+{{% inspec-aws/aws_permissions_principal action="EC2:Client:DescribeTrafficMirrorSessionsResult" %}}
diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_ec2_traffic_mirror_sessions.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_ec2_traffic_mirror_sessions.md
new file mode 100644
index 0000000..cfbc2f2
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_ec2_traffic_mirror_sessions.md
@@ -0,0 +1,135 @@
++++
+title = "aws_ec2_traffic_mirror_sessions resource"
+
+draft = false
+
+
+[menu.aws]
+title = "aws_ec2_traffic_mirror_sessions"
+identifier = "inspec/resources/aws/aws_ec2_traffic_mirror_sessions resource"
+parent = "inspec/resources/aws"
++++
+
+Use the `aws_ec2_traffic_mirror_sessions` InSpec audit resource to test properties of all AWS Traffic Mirror sessions.
+
+## Syntax
+
+An `aws_ec2_traffic_mirror_sessions` resource block declares the tests for all the AWS Traffic Mirror sessions.
+
+```ruby
+describe aws_ec2_traffic_mirror_sessions do
+ it { should exist }
+end
+```
+
+## Parameters
+
+This resource does not require any parameters.
+
+## Properties
+
+`traffic_mirror_session_ids`
+: The ID for the Traffic Mirror session.
+
+: **Field**: `traffic_mirror_session_id`
+
+`traffic_mirror_target_ids`
+: The ID of the Traffic Mirror target.
+
+: **Field**: `traffic_mirror_target_id`
+
+`traffic_mirror_filter_ids`
+: The ID of the Traffic Mirror filter.
+
+: **Field**: `traffic_mirror_filter_id`
+
+`network_interface_ids`
+: The ID of the Traffic Mirror session's network interface.
+
+: **Field**: `network_interface_id`
+
+`owner_ids`
+: The ID of the account that owns the Traffic Mirror session.
+
+: **Field**: `owner_id`
+
+`packet_lengths`
+: The number of bytes in each packet to mirror.
+
+: **Field**: `packet_length`
+
+`session_numbers`
+: The session number determines the order in which sessions are evaluated when an interface is used by multiple sessions.
+
+: **Field**: `session_number`
+
+`virtual_network_ids`
+: The virtual network ID associated with the Traffic Mirror session.
+
+: **Field**: `virtual_network_id`
+
+`descriptions`
+: The description of the Traffic Mirror session.
+
+: **Field**: `description`
+
+`tags`
+: The tags assigned to the Traffic Mirror session.
+
+: **Field**: `tags`
+
+For additional information, see [the API reference documentation](https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_TrafficMirrorSession.html).
+
+## Examples
+
+Test that an AWS Traffic Mirror session exists:
+
+```ruby
+describe aws_ec2_traffic_mirror_sessions do
+ it { should exist }
+end
+```
+
+Test that Traffic Mirror target includes a value:
+
+```ruby
+describe aws_ec2_traffic_mirror_sessions do
+ its('traffic_mirror_target_ids') { should include 'TRAFFIC_MIRROR_TARGET_ID' }
+end
+```
+
+Test the a Traffic Mirror session has a description:
+
+```ruby
+describe aws_ec2_traffic_mirror_sessions do
+ its('description') { should include 'DESCRIPTION_TEXT' }
+end
+```
+
+## Matchers
+
+{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}}
+
+This resource has the following special matchers.
+
+### be_available
+
+Check if the Traffic mirror session is available.
+
+```ruby
+describe aws_ec2_traffic_mirror_sessions do
+ it { should be_available }
+end
+```
+
+Use `should_not` to test a Traffic mirror session that should not exist.
+
+```ruby
+describe aws_ec2_traffic_mirror_sessions do
+ it { should_not be_available }
+end
+```
+
+## AWS Permissions
+
+{{% inspec-aws/aws_permissions_principal action="EC2:Client:DescribeTrafficMirrorSessionsResult" %}}
diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_ec2_transit_gateway_attachment.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_ec2_transit_gateway_attachment.md
new file mode 100644
index 0000000..09be3f5
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_ec2_transit_gateway_attachment.md
@@ -0,0 +1,132 @@ ++++ +title = "aws_ec2_transit_gateway_attachment resource" + +draft = false + + +[menu.aws] +title = "aws_ec2_transit_gateway_attachment" +identifier = "inspec/resources/aws/aws_ec2_transit_gateway_attachment resource" +parent = "inspec/resources/aws" ++++ + +Use the `aws_ec2_transit_gateway_attachment` InSpec audit resource to test properties of a single specific Transit Gateway attachment. + +A Transit Gateway attachment attaches a VPC to a Transit Gateway. + +For additional information, including details on parameters and properties, see the [AWS documentation on Transit Gateway attachments](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ec2-transitgatewayattachment.html). + +## Syntax + +### Ensure that a Transit Gateway attachment ID exists + +```ruby +describe aws_ec2_transit_gateway_attachment(transit_gateway_attachment_id:'tgw-attach-006f2fd0a03d51323') do + it { should exist } +end +``` + +## Parameters + +`transit_gateway_attachment_id` _(required)_ + +## Properties + +`transit_gateway_attachment_id` +: The IDs of the attachments. + +`transit_gateway_id` +: The ID of the Transit Gateway. + +`transit_gateway_owner_id` +: The ID of the AWS account that owns the Transit Gateway. + +`resource_owner_id` +: The ID of the AWS account that owns the resource. + +`resource_type` +: The resource type. Valid values are: `vpc`, `vpn`, `direct-connect-gateway`, `peering`, and `connect`. + +`resource_id` +: The ID of the resource. + +`state` +: The state of the attachment. Valid values are: `available`, `deleted`, `deleting`, `failed`, `failing`, `initiatingRequest`, `modifying`, `pendingAcceptance`, `pending`, `rollingBack`, `rejected`, and `rejecting`. + +`association (transit_gateway_route_table_id)` +: The ID of the route table for the Transit Gateway. + +`association (state)` +: The state of the attachment. Valid values are `associating`, `associated`, `disassociating`, and `disassociated`. 
+ +`creation_time` +: The creation time of the Transit Gateway. + +`tags` +: The tags of the attachments. + +## Examples + +Ensure a Transit Gateway attachment ID is available: + +```ruby +describe aws_ec2_transit_gateway_attachment(transit_gateway_attachment_id: 'tgw-attach-006f2fd0a03d51323') do + its('public_ip') { should eq 'tgw-attach-006f2fd0a03d51323' } +end +``` + +Ensure that the state is `available` or `deleted`: + +```ruby +describe aws_ec2_transit_gateway_attachment(transit_gateway_attachment_id: 'tgw-attach-006f2fd0a03d51323') do + its('state') { should eq 'available' } +end +``` + +## Matchers + +{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}} + +The controls will pass if the `describe` method returns at least one result. + +### exist + +Use `should` to test that the entity exists. + +```ruby +describe aws_ec2_transit_gateway_attachment(transit_gateway_attachment_id: 'tgw-attach-006f2fd0a03d51323') do + it { should exist } +end +``` + +Use `should_not` to test the entity does not exist. + +```ruby +describe aws_ec2_transit_gateway_attachment(transit_gateway_attachment_id: 'tgw-attach-006f2fd0a03d51323') do + it { should_not exist } +end +``` + +### be_available + +Check if the IP address is available. + +```ruby +describe aws_ec2_transit_gateway_attachment(transit_gateway_attachment_id: 'tgw-attach-006f2fd0a03d51323') do + it { should be_available } +end +``` + +Use `should_not` to test an IP address that should not exist. + +```ruby +describe aws_ec2_transit_gateway_attachment(transit_gateway_attachment_id: 'tgw-attach-006f2fd0a03d51323') do + it { should_not be_available } +end +``` + +## AWS Permissions + +{{% inspec-aws/aws_permissions_principal action="ec2:DescribeAddresses" %}} + +See the [Actions, Resources, and Condition Keys for Amazon EC2](https://docs.aws.amazon.com/IAM/latest/UserGuide/list_amazonec2.html) documentation for additional information. 
diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_ec2_transit_gateway_attachments.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_ec2_transit_gateway_attachments.md new file mode 100644 index 0000000..1665285 --- /dev/null +++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_ec2_transit_gateway_attachments.md 
@@ -0,0 +1,126 @@ ++++ +title = "aws_ec2_transit_gateway_attachments resource" + +draft = false + + +[menu.aws] +title = "aws_ec2_transit_gateway_attachments" +identifier = "inspec/resources/aws/aws_ec2_transit_gateway_attachments resource" +parent = "inspec/resources/aws" ++++ + +Use the `aws_ec2_transit_gateway_attachments` InSpec audit resource to test properties of some or all AWS Transit Gateway attachments. + +This resource does not expect any parameters. + +For additional information, including details on parameters and properties, see the [AWS documentation on Transit Gateway attachment](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ec2-transitgatewayattachment.html). + +## Syntax + +Verify that a Transit Gateway attachment ID exists. + +```ruby +describe aws_ec2_transit_gateway_attachment(transit_gateway_attachment_id:'tgw-attach-006f2fd0a03d51323') do + it { should exist } +end +``` + +An `aws_ec2_transit_gateway_attachments` resource block uses an optional filter to select a group of Elastic IPs and then test that group. + +## Parameters + +This resource does not require any parameters. + +## Properties + +`transit_gateway_attachment_ids` +: The IDs of the attachments. + +`transit_gateway_ids` +: The ID of the Transit Gateway. + +`transit_gateway_owner_ids` +: The ID of the AWS account that owns the Transit Gateway. + +`resource_owner_ids` +: The ID of the AWS account that owns the resource. + +`resource_types` +: The resource type. Valid values are: `vpc`, `vpn`, `direct-connect-gateway`, `peering`, and `connect`. + +`resource_ids` +: The ID of the resource. + +`states` +: The state of the attachment. Valid values are: `available`, `deleted`, `deleting`, `failed`, `failing`, `initiatingRequest`, `modifying`, `pendingAcceptance`, `pending`, `rollingBack`, `rejected`, and `rejecting`. + +`associations (transit_gateway_route_table_id)` +: The ID of the route table for the Transit Gateway. 
+ +`associations (state)` +: The state of the attachment. Valid values are `associating`, `associated`, `disassociating`, and `disassociated`. + +`creation_times` +: The creation time of the Transit Gateway. + +`tags` +: The tags of the attachments. + +## Examples + +Ensure a Transit Gateway attachment has transit_gateway_attachment_ids: + +```ruby +describe aws_ec2_transit_gateway_attachments do + it { should exist } +end +``` + +Match count of Transit Gateway attachment: + +```ruby +describe aws_ec2_transit_gateway_attachments do + its('count') { should eq 5 } +end +``` + +Check State whether it is correct or not: + +```ruby +describe aws_ec2_transit_gateway_attachments do + its('states') { should include "available" } +end +``` + +## Matchers + +{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}} + +This resource has the following special matchers. + +### exist + +The control will pass if the describe returns at least one result. + +Use `should` to test the entity exist. + +```ruby +describe aws_ec2_transit_gateway_attachments do + it { should exist } +end +``` + +Use `should_not` to test the entity should not exist. + +```ruby +describe aws_ec2_transit_gateway_attachments do + it { should_not exist } +end +``` + +## AWS Permissions + +{{% inspec-aws/aws_permissions_principal action="ec2:DescribeVpcEndpoints" %}} + +You can find detailed documentation at [Actions, Resources, and Condition Keys for Amazon EC2](https://docs.aws.amazon.com/IAM/latest/UserGuide/list_amazonec2.html). diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_ec2_transit_gateway_route_table.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_ec2_transit_gateway_route_table.md new file mode 100644 index 0000000..01044a8 --- /dev/null +++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_ec2_transit_gateway_route_table.md 
@@ -0,0 +1,122 @@ ++++ +title = "aws_ec2_transit_gateway_route_table resource" + +draft = false + + +[menu.aws] +title = "aws_ec2_transit_gateway_route_table" +identifier = "inspec/resources/aws/aws_ec2_transit_gateway_route_table resource" +parent = "inspec/resources/aws" ++++ + +Use the `aws_ec2_transit_gateway_route_table` InSpec audit resource to test properties of a single specific Transit Gateway route table association. + +A Transit Gateway route table association associates the specified attachment with the specified Transit Gateway route table. + +For additional information, including details on parameters and properties, see the [AWS documentation on Transit Gateway route table](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ec2-transitgatewayroutetable.html). + +## Syntax + +Ensure that a Transit Gateway route table ID exists. + +```ruby +describe aws_ec2_transit_gateway_route_table(transit_gateway_route_table_id: 'tgw-rtb-052d947d91b6bb69f') do + it { should exist } +end +``` + +## Parameters + +`transit_gateway_route_table_id` _(required)_ + +: The ID of the Transit Gateway route table. + +## Properties + +`transit_gateway_route_table_id` +: The ID of the Transit Gateway route table. + +`transit_gateway_id` +: The ID of the Transit Gateway. + +`state` +: The state of the route table. Relevant values are: `available`, `deleting`, `deleted`, and `pending`. + +`default_association_route_table` +: Indicates whether this is the default association route table for the Transit Gateway. Default values are `true` and `false`. + +`default_propagation_route_table` +: Indicates whether this is the default propagation route table for the Transit Gateway. Default values are `true` and `false`. + +`creation_time` +: The creation time of the Transit Gateway route table. + +`tags` +: The tags of the Transit Gateway route table. 
+ +## Examples + +Ensure a Transit Gateway route table ID is available: + +```ruby +describe aws_ec2_transit_gateway_route_table(transit_gateway_route_table_id: 'tgw-rtb-052d947d91b6bb69f') do + its('transit_gateway_route_table_id') { should eq 'tgw-rtb-052d947d91b6bb69f' } +end +``` + +Ensure that the state is `available` or `deleted`: + +```ruby +describe aws_ec2_transit_gateway_route_table(transit_gateway_route_table_id: 'tgw-rtb-052d947d91b6bb69f') do + its('state') { should eq 'available' } +end +``` + +## Matchers + +{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}} + +The controls will pass if the `describe` method returns at least one result. + +### exist + +Use `should` to test that the entity exists. + +```ruby +describe aws_ec2_transit_gateway_route_table(transit_gateway_route_table_id: 'tgw-rtb-052d947d91b6bb69f') do + it { should exist } +end +``` + +Use `should_not` to test the entity does not exist. + +```ruby +describe aws_ec2_transit_gateway_route_table(transit_gateway_route_table_id: 'tgw-rtb-052d947d91b6bb69f') do + it { should_not exist } +end +``` + +### be_available + +Check if the Transit Gateway route table ID is available. + +```ruby +describe aws_ec2_transit_gateway_route_table(transit_gateway_route_table_id: 'tgw-rtb-052d947d91b6bb69f') do + it { should be_available } +end +``` + +Use `should_not` to test an Transit Gateway route table ID that should not exist. + +```ruby +describe aws_ec2_transit_gateway_route_table(transit_gateway_route_table_id: 'tgw-rtb-052d947d91b6bb69f') do + it { should_not be_available } +end +``` + +## AWS Permissions + +{{% inspec-aws/aws_permissions_principal action="ec2:describe_transit_gateway_route_tables" %}} + +See the [Actions, Resources, and Condition Keys for Amazon EC2](https://docs.aws.amazon.com/IAM/latest/UserGuide/list_amazonec2.html) documentation for additional information. 
diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_ec2_transit_gateway_route_table_association.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_ec2_transit_gateway_route_table_association.md new file mode 100644 index 0000000..64d876a --- /dev/null +++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_ec2_transit_gateway_route_table_association.md 
@@ -0,0 +1,103 @@ ++++ +title = "aws_ec2_transit_gateway_route_table_association resource" + +draft = false + + +[menu.aws] +title = "aws_ec2_transit_gateway_route_table_association" +identifier = "inspec/resources/aws/aws_ec2_transit_gateway_route_table_association resource" +parent = "inspec/resources/aws" ++++ + +Use the `aws_ec2_transit_gateway_route_table_association` InSpec audit resource to test properties of a single AWS transit gateway route table association. + +A transit gateway route table association associates the specified attachment with the specified transit gateway route table. You can associate only one route table with an attachment. + +## Syntax + +Ensure that a transit gateway route table ID exists. + +```ruby +describe aws_ec2_transit_gateway_route_table_association(transit_gateway_route_table_id: 'TRANSIT_GATEWAY_ROUTE_TABLE_ID') do + it { should exist } +end +``` + +## Parameters + +`transit_gateway_route_table_id` _(required)_ + +: For additional information, check out the [AWS documentation on transit gateway route table association](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ec2-transitgatewayroutetableassociation.html). + +## Properties + +`transit_gateway_route_table_id` +: The ID of the transit gateway route table. + +`resource_type` +: The resource type. Valid values are: `vpc`, `vpn`, `direct-connect-gateway`, `peering`, and `connect`. + +`resource_id` +: The ID of the resource. + +`state` +: The possible states of the route table are: `available`, `deleting`, `deleted`, and `pending`. 
+ +## Examples + +Ensure that the transit gateway route table ID is available: + +```ruby +describe aws_ec2_transit_gateway_route_table_association(transit_gateway_route_table_id: 'TRANSIT_GATEWAY_ROUTE_TABLE_ID') do + its('transit_gateway_attachment_id') { should eq ''TRANSIT_GATEWAY_ATTACHMENT_ID'' } +end +``` + +Ensure that the state is available or deleted: + +```ruby +describe aws_ec2_transit_gateway_route_table_association(transit_gateway_route_table_id: 'TRANSIT_GATEWAY_ROUTE_TABLE_ID') do + its('state') { should eq 'available' } +end +``` + +## Matchers + +This InSpec audit resource has the following special matchers. For the complete list of available matchers, visit [Universal Matchers page](https://www.inspec.io/docs/reference/matchers/). + +The controls will pass if the `describe` method returns at least one result. + +### exist + +Use `should` to test whether the entity exists. + +```ruby +describe aws_ec2_transit_gateway_route_table_association(transit_gateway_route_table_id: 'TRANSIT_GATEWAY_ROUTE_TABLE_ID') do + it { should exist } +end +``` + +Use `should_not` to test an entity that should not exist. + +```ruby +describe aws_ec2_transit_gateway_route_table_association(transit_gateway_route_table_id: 'TRANSIT_GATEWAY_ROUTE_TABLE_ID') do + it { should_not exist } +end +``` + +### be_available + +Use `should` to check whether the transit gateway route table ID is available. + +```ruby +describe aws_ec2_transit_gateway_route_table_association(transit_gateway_route_table_id: 'TRANSIT_GATEWAY_ROUTE_TABLE_ID') do + it { should be_available } +end +``` + +## AWS Permissions + +{{% inspec-aws/aws_permissions_principal action="ec2:client:get_transit_gateway_route_table_associations" %}} + +For addition information, check out the [Actions, Resources, and Condition Keys for Amazon EC2](https://docs.aws.amazon.com/IAM/latest/UserGuide/list_amazonec2.html) documentation. 
diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_ec2_transit_gateway_route_table_associations.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_ec2_transit_gateway_route_table_associations.md new file mode 100644 index 0000000..0f9441a --- /dev/null +++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_ec2_transit_gateway_route_table_associations.md 
@@ -0,0 +1,101 @@ ++++ +title = "aws_ec2_transit_gateway_route_table_associations resource" + +draft = false + + +[menu.aws] +title = "aws_ec2_transit_gateway_route_table_associations" +identifier = "inspec/resources/aws/aws_ec2_transit_gateway_route_table_associations resource" +parent = "inspec/resources/aws" ++++ + +Use the `aws_ec2_transit_gateway_route_table_associations` InSpec audit resource to test properties of some or all AWS transit gateway route table associations. + +An AWS transit gateway route table association associates the specified attachment with the specified transit gateway route table. You can associate only one route table with an attachment. + +## Syntax + +Verify whether a transit gateway route table ID exists. + +```ruby +describe aws_ec2_transit_gateway_route_table_associations(transit_gateway_route_table_id: 'TRANSIT_GATEWAY_ROUTE_TABLE_ID') do + it { should exist } +end +``` + +## Parameters + +`transit_gateway_route_table_id` _(required)_ + +: For addition information, check out the [AWS documentation on transit gateway route table](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ec2-transitgatewayroutetableassociation.html). + +## Properties + +`transit_gateway_route_table_ids` +: The ID of the transit gateway route table. + +`resource_types` +: The resource type. Valid values are: `vpc`, `vpn`, `direct-connect-gateway`, `peering`, and `connect`. + +`resource_ids` +: The ID of the resource. + +`states` +: The possible states of the route table are: `available`, `deleting`, `deleted`, and `pending`. 
+ +## Examples + +Ensure a transit gateway route table exists: + +```ruby +describe aws_ec2_transit_gateway_route_table_associations(transit_gateway_route_table_id: 'TRANSIT_GATEWAY_ROUTE_TABLE_ID') do + it { should exist } +end +``` + +Match count of transit gateway route table: + +```ruby +describe aws_ec2_transit_gateway_route_table_associations(transit_gateway_route_table_id: 'TRANSIT_GATEWAY_ROUTE_TABLE_ID') do + its('count') { should eq 5 } +end +``` + +Check the state of the route table: + +```ruby +describe aws_ec2_transit_gateway_route_table_associations(transit_gateway_route_table_id: 'TRANSIT_GATEWAY_ROUTE_TABLE_ID') do + its('states') { should include "available" } +end +``` + +## Matchers + +This InSpec audit resource has the following special matchers. For the complete list of available matchers, visit [Universal Matchers page](https://www.inspec.io/docs/reference/matchers/). + +### exist + +The control will pass if the `describe` returns at least one result. + +Use `should` to test whether the entity exists. + +```ruby +describe aws_ec2_transit_gateway_route_table_associations(transit_gateway_route_table_id: 'TRANSIT_GATEWAY_ROUTE_TABLE_ID') do + it { should exist } +end +``` + +Use `should_not` to test an entity that should not exist. + +```ruby +describe aws_ec2_transit_gateway_route_table_associations(transit_gateway_route_table_id: 'TRANSIT_GATEWAY_ROUTE_TABLE_ID') do + it { should_not exist } +end +``` + +## AWS Permissions + +{{% inspec-aws/aws_permissions_principal action="EC2:Client:GetTransitGatewayRouteTableAssociationsResult" %}} + +For addition information, check out the [Actions, Resources, and Condition Keys for Amazon EC2](https://docs.aws.amazon.com/IAM/latest/UserGuide/list_amazonec2.html) documentation. 
diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_ec2_transit_gateway_route_table_propagation.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_ec2_transit_gateway_route_table_propagation.md new file mode 100644 index 0000000..b036a35 --- /dev/null +++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_ec2_transit_gateway_route_table_propagation.md 
@@ -0,0 +1,107 @@ ++++ +title = "aws_ec2_transit_gateway_route_table_propagation resource" + +draft = false + + +[menu.aws] +title = "aws_ec2_transit_gateway_route_table_propagation" +identifier = "inspec/resources/aws/aws_ec2_transit_gateway_route_table_propagation resource" +parent = "inspec/resources/aws" ++++ + +Use the `aws_ec2_transit_gateway_route_table_propagation` InSpec audit resource to test properties of a propagation route between a Transit Gateway attachment and a Transit Gateway route table. + +The `AWS::EC2::TransitGatewayRouteTablePropagation` resource enables the specified attachment to propagate routes to the specified propagation route table. + +For additional information, including details on parameters and properties, see the [AWS documentation on AWS EC2 TransitGatewayRouteTablePropagation](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ec2-transitgatewayroutetablepropagation.html). + +## Syntax + +Ensure that a Transit Gateway route table id exists. + +```ruby +describe aws_ec2_transit_gateway_route_table_propagation(transit_gateway_route_table_id: 'TRANSIT_GATEWAY_ROUTE_TABLE_ID', transit_gateway_attachment_id: "TRANSIT_GATEWAY_ATTACHMENT_ID") do + it { should exist } +end +``` + +## Parameters + +`transit_gateway_route_table_id` _(required)_ + +: The ID of the Transit Gateway route table. + +`transit_gateway_attachment_id` _(required)_ + +: The ID of the attachment. + +## Properties + +`transit_gateway_attachment_id` +: The ID of the attachment. + +`resource_id` +: The ID of the resource. + +`resource_type` +: The type of resource. + +`state` +: The state of the resource. 
+ +## Examples + +Ensure a Transit Gateway attachment ID is available: + +```ruby +describe aws_ec2_transit_gateway_route_table_propagation(transit_gateway_route_table_id: 'TRANSIT_GATEWAY_ROUTE_TABLE_ID', transit_gateway_attachment_id: "TRANSIT_GATEWAY_ATTACHMENT_ID") do + its('transit_gateway_attachment_id') { should eq 'TRANSIT_GATEWAY_ROUTE_TABLE_ID' } +end +``` + +Ensure that the state is `enabled`: + +```ruby +describe aws_ec2_transit_gateway_route_table_propagation(transit_gateway_route_table_id: 'TRANSIT_GATEWAY_ROUTE_TABLE_ID', transit_gateway_attachment_id: "TRANSIT_GATEWAY_ATTACHMENT_ID") do + its('state') { should eq 'enabled' } +end +``` + +## Matchers + +{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}} + +This resource has the following special matchers. + +### exist + +Use `should` to test that the entity exists. + +```ruby +describe aws_ec2_transit_gateway_route_table_propagation(transit_gateway_route_table_id: 'TRANSIT_GATEWAY_ROUTE_TABLE_ID', transit_gateway_attachment_id: "TRANSIT_GATEWAY_ATTACHMENT_ID") do + it { should exist } +end +``` + +Use `should_not` to test the entity does not exist. + +```ruby +describe aws_ec2_transit_gateway_route_table_propagation(transit_gateway_route_table_id: 'TRANSIT_GATEWAY_ROUTE_TABLE_ID') do + it { should_not exist } +end +``` + +### be_available + +Use `should` to check if the entity is available. + +```ruby +describe aws_ec2_transit_gateway_route_table_propagation(transit_gateway_route_table_id: 'TRANSIT_GATEWAY_ROUTE_TABLE_ID', transit_gateway_attachment_id: "TRANSIT_GATEWAY_ATTACHMENT_ID") do + it { should be_available } +end +``` + +## AWS Permissions + +{{% inspec-aws/aws_permissions_principal action="EC2:Client:GetTransitGatewayRouteTablePropagationsResult" %}} 
diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_ec2_transit_gateway_route_table_propagations.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_ec2_transit_gateway_route_table_propagations.md new file mode 100644 index 0000000..67b52a8 --- /dev/null +++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_ec2_transit_gateway_route_table_propagations.md 
@@ -0,0 +1,111 @@ ++++ +title = "aws_ec2_transit_gateway_route_table_propagations resource" + +draft = false + + +[menu.aws] +title = "aws_ec2_transit_gateway_route_table_propagations" +identifier = "inspec/resources/aws/aws_ec2_transit_gateway_route_table_propagations resource" +parent = "inspec/resources/aws" ++++ + +Use the `aws_ec2_transit_gateway_route_table_propagations` InSpec audit resource to test properties of multiple propagation routes between Transit Gateway attachments and a Transit Gateway route table. + +The `AWS::EC2::TransitGatewayRouteTablePropagation` resource enables the specified attachment to propagate routes to the specified propagation route table. + +For additional information, including details on parameters and properties, see the [AWS documentation on AWS EC2 TransitGatewayRouteTablePropagation](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ec2-transitgatewayroutetablepropagation.html). + +## Syntax + +Ensure that a Transit Gateway route table id exists. + +```ruby +describe aws_ec2_transit_gateway_route_table_propagations(transit_gateway_route_table_id: 'TRANSIT_GATEWAY_ROUTE_TABLE_ID') do + it { should exist } +end +``` + +## Parameters + +`transit_gateway_route_table_id` _(required)_ + +: The ID of the Transit Gateway route table. + +## Properties + +`transit_gateway_attachment_ids` +: A list of the attachment IDs. + +: **Field**: `transit_gateway_attachment_id` + +`resource_ids` +: A list of the resource IDs. + +: **Field**: `resource_id` + +`resource_types` +: A list of the resource types. + +: **Field**: `resource_type` + +`states` +: A list of the resource states. 
+ +: **Field**: `state` + +## Examples + +Ensure that a Transit Gateway attachment ID is available: + +```ruby +describe aws_ec2_transit_gateway_route_table_propagations(transit_gateway_route_table_id: 'TRANSIT_GATEWAY_ROUTE_TABLE_ID') do + its('transit_gateway_attachment_ids') { should include 'TRANSIT_GATEWAY_ROUTE_TABLE_ID' } +end +``` + +Ensure that a propagation route is `enabled`: + +```ruby +describe aws_ec2_transit_gateway_route_table_propagations(transit_gateway_route_table_id: 'TRANSIT_GATEWAY_ROUTE_TABLE_ID') do + its('states') { should include 'enabled' } +end +``` + +## Matchers + +{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}} + +This resource has the following special matchers. + +### exist + +Use `should` to test that an entity exists. + +```ruby +describe aws_ec2_transit_gateway_route_table_propagations(transit_gateway_route_table_id: 'TRANSIT_GATEWAY_ROUTE_TABLE_ID') do + it { should exist } +end +``` + +Use `should_not` to test an entity does not exist. + +```ruby +describe aws_ec2_transit_gateway_route_table_propagations(transit_gateway_route_table_id: 'TRANSIT_GATEWAY_ROUTE_TABLE_ID') do + it { should_not exist } +end +``` + +### be_available + +Use `should` to check if an entity is available. + +```ruby +describe aws_ec2_transit_gateway_route_table_propagations(transit_gateway_route_table_id: 'TRANSIT_GATEWAY_ROUTE_TABLE_ID') do + it { should be_available } +end +``` + +## AWS Permissions + +{{% inspec-aws/aws_permissions_principal action="EC2:Client:GetTransitGatewayRouteTablePropagationsResult" %}} diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_ec2_transit_gateway_route_tables.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_ec2_transit_gateway_route_tables.md new file mode 100644 index 0000000..9fa0240 --- /dev/null +++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_ec2_transit_gateway_route_tables.md 
@@ -0,0 +1,112 @@ ++++ +title = "aws_ec2_transit_gateway_route_tables resource" + +draft = false + + +[menu.aws] +title = "aws_ec2_transit_gateway_route_tables" +identifier = "inspec/resources/aws/aws_ec2_transit_gateway_route_tables resource" +parent = "inspec/resources/aws" ++++ + +Use the `aws_ec2_transit_gateway_route_tables` InSpec audit resource to test properties of some or all Transit Gateway route tables. + +This resource does not expect any parameters. + +For additional information, including details on parameters and properties, see the [AWS documentation on Transit Gateway route tables](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ec2-transitgatewayroutetable.html). + +## Syntax + +Verify that a Transit Gateway route table ID exists. + +```ruby +describe aws_ec2_transit_gateway_route_tables do + it { should exist } +end +``` + +An `aws_ec2_transit_gateway_route_tables` resource block uses an optional filter to select a group of Elastic IPs and then test that group. + +## Parameters + +This resource does not require any parameters. + +## Properties + +`transit_gateway_route_table_ids` +: The ID of the Transit Gateway route table. + +`transit_gateway_ids` +: The ID of the Transit Gateway. + +`states` +: The state of the route table. Relevant values are: `available`, `deleting`, `deleted`, and `pending`. + +`default_association_route_tables` +: Indicates whether this is the default association route table for the Transit Gateway. Default values are `true` and `false`. + +`default_propagation_route_tables` +: Indicates whether this is the default propagation route table for the Transit Gateway. Default values are `true` and `false`. + +`creation_times` +: The creation time of the Transit Gateway route table. + +`tags` +: The tags of the Transit Gateway route table. 
+ +## Examples + +Ensure a Transit Gateway route table has route table ID: + +```ruby +describe aws_ec2_transit_gateway_route_tables do + it { should exist } +end +``` + +Match count of Transit Gateway route table: + +```ruby +describe aws_ec2_transit_gateway_route_tables do + its('count') { should eq 5 } +end +``` + +Check State whether it is available or not: + +```ruby +describe aws_ec2_transit_gateway_route_tables do + its('states') { should include "available" } +end +``` + +## Matchers + +{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}} + +This resource has the following special matchers. + +### exist + +The control will pass if the describe returns at least one result. + +```ruby +describe aws_ec2_transit_gateway_route_tables do + it { should exist } +end +``` + +Use `should_not` to test an entity that should not exist. + +```ruby +describe aws_ec2_transit_gateway_route_tables do + it { should_not exist } +end +``` + +## AWS Permissions + +{{% inspec-aws/aws_permissions_principal action="EC2:Client:DescribeTransitGatewayRouteTablesResult" %}} + +You can find detailed documentation at [Actions, Resources, and Condition Keys for Amazon EC2](https://docs.aws.amazon.com/IAM/latest/UserGuide/list_amazonec2.html). diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_ec2_volume_attachment.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_ec2_volume_attachment.md new file mode 100644 index 0000000..d5dba92 --- /dev/null +++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_ec2_volume_attachment.md 
@@ -0,0 +1,109 @@
++++
+title = "aws_ec2_volume_attachment resource"
+
+draft = false
+
+
+[menu.aws]
+title = "aws_ec2_volume_attachment"
+identifier = "inspec/resources/aws/aws_ec2_volume_attachment resource"
+parent = "inspec/resources/aws"
++++
+
+Use the `aws_ec2_volume_attachment` InSpec audit resource to test properties of a single specific AWS EC2 volume attachment.
+
+The `AWS::EC2::VolumeAttachment` resource attaches an Amazon EBS volume to a running instance and exposes it to the instance with the specified device name.
+
+For additional information, including details on parameters and properties, see the [AWS documentation on AWS EC2 Volume Attachment](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-ebs-volumeattachment.html).
+
+## Syntax
+
+Ensure that volume attachment exists.
+
+```ruby
+describe aws_ec2_volume_attachment(volume_id: 'VOLUME_ID') do
+ it { should exist }
+end
+```
+
+## Parameters
+
+`volume_id` _(required)_
+
+: The volume ID.
+
+## Properties
+
+`attach_time`
+: The time stamp when the attachment initiated.
+
+`device`
+: The device name.
+
+`instance_id`
+: The ID of the instance.
+
+`state`
+: The attachment state of the volume.
+
+`volume_id`
+: The ID of the volume.
+
+`delete_on_termination`
+: Indicates whether the EBS volume is deleted on instance termination.
+
+## Examples
+
+Ensure a device is available:
+
+```ruby
+describe aws_ec2_volume_attachment(volume_id: 'VOLUME_ID') do
+ its('device') { should eq '/dev/sdf' }
+end
+```
+
+Ensure that the state is `available`:
+
+```ruby
+describe aws_ec2_volume_attachment(volume_id: 'VOLUME_ID') do
+ its('state') { should eq 'available' }
+end
+```
+
+## Matchers
+
+{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}}
+
+The controls will pass if the `describe` method returns at least one result.
+
+### exist
+
+Use `should` to test that the entity exists.
+
+```ruby
+describe aws_ec2_volume_attachment(volume_id: 'VOLUME_ID') do
+ it { should exist }
+end
+```
+
+Use `should_not` to test the entity does not exist.
+
+```ruby
+describe aws_ec2_volume_attachment(volume_id: 'dummy') do
+ it { should_not exist }
+end
+```
+
+### be_available
+
+Use `should` to check if the entity is available.
+
+```ruby
+describe aws_ec2_volume_attachment(volume_id: 'VOLUME_ID') do
+ it { should be_available }
+end
+```
+
+## AWS Permissions
+
+{{% inspec-aws/aws_permissions_principal action="EC2:Client:DescribeVolumesResult" %}}
diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_ec2_volume_attachments.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_ec2_volume_attachments.md
new file mode 100644
index 0000000..47c802d
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_ec2_volume_attachments.md
@@ -0,0 +1,109 @@
++++
+title = "aws_ec2_volume_attachments resource"
+
+draft = false
+
+
+[menu.aws]
+title = "aws_ec2_volume_attachments"
+identifier = "inspec/resources/aws/aws_ec2_volume_attachments resource"
+parent = "inspec/resources/aws"
++++
+
+Use the `aws_ec2_volume_attachments` InSpec audit resource to test properties of multiple AWS EC2 volume attachments.
+
+The `AWS::EC2::VolumeAttachment` resource attaches an Amazon EBS volume to a running instance and exposes it to the instance with the specified device name.
+
+For additional information, including details on parameters and properties, see the [AWS documentation on AWS EC2 Volume Attachment](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-ebs-volumeattachment.html).
+
+## Syntax
+
+Ensure that volume attachment exists.
+
+```ruby
+describe aws_ec2_volume_attachments do
+ it { should exist }
+end
+```
+
+## Parameters
+
+This resource does not require any parameters.
+
+## Properties
+
+`attach_times`
+: The time stamp when the attachment initiated.
+
+: **Field**: `attach_time`
+
+`devices`
+: The device name.
+
+: **Field**: `device`
+
+`instance_ids`
+: The ID of the instance.
+
+: **Field**: `instance_id`
+
+`states`
+: The attachment state of the volume.
+
+: **Field**: `state`
+
+`volume_ids`
+: The ID of the volume.
+
+: **Field**: `volume_id`
+
+`delete_on_terminations`
+: Indicates whether the EBS volume is deleted on instance termination.
+
+: **Field**: `delete_on_termination`
+
+## Examples
+
+Ensure a device is available:
+
+```ruby
+describe aws_ec2_volume_attachments do
+ its('devices') { should include '/dev/sdf' }
+end
+```
+
+Ensure that the state is `available`:
+
+```ruby
+describe aws_ec2_volume_attachments do
+ its('states') { should include 'available' }
+end
+```
+
+## Matchers
+
+{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}}
+
+The controls will pass if the `describe` method returns at least one result.
+
+### exist
+
+Use `should` to test that the entity exists.
+
+```ruby
+describe aws_ec2_volume_attachments do
+ it { should exist }
+end
+```
+
+Use `should_not` to test the entity does not exist.
+
+```ruby
+describe aws_ec2_volume_attachments do
+ it { should_not exist }
+end
+```
+
+## AWS Permissions
+
+{{% inspec-aws/aws_permissions_principal action="EC2:Client:DescribeVolumesResult" %}}
diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_ec2_vpc_peering_connection.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_ec2_vpc_peering_connection.md
new file mode 100644
index 0000000..5313c7c
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_ec2_vpc_peering_connection.md
@@ -0,0 +1,226 @@
++++
+title = "aws_ec2_vpc_peering_connection resource"
+
+draft = false
+
+
+[menu.aws]
+title = "aws_ec2_vpc_peering_connection"
+identifier = "inspec/resources/aws/aws_ec2_vpc_peering_connection resource"
+parent = "inspec/resources/aws"
++++
+
+Use the `aws_ec2_vpc_peering_connection` InSpec audit resource to test properties of a single specific AWS EC2 VPC Peering Connection.
+
+The AWS::EC2::VPCPeeringConnection resource requests a VPC peering connection between two VPCs: a requester VPC that you own and an accepter VPC with which to create the connection.
+
+For additional information, including details on parameters and properties, see the [AWS documentation on AWS EC2 VPC Peering Connection.](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ec2-vpcpeeringconnection.html).
+
+## Syntax
+
+Ensure that VPC Peering Connection ID exists.
+
+```ruby
+describe aws_ec2_vpc_peering_connection(vpc_peering_connection_id: 'VPCPeeringConnectionID') do
+ it { should exist }
+end
+```
+
+## Parameters
+
+`vpc_peering_connection_id` _(required)_
+
+: The ID of the VPC peering connection.
+
+## Properties
+
+`accepter_vpc_info.cidr_block`
+: The IPv4 CIDR block for the VPC.
+
+: **Field**: `accepter_vpc_info.cidr_block`
+
+`accepter_vpc_info.ipv_6_cidr_block_set`
+: The IPv6 CIDR block for the VPC.
+
+: **Field**: `accepter_vpc_info.ipv_6_cidr_block_set`
+
+`accepter_vpc_info.ipv_6_cidr_block_set.first.ipv_6_cidr_block`
+: The IPv6 CIDR block.
+
+: **Field**: `accepter_vpc_info.ipv_6_cidr_block_set[0].ipv_6_cidr_block`
+
+`accepter_vpc_info.cidr_block_set`
+: The IPv4 CIDR block for the VPC.
+
+: **Field**: `accepter_vpc_info.cidr_block_set`
+
+`accepter_vpc_info.cidr_block_set.first.cidr_block`
+: The IPv4 CIDR block.
+
+: **Field**: `accepter_vpc_info.cidr_block_set[0].cidr_block`
+
+`accepter_vpc_info.owner_id`
+: The ID of the Amazon Web Services account that owns the VPC.
+
+: **Field**: `accepter_vpc_info.owner_id`
+
+`accepter_vpc_info.peering_options.allow_dns_resolution_from_remote_vpc`
+: Indicates whether a local VPC can resolve public DNS hostnames to private IP addresses when queried from instances in a peer VPC.
+
+: **Field**: `accepter_vpc_info.peering_options.allow_dns_resolution_from_remote_vpc`
+
+`accepter_vpc_info.peering_options.allow_egress_from_local_classic_link_to_remote_vpc`
+: Indicates whether a local ClassicLink connection can communicate with the peer VPC over the VPC peering connection.
+
+: **Field**: `accepter_vpc_info.peering_options.allow_egress_from_local_classic_link_to_remote_vpc`
+
+`accepter_vpc_info.peering_options.allow_egress_from_local_vpc_to_remote_classic_link`
+: Indicates whether a local VPC can communicate with a ClassicLink connection in the peer VPC over the VPC peering connection.
+
+: **Field**: `accepter_vpc_info.peering_options.allow_egress_from_local_vpc_to_remote_classic_link`
+
+`accepter_vpc_info.vpc_id`
+: The ID of the VPC.
+
+: **Field**: `accepter_vpc_info.vpc_id`
+
+`accepter_vpc_info.region`
+: The Region in which the VPC is located.
+
+: **Field**: `accepter_vpc_info.region`
+
+`expiration_time`
+: The time that an unaccepted VPC peering connection will expire.
+
+: **Field**: `expiration_time`
+
+`requester_vpc_info.cidr_block`
+: The IPv4 CIDR block for the VPC.
+
+: **Field**: `requester_vpc_info.cidr_block`
+
+`requester_vpc_info.ipv_6_cidr_block_set`
+: The IPv6 CIDR block for the VPC.
+
+: **Field**: `requester_vpc_info.ipv_6_cidr_block_set`
+
+`requester_vpc_info.ipv_6_cidr_block_set.first.ipv_6_cidr_block`
+: The IPv6 CIDR block.
+
+: **Field**: `requester_vpc_info.ipv_6_cidr_block_set[0].ipv_6_cidr_block`
+
+`requester_vpc_info.cidr_block_set`
+: The IPv4 CIDR block for the VPC.
+
+: **Field**: `requester_vpc_info.cidr_block_set`
+
+`requester_vpc_info.cidr_block_set.first.cidr_block`
+: The IPv4 CIDR block.
+
+: **Field**: `requester_vpc_info.cidr_block_set[0].cidr_block`
+
+`requester_vpc_info.owner_id`
+: The ID of the Amazon Web Services account that owns the VPC.
+
+: **Field**: `requester_vpc_info.owner_id`
+
+`requester_vpc_info.peering_options.allow_dns_resolution_from_remote_vpc`
+: Indicates whether a local VPC can resolve public DNS hostnames to private IP addresses when queried from instances in a peer VPC.
+
+: **Field**: `requester_vpc_info.peering_options.allow_dns_resolution_from_remote_vpc`
+
+`requester_vpc_info.peering_options.allow_egress_from_local_classic_link_to_remote_vpc`
+: Indicates whether a local ClassicLink connection can communicate with the peer VPC over the VPC peering connection.
+
+: **Field**: `requester_vpc_info.peering_options.allow_egress_from_local_classic_link_to_remote_vpc`
+
+`requester_vpc_info.peering_options.allow_egress_from_local_vpc_to_remote_classic_link`
+: Indicates whether a local VPC can communicate with a ClassicLink connection in the peer VPC over the VPC peering connection.
+
+: **Field**: `requester_vpc_info.peering_options.allow_egress_from_local_vpc_to_remote_classic_link`
+
+`requester_vpc_info.vpc_id`
+: The ID of the VPC.
+
+: **Field**: `requester_vpc_info.vpc_id`
+
+`requester_vpc_info.region`
+: The Region in which the VPC is located.
+
+: **Field**: `requester_vpc_info.region`
+
+`status.code`
+: The status of the VPC peering connection.
+
+: **Field**: `status.code`
+
+`status.message`
+: A message that provides more information about the status, if applicable.
+
+: **Field**: `status.message`
+
+`tags`
+: Any tags assigned to the resource.
+
+: **Field**: `tags`
+
+`vpc_peering_connection_id`
+: The ID of the VPC peering connection.
+
+: **Field**: `vpc_peering_connection_id`
+
+## Examples
+
+Ensure a VPC Peering Connection ID is available:
+
+```ruby
+describe aws_ec2_vpc_peering_connection(vpc_peering_connection_id: 'VPCPeeringConnectionID') do
+ its('vpc_peering_connection_id') { should eq 'VPCPeeringConnectionID' }
+end
+```
+
+Ensure that the status is `available`:
+
+```ruby
+describe aws_ec2_vpc_peering_connection(vpc_peering_connection_id: 'VPCPeeringConnectionID') do
+ its('status.code') { should eq 'available' }
+end
+```
+
+## Matchers
+
+{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}}
+
+The controls will pass if the `describe` method returns at least one result.
+
+### exist
+
+Use `should` to test that the entity exists.
+
+```ruby
+describe aws_ec2_vpc_peering_connection(vpc_peering_connection_id: 'VPCPeeringConnectionID') do
+ it { should exist }
+end
+```
+
+Use `should_not` to test the entity does not exist.
+
+```ruby
+describe aws_ec2_vpc_peering_connection(vpc_peering_connection_id: 'dummy') do
+ it { should_not exist }
+end
+```
+
+### be_available
+
+Use `should` to check if the entity is available.
+
+```ruby
+describe aws_ec2_vpc_peering_connection(vpc_peering_connection_id: 'VPCPeeringConnectionID') do
+ it { should be_available }
+end
+```
+
+## AWS Permissions
+
+{{% inspec-aws/aws_permissions_principal action="EC2:Client:DescribeVpcPeeringConnectionsResult" %}}
diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_ec2_vpc_peering_connections.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_ec2_vpc_peering_connections.md
new file mode 100644
index 0000000..a6db663
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_ec2_vpc_peering_connections.md
@@ -0,0 +1,109 @@
++++
+title = "aws_ec2_vpc_peering_connections resource"
+
+draft = false
+
+
+[menu.aws]
+title = "aws_ec2_vpc_peering_connections"
+identifier = "inspec/resources/aws/aws_ec2_vpc_peering_connections resource"
+parent = "inspec/resources/aws"
++++
+
+Use the `aws_ec2_vpc_peering_connections` InSpec audit resource to test properties of a plural AWS EC2 Network Interface Attachment.
+
+The AWS::EC2::VPCPeeringConnection resource requests a VPC peering connection between two VPCs: a requester VPC that you own and an accepter VPC with which to create the connection.
+
+For additional information, including details on parameters and properties, see the [AWS documentation on AWS EC2 VPC Peering Connection.](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ec2-vpcpeeringconnection.html).
+
+## Syntax
+
+Ensure that VPC Peering Connection ID exists.
+
+```ruby
+describe aws_ec2_vpc_peering_connections do
+ it { should exist }
+end
+```
+
+## Parameters
+
+This resource does not require any parameters.
+
+## Properties
+
+`accepter_vpc_infos`
+: Information about the accepter VPC. CIDR block information is only returned when describing an active VPC peering connection.
+
+: **Field**: `accepter_vpc_info`
+
+`expiration_times`
+: The time that an unaccepted VPC peering connection will expire.
+
+: **Field**: `expiration_time`
+
+`requester_vpc_infos`
+: Information about the requester VPC. CIDR block information is only returned when describing an active VPC peering connection.
+
+: **Field**: `requester_vpc_info`
+
+`statuses`
+: The status of the VPC peering connection.
+
+: **Field**: `status`
+
+`tags`
+: Any tags assigned to the resource.
+
+: **Field**: `tags`
+
+`vpc_peering_connection_ids`
+: The ID of the VPC peering connection.
+
+: **Field**: `vpc_peering_connection_id`
+
+## Examples
+
+Ensure a VPC Peering Connection ID is available:
+
+```ruby
+describe aws_ec2_vpc_peering_connections do
+ its('vpc_peering_connection_ids') { should include 'VPCPeeringConnectionID' }
+end
+```
+
+Ensure that the status is `available`:
+
+```ruby
+describe aws_ec2_vpc_peering_connections do
+ its('statuses') { should_not be_empty }
+end
+```
+
+## Matchers
+
+{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}}
+
+The controls will pass if the `describe` method returns at least one result.
+
+### exist
+
+Use `should` to test that the entity exists.
+
+```ruby
+describe aws_ec2_vpc_peering_connections do
+ it { should exist }
+end
+```
+
+Use `should_not` to test the entity does not exist.
+
+```ruby
+describe aws_ec2_vpc_peering_connections do
+ it { should_not exist }
+end
+```
+
+## AWS Permissions
+
+{{% inspec-aws/aws_permissions_principal action="EC2:Client:DescribeVpcPeeringConnectionsResult" %}}
diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_ec2_vpn_connection_routes.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_ec2_vpn_connection_routes.md
new file mode 100644
index 0000000..903dbce
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_ec2_vpn_connection_routes.md
@@ -0,0 +1,96 @@
++++
+title = "aws_ec2_vpn_connection_routes resource"
+
+draft = false
+
+
+[menu.aws]
+title = "aws_ec2_vpn_connection_routes"
+identifier = "inspec/resources/aws/aws_ec2_vpn_connection_routes resource"
+parent = "inspec/resources/aws"
++++
+
+Use the `aws_ec2_vpn_connection_routes` InSpec audit resource to test properties of multiple AWS EC2 VPN connection routes.
+
+The `AWS::EC2::VPNConnectionRoute` resource specifies a static route for a VPN connection between an existing virtual private gateway and a VPN customer gateway. The static route allows traffic to be routed from the virtual private gateway to the VPN customer gateway.
+
+For additional information, including details on parameters and properties, see the [AWS documentation on AWS EC2 VPN Connection Route.](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ec2-vpn-connection-route.html).
+
+## Syntax
+
+Ensure that VPN Connection ID exists.
+
+```ruby
+describe aws_ec2_vpn_connection_routes(vpn_connection_id: 'VPN_CONNECTION_ID') do
+ it { should exist }
+end
+```
+
+## Parameters
+
+`vpn_connection_id` _(required)_
+
+: The ID of the VPN Connection.
+
+## Properties
+
+`destination_cidr_blocks`
+: The CIDR block associated with the local subnet of the customer data center.
+
+: **Field**: `destination_cidr_block`
+
+`sources`
+: Indicates how the routes were provided.
+
+: **Field**: `source`
+
+`states`
+: The current state of the static route.
+
+: **Field**: `state`
+
+## Examples
+
+Ensure a destination CIDR block is available:
+
+```ruby
+describe aws_ec2_vpn_connection_routes(vpn_connection_id: 'VPN_CONNECTION_ID') do
+ its('destination_cidr_blocks') { should eq [['CIDR_BLOCK']] }
+end
+```
+
+Ensure that a VPN connection route is `available`:
+
+```ruby
+describe aws_ec2_vpn_connection_routes(vpn_connection_id: 'VPN_CONNECTION_ID') do
+ its('states') { should eq [['available']] }
+end
+```
+
+## Matchers
+
+{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}}
+
+The controls will pass if the `describe` method returns at least one result.
+
+### exist
+
+Use `should` to test that the entity exists.
+
+```ruby
+describe aws_ec2_vpn_connection_routes(vpn_connection_id: 'VPN_CONNECTION_ID') do
+ it { should exist }
+end
+```
+
+Use `should_not` to test the entity does not exist.
+
+```ruby
+describe aws_ec2_vpn_connection_routes(vpn_connection_id: 'VPN_CONNECTION_ID') do
+ it { should_not exist }
+end
+```
+
+## AWS Permissions
+
+{{% inspec-aws/aws_permissions_principal action="EC2:Client:DescribeVpnConnectionsResult" %}}
diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_ec2_vpn_gateway_route_propagation.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_ec2_vpn_gateway_route_propagation.md
new file mode 100644
index 0000000..20d2872
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_ec2_vpn_gateway_route_propagation.md
@@ -0,0 +1,97 @@
++++
+title = "aws_ec2_vpn_gateway_route_propagation resource"
+
+draft = false
+
+
+[menu.aws]
+title = "aws_ec2_vpn_gateway_route_propagation"
+identifier = "inspec/resources/aws/aws_ec2_vpn_gateway_route_propagation resource"
+parent = "inspec/resources/aws"
++++
+
+Use the `aws_ec2_vpn_gateway_route_propagation` InSpec audit resource to test if a virtual private gateway can propagate routes to a single AWS EC2 route table.
+
+The `AWS::EC2::TransitGatewayRouteTablePropagation` resource enables a virtual private gateway (VGW) to propagate routes to the specified route table of a VPC.
+
+For additional information, including details on parameters and properties, see the [AWS documentation on AWS EC2 VPNGatewayRoutePropagation](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ec2-vpn-gatewayrouteprop.html).
+
+## Syntax
+
+Ensure that a route table ID exists.
+
+```ruby
+describe aws_ec2_vpn_gateway_route_propagation(route_table_id: 'ROUTE_TABLE_ID') do
+ it { should exist }
+end
+```
+
+## Parameters
+
+`transit_gateway_route_table_id` _(required)_
+
+: The ID of the route table.
+
+## Properties
+
+`vpn_gateway_id`
+: The ID of the virtual private gateway.
+
+`route_table_id`
+: The ID of the route table.
+
+## Examples
+
+Ensure a VPN gateway ID is available:
+
+```ruby
+describe aws_ec2_vpn_gateway_route_propagation(route_table_id: 'ROUTE_TABLE_ID') do
+ its('vpn_gateway_id') { should eq 'VPN_GATEWAY_ID' }
+end
+```
+
+Ensure a route table ID is available:
+
+```ruby
+describe aws_ec2_vpn_gateway_route_propagation(route_table_id: 'ROUTE_TABLE_ID') do
+ its('route_table_id') { should eq 'ROUTE_TABLE_ID' }
+end
+```
+
+## Matchers
+
+{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}}
+
+The controls will pass if the `describe` method returns at least one result.
+
+### exist
+
+Use `should` to test that the entity exists.
+
+```ruby
+describe aws_ec2_vpn_gateway_route_propagation(route_table_id: 'ROUTE_TABLE_ID') do
+ it { should exist }
+end
+```
+
+Use `should_not` to test the entity does not exist.
+
+```ruby
+describe aws_ec2_vpn_gateway_route_propagation(route_table_id: 'ROUTE_TABLE_ID') do
+ it { should_not exist }
+end
+```
+
+### be_available
+
+Use `should` to check if the entity is available.
+
+```ruby
+describe aws_ec2_vpn_gateway_route_propagation(route_table_id: 'ROUTE_TABLE_ID') do
+ it { should be_available }
+end
+```
+
+## AWS Permissions
+
+{{% inspec-aws/aws_permissions_principal action="EC2:Client:DescribeRouteTablesResult" %}}
diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_ec2_vpn_gateway_route_propagations.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_ec2_vpn_gateway_route_propagations.md
new file mode 100644
index 0000000..7e67704
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_ec2_vpn_gateway_route_propagations.md
@@ -0,0 +1,99 @@
++++
+title = "aws_ec2_vpn_gateway_route_propagations resource"
+
+draft = false
+
+
+[menu.aws]
+title = "aws_ec2_vpn_gateway_route_propagations"
+identifier = "inspec/resources/aws/aws_ec2_vpn_gateway_route_propagations resource"
+parent = "inspec/resources/aws"
++++
+
+Use the `aws_ec2_vpn_gateway_route_propagations` InSpec audit resource to test if virtual private gateways can propagate routes to multiple AWS EC2 route tables.
+
+The `AWS::EC2::VPNGatewayRoutePropagation` resource enables a virtual private gateway (VGW) to propagate routes to the specified route table of a VPC.
+
+For additional information, including details on parameters and properties, see the [AWS documentation on AWS EC2 VPNGatewayRoutePropagation](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ec2-vpn-gatewayrouteprop.html).
+
+## Syntax
+
+Ensure that a route table exists.
+
+```ruby
+describe aws_ec2_vpn_gateway_route_propagations do
+ it { should exist }
+end
+```
+
+## Parameters
+
+This resource does not require any parameters.
+
+## Properties
+
+`route_table_ids`
+: The ID of the route table.
+
+: **Field**: `route_table_id`
+
+`propagating_vgws_gateway_ids`
+: The ID of the virtual private gateway.
+
+: **Field**: `propagating_vgws_gateway_ids`
+
+## Examples
+
+Ensure a VPN gateway ID is available:
+
+```ruby
+describe aws_ec2_vpn_gateway_route_propagations do
+ its('propagating_vgws_gateway_ids') { should include 'VPN_GATEWAY_ID' }
+end
+```
+
+Ensure a route table ID is available:
+
+```ruby
+describe aws_ec2_vpn_gateway_route_propagations do
+ its('route_table_ids') { should include 'ROUTE_TABLE_ID' }
+end
+```
+
+## Matchers
+
+{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}}
+
+The controls will pass if the `describe` method returns at least one result.
+
+### exist
+
+Use `should` to test that the entity exists.
+
+```ruby
+describe aws_ec2_vpn_gateway_route_propagations do
+ it { should exist }
+end
+```
+
+Use `should_not` to test the entity does not exist.
+
+```ruby
+describe aws_ec2_vpn_gateway_route_propagations do
+ it { should_not exist }
+end
+```
+
+### be_available
+
+Use `should` to check if the entity is available.
+
+```ruby
+describe aws_ec2_vpn_gateway_route_propagations do
+ it { should be_available }
+end
+```
+
+## AWS Permissions
+
+{{% inspec-aws/aws_permissions_principal action="EC2:Client:DescribeRouteTablesResult" %}}
diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_ecr.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_ecr.md
new file mode 100644
index 0000000..bd3c8e5
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_ecr.md
@@ -0,0 +1,106 @@
++++
+title = "aws_ecr resource"
+
+draft = false
+
+
+[menu.aws]
+title = "aws_ecr"
+identifier = "inspec/resources/aws/aws_ecr resource"
+parent = "inspec/resources/aws"
++++
+
+> WARNING: **This resource is deprecated. Please use one of the following resources instead:
+
+- `aws_ecr_image`
+- `aws_ecr_images`
+- `aws_ecr_repository`
+- `aws_ecr_repositories`
+
+Use the `aws_ecr` InSpec audit resource to test properties of a single AWS Elastic Container Registry.
+
+## Syntax
+
+An `aws_ecr` resource block declares the tests for a single AWS ECR by repository name.
+
+```ruby
+describe aws_ecr(repository_name: aws_ecr_name) do
+ it { should exist }
+ its ('repository_name') { should eq aws_ecr_name }
+end
+```
+
+## Parameters
+
+The ECR repository_name must be provided.
+
+`repository_name` _(required)_
+
+: The name of the repository
+ This can be passed either as a string or as an `repository_name: 'value'` key-value entry in a hash.
+
+## Properties
+
+`registry_id`
+: The AWS account ID associated with the registry.
+
+`repository_arn`
+: The Amazon Resource Name of the repository.
+
+`repository_name`
+: The name of the repository.
+
+`repository_uri`
+: The uri of the repository.
+
+`image_tags`
+: The tags associated with the image.
+
+`image_digest`
+: A sha256 hash of the image.
+
+`image_size_in_bytes`
+: The size of the image in bytes.
+
+`image_pushed_at`
+: The datetime as a string when the image was uploaded. 'yyyy-mm-dd hh:mm:ss tz'.
+
+`image_uploaded_date`
+: The date as a string when the image was uploaded. 'yyyy-mm-dd'.
+
+## Examples
+
+Test that an ECR has the correct image properties:
+
+```ruby
+describe aws_ecr(repository_name: aws_ecr_name).images do
+ its ('image_tags') { should include 'latest'}
+ its ('image_digest') { should eq 'sha256:6dce4a9c1635c4c9b6a2b645e6613fa0238182fe13929808ee2258370d0f3497'}
+ its ('image_size_in_bytes') { should eq 764234}
+ its ('image_uploaded_date') { should eq '2019-06-11'}
+ its ('image_pushed_at') { should eq '2019-06-11 15:08:29 +0100'}
+end
+```
+
+## Matchers
+
+{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}}
+
+This resource has the following special matchers.
+
+### exist
+
+The control will pass if the describe returns at least one result.
+
+Use `should_not` to test the entity should not exist.
+
+```ruby
+it { should exist }
+it { should_not exist }
+```
+
+## AWS Permissions
+
+Your [Principal](https://docs.aws.amazon.com/IAM/latest/UserGuide/intro-structure.html#intro-structure-principal) will need the `ECR:Client:DescribeRepositoriesResponse` and `ECR:Client:DescribeImagesResponse` actions set to allow..
+
+You can find detailed documentation at [Actions, Resources, and Condition Keys for Amazon ECR](https://docs.aws.amazon.com/IAM/latest/UserGuide/list_amazonelasticcontainerregistry.html), and [Actions, Resources, and Condition Keys for Identity And Access Management](https://docs.aws.amazon.com/IAM/latest/UserGuide/list_identityandaccessmanagement.html).
diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_ecr_image.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_ecr_image.md
new file mode 100644
index 0000000..315fe60
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_ecr_image.md
@@ -0,0 +1,126 @@
++++
+title = "aws_ecr_image resource"
+
+draft = false
+
+
+[menu.aws]
+title = "aws_ecr_image"
+identifier = "inspec/resources/aws/aws_ecr_image resource"
+parent = "inspec/resources/aws"
++++
+
+Use the `aws_ecr_image` InSpec audit resource to test the properties of a single image in an AWS Elastic Container Registry (ECR) repository.
+This resource is available in InSpec AWS resource pack version **[1.11.0](https://github.com/inspec/inspec-aws/releases/tag/v1.11.0)** onwards.
+
+## Syntax
+
+An `aws_ecr_image` resource block declares the tests for a single image in an AWS ECR repository by repository name and image identifier.
+
+```ruby
+describe aws_ecr_image(repository_name: 'my-repo', image_tag: 'latest') do
+ it { should exist }
+end
+```
+
+## Parameters
+
+The repository name and the image identifier (either `image_tag` or `image_digest`) must be provided. The ID of the registry is optional.
+
+`repository_name` _(required)_
+
+: The name of the ECR repository must satisfy the following constraints:
+
+- Regex pattern `(?:[a-z0-9]+(?:[._-][a-z0-9]+)*/)*[a-z0-9]+(?:[._-][a-z0-9]+)*`.
+- Minimum 2 and maximum of 256 characters long.
+
+`image_tag` _(required if `image_digest` not provided)_
+
+: The tag used for the image. It can not be longer than 300 characters.
+
+`image_digest` _(required if `image_tag` not provided)_
+
+: The `sha256` digest of the image manifest. It must satisfy this regex pattern: `[a-zA-Z0-9-_+.]+:[a-fA-F0-9]+`.
+
+`registry_id` _(optional)_
+
+: The 12-digit ID of the AWS Elastic Container Registry. If not provided, the [default](https://docs.aws.amazon.com/AmazonECR/latest/APIReference/API_DescribeRepositories.html) registry is assumed.
+
+## Properties
+
+`repository_name`
+: The name of the repository.
+
+`registry_id`
+: The AWS account ID associated with the registry that contains the repository.
+
+`tags`
+: The list of tags associated with this image.
+
+`vulnerability_severity_counts`
+: The image vulnerability counts, sorted by severity, e.g. `{:high=>1}`.
+
+`vulnerabilities`
+: A list of hashes with each key-value pair corresponding to an image [scan findings](https://docs.aws.amazon.com/AmazonECR/latest/APIReference/API_ImageScanFinding.html). E.g. `{:name=>"CVE-2019-14697", :uri=>"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14697", :severity=>"HIGH", :package_version=>"1.1.18-r3", :package_name=>"musl", :CVSS2_VECTOR=>"AV:N/AC:L/Au:N/C:P/I:P/A:P", :CVSS2_SCORE=>"7.5"}`.
+
+`cve_ids`
+: The list of [CVE IDs](https://cve.mitre.org/cve/identifiers/) of the vulnerabilities in the image.
+
+`highest_vulnerability_severity`
+: The [CVSS v2](https://www.first.org/cvss/v2/guide) score of the most severe vulnerability in the image.
+
+There are also additional properties available. For a comprehensive list, see [the API reference documentation](https://docs.aws.amazon.com/AmazonECR/latest/APIReference/API_ImageDetail.html)
+
+## Examples
+
+Test the scan status of an image:
+
+```ruby
+describe aws_ecr_image(repository_name: 'my-repo', image_tag: 'latest') do
+ its('image_scan_status.status') { should eq 'COMPLETE' }
+end
+```
+
+Test that an image has a certain tag:
+
+```ruby
+describe aws_ecr_image(repository_name: 'my-repo', image_digest: 'sha256:687fba9b76554c8dea4c40fed4144011f29b8e1d5db5f2fc976c64ed31894967') do
+ its('tags') { should include('latest') }
+end
+```
+
+Test that an image does not contain the [Heartbleed](https://heartbleed.com/) vulnerability:
+
+```ruby
+describe aws_ecr_image(repository_name: 'my-repo', image_tag: 'latest') do
+ its('cve_ids') { should_not include('CVE-2014-0160') }
+end
+```
+
+Test that an image does not contain a vulnerability more severe than CVSS v2 score 8:
+
+```ruby
+describe aws_ecr_image(repository_name: 'my-repo', image_tag: 'latest') do
+ its('highest_vulnerability_severity') { should be <= 8 }
+end
+```
+
+## Matchers
+
+{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}}
+
+This resource has the following special matchers.
+
+### exist
+
+```ruby
+describe aws_ecr_image(repository_name: 'my-repo', image_tag: 'latest') do
+ it { should exist }
+end
+```
+
+## AWS Permissions
+
+Your [Principal](https://docs.aws.amazon.com/IAM/latest/UserGuide/intro-structure.html#intro-structure-principal) will need the `ECR:Client:DescribeImagesResponse` and `ECR:Client:DescribeImageScanFindingsResponse` actions set to allow.
+
+You can find detailed documentation at [Actions, Resources, and Condition Keys for Amazon ECR](https://docs.aws.amazon.com/AmazonECR/latest/APIReference/API_Operations.html), and [Actions, Resources, and Condition Keys for Identity And Access Management](https://docs.aws.amazon.com/IAM/latest/UserGuide/list_identityandaccessmanagement.html).
diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_ecr_images.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_ecr_images.md
new file mode 100644
index 0000000..a82c998
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_ecr_images.md
@@ -0,0 +1,121 @@
++++
+title = "aws_ecr_images resource"
+
+draft = false
+
+
+[menu.aws]
+title = "aws_ecr_images"
+identifier = "inspec/resources/aws/aws_ecr_images resource"
+parent = "inspec/resources/aws"
++++
+
+Use the `aws_ecr_images` InSpec audit resource to test the properties of all images in an AWS Elastic Container Registry (ECR) repository.
+This resource is available in InSpec AWS resource pack version **[1.11.0](https://github.com/inspec/inspec-aws/releases/tag/v1.11.0)** onwards.
+
+## Syntax
+
+An `aws_ecr_images` resource block declares the tests for all images in an AWS ECR repository by the repository name.
+
+```ruby
+describe aws_ecr_images(repository_name: 'my-repo') do
+ it { should exist }
+end
+```
+
+## Parameters
+
+The repository name must be provided. The ID of the registry is optional.
+
+`repository_name` _(required)_
+
+: The name of the ECR repository must satisfy the following constraints:
+
+- Regex pattern `(?:[a-z0-9]+(?:[._-][a-z0-9]+)*/)*[a-z0-9]+(?:[._-][a-z0-9]+)*`.
+- Minimum 2 and maximum of 256 characters long.
+
+`registry_id` _(optional)_
+
+: The 12-digit ID of the AWS Elastic Container Registry. If not provided, the [default](https://docs.aws.amazon.com/AmazonECR/latest/APIReference/API_DescribeRepositories.html) registry is assumed.
+
+## Properties
+
+`digests`
+: The sha256 digest of the image manifest.
+
+: **Field**: `digest`
+
+`size_in_bytes`
+: The size, in bytes, of the image in the repository.
+
+: **Field**: `digest`
+
+`tags`
+: The list of tags associated with an image.
+
+: **Field**: `tags`
+
+`vulnerability_severity_counts`
+: The image vulnerability counts, sorted by severity.
+
+: **Field**: `tags`
+
+`vulnerability_scan_status`
+: The current state of the scan. It returns an [image scan status object](https://docs.aws.amazon.com/AmazonECR/latest/APIReference/API_ImageScanStatus.html).
+
+: **Field**: `tags`
+
+`pushed_at_dates`
+: The date and time at which an image was pushed to the repository. 
+
+: **Field**: `pushed_at_date`
+
+## Examples
+
+Ensure that there are exactly 3 images:
+
+```ruby
+describe aws_ecr_images(repository_name: 'my-repo') do
+ its('count') { should cmp 3 }
+end
+```
+
+Use this InSpec resource to request the digests of all images, then test in-depth using `aws_ecr_image`:
+
+```ruby
+aws_ecr_images(repository_name: 'my-repo').digests.each do |image_digest|
+ describe aws_ecr_image(repository_name: 'my-repo', image_digest: image_digest) do
+ its('tags') { should include('latest') }
+ end
+end
+```
+
+## Matchers
+
+{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}}
+
+This resource has the following special matchers.
+
+### exist
+
+The control will pass if the describe returns at least one result.
+
+Use `should_not` to test the entity should not exist.
+
+```ruby
+describe aws_ecr_images(repository_name: 'my-repo').where( : ) do
+ it { should exist }
+end
+```
+
+```ruby
+describe aws_ecr_images(repository_name: 'my-repo').where( : ) do
+ it { should_not exist }
+end
+```
+
+## AWS Permissions
+
+{{% inspec-aws/aws_permissions_principal action="ECR:Client:DescribeImagesResponse" %}}
+
+You can find detailed documentation at [Actions, Resources, and Condition Keys for Amazon ECR](https://docs.aws.amazon.com/AmazonECR/latest/APIReference/API_Operations.html), and [Actions, Resources, and Condition Keys for Identity And Access Management](https://docs.aws.amazon.com/IAM/latest/UserGuide/list_identityandaccessmanagement.html).
diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_ecr_repositories.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_ecr_repositories.md
new file mode 100644
index 0000000..a458f1c
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_ecr_repositories.md
@@ -0,0 +1,108 @@
++++
+title = "aws_ecr_repositories resource"
+
+draft = false
+
+
+[menu.aws]
+title = "aws_ecr_repositories"
+identifier = "inspec/resources/aws/aws_ecr_repositories resource"
+parent = "inspec/resources/aws"
++++
+
+Use the `aws_ecr_repositories` InSpec audit resource to test the properties of all repositories in an AWS Elastic Container Registry (ECR).
+This resource is available in InSpec AWS resource pack version **[1.11.0](https://github.com/inspec/inspec-aws/releases/tag/v1.11.0)** onwards.
+
+## Syntax
+
+An `aws_ecr_repositories` resource block declares the tests for all AWS ECR repositories in the default registry unless the registry ID is provided.
+
+```ruby
+describe aws_ecr_repositories do
+ it { should exist }
+end
+```
+
+Repositories in a non-default registry can be tested by supplying the registry ID if the AWS user has necessary permissions on it.
+
+```ruby
+describe aws_ecr_repositories(registry_id: '123456789012') do
+ it { should exist }
+end
+```
+
+## Parameters
+
+The registry id is optional.
+
+`registry_id` _(optional)_
+
+: The 12-digit ID of the AWS Elastic Container Registry. If not provided, the [default](https://docs.aws.amazon.com/AmazonECR/latest/APIReference/API_DescribeRepositories.html) registry is assumed.
+
+## Properties
+
+`arns`
+: The Amazon Resource Name (ARN) that identifies the repository.
+
+`names`
+: The name of the repository.
+
+`uris`
+: The URI for the repository.
+
+`created_at_dates`
+: The date and time, in JavaScript date format, when the repository was created.
+
+`image_tag_mutability_status`
+: The tag mutability setting for the repository.
+
+`image_scanning_on_push_status`
+: The setting that determines whether images are scanned after being pushed to a repository. 
+
+## Examples
+
+Ensure that there are exactly 3 repositories in the default registry:
+
+```ruby
+describe aws_ecr_repositories do
+ its("count") { should cmp 3 }
+end
+```
+
+Use this InSpec resource to request the names of all repositories, then test in-depth using `aws_ecr_repository`:
+
+```ruby
+aws_ecr_repositories.names.each do |repository_name|
+ describe aws_ecr_repository(repository_name) do
+ its('image_tag_mutability') { should eq 'MUTABLE' }
+ end
+end
+```
+
+## Matchers
+
+{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}}
+
+### exist
+
+The control will pass if the describe returns at least one result.
+
+Use `should_not` to test the entity should not exist.
+
+```ruby
+describe aws_ecr_repositories.where( : ) do
+ it { should exist }
+end
+```
+
+```ruby
+describe aws_ecr_repositories.where( : ) do
+ it { should_not exist }
+end
+```
+
+## AWS Permissions
+
+{{% inspec-aws/aws_permissions_principal action="ECR:Client:DescribeRepositoriesResponse" %}}
+
+You can find detailed documentation at [Actions, Resources, and Condition Keys for Amazon ECR](https://docs.aws.amazon.com/AmazonECR/latest/APIReference/API_Operations.html), and [Actions, Resources, and Condition Keys for Identity And Access Management](https://docs.aws.amazon.com/IAM/latest/UserGuide/list_identityandaccessmanagement.html).
diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_ecr_repository.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_ecr_repository.md
new file mode 100644
index 0000000..2335f50
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_ecr_repository.md
@@ -0,0 +1,111 @@
++++
+title = "aws_ecr_repository resource"
+
+draft = false
+
+
+[menu.aws]
+title = "aws_ecr_repository"
+identifier = "inspec/resources/aws/aws_ecr_repository resource"
+parent = "inspec/resources/aws"
++++
+
+Use the `aws_ecr_repository` InSpec audit resource to test the properties of a single AWS Elastic Container Registry (ECR) repository.
+This resource is available in InSpec AWS resource pack version **[1.11.0](https://github.com/inspec/inspec-aws/releases/tag/v1.11.0)** onwards.
+
+## Syntax
+
+An `aws_ecr_repository` resource block declares the tests for a single AWS ECR repository by repository name.
+
+```ruby
+describe aws_ecr_repository(repository_name: 'my-repo') do
+ it { should exist }
+end
+```
+
+The value of the `repository_name` can be provided as a string.
+
+```ruby
+describe aws_ecr_repository('my-repo') do
+ it { should exist }
+end
+```
+
+## Parameters
+
+The repository name must be provided. The registry id is optional.
+
+`repository_name` _(required)_
+
+: The name of the ECR repository must satisfy the following constraints:
+
+- Regex pattern `(?:[a-z0-9]+(?:[._-][a-z0-9]+)*/)*[a-z0-9]+(?:[._-][a-z0-9]+)*`.
+- Minimum 2 and maximum of 256 characters long.
+
+: This can be passed either as a string or as a `repository_name: 'value'` key-value entry in a hash.
+
+`registry_id` _(optional)_
+
+: The 12-digit ID of the AWS Elastic Container Registry. If not provided, the [default](https://docs.aws.amazon.com/AmazonECR/latest/APIReference/API_DescribeRepositories.html) registry is assumed.
+
+## Properties
+
+`repository_name`
+: The name of the repository.
+
+`image_tag_mutability`
+: The tag mutability settings for the repository. Valid values are `MUTABLE` or `IMMUTABLE`.
+
+`registry_id`
+: The AWS account ID associated with the registry that contains the repository.
+
+`tags`
+: An hash with each key-value pair corresponding to a tag associated with the entity.
+
+There are also additional properties available. 
For a comprehensive list, see [the API reference documentation](https://docs.aws.amazon.com/AmazonECR/latest/APIReference/API_Repository.html)
+
+## Examples
+
+Test that image tags are `IMMUTABLE` in an ECR repository:
+
+```ruby
+describe aws_ecr_repository('my-repo') do
+ its('image_tag_mutability') { should eq 'IMMUTABLE' }
+end
+```
+
+Test that images are scanned for vulnerabilities at a push to repository:
+
+```ruby
+describe aws_ecr_repository(repository_name: 'my-repo') do
+ its('image_scanning_configuration.scan_on_push') { should eq true}
+end
+```
+
+Test that an ECR repository has a certain tag:
+
+```ruby
+describe aws_ecr_repository('my-repo') do
+ its('tags') { should include('environment' => 'dev') }
+end
+```
+
+## Matchers
+
+{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}}
+
+This resource has the following special matchers.
+
+### exist
+
+```ruby
+describe aws_ecr_repository(repository_name: 'my-repo') do
+ it { should exist }
+end
+```
+
+## AWS Permissions
+
+{{% inspec-aws/aws_permissions_principal action="ECR:Client:DescribeRepositoriesResponse" %}}
+
+You can find detailed documentation at [Actions, Resources, and Condition Keys for Amazon ECR](https://docs.aws.amazon.com/AmazonECR/latest/APIReference/API_Operations.html), and [Actions, Resources, and Condition Keys for Identity And Access Management](https://docs.aws.amazon.com/IAM/latest/UserGuide/list_identityandaccessmanagement.html).
diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_ecr_repository_policy.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_ecr_repository_policy.md
new file mode 100644
index 0000000..c79f3d1
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_ecr_repository_policy.md
@@ -0,0 +1,104 @@
++++
+title = "aws_ecr_repository_policy resource"
+
+draft = false
+
+
+[menu.aws]
+title = "aws_ecr_repository_policy"
+identifier = "inspec/resources/aws/aws_ecr_repository_policy resource"
+parent = "inspec/resources/aws"
++++
+
+Use the `aws_ecr_repository_policy` InSpec audit resource to test the policy configured for a single AWS Elastic Container Registry (ECR) repository.
+
+New in InSpec AWS resource pack [1.11.0](https://github.com/inspec/inspec-aws/releases/tag/v1.11.0).
+
+## Syntax
+
+An `aws_ecr_repository_policy` resource block declares the tests for a single AWS ECR repository by repository name.
+
+```ruby
+describe aws_ecr_repository_policy(repository_name: 'my-repo') do
+ it { should exist }
+end
+```
+
+The value of the `repository_name` can be provided as a string.
+
+```ruby
+describe aws_ecr_repository_policy('my-repo') do
+ it { should exist }
+end
+```
+
+## Parameters
+
+The repository name must be provided.
+
+`repository_name` _(required)_
+
+: The name of the ECR repository must satisfy the following constraints:
+
+- Regex pattern `(?:[a-z0-9]+(?:[._-][a-z0-9]+)*/)*[a-z0-9]+(?:[._-][a-z0-9]+)*`.
+- Minimum 2 and maximum of 256 characters long.
+
+: This can be passed either as a string or as a `repository_name: 'value'` key-value entry in a hash.
+
+`have_statement`
+
+: The `have_statement` examines the list of statements contained in the policy and passes if at least one of the statements matches.
+ This matcher does _not_ interpret the policy in a request authorization context as AWS does when a request is processed. Rather, the `have_statement` examines the literal contents of the IAM policy and reports on what is present (or absent, when used with `should_not`).
+
+: **Criteria**
+
+: The `have_statement` accepts the following criteria to search for matching statements. A test is successful if any statement matches all the criteria. Criteria can be formatted in title case or lowercase, and as a string or symbol. 
+
+: `Action`
+ : Expresses the requested operation. Acceptable literal values are any AWS operation name, including the '\*' wildcard character.
+ `Action` may also use a list of AWS operation names.
+
+: `Effect`
+ : Expresses if the operation is permitted. Acceptable values are `'Deny'` and `'Allow'`.
+
+: `Sid`
+ : A user-provided string identifier for the statement.
+
+: `Principal`
+ : Expresses the operation's target. Acceptable values are Amazon Resource Names (ARNs), including the '\*' wildcard.
+ `Principal` may also use a list of ARN values.
+
+: Please note the following about the behavior of the `have_statement`:
+
+: - The `Action`, `Sid`, and `Resource` criteria will allow a regular expression instead of a string literal.
+
+- The `have_statement` does not support wildcard expansion; to check for a wildcard value, check for it explicitly. For example, if the policy includes a statement with `"Action": "s3:*"` and the test checks for `Action: "s3:PutObject"`, the test _will not match_. You must write an additional test checking for the wildcard case.
+- The `have_statement` supports searching for list values. For example, if a statement contains a list of three resources and a `have_statement` test specifies _one_ of those resources, it will match.
+
+## Examples
+
+```ruby
+describe aws_ecr_repository_policy('repo_name') do
+ it { should exist }
+ it { should have_statement(Action: "ecr:GetDownloadUrlForLayer", Effect: "Allow", Principal: "*", Sid: "new policy")}
+ it { should_not have_statement(Action: /^rds:.+$/)}
+end
+```
+
+Symbols, title case, and lowercase are all allowed as criteria. 
+The following four statements will return the same results:
+
+```ruby
+describe aws_ecr_repository_policy('repo_name') do
+ it { should_not have_statement('Effect' => 'Allow', 'Principal' => '*', 'Action' => '*')}
+ it { should_not have_statement('effect' => 'Allow', 'Principal' => '*', 'action' => '*')}
+ it { should_not have_statement(Effect: 'Allow', Principal: '*', Action: '*')}
+ it { should_not have_statement(effect: 'Allow', Principal: '*', action: '*')}
+end
+```
+
+## AWS Permissions
+
+{{% inspec-aws/aws_permissions_principal action="ECR:Client:GetRepositoryPolicyResponse" %}}
+
+You can find detailed documentation at [Actions, Resources, and Condition Keys for Amazon ECR](https://docs.aws.amazon.com/AmazonECR/latest/APIReference/API_Operations.html), and [Actions, Resources, and Condition Keys for Identity And Access Management](https://docs.aws.amazon.com/IAM/latest/UserGuide/list_identityandaccessmanagement.html).
diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_ecrpublic_repositories.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_ecrpublic_repositories.md
new file mode 100644
index 0000000..10809a4
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_ecrpublic_repositories.md
@@ -0,0 +1,93 @@
++++
+title = "aws_ecrpublic_repositories resource"
+
+draft = false
+
+
+[menu.aws]
+title = "aws_ecrpublic_repositories"
+identifier = "inspec/resources/aws/aws_ecrpublic_repositories resource"
+parent = "inspec/resources/aws"
++++
+
+Use the `aws_ecrpublic_repositories` InSpec audit resource to test the properties of all public repositories in an AWS Elastic Container Registry (ECR).
+
+## Syntax
+
+An `aws_ecrpublic_repositories` resource block declares the tests for all AWS ECR repositories in the default registry unless the registry ID is provided.
+
+```ruby
+describe aws_ecrpublic_repositories do
+ it { should exist }
+end
+```
+
+Repositories in a non-default registry can be tested by supplying the registry ID if the AWS user has necessary permissions on it.
+
+```ruby
+describe aws_ecrpublic_repositories(registry_id: '123456789012') do
+ it { should exist }
+end
+```
+
+## Parameters
+
+The registry id is optional.
+
+`registry_id` _(optional)_
+
+: The 12-digit ID of the AWS Elastic Container Registry. If not provided, the [default](https://docs.aws.amazon.com/AmazonECRPublic/latest/APIReference/API_DescribeRepositories.html) registry is assumed.
+
+## Properties
+
+`arns`
+: The Amazon Resource Name (ARN) that identifies the repository.
+
+`names`
+: The name of the repository.
+
+`uris`
+: The URI for the repository.
+
+`created_at_dates`
+: The date and time, in JavaScript date format, when the repository was created.
+
+## Examples
+
+Ensure that there are exactly four public repositories in the default registry:
+
+```ruby
+describe aws_ecrpublic_repositories do
+ its("count") { should cmp 4 }
+end
+```
+
+## Matchers
+
+{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}}
+
+This resource has the following special matchers.
+
+### exist
+
+The control will pass if the `describe` method returns at least one result. 
+
+```ruby
+describe aws_ecrpublic_repositories.where( : ) do
+ it { should exist }
+end
+```
+
+Use `should_not` to test for entities that should not exist.
+
+```ruby
+describe aws_ecrpublic_repositories.where( : ) do
+ it { should_not exist }
+end
+```
+
+## AWS Permissions
+
+{{% inspec-aws/aws_permissions_principal action="ECRPublic:Client:DescribeRepositoriesResponse" %}}
+
+You can find detailed documentation at [Actions, Resources, and Condition Keys for Amazon ECR Public](https://docs.aws.amazon.com/AmazonECRPublic/latest/APIReference/API_Repository.html), and [Actions, Resources, and Condition Keys for Identity And Access Management](https://docs.aws.amazon.com/IAM/latest/UserGuide/list_identityandaccessmanagement.html).
diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_ecrpublic_repository.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_ecrpublic_repository.md
new file mode 100644
index 0000000..7644627
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_ecrpublic_repository.md
@@ -0,0 +1,79 @@
++++
+title = "aws_ecrpublic_repository resource"
+
+draft = false
+
+
+[menu.aws]
+title = "aws_ecrpublic_repository"
+identifier = "inspec/resources/aws/aws_ecrpublic_repository resource"
+parent = "inspec/resources/aws"
++++
+
+Use the `aws_ecrpublic_repository` InSpec audit resource to test the properties of a single AWS Elastic Container Registry (ECR) public repository.
+
+## Syntax
+
+An `aws_ecrpublic_repository` resource block declares the tests for a single AWS ECR repository by repository name.
+
+```ruby
+describe aws_ecrpublic_repository(repository_name: 'my-repo') do
+ it { should exist }
+end
+```
+
+The value of the `repository_name` can be provided as a string.
+
+```ruby
+describe aws_ecrpublic_repository('my-repo') do
+ it { should exist }
+end
+```
+
+## Parameters
+
+The repository name must be provided. The registry id is optional.
+
+`repository_name` _(required)_
+
+: The name of the ECR repository must satisfy the following constraints:
+
+: - It must match the following regular expression: `(?:[a-z0-9]+(?:[._-][a-z0-9]+)*/)*[a-z0-9]+(?:[._-][a-z0-9]+)*`.
+
+- It must be between 2 and 256 characters long.
+
+: The `repository_name` can be passed as a string or as a `repository_name: 'value'` key-value entry in a hash.
+
+`registry_id` _(optional)_
+
+: The 12-digit ID of the AWS Elastic Container Registry. If not provided, this resource will use the [default public registry](https://docs.aws.amazon.com/AmazonECRPublic/latest/APIReference/API_DescribeRepositories.html).
+
+## Properties
+
+`repository_name`
+: The name of the repository.
+
+`registry_id`
+: The AWS account ID associated with the registry that contains the repository.
+
+There are also additional properties available. 
For a comprehensive list, see [the API reference documentation](https://docs.aws.amazon.com/AmazonECRPublic/latest/APIReference/API_Repository.html)
+
+## Examples
+
+Test that ecr public repository 'public-repo' exists:
+
+```ruby
+describe aws_ecrpublic_repository('public-repo') do
+ it { should exist }
+end
+```
+
+## Matchers
+
+{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}}
+
+## AWS Permissions
+
+{{% inspec-aws/aws_permissions_principal action="ECRPublic:Client:DescribeRepositoriesResponse" %}}
+
+You can find detailed documentation at [Actions, Resources, and Condition Keys for Amazon ECR Public](https://docs.aws.amazon.com/AmazonECRPublic/latest/APIReference/API_Repository.html), and [Actions, Resources, and Condition Keys for Identity And Access Management](https://docs.aws.amazon.com/IAM/latest/UserGuide/list_identityandaccessmanagement.html).
diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_ecs_cluster.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_ecs_cluster.md
new file mode 100644
index 0000000..6965247
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_ecs_cluster.md
@@ -0,0 +1,106 @@
++++
+title = "aws_ecs_cluster resource"
+
+draft = false
+
+
+[menu.aws]
+title = "aws_ecs_cluster"
+identifier = "inspec/resources/aws/aws_ecs_cluster resource"
+parent = "inspec/resources/aws"
++++
+
+Use the `aws_ecs_cluster` InSpec audit resource to test properties of a single AWS ECS Cluster.
+
+For additional information, including details on parameters and properties, see the [AWS documentation on ECS Clusters](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/ECS_clusters.html).
+
+## Syntax
+
+An `aws_ecs_cluster` resource block declares the tests for a single AWS ECS Cluster by cluster name.
+
+```ruby
+describe aws_ecs_cluser(cluster_name: 'cluster-8') do
+ it { should exist }
+end
+```
+
+## Parameters
+
+If no parameters are passed, the resource will attempt to retrieve the `default` ECS Cluster.
+
+`cluster_name` _(optional)_
+
+: This resource accepts a single parameter, the Cluster Name.
+ This can be passed either as a string or as a `cluster_name: 'value'` key-value entry in a hash.
+
+## Properties
+
+`cluster_arn`
+: The Amazon Resource Name (ARN) that identifies the cluster.
+
+`cluster_name`
+: A user-generated string that you use to identify your cluster.
+
+`status`
+: The status of the cluster.
+
+`running_tasks_count`
+: The number of tasks in the cluster that are in the RUNNING state.
+
+`pending_tasks_count`
+: The number of tasks in the cluster that are in the PENDING state.
+
+`active_services_count`
+: The number of services that are running on the cluster in an ACTIVE state.
+
+`registered_container_instances_count`
+: The number of container instances registered into the cluster. This includes container instances in both ACTIVE and DRAINING status.
+
+`statistics`
+: Additional information about your clusters that are separated by launch type. 
+
+## Examples
+
+Test that an ECS Cluster does not exist:
+
+```ruby
+describe aws_ecs_cluster(cluster_name: 'invalid-cluster') do
+ it { should_not exist }
+end
+```
+
+Test that an ECS Cluster is active:
+
+```ruby
+describe aws_ecs_cluster('cluster-8') do
+ its ('status') { should eq 'ACTIVE' }
+end
+```
+
+## Matchers
+
+{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}}
+
+This resource has the following special matchers.
+
+### exist
+
+The control will pass if the describe returns at least one result.
+
+Use `should_not` to test the entity should not exist.
+
+```ruby
+describe aws_ecs_cluster('cluster-8') do
+ it { should exist }
+end
+```
+
+```ruby
+describe aws_ecs_cluster('cluster-9') do
+ it { should_not exist }
+end
+```
+
+## AWS Permissions
+
+{{% inspec-aws/aws_permissions_principal action="ECS:Client:DescribeClustersResponse" %}}
diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_ecs_clusters.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_ecs_clusters.md
new file mode 100644
index 0000000..922ec9b
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_ecs_clusters.md
@@ -0,0 +1,96 @@
++++
+title = "aws_ecs_clusters resource"
+
+draft = false
+
+
+[menu.aws]
+title = "aws_ecs_clusters"
+identifier = "inspec/resources/aws/aws_ecs_clusters resource"
+parent = "inspec/resources/aws"
++++
+
+Use the `aws_ecs_clusters` InSpec audit resource to test properties of some or all AWS ECS Clusters.
+
+For additional information, including details on parameters and properties, see the [AWS documentation on ECS Clusters](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/ECS_clusters.html).
+
+## Syntax
+
+An `aws_ecs_clusters` resource block returns all ECS Clusters and allows the testing of that group of Clusters.
+
+```ruby
+describe aws_ecs_clusters do
+ its('cluster_names') { should include 'cluster-root' }
+end
+```
+
+## Parameters
+
+This resource does not require any parameters.
+
+## Properties
+
+`cluster_arn`
+: The Amazon Resource Name (ARN) that identifies the cluster.
+
+`cluster_name`
+: A user-generated string that you use to identify your cluster.
+
+`status`
+: The status of the cluster.
+
+`running_tasks_count`
+: The number of tasks in the cluster that are in the RUNNING state.
+
+`pending_tasks_count`
+: The number of tasks in the cluster that are in the PENDING state.
+
+`active_services_count`
+: The number of services that are running on the cluster in an ACTIVE state.
+
+`registered_container_instances_count`
+: The number of container instances registered into the cluster. This includes container instances in both ACTIVE and DRAINING status.
+
+`statistics`
+: Additional information about your clusters that are separated by launch type.
+
+`entries`
+: Provides access to the raw results of the query, which can be treated as an array of hashes. 
+
+## Examples
+
+Ensure there are no Clusters in an undesired state:
+
+```ruby
+describe aws_ecs_clusters do
+ it { should exist }
+ its('statuses') { should_not include 'UNDESIRED-STATUS'}
+ its('cluster_names') { should include 'SQL-cluster' }
+end
+```
+
+## Matchers
+
+For a full list of available matchers, visit the [InSpec matchers page](https://www.inspec.io/docs/reference/matchers/).
+
+### exist
+
+The control will pass if the describe returns at least one result.
+
+Use `should_not` to test the entity should not exist.
+
+```ruby
+describe aws_ecs_clusters.where( : ) do
+ it { should exist }
+end
+```
+
+```ruby
+describe aws_ecs_clusters.where( : ) do
+ it { should_not exist }
+end
+```
+
+## AWS Permissions
+
+Your [Principal](https://docs.aws.amazon.com/IAM/latest/UserGuide/intro-structure.html#intro-structure-principal) will need the `ECS:Client:ListClustersResponse` & `ECS:Client:DescribeClustersResponse` action set to allow.
diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_ecs_service.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_ecs_service.md
new file mode 100644
index 0000000..73b23f6
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_ecs_service.md
@@ -0,0 +1,127 @@
++++
+title = "aws_ecs_service resource"
+
+draft = false
+
+
+[menu.aws]
+title = "aws_ecs_service"
+identifier = "inspec/resources/aws/aws_ecs_service resource"
+parent = "inspec/resources/aws"
++++
+
+Use the `aws_ecs_service` InSpec audit resource to test properties of a single AWS ECS Service.
+
+The AWS ECS Service resource creates an Amazon Elastic Container Service (Amazon ECS) service that runs and maintains the requested number of tasks and associated load balancers.
+
+For additional information, including details on parameters and properties, see the [AWS documentation on ECS Service](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ecs-service.html).
+
+## Syntax
+
+Ensure that a services exists.
+
+```ruby
+describe aws_ecs_service(cluster: "default", service: "SERVICE_ARN") do
+ it { should exist }
+end
+```
+
+## Parameters
+
+`cluster`
+
+: The short name or full Amazon Resource Name (ARN) of the cluster on which your service is running.
+
+`service` _(required)_
+
+: The ECS service ARN or service name.
+
+## Properties
+
+`service_arn`
+: The ARN of the service.
+
+`service_name`
+: The name of the service.
+
+`cluster_arn`
+: The Amazon Resource Name (ARN) of the cluster that hosts the service.
+
+`status`
+: The status of the service. The valid values are `ACTIVE`, `DRAINING`, or `INACTIVE`.
+
+`desired_count`
+: The desired number of instantiations of the task definition to keep running on the service.
+
+`running_count`
+: The number of tasks in the cluster that are in the `RUNNING` state.
+
+`pending_count`
+: The number of tasks in the cluster that are in the `PENDING` state.
+
+`launch_type`
+: The infrastructure on which your service is running.
+
+`task_definition`
+: The task definition to use for tasks in the service.
+
+`platform_version`
+: The AWS Fargate platform version on which the tasks in the task set are running. 
+
+For additional information, see the [AWS documentation on ECS describe services method](https://docs.aws.amazon.com/sdk-for-ruby/v2/api/Aws/ECS/Client.html#describe_services-instance_method).
+
+## Examples
+
+Ensure a work group name is available:
+
+```ruby
+describe aws_ecs_service(cluster: "default", service: "SERVICE_ARN") do
+ its('service_name') { should eq 'service_name' }
+end
+```
+
+Ensure that the status is `ACTIVE` or not:
+
+```ruby
+describe aws_ecs_service(cluster: "default", service: "SERVICE_ARN") do
+ its('status') { should eq 'ACTIVE' }
+end
+```
+
+## Matchers
+
+{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}}
+
+The controls will pass if the `describe` method returns at least one result.
+
+### exist
+
+Use `should` to test that the entity exists.
+
+```ruby
+describe aws_ecs_service(cluster: "CLUSTER_NAME", service: "SERVICE_ARN") do
+ it { should exist }
+end
+```
+
+Use `should_not` to test the entity does not exist.
+
+```ruby
+describe aws_ecs_service(cluster: "CLUSTER_NAME", service: "SERVICE_NAME") do
+ it { should_not exist }
+end
+```
+
+### be_available
+
+Use `should` to check if the services is available.
+
+```ruby
+describe aws_ecs_service(cluster: "default", service: "SERVICE_ARN") do
+ it { should be_available }
+end
+```
+
+## AWS Permissions
+
+{{% inspec-aws/aws_permissions_principal action="ECS:Client:DeleteServiceResponse" %}}
diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_ecs_services.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_ecs_services.md
new file mode 100644
index 0000000..5818eec
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_ecs_services.md
@@ -0,0 +1,114 @@
++++
+title = "aws_ecs_services resource"
+
+draft = false
+
+
+[menu.aws]
+title = "aws_ecs_services"
+identifier = "inspec/resources/aws/aws_ecs_services resource"
+parent = "inspec/resources/aws"
++++
+Use the `aws_ecs_services` InSpec audit resource to test properties of multiple AWS ECS Services.
+
+The AWS ECS Service resource creates an Amazon Elastic Container Service (Amazon ECS) service that runs and maintains the requested number of tasks and associated load balancers.
+
+For additional information, including details on parameters and properties, see the [AWS documentation on ECS Service](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ecs-service.html).
+
+## Syntax
+
+Ensure that a service exists.
+
+```ruby
+describe aws_ecs_services(cluster: "CLUSTER_NAME") do
+ it { should exist }
+end
+```
+
+## Parameters
+
+`cluster` _(required)_
+
+: The short name or full Amazon Resource Name (ARN) of the cluster on which your service is running.
+
+## Properties
+
+`service_arns`
+: The ARNs of the services.
+
+`service_names`
+: The names of the services.
+
+`cluster_arns`
+: The Amazon Resource Name (ARN) of the cluster that hosts the services.
+
+`status`
+: The status of the service. The valid values are `ACTIVE`, `DRAINING`, or `INACTIVE`.
+
+`desired_count`
+: The desired number of instantiations of the task definition to keep running on the service.
+
+`running_count`
+: The number of tasks in the cluster that are in the `RUNNING` state.
+
+`pending_count`
+: The number of tasks in the cluster that are in the `PENDING` state.
+
+`launch_types`
+: The infrastructure on which your service is running.
+
+`task_definitions`
+: The task definitions to use for tasks in the service.
+
+`platform_versions`
+: The AWS Fargate platform versions on which the tasks in the task set are running.
+
+For additional information, see the [AWS documentation on ECS describe services method](https://docs.aws.amazon.com/sdk-for-ruby/v2/api/Aws/ECS/Client.html#describe_services-instance_method).
+
+## Examples
+
+Ensure a specific service is available on a cluster:
+
+```ruby
+describe aws_ecs_services(cluster: "CLUSTER_NAME") do
+ its('service_arns') { should include 'SERVICE_ARN' }
+end
+```
+
+## Matchers
+
+{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}}
+
+The controls will pass if the `describe` method returns at least one result.
+
+### exist
+
+Use `should` to test that the entity exists.
+
+```ruby
+describe aws_ecs_services(cluster: "CLUSTER_NAME") do
+ it { should exist }
+end
+```
+
+Use `should_not` to test the entity does not exist.
+
+```ruby
+describe aws_ecs_services(cluster: "CLUSTER_NAME") do
+ it { should_not exist }
+end
+```
+
+### be_available
+
+Use `should` to check if the service is available.
+
+```ruby
+describe aws_ecs_services(cluster: "CLUSTER_NAME") do
+ it { should be_available }
+end
+```
+
+## AWS Permissions
+
+{{% inspec-aws/aws_permissions_principal action="ECS:Client:ListServicesResponse" %}}
diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_ecs_task_definition.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_ecs_task_definition.md
new file mode 100644
index 0000000..b9b719e
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_ecs_task_definition.md
@@ -0,0 +1,846 @@
++++
+title = "aws_ecs_task_definition resource"
+
+draft = false
+
+
+[menu.aws]
+title = "aws_ecs_task_definition"
+identifier = "inspec/resources/aws/aws_ecs_task_definition resource"
+parent = "inspec/resources/aws"
++++
+
+Use the `aws_ecs_task_definition` InSpec audit resource to test the properties of a single ECS task definition.
+
+For additional information, including details on parameters and properties, see the [AWS ECS task definition documentation](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ecs-taskdefinition.html).
+
+## Syntax
+
+Ensure that a task definition exists.
+
+```ruby
+describe aws_ecs_task_definition(task_definition: 'TASK_DEFINITION') do
+ it { should exist }
+end
+```
+
+## Parameters
+
+`task_definition` _(required)_
+
+: The full task definition description.
+ Specified as just the `family`, which targets the latest active revision, or `family:revision` for a specific revision number of a family, or the full Amazon Resource Name (ARN) of the task definition.
+
+## Properties
+
+`task_definition_arn`
+: The full Amazon Resource Name (ARN) of the task definition.
+
+: **Field**: `task_definition_arn`
+
+`container_definitions`
+: A list of container definitions in JSON format that describe the different containers that make up your task.
+
+: **Field**: `container_definitions`
+
+`container_definitions (name)`
+: The name of a container.
+
+: **Field**: `container_definitions_names`
+
+`container_definitions (image)`
+: The image used to start a container.
+
+: **Field**: `container_definitions_images`
+
+`container_definitions (repository_credentials)`
+: The private repository authentication credentials to use.
+
+: **Field**: `container_definitions_repository_credentials`
+
+`container_definitions (repository_credentials (credentials_parameter))`
+: The Amazon Resource Name (ARN) of the secret containing the private repository credentials.
+
+: **Field**: `container_definitions_repository_credentials_credentials_parameters`
+
+`container_definitions (cpu)`
+: The number of CPU units reserved for the container.
+
+: **Field**: `container_definitions_cpus`
+
+`container_definitions (memory)`
+: The amount (in MiB) of memory to present to the container.
+
+: **Field**: `container_definitions_memories`
+
+`container_definitions (memory_reservation)`
+: The soft limit (in MiB) of memory to reserve for the container.
+
+: **Field**: `container_definitions_memory_reservations`
+
+`container_definitions (links)`
+: The links parameter allows containers to communicate with each other without the need for port mappings.
+
+: **Field**: `container_definitions_links`
+
+`container_definitions (port_mappings)`
+: The list of port mappings for the container.
+
+: **Field**: `container_definitions_port_mappings`
+
+`container_definitions (port_mappings (container_port))`
+: The port number on the container that is bound to the user-specified or automatically assigned host port.
+
+: **Field**: `container_definitions_port_mappings_container_ports`
+
+`container_definitions (port_mappings (host_port))`
+: The port number on the container instance to reserve for your container.
+
+: **Field**: `container_definitions_port_mappings_host_ports`
+
+`container_definitions (port_mappings (protocol))`
+: The protocol used for the port mapping. Valid values are `tcp` and `udp`. Default value: `tcp`.
+
+: **Field**: `container_definitions_port_mappings_protocols`
+
+`container_definitions (essential)`
+: If the essential parameter of a container is marked as `true`, and that container fails or stops for any reason, all other containers that are part of the task are stopped. If the essential parameter of a container is marked as `false`, then its failure does not affect the rest of the containers in a task. If this parameter is omitted, a container is assumed to be essential.
+
+: **Field**: `container_definitions_essentials`
+
+`container_definitions (entry_point)`
+: The entry point that is passed to the container.
+
+: **Field**: `container_definitions_entry_points`
+
+`container_definitions (command)`
+: The command that is passed to the container.
+
+: **Field**: `container_definitions_commands`
+
+`container_definitions (environment)`
+: The environment variables to pass to a container.
+
+: **Field**: `container_definitions_environments`
+
+`container_definitions (environment (name))`
+: The name of the key-value pair.
+
+: **Field**: `container_definitions_environments_names`
+
+`container_definitions (environment (value))`
+: The value of the key-value pair.
+
+: **Field**: `container_definitions_environments_values`
+
+`container_definitions (environment_files)`
+: A list of files containing the environment variables to pass to a container.
+
+: **Field**: `container_definitions_environment_files`
+
+`container_definitions (environment_files (value)`
+: The Amazon Resource Name (ARN) of the Amazon S3 object containing the environment variable file.
+
+: **Field**: `container_definitions_environment_files_values`
+
+`container_definitions (environment_files (type)`
+: The file type to use. The only supported value is `s3`.
+
+: **Field**: `container_definitions_environment_files_types`
+
+`container_definitions (mount_points)`
+: The mount points for data volumes in your container.
+
+: **Field**: `container_definitions_mount_points`
+
+`container_definitions (mount_points (source_volume))`
+: The name of the volume to mount. Must be a volume name referenced in the name parameter of task definition volume.
+
+: **Field**: `container_definitions_mount_points_source_volumes`
+
+`container_definitions (mount_points (container_path))`
+: The path on the container to mount the host volume at.
+
+: **Field**: `container_definitions_mount_points_container_paths`
+
+`container_definitions (mount_points (read_only))`
+: If this value is `true`, the container has read-only access to the volume. If this value is `false`, then the container can write to the volume. The default value is `false`.
+
+: **Field**: `container_definitions_mount_points_read_only`
+
+`container_definitions (volumes_from)`
+: Data volumes to mount from another container.
+
+: **Field**: `container_definitions_volumes_froms`
+
+`container_definitions (volumes_from (source_container))`
+: The name of another container within the same task definition from which to mount volumes.
+
+: **Field**: `container_definitions_volumes_froms_source_containers`
+
+`container_definitions (volumes_from (read_only))`
+: If this value is `true`, the container has read-only access to the volume. If this value is `false`, then the container can write to the volume. The default value is `false`.
+
+: **Field**: `container_definitions_volumes_froms_read_only`
+
+`container_definitions (linux_parameters)`
+: Linux-specific modifications that are applied to the container, such as Linux kernel capabilities.
+
+: **Field**: `container_definitions_linux_parameters`
+
+`container_definitions (linux_parameters (capabilities))`
+: The Linux capabilities for the container that are added to or dropped from the default configuration provided by Docker.
+
+: **Field**: `container_definitions_linux_parameters_capabilities`
+
+`container_definitions (linux_parameters (capabilities (add)))`
+: The Linux capabilities for the container that have been added to the default configuration provided by Docker.
+
+: **Field**: `container_definitions_linux_parameters_capabilities_adds`
+
+`container_definitions (linux_parameters (capabilities (drop)))`
+: The Linux capabilities for the container that have been removed from the default configuration provided by Docker.
+
+: **Field**: `container_definitions_linux_parameters_capabilities_drops`
+
+`container_definitions (linux_parameters (devices))`
+: Any host devices to expose to the container.
+
+: **Field**: `container_definitions_linux_parameters_capabilities_devices`
+
+`container_definitions (linux_parameters (devices (host_path)))`
+: The path for the device on the host container instance.
+
+: **Field**: `container_definitions_linux_parameters_capabilities_devices_host_paths`
+
+`container_definitions (linux_parameters (devices (container_path)))`
+: The path inside the container at which to expose the host device.
+
+: **Field**: `container_definitions_linux_parameters_capabilities_devices_container_paths`
+
+`container_definitions (linux_parameters (devices (permissions)))`
+: The explicit permissions to provide to the container for the device. By default, the container has permissions for `read`, `write`, and `mknod` for the device.
+
+: **Field**: `container_definitions_linux_parameters_capabilities_devices_permissions`
+
+`container_definitions (linux_parameters (init_process_enabled))`
+: Run an `init` process inside the container that forwards signals and reaps processes. This parameter maps to the `--init` option to docker run.
+
+: **Field**: `container_definitions_linux_parameters_init_process_enabled`
+
+`container_definitions (linux_parameters (shared_memory_size)`
+: The value for the size (in MiB) of the /dev/shm volume. This parameter maps to the `--shm-size` option to docker run.
+
+: **Field**: `container_definitions_linux_parameters_shared_memory_sizes`
+
+`container_definitions (linux_parameters (tmpfs)`
+: The container path, mount options, and size (in MiB) of the tmpfs mount. This parameter maps to the `--tmpfs` option to docker run.
+
+: **Field**: `container_definitions_linux_parameters_tmpfs`
+
+`container_definitions (linux_parameters (tmpfs (container_path))`
+: The absolute file path where the tmpfs volume is to be mounted.
+
+: **Field**: `container_definitions_linux_parameters_tmpfs_container_paths`
+
+`container_definitions (linux_parameters (tmpfs (size))`
+: The maximum size (in MiB) of the tmpfs volume.
+
+: **Field**: `container_definitions_linux_parameters_tmpfs_sizes`
+
+`container_definitions (linux_parameters (tmpfs (mount_options))`
+: The list of tmpfs volume mount options.
+
+: **Field**: `container_definitions_linux_parameters_tmpfs_mount_options`
+
+`container_definitions (linux_parameters (max_swap))`
+: The total amount of swap memory (in MiB) a container can use.
+
+: **Field**: `container_definitions_linux_parameters_max_swaps`
+
+`container_definitions (linux_parameters (swappiness))`
+: This allows you to tune a container's memory swappiness behavior.
+
+: **Field**: `container_definitions_linux_parameters_swappiness`
+
+`container_definitions (secrets)`
+: The secrets to pass to the container.
+
+: **Field**: `container_definitions_secrets`
+
+`container_definitions (secrets (name))`
+: The name of the secret.
+
+: **Field**: `container_definitions_secrets_names`
+
+`container_definitions (secrets (value_from))`
+: The secret to expose to the container.
+
+: **Field**: `container_definitions_secrets_value_froms`
+
+`container_definitions (depends_on)`
+: The dependencies defined for container startup and shutdown.
+
+: **Field**: `container_definitions_depends_on`
+
+`container_definitions (depends_on (container_name))`
+: The name of a container.
+
+: **Field**: `container_definitions_depends_on_container_names`
+
+`container_definitions (depends_on (condition))`
+: The dependency condition of the container.
+
+: **Field**: `container_definitions_depends_on_conditions`
+
+`container_definitions (start_timeout)`
+: Time duration (in seconds) to wait before giving up on resolving dependencies for a container.
+
+: **Field**: `container_definitions_start_timeouts`
+
+`container_definitions (stop_timeout)`
+: Time duration (in seconds) to wait before the container is forcefully killed if it doesn't exit normally on its own.
+
+: **Field**: `container_definitions_stop_timeouts`
+
+`container_definitions (hostname)`
+: The hostname to use for your container.
+
+: **Field**: `container_definitions_hostnames`
+
+`container_definitions (user)`
+: The user to use inside the container.
+
+: **Field**: `container_definitions_users`
+
+`container_definitions (working_directory)`
+: The working directory in which to run commands inside the container.
+
+: **Field**: `container_definitions_working_directories`
+
+`container_definitions (disable_networking)`
+: When this parameter is `true`, networking is disabled within the container.
+
+: **Field**: `container_definitions_disable_networkings`
+
+`container_definitions (privileged)`
+: When this parameter is `true`, the container is given elevated privileges on the host container instance (similar to the root user).
+
+: **Field**: `container_definitions_privilegeds`
+
+`container_definitions (readonly_root_filesystem)`
+: When this parameter is `true`, the container is given read-only access to its root file system. This parameter maps to `ReadonlyRootfs` in the Create a container section of the Docker Remote API and the `--read-only` option to docker run.
+
+: **Field**: `container_definitions_readonly_root_filesystems`
+
+`container_definitions (dns_servers)`
+: A list of DNS servers that are presented to the container.
+
+: **Field**: `container_definitions_dns_servers`
+
+`container_definitions (dns_search_domains)`
+: A list of DNS search domains that are presented to the container.
+
+: **Field**: `container_definitions_dns_search_domains`
+
+`container_definitions (extra_hosts)`
+: A list of hostnames and IP address mappings to append to the `/etc/hosts` file on the container.
+
+: **Field**: `container_definitions_extra_hosts`
+
+`container_definitions (extra_hosts (hostname))`
+: The hostname to use in the `/etc/hosts` entry.
+
+: **Field**: `container_definitions_extra_hosts_hostnames`
+
+`container_definitions (extra_hosts (ip_address))`
+: The IP address to use in the `/etc/hosts` entry.
+
+: **Field**: `container_definitions_extra_hosts_ip_addresses`
+
+`container_definitions (docker_security_options)`
+: A list of strings to provide custom labels for SELinux and AppArmor multi-level security systems. This field is not valid for containers in tasks using the Fargate launch type.
+
+: **Field**: `container_definitions_docker_security_options`
+
+`container_definitions (interactive)`
+: When this parameter is `true`, this allows you to deploy containerized applications that require stdin or a tty to be allocated. This parameter maps to OpenStdin in the Create a container section of the Docker Remote API and the --interactive option to docker run.
+
+: **Field**: `container_definitions_interactives`
+
+`container_definitions (pseudo_terminal)`
+: When this parameter is `true`, a TTY is allocated. This parameter maps to Tty in the Create a container section of the Docker Remote API and the --tty option to docker run.
+
+: **Field**: `container_definitions_pseudo_terminals`
+
+`container_definitions (docker_labels)`
+: A key/value map of labels to add to the container.
+
+: **Field**: `container_definitions_docker_labels`
+
+`container_definitions (ulimits)`
+: The ulimit settings to pass to the container.
+
+: **Field**: `container_definitions_ulimits`
+
+`container_definitions (ulimits (name))`
+: The type of the ulimit.
+
+: **Field**: `container_definitions_ulimits_names`
+
+`container_definitions (ulimits (soft_limit))`
+: The soft limit for the ulimit type.
+
+: **Field**: `container_definitions_ulimits_soft_limits`
+
+`container_definitions (ulimits (hard_limit))`
+: The hard limit for the ulimit type.
+
+: **Field**: `container_definitions_ulimits_hard_limits`
+
+`container_definitions (log_configuration)`
+: The log configuration specification for the container.
+
+: **Field**: `container_definitions_log_configurations`
+
+`container_definitions (log_configuration (log_driver))`
+: The log driver to use for the container.
+
+: **Field**: `container_definitions_log_configurations_log_drivers`
+
+`container_definitions (log_configuration (options))`
+: The configuration options to send to the log driver.
+
+: **Field**: `container_definitions_log_configurations_options`
+
+`container_definitions (log_configuration (secret_options))`
+: The secrets to pass to the log configuration.
+
+: **Field**: `container_definitions_log_configurations_secret_options`
+
+`container_definitions (log_configuration (secret_options (name)))`
+: The name of the secret.
+
+: **Field**: `container_definitions_log_configurations_secret_options_names`
+
+`container_definitions (log_configuration (secret_options (value_from)))`
+: The secret to expose to the container. The supported values are either the full ARN of the AWS Secrets Manager secret or the full ARN of the parameter in the AWS Systems Manager Parameter Store.
+
+: **Field**: `container_definitions_log_configurations_secret_value_froms`
+
+`container_definitions (health_check)`
+: The container health check command and associated configuration parameters for the container.
+
+: **Field**: `container_definitions_health_checks`
+
+`container_definitions (health_check (command))`
+: A string array representing the command that the container runs to determine if it is healthy.
+
+: **Field**: `container_definitions_health_checks_commands`
+
+`container_definitions (health_check (interval))`
+: The time period in seconds between each health check execution.
+
+: **Field**: `container_definitions_health_checks_intervals`
+
+`container_definitions (health_check (timeout))`
+: The time period in seconds to wait for a health check to succeed before it is considered a failure.
+
+: **Field**: `container_definitions_health_checks_timeouts`
+
+`container_definitions (health_check (retries))`
+: The number of times to retry a failed health check before the container is considered unhealthy.
+
+: **Field**: `container_definitions_health_checks_retries`
+
+`container_definitions (health_check (start_period))`
+: The optional grace period within which to provide containers time to bootstrap before failed health checks count towards the maximum number of retries.
+
+: **Field**: `container_definitions_health_checks_start_periods`
+
+`container_definitions (system_controls)`
+: A list of namespaced kernel parameters to set in the container.
+
+: **Field**: `container_definitions_system_controls`
+
+`container_definitions (system_controls (namespace))`
+: The namespaced kernel parameter for which to set a value.
+
+: **Field**: `container_definitions_system_controls_namespaces`
+
+`container_definitions (system_controls (value))`
+: The value for the namespaced kernel parameter specified in namespace.
+
+: **Field**: `container_definitions_system_controls_values`
+
+`container_definitions (resource_requirements)`
+: The type and amount of a resource to assign to a container.
+
+: **Field**: `container_definitions_resource_requirements`
+
+`container_definitions (resource_requirements (value))`
+: The value for the specified resource type.
+
+: **Field**: `container_definitions_resource_requirements_values`
+
+`container_definitions (resource_requirements (type))`
+: The type of resource to assign to a container.
+
+: **Field**: `container_definitions_resource_requirements_types`
+
+`container_definitions (firelens_configuration)`
+: The FireLens configuration for the container.
+
+: **Field**: `container_definitions_firelens_configurations`
+
+`container_definitions (firelens_configuration (type))`
+: The log router to use. The valid values are `fluentd` or `fluentbit`.
+
+: **Field**: `container_definitions_firelens_configurations_types`
+
+`container_definitions (firelens_configuration (options))`
+: The options to use when configuring the log router.
+
+: **Field**: `container_definitions_firelens_configurations_options`
+
+`family`
+: The name of a family that this task definition is registered to.
+
+: **Field**: `family`
+
+`task_role_arn`
+: The short name or full Amazon Resource Name (ARN) of the AWS Identity and Access Management (IAM) role.
+
+: **Field**: `task_role_arn`
+
+`execution_role_arn`
+: The Amazon Resource Name (ARN) of the task execution role that grants the Amazon ECS container.
+
+: **Field**: `execution_role_arn`
+
+`network_mode`
+: The Docker networking mode to use for the containers in the task. The valid values are `none`, `bridge`, `awsvpc`, and `host`.
+
+: **Field**: `network_mode`
+
+`revision`
+: The revision of the task in a particular family.
+
+: **Field**: `revision`
+
+`volumes`
+: The list of data volume definitions for the task.
+
+: **Field**: `volumes`
+
+`volumes (name)`
+: The name of the volume.
+
+: **Field**: `volumes_names`
+
+`volumes (host)`
+: The host of the volume.
+
+: **Field**: `volumes_hosts`
+
+`volumes (host (source_path))`
+: The source path of the volume.
+
+: **Field**: `volumes_source_paths`
+
+`volumes (docker_volume_configuration)`
+: This parameter is specified when you are using Docker volumes.
+
+: **Field**: `volumes_docker_volume_configurations`
+
+`volumes (docker_volume_configuration (scope))`
+: The scope for the Docker volume that determines its lifecycle.
+
+: **Field**: `volumes_docker_volume_configuration_scopes`
+
+`volumes (docker_volume_configuration (autoprovision))`
+: If this value is `true`, the Docker volume is created if it does not already exist.
+
+: **Field**: `volumes_docker_volume_configuration_autoprovisions`
+
+`volumes (docker_volume_configuration (driver))`
+: The Docker volume driver to use.
+
+: **Field**: `volumes_docker_volume_configuration_drivers`
+
+`volumes (docker_volume_configuration (driver_opts))`
+: A map of Docker driver-specific options passed through.
+
+: **Field**: `volumes_docker_volume_configuration_driver_opts`
+
+`volumes (docker_volume_configuration (labels))`
+: Custom metadata to add to your Docker volume.
+
+: **Field**: `volumes_docker_volume_configuration_labels`
+
+`volumes (efs_volume_configuration)`
+: This parameter is specified when you are using an Amazon Elastic File System file system for task storage.
+
+: **Field**: `volumes_efs_volume_configurations`
+
+`volumes (efs_volume_configuration (file_system_id))`
+: The Amazon EFS file system ID to use.
+
+: **Field**: `volumes_efs_volume_configuration_file_system_ids`
+
+`volumes (efs_volume_configuration (root_directory))`
+: The directory within the Amazon EFS file system to mount as the root directory inside the host.
+
+: **Field**: `volumes_efs_volume_configuration_root_directories`
+
+`volumes (efs_volume_configuration (transit_encryption))`
+: Whether or not to enable encryption for Amazon EFS data in transit between the Amazon ECS host and the Amazon EFS server. Transit encryption must be enabled if Amazon EFS IAM authorization is used.
+
+: **Field**: `volumes_efs_volume_configuration_transit_encryptions`
+
+`volumes (efs_volume_configuration (transit_encryption_port))`
+: The port to use when sending encrypted data between the Amazon ECS host and the Amazon EFS server.
+
+: **Field**: `volumes_efs_volume_configuration_transit_encryption_ports`
+
+`volumes (efs_volume_configuration (authorization_config)`
+: The authorization configuration details for the Amazon EFS file system.
+
+: **Field**: `volumes_efs_volume_configuration_authorization_configs`
+
+`volumes (efs_volume_configuration (authorization_config (access_point_id))`
+: The Amazon EFS access point ID to use.
+
+: **Field**: `volumes_efs_volume_configuration_authorization_config_access_point_ids`
+
+`volumes (efs_volume_configuration (authorization_config (iam))`
+: The Amazon EFS IAM to use.
+
+: **Field**: `volumes_efs_volume_configuration_authorization_config_iams`
+
+`volumes (fsx_windows_file_server_volume_configuration)`
+: This parameter is specified when you are using Amazon FSx for Windows File Server file system for task storage.
+
+: **Field**: `volumes_fsx_windows_file_server_volume_configurations`
+
+`volumes (fsx_windows_file_server_volume_configuration (file_system_id))`
+: The Amazon FSx for Windows File Server file system ID to use.
+
+: **Field**: `volumes_fsx_windows_file_server_volume_configurations_file_system_ids`
+
+`volumes (fsx_windows_file_server_volume_configuration (root_directory))`
+: The directory within the Amazon FSx for Windows File Server file system to mount as the root directory inside the host.
+
+: **Field**: `volumes_fsx_windows_file_server_volume_configurations_root_directories`
+
+`volumes (fsx_windows_file_server_volume_configuration (authorization_config))`
+: The authorization configuration details for the Amazon FSx for Windows File Server file system.
+
+: **Field**: `volumes_fsx_windows_file_server_volume_configurations_authorization_configs`
+
+`volumes (fsx_windows_file_server_volume_configuration (authorization_config (credentials_parameter)))`
+: The authorization credential option to use.
+
+: **Field**: `volumes_fsx_windows_file_server_volume_configurations_authorization_configs_credentials_parameters`
+
+`volumes (fsx_windows_file_server_volume_configuration (authorization_config (domain)))`
+: A fully qualified domain name hosted by an AWS Directory Service Managed Microsoft AD (Active Directory) or self-hosted AD on Amazon EC2.
+
+: **Field**: `volumes_fsx_windows_file_server_volume_configurations_authorization_configs_domains`
+
+`status`
+: The status of the task definition.
+
+: **Field**: `status`
+
+`requires_attributes`
+: The container instance attributes required by your task.
+
+: **Field**: `requires_attributes`
+
+`requires_attributes (name)`
+: The name of the attribute.
+
+: **Field**: `requires_attributes_names`
+
+`requires_attributes (value)`
+: The value of the attribute.
+
+: **Field**: `requires_attributes_values`
+
+`requires_attributes (target_type)`
+: The type of the target with which to attach the attribute.
+
+: **Field**: `requires_attributes_target_types`
+
+`requires_attributes (target_id)`
+: The ID of the target.
+
+: **Field**: `requires_attributes_targets`
+
+`placement_constraints`
+: An array of placement constraint objects to use for tasks.
+
+: **Field**: `placement_constraints`
+
+`placement_constraints (type)`
+: The type of constraint.
+
+: **Field**: `placement_constraints_types`
+
+`placement_constraints (expression)`
+: The expression of constraint.
+
+: **Field**: `placement_constraints_expressions`
+
+`compatibilities`
+: The task launch types the task definition validated against during task definition registration.
+
+: **Field**: `compatibilities`
+
+`requires_compatibilities`
+: The task launch types the task definition was validated against.
+
+: **Field**: `FieldName`
+
+`cpu`
+: The number of CPU units used by the task.
+
+: **Field**: `cpu`
+
+`memory`
+: The amount (in MiB) of memory used by the task.
+
+: **Field**: `memory`
+
+`inference_accelerators`
+: The Elastic Inference accelerator associated with the task.
+
+: **Field**: `inference_accelerators`
+
+`inference_accelerators (device_name)`
+: The Elastic Inference accelerator device name.
+
+: **Field**: `inference_accelerators_device_names`
+
+`inference_accelerators (device_type)`
+: The Elastic Inference accelerator type to use.
+
+: **Field**: `inference_accelerators_device_types`
+
+`pid_mode`
+: The process namespace to use for the containers in the task. The valid values are `host` or `task`.
+
+: **Field**: `pid_mode`
+
+`ipc_mode`
+: The IPC resource namespace to use for the containers in the task. The valid values are `host`, `task`, or `none`.
+
+: **Field**: `ipc_mode`
+
+`proxy_configuration`
+: The configuration details for the App Mesh proxy.
+
+: **Field**: `proxy_configuration`
+
+`proxy_configuration (type)`
+: The proxy type. The only supported value is `APPMESH`.
+
+: **Field**: `proxy_configuration_types`
+
+`proxy_configuration (container_name)`
+: The name of the container that will serve as the App Mesh proxy.
+
+: **Field**: `proxy_configuration_container_names`
+
+`proxy_configuration (properties)`
+: The set of network configuration parameters to provide the Container Network Interface (CNI) plugin, specified as key-value pairs.
+
+: **Field**: `proxy_configuration_properties`
+
+`proxy_configuration (properties (name))`
+: The name of the key-value pair.
+
+: **Field**: `proxy_configuration_properties_names`
+
+`proxy_configuration (properties (value))`
+: The value of the key-value pair.
+
+: **Field**: `proxy_configuration_properties_values`
+
+`tags`
+: The tags of the task definition.
+
+: **Field**: `tags`
+
+## Examples
+
+Ensure a task definition ARN is available:
+
+```ruby
+describe aws_ecs_task_definition(task_definition: 'TASK_DEFINITION') do
+ its('task_definition_arn') { should eq 'arn:aws:ecs:REGION:AWS_ACCOUNT_ID:task-definition/TASK_DEFINITION_ID' }
+end
+```
+
+Verify the amount of memory for a task definition:
+
+```ruby
+describe aws_ecs_task_definition(task_definition: 'TASK_DEFINITION') do
+ its('memory') { should eq 500 }
+end
+```
+
+Verify the name of a task definition:
+
+```ruby
+describe aws_ecs_task_definition(task_definition: 'TASK_DEFINITION') do
+ its('container_definitions_names') { should include 'Task_Definition_Container_Name' }
+end
+```
+
+Verify the cpu of a task definition:
+
+```ruby
+describe aws_ecs_task_definition(task_definition: 'TASK_DEFINITION') do
+ its('container_definitions_cpus') { should include 10 }
+end
+```
+
+## Matchers
+
+{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}}
+
+The controls will pass if the `describe` method returns at least one result.
+
+### exist
+
+Use `should` to test that the entity exists.
+
+```ruby
+describe aws_ecs_task_definition(task_definition: 'TASK_DEFINITION') do
+ it { should exist }
+end
+```
+
+Use `should_not` to test the entity does not exist.
+
+```ruby
+describe aws_ecs_task_definition(task_definition: 'TASK_DEFINITION') do
+ it { should_not exist }
+end
+```
+
+### be_available
+
+Use `should` to check if the task definition is available.
+
+```ruby
+describe aws_ecs_task_definition(task_definition: 'TASK_DEFINITION') do
+ it { should be_available }
+end
+```
+
+## AWS Permissions
+
+{{% inspec-aws/aws_permissions_principal action="ECS:Client:DescribeTaskDefinitionResponse" %}}
diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_ecs_task_definitions.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_ecs_task_definitions.md
new file mode 100644
index 0000000..a885b50
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_ecs_task_definitions.md @@ -0,0 +1,82 @@ ++++ +title = "aws_ecs_task_definitions resource" + +draft = false + + +[menu.aws] +title = "aws_ecs_task_definitions" +identifier = "inspec/resources/aws/aws_ecs_task_definitions resource" +parent = "inspec/resources/aws" ++++ + +Use the `aws_ecs_task_definitions` InSpec audit resource to test the properties of multiple ECS task definitions. + +For additional information, including details on parameters and properties, see the [AWS ECS task definition documentation](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ecs-taskdefinition.html). + +## Syntax + +Ensure that a task definition ARNs exists. + +```ruby +describe aws_ecs_task_definitions do + it { should exist } +end +``` + +## Parameters + +This resource does not require any parameters. + +## Properties + +`task_definition_arns` +: A list of ARNs to describe the task definition. + +## Examples + +Ensure a task definition ARN is available: + +```ruby +describe aws_ecs_task_definitions do + its('task_definition_arns') { should include 'arn:aws:ecs:REGION:AWS_ACCOUNT_ID:task-definition/TASK_DEFINITION_ID' } +end +``` + +## Matchers + +{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}} + +The controls will pass if the `list_task_definitions` method returns at least one result. + +### exist + +Use `should` to test that the entity exists. + +```ruby +describe aws_ecs_task_definitions do + it { should exist } +end +``` + +Use `should_not` to test the entity does not exist. + +```ruby +describe aws_ecs_task_definitions do + it { should_not exist } +end +``` + +### be_available + +Use `should` to check if the task definition arns is available. + +```ruby +describe aws_ecs_task_definitions do + it { should be_available } +end +``` + +## AWS Permissions + +{{% inspec-aws/aws_permissions_principal action="ECS:Client:ListTaskDefinitionsResponse" %}} 
diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_efs_file_system.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_efs_file_system.md
new file mode 100644
index 0000000..2804a71
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_efs_file_system.md
@@ -0,0 +1,137 @@ ++++ +title = "aws_efs_file_system resource" + +draft = false + + +[menu.aws] +title = "aws_efs_file_system" +identifier = "inspec/resources/aws/aws_efs_file_system resource" +parent = "inspec/resources/aws" ++++ + +Use the `aws_efs_file_system` InSpec audit resource to test the properties of a single AWS EFS file system. +This resource is added to InSpec AWS resource pack in version **[1.10.0](https://github.com/inspec/inspec-aws/releases/tag/v1.10.0)** and it is available with InSpec **[4.18.108](https://github.com/inspec/inspec/releases/tag/v4.18.108)** and later versions. + +## Syntax + +An `aws_efs_file_system` resource block declares the tests for a single AWS EFS file system by either file system id or creation token. + +```ruby +describe aws_efs_file_system(file_system_id: 'fs-12345678') do + it { should be_encrypted } + its('size_in_bytes.value') { should cmp 6144 } +end +``` + +```ruby +describe aws_efs_file_system(creation_token: 'my-token') do + its('encrypted') { should cmp true } + its('throughput_mode') { should eq 'bursting' } +end +``` + +The value of the `file_system_id` can be provided as a string. + +```ruby +describe aws_efs_file_system('fs-12345678') do + it { should exist } +end +``` + +## Parameters + +Either the EFS file system id or creation token must be provided. + +`file_system_id` _(required if `creation_token` not provided)_ + +: The ID of the EFS file system. This is in the format of `fs-` followed by 8 or 17 hexadecimal characters. + This can be passed either as a string or as a `file_system_id: 'value'` key-value entry in a hash. + +`creation_token` _(required if `file_system_id` not provided)_ + +: The creation token is automatically assigned by AWS if not provided by the user at creation. + This is a string with minimum 1 and maximum 64-character long. + This must be passed as a `creation_token: 'value'` key-value entry in a hash. + +## Properties + +`creation_token` +: The value of the creation token. 
+ +`file_system_id` +: The id of the file system which is auto-assigned by the AWS. + +`encrypted` +: Indicates whether the file system is encrypted or not. + +`life_cycle_state` +: The lifecycle phase of the file system, e.g. 'creating'. + +`owner_id` +: The AWS account that created the file system. + +`performance_mode` +: The performance mode of the file system, e.g. 'maxIO'. + +`throughput_mode` +: The throughput mode for a file system, e.g. 'bursting'. + +`tags` +: An hash with each key-value pair corresponding to a tag associated with the entity. + +There are also additional properties available. For a comprehensive list, see [the API reference documentation](https://docs.aws.amazon.com/efs/latest/ug/API_FileSystemDescription.html) + +## Examples + +Test that an EFS file system is available: + +```ruby +describe aws_efs_file_system("fs-12345678") do + its("life_cycle_state") { should eq 'available' } +end +``` + +Test that an EFS file system is in 'maxIO' performance mode: + +```ruby +describe aws_efs_file_system(creation_token: "My Token") do + its("performance_mode") { should eq "maxIO" } +end +``` + +Test that an EFS file system has a certain tag: + +```ruby +describe aws_efs_file_system(creation_token: "My Token") do + its("tags") { should include("companyName" => "My Company") } +end +``` + +## Matchers + +{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}} + +This resource has the following special matchers. 
+
+### exist
+
+```ruby
+describe aws_efs_file_system(file_system_id: "fs-12345678") do
+ it { should exist }
+end
+```
+
+### be_encrypted
+
+```ruby
+describe aws_efs_file_system(creation_token: "My Token") do
+ it { should be_encrypted }
+end
+```
+
+## AWS Permissions
+
+{{% inspec-aws/aws_permissions_principal action="EFS:Client:DescribeFileSystemsResponse" %}}
+
+You can find detailed documentation at [Actions, Resources, and Condition Keys for Amazon EFS](https://docs.aws.amazon.com/IAM/latest/UserGuide/list_amazonelasticfilesystem.html), and [Actions, Resources, and Condition Keys for Identity And Access Management](https://docs.aws.amazon.com/IAM/latest/UserGuide/list_identityandaccessmanagement.html).
diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_efs_file_systems.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_efs_file_systems.md
new file mode 100644
index 0000000..c557bb4
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_efs_file_systems.md
@@ -0,0 +1,121 @@ ++++ +title = "aws_efs_file_systems resource" + +draft = false + + +[menu.aws] +title = "aws_efs_file_systems" +identifier = "inspec/resources/aws/aws_efs_file_systems resource" +parent = "inspec/resources/aws" ++++ + +Use the `aws_efs_file_systems` InSpec audit resource to test the properties of some or all AWS EFS file systems. To audit a single EFS file system, use `aws_efs_file_ststem` (singular). + +This resource is added to InSpec AWS resource pack in version **[1.10.0](https://github.com/inspec/inspec-aws/releases/tag/v1.10.0)** and it is available with InSpec **[4.18.108](https://github.com/inspec/inspec/releases/tag/v4.18.108)** and later versions. + +## Syntax + +An `aws_efs_file_systems` resource block collects a group of EFS file system descriptions and then tests that group. + +```ruby +describe aws_efs_file_systems + it { should exist } +end +``` + +## Parameters + +This resource does not require any parameters. + +## Properties + +`tags` +: The list of tags that the EFS file system has. + +`names` +: The value of the `Name` (case sensitive) tag if it is defined. + +`file_system_ids` +: The ID of the EFS file system. + +`creation_tokens` +: The creation token that the EFS file system is associated. + +`owner_ids` +: The owner id of the EFS file system. + +`entries` +: Provides access to the raw results of the query, which can be treated as an array of hashes. + +`creation_times` +: The creation time of the EFS file system. + +`performance_modes` +: The performance mode of the EFS file system, e.g. 'maxIO'. + +`encryption_status` +: This indicates whether the EFS file system is encrypted or not. + +`throughput_modes` +: The throughput mode of the EFS file system. + +`kms_key_ids` +: The ID of an AWS Key Management Service (AWS KMS) customer master key (CMK) that was used to protect the encrypted EFS file system. + +`size_in_bytes` +: The latest known metered size (in bytes) of data stored in the file system, in its `value` field. 
+ +`life_cycle_states` +: The life cycle phase of the EFS file system, e.g. 'deleting'. + +## Examples + +Ensure you have exactly 3 file systems: + +```ruby +describe aws_efs_file_systems do + its("entries.count") { should cmp 3 } +end +``` + +Use this InSpec resource to request the IDs of all EFS file systems, then test in-depth using `aws_efs_file_system`: + +```ruby +aws_efs_file_systems.file_system_ids.each do |file_system_id| + describe aws_efs_file_system(file_system_id) do + its("tags") { should include("companyName" => "My Company Name") } + it { should be_encrypted } + its("throughput_mode") { should eq "bursting" } + its("performance_mode") { should eq "generalPurpose" } + end +end +``` + +## Matchers + +{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}} + +### exist + +The control will pass if the describe returns at least one result. + +Use `should_not` to test the entity should not exist. + +```ruby +describe aws_efs_file_systems.where( : ) do + it { should exist } +end +``` + +```ruby +describe aws_efs_file_systems.where( : ) do + it { should_not exist } +end +``` + +## AWS Permissions + +{{% inspec-aws/aws_permissions_principal action="EFS:Client:DescribeFileSystemsResponse" %}} + +You can find detailed documentation at [Actions, Resources, and Condition Keys for Amazon EFS](https://docs.aws.amazon.com/IAM/latest/UserGuide/list_amazonelasticfilesystem.html), and [Actions, Resources, and Condition Keys for Identity And Access Management](https://docs.aws.amazon.com/IAM/latest/UserGuide/list_identityandaccessmanagement.html). diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_efs_mount_target.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_efs_mount_target.md new file mode 100644 index 0000000..b826811 --- /dev/null +++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_efs_mount_target.md 
@@ -0,0 +1,116 @@ ++++ +title = "aws_efs_mount_target resource" + +draft = false + + +[menu.aws] +title = "aws_efs_mount_target" +identifier = "inspec/resources/aws/aws_efs_mount_target resource" +parent = "inspec/resources/aws" ++++ + +Use the `aws_efs_mount_target` InSpec audit resource to test properties of a single specific EFS Mount Target. + +The AWS::EFS::MountTarget resource is an Amazon EFS resource that creates a mount target for an EFS file system. You can then mount the file system on Amazon EC2 instances or other resources by using the mount target. + +For additional information, including details on parameters and properties, see the [AWS documentation on EFS Mount Target](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-efs-mounttarget.html). + +## Syntax + +Ensure that a mount target id exists. + +```ruby +describe aws_efs_mount_target(mount_target_id: 'MOUNT_TARGET_ID') do + it { should exist } +end +``` + +## Parameters + +`mount_target_id` _(required)_ + +## Properties + +`owner_id` +: The owner ID of the mount targets. + +`mount_target_id` +: ID of the file system whose mount targets you want to list (String). + +`file_system_id` +: The ID of the file system for which to create the mount target. + +`life_cycle_state` +: The life cycle state of the mount targets. + +`ip_address` +: Valid IPv4 address within the address range of the specified subnet. + +`network_interface_id` +: The network interface ID of the mount targets. + +`availability_zone_id` +: The availability zone ID of the mount targets. + +`availability_zone_name` +: The availability zone name of the mount targets. + +`vpc_id` +: The VPC ID of the mount targets. 
+ +## Examples + +Ensure a owner ID is available: + +```ruby +describe aws_efs_mount_target(mount_target_id: 'MOUNT_TARGET_ID') do + its('owner_id') { should eq '012345678912' } +end +``` + +Ensure that the life cycle state is available: + +```ruby +describe aws_efs_mount_target(mount_target_id: 'MOUNT_TARGET_ID') do + its('life_cycle_state') { should eq 'available' } +end +``` + +## Matchers + +{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}} + +The controls will pass if the `describe` method returns at least one result. + +### exist + +Use `should` to test that the entity exists. + +```ruby +describe aws_efs_mount_target(mount_target_id: 'MOUNT_TARGET_ID') do + it { should exist } +end +``` + +Use `should_not` to test the entity does not exist. + +```ruby +describe aws_efs_mount_target(mount_target_id: 'MOUNT_TARGET_ID') do + it { should_not exist } +end +``` + +### be_available + +Use `should` to check if the mount target id is available. + +```ruby +describe aws_efs_mount_target(mount_target_id: 'MOUNT_TARGET_ID') do + it { should be_available } +end +``` + +## AWS Permissions + +{{% inspec-aws/aws_permissions_principal action="EFS:Client:DescribeMountTargetsResponse" %}} diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_efs_mount_targets.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_efs_mount_targets.md new file mode 100644 index 0000000..b88a606 --- /dev/null +++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_efs_mount_targets.md 
@@ -0,0 +1,116 @@ ++++ +title = "aws_efs_mount_targets resource" + +draft = false + + +[menu.aws] +title = "aws_efs_mount_targets" +identifier = "inspec/resources/aws/aws_efs_mount_targets resource" +parent = "inspec/resources/aws" ++++ + +Use the `aws_efs_mount_targets` InSpec audit resource to test properties of a plural EFS Mount Targets. + +The AWS::EFS::MountTarget resource is an Amazon EFS resource that creates a mount target for an EFS file system. You can then mount the file system on Amazon EC2 instances or other resources by using the mount target. + +For additional information, including details on parameters and properties, see the [AWS documentation on EFS Mount Target](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-efs-mounttarget.html). + +## Syntax + +Ensure that a file system exists. + +```ruby +describe aws_efs_mount_targets(file_system_id: "FILE_SYSTEM_ID") do + it { should exist } +end +``` + +## Parameters + +`file_system_ids` _(required)_ + +## Properties + +`owner_ids` +: The owner IDs of the mount targets. + +`mount_target_ids` +: IDs of the file system whose mount targets you want to list (String). + +`file_system_ids` +: The IDs of the file system for which to create the mount target. + +`life_cycle_states` +: The life cycle states of the mount targets. + +`ip_addresses` +: Valid IPv4 addresses within the address range of the specified subnet. + +`network_interface_ids` +: The network interface IDs of the mount targets. + +`availability_zone_ids` +: The availability zone IDs of the mount targets. + +`availability_zone_names` +: The availability zone names of the mount targets. + +`vpc_ids` +: The vpc IDs of the mount targets. 
+ +## Examples + +Ensure a owner ID is available: + +```ruby +describe aws_efs_mount_targets(file_system_id: "FILE_SYSTEM_ID") do + its('owner_ids') { should include 'OWNER_ID' } +end +``` + +Ensure that the IP address is available: + +```ruby +describe aws_efs_mount_targets(file_system_id: "FILE_SYSTEM_ID") do + its('ip_addresses') { should include 'IP_ADDRESS' } +end +``` + +## Matchers + +{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}} + +The controls will pass if the `describe` method returns at least one result. + +### exist + +Use `should` to test that the entity exists. + +```ruby +describe aws_efs_mount_targets(file_system_id: "FILE_SYSTEM_ID") do + it { should exist } +end +``` + +Use `should_not` to test the entity does not exist. + +```ruby +describe aws_efs_mount_targets(file_system_id: "FILE_SYSTEM_ID") do + it { should_not exist } +end +``` + +### be_available + +Use `should` to check if the file system is available. + +```ruby +describe aws_efs_mount_targets(file_system_id: "FILE_SYSTEM_ID") do + it { should be_available } +end +``` + +## AWS Permissions + +{{% inspec-aws/aws_permissions_principal action="EFS:Client:DescribeMountTargetsResponse" %}} diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_eks_cluster.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_eks_cluster.md new file mode 100644 index 0000000..e86ea64 --- /dev/null +++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_eks_cluster.md 
@@ -0,0 +1,197 @@ ++++ +title = "aws_eks_cluster resource" + +draft = false + + +[menu.aws] +title = "aws_eks_cluster" +identifier = "inspec/resources/aws/aws_eks_cluster resource" +parent = "inspec/resources/aws" ++++ + +Use the `aws_eks_cluster` InSpec audit resource to test properties of a single AWS Elastic Container Service for Kubernetes. + +For additional information, including details on parameters and properties, see the [AWS documentation on EKS Clusters](https://docs.aws.amazon.com/eks/latest/userguide/getting-started.html). + +## Syntax + +An `aws_eks_cluster` resource block declares the tests for a single EKS Cluster by Cluster name. + +```ruby +describe aws_eks_cluster('my-eks') do + it { should exist } +end +``` + +```ruby +describe aws_eks_cluster(cluster_name: 'my-eks') do + it { should exist } +end +``` + +## Parameters + +`cluster_name` _(required if resource_data not provided)_ + +: The name of the EKS cluster. + This can be passed either as a string or as a `cluster_name: 'value'` key-value entry in a hash. + +`resource_data` _(required if cluster_name not provided)_ + +: A hash or the cached AWS response passed from the `aws_eks_clusters` resource. + +## Properties + +`arn` +: The Amazon Resource Name (ARN) of the cluster. + +`name` +: The name of the cluster. + +`endpoint` +: The endpoint for your Kubernetes API server. + +`status` +: The current status of the cluster. + +`version` +: The Kubernetes server version for the cluster. + +`certificate_authority` +: The certificate-authority-data for your cluster. + +`subnets_count` +: The number of subnets associated with your cluster. + +`subnet_ids` +: The subnets associated with your cluster. + +`security_groups_count` +: The count of security groups associated with your cluster. + +`security_group_ids` +: The security groups associated with the cross-account elastic network interfaces that are used to allow communication between your worker nodes and the Kubernetes control plane. 
+ +`role_arn` +: The Amazon Resource Name (ARN) of the IAM role that provides permissions for the Kubernetes control plane to make calls to AWS API operations on your behalf. + +`vpc_id` +: The VPC associated with your cluster. + +`created_at` +: The Unix epoch timestamp in seconds for when the cluster was created. + +`creating` +: Boolean indicating whether or not the state of the cluster is CREATING. + +`active` +: Boolean indicating whether or not the state of the cluster is ACTIVE. + +`failed` +: Boolean indicating whether or not the state of the cluster is FAILED. + +`deleting` +: Boolean indicating whether or not the state of the cluster is DELETING. + +`tags` +: Cluster tags. + +`enabled_logging_types` +: Return list of enabled logging types. + +`disabled_logging_types` +: Return list of disabled logging types. + +## Examples + +Test that an EKS Cluster has at least 2 subnets: + +```ruby +describe aws_eks_cluster('my-cluster') do + its('subnets_count') { should be > 1 } +end +``` + +Ensure a Cluster has the correct status: + +```ruby +describe aws_eks_cluster(cluster_name: 'my-eks') do + its('status') { should eq 'ACTIVE' } +end +``` + +Ensure that the EKS Cluster is on the correct VPC: + +```ruby +describe aws_eks_cluster('my-cluster') do + its('vpc_id') { should eq 'vpc-12345678' } +end +``` + +Ensure the EKS Cluster is using the correct IAM Role: + +```ruby +describe aws_eks_cluster('my-cluster') do + its('role_arn') { should cmp 'rn:aws:iam::012345678910:role/eks-service-role-AWSServiceRoleForAmazonEKS-J7ONKE3BQ4PI' } +end +``` + +Ensure that the EKS Cluster is on the correct VPC from cached resources: + +```ruby +resource = aws_eks_clusters.where(cluster_name: 'my-eks') +describe aws_eks_cluster(resource_data: resource) do + its('vpc_id') { should eq 'vpc-12345678' } +end +``` + +Integrate with other resources: + +Use a combination of InSpec AWS resources to ensure your EKS Cluster does not use the Default VPC. 
+ +Find the default Security Group for our VPC: + +```ruby +cluster_vpc = aws_eks_cluster(cluster_name: 'my-cluster').vpc_id +default_sg = aws_security_group(group_name: 'default', vpc_id: cluster_vpc) +``` + +Ensure we are not using the default Security Group: + +```ruby +describe aws_eks_cluster(cluster_name: 'my-cluster') do + its('security_group_ids') { should_not include default_security_group.group_id } +end +``` + +## Matchers + +{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}} + +This resource has the following special matchers. + +### exist + +The control will pass if the describe returns at least one result. + +Use `should_not` to test the entity should not exist. + +```ruby +describe aws_eks_cluster('AnExistingCluster') do + it { should exist } +end +``` + +```ruby +describe aws_eks_cluster('ANonExistentCluster') do + it { should_not exist } +end +``` + +## AWS Permissions + +{{% inspec-aws/aws_permissions_principal action="EKS:Client:DescribeClusterResponse" %}} + +You can find detailed documentation at [Amazon EKS IAM Policies, Roles, and Permissions](https://docs.aws.amazon.com/eks/latest/userguide/IAM_policies.html) +The documentation for EKS actions is at [Policy Structure](https://docs.aws.amazon.com/eks/latest/userguide/iam-policy-structure.html#UsingWithEKS_Actions) diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_eks_clusters.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_eks_clusters.md new file mode 100644 index 0000000..8879a9f --- /dev/null +++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_eks_clusters.md 
@@ -0,0 +1,140 @@ ++++ +title = "aws_eks_clusters resource" + +draft = false + + +[menu.aws] +title = "aws_eks_clusters" +identifier = "inspec/resources/aws/aws_eks_clusters resource" +parent = "inspec/resources/aws" ++++ + +Use the `aws_eks_clusters` resource to test the configuration of a collection of AWS Elastic Container Service for Kubernetes. + +For additional information, including details on parameters and properties, see the [AWS documentation on EKS Clusters](https://docs.aws.amazon.com/eks/latest/userguide/getting-started.html). + +## Syntax + +```ruby +describe aws_eks_clusters do + its('names.count') { should cmp 10 } +end +``` + +## Parameters + +This resource does not require any parameters. + +## Properties + +`arn` +: The Amazon Resource Name (ARN) of the cluster. + +`name` +: The name of the cluster. + +`endpoint` +: The endpoint for your Kubernetes API server. + +`status` +: The current status of the cluster. + +`version` +: The Kubernetes server version for the cluster. + +`certificate_authority` +: The certificate-authority-data for your cluster. + +`subnets_count` +: The number of subnets associated with your cluster. + +`subnet_ids` +: The subnets associated with your cluster. + +`security_groups_count` +: The count of security groups associated with your cluster. + +`security_group_ids` +: The security groups associated with the cross-account elastic network interfaces that are used to allow communication between your worker nodes and the Kubernetes control plane. + +`role_arn` +: The Amazon Resource Name (ARN) of the IAM role that provides permissions for the Kubernetes control plane to make calls to AWS API operations on your behalf. + +`vpc_id` +: The VPC associated with your cluster. + +`created_at` +: The Unix epoch timestamp in seconds for when the cluster was created. + +`creating` +: Boolean indicating whether or not the state of the cluster is CREATING. 
+ +`active` +: Boolean indicating whether or not the state of the cluster is ACTIVE. + +`failed` +: Boolean indicating whether or not the state of the cluster is FAILED. + +`deleting` +: Boolean indicating whether or not the state of the cluster is DELETING. + +`entries` +: Provides access to the raw results of the query, which can be treated as an array of hashes. + +## Examples + +Allow at most 100 EKS Clusters on the account: + +```ruby +describe aws_eks_clusters do + its('entries.count') { should be <= 100} +end +``` + +Ensure a specific Cluster exists, by name: + +```ruby +describe aws_eks_clusters do + its('names') { should include('cluster-1') } +end +``` + +Ensure no Clusters are in a failed state: + +```ruby +describe aws_eks_clusters.where( failed: true ) do + it { should_not exist ) +end +``` + +## Matchers + +{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}} + +This resource has the following special matchers. + +### exist + +The control will pass if the describe returns at least one result. + +Use `should_not` to test the entity should not exist. + +```ruby +describe aws_eks_clusters.where( : ) do + it { should exist } +end +``` + +```ruby +describe aws_eks_clusters.where( : ) do + it { should_not exist } +end +``` + +## AWS Permissions + +{{% inspec-aws/aws_permissions_principal action="EKS:Client:DescribeClusterResponse" %}} + +You can find detailed documentation at [Amazon EKS IAM Policies, Roles, and Permissions](https://docs.aws.amazon.com/eks/latest/userguide/IAM_policies.html) +The documentation for EKS actions is at [Policy Structure](https://docs.aws.amazon.com/eks/latest/userguide/iam-policy-structure.html#UsingWithEKS_Actions) diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_elasticache_cluster.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_elasticache_cluster.md new file mode 100644 index 0000000..b004d4b --- /dev/null 
+++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_elasticache_cluster.md 
@@ -0,0 +1,124 @@ ++++ +title = "aws_elasticache_cluster resource" + +draft = false + + +[menu.aws] +title = "aws_elasticache_cluster" +identifier = "inspec/resources/aws/aws_elasticache_cluster resource" +parent = "inspec/resources/aws" ++++ + +Use the `aws_elasticache_cluster` InSpec audit resource to test the properties of a single AWS ElastiCache cluster. + +## Syntax + +An `aws_elasticache_cluster` resource block declares the tests for a single AWS ElastiCache cluster by `cache_cluster_id`. + +```ruby +describe aws_elasticache_cluster(cache_cluster_id: 'my-cluster-123') do + it { should exist } +end +``` + +The value of the `cache_cluster_id` can be provided as a string. + +```ruby +describe aws_elasticache_cluster('my-cluster-123') do + its('engine') { should cmp 'redis' } +end +``` + +## Parameters + +The ElastiCache cluster ID must be provided. + +`cache_cluster_id` _(required)_ + +: The ID of the ElastiCache cluster: + +- contains between 1 and 50 alphanumeric characters or hyphens, +- should start with a letter, +- cannot end with a hyphen or contain two consecutive hyphens. + +: It can be passed either as a string or as a `cache_cluster_id: 'value'` key-value entry in a hash. + +## Properties + +`cache_cluster_id` +: The user-supplied identifier of the cluster. This identifier is a unique key that identifies a cluster. + +`engine` +: The name of the cache engine, e.g. `redis`. + +`node_ids` +: The id list of all cluster nodes. + +`ports` +: A hash of the node ID and port number pairs. + +`status` +: The current state of the cluster, e.g. `creating`, `available`. + +`encrypted_at_rest` +: Indicates whether the content is encrypted at rest or not. + +`encrypted_at_transit` +: Indicates whether the content is encrypted at transit or not. + +There are also additional properties available. For a comprehensive list, see [the API reference documentation](https://docs.aws.amazon.com/AmazonElastiCache/latest/APIReference/API_CacheCluster.html). 
+ +## Examples + +Test that an ElastiCache cluster is available: + +```ruby +describe aws_elasticache_cluster("my-cluster-123") do + its("status") { should eq 'available' } +end +``` + +Test that an Elasticache cluster engine is listening on port `11211`: + +```ruby +describe aws_elasticache_cluster(cache_cluster_id: "my-cluster-123") do + its("port") { should cmp 11211 } +end +``` + +Test that an Elasticache cluster's engine version is `1.5.16`: + +```ruby +describe aws_elasticache_cluster(cache_cluster_id: "my-cluster-123") do + its("engine_version") { should cmp 1.5.16 } +end +``` + +## Matchers + +{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}} + +This resource has the following special matchers. + +### exist + +```ruby +describe aws_elasticache_cluster(cache_cluster_id: "my-cluster-123") do + it { should exist } +end +``` + +### be_encrypted_at_rest + +```ruby +describe aws_elasticache_cluster(cache_cluster_id: "my-cluster-123") do + it { should be_encrypted_at_rest } +end +``` + +## AWS Permissions + +{{% inspec-aws/aws_permissions_principal action="ElastiCache:Client:CacheClusterMessage" %}} + +You can find detailed documentation at [Actions, Resources, and Condition Keys for Amazon ElastiCache](https://docs.aws.amazon.com/IAM/latest/UserGuide/list_amazonelasticache.html), and [Actions, Resources, and Condition Keys for Identity And Access Management](https://docs.aws.amazon.com/IAM/latest/UserGuide/list_identityandaccessmanagement.html). diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_elasticache_cluster_node.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_elasticache_cluster_node.md new file mode 100644 index 0000000..702694b --- /dev/null +++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_elasticache_cluster_node.md 
@@ -0,0 +1,106 @@
++++
+title = "aws_elasticache_cluster_node resource"
+
+draft = false
+
+
+[menu.aws]
+title = "aws_elasticache_cluster_node"
+identifier = "inspec/resources/aws/aws_elasticache_cluster_node resource"
+parent = "inspec/resources/aws"
++++
+
+Use the `aws_elasticache_cluster_node` InSpec audit resource to test the properties of a single AWS ElastiCache cluster node.
+
+## Syntax
+
+An `aws_elasticache_cluster_node` resource block declares the tests for a single AWS ElastiCache cluster node by `cache_cluster_id` and `node_id`.
+
+```ruby
+describe aws_elasticache_cluster_node(cache_cluster_id: 'my-cluster-123', node_id: '0001') do
+ it { should exist }
+end
+```
+
+## Parameters
+
+The ElastiCache cluster ID and node ID must be provided.
+
+`cache_cluster_id` _(required)_
+
+: The ID of the ElastiCache cluster:
+
+- contains between 1 and 50 alphanumeric characters or hyphens,
+- should start with a letter,
+- cannot end with a hyphen or contain two consecutive hyphens.
+
+: It can be passed either as a string or as a `cache_cluster_id: 'value'` key-value entry in a hash.
+
+`node_id` _(required)_
+
+: The ID of the node must be a string containing 4 digits. It can be passed as a `node_id: 'value'` key-value entry in a hash.
+
+## Properties
+
+`id`
+: The cache node identifier, e.g. `0001`.
+
+`port`
+: The port number that the cache engine is listening on.
+
+`address`
+: The DNS hostname of the cache node.
+
+`status`
+: The current state of the cache node. One of the following values: `available`, `creating`, `rebooting`, or `deleting`.
+
+`create_time`
+: The date and time when the cache node was created.
+
+There are also additional properties available. For a comprehensive list, see [the API reference documentation](https://docs.aws.amazon.com/AmazonElastiCache/latest/APIReference/API_CacheNode.html).
+
+## Examples
+
+Test that an ElastiCache cluster node is available:
+
+```ruby
+describe aws_elasticache_cluster_node(cache_cluster_id: "my-cluster-123", node_id: "0001") do
+ its("status") { should eq 'available' }
+end
+```
+
+Test that an Elasticache cluster engine is listening on port `11211`:
+
+```ruby
+describe aws_elasticache_cluster_node(cache_cluster_id: "my-cluster-123", node_id: "0001") do
+ its("port") { should cmp 11211 }
+end
+```
+
+Test that an Elasticache cluster node's customer availability zone is `us-east-2b`:
+
+```ruby
+describe aws_elasticache_cluster_node(cache_cluster_id: "my-cluster-123", node_id: "0001") do
+ its("customer_availability_zone") { should cmp "us-east-2b" }
+end
+```
+
+## Matchers
+
+{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}}
+
+This resource has the following special matchers.
+
+### exist
+
+```ruby
+describe aws_elasticache_cluster_node(cache_cluster_id: "my-cluster-123", node_id: "0001") do
+ it { should exist }
+end
+```
+
+## AWS Permissions
+
+{{% inspec-aws/aws_permissions_principal action="ElastiCache:Client:CacheClusterMessage" %}}
+
+You can find detailed documentation at [Actions, Resources, and Condition Keys for Amazon ElastiCache](https://docs.aws.amazon.com/IAM/latest/UserGuide/list_amazonelasticache.html), and [Actions, Resources, and Condition Keys for Identity And Access Management](https://docs.aws.amazon.com/IAM/latest/UserGuide/list_identityandaccessmanagement.html).
diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_elasticache_clusters.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_elasticache_clusters.md
new file mode 100644
index 0000000..5fc4157
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_elasticache_clusters.md
@@ -0,0 +1,103 @@
++++
+title = "aws_elasticache_clusters resource"
+
+draft = false
+
+
+[menu.aws]
+title = "aws_elasticache_clusters"
+identifier = "inspec/resources/aws/aws_elasticache_clusters resource"
+parent = "inspec/resources/aws"
++++
+
+Use the `aws_elasticache_clusters` InSpec audit resource to test the properties of all AWS ElastiCache clusters. To audit a single ElastiCache cluster, use `aws_elasticache_cluster` (singular).
+
+## Syntax
+
+An `aws_elasticache_clusters` resource block collects a group of ElastiCache cluster descriptions and then tests that group.
+
+```ruby
+describe aws_elasticache_clusters
+ it { should exist }
+end
+```
+
+## Parameters
+
+This resource does not require any parameters.
+
+## Properties
+
+`ids`
+: The user-supplied identifier of the cluster. This identifier is a unique key that identifies a cluster.
+
+`node_types`
+: The name of the compute and memory capacity node type for the cluster, e.g. `cache.m5.large`.
+
+`engines`
+: The name of the cache engine, e.g. `redis`.
+
+`status`
+: The current state of the cluster, e.g. `creating`, `available`.
+
+`zones`
+: The name of the availability zone in which the cluster is located or "Multiple" if the cache nodes are located in different availability zones.
+
+`subnet_group_names`
+: The name of the cache subnet group.
+
+`encrypted_at_rest`
+: Indicates whether the content is encrypted at rest or not.
+
+`encrypted_at_transit`
+: Indicates whether the content is encrypted at transit or not.
+
+## Examples
+
+Ensure that exactly 3 ElastiCache clusters exist:
+
+```ruby
+describe aws_elasticache_clusters do
+ its("entries.count") { should cmp 3 }
+end
+```
+
+Use this InSpec resource to request the IDs of all ElastiCache clusters, then test in-depth using `aws_elasticache_cluster` and `aws_elasticache_cluster_node`:
+
+```ruby
+aws_elasticache_clusters.ids.each do |id|
+ aws_elasticache_cluster(id).node_ids.each do |node_id|
+ describe aws_elasticache_cluster_node(cache_cluster_id: id, node_id: node_id) do
+ it { should exist }
+ end
+ end
+end
+```
+
+## Matchers
+
+{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}}
+
+### exist
+
+The control will pass if the describe returns at least one result.
+
+Use `should_not` to test the entity should not exist.
+
+```ruby
+describe aws_elasticache_clusters.where( : ) do
+ it { should exist }
+end
+```
+
+```ruby
+describe aws_elasticache_clusters.where( : ) do
+ it { should_not exist }
+end
+```
+
+## AWS Permissions
+
+{{% inspec-aws/aws_permissions_principal action="ElastiCache:Client:CacheClusterMessage" %}}
+
+You can find detailed documentation at [Actions, Resources, and Condition Keys for Amazon ElastiCache](https://docs.aws.amazon.com/IAM/latest/UserGuide/list_amazonelasticache.html), and [Actions, Resources, and Condition Keys for Identity And Access Management](https://docs.aws.amazon.com/IAM/latest/UserGuide/list_identityandaccessmanagement.html).
diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_elasticache_replication_group.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_elasticache_replication_group.md
new file mode 100644
index 0000000..26a03a3
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_elasticache_replication_group.md
@@ -0,0 +1,100 @@
++++
+title = "aws_elasticache_replication_group resource"
+
+draft = false
+
+
+[menu.aws]
+title = "aws_elasticache_replication_group"
+identifier = "inspec/resources/aws/aws_elasticache_replication_group resource"
+parent = "inspec/resources/aws"
++++
+
+Use the `aws_elasticache_replication_group` InSpec audit resource to test the properties of a single Amazon ElastiCache replication group.
+
+## Syntax
+
+An `aws_elasticache_replication_group` resource block declares the tests for a single Amazon ElastiCache replication group by `replication_group_id`.
+
+```ruby
+describe aws_elasticache_replication_group(replication_group_id: 'my-replication-group-123') do
+ it { should exist }
+end
+```
+
+The value of the `replication_group_id` can be provided as a string.
+
+```ruby
+describe aws_elasticache_replication_group('my-replication-group-123') do
+ it { should exist }
+end
+```
+
+## Parameters
+
+The ElastiCache replication group ID is required.
+
+`replication_group_id` _(required)_
+
+: The ID of the ElastiCache replication group:
+
+: - must contain between 1 and 50 alphanumeric characters or hyphens
+
+- should start with a letter
+- cannot end with a hyphen or contain two consecutive hyphens
+
+: It can be passed either as a string or as a `replication_group_id: 'value'` key-value entry in a hash.
+
+## Properties
+
+`replication_group_id`
+: The user-supplied identifier of the replication group. This identifier is a unique key that identifies a replication group.
+
+`status`
+: The current state of the replication group, e.g. `creating`, `available`.
+
+`encrypted_at_rest`
+: Indicates whether the content is encrypted at rest or not.
+
+`encrypted_at_transit`
+: Indicates whether the content is encrypted at transit or not.
+
+There are also additional properties available. For a comprehensive list, see [the API reference documentation](https://docs.aws.amazon.com/sdk-for-ruby/v3/api/Aws/ElastiCache/Types/ReplicationGroup.html).
+
+## Examples
+
+Test that an ElastiCache replication group is available:
+
+```ruby
+describe aws_elasticache_replication_group('my-replication-group-123') do
+ its("status") { should eq 'available' }
+end
+```
+
+## Matchers
+
+{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}}
+
+This resource has the following special matchers.
+
+### exist
+
+```ruby
+describe aws_elasticache_replication_group('my-replication-group-123') do
+ it { should exist }
+end
+```
+
+### be_encrypted_at_rest
+
+```ruby
+describe aws_elasticache_replication_group('my-replication-group-123') do
+ it { should be_encrypted_at_rest }
+end
+```
+
+## AWS Permissions
+
+{{% inspec-aws/aws_permissions_principal action="ElastiCache:Client:ReplicationGroupMessage" %}}
+
+You can find detailed documentation at [Actions, Resources, and Condition Keys for Amazon ElastiCache](https://docs.aws.amazon.com/IAM/latest/UserGuide/list_amazonelasticache.html), and [Actions, Resources, and Condition Keys for Identity And Access Management](https://docs.aws.amazon.com/IAM/latest/UserGuide/list_identityandaccessmanagement.html).
diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_elasticache_replication_groups.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_elasticache_replication_groups.md
new file mode 100644
index 0000000..6180466
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_elasticache_replication_groups.md
@@ -0,0 +1,94 @@
++++
+title = "aws_elasticache_replication_groups resource"
+
+draft = false
+
+
+[menu.aws]
+title = "aws_elasticache_replication_groups"
+identifier = "inspec/resources/aws/aws_elasticache_replication_groups resource"
+parent = "inspec/resources/aws"
++++
+
+Use the `aws_elasticache_replication_groups` InSpec audit resource to test the properties of all Amazon ElastiCache replication groups. To audit a single ElastiCache replication group, use `aws_elasticache_replication_group` (singular).
+
+## Syntax
+
+An `aws_elasticache_replication_groups` resource block collects a group of ElastiCache replication group descriptions and then tests that group.
+
+```ruby
+describe aws_elasticache_replication_groups
+ it { should exist }
+end
+```
+
+## Parameters
+
+This resource does not require any parameters.
+
+## Properties
+
+`ids`
+: The user-supplied identifier of the replication group. This identifier is a unique key that identifies a replication group.
+
+`node_types`
+: The name of the compute and memory capacity node type for the replication group, e.g. `cache.m5.large`.
+
+`status`
+: The current state of the replication group, e.g. `creating`, `available`.
+
+`encrypted_at_rest`
+: Indicates whether the content is encrypted at rest or not.
+
+`encrypted_at_transit`
+: Indicates whether the content is encrypted at transit or not.
+
+## Examples
+
+Ensure that exactly three ElastiCache replication groups exist:
+
+```ruby
+describe aws_elasticache_replication_groups do
+ its('count') { should eq 3 }
+end
+```
+
+Request the IDs of all ElastiCache replication groups, then test in-depth using `aws_elasticache_replication_group`:
+
+```ruby
+aws_elasticache_replication_groups.ids.each do |replication_group_id|
+ describe aws_elasticache_replication_group(replication_group_id) do
+ it { should be_encrypted_at_rest }
+ end
+end
+```
+
+## Matchers
+
+{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}}
+
+This resource has the following special matchers.
+
+### exist
+
+The control will pass if the 'describe' method returns at least one result.
+
+```ruby
+describe aws_elasticache_replication_groups.where( : ) do
+ it { should exist }
+end
+```
+
+Use `should_not` to test an entity that should not exist.
+
+```ruby
+describe aws_elasticache_replication_groups.where( : ) do
+ it { should_not exist }
+end
+```
+
+## AWS Permissions
+
+{{% inspec-aws/aws_permissions_principal action="ElastiCache:Client:ReplicationGroupMessage" %}}
+
+You can find detailed documentation at [Actions, Resources, and Condition Keys for Amazon ElastiCache](https://docs.aws.amazon.com/IAM/latest/UserGuide/list_amazonelasticache.html), and [Actions, Resources, and Condition Keys for Identity And Access Management](https://docs.aws.amazon.com/IAM/latest/UserGuide/list_identityandaccessmanagement.html).
diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_elasticloadbalancingv2_listener.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_elasticloadbalancingv2_listener.md
new file mode 100644
index 0000000..b0469e5
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_elasticloadbalancingv2_listener.md
@@ -0,0 +1,221 @@
++++
+title = "aws_elasticloadbalancingv2_listener resource"
+
+draft = false
+
+
+[menu.aws]
+title = "aws_elasticloadbalancingv2_listener"
+identifier = "inspec/resources/aws/aws_elasticloadbalancingv2_listener resource"
+parent = "inspec/resources/aws"
++++
+
+Use the `aws_elasticloadbalancingv2_listener` InSpec audit resource to test properties of a single Application Load Balancer or Network Load Balancer listener.
+
+For additional information, including details on parameters and properties, see the [AWS documentation on ElasticLoadBalancingV2 Listener](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-elasticloadbalancingv2-listener.html).
+
+## Syntax
+
+Ensure that a listener arn exist.
+
+```ruby
+describe aws_elasticloadbalancingv2_listener(listener_arn: "LISTENER_ARN") do
+ it { should exist }
+end
+```
+
+Ensure that the listener has a desired port.
+
+```ruby
+describe aws_elasticloadbalancingv2_listener(listener_arn: "LISTENER_ARN") do
+ its ('port') { should eq 80 }
+end
+```
+
+## Parameters
+
+`listener_arn` _(required)_
+
+: The Amazon Resource Name (ARN) of the listener.
+
+## Properties
+
+`listener_arn`
+: The Amazon Resource Name (ARN) of the listener.
+
+`load_balancer_arn`
+: The Amazon Resource Name (ARN) of the load balancer.
+
+`port`
+: The port on which the load balancer is listening.
+
+`protocol`
+: The protocol for connections from clients to the load balancer.
+
+`certificates (certificate_arn)`
+: The Amazon Resource Name (ARN) of the certificate.
+
+`certificates (is_default)`
+: Indicates whether the certificate is the default certificate. Do not set this value when specifying a certificate as an input. This value is not included in the output when describing a listener, but is included when describing listener certificates.
+
+`ssl_policy`
+: The security policy (HTTPS or TLS listener) that defines which protocols and ciphers are supported.
+
+`default_actions (type)`
+: The type of action.
+
+`default_actions (target_group_arn)`
+: The Amazon Resource Name (ARN) of the target group. Specify only when Type is forward and you want to route to a single target group. To route to one or more target groups, use ForwardConfig instead.
+
+`default_actions (authenticate_oidc_config (issuer))`
+: The OIDC issuer identifier of the IdP. This must be a full URL, including the HTTPS protocol, the domain, and the path.
+
+`default_actions (authenticate_oidc_config (authorization_endpoint))`
+: The authorization endpoint of the IdP. This must be a full URL, including the HTTPS protocol, the domain, and the path.
+
+`default_actions (authenticate_oidc_config (token_endpoint))`
+: The token endpoint of the IdP. This must be a full URL, including the HTTPS protocol, the domain, and the path.
+
+`default_actions (authenticate_oidc_config (user_info_endpoint))`
+: The user info endpoint of the IdP. This must be a full URL, including the HTTPS protocol, the domain, and the path.
+
+`default_actions (authenticate_oidc_config (client_id))`
+: The OAuth 2.0 client identifier.
+
+`default_actions (authenticate_oidc_config (client_secret))`
+: The OAuth 2.0 client secret. This parameter is required if you are creating a rule. If you are modifying a rule, you can omit this parameter if you set `UseExistingClientSecret` to true.
+
+`default_actions (authenticate_oidc_config (session_cookie_name))`
+: The name of the cookie used to maintain session information. The default is AWSELBAuthSessionCookie.
+
+`default_actions (authenticate_oidc_config (scope))`
+: The set of user claims to be requested from the IdP. The default is `openid`. To verify which scope values your IdP supports and how to separate multiple values, see the documentation for your IdP.
+
+`default_actions (authenticate_oidc_config (session_timeout))`
+: The maximum duration of the authentication session, in seconds. The default is 604800 seconds (7 days).
+
+`default_actions (authenticate_oidc_config (authentication_request_extra_params))`
+: The query parameters (up to 10) to include in the redirect request to the authorization endpoint.
+
+`default_actions (authenticate_oidc_config (on_unauthenticated_request))`
+: The behavior if the user is not authenticated. The following are possible values are demy or allow or authenticate.
+
+`default_actions (authenticate_oidc_config (use_existing_client_secret))`
+: Indicates whether to use the existing client secret when modifying a rule. If you are creating a rule, you can omit this parameter or set it to `false`.
+
+`default_actions (authenticate_oidc_config (user_pool_arn))`
+: The Amazon Resource Name (ARN) of the Amazon Cognito user pool.
+
+`default_actions (authenticate_oidc_config (user_pool_client_id))`
+: The ID of the Amazon Cognito user pool client.
+
+`default_actions (authenticate_oidc_config (user_pool_domain))`
+: The domain prefix or fully-qualified domain name of the Amazon Cognito user pool.
+
+`default_actions (authenticate_oidc_config (session_cookie_name))`
+: The name of the cookie used to maintain session information. The default is `AWSELBAuthSessionCookie`.
+
+`default_actions (authenticate_oidc_config (scope))`
+: The set of user claims to be requested from the IdP. The default is `openid`. To verify which scope values your IdP supports and how to separate multiple values, see the documentation for your IdP.
+
+`default_actions (authenticate_oidc_config (session_timeout))`
+: The maximum duration of the authentication session, in seconds. The default is `604800` seconds (7 days).
+
+`default_actions (authenticate_oidc_config (authentication_request_extra_params))`
+: The query parameters (up to 10) to include in the redirect request to the authorization endpoint.
+
+`default_actions (authenticate_oidc_config (authentication_request_extra_params))`
+: group.
+
+`default_actions (authenticate_oidc_config (on_unauthenticated_request))`
+: The behavior if the user is not authenticated. Possible values: `deny`, `allow`, or `authenticate`.
+
+`default_actions (order)`
+: The order for the action. This value is required for rules with multiple actions. The action with the lowest value for order is performed first.
+
+`default_actions (redirect_config (protocol))`
+: The protocol. You can specify `HTTP`, `HTTPS`, or `#{protocol}`.
+
+`default_actions (redirect_config (port))`
+: The port. You can specify a value from 1 to 65535 or `#{port}`.
+
+`default_actions (redirect_config (host))`
+: The hostname. This component is not percent-encoded. The hostname can contain `#{host}`.
+
+`default_actions (redirect_config (path))`
+: The absolute path, starting with the leading "/". This component is not percent-encoded. The path can contain `#{host}`, `#{path}`, and `#{port}`.
+
+`default_actions (redirect_config (query))`
+: The query parameters, URL-encoded when necessary, but not percent-encoded. Do not include the leading "?", as it is automatically added. You can specify any of the reserved keywords.
+
+`default_actions (redirect_config (status_code))`
+: The HTTP redirect code. The redirect is either permanent (HTTP 301) or temporary (HTTP 302).
+
+`default_actions (fixed_response_config (message_body))`
+: The message.
+
+`default_actions (fixed_response_config (status_code))`
+: The HTTP response code (2XX, 4XX, or 5XX).
+
+`default_actions (fixed_response_config (content_type))`
+: The content type. Valid Values: `text/plain`, `text/css`, `text/html`, `application/javascript`, `application/json`.
+
+`default_actions (forward_config (target_groups))`
+: One or more target groups. For Network Load Balancers, you can specify a single target group.
+
+`default_actions (forward_config (target_groups (target_group_arn)))`
+: The Amazon Resource Name (ARN) of the target group.
+
+`default_actions (forward_config (target_groups (weight)))`
+: The weight. The range is 0 to 999.
+
+`default_actions (forward_config (target_group_stickiness_config (enabled)))`
+: Indicates whether target group stickiness is enabled.
+
+`default_actions (forward_config (target_group_stickiness_config (duration_seconds)))`
+: The time period, in seconds, during which requests from a client should be routed to the same target group. The range is 1-604800 seconds (7 days).
+
+`alpn_policy`
+: [TLS listener] The name of the Application-Layer Protocol Negotiation (ALPN) policy.
+
+## Examples
+
+Ensure that a listener arn exists:
+
+```ruby
+describe aws_elasticloadbalancingv2_listener(listener_arn: "LISTENER_ARN") do
+ its('listener_arn') { should eq "LISTENER_ARN" }
+end
+```
+
+Ensure that listener listens to a specific port:
+
+```ruby
+describe aws_elasticloadbalancingv2_listener(listener_arn: "LISTENER_ARN") do
+ its('port') { should eq PORT_NUMBER}
+end
+```
+
+## Matchers
+
+{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}}
+
+This resource has the following special matchers.
+
+### exist
+
+The control will pass if the describe returns at least one result.
+
+Use `should_not` to test the entity should not exist.
+
+```ruby
+describe aws_elasticloadbalancingv2_listener(listener_arn: "LISTENER_ARN") do
+ it { should_not exist }
+end
+```
+
+## AWS Permissions
+
+{{% inspec-aws/aws_permissions_principal action="ElasticLoadBalancingV2:Client:DescribeListenersOutput" %}}
+
+You can find detailed documentation at [Actions, Resources, and Condition Keys for Amazon Auto Scaling Groups](https://docs.aws.amazon.com/autoscaling/ec2/userguide/control-access-using-iam.html).
diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_elasticloadbalancingv2_listener_certificate.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_elasticloadbalancingv2_listener_certificate.md
new file mode 100644
index 0000000..1d768af
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_elasticloadbalancingv2_listener_certificate.md
@@ -0,0 +1,87 @@
++++
+title = "aws_elasticloadbalancingv2_listener_certificate resource"
+
+draft = false
+
+
+[menu.aws]
+title = "aws_elasticloadbalancingv2_listener_certificate"
+identifier = "inspec/resources/aws/aws_elasticloadbalancingv2_listener_certificate resource"
+parent = "inspec/resources/aws"
++++
+
+Use the `aws_elasticloadbalancingv2_listener_certificate` InSpec audit resource to test properties of a single TLS or HTTPS listener certificate.
+
+For additional information, including details on parameters and properties, see the [AWS documentation on ElasticLoadBalancingV2 Listener Certificate](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-elasticloadbalancingv2-listenercertificate.html).
+
+## Syntax
+
+Ensure that a listener ARN exist.
+
+```ruby
+describe aws_elasticloadbalancingv2_listener_certificate(listener_arn: 'LISTENER_ARN') do
+ it { should exist }
+end
+```
+
+Ensure that the listener has a desired port.
+
+```ruby
+describe aws_elasticloadbalancingv2_listener_certificate(listener_arn: 'LISTENER_ARN') do
+ its('certificate_arn') { should eq "CERTIFICATE_ARN" }
+end
+```
+
+## Parameters
+
+`listener_arn` _(required)_
+
+: The Amazon Resource Name (ARN) of the listener certificate.
+
+## Properties
+
+`certificate_arn`
+: The Amazon Resource Name (ARN) of the certificate.
+
+`is_default`
+: Indicates whether the certificate is the default certificate. Valid values: `true` or `false`.
+
+## Examples
+
+Ensure that a listener ARN exists:
+
+```ruby
+describe aws_elasticloadbalancingv2_listener_certificate(listener_arn: 'LISTENER_ARN') do
+ it { should exist }
+end
+```
+
+Ensure that listener has a desired certificate ARN attached:
+
+```ruby
+describe aws_elasticloadbalancingv2_listener_certificate(listener_arn: 'LISTENER_ARN') do
+ its('certificate_arn') { should eq "CERTIFICATE_ARN" }
+end
+```
+
+## Matchers
+
+{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}}
+
+This resource has the following special matchers.
+
+### exist
+
+The control will pass if the describe returns at least one result.
+
+Use `should_not` to test the entity should not exist.
+
+```ruby
+describe aws_elasticloadbalancingv2_listener(listener_arn: "LISTENER_ARN") do
+ it { should_not exist }
+end
+```
+
+## AWS Permissions
+
+{{% inspec-aws/aws_permissions_principal action="ElasticLoadBalancingV2:Client:DescribeListenerCertificatesOutput" %}}
diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_elasticloadbalancingv2_listener_certificates.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_elasticloadbalancingv2_listener_certificates.md
new file mode 100644
index 0000000..4e46034
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_elasticloadbalancingv2_listener_certificates.md
@@ -0,0 +1,85 @@
++++
+title = "aws_elasticloadbalancingv2_listener_certificates resource"
+
+draft = false
+
+
+[menu.aws]
+title = "aws_elasticloadbalancingv2_listener_certificates"
+identifier = "inspec/resources/aws/aws_elasticloadbalancingv2_listener_certificates resource"
+parent = "inspec/resources/aws"
++++
+
+Use the `aws_elasticloadbalancingv2_listener_certificates` InSpec audit resource to test properties of multiple TLS or HTTPS listener certificates.
+
+For additional information, including details on parameters and properties, see the [AWS documentation on ElasticLoadBalancingV2 Listener Certificate](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-elasticloadbalancingv2-listenercertificate.html).
+
+## Syntax
+
+Ensure that a listener ARN exists.
+
+```ruby
+describe aws_elasticloadbalancingv2_listener_certificates(listener_arn: 'LISTENER_ARN') do
+ it { should exist }
+end
+```
+
+## Parameters
+
+`listener_arn` _(required)_
+
+: The Amazon Resource Name (ARN) of the listener certificate.
+
+## Properties
+
+`certificate_arns`
+: The Amazon Resource Name (ARN) of the certificate.
+
+`is_default`
+: Indicates whether the certificate is the default certificate.
+
+## Examples
+
+Ensure a listener ARN is available:
+
+```ruby
+describe aws_elasticloadbalancingv2_listener_certificates(listener_arn: 'LISTENER_ARN') do
+ it { should exist }
+end
+```
+
+Ensure that listener has a desired certificate ARN attached:
+
+```ruby
+describe aws_elasticloadbalancingv2_listener_certificates(listener_arn: 'LISTENER_ARN') do
+ its('certificate_arns') { should include "CERTIFICATE_ARN" }
+end
+```
+
+## Matchers
+
+{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}}
+
+The controls will pass if the `describe` method returns at least one result.
+
+### exist
+
+Use `should` to test that the entity exists.
+
+```ruby
+describe aws_elasticloadbalancingv2_listener_certificates(listener_arn: 'LISTENER_ARN') do
+ it { should exist }
+end
+```
+
+Use `should_not` to test the entity does not exist.
+
+```ruby
+describe aws_elasticloadbalancingv2_listener_certificates(listener_arn: 'LISTENER_ARN') do
+ it { should_not exist }
+end
+```
+
+## AWS Permissions
+
+{{% inspec-aws/aws_permissions_principal action="ElasticLoadBalancingV2:Client:DescribeListenerCertificatesOutput" %}}
diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_elasticloadbalancingv2_listener_rule.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_elasticloadbalancingv2_listener_rule.md
new file mode 100644
index 0000000..211c572
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_elasticloadbalancingv2_listener_rule.md
@@ -0,0 +1,236 @@ ++++ +title = "aws_elasticloadbalancingv2_listener_rule resource" + +draft = false + + +[menu.aws] +title = "aws_elasticloadbalancingv2_listener_rule" +identifier = "inspec/resources/aws/aws_elasticloadbalancingv2_listener_rule resource" +parent = "inspec/resources/aws" ++++ + +Use the `aws_elasticloadbalancingv2_listener_rule` InSpec audit resource to test properties of a single listener rule for an Application Load Balancer. Each rule consists of a priority, one or more actions, and one or more conditions. + +For additional information, including details on parameters and properties, see the [AWS documentation on ELBv2 Listener Rule](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-elasticloadbalancingv2-listenerrule.html). + +## Syntax + +Ensure that a rule exists. + +```ruby +describe aws_elasticloadbalancingv2_listener_rule(rule_arn: 'RULE_ARN') do + it { should exist } +end +``` + +## Parameters + +`rule_arn` _(required)_ + +: The Amazon Resource Name (ARN) of the rule. + +## Properties + +`rule_arn` +: The Amazon Resource Names (ARN) of the rules. + +`priority` +: The rule priority. + +`conditions (field)` +: The field in the HTTP request. Valid values are `http-header`, `http-request-method`, `host-header`, `path-pattern`, `query-string, and source-ip`. + +`conditions (values)` +: The condition value. Specify only when Field is `host-header` or `path-pattern`. Alternatively, to specify multiple host names or multiple path patterns, use `HostHeaderConfig` or `PathPatternConfig`. + +`conditions (host_header_config (values))` +: One or more host names. + +`conditions (path_pattern_config (values))` +: One or more path patterns to compare against the request URL. + +`conditions (http_header_config (http_header_name))` +: The name of the HTTP header field. + +`conditions (http_header_config (Values))` +: One or more strings to compare against the value of the HTTP header. 
+ +`conditions (query_string_config (values (key)))` +: The key of the query string configuration. You can omit the key. + +`conditions (query_string_config (values (value)))` +: The value of the query string configuration. + +`conditions (http_request_method_config (values))` +: The name of the request method. + +`conditions (source_ip_config (values))` +: One or more source IP addresses, in CIDR format. Either IPv4 or IPv6 address. + +`actions (type)` +: The type of action. Valid values: `authenticate-cognito`, `authenticate-oidc`, `fixed-response`, `forward`, `redirect`. + +`actions (target_group_arn)` +: The ARN of the target group. Specified only when Type is `forward` and you are routing to a single target group. If routing to one or more target groups, `ForwardConfig` is used instead. + +`actions (authenticate_oidc_config (issuer))` +: The OIDC issuer identifier of the IdP. This must be a full URL, including the HTTPS protocol, the domain, and the path. + +`actions (authenticate_oidc_config (authorization_endpoint))` +: The authorization endpoint of the IdP. This must be a full URL, including the HTTPS protocol, the domain, and the path. + +`actions (authenticate_oidc_config (token_endpoint))` +: The token endpoint of the IdP. This must be a full URL, including the HTTPS protocol, the domain, and the path. + +`actions (authenticate_oidc_config (user_info_endpoint))` +: The user info endpoint of the IdP. This must be a full URL, including the HTTPS protocol, the domain, and the path. + +`actions (authenticate_oidc_config (client_id))` +: The OAuth 2.0 client identifier. + +`actions (authenticate_oidc_config (client_secret))` +: The OAuth 2.0 client secret. + +`actions (authenticate_oidc_config (session_cookie_name))` +: The name of the cookie used to maintain session information. The default is `AWSELBAuthSessionCookie`. + +`actions (authenticate_oidc_config (scope))` +: The set of user claims to be requested from the IdP. The default is `openid`. 
+ +`actions (authenticate_oidc_config (session_timeout))` +: The maximum duration of the authentication session, in seconds. The default is 604800 seconds (7 days). + +`actions (authenticate_oidc_config (authentication_request_extra_params))` +: The query parameters (up to 10) to include in the redirect request to the authorization endpoint. + +`actions (authenticate_oidc_config (on_unauthenticated_request))` +: The behavior if the user is not authenticated. Valid values are `deny`, `allow`, and `autheticate`. + +`actions (authenticate_oidc_config (use_existing_client_secret))` +: Indicates whether to use the existing client secret when modifying a rule. If you are creating a rule, you can omit this parameter or set it to false. + +`actions (authenticate_cognito_config (user_pool_arn))` +: The ARN of the Amazon Cognito user pool. + +`actions (authenticate_cognito_config (user_pool_client_id))` +: The ID of the Amazon Cognito user pool client. + +`actions (authenticate_cognito_config (user_pool_domain))` +: The domain prefix or fully-qualified domain name of the Amazon Cognito user pool. + +`actions (authenticate_cognito_config (session_cookie_name))` +: The name of the cookie used to maintain session information. The default is `AWSELBAuthSessionCookie`. + +`actions (authenticate_cognito_config (scope))` +: The set of user claims to be requested from the IdP. The default is `openid`. + +`actions (authenticate_cognito_config (session_timeout))` +: The maximum duration of the authentication session, in seconds. The default is 604800 seconds (7 days). + +`actions (authenticate_cognito_config (authentication_request_extra_params))` +: The query parameters (up to 10) to include in the redirect request to the authorization endpoint. + +`actions (authenticate_cognito_config (on_unauthenticated_request))` +: The behavior if the user is not authenticated. The following are possible values are `deny`, `allow`, and `authenticate`. 
+ +`actions (order)` +: The order for the action. This value is required for rules with multiple actions. + +`actions (redirect_config (protocol))` +: The protocol. Valid values are: `HTTP`, `HTTPS`, or `#{protocol}`. + +`actions (redirect_config (port))` +: The port. Values range from 1 to 65535 or #{port}. + +`actions (redirect_config (host))` +: The hostname. This component is not percent-encoded. The hostname can contain #{host}. + +`actions (redirect_config (path))` +: The absolute path, starting with the leading "/". This component is not percent-encoded. The path can contain #{host}, #{path}, and #{port}. + +`actions (redirect_config (query))` +: The query parameters, URL-encoded when necessary, but not percent-encoded. Do not include the leading "?", as it is automatically added. You can specify any of the reserved keywords. + +`actions (redirect_config (status_code))` +: The HTTP redirect code. The redirect is either permanent (HTTP 301) or temporary (HTTP 302). + +`actions (fixed_response_config (message_body))` +: The message from a custom HTTP response. Only valid when Type is `fixed-response`. + +`actions (fixed_response_config (status_code))` +: The HTTP response code (2XX, 4XX, or 5XX) from a custom HTTP response. + +`actions (fixed_response_config (content_type))` +: The content type from a custom HTTP response. Valid values: `text/plain`, `text/css`, `text/html`, `application/javascript`, `application/json`. + +`actions (forward_config (target_groups ( target_group_tupple (target_group_arn))))` +: The ARN of the target group. + +`actions (forward_config (target_groups ( target_group_tupple (weight))))` +: The weight of the target group. The range is 0 to 999. + +`actions (fixed_response_config (target_group_stickiness_config (enabled)))` +: Indicates whether target group stickiness is enabled. 
+ +`actions (fixed_response_config (target_group_stickiness_config (duration_seconds)))` +: The time period, in seconds, during which requests from a client should be routed to the same target group. The range is 1-604800 seconds (7 days). + +`is_default` +: Indicates whether this is the default rule. + +## Examples + +Ensure a rule ARN is available: + +```ruby +describe aws_elasticloadbalancingv2_listener_rule(rule_arn: 'RULE_ARN') do + its('rule_arn') { should eq 'RULE_ARN' } +end +``` + +Verify the priority of the desired rule ARN: + +```ruby +describe aws_elasticloadbalancingv2_listener_rule(rule_arn: 'RULE_ARN') do + its('priority') { should eq 1 } +end +``` + +## Matchers + +{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}} + +The controls will pass if the `describe` method returns at least one result. + +### exist + +Use `should` to test that the entity exists. + +```ruby +describe aws_elasticloadbalancingv2_listener_rule(rule_arn: 'RULE_ARN') do + it { should exist } +end +``` + +Use `should_not` to test the entity does not exist. + +```ruby +describe aws_elasticloadbalancingv2_listener_rule(rule_arn: 'RULE_ARN') do + it { should_not exist } +end +``` + +### be_available + +Use `should` to check if the work_group name is available. + +```ruby +describe aws_elasticloadbalancingv2_listener_rule(rule_arn: 'dummy') do + it { should be_available } +end +``` + +## AWS Permissions + +{{% inspec-aws/aws_permissions_principal action="ElasticLoadBalancingV2:Client:DescribeRulesOutput" %}} diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_elasticloadbalancingv2_listener_rules.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_elasticloadbalancingv2_listener_rules.md new file mode 100644 index 0000000..b903b6a --- /dev/null +++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_elasticloadbalancingv2_listener_rules.md 
@@ -0,0 +1,116 @@ ++++ +title = "aws_elasticloadbalancingv2_listener_rules resource" + +draft = false + + +[menu.aws] +title = "aws_elasticloadbalancingv2_listener_rules" +identifier = "inspec/resources/aws/aws_elasticloadbalancingv2_listener_rules resource" +parent = "inspec/resources/aws" ++++ + +Use the `aws_elasticloadbalancingv2_listener_rules` InSpec audit resource to test properties of multiple listener rules associated with an Application Load Balancer. + +Each rule consists of a priority, one or more actions, and one or more conditions. + +For additional information, including details on parameters and properties, see the [AWS documentation on ELBv2 Listener Rule](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-elasticloadbalancingv2-listenerrule.html). + +## Syntax + +Ensure that a listener ARN exists. + +```ruby +describe aws_elasticloadbalancingv2_listener_rules(listener_arn: 'LISTENER_ARN') do + it { should exist } +end +``` + +## Parameters + +`listener_arn` _(required)_ + +: The ARN of the listener. + +## Properties + +`rule_arns` +: The Amazon Resource Name (ARN) of the rule. + +: **Field**: `rule_arns` + +`priorities` +: The rule priority. + +: **Field**: `priorities` + +`conditions` +: The conditions for listener rules. Each rule can include zero or one of the following conditions: `http-request-method` , `host-header` , `path-pattern` , and `source-ip`, and zero or more of the following conditions: `http-header` and `query-string`. + +: **Field**: `conditions` + +`actions` +: The actions for listener rules. Each rule includes exactly one of the following types of actions: `forward`, `redirect`, or `fixed-response`. + +: **Field**: `actions` + +`is_defaults` +: Indicates whether this is the default rule. 
+ +: **Field**: `is_defaults` + +## Examples + +Ensure a listener ARN is available: + +```ruby +describe aws_elasticloadbalancingv2_listener_rules(listener_arn: 'LISTENER_ARN') do + its('rule_arns') { should include 'RULE_ARN' } +end +``` + +Verify the priority of the desired rule ARN: + +```ruby +describe aws_elasticloadbalancingv2_listener_rules(listener_arn: 'LISTENER_ARN') do + its('priorities') { should include 1 } +end +``` + +## Matchers + +{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}} + +The controls will pass if the `describe` method returns at least one result. + +### exist + +Use `should` to test that the entity exists. + +```ruby +describe aws_elasticloadbalancingv2_listener_rules(listener_arn: 'LISTENER_ARN') do + it { should exist } +end +``` + +Use `should_not` to test the entity does not exist. + +```ruby +describe aws_elasticloadbalancingv2_listener_rules(listener_arn: 'LISTENER_ARN') do + it { should_not exist } +end +``` + +### be_available + +Use `should` to check if the work_group name is available. + +```ruby +describe aws_elasticloadbalancingv2_listener_rules(listener_arn: 'LISTENER_ARN') do + it { should be_available } +end +``` + +## AWS Permissions + +{{% inspec-aws/aws_permissions_principal action="ElasticLoadBalancingV2:Client:DescribeRulesOutput" %}} diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_elasticloadbalancingv2_listeners.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_elasticloadbalancingv2_listeners.md new file mode 100644 index 0000000..a890d21 --- /dev/null +++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_elasticloadbalancingv2_listeners.md 
@@ -0,0 +1,89 @@ ++++ +title = "aws_elasticloadbalancingv2_listeners resource" + +draft = false + + +[menu.aws] +title = "aws_elasticloadbalancingv2_listeners" +identifier = "inspec/resources/aws/aws_elasticloadbalancingv2_listeners resource" +parent = "inspec/resources/aws" ++++ + +Use the `aws_elasticloadbalancingv2_listeners` InSpec audit resource to test the properties of multiple Application Load Balancer or Network Load Balancer listeners. + +For additional information, including details on parameters and properties, see the [AWS documentation on ElasticLoadBalancingV2 Listener](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-elasticloadbalancingv2-listener.html). + +## Syntax + +An `aws_elasticloadbalancingv2_listeners` resource block returns all Application Load Balancer or Network Load Balancer listeners. + +```ruby +describe aws_elasticloadbalancingv2_listener(load_balancer_arn: "LOAD_BALANCER_ARN") do + its { should exist } +end +``` + +## Parameters + +`load_balancer_arn` _(required)_ + +: The Amazon Resource Name (ARN) of the load balancer. + +## Properties + +`listener_arns` +: The Amazon Resource Name (ARN) of the listener. + +`load_balancer_arns` +: The Amazon Resource Name (ARN) of the load balancer. + +`ports` +: The port on which the load balancer is listening. + +`protocols` +: The protocol for connections from clients to the load balancer. + +`certificates` +: The certificates of the listener. + +`ssl_policies` +: The SSL policies of the listener. + +`default_actions` +: The default actions of the listener. + +`alpn_policies` +: The name of the Application-Layer Protocol Negotiation (ALPN) policies of the listener. 
+ +## Examples + +Ensure there are ports attached to the listener: + +```ruby +describe aws_elasticloadbalancingv2_listener(load_balancer_arn: "LOAD_BALANCER_ARN") do + its('ports') { should include PORT_NUMBER} +end +``` + +## Matchers + +For a full list of available matchers, visit the [InSpec matchers page](https://www.inspec.io/docs/reference/matchers/). + +### exist + +The control will pass if the describe returns at least one result. + +Use `should_not` to test the entity should not exist. + +```ruby +describe aws_elasticloadbalancingv2_listener(load_balancer_arn: "LOAD_BALANCER_ARN") do + it { should_not exist } +end +``` + +## AWS Permissions + +{{% inspec-aws/aws_permissions_principal action="ElasticLoadBalancingV2:Client:DescribeListenersOutput" %}} + +You can find detailed documentation at [Actions, Resources, and Condition Keys for Amazon Auto Scaling Groups](https://docs.aws.amazon.com/autoscaling/ec2/userguide/control-access-using-iam.html). diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_elasticloadbalancingv2_target_group.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_elasticloadbalancingv2_target_group.md new file mode 100644 index 0000000..d2d933d --- /dev/null +++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_elasticloadbalancingv2_target_group.md 
@@ -0,0 +1,143 @@ ++++ +title = "aws_elasticloadbalancingv2_target_group resource" + +draft = false + + +[menu.aws] +title = "aws_elasticloadbalancingv2_target_group" +identifier = "inspec/resources/aws/aws_elasticloadbalancingv2_target_group resource" +parent = "inspec/resources/aws" ++++ + +Use the `aws_elasticloadbalancingv2_target_group` InSpec audit resource to test properties of a single Elastic Load Balancing V2 target group. + +For additional information, including details on parameters and properties, see the [AWS documentation on ElasticLoadBalancingV2 TargetGroup](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-elasticloadbalancingv2-targetgroup.html). + +## Syntax + +Ensure that a target group arn exists. + +```ruby +describe aws_elasticloadbalancingv2_target_group(target_group_arn: 'arn:aws:elasticloadbalancing:REGION:ACCOUNT_ID:RESOURCE_ID') do + it { should exist } +end +``` + +## Parameters + +`target_group_arn` _(required)_ + +: The Amazon Resource Name (ARN) of the target group. + +## Properties + +`target_group_arn` +: The Amazon Resource Name (ARN) of the target group. + +`target_group_name` +: The name of the target group. + +`protocol` +: The protocol to use for routing traffic to the targets. Valid values are: `GENEVE`, `HTTP`, `HTTPS`, `TCP`, `TCP_UDP`, `TLS`, or `UDP`. + +`port` +: The port on which the targets are listening. Not used if the target is a Lambda function. + +`vpc_id` +: The ID of the VPC for the targets. + +`health_check_protocol` +: The protocol to use to connect with the target. The GENEVE, TLS, UDP, and TCP_UDP protocols are not supported for health checks. + +`health_check_port` +: The port to use to connect with the target. + +`health_check_enabled` +: Indicates whether health checks are enabled. + +`health_check_interval_seconds` +: The approximate amount of time, in seconds, between health checks of an individual target. 
+ +`health_check_timeout_seconds` +: The amount of time, in seconds, during which no response means a failed health check. + +`healthy_threshold_count` +: The number of consecutive health check successes required before considering an unhealthy target healthy. + +`unhealthy_threshold_count` +: The number of consecutive health check failures required before considering the target unhealthy. + +`health_check_path` +: The destination for health checks on the targets. + +`matcher (http_code)` +: For Application Load Balancers, you can specify values between 200 and 499, and the default value is 200. You can specify multiple values (for example, "200,202") or a range of values (for example, "200-299"). For Network Load Balancers and Gateway Load Balancers, this must be "200–399". + +`matcher (grpc_code)` +: You can specify values between 0 and 99. You can specify multiple values (for example, "0,1") or a range of values (for example, "0-5"). The default value is 12. + +`load_balancer_arns` +: The Amazon Resource Names (ARN) of the load balancers that route traffic to this target group. + +`target_type` +: The type of target that you must specify when registering targets with this target group. The possible values are instance (register targets by instance ID), ip (register targets by IP address), or lambda (register a single Lambda function as a target). + +`protocol_version` +: For HTTP or HTTPS protocols, the protocol version. Valid values are `GRPC`, `HTTP1`, and `HTTP2`. 
+ +## Examples + +Ensure a target group ARN is available: + +```ruby +describe aws_elasticloadbalancingv2_target_group(target_group_arn: 'arn:aws:elasticloadbalancing:REGION:ACCOUNT_ID:RESOURCE_ID') do + its('target_group_arn') { should eq 'arn:aws:elasticloadbalancing:REGION:ACCOUNT_ID:RESOURCE_ID' } +end +``` + +Ensure that the target group name exists: + +```ruby +describe aws_elasticloadbalancingv2_target_group(target_group_arn: 'arn:aws:elasticloadbalancing:REGION:ACCOUNT_ID:RESOURCE_ID') do + its('target_group_name') { should eq 'TARGET_GROUP_NAME' } +end +``` + +## Matchers + +{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}} + +The controls will pass if the `describe` method returns at least one result. + +### exist + +Use `should` to test that the entity exists. + +```ruby +describe aws_elasticloadbalancingv2_target_group(target_group_arn: 'arn:aws:elasticloadbalancing:REGION:ACCOUNT_ID:RESOURCE_ID') do + it { should exist } +end +``` + +Use `should_not` to test the entity does not exist. + +```ruby +describe aws_elasticloadbalancingv2_target_group( target_group_arn: 'dummy') do + it { should_not exist } +end +``` + +### be_available + +Use `should` to check if the work_group name is available. + +```ruby +describe aws_elasticloadbalancingv2_target_group(target_group_arn: 'arn:aws:elasticloadbalancing:REGION:ACCOUNT_ID:RESOURCE_ID') do + it { should be_available } +end +``` + +## AWS Permissions + +{{% inspec-aws/aws_permissions_principal action="ElasticLoadBalancingV2:Client:DescribeTargetGroupsOutput" %}} diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_elasticloadbalancingv2_target_groups.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_elasticloadbalancingv2_target_groups.md new file mode 100644 index 0000000..8fe49e3 --- /dev/null +++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_elasticloadbalancingv2_target_groups.md 
@@ -0,0 +1,134 @@ ++++ +title = "aws_elasticloadbalancingv2_target_groups resource" + +draft = false + + +[menu.aws] +title = "aws_elasticloadbalancingv2_target_groups" +identifier = "inspec/resources/aws/aws_elasticloadbalancingv2_target_groups resource" +parent = "inspec/resources/aws" ++++ + +Use the `aws_elasticloadbalancingv2_target_groups` InSpec audit resource to test properties of multiple Elastic Load Balancing V2 target groups. + +## Syntax + +Ensure that a target group arn exists. + +```ruby +describe aws_elasticloadbalancingv2_target_groups do + it { should exist } +end +``` + +For additional information, see the [AWS documentation on ElasticLoadBalancingV2 TargetGroup](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-elasticloadbalancingv2-targetgroup.html). + +## Properties + +`target_group_arns` +: The Amazon Resource Name (ARN) of the target group. + +`target_group_names` +: The name of the target group. + +`protocols` +: The protocol to use for routing traffic to the targets. Valid values are: `GENEVE`, `HTTP`, `HTTPS`, `TCP`, `TCP_UDP`, `TLS`, or `UDP`. + +`ports` +: The port on which the targets are listening. Not used if the target is a Lambda function. + +`vpc_id s` +: The ID of the VPC for the targets. + +`health_check_protocols` +: The protocol to use to connect with the target. The `GENEVE`, `TLS`, `UDP`, and `TCP_UDP` protocols are not supported for health checks. + +`health_check_ports` +: The port to use to connect with the target. + +`health_check_enableds` +: Indicates whether health checks are enabled. + +`health_check_interval_seconds` +: The approximate amount of time, in seconds, between health checks of an individual target. + +`health_check_timeout_seconds` +: The amount of time, in seconds, during which no response means a failed health check. + +`healthy_threshold_counts` +: The number of consecutive health check successes required before considering an unhealthy target healthy. 
+ +`unhealthy_threshold_counts` +: The number of consecutive health check failures required before considering the target unhealthy. + +`health_check_paths` +: The destination for health checks on the targets. + +`matchers` +: The HTTP or gRPC codes to use when checking for a successful response from a target. + +`load_balancer_arns` +: The Amazon Resource Names (ARN) of the load balancers that route traffic to this target group. + +`target_types` +: The type of target that you must specify when registering targets with this target group. The possible values are instance (register targets by instance ID), ip (register targets by IP address), or lambda (register a single Lambda function as a target). + +`protocol_versions` +: For HTTP or HTTPS protocols, the protocol version. Valid values are `GRPC`, `HTTP1`, and `HTTP2`. + +## Examples + +Ensure a target group ARN is available: + +```ruby +describe aws_elasticloadbalancingv2_target_groups do + its('target_group_names') { should include 'TARGET_GROUP_NAME' } +end +``` + +Ensure that the target group name exists: + +```ruby +describe aws_elasticloadbalancingv2_target_groups do + its('protocol_versions') { should include 'HTTP1' } +end +``` + +## Matchers + +{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}} + +The controls will pass if the `describe` method returns at least one result. + +### exist + +Use `should` to test that the entity exists. + +```ruby +describe aws_elasticloadbalancingv2_target_groups do + it { should exist } +end +``` + +Use `should_not` to test the entity does not exist. + +```ruby +describe aws_elasticloadbalancingv2_target_groups do + it { should_not exist } +end +``` + +### be_available + +Use `should` to check if the work_group name is available. 
+ +```ruby +describe aws_elasticloadbalancingv2_target_groups do + it { should be_available } +end +``` + +## AWS Permissions + +{{% inspec-aws/aws_permissions_principal action="ElasticLoadBalancingV2:Client:DescribeTargetGroupsOutput" %}} diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_elasticsearchservice_domain.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_elasticsearchservice_domain.md new file mode 100644 index 0000000..a835888 --- /dev/null +++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_elasticsearchservice_domain.md 
@@ -0,0 +1,275 @@ ++++ +title = "aws_elasticsearchservice_domain resource" + +draft = false + + +[menu.aws] +title = "aws_elasticsearchservice_domain" +identifier = "inspec/resources/aws/aws_elasticsearchservice_domain resource" +parent = "inspec/resources/aws" ++++ + +Use the `aws_elasticsearchservice_domain` InSpec audit resource to test properties of a single specific Elasticsearch domain. + +The AWS::Elasticsearch::Domain resource creates an Amazon Elasticsearch Service (Amazon ES) domain. + +For additional information, including details on parameters and properties, see the [AWS documentation on Elasticsearch Domain](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-elasticsearch-domain.html). + +## Syntax + +Ensure that a domain name exists. + +```ruby +describe aws_elasticsearchservice_domain(domain_name: 'DOMAIN_NAME') do + it { should exist } +end +``` + +## Parameters + +`domain_name` _(required)_ + +: The name of an Elasticsearch domain. + Pass the domain name as a key-value entry in a hash. + +## Properties + +`domain_id` +: The unique identifier for the specified Elasticsearch domain. + +`domain_name` +: The name of an Elasticsearch domain. + +`arn` +: The Amazon resource name (ARN) of an Elasticsearch domain. + +`created` +: The domain creation status. `true` if the creation of an Elasticsearch domain is complete. `false` if domain creation is still in progress. + +`deleted` +: The domain deletion status. `true` if a delete request has been received for the domain but resource cleanup is still in progress. `false` if the domain has not been deleted. Once domain deletion is complete, the status of the domain is no longer returned. + +`endpoint` +: The Elasticsearch domain endpoint that you use to submit index and search requests. + +`endpoints` +: Key-value map containing the Elasticsearch domain endpoints used to submit index and search requests. + +`processing` +: The status of the Elasticsearch domain configuration. 
`true` if Amazon Elasticsearch Service is processing configuration changes. `false` if the configuration is active. + +`upgrade_processing` +: The status of an Elasticsearch domain version upgrade. `true` if Amazon Elasticsearch Service is undergoing a version upgrade. `false` if the configuration is active. + +`elasticsearch_version` +: The elasticsearch version. + +`elasticsearch_cluster_config (instance_type)` +: The instance type for an Elasticsearch cluster. UltraWarm instance types are not supported for data instances. + +`elasticsearch_cluster_config (instance_count)` +: The number of instances in the specified domain cluster. + +`elasticsearch_cluster_config (dedicated_master_enabled)` +: A boolean value to indicate whether a dedicated master node is enabled. + +`elasticsearch_cluster_config (zone_awareness_enabled)` +: A boolean value to indicate whether zone awareness is enabled. + +`elasticsearch_cluster_config (zone_awareness_config (availability_zone_count))` +: An integer value to indicate the number of availability zones for a domain when zone awareness is enabled. This should be equal to number of subnets if VPC endpoints is enabled. + +`elasticsearch_cluster_config (dedicated_master_type)` +: The instance type for a dedicated master node. + +`elasticsearch_cluster_config (dedicated_master_count)` +: Total number of dedicated master nodes, active and on standby, for the cluster. + +`elasticsearch_cluster_config (warm_enabled)` +: True to enable warm storage. + +`elasticsearch_cluster_config (warm_type)` +: The instance type for the Elasticsearch cluster's warm nodes. + +`elasticsearch_cluster_config (warm_count)` +: The number of warm nodes in the cluster. + +`ebs_options (ebs_enabled)` +: Specifies whether EBS-based storage is enabled. + +`ebs_options (volume_type)` +: Specifies the volume type for EBS-based storage. + +`ebs_options (volume_size)` +: Integer to specify the size of an EBS volume. 
+ +`ebs_options (iops)` +: Specifies the IOPD for a Provisioned IOPS EBS volume (SSD). + +`access_policies` +: IAM access policy as a JSON-formatted string. + +`snapshot_options (automated_snapshot_start_hour)` +: Specifies the time, in UTC format, when the service takes a daily automated snapshot of the specified Elasticsearch domain. Default value is 0 hours. + +`vpc_options (vpc_id)` +: The VPC Id for the Elasticsearch domain. Exists only if the domain was created with VPCOptions. + +`vpc_options (subnet_ids)` +: Specifies the subnets for VPC endpoint. + +`vpc_options (availability_zones)` +: The availability zones for the Elasticsearch domain. Exists only if the domain was created with VPCOptions. + +`vpc_options (security_group_ids)` +: Specifies the security groups for VPC endpoint. + +`cognito_options (enabled)` +: Specifies the option to enable Cognito for Kibana authentication. + +`cognito_options (user_pool_id)` +: Specifies the Cognito user pool ID for Kibana authentication. + +`cognito_options (identity_pool_id)` +: Specifies the Cognito identity pool ID for Kibana authentication. + +`cognito_options (role_arn)` +: Specifies the role ARN that provides Elasticsearch permissions for accessing Cognito resources. + +`encryption_at_rest_options (enabled)` +: Specifies the option to enable Encryption At Rest. + +`encryption_at_rest_options (kms_key_id)` +: Specifies the KMS Key ID for Encryption At Rest options. + +`node_to_node_encryption_options (enabled)` +: Specify true to enable node-to-node encryption. + +`advanced_options` +: Additional options to specify for the Amazon ES domain. + +`log_publishing_options (cloud_watch_logs_log_group_arn)` +: ARN of the Cloudwatch log group to which log needs to be published. + +`log_publishing_options (enabled)` +: Specifies whether given log publishing option is enabled or not. + +`service_software_options (current_version)` +: The current service software version that is present on the domain. 
+ +`service_software_options (new_version)` +: The new service software version if one is available. + +`service_software_options (update_available)` +: Whether you are able to update your service software version. Valid values: `true` or `false`. + +`service_software_options (cancellable)` +: Whether you are able to cancel your service software version update. Valid values: `true` or `false`. + +`service_software_options (update_status)` +: The status of your service software update. Valid values: `ELIGIBLE`, `PENDING_UPDATE`, `IN_PROGRESS` , `COMPLETED`, and `NOT_ELIGIBLE`. + +`service_software_options (description)` +: The description of the UpdateStatus. + +`service_software_options (automated_update_date)` +: Timestamp, in Epoch time, until which you can manually request a service software update. After this date, we automatically update your service software. + +`service_software_options (optional_deployment)` +: Whether service software is never automatically updated after `AutomatedUpdateDate`. Valid values: `true` or `false`. + +`domain_endpoint_options (enforce_https)` +: Specify if only HTTPS endpoint should be enabled for the Elasticsearch domain. + +`domain_endpoint_options (tls_security_policy)` +: Specify the TLS security policy that needs to be applied to the HTTPS endpoint of Elasticsearch domain. Valid values are: `Policy-Min-TLS-1-0-2019-07` and `Policy-Min-TLS-1-2-2019-07`. + +`domain_endpoint_options (custom_endpoint_enabled)` +: Specify if custom endpoint should be enabled for the Elasticsearch domain. Valid values: `true` or `false`. + +`domain_endpoint_options (custom_endpoint)` +: Specify the fully qualified domain for your custom endpoint. + +`domain_endpoint_options (custom_endpoint_certificate_arn)` +: Specify ACM certificate ARN for your custom endpoint. + +`advanced_security_options (enabled)` +: `true` if advanced security is enabled. Valid values: `true` or `false`. 
+
+`advanced_security_options (internal_user_database_enabled)`
+: `true` if the internal user database is enabled. Valid values: `true` or `false`.
+
+`advanced_security_options (saml_options (enabled))`
+: `true` if SAML is enabled. Valid values: `true` or `false`.
+
+`advanced_security_options (saml_options (idp (metadata_content)))`
+: The metadata of the SAML application in XML format.
+
+`advanced_security_options (saml_options (idp (entity_id)))`
+: The unique entity ID of the application in SAML Identity Provider.
+
+`advanced_security_options (saml_options (subject_key))`
+: The key used for matching the SAML Subject attribute.
+
+`advanced_security_options (saml_options (roles_key))`
+: The key used for matching the SAML Roles attribute.
+
+`advanced_security_options (saml_options (session_timeout_minutes))`
+: The duration, in minutes, after which a user session becomes inactive.
+
+## Examples
+
+Ensure a domain name is available:
+
+```ruby
+describe aws_elasticsearchservice_domain(domain_name: 'DOMAIN_NAME') do
+ its('domain_name') { should eq 'DOMAIN_NAME' }
+end
+```
+
+Verify the ARN of a desired domain:
+
+```ruby
+describe aws_elasticsearchservice_domain(domain_name: 'DOMAIN_NAME') do
+ its('arn') { should eq 'ELASTICSEARCH_DOMAIN_ARN' }
+end
+```
+
+## Matchers
+
+{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}}
+
+The controls will pass if the `describe` method returns at least one result.
+
+### exist
+
+Use `should` to test that the entity exists.
+
+```ruby
+describe aws_elasticsearchservice_domain(domain_name: 'DOMAIN_NAME') do
+ it { should exist }
+end
+```
+
+Use `should_not` to test the entity does not exist.
+
+```ruby
+describe aws_elasticsearchservice_domain(domain_name: 'DOMAIN_NAME') do
+ it { should_not exist }
+end
+```
+
+### be_available
+
+Use `should` to check if the domain name is available.
+
+```ruby
+describe aws_elasticsearchservice_domain(domain_name: 'DOMAIN_NAME') do
+ it { should be_available }
+end
+```
+
+## AWS Permissions
+
+{{% inspec-aws/aws_permissions_principal action="ElasticsearchService:Client:DescribeElasticsearchDomainResponse" %}}
diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_elasticsearchservice_domains.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_elasticsearchservice_domains.md
new file mode 100644
index 0000000..cdf2c6b
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_elasticsearchservice_domains.md
@@ -0,0 +1,84 @@
++++
+title = "aws_elasticsearchservice_domains resource"
+
+draft = false
+
+
+[menu.aws]
+title = "aws_elasticsearchservice_domains"
+identifier = "inspec/resources/aws/aws_elasticsearchservice_domains resource"
+parent = "inspec/resources/aws"
++++
+
+Use the `aws_elasticsearchservice_domains` InSpec audit resource to test properties of a plural Elasticsearch Domains.
+
+The AWS::Elasticsearch::Domain resource creates an Amazon Elasticsearch Service (Amazon ES) domain.
+
+For additional information, including details on parameters and properties, see the [AWS documentation on Elasticsearch Domain](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-elasticsearch-domain.html).
+
+## Syntax
+
+Ensure that a domain name exists.
+
+```ruby
+describe aws_elasticsearchservice_domains do
+ it { should exist }
+end
+```
+
+## Parameters
+
+This resource does not require any parameters.
+
+## Properties
+
+`domain_name`
+: Specifies the domain name.
+
+## Examples
+
+Ensure a domain name is available:
+
+```ruby
+describe aws_elasticsearchservice_domains do
+ its('domain_name') { should include 'DOMAIN_NAME' }
+end
+```
+
+## Matchers
+
+{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}}
+
+The controls will pass if the `describe` method returns at least one result.
+
+### exist
+
+Use `should` to test that the entity exists.
+
+```ruby
+describe aws_elasticsearchservice_domains do
+ it { should exist }
+end
+```
+
+Use `should_not` to test the entity does not exist.
+
+```ruby
+describe aws_elasticsearchservice_domains do
+ it { should_not exist }
+end
+```
+
+### be_available
+
+Use `should` to check if the work_group name is available.
+
+```ruby
+describe aws_elasticsearchservice_domains do
+ it { should be_available }
+end
+```
+
+## AWS Permissions
+
+{{% inspec-aws/aws_permissions_principal action="ElasticsearchService:Client:ListDomainNamesResponse" %}}
diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_elb.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_elb.md
new file mode 100644
index 0000000..f3ef38e
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_elb.md
@@ -0,0 +1,178 @@
++++
+title = "aws_elb resource"
+
+draft = false
+
+
+[menu.aws]
+title = "aws_elb"
+identifier = "inspec/resources/aws/aws_elb resource"
+parent = "inspec/resources/aws"
++++
+
+Use the `aws_elb` InSpec audit resource to test properties of a single AWS Elastic Load Balancer (ELB).
+
+For additional information, including details on parameters and properties, see the [AWS documentation on Elastic Load Balancing](https://docs.aws.amazon.com/elasticloadbalancing/latest/APIReference).
+
+## Syntax
+
+An `aws_elb` resource block declares the tests for a single AWS ELB by ELB name. AWS ELB Names are unique per region.
+
+```ruby
+describe aws_elb('my-elb') do
+ it { should exist }
+end
+```
+
+```ruby
+describe aws_elb(load_balancer_name: 'my-elb') do
+ it { should exist }
+end
+```
+
+## Parameters
+
+`load_balancer_name` _(required)_
+
+: This resource accepts a single parameter, the ELB Name which uniquely identifies the ELB.
+ This can be passed either as a string or as a `load_balancer_name: 'value'` key-value entry in a hash.
+
+## Properties
+
+`load_balancer_name`
+: The name of the load balancer.
+
+`dns_name`
+: The DNS name of the load balancer.
+
+`availability_zones`
+: The Availability Zones for the load balancer.
+
+`instance_ids`
+: An array containing all instance ids associated with the ELB.
+
+`external_ports`
+: An array of the external ports exposed on the ELB.
+
+`internal_ports`
+: An array of the internal ports exposed on the ELB.
+
+`security_group_ids`
+: The security groups for the load balancer. Valid only for load balancers in a VPC.
+
+`vpc_id`
+: The ID of the VPC for the load balancer.
+
+`subnet_ids`
+: The IDs of the subnets for the load balancer.
+
+`listeners`
+: A collection of the listeners for the load balancer.
+
+`ssl_policies`
+: A collection of the SSL Policies configured in-use for the load balancer (and their policy attributes).
+
+`protocols`
+: A list of the protocols configured for the listeners of the load balancer.
+
+`cross_zone_load_balancing_enabled?`
+: The cross-zone load balancing status for ELB.
+
+`access_log_enabled?`
+: The access log status for ELB.
+
+`certificate_id`
+: A list of SSL certificate IDs configured for the listeners of the load balancer.
+
+## Examples
+
+Test that cross-zone load balancing for ELB is enabled:
+
+```ruby
+describe aws_elb('prod_web_app_elb') do
+ it { should be_cross_zone_load_balancing_enabled }
+end
+```
+
+Test that access logs for ELB are enabled:
+
+```ruby
+describe aws_elb('prod_web_app_elb') do
+ it { should be_access_log_enabled }
+end
+```
+
+Test that an ELB has its availability zones configured correctly:
+
+```ruby
+describe aws_elb('prod_web_app_elb') do
+ its('availability_zones.count') { should be > 1 }
+ its('availability_zones') { should include 'us-east-2a' }
+ its('availability_zones') { should include 'us-east-2b' }
+end
+```
+
+Ensure an ELB has the correct number of EC2 Instances associated with it:
+
+```ruby
+describe aws_elb('prod_web_app_elb') do
+ its('instance_ids.count') { should cmp 3 }
+end
+```
+
+Ensure the correct DNS is set :
+
+```ruby
+describe aws_elb('prod_web_app_elb') do
+ its('dns_name') { should cmp 'your-fqdn.com' }
+end
+```
+
+Ensure we only expose port 80, both to the public and internal:
+
+```ruby
+describe aws_elb('prod_web_app_elb') do
+ its('external_ports.count') { should cmp 1 }
+ its('external_ports') { should include 80 }
+ its('internal_ports.count') { should cmp 1 }
+ its('internal_ports') { should include 80 }
+end
+```
+
+Ensure the correct EC2 Instances are associated:
+
+```ruby
+describe aws_elb('prod_web_app_elb') do
+ its('instance_ids') { should include 'i-12345678' }
+end
+```
+
+## Matchers
+
+{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}}
+
+This resource has the following special matchers.
+
+### exist
+
+The control will pass if the describe returns at least one result.
+
+Use `should_not` to test the entity should not exist.
+
+```ruby
+describe aws_elb('AnExistingELB') do
+ it { should exist }
+end
+```
+
+```ruby
+describe aws_elb('ANonExistentELB') do
+ it { should_not exist }
+end
+```
+
+## AWS Permissions
+
+{{% inspec-aws/aws_permissions_principal action="ElasticLoadBalancing:Client:DescribeAccessPointsOutput" %}}
+
+You can find detailed documentation at [Authentication and Access Control for Your Load Balancers](https://docs.aws.amazon.com/elasticloadbalancing/latest/userguide/load-balancer-authentication-access-control.html)
diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_elbs.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_elbs.md
new file mode 100644
index 0000000..f8ad638
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_elbs.md
@@ -0,0 +1,108 @@
++++
+title = "aws_elbs resource"
+
+draft = false
+
+
+[menu.aws]
+title = "aws_elbs"
+identifier = "inspec/resources/aws/aws_elbs resource"
+parent = "inspec/resources/aws"
++++
+
+Use the `aws_elbs` InSpec audit resource to test the configuration of a collection of AWS Elastic Load Balancers.
+
+For additional information, including details on parameters and properties, see the [AWS documentation on Elastic Load Balancing](https://docs.aws.amazon.com/elasticloadbalancing/latest/APIReference).
+
+## Syntax
+
+```ruby
+describe aws_elbs do
+ its('load_balancer_names') { should include 'elb-name' }
+end
+```
+
+## Parameters
+
+This resource does not require any parameters.
+
+## Properties
+
+`load_balancer_names`
+: The name of the load balancer.
+
+`dns_names`
+: The DNS name of the load balancer.
+
+`availability_zones`
+: The Availability Zones for the load balancer.
+
+`instance_ids`
+: An array containing all instance ids associated with the ELB.
+
+`external_ports`
+: An array of the external ports exposed on the ELB.
+
+`internal_ports`
+: An array of the internal ports exposed on the ELB.
+
+`security_group_ids`
+: The security groups for the load balancer. Valid only for load balancers in a VPC.
+
+`vpc_ids`
+: The ID of the VPC for the load balancer.
+
+`subnet_id s`
+: The IDs of the subnets for the load balancer.
+
+## Examples
+
+Ensure there are no Load Balancers with an undesired zone:
+
+```ruby
+describe aws_elbs do
+ it { should exist }
+ its('availability_zones') { should_not include 'us-east-1a'}
+end
+```
+
+Ensure all ELBs expose only port 80:
+
+```ruby
+aws_elbs.each do |elb|
+ describe elb do
+ its('external_ports.count') { should cmp 1 }
+ its('external_ports') { should include 80 }
+ its('internal_ports.count') { should cmp 1 }
+ its('internal_ports') { should include 80 }
+ end
+end
+```
+
+## Matchers
+
+For a full list of available matchers, visit the [InSpec matchers page](https://www.inspec.io/docs/reference/matchers/).
+
+### exist
+
+The control will pass if the describe returns at least one result.
+
+Use `should_not` to test the entity should not exist.
+
+```ruby
+describe aws_elbs.where( : ) do
+ it { should exist }
+end
+```
+
+```ruby
+describe aws_elbs.where( : ) do
+ it { should_not exist }
+end
+```
+
+## AWS Permissions
+
+{{% inspec-aws/aws_permissions_principal action="ElasticLoadBalancing:Client:DescribeAccessPointsOutput" %}}
+
+You can find detailed documentation at [Authentication and Access Control for Your Load Balancers](https://docs.aws.amazon.com/elasticloadbalancing/latest/userguide/load-balancer-authentication-access-control.html)
diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_emr_cluster.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_emr_cluster.md
new file mode 100644
index 0000000..3791bc0
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_emr_cluster.md
@@ -0,0 +1,158 @@
++++
+title = "aws_emr_cluster resource"
+
+draft = false
+
+
+[menu.aws]
+title = "aws_emr_cluster"
+identifier = "inspec/resources/aws/aws_emr_cluster resource"
+parent = "inspec/resources/aws"
++++
+
+Use the `aws_emr_cluster` InSpec audit resource to test properties of the singular resource of AWS EMR cluster.
+
+For additional information, including details on parameters and properties, see the [AWS documentation on AWS EMR clusters](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-elasticmapreduce-cluster.html).
+
+## Syntax
+
+An `aws_emr_cluster` resource block declares the tests for a single AWS EMR cluster by cluster ID.
+
+```ruby
+describe aws_emr_cluster(cluster_id: 'CLUSTER_ID') do
+ it { should exist }
+end
+```
+
+```ruby
+describe aws_emr_cluster('CLUSTER_ID') do
+ it { should exist }
+end
+```
+
+## Parameters
+
+`cluster_id` _(required)_
+
+: This resource requires a single parameter, the EMR cluster ID.
+ This can be passed either as a string or as a `cluster_id: 'value'` key-value entry in a hash.
+
+## Properties
+
+`cluster_id`
+: The unique identifier of the cluster.
+
+`cluster_arn`
+: The Amazon Resource Name (ARN) that identifies the cluster.
+
+`cluster_name`
+: A user-generated string that you use to identify your cluster.
+
+`state`
+: The current state of the cluster.
+
+`status_state_change_reason_code`
+: The programmatic code for the state change reason.
+
+`status_state_change_reason_message`
+: The descriptive message for the state change reason.
+
+`status_timeline_creation_date_time`
+: The creation date and time of the cluster.
+
+`status_timeline_ready_date_time`
+: The date and time when the cluster was ready to run steps.
+
+`status_timeline_end_date_time`
+: The date and time when the cluster was terminated.
+
+`applications`
+: The name of applications installed on this cluster.
+
+`auto_scaling_role`
+: An IAM role for automatic scaling policies.
+
+`custom_ami_id`
+: Available only in Amazon EMR version 5.7.0 and later. The ID of a custom Amazon EBS-backed Linux AMI if the cluster uses a custom AMI.
+
+`ebs_root_volume_size`
+: The size, in GiB, of the Amazon EBS root device volume of the Linux AMI that is used for each EC2 instance. Available in Amazon EMR version 4.x and later.
+
+`kerberos_attributes_realm`
+: The name of the Kerberos realm to which all nodes in a cluster belong.
+
+`kerberos_attributes_realm_ad_domain_join_user`
+: A user with sufficient privileges to join resources to the domain. Required only when establishing a cross-realm trust with an Active Directory domain.
+
+`log_encryption_kms_key_id`
+: The KMS key used for encrypting log files.
+
+`log_uri`
+: The path to the Amazon S3 location where logs for this cluster are stored.
+
+`release_label`
+: The Amazon EMR release label, which determines the version of open-source application packages installed on the cluster.
+
+`scale_down_behavior`
+: The way that individual Amazon EC2 instances terminate when an automatic scale-in activity occurs or an instance group is resized. Valid values are TERMINATE_AT_INSTANCE_HOUR, TERMINATE_AT_TASK_COMPLETION.
+
+`service_role`
+: The IAM role that Amazon EMR assumes in order to access Amazon Web Services resources on your behalf.
+
+`step_concurrency_level`
+: Specifies the number of steps that can be executed concurrently.
+
+`visible_to_all_users`
+: Indicates whether the cluster is visible to IAM principals in the Amazon Web Services account associated with the cluster.
+
+`managed_scaling_policy_unit_type`
+: The unit type used for specifying a managed scaling policy. Valid values are InstanceFleetUnits, Instances, VCPU.
+
+`security_configuration_name`
+: The name of the security configuration applied to the cluster.
+
+## Examples
+
+Test that an EMR cluster state is `WAITING`:
+
+```ruby
+describe aws_emr_cluster('CLUSTER_ID') do
+ its ('state') { should eq 'WAITING' }
+end
+```
+
+Test that an EMR cluster state is `RUNNING`:
+
+```ruby
+describe aws_emr_cluster('CLUSTER_ID') do
+ its ('state') { should eq 'RUNNING' }
+end
+```
+
+## Matchers
+
+{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}}
+
+This resource has the following special matchers.
+
+### exist
+
+Use `should` to test an entity that should exist.
+
+```ruby
+describe aws_emr_cluster('CLUSTER_ID') do
+ it { should exist }
+end
+```
+
+Use `should_not` to test for an entity that should not exist.
+
+```ruby
+describe aws_emr_cluster('CLUSTER_ID') do
+ it { should_not exist }
+end
+```
+
+## AWS Permissions
+
+{{% inspec-aws/aws_permissions_principal action="EMR:Client:DescribeClusterOutput" %}}
diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_emr_clusters.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_emr_clusters.md
new file mode 100644
index 0000000..11fad7c
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_emr_clusters.md
@@ -0,0 +1,185 @@
++++
+title = "aws_emr_clusters resource"
+
+draft = false
+
+
+[menu.aws]
+title = "aws_emr_clusters"
+identifier = "inspec/resources/aws/aws_emr_clusters resource"
+parent = "inspec/resources/aws"
++++
+
+Use the `aws_emr_clusters` resource to test the configuration of a collection of clusters of AWS Elastic MapReduce Service.
+
+For additional information, including details on parameters and properties, see the [AWS documentation on AWS EMR clusters](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-elasticmapreduce-cluster.html).
+
+## Syntax
+
+```ruby
+describe aws_emr_clusters do
+ its('cluster_ids') { should include 'CLUSTER_ID'}
+end
+```
+
+## Parameters
+
+This resource does not require any parameters.
+
+## Properties
+
+`cluster_ids`
+: The unique identifier of the cluster.
+
+: **Field**: `cluster_id`
+
+`cluster_arns`
+: The Amazon Resource Name (ARN) that identifies the cluster.
+
+: **Field**: `cluster_arn`
+
+`cluster_names`
+: A user-generated string that you use to identify your cluster.
+
+: **Field**: `cluster_name`
+
+`status_states`
+: The current state of the cluster.
+
+: **Field**: `status(state)`
+
+`status_state_change_reason_code`
+: The programmatic code for the state change reason.
+
+: **Field**: `status(state_change_reason(code))`
+
+`status_state_change_reason_message`
+: The descriptive message for the state change reason.
+
+: **Field**: `status(state_change_reason(message))`
+
+`status_timeline_creation_date_time`
+: The creation date and time of the cluster.
+
+: **Field**: `status(timeline(creation_date_time))`
+
+`status_timeline_ready_date_time`
+: The date and time when the cluster was ready to run steps.
+
+: **Field**: `status(timeline(ready_date_time))`
+
+`status_timeline_end_date_time`
+: The date and time when the cluster was terminated.
+
+: **Field**: `status(timeline(end_date_time))`
+
+`applications`
+: The name of applications installed on this cluster.
+
+: **Field**: `applications`
+
+`auto_scaling_roles`
+: An IAM role for automatic scaling policies.
+
+: **Field**: `auto_scaling_role`
+
+`custom_ami_ids`
+: Available only in Amazon EMR version 5.7.0 and later. The ID of a custom Amazon EBS-backed Linux AMI if the cluster uses a custom AMI.
+
+: **Field**: `custom_ami_id`
+
+`ebs_root_volume_sizes`
+: The size, in GiB, of the Amazon EBS root device volume of the Linux AMI that is used for each EC2 instance. Available in Amazon EMR version 4.x and later.
+
+: **Field**: `ebs_root_volume_size`
+
+`kerberos_attributes_realms`
+: The name of the Kerberos realm to which all nodes in a cluster belong.
+
+: **Field**: `kerberos_attributes(realm)`
+
+`kerberos_attributes_realm_ad_domain_join_user`
+: A user with sufficient privileges to join resources to the domain. Required only when establishing a cross-realm trust with an Active Directory domain.
+
+: **Field**: `kerberos_attributes(ad_domain_join_user)`
+
+`log_encryption_kms_key_ids`
+: The KMS key used for encrypting log files.
+
+: **Field**: `log_encryption_kms_key_id`
+
+`log_uris`
+: The path to the Amazon S3 location where logs for this cluster are stored.
+
+: **Field**: `log_uri`
+
+`release_labels`
+: The Amazon EMR release label, which determines the version of open-source application packages installed on the cluster.
+
+: **Field**: `release_label`
+
+`scale_down_behaviors`
+: The way that individual Amazon EC2 instances terminate when an automatic scale-in activity occurs or an instance group is resized. Valid values are TERMINATE_AT_INSTANCE_HOUR, TERMINATE_AT_TASK_COMPLETION.
+
+: **Field**: `scale_down_behavior`
+
+`service_roles`
+: The IAM role that Amazon EMR assumes in order to access Amazon Web Services resources on your behalf.
+
+: **Field**: `service_role`
+
+`step_concurrency_levels`
+: Specifies the number of steps that can be executed concurrently.
+
+: **Field**: `step_concurrency_level`
+
+`visible_to_all_users`
+: Indicates whether the cluster is visible to IAM principals in the Amazon Web Services account associated with the cluster.
+
+: **Field**: `visible_to_all_users`
+
+`security_configuration_names`
+: The name of the security configuration applied to the cluster.
+
+: **Field**: `security_configuration`
+
+## Examples
+
+Ensure there are no EMR clusters in an undesired state:
+
+```ruby
+describe aws_emr_clusters do
+ it { should exist }
+ its('state') { should_not include 'UNDESIRED_STATE'}
+ its('cluster_ids') { should include 'CLUSTER_ID'}
+end
+```
+
+## Matchers
+
+For a full list of available matchers, visit the [InSpec matchers page](https://docs.chef.io/inspec/matchers/).
+
+### exist
+
+Use `should` to test for an entity that should exist.
+
+```ruby
+describe aws_emr_clusters.where( : ) do
+ it { should exist }
+end
+```
+
+Use `should_not` to test for an entity that should not exist.
+
+```ruby
+describe aws_emr_clusters.where( : ) do
+ it { should_not exist }
+end
+```
+
+## AWS Permissions
+
+Your [Principal](https://docs.aws.amazon.com/IAM/latest/UserGuide/intro-structure.html#intro-structure-principal) will need the `EMR:Client:DescribeClusterOutput`, `EMR:Client:ListClustersOutput` actions set to allow.
+
+You can find detailed documentation at [Amazon EMR IAM Policies, Roles, and Permissions](https://docs.aws.amazon.com/emr/latest/ManagementGuide/emr-managed-iam-policies.html)
+The documentation for EMR actions is at [Policy Structure](https://docs.aws.amazon.com/emr/latest/ManagementGuide/security_iam_id-based-policy-examples.html)
diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_emr_security_configuration.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_emr_security_configuration.md
new file mode 100644
index 0000000..dc20105
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_emr_security_configuration.md
@@ -0,0 +1,103 @@
++++
+title = "aws_emr_security_configuration resource"
+
+draft = false
+
+
+[menu.aws]
+title = "aws_emr_security_configuration"
+identifier = "inspec/resources/aws/aws_emr_security_configuration resource"
+parent = "inspec/resources/aws"
++++
+
+Use the `aws_emr_security_configuration` InSpec audit resource to test properties of the singular resource of AWS EMR security configuration.
+
+For additional information, including details on parameters and properties, see the [AWS documentation on AWS EMR security configuration](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-emr-securityconfiguration.html).
+
+## Syntax
+
+An `aws_emr_security_configuration` resource block declares the tests for a single AWS EMR security configuration by `security_configuration_name`.
+
+```ruby
+describe aws_emr_security_configuration(security_configuration_name: 'SECURITY_CONFIGURATION_NAME') do
+ it { should exist }
+end
+```
+
+```ruby
+describe aws_emr_security_configuration('SECURITY_CONFIGURATION_NAME') do
+ it { should exist }
+end
+```
+
+## Parameters
+
+`security_configuration_name` _(required)_
+
+: This resource requires a single parameter, the EMR security configuration name.
+ This can be passed either as a string or as a `security_configuration_name: 'value'` key-value entry in a hash.
+
+## Properties
+
+`encryption_at_rest`
+: Specifies whether at-rest encryption is enabled for the cluster.
+
+`encryption_in_transit`
+: Specifies whether in-transit encryption is enabled for the cluster.
+
+`local_disk_encryption`
+: Specifies whether local-disk encryption is enabled for the cluster.
+
+## Examples
+
+Test that an EMR security configuration has at-rest encryption enabled:
+
+```ruby
+describe aws_emr_security_configuration('SECURITY_CONFIGURATION_NAME') do
+ its ('encryption_at_rest') { should eq true }
+end
+```
+
+Test that an EMR security configuration has in-transit encryption enabled:
+
+```ruby
+describe aws_emr_security_configuration('SECURITY_CONFIGURATION_NAME') do
+ its ('encryption_in_transit') { should eq true }
+end
+```
+
+Test that an EMR security configuration has local-disk encryption enabled:
+
+```ruby
+describe aws_emr_security_configuration('SECURITY_CONFIGURATION_NAME') do
+ its ('local_disk_encryption') { should eq true }
+end
+```
+
+## Matchers
+
+{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}}
+
+This resource has the following special matchers.
+
+### exist
+
+Use `should` to test the entity should exist.
+
+```ruby
+describe aws_emr_security_configuration('SECURITY_CONFIGURATION_NAME') do
+ it { should exist }
+end
+```
+
+Use `should_not` to test the entity should not exist.
+
+```ruby
+describe aws_emr_security_configuration('SECURITY_CONFIGURATION_NAME') do
+ it { should_not exist }
+end
+```
+
+## AWS Permissions
+
+{{% inspec-aws/aws_permissions_principal action="EMR:Client:DescribeSecurityConfigurationOutput" %}}
diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_emr_security_configurations.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_emr_security_configurations.md
new file mode 100644
index 0000000..be42be9
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_emr_security_configurations.md
@@ -0,0 +1,88 @@
++++
+title = "aws_emr_security_configurationss resource"
+
+draft = false
+
+
+[menu.aws]
+title = "aws_emr_security_configurationss"
+identifier = "inspec/resources/aws/aws_emr_security_configurationss resource"
+parent = "inspec/resources/aws"
++++
+
+Use the `aws_emr_security_configurations` resource to test the properties of collection for AWS EMR security configuration.
+
+For additional information, including details on parameters and properties, see the [AWS documentation on AWS EMR security configuration](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-emr-securityconfiguration.html).
+
+## Syntax
+
+```ruby
+describe aws_emr_security_configurations do
+ it { should exist }
+end
+```
+
+## Parameters
+
+This resource does not require any parameters.
+
+## Properties
+
+`security_configuration_names`
+: The name of the security configuration.
+
+: **Field**: `name`
+
+`encryption_at_rest`
+: Specifies whether at-rest encryption is enabled for the cluster.
+
+: **Field**: `security_configuration(EncryptionConfiguration(EnableAtRestEncryption))`
+
+`encryption_in_transit`
+: Specifies whether in-transit encryption is enabled for the cluster.
+
+: **Field**: `security_configuration(EncryptionConfiguration(EnableInTransitEncryption))`
+
+`local_disk_encryption`
+: Specifies whether local-disk encryption is enabled for the cluster.
+
+: **Field**: `security_configuration(EncryptionConfiguration(AtRestEncryptionConfiguration(LocalDiskEncryptionConfiguration)))`
+
+## Examples
+
+Ensure AWS EMR security configurations exists:
+
+```ruby
+describe aws_emr_security_configurations do
+ it { should exist }
+ its('encryption_at_rests') { should include encryption_at_rest }
+ its('encryption_in_transits') { should include encryption_in_transit }
+ its('local_disk_encryptions') { should include local_disk_encryption }
+end
+```
+
+## Matchers
+
+For a full list of available matchers, visit the [InSpec matchers page](https://docs.chef.io/inspec/matchers/).
+
+### exist
+
+Use `should` to test an entity that should exist.
+
+```ruby
+describe aws_emr_security_configurations.where(security_configuration_name: 'SECURITY_CONFIGURATION_NAME') do
+ it { should exist }
+end
+```
+
+Use `should_not` to test an entity that should not exist.
+
+```ruby
+describe aws_emr_security_configurations.where(security_configuration_name: 'INVALID_SECURITY_CONFIGURATION_NAME') do
+ it { should_not exist }
+end
+```
+
+## AWS Permissions
+
+{{% inspec-aws/aws_permissions_principal action="EMR:Client:DescribeSecurityConfigurationOutput" %}}
diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_eventbridge_rule.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_eventbridge_rule.md
new file mode 100644
index 0000000..7161d24
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_eventbridge_rule.md
@@ -0,0 +1,119 @@
++++
+title = "aws_eventbridge_rule resource"
+
+draft = false
+
+
+[menu.aws]
+title = "aws_eventbridge_rule"
+identifier = "inspec/resources/aws/aws_eventbridge_rule resource"
+parent = "inspec/resources/aws"
++++
+
+Use the `aws_eventbridge_rule` InSpec audit resource to test properties of a single Amazon EventBridge event rule.
+
+The AWS::Events::Rule resource creates a rule that matches incoming events and routes them to one or more targets for processing.
+
+For additional information, including details on parameters and properties, see the [AWS documentation on Events Rule](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-events-rule.html).
+
+## Syntax
+
+Ensure that a rule name exists.
+
+```ruby
+describe aws_eventbridge_rule(name: 'test_rule') do
+ it { should exist }
+end
+```
+
+## Parameters
+
+`name` _(required)_
+
+: The name of the rule.
+ Pass the name as a key-value entry in a hash.
+
+## Properties
+
+`name`
+: The name of the rule.
+
+`arn`
+: The Amazon Resource Name (ARN) of the rule.
+
+`event_pattern`
+: The event pattern.
+
+`schedule_expression`
+: The scheduling expression. For example, "cron(0 20 ** ? *)", "rate(5 minutes)".
+
+`state`
+: Specifies whether the rule is enabled or disabled.
+
+`description`
+: The description of the rule.
+
+`role_arn`
+: The Amazon Resource Name (ARN) of the IAM role associated with the rule.
+
+`managed_by`
+: If this is a managed rule, created by an AWS service on your behalf, this field displays the principal name of the AWS service that created the rule.
+
+`event_bus_name`
+: The name of the event bus associated with the rule.
+
+## Examples
+
+Ensure a rule name is available:
+
+```ruby
+describe aws_eventbridge_rule(name: 'RULE_NAME') do
+ its('name') { should eq 'RULE_NAME' }
+end
+```
+
+Ensure that the state is `ENABLED` or `DISABLED`:
+
+```ruby
+describe aws_eventbridge_rule(name: 'RULE_NAME') do
+ its('state') { should eq 'ENABLED' }
+end
+```
+
+## Matchers
+
+{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}}
+
+The controls will pass if the `describe` method returns at least one result.
+
+### exist
+
+Use `should` to test that the entity exists.
+
+```ruby
+describe aws_eventbridge_rule(name: 'test_rule') do
+ it { should exist }
+end
+```
+
+Use `should_not` to test the entity does not exist.
+
+```ruby
+describe aws_eventbridge_rule(name: 'dummy') do
+ it { should_not exist }
+end
+```
+
+### be_available
+
+Use `should` to check if the work_group name is available.
+
+```ruby
+describe aws_eventbridge_rule(name: 'test_rule') do
+ it { should be_available }
+end
+```
+
+## AWS Permissions
+
+{{% inspec-aws/aws_permissions_principal action="EventBridge:Client:DescribeRuleResponse" %}}
diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_eventbridge_rules.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_eventbridge_rules.md
new file mode 100644
index 0000000..52cdef1
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_eventbridge_rules.md
@@ -0,0 +1,116 @@ ++++ +title = "aws_eventbridge_rules resource" + +draft = false + + +[menu.aws] +title = "aws_eventbridge_rules" +identifier = "inspec/resources/aws/aws_eventbridge_rules resource" +parent = "inspec/resources/aws" ++++ + +Use the `aws_eventbridge_rules` InSpec audit resource to test properties of multiple Amazon EventBridge event rules. + +The AWS::Events::Rule resource creates a rule that matches incoming events and routes them to one or more targets for processing. + +For additional information, including details on parameters and properties, see the [AWS documentation on Events Rule](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-events-rule.html). + +## Syntax + +Ensure that a rule name exists. + +```ruby +describe aws_eventbridge_rules do + it { should exist } +end +``` + +## Parameters + +This resource does not require any parameters. + +## Properties + +`names` +: The name of the rule. + +`arns` +: The Amazon Resource Name (ARN) of the rule. + +`event_patterns` +: The event pattern. + +`schedule_expressions` +: The scheduling expression. For example, "cron(0 20 ** ? *)", "rate(5 minutes)". + +`states` +: Specifies whether the rule is enabled or disabled. + +`descriptions` +: The description of the rule. + +`role_arns` +: The Amazon Resource Name (ARN) of the IAM role associated with the rule. + +`managed_bys` +: If this is a managed rule, created by an AWS service on your behalf, this field displays the principal name of the AWS service that created the rule. + +`event_bus_names` +: The name of the event bus associated with the rule. 
+ +## Examples + +Ensure a rule name is available: + +```ruby +describe aws_eventbridge_rules do + its('name') { should include 'test_rule' } +end +``` + +Ensure that the state is `ENABLED` or `DISABLED`: + +```ruby +describe aws_eventbridge_rules do + its('state') { should include 'ENABLED' } +end +``` + +## Matchers + +{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}} + +The controls will pass if the `list` method returns at least one result. + +### exist + +Use `should` to test that the entity exists. + +```ruby +describe aws_eventbridge_rules do + it { should exist } +end +``` + +Use `should_not` to test the entity does not exist. + +```ruby +describe aws_eventbridge_rules do + it { should_not exist } +end +``` + +### be_available + +Use `should` to check if the rule name is available. + +```ruby +describe aws_eventbridge_rules do + it { should be_available } +end +``` + +## AWS Permissions + +{{% inspec-aws/aws_permissions_principal action="EventBridge:Client:ListRulesResponse" %}} diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_flow_log.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_flow_log.md new file mode 100644 index 0000000..d4593fe --- /dev/null +++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_flow_log.md 
@@ -0,0 +1,143 @@ ++++ +title = "aws_flow_log resource" + +draft = false + + +[menu.aws] +title = "aws_flow_log" +identifier = "inspec/resources/aws/aws_flow_log resource" +parent = "inspec/resources/aws" ++++ + +Use the `aws_flow_log` InSpec audit resource to test properties of a single Flow Log. + +For additional information, including details on parameters and properties, see the [AWS documentation on Flow Logs](https://docs.aws.amazon.com/vpc/latest/userguide/flow-logs.html). + +## Syntax + +```ruby +describe aws_flow_log(flow_log_id: 'fl-9c718cf5') do + it { should exist } +end +``` + +## Parameters + +This resource requires at least one of the following parameters to be provided: `flow_log_id`, `subnet_id`, `vpc_id`. + +`flow_log_id` _(required if no other parameters provided)_ + +: The Flow Log ID which uniquely identifies the Flow Log. + This can be passed either as a string or as a `flow_log_id: 'value'` key-value entry in a hash. + +`subnet_id` _(required if no other parameters provided)_ + +: The subnet associated with the Flow Log, if applicable. + This must be passed as a `subnet_id: 'value'` key-value entry in a hash. + +`vpc_id` _(required if no other parameters provided)_ + +: The VPC associated with the Flow Log, if applicable. + This must be passed as a `vpc_id: 'value'` key-value entry in a hash. + +## Properties + +`flow_log_id` +: The ID of the Flow Log. + +`log_group_name` +: The name of the associated log group. + +`resource_id` +: The ID of the assosiated resource, e.g. VPC, Subnet or Network Interface. 
+ +## Examples + +Search for a flow log by the associated subnet id: + +```ruby +describe aws_flow_log(subnet_id: 'subnet-c6a4319c') do + it { should exist } +end +``` + +Search for a flow log by the associated VPC id: + +```ruby +describe aws_flow_log(vpc_id: 'vpc-96cabaef') do + it { should exist } +end +``` + +Ensure the correct Flow Log is associated with a Subnet: + +```ruby +describe aws_flow_log(subnet_id: 'subnet-c6a4319c') do + its('flow_log_id') { should cmp 'fl-9c718cf5' } +end +``` + +Ensure the Flow Log is associated with the correct resource type: + +```ruby +describe aws_flow_log('fl-9c718cf5') do + its('resource_type') { should cmp 'subnet' } +end +``` + +## Matchers + +For a full list of available matchers, visit the [InSpec matchers page](https://www.inspec.io/docs/reference/matchers/). + +### exist + +The control will pass if the describe returns at least one result. + +Use `should_not` to test the entity should not exist. + +```ruby +describe aws_flow_log('AnExistingFlowLog') do + it { should exist } +end +``` + +```ruby +describe aws_flow_log('ANonExistentFlowLog') do + it { should_not exist } +end +``` + +#### be_attached_to_eni + +Indicates that the Flow Log is attached to a ENI resource. + +```ruby +describe aws_flow_log('fl-9c718cf5') do + it { should be_attached_to_eni } +end +``` + +#### be_attached_to_subnet + +Indicates that the Flow Log is attached to a subnet resource. + +```ruby +describe aws_flow_log('fl-9c718cf5') do + it { should be_attached_to_subnet } +end +``` + +#### be_attached_to_vpc + +Indicates that the Flow Log is attached to a vpc resource. + +```ruby +describe aws_flow_log('fl-9c718cf5') do + it { should be_attached_to_vpc } +end +``` + +## AWS Permissions + +{{% inspec-aws/aws_permissions_principal action="EC2:Client:DescribeFlowLogsResult" %}} 
diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_glue_crawler.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_glue_crawler.md new file mode 100644 index 0000000..8b6d04d --- /dev/null +++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_glue_crawler.md 
@@ -0,0 +1,148 @@ ++++ +title = "aws_glue_crawler resource" + +draft = false + + +[menu.aws] +title = "aws_glue_crawler" +identifier = "inspec/resources/aws/aws_glue_crawler resource" +parent = "inspec/resources/aws" ++++ + +Use the `aws_glue_crawler` InSpec audit resource to test properties of a single AWS Glue crawler. + +The AWS::Glue::Crawler resource specifies an AWS Glue crawler. + +For additional information, including details on parameters and properties, see the [AWS documentation on Glue Crawler](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-glue-crawler.html). + +## Syntax + +Ensure that a crawler name exists. + +```ruby +describe aws_glue_crawler(name: 'CRAWLER_NAME') do + it { should exist } +end +``` + +## Parameters + +`name` _(required)_ + +: The name of the crawler. + +## Properties + +`name` +: The name of the crawler. + +`role` +: The ARN of an IAM role that's used to access customer resources, such as Amazon Simple Storage Service (Amazon S3) data. + +`target` +: A collection of targets to crawl. + +`database_name` +: The name of the database in which the crawler's output is stored. + +`description` +: A description of the crawler. + +`classifier` +: A list of UTF-8 strings that specify the custom classifiers that are associated with the crawler. + +`recrawl_policy` +: A policy that specifies whether to crawl the entire dataset again, or to crawl only folders that were added since the last crawler run. + +`schema_change_policy` +: The policy that specifies update and delete behaviors for the crawler. + +`lineage_configuration` +: A configuration that specifies whether data lineage is enabled for the crawler. + +`state` +: Whether the crawler is running, or whether a run is pending. + +`table_prefix` +: The prefix added to the names of tables that are created. + +`schedule` +: For scheduled crawlers, the schedule when the crawler runs. 
+ +`crawl_elapsed_time` +: If the crawler is running, contains the total time elapsed since the last crawl began. + +`creation_time` +: The time that the crawler was created. + +`last_updated` +: The time that the crawler was last updated. + +`last_crawl` +: The status of the last crawl, and potentially error information if an error occurred. + +`version` +: The version of the crawler. + +`configuration` +: Crawler configuration information. This versioned JSON string allows users to specify aspects of a crawler's behavior. + +`crawler_security_configuration` +: The name of the `SecurityConfiguration` structure to be used by this crawler. + +## Examples + +Ensure a crawler name is available: + +```ruby +describe aws_glue_crawler(name: 'CRAWLER_NAME') do + its('name') { should eq 'CRAWLER_NAME' } +end +``` + +Verify the database name in the crawler: + +```ruby +describe aws_glue_crawler(name: 'CRAWLER_NAME') do + its('database_name') { should eq 'CRAWLER_DATABASE_NAME' } +end +``` + +## Matchers + +{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}} + +This resource has the following special matchers. + +### exist + +Use `should` to test that the entity exists. + +```ruby +describe aws_glue_crawler(name: 'crawler_name') do + it { should exist } +end +``` + +Use `should_not` to test the entity does not exist. + +```ruby +describe aws_glue_crawler(name: 'dummy') do + it { should_not exist } +end +``` + +### be_available + +Use `should` to check if the work_group name is available. + +```ruby +describe aws_glue_crawler(name: 'crawler_name') do + it { should be_available } +end +``` + +## AWS Permissions + +{{% inspec-aws/aws_permissions_principal action="EC2:Client:GetCrawlerResponse" %}} diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_glue_crawlers.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_glue_crawlers.md new file mode 100644 index 0000000..6721f35 --- /dev/null 
+++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_glue_crawlers.md 
@@ -0,0 +1,146 @@ ++++ +title = "aws_glue_crawlers resource" + +draft = false + + +[menu.aws] +title = "aws_glue_crawlers" +identifier = "inspec/resources/aws/aws_glue_crawlers resource" +parent = "inspec/resources/aws" ++++ + +Use the `aws_glue_crawlers` InSpec audit resource to test properties of a plural Glue Crawlers. + +The AWS::Glue::Crawler resource specifies an AWS Glue crawler. + +For additional information, including details on parameters and properties, see the [AWS documentation on Glue Crawler](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-glue-crawler.html). + +## Syntax + +Ensure that a crawler exists. + +```ruby +describe aws_glue_crawlers do + it { should exist } +end +``` + +## Parameters + +This resource does not require any parameters. + +## Properties + +`names` +: The name of a crawler. + +`roles` +: The ARNs of IAM roles used to access customer resources, such as Amazon Simple Storage Service (Amazon S3) data. + +`targets` +: A collection of targets to crawl. + +`database_names` +: The name of the database in which a crawler's output is stored. + +`descriptions` +: A description of a crawler. + +`classifiers` +: A list of UTF-8 strings that specify the custom classifiers that are associated with a crawler. + +`recrawl_policies` +: A policy that specifies whether to crawl the entire dataset again, or to crawl only folders that were added since the last crawler run. + +`schema_change_policies` +: The policy that specifies update and delete behaviors for a crawler. + +`lineage_configurations` +: A configuration that specifies whether data lineage is enabled for a crawler. + +`states` +: Whether a crawler is running, or whether a run is pending. + +`table_prefixes` +: The prefix added to the names of tables that are created. + +`schedules` +: The schedule of a crawler. + +`crawl_elapsed_times` +: If a crawler is running, contains the total time elapsed since the last crawl began. 
+ +`creation_times` +: The time that a crawler was created. + +`last_updated` +: The time that a crawler was last updated. + +`last_crawls` +: The status of the last crawl, and potentially error information if an error occurred. + +`versions` +: The version of a crawler. + +`configurations` +: Crawler configuration information. This versioned JSON string allows users to specify aspects of a crawler's behavior. + +`crawler_security_configurations` +: The name of the `SecurityConfiguration` structure to be used by a crawler. + +## Examples + +Ensure a crawler name is available: + +```ruby +describe aws_glue_crawlers do + its('names') { should include 'CRAWLER_NAME' } +end +``` + +Ensure a database name is available: + +```ruby +describe aws_glue_crawlers do + its('database_names') { should include 'CRAWLER_DATABASE_NAME' } +end +``` + +## Matchers + +{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}} + +This resource has the following special matchers. + +### exist + +Use `should` to test that the entity exists. + +```ruby +describe aws_glue_crawlers do + it { should exist } +end +``` + +Use `should_not` to test the entity does not exist. + +```ruby +describe aws_glue_crawlers do + it { should_not exist } +end +``` + +### be_available + +Use `should` to check if a crawler name is available. + +```ruby +describe aws_glue_crawlers do + it { should be_available } +end +``` + +## AWS Permissions + +{{% inspec-aws/aws_permissions_principal action="EC2:Client:GetCrawlersResponse" %}} diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_glue_database.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_glue_database.md new file mode 100644 index 0000000..3139f9a --- /dev/null +++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_glue_database.md 
@@ -0,0 +1,121 @@ ++++ +title = "aws_glue_database resource" + +draft = false + + +[menu.aws] +title = "aws_glue_database" +identifier = "inspec/resources/aws/aws_glue_database resource" +parent = "inspec/resources/aws" ++++ + +Use the `aws_glue_database` InSpec audit resource to test properties of a single Glue database. + +The AWS::Glue::Database resource specifies a logical grouping of tables in AWS Glue. + +For additional information, including details on parameters and properties, see the [AWS documentation on Glue Database](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-glue-database.html). + +## Syntax + +Ensure that a database name exists. + +```ruby +describe aws_glue_database(name: 'GLUE_DATABASE_NAME') + it { should exist } +end +``` + +## Parameters + +`name` _(required)_ + +: The name of the Glue database. + +## Properties + +`name` +: The name of the database. For Hive compatibility, this is folded to lowercase when it is stored. + +`description` +: A description of the database. + +`location_uri` +: The location of the database (for example, an HDFS path). + +`parameters` +: These key-value pairs define parameters and properties of the database. + +`create_time` +: The time at which the metadata database was created in the catalog. + +`create_table_default_permissions (principal (data_lake_principal_identifier))` +: An identifier for the AWS Lake Formation principal. + +`create_table_default_permissions (permissions)` +: The permissions that are granted to the principal. + +`target_database (catalog_id)` +: The ID of the Data Catalog in which the database resides. + +`target_database (database_name)` +: The name of the catalog database. + +`catalog_id` +: The ID of the Data Catalog in which the database resides. 
+ +## Examples + +Ensure a database name is available: + +```ruby +describe aws_glue_database(name: 'GLUE_DATABASE_NAME') do + its('name') { should eq 'GLUE_DATABASE_NAME' } +end +``` + +Ensure a target database name is available: + +```ruby +describe aws_glue_database(name: 'GLUE_DATABASE_NAME') do + its('target_database.database_name') { should eq 'CATALOG_DATABASE_NAME' } +end +``` + +## Matchers + +{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}} + +This resource has the following special matchers. + +### exist + +Use `should` to test that the entity exists. + +```ruby +describe aws_glue_database(name: 'GLUE_DATABASE_NAME') do + it { should exist } +end +``` + +Use `should_not` to test the entity does not exist. + +```ruby +describe aws_glue_database(name: 'GLUE_DATABASE_NAME') do + it { should_not exist } +end +``` + +### be_available + +Use `should` to check if the database name is available. + +```ruby +describe aws_glue_database(name: 'GLUE_DATABASE_NAME') do + it { should be_available } +end +``` + +## AWS Permissions + +{{% inspec-aws/aws_permissions_principal action="EC2:Client:GetDatabaseResponse" %}} diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_glue_databases.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_glue_databases.md new file mode 100644 index 0000000..cfb288d --- /dev/null +++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_glue_databases.md 
@@ -0,0 +1,105 @@ ++++ +title = "aws_glue_databases resource" + +draft = false + + +[menu.aws] +title = "aws_glue_databases" +identifier = "inspec/resources/aws/aws_glue_databases resource" +parent = "inspec/resources/aws" ++++ + +Use the `aws_glue_databases` InSpec audit resource to test properties of multiple Glue databases. + +The AWS::Glue::Database resource specifies a logical grouping of tables in AWS Glue. + +For additional information, including details on parameters and properties, see the [AWS documentation on Glue Database](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-glue-database.html). + +## Syntax + +Ensure that a database name exists. + +```ruby +describe aws_glue_databases + it { should exist } +end +``` + +## Parameters + +This resource does not require any parameters. + +## Properties + +`names` +: The name of a database. For Hive compatibility, this is folded to lowercase when it is stored. + +`descriptions` +: A description of a database. + +`location_uris` +: The location of a database (for example, an HDFS path). + +`parameters` +: These key-value pairs define parameters and properties of a database. + +`create_times` +: The time at which the metadata database was created in the catalog. + +`create_table_default_permissions` +: Creates a set of default permissions on the table for principals.. + +`target_databases` +: A DatabaseIdentifier structure that describes a target database for resource linking. + +`catalog_ids` +: The ID of the Data Catalog in which a database resides. + +## Examples + +Ensure a database name is available: + +```ruby +describe aws_glue_databases + its('names') { should include 'GLUE_DATABASE_NAME' } +end +``` + +## Matchers + +{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}} + +This resource has the following special matchers. + +### exist + +Use `should` to test that the entity exists. 
+ +```ruby +describe aws_glue_databases + it { should exist } +end +``` + +Use `should_not` to test the entity does not exist. + +```ruby +describe aws_glue_databases + it { should_not exist } +end +``` + +### be_available + +Use `should` to check if a database name is available. + +```ruby +describe aws_glue_databases + it { should be_available } +end +``` + +## AWS Permissions + +{{% inspec-aws/aws_permissions_principal action="EC2:Client:GetDatabasesResponse" %}} diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_guardduty_detector.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_guardduty_detector.md new file mode 100644 index 0000000..e359316 --- /dev/null +++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_guardduty_detector.md 
@@ -0,0 +1,117 @@ ++++ +title = "aws_guardduty_detector resource" + +draft = false + + +[menu.aws] +title = "aws_guardduty_detector" +identifier = "inspec/resources/aws/aws_guardduty_detector resource" +parent = "inspec/resources/aws" ++++ + +Use the `aws_guardduty_detector` InSpec audit resource to test properties of a single AWS GuardDuty Detector. + +For additional information, including details on parameters and properties, see the [Actions, Resources, and Condition Keys for Amazon GuardDuty](https://docs.aws.amazon.com/guardduty/latest/APIReference/API_GetDetector.html). + +For additional information, including details on parameters and properties, see the [AWS documentation on GuardDuty Detectors](https://docs.aws.amazon.com/guardduty/latest/ug/what-is-guardduty.html). + +## Requirements + +Train AWS version 0.1.18 or newer is required for this resource. + +## Syntax + +An `aws_guardduty_detector` resource block declares the tests for a single AWS GuardDuty Detector by detector id. + +```ruby +describe aws_guardduty_detector(detector_id: '12abc34d567e8fa901bc2d34e56789f0') do + it { should exist } +end +``` + +## Parameters + +`detector_id` _(required)_ + +: This resource accepts a single parameter, the GuardDuty Detector ID. + This can be passed either as a string or as a `detector_id: 'value'` key-value entry in a hash. + +## Properties + +`created_at` +: The timestamp of when the detector was created. + +`data_sources` +: An object that describes which data sources are enabled for the detector. + +`finding_publishing_frequency` +: The publishing frequency of the finding. + +`service_role` +: The GuardDuty service role. + +`status` +: The detector status. Status should be either ENABLED or DISABLED. + +`tags` +: The tags of the detector resource. + +`updated_at` +: The last-updated timestamp for the detector. + +There are also additional properties available. 
For a comprehensive list, see [the API reference documentation](https://docs.aws.amazon.com/guardduty/latest/APIReference/API_GetDetector.html) + +## Examples + +Check the publishing frequency of a Detector: + +```ruby +describe aws_guardduty_detector(detector_id: '12abc34d567e8fa901bc2d34e56789f0') do + its('finding_publishing_frequency') { should eq "SIX_HOURS" } +end +``` + +## Matchers + +{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}} + +This resource has the following special matchers. + +### be_enabled + +The `be_enabled` matcher tests if the status of the detector is enabled. + +```ruby +describe aws_guardduty_detector(detector_id: 'detector-id-1234') do + it { should be_enabled } +end +``` + +```ruby +describe aws_guardduty_detector(detector_id: 'detector-id-6789') do + it { should_not be_enabled } +end +``` + +### exist + +The control will pass if the describe returns at least one result. + +Use `should_not` to test the entity should not exist. + +```ruby +describe aws_guardduty_detector(detector_id: '12abc34d567e8fa901bc2d34e56789f0') do + it { should exist } +end +``` + +```ruby +describe aws_guardduty_detector(detector_id: '809abz34d567e8fa91bc2d34e56789f5') do + it { should_not exist } +end +``` + +## AWS Permissions + +{{% inspec-aws/aws_permissions_principal action="GuardDuty:Client:GetDetectorResponse" %}} diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_guardduty_detectors.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_guardduty_detectors.md new file mode 100644 index 0000000..ce9c49d --- /dev/null +++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_guardduty_detectors.md 
@@ -0,0 +1,91 @@ ++++ +title = "aws_guardduty_detectors resource" + +draft = false + + +[menu.aws] +title = "aws_guardduty_detectors" +identifier = "inspec/resources/aws/aws_guardduty_detectors resource" +parent = "inspec/resources/aws" ++++ + + + +Use the `aws_guardduty_detectors` InSpec audit resource to test properties of some or all AWS GuardDuty Detectors. + +For additional information, including details on parameters and properties, see the [Actions, Resources, and Condition Keys for Amazon GuardDuty](https://docs.aws.amazon.com/guardduty/latest/APIReference/API_GetDetector.html). + +For additional information, including details on parameters and properties, see the [AWS documentation on GuardDuty Detectors](https://docs.aws.amazon.com/guardduty/latest/ug/what-is-guardduty.html). + +## Requirements + +Train AWS version 0.1.18 or newer is required for this resource. + +## Syntax + + Ensure you have exactly 3 Detectors available to you. + +```ruby +describe aws_guardduty_detectors do + its('detector_ids.count') { should cmp 3 } +end +``` + +## Parameters + +This resource does not require any parameters. + +## Properties + +`detector_ids` +: A list of detector IDs. + +## Examples + +Ensure GuardDuty Detector ID exists: + +```ruby +describe aws_guardduty_detectors do + its('detector_ids') { should include ['detector-id-43542'] } +end +``` + +Use the InSpec resource to request the IDs of all Detectors, then test in-depth using `aws_guardduty_detector` to ensure all detectors have a six hour publishing frequency: + +```ruby +aws_guardduty_detectors.detector_ids.first.each do |detector_id| + describe aws_guardduty_detector(detector_id: detector_id) do + it { should exist } + its('finding_publishing_frequency') { should eq "SIX_HOURS" } + end +end +``` + +## Matchers + +{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}} + +This resource has the following special matchers. 
+ +### exist + +The control will pass if the describe returns at least one result. + +Use `should_not` to test the entity should not exist. + +```ruby +describe aws_guardduty_detectors do + it { should exist } +end +``` + +```ruby +describe aws_guardduty_detectors do + it { should_not exist } +end +``` + +## AWS Permissions + +{{% inspec-aws/aws_permissions_principal action="GuardDuty:Client:GetDetectorResponse" %}} diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_hosted_zone.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_hosted_zone.md new file mode 100644 index 0000000..a2f5813 --- /dev/null +++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_hosted_zone.md 
@@ -0,0 +1,107 @@ ++++ +title = "aws_hosted_zone resource" + +draft = false + + +[menu.aws] +title = "aws_hosted_zone" +identifier = "inspec/resources/aws/aws_hosted_zone resource" +parent = "inspec/resources/aws" ++++ + +Use the `aws_hosted_zone` resource to test a specific hosted zone configuration. + +## Syntax + +```ruby +describe aws_hosted_zone('zone-name') do + it { should exist } + its ('name_servers.count') { should eq 4 } + its ('private_zone') { should be false } + its ('record_names') { should include 'sid-james.carry-on.films.com' } +end +``` + +## Parameters + +`zone_name` + +: This resource takes one parameter, the name of the hosted zone to validate. + +## Properties + +`name` +: The name of the hosted zone. + +`id` +: It's id. + +`name_servers` +: List of the associated name servers. + +`private_zone` +: If the hosted zone if private or public. + +`record_count` +: Number of associated records. + +`records` +: The associated records, flattens the list, so each rule will have multiple records for each type. + +## Examples + +Ensure a specific hosted zone exists: + +```ruby +describe aws_hosted_zone('zone-name') do + it { should exist } +end +``` + +## Matchers + +{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}} + +This resource has the following special matchers. + +### exist + +The control will pass if the describe passes all tests. + +Use `exist` to validate the hosted zone exists + +```ruby +describe aws_hosted_zone('zone-name') do + it { should exist } +end +``` + +Use `should_not` to test the entity should not exist. + +```ruby +describe aws_hosted_zone('zone-name') do + it { should_not exist } +end +``` + +### should + +The control will pass if the describe passes all tests. + +Use `should` to validate the hosted zone if public or private, the number of name servers is correct or that a specific record exists e.g. 
+ +```ruby +describe aws_hosted_zone('zone-name') do + it { should exist } + its ('name_servers.count') { should eq 4 } + its ('private_zone') { should be false } + its ('record_names') { should include 'sid-james.carry-on.films.com' } +end +``` + +## AWS Permissions + +{{% inspec-aws/aws_permissions_principal action="Route53:Client:GetHostedZoneResponse" %}} + +You can find detailed documentation at [Amazon Route 53](https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/r53-api-permissions-ref.html) diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_hosted_zones.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_hosted_zones.md new file mode 100644 index 0000000..6512afd --- /dev/null +++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_hosted_zones.md 
@@ -0,0 +1,117 @@ ++++ +title = "aws_hosted_zones resource" + +draft = false + + +[menu.aws] +title = "aws_hosted_zones" +identifier = "inspec/resources/aws/aws_hosted_zones resource" +parent = "inspec/resources/aws" ++++ + +Use the `aws_hosted_zones` InSpec audit resource to test the properties of multiple AWS Route53 hosted zones. + +The `AWS::Route53::HostedZone` creates a new public or private hosted zone. + +For additional information, including details on parameters and properties, see the [AWS documentation on the `AWS::Route53::HostedZone` resource](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-route53-hostedzone.html). + +## Syntax + +Ensure the hosted zones are available + +```ruby +describe aws_hosted_zones do + it { should exist } +end +``` + +## Parameters + +This resource does not require any parameters. + +## Properties + +`ids` +: The ID that Amazon Route 53 assigned to the hosted zone when you created it. + +: **Field**: `id` + +`names` +: The name of the domain. + +: **Field**: `name` + +`caller_references` +: The value that you specified for CallerReference when you created the hosted zone. + +: **Field**: `caller_reference` + +`configs` +: A complex type that includes the Comment and PrivateZone elements. + +: **Field**: `config` + +`resource_record_set_counts` +: The number of resource record sets in the hosted zone. + +: **Field**: `resource_record_set_count` + +`linked_services` +: If the hosted zone was created by another service, the service that created the hosted zone. 
+ +: **Field**: `linked_service` + +## Examples + +Ensure that there are more than one hosted zone: + +```ruby +describe aws_hosted_zones do + its('count') { should >= 1 } +end +``` + +Ensure a hosted zone is available: + +```ruby +describe aws_hosted_zones do + its('ids') { should include 'HOSTED_ZONE_ID' } +end +``` + +Ensure a hosted zone name is available: + +```ruby +describe aws_hosted_zones do + its('names') { should include 'HOSTED_ZONE_NAME' } +end +``` + +## Matchers + +{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}} + +The controls will pass if the `list` method returns at least one result. + +### exist + +Use `should` to test that the entity exists. + +```ruby +describe aws_hosted_zones do + it { should exist } +end +``` + +Use `should_not` to test the entity does not exist. + +```ruby +describe aws_hosted_zones do + it { should_not exist } +end +``` + +## AWS Permissions + +{{% inspec-aws/aws_permissions_principal action="Route53:Client:ListHostedZonesResponse" %}} diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_iam_access_key.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_iam_access_key.md new file mode 100644 index 0000000..116a03e --- /dev/null +++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_iam_access_key.md 
@@ -0,0 +1,108 @@
++++
+title = "aws_iam_access_key resource"
+
+draft = false
+
+
+[menu.aws]
+title = "aws_iam_access_key"
+identifier = "inspec/resources/aws/aws_iam_access_key resource"
+parent = "inspec/resources/aws"
++++
+
+Use the `aws_iam_access_key` InSpec audit resource to test properties of a single AWS IAM Access Key.
+
+For additional information, including details on parameters and properties, see the [AWS documentation on IAM Access Keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys.html).
+
+## Syntax
+
+An `aws_iam_access_key` resource allows the testing of a single AWS IAM Access Key.
+
+```ruby
+describe aws_iam_access_key(access_key_id: 'AKIA1111111111111111') do
+ it { should exist }
+end
+```
+
+## Parameters
+
+This resources requires either an `access_key_id` or the IAM `username` associated with the Access Key.
+
+`access_key_id` _(required if `username` not provided.)_
+
+: The Access Key ID which uniquely identifies the Key. Begins with the characters "AKIA".
+ This can be passed either as a string or as a `access_key_id: 'value'` key-value entry in a hash.
+
+`username` _(required if `access_key_id` not provided.)_
+
+: The IAM Username which is associated with the Access Key.
+ This can be passed either as a string or as a `username: 'value'` key-value entry in a hash.
+
+## Properties
+
+`access_key_id`
+: The ID of the Access Key.
+
+`username`
+: The IAM Username which is associated with the Access Key.
+
+`status`
+: The status of the Access Key, e.g. "Active".
+
+`create_date`
+: The creation date of the Access Key.
+
+## Examples
+
+The following examples show how to use this InSpec audit resource.
+
+Test that an IAM Access Key has been used in the last 90 days:
+
+```ruby
+describe aws_iam_access_key(access_key_id: 'AKIA1111111111111111') do
+ it { should exist }
+ its('last_used_date') { should be > Time.now - 90 * 86400 }
+end
+```
+
+Test that an IAM Access Key for a specific user exists:
+
+```ruby
+describe aws_iam_access_key(username: 'psmith', id: 'AKIA1111111111111111') do
+ it { should exist }
+end
+```
+
+## Matchers
+
+{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}}
+
+This resource has the following special matchers.
+
+### exist
+
+The control will pass if the describe returns at least one result.
+
+Use `should_not` to test the entity should not exist.
+
+```ruby
+it { should exist }
+```
+
+```ruby
+it { should_not exist }
+```
+
+### active
+
+The `active` matcher tests if the described IAM Access Key has a status of Active.
+
+```ruby
+it { should be_active }
+```
+
+## AWS Permissions
+
+{{% inspec-aws/aws_permissions_principal action="IAM:Client:GetAccessKeyLastUsedResponse" %}}
+
+You can find detailed documentation at [Amazon Route 53](https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/r53-api-permissions-ref.html)
diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_iam_access_keys.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_iam_access_keys.md
new file mode 100644
index 0000000..57954c8
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_iam_access_keys.md
@@ -0,0 +1,125 @@
++++
+title = "aws_iam_access_keys resource"
+
+draft = false
+
+
+[menu.aws]
+title = "aws_iam_access_keys"
+identifier = "inspec/resources/aws/aws_iam_access_keys resource"
+parent = "inspec/resources/aws"
++++
+
+Use the `aws_iam_access_keys` InSpec audit resource to test properties of some or all AWS IAM Access Keys.
+
+For additional information, including details on parameters and properties, see the [AWS documentation on IAM Access Keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys.html).
+
+## Syntax
+
+An `aws_iam_access_keys` resource block returns all IAM Access Keys and allows the testing of that group of Access Keys.
+
+```ruby
+describe aws_iam_access_keys do
+ it { should exist }
+ its('access_key_ids') { should include 'AKIA1111111111111111' }
+end
+```
+
+## Parameters
+
+This resources accepts a single optional parameter, a Username for which to retrieve all Access Keys.
+If not provided, all Access Keys for all Users will be retrieved.
+
+`username` _(optional)_
+
+: The IAM Username for which to retrieve the Access Keys.
+ This can be passed either as a string or as a `username: 'value'` key-value entry in a hash.
+
+## Properties
+
+`access_key_id`
+: The ID of the Access Key.
+
+`username`
+: The IAM Username which is associated with the Access Key.
+
+`active`
+: Indicates if the status of the Key is Active.
+
+`inactive`
+: Indicates if the status of the Key is Inactive.
+
+`ever_used`
+: Indicates if the Key has ever been used.
+
+`never_used`
+: Indicates if the Key has never been used.
+
+`create_date`
+: The creation date of the Access Key.
+
+`created_days_ago`
+: How many days ago the Access Key was created.
+
+`created_hours_ago`
+: How many hours ago the Access Key was created.
+
+`created_with_user`
+: Boolean indicating if the Access Key was created with a user.
+
+`last_used_date`
+: The date the Access Key was last used.
+
+`last_used_hours_ago`
+: How many hours ago the Key was last used.
+
+`last_used_days_ago`
+: How many days ago the Key was last used.
+
+`user_created_date`
+: The date on which the associated User was created.
+
+`entries`
+: Provides access to the raw results of the query, which can be treated as an array of hashes.
+
+## Examples
+
+Test all Active keys:
+
+```ruby
+describe aws_iam_access_keys.where(active: true) do
+ its('access_key_ids') { should include 'AKIA1111111111111111' }
+end
+```
+
+Ensure a User has no Access Keys:
+
+```ruby
+describe aws_iam_access_keys.where(username: 'untrusted-account') do
+ it { should_not exist }
+end
+```
+
+## Matchers
+
+For a full list of available matchers, visit the [InSpec matchers page](https://www.inspec.io/docs/reference/matchers/).
+
+### exist
+
+The control will pass if the describe returns at least one result.
+
+Use `should_not` to test the entity should not exist.
+
+```ruby
+it { should exist }
+```
+
+```ruby
+it { should_not exist }
+```
+
+## AWS Permissions
+
+Your [Principal](https://docs.aws.amazon.com/IAM/latest/UserGuide/intro-structure.html#intro-structure-principal) will need the `IAM:Client:GetAccessKeyLastUsedResponse`, `IAM:Client:ListAccessKeysResponse` and `IAM:Client:ListUsersResponse` action with Effect set to Allow.
+
+You can find detailed documentation at [Amazon Route 53](https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/r53-api-permissions-ref.html)
diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_iam_account_alias.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_iam_account_alias.md
new file mode 100644
index 0000000..7d6b5d9
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_iam_account_alias.md
@@ -0,0 +1,71 @@
++++
+title = "aws_iam_account_alias resource"
+
+draft = false
+
+
+[menu.aws]
+title = "aws_iam_account_alias"
+identifier = "inspec/resources/aws/aws_iam_account_alias resource"
+parent = "inspec/resources/aws"
++++
+
+Use the `aws_iam_account_alias` InSpec audit resource to test properties of the AWS IAM account alias.
+
+For additional information, including details on parameters and properties, see the [AWS documentation on Account Aliases](https://docs.aws.amazon.com/IAM/latest/UserGuide/console_account-alias.html).
+
+## Syntax
+
+An `aws_iam_account_alias` resource block may be used to perform tests on details of the AWS account alias.
+
+```ruby
+describe aws_iam_account_alias do
+ it { should exist }
+end
+```
+
+## Parameters
+
+This resource does not require any parameters.
+
+## Properties
+
+`alias`
+: String containing the Alias of the account.
+
+## Examples
+
+Check that the account alias has not be set:
+
+```ruby
+describe aws_iam_account_alias do
+ it { should_not exist }
+end
+```
+
+Test if the account alias starts with expected prefix:
+
+```ruby
+describe aws_iam_account_alias do
+ it { should exist }
+ its('alias') { should match /^chef-/ }
+end
+```
+
+## Matchers
+
+### exist
+
+The control will pass if the describe returns at least one result.
+
+Use `should_not` to test the entity should not exist.
+
+```ruby
+describe aws_iam_account_alias do
+ it { should exist }
+end
+```
+
+## AWS Permissions
+
+{{% inspec-aws/aws_permissions_principal action="IAM:Client:ListAccountAliasesResponse" %}}
diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_iam_group.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_iam_group.md
new file mode 100644
index 0000000..f1ccb4a
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_iam_group.md
@@ -0,0 +1,93 @@
++++
+title = "aws_iam_group resource"
+
+draft = false
+
+
+[menu.aws]
+title = "aws_iam_group"
+identifier = "inspec/resources/aws/aws_iam_group resource"
+parent = "inspec/resources/aws"
++++
+
+Use the `aws_iam_group` InSpec audit resource to test properties of a single IAM group.
+
+For additional information, including details on parameters and properties, see the [AWS documentation on IAM Groups](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_groups.html).
+
+## Syntax
+
+An `aws_iam_group` resource block identifies a group by group name.
+
+```ruby
+describe aws_iam_group('mygroup') do
+ it { should exist }
+end
+```
+
+Hash syntax for group name:
+
+```ruby
+describe aws_iam_group(group_name: 'mygroup') do
+ it { should exist }
+end
+```
+
+## Parameters
+
+`group_name` _(required)_
+
+: This resource accepts a single parameter, the Group Name which uniquely identifies the IAM Group.
+ This can be passed either as a string or as a `group_name: 'value'` key-value entry in a hash.
+
+## Properties
+
+`group_name`
+: The group name.
+
+`group_id`
+: The group ID.
+
+`arn`
+: The Amazon Resource Name of the group.
+
+`users`
+: Array of users associated with the group.
+
+`inline_policy_names`
+: A list of inline policy names associated with the group.
+
+## Examples
+
+Ensure group contains a certain user:
+
+```ruby
+describe aws_iam_group('admin-group') do
+ its('users') { should include 'deployment-service-account')}
+end
+```
+
+## Matchers
+
+### exist
+
+The control will pass if the describe returns at least one result.
+
+Use `should_not` to test the entity should not exist.
+
+```ruby
+describe aws_iam_group('AnExistingGroup') do
+ it { should exist }
+end
+```
+
+```ruby
+describe aws_iam_group('ANonExistentGroup') do
+ it { should_not exist }
+end
+```
+
+## AWS Permissions
+
+{{% inspec-aws/aws_permissions_principal action="IAM:Client:GetGroupResponse" %}}
+
+You can find detailed documentation at [Actions, Resources, and Condition Keys for Identity And Access Management](https://docs.aws.amazon.com/IAM/latest/UserGuide/list_identityandaccessmanagement.html).
diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_iam_groups.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_iam_groups.md
new file mode 100644
index 0000000..892505a
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_iam_groups.md
@@ -0,0 +1,97 @@
++++
+title = "aws_iam_groups resource"
+
+draft = false
+
+
+[menu.aws]
+title = "aws_iam_groups"
+identifier = "inspec/resources/aws/aws_iam_groups resource"
+parent = "inspec/resources/aws"
++++
+
+Use the `aws_iam_groups` InSpec audit resource to test properties of a collection of IAM groups.
+
+For additional information, including details on parameters and properties, see the [AWS documentation on IAM Groups](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_groups.html).
+
+## Syntax
+
+An `aws_iam_groups` resource block identifies a group by group name.
+
+```ruby
+describe aws_iam_groups('mygroup') do
+ it { should exist }
+end
+```
+
+Hash syntax for group name:
+
+```ruby
+describe aws_iam_groups(group_name: 'mygroup') do
+ it { should exist }
+end
+```
+
+## Parameters
+
+This resource does not require any parameters.
+
+## Properties
+
+`group_names`
+: The group name.
+
+`group_ids`
+: The group ID.
+
+`arns`
+: The Amazon Resource Name of the group.
+
+`users`
+: Array of users associated with the group.
+
+`entries`
+: Provides access to the raw results of the query, which can be treated as an array of hashes.
+
+`has_inline_policies`
+: Boolean indicating whether or not the group has policies applied to it.
+
+`inline_policy_names`
+: The names of the policies (if any) which are applied to the group.
+
+## Examples
+
+Ensure group contains a certain user:
+
+```ruby
+describe aws_iam_groups do
+ it { should exist }
+ its('group_names') { should include 'prod-access-group' }
+end
+```
+
+Ensure there are no groups with inline policies:
+
+```ruby
+describe aws_iam_groups.where(has_inline_policies: true) do
+ its('group_names') { should be_empty }
+end
+```
+
+## Matchers
+
+### exist
+
+The control will pass if a group with the given group name exists.
+
+```ruby
+describe aws_iam_groups do
+ it { should exist }
+end
+```
+
+## AWS Permissions
+
+{{% inspec-aws/aws_permissions_principal action="IAM:Client:ListGroupsResponse" %}}
+
+You can find detailed documentation at [Actions, Resources, and Condition Keys for Identity And Access Management](https://docs.aws.amazon.com/IAM/latest/UserGuide/list_identityandaccessmanagement.html).
diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_iam_inline_policy.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_iam_inline_policy.md
new file mode 100644
index 0000000..9b23880
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_iam_inline_policy.md
@@ -0,0 +1,204 @@
++++
+title = "aws_iam_inline_policy resource"
+
+draft = false
+
+
+[menu.aws]
+title = "aws_iam_inline_policy"
+identifier = "inspec/resources/aws/aws_iam_inline_policy resource"
+parent = "inspec/resources/aws"
++++
+
+Use the `aws_iam_inline_policy` InSpec audit resource to test properties of a single inline AWS IAM Policy embedded with IAM User, IAM Group or IAM Role. For managed policies, use the `aws_iam_policy` resource.
+
+## Syntax
+
+An `aws_iam_inline_policy` resource block identifies an inline policy by policy name and user/group/role by name
+
+Find an inline policy by name and role name:
+
+```ruby
+describe aws_iam_inline_policy(role_name: 'role-x', policy_name: 'policy-1') do
+ it { should exist }
+end
+```
+
+Find an inline policy by name and group name:
+
+```ruby
+describe aws_iam_inline_policy(group_name: 'group-x', policy_name: 'policy-1') do
+ it { should exist }
+end
+```
+
+Find an inline policy by name and user name:
+
+```ruby
+describe aws_iam_inline_policy(user_name: 'user-a', policy_name: 'policy-1') do
+ it { should exist }
+end
+```
+
+## Parameters
+
+This resource requires `policy_name` and one of the `role_name`, `group_name` or `user_name` to be provided.
+
+See AWS Documentation on inline policies for more details
+
+- [get-role-policy](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/get-role-policy.html)
+- [get-group-policy](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/get-group-policy.html)
+- [get-user-policy](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/get-user-policy.html)
+
+## Properties
+
+`policy`
+: Returns the default version of the policy document after decoding as a Ruby hash. This hash contains the policy statements and is useful for performing checks that cannot be expressed using higher-level matchers like `have_statement`.
+
+`statement_count`
+: Returns the number of statements present in the `policy`.
+
+## Examples
+
+Test that a policy does exist:
+
+```ruby
+describe aws_iam_inline_policy(role_name: 'role-x', policy_name: 'policy-1') do
+ it { should exist }
+end
+```
+
+Examine the policy statements:
+
+```ruby
+describe aws_iam_inline_policy(role_name: 'role-x', policy_name: 'policy-1') do
+Verify that there is at least one statement allowing access to S3:
+
+ it { should have_statement(Action: 's3:PutObject', Effect: 'allow') }
+```
+
+```ruby
+have_statement does not expand wildcards. If you want to verify:
+they are absent, an explicit check is required:
+
+it { should_not have_statement(Action: 's3:*') }
+```
+
+```ruby
+You can also check NotAction:
+
+it { should_not have_statement(NotAction: 'iam:*') }
+ end
+```
+
+## Matchers
+
+{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}}
+
+This resource has the following special matchers.
+
+### exist
+
+The control will pass if the describe returns at least one result.
+
+Use `should_not` to test the entity should not exist.
+
+```ruby
+it { should exist }
+```
+
+```ruby
+it { should_not exist }
+```
+
+### have_statement
+
+Examines the list of statements contained in the policy and passes if at least one of the statements matches. This matcher does _not_ interpret the policy in a request authorization context, as AWS does when a request processed. Rather, `have_statement` examines the literal contents of the IAM policy, and reports on what is present (or absent, when used with `should_not`).
+
+`have_statement` accepts the following criteria to search for matching statements. If any statement matches all the criteria, the test is successful. All criteria may be used as Titlecase (as in the AWS examples) or lowercase, string or symbol.
+
+- `Action` - Expresses the requested operation. Acceptable literal values are any AWS operation name, including the '\*' wildcard character. `Action` may also use a list of AWS operation names.
+- `Effect` - Expresses if the operation is permitted.
Acceptable values are 'Deny' and 'Allow'.
+- `Sid` - A user-provided string identifier for the statement.
+- `Resource` - Expresses the operation's target. Acceptable values are ARNs, including the '\*' wildcard. `Resource` may also use a list of ARN values.
+
+Please note the following about the behavior of `have_statement`:
+
+- `Action`, `Sid`, and `Resource` allow using a regular expression as the search critera instead of a string literal.
+- it does not support wildcard expansion; to check for a wildcard value, check for it explicitly. For example, if the policy includes a statement with `"Action": "s3:*"` and the test checks for `Action: "s3:PutObject"`, the test _will not match_. You must write an additional test checking for the wildcard case.
+- it supports searching list values. For example, if a statement contains a list of 3 resources, and a `have_statement` test specifes _one_ of those resources, it will match.
+- `Action` and `Resource` allow using a list of string literals or regular expressions in a test, in which case _all_ must match on the _same_ statement for the test to match. Order is ignored.
+- it does not support the `[Principal](https://docs.aws.amazon.com/IAM/latest/UserGuide/intro-structure.html#intro-structure-principal)` or `Conditional` key, or any of `NotAction`, `Not[Principal](https://docs.aws.amazon.com/IAM/latest/UserGuide/intro-structure.html#intro-structure-principal)`, or `NotResource`.
+
+Examples:
+
+Verify there is no full:-admin statement
+
+```ruby
+describe aws_iam_inline_policy(role_name: 'role-x', policy_name: 'policy-1') do
+ it { should_not have_statement('Effect' => 'Allow', 'Resource' => '*', 'Action' => '*')}
+end
+```
+
+Symbols and lowercase also allowed as criteria:
+
+```ruby
+describe aws_iam_inline_policy(role_name: 'role-x', policy_name: 'policy-1') do
+ # All 4 the same
+ it { should_not have_statement('Effect' => 'Allow', 'Resource' => '*', 'Action' => '*')}
+ it { should_not have_statement('effect' => 'Allow', 'resource' => '*', 'action' => '*')}
+ it { should_not have_statement(Effect: 'Allow', Resource: '*', Action: '*')}
+ it { should_not have_statement(effect: 'Allow', resource: '*', action: '*')}
+end
+```
+
+Verify bob is allowed to manage things on S3 buckets that start with bobs:-stuff
+
+```ruby
+describe aws_iam_inline_policy(role_name: 'role-x', policy_name: 'policy-1') do
+ it { should have_statement(Effect: 'Allow',
+ # Using the AWS wildcard - this must match exactly
+ Resource: 'arn:aws:s3:::bobs-stuff*',
+ # Specify a list of actions - all must match, no others, order isn't important
+ Action: ['s3:PutObject', 's3:GetObject', 's3:DeleteObject'])}
+```
+
+```ruby
+# Bob would make new buckets constantly if we let him.
+it { should_not have_statement(Effect: 'Allow', Action: 's3:CreateBucket')}
+it { should_not have_statement(Effect: 'Allow', Action: 's3:*')}
+it { should_not have_statement(Effect: 'Allow', Action: '*')}
+```
+
+```ruby
+# An alternative to checking for wildcards is to specify the
+# statements you expect, then restrict statement count
+its('statement_count') { should cmp 1 }
+ end
+```
+
+Use regular expressions to examine the policy:
+
+```ruby
+describe aws_iam_inline_policy(role_name: 'role-x', policy_name: 'policy-1') do
+ # Check to see if anything mentions RDS at all.
+ # This catches `rds:CreateDBinstance` and `rds:*`, but would not catch '*'.
+ it { should_not have_statement(Action: /^rds:.+$/)}
+```
+
+```ruby
+# This policy should refer to both sally and kim's s3 buckets.
+# This will only match if there is a statement that refers to both resources.
+it { should have_statement(Resource: [/arn:aws:s3.+:sally/, /arn:aws:s3.+:kim/]) }
+# The following also matches on a statement mentioning only one of them
+it { should have_statement(Resource: /arn:aws:s3.+:(sally|kim)/) }
+ end
+```
+
+## AWS Permissions
+
+Your [Principal](https://docs.aws.amazon.com/IAM/latest/UserGuide/intro-structure.html#intro-structure-principal) will need the `IAM:Client:GetUserPolicyResponse`, `IAM:Client:GetPolicyResponse`, and `IAM:Client:GetRolePolicyResponse` actions set to allow.
+
+You can find detailed documentation at [Actions, Resources, and Condition Keys for Identity And Access Management](https://docs.aws.amazon.com/IAM/latest/UserGuide/list_identityandaccessmanagement.html).
+
+aws_iam_inline_policy.md
diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_iam_instance_profile.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_iam_instance_profile.md
new file mode 100644
index 0000000..81099be
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_iam_instance_profile.md
@@ -0,0 +1,146 @@
++++
+title = "aws_iam_instance_profile resource"
+
+draft = false
+
+
+[menu.aws]
+title = "aws_iam_instance_profile"
+identifier = "inspec/resources/aws/aws_iam_instance_profile resource"
+parent = "inspec/resources/aws"
++++
+
+Use the `aws_iam_instance_profile` InSpec audit resource to test properties of a single IAM instance profile.
+
+This resource retrieves information about the specified instance profile, including the instance profile's path, GUID, ARN, and role.
+
+For additional information, including details on parameters and properties, see the [AWS documentation on IAM Instance Profile](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-instanceprofile.html).
+
+## Syntax
+
+Ensure that a instance profile name exists.
+
+```ruby
+describe aws_iam_instance_profile(instance_profile_name: 'INSTANCE_PROFILE_NAME') do
+ it { should exist }
+end
+```
+
+## Parameters
+
+`instance_profile_name` _(required)_
+
+## Properties
+
+`path`
+: The path to the instance profile.
+
+`instance_profile_name`
+: The name identifying the instance profile.
+
+`instance_profile_id`
+: The stable and unique string identifying the instance profile.
+
+`arn`
+: The Amazon Resource Name (ARN) specifying the instance profile.
+
+`create_date`
+: The date when the instance profile was created.
+
+`roles (path)`
+: The path to the role.
+
+`roles (role_name)`
+: The friendly name that identifies the role.
+
+`roles (role_id)`
+: The stable and unique string identifying the role.
+
+`roles (arn)`
+: The Amazon Resource Name (ARN) specifying the role.
+
+`roles (create_date)`
+: The date and time, in [ISO 8601 date-time format](https://www.iso.org/iso-8601-date-and-time-format.html), when the role was created.
+
+`roles (assume_role_policy_document)`
+: The policy that grants an entity permission to assume the role.
+
+`roles (description)`
+: A description of the role that you provide.
+
+`roles (max_session_duration)`
+: The maximum session duration (in seconds) for the specified role. Anyone who uses the AWS CLI, or API to assume the role can specify the duration using the optional DurationSeconds API parameter or duration-seconds CLI parameter.
+
+`roles (permissions_boundary (permissions_boundary_type))`
+: The permissions boundary usage type that indicates what type of IAM resource is used as the permissions boundary for an entity. This data type can only have a value of Policy .
+
+`roles (permissions_boundary (permissions_boundary_arn))`
+: The ARN of the policy used to set the permissions boundary for the user or role.
+
+`roles (tags (key))`
+: The key name that can be used to look up or retrieve the associated value. For example, Department or Cost Center are common choices.
+
+`roles (tags (value))`
+: The value associated with this tag. For example, tags with a key name of Department could have values such as Human Resources , Accounting , and Support . Tags with a key name of Cost Center might have values that consist of the number associated with the different cost centers in your company. Typically, many resources have tags with the same key name but with different values.
+
+`roles (role_last_used (last_used_date))`
+: The date and time, in ISO 8601 date-time format that the role was last used.
+
+`roles (role_last_used (region))`
+: The name of the AWS Region in which the role was last used.
+
+## Examples
+
+Ensure a instance profile name is available:
+
+```ruby
+describe aws_iam_instance_profile(instance_profile_name: 'INSTANCE_PROFILE_NAME') do
+ its('instance_profile_name') { should eq 'INSTANCE_PROFILE_NAME' }
+end
+```
+
+Ensure that an arn is available:
+
+```ruby
+describe aws_iam_instance_profile(instance_profile_name: 'INSTANCE_PROFILE_NAME') do
+ its('arn') { should eq 'INSTANCE_PROFILE_NAME_ARN' }
+end
+```
+
+## Matchers
+
+{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}}
+
+This resource has the following special matchers.
+
+### exist
+
+Use `should` to test that the entity exists.
+
+```ruby
+describe aws_iam_instance_profile(instance_profile_name: 'INSTANCE_PROFILE_NAME') do
+ it { should exist }
+end
+```
+
+Use `should_not` to test the entity does not exist.
+
+```ruby
+describe aws_iam_instance_profile(instance_profile_name: 'INSTANCE_PROFILE_NAME') do
+ it { should_not exist }
+end
+```
+
+### be_available
+
+Use `should` to check if the instance profile name is available.
+
+```ruby
+describe aws_iam_instance_profile(instance_profile_name: 'INSTANCE_PROFILE_NAME') do
+ it { should be_available }
+end
+```
+
+## AWS Permissions
+
+{{% inspec-aws/aws_permissions_principal action="IAM:Client:GetInstanceProfileResponse" %}}
diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_iam_instance_profiles.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_iam_instance_profiles.md
new file mode 100644
index 0000000..e899877
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_iam_instance_profiles.md
@@ -0,0 +1,107 @@
++++
+title = "aws_iam_instance_profiles resource"
+
+draft = false
+
+
+[menu.aws]
+title = "aws_iam_instance_profiles"
+identifier = "inspec/resources/aws/aws_iam_instance_profiles resource"
+parent = "inspec/resources/aws"
++++
+
+Use the `aws_iam_instance_profiles` InSpec audit resource to test properties of multiple IAM instance profiles.
+
+This resource lists the instance profiles that have the specified path prefix.
+
+For additional information, including details on parameters and properties, see the [AWS documentation on IAM Instance Profile](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-instanceprofile.html).
+
+## Syntax
+
+Ensure that an instance profile name exists.
+
+```ruby
+describe aws_iam_instance_profiles do
+ it { should exist }
+end
+```
+
+## Parameters
+
+This resource does not require any parameters.
+
+## Properties
+
+`paths`
+: The path to the instance profile.
+
+`instance_profile_names`
+: The name identifying the instance profile.
+
+`instance_profile_ids`
+: The stable and unique string identifying the instance profile.
+
+`arns`
+: The Amazon Resource Name (ARN) specifying the instance profile.
+
+`create_dates`
+: The date when the instance profile was created.
+
+`roles`
+: The role associated with the instance profile.
+
+## Examples
+
+Ensure an instance profile name is available:
+
+```ruby
+describe aws_iam_instance_profiles do
+ its('instance_profile_names') { should include 'INSTANCE_PROFILE_NAME' }
+end
+```
+
+Ensure that an arn is available:
+
+```ruby
+describe aws_iam_instance_profiles do
+ its('arns') { should include 'INSTANCE_PROFILE_ARN' }
+end
+```
+
+## Matchers
+
+{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}}
+
+The controls will pass if the `list` method returns at least one result.
+
+### exist
+
+Use `should` to test that the entity exists.
+
+```ruby
+describe aws_iam_instance_profiles do
+ it { should exist }
+end
+```
+
+Use `should_not` to test the entity does not exist.
+
+```ruby
+describe aws_iam_instance_profiles do
+ it { should_not exist }
+end
+```
+
+### be_available
+
+Use `should` to check if the work_group name is available.
+
+```ruby
+describe aws_iam_instance_profiles do
+ it { should be_available }
+end
+```
+
+## AWS Permissions
+
+{{% inspec-aws/aws_permissions_principal action="IAM:Client:ListInstanceProfilesResponse" %}}
diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_iam_managed_policies.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_iam_managed_policies.md
new file mode 100644
index 0000000..50ba772
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_iam_managed_policies.md
@@ -0,0 +1,143 @@ ++++ +title = "aws_iam_managed_policies resource" + +draft = false + + +[menu.aws] +title = "aws_iam_managed_policies" +identifier = "inspec/resources/aws/aws_iam_managed_policies resource" +parent = "inspec/resources/aws" ++++ + +Use the `aws_iam_managed_policies` InSpec audit resource to test the properties of a collection of AWS IAM managed policies. + +## Syntax + +The `aws_iam_managed_policies` resource returns a collection of IAM managed policies and allows testing of that collection. + +```ruby +describe aws_iam_managed_policies do + its('policy_names') { should include('POLICY_NAME') } +end +``` + +This resource allows filtering by scope, which are: + +- To list only AWS-managed policies, set `scope` to `AWS`. +- To list only the customer-managed policies in your AWS account, set `scope` to `Local`. +- If a scope is not provided or if `scope` is set to `ALL`, all policies are returned. + +```ruby +describe aws_iam_managed_policies(scope: 'AWS') do + it { should exist } +end +``` + +```ruby +describe aws_iam_managed_policies(scope: 'Local') do + it { should exist } +end +``` + +```ruby +describe aws_iam_managed_policies(scope: 'ALL') do + it { should exist } +end +``` + +See the [AWS documentation on IAM Managed Policy](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-managedpolicy.html) for additional information. + +## Parameters + +`scope` _(optional)_ + +`scope` accepts three possible values, `AWS`, `Local`, or `ALL`: + +- `AWS` returns AWS-managed policies. +- `Local` returns customer-managed policies. +- `ALL` returns all policies. + +: Specify a scope by passing a key-value entry in a hash: `scope: 'VALUE'`. + +: If ommitted, all policies are returned. + +## Properties + +`arns` +: A list of the ARN identifiers of the policies. + +: **Field**: `arn` + +`policy_ids` +: A list of the stable and unique strings identifying the policies. 
+ +: **Field**: `policy_id` + +`policy_names` +: A list of the friendly names (not ARN) identifying the policies. + +: **Field**: `policy_name` + +`attachment_counts` +: A list of the counts of attached entities for each policy. + +: **Field**: `attachment_count` + +`attached_groups` +: A list of the list of group names of the groups attached to each policy. + +: **Field**: `attached_group` + +`default_version_ids` +: A list of the identifier for the default version of the policy. + +: **Field**: `default_version_id` + +## Examples + +Ensure a specific policy exists: + +```ruby +describe aws_iam_managed_policies do + its('policy_names') { should include('POLICY_NAME') } +end +``` + +Allow at most 100 IAM Policies on the account: + +```ruby +describe aws_iam_managed_policies do + its('polict_ids.count') { should be <= 100} +end +``` + +## Matchers + +For a full list of available matchers, visit the [InSpec matchers page](https://www.inspec.io/docs/reference/matchers/). + +### exist + +The control passes if the describe returns at least one result. + +Use `should` to test the entity should exist. + +```ruby +describe aws_iam_managed_policies.where( PROPERTY: PROPERTY_VALUE) do + it { should exist } +end +``` + +Use `should_not` to test the entity should not exist. + +```ruby +describe aws_iam_managed_policies.where( PROPERTY: PROPERTY_VALUE) do + it { should_not exist } +end +``` + +## AWS Permissions + +{{% inspec-aws/aws_permissions_principal action="iam:ListPolicies" %}} + +You can find detailed documentation at [Actions, Resources, and Condition Keys for Identity And Access Management](https://docs.aws.amazon.com/IAM/latest/UserGuide/list_identityandaccessmanagement.html). diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_iam_managed_policy.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_iam_managed_policy.md new file mode 100644 index 0000000..c1cd88d --- /dev/null 
+++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_iam_managed_policy.md 
@@ -0,0 +1,99 @@ ++++ +title = "aws_iam_managed_policy resource" + +draft = false + + +[menu.aws] +title = "aws_iam_managed_policy" +identifier = "inspec/resources/aws/aws_iam_managed_policy resource" +parent = "inspec/resources/aws" ++++ + +Use the `aws_iam_managed_policy` InSpec audit resource to test the properties of an AWS IAM managed policy. + +## Syntax + +The `aws_iam_managed_policy` resource returns an IAM managed policy and allows testing of that policy. + +```ruby +describe aws_iam_managed_policy(policy_arn: 'POLICY_ARN') do + its('policy_name') { should eq 'POLICY_NAME' } +end +``` + +See the [AWS documentation on IAM Managed Policy](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-managedpolicy.html) for additional information. + +## Parameters + +`policy_arn` _(required)_ + +: The ARN of the AWS IAM managed policy. + +## Properties + +`arn` +: The ARN identifier of the specified policy. + +`policy_id` +: The stable and unique string identifying the policy. + +`policy_name` +: The friendly name (not ARN) identifying the policy. + +`attachment_count` +: The count of attached entities for each policy. + +`attached_group` +: The list of group names of the groups attached to each policy. + +`default_version_id` +: The identifier for the default version of the policy. + +## Examples + +Test that a specific policy name exists: + +```ruby +describe aws_iam_managed_policy(policy_arn: 'POLICY_ARN') do + its('policy_name') { should eq 'POLICY_NAME' } +end +``` + +Test that a specific policy ID exists: + +```ruby +describe aws_iam_managed_policy(policy_arn: 'POLICY_ARN') do + its('policy_id') { should eq 'POLICY_ID'} +end +``` + +## Matchers + +For a full list of available matchers, visit the [InSpec matchers page](https://www.inspec.io/docs/reference/matchers/). + +### exist + +The control passes if the describe method returns at least one result. + +Use `should` to test an entity that should exist. 
+ +```ruby +describe aws_iam_managed_policy(policy_arn: 'POLICY_ARN').where( PROPERTY: PROPERTY_VALUE ) do + it { should exist } +end +``` + +Use `should_not` to test an entity that should not exist. + +```ruby +describe aws_iam_managed_policy(policy_arn: 'POLICY_ARN').where( PROPERTY: PROPERTY_VALUE ) do + it { should_not exist } +end +``` + +## AWS Permissions + +{{% inspec-aws/aws_permissions_principal action="iam:ListPolicies" %}} + +You can find detailed documentation at [Actions, Resources, and Condition Keys for Identity And Access Management](https://docs.aws.amazon.com/IAM/latest/UserGuide/list_identityandaccessmanagement.html). diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_iam_oidc_provider.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_iam_oidc_provider.md new file mode 100644 index 0000000..92f2ba2 --- /dev/null +++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_iam_oidc_provider.md 
@@ -0,0 +1,100 @@
++++
+title = "aws_iam_oidc_provider resource"
+
+draft = false
+
+
+[menu.aws]
+title = "aws_iam_oidc_provider"
+identifier = "inspec/resources/aws/aws_iam_oidc_provider resource"
+parent = "inspec/resources/aws"
++++
+
+Use the `aws_iam_oidc_provider` InSpec audit resource to test properties of a single IAM OpenID Connect (OIDC) provider.
+
+This resource retrieves information about the specified OIDC provider.
+
+For additional information, including details on parameters and properties, see the [AWS documentation on IAM OIDC provider](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-oidcprovider.html).
+
+## Syntax
+
+Ensure that an OIDC provider exists.
+
+```ruby
+describe aws_iam_oidc_provider(open_id_connect_provider_arn: 'OIDC_PROVIDER_ARN') do
+ it { should exist }
+end
+```
+
+## Parameters
+
+`open_id_connect_provider_arn` _(required)_
+
+: The Amazon Resource Name (ARN) of the OIDC provider resource object in IAM to get information for.
+
+## Properties
+
+`url`
+: The URL that the IAM OIDC provider resource object is associated with.
+
+`create_date`
+: The date and time when the IAM OIDC provider resource object was created in the account.
+
+`tags`
+: A list of tags that are attached to the specified IAM OIDC provider.
+
+## Examples
+
+Ensure an URL is available:
+
+```ruby
+describe aws_iam_oidc_provider(open_id_connect_provider_arn: 'OIDC_PROVIDER_ARN') do
+ its('url') { should eq 'example.com' }
+end
+```
+
+Ensure that tags are available:
+
+```ruby
+describe aws_iam_oidc_provider(open_id_connect_provider_arn: 'OIDC_PROVIDER_ARN') do
+ its('tags') { should eq ':TAG => 'TAG_VALUE' }
+end
+```
+
+## Matchers
+
+{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}}
+
+This resource has the following special matchers.
+
+### exist
+
+Use `should` to test that the entity exists.
+
+```ruby
+describe aws_iam_oidc_provider(open_id_connect_provider_arn: 'OIDC_PROVIDER_ARN') do
+ it { should exist }
+end
+```
+
+Use `should_not` to test the entity does not exist.
+
+```ruby
+describe aws_iam_oidc_provider(open_id_connect_provider_arn: 'OIDC_PROVIDER_ARN') do
+ it { should_not exist }
+end
+```
+
+### be_available
+
+Use `should` to check if the entity is available.
+
+```ruby
+describe aws_iam_oidc_provider(open_id_connect_provider_arn: 'OIDC_PROVIDER_ARN') do
+ it { should be_available }
+end
+```
+
+## AWS Permissions
+
+{{% inspec-aws/aws_permissions_principal action="IAM:Client:GetOpenIDConnectProviderResponse" %}}
diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_iam_oidc_providers.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_iam_oidc_providers.md
new file mode 100644
index 0000000..e3a6ad4
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_iam_oidc_providers.md
@@ -0,0 +1,84 @@
++++
+title = "aws_iam_oidc_providers resource"
+
+draft = false
+
+
+[menu.aws]
+title = "aws_iam_oidc_providers"
+identifier = "inspec/resources/aws/aws_iam_oidc_providers resource"
+parent = "inspec/resources/aws"
++++
+
+Use the `aws_iam_oidc_providers` InSpec audit resource to test properties of a set of AWS IAM OpenID Connect (OIDC) providers.
+
+This resource retrieves information about all OIDC providers.
+
+## Syntax
+
+Ensure that an OIDC provider exists.
+
+```ruby
+describe aws_iam_oidc_providers do
+ it { should exist }
+end
+```
+
+For additional information, see the [AWS documentation on IAM OIDC provider](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-oidcprovider.html).
+
+## Parameters
+
+This resource does not require any parameters.
+
+## Properties
+
+`arns`
+: The Amazon Resource Name (ARN).
+
+## Examples
+
+Ensure a OIDC Provider is available:
+
+```ruby
+describe aws_iam_oidc_providers do
+ its('arns') { should include 'OIDC_PROVIDER_ARN' }
+end
+```
+
+## Matchers
+
+{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}}
+
+The controls will pass if the `list` method returns at least one result.
+
+### exist
+
+Use `should` to test that the entity exists.
+
+```ruby
+describe aws_iam_oidc_providers do
+ it { should exist }
+end
+```
+
+Use `should_not` to test the entity does not exist.
+
+```ruby
+describe aws_iam_oidc_providers do
+ it { should_not exist }
+end
+```
+
+### be_available
+
+Use `should` to check if the OIDC Provider is available.
+
+```ruby
+describe aws_iam_oidc_providers do
+ it { should be_available }
+end
+```
+
+## AWS Permissions
+
+{{% inspec-aws/aws_permissions_principal action="IAM:Client:ListOpenIDConnectProviderTagsResponse" %}}
diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_iam_password_policy.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_iam_password_policy.md
new file mode 100644
index 0000000..0295469
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_iam_password_policy.md
@@ -0,0 +1,121 @@
++++
+title = "aws_iam_password_policy resource"
+
+draft = false
+
+
+[menu.aws]
+title = "aws_iam_password_policy"
+identifier = "inspec/resources/aws/aws_iam_password_policy resource"
+parent = "inspec/resources/aws"
++++
+
+Use the `aws_iam_password_policy` InSpec audit resource to test properties of an AWS IAM Password Policy.
+
+For additional information, including details on parameters and properties, see the [AWS documentation on Auto Scaling Group](https://docs.aws.amazon.com/autoscaling/ec2/userguide/AutoScalingGroup.html).
+
+## Syntax
+
+An `aws_iam_password_policy` resource block declares the tests for an AWS IAM Password Policy.
+
+```ruby
+describe aws_iam_password_policy do
+ it { should exist }
+end
+```
+
+## Parameters
+
+This resource does not require any parameters.
+
+## Properties
+
+`minimum_password_length`
+: The minimum character count of the password policy.
+
+`max_password_age_in_days`
+: Integer representing in days how long a password may last before expiring.
+
+`number_of_passwords_to_remember`
+: Number of previous passwords to remember.
+
+## Examples
+
+Test that a Password Policy meets your company's requirements:
+
+```ruby
+describe aws_iam_password_policy do
+ it { should require_uppercase_characters }
+ it { should require_lowercase_characters }
+ it { should require_numbers }
+ its('minimum_password_length') { should be > 8 }
+end
+```
+
+Test that users can change their own passwords :
+
+```ruby
+describe aws_iam_password_policy do
+ it { should allow_users_to_change_password }
+end
+```
+
+## Matchers
+
+{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}}
+
+This resource has the following special matchers.
+
+### exist
+
+```ruby
+it { should exist }
+```
+
+#### prevent_password_reuse
+
+```ruby
+it { should prevent_password_reuse }
+```
+
+#### expire_passwords
+
+```ruby
+it { should expire_passwords }
+```
+
+#### require_numbers
+
+```ruby
+it { should require_numbers }
+```
+
+#### require_symbols
+
+```ruby
+it { should require_symbols }
+```
+
+#### require_lowercase_characters
+
+```ruby
+it { should require_lowercase_characters }
+```
+
+#### require_uppercase_characters
+
+```ruby
+it { should require_uppercase_characters}
+```
+
+#### allow_users_to_change_passwords
+
+```ruby
+it { should allow_users_to_change_password }
+```
+
+All matchers can use the inverse `should_not` predicate.
+
+## AWS Permissions
+
+Your [Principal](https://docs.aws.amazon.com/IAM/latest/UserGuide/intro-structure.html#intro-structure-principal) will need the following permissions action set to allow: `IAM:Client:GetAccountPasswordPolicyResponse`
diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_iam_policies.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_iam_policies.md
new file mode 100644
index 0000000..1bd1ed6
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_iam_policies.md
@@ -0,0 +1,112 @@
++++
+title = "aws_iam_policies resource"
+
+draft = false
+
+
+[menu.aws]
+title = "aws_iam_policies"
+identifier = "inspec/resources/aws/aws_iam_policies resource"
+parent = "inspec/resources/aws"
++++
+
+Use the `aws_iam_policies` InSpec audit resource to test properties of a collection of AWS IAM Policies.
+
+For additional information, including details on parameters and properties, see the [AWS documentation on IAM Policy](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html).
+
+## Syntax
+
+`aws_iam_policies` Resource returns a collection of IAM Policies and allows testing of that collection.
+
+```ruby
+describe aws_iam_policies do
+ its('policy_names') { should include('test-policy-1') }
+end
+```
+
+## Parameters
+
+`only_attached` _(optional)_
+
+: This resource allows filtering by only_attached.
+ When `OnlyAttached` is `true`, the returned list contains only the policies that are attached to an IAM user, group, or role. When `OnlyAttached` is `false`, or when the parameter is not included, all policies are returned.
+
+`scope` _(optional)_
+
+: This resource allows filtering by scope.
+ To list only AWS managed policies, set `Scope` to `AWS`. To list only the customer managed policies in your AWS account, set `Scope` to `Local`. If scope is not supplied `ALL` policies are returned.
+
+## Properties
+
+`arns`
+: The ARN identifier of the specified policy.
+
+`policy_ids`
+: The policy ids.
+
+`policy_names`
+: The policy names.
+
+`attachment_counts`
+: The count of attached entities for each policy.
+
+`attached_groups`
+: The list of group names of the groups attached to each policy.
+
+`attached_roles`
+: The list of role names of the roles attached to each policy.
+
+`attached_users`
+: The list of usernames of the users attached to each policy.
+
+`default_version_ids`
+: The 'default_version_id' value of each policy.
+
+`entries`
+: Provides access to the raw results of the query, which can be treated as an array of hashes.
+
+## Examples
+
+Ensure a policy exists:
+
+```ruby
+describe aws_iam_policies do
+ its('policy_names') { should include('test-policy-1') }
+end
+```
+
+Allow at most 100 IAM Policies on the account:
+
+```ruby
+describe aws_iam_policies do
+ its('entries.count') { should be <= 100}
+end
+```
+
+## Matchers
+
+For a full list of available matchers, visit the [InSpec matchers page](https://www.inspec.io/docs/reference/matchers/).
+
+### exist
+
+The control will pass if the describe returns at least one result.
+
+Use `should_not` to test the entity should not exist.
+
+```ruby
+describe aws_iam_policies.where( : ) do
+ it { should exist }
+end
+```
+
+```ruby
+describe aws_iam_policies.where( : ) do
+ it { should_not exist }
+end
+```
+
+## AWS Permissions
+
+{{% inspec-aws/aws_permissions_principal action="IAM:Client:ListPoliciesResponse" %}}
+
+You can find detailed documentation at [Actions, Resources, and Condition Keys for Identity And Access Management](https://docs.aws.amazon.com/IAM/latest/UserGuide/list_identityandaccessmanagement.html).
diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_iam_policy.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_iam_policy.md
new file mode 100644
index 0000000..180170d
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_iam_policy.md
@@ -0,0 +1,267 @@ ++++ +title = "aws_iam_policy resource" + +draft = false + + +[menu.aws] +title = "aws_iam_policy" +identifier = "inspec/resources/aws/aws_iam_policy resource" +parent = "inspec/resources/aws" ++++ + +Use the `aws_iam_policy` InSpec audit resource to test properties of a single managed AWS IAM Policy. + +For additional information, including details on parameters and properties, see the [AWS documentation on IAM Policy](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html). + +## Syntax + +An `aws_iam_policy` resource block identifies a policy by policy name or arn + +Find a policy by name: + +```ruby +describe aws_iam_policy('AWSSupportAccess') do + it { should exist } +end +``` + +Hash syntax for policy name: + +```ruby +describe aws_iam_policy(policy_name: 'AWSSupportAccess') do + it { should exist } +end +``` + +## Parameters + +This resource requires either the `policy_name` or the `policy_arn` to be provided. + +`policy_name` _(required if `policy_arn` not provided)_ + +: The Policy Name which uniquely identifies the Policy. + This must be passed as a `policy_name: 'value'` key-value entry in a hash. + +`policy_arn` _(required if `policy_name` not provided)_ + +: The Policy ARN which uniquely identifies the Policy. + This must be passed as a `policy_arn: 'value'` key-value entry in a hash. + +## Properties + +`arn` +: The ARN identifier of the specified policy. + +`attachment_count` +: The count of attached entities for the specified policy. + +`attached_groups` +: The list of group names of the groups attached to the policy. + +`attached_roles` +: The list of role names of the roles attached to the policy. + +`attached_users` +: The list of usernames of the users attached to the policy. + +`default_version_id` +: The 'default_version_id' value of the specified policy. + +`policy` +: Returns the default version of the policy document after decoding as a Ruby hash. 
This hash contains the policy statements and is useful for performing checks that cannot be expressed using higher-level matchers like `have_statement`. + +`statement_count` +: Returns the number of statements present in the `policy`. + +## Examples + +Test that a policy does exist: + +```ruby +describe aws_iam_policy('AWSSupportAccess') do + it { should exist } +end +``` + +Test that a policy is attached to at least one entity: + +```ruby +describe aws_iam_policy('AWSSupportAccess') do + it { should be_attached } +end +``` + +Examine the policy statements: + +```ruby +describe aws_iam_policy('my-policy') do +Verify that there is at least one statement allowing access to S3: + + it { should have_statement(Action: 's3:PutObject', Effect: 'allow') } +``` + +```ruby +have_statement does not expand wildcards. If you want to verify: +they are absent, an explicit check is required: + +it { should_not have_statement(Action: 's3:*') } +``` + +```ruby +You can also check NotAction: + +it { should_not have_statement(NotAction: 'iam:*') } + end +``` + +## Matchers + +{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}} + +This resource has the following special matchers. + +### exist + +The control will pass if the describe returns at least one result. + +Use `should_not` to test the entity should not exist. + +```ruby +it { should exist } +``` + +```ruby +it { should_not exist } +``` + +#### be_attached + +The test will pass if the identified policy is attached to at least one IAM user, group, or role. + +```ruby +describe aws_iam_policy('AWSSupportAccess') do + it { should be_attached } +end +``` + +#### be_attached_to_group(GROUPNAME) + +The test will pass if the identified policy attached the specified group. + +```ruby +describe aws_iam_policy('AWSSupportAccess') do + it { should be_attached_to_group(GROUPNAME) } +end +``` + +#### be_attached_to_user(USERNAME) + +The test will pass if the identified policy attached the specified user. 
+ +```ruby +describe aws_iam_policy('AWSSupportAccess') do + it { should be_attached_to_user(USERNAME) } +end +``` + +#### be_attached_to_role(ROLENAME) + +The test will pass if the identified policy attached the specified role. + +```ruby +describe aws_iam_policy('AWSSupportAccess') do + it { should be_attached_to_role(ROLENAME) } +end +``` + +#### have_statement + +Examines the list of statements contained in the policy and passes if at least one of the statements matches. This matcher does _not_ interpret the policy in a request authorization context, as AWS does when a request processed. Rather, `have_statement` examines the literal contents of the IAM policy, and reports on what is present (or absent, when used with `should_not`). + +`have_statement` accepts the following criteria to search for matching statements. If any statement matches all the criteria, the test is successful. All criteria may be used as Titlecase (as in the AWS examples) or lowercase, string or symbol. + +* `Action` - Expresses the requested operation. Acceptable literal values are any AWS operation name, including the '*' wildcard character. `Action` may also use a list of AWS operation names. +* `Effect` - Expresses if the operation is permitted. Acceptable values are 'Deny' and 'Allow'. +* `Sid` - A user-provided string identifier for the statement. +* `Resource` - Expresses the operation's target. Acceptable values are ARNs, including the '*' wildcard. `Resource` may also use a list of ARN values. + +Please note the following about the behavior of `have_statement`: + +* `Action`, `Sid`, and `Resource` allow using a regular expression as the search critera instead of a string literal. +* It does not support wildcard expansion; to check for a wildcard value, check for it explicitly. For example, if the policy includes a statement with `"Action": "s3:*"` and the test checks for `Action: "s3:PutObject"`, the test _will not match_. 
You must write an additional test checking for the wildcard case. +* It supports searching list values. For example, if a statement contains a list of 3 resources, and a `have_statement` test specifes _one_ of those resources, it will match. +* `Action` and `Resource` allow using a list of string literals or regular expressions in a test, in which case _all_ must match on the _same_ statement for the test to match. Order is ignored. +* It does not support the [Principal](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_principal.html), [NotPrincipal](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_notprincipal.html) or [Condition](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition.html). + +Examples: + +Verify there is no full:-admin statement + +```ruby +describe aws_iam_policy('kryptonite') do + it { should_not have_statement('Effect' => 'Allow', 'Resource' => '*', 'Action' => '*')} +end +``` + +Symbols and lowercase also allowed as criteria: + +```ruby +describe aws_iam_policy('kryptonite') do + # All 4 the same + it { should_not have_statement('Effect' => 'Allow', 'Resource' => '*', 'Action' => '*')} + it { should_not have_statement('effect' => 'Allow', 'resource' => '*', 'action' => '*')} + it { should_not have_statement(Effect: 'Allow', Resource: '*', Action: '*')} + it { should_not have_statement(effect: 'Allow', resource: '*', action: '*')} +end +``` + +Verify bob is allowed to manage things on S3 buckets that start with bobs:-stuff + +```ruby +describe aws_iam_policy('bob-is-a-packrat') do + it { should have_statement(Effect: 'Allow', + # Using the AWS wildcard - this must match exactly + Resource: 'arn:aws:s3:::bobs-stuff*', + # Specify a list of actions - all must match, no others, order isn't important + Action: ['s3:PutObject', 's3:GetObject', 's3:DeleteObject'])} +``` + +```ruby +# Bob would make new buckets constantly if we let him. 
+it { should_not have_statement(Effect: 'Allow', Action: 's3:CreateBucket')} +it { should_not have_statement(Effect: 'Allow', Action: 's3:*')} +it { should_not have_statement(Effect: 'Allow', Action: '*')} +``` + +```ruby +# An alternative to checking for wildcards is to specify the +# statements you expect, then restrict statement count +its('statement_count') { should cmp 1 } + end +``` + +Use regular expressions to examine the policy: + +```ruby +describe aws_iam_policy('regex-demo') do + # Check to see if anything mentions RDS at all. + # This catches `rds:CreateDBinstance` and `rds:*`, but would not catch '*'. + it { should_not have_statement(Action: /^rds:.+$/)} +``` + +```ruby +# This policy should refer to both sally and kim's s3 buckets. +# This will only match if there is a statement that refers to both resources. +it { should have_statement(Resource: [/arn:aws:s3.+:sally/, /arn:aws:s3.+:kim/]) } +# The following also matches on a statement mentioning only one of them +it { should have_statement(Resource: /arn:aws:s3.+:(sally|kim)/) } + end +``` + +## AWS Permissions + +Your [Principal](https://docs.aws.amazon.com/IAM/latest/UserGuide/intro-structure.html#intro-structure-principal) will need the `IAM:Client:GetGroupPolicyResponse`, `IAM:Client:ListPoliciesResponse`, and `IAM:Client:ListEntitiesForPolicyResponse` actions set to allow. + +You can find detailed documentation at [Actions, Resources, and Condition Keys for Identity And Access Management](https://docs.aws.amazon.com/IAM/latest/UserGuide/list_identityandaccessmanagement.html). +aws_iam_policy.md diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_iam_role.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_iam_role.md new file mode 100644 index 0000000..15712d3 --- /dev/null +++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_iam_role.md 
@@ -0,0 +1,114 @@
++++
+title = "aws_iam_role resource"
+
+draft = false
+
+
+[menu.aws]
+title = "aws_iam_role"
+identifier = "inspec/resources/aws/aws_iam_role resource"
+parent = "inspec/resources/aws"
++++
+
+Use the `aws_iam_role` InSpec audit resource to test properties of an AWS IAM Role.
+
+For additional information, including details on parameters and properties, see the [AWS documentation on IAM Roles](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles.html).
+
+## Syntax
+
+An `aws_iam_role` resource block declares the tests for a single AWS IAM Role by Role Name.
+
+```ruby
+describe aws_iam_role(role_name: 'my-role') do
+ it { should exist }
+end
+```
+
+## Parameters
+
+`role_name` _(required)_
+
+: This resource accepts a single parameter, the Role Name which uniquely identifies the Role.
+ This can be passed either as a string or as a `role_name: 'value'` key-value entry in a hash.
+
+## Properties
+
+`path`
+: The path to the role.
+
+`role_name`
+: The name of the role.
+
+`role_id`
+: The id of the role.
+
+`arn`
+: The Amazon Resource Name (ARN) specifying the role.
+
+`create_date`
+: The date and time, in ISO 8601 date-time format , when the role was created.
+
+`assume_role_policy_document`
+: The policy that grants an entity permission to assume the role.
+
+`description`
+: The description of the role.
+
+`max_session_duration`
+: The maximum session duration (in seconds) for the specified role. Anyone who uses the AWS CLI, or API to assume the role can specify the duration using the optional DurationSeconds API parameter or duration-seconds CLI parameter.
+
+`permissions_boundary_type`
+: The permissions boundary usage type that indicates what type of IAM resource is used as the permissions boundary for an entity. This data type can only have a value of Policy .
+
+`permissions_boundary_arn`
+: The ARN of the policy used to set the permissions boundary for the user or role.
+
+`inline_policies`
+: A list of inline policy names associated with the described role.
+
+`attached_policy_names`
+: A list of attached policy names associated with the described role.
+
+`attached_policy_arns`
+: A list of attached policy ARNs associated with the described role.
+
+## Examples
+
+Test that an IAM Role exists:
+
+```ruby
+describe aws_iam_role(role_name: aws_iam_role_name) do
+ it { should exist }
+ its('role_name') { should eq aws_iam_role_name }
+end
+```
+
+## Matchers
+
+{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}}
+
+This resource has the following special matchers.
+
+### exist
+
+The control will pass if the describe returns at least one result.
+
+Use `should_not` to test the entity should not exist.
+
+```ruby
+describe aws_iam_role('AnExistingRole') do
+ it { should exist }
+end
+```
+
+```ruby
+describe aws_iam_role('ANonExistentRole') do
+ it { should_not exist }
+end
+```
+
+## AWS Permissions
+
+{{% inspec-aws/aws_permissions_principal action="IAM:Client:GetRoleResponse" %}}
+
+You can find detailed documentation at [Actions, Resources, and Condition Keys for Amazon EC2](https://docs.aws.amazon.com/IAM/latest/UserGuide/list_amazonec2.html).
diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_iam_roles.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_iam_roles.md
new file mode 100644
index 0000000..73f9a90
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_iam_roles.md
@@ -0,0 +1,104 @@ ++++ +title = "aws_iam_roles resource" + +draft = false + + +[menu.aws] +title = "aws_iam_roles" +identifier = "inspec/resources/aws/aws_iam_roles resource" +parent = "inspec/resources/aws" ++++ + +Use the `aws_iam_roles` InSpec audit resource to test properties of a collection of AWS IAM Roles. + +For additional information, including details on parameters and properties, see the [AWS documentation on IAM Roles](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles.html). + +## Syntax + +An `aws_iam_roles` resource block returns all IAM Roles and allows the testing of that group of Roles. + +```ruby +describe aws_iam_roles do + it { should exist } +end +``` + +## Parameters + +This resource does not require any parameters. + +## Properties + +`paths` +: The path to the role. + +`role_names` +: The name of the role. + +`role_ids` +: The ID of the role. + +`arns` +: The Amazon Resource Name (ARN) specifying the role. + +`create_date` +: The date and time, in ISO 8601 date-time format, when the role was created. + +`assume_role_policy_document` +: The policy that grants an entity permission to assume the role. + +`description` +: The description of the role. + +`max_session_duration` +: The maximum session duration (in seconds) for the specified role. Anyone who uses the AWS CLI, or API to assume the role can specify the duration using the optional DurationSeconds API parameter or duration-seconds CLI parameter. + +`permissions_boundary_type` +: The permissions boundary usage type that indicates what type of IAM resource is used as the permissions boundary for an entity. This data type can only have a value of Policy. + +`permissions_boundary_arn` +: The ARN of the policy used to set the permissions boundary for the user or role. + +`entries` +: Provides access to the raw results of the query, which can be treated as an array of hashes. 
+ +## Examples + +Ensure the Role 'RDS-RW' exists: + +```ruby +describe aws_iam_roles do + its('role_names') { should include 'RDS-RW' } +end +``` + +Ensure no Roles have `max_session_duration` greater or equal to 2hrs: + +```ruby +describe aws_iam_roles.where{ max_session_duration >= (60*120) } do + it { should_not exist } +end +``` + +## Matchers + +For a full list of available matchers, visit the [InSpec matchers page](https://www.inspec.io/docs/reference/matchers/). + +### exist + +The `exists` matcher tests if the filtered IAM User(s) exists. + +```ruby +describe aws_iam_roles.where( : ) do + it { should exist } +end +``` + +You may also use `it { should_not exist }`. + +## AWS Permissions + +{{% inspec-aws/aws_permissions_principal action="IAM:Client:ListRolesResponse" %}} + +You can find detailed documentation at [Actions, Resources, and Condition Keys for Amazon EC2](https://docs.aws.amazon.com/IAM/latest/UserGuide/list_amazonec2.html). diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_iam_root_user.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_iam_root_user.md new file mode 100644 index 0000000..594c721 --- /dev/null +++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_iam_root_user.md 
@@ -0,0 +1,111 @@ ++++ +title = "aws_iam_root_user resource" + +draft = false + + +[menu.aws] +title = "aws_iam_root_user" +identifier = "inspec/resources/aws/aws_iam_root_user resource" +parent = "inspec/resources/aws" ++++ + +Use the `aws_iam_root_user` InSpec audit resource to test properties of an AWS IAM Root User. + +For additional information, including details on parameters and properties, see the [AWS documentation on Root Users](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.html). + +## Syntax + +An `aws_iam_root_user` resource block declares the tests for a single AWS IAM Root User by user name. + +```ruby +describe aws_iam_root_user do + it { should exist } +end +``` + +## Parameters + +This resource does not require any parameters. + +## Properties + +`summary_account` +: A hash containing a summary of the Root User's account. Properties within this hash can be accessed and tested against. Please see the [API Documentation](https://docs.aws.amazon.com/IAM/latest/APIReference/API_GetAccountSummary.html) for details on the available properties. + +`virtual_devices` +: A list of the virtual MFA devices in the AWS account. + +## Examples + +Test that an IAM Root User has MFA enabled: + +```ruby +describe aws_iam_root_user do + it { should have_mfa_enabled } +end +``` + +Test that an IAM Root User does not have an access key: + +```ruby +describe aws_iam_root_user do + it { should_not have_access_key } +end +``` + +Test the IAM Root User has virtual MFA enabled: + +```ruby +describe aws_iam_root_user do + it { should have_virtual_mfa_enabled } +end +``` + +## Matchers + +{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}} + +This resource has the following special matchers. + +### exist + +The control will pass if the describe returns at least one result. + +Use `should_not` to test the entity should not exist. 
+ +```ruby +describe aws_iam_root_user do + it { should exist } +end +``` + +### have_mfa_enabled + +```ruby +it { should have_mfa_enabled } +``` + +### have_virtual_mfa_enabled + +```ruby +it { should have_virtual_mfa_enabled } +``` + +### have_access_key + +```ruby +it { should have_access_key } +``` + +### have_hardware_mfa_enabled + +```ruby +it { should have_hardware_mfa_enabled } +``` + +## AWS Permissions + +Your [Principal](https://docs.aws.amazon.com/IAM/latest/UserGuide/intro-structure.html#intro-structure-principal) will need the following permissions action set to allow: +`IAM:Client:GetAccountSummaryResponse` +`IAM:Client:ListVirtualMFADevicesResponse` diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_iam_saml_provider.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_iam_saml_provider.md new file mode 100644 index 0000000..7b33c14 --- /dev/null +++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_iam_saml_provider.md 
@@ -0,0 +1,87 @@ ++++ +title = "aws_iam_saml_provider resource" + +draft = false + + +[menu.aws] +title = "aws_iam_saml_provider" +identifier = "inspec/resources/aws/aws_iam_saml_provider resource" +parent = "inspec/resources/aws" ++++ + +Use the `aws_iam_saml_provider` InSpec audit resource to test properties of an AWS IAM SAML Provider. + +## Syntax + +```ruby +describe aws_iam_saml_provider('SAML_ARN') do + it { should exist } +end +``` + +## Parameters + +`saml_provider_arn` _(required)_ + +: This resource accepts a single parameter, the ARN of the SAML Provider. + This can be passed either as a string or as a `saml_provider_arn: 'value'` key-value entry in a hash. + +## Properties + +`provider` +: The provider. + +`arn` +: The arn of the provider. + +`saml_metadata_document` +: Metadata document associated with the saml provider. + +`valid_until` +: The expiration date and time for the SAML provider. + +`create_date` +: The date and time, in ISO 8601 date-time format , when the role was created. + +## Syntax + +An `aws_iam_saml_provider` resource block declares the tests for a single AWS IAM SAML Provider by Provider ARN. + +```ruby +describe aws_iam_saml_provider('arn:aws:iam::123456789012:saml-provider/FANCY') do + it { should exist } +end +``` + +## Examples + +Ensure we have at least one provider currently valid: + +```ruby +describe aws_iam_saml_provider("arn:aws:iam::123456789012:saml-provider/FANCY") do + it { should exist } + its("arn") { should match("arn:aws:iam::.*:saml-provider\/FANCY") } + its("valid_until") { should be > Time.now + 90 * 86400 } + end +``` + +## Matchers + +For a full list of available matchers, visit the [InSpec matchers page](https://www.inspec.io/docs/reference/matchers/). + +### exist + +The `exists` matcher tests if the filtered IAM SAML Provider(s) exists. 
+ +```ruby +describe aws_iam_saml_provider('arn:aws:iam::123456789012:saml-provider/FANCY') do + it { should exist } +end +``` + +You may also use `it { should_not exist }`. + +## AWS Permissions + +{{% inspec-aws/aws_permissions_principal action="IAM:Client:GetSAMLProviderResponse" %}} diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_iam_saml_providers.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_iam_saml_providers.md new file mode 100644 index 0000000..3104d3f --- /dev/null +++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_iam_saml_providers.md 
@@ -0,0 +1,95 @@ ++++ +title = "aws_iam_saml_providers resource" + +draft = false + + +[menu.aws] +title = "aws_iam_saml_providers" +identifier = "inspec/resources/aws/aws_iam_saml_providers resource" +parent = "inspec/resources/aws" ++++ + +Use the `aws_iam_saml_providers` InSpec audit resource to test properties of some or all AWS IAM SAML Providers. + +## Syntax + +An `aws_iam_saml_providers` resource block returns all IAM SAML Providers and allows the testing of that group of Providers. + +```ruby +describe aws_iam_saml_providers do + it { should exist } +end +``` + +## Parameters + +`saml_provider_arn` _(required)_ + +: This resource accepts a single parameter, the ARN of the SAML Provider. + This can be passed either as a string or as a `saml_provider_arn: 'value'` key-value entry in a hash. + +## Properties + +`provider_arns` +: The ARNs of the returned providers. + +`valid_untils` +: The expiration date and time for the SAML provider. + +`entries` +: Provides access to the raw results of the query, which can be treated as an array of hashes. + +## Examples + +Ensure we have at least one provider currently valid: + +```ruby +describe.one do + aws_iam_saml_providers.provider_arns.each do |provider_arn| + describe aws_iam_saml_provider(provider_arn) do + it { should exist } + its('arn') { should match("arn:aws:iam::.*:saml-provider\/FANCY") } + its('valid_until') { should be > Time.now + 90 * 86400 } + end + end +end +``` + +Ensure we have one and only one SAML provider: + +```ruby +describe aws_iam_saml_providers do + its('entries.count') { should cmp 1 } +end +``` + +Ensure we have at least one provider that matches: + +```ruby +describe aws_iam_saml_providers.where{ arn =~ /arn:aws:iam::.*:saml-provider\/FANCY/ } do + it { should exist } +end +``` + +## Matchers + +For a full list of available matchers, visit the [InSpec matchers page](https://www.inspec.io/docs/reference/matchers/). 
+ +### exist + +The `exists` matcher tests if the filtered IAM SAML Provider(s) exists. + +```ruby +describe aws_iam_saml_providers.where( : ) do + it { should exist } +end +``` + +You may also use `it { should_not exist }`. + +## AWS Permissions + +Your [Principal](https://docs.aws.amazon.com/IAM/latest/UserGuide/intro-structure.html#intro-structure-principal) will need the following permissions set to Allow: +`IAM:Client:ListSAMLProvidersResponse` +`IAM:Client:etSAMLProviderResponse` diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_iam_server_certificate.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_iam_server_certificate.md new file mode 100644 index 0000000..c0f52f2 --- /dev/null +++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_iam_server_certificate.md 
@@ -0,0 +1,107 @@ ++++ +title = "aws_iam_server_certificate resource" + +draft = false + + +[menu.aws] +title = "aws_iam_server_certificate" +identifier = "inspec/resources/aws/aws_iam_server_certificate resource" +parent = "inspec/resources/aws" ++++ + +Use the `aws_iam_server_certificate` InSpec audit resource to test the properties of a single IAM server certificate. + +This resource retrieves information about the specified server certificate, including the server certificate's path, GUID, ARN, and role. + +For additional information, including details on parameters and properties, see the [AWS documentation on IAM Instance Profile](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-instanceprofile.html). + +## Syntax + +Ensure that a server certificate name exists. + +```ruby +describe aws_iam_server_certificate(server_certificate_name: 'CERTIFICATE_NAME') do + it { should exist } +end +``` + +## Parameters + +`server_certificate_name` _(required)_ + +## Properties + +`path` +: The path to the server certificate. + +`server_certificate_name` +: The name that identifies the server certificate. + +`server_certificate_id` +: The stable and unique string identifying the server certificate. + +`arn` +: The Amazon Resource Name (ARN) specifying the server certificate. + +`upload_date` +: The date when the server certificate is uploaded. + +`expiration` +: The date on which the certificate is set to expire. 
+ +## Examples + +Ensure a server certificate name is available: + +```ruby +describe aws_iam_server_certificate(server_certificate_name: 'CERTIFICATE_NAME') do + its('server_certificate_name') { should eq 'PROFILE_NAME' } +end +``` + +Ensure that an arn is available: + +```ruby +describe aws_iam_server_certificate(server_certificate_name: 'CERTIFICATE_NAME') do + its('arn') { should eq 'INSTANCE_PROFILE_NAME_ARN' } +end +``` + +## Matchers + +{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}} + +This resource has the following special matchers. + +### exist + +Use `should` to test that the entity exists. + +```ruby +describe aws_iam_server_certificate(server_certificate_name: 'CERTIFICATE_NAME') do + it { should exist } +end +``` + +Use `should_not` to test the entity does not exist. + +```ruby +describe aws_iam_server_certificate(server_certificate_name: 'CERTIFICATE_NAME') do + it { should_not exist } +end +``` + +### be_available + +Use `should` to check if the server certificate is available. + +```ruby +describe aws_iam_server_certificate(server_certificate_name: 'CERTIFICATE_NAME') do + it { should be_available } +end +``` + +## AWS Permissions + +{{% inspec-aws/aws_permissions_principal action="IAM:Client:GetServerCertificateResponse" %}} diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_iam_server_certificates.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_iam_server_certificates.md new file mode 100644 index 0000000..b3d5796 --- /dev/null +++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_iam_server_certificates.md 
@@ -0,0 +1,103 @@ ++++ +title = "aws_iam_server_certificates resource" + +draft = false + + +[menu.aws] +title = "aws_iam_server_certificates" +identifier = "inspec/resources/aws/aws_iam_server_certificates resource" +parent = "inspec/resources/aws" ++++ + +Use the `aws_iam_server_certificates` InSpec audit resource to test the properties of all IAM server certificates. + +This resource retrieves information about the server certificate, including the server certificate's path, GUID, ARN, and role. + +## Syntax + +Ensure that a server certificate name exists. + +```ruby +describe aws_iam_server_certificates do + it { should exist } +end +``` + +For additional information, see the [AWS documentation on IAM Instance Profile](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-instanceprofile.html). + +## Properties + +`paths` +: The path to the server certificate. + +`server_certificate_names` +: The name that identifies the server certificate. + +`server_certificate_ids` +: The stable and unique string identifying the server certificate. + +`arns` +: The Amazon Resource Name (ARN) specifying the server certificate. + +`upload_date` +: The date when the server certificate is uploaded. + +`expiration_date` +: The date on which the certificate is set to expire. + +## Examples + +Ensure a server certificate name is available: + +```ruby +describe aws_iam_server_certificates do + its('server_certificate_name') { should include 'PROFILE_NAME' } +end +``` + +Ensure that an arn is available: + +```ruby +describe aws_iam_server_certificates do + its('arn') { should include 'INSTANCE_PROFILE_NAME_ARN' } +end +``` + +## Matchers + +{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}} + +The controls will pass if the `list` method returns at least one result. + +### exist + +Use `should` to test that the entity exists. 
+ +```ruby +describe aws_iam_server_certificates do + it { should exist } +end +``` + +Use `should_not` to test the entity does not exist. + +```ruby +describe aws_iam_server_certificates do + it { should_not exist } +end +``` + +### be_available + +Use `should` to check if the server certificate is available. + +```ruby +describe aws_iam_server_certificates do + it { should be_available } +end +``` + +## AWS Permissions + +{{% inspec-aws/aws_permissions_principal action="IAM:Client:ListServerCertificateResponse" %}} diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_iam_service_linked_role_deletion_status.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_iam_service_linked_role_deletion_status.md new file mode 100644 index 0000000..1d46c3e --- /dev/null +++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_iam_service_linked_role_deletion_status.md 
@@ -0,0 +1,86 @@ ++++ +title = "aws_iam_service_linked_role_deletion_status resource" + +draft = false + + +[menu.aws] +title = "aws_iam_service_linked_role_deletion_status" +identifier = "inspec/resources/aws/aws_iam_service_linked_role_deletion_status resource" +parent = "inspec/resources/aws" ++++ + +Use the `aws_iam_service_linked_role_deletion_status` InSpec audit resource to test the deletion status of a single AWS IAM service-linked role. + +`deletion_task_id` _(required)_ + +The deletion task identifier. + +For additional information, including details on parameters and properties, see the [AWS documentation on Service linked role deletion status](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-servicelinkedrole.html). + +## Syntax + +Ensure that a service-linked role deletion task exists. + +```ruby +describe aws_iam_service_linked_role_deletion_status(deletion_task_id: 'DELETION_TASK_ID') do + it { should exist } +end +``` + +## Parameters + +`deletion_task_id` _(required)_ + +: The deletion task identifier. + +## Properties + +`status` +: The status of the deletion. Valid Values: `SUCCEEDED`, `IN_PROGRESS`, `FAILED`, `NOT_STARTED`. + +## Examples + +Ensure a service-linked role is deleted: + +```ruby +describe aws_iam_service_linked_role_deletion_status(deletion_task_id: 'DELETION_TASK_ID') do + its('status') { should eq 'SUCCEEDED' } +end +``` + +## Matchers + +This InSpec audit resource has the following special matchers. For a complete list of available matchers, please visit our [Universal Matchers page](https://www.inspec.io/docs/reference/matchers/). + +### exist + +Use `should` to test that the entity exists. + +```ruby +describe aws_iam_service_linked_role_deletion_status(deletion_task_id: 'DELETION_TASK_ID') do + it { should exist } +end +``` + +Use `should_not` to test the entity does not exist. 
+ +```ruby +describe aws_iam_service_linked_role_deletion_status(deletion_task_id: 'DELETION_TASK_ID') do + it { should_not exist } +end +``` + +### be_available + +Use `should` to check if the Service Linked Role deletion task is available. + +```ruby +describe aws_iam_service_linked_role_deletion_status(deletion_task_id: 'DELETION_TASK_ID') do + it { should be_available } +end +``` + +## AWS Permissions + +{{% inspec-aws/aws_permissions_principal action="IAM:Client:GetServiceLinkedRoleDeletionStatusResponse" %}} diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_iam_ssh_public_key.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_iam_ssh_public_key.md new file mode 100644 index 0000000..6a12be7 --- /dev/null +++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_iam_ssh_public_key.md 
@@ -0,0 +1,126 @@ ++++ +title = "aws_iam_ssh_public_key resource" + +draft = false + + +[menu.aws] +title = "aws_iam_ssh_public_key" +identifier = "inspec/resources/aws/aws_iam_ssh_public_key resource" +parent = "inspec/resources/aws" ++++ + +Use the `aws_iam_ssh_public_key` InSpec audit resource to test the properties of a singular resource of an AWS SSH public key for an IAM user. + +For additional information, including details on parameters and properties, see the [AWS documentation on AWS IAM AccessKey.](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-iam-accesskey.html). + +## Syntax + +Ensure that the public key exists. + +```ruby +describe aws_iam_ssh_public_key(user_name: 'USER_NAME', ssh_public_key_id: 'KEY_ID', encoding: 'SSH') do + it { should exist } +end +``` + +## Parameters + +`user_name` _(required)_ + +: The IAM user name associated with the SSH public key. + +`ssh_public_key_id` _(required)_ + +: The unique identifier for the SSH public key. + +`encoding` _(required)_ + +: Specifies the public key encoding format to use in the response. To retrieve the public key in SSH-RSA format, use `SSH`. To retrieve the public key in PEM format, use `PEM`. + +## Properties + +`user_name` +: The name of the IAM user associated with the SSH public key. + +`ssh_public_key_id` +: The unique identifier for the SSH public key. + +`fingerprint` +: The MD5 message digest of the SSH public key. + +`ssh_public_key_body` +: The SSH public key. + +`status` +: The status of the SSH public key. + +`upload_date` +: The date and time, in ISO 8601 date-time format, when the SSH public key is uploaded. + +`ssh_key_age_valid` +: This is a customized parameter. It helps to check AWS IAM SSH keys's age rotated within 730 days. It returns a boolean value. 
+ +## Examples + +Ensure a user name is available: + +```ruby +describe aws_iam_ssh_public_key(user_name: 'USER_NAME', ssh_public_key_id: 'KEY_ID', encoding: 'SSH') do + its('user_name') { should eq 'USER_NAME' } +end +``` + +Ensure an SSH public key ID is available: + +```ruby +describe aws_iam_ssh_public_key(user_name: 'USER_NAME', ssh_public_key_id: 'KEY_ID', encoding: 'SSH') do + its('ssh_public_key_id') { should eq 'SSH_PUBLIC_KEY_ID' } +end +``` + +Ensure SSH key is expired or not: + +```ruby +describe aws_iam_ssh_public_key(user_name: 'USER_NAME', ssh_public_key_id: 'KEY_ID', encoding: 'SSH') do + its('ssh_key_age_valid') { should eq true } +end +``` + +## Matchers + +{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}} + +The control passes if the `get` method returns at least one result. + +### exist + +Use `should` to test that the entity exists. + +```ruby +describe aws_iam_ssh_public_key(user_name: 'USER_NAME', ssh_public_key_id: 'KEY_ID', encoding: 'SSH') do + it { should exist } +end +``` + +Use `should_not` to test the entity does not exist. + +```ruby +describe aws_iam_ssh_public_key(user_name: 'USER_NAME', ssh_public_key_id: 'KEY_ID', encoding: 'SSH') do + it { should_not exist } +end +``` + +### be_available + +Use `should` to check if the entity is available. + +```ruby +describe aws_iam_ssh_public_key(user_name: 'USER_NAME', ssh_public_key_id: 'KEY_ID', encoding: 'SSH') do + it { should be_available } +end +``` + +## AWS Permissions + +{{% inspec-aws/aws_permissions_principal action="IAM:Client:GetSSHPublicKeyResponse" %}} diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_iam_ssh_public_keys.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_iam_ssh_public_keys.md new file mode 100644 index 0000000..8cc6393 --- /dev/null +++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_iam_ssh_public_keys.md 
@@ -0,0 +1,151 @@ ++++ +title = "aws_iam_ssh_public_keys resource" + +draft = false + + +[menu.aws] +title = "aws_iam_ssh_public_keys" +identifier = "inspec/resources/aws/aws_iam_ssh_public_keys resource" +parent = "inspec/resources/aws" ++++ + +Use the `aws_iam_ssh_public_keys` InSpec audit resource to test the properties of the plural resource of an AWS SSH public key for an IAM user. + +For additional information, including details on parameters and properties, see the [AWS documentation on AWS IAM AccessKey.](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-iam-accesskey.html). + +## Syntax + +Ensure that the public key exists by passing the parameter user_name. + +```ruby +describe aws_iam_ssh_public_keys(user_name: 'USER_NAME') do + it { should exist } +end +``` + +Ensure that the public key exists without passing any parameter. + +```ruby +describe aws_iam_ssh_public_keys do + it { should exist } +end +``` + +## Parameters + +`user_name` _(required)_ + +: The IAM user name associated with the SSH public key. The above required parameter is optional. + +## Properties + +`user_names` +: The IAM user name associated with the SSH public key. + +: **Field**: `user_name` + +`ssh_public_key_ids` +: The unique identifier for the SSH public key. + +: **Field**: `ssh_public_key_id` + +`statuses` +: The status of the SSH public key. + +: **Field**: `status` + +`upload_dates` +: The date and time, in ISO 8601 date-time format, when the SSH public key is uploaded. 
+ +: **Field**: `upload_date` + +## Examples + +Ensure a user name is available: + +```ruby +describe aws_iam_ssh_public_keys do + its('user_names') { should include 'USER_NAME' } +end +``` + +Ensure an ssh public key id is available: + +```ruby +describe aws_iam_ssh_public_keys do + its('ssh_public_key_ids') { should include 'KEY_ID' } +end +``` + +Ensure status is 'Active' by passing the parameter user_name: + +```ruby +describe aws_iam_ssh_public_keys(user_name: 'USER_NAME') do + its('statuses') { should include 'Active' } +end +``` + +Ensure status is 'Active' without passing any parameter: + +```ruby +describe aws_iam_ssh_public_keys do + its('statuses') { should include 'Active' } +end +``` + +## Matchers + +{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}} + +The control passes if the `list` method returns at least one result. + +### exist + +Use `should` to test that the entity exists. + +```ruby +describe aws_iam_ssh_public_keys(user_name: 'USER_NAME') do + it { should exist } +end +``` + +```ruby +describe aws_iam_ssh_public_keys do + it { should exist } +end +``` + +Use `should_not` to test the entity does not exist. + +```ruby +describe aws_iam_ssh_public_keys(user_name: 'USER_NAME') do + it { should_not exist } +end +``` + +```ruby +describe aws_iam_ssh_public_keys do + it { should_not exist } +end +``` + +### be_available + +Use `should` to check if the entity is available. + +```ruby +describe aws_iam_ssh_public_keys(user_name: 'USER_NAME') do + it { should be_available } +end +``` + +```ruby +describe aws_iam_ssh_public_keys do + it { should be_available } +end +``` + +## AWS Permissions + +{{% inspec-aws/aws_permissions_principal action="IAM:Client:ListSSHPublicKeysResponse" %}} diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_iam_user.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_iam_user.md new file mode 100644 index 0000000..f80c181 --- /dev/null 
+++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_iam_user.md 
@@ -0,0 +1,146 @@ ++++ +title = "aws_iam_user resource" + +draft = false + + +[menu.aws] +title = "aws_iam_user" +identifier = "inspec/resources/aws/aws_iam_user resource" +parent = "inspec/resources/aws" ++++ + +Use the `aws_iam_user` InSpec audit resource to test properties of a single AWS IAM User. + +For additional information, including details on parameters and properties, see the [AWS documentation on IAM Users](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_users.html). + +## Syntax + +An `aws_iam_user` resource block declares the tests for a single AWS IAM User by user name. + +```ruby +describe aws_iam_user(user_name: 'psmith') do + it { should exist } +end +``` + +## Parameters + +`user_name` _(required)_ + +: This resource accepts a single parameter, the User's username which uniquely identifies the User. +This can be passed either as a string or as a `user_name: 'value'` key-value entry in a hash. + +## Properties + +`username` +: The friendly name identifying the user. + +`user_id` +: The stable and unique string identifying the user. + +`user_arn` +: The Amazon Resource Name (ARN) that identifies the user. + +`access_keys` +: An array of hashes each containing metadata about the user's Access Keys. + +`inline_policy_names` +: The names of policies directly attached to the user. + +`attached_policy_names` +: The name of standalone IAM policies which are attached to the user. + +`attached_policy_arns` +: The Amazon Resource Name (ARN) that identifies the user. + +`user_path` +: The path to the user. + +`user_create_date` +: The date and time, in ISO 8601 date-time format, when the user was created. + +`user_password_last_used` +: The date and time, in ISO 8601 date-time format, when the user's password was last used to sign in to an Amazon Web Services website. + +`permissions_boundary` +: The permissions boundary usage type that indicates what type of IAM resource is used as the permissions boundary for an entity. 
+ +`user_tags` +: A list of tags that are associated with the user. + +* has_mfa_enabled +* has_console_password + +## Examples + +The following examples show how to use this InSpec audit resource. + +Test that an IAM user does not exist: + +```ruby +describe aws_iam_user(user_name: 'invalid-user') do + it { should_not exist } +end +``` + +Test that an IAM user has MFA enabled: + +```ruby +describe aws_iam_user('psmith') do + it { should exist } + it { should have_mfa_enabled } +end +``` + +Ensure a User has no Access Keys or Inline Policies: + +```ruby +describe aws_iam_user('psmith') do + it { should exist } + its('access_keys') { should be_empty } + its('inline_policy_names') { should be_empty } +end +``` + +## Matchers + +{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}} + +This resource has the following special matchers. + +### exist + +The control will pass if the describe returns at least one result. + +Use `should_not` to test the entity should not exist. + +```ruby +it { should exist } +``` + +#### has_mfa_enabled + +This will check if the requested User has Multi Factor Authentication enabled. + +```ruby +it { should have_mfa_enabled } +``` + +#### has_console_password + +This will ensure the User has a console password set. + +```ruby +it { should have_console_password } +``` + +## AWS Permissions + +Your [Principal](https://docs.aws.amazon.com/IAM/latest/UserGuide/intro-structure.html#intro-structure-principal) will need the following permissions action set to allow: +`IAM:Client:GetUserResponse` +`IAM:Client:GetLoginProfileResponse` +`IAM:Client:ListMFADevicesResponse` +`IAM:Client:ListAccessKeysResponse` +`IAM:Client:ListUserPoliciesResponse` +`IAM:Client:ListAttachedUserPoliciesResponse` diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_iam_users.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_iam_users.md new file mode 100644 index 0000000..b1717a5 --- /dev/null 
+++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_iam_users.md 
@@ -0,0 +1,131 @@ ++++ +title = "aws_iam_users resource" + +draft = false + + +[menu.aws] +title = "aws_iam_users" +identifier = "inspec/resources/aws/aws_iam_users resource" +parent = "inspec/resources/aws" ++++ + +Use the `aws_iam_users` InSpec audit resource to test properties of some or all AWS IAM Users. + +For additional information, including details on parameters and properties, see the [AWS documentation on IAM Users](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_users.html). + +## Syntax + +An `aws_iam_users` resource block returns all IAM Users and allows the testing of that group of Users. + +```ruby +describe aws_iam_users do + its('usernames') { should include 'payroll-admin' } +end +``` + +## Parameters + +This resource does not require any parameters. + +## Properties + +`usernames` +: The usernames of the returned Users. + +`user_arns` +: The Amazon Resource Names of the returned Users. + +`user_ids` +: The IDs of the returned Users. + +`access_keys` +: Array of Access Keys belonging to each User. + +`has_attached_policies` +: Whether or not the User has IAM Policies attached. + +`attached_policy_names` +: The names (if any) of the IAM Policies attached to the User. + +`attached_policy_arns` +: The Amazon Resource Names (if any) of the IAM Policies attached to the User. + +`has_console_password` +: Whether or not the User has a console password set. + +`has_inline_policies` +: Boolean indicating whether or not the User has policies set directly on them. + +`inline_policy_names` +: The names of the policies (if any) which are directly on the User. + +`has_mfa_enabled` +: Boolean indicating whether the User has MFA enabled or not. + +`password_ever_used?` +: Whether the user has even used their console password. + +`password_last_used_days_ago` +: How long ago, in days, since the user last used their console password. Returns `-1` if the password has never been used. 
+ +`entries` +: Provides access to the raw results of the query, which can be treated as an array of hashes. + +## Examples + +Ensure there are no Users who do not have MFA enabled: + +```ruby +describe aws_iam_users.where( has_mfa_enabled: false) do + it { should_not exist } +end +``` + +Ensure there are no Users with inline policies: + +```ruby +describe aws_iam_users.where(has_inline_policies: true) do + its('usernames') { should be_empty } +end +``` + +Ensure there are no Users with attached policies: + +```ruby +describe aws_iam_users.where(has_attached_policies: true) do + its('usernames') { should be_empty } +end +``` + +## Matchers + +For a full list of available matchers, visit the [InSpec matchers page](https://www.inspec.io/docs/reference/matchers/). + +### exist + +The control will pass if the describe returns at least one result. + +Use `should_not` to test the entity should not exist. + +```ruby +describe aws_iam_users.where( : ) do + it { should exist } +end +``` + +```ruby +describe aws_iam_users.where( : ) do + it { should_not exist } +end +``` + +## AWS Permissions + +Your [Principal](https://docs.aws.amazon.com/IAM/latest/UserGuide/intro-structure.html#intro-structure-principal) will need the following permissions set to Allow: +`IAM:Client:GetLoginProfileResponse` +`IAM:Client:ListUsersResponse` +`IAM:Client:ListMFADevicesResponse` +`IAM:Client:ListAccessKeysResponse` +`IAM:Client:ListUserPoliciesResponse` +`IAM:Client:ListAttachedUserPoliciesResponse` diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_iam_virtual_mfa_devices.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_iam_virtual_mfa_devices.md new file mode 100644 index 0000000..5867c16 --- /dev/null +++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_iam_virtual_mfa_devices.md 
@@ -0,0 +1,129 @@ ++++ +title = "aws_iam_virtual_mfa_devices resource" + +draft = false + + +[menu.aws] +title = "aws_iam_virtual_mfa_devices" +identifier = "inspec/resources/aws/aws_iam_virtual_mfa_devices resource" +parent = "inspec/resources/aws" ++++ + +Use the `aws_iam_virtual_mfa_devices` InSpec audit resource to test properties of multiple virtual multi-factor authentication (MFA) devices. + +This resource does not require any parameters. + +For additional information, including details on parameters and properties, see the [AWS documentation on IAM virtual MFA Devices](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-virtualmfadevice.html). + +## Syntax + +Ensure that a virtual MFA device exists. + +```ruby +describe aws_iam_virtual_mfa_devices do + it { should exist } +end +``` + +## Parameters + +This resource does not require any parameters. + +## Properties + +`serial_numbers` +: A list of the virtual MFA device's serial number identifiers. + +: **Field**: `serial_number` + +`paths` +: A list of the user paths. + +: **Field**: `path` + +`user_names` +: A list of the friendly names identifying the users. + +: **Field**: `user_name` + +`user_ids` +: A list of the stable and unique user IDs. + +: **Field**: `user_id` + +`arns` +: A list of the Amazon Resource Names (ARNs) that identify the users. + +: **Field**: `arn` + +`create_dates` +: A list of timestamps, in ISO 8601 date-time format, when the user was created. + +: **Field**: `create_date` + +`enable_dates` +: A list of timestamps on which the virtual MFA devices were enabled. + +: **Field**: `enable_date` + +`tags` +: A list of the tags for the resources. 
+ +: **Field**: `tags` + +## Examples + +Ensure a username is available: + +```ruby +describe aws_iam_virtual_mfa_devices do + its('user_names') { should include 'USER_NAME' } +end +``` + +Ensure that an ARN is available: + +```ruby +describe aws_iam_virtual_mfa_devices do + its('arns') { should include 'USER_ARN' } +end +``` + +## Matchers + +This InSpec audit resource has the following special matchers. For a complete list of available matchers, please visit our [Universal Matchers page](https://www.inspec.io/docs/reference/matchers/). + +The controls will pass if the `list` method returns at least one result. + +### exist + +Use `should` to test that the entity exists. + +```ruby +describe aws_iam_virtual_mfa_devices do + it { should exist } +end +``` + +Use `should_not` to test the entity does not exist. + +```ruby +describe aws_iam_virtual_mfa_devices do + it { should_not exist } +end +``` + +### be_available + +Use `should` to check if the entity is available. + +```ruby +describe aws_iam_virtual_mfa_devices do + it { should be_available } +end +``` + +## AWS Permissions + +{{% inspec-aws/aws_permissions_principal action="IAM:Client:ListVirtualMFADevicesResponse" %}} diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_internet_gateway.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_internet_gateway.md new file mode 100644 index 0000000..4e57e34 --- /dev/null +++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_internet_gateway.md 
@@ -0,0 +1,115 @@ ++++ +title = "aws_internet_gateway resource" + +draft = false + + +[menu.aws] +title = "aws_internet_gateway" +identifier = "inspec/resources/aws/aws_internet_gateway resource" +parent = "inspec/resources/aws" ++++ + +Use the `aws_internet_gateway` InSpec audit resource to test the properties of a single AWS internet gateway. + +## Syntax + +An `aws_internet_gateway` resource block declares the tests for a single AWS internet gateway by id or name. + +```ruby +describe aws_internet_gateway(id: 'igw-abc0123456789deff') do + it { should exist } +end +``` + +```ruby +describe aws_internet_gateway(name: 'my-igw') do + it { should exist } +end +``` + +## Parameters + +Either the id or the name must be provided. + +`id` _(required if `name` not provided)_ + +: The value of the `internet_gateway_id` assigned by the AWS after the resource has been created. + This should be in the format of `igw-` followed by 8 or 17 hexadecimal characters and passed as an `id: 'value'` key-value entry in a hash. + +`name` _(required if `id` not provided)_ + +: If a `Name` tag is applied to the internet gateway, this can be used to lookup the resource. + This must be passed as a `name: 'value'` key-value entry in a hash. + If there are multiple internet gateways with the same name, this resource will raise an error. + +## Properties + +`id` +: The ID of the internet gateway. + +`name` +: The value of the `Name` tag. It is `nil` if not defined. + +`vpc_id` +: The ID of the attached VPC. It is `nil` if the resource is in a `detached` state. + +`tags` +: A hash, with each key-value pair corresponding to an internet gateway tag. + +`attached?` +: Indicates whether the internet gateway is **attached** to a VPC or not (`true` or `false`). + +`detached?` +: Indicates whether the internet gateway is in a **detached** state or not (`true` or `false`). + +`owner_id` +: The ID of the AWS account that owns the internet gateway. + +There are also additional properties available. 
For a comprehensive list, see [the API reference documentation](https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_InternetGateway.html) + +## Examples + +Test that the internet gateway is attached: + +```ruby +describe aws_internet_gateway(name: 'my-igw') do + it { should be_attached } +end +``` + +Test that the ID of the attached VPC is `vpc-1234567890abcdef1`: + +```ruby +describe aws_internet_gateway(id: 'igw-abc0123456789deff') do + its('vpc_id') { should eq `vpc-1234567890abcdef1` } +end +``` + +Test that the internet gateway has a certain tag: + +```ruby +describe aws_internet_gateway(name: 'my-igw') do + its('tags') { should include('environment' => 'dev') } +Regardless of the value: + +end +``` + +## Matchers + +This InSpec audit resource has the following special matcher. For a full list of available matchers, visit the [InSpec matchers page](https://www.inspec.io/docs/reference/matchers/). + +### exist + +```ruby +describe aws_internet_gateway(name: 'my-igw') do + it { should exist } +end +``` + +## AWS Permissions + +{{% inspec-aws/aws_permissions_principal action="EC2:Client:DescribeInternetGatewaysResult" %}} + +You can find detailed documentation at [Actions, Resources, and Condition Keys for Amazon EC2](https://docs.aws.amazon.com/IAM/latest/UserGuide/list_amazonec2.html), and [Actions, Resources, and Condition Keys for Identity And Access Management](https://docs.aws.amazon.com/IAM/latest/UserGuide/list_identityandaccessmanagement.html). diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_internet_gateways.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_internet_gateways.md new file mode 100644 index 0000000..ee581c8 --- /dev/null +++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_internet_gateways.md 
@@ -0,0 +1,108 @@ ++++ +title = "aws_internet_gateways resource" + +draft = false + + +[menu.aws] +title = "aws_internet_gateways" +identifier = "inspec/resources/aws/aws_internet_gateways resource" +parent = "inspec/resources/aws" ++++ + +Use the `aws_internet_gateways` InSpec audit resource to test the properties of all AWS internet gateways owned by the AWS account. + +## Syntax + +An `aws_internet_gateways` resource block collects all of the internet gateways and then tests that group. + +```ruby +describe aws_internet_gateways do + it { should exist } +end +``` + +## Parameters + +This resource does not require any parameters. + +## Properties + +`ids` +: The ID of the internet gateway. + +: **Field**: `id` + +`names` +: The value of the `Name` tag. It is `nil` if not defined. + +: **Field**: `name` + +`vpc_ids` +: The ID of the attached VPC. It is `nil` if the resource is in a `detached` state. + +: **Field**: `vpc_id` + +`tags` +: A hash, with each key-value pair corresponding to an internet gateway tag. + +: **Field**: `tags` + +`attachment_states` +: Indicates whether the internet gateway is attached to a VPC (`attached` or `detached`). + +: **Field**: `attachment_state` + +`owner_ids` +: The ID of the AWS account that owns the internet gateway. + +: **Field**: `owner_id` + +## Examples + +Test that there are exactly 3 internet gateways: + +```ruby +describe aws_internet_gateway do + its('count') { should cmp 3 } +end +``` + +Use this InSpec resource to request the ids of all internet gateways, then test in-depth using `aws_internet_gateway`: + +```ruby +aws_internet_gateways.ids.each do |id| + describe aws_internet_gateway(id: id) do + it { should be_attached } + end +end +``` + +## Matchers + +{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}} + +### exist + +The control will pass if the describe returns at least one result. +The field names described in the [properties](#properties) should be used for the `` in the `where` clause. 
+ +Use `should_not` to test the entity should not exist. + +```ruby +describe aws_internet_gateways.where( : ) do + it { should exist } +end +``` + +```ruby +describe aws_internet_gateways.where( : ) do + it { should_not exist } +end +``` + +## AWS Permissions + +{{% inspec-aws/aws_permissions_principal action="EC2:Client:DescribeInternetGatewaysResult" %}} + +You can find detailed documentation at [Actions, Resources, and Condition Keys for Amazon EC2](https://docs.aws.amazon.com/IAM/latest/UserGuide/list_amazonec2.html), and [Actions, Resources, and Condition Keys for Identity And Access Management](https://docs.aws.amazon.com/IAM/latest/UserGuide/list_identityandaccessmanagement.html). diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_kms_key.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_kms_key.md new file mode 100644 index 0000000..c548e3b --- /dev/null +++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_kms_key.md 
@@ -0,0 +1,186 @@ ++++ +title = "aws_kms_key resource" + +draft = false + + +[menu.aws] +title = "aws_kms_key" +identifier = "inspec/resources/aws/aws_kms_key resource" +parent = "inspec/resources/aws" ++++ + +Use the `aws_kms_key` InSpec audit resource to test properties of a single AWS KMS Key. + +AWS Key Management Service (AWS KMS) is a managed service that makes it easy for you to create and control the encryption keys used to encrypt your data. AWS KMS lets you create master keys that can never be exported from the service and which can be used to encrypt and decrypt data based on policies you define. + +Each AWS KMS Key is uniquely identified by its key_id or arn. + +For additional information, including details on parameters and properties, see the [AWS documentation on KS Keys](https://docs.aws.amazon.com/kms/latest/developerguide/getting-started.html). + +## Syntax + +An aws_kms_key resource block identifies a key by key_arn or the key id. + +Find a kms key by arn: + +```ruby +describe aws_kms_key('arn:aws:kms:us-east-1::key/4321dcba-21io-23de-85he-ab0987654321') do + it { should exist } +end +``` + +Find a kms key by just the id: + +```ruby +describe aws_kms_key('4321dcba-21io-23de-85he-ab0987654321') do + it { should exist } +end +``` + +Hash syntax for key arn: + +```ruby +describe aws_kms_key(key_id: 'arn:aws:kms:us-east-1::key/4321dcba-21io-23de-85he-ab0987654321') do + it { should exist } +end +``` + +## Parameters + +`alias` _(required if `key_id` not specified)_ + +: This resource accepts searching for a KMS Key by it's Alias. + This can be passed as a `alias: 'alias/value'` key-value entry in a hash. This will then use the `target_key_id` from the Alias to search for the KMS Key. + +`key_id` _(required if `alias` not specified)_ + +: This resource accepts searching for a KMS Key by the KMS Key ID which can represent both the actual Key ID or the ARN of the Key. 
+ This can be passed either as a string or as a `key_id: 'value'` key-value entry in a hash. + +## Properties + +`key_id` +: The globally unique identifier for the key. + +`arn` +: The ARN identifier of the specified key. + +`creation_date` +: Specifies the date and time when the key was created. + +`created_days_ago` +: Specifies the number of days since the key was created. + +`key_state` +: Specifies the state of the key one of "Enabled", "Disabled", "PendingDeletion", "PendingImport". To just check if the key is enabled or not, use the `be_enabled` matcher. + +`description` +: The description of the key. + +`deletion_time` +: Specifies the date and time after which AWS KMS deletes the key. This value is present only when KeyState is PendingDeletion, otherwise this value is nil. + +`invalidation_time` +: Provides the date and time until the key is not valid. Once the key is not valid, AWS KMS deletes the key and it becomes unusable. This value will be null unless the keys Origin is EXTERNAL and its matcher have_key_expiration is set to true. + +`tags` +: A hash with each key-value pair corresponding to a tag associated with the entity. 
+ +## Examples + +Test that the specified key does exist: + +```ruby +describe aws_kms_key('arn:aws:kms:us-east-1::key/4321dcba-21io-23de-85he-ab0987654321') do + it { should exist } +end +``` + +Test that the specified key is enabled: + +```ruby +describe aws_kms_key('arn:aws:kms:us-east-1::key/4321dcba-21io-23de-85he-ab0987654321') do + it { should be_enabled } +end +``` + +Test that the specified key is rotation enabled: + +```ruby +describe aws_kms_key('arn:aws:kms:us-east-1::key/4321dcba-21io-23de-85he-ab0987654321') do + it { should have_rotation_enabled } +end +``` + +Makes sure that the key was created at least 10 days ago: + +```ruby +describe aws_kms_key('arn:aws:kms:us-east-1::key/4321dcba-21io-23de-85he-ab0987654321') do + its('creation_date') { should be < Time.now - 10 * 86400 } +end +``` + +## Matchers + +This InSpec audit resource has the following special matchers. For a full list of available matchers (such as `exist`) please visit our [matchers page](https://www.inspec.io/docs/reference/matchers/). + +Use `should_not` to test the entity should not exist in all cases. + +### exist + +The control will pass if the describe returns at least one result. + +```ruby +it { should exist } +``` + +```ruby +it { should_not exist } +``` + +#### be_enabled + +The test will pass if the specified key's key_state is set to enabled. + +```ruby +it { should be_enabled } +``` + +#### be_external + +Provides whether the source of the key's key material is external or not. If it is not external than it was created by AWS KMS. When it is external, the key material was imported from an existing key management infrastructure or the key lacks key material. + +```ruby +it { should be_external } +``` + +#### be_managed_by_aws + +Provides whether or not the key manager is from AWS. If it is not managed by AWS, it is managed by the customer. + +```ruby +it { should be_managed_by_aws } +``` + +#### have_key_expiration + +Specifies whether the key's key material expires. 
This value is null unless the keys Origin is External. + +```ruby +it { should have_key_expiration } +``` + +#### have_rotation_enabled + +The test will pass if automatic rotation of the key material is enabled for the specified key. + +```ruby +it { should have_rotation_enabled } +``` + +## AWS Permissions + +Your [Principal](https://docs.aws.amazon.com/IAM/latest/UserGuide/intro-structure.html#intro-structure-principal) will need the `KMS:Client:DescribeKeyResponse`, and `KMS:Client:GetKeyRotationStatusResponse` actions set to allow. + +You can find detailed documentation at [Actions, Resources, and Condition Keys for AWS Key Management Service](https://docs.aws.amazon.com/IAM/latest/UserGuide/list_awskeymanagementservice.html). diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_kms_keys.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_kms_keys.md new file mode 100644 index 0000000..e061812 --- /dev/null +++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_kms_keys.md 
@@ -0,0 +1,96 @@ ++++ +title = "aws_kms_keys resource" + +draft = false + + +[menu.aws] +title = "aws_kms_keys" +identifier = "inspec/resources/aws/aws_kms_keys resource" +parent = "inspec/resources/aws" ++++ + +Use the `aws_kms_keys` InSpec audit resource to test properties of some or all AWS KMS Keys. + +AWS Key Management Service (KMS) is a managed service that makes creating and controlling your encryption keys for your data easier. KMS uses Hardware Security Modules (HSMs) to protect the security of your keys. + +AWS Key Management Service is integrated with several other AWS services to help you protect the data you store with these services. + +For additional information, including details on parameters and properties, see the [AWS documentation on KS Keys](https://docs.aws.amazon.com/kms/latest/developerguide/getting-started.html). + +## Syntax + +An `aws_kms_keys` resource block uses an optional filter to select a group of KMS Keys and then tests that group. + +Verify the number of KMS keys in the AWS account: + +```ruby +describe aws_kms_keys do + its('entries.count') { should cmp 10 } +end +``` + +## Parameters + +This resource does not require any parameters. + +## Properties + +`key_ids` +: The IDs of the returned keys. + +`key_arns` +: The Amazon Resource Names of the returned keys. + +`entries` +: Provides access to the raw results of the query, which can be treated as an array of hashes. + +## Examples + +The following examples show how to use this InSpec audit resource. + +Ensure a Key exists: + +```ruby +describe aws_kms_keys do + its('key_ids') { should include 'fd7e608b-f435-4186-b8b5-111111111111'} +end +``` + +Allow at most 100 KMS Keys on the account: + +```ruby +describe aws_kms_keys do + its('entries.count') { should be <= 100} +end +``` + +## Matchers + +{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}} + +This resource has the following special matchers. 
+ +### exist + +The control will pass if the describe returns at least one result. + +Use `should_not` to test the entity should not exist. + +```ruby +describe aws_kms_keys do + it { should exist } +end +``` + +```ruby +describe aws_kms_keys.where( : ) do + it { should_not exist } +end +``` + +## AWS Permissions + +{{% inspec-aws/aws_permissions_principal action="KMS:Client:ListKeysResponse" %}} + +You can find detailed documentation at [Actions, Resources, and Condition Keys for AWS Key Management Service](https://docs.aws.amazon.com/IAM/latest/UserGuide/list_awskeymanagementservice.html). diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_lambda.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_lambda.md new file mode 100644 index 0000000..6060d5d --- /dev/null +++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_lambda.md 
@@ -0,0 +1,55 @@ ++++ +title = "aws_lambda resource" + +draft = false + + +[menu.aws] +title = "aws_lambda" +identifier = "inspec/resources/aws/aws_lambda resource" +parent = "inspec/resources/aws" ++++ + +Use the `aws_lambda` resource to test a specific AWS Lambda function. + +## Syntax + +```ruby +describe aws_lambda('LAMBDA_FUNCTION') do + it { should exist} + its ('handler') { should eq 'main.on_event'} + its ('version') { should eq '$LATEST' } + its ('runtime') { should eq 'python3.7' } +end +``` + +## Parameters + +This resource expects the name of the AWS Lambda function. + +## Properties + +This resource can test all properties defined by the [Aws::lambda::Types::GetFunctionResponse](https://docs.aws.amazon.com/sdk-for-ruby/v3/api/Aws/Lambda/Types/GetFunctionResponse.html) class. + +## Examples + +Test that all lambda functions with a particular tag is correctly deployed: + +```ruby +describe aws_lambda('LAMBDA_FUNCTION') do + it { should exist} + its ('handler') { should eq 'main.on_event'} + its ('version') { should eq '$LATEST' } + its ('runtime') { should eq 'python3.7' } +end +``` + +## Matchers + +This InSpec audit resource uses the standard matchers. For a full list of available matchers, visit the [InSpec matchers page](https://www.inspec.io/docs/reference/matchers/). + +## AWS Permissions + +{{% inspec-aws/aws_permissions_principal action="Lambda:Client:GetFunctionResponse" %}} + +You can find detailed documentation at [AWS Lambda](https://docs.aws.amazon.com/lambda/latest/dg/lambda-api-permissions-ref.html) diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_lambda_alias.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_lambda_alias.md new file mode 100644 index 0000000..76296ac --- /dev/null +++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_lambda_alias.md 
@@ -0,0 +1,113 @@ ++++ +title = "aws_lambda_alias resource" + +draft = false + + +[menu.aws] +title = "aws_lambda_alias" +identifier = "inspec/resources/aws/aws_lambda_alias resource" +parent = "inspec/resources/aws" ++++ + +Use the `aws_lambda_alias` InSpec audit resource to test properties of a single AWS Lambda alias. + +The `AWS::Lambda::Alias` resource creates an alias for a Lambda function version. Use aliases to provide clients with a function identifier that you can update to invoke a different version. + +For additional information, including details on parameters and properties, see the [AWS documentation on AWS Lambda alias](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-lambda-alias.html). + +## Syntax + +Ensure that the alias exists. + +```ruby +describe aws_lambda_alias(function_name: 'FUNCTION_NAME', function_alias_name: 'FUNCTION_ALIAS_NAME') do + it { should exist } +end +``` + +## Parameters + +`function_name` _(required)_ + +: The name of the lambda function. + +`function_alias_name` _(required)_ + +: Name of the alias for which you want to retrieve information. + +## Properties + +`alias_arn` +: Lambda function ARN that is qualified using the alias name as the suffix. + +`name` +: The alias name. + +`function_version` +: Function version to which the alias points. + +`description` +: The alias description. + +`routing_config.additional_version_weights` +: The name of the second alias, and the percentage of traffic that is routed to it. + +`revision_id` +: Represents the latest updated revision of the function or alias. 
+ +## Examples + +Ensure an alias ARN is available: + +```ruby +describe aws_lambda_alias(function_name: 'FUNCTION_NAME', function_alias_name: 'FUNCTION_ALIAS_NAME') do + its('alias_arn') { should eq 'ALIAS_ARN' } +end +``` + +Ensure a alias name is available: + +```ruby +describe aws_lambda_alias(function_name: 'FUNCTION_NAME', function_alias_name: 'FUNCTION_ALIAS_NAME') do + its('name') { should eq 'FUNCTION_ALIAS_NAME' } +end +``` + +## Matchers + +{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}} + +This resource has the following special matchers. + +### exist + +Use `should` to test that the entity exists. + +```ruby +describe aws_lambda_alias(function_name: 'FUNCTION_NAME', function_alias_name: 'FUNCTION_ALIAS_NAME') do + it { should exist } +end +``` + +Use `should_not` to test the entity does not exist. + +```ruby +describe aws_lambda_alias(function_name: 'FUNCTION_NAME', function_alias_name: 'FUNCTION_ALIAS_NAME') do + it { should_not exist } +end +``` + +### be_available + +Use `should` to check if the entity is available. + +```ruby +describe aws_lambda_alias(function_name: 'FUNCTION_NAME', function_alias_name: 'FUNCTION_ALIAS_NAME') do + it { should be_available } +end +``` + +## AWS Permissions + +{{% inspec-aws/aws_permissions_principal action="Lambda:Client:AliasConfiguration" %}} diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_lambda_aliases.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_lambda_aliases.md new file mode 100644 index 0000000..a79db69 --- /dev/null +++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_lambda_aliases.md 
@@ -0,0 +1,121 @@ ++++ +title = "aws_lambda_aliases resource" + +draft = false + + +[menu.aws] +title = "aws_lambda_aliases" +identifier = "inspec/resources/aws/aws_lambda_aliases resource" +parent = "inspec/resources/aws" ++++ + +Use the `aws_lambda_aliases` InSpec audit resource to test properties of multiple AWS Lambda aliases. + +The `AWS::Lambda::Alias` resource creates an alias for a Lambda function version. Use aliases to provide clients with a function identifier that you can update to invoke a different version. + +For additional information, including details on parameters and properties, see the [AWS documentation on AWS Lambda alias](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-lambda-alias.html). + +## Syntax + +Ensure that the alias exists. + +```ruby +describe aws_lambda_aliases(function_name: 'FUNCTION_NAME') do + it { should exist } +end +``` + +## Parameters + +`function_name` _(required)_ + +: The name of the lambda function. + +## Properties + +`alias_arns` +: Lambda function ARN that is qualified using the alias name as the suffix. + +: **Field**: `alias_arn` + +`names` +: The alias names. + +: **Field**: `name` + +`function_versions` +: Function version to which the alias points. + +: **Field**: `function_version` + +`descriptions` +: The alias descriptions. + +: **Field**: `description` + +`routing_configs` +: Specifies an additional function versions the alias points to, allowing you to dictate what percentage of traffic will invoke each version. + +: **Field**: `routing_config` + +`revision_ids` +: Represents the latest updated revision of the function or alias. 
+ +: **Field**: `revision_id` + +## Examples + +Ensure an alias ARN is available: + +```ruby +describe aws_lambda_aliases(function_name: 'FUNCTION_NAME') do + its('alias_arns') { should include 'ALIAS_ARN' } +end +``` + +Ensure an alias name is available: + +```ruby +describe aws_lambda_aliases(function_name: 'FUNCTION_NAME') do + its('names') { should include 'FUNCTION_ALIAS_NAME' } +end +``` + +## Matchers + +{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}} + +The controls will pass if the `list` method returns at least one result. + +### exist + +Use `should` to test that the entity exists. + +```ruby +describe aws_lambda_aliases(function_name: 'FUNCTION_NAME') do + it { should exist } +end +``` + +Use `should_not` to test the entity does not exist. + +```ruby +describe aws_lambda_aliases(function_name: 'FUNCTION_NAME') do + it { should_not exist } +end +``` + +### be_available + +Use `should` to check if the entity is available. + +```ruby +describe aws_lambda_aliases(function_name: 'FUNCTION_NAME') do + it { should be_available } +end +``` + +## AWS Permissions + +{{% inspec-aws/aws_permissions_principal action="Lambda:Client:ListAliasesResponse" %}} diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_lambda_code_signing_config.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_lambda_code_signing_config.md new file mode 100644 index 0000000..e0d3a8c --- /dev/null +++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_lambda_code_signing_config.md 
@@ -0,0 +1,109 @@ ++++ +title = "aws_lambda_code_signing_config resource" + +draft = false + + +[menu.aws] +title = "aws_lambda_code_signing_config" +identifier = "inspec/resources/aws/aws_lambda_code_signing_config resource" +parent = "inspec/resources/aws" ++++ + +Use the `aws_lambda_code_signing_config` InSpec audit resource to test properties of a single AWS Lambda code signing configuration. + +The `AWS::Lambda::CodeSigningConfig` resource specifies the details about a code signing configuration. + +For additional information, including details on parameters and properties, see the [AWS documentation on AWS SSM CodeSigningConfig](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-lambda-codesigningconfig.html). + +## Syntax + +Ensure that the code signing config exists. + +```ruby +describe aws_lambda_code_signing_config(code_signing_config_arn: 'CODE_SIGNING_CONFIG_ARN') do + it { should exist } +end +``` + +## Parameters + +`code_signing_config_arn` _(required)_ + +: The Amazon Resource Name (ARN) of the code signing configuration. + +## Properties + +`code_signing_config_id` +: Unique identifier for the Code signing configuration. + +`code_signing_config_arn` +: The Amazon Resource Name (ARN) of the Code signing configuration. + +`description` +: Code signing configuration description. + +`allowed_publishers.signing_profile_version_arns` +: The Amazon Resource Name (ARN) for each of the signing profiles. A signing profile defines a trusted user who can sign a code package. + +`code_signing_policies.untrusted_artifact_on_deployment` +: Code signing configuration policy for deployment validation failure. + +`last_modified` +: The date and time that the Code signing configuration was last modified, in ISO-8601 format (YYYY-MM-DDThh:mm:ss.sTZD). 
+ +## Examples + +Ensure a code signing config ID is available: + +```ruby +describe aws_lambda_code_signing_config(code_signing_config_arn: 'CODE_SIGNING_CONFIG_ARN') do + its('code_signing_config_id') { should eq 'CODE_SIGNING_CONFIG_ID' } +end +``` + +Ensure a code signing config ARN is available: + +```ruby +describe aws_lambda_code_signing_config(code_signing_config_arn: 'CODE_SIGNING_CONFIG_ARN') do + its('code_signing_config_arn') { should eq 'CODE_SIGNING_CONFIG_ARN' } +end +``` + +## Matchers + +{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}} + +This resource has the following special matchers. + +### exist + +Use `should` to test that the entity exists. + +```ruby +describe aws_lambda_code_signing_config(code_signing_config_arn: 'CODE_SIGNING_CONFIG_ARN') do + it { should exist } +end +``` + +Use `should_not` to test the entity does not exist. + +```ruby +describe aws_lambda_code_signing_config(code_signing_config_arn: 'CODE_SIGNING_CONFIG_ARN') do + it { should_not exist } +end +``` + +### be_available + +Use `should` to check if the entity is available. + +```ruby +describe aws_lambda_code_signing_config(code_signing_config_arn: 'CODE_SIGNING_CONFIG_ARN') do + it { should be_available } +end +``` + +## AWS Permissions + +{{% inspec-aws/aws_permissions_principal action="Lambda:Client:GetCodeSigningConfigResponse" %}} diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_lambda_code_signing_configs.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_lambda_code_signing_configs.md new file mode 100644 index 0000000..9e81130 --- /dev/null +++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_lambda_code_signing_configs.md 
@@ -0,0 +1,119 @@ ++++ +title = "aws_lambda_code_signing_configs resource" + +draft = false + + +[menu.aws] +title = "aws_lambda_code_signing_configs" +identifier = "inspec/resources/aws/aws_lambda_code_signing_configs resource" +parent = "inspec/resources/aws" ++++ + +Use the `aws_lambda_code_signing_configs` InSpec audit resource to test properties of multiple AWS Lambda code signing configurations. + +The `AWS::Lambda::CodeSigningConfig` resource specifies the details about a code signing configuration. + +For additional information, including details on parameters and properties, see the [AWS documentation on AWS SSM CodeSigningConfig](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-lambda-codesigningconfig.html). + +## Syntax + +Ensure that the code signing config exists. + +```ruby +describe aws_lambda_code_signing_configs do + it { should exist } +end +``` + +## Parameters + +This resource does not require any parameters. + +## Properties + +`code_signing_config_ids` +: Unique identifier for the Code signing configuration. + +: **Field**: `code_signing_config_id` + +`code_signing_config_arns` +: The Amazon Resource Name (ARN) of the Code signing configuration. + +: **Field**: `code_signing_config_arn` + +`descriptions` +: Code signing configuration description. + +: **Field**: `description` + +`allowed_publishers` +: The Amazon Resource Name (ARN) for each of the signing profiles. A signing profile defines a trusted user who can sign a code package. + +: **Field**: `allowed_publishers` + +`code_signing_policies` +: Code signing configuration policy for deployment validation failure. + +: **Field**: `code_signing_policies` + +`last_modified` +: The date and time that the Code signing configuration was last modified, in ISO-8601 format (YYYY-MM-DDThh:mm:ss.sTZD). 
+ +: **Field**: `last_modified` + +## Examples + +Ensure a code signing config id is available: + +```ruby +describe aws_lambda_code_signing_configs do + its('code_signing_config_ids') { should include 'CODE_SIGNING_CONFIG_ID' } +end +``` + +Ensure a code signing config arn is available: + +```ruby +describe aws_lambda_code_signing_configs do + its('code_signing_config_arns') { should include 'CODE_SIGNING_CONFIG_ARN' } +end +``` + +## Matchers + +{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}} + +The controls will pass if the `list` method returns at least one result. + +### exist + +Use `should` to test that the entity exists. + +```ruby +describe aws_lambda_code_signing_configs do + it { should exist } +end +``` + +Use `should_not` to test the entity does not exist. + +```ruby +describe aws_lambda_code_signing_configs do + it { should_not exist } +end +``` + +### be_available + +Use `should` to check if the entity is available. + +```ruby +describe aws_lambda_code_signing_configs do + it { should be_available } +end +``` + +## AWS Permissions + +{{% inspec-aws/aws_permissions_principal action="Lambda:Client:ListCodeSigningConfigsResponse" %}} diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_lambda_event_invoke_config.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_lambda_event_invoke_config.md new file mode 100644 index 0000000..037897a --- /dev/null +++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_lambda_event_invoke_config.md 
@@ -0,0 +1,129 @@ ++++ +title = "aws_lambda_event_invoke_config resource" + +draft = false + + +[menu.aws] +title = "aws_lambda_event_invoke_config" +identifier = "inspec/resources/aws/aws_lambda_event_invoke_config resource" +parent = "inspec/resources/aws" ++++ + +Use the `aws_lambda_event_invoke_config` InSpec audit resource to test properties of a specific AWS Lambda EventInvokeConfig. + +The AWS::Lambda::EventInvokeConfig resource configures options for asynchronous invocation on a version or an alias. + +For additional information, including details on parameters and properties, see the [AWS documentation on AWS Lambda EventInvokeConfig.](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-lambda-eventinvokeconfig.html). + +## Syntax + +Ensure that the config exists. + +```ruby +describe aws_lambda_event_invoke_config(function_name: 'FUNCTION_NAME') do + it { should exist } +end +``` + +## Parameters + +`function_name` _(required)_ + +: The name of the function. + +## Properties + +`last_modified` +: The date and time that the configuration was last updated. + +: **Field**: `last_modified` + +`function_arn` +: The Amazon Resource Name (ARN) of the function. + +: **Field**: `function_arn` + +`maximum_retry_attempts` +: The maximum number of times to retry when the function returns an error. + +: **Field**: `maximum_retry_attempts` + +`maximum_event_age_in_seconds` +: The maximum age of a request that Lambda sends to a function for processing. + +: **Field**: `maximum_event_age_in_seconds` + +`on_success_destinations` +: The destination configuration for successful invocations. The Amazon Resource Name (ARN) of the destination resource. + +: **Field**: `destination_config (on_success (destination))` + +`on_faliure_destinations` +: The destination configuration for failed invocations. The Amazon Resource Name (ARN) of the destination resource. 
+ +: **Field**: `destination_config (on_failure (destination))` + +## Examples + +Ensure an arn is available: + +```ruby +describe aws_lambda_event_invoke_config(function_name: 'FUNCTION_NAME') do + its('function_arn') { should eq 'FUNCTION_ARN' } +end +``` + +Ensure a maximum retry attempts is available: + +```ruby +describe aws_lambda_event_invoke_config(function_name: 'FUNCTION_NAME') do + its('maximum_retry_attempts') { should eq 1 } +end +``` + +Ensure on success destination is available: + +```ruby +describe aws_lambda_event_invoke_config(function_name: 'FUNCTION_NAME') do + its('on_success_destinations') { should include 'DESTINATION' } +end +``` + +## Matchers + +{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}} + +This resource has the following special matchers. + +### exist + +Use `should` to test that the entity exists. + +```ruby +describe aws_lambda_event_invoke_config(function_name: 'FUNCTION_NAME') do + it { should exist } +end +``` + +Use `should_not` to test the entity does not exist. + +```ruby +describe aws_lambda_event_invoke_config(function_name: 'FUNCTION_NAME') do + it { should_not exist } +end +``` + +### be_available + +Use `should` to check if the entity is available. + +```ruby +describe aws_lambda_event_invoke_config(function_name: 'FUNCTION_NAME') do + it { should be_available } +end +``` + +## AWS Permissions + +{{% inspec-aws/aws_permissions_principal action="Lambda:Client:FunctionEventInvokeConfig" %}} diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_lambda_event_invoke_configs.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_lambda_event_invoke_configs.md new file mode 100644 index 0000000..2890b42 --- /dev/null +++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_lambda_event_invoke_configs.md 
@@ -0,0 +1,101 @@ ++++ +title = "aws_lambda_event_invoke_configs resource" + +draft = false + + +[menu.aws] +title = "aws_lambda_event_invoke_configs" +identifier = "inspec/resources/aws/aws_lambda_event_invoke_configs resource" +parent = "inspec/resources/aws" ++++ + +Use the `aws_lambda_event_invoke_configs` InSpec audit resource to test properties of the plural resource of AWS Lambda EventInvokeConfig. + +The AWS::Lambda::EventInvokeConfig resource configures options for asynchronous invocation on a version or an alias. + +For additional information, including details on parameters and properties, see the [AWS documentation on AWS Lambda EventInvokeConfig.](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-lambda-eventinvokeconfig.html). + +## Syntax + +Ensure that the config exists. + +```ruby +describe aws_lambda_event_invoke_configs(function_name: 'FUNCTION_NAME') do + it { should exist } +end +``` + +## Parameters + +`function_name` _(required)_ + +: The name of the function. + +## Properties + +`last_modified` +: The date and time that the configuration was last updated. + +: **Field**: `last_modified` + +`function_arns` +: The Amazon Resource Name (ARN) of the function. + +: **Field**: `function_arn` + +`maximum_retry_attempts` +: The maximum number of times to retry when the function returns an error. + +: **Field**: `maximum_retry_attempts` + +`destination_configs` +: A destination for events after they have been sent to a function for processing. 
+ +: **Field**: `destination_configs` + +## Examples + +Ensure an arn is available: + +```ruby +describe aws_lambda_event_invoke_configs(function_name: 'FUNCTION_NAME') do + its('function_arns') { should include 'FUNCTION_ARN' } +end +``` + +Ensure a maximum retry attempts is available: + +```ruby +describe aws_lambda_event_invoke_configs(function_name: 'FUNCTION_NAME') do + its('maximum_retry_attempts') { should include 1 } +end +``` + +## Matchers + +{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}} + +The controls will pass if the `list` method returns at least one result. + +### exist + +Use `should` to test that the entity exists. + +```ruby +describe aws_lambda_event_invoke_configs(function_name: 'FUNCTION_NAME') do + it { should exist } +end +``` + +Use `should_not` to test the entity does not exist. + +```ruby +describe aws_lambda_event_invoke_configs(function_name: 'FUNCTION_NAME') do + it { should_not exist } +end +``` + +## AWS Permissions + +{{% inspec-aws/aws_permissions_principal action="Lambda:Client:ListFunctionEventInvokeConfigsResponse" %}} diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_lambda_event_source_mapping.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_lambda_event_source_mapping.md new file mode 100644 index 0000000..b56ca0a --- /dev/null +++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_lambda_event_source_mapping.md 
@@ -0,0 +1,154 @@ ++++ +title = "aws_lambda_event_source_mapping resource" + +draft = false + + +[menu.aws] +title = "aws_lambda_event_source_mapping" +identifier = "inspec/resources/aws/aws_lambda_event_source_mapping resource" +parent = "inspec/resources/aws" ++++ + +Use the `aws_lambda_event_source_mapping` InSpec audit resource to test properties of a single mapping between an AWS event source and an AWS Lambda function. + +The `AWS::Lambda::EventSourceMapping` resource creates a mapping between an event source and an AWS Lambda function. Lambda reads items from the event source and triggers the function. + +For additional information, including details on parameters and properties, see the [AWS documentation on AWS Lambda EventSourceMapping](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-lambda-eventsourcemapping.html). + +## Syntax + +Ensure that a UUID exists. + +```ruby +describe aws_lambda_event_source_mapping(uuid: 'EVENT_SOURCE_MAPPING_UUID') do + it { should exist } +end +``` + +## Parameters + +`uuid` _(required)_ + +: The identifier of the event source mapping. + +## Properties + +`uuid` +: The identifier of the event source mapping. + +`starting_position` +: The position in a stream from which to start reading. Required for Amazon Kinesis, Amazon DynamoDB, and Amazon MSK Streams sources. `AT_TIMESTAMP` is only supported for Amazon Kinesis streams. + +`starting_position_timestamp` +: With `StartingPosition` set to `AT_TIMESTAMP`, the time from which to start reading. + +`batch_size` +: The maximum number of items to retrieve in a single batch. + +`maximum_batching_window_in_seconds` +: (Streams and SQS standard queues) The maximum amount of time to gather records before invoking the function, in seconds. The default value is zero. + +`parallelization_factor` +: (Streams only) The number of batches to process from each shard concurrently. The default value is 1. 
+ +`event_source_arn` +: The Amazon Resource Name (ARN) of the event source. + +`function_arn` +: The ARN of the Lambda function. + +`last_modified` +: The date that the event source mapping was last updated, or its state changed. + +`last_processing_result` +: The result of the last AWS Lambda invocation of your Lambda function. + +`state` +: The state of the event source mapping. It can be one of the following: `Creating`, `Enabling`, `Enabled`, `Disabling`, `Disabled`, `Updating`, or `Deleting`. + +`state_transition_reason` +: Indicates whether the last change to the event source mapping was made by a user, or by the Lambda service. + +`destination_config (on_success (destination))` +: (Streams) An Amazon SQS queue or Amazon SNS topic destination for discarded records. The Amazon Resource Name (ARN) of the destination resource. + +`destination_config (on_failure (destination))` +: The destination configuration for failed invocations. The Amazon Resource Name (ARN) of the destination resource. + +`topics` +: The name of the Kafka topic. + +`queues` +: (Amazon MQ) The name of the Amazon MQ broker destination queue to consume. + +`source_access_configurations (type)` +: An array of the authentication protocol, or the VPC components to secure your event source. The type of authentication protocol or the VPC components for your event source. Valid values: `BASIC_AUTH`, `SASL_SCRAM_256_AUTH`, `SASL_SCRAM_512_AUTH`, `VIRTUAL_HOST`, `VPC_SECURITY_GROUP`, `VPC_SUBNET`. + +`source_access_configurations (uri)` +: An array of the authentication protocol, or the VPC components to secure your event source. The value for your chosen configuration in Type. For example: `"URI": "arn:aws:secretsmanager:us-east-1:01234567890:secret:MyBrokerSecretName"`. + +`maximum_record_age_in_seconds` +: (Streams only) Discard records older than the specified age. The default value is infinite (-1). When set to infinite (-1), failed records are retried until the record expires. 
+ +`bisect_batch_on_function_error` +: (Streams only) If the function returns an error, split the batch in two and retry. The default value is false. + +`maximum_retry_attempts` +: (Streams only) Discard records after the specified number of retries. The default value is infinite (-1). When set to infinite (-1), failed records are retried until the record expires. + +## Examples + +Ensure an UUID is available: + +```ruby +describe aws_lambda_event_source_mapping(uuid: 'EVENT_SOURCE_MAPPING_UUID') do + its('uuid') { should eq 'EVENT_SOURCE_MAPPING_UUID' } +end +``` + +Ensure that the state is `Creating` or not: + +```ruby +describe aws_lambda_event_source_mapping(uuid: 'EVENT_SOURCE_MAPPING_UUID') do + its('state') { should eq 'Creating' } +end +``` + +## Matchers + +{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}} + +This resource has the following special matchers. + +### exist + +Use `should` to test that the entity exists. + +```ruby +describe aws_lambda_event_source_mapping(uuid: 'EVENT_SOURCE_MAPPING_UUID') do + it { should exist } +end +``` + +Use `should_not` to test the entity does not exist. + +```ruby +describe aws_lambda_event_source_mapping(uuid: 'EVENT_SOURCE_MAPPING_UUID') do + it { should_not exist } +end +``` + +### be_available + +Use `should` to check if the uuid is available. + +```ruby +describe aws_lambda_event_source_mapping(uuid: 'EVENT_SOURCE_MAPPING_UUID') do + it { should be_available } +end +``` + +## AWS Permissions + +{{% inspec-aws/aws_permissions_principal action="Lambda:Client:EventSourceMappingConfiguration" %}} diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_lambda_event_source_mappings.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_lambda_event_source_mappings.md new file mode 100644 index 0000000..e85d021 --- /dev/null +++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_lambda_event_source_mappings.md 
@@ -0,0 +1,146 @@ ++++ +title = "aws_lambda_event_source_mappings resource" + +draft = false + + +[menu.aws] +title = "aws_lambda_event_source_mappings" +identifier = "inspec/resources/aws/aws_lambda_event_source_mappings resource" +parent = "inspec/resources/aws" ++++ + +Use the `aws_lambda_event_source_mappings` InSpec audit resource to test properties of multiple mappings between AWS event sources and AWS Lambda functions. + +The `AWS::Lambda::EventSourceMapping` resource creates a mapping between an event source and an AWS Lambda function. Lambda reads items from the event source and triggers the function. + +For additional information, including details on parameters and properties, see the [AWS documentation on Athena Work Group](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-athena-workgroup.html). + +## Syntax + +Ensure that a mapping exists. + +```ruby +describe aws_lambda_event_source_mappings do + it { should exist } +end +``` + +## Parameters + +This resource does not require any parameters. + +## Properties + +`uuids` +: The identifier of the event source mapping. + +`starting_positions` +: The position in a stream from which to start reading. Required for Amazon Kinesis, Amazon DynamoDB, and Amazon MSK Streams sources. `AT_TIMESTAMP` is only supported for Amazon Kinesis streams. + +`starting_position_timestamps` +: With `StartingPosition` set to `AT_TIMESTAMP`, the time from which to start reading. + +`batch_sizes` +: The maximum number of items to retrieve in a single batch. + +`maximum_batching_window_in_seconds` +: (Streams and SQS standard queues) The maximum amount of time to gather records before invoking the function, in seconds. The default value is zero. + +`parallelization_factors` +: (Streams) The number of batches to process from each shard concurrently. The default value is 1. + +`event_source_arns` +: The Amazon Resource Name (ARN) of the event source. + +`function_arns` +: The ARN of the Lambda function. 
+ +`last_modified` +: The date that the event source mapping was last updated, or its state changed. + +`last_processing_results` +: The result of the last AWS Lambda invocation of your Lambda function. + +`states` +: The state of the event source mapping. It can be one of the following: `Creating`, `Enabling`, `Enabled`, `Disabling`, `Disabled`, `Updating`, or `Deleting`. + +`state_transition_reasons` +: Indicates whether the last change to the event source mapping was made by a user, or by the Lambda service. + +`destination_configs` +: The destination configuration of the destination resource. + +`topics` +: The name of the Kafka topic. + +`queues` +: (Amazon MQ) The name of the Amazon MQ broker destination queue to consume. + +`source_access_configurations` +: An array of the authentication protocol, or the VPC components to secure your event source. + +`maximum_record_age_in_seconds` +: (Streams) Discard records older than the specified age. The default value is infinite (-1). When set to infinite (-1), failed records are retried until the record expires. + +`bisect_batch_on_function_errors` +: (Streams only) If the function returns an error, split the batch in two and retry. The default value is false. + +`maximum_retry_attempts` +: (Streams only) Discard records after the specified number of retries. The default value is infinite (-1). When set to infinite (-1), failed records are retried until the record expires. + +## Examples + +Ensure an UUID is available: + +```ruby +describe aws_lambda_event_source_mappings do + its('uuids') { should include 'EVENT_SOURCE_MAPPING_UUID' } +end +``` + +Ensure that a mapping has the `Creating` state or not: + +```ruby +describe aws_lambda_event_source_mappings do + its('states') { should include 'Creating' } +end +``` + +## Matchers + +{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}} + +The controls will pass if the `list` method returns at least one result. 
+ +### exist + +Use `should` to test that the entity exists. + +```ruby +describe aws_lambda_event_source_mappings do + it { should exist } +end +``` + +Use `should_not` to test the entity does not exist. + +```ruby +describe aws_lambda_event_source_mappings do + it { should_not exist } +end +``` + +### be_available + +Use `should` to check if the work_group name is available. + +```ruby +describe aws_lambda_event_source_mappings do + it { should be_available } +end +``` + +## AWS Permissions + +{{% inspec-aws/aws_permissions_principal action="Lambda:Client:ListEventSourceMappingsResponse" %}} diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_lambda_layer_version_permission.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_lambda_layer_version_permission.md new file mode 100644 index 0000000..0582a54 --- /dev/null +++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_lambda_layer_version_permission.md 
@@ -0,0 +1,101 @@ ++++ +title = "aws_lambda_layer_version_permission resource" + +draft = false + + +[menu.aws] +title = "aws_lambda_layer_version_permission" +identifier = "inspec/resources/aws/aws_lambda_layer_version_permission resource" +parent = "inspec/resources/aws" ++++ + +Use the `aws_lambda_layer_version_permission` InSpec audit resource to test properties of a single AWS Lambda layer version permission. + +The `AWS::Lambda::LayerVersionPermission` resource adds permissions to the resource-based policy of a version of an Lambda layer. + +For additional information, including details on parameters and properties, see the [AWS documentation on AWS Lambda layer version permission](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-lambda-layerversionpermission.html). + +## Syntax + +Ensure that the permission exists. + +```ruby +describe aws_lambda_layer_version_permission(layer_name: 'LAYER_NAME', version_number: 'VERSION_NUMBER') do + it { should exist } +end +``` + +## Parameters + +`layer_name` _(required)_ + +: The name or Amazon Resource Name (ARN) of the layer. + +`version_number` _(required)_ + +: The version number. + +## Properties + +`policy` +: The policy document. + +`revision_id` +: A unique identifier for the current revision of the policy. + +## Examples + +Ensure a policy is available: + +```ruby +describe aws_lambda_layer_version_permission(layer_name: 'LAYER_NAME', version_number: 'VERSION_NUMBER') do + its('policy') { should eq 'POLICY' } +end +``` + +Ensure a revision ID is available: + +```ruby +describe aws_lambda_layer_version_permission(layer_name: 'LAYER_NAME', version_number: 'VERSION_NUMBER') do + its('revision_id') { should eq 'REVISION_ID' } +end +``` + +## Matchers + +{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}} + +This resource has the following special matchers. + +### exist + +Use `should` to test that the entity exists. 
+ +```ruby +describe aws_lambda_layer_version_permission(layer_name: 'LAYER_NAME', version_number: 'VERSION_NUMBER') do + it { should exist } +end +``` + +Use `should_not` to test the entity does not exist. + +```ruby +describe aws_lambda_layer_version_permission(layer_name: 'LAYER_NAME', version_number: 'VERSION_NUMBER') do + it { should_not exist } +end +``` + +### be_available + +Use `should` to check if the entity is available. + +```ruby +describe aws_lambda_layer_version_permission(layer_name: 'LAYER_NAME', version_number: 'VERSION_NUMBER') do + it { should be_available } +end +``` + +## AWS Permissions + +{{% inspec-aws/aws_permissions_principal action="Lambda:Client:GetLayerVersionPolicyResponse" %}} diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_lambda_permission.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_lambda_permission.md new file mode 100644 index 0000000..62d511c --- /dev/null +++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_lambda_permission.md 
@@ -0,0 +1,80 @@ ++++ +title = "aws_lambda_permission resource" + +draft = false + + +[menu.aws] +title = "aws_lambda_permission" +identifier = "inspec/resources/aws/aws_lambda_permission resource" +parent = "inspec/resources/aws" ++++ + +Use the `aws_lambda_permission` InSpec audit resource to test properties of a single AWS Lambda permission. + +The `AWS::Lambda::Permission` resource grants an AWS service or another account permission to use a function. You can apply the policy at the function level, or specify a qualifier to restrict access to a single version or alias. If you use a qualifier, the invoker must use the full Amazon Resource Name (ARN) of that version or alias to invoke the function. + +For additional information, including details on parameters and properties, see the [AWS documentation on AWS Lambda permission](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-lambda-permission.html). + +## Syntax + +Ensure that permission has the desired statement ID. + +```ruby +describe aws_lambda_permission(function_name: 'LAMBDA_FUNCTION_NAME', Sid: 'STATEMENT_ID') do + its('sid') { should eq 'STATEMENT_ID' } +end +``` + +## Parameters + +`function_name` _(required)_ + +: The name of the Lambda function. + +`Sid` _(required)_ + +: The statement ID of the function. + +## Properties + +`sid` +: The statement ID of the function. + +`effect` +: The effect of the function. + +`principal` +: The AWS service or account that invokes the function. + +`action` +: The action that the principal can use on the function. + +`resource` +: The resource ARN of the function. 
+ +## Examples + +Ensure a statement ID is available: + +```ruby +describe aws_lambda_permission(function_name: 'LAMBDA_FUNCTION_NAME', Sid: 'STATEMENT_ID') do + its('sid') { should eq 'StatementID' } +end +``` + +Ensure a effect is available: + +```ruby +describe aws_lambda_permission(function_name: 'LAMBDA_FUNCTION_NAME', Sid: 'STATEMENT_ID') do + its('effect') { should eq 'Allow' } +end +``` + +## Matchers + +{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}} + +## AWS Permissions + +{{% inspec-aws/aws_permissions_principal action="Lambda:Client:GetPolicyResponse" %}} diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_lambda_permissions.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_lambda_permissions.md new file mode 100644 index 0000000..6fa545b --- /dev/null +++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_lambda_permissions.md 
@@ -0,0 +1,74 @@ ++++ +title = "aws_lambda_permissions resource" + +draft = false + + +[menu.aws] +title = "aws_lambda_permissions" +identifier = "inspec/resources/aws/aws_lambda_permissions resource" +parent = "inspec/resources/aws" ++++ + +Use the `aws_lambda_permissions` InSpec audit resource to test properties of multiple AWS Lambda permissions. + +The `AWS::Lambda::Permission` resource grants an AWS service or another account permission to use a function. You can apply the policy at the function level, or specify a qualifier to restrict access to a single version or alias. If you use a qualifier, the invoker must use the full Amazon Resource Name (ARN) of that version or alias to invoke the function. + +For additional information, including details on parameters and properties, see the [AWS documentation on AWS Lambda permission](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-lambda-permission.html). + +## Syntax + +Ensure that permission has the desired statement id. + +```ruby +describe aws_lambda_permission(function_name: 'LAMBDA_FUNCTION_NAME') do + its('sids') { should include 'STATEMENT_ID' } +end +``` + +## Parameters + +`function_name` _(required)_ + +## Properties + +`sids` +: The statement ID of the function. + +`effects` +: The effect of the function. + +`principals` +: The AWS services or accounts that invokes the function. + +`actions` +: The action of the function. + +`resources` +: The resource ARNs of the function.. 
+ +## Examples + +Ensure a statement ID is available: + +```ruby +describe aws_lambda_permission(function_name: 'LAMBDA_FUNCTION_NAME') do + its('sids') { should include 'STATEMENT_ID' } +end +``` + +Ensure an effect is available: + +```ruby +describe aws_lambda_permission(function_name: 'LAMBDA_FUNCTION_NAME') do + its('effects') { should include 'Allow' } +end +``` + +## Matchers + +{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}} + +## AWS Permissions + +{{% inspec-aws/aws_permissions_principal action="Lambda:Client:GetPolicyResponse" %}} diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_lambda_version.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_lambda_version.md new file mode 100644 index 0000000..c7141f2 --- /dev/null +++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_lambda_version.md 
@@ -0,0 +1,134 @@
++++
+title = "aws_lambda_version resource"
+
+draft = false
+
+
+[menu.aws]
+title = "aws_lambda_version"
+identifier = "inspec/resources/aws/aws_lambda_version resource"
+parent = "inspec/resources/aws"
++++
+
+Use the `aws_lambda_version` InSpec audit resource to test properties of a single AWS Lambda function version.
+
+The `AWS::Lambda::Version` resource creates a version from the current code and configuration of a function. Use versions to create a snapshot of your function code and configuration that doesn't change.
+
+For additional information, including details on parameters and properties, see the [AWS documentation on AWS Lambda Version](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-lambda-version.html).
+
+## Syntax
+
+Ensure that the Lambda layer version exists.
+
+```ruby
+describe aws_lambda_version(layer_name: 'LAYER_NAME', version_number: 1) do
+ it { should exist }
+end
+```
+
+## Parameters
+
+`layer_name` _(required)_
+
+: The name or Amazon Resource Name (ARN) of the Lambda layer.
+
+`version_number` _(required)_
+
+: The version number.
+
+## Properties
+
+`content.location`
+: A link to the layer archive in Amazon S3 that is valid for 10 minutes.
+
+`content.code_sha_256`
+: The SHA-256 hash of the layer archive.
+
+`content.code_size`
+: The size of the layer archive in bytes.
+
+`content.signing_profile_version_arn`
+: The Amazon Resource Name (ARN) for a signing profile version.
+
+`content.signing_job_arn`
+: The Amazon Resource Name (ARN) of a signing job.
+
+`layer_arn`
+: The ARN of the layer.
+
+`layer_version_arn`
+: The ARN of the layer version.
+
+`description`
+: The description of the version.
+
+`created_date`
+: The date that the layer version was created, in ISO-8601 format (YYYY-MM-DDThh:mm:ss.sTZD).
+
+`version`
+: The version number.
+
+`compatible_runtimes`
+: The layer's compatible runtimes.
+
+`license_info`
+: The layer's software license.
+
+`compatible_architectures`
+: A list of compatible instruction set architectures.
+
+## Examples
+
+Ensure a layer ARN is available:
+
+```ruby
+describe aws_lambda_version(layer_name: 'LAYER_NAME', version_number: 1) do
+ its('layer_arn') { should eq 'LAYER_ARN' }
+end
+```
+
+Ensure a layer version ARN is available:
+
+```ruby
+describe aws_lambda_version(layer_name: 'LAYER_NAME', version_number: 1) do
+ its('layer_version_arn') { should eq 'LAYER_VERSION_ARN' }
+end
+```
+
+## Matchers
+
+{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}}
+
+This resource has the following special matchers.
+
+### exist
+
+Use `should` to test that the entity exists.
+
+```ruby
+describe aws_lambda_version(layer_name: 'LAYER_NAME', version_number: 1) do
+ it { should exist }
+end
+```
+
+Use `should_not` to test the entity does not exist.
+
+```ruby
+describe aws_lambda_version(layer_name: 'LAYER_NAME', version_number: 1) do
+ it { should_not exist }
+end
+```
+
+### be_available
+
+Use `should` to check if the entity is available.
+
+```ruby
+describe aws_lambda_version(layer_name: 'LAYER_NAME', version_number: 1) do
+ it { should be_available }
+end
+```
+
+## AWS Permissions
+
+{{% inspec-aws/aws_permissions_principal action="Lambda:Client:GetLayerVersionResponse" %}}
diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_lambda_versions.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_lambda_versions.md
new file mode 100644
index 0000000..abcfbc2
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_lambda_versions.md
@@ -0,0 +1,126 @@
++++
+title = "aws_lambda_versions resource"
+
+draft = false
+
+
+[menu.aws]
+title = "aws_lambda_versions"
+identifier = "inspec/resources/aws/aws_lambda_versions resource"
+parent = "inspec/resources/aws"
++++
+
+Use the `aws_lambda_versions` InSpec audit resource to test properties of multiple AWS Lambda function versions.
+
+The `AWS::Lambda::Version` resource creates a version from the current code and configuration of a function. Use versions to create a snapshot of your function code and configuration that doesn't change.
+
+For additional information, including details on parameters and properties, see the [AWS documentation on AWS Lambda Version](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-lambda-version.html).
+
+## Syntax
+
+Ensure that a Lambda version exists.
+
+```ruby
+describe aws_lambda_versions(layer_name: 'LAYER_NAME') do
+ it { should exist }
+end
+```
+
+## Parameters
+
+`layer_name` _(required)_
+
+: The name or Amazon Resource Name (ARN) of the Lambda layer.
+
+## Properties
+
+`layer_version_arns`
+: The ARN of the layer version.
+
+: **Field**: `layer_version_arn`
+
+`versions`
+: The version number.
+
+: **Field**: `version`
+
+`descriptions`
+: The description of the version.
+
+: **Field**: `description`
+
+`created_dates`
+: The date that the layer version was created, in ISO-8601 format (YYYY-MM-DDThh:mm:ss.sTZD).
+
+: **Field**: `created_date`
+
+`compatible_runtimes`
+: The layer's compatible runtimes.
+
+: **Field**: `compatible_runtimes`
+
+`license_infos`
+: The layer's software license.
+
+: **Field**: `license_info`
+
+`compatible_architectures`
+: A list of compatible instruction set architectures .
+
+: **Field**: `compatible_architectures`
+
+## Examples
+
+Ensure a layer version ARN is available:
+
+```ruby
+describe aws_lambda_versions(layer_name: 'LAYER_NAME') do
+ its('layer_version_arns') { should include 'LAYER_VERSION_ARN' }
+end
+```
+
+Ensure a version is available:
+
+```ruby
+describe aws_lambda_versions(layer_name: 'LAYER_NAME') do
+ its('versions') { should include 1 }
+end
+```
+
+## Matchers
+
+{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}}
+
+The controls will pass if the `list` method returns at least one result.
+
+### exist
+
+Use `should` to test that the entity exists.
+
+```ruby
+describe aws_lambda_versions(layer_name: 'LAYER_NAME') do
+ it { should exist }
+end
+```
+
+Use `should_not` to test the entity does not exist.
+
+```ruby
+describe aws_lambda_versions(layer_name: 'LAYER_NAME') do
+ it { should_not exist }
+end
+```
+
+### be_available
+
+Use `should` to check if the entity is available.
+
+```ruby
+describe aws_lambda_versions(layer_name: 'LAYER_NAME') do
+ it { should be_available }
+end
+```
+
+## AWS Permissions
+
+{{% inspec-aws/aws_permissions_principal action="Lambda:Client:ListLayerVersionsResponse" %}}
diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_lambdas.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_lambdas.md
new file mode 100644
index 0000000..f0e1da8
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_lambdas.md
@@ -0,0 +1,68 @@
++++
+title = "aws_lambdas resource"
+
+draft = false
+
+
+[menu.aws]
+title = "aws_lambdas"
+identifier = "inspec/resources/aws/aws_lambdas resource"
+parent = "inspec/resources/aws"
++++
+
+Use the `aws_lambdas` resource to test the collection of lambdas deployed into an account.
+
+## Syntax
+
+````
+describe aws_lambdas do
+ its('count') { should eq 20 }
+end
+````
+
+## Parameters
+
+This resource does not require any parameters.
+
+## Properties
+
+`names`
+: The names of the lambda deployed.
+
+`tags`
+: The tags of the lambda deployed.
+
+## Examples
+
+Tests that all lambdas with a particular tag is correctly deployed:
+
+````
+lambdas = aws_lambdas()
+
+describe lambdas do
+its ('count') { should eq 33}
+end
+
+lambdas.tags.each_with_index { | tag, i |
+if tag!= {} and tag.include? 'Application' and tag['Application']=='test')
+ lambda_name = lambdas.names[i]
+
+ describe aws_lambda(lambda_name) do
+ it { should exist}
+ its ('handler') { should eq 'main.on_event'}
+ its ('version') { should eq '$LATEST' }
+ its ('runtime') { should eq 'python3.7' }
+ end
+end
+}
+````
+
+## Matchers
+
+This InSpec audit resource uses the standard matchers. For a full list of available matchers, visit the [InSpec matchers page](https://www.inspec.io/docs/reference/matchers/).
+
+## AWS Permissions
+
+{{% inspec-aws/aws_permissions_principal action="Lambda:Client:ListFunctionsResponse" %}}
+
+You can find detailed documentation at [AWS Lambda](https://docs.aws.amazon.com/lambda/latest/dg/lambda-api-permissions-ref.html)
diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_launch_configuration.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_launch_configuration.md
new file mode 100644
index 0000000..31a7dfc
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_launch_configuration.md
@@ -0,0 +1,146 @@
++++
+title = "aws_launch_configuration resource"
+
+draft = false
+
+
+[menu.aws]
+title = "aws_launch_configuration"
+identifier = "inspec/resources/aws/aws_launch_configuration resource"
+parent = "inspec/resources/aws"
++++
+
+Use the `aws_launch_configuration` InSpec audit resource to test properties of a single AWS Launch Configuration.
+
+For additional information, including details on parameters and properties, see the [AWS documentation on Launch Configurations](https://docs.aws.amazon.com/autoscaling/ec2/userguide/LaunchConfiguration.html).
+
+## Syntax
+
+Ensure that a launch configuration exists and has the correct key name:
+
+```ruby
+describe aws_launch_configuration('my-config') do
+ it { should exist }
+ its('key_name') { should be 'my-key-name' }
+end
+```
+
+You may also use hash syntax to pass the launch configuration name:
+
+```ruby
+describe aws_launch_configuration(launch_configuration_name: 'my-config') do
+ it { should exist }
+end
+```
+
+## Parameters
+
+`launch_configuration_name` _(required)_
+
+: This resource expects a single parameter, the `launch_configuration_name` which uniquely identifies the of a Launch Configuration.
+
+## Properties
+
+`arn`
+: An string indicating the ARN of the launch configuration.
+
+`image_id`
+: An string indicating the AMI of the launch configuration.
+
+`instance_type`
+: A string indicating the instance type of the launch configuration.
+
+`iam_instance_profile`
+: A string indicating the IAM profile for the launch configuration.
+
+`key_name`
+: A string indicating the AWS key pair for the launch configuration.
+
+`security_groups`
+: An array of strings of the security group IDs associated with the launch configuration.
+
+`associate_public_ip_address`
+: A boolean indicating if the launch configuration is configured to set a public IP address.
+
+`user_data`
+: A string containing the user data configured for the launch configuration.
+
+`ebs_optimized`
+: A boolean indicating if the launch configuration is optimized for Amazon EBS.
+
+`instance_monitoring`
+: A string indicating if instance monitoring is set to `detailed` or `basic`.
+
+`spot_price`
+: A floating point number indicating the spot price configured.
+
+## Examples
+
+Ensure a Launch Config is using the correct AMI :
+
+```ruby
+describe aws_launch_configuration('my-config') do
+ its('image_id') { should eq 'ami-012345'}
+end
+```
+
+Test the instance type used in a Launch Config:
+
+```ruby
+describe aws_launch_configuration('my-config') do
+ its('instance_type') { should eq 't3.micro'}
+end
+```
+
+Ensure a Launch Config is associated with the right IAM Profile:
+
+```ruby
+describe aws_launch_configuration('my-config') do
+ its('iam_instance_profile') { should eq 'iam-profile' }
+end
+```
+
+Ensure the Launch Config does not set a public IP:
+
+```ruby
+describe aws_launch_configuration('my-config') do
+ its('associate_public_ip_address') { should be false }
+end
+```
+
+Ensure the correct UserData is set on launched instances:
+
+```ruby
+describe aws_launch_configuration('my-config') do
+ its('user_data') { should include 'user-data' }
+end
+```
+
+## Matchers
+
+{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}}
+
+This resource has the following special matchers.
+
+### exist
+
+The control will pass if the describe returns at least one result.
+
+Use `should_not` to test the entity should not exist.
+
+```ruby
+describe aws_launch_configuration('AnExistingLC') do
+ it { should exist }
+end
+```
+
+```ruby
+describe aws_launch_configuration('ANonExistentLC') do
+ it { should_not exist }
+end
+```
+
+## AWS Permissions
+
+{{% inspec-aws/aws_permissions_principal action="AutoScaling:Client:LaunchConfigurationsType" %}}
+You can find detailed documentation at [Actions, Resources, and Condition Keys for Amazon Auto Scaling Groups and launch configurations](https://docs.aws.amazon.com/autoscaling/ec2/userguide/control-access-using-iam.html).
diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_logs_metric_filter.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_logs_metric_filter.md
new file mode 100644
index 0000000..827be83
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_logs_metric_filter.md
@@ -0,0 +1,113 @@
++++
+title = "aws_logs_metric_filter resource"
+
+draft = false
+
+
+[menu.aws]
+title = "aws_logs_metric_filter"
+identifier = "inspec/resources/aws/aws_logs_metric_filter resource"
+parent = "inspec/resources/aws"
++++
+
+Use the `aws_logs_metric_filter` InSpec audit resource to test properties of a single specific AWS CloudWatch logs metric filter.
+
+For additional information, including details on parameters and properties, see the [AWS documentation on AWS Logs MetricFilter](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-logs-metricfilter.html).
+
+## Syntax
+
+Ensure that a work_group name exists.
+
+```ruby
+describe aws_logs_metric_filter(filter_name: 'FILTER_NAME') do
+ it { should exist }
+end
+```
+
+## Parameters
+
+`filter_name` _(required)_
+
+: The name of the metric filter.
+
+## Properties
+
+`filter_name`
+: The name of the metric filter.
+
+`filter_pattern`
+: A symbolic description of how CloudWatch Logs should interpret the data in each log event. For example, a log event can contain timestamps, IP addresses, strings, and so on. You use the filter pattern to specify what to look for in the log event message.
+
+`metric_transformations (metric_name)`
+: The metric transformations. The name of the CloudWatch metric.
+
+`metric_transformations (metric_namespace)`
+: The metric transformations. A custom namespace to contain your metric in CloudWatch. Use namespaces to group together metrics that are similar.
+
+`metric_transformations (metric_value)`
+: The metric transformations. The value to publish to the CloudWatch metric when a filter pattern matches a log event.
+
+`metric_transformations (default_value)`
+: The metric transformations. The value to emit when a filter pattern does not match a log event. This value can be null.
+
+`creation_time`
+: The creation time of the metric filter, expressed as the number of milliseconds after Jan 1, 1970 00:00:00 UTC.
+
+`log_group_name`
+: The name of the log group.
+
+## Examples
+
+Ensure a filter name is available:
+
+```ruby
+describe aws_logs_metric_filter(filter_name: 'FILTER_NAME') do
+ its('filter_name') { should eq 'FilterName' }
+end
+```
+
+Ensure a log group name is available:
+
+```ruby
+describe aws_logs_metric_filter(filter_name: 'FILTER_NAME') do
+ its('log_group_name') { should eq 'LogGroupName' }
+end
+```
+
+## Matchers
+
+{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}}
+
+The controls will pass if the `describe` method returns at least one result.
+
+### exist
+
+Use `should` to test that the entity exists.
+
+```ruby
+describe aws_logs_metric_filter(filter_name: 'FILTER_NAME') do
+ it { should exist }
+end
+```
+
+Use `should_not` to test the entity does not exist.
+
+```ruby
+describe aws_logs_metric_filter(filter_name: 'dummy') do
+ it { should_not exist }
+end
+```
+
+### be_available
+
+Use `should` to check if the filter name is available.
+
+```ruby
+describe aws_logs_metric_filter(filter_name: 'FILTER_NAME') do
+ it { should be_available }
+end
+```
+
+## AWS Permissions
+
+{{% inspec-aws/aws_permissions_principal action="CloudWatchLogs:Client:DescribeMetricFiltersResponse" %}}
diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_logs_metric_filters.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_logs_metric_filters.md
new file mode 100644
index 0000000..f8c11d9
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_logs_metric_filters.md
@@ -0,0 +1,102 @@
++++
+title = "aws_logs_metric_filters resource"
+
+draft = false
+
+
+[menu.aws]
+title = "aws_logs_metric_filters"
+identifier = "inspec/resources/aws/aws_logs_metric_filters resource"
+parent = "inspec/resources/aws"
++++
+
+Use the `aws_logs_metric_filters` InSpec audit resource to test properties of multiple AWS CloudWatch logs metric filters.
+
+For additional information, including details on parameters and properties, see the [AWS documentation on AWS Logs MetricFilter](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-logs-metricfilter.html).
+
+## Syntax
+
+Ensure that a filter name exists.
+
+```ruby
+describe aws_logs_metric_filters do
+ it { should exist }
+end
+```
+
+## Parameters
+
+This resource does not require any parameters.
+
+## Properties
+
+`filter_names`
+: The name of the metric filter.
+
+`filter_patterns`
+: A symbolic description of how CloudWatch Logs should interpret the data in each log event. For example, a log event can contain timestamps, IP addresses, strings, and so on. You use the filter pattern to specify what to look for in the log event message.
+
+`metric_transformations`
+: The metric transformations.
+
+`creation_times`
+: The creation time of the metric filter, expressed as the number of milliseconds after Jan 1, 1970 00:00:00 UTC.
+
+`log_group_names`
+: The name of the log group.
+
+## Examples
+
+Ensure a filter name is available:
+
+```ruby
+describe aws_logs_metric_filters do
+ its('filter_names') { should include 'FILTER_NAME' }
+end
+```
+
+Ensure a log group name is available:
+
+```ruby
+describe aws_logs_metric_filters do
+ its('log_group_names') { should include 'LOG_GROUP_NAME' }
+end
+```
+
+## Matchers
+
+{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}}
+
+The controls will pass if the `describe` method returns at least one result.
+
+### exist
+
+Use `should` to test that the entity exists.
+
+```ruby
+describe aws_logs_metric_filters do
+ it { should exist }
+end
+```
+
+Use `should_not` to test the entity does not exist.
+
+```ruby
+describe aws_logs_metric_filters do
+ it { should_not exist }
+end
+```
+
+### be_available
+
+Use `should` to check if the filter name is available.
+
+```ruby
+describe aws_logs_metric_filters do
+ it { should be_available }
+end
+```
+
+## AWS Permissions
+
+{{% inspec-aws/aws_permissions_principal action="CloudWatchLogs:Client:DescribeMetricFiltersResponse" %}}
diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_mq_broker.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_mq_broker.md
new file mode 100644
index 0000000..d98ed93
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_mq_broker.md
@@ -0,0 +1,169 @@
++++
+title = "aws_mq_broker resource"
+
+draft = false
+
+
+[menu.aws]
+title = "aws_mq_broker"
+identifier = "inspec/resources/aws/aws_mq_broker resource"
+parent = "inspec/resources/aws"
++++
+
+Use the `aws_mq_broker` InSpec audit resource to test the properties of a single specific AWS MQ Broker.
+
+For additional information, including details on parameters and properties, see the [AWS documentation on AWS MQ Broker](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-amazonmq-broker.html).
+
+## Syntax
+
+Ensure that AWS MQ Broker exists.
+
+```ruby
+describe aws_mq_broker(broker_id: 'BROKER_ID') do
+ it { should exist }
+end
+```
+
+## Parameters
+
+`broker_id` _(required)_
+
+: broker_id: The ID of the AWS MQ broker.
+
+## Properties
+
+`authentication_strategy`
+: The authentication strategy used to secure the broker. The default is `SIMPLE`.
+
+: **Field**: `authentication_strategy`
+
+`auto_minor_version_upgrade`
+: Enables automatic upgrades to new minor versions for brokers, as new versions are released and supported by Amazon MQ.
+
+: **Field**: `auto_minor_version_upgrade`
+
+`broker_arn`
+: The broker's Amazon Resource Name (ARN).
+
+: **Field**: `broker_arn`
+
+`broker_name`
+: The name of the broker.
+
+: **Field**: `broker_name`
+
+`broker_state`
+: The broker's status.
+
+: **Field**: `broker_state`
+
+`created`
+: Creation time of the broker's profile.
+
+: **Field**: `created`
+
+`deployment_mode`
+: The deployment mode of the broker.
+
+: **Field**: `deployment_mode`
+
+`engine_type`
+: The type of broker engine. Currently, Amazon MQ supports `ACTIVEMQ` and `RABBITMQ.`.
+
+: **Field**: `engine_type`
+
+`engine_version`
+: The version of the broker engine.
+
+: **Field**: `engine_version`
+
+`host_instance_type`
+: The broker's instance type.
+
+: **Field**: `host_instance_type`
+
+`pending_engine_version`
+: The broker engine version for the upgrade.
+
+: **Field**: `pending_engine_version`
+
+`pending_host_instance_type`
+: The broker's host instance type for the upgrade.
+
+: **Field**: `pending_host_instance_type`
+
+`publicly_accessible`
+: Enables connections from applications outside of the VPC that hosts the broker's subnets.
+
+: **Field**: `publicly_accessible`
+
+`storage_type`
+: The broker's storage type.
+
+: **Field**: `storage_type`
+
+`subnet_ids`
+: The list of groups defines which subnets and IP range the broker can use from different availability zones. If you specify more than one subnet, the subnets must be in different availability zones. Amazon MQ cannot create VPC endpoints for the broker with multiple subnets in the same availability zone. A `SINGLE_INSTANCE` deployment requires one subnet (for example, the default subnet). An `ACTIVE_STANDBY_MULTI_AZ deployment (ACTIVEMQ)` requires two subnets. A `CLUSTER_MULTI_AZ deployment (RABBITMQ)` has no subnet requirements when deployed with public accessibility, deployment without public accessibility requires at least one subnet.
+
+: **Field**: `subnet_ids`
+
+`tags`
+: The list of all tags associated with this broker.
+
+: **Field**: `tags`
+
+## Examples
+
+Ensure a broker ID is available:
+
+```ruby
+describe aws_mq_broker(broker_id: 'BROKER_ID') do
+ its('broker_id') { should eq 'BROKER_ID }
+end
+```
+
+Ensure a broker name is available:
+
+```ruby
+describe aws_mq_broker(broker_id: 'BROKER_ID') do
+ its('broker_name') { should eq 'BROKER_NAME' }
+end
+```
+
+## Matchers
+
+{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}}
+
+The control pass if the `describe` method returns at least one result.
+
+### exist
+
+Use `should` to test that the entity exists.
+
+```ruby
+describe aws_mq_broker(broker_id: 'BROKER_ID') do
+ it { should exist }
+end
+```
+
+Use `should_not` to test the entity does not exist.
+
+```ruby
+describe aws_mq_broker(broker_id: 'DUMMY') do
+ it { should_not exist }
+end
+```
+
+### be_available
+
+Use `should` to check if the mq broker is available.
+
+```ruby
+describe aws_mq_broker(broker_id: 'BROKER_ID') do
+ it { should be_available }
+end
+```
+
+## AWS Permissions
+
+{{% inspec-aws/aws_permissions_principal action="MQ:Client:DescribeBrokerResponse" %}}
diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_mq_brokers.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_mq_brokers.md
new file mode 100644
index 0000000..9d32401
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_mq_brokers.md
@@ -0,0 +1,127 @@
++++
+title = "aws_mq_brokers resource"
+
+draft = false
+
+
+[menu.aws]
+title = "aws_mq_brokers"
+identifier = "inspec/resources/aws/aws_mq_brokers resource"
+parent = "inspec/resources/aws"
++++
+
+Use the `aws_mq_brokers` InSpec audit resource to test the properties of multiple AWS MQ Broker.
+
+## Syntax
+
+Ensure that AWS MQ Broker exists.
+
+```ruby
+describe aws_mq_brokers do
+ it { should exist }
+end
+```
+
+For additional information, see the [AWS documentation on AWS MQ Broker](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-amazonmq-broker.html).
+
+## Parameters
+
+This resource does not require any parameters.
+
+## Properties
+
+`broker_arns`
+: The broker's Amazon Resource Name (ARN).
+
+: **Field**: `broker_arn`
+
+`broker_names`
+: The name of the broker. This value must be unique in your AWS account, 1-50 characters long, contain only letters, numbers, dashes, and underscores, and not contain white spaces, brackets, wildcard characters, or special characters.
+
+: **Field**: `broker_name`
+
+`broker_states`
+: The broker's status.
+
+: **Field**: `broker_state`
+
+`created`
+: Creation time of the broker profile.
+
+: **Field**: `created`
+
+`deployment_modes`
+: The deployment mode of the broker. Available values: `SINGLE_INSTANCE`', `ACTIVE_STANDBY_MULTI_AZ`, and `CLUSTER_MULTI_AZ`.
+
+: **Field**: `deployment_mode`
+
+`engine_types`
+: The type of broker engine. Currently, Amazon MQ supports `ACTIVEMQ` and `RABBITMQ.`.
+
+: **Field**: `engine_type`
+
+`engine_versions`
+: The version of the broker engine.
+
+: **Field**: `engine_version`
+
+`host_instance_types`
+: The broker's instance type.
+
+: **Field**: `host_instance_type`
+
+## Examples
+
+Ensure a broker is available:
+
+```ruby
+describe aws_mq_brokers do
+ its('broker_ids') { should include 'BROKER_ID' }
+end
+```
+
+Ensure that the status is correct:
+
+```ruby
+describe aws_mq_brokers do
+ its('broker_names') { should include 'BROKER_NAME' }
+end
+```
+
+## Matchers
+
+{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}}
+
+The control pass if the `list` method returns at least one result.
+
+### exist
+
+Use `should` to test that the entity exists.
+
+```ruby
+describe aws_mq_brokers do
+ it { should exist }
+end
+```
+
+Use `should_not` to test the entity does not exist.
+
+```ruby
+describe aws_mq_brokers do
+ it { should_not exist }
+end
+```
+
+### be_available
+
+Use `should` to check if the AWS MQ broker is available.
+
+```ruby
+describe aws_mq_brokers do
+ it { should be_available }
+end
+```
+
+## AWS Permissions
+
+{{% inspec-aws/aws_permissions_principal action="MQ:Client:ListBrokersResponse" %}}
diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_mq_configuration.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_mq_configuration.md
new file mode 100644
index 0000000..ae18e80
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_mq_configuration.md
@@ -0,0 +1,135 @@
++++
+title = "aws_mq_configuration resource"
+
+draft = false
+
+
+[menu.aws]
+title = "aws_mq_configuration"
+identifier = "inspec/resources/aws/aws_mq_configuration resource"
+parent = "inspec/resources/aws"
++++
+
+Use the `aws_mq_configuration` InSpec audit resource to test the properties of a single specific AWS MQ configuration.
+
+For additional information, including details on parameters and properties, see the [AWS documentation on AWS MQ configuration](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-amazonmq-configuration.html).
+
+## Syntax
+
+Ensure that AWS MQ configuration exists.
+
+```ruby
+describe aws_mq_configuration(configuration_id: 'configuration_id') do
+ it { should exist }
+end
+```
+
+## Parameters
+
+`configuration_id` _(required)_
+
+`configuration_id`
+: The configuration ID.
+
+## Properties
+
+`arn`
+: The ARN of the configuration.
+
+: **Field**: `arn`
+
+`authentication_strategy`
+: The authentication strategy associated with the configuration. The default is SIMPLE.
+
+: **Field**: `authentication_strategy`
+
+`created`
+: The date and time of the configuration revision.
+
+: **Field**: `Created`
+
+`description`
+: The description of the configuration.
+
+: **Field**: `description`
+
+`engine_type`
+: The type of broker engine. Currently, Amazon MQ supports ACTIVEMQ and RABBITMQ.
+
+: **Field**: `engine_type`
+
+`engine_version`
+: The broker engine's version. For a list of supported engine versions.
+
+: **Field**: `engine_version`
+
+`id`
+: The unique ID that Amazon MQ generates for the configuration.
+
+: **Field**: `id`
+
+`name`
+: The name of the configuration.
+
+: **Field**: `name`
+
+`tags`
+: The list of all tags associated with this configuration.
+
+: **Field**: `tags`
+
+## Examples
+
+Ensure a configuration id is available:
+
+```ruby
+describe aws_mq_configuration(configuration_id: 'configuration_id') do
+ its('configuration_id') { should eq 'configuration_id' }
+end
+```
+
+Ensure a configuration name is available:
+
+```ruby
+describe aws_mq_configuration(configuration_id: 'configuration_id') do
+ its('configuration_name') { should eq 'configuration_name' }
+end
+```
+
+## Matchers
+
+{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}}
+
+The controls will pass if the `describe` method returns at least one result.
+
+### exist
+
+Use `should` to test that the entity exists.
+
+```ruby
+describe aws_mq_configuration(configuration_id: 'configuration_id') do
+ it { should exist }
+end
+```
+
+Use `should_not` to test the entity does not exist.
+
+```ruby
+describe aws_mq_configuration(configuration_id: 'dummy') do
+ it { should_not exist }
+end
+```
+
+### be_available
+
+Use `should` to check if the mq configuration is available.
+
+```ruby
+describe aws_mq_configuration(configuration_id: 'configuration_id') do
+ it { should be_available }
+end
+```
+
+## AWS Permissions
+
+{{% inspec-aws/aws_permissions_principal action="MQ:Client:DescribeConfigurationResponse" %}}
diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_mq_configurations.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_mq_configurations.md
new file mode 100644
index 0000000..06f36e5
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_mq_configurations.md
@@ -0,0 +1,132 @@
++++
+title = "aws_mq_configurations resource"
+
+draft = false
+
+
+[menu.aws]
+title = "aws_mq_configurations"
+identifier = "inspec/resources/aws/aws_mq_configurations resource"
+parent = "inspec/resources/aws"
++++
+
+Use the `aws_mq_configurations` InSpec audit resource to test the properties of multiple AWS MQ configuration.
+
+## Syntax
+
+Ensure that AWS MQ configuration exists.
+
+```ruby
+describe aws_mq_configurations do
+ it { should exist }
+end
+```
+
+For additional information, see the [AWS documentation on AWS MQ configuration](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-amazonmq-configuration.html).
+
+## Parameters
+
+This resource does not require any parameters.
+
+## Properties
+
+`arns`
+: The ARN of the configuration.
+
+: **Field**: `arn`
+
+`authentication_strategies`
+: The authentication strategy associated with the configuration. The default is SIMPLE.
+
+: **Field**: `authentication_strategy`
+
+`Created`
+: The date and time of the configuration revision.
+
+: **Field**: `Created`
+
+`description`
+: The description of the configuration.
+
+: **Field**: `description`
+
+`engine_types`
+: The type of broker engine. Currently, Amazon MQ supports ACTIVEMQ and RABBITMQ.
+
+: **Field**: `engine_type`
+
+`engine_versions`
+: The broker engine's version. For a list of supported engine versions.
+
+: **Field**: `engine_version`
+
+`ids`
+: The unique ID that Amazon MQ generates for the configuration.
+
+: **Field**: `id`
+
+`names`
+: The name of the configuration.
+
+: **Field**: `name`
+
+`tags`
+: The list of all tags associated with this configuration.
+
+: **Field**: `tags`
+
+## Examples
+
+Ensure a configuration ID is available:
+
+```ruby
+describe aws_mq_configurations do
+ its('ids') { should include 'configuration_id' }
+end
+```
+
+Ensure a configuration name is available:
+
+```ruby
+describe aws_mq_configurations do
+ its('names') { should include 'configuration_name' }
+end
+```
+
+## Matchers
+
+{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}}
+
+The controls will pass if the `list` method returns at least one result.
+
+### exist
+
+Use `should` to test that the entity exists.
+
+```ruby
+describe aws_mq_configurations do
+ it { should exist }
+end
+```
+
+Use `should_not` to test the entity does not exist.
+
+```ruby
+describe aws_mq_configurations do
+ it { should_not exist }
+end
+```
+
+### be_available
+
+Use `should` to check if the mq configuration is available.
+
+```ruby
+describe aws_mq_configurations do
+ it { should be_available }
+end
+```
+
+## AWS Permissions
+
+{{% inspec-aws/aws_permissions_principal action="MQ:Client:ListConfigurationsResponsegit" %}}
diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_nat_gateway.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_nat_gateway.md
new file mode 100644
index 0000000..011ad0a
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_nat_gateway.md
@@ -0,0 +1,148 @@
++++
+title = "aws_nat_gateway resource"
+
+draft = false
+
+
+[menu.aws]
+title = "aws_nat_gateway"
+identifier = "inspec/resources/aws/aws_nat_gateway resource"
+parent = "inspec/resources/aws"
++++
+
+Use the `aws_nat_gateway` InSpec audit resource to test the properties of a single AWS NAT gateway.
+
+## Syntax
+
+An `aws_nat_gateway` resource block declares the tests for a single AWS NAT gateway by id, name, vpc_id or subnet_id.
+
+```ruby
+describe aws_nat_gateway(id: 'nat-abc0123456789deff') do
+ it { should exist }
+end
+```
+
+```ruby
+describe aws_nat_gateway(name: 'my-nat-gateway') do
+ it { should exist }
+end
+```
+
+Multiple parameters can be provided for better granularity.
+
+```ruby
+describe aws_nat_gateway(vpc_id: 'vpc-abc01234', subnet_id: 'subnet-6789deff') do
+ it { should exist }
+end
+```
+
+## Parameters
+
+At least one of the following parameters must be provided.
+
+- id
+- name
+- subnet_id
+- vpc_id
+
+`id`
+
+: The value of the `nat_gateway_id` assigned by the AWS after the resource has been created.
+ This should be in the format of `nat-` followed by 8 or 17 hexadecimal characters and passed as an `id: 'value'` key-value entry in a hash.
+
+`name`
+
+: If a `Name` tag is applied to the NAT gateway, this can be used to lookup the resource.
+ This must be passed as a `name: 'value'` key-value entry in a hash.
+ If there are multiple NAT gateways with the same name, this resource will raise an error.
+
+`subnet_id`
+
+: The ID of the subnet in which the NAT gateway is placed.
+ This should be in the format of `subnet-` followed by 8 or 17 hexadecimal characters and passed as an `subnet_id: 'value'` key-value entry in a hash.
+
+`vpc_id`
+
+: The ID of the VPC in which the NAT gateway is located.
+ This should be in the format of `vpc-` followed by 8 or 17 hexadecimal characters and passed as an `vpc_id: 'value'` key-value entry in a hash.
+
+## Properties
+
+`id`
+: The ID of the NAT gateway.
+
+`name`
+: The value of the `Name` tag. It is `nil` if not defined.
+
+`vpc_id`
+: The ID of the VPC in which the NAT gateway is located.
+
+`subnet_id`
+: The ID of the subnet in which the NAT gateway is placed.
+
+`tags`
+: A hash, with each key-value pair corresponding to a NAT gateway tag.
+
+`nat_gateway_address_set`
+: A hash of [NatGatewayAddress object](https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_NatGatewayAddress.html) that gives information about the IP addresses and network interface associated with the NAT gateway.
+
+`state`
+: The sate of the NAT gateway. Valid values are: `pending`, `failed`, `available`, `deleting` and `deleted`.
+
+There are also additional properties available. For a comprehensive list, see [the API reference documentation](https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_NatGateway.html)
+
+## Examples
+
+Test that the NAT gateway is in `available` state:
+
+```ruby
+describe aws_nat_gateway(name: 'my-nat-gateway') do
+ its('state') { should eq 'available' }
+end
+```
+
+Test that the ID of the VPC is `vpc-1234567890abcdef1`:
+
+```ruby
+describe aws_nat_gateway(id: 'nat-abc0123456789deff') do
+ its('vpc_id') { should eq `vpc-1234567890abcdef1` }
+end
+```
+
+Test that the NAT gateway has a certain tag:
+
+```ruby
+describe aws_nat_gateway(name: 'my-nat-gateway') do
+ its('tags') { should include('environment' => 'dev') }
+Regardless of the value:
+
+end
+```
+
+Test that the private IP address is `10.0.1.68`:
+
+```ruby
+describe aws_nat_gateway(vpc_id: 'vpc-abc01234', subnet_id: 'subnet-12345678') do
+ its('nat_gateway_address_set') { should include(:private_ip => '10.0.1.68') }
+end
+```
+
+For more examples, see the [integration tests](https://github.com/inspec/inspec-aws/blob/main/test/integration/verify/controls/aws_nat_gateway.rb).
+
+## Matchers
+
+This InSpec audit resource has the following special matcher.
For a full list of available matchers, visit the [InSpec matchers page](https://www.inspec.io/docs/reference/matchers/).
+
+### exist
+
+```ruby
+describe aws_nat_gateway(name: 'my-nat-gateway') do
+ it { should exist }
+end
+```
+
+## AWS Permissions
+
+{{% inspec-aws/aws_permissions_principal action="EC2:Client:DescribeNatGatewaysResult" %}}
+
+You can find detailed documentation at [Actions, Resources, and Condition Keys for Amazon EC2](https://docs.aws.amazon.com/IAM/latest/UserGuide/list_amazonec2.html), and [Actions, Resources, and Condition Keys for Identity And Access Management](https://docs.aws.amazon.com/IAM/latest/UserGuide/list_identityandaccessmanagement.html).
diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_nat_gateways.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_nat_gateways.md
new file mode 100644
index 0000000..226aff0
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_nat_gateways.md
@@ -0,0 +1,112 @@
++++
+title = "aws_nat_gateways resource"
+
+draft = false
+
+
+[menu.aws]
+title = "aws_nat_gateways"
+identifier = "inspec/resources/aws/aws_nat_gateways resource"
+parent = "inspec/resources/aws"
++++
+
+Use the `aws_nat_gateways` InSpec audit resource to test the properties of all AWS NAT gateways owned by the AWS account.
+
+## Syntax
+
+An `aws_nat_gateways` resource block collects all of the NAT gateways and then tests that group.
+
+```ruby
+describe aws_nat_gateways do
+ it { should exist }
+end
+```
+
+## Parameters
+
+This resource does not require any parameters.
+
+## Properties
+
+`ids`
+: The ID of the NAT gateway.
+
+: **Field**: `id`
+
+`names`
+: The value of the `Name` tag. It is `nil` if not defined.
+
+: **Field**: `name`
+
+`vpc_ids`
+: The ID of the VPC in which the NAT gateway is located.
+
+: **Field**: `vpc_id`
+
+`subnet_ids`
+: The ID of the subnet in which the NAT gateway is placed.
+
+: **Field**: `subnet_id`
+
+`tags`
+: A hash, with each key-value pair corresponding to a NAT gateway tag.
+
+: **Field**: `tags`
+
+`states`
+: The sate of the NAT gateway. Valid values are: `pending`, `failed`, `available`, `deleting` and `deleted`.
+
+: **Field**: `state`
+
+## Examples
+
+Test that there are exactly 3 NAT gateways:
+
+```ruby
+describe aws_nat_gateways do
+ its('count') { should cmp 3 }
+end
+```
+
+Use this InSpec resource to request the ids of all NAT gateways, then test in-depth using `aws_nat_gateway` InSpec singular AWS resource:
+
+```ruby
+aws_nat_gateways.ids.each do |id|
+ describe aws_nat_gateway(id: id) do
+ its('state') { should eq 'available' }
+ end
+end
+```
+
+For more examples, see the [integration tests](https://github.com/inspec/inspec-aws/blob/main/test/integration/verify/controls/aws_nat_gateways.rb).
+
+## Matchers
+
+{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}}
+
+### exist
+
+The control will pass if the describe returns at least one result.
+The field names described in the [properties](#properties) should be used for the `` in the `where` clause.
+
+Use `should_not` to test the entity should not exist.
+
+```ruby
+describe aws_nat_gateways.where( : ) do
+ it { should exist }
+end
+```
+
+```ruby
+describe aws_nat_gateways.where( : ) do
+ it { should_not exist }
+end
+```
+
+Please see [here](https://github.com/inspec/inspec/blob/master/docs/dev/filtertable-usage.md) for more information on how to use filter table.
+
+## AWS Permissions
+
+{{% inspec-aws/aws_permissions_principal action="EC2:Client:DescribeNatGatewaysResult" %}}
+
+You can find detailed documentation at [Actions, Resources, and Condition Keys for Amazon EC2](https://docs.aws.amazon.com/IAM/latest/UserGuide/list_amazonec2.html), and [Actions, Resources, and Condition Keys for Identity And Access Management](https://docs.aws.amazon.com/IAM/latest/UserGuide/list_identityandaccessmanagement.html).
diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_network_acl.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_network_acl.md
new file mode 100644
index 0000000..419e15c
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_network_acl.md
@@ -0,0 +1,215 @@
++++
+title = "aws_network_acl resource"
+
+draft = false
+
+
+[menu.aws]
+title = "aws_network_acl"
+identifier = "inspec/resources/aws/aws_network_acl resource"
+parent = "inspec/resources/aws"
++++
+
+Use the `aws_network_acl` InSpec audit resource to test the properties of a single Amazon network ACL.
+
+## Syntax
+
+An `aws_network_acl` resource block declares the tests for a single Amazon network ACL by `network_acl_id`.
+
+```ruby
+describe aws_network_acl(network_acl_id: 'acl-001db867a1898981b') do
+ it { should exist }
+end
+```
+
+The value of the `network_acl_id` can be provided as a string.
+
+```ruby
+describe aws_network_acl('acl-001db867a1898981b') do
+ it { should exist }
+end
+```
+
+## Parameters
+
+The network ACL ID is required.
+
+`network_acl_id` _(required)_
+
+: The ID of the network ACL:
+
+: - must contain between 1 and 50 alphanumeric characters or hyphens
+
+- should start with `acl-`
+- cannot end with a hyphen or contain two consecutive hyphens
+
+: It can be passed either as a string or as a `network_acl_id: 'value'` key-value entry in a hash.
+
+## Properties
+
+`network_acl_id`
+: The ID of the network ACL.
+
+`is_default`
+: Indicates whether this is the default network ACL for the VPC.
+
+`vpc_id`
+: The ID of the VPC for the network ACL.
+
+`owner_id`
+: The ID of the AWS account that owns the network ACL.
+
+`associated_subnet_ids`
+: The ID of the associated subnets to the network ACL.
+
+`egress`
+: All rules that are applied to traffic leaving the subnet.
+
+`ingress`
+: All rules that are applied to traffic incoming to the subnet.
+
+`associations`
+: All subnet associations on the network ACL.
+
+`tags`
+: A hash with each key-value pair corresponding to a network ACL.
+
+`egress_rule_number_*`ACL_RULE_NUMBER`*`
+: This is a dynamically formed property of the egress ACL rule for a specific _`ACL_RULE_NUMBER`_. See below for nested details and examples.
+
+`ingress_rule_number_*`ACL_RULE_NUMBER`*`
+: This is a dynamically formed property of the ingress ACL rule for a specific _`ACL_RULE_NUMBER`_. See below for nested details and examples.
+
+### Nested Properties of dynamic egress and ingress rule number properties
+
+|Nested Property | Description |
+| --- | --- |
+|cidr_block | The IPv4 network range to allow or deny, in CIDR notation. |
+|ipv_6_cidr_block | The IPv6 network range to allow or deny, in CIDR notation. |
+|protocol | The protocol specified in the entry. Accepted values are: `tcp`, `udp`, `icmp`, or a protocol number. |
+|rule_action | Allows or denies the matching traffic. Accepted values are: `allow` or `deny`. |
+|rule_number | The number of an entry (in other words, rule) in the set of ACL entries. |
+|port_range.from | The start of the port range specified in the entry. |
+|port_range.to | The end of the port range specified in the entry. |
+|icmp_type_cod.code | The ICMP code specified in the entry, if any. |
+|icmp_type_code.type | The ICMP type specified in the entry, if any.
|
+
+You can find detailed documentation at [NetworkAclEntry](https://docs.aws.amazon.com/sdk-for-ruby/v3/api/Aws/EC2/Types/NetworkAclEntry.html)
+
+## Examples
+
+Test that if a network ACL is default for the VPC:
+
+```ruby
+describe aws_network_acl(network_acl_id: 'acl-001db867a1898981b') do
+ it { should be_default }
+end
+```
+
+Test that the ID of the VPC is `vpc-00727fc4213acee4a`:
+
+```ruby
+describe aws_network_acl(network_acl_id: 'acl-001db867a1898981b') do
+ its('vpc_id') { should eq 'vpc-00727fc4213acee4a' }
+end
+```
+
+Test that the Associated subnet IDs include `subnet-07a323891825bc312`:
+
+```ruby
+describe aws_network_acl(network_acl_id: 'acl-001db867a1898981b') do
+ its('associated_subnet_ids') { should include 'subnet-07a323891825bc312' }
+end
+```
+
+Test that CIDR Block of ACL egress entry for rule number `100` is `10.3.0.0/18`:
+
+```ruby
+describe aws_network_acl(network_acl_id: 'acl-001db867a1898981b') do
+ its('egress_rule_number_100.cidr_block') { should eq '10.3.0.0/18' }
+end
+```
+
+Test that Port Ranges of ACL ingress entry for rule number `100` is `443`:
+
+```ruby
+describe aws_network_acl(network_acl_id: 'acl-001db867a1898981b') do
+ its('ingress_rule_number_100.port_range.from') { should eq '443' }
+ its('ingress_rule_number_100.port_range.to') { should eq '443' }
+end
+```
+
+## Matchers
+
+{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}}
+
+This resource has the following special matchers.
+
+### exist
+
+```ruby
+describe aws_network_acl(network_acl_id: 'acl-001db867a1898981b') do
+ it { should exist }
+end
+```
+
+### be_default
+
+```ruby
+describe aws_network_acl(network_acl_id: 'acl-001db867a1898981b') do
+ it { should be_default }
+end
+```
+
+### be_associated (to any subnet)
+
+```ruby
+describe aws_network_acl(network_acl_id: 'acl-001db867a1898981b') do
+ it { should be_associated }
+end
+```
+
+### have_associations
+
+```ruby
+describe aws_network_acl(network_acl_id: 'acl-001db867a1898981b') do
+ it { should have_associations }
+ it { should have_associations(subnet_id: 'subnet-07a323891825bc312') }
+end
+```
+
+### have_acl_entry_value
+
+```ruby
+describe aws_network_acl(network_acl_id: 'acl-001db867a1898981b') do
+ it { should have_acl_entry_value(cidr_block: '10.3.0.0/18', egress: false, rule_action: 'allow') }
+end
+```
+
+### have_egress
+
+```ruby
+describe aws_network_acl(network_acl_id: 'acl-001db867a1898981b') do
+ it { should have_egress }
+ it { should have_egress(cidr_block: '10.3.0.0/18', rule_action: 'allow') }
+ it { should have_egress(rule_action: 'allow') }
+ it { should have_egress(cidr_block: '10.3.0.0/18') }
+end
+```
+
+### have_ingress
+
+```ruby
+describe aws_network_acl(network_acl_id: 'acl-001db867a1898981b') do
+ it { should have_ingress }
+ it { should have_ingress(cidr_block: '10.3.0.0/18', rule_action: 'allow') }
+ it { should have_ingress(rule_action: 'allow') }
+ it { should have_ingress(cidr_block: '10.3.0.0/18') }
+end
+```
+
+## AWS Permissions
+
+{{% inspec-aws/aws_permissions_principal action="EC2:Client:DescribeNetworkAclsResult" %}}
+
+You can find detailed documentation at [Actions, Resources, and Condition Keys for network ACL](https://docs.aws.amazon.com/vpc/latest/userguide/vpc-policy-examples.html), and [Actions, Resources, and Condition Keys for Identity And Access Management](https://docs.aws.amazon.com/IAM/latest/UserGuide/list_identityandaccessmanagement.html).
diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_network_acls.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_network_acls.md
new file mode 100644
index 0000000..cdacd45
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_network_acls.md
@@ -0,0 +1,214 @@
++++
+title = "aws_network_acls resource"
+
+draft = false
+
+
+[menu.aws]
+title = "aws_network_acls"
+identifier = "inspec/resources/aws/aws_network_acls resource"
+parent = "inspec/resources/aws"
++++
+
+Use the `aws_network_acls` InSpec audit resource to test the properties of all Amazon network ACLs.
+To audit a single network ACL, use the `aws_network_acl` (singular) resource.
+
+## Syntax
+
+An `aws_network_acls` resource block collects a group of network ACL descriptions and then tests that group.
+
+```ruby
+describe aws_network_acls
+ it { should exist }
+end
+```
+
+## Parameters
+
+This resource does not require any parameters.
+
+## Properties
+
+`network_acl_ids`
+: The IDs of all network ACLs.
+
+: **Field**: `network_acl_id`
+
+`vpc_ids`
+: The IDs of all the VPCs of the network ACLs.
+
+: **Field**: `vpc_id`
+
+`default`
+: The boolean flag to say whether the network ACL is default or not.
+
+: **Field**: `default`
+
+`default_network_acl_ids`
+: The default network ACL IDs for all the VPCs.
+
+: **Field**: `default_network_acl_ids`
+
+`associated_subnet_ids`
+: The ID of the associated subnets to all the network ACLs.
+
+: **Field**: `associated_subnet_ids`
+
+`network_acl_association_ids`
+: The ID of the association between the subnets and the network ACLs.
+
+: **Field**: `network_acl_association_ids`
+
+`entries_cidr_blocks`
+: The IPv4 network range to allow or deny, in CIDR notation of all the network ACLs.
+
+: **Field**: `entries_cidr_blocks`
+
+`entries_icmp_type_codes`
+: The ICMP code specified in the entry for all the network ACLs.
+
+: **Field**: `entries_icmp_type_codes`
+
+`entries_icmp_type_code_types`
+: The ICMP type specified in the entry for all the network ACLs.
+
+: **Field**: `entries_icmp_type_code_types`
+
+`entries_ipv_6_cidr_blocks`
+: The IPv6 network range to allow or deny, in CIDR notation of all the network ACLs.
+
+: **Field**: `entries_ipv_6_cidr_blocks`
+
+`entries_port_ranges`
+: The ports specified in the entry for all the network ACLs.
+
+: **Field**: `entries_port_ranges`
+
+`entries_protocols`
+: The protocol specified in the entry for all the network ACLs.
+
+: **Field**: `entries_protocols`
+
+`entries_rule_actions`
+: The rule to allow or deny the matching traffic for all the network ACLs.
+
+: **Field**: `entries_rule_actions`
+
+`entries_rule_numbers`
+: The rule number of all ACL entries.
+
+: **Field**: `entries_rule_numbers`
+
+`egress_rule_numbers`
+: The rule number of all egress ACL entries.
+
+: **Field**: `egress_rule_numbers`
+
+`ingress_rule_numbers`
+: The rule number of all ingress ACL entries.
+
+: **Field**: `ingress_rule_numbers`
+
+`owner_ids`
+: The ID of all the AWS accounts that owns all the network ACLs.
+
+: **Field**: `owner_ids`
+
+`tags`
+: A hash, with each key-value pair corresponding to a network ACL tag.
+
+: **Field**: `tags`
+
+## Examples
+
+Ensure that exactly three network ACLs exist:
+
+```ruby
+describe aws_network_acls do
+ its('count') { should eq 3 }
+end
+```
+
+Filter all network ACLs whose entries have rule number equal to 100:
+
+```ruby
+describe aws_network_acls.where { entries_rule_numbers.include?(100) } do
+ it { should exist }
+end
+```
+
+Filter all default network ACLs:
+
+```ruby
+describe aws_network_acls.where(default: true) do
+ it { should exist }
+end
+```
+
+Filter all network ACLs with associated subnet IDs matching `subnet-07a323891825bc312`:
+
+```ruby
+describe aws_network_acls.where { associated_subnet_ids.include?('subnet-07a323891825bc312') } do
+ it { should exist }
+end
+```
+
+Filter all network ACLs with entries CIDR blocks matching `10.3.0.0/18`:
+
+```ruby
+describe aws_network_acls.where { entries_cidr_blocks.include?('10.3.0.0/18') } do
+ it { should exist }
+end
+```
+
+Request the IDs of all network ACLs, then test in-depth using `aws_network_acl`:
+
+```ruby
+aws_network_acls.network_acl_ids.each do |network_acl_id|
+ describe aws_network_acl(network_acl_id) do
+ it { should be_default }
+ end
+end
+```
+
+Request the IDs of all network ACLs for rule number `100`, then test in-depth using `aws_network_acl`:
+
+```ruby
+aws_network_acls.where{ ingress_rule_numbers.include?(100) }.network_acl_ids.each do |network_acl_id|
+ describe aws_network_acl(network_acl_id) do
+ its('egress_rule_number_100.cidr_block') { should eq '10.3.0.0/18' }
+ its('egress_rule_number_100.protocol') { should eq '6' }
+ its('egress_rule_number_100.rule_action') { should eq 'allow' }
+ end
+end
+```
+
+## Matchers
+
+{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}}
+
+This resource has the following special matchers.
+
+### exist
+
+The control will pass if the 'describe' method returns at least one result.
+
+```ruby
+describe aws_network_acls.where( : ) do
+ it { should exist }
+end
+```
+
+Use `should_not` to test an entity that should not exist.
+
+```ruby
+describe aws_network_acls.where( : ) do
+ it { should_not exist }
+end
+```
+
+## AWS Permissions
+
+{{% inspec-aws/aws_permissions_principal action="EC2:Client:DescribeNetworkAclsResult" %}}
+
+You can find detailed documentation at [Actions, Resources, and Condition Keys for Amazon ElastiCache](https://docs.aws.amazon.com/vpc/latest/userguide/vpc-policy-examples.html), and [Actions, Resources, and Condition Keys for Identity And Access Management](https://docs.aws.amazon.com/IAM/latest/UserGuide/list_identityandaccessmanagement.html).
diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_network_firewall_firewall.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_network_firewall_firewall.md
new file mode 100644
index 0000000..10a998c
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_network_firewall_firewall.md
@@ -0,0 +1,154 @@
++++
+title = "aws_network_firewall_firewall resource"
+
+draft = false
+
+
+[menu.aws]
+title = "aws_network_firewall_firewall"
+identifier = "inspec/resources/aws/aws_network_firewall_firewall resource"
+parent = "inspec/resources/aws"
++++
+
+Use the `aws_network_firewall_firewall` InSpec audit resource to test properties of a single specific AWS Network Firewall firewall.
+
+The firewall defines the configuration settings for an AWS Network Firewall firewall. The settings include the firewall policy, the subnets in your VPC to use for the firewall endpoints, and any tags that are attached to the firewall AWS resource.
+
+For additional information, including details on parameters and properties, see the [AWS documentation on AWS Network Firewall Firewall](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-networkfirewall-firewall.html).
+
+## Syntax
+
+Ensure that the firewall exists.
+
+```ruby
+describe aws_network_firewall_firewall(firewall_name: "FIREWALL_NAME") do
+ it { should exist }
+end
+```
+
+## Parameters
+
+`firewall_name` _(required)_
+
+: The descriptive name of the firewall.
+
+## Properties
+
+`firewall.firewall_name`
+: The descriptive name of the firewall.
+
+`firewall.firewall_arn`
+: The Amazon Resource Name (ARN) of the firewall.
+
+`firewall.firewall_policy_arn`
+: The Amazon Resource Name (ARN) of the firewall policy.
+
+`firewall.vpc_id`
+: The unique identifier of the VPC where the firewall is in use.
+
+`firewall.subnet_mappings`
+: The public subnets that Network Firewall is using for the firewall.
+
+`firewall.subnet_mappings.first.subnet_id`
+: The unique identifier for the subnet.
+
+`firewall.delete_protection`
+: A flag indicating whether it is possible to delete the firewall.
+
+`firewall.subnet_change_protection`
+: A setting indicating whether the firewall is protected against changes to the subnet associations.
Use this setting to protect against accidentally modifying the subnet associations for a firewall that is in use.
+
+`firewall.firewall_policy_change_protection`
+: A setting indicating whether the firewall is protected against a change to the firewall policy association. Use this setting to protect against accidentally modifying the firewall policy for a firewall that is in use.
+
+`firewall.description`
+: A description of the firewall.
+
+`firewall.firewall_id`
+: The unique identifier for the firewall.
+
+`firewall.tags`
+: A key:value pair associated with an AWS resource.
+
+`firewall_status.status`
+: The readiness of the configured firewall to handle network traffic across all of the Availability Zones where you've configured it.
+
+`firewall_status.configuration_sync_state_summary`
+: The configuration sync state for the firewall.
+
+`firewall_status.sync_states`
+: The subnets that you've configured for use by the Network Firewall firewall.
+
+`firewall_status.sync_states["AvailabilityZone"].attachment.subnet_id`
+: The unique identifier of the subnet that you've specified to be used for a firewall endpoint.
+
+`firewall_status.sync_states["AvailabilityZone"].attachment.endpoint_id`
+: The identifier of the firewall endpoint that Network Firewall has instantiated in the subnet.
+
+`firewall_status.sync_states["AvailabilityZone"].attachment.status`
+: The current status of the firewall endpoint in the subnet.
+
+`firewall_status.sync_states["AvailabilityZone"].config`
+: The configuration status of the firewall endpoint in a single VPC subnet.
+
+`firewall_status.sync_states["AvailabilityZone"].config["ResourceName"].sync_status`
+: Indicates whether this object is in sync with the version indicated in the update token.
+
+`firewall_status.sync_states["AvailabilityZone"].config["ResourceName"].update_token`
+: The current version of the object that is either in sync or pending synchronization.
+
+## Examples
+
+Ensure a firewall name is available:
+
+```ruby
+describe aws_network_firewall_firewall(firewall_name: "FIREWALL_NAME") do
+ its('firewall.firewall_name') { should eq 'IAMFleetRole' }
+end
+```
+
+Ensure that the status is `READY`:
+
+```ruby
+describe aws_network_firewall_firewall(firewall_name: "FIREWALL_NAME") do
+ its('firewall_status.status') { should eq 'READY' }
+end
+```
+
+## Matchers
+
+{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}}
+
+The controls will pass if the `describe` method returns at least one result.
+
+### exist
+
+Use `should` to test that the entity exists.
+
+```ruby
+describe aws_network_firewall_firewall(firewall_name: "FIREWALL_NAME") do
+ it { should exist }
+end
+```
+
+Use `should_not` to test the entity does not exist.
+
+```ruby
+describe aws_network_firewall_firewall(firewall_name: 'dummy') do
+ it { should_not exist }
+end
+```
+
+### be_available
+
+Use `should` to check if the entity is available.
+
+```ruby
+describe aws_network_firewall_firewall(firewall_name: "FIREWALL_NAME") do
+ it { should be_available }
+end
+```
+
+## AWS Permissions
+
+{{% inspec-aws/aws_permissions_principal action="NetworkFirewall:Client:DescribeFirewallResponse" %}}
diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_network_firewall_firewall_policies.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_network_firewall_firewall_policies.md
new file mode 100644
index 0000000..c2ab340
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_network_firewall_firewall_policies.md
@@ -0,0 +1,89 @@
++++
+title = "aws_network_firewall_firewall_policies resource"
+
+draft = false
+
+
+[menu.aws]
+title = "aws_network_firewall_firewall_policies"
+identifier = "inspec/resources/aws/aws_network_firewall_firewall_policies resource"
+parent = "inspec/resources/aws"
++++
+
+Use the `aws_network_firewall_firewall_policies` InSpec audit resource to test properties of multiple AWS Network Firewall Policy.
+
+The firewall defines the configuration settings for an AWS Network Firewall firewall. The settings include the firewall policy, the subnets in your VPC to use for the firewall endpoints, and any tags that are attached to the firewall AWS resource.
+
+For additional information, including details on parameters and properties, see the [AWS documentation on AWS Network Firewall Policy](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-networkfirewall-firewall.html).
+
+## Syntax
+
+Ensure that the policy exists.
+
+```ruby
+describe aws_network_firewall_firewall_policies do
+ it { should exist }
+end
+```
+
+## Parameters
+
+This resource does not require any parameters.
+
+## Properties
+
+`firewall_names`
+: The descriptive name of the firewall.
+
+: **Field**: `firewall_name`
+
+`firewall_arns`
+: The Amazon Resource Name (ARN) of the firewall.
+
+: **Field**: `firewall_arn`
+
+## Examples
+
+Ensure a policy name is available:
+
+```ruby
+describe aws_network_firewall_firewall_policies do
+ its('names') { should include 'FIREWALL_NAME' }
+end
+```
+
+Ensure that the policy arn is available:
+
+```ruby
+describe aws_network_firewall_firewall_policies do
+ its('arns') { should include 'POLICY_ARN' }
+end
+```
+
+## Matchers
+
+{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}}
+
+The controls will pass if the `List` method returns at least one result.
+
+### exist
+
+Use `should` to test that the entity exists.
+
+```ruby
+describe aws_network_firewall_firewall_policies do
+ it { should exist }
+end
+```
+
+Use `should_not` to test the entity does not exist.
+
+```ruby
+describe aws_network_firewall_firewall_policies do
+ it { should_not exist }
+end
+```
+
+## AWS Permissions
+
+{{% inspec-aws/aws_permissions_principal action="NetworkFirewall:Client:ListFirewallPoliciesResponse" %}}
diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_network_firewall_firewall_policy.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_network_firewall_firewall_policy.md
new file mode 100644
index 0000000..dbf3682
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_network_firewall_firewall_policy.md
@@ -0,0 +1,142 @@
++++
+title = "aws_network_firewall_firewall_policy resource"
+
+draft = false
+
+
+[menu.aws]
+title = "aws_network_firewall_firewall_policy"
+identifier = "inspec/resources/aws/aws_network_firewall_firewall_policy resource"
+parent = "inspec/resources/aws"
++++
+
+Use the `aws_network_firewall_firewall_policy` InSpec audit resource to test properties of a single specific AWS Network Firewall policy.
+
+The firewall defines the configuration settings for an AWS Network Firewall firewall. The settings include the firewall policy, the subnets in your VPC to use for the firewall endpoints, and any tags that are attached to the firewall AWS resource.
+
+For additional information, including details on parameters and properties, see the [AWS documentation on AWS Network Firewall Firewall](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-networkfirewall-firewallpolicy.html).
+
+## Syntax
+
+Ensure that the firewall exists.
+
+```ruby
+describe aws_network_firewall_firewall_policy(firewall_policy_name: 'FIREWALL_POLICY_NAME') do
+ it { should exist }
+end
+```
+
+## Parameters
+
+`firewall_policy_name` _(required)_
+
+: The descriptive name of the firewall.
+
+## Properties
+
+`update_token`
+: A token used for optimistic locking.
+
+`firewall_policy_response.firewall_policy_name`
+: The descriptive name of the firewall policy.
+
+`firewall_policy_response.firewall_policy_arn`
+: The Amazon Resource Name (ARN) of the firewall policy.
+
+`firewall_policy_response.firewall_policy_id`
+: The unique identifier for the firewall policy.
+
+`firewall_policy_response.description`
+: A description of the firewall policy.
+
+`firewall_policy_response.firewall_policy_status`
+: The current status of the firewall policy.
+
+`firewall_policy_response.tags`
+: The key:value pairs to associate with the resource.
+
+`firewall_policy.stateless_rule_group_references`
+: References to the stateless rule groups that are used in the policy.
+
+`firewall_policy.stateless_rule_group_references.first.resource_arn`
+: The Amazon Resource Name (ARN) of the stateless rule group.
+
+`firewall_policy.stateless_rule_group_references.first.priority`
+: An integer setting that indicates the order in which to run the stateless rule groups in a single FirewallPolicy.
+
+`firewall_policy.stateless_default_actions`
+: The actions to take on a fragmented UDP packet if it doesn't match any of the stateless rules in the policy.
+
+`firewall_policy.stateless_fragment_default_actions`
+: The actions to take on a fragmented UDP packet if it doesn't match any of the stateless rules in the policy.
+
+`firewall_policy.stateless_custom_actions`
+: The custom action definitions that are available for use in the firewall policy's StatelessDefaultActions setting.
+
+`firewall_policy.stateless_custom_actions.first.action_name`
+: The descriptive name of the custom action.
+
+`firewall_policy.stateless_custom_actions.first.action_definition.publish_metric_action.dimensions`
+: The value to use in an Amazon CloudWatch custom metric dimension.
+
+`firewall_policy.stateful_rule_group_references`
+: References to the stateless rule groups that are used in the policy.
+
+`firewall_policy.stateful_rule_group_references.first.resource_arn`
+: The Amazon Resource Name (ARN) of the stateful rule group.
+
+## Examples
+
+Ensure a update token is available:
+
+```ruby
+describe aws_network_firewall_firewall_policy(firewall_policy_name: 'FIREWALL_POLICY_NAME') do
+ its('update_token') { should eq 'UPDATE_TOKEN' }
+end
+```
+
+Ensure a policy name is available:
+
+```ruby
+describe aws_network_firewall_firewall_policy(firewall_policy_name: 'FIREWALL_POLICY_NAME') do
+ its('firewall_policy_response.firewall_policy_name') { should eq 'FIREWALL_POLICY_NAME' }
+end
+```
+
+## Matchers
+
+{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}}
+
+The controls will pass if the `describe` method returns at least one result.
+
+### exist
+
+Use `should` to test that the entity exists.
+
+```ruby
+describe aws_network_firewall_firewall_policy(firewall_policy_name: 'FIREWALL_POLICY_NAME') do
+ it { should exist }
+end
+```
+
+Use `should_not` to test the entity does not exist.
+
+```ruby
+describe aws_network_firewall_firewall_policy(firewall_policy_name: 'FIREWALL_POLICY_NAME') do
+ it { should_not exist }
+end
+```
+
+### be_available
+
+Use `should` to check if the entity is available.
+
+```ruby
+describe aws_network_firewall_firewall_policy(firewall_policy_name: 'FIREWALL_POLICY_NAME') do
+ it { should be_available }
+end
+```
+
+## AWS Permissions
+
+{{% inspec-aws/aws_permissions_principal action="NetworkFirewall:Client:DescribeFirewallPolicyResponse" %}}
diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_network_firewall_firewalls.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_network_firewall_firewalls.md
new file mode 100644
index 0000000..e49d6d6
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_network_firewall_firewalls.md
@@ -0,0 +1,99 @@
++++
+title = "aws_network_firewall_firewalls resource"
+
+draft = false
+
+
+[menu.aws]
+title = "aws_network_firewall_firewalls"
+identifier = "inspec/resources/aws/aws_network_firewall_firewalls resource"
+parent = "inspec/resources/aws"
++++
+
+Use the `aws_network_firewall_firewalls` InSpec audit resource to test properties of multiple AWS Network Firewall firewalls.
+
+The firewall defines the configuration settings for an AWS Network Firewall firewall. The settings include the firewall policy, the subnets in your VPC to use for the firewall endpoints, and any tags that are attached to the firewall AWS resource.
+
+For additional information, including details on parameters and properties, see the [AWS documentation on AWS Network Firewall Firewall](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-networkfirewall-firewall.html).
+
+## Syntax
+
+Ensure that the firewall exists.
+
+```ruby
+describe aws_network_firewall_firewalls do
+  it { should exist }
+end
+```
+
+## Parameters
+
+This resource does not require any parameters.
+
+## Properties
+
+`firewall_names`
+: The descriptive name of the firewall.
+
+: **Field**: `firewall_name`
+
+`firewall_arns`
+: The Amazon Resource Name (ARN) of the firewall.
+
+: **Field**: `firewall_arn`
+
+## Examples
+
+Ensure a firewall name is available:
+
+```ruby
+describe aws_network_firewall_firewalls do
+  its('firewall_names') { should include 'FIREWALL_NAME' }
+end
+```
+
+Ensure that the firewall ARN is `FIREWALL_ARN`:
+
+```ruby
+describe aws_network_firewall_firewalls do
+  its('firewall_arns') { should include 'FIREWALL_ARN' }
+end
+```
+
+## Matchers
+
+{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}}
+
+The controls will pass if the `describe` method returns at least one result.
+
+### exist
+
+Use `should` to test that the entity exists.
+
+```ruby
+describe aws_network_firewall_firewalls do
+  it { should exist }
+end
+```
+
+Use `should_not` to test the entity does not exist.
+
+```ruby
+describe aws_network_firewall_firewalls do
+  it { should_not exist }
+end
+```
+
+### be_available
+
+Use `should` to check if the entity is available.
+
+```ruby
+describe aws_network_firewall_firewalls do
+  it { should be_available }
+end
+```
+
+## AWS Permissions
+
+{{% inspec-aws/aws_permissions_principal action="NetworkFirewall:Client:DescribeFirewallResponse" %}}
diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_network_firewall_logging_configuration.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_network_firewall_logging_configuration.md
new file mode 100644
index 0000000..bd9c897
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_network_firewall_logging_configuration.md
@@ -0,0 +1,103 @@
++++
+title = "aws_network_firewall_logging_configuration resource"
+
+draft = false
+
+
+[menu.aws]
+title = "aws_network_firewall_logging_configuration"
+identifier = "inspec/resources/aws/aws_network_firewall_logging_configuration resource"
+parent = "inspec/resources/aws"
++++
+
+Use the `aws_network_firewall_logging_configuration` InSpec audit resource to test properties of a single specific AWS Network Firewall Logging Configuration.
+
+The `AWS::NetworkFirewall::LoggingConfiguration` resource defines the destinations and logging options for an [`AWS::NetworkFirewall::Firewall`](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-networkfirewall-firewall.html).
+
+For additional information, including details on parameters and properties, see the [AWS documentation on AWS Network Firewall Logging Configuration](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-networkfirewall-loggingconfiguration.html).
+
+## Syntax
+
+Ensure that the firewall exists.
+
+```ruby
+describe aws_network_firewall_logging_configuration(firewall_name: 'FIREWALL_NAME') do
+  it { should exist }
+end
+```
+
+## Parameters
+
+`firewall_name` _(required)_
+
+: The Amazon Resource Name (ARN) of the firewall.
+
+## Properties
+
+`firewall_arn`
+: The Amazon Resource Name (ARN) of the firewall.
+
+`logging_configuration_log_destination_configs_log_type`
+: The type of log to send.
+
+`logging_configuration_log_destination_configs_log_destination_type`
+: The type of storage destination to send these logs to.
+
+`logging_configuration_log_destination_configs_log_destination`
+: The named location for the logs, provided in a key:value mapping that is specific to the chosen destination type.
+
+## Examples
+
+Ensure a firewall ARN is available:
+
+```ruby
+describe aws_network_firewall_logging_configuration(firewall_name: 'FIREWALL_NAME') do
+  its('firewall_arn') { should eq 'FIREWALL_ARN' }
+end
+```
+
+Ensure that the log type is available:
+
+```ruby
+describe aws_network_firewall_logging_configuration(firewall_name: 'FIREWALL_NAME') do
+  its('logging_configuration_log_destination_configs_log_type') { should eq 'LOG_TYPE' }
+end
+```
+
+## Matchers
+
+{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}}
+
+The controls will pass if the `describe` method returns at least one result.
+
+### exist
+
+Use `should` to test that the entity exists.
+
+```ruby
+describe aws_network_firewall_logging_configuration(firewall_name: 'FIREWALL_NAME') do
+  it { should exist }
+end
+```
+
+Use `should_not` to test the entity does not exist.
+
+```ruby
+describe aws_network_firewall_logging_configuration(firewall_name: 'FIREWALL_NAME') do
+  it { should_not exist }
+end
+```
+
+### be_available
+
+Use `should` to check if the entity is available.
+
+```ruby
+describe aws_network_firewall_logging_configuration(firewall_name: 'FIREWALL_NAME') do
+  it { should be_available }
+end
+```
+
+## AWS Permissions
+
+{{% inspec-aws/aws_permissions_principal action="NetworkFirewall:Client:DescribeFirewallResponse" %}}
diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_network_firewall_rule_group.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_network_firewall_rule_group.md
new file mode 100644
index 0000000..a65447d
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_network_firewall_rule_group.md
@@ -0,0 +1,232 @@
++++
+title = "aws_network_firewall_rule_group resource"
+
+draft = false
+
+
+[menu.aws]
+title = "aws_network_firewall_rule_group"
+identifier = "inspec/resources/aws/aws_network_firewall_rule_group resource"
+parent = "inspec/resources/aws"
++++
+
+Use the `aws_network_firewall_rule_group` InSpec audit resource to test properties of a single specific AWS Network Firewall rule group.
+
+The `AWS::NetworkFirewall::RuleGroup` resource defines a reusable collection of stateless or stateful network traffic filtering rules.
+
+For additional information, including details on parameters and properties, see the [AWS documentation on AWS Network Firewall Rule Group](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-networkfirewall-rulegroup.html).
+
+## Syntax
+
+Ensure that the firewall exists.
+
+```ruby
+describe aws_network_firewall_rule_group(rule_group_name: "RULE_GROUP_NAME") do
+  it { should exist }
+end
+```
+
+## Parameters
+
+`rule_group_name` _(required)_
+
+: The descriptive name of the rule group.
+
+## Properties
+
+`update_token`
+: A token used for optimistic locking.
+
+`rule_group.rule_variables.ip_sets`
+: A list of IP addresses and address ranges, in CIDR notation.
+
+`rule_group.rule_variables.ip_sets["RuleVariableName"].definition`
+: The list of IP addresses and address ranges, in CIDR notation.
+
+`rule_group.rule_variables.port_sets`
+: A list of port ranges.
+
+`rule_group.rule_variables.port_sets["RuleVariableName"].definition`
+: The set of port ranges.
+
+`rule_group.rules_source.rules_string`
+: Stateful inspection criteria, provided in Suricata compatible intrusion prevention system (IPS) rules.
+
+`rule_group.rules_source.rules_source_list.targets`
+: The domains that you want to inspect for in your traffic flows.
+
+`rule_group.rules_source.rules_source_list.target_types`
+: The protocols you want to inspect. Specify TLS_SNI for HTTPS.
+
+`rule_group.rules_source.rules_source_list.generated_rules_type`
+: Whether you want to allow or deny access to the domains in your target list.
+
+`rule_group.rules_source.stateful_rules`
+: The 5-tuple stateful inspection criteria.
+
+`rule_group.rules_source.stateful_rules.first.action`
+: Defines what Network Firewall should do with the packets in a traffic flow when the flow matches the stateful rule criteria.
+
+`rule_group.rules_source.stateful_rules.first.header.protocol`
+: The protocol to inspect for.
+
+`rule_group.rules_source.stateful_rules.first.header.source`
+: The source IP address or address range to inspect for, in CIDR notation.
+
+`rule_group.rules_source.stateful_rules.first.header.source_port`
+: The source port to inspect for.
+
+`rule_group.rules_source.stateful_rules.first.header.direction`
+: The direction of traffic flow to inspect.
+
+`rule_group.rules_source.stateful_rules.first.header.destination`
+: The destination IP address or address range to inspect for, in CIDR notation.
+
+`rule_group.rules_source.stateful_rules.first.header.destination_port`
+: The destination port to inspect for.
+
+`rule_group.rules_source.stateful_rules.first.rule_options`
+: Additional settings for a stateful rule.
+
+`rule_group.rules_source.stateless_rules_and_custom_actions.stateless_rules`
+: Defines the set of stateless rules for use in a stateless rule group.
+
+`rule_group.rules_source.stateless_rules_and_custom_actions.stateless_rules.first.rule_definition.match_attributes.sources`
+: The source IP addresses and address ranges to inspect for.
+
+`rule_group.rules_source.stateless_rules_and_custom_actions.stateless_rules.first.rule_definition.match_attributes.sources.first.address_definition`
+: Specify an IP address or a block of IP addresses in Classless Inter-Domain Routing (CIDR) notation.
+
+`rule_group.rules_source.stateless_rules_and_custom_actions.stateless_rules.first.rule_definition.match_attributes.destinations`
+: The destination IP addresses and address ranges to inspect for, in CIDR notation.
+
+`rule_group.rules_source.stateless_rules_and_custom_actions.stateless_rules.first.rule_definition.match_attributes.destinations.first.address_definition`
+: Specify an IP address or a block of IP addresses in Classless Inter-Domain Routing (CIDR) notation.
+
+`rule_group.rules_source.stateless_rules_and_custom_actions.stateless_rules.first.rule_definition.match_attributes.source_ports`
+: The source ports to inspect for.
+
+`rule_group.rules_source.stateless_rules_and_custom_actions.stateless_rules.first.rule_definition.match_attributes.source_ports.first.from_port`
+: The lower limit of the port range.
+
+`rule_group.rules_source.stateless_rules_and_custom_actions.stateless_rules.first.rule_definition.match_attributes.source_ports.first.to_port`
+: The upper limit of the port range.
+
+`rule_group.rules_source.stateless_rules_and_custom_actions.stateless_rules.first.rule_definition.match_attributes.destination_ports`
+: The destination ports to inspect for.
+
+`rule_group.rules_source.stateless_rules_and_custom_actions.stateless_rules.first.rule_definition.match_attributes.destination_ports.first.from_port`
+: The lower limit of the port range.
+
+`rule_group.rules_source.stateless_rules_and_custom_actions.stateless_rules.first.rule_definition.match_attributes.destination_ports.first.to_port`
+: The upper limit of the port range.
+
+`rule_group.rules_source.stateless_rules_and_custom_actions.stateless_rules.first.rule_definition.match_attributes.protocols`
+: The protocols to inspect for, specified using each protocol's assigned internet protocol number (IANA).
+
+`rule_group.rules_source.stateless_rules_and_custom_actions.stateless_rules.first.rule_definition.match_attributes.tcp_flags`
+: The TCP flags and masks to inspect for.
+
+`rule_group.rules_source.stateless_rules_and_custom_actions.stateless_rules.first.rule_definition.match_attributes.tcp_flags.first.flags`
+: Used in conjunction with the Masks setting to define the flags that must be set and flags that must not be set in order for the packet to match.
+
+`rule_group.rules_source.stateless_rules_and_custom_actions.stateless_rules.first.rule_definition.match_attributes.tcp_flags.first.masks`
+: The set of flags to consider in the inspection.
+
+`rule_group.rules_source.stateless_rules_and_custom_actions.stateless_rules.first.rule_definition.actions`
+: The actions to take on a packet that matches one of the stateless rule definition's match attributes.
+
+`rule_group.rules_source.stateless_rules_and_custom_actions.stateless_rules.first.priority`
+: A setting that indicates the order in which to run this rule relative to all of the rules that are defined for a stateless rule group.
+
+`rule_group.rules_source.stateless_rules_and_custom_actions.custom_actions`
+: Defines an array of individual custom action definitions that are available for use by the stateless rules in this StatelessRulesAndCustomActions specification.
+
+`rule_group.rules_source.stateless_rules_and_custom_actions.custom_actions.first.action_name`
+: The descriptive name of the custom action.
+
+`rule_group.rules_source.stateless_rules_and_custom_actions.custom_actions.first.action_definition.publish_metric_action.dimensions`
+: The value to use in an Amazon CloudWatch custom metric dimension.
+
+`rule_group.rules_source.stateless_rules_and_custom_actions.custom_actions.first.action_definition.publish_metric_action.dimensions.first.value`
+: The value to use in the custom metric dimension.
+
+`rule_group_response.rule_group_arn`
+: The Amazon Resource Name (ARN) of the rule group.
+
+`rule_group_response.rule_group_name`
+: The descriptive name of the rule group.
+
+`rule_group_response.rule_group_id`
+: The unique identifier for the rule group.
+
+`rule_group_response.description`
+: A description of the rule group.
+
+`rule_group_response.type`
+: Indicates whether the rule group is stateless or stateful.
+
+`rule_group_response.capacity`
+: The maximum operating resources that this rule group can use.
+
+`rule_group_response.rule_group_status`
+: Detailed information about the current status of a rule group.
+
+`rule_group_response.tags`
+: The key:value pairs to associate with the resource.
+
+## Examples
+
+Ensure an update token is available:
+
+```ruby
+describe aws_network_firewall_rule_group(rule_group_name: "RULE_GROUP_NAME") do
+  its('update_token') { should eq 'UPDATE_TOKEN' }
+end
+```
+
+Ensure that the rule group arn is `RuleGroupARN`:
+
+```ruby
+describe aws_network_firewall_rule_group(rule_group_name: "RULE_GROUP_NAME") do
+  its('rule_group_response.rule_group_arn') { should eq 'ARN' }
+end
+```
+
+## Matchers
+
+{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}}
+
+The controls will pass if the `describe` method returns at least one result.
+
+### exist
+
+Use `should` to test that the entity exists.
+
+```ruby
+describe aws_network_firewall_rule_group(rule_group_name: "RULE_GROUP_NAME") do
+  it { should exist }
+end
+```
+
+Use `should_not` to test the entity does not exist.
+
+```ruby
+describe aws_network_firewall_rule_group(rule_group_name: 'dummy') do
+  it { should_not exist }
+end
+```
+
+### be_available
+
+Use `should` to check if the entity is available.
+
+```ruby
+describe aws_network_firewall_rule_group(rule_group_name: "RULE_GROUP_NAME") do
+  it { should be_available }
+end
+```
+
+## AWS Permissions
+
+{{% inspec-aws/aws_permissions_principal action="NetworkFirewall:Client:DescribeRuleGroupResponse" %}}
diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_network_firewall_rule_groups.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_network_firewall_rule_groups.md
new file mode 100644
index 0000000..5f9d781
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_network_firewall_rule_groups.md
@@ -0,0 +1,89 @@
++++
+title = "aws_network_firewall_rule_groups resource"
+
+draft = false
+
+
+[menu.aws]
+title = "aws_network_firewall_rule_groups"
+identifier = "inspec/resources/aws/aws_network_firewall_rule_groups resource"
+parent = "inspec/resources/aws"
++++
+
+Use the `aws_network_firewall_rule_groups` InSpec audit resource to test properties of multiple AWS Network Firewall rule groups.
+
+The `AWS::NetworkFirewall::RuleGroup` resource defines a reusable collection of stateless or stateful network traffic filtering rules.
+
+For additional information, including details on parameters and properties, see the [AWS documentation on AWS Network Firewall Rule Group](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-networkfirewall-rulegroup.html).
+
+## Syntax
+
+Ensure that the rule group exists.
+
+```ruby
+describe aws_network_firewall_rule_groups do
+  it { should exist }
+end
+```
+
+## Parameters
+
+This resource does not require any parameters.
+
+## Properties
+
+`names`
+: The descriptive name of the rule group.
+
+: **Field**: `name`
+
+`arns`
+: The Amazon Resource Name (ARN) of the rule group.
+
+: **Field**: `arn`
+
+## Examples
+
+Ensure a name is available:
+
+```ruby
+describe aws_network_firewall_rule_groups do
+  its('names') { should include 'RULE_GROUP_NaAME' }
+end
+```
+
+Ensure that the arn is available:
+
+```ruby
+describe aws_network_firewall_rule_groups do
+  its('arns') { should include 'ARN' }
+end
+```
+
+## Matchers
+
+{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}}
+
+The controls will pass if the `list` method returns at least one result.
+
+### exist
+
+Use `should` to test that the entity exists.
+
+```ruby
+describe aws_network_firewall_rule_groups do
+  it { should exist }
+end
+```
+
+Use `should_not` to test the entity does not exist.
+
+```ruby
+describe aws_network_firewall_rule_groups do
+  it { should_not exist }
+end
+```
+
+## AWS Permissions
+
+{{% inspec-aws/aws_permissions_principal action="NetworkFirewall:Client:ListRuleGroupsResponse" %}}
diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_network_manager_customer_gateway_association.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_network_manager_customer_gateway_association.md
new file mode 100644
index 0000000..a602b64
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_network_manager_customer_gateway_association.md
@@ -0,0 +1,110 @@
++++
+title = "aws_network_manager_customer_gateway_association resource"
+
+draft = false
+
+
+[menu.aws]
+title = "aws_network_manager_customer_gateway_association"
+identifier = "inspec/resources/aws/aws_network_manager_customer_gateway_association resource"
+parent = "inspec/resources/aws"
++++
+
+Use the `aws_network_manager_customer_gateway_association` InSpec audit resource to test properties of a single specific AWS Network Manager customer gateway association.
+
+The `AWS::NetworkManager::CustomerGatewayAssociation` resource specifies an association between a customer gateway, a device, and optionally, a link.
+
+For additional information, including details on parameters and properties, see the [AWS documentation on AWS Network Manager Customer Gateway Association.](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-networkmanager-customergatewayassociation.html).
+
+## Syntax
+
+Ensure that the customer gateway association exists.
+
+```ruby
+describe aws_network_manager_customer_gateway_association(global_network_id: 'GLOBAL_NETWORK_ID', customer_gateway_arn: 'CUSTOMER_GATEWAY_ARN') do
+  it { should exist }
+end
+```
+
+## Parameters
+
+`global_network_id` _(required)_
+
+: The ID of the global network.
+
+`customer_gateway_arn` _(required)_
+
+: The Amazon Resource Name (ARN) of the customer gateway.
+
+## Properties
+
+`customer_gateway_arn`
+: The Amazon Resource Name (ARN) of the customer gateway.
+
+`global_network_id`
+: The ID of the global network.
+
+`device_id`
+: The ID of the device.
+
+`link_id`
+: The ID of the link.
+
+`state`
+: The association state.
+
+## Examples
+
+Ensure a customer gateway arn is available:
+
+```ruby
+describe aws_network_manager_customer_gateway_association(global_network_id: 'GLOBAL_NETWORK_ID', customer_gateway_arn: 'CUSTOMER_GATEWAY_ARN') do
+  its('customer_gateway_arn') { should eq 'CustomerGatewayARN' }
+end
+```
+
+Ensure that the state is `active`:
+
+```ruby
+describe aws_network_manager_customer_gateway_association(global_network_id: 'GLOBAL_NETWORK_ID', customer_gateway_arn: 'CUSTOMER_GATEWAY_ARN') do
+  its('state') { should eq 'AVAILABLE' }
+end
+```
+
+## Matchers
+
+{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}}
+
+This resource has the following special matchers.
+
+### exist
+
+Use `should` to test that the entity exists.
+
+```ruby
+describe aws_network_manager_customer_gateway_association(global_network_id: 'GLOBAL_NETWORK_ID', customer_gateway_arn: 'CUSTOMER_GATEWAY_ARN') do
+  it { should exist }
+end
+```
+
+Use `should_not` to test the entity does not exist.
+
+```ruby
+describe aws_network_manager_customer_gateway_association(global_network_id: 'GLOBAL_NETWORK_ID', customer_gateway_arn: 'CUSTOMER_GATEWAY_ARN') do
+  it { should_not exist }
+end
+```
+
+### be_available
+
+Use `should` to check if the entity is available.
+
+```ruby
+describe aws_network_manager_customer_gateway_association(global_network_id: 'GLOBAL_NETWORK_ID', customer_gateway_arn: 'CUSTOMER_GATEWAY_ARN') do
+  it { should be_available }
+end
+```
+
+## AWS Permissions
+
+{{% inspec-aws/aws_permissions_principal action="NetworkManager:Client:GetCustomerGatewayAssociationsResponse" %}}
diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_network_manager_customer_gateway_associations.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_network_manager_customer_gateway_associations.md
new file mode 100644
index 0000000..f3c459f
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_network_manager_customer_gateway_associations.md 
@@ -0,0 +1,106 @@
++++
+title = "aws_network_manager_customer_gateway_associations resource"
+
+draft = false
+
+
+[menu.aws]
+title = "aws_network_manager_customer_gateway_associations"
+identifier = "inspec/resources/aws/aws_network_manager_customer_gateway_associations resource"
+parent = "inspec/resources/aws"
++++
+
+Use the `aws_network_manager_customer_gateway_associations` InSpec audit resource to test properties of multiple AWS Network Manager customer gateway associations.
+
+The `AWS::NetworkManager::CustomerGatewayAssociation` resource specifies an association between a customer gateway, a device, and optionally, a link.
+
+For additional information, including details on parameters and properties, see the [AWS documentation on AWS Network Manager Customer Gateway Association.](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-networkmanager-customergatewayassociation.html).
+
+## Syntax
+
+Ensure that the customer gateway association exists.
+
+```ruby
+describe aws_network_manager_customer_gateway_associations(global_network_id: "GLOBAL_NETWORK_ID") do
+  it { should exist }
+end
+```
+
+## Parameters
+
+`global_network_id` _(required)_
+
+: The ID of the global network.
+
+## Properties
+
+`customer_gateway_arns`
+: The Amazon Resource Name (ARN) of the customer gateway.
+
+: **Field**: `customer_gateway_arn`
+
+`global_network_ids`
+: The ID of the global network.
+
+: **Field**: `global_network_id`
+
+`device_ids`
+: The ID of the device.
+
+: **Field**: `device_id`
+
+`link_ids`
+: The ID of the link.
+
+: **Field**: `link_id`
+
+`states`
+: The association state.
+
+: **Field**: `state`
+
+## Examples
+
+Ensure a customer gateway arn is available:
+
+```ruby
+describe aws_network_manager_customer_gateway_association(global_network_id: 'GLOBAL_NETWORK_ID') do
+  its('customer_gateway_arns') { should include 'CustomerGatewayARN' }
+end
+```
+
+Ensure that the state is `active`:
+
+```ruby
+describe aws_network_manager_customer_gateway_association(global_network_id: 'GLOBAL_NETWORK_ID') do
+  its('states') { should include 'AVAILABLE' }
+end
+```
+
+## Matchers
+
+{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}}
+
+This resource has the following special matchers.
+
+### exist
+
+Use `should` to test that the entity exists.
+
+```ruby
+describe aws_network_manager_customer_gateway_association(global_network_id: 'GLOBAL_NETWORK_ID') do
+  it { should exist }
+end
+```
+
+Use `should_not` to test the entity does not exist.
+
+```ruby
+describe aws_network_manager_customer_gateway_association(global_network_id: "dummy") do
+  it { should_not exist }
+end
+```
+
+## AWS Permissions
+
+{{% inspec-aws/aws_permissions_principal action="NetworkManager:Client:GetCustomerGatewayAssociationsResponse" %}}
diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_network_manager_device.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_network_manager_device.md
new file mode 100644
index 0000000..45a7090
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_network_manager_device.md
@@ -0,0 +1,162 @@
++++
+title = "aws_network_manager_device resource"
+
+draft = false
+
+
+[menu.aws]
+title = "aws_network_manager_device"
+identifier = "inspec/resources/aws/aws_network_manager_device resource"
+parent = "inspec/resources/aws"
++++
+
+Use the `aws_network_manager_device` InSpec audit resource to test properties of a single specific AWS Network Manager device.
+
+The `AWS::NetworkManager::Device` resource gets information about one or more of your devices in a global network.
+
+For additional information, including details on parameters and properties, see the [AWS documentation on AWS Network Manager Device](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-networkmanager-device.html).
+
+## Syntax
+
+Ensure that a device exists.
+
+```ruby
+describe aws_network_manager_device(device_id: 'DEVICE_ID', global_network_id: 'GLOBAL_NETWORK_ID') do
+  it { should exist }
+end
+```
+
+## Parameters
+
+`device_id` _(required)_
+
+: The ID of the device.
+
+`global_network_id` _(required)_
+
+: The ID of the global network.
+
+## Properties
+
+`device_id`
+: The ID of the device.
+
+`device_arn`
+: The Amazon Resource Name (ARN) of the device.
+
+`global_network_id`
+: The ID of the global network.
+
+`aws_location.zone`
+: The Zone the device is located in. This can be the ID of an Availability Zone, Local Zone, Wavelength Zone, or an Outpost.
+
+`aws_location.subnet_arn`
+: The Amazon Resource Name (ARN) of the subnet the device is located in.
+
+`description`
+: The description of the device.
+
+`type`
+: The device type.
+
+`vendor`
+: The device vendor.
+
+`model`
+: The device model.
+
+`serial_number`
+: The device serial number.
+
+`location.address`
+: The physical address of the location.
+
+`location.latitude`
+: The latitude of the location.
+
+`location.longitude`
+: The longitude of the location.
+
+`site_id`
+: The site ID.
+
+`created_at`
+: The date and time that the site was created.
+
+`state`
+: The device state.
+
+`tags`
+: The tags for the device.
+
+## Examples
+
+Ensure a device ID is available:
+
+```ruby
+describe aws_network_manager_device(device_id: 'DEVICE_ID', global_network_id: 'GLOBAL_NETWORK_ID') do
+  its('device_id') { should eq 'DEVICE_ID' }
+end
+```
+
+Ensure a global network ID is available:
+
+```ruby
+describe aws_network_manager_device(device_id: 'DEVICE_ID', global_network_id: 'GLOBAL_NETWORK_ID') do
+  its('global_network_id') { should eq 'GLOBAL_NETWORK_ID' }
+end
+```
+
+Ensure a zone is available:
+
+```ruby
+describe aws_network_manager_device(device_id: 'DEVICE_ID', global_network_id: 'GLOBAL_NETWORK_ID') do
+  its('aws_location.zone') { should eq 'ZONE_NAME' }
+end
+```
+
+Ensure that the state is `AVAILABLE`:
+
+```ruby
+describe aws_network_manager_global_network(device_id: 'DEVICE_ID', global_network_id: 'GLOBAL_NETWORK_ID') do
+  its('state') { should eq 'AVAILABLE' }
+end
+```
+
+## Matchers
+
+{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}}
+
+This resource has the following special matchers.
+
+### exist
+
+Use `should` to test that the entity exists.
+
+```ruby
+describe aws_network_manager_device(device_id: 'DEVICE_ID', global_network_id: 'GLOBAL_NETWORK_ID') do
+  it { should exist }
+end
+```
+
+Use `should_not` to test the entity does not exist.
+
+```ruby
+describe aws_network_manager_device(device_id: 'DEVICE_ID', global_network_id: 'GLOBAL_NETWORK_ID') do
+  it { should_not exist }
+end
+```
+
+### be_available
+
+Use `should` to check if the entity is available.
+
+```ruby
+describe aws_network_manager_device(device_id: 'DEVICE_ID', global_network_id: 'GLOBAL_NETWORK_ID') do
+  it { should be_available }
+end
+```
+
+## AWS Permissions
+
+{{% inspec-aws/aws_permissions_principal action="NetworkManager:Client:GetDevicesResponse" %}}
diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_network_manager_devices.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_network_manager_devices.md
new file mode 100644
index 0000000..c3dd8ca
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_network_manager_devices.md
@@ -0,0 +1,177 @@
++++
+title = "aws_network_manager_devices resource"
+
+draft = false
+
+
+[menu.aws]
+title = "aws_network_manager_devices"
+identifier = "inspec/resources/aws/aws_network_manager_devices resource"
+parent = "inspec/resources/aws"
++++
+
+Use the `aws_network_manager_devices` InSpec audit resource to test properties of multiple AWS Network Manager devices.
+
+The `AWS::NetworkManager::Device` resource gets information about one or more of your devices in a global network.
+
+For additional information, including details on parameters and properties, see the [AWS documentation on AWS Network Manager Device](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-networkmanager-device.html).
+
+## Syntax
+
+Ensure that a device exists.
+
+```ruby
+describe aws_network_manager_devices(global_network_id: 'GLOBAL_NETWORK_ID') do
+  it { should exist }
+end
+```
+
+## Parameters
+
+`global_network_id` _(required)_
+
+: The ID of the global network.
+
+## Properties
+
+`device_ids`
+: The ID of the device.
+
+: **Field**: `device_id`
+
+`device_arns`
+: The Amazon Resource Name (ARN) of the device.
+
+: **Field**: `device_arn`
+
+`global_network_ids`
+: The ID of the global network.
+
+: **Field**: `global_network_id`
+
+`location_zones`
+: The Zone the device is located in. This can be the ID of an Availability Zone, Local Zone, Wavelength Zone, or an Outpost.
+
+: **Field**: `zone`
+
+`location_subnet_arns`
+: The Amazon Resource Name (ARN) of the subnet the device is located in.
+
+: **Field**: `subnet_arn`
+
+`descriptions`
+: The description of the device.
+
+: **Field**: `description`
+
+`types`
+: The device type.
+
+: **Field**: `type`
+
+`vendors`
+: The device vendor.
+
+: **Field**: `vendor`
+
+`models`
+: The device model.
+
+: **Field**: `model`
+
+`addresses`
+: The physical address of the location.
+
+: **Field**: `address`
+
+`latitudes`
+: The latitude of the location.
+
+: **Field**: `latitude`
+
+`longitudes`
+: The longitude of the location.
+
+: **Field**: `longitude`
+
+`site_ids`
+: The site ID.
+
+: **Field**: `site_id`
+
+`created_at`
+: The date and time that the site was created.
+
+: **Field**: `created_at`
+
+`states`
+: The device state.
+
+: **Field**: `state`
+
+`tags`
+: The tags for the device.
+
+: **Field**: `tags`
+
+## Examples
+
+Ensure a device ID is available:
+
+```ruby
+describe aws_network_manager_devices(global_network_id: 'GLOBAL_NETWORK_ID') do
+  its('device_ids') { should include 'DEVICE_ID' }
+end
+```
+
+Ensure a global network ID is available:
+
+```ruby
+describe aws_network_manager_devices(global_network_id: 'GLOBAL_NETWORK_ID') do
+  its('global_network_ids') { should include 'GLOBAL_NETWORK_ID' }
+end
+```
+
+Ensure a location zone is available:
+
+```ruby
+describe aws_network_manager_devices(global_network_id: 'GLOBAL_NETWORK_ID') do
+  its('location_zones') { should include 'ZONE_NAME' }
+end
+```
+
+Ensure that the state is `AVAILABLE`:
+
+```ruby
+describe aws_network_manager_devices(global_network_id: 'GLOBAL_NETWORK_ID') do
+  its('states') { should include 'AVAILABLE' }
+end
+```
+
+## Matchers
+
+{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}}
+
+This resource has the following special matchers.
+
+### exist
+
+Use `should` to test that the entity exists.
+
+```ruby
+describe aws_network_manager_devices(global_network_id: 'GLOBAL_NETWORK_ID') do
+  it { should exist }
+end
+```
+
+Use `should_not` to test the entity does not exist.
+
+```ruby
+describe aws_network_manager_devices(global_network_id: 'GLOBAL_NETWORK_ID') do
+  it { should_not exist }
+end
+```
+
+## AWS Permissions
+
+{{% inspec-aws/aws_permissions_principal action="NetworkManager:Client:GetDevicesResponse" %}}
diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_network_manager_global_network.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_network_manager_global_network.md
new file mode 100644
index 0000000..3181b2f
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_network_manager_global_network.md
@@ -0,0 +1,109 @@
++++
+title = "aws_network_manager_global_network resource"
+
+draft = false
+
+
+[menu.aws]
+title = "aws_network_manager_global_network"
+identifier = "inspec/resources/aws/aws_network_manager_global_network resource"
+parent = "inspec/resources/aws"
++++
+
+Use the `aws_network_manager_global_network` InSpec audit resource to test properties of a specific AWS Network Manager global network.
+
+The `AWS::NetworkManager::GlobalNetwork` resource describes one or more global networks.
+
+For additional information, including details on parameters and properties, see the [AWS documentation on AWS Network Manager Global Network](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-networkmanager-globalnetwork.html).
+
+## Syntax
+
+Ensure that Global Network ID exists.
+
+```ruby
+describe aws_network_manager_global_network(global_network_id: 'GLOBAL_NETWORK_ID') do
+ it { should exist }
+end
+```
+
+## Parameters
+
+`global_network_id` _(required)_
+
+: The ID of the global network.
+
+## Properties
+
+`global_network_id`
+: The ID of the global network.
+
+`global_network_arn`
+: The Amazon Resource Name (ARN) of the global network.
+
+`description`
+: The description of the global network.
+
+`created_at`
+: The date and time that the global network was created.
+
+`state`
+: The state of the global network.
+
+`tags`
+: The tags for the global network.
+
+## Examples
+
+Ensure a global network ID is available:
+
+```ruby
+describe aws_network_manager_global_network(global_network_id: 'GLOBAL_NETWORK_ID') do
+ its('global_network_id') { should eq 'GLOBAL_NETWORK_ID' }
+end
+```
+
+Ensure that the state is `AVAILABLE`:
+
+```ruby
+describe aws_network_manager_global_network(global_network_id: 'GLOBAL_NETWORK_ID') do
+ its('state') { should eq 'AVAILABLE' }
+end
+```
+
+## Matchers
+
+{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}}
+
+This resource has the following special matchers.
+
+### exist
+
+Use `should` to test that the entity exists.
+
+```ruby
+describe aws_network_manager_global_network(global_network_id: 'GLOBAL_NETWORK_ID') do
+ it { should exist }
+end
+```
+
+Use `should_not` to test the entity does not exist.
+
+```ruby
+describe aws_network_manager_global_network(global_network_id: 'GLOBAL_NETWORK_ID') do
+ it { should_not exist }
+end
+```
+
+### be_available
+
+Use `should` to check if the entity is available.
+
+```ruby
+describe aws_network_manager_global_network(global_network_id: 'GLOBAL_NETWORK_ID') do
+ it { should be_available }
+end
+```
+
+## AWS Permissions
+
+{{% inspec-aws/aws_permissions_principal action="NetworkManager:Client:DescribeGlobalNetworksResponse" %}}
diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_network_manager_global_networks.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_network_manager_global_networks.md
new file mode 100644
index 0000000..f2e1644
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_network_manager_global_networks.md
@@ -0,0 +1,97 @@
++++
+title = "aws_network_manager_global_networks resource"
+
+draft = false
+
+
+[menu.aws]
+title = "aws_network_manager_global_networks"
+identifier = "inspec/resources/aws/aws_network_manager_global_networks resource"
+parent = "inspec/resources/aws"
++++
+
+Use the `aws_network_manager_global_networks` InSpec audit resource to test properties of a single specific AWS Network Manager global network.
+
+The `AWS::NetworkManager::GlobalNetwork` resource describes one or more global networks.
+
+For additional information, including details on parameters and properties, see the [AWS documentation on AWS Network Manager Global Network](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-networkmanager-globalnetwork.html).
+
+## Syntax
+
+Ensure that Global Network ID exists.
+
+```ruby
+describe aws_network_manager_global_networks do
+ it { should exist }
+end
+```
+
+## Parameters
+
+This resource does not require any parameters.
+
+## Properties
+
+`global_network_ids`
+: global_network_id.
+
+`global_network_arns`
+: global_network_arn.
+
+`descriptions`
+: description.
+
+`created_at`
+: created_at.
+
+`states`
+: state.
+
+`tags`
+: tags.
+
+## Examples
+
+Ensure a Global Network ID is available:
+
+```ruby
+describe aws_network_manager_global_networks do
+ its('global_network_ids') { should include 'GLOBAL_NETWORK_ID' }
+end
+```
+
+Ensure that the state is `AVAILABLE`:
+
+```ruby
+describe aws_network_manager_global_networks do
+ its('states') { should include 'AVAILABLE' }
+end
+```
+
+## Matchers
+
+{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}}
+
+This resource has the following special matchers.
+
+### exist
+
+Use `should` to test that the entity exists.
+
+```ruby
+describe aws_network_manager_global_networks do
+ it { should exist }
+end
+```
+
+Use `should_not` to test the entity does not exist.
+
+```ruby
+describe aws_network_manager_global_networks do
+ it { should_not exist }
+end
+```
+
+## AWS Permissions
+
+{{% inspec-aws/aws_permissions_principal action="NetworkManager:Client:DescribeGlobalNetworksResponse" %}}
diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_organizations_member.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_organizations_member.md
new file mode 100644
index 0000000..88cba9c
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_organizations_member.md
@@ -0,0 +1,92 @@
++++
+title = "aws_organizations_member resource"
+
+draft = false
+
+
+[menu.aws]
+title = "aws_organizations_member"
+identifier = "inspec/resources/aws/aws_organizations_member resource"
+parent = "inspec/resources/aws"
++++
+
+Use the `aws_organizations_member` InSpec audit resource to test the current AWS Account being used within an organization.
+
+## Syntax
+
+An `aws_organizations_member` resource block tests if the current AWS Account is the Master Account.
+
+The `master` matcher will return `true` or `false` accordingly.
+You may also verify that the `master_account_id` and `master_account_arn` properties match known values.
+
+If the current AWS Account _**is**_ the Master Account, you may also access properties of that account.
+
+```ruby
+describe aws_organizations_member do
+ it { should exist }
+end
+```
+
+## Parameters
+
+This resource does not require any parameters.
+
+## Properties
+
+`master_account_id`
+: The ID of the AWS Organizations Master Account.
+
+`master_account_arn`
+: The ARN of the AWS Organizations Master Account.
+
+_**If the current Account is the Master Account, the following properties are also available:**_
+
+|Property | Description|
+| --- | --- |
+|account_id | The ID of the current Account. |
+|account_arn | The ARN of the current Account. |
+|account_name | The Name of the current Acccount. |
+|account_email | The Email address associated with the current Account. |
+
+## Examples
+
+Ensure you are a child account with a certain ID for the top level account:
+
+```ruby
+describe aws_organizations_member do
+ it { should_not be_master }
+ its('master_account_id') { should cmp '56845218745' }
+end
+```
+
+Ensure you are the top level account, with the right name and email associated:
+
+```ruby
+describe aws_organizations_member do
+ it { should be_master }
+ its('account_name') { should eq 'MyAWSMasterAccount' }
+ its('account_email') { should eq 'aws.admin@org.com' }
+end
+```
+
+## Matchers
+
+{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}}
+
+This resource has the following special matchers.
+
+### be_master
+
+The `be_master` matcher tests if the account is a 'master' AWS Account.
+
+```ruby
+it { should_not be_master }
+```
+
+### exist
+
+The control will pass if the describe returns at least one result.
+
+```ruby
+it { should exist }
+```
diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_ram_resource_share.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_ram_resource_share.md
new file mode 100644
index 0000000..ad98157
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_ram_resource_share.md
@@ -0,0 +1,123 @@
++++
+title = "aws_ram_resource_share resource"
+
+draft = false
+
+
+[menu.aws]
+title = "aws_ram_resource_share"
+identifier = "inspec/resources/aws/aws_ram_resource_share resource"
+parent = "inspec/resources/aws"
++++
+
+Use the `aws_ram_resource_share` InSpec audit resource to test properties of a single specific AWS RAM resource share.
+
+For additional information, including details on parameters and properties, see the [AWS documentation on AWS RAM Resource Share](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ram-resourceshare.html).
+
+## Syntax
+
+Ensure that a resource exists.
+
+```ruby
+describe aws_ram_resource_share(resource_owner: 'SELF', resource_share_arn: 'RESOURCE_SHARE_ARN') do
+ it { should exist }
+end
+```
+
+## Parameters
+
+`resource_owner` _(required)_
+
+: The type of owner. Possible values: `SELF` and `OTHER-ACCOUNTS`.
+
+`resource_share_arn` _(required)_
+
+: The Amazon Resource Name (ARN) of the resource share.
+
+## Properties
+
+`resource_share_arn`
+: The Amazon Resource Name (ARN) of the resource share.
+
+`name`
+: The name of the resource share.
+
+`owning_account_id`
+: The ID of the AWS account that owns the resource share.
+
+`allow_external_principals`
+: Indicates whether principals outside your AWS organization can be associated with a resource share.
+
+`status`
+: The status of the resource share.
+
+`status_message`
+: A message about the status of the resource share.
+
+`tags`
+: The tags for the resource share.
+
+`creation_time`
+: The time when the resource share was created.
+
+`last_updated_time`
+: The time when the resource share was last updated.
+
+`feature_set`
+: Indicates how the resource share was created. Possible values include `CREATED_FROM_POLICY`, `PROMOTING_TO_STANDARD`, and `STANDARD`.
+
+## Examples
+
+Ensure a resource share ARN is available:
+
+```ruby
+describe aws_ram_resource_share(resource_owner: 'SELF', resource_share_arn: 'RESOURCE_SHARE_ARN') do
+ its('resource_share_arn') { should eq 'RESOURCE_SHARE_ARN' }
+end
+```
+
+Ensure a resource name is available:
+
+```ruby
+describe aws_ram_resource_share(resource_owner: 'SELF', resource_share_arn: 'RESOURCE_SHARE_ARN') do
+ its('name') { should eq 'RESOURCE_SHARE_NAME' }
+end
+```
+
+## Matchers
+
+{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}}
+
+This resource has the following special matchers.
+
+### exist
+
+Use `should` to test that the entity exists.
+
+```ruby
+describe aws_ram_resource_share(resource_owner: 'SELF', resource_share_arn: 'RESOURCE_SHARE_ARN') do
+ it { should exist }
+end
+```
+
+Use `should_not` to test the entity does not exist.
+
+```ruby
+describe aws_ram_resource_share(resource_owner: 'SELF', resource_share_arn: 'RESOURCE_SHARE_ARN') do
+ it { should_not exist }
+end
+```
+
+### be_available
+
+Use `should` to check if the work_group name is available.
+
+```ruby
+describe aws_ram_resource_share(resource_owner: 'SELF', resource_share_arn: 'RESOURCE_SHARE_ARN') do
+ it { should be_available }
+end
+```
+
+## AWS Permissions
+
+{{% inspec-aws/aws_permissions_principal action="RAM:Client:GetResourceSharesResponse" %}}
diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_ram_resource_shares.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_ram_resource_shares.md
new file mode 100644
index 0000000..9873545
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_ram_resource_shares.md
@@ -0,0 +1,119 @@
++++
+title = "aws_ram_resource_shares resource"
+
+draft = false
+
+
+[menu.aws]
+title = "aws_ram_resource_shares"
+identifier = "inspec/resources/aws/aws_ram_resource_shares resource"
+parent = "inspec/resources/aws"
++++
+
+Use the `aws_ram_resource_shares` InSpec audit resource to test properties of multiple AWS RAM resource shares.
+
+For additional information, including details on parameters and properties, see the [AWS documentation on AWS RAM Resource Share](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ram-resourceshare.html).
+
+## Syntax
+
+Ensure that a resource exists.
+
+```ruby
+describe aws_ram_resource_shares(resource_owner: 'SELF') do
+ it { should exist }
+end
+```
+
+## Parameters
+
+`resource_owner` _(required)_
+
+: The type of owner. Possible values: `SELF` and `OTHER-ACCOUNTS`.
+
+## Properties
+
+`resource_share_arns`
+: The Amazon Resource Name (ARN) of the resource share.
+
+`names`
+: The name of the resource share.
+
+`owning_account_ids`
+: The ID of the AWS account that owns the resource share.
+
+`allow_external_principals`
+: Indicates whether principals outside your AWS organization can be associated with a resource share.
+
+`statuses`
+: The status of the resource share.
+
+`status_messages`
+: A message about the status of the resource share.
+
+`tags`
+: The tags for the resource share.
+
+`creation_times`
+: The time when the resource share was created.
+
+`last_updated_times`
+: The time when the resource share was last updated.
+
+`feature_sets`
+: Indicates how the resource share was created. Possible values include `CREATED_FROM_POLICY`, `PROMOTING_TO_STANDARD`, and `STANDARD`.
+
+## Examples
+
+Ensure a resource ARN is available:
+
+```ruby
+describe aws_ram_resource_shares(resource_owner: 'SELF') do
+ its('resource_share_arns') { should include 'RESOURCE_SHARE_ARN' }
+end
+```
+
+Ensure that a resource share has an `ACTIVE` status:
+
+```ruby
+describe aws_ram_resource_shares(resource_owner: 'SELF') do
+ its('statuses') { should include 'ACTIVE' }
+end
+```
+
+## Matchers
+
+{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}}
+
+This resource has the following special matchers.
+
+### exist
+
+Use `should` to test that the entity exists.
+
+```ruby
+describe aws_ram_resource_shares(resource_owner: 'SELF') do
+ it { should exist }
+end
+```
+
+Use `should_not` to test the entity does not exist.
+
+```ruby
+describe aws_ram_resource_shares(resource_owner: 'dummy') do
+ it { should_not exist }
+end
+```
+
+### be_available
+
+Use `should` to check if the resource is available.
+
+```ruby
+describe aws_ram_resource_shares(resource_owner: 'SELF') do
+ it { should be_available }
+end
+```
+
+## AWS Permissions
+
+{{% inspec-aws/aws_permissions_principal action="RAM:Client:GetResourceSharesResponse" %}}
diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_rds_cluster.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_rds_cluster.md
new file mode 100644
index 0000000..22ddf75
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_rds_cluster.md
@@ -0,0 +1,114 @@
++++
+title = "aws_rds_cluster resource"
+
+draft = false
+
+
+[menu.aws]
+title = "aws_rds_cluster"
+identifier = "inspec/resources/aws/aws_rds_cluster resource"
+parent = "inspec/resources/aws"
++++
+
+Use the `aws_rds_cluster` InSpec audit resource to test detailed properties of an individual RDS cluster.
+
+RDS gives you access to the capabilities of a MySQL, MariaDB, PostgreSQL, Microsoft SQL Server, Oracle, or Amazon Aurora database server.
+
+For additional information, including details on parameters and properties, see the [AWS documentation on RDS cluster](https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/Aurora.Overview.html).
+
+## Syntax
+
+An `aws_rds_cluster` resource block uses resource parameters to search for an RDS cluster, and then tests that RDS cluster. If no RDS clusters match, no error is raised, but the `exists` matcher will return `false` and all properties will be `nil`. If more than one RDS cluster matches (due to vague search parameters), an error is raised.
+
+```ruby
+describe aws_rds_cluster('test-cluster-id') do
+ it { should exist }
+end
+```
+
+Can also use hash syntax:
+
+```ruby
+describe aws_rds_cluster(db_cluster_identifier: 'test-cluster-id') do
+ it { should exist }
+end
+```
+
+## Parameters
+
+`db_cluster_identifier` _(required)_
+
+: This resource accepts a single parameter, the user-supplied cluster identifier. This parameter isn't case-sensitive.
+ This can be passed either as a string or as a `db_cluster_identifier: 'value'` key-value entry in a hash.
+
+## Properties
+
+For a comprehensive list of properties available to test on an RDS cluster see the [AWS Response Object](https://docs.aws.amazon.com/sdk-for-ruby/v3/api/Aws/RDS/DBCluster.html).
+
+## Examples
+
+Test the engine used with an RDS cluster:
+
+```ruby
+describe aws_rds_cluster(db_cluster_identifier: 'awsrds123') do
+ its('engine') { should eq 'mysql' }
+ its('engine_version') { should eq '5.6.37' }
+end
+```
+
+Test the storage allocated to an RDS cluster:
+
+```ruby
+describe aws_rds_cluster(db_cluster_identifier: 'awsrds123') do
+ its('storage_encrypted') { should eq true }
+ its('allocated_storage') { should eq 10 }
+end
+```
+
+Test the cluster status and master username:
+
+```ruby
+describe aws_rds_cluster(db_cluster_identifier: 'awsrds123') do
+ its('master_username') { should eq 'db-maintain' }
+ its('status') { should eq 'available' }
+end
+```
+
+Test the maximum and minimum capacity of a serverless RDS cluster:
+
+```ruby
+describe aws_rds_cluster(db_cluster_identifier: 'awsrds123') do
+ its('scaling_configuration_info.min_capacity') { should eq 2 }
+ its('scaling_configuration_info.max_capacity') { should eq 64 }
+end
+```
+
+## Matchers
+
+{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}}
+
+This resource has the following special matchers.
+
+### exist
+
+The control will pass if the describe returns at least one result.
+
+Use `should_not` to test the entity should not exist.
+
+```ruby
+describe aws_rds_cluster(db_cluster_identifier: 'AnExistingRDS') do
+ it { should exist }
+end
+```
+
+```ruby
+describe aws_rds_cluster(db_cluster_identifier: 'ANonExistentRDS') do
+ it { should_not exist }
+end
+```
+
+## AWS Permissions
+
+{{% inspec-aws/aws_permissions_principal action="RDS:Client:DBClusterMessage" %}}
+
+You can find detailed documentation at [Actions, Resources, and Condition Keys for Amazon RDS](https://docs.aws.amazon.com/IAM/latest/UserGuide/list_amazonrds.html).
diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_rds_clusters.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_rds_clusters.md
new file mode 100644
index 0000000..d6409ec
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_rds_clusters.md 
@@ -0,0 +1,114 @@
++++
+title = "aws_rds_clusters resource"
+
+draft = false
+
+
+[menu.aws]
+title = "aws_rds_clusters"
+identifier = "inspec/resources/aws/aws_rds_clusters resource"
+parent = "inspec/resources/aws"
++++
+
+Use the `aws_rds_clusters` InSpec audit resource to test properties of a collection of AWS RDS clusters.
+
+RDS gives you access to the capabilities of a MySQL, MariaDB, PostgreSQL, Microsoft SQL Server, Oracle, or Amazon Aurora database server.
+
+## Syntax
+
+Ensure you have exactly 3 clusters
+
+```ruby
+describe aws_rds_clusters do
+ its('db_cluster_identifiers.count') { should cmp 3 }
+end
+```
+
+## Parameters
+
+This resource does not require any parameters.
+
+## Properties
+
+`cluster_identifier`
+: The unique IDs of the RDS clusters returned.
+
+`database_name`
+: The name of the database associated with each RDS cluster.
+
+`cluster_\members`
+: The RDS instances attached to each RDS cluster.
+
+`engine`
+: The name of the database engine used by each cluster.
+
+`engine_version`
+: The version of the database engine used by each cluster.
+
+`status`
+: The current status of each cluster.
+
+`allocated_storage`
+: The storage allocated to each cluster.
+
+`storage_encrypted`
+: Returns T/F whether the cluster is encrypted or not.
+
+`availability_zones`
+: A list of availability zones of the RDS clusters returned.
+
+`multi_az`
+: Returns T/F depending on whether multiple availability zones are used in the cluster.
+
+`arn`
+: The unique Amazon resource name of the RDS clusters.
+
+## Examples
+
+Ensure a specific cluster exists:
+
+```ruby
+describe aws_rds_clusters do
+ its('db_cluster_identifier') { should include ['cluster-12345678', 'cluster-456786786'] }
+end
+```
+
+Request the IDs of all RDS clusters, then test in-depth using `aws_rds_cluster` to ensure all clusters are encrypted and have a sensible size:
+
+```ruby
+aws_rds_clusters.cluster_identifier.each do |cluster_identifier|
+ describe aws_rds_cluster(cluster_identifier) do
+ it { should have_encrypted_storage }
+ end
+end
+```
+
+## Matchers
+
+{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}}
+
+This resource has the following special matchers.
+
+### exist
+
+The control will pass if the describe returns at least one result.
+
+Use `should_not` to test the entity should not exist.
+
+```ruby
+describe aws_rds_clusters do
+ it { should exist }
+end
+```
+
+```ruby
+describe aws_rds_clusters do
+ it { should_not exist }
+end
+```
+
+## AWS Permissions
+
+{{% inspec-aws/aws_permissions_principal action="RDS:Client:DBClusterMessage" %}}
+
+You can find detailed documentation at [Actions, Resources, and Condition Keys for Amazon EC2](https://docs.aws.amazon.com/IAM/latest/UserGuide/list_amazonec2.html), and [Actions, Resources, and Condition Keys for Identity And Access Management](https://docs.aws.amazon.com/IAM/latest/UserGuide/list_identityandaccessmanagement.html).
diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_rds_db_cluster_snapshot.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_rds_db_cluster_snapshot.md
new file mode 100644
index 0000000..bfce7dd
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_rds_db_cluster_snapshot.md
@@ -0,0 +1,152 @@
++++
+title = "aws_rds_db_cluster_snapshot resource"
+
+draft = false
+
+
+[menu.aws]
+title = "aws_rds_db_cluster_snapshot"
+identifier = "inspec/resources/aws/aws_rds_db_cluster_snapshot resource"
+parent = "inspec/resources/aws"
++++
+
+Use the `aws_rds_db_cluster_snapshot` InSpec audit resource to test the properties of the singular resource of AWS RDS Cluster snapshot.
+
+For additional information, including details on parameters and properties, see the [AWS documentation on AWS RDS Cluster Snapshot.](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/AWS_RDS.html).
+
+## Syntax
+
+Ensure that cluster snapshot exists.
+
+```ruby
+describe aws_rds_db_cluster_snapshot(db_cluster_snapshot_id: "CLUSTER_ID") do
+ it { should exist }
+end
+```
+
+## Parameters
+
+`db_cluster_snapshot_id` _(required)_
+
+: The cluster snapshot ID.
+
+## Properties
+
+`availability_zones`
+: Provides the list of EC2 Availability Zones instances in the DB cluster snapshot that can be restored.
+
+`db_cluster_snapshot_identifier`
+: Specifies the identifier for the DB cluster snapshot.
+
+`db_cluster_identifier`
+: Specifies the identifier of the DB cluster from which the DB cluster snapshot is created.
+
+`snapshot_create_time`
+: Provides the time when the snapshot is taken, in Universal Coordinated Time (UTC).
+
+`engine`
+: Specifies the name of the database engine.
+
+`allocated_storage`
+: Specifies the allocated storage size in Gibibytes (GiB).
+
+`status`
+: Specifies the status of this DB cluster snapshot.
+
+`port`
+: Specifies the port where the DB cluster is listening at the time of the snapshot.
+
+`vpc_id`
+: Provides the VPC ID associated with the DB cluster snapshot.
+
+`cluster_create_time`
+: Specifies when the DB cluster is created, in Universal Coordinated Time (UTC).
+
+`master_username`
+: Provides the master username for the DB cluster snapshot.
+
+`engine_version`
+: Provides the version of the database engine for the DB cluster snapshot.
+
+`license_model`
+: Provides the license model information for the DB cluster snapshot.
+
+`snapshot_type`
+: Provides the DB cluster snapshot type.
+
+`percent_progress`
+: Specifies the percentage of the estimated data that is transferred.
+
+`storage_encrypted`
+: Specifies whether the DB cluster snapshot is encrypted.
+
+`kms_key_id`
+: If `StorageEncrypted` is true, the AWS Key Management Service (AWS KMS) identifier for the encrypted DB cluster snapshot is set to protect the data.
+
+`db_cluster_snapshot_arn`
+: The Amazon Resource Name (ARN) for the DB cluster snapshot.
+
+`source_db_cluster_snapshot_arn`
+: If the DB cluster snapshot is copied from a source DB cluster snapshot, the Amazon Resource Name (ARN) for the source DB cluster snapshot is associated, otherwise a null value is stored for the source DB cluster snapsot ARN.
+
+`iam_database_authentication_enabled`
+: `True`, if the mapping of the AWS Identity and Access Management (IAM) corresponds to database accounts that are enabled, and otherwise `False`.
+
+`tag_list`
+: The related tags.
+
+## Examples
+
+Ensure a cluster snapshot ID is `available`:
+
+```ruby
+describe aws_rds_db_cluster_snapshot(db_cluster_snapshot_id: "CLUSTER_ID") do
+ its('db_cluster_snapshot_id') { should eq 'CLUSTER_ID' }
+end
+```
+
+Ensure that the status is `available`:
+
+```ruby
+describe aws_rds_db_cluster_snapshot(db_cluster_snapshot_id: "CLUSTER_ID") do
+ its('status') { should eq 'available' }
+end
+```
+
+## Matchers
+
+{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}}
+
+The control passes if the `describe` method returns at least one result.
+
+### exist
+
+Use `should` to test that the entity exists.
+
+```ruby
+describe aws_rds_db_cluster_snapshot(db_cluster_snapshot_id: "CLUSTER_ID") do
+ it { should exist }
+end
+```
+
+Use `should_not` to test the entity does not exist.
+
+```ruby
+describe aws_rds_db_cluster_snapshot(db_cluster_snapshot_id: "CLUSTER_ID") do
+ it { should_not exist }
+end
+```
+
+### be_available
+
+Use `should` to check if the entity is available.
+
+```ruby
+describe aws_rds_db_cluster_snapshot(db_cluster_snapshot_id: "CLUSTER_ID") do
+ it { should be_available }
+end
+```
+
+## AWS Permissions
+
+{{% inspec-aws/aws_permissions_principal action="RDS:Client:DBClusterSnapshotMessage" %}}
diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_rds_db_cluster_snapshots.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_rds_db_cluster_snapshots.md
new file mode 100644
index 0000000..2cb7b0d
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_rds_db_cluster_snapshots.md
@@ -0,0 +1,192 @@
++++
+title = "aws_rds_db_cluster_snapshots resource"
+
+draft = false
+
+
+[menu.aws]
+title = "aws_rds_db_cluster_snapshots"
+identifier = "inspec/resources/aws/aws_rds_db_cluster_snapshots resource"
+parent = "inspec/resources/aws"
++++
+
+Use the `aws_rds_db_cluster_snapshots` InSpec audit resource to test the properties of a single specific AWS RDS Cluster snapshot.
+
+For additional information, including details on parameters and properties, see the [AWS documentation on AWS RDS Cluster Snapshot.](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/AWS_RDS.html).
+
+## Syntax
+
+Ensure that the cluster snapshot exists.
+
+```ruby
+describe aws_rds_db_cluster_snapshots do
+ it { should exist }
+end
+```
+
+## Parameters
+
+This resource does not require any parameters.
+
+## Properties
+
+`availability_zones`
+: Provides the list of EC2 Availability Zones instances in the DB cluster snapshot that can be restored.
+
+: **Field**: `availability_zone`
+
+`db_cluster_snapshot_identifiers`
+: Specifies the identifier for the DB cluster snapshot.
+
+: **Field**: `db_cluster_snapshot_identifier`
+
+`db_cluster_identifiers`
+: Specifies the identifier of the DB cluster from which the DB cluster snapshot is created.
+
+: **Field**: `db_cluster_identifier`
+
+`snapshot_create_times`
+: Provides the time when the snapshot is taken, in Universal Coordinated Time (UTC).
+
+: **Field**: `snapshot_create_time`
+
+`engines`
+: Specifies the name of the database engine.
+
+: **Field**: `engine`
+
+`allocated_storages`
+: Specifies the allocated storage size in Gibibytes (GiB).
+
+: **Field**: `allocated_storage`
+
+`statuses`
+: Specifies the status of this DB cluster snapshot.
+
+: **Field**: `status`
+
+`ports`
+: Specifies the port where the DB cluster is listening at the time of the snapshot.
+
+: **Field**: `port`
+
+`vpc_ids`
+: Provides the VPC ID associated with the DB cluster snapshot.
+
+: **Field**: `vpc_id`
+
+`cluster_create_times`
+: Specifies the time when the DB cluster is created, in Universal Coordinated Time (UTC).
+
+: **Field**: `cluster_create_time`
+
+`master_usernames`
+: Provides the master username for the DB cluster snapshot.
+
+: **Field**: `master_username`
+
+`engine_versions`
+: Provides the database engine version for the DB cluster snapshot.
+
+: **Field**: `engine_version`
+
+`license_models`
+: Provides the license model information for the DB cluster snapshot.
+
+: **Field**: `license_model`
+
+`snapshot_types`
+: Provides the DB cluster snapshot type.
+
+: **Field**: `snapshot_type`
+
+`percent_progresses`
+: Specifies the percentage of the estimated data that is transferred.
+
+: **Field**: `percent_progress`
+
+`storage_encrypted`
+: Specifies whether the DB cluster snapshot is encrypted.
+
+: **Field**: `storage_encrypted`
+
+`kms_key_ids`
+: If `StorageEncrypted` is true, the AWS Key Management Service (AWS KMS) identifier for the encrypted DB cluster snapshot is set to protect the data.
+
+: **Field**: `kms_key_id`
+
+`db_cluster_snapshot_arns`
+: The Amazon Resource Name (ARN) for the DB cluster snapshot.
+
+: **Field**: `db_cluster_snapshot_arn`
+
+`source_db_cluster_snapshot_arns`
+: If the DB cluster snapshot is copied from a source DB cluster snapshot, the Amazon Resource Name (ARN) for the source DB cluster snapshot is associated, otherwise a null value is stored for the source DB cluster snapsot ARN.
+
+: **Field**: `source_db_cluster_snapshot_arn`
+
+`iam_database_authentication_enabled`
+: `True`, if the mapping of the AWS Identity and Access Management (IAM) corresponds to database accounts are enabled, and otherwise `False`.
+
+: **Field**: `iam_database_authentication_enabled`
+
+`tag_lists`
+: The related tags.
+
+: **Field**: `tag_list`
+
+## Examples
+
+Ensure a cluster snapshot id is available:
+
+```ruby
+describe aws_rds_db_cluster_snapshots do
+ its('db_cluster_snapshot_ids') { should include 'CLUSTER_ID' }
+end
+```
+
+Ensure that the state is `available`:
+
+```ruby
+describe aws_rds_db_cluster_snapshots do
+ its('statuses') { should include 'available' }
+end
+```
+
+## Matchers
+
+{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}}
+
+The control passes if the `describe` method returns at least one result.
+
+### exist
+
+Use `should` to test that the entity exists.
+
+```ruby
+describe aws_rds_db_cluster_snapshots do
+ it { should exist }
+end
+```
+
+Use `should_not` to test the entity does not exist.
+
+```ruby
+describe aws_rds_db_cluster_snapshots do
+ it { should_not exist }
+end
+```
+
+### be_available
+
+Use `should` to check if the entity is available.
+
+```ruby
+describe aws_rds_db_cluster_snapshots do
+ it { should be_available }
+end
+```
+
+## AWS Permissions
+
+{{% inspec-aws/aws_permissions_principal action="RDS:Client:DBClusterSnapshotMessage" %}}
diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_rds_db_proxy.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_rds_db_proxy.md
new file mode 100644
index 0000000..1d63bec
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_rds_db_proxy.md
@@ -0,0 +1,156 @@ ++++ +title = "aws_rds_db_proxy resource" + +draft = false + + +[menu.aws] +title = "aws_rds_db_proxy" +identifier = "inspec/resources/aws/aws_rds_db_proxy resource" +parent = "inspec/resources/aws" ++++ + +Use the `aws_rds_db_proxy` InSpec audit resource to test properties of a single AWS Relational Database Service (RDS) database proxy. + +The `AWS::RDS::DBProxy` resource creates or updates an RDS DB proxy. + +For additional information, including details on parameters and properties, see the [AWS documentation on AWS RDS DBProxy](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-rds-dbproxy.html). + +## Syntax + +Ensure that the db proxy exists. + +```ruby +describe aws_rds_db_proxy(db_proxy_name: 'DB_PROXY_NAME') do + it { should exist } +end +``` + +## Parameters + +`db_proxy_name` _(required)_ + +: The identifier for the proxy. This name must be unique for all proxies owned by your AWS account in the specified AWS Region. + +## Properties + +`db_proxy_name` +: The identifier for the proxy. This name must be unique for all proxies owned by your AWS account in the specified AWS Region. + +`db_proxy_arn` +: The Amazon Resource Name (ARN) for the proxy. + +`status` +: The current status of this proxy. + +`engine_family` +: The engine family applies to MySQL and PostgreSQL for both RDS and Aurora. + +`vpc_id` +: The VPC id. + +`vpc_security_group_ids` +: Provides a list of VPC security groups that the proxy belongs to. + +`vpc_subnet_ids` +: The EC2 subnet IDs for the proxy. + +`auth_descriptions` +: A user-specified description about the authentication used by a proxy to log in as a specific database user. + +`auth_user_names` +: The name of the database user to which the proxy connects. + +`auth_schemes` +: The type of authentication that the proxy uses for connections from the proxy to the underlying database. 
+ +`auth_secret_arns` +: The Amazon Resource Name (ARN) representing the secret that the proxy uses to authenticate to the RDS DB instance or Aurora DB cluster. These secrets are stored within Amazon Secrets Manager. + +`auth_iam_auths` +: Whether to require or disallow AWS Identity and Access Management (IAM) authentication for connections to the proxy. + +`role_arn` +: The Amazon Resource Name (ARN) for the IAM role that the proxy uses to access Amazon Secrets Manager. + +`endpoint` +: The endpoint that you can use to connect to the proxy. You include the endpoint value in the connection string for a database client application. + +`require_tls` +: Indicates whether Transport Layer Security (TLS) encryption is required for connections to the proxy. + +`idle_client_timeout` +: The number of seconds a connection to the proxy can have no activity before the proxy drops the client connection. + +`debug_logging` +: Whether the proxy includes detailed information about SQL statements in its logs. + +`created_date` +: The date and time when the proxy was first created. + +`updated_date` +: The date and time when the proxy was last updated. + +## Examples + +Ensure a db proxy name is available: + +```ruby +describe aws_rds_db_proxy(db_proxy_name: 'DB_PROXY_NAME') do + its('db_proxy_name') { should eq 'DB_PROXY_NAME' } +end +``` + +Ensure a db proxy arn is available: + +```ruby +describe aws_rds_db_proxy(db_proxy_name: 'DB_PROXY_NAME') do + its('db_proxy_arn') { should eq 'DB_PROXY_ARN' } +end +``` + +Ensure a status is `available`: + +```ruby +describe aws_rds_db_proxy(db_proxy_name: 'DB_PROXY_NAME') do + its('status') { should eq 'available' } +end +``` + +## Matchers + +{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}} + +The controls will pass if the `describe` method returns at least one result. + +### exist + +Use `should` to test that the entity exists. 
+ +```ruby +describe aws_rds_db_proxy(db_proxy_name: 'DB_PROXY_NAME') do + it { should exist } +end +``` + +Use `should_not` to test the entity does not exist. + +```ruby +describe aws_rds_db_proxy(db_proxy_name: 'DB_PROXY_NAME') do + it { should_not exist } +end +``` + +### be_available + +Use `should` to check if the entity is available. + +```ruby +describe aws_rds_db_proxy(db_proxy_name: 'DB_PROXY_NAME') do + it { should be_available } +end +``` + +## AWS Permissions + +{{% inspec-aws/aws_permissions_principal action="RDS:Client:DescribeDBProxiesResponse" %}} diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_rds_db_proxy_endpoint.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_rds_db_proxy_endpoint.md new file mode 100644 index 0000000..2157cee --- /dev/null +++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_rds_db_proxy_endpoint.md 
@@ -0,0 +1,136 @@ ++++ +title = "aws_rds_db_proxy_endpoint resource" + +draft = false + + +[menu.aws] +title = "aws_rds_db_proxy_endpoint" +identifier = "inspec/resources/aws/aws_rds_db_proxy_endpoint resource" +parent = "inspec/resources/aws" ++++ + +Use the `aws_rds_db_proxy_endpoint` InSpec audit resource to test properties of a single AWS Relational Database Service (RDS) database proxy endpoint. + +The `AWS::RDS::DBProxyEndpoint` resource creates or updates an AWS RDS DB proxy endpoint. + +For additional information, including details on parameters and properties, see the [AWS documentation on AWS RDS DBProxyEndpoint](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-rds-dbproxyendpoint.html). + +## Syntax + +Ensure that the DB proxy endpoint exists. + +```ruby +describe aws_rds_db_proxy_endpoint(db_proxy_name: 'DB_PROXY_NAME', db_proxy_endpoint_name: 'DB_PROXY_ENDPOINT_NAME') do + it { should exist } +end +``` + +## Parameters + +`db_proxy_name` _(required)_ + +: The identifier for the proxy. This name must be unique for all proxies owned by your AWS account in the specified AWS Region. + +`db_proxy_endpoint_name` _(required)_ + +: The name for the DB proxy endpoint. + +## Properties + +`db_proxy_endpoint_name` +: The name for the DB proxy endpoint. + +`db_proxy_endpoint_arn` +: The Amazon Resource Name (ARN) for the DB proxy endpoint. + +`db_proxy_name` +: The identifier for the DB proxy that is associated with this DB proxy endpoint. + +`status` +: The current status of this DB proxy endpoint. + +`vpc_id` +: Provides the VPC ID of the DB proxy endpoint. + +`vpc_security_group_ids` +: Provides a list of VPC security groups that the DB proxy endpoint belongs to. + +`vpc_subnet_ids` +: The EC2 subnet IDs for the DB proxy endpoint. + +`endpoint` +: The endpoint that you can use to connect to the DB proxy. + +`created_date` +: The date and time when the DB proxy endpoint was first created. 
+ +`target_role` +: A value that indicates whether the DB proxy endpoint can be used for read/write or read-only operations. + +`is_default` +: A value that indicates whether this endpoint is the default endpoint for the associated DB proxy. Default DB proxy endpoints always have read/write capability. + +## Examples + +Ensure a DB proxy endpoint name is available: + +```ruby +describe aws_rds_db_proxy_endpoint(db_proxy_name: 'DB_PROXY_NAME', db_proxy_endpoint_name: 'DB_PROXY_ENDPOINT_NAME') do + its('db_proxy_endpoint_name') { should eq 'DB_PROXY_ENDPOINT_NAME' } +end +``` + +Ensure a DB proxy is available: + +```ruby +describe aws_rds_db_proxy_endpoint(db_proxy_name: 'DB_PROXY_NAME', db_proxy_endpoint_name: 'DB_PROXY_ENDPOINT_NAME') do + its('db_proxy_name') { should eq 'DB_PROXY_NAME' } +end +``` + +Ensure a status is `available`: + +```ruby +describe aws_rds_db_proxy_endpoint(db_proxy_name: 'DB_PROXY_NAME', db_proxy_endpoint_name: 'DB_PROXY_ENDPOINT_NAME') do + its('status') { should eq 'available' } +end +``` + +## Matchers + +{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}} + +The controls will pass if the `describe` method returns at least one result. + +### exist + +Use `should` to test that the entity exists. + +```ruby +describe aws_rds_db_proxy_endpoint(db_proxy_name: 'DB_PROXY_NAME', db_proxy_endpoint_name: 'DB_PROXY_ENDPOINT_NAME') do + it { should exist } +end +``` + +Use `should_not` to test the entity does not exist. + +```ruby +describe aws_rds_db_proxy_endpoint(db_proxy_name: 'DB_PROXY_NAME', db_proxy_endpoint_name: 'DB_PROXY_ENDPOINT_NAME') do + it { should_not exist } +end +``` + +### be_available + +Use `should` to check if the entity is available. 
+ +```ruby +describe aws_rds_db_proxy_endpoint(db_proxy_name: 'DB_PROXY_NAME', db_proxy_endpoint_name: 'DB_PROXY_ENDPOINT_NAME') do + it { should be_available } +end +``` + +## AWS Permissions + +{{% inspec-aws/aws_permissions_principal action="RDS:Client:DescribeDBProxyEndpointsResponse" %}} diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_rds_db_proxy_endpoints.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_rds_db_proxy_endpoints.md new file mode 100644 index 0000000..9bc1a6b --- /dev/null +++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_rds_db_proxy_endpoints.md 
@@ -0,0 +1,154 @@ ++++ +title = "aws_rds_db_proxy_endpoints resource" + +draft = false + + +[menu.aws] +title = "aws_rds_db_proxy_endpoints" +identifier = "inspec/resources/aws/aws_rds_db_proxy_endpoints resource" +parent = "inspec/resources/aws" ++++ + +Use the `aws_rds_db_proxy_endpoints` InSpec audit resource to test properties of multiple AWS Relational Database Service (RDS) database proxy endpoints. + +The `AWS::RDS::DBProxyEndpoint` resource creates or updates an AWS RDS DB proxy endpoint. + +For additional information, including details on parameters and properties, see the [AWS documentation on AWS RDS DBProxyEndpoint](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-rds-dbproxyendpoint.html). + +## Syntax + +Ensure that the DB proxy endpoint exists. + +```ruby +describe aws_rds_db_proxy_endpoints(db_proxy_name: 'DB_PROXY_NAME') do + it { should exist } +end +``` + +## Parameters + +`db_proxy_name` _(required)_ + +: The identifier for the proxy. This name must be unique for all proxies owned by your AWS account in the specified AWS Region. + +## Properties + +`db_proxy_endpoint_names` +: The name for the DB proxy endpoint. + +: **Field**: `db_proxy_endpoint_name` + +`db_proxy_endpoint_arns` +: The Amazon Resource Name (ARN) for the DB proxy endpoint. + +: **Field**: `db_proxy_endpoint_arn` + +`db_proxy_names` +: The identifier for the DB proxy that is associated with this DB proxy endpoint. + +: **Field**: `db_proxy_name` + +`statuses` +: The current status of this DB proxy endpoint. + +: **Field**: `status` + +`vpc_ids` +: Provides the VPC ID of the DB proxy endpoint. + +: **Field**: `vpc_id` + +`vpc_security_group_ids` +: Provides a list of VPC security groups that the DB proxy endpoint belongs to. + +: **Field**: `vpc_security_group_ids` + +`vpc_subnet_ids` +: The EC2 subnet IDs for the DB proxy endpoint. + +: **Field**: `vpc_subnet_ids` + +`endpoints` +: The endpoint that you can use to connect to the DB proxy. 
+ +: **Field**: `endpoint` + +`created_dates` +: The date and time when the DB proxy endpoint was first created. + +: **Field**: `created_date` + +`target_roles` +: A value that indicates whether the DB proxy endpoint can be used for read/write or read-only operations. + +: **Field**: `target_role` + +`is_default` +: A value that indicates whether this endpoint is the default endpoint for the associated DB proxy. Default DB proxy endpoints always have read/write capability. + +: **Field**: `is_default` + +## Examples + +Ensure a DB proxy endpoint name is available: + +```ruby +describe aws_rds_db_proxy_endpoints(db_proxy_name: 'DB_PROXY_NAME') do + its('db_proxy_endpoint_names') { should include 'DB_PROXY_ENDPOINT_NAME' } +end +``` + +Ensure a DB proxy is available: + +```ruby +describe aws_rds_db_proxy_endpoints(db_proxy_name: 'DB_PROXY_NAME') do + its('db_proxy_names') { should include 'DB_PROXY_NAME' } +end +``` + +Ensure a status is `available`: + +```ruby +describe aws_rds_db_proxy_endpoints(db_proxy_name: 'DB_PROXY_NAME') do + its('statuses') { should include 'available' } +end +``` + +## Matchers + +{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}} + +The controls will pass if the `describe` method returns at least one result. + +### exist + +Use `should` to test that the entity exists. + +```ruby +describe aws_rds_db_proxy_endpoints(db_proxy_name: 'DB_PROXY_NAME') do + it { should exist } +end +``` + +Use `should_not` to test the entity does not exist. + +```ruby +describe aws_rds_db_proxy_endpoints(db_proxy_name: 'DB_PROXY_NAME') do + it { should_not exist } +end +``` + +### be_available + +Use `should` to check if the entity is available. + +```ruby +describe aws_rds_db_proxy_endpoints(db_proxy_name: 'DB_PROXY_NAME') do + it { should be_available } +end +``` + +## AWS Permissions + +{{% inspec-aws/aws_permissions_principal action="RDS:Client:DescribeDBProxyEndpointsResponse" %}} 
diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_rds_db_proxy_target_group.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_rds_db_proxy_target_group.md new file mode 100644 index 0000000..d242dd5 --- /dev/null +++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_rds_db_proxy_target_group.md 
@@ -0,0 +1,139 @@ ++++ +title = "aws_rds_db_proxy_target_group resource" + +draft = false + + +[menu.aws] +title = "aws_rds_db_proxy_target_group" +identifier = "inspec/resources/aws/aws_rds_db_proxy_target_group resource" +parent = "inspec/resources/aws" ++++ + +Use the `aws_rds_db_proxy_target_group` InSpec audit resource to test properties of a single AWS Relational Database Service (RDS) database proxy target group. + +The `AWS::RDS::DBProxyTargetGroup` resource represents a set of RDS DB instances, Aurora DB clusters, or both that a proxy can connect to. + +For additional information, including details on parameters and properties, see the [AWS documentation on AWS RDS DBProxyTargetGroup](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-rds-dbproxytargetgroup.html). + +## Syntax + +Ensure that the target group exists. + +```ruby +describe aws_rds_db_proxy_target_group(db_proxy_name: 'DB_PROXY_NAME', target_group_name: 'TARGET_GROUP_NAME') do + it { should exist } +end +``` + +## Parameters + +`db_proxy_name` _(required)_ + +: The identifier for the proxy. This name must be unique for all proxies owned by your AWS account in the specified AWS Region. + +`target_group_name` _(required)_ + +: The identifier for the target group. + +## Properties + +`db_proxy_name` +: The identifier for the proxy. This name must be unique for all proxies owned by your AWS account in the specified AWS Region. + +`target_group_name` +: The identifier for the target group. + +`target_group_arn` +: The Amazon Resource Name (ARN) representing the target group. + +`is_default` +: Whether this target group is the first one used for connection requests by the associated proxy. + +`status` +: The current status of this target group. + +`connection_pool_config.max_connections_percent` +: The maximum size of the connection pool for each target in a target group. 
+ +`connection_pool_config.max_idle_connections_percent` +: Controls how actively the proxy closes idle database connections in the connection pool. + +`connection_pool_config.connection_borrow_timeout` +: The number of seconds for a proxy to wait for a connection to become available in the connection pool. + +`connection_pool_config.session_pinning_filters` +: Each item in the list represents a class of SQL operations that normally cause all later statements in a session using a proxy to be pinned to the same underlying database connection. + +`connection_pool_config.init_query` +: One or more SQL statements for the proxy to run when opening each new database connection. + +`created_date` +: The date and time when the target group was first created. + +`updated_date` +: The date and time when the target group was last updated. + +## Examples + +Ensure a DB proxy name is available: + +```ruby +describe aws_rds_db_proxy_target_group(db_proxy_name: 'DB_PROXY_NAME', target_group_name: 'TARGET_GROUP_NAME') do + its('db_proxy_name') { should eq 'DB_PROXY_NAME' } +end +``` + +Ensure a target group name is available: + +```ruby +describe aws_rds_db_proxy_target_group(db_proxy_name: 'DB_PROXY_NAME', target_group_name: 'TARGET_GROUP_NAME') do + its('target_group_name') { should eq 'TARGET_GROUP_NAME' } +end +``` + +Ensure a status is `available`: + +```ruby +describe aws_rds_db_proxy_target_group(db_proxy_name: 'DB_PROXY_NAME', target_group_name: 'TARGET_GROUP_NAME') do + its('status') { should eq 'available' } +end +``` + +## Matchers + +{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}} + +The controls will pass if the `describe` method returns at least one result. + +### exist + +Use `should` to test that the entity exists. + +```ruby +describe aws_rds_db_proxy_target_group(db_proxy_name: 'DB_PROXY_NAME', target_group_name: 'TARGET_GROUP_NAME') do + it { should exist } +end +``` + +Use `should_not` to test the entity does not exist. 
+ +```ruby +describe aws_rds_db_proxy_target_group(db_proxy_name: 'DB_PROXY_NAME', target_group_name: 'TARGET_GROUP_NAME') do + it { should_not exist } +end +``` + +### be_available + +Use `should` to check if the entity is available. + +```ruby +describe aws_rds_db_proxy_target_group(db_proxy_name: 'DB_PROXY_NAME', target_group_name: 'TARGET_GROUP_NAME') do + it { should be_available } +end +``` + +## AWS Permissions + +{{% inspec-aws/aws_permissions_principal action="RDS:Client:DescribeDBProxyTargetGroupsResponse" %}} diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_rds_db_proxy_target_groups.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_rds_db_proxy_target_groups.md new file mode 100644 index 0000000..41e61f7 --- /dev/null +++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_rds_db_proxy_target_groups.md 
@@ -0,0 +1,139 @@ ++++ +title = "aws_rds_db_proxy_target_groups resource" + +draft = false + + +[menu.aws] +title = "aws_rds_db_proxy_target_groups" +identifier = "inspec/resources/aws/aws_rds_db_proxy_target_groups resource" +parent = "inspec/resources/aws" ++++ + +Use the `aws_rds_db_proxy_target_groups` InSpec audit resource to test properties of multiple AWS Relational Database Service (RDS) database proxy target groups. + +The `AWS::RDS::DBProxyTargetGroup` resource represents a set of RDS DB instances, Aurora DB clusters, or both that a proxy can connect to. + +For additional information, including details on parameters and properties, see the [AWS documentation on AWS RDS DBProxyTargetGroup](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-rds-dbproxytargetgroup.html). + +## Syntax + +Ensure that the target group exists. + +```ruby +describe aws_rds_db_proxy_target_groups(db_proxy_name: 'DB_PROXY_NAME') do + it { should exist } +end +``` + +## Parameters + +`db_proxy_name` _(required)_ + +: The identifier for the proxy. This name must be unique for all proxies owned by your AWS account in the specified AWS Region. + +## Properties + +`db_proxy_names` +: The identifier for the proxy. This name must be unique for all proxies owned by your AWS account in the specified AWS Region. + +: **Field**: `db_proxy_name` + +`target_group_names` +: The identifier for the target group. + +: **Field**: `target_group_name` + +`target_group_arns` +: The Amazon Resource Name (ARN) representing the target group. + +: **Field**: `target_group_arn` + +`is_default` +: Whether this target group is the first one used for connection requests by the associated proxy. + +: **Field**: `is_default` + +`statuses` +: The current status of this target group. + +: **Field**: `status` + +`connection_pool_configs` +: The settings that determine the size and behavior of the connection pool for the target group. 
+ +: **Field**: `connection_pool_config` + +`created_dates` +: The date and time when the target group was first created. + +: **Field**: `created_date` + +`updated_dates` +: The date and time when the target group was last updated. + +: **Field**: `updated_date` + +## Examples + +Ensure a DB proxy name is available: + +```ruby +describe aws_rds_db_proxy_target_groups(db_proxy_name: 'DB_PROXY_NAME') do + its('db_proxy_names') { should include 'DB_PROXY_NAME' } +end +``` + +Ensure a target group name is available: + +```ruby +describe aws_rds_db_proxy_target_groups(db_proxy_name: 'DB_PROXY_NAME') do + its('target_group_names') { should include 'TARGET_GROUP_NAME' } +end +``` + +Ensure a status is `available`: + +```ruby +describe aws_rds_db_proxy_target_groups(db_proxy_name: 'DB_PROXY_NAME') do + its('statuses') { should include 'available' } +end +``` + +## Matchers + +{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}} + +The controls will pass if the `describe` method returns at least one result. + +### exist + +Use `should` to test that the entity exists. + +```ruby +describe aws_rds_db_proxy_target_groups(db_proxy_name: 'DB_PROXY_NAME') do + it { should exist } +end +``` + +Use `should_not` to test the entity does not exist. + +```ruby +describe aws_rds_db_proxy_target_groups(db_proxy_name: 'DB_PROXY_NAME') do + it { should_not exist } +end +``` + +### be_available + +Use `should` to check if the entity is available. + +```ruby +describe aws_rds_db_proxy_target_groups(db_proxy_name: 'DB_PROXY_NAME') do + it { should be_available } +end +``` + +## AWS Permissions + +{{% inspec-aws/aws_permissions_principal action="RDS:Client:DescribeDBProxyTargetGroupsResponse" %}} diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_rds_db_security_group.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_rds_db_security_group.md new file mode 100644 index 0000000..d085a18 --- /dev/null 
+++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_rds_db_security_group.md 
@@ -0,0 +1,157 @@ ++++ +title = "aws_rds_db_security_group resource" + +draft = false + + +[menu.aws] +title = "aws_rds_db_security_group" +identifier = "inspec/resources/aws/aws_rds_db_security_group resource" +parent = "inspec/resources/aws" ++++ + +Use the `aws_rds_db_security_group` InSpec audit resource to test properties of a single Amazon Relational Database Service (RDS) database security group. + +For additional information, including details on parameters and properties, see the [AWS documentation on the `AWS::RDS::DBSecurityGroup` resource](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-rds-security-group.html). + +## Syntax + +Ensure that the security group exists. + +```ruby +describe aws_rds_db_security_group(db_security_group_name: 'DB_SECURITY_GROUP_NAME') do + it { should exist } +end +``` + +## Parameters + +`db_security_group_name` _(required)_ + +: The identifier for the security group. + +## Properties + +`owner_id` +: Provides the Amazon Web Services ID of the owner of a specific DB security group. + +: **Field**: `owner_id` + +`db_security_group_name` +: Specifies the name of the DB security group. + +: **Field**: `db_security_group_name` + +`db_security_group_description` +: Provides the description of the DB security group. + +: **Field**: `db_security_group_description` + +`vpc_id` +: Provides the VpcId of the DB security group. + +: **Field**: `vpc_id` + +`ec2_security_groups` +: Contains a list of EC2SecurityGroup elements. + +: **Field**: `ec2_security_groups` + +`ec2_security_group_statuses` +: Provides the status of the EC2 security group. Status can be "authorizing", "authorized", "revoking", and "revoked". + +: **Field**: `ec2_security_group (status)` + +`ec2_security_group_names` +: Specifies the name of the EC2 security group. + +: **Field**: `ec2_security_group_name` + +`ec2_security_group_ids` +: pecifies the id of the EC2 security group. 
+ +: **Field**: `ec2_security_group_id` + +`ec2_security_group_owner_ids` +: pecifies the Amazon Web Services ID of the owner of the EC2 security group specified in the EC2SecurityGroupName field. + +: **Field**: `ec2_security_group_owner_id` + +`ip_ranges_statuses` +: Specifies the status of the IP range. Status can be "authorizing", "authorized", "revoking", and "revoked". + +: **Field**: `ip_ranges (status)` + +`ip_ranges_cidrips` +: Specifies the IP range. + +: **Field**: `cidrip` + +`db_security_group_arn` +: The Amazon Resource Name (ARN) for the DB security group. + +: **Field**: `db_security_group_arn` + +## Examples + +Ensure a security group name is available: + +```ruby +describe aws_rds_db_security_group(db_security_group_name: 'DB_SECURITY_GROUP_NAME') do + its('db_security_group_name') { should eq 'DB_SECURITY_GROUP_NAME' } +end +``` + +Ensure a security group description is available: + +```ruby +describe aws_rds_db_security_group(db_security_group_name: 'DB_SECURITY_GROUP_NAME') do + its('db_security_group_description') { should eq 'DB_SECURITY_GROUP_DESCRIPTION' } +end +``` + +Ensure a status is `authorized`: + +```ruby +describe aws_rds_db_security_group(db_security_group_name: 'DB_SECURITY_GROUP_NAME') do + its('ec2_security_group_statuses') { should include 'authorized' } +end +``` + +## Matchers + +{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}} + +The controls will pass if the `describe` method returns at least one result. + +### exist + +Use `should` to test that the entity exists. + +```ruby +describe aws_rds_db_security_group(db_security_group_name: 'DB_SECURITY_GROUP_NAME') do + it { should exist } +end +``` + +Use `should_not` to test the entity does not exist. + +```ruby +describe aws_rds_db_security_group(db_security_group_name: 'DB_SECURITY_GROUP_NAME') do + it { should_not exist } +end +``` + +### be_available + +Use `should` to check if the entity is available. 
+ +```ruby +describe aws_rds_db_security_group(db_security_group_name: 'DB_SECURITY_GROUP_NAME') do + it { should be_available } +end +``` + +## AWS Permissions + +{{% inspec-aws/aws_permissions_principal action="RDS:Client:DescribeDBSecurityGroup" %}} diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_rds_db_security_groups.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_rds_db_security_groups.md new file mode 100644 index 0000000..408c0af --- /dev/null +++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_rds_db_security_groups.md 
@@ -0,0 +1,108 @@ ++++ +title = "aws_rds_db_security_groups resource" + +draft = false + + +[menu.aws] +title = "aws_rds_db_security_groups" +identifier = "inspec/resources/aws/aws_rds_db_security_groups resource" +parent = "inspec/resources/aws" ++++ + +Use the `aws_rds_db_security_groups` InSpec audit resource to test properties of multiple Amazon Relational Database Service (RDS) database security groups. + +## Syntax + +Ensure that the DB security group exists. + +```ruby +describe aws_rds_db_security_groups do + it { should exist } +end +``` + +For additional information, see the [AWS documentation on the `AWS::RDS::DBSecurityGroup` resource](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-rds-security-group.html). + +## Properties + +`owner_ids` +: Provides the Amazon Web Services ID of the owner of a specific DB security group. + +: **Field**: `owner_id` + +`db_security_group_names` +: The name of the DB security group to return details for. + +: **Field**: `db_security_group_name` + +`db_security_group_descriptions` +: Provides the description of the DB security group. + +: **Field**: `db_security_group_description` + +`vpc_ids` +: Provides the VpcId of the DB security group. + +: **Field**: `vpc_id` + +`db_security_group_arns` +: The Amazon Resource Name (ARN) for the DB security group. + +: **Field**: `db_security_group_arn` + +## Examples + +Ensure a DB security group name is available: + +```ruby +describe aws_rds_db_security_groups do + its('db_security group_names') { should include 'DB_SECURITY_GROUP_NAME' } +end +``` + +Ensure a DB security group ARN is available: + +```ruby +describe aws_rds_db_security_groups do + its('db_security_group_arns') { should include 'DB_SECURITY_GROUP_ARN' } +end +``` + +## Matchers + +{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}} + +The controls will pass if the `describe` method returns at least one result. + +### exist + +Use `should` to test that the entity exists. 
+ +```ruby +describe aws_rds_db_security_groups do + it { should exist } +end +``` + +Use `should_not` to test the entity does not exist. + +```ruby +describe aws_rds_db_security_groups do + it { should_not exist } +end +``` + +### be_available + +Use `should` to check if the entity is available. + +```ruby +describe aws_rds_db_security_groups do + it { should be_available } +end +``` + +## AWS Permissions + +{{% inspec-aws/aws_permissions_principal action="RDS:Client:DescribeDBSecurityGroup" %}} diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_rds_event_subscription.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_rds_event_subscription.md new file mode 100644 index 0000000..a6e9394 --- /dev/null +++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_rds_event_subscription.md 
@@ -0,0 +1,127 @@ ++++ +title = "aws_rds_event_subscription resource" + +draft = false + + +[menu.aws] +title = "aws_rds_event_subscription" +identifier = "inspec/resources/aws/aws_rds_event_subscription resource" +parent = "inspec/resources/aws" ++++ + +Use the `aws_rds_event_subscription` InSpec audit resource to test properties of a single AWS RDS event subscription. + +For additional information, including details on parameters and properties, see the [AWS documentation on the `AWS::RDS::EventSubscription` resource](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-rds-eventsubscription.html). + +## Syntax + +Ensure that the event subscription exists. + +```ruby +describe aws_rds_event_subscription(subscription_name: 'EVENT_SUBSCRIPTION_NAME') do + it { should exist } +end +``` + +## Parameters + +`subscription_name` _(required)_ + +: The identifier for the event subscription. + +## Properties + +`customer_aws_id` +: The Amazon Web Services customer account associated with the RDS event notification subscription. + +`cust_subscription_id` +: The RDS event notification subscription ID. + +`sns_topic_arn` +: The topic ARN of the RDS event notification subscription. + +`status` +: The status of the RDS event notification subscription. + +`subscription_creation_time` +: The time the RDS event notification subscription was created. + +`source_type` +: The source type for the RDS event notification subscription. + +`source_ids_list` +: A list of source IDs for the RDS event notification subscription. + +`event_categories_list` +: A list of event categories for the RDS event notification subscription. + +`enabled` +: A Boolean value indicating if the subscription is enabled. True indicates the subscription is enabled. + +`event_subscription_arn` +: The Amazon Resource Name (ARN) for the event subscription. 
+ +## Examples + +Ensure an event subscription name is available: + +```ruby +describe aws_rds_event_subscription(subscription_name: 'EVENT_SUBSCRIPTION_NAME') do + its('cust_subscription_id') { should eq 'CUST_SUBSCRIPTION_ID' } +end +``` + +Ensure an event subscription SNS topic ARN is available: + +```ruby +describe aws_rds_event_subscription(subscription_name: 'EVENT_SUBSCRIPTION_NAME') do + its('sns_topic_arn') { should eq 'SNS_TOPIC_ARN' } +end +``` + +Ensure a customer AWS ID is available: + +```ruby +describe aws_rds_event_subscription(subscription_name: 'EVENT_SUBSCRIPTION_NAME') do + its('customer_aws_id') { should eq 'CUSTOMER_AWS_ID' } +end +``` + +## Matchers + +{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}} + +The controls will pass if the `describe` method returns at least one result. + +### exist + +Use `should` to test that the entity exists. + +```ruby +describe aws_rds_event_subscription(subscription_name: 'EVENT_SUBSCRIPTION_NAME') do + it { should exist } +end +``` + +Use `should_not` to test the entity does not exist. + +```ruby +describe aws_rds_event_subscription(subscription_name: 'EVENT_SUBSCRIPTION_NAME') do + it { should_not exist } +end +``` + +### be_available + +Use `should` to check if the entity is available. + +```ruby +describe aws_rds_event_subscription(subscription_name: 'EVENT_SUBSCRIPTION_NAME') do + it { should be_available } +end +``` + +## AWS Permissions + +{{% inspec-aws/aws_permissions_principal action="RDS:Client:DescribeEventSubscriptionsMessage" %}} diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_rds_event_subscriptions.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_rds_event_subscriptions.md new file mode 100644 index 0000000..79ef2a7 --- /dev/null +++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_rds_event_subscriptions.md 
@@ -0,0 +1,145 @@
++++
+title = "aws_rds_event_subscriptions resource"
+
+draft = false
+
+
+[menu.aws]
+title = "aws_rds_event_subscriptions"
+identifier = "inspec/resources/aws/aws_rds_event_subscriptions resource"
+parent = "inspec/resources/aws"
++++
+
+Use the `aws_rds_event_subscriptions` InSpec audit resource to test properties of multiple AWS RDS event subscriptions.
+
+For additional information, including details on parameters and properties, see the [AWS documentation on the `AWS::RDS::EventSubscription` resource](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-rds-eventsubscription.html).
+
+## Syntax
+
+Ensure that the event subscription exists.
+
+```ruby
+describe aws_rds_event_subscriptions do
+ it { should exist }
+end
+```
+
+## Parameters
+
+This resource does not require any parameters.
+
+## Properties
+
+`customer_aws_ids`
+: The Amazon Web Services customer account associated with the RDS event notification subscription.
+
+: **Field**: `customer_aws_id`
+
+`cust_subscription_ids`
+: The RDS event notification subscription Id.
+
+: **Field**: `cust_subscription_id`
+
+`sns_topic_arns`
+: The topic ARN of the RDS event notification subscription.
+
+: **Field**: `sns_topic_arn`
+
+`statuses`
+: The status of the RDS event notification subscription.
+
+: **Field**: `status`
+
+`subscription_creation_times`
+: The time the RDS event notification subscription was created.
+
+: **Field**: `subscription_creation_time`
+
+`source_types`
+: The source type for the RDS event notification subscription.
+
+: **Field**: `source_type`
+
+`source_ids_lists`
+: A list of source IDs for the RDS event notification subscription.
+
+: **Field**: `source_ids_list`
+
+`event_categories_lists`
+: A list of event categories for the RDS event notification subscription.
+
+: **Field**: `event_categories_list`
+
+`enabled`
+: A Boolean value indicating if the subscription is enabled. True indicates the subscription is enabled.
+
+: **Field**: `enabled`
+
+`event_subscription_arns`
+: The Amazon Resource Name (ARN) for the event subscription.Exceptions.
+
+: **Field**: `event_subscription_arn`
+
+## Examples
+
+Ensure an event subscription name is available:
+
+```ruby
+describe aws_rds_event_subscriptions do
+ its('cust_subscription_ids') { should include 'CUST_SUBSCRIPTION_ID' }
+end
+```
+
+Ensure an event subscription SNS Topic ARN is available:
+
+```ruby
+describe aws_rds_event_subscriptions do
+ its('sns_topic_arns') { should include 'SNS_TOPIC_ARN' }
+end
+```
+
+Ensure a customer AWS ID is available:
+
+```ruby
+describe aws_rds_event_subscriptions do
+ its('customer_aws_ids') { should include 'CUSTOMER_AWS_ID' }
+end
+```
+
+## Matchers
+
+{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}}
+
+The controls will pass if the `describe` method returns at least one result.
+
+### exist
+
+Use `should` to test that the entity exists.
+
+```ruby
+describe aws_rds_event_subscriptions do
+ it { should exist }
+end
+```
+
+Use `should_not` to test the entity does not exist.
+
+```ruby
+describe aws_rds_event_subscriptions do
+ it { should_not exist }
+end
+```
+
+### be_available
+
+Use `should` to check if the entity is available.
+
+```ruby
+describe aws_rds_event_subscriptions do
+ it { should be_available }
+end
+```
+
+## AWS Permissions
+
+{{% inspec-aws/aws_permissions_principal action="RDS:Client:DescribeDBSecurityGroup" %}}
diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_rds_global_cluster.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_rds_global_cluster.md
new file mode 100644
index 0000000..cd8d97e
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_rds_global_cluster.md
@@ -0,0 +1,147 @@
++++
+title = "aws_rds_global_cluster resource"
+
+draft = false
+
+
+[menu.aws]
+title = "aws_rds_global_cluster"
+identifier = "inspec/resources/aws/aws_rds_global_cluster resource"
+parent = "inspec/resources/aws"
++++
+
+Use the `aws_rds_global_cluster` InSpec audit resource to test properties of a single Amazon Aurora global database cluster.
+
+The `AWS::RDS::GlobalCluster` resource creates or updates an Amazon Aurora global database spread across multiple AWS Regions.
+
+For additional information, including details on parameters and properties, see the [AWS documentation on the `AWS::RDS::GlobalCluster` resource type](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-rds-globalcluster.html).
+
+## Syntax
+
+Ensure that the global cluster exists.
+
+```ruby
+describe aws_rds_global_cluster(global_cluster_identifier: 'GLOBAL_CLUSTER_IDENTIFIER') do
+ it { should exist }
+end
+```
+
+## Parameters
+
+`global_cluster_identifier` _(required)_
+
+: The cluster identifier of the global database cluster.
+
+## Properties
+
+`global_cluster_identifier`
+: The list of global clusters returned by this request.
+
+`global_cluster_resource_id`
+: Contains a user-supplied global database cluster identifier. This identifier is the unique key that identifies a global database cluster.
+
+`global_cluster_arn`
+: The Amazon Web Services Region-unique, immutable identifier for the global database cluster.
+
+`status`
+: Specifies the current state of this global database cluster.
+
+`engine`
+: The Aurora database engine used by the global database cluster.
+
+`engine_version`
+: Indicates the database engine version.
+
+`database_name`
+: The default database name within the new global database cluster.
+
+`storage_encrypted`
+: The storage encryption setting for the global database cluster.
+
+`deletion_protection`
+: The deletion protection setting for the new global database cluster.
+
+`failover_state.status`
+: The current status of the Aurora global database ( GlobalCluster ).
+
+`failover_state.from_db_cluster_arn`
+: The Amazon Resource Name (ARN) of the Aurora DB cluster that is currently being demoted, and which is associated with this state.
+
+`failover_state.to_db_cluster_arn`
+: The Amazon Resource Name (ARN) of the Aurora DB cluster that is currently being promoted, and which is associated with this state.
+
+`global_cluster_members.db_cluster_arn`
+: The Amazon Resource Name (ARN) for each Aurora cluster.
+
+`global_cluster_members.readers`
+: The Amazon Resource Name (ARN) for each read-only secondary cluster associated with the Aurora global database.
+
+`global_cluster_members.is_writer`
+: Specifies whether the Aurora cluster is the primary cluster (that is, has read-write capability) for the Aurora global database with which it is associated.
+
+`global_cluster_members.global_write_forwarding_status`
+: Specifies whether a secondary cluster in an Aurora global database has write forwarding enabled, not enabled, or is in the process of enabling it.
+
+## Examples
+
+Ensure a DB global cluster is available:
+
+```ruby
+describe aws_rds_global_cluster(global_cluster_identifier: 'GLOBAL_CLUSTER_IDENTIFIER'') do
+ its('global_cluster_resource_id') { should eq 'GLOBAL_CLUSTER_ID' }
+end
+```
+
+Ensure a global cluster engine is available:
+
+```ruby
+describe aws_rds_global_cluster(global_cluster_identifier: 'GLOBAL_CLUSTER_IDENTIFIER'') do
+ its('engine') { should eq 'ENGINE' }
+end
+```
+
+Ensure a status is `available`:
+
+```ruby
+describe aws_rds_global_cluster(global_cluster_identifier: 'GLOBAL_CLUSTER_IDENTIFIER'') do
+ its('status') { should eq 'available' }
+end
+```
+
+## Matchers
+
+{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}}
+
+The controls will pass if the `describe` method returns at least one result.
+
+### exist
+
+Use `should` to test that the entity exists.
+
+```ruby
+describe aws_rds_global_cluster(global_cluster_identifier: 'GLOBAL_CLUSTER_IDENTIFIER'') do
+ it { should exist }
+end
+```
+
+Use `should_not` to test the entity does not exist.
+
+```ruby
+describe aws_rds_global_cluster(global_cluster_identifier: 'GLOBAL_CLUSTER_IDENTIFIER'') do
+ it { should_not exist }
+end
+```
+
+### be_available
+
+Use `should` to check if the entity is available.
+
+```ruby
+describe aws_rds_global_cluster(global_cluster_identifier: 'GLOBAL_CLUSTER_IDENTIFIER') do
+ it { should be_available }
+end
+```
+
+## AWS Permissions
+
+{{% inspec-aws/aws_permissions_principal action="RDS:Client:DescribeGlobalClustersMessage" %}}
diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_rds_global_clusters.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_rds_global_clusters.md
new file mode 100644
index 0000000..3122a1c
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_rds_global_clusters.md
@@ -0,0 +1,138 @@
++++
+title = "aws_rds_global_clusters resource"
+
+draft = false
+
+
+[menu.aws]
+title = "aws_rds_global_clusters"
+identifier = "inspec/resources/aws/aws_rds_global_clusters resource"
+parent = "inspec/resources/aws"
++++
+
+Use the `aws_rds_global_clusters` InSpec audit resource to test properties of multiple Amazon Aurora global database clusters.
+
+The AWS::RDS::GlobalCluster resource creates or updates an Amazon Aurora global database spread across multiple AWS Regions.
+
+## Syntax
+
+Ensure that the global cluster exists.
+
+```ruby
+aws_rds_global_clusters do
+ it { should exist }
+end
+```
+
+For additional information, see the [AWS documentation on the `AWS::RDS::GlobalCluster` resource type](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-rds-globalcluster.html).
+
+## Properties
+
+`global_cluster_identifiers`
+: The list of global clusters returned by this request.
+
+: **Field**: `global_cluster_identifier`
+
+`global_cluster_resource_ids`
+: Contains a user-supplied global database cluster identifier.
+
+: **Field**: `global_cluster_resource_id`
+
+`global_cluster_arns`
+: The Amazon Web Services Region-unique, immutable identifier for the global database cluster.
+
+: **Field**: `global_cluster_arn`
+
+`statuses`
+: Specifies the current state of this global database cluster.
+
+: **Field**: `status`
+
+`engines`
+: The Aurora database engine used by the global database cluster.
+
+: **Field**: `engine`
+
+`engine_versions`
+: Indicates the database engine version.
+
+: **Field**: `engine_version`
+
+`database_names`
+: The default database name within the new global database cluster.
+
+: **Field**: `database_name`
+
+`storage_encrypted`
+: The storage encryption setting for the global database cluster.
+
+: **Field**: `storage_encrypted`
+
+`deletion_protections`
+: The deletion protection setting for the new global database cluster.
+
+: **Field**: `deletion_protection`
+
+## Examples
+
+Ensure global cluster resource ID is available:
+
+```ruby
+describe aws_rds_global_clusters do
+ its('global_cluster_identifiers') { should include 'GLOBAL_CLUSTER_IDENTIFIER' }
+end
+```
+
+Ensure global cluster resource ID is available:
+
+```ruby
+describe aws_rds_global_clusters do
+ its('global_cluster_resource_ids') { should include 'GLOBAL_CLUSTER_RESOURCE_ID' }
+end
+```
+
+Ensure a status is `available`:
+
+```ruby
+describe aws_rds_global_clusters do
+ its('statuses') { should include 'available' }
+end
+```
+
+## Matchers
+
+{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}}
+
+The controls will pass if the `describe` method returns at least one result.
+
+### exist
+
+Use `should` to test that the entity exists.
+
+```ruby
+describe aws_rds_global_clusters do
+ it { should exist }
+end
+```
+
+Use `should_not` to test the entity does not exist.
+
+```ruby
+describe aws_rds_global_clusters do
+ it { should_not exist }
+end
+```
+
+### be_available
+
+Use `should` to check if the entity is available.
+
+```ruby
+describe aws_rds_global_clusters do
+ it { should be_available }
+end
+```
+
+## AWS Permissions
+
+{{% inspec-aws/aws_permissions_principal action="RDS:Client:DescribeGlobalClustersMessage" %}}
diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_rds_group_option.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_rds_group_option.md
new file mode 100644
index 0000000..5c562d5
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_rds_group_option.md
@@ -0,0 +1,117 @@
++++
+title = "aws_rds_group_option resource"
+
+draft = false
+
+
+[menu.aws]
+title = "aws_rds_group_option"
+identifier = "inspec/resources/aws/aws_rds_group_option resource"
+parent = "inspec/resources/aws"
++++
+
+Use the `aws_rds_group_option` InSpec audit resource to test detailed properties of an individual RDS cluster.An `aws_rds_group_option` resource block uses resource parameters to search for an RDS option group, and then tests that RDS option group. If no RDS option group match, no error is raised, but the `exists` matcher will return `false` and all properties will be `nil`.
+
+RDS gives you access to the capabilities of a MySQL, MariaDB, PostgreSQL, Microsoft SQL Server, Oracle, or Amazon Aurora database server.
+
+For additional information, including details on parameters and properties, see the [AWS documentation on RDS Option Group](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-rds-optiongroup.html).
+
+## Syntax
+
+Ensure if the option group exists
+
+```ruby
+describe aws_rds_group_option('default:aurora-5-6') do
+ it { should exist }
+end
+```
+
+Can also use hash syntax:
+
+```ruby
+describe aws_rds_group_option(option_group_name: 'default:aurora-5-6') do
+ it { should exist }
+end
+```
+
+## Parameters
+
+`option_group_name` _(required)_
+
+: This resource accepts a single parameter, the user-supplied option_group_name. This parameter isn't case-sensitive.
+ This can be passed either as a string or as a `option_group_name: 'value'` key-value entry in a hash.
+
+## Properties
+
+`option_group_name`
+: The name RDS option group.
+
+`option_group_description`
+: The name of the database associated with each RDS cluster.
+
+`engine_name`
+: The name of the engine associated with each RDS cluster.
+
+`major_engine_version`
+: The major engine version of a option group.
+
+`option_group_arn`
+: The arn of a option group.
+
+`vpc_id`
+: The vpc id of option group.
+
+`allows_vpc_and_non_vpc_instance_memberships`
+: The storage allocated to each cluster.
+
+For a comprehensive list of properties available to test on an RDS option group see the [AWS Response Object](https://docs.aws.amazon.com/sdk-for-ruby/v3/api/Aws/RDS/DBCluster.html).
+
+## Examples
+
+Test the engine used with an aws_rds_group_option:
+
+```ruby
+describe aws_rds_group_option(option_group_name: 'mysql') do
+ its('engine_name') { should eq 'mysql' }
+ its('major_engine_version') { should eq '5.6.37' }
+end
+```
+
+Test the options to allocated to an aws_rds_group_option:
+
+```ruby
+describe aws_rds_group_option(option_group_name: 'mysql') do
+ its('options.option_name') { should eq 'test' }
+ its('options.permanent') { should eq true }
+end
+```
+
+## Matchers
+
+{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}}
+
+This resource has the following special matchers.
+
+### exist
+
+The control will pass if the describe returns at least one result.
+
+Use `should_not` to test the entity should not exist.
+
+```ruby
+describe aws_rds_group_option(option_group_name: 'mysql') do
+ it { should exist }
+end
+```
+
+```ruby
+describe aws_rds_group_option(option_group_name: 'mysql') do
+ it { should_not exist }
+end
+```
+
+## AWS Permissions
+
+{{% inspec-aws/aws_permissions_principal action="RDS:Client:OptionGroups" %}}
+
+You can find detailed documentation at [Actions, Resources, and Condition Keys for Amazon RDS](https://docs.aws.amazon.com/IAM/latest/UserGuide/list_amazonrds.html).
diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_rds_group_options.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_rds_group_options.md
new file mode 100644
index 0000000..f46d811
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_rds_group_options.md
@@ -0,0 +1,133 @@
++++
+title = "aws_rds_group_options resource"
+
+draft = false
+
+
+[menu.aws]
+title = "aws_rds_group_options"
+identifier = "inspec/resources/aws/aws_rds_group_options resource"
+parent = "inspec/resources/aws"
++++
+
+Use the `aws_rds_group_options` InSpec audit resource to test detailed properties of a group of Amazon Relational Database Service (RDS) clusters.
+
+RDS gives you access to the capabilities of a MySQL, MariaDB, PostgreSQL, Microsoft SQL Server, Oracle, or Amazon Aurora database server.
+
+## Syntax
+
+An `aws_rds_group_options` resource block uses resource parameters to search for an RDS option group, and then tests that RDS option group. If no RDS option group match, no error is raised, but the `exists` matcher will return `false` and all properties will be `nil`.
+describe aws_rds_group_option(engine_name: 'mysql') do
+it { should exist }
+end
+
+Can also use hash syntax:
+
+```ruby
+describe aws_rds_group_options do
+ it { should exist }
+end
+```
+
+## Parameters
+
+This resource does not require any parameters.
+
+## Properties
+
+`option_group_names`
+: The name RDS option group.
+
+: **Field**: `option_group_name`
+
+`option_group_description`
+: The name of the database associated with each RDS cluster.
+
+: **Field**: `option_group_description`
+
+`engine_names`
+: The name of the engine associated with each RDS cluster.
+
+: **Field**: `engine_name`
+
+`major_engine_versions`
+: The major engine version of a option group.
+
+: **Field**: `major_engine_version`
+
+`option_group_arns`
+: The arn of a option group.
+
+: **Field**: `option_group_arn`
+
+`vpc_ids`
+: The vpc id of option group.
+
+: **Field**: `vpc_id`
+
+`allows_vpc_and_non_vpc_instance_memberships`
+: The storage allocated to each cluster.
+
+: **Field**: `allows_vpc_and_non_vpc_instance_memberships`
+See the [AWS documentation on RDS cluster](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-rds-optiongroup.html).
+
+For a comprehensive list of properties available to test on an RDS cluster see the [AWS Response Object](https://docs.aws.amazon.com/sdk-for-ruby/v3/api/Aws/RDS/DBCluster.html).
+
+## Examples
+
+Test the engine used with an aws_rds_group_option:
+
+```ruby
+describe aws_rds_group_options do
+ its('engine_name') { should include 'mysql' }
+ its('major_engine_version') { should include '5.6.37' }
+end
+```
+
+Ensure a specific cluster exists:
+
+```ruby
+describe aws_rds_group_options do
+ its('option_group_name') { should include 'option_group_name8-test }
+end
+```
+
+Use the InSpec resource to request the IDs of all RDS clusters, then test in-depth using `aws_rds_cluster` to ensure all clusters are encrypted and have a sensible size:
+
+```ruby
+aws_rds_group_options.option_group_name.each do |option_group_name|
+ describe aws_rds_group_option(option_group_name) do
+ it { should exist }
+ end
+end
+```
+
+## Matchers
+
+{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}}
+
+This resource has the following special matchers.
+
+### exist
+
+The control will pass if the describe returns at least one result.
+
+Use `should_not` to test the entity should not exist.
+
+```ruby
+describe aws_rds_group_options do
+ it { should exist }
+end
+```
+
+```ruby
+describe aws_rds_group_options do
+ it { should_not exist }
+end
+```
+
+## AWS Permissions
+
+{{% inspec-aws/aws_permissions_principal action="RDS:Client:OptionGroups" %}}
+
+You can find detailed documentation at [Actions, Resources, and Condition Keys for Amazon RDS](https://docs.aws.amazon.com/IAM/latest/UserGuide/list_amazonrds.html).
diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_rds_instance.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_rds_instance.md
new file mode 100644
index 0000000..ddbda7e
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_rds_instance.md
@@ -0,0 +1,119 @@
++++
+title = "aws_rds_instance resource"
+
+draft = false
+
+
+[menu.aws]
+title = "aws_rds_instance"
+identifier = "inspec/resources/aws/aws_rds_instance resource"
+parent = "inspec/resources/aws"
++++
+
+Use the `aws_rds_instance` InSpec audit resource to test detailed properties of an individual RDS instance.
+
+RDS gives you access to the capabilities of a MySQL, MariaDB, PostgreSQL, Microsoft SQL Server, Oracle, or Amazon Aurora database server.
+
+For additional information, including details on parameters and properties, see the [AWS documentation on RDS](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/CHAP_GettingStarted.html).
+
+## Syntax
+
+An `aws_rds_instance` resource block uses resource parameters to search for an RDS instance, and then tests that RDS instance. If no RDS instances match, no error is raised, but the `exists` matcher will return `false` and all properties will be `nil`. If more than one RDS instance matches (due to vague search parameters), an error is raised.
+
+```ruby
+describe aws_rds_instance('test-instance-id') do
+ it { should exist }
+end
+```
+
+Can also use hash syntax:
+
+```ruby
+describe aws_rds_instance(db_instance_identifier: 'test-instance-id') do
+ it { should exist }
+end
+```
+
+## Parameters
+
+`db_instance_identifier` _(required if resource_data not provided)_
+
+: The user-supplied instance identifier. This parameter isn't case-sensitive.
+ This can be passed either as a string or as a `db_instance_identifier: 'value'` key-value entry in a hash.
+
+`resource_data` _(required if db_instance_identifier not provided)_
+
+: A hash or the cached AWS response passed from the `aws_rds_instances` resource.
+
+## Properties
+
+For a comprehensive list of properties available to test on an RDS Instance see the [AWS Response Object](https://docs.aws.amazon.com/sdk-for-ruby/v3/api/Aws/RDS/Types/DBInstance.html)
+
+## Examples
+
+Test the engine used with an RDS instance:
+
+```ruby
+describe aws_rds_instance(db_instance_identifier: 'awsrds123') do
+ its ('engine') { should eq 'mysql' }
+ its ('engine_version') { should eq '5.6.37' }
+end
+```
+
+Test the storage allocated to an RDS instance:
+
+```ruby
+describe aws_rds_instance(db_instance_identifier: 'awsrds123') do
+ its ('storage_type') { should eq 'gp2' }
+ its ('allocated_storage') { should eq 10 }
+end
+```
+
+Test the instance type and master username:
+
+```ruby
+describe aws_rds_instance(db_instance_identifier: 'awsrds123') do
+ its ('master_username') { should eq 'db-maintain' }
+ its ('db_instance_class') { should eq 'db.t3.micro' }
+end
+```
+
+Test the instance type and master username from cached resources:
+
+```ruby
+resource = aws_rds_instances.where(db_instance_identifier: 'awsrds123')
+describe aws_rds_instance(resource_data: resource) do
+ its ('master_username') { should eq 'db-maintain' }
+ its ('db_instance_class') { should eq 'db.t3.micro' }
+end
+```
+
+## Matchers
+
+{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}}
+
+This resource has the following special matchers.
+
+### exist
+
+The control will pass if the describe returns at least one result.
+
+Use `should_not` to test the entity should not exist.
+
+```ruby
+describe aws_rds_instance(db_instance_identifier: 'AnExistingRDS') do
+ it { should exist }
+end
+```
+
+```ruby
+describe aws_rds_instance(db_instance_identifier: 'ANonExistentRDS') do
+ it { should_not exist }
+end
+```
+
+## AWS Permissions
+
+{{% inspec-aws/aws_permissions_principal action="RDS:Client:DBInstanceMessage" %}}
+
+You can find detailed documentation at [Actions, Resources, and Condition Keys for Amazon RDS](https://docs.aws.amazon.com/IAM/latest/UserGuide/list_amazonrds.html).
diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_rds_instances.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_rds_instances.md
new file mode 100644
index 0000000..2f938f5
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_rds_instances.md
@@ -0,0 +1,100 @@
++++
+title = "aws_rds_instances resource"
+
+draft = false
+
+
+[menu.aws]
+title = "aws_rds_instances"
+identifier = "inspec/resources/aws/aws_rds_instances resource"
+parent = "inspec/resources/aws"
++++
+
+Use the `aws_rds_instances` InSpec audit resource to test properties of a collection of AWS RDS instances.
+
+RDS gives you access to the capabilities of a MySQL, MariaDB, PostgreSQL, Microsoft SQL Server, Oracle, or Amazon Aurora database server.
+
+RDS instances are compute instances used by the RDS service.
+
+## Syntax
+
+Ensure you have exactly 3 instances
+
+```ruby
+describe aws_rds_instances do
+ its('db_instance_identifiers.count') { should cmp 3 }
+end
+```
+
+## Parameters
+
+This resource does not require any parameters.
+
+## Properties
+
+`db_instance_identifiers`
+: The unique IDs of the RDS Instances returned.
+
+`db_instance_classes`
+: The list of the name of the compute and memory capacity class of the DB instances.
+
+`db_security_groups`
+: A list of DB security group elements containing `DBSecurityGroup.Name` and `DBSecurityGroup.Status` subelements.
+
+`vpc_security_groups`
+: Provides a list of VPC security group elements that the DB instance belongs to.
+
+`entries`
+: Provides access to the raw results of the query, which can be treated as an array of hashes.
+
+See the [AWS RDS DBInstance API documentation](https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_DBInstance.html) for more information.
+
+## Examples
+
+Ensure a specific instance exists:
+
+```ruby
+describe aws_rds_instances do
+ its('db_instance_identifiers') { should include 'rds-12345678' }
+end
+```
+
+Use the InSpec resource to request the IDs of all RDS instances, then test in-depth using `aws_rds_instance` to ensure all instances are encrypted and have a sensible size:
+
+```ruby
+aws_rds_instances.db_instance_identifiers.each do |db_instance_identifier|
+ describe aws_rds_instance(db_instance_identifier) do
+ it { should be_encrypted }
+ end
+end
+```
+
+## Matchers
+
+{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}}
+
+This resource has the following special matchers.
+
+### exist
+
+The control will pass if the describe returns at least one result.
+
+Use `should_not` to test the entity should not exist.
+
+```ruby
+describe aws_rds_instances do
+ it { should exist }
+end
+```
+
+```ruby
+describe aws_rds_instances do
+ it { should_not exist }
+end
+```
+
+## AWS Permissions
+
+{{% inspec-aws/aws_permissions_principal action="RDS:Client:DBInstanceMessage" %}}
+
+You can find detailed documentation at [Actions, Resources, and Condition Keys for Amazon EC2](https://docs.aws.amazon.com/IAM/latest/UserGuide/list_amazonec2.html), and [Actions, Resources, and Condition Keys for Identity And Access Management](https://docs.aws.amazon.com/IAM/latest/UserGuide/list_identityandaccessmanagement.html).
diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_rds_snapshot.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_rds_snapshot.md
new file mode 100644
index 0000000..a00762d
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_rds_snapshot.md
@@ -0,0 +1,127 @@
++++
+title = "aws_rds_snapshot resource"
+
+draft = false
+
+
+[menu.aws]
+title = "aws_rds_snapshot"
+identifier = "inspec/resources/aws/aws_rds_snapshot resource"
+parent = "inspec/resources/aws"
++++
+
+Use the `aws_rds_snapshot` InSpec audit resource to test the detailed properties of an individual RDS snapshot.
+
+For additional information, including details on parameters and properties, see the [AWS documentation on RDS](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/CHAP_GettingStarted.html).
+
+## Syntax
+
+An `aws_rds_snapshot` resource block uses resource parameters to search for an RDS snapshot and test the respective RDS snapshot.
+
+No error is raised if no RDS snapshots match. However, the `exists` matcher will return `false`, and all properties will be `nil`.
+
+An error is raised if more than one RDS snapshot matches (due to vague search parameters).
+
+```ruby
+describe aws_rds_snapshot('TEST-SNAPSHOT-ID') do
+ it { should exist }
+end
+```
+
+Can also use hash syntax:
+
+```ruby
+describe aws_rds_snapshot(db_snapshot_identifier: 'TEST-SNAPSHOT-ID') do
+ it { should exist }
+end
+```
+
+Passing in:
+
+```ruby
+describe aws_rds_snapshot(resource_data: 'RESOURCE_DATA_OBJECT') do
+ it { should exist }
+end
+```
+
+## Parameters
+
+`db_snapshot_identifier` _(required if resource_data not provided)_
+
+: The user-supplied database snapshot identifier.
+ This parameter can passed as a string or a `db_snapshot_identifier: 'value'` key-value entry in a hash.
+
+`resource_data` _(required if db_snapshot_identifier not provided)_
+
+: A cached resource data object.
+ This must be passed key-value entry in a hash. For example, `resource_data: 'RESOURCE_DATA_OBJECT'` .
+
+## Properties
+
+For a comprehensive list of properties available to test on an RDS snapshot see the [AWS Response Object](https://docs.aws.amazon.com/sdk-for-ruby/v3/api/Aws/RDS/Types/DBSnapshot.html)
+
+## Examples
+
+Tests the engine used is with an RDS snapshot:
+
+```ruby
+describe aws_rds_snapshot(db_snapshot_identifier: 'AWSRDS123') do
+ its ('engine') { should eq 'MYSQL' }
+ its ('engine_version') { should eq '5.6.37' }
+end
+```
+
+Tests the storage allocated to an RDS snapshot:
+
+```ruby
+describe aws_rds_snapshot(db_snapshot_identifier: 'AWSRDS123') do
+ its ('allocated_storage') { should eq 10 }
+end
+```
+
+Tests the snapshot type and master username:
+
+```ruby
+describe aws_rds_snapshot(db_snapshot_identifier: 'AWSRDS123') do
+ its ('master_username') { should eq 'DB-MAINTAIN' }
+end
+```
+
+Tests the snapshot using cached resource data:
+
+```ruby
+describe aws_rds_snapshot(resource_data: 'AWS_RDS_SNAPSHOT') do
+ its ('engine') { should eq 'MYSQL' }
+ its ('engine_version') { should eq '5.6.37' }
+end
+```
+
+## Matchers
+
+{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}}
+
+This resource has the following special matchers.
+
+### exist
+
+The control will pass if the describe returns at least one result.
+
+Use `should_not` to test the entity should not exist.
+
+```ruby
+describe aws_rds_snapshot(db_snapshot_identifier: 'AnExistingRDS') do
+ it { should exist }
+end
+```
+
+```ruby
+describe aws_rds_snapshot(db_snapshot_identifier: 'ANonExistentRDS') do
+ it { should_not exist }
+end
+```
+
+## AWS Permissions
+
+{{% inspec-aws/aws_permissions_principal action="RDS:Client:DBSnapshotMessage" %}}
+
+You can find detailed documentation at [Actions, Resources, and Condition Keys for Amazon RDS](https://docs.aws.amazon.com/IAM/latest/UserGuide/list_amazonrds.html).
diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_rds_snapshot_attributes.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_rds_snapshot_attributes.md
new file mode 100644
index 0000000..767b261
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_rds_snapshot_attributes.md
@@ -0,0 +1,102 @@ ++++ +title = "aws_rds_snapshot_attributes resource" + +draft = false + + +[menu.aws] +title = "aws_rds_snapshot_attributes" +identifier = "inspec/resources/aws/aws_rds_snapshot_attributes resource" +parent = "inspec/resources/aws" ++++ + +Use the `aws_rds_snapshotattributes` InSpec audit resource to test the detailed properties of an individual RDS snapshot attrbutes. + +For additional information, including details on parameters and properties, see the [AWS documentation on RDS](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/CHAP_GettingStarted.html). + +## Syntax + +An `aws_rds_snapshot_attributes` resource block uses resource parameters to search for an RDS snapshot and test the respective RDS snapshot attributes. + +No error is raised if no RDS snapshots match. However, the `exists` matcher will return `false`, and all properties will be `nil`. + +An error is raised if more than one RDS snapshot matches (due to vague search parameters). + +```ruby +describe aws_rds_snapshot_attributes('TEST-SNAPSHOT-ID') do + it { should exist } +end +``` + +Can also use hash syntax: + +```ruby +describe aws_rds_snapshot_attributes(db_snapshot_identifier: 'TEST-SNAPSHOT-ID') do + it { should exist } +end +``` + +## Parameters + +`db_snapshot_identifier` + +: This resource accepts a single parameter either as a string or a `db_snapshot_identifier: 'value'` key-value entry in a hash. This parameter is user-supplied DB snapshot identifier. This parameter isn't case-sensitive and is a required parameter. + +## Properties + +`db_snapshot_identifier` +: The unique ID of the RDS snapshot returned. + +`attribute_name` +: The name of the attribute returned for a RDS snapshot. + +`attribute_values` +: The attribute values associated with the attribute_name. 
+ +## Examples + +Tests the attribute name of RDS snapshot: + +```ruby +describe aws_rds_snapshot-attributes(db_snapshot_identifier: 'AWSRDS123') do + its ('attribute_name') { should eq 'restore' } +end +``` + +Tests the attribute value of attribute name for a RDS snapshot: + +```ruby +describe aws_rds_snapshot_attributes(db_snapshot_identifier: 'AWSRDS123').where('attribute_name' == 'restore') do + its('attribute_values') { should_not include 'all' } +end +``` + +## Matchers + +{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}} + +This resource has the following special matchers. + +### exist + +The control will pass if the describe returns at least one result. + +Use `should_not` to test the entity should not exist. + +```ruby +describe aws_rds_snapshot_attributes(db_snapshot_identifier: 'AnExistingRDS') do + it { should exist } +end +``` + +```ruby +describe aws_rds_snapshot_attributes(db_snapshot_identifier: 'ANonExistentRDS') do + it { should_not exist } +end +``` + +## AWS Permissions + +{{% inspec-aws/aws_permissions_principal action="RDS:Client:DescribeDBSnapshotAttributesResult" %}} + +You can find detailed documentation at [Actions, Resources, and Condition Keys for Amazon RDS](https://docs.aws.amazon.com/IAM/latest/UserGuide/list_amazonrds.html). diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_rds_snapshots.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_rds_snapshots.md new file mode 100644 index 0000000..f410e8b --- /dev/null +++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_rds_snapshots.md 
@@ -0,0 +1,109 @@ ++++ +title = "aws_rds_snapshots resource" + +draft = false + + +[menu.aws] +title = "aws_rds_snapshots" +identifier = "inspec/resources/aws/aws_rds_snapshots resource" +parent = "inspec/resources/aws" ++++ + +Use the `aws_rds_snapshots` InSpec audit resource to test the properties of a collection of AWS RDS snapshots. + +## Syntax + + Ensure you have three snapshots. + +```ruby +describe aws_rds_snapshots do + its('db_snapshot_identifiers.count') { should cmp 3 } +end +``` + +## Parameters + +This resource does not require any parameters. + +## Properties + +`db_snapshot_identifiers` +: The unique IDs of the RDS snapshots returned. + +`entries` +: Provides access to the raw results of the query, which can be treated as an array of hashes. + +## Examples + +Ensure a specific snapshot exists: + +```ruby +describe aws_rds_snapshots do + its('db_snapshot_identifiers') { should include 'RDS-12345678' } +end +``` + +Requests the IDs of RDS snapshots and ensures the snapshots are encrypted with sensible size: + +```ruby +aws_rds_snapshots.db_snapshot_identifiers.each do |db_snapshot_identifier| + describe aws_rds_snapshot(db_snapshot_identifier) do + it { should be_encrypted } + end +end +``` + +Tests the snapshot using cached resource_data: + +```ruby +aws_rds_snapshots.entries.each do |AWS_RDS_SNAPSHOT| + describe aws_rds_snapshot(resource_data: AWS_RDS_SNAPSHOT) do + its ('engine') { should eq 'MYSQL' } + its ('engine_version') { should eq '5.6.37' } + end +end +``` + +Loop through all RDS snapshots and test each snapshot with singular resource: + +This method uses local in-memory caching to test each snapshot for quicker execution of large sets of test cases. 
+ +```ruby +aws_rds_snapshots.entries.each do |AWS_RDS_SNAPSHOT| + describe aws_rds_snapshot(resource_data: AWS_RDS_SNAPSHOT) do + it { should exist } + it { should have_encrypted_snapshot } + end +end +``` + +## Matchers + +{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}} + +This resource has the following special matchers. + +### exist + +The control will pass if the describe returns at least one result. + +Use `should_not` to test the entity should not exist. + +```ruby +describe aws_rds_snapshots do + it { should exist } +end +``` + +```ruby +describe aws_rds_snapshots do + it { should_not exist } +end +``` + +## AWS Permissions + +{{% inspec-aws/aws_permissions_principal action="RDS:Client:DBSnapshotMessage" %}} + +You can find detailed documentation at [Actions, Resources, and Condition Keys for Amazon EC2](https://docs.aws.amazon.com/IAM/latest/UserGuide/list_amazonec2.html), and [Actions, Resources, and Condition Keys for Identity And Access Management](https://docs.aws.amazon.com/IAM/latest/UserGuide/list_identityandaccessmanagement.html). diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_redshift_cluster.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_redshift_cluster.md new file mode 100644 index 0000000..d1cb703 --- /dev/null +++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_redshift_cluster.md 
@@ -0,0 +1,147 @@ ++++ +title = "aws_redshift_cluster resource" + +draft = false + + +[menu.aws] +title = "aws_redshift_cluster" +identifier = "inspec/resources/aws/aws_redshift_cluster resource" +parent = "inspec/resources/aws" ++++ + +Use the `aws_redshift_cluster` InSpec audit resource to test detailed properties of an individual AWS Redshift cluster. + +## Syntax + +An `aws_redshift_cluster` resource block uses resource parameters to search for a Redshift cluster, and then tests that Redshift cluster. If no Redshift clusters match, no error is raised, but the `exists` matcher will return `false` and all properties will be `nil`. If more than one Redshift cluster matches (due to vague search parameters), an error is raised. + +```ruby +describe aws_redshift_cluster('test-cluster-id') do + it { should exist } +end +``` + +Can also use hash syntax: + +```ruby +describe aws_redshift_cluster(cluster_identifier: 'test-cluster-id') do + it { should exist } +end +``` + +## Parameters + +`cluster_identifier` _(required)_ + +: This resource accepts a single parameter, the user-supplied cluster identifier. This parameter isn't case-sensitive. + This can be passed either as a string or as a `cluster_identifier: 'value'` key-value entry in a hash. + +: Also see the [AWS Redshift cluster documentation](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-redshift-cluster.html). + +## Properties + +`cluster_identifier` +: The unique IDs of the redshift clusters returned. + +`db_names` +: The name of the database associated with each redshift cluster. + +`node_type` +: The redshift instance type. + +`cluster_create_time` +: The create time of redshift clusters. + +`cluster_subnet_group_name` +: The cluster name of redshift clusters. + +`cluster_status` +: The current status of each cluster . + +`cluster_availability_status` +: The current status of cluster. + +`modify_status` +: The current status of cluster. 
+ +`availability_zones` +: A list of availability zones of the redshift clusters returned. + +`allow_version_upgrade` +: Returns T/F depending on whether version upgrade is allowed or not. + +`encrypted` +: Returns T/F depending on whether Redshift clusters are encrypted or not. + +`cluster_subnet_group_name` +: Cluster subnet group name for redshift clusters returned. + +`iam_roles` +: iam_roles that are used in the cluster. + +`vpc_id` +: vpc_id of the redshift clusters. + +## Examples + +For a comprehensive list of properties available to test on an Redshift cluster see the [AWS Response Object](https://docs.aws.amazon.com/sdk-for-ruby/v3/api/Aws/Redshift/Client.html#describe_clusters-instance_method.html). + +## Examples + +### Test the engine used with a Redshift cluster + +```ruby +describe aws_redshift_cluster(cluster_identifier: 'awsRedshift123') do + its('engine') { should eq 'mysql' } + its('engine_version') { should eq '5.6.37' } +end +``` + +### Test the encryption and version_upgrade attribute of the Redshift cluster + +```ruby +describe aws_redshift_cluster(cluster_identifier: 'awsRedshift123') do + its('encrypted') { should eq true } + its('allow_version_upgrade') { should eq true } +end +``` + +### Test the cluster status and master username + +```ruby +describe aws_redshift_cluster(cluster_identifier: 'awsRedshift123') do + its('master_username') { should eq 'db-maintain' } + its('cluster_status') { should eq 'available' } +end +``` + +## Matchers + +{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}} + +This resource has the following special matchers. + +### exist + +The control will pass if the describe returns at least one result. + +Use `should_not` to test the entity should not exist. 
+ +```ruby +describe aws_redshift_cluster(cluster_identifier: 'AnExistingRedshift') do + it { should exist } +end +``` + +```ruby +describe aws_redshift_cluster(cluster_identifier: 'ANonExistentRedshift') do + it { should_not exist } +end +``` + +## AWS Permissions + +{{% inspec-aws/aws_permissions_principal action="Redshift:Client:ClustersMessage" %}} + +You can find detailed documentation at [Actions, Resources, and Condition Keys for Amazon Redshift](https://docs.aws.amazon.com/IAM/latest/UserGuide/list_amazonRedshift.html). diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_redshift_cluster_parameter_group.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_redshift_cluster_parameter_group.md new file mode 100644 index 0000000..9ebccb0 --- /dev/null +++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_redshift_cluster_parameter_group.md 
@@ -0,0 +1,111 @@ ++++ +title = "aws_redshift_cluster_parameter_group resource" + +draft = false + + +[menu.aws] +title = "aws_redshift_cluster_parameter_group" +identifier = "inspec/resources/aws/aws_redshift_cluster_parameter_group resource" +parent = "inspec/resources/aws" ++++ + +Use the `aws_redshift_cluster_parameter_group` InSpec audit resource to test properties of a single specific Redshift cluster parameter group. + +A Redshift cluster parameter group is uniquely identified by the parameter group name. + +For additional information, including details on parameters and properties, see the [AWS documentation on Redshift cluster parameter group](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-redshift-clusterparametergroup.html). + +## Syntax + +Ensure that a parameter_group_name exists. + +```ruby +describe aws_redshift_cluster_parameter_group(parameter_group_name: 'test') do + it { should exist } +end +``` + +## Parameters + +`parameter_group_name` _(required)_ + +## Properties + +`parameter_group_name` +: The name of a specific parameter group for which to return details. By default, details about all parameter groups and the default parameter group are returned. + +`parameter_group_family` +: The family of the parameter group. + +`description` +: The description of the parameter group. + +`tags` +: The tags of the parameter group. + +## Examples + +Ensure a parameter group name is available: + +```ruby +describe aws_redshift_cluster_parameter_group(parameter_group_name: 'test') do + its('parameter_group_name') { should eq 'test' } +end +``` + +Check the family name in the cluster parameter group: + +```ruby +describe aws_redshift_cluster_parameter_group(parameter_group_name: 'test') do + its('parameter_group_family') { should eq 'family_name' } +end +``` + +## Matchers + +{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}} + +The controls will pass if the `describe` method returns at least one result. 
+ +### exist + +Use `should` to test that the entity exists. + +```ruby +describe aws_redshift_cluster_parameter_group(parameter_group_name: 'test') do + it { should exist } +end +``` + +Use `should_not` to test the entity does not exist. + +```ruby +describe aws_redshift_cluster_parameter_group(parameter_group_name: 'test') do + it { should_not exist } +end +``` + +### be_available + +Check if the IP address is available. + +```ruby +describe aws_redshift_cluster_parameter_group(parameter_group_name: 'test') do + it { should be_available } +end +``` + +Use `should_not` to test an IP address that should not exist. + +```ruby +describe aws_redshift_cluster_parameter_group(parameter_group_name: 'test') do + it { should_not be_available } +end +``` + +## AWS Permissions + +{{% inspec-aws/aws_permissions_principal action="Redshift:Client:ClusterParameterGroupsMessage" %}} + +See the [Actions, Resources, and Condition Keys for Amazon EC2](https://docs.aws.amazon.com/IAM/latest/UserGuide/list_amazonec2.html) documentation for additional information. diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_redshift_cluster_parameter_groups.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_redshift_cluster_parameter_groups.md new file mode 100644 index 0000000..d8e1440 --- /dev/null +++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_redshift_cluster_parameter_groups.md 
@@ -0,0 +1,109 @@ ++++ +title = "aws_redshift_cluster_parameter_groups resource" + +draft = false + + +[menu.aws] +title = "aws_redshift_cluster_parameter_groups" +identifier = "inspec/resources/aws/aws_redshift_cluster_parameter_groups resource" +parent = "inspec/resources/aws" ++++ + +Use the `aws_redshift_cluster_parameter_groups` InSpec audit resource to test properties of some or all AWS Redshift cluster parameter groups. + +This resource does not expect any parameters. + +For additional information, including details on parameters and properties, see the [AWS documentation on Redshift cluster parameter group](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-redshift-clusterparametergroup.html). + +## Syntax + +Verify that a Parameter group name exists. + +```ruby +describe aws_redshift_cluster_parameter_groups do + it { should exist } +end +``` + +## Parameters + +This resource does not require any parameters. + +## Properties + +`parameter_group_names` +: The name of a specific parameter group for which to return details. By default, details about all parameter groups and the default parameter group are returned. + +: **Field**: `parameter_group_name` + +`parameter_group_families` +: The family of the parameter group. + +: **Field**: `parameter_group_family` + +`descriptions` +: The description of the parameter group. + +: **Field**: `description` + +`tags` +: The tags of the parameter group. 
+ +: **Field**: `tags` + +## Examples + +Ensure a Redshift cluster parameter group has parameter groups: + +```ruby +describe aws_redshift_cluster_parameter_groups do + it { should exist } +end +``` + +Verify the number of Redshift cluster parameter groups: + +```ruby +describe aws_redshift_cluster_parameter_groups do + its('count') { should eq 5 } +end +``` + +Verify the family name exists for at least one of the cluster parameter groups: + +```ruby +describe aws_redshift_cluster_parameter_groups do + its('parameter_group_families') { should include "FAMILY_NAME" } +end +``` + +## Matchers + +{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}} + +This resource has the following special matchers. + +### exist + +The control will pass if the describe returns at least one result. + +```ruby +describe aws_redshift_cluster_parameter_groups do + it { should exist } +end +``` + +Use `should_not` to test the entity should not exist. + +```ruby +describe aws_redshift_cluster_parameter_groups do + it { should_not exist } +end +``` + +## AWS Permissions + +{{% inspec-aws/aws_permissions_principal action="Redshift:Client:ClusterParameterGroupsMessage" %}} + +You can find detailed documentation at [Actions, Resources, and Condition Keys for Amazon EC2](https://docs.aws.amazon.com/IAM/latest/UserGuide/list_amazonec2.html). diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_redshift_clusters.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_redshift_clusters.md new file mode 100644 index 0000000..67036b7 --- /dev/null +++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_redshift_clusters.md 
@@ -0,0 +1,155 @@ ++++ +title = "aws_redshift_clusters resource" + +draft = false + + +[menu.aws] +title = "aws_redshift_clusters" +identifier = "inspec/resources/aws/aws_redshift_clusters resource" +parent = "inspec/resources/aws" ++++ + +Use the `aws_redshift_clusters` InSpec audit resource to test properties of a collection of Amazon Redshift clusters. + +Redshift gives you access to the capabilities of a MySQL, MariaDB, PostgreSQL, Microsoft SQL Server, Oracle, or Amazon Aurora database server. + +## Syntax + +Ensure you have exactly 3 clusters + +```ruby +describe aws_redshift_clusters do + its('cluster_identifiers.count') { should cmp 3 } +end +``` + +## Parameters + +This resource does not require any parameters. + +## Properties + +`cluster_identifiers` +: The unique IDs of the Redshift clusters returned. + +: **Field**: `cluster_identifier` + +`db_names` +: The name of the database associated with each Redshift cluster. + +: **Field**: `db_name` + +`node_types` +: The Redshift instance type. + +: **Field**: `node_type` + +`cluster_create_time` +: The create time of Redshift clusters. + +: **Field**: `cluster_create_time` + +`cluster_subnet_group_names` +: The cluster name of Redshift clusters. + +: **Field**: `cluster_subnet_group_name` + +`cluster_status` +: The current status of each cluster. + +: **Field**: `cluster_status` + +`cluster_availability_status` +: The current status of cluster. + +: **Field**: `cluster_availability_status` + +`modify_status` +: The current status of cluster. + +: **Field**: `modify_status` + +`availability_zones` +: A list of availability zones of the Redshift clusters returned. + +: **Field**: `availability_zones` + +`allow_version_upgrade` +: Returns `true` or `false` depending on whether version upgrade is allowed or not. + +: **Field**: `allow_version_upgrade` + +`encrypted` +: Returns `true` or `false` depending on whether Redshift clusters are encrypted or not. 
+ +: **Field**: `encrypted` + +`cluster_subnet_group_names` +: Cluster subnet group name for Redshift clusters returned. + +: **Field**: `cluster_subnet_group_name` + +`iam_roles` +: The IAM roles that are used in the cluster. + +: **Field**: `iam_roles` + +`vpc_ids` +: The VPC ID of the Redshift clusters. + +: **Field**: `vpc_id` + +For a comprehensive list of properties available to test on an Redshift cluster see the [AWS Response Object](https://docs.aws.amazon.com/sdk-for-ruby/v3/api/Aws/Redshift/Client.html#describe_clusters-instance_method.html). + +## Examples + +Ensure a specific cluster exists: + +```ruby +describe aws_redshift_clusters do + its('cluster_identifier') { should include 'cluster-12345678' } +end +``` + +Request the IDs of all Redshift clusters, then test in-depth using `aws_redshift_cluster` to ensure all clusters are encrypted: + +```ruby +aws_redshift_clusters.cluster_identifier.each do |cluster_identifier| + describe aws_redshift_cluster(cluster_identifier) do + it { should have_encrypted } + end +end +``` + +## Matchers + +{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}} + +This resource has the following special matchers. + +### exist + +The control will pass if the describe returns at least one result. + +Use `should` to test entity exists. + +```ruby +describe aws_redshift_clusters do + it { should exist } +end +``` + +Use `should_not` to test the entity should not exist. + +```ruby +describe aws_redshift_clusters do + it { should_not exist } +end +``` + +## AWS Permissions + +{{% inspec-aws/aws_permissions_principal action="Redshift:Client:ClustersMessage" %}} + +You can find detailed documentation at [Actions, Resources, and Condition Keys for Amazon EC2](https://docs.aws.amazon.com/IAM/latest/UserGuide/list_amazonec2.html), and [Actions, Resources, and Condition Keys for Identity And Access Management](https://docs.aws.amazon.com/IAM/latest/UserGuide/list_identityandaccessmanagement.html). 
diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_region.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_region.md new file mode 100644 index 0000000..201c3ec --- /dev/null +++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_region.md 
@@ -0,0 +1,84 @@ ++++ +title = "aws_region resource" + +draft = false + + +[menu.aws] +title = "aws_region" +identifier = "inspec/resources/aws/aws_region resource" +parent = "inspec/resources/aws" ++++ + +Use the `aws_region` InSpec audit resource to test properties of a single AWS region. + +For additional information, including details on parameters and properties, see the [AWS documentation on Regions](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-regions-availability-zones.html). + +## Syntax + +An `aws_region` resource block identifies an AWS region by ID. If no region is provided, the current default is used. + +```ruby +describe aws_region('eu-west-2') do + it { should exist } +end +``` + +```ruby +describe aws_region(region_name: 'us-east-1') do + it { should exist } +end +``` + +## Parameters + +`region_name` _(optional)_ + +: This resource accepts a single parameter, the region_name. + This can be passed either as a string or as a `region_name: 'value'` key-value entry in a hash. + +## Properties + +`region_name` +: The Name of the region. + +`endpoint` +: The resolved endpoint of the region. + +## Examples + +Test whether a region exists: + +```ruby +describe aws_region('region-not-real') do + it { should_not exist } +end +``` + +Test the Region Endpoint: + +```ruby +describe aws_region(region_name: 'eu-west-2') do + its('endpoint') { should eq 'ec2.eu-west-2.amazonaws.com' } +end +``` + +## Matchers + +{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}} + +This resource has the following special matchers. + +### exist + +The control will pass if the describe returns at least one result. + +```ruby +it { should exist } +``` + +## AWS Permissions + +{{% inspec-aws/aws_permissions_principal action="EC2:Client:DescribeRegionsResult" %}} + +You can find detailed documentation at [Actions, Resources, and Condition Keys for Amazon EC2](https://docs.aws.amazon.com/IAM/latest/UserGuide/list_amazonec2.html). 
diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_regions.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_regions.md new file mode 100644 index 0000000..32423be --- /dev/null +++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_regions.md 
@@ -0,0 +1,89 @@ ++++ +title = "aws_regions resource" + +draft = false + + +[menu.aws] +title = "aws_regions" +identifier = "inspec/resources/aws/aws_regions resource" +parent = "inspec/resources/aws" ++++ + +Use the `aws_regions` InSpec audit resource to test properties of some or all AWS regions in bulk. + +Note that this resource lists all AWS regions that are currently available to the caller. + +For additional information, including details on parameters and properties, see the [AWS documentation on Regions](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-regions-availability-zones.html). + +## Syntax + +An `aws_regions` resource block uses an optional filter to select a group of regions and then tests that group. + +```ruby +describe aws_regions.where { region_name: 'us-not-there-1' } do + it { should_not exist } +end +``` + +## Parameters + +`name` _(required)_ + +: This resource does not expect any parameters. + +## Properties + +`region_names` +: The Names of the regions. + +`endpoints` +: The resolved endpoints of the regions. + +## Examples + +The following examples show how to use this InSpec audit resource. + +Check for a Particular Region: + +```ruby +describe aws_regions do + its('region_names') { should include 'eu-west-2' } +end +``` + +Check an endpoint exists: + +```ruby +describe aws_regions do + its('endpoints') { should include 'ec2.eu-west-2.amazonaws.com' } +end +``` + +Use the regions resource to check single regions in more detail: + +```ruby +aws_regions.region_names.each do |aws_region_name| + describe aws_region(region_name: aws_region_name) do + it { should exist } + end +end +``` + +## Matchers + +For a full list of available matchers, visit the [InSpec matchers page](https://www.inspec.io/docs/reference/matchers/). + +### exist + +The control will pass if the describe returns at least one result. 
+ +```ruby +it { should exist } +``` + +## AWS Permissions + +{{% inspec-aws/aws_permissions_principal action="EC2:Client:DescribeRegionsResult" %}} + +You can find detailed documentation at [Actions, Resources, and Condition Keys for Amazon EC2](https://docs.aws.amazon.com/IAM/latest/UserGuide/list_amazonec2.html). diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_route53_record_set.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_route53_record_set.md new file mode 100644 index 0000000..4600e0d --- /dev/null +++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_route53_record_set.md 
@@ -0,0 +1,146 @@ ++++ +title = "aws_route53_record_set resource" + +draft = false + + +[menu.aws] +title = "aws_route53_record_set" +identifier = "inspec/resources/aws/aws_route53_record_set resource" +parent = "inspec/resources/aws" ++++ + +Use the `aws_route53_record_set` InSpec audit resource to test properties of a single specific AWS Route53 record set. + +The `AWS::Route53::RecordSet` resource specifies information about the record that you want to create. + +For additional information, including details on parameters and properties, see the [AWS documentation on AWS Route53 Record Set](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-route53-recordset.html). + +## Syntax + +Ensure that a record exists. + +```ruby +describe aws_route53_record_set(hosted_zone_id: 'HOSTED_ZONE_ID', start_record_name: 'RECORD_SET_NAME') do + it { should exist } +end +``` + +## Parameters + +`hosted_zone_id` _(required) + +: The ID of the hosted zone that contains the resource record sets that you want to list. + +`start_record_name` _(required)_ + +: The name of the record set. + +## Properties + +`name` +: The name of a record in the specified hosted zone. + +`type` +: The DNS record type. + +`set_identifier` +: In a group of resource record sets that have the same name and type, the value of SetIdentifier must be unique for each resource record set. + +`weight` +: The weight element for every weighted resource record set. + +`region` +: The Amazon EC2 Region of the record set. + +`geo_location (continent_code)` +: The two-letter code for the continent. Amazon Route 53 supports the following continent codes: `AF`: Africa, `AN`: Antarctica, `AS`: Asia, `EU`: Europe, `OC`: Oceania, `NA`: North America, `SA`: South America. + +`geo_location (country_code)` +: The [two-letter code for a country](https://en.wikipedia.org/wiki/ISO_3166-1_alpha-2). 
+ +`geo_location (subdivision_code)` +: The [two-letter code for a state](https://pe.usps.com/text/pub28/28apb.htm) of the United States. + +`failover` +: The failover configuration of resource record set. Valid values are `PRIMARY` and `SECONDARY`. + +`multi_value_answer` +: Whether the resource is a Multivalue answer resource record set. Valid values: `true` or `false`. + +`ttl` +: The resource record cache time to live (TTL), in seconds. + +`resource_records` +: Information about the resource records to act upon. + +`alias_target (hosted_zone_id)` +: Alias resource record sets only: The hosted zone ID of the resource. + +`alias_target (dns_name)` +: Alias resource record sets only: The applicable domain name for your API. + +`alias_target (evaluate_target_health)` +: Applies only to alias, failover alias, geolocation alias, latency alias, and weighted alias resource record sets: When `EvaluateTargetHealth` is `true`, an alias resource record set inherits the health of the referenced AWS resource, such as an ELB load balancer or another resource record set in the hosted zone. Valid values: `true` or `false`. + +`health_check_id` +: The ID of a health check. + +`traffic_policy_instance_id` +: The ID of the traffic policy instance. When you create a traffic policy instance, Amazon Route 53 automatically creates a resource record set. `TrafficPolicyInstanceId` is the ID of the traffic policy instance that Route 53 created this resource record set for. 
+ +## Examples + +Ensure a record is available: + +```ruby +describe aws_route53_record_set(hosted_zone_id: 'HOSTED_ZONE_ID', start_record_name: 'RECORD_SET_NAME') do + its('name') { should eq 'RECORD_SET_NAME' } +end +``` + +Ensure that the failover is `PRIMARY`: + +```ruby +describe aws_route53_record_set(hosted_zone_id: 'HOSTED_ZONE_ID', start_record_name: 'RECORD_SET_NAME') do + its('failover') { should eq 'PRIMARY' } +end +``` + +## Matchers + +{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}} + +The controls will pass if the `list` method returns at least one result. + +### exist + +Use `should` to test that the entity exists. + +```ruby +describe aws_route53_record_set(hosted_zone_id: 'HOSTED_ZONE_ID', start_record_name: 'RECORD_SET_NAME') do + it { should exist } +end +``` + +Use `should_not` to test the entity does not exist. + +```ruby +describe aws_route53_record_set(hosted_zone_id: 'HOSTED_ZONE_ID', start_record_name: 'RECORD_SET_NAME') do + it { should_not exist } +end +``` + +### be_available + +Use `should` to check if the record name is available. + +```ruby +describe aws_route53_record_set(hosted_zone_id: 'HOSTED_ZONE_ID', start_record_name: 'RECORD_SET_NAME') do + it { should be_available } +end +``` + +## AWS Permissions + +{{% inspec-aws/aws_permissions_principal action="Route53:Client:ListResourceRecordSetsResponse" %}} diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_route53_record_sets.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_route53_record_sets.md new file mode 100644 index 0000000..e00be6f --- /dev/null +++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_route53_record_sets.md 
@@ -0,0 +1,146 @@ ++++ +title = "aws_route53_record_sets resource" + +draft = false + + +[menu.aws] +title = "aws_route53_record_sets" +identifier = "inspec/resources/aws/aws_route53_record_sets resource" +parent = "inspec/resources/aws" ++++ + +Use the `aws_route53_record_sets` InSpec audit resource to test properties of multiple AWS Route53 record sets. + +The `AWS::Route53::RecordSet` type can be used as a standalone resource or as an embedded property in the `AWS::Route53::RecordSetGroup` type. + +For additional information, including details on parameters and properties, see the [AWS documentation on AWS Route53 Record Set](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-route53-recordset.html). + +## Syntax + +Ensure that a record exists. + +```ruby +describe aws_route53_record_sets(hosted_zone_id: 'HOSTED_ZONE_ID') do + it { should exist } +end +``` + +## Parameters + +`hosted_zone_id` _(required)_ + +: The ID of the hosted zone that contains the resource record sets that you want to get. + +## Properties + +`names` +: The name of a record in the specified hosted zone. + +: **Field**: `name` + +`types` +: The DNS record type. + +: **Field**: `type` + +`set_identifiers` +: In a group of resource record sets that have the same name and type, the value of SetIdentifier must be unique for each resource record set. + +: **Field**: `set_identifier` + +`weights` +: The weight element for every weighted resource record set. + +: **Field**: `weight` + +`regions` +: The Amazon EC2 Region of the record set. + +: **Field**: `region` + +`geo_locations` +: The geo location of the record set. + +: **Field**: `geo_location` + +`failovers` +: The failover configuration of resource record set. Valid values are `PRIMARY` and `SECONDARY`. + +: **Field**: `failover` + +`multi_value_answers` +: Whether a resource is a Multivalue answer resource record set. Valid values: `true` or `false`. 
+ +: **Field**: `multi_value_answer` + +`ttls` +: The resource record cache time to live (TTL), in seconds. + +: **Field**: `ttl` + +`resource_records` +: Information about the resource records to act upon. + +: **Field**: `resource_record` + +`alias_targets` +: The alias target of the record set. + +: **Field**: `alias_target` + +`health_check_ids` +: The IDs of a health check. + +: **Field**: `health_check_id` + +`traffic_policy_instance_ids` +: The ID of the traffic policy instance. When you create a traffic policy instance, Amazon Route 53 automatically creates a resource record set. `TrafficPolicyInstanceId` is the ID of the traffic policy instance that Route 53 created this resource record set for. + +: **Field**: `traffic_policy_instance_id` + +## Examples + +Ensure a record name is available: + +```ruby +describe aws_route53_record_sets(hosted_zone_id: 'HOSTED_ZONE_ID') do + its('names') { should include 'RECORD_SET_NAME' } +end +``` + +Ensure that the failover of a record set is configured to `PRIMARY`: + +```ruby +describe aws_route53_record_sets(hosted_zone_id: 'HOSTED_ZONE_ID') do + its('failovers') { should include 'PRIMARY' } +end +``` + +## Matchers + +{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}} + +The controls will pass if the `list` method returns at least one result. + +### exist + +Use `should` to test that the entity exists. + +```ruby +describe aws_route53_record_sets(hosted_zone_id: 'HOSTED_ZONE_ID') do + it { should exist } +end +``` + +Use `should_not` to test the entity does not exist. + +```ruby +describe aws_route53_record_sets(hosted_zone_id: 'HOSTED_ZONE_ID') do + it { should_not exist } +end +``` + +## AWS Permissions + +{{% inspec-aws/aws_permissions_principal action="Route53:Client:ListResourceRecordSetsResponse" %}} 
diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_route53resolver_resolver_endpoint.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_route53resolver_resolver_endpoint.md new file mode 100644 index 0000000..53be2dd --- /dev/null +++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_route53resolver_resolver_endpoint.md 
@@ -0,0 +1,127 @@ ++++ +title = "aws_route53resolver_resolver_endpoint resource" + +draft = false + + +[menu.aws] +title = "aws_route53resolver_resolver_endpoint" +identifier = "inspec/resources/aws/aws_route53resolver_resolver_endpoint resource" +parent = "inspec/resources/aws" ++++ + +Use the `aws_route53resolver_resolver_endpoint` InSpec audit resource to test properties of a single AWS Route53 Resolver endpoint. + +There are two types of Resolver endpoints, inbound and outbound. An inbound Resolver endpoint forwards DNS queries to the DNS service for a VPC from your network. An outbound Resolver endpoint forwards DNS queries from the DNS service for a VPC to your network. + +For additional information, including details on parameters and properties, see the [AWS documentation on AWS Route53Resolver Resolver Endpoint](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-route53resolver-resolverendpoint.html). + +## Syntax + +Ensure that an endpoint exists. + +```ruby +describe aws_route53resolver_resolver_endpoint(resolver_endpoint_id: 'ResourceId') do + it { should exist } +end +``` + +## Parameters + +`resolver_endpoint_id` _(required)_ + +: The ID of the Resolver endpoint. + +## Properties + +`id` +: The ID of the Resolver endpoint. + +`creator_request_id` +: A unique string that identifies the request that created the Resolver endpoint. The `CreatorRequestId` allows failed requests to be retried without the risk of running the operation twice. + +`arn` +: The ARN (Amazon Resource Name) for the Resolver endpoint. + +`name` +: The name that you assigned to the Resolver endpoint when you submitted a `CreateResolverEndpoint` request. + +`security_group_ids` +: The ID of one or more security groups that control access to this VPC. The security group must include one or more inbound rules (for inbound endpoints) or outbound rules (for outbound endpoints). Inbound and outbound rules must allow TCP and UDP access. 
For inbound access, open port 53. For outbound access, open the port that you're using for DNS queries on your network. + +`direction` +: Indicates whether the Resolver endpoint allows inbound or outbound DNS queries. Valid values: `INBOUND`, `OUTBOUND`. + +`ip_address_count` +: The number of IP addresses that the Resolver endpoint can use for DNS queries. + +`host_vpc_id` +: The ID of the VPC that you want to create the Resolver endpoint in. + +`status` +: A code that specifies the current status of the Resolver endpoint. Valid values are: `CREATING`, `OPERATIONAL`, `UPDATING`, `AUTO_RECOVERING`, `ACTION_NEEDED`, `DELETING`. + +`status_message` +: A detailed description of the status of the Resolver endpoint. + +`creation_time` +: The date and time that the endpoint was created, in Unix time format and Coordinated Universal Time (UTC). + +`modification_time` +: The date and time that the endpoint was last modified, in Unix time format and Coordinated Universal Time (UTC). + +## Examples + +Ensure an endpoint name is available: + +```ruby +describe aws_route53resolver_resolver_endpoint(resolver_endpoint_id: 'RESOLVER_ENDPOINT_ID') do + its('name') { should eq 'ENDPOINT_NAME' } +end +``` + +Ensure that the endpoint status is `CREATING`: + +```ruby +describe aws_route53resolver_resolver_endpoint(resolver_endpoint_id: 'RESOLVER_ENDPOINT_ID') do + its('status') { should eq 'CREATING' } +end +``` + +## Matchers + +{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}} + +This resource has the following special matchers. + +### exist + +Use `should` to test that the entity exists. + +```ruby +describe aws_route53resolver_resolver_endpoint(resolver_endpoint_id: 'RESOLVER_ENDPOINT_ID') do + it { should exist } +end +``` + +Use `should_not` to test the entity does not exist. 
+ +```ruby +describe aws_route53resolver_resolver_endpoint(resolver_endpoint_id: 'RESOLVER_ENDPOINT_ID') do + it { should_not exist } +end +``` + +### be_available + +Use `should` to check if the endpoint name is available. + +```ruby +describe aws_route53resolver_resolver_endpoint(resolver_endpoint_id: 'RESOLVER_ENDPOINT_ID') do + it { should be_available } +end +``` + +## AWS Permissions + +{{% inspec-aws/aws_permissions_principal action="Route53Resolver:Client:GetResolverEndpointResponse" %}} diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_route53resolver_resolver_endpoints.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_route53resolver_resolver_endpoints.md new file mode 100644 index 0000000..1ce6cef --- /dev/null +++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_route53resolver_resolver_endpoints.md 
@@ -0,0 +1,125 @@ ++++ +title = "aws_route53resolver_resolver_endpoints resource" + +draft = false + + +[menu.aws] +title = "aws_route53resolver_resolver_endpoints" +identifier = "inspec/resources/aws/aws_route53resolver_resolver_endpoints resource" +parent = "inspec/resources/aws" ++++ + +Use the `aws_route53resolver_resolver_endpoints` InSpec audit resource to test properties of multiple AWS Route53 Resolver endpoints. + +There are two types of Resolver endpoints, inbound and outbound. An inbound Resolver endpoint forwards DNS queries to the DNS service for a VPC from your network. An outbound Resolver endpoint forwards DNS queries from the DNS service for a VPC to your network. + +For additional information, including details on parameters and properties, see the [AWS documentation on AWS Route53Resolver Resolver Endpoint](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-route53resolver-resolverendpoint.html). + +## Syntax + +Ensure that an endpoint exists. + +```ruby +describe aws_route53resolver_resolver_endpoints do + it { should exist } +end +``` + +## Parameters + +This resource does not require any parameters. + +## Properties + +`ids` +: The ID of the Resolver endpoint. + +`creator_request_ids` +: A unique string that identifies the request that created the Resolver endpoint. The `CreatorRequestId` allows failed requests to be retried without the risk of running the operation twice. + +`arns` +: The ARN (Amazon Resource Name) for the Resolver endpoint. + +`names` +: The name that you assigned to the Resolver endpoint when you submitted a `CreateResolverEndpoint` request. + +`security_group_ids` +: The ID of one or more security groups that control access to this VPC. The security group must include one or more inbound rules (for inbound endpoints) or outbound rules (for outbound endpoints). Inbound and outbound rules must allow TCP and UDP access. For inbound access, open port 53. 
For outbound access, open the port that you're using for DNS queries on your network. + +`directions` +: Indicates whether the Resolver endpoint allows inbound or outbound DNS queries. Valid values: `INBOUND`, `OUTBOUND`. + +`ip_address_counts` +: The number of IP addresses that the Resolver endpoint can use for DNS queries. + +`host_vpc_ids` +: The ID of the VPC that you want to create the Resolver endpoint in. + +`statuses` +: A code that specifies the current status of the Resolver endpoint. Valid values are: `CREATING`, `OPERATIONAL`, `UPDATING`, `AUTO_RECOVERING`, `ACTION_NEEDED`, `DELETING`. + +`status_messages` +: A detailed description of the status of the Resolver endpoint. + +`creation_times` +: The date and time that the endpoint was created, in Unix time format and Coordinated Universal Time (UTC). + +`modification_times` +: The date and time that the endpoint was last modified, in Unix time format and Coordinated Universal Time (UTC). + +## Examples + +Ensure an endpoint name is available: + +```ruby +describe aws_route53resolver_resolver_endpoints do + its('names') { should include 'ENDPOINT_NAME' } +end +``` + +Ensure that an endpoint has the `CREATING` status: + +```ruby +describe aws_route53resolver_resolver_endpoints do + its('statuses') { should include 'CREATING' } +end +``` + +## Matchers + +{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}} + +The controls will pass if the `list` method returns at least one result. + +### exist + +Use `should` to test that the entity exists. + +```ruby +describe aws_route53resolver_resolver_endpoints do + it { should exist } +end +``` + +Use `should_not` to test the entity does not exist. + +```ruby +describe aws_route53resolver_resolver_endpoints do + it { should_not exist } +end +``` + +### be_available + +Use `should` to check if the endpoint name is available. 
+ +```ruby +describe aws_route53resolver_resolver_endpoints do + it { should be_available } +end +``` + +## AWS Permissions + +{{% inspec-aws/aws_permissions_principal action="Route53Resolver:Client:ListResolverEndpointsResponse" %}} diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_route53resolver_resolver_rule.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_route53resolver_resolver_rule.md new file mode 100644 index 0000000..a6582ab --- /dev/null +++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_route53resolver_resolver_rule.md 
@@ -0,0 +1,136 @@ ++++ +title = "aws_route53resolver_resolver_rule resource" + +draft = false + + +[menu.aws] +title = "aws_route53resolver_resolver_rule" +identifier = "inspec/resources/aws/aws_route53resolver_resolver_rule resource" +parent = "inspec/resources/aws" ++++ + +Use the `aws_route53resolver_resolver_rule` InSpec audit resource to test properties of a single AWS Route53 Resolver rule. + +The AWS Route53 Resolver Rule resource specifies which Resolver endpoint the queries pass through, one domain name that you want to forward to your network, and the IP addresses of the DNS resolvers in your network. + +For additional information, including details on parameters and properties, see the [AWS documentation on AWS Route53 Resolver rule](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-route53resolver-resolverrule.html). + +## Syntax + +Ensure that a resolver rule exists. + +```ruby +describe aws_route53resolver_resolver_rule(resolver_rule_id: 'RULE_ID') do + it { should exist } +end +``` + +## Parameters + +`resolver_rule_id` _(required)_ + +: The ID of the Resolver rule. + +## Properties + +`id` +: The ID that Resolver assigned to the Resolver rule when you created it. + +`creator_request_id` +: A unique string that you specified when you created the Resolver rule. `CreatorRequestId` identifies the request and allows failed requests to be retried without the risk of running the operation twice. + +`arn` +: The ARN (Amazon Resource Name) for the Resolver rule specified by Id. + +`domain_name` +: DNS queries for this domain name are forwarded to the IP addresses that are specified in `TargetIps`. + +`status` +: A code that specifies the current status of the Resolver rule. + +`status_message` +: A detailed description of the status of a Resolver rule. + +`rule_type` +: When you want to forward DNS queries for specified domain name to resolvers on your network, specify FORWARD. 
+ +`name` +: The name for the Resolver rule, which you specified when you created the Resolver rule. + +`target_ips (ip)` +: One IP address that you want to forward DNS queries to. You can specify only IPv4 addresses. + +`target_ips (port)` +: The port at the IP address that you want to forward DNS queries to. + +`resolver_endpoint_id` +: The ID of the endpoint that the rule is associated with. + +`owner_id` +: When a rule is shared with another AWS account, the account ID of the account that the rule is shared with. + +`share_status` +: Whether the rule is shared and, if so, whether the current account is sharing the rule with another account, or another account is sharing the rule with the current account. + +`creation_time` +: The date and time that the Resolver rule was created, in Unix time format and Coordinated Universal Time (UTC). + +`modification_time` +: The date and time that the Resolver rule was last updated, in Unix time format and Coordinated Universal Time (UTC). + +## Examples + +Ensure a Resolver rule name is available: + +```ruby +describe aws_route53resolver_resolver_rule(resolver_rule_id: 'RULE_ID') do + its('name') { should eq 'ResolverRuleName' } +end +``` + +Ensure that the status is `COMPLETE` or `FAILED`: + +```ruby +describe aws_route53resolver_resolver_rule(resolver_rule_id: 'RULE_ID') do + its('status') { should eq 'COMPLETE' } +end +``` + +## Matchers + +{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}} + +This resource has the following special matchers. + +### exist + +Use `should` to test that the entity exists. + +```ruby +describe aws_route53resolver_resolver_rule(resolver_rule_id: 'RULE_ID') do + it { should exist } +end +``` + +Use `should_not` to test the entity does not exist. + +```ruby +describe aws_route53resolver_resolver_rule(resolver_rule_id: 'RULE_ID') do + it { should_not exist } +end +``` + +### be_available + +Use `should` to check if the entity is available. 
+ +```ruby +describe aws_route53resolver_resolver_rule(resolver_rule_id: 'RULE_ID') do + it { should be_available } +end +``` + +## AWS Permissions + +{{% inspec-aws/aws_permissions_principal action="Route53Resolver:Client:GetResolverRuleResponse" %}} diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_route53resolver_resolver_rule_association.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_route53resolver_resolver_rule_association.md new file mode 100644 index 0000000..3a6f2bb --- /dev/null +++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_route53resolver_resolver_rule_association.md 
@@ -0,0 +1,109 @@ ++++ +title = "aws_route53resolver_resolver_rule_association resource" + +draft = false + + +[menu.aws] +title = "aws_route53resolver_resolver_rule_association" +identifier = "inspec/resources/aws/aws_route53resolver_resolver_rule_association resource" +parent = "inspec/resources/aws" ++++ + +Use the `aws_route53resolver_resolver_rule_association` InSpec audit resource to test properties of a single AWS Route53 Resolver rule association. + +The Resolver rule association determines which DNS queries that originate in the VPC are forwarded to your network. + +For additional information, including details on parameters and properties, see the [AWS documentation on AWS Route53Resolver Resolver Rule Association](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-route53resolver-resolverruleassociation.html). + +## Syntax + +Ensure that a resolver rule exists. + +```ruby +describe aws_route53resolver_resolver_rule_association(resolver_rule_association_id: 'RESOLVER_RULE_ASSOCIATION_ID') do + it { should exist } +end +``` + +## Parameters + +`resolver_rule_association_id` _(required)_ + +: The ID of the Resolver rule association that you want to get information about. + +## Properties + +`id` +: The ID of the association between a Resolver rule and a VPC. + +`resolver_rule_id` +: The ID of the Resolver rule that you associated with the VPC that is specified by VPCId. + +`name` +: The name of an association between a Resolver rule and a VPC. + +`vpc_id` +: The ID of the VPC that you associated the Resolver rule with. + +`status` +: A code that specifies the current status of the association between a Resolver rule and a VPC. + +`status_message` +: A detailed description of the status of the association between a Resolver rule and a VPC. 
+ +## Examples + +Ensure a resolver rule name is available: + +```ruby +describe aws_route53resolver_resolver_rule_association(resolver_rule_association_id: 'RESOLVER_RULE_ASSOCIATION_ID') do + its('name') { should eq 'RESOLVER_RULE_NAME' } +end +``` + +Ensure that the status is `COMPLETE` or `FAILED`: + +```ruby +describe aws_route53resolver_resolver_rule_association(resolver_rule_association_id: 'RESOLVER_RULE_ASSOCIATION_ID') do + its('status') { should eq 'COMPLETE' } +end +``` + +## Matchers + +{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}} + +This resource has the following special matchers. + +### exist + +Use `should` to test that the entity exists. + +```ruby +describe aws_route53resolver_resolver_rule_association(resolver_rule_association_id: 'RESOLVER_RULE_ASSOCIATION_ID') do + it { should exist } +end +``` + +Use `should_not` to test the entity does not exist. + +```ruby +describe aws_route53resolver_resolver_rule_association(resolver_rule_association_id: 'RESOLVER_RULE_ASSOCIATION_ID') do + it { should_not exist } +end +``` + +### be_available + +Use `should` to check if the entity is available. + +```ruby +describe aws_route53resolver_resolver_rule_association(resolver_rule_association_id: 'RESOLVER_RULE_ASSOCIATION_ID') do + it { should be_available } +end +``` + +## AWS Permissions + +{{% inspec-aws/aws_permissions_principal action="Route53Resolver:Client:GetResolverRuleAssociationResponse" %}} diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_route53resolver_resolver_rule_associations.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_route53resolver_resolver_rule_associations.md new file mode 100644 index 0000000..e5ed8f7 --- /dev/null +++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_route53resolver_resolver_rule_associations.md 
@@ -0,0 +1,107 @@ ++++ +title = "aws_route53resolver_resolver_rule_associations resource" + +draft = false + + +[menu.aws] +title = "aws_route53resolver_resolver_rule_associations" +identifier = "inspec/resources/aws/aws_route53resolver_resolver_rule_associations resource" +parent = "inspec/resources/aws" ++++ + +Use the `aws_route53resolver_resolver_rule_associations` InSpec audit resource to test properties of multiple AWS Route53 Resolver rule associations. + +The Resolver rule association determines which DNS queries that originate in the VPC are forwarded to your network. + +For additional information, including details on parameters and properties, see the [AWS documentation on AWS Route53Resolver Resolver Rule Association](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-route53resolver-resolverruleassociation.html). + +## Syntax + +Ensure that a resolver name exists. + +```ruby +describe aws_route53resolver_resolver_rule_associations do + it { should exist } +end +``` + +## Parameters + +This resource does not require any parameters. + +## Properties + +`ids` +: The ID of the association between a Resolver rule and a VPC. + +`resolver_rule_ids` +: The ID of the Resolver rule that you associated with the VPC that is specified by VPCId. + +`names` +: The name of an association between a Resolver rule and a VPC. + +`vpc_ids` +: The ID of the VPC that you associated the Resolver rule with. + +`statuses` +: A code that specifies the current status of the association between a Resolver rule and a VPC. + +`status_messages` +: A detailed description of the status of the association between a Resolver rule and a VPC. 
+ +## Examples + +Ensure a resolver name is available: + +```ruby +describe aws_route53resolver_resolver_rule_associations do + its('names') { should include 'RESOLVER_RULE_NAME' } +end +``` + +Ensure that the status is `COMPLETE` or `FAILED`: + +```ruby +describe aws_route53resolver_resolver_rule_associations do + its('statuses') { should include 'COMPLETE' } +end +``` + +## Matchers + +{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}} + +The controls will pass if the `list` method returns at least one result. + +### exist + +Use `should` to test that the entity exists. + +```ruby +describe aws_route53resolver_resolver_rule_associations do + it { should exist } +end +``` + +Use `should_not` to test the entity does not exist. + +```ruby +describe aws_route53resolver_resolver_rule_associations do + it { should_not exist } +end +``` + +### be_available + +Use `should` to check if the entity is available. + +```ruby +describe aws_athena_work_groups do + it { should be_available } +end +``` + +## AWS Permissions + +{{% inspec-aws/aws_permissions_principal action="Route53Resolver:Client:ListResolverRuleAssociationsResponse" %}} diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_route53resolver_resolver_rules.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_route53resolver_resolver_rules.md new file mode 100644 index 0000000..49dd68c --- /dev/null +++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_route53resolver_resolver_rules.md 
@@ -0,0 +1,131 @@ ++++ +title = "aws_route53resolver_resolver_rules resource" + +draft = false + + +[menu.aws] +title = "aws_route53resolver_resolver_rules" +identifier = "inspec/resources/aws/aws_route53resolver_resolver_rules resource" +parent = "inspec/resources/aws" ++++ + +Use the `aws_route53resolver_resolver_rules` InSpec audit resource to test properties of multiple AWS Route53 Resolver rules. + +The AWS Route53 Resolver Rule resource specifies which Resolver endpoint the queries pass through, one domain name that you want to forward to your network, and the IP addresses of the DNS resolvers in your network. + +For additional information, including details on parameters and properties, see the [AWS documentation on AWS Route53 Resolver Rule](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-route53resolver-resolverrule.html). + +## Syntax + +Ensure that a rule exists. + +```ruby +describe aws_route53resolver_resolver_rules do + it { should exist } +end +``` + +## Parameters + +This resource does not require any parameters. + +## Properties + +`ids` +: The ID that Resolver assigned to the Resolver rule when you created it. + +`creator_request_ids` +: A unique string that you specified when you created the Resolver rule. `CreatorRequestId` identifies the request and allows failed requests to be retried without the risk of running the operation twice. + +`arns` +: The ARN (Amazon Resource Name) for the Resolver rule specified by ID. + +`domain_names` +: DNS queries for this domain name are forwarded to the IP addresses that are specified in `TargetIps`. + +`statuses` +: A code that specifies the current status of the Resolver rule. + +`status_messages` +: A detailed description of the status of a Resolver rule. + +`rule_types` +: When you want to forward DNS queries for specified domain name to resolvers on your network, specify FORWARD. 
+ +`names` +: The name for the Resolver rule, which you specified when you created the Resolver rule. + +`target_ips` +: An array that contains the IP addresses and ports that an outbound endpoint forwards DNS queries to. + +`resolver_endpoint_ids` +: The ID of the endpoint that the rule is associated with. + +`owner_ids` +: When a rule is shared with another AWS account, the account ID of the account that the rule is shared with. + +`share_statuses` +: Whether the rule is shared and, if so, whether the current account is sharing the rule with another account, or another account is sharing the rule with the current account. + +`creation_times` +: The date and time that the Resolver rule was created, in Unix time format and Coordinated Universal Time (UTC). + +`modification_times` +: The date and time that the Resolver rule was last updated, in Unix time format and Coordinated Universal Time (UTC). + +## Examples + +Ensure a rule name is available: + +```ruby +describe aws_route53resolver_resolver_rules do + its('names') { should include 'RULE_NAME' } +end +``` + +Ensure that the status is `COMPLETE` or `FAILED`: + +```ruby +describe aws_route53resolver_resolver_rules do + its('statuses') { should include 'COMPLETE' } +end +``` + +## Matchers + +{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}} + +The controls will pass if the `list` method returns at least one result. + +### exist + +Use `should` to test that the entity exists. + +```ruby +describe aws_route53resolver_resolver_rules do + it { should exist } +end +``` + +Use `should_not` to test the entity does not exist. + +```ruby +describe aws_route53resolver_resolver_rules do + it { should_not exist } +end +``` + +### be_available + +Use `should` to check if the rule name is available. 
+ +```ruby +describe aws_route53resolver_resolver_rules do + it { should be_available } +end +``` + +## AWS Permissions + +{{% inspec-aws/aws_permissions_principal action="Route53Resolver:Client:ListResolverRulesResponse" %}} diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_route_table.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_route_table.md new file mode 100644 index 0000000..2bd4e3d --- /dev/null +++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_route_table.md 
@@ -0,0 +1,258 @@ ++++ +title = "aws_route_table resource" + +draft = false + + +[menu.aws] +title = "aws_route_table" +identifier = "inspec/resources/aws/aws_route_table resource" +parent = "inspec/resources/aws" ++++ + +Use the `aws_route_table` InSpec audit resource to test the properties of a single route or route table. A route table contains a set of rules, called routes, that are used to determine where network traffic is directed. + +For additional information, including details on parameters and properties, see the [AWS documentation on route tables](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ec2-route-table.html) and the [AWS documentation on routes](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ec2-route.html#cfn-ec2-route-destinationcidrblock). + +## Syntax + +This resource expects a single parameter that uniquely identifies the route table. You may pass it as a string, or as the value in a hash: + +```ruby +describe aws_route_table('ROUTE_TABLE_ID') do + it { should exist } +end +``` + +```ruby +describe aws_route_table(route_table_id: 'ROUTE_TABLE_ID') do + it { should exist } +end +``` + +## Parameters + +`route_table_id` _(required)_ + +: This resource accepts a single parameter, the `route_table_id`. + This can be passed either as a string or as a `route_table_id: 'value'` key-value entry in a hash. + +## Properties + +`route_table_id` +: The ID of the route table. + +`owner_id` +: The ID of the AWS account that owns the route table. + +`vpc_id` +: The ID of the VPC. + +`routes` +: The routes in the route table. + +`associations` +: The associations between the route table and one or more subnets. + +`propagating_vgws` +: Any virtual private gateway (VGW) propagating routes. + +`tags` +: Any tags assigned to the route table. + +`routes(carrier_gateway_id)` +: The ID of the carrier gateway. + +`routes(destination_cidr_block)` +: The IPv4 CIDR block used for the destination match. 
+ +`routes(destination_ipv_6_cidr_block)` +: The IPv6 CIDR block used for the destination match. + +`routes(destination_prefix_list_id)` +: The prefix of the AWS service. + +`routes(egress_only_internet_gateway_id)` +: The ID of the egress-only internet gateway. + +`routes(gateway_id)` +: The ID of a gateway attached to your VPC. + +`routes(instance_id)` +: The ID of a NAT instance in your VPC. + +`routes(local_gateway_id)` +: The ID of the local gateway. + +`routes(nat_gateway_id)` +: The ID of a NAT gateway. + +`routes(network_interface_id)` +: The ID of the network interface. + +`routes(transit_gateway_id)` +: The ID of a transit gateway. + +`routes(vpc_peering_connection_id)` +: The ID of a VPC peering connection. + +`routes(instance_owner_id)` +: The owner ID of a NAT instance in your VPC. + +`routes(origin)` +: Describes how the route was created. + +`routes(state)` +: The state of the route. + +`associated_subnet_ids` +: List of associated subnet IDs. + +`associated_gateway_ids` +: List of associated gateway IDs. 
+ +## Examples + +Confirm that the route table has expected VPC identifier: + +```ruby +describe aws_route_table(route_table_id: 'ROUTE_TABLE_ID') do + its('vpc_id') { should eq 'VPC_ID' } +end +``` + +Confirm that the route table has expected owner identifier: + +```ruby +describe aws_route_table(route_table_id: 'ROUTE_TABLE_ID') do + its('owner_id') { should eq 'OWNER_ID' } +end +``` + +Ensure the expected number of routes is present: + +```ruby +describe aws_route_table(route_table_id: 'ROUTE_TABLE_ID') do + its('routes.count') { should eq 2 } +end +``` + +Ensure the expected number of associations is present: + +```ruby +describe aws_route_table(route_table_id: 'ROUTE_TABLE_ID') do + its('associations.count') { should eq 1 } +end +``` + +Ensure the subnet ID of interest is associated: + +```ruby +describe aws_route_table(route_table_id: 'ROUTE_TABLE_ID') do + its('associated_subnet_ids') { should include 'SUBNET_ID' } +end +``` + +Ensure no gateways are associated: + +```ruby +describe aws_route_table(route_table_id: 'ROUTE_TABLE_ID') do + its('associated_gateway_ids') { should be_empty } +end +``` + +Ensure there are no virtual private gateway (VGW) propagating routes: + +```ruby +describe aws_route_table(route_table_id: 'ROUTE_TABLE_ID') do + its('propagating_vgws') { should be_empty } +end +``` + +Confirm that the route table has the expected destination IPv4 CIDR block of the route: + +```ruby +describe aws_route_table(route_table_id: 'ROUTE_TABLE_ID') do + its('routes.first.destination_cidr_block') { should eq 'IPV4_CIDR_BLOCK' } +end +``` + +## Matchers + +For a full list of available matchers, visit the [InSpec matchers page](https://www.inspec.io/docs/reference/matchers/). + +### exist + +The control will pass if the describe returns at least one result. + +Use `should_not` to test the entity should not exist. 
+ +```ruby +describe aws_route_table('should-be-there') do + it { should exist } +end +``` + +```ruby +describe aws_route_table('should-not-be-there') do + it { should_not exist } +end +``` + +### main + +The control will pass if the route table is the main route table for the VPC. + +```ruby +describe aws_route_table(route_table_id: 'ROUTE_TABLE_ID') do + it { should be_main } +end +``` + +### have_subnet_associated + +The control will pass if the subnet is associated with the route table. + +```ruby +describe aws_route_table(route_table_id: 'ROUTE_TABLE_ID') do + it { should have_subnet_associated('SUBNET_ID') } +end +``` + +### have_gateway_associated + +The control will pass if the specified gateway is associated with the route table. + +```ruby +describe aws_route_table(route_table_id: 'ROUTE_TABLE_ID') do + it { should have_gateway_associated('GATEWAY_ID') } +end +``` + +### have_failed_association_value + +The control will pass if the specified gateway, subnet, or association that is associated with the route table has a failed state. + +```ruby +describe aws_route_table(route_table_id: 'ROUTE_TABLE_ID') do + it { should have_failed_association_value(gateway_id: 'GATEWAY_ID') } +end +``` + +```ruby +describe aws_route_table(route_table_id: 'ROUTE_TABLE_ID') do + it { should have_failed_association_value(subnet_id: 'SUBNET_ID') } +end +``` + +```ruby +describe aws_route_table(route_table_id: 'ROUTE_TABLE_ID') do + it { should have_failed_association_value(route_table_association_id: 'ROUTE_TABLE_ASSOCIATION_ID') } +end +``` + +## AWS Permissions + +{{% inspec-aws/aws_permissions_principal action="EC2:Client:DescribeRouteTablesResult" %}} + +You can find detailed documentation at [Actions, Resources, and Condition Keys for Amazon EC2](https://docs.aws.amazon.com/IAM/latest/UserGuide/list_amazonec2.html). 
diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_route_tables.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_route_tables.md new file mode 100644 index 0000000..323985b --- /dev/null +++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_route_tables.md 
@@ -0,0 +1,224 @@
++++
+title = "aws_route_tables resource"
+
+draft = false
+
+
+[menu.aws]
+title = "aws_route_tables"
+identifier = "inspec/resources/aws/aws_route_tables resource"
+parent = "inspec/resources/aws"
++++
+
+Use the `aws_route_tables` InSpec audit resource to test the properties of all route tables or a group of route tables, and all routes or a group of routes. A route table contains a set of rules, called routes, that are used to determine where network traffic is directed.
+
+For additional information, including details on parameters and properties, see the [AWS documentation on route tables](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ec2-route-table.html).
+
+## Syntax
+
+```ruby
+describe aws_route_tables do
+ it { should exist }
+end
+```
+
+## Parameters
+
+This resource does not require any parameters.
+
+## Properties
+
+`route_table_ids`
+: The route table IDs.
+
+: **Field**: `route_table_id`
+
+`vpc_ids`
+: The VPC IDs.
+
+: **Field**: `vpc_id`
+
+`entries`
+: Provides access to the raw results of the query, which can be treated as an array of hashes.
+
+: **Field**: Not Applicable
+
+`routes(carrier_gateway_ids)`
+: The ID of the carrier gateway.
+
+: **Field**: `carrier_gateway_id`
+
+`routes(destination_cidr_blocks)`
+: The IPv4 CIDR block used for the destination match.
+
+: **Field**: `destination_cidr_block`
+
+`routes(destination_ipv_6_cidr_blocks)`
+: The IPv6 CIDR block used for the destination match.
+
+: **Field**: `destination_ipv_6_cidr_block`
+
+`routes(destination_prefix_list_ids)`
+: The prefix of the AWS service.
+
+: **Field**: `destination_prefix_list_id`
+
+`routes(egress_only_internet_gateway_ids)`
+: The ID of the egress-only internet gateway.
+
+: **Field**: `egress_only_internet_gateway_id`
+
+`routes(gateway_ids)`
+: The ID of a gateway attached to your VPC.
+
+: **Field**: `gateway_id`
+
+`routes(instance_ids)`
+: The ID of a NAT instance in your VPC.
+
+: **Field**: `instance_id`
+
+`routes(local_gateway_ids)`
+: The ID of the local gateway.
+
+: **Field**: `instance_owner_id`
+
+`routes(nat_gateway_ids)`
+: The ID of a NAT gateway.
+
+: **Field**: `nat_gateway_id`
+
+`routes(network_interface_ids)`
+: The ID of the network interface.
+
+: **Field**: `network_interface_id`
+
+`routes(transit_gateway_ids)`
+: The ID of a transit gateway.
+
+: **Field**: `transit_gateway_id`
+
+`routes(vpc_peering_connection_ids)`
+: The ID of a VPC peering connection.
+
+: **Field**: `vpc_peering_connection_id`
+
+`routes(instance_owner_ids)`
+: The owner ID of a NAT instance in your VPC.
+
+: **Field**: `instance_owner_id`
+
+`routes(origins)`
+: Describes how the route was created.
+
+: **Field**: `origin`
+
+`routes(states)`
+: The state of the route.
+
+: **Field**: `state`
+
+`route_table_association_ids`
+: List of associated route table association IDs.
+
+: **Field**: `route_table_association_ids`
+
+`association_subnet_ids`
+: List of all association states(`associated`, `failed`, `disassociated`) subnet IDs.
+
+: **Field**: `association_subnet_ids`
+
+`associated_subnet_ids`
+: List of associated subnet IDs.
+
+: **Field**: `associated_subnet_ids`
+
+`association_gateway_ids`
+: List of all association states(`associated`, `failed`, `disassociated`) gateway IDs.
+
+: **Field**: `association_gateway_ids`
+
+`associated_gateway_ids`
+: List of associated gateway IDs.
+
+: **Field**: `associated_gateway_ids`
+
+`association_states`
+: List of all association states(`associated`, `failed`, `disassociated`).
+
+: **Field**: `association_states`
+
+`main`
+: flag to indicate the main route table.
+
+: **Field**: `main`
+
+## Examples
+
+Confirm that a route table exists:
+
+```ruby
+describe aws_route_tables do
+ its('vpc_ids') { should include 'VPC_ID' }
+end
+```
+
+Confirm a route table exists:
+
+```ruby
+describe aws_route_tables do
+ its('route_table_ids') { should include 'ROUTE_TABLE_ID' }
+end
+```
+
+Confirm a destination_cidr_blocks is there in the routes:
+
+```ruby
+describe aws_route_tables do
+ its('destination_cidr_blocks') { should include "IPV4_CIDR_BLOCK" }
+end
+```
+
+Ensure subnet ID of interest is associated :
+
+```ruby
+describe aws_route_tables do
+ its('associated_subnet_ids') { should include 'SUBNET_ID' }
+end
+```
+
+Filter only main route tables:
+
+```ruby
+describe aws_route_tables.where(main: true) do
+ it { should exist }
+end
+```
+
+Filter all failed associations:
+
+```ruby
+describe aws_route_tables.where{ association_states.include?('associated') } do
+ it { should exist }
+end
+```
+
+## Matchers
+
+### exist
+
+The control will pass if the describe returns at least one result.
+
+Use `should` to test the entity should not exist.
+
+```ruby
+describe aws_route_tables do
+ it { should exist }
+end
+```
+
+## AWS Permissions
+
+{{% inspec-aws/aws_permissions_principal action="EC2:Client:DescribeRouteTablesResult" %}}
+
+You can find detailed documentation at [Actions, Resources, and Condition Keys for Amazon EC2](https://docs.aws.amazon.com/IAM/latest/UserGuide/list_amazonec2.html).
diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_s3_access_point.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_s3_access_point.md
new file mode 100644
index 0000000..64f63c2
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_s3_access_point.md
@@ -0,0 +1,108 @@
++++
+title = "aws_s3_access_point resource"
+
+draft = false
+
+
+[menu.aws]
+title = "aws_s3_access_point"
+identifier = "inspec/resources/aws/aws_s3_access_point resource"
+parent = "inspec/resources/aws"
++++
+
+Use the `aws_s3_access_point` InSpec audit resource to test properties of a single specific S3 bucket resource.
+
+For additional information, including details on parameters and properties, see the [AWS documentation on AWS API Metric.](https://docs.aws.amazon.com/AmazonS3/latest/API/API_GetBucketMetricsConfiguration.html).
+
+## Syntax
+
+Ensure that the base path mapping exists.
+
+```ruby
+describe aws_s3_access_point(bucket_name: 'BUCKET_NAME', metrics_id: 'METRICS_ID') do
+ it { should exist }
+end
+```
+
+## Parameters
+
+`domain_name` _(required)_
+
+: The name of the bucket containing the metrics configuration to retrieve.
+
+`metrics_id` _(required)_
+
+: The ID used to identify the metrics configuration.
+
+## Properties
+
+`id`
+: The ID used to identify the metrics configuration.
+
+: **Field**: `id`
+
+`filter.access_point_arn`
+: The access point ARN used when evaluating a metrics filter.
+
+: **Field**: `filter.access_point_arn`
+
+`filter.and.access_point_arn`
+: The access point ARN used when evaluating an AND predicate.
+
+: **Field**: `filter.and.access_point_arn`
+
+## Examples
+
+Ensure that the id is available:
+
+```ruby
+describe aws_s3_access_point(bucket_name: 'BUCKET_NAME', metrics_id: 'METRICS_ID') do
+ its('id') { should eq 'METRICS_ID' }
+end
+```
+
+Ensure that access point arn is available:
+
+```ruby
+describe aws_s3_access_point(bucket_name: 'BUCKET_NAME', metrics_id: 'METRICS_ID') do
+ its('filter.access_point_arn') { should eq 'AccessPointArn' }
+end
+```
+
+## Matchers
+
+{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}}
+
+This resource has the following special matchers.
+
+### exist
+
+Use `should` to test that the entity exists.
+
+```ruby
+describe aws_s3_access_point(bucket_name: 'BUCKET_NAME', metrics_id: 'METRICS_ID') do
+ it { should exist }
+end
+```
+
+Use `should_not` to test the entity does not exist.
+
+```ruby
+describe aws_s3_access_point(bucket_name: 'dummy', metrics_id: 'dummy') do
+ it { should_not exist }
+end
+```
+
+### be_available
+
+Use `should` to check if the entity is available.
+
+```ruby
+describe aws_s3_access_point(bucket_name: 'BUCKET_NAME', metrics_id: 'METRICS_ID') do
+ it { should be_available }
+end
+```
+
+## AWS Permissions
+
+{{% inspec-aws/aws_permissions_principal action="S3:Client:GetBucketMetricsConfigurationOutput" %}}
diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_s3_access_points.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_s3_access_points.md
new file mode 100644
index 0000000..fedc7c9
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_s3_access_points.md
@@ -0,0 +1,104 @@
++++
+title = "aws_s3_access_points resource"
+
+draft = false
+
+
+[menu.aws]
+title = "aws_s3_access_points"
+identifier = "inspec/resources/aws/aws_s3_access_points resource"
+parent = "inspec/resources/aws"
++++
+
+Use the `aws_s3_access_points` InSpec audit resource to test properties of a Multiple specific S3 bucket points resource.
+
+For additional information, including details on parameters and properties, see the [AWS documentation on AWS S3 Access Points.](https://docs.aws.amazon.com/AmazonS3/latest/API/API_GetBucketMetricsConfiguration.html).
+
+## Syntax
+
+Ensure that the base path mapping exists.
+
+```ruby
+describe aws_s3_access_points(bucket_name: 'BUCKET_NAME') do
+ it { should exist }
+end
+```
+
+## Parameters
+
+`bucket_name` _(required)_
+
+: The name of the bucket containing the metrics configuration to retrieve.
+
+## Properties
+
+`ids`
+: The ID used to identify the metrics configuration.
+
+: **Field**: `id`
+
+`filter_access_point_arns`
+: The access point ARN used when evaluating a metrics filter.
+
+: **Field**: `filter.access_point_arn`
+
+`filter_and_access_point_arns`
+: The access point ARN used when evaluating an AND predicate.
+
+: **Field**: `filter.and.access_point_arn`
+
+## Examples
+
+Ensure that an ID is available:
+
+```ruby
+describe aws_s3_access_points(bucket_name: 'BUCKET_NAME') do
+ its('ids') { should include 'AccessPointArn' }
+end
+```
+
+Ensure that stage name is available:
+
+```ruby
+describe aws_s3_access_points(bucket_name: 'BUCKET_NAME') do
+ its('filter_access_point_arns') { should include 'AccessPointArn' }
+end
+```
+
+## Matchers
+
+{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}}
+
+The controls will pass if the `list` method returns at least one result.
+
+### exist
+
+Use `should` to test that the entity exists.
+
+```ruby
+describe aws_s3_access_points(bucket_name: 'BUCKET_NAME') do
+ it { should exist }
+end
+```
+
+Use `should_not` to test the entity does not exist.
+
+```ruby
+describe aws_s3_access_points(bucket_name: 'BUCKET_NAME') do
+ it { should_not exist }
+end
+```
+
+### be_available
+
+Use `should` to check if the entity is available.
+
+```ruby
+describe aws_s3_access_points(bucket_name: 'BUCKET_NAME') do
+ it { should be_available }
+end
+```
+
+## AWS Permissions
+
+{{% inspec-aws/aws_permissions_principal action="S3:Client:listBucketMetricsConfigurationOutput" %}}
diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_s3_bucket.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_s3_bucket.md
new file mode 100644
index 0000000..0dc7904
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_s3_bucket.md
@@ -0,0 +1,196 @@
++++
+title = "aws_s3_bucket resource"
+
+draft = false
+
+
+[menu.aws]
+title = "aws_s3_bucket"
+identifier = "inspec/resources/aws/aws_s3_bucket resource"
+parent = "inspec/resources/aws"
++++
+
+Use the `aws_s3_bucket` InSpec audit resource to test properties of a single AWS bucket.
+
+For additional information, including details on parameters and properties, see the [AWS documentation on S3 Buckets](https://docs.aws.amazon.com/AmazonS3/latest/dev/UsingBucket.html).
+
+## Syntax
+
+An `aws_s3_bucket` resource block declares a bucket by name, and then lists tests to be performed.
+
+```ruby
+describe aws_s3_bucket(bucket_name: 'test_bucket') do
+ it { should exist }
+ it { should_not be_public }
+end
+```
+
+```ruby
+describe aws_s3_bucket('test_bucket') do
+ it { should exist }
+end
+```
+
+## Parameters
+
+`bucket_name` _(required)_
+
+: This resource accepts a single parameter, the S3 Bucket Name which uniquely identifies the bucket.
+ This can be passed either as a string or as a `bucket_name: 'value'` key-value entry in a hash.
+
+## Properties
+
+`region`
+: The region of the bucket. Region is overridden based on the location returned from S3.
+
+`bucket_acl`
+: An array of AWS Grants detailing permission grants on the bucket.
+
+`bucket_policy`
+: The IAM policy document controlling access to the bucket.
+
+`bucket_lifecycle_rules`
+: The lifecycle policy rules that define actions S3 will take for all objects (or a subset of objects) in their lifetime.
+
+`tags`
+: An hash with each key-value pair corresponding to a tag associated with the entity.
+
+## Examples
+
+Test the bucket-level ACL:
+
+```ruby
+describe aws_s3_bucket('test_bucket') do
+ its('bucket_acl.count') { should eq 1 }
+end
+```
+
+Check if a bucket has a bucket policy:
+
+```ruby
+describe aws_s3_bucket('test_bucket') do
+ its('bucket_policy') { should be_empty }
+end
+```
+
+Check if a bucket appears to be exposed to the public:
+
+```ruby
+describe aws_s3_bucket('test_bucket') do
+ it { should_not be_public }
+end
+```
+
+Check if the correct region is set:
+
+```ruby
+describe aws_s3_bucket('test_bucket') do
+ its('region') { should eq 'us-east-1' }
+end
+```
+
+Check bucket's ACL for correct grants:
+
+```ruby
+bucket_acl = aws_s3_bucket('my-bucket').bucket_acl
+```
+
+Look for grants to "AllUsers" (that is, the public):
+
+```ruby
+all_users_grants = bucket_acl.select do |g|
+ g.grantee.type == 'Group' && g.grantee.uri =~ /AllUsers/
+end
+```
+
+Look for grants to "AuthenticatedUsers" (that is, any authenticated AWS user - nearly public):
+
+```ruby
+auth_grants = bucket_acl.select do |g|
+ g.grantee.type == 'Group' && g.grantee.uri =~ /AuthenticatedUsers/
+end
+```
+
+Test all buckets :
+
+```ruby
+aws_s3_buckets.bucket_names.each do |bucket_name|
+ describe aws_s3_bucket(bucket_name) do
+ it { should have_default_encryption_enabled }
+ end
+ end
+```
+
+Test buckets in a specific region :
+
+```ruby
+aws_s3_buckets.bucket_names.each do |bucket_name|
+ if aws_s3_bucket(bucket_name: bucket_name).region == region
+ describe aws_s3_bucket(bucket_name) do
+ it { should have_default_encryption_enabled }
+ end
+ end
+ end
+```
+
+Check if a bucket has a bucket policy that requires requests to use HTTPS:
+
+```ruby
+describe aws_s3_bucket('test_bucket') do
+ it { should have_secure_transport_enabled }
+end
+```
+
+## Matchers
+
+{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}}
+
+This resource has the following special matchers.
+
+#### be_public
+
+The `be_public` matcher tests if the bucket has potentially insecure access controls. This high-level matcher detects several insecure conditions, which may be enhanced in the future. Currently, the matcher reports an insecure bucket if any of the following conditions are met:
+
+ 1. A bucket ACL grant exists for the 'AllUsers' group
+ 2. A bucket ACL grant exists for the 'AuthenticatedUsers' group
+ 3. A bucket policy has an effect 'Allow' and principal '*'
+
+Note: This resource does not detect insecure object ACLs.
+
+```ruby
+it { should_not be_public }
+```
+
+#### have_access_logging_enabled
+
+The `have_access_logging_enabled` matcher tests if access logging is enabled for the s3 bucket.
+
+```ruby
+it { should have_access_logging_enabled }
+```
+
+#### have_default_encryption_enabled
+
+The `have_default_encryption_enabled` matcher tests if default encryption is enabled for the s3 bucket.
+
+```ruby
+it { should have_default_encryption_enabled }
+```
+
+#### have_versioning_enabled
+
+The `have_versioning_enabled` matcher tests if versioning is enabled for the s3 bucket.
+
+ it { should have_versioning_enabled }
+
+#### have_secure_transport_enabled
+
+The `have_secure_transport_enabled` matcher tests if a bucket policy that explicitly denies requests via HTTP is enabled for the s3 bucket.
+
+ it { should have_secure_transport_enabled }
+
+## AWS Permissions
+
+Your [Principal](https://docs.aws.amazon.com/IAM/latest/UserGuide/intro-structure.html#intro-structure-principal) will need the `S3:Client:GetBucketAclOutput`, `S3:Client:GetBucketLocationOutput`, `S3:Client:GetBucketLoggingOutput`, `S3:Client:GetBucketPolicyOutput`, and `S3:Client:GetBucketEncryptionOutput` actions set to allow.
+
+You can find detailed documentation at [Actions, Resources, and Condition Keys for Amazon S3](https://docs.aws.amazon.com/IAM/latest/UserGuide/list_amazons3.html).
diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_s3_bucket_object.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_s3_bucket_object.md
new file mode 100644
index 0000000..7c4f8cb
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_s3_bucket_object.md
@@ -0,0 +1,116 @@
++++
+title = "aws_s3_bucket_object resource"
+
+draft = false
+
+
+[menu.aws]
+title = "aws_s3_bucket_object"
+identifier = "inspec/resources/aws/aws_s3_bucket_object resource"
+parent = "inspec/resources/aws"
++++
+
+Use the `aws_s3_bucket_object` InSpec audit resource to test properties of a single AWS bucket object.
+
+Each S3 Object has a 'key' which can be thought of as the name of the S3 Object which uniquely identifies it.
+
+For additional information, including details on parameters and properties, see the [AWS documentation on S3 Buckets](https://docs.aws.amazon.com/AmazonS3/latest/dev/UsingBucket.html).
+
+## Syntax
+
+An `aws_s3_bucket_object` resource block declares a bucket and an object key by name, and then lists tests to be performed.
+
+```ruby
+describe aws_s3_bucket_object(bucket_name: 'test_bucket', key: 'test_object_key') do
+ it { should exist }
+ it { should_not be_public }
+end
+```
+
+## Parameters
+
+`bucket_name` _(required)_
+
+: The S3 Bucket Name which uniquely identifies the bucket.
+ This must be passed as a `bucket_name: 'value'` key-value entry in a hash.
+
+`key` _(required)_
+
+: The S3 Bucket Key which uniquely identifies the bucket object.
+ This must be passed as a `key: 'value'` key-value entry in a hash.
+
+## Properties
+
+`bucket_name`
+: The name of the bucket.
+
+`key`
+: The key within the bucket.
+
+`content_length`
+: Size of the body in bytes.
+
+`content_type`
+: A standard MIME type describing the format of the object data.
+
+`object_acl`
+: An array of AWS Grants detailing permission grants on the bucket object.
+
+There are also additional properties available. For a comprehensive list, see [the API reference documentation](https://docs.aws.amazon.com/AmazonS3/latest/API/API_GetObject.html).
+
+## Examples
+
+Test an object's object-level ACL:
+
+```ruby
+describe aws_s3_bucket_object(bucket_name: 'test_bucket', key: 'test_key') do
+ its('object_acl.count') { should eq 1 }
+end
+```
+
+Test an object's size in bytes is less than `100000`:
+
+```ruby
+describe aws_s3_bucket_object(bucket_name: 'test_bucket', key: 'test_key') do
+ its('content_length') { should be < 1_000_000 }
+end
+```
+
+Test an object's type is "image/jpeg":
+
+```ruby
+describe aws_s3_bucket_object(bucket_name: 'test_bucket', key: 'test_key') do
+ its('content_type') { should eq "image/jpeg" }
+end
+```
+
+Check to see if a object appears to be exposed to the public:
+
+```ruby
+describe aws_s3_bucket_object(bucket_name: 'test_bucket', key: 'test_key') do
+ it { should_not be_public }
+end
+```
+
+## Matchers
+
+This InSpec audit resource has the following special matchers. For a full list of available matchers (such as `exist`) please visit our [matchers page](https://www.inspec.io/docs/reference/matchers/).
+
+### be_public
+
+The `be_public` matcher tests if the object has potentially insecure access controls. This high-level matcher detects several insecure conditions, which may be enhanced in the future. Currently, the matcher reports an insecure object if any of the following conditions are met:
+
+ 1. A object ACL grant exists for the 'AllUsers' group
+ 2. A object ACL grant exists for the 'AuthenticatedUsers' group
+
+Note: This resource does not detect insecure bucket ACLs.
+
+```ruby
+it { should_not be_public }
+```
+
+## AWS Permissions
+
+Your [Principal](https://docs.aws.amazon.com/IAM/latest/UserGuide/intro-structure.html#intro-structure-principal) will need the `S3:Client:GetObjectOutput`, and `S3:Client:GetObjectAclOutput` actions set to allow.
+
+You can find detailed documentation at [Actions, Resources, and Condition Keys for Amazon S3](https://docs.aws.amazon.com/IAM/latest/UserGuide/list_amazons3.html).
diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_s3_bucket_objects.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_s3_bucket_objects.md
new file mode 100644
index 0000000..39effb4
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_s3_bucket_objects.md
@@ -0,0 +1,187 @@
++++
+title = "aws_s3_bucket_objects resource"
+
+draft = false
+
+
+[menu.aws]
+title = "aws_s3_bucket_objects"
+identifier = "inspec/resources/aws/aws_s3_bucket_objects resource"
+parent = "inspec/resources/aws"
++++
+
+Use the `aws_s3_bucket_objects` InSpec audit resource to test properties of multiple AWS S3 bucket objects.
+
+Amazon S3 is an object store that uses unique key-values to store as many objects as you want.
+
+`bucket_name` _(required)_
+
+The bucket name.
+
+For additional information, including details on parameters and properties, see the [AWS documentation on S3 Buckets](https://docs.aws.amazon.com/AmazonS3/latest/dev/UsingBucket.html).
+
+## Syntax
+
+Ensure that a bucket exists.
+
+```ruby
+describe aws_s3_bucket_objects(bucket_name: 'BUCKET_NAME') do
+ it { should exist }
+end
+```
+
+## Parameters
+
+`bucket_name` _(required)_
+
+: The bucket name.
+
+## Properties
+
+`contents`
+: A list of the metadata about each object returned.
+
+: **Field**: `contents`
+
+`contents_keys`
+: A list of the object names.
+
+: **Field**: `contents (key)`
+
+`contents_last_modified`
+: A list of creation date of the objects.
+
+: **Field**: `contents (last_modified)`
+
+`contents_sizes`
+: A list of the sizes of the objects in bytes.
+
+: **Field**: `contents (size)`
+
+`contents_etags`
+: A list of the entity tags which are a hash of the objects.
+
+: **Field**: `contents (etag)`
+
+`contents_storage_classes`
+: A list of the classes of storage used to store the objects.
+
+: **Field**: `contents (storage_class)`
+
+`contents_owners`
+: A list of the owners of the objects.
+
+: **Field**: `contents (owners)`
+
+`names`
+: The bucket name.
+
+: **Field**: `name`
+
+`prefixes`
+: A list of keys that begin with the indicated prefix.
+
+: **Field**: `prefix`
+
+`delimiters`
+: A list of delimiters, which are a character used to group keys.
+
+: **Field**: `delimiter`
+
+`max_keys`
+: The maximum number of keys returned in the response.
By default the action returns up to 1,000 key names.
+
+: **Field**: `max_keys`
+
+`common_prefixes`
+: A list of containers for the specified common prefix.
+
+: **Field**: `common_prefixes (prefix)`
+
+`encoding_types`
+: A list of the encoding types used by Amazon S3 to encode object key names in the XML response.
+
+: **Field**: `encoding_type`
+
+`key_counts`
+: The number of keys returned with this request.
+
+: **Field**: `key_count`
+
+## Examples
+
+Ensure whether the bucket is truncated:
+
+```ruby
+describe aws_s3_bucket_objects(bucket_name: 'BUCKET_NAME') do
+ its ('is_truncated') { should include true }
+end
+```
+
+Verify the bucket name:
+
+```ruby
+describe aws_s3_bucket_objects(bucket_name: 'BUCKET_NAME') do
+ its ('names') { should include "BUCKET_NAME" }
+end
+```
+
+Ensure an object name exists:
+
+```ruby
+describe aws_s3_bucket_objects(bucket_name: 'BUCKET_NAME') do
+ its('contents_keys') { should include 'OBJECT_NAME' }
+end
+```
+
+Ensure an object has a last modified date:
+
+```ruby
+describe aws_s3_bucket_objects(bucket_name: 'BUCKET_NAME') do
+ its('contents_last_modified') { should include Time.parse("2021-05-05 06:22:04.000000000 +0000") }
+end
+```
+
+Ensure a storage class of an object exists:
+
+```ruby
+describe aws_s3_bucket_objects(bucket_name: 'BUCKET_NAME') do
+ its('contents_storage_classes') { should include "STANDARD") }
+end
+```
+
+Verify the key counts of a bucket:
+
+```ruby
+describe aws_s3_bucket_objects(bucket_name: 'BUCKET_NAME') do
+ its('key_counts') { should include 2 }
+end
+```
+
+## Matchers
+
+{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}}
+
+The controls will pass if the `list` method returns at least one result.
+
+### exist
+
+Use `should` to test that the entity exists.
+
+```ruby
+describe aws_s3_bucket_objects(bucket_name: 'BUCKET_NAME') do
+ it { should exist }
+end
+```
+
+Use `should_not` to test the entity does not exist.
+
+```ruby
+describe aws_s3_bucket_objects(bucket_name: 'BUCKET_NAME') do
+ it { should_not exist }
+end
+```
+
+## AWS Permissions
+
+{{% inspec-aws/aws_permissions_principal action="S3:Client:ListObjectsV2Output" %}}
diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_s3_bucket_policy.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_s3_bucket_policy.md
new file mode 100644
index 0000000..e4c9b95
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_s3_bucket_policy.md
@@ -0,0 +1,101 @@
++++
+title = "aws_s3_bucket_policy resource"
+
+draft = false
+
+
+[menu.aws]
+title = "aws_s3_bucket_policy"
+identifier = "inspec/resources/aws/aws_s3_bucket_policy resource"
+parent = "inspec/resources/aws"
++++
+
+Use the `aws_s3_bucket_policy` Chef InSpec audit resource to test properties of a single AWS S3 bucket policy.
+
+The `AWS::S3::BucketPolicy` resource type applies an Amazon S3 bucket policy to an Amazon S3 bucket.
+
+For additional information, including details on parameters and properties, see the [AWS documentation on the `AWS::S3::BucketPolicy` resource](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-s3-policy.html).
+
+## Syntax
+
+Ensure that an S3 bucket policy exists.
+
+```ruby
+describe aws_s3_bucket_policy(bucket: 'BUCKET_NAME') do
+ it { should exist }
+end
+```
+
+## Parameters
+
+`bucket` _(required)_
+
+: The name of the Amazon S3 bucket to which the policy applies.
+
+## Properties
+
+`Effect`
+: The effect of the policy.
+
+`Sid`
+: The policy statement ID of the S3 bucket.
+
+`Condition`
+: The policy condition key of the S3 bucket.
+
+`Action`
+: The policy action of the S3 bucket.
+
+`Resource`
+: The policy resource type of the S3 bucket.
+
+`Principal`
+: The policy principal of the S3 bucket.
+
+## Examples
+
+Ensure a policy is available:
+
+```ruby
+describe aws_s3_bucket_policy(bucket: 'BUCKET_NAME') do
+ its('Sid') { should eq 'SID' }
+end
+```
+
+## Matchers
+
+{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}}
+
+This resource has the following special matchers.
+
+### exist
+
+Use `should` to test that the entity exists.
+
+```ruby
+describe aws_s3_bucket_policy(bucket: 'BUCKET_NAME') do
+ it { should exist }
+end
+```
+
+Use `should_not` to test the entity does not exist.
+
+```ruby
+describe aws_s3_bucket_policy(bucket: 'BUCKET_NAME') do
+ it { should_not exist }
+end
+```
+
+### be_available
+
+Use `should` to check if the entity is available.
+
+```ruby
+describe aws_s3_bucket_policy(bucket: 'BUCKET_NAME') do
+ it { should be_available }
+end
+```
+
+## AWS Permissions
+
+{{% inspec-aws/aws_permissions_principal action="S3:Client:GetBucketPolicyOutput" %}}
diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_s3_buckets.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_s3_buckets.md
new file mode 100644
index 0000000..81232cf
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_s3_buckets.md
@@ -0,0 +1,82 @@
++++
+title = "aws_s3_buckets resource"
+
+draft = false
+
+
+[menu.aws]
+title = "aws_s3_buckets"
+identifier = "inspec/resources/aws/aws_s3_buckets resource"
+parent = "inspec/resources/aws"
++++
+
+Use the `aws_s3_buckets` InSpec audit resource to list all buckets in a single account.
+
+For additional information, including details on parameters and properties, see the [AWS documentation on S3 Buckets](https://docs.aws.amazon.com/AmazonS3/latest/dev/UsingBucket.html).
+
+## Syntax
+
+An `aws_s3_buckets` resource block takes no arguments
+
+```ruby
+describe aws_s3_buckets do
+ it { should exist }
+end
+```
+
+## Parameters
+
+This resource does not require any parameters.
+
+## Properties
+
+`bucket_names`
+: An Array of bucket names.
+
+`tags`
+: An hash with each key-value pair corresponding to a tag associated with the entity.
+
+`entries`
+: Provides access to the raw results of the query, which can be treated as an array of hashes.
+
+## Examples
+
+Examine what buckets have been created:
+
+```ruby
+describe aws_s3_buckets do
+ its('bucket_names') { should eq ['my_bucket'] }
+OR:
+
+ its('bucket_names') { should include 'my_bucket' }
+end
+```
+
+Check the tags on buckets :
+
+```ruby
+describe aws_s3_buckets.where( bucket_names: 'my-bucket' ) do
+ its('tags') { should include(:Environment => 'env-name',
+ :Name => 'bucket-name')}
+end
+```
+
+## Matchers
+
+### exist
+
+The control will pass if the resource contains at least one bucket.
+
+Test if there are any buckets:
+
+```ruby
+describe aws_s3_buckets
+ it { should exist }
+end
+```
+
+## AWS Permissions
+
+{{% inspec-aws/aws_permissions_principal action="S3:Client:ListBucketsOutput" %}}
+
+You can find detailed documentation at [Actions, Resources, and Condition Keys for Amazon S3](https://docs.aws.amazon.com/IAM/latest/UserGuide/list_amazons3.html).
diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_sdb_domains.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_sdb_domains.md
new file mode 100644
index 0000000..4dd03fc
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_sdb_domains.md
@@ -0,0 +1,74 @@
++++
+title = "aws_sdb_domains resource"
+
+draft = false
+
+
+[menu.aws]
+title = "aws_sdb_domains"
+identifier = "inspec/resources/aws/aws_sdb_domains resource"
+parent = "inspec/resources/aws"
++++
+
+Use the `aws_sdb_domains` InSpec audit resource to test multiple SimpleDB domain names.
+
+## Syntax
+
+Ensure that a domain exists.
+
+```ruby
+describe aws_sdb_domains do
+ it { should exist }
+end
+```
+
+For additional information, see the [AWS documentation on AWS SDB Domains.](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-simpledb.html).
+
+## Parameters
+
+This resource does not require any parameters.
+
+## Properties
+
+`domain_names`
+: A list of domain names that match the expression.
+
+: **Field**: `domain_names`
+
+## Examples
+
+Ensure a domain name is available:
+
+```ruby
+describe aws_sdb_domains do
+ its('domain_names') { should include 'DOMAIN_NAME')' }
+end
+```
+
+## Matchers
+
+{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}}
+
+The controls will pass if the `list` method returns at least one result.
+
+### exist
+
+Use `should` to test that the entity exists.
+
+```ruby
+describe aws_sdb_domains do
+ it { should exist }
+end
+```
+
+Use `should_not` to test the entity does not exist.
+
+```ruby
+describe aws_sdb_domains do
+ it { should_not exist }
+end
+```
+
+## AWS Permissions
+
+{{% inspec-aws/aws_permissions_principal action="SimpleDB:Client:ListDomainsResult" %}}
diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_secretsmanager_secret.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_secretsmanager_secret.md
new file mode 100644
index 0000000..c911808
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_secretsmanager_secret.md
@@ -0,0 +1,137 @@
++++
+title = "aws_secretsmanager_secret resource"
+
+draft = false
+
+
+[menu.aws]
+title = "aws_secretsmanager_secret"
+identifier = "inspec/resources/aws/aws_secretsmanager_secret resource"
+parent = "inspec/resources/aws"
++++
+
+Use the `aws_secretsmanager_secret` InSpec audit resource to test properties of a single AWS Secret Manager secret.
+
+The `AWS::SecretsManager::Secret` resource creates a secret and stores it in Secrets Manager.
+
+For additional information, including details on parameters and properties, see the [AWS documentation on AWS Secret Manager Secret](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-secretsmanager-secret.html).
+
+## Syntax
+
+Ensure that a secret ID exists.
+
+```ruby
+describe aws_secretsmanager_secret(secret_id: 'SECRET_ID') do
+ it { should exist }
+end
+```
+
+## Parameters
+
+`secret_id` _(required)_
+
+## Properties
+
+`arn`
+: The Amazon Resource Name (ARN) of the secret.
+
+`name`
+: The friendly name of the secret.
+
+`description`
+: The user-provided description of the secret.
+
+`kms_key_id`
+: The ARN or alias of the AWS KMS customer master key (CMK) used to encrypt the `SecretString` and `SecretBinary` fields in each version of the secret.
+
+`rotation_enabled`
+: Indicates whether automatic, scheduled rotation is enabled for this secret.
+
+`rotation_lambda_arn`
+: The ARN of an AWS Lambda function invoked by Secrets Manager to rotate and expire the secret either automatically per the schedule or manually by a call to `RotateSecret`.
+
+`rotation_rules (automatically_after_days)`
+: Specifies the number of days between automatic scheduled rotations of the secret.
+
+`last_rotated_date`
+: The most recent date and time that the Secrets Manager rotation process was successfully completed. This value is `null` if the secret hasn't ever rotated.
+
+`last_changed_date`
+: The last date and time that this secret was modified in any way.
+
+`last_accessed_date`
+: The last date that this secret was accessed. This value is truncated to midnight of the date and therefore shows only the date, not the time.
+
+`deleted_date`
+: The date and time the deletion of the secret occurred. Not present on active secrets. The secret can be recovered until the number of days in the recovery window has passed, as specified in the `RecoveryWindowInDays` parameter of the `DeleteSecret` operation.
+
+`tags`
+: The list of user-defined tags associated with the secret.
+
+`secret_versions_to_stages`
+: A list of all of the currently assigned `SecretVersionStage` staging labels and the `SecretVersionId` attached to each one. Staging labels are used to keep track of the different versions during the rotation process.
+
+`owning_service`
+: Returns the name of the service that created the secret.
+
+`created_date`
+: The date and time when a secret was created.
+
+`primary_region`
+: The region where Secrets Manager originated the secret.
+
+## Examples
+
+Ensure the ARN is available:
+
+```ruby
+describe aws_secretsmanager_secret(secret_id: 'SECRET_ID') do
+ its('arn') { should eq 'arn:aws:secretsmanager:us-west-2:123456789012:secret:MyTestDatabaseSecret-a1b2c3' }
+end
+```
+
+Ensure the name is available:
+
+```ruby
+describe aws_secretsmanager_secret(secret_id: 'SECRET_ID') do
+ its('name') { should eq 'MyTestDatabaseSecret' }
+end
+```
+
+## Matchers
+
+{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}}
+
+The controls will pass if the `describe` method returns at least one result.
+
+### exist
+
+Use `should` to test that the entity exists.
+
+```ruby
+describe aws_secretsmanager_secret(secret_id: 'SECRET_ID') do
+ it { should exist }
+end
+```
+
+Use `should_not` to test the entity does not exist.
+
+```ruby
+describe aws_secretsmanager_secret(secret_id: 'SECRET_ID') do
+ it { should_not exist }
+end
+```
+
+### be_available
+
+Use `should` to check if the secret ID is available.
+
+```ruby
+describe aws_secretsmanager_secret(secret_id: 'SECRET_ID') do
+ it { should be_available }
+end
+```
+
+## AWS Permissions
+
+{{% inspec-aws/aws_permissions_principal action="SecretsManager:Client:DescribeSecretResponse" %}}
diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_secretsmanager_secrets.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_secretsmanager_secrets.md
new file mode 100644
index 0000000..0eda244
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_secretsmanager_secrets.md
@@ -0,0 +1,137 @@
++++
+title = "aws_secretsmanager_secrets resource"
+
+draft = false
+
+
+[menu.aws]
+title = "aws_secretsmanager_secrets"
+identifier = "inspec/resources/aws/aws_secretsmanager_secrets resource"
+parent = "inspec/resources/aws"
++++
+
+Use the `aws_secretsmanager_secrets` InSpec audit resource to test properties of multiple AWS Secret Manager secrets.
+
+The `AWS::SecretsManager::Secret` resource creates a secret and stores it in Secrets Manager.
+
+For additional information, including details on parameters and properties, see the [AWS documentation on AWS Secret Manager Secret](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-secretsmanager-secret.html).
+
+## Syntax
+
+Ensure that a secret exists.
+
+```ruby
+describe aws_secretsmanager_secrets do
+ it { should exist }
+end
+```
+
+## Parameters
+
+This resource does not require any parameters.
+
+## Properties
+
+`arns`
+: The Amazon Resource Name (ARN) of the secret.
+
+`names`
+: The friendly name of the secret.
+
+`descriptions`
+: The user-provided description of the secret.
+
+`kms_key_ids`
+: The ARN or alias of the AWS KMS customer master key (CMK) used to encrypt the `SecretString` and `SecretBinary` fields in each version of the secret.
+
+`rotation_enabled`
+: Indicates whether automatic, scheduled rotation is enabled for this secret.
+
+`rotation_lambda_arns`
+: The ARN of an AWS Lambda function invoked by Secrets Manager to rotate and expire the secret either automatically per the schedule or manually by a call to `RotateSecret`.
+
+`rotation_rules`
+: A structure that defines the rotation configuration for the secret.
+
+`last_rotated_dates`
+: The most recent date and time that the Secrets Manager rotation process was successfully completed. This value is `null` if the secret hasn't ever rotated.
+
+`last_changed_dates`
+: The last date and time that this secret was modified in any way.
+
+`last_accessed_dates`
+: The last date that this secret was accessed. This value is truncated to midnight of the date and therefore shows only the date, not the time.
+
+`deleted_dates`
+: The date and time the deletion of the secret occurred. Not present on active secrets. The secret can be recovered until the number of days in the recovery window has passed, as specified in the `RecoveryWindowInDays` parameter of the `DeleteSecret` operation.
+
+`tags`
+: The list of user-defined tags associated with the secret.
+
+`secret_versions_to_stages`
+: A list of all of the currently assigned `SecretVersionStage` staging labels and the `SecretVersionId` attached to each one. Staging labels are used to keep track of the different versions during the rotation process.
+
+`owning_services`
+: Returns the name of the service that created the secret.
+
+`created_dates`
+: The date and time when a secret was created.
+
+`primary_regions`
+: The region where Secrets Manager originated the secret.
+
+## Examples
+
+Ensure an ARN is available:
+
+```ruby
+describe aws_secretsmanager_secrets do
+ its('arns') { should include 'SECRETS_MANAGER_SECRET_ARN' }
+end
+```
+
+Ensure a name is available:
+
+```ruby
+describe aws_secretsmanager_secrets do
+ its('names') { should include 'SECRET_NAME' }
+end
+```
+
+## Matchers
+
+{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}}
+
+The controls will pass if the `list` method returns at least one result.
+
+### exist
+
+Use `should` to test that the entity exists.
+
+```ruby
+describe aws_secretsmanager_secrets do
+ it { should exist }
+end
+```
+
+Use `should_not` to test the entity does not exist.
+
+```ruby
+describe aws_secretsmanager_secrets do
+ it { should_not exist }
+end
+```
+
+### be_available
+
+Use `should` to check if the secret is available.
+
+```ruby
+describe aws_secretsmanager_secrets do
+ it { should be_available }
+end
+```
+
+## AWS Permissions
+
+{{% inspec-aws/aws_permissions_principal action="SecretsManager:Client:ListSecretsResponse" %}}
diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_security_group.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_security_group.md
new file mode 100644
index 0000000..72669b9
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_security_group.md
@@ -0,0 +1,333 @@
++++
+title = "aws_security_group resource"
+
+draft = false
+
+
+[menu.aws]
+title = "aws_security_group"
+identifier = "inspec/resources/aws/aws_security_group resource"
+parent = "inspec/resources/aws"
++++
+
+Use the `aws_security_group` InSpec audit resource to test detailed properties of an individual security group (SG).
+
+SGs are a networking construct which contain ingress and egress rules for network communications. SGs may be attached to EC2 instances, as well as certain other AWS resources. Along with Network Access Control Lists, SGs are one of the two main mechanisms of enforcing network-level security.
+
+### Limitations
+
+While this resource provides facilities for searching inbound and outbound rules on a variety of criteria, there is currently no support for performing matches based on:
+
+* References to VPC peers or other AWS services (that is, no support for searches based on 'prefix lists').
+
+This resource requires one of the following parameters:
+
+* `group_id`
+* `group_name`
+* `vpc_id`
+* `resource_data`
+
+##### group_id _(required if no other parameter provided)_
+
+The security group ID which uniquely identifies the SG.
+This can be passed either as a string or as a `group_id: 'value'` key-value entry in a hash.
+
+##### group_name _(required if no other parameter provided)_
+
+The security group name.
+This can be passed either as a string or as a `group_name: 'value'` key-value entry in a hash.
+
+##### vpc_id _(required if no other parameter provided)_
+
+The ID of the VPC associated with the SG.
+This can be passed either as a string or as a `vpc_id: 'value'` key-value entry in a hash.
+
+### resource_data _(required if no other parameter provided)_
+
+The cached resource data object of a security group.
+This must be passed as a key-value entry in a hash. For example, `resource_data: AWS_SECURITY_GROUP_OBJECT` .
+
+For additional information, including details on parameters and properties, see the [AWS documentation on security groups](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-network-security.html).
+
+## Syntax
+
+```ruby
+describe aws_security_group('sg-12345678') do
+ it { should exist }
+end
+```
+
+May also use hash syntax:
+
+```ruby
+describe aws_security_group(group_id: 'sg-12345678') do
+ it { should exist }
+end
+```
+
+Ensure you have a security group with a specific name.
+Names are unique within a VPC but not across VPCs.
+Using only group returns an error if multiple security groups match.
+
+```ruby
+describe aws_security_group(group_name: 'my-group') do
+ it { should exist }
+end
+```
+
+Add vpc_id to ensure uniqueness:.
+
+```ruby
+describe aws_security_group(group_name: 'my-group', vpc_id: 'vpc-12345678') do
+ it { should exist }
+end
+```
+
+Using only resource data for a cached AWS security group:.
+
+```ruby
+describe aws_security_group(resource_data: 'AWS_SECURITY_GROUP_OBJECT') do
+ it { should exist }
+end
+```
+
+## Parameters
+
+This resource requires one of the following parameters:
+
+* `group_id`
+* `group_name`
+* `vpc_id`
+* `resource_data`
+
+`group_id` _(required if no other parameter provided)_
+
+: The security group ID which uniquely identifies the SG.
+ This can be passed either as a string or as a `group_id: 'value'` key-value entry in a hash.
+
+`group_name` _(required if no other parameter provided)_
+
+: The security group name.
+ This can be passed either as a string or as a `group_name: 'value'` key-value entry in a hash.
+
+`vpc_id` _(required if no other parameter provided)_
+
+: The ID of the VPC associated with the SG.
+ This can be passed either as a string or as a `vpc_id: 'value'` key-value entry in a hash.
+
+`resource_data` _(required if no other parameter provided)_
+
+: The cached resource data object of a security group.
+ This must be passed as a key-value entry in a hash. For example, `resource_data: AWS_SECURITY_GROUP_OBJECT` .
+
+## Properties
+
+`description`
+: A String reflecting the human-meaningful description that was given to the SG at creation time.
+
+`group_id`
+: Provides the security group ID.
+
+`group_name`
+: A String reflecting the name that was given to the SG at creation time.
+
+`inbound_rules`
+: A list of the rules that the security group applies to incoming network traffic.
+
+`inbound_rules_count`
+: A Number totalling the number of individual rules defined - It is a sum of the combinations of port, protocol, IPv4 rules, IPv6 rules and security group rules.
+
+`outbound_rules`
+: A list of the rules that the security group applies to outgoing network traffic initiated by the AWS resource in the security group.
+
+`outbound_rules_count`
+: A Number totalling the number of individual rules defined - It is a sum of the combinations of port, protocol, IPv4 rules, IPv6 rules and security group rules.
+
+`vpc_id`
+: A String in the format `vpc-` followed by 8 hexadecimal characters reflecting VPC that contains the security group.
+
+`tags`
+: The tags of the security group.
+
+## Examples
+
+Test outbound rules:
+
+```ruby
+describe aws_security_group(group_name: isolated_servers) do
+ its('outbound_rules.last') { should_not include(ip_ranges:['0.0.0.0/0']) }
+end
+```
+
+Test a rule that allows All Traffic:
+
+```ruby
+describe aws_security_group(group_name: my_group) do
+ it { should allow_in(ipv4_range: ["10.1.2.0/24", "10.3.2.0/24"], protocol: 'all') }
+end
+```
+
+Ensure a SG only allows SSH from a specific range:
+
+```ruby
+describe aws_security_group(group_name: linux_servers) do
+ it { should allow_in(port: 22, ipv4_range: '10.5.0.0/16') }
+ it { should_not allow_in(port: 22, ipv4_range: '0.0.0.0/0') }
+end
+```
+
+Ensure that the careful_updates security group may only initiate contact with specific IPs:
+
+```ruby
+describe aws_security_group(group_name: 'careful_updates') do
+```
+
+```ruby
+If you have two rules, with one CIDR each::
+
+[ '10.7.23.12/32', '10.8.23.12/32' ].each do |allowed_destination|
+This doesn't care about which ports are enabled:
+
+ it { should allow_out(ipv4_range: allowed_destination) }
+end
+```
+
+```ruby
+If you have one rule with two CIDRs::
+
+it { should allow_out(ipv4_range: [ '10.7.23.12/32', '10.8.23.12/32' ]) }
+```
+
+```ruby
+Expect exactly three rules:
+
+its('outbound_rules.count') { should cmp 3 }
+ end
+```
+
+Ensure that the canary_deployments security group only allows access from one specific security group id on port 443:
+
+```ruby
+describe aws_security_group(group_name: 'canary_deployments') do
+ it { should allow_in_only(port: 443, security_group: "sg-33334444") }
+end
+```
+
+## Matchers
+
+{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}}
+
+#### allow_in
+
+#### allow_out
+
+#### allow_in_only
+
+#### allow_out_only
+
+The `allow` series of matchers enable you to perform queries about what network traffic would be permitted through the security group rule set.
+
+`allow_in` and `allow_in_exactly` examine inbound rules, and `allow_out` and `allow_out_exactly` examine outbound rules.
+
+`allow_in` and `allow_out` examine if at least one rule that matches the criteria exists. `allow_in` and `allow_out` also perform inexact (ie, range-based or subset-based) matching on ports and IP addresses ranges, allowing you to specify a candidate port or IP address and determine if it is covered by a rule.
+
+`allow_in_only` and `allow_out_only` examines if exactly one rule exists (but see `position`, below), and if it matches the criteria (this is useful for ensuring no unexpected rules have been added). Additionally, `allow_in_only` and `allow_out_only` do _not_ perform inexact matching; you must specify exactly the port range or IP address(es) you wish to match.
+
+### Matchers search criteria
+
+The matchers accept a key-value list of search criteria. For a rule to match, it must match all provided criteria.
+
+* `from_port` - Determines if a rule exists whose port range begins at the specified number. The word `from_` does _not_ relate to inbound/outbound directionality; it relates to the port range ("counting _from_"). `from_port` is an exact criterion; so if the rule allows 1000-2000 and you specify a `from_port` of 1001, it does not match.
+* `ipv4_range` - Specifies an IPv4 address or subnet as a CIDR, or a list of them, to be checked as a permissible origin (for `allow_in`) or destination (for `allow_out`) for traffic. Each AWS security group rule may have multiple allowed source IP ranges.
+* ipv6_range - Specifies an IPv6 address or subnet as a CIDR, or a list of them, to be checked as a permissible origin (for `allow_in`) or destination (for `allow_out`) for traffic. Each AWS security group rule may have multiple allowed source IP ranges.
+* `port` - Determines if a particular TCP/IP port is reachable. `allow_in` and `allow_out` examine whether the specified port is included in the port range of a rule, while `allow_in`. You may specify the port as a string (`'22'`) or as a number.
+* `position` - A one-based index into the list of rules. If provided, this restricts the evaluation to the rule at that position. You may also use the special values `:first` and `:last`. `position` may also be used to enable `allow_in_only` and `allow_out_only` to work with multi-rule security groups.
+* `protocol` - Specifies the IP protocol. `tcp`, `udp`, and `icmp` are some typical values. The string `"-1"` or `any` is used to indicate any protocol.
+* `to_port` - Determines if a rule exists whose port range ends at the specified number. The word `to_` does _not_ relate to inbound/outbound directionality; it relates to the port range ("counting _to_"). `to_port` is an exact criterion; so if the rule allows 1000-2000 and you specify a `to_port` of 1999, it does not match.
+* `security_group` - Specifies a security-group id, to be checked as permissible origin (for `allow_in`) or destination (for `allow_out`) for traffic. Each AWS security group rule may have multiple allowed source or destination security groups.
+
+```ruby
+describe aws_security_group(group_name: 'mixed-functionality-group') do
+ # Allow RDP from defined range
+ it { should allow_in(port: 3389, ipv4_range: '10.5.0.0/16') }
+ it { should allow_in(port: 3389, ipv6_range: '2001:db8::/122') }
+```
+
+```ruby
+# Allow SSH from two ranges
+it { should allow_in(port: 22, ipv4_range: ['10.5.0.0/16', '10.2.3.0/24']) }
+```
+
+```ruby
+# Check Bacula port range
+it { should allow_in(from_port: 9101, to_port: 9103, ipv4_range: '10.6.7.0/24') }
+```
+
+```ruby
+# Assuming the AWS SG allows 9001-9003, use inexact matching to check 9002
+it { should allow_in(port: 9002) }
+```
+
+```ruby
+# Assuming the AWS SG allows 10.2.1.0/24, use inexact matching to check 10.2.1.33/32
+it { should allow_in(ipv4_range: '10.2.1.33/32') }
+```
+
+```ruby
+# Ensure the 3rd outbound rule is TCP-based
+it { should allow_in(protocol: 'tcp', position: 3') }
+```
+
+```ruby
+# Do not allow unrestricted IPv4 access.
+it { should_not allow_in(ipv4_range: '0.0.0.0/0') }
+```
+
+```ruby
+# Allow unrestricted access from security-group.
+it { should allow_in(security_group: 'sg-11112222') }
+ end
+```
+
+```ruby
+# Suppose you have a Group that should allow SSH and RDP from
+# the admin network, 10.5.0.0/16. The resource has 2 rules to
+# allow this, and you want to ensure no others have been added.
+describe aws_security_group(group_name: 'admin-group') do
+ # Allow RDP from a defined range and nothing else
+ # The SG must have this rule in position 1 and it must match this exactly
+ it { should allow_in_only(port: 3389, ipv4_range: '10.5.0.0/16', position: 1) }
+```
+
+```ruby
+# Specify position 2 for the SSH rule. Without `position`,
+# allow_in_only only allows one rule, total.
+it { should allow_in_only(port: 22, ipv4_range: '10.5.0.0/16', position: 2) }
+```
+
+```ruby
+# Because this is an _only matcher, this fails - _only matchers
+# use exact IP matching.
+it { should allow_in_only(port: 3389, ipv4_range: '10.5.1.34/32', position: 1) }
+ end
+```
+
+### exist
+
+The control will pass if the describe returns at least one result.
+
+Use `should_not` to test the entity should not exist.
+
+```ruby
+it { should exist }
+```
+
+```ruby
+it { should_not exist }
+```
+
+## AWS Permissions
+
+{{% inspec-aws/aws_permissions_principal action="EC2:Client:DescribeSecurityGroupsResult" %}}
+
+You can find detailed documentation at [Actions, Resources, and Condition Keys for Amazon EC2](https://docs.aws.amazon.com/IAM/latest/UserGuide/list_amazonec2.html).
diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_security_groups.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_security_groups.md
new file mode 100644
index 0000000..f38beb1
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_security_groups.md
@@ -0,0 +1,125 @@
++++
+title = "aws_security_groups resource"
+
+draft = false
+
+
+[menu.aws]
+title = "aws_security_groups"
+identifier = "inspec/resources/aws/aws_security_groups resource"
+parent = "inspec/resources/aws"
++++
+
+Use the `aws_security_groups` InSpec audit resource to test properties of some or all security groups.
+
+Security groups are a networking construct that contain ingress and egress rules for network communications. Security groups may be attached to EC2 instances, as well as certain other AWS resources. Along with Network Access Control Lists, Security Groups are one of the two main mechanisms of enforcing network-level security.
+
+For additional information, including details on parameters and properties, see the [AWS documentation on Security Groups](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-network-security.html).
+
+## Syntax
+
+An `aws_security_groups` resource block uses an optional filter to select a group of security groups and then tests that group.
+
+```ruby
+describe aws_security_groups do
+ its('entries.count') { should be > 1 }
+end
+```
+
+## Parameters
+
+This resource does not require any parameters.
+
+## Properties
+
+`group_ids`
+: The name of the auto scaling launch configuration associated with the auto scaling group.
+
+`group_names`
+: An integer indicating the maximum number of instances in the auto scaling group.
+
+`vpc_ids`
+: An integer indicating the desired number of instances in the auto scaling group.
+
+`ip_permissions`
+: A list of the rules that the Security Group applies to incoming network traffic.
+
+`ip_permissions_egress`
+: A list of the rules that the Security Group applies to outgoing network traffic initiated by the AWS resource in the Security Group.
+
+`descriptions`
+: Description for the rule, which can help to identify it later. A description can be up to 255 characters in length. Allowed characters are a-z, A-Z, 0-9, spaces, and ._-:/()#,@[]+=;{}!$*.
+
+`tags`
+: An integer indicating the minimum number of instances in the auto scaling group.
+
+`entries`
+: Provides access to the raw results of the query, which can be treated as an array of hashes.
+
+## Examples
+
+The following examples show how to use this InSpec audit resource.
+
+Look for a particular security group in just one VPC:
+
+```ruby
+describe aws_security_groups.where( vpc_id: 'vpc-12345678') do
+ its('group_ids') { should include('sg-abcdef12')}
+end
+```
+
+Examine the default security group in all VPCs:
+
+```ruby
+describe aws_security_groups.where( group_name: 'default') do
+ it { should exist }
+end
+```
+
+Allow at most 100 security groups on the account:
+
+```ruby
+describe aws_security_groups do
+ its('entries.count') { should be <= 100}
+end
+```
+
+Pass entry resource data from security groups to the singular resource for testing:
+
+Use the `security_group_objects` resource to pass resource data to the singular resource for testing.
+This method uses local in-memory caching for quicker execution of large sets of test cases.
+
+```ruby
+aws_security_groups.entries.each do |entry|
+ describe aws_security_group(resource_data: entry) do
+ it { should exist }
+ its('count') { should be >= 4 }
+ end
+end
+```
+
+## Matchers
+
+{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}}
+
+This resource has the following special matchers.
+
+### exist
+
+The control will pass if the filter returns at least one result.
+
+Use `should_not` if you expect zero matches.
+
+You will always have at least one SG:, the VPC default SG
+
+```ruby
+describe aws_security_groups
+ it { should exist }
+end
+```
+
+## AWS Permissions
+
+{{% inspec-aws/aws_permissions_principal action="EC2:Client:DescribeSecurityGroupsResult" %}}
+
+You can find detailed documentation at [Actions, Resources, and Condition Keys for Amazon EC2](https://docs.aws.amazon.com/IAM/latest/UserGuide/list_amazonec2.html).
diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_securityhub_hub.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_securityhub_hub.md
new file mode 100644
index 0000000..d7f1033
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_securityhub_hub.md
@@ -0,0 +1,98 @@
++++
+title = "aws_securityhub_hub resource"
+
+draft = false
+
+
+[menu.aws]
+title = "aws_securityhub_hub"
+identifier = "inspec/resources/aws/aws_securityhub_hub resource"
+parent = "inspec/resources/aws"
++++
+
+Use the `aws_securityhub_hub` InSpec audit resource to test properties of a single AWS Security Hub.
+
+For additional information, including details on parameters and properties, see the [AWS documentation on AWS Security Hub](https://docs.aws.amazon.com/securityhub/1.0/APIReference/API_DescribeHub.html).
+
+## Syntax
+
+Ensure that the hub exists.
+
+```ruby
+describe aws_securityhub_hub(hub_arn: 'HUB_ARN') do
+ it { should exist }
+end
+```
+
+## Parameters
+
+`hub_arn` _(required)_
+
+: The ARN of the Hub resource that was retrieved.
+
+## Properties
+
+`hub_arn`
+: The ARN of the Hub resource that was retrieved.
+
+`subscribed_at`
+: The date and time when Security Hub was enabled in the account.
+
+`auto_enable_controls`
+: Whether to automatically enable new controls when they are added to standards that are enabled.
+
+## Examples
+
+Ensure an auto enable controls is true:
+
+```ruby
+describe aws_securityhub_hub(hub_arn: 'HUB_ARN') do
+ its('auto_enable_controls') { should eq true }
+end
+```
+
+Ensure a hub ARN is available:
+
+```ruby
+describe aws_securityhub_hub(hub_arn: 'HUB_ARN') do
+ its('hub_arn') { should eq 'HUB_ARN' }
+end
+```
+
+## Matchers
+
+{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}}
+
+The controls will pass if the `describe` method returns at least one result.
+
+### exist
+
+Use `should` to test that the entity exists.
+
+```ruby
+describe aws_securityhub_hub(hub_arn: 'HUB_ARN') do
+ it { should exist }
+end
+```
+
+Use `should_not` to test the entity does not exist.
+
+```ruby
+describe aws_securityhub_hub(hub_arn: 'HUB_ARN') do
+ it { should_not exist }
+end
+```
+
+### be_available
+
+Use `should` to check if the entity is available.
+
+```ruby
+describe aws_securityhub_hub(hub_arn: 'HUB_ARN') do
+ it { should be_available }
+end
+```
+
+## AWS Permissions
+
+{{% inspec-aws/aws_permissions_principal action="SecurityHub:Client:DescribeHubResponse" %}}
diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_servicecatalog_cloud_formation_product.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_servicecatalog_cloud_formation_product.md
new file mode 100644
index 0000000..2843f5e
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_servicecatalog_cloud_formation_product.md
@@ -0,0 +1,122 @@
++++
+title = "aws_servicecatalog_cloud_formation_product resource"
+
+draft = false
+
+
+[menu.aws]
+title = "aws_servicecatalog_cloud_formation_product"
+identifier = "inspec/resources/aws/aws_servicecatalog_cloud_formation_product resource"
+parent = "inspec/resources/aws"
++++
+
+Use the `aws_servicecatalog_cloud_formation_product` InSpec audit resource to test properties of a single AWS Service Catalog CloudFormation product.
+
+For additional information, including details on parameters and properties, see the [AWS documentation on AWS Service Catalog CloudFormation product](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-servicecatalog-cloudformationproduct.html).
+
+## Syntax
+
+Ensure that a product exists.
+
+```ruby
+describe aws_servicecatalog_cloud_formation_product(name: 'PRODUCT_NAME') do
+ it { should exist }
+end
+```
+
+## Parameters
+
+`name` _(required)_
+
+: The name of the product.
+
+## Properties
+
+`id`
+: The product view identifier.
+
+`product_id`
+: The product identifier.
+
+`name`
+: The name of the product.
+
+`owner`
+: The owner of the product.
+
+`short_description`
+: Short description of the product.
+
+`type`
+: The product type.
+
+`distributor`
+: The distributor of the product.
+
+`has_default_path`
+: Indicates whether the product has a default path.
+
+`support_email`
+: The email contact information to obtain support for this product.
+
+`support_description`
+: The description of the support for this product.
+
+`support_url`
+: The URL information to obtain support for this product.
+
+## Examples
+
+Ensure a product name is available:
+
+```ruby
+describe aws_servicecatalog_cloud_formation_product(name: 'PRODUCT_NAME') do
+ its('name') { should eq 'PRODUCT_NAME' }
+end
+```
+
+Ensure a owner is available:
+
+```ruby
+describe aws_servicecatalog_cloud_formation_product(name: 'PRODUCT_NAME') do
+ its('owner') { should eq 'PRODUCT_OWNER' }
+end
+```
+
+## Matchers
+
+{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}}
+
+The controls will pass if the `describe` method returns at least one result.
+
+### exist
+
+Use `should` to test that the entity exists.
+
+```ruby
+describe aws_servicecatalog_cloud_formation_product(name: 'PRODUCT_NAME') do
+ it { should exist }
+end
+```
+
+Use `should_not` to test the entity does not exist.
+
+```ruby
+describe aws_servicecatalog_cloud_formation_product(name: 'PRODUCT_NAME') do
+ it { should_not exist }
+end
+```
+
+### be_available
+
+Use `should` to check if the entity is available.
+
+```ruby
+describe aws_servicecatalog_cloud_formation_product(name: 'PRODUCT_NAME') do
+ it { should be_available }
+end
+```
+
+## AWS Permissions
+
+{{% inspec-aws/aws_permissions_principal action="ServiceCatalog:Client:DescribeProductAsAdminOutput" %}}
diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_servicecatalog_launch_role_constraint.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_servicecatalog_launch_role_constraint.md
new file mode 100644
index 0000000..3458662
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_servicecatalog_launch_role_constraint.md
@@ -0,0 +1,113 @@
++++
+title = "aws_servicecatalog_launch_role_constraint resource"
+
+draft = false
+
+
+[menu.aws]
+title = "aws_servicecatalog_launch_role_constraint"
+identifier = "inspec/resources/aws/aws_servicecatalog_launch_role_constraint resource"
+parent = "inspec/resources/aws"
++++
+
+Use the `aws_servicecatalog_launch_role_constraint` InSpec audit resource to test properties of a single specific AWS Service Catalog launch constraint.
+
+For additional information, including details on parameters and properties, see the [AWS documentation on AWS Service Catalog launch role constraint](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-servicecatalog-launchroleconstraint.html).
+
+## Syntax
+
+Ensure that a constraint exists.
+
+```ruby
+describe aws_servicecatalog_launch_role_constraint(id: 'CONSTRAINT_ID') do
+ it { should exist }
+end
+```
+
+## Parameters
+
+`id` _(required)_
+
+: The identifier of the constraint.
+
+## Properties
+
+`constraint_detail (constraint_id)`
+: The identifier of the constraint.
+
+`constraint_detail (type)`
+: The type of constraint. Valid values are: `LAUNCH`, `NOTIFICATION`, `RESOURCE_UPDATE`, `STACKSET`, and `TEMPLATE`.
+
+`constraint_detail (description)`
+: The description of the constraint.
+
+`constraint_detail (owner)`
+: The owner of the constraint.
+
+`constraint_detail (product_id)`
+: The identifier of the product the constraint applies to. Note that a constraint applies to a specific instance of a product within a certain portfolio.
+
+`constraint_detail (portfolio_id)`
+: The identifier of the portfolio the product resides in. The constraint applies only to the instance of the product that lives within this portfolio.
+
+`constraint_parameters`
+: The constraint parameters.
+
+`status`
+: The status of the current request. Valid values are: `AVAILABLE`, `CREATING`, and `FAILED`.
+
+## Examples
+
+Ensure a product name is available:
+
+```ruby
+describe aws_servicecatalog_launch_role_constraint(id: 'CONSTRAINT_ID') do
+ its('constraint_detail.constraint_id') { should eq 'ID' }
+end
+```
+
+Ensure a status is available:
+
+```ruby
+describe aws_servicecatalog_launch_role_constraint(id: 'CONSTRAINT_ID') do
+ its('status') { should eq 'AVAILABLE' }
+end
+```
+
+## Matchers
+
+{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}}
+
+The controls will pass if the `describe` method returns at least one result.
+
+### exist
+
+Use `should` to test that the entity exists.
+
+```ruby
+describe aws_servicecatalog_launch_role_constraint(id: 'CONSTRAINT_ID') do
+ it { should exist }
+end
+```
+
+Use `should_not` to test the entity does not exist.
+
+```ruby
+describe aws_servicecatalog_launch_role_constraint(id: 'CONSTRAINT_ID') do
+ it { should_not exist }
+end
+```
+
+### be_available
+
+Use `should` to check if the entity is available.
+
+```ruby
+describe aws_servicecatalog_launch_role_constraint(id: 'CONSTRAINT_ID') do
+ it { should be_available }
+end
+```
+
+## AWS Permissions
+
+{{% inspec-aws/aws_permissions_principal action="ServiceCatalog:Client:DescribeConstraintOutput" %}}
diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_servicecatalog_launch_role_constraints.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_servicecatalog_launch_role_constraints.md
new file mode 100644
index 0000000..590c04c
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_servicecatalog_launch_role_constraints.md
@@ -0,0 +1,97 @@
++++
+title = "aws_servicecatalog_launch_role_constraints resource"
+
+draft = false
+
+
+[menu.aws]
+title = "aws_servicecatalog_launch_role_constraints"
+identifier = "inspec/resources/aws/aws_servicecatalog_launch_role_constraints resource"
+parent = "inspec/resources/aws"
++++
+
+Use the `aws_servicecatalog_launch_role_constraints` InSpec audit resource to test properties of multiple AWS Service Catalog launch constraint.
+
+For additional information, including details on parameters and properties, see the [AWS documentation on AWS ServiceCatalog LaunchRoleConstraint](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-servicecatalog-launchroleconstraint.html).
+
+## Syntax
+
+Ensure that a portfolio exists.
+
+```ruby
+describe aws_servicecatalog_launch_role_constraints(portfolio_id: 'PORTFOLIO_ID') do
+ it { should exist }
+end
+```
+
+## Parameters
+
+`portfolio_id` _(required)_
+
+: The identifier of the portfolio the product resides in.
+
+## Properties
+
+`constraint_ids`
+: The identifier of the constraint.
+
+`types`
+: The type of constraint. Valid values are: `LAUNCH`, `NOTIFICATION`, `RESOURCE_UPDATE`, `STACKSET`, and `TEMPLATE`.
+
+`descriptions`
+: The description of the constraint.
+
+`owners`
+: The owner of the constraint.
+
+`product_ids`
+: The identifier of the product the constraint applies to. Note that a constraint applies to a specific instance of a product within a certain portfolio.
+
+`portfolio_ids`
+: The identifier of the portfolio the product resides in. The constraint applies only to the instance of the product that lives within this portfolio.
+
+## Examples
+
+Ensure a constraint is available:
+
+```ruby
+describe aws_servicecatalog_launch_role_constraints(portfolio_id: 'PORTFOLIO_ID') do
+ its('constraint_ids') { should include 'ID' }
+end
+```
+
+Ensure that the type is 'LAUNCH':
+
+```ruby
+describe aws_servicecatalog_launch_role_constraints(portfolio_id: 'PORTFOLIO_ID') do
+ its('types') { should include 'LAUNCH' }
+end
+```
+
+## Matchers
+
+{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}}
+
+The controls will pass if the `list` method returns at least one result.
+
+### exist
+
+Use `should` to test that the entity exists.
+
+```ruby
+describe aws_servicecatalog_launch_role_constraints(portfolio_id: 'PORTFOLIO_ID') do
+ it { should exist }
+end
+```
+
+Use `should_not` to test the entity does not exist.
+
+```ruby
+describe aws_servicecatalog_launch_role_constraints(portfolio_id: 'PORTFOLIO_ID') do
+ it { should_not exist }
+end
+```
+
+## AWS Permissions
+
+{{% inspec-aws/aws_permissions_principal action="ServiceCatalog:Client:ListConstraintsForPortfolioOutput" %}}
diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_servicecatalog_portfolio_principal_association.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_servicecatalog_portfolio_principal_association.md
new file mode 100644
index 0000000..2d1c714
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_servicecatalog_portfolio_principal_association.md
@@ -0,0 +1,95 @@
++++
+title = "aws_servicecatalog_portfolio_principal_association resource"
+
+draft = false
+
+
+[menu.aws]
+title = "aws_servicecatalog_portfolio_principal_association"
+identifier = "inspec/resources/aws/aws_servicecatalog_portfolio_principal_association resource"
+parent = "inspec/resources/aws"
++++
+
+Use the `aws_servicecatalog_portfolio_principal_association` InSpec audit resource to test properties of a single specific AWS Service Catalog portfolio principal association.
+
+For additional information, including details on parameters and properties, see the [AWS documentation on AWS Service Catalog Portfolio Principal Association](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-servicecatalog-portfolioprincipalassociation.html).
+
+## Syntax
+
+Ensure that a portfolio is available.
+
+```ruby
+describe aws_servicecatalog_portfolio_principal_association(portfolio_id: 'PORTFOLIO_ID') do
+ it { should exist }
+end
+```
+
+## Parameters
+
+`portfolio_id` _(required)_
+
+: The ID of the portfolio.
+
+## Properties
+
+`principal_arn`
+: The ARN of the principal (IAM user, role, or group).
+
+`principal_type`
+: The principal type. The supported value is `IAM`.
+
+## Examples
+
+Ensure a principal ARN is available:
+
+```ruby
+describe aws_servicecatalog_portfolio_principal_association(portfolio_id: 'PORTFOLIO_ID') do
+ its('principal_arn') { should eq 'principal_arn' }
+end
+```
+
+Ensure a principal type is 'IAM':
+
+```ruby
+describe aws_servicecatalog_portfolio_principal_association(portfolio_id: 'PORTFOLIO_ID') do
+ its('principal_type') { should eq 'IAM' }
+end
+```
+
+## Matchers
+
+{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}}
+
+The controls will pass if the `describe` method returns at least one result.
+
+### exist
+
+Use `should` to test that the entity exists.
+
+```ruby
+describe aws_servicecatalog_portfolio_principal_association(portfolio_id: 'PORTFOLIO_ID') do
+ it { should exist }
+end
+```
+
+Use `should_not` to test the entity does not exist.
+
+```ruby
+describe aws_servicecatalog_portfolio_principal_association(portfolio_id: 'PORTFOLIO_ID') do
+ it { should_not exist }
+end
+```
+
+### be_available
+
+Use `should` to check if the entity is available.
+
+```ruby
+describe aws_servicecatalog_portfolio_principal_association(portfolio_id: 'PORTFOLIO_ID') do
+ it { should be_available }
+end
+```
+
+## AWS Permissions
+
+{{% inspec-aws/aws_permissions_principal action="ServiceCatalog:Client:ListPrincipalsForPortfolioOutput" %}}
diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_servicecatalog_portfolio_principal_associations.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_servicecatalog_portfolio_principal_associations.md
new file mode 100644
index 0000000..35862de
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_servicecatalog_portfolio_principal_associations.md
@@ -0,0 +1,85 @@
++++
+title = "aws_servicecatalog_portfolio_principal_associations resource"
+
+draft = false
+
+
+[menu.aws]
+title = "aws_servicecatalog_portfolio_principal_associations"
+identifier = "inspec/resources/aws/aws_servicecatalog_portfolio_principal_associations resource"
+parent = "inspec/resources/aws"
++++
+
+Use the `aws_servicecatalog_portfolio_principal_associations` InSpec audit resource to test properties of a single specific AWS Service Catalog portfolio principal association.
+
+For additional information, including details on parameters and properties, see the [AWS documentation on AWS Service Catalog Portfolio Principal Association](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-servicecatalog-portfolioprincipalassociation.html).
+
+## Syntax
+
+Ensure that portfolio are available.
+
+```ruby
+describe aws_servicecatalog_portfolio_principal_associations(portfolio_id: 'PORTFOLIO_ID') do
+ it { should exist }
+end
+```
+
+## Parameters
+
+`portfolio_id` _(required)_
+
+: The ID of the portfolio.
+
+## Properties
+
+`principal_arns`
+: The ARN of the principal (IAM user, role, or group).
+
+`principal_types`
+: The principal type. The supported value is `IAM`.
+
+## Examples
+
+Ensure a principal ARN is available:
+
+```ruby
+describe aws_servicecatalog_portfolio_principal_associations(portfolio_id: 'PORTFOLIO_ID') do
+ its('principal_arns') { should include 'PRINCIPAL_ARN' }
+end
+```
+
+Ensure a principal type is 'IAM':
+
+```ruby
+describe aws_servicecatalog_portfolio_principal_associations(portfolio_id: 'PORTFOLIO_ID') do
+ its('principal_types') { should include 'IAM' }
+end
+```
+
+## Matchers
+
+{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}}
+
+The controls will pass if the `describe` method returns at least one result.
+
+### exist
+
+Use `should` to test that the entity exists.
+
+```ruby
+describe aws_servicecatalog_portfolio_principal_associations(portfolio_id: 'PORTFOLIO_ID') do
+ it { should exist }
+end
+```
+
+Use `should_not` to test the entity does not exist.
+
+```ruby
+describe aws_servicecatalog_portfolio_principal_associations(portfolio_id: 'PORTFOLIO_ID') do
+ it { should_not exist }
+end
+```
+
+## AWS Permissions
+
+{{% inspec-aws/aws_permissions_principal action="ServiceCatalog:Client:ListPrincipalsForPortfolioOutput" %}}
diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_servicecatalog_portfolio_product_association.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_servicecatalog_portfolio_product_association.md
new file mode 100644
index 0000000..621e9c4
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_servicecatalog_portfolio_product_association.md
@@ -0,0 +1,97 @@
++++
+title = "aws_servicecatalog_portfolio_product_association resource"
+
+draft = false
+
+
+[menu.aws]
+title = "aws_servicecatalog_portfolio_product_association"
+identifier = "inspec/resources/aws/aws_servicecatalog_portfolio_product_association resource"
+parent = "inspec/resources/aws"
++++
+
+Use the `aws_servicecatalog_portfolio_product_association` InSpec audit resource to test properties of a single specific AWS Service Catalog portfolio product association.
+
+For additional information, including details on parameters and properties, see the [AWS documentation on AWS Service Catalog Portfolio Product Association](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-servicecatalog-portfolioproductassociation.html).
+
+## Syntax
+
+Ensure that a portfolio exists.
+
+```ruby
+describe aws_servicecatalog_portfolio_product_association(product_id: 'PRODUCT_ID') do
+ it { should exist }
+end
+```
+
+## Parameters
+
+`product_id` _(required)_
+
+: The product identifier.
+
+## Properties
+
+`id`
+: The portfolio identifier.
+
+`arn`
+: The ARN assigned to the portfolio.
+
+`display_name`
+: The name to use for display purposes.
+
+`description`
+: The description of the portfolio.
+
+`created_time`
+: The UTC time stamp of the creation time.
+
+`provider_name`
+: The name of the portfolio provider.
+
+## Examples
+
+Ensure a product name is available:
+
+```ruby
+describe aws_servicecatalog_portfolio_product_association(product_id: 'PRODUCT_ID') do
+ its('id') { should eq 'PORTFOLIO_ID' }
+end
+```
+
+Ensure a status is available:
+
+```ruby
+describe aws_servicecatalog_portfolio_product_association(product_id: 'PRODUCT_ID') do
+ its('provider_name') { should eq 'PORTFOLIO_PROVIDER_NAME' }
+end
+```
+
+## Matchers
+
+{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}}
+
+The controls will pass if the `list` method returns at least one result.
+
+### exist
+
+Use `should` to test that the entity exists.
+
+```ruby
+describe aws_servicecatalog_portfolio_product_association(product_id: 'PRODUCT_ID') do
+ it { should exist }
+end
+```
+
+Use `should_not` to test the entity does not exist.
+
+```ruby
+describe aws_servicecatalog_portfolio_product_association(product_id: 'PRODUCT_ID') do
+ it { should_not exist }
+end
+```
+
+## AWS Permissions
+
+{{% inspec-aws/aws_permissions_principal action="ServiceCatalog:Client:ListPortfoliosForProductOutput" %}}
diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_servicecatalog_portfolio_product_associations.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_servicecatalog_portfolio_product_associations.md
new file mode 100644
index 0000000..40cd6c8
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_servicecatalog_portfolio_product_associations.md
@@ -0,0 +1,97 @@
++++
+title = "aws_servicecatalog_portfolio_product_associations resource"
+
+draft = false
+
+
+[menu.aws]
+title = "aws_servicecatalog_portfolio_product_associations"
+identifier = "inspec/resources/aws/aws_servicecatalog_portfolio_product_associations resource"
+parent = "inspec/resources/aws"
++++
+
+Use the `aws_servicecatalog_portfolio_product_associations` InSpec audit resource to test properties of a single specific AWS Service Catalog portfolio product association.
+
+For additional information, including details on parameters and properties, see the [AWS documentation on AWS Service Catalog Portfolio Product Association](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-servicecatalog-portfolioproductassociation.html).
+
+## Syntax
+
+Ensure that a portfolio exists.
+
+```ruby
+describe aws_servicecatalog_portfolio_product_associations(product_id: 'PRODUCT_ID') do
+ it { should exist }
+end
+```
+
+## Parameters
+
+`product_id` _(required)_
+
+: The product identifier.
+
+## Properties
+
+`ids`
+: The portfolio identifier.
+
+`arns`
+: The ARN assigned to the portfolio.
+
+`display_names`
+: The name to use for display purposes.
+
+`descriptions`
+: The description of the portfolio.
+
+`created_times`
+: The UTC time stamp of the creation time.
+
+`provider_names`
+: The name of the portfolio provider.
+
+## Examples
+
+Ensure a product name is available:
+
+```ruby
+describe aws_servicecatalog_portfolio_product_association(product_id: 'PRODUCT_ID') do
+ its('ids') { should include 'PORTFOLIO_ID' }
+end
+```
+
+Ensure a status is available:
+
+```ruby
+describe aws_servicecatalog_portfolio_product_association(product_id: 'PRODUCT_ID') do
+ its('provider_names') { should include 'PORTFOLIO_PROVIDER_NAME' }
+end
+```
+
+## Matchers
+
+{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}}
+
+The controls will pass if the `list` method returns at least one result.
+
+### exist
+
+Use `should` to test that the entity exists.
+
+```ruby
+describe aws_servicecatalog_portfolio_product_associations(product_id: 'PRODUCT_ID') do
+ it { should exist }
+end
+```
+
+Use `should_not` to test the entity does not exist.
+
+```ruby
+describe aws_servicecatalog_portfolio_product_associations(product_id: 'PRODUCT_ID') do
+ it { should_not exist }
+end
+```
+
+## AWS Permissions
+
+{{% inspec-aws/aws_permissions_principal action="ServiceCatalog:Client:ListPortfoliosForProductOutput" %}}
diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_ses_receipt_rule.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_ses_receipt_rule.md
new file mode 100644
index 0000000..511c4f3
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_ses_receipt_rule.md
@@ -0,0 +1,173 @@
++++
+title = "aws_ses_receipt_rule resource"
+
+draft = false
+
+
+[menu.aws]
+title = "aws_ses_receipt_rule"
+identifier = "inspec/resources/aws/aws_ses_receipt_rule resource"
+parent = "inspec/resources/aws"
++++
+
+Use the `aws_ses_receipt_rule` InSpec audit resource to test properties of the singular resource of AWS Simple Email Service (SES) receipt rule.
+
+The `AWS::SES::ReceiptRule` resource specifies a receipt rule.
+
+For additional information, including details on parameters and properties, see the [AWS documentation on AWS SES ReceiptRule](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ses-receiptrule.html).
+
+## Syntax
+
+Ensure that the rule exists.
+
+```ruby
+describe aws_ses_receipt_rule(rule_set_name: 'RULE_SET_NAME', rule_name: 'RULE_NAME') do
+ it { should exist }
+end
+```
+
+## Parameters
+
+`rule_set_name` _(required)_
+
+: The name of the receipt rule set that the receipt rule belongs to.
+
+`rule_name` _(required)_
+
+: The name of the receipt rule.
+
+## Properties
+
+`name`
+: The name of the receipt rule.
+
+`enabled`
+: If `true`, the receipt rule is active. The default value is false.
+
+`tls_policy`
+: Specifies whether Amazon SES should require that incoming email is delivered over a connection encrypted with Transport Layer Security (TLS).
+
+`recipients`
+: The recipient domains and email addresses that the receipt rule applies to.
+
+`actions`
+: An ordered list of actions to perform on messages that match at least one of the recipient email addresses or domains specified in the receipt rule.
+
+`s3_action_topic_arns`
+: The ARN of the Amazon SNS topic to notify when the message is saved to the Amazon S3 bucket.
+
+`s3_action_bucket_names`
+: The name of the Amazon S3 bucket that incoming email will be saved to.
+
+`s3_action_object_key_prefixes`
+: The key prefix of the Amazon S3 bucket.
+
+`s3_action_kms_key_arns`
+: The customer master key that Amazon SES should use to encrypt your emails before saving them to the Amazon S3 bucket.
+
+`bounce_action_topic_arns`
+: The Amazon Resource Name (ARN) of the Amazon SNS topic to notify when the bounce action is taken.
+
+`bounce_action_smtp_reply_codes`
+: The SMTP reply code, as defined by RFC 5321.
+
+`bounce_action_status_codes`
+: The SMTP enhanced status code, as defined by RFC 3463.
+
+`bounce_action_messages`
+: Human-readable text to include in the bounce message.
+
+`bounce_action_senders`
+: The email address of the sender of the bounced email.
+
+`workmail_action_topic_arns`
+: The Amazon Resource Name (ARN) of the Amazon SNS topic to notify when the WorkMail action is called.
+
+`workmail_action_organization_arns`
+: The ARN of the Amazon WorkMail organization.
+
+`lambda_action_topic_arns`
+: The Amazon Resource Name (ARN) of the Amazon SNS topic to notify when the Lambda action is taken.
+
+`lambda_action_function_arns`
+: The Amazon Resource Name (ARN) of the AWS Lambda function.
+
+`lambda_action_invocation_types`
+: The invocation type of the AWS Lambda function.
+
+`stop_action_scopes`
+: The scope of the StopAction. The only acceptable value is RuleSet.
+
+`stop_action_topic_arns`
+: The Amazon Resource Name (ARN) of the Amazon SNS topic to notify when the stop action is taken.
+
+`add_header_action_header_names`
+: The name of the header to add. Must be between 1 and 50 characters, inclusive, and consist of alphanumeric (a-z, A-Z, 0-9) characters and dashes only.
+
+`add_header_action_header_values`
+: Must be less than 2048 characters, and must not contain newline characters ("r" or "n").
+
+`sns_action_topic_arns`
+: The Amazon Resource Name (ARN) of the Amazon SNS topic to notify.
+
+`sns_action_encodings`
+: The encoding to use for the email within the Amazon SNS notification.
+
+`scan_enabled`
+: If `true`, then messages that this receipt rule applies to are scanned for spam and viruses. The default value is `false`.
+
+## Examples
+
+Ensure a rule is available:
+
+```ruby
+describe aws_ses_receipt_rule(rule_set_name: 'RULE_SET_NAME', rule_name: 'RULE_NAME') do
+ its('name') { should eq 'RULE_NAME' }
+end
+```
+
+Ensure that `scan_enabled` is `true` so that messages that this receipt rule is applied to are scanned for spam and viruses:
+
+```ruby
+describe aws_ses_receipt_rule(rule_set_name: 'RULE_SET_NAME', rule_name: 'RULE_NAME') do
+ its('scan_enabled') { should eq true }
+end
+```
+
+## Matchers
+
+{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}}
+
+The controls will pass if the `describe` method returns at least one result.
+
+### exist
+
+Use `should` to test that the entity exists.
+
+```ruby
+describe aws_ses_receipt_rule(rule_set_name: 'RULE_SET_NAME', rule_name: 'RULE_NAME') do
+ it { should exist }
+end
+```
+
+Use `should_not` to test the entity does not exist.
+
+```ruby
+describe aws_ses_receipt_rule(rule_set_name: 'RULE_SET_NAME', rule_name: 'RULE_NAME') do
+ it { should_not exist }
+end
+```
+
+### be_available
+
+Use `should` to check if the entity is available.
+
+```ruby
+describe aws_ses_receipt_rule(rule_set_name: 'RULE_SET_NAME', rule_name: 'RULE_NAME') do
+ it { should be_available }
+end
+```
+
+## AWS Permissions
+
+{{% inspec-aws/aws_permissions_principal action="SES:Client:DescribeReceiptRuleResponse" %}}
diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_ses_receipt_rule_set.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_ses_receipt_rule_set.md
new file mode 100644
index 0000000..b7a2370
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_ses_receipt_rule_set.md
@@ -0,0 +1,169 @@
++++
+title = "aws_ses_receipt_rule_set resource"
+
+draft = false
+
+
+[menu.aws]
+title = "aws_ses_receipt_rule_set"
+identifier = "inspec/resources/aws/aws_ses_receipt_rule_set resource"
+parent = "inspec/resources/aws"
++++
+
+Use the `aws_ses_receipt_rule_set` InSpec audit resource to test properties of a single AWS Simple Email Service (SES) receipt rule set.
+
+The `AWS::SES::ReceiptRuleSet` resource specifies a receipt rule set.
+
+For additional information, including details on parameters and properties, see the [AWS documentation on AWS SES ReceiptRuleSet](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ses-receiptruleset.html).
+
+## Syntax
+
+Ensure that the rule set exists.
+
+```ruby
+describe aws_ses_receipt_rule_set(rule_set_name: 'RULE_SET_NAME') do
+ it { should exist }
+end
+```
+
+## Parameters
+
+`rule_set_name` _(required)_
+
+: The name of the receipt rule set to describe.
+
+## Properties
+
+`name`
+: The name of the receipt rule.
+
+`enabled`
+: If `true`, the receipt rule is active. The default value is `false`.
+
+`tls_policy`
+: Specifies whether Amazon SES should require that incoming email is delivered over a connection encrypted with Transport Layer Security (TLS).
+
+`recipients`
+: The recipient domains and email addresses that the receipt rule applies to.
+
+`actions`
+: An ordered list of actions to perform on messages that match at least one of the recipient email addresses or domains specified in the receipt rule.
+
+`s3_action_topic_arns`
+: The ARN of the Amazon SNS topic to notify when the message is saved to the Amazon S3 bucket.
+
+`s3_action_bucket_names`
+: The name of the Amazon S3 bucket that incoming email will be saved to.
+
+`s3_action_object_key_prefixes`
+: The key prefix of the Amazon S3 bucket.
+
+`s3_action_kms_key_arns`
+: The customer master key that Amazon SES should use to encrypt your emails before saving them to the Amazon S3 bucket.
+
+`bounce_action_topic_arns`
+: The Amazon Resource Name (ARN) of the Amazon SNS topic to notify when the bounce action is taken.
+
+`bounce_action_smtp_reply_codes`
+: The SMTP reply code, as defined by RFC 5321.
+
+`bounce_action_status_codes`
+: The SMTP enhanced status code, as defined by RFC 3463.
+
+`bounce_action_messages`
+: Human-readable text to include in the bounce message.
+
+`bounce_action_senders`
+: The email address of the sender of the bounced email.
+
+`workmail_action_topic_arns`
+: The Amazon Resource Name (ARN) of the Amazon SNS topic to notify when the WorkMail action is called.
+
+`workmail_action_organization_arns`
+: The ARN of the Amazon WorkMail organization.
+
+`lambda_action_topic_arns`
+: The Amazon Resource Name (ARN) of the Amazon SNS topic to notify when the Lambda action is taken.
+
+`lambda_action_function_arns`
+: The Amazon Resource Name (ARN) of the AWS Lambda function.
+
+`lambda_action_invocation_types`
+: The invocation type of the AWS Lambda function.
+
+`stop_action_scopes`
+: The scope of the StopAction. The only acceptable value is RuleSet.
+
+`stop_action_topic_arns`
+: The Amazon Resource Name (ARN) of the Amazon SNS topic to notify when the stop action is taken.
+
+`add_header_action_header_names`
+: The name of the header to add. Must be between 1 and 50 characters, inclusive, and consist of alphanumeric (a-z, A-Z, 0-9) characters and dashes only.
+
+`add_header_action_header_values`
+: Must be less than 2048 characters, and must not contain newline characters ("r" or "n").
+
+`sns_action_topic_arns`
+: The Amazon Resource Name (ARN) of the Amazon SNS topic to notify.
+
+`sns_action_encodings`
+: The encoding to use for the email within the Amazon SNS notification.
+
+`scan_enabled`
+: If `true`, then messages that this receipt rule applies to are scanned for spam and viruses. The default value is `false`.
+
+## Examples
+
+Ensure a rule set is available:
+
+```ruby
+describe aws_ses_receipt_rule_set(rule_set_name: 'RULE_SET_NAME') do
+ its('name') { should eq 'RULE_NAME' }
+end
+```
+
+Ensure that `scan_enabled` is `true` so that messages that this receipt rule is applied to are scanned for spam and viruses:
+
+```ruby
+describe aws_ses_receipt_rule_set(rule_set_name: 'RULE_SET_NAME') do
+ its('scan_enabled') { should eq true }
+end
+```
+
+## Matchers
+
+{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}}
+
+The controls will pass if the `describe` method returns at least one result.
+
+### exist
+
+Use `should` to test that the entity exists.
+
+```ruby
+describe aws_ses_receipt_rule_set(rule_set_name: 'RULE_SET_NAME') do
+ it { should exist }
+end
+```
+
+Use `should_not` to test the entity does not exist.
+
+```ruby
+describe aws_ses_receipt_rule_set(rule_set_name: 'RULE_SET_NAME') do
+ it { should_not exist }
+end
+```
+
+### be_available
+
+Use `should` to check if the entity is available.
+
+```ruby
+describe aws_ses_receipt_rule_set(rule_set_name: 'RULE_SET_NAME') do
+ it { should be_available }
+end
+```
+
+## AWS Permissions
+
+{{% inspec-aws/aws_permissions_principal action="SES:Client:DescribeReceiptRuleSetResponse" %}}
diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_ses_receipt_rule_sets.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_ses_receipt_rule_sets.md
new file mode 100644
index 0000000..6a90b53
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_ses_receipt_rule_sets.md
@@ -0,0 +1,81 @@
++++
+title = "aws_ses_receipt_rule_sets resource"
+
+draft = false
+
+
+[menu.aws]
+title = "aws_ses_receipt_rule_sets"
+identifier = "inspec/resources/aws/aws_ses_receipt_rule_sets resource"
+parent = "inspec/resources/aws"
++++
+
+Use the `aws_ses_receipt_rule_sets` InSpec audit resource to test properties of multiple AWS Simple Email Service (SES) receipt rule sets.
+
+The `AWS::SES::ReceiptRuleSet` resource specifies a receipt rule set.
+
+For additional information, including details on parameters and properties, see the [AWS documentation on AWS SES ReceiptRuleSet](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ses-receiptruleset.html).
+
+## Syntax
+
+Ensure that the rule set exists.
+
+```ruby
+describe aws_ses_receipt_rule_sets do
+ it { should exist }
+end
+```
+
+## Parameters
+
+This resource does not require any parameters.
+
+## Properties
+
+`names`
+: The name of the receipt rule set.
+
+: **Field**: `name`
+
+`created_timestamps`
+: The date and time the receipt rule set was created.
+
+: **Field**: `created_timestamp`
+
+## Examples
+
+Ensure a rule set name is available:
+
+```ruby
+describe aws_ses_receipt_rule_sets do
+ its('names') { should include 'RULE_SET_NAME' }
+end
+```
+
+## Matchers
+
+{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}}
+
+The controls will pass if the `list` method returns at least one result.
+
+### exist
+
+Use `should` to test that the entity exists.
+
+```ruby
+describe aws_ses_receipt_rule_sets do
+ it { should exist }
+end
+```
+
+Use `should_not` to test the entity does not exist.
+
+```ruby
+describe aws_ses_receipt_rule_sets do
+ it { should_not exist }
+end
+```
+
+## AWS Permissions
+
+{{% inspec-aws/aws_permissions_principal action="SES:Client:ListReceiptRuleSetsResponse" %}}
diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_ses_template.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_ses_template.md
new file mode 100644
index 0000000..41a93e3
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_ses_template.md
@@ -0,0 +1,119 @@
++++
+title = "aws_ses_template resource"
+
+draft = false
+
+
+[menu.aws]
+title = "aws_ses_template"
+identifier = "inspec/resources/aws/aws_ses_template resource"
+parent = "inspec/resources/aws"
++++
+
+Use the `aws_ses_template` InSpec audit resource to test properties of a single AWS Simple Email Service (SES) template.
+
+The `AWS::SES::Template` resource specifies an email template.
+
+For additional information, including details on parameters and properties, see the [AWS documentation on AWS SES Template](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ses-template.html).
+
+## Syntax
+
+Ensure that the template exists.
+
+```ruby
+describe aws_ses_template(template_name: 'TEMPLATE_NAME') do
+ it { should exist }
+end
+```
+
+## Parameters
+
+`template_name` _(required)_
+
+: The name of the template.
+
+## Properties
+
+`template_name`
+: The name of the template.
+
+`subject_part`
+: The subject line of the email.
+
+`text_part`
+: The email body that will be visible to recipients whose email clients do not display HTML.
+
+`html_part`
+: The HTML body of the email.
+
+## Examples
+
+Ensure a template name is available:
+
+```ruby
+describe aws_ses_template(template_name: 'TEMPLATE_NAME') do
+ its('template_name') { should eq 'TEMPLATE_NAME' }
+end
+```
+
+Ensure a subject is available in the template:
+
+```ruby
+describe aws_ses_template(template_name: 'TEMPLATE_NAME') do
+ its('subject_part') { should eq 'HTML_SUBJECT' }
+end
+```
+
+Ensure a text part is available in the template:
+
+```ruby
+describe aws_ses_template(template_name: 'TEMPLATE_NAME') do
+ its('text_part') { should eq 'HTML_TEXT_PART' }
+end
+```
+
+Ensure an HTML body is available in the template:
+
+```ruby
+describe aws_ses_template(template_name: 'TEMPLATE_NAME') do
+ its('html_part') { should eq 'HTML_PART' }
+end
+```
+
+## Matchers
+
+{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}}
+
+This resource has the following special matchers.
+
+### exist
+
+Use `should` to test that the entity exists.
+
+```ruby
+describe aws_ses_template(template_name: 'TEMPLATE_NAME') do
+ it { should exist }
+end
+```
+
+Use `should_not` to test the entity does not exist.
+
+```ruby
+describe aws_ses_template(template_name: 'TEMPLATE_NAME') do
+ it { should_not exist }
+end
+```
+
+### be_available
+
+Use `should` to check if the entity is available.
+
+```ruby
+describe aws_ses_template(template_name: 'TEMPLATE_NAME') do
+ it { should be_available }
+end
+```
+
+## AWS Permissions
+
+{{% inspec-aws/aws_permissions_principal action="SES:Client:GetTemplateResponse" %}}
diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_ses_templates.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_ses_templates.md
new file mode 100644
index 0000000..a049604
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_ses_templates.md
@@ -0,0 +1,81 @@
++++
+title = "aws_ses_templates resource"
+
+draft = false
+
+
+[menu.aws]
+title = "aws_ses_templates"
+identifier = "inspec/resources/aws/aws_ses_templates resource"
+parent = "inspec/resources/aws"
++++
+
+Use the `aws_ses_templates` InSpec audit resource to test properties of multiple AWS Simple Email Service (SES) templates.
+
+The `AWS::SES::Template` resource specifies an email template.
+
+For additional information, including details on parameters and properties, see the [AWS documentation on AWS SES Template](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ses-template.html).
+
+## Syntax
+
+Ensure that the template exists.
+
+```ruby
+describe aws_ses_templates do
+ it { should exist }
+end
+```
+
+## Parameters
+
+This resource does not require any parameters.
+
+## Properties
+
+`names`
+: The name of the template.
+
+: **Field**: `name`
+
+`created_timestamps`
+: The time and date the template was created.
+
+: **Field**: `created_timestamp`
+
+## Examples
+
+Ensure a template name is available:
+
+```ruby
+describe aws_ses_templates do
+ its('names') { should include 'TEMPLATE_NAME' }
+end
+```
+
+## Matchers
+
+{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}}
+
+The controls will pass if the `list` method returns at least one result.
+
+### exist
+
+Use `should` to test that the entity exists.
+
+```ruby
+describe aws_ses_templates do
+ it { should exist }
+end
+```
+
+Use `should_not` to test the entity does not exist.
+
+```ruby
+describe aws_ses_templates do
+ it { should_not exist }
+end
+```
+
+## AWS Permissions
+
+{{% inspec-aws/aws_permissions_principal action="SES:Client:ListTemplatesResponse" %}}
diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_shield_subscription.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_shield_subscription.md
new file mode 100644
index 0000000..5d84f9f
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_shield_subscription.md 
@@ -0,0 +1,75 @@
++++
+title = "aws_shield_subscription resource"
+
+draft = false
+
+
+[menu.aws]
+title = "aws_shield_subscription"
+identifier = "inspec/resources/aws/aws_shield_subscription resource"
+parent = "inspec/resources/aws"
++++
+
+Use the `aws_shield_subscription` InSpec audit resource to test properties of an AWS Shield Advanced subscription.
+
+## Syntax
+
+An `aws_shield_subscription` resource block returns a Shield Advanced subscription.
+
+```ruby
+describe aws_shield_subscription do
+ it { should exist }
+end
+```
+
+## Parameters
+
+This resource does not require any parameters.
+
+## Properties
+
+`auto_renew`
+: If `ENABLED`, the subscription will be automatically renewed at the end of the existing subscription period. Valid values: `ENABLED` or `DISABLED`.
+
+`end_time`
+: The date and time your subscription will end.
+
+`limits`
+: Specifies how many protections of a given type you can create. This is an array containing the Type of protection and the maximum number of protections that can be created for the specified Type.
+
+`proactive_engagement_status`
+: Valid values: `ENABLED`, `DISABLED`, `PENDING`.
+
+ If `ENABLED`, the DDoS Response Team (DRT) will use email and phone to notify contacts about escalations to the DRT and to initiate proactive customer support.
+
+ If `PENDING`, you have requested proactive engagement and the request is pending. The status changes to `ENABLED` when your request is fully processed.
+
+ If `DISABLED`, the DRT will not proactively notify contacts about escalations or to initiate proactive customer support.
+
+`start_time`
+: The start time of the subscription, in Unix time in seconds.
+
+`time_commitment_in_seconds`
+: The length, in seconds, of the AWS Shield Advanced subscription for the account.
+
+For a comprehensive list of properties available, see [the API reference documentation](https://docs.aws.amazon.com/waf/latest/DDOSAPIReference/API_Subscription.html)
+
+## Examples
+
+Check the automatic renewal status of a Shield Subscription:
+
+```ruby
+describe aws_shield_subscription do
+ its('auto_renew') { should eq 'ENABLED' }
+end
+```
+
+## Matchers
+
+{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}}
+
+## AWS Permissions
+
+{{% inspec-aws/aws_permissions_principal action="Shield:Client:DescribeSubscriptionResponse" %}}
+
+You can find detailed documentation at [Actions, Resources, and Condition Keys for Amazon Shield](https://docs.aws.amazon.com/IAM/latest/UserGuide/list_awsshield.html).
diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_signer_profile_permissions.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_signer_profile_permissions.md
new file mode 100644
index 0000000..dacc526
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_signer_profile_permissions.md
@@ -0,0 +1,109 @@
++++
+title = "aws_signer_profile_permissions resource"
+
+draft = false
+
+
+[menu.aws]
+title = "aws_signer_profile_permissions"
+identifier = "inspec/resources/aws/aws_signer_profile_permissions resource"
+parent = "inspec/resources/aws"
++++
+
+Use the `aws_signer_profile_permissions` InSpec audit resource to test properties of multiple AWS Signer profile permissions.
+
+The `AWS::Signer::ProfilePermission` resource adds cross-account permissions to a signing profile.
+
+For additional information, including details on parameters and properties, see the [AWS documentation on AWS Signer ProfilePermission](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-signer-profilepermission.html).
+
+## Syntax
+
+Ensure that the profile permission exists.
+
+```ruby
+describe aws_signer_profile_permissions(profile_name: 'PROFILE_NAME') do
+ it { should exist }
+end
+```
+
+## Parameters
+
+`profile_name` _(required)_
+
+: Name of the signing profile containing the cross-account permissions.
+
+## Properties
+
+`actions`
+: An AWS Signer action permitted as part of cross-account permissions.
+
+: **Field**: `action`
+
+`principals`
+: The AWS principal that has been granted a cross-account permission.
+
+: **Field**: `principal`
+
+`statement_ids`
+: A unique identifier for a cross-account permission statement.
+
+: **Field**: `statement_id`
+
+`profile_versions`
+: The signing profile version that a permission applies to.
+
+: **Field**: `profile_version`
+
+## Examples
+
+Ensure a principal is available:
+
+```ruby
+describe aws_signer_profile_permissions(profile_name: 'PROFILE_NAME') do
+ its('principals') { should include 'PRINCIPAL' }
+end
+```
+
+Ensure a statement ID is available:
+
+```ruby
+describe aws_signer_profile_permissions(profile_name: 'PROFILE_NAME') do
+ its('statement_ids') { should include 'STATEMENT_ID' }
+end
+```
+
+Ensure a profile version is available:
+
+```ruby
+describe aws_signer_profile_permissions(profile_name: 'PROFILE_NAME') do
+ its('profile_versions') { should include 'PROFILE_VERSION' }
+end
+```
+
+## Matchers
+
+{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}}
+
+The controls will pass if the `list` method returns at least one result.
+
+### exist
+
+Use `should` to test that the entity exists.
+
+```ruby
+describe aws_signer_profile_permissions(profile_name: 'PROFILE_NAME') do
+ it { should exist }
+end
+```
+
+Use `should_not` to test the entity does not exist.
+
+```ruby
+describe aws_signer_profile_permissions(profile_name: 'PROFILE_NAME') do
+ it { should_not exist }
+end
+```
+
+## AWS Permissions
+
+{{% inspec-aws/aws_permissions_principal action="Signer:Client:ListProfilePermissionsResponse" %}}
diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_signer_signing_profile.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_signer_signing_profile.md
new file mode 100644
index 0000000..42766d2
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_signer_signing_profile.md
@@ -0,0 +1,156 @@
++++
+title = "aws_signer_signing_profile resource"
+
+draft = false
+
+
+[menu.aws]
+title = "aws_signer_signing_profile"
+identifier = "inspec/resources/aws/aws_signer_signing_profile resource"
+parent = "inspec/resources/aws"
++++
+
+Use the `aws_signer_signing_profile` InSpec audit resource to test properties of a single specific AWS Signer signing profile.
+
+A signing profile is a code signing template that can be used to carry out a pre-defined signing job.
+
+For additional information, including details on parameters and properties, see the [AWS documentation on AWS Signer SigningProfile.](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-signer-signingprofile.html).
+
+## Syntax
+
+Ensure that the signing profile exists.
+
+```ruby
+describe aws_signer_signing_profile(profile_name: 'PROFILE_NAME') do
+ it { should exist }
+end
+```
+
+## Parameters
+
+`profile_name` _(required)_
+
+: The name of the target signing profile.
+
+## Properties
+
+`profile_name`
+: The name of the target signing profile.
+
+`profile_version`
+: The current version of the signing profile.
+
+`profile_version_arn`
+: The signing profile ARN, including the profile version.
+
+`revocation_record.revocation_effective_from`
+: The time when revocation becomes effective.
+
+`revocation_record.revoked_at`
+: The time when the signing profile was revoked.
+
+`revocation_record.revoked_by`
+: The identity of the revoker.
+
+`signing_material.certificate_arn`
+: The Amazon Resource Name (ARN) of the certificates that is used to sign your code.
+
+`platform_id`
+: The ID of the platform that is used by the target signing profile.
+
+`platform_display_name`
+: A human-readable name for the signing platform associated with the signing profile.
+
+`signature_validity_period.value`
+: The numerical value of the time unit for signature validity.
+
+`signature_validity_period.type`
+: The time unit for signature validity.
+
+`overrides.signing_configuration.encryption_algorithm`
+: A specified override of the default encryption algorithm that is used in a code signing job.
+
+`overrides.signing_configuration.hash_algorithm`
+: A specified override of the default hash algorithm that is used in a code signing job.
+
+`overrides.signing_image_format`
+: profile_name.
+
+`signing_parameters`
+: A map of key-value pairs for signing operations that is attached to the target signing profile.
+
+`status`
+: The status of the target signing profile.
+
+`status_reason`
+: Reason for the status of the target signing profile.
+
+`arn`
+: The Amazon Resource Name (ARN) for the signing profile.
+
+`tags`
+: A list of tags associated with the signing profile.
+
+## Examples
+
+Ensure a profile name is available:
+
+```ruby
+describe aws_signer_signing_profile(profile_name: 'PROFILE_NAME') do
+ its('profile_name') { should eq 'PROFILE_NAME' }
+end
+```
+
+Ensure a profile version is available:
+
+```ruby
+describe aws_signer_signing_profile(profile_name: 'PROFILE_NAME') do
+ its('profile_version') { should eq 'PROFILE_VERSION' }
+end
+```
+
+Ensure a status is `Active`:
+
+```ruby
+describe aws_signer_signing_profile(profile_name: 'PROFILE_NAME') do
+ its('status') { should eq 'Active' }
+end
+```
+
+## Matchers
+
+{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}}
+
+This resource has the following special matchers.
+
+### exist
+
+Use `should` to test that the entity exists.
+
+```ruby
+describe aws_signer_signing_profile(profile_name: 'PROFILE_NAME') do
+ it { should exist }
+end
+```
+
+Use `should_not` to test the entity does not exist.
+
+```ruby
+describe aws_signer_signing_profile(profile_name: 'PROFILE_NAME') do
+ it { should_not exist }
+end
+```
+
+### be_available
+
+Use `should` to check if the entity is available.
+
+```ruby
+describe aws_signer_signing_profile(profile_name: 'PROFILE_NAME') do
+ it { should be_available }
+end
+```
+
+## AWS Permissions
+
+{{% inspec-aws/aws_permissions_principal action="Signer:Client:GetSigningProfileResponse" %}}
diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_signer_signing_profiles.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_signer_signing_profiles.md
new file mode 100644
index 0000000..6d8696e
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_signer_signing_profiles.md
@@ -0,0 +1,147 @@
++++
+title = "aws_signer_signing_profiles resource"
+
+draft = false
+
+
+[menu.aws]
+title = "aws_signer_signing_profiles"
+identifier = "inspec/resources/aws/aws_signer_signing_profiles resource"
+parent = "inspec/resources/aws"
++++
+
+Use the `aws_signer_signing_profiles` InSpec audit resource to test properties of multiple AWS Signer signing profiles.
+
+A signing profile is a code signing template that can be used to carry out a pre-defined signing job.
+
+For additional information, including details on parameters and properties, see the [AWS documentation on AWS Signer SigningProfile.](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-signer-signingprofile.html).
+
+## Syntax
+
+Ensure that the signing profile exists.
+
+```ruby
+describe aws_signer_signing_profiles do
+ it { should exist }
+end
+```
+
+## Parameters
+
+This resource does not require any parameters.
+
+## Properties
+
+`profile_names`
+: The name of the target signing profile.
+
+: **Field**: `profile_name`
+
+`profile_versions`
+: The current version of the signing profile.
+
+: **Field**: `profile_version`
+
+`profile_version_arns`
+: The signing profile ARN, including the profile version.
+
+: **Field**: `profile_version_arn`
+
+`signing_materials`
+: The ACM certificate that is available for use by a signing profile.
+
+: **Field**: `signing_material`
+
+`signature_validity_periods`
+: The validity period for a signing job created using this signing profile.
+
+: **Field**: `signature_validity_period`
+
+`platform_ids`
+: The ID of the platform that is used by the target signing profile.
+
+: **Field**: `platform_id`
+
+`platform_display_names`
+: A human-readable name for the signing platform associated with the signing profile.
+
+: **Field**: `platform_display_name`
+
+`signing_parameters`
+: A map of key-value pairs for signing operations that is attached to the target signing profile.
+
+: **Field**: `signing_parameters`
+
+`statuses`
+: The status of the target signing profile.
+
+: **Field**: `status`
+
+`status_reasons`
+: Reason for the status of the target signing profile.
+
+: **Field**: `status_reason`
+
+`arns`
+: The Amazon Resource Name (ARN) for the signing profile.
+
+: **Field**: `arn`
+
+`tags`
+: A list of tags associated with the signing profile.
+
+: **Field**: `tags`
+
+## Examples
+
+Ensure a profile name is available:
+
+```ruby
+describe aws_signer_signing_profiles do
+ its('profile_names') { should include 'PROFILE_NAME' }
+end
+```
+
+Ensure a profile version is available:
+
+```ruby
+describe aws_signer_signing_profiles do
+ its('profile_versions') { should include 'PROFILE_VERSION' }
+end
+```
+
+Ensure a status is `Active`:
+
+```ruby
+describe aws_signer_signing_profiles do
+ its('statuses') { should include 'Active' }
+end
+```
+
+## Matchers
+
+{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}}
+
+The controls will pass if the `list` method returns at least one result.
+
+### exist
+
+Use `should` to test that the entity exists.
+
+```ruby
+describe aws_signer_signing_profiles do
+ it { should exist }
+end
+```
+
+Use `should_not` to test the entity does not exist.
+
+```ruby
+describe aws_signer_signing_profiles do
+ it { should_not exist }
+end
+```
+
+## AWS Permissions
+
+{{% inspec-aws/aws_permissions_principal action="Signer:Client:ListSigningProfilesResponse" %}}
diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_sns_subscription.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_sns_subscription.md
new file mode 100644
index 0000000..599300f
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_sns_subscription.md
@@ -0,0 +1,131 @@
++++
+title = "aws_sns_subscription resource"
+
+draft = false
+
+
+[menu.aws]
+title = "aws_sns_subscription"
+identifier = "inspec/resources/aws/aws_sns_subscription resource"
+parent = "inspec/resources/aws"
++++
+
+Use the `aws_sns_subscription` InSpec audit resource to test detailed properties of a AWS SNS Subscription.
+
+For additional information, including details on parameters and properties, see the [AWS documentation on SNS](https://docs.aws.amazon.com/sns/latest/dg/sns-getting-started.html).
+
+## Syntax
+
+An `aws_sns_subscription` resource block uses resource parameters to search for a SNS Subscription, and then tests that subscriptions properties. If no Subscriptions match, no error is raised, but the `exists` matcher will return `false` and all properties will be `nil`.
+
+```ruby
+describe aws_sns_subscription('arn:aws:sns:us-east-1::test-topic-01:b214aff5-a2c7-438f-a753-8494493f2ff6') do
+ it { should exist }
+end
+```
+
+## Parameters
+
+`subscription_arn` _(required)_
+
+: This resource accepts a single parameter, the subscription_arn.
+ This can be passed either as a string or as a `subscription_arn: 'value'` key-value entry in a hash.
+
+## Properties
+
+`arn`
+: The subscription's ARN.
+
+`owner`
+: The subscription's owner.
+
+`raw_message_delivery`
+: Indicates whether the subscription is raw or JSON.
+
+`topic_arn`
+: The ARN of the subscription's topic.
+
+`protocol`
+: The subscription's protocol.
+
+`confirmation_was_authenticated`
+: Indicates whether the subscription confirmation request was authenticated.
+
+## Examples
+
+Inspect the endpoint:
+
+```ruby
+describe aws_sns_subscription(subscription_arn: 'arn:aws:sns:us-east-1::test-topic-01:b214aff5-a2c7-438f-a753-8494493f2ff6' ) do
+If protocol is 'sms', this should be a phone number::
+
+ its('endpoint') { should cmp '+16105551234' }
+If protocol is 'email' or 'email-json', endpoint should be an email address:
+
+ its('endpoint') { should cmp 'myemail@example.com' }
+If protocal is 'http', endpoint should be a URL beginning with 'https://':
+
+ its('endpoint') { should cmp 'https://www.exampleurl.com' }
+If the protocol is 'lambda', its endpoint should be the ARN of a AWS Lambda function:
+
+ its('endpoint') { should cmp 'rn:aws:lambda:us-east-1:account-id:function:myfunction' }
+end
+```
+
+Inspect the owners ID:
+
+```ruby
+describe aws_sns_subscription(subscription_arn: 'arn:aws:sns:us-east-1::test-topic-01:b214aff5-a2c7-438f-a753-8494493f2ff6' ) do
+ its('owner') { should cmp '12345678' }
+end
+```
+
+Inspect the endpoint:
+
+```ruby
+describe aws_sns_subscription(subscription_arn: 'arn:aws:sns:us-east-1::test-topic-01:b214aff5-a2c7-438f-a753-8494493f2ff6' ) do
+ its('protocol') { should cmp 'sqs' }
+end
+```
+
+## Matchers
+
+### exist
+
+The control will pass if the describe returns at least one result.
+
+Use `should_not` to test the entity should not exist.
+
+```ruby
+it { should exist }
+```
+
+```ruby
+it { should_not exist }
+```
+
+#### be_confirmation_authenticated
+
+Provides whether or not the subscription confirmation request was authenticated.
+
+```ruby
+describe aws_sns_subscription(subscription_arn: 'arn:aws:sns:us-east-1::NOGOOD:b214aff5-a2c7-438f-a753-8494493f2ff6')
+ it { should be_confirmation_authenticated }
+end
+```
+
+#### have_raw_message_delivery
+
+Provides whether or not the original message is passed as is, not formatted as a json or yaml.
+
+```ruby
+describe aws_sns_subscription(subscription_arn: 'arn:aws:sns:us-east-1::NOGOOD:b214aff5-a2c7-438f-a753-8494493f2ff6')
+ it { should have_raw_message_delivery }
+end
+```
+
+## AWS Permissions
+
+{{% inspec-aws/aws_permissions_principal action="SNS:Client:GetSubscriptionAttributesResponse" %}}
+
+You can find detailed documentation at [Actions, Resources, and Condition Keys for Amazon SNS](https://docs.aws.amazon.com/IAM/latest/UserGuide/list_amazonsns.html).
diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_sns_subscriptions.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_sns_subscriptions.md
new file mode 100644
index 0000000..e8c1cff
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_sns_subscriptions.md
@@ -0,0 +1,114 @@
++++
+title = "aws_sns_subscriptions resource"
+
+draft = false
+
+
+[menu.aws]
+title = "aws_sns_subscriptions"
+identifier = "inspec/resources/aws/aws_sns_subscriptions resource"
+parent = "inspec/resources/aws"
++++
+
+Use the `aws_sns_subscriptions` InSpec audit resource to test properties of an AWS Simple Notification Service (SNS) subscription VPN route.
+
+The `AWS::SNS::Subscription` resource subscribes an endpoint to an Amazon SNS topic. For a subscription to be created, the owner of the endpoint must confirm the subscription.
+
+For additional information, including details on parameters and properties, see the [AWS documentation on AWS SNS subscriptions.](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-sns-subscription.html).
+
+## Syntax
+
+Ensure that the subscription exists.
+
+```ruby
+describe aws_sns_subscriptions do
+ it { should exist }
+end
+```
+
+## Parameters
+
+This resource does not require any parameters.
+
+## Properties
+
+`subscription_arns`
+: The subscription's ARN.
+
+: **Field**: `subscription_arn`
+
+`owners`
+: The subscription's owner.
+
+: **Field**: `owner`
+
+`protocols`
+: The subscription's protocol.
+
+: **Field**: `protocol`
+
+`endpoints`
+: The subscription's endpoint (format depends on the protocol).
+
+: **Field**: `endpoint`
+
+`topic_arns`
+: The ARN of the subscription's topic.
+
+: **Field**: `topic_arn`
+
+## Examples
+
+Ensure a subscription ARN is available:
+
+```ruby
+describe aws_sns_subscriptions do
+ its('subscription_arns') { should include 'SUBSCRIPTION_ARN' }
+end
+```
+
+Ensure a topic ARN is available:
+
+```ruby
+describe aws_sns_subscriptions do
+ its('topic_arns') { should include 'TOPIC_ARN' }
+end
+```
+
+## Matchers
+
+{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}}
+
+The controls will pass if the `list` method returns at least one result.
+
+### exist
+
+Use `should` to test that the entity exists.
+
+```ruby
+describe aws_sns_subscriptions do
+ it { should exist }
+end
+```
+
+Use `should_not` to test the entity does not exist.
+
+```ruby
+describe aws_sns_subscriptions do
+ it { should_not exist }
+end
+```
+
+### be_available
+
+Use `should` to check if the entity is available.
+
+```ruby
+describe aws_sns_subscriptions do
+ it { should be_available }
+end
+```
+
+## AWS Permissions
+
+{{% inspec-aws/aws_permissions_principal action="SNS:Client:ListSubscriptionsResponse" %}}
diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_sns_topic.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_sns_topic.md
new file mode 100644
index 0000000..fad841c
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_sns_topic.md
@@ -0,0 +1,86 @@
++++
+title = "aws_sns_topic resource"
+
+draft = false
+
+
+[menu.aws]
+title = "aws_sns_topic"
+identifier = "inspec/resources/aws/aws_sns_topic resource"
+parent = "inspec/resources/aws"
++++
+
+Use the `aws_sns_topic` InSpec audit resource to test properties of a single AWS Simple Notification Service Topic. SNS topics are channels for related events. AWS resources place events in the Simple Notification Service (SNS) topic, while other AWS resources subscribe to receive notifications when new events occur.
+
+For additional information, including details on parameters and properties, see the [AWS documentation on SNS](https://docs.aws.amazon.com/sns/latest/dg/sns-getting-started.html).
+
+## Syntax
+
+```ruby
+describe aws_sns_topic('arn:aws:sns:*::my-topic-name') do
+ it { should exist }
+end
+```
+
+You may also use has syntax to pass the ARN:
+
+```ruby
+describe aws_sns_topic(arn: 'arn:aws:sns:*::my-topic-name') do
+ it { should exist }
+end
+```
+
+## Parameters
+
+`arn` _(required)_
+
+: This resource accepts a single parameter, the ARN of the SNS Topic.
+ This can be passed either as a string or as a `arn: 'value'` key-value entry in a hash.
+
+## Properties
+
+`kms_master_key_id`
+: Provides the ID of an AWS-managed customer master key (CMK) for Amazon SNS topic or a custom CMK.
+
+`confirmed_subscription_count`
+: An integer indicating the number of currently active subscriptions.
+
+## Examples
+
+Make sure something is subscribed to the topic:
+
+```ruby
+describe aws_sns_topic('arn:aws:sns:*::my-topic-name') do
+ its('confirmed_subscription_count') { should_not be_zero}
+end
+```
+
+## Matchers
+
+{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}}
+
+This resource has the following special matchers.
+
+### exist
+
+The control will pass if the describe returns at least one result.
+
+Use `should_not` to test the entity should not exist.
+
+```ruby
+describe aws_sns_topic('arn:aws:sns:*::good-news') do
+ it { should exist }
+end
+```
+
+```ruby
+describe aws_sns_topic('arn:aws:sns:*::bad-news') do
+ it { should_not exist }
+end
+```
+
+## AWS Permissions
+
+{{% inspec-aws/aws_permissions_principal action="SNS:Client:GetTopicAttributesResponse" %}}
+
+You can find detailed documentation at [Actions, Resources, and Condition Keys for Amazon SNS](https://docs.aws.amazon.com/IAM/latest/UserGuide/list_amazonsns.html).
diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_sns_topics.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_sns_topics.md
new file mode 100644
index 0000000..1bb79d4
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_sns_topics.md
@@ -0,0 +1,77 @@
++++
+title = "aws_sns_topics resource"
+
+draft = false
+
+
+[menu.aws]
+title = "aws_sns_topics"
+identifier = "inspec/resources/aws/aws_sns_topics resource"
+parent = "inspec/resources/aws"
++++
+
+Use the `aws_sns_topics` InSpec audit resource to test all or a group of the SNS Topic ARNs in an account.
+
+User the 'aws_sns_topic' InSpec audit resource to test a single SNS Topic in an account.
+
+For additional information, including details on parameters and properties, see the [AWS documentation on SNS](https://docs.aws.amazon.com/sns/latest/dg/sns-getting-started.html).
+
+## Syntax
+
+Get all SNS Topic arns:
+
+```ruby
+describe aws_sns_topics do
+ its('topic_arns') { should include 'arn:aws:sns:us-east-1:333344445555:MyTopic' }
+end
+```
+
+## Parameters
+
+This resource does not require any parameters.
+
+## Properties
+
+`topic_arns`
+: The ARNs of the SNS Topics.
+
+`entries`
+: Provides access to the raw results of the query, which can be treated as an array of hashes.
+
+## Examples
+
+The following examples show how to use this InSpec audit resource.
+
+Ensure a Topic exists:
+
+```ruby
+describe aws_sns_topics do
+ its('topic_arns') { should include 'arn:aws:sns:us-east-1:333344445555:MyTopic' }
+end
+```
+
+## Matchers
+
+### exist
+
+The control will pass if the describe returns at least one result.
+
+Use `should_not` to test the entity should not exist.
+
+```ruby
+describe aws_sns_topics do
+ it { should exist }
+end
+```
+
+```ruby
+describe aws_sns_topics do
+ it { should_not exist }
+end
+```
+
+## AWS Permissions
+
+{{% inspec-aws/aws_permissions_principal action="SNS:Client:ListTopicsResponse" %}}
+
+You can find detailed documentation at [Actions, Resources, and Condition Keys for Amazon SNS](https://docs.aws.amazon.com/IAM/latest/UserGuide/list_amazonsns.html).
diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_sqs_queue.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_sqs_queue.md
new file mode 100644
index 0000000..a2f3708
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_sqs_queue.md
@@ -0,0 +1,183 @@ ++++ +title = "aws_sqs_queue resource" + +draft = false + + +[menu.aws] +title = "aws_sqs_queue" +identifier = "inspec/resources/aws/aws_sqs_queue resource" +parent = "inspec/resources/aws" ++++ + +Use the `aws_sqs_queue` InSpec audit resource to test properties of a single AWS Simple Queue Service queue. + +For additional information, including details on parameters and properties, see the [AWS documentation on SQS](https://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSDeveloperGuide/welcome.html). + +## Syntax + +```ruby +describe aws_sqs_queue(queue_url: 'https://sqs.ap-southeast-2.amazonaws.com/1212121/MyQueue') do + it { should exist } +end +``` + +## Parameters + +`queue_url` _(required)_ + +: This resource accepts a single parameter, the SQS Queue URL. + This can be passed either as a string or as a `queue_url: 'value'` key-value entry in a hash. + +## Properties + +`arn` +: The ARN of the SQS Queue. + +`is_fifo_queue` +: A boolean value indicate if this queue is a FIFO queue. + +`visibility_timeout` +: An integer indicating the visibility timeout of the message in seconds. + +`maximum_message_size` +: An integer indicating the maximum message size in bytes. + +`message_retention_period` +: An integer indicating the maximum retention period for a message in seconds. + +`delay_seconds` +: An integer indicating the delay in seconds for the queue. + +`receive_message_wait_timeout_seconds` +: An integer indicating the number of seconds an attempt to recieve a message will wait before returning. + +`content_based_deduplication` +: A boolean value indicate if content based deduplication is enabled or not. + +`redrive_policy` +: A string indicating the redrive policy. + +`kms_master_id` +: Provides the ID of an AWS-managed customer master key (CMK) for Amazon SQS or a custom CMK. 
+ +`kms_data_key_reuse_period_seconds` +: Returns the length of time, in seconds, for which Amazon SQS can reuse a data key to encrypt or decrypt messages before calling AWS KMS again. + +`sqs_managed_enabled` +: Returns information about whether the queue is using SSE-SQS encryption using SQS-owned encryption keys. + +`policy` +: Returns the policy of the queue. + +## Examples + +Ensure that a queue exists and has a visibility timeout of 300 seconds: + +```ruby +describe aws_sqs_queue('https://sqs.ap-southeast-2.amazonaws.com/1212121/MyQueue') do + it { should exist } + its('visibility_timeout') { should be 300 } +end +``` + +Ensure maximum message size is set: + +```ruby +describe aws_sqs_queue('https://sqs.ap-southeast-2.amazonaws.com/1212121/MyQueue') do +256 KB : + +end +``` + +Test the delay time : + +```ruby +describe aws_sqs_queue('https://sqs.ap-southeast-2.amazonaws.com/1212121/MyQueue') do + its('delay_seconds') { should be 0 } +end +``` + +Ensure messages are retained for 4 days: + +```ruby +describe aws_sqs_queue('https://sqs.ap-southeast-2.amazonaws.com/1212121/MyQueue') do +4 days: + +end +``` + +Check if queue is fifo: + +```ruby +describe aws_sqs_queue('https://sqs.ap-southeast-2.amazonaws.com/1212121/MyQueue') do + its('is_fifo_queue') { should be false } +end +``` + +## Matchers + +{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}} + +This resource has the following special matchers. + +### exist + +The control will pass if the describe returns at least one result. + +Use `should` to test the entity should exist. + +```ruby +describe aws_sqs_queue('https://sqs.ap-southeast-2.amazonaws.com/1212121/MyQueue') do + it { should exist } +end +``` + +Use `should_not` to test the entity should not exist. 
+ +```ruby +describe aws_sqs_queue('https://sqs.ap-southeast-2.amazonaws.com/1212121/MyQueueWhichDoesntExist') do + it { should_not exist } +end +``` + +### policy_statement_principal_all_permissions_enabled + +The control will pass if at least one Principal has all permissions enabled. + +Use `should` to test when a Principal with all permissions should exist. + +```ruby +describe aws_sqs_queue('https://sqs.ap-southeast-2.amazonaws.com/1212121/MyQueue') do + it { should be_policy_statement_principal_all_permissions_enabled } +end +``` + +Use `should_not` to test that a Principal with all permissions should not exist. + +```ruby +describe aws_sqs_queue('https://sqs.ap-southeast-2.amazonaws.com/1212121/MyQueueWhichDoesntExist') do + it { should_not be_policy_statement_principal_all_permissions_enabled } +end +``` + +### policy_statement_action_all_permissions_enabled + +The control will pass if at least one action has all permissions enabled. + +Use `should` to test that at least one action has all permissions enabled should exist. + +```ruby +describe aws_sqs_queue('https://sqs.ap-southeast-2.amazonaws.com/1212121/MyQueue') do + it { should be_policy_statement_action_all_permissions_enabled } +end +```ruby +describe aws_sqs_queue('https://sqs.ap-southeast-2.amazonaws.com/1212121/MyQueueWhichDoesntExist') do + it { should_not be_policy_statement_action_all_permissions_enabled } +end +``` + +## AWS Permissions + +{{% inspec-aws/aws_permissions_principal action="SQS:Client:GetQueueAttributesResult" %}} +You can find detailed documentation at [Actions, Resources, and Condition Keys for Amazon SQS](https://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSDeveloperGuide/sqs-using-identity-based-policies.html). diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_sqs_queues.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_sqs_queues.md new file mode 100644 index 0000000..e4cac96 --- /dev/null 
+++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_sqs_queues.md 
@@ -0,0 +1,93 @@ ++++ +title = "aws_sqs_queues resource" + +draft = false + + +[menu.aws] +title = "aws_sqs_queues" +identifier = "inspec/resources/aws/aws_sqs_queues resource" +parent = "inspec/resources/aws" ++++ + +Use the `aws_sqs_queues` InSpec audit resource to test properties of some or all AWS Simple Queue Service queues. + +For additional information, including details on parameters and properties, see the [AWS documentation on SQS](https://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSDeveloperGuide/welcome.html). + +## Syntax + +```ruby +describe aws_sqs_queues() do + it { should exist } +end +``` + +## Parameters + +This resource does not require any parameters. + +## Properties + +`arns` +: The ARNs of the SQS Queues. + +`is_fifo_queues` +: A boolean value indicate if queues are a FIFO queues. + +`visibility_timeouts` +: An integer indicating the visibility timeout of the message in seconds. + +`maximum_message_sizes` +: An integer indicating the maximum message size in bytes. + +`message_retention_periods` +: An integer indicating the maximum retention period for a message in seconds. + +`delay_seconds` +: An integer indicating the delay in seconds for the queues. + +`receive_message_wait_timeout_seconds` +: An integer indicating the number of seconds an attempt to recieve a message will wait before returning. + +`content_based_deduplications` +: A boolean value indicate if content based dedcuplication is enabled or not. + +## Examples + +Ensure that a queue exists and has a visibility timeout of 300 seconds: + +```ruby +describe aws_sqs_queues.where(queue_url: 'https://sqs.ap-southeast-2.amazonaws.com/1212121/MyQueue') do + it { should exist } + its('visibility_timeout') { should be 300 } +end +``` + +## Matchers + +{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}} + +This resource has the following special matchers. + +### exist + +The control will pass if the describe returns at least one result. 
+ +Use `should_not` to test the entity should not exist. + +```ruby +describe aws_sqs_queues() do + it { should exist } +end +``` + +```ruby +describe aws_sqs_queues() do + it { should_not exist } +end +``` + +## AWS Permissions + +{{% inspec-aws/aws_permissions_principal action="SQS:Client:GetQueueAttributesResult" %}} +You can find detailed documentation at [Actions, Resources, and Condition Keys for Amazon SQS](https://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSDeveloperGuide/sqs-using-identity-based-policies.html). diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_ssm_activation.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_ssm_activation.md new file mode 100644 index 0000000..290b28d --- /dev/null +++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_ssm_activation.md 
@@ -0,0 +1,106 @@ ++++ +title = "aws_ssm_activation resource" + +draft = false + + +[menu.aws] +title = "aws_ssm_activation" +identifier = "inspec/resources/aws/aws_ssm_activation resource" +parent = "inspec/resources/aws" ++++ + +Use the `aws_ssm_activation` InSpec audit resource to test properties of a ssm activation. + +For additional information, including details on parameters and properties, see the [AWS documentation on SSM Activations](https://docs.aws.amazon.com/systems-manager/latest/userguide/activations.html). + +## Syntax + + An `aws_ssm_activation` resource block uses the parameter to select a ssm activation. + +```ruby +describe aws_ssm_activation(activation_id: 'ssm-activation-id-1234') do + it { should exist } +end +``` + +## Parameters + +`activation_id` _(required)_ + +: This resource accepts a single parameter, the SSM Activation ID. + This can be passed either as a string or as a `activation_id: 'value'` key-value entry in a hash. + +## Properties + +`activation_id` +: Provides ID created by Systems Manager when you submitted the activation. + +`created_date` +: Provides the date the activation was created. + +`default_instance_name` +: Provides the name for the managed instance when it is created. + +`description` +: Provides a user defined description of the activation. + +`expiration_date` +: Provides the date when this activation can no longer be used to register managed instances. + +`expired` +: Whether or not the activation is expired. + +`iam_role` +: Provides the Amazon Identity and Access Management (IAM) role to assign to the managed instance. + +`registration_limit` +: Provides the maximum number of managed instances that can be registered with this activation. + +`registrations_count` +: Provides the number of managed instances already registered with this activation. + +`tags` +: Provides the tags assigned to the activation. 
+ +For a comprehensive list of properties available, see [the API reference documentation](https://docs.aws.amazon.com/systems-manager/latest/APIReference/API_Activation.html) + +## Examples + +Check the Activation ID of a SSM Activation: + +```ruby +describe aws_ssm_activation(activation_id: 'ssm-activation-id-1234') do + its('activation_id') { should eq 'ssm-activation-id-1234' } +end +``` + +## Matchers + +{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}} + +This resource has the following special matchers. + +### exist + +The control will pass if the describe returns at least one result. + +Use `should_not` to test the entity should not exist. + +```ruby +describe aws_ssm_activation(activation_id: 'ssm-activation-id-1234') do + it { should exist } +end +``` + +```ruby +describe aws_ssm_activation(activation_id: 'ssm-activation-id-6789') do + it { should_not exist } +end +``` + +## AWS Permissions + +{{% inspec-aws/aws_permissions_principal action="SSM:Client:DescribeActivationsResult" %}} + +You can find detailed documentation at [Actions, Resources, and Condition Keys for Amazon Systems Manager](https://docs.aws.amazon.com/IAM/latest/UserGuide/list_awssystemsmanager.html). diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_ssm_activations.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_ssm_activations.md new file mode 100644 index 0000000..d552045 --- /dev/null +++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_ssm_activations.md 
@@ -0,0 +1,101 @@ ++++ +title = "aws_ssm_activations resource" + +draft = false + + +[menu.aws] +title = "aws_ssm_activations" +identifier = "inspec/resources/aws/aws_ssm_activations resource" +parent = "inspec/resources/aws" ++++ + +Use the `aws_ssm_activations` InSpec audit resource to test properties of a collection of AWS SSM Activations. + +## Syntax + + Ensure you have exactly 3 activations + +```ruby +describe aws_ssm_activations do + its('activation_ids.count') { should cmp 3 } +end +``` + +## Parameters + +This resource does not require any parameters. + +## Properties + +`activation_ids` +: Provides ID created by Systems Manager when you submitted the activation. + +`created_dates` +: Provides the date the activation was created. + +`default_instance_names` +: Provides the name for the managed instance when it is created. + +`descriptions` +: Provides a user defined description of the activation. + +`expiration_dates` +: Provides the date when this activation can no longer be used to register managed instances. + +`expired` +: Whether or not the activation is expired. + +`iam_roles` +: Provides the Amazon Identity and Access Management (IAM) role to assign to the managed instance. + +`registration_limits` +: Provides the maximum number of managed instances that can be registered with this activation. + +`registrations_count` +: Provides the number of managed instances already registered with this activation. + +`tags` +: Provides the tags assigned to the activation. + +For a comprehensive list of properties available, see [the API reference documentation](https://docs.aws.amazon.com/systems-manager/latest/APIReference/API_Activation.html) + +## Examples + +Ensure an Activation ID of a SSM Activation exists: + +```ruby +describe aws_ssm_activations do + its('activation_ids') { should include 'activation-id' } +end +``` + +## Matchers + +{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}} + +This resource has the following special matchers. 
+ +### exist + +The control will pass if the describe returns at least one result. + +Use `should_not` to test the entity should not exist. + +```ruby +describe aws_ssm_activations.where( : ) do + it { should exist } +end +``` + +```ruby +describe aws_ssm_activations.where( : ) do + it { should_not exist } +end +``` + +## AWS Permissions + +{{% inspec-aws/aws_permissions_principal action="SSM:Client:DescribeActivationsResult" %}} + +You can find detailed documentation at [Actions, Resources, and Condition Keys for Amazon Systems Manager](https://docs.aws.amazon.com/IAM/latest/UserGuide/list_awssystemsmanager.html). diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_ssm_association.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_ssm_association.md new file mode 100644 index 0000000..480a5ba --- /dev/null +++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_ssm_association.md 
@@ -0,0 +1,148 @@ ++++ +title = "aws_ssm_association resource" + +draft = false + + +[menu.aws] +title = "aws_ssm_association" +identifier = "inspec/resources/aws/aws_ssm_association resource" +parent = "inspec/resources/aws" ++++ + +Use the `aws_ssm_association` InSpec audit resource to test properties of a ssm association. + +For additional information, including details on parameters and properties, see the [AWS documentation on SSM Associations](https://docs.aws.amazon.com/systems-manager/latest/userguide/sysman-state-assoc.html). + +## Syntax + + An `aws_ssm_association` resource block uses the parameter to select a ssm association. + +```ruby +describe aws_ssm_association(association_id: 'association-id-1234') do + it { should exist } +end +``` + +```ruby +describe aws_ssm_association(name: 'document-name', instance_id: 'instance-id') do + it { should exist } +end +``` + +## Parameters + +`association_id` _OR_ name _AND_ instance_id _(name and instance_id are required together)_ + +: This resource accepts the association_id, document name and instance id. If not using association_id, name and instance id must both be provided as parameters + This can be passed either as a string or as a `association_id: 'value'` key-value entry in a hash. + +## Properties + +`name` +: The name of the Systems Manager document. + +`instance_id` +: Provides the id of the instance. + +`association_version` +: Provides the version of the association. + +`date` +: The date when the association was made. + +`last_update_association_date` +: The date when the association was last updated. + +`status` +: The association status. + +`overview` +: Provides information about the association. + +`document_version` +: Provides the document version used in the association. + +`automation_target_parameter_name` +: Specify the target for the association. This target is required for associations that use an Automation document and target resources by using rate controls. 
+ +`parameters` +: A description of the parameters for a document. + +`association_id` +: Provides the ID of the association. + +`targets` +: Provides the instances targeted by the request to create an association. + +`schedule_expression` +: A cron expression that specifies a schedule when the association runs. + +`output_location` +: An S3 bucket where you want to store the output details of the request. + +`last_execution_date` +: The date on which the association was last run. + +`last_successful_execution_date` +: The last date on which the association was successfully run. + +`association_name` +: Provides the name of the association. + +`max_errors` +: The number of errors that are allowed before the system stops sending requests to run the association on additional targets. + +`max_concurrency` +: The maximum number of targets allowed to run the association at the same time. + +`compliance_severity` +: The severity level that is assigned to the association. + +`sync_compliance` +: The mode for generating association compliance. You can specify AUTO or MANUAL. + +`apply_only_at_cron_interval` +: By default, when you create a new associations, the system runs it immediately after it is created and then according to the schedule you specified. Specify this option if you don't want an association to run immediately after you create it. + +For a comprehensive list of properties available, see [the API reference documentation](https://docs.aws.amazon.com/systems-manager/latest/APIReference/API_Association.html) + +## Examples + +Check the Name of a SSM Association: + +```ruby +describe aws_ssm_association(association_id: 'association-id-1234') do + its('name') { should eq 'association-name-1234' } +end +``` + +## Matchers + +{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}} + +This resource has the following special matchers. + +### exist + +The control will pass if the describe returns at least one result. 
+ +Use `should_not` to test the entity should not exist. + +```ruby +describe aws_ssm_association(association_id: 'association-id-1234') do + it { should exist } +end +``` + +```ruby +describe aws_ssm_association(association_id: 'association-id-6789') do + it { should_not exist } +end +``` + +## AWS Permissions + +{{% inspec-aws/aws_permissions_principal action="SSM:Client:DescribeAssociationResult" %}} + +You can find detailed documentation at [Actions, Resources, and Condition Keys for Amazon Systems Manager](https://docs.aws.amazon.com/IAM/latest/UserGuide/list_awssystemsmanager.html). diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_ssm_associations.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_ssm_associations.md new file mode 100644 index 0000000..f5cad0f --- /dev/null +++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_ssm_associations.md 
@@ -0,0 +1,101 @@ ++++ +title = "aws_ssm_associations resource" + +draft = false + + +[menu.aws] +title = "aws_ssm_associations" +identifier = "inspec/resources/aws/aws_ssm_associations resource" +parent = "inspec/resources/aws" ++++ + +Use the `aws_ssm_associations` InSpec audit resource to test properties of a collection of AWS SSM Associations. + +## Syntax + + Ensure you have exactly 3 associations + +```ruby +describe aws_ssm_associations do + its('names.count') { should cmp 3 } +end +``` + +## Parameters + +This resource does not require any parameters. + +## Properties + +`association_ids` +: Provides the ID of the association. + +`association_names` +: Provides the name of the association. + +`association_versions` +: Provides the version of the association. + +`document_versions` +: Provides the document version used in the association. + +`instance_ids` +: Provides the id of the instance. + +`last_execution_dates` +: The date on which the association was last run. + +`names` +: The name of the Systems Manager document. + +`overviews` +: Provides information about the association. + +`schedule_expressions` +: A cron expression that specifies a schedule when the association runs. + +`targets` +: Provides the instances targeted by the request to create an association. + +For a comprehensive list of properties available, see [the API reference documentation](https://docs.aws.amazon.com/systems-manager/latest/APIReference/API_Association.html) + +## Examples + +Ensure an Association ID of a SSM Association exists: + +```ruby +describe aws_ssm_associations do + its('association_ids') { should include 'association-id' } +end +``` + +## Matchers + +{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}} + +This resource has the following special matchers. + +### exist + +The control will pass if the describe returns at least one result. + +Use `should_not` to test the entity should not exist. 
+ +```ruby +describe aws_ssm_associations.where( : ) do + it { should exist } +end +``` + +```ruby +describe aws_ssm_associations.where( : ) do + it { should_not exist } +end +``` + +## AWS Permissions + +{{% inspec-aws/aws_permissions_principal action="SSM:Client:ListAssociationsResult" %}} + +You can find detailed documentation at [Actions, Resources, and Condition Keys for Amazon Systems Manager](https://docs.aws.amazon.com/IAM/latest/UserGuide/list_awssystemsmanager.html). diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_ssm_document.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_ssm_document.md new file mode 100644 index 0000000..86c27f3 --- /dev/null +++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_ssm_document.md 
@@ -0,0 +1,142 @@ ++++ +title = "aws_ssm_document resource" + +draft = false + + +[menu.aws] +title = "aws_ssm_document" +identifier = "inspec/resources/aws/aws_ssm_document resource" +parent = "inspec/resources/aws" ++++ + +Use the `aws_ssm_document` InSpec audit resource to test properties of a ssm document. + +For additional information, including details on parameters and properties, see the [AWS documentation on SSM Documents](https://docs.aws.amazon.com/systems-manager/latest/userguide/sysman-ssm-docs.html). + +## Syntax + + An `aws_ssm_document` resource block uses the parameter to select a ssm document. + +```ruby +describe aws_ssm_document(name: 'document-name-1234') do + it { should exist } +end +``` + +## Parameters + +`name` _(required)_ + +: This resource accepts a single parameter, the SSM Document Name. + This can be passed either as a string or as a `name: 'value'` key-value entry in a hash. + +## Properties + +`sha_1` +: Provides the SHA1 hash of the document, which you can use for verification. + +`hash` +: Provides the Sha256 or Sha1 hash created by the system when the document was created. + +`hash_type` +: Provides the hash type of the document. Valid values include Sha256 or Sha1. + +`name` +: Provides the name of the Systems Manager document. + +`version_name` +: Provides the version of the artifact associated with the document. + +`owner` +: Provides the AWS user account that created the document. + +`created_date` +: Provides the date when the document was created. + +`status` +: Provides the status of the Systems Manager document. + +`status_information` +: Provides a message returned by AWS Systems Manager that explains the Status value. + +`document_version` +: Provides the document version. + +`description` +: Provides a description of the document. + +`parameters` +: Provides a description of the parameters for a document. These parameters include DefaultValue, Description, Name and Type. 
+ +`platform_types` +: Provides the list of OS platforms compatible with this Systems Manager document. + +`document_type` +: Provides the type of the document. + +`schema_version` +: Provides the schema version. + +`latest_version` +: Provides the latest version of the document. + +`default_version` +: Provides the default version. + +`document_format` +: Provides the document format, either JSON or YAML. + +`target_type` +: The target type which defines the kinds of resources the document can run on. + +`tags` +: Provides the tags, or metadata, that have been applied to the document. + +`attachments_information` +: Provides details about the document attachments, including names, locations, sizes, and so on. + +`requires` +: Provides a list of SSM documents required by a document. + +For a comprehensive list of properties available, see [the API reference documentation](https://docs.aws.amazon.com/systems-manager/latest/APIReference/API_DocumentDescription.html) + +## Examples + +Check the Name of a SSM Document: + +```ruby +describe aws_ssm_document(name: 'document-name-1234') do + its('name') { should eq 'document-name-1234' } +end +``` + +## Matchers + +{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}} + +This resource has the following special matchers. + +### exist + +The control will pass if the describe returns at least one result. + +Use `should_not` to test the entity should not exist. + +```ruby +describe aws_ssm_document(name: 'document-name-1234') do + it { should exist } +end +``` + +```ruby +describe aws_ssm_document(name: 'document-name-6789') do + it { should_not exist } +end +``` + +## AWS Permissions + +{{% inspec-aws/aws_permissions_principal action="SSM:Client:DescribeDocumentResult" %}} + +You can find detailed documentation at [Actions, Resources, and Condition Keys for Amazon Systems Manager](https://docs.aws.amazon.com/IAM/latest/UserGuide/list_awssystemsmanager.html). 
diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_ssm_documents.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_ssm_documents.md
new file mode 100644
index 0000000..7367867
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_ssm_documents.md
@@ -0,0 +1,98 @@ ++++ +title = "aws_ssm_documents resource" + +draft = false + + +[menu.aws] +title = "aws_ssm_documents" +identifier = "inspec/resources/aws/aws_ssm_documents resource" +parent = "inspec/resources/aws" ++++ + +Use the `aws_ssm_documents` InSpec audit resource to test properties of a collection of AWS SSM Compliance Items. + +## Syntax + + Ensure you have exactly 3 documents + +```ruby +describe aws_ssm_documents do + its('names.count') { should cmp 3 } +end +``` + +## Parameters + +This resource does not require any parameters. + +## Properties + +`names` +: Provides the name of the Systems Manager document. + +`owners` +: Provides the AWS user account that created the document. + +`platform_types` +: Provides the list of OS platforms compatible with this Systems Manager document. + +`document_versions` +: Provides the document version. + +`document_types` +: Provides the type of the document. + +`schema_versions` +: Provides the schema version. + +`document_formats` +: Provides the document format, either JSON or YAML. + +`target_types` +: The target type which defines the kinds of resources the document can run on. + +`tags` +: Provides the tags, or metadata, that have been applied to the document. + +For a comprehensive list of properties available, see [the API reference documentation](https://docs.aws.amazon.com/systems-manager/latest/APIReference/API_DocumentDescription.html). + +## Examples + +Ensure a Name of a SSM Document exists: + +```ruby +describe aws_ssm_documents do + its('names') { should include 'document-name' } +end +``` + +## Matchers + +{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}} + +This resource has the following special matchers. + +### exist + +The control will pass if the describe returns at least one result. + +Use `should_not` to test the entity should not exist. 
+ +```ruby +describe aws_ssm_documents.where( : ) do + it { should exist } +end +``` + +```ruby +describe aws_ssm_documents.where( : ) do + it { should_not exist } +end +``` + +## AWS Permissions + +{{% inspec-aws/aws_permissions_principal action="SSM:Client:ListDocumentsResult" %}} + +You can find detailed documentation at [Actions, Resources, and Condition Keys for Amazon Systems Manager](https://docs.aws.amazon.com/IAM/latest/UserGuide/list_awssystemsmanager.html). diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_ssm_maintenance_window.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_ssm_maintenance_window.md new file mode 100644 index 0000000..cd8c014 --- /dev/null +++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_ssm_maintenance_window.md 
@@ -0,0 +1,154 @@ ++++ +title = "aws_ssm_maintenance_window resource" + +draft = false + + +[menu.aws] +title = "aws_ssm_maintenance_window" +identifier = "inspec/resources/aws/aws_ssm_maintenance_window resource" +parent = "inspec/resources/aws" ++++ + +Use the `aws_ssm_maintenance_window` InSpec audit resource to test properties of a single AWS Systems Manager (SSM) maintenance window. + +The `AWS::SSM::MaintenanceWindow` resource represents general information about a maintenance window for AWS Systems Manager. + +For additional information, including details on parameters and properties, see the [AWS documentation on the `AWS::SSM::MaintenanceWindow` resource type](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ssm-maintenancewindow.html). + +## Syntax + +Ensure that the maintenance window exists. + +```ruby +describe aws_ssm_maintenance_window(window_id: 'WINDOW_ID') do + it { should exist } +end +``` + +## Parameters + +`window_id` _(required)_ + +: The ID of the maintenance window for which you want to retrieve information. + +## Properties + +`window_id` +: The ID of the maintenance window for which you want to retrieve information. + +`name` +: The name of the maintenance window. + +`description` +: The description of the maintenance window. + +`start_date` +: The date and time, in ISO-8601 Extended format, for when the maintenance window is scheduled to become active. + +`end_date` +: The date and time, in ISO-8601 Extended format, for when the maintenance window is scheduled to become inactive. + +`schedule` +: The schedule of the maintenance window in the form of a cron or rate expression. + +`schedule_timezone` +: The time zone that the scheduled maintenance window executions are based on, in Internet Assigned Numbers Authority (IANA) format. + +`schedule_offset` +: The number of days to wait to run a maintenance window after the scheduled cron expression date and time. 
+ +`next_execution_time` +: The next time the maintenance window will actually run, taking into account any specified times for the maintenance window to become active or inactive. + +`duration` +: The duration of the maintenance window in hours. + +`cutoff` +: The number of hours before the end of the maintenance window that Amazon Web Services Systems Manager stops scheduling new tasks for execution. + +`allow_unassociated_targets` +: Whether targets must be registered with the maintenance window before tasks can be defined for those targets. + +`enabled` +: Indicates whether the maintenance window is enabled. + +`created_date` +: The date the maintenance window was created. + +`modified_date` +: The date the maintenance window was last modified. + +## Examples + +Ensure a window ID is available: + +```ruby +describe aws_ssm_maintenance_window(window_id: 'WINDOW_ID') do + its('window_id') { should eq 'WINDOW_ID' } +end +``` + +Ensure a name is available: + +```ruby +describe aws_ssm_maintenance_window(window_id: 'WINDOW_ID') do + its('name') { should eq 'WINDOW_NAME' } +end +``` + +Ensure a duration is `1`: + +```ruby +describe aws_ssm_maintenance_window(window_id: 'WINDOW_ID') do + its('duration') { should eq 1 } +end +``` + +Ensure a maintenance window is enabled: + +```ruby +describe aws_ssm_maintenance_window(window_id: 'WINDOW_ID') do + its('enabled') { should eq true } +end +``` + +## Matchers + +This Chef InSpec audit resource has the following special matchers. + +{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}} + +This resource has the following special matchers. + +### exist + +Use `should` to test that the entity exists. + +```ruby +describe aws_ssm_maintenance_window(window_id: 'WINDOW_ID') do + it { should exist } +end +``` + +Use `should_not` to test the entity does not exist. 
+ +```ruby +describe aws_ssm_maintenance_window(window_id: 'WINDOW_ID') do + it { should_not exist } +end +``` + +### be_available + +Use `should` to check if the entity is available. + +```ruby +describe aws_ssm_maintenance_window(window_id: 'WINDOW_ID') + it { should be_available } +end +``` + +## AWS Permissions + +{{% inspec-aws/aws_permissions_principal action="SSM:Client:GetMaintenanceWindowResult" %}} diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_ssm_maintenance_window_target.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_ssm_maintenance_window_target.md new file mode 100644 index 0000000..d46aade --- /dev/null +++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_ssm_maintenance_window_target.md 
@@ -0,0 +1,128 @@ ++++ +title = "aws_ssm_maintenance_window_target resource" + +draft = false + + +[menu.aws] +title = "aws_ssm_maintenance_window_target" +identifier = "inspec/resources/aws/aws_ssm_maintenance_window_target resource" +parent = "inspec/resources/aws" ++++ + +Use the `aws_ssm_maintenance_window_target` Chef InSpec audit resource to test properties of a single AWS Systems Manager (SSM) maintenance window target. + +For additional information, including details on parameters and properties, see the [AWS documentation on AWS SSM MaintenanceWindowTarget](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ssm-maintenancewindowtarget.html). + +## Syntax + +Ensure that the maintenance window target exists. + +```ruby +describe aws_ssm_maintenance_window_target(window_id: 'WINDOW_ID', window_target_id: 'WINDOW_TARGET_ID') do + it { should exist } +end +``` + +## Parameters + +`window_id` _(required)_ + +: The ID of the maintenance window to register the target with. + +`window_task_id` _(required)_ + +: The ID of the target. + +## Properties + +`window_id` +: The ID of the maintenance window to register the target with. + +`window_target_id` +: The ID of the target. + +`resource_type` +: The type of target that is being registered with the maintenance window. + +`targets` +: The targets, either instances or tags. + +`target_keys` +: User-defined criteria for sending commands that target instances that meet the criteria. + +`target_values` +: User-defined criteria that maps to Key. + +`owner_information` +: A user-provided value that will be included in any Amazon CloudWatch Events events that are raised while running tasks for these targets in this maintenance window. + +`name` +: The name for the maintenance window target. + +`description` +: A description for the target. 
+ +## Examples + +Verify the description of a maintenance window target: + +```ruby +describe aws_ssm_maintenance_window_target(window_id: 'WINDOW_ID', window_target_id: 'WINDOW_TARGET_ID') do + its('description') { should eq 'MAINTENANCE_TARGET_DESCRIPTION' } +end +``` + +Ensure a maintenance window target id is available: + +```ruby +describe aws_ssm_maintenance_window_target(window_id: 'WINDOW_ID', window_target_id: 'WINDOW_TARGET_ID') do + its('window_target_id') { should eq 'WINDOW_TARGET_ID' } +end +``` + +Verify a maintenance resource type is `INSTANCE`: + +```ruby +describe aws_ssm_maintenance_window_target(window_id: 'WINDOW_ID', window_target_id: 'WINDOW_TARGET_ID') do + its('resource_type') { should eq 'INSTANCE' } +end +``` + +## Matchers + +{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}} + +The controls will pass if the `describe` method returns at least one result. + +### exist + +Use `should` to test that the entity exists. + +```ruby +describe aws_ssm_maintenance_window_target(window_id: 'WINDOW_ID', window_target_id: 'WINDOW_TARGET_ID') do + it { should exist } +end +``` + +Use `should_not` to test the entity does not exist. + +```ruby +describe aws_ssm_maintenance_window_target(window_id: 'WINDOW_ID', window_target_id: 'WINDOW_TARGET_ID') do + it { should_not exist } +end +``` + +### be_available + +Use `should` to check if the entity is available. + +```ruby +describe aws_ssm_maintenance_window_target(window_id: 'WINDOW_ID', window_target_id: 'WINDOW_TARGET_ID') do + it { should be_available } +end +``` + +## AWS Permissions + +{{% inspec-aws/aws_permissions_principal action="SSM:Client:DescribeMaintenanceWindowTargetsResult" %}} diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_ssm_maintenance_window_targets.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_ssm_maintenance_window_targets.md new file mode 100644 index 0000000..ad3ce82 --- /dev/null 
+++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_ssm_maintenance_window_targets.md 
@@ -0,0 +1,132 @@ ++++ +title = "aws_ssm_maintenance_window_targets resource" + +draft = false + + +[menu.aws] +title = "aws_ssm_maintenance_window_targets" +identifier = "inspec/resources/aws/aws_ssm_maintenance_window_targets resource" +parent = "inspec/resources/aws" ++++ + +Use the `aws_ssm_maintenance_window_targets` InSpec audit resource to test properties of multiple AWS Systems Manager (SSM) maintenance window targets. + +For additional information, including details on parameters and properties, see the [AWS documentation on AWS SSM MaintenanceWindowTarget](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ssm-maintenancewindowtarget.html). + +## Syntax + +Ensure that a maintenance window target exists. + +```ruby +describe aws_ssm_maintenance_window_targets(window_id: 'WINDOW_ID') do + it { should exist } +end +``` + +## Parameters + +`window_id` _(required)_ + +: The ID of the maintenance window to register the target with. + +## Properties + +`window_ids` +: The ID of the maintenance window to register the target with. + +: **Field**: `window_id` + +`window_target_ids` +: The ID of the target. + +: **Field**: `window_target_id` + +`resource_types` +: The type of target that is being registered with the maintenance window. + +: **Field**: `resource_type` + +`targets` +: The targets, either instances or tags. + +: **Field**: `targets` + +`owner_informations` +: A user-provided value that will be included in any Amazon CloudWatch Events events that are raised while running tasks for these targets in this maintenance window. + +: **Field**: `owner_information` + +`names` +: The name for the maintenance window target. + +: **Field**: `name` + +`descriptions` +: A description for the target. 
+ +: **Field**: `description` + +## Examples + +Verify that the maintenance window target description exists: + +```ruby +describe aws_ssm_maintenance_window_targets(window_id: 'WINDOW_ID') do + its('descriptions') { should include 'MAINTENANCE_TARGET_DESCRIPTION' } +end +``` + +Ensure a maintenance window target ID is available: + +```ruby +describe aws_ssm_maintenance_window_targets(window_id: 'WINDOW_ID') do + its('window_target_ids') { should include 'WINDOW_TARGET_ID' } +end +``` + +Verify a maintenance resource type is `INSTANCE`: + +```ruby +describe aws_ssm_maintenance_window_targets(window_id: 'WINDOW_ID') do + its('resource_types') { should include 'INSTANCE' } +end +``` + +## Matchers + +{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}} + +The controls will pass if the `describe` method returns at least one result. + +### exist + +Use `should` to test that the entity exists. + +```ruby +describe aws_ssm_maintenance_window_targets(window_id: 'WINDOW_ID') do + it { should exist } +end +``` + +Use `should_not` to test the entity does not exist. + +```ruby +describe aws_ssm_maintenance_window_targets(window_id: 'WINDOW_ID') do + it { should_not exist } +end +``` + +### be_available + +Use `should` to check if the entity is available. + +```ruby +describe aws_ssm_maintenance_window_targets(window_id: 'WINDOW_ID') do + it { should be_available } +end +``` + +## AWS Permissions + +{{% inspec-aws/aws_permissions_principal action="SSM:Client:DescribeMaintenanceWindowTargetsResult" %}} diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_ssm_maintenance_window_task.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_ssm_maintenance_window_task.md new file mode 100644 index 0000000..a597ffa --- /dev/null +++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_ssm_maintenance_window_task.md 
@@ -0,0 +1,155 @@ ++++ +title = "aws_ssm_maintenance_window_task resource" + +draft = false + + +[menu.aws] +title = "aws_ssm_maintenance_window_task" +identifier = "inspec/resources/aws/aws_ssm_maintenance_window_task resource" +parent = "inspec/resources/aws" ++++ + +Use the `aws_ssm_maintenance_window_task` InSpec audit resource to test properties of a single AWS Systems Manager (SSM) maintenance window task. + +The `AWS::SSM::MaintenanceWindowTask` resource defines information about a task for an AWS Systems Manager maintenance window. + +For additional information, including details on parameters and properties, see the [AWS documentation on AWS SSM MaintenanceWindowTask](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ssm-maintenancewindowtask.html). + +## Syntax + +Ensure that the maintenance window task exists. + +```ruby +aws_ssm_maintenance_window_task(window_id: 'WINDOW_ID', window_task_id: 'WINDOW_TASK_ID') + it { should exist } +end +``` + +## Parameters + +`window_id` _(required)_ + +: The ID of the maintenance window where the task is registered. + +`window_task_id` _(required)_ + +: The task ID. + +## Properties + +`window_id` +: The ID of the maintenance window where the task is registered. + +`window_task_id` +: The task ID. + +`task_arn` +: The resource that the task uses during execution. + +`type` +: The type of task. + +`targets` +: The targets (either instances or tags). + +`target_keys` +: User-defined criteria for sending commands that target instances that meet the criteria. + +`target_values` +: User-defined criteria that maps to Key. + +`task_parameters` +: The parameters that should be passed to the task when it is run. + +`priority` +: The priority of the task in the maintenance window. + +`logging_info.s3_bucket_name` +: The name of an S3 bucket where execution logs are stored. + +`logging_info.s3_key_prefix` +: The S3 bucket subfolder. 
+ +`logging_info.s3_region` +: The Amazon Web Services Region where the S3 bucket is located. + +`service_role_arn` +: The Amazon Resource Name (ARN) of the Identity and Access Management (IAM) service role to use to publish Amazon Simple Notification Service (Amazon SNS) notifications for maintenance window Run Command tasks. + +`max_concurrency` +: The maximum number of targets this task can be run for, in parallel. + +`max_errors` +: The maximum number of errors allowed before this task stops being scheduled. + +`name` +: The task name. + +`description` +: A description of the task. + +`cutoff_behavior` +: The specification for whether tasks should continue to run after the cutoff time specified in the maintenance windows is reached. + +## Examples + +Ensure a window task ID is available: + +```ruby +aws_ssm_maintenance_window_task(window_id: 'WINDOW_ID', window_task_id: 'WINDOW_TASK_ID') + its('window_task_id') { should eq 'WINDOW_TASK_ID' } +end +``` + +Verify the priority of the maintenance window: + +```ruby +aws_ssm_maintenance_window_task(window_id: 'WINDOW_ID', window_task_id: 'WINDOW_TASK_ID') + its('priority') { should eq 1 } +end +``` + +Verify the type of the maintenance window: + +```ruby +aws_ssm_maintenance_window_task(window_id: 'WINDOW_ID', window_task_id: 'WINDOW_TASK_ID') + its('type') { should eq 'AUTOMATION' } +end +``` + +Verify the name of the maintenance window: + +```ruby +aws_ssm_maintenance_window_task(window_id: 'WINDOW_ID', window_task_id: 'WINDOW_TASK_ID') + its('name') { should eq 'WINDOW_TASK_NAME' } +end +``` + +## Matchers + +{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}} + +The controls will pass if the `describe` method returns at least one result. + +### exist + +Use `should` to test that the entity exists. + +```ruby +aws_ssm_maintenance_window_task(window_id: 'WINDOW_ID', window_task_id: 'WINDOW_TASK_ID') + it { should exist } +end +``` + +Use `should_not` to test the entity does not exist. 
+ +```ruby +aws_ssm_maintenance_window_task(window_id: 'WINDOW_ID', window_task_id: 'WINDOW_TASK_ID') + it { should_not exist } +end +``` + +## AWS Permissions + +{{% inspec-aws/aws_permissions_principal action="SSM:Client:DescribeMaintenanceWindowTasksResult" %}} diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_ssm_maintenance_window_tasks.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_ssm_maintenance_window_tasks.md new file mode 100644 index 0000000..efc09dc --- /dev/null +++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_ssm_maintenance_window_tasks.md 
@@ -0,0 +1,167 @@ ++++ +title = "aws_ssm_maintenance_window_tasks resource" + +draft = false + + +[menu.aws] +title = "aws_ssm_maintenance_window_tasks" +identifier = "inspec/resources/aws/aws_ssm_maintenance_window_tasks resource" +parent = "inspec/resources/aws" ++++ + +Use the `aws_ssm_maintenance_window_tasks` InSpec audit resource to test properties of multiple AWS Systems Manager (SSM) maintenance window tasks. + +The `AWS::SSM::MaintenanceWindowTask` resource defines information about a task for an AWS Systems Manager maintenance window. + +For additional information, including details on parameters and properties, see the [AWS documentation on AWS SSM MaintenanceWindowTask](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ssm-maintenancewindowtask.html). + +## Syntax + +Ensure that the maintenance window task exists. + +```ruby +aws_ssm_maintenance_window_tasks(window_id: 'WINDOW_ID') + it { should exist } +end +``` + +## Parameters + +`window_id` _(required)_ + +: The ID of the maintenance window where the task is registered. + +## Properties + +`window_ids` +: The ID of the maintenance window where the task is registered. + +: **Field**: `window_id` + +`window_task_ids` +: The task ID. + +: **Field**: `window_task_id` + +`task_arns` +: The resource that the task uses during execution. + +: **Field**: `task_arn` + +`types` +: The type of task. + +: **Field**: `type` + +`targets` +: The targets (either instances or tags). + +: **Field**: `targets` + +`task_parameters` +: The parameters that should be passed to the task when it is run. + +: **Field**: `task_parameters` + +`priorities` +: The priority of the task in the maintenance window. + +: **Field**: `priority` + +`logging_infos` +: The logging information. 
+ +: **Field**: `logging_info` + +`service_role_arns` +: The Amazon Resource Name (ARN) of the Identity and Access Management (IAM) service role to use to publish Amazon Simple Notification Service (Amazon SNS) notifications for maintenance window Run Command tasks. + +: **Field**: `service_role_arn` + +`max_concurrencies` +: The maximum number of targets this task can be run for, in parallel. + +: **Field**: `max_concurrency` + +`max_errors` +: The maximum number of errors allowed before this task stops being scheduled. + +: **Field**: `max_errors` + +`names` +: The task name. + +: **Field**: `name` + +`descriptions` +: A description of the task. + +: **Field**: `description` + +`cutoff_behaviors` +: The specification for whether tasks should continue to run after the cutoff time specified in the maintenance windows is reached. + +: **Field**: `cutoff_behavior` + +## Examples + +Ensure a window task ID is available: + +```ruby +aws_ssm_maintenance_window_tasks(window_id: 'WINDOW_ID') + its('window_task_ids') { should include 'WINDOW_TASK_ID' } +end +``` + +Verify the priority of the maintenance window: + +```ruby +aws_ssm_maintenance_window_tasks(window_id: 'WINDOW_ID') + its('priorities') { should include 1 } +end +``` + +Verify the type of the maintenance window: + +```ruby +aws_ssm_maintenance_window_tasks(window_id: 'WINDOW_ID') + its('types') { should include 'AUTOMATION' } +end +``` + +Verify the name of the maintenance window: + +```ruby +aws_ssm_maintenance_window_tasks(window_id: 'WINDOW_ID') + its('names') { should include 'WINDOW_TASK_NAME' } +end +``` + +## Matchers + +{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}} + +The controls will pass if the `describe` method returns at least one result. + +### exist + +Use `should` to test that the entity exists. + +```ruby +aws_ssm_maintenance_window_tasks(window_id: 'WINDOW_ID') + it { should exist } +end +``` + +Use `should_not` to test the entity does not exist. 
+ +```ruby +aws_ssm_maintenance_window_tasks(window_id: 'WINDOW_ID') + it { should_not exist } +end +``` + +## AWS Permissions + +{{% inspec-aws/aws_permissions_principal action="SSM:Client:DescribeMaintenanceWindowTasksResult" %}} diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_ssm_maintenance_windows.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_ssm_maintenance_windows.md new file mode 100644 index 0000000..b3532d8 --- /dev/null +++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_ssm_maintenance_windows.md 
@@ -0,0 +1,147 @@ ++++ +title = "aws_ssm_maintenance_windows resource" + +draft = false + + +[menu.aws] +title = "aws_ssm_maintenance_windows" +identifier = "inspec/resources/aws/aws_ssm_maintenance_windows resource" +parent = "inspec/resources/aws" ++++ + +Use the `aws_ssm_maintenance_windows` InSpec audit resource to test properties of multiple AWS Systems Manager (SSM) maintenance windows. + +The `AWS::SSM::MaintenanceWindow` resource represents general information about a maintenance window for AWS Systems Manager. + +For additional information, including details on parameters and properties, see the [AWS documentation on the `AWS::SSM::MaintenanceWindow` resource type](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ssm-maintenancewindow.html). + +## Syntax + +Ensure that a maintenance window exists. + +```ruby +describe aws_ssm_maintenance_windows do + it { should exist } +end +``` + +## Parameters + +This resource does not require any parameters. + +## Properties + +`window_ids` +: The ID of the maintenance window. + +: **Field**: `window_id` + +`names` +: The name of the maintenance window. + +: **Field**: `name` + +`descriptions` +: A description of the maintenance window. + +: **Field**: `description` + +`enabled` +: Indicates whether the maintenance window is enabled. + +: **Field**: `enabled` + +`durations` +: The duration of the maintenance window in hours. + +: **Field**: `duration` + +`cutoffs` +: The number of hours before the end of the maintenance window that Amazon Web Services Systems Manager stops scheduling new tasks for execution. + +: **Field**: `cutoff` + +`schedules` +: The schedule of the maintenance window in the form of a cron or rate expression. + +: **Field**: `schedule` + +`schedule_timezones` +: The time zone that the scheduled maintenance window executions are based on, in Internet Assigned Numbers Authority (IANA) format. 
+ +: **Field**: `schedule_timezone` + +`schedule_offsets` +: The number of days to wait to run a maintenance window after the scheduled cron expression date and time. + +: **Field**: `schedule_offset` + +`end_dates` +: The date and time, in ISO-8601 Extended format, for when the maintenance window is scheduled to become inactive. + +: **Field**: `end_date` + +`start_dates` +: The date and time, in ISO-8601 Extended format, for when the maintenance window is scheduled to become active. + +: **Field**: `start_date` + +`next_execution_times` +: The next time the maintenance window will actually run, taking into account any specified times for the maintenance window to become active or inactive. + +: **Field**: `next_execution_time` + +## Examples + +Ensure a maintenance window ID is available: + +```ruby +describe aws_ssm_maintenance_windows do + its('window_ids') { should include 'MAINTENANCE_WINDOW_ID' } +end +``` + +Ensure a maintenance window name is available: + +```ruby +describe aws_ssm_maintenance_windows do + its('names') { should include 'MAINTENANCE_WINDOW_NAME' } +end +``` + +Verify a maintenance window is enabled: + +```ruby +describe aws_ssm_maintenance_windows do + its('enabled') { should include true } +end +``` + +## Matchers + +{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}} + +The controls will pass if the `describe` method returns at least one result. + +### exist + +Use `should` to test that the entity exists. + +```ruby +describe aws_ssm_maintenance_windows do + it { should exist } +end +``` + +Use `should_not` to test the entity does not exist. + +```ruby +describe aws_ssm_maintenance_windows do + it { should_not exist } +end +``` + +## AWS Permissions + +{{% inspec-aws/aws_permissions_principal action="SSM:Client:DescribeMaintenanceWindowsResult" %}} 
diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_ssm_parameter.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_ssm_parameter.md new file mode 100644 index 0000000..366aa47 --- /dev/null +++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_ssm_parameter.md 
@@ -0,0 +1,107 @@ ++++ +title = "aws_ssm_parameter resource" + +draft = false + + +[menu.aws] +title = "aws_ssm_parameter" +identifier = "inspec/resources/aws/aws_ssm_parameter resource" +parent = "inspec/resources/aws" ++++ + +Use the `aws_ssm_parameter` InSpec audit resource to test properties of a ssm parameter. + +For additional information, including details on parameters and properties, see the [AWS documentation on SSM Parameters](https://docs.aws.amazon.com/systems-manager/latest/userguide/integration-ps-secretsmanager.html). + +## Syntax + + An `aws_ssm_parameter` resource block uses the parameter to select a ssm parameter. + +```ruby +describe aws_ssm_parameter(name: 'ssm-parameter-name-1234') do + it { should exist } +end +``` + +## Parameters + +`name` _(required)_ + +: This resource accepts a single parameter, the SSM Parameter Name. + This can be passed either as a string or as a `aws_ssm_parameter: 'value'` key-value entry in a hash. + +`with_decryption` _(optional)_ + +: This decrypts the value associated with the ssm parameter. This must be passed as a string `with_decryption: "true"`. + +## Properties + +`arn` +: Provides the Amazon Resource Name (ARN) of the parameter. + +`data_type` +: Provides the data type of the parameter. + +`last_modified_date` +: Provides the date the parameter was last changed or updated and the parameter version was created. + +`name` +: Provides the name of the parameter. + +`selector` +: Provides the version number or label used to retrieve the parameter value. + +`source_result` +: Applies to parameters that reference information in other AWS services. + +`type` +: Provides the type of the parameter. + +`value` +: Provides the value of the parameter. + +`version` +: Provides the version of the parameter. 
+ +For a comprehensive list of properties available, see [the API reference documentation](https://docs.aws.amazon.com/systems-manager/latest/APIReference/API_Parameter.html) + +## Examples + +Check the Name of a SSM Parameter: + +```ruby +describe aws_ssm_parameter(name: 'ssm_parameter-name-1234') do + its('name') { should eq 'ssm_parameter-name-1234' } +end +``` + +## Matchers + +{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}} + +This resource has the following special matchers. + +### exist + +The control will pass if the describe returns at least one result. + +Use `should_not` to test the entity should not exist. + +```ruby +describe aws_ssm_parameter(name: 'ssm_parameter-name-1234') do + it { should exist } +end +``` + +```ruby +describe aws_ssm_parameter(name: 'ssm_parameter-name-6789') do + it { should_not exist } +end +``` + +## AWS Permissions + +{{% inspec-aws/aws_permissions_principal action="SSM:Client:GetParameterResult" %}} + +You can find detailed documentation at [Actions, Resources, and Condition Keys for Amazon Systems Manager](https://docs.aws.amazon.com/IAM/latest/UserGuide/list_awssystemsmanager.html). diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_ssm_parameters.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_ssm_parameters.md new file mode 100644 index 0000000..8aa931f --- /dev/null +++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_ssm_parameters.md 
@@ -0,0 +1,95 @@ ++++ +title = "aws_ssm_parameters resource" + +draft = false + + +[menu.aws] +title = "aws_ssm_parameters" +identifier = "inspec/resources/aws/aws_ssm_parameters resource" +parent = "inspec/resources/aws" ++++ + +Use the `aws_ssm_parameters` InSpec audit resource to test properties of a collection of AWS SSM parameters. + +## Syntax + + Ensure you have exactly 3 SSM Parameters + +```ruby +describe aws_ssm_parameters do + its('names.count') { should cmp 3 } +end +``` + +## Parameters + +This resource does not require any parameters. + +## Properties + +`names` +: Provides the name of the parameter. + +`types` +: Provides the type of the parameter. + +`key_ids` +: Provides the key id of the parameter. + +`last_modified_dates` +: Provides the date the parameter was last changed or updated and the parameter version was created. + +`last_modified_users` +: Provides the user that last changed or updated the parameter. + +`descriptions` +: Provides the description of the parameter. + +`versions` +: Provides the version of the parameter. + +`tiers` +: Provides the tier of the parameter. + +For a comprehensive list of properties available, see [the API reference documentation](https://docs.aws.amazon.com/systems-manager/latest/APIReference/API_Parameter.html) + +## Examples + +Ensure Name of a SSM Parameter exists: + +```ruby +describe aws_ssm_parameters do + its('names') { should include 'ssm-parameter-name' } +end +``` + +## Matchers + +{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}} + +This resource has the following special matchers. + +### exist + +The control will pass if the describe returns at least one result. + +Use `should_not` to test the entity should not exist. 
+ +```ruby +describe aws_ssm_parameters.where( : ) do + it { should exist } +end +``` + +```ruby +describe aws_ssm_parameters.where( : ) do + it { should_not exist } +end +``` + +## AWS Permissions + +{{% inspec-aws/aws_permissions_principal action="SSM:Client:DescribeParametersResult" %}} + +You can find detailed documentation at [Actions, Resources, and Condition Keys for Amazon Systems Manager](https://docs.aws.amazon.com/IAM/latest/UserGuide/list_awssystemsmanager.html). diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_ssm_patch_baseline.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_ssm_patch_baseline.md new file mode 100644 index 0000000..a8cbb91 --- /dev/null +++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_ssm_patch_baseline.md 
@@ -0,0 +1,242 @@ ++++ +title = "aws_ssm_patch_baseline resource" + +draft = false + + +[menu.aws] +title = "aws_ssm_patch_baseline" +identifier = "inspec/resources/aws/aws_ssm_patch_baseline resource" +parent = "inspec/resources/aws" ++++ + +Use the `aws_ssm_patch_baseline` InSpec audit resource to test properties of a single AWS Systems Manager (SSM) patch baseline. + +The `AWS::SSM::PatchBaseline` resource defines the basic information for an AWS Systems Manager patch baseline. A patch baseline defines which patches are approved for installation on your instances. + +For additional information, including details on parameters and properties, see the [AWS documentation on AWS SSM patch baseline](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ssm-patchbaseline.html). + +## Syntax + +Ensure that the baseline exists: + +```ruby +describe aws_ssm_patch_baseline(baseline_id: 'BASELINE_ID') do + it { should exist } +end +``` + +## Parameters + +`baseline_id` _(required)_ + +: The ID of the patch baseline. + +## Properties + +`baseline_id` +: The ID of the patch baseline. + +: **Field**: `baseline_id` + +`name` +: The name of the patch baseline. + +: **Field**: `name` + +`operating_system` +: Returns the operating system specified for the patch baseline. + +: **Field**: `operating_system` + +`patch_filters` +: The set of patch filters that make up the group. + +: **Field**: `patch_filters` + +`patch_filter_keys` +: The key for the filter. + +: **Field**: `patch_filters.key` + +`patch_filter_values` +: The value for the filter key. + +: **Field**: `patch_filters.values` + +`approval_rules.patch_rules` +: The rules that make up the rule group. + +: **Field**: `patch_rules` + +`patch_filters` +: The set of patch filters that make up the group. + +: **Field**: `patch_filter_group.patch_filters` + +`patch_filter_group_keys` +: The key for the filter. 
+ +: **Field**: `patch_filter_group.patch_filters.key` + +`patch_filter_group_values` +: The value for the filter key. + +: **Field**: `patch_filter_group.patch_filters.values` + +`compliance_levels` +: A compliance severity level for all approved patches in a patch baseline. + +: **Field**: `compliance_level` + +`approve_after_days` +: The number of days after the release date of each patch matched by the rule that the patch is marked as approved in the patch baseline. + +: **Field**: `approve_after_days` + +`approve_until_date` +: The cutoff date for auto approval of released patches. + +: **Field**: `approve_until_date` + +`enable_non_security` +: For instances identified by the approval rule filters, enables a patch baseline to apply non-security updates available in the specified repository. + +: **Field**: `enable_non_security` + +`approved_patches` +: A list of explicitly approved patches for the baseline. + +: **Field**: `approved_patches` + +`approved_patches_compliance_level` +: Returns the specified compliance severity level for approved patches in the patch baseline. + +: **Field**: `approved_patches_compliance_level` + +`approved_patches_enable_non_securities` +: Indicates whether the list of approved patches includes non-security updates that should be applied to the instances. + +: **Field**: `approved_patches_enable_non_security` + +`rejected_patches` +: A list of explicitly rejected patches for the baseline. + +: **Field**: `rejected_patches` + +`rejected_patches_action` +: The action specified to take on patches included in the RejectedPatches list. + +: **Field**: `rejected_patches_action` + +`patch_groups` +: Patch groups included in the patch baseline. + +: **Field**: `patch_groups` + +`created_date` +: The date the patch baseline was created. + +: **Field**: `created_date` + +`modified_date` +: The date the patch baseline was last modified. + +: **Field**: `modified_date` + +`descriptions` +: A description of the patch baseline. 
+ +: **Field**: `description` + +`sources` +: Information about the patches to use to update the instances, including target operating systems and source repositories. + +: **Field**: `sources` + +`source_names` +: The name specified to identify the patch source. + +: **Field**: `sources.name` + +`source_products` +: The specific operating system versions a patch repository applies to, such as "Ubuntu16.04", "AmazonLinux2016.09", "RedhatEnterpriseLinux7.2" or "Suse12.7". + +: **Field**: `sources.products` + +`source_configurations` +: The value of the yum repo configuration. + +: **Field**: `sources.configuration` + +## Examples + +Ensure a baseline ID is available: + +```ruby +describe aws_ssm_patch_baseline(baseline_id: 'BASELINE_ID') do + its('baseline_id') { should eq 'BASELINE_ID' } +end +``` + +Ensure an operating system is `WINDOWS`: + +```ruby +describe aws_ssm_patch_baseline(baseline_id: 'BASELINE_ID') do + its('operating_system') { should eq 'WINDOWS' } +end +``` + +Ensure a source name is empty: + +```ruby +describe aws_ssm_patch_baseline(baseline_id: 'BASELINE_ID') do + its('source_names') { should be_empty } +end +``` + +Ensure an approved patches compliance level is `UNSPECIFIED`: + +```ruby +describe aws_ssm_patch_baseline(baseline_id: 'BASELINE_ID') do + its('approved_patches_compliance_level') { should eq 'UNSPECIFIED' } +end +``` + +## Matchers + +{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}} + +This resource has the following special matchers. + +### exist + +Use `should` to test that the entity exists. + +```ruby +describe aws_ssm_patch_baseline(baseline_id: 'BASELINE_ID') do + it { should exist } +end +``` + +Use `should_not` to test the entity does not exist. + +```ruby +describe aws_ssm_patch_baseline(baseline_id: 'BASELINE_ID') do + it { should_not exist } +end +``` + +### be_available + +Use `should` to check if the entity is available. 
+ +```ruby +describe aws_ssm_patch_baseline(baseline_id: 'BASELINE_ID') do + it { should be_available } +end +``` + +## AWS Permissions + +{{% inspec-aws/aws_permissions_principal action="SSM:Client:GetPatchBaselineResult" %}} diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_ssm_patch_baselines.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_ssm_patch_baselines.md new file mode 100644 index 0000000..5c3f9cd --- /dev/null +++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_ssm_patch_baselines.md 
@@ -0,0 +1,130 @@
++++
+title = "aws_ssm_patch_baselines resource"
+
+draft = false
+
+
+[menu.aws]
+title = "aws_ssm_patch_baseline"
+identifier = "inspec/resources/aws/aws_ssm_patch_baselines resource"
+parent = "inspec/resources/aws"
++++
+
+Use the `aws_ssm_patch_baseline` InSpec audit resource to test properties of multiple AWS Systems Manager (SSM) patch baselines.
+
+The `AWS::SSM::PatchBaseline` resource defines the basic information for an AWS Systems Manager patch baseline. A patch baseline defines which patches are approved for installation on your instances.
+
+For additional information, including details on parameters and properties, see the [AWS documentation on AWS SSM patch baseline](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ssm-patchbaseline.html).
+
+## Syntax
+
+Ensure that a baseline exists:
+
+```ruby
+describe aws_ssm_patch_baselines do
+ it { should exist }
+end
+```
+
+## Parameters
+
+This resource does not expect any required parameters.
+
+## Properties
+
+`baseline_ids`
+: The ID of the patch baseline.
+
+: **Field**: `baseline_id`
+
+`names`
+: The name of the patch baseline.
+
+: **Field**: `name`
+
+`operating_systems`
+: Returns the operating system specified for the patch baseline.
+
+: **Field**: `operating_system`
+
+`baseline_descriptions`
+: A description of the patch baseline.
+
+: **Field**: `baseline_description`
+
+`default_baselines`
+: Whether this is the default baseline.
+ +: **Field**: `default_baseline` + +## Examples + +Ensure a baseline ID is available: + +```ruby +describe aws_ssm_patch_baselines do + its('baseline_ids') { should include 'BASELINE_ID' } +end +``` + +Ensure a baseline name is present: + +```ruby +describe aws_ssm_patch_baselines do + its('baseline_names') { should include 'BASELINE_NAME' } +end +``` + +Ensure a patch baseline has the `WINDOWS` operating system: + +```ruby +describe aws_ssm_patch_baselines do + its('operating_systems') { should include 'WINDOWS' } +end +``` + +Ensure a baseline description is present: + +```ruby +describe aws_ssm_patch_baselines do + its('baseline_descriptions') { should include 'BASELINE_DESCRIPTION' } +end +``` + +## Matchers + +{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}} + +The controls will pass if the `describe` method returns at least one result. + +### exist + +Use `should` to test that the entity exists. + +```ruby +describe aws_ssm_patch_baselines do + it { should exist } +end +``` + +Use `should_not` to test the entity does not exist. + +```ruby +describe aws_ssm_patch_baselines do + it { should_not exist } +end +``` + +### be_available + +Use `should` to check if the entity is available. + +```ruby +describe aws_ssm_patch_baselines do + it { should be_available } +end +``` + +## AWS Permissions + +{{% inspec-aws/aws_permissions_principal action="SSM:Client:DescribePatchBaselinesResult" %}} diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_ssm_resource_compliance_summaries.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_ssm_resource_compliance_summaries.md new file mode 100644 index 0000000..0a0813b --- /dev/null +++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_ssm_resource_compliance_summaries.md 
@@ -0,0 +1,103 @@ ++++ +title = "aws_ssm_resource_compliance_summaries resource" + +draft = false + + +[menu.aws] +title = "aws_ssm_resource_compliance_summaries" +identifier = "inspec/resources/aws/aws_ssm_resource_compliance_summaries resource" +parent = "inspec/resources/aws" ++++ + +Use the `aws_ssm_resource_compliance_summaries` InSpec audit resource to test properties of a collection of AWS SSM compliance summaries. + +## Syntax + + Ensure you have exactly 3 SSM Resource Compliance Summary Types + +```ruby +describe aws_ssm_resource_compliance_summaries do + its('compliance_types.count') { should cmp 3 } +end +``` + +## Parameters + +`compliance_type` _(optional)_ + +: This optional parameter allows you to filter based on compliance type. This must be passed as a string `compliance_type: 'value'`. + +`overall_severity` _(optional)_ + +: This optional parameter allows you to filter based on overall severity. This must be passed as a string `overall_severity: 'value'`. + +See the [AWS documentation on SSM](https://docs.aws.amazon.com/systems-manager/?id=docs_gateway). + +## Properties + +`compliance_types` +: Provides the compliance type. + +`compliant_summaries` +: Provides a list of items that are compliant for the resource. + +`execution_summaries` +: Provides information about the execution. + +`non_compliant_summaries` +: Provides a list of items that aren't compliant for the resource. + +`overall_severity` +: Provides the highest severity item found for the resource. + +`resource_ids` +: Provides the resource id. + +`resource_types` +: Provides the resource type. + +`status` +: Provides the compliance status for the resource. 
+ +For a comprehensive list of properties available, see [the API reference documentation](https://docs.aws.amazon.com/systems-manager/latest/APIReference/API_ResourceComplianceSummaryItem.html) + +## Examples + +Ensure Compliance Type of a SSM Resource Compliance Summary exists: + +```ruby +describe aws_ssm_resource_compliance_summaries do + its('compliance_types') { should include 'ssm-compliance-type' } +end +``` + +## Matchers + +{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}} + +This resource has the following special matchers. + +### exist + +The control will pass if the describe returns at least one result. + +Use `should_not` to test the entity should not exist. + +```ruby +describe aws_ssm_resource_compliance_summaries.where( : ) do + it { should exist } +end +``` + +```ruby +describe aws_ssm_resource_compliance_summaries.where( : ) do + it { should_not exist } +end +``` + +## AWS Permissions + +{{% inspec-aws/aws_permissions_principal action="SSM:Client:ListResourceComplianceSummariesResult" %}} + +You can find detailed documentation at [Actions, Resources, and Condition Keys for Amazon Systems Manager](https://docs.aws.amazon.com/IAM/latest/UserGuide/list_awssystemsmanager.html). diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_ssm_resource_compliance_summary.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_ssm_resource_compliance_summary.md new file mode 100644 index 0000000..852ec98 --- /dev/null +++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_ssm_resource_compliance_summary.md 
@@ -0,0 +1,124 @@ ++++ +title = "aws_ssm_resource_compliance_summary resource" + +draft = false + + +[menu.aws] +title = "aws_ssm_resource_compliance_summary" +identifier = "inspec/resources/aws/aws_ssm_resource_compliance_summary resource" +parent = "inspec/resources/aws" ++++ + +Use the `aws_ssm_resource_compliance_summary` InSpec audit resource to test properties of a ssm resource compliance summary. + +## Syntax + + An `aws_ssm_resource_compliance_summary` resource block uses the parameter to select a ssm resource compliance summary. + +```ruby +describe aws_ssm_resource_compliance_summary(resource_id: 'resource-id-1234') do + it { should exist } +end +``` + +## Parameters + +`resource_id` _(required)_ + +: This resource requires the SSM Resource ID parameter. + This can be passed either as a string or as a `resource_id: 'value'` key-value entry in a hash. + +`compliance_type` _(optional)_ + +: This optional parameter allows you to filter based on resource_id and compliance type together. This must be passed as a string `compliance_type: 'value'`. + +`overall_severity` _(optional)_ + +: This optional parameter allows you to filter based on resource_id and overall severity together. This must be passed as a string `overall_severity: 'value'`. + +`status` _(optional)_ + +: This optional parameter allows you to filter based on resource_id and status together. This must be passed as a string `status: 'value'`. + +See the [AWS documentation on SSM Resource Compliance Summary](https://docs.aws.amazon.com/systems-manager/latest/userguide/sysman-compliance-about.html#compliance-view-results). + +## Properties + +`compliance_type` +: Provides the compliance type. + +`compliant_summary` +: Provides a list of items that are compliant for the resource. + +`execution_summary` +: Provides information about the execution. + +`non_compliant_summary` +: Provides a list of items that aren't compliant for the resource. 
+ +`overall_severity` +: Provides the highest severity item found for the resource. + +`resource_id` +: Provides the resource id. + +`resource_type` +: Provides the resource type. + +`status` +: Provides the compliance status for the resource. + +For a comprehensive list of properties available, see [the API reference documentation](https://docs.aws.amazon.com/systems-manager/latest/APIReference/API_ResourceComplianceSummaryItem.html) + +## Examples + +Check the Status of a SSM Resource Compliance Summary: + +```ruby +describe aws_ssm_resource_compliance_summary(resource_id: 'resource-id-1234', status: 'status-1234') do + it { should exist } + its('resource_id') { should include resource_id } + its('status') { should include 'status-1234' } +end +``` + +Return specific Compliance type for a SSM Resource Compliance Summary: + +```ruby +describe aws_ssm_resource_compliance_summary(resource_id: 'resource-id-1234', compliance_type: 'compliance-type-1234') do + it { should exist } + its('resource_id') { should include resource_id } + its('compliance_type') { should include 'compliance-type-1234' } +end +``` + +## Matchers + +{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}} + +This resource has the following special matchers. + +### exist + +The control will pass if the describe returns at least one result. + +Use `should_not` to test the entity should not exist. + +```ruby +describe aws_ssm_resource_compliance_summary(resource_id: 'resource-id-1234') do + it { should exist } +end +``` + +```ruby +describe aws_ssm_resource_compliance_summary(resource_id: 'resource-id-6789') do + it { should_not exist } +end +``` + +## AWS Permissions + +{{% inspec-aws/aws_permissions_principal action="SSM:Client:ListResourceComplianceSummariesResult" %}} + +You can find detailed documentation at [Actions, Resources, and Condition Keys for Amazon Systems Manager](https://docs.aws.amazon.com/IAM/latest/UserGuide/list_awssystemsmanager.html). 
diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_ssm_resource_data_syncs.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_ssm_resource_data_syncs.md
new file mode 100644
index 0000000..325dc91
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_ssm_resource_data_syncs.md
@@ -0,0 +1,137 @@ ++++ +title = "aws_ssm_resource_data_syncs resource" + +draft = false + + +[menu.aws] +title = "aws_ssm_resource_data_syncs" +identifier = "inspec/resources/aws/aws_ssm_resource_data_syncs resource" +parent = "inspec/resources/aws" ++++ + +Use the `aws_ssm_resource_data_syncs` InSpec audit resource to test properties of the plural resource of an AWS Systems Manager (SSM) resource data sync. + +The `AWS::SSM::ResourceDataSync` resource creates, updates, or deletes a resource data sync for AWS Systems Manager. A resource data sync helps you view data from multiple sources in a single location. Systems Manager offers two types of resource data sync: `SyncToDestination` and `SyncFromSource`. + +For additional information, including details on parameters and properties, see the [AWS documentation on AWS SSM ResourceDataSync](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ssm-resourcedatasync.html). + +## Syntax + +Ensure that the resource data syncs exists: + +```ruby +describe aws_ssm_resource_data_syncs do + it { should exist } +end +``` + +## Parameters + +This resource does not expect any required parameters. + +## Properties + +`sync_names` +: The name of the resource data sync. + +: **Field**: `sync_name` + +`sync_types` +: The type of resource data sync. + +: **Field**: `sync_type` + +`sync_sources` +: Information about the source where the data was synchronized. + +: **Field**: `sync_source` + +`s3_destinations` +: Configuration information for the target S3 bucket. + +: **Field**: `s3_destination` + +`last_sync_times` +: The last time the configuration attempted to sync (UTC). + +: **Field**: `last_sync_time` + +`last_successful_sync_times` +: The last time the sync operations returned a status of SUCCESSFUL (UTC). + +: **Field**: `last_successful_sync_time` + +`sync_last_modified_times` +: The date and time the resource data sync was changed. 
+ +: **Field**: `sync_last_modified_time` + +`last_statuses` +: The status reported by the last sync. + +: **Field**: `last_status` + +`sync_created_times` +: The date and time the configuration was created (UTC). + +: **Field**: `sync_created_time` + +`last_sync_status_messages` +: The status message details reported by the last sync. + +: **Field**: `last_sync_status_message` + +## Examples + +Ensure a sync name is available: + +```ruby +describe aws_ssm_resource_data_syncs do + its('sync_names') { should include 'RESOURCE_DATA_SYNC_NAME' } +end +``` + +Ensure a sync type is available: + +```ruby +describe aws_ssm_resource_data_syncs do + its('sync_types') { should include 'RESOURCE_DATA_SYNC_TYPE' } +end +``` + +Ensure a status is `Successful`: + +```ruby +describe aws_ssm_resource_data_syncs do + its('last_statuses') { should include 'Successful' } +end +``` + +## Matchers + +{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}} + +The controls will pass if the `list` method returns at least one result. + +### exist + +Use `should` to test that the entity exists. + +```ruby +describe aws_ssm_resource_data_syncs do + it { should exist } +end +``` + +Use `should_not` to test the entity does not exist. + +```ruby +describe aws_ssm_resource_data_syncs do + it { should_not exist } +end +``` + +## AWS Permissions + +{{% inspec-aws/aws_permissions_principal action="SSM:Client:ListResourceDataSyncResult" %}} diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_stepfunctions_activities.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_stepfunctions_activities.md new file mode 100644 index 0000000..b0d73a4 --- /dev/null +++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_stepfunctions_activities.md 
@@ -0,0 +1,92 @@
++++
+title = "aws_stepfunctions_activities resource"
+
+draft = false
+
+
+[menu.aws]
+title = "aws_stepfunctions_activities"
+identifier = "inspec/resources/aws/aws_stepfunctions_activities resource"
+parent = "inspec/resources/aws"
++++
+
+Use the `aws_stepfunctions_activity` Chef InSpec audit resource to test properties of multiple AWS Step Functions activities.
+
+For additional information, including details on parameters and properties, see the [AWS documentation on the `AWS::StepFunctions::Activity` resource](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-stepfunctions-activity.html).
+
+## Syntax
+
+Ensure that an activity exists.
+
+```ruby
+describe aws_stepfunctions_activities do
+ it { should exist }
+end
+```
+
+## Parameters
+
+This resource does not require any parameters.
+
+## Properties
+
+`activity_arns`
+: The Amazon Resource Name (ARN) that identifies the activity.
+
+: **Field**: `activity_arn`
+
+`names`
+: The name of the activity.
+
+: **Field**: `name`
+
+`creation_dates`
+: The date the activity is created.
+
+: **Field**: `creation_date`
+
+## Examples
+
+Ensure an activity ARN is available:
+
+```ruby
+describe aws_stepfunctions_activities do
+ its('activity_arns') { should include 'ACTIVITY_ARN' }
+end
+```
+
+Ensure an activity name is available:
+
+```ruby
+describe aws_stepfunctions_activities do
+ its('names') { should include 'ACTIVITY_NAME' }
+end
+```
+
+## Matchers
+
+{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}}
+
+The controls will pass if the `list` method returns at least one result.
+
+### exist
+
+Use `should` to test that the entity exists.
+
+```ruby
+describe aws_stepfunctions_activities do
+ it { should exist }
+end
+```
+
+Use `should_not` to test the entity does not exist.
+
+```ruby
+describe aws_stepfunctions_activities do
+ it { should_not exist }
+end
+```
+
+## AWS Permissions
+
+{{% inspec-aws/aws_permissions_principal action="States:Client:ListActivitiesOutput" %}}
diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_stepfunctions_activity.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_stepfunctions_activity.md
new file mode 100644
index 0000000..d864095
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_stepfunctions_activity.md
@@ -0,0 +1,88 @@
++++
+title = "aws_stepfunctions_activity resource"
+
+draft = false
+
+
+[menu.aws]
+title = "aws_stepfunctions_activity"
+identifier = "inspec/resources/aws/aws_stepfunctions_activity resource"
+parent = "inspec/resources/aws"
++++
+
+Use the `aws_stepfunctions_activity` Chef InSpec audit resource to test properties of a single AWS Step Functions activity.
+
+For additional information, including details on parameters and properties, see the [AWS documentation on the `AWS::StepFunctions::Activity` resource](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-stepfunctions-activity.html).
+
+## Syntax
+
+Ensure that the activity exists.
+
+```ruby
+describe aws_stepfunctions_activity(activity_arn: 'ACTIVITY_ARN') do
+ it { should exist }
+end
+```
+
+## Parameters
+
+`activity_arn` _(required)_
+
+: The Amazon Resource Name (ARN) that identifies the activity.
+
+## Properties
+
+`activity_arn`
+: The Amazon Resource Name (ARN) that identifies the activity.
+
+`name`
+: The name of the activity.
+
+`creation_date`
+: The date the activity is created.
+
+## Examples
+
+Ensure a activity ARN is available:
+
+```ruby
+describe aws_stepfunctions_activity(activity_arn: 'ACTIVITY_ARN') do
+ its('activity_arn') { should eq 'ACTIVITY_ARN' }
+end
+```
+
+Ensure an activity name is available:
+
+```ruby
+describe aws_stepfunctions_activity(activity_arn: 'ACTIVITY_ARN') do
+ its('name') { should eq 'ACTIVITY_NAME' }
+end
+```
+
+## Matchers
+
+{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}}
+
+The controls will pass if the `describe` method returns at least one result.
+
+### exist
+
+Use `should` to test that the entity exists.
+
+```ruby
+describe aws_stepfunctions_activity(activity_arn: 'ACTIVITY_ARN') do
+ it { should exist }
+end
+```
+
+Use `should_not` to test the entity does not exist.
+
+```ruby
+describe aws_stepfunctions_activity(activity_arn: 'ACTIVITY_ARN') do
+ it { should_not exist }
+end
+```
+
+## AWS Permissions
+
+{{% inspec-aws/aws_permissions_principal action="States:Client:DescribeActivityOutput" %}}
diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_stepfunctions_state_machine.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_stepfunctions_state_machine.md
new file mode 100644
index 0000000..bc50aa7
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_stepfunctions_state_machine.md
@@ -0,0 +1,124 @@ ++++ +title = "aws_stepfunctions_state_machine resource" + +draft = false + + +[menu.aws] +title = "aws_stepfunctions_state_machine" +identifier = "inspec/resources/aws/aws_stepfunctions_state_machine resource" +parent = "inspec/resources/aws" ++++ + +Use the `aws_stepfunctions_state_machine` InSpec audit resource to test properties of a single specific Step Functions state machine. + +A state machine consists of a collection of states that can do work (Task states), determine which states to transition next (Choice states), stop an execution with an error (Fail states), and so on. + +For additional information, including details on parameters and properties, see the [AWS documentation on Step Functions state machine](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-stepfunctions-statemachine.html). + +## Syntax + +Ensure that an identity pool exists. + +```ruby +describe aws_stepfunctions_state_machine(state_machine_arn: 'STATE_MACHINE_ARN') do + it { should exist } +end +``` + +## Parameters + +`state_machine_arn` _(required)_ + +: The ARN of the state machine. + +## Properties + +`state_machine_arn` +: The ARN of the state machine. + +`name` +: The name of the state machine. + +`status` +: The current status of the state machine. + +`definition` +: The Amazon States Language definition of the state machine. + +`role_arn` +: The ARN of the IAM role used when creating this state machine. + +`type` +: The type of the state machine. Valid values: `STANDARD` or `EXPRESS`. + +`creation_date` +: The creation date of the state machine. + +`logging_configuration (level)` +: The category of execution history in which events are logged. + +`logging_configuration (include_execution_data)` +: Whether execution data is included in your log. Valid values: `true` or `false`. + +`logging_configuration (destinations)` +: An array of objects that describes where your execution history events will be logged. 
+ +`tracing_configuration (enabled)` +: Selects whether or not the state machine's AWS X-Ray tracing is enabled. Valid values: `true` or `false`. + +## Examples + +Ensure a state machine ARN is available: + +```ruby +describe aws_stepfunctions_state_machine(state_machine_arn: 'STATE_MACHINE_ARN') do + its('state_machine_arn') { should eq 'STATE_MACHINE_ARN' } +end +``` + +Ensure that the status is available: + +```ruby +describe aws_stepfunctions_state_machine(state_machine_arn: 'STATE_MACHINE_ARN') do + its('status') { should eq 'ACTIVE' } +end +``` + +## Matchers + +{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}} + +The controls will pass if the `describe` method returns at least one result. + +### exist + +Use `should` to test that the entity exists. + +```ruby +describe aws_stepfunctions_state_machine(state_machine_arn: 'STATE_MACHINE_ARN') do + it { should exist } +end +``` + +Use `should_not` to test the entity does not exist. + +```ruby +describe aws_stepfunctions_state_machine(state_machine_arn: 'STATE_MACHINE_ARN') do + it { should_not exist } +end +``` + +### be_available + +Use `should` to check if the identity pool id is available. + +```ruby +describe aws_stepfunctions_state_machine(state_machine_arn: 'STATE_MACHINE_ARN') do + it { should be_available } +end +``` + +## AWS Permissions + +{{% inspec-aws/aws_permissions_principal action="States:Client:DescribeStateMachineOutput" %}} diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_stepfunctions_state_machines.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_stepfunctions_state_machines.md new file mode 100644 index 0000000..8156d85 --- /dev/null +++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_stepfunctions_state_machines.md 
@@ -0,0 +1,101 @@ ++++ +title = "aws_stepfunctions_state_machines resource" + +draft = false + + +[menu.aws] +title = "aws_stepfunctions_state_machines" +identifier = "inspec/resources/aws/aws_stepfunctions_state_machines resource" +parent = "inspec/resources/aws" ++++ + +Use the `aws_stepfunctions_state_machines` InSpec audit resource to test properties of multiple Step Functions state machines. + +A state machine consists of a collection of states that can do work (Task states), determine which states to transition next (Choice states), stop an execution with an error (Fail states), and so on. + +For additional information, including details on parameters and properties, see the [AWS documentation on Step Functions state machine](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-stepfunctions-statemachine.html). + +## Syntax + +Ensure that a state machine exists. + +```ruby +describe aws_stepfnctions_state_machines do + it { should exist } +end +``` + +## Parameters + +This resource does not require any parameters. + +## Properties + +`state_machine_arns` +: The ARNs of the state machine. + +`names` +: The names of the state machine. + +`types` +: The type of the state machine. Valid values: `STANDARD` or `EXPRESS`. + +`creation_date` +: The creation dates of the state machine. + +## Examples + +Ensure an state machine ARN is available: + +```ruby +describe aws_stepfunctions_state_machines do + its('state_machine_arns') { should include 'STATE_MACHINE_ARN' } +end +``` + +Ensure a name is available: + +```ruby +describe aws_stepfunctions_state_machines do + its('names') { should include 'STATE_MACHINE_NAME' } +end +``` + +## Matchers + +{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}} + +The controls will pass if the `list` method returns at least one result. + +### exist + +Use `should` to test that the entity exists. 
+
+```ruby
+describe aws_stepfunctions_state_machines do
+ it { should exist }
+end
+```
+
+Use `should_not` to test the entity does not exist.
+
+```ruby
+describe aws_stepfunctions_state_machines do
+ it { should_not exist }
+end
+```
+
+### be_available
+
+Use `should` to check if the state machine is available.
+
+```ruby
+describe aws_stepfunctions_state_machines do
+ it { should be_available }
+end
+```
+
+## AWS Permissions
+
+{{% inspec-aws/aws_permissions_principal action="States:Client:ListStateMachinesOutput" %}}
diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_sts_caller_identity.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_sts_caller_identity.md
new file mode 100644
index 0000000..24ae931
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_sts_caller_identity.md
@@ -0,0 +1,94 @@
++++
+title = "aws_sts_caller_identity resource"
+
+draft = false
+
+
+[menu.aws]
+title = "aws_sts_caller_identity"
+identifier = "inspec/resources/aws/aws_sts_caller_identity resource"
+parent = "inspec/resources/aws"
++++
+
+Use the `aws_sts_caller_identity` InSpec audit resource to test properties of AWS IAM identity whose credentials are used in the current InSpec scan.
+
+## Syntax
+
+An `aws_sts_caller_identity` resource block may be used to perform tests on details of the AWS credentials being used in the current Inspec scan. You can also test if the credentials belong to a GovCloud account or not.
+
+```ruby
+describe aws_sts_caller_identity do
+ it { should exist }
+end
+```
+
+## Parameters
+
+`name` _(required)_
+
+: This resource does not expect any parameters.
+
+## Properties
+
+`arn`
+: The AWS ARN associated with the calling entity.
+
+`account`
+: The AWS account ID number of the account that owns or contains the calling entity.
+
+`user_id`
+: The unique identifier of the calling entity.
+
+For more info, see [the API reference documentation](https://docs.aws.amazon.com/STS/latest/APIReference/API_GetCallerIdentity.html)
+
+## Examples
+
+Check that the credentials used to run the scan is correct:
+
+```ruby
+describe aws_sts_caller_identity do
+ its("arn") { should match "arn:aws:iam::.*:user/service-account-inspec" }
+end
+```
+
+Test if the account belongs to GovCloud:
+
+```ruby
+describe aws_sts_caller_identity do
+ it { should be_govcloud }
+end
+```
+
+Skip a test if we are using GovCloud:
+
+```ruby
+if aws_sts_caller_identity.govcloud?
+ describe 'Skipping Root User MFA check as we are on GovCloud' do
+ skip
+ end
+else
+ describe aws_iam_root_user do
+ it { should have_mfa_enabled }
+ end
+end
+```
+
+## Matchers
+
+{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}}
+
+This resource has the following special matchers.
+
+### be_govcloud
+
+The `be_govcloud` matcher tests if the account is a 'GovCloud' AWS Account.
+
+```ruby
+describe aws_sts_caller_identity do
+ it { should_not be_govcloud }
+end
+```
+
+## AWS Permissions
+
+{{% inspec-aws/aws_permissions_principal action="STS:Client:GetCallerIdentityResponse" %}}
diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_subnet.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_subnet.md
new file mode 100644
index 0000000..eebdf26
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_subnet.md
@@ -0,0 +1,145 @@ ++++ +title = "aws_subnet resource" + +draft = false + + +[menu.aws] +title = "aws_subnet" +identifier = "inspec/resources/aws/aws_subnet resource" +parent = "inspec/resources/aws" ++++ + +Use the `aws_subnet` InSpec audit resource to test properties of a vpc subnet. + +For additional information, including details on parameters and properties, see the [AWS documentation on Subnets](https://docs.aws.amazon.com/vpc/latest/userguide/VPC_Subnets.html). + +## Syntax + +An `aws_subnet` resource block uses the parameter to select a VPC and a subnet in the VPC. + +```ruby +describe aws_subnet(subnet_id: 'subnet-1234567') do + it { should exist } +end +``` + +## Parameters + +`subnet_id` _(required)_ + +: This resource accepts a single parameter, the Subnet ID. + This can be passed either as a string or as a `subnet_id: 'value'` key-value entry in a hash. + +## Properties + +`subnet_id` +: Provides the ID of the Subnet. + +`vpc_id` +: Provides the ID of the VPC the subnet is in. + +`availability_zone` +: Provides the Availability Zone of the subnet. + +`cidr_block` +: Provides the block of ip addresses specified to the subnet. + +`available_ip_address_count` +: Provides the number of available IPv4 addresses on the subnet. 
+ +## Examples + +Check availability zone of a subnet: + +```ruby +describe aws_subnet(subnet_id: 'subnet-12345678') do + its('availability_zone') { should eq 'us-east-1c' } +end +``` + +Check the number of available IP addresses: + +```ruby +describe aws_subnet(subnet_id: 'subnet-12345678') do + its('available_ip_address_count') { should eq 251 } +end +``` + +Test the block of ip addresses specified to the subnet: + +```ruby +describe aws_subnet(subnet_id: 'subnet-12345678') do + its('cidr_block') { should eq '10.0.1.0/24' } +end +``` + +Ensure the subnet is in the right VPC: + +```ruby +describe aws_subnet(subnet_id: 'subnet-12345678') do + its('vpc_id') { should eq 'vpc-12345678' } +end +``` + +## Matchers + +{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}} + +This resource has the following special matchers. + +#### assigning_ipv_6_address_on_creation + +Detects if the network interface on the subnet accepts IPv6 addresses. + +```ruby +describe aws_subnet(subnet_id: 'subnet-12345678') do + it { should be_assigning_ipv_6_address_on_creation } +end +``` + +### available + +Provides the current state of the subnet. + +```ruby +describe aws_subnet(subnet_id: 'subnet-12345678') do + it { should be_available } +end +``` + +#### default_for_az + +Detects if the subnet is the default subnet for the Availability Zone. + +```ruby +describe aws_subnet(subnet_id: 'subnet-12345678') do + it { should be_default_for_az } +end +``` + +#### mapping_public_ip_on_launch + +Provides the VPC ID for the subnet. + +```ruby +describe aws_subnet(subnet_id: 'subnet-12345678') do + it { should be_mapping_public_ip_on_launch } +end +``` + +### exist + +The `exist` matcher indicates that a subnet exists for the specified vpc. 
+
+```ruby
+describe aws_subnet(subnet_id: 'subnet-12345678') do
+ it { should exist }
+end
+```
+
+## AWS Permissions
+
+{{% inspec-aws/aws_permissions_principal action="EC2:Client:DescribeSubnetsResult" %}}
+
+You can find detailed documentation at [Actions, Resources, and Condition Keys for Amazon EC2](https://docs.aws.amazon.com/IAM/latest/UserGuide/list_amazonec2.html).
diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_subnets.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_subnets.md
new file mode 100644
index 0000000..f38a621
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_subnets.md
@@ -0,0 +1,133 @@
++++
+title = "aws_subnets resource"
+
+draft = false
+
+
+[menu.aws]
+title = "aws_subnets"
+identifier = "inspec/resources/aws/aws_subnets resource"
+parent = "inspec/resources/aws"
++++
+
+Use the `aws_subnets` InSpec audit resource to test properties of some or all subnets.
+
+Subnets are networks within a VPC that can have their own block of IP address's and ACL's.
+VPCs span across all availability zones in AWS, while a subnet in a VPC can only span a single availability zone.
+Separating IP addresses allows for protection if there is a failure in one availability zone.
+
+For additional information, including details on parameters and properties, see the [AWS documentation on Subnets](https://docs.aws.amazon.com/vpc/latest/userguide/VPC_Subnets.html).
+
+## Syntax
+
+An `aws_subnets` resource block uses an optional filter to select a group of subnets and then tests that group.
+
+Test all subnets within a single vpc:
+
+```ruby
+describe aws_subnets.where(vpc_id: 'vpc-12345678') do
+ its('subnet_ids') { should include 'subnet-12345678' }
+ its('subnet_ids') { should include 'subnet-98765432' }
+end
+```
+
+## Parameters
+
+This resource does not require any parameters.
+
+## Properties
+
+`subnet_ids`
+: The name of the auto scaling launch configuration associated with the auto scaling group.
+
+`vpc_ids`
+: An integer indicating the maximum number of instances in the auto scaling group.
+
+`cidr_blocks`
+: An integer indicating the minimum number of instances in the auto scaling group.
+
+`availability_zone`
+: The availability zone this subnet is part of.
+
+`map_public_ip_on_launch`
+: A boolean indicating if a public IP is automatically mapped to instances launched in this subnet.
+
+`states`
+: An array of strings corresponding to the subnet IDs associated with the auto scaling group.
+
+`entries`
+: Provides access to the raw results of the query, which can be treated as an array of hashes.
+
+`tags`
+: Array of arrays of hashes with existing tags.
+
+## Examples
+
+Look for all subnets within a vpc:
+
+```ruby
+describe aws_subnets.where(vpc_id: 'vpc-12345678') do
+ its('subnet_ids') { should include 'subnet-12345678' }
+ its('subnet_ids') { should include 'subnet-98765432' }
+end
+```
+
+Examine a specific subnet:
+
+```ruby
+describe aws_subnets.where(subnet_id: 'subnet-12345678') do
+ its('cidr_blocks') { should eq ['10.0.1.0/24'] }
+end
+```
+
+Examine a specific vpcs Subnet IDs:
+
+```ruby
+describe aws_subnets.where(vpc_id: 'vpc-12345678') do
+ its('states') { should_not include 'pending' }
+end
+```
+
+Examine a specific subnets VPC IDS:
+
+```ruby
+describe aws_subnets.where(subnet_id: 'subnet-12345678') do
+ its('vpc_ids') { should include 'vpc-12345678' }
+end
+```
+
+Check existing tags:
+
+```ruby
+describe aws_subnets.where(vpc_id: vpc_id) do
+ its('tags') { should include([{key: 'Name', value: 'My favourite subnet'}]) }
+end
+```
+
+## Matchers
+
+For a full list of available matchers, visit the [InSpec matchers page](https://www.inspec.io/docs/reference/matchers/).
+
+### exist
+
+The control will pass if the describe returns at least one result.
+
+Use `should_not` to test the entity should not exist.
+
+```ruby
+describe aws_subnets.where( : ) do
+ it { should exist }
+end
+```
+
+```ruby
+describe aws_subnets.where( : ) do
+ it { should_not exist }
+end
+```
+
+## AWS Permissions
+
+{{% inspec-aws/aws_permissions_principal action="EC2:Client:DescribeSubnetsResult" %}}
+
+You can find detailed documentation at [Actions, Resources, and Condition Keys for Amazon EC2](https://docs.aws.amazon.com/IAM/latest/UserGuide/list_amazonec2.html).
diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_synthetics_canaries.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_synthetics_canaries.md
new file mode 100644
index 0000000..2996c54
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_synthetics_canaries.md 
@@ -0,0 +1,162 @@
++++
+title = "aws_synthetics_canaries resource"
+
+draft = false
+
+
+[menu.aws]
+title = "aws_synthetics_canaries"
+identifier = "inspec/resources/aws/aws_synthetics_canaries resource"
+parent = "inspec/resources/aws"
++++
+
+Use the `aws_synthetics_canaries` Chef InSpec audit resource to test properties of multiple AWS Synthetics canaries.
+
+For additional information, including details on parameters and properties, see the [AWS documentation on the `AWS::Synthetics::Canary` resource](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-synthetics-canary.html).
+
+## Syntax
+
+Ensure that the canary exists.
+
+```ruby
+describe aws_synthetics_canaries do
+ it { should exist }
+end
+```
+
+## Parameters
+
+This resource does not require any parameters.
+
+## Properties
+
+`ids`
+: The unique ID of this canary.
+
+: **Field**: `id`
+
+`names`
+: The name of the canary.
+
+: **Field**: `name`
+
+`codes`
+: This structure contains information about the canary's Lambda handler and where its code is stored by CloudWatch Synthetics.
+
+: **Field**: `code`
+
+`execution_role_arns`
+: The ARN of the IAM role used to run the canary. This role must include lambda.amazonaws.com as a principal in the trust policy.
+
+: **Field**: `execution_role_arn`
+
+`schedules`
+: A structure that contains information about how often the canary is to run, and when these runs are to stop.
+
+: **Field**: `schedule`
+
+`run_configs`
+: A structure that contains information about a canary run.
+
+: **Field**: `run_config`
+
+`success_retention_period_in_days`
+: The number of days to retain data about successful runs of this canary.
+
+: **Field**: `success_retention_period_in_days`
+
+`failure_retention_period_in_days`
+: The number of days to retain data about failed runs of this canary.
+
+: **Field**: `failure_retention_period_in_days`
+
+`statuses`
+: A structure that contains information about the canary's status.
+
+: **Field**: `status`
+
+`timelines`
+: A structure that contains information about when the canary was created, modified, and most recently run.
+
+: **Field**: `timeline`
+
+`artifact_s3_locations`
+: The location in Amazon S3 where Synthetics stores artifacts from the runs of this canary. Artifacts include the log file, screenshots, and HAR files.
+
+: **Field**: `artifact_s3_location`
+
+`engine_arns`
+: The ARN of the Lambda function that is used as your canary's engine.
+
+: **Field**: `engine_arn`
+
+`runtime_versions`
+: Specifies the runtime version to use for the canary.
+
+: **Field**: `runtime_version`
+
+`vpc_configs`
+: If this canary is to test an endpoint in a VPC, this structure contains information about the subnets and security groups of the VPC endpoint.
+
+: **Field**: `vpc_config`
+
+`visual_references`
+: If this canary performs visual monitoring by comparing screenshots, this structure contains the ID of the canary run to use as the baseline for screenshots, and the coordinates of any parts of the screen to ignore during the visual monitoring comparison.
+
+: **Field**: `visual_reference`
+
+`tags`
+: The list of key-value pairs that are associated with the canary.
+
+: **Field**: `tags`
+
+`artifact_configs`
+: A structure that contains the configuration for canary artifacts, including the encryption-at-rest settings for artifacts that the canary uploads to Amazon S3.
+
+: **Field**: `artifact_config`
+
+## Examples
+
+Ensure a canary ID is available:
+
+```ruby
+describe aws_synthetics_canaries do
+ its('ids') { should include 'CANARY_ID' }
+end
+```
+
+Ensure a canary name is available:
+
+```ruby
+describe aws_synthetics_canaries do
+ its('names') { should include 'CANARY_NAME' }
+end
+```
+
+## Matchers
+
+{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}}
+
+The controls will pass if the `describe` method returns at least one result.
+
+### exist
+
+Use `should` to test that the entity exists.
+
+```ruby
+describe aws_synthetics_canaries do
+ it { should exist }
+end
+```
+
+Use `should_not` to test the entity does not exist.
+
+```ruby
+describe aws_synthetics_canaries do
+ it { should_not exist }
+end
+```
+
+## AWS Permissions
+
+{{% inspec-aws/aws_permissions_principal action="Synthetics:Client:DescribeCanariesResponse" %}}
diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_synthetics_canary.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_synthetics_canary.md
new file mode 100644
index 0000000..23e514a
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_synthetics_canary.md
@@ -0,0 +1,169 @@
++++
+title = "aws_synthetics_canary resource"
+
+draft = false
+
+
+[menu.aws]
+title = "aws_synthetics_canary"
+identifier = "inspec/resources/aws/aws_synthetics_canary resource"
+parent = "inspec/resources/aws"
++++
+
+Use the `aws_synthetics_canary` Chef InSpec audit resource to test properties of a single AWS Synthetics Canary.
+
+For additional information, including details on parameters and properties, see the [AWS documentation on the `AWS::Synthetics::Canary` resource](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-synthetics-canary.html).
+
+## Syntax
+
+Ensure that the canary exists.
+
+```ruby
+describe aws_synthetics_canary(name: 'CANARY_NAME') do
+ it { should exist }
+end
+```
+
+## Parameters
+
+`name` _(required)_
+
+: The name of the canary.
+
+## Properties
+
+`id`
+: The unique ID of this canary.
+
+`name`
+: The name of the canary.
+
+`code.source_location_arn`
+: The ARN of the Lambda layer where Synthetics stores the canary script code.
+
+`code.handler`
+: The entry point to use for the source code when running the canary.
+
+`execution_role_arn`
+: The ARN of the IAM role used to run the canary.
+
+`schedule.expression`
+: A rate expression or a cron expression that defines how often the canary is to run.
+
+`schedule.duration_in_seconds`
+: How long, in seconds, for the canary to continue making regular runs after it was created. The runs are performed according to the schedule in the Expression value.
+
+`run_config.timeout_in_seconds`
+: How long the canary is allowed to run before it must stop.
+
+`run_config.memory_in_mb`
+: The maximum amount of memory available to the canary while it is running, in MB. This value must be a multiple of 64.
+
+`run_config.active_tracing`
+: Displays whether this canary run used active X-Ray tracing.
+
+`success_retention_period_in_days`
+: The number of days to retain data about successful runs of this canary.
+
+`failure_retention_period_in_days`
+: The number of days to retain data about failed runs of this canary.
+
+`status.state`
+: The current state of the canary.
+
+`status.state_reason`
+: If the canary has insufficient permissions to run, this field provides more details.
+
+`status.state_reason_code`
+: If the canary cannot run or has failed, this field displays the reason.
+
+`timeline.created`
+: The date and time the canary was created.
+
+`timeline.last_modified`
+: The date and time the canary was most recently modified.
+
+`timeline.last_started`
+: The date and time that the canary's most recent run started.
+
+`timeline.last_stopped`
+: The date and time that the canary's most recent run ended.
+
+`artifact_s3_location`
+: The location in Amazon S3 where Synthetics stores artifacts from the runs of this canary.
+
+`engine_arn`
+: The ARN of the Lambda function that is used as your canary's engine.
+
+`runtime_version`
+: Specifies the runtime version to use for the canary.
+
+`vpc_config.vpc_id`
+: The IDs of the VPC where this canary is to run.
+
+`vpc_config.subnet_ids`
+: The IDs of the subnets where this canary is to run.
+
+`vpc_config.security_group_ids`
+: The IDs of the security groups for this canary.
+
+`visual_reference.base_screenshots`
+: An array of screenshots that are used as the baseline for comparisons during visual monitoring.
+
+`visual_reference.base_canary_run_id`
+: The ID of the canary run that produced the screenshots that are used as the baseline for visual monitoring comparisons during future runs of this canary.
+
+`tags`
+: The list of key-value pairs that are associated with the canary.
+
+`artifact_config.s3_encryption.encryption_mode`
+: The encryption method to use for artifacts created by this canary.
+
+`artifact_config.s3_encryption.kms_key_arn`
+: The ARN of the customer-managed KMS key to use, if you specify SSE-KMS for EncryptionMode.
+
+## Examples
+
+Ensure a canary name is available:
+
+```ruby
+describe aws_synthetics_canary(name: 'CANARY_NAME') do
+ its('name') { should eq 'CANARY_NAME' }
+end
+```
+
+Ensure a state is `READY`:
+
+```ruby
+describe aws_synthetics_canary(name: 'CANARY_NAME') do
+ its('status.state') { should eq 'READY' }
+end
+```
+
+## Matchers
+
+{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}}
+
+This resource has the following special matchers.
+
+### exist
+
+Use `should` to test that the entity exists.
+
+```ruby
+describe aws_synthetics_canary(name: 'CANARY_NAME') do
+ it { should exist }
+end
+```
+
+Use `should_not` to test the entity does not exist.
+
+```ruby
+describe aws_synthetics_canary(name: 'CANARY_NAME') do
+ it { should_not exist }
+end
+```
+
+## AWS Permissions
+
+{{% inspec-aws/aws_permissions_principal action="Synthetics:Client:GetCanaryResponse" %}}
diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_transfer_user.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_transfer_user.md
new file mode 100644
index 0000000..4d2e08f
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_transfer_user.md
@@ -0,0 +1,132 @@
++++
+title = "aws_transfer_user resource"
+
+draft = false
+
+
+[menu.aws]
+title = "aws_transfer_user"
+identifier = "inspec/resources/aws/aws_transfer_user resource"
+parent = "inspec/resources/aws"
++++
+
+Use the `aws_transfer_user` InSpec audit resource to test properties of a single Transfer user.
+
+For additional information, including details on parameters and properties, see the [AWS documentation on Transfer user](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-transfer-user.html).
+
+## Syntax
+
+Ensure that a Transfer user exists.
+
+```ruby
+describe aws_transfer_user(server_id: "SERVER_ID", user_name: 'USER_NAME') do
+ it { should exist }
+end
+```
+
+## Parameters
+
+`server_id` _(required)_
+
+: The system-assigned unique identifier for a server that this user has been assigned to.
+
+`user_name` _(required)_
+
+: The name of the user assigned to one or more servers.
+
+## Properties
+
+`server_id`
+: The system-assigned unique identifier for a server that this user has been assigned to.
+
+`user (home_directory)`
+: The landing directory for a user when they log in to the server using the client.
+
+`user (home_directory_mappings)`
+: Logical directory mappings that specify what S3 paths and keys should be visible to your user and how you want to make them visible.
+
+`user (home_directory_mappings (entry))`
+: The entry for `HomeDirectoryMappings`.
+
+`user (home_directory_mappings (target))`
+: The map target that is used in a `HomeDirectorymapEntry`.
+
+`user (home_directory_type)`
+: The type of landing directory you want your users' home directory to be when they log into the server.
+
+`user (policy)`
+: A scope-down policy for your user so you can use the same IAM role across multiple users.
+
+`user (role)`
+: The ARN of the IAM role that controls your users' access to your Amazon S3 bucket or EFS file system.
+
+`user (ssh_public_keys (date_imported))`
+: The date that the public key was added to the user account.
+
+`user (ssh_public_keys (ssh_public_key_body))`
+: The content of the SSH public key as specified by the PublicKeyId.
+
+`user (ssh_public_keys (ssh_public_key_id))`
+: The `SshPublicKeyId` parameter contains the identifier of the public key.
+
+`user (tags)`
+: Key-value pairs that can be used to group and search for users.
+
+`user (user_name)`
+: The user name associated with a server as specified by the `ServerId`.
+
+## Examples
+
+Ensure an user is available:
+
+```ruby
+describe aws_transfer_user(server_id: "SERVER_ID", user_name: 'USER_NAME') do
+ its('user_name') { should eq 'USER_NAME' }
+end
+```
+
+Ensure that the server ID is available:
+
+```ruby
+describe aws_transfer_user(server_id: "SERVER_ID", user_name: 'USER_NAME') do
+ its('server_id') { should eq 'SERVER_ID' }
+end
+```
+
+## Matchers
+
+{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}}
+
+The controls will pass if the `describe` method returns at least one result.
+
+### exist
+
+Use `should` to test that the entity exists.
+
+```ruby
+describe aws_transfer_user(server_id: "SERVER_ID", user_name: 'USER_NAME') do
+ it { should exist }
+end
+```
+
+Use `should_not` to test the entity does not exist.
+
+```ruby
+describe aws_transfer_user(server_id: "SERVER_ID", user_name: 'USER_NAME') do
+ it { should_not exist }
+end
+```
+
+### be_available
+
+Use `should` to check if the user is available.
+
+```ruby
+describe aws_transfer_user(server_id: "SERVER_ID", user_name: 'USER_NAME') do
+ it { should be_available }
+end
+```
+
+## AWS Permissions
+
+{{% inspec-aws/aws_permissions_principal action="Transfer:Client:DescribeUserResponse" %}}
diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_transfer_users.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_transfer_users.md
new file mode 100644
index 0000000..06f0495
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_transfer_users.md 
@@ -0,0 +1,105 @@
++++
+title = "aws_transfer_users resource"
+
+draft = false
+
+
+[menu.aws]
+title = "aws_transfer_users"
+identifier = "inspec/resources/aws/aws_transfer_users resource"
+parent = "inspec/resources/aws"
++++
+
+Use the `aws_transfer_users` InSpec audit resource to test properties of multiple Transfer users.
+
+For additional information, including details on parameters and properties, see the [AWS documentation on Transfer user](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-transfer-user.html).
+
+## Syntax
+
+Ensure that an user exists.
+
+```ruby
+describe aws_transfer_users do
+ it { should exist }
+end
+```
+
+## Parameters
+
+This resource does not require any parameters.
+
+## Properties
+
+`ARNs`
+: The ARNs of the user.
+
+`home_directories`
+: The landing directories for users when they log in to the server using the client.
+
+`home_directory_types`
+: The landing directory types you want your users' home directory to be when they log into the server.
+
+`roles`
+: The ARNs of the IAM roles that controls your users' access to your Amazon S3 bucket or EFS file system.
+
+`ssh_public_key_count`
+: The ssh public key count of the user.
+
+`user_names`
+: The user names associated with a server as specified by the `ServerId`.
+
+## Examples
+
+Ensure an ARN is available:
+
+```ruby
+describe aws_transfer_users do
+ its('arns') { should include 'USER_ARN' }
+end
+```
+
+Ensure that the roles is available:
+
+```ruby
+describe aws_transfer_users do
+ its('roles') { should include 'USER_ROLE_ARN' }
+end
+```
+
+## Matchers
+
+{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}}
+
+The controls will pass if the `list` method returns at least one result.
+
+### exist
+
+Use `should` to test that the entity exists.
+
+```ruby
+describe aws_transfer_users do
+ it { should exist }
+end
+```
+
+Use `should_not` to test the entity does not exist.
+
+```ruby
+describe aws_transfer_users do
+ it { should_not exist }
+end
+```
+
+### be_available
+
+Use `should` to check if the user is available.
+
+```ruby
+describe aws_transfer_users do
+ it { should be_available }
+end
+```
+
+## AWS Permissions
+
+{{% inspec-aws/aws_permissions_principal action="Transfer:Client:ListUsersResponse" %}}
diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_transit_gateway.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_transit_gateway.md
new file mode 100644
index 0000000..d498794
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_transit_gateway.md
@@ -0,0 +1,87 @@
++++
+title = "aws_transit_gateway resource"
+
+draft = false
+
+
+[menu.aws]
+title = "aws_transit_gateway"
+identifier = "inspec/resources/aws/aws_transit_gateway resource"
+parent = "inspec/resources/aws"
++++
+
+Use the `aws_transit_gateway` InSpec audit resource to test properties of a transit gateway.
+
+For additional information, including details on parameters and properties, see the [AWS documentation on Transit Gateways](https://docs.aws.amazon.com/vpc/latest/tgw/).
+
+## Syntax
+
+An `aws_transit_gateway` resource block uses the parameter to select a transit gateway.
+
+```ruby
+describe aws_transit_gateway(transit_gateway_id: 'tgw-1234567') do
+ it { should exist }
+end
+```
+
+## Parameters
+
+`transit_gateway_id` _(required)_
+
+: This resource accepts a single parameter, the Transit Gateway ID.
+ This can be passed either as a string or as a `transit_gateway_id: 'value'` key-value entry in a hash.
+
+## Properties
+
+`transit_gateway_id`
+: Provides the ID of the Transit Gateway.
+
+`transit_gateway_arn`
+: Provides the ARN of the Transit Gateway.
+
+`transit_gateway_owner_id`
+: Provides the id of the owner of the Transit Gateway.
+
+`default_route_table_id`
+: Provides the id of the default route table of the Transit Gateway.
+
+`propagation_default_route_table_id`
+: Provides the propagation default route table id for the Transit gateway.
+
+`dns_support`
+: Provides the status of dns support for the Transit Gateway.
+
+`vpn_ecmp_support`
+: Provides the status of vpn ecmp support for the Transit Gateway.
+
+## Examples
+
+Check the owner id zone of the Transit Gateway:
+
+```ruby
+describe aws_transit_gateway(transit_gateway_id: 'tgw-0e231ae7f5e5e7bd5') do
+ its('transit_gateway_owner_id') { should eq 'owner_id' }
+end
+```
+
+## Matchers
+
+{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}}
+
+This resource has the following special matchers.
+
+### exist
+
+The `exist` matcher indicates that a transit gateway exists.
+
+```ruby
+describe aws_transit_gateway(transit_gateway_id: 'tgw-0e231ae7f5e5e7bd5') do
+ it { should exist }
+end
+```
+
+## AWS Permissions
+
+{{% inspec-aws/aws_permissions_principal action="EC2:Client:DescribeTransitGatewaysResult" %}}
+
+You can find detailed documentation at [Actions, Resources, and Condition Keys for Amazon EC2](https://docs.aws.amazon.com/IAM/latest/UserGuide/list_amazonec2.html).
diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_transit_gateway_connect.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_transit_gateway_connect.md
new file mode 100644
index 0000000..d7b3672
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_transit_gateway_connect.md
@@ -0,0 +1,112 @@
++++
+title = "aws_transit_gateway_connect resource"
+
+draft = false
+
+
+[menu.aws]
+title = "aws_transit_gateway_connect"
+identifier = "inspec/resources/aws/aws_transit_gateway_connect resource"
+parent = "inspec/resources/aws"
++++
+
+Use the `aws_transit_gateway_connect` InSpec audit resource to test properties of a single AWS EC2 Transit Gateway Connect.
+
+The `AWS::EC2::TransitGatewayConnect` resource creates a Connect attachment from a specified transit gateway attachment.
+
+For additional information, including details on parameters and properties, see the [AWS documentation on AWS EC2 TransitGatewayConnect](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ec2-transitgatewayconnect.html).
+
+## Syntax
+
+Ensure that transit gateway Connect attachment exists.
+
+```ruby
+describe aws_transit_gateway_connect(transit_gateway_attachment_id: 'TRANSIT_GATEWAY_CONNECT_ATTACHMENT_ID') do
+ it { should exits }
+end
+```
+
+## Parameters
+
+`transit_gateway_attachment_id` _(required)_
+
+: The ID of the transit gateway Connect attachment.
+
+## Properties
+
+`transit_gateway_attachment_id`
+: The ID of the Connect attachment.
+
+`transport_transit_gateway_attachment_id`
+: The ID of the attachment from which the Connect attachment was created.
+
+`transit_gateway_id`
+: The ID of the transit gateway.
+
+`state`
+: The state of the attachment.
+
+`creation_time`
+: The creation time.
+
+`options (protocol)`
+: The Connect attachment options. The tunnel protocol.
+
+`tags`
+: The tags for the attachment.
+
+## Examples
+
+Ensure a transit gateway attachment ID is available:
+
+```ruby
+describe aws_transit_gateway_connect(transit_gateway_attachment_id: 'TRANSIT_GATEWAY_CONNECT_ATTACHMENT_ID') do
+ its('transit_gateway_attachment_id') { should eq 'tgw-attach-1234567890' }
+end
+```
+
+Ensure that the state is `available`:
+
+```ruby
+describe aws_transit_gateway_connect(transit_gateway_attachment_id: 'TRANSIT_GATEWAY_CONNECT_ATTACHMENT_ID') do
+ its('state') { should eq 'available' }
+end
+```
+
+## Matchers
+
+{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}}
+
+The controls will pass if the `describe` method returns at least one result.
+
+### exist
+
+Use `should` to test that the entity exists.
+
+```ruby
+describe aws_transit_gateway_connect(transit_gateway_attachment_id: 'TRANSIT_GATEWAY_CONNECT_ATTACHMENT_ID') do
+ it { should exits }
+end
+```
+
+Use `should_not` to test the entity does not exist.
+
+```ruby
+describe aws_transit_gateway_connect(transit_gateway_attachment_id: 'TRANSIT_GATEWAY_CONNECT_ATTACHMENT_ID') do
+ it { should_not exits }
+end
+```
+
+### be_available
+
+Use `should` to check if the entity is available.
+
+```ruby
+describe aws_transit_gateway_connect(transit_gateway_attachment_id: 'dummy') do
+ it { should be_available }
+end
+```
+
+## AWS Permissions
+
+{{% inspec-aws/aws_permissions_principal action="EC2:Client:DescribeTransitGatewayConnectsResult" %}}
diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_transit_gateway_connects.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_transit_gateway_connects.md
new file mode 100644
index 0000000..62f00f7
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_transit_gateway_connects.md
@@ -0,0 +1,110 @@
++++
+title = "aws_transit_gateway_connects resource"
+
+draft = false
+
+
+[menu.aws]
+title = "aws_transit_gateway_connects"
+identifier = "inspec/resources/aws/aws_transit_gateway_connects resource"
+parent = "inspec/resources/aws"
++++
+
+Use the `aws_transit_gateway_connects` InSpec audit resource to test properties of multiple AWS EC2 Transit Gateway Connect.
+
+The `AWS::EC2::TransitGatewayConnect` resource creates a Connect attachment from a specified transit gateway attachment.
+
+For additional information, including details on parameters and properties, see the [AWS documentation on AWS EC2 TransitGatewayConnect](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ec2-transitgatewayconnect.html).
+
+## Syntax
+
+Ensure that Transit Gateway Connect exists.
+
+```ruby
+describe aws_transit_gateway_connects do
+ it { should exist }
+end
+```
+
+## Parameters
+
+This resource does not require any parameters.
+
+## Properties
+
+`transit_gateway_attachment_ids`
+: The ID of the Connect attachment.
+
+`transport_transit_gateway_attachment_ids`
+: The ID of the attachment from which the Connect attachment was created.
+
+`transit_gateway_ids`
+: The ID of the transit gateway.
+
+`states`
+: The state of the attachment.
+
+`creation_times`
+: The creation time.
+
+`options`
+: The Connect attachment options. The tunnel protocol.
+
+`tags`
+: The tags for the attachment.
+
+## Examples
+
+Ensure a transit gateway attachment ID is available:
+
+```ruby
+describe aws_transit_gateway_connects do
+ its('transit_gateway_attachment_ids') { should include 'TRANSIT_GATEWAY_ATTACHMENT_ID' }
+end
+```
+
+Ensure that the state is `available`:
+
+```ruby
+describe aws_transit_gateway_connects do
+ its('states') { should include 'available' }
+end
+```
+
+## Matchers
+
+{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}}
+
+The controls will pass if the `describe` method returns at least one result.
+
+### exist
+
+Use `should` to test that the entity exists.
+
+```ruby
+describe aws_transit_gateway_connects do
+ it { should exist }
+end
+```
+
+Use `should_not` to test the entity does not exist.
+
+```ruby
+describe aws_transit_gateway_connects do
+ it { should_not exist }
+end
+```
+
+### be_available
+
+Use `should` to check if the entity is available.
+
+```ruby
+describe aws_transit_gateway_connects do
+ it { should be_available }
+end
+```
+
+## AWS Permissions
+
+{{% inspec-aws/aws_permissions_principal action="EC2:Client:DescribeTransitGatewayConnectsResult" %}}
diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_transit_gateway_multicast_domain.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_transit_gateway_multicast_domain.md
new file mode 100644
index 0000000..23f1328
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_transit_gateway_multicast_domain.md
@@ -0,0 +1,121 @@
++++
+title = "aws_transit_gateway_multicast_domain resource"
+
+draft = false
+
+
+[menu.aws]
+title = "aws_transit_gateway_multicast_domain"
+identifier = "inspec/resources/aws/aws_transit_gateway_multicast_domain resource"
+parent = "inspec/resources/aws"
++++
+
+Use the `aws_transit_gateway_multicast_domain` Chef InSpec audit resource to test properties of an AWS EC2 transit gateway multicast domain.
+
+The `AWS::EC2::TransitGatewayMulticastDomain` resource creates a multicast domain using the specified transit gateway.
+
+For additional information, including details on parameters and properties, see the [AWS documentation on AWS EC2 TransitGatewayConnect](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ec2-transitgatewayconnect.html).
+
+## Syntax
+
+Ensure that transit gateway connect exists.
+
+```ruby
+describe aws_transit_gateway_multicast_domain(transit_gateway_multicast_domain_id: 'TRANSIT_GATEWAY_MULTICAST_DOMAIN_ID') do
+ it { should exits }
+end
+```
+
+## Parameters
+
+`transit_gateway_attachment_id` _(required)_
+
+: The ID of the transit gateway multicast domain.
+
+## Properties
+
+`transit_gateway_multicast_domain_id`
+: The ID of the transit gateway multicast domain.
+
+`transit_gateway_id`
+: The ID of the transit gateway.
+
+`transit_gateway_multicast_domain_arn`
+: The Amazon Resource Name (ARN) of the transit gateway multicast domain.
+
+`owner_id`
+: The ID of the AWS account that owns the transit gateway multicast domain.
+
+`options (igmpv_2_support)`
+: The options for the transit gateway multicast domain. Indicates whether Internet Group Management Protocol (IGMP) version 2 is turned on for the transit gateway multicast domain.
+
+`options (static_sources_support)`
+: The options for the transit gateway multicast domain. Indicates whether support for statically configuring transit gateway multicast group sources is turned on.
+
+`options (auto_accept_shared_associations)`
+: The options for the transit gateway multicast domain. Indicates whether to automatically cross-account subnet associations that are associated with the transit gateway multicast domain.
+
+`state`
+: The state of the transit gateway multicast domain.
+
+`creation_time`
+: The time the transit gateway multicast domain was created.
+
+`tags`
+: The tags for the transit gateway multicast domain.
+
+## Examples
+
+Ensure a transit gateway multicast domain ID is available:
+
+```ruby
+describe aws_transit_gateway_multicast_domain(transit_gateway_multicast_domain_id: 'TRANSIT_GATEWAY_MULTICAST_DOMAIN_ID') do
+ its('transit_gateway_multicast_domain_id') { should eq 'TRANSIT_GATEWAY_MULTICAST_DOMAIN_ID' }
+end
+```
+
+Ensure that the state is `available`:
+
+```ruby
+describe aws_transit_gateway_multicast_domain(transit_gateway_multicast_domain_id: 'TRANSIT_GATEWAY_MULTICAST_DOMAIN_ID') do
+ its('state') { should eq 'available' }
+end
+```
+
+## Matchers
+
+{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}}
+
+The controls will pass if the `describe` method returns at least one result.
+
+### exist
+
+Use `should` to test that the entity exists.
+
+```ruby
+describe aws_transit_gateway_multicast_domain(transit_gateway_multicast_domain_id: 'TRANSIT_GATEWAY_MULTICAST_DOMAIN_ID') do
+ it { should exits }
+end
+```
+
+Use `should_not` to test the entity does not exist.
+
+```ruby
+describe aws_transit_gateway_multicast_domain(transit_gateway_multicast_domain_id: 'TRANSIT_GATEWAY_MULTICAST_DOMAIN_ID') do
+ it { should_not exits }
+end
+```
+
+### be_available
+
+Use `should` to check if the entity is available.
+
+```ruby
+describe aws_transit_gateway_multicast_domain(transit_gateway_multicast_domain_id: 'TRANSIT_GATEWAY_MULTICAST_DOMAIN_ID') do
+ it { should be_available }
+end
+```
+
+## AWS Permissions
+
+{{% inspec-aws/aws_permissions_principal action="EC2:Client:DescribeTransitGatewayMulticastDomainsResult" %}}
diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_transit_gateway_multicast_domain_association.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_transit_gateway_multicast_domain_association.md
new file mode 100644
index 0000000..41aeae5
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_transit_gateway_multicast_domain_association.md
@@ -0,0 +1,109 @@ ++++ +title = "aws_transit_gateway_multicast_domain_association resource" + +draft = false + + +[menu.aws] +title = "aws_transit_gateway_multicast_domain_association" +identifier = "inspec/resources/aws/aws_transit_gateway_multicast_domain_association resource" +parent = "inspec/resources/aws" ++++ + +Use the `aws_transit_gateway_multicast_domain_association` Chef InSpec audit resource to test properties of a single AWS EC2 transit gateway multicast domain association. + +The `AWS::EC2::TransitGatewayMulticastDomainAssociation` resource associates the specified subnets and transit gateway attachments with the specified transit gateway multicast domain. + +For additional information, including details on parameters and properties, see the [AWS documentation on AWS EC2 TransitGatewayMulticastDomainAssociation](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ec2-transitgatewaymulticastdomainassociation.html). + +## Syntax + +Ensure that the transit gateway multicast domain association exists. + +```ruby +describe aws_transit_gateway_multicast_domain_association(transit_gateway_multicast_domain_id: 'TRANSIT_GATEWAY_MULTICAST_DOMAIN_ID') do + it { should exits } +end +``` + +## Parameters + +`transit_gateway_multicast_domain_id` _(required)_ + +: The ID of the transit gateway multicast domain. + +## Properties + +`transit_gateway_attachment_id` +: The ID of the Connect attachment. + +`resource_id` +: The ID of the resource. + +`resource_type` +: The type of resource, for example a VPC attachment. + +`resource_owner_id` +: The ID of the AWS account that owns the transit gateway multicast domain association resource. + +`subnet (subnet_id)` +: The subnet associated with the transit gateway multicast domain. The ID of the subnet. + +`subnet (state)` +: The subnet associated with the transit gateway multicast domain. The state of the subnet association. 
+ +## Examples + +Ensure a transit gateway attachment ID is available: + +```ruby +describe aws_transit_gateway_multicast_domain_association(transit_gateway_multicast_domain_id: 'TRANSIT_GATEWAY_MULTICAST_DOMAIN_ID') do + its('transit_gateway_attachment_id') { should eq 'tgw-attach-1234567890' } +end +``` + +Ensure that the state is `available`: + +```ruby +describe aws_transit_gateway_multicast_domain_association(transit_gateway_multicast_domain_id: 'TRANSIT_GATEWAY_MULTICAST_DOMAIN_ID') do + its('subnet.state') { should eq 'associated' } +end +``` + +## Matchers + +{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}} + +This resource has the following special matchers. + +### exist + +Use `should` to test that the entity exists. + +```ruby +describe aws_transit_gateway_multicast_domain_association(transit_gateway_multicast_domain_id: 'TRANSIT_GATEWAY_MULTICAST_DOMAIN_ID') do + it { should exits } +end +``` + +Use `should_not` to test the entity does not exist. + +```ruby +describe aws_transit_gateway_multicast_domain_association(transit_gateway_multicast_domain_id: "TRANSIT_GATEWAY_MULTICAST_DOMAIN_ID") do + it { should_not exits } +end +``` + +### be_available + +Use `should` to check if the transit gateway multicast domain association is available. + +```ruby +describe aws_transit_gateway_multicast_domain_association(transit_gateway_multicast_domain_id: 'TRANSIT_GATEWAY_MULTICAST_DOMAIN_ID') do + it { should be_available } +end +``` + +## AWS Permissions + +{{% inspec-aws/aws_permissions_principal action="EC2:Client:GetTransitGatewayMulticastDomainAssociationsResult" %}} diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_transit_gateway_multicast_domain_associations.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_transit_gateway_multicast_domain_associations.md new file mode 100644 index 0000000..2a43487 --- /dev/null 
+++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_transit_gateway_multicast_domain_associations.md 
@@ -0,0 +1,106 @@ ++++ +title = "aws_transit_gateway_multicast_domain_associations resource" + +draft = false + + +[menu.aws] +title = "aws_transit_gateway_multicast_domain_associations" +identifier = "inspec/resources/aws/aws_transit_gateway_multicast_domain_associations resource" +parent = "inspec/resources/aws" ++++ + +Use the `aws_transit_gateway_multicast_domain_associations` Chef InSpec audit resource to test properties of multiple AWS EC2 transit gateway multicast domain associations. + +The `AWS::EC2::TransitGatewayMulticastDomainAssociation` resource associates the specified subnets and transit gateway attachments with the specified transit gateway multicast domain. + +For additional information, including details on parameters and properties, see the [AWS documentation on AWS EC2 TransitGatewayMulticastDomainAssociation](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ec2-transitgatewaymulticastdomainassociation.html). + +## Syntax + +Ensure that transit gateway connect exists. + +```ruby +describe aws_transit_gateway_multicast_domain_associations(transit_gateway_multicast_domain_id: 'TRANSIT_GATEWAY_MULTICAST_DOMAIN_ID') do + it { should exist } +end +``` + +## Parameters + +`transit_gateway_multicast_domain_id` _(required)_ + +: The ID of the transit gateway multicast domain. + +## Properties + +`transit_gateway_attachment_ids` +: The ID of the transit gateway attachment. + +`resource_ids` +: The ID of the resource. + +`resource_types` +: The type of resource, for example a VPC attachment. + +`resource_owner_ids` +: The ID of the AWS account that owns the transit gateway multicast domain association resource. + +`subnets` +: The subnet associated with the transit gateway multicast domain. 
+ +## Examples + +Ensure a transit gateway attachment ID is available: + +```ruby +describe aws_transit_gateway_multicast_domain_associations(transit_gateway_multicast_domain_id: 'TRANSIT_GATEWAY_MULTICAST_DOMAIN_ID') do + its('transit_gateway_attachment_ids') { should include 'TRANSIT_GATEWAY_ATTACHMENT_ID' } +end +``` + +Ensure that the resource type is `vpc`: + +```ruby +describe aws_transit_gateway_multicast_domain_associations(transit_gateway_multicast_domain_id: 'TRANSIT_GATEWAY_MULTICAST_DOMAIN_ID') do + its('resource_types') { should include 'vpc' } +end +``` + +## Matchers + +{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}} + +This resource has the following special matchers. + +### exist + +Use `should` to test that the entity exists. + +```ruby +describe aws_transit_gateway_multicast_domain_associations(transit_gateway_multicast_domain_id: 'TRANSIT_GATEWAY_MULTICAST_DOMAIN_ID') do + it { should exist } +end +``` + +Use `should_not` to test the entity does not exist. + +```ruby +describe aws_transit_gateway_multicast_domain_associations(transit_gateway_multicast_domain_id: "TRANSIT_GATEWAY_MULTICAST_DOMAIN_ID") do + it { should_not exist } +end +``` + +### be_available + +Use `should` to check if the entity is available. + +```ruby +describe aws_transit_gateway_multicast_domain_associations(transit_gateway_multicast_domain_id: 'TRANSIT_GATEWAY_MULTICAST_DOMAIN_ID') do + it { should be_available } +end +``` + +## AWS Permissions + +{{% inspec-aws/aws_permissions_principal action="EC2:Client:GetTransitGatewayMulticastDomainAssociationsResult" %}} diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_transit_gateway_multicast_domains.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_transit_gateway_multicast_domains.md new file mode 100644 index 0000000..2f6d0da --- /dev/null +++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_transit_gateway_multicast_domains.md 
@@ -0,0 +1,113 @@ ++++ +title = "aws_transit_gateway_multicast_domains resource" + +draft = false + + +[menu.aws] +title = "aws_transit_gateway_multicast_domains" +identifier = "inspec/resources/aws/aws_transit_gateway_multicast_domains resource" +parent = "inspec/resources/aws" ++++ + +Use the `aws_transit_gateway_multicast_domains` Chef InSpec audit resource to test properties of multiple AWS EC2 transit gateway multicast domains. + +The `AWS::EC2::TransitGatewayMulticastDomain` resource creates a Connect attachment from a specified transit gateway attachment. + +For additional information, including details on parameters and properties, see the [AWS documentation on AWS EC2 TransitGatewayMulticastDomain](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ec2-transitgatewaymulticastdomain.html). + +## Syntax + +Ensure that transit gateway multicast domain exists. + +```ruby +describe aws_transit_gateway_multicast_domains do + it { should exist } +end +``` + +## Parameters + +This resource does not require any parameters. + +## Properties + +`transit_gateway_multicast_domain_ids` +: The ID of the transit gateway multicast domain. + +`transit_gateway_ids` +: The ID of the transit gateway. + +`transit_gateway_multicast_domain_arns` +: The Amazon Resource Name (ARN) of the transit gateway multicast domain. + +`owner_ids` +: The ID of the AWS account that owns the transit gateway multicast domain. + +`options` +: The options for the transit gateway multicast domain. + +`states` +: The state of the transit gateway multicast domain. + +`creation_time` +: The time the transit gateway multicast domain was created. + +`tags` +: The tags for the transit gateway multicast domain. 
+ +## Examples + +Ensure a specific transit gateway attachment ID is available: + +```ruby +describe aws_transit_gateway_multicast_domains do + its('transit_gateway_multicast_domain_ids') { should include 'TRANSIT_GATEWAY_MULTICAST_DOMAIN_ID' } +end +``` + +Ensure that the state is `available`: + +```ruby +describe aws_transit_gateway_multicast_domains do + its('states') { should include 'available' } +end +``` + +## Matchers + +{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}} + +The controls will pass if the `describe` method returns at least one result. + +### exist + +Use `should` to test that the entity exists. + +```ruby +describe aws_transit_gateway_multicast_domains do + it { should exist } +end +``` + +Use `should_not` to test the entity does not exist. + +```ruby +describe aws_transit_gateway_multicast_domains do + it { should_not exist } +end +``` + +### be_available + +Use `should` to check if the entity is available. + +```ruby +describe aws_transit_gateway_multicast_domains do + it { should be_available } +end +``` + +## AWS Permissions + +{{% inspec-aws/aws_permissions_principal action="EC2:Client:DescribeTransitGatewayMulticastDomainsResult" %}} diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_transit_gateway_multicast_group_member.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_transit_gateway_multicast_group_member.md new file mode 100644 index 0000000..bc579f9 --- /dev/null +++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_transit_gateway_multicast_group_member.md 
@@ -0,0 +1,124 @@ ++++ +title = "aws_transit_gateway_multicast_group_member resource" + +draft = false + + +[menu.aws] +title = "aws_transit_gateway_multicast_group_member" +identifier = "inspec/resources/aws/aws_transit_gateway_multicast_group_member resource" +parent = "inspec/resources/aws" ++++ + +Use the `aws_transit_gateway_multicast_group_member` InSpec audit resource to test properties of a single specific AWS EC2 transit gateway multicast group member. + +The `AWS::EC2::TransitGatewayMulticastGroupMember` resource registers members (network interfaces) with the transit gateway multicast group. + +For additional information, including details on parameters and properties, see the [AWS documentation on AWS EC2 TransitGatewayMulticastGroupMember](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ec2-transitgatewaymulticastgroupmember.html). + +## Syntax + +Ensure that transit gateway group member exists. + +```ruby +describe aws_transit_gateway_multicast_group_member(transit_gateway_multicast_domain_id: "TRANSIT_GATEWAY_MULTICAST_DOMAIN_ID") do + it { should exist } +end +``` + +## Parameters + +`transit_gateway_multicast_domain_id` _(required)_ + +: The transit_gateway_multicast_domain_id is the ID of the multicast domain transit gateway. + +## Properties + +`group_ip_address` +: The IP address of the transit gateway multicast group. + +`transit_gateway_attachment_id` +: The attachment ID of the transit gateway. + +`subnet_id` +: The ID of the subnet. + +`resource_id` +: The ID of the resource. + +`resource_type` +: The type of the resource. + +`resource_owner_id` +: The Owner ID of the resource. + +`network_interface_id` +: The network interface ID of the resource. + +`group_member` +: The resource is a group member. Valid values are `true` and `false`. + +`group_source` +: The resource is a group source. Valid values are `true` and `false`. + +`member_type` +: The member type. Valid values are `igmp` and `static`. 
+ +`source_type` +: The source type. Valid values are `igmp` and `static`. + +## Examples + +Ensure a group IP address is available: + +```ruby +describe aws_transit_gateway_multicast_group_member(transit_gateway_multicast_domain_id: "TRANSIT_GATEWAY_MULTICAST_DOMAIN_ID") do + its('group_ip_address') { should eq 'GROUP_IP_ADDRESS' } +end +``` + +Ensure that the resource type is `vpc`: + +```ruby +describe aws_transit_gateway_multicast_group_member(transit_gateway_multicast_domain_id: "TRANSIT_GATEWAY_MULTICAST_DOMAIN_ID") do + its('resource_type') { should eq 'vpc' } +end +``` + +## Matchers + +{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}} + +The controls will pass if the `search` method returns at least one result. + +### exist + +Use `should` to test that the entity exists. + +```ruby +describe aws_transit_gateway_multicast_group_member(transit_gateway_multicast_domain_id: "TRANSIT_GATEWAY_MULTICAST_DOMAIN_ID") do + it { should exist } +end +``` + +Use `should_not` to test the entity does not exist. + +```ruby +describe aws_transit_gateway_multicast_group_member(transit_gateway_multicast_domain_id: "dummy") do + it { should_not exist } +end +``` + +### be_available + +Use `should` to check if the entity is available. + +```ruby +describe aws_transit_gateway_multicast_group_member(transit_gateway_multicast_domain_id: "TRANSIT_GATEWAY_MULTICAST_DOMAIN_ID") do + it { should be_available } +end +``` + +## AWS Permissions + +{{% inspec-aws/aws_permissions_principal action="EC2:Client:SearchTransitGatewayMulticastGroupsResult" %}} diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_transit_gateway_multicast_group_members.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_transit_gateway_multicast_group_members.md new file mode 100644 index 0000000..0fa5e41 --- /dev/null +++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_transit_gateway_multicast_group_members.md 
@@ -0,0 +1,146 @@ ++++ +title = "aws_transit_gateway_multicast_group_members resource" + +draft = false + + +[menu.aws] +title = "aws_transit_gateway_multicast_group_members" +identifier = "inspec/resources/aws/aws_transit_gateway_multicast_group_members resource" +parent = "inspec/resources/aws" ++++ + +Use the `aws_transit_gateway_multicast_group_members` Chef InSpec audit resource to test properties of multiple AWS EC2 transit gateway multicast group members. + +The `AWS::EC2::TransitGatewayMulticastGroupMember` resource registers members (network interfaces) with the transit gateway multicast group. + +For additional information, including details on parameters and properties, see the [AWS documentation on AWS EC2 TransitGatewayMulticastGroupMember](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ec2-transitgatewaymulticastgroupmember.html). + +## Syntax + +Ensure that transit gateway multicast group member exists. + +```ruby +describe aws_transit_gateway_multicast_group_members(transit_gateway_multicast_domain_id: "TRANSIT_GATEWAY_MULTICAST_DOMAIN_ID") do + it { should exist } +end +``` + +## Parameters + +`transit_gateway_multicast_domain_id` _(required)_ + +: The ID of the transit gateway multicast domain. + +## Properties + +`group_ip_addresses` +: The IP address of the transit gateway multicast group. + +: **Field**: `group_ip_address` + +`transit_gateway_attachment_ids` +: The attachment id of the transit gateway. + +: **Field**: `transit_gateway_attachment_id` + +`subnet_ids` +: The ID of the subnet. + +: **Field**: `subnet_id` + +`resource_ids` +: The ID of the resource. + +: **Field**: `resource_id` + +`resource_types` +: The type of the resource. + +: **Field**: `resource_type` + +`resource_owner_ids` +: The Owner ID of the resource. + +: **Field**: `resource_owner_id` + +`network_interface_ids` +: The network interface ID of the resource. 
+ +: **Field**: `network_interface_id` + +`group_members` +: The resource is a group member. Valid values are `true` and `false`. + +: **Field**: `group_member` + +`group_sources` +: The resource is a group source. Valid values are `true` and `false`. + +: **Field**: `group_source` + +`member_types` +: The member type. Valid values are `igmp` and `static`. + +: **Field**: `member_type` + +`source_types` +: The source type. Valid values are `igmp` and `static`. + +: **Field**: `source_type` + +## Examples + +Ensure a transit gateway attachment ID is available: + +```ruby +describe aws_transit_gateway_multicast_group_members(transit_gateway_multicast_domain_id: "TRANSIT_GATEWAY_MULTICAST_DOMAIN_ID") do + its('transit_gateway_attachment_ids') { should include 'TRANSIT_GATEWAY_ATTACHMENT_ID' } +end +``` + +Ensure that the group members are available: + +```ruby +describe aws_transit_gateway_multicast_group_members(transit_gateway_multicast_domain_id: "TRANSIT_GATEWAY_MULTICAST_DOMAIN_ID") do + its('group_members') { should include true } +end +``` + +## Matchers + +{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}} + +The controls will pass if the `search` method returns at least one result. + +### exist + +Use `should` to test that the entity exists. + +```ruby +describe aws_transit_gateway_multicast_group_members(transit_gateway_multicast_domain_id: "TRANSIT_GATEWAY_MULTICAST_DOMAIN_ID") do + it { should exist } +end +``` + +Use `should_not` to test the entity does not exist. + +```ruby +describe aws_transit_gateway_multicast_group_members(transit_gateway_multicast_domain_id: "TRANSIT_GATEWAY_MULTICAST_DOMAIN_ID") do + it { should_not exist } +end +``` + +### be_available + +Use `should` to check if the entity is available. 
+ +```ruby +describe aws_transit_gateway_multicast_group_members(transit_gateway_multicast_domain_id: "TRANSIT_GATEWAY_MULTICAST_DOMAIN_ID") do + it { should be_available } +end +``` + +## AWS Permissions + +{{% inspec-aws/aws_permissions_principal action="EC2:Client:SearchTransitGatewayMulticastGroupsResult" %}} diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_transit_gateway_multicast_group_source.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_transit_gateway_multicast_group_source.md new file mode 100644 index 0000000..33e58ca --- /dev/null +++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_transit_gateway_multicast_group_source.md 
@@ -0,0 +1,124 @@ ++++ +title = "aws_transit_gateway_multicast_group_source resource" + +draft = false + + +[menu.aws] +title = "aws_transit_gateway_multicast_group_source" +identifier = "inspec/resources/aws/aws_transit_gateway_multicast_group_source resource" +parent = "inspec/resources/aws" ++++ + +Use the `aws_transit_gateway_multicast_group_source` InSpec audit resource to test properties of a single source (network interface) of an AWS EC2 transit gateway multicast domain group. + +The `AWS::EC2::TransitGatewayMulticastGroupSource` resource registers sources (network interfaces) with the specified transit gateway multicast domain. + +For additional information, including details on parameters and properties, see the [AWS documentation on AWS EC2 TransitGatewayMulticastGroupSource](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ec2-transitgatewaymulticastgroupsource.html). + +## Syntax + +Ensure that a transit gateway group source exists. + +```ruby +describe aws_transit_gateway_multicast_group_source(transit_gateway_multicast_domain_id: "TRANSIT_GATEWAY_MULTICAST_DOMAIN_ID") do + it { should exist } +end +``` + +## Parameters + +`transit_gateway_multicast_domain_id` _(required)_ + +: The ID of the transit gateway multicast domain. + +## Properties + +`group_ip_address` +: The IP address of the transit gateway multicast group. + +`transit_gateway_attachment_id` +: The attachment ID of the transit gateway. + +`subnet_id` +: The ID of the subnet. + +`resource_id` +: The ID of the resource. + +`resource_type` +: The type of the resource. Valid values are `vpc`, `vpn`, `direct-connect-gateway`, and `tgw-peering`. + +`resource_owner_id` +: The owner ID of the resource. + +`network_interface_id` +: The network interface ID of the resource. + +`group_member` +: Whether the resource is a group member. Valid values are `true` and `false`. + +`group_source` +: Whether the resource is a group source. Valid values are `true` and `false`. 
+ +`member_type` +: The member type. Valid values are `igmp` and `static`. + +`source_type` +: The source type. Valid values are `igmp` and `static`. + +## Examples + +Ensure a group IP address is available: + +```ruby +describe aws_transit_gateway_multicast_group_source(transit_gateway_multicast_domain_id: "TRANSIT_GATEWAY_MULTICAST_DOMAIN_ID") do + its('group_ip_address') { should eq 'IP_ADDRESS' } +end +``` + +Ensure that the resource type is `vpc`: + +```ruby +describe aws_transit_gateway_multicast_group_source(transit_gateway_multicast_domain_id: "TRANSIT_GATEWAY_MULTICAST_DOMAIN_ID") do + its('resource_type') { should eq 'vpc' } +end +``` + +## Matchers + +{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}} + +The controls will pass if the `search` method returns at least one result. + +### exist + +Use `should` to test that the entity exists. + +```ruby +describe aws_transit_gateway_multicast_group_source(transit_gateway_multicast_domain_id: "TRANSIT_GATEWAY_MULTICAST_DOMAIN_ID") do + it { should exist } +end +``` + +Use `should_not` to test the entity does not exist. + +```ruby +describe aws_transit_gateway_multicast_group_source(transit_gateway_multicast_domain_id: "dummy") do + it { should_not exist } +end +``` + +### be_available + +Use `should` to check if the entity is available. + +```ruby +describe aws_transit_gateway_multicast_group_source(transit_gateway_multicast_domain_id: "TRANSIT_GATEWAY_MULTICAST_DOMAIN_ID") do + it { should be_available } +end +``` + +## AWS Permissions + +{{% inspec-aws/aws_permissions_principal action="EC2:Client:SearchTransitGatewayMulticastGroupsResult" %}} diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_transit_gateway_multicast_group_sources.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_transit_gateway_multicast_group_sources.md new file mode 100644 index 0000000..d109b29 --- /dev/null 
+++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_transit_gateway_multicast_group_sources.md 
@@ -0,0 +1,146 @@ ++++ +title = "aws_transit_gateway_multicast_group_sources resource" + +draft = false + + +[menu.aws] +title = "aws_transit_gateway_multicast_group_sources" +identifier = "inspec/resources/aws/aws_transit_gateway_multicast_group_sources resource" +parent = "inspec/resources/aws" ++++ + +Use the `aws_transit_gateway_multicast_group_sources` InSpec audit resource to test properties of the sources (network interfaces) of multiple AWS EC2 transit gateway multicast domain groups. + +The `AWS::EC2::TransitGatewayMulticastGroupSource` resource registers sources (network interfaces) with the specified transit gateway multicast domain. + +For additional information, including details on parameters and properties, see the [AWS documentation on AWS EC2 TransitGatewayMulticastGroupSource](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ec2-transitgatewaymulticastgroupsource.html). + +## Syntax + +Ensure that a transit gateway multicast group source exists. + +```ruby +describe aws_transit_gateway_multicast_group_sources(transit_gateway_multicast_domain_id: "TRANSIT_GATEWAY_MULTICAST_DOMAIN_ID") do + it { should exist } +end +``` + +## Parameters + +`transit_gateway_multicast_domain_id` _(required)_ + +: The ID of the transit gateway multicast domain. + +## Properties + +`group_ip_addresses` +: The IP address of the transit gateway multicast group. + +: **Field**: `group_ip_address` + +`transit_gateway_attachment_ids` +: The attachment ID of the transit gateway. + +: **Field**: `transit_gateway_attachment_id` + +`subnet_ids` +: The ID of the subnet. + +: **Field**: `subnet_id` + +`resource_ids` +: The ID of the resource. + +: **Field**: `resource_id` + +`resource_types` +: The type of the resource. Valid values are `vpc`, `vpn`, `direct-connect-gateway`, and `tgw-peering`. + +: **Field**: `resource_type` + +`resource_owner_ids` +: The Owner ID of the resource. 
+ +: **Field**: `resource_owner_id` + +`network_interface_ids` +: The network interface ID of the resource. + +: **Field**: `network_interface_id` + +`group_members` +: Wether the resource is a group member. Valid values are `true` and `false`. + +: **Field**: `group_member` + +`group_sources` +: Wether the resource is a group source. Valid values are `true` and `false`. + +: **Field**: `group_source` + +`member_types` +: The member type. Valid values are `igmp` and `static`. + +: **Field**: `member_type` + +`source_types` +: The source type. Valid values are `igmp` and `static`. + +: **Field**: `source_type` + +## Examples + +Ensure a transit gateway attachment ID is available: + +```ruby +describe aws_transit_gateway_multicast_group_sources(transit_gateway_multicast_domain_id: "TRANSIT_GATEWAY_MULTICAST_DOMAIN_ID") do + its('transit_gateway_attachment_ids') { should include 'ATTACHMENT_ID' } +end +``` + +Ensure that a group source is available: + +```ruby +describe aws_transit_gateway_multicast_group_sources(transit_gateway_multicast_domain_id: "TRANSIT_GATEWAY_MULTICAST_DOMAIN_ID") do + its('group_sources') { should include true } +end +``` + +## Matchers + +{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}} + +The controls will pass if the `search` method returns at least one result. + +### exist + +Use `should` to test that the entity exists. + +```ruby +describe aws_transit_gateway_multicast_group_sources(transit_gateway_multicast_domain_id: "TRANSIT_GATEWAY_MULTICAST_DOMAIN_ID") do + it { should exist } +end +``` + +Use `should_not` to test the entity does not exist. + +```ruby +describe aws_transit_gateway_multicast_group_sources(transit_gateway_multicast_domain_id: "TRANSIT_GATEWAY_MULTICAST_DOMAIN_ID") do + it { should_not exist } +end +``` + +### be_available + +Use `should` to check if the entity is available. 
+ +```ruby +describe aws_transit_gateway_multicast_group_sources(transit_gateway_multicast_domain_id: "TRANSIT_GATEWAY_MULTICAST_DOMAIN_ID") do + it { should be_available } +end +``` + +## AWS Permissions + +{{% inspec-aws/aws_permissions_principal action="EC2:Client:SearchTransitGatewayMulticastGroupsResult" %}} diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_transit_gateway_route.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_transit_gateway_route.md new file mode 100644 index 0000000..d75df0a --- /dev/null +++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_transit_gateway_route.md 
@@ -0,0 +1,173 @@ ++++ +title = "aws_transit_gateway_route resource" + +draft = false + + +[menu.aws] +title = "aws_transit_gateway_route" +identifier = "inspec/resources/aws/aws_transit_gateway_route resource" +parent = "inspec/resources/aws" ++++ + +Use the `aws_transit_gateway_route` InSpec audit resource to test the properties of a single AWS transit gateway route. + +## Syntax + +An `aws_transit_gateway_route` resource block declares the tests for a single AWS transit gateway route by `transit_gateway_route_table_id`. + +```ruby +describe aws_transit_gateway_route(transit_gateway_route_table_id: 'tgw-rtb-08acd74550c99e589', cidr_block: '0.0.0.0/16') do + it { should exist } +end +``` + +## Parameters + +To set the parameters of the AWS transit gateway route table, **ID** and **CIDR** block is required. + +`transit_gateway_route_table_id` _(required)_ + +: The **ID** of the AWS transit gateway route table: + +: - must contain alphanumeric characters between 1 to 50, or hyphens + +- should start with `tgw-rtb-` +- cannot end with a hyphen or contain two consecutive hyphens + +: The ID of the AWS transit gateway route table should be passed as a `transit_gateway_route_table_id: 'value'` key-value entry in a hash. + +`cidr_block` _(required)_ + +: The **CIDR** block range of the route is associated to the AWS transit gateway route table. It should be passed as a `cidr_block: 'value'` key-value entry in a hash. + +## Properties + +`cidr_block` +: The CIDR block used for destination matches. + +`prefix_list_id` +: The ID of the prefix list used for destination matches. + +`type` +: The type of route. Valid values: `propagated` or `static`. + +`state` +: The state of the route. Valid values: `active` or `blackhole`. + +`attachment_resource_id` +: The resource ID of the transit gateway attachment. Identifiers of relevant resource type. + +`attachment_id` +: The ID of the transit gateway attachment. + +`attachment_resource_type` +: The attachment resource type. 
Valid values are `vpc`, `vpn`, `direct-connect-gateway`, `peering`, `connect`. + +## Examples + +Test if a transit gateway route exists for a transit gateway route table and CIDR block range: + +```ruby +describe aws_transit_gateway_route(transit_gateway_route_table_id: 'tgw-rtb-08acd74550c99e589', cidr_block: '0.0.0.0/16') do + it { should exist } +end +``` + +Test that the ID of the attached VPC is `vpc-00727fc4213acee4a`: + +```ruby +describe aws_transit_gateway_route(transit_gateway_route_table_id: 'tgw-rtb-08acd74550c99e589', cidr_block: '0.0.0.0/16') do + its('attachment_resource_id') { should eq 'vpc-00727fc4213acee4a' } +end +``` + +Test that the ID of the Transit Gateway Attachment is `tgw-attach-0aab89f748131532e`: + +```ruby +describe aws_transit_gateway_route(transit_gateway_route_table_id: 'tgw-rtb-08acd74550c99e589', cidr_block: '0.0.0.0/16') do + its('attachment_id') { should eq 'tgw-attach-0aab89f748131532e' } +end +``` + +Test that the attachment resource type is `vpc`: + +```ruby +describe aws_transit_gateway_route(transit_gateway_route_table_id: 'tgw-rtb-08acd74550c99e589', cidr_block: '0.0.0.0/16') do + its('attachment_resource_type') { should eq 'vpc' } +end +``` + +Test that the prefix list ID is `pl-4ca54025`: + +```ruby +describe aws_transit_gateway_route(transit_gateway_route_table_id: 'tgw-rtb-08acd74550c99e589', cidr_block: '0.0.0.0/16') do + its('prefix_list_id') { should eq 'pl-4ca54025' } +end +``` + +## Matchers + +This InSpec audit resource has the following special matchers. For a complete list of available matchers, visit [matchers page](https://www.inspec.io/docs/reference/matchers/). 
+ +### exist + +```ruby +describe aws_transit_gateway_route(transit_gateway_route_table_id: 'tgw-rtb-08acd74550c99e589', cidr_block: '0.0.0.0/16') do + it { should exist } +end +``` + +### be_static + +```ruby +describe aws_transit_gateway_route(transit_gateway_route_table_id: 'tgw-rtb-08acd74550c99e589', cidr_block: '0.0.0.0/16') do + it { should be_static } +end +``` + +### be_propagated + +```ruby +describe aws_transit_gateway_route(transit_gateway_route_table_id: 'tgw-rtb-08acd74550c99e911', cidr_block: '0.0.0.0/16') do + it { should be_propagated } +end +``` + +### be_active + +```ruby +describe aws_transit_gateway_route(transit_gateway_route_table_id: 'tgw-rtb-08acd74550c99e589', cidr_block: '0.0.0.0/16') do + it { should be_active } +end +``` + +### be_blackhole + +```ruby +describe aws_transit_gateway_route(transit_gateway_route_table_id: 'tgw-rtb-08acd74550c99e911', cidr_block: '0.0.0.0/17') do + it { should be_blackhole } +end +``` + +### be_vpc_attachment + +```ruby +describe aws_transit_gateway_route(transit_gateway_route_table_id: 'tgw-rtb-08acd74550c99e589', cidr_block: '0.0.0.0/16') do + it { should be_vpc_attachment } +end +``` + +### be_vpn_attachment + +```ruby +describe aws_transit_gateway_route(transit_gateway_route_table_id: 'tgw-rtb-08acd74550c99e711', cidr_block: '0.0.0.0/16') do + it { should be_vpn_attachment } +end +``` + +## AWS Permissions + +{{% inspec-aws/aws_permissions_principal action="EC2:Client:DescribeTransitGatewayRouteTablesResult" %}} + +Get the detailed document at [Actions, Resources, and Condition Keys for transit gateway route](https://docs.aws.amazon.com/vpc/latest/userguide/vpc-policy-examples.html), and [Actions, Resources, and Condition Keys for Identity And Access Management](https://docs.aws.amazon.com/IAM/latest/UserGuide/list_identityandaccessmanagement.html). 
diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_transit_gateway_routes.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_transit_gateway_routes.md new file mode 100644 index 0000000..0cba633 --- /dev/null +++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_transit_gateway_routes.md 
@@ -0,0 +1,212 @@ ++++ +title = "aws_transit_gateway_routes resource" + +draft = false + + +[menu.aws] +title = "aws_transit_gateway_routes" +identifier = "inspec/resources/aws/aws_transit_gateway_routes resource" +parent = "inspec/resources/aws" ++++ + +Use the `aws_transit_gateway_routes` InSpec audit resource to test the properties of all Route for a AWS transit gateway route table. +To audit a single gateway route, use the `aws_transit_gateway_route` (singular) resource. + +## Syntax + +An `aws_transit_gateway_routes` resource block collects a group of transit gateway routes' descriptions and tests that group. + +```ruby +describe aws_transit_gateway_route(transit_gateway_route_table_id: 'tgw-rtb-08acd74550c99e589') + it { should exist } +end +``` + +## Parameters + +To set the parameters of the AWS transit gateway route table, **ID** is required. + +The following additional parameters are optional: + +- `exact_match` +- `longest_prefix_match` +- `subnet_of_match` +- `supernet_of_match` + +`transit_gateway_route_table_id` _(required)_ + +: The **ID** of the AWS transit gateway route table: + +: - must contain alphanumeric characters between 1 to 50, or hyphens + +- should start with `tgw-rtb-` +- cannot end with a hyphen or contain two consecutive hyphens + +: The ID of the AWS transit gateway route table should be passed as a `transit_gateway_route_table_id: 'value'` key-value entry in a hash. + +`exact_match` + +: The exact match of the **CIDR** block is used for destination matches. It could be passed as a `exact_match: 'value'` key-value entry in a hash. + +`longest_prefix_match` + +: The longest prefix that matches the route. It could be passed as a `longest_prefix_match: 'value'` key-value entry in a hash. + +`subnet_of_match` + +: The routes with a subnet that match the specified CIDR filter. It could be passed as a `subnet_of_match: 'value'` key-value entry in a hash. + +`supernet_of_match` + +: The routes with a CIDR that encompass the CIDR filter. 
For example, if you have 10.0.1.0/29 and 10.0.1.0/31 routes in your route table and you specify supernet-of-match as 10.0.1.0/30, then the result returns 10.0.1.0/29. + It could be passed as a `supernet_of_match: 'value'` key-value entry in a hash. + +## Properties + +`cidr_blocks` +: All the CIDR blocks used for destination matches. + +: **Field**: `cidr_block` + +`prefix_list_ids` +: The IDs of the prefix list used for destination matches. + +: **Field**: `prefix_list_id` + +`types` +: The type of all routes. Valid values: `propagated` or `static`. + +: **Field**: `type` + +`states` +: The state of the routes. Valid values: `active` or `blackhole`. + +: **Field**: `state` + +`static` +: Boolean flag to determine whether the route type is static. + +: **Field**: `static` + +`propagated` +: Boolean flag to determine whether the route type is propagated. + +: **Field**: `propagated` + +`active` +: Boolean flag to determine whether the route state is active. + +: **Field**: `active` + +`blackhole` +: Boolean flag to determine whether the route state is blackhole. + +: **Field**: `blackhole` + +`attachment_ids` +: The id of the transit gateway attachment. + +: **Field**: `attachment_id` + +`attachment_resource_ids` +: The resource IDs of all the transit gateway attachments. Identifiers of relevant resource types. + +: **Field**: `attachment_resource_id` + +`attachment_resource_types` +: The attachment resource type. Valid values are `vpc`, `vpn`, `direct-connect-gateway`, `peering` `connect`. + +: **Field**: `attachment_resource_type` + +`attached_vpc_ids` +: The VPC IDs of all the transit gateway attachments. 
+ +: **Field**: `attached_vpc_id` + +## Examples + +Ensure that exactly three transit gateway routes exist: + +```ruby +describe aws_transit_gateway_route(transit_gateway_route_table_id: 'tgw-rtb-08acd74550c99e589') do + its('count') { should eq 3 } +end +``` + +Filter all transit gateway routes whose CIDR block matches `0.0.0.0/16`: + +```ruby +describe aws_transit_gateway_routes(transit_gateway_route_table_id: 'tgw-rtb-08acd74550c99e589', exact_match: '0.0.0.0/16') do + it { should exist } +end +``` + +```ruby +describe aws_transit_gateway_routes(transit_gateway_route_table_id: 'tgw-rtb-08acd74550c99e589').where(cidr_block: '0.0.0.0/16') do + it { should exist } +end +``` + +Filter all static transit gateway routes: + +```ruby +describe aws_transit_gateway_routes(transit_gateway_route_table_id: 'tgw-rtb-08acd74550c99e589').where(static: true) do + it { should exist } +end +``` + +Filter all static transit gateway blackhole routes: + +```ruby +describe aws_transit_gateway_routes(transit_gateway_route_table_id: 'tgw-rtb-08acd74550c99e589').where(static: true, blackhole: true) do + it { should exist } +end +``` + +Filter all transit gateway routes with destination CIDR blocks matching `10.3.0.0/18`: + +```ruby +describe aws_transit_gateway_routes(transit_gateway_route_table_id: 'tgw-rtb-08acd74550c99e589', supernet_of_match: 10.3.0.0/19) do + it { should exist } + its('cidr_blocks') { should include '10.3.0.0/18' } +end +``` + +Request the CIDR blocks of all transit gateway routes, then test in-depth using `aws_transit_gateway_route`: + +```ruby +aws_transit_gateway_routes(transit_gateway_route_table_id: 'tgw-rtb-08acd74550c99e589').cidr_blocks.each do |cidr_block| + describe aws_transit_gateway_route(transit_gateway_route_table_id: 'tgw-rtb-08acd74550c99e589', cidr_block: cidr_block) do + it { should exist } + end +end +``` + +## Matchers + +For a complete list of available matchers, visit [Universal Matchers page](https://www.inspec.io/docs/reference/matchers/). 
+ +### exist + +The control will pass if the 'describe' method returns at least one result. + +```ruby +describe aws_transit_gateway_routes(transit_gateway_route_table_id: ).where( : ) do + it { should exist } +end +``` + +Use `should_not` to test an entity that should not exist. + +```ruby +describe aws_transit_gateway_routes(transit_gateway_route_table_id: ).where( : ) do + it { should_not exist } +end +``` + +## AWS Permissions + +{{% inspec-aws/aws_permissions_principal action="EC2:Client:DescribeTransitGatewayRouteTablesResult" %}} + +Get the detailed document at [Actions, Resources, and Condition Keys for transit gateway route](https://docs.aws.amazon.com/vpc/latest/userguide/vpc-policy-examples.html), and [Actions, Resources, and Condition Keys for Identity And Access Management](https://docs.aws.amazon.com/IAM/latest/UserGuide/list_identityandaccessmanagement.html). diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_vpc.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_vpc.md new file mode 100644 index 0000000..93801c5 --- /dev/null +++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_vpc.md 
@@ -0,0 +1,303 @@ ++++ +title = "aws_vpc resource" + +draft = false + + +[menu.aws] +title = "aws_vpc" +identifier = "inspec/resources/aws/aws_vpc resource" +parent = "inspec/resources/aws" ++++ + +Use the `aws_vpc` InSpec audit resource to test the properties of a single AWS Virtual Private Cloud (VPC) and the CIDR Block that is used within the VPC. + +Each VPC is uniquely identified by its ID. In addition, each VPC has a non-unique CIDR IP address range (such as 10.0.0.0/16), which it manages. + +Every AWS account has at least one VPC, the "default" VPC, in every region. + +For additional information, including details on parameters and properties, see the [AWS documentation on VPCs](https://docs.aws.amazon.com/vpc/latest/userguide/what-is-amazon-vpc.html). + +## Syntax + +An `aws_vpc` resource block identifies a VPC by ID. If no VPC ID is provided, the default VPC is used. + +Find the default VPC: + +```ruby +describe aws_vpc do + it { should exist } +end +``` + +Find a VPC by ID: + +```ruby +describe aws_vpc('VPC-12345678987654321') do + it { should exist } +end +``` + +Hash syntax for ID: + +```ruby +describe aws_vpc(vpc_id: 'VPC-12345678') do + it { should exist } +end +``` + +## Parameters + +If no parameter is provided, the subscription's default VPC will be returned. + +`vpc_id` _(optional)_ + +: This resource accepts a single parameter, the VPC ID. + This can be passed either as a string or as a `vpc_id: 'VALUE'` key-value entry in a hash. + +## Properties + +`cidr_block` +: The IPv4 address range that is managed by the VPC. + +`dhcp_options_id` +: The ID of the set of DHCP options associated with the VPC (or `default` if the default options are associated with the VPC). + +`instance_tenancy` +: The allowed tenancy of the instances launched into the VPC. + +`state` +: The state of the VPC. Valid values: `pending` and `available`. + +`vpc_id` +: The ID of the VPC. + +`tags` +: The tags of the VPC. + +`associated_cidr_blocks` +: The associated CIDR blocks. 
+ +`disassociated_cidr_blocks` +: The CIDR blocks that are disassociated. + +`failed_cidr_blocks` +: The failed CIDR block associations. + +`associating_cidr_blocks` +: The CIDR block associations that are yet in the pending stage. + +`disassociating` +: The CIDR block associations that are yet in the disassociating stage. + +`failing` +: The CIDR block associations that are yet in failing stage. + +## Examples + +The following examples show how to use this InSpec audit resource. + +Test the CIDR Block of a named VPC: + +```ruby +describe aws_vpc('VPC-87654321') do + its('cidr_block') { should cmp '10.0.0.0/16' } +end +``` + +Test the state of the VPC: + +```ruby +describe aws_vpc do + its ('STATE') { should eq 'AVAILABLE' } +or equivalently: + + it { should be_available } +end +``` + +Test the allowed tenancy of instances launched into the VPC: + +```ruby +describe aws_vpc do + its ('INSTANCE_TENANCY') { should eq 'DEFAULT' } + it { should be_default_instance } + it { should_not be_dedicated_instance } + it { should_not be_host_instance } +end +``` + +Test tags on the VPC: + +```ruby +describe aws_vpc do + its('TAGS') { should include(:Environment => 'ENV-NAME', + :Name => 'VPC-NAME')} +end +``` + +Test if the IPV6 CIDR Block is associated to a named VPC: + +```ruby +describe aws_vpc do + it { should have_ipv6_cidr_block_associated?(aws_ipv_6_cidr_block_association_set_ipv_6_cidr_block) } +end +``` + +Test if the CIDR Block is associated to a named VPC: + +```ruby +describe aws_vpc do + it { should have_cidr_block_associated?(aws_cidr_block) } +end +``` + +## Matchers + +This InSpec audit resource has the following special matchers. For a complete list of available matchers, please visit our [matchers page](https://www.inspec.io/docs/reference/matchers/). + +### be_default + +The test will pass if the identified VPC is the default VPC for the region. 
+ +```ruby +describe aws_vpc('VPC-87654321') do + it { should be_default } +end +``` + +### be_available + +The test will pass if the identified VPC has a `available` state. + +```ruby +describe aws_vpc('VPC-87654321') do + it { should be_available } +end +``` + +### be_pending + +Check if the identified VPC has a `pending` state. + +```ruby +describe aws_vpc('VPC-123456') do + it { should be_pending } +end +``` + +### be_default_instance + +Check if the identified VPC has a `default` instance tendency. + +```ruby +describe aws_vpc('VPC-87654321') do + it { should be_default_instance } +end +``` + +### be_dedicated_instance + +Check if the identified VPC has a `dedicated` instance tendency. + +```ruby +describe aws_vpc('VPC-87654321') do + it { should be_dedicated_instance } +end +``` + +### be_host_instance + +Check if the identified VPC has a `host` instance tendency. + +```ruby +describe aws_vpc('VPC-87654321') do + it { should be_host_instance } +end +``` + +### have_cidr_block_associated + +Check if a cidr block is associated to the identified VPC. + +```ruby +describe aws_vpc('VPC-87654321') do + it { should have_cidr_block_associated('10.0.0.0/27') } +end +``` + +### have_cidr_block_association_failed + +Check if a cidr block has failed to associated to the identified VPC. + +```ruby +describe aws_vpc('VPC-87654321') do + it { should have_cidr_block_failed('10.0.0.0/27') } +end +``` + +### have_cidr_block_disassociated + +Check if a cidr block has failed to associated to the identified VPC. + +```ruby +describe aws_vpc('VPC-87654321') do + it { should have_cidr_block_disassociated('10.0.0.0/27') } +end +``` + +### have_ipv6_cidr_block_associated + +Check if the IPV6 cidr block is associated to the identified VPC. + +```ruby +describe aws_vpc('VPC-87654321') do + it { should have_ipv6_cidr_block_associated('2600:1f16:409:6700::/56') } +end +``` + +### have_ipv6_cidr_block_disassociated + +Check if the IPV6 cidr block is disassociated to the identified VPC. 
+ +```ruby +describe aws_vpc('VPC-87654321') do + it { should have_ipv6_cidr_block_disassociated('2600:1f16:409:6700::/56') } +end +``` + +### have_ipv6_cidr_block_association_failed + +Check if the IPV6 cidr block failed to associate to the identified VPC. + +```ruby +describe aws_vpc('VPC-87654321') do + it { should have_ipv6_cidr_block_association_failed('2600:1f16:409:6700::/56') } +end +``` + +### have_network_border_group_value + +Check if the associated IPV6 cidr block has valid network border group value for the identified VPC. + +```ruby +describe aws_vpc('VPC-87654321') do + it { should have_network_border_group_value(ipv6_cidr_block: '2600:1f16:409:6700::/56', network_border_group: 'us-east-2a') } +end +``` + +### have_ipv6_pool_value + +Check if the associated IPV6 cidr block has valid IPv6 Pool value for the identified VPC. + +```ruby +describe aws_vpc('VPC-87654321') do + it { should have_ipv6_pool_value(ipv6_cidr_block: '2600:1f16:409:6700::/56', ipv6_pool: 'Amazon') } +end +``` + +## AWS Permissions + +{{% inspec-aws/aws_permissions_principal action="EC2:Client:DescribeVpcsResult" %}} + +You can find the detailed documentation at [Actions, Resources, and Condition Keys for Amazon EC2](https://docs.aws.amazon.com/IAM/latest/UserGuide/list_amazonec2.html). diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_vpc_endpoint.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_vpc_endpoint.md new file mode 100644 index 0000000..7527944 --- /dev/null +++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_vpc_endpoint.md 
@@ -0,0 +1,225 @@ ++++ +title = "aws_vpc_endpoint resource" + +draft = false + + +[menu.aws] +title = "aws_vpc_endpoint" +identifier = "inspec/resources/aws/aws_vpc_endpoint resource" +parent = "inspec/resources/aws" ++++ + +Use the `aws_vpc_endpoint` InSpec audit resource to test properties of a single specific AWS VPC Endpoint. + +A VPC Endpoint is uniquely identified by the VPC Endpoint ID (e.g vpce-123456abcdef12345) + +For additional information, including details on parameters and properties, see the [AWS documentation on VPC Endpoints](https://docs.aws.amazon.com/vpc/latest/userguide/vpc-endpoints.html). + +## Syntax + +Ensure that a VPC Endpoint exists. + +Find a VPC Endpoint by ID: + +```ruby +describe aws_vpc_endpoint('vpce-12345678987654321') do + it { should exist } +end +``` + +Hash syntax for ID: + +```ruby +describe aws_vpc_endpoint(vpc_endpoint_id: 'vpce-12345678987654321') do + it { should exist } +end +``` + +Ensure that a VPC Endpoint is available. + +```ruby +describe aws_vpc_endpoint('vpce-12345678987654321') do + its('state') { should be 'available' } +end +``` + +Alternative using a matcher: + +```ruby +describe aws_vpc_endpoint('vpce-12345678987654321') do + its('state') { should be_available } +end +``` + +Confirm that the route table configured to a VPC Endpoint is as expected. + +```ruby +describe aws_vpc_endpoint('vpce-12345678987654321') do + its('route_table_ids') { should include 'rtb-1234456123456abcde' } +end +``` + +Confirm that the type of a VPC Endpoint is as expected. + +```ruby +describe aws_vpc_endpoint('vpce-12345678987654321') do + its('vpc_endpoint_type') { should be 'Gateway' } +end +``` + +Alternative using a matcher: + +```ruby +describe aws_vpc_endpoint('vpce-12345678987654321') do + its('vpc_endpoint_type') { should be_gateway } +end +``` + +## Parameters + +`vpc_endpoint_id` + +: The VPC endpoint ID. + This can be passed either as a string or as a `vpc_endpoint_id: 'value'` key-value entry in a hash. 
+ +## Properties + +`vpc_endpoint_id` +: The ID of the endpoint. + +`vpc_endpoint_type` +: One of "Interface", "Gateway". + +`vpc_id` +: The ID of the VPC in which the endpoint resides. + +`state` +: State of the VPC Endpoint. One of "pendingacceptance", "pending", "available", "deleting", "deleted", "rejected", "failed", "expired". + +`route_table_ids` +: The route table IDs for the Gateway type endpoint. + +`subnet_ids` +: The subnet IDs for the Interface type endpoint. + +`groups` +: The Security Groups for the Interface type endpoint. + +`private_dns_enabled` +: Boolean value for Private DNS enable status. + +`network_interface_ids` +: The Network Interface IDs for the Interface type endpoint. + +`dns_entries` +: The DNS Entries for the VPC Endpoint. + +`tags` +: The key/value combination of a tag assigned to the resource. + +## Examples + +Ensure a VPC Endpoint is available: + +```ruby +describe aws_vpc_endpoint(vpc_endpoint_id: 'vpce-12345678987654321') do + its('state') { should eq 'available' } +end +``` + +Ensure that the endpoint is of Gateway type: + +```ruby +describe aws_vpc_endpoint(vpc_endpoint_id: 'vpce-12345678987654321') do + its('vpc_endpoint_type') { should eq 'Gateway' } +end +``` + +Check tags : + +```ruby +describe aws_vpc_endpoint do + its('tags') { should include(:Environment => 'env-name', + :Name => 'vpce-name')} +end +``` + +## Matchers + +{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}} + +The controls will pass if the describe returns at least one result. + +### exist + +Use `should_not` to test the entity should not exist. + +```ruby +describe aws_vpc_endpoint(vpc_endpoint_id: 'vpce-12345678987654321') do + it { should exist } +end +``` + +```ruby +describe aws_vpc_endpoint(vpc_endpoint_id: 'vpce-12345678987654321') do + it { should_not exist } +end +``` + +### be_available + +Checks if the VPC Endpoint is in available state. +Use `should_not` to test the entity should not exist. 
+ +```ruby +describe aws_vpc_endpoint(vpc_endpoint_id: 'vpce-12345678987654321') do + it { should be_available } +end +``` + +```ruby +describe aws_vpc_endpoint(vpc_endpoint_id: 'vpce-12345678987654321') do + it { should_not be_available } +end +``` + +### be_interface + +Checks if the VPC Endpoint type is Interface. +Use `should_not` to test the entity should not exist. + +```ruby +describe aws_vpc_endpoint(vpc_endpoint_id: 'vpce-12345678987654321') do + it { should be_interface } +end +``` + +```ruby +describe aws_vpc_endpoint(vpc_endpoint_id: 'vpce-12345678987654321') do + it { should_not be_interface } +end +``` + +### be_gateway + +Checks if the VPC Endpoint type is Gateway. +Use `should_not` to test the entity should not exist. + +```ruby +describe aws_vpc_endpoint(vpc_endpoint_id: 'vpce-12345678987654321') do + it { should be_gateway } +end +``` + +```ruby +describe aws_vpc_endpoint(vpc_endpoint_id: 'vpce-12345678987654321') do + it { should_not be_gateway } +end +``` + +## AWS Permissions + +{{% inspec-aws/aws_permissions_principal action="EC2:Client:DescribeVpcEndpointsResult" %}} + +You can find detailed documentation at [Actions, Resources, and Condition Keys for Amazon EC2](https://docs.aws.amazon.com/IAM/latest/UserGuide/list_amazonec2.html). diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_vpc_endpoint_notification.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_vpc_endpoint_notification.md new file mode 100644 index 0000000..1e471d4 --- /dev/null +++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_vpc_endpoint_notification.md 
@@ -0,0 +1,121 @@ ++++ +title = "aws_vpc_endpoint_connection_notification resource" + +draft = false + + +[menu.aws] +title = "aws_vpc_endpoint_connection_notification" +identifier = "inspec/resources/aws/aws_vpc_endpoint_connection_notification resource" +parent = "inspec/resources/aws" ++++ + +Use the `aws_vpc_endpoint_connection_notification` Inspec audit resource to test the properties of a single specific AWS VPC endpoint connection notification. + +For additional information, including details on parameters and properties, see the [AWS VPC endpoint connection notification documentation](https://docs.AWS.amazon.com/AWSCloudFormation/latest/UserGuide/AWS-resource-ec2-vpcendpointconnectionnotification.html). + +## Syntax + +Ensure that an AWS VPC endpoint connection notification exists. + +Find a AWS VPC endpoint connection notification by ID: + +```ruby +describe aws_vpc_endpoint_connection_notification('VPCE-NFN-12345678987654321') do + it { should exist } +end +``` + +Hash syntax for ID: + +```ruby +describe aws_vpc_endpoint_connection_notification(connection-notification-id: 'VPCE-NFN-12345678987654321') do + it { should exist } +end +``` + +## Parameters + +`connection_notification_id` _(required)_ + +: This resource expects the AWS VPC endpoint connection notification ID as a parameter. + This can be passed either as a string or as a `connection_notification_id: 'VALUE'` key-value entry in a hash. + +## Properties + +`vpc_endpoint_id` +: The ID of the endpoint. + +`connection_notification_id` +: The ID of the AWS VPC endpoint connection notification. + +`service_id` +: The ID of the endpoint service. + +`connection_notification_type` +: The type of notification. + +`connection_notification_arn` +: The ARN of the SNS topic for the notifications. + +`connection_events` +: The endpoint events to receive a notification about. Valid values: `Accept`, `Connect`, `Delete`, and `Reject`. 
+ +`connection_notification_state` +: The state of the AWS VPC endpoint connection notification. Valid values: `Enabled`, `Disabled`. + +## Examples + +Ensure an AWS VPC endpoint connection notification's ARN is available: + +```ruby +describe aws_vpc_endpoint_connection_notification(connection_notification_id: 'VPCE-NFN-12345678987654321') do + its('CONNECTION_NOTIFICATION_ARN') { should eq 'ARN:AWS:SNS:US-EAST-2:112758395563:AWS-SNS-TOPIC-ENCRYPTION-BLOIXLVRSNFYBLZXNBGCBVHJU' } +end +``` + +Ensure that the VPC endpoint connection notification has a type using a key-value hash: + +```ruby +describe aws_vpc_endpoint_connection_notification(connection_notification_id: 'VPCE-NFN-12345678987654321') do + its('connection_notification_type') { should eq 'TOPIC' } +end +``` + +Verify the ARN of a VPC endpoint connection notification: + +```ruby +describe aws_vpc_endpoint_connection_notification('VPCE-NFN-12345678987654321') do + its('CONNECTION_NOTIFICATION_ARN') { should eq 'ARN:AWS:SNS:US-EAST-2:112758395563:AWS-SNS-TOPIC-ENCRYPTION-BLOIXLVRSNFYBLZXNBGCBVHJU' } +end +``` + +## Matchers + +This InSpec audit resource has the following special matchers. For the complete list of the available matchers, please visit our [Universal Matchers page](https://www.inspec.io/docs/reference/matchers/). + +The controls will pass if the `describe` returns at least one result. + +### exist + +Use `should_not` to test the entity should not exist. + +```ruby +describe aws_vpc_endpoint_connection_notification(connection-notification-id: 'VPCE-NFN-12345678987654321') do + it { should exist } +end +``` + +Use `should` to test the entity should not exists. 
+ +```ruby +describe aws_vpc_endpoint_connection_notification(connection-notification-id: 'VPCE-NFN-12345678987654321') do + it { should_not exist } +end +``` + +## AWS Permissions + +{{% inspec-aws/aws_permissions_principal action="EC2:Client:DescribeVpcEndpointConnectionNotificationsResult" %}} + +You can find the detailed documentation at [Actions, Resources, and Condition Keys for Amazon EC2](https://docs.AWS.amazon.com/IAM/latest/UserGuide/list_amazonec2.html). diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_vpc_endpoint_notifications.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_vpc_endpoint_notifications.md new file mode 100644 index 0000000..ffbf818 --- /dev/null +++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_vpc_endpoint_notifications.md 
@@ -0,0 +1,116 @@ ++++ +title = "aws_vpc_endpoint_connection_notifications resource" + +draft = false + + +[menu.aws] +title = "aws_vpc_endpoint_connection_notifications" +identifier = "inspec/resources/aws/aws_vpc_endpoint_connection_notifications resource" +parent = "inspec/resources/aws" ++++ + +Use the `aws_vpc_endpoint_connection_notifications` InSpec audit resource to test the properties of multiple AWS VPC endpoint connection notification. + +## Syntax + +Ensure that an AWS VPC endpoint connection notification exists. + +```ruby +describe aws_vpc_endpoint_connection_notifications do + it { should exist } +end +``` + +See the [AWS VPC endpoint connection notification documentation](https://docs.AWS.amazon.com/AWSCloudFormation/latest/UserGuide/AWS-resource-ec2-vpcendpointconnectionnotification.html). + +## Parameters + +This resource does not require any parameters. + +## Properties + +`vpc_endpoint_id` +: The ID of the endpoint. + +`connection_notification_id` +: The ID of the AWS VPC endpoint connection notification. + +`service_id` +: The ID of the endpoint service. + +`connection_notification_type` +: The type of notification. + +`connection_notification_arn` +: The ARN of the SNS topic for the notifications. + +`connection_events` +: The endpoint events to receive a notification about. Valid values: `Accept`, `Connect`, `Delete`, and `Reject`. + +`connection_notification_state` +: The state of the AWS VPC endpoint connection notification. Valid values: `Enabled`, `Disabled`. 
+ +## Examples + +Verify an AWS VPC endpoint connection notification exists using the VPC endpoint ID: + +```ruby +describe aws_vpc_endpoint_connection_notifications.where( vpc_endpoint_id: vpc-12345678 ) + it { should exist } +end +``` + +Ensure a AWS VPC endpoint connection notification exists: + +```ruby +describe aws_vpc_endpoint_connection_notifications.where( connection_notification_id: 'VPCE-NFN-03AD3532A5C71F8AF' ) do + it { should exist } +end +``` + +Confirm that the AWS VPC endpoint connection notification ARN is as expected: + +```ruby +describe aws_vpc_endpoint_connection_notifications do + its('CONNECTION_NOTIFICATION_ARNS') { should include 'ARN:AWS:SNS:US-EAST-2:112758395563:AWS-SNS-TOPIC-ENCRYPTION-BLOIXLVRSNFYBLZXNBGCBVHJU' } +end +``` + +Confirm that the type of AWS VPC endpoint connection notification is as expected: + +```ruby +describe aws_vpc_endpoint_connection_notifications do + its('CONNECTION_NOTIFICATION_TYPES') { should include 'TOPIC' } +end +``` + +## Matchers + +This InSpec audit resource has the following special matchers. For a full list of the available matchers, please visit our [Universal Matchers page](https://www.inspec.io/docs/reference/matchers/). + +The controls will pass if the `describe` returns at least one result. + +### exist + +Use `should_not` to test the entity should not exist. + +```ruby +describe aws_vpc_endpoint_connection_notifications(connection-notification-id: 'VPCE-NFN-12345678987654321') do + it { should exist } +end +``` + +Use `should` to test the entity should not exists. 
+ +```ruby +describe aws_vpc_endpoint_connection_notifications(connection-notification-id: 'VPCE-NFN-12345678987654321') do + it { should_not exist } +end +``` + +## AWS Permissions + +{{% inspec-aws/aws_permissions_principal action="EC2:Client:DescribeVpcEndpointConnectionNotificationsResult" %}} + +You can find the detailed documentation at [Actions, Resources, and Condition Keys for Amazon EC2](https://docs.AWS.amazon.com/IAM/latest/UserGuide/list_amazonec2.html). diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_vpc_endpoint_service.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_vpc_endpoint_service.md new file mode 100644 index 0000000..d5f2cb7 --- /dev/null +++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_vpc_endpoint_service.md 
@@ -0,0 +1,155 @@ ++++ +title = "aws_vpc_endpoint_service resource" + +draft = false + + +[menu.aws] +title = "aws_vpc_endpoint_service" +identifier = "inspec/resources/aws/aws_vpc_endpoint_service resource" +parent = "inspec/resources/aws" ++++ + +Use the `aws_vpc_endpoint_service` InSpec audit resource to test the properties of a single AWS VPC endpoint service. + +## Syntax + +An `aws_vpc_endpoint_service` resource block declares the tests for a single AWS VPC endpoint service by `service_name`. + +```ruby +describe aws_vpc_endpoint_service(service_name: 'aws.sagemaker.us-east-2.notebook') do + it { should exist } +end +``` + +## Parameters + +`service_name` _(required)_ + +: The name of the AWS VPC endpoint service. + +: The AWS VPC endpoint service name is required. + It should be passed as a `service_name: 'value'` key-value entry in a hash. + +## Properties + +`service_name` +: The Amazon Resource Name (ARN) of the service. + +`service_id` +: The ID of the endpoint service. + +`service_type` +: The type of service. + +`availability_zones` +: The Availability Zones in which the service is available. + +`owner` +: The AWS account ID of the service owner. + +`base_endpoint_dns_names` +: The DNS names for the service. + +`private_dns_name` +: The private DNS name for the service. 
+ +## Examples + +Test whether VPC endpoint service exists: + +```ruby +describe aws_vpc_endpoint_service(service_name: 'aws.sagemaker.us-east-2.notebook') do + it { should exist } +end +``` + +Test whether the ID of the attached VPC is `vpce-svc-04deb776dc2b8e67f`: + +```ruby +describe aws_vpc_endpoint_service(service_name: 'aws.sagemaker.us-east-2.notebook') do + its('service_id') { should eq 'vpce-svc-04deb776dc2b8e67f' } +end +``` + +Test whether the service_type of the endpoint service is : + +```ruby +describe aws_vpc_endpoint_service(service_name: 'aws.sagemaker.us-east-2.notebook') do + its('service_type') { should eq 'Interface' } +end +``` + +Test whether the availability_zones include a zone of interest: + +```ruby +describe aws_vpc_endpoint_service(service_name: 'aws.sagemaker.us-east-2.notebook') do + its('availability_zones') { should include 'us-east-2a' } +end +``` + +Test whether the base endpoint dns_names include a dns of interest: + +```ruby +describe aws_vpc_endpoint_service(service_name: 'aws.sagemaker.us-east-2.notebook') do + its('base_endpoint_dns_names') { should eq 'vpce-svc-04deb776dc2b8e67f.us-east-2.vpce.amazonaws.com' } +end +``` + +## Matchers + +This InSpec audit resource has the following special matchers. For the complete list of available matchers,visit [matchers page](https://www.inspec.io/docs/reference/matchers/). 
+ +### exist + +```ruby +describe aws_vpc_endpoint_service(service_name: 'aws.sagemaker.us-east-2.notebook') do + it { should exist } +end +``` + +### be_interface + +```ruby +describe aws_vpc_endpoint_service(service_name: 'aws.sagemaker.us-east-2.notebook') do + it { should be_interface } +end +``` + +### be_vpc_endpoint_policy_supported + +```ruby +describe aws_vpc_endpoint_service(service_name: 'aws.sagemaker.us-east-2.notebook') do + it { should be_vpc_endpoint_policy_supported } +end +``` + +### be_acceptance_required + +```ruby +describe aws_vpc_endpoint_service(service_name: 'tgw-rtb-08acd74550c99e911', cidr_block: '0.0.0.0/16') do + it { should be_acceptance_required } +end +``` + +### be_manages_vpc_endpoints + +```ruby +describe aws_vpc_endpoint_service(service_name: 'aws.sagemaker.us-east-2.notebook') do + it { should be_manages_vpc_endpoints } +end +``` + +### be_private_dns_name_verified + +```ruby +describe aws_vpc_endpoint_service(service_name: 'tgw-rtb-08acd74550c99e911', cidr_block: '0.0.0.0/17') do + it { should be_private_dns_name_verified } +end +``` + +## AWS Permissions + +{{% inspec-aws/aws_permissions_principal action="EC2:Client:DescribeVpcEndpointServicesResult" %}} + +You can find detailed documentation at [Actions, Resources, and Condition Keys for VPC endpoint services](https://docs.amazonaws.cn/en_us/vpc/latest/userguide/vpc-policy-examples.html), and [Actions, Resources, and Condition Keys for Identity And Access Management](https://docs.aws.amazon.com/IAM/latest/UserGuide/list_identityandaccessmanagement.html). diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_vpc_endpoint_service_permission.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_vpc_endpoint_service_permission.md new file mode 100644 index 0000000..e8328bb --- /dev/null +++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_vpc_endpoint_service_permission.md 
@@ -0,0 +1,123 @@
++++
+title = "aws_vpc_endpoint_service_permission resource"
+
+draft = false
+
+
+[menu.aws]
+title = "aws_vpc_endpoint_service_permission"
+identifier = "inspec/resources/aws/aws_vpc_endpoint_service_permission resource"
+parent = "inspec/resources/aws"
++++
+
+Use the `aws_vpc_endpoint_service_permission` InSpec audit resource to test the properties of a single AWS VPC endpoint service permission.
+
+## Syntax
+
+An `aws_vpc_endpoint_service_permission` resource block declares the tests for a single AWS VPC endpoint service permission by `service_id` and `principal`.
+
+```ruby
+describe aws_vpc_endpoint_service_permission(service_id: 'VPC_SERVICE_ID', principal: 'arn:aws:iam::AWS_ACCOUNT_ID:user/USER_NAME') do
+ it { should exist }
+end
+```
+
+## Parameters
+
+The AWS VPC endpoint service ID is required.
+
+`service_id` _(required)_
+
+: The ID of the VPC endpoint service:
+
+: - must contain between 1 and 50 alphanumeric characters or hyphens
+
+- should start with `vpce-svc-`
+- cannot end with a hyphen or contain two consecutive hyphens
+
+: For example, `vpce-svc-04deb776dc2b8e67f`.
+
+: It can be passed as a `service_id: 'value'` key-value entry in a hash.
+
+`principal` _(required)_
+
+: The ARN of the principal.
+ It can be passed as a `principal: 'value'` key-value entry in a hash.
+
+## Properties
+
+`principal_type`
+: The type of principal.
+
+`principal`
+: The Amazon Resource Name (ARN) of the principal.
+
+## Examples
+
+Test that a VPC endpoint service permission is available:
+
+```ruby
+describe aws_vpc_endpoint_service_permission(service_id: 'VPC_SERVICE_ID', principal: 'arn:aws:iam::AWS_ACCOUNT_ID:user/USER_NAME') do
+ it { should exist }
+end
+```
+
+## Matchers
+
+{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}}
+
+This resource has the following special matchers.
+
+### exist
+
+```ruby
+describe aws_vpc_endpoint_service_permission(service_id: 'VPC_SERVICE_ID', principal: 'arn:aws:iam::AWS_ACCOUNT_ID:user/USER_NAME') do
+ it { should exist }
+end
+```
+
+### Verify that a principal has a user type
+
+```ruby
+describe aws_vpc_endpoint_service_permission(service_id: 'VPC_SERVICE_ID', principal: 'arn:aws:iam::AWS_ACCOUNT_ID:user/USER_NAME') do
+ it { should be_principal_type_user }
+end
+```
+
+### Verify that a principal does not have an all type
+
+```ruby
+describe aws_vpc_endpoint_service_permission(service_id: 'VPC_SERVICE_ID', principal: 'arn:aws:iam::AWS_ACCOUNT_ID:user/USER_NAME') do
+ it { should_not be_principal_type_all }
+end
+```
+
+### Verify that a principal does not have an organization unit type
+
+```ruby
+describe aws_vpc_endpoint_service_permission(service_id: 'VPC_SERVICE_ID', principal: 'arn:aws:iam::AWS_ACCOUNT_ID:user/USER_NAME') do
+ it { should_not be_principal_type_organization_unit }
+end
+```
+
+### Verify that a principal does not have an account type
+
+```ruby
+describe aws_vpc_endpoint_service_permission(service_id: 'VPC_SERVICE_ID', principal: 'arn:aws:iam::AWS_ACCOUNT_ID:user/USER_NAME') do
+ it { should_not be_principal_type_account }
+end
+```
+
+### Verify that a principal does not have a role type
+
+```ruby
+describe aws_vpc_endpoint_service_permission(service_id: 'VPC_SERVICE_ID', principal: 'arn:aws:iam::AWS_ACCOUNT_ID:user/USER_NAME') do
+ it { should_not be_principal_type_role }
+end
+```
+
+## AWS Permissions
+
+{{% inspec-aws/aws_permissions_principal action="EC2:Client:DescribeVpcEndpointServicePermissionsResult" %}}
+
+You can find detailed documentation at [Actions, Resources, and Condition Keys for Amazon VPC endpoint service permissions](https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeVpcEndpointServicePermissions.html), and [Actions, Resources, and Condition Keys for Identity And Access 
Management](https://docs.aws.amazon.com/IAM/latest/UserGuide/list_identityandaccessmanagement.html).
diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_vpc_endpoint_service_permissions.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_vpc_endpoint_service_permissions.md
new file mode 100644
index 0000000..e2b245e
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_vpc_endpoint_service_permissions.md
@@ -0,0 +1,103 @@
++++
+title = "aws_vpc_endpoint_service_permissions resource"
+
+draft = false
+
+
+[menu.aws]
+title = "aws_vpc_endpoint_service_permissions"
+identifier = "inspec/resources/aws/aws_vpc_endpoint_service_permissions resource"
+parent = "inspec/resources/aws"
++++
+
+Use the `aws_vpc_endpoint_service_permissions` InSpec audit resource to test the properties of all Amazon VPC endpoint service permissions. To audit a single AWS VPC Endpoint service, use the `aws_vpc_endpoint_service_permission` (singular) resource.
+
+## Syntax
+
+An `aws_vpc_endpoint_service_permissions` resource block collects a group of AWS VPC endpoint service permissions descriptions and then tests that group.
+
+```ruby
+describe aws_vpc_endpoint_service_permissions(service_id: 'VPC_SERVICE_ID')
+ it { should exist }
+end
+```
+
+## Parameters
+
+The AWS VPC endpoint service ID is required.
+
+`service_id` _(required)_
+
+: The ID of the VPC endpoint service:
+
+: - must contain between 1 and 50 alphanumeric characters or hyphens
+
+- should start with `vpce-svc-`
+- cannot end with a hyphen or contain two consecutive hyphens
+
+: For example, `vpce-svc-04deb776dc2b8e67f`.
+
+: It can be passed as a `service_id: 'value'` key-value entry in a hash.
+
+## Properties
+
+`principal_types`
+: List of types of principal.
+
+: **Field**: `principal_type`
+
+`principals`
+: List of the Amazon Resource Name (ARN) of the principal.
+
+: **Field**: `principal`
+
+## Examples
+
+Ensure that exactly three AWS VPC endpoint service permissions exist:
+
+```ruby
+describe aws_vpc_endpoint_service_permissions(service_id: 'VPC_SERVICE_ID') do
+ its('count') { should eq 3 }
+end
+```
+
+Request the principals of all AWS VPC endpoint service permissions, then test in-depth using `aws_vpc_endpoint_service_permission`:
+
+```ruby
+aws_vpc_endpoint_service_permissions(service_id: 'VPC_SERVICE_ID').principals.each do |principal|
+ describe aws_vpc_endpoint_service_permission(service_id: 'VPC_SERVICE_ID', principal: 'PRINCIPAL_ARN') do
+ it { should exists }
+ it { should be_principal_type_user }
+ end
+end
+```
+
+## Matchers
+
+{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}}
+
+This resource has the following special matchers.
+
+### exist
+
+The control will pass if the 'describe' method returns at least one result.
+
+```ruby
+describe aws_vpc_endpoint_service_permissions(service_id: 'VPC_SERVICE_ID').where( PROPERTY: VALUE) do
+ it { should exist }
+end
+```
+
+Use `should_not` to test an entity that should not exist.
+
+```ruby
+describe aws_vpc_endpoint_service_permissions(service_id: 'VPC_SERVICE_ID').where( PROPERTY: VALUE) do
+ it { should_not exist }
+end
+```
+
+## AWS Permissions
+
+{{% inspec-aws/aws_permissions_principal action="EC2:Client:DescribeVpcEndpointServicePermissionsResult" %}}
+
+You can find detailed documentation at [Actions, Resources, and Condition Keys for Amazon VPC endpoint service permissions](https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeVpcEndpointServicePermissions.html), and [Actions, Resources, and Condition Keys for Identity And Access Management](https://docs.aws.amazon.com/IAM/latest/UserGuide/list_identityandaccessmanagement.html).
diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_vpc_endpoint_services.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_vpc_endpoint_services.md
new file mode 100644
index 0000000..e984a65
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_vpc_endpoint_services.md
@@ -0,0 +1,166 @@
++++
+title = "aws_vpc_endpoint_services resource"
+
+draft = false
+
+
+[menu.aws]
+title = "aws_vpc_endpoint_services"
+identifier = "inspec/resources/aws/aws_vpc_endpoint_services resource"
+parent = "inspec/resources/aws"
++++
+
+Use the `aws_vpc_endpoint_services` InSpec audit resource to test the properties of all AWS VPC Endpoint Services.
+To audit a single endpoint service, use the `aws_vpc_endpoint_service` (singular) resource.
+
+## Syntax
+
+An `aws_vpc_endpoint_services` resource block collects a group of VPC endpoint services' descriptions and tests the group.
+
+```ruby
+describe aws_vpc_endpoint_services
+ it { should exist }
+end
+```
+
+## Properties
+
+`service_names`
+: The Amazon Resource Names (ARN) of the services.
+
+: **Field**: `service_name`
+
+`service_ids`
+: The IDs of the endpoint services.
+
+: **Field**: `service_id`
+
+`service_types`
+: The types of services.
+
+: **Field**: `service_type`
+
+`availability_zones`
+: The Availability Zones in which the services are available.
+
+: **Field**: `availability_zones`
+
+`owners`
+: The AWS account IDs of the service owners.
+
+: **Field**: `owner`
+
+`base_endpoint_dns_names`
+: The DNS names for the service.
+
+: **Field**: `base_endpoint_dns_names`
+
+`private_dns_name`
+: The private DNS name for the service.
+
+: **Field**: `private_dns_name`
+
+`vpc_endpoint_policy_supported`
+: Whether the service supports endpoint policies. Valid values: `true` or `false`.
+
+: **Field**: `vpc_endpoint_policy_supported`
+
+`acceptance_required`
+: Whether VPC endpoint connection requests to the service must be accepted by the service owner. Valid values: `true` or `false`.
+
+: **Field**: `acceptance_required`
+
+`manages_vpc_endpoints`
+: Whether the service manages its VPC endpoints. Valid values: `true` or `false`.
+
+: **Field**: `manages_vpc_endpoints`
+
+`tags`
+: The tags assigned to the service.
+
+: **Field**: `tags`
+
+`private_dns_name_verification_states`
+: The verification states of the VPC endpoint service.
+
+: **Field**: `private_dns_name_verification_states`
+
+## Examples
+
+Ensure that exactly three VPC endpoint services exist:
+
+```ruby
+describe aws_vpc_endpoint_services do
+ its('count') { should eq 3 }
+end
+```
+
+Filter all services in `us-east-2a` availability_zones:
+
+```ruby
+describe aws_vpc_endpoint_services.where{ availability_zones.include?('us-east-2a') } do
+ it { should exist }
+end
+```
+
+Filter all service where acceptance is required from the service owner:
+
+```ruby
+describe aws_vpc_endpoint_services.where(acceptance_required: true) do
+ it { should exist }
+end
+```
+
+Filter all static if it manages its vpc endpoints:
+
+```ruby
+describe aws_vpc_endpoint_services.where(manages_vpc_endpoints: true) do
+ it { should exist }
+end
+```
+
+Filter all private dns name verification states:
+
+```ruby
+describe aws_vpc_endpoint_services.where(private_dns_name_verification_states: 'verified') do
+ it { should exist }
+end
+```
+
+Request all the service names and check if endpoint policies are supported:
+
+```ruby
+aws_vpc_endpoint_services.service_names.each do |service_name|
+ describe aws_vpc_endpoint_service(service_name: service_name) do
+ it { should be_vpc_endpoint_policy_supported }
+ end
+end
+```
+
+## Matchers
+
+For the complete list of available matchers, visit [Universal Matchers page](https://www.inspec.io/docs/reference/matchers/).
+
+### exist
+
+The control will pass if the 'describe' method returns at least one result.
+
+```ruby
+describe aws_vpc_endpoint_services.where( PROPERTY: VALUE) do
+ it { should exist }
+end
+```
+
+Use `should_not` to test an entity that should not exist.
+
+```ruby
+describe aws_vpc_endpoint_services.where( PROPERTY: VALUE) do
+ it { should_not exist }
+end
+```
+
+## AWS Permissions
+
+{{% inspec-aws/aws_permissions_principal action="EC2:Client:DescribeVpcEndpointServicesResult" %}}
+
+You can find detailed documentation at [Actions, Resources, and Condition Keys for VPC endpoint services](https://docs.aws.amazon.com/vpc/latest/userguide/vpc-policy-examples.html), and [Actions, Resources, and Condition Keys for Identity And Access Management](https://docs.aws.amazon.com/IAM/latest/UserGuide/list_identityandaccessmanagement.html).
diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_vpc_endpoints.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_vpc_endpoints.md
new file mode 100644
index 0000000..1bb99ca
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_vpc_endpoints.md
@@ -0,0 +1,121 @@
++++
+title = "aws_vpc_endpoints resource"
+
+draft = false
+
+
+[menu.aws]
+title = "aws_vpc_endpoints"
+identifier = "inspec/resources/aws/aws_vpc_endpoints resource"
+parent = "inspec/resources/aws"
++++
+
+Use the `aws_vpc_endpoints` InSpec audit resource to test properties of some or all AWS VPC Endpoints.
+
+VPC Endpoints can be of two types: 'Gateway' and 'Interface'.
+
+A Gateway type VPC endpoint accepts a route-table whereas an Interface type VPC endpoint takes one or more subnets and one or more security groups. Hence their properties might differ based on the type.
+
+For additional information, including details on parameters and properties, see the [AWS documentation on VPC Endpoints](https://docs.aws.amazon.com/vpc/latest/userguide/vpc-endpoints.html).
+
+## Syntax
+
+Ensure that one or more VPC Endpoints exist.
+
+```ruby
+describe aws_vpc_endpoints do
+ it { should exist }
+end
+```
+
+An `aws_vpc_endpoints` resource block uses an optional filter to select a group of VPC Endpoints and then tests that group.
+
+## Parameters
+
+This resource does not require any parameters.
+
+## Properties
+
+`vpc_endpoint_ids`
+: This property provides a list of the VPC Endpoint IDs that the matched VPC Endpoints serve as strings.
+
+`vpc_endpoint_types`
+: The type of the VPC Endpoint for the match VPC Endpoints.
+
+`vpc_ids`
+: The IDs of the VPCs in which the endpoints reside.
+
+`service_names`
+: The names of the services that the VPC endpoint is assigned with .
+
+`states`
+: The states of the VPC Endpoints.
+
+`route_table_ids`
+: The route table IDs for the Gateway type endpoints.
+
+`subnet_ids`
+: The subnet IDs for the Interface type endpoints.
+
+`tags`
+: A hash of key-value pairs corresponding to the tags associated with the entity.
+
+`private_dns_enabled`
+: Boolean value for Private DNS enable status.
+
+## Examples
+
+Ensure a VPC has VPC Endpoints:
+
+```ruby
+describe aws_vpc_endpoints.where( vpc_id: vpc-12345678 )
+ it { should exist }
+end
+```
+
+Match count of VPC Endpoints of Gateway type in a particular VPC:
+
+```ruby
+describe aws_vpc_endpoints.where( vpc_id: vpc-12345678 ).where(vpc_endpoint_type: "Gateway") do
+ its('count') { should eq 4 }
+end
+```
+
+Check tags :
+
+```ruby
+describe aws_vpc_endpoints do
+ its('tags') { should include(:Environment => 'env-name',
+ :Name => 'vpce-name')}
+end
+```
+
+## Matchers
+
+{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}}
+
+This resource has the following special matchers.
+
+### exist
+
+The control will pass if the describe returns at least one result.
+
+Use `should_not` to test the entity should not exist.
+
+```ruby
+describe aws_vpc_endpoints do
+ it { should exist }
+end
+```
+
+```ruby
+describe aws_vpc_endpoints.where( : ) do
+ it { should_not exist }
+end
+```
+
+## AWS Permissions
+
+{{% inspec-aws/aws_permissions_principal action="EC2:Client:DescribeVpcEndpointsResult" %}}
+
+You can find detailed documentation at [Actions, Resources, and Condition Keys for Amazon EC2](https://docs.aws.amazon.com/IAM/latest/UserGuide/list_amazonec2.html).
diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_vpcs.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_vpcs.md
new file mode 100644
index 0000000..e092342
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_vpcs.md
@@ -0,0 +1,257 @@
++++
+title = "aws_vpcs resource"
+
+draft = false
+
+
+[menu.aws]
+title = "aws_vpcs"
+identifier = "inspec/resources/aws/aws_vpcs resource"
+parent = "inspec/resources/aws"
++++
+
+Use the `aws_vpcs` InSpec audit resource to test the properties of some or all AWS Virtual Private Clouds (VPCs) and the CIDR block that is used within the VPC.
+
+Each VPC is uniquely identified by its `VPC ID`. In addition, each VPC has a non-unique CIDR IP address range (such as 10.0.0.0/16), which it manages.
+
+Every AWS account has at least one VPC, the "default" VPC, in every region.
+
+This resource also have the functionality to test the CIDR block. The VPCCidrBlock associates a CIDR block with your VPC. You can only associate a single IPv6 CIDR block with your VPC. The IPv6 CIDR block size is fixed at /56.
+
+For additional information, including details on parameters and properties, see the [AWS documentation on VPCs](https://docs.aws.amazon.com/vpc/latest/userguide/what-is-amazon-vpc.html).
+See the [AWS documentation on VPCCidrBlock](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ec2-vpccidrblock.html).
+
+## Syntax
+
+An `aws_vpcs` resource block uses an optional filter to select a group of VPCs and then tests that group.
+
+Since you always have at least one VPC:, this will always pass.
+
+```ruby
+describe aws_vpcs do
+ it { should exist }
+end
+```
+
+## Parameters
+
+This resource does not require any parameters.
+
+## Properties
+
+`cidr_blocks`
+: The cidr_blocks property provides a list of the CIDR blocks that the matched VPCs serve as strings.
+
+: **Field**: `cidr_block`
+
+`dhcp_options_ids`
+: The dhcp_option_set_ids property provides a de-duplicated list of the DHCP option set IDs that the matched VPCs use when assigning IPs to resources.
+
+: **Field**: `dhcp_options_id`
+
+`vpc_ids`
+: The vpc_ids property provides a list of the IDs of the matched VPCs.
+
+: **Field**: `vpc_id`
+
+`states`
+: The current state of the VPC.
+
+: **Field**: `state`
+
+`instance_tenancies`
+: The allowed tenancy of instances launched into the VPC.
+
+: **Field**: `instance_tenancy`
+
+`is_default`
+: Indicates whether the VPC is the default VPC.
+
+: **Field**: `is_default`
+
+`defaults`
+: List of all the VPCs that are default.
+
+: **Field**: `defaults`
+
+`tags`
+: A hash of key-value pairs corresponding to the tags associated with the entity.
+
+: **Field**: `tags`
+
+`cidr_block_association_ids`
+: List of all the association ID of the IPv4 CIDR blocks.
+
+: **Field**: `cidr_block_association_ids`
+
+`associated_cidr_blocks`
+: List of all the associated CIDR blocks.
+
+: **Field**: `associated_cidr_blocks`
+
+`cidr_block_states`
+: List of all the states of the CIDR blocks.
+
+: **Field**: `cidr_block_states`
+
+`ipv6_cidr_block_association_ids`
+: List of all the association ID of the IPv6 CIDR blocks.
+
+: **Field**: `ipv6_cidr_block_association_ids`
+
+`ipv6_cidr_blocks`
+: List of all the associated IPV6 CIDR blocks.
+
+: **Field**: `ipv6_cidr_blocks`
+
+`ipv6_cidr_block_states`
+: List of all the states of the IPV6 CIDR blocks.
+
+: **Field**: `ipv6_cidr_block_states`
+
+`ipv6_network_border_groups`
+: List of all the network border group options.
+
+: **Field**: `ipv6_network_border_groups`
+
+`ipv6_pools`
+: List of all IDs of the IPv6 address pool from which the IPv6 CIDR block is allocated.
+
+: **Field**: `ipv6_pools`
+
+`entries`
+: Provides access to the raw results of the query, which can be treated as an array of hashes.
+
+: **Field**: Not Applicable
+
+## Examples
+
+Ensure all VPCs use the same DHCP option set:
+
+```ruby
+describe aws_vpcs.where { dhcp_options_id != 'DOPT-12345678' } do
+ it { should_not exist }
+end
+```
+
+Check for a Particular VPC ID:
+
+```ruby
+describe aws_vpcs do
+ its('vpc_ids') { should include 'VPC-12345678' }
+end
+```
+
+Use the VPC IDs to get a list of Default Security Groups:
+
+```ruby
+aws_vpcs.vpc_ids.each do |vpc_id|
+ describe aws_security_group(vpc_id: vpc_id, group_name: 'DEFAULT') do
+ it { should_not allow_in(port: 22) }
+ end
+end
+```
+
+We shun the `10.0.0.0/8` space:
+
+```ruby
+describe aws_vpcs.where { cidr_block.start_with?('10') } do
+ it { should_not exist }
+end
+```
+
+Check tags:
+
+```ruby
+describe aws_vpc do
+ its('tags') { should include(:Environment => 'ENV-NAME',
+ :Name => 'VPC-NAME')}
+end
+```
+
+Ensure AWS VPC IPV6 CIDR Block plural resource has the correct properties:
+
+```ruby
+describe aws_vpcs.where { ipv6_cidr_blocks.include?('2600:1F16:409:6700::/56') } do
+ it { should exist }
+end
+```
+
+Ensure AWS VPC CIDR BLOCK failed associations are not fetched:
+
+```ruby
+describe aws_vpcs.where { cidr_block_states.reject?('FAILED') } do
+ it { should exist }
+end
+```
+
+Ensure AWS VPC CIDR Block plural resource has the associated id:
+
+```ruby
+describe aws_vpcs do
+ its ('CIDR_BLOCK_ASSOCIATION_IDS') { should include "VPC-CIDR-ASSOC-0123456789" }
+end
+```
+
+Ensure AWS VPC IPv6 CIDR Block plural resource has the associated id:
+
+```ruby
+describe aws_vpcs do
+ its ('IPV6_CIDR_BLOCK_ASSOCIATION_IDS') { should include "VPC-CIDR-ASSOC-0123456789" }
+end
+```
+
+Ensure AWS VPC CIDR BLOCK disassociated associations are fetched:
+
+```ruby
+describe aws_vpcs.where { ipv6_cidr_block_states.select?('DISASSOCIATED') } do
+ it { should exist }
+end
+```
+
+## Matchers
+
+This InSpec audit resource has the following special matchers. 
For a complete list of the available matchers, visit [Universal Matchers page](https://www.inspec.io/docs/reference/matchers/).
+
+### exist
+
+The control will pass if the `describe` returns at least one result.
+
+Use `should_not` to test the entity should not exist
+
+```ruby
+describe aws_vpcs do
+ it { should exist }
+end
+```
+
+```ruby
+describe aws_vpcs.where( : ) do
+ it { should_not exist }
+end
+```
+
+### include
+
+```ruby
+describe aws_vpcs do
+ its ('IPV_6_CIDR_ASSOCIATION_IDS') { should include "VPC-CIDR-ASSOC-0123456789" }
+ its ('IPV_6_CIDR_STATES') { should include "ASSOCIATED" }
+ its ('IPV_6_CIDR_NETWORK_BORDER_GROUPS') { should include "US-EAST-2" }
+ its ('IPV_6_CIDR_IPV_6_POOLS') { should include "AMAZON" }
+end
+```
+
+### be_empty
+
+```ruby
+describe aws_vpcs do
+ its ('IPV_6_CIDR_STATUS_MESSAGES') { should be_empty }
+end
+```
+
+## AWS Permissions
+
+{{% inspec-aws/aws_permissions_principal action="EC2:Client:DescribeVpcsResult" %}}
+
+You can find detailed documentation at the [Actions, Resources, and Condition Keys for Amazon EC2](https://docs.aws.amazon.com/IAM/latest/UserGuide/list_amazonec2.html).
diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_vpn_connection.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_vpn_connection.md
new file mode 100644
index 0000000..9c53f3a
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_vpn_connection.md
@@ -0,0 +1,101 @@
++++
+title = "aws_vpn_connection resource"
+
+draft = false
+
+
+[menu.aws]
+title = "aws_vpn_connection"
+identifier = "inspec/resources/aws/aws_vpn_connection resource"
+parent = "inspec/resources/aws"
++++
+
+Use the `aws_vpn_connection` InSpec audit resource to test the properties of a single AWS VPN connection.
+
+## Syntax
+
+An `aws_vpn_connection` resource block declares the tests for a single AWS VPN connection by `vpn_connection_id`.
+
+```ruby
+describe aws_vpn_connection(vpn_connection_id: 'vpn-1234567890') do
+ it { should exist }
+end
+```
+
+```ruby
+describe aws_vpn_connection('vpn-1234567890') do
+ it { should exist }
+end
+```
+
+## Parameters
+
+`vpn_connection_id` _(required)_
+: The identifier of the AWS VPN connection. It can be passed either as a string or as a `vpn_connection_id: 'value'` hash key-value entry.
+
+## Properties
+
+`vpn_connection_id`
+: The identifier of the AWS VPN connection.
+
+`state`
+: The current state of the VPN connection. Possible values are: `pending`, `available`, `deleting`, and `deleted`.
+
+`type`
+: The type of VPN connection that the VPN connection supports.
+
+`vpn_gateway_id`
+: The ID of the associated VPN.
+
+`tags`
+: All tags that are associated with the VPN connection.
+
+There are also additional properties available. For a comprehensive list, see [the API reference documentation](https://docs.aws.amazon.com/sdk-for-ruby/v3/api/Aws/EC2/Types/VpnConnection.html).
+
+## Examples
+
+### Test that a VPN connection is available
+
+```ruby
+describe aws_vpn_connection('vpn-1234567890') do
+ its('vpn_connection_id') { should eq 'vpn-1234567890' }
+end
+```
+
+### Test that a VPN connection status is available
+
+```ruby
+describe aws_vpn_connection('vpn-1234567890') do
+ its('status') { should eq 'available' }
+end
+```
+
+## Matchers
+
+{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}}
+
+The control passes if the `get` method returns at least one result.
+
+### exist
+
+Use `should` to test that the entity exists.
+
+```ruby
+describe aws_vpn_connection('vpn-1234567890') do
+ it { should exist }
+end
+```
+
+### not exist
+
+Use `should_not` to test that the entity does not exist.
+
+```ruby
+describe aws_vpn_connection('vpn-1234567890') do
+ it { should_not exist }
+end
+```
+
+## AWS Permissions
+
+{{% inspec-aws/aws_permissions_principal action="EC2:Client:DescribeVpnConnectionsResult" %}}
diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_vpn_connections.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_vpn_connections.md
new file mode 100644
index 0000000..9fdb906
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_vpn_connections.md
@@ -0,0 +1,103 @@
++++
+title = "aws_vpn_connections resource"
+
+draft = false
+
+
+[menu.aws]
+title = "aws_vpn_connections"
+identifier = "inspec/resources/aws/aws_vpn_connections resource"
+parent = "inspec/resources/aws"
++++
+
+Use the `aws_vpn_connections` InSpec audit resource to test the properties of all AWS VPN connections.
+
+For additional information, including details on parameters and properties, see the [AWS documentation on VPN Connections](https://docs.aws.amazon.com/vpc/latest/userguide/vpn-connections.html).
+
+## Syntax
+
+Ensure that one or more VPN connections exist.
+
+```ruby
+describe aws_vpn_connections do
+ it { should exist }
+end
+```
+
+## Parameters
+
+This resource does not require any parameters.
+
+## Properties
+
+`vpn_connection_ids`
+: This property provides all the IDs of the VPN connections.
+
+`vpn_gateway_ids`
+: This property provides all the IDs of the virtual private gateways associated with the VPN connections.
+
+`outside_ip_addresses`
+: This property provides the outside IP addresses of the VPN connections.
+
+`tunnel_inside_cidrs`
+: This property provides the tunnel inside CIDRs of the VPN connections.
+
+`states`
+: This property provides the current state of the VPN connections.
+
+`types`
+: This property provides the current types of VPN connections.
+
+`tags`
+: This property provides the current tags of the VPN connections.
+
+## Examples
+
+### Ensure that VPN connections are available
+
+```ruby
+describe aws_vpn_connections do
+ its('state.uniq') { should eq ['available'] }
+end
+```
+
+### To check tags
+
+```ruby
+describe aws_vpn_connections.where { tags["Name"] == "vpn-connection-example-123" } do
+ it { should exist }
+ its('count') { should be 3 }
+end
+```
+
+## Matchers
+
+{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}}
+
+This resource has the following special matchers.
+
+### exist
+
+The control passes if the describe returns at least one result.
+
+```ruby
+describe aws_vpn_connections do
+ it { should exist }
+end
+```
+
+### not exists
+
+Use `should_not` to test whether the entity should not exist.
+
+```ruby
+describe aws_vpn_connections do
+ it { should_not exist }
+end
+```
+
+## AWS Permissions
+
+{{% inspec-aws/aws_permissions_principal action="EC2:Client:DescribeVpnConnectionsResult" %}}
+
+You can find detailed documentation at [Actions, Resources, and Condition Keys for Amazon EC2](https://docs.aws.amazon.com/IAM/latest/UserGuide/list_amazonec2.html).
diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_vpn_gateway.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_vpn_gateway.md
new file mode 100644
index 0000000..f051496
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_vpn_gateway.md
@@ -0,0 +1,111 @@
++++
+title = "aws_vpn_gateway resource"
+
+draft = false
+
+
+[menu.aws]
+title = "aws_vpn_gateway"
+identifier = "inspec/resources/aws/aws_vpn_gateway resource"
+parent = "inspec/resources/aws"
++++
+
+Use the `aws_vpn_gateway` InSpec audit resource to test the properties of a single AWS VPN gateway.
+
+## Syntax
+
+An `aws_vpn_gateway` resource block declares the tests for a single AWS VPN gateway by `vpn_gateway_id`.
+
+```ruby
+describe aws_vpn_gateway(vpn_gateway_id: 'vgw-014aef8a0689b8f43') do
+ it { should exist }
+end
+```
+
+The value of the `vpn_gateway_id` can be provided as a string.
+
+```ruby
+describe aws_vpn_gateway('vgw-014aef8a0689b8f43') do
+ it { should exist }
+end
+```
+
+## Parameters
+
+The AWS VPN gateway ID is required.
+
+`vpn_group_id` _(required)_
+
+: The ID of the VPN gateway:
+
+: - must contain between 1 and 50 alphanumeric characters or hyphens
+
+- should start with `vgw-`
+- cannot end with a hyphen or contain two consecutive hyphens
+
+: It can be passed either as a string or as a `vpn_gateway_id: 'value'` key-value entry in a hash.
+
+## Properties
+
+`vpn_gateway_id`
+: The identifier of the AWS VPN gateway.
+
+`state`
+: The current state of the VPN gateway. Possible values are: `pending`, `available`, `deleting`, `deleted`.
+
+`type`
+: The type of VPN connection that the VPN gateway supports.
+
+`availability_zone`
+: The Availability Zone where the virtual private gateway was created. If not applicable, this field will be be empty.
+
+`vpc_id`
+: The ID of the associated VPC.
+
+`amazon_side_asn`
+: The private Autonomous System Number (ASN) for the Amazon side of a BGP session.
+
+`tags`
+: All tags that are associated to the VPN gateway.
+
+There are also additional properties available. For a comprehensive list, see [the API reference documentation](https://docs.aws.amazon.com/sdk-for-ruby/v3/api/Aws/EC2/Types/VpnGateway.html).
+
+## Examples
+
+Test that a VPN Gateway is available and attached:
+
+```ruby
+describe aws_vpn_gateway('vgw-014aef8a0689b8f43') do
+ its('status') { should eq 'available' }
+ it { should be_attached }
+end
+```
+
+## Matchers
+
+{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}}
+
+This resource has the following special matchers.
+
+### exist
+
+```ruby
+describe aws_vpn_gateway('vgw-014aef8a0689b8f43') do
+ it { should exist }
+end
+```
+
+### be_attached to a VPC
+
+```ruby
+describe aws_vpn_gateway('vgw-014aef8a0689b8f43') do
+ it { should be_attached }
+ its('vpc_id') { should eq 'vpc-0a510beed76210f2f'}
+end
+```
+
+## AWS Permissions
+
+{{% inspec-aws/aws_permissions_principal action="EC2:Client:DescribeVpnGatewaysResult" %}}
+
+You can find detailed documentation at [Actions, Resources, and Condition Keys for Amazon ElastiCache](https://docs.amazonaws.cn/en_us/vpc/latest/userguide/vpc-policy-examples.html), and [Actions, Resources, and Condition Keys for Identity And Access Management](https://docs.aws.amazon.com/IAM/latest/UserGuide/list_identityandaccessmanagement.html).
diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_vpn_gateways.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_vpn_gateways.md
new file mode 100644
index 0000000..9b17c8f
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_vpn_gateways.md
@@ -0,0 +1,101 @@
++++
+title = "aws_vpn_gateways resource"
+
+draft = false
+
+
+[menu.aws]
+title = "aws_vpn_gateways"
+identifier = "inspec/resources/aws/aws_vpn_gateways resource"
+parent = "inspec/resources/aws"
++++
+
+Use the `aws_vpn_gateways` InSpec audit resource to test the properties of all Amazon VPN gateways. To audit a single AWS VPN gateway, use the `aws_vpn_gateway` (singular) resource.
+
+## Syntax
+
+An `aws_vpn_gateways` resource block collects a group of AWS VPN descriptions and then tests that group.
+
+```ruby
+describe aws_vpn_gateways
+ it { should exist }
+end
+```
+
+## Parameters
+
+This resource does not require any parameters.
+
+## Properties
+
+`vpn_gateway_ids`
+: List of unique identifiers that identifies a AWS VPN gateway.
+
+`states`
+: List of the current state of the VPN gateway. Possible values are: `pending`, `available`, `deleting`, `deleted`.
+
+`types`
+: List of the types of VPN connection the VPN gateway supports.
+
+`availability_zones`
+: List of Availability Zone where the virtual private gateway was created. If not applicable, this field will be be empty.
+
+`vpc_attachments`
+: List of VPCs attached to the virtual private gateway. It has a collection of key-pairs of `state` and `vpc_id`.
+
+`amazon_side_asns`
+: List of all the private Autonomous System Number (ASN) for the Amazon side of a BGP session.
+
+`tags`
+: List of all tags that are associated with the VPN gateway.
+
+## Examples
+
+Ensure that exactly three AWS VPN gateways exist:
+
+```ruby
+describe aws_vpn_gateways do
+ its('count') { should eq 3 }
+end
+```
+
+Request the IDs of all AWS VPN gateways, then test in-depth using `aws_vpn_gateway`:
+
+```ruby
+aws_vpn_gateways.vpn_gateway_ids.each do |vpn_gateway_id|
+ describe aws_vpn_gateway(vpn_gateway_id) do
+ it { should exists }
+ it { should be_attached }
+ end
+end
+```
+
+## Matchers
+
+{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}}
+
+This resource has the following special matchers.
+
+### exist
+
+The control will pass if the 'describe' method returns at least one result.
+
+```ruby
+describe aws_vpn_gateways.where( : ) do
+ it { should exist }
+end
+```
+
+Use `should_not` to test an entity that should not exist.
+
+```ruby
+describe aws_vpn_gateways.where( : ) do
+ it { should_not exist }
+end
+```
+
+## AWS Permissions
+
+{{% inspec-aws/aws_permissions_principal action="EC2:Client:DescribeVpnGatewaysResult" %}}
+
+You can find detailed documentation at [Actions, Resources, and Condition Keys for Amazon ElastiCache](https://docs.amazonaws.cn/en_us/vpc/latest/userguide/vpc-policy-examples.html), and [Actions, Resources, and Condition Keys for Identity And Access Management](https://docs.aws.amazon.com/IAM/latest/UserGuide/list_identityandaccessmanagement.html).
diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_waf_byte_match_set.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_waf_byte_match_set.md
new file mode 100644
index 0000000..79eac03
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_waf_byte_match_set.md
@@ -0,0 +1,126 @@
++++
+title = "aws_waf_byte_match_set resource"
+
+draft = false
+
+
+[menu.aws]
+title = "aws_waf_byte_match_set"
+identifier = "inspec/resources/aws/aws_waf_byte_match_set resource"
+parent = "inspec/resources/aws"
++++
+
+Use the `aws_waf_byte_match_set` Chef InSpec audit resource to test the properties of a single AWS (Web Application Firewall) WAF byte match set.
+
+For additional information, including details on parameters and properties, see the [AWS documentation on the `AWS::WAF::ByteMatchSet` resource type](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-waf-bytematchset.html).
+
+## Syntax
+
+Ensure that a byte match set exists.
+
+```ruby
+describe aws_waf_byte_match_set(byte_match_set_id: 'BYTE_MATCH_SET_ID') do
+ it { should exist }
+end
+```
+
+## Parameters
+
+`aws_waf_byte_match_set` _(required)_
+
+: The unique identifier for the byte match set.
+
+## Properties
+
+`byte_match_set_id`
+: The unique identifier for the byte match set.
+
+`name`
+: The name of the byte match set.
+
+`byte_match_tuples`
+: Specifies the bytes (typically a string that corresponds with ASCII characters) that you want AWS WAF to search for in web requests, the location in requests that you want AWS WAF to search, and other settings.
+
+`byte_match_tuples_field_to_matches`
+: The part of a web request that you want AWS WAF to search, such as a specified header or a query string.
+
+`byte_match_tuples_field_to_match_types`
+: The part of the web request that you want AWS WAF to search for a specified string.
+
+`byte_match_tuples_field_to_match_data`
+: When the value of Type is HEADER , enter the name of the header that you want AWS WAF to search, for example, User-Agent or Referer.
+
+`byte_match_tuples_target_strings`
+: The value that you want AWS WAF to search for.
+
+`byte_match_tuples_text_transformations`
+: Text transformations eliminate some of the unusual formatting that attackers use in web requests in an effort to bypass AWS WAF.
+
+`byte_match_tuples_positional_constraints`
+: Within the portion of a web request that you want to search (for example, in the query string, if any), specify where you want AWS WAF to search.
+
+## Examples
+
+Ensure a byte match set is available:
+
+```ruby
+describe aws_waf_byte_match_set(byte_match_set_id: 'BYTE_MATCH_SET_ID') do
+ its('byte_match_set_id') { should eq 'BYTE_MATCH_SET_ID' }
+end
+```
+
+Ensure a byte match set name is available:
+
+```ruby
+describe aws_waf_byte_match_set(byte_match_set_id: 'BYTE_MATCH_SET_ID') do
+ its('name') { should eq 'BYTE_MATCH_SET_NAME' }
+end
+```
+
+Ensure a byte match set type is `REGULAR`:
+
+```ruby
+describe aws_waf_byte_match_set(byte_match_set_id: 'BYTE_MATCH_SET_ID') do
+ its('byte_match_tuples_positional_constraints') { should include 'REGULAR' }
+end
+```
+
+## Matchers
+
+This Chef InSpec audit resource has the following special matchers.
+
+{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}}
+
+This resource has the following special matchers.
+
+### exist
+
+Use `should` to test that the entity exists.
+
+```ruby
+describe aws_waf_byte_match_set(byte_match_set_id: 'BYTE_MATCH_SET_ID') do
+ it { should exist }
+end
+```
+
+Use `should_not` to test the entity does not exist.
+
+```ruby
+describe aws_waf_byte_match_set(byte_match_set_id: 'BYTE_MATCH_SET_ID') do
+ it { should_not exist }
+end
+```
+
+### be_available
+
+Use `should` to check if the entity is available.
+
+```ruby
+describe aws_waf_byte_match_set(byte_match_set_id: 'BYTE_MATCH_SET_ID') do
+ it { should be_available }
+end
+```
+
+## AWS Permissions
+
+{{% inspec-aws/aws_permissions_principal action="WAF:Client:GetByteMatchSetResponse" %}}
diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_waf_byte_match_sets.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_waf_byte_match_sets.md
new file mode 100644
index 0000000..aeb26d1
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_waf_byte_match_sets.md
@@ -0,0 +1,89 @@
++++
+title = "aws_waf_byte_match_sets resource"
+
+draft = false
+
+
+[menu.aws]
+title = "aws_waf_byte_match_sets"
+identifier = "inspec/resources/aws/aws_waf_byte_match_sets resource"
+parent = "inspec/resources/aws"
++++
+
+Use the `aws_waf_byte_match_sets` Chef InSpec audit resource to test the properties of multiple AWS (Web Application Firewall) WAF byte match sets.
+
+For additional information, including details on parameters and properties, see the [AWS documentation on the `AWS::WAF::ByteMatchSet` resource type](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-waf-bytematchset.html).
+
+## Syntax
+
+### Ensure that a byte match set exists
+
+```ruby
+describe aws_waf_byte_match_sets do
+ it { should exist }
+end
+```
+
+## Parameters
+
+This resource does not require any parameters.
+
+## Properties
+
+`byte_match_set_ids`
+: The unique identifier for the ByteMatchSet.
+
+: **Field**: `byte_match_set_id`
+
+`names`
+: The name of the ByteMatchSet.
+
+: **Field**: `name`
+
+## Examples
+
+Ensure a byte match set is available:
+
+```ruby
+describe aws_waf_byte_match_sets do
+ its('byte_match_set_ids') { should include 'BYTE_MATCH_SET_ID' }
+end
+```
+
+Ensure a byte match set name is available:
+
+```ruby
+describe aws_waf_byte_match_sets do
+ its('names') { should include 'BYTE_MATCH_SET_NAME' }
+end
+```
+
+## Matchers
+
+This Chef InSpec audit resource has the following special matchers.
+
+{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}}
+
+The controls will pass if the `list` method returns at least one result.
+
+### exist
+
+Use `should` to test that the entity exists.
+
+```ruby
+describe aws_waf_byte_match_sets do
+ it { should exist }
+end
+```
+
+Use `should_not` to test the entity does not exist.
+
+```ruby
+describe aws_waf_byte_match_sets do
+ it { should_not exist }
+end
+```
+
+## AWS Permissions
+
+{{% inspec-aws/aws_permissions_principal action="WAF:Client:ListByteMatchSetsResponse" %}}
diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_waf_ip_set.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_waf_ip_set.md
new file mode 100644
index 0000000..077d264
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_waf_ip_set.md
@@ -0,0 +1,112 @@
++++
+title = "aws_waf_ip_set resource"
+
+draft = false
+
+
+[menu.aws]
+title = "aws_waf_ip_set"
+identifier = "inspec/resources/aws/aws_waf_ip_set resource"
+parent = "inspec/resources/aws"
++++
+
+Use the `aws_waf_ip_set` Chef InSpec audit resource to test the properties of a single AWS Web Application Firewall (WAF) IP set.
+
+For additional information, including details on parameters and properties, see the [AWS documentation on AWS WAF IPSet](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-waf-ipset.html).
+
+## Syntax
+
+Ensure that IP set exists.
+
+```ruby
+describe aws_waf_ip_set(ip_set_id: 'IP_SET_ID') do
+ it { should exist }
+end
+```
+
+## Parameters
+
+`ip_set_id` _(required)_
+
+: The ID for an IP set.
+
+## Properties
+
+`ip_set_id`
+: The IPSetId for an IP set.
+
+`name`
+: A friendly name or description of the IP set.
+
+`ip_set_descriptors`
+: The IP address type (IPV4 or IPV6 ) and the IP address range (in CIDR notation) that web requests originate from.
+
+`ip_set_descriptors_types`
+: Specify IPV4 or IPV6.
+
+`ip_set_descriptors_values`
+: Specify an IPv4 address by using CIDR notation.
+
+## Examples
+
+Ensure an IP set is available:
+
+```ruby
+describe aws_waf_ip_set(ip_set_id: 'IP_SET_ID') do
+ its('ip_set_id') { should eq 'IP_SET_ID' }
+end
+```
+
+Ensure an IP set name is available:
+
+```ruby
+describe aws_waf_ip_set(ip_set_id: 'IP_SET_ID') do
+ its('name') { should eq 'IP_SET_NAME' }
+end
+```
+
+Ensure an IP set descriptors type is `IPV4`:
+
+```ruby
+describe aws_waf_ip_set(ip_set_id: 'IP_SET_ID') do
+ its('ip_set_descriptors_types') { should include 'IPV4' }
+end
+```
+
+## Matchers
+
+{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}}
+
+This resource has the following special matchers.
+
+### exist
+
+Use `should` to test that the entity exists.
+
+```ruby
+describe aws_waf_ip_set(ip_set_id: 'IP_SET_ID') do
+ it { should exist }
+end
+```
+
+Use `should_not` to test the entity does not exist.
+
+```ruby
+describe aws_waf_ip_set(ip_set_id: 'IP_SET_ID') do
+ it { should_not exist }
+end
+```
+
+### be_available
+
+Use `should` to check if the entity is available.
+
+```ruby
+describe aws_waf_ip_set(ip_set_id: 'IP_SET_ID') do
+ it { should be_available }
+end
+```
+
+## AWS Permissions
+
+{{% inspec-aws/aws_permissions_principal action="WAF:Client:GetIPSetResponse" %}}
diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_waf_ip_sets.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_waf_ip_sets.md
new file mode 100644
index 0000000..563ab09
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_waf_ip_sets.md
@@ -0,0 +1,89 @@
++++
+title = "aws_waf_ip_sets resource"
+
+draft = false
+
+
+[menu.aws]
+title = "aws_waf_ip_sets"
+identifier = "inspec/resources/aws/aws_waf_ip_sets resource"
+parent = "inspec/resources/aws"
++++
+
+Use the `aws_waf_ip_sets` Chef InSpec audit resource to test the properties of multiple AWS Web Application Firewall (WAF) IP sets.
+
+For additional information, including details on parameters and properties, see the [AWS documentation on `AWS::WAF::IPSet` resource](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-waf-ipset.html).
+
+## Syntax
+
+Ensure that IP set exists.
+
+```ruby
+describe aws_waf_ip_sets do
+ it { should exist }
+end
+```
+
+## Parameters
+
+`ip_set_id` _(required)_
+
+: The ID for an IP set.
+
+## Properties
+
+`ip_set_ids`
+: The IPSetId for an IPSet.
+
+: **Field**: `ip_set_id`
+
+`names`
+: A friendly name or description of the IPSet.
+
+: **Field**: `name`
+
+## Examples
+
+Ensure an IP set is available:
+
+```ruby
+describe aws_waf_ip_sets do
+ its('ip_set_ids') { should include 'IP_SET_ID' }
+end
+```
+
+Ensure an IP set name is available:
+
+```ruby
+describe aws_waf_ip_sets do
+ its('names') { should include 'IP_SET_NAME' }
+end
+```
+
+## Matchers
+
+{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}}
+
+The controls will pass if the `list` method returns at least one result.
+
+### exist
+
+Use `should` to test that the entity exists.
+
+```ruby
+describe aws_waf_ip_sets do
+ it { should exist }
+end
+```
+
+Use `should_not` to test the entity does not exist.
+
+```ruby
+describe aws_waf_ip_sets do
+ it { should_not exist }
+end
+```
+
+## AWS Permissions
+
+{{% inspec-aws/aws_permissions_principal action="WAF:Client:ListIPSetsResponse" %}}
diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_waf_rule.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_waf_rule.md
new file mode 100644
index 0000000..efbb4ff
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_waf_rule.md
@@ -0,0 +1,125 @@
++++
+title = "aws_waf_rule resource"
+
+draft = false
+
+
+[menu.aws]
+title = "aws_waf_rule"
+identifier = "inspec/resources/aws/aws_waf_rule resource"
+parent = "inspec/resources/aws"
++++
+
+Use the `aws_waf_rule` Chef InSpec audit resource to test the properties of a single AWS WAF (web application firewall) rule.
+
+The `AWS::WAF::Rule` resource type creates a firewall rule that identifies the web requests that you want to allow, block, or count.
+
+For additional information, including details on parameters and properties, see the [AWS documentation on the `AWS::WAF::Rule` resource type](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-waf-rule.html).
+
+## Syntax
+
+Ensure that a WAF rule exists.
+
+```ruby
+describe aws_waf_rule(rule_id: 'RULE_ID') do
+ it { should exist }
+end
+```
+
+## Parameters
+
+`rule_id` _(required)_
+
+: A unique identifier for a WAF rule.
+
+## Properties
+
+`rule_id`
+: A unique identifier for a rule.
+
+`name`
+: The name of the rule.
+
+`metric_name`
+: The name of the metrics for this rule.
+
+`predicates_negated`
+: `False` if the AWS WAF rule will allow, block, or count requests based on the settings in the specified `ByteMatchSet`, `IPSet`, `SqlInjectionMatchSet`, `XssMatchSet`, `RegexMatchSet`, `GeoMatchSet`, or `SizeConstraintSet` object.
+
+`predicates_type`
+: The type of predicate in a rule, such as `ByteMatch` or `IPSet`.
+
+`predicates_data_id`
+: A unique identifier for a predicate in a rule, such as `ByteMatchSetId` or `IPSetId`.
+
+## Examples
+
+Ensure a rule is available:
+
+```ruby
+describe aws_waf_rule(rule_id: 'RULE_ID') do
+ its('rule_id') { should eq 'RULE_ID' }
+end
+```
+
+Ensure a rule name is available:
+
+```ruby
+describe aws_waf_rule(rule_id: 'RULE_ID') do
+ its('name') { should eq 'RULE_ID_NAME' }
+end
+```
+
+Ensure a metric name type is `METRIC_NAME`:
+
+```ruby
+describe aws_waf_rule(rule_id: 'RULE_ID') do
+ its('metric_name') { should include 'METRIC_NAME' }
+end
+```
+
+Verify the type of data ID should be 'DATA_ID':
+
+```ruby
+describe aws_waf_rule(rule_id: 'RULE_ID') do
+ its('predicates_data_id') { should include 'DATA_ID' }
+end
+```
+
+## Matchers
+
+{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}}
+
+This resource has the following special matchers.
+
+### exist
+
+Use `should` to test that the entity exists.
+
+```ruby
+describe aws_waf_rule(rule_id: 'RULE_ID') do
+ it { should exist }
+end
+```
+
+Use `should_not` to test the entity does not exist.
+
+```ruby
+describe aws_waf_rule(rule_id: 'RULE_ID') do
+ it { should_not exist }
+end
+```
+
+### be_available
+
+Use `should` to check if the entity is available.
+
+```ruby
+describe aws_waf_rule(rule_id: 'RULE_ID') do
+ it { should be_available }
+end
+```
+
+## AWS Permissions
+
+{{% inspec-aws/aws_permissions_principal action="WAF:Client:GetRuleResponse" %}}
diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_waf_rules.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_waf_rules.md
new file mode 100644
index 0000000..494a4f1
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_waf_rules.md
@@ -0,0 +1,97 @@
++++
+title = "aws_waf_rules resource"
+
+draft = false
+
+
+[menu.aws]
+title = "aws_waf_rules"
+identifier = "inspec/resources/aws/aws_waf_rules resource"
+parent = "inspec/resources/aws"
++++
+
+Use the `aws_waf_rules` Chef InSpec audit resource to test the properties of multiple AWS WAF (web application firewall) rules.
+
+For additional information, including details on parameters and properties, see the [AWS documentation on the `AWS::WAF::Rule` resource type](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-waf-rule.html).
+
+## Syntax
+
+Ensure that a WAF rule exists.
+
+```ruby
+describe aws_waf_rules do
+ it { should exist }
+end
+```
+
+## Parameters
+
+No required parameters.
+
+## Properties
+
+`rule_ids`
+: The unique identifier for the rule.
+
+: **Field**: `rule_id`
+
+`names`
+: A friendly name or description of the rule.
+
+: **Field**: `name`
+
+## Examples
+
+Ensure a rule is available by rule ID:
+
+```ruby
+describe aws_waf_rules do
+ its('rule_ids') { should include 'RULE_ID' }
+end
+```
+
+Ensure a rule is available by name:
+
+```ruby
+describe aws_waf_rules do
+ its('names') { should include 'RULE_NAMES' }
+end
+```
+
+## Matchers
+
+{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}}
+
+The controls will pass if the `list` method returns at least one result.
+
+### exist
+
+Use `should` to test that the entity exists.
+
+```ruby
+describe aws_waf_rules do
+ it { should exist }
+end
+```
+
+Use `should_not` to test the entity does not exist.
+
+```ruby
+describe aws_waf_rules do
+ it { should_not exist }
+end
+```
+
+### be_available
+
+Use `should` to check if the entity is available.
+
+```ruby
+describe aws_waf_rules do
+ it { should be_available }
+end
+```
+
+## AWS Permissions
+
+{{% inspec-aws/aws_permissions_principal action="WAF:Client:ListRulesResponse" %}}
diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_waf_size_constraint_set.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_waf_size_constraint_set.md
new file mode 100644
index 0000000..4b419a8
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_waf_size_constraint_set.md
@@ -0,0 +1,131 @@
++++
+title = "aws_waf_size_constraint_set resource"
+
+draft = false
+
+
+[menu.aws]
+title = "aws_waf_size_constraint_set"
+identifier = "inspec/resources/aws/aws_waf_size_constraint_set resource"
+parent = "inspec/resources/aws"
++++
+
+Use the `aws_waf_size_constraint_set` Chef InSpec audit resource to test the properties of a single AWS Web Application Firewall (WAF) size constraint set.
+
+For additional information, including details on parameters and properties, see the [AWS documentation on `AWS::WAF::SizeConstraintSet` resource type](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-waf-sizeconstraintset.html).
+
+## Syntax
+
+Ensure that a size constraint set exists.
+
+```ruby
+describe aws_waf_size_constraint_set(size_constraint_set_id: 'SIZE_CONSTRAINT_SET_ID') do
+ it { should exist }
+end
+```
+
+## Parameters
+
+`size_constraint_set_id` _(required)_
+
+: A unique identifier for a size constrain set.
+
+## Properties
+
+`size_constraint_set_id`
+: A unique identifier for a size constrain set.
+
+`name`
+: The name of the size constrain set.
+
+`size_constraints`
+: Specifies the parts of web requests that you want to inspect for cross-site scripting attacks.
+
+`size_constraints_field_to_match_types`
+: The part of the web request that you want AWS WAF to search for a specified string.
+
+`size_constraints_field_to_match_data`
+: When the value of Type is `HEADER`, enter the name of the header that you want AWS WAF to search, for example, User-Agent or Referer.
+
+`size_constraints_text_transformations`
+: Text transformations eliminate some of the unusual formatting that attackers use in web requests in an effort to bypass AWS WAF.
+
+`size_constraints_comparison_operators`
+: The type of comparison you want AWS WAF to perform. AWS WAF uses this in combination with the provided Size and FieldToMatch to build an expression in the form of "Size ComparisonOperator size in bytes of FieldToMatch".
+
+`size_constraints_sizes`
+: The size in bytes that you want AWS WAF to compare against the size of the specified FieldToMatch.
+
+## Examples
+
+Ensure a size constraint set is available:
+
+```ruby
+describe aws_waf_size_constraint_set(size_constraint_set_id: 'SIZE_CONSTRAINT_SET_ID') do
+ its('size_constraint_set_id') { should eq 'SIZE_CONSTRAINT_SET_ID' }
+end
+```
+
+Ensure a size constraint set name is available:
+
+```ruby
+describe aws_waf_size_constraint_set(size_constraint_set_id: 'SIZE_CONSTRAINT_SET_ID') do
+ its('name') { should eq 'SIZE_CONSTRAINT_SET_NAME' }
+end
+```
+
+Ensure an a size constraint set type is `HEADER`:
+
+```ruby
+describe aws_waf_size_constraint_set(size_constraint_set_id: 'SIZE_CONSTRAINT_SET_ID') do
+ its('size_constraints_field_to_match_types') { should include 'HEADER' }
+end
+```
+
+Verify the size of the constraint set:
+
+```ruby
+describe aws_waf_size_constraint_set(size_constraint_set_id: 'SIZE_CONSTRAINT_SET_ID') do
+ its('size_constraints_sizes') { should include '5' }
+end
+```
+
+## Matchers
+
+This Chef InSpec audit resource has the following special matchers.
+
+{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}}
+
+This resource has the following special matchers.
+
+### exist
+
+Use `should` to test that the entity exists.
+
+```ruby
+describe aws_waf_size_constraint_set(size_constraint_set_id: 'SIZE_CONSTRAINT_SET_ID') do
+ it { should exist }
+end
+```
+
+Use `should_not` to test the entity does not exist.
+
+```ruby
+describe aws_waf_size_constraint_set(size_constraint_set_id: 'SIZE_CONSTRAINT_SET_ID') do
+ it { should_not exist }
+end
+```
+
+### be_available
+
+Use `should` to check if the entity is available.
+
+```ruby
+describe aws_waf_size_constraint_set(size_constraint_set_id: 'SIZE_CONSTRAINT_SET_ID') do
+ it { should be_available }
+end
+```
+
+## AWS Permissions
+
+{{% inspec-aws/aws_permissions_principal action="WAF:Client:GetSizeConstraintSetResponse" %}}
diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_waf_size_constraint_sets.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_waf_size_constraint_sets.md
new file mode 100644
index 0000000..4519afb
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_waf_size_constraint_sets.md
@@ -0,0 +1,89 @@
++++
+title = "aws_waf_size_constraint_sets resource"
+
+draft = false
+
+
+[menu.aws]
+title = "aws_waf_size_constraint_sets"
+identifier = "inspec/resources/aws/aws_waf_size_constraint_sets resource"
+parent = "inspec/resources/aws"
++++
+
+Use the `aws_waf_size_constraint_sets` Chef InSpec audit resource to test the properties of multiple AWS Web Application Firewall (WAF) size constraint sets.
+
+For additional information, including details on parameters and properties, see the [AWS documentation on AWS WAF SizeConstraintSet](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-waf-sizeconstraintset.html).
+
+## Syntax
+
+Ensure that a size constraint set exists.
+
+```ruby
+describe aws_waf_size_constraint_sets do
+ it { should exist }
+end
+```
+
+## Parameters
+
+This resource does not require any parameters.
+
+## Properties
+
+`size_constraint_set_ids`
+: A unique identifier for a size constraint set.
+
+: **Field**: `size_constraint_set_id`
+
+`names`
+: The name of the size constraint set.
+
+: **Field**: `name`
+
+## Examples
+
+Ensure a size constraint set is available:
+
+```ruby
+describe aws_waf_size_constraint_sets do
+ its('size_constraint_set_ids') { should include 'SIZE_CONSTRAINT_SET_ID' }
+end
+```
+
+Ensure a size constraint set name is available:
+
+```ruby
+describe aws_waf_size_constraint_sets do
+ its('names') { should include 'SIZE_CONSTRAINT_SET_NAME' }
+end
+```
+
+## Matchers
+
+This Chef InSpec audit resource has the following special matchers.
+
+{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}}
+
+The controls will pass if the `list` method returns at least one result.
+
+### exist
+
+Use `should` to test that the entity exists.
+
+```ruby
+describe aws_waf_size_constraint_sets do
+ it { should exist }
+end
+```
+
+Use `should_not` to test the entity does not exist.
+
+```ruby
+describe aws_waf_size_constraint_sets do
+ it { should_not exist }
+end
+```
+
+## AWS Permissions
+
+{{% inspec-aws/aws_permissions_principal action="WAF:Client:ListSizeConstraintSetsResponse" %}}
diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_waf_sql_injection_match_set.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_waf_sql_injection_match_set.md
new file mode 100644
index 0000000..c70b4ca
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_waf_sql_injection_match_set.md
@@ -0,0 +1,115 @@
++++
+title = "aws_waf_sql_injection_match_set resource"
+
+draft = false
+
+
+[menu.aws]
+title = "aws_waf_sql_injection_match_set"
+identifier = "inspec/resources/aws/aws_waf_sql_injection_match_set resource"
+parent = "inspec/resources/aws"
++++
+
+Use the `aws_waf_sql_injection_match_set` InSpec audit resource to test the properties of a single AWS WAF `SqlInjectionMatchSet` object.
+
+For additional information, including details on parameters and properties, see the [AWS documentation on the `AWS::WAF::SqlInjectionMatchSet` resource](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-waf-sqlinjectionmatchset.html).
+
+## Syntax
+
+Ensure that a `SqlInjectionMatchSet` object exists.
+
+```ruby
+describe aws_waf_sql_injection_match_set(sql_injection_match_set_id: 'SQL_INJECTION_MATCH_SET_ID') do
+ it { should exist }
+end
+```
+
+## Parameters
+
+`sql_injection_match_set_id` _(required)_
+
+: A unique identifier for a `SqlInjectionMatchSet` object.
+
+## Properties
+
+`sql_injection_match_set_id`
+: A unique identifier for a `SqlInjectionMatchSet`.
+
+`name`
+: The name of the `SqlInjectionMatchSet`.
+
+`sql_injection_match_tuples`
+: Specifies the parts of web requests that you want to inspect for cross-site scripting attacks.
+
+`sql_injection_match_tuples_field_to_match_types`
+: The part of the web request that you want AWS WAF to search for a specified string.
+
+`sql_injection_match_tuples_field_to_match_data`
+: When the value of Type is `HEADER`, enter the name of the header that you want AWS WAF to search, for example, `User-Agent` or `Referer`.
+
+`sql_injection_match_tuples_text_transformations`
+: Text transformations eliminate some of the unusual formatting that attackers use in web requests in an effort to bypass AWS WAF.
+
+## Examples
+
+Ensure an injection match set is available:
+
+```ruby
+describe aws_waf_sql_injection_match_set(sql_injection_match_set_id: 'SQL_INJECTION_MATCH_SET_ID') do
+ its('sql_injection_match_set_id') { should eq 'SQL_INJECTION_MATCH_SET_ID' }
+end
+```
+
+Ensure an injection match set is available.:
+
+```ruby
+describe aws_waf_sql_injection_match_set(sql_injection_match_set_id: 'SQL_INJECTION_MATCH_SET_ID') do
+ its('name') { should eq 'SQL_INJECTION_MATCH_SET_NAME' }
+end
+```
+
+Ensure an injection match set type is `HEADER`:
+
+```ruby
+describe aws_waf_sql_injection_match_set(sql_injection_match_set_id: 'SQL_INJECTION_MATCH_SET_ID') do
+ its('sql_injection_match_tuples_field_to_match_types') { should include 'HEADER' }
+end
+```
+
+## Matchers
+
+{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}}
+
+This resource has the following special matchers.
+
+### exist
+
+Use `should` to test that the entity exists.
+
+```ruby
+describe aws_waf_sql_injection_match_set(sql_injection_match_set_id: 'SQL_INJECTION_MATCH_SET_ID') do
+ it { should exist }
+end
+```
+
+Use `should_not` to test the entity does not exist.
+
+```ruby
+describe aws_waf_sql_injection_match_set(sql_injection_match_set_id: 'SQL_INJECTION_MATCH_SET_ID') do
+ it { should_not exist }
+end
+```
+
+### be_available
+
+Use `should` to check if the entity is available.
+
+```ruby
+describe aws_waf_sql_injection_match_set(sql_injection_match_set_id: 'SQL_INJECTION_MATCH_SET_ID') do
+ it { should be_available }
+end
+```
+
+## AWS Permissions
+
+{{% inspec-aws/aws_permissions_principal action="WAF:Client:GetSqlInjectionMatchSetResponse" %}}
diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_waf_sql_injection_match_sets.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_waf_sql_injection_match_sets.md
new file mode 100644
index 0000000..e1b60e7
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_waf_sql_injection_match_sets.md
@@ -0,0 +1,97 @@
++++
+title = "aws_waf_sql_injection_match_sets resource"
+
+draft = false
+
+
+[menu.aws]
+title = "aws_waf_sql_injection_match_sets"
+identifier = "inspec/resources/aws/aws_waf_sql_injection_match_sets resource"
+parent = "inspec/resources/aws"
++++
+
+Use the `aws_waf_sql_injection_match_sets` Chef InSpec audit resource to test the properties of multiple AWS WAF `SqlInjectionMatchSet` objects.
+
+For additional information, including details on parameters and properties, see the [AWS documentation on the `AWS::WAF::SqlInjectionMatchSet` resource](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-waf-sqlinjectionmatchset.html).
+
+## Syntax
+
+Ensure that a `SqlInjectionMatchSet` object exists.
+
+```ruby
+describe aws_waf_sql_injection_match_sets do
+ it { should exist }
+end
+```
+
+## Parameters
+
+This resource does not require any parameters.
+
+## Properties
+
+`sql_injection_match_set_ids`
+: A unique identifier for a `SqlInjectionMatchSet`.
+
+: **Field**: `sql_injection_match_set_id`
+
+`names`
+: The name of the `SqlInjectionMatchSet`.
+
+: **Field**: `name`
+
+## Examples
+
+Ensure an injection match set is available:
+
+```ruby
+describe aws_waf_sql_injection_match_sets do
+ its('sql_injection_match_set_ids') { should include 'SQL_INJECTION_MATCH_SET_ID' }
+end
+```
+
+Ensure an injection match set is available:
+
+```ruby
+describe aws_waf_sql_injection_match_sets do
+ its('names') { should include 'SQL_INJECTION_MATCH_SET_NAME' }
+end
+```
+
+## Matchers
+
+{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}}
+
+The controls will pass if the `list` method returns at least one result.
+
+### exist
+
+Use `should` to test that the entity exists.
+
+```ruby
+describe aws_waf_sql_injection_match_sets do
+ it { should exist }
+end
+```
+
+Use `should_not` to test the entity does not exist.
+
+```ruby
+describe aws_waf_sql_injection_match_sets do
+ it { should_not exist }
+end
+```
+
+### be_available
+
+Use `should` to check if the entity is available.
+
+```ruby
+describe aws_waf_sql_injection_match_sets do
+ it { should be_available }
+end
+```
+
+## AWS Permissions
+
+{{% inspec-aws/aws_permissions_principal action="WAF:Client:ListSqlInjectionMatchSetsResponse" %}}
diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_waf_web_acl.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_waf_web_acl.md
new file mode 100644
index 0000000..d10b49b
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_waf_web_acl.md
@@ -0,0 +1,141 @@
++++
+title = "aws_waf_web_acl resource"
+
+draft = false
+
+
+[menu.aws]
+title = "aws_waf_web_acl"
+identifier = "inspec/resources/aws/aws_waf_web_acl resource"
+parent = "inspec/resources/aws"
++++
+
+Use the `aws_waf_web_acl` InSpec audit resource to test the properties of a single AWS WAF web ACL.
+
+The `AWS::WAFv2::WebACL` AWS resource defines a collection of rules to use to inspect and control web requests.
+
+For additional information, including details on parameters and properties, see the [AWS documentation on the `AWS::WAFv2::WebACL` resource](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-waf-webacl.html).
+
+## Syntax
+
+Ensure that a web ACL exists.
+
+```ruby
+describe aws_waf_web_acl(web_acl_id: 'WEB_ACL_ID') do
+ it { should exist }
+end
+```
+
+## Parameters
+
+`web_acl_id` _(required)_
+
+: The unique identifier for the web ACL.
+
+## Properties
+
+`web_acl_id`
+: The unique identifier for the web ACL.
+
+`name`
+: The name of the web ACL.
+
+`default_action.type`
+: Specifies how you want AWS WAF to respond to requests that match the settings in a Rule.
+
+`rules`
+: An array that contains the action for each Rule in a `WebACL`, the priority of the `Rule`, and the ID of the `Rule`.
+
+`rules_priorities`
+: Specifies the order in which the Rules in a WebACL are evaluated.
+
+`rules_rule_ids`
+: The RuleId for a Rule.
+
+`rules_actions`
+: Specifies the action that CloudFront or AWS WAF takes when a web request matches the conditions in the Rule.
+
+`rules_action_types`
+: Specifies how you want AWS WAF to respond to requests that match the settings in a Rule.
+
+`rules_override_actions`
+: Use the OverrideAction to test your RuleGroup.
+
+`rules_override_action_types`
+: The type of the OverrideAction to test your RuleGroup.
+
+`rules_types`
+: The rule type, either `REGULAR`, as defined by Rule, `RATE_BASED`, as defined by RateBasedRule, or `GROUP`, as defined by RuleGroup.
+
+`rules_excluded_rules`
+: An array of rules to exclude from a rule group.
+
+`rules_excluded_rules_rule_ids`
+: The unique identifier for the rule to exclude from the rule group.
+
+`web_acl_arn`
+: Tha Amazon Resource Name (ARN) of the web ACL.
+
+## Examples
+
+Ensure a web ACL is available:
+
+```ruby
+describe aws_waf_web_acl(web_acl_id: 'WEB_ACL_ID') do
+ its('web_acl_id') { should eq 'WEB_ACL_ID' }
+end
+```
+
+Ensure a web ACL name is available:
+
+```ruby
+describe aws_waf_web_acl(web_acl_id: 'WEB_ACL_ID') do
+ its('name') { should eq 'WEB_ACL_NAME' }
+end
+```
+
+Ensure a web ACL rule type is `REGULAR`:
+
+```ruby
+describe aws_waf_web_acl(web_acl_id: 'WEB_ACL_ID') do
+ its('rules_types') { should include 'REGULAR' }
+end
+```
+
+## Matchers
+
+{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}}
+
+This resource has the following special matchers.
+
+### exist
+
+Use `should` to test that the entity exists.
+
+```ruby
+describe aws_waf_web_acl(web_acl_id: 'WEB_ACL_ID') do
+ it { should exist }
+end
+```
+
+Use `should_not` to test the entity does not exist.
+
+```ruby
+describe aws_waf_web_acl(web_acl_id: 'WEB_ACL_ID') do
+ it { should_not exist }
+end
+```
+
+### be_available
+
+Use `should` to check if the entity is available.
+
+```ruby
+describe aws_waf_web_acl(web_acl_id: 'WEB_ACL_ID') do
+ it { should be_available }
+end
+```
+
+## AWS Permissions
+
+{{% inspec-aws/aws_permissions_principal action="WAF:Client:GetWebACLResponse" %}}
diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_waf_web_acls.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_waf_web_acls.md
new file mode 100644
index 0000000..69a6d77
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_waf_web_acls.md
@@ -0,0 +1,99 @@
++++
+title = "aws_waf_web_acls resource"
+
+draft = false
+
+
+[menu.aws]
+title = "aws_waf_web_acls"
+identifier = "inspec/resources/aws/aws_waf_web_acls resource"
+parent = "inspec/resources/aws"
++++
+
+Use the `aws_waf_web_acls` InSpec audit resource to test the properties of multiple of AWS WAF WebACL.
+
+The `AWS::WAFv2::WebACL` AWS resource defines a collection of rules to use to inspect and control web requests.
+
+For additional information, including details on parameters and properties, see the [AWS documentation on the `AWS::WAFv2::WebACL` resource](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-waf-webacl.html).
+
+## Syntax
+
+Ensure that web ACL exists.
+
+```ruby
+describe aws_waf_web_acls do
+ it { should exist }
+end
+```
+
+## Parameters
+
+No required parameters.
+
+## Properties
+
+`web_acl_ids`
+: The unique identifier for the web ACL.
+
+: **Field**: `web_acl_id`
+
+`names`
+: The name of the web ACL.
+
+: **Field**: `name`
+
+## Examples
+
+Ensure a web ACL is available:
+
+```ruby
+describe aws_waf_web_acls do
+ its('web_acl_ids') { should include 'WEB_ACL_ID' }
+end
+```
+
+Ensure a web ACL name is available.:
+
+```ruby
+describe aws_waf_web_acls do
+ its('names') { should include 'WEB_ACL_NAME' }
+end
+```
+
+## Matchers
+
+{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}}
+
+The controls will pass if the `list` method returns at least one result.
+
+### exist
+
+Use `should` to test that the entity exists.
+
+```ruby
+describe aws_waf_web_acls do
+ it { should exist }
+end
+```
+
+Use `should_not` to test the entity does not exist.
+
+```ruby
+describe aws_waf_web_acls do
+ it { should_not exist }
+end
+```
+
+### be_available
+
+Use `should` to check if the entity is available.
+
+```ruby
+describe aws_waf_web_acls do
+ it { should be_available }
+end
+```
+
+## AWS Permissions
+
+{{% inspec-aws/aws_permissions_principal action="WAF:Client:ListWebACLsResponse" %}}
diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_waf_xss_match_match_set.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_waf_xss_match_match_set.md
new file mode 100644
index 0000000..525eb0f
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_waf_xss_match_match_set.md
@@ -0,0 +1,115 @@
++++
+title = "aws_waf_xss_match_set resource"
+
+draft = false
+
+
+[menu.aws]
+title = "aws_waf_xss_match_set"
+identifier = "inspec/resources/aws/aws_waf_xss_match_set resource"
+parent = "inspec/resources/aws"
++++
+
+Use the `aws_waf_xss_match_set` InSpec audit resource to test the properties of a single AWS WAF `XssMatchSet` object.
+
+For additional information, including details on parameters and properties, see the [AWS documentation on the `AWS::WAF::XssMatchSet` resource](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-waf-xssmatchset.html).
+
+## Syntax
+
+Ensure that an `XssMatchSet` object exists.
+
+```ruby
+describe aws_waf_xss_match_set(xss_match_set_id: 'XSS_MATCH_SET_ID') do
+ it { should exist }
+end
+```
+
+## Parameters
+
+`xss_match_set_id` _(required)_
+
+: A unique identifier for an `XssMatchSet`.
+
+## Properties
+
+`xss_match_set_id`
+: A unique identifier for an `XssMatchSet`.
+
+`name`
+: The name of the `XssMatchSet`.
+
+`xss_match_tuples`
+: Specifies the parts of web requests that you want to inspect for cross-site scripting attacks.
+
+`xss_match_tuples_field_to_match_types`
+: The part of the web request that you want AWS WAF to search for a specified string.
+
+`xss_match_tuples_field_to_match_data`
+: When the value of Type is HEADER , enter the name of the header that you want AWS WAF to search, for example, User-Agent or Referer.
+
+`xss_match_tuples_text_transformations`
+: Text transformations eliminate some of the unusual formatting that attackers use in web requests in an effort to bypass AWS WAF.
+
+## Examples
+
+Ensure an `XssMatchSet` object is available:
+
+```ruby
+describe aws_waf_xss_match_set(xss_match_set_id: 'XSS_MATCH_SET_ID') do
+ its('xss_match_set_id') { should eq 'XSS_MATCH_SET_ID' }
+end
+```
+
+Verify the name of an `XssMatchSet` object:
+
+```ruby
+describe aws_waf_xss_match_set(xss_match_set_id: 'XSS_MATCH_SET_ID') do
+ its('name') { should eq 'XSS_MATCH_SET_NAME' }
+end
+```
+
+Verify an `XssMatchSet` object has a type of `URI`:
+
+```ruby
+describe aws_waf_xss_match_set(xss_match_set_id: 'XSS_MATCH_SET_ID') do
+ its('xss_match_tuples_field_to_match_types') { should include 'URI' }
+end
+```
+
+## Matchers
+
+{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}}
+
+This resource has the following special matchers.
+
+### exist
+
+Use `should` to test that the entity exists.
+
+```ruby
+describe aws_waf_xss_match_set(xss_match_set_id: 'XSS_MATCH_SET_ID') do
+ it { should exist }
+end
+```
+
+Use `should_not` to test the entity does not exist.
+
+```ruby
+describe aws_waf_xss_match_set(xss_match_set_id: 'XSS_MATCH_SET_ID') do
+ it { should_not exist }
+end
+```
+
+### be_available
+
+Use `should` to check if the entity is available.
+
+```ruby
+describe aws_waf_xss_match_set(xss_match_set_id: 'XSS_MATCH_SET_ID') do
+ it { should be_available }
+end
+```
+
+## AWS Permissions
+
+{{% inspec-aws/aws_permissions_principal action="WAF:Client:GetXssMatchSetResponse" %}}
diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_waf_xss_match_match_sets.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_waf_xss_match_match_sets.md
new file mode 100644
index 0000000..f1260c9
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/content/aws_waf_xss_match_match_sets.md
@@ -0,0 +1,87 @@
++++
+title = "aws_waf_xss_match_sets resource"
+
+draft = false
+
+
+[menu.aws]
+title = "aws_waf_xss_match_sets"
+identifier = "inspec/resources/aws/aws_waf_xss_match_sets resource"
+parent = "inspec/resources/aws"
++++
+
+Use the `aws_waf_xss_match_sets` InSpec audit resource to test the properties of multiple AWS WAF `XssMatchSet` objects.
+
+For additional information, including details on parameters and properties, see the [AWS documentation on the `AWS::WAF::XssMatchSet` resource](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-waf-xssmatchset.html).
+
+## Syntax
+
+Ensure that any `XssMatchSet` object exists.
+
+```ruby
+describe aws_waf_xss_match_sets do
+ it { should exist }
+end
+```
+
+## Parameters
+
+This resource does not require any parameters.
+
+## Properties
+
+`xss_match_set_ids`
+: A unique identifier for an `XssMatchSet`.
+
+: **Field**: `xss_match_set_id`
+
+`names`
+: The name of the `XssMatchSet`.
+
+: **Field**: `name`
+
+## Examples
+
+Verify an `XssMatchSet` object is available by ID:
+
+```ruby
+describe aws_waf_xss_match_sets do
+ its('xss_match_set_ids') { should include 'XSS_MATCH_SET_ID' }
+end
+```
+
+Verify an `XssMatchSet` object name is available:
+
+```ruby
+describe aws_waf_xss_match_sets do
+ its('names') { should include 'XSS_MATCH_SET_NAME' }
+end
+```
+
+## Matchers
+
+{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}}
+
+The controls will pass if the `list` method returns at least one result.
+
+### exist
+
+Use `should` to test that the entity exists.
+
+```ruby
+describe aws_waf_xss_match_sets do
+ it { should exist }
+end
+```
+
+Use `should_not` to test the entity does not exist.
+
+```ruby
+describe aws_waf_xss_match_sets do
+ it { should_not exist }
+end
+```
+
+## AWS Permissions
+
+{{% inspec-aws/aws_permissions_principal action="WAF:Client:ListXssMatchSetsResponse" %}}
diff --git a/_vendor/github.com/inspec/inspec-aws/docs-chef-io/layouts/shortcodes/inspec-aws/aws_permissions_principal.md b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/layouts/shortcodes/inspec-aws/aws_permissions_principal.md
new file mode 100644
index 0000000..707cbe7
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-aws/docs-chef-io/layouts/shortcodes/inspec-aws/aws_permissions_principal.md
@@ -0,0 +1,2 @@
+
+Your [AWS principal](https://docs.aws.amazon.com/IAM/latest/UserGuide/intro-structure.html) will need the `{{ .Get "action" }}` action with `Effect` set to `Allow`.
diff --git a/_vendor/github.com/inspec/inspec-azure/docs-chef-io/assets/release-notes/inspec-azure/release-dates.json b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/assets/release-notes/inspec-azure/release-dates.json
new file mode 100644
index 0000000..1532998
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/assets/release-notes/inspec-azure/release-dates.json
@@ -0,0 +1,4 @@
+[
+ "2021-10-08",
+ "2022-01-07"
+]
diff --git a/_vendor/github.com/inspec/inspec-azure/docs-chef-io/config.toml b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/config.toml
new file mode 100644
index 0000000..c39b86f
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/config.toml
@@ -0,0 +1,2 @@
+[params.inspec-azure]
+gh_path = "https://github.com/inspec/inspec-azure/tree/main/docs-chef-io/content/"
diff --git a/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/_index.md b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/_index.md
new file mode 100644
index 0000000..d6c5ec6
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/_index.md
@@ -0,0 +1,110 @@
++++
+title = "About the Chef InSpec Azure resource pack"
+
+draft = false
+linkTitle = "Azure resource pack"
+summary = "Chef InSpec resources for auditing Azure."
+
+[cascade]
+ [cascade.params]
+ platform = "azure"
+
+[menu.azure]
+ title = "About Azure resources"
+ identifier = "inspec/resources/azure/about"
+ parent = "inspec/resources/azure"
+ weight = 10
++++
+
+Chef InSpec provides resources for auditing Azure infrastructure, including virtual machines, storage accounts, databases, and networking components. These resources help you verify that your Azure environment meets security and compliance requirements.
+
+## Initialize an InSpec profile for auditing Azure
+
+You can create a profile for testing Azure resources with `inspec init profile`:
+
+```bash
+inspec init profile --platform azure
+```
+
+If your `inputs.yml` file contains your Azure project ID, you can execute this sample profile using the following command:
+
+```bash
+inspec exec --input-file=/inputs.yml -t azure://
+```
+
+## Set Azure credentials
+
+To use Chef InSpec Azure resources, you need to create a service principal Name (SPN) to audit an Azure subscription.
+
+You can create an SPN using the command line or from the Azure Portal:
+
+- [Azure CLI](https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-group-authenticate-service-principal-cli)
+- [PowerShell](https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-group-authenticate-service-principal)
+- [Azure Portal](https://learn.microsoft.com/en-us/entra/identity-platform/howto-create-service-principal-portal)
+
+You can specify the SPN information in one of three ways:
+
+- In the `~/.azure/credentials` file
+- As environment variables
+- Using Chef InSpec target URIs
+
+### Set the Azure credentials file
+
+By default, Chef InSpec looks at `~/.azure/credentials`, and it should contain:
+
+```powershell
+[]
+client_id = ""
+client_secret = ""
+tenant_id = ""
+```
+
+{{< note >}}
+
+In the Azure web portal, these values have different labels:
+
+- The Azure web portal calls the `client_id` the **Application ID**
+- The Azure web portal calls the `client_secret` the **Key (Password Type)**
+- The Azure web portal calls the `tenant_id` the **Directory ID**
+
+{{< /note >}}
+
+After you set up the credentials, you can execute Chef InSpec:
+
+```bash
+inspec exec -t azure://
+```
+
+### Provide credentials using environment variables
+
+As an alternative to the credentials file, you can set the Azure credentials using environment variables:
+
+- `AZURE_SUBSCRIPTION_ID`
+- `AZURE_CLIENT_ID`
+- `AZURE_CLIENT_SECRET`
+- `AZURE_TENANT_ID`
+
+For example:
+
+```bash
+AZURE_SUBSCRIPTION_ID="2fbdbb02-df2e-11e6-bf01-fe55135034f3" \
+AZURE_CLIENT_ID="58dc4f6c-df2e-11e6-bf01-fe55135034f3" \
+AZURE_CLIENT_SECRET="Jibr4iwwaaZwBb6W" \
+AZURE_TENANT_ID="6ad89b58-df2e-11e6-bf01-fe55135034f3" inspec exec my-profile -t azure://
+```
+
+### Provide credentials using Chef InSpec target option
+
+If you have several Azure subscriptions configured in your `~/.azure/credentials` file, you can use the Chef InSpec command line `--target` / `-t` option to select a 
specific subscription ID. For example:
+
+```bash
+inspec exec my-profile -t azure://2fbdbb02-df2e-11e6-bf01-fe55135034f3
+```
+
+## Azure resources
+
+{{< inspec_resources_filter >}}
+
+The following Chef InSpec Azure resources are available in this resource pack.
+
+{{< inspec_resources section="azure" platform="azure" >}}
diff --git a/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_active_directory_domain_service.md b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_active_directory_domain_service.md
new file mode 100644
index 0000000..4224a20
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_active_directory_domain_service.md
@@ -0,0 +1,108 @@
++++
+title = "azure_active_directory_domain_service resource"
+
+draft = false
+
+
+[menu.azure]
+title = "azure_active_directory_domain_service"
+identifier = "inspec/resources/azure/azure_active_directory_domain_service resource"
+parent = "inspec/resources/azure"
++++
+
+Use the `azure_active_directory_domain_service` InSpec audit resource to test the properties of an Azure Active Directory service within a tenant.
+
+## Azure REST API version, endpoint, and HTTP client parameters
+
+{{< readfile file="content/reusable/md/inspec_azure_common_parameters.md" >}}
+
+## Syntax
+
+```ruby
+describe azure_active_directory_domain_service(id: 'example.com') do
+ it { should exist }
+end
+```
+
+## Parameters
+
+Either one of the following parameters is mandatory.
+
+`id`
+: Domain ID.
+
+ For example, `example.com`
+
+## Properties
+
+`id`
+: The fully qualified name of the domain. Key, immutable, not nullable, and unique.
+
+`authenticationType`
+: Indicates the configured authentication type for the domain. The value is either `Managed` or `Federated`.
+
+`availabilityStatus`
+: This property is always `null` except when the verify action is used.
+
+`isAdminManaged`
+: The value of the property is `false` if the DNS record management of the domain has been delegated to Microsoft 365.
+
+`isDefault`
+: `true` if this is the default domain used for user creation. There is only one default domain per company. Not nullable.
+
+`isInitial`
+: `true` if this is the initial domain created by Microsoft Online Services (`companyname.onmicrosoft.com`). There is only one initial domain per company.
+
+`isRoot`
+: `true` if the domain is a verified root domain. Otherwise, `false` if the domain is a subdomain or unverified.
+
+`isVerified`
+: `true` if the domain has completed domain ownership verification.
+
+`passwordNotificationWindowInDays`
+: Specifies the number of days before a user receives notification that their password will expire. 
A default value of `14 days` will be used if the property is not set.
+
+`passwordValidityPeriodInDays`
+: Specifies the length of time that a password is valid before it must be changed. A default value of `90 days` will be used if the property is not set.
+
+`supportedServices`
+: The capabilities assigned to the domain.
+
+`state`
+: Status of asynchronous operations scheduled for the domain.
+
+## Examples
+
+Test if an active directory domain is referenced with a valid ID:
+
+```ruby
+describe azure_active_directory_domain_service(id: 'example.com') do
+ it { should exist }
+end
+```
+
+Test if an active directory domain is referenced with an invalid ID:
+
+```ruby
+describe azure_active_directory_domain_service(id: 'example.com') do
+ it { should_not exist }
+end
+```
+
+## Matchers
+
+{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}}
+
+This resource has the following special matchers.
+
+### exists
+
+```ruby
+describe azure_active_directory_domain_service(id: 'example.onmicrosoft.com') do
+ it { should exist }
+end
+```
+
+## Azure permissions
+
+Graph resources require specific privileges granted to your service principal. Please refer to the [Microsoft Documentation](https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-integrating-applications#updating-an-application) for information on how to grant these permissions to your application.
diff --git a/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_active_directory_domain_services.md b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_active_directory_domain_services.md
new file mode 100644
index 0000000..1b64b90
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_active_directory_domain_services.md
@@ -0,0 +1,161 @@
++++
+title = "azure_active_directory_domain_services resource"
+
+draft = false
+
+
+[menu.azure]
+title = "azure_active_directory_domain_services"
+identifier = "inspec/resources/azure/azure_active_directory_domain_services resource"
+parent = "inspec/resources/azure"
++++
+
+Use the `azure_active_directory_domain_services` InSpec audit resource to test the properties of some or all Azure Active Directory domains within a tenant.
+
+## Azure REST API version, endpoint, and HTTP client parameters
+
+{{< readfile file="content/reusable/md/inspec_azure_common_parameters.md" >}}
+
+## Syntax
+
+An `azure_active_directory_domain_services` resource block returns all Azure Active Directory domains contained within the configured tenant and then tests that group of domains.
+
+```ruby
+describe azure_active_directory_domain_services do
+ #...
+end
+```
+
+## Parameters
+
+The following parameters can be passed for targeting specific domains.
+
+`filter`
+: A hash containing the filtering options and their values. The `starts_with_` operator can be used for fuzzy string matching. Parameter names are in the snake case.
+
+ For example, `{ starts_with_given_name: 'J', starts_with_department: 'Core', country: 'United Kingdom', given_name: John}`
+
+`filter_free_text`
+: [OData](https://www.odata.org/getting-started/basic-tutorial/) query string in double quotes, `"`.
+
+ Property names are in camel case. For more information, refer to [Microsoft's query parameters documentation](https://docs.microsoft.com/en-us/graph/query-parameters#filter-parameter).
+
+ For example, `"startswith(displayName,'J') and surname eq 'Doe'"` or `"userType eq 'Guest'"`
+
+It is advised to use these parameters to narrow down the targeted resources at the server side, Azure Graph API, for a more efficient test.
+
+## Properties
+
+`ids`
+: A list of fully qualified names of the domain. 
+
+ Field: `id`
+
+`authentication_types`
+: A list of the configured authentication types for the domain.
+
+ Field: `authenticationType`
+
+`availability_statuses`
+: A list of domain entities when verify action is set.
+
+ Field: `availabilityStatus`
+
+`is_admin_manageds`
+: A list of admin-managed configurations.
+
+ Field: `isAdminManaged`
+
+`is_defaults`
+: A list of flags to indicate if they are default domains.
+
+ Field: `isDefault`
+
+`is_initials`
+: A list of flags to indicate if they are initial domains created by Microsoft Online Services.
+
+ Field: `isInitial`
+
+`is_roots`
+: A list of flags to indicate if they are verified root domains.
+
+ Field: `isRoot`
+
+`is_verifieds`
+: A list of flags to indicate if the domains have completed domain ownership verification.
+
+ Field: `isVerified`
+
+`password_notification_window_in_days`
+: A list of password notification window days.
+
+ Field: `passwordNotificationWindowInDays`
+
+`password_validity_period_in_days`
+: A list of password validity periods in days.
+
+ Field: `passwordValidityPeriodInDays`
+
+`supported_services`
+: A list of capabilities assigned to the domain.
+
+ Field: `supportedServices`
+
+`states`
+: A list of asynchronous operations scheduled.
+
+ Field: `state`
+
+{{< note >}}
+
+{{< readfile file="content/reusable/md/inspec_filter_table.md" >}}
+
+{{< /note>}}
+
+## Examples
+
+The following examples show how to use this InSpec audit resource. 
+
+Check domains with some filtering parameters applied at the server side using 'filter':
+
+```ruby
+describe azure_active_directory_domain_services(filter: {authenticationType: "authenticationType-value"}) do
+ it { should exist }
+end
+```
+
+Check domains with some filtering parameters applied at the server side using 'filter_free_text':
+
+```ruby
+describe azure_active_directory_domain_services(filter_free_text: "startswith(authenticationType,'authenticationType-value')") do
+ it { should exist }
+end
+```
+
+Test to ensure there are supported services using client-side filtering:
+
+```ruby
+describe azure_active_directory_domain_services.supportedServices do
+ it { should_not exist }
+end
+```
+
+## Matchers
+
+{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}}
+
+This resource has the following special matchers.
+
+### exists
+
+The control passes if the filter returns at least one result. Use `should_not` if you expect zero matches.
+
+```ruby
+describe azure_active_directory_domain_services do
+ it { should_not exist }
+end
+```
+
+## Azure permissions
+
+Graph resources require specific privileges granted to your service principal. Please refer to the [Microsoft Documentation](https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-integrating-applications#updating-an-application) for information on how to grant these permissions to your application.
diff --git a/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_active_directory_object.md b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_active_directory_object.md
new file mode 100644
index 0000000..a5f077a
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_active_directory_object.md
@@ -0,0 +1,168 @@
++++
+title = "azure_active_directory_object resource"
+
+draft = false
+
+
+[menu.azure]
+title = "azure_active_directory_object"
+identifier = "inspec/resources/azure/azure_active_directory_object resource"
+parent = "inspec/resources/azure"
++++
+
+Use the `azure_active_directory_object` InSpec audit resource to test the properties of an Azure Active Directory object.
+
+## Azure REST API version, endpoint, and HTTP client parameters
+
+{{< readfile file="content/reusable/md/inspec_azure_common_parameters.md" >}}
+
+## Syntax
+
+```ruby
+describe azure_active_directory_object(id: 'ACTIVE_DIRECTORY_OBJECT_ID') do
+ it { should exist }
+end
+```
+
+## Parameters
+
+Parameter `id` is mandatory.
+
+`id`
+: The Active Directory object ID.
+
+ For example, `0bf29229-50d7-433c-b08e-2a5d8b293cb5`
+
+## Properties
+
+`id`
+: The object's globally unique ID.
+
+`deletedDateTime`
+: The date and time that the object was deleted.
+
+`classification`
+: The classification of the AD object.
+
+`createdDateTime`
+: The created Datetime of the AD object.
+
+`creationOptions`
+: The creationOptions of the AD object.
+
+`description`
+: The description of the AD object.
+
+`displayName`
+: The display name of the AD object.
+
+`expirationDateTime`
+: The expiration Datetime of the AD object.
+
+`groupTypes`
+: The group types of the AD object group.
+
+`isAssignableToRole`
+: The roles assignable to the AD object.
+
+`mail`
+: The configured mail for the AD object.
+
+`mailEnabled`
+: The mail-enabled configuration parameter.
+
+`mailNickname`
+: The mail nickname configuration.
+
+`membershipRule`
+: The membership rule for the AD object.
+
+`membershipRuleProcessingState`
+: The processing state of the membership rule.
+
+`onPremisesDomainName`
+: The specified domain name for the on-premises domain.
+
+`onPremisesLastSyncDateTime`
+: The on-premises latest sync date time.
+
+`onPremisesNetBiosName`
+: The on-premises net bios name. 
+
+`onPremisesSamAccountName`
+: The on-premises SAM account name.
+
+`onPremisesSecurityIdentifier`
+: The on-premises security identifier.
+
+`onPremisesSyncEnabled`
+: The on-premises sync enabled configuration.
+
+`onPremisesProvisioningErrors`
+: The on-premises provisioning errors.
+
+`preferredDataLocation`
+: The preferred data location.
+
+`preferredLanguage`
+: The preferred language.
+
+`proxyAddresses`
+: The proxy addresses for the object.
+
+`renewedDateTime`
+: The renewed date time of the AD object.
+
+`resourceBehaviorOptions`
+: The behavior options set for the resource.
+
+`resourceProvisioningOptions`
+: The resource provisioning options set.
+
+`securityEnabled`
+: The security-enabled configured.
+
+`securityIdentifier`
+: The security identifier configured.
+
+`theme`
+: The theme of the object.
+
+`visibility`
+: The visibility status of the object.
+
+## Examples
+
+Test if an Active Directory object is referenced with a valid ID:
+
+```ruby
+describe azure_active_directory_object(id: 'ACTIVE_DIRECTORY_OBJECT_ID') do
+ it { should exist }
+end
+```
+
+Test if an Active Directory object is referenced with an invalid ID:
+
+```ruby
+describe azure_active_directory_object(id: 'ACTIVE_DIRECTORY_OBJECT_ID') do
+ it { should_not exist }
+end
+```
+
+## Matchers
+
+{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}}
+
+This resource has the following special matchers.
+
+### exists
+
+```ruby
+describe azure_active_directory_object(id: 'ACTIVE_DIRECTORY_OBJECT_ID') do
+ it { should exist }
+end
+```
+
+## Azure permissions
+
+Graph resources require specific privileges granted to your service principal. Please refer to the [Microsoft Documentation](https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-integrating-applications#updating-an-application) for information on how to grant these permissions to your application. 
diff --git a/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_active_directory_objects.md b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_active_directory_objects.md
new file mode 100644
index 0000000..0e0e0ad
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_active_directory_objects.md
@@ -0,0 +1,90 @@ ++++ +title = "azure_active_directory_objects resource" + +draft = false + + +[menu.azure] +title = "azure_active_directory_objects" +identifier = "inspec/resources/azure/azure_active_directory_objects resource" +parent = "inspec/resources/azure" ++++ + +Use the `azure_active_directory_objects` InSpec audit resource to test the properties and configuration of multiple Azure Active Directory objects. + +## Azure REST API version, endpoint, and HTTP client parameters + +{{< readfile file="content/reusable/md/inspec_azure_common_parameters.md" >}} + +## Syntax + +An `azure_active_directory_objects` resource block returns all Active Directory objects for the current service principle. + +```ruby +describe azure_active_directory_objects do + #... +end +``` + +## Parameters + +This resource does not require any parameters. + +## Properties + +`values` +: A list of the unique directory object values. + + Field: `value` + +{{< note >}} + +{{< readfile file="content/reusable/md/inspec_filter_table.md" >}} + +{{< /note>}} + +## Examples + +Iterate over and test the visibility of Active Directory objects: + +```ruby + azure_active_directory_objects.values.each do |value| + describe azure_active_directory_object(id: value) do + it { should exist } + its('visibility') { should_not be_empty } + end + end + +``` + +## Matchers + +{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}} + +This resource has the following special matchers. + +### exists + +The control passes if the filter returns at least one result. Use `should_not` if you expect zero matches. + +```ruby +# If we expect the current service principle to have AD objects. + +describe azure_active_directory_objects do + it { should exist } +end +``` + +### not_exists + +```ruby +# If we expect the current service principle not to have AD objects. 
+ +describe azure_active_directory_objects do + it { should_not exist } +end +``` + +## Azure permissions + +{{% inspec-azure/azure_permissions_service_principal role="contributor" %}} diff --git a/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_aks_cluster.md b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_aks_cluster.md new file mode 100644 index 0000000..80b45e8 --- /dev/null +++ b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_aks_cluster.md 
@@ -0,0 +1,144 @@ ++++ +title = "azure_aks_cluster resource" + +draft = false + + +[menu.azure] +title = "azure_aks_cluster" +identifier = "inspec/resources/azure/azure_aks_cluster resource" +parent = "inspec/resources/azure" ++++ + +Use the `azure_aks_cluster` InSpec audit resource to test the properties of an Azure AKS Cluster. + +## Azure REST API version, endpoint, and HTTP client parameters + +{{< readfile file="content/reusable/md/inspec_azure_common_parameters.md" >}} + +## Syntax + +An `azure_aks_cluster` resource block identifies an AKS Cluster by `name` and `resource_group`, or the `resource_id`. + +```ruby +describe azure_aks_cluster(resource_group: 'RESOURCE_GROUP', name: 'CLUSTER_NAME') do + it { should exist } +end +``` + +```ruby +describe azure_aks_cluster(resource_id: '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroup}/providers/Microsoft.ContainerService/managedClusters/{ClusterName}') do + it { should exist } +end +``` + +## Parameters + +`resource_group` +: Azure resource group where the targeted resource resides. + +`name` +: Name of the AKS cluster to test. + +`resource_id` +: The unique resource ID. + +Either one of the parameter sets can be provided for a valid query: + +- `resource_id` +- `resource_group` and `name` + +## Properties + +`identity` +: The identity of the managed cluster, if configured. It is a [managed cluster identity object](https://docs.microsoft.com/en-us/rest/api/aks/managedclusters/get#managedclusteridentity). + +`sku` +: The SKU (pricing tier) of the resource. + +`diagnostic_settings` +: The diagnostic settings for the resource group that the AKS cluster is within. + +`enabled_logging_types` +: The logging types that are enabled for the AKS cluster. + +`disabled_logging_types` +: The logging types that are disabled for the AKS cluster. + +For properties applicable to all resources, such as `type`, `name`, `id`, and `properties`, refer to [`azure_generic_resource`](azure_generic_resource#properties). 
+ +Also, see the [Azure documentation](https://docs.microsoft.com/en-us/rest/api/aks/managedclusters/get#managedcluster) for other available properties. You can access any attribute in the response with the key names separated by dots (`.`). + +## Examples + +Test that an AKS Cluster has the desired network plug-in: + +```ruby +describe azure_aks_cluster('RESOURCE_GROUP', name: 'CLUSTER_NAME') do + its('properties.networkProfile.networkPlugin') { should cmp 'kubenet' } +end +``` + +Loop through all clusters within the subscription: + +```ruby +azure_aks_clusters.ids.each do |resource_id| + describe azure_aks_cluster(resource_id: resource_id) do + its('properties.networkProfile.networkPlugin') { should cmp 'kubenet' } + end +end +``` + +Test that a specified AKS Cluster has the correct number of nodes in pool: + +```ruby +describe azure_aks_cluster('RESOURCE_GROUP', name: 'CLUSTER_NAME') do + its('properties.agentPoolProfiles.first.count') { should cmp 5 } +end +``` + +Test that a specified AKS Cluster has kube-audit logging enabled: + +```ruby +describe azure_aks_cluster('RESOURCE_GROUP', name: 'CLUSTER_NAME') do + its('enabled_logging_types') { should include "kube-audit" } +end +``` + +Test that a specified AKS Cluster has logging enabled on it and no forms of logging are disabled: + +```ruby +describe azure_aks_cluster('RESOURCE_GROUP', name: 'CLUSTER_NAME') do + its('disabled_logging_types.count') { should eq 0 } +end +``` + +See [integration tests](https://github.com/inspec/inspec-azure/blob/main/test/integration/verify/controls/azure_aks_cluster.rb) for more examples. + +## Matchers + +This InSpec audit resource has the following special matchers. For a full list of available matchers, please visit [Universal Matchers page](https://docs.chef.io/inspec/matchers/). + +### exists + +```ruby +# If we expect 'CLUSTERNAME' to always exist. 
+ +describe azure_aks_cluster('RESOURCE_GROUP', name: 'CLUSTER_NAME') do + it { should exist } +end +``` + +### not_exists + +```ruby +# If we expect 'CLUSTERNAME' to never exist. + +describe azure_aks_cluster('RESOURCE_GROUP', name: 'CLUSTER_NAME') do + it { should_not exist } +end +``` + +## Azure permissions + +{{% inspec-azure/azure_permissions_service_principal role="contributor" %}} diff --git a/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_aks_clusters.md b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_aks_clusters.md new file mode 100644 index 0000000..12e6751 --- /dev/null +++ b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_aks_clusters.md 
@@ -0,0 +1,116 @@ ++++ +title = "azure_aks_clusters resource" + +draft = false + + +[menu.azure] +title = "azure_aks_clusters" +identifier = "inspec/resources/azure/azure_aks_clusters resource" +parent = "inspec/resources/azure" ++++ + +Use the `azure_aks_clusters` InSpec audit resource to test the properties and configuration of multiple Azure AKS Clusters. + +## Azure REST API version, endpoint, and HTTP client parameters + +{{< readfile file="content/reusable/md/inspec_azure_common_parameters.md" >}} + +## Syntax + +An `azure_aks_clusters` resource block returns all AKS Clusters, either within a Resource Group (if provided) or within an entire Subscription. + +```ruby +describe azure_aks_clusters do + #... +end +``` + +Or + +```ruby +describe azure_aks_clusters(resource_group: 'RESOURCE_GROUP') do + #... +end +``` + +## Parameters + +`resource_group` _(optional)_ + +: The name of the resource group. + +## Properties + +`ids` +: A list of the unique resource IDs. + + Field: `id` + +`locations` +: A list of locations for all the resources being interrogated. + + Field: `location` + +`names` +: A list of names of all the resources being interrogated. + + Field: `name` + +`tags` +: A list of `tag:value` pairs defined on the resources being interrogated. + + Field: `tags` + +`properties` +: A list of properties for all the resources being interrogated. + + Field: `properties` + +{{< note >}} + +{{< readfile file="content/reusable/md/inspec_filter_table.md" >}} + +{{< /note>}} + +## Examples + +Test that an example Resource Group has the named AKS Cluster: + +```ruby +describe azure_aks_clusters(resource_group: 'RESOURCE_GROUP') do + its('names') { should include('ClusterName') } +end +``` + +## Matchers + +{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}} + +This resource has the following special matchers. + +### exists + +The control passes if the filter returns at least one result. Use `should_not` if you expect zero matches. 
+ +```ruby +# If we expect 'EXAMPLEGROUP' Resource Group to have AKS Clusters. + +describe azure_aks_clusters(resource_group: 'EXAMPLEGROUP') do + it { should exist } +end +``` + +### not_exists + +```ruby +# If we expect 'EMPTYEXAMPLEGROUP' Resource Group not to have AKS Clusters. + +describe azure_aks_clusters(resource_group: 'EMPTYEXAMPLEGROUP') do + it { should_not exist } +end +``` + +## Azure permissions + +{{% inspec-azure/azure_permissions_service_principal role="contributor" %}} diff --git a/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_api_management.md b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_api_management.md new file mode 100644 index 0000000..ee1b6f0 --- /dev/null +++ b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_api_management.md 
@@ -0,0 +1,115 @@ ++++ +title = "azure_api_management resource" + +draft = false + + +[menu.azure] +title = "azure_api_management" +identifier = "inspec/resources/azure/azure_api_management resource" +parent = "inspec/resources/azure" ++++ + +Use the `azure_api_management` InSpec audit resource to test the properties and configuration of an Azure API Management Service. + +## Azure REST API version, endpoint, and HTTP client parameters + +{{< readfile file="content/reusable/md/inspec_azure_common_parameters.md" >}} + +## Syntax + +`resource_group` and `name`, or the `resource_id` are required parameters. + +```ruby +describe azure_api_management(resource_group: 'RESOURCE_GROUP', name: 'NAME') do + it { should exist } +end +``` + +```ruby +describe azure_api_management(resource_id: '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroup}/providers/Microsoft.ApiManagement/service/{apim01}') do + it { should exist } +end +``` + +## Parameters + +`resource_group` +: Azure resource group where the targeted resource resides. + +`name` +: The unique name of the API Management Service. + +`api_management_name` +: Alias for the `name` parameter. + +`resource_id` +: The unique resource ID. + +Either one of the parameter sets can be provided for a valid query: + +- `resource_id` +- `resource_group` and `name` +- `resource_group` and `api_management_name` + +## Properties + +`identity` +: Managed service identity of the API Management service. It is an [API Management Service](https://docs.microsoft.com/en-us/rest/api/apimanagement/current-ga/api-management-service/get?tabs=HTTP#apimanagementservicegetservice). + +`sku` +: The SKU (pricing tier) of the resource. + +For properties applicable to all resources, such as `type`, `name`, `id`, and `properties`, refer to [`azure_generic_resource`](azure_generic_resource#properties). 
+ +Also, see the [Azure documentation](https://docs.microsoft.com/en-us/rest/api/apimanagement/current-ga/api-management-service/get?tabs=HTTP) for other available properties. You can access any attribute in the response with the key names separated by dots (`.`). + +## Examples + +Test API Management Service's publisher Email value: + +```ruby +describe azure_api_management(resource_group: RESOURCE_GROUP, api_management_name: API_MANAGEMENT_NAME) do + its('properties.publisherEmail') { should eq 'company@inspec.io' } +end +``` + +Loop through resources via plural resource: + +```ruby +azure_api_managements.ids.each do |resource_id| + describe azure_api_management(resource_id: resource_id) do + its('properties.publisherEmail') { should eq 'company@inspec.io' } + end +end +``` + +See [integration tests](https://github.com/inspec/inspec-azure/blob/main/test/integration/verify/controls/azure_api_management.rb) for more examples. + +## Matchers + +This InSpec audit resource has the following special matchers. For a full list of available matchers, please visit our [Universal Matchers page](https://docs.chef.io/inspec/matchers/). + +### exists + +```ruby +# If we expect 'APIM01' always to exist. + +describe azure_api_management(resource_group: 'RESOURCE_GROUP', name: 'APIM01') do + it { should exist } +end +``` + +### not_exists + +```ruby +# If we expect 'APIM01' to never exist. + +describe azure_api_management(resource_group: 'RESOURCE_GROUP', name: 'APIM01') do + it { should_not exist } +end +``` + +## Azure permissions + +{{% inspec-azure/azure_permissions_service_principal role="contributor" %}} diff --git a/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_api_managements.md b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_api_managements.md new file mode 100644 index 0000000..0fde997 --- /dev/null +++ b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_api_managements.md 
@@ -0,0 +1,130 @@ ++++ +title = "azure_api_managements resource" + +draft = false + + +[menu.azure] +title = "azure_api_managements" +identifier = "inspec/resources/azure/azure_api_managements resource" +parent = "inspec/resources/azure" ++++ + +Use the `azure_api_managements` InSpec audit resource to test the properties and configuration of Azure API Management Services. + +## Azure REST API version, endpoint, and HTTP client parameters + +{{< readfile file="content/reusable/md/inspec_azure_common_parameters.md" >}} + +## Syntax + +An `azure_api_managements` resource block returns all Azure API Management Services, either within a Resource Group (if provided) or an entire Subscription. + +```ruby +describe azure_api_managements do + #... +end +``` + +Or + +```ruby +describe azure_api_managements(resource_group: 'RESOURCE_GROUP') do + #... +end +``` + +## Parameters + +`resource_group` _(optional)_ + +: The name of the resource group. + +## Properties + +`ids` +: A list of the unique resource IDs. + + Field: `id` + +`locations` +: A list of locations for all the resources being interrogated. + + Field: `location` + +`names` +: A list of names of all the resources being interrogated. + + Field: `name` + +`tags` +: A list of `tag:value` pairs defined on the resources being interrogated. + + Field: `tags` + +`types` +: A list of the types of resources being interrogated. + + Field: `type` + +`properties` +: A list of properties for all the resources being interrogated. 
+ + Field: `properties` + +{{< note >}} + +{{< readfile file="content/reusable/md/inspec_filter_table.md" >}} + +{{< /note>}} + +## Examples + +Check API Management Services are present: + +```ruby +describe azure_api_managements do + it { should exist } + its('names') { should include 'my-apim' } +end +``` + +Filter the results to include only those with names that match the specified string value: + +```ruby +describe azure_api_managements.where{ name.eql?('production-apim-01') } do + it { should exist } +end +``` + +## Matchers + +{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}} + +This resource has the following special matchers. + +### exists + +The control passes if the filter returns at least one result. Use `should_not` if you expect zero matches. + +```ruby +# If we expect 'EXAMPLEGROUP' Resource Group to have API Management Services. + +describe azure_api_managements(resource_group: 'EXAMPLEGROUP') do + it { should exist } +end +``` + +### not_exists + +```ruby +# If we expect 'EMPTYEXAMPLEGROUP' Resource Group not to have API Management Services. + +describe azure_api_managements(resource_group: 'EMPTYEXAMPLEGROUP') do + it { should_not exist } +end +``` + +## Azure permissions + +{{% inspec-azure/azure_permissions_service_principal role="contributor" %}} diff --git a/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_application_gateway.md b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_application_gateway.md new file mode 100644 index 0000000..8cad8f4 --- /dev/null +++ b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_application_gateway.md 
@@ -0,0 +1,111 @@ ++++ +title = "azure_application_gateway resource" + +draft = false + + +[menu.azure] +title = "azure_application_gateway" +identifier = "inspec/resources/azure/azure_application_gateway resource" +parent = "inspec/resources/azure" ++++ + +Use the `azure_application_gateway` InSpec audit resource to test the properties and configuration of an Azure Application Gateway. + +## Azure REST API version, endpoint, and HTTP client parameters + +{{< readfile file="content/reusable/md/inspec_azure_common_parameters.md" >}} + +## Syntax + +`resource_group` and `name`, or the `resource_id` must be given as a parameter. + +```ruby +describe azure_application_gateway(resource_group: 'RESOURCE_GROUP', name: 'NAME') do + it { should exist } +end +``` + +```ruby +describe azure_application_gateway(resource_id: '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroup}/providers/Microsoft.Network/applicationGateways/{gatewayName}') do + it { should exist } +end +``` + +## Parameters + +`resource_group` +: Azure resource group where the targeted resource resides. + +`name` +: The unique name of the targeted resource. + +`application_gateway_name` +: Alias for the `name` parameter. + +`resource_id` +: The unique resource ID. + +Either one of the parameter sets can be provided for a valid query: + +- `resource_id` +- `resource_group` and `name` +- `resource_group` and `application_gateway_name` + +## Properties + +`identity` +: The identity of the application gateway, if configured. It is a [managed service identity object](https://docs.microsoft.com/en-us/rest/api/application-gateway/applicationgateways/get#managedserviceidentity). + +`zones` +: A list of availability zones denoting from where the resource needs to come. + +For properties applicable to all resources, such as `type`, `name`, `id`, and `properties`, refer to [`azure_generic_resource`](azure_generic_resource#properties). 
+ +Also, see the [Azure documentation](https://docs.microsoft.com/en-us/rest/api/application-gateway/applicationgateways/get#applicationgateway) for other available properties. You can access any attribute in the response with the key names separated by dots (`.`). + +## Examples + +Test the SSL policy name of an application gateway: + +```ruby +describe azure_application_gateway(resource_group: 'RESOURCE_GROUP', application_gateway_name: 'APPLICATION_GATEWAY_NAME') do + its('properties.sslPolicy.policyName') { should eq 'AppGwSslPolicy20170401S' } +end +``` + +```ruby +describe azure_application_gateway(resource_id: '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroup}/providers/Microsoft.Network/applicationGateways/{gatewayName}') do + its('properties.sslPolicy.policyName') { should eq 'AppGwSslPolicy20170401S' } +end +``` + +See [integration tests](https://github.com/inspec/inspec-azure/blob/main/test/integration/verify/controls/azure_application_gateway.rb) for more examples. + +## Matchers + +This InSpec audit resource has the following special matchers. For a full list of available matchers, please visit our [Universal Matchers page](https://docs.chef.io/inspec/matchers/). + +### exists + +```ruby +# If we expect 'APPGW-1' always to exist. + +describe azure_application_gateway(resource_group: 'RESOURCE_GROUP', name: 'APPGW-1') do + it { should exist } +end +``` + +### not_exists + +```ruby +# If we expect 'APPGW-1' never to exist. + +describe azure_application_gateway(resource_group: 'RESOURCE_GROUP', name: 'APPGW-1') do + it { should_not exist } +end +``` + +## Azure permissions + +{{% inspec-azure/azure_permissions_service_principal role="contributor" %}} diff --git a/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_application_gateways.md b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_application_gateways.md new file mode 100644 index 0000000..8a90805 --- /dev/null 
+++ b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_application_gateways.md 
@@ -0,0 +1,131 @@ ++++ +title = "azure_application_gateways resource" + +draft = false + + +[menu.azure] +title = "azure_application_gateways" +identifier = "inspec/resources/azure/azure_application_gateways resource" +parent = "inspec/resources/azure" ++++ + +Use the `azure_application_gateways` InSpec audit resource to test the properties and configuration of Azure Application Gateways. + +## Azure REST API version, endpoint, and HTTP client parameters + +{{< readfile file="content/reusable/md/inspec_azure_common_parameters.md" >}} + +## Syntax + +An `azure_application_gateways` resource block returns all Azure Application Gateways, either within a Resource Group (if provided) or an entire Subscription. + +```ruby +describe azure_application_gateways do + #... +end +``` + +Or + +```ruby +describe azure_application_gateways(resource_group: 'RESOURCE_GROUP') do + #... +end +``` + +## Parameters + +`resource_group` _(optional)_ + +: The name of the resource group. + +## Properties + +`ids` +: A list of the unique resource IDs. + + Field: `id` + +`locations` +: A list of locations for all the resources being interrogated. + + Field: `location` + +`names` +: A list of names of all the resources being interrogated. + + Field: `name` + +`tags` +: A list of `tag:value` pairs defined on the resources being interrogated. + + Field: `tags` + +`types` +: A list of the types of resources being interrogated. + + Field: `type` + +`properties` +: A list of properties for all the resources being interrogated. 
+ + Field: `properties` + +{{< note >}} + +{{< readfile file="content/reusable/md/inspec_filter_table.md" >}} + +{{< /note>}} + +## Examples + +Check Application Gateways are present: + +```ruby +describe azure_application_gateways do + it { should exist } + its('names') { should include 'my-appgw' } +end +``` + +Filter the results to include only those with names that match the specified string value: + +```ruby +describe azure_application_gateways.where{ name.eql?('production-appgw-01') } do + it { should exist } +end +``` + +## Matchers + +{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}} + +This resource has the following special matchers. + +### exists + +The control passes if the filter returns at least one result. Use `should_not` if you expect zero matches. + +```ruby +# If we expect 'EXAMPLEGROUP' Resource Group to have Application Gateways. + +describe azure_application_gateways(resource_group: 'EXAMPLEGROUP') do + it { should exist } +end +``` + +### not_exists + +```ruby + +# If we expect 'EMPTYEXAMPLEGROUP' Resource Group not to have Application Gateways. + +describe azure_application_gateways(resource_group: 'EMPTYEXAMPLEGROUP') do + it { should_not exist } +end +``` + +## Azure permissions + +{{% inspec-azure/azure_permissions_service_principal role="contributor" %}} diff --git a/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_bastion_hosts_resource.md b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_bastion_hosts_resource.md new file mode 100644 index 0000000..6b747f7 --- /dev/null +++ b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_bastion_hosts_resource.md 
@@ -0,0 +1,107 @@ ++++ +title = "azure_bastion_hosts_resource resource" + +draft = false + + +[menu.azure] +title = "azure_bastion_hosts_resource" +identifier = "inspec/resources/azure/azure_bastion_hosts_resource resource" +parent = "inspec/resources/azure" ++++ + +Use the `azure_bastion_hosts_resource` InSpec audit resource to test the properties related to a Bastion hosts resource. + +## Azure REST API version, endpoint, and HTTP client parameters + +{{< readfile file="content/reusable/md/inspec_azure_common_parameters.md" >}} + +## Syntax + +`resource_group` and bastion hosts resource `name`, or the `resource_id` are required parameters. + +```ruby +describe azure_bastion_hosts_resource(resource_group: 'RESOURCE_GROUP', name: 'NAME') do + it { should exist } +end +``` + +## Parameters + +`resource_group` +: Azure resource group where the targeted resource resides. + +`name` +: Name of the virtual network to test. + +Both the parameter sets should be provided for a valid query: `resource_group` and `name`. + +## Properties + +`name` +: Name of the Azure resource to test. + +`tags` +: A list of `tag:value` pairs defined on the resources. + +`type` +: type of Bastion hostname. + +`provisioning_state` +: State of Bastion host name creation. + +Also, see the [Azure documentation](https://docs.microsoft.com/en-us/rest/api/virtualnetwork/bastion-hosts/get) for other available properties. You can access any attribute in the response with the key names separated by dots (`.`). 
+ +## Examples + +Test to ensure that the Bastion hosts resource is from the same type: + +```ruby +describe azure_bastion_hosts_resource(resource_group: 'RESOURCE_GROUP', name: 'NAME') do + its('type') { should eq 'Microsoft.Network/bastionHosts' } +end +``` + +Test to ensure that the Bastion hosts resource is in a successful state: + +```ruby +describe azure_bastion_hosts_resource(resource_group: 'RESOURCE_GROUP', name: 'NAME') do + its('provisioning_state') { should include('Succeeded') } +end +``` + +Test to ensure that the Bastion hosts resource is from the same location: + +```ruby +describe azure_bastion_hosts_resource(resource_group: 'RESOURCE_GROUP', name: 'NAME') do + its('location') { should include df_location } +end +``` + +## Matchers + +{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}} + +### exists + +```ruby +# If a Bastion hosts resource is found, it will exist. + +describe azure_bastion_hosts_resource(resource_group: 'RESOURCE_GROUP', name: 'NAME') do + it { should exist } +end +``` + +### not_exists + +```ruby +# Bastion hosts resources that are not found, will not exist. + +describe azure_bastion_hosts_resource(resource_group: 'RESOURCE_GROUP', name: 'DOES_NOT_EXIST') do + it { should_not exist } +end +``` + +## Azure permissions + +{{% inspec-azure/azure_permissions_service_principal role="contributor" %}} diff --git a/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_bastion_hosts_resources.md b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_bastion_hosts_resources.md new file mode 100644 index 0000000..f61bec2 --- /dev/null +++ b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_bastion_hosts_resources.md 
@@ -0,0 +1,125 @@ ++++ +title = "azure_bastion_hosts_resources resource" + +draft = false + + +[menu.azure] +title = "azure_bastion_hosts_resources" +identifier = "inspec/resources/azure/azure_bastion_hosts_resources resource" +parent = "inspec/resources/azure" ++++ + +Use the `azure_bastion_hosts_resources` InSpec audit resource to test the properties of Azure Bastion hosts for a resource group or the entire subscription. + +## Azure REST API version, endpoint, and HTTP client parameters + +{{< readfile file="content/reusable/md/inspec_azure_common_parameters.md" >}} + +## Syntax + +An `azure_bastion_hosts_resource` resource block returns all Azure Bastion hosts within a resource group (if provided). + +```ruby +describe azure_bastion_hosts_resources(resource_group: 'RESOURCE_GROUP') do + .. +end +``` + +## Parameters + +`resource_group` _(optional)_ + +: The name of the resource group. + +## Properties + +`name` +: A list of the unique resource names. + + Field: `name` + +`ids` +: A list of Bastion hosts IDs. + + Field: `id` + +`tags` +: A list of `tag:value` pairs defined on the resources. + + Field: `tags` + +`provisioning_states` +: State of Bastion hosts creation. + + Field: `provisioningState` + +`types` +: Types of all the Bastion hosts. + + Field: `type` + +`properties` +: Properties of all the Bastion hosts. 
+ + Field: `properties` + +{{< note >}} + +{{< readfile file="content/reusable/md/inspec_filter_table.md" >}} + +{{< /note>}} + +## Examples + +Test to ensure that the Bastion hosts resource is from the same type: + +```ruby +describe azure_bastion_hosts_resources(resource_group: 'RESOURCE_GROUP') do + its('type') { should eq 'Microsoft.Network/bastionHosts' } +end +``` + +Test to ensure that the Bastion hosts resource is in a successful state: + +```ruby +describe azure_bastion_hosts_resources(resource_group: 'RESOURCE_GROUP') do + its('provisioning_states') { should include('Succeeded') } +end +``` + +Test to ensure that the Bastion hosts resource is from the same location: + +```ruby +describe azure_bastion_hosts_resources(resource_group: 'RESOURCE_GROUP') do + its('location') { should include df_location } +end +``` + +Test if any Bastion hosts exist in the resource group: + +```ruby +describe azure_bastion_hosts_resources(resource_group: 'RESOURCE_GROUP') do + it { should exist } +end +``` + +## Matchers + +{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}} + +This resource has the following special matchers. + +### exists + +```ruby +# Should not exist if no Bastion hots are in the resource group. + +describe azure_bastion_hosts_resources(resource_group: 'RESOURCE_GROUP') do + it { should_not exist } +end +``` + +## Azure permissions + +{{% inspec-azure/azure_permissions_service_principal role="contributor" %}} diff --git a/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_blob_service.md b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_blob_service.md new file mode 100644 index 0000000..3a479aa --- /dev/null +++ b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_blob_service.md 
@@ -0,0 +1,125 @@ ++++ +title = "azure_blob_service resource" + +draft = false + + +[menu.azure] +title = "azure_blob_service" +identifier = "inspec/resources/azure/azure_blob_service resource" +parent = "inspec/resources/azure" ++++ + +Use the `azure_blob_service` Chef InSpec audit resource to test the properties of an Azure Storage account's Blob service. + +## Azure REST API version, endpoint, and HTTP client parameters + +{{< readfile file="content/reusable/md/inspec_azure_common_parameters.md" >}} + +## Syntax + +An `azure_blob_service` resource block identifies an Azure Blob Service by `resource_group`, or the `storage_account_name`. + +```ruby +describe azure_blob_service(resource_group: 'RESOURCE_GROUP', storage_account_name: 'STORAGE_ACCOUNT_NAME') do + it { should exist } +end +``` + +## Parameters + +`resource_group` +: Azure resource group where the targeted resource resides. + +`storage_account_name` +: Name of the Storage account to test. + +## Properties + +`identity` +: The identity of the managed cluster, if configured. It is a [managed cluster identity object](https://docs.microsoft.com/en-us/rest/api/aks/managedclusters/get#managedclusteridentity). + +`id` +: Fully qualified resource ID for the resource. Ex - /subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{resourceProviderNamespace}/{resourceType}/{resourceName} + +`name` +: The name of the resource + +`properties.automaticSnapshotPolicyEnabled` +: Deprecated in favor of isVersioningEnabled property. + +`properties.changeFeed` +: The blob service properties for change feed events. + +`properties.containerDeleteRetentionPolicy` +: The blob service properties for container soft delete. + +`properties.cors` +: Specifies CORS rules for the Blob service. You can include up to five CorsRule elements in the request. If no CorsRule elements are included in the request body, all CORS rules will be deleted, and CORS will be disabled for the Blob service. 
+ +`properties.defaultServiceVersion` +: DefaultServiceVersion indicates the default version to use for requests to the Blob service if an incoming request's version is not specified. Possible values include version 2008-10-27 and all more recent versions. + +`properties.deleteRetentionPolicy` +: The blob service properties for blob soft delete. + +`properties.isVersioningEnabled` +: Versioning is enabled if set to true. + +`properties.lastAccessTimeTrackingPolicy` +: The blob service property to configure last access time based tracking policy. + +`properties.restorePolicy` +: The blob service properties for blob restore policy. + +`sku` +: Sku name and tier. + +`type` +: The type of the resource. E.g. "Microsoft.Compute/virtualMachines" or "Microsoft.Storage/storageAccounts" + +See [Azure's documentation on Blob service](https://learn.microsoft.com/en-us/rest/api/storagerp/blob-services/get-service-properties?tabs=HTTP) for a full list of available properties. You can access any attribute in the response with the key names separated by dots (`.`). + +## Examples + +Test sku name in the Blob Service: + +```ruby +describe azure_blob_service(resource_group: 'RESOURCE_GROUP', storage_account_name: 'STORAGE_ACCOUNT_NAME') do + its('sku.name') { should eq 'Standard_RAGRS' } +end +``` + +Test that type: + +```ruby +describe azure_blob_service(resource_group: 'RESOURCE_GROUP', storage_account_name: 'STORAGE_ACCOUNT_NAME') do + its('type') { should eq 'Microsoft.Storage/storageAccounts/blobServices' } +end +``` + +See [integration tests](https://github.com/inspec/inspec-azure/blob/main/test/integration/verify/controls/azure_blob_service.rb) for more examples. + +## Matchers + +This InSpec audit resource has the following special matchers. For a full list of available matchers, please visit [Universal Matchers page](https://docs.chef.io/inspec/matchers/). + +### exists + +The control passes if the filter returns at least one result. 
Use `should_not` if you expect zero matches. + +```ruby +describe azure_blob_service(resource_group: 'RESOURCE_GROUP', storage_account_name: 'STORAGE_ACCOUNT_NAME') do + it { should exist } +end +``` + +```ruby +describe azure_blob_service(resource_group: 'RESOURCE_GROUP', storage_account_name: 'STORAGE_ACCOUNT_NAME') do + it { should_not exist } +end +``` + +## Azure permissions + +{{% inspec-azure/azure_permissions_service_principal role="contributor" %}} diff --git a/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_blob_services.md b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_blob_services.md new file mode 100644 index 0000000..a07bd0e --- /dev/null +++ b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_blob_services.md 
@@ -0,0 +1,108 @@ ++++ +title = "azure_blob_services resource" + +draft = false + + +[menu.azure] +title = "azure_blob_services" +identifier = "inspec/resources/azure/azure_blob_services resource" +parent = "inspec/resources/azure" ++++ + +Use the `azure_blob_services` Chef InSpec audit resource to test the properties and configuration of multiple Azure storage accounts' Blob services. + +## Azure REST API version, endpoint, and HTTP client parameters + +{{< readfile file="content/reusable/md/inspec_azure_common_parameters.md" >}} + +## Syntax + +An `azure_blob_services` resource block returns all Azure Blob Service, either within a Resource Group (if provided) or within an entire Subscription. + +```ruby +describe azure_blob_services(resource_group: 'RESOURCE_GROUP_NAME', storage_account_name: 'STORAGE_ACCOUNT_NAME') do + it { should exist } +end +``` + +## Parameters + +`resource_group` +: Azure resource group where the targeted resource resides. + +`storage_account_name` +: Name of the Storage account to test. + +## Properties + +`ids` +: Fully qualified resource ID for the resource. Ex - /subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{resourceProviderNamespace}/{resourceType}/{resourceName} + + Field: `id` + +`names` +: The name of the resource. + + Field: `name` + +`properties` +: The property of the resource. + + Field: `properties` + +`skus` +: Sku name and tier. + + Field: `sku` + +`types` +: The type of the resource. E.g. "Microsoft.Compute/virtualMachines" or "Microsoft.Storage/storageAccounts" + + Field: `type` + +{{< note >}} + +{{< readfile file="content/reusable/md/inspec_filter_table.md" >}} + +{{< /note>}} + +See [Azure's documentation on Blob services](https://learn.microsoft.com/en-us/rest/api/storagerp/blob-services/list?tabs=HTTP) for a full list of available properties. 
+ +## Examples + +Test that an example Resource Group has the named storage account: + +```ruby +describe azure_blob_services(resource_group: 'RESOURCE_GROUP_NAME', storage_account_name: 'STORAGE_ACCOUNT_NAME') do + its('names') { should include('STORAGE_ACCOUNT_NAME') } +end +``` + +See [integration tests](https://github.com/inspec/inspec-azure/blob/main/test/integration/verify/controls/azure_blob_services.rb) for more examples. + +## Matchers + +{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}} + +This resource has the following special matchers. + +### exist + +The control passes if the filter returns at least one result. Use `should_not` if you expect zero matches. + +```ruby +describe azure_blob_services(resource_group: 'RESOURCE_GROUP_NAME', storage_account_name: 'STORAGE_ACCOUNT_NAME') do + it { should exist } +end +``` + +```ruby +describe azure_blob_services(resource_group: 'RESOURCE_GROUP_NAME', storage_account_name: 'STORAGE_ACCOUNT_NAME') do + it { should_not exist } +end +``` + +## Azure permissions + +{{% inspec-azure/azure_permissions_service_principal role="contributor" %}} diff --git a/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_cdn_profile.md b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_cdn_profile.md new file mode 100644 index 0000000..bb43325 --- /dev/null +++ b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_cdn_profile.md 
@@ -0,0 +1,105 @@ ++++ +title = "azure_cdn_profile resource" + +draft = false + + +[menu.azure] +title = "azure_cdn_profile" +identifier = "inspec/resources/azure/azure_cdn_profile resource" +parent = "inspec/resources/azure" ++++ + +Use the `azure_cdn_profile` Chef InSpec audit resource to test the properties and configuration of an Azure CDN profile. + +## Azure REST API version, endpoint, and HTTP client parameters + +{{< readfile file="content/reusable/md/inspec_azure_common_parameters.md" >}} + +## Syntax + +Either the `resource_group` and `name`, or the `resource_id` are required . + +```ruby +describe azure_cdn_profile(resource_group: 'RESOURCE_GROUP', name: 'NAME') do + it { should exist } +end +``` + +```ruby +describe azure_cdn_profile(resource_id: '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Cdn/profiles/{profileName}') do + it { should exist } +end +``` + +## Parameters + +`resource_group` +: Azure resource group that the targeted resource resides in. + +`name` +: The unique name of the CDN profile name. + +`resource_id` +: The unique resource ID. `/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Cdn/profiles/{profileName}`. + +Provide one of the following parameter sets for a valid query: + +- `resource_id` +- `resource_group` and `name` + +## Properties + +`properties.frontDoorId` +: The ID of the frontdoor. + +For properties applicable to all resources, such as `type`, `name`, `id`, `properties`, refer to [`azure_generic_resource`](azure_generic_resource#properties). + +See the [Azure CDN profile documentation](https://docs.microsoft.com/en-us/rest/api/cdn/profiles/get#profile) for other available properties. +You can access any attribute in the response with the key names separated by dots (`.`). 
+ +## Examples + +Check the resource state of a CDN profile: + +```ruby +describe azure_cdn_profile(resource_group: 'RESOURCE_GROUP', name: 'NAME') do + its('properties.resourceState') { should eq 'Active' } +end +``` + +Check the resource state of all profiles in a subscription: + +```ruby +azure_cdn_profiles.ids.each do |id| + describe azure_cdn_profile(resource_id: id) do + its('properties.resourceState') { should eq 'Active' } + end +end +``` + +## Matchers + +This Chef InSpec audit resource has the following special matchers. For a full list of available matchers, please visit our [Universal Matchers page](https://docs.chef.io/inspec/matchers/). + +### exists + +Use `exist` if a resource should exist. + +```ruby +describe azure_cdn_profile(resource_group: 'RESOURCE_GROUP', name: 'NAME') do + it { should exist } +end +``` + +Use `should_not` for a resource that should not exist. + +```ruby +describe azure_cdn_profile(resource_group: 'RESOURCE_GROUP', name: 'NAME') do + it { should_not exist } +end +``` + +## Azure permissions + +{{% inspec-azure/azure_permissions_service_principal role="reader" %}} diff --git a/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_cdn_profiles.md b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_cdn_profiles.md new file mode 100644 index 0000000..bd7b9e7 --- /dev/null +++ b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_cdn_profiles.md 
@@ -0,0 +1,139 @@ ++++ +title = "azure_cdn_profiles resource" + +draft = false + + +[menu.azure] +title = "azure_cdn_profiles" +identifier = "inspec/resources/azure/azure_cdn_profiles resource" +parent = "inspec/resources/azure" ++++ + +Use the `azure_cdn_profiles` Chef InSpec audit resource to test properties and configuration of Azure CDN profiles. + +## Azure REST API version, endpoint, and HTTP client parameters + +{{< readfile file="content/reusable/md/inspec_azure_common_parameters.md" >}} + +## Syntax + +An `azure_cdn_profiles` resource block returns all Azure CDN profiles, either within a resource group (if provided), or within an entire subscription. + +```ruby +describe azure_cdn_profiles do + #... +end +``` + +or + +```ruby +describe azure_cdn_profiles(resource_group: 'RESOURCE_GROUP') do + #... +end +``` + +## Parameters + +`resource_group` _(optional)_ + +: The name of the resource group. + +## Properties + +`ids` +: A list of the unique resource ids. + + Field: `id` + +`locations` +: A list of locations for all the resources being interrogated. + + Field: `location` + +`names` +: A list of names of all the resources being interrogated. + + Field: `name` + +`tags` +: A list of `tag:value` pairs defined on the resources being interrogated. + + Field: `tags` + +`types` +: A list of the types of resources being interrogated. + + Field: `type` + +`properties` +: A list of properties for all the resources being interrogated. + + Field: `properties` + +`skus` +: A list of the SKUs of the resources being interrogated. 
+ + Field: `sku` + +{{< note >}} + +{{< readfile file="content/reusable/md/inspec_filter_table.md" >}} + +{{< /note>}} + +## Examples + +Check that a CDN profile is present: + +````ruby +describe azure_cdn_profiles do + it { should exist } + its('names') { should include 'CDN_PROFILE' } +end +```` + +Filter the CDN profiles by name and verify that it exists: + +```ruby +describe azure_cdn_profiles.where{ name.eql?('CDN_PROFILE_NAME') } do + it { should exist } +end +``` + +Filter the CDN profiles by location and verify that at least one exists: + +```ruby +describe azure_cdn_profiles.where{ location.eql?('eastus-2') } do + it { should exist } +end +``` + +## Matchers + +{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}} + +This resource has the following special matchers. + +### exists + +The control will pass if the filter returns at least one result. + +```ruby +describe azure_cdn_profiles(resource_group: 'RESOURCE_GROUP') do + it { should exist } +end +``` + +Use `should_not` if you expect zero matches. + +```ruby +describe azure_cdn_profiles(resource_group: 'RESOURCE_GROUP') do + it { should_not exist } +end +``` + +## Azure permissions + +{{% inspec-azure/azure_permissions_service_principal role="reader" %}} diff --git a/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_container_group.md b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_container_group.md new file mode 100644 index 0000000..797f217 --- /dev/null +++ b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_container_group.md 
@@ -0,0 +1,104 @@ ++++ +title = "azure_container_group resource" + +draft = false + + +[menu.azure] +title = "azure_container_group" +identifier = "inspec/resources/azure/azure_container_group resource" +parent = "inspec/resources/azure" ++++ + +Use the `azure_container_group` InSpec audit resource to test the properties related to an Azure container group. + +## Azure REST API version, endpoint, and HTTP client parameters + +{{< readfile file="content/reusable/md/inspec_azure_common_parameters.md" >}} + +## Syntax + +`name` is a required parameter, and `resource_group` could be provided as an optional parameter. + +```ruby +describe azure_container_group(resource_group: 'RESOURCE_GROUP_NAME', name: 'CONTAINER_GROUP_NAME') do + it { should exist } + its('name') { should cmp 'demo1' } + its('type') { should cmp 'Microsoft.ContainerInstance/containerGroups' } + its('location') { should cmp 'WestUs'} +end +``` + +```ruby +describe azure_container_group(resource_group: 'RESOURCE_GROUP_NAME', name: 'CONTAINER_GROUP_NAME') do + it { should exist } +end +``` + +## Parameters + +`name` +: Name of the Azure container group to test. + +`resource_group` +: Azure resource group where the targeted resource resides. + +The parameter sets that should be provided for a valid query are `resource_group` and `name`. + +## Properties + +`id` +: The resource ID. + +`name` +: The container group name. + +`type` +: The resource type. + +`location` +: The resource location. + +`properties` +: The properties of the resource. + +For properties applicable to all resources, such as `type`, `name`, `id`, and `properties`, refer to [`azure_generic_resource`](azure_generic_resource#properties). + +Also, see the [Azure documentation](https://docs.microsoft.com/en-us/rest/api/container-instances/container-groups/get) for other available properties. You can access any attribute in the response with the key names separated by dots (`.`). 
+ +## Examples + +Test that the container group has a public IP address: + +```ruby +describe azure_container_group(resource_group: 'RESOURCE_GROUP_NAME', name: 'CONTAINER_GROUP_NAME') do + its('properties.ipAddress.type') { should eq 'Public'} +end +``` + +## Matchers + +{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}} + +### exists + +```ruby +# If a container group is found, it will exist. + +describe azure_container_group(resource_group: 'RESOURCE_GROUP_NAME', name: 'CONTAINER_GROUP_NAME') do + it { should exist } +end +``` + +### not_exists + +```ruby +# container groups that are not found, will not exist. +describe azure_container_group(resource_group: 'RESOURCE_GROUP_NAME', name: 'CONTAINER_GROUP_NAME') do + it { should_not exist } +end +``` + +## Azure permissions + +{{% inspec-azure/azure_permissions_service_principal role="contributor" %}} diff --git a/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_container_groups.md b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_container_groups.md new file mode 100644 index 0000000..1da3472 --- /dev/null +++ b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_container_groups.md 
@@ -0,0 +1,164 @@ ++++ +title = "azure_container_groups resource" + +draft = false + + +[menu.azure] +title = "azure_container_groups" +identifier = "inspec/resources/azure/azure_container_groups resource" +parent = "inspec/resources/azure" ++++ + +Use the `azure_container_groups` InSpec audit resource to test the properties related to all Azure container groups within a subscription. + +## Azure REST API version, endpoint, and HTTP client parameters + +{{< readfile file="content/reusable/md/inspec_azure_common_parameters.md" >}} + +## Syntax + +An `azure_container_groups` resource block returns all Azure container groups within a subscription. + +```ruby +describe azure_container_groups do + #... +end +``` + +## Parameters + +This resource does not require any parameters. + +## Properties + +`ids` +: A list of the unique resource IDs. + + Field: `id` + +`names` +: A list of names for all the resources. + + Field: `name` + +`types` +: A list of types for all the resources. + + Field: `type` + +`locations` +: A list of the resource location for all the resources. + + Field: `location` + +`tags` +: A list of tags for all the resources. + + Field: `tags` + +`properties` +: A list of properties all the resources. + + Field: `properties` + +`containers` +: A list of containers within the container group. + + Field: `containers` + +`init_containers` +: A list of init containers for a container group. + + Field: `init_containers` + +`image_registry_credentials` +: A list of image registry credentials through which the container group is created. + + Field: `image_registry_credentials` + +`ip_address` +: A list of IP address type of the container group. + + Field: `ip_address` + +`os_types` +: A list of operating system types required by the containers in the container group. + + Field: `os_type` + +`provisioning_states` +: A list of provisioning states of the container group. 
+ + Field: `provisioning_state` + +`volumes` +: A list of volumes that can be mounted by containers in this container group. + + Field: `volumes` + +`skus` +: A list SKUs for a container group. + + Field: `sku` + +`restart_policies` +: A list of restart policies for all containers within the container group. + + Field: `restart_policy` + +{{< note >}} + +{{< readfile file="content/reusable/md/inspec_filter_table.md" >}} + +{{< /note>}} + +## Examples + +Test to loop through container groups by their names: + +```ruby +azure_container_groups.names.each do |name| + describe azure_container_group(resource_group: 'RESOURCE_GROUP_NAME', name: 'CONTAINER_GROUP_NAME') do + it { should exist } + end +end +``` + +Test to ensure there are container groups with valid name: + +```ruby +describe azure_container_groups.where(name: 'CONTAINER_GROUP_NAME') do + it { should exist } +end +``` + +## Matchers + +{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}} + +This resource has the following special matchers. + +### exists + +```ruby +# Should not exist if no container groups are present in the subscription. + +describe azure_container_groups do + it { should_not exist } +end +``` + +### not_exists + +```ruby +# Should exist if the filter returns at least one container group in the subscription. + +describe azure_container_groups do + it { should exist } +end +``` + +## Azure permissions + +{{% inspec-azure/azure_permissions_service_principal role="contributor" %}} diff --git a/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_container_registries.md b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_container_registries.md new file mode 100644 index 0000000..f290e69 --- /dev/null +++ b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_container_registries.md 
@@ -0,0 +1,132 @@ ++++ +title = "azure_container_registries resource" + +draft = false + + +[menu.azure] +title = "azure_container_registries" +identifier = "inspec/resources/azure/azure_container_registries resource" +parent = "inspec/resources/azure" ++++ + +Use the `azure_container_registries` InSpec audit resource to test the properties and configuration of Azure Container Registries. + +## Azure REST API version, endpoint, and HTTP client parameters + +{{< readfile file="content/reusable/md/inspec_azure_common_parameters.md" >}} + +## Syntax + +An `azure_container_registries` resource block returns all Azure Container Registries, within a Resource Group (if provided) or an entire Subscription. + +```ruby +describe azure_container_registries do + #... +end +``` + +or + +```ruby +describe azure_container_registries(resource_group: 'RESOURCE_GROUP') do + #... +end +``` + +## Parameters + +`resource_group` _(optional)_ + +: The name of the resource group. + +## Properties + +`ids` +: A list of the unique resource IDs. + + Field: `id` + +`locations` +: A list of locations for all the resources being interrogated. + + Field: `location` + +`names` +: A list of names of all the resources being interrogated. + + Field: `name` + +`tags` +: A list of `tag:value` pairs defined on the resources being interrogated. + + Field: `tags` + +`types` +: A list of the types of resources being interrogated. + + Field: `type` + +`properties` +: A list of properties for all the resources being interrogated. 
+ + Field: `properties` + +{{< note >}} + +{{< readfile file="content/reusable/md/inspec_filter_table.md" >}} + +{{< /note>}} + +## Examples + +Check container registries are present: + +```ruby +describe azure_container_registries do + it { should exist } + its('names') { should include 'my-cr' } +end +``` + +Filter the results to include only those with names match the given string value: + +```ruby +describe azure_container_registries.where{ name.eql?('production-cr-01') } do + it { should exist } +end +``` + +## Matchers + +{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}} + +This resource has the following special matchers. + +### exists + +The control passes if the filter returns at least one result. + +```ruby +# If we expect 'EXAMPLEGROUP' resource group to have Container Registries. + +describe azure_container_registries(resource_group: 'EXAMPLEGROUP') do + it { should exist } +end +``` + +### not_exists + +Use `should_not` if you expect zero matches. + +```ruby +# If we expect 'EMPTYEXAMPLEGROUP' resource group to not have Container Registries. + +describe azure_container_registries(resource_group: 'EMPTYEXAMPLEGROUP') do + it { should_not exist } +end +``` + +## Azure permissions + +{{% inspec-azure/azure_permissions_service_principal role="contributor" %}} diff --git a/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_container_registry.md b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_container_registry.md new file mode 100644 index 0000000..9401245 --- /dev/null +++ b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_container_registry.md 
@@ -0,0 +1,111 @@ ++++ +title = "azure_container_registry resource" + +draft = false + + +[menu.azure] +title = "azure_container_registry" +identifier = "inspec/resources/azure/azure_container_registry resource" +parent = "inspec/resources/azure" ++++ + +Use the `azure_container_registry` InSpec audit resource to test the properties and configuration of an Azure Container Registry. + +## Azure REST API version, endpoint, and HTTP client parameters + +{{< readfile file="content/reusable/md/inspec_azure_common_parameters.md" >}} + +## Syntax + +This resource requires the `resource_group` and `name` parameters, or the `resource_id` parameter. + +```ruby +describe azure_container_registry(resource_group: 'RESOURCE_GROUP', name: 'NAME') do + it { should exist } +end +``` + +```ruby +describe azure_container_registry(resource_id: '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroup}/providers/Microsoft.ContainerRegistry/registries/{registryName}') do + it { should exist } +end +``` + +## Parameters + +`resource_group` +: Azure resource group where the targeted resource resides. + +`name` +: The unique name of the targeted resource. + +`container_registry_name` +: Alias for the `name` parameter. + +`resource_id` +: The unique resource ID. + +Either one of the parameter sets can be provided for a valid query: + +- `resource_id` +- `resource_group` and `name` +- `resource_group` and `container_registry_name` + +## Properties + +`id` +: The identity of the container registry, if configured. + +`sku` +: The SKU of the container registry. + +For properties applicable to all resources, such as `type`, `name`, `id`, and `properties`, refer to [`azure_generic_resource`](azure_generic_resource#properties). + +Also, refer to the [Azure documentation](https://docs.microsoft.com/en-us/rest/api/containerregistry/registries/get#registry) for other available properties. You can access any attribute in the response with the key names separated by dots (`.`). 
+ +## Examples + +Test the status of the retention policy for the container registry: + +```ruby +describe azure_container_registry(resource_group: 'RESOURCE_GROUP', name: 'NAME') do + its('properties.status.retentionPolicy') { should cmp 'enabled' } +end +``` + +```ruby +describe azure_container_registry(resource_id: '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroup}/providers/Microsoft.ContainerRegistry/registries/{registryName}') do + its('properties.status.retentionPolicy') { should cmp 'enabled' } +end +``` + +See [integration tests](https://github.com/inspec/inspec-azure/blob/main/test/integration/verify/controls/azure_container_registry.rb) for more examples. + +## Matchers + +This InSpec audit resource has the following special matchers. For a full list of available matchers, please visit our [Universal Matchers page](https://docs.chef.io/inspec/matchers/). + +### exists + +```ruby +# If we expect 'CR-1' to always exist. + +describe azure_container_registry(resource_group: 'RESOURCE_GROUP', name: 'CR-1') do + it { should exist } +end +``` + +### not_exists + +```ruby +# If we expect 'CR-1' to never exist. + +describe azure_container_registry(resource_group: 'RESOURCE_GROUP', name: 'CR-1') do + it { should_not exist } +end +``` + +## Azure permissions + +{{% inspec-azure/azure_permissions_service_principal role="contributor" %}} diff --git a/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_cosmosdb_database_account.md b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_cosmosdb_database_account.md new file mode 100644 index 0000000..8c8864d --- /dev/null +++ b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_cosmosdb_database_account.md 
@@ -0,0 +1,109 @@ ++++ +title = "azure_cosmosdb_database_account resource" + +draft = false + + +[menu.azure] +title = "azure_cosmosdb_database_account" +identifier = "inspec/resources/azure/azure_cosmosdb_database_account resource" +parent = "inspec/resources/azure" ++++ + +Use the `azure_cosmosdb_database_account` InSpec audit resource to test the properties and configuration of an Azure CosmosDb Database account within a resource group. + +## Azure REST API version, endpoint, and HTTP client parameters + +{{< readfile file="content/reusable/md/inspec_azure_common_parameters.md" >}} + +## Syntax + +`resource_group` and `name`, or the `resource_id` are required parameters. + +```ruby +describe azure_cosmosdb_database_account(resource_group: 'RESOURCE_GROUP', name: 'NAME') do + it { should exist } +end +``` + +```ruby +describe azure_cosmosdb_database_account(resource_id: '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.DocumentDB/databaseAccounts/{accountName}') do + it { should exist } +end +``` + +## Parameters + +`resource_group` +: Azure resource group where the targeted resource resides. + +`name` +: The unique name of the targeted resource. + +`cosmosdb_database_account` +: Alias for the `name` parameter. + +`resource_id` +: The unique resource ID. + +Either one of the parameter sets can be provided for a valid query: + +- `resource_id` +- `resource_group` and `name` +- `resource_group` and `cosmosdb_database_account` + +## Properties + +`location` +: Resource location. For example, `eastus`. + +`kind` +: Indicates the type of database account. For example, `GlobalDocumentDB`, `MongoDB`. + +For properties applicable to all resources, such as `type`, `name`, `id`, and `properties`, refer to [`azure_generic_resource`](azure_generic_resource#properties). + +Also, see the [Azure documentation](https://docs.microsoft.com/en-us/rest/api/sql/2021-02-01-preview/databases/get?tabs=HTTP) for other available properties. 
You can access any attribute in the response with the key names separated by dots (`.`). + +## Examples + +Test if a GlobalDocumentDB is accessible on public network: + +```ruby +describe azure_cosmosdb_database_account(resource_group: 'RESOURCE_GROUP', name: 'NAME') do + its('properties.publicNetworkAccess') { should cmp 'Enabled' } +end +``` + +```ruby +describe azure_cosmosdb_database_account(resource_id: '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.DocumentDB/databaseAccounts/{accountName}') do + its('properties.publicNetworkAccess') { should cmp 'Enabled' } +end +``` + +## Matchers + +This InSpec audit resource has the following special matchers. For a full list of available matchers, please visit our [Universal Matchers page](https://docs.chef.io/inspec/matchers/). + +### exists + +```ruby +# If we expect 'MY-COSMOS-DB' to always exist. + +describe azure_cosmosdb_database_account(resource_group: 'RESOURCE_GROUP', name: 'MY-COSMOS-DB) do + it { should exist } +end +``` + +### not_exists + +```ruby +# If we expect 'MY-COSMOS-DB' to never exist. + +describe azure_cosmosdb_database_account(resource_group: 'RESOURCE_GROUP', name: 'MY-COSMOS-DB') do + it { should_not exist } +end +``` + +## Azure permissions + +{{% inspec-azure/azure_permissions_service_principal role="contributor" %}} diff --git a/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_data_factories.md b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_data_factories.md new file mode 100644 index 0000000..3d55f8d --- /dev/null +++ b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_data_factories.md 
@@ -0,0 +1,146 @@
++++
+title = "azure_data_factories resource"
+
+draft = false
+
+
+[menu.azure]
+title = "azure_data_factories"
+identifier = "inspec/resources/azure/azure_data_factories resource"
+parent = "inspec/resources/azure"
++++
+
+Use the `azure_data_factories` InSpec audit resource to test the properties related to data factories for a resource group or the entire subscription.
+
+## Azure REST API version, endpoint, and HTTP client parameters
+
+{{< readfile file="content/reusable/md/inspec_azure_common_parameters.md" >}}
+
+## Syntax
+
+An `azure_data_factories` resource block returns all Azure data factories, either within a resource group (if provided) or within an entire Subscription.
+
+```ruby
+describe azure_data_factories do
+ #...
+end
+```
+
+or
+
+```ruby
+describe azure_data_factories(resource_group: 'RESOURCE_GROUP') do
+ #...
+end
+```
+
+## Parameters
+
+`resource_group`
+: Azure resource group where the targeted resource resides.
+
+## Properties
+
+`names`
+: A list of the unique resource names.
+
+ Field: `name`
+
+`ids`
+: A list of data factory IDs.
+
+ Field: `id`
+
+`tags`
+: A list of `tag:value` pairs for the resource.
+
+ Field: `tag`
+
+`provisioning_states`
+: The Data Factory provisioning state.
+
+ Field: `provisioning_state`
+
+`types`
+: The resource type.
+
+ Field: `type`
+
+`repo_configuration_types`
+: The Git or VSTS repository configuration types.
+
+ Field: `repo type`
+
+`repo_configuration_project_names`
+: The VSTS repository project names.
+
+ Field: `project_name`
+
+`repo_configuration_account_names`
+: The Git or VSTS repository account names.
+
+ Field: `account_name`
+
+`repo_configuration_repository_names`
+: The Git or VSTS repository names.
+
+ Field: `repository_name`
+
+`repo_configuration_collaboration_branches`
+: The Git or VSTS repository collaboration branches.
+
+ Field: `collaboration_branch`
+
+`repo_configuration_root_folders`
+: The Git or VSTS repository root folders.
+
+ Field: `root_folder`
+
+`repo_configuration_tenant_ids`
+: The VSTS tenant IDs.
+
+ Field: `tenant_id`
+
+{{< note >}}
+
+{{< readfile file="content/reusable/md/inspec_filter_table.md" >}}
+
+{{< /note>}}
+
+## Examples
+
+Test if any Data Factories exist in the resource group:
+
+```ruby
+describe azure_data_factories(resource_group: 'RESOURCE_GROUP') do
+ it { should exist }
+ its('names') { should include "factory_name" }
+end
+```
+
+Test that there are not any Data Factories in a resource group:
+
+```ruby
+# Should not exist if no Data Factory is in the resource group.
+
+describe azure_data_factories(resource_group: 'RESOURCE_GROUP') do
+ it { should_not exist }
+end
+```
+
+Filter Data Factories in a resource group by properties:
+
+```ruby
+describe azure_data_factories(resource_group: 'RESOURCE_GROUP') do
+ its('repo_configuration_type') { should include CONFIGURATION_TYPE }
+ its('repo_configuration_project_name') { should include PROJECT_NAME }
+ its('repo_configuration_account_name') { should include ACCOUNT_NAME }
+ its('repo_configuration_repository_name') { should include REPOSITORY_NAME }
+ its('repo_configuration_collaboration_branch') { should include COLLABORATION_BRANCH }
+ its('repo_configuration_root_folder') { should include ROOT_FOLDER }
+end
+```
+
+## Azure permissions
+
+{{% inspec-azure/azure_permissions_service_principal role="contributor" %}}
diff --git a/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_data_factory.md b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_data_factory.md
new file mode 100644
index 0000000..15e69ea
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_data_factory.md
@@ -0,0 +1,110 @@
++++
+title = "azure_data_factory resource"
+
+draft = false
+
+
+[menu.azure]
+title = "azure_data_factory"
+identifier = "inspec/resources/azure/azure_data_factory resource"
+parent = "inspec/resources/azure"
++++
+
+Use the `azure_data_factory` InSpec audit resource to test the properties of an Azure Data Factory.
+
+## Azure REST API version, endpoint, and HTTP client parameters
+
+{{< readfile file="content/reusable/md/inspec_azure_common_parameters.md" >}}
+
+## Syntax
+
+`resource_group` and Data Factory `name` are required parameters.
+
+```ruby
+describe azure_data_factory(resource_group: RESOURCE_GROUP, name: NAME) do
+ it { should exist }
+ its('name') { should eq factory_name }
+ its('type') { should eq 'Microsoft.DataFactory/factories' }
+end
+```
+
+## Parameters
+
+`resource_group`
+: Azure resource group where the targeted resource resides.
+
+`name`
+: The factory name.
+
+Both the parameter sets need to be provided for a valid query: `resource_group` and `name`.
+
+## Properties
+
+`resource_group`
+: Azure resource group that the targeted resource resides in.
+
+`name`
+: Name of the Azure resource to test.
+
+`type`
+: The resource type.
+
+`provisioning_state`
+: The Data Factory provisioning state.
+
+`repo_configuration_type`
+: The Git or VSTS repository configuration type.
+
+`repo_configuration_project_name`
+: The VSTS repository project name.
+
+`repo_configuration_account_name`
+: The Git or VSTS repository account name.
+
+`repo_configuration_repository_name`
+: The Git or VSTS repository name.
+
+`repo_configuration_collaboration_branch`
+: The Git or VSTS repository collaboration branch.
+
+`repo_configuration_root_folder`
+: The Git or VSTS repository root folder.
+
+`repo_configuration_tenant_id`
+: The VSTS tenant ID.
+
+## Examples
+
+Test that a Data Factory exists:
+
+```ruby
+describe azure_data_factory(resource_group: resource_group, name: 'DATA_FACTORY_NAME') do
+ it { should exist }
+end
+```
+
+Test that a Data Factory does not exist:
+
+```ruby
+describe azure_data_factory(resource_group: resource_group, name: 'DATA_FACTORY_NAME') do
+ it { should_not exist }
+end
+```
+
+Test properties of a Data Factory:
+
+```ruby
+describe azure_data_factory(resource_group: `RESOURCE_GROUP`, name: 'NAME') do
+ its('repo_configuration_type') { should include REPO_CONFIGURATION_TYPE }
+ its('repo_configuration_project_name') { should include REPO_CONFIGURATION_PROJECT_NAME }
+ its('repo_configuration_account_name') { should include REPO_CONFIGURATION_ACCOUNT_NAME }
+ its('repo_configuration_repository_name') { should include REPO_CONFIGURATION_REPOSITORY_NAME }
+ its('repo_configuration_collaboration_branch') { should include REPO_CONFIGURATION_COLLABORATION_BRANCH }
+ its('repo_configuration_root_folder') { should include REPO_CONFIGURATION_ROOT_FOLDER }
+ its('repo_configuration_tenant_id') { should include REPO_CONFIGURATION_TENANT_ID }
+end
+```
+
+## Azure permissions
+
+{{% inspec-azure/azure_permissions_service_principal role="contributor" %}}
diff --git a/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_data_factory_dataset.md b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_data_factory_dataset.md
new file mode 100644
index 0000000..f770c01
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_data_factory_dataset.md
@@ -0,0 +1,108 @@
++++
+title = "azure_data_factory_dataset resource"
+
+draft = false
+
+
+[menu.azure]
+title = "azure_data_factory_dataset"
+identifier = "inspec/resources/azure/azure_data_factory_dataset resource"
+parent = "inspec/resources/azure"
++++
+
+Use the `azure_data_factory_dataset` InSpec audit resource to test the properties related to an Azure Data Factory dataset.
+
+See the [`Azure Data Factories Dataset documentation`](https://docs.microsoft.com/en-us/rest/api/datafactory/datasets/get) for additional information.
+
+## Azure REST API version, endpoint, and HTTP client parameters
+
+{{< readfile file="content/reusable/md/inspec_azure_common_parameters.md" >}}
+
+## Syntax
+
+```ruby
+describe azure_data_factory_dataset(resource_group: 'RESOURCE_GROUP', factory_name: 'FACTORY_NAME', dataset_name: 'DATASET_NAME') do
+ it { should exist }
+end
+```
+
+## Parameters
+
+`resource_group` _(required)_
+: Azure resource group where the targeted resource resides.
+
+`dataset_name` _(required)_
+: Name of the Azure resource to test.
+
+`factory_name` _(required)_
+: The factory name.
+
+## Properties
+
+`name`
+: Name of the Azure resource to test.
+
+`id`
+: The azure_sentinel_alert_rule type.
+
+`properties`
+: The properties of the resource.
+
+`type`
+: Azure resource type.
+
+`description`
+: The description of dataset type.
+
+`properties.linkedServiceName.referenceName`
+: Reference LinkedService name.
+
+`properties.linkedServiceName.type`
+: Linked service reference type.
+
+`properties.type`
+: The dataset type.`AmazonMWSObjectDataset`, `AvroDataset`.
+
+## Examples
+
+Test if properties match:
+
+```ruby
+describe azure_data_factory_dataset(resource_group: 'RESOURCE_GROUP', factory_name: 'FACTORY_NAME', dataset_name: 'DATASET_NAME') do
+ it { should exist }
+ its('name') { should eq 'DATASET_NAME'}
+ its('type') { should eq 'Microsoft.DataFactory/factories/datasets' }
+ its('properties.description') { should eq 'Description of dataset.' }
+ its('properties.linkedServiceName.referenceName') { should eq 'LINKED_SERVICE_NAME' }
+ its('properties.linkedServiceName.type') { should eq 'LinkedServiceReference' }
+end
+```
+
+## Matchers
+
+This InSpec audit resource has the following special matchers. For a full list of available matchers, please visit our [Universal Matchers page](https://docs.chef.io/inspec/matchers/).
+
+### exists
+
+```ruby
+# If a dataset should exist.
+
+describe azure_data_factory_dataset(resource_group: 'RESOURCE_GROUP', factory_name: 'FACTORY_NAME', dataset_name: 'DATASET_NAME') do
+ it { should exist }
+end
+```
+
+### not_exists
+
+```ruby
+
+# If a dataset should not exist.
+
+describe azure_data_factory_dataset(resource_group: 'RESOURCE_GROUP', factory_name: 'FACTORY_NAME', dataset_name: 'DATASET_NAME') do
+ it { should_not exist }
+end
+```
+
+## Azure permissions
+
+{{% inspec-azure/azure_permissions_service_principal role="contributor" %}}
diff --git a/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_data_factory_datasets.md b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_data_factory_datasets.md
new file mode 100644
index 0000000..547b2dc
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_data_factory_datasets.md
@@ -0,0 +1,118 @@
++++
+title = "azure_data_factory_datasets resource"
+
+draft = false
+
+
+[menu.azure]
+title = "azure_data_factory_datasets"
+identifier = "inspec/resources/azure/azure_data_factory_datasets resource"
+parent = "inspec/resources/azure"
++++
+
+Use the `azure_data_factory_datasets` InSpec audit resource to test the properties of multiple Azure Data Factory datasets for a resource group or the entire subscription.
+
+See the [`Azure Data Factories Dataset documentation`](https://docs.microsoft.com/en-us/rest/api/datafactory/datasets/get) for additional information.
+
+## Azure REST API version, endpoint, and HTTP client parameters
+
+{{< readfile file="content/reusable/md/inspec_azure_common_parameters.md" >}}
+
+## Syntax
+
+An `azure_data_factory_datasets` resource block returns all Azure datasets, either within a resource group (if provided) or within an entire Subscription.
+
+```ruby
+describe azure_data_factory_datasets(resource_group: 'RESOURCE_GROUP', factory_name: 'FACTORY_NAME') do
+ #...
+end
+```
+
+## Parameters
+
+`resource_group` _(required)_
+: Azure resource group where the targeted resource resides.
+
+`factory_name` _(required)_
+: The Azure Data factory name.
+
+## Properties
+
+`names`
+: A list of the unique resource names.
+
+ Field: `name`
+
+`ids`
+: A list of dataset IDs.
+
+ Field: `id`
+
+`properties`
+: A list of properties for the resources.
+
+ Field: `properties`
+
+`types`
+: A list of types for each resource.
+
+ Field: `type`
+
+`descriptions`
+: A list of descriptions of the resources.
+
+ Field: `description`
+
+`linkedServiceName_referenceNames`
+: The list of LinkedService names.
+
+ Field: `linkedServiceName_referenceName`
+
+`linkedServiceName_types`
+: The list of LinkedService types.
+
+ Field: `linkedServiceName_type`
+
+{{< note >}}
+
+{{< readfile file="content/reusable/md/inspec_filter_table.md" >}}
+
+{{< /note>}}
+
+## Examples
+
+Test if properties match:
+
+```ruby
+describe azure_data_factory_datasetsazure_data_factory_datasets(resource_group: 'RESOURCE_GROUP', factory_name: 'FACTORY_NAME') do
+ its('names') { should include 'DATASET_NAME' }
+ its('types') { should include 'Microsoft.SecurityInsights/alertRules' }
+ its('enableds') { should include true }
+end
+```
+
+## Matchers
+
+This InSpec audit resource has the following special matchers. For a full list of available matchers, please visit our [Universal Matchers page](https://docs.chef.io/inspec/matchers/).
+
+Test if any Dataset exists in the Data Factory:
+
+```ruby
+describe azure_data_factory_datasetsazure_data_factory_datasets(resource_group: 'RESOURCE_GROUP', factory_name: 'FACTORY_NAME') do
+ it { should exist }
+end
+```
+
+Test that there are not any Datasets in a Data Factory:
+
+```ruby
+# Should not exist if no datasets are in the data factory.
+
+describe azure_data_factory_datasetsazure_data_factory_datasets(resource_group: 'RESOURCE_GROUP', factory_name: 'FACTORY_NAME') do
+ it { should_not exist }
+end
+```
+
+## Azure permissions
+
+{{% inspec-azure/azure_permissions_service_principal role="contributor" %}}
diff --git a/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_data_factory_linked_service.md b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_data_factory_linked_service.md
new file mode 100644
index 0000000..9980b50
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_data_factory_linked_service.md
@@ -0,0 +1,90 @@
++++
+title = "azure_data_factory_linked_service resource"
+
+draft = false
+
+
+[menu.azure]
+title = "azure_data_factory_linked_service"
+identifier = "inspec/resources/azure/azure_data_factory_linked_service resource"
+parent = "inspec/resources/azure"
++++
+
+Use the `azure_data_factory_linked_service` InSpec audit resource to test the properties of an Azure Linked service.
+
+## Azure REST API version, endpoint, and HTTP client parameters
+
+{{< readfile file="content/reusable/md/inspec_azure_common_parameters.md" >}}
+
+## Syntax
+
+`resource_group`, `linked_service_name`, and `factory_name` are required parameters.
+
+```ruby
+describe azure_data_factory_linked_service(resource_group: `RESOURCE_GROUP`, factory_name: `FACTORY_NAME`, linked_service_name: `LINKED_SERVICE_NAME`) do
+end
+```
+
+## Parameters
+
+`resource_group`
+: Azure resource group where the targeted resource resides.
+
+`factory_name`
+: The factory name.
+
+`linked_service_name`
+: The name of the linked service.
+
+All the parameter sets are required for a valid query:
+
+- `resource_group` , `factory_name`, and `linked_service_name`.
+
+## Properties
+
+`name`
+: Name of the Azure resource to test.
+
+`type`
+: The resource type.
+
+`linked_service_type`
+: The linked services type.
+
+`type_properties`
+: The properties of linked service type.
+
+`properties`
+: The properties of the resource.
+
+## Examples
+
+Test that a linked service exists:
+
+```ruby
+describe azure_data_factory_linked_service(resource_group: `RESOURCE_GROUP`, factory_name: `FACTORY_NAME`, linked_service_name: `LINKED_SERVICE_NAME`) do
+ it { should exist }
+end
+```
+
+Test that a linked service does not exist:
+
+```ruby
+describe azure_data_factory_linked_service(resource_group: `RESOURCE_GROUP`, factory_name: `FACTORY_NAME`, linked_service_name: 'should not exit') do
+ it { should_not exist }
+end
+```
+
+Test properties of a linked service:
+
+```ruby
+describe azure_data_factory_linked_service(resource_group: `RESOURCE_GROUP`, name: 'FACTORY_NAME') do
+ its('name') { should eq linked_service_name1 }
+ its('type') { should eq 'Microsoft.DataFactory/factories/linkedservices' }
+ its('linked_service_type') { should eq 'MYSQL' }
+end
+```
+
+## Azure permissions
+
+{{% inspec-azure/azure_permissions_service_principal role="contributor" %}}
diff --git a/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_data_factory_linked_services.md b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_data_factory_linked_services.md
new file mode 100644
index 0000000..7de2bfd
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_data_factory_linked_services.md
@@ -0,0 +1,110 @@
++++
+title = "azure_data_factory_linked_services resource"
+
+draft = false
+
+
+[menu.azure]
+title = "azure_data_factory_linked_services"
+identifier = "inspec/resources/azure/azure_data_factory_linked_services resource"
+parent = "inspec/resources/azure"
++++
+
+Use the `azure_data_factory_linked_services` InSpec audit resource to test the properties related to linked services for a resource group or the entire subscription.
+
+## Azure REST API version, endpoint, and HTTP client parameters
+
+{{< readfile file="content/reusable/md/inspec_azure_common_parameters.md" >}}
+
+## Syntax
+
+An `azure_data_factory_linked_services` resource block returns all Azure Linked Services, either within a resource group (if provided) or an entire Subscription.
+
+```ruby
+describe (resource_group: `RESOURCE_GROUP`, factory_name: 'FACTORY_NAME') do
+ #...
+end
+```
+
+`resource_group` and `factory_name` are required parameters.
+
+## Parameters
+
+`resource_group`
+: Azure resource group where the targeted resource resides.
+
+`factory_name`
+: Azure factory name for which linked services are retrieved.
+
+## Properties
+
+`names`
+: A list of the unique resource names.
+
+ Field: `name`
+
+`ids`
+: A list of Linked Services IDs.
+
+ Field: `id`
+
+`properties`
+: A list of properties for the resource.
+
+ Field: `properties`
+
+`provisioning_states`
+: The linked services provisioning state.
+
+ Field: `provisioning_state`
+
+`linked_service_types`
+: The type of linked service resource.
+
+ Field: `linked_service_type`
+
+`type_properties`
+: The linked service type of properties.
+
+ Field: `type_properties`
+
+{{< note >}}
+
+{{< readfile file="content/reusable/md/inspec_filter_table.md" >}}
+
+{{< /note>}}
+
+## Examples
+
+Test if any linked services exist in the resource group:
+
+```ruby
+describe azure_data_factory_linked_services(resource_group: `RESOURCE_GROUP`, factory_name: 'FACTORY_NAME') do
+ it { should exist }
+ its('names') { should include "factory_name" }
+end
+```
+
+Test that there are not any linked services in a resource group:
+
+```ruby
+# Should not exist if no Linked Services are in the resource group.
+
+describe azure_data_factory_linked_services(resource_group: `RESOURCE_GROUP`, factory_name: 'FACTORY_NAME') do
+ it { should_not exist }
+end
+```
+
+Filter linked services in a resource group by properties:
+
+```ruby
+describe azure_data_factory_linked_services(resource_group: `RESOURCE_GROUP`, factory_name: 'FACTORY_NAME') do
+ its('names') { should include linked_service_name1 }
+ its('types') { should include 'Microsoft.DataFactory/factories/linkedservices' }
+ its('linked_service_types') { should include('MySql') }
+end
+```
+
+## Azure permissions
+
+{{% inspec-azure/azure_permissions_service_principal role="contributor" %}}
diff --git a/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_data_factory_pipeline.md b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_data_factory_pipeline.md
new file mode 100644
index 0000000..153d7aa
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_data_factory_pipeline.md
@@ -0,0 +1,81 @@
++++
+title = "azure_data_factory_pipeline resource"
+
+draft = false
+
+
+[menu.azure]
+title = "azure_data_factory_pipeline"
+identifier = "inspec/resources/azure/azure_data_factory_pipeline resource"
+parent = "inspec/resources/azure"
++++
+
+Use the `azure_data_factory_pipeline` InSpec audit resource to test the properties of an Azure pipeline.
+
+## Azure REST API version, endpoint, and HTTP client parameters
+
+{{< readfile file="content/reusable/md/inspec_azure_common_parameters.md" >}}
+
+## Syntax
+
+`resource_group` and `pipeline_name`, or `factory_name` are required parameters.
+
+```ruby
+describe azure_data_factory_pipeline(resource_group: 'RESOURCE_GROUP', factory_name: 'FACTORY_NAME', pipeline_name: 'PIPELINE_NAME') do
+ #...
+end
+```
+
+## Parameters
+
+`resource_group`
+: Azure resource group where the targeted resource resides.
+
+`factory_name`
+: Data factory name where you want to create your pipeline.
+
+`pipeline_name`
+: The pipeline name.
+
+All the parameter sets need to be provided for a valid query: `resource_group` , `factory_name`, and `pipeline_name`
+
+## Properties
+
+`name`
+: Name of the Azure resource to test.
+
+`id`
+: The pipeline type.
+
+`properties`
+: The properties of the resource.
+
+## Examples
+
+Test that a pipeline exists:
+
+```ruby
+describe azure_data_factory_pipeline(resource_group: 'RESOURCE_GROUP', factory_name: 'FACTORY_NAME', pipeline_name: 'PIPELINE_NAME') do
+ it { should exist }
+end
+```
+
+Test that a pipeline does not exist:
+
+```ruby
+describe azure_data_factory_pipeline(resource_group: 'RESOURCE_GROUP', factory_name: 'FACTORY_NAME', pipeline_name: 'PIPELINE_NAME') do
+ it { should_not exist }
+end
+ ```
+
+Test properties of a pipeline:
+
+```ruby
+describe azure_data_factory_pipeline(resource_group: 'RESOURCE_GROUP', factory_name: 'FACTORY_NAME', pipeline_name: 'PIPELINE_NAME') do
+ its('name') { should eq 'PIPELINE_NAME' }
+end
+```
+
+## Azure permissions
+
+{{% inspec-azure/azure_permissions_service_principal role="contributor" %}}
diff --git a/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_data_factory_pipeline_run_resource.md b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_data_factory_pipeline_run_resource.md
new file mode 100644
index 0000000..3570715
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_data_factory_pipeline_run_resource.md
@@ -0,0 +1,98 @@
++++
+title = "azure_data_factory_pipeline_run_resource resource"
+
+draft = false
+
+
+[menu.azure]
+title = "azure_data_factory_pipeline_run_resource"
+identifier = "inspec/resources/azure/azure_data_factory_pipeline_run_resource resource"
+parent = "inspec/resources/azure"
++++
+
+Use the `azure_data_factory_pipeline_run_resource` InSpec audit resource to test the properties of an Azure Data Factory pipeline run.
+
+For additional information, see the [`Azure API documentation on Data Factory pipeline runs`](https://docs.microsoft.com/en-us/rest/api/datafactory/pipeline-runs/query-by-factory).
+
+## Azure REST API version, endpoint, and HTTP client parameters
+
+{{< readfile file="content/reusable/md/inspec_azure_common_parameters.md" >}}
+
+## Syntax
+
+```ruby
+describe azure_data_factory_pipeline_run_resource(resource_group: `RESOURCE_GROUP`, factory_name: `FACTORY_NAME`, run_id: `RUN_ID`) do
+ #...
+end
+```
+
+## Parameters
+
+`resource_group` _(required)_
+
+: Azure resource group where the targeted resource resides.
+
+`factory_name` _(required)_
+
+: The factory name.
+
+`run_id` _(required)_
+
+: The name of the pipeline runs.
+
+## Properties
+
+`invokedBy.name`
+: The unique resource names.
+
+`pipelineName`
+: The pipeline name.
+
+`status`
+: The status of a pipeline run.
+
+`runId`
+: Identifiers of a run.
+
+`runStart`
+: Start time of a pipeline run in ISO8601 format.
+
+`runEnd`
+: End time of a pipeline run in ISO8601 format.
+
+`runStart`
+: The properties of the resource.
+
+## Examples
+
+Test properties of a pipeline runs:
+
+```ruby
+describe azure_data_factory_pipeline_run_resource(resource_group: `RESOURCE_GROUP`, name: 'FACTORY_NAME', run_id: `RUN_ID`) do
+ its('invokedBy.name') { should include 'INVOKED_BY_NAME' }
+ its('pipelineNames') { should include 'PIPELINE_NAME' }
+ its('status') { should include 'PIPELINE_STATUS' }
+end
+```
+
+## Matchers
+
+Test that a pipeline runs exists:
+
+```ruby
+describe azure_data_factory_pipeline_run_resource(resource_group: `RESOURCE_GROUP`, factory_name: `FACTORY_NAME`, run_id: `RUN_ID`) do
+ it { should exist }
+end
+```
+
+Test that a pipeline runs does not exist:
+
+```ruby
+describe azure_data_factory_pipeline_run_resource(resource_group: `RESOURCE_GROUP`, factory_name: `FACTORY_NAME`, run_id: 'RUN_ID') do
+ it { should_not exist }
+end
+```
+
+## Azure permissions
+
+{{% inspec-azure/azure_permissions_service_principal role="contributor" %}}
diff --git a/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_data_factory_pipeline_run_resources.md b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_data_factory_pipeline_run_resources.md
new file mode 100644
index 0000000..4032940
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_data_factory_pipeline_run_resources.md
@@ -0,0 +1,113 @@
++++
+title = "azure_data_factory_pipeline_run_resources resource"
+
+draft = false
+
+
+[menu.azure]
+title = "azure_data_factory_pipeline_run_resources"
+identifier = "inspec/resources/azure/azure_data_factory_pipeline_run_resources resource"
+parent = "inspec/resources/azure"
++++
+
+Use the `azure_data_factory_pipeline_run_resources` InSpec audit resource to test the properties of multiple Azure Data Factory pipeline runs for a resource group or the entire subscription.
+
+For additional information, see the [`API documentation on Azure Data Factory pipeline runs`](https://docs.microsoft.com/en-us/rest/api/datafactory/pipeline-runs/query-by-factory).
+
+## Azure REST API version, endpoint, and HTTP client parameters
+
+{{< readfile file="content/reusable/md/inspec_azure_common_parameters.md" >}}
+
+## Syntax
+
+An `azure_data_factory_pipeline_run_resources` resource block returns all Azure Data Factory pipeline runs.
+
+```ruby
+describe azure_data_factory_pipeline_run_resources(resource_group: `RESOURCE_GROUP`, factory_name: 'FACTORY_NAME') do
+ #...
+end
+```
+
+## Parameters
+
+`resource_group` _(required)_
+
+: Azure resource group where the targeted resource resides.
+
+`factory_name` _(required)_
+
+: Azure factory name for which pipeline runs are retrieved.
+
+## Properties
+
+`invokedBy_names`
+: A list of the unique resource names.
+
+ Field: `invokedBy_name`
+
+`pipelineNames`
+: A list of the pipeline names.
+
+ Field: `pipelineName`
+
+`statuses`
+: The statuses of the pipeline runs.
+
+ Field: `status`
+
+`runIds`
+: The list of identifiers of runs.
+
+ Field: `runId`
+
+`runStart`
+: The list of start times of pipeline runs in ISO8601 format.
+
+ Field: `runStart`
+
+`runEnd`
+: The list of end times of pipeline runs in ISO8601 format.
+
+ Field: `runEnd`
+
+{{< note >}}
+
+{{< readfile file="content/reusable/md/inspec_filter_table.md" >}}
+
+{{< /note>}}
+
+## Examples
+
+Filter pipeline runs in a resource group by properties:
+
+```ruby
+describe azure_data_factory_pipeline_run_resources(resource_group: `RESOURCE_GROUP`, factory_name: 'FACTORY_NAME') do
+ its('invokedBy_names') { should include 'INVOKED_BY_NAME' }
+ its('pipelineNames') { should include 'PIPELINE_NAME' }
+ its('statuses') { should include 'PIPELINE_STATUS' }
+end
+```
+
+## Matchers
+
+Test if any pipeline runs exist in the resource group:
+
+```ruby
+describe azure_data_factory_pipeline_run_resources(resource_group: `RESOURCE_GROUP`, factory_name: 'FACTORY_NAME') do
+ it { should exist }
+end
+```
+
+Test that there aren't any pipeline runs in a resource group:
+
+```ruby
+# Should not exist if no pipeline runs are in the resource group.
+
+describe azure_data_factory_pipeline_run_resources(resource_group: `RESOURCE_GROUP`, factory_name: 'FACTORY_NAME') do
+ it { should_not exist }
+end
+```
+
+## Azure permissions
+
+{{% inspec-azure/azure_permissions_service_principal role="contributor" %}}
diff --git a/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_data_factory_pipelines.md b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_data_factory_pipelines.md
new file mode 100644
index 0000000..b929146
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_data_factory_pipelines.md
@@ -0,0 +1,88 @@
++++
+title = "azure_data_factory_pipelines resource"
+
+draft = false
+
+
+[menu.azure]
+title = "azure_data_factory_pipelines"
+identifier = "inspec/resources/azure/azure_data_factory_pipelines resource"
+parent = "inspec/resources/azure"
++++
+
+Use the `azure_data_factory_pipelines` InSpec audit resource to test the properties related to a pipeline for a resource group or the entire subscription.
+
+## Azure REST API version, endpoint, and HTTP client parameters
+
+This resource interacts with API versions supported by the resource provider. The `api_version` can be defined as a resource parameter.
+If not provided, the latest version will be used. For more information, refer to [`azure_generic_resource`](azure_generic_resource.md).
+
+Unless defined, the `azure_cloud` global endpoint and default values for the HTTP client will be used. For more information, refer to the resource pack [README](https://github.com/inspec/inspec-azure/blob/main/README.md). For API related information, [`Azure pipeline Docs`](https://docs.microsoft.com/en-us/rest/api/datafactory/pipelines/list-by-factory).
+
+## Syntax
+
+An `azure_data_factory_pipelines` resource block returns all Azure pipelines, either within a resource group (if provided) or an entire subscription.
+
+```ruby
+describe azure_data_factory_pipelines(resource_group: 'RESOURCE_GROUP', factory_name: 'FACTORY_NAME') do
+ #...
+end
+```
+
+`resource_group` and `factory_name` are required parameters.
+
+## Parameters
+
+`resource_group`
+: Azure resource group where the targeted resource resides.
+
+`factory_name`
+: Azure Factory Name for which pipeline is being retrieved.
+
+## Properties
+
+`names`
+: A list of the unique resource names.
+
+ Field: `name`
+
+`ids`
+: A list of pipeline IDs.
+
+ Field: `id`
+
+`properties`
+: A list of properties for the resource.
+
+ Field: `properties`
+
+{{< note >}}
+
+{{< readfile file="content/reusable/md/inspec_filter_table.md" >}}
+
+{{< /note>}}
+
+## Examples
+
+Test if any pipeline exists in the resource group:
+
+```ruby
+describe azure_data_factory_pipelines(resource_group: 'RESOURCE_GROUP', factory_name: 'FACTORY_NAME') do
+ it { should exist }
+ its('names') { should include 'pipeline_name' }
+end
+```
+
+Test that there are not any pipelines in a resource group:
+
+```ruby
+# Should not exist if no pipelines is in the resource group.
+
+describe azure_data_factory_pipelines(resource_group: 'RESOURCE_GROUP', factory_name: 'FACTORY_NAME') do
+ it { should_not exist }
+end
+```
+
+## Azure permissions
+
+{{% inspec-azure/azure_permissions_service_principal role="contributor" %}}
diff --git a/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_data_lake_storage_gen2_filesystem.md b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_data_lake_storage_gen2_filesystem.md
new file mode 100644
index 0000000..d1c3074
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_data_lake_storage_gen2_filesystem.md
@@ -0,0 +1,118 @@ ++++ +title = "azure_data_lake_storage_gen2_filesystem resource" + +draft = false + + +[menu.azure] +title = "azure_data_lake_storage_gen2_filesystem" +identifier = "inspec/resources/azure/azure_data_lake_storage_gen2_filesystem resource" +parent = "inspec/resources/azure" ++++ + +Use the `azure_data_lake_storage_gen2_filesystem` InSpec audit resource to test the properties related to Azure Data Lake Storage Gen2 Filesystem. + +## Azure REST API version, endpoint, and HTTP client parameters + +{{< readfile file="content/reusable/md/inspec_azure_common_parameters.md" >}} + +## Syntax + +`name` and `account_name` are required parameters, and `dns_suffix` is an optional parameter. + +```ruby +describe azure_data_lake_storage_gen2_filesystem(account_name: 'ACCOUNT_NAME', name: 'FILE_SYSTEM') do + it { should exist } +end +``` + +```ruby +describe azure_data_lake_storage_gen2_filesystem(account_name: 'ACCOUNT_NAME', name: 'FILE_SYSTEM') do + it { should exist } +end +``` + +## Parameters + +`name` _(required)_ + +: Name of the Azure Data Lake Storage Gen2 to test. + +`account_name` _(required)_ + +: Azure storage account name. + +`dns_suffix` _(optional)_ + +: The DNS suffix for the Azure Data Lake Storage endpoint. + +## Properties + +`last_modified` +: Last modified timestamp of the resource. + +`etag` +: HTTP strong entity tag value. + +`x_ms_properties` +: Properties of the filesystem. + +`x_ms_namespace_enabled` +: Boolean string for namespace enablement. + +`x_ms_default_encryption_scope` +: Default encryption scope. + +`x_ms_deny_encryption_scope_override` +: Boolean string for deny encryption scope. + +`x_ms_request_id` +: Request ID. + +`x_ms_version` +: Version of the API. + +`date` +: Date string of the request. + +For properties applicable to all resources, such as `type`, `name`, `id`, and `properties`, refer to [`azure_generic_resource`](azure_generic_resource#properties). 
+ +Also, see the [Azure documentation](https://docs.microsoft.com/en-us/rest/api/storageservices/datalakestoragegen2/filesystem/get-properties) for other available properties. + +## Examples + +Test that the Data Lake Storage Gen2 filesystem has namespace enabled: + +```ruby +describe azure_data_lake_storage_gen2_filesystem(account_name: 'ACCOUNT_NAME', name: 'FILE_SYSTEM') do + its('x_ms_namespace_enabled') { should eq 'false' } +end +``` + +## Matchers + +{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}} + +### exists + +```ruby +# If the Data Lake Storage Gen2 Filesystem is found, it exists. + +describe azure_data_lake_storage_gen2_filesystem(account_name: 'ACCOUNT_NAME', name: 'FILE_SYSTEM') do + it { should exist } +end +``` + +### not_exists + +```ruby +# Ff the Data Lake Storage Gen2 Filesystem is not found, it exists. + +describe azure_data_lake_storage_gen2_filesystem(account_name: 'ACCOUNT_NAME', name: 'FILE_SYSTEM') do + it { should_not exist } +end +``` + +## Azure permissions + +Your [service principal](https://learn.microsoft.com/en-us/entra/identity-platform/howto-create-service-principal-portal) must have the `contributor` role on the subscription and `Storage Blob Data Contributor` role on the **ADLS Gen2 Storage Account** you wish to test. diff --git a/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_data_lake_storage_gen2_filesystems.md b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_data_lake_storage_gen2_filesystems.md new file mode 100644 index 0000000..c799cbe --- /dev/null +++ b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_data_lake_storage_gen2_filesystems.md 
@@ -0,0 +1,121 @@ ++++ +title = "azure_data_lake_storage_gen2_filesystems resource" + +draft = false + + +[menu.azure] +title = "azure_data_lake_storage_gen2_filesystems" +identifier = "inspec/resources/azure/azure_data_lake_storage_gen2_filesystems resource" +parent = "inspec/resources/azure" ++++ + +Use the `azure_data_lake_storage_gen2_filesystems` InSpec audit resource to test the properties related to all Azure Data Lake Storage Gen2 Filesystems within a project. + +## Azure REST API version, endpoint, and HTTP client parameters + +{{< readfile file="content/reusable/md/inspec_azure_common_parameters.md" >}} + +## Syntax + +An `azure_data_lake_storage_gen2_filesystems` resource block returns all Azure Data Lake Storage Gen2 filesystems within a project. + +```ruby +describe azure_data_lake_storage_gen2_filesystems(account_name: 'ACCOUNT_NAME') do + #... +end +``` + +## Parameters + +`account_name` _(required)_ + +: The Azure Storage account name. + +`dns_suffix` _(optional)_ + +: The DNS suffix for the Azure Data Lake Storage endpoint. + +## Properties + +`names` +: Unique names for all Azure Storage Account Filesystems. + + Field: `name` + +`lastModifieds` +: Last modified timestamps of Azure Storage Account Filesystem. + + Field: `lastModified` + +`eTags` +: A list of eTags for all the Azure Storage Account Filesystems. + + Field: `eTag` + +`DefaultEncryptionScopes` +: A list of all Encryption scopes of the ADLS Filesystems. + + Field: `DefaultEncryptionScope` + +`DenyEncryptionScopeOverrides` +: A list of all Deny Encryption Scope Overrides. + + Field: `DenyEncryptionScopeOverrides` + +{{< note >}} + +{{< readfile file="content/reusable/md/inspec_filter_table.md" >}} + +{{< /note>}} +Also, see the [Azure documentation](https://docs.microsoft.com/en-us/rest/api/storageservices/datalakestoragegen2/filesystem/list) for other available properties. 
+ +## Examples + +Loop through Data Lake Storage Gen2 Filesystems by their names and verify that each exists: + +```ruby +azure_data_lake_storage_gen2_filesystems(account_name: 'ACCOUNT_NAME').names.each do |name| + describe azure_data_lake_storage_gen2_filesystem(account_name: 'ACCOUNT_NAME', name: name) do + it { should exist } + end +end +``` + +Test To ensure Data Lake Storage Gen2 Filesystems With :‘$account-encryption-key' encryption scope + +```ruby +describe azure_data_lake_storage_gen2_filesystems(account_name: 'ACCOUNT_NAME').where(DefaultEncryptionScope: '$account-encryption-key') do + it { should exist } +end +``` + +## Matchers + +{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}} + +This resource has the following special matchers. + +### exists + +```ruby +# Should not exist if no Data Lake Storage Gen2 filesystems are present in the project and the resource group. + +describe azure_data_lake_storage_gen2_filesystems(account_name: 'ACCOUNT_NAME') do + it { should_not exist } +end +``` + +### not_exists + +```ruby +# Should exist if the filter returns at least one Data Lake Storage Gen2 filesystem in the project and the resource group. + +describe azure_data_lake_storage_gen2_filesystems(account_name: 'ACCOUNT_NAME') do + it { should exist } +end +``` + +## Azure permissions + +{{% inspec-azure/azure_permissions_service_principal role="contributor" %}} diff --git a/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_data_lake_storage_gen2_path.md b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_data_lake_storage_gen2_path.md new file mode 100644 index 0000000..0fcd6cd --- /dev/null +++ b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_data_lake_storage_gen2_path.md 
@@ -0,0 +1,131 @@ ++++ +title = "azure_data_lake_storage_gen2_path resource" + +draft = false + + +[menu.azure] +title = "azure_data_lake_storage_gen2_path" +identifier = "inspec/resources/azure/azure_data_lake_storage_gen2_path resource" +parent = "inspec/resources/azure" ++++ + +Use the `azure_data_lake_storage_gen2_path` InSpec audit resource to test the properties related to Azure Data Lake Storage Gen2 Filesystem. + +## Azure REST API version, endpoint, and HTTP client parameters + +{{< readfile file="content/reusable/md/inspec_azure_common_parameters.md" >}} + +## Syntax + +```ruby +describe azure_data_lake_storage_gen2_path(account_name: 'ACCOUNT_NAME', filesystem: 'FILE_SYSTEM', name: 'PATHNAME') do + it { should exist } +end +``` + +```ruby +describe azure_data_lake_storage_gen2_path(account_name: 'ACCOUNT_NAME', filesystem: 'FILE_SYSTEM', name: 'PATH') do + it { should exist } +end +``` + +## Parameters + +`filesystem` _(required)_ +: The filesystem identifier. + +`account_name` _(required)_ +: Azure Storage account name. + +`name` _(required)_ +: The file or directory path. + +`dns_suffix` _(optional)_ +: The DNS suffix for the Azure Data Lake Storage endpoint. + +## Properties + +`last_modified` +: Last modified timestamp of the resource. + +`etag` +: HTTP strong entity tag value. + +`x_ms_properties` +: Properties of the filesystem. + +`x_ms_request_id` +: Request ID. + +`x_ms_version` +: API version. + +`date` +: Date string of the request. + +`content_length` +: Content-Length of the file. + +`content_type` +: Content type. + +`content_md5` +: MD5 of the content uploaded. + +`accept_ranges` +: File size described measurement. `bytes`. + +`x_ms_resource_type` +: Resource type of the uploaded. `file`. + +`x_ms_lease_state` +: If the file is available or not. + +`x_ms_lease_status` +: Status of the lease. + +`x_ms_server_encrypted` +: If the file is encrypted on the server. 
+ +For properties applicable to all resources, such as `type`, `name`, `id`, and `properties`, refer to [`azure_generic_resource`](azure_generic_resource#properties). + +Also, see the [Azure documentation](https://docs.microsoft.com/en-us/rest/api/storageservices/datalakestoragegen2/path/get-properties) for other available properties. + +## Examples + +Test that the Data Lake Storage Gen 2 Filesystem Path is server encrypted: + +```ruby +describe azure_data_lake_storage_gen2_path(account_name: 'ACCOUNT_NAME', filesystem: 'FILE_SYSTEM', name: 'PATHNAME') do + its('x_ms_server_encrypted') { should eq 'true' } +end +``` + +## Matchers + +{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}} + +### exists + +```ruby +# If the Data Lake Storage Gen 2 Filesystem is found, it will exist. + +describe azure_data_lake_storage_gen2_path(account_name: 'ACCOUNT_NAME', filesystem: 'FILE_SYSTEM', name: 'PATHNAME') do + it { should exist } +end +``` + +### not_exists + +```ruby +# if the Data Lake Storage Gen 2 Filesystem is not found, it will not exist. + +describe azure_data_lake_storage_gen2_path(account_name: 'ACCOUNT_NAME', filesystem: 'FILE_SYSTEM', name: 'PATHNAME') do + it { should_not exist } +end +``` + +## Azure permissions + +Your [service principal](https://learn.microsoft.com/en-us/entra/identity-platform/howto-create-service-principal-portal) must have the `contributor` role on the subscription and `Storage Blob Data Contributor` role on the **ADLS Gen2 Storage Account** you wish to test. diff --git a/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_data_lake_storage_gen2_paths.md b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_data_lake_storage_gen2_paths.md new file mode 100644 index 0000000..357118b --- /dev/null +++ b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_data_lake_storage_gen2_paths.md 
@@ -0,0 +1,117 @@ ++++ +title = "azure_data_lake_storage_gen2_paths resource" + +draft = false + + +[menu.azure] +title = "azure_data_lake_storage_gen2_paths" +identifier = "inspec/resources/azure/azure_data_lake_storage_gen2_paths resource" +parent = "inspec/resources/azure" ++++ + +Use the `azure_data_lake_storage_gen2_paths` InSpec audit resource to test the properties related to all Azure Data Lake Storage Gen2 Filesystem paths within a project. + +## Azure REST API version, endpoint, and HTTP client parameters + +{{< readfile file="content/reusable/md/inspec_azure_common_parameters.md" >}} + +## Syntax + +An `azure_data_lake_storage_gen2_paths` resource block returns all Azure Data Lake Storage Gen2 Filesystem paths within a project. + +```ruby +describe azure_data_lake_storage_gen2_paths(account_name: 'ACCOUNT_NAME', filesystem: 'ADLS FILESYSTEM') do + #... +end +``` + +## Parameters + +`account_name` _(required)_ +: The Azure Storage account name. + +`filesystem` _(required)_ +: The filesystem identifier. + +`dns_suffix` _(optional)_ +: The DNS suffix for the Azure Data Lake Storage endpoint. + +## Properties + +`names` +: Unique names for all the paths in the Filesystem. + + Field: `name` + +`lastModifieds` +: Last modified timestamps of all the paths in the Filesystem. + + Field: `lastModified` + +`eTags` +: A list of eTags for all the paths in the Filesystem. + + Field: `eTag` + +`contentLengths` +: A list of Content-Length of all the paths in the Filesystem. + + Field: `contentLength` + +{{< note >}} + +{{< readfile file="content/reusable/md/inspec_filter_table.md" >}} + +{{< /note>}} +Also, see the [Azure documentation](https://docs.microsoft.com/en-us/rest/api/storageservices/datalakestoragegen2/path/list) for other available properties. 
+ +## Examples + +Loop through Data Lake Storage Gen2 Filesystem paths by their names: + +```ruby +azure_data_lake_storage_gen2_paths(account_name: 'ACCOUNT_NAME', filesystem: 'ADLS FILESYSTEM').names.each do |name| + describe azure_data_lake_storage_gen2_path(account_name: 'ACCOUNT_NAME', filesystem: 'ADLS FILESYSTEM', name: name) do + it { should exist } + end +end +``` + +Test to ensure Data Lake Storage Gen2 Filesystem paths with file size greater than 2 MB: + +```ruby +describe azure_data_lake_storage_gen2_paths(account_name: 'ACCOUNT_NAME', filesystem: 'ADLS FILESYSTEM').where{ contentLength > 2097152 } do + it { should exist } +end +``` + +## Matchers + +{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}} + +This resource has the following special matchers. + +### exists + +```ruby +# Should not exist if no Data Lake Storage Gen2 Filesystems are present in the project and in the resource group. + +describe azure_data_lake_storage_gen2_paths(account_name: 'ACCOUNT_NAME', filesystem: 'ADLS FILESYSTEM') do + it { should_not exist } +end +``` + +### not_exists + +```ruby +# Should exist if the filter returns at least one Migrate Assessment in the project and in the resource group. + +describe azure_data_lake_storage_gen2_paths(account_name: 'ACCOUNT_NAME', filesystem: 'ADLS FILESYSTEM') do + it { should exist } +end +``` + +## Azure permissions + +Your [service principal](https://learn.microsoft.com/en-us/entra/identity-platform/howto-create-service-principal-portal) must have the `contributor` role on the subscription and `Storage Blob Data Contributor` role on the ADLS Gen2 Storage Account you wish to test. diff --git a/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_db_migration_service.md b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_db_migration_service.md new file mode 100644 index 0000000..18935c7 --- /dev/null 
+++ b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_db_migration_service.md 
@@ -0,0 +1,136 @@ ++++ +title = "azure_db_migration_service resource" + +draft = false + + +[menu.azure] +title = "azure_db_migration_service" +identifier = "inspec/resources/azure/azure_db_migration_service resource" +parent = "inspec/resources/azure" ++++ + +Use the `azure_db_migration_service` InSpec audit resource to test the properties related to a Azure DB Migration Service. + +## Azure REST API version, endpoint, and HTTP client parameters + +{{< readfile file="content/reusable/md/inspec_azure_common_parameters.md" >}} + +## Syntax + +`resource_group` and `service_name` are required parameter. + +```ruby +describe azure_db_migration_service(resource_group: 'RESOURCE_GROUP', service_name: 'SERVICE_NAME') do + it { should exist } + its('name') { should cmp 'inspec-cloud-pack-test' } + its('type') { should cmp 'Microsoft.DataMigration/services' } + its('sku.name') { should cmp 'Basic_1vCore' } + its('sku.size') { should cmp '1 vCore' } + its('location') { should cmp 'southcentralus' } +end +``` + +```ruby +describe azure_db_migration_service(resource_group: 'RESOURCE_GROUP', service_name: 'SERVICE_NAME') do + it { should exist } +end +``` + +## Parameters + +`resource_group` +: Azure resource group where the targeted resource resides. + +`service_name` +: Name of the Azure DB Migration service to test. + +The parameter set should be provided for a valid query: `resource_group` and `service_name`. + +## Properties + +`id` +: Resource ID. + +`name` +: DB Migration Service Name. + +`location` +: DB Migration Service Location. + +`type` +: Resource type. + +`kind` +: The resource kind. + +`etag` +: HTTP strong entity tag value. Ignored if submitted. + +`sku.name` +: The unique name of the SKU, such as 'P3'. + +`sku.size` +: The size of the SKU, used when the name alone does not denote a service size or when a SKU has multiple performance classes within a family. For example, 'A1' for virtual machines. 
+ +`sku.tier` +: The tier of the SKU, such as 'Free', 'Basic', 'Standard', or 'Premium'. + +`tags` +: Resource tags. + +`properties.provisioningState` +: The resource's provisioning state. + +`properties.virtualSubnetId` +: The ID of the `Microsoft.Network/virtualNetworks/subnets` resource to which the service should be joined. + +`properties.virtualNicId` +: The ID of the Azure Network Interface. + +For properties applicable to all resources, such as `type`, `name`, `id`, and `properties`, refer to [`azure_generic_resource`](azure_generic_resource#properties). + +Also, see the [Azure documentation](https://docs.microsoft.com/en-us/rest/api/datamigration/services/get) for other available properties. +You can access any attribute in the response with the key names separated by dots (`.`). + +## Examples + +```ruby +describe azure_db_migration_service(resource_group: 'RESOURCE_GROUP', service_name: 'NAME') do + its('properties.provisioningState') { should eq 'Succeeded' } +end +``` + +```ruby +describe azure_db_migration_service(resource_group: 'RESOURCE_GROUP', service_name: 'NAME') do + its('sku.name') { should 'Standard_1vCores' } +end +``` + +## Matchers + +{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}} + +### exists + +```ruby +# If a azure_db_migration_service is found, it will exist. + +describe azure_db_migration_service(resource_group: 'RESOURCE_GROUP', service_name: 'NAME') do + it { should exist } +end +``` + +### not_exists + +```ruby +# azure_db_migration_services that aren't found, will not exist. + +describe azure_db_migration_service(resource_group: 'RESOURCE_GROUP', service_name: 'NAME') do + it { should_not exist } +end +``` + +## Azure permissions + +{{% inspec-azure/azure_permissions_service_principal role="contributor" %}} 
diff --git a/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_db_migration_services.md b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_db_migration_services.md new file mode 100644 index 0000000..349bf94 --- /dev/null +++ b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_db_migration_services.md 
@@ -0,0 +1,164 @@ ++++ +title = "azure_db_migration_services resource" + +draft = false + + +[menu.azure] +title = "azure_db_migration_services" +identifier = "inspec/resources/azure/azure_db_migration_services resource" +parent = "inspec/resources/azure" ++++ + +Use the `azure_db_migration_services` InSpec audit resource to test the properties related to Azure DB Migration Service for a resource group or the entire subscription. + +## Azure REST API version, endpoint, and HTTP client parameters + +{{< readfile file="content/reusable/md/inspec_azure_common_parameters.md" >}} + +## Syntax + +An `azure_db_migration_services` resource block returns all Azure DB Migration Services within a resource group. + +```ruby +describe azure_db_migration_services(resource_group: 'RESOURCE_GROUP') do + #... +end +``` + +or + +```ruby +describe azure_db_migration_services(resource_group: 'RESOURCE_GROUP') do + #... +end +``` + +## Parameters + +`resource_group` + +: The name of the resource group. + +## Properties + +`ids` +: A list of the unique resource IDs. + + Field: `id` + +`names` +: A list of names for all the resource names. + + Field: `name` + +`types` +: A list of types for all the resources. + + Field: `type` + +`locations` +: A list of locations for all the resources. + + Field: `location` + +`kinds` +: A list of kinds for all the resources. + + Field: `kind` + +`etags` +: A list of HTTP strong entity tag values. + + Field: `etag` + +`tags` +: A list of resource tags. + + Field: `tags` + +`sku_names` +: A list of SKU names. + + Field: `sku_name` + +`sku_sizes` +: A list of SKU sizes. + + Field: `sku_sizes` + +`sku_tiers` +: A list of SKU tiers. + + Field: `sku_tiers` + +`provisioning_states` +: A list of provisioning_states from the properties. + + Field: `provisioning_state` + +`virtual_nic_ids` +: A list of virtual nic IDs from the properties. + + Field: `virtual_nic_id` + +`virtual_subnet_ids` +: A list of virtual subnet IDs from the properties. 
+ + Field: `virtual_subnet_id` + +{{< note >}} + +{{< readfile file="content/reusable/md/inspec_filter_table.md" >}} + +{{< /note>}} + +## Examples + +Loop through DB Migration Services by their names: + +```ruby +azure_db_migration_services(resource_group: 'RESOURCE_GROUP').names.each do |name| + describe azure_db_migration_service(service_name: name) do + it { should exist } + end +end +``` + +Test that there are DB Migration Services that includes a certain string in their names (client-side filtering): + +```ruby +describe azure_db_migration_services(resource_group: 'my-rg').where { name.include?('UAT') } do + it { should exist } +end +``` + +## Matchers + +{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}} + +This resource has the following special matchers. + +### exists + +```ruby +# Should not exist if no db migration service are in the resource group. + +describe azure_db_migration_services(resource_group: 'my-rg') do + it { should_not exist } +end +``` + +### not_exists + +```ruby +# Should exist if the filter returns at least one db migration service. + +describe azure_db_migration_services(resource_group: 'my-rg') do + it { should exist } +end +``` + +## Azure permissions + +{{% inspec-azure/azure_permissions_service_principal role="contributor" %}} diff --git a/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_ddos_protection_resource.md b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_ddos_protection_resource.md new file mode 100644 index 0000000..53910b5 --- /dev/null +++ b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_ddos_protection_resource.md 
@@ -0,0 +1,109 @@ ++++ +title = "azure_ddos_protection_resource resource" + +draft = false + + +[menu.azure] +title = "azure_ddos_protection_resource" +identifier = "inspec/resources/azure/azure_ddos_protection_resource resource" +parent = "inspec/resources/azure" ++++ + +Use the `azure_ddos_protection_resource` InSpec audit resource to test the properties of a DDoS protection plan resource. + +## Azure REST API version, endpoint, and HTTP client parameters + +{{< readfile file="content/reusable/md/inspec_azure_common_parameters.md" >}} + +## Syntax + +The `resource_group` and the DDoS protection plan resource `name`, or the `resource_id` are required parameters. + +```ruby +describe azure_ddos_protection_resource(resource_group: 'RESOURCE_GROUP', name: 'DDOS_PROTECTION_PLAN_NAME') do + it { should exist } +end +``` + +## Parameters + +| Name | Description | +|--------------------------------|--------------------------------------------------------------| +| resource_group | Azure resource group where the targeted resource resides. | +| name | Name of the Azure DDoS protection plan resource to test. | +| resource_id | The Azure DDoS protection plan resource ID to test. | + +## Properties + +`name` +: Name of the Azure DDoS protection plan resource to test. + +`type` +: The resource type. + +`provisioning_state` +: The provisioning state of the DDoS protection plan. Valid values: `Deleting`, `Failed`, `Succeeded`, and `Updating`. + +`virtual_networks` +: The list of virtual networks associated with the DDoS protection plan resource. + +`resource_guid` +: The resource GUID property of the DDoS protection plan resource. It uniquely identifies the resource, even if the user changes its name or migrates the resource across subscriptions or resource groups. + +Also, refer to the [Azure documentation](https://docs.microsoft.com/en-us/rest/api/virtualnetwork/ddos-protection-plans/get) +for other properties available. 
Access any attribute in the response by separating the key names with a period (`.`). + +## Examples + +Test to ensure that the DDoS protection plan resource has the correct type: + +```ruby +describe azure_ddos_protection_resource(resource_group: 'RESOURCE_GROUP', name: 'DDOS_PROTECTION_PLAN_NAME') do + its('type') { should eq 'Microsoft.Network/ddosProtectionPlans' } +end +``` + +Test to ensure that the DDoS protection plan resource is in a successful state: + +```ruby +describe azure_ddos_protection_resource(resource_group: 'RESOURCE_GROUP', name: 'DDOS_PROTECTION_PLAN_NAME') do + its('provisioning_state') { should eq 'Succeeded' } +end +``` + +Test to ensure that the DDoS protection plan resource is from the same location: + +```ruby +describe azure_ddos_protection_resource(resource_group: 'RESOURCE_GROUP', name: 'DDOS_PROTECTION_PLAN_NAME') do + its('location') { should eq `RESOURCE_LOCATION` } +end +``` + +## Matchers + +{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}} + +### exists + +```ruby +# If a DDoS protection plan resource is found, it will exist. + +describe azure_ddos_protection_resource(resource_group: 'RESOURCE_GROUP', name: 'DDOS_PROTECTION_PLAN_NAME') do + it { should exist } +end +``` + +### not_exists + +```ruby +# DDoS protection plan resources that aren't found, will not exist. + +describe azure_ddos_protection_resource(resource_group: 'RESOURCE_GROUP', name: 'DDOS_PROTECTION_PLAN_NAME') do + it { should_not exist } +end +``` + +## Azure permissions + +{{% inspec-azure/azure_permissions_service_principal role="contributor" %}} diff --git a/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_ddos_protection_resources.md b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_ddos_protection_resources.md new file mode 100644 index 0000000..913baeb --- /dev/null +++ b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_ddos_protection_resources.md 
@@ -0,0 +1,118 @@ ++++ +title = "azure_ddos_protection_resources resource" + +draft = false + + +[menu.azure] +title = "azure_ddos_protection_resources" +identifier = "inspec/resources/azure/azure_ddos_protection_resources resource" +parent = "inspec/resources/azure" ++++ + +Use the `azure_ddos_protection_resources` InSpec audit resource to test the properties of DDoS protection plans in a resource group. + +## Azure REST API version, endpoint, and HTTP client parameters + +{{< readfile file="content/reusable/md/inspec_azure_common_parameters.md" >}} + +## Syntax + +An `azure_ddos_protection_resources` resource block returns all Azure bastion hosts, within a resource group (if provided). + +```ruby +describe azure_ddos_protection_resources(resource_group: 'RESOURCE_GROUP') do + #.... +end +``` + +## Parameters + +`resource_group` +: Azure resource group where the targeted resource resides. + +## Properties + +`names` +: A list of the unique resource names. + + Field: `name` + +`ids` +: A list of DDoS protection plan IDs. + + Field: `id` + +`virtual_networks` +: The list of virtual networks associated with the DDoS protection plan resource. + + Field: `virtual_networks` + +`provisioning_states` +: The provisioning states of the DDoS protection plans. + + Field: `provisioning_state` + +`types` +: The types of all the DDoS protection plans. + + Field: `type` + +`resource_guids` +: The resource GUID property of the DDoS protection plan resource. It uniquely identifies the resource, even if the user changes its name or migrates the resource across subscriptions or resource groups. + + Field: `resource_guid` + +{{< note >}} + +{{< readfile file="content/reusable/md/inspec_filter_table.md" >}} + +{{< /note>}} + +Also, refer to the [Azure documentation](https://docs.microsoft.com/en-us/rest/api/virtualnetwork/ddos-protection-plans/list) for all available properties. Access any attribute in the response by separating the key names with a period (`.`). 
+ +## Examples + +Test to ensure that the DDoS protection plan resource is in a successful state: + +```ruby +describe azure_ddos_protection_resources(resource_group: 'RESOURCE_GROUP') do + its('provisioning_states') { should include('Succeeded') } +end +``` + +Test to ensure that a DDoS protection plan resource is from a location: + +```ruby +describe azure_ddos_protection_resources(resource_group: 'RESOURCE_GROUP') do + its('location') { should include `RESOURCE_LOCATION` } +end +``` + +Test if any DDoS protection plan exists in the resource group: + +```ruby +describe azure_ddos_protection_resources(resource_group: 'RESOURCE_GROUP') do + it { should exist } +end +``` + +## Matchers + +{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}} + +This resource has the following special matchers. + +### exists + +```ruby +# Should not exist if no bastion hots are in the resource group. + +describe azure_ddos_protection_resources(resource_group: 'RESOURCE_GROUP') do + it { should_not exist } +end +``` + +## Azure permissions + +{{% inspec-azure/azure_permissions_service_principal role="contributor" %}} diff --git a/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_dns_zones_resource.md b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_dns_zones_resource.md new file mode 100644 index 0000000..76dd508 --- /dev/null +++ b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_dns_zones_resource.md 
@@ -0,0 +1,116 @@ ++++ +title = "azure_dns_zones_resource resource" + +draft = false + + +[menu.azure] +title = "azure_dns_zones_resource" +identifier = "inspec/resources/azure/azure_dns_zones_resource resource" +parent = "inspec/resources/azure" ++++ + +Use the `azure_dns_zones_resource` InSpec audit resource to test the properties of an Azure DNS zone. + +## Azure REST API version, endpoint, and HTTP client parameters + +{{< readfile file="content/reusable/md/inspec_azure_common_parameters.md" >}} + +## Syntax + +This resource requires either the `resource_group`, and DNS zone resource `name` or the `resource_id`. + +```ruby +describe azure_dns_zones_resource(resource_group: 'RESOURCE_GROUP_NAME', name: 'DNS_ZONE_NAME') do + it { should exist } +end +``` + +Or + +```ruby +describe azure_dns_zones_resource(resource_id: 'DNS_ZONE_RESOURCE_ID') do + it { should exist } +end +``` + +## Parameters + +`resource_group` +: Azure resource group where the targeted resource resides. + +`name` +: Name of the DNS zone to test. + +`resource_id` +: The resource ID of the DNS zone to test. + +The `resource_group` and `name`, or the `resource_id` are required parameters. + +## Properties + +`name` +: Name of the Azure resource to test. + +`type` +: The type of DNS zone. + +`max_number_of_recordsets` +: The maximum number of record sets that can be created in this DNS zone. + +`number_of_record_sets` +: The current number of record sets in this DNS zone. + +`name_servers` +: The name servers for this DNS zone. + +`properties` +: The properties of the Azure DNS zone resource. + +`location` +: The DNS zone resource location. + +Also, refer to the [Azure documentation](https://docs.microsoft.com/en-us/rest/api/dns/zones/get) +for other available properties. You can access any attribute in the response with the key names separated by dots (`.`). 
+ +## Examples + +Test that the Azure DNS zone resource has the correct resource type: + +```ruby +describe azure_dns_zones_resource(resource_group: 'RESOURCE_GROUP_NAME', name: 'DNS_ZONE_NAME') do + its('type') { should eq 'Microsoft.Network/dnszones' } +end +``` + +Test that the location of the Azure DNS zone resource is 'global': + +```ruby +describe azure_dns_zones_resource(resource_group: 'RESOURCE_GROUP_NAME', name: 'DNS_ZONE_NAME') do + its('location') { should eq 'global' } +end +``` + +## Matchers + +{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}} + +### exists + +```ruby +# If a DNS Zone resource is found, it will exist. + +describe azure_dns_zones_resource(resource_group: 'RESOURCE_GROUP_NAME', name: 'DNS_ZONE_NAME') do + it { should exist } +end + +# DNS Zone resources that aren't found, will not exist. + +describe azure_dns_zones_resource(resource_group: 'RESOURCE_GROUP_NAME', name: 'DNS_ZONE_NAME') do + it { should_not exist } +end +``` + +## Azure permissions + +{{% inspec-azure/azure_permissions_service_principal role="contributor" %}} diff --git a/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_dns_zones_resources.md b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_dns_zones_resources.md new file mode 100644 index 0000000..d45d48d --- /dev/null +++ b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_dns_zones_resources.md 
@@ -0,0 +1,133 @@
++++
+title = "azure_dns_zones_resources resource"
+
+draft = false
+
+
+[menu.azure]
+title = "azure_dns_zones_resources"
+identifier = "inspec/resources/azure/azure_dns_zones_resources resource"
+parent = "inspec/resources/azure"
++++
+
+Use the `azure_dns_zones_resources` InSpec audit resource to test the properties related to all Azure DNS zones for a resource group or an entire subscription.
+
+## Azure REST API version, endpoint, and HTTP client parameters
+
+{{< readfile file="content/reusable/md/inspec_azure_common_parameters.md" >}}
+
+## Syntax
+
+An `azure_dns_zones_resources` resource block returns all Azure DNS Zones within a resource group.
+
+```ruby
+describe azure_dns_zones_resources do
+ #...
+end
+```
+
+## Parameters
+
+This resource does not require any parameters.
+
+## Properties
+
+`name`
+: A list of the unique resource names.
+
+ Field: `name`
+
+`ids`
+: A list of DNS zone IDs.
+
+ Field: `id`
+
+`tags`
+: A list of `tag:value` pairs defined on the resources.
+
+ Field: `tags`
+
+`types`
+: A list of the types of all DNS zones.
+
+ Field: `type`
+
+`properties`
+: A list of the properties of the Azure DNS zone resources.
+
+ Field: `properties`
+
+`max_number_of_recordsets`
+: A list of the maximum number of records per record set that can be created in the DNS zones.
+
+ Field: `max_number_of_recordsets`
+
+`number_of_record_sets`
+: A list of the current number of record sets in the DNS zones.
+
+ Field: `number_of_record_sets`
+
+`name_servers`
+: A list of the name servers for the DNS zones.
+
+ Field: `name_servers`
+
+{{< note >}}
+
+{{< readfile file="content/reusable/md/inspec_filter_table.md" >}}
+
+{{< /note>}}
+
+## Examples
+
+Test that a DNS zone has the correct type:
+
+```ruby
+describe azure_dns_zones_resources do
+ its('type') { should include 'Microsoft.Network/dnszones' }
+end
+```
+
+Test that a DNS zone resource has a 'Succeeded' provisioning state:
+
+```ruby
+describe azure_dns_zones_resources do
+ its('provisioning_states') { should include 'Succeeded' }
+end
+```
+
+Test that a DNS zone has the 'global' location:
+
+```ruby
+describe azure_dns_zones_resources do
+ its('location') { should include 'global' }
+end
+```
+
+Test if any Azure DNS zone exists in the resource group:
+
+```ruby
+describe azure_dns_zones_resources do
+ it { should exist }
+end
+```
+
+## Matchers
+
+{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}}
+
+This resource has the following special matchers.
+
+### exists
+
+Test that there are not any Azure DNS zones in the resource group.
+
+```ruby
+describe azure_dns_zones_resources do
+ it { should_not exist }
+end
+```
+
+## Azure permissions
+
+{{% inspec-azure/azure_permissions_service_principal role="contributor" %}}
diff --git a/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_event_hub_authorization_rule.md b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_event_hub_authorization_rule.md
new file mode 100644
index 0000000..c912498
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_event_hub_authorization_rule.md
@@ -0,0 +1,112 @@
++++
+title = "azure_event_hub_authorization_rule resource"
+
+draft = false
+
+
+[menu.azure]
+title = "azure_event_hub_authorization_rule"
+identifier = "inspec/resources/azure/azure_event_hub_authorization_rule resource"
+parent = "inspec/resources/azure"
++++
+
+Use the `azure_event_hub_authorization_rule` InSpec audit resource to test the properties and configuration of an Azure Event Hub Authorization Rule within a resource group.
+
+## Azure REST API version, endpoint, and HTTP client parameters
+
+{{< readfile file="content/reusable/md/inspec_azure_common_parameters.md" >}}
+
+## Syntax
+
+`resource_group`, `namespace_name`, `event_hub_endpoint` and `name`, or the `resource_id` are required parameters.
+
+```ruby
+describe azure_event_hub_authorization_rule(resource_group: 'RESOURCE_GROUP', namespace_name: 'EVENT_NAME', event_hub_endpoint: 'HUB_NAME', name: 'AUTH_RULE') do
+ it { should exist }
+end
+```
+
+```ruby
+describe azure_event_hub_authorization_rule(resource_id: '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.EventHub/namespaces/{namespaceName}/eventhubs/{eventHubName}/authorizationRules/{authorizationRuleName}') do
+ it { should exist }
+end
+```
+
+## Parameters
+
+`resource_group`
+: Azure resource group where the targeted resource resides.
+
+`namespace_name`
+: The unique name of the Event Hub Namespace.
+
+`event_hub_endpoint`
+: The unique name of the Event Hub Name.
+
+`name`
+: The unique name of the targeted resource.
+
+`authorization_rule`
+: Alias for the `name` parameter.
+
+`resource_id`
+: The unique resource ID.
+
+Either one of the parameter sets can be provided for a valid query:
+
+- `resource_id`
+- `resource_group`, `namespace_name`, `event_hub_endpoint`, and `name`
+- `resource_group`, `namespace_name`, `event_hub_endpoint`, and `authorization_rule`
+
+## Properties
+
+`properties.rights`
+: The list of rights associated with the rule.
+
+For properties applicable to all resources, such as `type`, `name`, `id`, and `properties`, refer to [`azure_generic_resource`](azure_generic_resource#properties).
+
+Also, see the [Azure documentation](https://docs.microsoft.com/en-us/rest/api/eventhub/stable/authorization-rules-event-hubs/get-authorization-rule?tabs=HTTP) for other available properties. You can access any attribute in the response with the key names separated by dots (`.`).
+
+## Examples
+
+Test the name of an Authorization Rule:
+
+```ruby
+describe azure_event_hub_authorization_rule(resource_group: 'RESOURCE_GROUP', namespace_name: 'EVENT_NAME', event_hub_endpoint: 'HUB_NAME', name: 'AUTH_RULE') do
+ its('name') { should cmp 'my-auth-rule' }
+end
+```
+
+```ruby
+describe azure_event_hub_authorization_rule(resource_id: '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.EventHub/namespaces/{namespaceName}/eventhubs/{eventHubName}/authorizationRules/{authorizationRuleName}') do
+ its('name') { should cmp 'my-auth-rule' }
+end
+```
+
+## Matchers
+
+This InSpec audit resource has the following special matchers. For a full list of available matchers, please visit our [Universal Matchers page](https://docs.chef.io/inspec/matchers/).
+
+### exists
+
+```ruby
+# If we expect the resource to always exist.
+
+describe azure_event_hub_authorization_rule(resource_group: 'RESOURCE_GROUP', namespace_name: 'EVENT_NAME', event_hub_endpoint: 'HUB_NAME', name: 'AUTH_RULE') do
+ it { should exist }
+end
+```
+
+### not_exists
+
+```ruby
+# If we expect the resource not to exist.
+
+describe azure_event_hub_authorization_rule(resource_group: 'RESOURCE_GROUP', namespace_name: 'EVENT_NAME', event_hub_endpoint: 'HUB_NAME', name: 'AUTH_RULE') do
+ it { should_not exist }
+end
+```
+
+## Azure permissions
+
+{{% inspec-azure/azure_permissions_service_principal role="contributor" %}}
diff --git a/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_event_hub_event_hub.md b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_event_hub_event_hub.md
new file mode 100644
index 0000000..d1d4efa
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_event_hub_event_hub.md
@@ -0,0 +1,109 @@
++++
+title = "azure_event_hub_event_hub resource"
+
+draft = false
+
+
+[menu.azure]
+title = "azure_event_hub_event_hub"
+identifier = "inspec/resources/azure/azure_event_hub_event_hub resource"
+parent = "inspec/resources/azure"
++++
+
+Use the `azure_event_hub_event_hub` InSpec audit resource to test the properties of an Azure Event Hub description within a resource group.
+
+## Azure REST API version, endpoint, and HTTP client parameters
+
+{{< readfile file="content/reusable/md/inspec_azure_common_parameters.md" >}}
+
+## Syntax
+
+`resource_group`, `namespace_name` and `name`, or the `resource_id` are required parameters.
+
+```ruby
+describe azure_event_hub_event_hub(resource_group: 'RESOURCE_GROUP', namespace_name: 'EVENT_NAME', name: 'HUB_NAME') do
+ it { should exist }
+end
+```
+
+```ruby
+describe azure_event_hub_event_hub(resource_id: '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.EventHub/namespaces/{namespaceName}/eventhubs/{eventHubName}') do
+ it { should exist }
+end
+```
+
+## Parameters
+
+`resource_group`
+: Azure resource group where the targeted resource resides.
+
+`namespace_name`
+: The unique name of the Event Hub Namespace.
+
+`name`
+: The unique name of the targeted resource.
+
+`event_hub_name`
+: Alias for the `name` parameter.
+
+`resource_id`
+: The unique resource ID.
+
+Either one of the parameter sets can be provided for a valid query:
+
+- `resource_id`
+- `resource_group`, `namespace_name` and `name`
+- `resource_group`, `namespace_name` and `event_hub_name`
+
+## Properties
+
+`properties.messageRetentionInDays`
+: Number of days to retain the events for this Event Hub. The value should be 1 to 7 days.
+
+For properties applicable to all resources, such as `type`, `name`, `id`, and `properties`, refer to [`azure_generic_resource`](azure_generic_resource#properties).
+
+Also, see the [Azure documentation](https://docs.microsoft.com/en-us/rest/api/eventhub/get-event-hub) for other available properties. You can access any attribute in the response with the key names separated by dots (`.`).
+
+## Examples
+
+Test the message retention time of an event hub:
+
+```ruby
+describe azure_event_hub_event_hub(resource_group: 'RESOURCE_GROUP', namespace_name: 'EVENT_NAME', name: 'HUB_NAME') do
+ its('properties.messageRetentionInDays') { should cmp 4 }
+end
+```
+
+```ruby
+describe azure_event_hub_event_hub(resource_id: '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.EventHub/namespaces/{namespaceName}/eventhubs/{eventHubName}') do
+ its('properties.messageRetentionInDays') { should cmp 4 }
+end
+```
+
+## Matchers
+
+This InSpec audit resource has the following special matchers. For a full list of available matchers, please visit our [Universal Matchers page](https://docs.chef.io/inspec/matchers/).
+
+### exists
+
+```ruby
+# If we expect the resource to always exist.
+
+describe azure_event_hub_event_hub(resource_group: 'RESOURCE_GROUP', namespace_name: 'EVENT_NAME', name: 'HUB_NAME') do
+ it { should exist }
+end
+```
+
+### not_exists
+
+```ruby
+# If we expect the resource not to exist.
+
+describe azure_event_hub_event_hub(resource_group: 'RESOURCE_GROUP', namespace_name: 'EVENT_NAME', name: 'HUB_NAME') do
+ it { should_not exist }
+end
+```
+
+## Azure permissions
+
+{{% inspec-azure/azure_permissions_service_principal role="contributor" %}}
diff --git a/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_event_hub_namespace.md b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_event_hub_namespace.md
new file mode 100644
index 0000000..edcefaf
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_event_hub_namespace.md
@@ -0,0 +1,106 @@
++++
+title = "azure_event_hub_namespace resource"
+
+draft = false
+
+
+[menu.azure]
+title = "azure_event_hub_namespace"
+identifier = "inspec/resources/azure/azure_event_hub_namespace resource"
+parent = "inspec/resources/azure"
++++
+
+Use the `azure_event_hub_namespace` InSpec audit resource to test the properties and configuration of an Azure Event Hub Namespace within a resource group.
+
+## Azure REST API version, endpoint, and HTTP client parameters
+
+{{< readfile file="content/reusable/md/inspec_azure_common_parameters.md" >}}
+
+## Syntax
+
+`resource_group` and `name`, or the `resource_id` are required parameters.
+
+```ruby
+describe azure_event_hub_namespace(resource_group: 'RESOURCE_GROUP', name: 'EVENT_HUB_NAME') do
+ it { should exist }
+end
+```
+
+```ruby
+describe azure_event_hub_namespace(resource_id: '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.EventHub/namespaces/{namespaceName}') do
+ it { should exist }
+end
+```
+
+## Parameters
+
+`resource_group`
+: Azure resource group where the targeted resource resides.
+
+`name`
+: The unique name of the Event Hub Namespace.
+
+`namespace_name`
+: Alias for the `name` parameter.
+
+`resource_id`
+: The unique resource ID.
+
+Either one of the parameter sets can be provided for a valid query:
+
+- `resource_id`
+- `resource_group` and `name`
+- `resource_group` and `namespace_name`
+
+## Properties
+
+`properties.kafkaEnabled`
+: Value that indicates whether Kafka is enabled for Eventhub Namespace.
+
+For parameters applicable to all resources, such as `type`, `name`, `id`, and `properties`, refer to [`azure_generic_resource`](azure_generic_resource#properties).
+
+Also, see the [Azure documentation](https://docs.microsoft.com/en-us/rest/api/eventhub/preview/namespaces/get?tabs=HTTP) for other available properties. You can access any attribute in the response with the key names separated by dots (`.`).
+
+## Examples
+
+Test if Kafka is enabled for an Eventhub Namespace:
+
+```ruby
+describe azure_event_hub_namespace(resource_group: 'RESOURCE_GROUP', name: 'EVENT_HUB_NAME') do
+ its('properties.kafkaEnabled') { should be true }
+end
+```
+
+```ruby
+describe azure_event_hub_namespace(resource_id: '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.EventHub/namespaces/{namespaceName}') do
+ its('properties.kafkaEnabled') { should be true }
+end
+```
+
+## Matchers
+
+This InSpec audit resource has the following special matchers. For a full list of available matchers, please visit our [Universal Matchers page](https://docs.chef.io/inspec/matchers/).
+
+### exists
+
+```ruby
+# If we expect the resource to always exist.
+
+describe azure_event_hub_namespace(resource_group: 'RESOURCE_GROUP', name: 'EVENT_HUB_NAME') do
+ it { should exist }
+end
+```
+
+### not_exists
+
+```ruby
+# If we expect the resource not to exist.
+
+describe azure_event_hub_namespace(resource_group: 'RESOURCE_GROUP', name: 'EVENT_HUB_NAME') do
+ it { should_not exist }
+end
+```
+
+## Azure permissions
+
+{{% inspec-azure/azure_permissions_service_principal role="contributor" %}}
diff --git a/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_express_route_circuit.md b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_express_route_circuit.md
new file mode 100644
index 0000000..957ba3c
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_express_route_circuit.md
@@ -0,0 +1,163 @@
++++
+title = "azure_express_route_circuit resource"
+
+draft = false
+
+
+[menu.azure]
+title = "azure_express_route_circuit"
+identifier = "inspec/resources/azure/azure_express_route_circuit resource"
+parent = "inspec/resources/azure"
++++
+
+Use the `azure_express_route_circuit` InSpec audit resource to test the properties of an Azure ExpressRoute circuit resource.
+
+## Azure REST API version, endpoint, and HTTP client parameters
+
+{{< readfile file="content/reusable/md/inspec_azure_common_parameters.md" >}}
+
+## Syntax
+
+This resource requires the `resource_group` and ExpressRoute circuit `circuit_name` parameters, or the `resource_id` parameter for a valid query.
+
+```ruby
+describe azure_express_route_circuit(resource_group: 'RESOURCE_GROUP', circuit_name: 'EXPRESS_CIRCUIT_NAME') do
+ it { should exist }
+end
+```
+
+or
+
+```ruby
+describe azure_express_route_circuit(resource_id: 'RESOURCE_ID') do
+ it { should exist }
+end
+```
+
+## Parameters
+
+`resource_group`
+: The Azure resource group where the targeted resource resides.
+
+`circuit_name`
+: The name of the ExpressRoute circuit.
+
+`resource_id`
+: The resource ID of the ExpressRoute circuit.
+
+Provide the `resource_group` and `name` parameters, or the `resource_id` parameter for a valid query.
+
+## Properties
+
+`resource_group`
+: The name of the resource group where the ExpressRoute circuit resource resides.
+
+`name`
+: The name of the ExpressRoute circuit.
+
+`type`
+: The ExpressRoute circuit type.
+
+`provisioning_state`
+: The provisioning state of ExpressRoute circuit resource.
+
+`location`
+: The location of the ExpressRoute circuit resource.
+
+`service_provider_properties_bandwidth_in_mbps`
+: The bandwidth in Mbps of the circuit when the circuit is provisioned on an ExpressRoutePort resource.
+
+`service_provider_properties_peering_location`
+: The ExpressRoute circuit resource service provider peering location.
+
+`service_provider_properties_name`
+: The name of the ExpressRoute circuit service provider name.
+
+`service_provider_provisioning_state`
+: The service provider provisioning state of the ExpressRoute circuit resource. Possible values are `NotProvisioned`, `Provisioning`, `Provisioned`, and `Deprovisioning`.
+
+`service_key`
+: The ServiceKey.
+
+`stag`
+: The identifier of the circuit traffic. Outer tag for `QinQ` encapsulation.
+
+`global_reach_enabled`
+: Flag denoting global reach status. `boolean`.
+
+`allow_global_reach`
+: Flag to enable Global Reach on the ExpressRoute circuit. `boolean`.
+
+`gateway_manager_etag`
+: The GatewayManager Etag.
+
+`allow_classic_operations`
+: Whether `Allow Classic Operations` is set to `true` or `false`.
+
+`circuit_provisioning_state`
+: The `CircuitProvisioningState` state of the resource.
+
+`sku_name`
+: The name of the SKU.
+
+`sku_tier`
+: The tier of the SKU. Possible values are `Basic`, `Local`, `Standard`, or `Premium`.
+
+`sku_family`
+: The family of the SKU. Possible values are: `UnlimitedData` and `MeteredData`.
+
+Also, see the [Azure documentation](https://docs.microsoft.com/en-us/rest/api/expressroute/express-route-circuits/get) for other available properties. You can access any attribute in the response with the key names separated by dots (`.`).
+
+## Examples
+
+Test an ExpressRoute circuit resource has the correct type:
+
+```ruby
+describe azure_express_route_circuit(resource_group: 'RESOURCE_GROUP', circuit_name: 'EXPRESS_CIRCUIT_NAME') do
+ its('type') { should eq 'Microsoft.Network/expressRouteCircuits' }
+end
+```
+
+Test an ExpressRoute circuit resource is in a successful state:
+
+```ruby
+describe azure_express_route_circuit(resource_group: 'RESOURCE_GROUP', circuit_name: 'EXPRESS_CIRCUIT_NAME') do
+ its('provisioning_state') { should eq 'Succeeded' }
+end
+```
+
+Test the location of an ExpressRoute circuit resource:
+
+```ruby
+describe azure_express_route_circuit(resource_group: 'RESOURCE_GROUP', circuit_name: 'EXPRESS_CIRCUIT_NAME') do
+ its('location') { should eq 'RESOURCE_LOCATION' }
+end
+```
+
+## Matchers
+
+{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}}
+
+### exists
+
+```ruby
+# If an express circuit resource is found, it will exist.
+
+describe azure_express_route_circuit(resource_group: 'RESOURCE_GROUP', circuit_name: 'EXPRESS_CIRCUIT_NAME') do
+ it { should exist }
+end
+```
+
+### not_exists
+
+```ruby
+# If an express circuit resources that aren't found, will not exist.
+
+describe azure_express_route_circuit(resource_group: 'RESOURCE_GROUP', circuit_name: 'DOESNOTEXIST') do
+ it { should_not exist }
+end
+```
+
+## Azure permissions
+
+{{% inspec-azure/azure_permissions_service_principal role="contributor" %}}
diff --git a/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_express_route_circuits.md b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_express_route_circuits.md
new file mode 100644
index 0000000..ae46f6f
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_express_route_circuits.md
@@ -0,0 +1,183 @@
++++
+title = "azure_express_route_circuits resource"
+
+draft = false
+
+
+[menu.azure]
+title = "azure_express_route_circuits"
+identifier = "inspec/resources/azure/azure_express_route_circuits resource"
+parent = "inspec/resources/azure"
++++
+
+Use the `azure_express_route_circuits` InSpec audit resource to test the properties of Azure ExpressRoute circuits for a resource group.
+
+## Azure REST API version, endpoint, and HTTP client parameters
+
+This resource interacts with API versions supported by the resource provider. The `api_version` can be defined as a resource parameter.
+If not provided, the latest version is used. For more information, refer to [`azure_generic_resource`](azure_generic_resource.md).
+
+Unless defined, `azure_cloud` global endpoint and default values for the HTTP client is used. For more information, refer to the resource pack [README](https://github.com/inspec/inspec-azure/blob/main/README.md).
+
+## Syntax
+
+An `azure_express_route_circuits` resource block returns all Azure ExpressRoute circuits within a resource group.
+
+```ruby
+describe azure_express_route_circuits(resource_group: 'RESOURCE_GROUP') do
+ #...
+end
+```
+
+## Parameters
+
+`resource_group`
+: The Azure resource group where the targeted resources resides.
+
+## Properties
+
+`names`
+: A list of name the resource group in which to create the ExpressRoute circuit.
+
+ Field: `name`
+
+`ids`
+: A list of the ExpressRoute circuit IDs.
+
+ Field: `id`
+
+`tags`
+: A list of `tag:value` pairs of the ExpressRoute circuit resources.
+
+ Field: `tags`
+
+`provisioning_states`
+: The provisioning states of the ExpressRoute circuit resources.
+
+ Field: `provisioning_state`
+
+`types`
+: The types of all the ExpressRoute circuit resources.
+
+ Field: `type`
+
+`locations`
+: The locations of the ExpressRoute circuit resources.
+
+ Field: `location`
+
+`service_provider_bandwidth_in_mbps`
+: A list of the bandwidths in Mbps of the circuits when a circuit is provisioned on an `ExpressRoutePort` resource.
+
+ Field: `service_provider_bandwidth_in_mbps`
+
+`service_provider_peering_locations`
+: A list of The name of the peering location and not the Azure resource location.
+
+ Field: `service_provider_peering_location`
+
+`service_provider_names`
+: The name of the ExpressRoute Service Provider.
+
+ Field: `service_provider_name`
+
+`service_keys`
+: The ServiceKeys of the ExpressRoute circuit resources.
+
+ Field: `service_key`
+
+`stags`
+: The identifiers of the circuit traffic. Outer tag for `QinQ` encapsulation.
+
+ Field: `stag`
+
+`global_reach_enabled`
+: A list of the ExpressRoute circuit that denotes global reach enable status.
+
+ Field: `global_reach_enabled`
+
+`gateway_manager_etags`
+: A list of the `GatewayManager` Etags in the ExpressRoute circuit resources.
+
+ Field: `gateway_manager_etag`
+
+`allow_classic_operations`
+: A list of indicating whether `Allow Classic Operations` in the ExpressRoute circuit resources is set to `true` or `false`.
+
+ Field: `allow_classic_operation`
+
+`circuit_provisioning_states`
+: A list of State of express `circuitHostName` creation. Valid values are `Enabled` or `Disabled`.
+
+ Field: `circuit_provisioning_state`
+
+`sku_names`
+: A list of the SKU names of the ExpressRoute circuits.
+
+ Field: `sku_name`
+
+`sku_tiers`
+: A list of the SKU tiers of the ExpressRoute circuits. Possible values are `Basic`, `Local`, `Standard`, or `Premium`.
+
+ Field: `sku_tier`
+
+`sku_family`
+: A list of the SKU families of the ExpressRoute circuits. Possible values are: `UnlimitedData` and `MeteredData`.
+
+ Field: `sku_family`
+
+{{< note >}}
+
+{{< readfile file="content/reusable/md/inspec_filter_table.md" >}}
+
+{{< /note>}}
+
+Also, see the [Azure documentation](https://docs.microsoft.com/en-us/rest/api/expressroute/express-route-circuits/list?tabs=HTTP) for other available properties.
+
+## Examples
+
+Ensure that an ExpressRoute circuit has a 'Succeeded' provisioning state:
+
+```ruby
+describe azure_express_route_circuits(resource_group: 'RESOURCE_GROUP') do
+ its('provisioning_states') { should include 'Succeeded' }
+end
+```
+
+Test than an ExpressRoute circuit has a specific location:
+
+```ruby
+describe azure_express_route_circuits(resource_group: 'RESOURCE_GROUP') do
+ its('location') { should include 'EXPRESS_ROUTE_CIRCUIT_LOCATION' }
+end
+```
+
+## Matchers
+
+{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}}
+
+This resource has the following special matchers.
+
+### exists
+
+```ruby
+# Should exist if express_route_circuits are in the resource group.
+
+describe azure_express_route_circuits(resource_group: 'RESOURCE_GROUP') do
+ it { should exist }
+end
+```
+
+### not_exists
+
+```ruby
+# Should not exist if no express_route_circuits are in the resource group
+
+describe azure_express_route_circuits(resource_group: 'RESOURCE_GROUP') do
+ it { should_not exist }
+end
+```
+
+## Azure permissions
+
+{{% inspec-azure/azure_permissions_service_principal role="contributor" %}}
diff --git a/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_express_route_providers.md b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_express_route_providers.md
new file mode 100644
index 0000000..40203ba
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_express_route_providers.md
@@ -0,0 +1,124 @@
++++
+title = "azure_express_route_providers resource"
+
+draft = false
+
+
+[menu.azure]
+title = "azure_express_route_providers"
+identifier = "inspec/resources/azure/azure_express_route_providers resource"
+parent = "inspec/resources/azure"
++++
+
+Use the `azure_express_route_providers` InSpec audit resource to test the properties related to azure_express_route for a resource group or the entire subscription.
+
+## Azure REST API version, endpoint, and HTTP client parameters
+
+{{< readfile file="content/reusable/md/inspec_azure_common_parameters.md" >}}
+
+## Syntax
+
+An `azure_express_route_providers` resource block returns all Azure azure_express_route, either within a resource group (if provided) or an entire Subscription.
+
+```ruby
+describe azure_express_route_providers do
+ #...
+end
+```
+
+Or
+
+```ruby
+
+describe azure_express_route_providers(resource_group: 'RESOURCE_GROUP') do
+ #...
+end
+```
+
+## Parameters
+
+`resource_group` _(optional)_
+
+: The name of the resource group.
+
+## Properties
+
+`names`
+: A list of the unique resource IDs.
+
+ Field: `name`
+
+`types`
+: A list of all the azure_express_route.
+
+ Field: `type`
+
+`ids`
+: A list of id for all the azure_express_route.
+
+ Field: `id`
+
+`tags`
+: A list of all the express_route names.
+
+ Field: `tag`
+
+`provisioning_states`
+: A list of the status of the request.
+
+ Field: `provisioning_state`
+
+`peering_locations_list`
+: A list of `peering locations` pairs defined on the resources.
+
+ Field: `locations`
+
+`bandwidths_offered_list`
+: A list of `bandwidths offered` pairs defined on the resources.
+
+ Field: `bandwidths`
+
+{{< note >}}
+
+{{< readfile file="content/reusable/md/inspec_filter_table.md" >}}
+
+{{< /note>}}
+
+## Examples
+
+Test if any azure_express_route exists in the resource group:
+
+```ruby
+describe azure_express_route_providers(resource_group: 'RESOURCE_GROUP') do
+ it { should exist }
+end
+describe azure_express_route_providers do
+ it { should exist }
+end
+```
+
+Test that there are express_route that includes a string in names (Server Side Filtering via Generic Resource - Recommended):
+
+```ruby
+describe azure_generic_resources(resource_group: 'RESOURCE_GROUP') do
+ it { should exist }
+end
+```
+
+## Matchers
+
+{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}}
+
+```ruby
+# Should not exist if no azure_express_route is in the resource group.
+
+describe azure_express_route_providers(resource_group: 'RESOURCE_GROUP') do
+ its('provisioning_states') { should include('Succeeded') }
+ its('peering_locations_list') { should include(["Melbourne", "Sydney"]) }
+ its('bandwidths_offered_list') { should include('bandwidths_offered') }
+end
+```
+
+## Azure permissions
+
+{{% inspec-azure/azure_permissions_service_principal role="contributor" %}}
diff --git a/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_generic_resource.md b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_generic_resource.md
new file mode 100644
index 0000000..ba3d36d
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_generic_resource.md
@@ -0,0 +1,198 @@
++++
+title = "azure_generic_resource resource"
+
+draft = false
+
+
+[menu.azure]
+title = "azure_generic_resource"
+identifier = "inspec/resources/azure/azure_generic_resource resource"
+parent = "inspec/resources/azure"
++++
+
+Use the `azure_generic_resource` Inspec audit resource to test any valid Azure resource available through Azure Resource Manager.
+
+## Syntax
+
+```ruby
+describe azure_generic_resource(resource_group: 'RESOURCE_GROUP', name: 'NAME') do
+ its('property') { should eq 'value' }
+end
+```
+
+where:
+
+- Resource parameters are used to query the Azure Resource Manager endpoint for the resource to be tested.
+- `property` - This generic resource dynamically creates the properties on the fly based on the resource type that has been targeted.
+- `value` - the expected output from the chosen property.
+
+## Parameters
+
+The following parameters can be passed for targeting a specific Azure resource.
+
+`resource_group`
+: Azure resource group where the targeted resource has been created.
+
+`name`
+: Name of the Azure resource to test.
+
+`resource_provider`
+: Azure resource provider of the resource to be tested.
+
+`resource_path`
+: Relative path to the resource if it is defined on another resource. The resource path of a subnet in a virtual network would be: `{virtualNetworkName}/subnets`.
+
+`resource_id`
+: Unique ID of Azure resource to be tested. `/subscriptions/{subscriptionId}/resourceGroups/{resourceGroup}/providers/Microsoft.Compute/virtualMachines/{vmName}`.
+
+`resource_uri`
+: Azure REST API URI of the resource to be tested. This parameter should be used when a resource does not reside in a resource group. It requires `add_subscription_id` and `name` parameters to be provided together. `/providers/Microsoft.Authorization/policyDefinitions/`.
+
+`add_subscription_id`
+: Indicates whether the `resource_uri` contains the subscription ID. `true` or `false`.
+
+`tag_name`
+: Tag name defined on the Azure resource.
`name`.
+
+ When resources are filtered by a tag name and value, the tags for each resource are not returned in the results.
+
+`tag_value`
+: Tag value of the tag defined with the `tag_name`. `external_linux`.
+
+`api_version`
+: API version to use when interrogating the resource. If not set or the resource provider does not support the provided API version, then the latest version for the resource provider will be used. `2017-10-9`, `latest`, and `default`.
+
+Either one of the parameter sets can be provided for a valid query:
+
+- `resource_id`
+- `resource_group` and `name`
+- `name`
+- `resource_group`, `resource_provider` and `name`
+- `resource_group`, `resource_provider`, `resource_path` and `name`
+- `add_subscription_id`, `resource_uri` and `name`
+- `tag_name` and `tag_value`
+
+Different parameter combinations can be tried. If it is not supported, the InSpec resource or the Azure REST API will raise an error.
+
+If the Azure Resource Manager endpoint returns multiple resources for a given query, this singular generic resource will fail. In that case, the [plural generic resource](azure_generic_resources.md) should be used.
+
+## Properties
+
+The properties that can be tested are dependent on the Azure resource that is tested. One way to see what properties can be tested is by checking their API pages. For example, the [virtual machines API documentation](https://docs.microsoft.com/en-us/rest/api/compute/virtualmachines/get).
+
+Also, the [Azure Resources Portal](https://resources.azure.com) can be used to select the resource you are interested in and see what can be tested.
+
+The following properties apply to almost all resources.
+
+`id`
+: The unique resource identifier.
+
+`name`
+: The name of the resource.
+
+`type`
+: The resource type.
+
+`location`
+: The location of the resource.
+
+`tags`
+: The tag `key:value pairs` if defined on the resource.
+
+`properties`
+: The resource properties.
+
+For more properties, refer to specific Azure documents for the tested resource.
+
+## Examples
+
+Test properties of a virtual machine and the endpoint API version:
+
+```ruby
+describe azure_generic_resource(resource_group: 'RESOURCE_GROUP', name: 'NAME') do
+ its('properties.storageProfile.osDisk.osType') { should cmp 'Linux' }
+ its('properties.storageProfile.osDisk.createOption') { should cmp 'FromImage' }
+ its('properties.storageProfile.osDisk.name') { should cmp 'linux-external-osdisk' }
+ its('properties.storageProfile.osDisk.caching') { should cmp 'ReadWrite' }
+
+ its('api_version_used_for_query_state') { should eq 'latest' }
+end
+```
+
+Test to ensure that the API version is used for the Query:
+
+```ruby
+describe azure_generic_resource(resource_id: '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroup}/providers/Microsoft.Compute/virtualMachines/{vmName}', api_version: '2017-01-01') do
+ its('api_version_used_for_query_state') { should eq 'user_provided' }
+ its('api_version_used_for_query') { should eq '2017-01-01' }
+end
+```
+
+Test to ensure if the tags include specific values:
+
+```ruby
+describe azure_generic_resource(resource_group: 'RESOURCE_GROUP', name: 'NAME') do
+ its('tags') { should include(name: 'MyVM') }
+end
+```
+
+Test properties of a virtual machine resides in an Azure Dev Test Lab:
+
+```ruby
+describe azure_generic_resource(resource_provider: 'Microsoft.DevTestLab/labs', resource_path: '{labName}/virtualmachines', resource_group: 'RESOURCE_GROUP', name: 'NAME') do
+ its('properties.userName') { should cmp 'admin' }
+ its('properties.allowClaim') { should cmp false }
+end
+```
+
+Test a resource group:
+
+```ruby
+describe azure_generic_resource(add_subscription_id: true, resource_uri: '/resourcegroups/', name: 'RESOURCE_GROUP') do
+ it { should exist }
+ its('tags') { should include(:owner) }
+ its('tags') { should include(owner: 'John Doe') }
+end
+```
+
+Test a policy definition:
+
+```ruby
+describe
azure_generic_resource(add_subscription_id: true, resource_uri: 'providers/Microsoft.Authorization/policyDefinitions', name: 'POLICY') do
+ it { should exist }
+ its('properties.policyRule.then.effect') { should cmp 'deny' }
+ its('properties.policyType') { should cmp 'Custom' }
+end
+```
+
+For more examples, see the [integration tests](https://github.com/inspec/inspec-azure/blob/main/test/integration/verify/controls/azure_generic_resource.rb).
+
+## Matchers
+
+{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}}
+
+This resource has the following special matchers.
+
+### exist
+
+```ruby
+# Should not exist if there is no resource with a given name.
+
+describe azure_generic_resource(name: 'fake_name') do
+ it { should_not exist }
+end
+```
+
+### not_exists
+
+```ruby
+# Should exist if there is one resource with a given name.
+
+describe azure_generic_resource(name: 'a_very_unique_name_within_subscription') do
+ it { should exist }
+end
+```
+
+## Azure permissions
+
+{{% inspec-azure/azure_permissions_service_principal role="contributor" %}}
diff --git a/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_generic_resources.md b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_generic_resources.md
new file mode 100644
index 0000000..ee7c94d
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_generic_resources.md
@@ -0,0 +1,255 @@
++++
+title = "azure_generic_resources resource"
+
+draft = false
+
+
+[menu.azure]
+title = "azure_generic_resources"
+identifier = "inspec/resources/azure/azure_generic_resources resource"
+parent = "inspec/resources/azure"
++++
+
+Use the `azure_generic_resources` Inspec audit resource to test any valid Azure resources.
+
+## Syntax
+
+This resource will interrogate all resources in your subscription available through Azure Resource Manager when initiated without a parameter.
+
+```ruby
+describe azure_generic_resources do
+ it { should exist }
+end
+```
+
+## Parameters
+
+The following parameters can be passed for targeting Azure resources. All of them are optional.
+
+`resource_group`
+: Azure resource group where the targeted resources have been created.
+
+ For example, `MyResourceGroup`
+
+`substring_of_resource_group`
+: Substring of an Azure resource group name where the targeted resources have been created.
+
+ For example, `RESOURCE_GROUP`
+
+`name`
+: Name of the Azure resources to test.
+
+ For example, `VM_NAME`
+
+`substring_of_name`
+: Substring a name of the Azure resources to test.
+
+ For example, `NAME`
+
+`resource_provider`
+: Azure resource provider of the resources to be tested.
+
+ For example, `Microsoft.Compute/virtualMachines`
+
+`tag_name`
+: Tag name defined on the Azure resources.
+
+ For example, `name`
+
+`tag_value`
+: Tag value of the tag defined with the `tag_name`.
+
+ For example, `external_linux`
+
+ When resources are filtered by a tag name and value, the tags for each resource are not returned in the results.
+
+`resource_uri`
+: Azure REST API URI of the resources to be tested. This parameter should be used when resources do not reside in resource groups. It requires `add_subscription_id` parameter to be provided together.
+
+ For example, `/providers/Microsoft.Authorization/policyDefinitions/`
+
+`add_subscription_id`
+: Indicates whether the `resource_uri` contains the subscription ID.
+
+ For example, `true` or `false`
+
+`filter_free_text`
+: Filter expression for the endpoints supporting `$filter` parameter. For example, [Azure role assignments](https://docs.microsoft.com/en-us/azure/role-based-access-control/role-assignments-list-rest). This can only be used with the `resource_uri` parameter.
+
+ For example, `"atScope()"`
+
+Either one of the parameter sets can be provided for a valid query:
+
+- `resource_group`
+- `substring_of_resource_group`
+- `name`
+- `substring_of_name`
+- `substring_of_resource_group` and `substring_of_name`
+- `resource_provider`
+- `resource_group` and `resource_provider`
+- `substring_of_resource_group` and `resource_provider`
+- `tag_name`
+- `tag_name` and `tag_value`
+- `add_subscription_id` and `resource_uri`
+- `add_subscription_id`, `resource_uri` and `filter_free_text`
+
+Different parameter combinations can be tried. If it is not supported, the InSpec resource or the Azure REST API will raise an error.
+
+It is advised to use these parameter sets to narrow down the targeted resources at the server side, Azure REST API, for a more computing resource-efficient test.
+
+## Properties
+
+`ids`
+: A list of the unique resource IDs.
+
+ Field: `id`
+
+`names`
+: A list of the unique resource names within a resource group.
+
+ Field: `name`
+
+`tags`
+: A list of `tag:value` pairs defined on the resources.
+
+ Field: `tags`
+
+`types`
+: A list of resource types.
+
+ Field: `type`
+
+`locations`
+: A list of locations where resources are created.
+
+ Field: `location`
+
+`created_times`
+: A list of created times of the resources.
+
+ Field: `created_time`
+
+`changed_times`
+: A list of changing times of the resources.
+
+ This property is not available when `resource_uri` is used.
+
+ Field: `changed_time`
+
+`provisioning_states`
+: A list of provisioning states of the resources.
+
+ This property is not available when `resource_uri` is used.
+
+ Field: `provisioning_state`
+
+ This property is not available when `resource_uri` is used.
+
+{{< note >}}
+
+{{< readfile file="content/reusable/md/inspec_filter_table.md" >}}
+
+{{< /note>}}
+
+## Examples
+
+Test all virtual machines in your subscription:
+
+```ruby
+describe azure_generic_resources(resource_provider: 'Microsoft.Compute/virtualMachines') do
+ it { should exist }
+ its('count') { should eq 43 }
+end
+```
+
+Test all resources regardless of their type and resource group with a common string in names (Server Side Filtering):
+
+```ruby
+azure_generic_resources(substring_of_name: 'project_a').ids.each do |id|
+ describe azure_generic_resource(resource_id: id) do
+ it { should exist }
+ its('location') { should eq 'eastus' }
+ end
+end
+```
+
+Test all resources regardless of their type and resource group with a common tag 'name:value' pair (Server Side Filtering):
+
+```ruby
+azure_generic_resources(tag_name: 'demo', tag_value: 'shutdown_at_10_pm').ids.each do |id|
+ describe azure_generic_resource(resource_id: id) do
+ it { should exist }
+ its('location') { should eq 'eastus' }
+ end
+end
+```
+
+Filters the results to only include those that match the given location (client-side filtering):
+
+```ruby
+describe azure_generic_resources.where(location: 'eastus') do
+ it { should exist }
+end
+```
+
+Filters the results to only include those that created within last 24 hours (client-side filtering):
+
+```ruby
+describe azure_generic_resources.where{ created_time > Time.now - 86400 } do
+ it { should exist }
+end
+```
+
+Test policy definitions:
+
+```ruby
+describe azure_generic_resources(add_subscription_id: true, resource_uri: 'providers/Microsoft.Authorization/policyDefinitions') do
+ it { should exist }
+end
+```
+
+Filter role assignments via 'filter_free_text':
+
+```ruby
+describe azure_generic_resources(add_subscription_id: true, resource_uri: "providers/Microsoft.Authorization/roleAssignments", filter_free_text:
"atScope()+and+assignedTo('{abcd1234-abcd-1234}')") do
+ it { should exist }
+end
+```
+
+{{< note >}}
+
+{{< readfile file="content/reusable/md/inspec_filter_table.md" >}}
+
+{{< /note>}}
+
+For more examples, see the [integration tests](https://github.com/inspec/inspec-azure/blob/main/test/integration/verify/controls/azure_generic_resources.rb).
+
+## Matchers
+
+{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}}
+
+This resource has the following special matchers.
+
+exist
+
+```ruby
+# Should not exist if there is no resource with a given resource group.
+
+describe azure_generic_resources(resource_group: 'fake_group') do
+ it { should_not exist }
+end
+```
+
+not_exists
+
+```ruby
+# Should exist if there is at least one resource.
+
+describe azure_generic_resources(resource_group: 'RESOURCE_GROUP') do
+ it { should exist }
+end
+```
+
+## Azure permissions
+
+{{% inspec-azure/azure_permissions_service_principal role="contributor" %}}
diff --git a/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_graph_generic_resource.md b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_graph_generic_resource.md
new file mode 100644
index 0000000..7460ac3
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_graph_generic_resource.md
@@ -0,0 +1,96 @@
++++
+title = "azure_graph_generic_resource resource"
+
+draft = false
+
+
+[menu.azure]
+title = "azure_graph_generic_resource"
+identifier = "inspec/resources/azure/azure_graph_generic_resource resource"
+parent = "inspec/resources/azure"
++++
+
+Use the `azure_graph_generic_resource` Inspec audit resource to test any valid Azure resource available through Microsoft Azure Graph API.
+
+## Azure REST API version, endpoint, and HTTP client parameters
+
+{{< readfile file="content/reusable/md/inspec_azure_common_parameters.md" >}}
+
+## Syntax
+
+```ruby
+describe azure_graph_generic_resource(resource: 'RESOURCE', id: 'GUID', select: %w(attributes to be tested)) do
+ its('property') { should eq 'value' }
+end
+```
+
+where:
+
+- Resource parameters are used to query Azure Graph API endpoint for the resource to be tested.
+- `property` - This generic resource dynamically creates the properties on the fly based on the property names provided with the `select` parameter.
+- `value` is the expected output from the chosen property.
+
+## Parameters
+
+The following parameters can be passed for targeting a specific Azure resource.
+
+`resource`
+: Azure resource type where the targeted resource belongs. For example, `users`.
+
+`id`
+: Globally unique ID of the targeted resource. For example, `jdoe@example.com`.
+
+`select`
+: The list of query parameters defining which attributes the resource will expose. If not provided, then the predefined attributes will be returned from the API. For example, `givenName`, `surname`, and `department`.
+
+`api_version`
+: API version of the GRAPH API to use when interrogating the resource. If not set, then the predefined stable version will be used. For example, `v1.0`, or `beta`.
+
+## Properties
+
+The properties that can be tested are entirely dependent on the Azure Resource that is tested and the query parameters provided with the `select` parameter.
+
+## Examples
+
+Test properties of a user account:
+
+```ruby
+describe azure_graph_generic_resource(resource: 'USERS', id: 'jdoe@contoso.com', select: %w{ surname givenName }) do
+ its('surname') { should cmp 'Doe' }
+ its('givenName') { should cmp 'John' }
+end
+```
+
+For more examples, see the [integration tests](https://github.com/inspec/inspec-azure/blob/main/test/integration/verify/controls/azure_graph_generic_resource.rb).
+
+## Matchers
+
+{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}}
+
+This resource has the following special matchers.
+
+### exist
+
+```ruby
+# Should not exist if there is no resource with a given name.
+
+describe azure_graph_generic_resource(resource: 'users', id: 'fake_id') do
+ it { should_not exist }
+end
+```
+
+### not_exists
+
+```ruby
+# Should exist if there is one resource with a given name.
+
+describe azure_graph_generic_resource(resource: 'users', id: 'valid_id') do
+ it { should exist }
+end
+```
+
+## Azure permissions
+
+Graph resources require specific privileges granted to your service principal.
+
+Please refer to the [Microsoft Documentation](https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-integrating-applications#updating-an-application) for information on how to grant these permissions to your application.
diff --git a/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_graph_generic_resources.md b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_graph_generic_resources.md
new file mode 100644
index 0000000..0038fd8
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_graph_generic_resources.md
@@ -0,0 +1,151 @@
++++
+title = "azure_graph_generic_resources resource"
+
+draft = false
+
+
+[menu.azure]
+title = "azure_graph_generic_resources"
+identifier = "inspec/resources/azure/azure_graph_generic_resources resource"
+parent = "inspec/resources/azure"
++++
+
+Use the `azure_graph_generic_resources` Inspec audit resource to test any valid Azure resource available through Microsoft Azure Graph API.
+
+## Azure REST API version, endpoint, and HTTP client parameters
+
+{{< readfile file="content/reusable/md/inspec_azure_common_parameters.md" >}}
+
+## Syntax
+
+```ruby
+describe azure_graph_generic_resources(resource: 'RESOURCE', filter: {starts_with_property_name: 'A'}, select: %w(properties to be tested)) do
+ its('property') { should eq 'value' }
+end
+```
+
+where:
+
+- Resource parameters are used to query Azure Graph API endpoint for the resource to be tested.
+- `property` - This generic resource dynamically creates the properties on the fly based on the type of resource that has been targeted and the parameters provided with the `select` parameter.
+- `value` is the expected output from the chosen property.
+
+## Parameters
+
+The following parameters can be passed for targeting specific Azure resources.
+
+`resource`
+: Azure resource type where the targeted resource belongs. This is the only **MANDATORY** parameter. For example, `users`.
+
+`filter`
+: A hash containing the filtering options and their values. The `starts_with_` operator can be used for fuzzy string matching. Parameter names are in the snake case. For example, `{ starts_with_given_name: 'J', starts_with_department: 'Core', country: 'United Kingdom', given_name: John}`.
+
+`filter_free_text`
+: [OData](https://www.odata.org/getting-started/basic-tutorial/) query string in double quotes, `"`. Property names are in the camel case, refer to [Azure query parameters documentation](https://docs.microsoft.com/en-us/graph/query-parameters#filter-parameter) for more information.
For example, `"startswith(displayName,'J') and surname eq 'Doe'"`.
+
+`select`
+: A list of the query parameters defining the attributes the resource will expose and to be tested. Property names are in camel case. If not provided then the predefined attributes will be returned from the API. For example, `['givenName', 'surname', 'department']`.
+
+`api_version`
+: API version of the Azure Graph API to use when interrogating the resource. If not set, then the predefined stable version will be used. For example, `v1.0` or `beta`.
+
+It is advised to use `filter` or `filter_free_text` to narrow down the targeted resources at the server side, Azure Graph API, for a more efficient test.
+
+## Properties
+
+Attributes will be created dynamically by pluralizing the name of the properties of the resources and converting them to `snake_case` form.
+
+For example, if the query parameters are `select: %w{ country department givenName }`, then the parameters will be:
+
+- `ids` (default)
+- `countries`
+- `departments`
+- `given_names`
+
+### Filter Criteria
+
+Returned resources can be filtered by their parameters provided with the `select` option, or the default values returned from the API unless the `select` is used.
+
+For example, if the query parameters are `select: %w{ country department givenName }`, then the filter criteria will be:
+
+- `id` (default)
+- `country`
+- `department`
+- `givenName`
+
+## Examples
+
+Test a selection of user accounts using the `filter` parameter:
+
+```ruby
+describe azure_graph_generic_resources(resource: 'USERS', filter: { starts_with_given_name: 'J', starts_with_department: 'customer', country: 'United Kingdom' }, select: %w{ country userPrincipalName}) do
+ it { should exist }
+ its('countries'.uniq) { should eq ['United Kingdom'] }
+end
+
+Test a selection of user accounts using the `filter_free_text` parameter:
+
+describe azure_graph_generic_resources(resource: 'USERS', filter_free_text: "startswith(givenName,'J') and startswith(department,'customer') and country eq 'United States'", select: %w{ country userPrincipalName}) do
+ it { should exist }
+ its('countries'.uniq) { should eq ['United States'] }
+end
+```
+
+Filter the results to only include that match the given country:
+
+```ruby
+describe azure_graph_generic_resources(resource: 'USERS', select: %w{ country }).where(country: 'United Kingdom') do
+ it { should exist }
+end
+```
+
+Note:** Client-side filtering isn't recommended.
+
+{{< note >}}
+
+{{< readfile file="content/reusable/md/inspec_filter_table.md" >}}
+
+{{< /note>}}
+
+Test `given_names` Parameter:
+
+```ruby
+azure_graph_generic_resources(resource: 'USERS', filter: { starts_with_given_name: 'J' }, select: %w{ givenName }).given_names.each do |name|
+ describe name do
+ it { should start_with('J') }
+ end
+end
+```
+
+## Matchers
+
+{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}}
+
+This resource has the following special matchers.
+
+### exist
+
+```ruby
+# Should not exist if there is no resource with a given name.
+
+describe azure_graph_generic_resources(resource: 'USERS', filter: { given_name: 'fake_name'}, select: %w{ givenName }) do
+ it { should_not exist }
+end
+```
+
+### not_exists
+
+```ruby
+
+# Should exist if there is at least one resource with a given name.
+
+describe azure_graph_generic_resources(resource: 'USERS', filter: { given_name: 'valid_name'}, select: %w{ givenName }) do
+ it { should exist }
+end
+```
+
+## Azure permissions
+
+Graph resources require specific privileges granted to your service principal.
+
+Please refer to the [Microsoft Documentation](https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-integrating-applications#updating-an-application) for information on how to grant these permissions to your application.
diff --git a/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_graph_user.md b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_graph_user.md
new file mode 100644
index 0000000..507f3ad
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_graph_user.md
@@ -0,0 +1,149 @@
++++
+title = "azure_graph_user resource"
+
+draft = false
+
+
+[menu.azure]
+title = "azure_graph_user"
+identifier = "inspec/resources/azure/azure_graph_user resource"
+parent = "inspec/resources/azure"
++++
+
+Use the `azure_graph_user` InSpec audit resource to test the properties of an Azure Active Directory user within a Tenant.
+
+## Azure REST API version, endpoint, and HTTP client parameters
+
+{{< readfile file="content/reusable/md/inspec_azure_common_parameters.md" >}}
+
+## Syntax
+
+```ruby
+describe azure_graph_user(user_principal_name: 'jdoe@contoso.com') do
+ it { should exist }
+end
+```
+
+## Parameters
+
+Either one of the following parameters is mandatory.
+
+`user_principal_name`
+: The user principal name.
+
+ For example, `jdoe@contoso.com`
+
+`id`
+: Globally unique identifier.
+
+ For example, `abcd-1234-efabc-5678`
+
+`user_id`
+: Globally unique identifier (For backward compatibility).
+
+ For example, `abcd-1234-efabc-5678`
+
+## Properties
+
+`id`
+: The user's globally unique ID.
+
+`account_enabled`
+: Whether the account is enabled.
+
+`city`
+: The user's city.
+
+`country`
+: The user's country.
+
+`department`
+: The user's department.
+
+`display_name`
+: The display name of the user.
+
+`facsimile_telephone_number`
+: The user's facsimile (fax) number.
+
+`given_name`
+: The given name for the user.
+
+`job_title`
+: The user's job title.
+
+`mail`
+: The primary email address of the user.
+
+`mail_nickname`
+: The mail alias for the user.
+
+`mobile`
+: The user's mobile (cell) phone number.
+
+`password_policies`
+: The password policies for the user.
+
+`password_profile`
+: The password profile for the user.
+
+`postal_code`
+: The user's postal (ZIP) code.
+
+`state`
+: The user's state.
+
+`street_address`
+: The user's street address.
+
+`surname`
+: The user's surname (family name or last name).
+
+`telephone_number`
+: The user's telephone number.
+
+`usage_location`
+: A two letter country code (ISO standard 3166). Examples include: `US`, `JP`, and `GB`.
+
+`user_principal_name`
+: The principal name of the user.
+
+`user_type`
+: A string value that can be used to classify user types in your directory, such as `Member` or `Guest`.
+
+## Examples
+
+Test if an Active Directory user account is referenced with a valid ID:
+
+```ruby
+describe azure_graph_user(id: 'someValidId')
+ it { should exist }
+end
+```
+
+Test if an Active Directory user Account is referenced with an invalid ID:
+
+```ruby
+describe azure_graph_user(id: 'someInvalidId')
+ it { should_not exist }
+end
+```
+
+## Matchers
+
+{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}}
+
+This resource has the following special matchers.
+
+### exists
+
+```ruby
+describe azure_graph_user(user_id: 'someUserId') do
+ it { should exist }
+end
+```
+
+## Azure permissions
+
+Graph resources require specific privileges granted to your service principal.
+Please refer to the [Microsoft Documentation](https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-integrating-applications#updating-an-application) for information on how to grant these permissions to your application.
diff --git a/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_graph_users.md b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_graph_users.md
new file mode 100644
index 0000000..ea7d262
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_graph_users.md
@@ -0,0 +1,140 @@
++++
+title = "azure_graph_users resource"
+
+draft = false
+
+
+[menu.azure]
+title = "azure_graph_users"
+identifier = "inspec/resources/azure/azure_graph_users resource"
+parent = "inspec/resources/azure"
++++
+
+Use the `azure_graph_users` InSpec audit resource to test the properties of some or all Azure Active Directory users within a Tenant.
+
+## Azure REST API version, endpoint, and HTTP client parameters
+
+{{< readfile file="content/reusable/md/inspec_azure_common_parameters.md" >}}
+
+## Syntax
+
+An `azure_graph_users` resource block returns all Azure Active Directory user accounts within the configured Tenant and then tests that group of users.
+
+```ruby
+describe azure_graph_users do
+ #...
+end
+```
+
+## Parameters
+
+The following parameters can be passed for targeting specific users.
+
+`filter`
+: A hash containing the filtering options and their values. The `starts_with_` operator can be used for fuzzy string matching. Parameter names are in the snake case.
+
+ For example, `{ starts_with_given_name: 'J', starts_with_department: 'Core', country: 'United Kingdom', given_name: John}`
+
+`filter_free_text`
+: [OData](https://www.odata.org/getting-started/basic-tutorial/) query string in double quotes, `"`. Property names are in the camel case. See the [Microsoft query parameters documentation](https://docs.microsoft.com/en-us/graph/query-parameters#filter-parameter) for more information.
+
+ For example, `"startswith(displayName,'J') and surname eq 'Doe'"` or `"userType eq 'Guest'"`
+
+It is advised to use these parameters to narrow down the targeted resources at the server side, Azure Graph API, for a more efficient test.
+
+## Properties
+
+`ids`
+: The unique identifiers of users.
+
+ Field: `id`
+
+`object_ids`
+: The unique identifiers of users. This is for backward compatibility. Use `ids` instead.
+
+ Field: `id`
+
+`display_names`
+: The display names of users.
+
+ Field: `displayName`
+
+`given_names`
+: The given names of users.
+
+ Field: `givenName`
+
+`job_titles`
+: The job titles of users.
+
+ Field: `jobTitle`
+
+`mails`
+: The email addresses of users.
+
+ Field: `mail`
+
+`user_types`
+: The user types of users. For example, `Member`, `Guest`.
+
+ Field: `userType`
+
+`user_principal_names`
+: The user principal names of users. For example, `jdoe@contoso.com`.
+
+ Field: `userPrincipalName`
+
+{{< note >}}
+
+{{< readfile file="content/reusable/md/inspec_filter_table.md" >}}
+
+{{< /note>}}
+
+## Examples
+
+The following examples show how to use this InSpec audit resource.
+
+Check users with some filtering parameters applied at server side (Using 'filter'):
+
+```ruby
+describe azure_graph_users(filter: {given_name: 'John', starts_with_department: 'Customer'}) do
+ it { should exist }
+end
+```
+
+Check users with some filtering parameters applied at server side (Using 'filter_free_text'):
+
+```ruby
+describe azure_graph_users(filter_free_text: "startswith(givenName,'J') and startswith(department,'customer') and country eq 'United States'") do
+ it { should exist }
+end
+```
+
+Ensure there are no guest accounts active (client-side filtering):
+
+```ruby
+describe azure_graph_users.guest_accounts do
+ it { should_not exist }
+end
+```
+
+## Matchers
+
+{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}}
+
+This resource has the following special matchers.
+
+### exists
+
+The control passes if the filter returns at least one result. Use `should_not` if you expect zero matches.
+
+```ruby
+describe azure_graph_users do
+ it { should exist }
+end
+```
+
+## Azure permissions
+
+Graph resources require specific privileges granted to your service principal.
+Please refer to the [Microsoft Documentation](https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-integrating-applications#updating-an-application) for information on how to grant these permissions to your application.
diff --git a/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_hdinsight_cluster.md b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_hdinsight_cluster.md
new file mode 100644
index 0000000..35a748c
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_hdinsight_cluster.md
@@ -0,0 +1,112 @@
++++
+title = "azure_hdinsight_cluster resource"
+
+draft = false
+
+
+[menu.azure]
+title = "azure_hdinsight_cluster"
+identifier = "inspec/resources/azure/azure_hdinsight_cluster resource"
+parent = "inspec/resources/azure"
++++
+
+Use the `azure_hdinsight_cluster` InSpec audit resource to test the properties of an Azure HDInsight Cluster.
+
+## Azure REST API version, endpoint, and HTTP client parameters
+
+{{< readfile file="content/reusable/md/inspec_azure_common_parameters.md" >}}
+
+## Syntax
+
+An `azure_hdinsight_cluster` resource block identifies a HDInsight Cluster by `name` and `resource_group`, or the `resource_id`.
+
+```ruby
+describe azure_hdinsight_cluster(resource_group: 'RESOURCE_GROUP', name: 'CLUSTER_NAME') do
+ it { should exist }
+end
+```
+
+```ruby
+describe azure_hdinsight_cluster(resource_id: '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.HDInsight/clusters/{clusterName}') do
+ it { should exist }
+end
+```
+
+## Parameters
+
+`resource_group`
+: Azure resource group where the targeted resource resides.
+
+`name`
+: The unique name of the cluster.
+
+`resource_id`
+: The unique resource ID.
+
+Either one of the parameter sets can be provided for a valid query:
+
+- `resource_id`
+- `resource_group` and `name`
+
+## Properties
+
+`properties.clusterVersion`
+: The version of the cluster.
+
+For properties applicable to all resources, such as `type`, `name`, `id`, and `properties`, refer to [`azure_generic_resource`](azure_generic_resource#properties).
+
+Also, see the [Azure documentation](https://docs.microsoft.com/en-us/rest/api/hdinsight/2021-06-01/clusters/get?tabs=HTTP) for other available properties. You can access any attribute in the response with the key names separated by dots (`.`).
+
+## Examples
+
+Test that a specified HDInsight Cluster is successfully provisioned:
+
+```ruby
+describe azure_hdinsight_cluster(resource_group: 'RESOURCE_GROUP', name: 'CLUSTER_NAME') do
+ its('properties.provisioningState') { should cmp 'Succeeded' }
+end
+```
+
+```ruby
+describe azure_hdinsight_cluster(resource_id: '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.HDInsight/clusters/{clusterName}') do
+ its('properties.provisioningState') { should cmp 'Succeeded' }
+end
+```
+
+Test the version of an HDInsight Cluster:
+
+```ruby
+describe azure_hdinsight_cluster(resource_group: 'RESOURCE_GROUP', name: 'CLUSTER_NAME') do
+ its('properties.clusterVersion') { should cmp '4.0' }
+end
+```
+
+See [integration tests](https://github.com/inspec/inspec-azure/blob/main/test/integration/verify/controls/azure_hdinsight_cluster.rb) for more examples.
+
+## Matchers
+
+This InSpec audit resource has the following special matchers. For a full list of available matchers, please visit our [Universal Matchers page](https://docs.chef.io/inspec/matchers/).
+
+### exists
+
+```ruby
+# If we expect the resource to always exist.
+
+describe azure_hdinsight_cluster(resource_group: 'RESOURCE_GROUP', name: 'CLUSTER_NAME') do
+ it { should exist }
+end
+```
+
+### not_exists
+
+```ruby
+# If we expect the resource not to exist.
+
+describe azure_hdinsight_cluster(resource_group: 'RESOURCE_GROUP', name: 'CLUSTER_NAME') do
+ it { should_not exist }
+end
+```
+
+## Azure permissions
+
+{{% inspec-azure/azure_permissions_service_principal role="contributor" %}}
diff --git a/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_hpc_asc_operation.md b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_hpc_asc_operation.md
new file mode 100644
index 0000000..51d4506
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_hpc_asc_operation.md
@@ -0,0 +1,104 @@
++++
+title = "azure_hpc_asc_operation resource"
+
+draft = false
+
+
+[menu.azure]
+title = "azure_hpc_asc_operation"
+identifier = "inspec/resources/azure/azure_hpc_asc_operation resource"
+parent = "inspec/resources/azure"
++++
+
+Use the `azure_hpc_asc_operation` InSpec audit resource to test the properties related to an Azure HPC ASC Operation.
+
+## Azure REST API version, endpoint, and HTTP client parameters
+
+{{< readfile file="content/reusable/md/inspec_azure_common_parameters.md" >}}
+
+## Syntax
+
+`name`, `cache_name`, and `resource_group` are required parameters.
+
+```ruby
+describe azure_hpc_asc_operation(location: 'LOCATION', operation_id: 'OPERATION_ID') do
+ it { should exist }
+ its('type') { should eq 'Microsoft.StorageCache/Cache/StorageTarget' }
+ its('location') { should eq 'East US' }
+end
+```
+
+```ruby
+describe azure_hpc_asc_operation(location: 'LOCATION', operation_id: 'OPERATION_ID') do
+ it { should exist }
+end
+```
+
+## Parameters
+
+`location` _(required)_
+: The name of the region used to look up the operation.
+
+`operation_id` _(required)_
+: The operation ID that uniquely identifies the asynchronous operation.
+
+## Properties
+
+`id`
+: The operation ID.
+
+`name`
+: The operation name.
+
+`startTime`
+: The start time of the operation.
+
+`status`
+: The status of the operation.
+
+`endTime`
+: The end time of the operation.
+
+For properties applicable to all resources, such as `type`, `name`, `id`, and `properties`, refer to [`azure_generic_resource`](azure_generic_resource#properties).
+
+Also, see the [Azure documentation](https://docs.microsoft.com/en-us/rest/api/storagecache/asc-operations/get#ascoperation) for other available properties.
+
+## Examples
+
+Test that the HPC ASC operation is succeeded:
+
+```ruby
+describe azure_hpc_asc_operation(location: 'LOCATION', operation_id: 'OPERATION_ID') do
+ its('status') { should eq 'Succeeded' }
+end
+```
+
+## Matchers
+
+{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}}
+
+This resource has the following special matchers.
+
+### exists
+
+```ruby
+# If an HPC ASC Operation is found, it will exist.
+
+describe azure_hpc_asc_operation(location: 'LOCATION', operation_id: 'OPERATION_ID') do
+ it { should exist }
+end
+```
+
+### not_exists
+
+```ruby
+# If an HPC ASC Operation is not found, it will not exist.
+
+describe azure_hpc_asc_operation(location: 'LOCATION', operation_id: 'OPERATION_ID') do
+ it { should_not exist }
+end
+```
+
+## Azure permissions
+
+{{% inspec-azure/azure_permissions_service_principal role="reader" %}}
diff --git a/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_hpc_cache.md b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_hpc_cache.md
new file mode 100644
index 0000000..b05b0dc
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_hpc_cache.md
@@ -0,0 +1,113 @@
++++
+title = "azure_hpc_cache resource"
+
+draft = false
+
+
+[menu.azure]
+title = "azure_hpc_cache"
+identifier = "inspec/resources/azure/azure_hpc_cache resource"
+parent = "inspec/resources/azure"
++++
+
+Use the `azure_hpc_cache` InSpec audit resource to test the properties related to an Azure HPC Cache.
+
+## Azure REST API version, endpoint, and HTTP client parameters
+
+{{< readfile file="content/reusable/md/inspec_azure_common_parameters.md" >}}
+
+## Syntax
+
+`name`, `cache_name`, and `resource_group` are required parameters.
+
+```ruby
+describe azure_hpc_cache(resource_group: 'RESOURCE_GROUP', name: 'HPC_CACHE_NAME') do
+ it { should exist }
+ its('type') { should eq 'Microsoft.StorageCache/Cache' }
+ its('location') { should eq 'East US' }
+end
+```
+
+```ruby
+describe azure_hpc_cache(resource_group: 'RESOURCE_GROUP', name: 'HPC_CACHE_NAME') do
+ it { should exist }
+end
+```
+
+## Parameters
+
+`name` _(required)_
+: Name of the Azure HPC Cache to test.
+
+`resource_group` _(required)_
+: Azure resource group where the targeted resource resides.
+
+## Properties
+
+`id`
+: Resource ID of the HPC Cache.
+
+`name`
+: Name of the HPC Cache.
+
+`type`
+: Type of the HPC Cache, `Microsoft.StorageCache/Cache`.
+
+`location`
+: Region name string.
+
+`properties`
+: The properties of the HPC Cache.
+
+`properties.cacheSizeGB`
+: The size of this HPC Cache (in GB).
+
+`properties.subnet`
+: The subnet used for the HPC Cache.
+
+`properties.health`
+: Health of the HPC Cache.
+
+For properties applicable to all resources, such as `type`, `name`, `id`, and `properties`, refer to [`azure_generic_resource`](azure_generic_resource#properties).
+
+Also, see the [Azure documentation](https://docs.microsoft.com/en-us/rest/api/storagecache/caches/get#cache) for other available properties.
+
+## Examples
+
+Test that the HPC Cache is provisioned:
+
+```ruby
+describe azure_hpc_cache(resource_group: 'RESOURCE_GROUP', name: 'HPC_CACHE_NAME') do
+ its('properties.provisioningState') { should eq 'Succeeded' }
+end
+```
+
+## Matchers
+
+{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}}
+
+This resource has the following special matchers.
+
+### exists
+
+```ruby
+# If an HPC Cache is found, it will exist.
+
+describe azure_hpc_cache(resource_group: 'RESOURCE_GROUP', name: 'HPC_CACHE_NAME') do
+ it { should exist }
+end
+```
+
+### not_exists
+
+```ruby
+# If an HPC Cache is not found, it will not exist.
+
+describe azure_hpc_cache(resource_group: 'RESOURCE_GROUP', name: 'HPC_CACHE_NAME') do
+ it { should_not exist }
+end
+```
+
+## Azure permissions
+
+{{% inspec-azure/azure_permissions_service_principal role="reader" %}}
diff --git a/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_hpc_cache_skus.md b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_hpc_cache_skus.md
new file mode 100644
index 0000000..4094d7b
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_hpc_cache_skus.md
@@ -0,0 +1,95 @@
++++
+title = "azure_hpc_cache_skus resource"
+
+draft = false
+
+
+[menu.azure]
+title = "azure_hpc_cache_skus"
+identifier = "inspec/resources/azure/azure_hpc_cache_skus resource"
+parent = "inspec/resources/azure"
++++
+
+Use the `azure_hpc_cache_skus` InSpec audit resource to test the properties related to all Azure HPC Cache SKUs.
+
+## Azure REST API version, endpoint, and HTTP client parameters
+
+{{< readfile file="content/reusable/md/inspec_azure_common_parameters.md" >}}
+
+## Syntax
+
+An `azure_hpc_cache_skus` resource block returns all Azure HPC Cache SKUs.
+
+```ruby
+describe azure_hpc_cache_skus do
+ #...
+end
+```
+
+## Parameters
+
+## Properties
+
+`resourceTypes`
+: A resource types list where the SKU applies.
+
+ Field: `resourceType`
+
+`names`
+: A list of SKU names.
+
+ Field: `name`
+
+`sizes`
+: A list of the SKU sizes.
+
+ Field: `size`
+
+`tiers`
+: A tiers list of VM in a scale set.
+
+ Field: `tier`
+
+`kind`
+: The supported kind list of resources.
+
+ Field: `kind`
+
+{{< note >}}
+
+{{< readfile file="content/reusable/md/inspec_filter_table.md" >}}
+
+{{< /note>}}
+
+## Examples
+
+Ensure that there are Standard tier HPC Cache SKUs:
+
+```ruby
+describe azure_hpc_cache_skus.where(tier: 'STANDARD') do
+ it { should exist }
+end
+```
+
+## Matchers
+
+This InSpec audit resource has the following special matchers. For a full list of available matchers, please visit our [Universal Matchers page](https://www.inspec.io/docs/reference/matchers/).
+
+### exists
+
+```ruby
+# Should not exist if no HPC Cache SKUs are present.
+
+describe azure_hpc_cache_skus do
+ it { should_not exist }
+end
+# Should exist if the filter returns at least one HPC Cache SKUs.
+
+describe azure_hpc_cache_skus do
+ it { should exist }
+end
+```
+
+## Azure permissions
+
+{{% inspec-azure/azure_permissions_service_principal role="reader" %}}
diff --git a/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_hpc_caches.md b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_hpc_caches.md
new file mode 100644
index 0000000..ecd1d6c
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_hpc_caches.md
@@ -0,0 +1,125 @@
++++
+title = "azure_hpc_caches resource"
+
+draft = false
+
+
+[menu.azure]
+title = "azure_hpc_caches"
+identifier = "inspec/resources/azure/azure_hpc_caches resource"
+parent = "inspec/resources/azure"
++++
+
+Use the `azure_hpc_caches` InSpec audit resource to test the properties related to all Azure HPC Caches.
+
+## Azure REST API version, endpoint, and HTTP client parameters
+
+{{< readfile file="content/reusable/md/inspec_azure_common_parameters.md" >}}
+
+## Syntax
+
+An `azure_hpc_caches` resource block returns all Azure HPC Caches.
+
+```ruby
+describe azure_hpc_caches do
+ #...
+end
+```
+
+## Parameters
+
+`resource_group` _(optional)_
+: Azure resource group where the targeted resource resides.
+
+## Properties
+
+`ids`
+: A list of resource IDs.
+
+ Field: `id`
+
+`names`
+: A list of HPC Cache names.
+
+ Field: `name`
+
+`types`
+: A list of the HPC Cache types.
+
+ Field: `type`
+
+`properties`
+: A list of Properties for all the HPC Caches.
+
+ Field: `properties`
+
+`locations`
+: A list of the resource locations.
+
+ Field: `location`
+
+`cacheSizeGBs`
+: A list of the sizes of the HPC Cache.
+
+ Field: `cacheSizeGB`
+
+`subnets`
+: A list of subnets used for the HPC Cache.
+
+ Field: `subnet`
+
+{{< note >}}
+
+{{< readfile file="content/reusable/md/inspec_filter_table.md" >}}
+
+{{< /note>}}
+
+## Examples
+
+Loop through HPC Caches by their names:
+
+```ruby
+azure_hpc_caches.names.each do |name|
+ describe azure_hpc_cache(resource_group: 'RESOURCE_GROUP', cache_name: 'HPC_CACHE_NAME', name: name) do
+ it { should exist }
+ end
+end
+```
+
+Test to ensure that there are provisioned HPC Caches:
+
+```ruby
+describe azure_hpc_caches.where(provisioningState: 'SUCCEEDED') do
+ it { should exist }
+end
+```
+
+## Matchers
+
+{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}}
+
+This resource has the following special matchers.
+
+### exists
+
+```ruby
+# Should not exist if no HPC Caches are present.
+
+describe azure_hpc_caches do
+ it { should_not exist }
+end
+```
+
+### not_exists
+
+```ruby
+# Should exist if the filter returns at least one HPC Caches.
+
+describe azure_hpc_caches do
+ it { should exist }
+end
+```
+
+## Azure permissions
+
+{{% inspec-azure/azure_permissions_service_principal role="reader" %}}
diff --git a/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_hpc_storage_target.md b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_hpc_storage_target.md
new file mode 100644
index 0000000..bd04941
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_hpc_storage_target.md
@@ -0,0 +1,116 @@
++++
+title = "azure_hpc_storage_target resource"
+
+draft = false
+
+
+[menu.azure]
+title = "azure_hpc_storage_target"
+identifier = "inspec/resources/azure/azure_hpc_storage_target resource"
+parent = "inspec/resources/azure"
++++
+
+Use the `azure_hpc_storage_target` InSpec audit resource to test the properties related to an Azure HPC Storage Target.
+
+## Azure REST API version, endpoint, and HTTP client parameters
+
+{{< readfile file="content/reusable/md/inspec_azure_common_parameters.md" >}}
+
+## Syntax
+
+`name`, `cache_name`, and `resource_group` are required parameters.
+
+```ruby
+describe azure_hpc_storage_target(resource_group: 'RESOURCE_GROUP', cache_name: 'HPC_CACHE_NAME', name: 'HPC_STORAGE_TARGET_NAME') do
+ it { should exist }
+ its('type') { should eq 'Microsoft.StorageCache/Cache/StorageTarget' }
+ its('location') { should eq 'East US' }
+end
+```
+
+```ruby
+describe azure_hpc_storage_target(resource_group: 'RESOURCE_GROUP', cache_name: 'HPC_CACHE_NAME', name: 'HPC_STORAGE_TARGET_NAME') do
+ it { should exist }
+end
+```
+
+## Parameters
+
+`name` _(required)_
+: Name of the Azure HPC Storage Targets to test.
+
+`resource_group` _(required)_
+: Azure resource group where the targeted resource resides.
+
+`cache_name` _(required)_
+: Azure HPC Cache name.
+
+## Properties
+
+`id`
+: Resource ID of the Storage Target.
+
+`name`
+: Name of the Storage Target.
+
+`type`
+: Resource type.
+
+`location`
+: Region name string.
+
+`properties`
+: The properties of the HPC Storage Target.
+
+`properties.blobNfs`
+: The properties when the **targetType** is `blobNfs`.
+
+`properties.state`
+: The storage target operational state.
+
+`properties.nfs3`
+: Properties when the **targetType** is `nfs3`.
+
+For properties applicable to all resources, such as `type`, `name`, `id`, and `properties`, refer to [`azure_generic_resource`](azure_generic_resource#properties).
+
+Also, see the [Azure documentation](https://docs.microsoft.com/en-us/rest/api/storagecache/storage-targets/get#storagetarget) for other available properties.
+
+## Examples
+
+Test that the HPC Storage Target is ready:
+
+```ruby
+describe azure_hpc_storage_target(resource_group: 'RESOURCE_GROUP', cache_name: 'HPC_CACHE_NAME', name: 'HPC_STORAGE_TARGET_NAME') do
+ its('properties.state') { should eq 'Ready' }
+end
+```
+
+## Matchers
+
+{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}}
+
+This resource has the following special matchers.
+
+### exists
+
+```ruby
+# If an HPC Storage Target is found, it will exist.
+
+describe azure_hpc_storage_target(resource_group: 'RESOURCE_GROUP', cache_name: 'HPC_CACHE_NAME', name: 'HPC_STORAGE_TARGET_NAME') do
+ it { should exist }
+
+```
+
+### not_exists
+
+```ruby
+# if HPC Storage Target is not found, it will not exist.
+
+describe azure_hpc_storage_target(resource_group: 'RESOURCE_GROUP', cache_name: 'HPC_CACHE_NAME', name: 'HPC_STORAGE_TARGET_NAME') do
+ it { should_not exist }
+end
+```
+
+## Azure permissions
+
+{{% inspec-azure/azure_permissions_service_principal role="reader" %}}
diff --git a/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_hpc_storage_targets.md b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_hpc_storage_targets.md
new file mode 100644
index 0000000..66aad29
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_hpc_storage_targets.md
@@ -0,0 +1,128 @@
++++
+title = "azure_hpc_storage_targets resource"
+
+draft = false
+
+
+[menu.azure]
+title = "azure_hpc_storage_targets"
+identifier = "inspec/resources/azure/azure_hpc_storage_targets resource"
+parent = "inspec/resources/azure"
++++
+
+Use the `azure_hpc_storage_targets` InSpec audit resource to test the properties related to all Azure HPC Storage Targets.
+
+## Azure REST API version, endpoint, and HTTP client parameters
+
+{{< readfile file="content/reusable/md/inspec_azure_common_parameters.md" >}}
+
+## Syntax
+
+An `azure_hpc_storage_targets` resource block returns all Azure HPC Storage Targets.
+
+```ruby
+describe azure_hpc_storage_targets(resource_group: 'RESOURCE_GROUP', cache_name: 'HPC_CACHE_NAME') do
+ #...
+end
+```
+
+## Parameters
+
+`resource_group` _(required)_
+: Azure resource group where the targeted resource resides.
+
+`cache_name` _(required)_
+: Azure HPC Cache name.
+
+## Properties
+
+`ids`
+: A list of resource IDs.
+
+ Field: `id`
+
+`names`
+: A list of resource Names.
+
+ Field: `name`
+
+`types`
+: A list of the resource types.
+
+ Field: `type`
+
+`properties`
+: A list of Properties for all the HPC Storage Targets.
+
+ Field: `properties`
+
+`locations`
+: A list of the resource locations.
+
+ Field: `location`
+
+`targetTypes`
+: A list of the types of storage target.
+
+ Field: `targetType`
+
+`states`
+: A list of the operational state of the storage target.
+
+ Field: `provisioningState`
+
+{{< note >}}
+
+{{< readfile file="content/reusable/md/inspec_filter_table.md" >}}
+
+{{< /note>}}
+
+## Examples
+
+Loop through HPC Storage Targets by their names:
+
+```ruby
+azure_hpc_storage_targets(resource_group: 'RESOURCE_GROUP', cache_name: 'HPC_CACHE_NAME').names.each do |name|
+ describe azure_hpc_storage_target(resource_group: 'RESOURCE_GROUP', cache_name: 'HPC_CACHE_NAME', name: name) do
+ it { should exist }
+ end
+end
+```
+
+Test that there are HPC Storage Targets that are ready:
+
+```ruby
+describe azure_hpc_storage_targets(resource_group: 'RESOURCE_GROUP', cache_name: 'HPC_CACHE_NAME').where(state: 'Ready') do
+ it { should exist }
+end
+```
+
+## Matchers
+
+{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}}
+
+This resource has the following special matchers.
+
+### exists
+
+```ruby
+# Should not exist if no HPC Storage Targets are present.
+
+describe azure_hpc_storage_targets(resource_group: 'RESOURCE_GROUP', cache_name: 'HPC_CACHE_NAME') do
+ it { should_not exist }
+end
+```
+
+### not_exists
+
+```ruby
+# Should exist if the filter returns at least one HPC Storage Targets.
+
+describe azure_hpc_storage_targets(resource_group: 'RESOURCE_GROUP', cache_name: 'HPC_CACHE_NAME') do
+ it { should exist }
+end
+```
+
+## Azure permissions
+
+{{% inspec-azure/azure_permissions_service_principal role="reader" %}}
diff --git a/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_iothub.md b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_iothub.md
new file mode 100644
index 0000000..d787bc6
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_iothub.md
@@ -0,0 +1,106 @@
++++
+title = "azure_iothub resource"
+
+draft = false
+
+
+[menu.azure]
+title = "azure_iothub"
+identifier = "inspec/resources/azure/azure_iothub resource"
+parent = "inspec/resources/azure"
++++
+
+Use the `azure_iothub` InSpec audit resource to test the properties of an Azure IoT hub within a resource group.
+
+## Azure REST API version, endpoint, and HTTP client parameters
+
+{{< readfile file="content/reusable/md/inspec_azure_common_parameters.md" >}}
+
+## Syntax
+
+`resource_group` and `name`, or the `resource_id` are required parameters.
+
+```ruby
+describe azure_iothub(resource_group: 'RESOURCE_GROUP', name: 'IoT_NAME') do
+ it { should exist }
+end
+```
+
+```ruby
+describe azure_iothub(resource_id: '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Devices/IotHubs/{resourceName}') do
+ it { should exist }
+end
+```
+
+## Parameters
+
+`resource_group`
+: Azure resource group where the targeted resource resides.
+
+`name`
+: The unique name of the IoT hub.
+
+`resource_name`
+: Alias for the `name` parameter.
+
+`resource_id`
+: The unique resource ID.
+
+Either one of the parameter sets can be provided for a valid query:
+
+- `resource_id`
+- `resource_group` and `name`
+- `resource_group` and `resource_name`
+
+## Properties
+
+`sku`
+: The SKU of the resource with [these](https://docs.microsoft.com/en-us/rest/api/iothub/iothubresource/get#iothubskuinfo) properties.
+
+For properties applicable to all resources, such as `type`, `name`, `id`, and `properties`, refer to [`azure_generic_resource`](azure_generic_resource#properties).
+
+Also, see the [Azure documentation](https://docs.microsoft.com/en-us/rest/api/iothub/iothubresource/get#iothubdescription) for other available properties. You can access any attribute in the response with the key names separated by dots (`.`).
+
+## Examples
+
+Test if file upload notifications are enabled:
+
+```ruby
+describe azure_iothub(resource_group: 'RESOURCE_GROUP', name: 'IoT_NAME') do
+ its('properties.enableFileUploadNotifications') { should cmp true }
+end
+```
+
+```ruby
+describe azure_iothub(resource_id: '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Devices/IotHubs/{resourceName}') do
+ its('properties.enableFileUploadNotifications') { should cmp true }
+end
+```
+
+## Matchers
+
+This InSpec audit resource has the following special matchers. For a full list of available matchers, please visit our [Universal Matchers page](https://docs.chef.io/inspec/matchers/).
+
+### exists
+
+```ruby
+# If we expect the resource to always exist.
+
+describe azure_iothub(resource_group: 'RESOURCE_GROUP', name: 'IoT_NAME') do
+ it { should exist }
+end
+```
+
+### not_exists
+
+```ruby
+# If we expect the resource to never exist.
+
+describe azure_iothub(resource_group: 'RESOURCE_GROUP', name: 'IoT_NAME') do
+ it { should_not exist }
+end
+```
+
+## Azure permissions
+
+{{% inspec-azure/azure_permissions_service_principal role="contributor" %}}
diff --git a/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_iothub_event_hub_consumer_group.md b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_iothub_event_hub_consumer_group.md
new file mode 100644
index 0000000..e3a7424
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_iothub_event_hub_consumer_group.md
@@ -0,0 +1,112 @@
++++
+title = "azure_iothub_event_hub_consumer_group resource"
+
+draft = false
+
+
+[menu.azure]
+title = "azure_iothub_event_hub_consumer_group"
+identifier = "inspec/resources/azure/azure_iothub_event_hub_consumer_group resource"
+parent = "inspec/resources/azure"
++++
+
+Use the `azure_iothub_event_hub_consumer_group` InSpec audit resource to test the properties and configuration of an Azure IoT Hub Event Hub Consumer Group within a resource group.
+
+## Azure REST API version, endpoint, and HTTP client parameters
+
+{{< readfile file="content/reusable/md/inspec_azure_common_parameters.md" >}}
+
+## Syntax
+
+`resource_group`, `resource_name`, `event_hub_endpoint`, and `name`, or the `resource_id` are required parameters.
+
+```ruby
+describe azure_iothub_event_hub_consumer_group(resource_group: 'RESOURCE_GROUP', resource_name: 'IoT_NAME', event_hub_endpoint: 'EVENT_HUB_NAME', name: 'CONSUMER_GROUP') do
+ it { should exist }
+end
+```
+
+```ruby
+describe azure_iothub_event_hub_consumer_group(resource_id: '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Devices/IotHubs/{resourceName}/eventHubEndpoints/{eventHubEndpointName}/ConsumerGroups/{name}') do
+ it { should exist }
+end
+```
+
+## Parameters
+
+`resource_group`
+: Azure resource group where the targeted resource resides.
+
+`resource_name`
+: The name of the IoT hub.
+
+`event_hub_endpoint`
+: The name of the Event Hub-compatible endpoint in the IoT hub.
+
+`name`
+: The name of the consumer group to retrieve.
+
+`consumer_group`
+: Alias for the `name` parameter.
+
+`resource_id`
+: The unique resource ID. `/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Devices/IotHubs/{resourceName}/eventHubEndpoints/{eventHubEndpointName}/ConsumerGroups/{name}`.
+
+Either one of the parameter sets can be provided for a valid query:
+
+- `resource_id`
+- `resource_group`, `resource_name`, `event_hub_endpoint` and `name`
+- `resource_group`, `resource_name`, `event_hub_endpoint` and `consumer_group`
+
+## Properties
+
+`name`
+: The Event Hub-compatible consumer group name.
+
+For properties applicable to all resources, such as `type`, `tags`, `id`, and `properties`, refer to [`azure_generic_resource`](azure_generic_resource#properties).
+
+Also, see the [Azure documentation](https://docs.microsoft.com/en-us/rest/api/iothub/iothubresource/geteventhubconsumergroup#eventhubconsumergroupinfo) for other available properties. You can access any attribute in the response with the key names separated by dots (`.`).
+
+## Examples
+
+Test the resource name:
+
+```ruby
+describe azure_iothub_event_hub_consumer_group(resource_group: 'RESOURCE_GROUP', resource_name: 'IoT_NAME', event_hub_endpoint: 'EVENT_HUB_NAME', name: 'CONSUMER_GROUP') do
+ its('name') { should cmp 'CONSUMER_GROUP' }
+end
+```
+
+```ruby
+describe azure_iothub_event_hub_consumer_group(resource_id: '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Devices/IotHubs/{resourceName}/eventHubEndpoints/{eventHubEndpointName}/ConsumerGroups/{name}') do
+ its('name') { should cmp 'CONSUMER_GROUP' }
+end
+```
+
+## Matchers
+
+This InSpec audit resource has the following special matchers. For a full list of available matchers, please visit our [Universal Matchers page](https://docs.chef.io/inspec/matchers/).
+
+### exists
+
+```ruby
+# If we expect the resource to always exist.
+
+describe azure_iothub_event_hub_consumer_group(resource_group: 'RESOURCE_GROUP', resource_name: 'IoT_NAME', event_hub_endpoint: 'EVENT_HUB_NAME', name: 'CONSUMER_GROUP') do
+ it { should exist }
+end
+```
+
+### not_exists
+
+```ruby
+# If we expect the resource to never exist.
+
+describe azure_iothub_event_hub_consumer_group(resource_group: 'RESOURCE_GROUP', resource_name: 'IoT_NAME', event_hub_endpoint: 'EVENT_HUB_NAME', name: 'CONSUMER_GROUP') do
+ it { should_not exist }
+end
+```
+
+## Azure permissions
+
+{{% inspec-azure/azure_permissions_service_principal role="contributor" %}}
diff --git a/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_iothub_event_hub_consumer_groups.md b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_iothub_event_hub_consumer_groups.md
new file mode 100644
index 0000000..437b70c
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_iothub_event_hub_consumer_groups.md
@@ -0,0 +1,114 @@
++++
+title = "azure_iothub_event_hub_consumer_groups resource"
+
+draft = false
+
+
+[menu.azure]
+title = "azure_iothub_event_hub_consumer_groups"
+identifier = "inspec/resources/azure/azure_iothub_event_hub_consumer_groups resource"
+parent = "inspec/resources/azure"
++++
+
+Use the `azure_iothub_event_hub_consumer_groups` InSpec audit resource to test the properties and configuration of an Azure IoT Hub Event Hub Consumer Groups within a resource group.
+
+## Azure REST API version, endpoint, and HTTP client parameters
+
+{{< readfile file="content/reusable/md/inspec_azure_common_parameters.md" >}}
+
+## Syntax
+
+The `resource_group`, `resource_name`, and `event_hub_endpoint` are required parameters.
+
+```ruby
+describe azure_iothub_event_hub_consumer_groups(resource_group: 'RESOURCE_GROUP', resource_name: 'IoT_NAME', event_hub_endpoint: 'EVENT_HUB_NAME') do
+ its('names') { should include 'CONSUMER_GROUP'}
+ its('types') { should include 'Microsoft.Devices/IotHubs/EventHubEndpoints/ConsumerGroups' }
+end
+```
+
+## Parameters
+
+`resource_group`
+: Azure resource group where the targeted resource resides.
+
+`resource_name`
+: The name of the IoT hub.
+
+`event_hub_endpoint`
+: The name of the Event Hub-compatible endpoint in the IoT hub.
+
+## Properties
+
+`ids`
+: A list of the unique resource IDs.
+
+ Field: `id`
+
+`locations`
+: A list of locations for all the resources being interrogated.
+
+ Field: `location`
+
+`names`
+: A list of names of all the resources being interrogated.
+
+ Field: `name`
+
+`tags`
+: A list of `tag:value` pairs defined on the resources being interrogated.
+
+ Field: `tags`
+
+`types`
+: A list of the types of resources being interrogated.
+
+ Field: `type`
+
+`properties`
+: A list of properties for all the resources being interrogated.
+
+ Field: `properties`
+
+`etags`
+: A list of etags defined on the resources.
+
+ Field: `etag`
+
+{{< note >}}
+
+{{< readfile file="content/reusable/md/inspec_filter_table.md" >}}
+
+{{< /note>}}
+
+## Examples
+
+Check if a specific consumer group exists:
+
+```ruby
+describe azure_iothub_event_hub_consumer_groups(resource_group: 'RESOURCE_GROUP', resource_name: 'IoT_NAME', event_hub_endpoint: 'EVENT_HUB_NAME') do
+ its('names') { should include('CONSUMER_GROUP') }
+end
+```
+
+### exists
+
+The control passes if the filter returns at least one result. Use `should_not` if you expect zero matches.
+
+```ruby
+If we expect at least one resource to exist on a specified endpoint:
+
+describe azure_iothub_event_hub_consumer_groups(resource_group: 'RESOURCE_GROUP', resource_name: 'IoT_NAME', event_hub_endpoint: 'EVENT_HUB_NAME') do
+ it { should exist }
+end
+
+If we expect not to exist consumer groups on a specified endpoint:
+
+describe azure_iothub_event_hub_consumer_groups(resource_group: 'RESOURCE_GROUP', resource_name: 'IoT_NAME', event_hub_endpoint: 'EVENT_HUB_NAME') do
+ it { should_not exist }
+end
+```
+
+## Azure permissions
+
+{{% inspec-azure/azure_permissions_service_principal role="contributor" %}}
diff --git a/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_key_vault.md b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_key_vault.md
new file mode 100644
index 0000000..117460a
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_key_vault.md
@@ -0,0 +1,124 @@
++++
+title = "azure_key_vault resource"
+
+draft = false
+
+
+[menu.azure]
+title = "azure_key_vault"
+identifier = "inspec/resources/azure/azure_key_vault resource"
+parent = "inspec/resources/azure"
++++
+
+Use the `azure_key_vault` InSpec audit resource to test the properties related to a key vault.
+
+## Azure REST API version, endpoint, and HTTP client parameters
+
+{{< readfile file="content/reusable/md/inspec_azure_common_parameters.md" >}}
+
+## Syntax
+
+`resource_group` and `name`, or the `resource_id` are required parameters.
+
+```ruby
+describe azure_key_vault(resource_group: 'RESOURCE_GROUP', name: 'VAULT-101') do
+ it { should exist }
+ its('name') { should cmp 'vault-101' }
+end
+```
+
+```ruby
+describe azure_key_vault(resource_id: '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroup}/providers/Microsoft.KeyVault/vaults/{vaultName}') do
+ it { should exist }
+end
+```
+
+## Parameters
+
+`resource_group`
+: Azure resource group where the targeted resource resides.
+
+`name`
+: Name of the Azure resource to test.
+
+`vault_name`
+: Name of the Azure resource to test (for backward compatibility).
+
+`resource_id`
+: The unique resource ID.
+
+`diagnostic_settings_api_version`
+: The endpoint API version for the `diagnostic_settings` property. `2017-05-01-preview` will be used for backward compatibility unless provided.
+
+Either one of the parameter sets can be provided for a valid query:
+
+- `resource_id`
+- `resource_group` and `name`
+- `resource_group` and `vault_name`
+
+## Properties
+
+`diagnostic_settings`
+: The active diagnostic settings list for the key vault.
+
+`diagnostic_settings_logs`
+: The logs enabled status of every category for the key vault.
+
+For properties applicable to all resources, such as `type`, `name`, `id`, and `properties`, refer to [`azure_generic_resource`](azure_generic_resource#properties).
+
+Also, see the [Azure documentation](https://docs.microsoft.com/en-us/rest/api/keyvault/keyvault/vaults/get) for other available properties.
+You can access any attribute in the response with the key names separated by dots (`.`).
+
+## Examples
+
+Test key vault's SKU family:
+
+```ruby
+describe azure_key_vault(resource_group: 'RESOURCE_GROUP', name: 'VAULT_NAME') do
+ its('properties.sku.family') { should eq 'A' }
+end
+```
+
+Test if the key vault is enabled for disk encryption:
+
+```ruby
+describe azure_key_vault(resource_group: 'RESOURCE_GROUP', name: 'VAULT_NAME') do
+ its('properties.enabledForDiskEncryption') { should be_true }
+end
+```
+
+Test if Azure key vault audit logging is enabled:
+
+```ruby
+describe azure_key_vault(resource_group: 'RESOURCE_GROUP', name: 'VAULT_NAME') do
+ its('diagnostic_settings_logs') { should include(true) }
+end
+```
+
+## Matchers
+
+{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}}
+
+### exists
+
+```ruby
+# If a key vault is found, it will exist.
+
+describe azure_key_vault(resource_group: 'RESOURCE_GROUP', name: 'VAULT_NAME') do
+ it { should exist }
+end
+```
+
+### not_exists
+
+```ruby
+# Key vaults that aren't found, will not exist.
+
+describe azure_key_vault(resource_group: 'RESOURCE_GROUP', name: 'VAULT_NAME') do
+ it { should_not exist }
+end
+```
+
+## Azure permissions
+
+{{% inspec-azure/azure_permissions_service_principal role="contributor" %}}
diff --git a/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_key_vault_key.md b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_key_vault_key.md
new file mode 100644
index 0000000..df18900
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_key_vault_key.md
@@ -0,0 +1,132 @@
++++
+title = "azure_key_vault_key resource"
+
+draft = false
+
+
+[menu.azure]
+title = "azure_key_vault_key"
+identifier = "inspec/resources/azure/azure_key_vault_key resource"
+parent = "inspec/resources/azure"
++++
+
+Use the `azure_key_vault_key` InSpec audit resource to test the properties and configuration of an Azure key within a vault.
+
+## Azure REST API version, endpoint, and HTTP client parameters
+
+{{< readfile file="content/reusable/md/inspec_azure_common_parameters.md" >}}
+
+## Syntax
+
+An `azure_key_vault_key` resource block identifies an Azure key by `vault_name` and `key_name`, or the `key_id`. You may also specify a `key_version`. If no version is specified, the most recent version of the key will be used.
+
+```ruby
+describe azure_key_vault_key(vault_name: 'EXAMPLE_VAULT', key_name: 'EXAMPLE_KEY') do
+ it { should exist }
+end
+```
+
+```ruby
+describe azure_key_vault_key(vault_name: 'EXAMPLE_VAULT', key_name: 'EXAMPLE_KEY', key_version: '78deebed173b48e48f55abf87ed4cf71') do
+ it { should exist }
+end
+```
+
+```ruby
+describe azure_key_vault_key(key_id: 'https://example_vault.vault.azure.net/keys/key/7df9bf2c3b4347bab213ebe233f0e350') do
+ it { should exist }
+end
+```
+
+## Parameters
+
+`vault_name`
+: The name of the key vault where the targeted key resides.
+
+`key_name`
+: The name of the key to interrogate.
+
+`name`
+: Alias for the `key_name` parameter.
+
+`key_version`
+: (Optional) - The version of a key. For example, `7df9bf2c3b4347bab213ebe233f0e350`.
+
+`key_id`
+: The unique ID of the key. For example, `https://example_vault.vault.azure.net/keys/key/7df9bf2c3b4347bab213ebe233f0e350`.
+
+Either one of the parameter sets can be provided for a valid query:
+
+- `vault_name` and `key_name`
+- `vault_name` and `name`
+- `key_id`
+
+## Properties
+
+`attributes`
+: The key management attributes in [this](https://docs.microsoft.com/en-us/rest/api/keyvault/keys/get-key/get-key?tabs=HTTP#keyattributes) format.
+
+`key`
+: The JSON web key in [this](https://docs.microsoft.com/en-us/rest/api/keyvault/keys/get-key/get-key?tabs=HTTP#jsonwebkey) format.
+
+`managed`
+: `true` if the key's lifetime is managed by key vault. If this is a key backing a certificate, then managed will be `true`.
+
+`tags`
+: Application-specific metadata in the form of key-value pairs.
+
+Also, see the [Azure documentation](https://docs.microsoft.com/en-us/rest/api/keyvault/keys/get-key/get-key?tabs=HTTP) for more details. You can access any attribute in the response with the key names separated by dots (`.`).
+
+## Examples
+
+Test the key identifier:
+
+```ruby
+describe azure_key_vault_key(vault_name: 'EXAMPLE_VAULT', key_name: 'EXAMPLE_KEY', key_version: '7df9bf2c3b4347bab213ebe233f0e350') do
+ its('key.kid') { should cmp 'https://example_vault.vault.azure.net/keys/key/7df9bf2c3b4347bab213ebe233f0e350' }
+end
+```
+
+Test if the key is enabled:
+
+```ruby
+describe azure_key_vault_key(vault_name: 'EXAMPLE_VAULT', key_name: 'EXAMPLE_KEY') do
+ its('attributes.enabled') { should eq true }
+end
+```
+
+Test if the rotationploicy is enabled:
+
+```ruby
+describe azure_key_vault_key(vault_name: 'EXAMPLE_VAULT', key_name: 'EXAMPLE_KEY') do
+ it { should have_rotation_policy_enabled }
+end
+```
+
+## Matchers
+
+This InSpec audit resource has the following special matchers. For a full list of available matchers, please visit our [Universal Matchers page](https://docs.chef.io/inspec/matchers/).
+
+### exists
+
+```ruby
+# If we expect the key to always exist.
+
+describe azure_key_vault_key(vault_name: 'EXAMPLE_VAULT', key_name: 'EXAMPLE_KEY') do
+ it { should exist }
+end
+```
+
+### not_exists
+
+```ruby
+# If we expect the key to never exist.
+
+describe azure_key_vault_key(vault_name: 'EXAMPLE_VAULT', key_name: 'EXAMPLE_KEY') do
+ it { should_not exist }
+end
+```
+
+## Azure permissions
+
+{{% inspec-azure/azure_permissions_service_principal role="contributor" %}}
diff --git a/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_key_vault_keys.md b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_key_vault_keys.md
new file mode 100644
index 0000000..a178b1c
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_key_vault_keys.md
@@ -0,0 +1,114 @@
++++
+title = "azure_key_vault_keys resource"
+
+draft = false
+
+
+[menu.azure]
+title = "azure_key_vault_keys"
+identifier = "inspec/resources/azure/azure_key_vault_keys resource"
+parent = "inspec/resources/azure"
++++
+
+Use the `azure_key_vault_keys` InSpec audit resource to test the properties and configuration of multiple Azure keys within vaults.
+
+## Azure REST API version, endpoint, and HTTP client parameters
+
+{{< readfile file="content/reusable/md/inspec_azure_common_parameters.md" >}}
+
+## Syntax
+
+An `azure_key_vault_keys` resource block returns all keys within a vault.
+
+```ruby
+describe azure_key_vault_keys(vault_name: 'EXAMPLE_VAULT') do
+ #...
+end
+```
+
+## Parameters
+
+`vault_name`
+
+: The name of the vault.
+
+## Properties
+
+`attributes`
+: A list of the key management attributes in [this](https://docs.microsoft.com/en-us/rest/api/keyvault/keys/get-key/get-key?tabs=HTTP#keyattributes) format.
+
+ Field: `attributes`
+
+`kids`
+: A list of key IDs.
+
+ Field: `kid`
+
+`managed`
+: A list of boolean values indicating if the keys are managed by key vault or not.
+
+ Field: `managed`
+
+`tags`
+: A list of `tag:value` pairs defined on the resources being interrogated.
+
+ Field: `tags`
+
+{{< note >}}
+
+{{< readfile file="content/reusable/md/inspec_filter_table.md" >}}
+
+{{< /note>}}
+
+## Examples
+
+Test that a vault has the named key:
+
+```ruby
+describe azure_key_vault_keys(vault_name: 'EXAMPLE_VAULT').where { kid.include?('KEY_NAME')} do
+ it { should exist }
+ its('count') { should be 1 }
+end
+```
+
+Loop through keys by the key ID:
+
+```ruby
+azure_key_vault_keys(vault_name: 'EXAMPLE_VAULT').kids.each do |kid|
+ describe azure_key_vault_key(key_id: kid) do
+ it { should exist }
+ end
+end
+```
+
+## Matchers
+
+{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}}
+
+This resource has the following special matchers.
+
+### exists
+
+The control passes if the filter returns at least one result.
Use `should_not` if you expect zero matches.
+
+```ruby
+# If we expect to have at least one key in a vault.
+
+describe azure_key_vault_keys(vault_name: 'EXAMPLE_VAULT') do
+ it { should exist }
+end
+```
+
+### not_exists
+
+```ruby
+# If we expect not to have any keys in a vault.
+
+describe azure_key_vault_keys(vault_name: 'EXAMPLE_VAULT') do
+ it { should_not exist }
+end
+```
+
+## Azure permissions
+
+{{% inspec-azure/azure_permissions_service_principal role="contributor" %}}
diff --git a/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_key_vault_secret.md b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_key_vault_secret.md
new file mode 100644
index 0000000..c95363c
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_key_vault_secret.md
@@ -0,0 +1,135 @@
++++
+title = "azure_key_vault_secret resource"
+
+draft = false
+
+
+[menu.azure]
+title = "azure_key_vault_secret"
+identifier = "inspec/resources/azure/azure_key_vault_secret resource"
+parent = "inspec/resources/azure"
++++
+
+Use the `azure_key_vault_secret` InSpec audit resource to test the properties and configuration of an Azure secret within a vault.
+
+## Azure REST API version, endpoint, and HTTP client parameters
+
+{{< readfile file="content/reusable/md/inspec_azure_common_parameters.md" >}}
+
+## Syntax
+
+An `azure_key_vault_secret` resource block identifies an Azure secret by `vault_name` and `secret_name`, or the `secret_id`. You may also specify a `secret_version`. If no version is specified, the most recent version of the secret is used.
+
+```ruby
+describe azure_key_vault_secret(vault_name: 'EXAMPLE_VAULT', secret_name: 'EXAMPLE_SECRET') do
+ it { should exist }
+end
+```
+
+```ruby
+describe azure_key_vault_secret(vault_name: 'EXAMPLE_VAULT', secret_name: 'EXAMPLE_SECRET', secret_version: '78deebed173b48e48f55abf87ed4cf71') do
+ it { should exist }
+end
+```
+
+```ruby
+describe azure_key_vault_secret(secret_id: 'https://example_vault.vault.azure.net/secrets/secret_name/7df9bf2c3b4347bab213ebe233f0e350') do
+ it { should exist }
+end
+```
+
+## Parameters
+
+`vault_name`
+: The key vault name where the targeted secret resides.
+
+`secret_name`
+: The name of the secret to interrogate.
+
+`name`
+: Alias for the `secret_name` parameter.
+
+`secret_version` _Optional_
+: The version of a secret. For example, `7df9bf2c3b4347bab213ebe233f0e350`.
+
+`secret_id`
+: The unique ID of the secret. For example, `https://example_vault.vault.azure.net/secrets/secret_name/7df9bf2c3b4347bab213ebe233f0e350`.
+
+Either one of the parameter sets can be provided for a valid query:
+
+- `vault_name` and `secret_name`
+- `vault_name` and `name`
+- `secret_id`
+
+## Properties
+
+`id`
+: The secret ID.
`https://example_vault.vault.azure.net/secrets/secret_name`.
+
+`kid`
+: If this is a secret backing a KV certificate, then this field specifies the corresponding key backing the KV certificate.
+
+`attributes`
+: The secret management attributes in [this](https://docs.microsoft.com/en-us/rest/api/keyvault/secrets/get-secrets/get-secrets?tabs=HTTP#secretattributes) format.
+
+`contentType`
+: The content type of the secret.
+
+`content_type`
+: Alias for the `contentType`.
+
+`managed`
+: `true` if the secret's lifetime is managed by key vault. If this is a secret backing a certificate, then managed will be `true`.
+
+`tags`
+: Application specific metadata in the form of key-value pairs.
+
+`value`
+: The secret's value.
+
+Also, see the [Azure documentation](https://docs.microsoft.com/en-us/rest/api/keyvault/secrets/get-secrets/get-secrets) for more details.
+You can access any attribute in the response with the key names separated by dots (`.`).
+
+## Examples
+
+Test the secret identifier:
+
+```ruby
+describe azure_key_vault_secret(vault_name: 'EXAMPLE_VAULT', secret_name: 'EXAMPLE_SECRET') do
+ its('id') { should cmp 'https://example_vault.vault.azure.net/secrets/example_secret' }
+end
+```
+
+Test if the secret is enabled:
+
+```ruby
+describe azure_key_vault_secret(vault_name: 'EXAMPLE_VAULT', secret_name: 'EXAMPLE_SECRET') do
+ its('attributes.enabled') { should eq true }
+end
+```
+
+## Matchers
+
+This InSpec audit resource has the following special matchers. For a full list of available matchers, please visit our [Universal Matchers page](https://docs.chef.io/inspec/matchers/).
+
+### exists
+
+```ruby
+# If we expect the secret to always exist.
+describe azure_key_vault_secret(vault_name: 'EXAMPLE_VAULT', secret_name: 'EXAMPLE_SECRET') do
+ it { should exist }
+end
+```
+
+### not_exists
+
+```ruby
+# If we expect the secret to never exist.
+describe azure_key_vault_secret(vault_name: 'EXAMPLE_VAULT', secret_name: 'EXAMPLE_SECRET') do
+ it { should_not exist }
+end
+```
+
+## Azure permissions
+
+{{% inspec-azure/azure_permissions_service_principal role="contributor" %}}
diff --git a/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_key_vault_secrets.md b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_key_vault_secrets.md
new file mode 100644
index 0000000..17961aa
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_key_vault_secrets.md
@@ -0,0 +1,117 @@
++++
+title = "azure_key_vault_secrets resource"
+
+draft = false
+
+
+[menu.azure]
+title = "azure_key_vault_secrets"
+identifier = "inspec/resources/azure/azure_key_vault_secrets resource"
+parent = "inspec/resources/azure"
++++
+
+Use the `azure_key_vault_secrets` InSpec audit resource to test the properties and configuration of multiple Azure secrets within vaults.
+
+## Azure REST API version, endpoint, and HTTP client parameters
+
+{{< readfile file="content/reusable/md/inspec_azure_common_parameters.md" >}}
+
+## Syntax
+
+An `azure_key_vault_secrets` resource block returns all secrets within a vault.
+
+```ruby
+describe azure_key_vault_secrets(vault_name: 'EXAMPLE_VAULT') do
+ #...
+end
+```
+
+## Parameters
+
+`vault_name`
+
+: The name of the vault.
+
+## Properties
+
+`attributes`
+: A list of the secret management attributes in [this](https://docs.microsoft.com/en-us/rest/api/keyvault/secrets/get-secrets/get-secrets?tabs=HTTP#secretattributes) format.
+
+ Field: `attributes`
+
+`ids`
+: A list of secret IDs.
+
+ Field: `id`
+
+`managed`
+: A list of boolean values indicating if the secrets are managed by key vault or not.
+
+ Field: `managed`
+
+`contentTypes`
+: A list of secrets content type being interrogated.
+
+ Field: `contentType`
+
+`tags`
+: A list of `tag:value` pairs defined on the resources being interrogated.
+
+ Field: `tags`
+
+{{< note >}}
+
+{{< readfile file="content/reusable/md/inspec_filter_table.md" >}}
+
+{{< /note>}}
+
+## Examples
+
+Test that a vault has the named secret:
+
+```ruby
+describe azure_key_vault_secrets(vault_name: 'EXAMPLE_VAULT').where { id.include?('SECRET')} do
+ it { should exist }
+ its('count') { should be 1 }
+end
+```
+
+Loop through secrets by their IDs:
+
+```ruby
+azure_key_vault_secrets(vault_name: 'EXAMPLE_VAULT').ids.each do |id|
+ describe azure_key_vault_secret(secret_id: id) do
+ it { should exist }
+ end
+end
+```
+
+## Matchers
+
+{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}}
+
+This resource has the following special matchers.
+
+### exists
+
+The control passes if the filter returns at least one result. Use `should_not` if you expect zero matches.
+
+```ruby
+# If we expect to have at least one secret in a vault.
+describe azure_key_vault_secrets(vault_name: 'EXAMPLE_VAULT') do
+ it { should exist }
+end
+```
+
+### not_exists
+
+```ruby
+# If we expect not have any secrets in a vault.
+describe azure_key_vault_secrets(vault_name: 'EXAMPLE_VAULT') do
+ it { should_not exist }
+end
+```
+
+## Azure permissions
+
+{{% inspec-azure/azure_permissions_service_principal role="contributor" %}}
diff --git a/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_key_vaults.md b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_key_vaults.md
new file mode 100644
index 0000000..049d96d
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_key_vaults.md
@@ -0,0 +1,137 @@
++++
+title = "azure_key_vaults resource"
+
+draft = false
+
+
+[menu.azure]
+title = "azure_key_vaults"
+identifier = "inspec/resources/azure/azure_key_vaults resource"
+parent = "inspec/resources/azure"
++++
+
+Use the `azure_key_vaults` InSpec audit resource to test the properties related to key vaults for a resource group or the entire subscription.
+
+## Azure REST API version, endpoint, and HTTP client parameters
+
+{{< readfile file="content/reusable/md/inspec_azure_common_parameters.md" >}}
+
+## Syntax
+
+An `azure_key_vaults` resource block returns all Azure key vaults, either within a resource group (if provided) or the entire subscription.
+
+```ruby
+describe azure_key_vaults do
+ #...
+end
+```
+
+Or
+
+```ruby
+describe azure_key_vaults(resource_group: 'RESOURCE_GROUP') do
+ #...
+end
+```
+
+## Parameters
+
+`resource_group` _(optional)_
+
+: The name of the resource group.
+
+## Properties
+
+`ids`
+: A list of the unique resource IDs.
+
+ Field: `id`
+
+`names`
+: A list of all the key vault names.
+
+ Field: `name`
+
+`tags`
+: A list of `tag:value` pairs defined on the resources.
+
+ Field: `tags`
+
+`types`
+: A list of types of all the key vaults.
+
+ Field: `type`
+
+`locations`
+: A list of locations for all the key vaults.
+
+ Field: `location`
+
+`properties`
+: A list of properties for all the key vaults.
+
+ Field: `properties`
+
+{{< note >}}
+
+{{< readfile file="content/reusable/md/inspec_filter_table.md" >}}
+
+{{< /note>}}
+
+## Examples
+
+Loop through key vaults by their IDs:
+
+```ruby
+azure_key_vaults.ids.each do |id|
+ describe azure_key_vault(resource_id: id) do
+ it { should exist }
+ end
+end
+```
+
+Test to ensure there are key vaults that include a certain string in their names (client-side filtering):
+
+```ruby
+describe azure_key_vaults.where { name.include?('deployment') } do
+ it { should exist }
+end
+```
+
+Test to ensure there are key vaults that include a certain string in their names (Server Side Filtering via Generic Resource - Recommended):
+
+```ruby
+describe azure_generic_resources(resource_provider: 'Microsoft.KeyVault/vaults', substring_of_name: 'deployment') do
+ it { should exist }
+end
+```
+
+## Matchers
+
+{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}}
+
+This resource has the following special matchers.
+
+### not_exists
+
+```ruby
+# Should not exist if no key vaults are in the resource group.
+
+describe azure_key_vaults(resource_group: 'RESOURCE_GROUP') do
+ it { should_not exist }
+end
+```
+
+### exists
+
+```ruby
+# Should exist if the filter returns at least one key vault.
+
+describe azure_key_vaults(resource_group: 'RESOURCE_GROUP') do
+ it { should exist }
+end
+```
+
+## Azure permissions
+
+{{% inspec-azure/azure_permissions_service_principal role="contributor" %}}
diff --git a/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_load_balancer.md b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_load_balancer.md
new file mode 100644
index 0000000..d4bfbf1
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_load_balancer.md
@@ -0,0 +1,110 @@
++++
+title = "azure_load_balancer resource"
+
+draft = false
+
+
+[menu.azure]
+title = "azure_load_balancer"
+identifier = "inspec/resources/azure/azure_load_balancer resource"
+parent = "inspec/resources/azure"
++++
+
+Use the `azure_load_balancer` InSpec audit resource to test the properties and configuration of an Azure Load Balancer.
+
+## Azure REST API version, endpoint, and HTTP client parameters
+
+{{< readfile file="content/reusable/md/inspec_azure_common_parameters.md" >}}
+
+## Syntax
+
+`resource_group` and `name`, or the `resource_id` are required parameters.
+
+```ruby
+describe azure_load_balancer(resource_group: 'RESOURCE_GROUP', name: 'EXAMPLE_LB') do
+ it { should exist }
+end
+```
+
+```ruby
+describe azure_load_balancer(resource_id: '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Network/loadBalancers/{loadBalancerName}') do
+ it { should exist }
+end
+```
+
+## Parameters
+
+`resource_group`
+: Azure resource group where the targeted resource resides.
+
+`name`
+: The unique name of the load balancer.
+
+`loadbalancer_name`
+: Alias for the `name` parameter.
+
+`resource_id`
+: The unique resource ID.
+
+Either one of the parameter sets can be provided for a valid query:
+
+- `resource_id`
+- `resource_group` and `name`
+- `resource_group` and `loadbalancer_name`
+
+## Properties
+
+`sku.name`
+: Name of a load balancer SKU.
+
+For properties applicable to all resources, such as `type`, `name`, `id`, and `properties`, refer to [`azure_generic_resource`](azure_generic_resource#properties).
+
+Also, see the [Azure documentation](https://docs.microsoft.com/en-us/rest/api/load-balancer/loadbalancers/get#loadbalancer) for other available properties. You can access any attribute in the response with the key names separated by dots (`.`).
+
+## Examples
+
+Test if a Load Balancer has any inbound nat rules:
+
+```ruby
+describe azure_load_balancer(resource_group: 'RESOURCE_GROUP', name: 'EXAMPLE_LB') do
+ its('properties.inboundNatRules') { should_not be_empty }
+end
+```
+
+Loop through all Load Balancers in a subscription via 'resource_id':
+
+```ruby
+azure_load_balancers.ids.each do |id|
+ describe azure_load_balancer(resource_id: id) do
+ its('properties.inboundNatRules') { should_not be_empty }
+ end
+end
+```
+
+## Matchers
+
+This InSpec audit resource has the following special matchers. For a full list of available matchers, please visit our [Universal Matchers page](https://docs.chef.io/inspec/matchers/).
+
+### exists
+
+```ruby
+# If we expect the resource to always exist.
+
+describe azure_load_balancer(resource_group: 'RESOURCE_GROUP', name: 'EXAMPLE_LB') do
+ it { should exist }
+end
+```
+
+### not_exists
+
+```ruby
+# If we expect the resource to never exist.
+
+describe azure_load_balancer(resource_group: 'RESOURCE_GROUP', name: 'EXAMPLE_LB') do
+ it { should_not exist }
+end
+```
+
+## Azure permissions
+
+{{% inspec-azure/azure_permissions_service_principal role="contributor" %}}
diff --git a/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_load_balancers.md b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_load_balancers.md
new file mode 100644
index 0000000..2ad3e8b
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_load_balancers.md
@@ -0,0 +1,143 @@
++++
+title = "azure_load_balancers resource"
+
+draft = false
+
+
+[menu.azure]
+title = "azure_load_balancers"
+identifier = "inspec/resources/azure/azure_load_balancers resource"
+parent = "inspec/resources/azure"
++++
+
+Use the `azure_load_balancers` InSpec audit resource to test the properties and configuration of Azure Load Balancers.
+
+## Azure REST API version, endpoint, and HTTP client parameters
+
+{{< readfile file="content/reusable/md/inspec_azure_common_parameters.md" >}}
+
+## Syntax
+
+An `azure_load_balancers` resource block returns all Azure Load Balancers, either within a resource group (if provided) or the entire subscription.
+
+```ruby
+describe azure_load_balancers do
+ #...
+end
+```
+
+Or
+
+```ruby
+describe azure_load_balancers(resource_group: 'RESOURCE_GROUP') do
+ #...
+end
+```
+
+## Parameters
+
+`resource_group` _(optional)_
+
+: The name of the resource group.
+
+## Properties
+
+`ids`
+: A list of the unique resource IDs.
+
+ Field: `id`
+
+`locations`
+: A list of locations for all the resources being interrogated.
+
+ Field: `location`
+
+`names`
+: A list of names of all the resources being interrogated.
+
+ Field: `name`
+
+`tags`
+: A list of `tag:value` pairs defined on the resources being interrogated.
+
+ Field: `tags`
+
+`types`
+: A list of the types of resources being interrogated.
+
+ Field: `type`
+
+`properties`
+: A list of properties for all the resources being interrogated.
+
+ Field: `properties`
+
+`skus`
+: A list of the SKUs of the resources being interrogated.
+
+ Field: `sku`
+
+{{< note >}}
+
+{{< readfile file="content/reusable/md/inspec_filter_table.md" >}}
+
+{{< /note>}}
+
+## Examples
+
+Check Load balancers are present:
+
+````ruby
+describe azure_load_balancers do
+ it { should exist }
+ its('names') { should include 'EXAMPLE_LB' }
+end
+````
+
+Filter the results to include only those with names match the specified string value:
+
+```ruby
+describe azure_load_balancers.where{ name.eql?('PRODUCTION-LB') } do
+ it { should exist }
+end
+```
+
+Filter the results to include only those with location match the specified string value:
+
+```ruby
+describe azure_load_balancers.where{ location.eql?('EASTUS-2') } do
+ it { should exist }
+end
+```
+
+## Matchers
+
+{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}}
+
+This resource has the following special matchers.
+
+### exists
+
+The control passes if the filter returns at least one result.
+
+```ruby
+# If we expect 'EXAMPLEGROUP' resource group to have Load Balancers.
+describe azure_load_balancers(resource_group: 'EXAMPLEGROUP') do
+ it { should exist }
+end
+```
+
+### not_exists
+
+Use `should_not` if you expect zero matches.
+
+```ruby
+# If we expect 'EMPTYEXAMPLEGROUP' resource group to not have Load Balancers.
+describe azure_load_balancers(resource_group: 'EMPTYEXAMPLEGROUP') do
+ it { should_not exist }
+end
+```
+
+## Azure permissions
+
+{{% inspec-azure/azure_permissions_service_principal role="contributor" %}}
diff --git a/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_lock.md b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_lock.md
new file mode 100644
index 0000000..5b3cf32
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_lock.md
@@ -0,0 +1,103 @@
++++
+title = "azure_lock resource"
+
+draft = false
+
+
+[menu.azure]
+title = "azure_lock"
+identifier = "inspec/resources/azure/azure_lock resource"
+parent = "inspec/resources/azure"
++++
+
+Use the `azure_lock` InSpec audit resource to test the properties and configuration of a Management Lock.
+
+## Azure REST API version, endpoint, and HTTP client parameters
+
+{{< readfile file="content/reusable/md/inspec_azure_common_parameters.md" >}}
+
+## Syntax
+
+The Management Lock resources do not follow the common `resouce_group` and `name` patterns for identification. As a result, the `resource_id` must be given as a parameter to the `azure_lock` resource.
+
+The [`azure_locks`](azure_locks.md) resource can be used for gathering the Management Lock resource IDs to be tested within the desired level, such as subscription, resource group, or individual resource.
+
+```ruby
+describe azure_lock(resource_id: '/{subscriptionId}/resourcegroups/{resourceGroupName}/providers/{resourceProviderNamespace}/{parentResourcePath}/{resourceType}/{resourceName}/providers/Microsoft.Authorization/locks/{lockName}') do
+ it { should exist }
+end
+```
+
+## Parameters
+
+`resource_id`
+: The unique resource ID.
+
+## Properties
+
+`properties.level`
+: The level of the lock. Possible values are: `NotSpecified`, `CanNotDelete`, and `ReadOnly`. For more information, see the [Microsoft lock level documentation](https://docs.microsoft.com/en-us/rest/api/resources/managementlocks/getatresourcelevel#locklevel).
+
+`properties.notes`
+: Notes about the lock. Maximum of 512 characters.
+
+`properties.owners`
+: A list of the owners of the lock with [these](https://docs.microsoft.com/en-us/rest/api/resources/managementlocks/getatresourcelevel#managementlockowner) properties.
+
+Please note that the properties can vary depending on the `api_version` used for the lookup.
+
+For properties applicable to all resources, such as `type`, `name`, `id`, and `properties`, refer to [`azure_generic_resource`](azure_generic_resource#properties).
+
+Also, see the [Azure documentation](https://docs.microsoft.com/en-us/rest/api/resources/managementlocks/getatresourcelevel#managementlockobject) for other available properties. You can access any attribute in the response with the key names separated by dots (`.`). For example, `properties.`.
+
+## Examples
+
+Test if a 'ReadOnly' Management Lock exists in a specific resource group:
+
+```ruby
+azure_locks(resource_group: 'EXAMPLE-GROUP').ids.each do |id|
+ describe azure_lock(resource_id: id) do
+ its('properties.level') { should_not cmp `ReadOnly` }
+ end
+end
+```
+
+Test if Management Locks on a specific resource contain a certain String:
+
+```ruby
+azure_locks(resouce_id: '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroup}/providers/Microsoft.Compute/virtualMachines/{vmName}').ids.each do |lock_id|
+ describe azure_lock(resource_id: lock_id) do
+ it('properties.notes') { should include 'contact jdoe@chef.io' }
+ end
+end
+```
+
+## Matchers
+
+{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}}
+
+This resource has the following special matchers.
+
+### exists
+
+```ruby
+# If we expect a resource to always exist.
+
+describe azure_lock(resource_id: '/subscriptions/..{lockName}') do
+ it { should exist }
+end
+```
+
+### not_exists
+
+```ruby
+# If we expect a resource to never exist.
+
+describe azure_lock(resource_id: '/subscriptions/..{lockName}') do
+ it { should_not exist }
+end
+```
+
+## Azure permissions
+
+{{% inspec-azure/azure_permissions_service_principal role="contributor" %}}
diff --git a/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_locks.md b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_locks.md
new file mode 100644
index 0000000..0288ae6
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_locks.md 
@@ -0,0 +1,143 @@ ++++ +title = "azure_locks resource" + +draft = false + + +[menu.azure] +title = "azure_locks" +identifier = "inspec/resources/azure/azure_locks resource" +parent = "inspec/resources/azure" ++++ + +Use the `azure_locks` InSpec audit resource to test the properties and configuration of all Management Locks for an Azure resource or any level below it. + +## Azure REST API version, endpoint, and HTTP client parameters + +{{< readfile file="content/reusable/md/inspec_azure_common_parameters.md" >}} + +## Syntax + +An `azure_locks` resource block returns all Management Locks within a resource group (if provided) or the entire subscription. + +```ruby +describe azure_locks do + it { should exist } +end +``` + +Or + +```ruby +describe azure_locks(resource_group: 'RESOURCE_GROUP') do + it { should exist } +end +``` + +Also, at resource level test can be done by providing the following identifiers: `resource_group`, `resource_name`, and `resource_type` or the `resource_id`. + +```ruby +describe azure_locks(resource_group: 'RESOURCE_GROUP', resource_name: 'VM_NAME`, resource_type: 'Microsoft.Compute/virtualMachines') do + it { should exist } +end +``` + +Or + +```ruby +describe azure_locks(resource_id: '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroup}/providers/Microsoft.Compute/virtualMachines/{vmName}') do + it { should exist } +end +``` + +## Parameters + +`resource_group` +: Azure resource group where the targeted resource resides. + +`resource_name` +: Name of the Azure resource on which the Management Locks are being tested. + +`resource_type` +: Type of the Azure resource on which the Management Locks are being tested. + +`resource_id` +: The unique resource ID of the Azure resource on which the Management Locks are being tested. + +Either one of the parameter sets can be provided for a valid query: + +- `resource_id` +- `resource_group`, `resource_name` and `resource_type` +- `resource_group` +- None for a subscription level test. 
+ +## Properties + +`ids` +: A list of the unique resource IDs of the Management Locks. + + Field: `id` + +`names` +: A list of names of all the Management Locks being interrogated. + + Field: `name` + +`properties` +: A list of properties for all the Management Locks being interrogated. + + Field: `properties` + +{{< note >}} + +{{< readfile file="content/reusable/md/inspec_filter_table.md" >}} + +{{< /note>}} + +## Examples + +Check if a specific Management Lock is present for a resource: + +```ruby +describe azure_locks(resource_group: 'RESOURCE_GROUP', resource_name: 'VM_NAME', resource_type: 'Microsoft.Compute/virtualMachines') do + its('names') { should include 'production_agents' } +end +``` + +Filters the results to include only those Management Locks that have the specific name: + +```ruby +describe azure_locks.where{ name.include?('production') } do + it { should exist } +end +``` + +Loop through all virtual machines to test if they have Management Locks defined: + +```ruby +azure_virtual_machines.ids.each do |id| + describe azure_locks(resource_id: id) do + it { should exist } + end +end +``` + +## Matchers + +{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}} + +This resource has the following special matchers. + +### exists + +The control will pass if the filter returns at least one result. Use `should_not` if you expect zero matches. + +```ruby +describe azure_locks(resource_group: 'RESOURCE_GROUP', resource_name: 'VM_NAME', resource_type: 'Microsoft.Compute/virtualMachines') do + it { should exist } +end +``` + +## Azure permissions + +{{% inspec-azure/azure_permissions_service_principal role="contributor" %}} diff --git a/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_managed_application.md b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_managed_application.md new file mode 100644 index 0000000..6c94681 --- /dev/null 
+++ b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_managed_application.md 
@@ -0,0 +1,113 @@ ++++ +title = "azure_managed_application resource" + +draft = false + + +[menu.azure] +title = "azure_managed_application" +identifier = "inspec/resources/azure/azure_managed_application resource" +parent = "inspec/resources/azure" ++++ + +Use the `azure_managed_application` InSpec audit resource to test the properties related to an Azure Managed application. + +## Azure REST API version, endpoint, and HTTP client parameters + +{{< readfile file="content/reusable/md/inspec_azure_common_parameters.md" >}} + +## Syntax + +`name` and `resource_group` are required parameters. + +```ruby +describe azure_managed_application(resource_group: 'RESOURCE_GROUP', name: 'MANAGED_APPLICATION_NAME') do + it { should exist } + its('type') { should eq 'Microsoft.ServiceBus/Namespaces' } + its('location') { should eq 'East US' } +end +``` + +```ruby +describe azure_managed_application(resource_group: 'RESOURCE_GROUP', name: 'MANAGED_APPLICATION_NAME') do + it { should exist } +end +``` + +## Parameters + +`name` _(required)_ +: Name of the Azure managed applications to test. + +`resource_group` _(required)_ +: Azure resource group where the targeted resource resides. + +## Properties + +`id` +: Resource ID. + +`name` +: Resource name. + +`type` +: Resource type. `Microsoft.Solutions/applications`. + +`location` +: Resource location. + +`properties` +: The properties of the managed application. + +`properties.plan` +: The plan information. + +`properties.identity` +: The identity of the resource. + +`properties.provisioningState` +: Provisioning state of the namespace. + +For properties applicable to all resources, such as `type`, `name`, `id`, and `properties`, refer to [`azure_generic_resource`](azure_generic_resource#properties). + +Also, see the [Azure documentation](https://docs.microsoft.com/en-us/rest/api/managedapplications/applications/get) for other available properties. 
+ +## Examples + +Test that the managed applications are provisioned successfully: + +```ruby +describe azure_managed_application(resource_group: 'RESOURCE_GROUP', name: 'MANAGED_APPLICATION_NAME') do + its('properties.provisioningState') { should eq 'Succeeded' } +end +``` + +## Matchers + +{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}} + +This resource has the following special matchers. + +### exists + +```ruby +# If a Managed application is found, it will exist. + +describe azure_managed_application(resource_group: 'RESOURCE_GROUP', name: 'MANAGED_APPLICATION_NAME') do + it { should exist } +end +``` + +### not_exists + +```ruby +# If a Managed application is not found, it will not exist. + +describe azure_managed_application(resource_group: 'RESOURCE_GROUP', name: 'MANAGED_APPLICATION_NAME') do + it { should_not exist } +end +``` + +## Azure permissions + +{{% inspec-azure/azure_permissions_service_principal role="reader" %}} diff --git a/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_managed_applications.md b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_managed_applications.md new file mode 100644 index 0000000..5c32ea8 --- /dev/null +++ b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_managed_applications.md 
@@ -0,0 +1,135 @@ ++++ +title = "azure_managed_applications resource" + +draft = false + + +[menu.azure] +title = "azure_managed_applications" +identifier = "inspec/resources/azure/azure_managed_applications resource" +parent = "inspec/resources/azure" ++++ + +Use the `azure_managed_applications` InSpec audit resource to test the properties related to all Azure Managed applications. + +## Azure REST API version, endpoint, and HTTP client parameters + +{{< readfile file="content/reusable/md/inspec_azure_common_parameters.md" >}} + +## Syntax + +An `azure_managed_applications` resource block returns all Azure Managed applications. + +```ruby +describe azure_managed_applications do + #... +end +``` + +## Parameters + +`resource_group` _(optional)_ +: Azure resource group where the targeted resource resides. + +## Properties + +`ids` +: A list of resource IDs. + + Field: `id` + +`names` +: A list of resource Names. + + Field: `name` + +`types` +: A list of the resource types. + + Field: `type` + +`properties` +: A list of properties for all the Managed applications. + + Field: `properties` + +`locations` +: A list of the resource locations. + + Field: `location` + +`identities` +: A list of the identity of the resources. + + Field: `identity` + +`plans` +: A list of the plan information. + + Field: `plan` + +`provisioningStates` +: A list of provisioning states of the app. + + Field: `provisioningState` + +`publisherTenantIds` +: A list of the publisher tenant ID. 
+ + Field: `publisherTenantId` + +{{< note >}} + +{{< readfile file="content/reusable/md/inspec_filter_table.md" >}} + +{{< /note>}} + +## Examples + +Loop through Managed applications by their names: + +```ruby +azure_managed_applications(resource_group: 'RESOURCE_GROUP').names.each do |name| + describe azure_managed_application(resource_group: 'RESOURCE_GROUP', name: name) do + it { should exist } + end +end +``` + +Test that there are Managed applications that are successfully provisioned: + +```ruby +describe azure_managed_applications(resource_group: 'RESOURCE_GROUP').where(provisioningState: 'Succeeded') do + it { should exist } +end +``` + +## Matchers + +{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}} + +This resource has the following special matchers. + +### exists + +```ruby +# Should not exist if no Managed applications are present. + +describe azure_managed_applications(resource_group: 'RESOURCE_GROUP') do + it { should_not exist } +end +``` + +### not_exists + +```ruby +# Should exist if the filter returns at least one Managed application. + +describe azure_managed_applications(resource_group: 'RESOURCE_GROUP') do + it { should exist } +end +``` + +## Azure permissions + +{{% inspec-azure/azure_permissions_service_principal role="reader" %}} diff --git a/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_management_group.md b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_management_group.md new file mode 100644 index 0000000..9e47aeb --- /dev/null +++ b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_management_group.md 
@@ -0,0 +1,128 @@ ++++ +title = "azure_management_group resource" + +draft = false + + +[menu.azure] +title = "azure_management_group" +identifier = "inspec/resources/azure/azure_management_group resource" +parent = "inspec/resources/azure" ++++ + +Use the `azure_management_group` InSpec audit resource to test the properties of an Azure management group. + +## Azure REST API version, endpoint, and HTTP client parameters + +{{< readfile file="content/reusable/md/inspec_azure_common_parameters.md" >}} + +## Syntax + +An `azure_management_group` resource block identifies a management group by its `name` or the `resource_id`. + +```ruby +describe azure_management_group(name: 'ABCD-1234') do + it { should exist } +end +``` + +```ruby +describe azure_management_group(resource_id: '/providers/Microsoft.Management/managementGroups/{groupId}') do + it { should exist } +end +``` + +## Parameters + +`name` +: Management group name. `20000000-0001-0000-0000-000000000000`. + +`group_id` +: Alias for the `name` parameter. + +`resource_id` +: The unique resource ID. `/providers/Microsoft.Management/managementGroups/{groupId}`. + +`expand` +: Optional. The `expand: 'children'` includes children in the response. The `expand: 'path'` includes the path from the root group to the current group. + +`recurse` +: Optional. The `recurse: true` includes the entire hierarchy in the response. Note that `expand: 'children'` will be set if `recurse` is set to `true`. + +`filter` _Optional_ +: A filter allows the exclusion of subscriptions from results (i.e., `filter: 'children.childType ne Subscription'`). + +Either one of the parameter sets can be provided for a valid query along with the optional parameters: + +- `resource_id` +- `name` +- `group_id` + +## Properties + +`tenant_id` +: The management group tenant ID. + +`parent_name` +: The management group parent name. + +`parent_id` +: The management group parent resource ID. `/providers/Microsoft.Management/managementGroups/{groupId}`. 
+ +`children_display_names` +: The list of management group children display names. + +`children_ids` +: The list of management group children IDs. + +`children_names` +: The list of management group children names. + +`children_types` +: The list of management group children types. + +For properties applicable to all resources, such as `type`, `name`, `id`, and `properties`, refer to [`azure_generic_resource`](azure_generic_resource#properties). + +Also, see the [Azure documentation](https://docs.microsoft.com/en-us/rest/api/managementgroups/management-groups/get) for other available properties. You can access any attribute in the response with the key names separated by dots (`.`). + +## Examples + +Test Tenant ID, Parent Name, Children Display Name: + +```ruby +describe azure_management_group(group_id: 'ABC-1234', recurse: true, expand: 'CHILDREN') do + its('tenant_id') { should eq('00000000-0000-0000-0000-000000000000') } + its('parent_name') { should eq('MyGroupsParentName') } + its('children_display_names') { should include('I am a child of the group!') } +end +``` + +See [integration tests](https://github.com/inspec/inspec-azure/blob/main/test/integration/verify/controls/azure_management_group.rb) for more examples. + +## Matchers + +This InSpec audit resource has the following special matchers. For a full list of available matchers, please visit our [Universal Matchers page](https://docs.chef.io/inspec/matchers/). + +### exists + +```ruby +# If we expect a resource to always exist. + +describe azure_management_group(name: 'ABCD-1234') do + it { should exist } +end +``` + +### not_exists + +```ruby +# If we expect a resource to never exist. + +describe azure_management_group(name: 'ABCD-1234') do + it { should_not exist } +end +``` + +## Azure permissions + +{{% inspec-azure/azure_permissions_service_principal role="contributor" %}} 
diff --git a/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_management_groups.md b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_management_groups.md
new file mode 100644
index 0000000..443dc62
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_management_groups.md
@@ -0,0 +1,101 @@ ++++ +title = "azure_management_groups resource" + +draft = false + + +[menu.azure] +title = "azure_management_groups" +identifier = "inspec/resources/azure/azure_management_groups resource" +parent = "inspec/resources/azure" ++++ + +Use the `azure_management_groups` InSpec audit resource to test the properties and configuration of multiple Azure management groups. + +## Azure REST API version, endpoint, and HTTP client parameters + +{{< readfile file="content/reusable/md/inspec_azure_common_parameters.md" >}} + +## Syntax + +An `azure_management_groups` resource block returns management groups for the authenticated user. + +```ruby +describe azure_management_groups do + #... +end +``` + +## Parameters + +This resource does not require any parameters. + +## Properties + +`ids` +: A list of the unique resource IDs. + + Field: `id` + +`names` +: A list of names of all the resources being interrogated. + + Field: `name` + +`types` +: A list of types of all the resources being interrogated. + + Field: `type` + +`properties` +: A list of properties for all the resources being interrogated. + + Field: `properties` + +{{< note >}} + +{{< readfile file="content/reusable/md/inspec_filter_table.md" >}} + +{{< /note>}} + +## Examples + +Test that a named Management Group exists: + +```ruby +describe azure_management_groups do + its('names') { should include('ABCD-1234') } +end +``` + +## Matchers + +{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}} + +This resource has the following special matchers. + +### exists + +The control passes if the filter returns at least one result. Use `should_not` if you expect zero matches. + +```ruby +# If we expect at least one management group to exist. + +describe azure_management_groups do + it { should exist } +end +``` + +### not_exists + +```ruby +# If we expect zero matches. 
+ +describe azure_management_groups do + it { should_not exist } +end +``` + +## Azure permissions + +{{% inspec-azure/azure_permissions_service_principal role="contributor" %}} diff --git a/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_mariadb_server.md b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_mariadb_server.md new file mode 100644 index 0000000..3c42c00 --- /dev/null +++ b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_mariadb_server.md 
@@ -0,0 +1,132 @@ ++++ +title = "azure_mariadb_server resource" + +draft = false + + +[menu.azure] +title = "azure_mariadb_server" +identifier = "inspec/resources/azure/azure_mariadb_server resource" +parent = "inspec/resources/azure" ++++ + +Use the `azure_mariadb_server` InSpec audit resource to test the properties and configuration of an Azure MariaDB Server. + +## Azure REST API version, endpoint, and HTTP client parameters + +{{< readfile file="content/reusable/md/inspec_azure_common_parameters.md" >}} + +## Syntax + +`resource_group` and `name`, or the `resource_id` are required parameters. + +```ruby +describe azure_mariadb_server(resource_group: 'RESOURCE_GROUP', name: 'EXAMPLE_SERVER') do + it { should exist } +end +``` + +```ruby +describe azure_mariadb_server(resource_id: '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroup}/providers/Microsoft.DBforMariaDB/servers/{serverName}') do + it { should exist } +end +``` + +## Parameters + +`resource_group` +: Azure resource group where the targeted resource resides. + +`name` +: Name of the MariaDB server to test. + +`server_name` +: Alias for the `name` parameter. + +`resource_id` +: The unique resource ID. + +`firewall_rules_api_version` +: The endpoint api version for the `firewall_rules` property. The latest version will be used unless provided. + +Either one of the parameter sets can be provided for a valid query: + +- `resource_id` +- `resource_group` and `name` +- `resource_group` and `server_name` + +## Properties + +`firewall_rules` +: A list of all firewall rules in the targeted server. + +`sku` +: The SKU (pricing tier) of the server. + +For properties applicable to all resources, such as `type`, `name`, `id`, and `properties`, refer to [`azure_generic_resource`](azure_generic_resource#properties). + +Also, see the [Azure documentation](https://docs.microsoft.com/en-us/rest/api/mariadb/servers/get#server) for other available properties. 
+You can access any attribute in the response with the key names separated by dots (`.`). For example, `properties.`. + +## Examples + +Test if a MariaDB server is referenced with a valid name: + +```ruby +describe azure_mariadb_server(resource_group: 'RESOURCE_GROUP', name: 'SQL-SERVER-1') do + it { should exist } +end +``` + +Test if a MariaDB server is referenced with an invalid name: + +```ruby +describe azure_mariadb_server(resource_group: 'RESOURCE_GROUP', name: 'I-DONT-EXIST') do + it { should_not exist } +end +``` + +Test if a MariaDB server has firewall rules set: + +```ruby +describe azure_mariadb_server(resource_group: 'RESOURCE_GROUP', name: 'NAME') do + its('firewall_rules') { should_not be_empty } +end +``` + +Test a MariaDB server's location and maximum replica capacity: + +```ruby +describe azure_mariadb_server(resource_id: '/subscriptions/.../my-server') do + its('properties.replicaCapacity') { should cmp 2 } + its('location') { should cmp 'westeurope' } +end +``` + +## Matchers + +{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}} + +### exists + +```ruby +# If we expect a resource to always exist. + +describe azure_mariadb_server(resource_group: 'RESOURCE_GROUP, server_name: 'SQL-SERVER-1') do + it { should exist } +end +``` + +### not_exists + +```ruby +# If we expect a resource to never exist. + +describe azure_mariadb_server(resource_group: 'RESOURCE_GROUP', server_name: 'SQL-SERVER-1') do + it { should_not exist } +end +``` + +## Azure permissions + +{{% inspec-azure/azure_permissions_service_principal role="contributor" %}} diff --git a/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_mariadb_servers.md b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_mariadb_servers.md new file mode 100644 index 0000000..773a033 --- /dev/null +++ b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_mariadb_servers.md 
@@ -0,0 +1,139 @@ ++++ +title = "azure_mariadb_servers resource" + +draft = false + + +[menu.azure] +title = "azure_mariadb_servers" +identifier = "inspec/resources/azure/azure_mariadb_servers resource" +parent = "inspec/resources/azure" ++++ + +Use the `azure_mariadb_servers` InSpec audit resource to test the properties and configuration of multiple Azure MariaDB Servers. + +## Azure REST API version, endpoint, and HTTP client parameters + +{{< readfile file="content/reusable/md/inspec_azure_common_parameters.md" >}} + +## Syntax + +An `azure_mariadb_servers` resource block returns all Azure MariaDB Servers within a resource group (if provided) or the entire subscription. + +```ruby +describe azure_mariadb_servers do + #... +end +``` + +Or + +```ruby +describe azure_mariadb_servers(resource_group: 'RESOURCE_GROUP') do + #... +end +``` + +## Parameters + +`resource_group` _(optional)_ + +: The name of the resource group. + +## Properties + +`ids` +: A list of the unique resource IDs. + + Field: `id` + +`locations` +: A list of locations for all the resources being interrogated. + + Field: `location` + +`names` +: A list of names of all the resources being interrogated. + + Field: `name` + +`tags` +: A list of `tag:value` pairs defined on the resources. + + Field: `tags` + +`skus` +: A list of the SKUs (pricing tiers) of the servers. + + Field: `sku` + +`types` +: A list of the types of resources being interrogated. + + Field: `type` + +`properties` +: A list of properties for all the resources being interrogated. 
+ + Field: `properties` + +{{< note >}} + +{{< readfile file="content/reusable/md/inspec_filter_table.md" >}} + +{{< /note>}} + +## Examples + +Check MariaDB Servers are present: + +```ruby +describe azure_mariadb_servers do + it { should exist } + its('names') { should include 'MY-SERVER-NAME' } +end +``` + +Filters the results to include only those servers that have the specified name (client-side filtering): + +```ruby +describe azure_mariadb_servers.where{ name.include?('production') } do + it { should exist } +end +``` + +Filters the results to include only those servers which reside in a specified location (client-side filtering): + +```ruby +describe azure_mariadb_servers.where{ location.eql?('westeurope') } do + it { should exist } +end +``` + +Filters the results to include only those servers which reside in a specified location and has the specified name (server-side filtering - recommended): + +```ruby +describe azure_generic_resources(resource_provider: 'Microsoft.DBforMariaDB/servers', substring_of_name: 'production', location: 'westeurope') do + it {should exist} +end +``` + +## Matchers + +{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}} + +This resource has the following special matchers. + +### exists + +The control passes if the filter returns at least one result. Use `should_not` if you expect zero matches. + +```ruby +describe azure_mariadb_servers do + it { should exist } +end +``` + +## Azure permissions + +{{% inspec-azure/azure_permissions_service_principal role="contributor" %}} diff --git a/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_microsoft_defender_pricing.md b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_microsoft_defender_pricing.md new file mode 100644 index 0000000..560b0c6 --- /dev/null +++ b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_microsoft_defender_pricing.md 
@@ -0,0 +1,92 @@ ++++ +title = "azure_microsoft_defender_pricing resource" + +draft = false + + +[menu.azure] +title = "azure_microsoft_defender_pricing" +identifier = "inspec/resources/azure/azure_microsoft_defender_pricing resource" +parent = "inspec/resources/azure" ++++ + +Use the `azure_microsoft_defender_pricing` Chef InSpec audit resource to test the properties of a Microsoft Defender for Cloud pricing configuration. + +## Azure REST API version, endpoint, and HTTP client parameters + +{{< readfile file="content/reusable/md/inspec_azure_common_parameters.md" >}} + +## Syntax + +```ruby +describe azure_microsoft_defender_pricing(name: 'DEFENDER_PRICING_NAME') do + it { should exist } +end +``` + +## Parameters + +`name` +: The name of the resource. + +## Properties + +`id` +: The ID of the resource. + +`name` +: The name of the resource. + +`type` +: The resource type. + +`properties.deprecated` +: True if the plan is deprecated. If there are replacing plans, they will appear in `replacedBy` property. + +`properties.freeTrialRemainingTime` +: The duration left for the subscriptions free trial period - in ISO 8601 format (e.g. P3Y6M4DT12H30M5S). + +`properties.pricingTier` +: The pricing tier value. Microsoft Defender for Cloud is provided in two pricing tiers: free and standard, with the standard tier available with a trial period. The standard tier offers advanced security capabilities, while the free tier offers basic security features. + +`properties.replacedBy` +: List of plans that replace this plan. This property exists only if this plan is deprecated. + +`properties.subPlan` +: The sub-plan selected for a Standard pricing configuration, when more than one sub-plan is available. Each sub-plan enables a set of security features. When not specified, full plan is applied. + +See the [Azure documentation on Defender for Cloud pricing configuration](https://learn.microsoft.com/en-us/rest/api/defenderforcloud/pricings/get) for additional information. 
You may access any attribute in the response with the key names separated by dots (`.`). + +## Examples + +Test if a name exists: + +This resource does not have any examples. + +## Matchers + +{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}} + +This resource has the following special matchers. + +### exists + +The control passes if the filter returns at least one result. + +```ruby +describe azure_microsoft_defender_pricing(name: 'DEFENDER_PRICING_NAME') do + it { should exist } +end +``` + +Use `should_not` if you expect zero matches. + +```ruby +describe azure_microsoft_defender_pricing(name: 'DEFENDER_PRICING_NAME') do + it { should_not exist } +end +``` + +## Azure permissions + +Graph resources require specific privileges granted to your service principal. Please refer to the [Microsoft Documentation](https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-integrating-applications#updating-an-application) for information on how to grant these permissions to your application. diff --git a/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_microsoft_defender_pricings.md b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_microsoft_defender_pricings.md new file mode 100644 index 0000000..40d5a8f --- /dev/null +++ b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_microsoft_defender_pricings.md 
@@ -0,0 +1,101 @@ ++++ +title = "azure_microsoft_defender_pricings resource" + +draft = false + + +[menu.azure] +title = "azure_microsoft_defender_pricings" +identifier = "inspec/resources/azure/azure_microsoft_defender_pricings resource" +parent = "inspec/resources/azure" ++++ + +Use the `azure_microsoft_defender_pricings` Chef InSpec audit resource to test the properties of multiple Microsoft Defender for Cloud pricing configurations. + +## Azure REST API version, endpoint, and HTTP client parameters + +{{< readfile file="content/reusable/md/inspec_azure_common_parameters.md" >}} + +## Syntax + +```ruby +describe azure_microsoft_defender_pricings do + #... +end +``` + +## Parameters + +No required parameters. + +## Properties + +`ids` +: The ID of the resource. + + Field: `id` + +`names` +: The name of the resource. + + Field: `name` + +`types` +: The type of the resource. + + Field: `type` + +`freeTrialRemainingTimes` +: The duration left for the subscriptions free trial period - in ISO 8601 format (e.g. P3Y6M4DT12H30M5S). + + Field: `properties.freeTrialRemainingTime` + +`pricingTiers` +: The pricing tier value. Microsoft Defender for Cloud is provided in two pricing tiers: free and standard, with the standard tier available with a trial period. The standard tier offers advanced security capabilities, while the free tier offers basic security features. + + Field: `properties.pricingTier` + +`subPlans` +: The sub-plan selected for a Standard pricing configuration, when more than one sub-plan is available. Each sub-plan enables a set of security features. When not specified, full plan is applied. + + Field: `properties.subPlan` + +{{< note >}} + +{{< readfile file="content/reusable/md/inspec_filter_table.md" >}} + +{{< /note>}} + +See the [Azure documentation on Defender for Cloud pricing configuration](https://learn.microsoft.com/en-us/rest/api/defenderforcloud/pricings/list) for additional information. 
You may access any attribute in the response with the key names separated by dots (`.`). + +## Examples + +This resource does not have any examples. + +## Matchers + +{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}} + +This resource has the following special matchers. + +### exist + +The control passes if the filter returns at least one result. + +```ruby +describe azure_microsoft_defender_pricings do + it { should exist } +end +``` + +Use `should_not` if you expect zero matches. + +```ruby +describe azure_microsoft_defender_pricings do + it { should_not exist } +end +``` + +## Azure permissions + +Graph resources require specific privileges granted to your service principal. Please refer to the [Microsoft Documentation](https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-integrating-applications#updating-an-application) for information on how to grant these permissions to your application. diff --git a/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_microsoft_defender_security_contact.md b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_microsoft_defender_security_contact.md new file mode 100644 index 0000000..ad367a4 --- /dev/null +++ b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_microsoft_defender_security_contact.md 
@@ -0,0 +1,115 @@
++++
+title = "azure_microsoft_defender_security_contact resource"
+
+draft = false
+
+
+[menu.azure]
+title = "azure_microsoft_defender_security_contact"
+identifier = "inspec/resources/azure/azure_microsoft_defender_security_contact resource"
+parent = "inspec/resources/azure"
++++
+
+Use the `azure_microsoft_defender_security_contact` Chef InSpec audit resource to test the properties of a Microsoft Defender for Cloud Security Contact configuration.
+
+## Azure REST API version, endpoint, and HTTP client parameters
+
+{{< readfile file="content/reusable/md/inspec_azure_common_parameters.md" >}}
+
+## Syntax
+
+```ruby
+describe azure_microsoft_defender_security_contact(name: 'SECURITY_CONTACT_NAME') do
+ it { should exist }
+end
+```
+
+## Parameters
+
+`name`
+: The name of the resource.
+
+## Properties
+
+`id`
+: The ID of the resource.
+
+`name`
+: The name of the resource.
+
+`type`
+: The resource type.
+
+`properties.notificationsByRole.roles`
+: Defines which RBAC roles will get email notifications from Microsoft Defender for Cloud.
+
+`properties.notificationsByRole.state`
+: Defines whether to send email notifications from AMicrosoft Defender for Cloud to persons with specific RBAC roles on the subscription.
+
+`properties.emails`
+: List of email addresses which will get notifications from Microsoft Defender for Cloud by the configurations defined in this security contact.
+
+`properties.phone`
+: The security contact's phone number.
+
+`properties.alertNotifications.state`
+: Defines if email notifications will be sent about new security alerts.
+
+`properties.alertNotifications.minimalSeverity`
+: Defines the minimal alert severity which will be sent as email notifications.
+
+See the [Azure documentation on Defender for Cloud Security Contact configuration](https://learn.microsoft.com/en-us/rest/api/defenderforcloud/security-contacts/get?tabs=HTTP) for additional information. You may access any attribute in the response with the key names separated by dots (`.`).
+
+## Examples
+
+Test if a name exists:
+
+```ruby
+describe azure_microsoft_defender_security_contact(name: 'SECURITY_CONTACT_NAME') do
+ its('name') { should eq 'SECURITY_CONTACT_NAME' }
+end
+```
+
+Test if a type exists:
+
+```ruby
+describe azure_microsoft_defender_security_contact(name: 'SECURITY_CONTACT_NAME') do
+ its('type') { should eq 'Microsoft.Security/securityContacts' }
+end
+```
+
+Test if a notification by role state exists:
+
+```ruby
+describe azure_microsoft_defender_security_contact(name: 'SECURITY_CONTACT_NAME') do
+ its('properties.notificationsByRole.state') { should eq 'On' }
+end
+```
+
+## Matchers
+
+{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}}
+
+This resource has the following special matchers.
+
+### exists
+
+The control passes if the filter returns at least one result.
+
+```ruby
+describe azure_microsoft_defender_security_contact(name: 'SECURITY_CONTACT_NAME') do
+ it { should exist }
+end
+```
+
+Use `should_not` if you expect zero matches.
+
+```ruby
+describe azure_microsoft_defender_security_contact(name: 'SECURITY_CONTACT_NAME') do
+ it { should exist }
+end
+```
+
+## Azure permissions
+
+Graph resources require specific privileges granted to your service principal. Please refer to the [Microsoft Documentation](https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-integrating-applications#updating-an-application) for information on how to grant these permissions to your application.
diff --git a/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_microsoft_defender_setting.md b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_microsoft_defender_setting.md
new file mode 100644
index 0000000..2cad12a
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_microsoft_defender_setting.md
@@ -0,0 +1,79 @@
++++
+title = "azure_microsoft_defender_setting resource"
+
+draft = false
+
+
+[menu.azure]
+title = "azure_microsoft_defender_setting"
+identifier = "inspec/resources/azure/azure_microsoft_defender_setting resource"
+parent = "inspec/resources/azure"
++++
+
+Use the `azure_microsoft_defender_setting` Chef InSpec audit resource to test the properties of a Microsoft Defender for Cloud Setting configuration.
+
+## Syntax
+
+```ruby
+describe azure_microsoft_defender_setting(name: 'SETTING_NAME') do
+ it { should exist }
+end
+```
+
+## Parameters
+
+`name`
+: The name of the resource.
+
+## Properties
+
+`id`
+: The ID of the resource.
+
+`name`
+: The name of the resource.
+
+`kind`
+: The resource kind.
+
+`type`
+: The resource type.
+
+`properties.enabled`
+: Is the alert sync setting enabled.
+
+See the [Azure documentation on Defender for Cloud Settings configuration](https://learn.microsoft.com/en-us/rest/api/defenderforcloud/settings/get?tabs=HTTP) for additional information. You may access any attribute in the response with the key names separated by dots (`.`).
+
+## Examples
+
+Test if a name exists:
+
+This resource does not have any examples.
+
+## Matchers
+
+{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}}
+
+This resource has the following special matchers.
+
+### exists
+
+The control passes if the filter returns at least one result.
+
+```ruby
+describe azure_microsoft_defender_setting(name: 'SETTING_NAME') do
+ it { should exist }
+end
+```
+
+Use `should_not` if you expect zero matches.
+
+```ruby
+describe azure_microsoft_defender_setting(name: 'SETTING_NAME') do
+ it { should_not exist }
+end
+```
+
+## Azure permissions
+
+Graph resources require specific privileges granted to your service principal. Please refer to the [Microsoft Documentation](https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-integrating-applications#updating-an-application) for information on how to grant these permissions to your application.
diff --git a/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_microsoft_defender_settings.md b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_microsoft_defender_settings.md
new file mode 100644
index 0000000..8a64eaa
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_microsoft_defender_settings.md
@@ -0,0 +1,92 @@
++++
+title = "azure_microsoft_defender_settings resource"
+
+draft = false
+
+
+[menu.azure]
+title = "azure_microsoft_defender_settings"
+identifier = "inspec/resources/azure/azure_microsoft_defender_settings resource"
+parent = "inspec/resources/azure"
++++
+
+Use the `azure_microsoft_defender_settings` Chef InSpec audit resource to test the properties of multiple Microsoft Defender for Cloud Settings configurations.
+
+## Syntax
+
+```ruby
+describe azure_microsoft_defender_settings do
+ it { should exist }
+end
+```
+
+## Parameters
+
+No required parameters.
+
+## Properties
+
+`ids`
+: The ID of the resource.
+
+ Field: `id`
+
+`names`
+: The name of the resource.
+
+ Field: `name`
+
+`types`
+: The type of the resource.
+
+ Field: `type`
+
+`kinds`
+: The kind of the resource.
+
+ Field: `kind`
+
+`properties`
+: The properties of the resource.
+
+ Field: `properties`
+
+{{< note >}}
+
+{{< readfile file="content/reusable/md/inspec_filter_table.md" >}}
+
+{{< /note>}}
+
+See the [Azure documentation on Defender for Cloud Settings configuration](https://learn.microsoft.com/en-us/rest/api/defenderforcloud/settings/list?tabs=HTTP) for additional information. You may access any attribute in the response with the key names separated by dots (`.`).
+
+## Examples
+
+This resource does not have any examples.
+
+## Matchers
+
+{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}}
+
+This resource has the following special matchers.
+
+### exist
+
+The control passes if the filter returns at least one result.
+
+```ruby
+describe azure_microsoft_defender_settings do
+ it { should exist }
+end
+```
+
+Use `should_not` if you expect zero matches.
+
+```ruby
+describe azure_microsoft_defender_settings do
+ it { should_not exist }
+end
+```
+
+## Azure permissions
+
+Graph resources require specific privileges granted to your service principal. Please refer to the [Microsoft Documentation](https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-integrating-applications#updating-an-application) for information on how to grant these permissions to your application.
diff --git a/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_migrate_assessment.md b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_migrate_assessment.md
new file mode 100644
index 0000000..d49124e
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_migrate_assessment.md
@@ -0,0 +1,122 @@
++++
+title = "azure_migrate_assessment resource"
+
+draft = false
+
+
+[menu.azure]
+title = "azure_migrate_assessment"
+identifier = "inspec/resources/azure/azure_migrate_assessment resource"
+parent = "inspec/resources/azure"
++++
+
+Use the `azure_migrate_assessment` InSpec audit resource to test the properties related to the Azure Migrate assessment.
+
+## Azure REST API version, endpoint, and HTTP client parameters
+
+{{< readfile file="content/reusable/md/inspec_azure_common_parameters.md" >}}
+
+## Syntax
+
+`name`, `resource_group`, `project_name`, and `group_name` are required parameters.
+
+```ruby
+describe azure_migrate_assessment(resource_group: 'RESOURCE_GROUP', project_name: 'PROJECT_NAME', group_name: 'GROUP_NAME', NAME: 'ASSESSMENT_NAME') do
+ it { should exist }
+ its('name') { should cmp 'ASSESSMENT_NAME' }
+ its('type') { should cmp 'Microsoft.Migrate/assessmentprojects/groups/assessments' }
+end
+```
+
+```ruby
+describe azure_migrate_assessment(resource_group: 'RESOURCE_GROUP', project_name: 'PROJECT_NAME', group_name: 'GROUP_NAME', NAME: 'ASSESSMENT_NAME') do
+ it { should exist }
+end
+```
+
+## Parameters
+
+`name`
+: Name of the Azure Migrate assessment to test.
+
+`resource_group`
+: Azure resource group where the targeted resource resides.
+
+`project_name`
+: Azure Migrate assessment project.
+
+`group_name`
+: Unique name of a group within a project.
+
+The parameter set should be provided for a valid query are `resource_group`, `project_name`, `group_name`, and `name`.
+
+## Properties
+
+`id`
+: Path reference to the assessment.
+
+`name`
+: Unique name of an assessment.
+
+`type`
+: Object type.
+
+`eTag`
+: For optimistic concurrency control.
+
+`properties`
+: Properties of the assessment.
+
+`properties.azureDiskType`
+: Storage type selected for this disk.
+
+`properties.currency`
+: Currency to report the prices.
+
+`properties.sizingCriterion`
+: Assessment sizing criterion.
+
+`properties.reservedInstance`
+: Azure reserved instance.
+
+For properties applicable to all resources, such as `type`, `name`, `id`, and `properties`, refer to [`azure_generic_resource`](azure_generic_resource#properties).
+
+Refer to the [Azure documentation](https://docs.microsoft.com/en-us/rest/api/migrate/assessment/assessments/get) for a full list of available properties. Access any attribute in the response by separating the key names with a period (`.`).
+
+## Examples
+
+Test that the migrate assessments have a minimum scaling factor:
+
+```ruby
+describe azure_migrate_assessment(resource_group: 'RESOURCE_GROUP', project_name: 'PROJECT_NAME', group_name: 'GROUP_NAME', NAME: 'ASSESSMENT_NAME') do
+ its('properties.scalingFactor') { should eq 1.0 }
+end
+```
+
+## Matchers
+
+{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}}
+
+### exists
+
+```ruby
+# If a Migrate Assessment is found, it will exist.
+
+describe azure_migrate_assessment(resource_group: 'RESOURCE_GROUP', project_name: 'PROJECT_NAME', group_name: 'GROUP_NAME', NAME: 'ASSESSMENT_NAME') do
+ it { should exist }
+end
+```
+
+### not_exists
+
+```ruby
+# If Migrate Assessments are not found, it will not exist.
+
+describe azure_migrate_assessment(resource_group: 'RESOURCE_GROUP', project_name: 'PROJECT_NAME', group_name: 'GROUP_NAME', NAME: 'ASSESSMENT_NAME') do
+ it { should_not exist }
+end
+```
+
+## Azure permissions
+
+{{% inspec-azure/azure_permissions_service_principal role="contributor" %}}
diff --git a/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_migrate_assessment_group.md b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_migrate_assessment_group.md
new file mode 100644
index 0000000..9466bb3
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_migrate_assessment_group.md
@@ -0,0 +1,116 @@
++++
+title = "azure_migrate_assessment_group resource"
+
+draft = false
+
+
+[menu.azure]
+title = "azure_migrate_assessment_group"
+identifier = "inspec/resources/azure/azure_migrate_assessment_group resource"
+parent = "inspec/resources/azure"
++++
+
+Use the `azure_migrate_assessment_group` InSpec audit resource to test the properties related to an Azure Migrate assessment group.
+
+## Azure REST API version, endpoint, and HTTP client parameters
+
+{{< readfile file="content/reusable/md/inspec_azure_common_parameters.md" >}}
+
+## Syntax
+
+`name`, `project_name`, and `resource_group` are required parameters.
+
+```ruby
+describe azure_migrate_assessment_group(resource_group: 'RESOURCE_GROUP', project_name: 'PROJECT_NAME', name: 'GROUP_NAME') do
+ it { should exist }
+ its('name') { should eq 'GROUP_NAME' }
+ its('type') { should cmp 'Microsoft.Migrate/assessmentProjects/groups' }
+end
+```
+
+```ruby
+describe azure_migrate_assessment_group(resource_group: 'RESOURCE_GROUP', project_name: 'PROJECT_NAME', name: 'GROUP_NAME') do
+ it { should exist }
+end
+```
+
+## Parameters
+
+`name`
+: Name of the Azure Migrate assessment group to test.
+
+`resource_group`
+: Azure resource group where the targeted resource resides.
+
+`project_name`
+: Azure Migrate assessment project.
+
+The parameter set that should be provided for a valid query is `resource_group`, `project_name`, and `name`.
+
+## Properties
+
+`id`
+: Path reference to the group.
+
+`name`
+: Name of the group.
+
+`type`
+: Object type.
+
+`eTag`
+: For optimistic concurrency control.
+
+`properties`
+: Properties of the group.
+
+`properties.areAssessmentsRunning`
+: If the assessments are in a running state.
+
+`properties.assessments`
+: List of references to assessments created on this group.
+
+`properties.machineCount`
+: Number of machines part of this group.
+
+For properties applicable to all resources, such as `type`, `name`, `id`, and `properties`, refer to [`azure_generic_resource`](azure_generic_resource#properties).
+
+Also, see the [Azure documentation](https://docs.microsoft.com/en-us/rest/api/migrate/assessment/groups/get) for other available properties. You can access any attribute in the response with the key names separated by dots (`.`).
+
+## Examples
+
+Test the migrate assessment group has at least five machines:
+
+```ruby
+describe azure_migrate_assessment_group(resource_group: 'RESOURCE_GROUP', project_name: 'PROJECT_NAME', name: 'GROUP_NAME') do
+ its('properties.machineCount') { should be >= 5 }
+end
+```
+
+## Matchers
+
+{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}}
+
+### exists
+
+```ruby
+# If a Migrate Assessment Group is found, it will exist.
+
+describe azure_migrate_assessment_group(resource_group: 'RESOURCE_GROUP', project_name: 'PROJECT_NAME', name: 'GROUP_NAME') do
+ it { should exist }
+end
+```
+
+### not_exists
+
+```ruby
+# If Migrate Assessment Group is not found, it will not exist.
+
+describe azure_migrate_assessment_group(resource_group: 'RESOURCE_GROUP', project_name: 'PROJECT_NAME', name: 'GROUP_NAME') do
+ it { should_not exist }
+end
+```
+
+## Azure permissions
+
+{{% inspec-azure/azure_permissions_service_principal role="contributor" %}}
diff --git a/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_migrate_assessment_groups.md b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_migrate_assessment_groups.md
new file mode 100644
index 0000000..7c8c42b
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_migrate_assessment_groups.md
@@ -0,0 +1,155 @@
++++
+title = "azure_migrate_assessment_groups resource"
+
+draft = false
+
+
+[menu.azure]
+title = "azure_migrate_assessment_groups"
+identifier = "inspec/resources/azure/azure_migrate_assessment_groups resource"
+parent = "inspec/resources/azure"
++++
+
+Use the `azure_migrate_assessment_groups` InSpec audit resource to test the properties related to all Azure Migrate assessment groups within a project.
+
+## Azure REST API version, endpoint, and HTTP client parameters
+
+{{< readfile file="content/reusable/md/inspec_azure_common_parameters.md" >}}
+
+## Syntax
+
+An `azure_migrate_assessment_groups` resource block returns all Azure Migrate assessment groups within a project.
+
+```ruby
+describe azure_migrate_assessment_groups(resource_group: 'RESOURCE_GROUP', project_name: 'PROJECT_NAME') do
+ #...
+end
+```
+
+## Parameters
+
+`resource_group`
+: Azure resource group where the targeted resource resides.
+
+`project_name`
+: Azure Migrate assessment project.
+
+The parameter set that should be provided for a valid query is `resource_group` and `project_name`.
+
+## Properties
+
+`ids`
+: Path reference to all the groups.
+
+ Field: `id`
+
+`names`
+: Unique names for all groups.
+
+ Field: `name`
+
+`types`
+: Type of the objects.
+
+ Field: `type`
+
+`eTags`
+: A list of eTags for all the groups.
+
+ Field: `eTag`
+
+`properties`
+: A list of properties for all the groups.
+
+ Field: `properties`
+
+`areAssessmentsRunnings`
+: A list of boolean describing the assessment run state.
+
+ Field: `areAssessmentsRunning`
+
+`assessments`
+: List of references to assessments created on this group.
+
+ Field: `assessments`
+
+`createdTimestamps`
+: List of creation times of the groups.
+
+ Field: `createdTimestamp`
+
+`groupStatuses`
+: List of creation status of the groups.
+
+ Field: `groupStatus`
+
+`groupTypes`
+: List of group types.
+
+ Field: `groupType`
+
+`machineCounts`
+: List of machine counts.
+
+ Field: `machineCount`
+
+`updatedTimestamps`
+: List of updated timestamps of the groups.
+
+ Field: `updatedTimestamp`
+
+{{< note >}}
+
+{{< readfile file="content/reusable/md/inspec_filter_table.md" >}}
+
+{{< /note>}}
+
+## Examples
+
+Loop through migrate assessment groups by their names:
+
+```ruby
+azure_migrate_assessment_groups(resource_group: 'RESOURCE_GROUP', project_name: 'PROJECT_NAME').names.each do |name|
+ describe azure_migrate_assessment_group(resource_group: `RESOURCE_GROUP`, project_name: `PROJECT_NAME`, name: `NAME`) do
+ it { should exist }
+ end
+end
+```
+
+Test that the assessments are running for migrating assessment groups:
+
+```ruby
+describe azure_migrate_assessment_groups(resource_group: 'RESOURCE_GROUP', project_name: 'PROJECT_NAME').where(areAssessmentsRunning: true) do
+ it { should exist }
+end
+```
+
+## Matchers
+
+{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}}
+
+This resource has the following special matchers.
+
+### exists
+
+```ruby
+# Should not exist if no Migrate Assessment groups are present in the project.
+
+describe azure_migrate_assessment_groups(resource_group: 'RESOURCE_GROUP', project_name: 'PROJECT_NAME') do
+ it { should_not exist }
+end
+```
+
+### not_exists
+
+```ruby
+# Should exist if the filter returns at least one Migrate Assessment groups in the project.
+
+describe azure_migrate_assessment_groups(resource_group: 'RESOURCE_GROUP', project_name: 'PROJECT_NAME') do
+ it { should exist }
+end
+```
+
+## Azure permissions
+
+{{% inspec-azure/azure_permissions_service_principal role="contributor" %}}
diff --git a/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_migrate_assessment_machine.md b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_migrate_assessment_machine.md
new file mode 100644
index 0000000..421873c
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_migrate_assessment_machine.md
@@ -0,0 +1,121 @@
++++
+title = "azure_migrate_assessment_machine resource"
+
+draft = false
+
+
+[menu.azure]
+title = "azure_migrate_assessment_machine"
+identifier = "inspec/resources/azure/azure_migrate_assessment_machine resource"
+parent = "inspec/resources/azure"
++++
+
+Use the `azure_migrate_assessment_machine` InSpec audit resource to test the properties related to an Azure Migrate assessment machine.
+
+## Azure REST API version, endpoint, and HTTP client parameters
+
+{{< readfile file="content/reusable/md/inspec_azure_common_parameters.md" >}}
+
+## Syntax
+
+`name`, `project_name`, and `resource_group` are required parameters.
+
+```ruby
+describe azure_migrate_assessment_machine(resource_group: 'RESOURCE_GROUP', project_name: 'MIGRATE_ASSESSMENT_PROJECT_NAME' name: 'MIGRATE_ASSESSMENT_MACHINE_NAME') do
+ it { should exist }
+ its('name') { should eq 'zoneA_machines_migrate_assessment' }
+ its('type') { should eq 'Microsoft.Migrate/assessmentprojects/machines' }
+end
+```
+
+```ruby
+describe azure_migrate_assessment_machine(resource_group: 'RESOURCE_GROUP', project_name: 'MIGRATE_ASSESSMENT_PROJECT_NAME' name: 'MIGRATE_ASSESSMENT_MACHINE_NAME') do
+ it { should exist }
+end
+```
+
+## Parameters
+
+`name` _(required)_
+
+: Name of the Azure Migrate assessment machine to test.
+
+`resource_group` _(required)_
+
+: Azure resource group where the targeted resource resides.
+
+`project_name` _(required)_
+
+: The Azure Migrate Assessment project.
+
+## Properties
+
+`id`
+: Path reference to the assessment.
+
+`name`
+: Unique name of an assessment.
+
+`type`
+: Type of the object. `Microsoft.Migrate/assessmentprojects/machines`.
+
+`eTag`
+: For optimistic concurrency control.
+
+`properties`
+: Properties of the assessment.
+
+`properties.bootType`
+: Boot type of machine.
+
+`properties.megabytesOfMemory`
+: Memory in Megabytes.
+
+`properties.numberOfCores`
+: Processor count.
+
+`properties.operatingSystemType`
+: Operating system type of the machine.
+
+For properties applicable to all resources, such as `type`, `name`, `id`, and `properties`, refer to [`azure_generic_resource`](azure_generic_resource#properties).
+
+Also, see the [Azure documentation](https://docs.microsoft.com/en-us/rest/api/migrate/assessment/machines/get) for other available properties.
+You can access any attribute in the response with the key names separated by dots (`.`).
+
+## Examples
+
+Test the boot migrate assessment machine:
+
+```ruby
+describe azure_migrate_assessment_machine(resource_group: 'RESOURCE_GROUP', project_name: 'MIGRATE_ASSESSMENT_PROJECT_NAME', name: 'MIGRATE_ASSESSMENT_MACHINE_NAME') do
+ its('properties.bootType') { should eq 'BIOS' }
+end
+```
+
+## Matchers
+
+{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}}
+
+### exists
+
+```ruby
+# If a migrate assessment machine is found, it exists.
+
+describe azure_migrate_assessment_machine(resource_group: 'RESOURCE_GROUP', project_name: 'MIGRATE_ASSESSMENT_PROJECT_NAME' name: 'MIGRATE_ASSESSMENT_MACHINE_NAME') do
+ it { should exist }
+end
+```
+
+### not_exists
+
+```ruby
+# If migrate assessment machine is not found, it does not exist.
+
+describe azure_migrate_assessment_machine(resource_group: 'RESOURCE_GROUP', project_name: 'MIGRATE_ASSESSMENT_PROJECT_NAME' name: 'MIGRATE_ASSESSMENT_MACHINE_NAME') do
+ it { should_not exist }
+end
+```
+
+## Azure permissions
+
+{{% inspec-azure/azure_permissions_service_principal role="contributor" %}}
diff --git a/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_migrate_assessment_machines.md b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_migrate_assessment_machines.md
new file mode 100644
index 0000000..81b4184
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_migrate_assessment_machines.md
@@ -0,0 +1,200 @@
++++
+title = "azure_migrate_assessment_machines resource"
+
+draft = false
+
+
+[menu.azure]
+title = "azure_migrate_assessment_machines"
+identifier = "inspec/resources/azure/azure_migrate_assessment_machines resource"
+parent = "inspec/resources/azure"
++++
+
+Use the `azure_migrate_assessment_machines` InSpec audit resource to test the properties related to all Azure Migrate assessment machines within a project.
+
+## Azure REST API version, endpoint, and HTTP client parameters
+
+{{< readfile file="content/reusable/md/inspec_azure_common_parameters.md" >}}
+
+## Syntax
+
+An `azure_migrate_assessment_machines` resource block returns all Azure Migrate assessment machines within a project.
+
+```ruby
+describe azure_migrate_assessment_machines(resource_group: 'RESOURCE_GROUP', project_name: 'MIGRATE_ASSESSMENT_PROJECT_NAME') do
+ #...
+end
+```
+
+## Parameters
+
+`resource_group` _(required)_
+
+: Azure resource group where the targeted resource resides.
+
+`project_name` _(required)_
+
+: The Azure Migrate Assessment project.
+
+## Properties
+
+`ids`
+: Path reference to the assessment machines.
+
+ Field: `id`
+
+`names`
+: Unique names for all assessment machines.
+
+ Field: `name`
+
+`types`
+: Type of the objects.
+
+ Field: `type`
+
+`eTags`
+: A list of eTags for all the assessment machines.
+
+ Field: `eTag`
+
+`properties`
+: A list of properties for all the assessment machines.
+
+ Field: `properties`
+
+`bootTypes`
+: A list of boot machines.
+
+ Field: `bootType`
+
+`createdTimestamps`
+: Time when this machine is created.
+
+ Field: `createdTimestamp`
+
+`datacenterManagementServerArmIds`
+: A list of ARM IDs of the data center as tracked by the `Microsoft.OffAzure`.
+
+ Field: `datacenterManagementServerArmId`
+
+`datacenterManagementServerNames`
+: Name of the servers hosting the data center management solution.
+
+ Field: `datacenterManagementServerName`
+
+`descriptions`
+: Descriptions of all the machines.
+
+ Field: `description`
+
+`discoveryMachineArmIds`
+: A list of ARM IDs of the machine as tracked by the `Microsoft.OffAzure`.
+
+ Field: `discoveryMachineArmId`
+
+`disks`
+: Dictionary of disks attached to all the machines. The key is disk ID. Value is a disk object.
+
+ Field: `disks`
+
+`displayNames`
+: User readable names of all the machines as defined by the user in their private data center.
+
+ Field: `displayName`
+
+`groups`
+: A List of references to the groups where the machine is a member.
+
+ Field: `groups`
+
+`megabytesOfMemories`
+: A list of memories in Megabytes.
+
+ Field: `megabytesOfMemory`
+
+`networkAdapters`
+: Dictionary of network adapters attached to all the machines. The key is the network adapter ID. Value is a network adapter object.
+
+ Field: `networkAdapters`
+
+`numberOfCores`
+: Processor counts.
+
+ Field: `numberOfCores`
+
+`operatingSystemTypes`
+: Operating system types of all the machines.
+
+ Field: `operatingSystemType`
+
+`operatingSystemNames`
+: Operating system names of all the machines.
+
+ Field: `operatingSystemName`
+
+`operatingSystemVersions`
+: Operating system versions of all the machines.
+
+ Field: `operatingSystemVersion`
+
+`updatedTimestamps`
+: Time when the machines are last updated.
+
+ Field: `updatedTimestamp`
+
+{{< note >}}
+
+{{< readfile file="content/reusable/md/inspec_filter_table.md" >}}
+
+{{< /note>}}
+
+## Examples
+
+Loop through migrate assessment machines by their names:
+
+```ruby
+azure_migrate_assessment_machines(resource_group: 'RESOURCE_GROUP', project_name: 'MIGRATE_ASSESSMENT_PROJECT_NAME').names.each do |name|
+ describe azure_migrate_assessment_machine(resource_group: 'RESOURCE_GROUP', project_name: 'MIGRATE_ASSESSMENT_PROJECT_NAME', group_name: 'MACHINE_GROUP_NAME', name: name) do
+ it { should exist }
+ end
+end
+```
+
+Test that there are migrate assessment machines with BIOS boot type:
+
+```ruby
+describe azure_migrate_assessment_machines(resource_group: 'RESOURCE_GROUP', project_name: 'MIGRATE_ASSESSMENT_PROJECT_NAME').where(bootType: 'BIOS') do
+ it { should exist }
+end
+```
+
+## Matchers
+
+{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}}
+
+This resource has the following special matchers.
+
+### exists
+
+```ruby
+# Should not exist if no migrate assessment machines are present in the project and the resource group.
+
+describe azure_migrate_assessment_machines(resource_group: 'RESOURCE_GROUP', project_name: 'MIGRATE_ASSESSMENT_PROJECT_NAME') do
+ it { should_not exist }
+end
+```
+
+### not_exists
+
+```ruby
+# Should exist if the filter returns at least one migrate assessment machine in the project and the resource group.
+
+describe azure_migrate_assessment_machines(resource_group: 'RESOURCE_GROUP', project_name: 'MIGRATE_ASSESSMENT_PROJECT_NAME') do
+ it { should exist }
+end
+```
+
+## Azure permissions
+
+{{% inspec-azure/azure_permissions_service_principal role="contributor" %}}
diff --git a/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_migrate_assessment_project.md b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_migrate_assessment_project.md
new file mode 100644
index 0000000..08ac8d5
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_migrate_assessment_project.md 
@@ -0,0 +1,122 @@
++++
+title = "azure_migrate_assessment_project resource"
+
+draft = false
+
+
+[menu.azure]
+title = "azure_migrate_assessment_project"
+identifier = "inspec/resources/azure/azure_migrate_assessment_project resource"
+parent = "inspec/resources/azure"
++++
+
+Use the `azure_migrate_assessment_project` InSpec audit resource to test the properties related to an Azure Migrate assessment project.
+
+## Azure REST API version, endpoint, and HTTP client parameters
+
+{{< readfile file="content/reusable/md/inspec_azure_common_parameters.md" >}}
+
+## Syntax
+
+`name` and `resource_group` are required parameters.
+
+```ruby
+describe azure_migrate_assessment_project(resource_group: 'RESOURCE_GROUP', name: 'ASSESSMENT_PROJECT_NAME') do
+ it { should exist }
+ its('name') { should cmp 'ASSESSMENT_PROJECT_NAME' }
+ its('type') { should cmp 'Microsoft.Migrate/assessmentprojects' }
+end
+```
+
+```ruby
+describe azure_migrate_assessment_project(resource_group: 'RESOURCE_GROUP', name: 'ASSESSMENT_PROJECT_NAME') do
+ it { should exist }
+end
+```
+
+## Parameters
+
+`name`
+: Name of the Azure Migrate assessment project to test.
+
+`resource_group`
+: Azure resource group where the targeted project resides.
+
+The parameter set that should be provided for a valid query is `resource_group` and `name`.
+
+## Properties
+
+`id`
+: Path reference to the project.
+
+`name`
+: Project name.
+
+`type`
+: Type of the object.
+
+`eTag`
+: For optimistic concurrency control.
+
+`properties`
+: Properties of the project.
+
+`location`
+: Azure location in which the project is created.
+
+`properties.assessmentSolutionId`
+: Assessment solution ARM ID tracked by `Microsoft.Migrate/migrateProjects`.
+
+`properties.customerStorageAccountArmId`
+: The ARM ID of the storage account is used for interactions when public access is disabled.
+
+`properties.privateEndpointConnections`
+: The list of private endpoint connections to the project.
+
+`properties.numberOfMachines`
+: Number of machines in the project.
+
+`tags`
+: Tags provided by Azure Tagging service.
+
+For properties applicable to all resources, such as `type`, `name`, `id`, and `properties`, refer to the [`azure_generic_resource`](azure_generic_resource#properties).
+
+Refer to the [Azure documentation](https://docs.microsoft.com/en-us/rest/api/migrate/assessment/projects/get) for other available properties. Access any attribute in the response by separating the key names with a period (`.`).
+
+## Examples
+
+Test that the migrate assessment project has a minimum scaling factor:
+
+```ruby
+describe azure_migrate_assessment_project(resource_group: 'RESOURCE_GROUP', name: 'ASSESSMENT_PROJECT_NAME') do
+ its('properties.numberOfGroups') { should eq 2 }
+end
+```
+
+## Matchers
+
+{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}}
+
+### exists
+
+```ruby
+# If a Migrate Assessment project is found, it will exist.
+
+describe azure_migrate_assessment_project(resource_group: 'RESOURCE_GROUP', name: 'ASSESSMENT_PROJECT_NAME') do
+ it { should exist }
+end
+```
+
+### not_exists
+
+```ruby
+# If Migrate Assessment project is not found, it will not exist.
+
+describe azure_migrate_assessment_project(resource_group: 'RESOURCE_GROUP', name: 'ASSESSMENT_PROJECT_NAME') do
+ it { should_not exist }
+end
+```
+
+## Azure permissions
+
+{{% inspec-azure/azure_permissions_service_principal role="contributor" %}}
diff --git a/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_migrate_assessment_projects.md b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_migrate_assessment_projects.md
new file mode 100644
index 0000000..d8ca25f
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_migrate_assessment_projects.md
@@ -0,0 +1,199 @@ ++++ +title = "azure_migrate_assessment_projects resource" + +draft = false + + +[menu.azure] +title = "azure_migrate_assessment_projects" +identifier = "inspec/resources/azure/azure_migrate_assessment_projects resource" +parent = "inspec/resources/azure" ++++ + +Use the `azure_migrate_assessment_projects` InSpec audit resource to test the properties related to all Azure Migrate assessment projects within a subscription. + +## Azure REST API version, endpoint, and HTTP client parameters + +{{< readfile file="content/reusable/md/inspec_azure_common_parameters.md" >}} + +## Syntax + +An `azure_migrate_assessment_projects` resource block returns all Azure Migrate projects within a subscription. + +```ruby +describe azure_migrate_assessment_projects do + #... +end +``` + +## Parameters + +This resource does not require any parameters. + +## Properties + +`ids` +: Path reference to the projects. + + Field: `id` + +`names` +: Name of the projects. + + Field: `name` + +`types` +: Type of the project. + + Field: `type` + +`eTags` +: A list of eTags for all the assessments. + + Field: `eTag` + +`locations` +: Azure locations in which the project is created. + + Field: `location` + +`tags` +: A list of Tags provided by Azure Tagging service. + + Field: `tags` + +`properties` +: A list of Properties for all the projects. + + Field: `properties` + +`assessmentSolutionIds` +: Assessment solution ARM IDs tracked by `Microsoft.Migrate/migrateProjects`. + + Field: `assessmentSolutionId` + +`createdTimestamps` +: Times when this project is created. Date-Time is represented in ISO-8601 format. + + Field: `createdTimestamp` + +`customerStorageAccountArmIds` +: The ARM IDs of the storage account used for interactions when public access is disabled. + + Field: `customerStorageAccountArmId` + +`customerWorkspaceIds` +: The ARM IDs of the service map workspace created by customer. 
+ + Field: `customerWorkspaceId` + +`customerWorkspaceLocations` +: Locations of the service map workspace created by customer. + + Field: `customerWorkspaceLocation` + +`lastAssessmentTimestamps` +: Times when the last assessment is created. + + Field: `lastAssessmentTimestamp` + +`numberOfAssessments` +: Number of assessments created in the project. + + Field: `numberOfAssessments` + +`numberOfGroups` +: Number of groups created in all the projects. + + Field: `numberOfGroups` + +`numberOfMachines` +: Number of machines in all the projects. + + Field: `numberOfMachines` + +`privateEndpointConnections` +: The list of private endpoint connections to the projects. + + Field: `privateEndpointConnections` + +`projectStatuses` +: Assessment project statuses. + + Field: `projectStatus` + +`provisioningStates` +: Provisioning states of all the projects. + + Field: `provisioningState` + +`publicNetworkAccesses` +: Public network access for all the projects. + + Field: `publicNetworkAccess` + +`serviceEndpoints` +: Service endpoints of all the projects. + + Field: `serviceEndpoint` + +`updatedTimestamps` +: Times when this project is last updated. + + Field: `updatedTimestamp` + +{{< note >}} + +{{< readfile file="content/reusable/md/inspec_filter_table.md" >}} + +{{< /note>}} + +## Examples + +Loop through migrate assessment projects by their names: + +```ruby +azure_migrate_assessment_projects.names.each do |name| + describe azure_migrate_assessment_project(resource_group: 'RESOURCE_GROUP', name: name) do + it { should exist } + end +end +``` + +Test to ensure that migrate assessment projects in West Europe location: + +```ruby +describe azure_migrate_assessment_projects.where(location: 'westeurope') do + it { should exist } +end +``` + +## Matchers + +{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}} + +This resource has the following special matchers. 
+ +### exists + +```ruby +# Should not exist if no Migrate Assessment projects are present in the subscription. + +describe azure_migrate_assessment_projects do + it { should_not exist } +end +``` + +### not_exists + +```ruby +# Should exist if the filter returns at least one Migrate Assessment project in the subscription. + +describe azure_migrate_assessment_projects do + it { should exist } +end +``` + +## Azure permissions + +{{% inspec-azure/azure_permissions_service_principal role="contributor" %}} diff --git a/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_migrate_assessments.md b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_migrate_assessments.md new file mode 100644 index 0000000..ca2ba2c --- /dev/null +++ b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_migrate_assessments.md 
@@ -0,0 +1,272 @@ ++++ +title = "azure_migrate_assessments resource" + +draft = false + + +[menu.azure] +title = "azure_migrate_assessments" +identifier = "inspec/resources/azure/azure_migrate_assessments resource" +parent = "inspec/resources/azure" ++++ + +Use the `azure_migrate_assessments` InSpec audit resource to test the properties related to all Azure Migrate assessments within a project. + +## Azure REST API version, endpoint, and HTTP client parameters + +{{< readfile file="content/reusable/md/inspec_azure_common_parameters.md" >}} + +## Syntax + +An `azure_migrate_assessments` resource block returns all Azure Migrate assessments within a project. + +```ruby +describe azure_migrate_assessments(resource_group: 'RESOURCE_GROUP', project_name: 'PROJECT_NAME') do + #... +end +``` + +## Parameters + +`resource_group` +: Azure resource group where the targeted resource resides. + +`project_name` +: Azure Migrate assessments project name. + +The parameter set that should be provided for a valid query are `resource_group` and `project_name`. + +## Properties + +`ids` +: Path reference to the assessments. + + Field: `id` + +`names` +: Unique names for all assessments. + + Field: `name` + +`types` +: Type of the objects. + + Field: `type` + +`eTags` +: A list of eTags for all the assessments. + + Field: `eTag` + +`properties` +: A list of Properties for all the assessments. + + Field: `properties` + +`azureDiskTypes` +: Storage type selected for the disk of all the assessments. + + Field: `azureDiskType` + +`azureHybridUseBenefits` +: A HUB discount on windows virtual machines for all the assessments. + + Field: `azureHybridUseBenefit` + +`azureLocations` +: Target Azure locations for which the machines should be assessed. + + Field: `azureLocation` + +`azureOfferCodes` +: Offer codes according to which cost estimation is done. + + Field: `azureOfferCode` + +`azurePricingTiers` +: Pricing tiers for size evaluation. 
+ + Field: `azurePricingTier` + +`azureStorageRedundancies` +: Storage redundancy types offered by Azure. + + Field: `azureStorageRedundancy` + +`azureVmFamilies` +: List of azure VM families. + + Field: `azureVmFamilies` + +`confidenceRatingInPercentages` +: Confidence rating percentages for assessment. + + Field: `confidenceRatingInPercentage` + +`createdTimestamps` +: Time when this project is created. + + Field: `createdTimestamp` + +`currencies` +: Currencies to report the prices. + + Field: `currency` + +`discountPercentages` +: Custom discount percentages to be applied to final costs. + + Field: `discountPercentage` + +`eaSubscriptionIds` +: Enterprise agreement subscription arm IDs. + + Field: `eaSubscriptionId` + +`monthlyBandwidthCosts` +: Monthly network cost estimates for the machines. + + Field: `monthlyBandwidthCost` + +`monthlyComputeCosts` +: Monthly compute cost estimates for the machines. + + Field: `monthlyComputeCost` + +`monthlyPremiumStorageCosts` +: Monthly premium storage cost estimates for the machines. + + Field: `monthlyPremiumStorageCost` + +`monthlyStandardSSDStorageCosts` +: Monthly standard SSD storage cost estimates for the machines. + + Field: `monthlyStandardSSDStorageCost` + +`monthlyStorageCosts` +: Monthly storage cost estimates for the machines. + + Field: `monthlyStorageCost` + +`numberOfMachines` +: Number of assessed machines part of the assessments. + + Field: `numberOfMachines` + +`percentiles` +: Percentiles of performance data used to recommend Azure size. + + Field: `percentile` + +`perfDataEndTimes` +: End times to consider performance data for assessments. + + Field: `perfDataEndTime` + +`perfDataStartTimes` +: Start times to consider performance data for assessments. + + Field: `perfDataStartTime` + +`pricesTimestamps` +: Times when the Azure Prices are queried. + + Field: `pricesTimestamp` + +`reservedInstances` +: Azure reserved instances. 
+ + Field: `reservedInstance` + +`scalingFactors` +: Scaling factors used over utilization data to add a performance buffer for new machines to be created in Azure. + + Field: `scalingFactor` + +`sizingCriterions` +: Assessment sizing criteria. + + Field: `sizingCriterion` + +`stages` +: User configurable setting that describes the status of the assessments. + + Field: `stage` + +`statuses` +: Whether the assessments have been created and are valid. + + Field: `status` + +`timeRanges` +: Time ranges of performance data used to recommend a size. + + Field: `timeRange` + +`updatedTimestamps` +: Times when the project is last updated. + + Field: `updatedTimestamp` + +`vmUptimes` +: Specify the durations for which the VMs are up in the on-premises environment. + + Field: `vmUptime` + +Refer to the [Azure Migrate assements documentation](https://docs.microsoft.com/en-us/rest/api/migrate/assessment/assessments/list-by-project) for additional information. + +{{< note >}} + +{{< readfile file="content/reusable/md/inspec_filter_table.md" >}} + +{{< /note>}} + +## Examples + +Loop through migrate assessments by their names: + +```ruby +azure_migrate_assessments(resource_group: 'RESOURCE_GROUP', project_name: 'PROJECT_NAME'.names.each do |name| + describe azure_container_group (resource_group: 'RESOURCE_GROUP', project_name: 'PROJECT_NAME', group_name: 'GROUP_NAME', name: name) do + it { should exist } + end +end +``` + +Test to ensure migrate assessments exist with local redundancy: + +```ruby +describe azure_migrate_assessments(resource_group: 'RESOURCE_GROUP', project_name: 'PROJECT_NAME').where(azureStorageRedundancy: 'LocallyRedundant') do + it { should exist } +end +``` + +## Matchers + +{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}} + +This resource has the following special matchers. + +### exists + +```ruby +# Should not exist if no Migrate Assessments are present in the project and the resource group. 
+ +describe azure_migrate_assessments(resource_group: 'RESOURCE_GROUP', project_name: 'PROJECT_NAME') do + it { should_not exist } +end +``` + +### not_exists + +```ruby +# Should exist if the filter returns at least one Migrate Assessment in the project and the resource group. + +describe azure_migrate_assessments(resource_group: 'RESOURCE_GROUP', project_name: 'PROJECT_NAME') do + it { should exist } +end +``` + +## Azure permissions + +{{% inspec-azure/azure_permissions_service_principal role="contributor" %}} diff --git a/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_migrate_project.md b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_migrate_project.md new file mode 100644 index 0000000..bcba5f0 --- /dev/null +++ b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_migrate_project.md 
@@ -0,0 +1,105 @@ ++++ +title = "azure_migrate_project resource" + +draft = false + + +[menu.azure] +title = "azure_migrate_project" +identifier = "inspec/resources/azure/azure_migrate_project resource" +parent = "inspec/resources/azure" ++++ + +Use the `azure_migrate_project` InSpec audit resource to test the properties related to an Azure Migrate project. + +## Azure REST API version, endpoint, and HTTP client parameters + +This resource interacts with API versions supported by the resource provider. The `api_version` can be defined as a resource parameter. +If not provided, the latest version will be used. For more information, refer to [`azure_generic_resource`](azure_generic_resource.md). + +Unless defined, `azure_cloud` global endpoint and default values for the HTTP client will be used. For more information, refer to the resource pack [README](https://github.com/inspec/inspec-azure/blob/main/README.md). + +## Syntax + +`name` and `resource_group` are required parameters. + +```ruby +describe azure_migrate_project(resource_group: 'RESOURCE_GROUP', name: 'PROJECT_NAME') do + it { should exist } + its('name') { should eq 'zoneA_migrate_project' } + its('type') { should eq 'Microsoft.Migrate/MigrateProjects' } +end +``` + +```ruby +describe azure_migrate_project(resource_group: 'RESOURCE_GROUP', name: 'PROJECT_NAME') do + it { should exist } +end +``` + +## Parameters + +`name` +: Name of the Azure Migrate project to test. + +`resource_group` +: Azure resource group where the targeted resource resides. + +The parameter set that should be provided for a valid query is `resource_group` and `name`. + +## Properties + +`id` +: Path reference to the Migrate project. + +`eTag` +: The eTag for concurrency control. + +`name` +: Unique name of a Migrate project. + +`type` +: Type of the object. `Microsoft.Migrate/MigrateProject`. + +`properties` +: The nested properties. 
+ +For properties applicable to all resources, such as `type`, `name`, `id`, and `properties`, refer to [`azure_generic_resource`](azure_generic_resource#properties). + +Also, refer to the [Azure documentation](https://docs.microsoft.com/en-us/rest/api/migrate/projects/migrate-projects/get-migrate-project) for other available properties. + +Any attribute in the response nested within properties may be accessed with the key names separated by dots (`.`), and attributes nested in the assessment data are pluralized and listed as a collection. + +## Examples + +Test that The Migrate project has a server instance type: + +```ruby +describe azure_migrate_project(resource_group: 'RESOURCE_GROUP', name: 'PROJECT_NAME') do + its('properties.summary.servers.instanceType') { should eq 'Servers' } +end +``` + +## Matchers + +{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}} + +### exists + +```ruby +# If a Migrate project is found, it exists. + +describe azure_migrate_project(resource_group: 'RESOURCE_GROUP', name: 'PROJECT_NAME') do + it { should exist } +end + +# If Migrate project is not found, it does not exist. + +describe azure_migrate_project(resource_group: 'RESOURCE_GROUP', name: 'PROJECT_NAME') do + it { should_not exist } +end +``` + +## Azure permissions + +{{% inspec-azure/azure_permissions_service_principal role="contributor" %}} diff --git a/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_migrate_project_database.md b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_migrate_project_database.md new file mode 100644 index 0000000..abfff12 --- /dev/null +++ b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_migrate_project_database.md 
@@ -0,0 +1,129 @@ ++++ +title = "azure_migrate_project_database resource" + +draft = false + + +[menu.azure] +title = "azure_migrate_project_database" +identifier = "inspec/resources/azure/azure_migrate_project_database resource" +parent = "inspec/resources/azure" ++++ + +Use the `azure_migrate_project_database` InSpec audit resource to test the properties related to an Azure Migrate Project database. + +## Azure REST API version, endpoint, and HTTP client parameters + +{{< readfile file="content/reusable/md/inspec_azure_common_parameters.md" >}} + +## Syntax + +`name` is a required parameter and `resource_group` is an optional parameter. + +```ruby +describe azure_migrate_project_database(resource_group: 'RESOURCE_GROUP', project_name: 'PROJECT_NAME', name: 'PROJECT_DB_NAME') do + it { should exist } + its('name') { should eq 'PROJECT_DB_NAME' } + its('type') { should eq 'Microsoft.Migrate/MigrateProjects/Databases' } + its('solutionNames') { should include 'MIGRATEDBSOLUTION' } +end +``` + +```ruby +describe azure_migrate_project_database(resource_group: 'RESOURCE_GROUP', project_name: 'PROJECT_NAME', name: 'PROJECT_DB_NAME') do + it { should exist } +end +``` + +## Parameters + +`name` +: Name of the Azure Migrate project database to test. + +`resource_group` +: Azure resource group where the targeted resource resides. + +`project_name` +: Azure Migrate assessment project. + +The parameter set should be provided for a valid query are `resource_group`, `project_name`, and `name`. + +## Properties + +`id` +: Path reference to the migrate project database. + +`name` +: Unique name of a migrate project database. + +`type` +: Type of the object. `Microsoft.Migrate/MigrateProjects/Databases`. + +`properties` +: Properties of the assessment. + +`properties.assessmentData` +: Assessment details of the database published by various sources. + +`assessmentIds` +: The database assessment scope/IDs. + +`migrationBlockersCounts` +: The number of blocking changes found. 
+ +`breakingChangesCounts` +: The number of breaking changes found. + +`assessmentTargetTypes` +: The assessed target database types. + +`solutionNames` +: The names of the solutions that sent the data. + +`instanceIds` +: The database servers' instance IDs. + +`databaseNames` +: The name of the databases. + +For properties applicable to all resources, such as `type`, `name`, `id`, and `properties`, refer to [`azure_generic_resource`](azure_generic_resource#properties). + +Also, see the [Azure documentation](https://docs.microsoft.com/en-us/rest/api/migrate/projects/databases/get-database) for other available properties. Any attribute in the response nested within properties is accessed with the key names separated by dots (`.`), and attributes nested in the assessmentData are pluralized and listed as a collection. + +## Examples + +Test that Migrate Project database has a SQL 'assessmentTargetType': + +```ruby +describe azure_migrate_project_database(resource_group: 'RESOURCE_GROUP', project_name: 'PROJECT_NAME', name: 'PROJECT_DB_NAME') do + its('assessmentTargetTypes') { should include 'SQL' } +end +``` + +## Matchers + +{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}} + +### exists + +```ruby +# If a Migrate Project database is found, it will exist. + +describe azure_migrate_project_database(resource_group: 'RESOURCE_GROUP', project_name: 'PROJECT_NAME', name: 'PROJECT_DB_NAME') do + it { should exist } +end +``` + +### not_exists + +```ruby +# if Migrate Project Database is not found, it will not exist. + +describe azure_migrate_project_database(resource_group: 'RESOURCE_GROUP', project_name: 'PROJECT_NAME', name: 'PROJECT_DB_NAME') do + it { should_not exist } +end +``` + +## Azure permissions + +{{% inspec-azure/azure_permissions_service_principal role="contributor" %}} 
diff --git a/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_migrate_project_database_instance.md b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_migrate_project_database_instance.md new file mode 100644 index 0000000..9446c85 --- /dev/null +++ b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_migrate_project_database_instance.md 
@@ -0,0 +1,145 @@ ++++ +title = "azure_migrate_project_database_instance resource" + +draft = false + + +[menu.azure] +title = "azure_migrate_project_database_instance" +identifier = "inspec/resources/azure/azure_migrate_project_database_instance resource" +parent = "inspec/resources/azure" ++++ + +Use the `azure_migrate_project_database_instance` InSpec audit resource to test the properties of a single Azure Migrate Project database instance. + +## Azure REST API version, endpoint, and HTTP client parameters + +{{< readfile file="content/reusable/md/inspec_azure_common_parameters.md" >}} + +## Syntax + +```ruby +describe azure_migrate_project_database_instance(resource_group: 'RESOURCE_GROUP', project_name: 'PROJECT_NAME', name: 'DB_NAME') do + it { should exist } + its('name') { should eq 'sql_db' } + its('type') { should eq 'Microsoft.Migrate/MigrateProjects/DatabaseInstances' } + its('solutionNames') { should include 'migrateDBSolution' } +end +``` + +```ruby +describe azure_migrate_project_database_instance(resource_group: 'RESOURCE_GROUP', project_name: 'PROJECT_NAME', name: 'DB_NAME') do + it { should exist } +end +``` + +## Parameters + +`name` _(required)_ + +: Unique name of a database in Azure migration hub. + +`resource_group` _(required)_ + +: Name of the Azure Resource Group where the migrate project is part. + +`project_name` _(required)_ + +: Name of the Azure Migrate project. + +## Properties + +`id` +: Path reference to the Migrate project database instance. + +`name` +: Unique name of an Migrate project database instance. + +`type` +: Type of the object. `Microsoft.Migrate/MigrateProjects/Databases`. + +`properties` +: The properties of the machine. + +`properties.discoveryData` +: The assessment details of the database instance published by various sources. + +`properties.summary` +: The database instances summary per solution. + +`enqueueTimes` +: The time when the message was enqueued. 
+ +`extendedInfos` +: The extended properties of the database server. + +`hostNames` +: The host names of the database servers. + +`instanceIds` +: The database instance IDs. + +`instanceNames` +: The database instance names. + +`instanceTypes` +: The database instance types. + +`instanceVersions` +: The database instance versions. + +`ipAddresses` +: The IP addresses of the database server. IP addresses could be IPv4 or IPv6. + +`lastUpdatedTimes` +: The time of the last modification of the database instance details. + +`portNumbers` +: The port numbers of the database server. + +`solutionNames` +: The names of the solution that sent the data. + +For properties applicable to all resources, such as `type`, `name`, `id`, and `properties`, refer to [`azure_generic_resource`](azure_generic_resource#properties). + +Also, see the [Azure documentation](https://docs.microsoft.com/en-us/rest/api/migrate/projects/databases/get-database) for other available properties. + +Any attribute in the response nested within properties may be accessed with the key names separated by dots (`.`), and attributes nested in the assessment data is pluralized and listed as a collection. + +## Examples + +Test that the Migrate Project database instance has a SQL instanceType: + +```ruby +describe azure_migrate_project_database_instance(resource_group: 'RESOURCE_GROUP', project_name: 'PROJECT_NAME', name: 'DB_NAME') do + its('instanceTypes') { should include 'SQL' } +end +``` + +## Matchers + +{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}} + +### exists + +```ruby +# If a Migrate Project database instance is found, it will exist. + +describe azure_migrate_project_database_instance(resource_group: 'RESOURCE_GROUP', project_name: 'PROJECT_NAME', name: 'DB_NAME') do + it { should exist } +end +``` + +### not_exists + +```ruby +# If Migrate Project database instance is not found, it will not exist. 
+ +describe azure_migrate_project_database_instance(resource_group: 'RESOURCE_GROUP', project_name: 'PROJECT_NAME', name: 'DB_NAME') do + it { should_not exist } +end +``` + +## Azure permissions + +{{% inspec-azure/azure_permissions_service_principal role="contributor" %}} diff --git a/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_migrate_project_database_instances.md b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_migrate_project_database_instances.md new file mode 100644 index 0000000..6f0687c --- /dev/null +++ b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_migrate_project_database_instances.md 
@@ -0,0 +1,180 @@ ++++ +title = "azure_migrate_project_database_instances resource" + +draft = false + + +[menu.azure] +title = "azure_migrate_project_database_instances" +identifier = "inspec/resources/azure/azure_migrate_project_database_instances resource" +parent = "inspec/resources/azure" ++++ + +Use the `azure_migrate_project_database_instances` InSpec audit resource to test the properties of all Azure Migrate Project database instances in a migrate project. + +## Azure REST API version, endpoint, and HTTP client parameters + +{{< readfile file="content/reusable/md/inspec_azure_common_parameters.md" >}} + +## Syntax + +An `azure_migrate_project_database_instances` resource block returns all Azure Migrate project database instances within a project. + +```ruby +describe azure_migrate_project_database_instances(resource_group: 'RESOURCE_GROUP', project_name: 'PROJECT_NAME') do + #... +end +``` + +## Parameters + +`resource_group` _(required)_ + +: Name of the Azure Resource Group where the migrate project is part. + +`project_name` _(required)_ + +: Name of the Azure Migrate project. + +## Properties + +`ids` +: Path reference to the project database instances. + + Field: `id` + +`names` +: Unique names for all project database instances. + + Field: `name` + +`types` +: Type of the objects. + + Field: `type` + +`properties` +: A list of properties for all the project database instances. + + Field: `properties` + +`discoveryDatas` +: The assessment details of the database published by various sources. + + Field: `assessmentData` + +`summaries` +: The database instances summaries per solution. + + Field: `summary` + +`lastUpdatedTimes` +: The time of the last modification of the database instance details. + + Field: `lastUpdatedTime` + +`enqueueTimes` +: The time when the message was enqueued. + + Field: `enqueueTimes` + +`extendedInfos` +: The extended properties of the database servers. 
+ + Field: `extendedInfos` + +`hostNames` +: The host names of the database servers. + + Field: `hostNames` + +`instanceIds` +: The database instance IDs. + + Field: `instanceIds` + +`instanceNames` +: The database instance names. + + Field: `instanceNames` + +`instanceTypes` +: The database instance types. + + Field: `instanceTypes` + +`instanceVersions` +: The database instance versions. + + Field: `instanceVersions` + +`ipAddresses` +: The IP addresses of the database server. IP addresses could be IPV4 or IPV6. + + Field: `ipAddresses` + +`portNumbers` +: The port numbers of the database server. + + Field: `portNumbers` + +`solutionNames` +: The names of the solution that sent the data. + + Field: `solutionNames` + +{{< note >}} + +{{< readfile file="content/reusable/md/inspec_filter_table.md" >}} + +{{< /note>}} + +## Examples + +Loop through Migrate Project database instances by their names: + +```ruby +azure_migrate_project_database_instances(resource_group: 'RESOURCE_GROUP', project_name: 'PROJECT_NAME').names.each do |name| + describe azure_migrate_project_database_instance(resource_group: 'RESOURCE_GROUP', project_name: 'PROJECT_NAME', name: name) do + it { should exist } + end +end +``` + +Test that there are Migrate Project database instances that are of SQL instance types: + +```ruby +describe azure_migrate_project_database_instances(resource_group: 'RESOURCE_GROUP', project_name: 'PROJECT_NAME').where{ instanceTypes.include?('SQL') } do + it { should exist } +end +``` + +## Matchers + +{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}} + +This resource has the following special matchers. + +### exists + +```ruby +# Should not exist if no Migrate Project database instances are present in the project and the resource group. 
+ +describe azure_migrate_project_database_instances(resource_group: 'RESOURCE_GROUP', project_name: 'PROJECT_NAME') do + it { should_not exist } +end +``` + +### not_exists + +```ruby +# Should exist if the filter returns at least one Migrate project database instance in the project and the resource group. + +describe azure_migrate_project_database_instances(resource_group: 'RESOURCE_GROUP', project_name: 'PROJECT_NAME') do + it { should exist } +end +``` + +## Azure permissions + +{{% inspec-azure/azure_permissions_service_principal role="contributor" %}} diff --git a/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_migrate_project_databases.md b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_migrate_project_databases.md new file mode 100644 index 0000000..5b253cb --- /dev/null +++ b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_migrate_project_databases.md 
@@ -0,0 +1,190 @@ ++++ +title = "azure_migrate_project_databases resource" + +draft = false + + +[menu.azure] +title = "azure_migrate_project_databases" +identifier = "inspec/resources/azure/azure_migrate_project_databases resource" +parent = "inspec/resources/azure" ++++ + +Use the `azure_migrate_project_databases` InSpec audit resource to test the properties of all Azure Migrate Project databases within a project. + +## Azure REST API version, endpoint, and HTTP client parameters + +{{< readfile file="content/reusable/md/inspec_azure_common_parameters.md" >}} + +## Syntax + +An `azure_migrate_project_databases` resource block returns all Azure Migrate Project databases within a project. + +```ruby +describe azure_migrate_project_databases(resource_group: 'RESOURCE_GROUP', project_name: 'PROJECT_NAME') do + #... +end +``` + +## Parameters + +`resource_group` +: Azure resource group where the targeted resource resides. + +`project_name` +: Azure Migrate Project. + +The parameter set should be provided for a valid query is`resource_group` and `project_name`. + +## Properties + +`ids` +: Path reference to the project databases. + + Field: `id` + +`names` +: Unique names for all project databases. + + Field: `name` + +`types` +: Type of the objects. + + Field: `type` + +`properties` +: A list of Properties for all the project databases. + + Field: `properties` + +`assessmentDatas` +: The assessment details of the database published by various sources. + + Field: `assessmentData` + +`assessmentIds` +: The database assessment scopes/IDs. + + Field: `assessmentId` + +`assessmentTargetTypes` +: The assessed target database types. + + Field: `assessmentTargetType` + +`breakingChangesCounts` +: The number of breaking changes found. + + Field: `breakingChangesCount` + +`compatibilityLevels` +: The compatibility levels of the database. + + Field: `compatibilityLevel` + +`databaseNames` +: The database names. 
+ + Field: `databaseName` + +`databaseSizeInMBs` +: The sizes of the databases. + + Field: `databaseSizeInMB` + +`enqueueTimes` +: The list of times the message is enqueued. + + Field: `enqueueTime` + +`extendedInfos` +: The extended properties of all the database. + + Field: `extendedInfo` + +`instanceIds` +: The database server instance IDs. + + Field: `instanceId` + +`isReadyForMigrations` +: The values indicating whether the database is ready for migration. + + Field: `isReadyForMigration` + +`lastAssessedTimes` +: The time when the databases were last assessed. + + Field: `lastAssessedTime` + +`lastUpdatedTimes` +: The time of the last modifications of the database details. + + Field: `lastUpdatedTime` + +`migrationBlockersCounts` +: The number of blocking changes found. + + Field: `migrationBlockersCount` + +`solutionNames` +: The names of the solution that sent the data. + + Field: `solutionName` + +{{< note >}} + +{{< readfile file="content/reusable/md/inspec_filter_table.md" >}} + +{{< /note>}} + +## Examples + +Loop through Migrate Project databases by their names: + +```ruby +azure_migrate_project_databases(resource_group: 'RESOURCE_GROUP', project_name: 'PROJECT_NAME').names.each do |name| + describe azure_migrate_project_database(resource_group: 'RESOURCE_GROUP', project_name: 'PROJECT_NAME', name: 'NAME') do + it { should exist } + end +end +``` + +Test there are Migrate Project databases are ready for migration: + +```ruby +describe azure_migrate_project_databases(resource_group: 'RESOURCE_GROUP', project_name: 'PROJECT_NAME').where{ isReadyForMigration.include?(true) } do + it { should exist } +end +``` + +## Matchers + +{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}} + +This resource has the following special matchers. + +### exists + +```ruby +# Should not exist if no Migrate Project databases are present in the project and the resource group. 
+ +describe azure_migrate_project_databases(resource_group: 'RESOURCE_GROUP', project_name: 'PROJECT_NAME') do + it { should_not exist } +end +``` + +### not_exists + +```ruby +# Should exist if the filter returns at least one Migrate project databases in the project and the resource group. + +describe azure_migrate_project_databases(resource_group: 'RESOURCE_GROUP', project_name: 'PROJECT_NAME') do + it { should exist } +end +``` + +## Azure permissions + +{{% inspec-azure/azure_permissions_service_principal role="contributor" %}} diff --git a/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_migrate_project_event.md b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_migrate_project_event.md new file mode 100644 index 0000000..a7d8e64 --- /dev/null +++ b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_migrate_project_event.md 
@@ -0,0 +1,105 @@
++++
+title = "azure_migrate_project_event resource"
+
+draft = false
+
+
+[menu.azure]
+title = "azure_migrate_project_event"
+identifier = "inspec/resources/azure/azure_migrate_project_event resource"
+parent = "inspec/resources/azure"
++++
+
+Use the `azure_migrate_project_event` InSpec audit resource to test the properties related to an Azure Migrate project event.
+
+## Azure REST API version, endpoint, and HTTP client parameters
+
+{{< readfile file="content/reusable/md/inspec_azure_common_parameters.md" >}}
+
+## Syntax
+
+`resource_group`, `project_name`, and `name` are required parameters.
+
+```ruby
+describe azure_migrate_project_event(resource_group: 'RESOURCE_GROUP', project_name: 'PROJECT_NAME', name: 'PROJECT_EVENT_NAME') do
+ it { should exist }
+ its('properties.instanceType') { should eq 'SERVERS' }
+end
+```
+
+```ruby
+describe azure_migrate_project_event(resource_group: 'RESOURCE_GROUP', project_name: 'PROJECT_NAME', name: 'PROJECT_EVENT_NAME') do
+ it { should exist }
+end
+```
+
+## Parameters
+
+`name`
+: Name of the Azure Migrate Project event to test.
+
+`resource_group`
+: Azure resource group where the targeted resource resides.
+
+`project_name`
+: Azure Migrate Assessment Project name.
+
+The parameter set should be provided for a valid query is `resource_group`, `project_name`, and `name`.
+
+## Properties
+
+`id`
+: Path reference to the Migrate project event.
+
+`name`
+: Unique name of a Migrate project event.
+
+`type`
+: Type of the object. `Microsoft.Migrate/MigrateProjects/Databases`.
+
+`properties`
+: Properties of the assessment.
+
+For properties applicable to all resources, such as `type`, `name`, `id`, and `properties`, refer to [`azure_generic_resource`](azure_generic_resource#properties).
+
+Also, see the [Azure documentation](https://docs.microsoft.com/en-us/rest/api/migrate/projects/events/get-event) for other available properties.
+
+Any attribute in the response nested within properties is accessed with the key names separated by dots (`.`), and attributes nested in the assessmentData are pluralized and listed as a collection.
+
+## Examples
+
+Test that the Migrate project event is of servers 'instanceType':
+
+```ruby
+describe azure_migrate_project_event(resource_group: 'RESOURCE_GROUP', project_name: 'PROJECT_NAME', name: 'PROJECT_EVENT_NAME') do
+ its('properties.instanceType') { should eq 'SERVERS' }
+end
+```
+
+## Matchers
+
+{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}}
+
+### exists
+
+```ruby
+# If a migrate project event is found, it will exist.
+
+describe azure_migrate_project_event(resource_group: 'RESOURCE_GROUP', project_name: 'PROJECT_NAME', name: 'PROJECT_EVENT_NAME') do
+ it { should exist }
+end
+```
+
+### not_exists
+
+```ruby
+# if migrate project event is not found, it will not exist.
+
+describe azure_migrate_project_event(resource_group: 'RESOURCE_GROUP', project_name: 'PROJECT_NAME', name: 'PROJECT_EVENT_NAME') do
+ it { should_not exist }
+end
+```
+
+## Azure permissions
+
+{{% inspec-azure/azure_permissions_service_principal role="contributor" %}}
diff --git a/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_migrate_project_events.md b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_migrate_project_events.md
new file mode 100644
index 0000000..4b1f130
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_migrate_project_events.md
@@ -0,0 +1,157 @@
++++
+title = "azure_migrate_project_events resource"
+
+draft = false
+
+
+[menu.azure]
+title = "azure_migrate_project_events"
+identifier = "inspec/resources/azure/azure_migrate_project_events resource"
+parent = "inspec/resources/azure"
++++
+
+Use the `azure_migrate_project_events` InSpec audit resource to test the properties related to all Azure Migrate project events within a project.
+
+## Azure REST API version, endpoint, and HTTP client parameters
+
+{{< readfile file="content/reusable/md/inspec_azure_common_parameters.md" >}}
+
+## Syntax
+
+An `azure_migrate_project_events` resource block returns all Azure Migrate project events within a project.
+
+```ruby
+describe azure_migrate_project_events(resource_group: 'RESOURCE_GROUP', project_name: 'PROJECT_NAME') do
+ #...
+end
+```
+
+## Parameters
+
+`resource_group`
+: Azure resource group where the targeted resource resides.
+
+`project_name`
+: Azure Migrate Project.
+
+The parameter set that should be provided for a valid query is `resource_group` and `project_name`.
+
+## Properties
+
+`ids`
+: Path reference to the project events.
+
+ Field: `id`
+
+`names`
+: Unique names for all project events.
+
+ Field: `name`
+
+`types`
+: Type of the objects.
+
+ Field: `type`
+
+`properties`
+: A list of properties for all the project events.
+
+ Field: `properties`
+
+`instanceTypes`
+: The instance types.
+
+ Field: `instanceType`
+
+`machines`
+: The machines for which the error is reported.
+
+ Field: `machine`
+
+`errorCodes`
+: The error codes.
+
+ Field: `errorCode`
+
+`errorMessages`
+: The error messages.
+
+ Field: `errorMessage`
+
+`recommendations`
+: The recommendations for the error.
+
+ Field: `recommendation`
+
+`possibleCauses`
+: The possible causes for the error.
+
+ Field: `possibleCause`
+
+`solutions`
+: The solutions for which the error is reported.
+
+ Field: `solution`
+
+`clientRequestIds`
+: The client request IDs of the payload for which the event is reported.
+
+ Field: `clientRequestId`
+
+{{< note >}}
+
+{{< readfile file="content/reusable/md/inspec_filter_table.md" >}}
+
+{{< /note>}}
+
+For more details on the available properties, see the [Azure documentation](https://docs.microsoft.com/en-us/rest/api/migrate/projects/events/enumerate-events).
+
+## Examples
+
+Loop through Migrate Project events by their names:
+
+```ruby
+azure_migrate_project_events(resource_group: 'RESOURCE_GROUP', project_name: 'PROJECT_NAME').names.each do |name|
+ describe azure_migrate_project_event(resource_group: 'RESOURCE_GROUP', project_name: 'PROJECT_NAME', name: `PROJECT_EVENT_NAME`) do
+ it { should exist }
+ end
+end
+```
+
+Test that there are Migrate Project events for databases:
+
+```ruby
+describe azure_migrate_project_events(resource_group: 'RESOURCE_GROUP', project_name: 'PROJECT_NAME').where(instanceType: 'Databases') do
+ it { should exist }
+end
+```
+
+## Matchers
+
+{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}}
+
+This resource has the following special matchers.
+
+### not_exists
+
+```ruby
+# Should not exist if no migrate project events are present in the project and the resource group.
+
+describe azure_migrate_project_events(resource_group: 'RESOURCE_GROUP', project_name: 'PROJECT_NAME') do
+ it { should_not exist }
+end
+```
+
+### exists
+
+```ruby
+# Should exist if the filter returns at least one migrate project event in the project and the resource group.
+
+describe azure_migrate_project_events(resource_group: 'RESOURCE_GROUP', project_name: 'PROJECT_NAME') do
+ it { should exist }
+end
+```
+
+## Azure permissions
+
+{{% inspec-azure/azure_permissions_service_principal role="contributor" %}}
diff --git a/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_migrate_project_machine.md b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_migrate_project_machine.md
new file mode 100644
index 0000000..c9cd5b2
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_migrate_project_machine.md 
@@ -0,0 +1,118 @@
++++
+title = "azure_migrate_project_machine resource"
+
+draft = false
+
+
+[menu.azure]
+title = "azure_migrate_project_machine"
+identifier = "inspec/resources/azure/azure_migrate_project_machine resource"
+parent = "inspec/resources/azure"
++++
+
+Use the `azure_migrate_project_machine` InSpec audit resource to test the properties related to an Azure Migrate Project machine.
+
+## Azure REST API version, endpoint, and HTTP client parameters
+
+{{< readfile file="content/reusable/md/inspec_azure_common_parameters.md" >}}
+
+## Syntax
+
+`resource_group`, `project_name`, and `name` are required parameters.
+
+```ruby
+describe azure_migrate_project_machine(resource_group: 'RESOURCE_GROUP', project_name: 'PROJECT_NAME', name: 'PROJECT_MACHINE_NAME') do
+ it{ should exist }
+ its('properties.discoveryData') { should_not be_empty }
+ its('properties.discoveryData.first') { should include({ osType: 'WINDOWSGUEST' }) }
+end
+```
+
+```ruby
+describe azure_migrate_project_machine(resource_group: 'RESOURCE_GROUP', project_name: 'PROJECT_NAME', name: 'PROJECT_MACHINE_NAME') do
+ it { should exist }
+end
+```
+
+## Parameters
+
+`name`
+: Name of the Azure Migrate Project machine to test.
+
+`resource_group`
+: Azure resource group where the targeted resource resides.
+
+`project_name`
+: Azure Migrate Assessment Project name.
+
+The parameter set that must be provided for a valid query is `resource_group`, `project_name`, and `name`.
+
+## Properties
+
+`id`
+: Path reference to the Migrate Project machine.
+
+`name`
+: Unique name of a Migrate Project machine.
+
+`type`
+: Type of the object. `Microsoft.Migrate/MigrateProjects/Databases`.
+
+`properties`
+: Properties of the assessment.
+
+`properties.assessmentData`
+: The assessment details of the machine published by various sources.
+
+`properties.discoveryData`
+: The discovery details of the machine published by various sources.
+
+`properties.migrationData`
+: The migration details of the machine published by various sources.
+
+`properties.lastUpdatedTime`
+: The time of the last modification of the machine.
+
+For properties applicable to all resources, such as `type`, `name`, `id`, and `properties`, refer to [`azure_generic_resource`](azure_generic_resource#properties).
+
+Also, see the [Azure documentation](https://docs.microsoft.com/en-us/rest/api/migrate/projects/machines/get-machine) for other available properties.
+
+Any attribute in the response nested within properties may be accessed with the key names separated by dots (`.`), and attributes nested in the **assessmentData** are pluralized and listed as a collection.
+
+## Examples
+
+Test that the Migrate Project machine has a Windows OS:
+
+```ruby
+describe azure_migrate_project_machine(resource_group: 'RESOURCE_GROUP', project_name: 'PROJECT_NAME', name: 'PROJECT_MACHINE_NAME') do
+ its('properties.discoveryData.first') { should include({ osType: 'WINDOWSGUEST' }) }
+end
+```
+
+## Matchers
+
+{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}}
+
+### exists
+
+```ruby
+# If a migrate project machine is found, it will exist.
+
+describe azure_migrate_project_machine(resource_group: 'RESOURCE_GROUP', project_name: 'PROJECT_NAME', name: 'PROJECT_MACHINE_NAME') do
+ it { should exist }
+end
+```
+
+### not_exists
+
+```ruby
+# If migrate project machine is not found, it will not exist.
+
+describe azure_migrate_project_machine(resource_group: 'RESOURCE_GROUP', project_name: 'PROJECT_NAME', name: 'PROJECT_MACHINE_NAME') do
+ it { should_not exist }
+end
+```
+
+## Azure permissions
+
+{{% inspec-azure/azure_permissions_service_principal role="contributor" %}}
diff --git a/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_migrate_project_machines.md b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_migrate_project_machines.md
new file mode 100644
index 0000000..0a58e79
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_migrate_project_machines.md
@@ -0,0 +1,143 @@
++++
+title = "azure_migrate_project_machines resource"
+
+draft = false
+
+
+[menu.azure]
+title = "azure_migrate_project_machines"
+identifier = "inspec/resources/azure/azure_migrate_project_machines resource"
+parent = "inspec/resources/azure"
++++
+
+Use the `azure_migrate_project_machines` InSpec audit resource to test the properties related to all Azure Migrate Project machines within a project.
+
+## Azure REST API version, endpoint, and HTTP client parameters
+
+{{< readfile file="content/reusable/md/inspec_azure_common_parameters.md" >}}
+
+## Syntax
+
+An `azure_migrate_project_machines` resource block returns all Azure Migrate Project machines within a project.
+
+```ruby
+describe azure_migrate_project_machines(resource_group: 'RESOURCE_GROUP', project_name: 'PROJECT_NAME') do
+ #...
+end
+```
+
+## Parameters
+
+`resource_group`
+: Azure resource group where the targeted resource resides.
+
+`project_name`
+: Azure Migrate project name.
+
+The parameter set that should be provided for a valid query is `resource_group` and `project_name`.
+
+## Properties
+
+`ids`
+: Path reference to the project machines.
+
+ Field: `id`
+
+`names`
+: Unique names for all project machines.
+
+ Field: `name`
+
+`types`
+: Type of the objects.
+
+ Field: `type`
+
+`properties`
+: A list of properties for all the project machines.
+
+ Field: `properties`
+
+`discoveryData`
+: The discovery details of all the machines published by various sources.
+
+ Field: `discoveryData`
+
+`assessmentData`
+: The assessment details of all the machines published by various sources.
+
+ Field: `assessmentData`
+
+`migrationData`
+: The migration details of all the machines published by various sources.
+
+ Field: `migrationData`
+
+`lastUpdatedTimes`
+: The times of the last modification of all the machines.
+
+ Field: `lastUpdatedTime`
+
+{{< note >}}
+
+{{< readfile file="content/reusable/md/inspec_filter_table.md" >}}
+
+{{< /note>}}
+
+## Examples
+
+Loop through Migrate Project machines by their names:
+
+```ruby
+azure_migrate_project_machines(resource_group: 'RESOURCE_GROUP', project_name: 'PROJECT_NAME').names.each do |name|
+ describe azure_migrate_project_machine(resource_group: 'RESOURCE_GROUP', project_name: 'PROJECT_NAME', name: `NAME`) do
+ it { should exist }
+ end
+end
+```
+
+Test that there are Migrate Project machines with Windows OS:
+
+```ruby
+describe azure_migrate_project_machines(resource_group: 'RESOURCE_GROUP', project_name: 'PROJECT_NAME').where{ discoveryData.detect{ |data| data[:osType] == 'WINDOWSGUEST' } } do
+ it { should exist }
+end
+```
+
+Test that the Migrate Project machines are of BIOS boot type:
+
+```ruby
+describe azure_migrate_project_machines(resource_group: 'RESOURCE_GROUP', project_name: 'PROJECT_NAME').where{ discoveryData.detect{ |data| data[:extendedInfo][:bootType] == 'BIOS' } } do
+ it { should exist }
+end
+```
+
+## Matchers
+
+{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}}
+
+This resource has the following special matchers.
+
+### exists
+
+```ruby
+# Should not exist if no Migrate Project machines are present in the project and the resource group.
+
+describe azure_migrate_project_machines(resource_group: 'migrate_vms', project_name: 'zoneA_migrate_project') do
+ it { should_not exist }
+end
+```
+
+### not_exists
+
+```ruby
+# Should exist if the filter returns at least one Migrate Project machine in the project and the resource group.
+
+describe azure_migrate_project_machines(resource_group: 'RESOURCE_GROUP', project_name: 'PROJECT_NAME') do
+ it { should exist }
+end
+```
+
+## Azure permissions
+
+{{% inspec-azure/azure_permissions_service_principal role="contributor" %}}
diff --git a/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_migrate_project_solution.md b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_migrate_project_solution.md
new file mode 100644
index 0000000..00ed74c
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_migrate_project_solution.md
@@ -0,0 +1,119 @@
++++
+title = "azure_migrate_project_solution resource"
+
+draft = false
+
+
+[menu.azure]
+title = "azure_migrate_project_solution"
+identifier = "inspec/resources/azure/azure_migrate_project_solution resource"
+parent = "inspec/resources/azure"
++++
+
+Use the `azure_migrate_project_solution` InSpec audit resource to test the properties related to an Azure Migrate Project solution.
+
+## Azure REST API version, endpoint, and HTTP client parameters
+
+{{< readfile file="content/reusable/md/inspec_azure_common_parameters.md" >}}
+
+## Syntax
+
+`name` and `resource_group` are required parameters.
+
+```ruby
+describe azure_migrate_project_solution(resource_group: 'RESOURCE_GROUP', project_name: 'PROJECT_NAME', name: 'PROJECT_SOLUTION_NAME') do
+ it { should exist }
+ its('name') { should cmp 'PROJECT_SOLUTION_NAME' }
+ its('type') { should cmp 'Microsoft.Migrate/MigrateProjects/Solutions' }
+end
+```
+
+```ruby
+describe azure_migrate_project_solution(resource_group: 'RESOURCE_GROUP', project_name: 'PROJECT_NAME', name: 'PROJECT_SOLUTION_NAME') do
+ it { should exist }
+end
+```
+
+## Parameters
+
+`name`
+: Name of the Azure Migrate project solution to test.
+
+`resource_group`
+: Azure resource group where the targeted resource resides.
+
+`project_name`
+: Azure Migrate project.
+
+The parameter set should be provided for a valid query is`resource_group`, `project_name`, and `name`.
+
+## Properties
+
+`id`
+: Path reference to the project solution.
+
+`name`
+: Unique name of the project solution.
+
+`type`
+: Object type. `Microsoft.Migrate/MigrateProjects/Solutions`.
+
+`eTag`
+: For optimistic concurrency control.
+
+`properties`
+: Properties of the project Solution.
+
+`properties.cleanupState`
+: The cleanup state of the solution.
+
+`properties.details`
+: The details of the solution.
+
+`properties.summary`
+: The summary of the solution.
+
+`properties.purpose`
+: The purpose of the solution.
+
+For properties applicable to all resources, such as `type`, `name`, `id`, and `properties`, refer to [`azure_generic_resource`](azure_generic_resource#properties).
+
+Also, see the [Azure documentation](https://docs.microsoft.com/en-us/rest/api/migrate/projects/solutions/get-solution) for other available properties. Any attribute in the response is accessed with the key names separated by dots (`.`).
+
+## Examples
+
+Test that the Migrate Project solution is defined for assessment:
+
+```ruby
+describe azure_migrate_project_solution(resource_group: 'RESOURCE_GROUP', project_name: 'PROJECT_NAME', name: 'PROJECT_SOLUTION_NAME') do
+ its('properties.purpose') { should eq 'ASSESSMENT' }
+end
+```
+
+## Matchers
+
+{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}}
+
+### exists
+
+```ruby
+# If a Migrate Project solution is found, it will exist.
+
+describe azure_migrate_project_solution(resource_group: 'RESOURCE_GROUP', project_name: 'PROJECT_NAME', name: 'PROJECT_SOLUTION_NAME') do
+ it { should exist }
+end
+```
+
+### not_exists
+
+```ruby
+# If Migrate Project solutions are not found, it will not exist.
+
+describe azure_migrate_project_solution(resource_group: 'RESOURCE_GROUP', project_name: 'PROJECT_NAME', name: 'PROJECT_SOLUTION_NAME') do
+ it { should_not exist }
+end
+```
+
+## Azure permissions
+
+{{% inspec-azure/azure_permissions_service_principal role="contributor" %}}
diff --git a/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_migrate_project_solutions.md b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_migrate_project_solutions.md
new file mode 100644
index 0000000..13571cd
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_migrate_project_solutions.md
@@ -0,0 +1,190 @@
++++
+title = "azure_migrate_project_solutions resource"
+
+draft = false
+
+
+[menu.azure]
+title = "azure_migrate_project_solutions"
+identifier = "inspec/resources/azure/azure_migrate_project_solutions resource"
+parent = "inspec/resources/azure"
++++
+
+Use the `azure_migrate_project_solutions` InSpec audit resource to test the properties related to all Azure Migrate Project solutions within a project.
+
+## Azure REST API version, endpoint, and HTTP client parameters
+
+{{< readfile file="content/reusable/md/inspec_azure_common_parameters.md" >}}
+
+## Syntax
+
+An `azure_migrate_project_solutions` resource block returns all Azure Migrate Project solutions within a project.
+
+```ruby
+describe azure_migrate_project_solutions(resource_group: 'RESOURCE_GROUP', project_name: 'PROJECT_NAME') do
+ #...
+end
+```
+
+## Parameters
+
+`resource_group`
+: Azure resource group where the targeted resource resides.
+
+`project_name`
+: Azure Migrate Project.
+
+The parameter set that should be provided for a valid query is `resource_group` and `project_name`.
+
+## Properties
+
+`ids`
+: Path reference to the project solutions.
+
+ Field: `id`
+
+`names`
+: Unique names for all project solutions.
+
+ Field: `name`
+
+`types`
+: Type of the objects.
+
+ Field: `type`
+
+`eTags`
+: A list of eTags for all the project solutions.
+
+ Field: `eTag`
+
+`properties`
+: A list of properties for all the project solutions.
+
+ Field: `properties`
+
+`tools`
+: The tool used in all the solutions.
+
+ Field: `tool`
+
+`purposes`
+: The purpose of all the solutions.
+
+ Field: `purpose`
+
+`goals`
+: The goals of all the solutions.
+
+ Field: `goal`
+
+`statuses`
+: The current status of all the solutions.
+
+ Field: `status`
+
+`cleanupStates`
+: The cleanup states of all the solutions.
+
+ Field: `cleanupState`
+
+`summaries`
+: The summary of all the solutions.
+
+ Field: `summary`
+
+`details`
+: The details of all the solutions.
+
+ Field: `details`
+
+`instanceTypes`
+: The Instance types.
+
+ Field: `instanceType`
+
+`databasesAssessedCounts`
+: The count of databases assessed.
+
+ Field: `databasesAssessedCount`
+
+`databaseInstancesAssessedCounts`
+: The count of database instances assessed.
+
+ Field: `databaseInstancesAssessedCount`
+
+`migrationReadyCounts`
+: The count of databases ready for migration.
+
+ Field: `migrationReadyCount`
+
+`groupCounts`
+: The count of groups reported by all the solutions.
+
+ Field: `groupCount`
+
+`assessmentCounts`
+: The count of assessments reported by all the solutions.
+
+ Field: `assessmentCount`
+
+`extendedDetails`
+: The extended details reported by all the solutions.
+
+ Field: `extendedDetails`
+
+{{< note >}}
+
+{{< readfile file="content/reusable/md/inspec_filter_table.md" >}}
+
+{{< /note>}}
+
+## Examples
+
+Loop through Migrate Project solutions by their names:
+
+```ruby
+azure_migrate_project_solutions(resource_group: 'RESOURCE_GROUP', project_name: 'PROJECT_NAME').names.each do |name|
+ describe azure_migrate_project_solution(resource_group: 'RESOURCE_GROUP', project_name: 'PROJECT_NAME', name: name) do
+ it { should exist }
+ end
+end
+```
+
+Test to ensure the Migrate Project solutions for assessment:
+
+```ruby
+describe azure_migrate_project_solutions(resource_group: 'RESOURCE_GROUP', project_name: 'PROJECT_NAME').where(purpose: 'Assessment') do
+ it { should exist }
+end
+```
+
+## Matchers
+
+{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}}
+
+This resource has the following special matchers.
+
+### not_exists
+
+```ruby
+# Should not exist if no Migrate Project solutions are present in the project and the resource group.
+
+describe azure_migrate_project_solutions(resource_group: 'RESOURCE_GROUP', project_name: 'PROJECT_NAME') do
+ it { should_not exist }
+end
+```
+
+### exists
+
+```ruby
+# Should exist if the filter returns at least one Migrate Project solution in the project and the resource group.
+
+describe azure_migrate_project_solutions(resource_group: 'RESOURCE_GROUP', project_name: 'PROJECT_NAME') do
+ it { should exist }
+end
+```
+
+## Azure permissions
+
+{{% inspec-azure/azure_permissions_service_principal role="contributor" %}}
diff --git a/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_monitor_activity_log_alert.md b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_monitor_activity_log_alert.md
new file mode 100644
index 0000000..428614e
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_monitor_activity_log_alert.md
@@ -0,0 +1,125 @@
++++
+title = "azure_monitor_activity_log_alert resource"
+
+draft = false
+
+
+[menu.azure]
+title = "azure_monitor_activity_log_alert"
+identifier = "inspec/resources/azure/azure_monitor_activity_log_alert resource"
+parent = "inspec/resources/azure"
++++
+
+Use the `azure_monitor_activity_log_alert` InSpec audit resource to test the properties of an Azure Monitor Activity Log Alert.
+
+## Azure REST API version, endpoint, and HTTP client parameters
+
+{{< readfile file="content/reusable/md/inspec_azure_common_parameters.md" >}}
+
+## Syntax
+
+An `azure_monitor_activity_log_alert` resource block identifies an Azure Monitor Activity Log Alert by `name` and `resource_group`, or the `resource_id`.
+
+```ruby
+describe azure_monitor_activity_log_alert(resource_group: 'RESOURCE_GROUP', name: 'ALERT_NAME') do
+ it { should exist }
+end
+```
+
+```ruby
+describe azure_monitor_activity_log_alert(resource_id: '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/microsoft.insights/activityLogAlerts/{activityLogAlertName}') do
+ it { should exist }
+end
+```
+
+## Parameters
+
+`resource_group`
+: Azure resource group where the targeted resource resides.
+
+`name`
+: Name of the Activity Log Alert to test.
+
+`resource_id`
+: The unique resource ID.
+
+Either one of the parameter sets can be provided for a valid query:
+
+- `resource_id`
+- `resource_group` and `name`
+
+## Properties
+
+`operations`
+: The list of operations. `['Microsoft.Authorization/policyAssignments/write']`.
+
+`conditions`
+: The list of activity log alert conditions that will cause this alert to activate.
+
+`scopes`
+: A list of resource ID prefixes. The alert will only apply to activity logs with resource IDs that fall under one of these prefixes.
+
+`enabled?`
+: Indicates whether this activity log alert is enabled. Valid values are `true` or `false`.
+
+For properties applicable to all resources, such as `type`, `name`, `id`, and `properties`, refer to [`azure_generic_resource`](azure_generic_resource#properties).
+
+Also, see the [Azure documentation](https://docs.microsoft.com/en-us/rest/api/monitor/activitylogalerts/get#activitylogalertresource) for other available properties.
+
+You can access any attribute in the response with the key names separated by dots (`.`). For example, `properties.`.
+
+## Examples
+
+Test an Activity Log Alert has the correct operation:
+
+```ruby
+describe azure_monitor_activity_log_alert(resource_group: 'RESOURCE_GROUP', name: 'ALERT_NAME') do
+ its('operations') { should include 'Microsoft.Authorization/policyAssignments/write' }
+end
+```
+
+Test the scope of an Activity Log Alert:
+
+```ruby
+describe azure_monitor_activity_log_alert(resource_group: 'RESOURCE_GROUP', name: 'ALERT_NAME') do
+ its('scopes') { should include 'subscriptions/{SUBSCRIPTION_ID}' }
+end
+```
+
+## Matchers
+
+This InSpec audit resource has the following special matchers. For a full list of available matchers, please visit our [Universal Matchers page](https://docs.chef.io/inspec/matchers/).
+
+### enabled
+
+Test if a resource is enabled. If an activity log alert is not enabled, then none of its actions will be activated.
+
+```ruby
+describe azure_monitor_activity_log_alert(resource_group: 'RESOURCE_GROUP', name: 'ALERT_NAME') do
+ it { should be_enabled }
+end
+```
+
+### exists
+
+```ruby
+# If we expect a resource to always exist.
+
+describe azure_monitor_activity_log_alert(resource_group: 'RESOURCE_GROUP', name: 'ALERT_NAME') do
+ it { should exist }
+end
+```
+
+### not_exists
+
+```ruby
+# If we expect a resource to never exist.
+
+describe azure_monitor_activity_log_alert(resource_group: 'RESOURCE_GROUP', name: 'ALERT_NAME') do
+ it { should_not exist }
+end
+```
+
+## Azure permissions
+
+{{% inspec-azure/azure_permissions_service_principal role="contributor" %}}
diff --git a/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_monitor_activity_log_alerts.md b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_monitor_activity_log_alerts.md
new file mode 100644
index 0000000..4e3c07e
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_monitor_activity_log_alerts.md
@@ -0,0 +1,131 @@
++++
+title = "azure_monitor_activity_log_alerts resource"
+
+draft = false
+
+
+[menu.azure]
+title = "azure_monitor_activity_log_alerts"
+identifier = "inspec/resources/azure/azure_monitor_activity_log_alerts resource"
+parent = "inspec/resources/azure"
++++
+
+Use the `azure_monitor_activity_log_alerts` InSpec audit resource to test the properties and configuration of multiple Azure Monitor Activity Log Alerts.
+
+## Azure REST API version, endpoint, and HTTP client parameters
+
+{{< readfile file="content/reusable/md/inspec_azure_common_parameters.md" >}}
+
+## Syntax
+
+An `azure_monitor_activity_log_alerts` resource block returns all activity log alerts within a resource group (if provided) or an entire subscription.
+
+```ruby
+describe azure_monitor_activity_log_alerts do
+ it { should exist }
+end
+```
+
+Or
+
+```ruby
+describe azure_monitor_activity_log_alerts(resource_group: 'RESOURCE_GROUP') do
+ it { should exist }
+end
+```
+
+## Parameters
+
+`resource_group` _(optional)_
+
+: The name of the resource group.
+
+## Properties
+
+`ids`
+: A list of the unique resource IDs.
+
+ Field: `id`
+
+`location`
+: A list of locations for all the resources being interrogated.
+
+ Field: `location`
+
+`names`
+: A list of names of all the resources being interrogated.
+
+ Field: `name`
+
+`tags`
+: A list of `tag:value` pairs defined on the resources being interrogated.
+
+ Field: `tags`
+
+`operations`
+: A list of operations for all the resources being interrogated.
+
+ Field: `operations`
+
+`resource_group`
+: Azure resource group where the targeted resource resides.
+
+ Field: `resource_group`
+
+{{< note >}}
+
+{{< readfile file="content/reusable/md/inspec_filter_table.md" >}}
+
+{{< /note>}}
+
+## Examples
+
+Test that a subscription has the named activity log alert:
+
+```ruby
+describe azure_monitor_activity_log_alerts do
+ its('names') { should include('ExampleLogAlert') }
+end
+```
+
+Loop through all resources with `resource_id`:
+
+```ruby
+azure_monitor_activity_log_alerts.ids.each do |id|
+ describe azure_monitor_activity_log_alert(resource_id: id) do
+ it { should be_enabled }
+ end
+end
+```
+
+## Matchers
+
+{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}}
+
+This resource has the following special matchers.
+
+### exists
+
+The control passes if the filter returns at least one result. Use `should_not` if you expect zero matches.
+
+```ruby
+# If we expect 'EXAMPLEGROUP' resource group to have activity log alerts.
+
+describe azure_monitor_activity_log_alerts(resource_group: 'EXAMPLEGROUP') do
+ it { should exist }
+end
+```
+
+### not_exists
+
+```ruby
+# If we expect 'EMPTYEXAMPLEGROUP' resource group not to have activity log alerts.
+
+describe azure_monitor_activity_log_alerts(resource_group: 'EMPTYEXAMPLEGROUP') do
+ it { should_not exist }
+end
+```
+
+## Azure permissions
+
+{{% inspec-azure/azure_permissions_service_principal role="contributor" %}}
diff --git a/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_monitor_log_profile.md b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_monitor_log_profile.md
new file mode 100644
index 0000000..168225f
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_monitor_log_profile.md
@@ -0,0 +1,132 @@
++++
+title = "azure_monitor_log_profile resource"
+
+draft = false
+
+
+[menu.azure]
+title = "azure_monitor_log_profile"
+identifier = "inspec/resources/azure/azure_monitor_log_profile resource"
+parent = "inspec/resources/azure"
++++
+
+Use the `azure_monitor_log_profile` InSpec audit resource to test the properties and configuration of an Azure Log profile.
+
+## Azure REST API version, endpoint, and HTTP client parameters
+
+{{< readfile file="content/reusable/md/inspec_azure_common_parameters.md" >}}
+
+## Syntax
+
+`name` or the `resource_id` are required parameters.
+
+```ruby
+describe azure_monitor_log_profile(name: 'LOG_PROFILE') do
+ it { should exist }
+end
+```
+
+```ruby
+describe azure_monitor_log_profile(resource_id: '/subscriptions/{subscriptionId}/providers/microsoft.insights/logprofiles/{logProfileName}') do
+ it { should exist }
+end
+```
+
+## Parameters
+
+`name`
+: Name of the log profile to test.
+
+`resource_id`
+: The unique resource ID.
+
+## Properties
+
+`retention_policy`
+: The retention policy for the events in the log with [these](https://docs.microsoft.com/en-us/rest/api/monitor/logprofiles/get#retentionpolicy) properties.
+
+`retention_days`
+: The number of days for the log retention in days. A value of `0` means that the events will be retained indefinitely.
+
+`storage_account`
+: A hash containing the `name` and the `resouce_group` of the storage account in which the activity logs are kept.
+
+For properties applicable to all resources, such as `type`, `name`, `id`, and `properties`, refer to [`azure_generic_resource`](azure_generic_resource#properties).
+
+Also, see the [Azure documentation](https://docs.microsoft.com/en-us/rest/api/monitor/logprofiles/get#logprofileresource) for other available properties.
+
+You can access any attribute in the response with the key names separated by dots (`.`). For example, `properties.`.
+
+## Examples
+
+Test if a Log profile is referenced with a valid name:
+
+```ruby
+describe azure_monitor_log_profile(name: 'LOG_PROFILE') do
+ it { should exist }
+end
+```
+
+Test if a Log profile is referenced with an invalid name:
+
+```ruby
+describe azure_monitor_log_profile(name: 'i-dont-exist') do
+ it { should_not exist }
+end
+```
+
+Test the retention days of a Log profile:
+
+```ruby
+describe azure_monitor_log_profile(name: 'LOG_PROFILE') do
+ its('retention_days') { should be 90 }
+end
+```
+
+Test the storage account of a Log profile:
+
+```ruby
+describe azure_monitor_log_profile(resource_id: '/subscriptions/{subscriptionId}/providers/microsoft.insights/logprofiles/{logProfileName}') do
+ its('storage_account') { should eql(resource_group: 'RESOURCE_GROUP', name: 'STORAGE_ACCOUNT') }
+end
+```
+
+## Matchers
+
+{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}}
+
+This resource has the following special matchers.
+
+### have_log_retention_enabled
+
+Test whether the log retention is enabled.
+
+```ruby
+describe azure_monitor_log_profile(name: 'LOG_PROFILE') do
+ it { should have_log_retention_enabled }
+end
+```
+
+### exists
+
+```ruby
+# If we expect a resource to always exist.
+
+describe azure_monitor_log_profile(name: 'LOG_PROFILE') do
+ it { should exist }
+end
+```
+
+### not_exists
+
+```ruby
+# If we expect a resource to never exist.
+
+describe azure_monitor_log_profile(name: 'LOG_PROFILE') do
+ it { should_not exist }
+end
+```
+
+## Azure permissions
+
+{{% inspec-azure/azure_permissions_service_principal role="contributor" %}}
diff --git a/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_monitor_log_profiles.md b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_monitor_log_profiles.md
new file mode 100644
index 0000000..8e40ceb
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_monitor_log_profiles.md
@@ -0,0 +1,101 @@
++++
+title = "azure_monitor_log_profiles resource"
+
+draft = false
+
+
+[menu.azure]
+title = "azure_monitor_log_profiles"
+identifier = "inspec/resources/azure/azure_monitor_log_profiles resource"
+parent = "inspec/resources/azure"
++++
+
+Use the `azure_monitor_log_profiles` InSpec audit resource to test the properties and configuration of multiple Azure Log profiles.
+
+## Azure REST API version, endpoint, and HTTP client parameters
+
+{{< readfile file="content/reusable/md/inspec_azure_common_parameters.md" >}}
+
+## Syntax
+
+An `azure_monitor_log_profiles` resource block returns all Azure Log profiles within an entire subscription.
+
+```ruby
+describe azure_monitor_log_profiles do
+ it { should exist }
+end
+```
+
+## Parameters
+
+This resource does not require any parameters.
+
+## Properties
+
+`ids`
+: A list of the unique resource IDs.
+
+ Field: `id`
+
+`names`
+: A list of names of all the resources being interrogated.
+
+ Field: `name`
+
+`properties`
+: A list of properties for all the resources being interrogated.
+
+ Field: `properties`
+
+{{< note >}}
+
+{{< readfile file="content/reusable/md/inspec_filter_table.md" >}}
+
+{{< /note>}}
+
+## Examples
+
+Check if a specific Log profile is present:
+
+```ruby
+describe azure_monitor_log_profiles do
+ its('names') { should include 'LOG_PROFILE' }
+end
+```
+
+Filter the results by the 'name' property if it includes a certain string:
+
+```ruby
+describe azure_monitor_log_profiles.where{ name.include?('production') } do
+ it { should exist }
+end
+```
+
+Filter the results to include only those Log profiles that retention policy is enabled:
+
+```ruby
+describe azure_monitor_log_profiles.where{ properties.dig(:retentionPolicy, :enabled) == true } do
+ it { should exist }
+ its('count') { should be 4 }
+end
+```
+
+## Matchers
+
+{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}}
+
+This resource has the following special matchers.
+
+### exists
+
+The control passes if the filter returns at least one result. Use `should_not` if you expect zero matches.
+
+```ruby
+describe azure_monitor_log_profiles do
+ it { should exist }
+end
+```
+
+## Azure permissions
+
+{{% inspec-azure/azure_permissions_service_principal role="contributor" %}}
diff --git a/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_mysql_database.md b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_mysql_database.md
new file mode 100644
index 0000000..bc29455
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_mysql_database.md
@@ -0,0 +1,110 @@
++++
+title = "azure_mysql_database resource"
+
+draft = false
+
+
+[menu.azure]
+title = "azure_mysql_database"
+identifier = "inspec/resources/azure/azure_mysql_database resource"
+parent = "inspec/resources/azure"
++++
+
+Use the `azure_mysql_database` InSpec audit resource to test the properties and configuration of an Azure MySQL Database on a MySQL Server.
+
+## Azure REST API version, endpoint, and HTTP client parameters
+
+{{< readfile file="content/reusable/md/inspec_azure_common_parameters.md" >}}
+
+## Syntax
+
+`resource_group`, `server_name` and `name`, or the `resource_id` are required parameters.
+
+```ruby
+describe azure_mysql_database(resource_group: 'RESOURCE_GROUP', server_name: 'SERVER_NAME', name: 'NAME') do
+ it { should exist }
+end
+```
+
+```ruby
+describe azure_mysql_database(resource_id: '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.DBforMySQL/servers/{serverName}/databases/{databaseName}') do
+ it { should exist }
+end
+```
+
+## Parameters
+
+`resource_group`
+: Azure resource group where the targeted resource resides.
+
+`server_name`
+: The name of the server on which the database resides.
+
+`name`
+: The unique name of the database.
+
+`database_name`
+: Alias for the `name` parameter.
+
+`resource_id`
+: The unique resource ID.
+
+Either one of the parameter sets can be provided for a valid query:
+
+- `resource_id`
+- `resource_group`, `server_name`, and `name`
+- `resource_group`, `server_name`, and `database_name`
+
+## Properties
+
+`properties.charset`
+: The charset of the database.
+
+For properties applicable to all resources, such as `type`, `tags`, `id`, and `properties`, refer to [`azure_generic_resource`](azure_generic_resource#properties).
+
+Also, see the [Azure documentation](https://docs.microsoft.com/en-us/rest/api/mysql/flexibleserver/databases/get) for other available properties.
+You can access any attribute in the response with the key names separated by dots (`.`).
+
+## Examples
+
+Test the resource name:
+
+```ruby
+describe azure_mysql_database(resource_group: 'RESOURCE_GROUP', server_name: 'SERVER_NAME', name: 'NAME') do
+ its('name') { should be 'order-db' }
+end
+```
+
+```ruby
+describe azure_mysql_database(resource_id: '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.DBforMySQL/servers/{serverName}/databases/order-db') do
+ its('name') { should be 'order-db' }
+end
+```
+
+## Matchers
+
+This InSpec audit resource has the following special matchers. For a full list of available matchers, please visit our [Universal Matchers page](https://docs.chef.io/inspec/matchers/).
+
+### exists
+
+```ruby
+# If we expect the resource to always exist.
+
+describe azure_mysql_database(resource_group: 'RESOURCE_GROUP', server_name: 'SERVER_NAME', name: 'NAME') do
+ it { should exist }
+end
+```
+
+### not_exists
+
+```ruby
+# If we expect the resource to never exist.
+
+describe azure_mysql_database(resource_group: 'RESOURCE_GROUP', server_name: 'SERVER_NAME', name: 'NAME') do
+ it { should_not exist }
+end
+```
+
+## Azure permissions
+
+{{% inspec-azure/azure_permissions_service_principal role="contributor" %}}
diff --git a/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_mysql_databases.md b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_mysql_databases.md
new file mode 100644
index 0000000..8cac2e3
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_mysql_databases.md
@@ -0,0 +1,119 @@
++++
+title = "azure_mysql_databases resource"
+
+draft = false
+
+
+[menu.azure]
+title = "azure_mysql_databases"
+identifier = "inspec/resources/azure/azure_mysql_databases resource"
+parent = "inspec/resources/azure"
++++
+
+Use the `azure_mysql_databases` InSpec audit resource to test the properties and configuration of Azure MySQL Databases.
+
+## Azure REST API version, endpoint, and HTTP client parameters
+
+{{< readfile file="content/reusable/md/inspec_azure_common_parameters.md" >}}
+
+## Syntax
+
+The `resource_group` and `server_name` are required parameters.
+
+```ruby
+describe azure_mysql_databases(resource_group: 'RESOURCE_GROUP', server_name: 'SERVER_NAME') do
+ it { should exist }
+end
+```
+
+## Parameters
+
+`resource_group`
+: Azure resource group where the targeted resource resides.
+
+`server_name`
+: The name of the server in which the database resides.
+
+## Properties
+
+`ids`
+: A list of the unique resource IDs.
+
+ Field: `id`
+
+`names`
+: A list of names of all the resources being interrogated.
+
+ Field: `name`
+
+`tags`
+: A list of `tag:value` pairs defined on the resources being interrogated.
+
+ Field: `tags`
+
+`types`
+: A list of the types of resources being interrogated.
+
+ Field: `type`
+
+`properties`
+: A list of properties for all the resources being interrogated.
+
+ Field: `properties`
+
+{{< note >}}
+
+{{< readfile file="content/reusable/md/inspec_filter_table.md" >}}
+
+{{< /note>}}
+
+## Examples
+
+Check resources are present:
+
+```ruby
+describe azure_mysql_databases(resource_group: 'RESOURCE_GROUP', server_name: 'SERVER_NAME') do
+ it { should exist }
+ its('names') { should include 'my-db' }
+end
+```
+
+Filter the results to include only those with names match the specified string value:
+
+```ruby
+describe azure_mysql_databases.(resource_group: 'RESOURCE_GROUP', server_name: 'SERVER_NAME').where{ name.eql?('production-db') } do
+ it { should exist }
+end
+```
+
+## Matchers
+
+{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}}
+
+This resource has the following special matchers.
+
+### exists
+
+The control passes if the filter returns at least one result. Use `should_not` if you expect zero matches.
+
+```ruby
+# If we expect resources to exist.
+
+describe azure_mysql_databases(resource_group: 'EXAMPLEGROUP', server_name: 'SERVER_NAME') do
+ it { should exist }
+end
+```
+
+### not_exists
+
+```ruby
+# If we expect resources not to exist.
+
+describe azure_mysql_databases(resource_group: 'EXAMPLEGROUP', server_name: 'SERVER_NAME') do
+ it { should_not exist }
+end
+```
+
+## Azure permissions
+
+{{% inspec-azure/azure_permissions_service_principal role="contributor" %}}
diff --git a/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_mysql_server.md b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_mysql_server.md
new file mode 100644
index 0000000..8b4eb1e
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_mysql_server.md
@@ -0,0 +1,122 @@
++++
+title = "azure_mysql_server resource"
+
+draft = false
+
+
+[menu.azure]
+title = "azure_mysql_server"
+identifier = "inspec/resources/azure/azure_mysql_server resource"
+parent = "inspec/resources/azure"
++++
+
+Use the `azure_mysql_server` InSpec audit resource to test the properties and configuration of an Azure MySQL server.
+
+## Azure REST API version, endpoint, and HTTP client parameters
+
+{{< readfile file="content/reusable/md/inspec_azure_common_parameters.md" >}}
+
+## Syntax
+
+`resource_group` and `name`, or the `resource_id` are required parameters.
+
+```ruby
+describe azure_mysql_server(resource_group: 'RESOURCE_GROUP', name: 'SERVER_NAME') do
+ it { should exist }
+end
+```
+
+```ruby
+describe azure_mysql_server(resource_id: '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroup}/providers/Microsoft.DBforMySQL/servers/{serverName}') do
+ it { should exist }
+end
+```
+
+## Parameters
+
+`resource_group`
+: Azure resource group where the targeted resource resides.
+
+`name`
+: Name of the MySql server to test.
+
+`server_name`
+: Name of the MySql server to test. This is for backward compatibility. Use `name` instead.
+
+`resource_id`
+: The unique resource ID.
+
+`firewall_rules_api_version`
+: The endpoint API version for the `firewall_rules` property. The latest version will be used unless provided.
+
+Either one of the parameter sets can be provided for a valid query:
+
+- `resource_id`
+- `resource_group` and `name`
+- `resource_group` and `server_name`
+
+## Properties
+
+`firewall_rules`
+: A list of all firewall rules in the targeted server.
+
+`sku`
+: The SKU (pricing tier) of the server.
+
+For properties applicable to all resources, such as `type`, `name`, `id`, and `properties`, refer to [`azure_generic_resource`](azure_generic_resource#properties).
+
+Also, see the [Azure documentation](https://docs.microsoft.com/en-us/rest/api/mysql/singleserver/servers(2017-12-01)/get) for other available properties.
+
+You can access any attribute in the response with the key names separated by dots (`.`).
+
+## Examples
+
+Test if a MySQL server is referenced with a valid name:
+
+```ruby
+describe azure_mysql_server(resource_group: 'RESOURCE_GROUP', name: 'SERVER_NAME') do
+ it { should exist }
+end
+```
+
+Test if a MySQL server is referenced with an invalid name:
+
+```ruby
+describe azure_mysql_server(resource_group: 'RESOURCE_GROUP', name: 'i-dont-exist') do
+ it { should_not exist }
+end
+```
+
+Test if a MySQL server has firewall rules set:
+
+```ruby
+describe azure_mysql_server(resource_group: 'RESOURCE_GROUP', name: 'SERVER_NAME') do
+ its('firewall_rules') { should_not be_empty }
+end
+```
+
+Test a MySQL server's fully qualified domain name:, location, and public network access status
+
+```ruby
+describe azure_mysql_server(resource_id: '/subscriptions/.../my-server') do
+ its('properties.fullyQualifiedDomainName') { should eq 'my-server.mysql.database.azure.com' }
+ its('properties.publicNetworkAccess') { should cmp 'Enabled' }
+ its('location') { should cmp 'westeurope' }
+end
+```
+
+## Matchers
+
+{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}}
+
+### exists
+
+```ruby
+describe azure_mysql_server(resource_group: 'RESOURCE_GROUP', server_name: 'SERVER_NAME-1') do
+ it { should exist }
+end
+```
+
+## Azure permissions
+
+{{% inspec-azure/azure_permissions_service_principal role="contributor" %}}
diff --git a/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_mysql_server_configuration.md b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_mysql_server_configuration.md
new file mode 100644
index 0000000..73a809f
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_mysql_server_configuration.md
@@ -0,0 +1,122 @@
++++
+title = "azure_mysql_database_configuration resource"
+
+draft = false
+
+
+[menu.azure]
+title = "azure_mysql_database_configuration"
+identifier = "inspec/resources/azure/azure_mysql_database_configuration resource"
+parent = "inspec/resources/azure"
++++
+
+Use the `azure_mysql_database_configuration` InSpec audit resource to test the properties of an Azure MySQL Database Configuration on a MySQL Database Server.
+
+## Syntax
+
+`resource_group`, `server_name` and `name`, or the `resource_id` are required parameters.
+
+```ruby
+describe azure_mysql_database_configuration(resource_group: 'RESOURCE_GROUP', server_name: 'SERVER_NAME', name: 'CONFIGURATION_NAME') do
+ it { should exist }
+end
+```
+
+```ruby
+describe azure_mysql_database_configuration(resource_id: 'RESOURCE_ID') do
+ it { should exist }
+end
+```
+
+## Parameters
+
+`resource_group`
+: Azure resource group where the targeted resource resides.
+
+`server_name`
+: The name of the server on which the database resides.
+
+`name`
+: The unique name of the database configuration.
+
+`resource_id`
+: The unique resource ID.
+
+Either one of the parameter sets can be provided for a valid query:
+
+- `resource_id`
+- `resource_group`, `server_name`, and `name`
+
+## Properties
+
+`id`
+: The id of the resource.
+
+`name`
+: The name of the resource.
+
+`type`
+: The type of the resource.
+
+`properties.allowedValues`
+: Allowed values of the configuration.
+
+`properties.dataType`
+: Data type of the configuration.
+
+`properties.defaultValue`
+: Default value of the configuration.
+
+`properties.description`
+: Description of the configuration.
+
+`properties.source`
+: Source of the configuration.
+
+`properties.value`
+: Value of the configuration.
+
+For properties applicable to all resources, such as `type`, `id`, and `properties`, refer to [`azure_generic_resource`](azure_generic_resource#properties).
+
+Also, see the [Azure documentation](https://learn.microsoft.com/en-us/rest/api/mysql/singleserver/configurations/get?tabs=HTTP) for other available properties.
+You can access any attribute in the response with the key names separated by dots (`.`).
+
+## Examples
+
+Test the resource name:
+
+```ruby
+describe azure_mysql_database_configuration(resource_group: 'RESOURCE_GROUP', server_name: 'SERVER_NAME', name: 'CONFIGURATION_NAME') do
+ its('name') { should be 'CONFIGURATION_NAME' }
+end
+```
+
+```ruby
+describe azure_mysql_database_configuration(resource_id: 'RESOURCE_ID') do
+ its('name') { should be 'CONFIGURATION_NAME' }
+end
+```
+
+## Matchers
+
+This InSpec audit resource has the following special matchers. For a full list of available matchers, please visit our [Universal Matchers page](https://docs.chef.io/inspec/matchers/).
+
+### exists
+
+```ruby
+# If we expect the resource to always exist.
+describe azure_mysql_database_configuration(resource_group: 'RESOURCE_GROUP', server_name: 'SERVER_NAME', name: 'CONFIGURATION_NAME') do
+ it { should exist }
+end
+```
+
+```ruby
+# If we expect the resource to never exist.
+describe azure_mysql_database_configuration(resource_group: 'RESOURCE_GROUP', server_name: 'SERVER_NAME', name: 'CONFIGURATION_NAME') do
+ it { should_not exist }
+end
+```
+
+## Azure permissions
+
+{{% inspec-azure/azure_permissions_service_principal role="contributor" %}}
diff --git a/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_mysql_server_configurations.md b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_mysql_server_configurations.md
new file mode 100644
index 0000000..7a851e8
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_mysql_server_configurations.md
@@ -0,0 +1,112 @@
++++
+title = "azure_mysql_database_configurations resource"
+
+draft = false
+
+
+[menu.azure]
+title = "azure_mysql_database_configurations"
+identifier = "inspec/resources/azure/azure_mysql_database_configurations resource"
+parent = "inspec/resources/azure"
++++
+
+Use the `azure_mysql_database_configurations` InSpec audit resource to test the properties of an Azure MySQL Database Configuration on a MySQL Database Server.
+
+## Azure REST API version, endpoint, and HTTP client parameters
+
+{{< readfile file="content/reusable/md/inspec_azure_common_parameters.md" >}}
+
+## Syntax
+
+The `resource_group` and `server_name` are required parameters.
+
+```ruby
+describe azure_mysql_database_configuration(resource_group: 'RESOURCE_GROUP', server_name: 'SERVER_NAME') do
+ it { should exist }
+end
+```
+
+## Parameters
+
+`resource_group`
+: Azure resource group where the targeted resource resides.
+
+`server_name`
+: The name of the server in which the database resides.
+
+## Properties
+
+`ids`
+: A list of the unique resource IDs.
+
+ Field: `id`
+
+`names`
+: A list of names of all the resources being interrogated.
+
+ Field: `name`
+
+`types`
+: A list of the types of resources being interrogated.
+
+ Field: `type`
+
+`properties`
+: A list of properties for all the resources being interrogated.
+
+ Field: `properties`
+
+{{< note >}}
+
+{{< readfile file="content/reusable/md/inspec_filter_table.md" >}}
+
+{{< /note>}}
+
+## Examples
+
+Check resources are present:
+
+```ruby
+describe azure_mysql_database_configuration(resource_group: 'RESOURCE_GROUP', server_name: 'SERVER_NAME') do
+ it { should exist }
+ its('names') { should include 'my-db' }
+end
+```
+
+Filter the results to include only those with names match the specified string value:
+
+```ruby
+describe azure_mysql_database_configuration(resource_group: 'RESOURCE_GROUP', server_name: 'SERVER_NAME').where{ name.eql?('user-override') } do
+ it { should exist }
+end
+```
+
+## Matchers
+
+{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}}
+
+This resource has the following special matchers.
+
+### exists
+
+The control passes if the filter returns at least one result. Use `should_not` if you expect zero matches.
+
+```ruby
+# If we expect resources to exist.
+
+describe azure_mysql_database_configuration(resource_group: 'RESOURCE_GROUP', server_name: 'SERVER_NAME') do
+ it { should exist }
+end
+```
+
+```ruby
+# If we expect resources not to exist.
+
+describe azure_mysql_database_configuration(resource_group: 'RESOURCE_GROUP', server_name: 'SERVER_NAME') do
+ it { should_not exist }
+end
+```
+
+## Azure permissions
+
+{{% inspec-azure/azure_permissions_service_principal role="contributor" %}}
diff --git a/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_mysql_servers.md b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_mysql_servers.md
new file mode 100644
index 0000000..a942e79
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_mysql_servers.md
@@ -0,0 +1,134 @@
++++
+title = "azure_mysql_servers resource"
+
+draft = false
+
+
+[menu.azure]
+title = "azure_mysql_servers"
+identifier = "inspec/resources/azure/azure_mysql_servers resource"
+parent = "inspec/resources/azure"
++++
+
+Use the `azure_mysql_servers` InSpec audit resource to test the properties and configuration of multiple Azure MySQL servers.
+
+## Azure REST API version, endpoint, and HTTP client parameters
+
+{{< readfile file="content/reusable/md/inspec_azure_common_parameters.md" >}}
+
+## Syntax
+
+An `azure_mysql_servers` resource block returns all Azure MySQL servers within a resource group (if provided) or an entire subscription.
+
+```ruby
+describe azure_mysql_servers do
+ #...
+end
+```
+
+Or
+
+```ruby
+describe azure_mysql_servers(resource_group: 'RESOURCE_GROUP') do
+ #...
+end
+```
+
+## Parameters
+
+`resource_group` _(optional)_
+
+: The name of the resource group.
+
+## Properties
+
+`ids`
+: A list of the unique resource IDs.
+
+ Field: `id`
+
+`locations`
+: A list of locations for all the resources being interrogated.
+
+ Field: `location`
+
+`names`
+: A list of names of all the resources being interrogated.
+
+ Field: `name`
+
+`tags`
+: A list of `tag:value` pairs defined on the resources.
+
+ Field: `tags`
+
+`skus`
+: A list of the SKUs (pricing tiers) of the servers.
+
+ Field: `sku`
+
+`properties`
+: A list of properties for all the resources being interrogated.
+
+ Field: `properties`
+
+{{< note >}}
+
+{{< readfile file="content/reusable/md/inspec_filter_table.md" >}}
+
+{{< /note>}}
+
+## Examples
+
+Check MySQL servers are present
+
+```ruby
+describe azure_mysql_servers do
+ it { should exist }
+ its('names') { should include 'my-server-name' }
+end
+```
+
+Filters the results to include only those servers that have the specified name (client-side filtering):
+
+```ruby
+describe azure_mysql_servers.where{ name.include?('production') } do
+ it { should exist }
+end
+```
+
+Filters the results to include only those servers which reside in a specified location (client-side filtering):
+
+```ruby
+describe azure_mysql_servers.where{ location.eql?('westeurope') } do
+ it { should exist }
+end
+```
+
+Filters the results to include only those servers which reside in a specified location and have the specified name (server-side filtering - recommended):
+
+```ruby
+describe azure_generic_resources(resource_provider: 'Microsoft.DBforMySQL/servers', substring_of_name: 'production', location: 'westeurope') do
+ it {should exist}
+end
+```
+
+## Matchers
+
+{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}}
+
+This resource has the following special matchers.
+
+### exists
+
+The control passes if the filter returns at least one result. Use `should_not` if you expect zero matches.
+
+```ruby
+describe azure_mysql_servers do
+ it { should exist }
+end
+```
+
+## Azure permissions
+
+{{% inspec-azure/azure_permissions_service_principal role="contributor" %}}
diff --git a/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_network_interface.md b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_network_interface.md
new file mode 100644
index 0000000..1c50dc3
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_network_interface.md
@@ -0,0 +1,157 @@
++++
+title = "azure_network_interface resource"
+
+draft = false
+
+
+[menu.azure]
+title = "azure_network_interface"
+identifier = "inspec/resources/azure/azure_network_interface resource"
+parent = "inspec/resources/azure"
++++
+
+Use the `azure_network_interface` InSpec audit resource to test the properties and configuration of the Azure Network interface.
+
+## Azure REST API version, endpoint, and HTTP client parameters
+
+{{< readfile file="content/reusable/md/inspec_azure_common_parameters.md" >}}
+
+## Syntax
+
+An `azure_network_interface` resource block identifies an AKS Cluster by `name` and `resource_group`, or the `resource_id`.
+
+```ruby
+describe azure_network_interface(resource_group: 'RESOURCE_GROUP', name: 'NETWORKINTERFACENAME') do
+ it { should exist }
+end
+```
+
+```ruby
+describe azure_network_interface(resource_id: '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Network/networkInterfaces/{networkInterfaceName}') do
+ it { should exist }
+end
+```
+
+## Parameters
+
+`resource_group`
+: Azure resource group where the targeted resource resides.
+
+`name`
+: Name of the AKS cluster to test.
+
+`resource_id`
+: The unique resource ID.
+
+Either one of the parameter sets can be provided for a valid query:
+
+- `resource_id`
+- `resource_group` and `name`
+
+## Properties
+
+`primary?`
+: Indicates whether this is a primary network interface on a virtual machine.
+
+`ip_configurations`
+: A list of [IPConfigurations](https://docs.microsoft.com/en-us/rest/api/virtualnetwork/networkinterfaceipconfigurations/get#networkinterfaceipconfiguration) of the network interface.
+
+`private_ip`
+: The private IP address of the interrogated network interface's primary IP configuration.
+
+`private_ip_address_list`
+: A list of all the private IP addresses of the interrogated network interface.
+
+`has_private_address_ip?`
+: Indicates whether the interrogated network interface has a private IP address.
+
+`public_ip`
+: The public IP address ID of the interrogated network interface's primary IP configuration. `/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Network/publicIPAddresses/{publicIpAddressName}`.
+
+`public_ip_id_list`
+: A list of all the public IP address IDs of the interrogated network interface.
+
+`has_public_address_ip?`
+: Indicates whether the interrogated network interface has a public IP address.
+
+For properties applicable to all resources, such as `type`, `name`, `id`, and `properties`, refer to [`azure_generic_resource`](azure_generic_resource#properties).
+
+Also, see the [Azure documentation](https://docs.microsoft.com/en-us/rest/api/virtualnetwork/networkinterfaces/get#networkinterface) for other available properties.
+
+You can access any attribute in the response with the key names separated by dots (`.`). For example, `properties.`.
+
+## Examples
+
+Test if IP forwarding is enabled:
+
+```ruby
+describe azure_network_interface(resource_group: 'RESOURCE_GROUP', name: 'NETWORK_INTERFACE_NAME') do
+ its('properties.enableIPForwarding') { should be_true }
+end
+```
+
+Test if the primary IP configuration is set to correct private IP address:
+
+```ruby
+describe azure_network_interface(resource_group: 'RESOURCE_GROUP', name: 'NETWORK_INTERFACE_NAME') do
+ its('private_ip') { should cmp '172.16.2.6' }
+end
+```
+
+## Matchers
+
+This InSpec audit resource has the following special matchers. For a full list of available matchers, please visit our [Universal Matchers page](https://docs.chef.io/inspec/matchers/).
+
+### be_primary
+
+Tests if a network interface is the primary network interface on a virtual machine.
+
+```ruby
+describe azure_network_interface(resource_group: 'RESOURCE_GROUP', name: 'NETWORK_INTERFACE_NAME') do
+ it {should be_primary}
+end
+```
+
+### have_public_address_ip
+
+Test if a network interface has a public IP address.
+
+```ruby
+describe azure_network_interface(resource_group: 'RESOURCE_GROUP', name: 'NETWORK_INTERFACE_NAME') do
+ it { should have_public_address_ip}
+end
+```
+
+### have_private_address_ip
+
+Test if a network interface has a private IP address.
+
+```ruby
+describe azure_network_interface(resource_group: 'RESOURCE_GROUP', name: 'NETWORK_INTERFACE_NAME') do
+ it { should have_private_address_ip}
+end
+```
+
+### exists
+
+```ruby
+# If we expect 'NETWORK_INTERFACE_NAME' to always exist.
+
+describe azure_network_interface(resource_group: 'RESOURCE_GROUP', name: 'NETWORK_INTERFACE_NAME') do
+ it { should exist }
+end
+```
+
+### not_exists
+
+```ruby
+# If we expect 'NETWORK_INTERFACE_NAME' to never exist.
+
+describe azure_network_interface(resource_group: 'RESOURCE_GROUP', name: 'NETWORK_INTERFACE_NAME') do
+ it { should_not exist }
+end
+```
+
+## Azure permissions
+
+{{% inspec-azure/azure_permissions_service_principal role="contributor" %}}
diff --git a/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_network_interfaces.md b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_network_interfaces.md
new file mode 100644
index 0000000..6bbab2c
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_network_interfaces.md
@@ -0,0 +1,130 @@
++++
+title = "azure_network_interfaces resource"
+
+draft = false
+
+
+[menu.azure]
+title = "azure_network_interfaces"
+identifier = "inspec/resources/azure/azure_network_interfaces resource"
+parent = "inspec/resources/azure"
++++
+
+Use the `azure_network_interfaces` InSpec audit resource to test the properties and configuration of Azure Network interfaces.
+
+## Azure REST API version, endpoint, and HTTP client parameters
+
+{{< readfile file="content/reusable/md/inspec_azure_common_parameters.md" >}}
+
+## Syntax
+
+An `azure_network_interfaces` resource block returns all Azure Network interfaces within a resource group (if provided) or an entire subscription.
+
+```ruby
+describe azure_network_interfaces do
+ #...
+end
+```
+
+Or
+
+```ruby
+describe azure_network_interfaces(resource_group: 'RESOURCE_GROUP') do
+ #...
+end
+```
+
+## Parameters
+
+`resource_group` _(optional)_
+
+: The name of the resource group.
+
+## Properties
+
+`ids`
+: A list of the unique resource IDs.
+
+ Field: `id`
+
+`locations`
+: A list of locations for all the resources being interrogated.
+
+ Field: `location`
+
+`names`
+: A list of names of all the resources being interrogated.
+
+ Field: `name`
+
+`tags`
+: A list of `tag:value` pairs defined on the resources being interrogated.
+
+ Field: `tags`
+
+`types`
+: A list of the types of resources being interrogated.
+
+ Field: `type`
+
+`properties`
+: A list of properties for all the resources being interrogated.
+
+ Field: `properties`
+
+{{< note >}}
+
+{{< readfile file="content/reusable/md/inspec_filter_table.md" >}}
+
+{{< /note>}}
+
+## Examples
+
+Check network interfaces are present:
+
+```ruby
+describe azure_network_interfaces do
+ it { should exist }
+ its('names') { should include 'my-network-interface' }
+end
+```
+
+Filter the results to include only those with names that match the specified string value:
+
+```ruby
+describe azure_network_interfaces.where{ name.include?('my-network') } do
+ its('count') { should > 3 }
+end
+```
+
+## Matchers
+
+{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}}
+
+This resource has the following special matchers.
+
+### exists
+
+The control passes if the filter returns at least one result. Use `should_not` if you expect zero matches.
+
+```ruby
+# If we expect 'EXAMPLEGROUP' resource group to have network interfaces.
+
+describe azure_network_interfaces(resource_group: 'EXAMPLEGROUP') do
+ it { should exist }
+end
+```
+
+### not_exists
+
+```ruby
+# If we expect 'EMPTYEXAMPLEGROUP' resource group to not have network interfaces.
+
+describe azure_network_interfaces(resource_group: 'EMPTYEXAMPLEGROUP') do
+ it { should_not exist }
+end
+```
+
+## Azure permissions
+
+{{% inspec-azure/azure_permissions_service_principal role="contributor" %}}
diff --git a/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_network_security_group.md b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_network_security_group.md
new file mode 100644
index 0000000..8609c51
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_network_security_group.md
@@ -0,0 +1,214 @@
++++
+title = "azure_network_security_group resource"
+
+draft = false
+
+
+[menu.azure]
+title = "azure_network_security_group"
+identifier = "inspec/resources/azure/azure_network_security_group resource"
+parent = "inspec/resources/azure"
++++
+
+Use the `azure_network_security_group` InSpec audit resource to test the properties of an Azure Network Security group.
+
+## Azure REST API version, endpoint, and HTTP client parameters
+
+{{< readfile file="content/reusable/md/inspec_azure_common_parameters.md" >}}
+
+## Syntax
+
+An `azure_network_security_group` resource block identifies a Network Security group by `name` and `resource_group`, or the `resource_id`.
+
+```ruby
+describe azure_network_security_group(resource_group: 'RESOURCE_GROUP', name: 'GROUP_NAME') do
+ it { should exist }
+end
+```
+
+```ruby
+describe azure_network_security_group(resource_id: '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroup}/providers/Microsoft.Network/networkSecurityGroups/{nsgName}') do
+ it { should exist }
+end
+```
+
+## Parameters
+
+`resource_group`
+: Azure resource group where the targeted resource resides.
+
+`name`
+: Name of the Azure resource to test.
+
+`resource_id`
+: The unique resource ID. `/subscriptions/{subscriptionId}/resourceGroups/{resourceGroup}/providers/Microsoft.Network/networkSecurityGroups/{nsgName}`.
+
+`resource_data`
+: In-memory cached Azure Network Security group data. Passing data to this parameter can increase performance since it avoids multiple network calls to the same Azure resource. When provided, it binds the values directly to the resource. Data passed to the `resource_data` parameter could be stale. It is the user's responsibility to refresh the data.
+
+Provide one of the following parameter sets for a valid query:
+
+- `resource_id`
+- `resource_group` and `name`
+- `resource_data`
+
+## Properties
+
+`security_rules`
+: The set of security rules.
+
+`default_security_rules`
+: The set of default security rules.
+
+`allow_ssh_from_internet*`
+: A boolean value determined by analysing the security rules and default security rules for unrestricted SSH access. `it { should_not allow_ssh_from_internet }`.
+
+`allow_rdp_from_internet*`
+: A boolean value determined by analysing the security rules and default security rules for unrestricted RDP access. `it { should_not allow_rdp_from_internet }`.
+
+`allow_port_from_internet*`
+: A boolean value determined by analysing the security rules and default security rules for unrestricted access to a specified port. `it { should_not allow_port_from_internet('443') }`.
+
+`allow?**`
+: Indicates if a provided criteria is complaint with the security rules including the default ones. `it { should allow(source_ip_range: '10.0.0.0/24'), direction: 'inbound' }`.
+
+`allowed?**`
+: Alias for `allow?`. `it { should be_allowed(source_ip_range: '10.0.0.0/24'), direction: 'inbound' }`.
+
+`allow_in?**`
+: Indicates if a provided criteria is complaint with the **inbound** security rules including the default ones. `it { should_not allow_in(service_tag: 'Internet') }`.
+
+`allowed_in?**`
+: Alias for `allow_in?`. `it { should_not be_allowed_in(service_tag: 'Internet') }`.
+
+`allow_out?**`
+: Indicates if a provided criteria is complaint with the **outbound** security rules including the default ones. `it { should_not allow_out(service_tag: 'Internet') }`.
+
+`allowed_out?**`
+: Alias for `allow_out?`. `it { should_not be_allowed_out(service_tag: 'Internet') }`.
+
+* These properties do not take the priorities of security rules into account. For example, if suppose there are two security rules. In that case, one of them is allowing SSH from the internet while the other is prohibiting, `allow_ssh_from_internet` will pass without comparing the priority of the conflicting security rules.
Therefore, it is recommended to use `allow`, `allow_in`, or `allow_out` properties with which the priorities are considered.
+
+** These properties do not compare criteria defined by explicit IP ranges with the security rules defined by [Azure service tags](https://docs.microsoft.com/en-us/azure/virtual-network/service-tags-overview) and vice versa.
+
+For example, providing that a network security group has a single security rule allowing all traffic from the internet by using `Internet` service tag in the source will fail the `allow_in(ip_range: '64.233.160.0')` test due to incompatible source definitions. This is because the InSpec Azure resource pack has no control over which IP ranges are defined in Azure service tags. Therefore, tests using these methods should be written explicitly for service tags and IP ranges. For more information about network security groups and security rules, see the [Azure network security groups documentation](https://docs.microsoft.com/en-us/azure/virtual-network/security-overview).
+
+`*ip_range` used in these methods supports IPv4 and IPv6. The IP range criteria should be written in CIDR notation.
+
+For properties applicable to all resources, such as `type`, `name`, `id`, and `properties`, refer to [`azure_generic_resource`](azure_generic_resource#properties).
+
+Also, see the [Azure documentation](https://docs.microsoft.com/en-us/rest/api/virtualnetwork/networksecuritygroups/get#networksecuritygroup) for other available properties. Any property in the response may be accessed with the key names separated by dots (`.`).
+
+## Examples
+
+Test that a resource group has the specified Network Security group:
+
+```ruby
+describe azure_network_security_group(resource_group: 'RESOURCE_GROUP', name: 'GROUP_NAME') do
+ it { should exist }
+end
+```
+
+Test that a Network Security group allows SSH from the internet:
+
+```ruby
+describe azure_network_security_group(resource_group: 'RESOURCE_GROUP', name: 'GROUP_NAME') do
+ it { should allow_ssh_from_internet }
+end
+```
+
+Test that a Network Security group allows inbound traffics from a certain IP range in any port and protocol:
+
+```ruby
+describe azure_network_security_group(resource_group: 'RESOURCE_GROUP', name: 'GROUP_NAME') do
+ it { should allow(source_ip_range: '10.0.0.0/24', direction: 'inbound') }
+end
+```
+
+Test that a Network Security group allows inbound traffics from internet service tag in port `80` and `TCP` protocol:
+
+```ruby
+describe azure_network_security_group(resource_group: 'RESOURCE_GROUP', name: 'GROUP_NAME') do
+ it { should allow(source_service_tag: 'Internet', destination_port: '22', protocol: 'TCP', direction: 'inbound') }
+end
+```
+
+Test that a Network Security group allows inbound traffics from virtual network service tag in a port range and protocol:
+
+```ruby
+describe azure_network_security_group(resource_group: 'RESOURCE_GROUP', name: 'GROUP_NAME') do
+ it { should allow(source_service_tag: 'VirtualNetwork', destination_port: %w{22 8080 56-78}, direction: 'inbound') }
+end
+```
+
+Test that a Network Security group allows outbound traffics to a certain IP range in any port and protocol:
+
+```ruby
+describe azure_network_security_group(resource_group: 'RESOURCE_GROUP', name: 'GROUP_NAME') do
+ it { should allow(destination_ip_range: '10.0.0.0/24', direction: 'outbound') }
+end
+```
+
+Loop through multiple Network Security groups and verify that each group does not allow inbound traffic from already cached data:
+
+```ruby
+azure_network_security_groups.entries.each do
|azure_network_security_group_data|
+ describe azure_network_security_group(resource_data: azure_network_security_group_data) do
+ it { should_not allow(destination_ip_range: '10.0.0.0/24', direction: 'inbound') }
+ end
+end
+```
+
+{{< note >}}
+
+`allow` requires the `direction` parameter to be set to `inbound` or `outbound` and you must prefix the `ip_range`, `service_tag`, and `port` with `source_` or `destination_` identifiers.
+
+{{< /note >}}
+
+## Matchers
+
+{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}}
+
+This resource has the following special matchers.
+
+### exists
+
+The control passes if the resource returns a result. Use `should_not` if you expect zero matches.
+
+```ruby
+# If we expect 'GROUPNAME' to always exist.
+
+describe azure_network_security_group(resource_group: 'RESOURCE_GROUP', name: 'GROUP_NAME') do
+ it { should exist }
+end
+```
+
+### not_exists
+
+```ruby
+# If we expect 'EMPTYGROUPNAME' to never exist.
+
+describe azure_network_security_group(resource_group: 'RESOURCE_GROUP', name: 'GROUP_NAME') do
+ it { should_not exist }
+end
+```
+
+Test that a Network Security group should not allow UDP from the internet:
+
+```ruby
+describe azure_network_security_group(resource_group: 'RESOURCE_GROUP', name: 'GROUP_NAME') do
+ it { should_not allow_udp_from_internet }
+end
+```
+
+Validating Number of days to retain flow log records:
+
+```ruby
+describe azure_network_security_group(resource_group: 'RESOURCE_GROUP', name: 'GROUP_NAME') do
+ its('flow_log_retention_period') { should eq 0 }
+end
+```
+
+## Azure permissions
+
+{{% inspec-azure/azure_permissions_service_principal role="reader" %}}
diff --git a/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_network_security_groups.md b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_network_security_groups.md
new file mode 100644
index 0000000..182020b
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_network_security_groups.md 
@@ -0,0 +1,136 @@
++++
+title = "azure_network_security_groups resource"
+
+draft = false
+
+
+[menu.azure]
+title = "azure_network_security_groups"
+identifier = "inspec/resources/azure/azure_network_security_groups resource"
+parent = "inspec/resources/azure"
++++
+
+Use the `azure_network_security_groups` InSpec audit resource to enumerate the Network Security groups.
+
+## Azure REST API version, endpoint, and HTTP client parameters
+
+{{< readfile file="content/reusable/md/inspec_azure_common_parameters.md" >}}
+
+## Syntax
+
+An `azure_network_security_groups` resource block returns all Azure network security groups within a resource group or an entire subscription.
+
+```ruby
+describe azure_network_security_groups do
+ #...
+end
+```
+
+Or
+
+```ruby
+describe azure_network_security_groups(resource_group: 'RESOURCE_GROUP') do
+ #...
+end
+```
+
+## Parameters
+
+`resource_group` _(optional)_
+
+: The name of the resource group.
+
+## Properties
+
+`ids`
+: A list of the unique resource IDs.
+
+ Field: `id`
+
+`locations`
+: A list of locations for all the network security groups.
+
+ Field: `location`
+
+`names`
+: A list of all the network security group names.
+
+ Field: `name`
+
+`tags`
+: A list of `tag:value` pairs defined on the resources.
+
+ Field: `tags`
+
+`etags`
+: A list of etags defined on the resources.
+
+ Field: `etag`
+
+`properties`
+: A list of all properties of all the resources.
+
+ Field: `properties`
+{{< note >}}
+
+{{< readfile file="content/reusable/md/inspec_filter_table.md" >}}
+
+{{< /note>}}
+
+## Examples
+
+Test that an example resource group has the named network security group:
+
+```ruby
+describe azure_network_security_groups(resource_group: 'EXAMPLEGROUP') do
+ its('names') { should include('ExampleNetworkSecurityGroup') }
+end
+```
+
+Filters the Network Security groups at Azure API to only those that match the specified name via a generic resource (Recommended):
+
+```ruby
+Fuzzy string matching:
+
+describe azure_generic_resources(resource_provider: 'Microsoft.Network/networkSecurityGroups', substring_of_name: 'project_A') do
+ it { should exist }
+end
+
+Exact name matching:
+
+describe azure_generic_resources(resource_provider: 'Microsoft.Network/networkSecurityGroups', name: 'project_A') do
+ it { should exist }
+end
+```
+
+## Matchers
+
+{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}}
+
+This resource has the following special matchers.
+
+### exists
+
+The control passes if the resource returns a result. Use `should_not` if you expect zero matches.
+
+```ruby
+# If we expect the 'EXAMPLEGROUP' resource group to have Network Security groups.
+
+describe azure_network_security_groups(resource_group: 'EXAMPLEGROUP') do
+ it { should exist }
+end
+```
+
+### not_exists
+
+```ruby
+# If we expect the 'EmptyExampleGroup' resource group to not have Network Security groups.
+
+describe azure_network_security_groups(resource_group: 'EMPTYEXAMPLEGROUP') do
+ it { should_not exist }
+end
+```
+
+## Azure permissions
+
+{{% inspec-azure/azure_permissions_service_principal role="reader" %}}
diff --git a/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_network_watcher.md b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_network_watcher.md
new file mode 100644
index 0000000..d3ad522
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_network_watcher.md 
@@ -0,0 +1,129 @@
++++
+title = "azure_network_watcher resource"
+
+draft = false
+
+
+[menu.azure]
+title = "azure_network_watcher"
+identifier = "inspec/resources/azure/azure_network_watcher resource"
+parent = "inspec/resources/azure"
++++
+
+Use the `azure_network_watcher` InSpec audit resource to test the properties of an Azure Network Watcher.
+
+## Azure REST API version, endpoint, and HTTP client parameters
+
+{{< readfile file="content/reusable/md/inspec_azure_common_parameters.md" >}}
+
+## Syntax
+
+An `azure_network_watcher` resource block identifies a Network Watcher by `name` and `resource_group`, or the `resource_id`.
+
+```ruby
+describe azure_network_watcher(resource_group: 'RESOURCE_GROUP', name: 'NETWORK_WATCHER_NAME') do
+ it { should exist }
+end
+```
+
+```ruby
+describe azure_network_watcher(resource_id: '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Network/networkWatchers/{networkWatcherName}') do
+ it { should exist }
+end
+```
+
+## Parameters
+
+`resource_group`
+: Azure resource group where the network watcher resides.
+
+`name`
+: Name of the network watcher to test.
+
+`resource_id`
+: The unique resource ID.
+
+`flow_logs_api_version`
+: The flow log status endpoint API version used for creating `flow_logs` property. The latest version will be used unless provided. A network security group within the same region can be targeted for getting the flow log statuses. For more information, see the [Azure Network Watchers Flow Log Status documentation](https://docs.microsoft.com/en-us/rest/api/network-watcher/networkwatchers/getflowlogstatus).
+
+`nsg_resource_id`
+: The unique resource ID of the network security group being targeted to get the flow log statuses. `/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Network/networkSecurityGroups/{networkSecurityGroupName}`.
+
+`nsg_resource_group`
+: The resource group of the network security group being targeted to get the flow log statuses. This requires `nsg_name` to be provided.
+
+`nsg_name`
+: The name of the network security group being targeted to get the flow log statuses. This requires `nsg_resource_group` to be provided.
+
+Either one of the parameter sets can be provided for a valid query:
+
+- `resource_id`
+- `resource_group` and `name`
+
+## Properties
+
+`provisioning_state`
+: The provisioning state of the network watcher resource. For the valid values, see the [Azure Network Watchers ProvisioningState documentation](https://docs.microsoft.com/en-us/rest/api/network-watcher/networkwatchers/get#provisioningstate).
+
+`flow_logs`
+: Information on the configuration of flow log and traffic analytics (optional) in [this format](https://docs.microsoft.com/en-us/rest/api/network-watcher/networkwatchers/getflowlogstatus#flowloginformation). All properties can be accessed via dot notation. For example, `flow_logs.properties.enabled`. This resource supports targeting network security groups defined at resource creation only.
+
+For properties applicable to all resources, such as `type`, `name`, `id`, and `properties`, refer to [`azure_generic_resource`](azure_generic_resource#properties).
+
+Also, see the [Azure documentation](https://docs.microsoft.com/en-us/rest/api/network-watcher/networkwatchers/get#networkwatcher) for other available properties. You can access any attribute in the response with the key names separated by dots (`.`).
+
+## Examples
+
+Test the location of a Network Watcher:
+
+```ruby
+describe azure_network_watcher(resource_group: 'RESOURCE_GROUP', name: 'NETWORK_WATCHER_NAME') do
+ its('location') { should cmp 'eastus' }
+end
+```
+
+Test the Flow Log status of a Network Security group:
+
+```ruby
+describe azure_network_watcher(resource_group: 'RESOURCE_GROUP', name: 'NETWORK_WATCHER_NAME', nsg_resource_group: 'NSG_RESOURCE_GROUP', nsg_name: 'nsg_eastus') do
+ its('flow_logs.properties.enabled') { should be true }
+ its('flow_logs.properties.retentionPolicy.days') { should be >= 90 }
+end
+```
+
+Loop through Network Security groups with the resource ID:
+
+```ruby
+azure_network_security_groups.where(location: 'eastus').ids.each do |nsg_id|
+ describe azure_network_watcher(resource_group: 'RESOURCE_GROUP', name: 'NETWORK_WATCHER_NAME', nsg_resource_id: nsg_id) do
+ its('flow_logs.properties.enabled') { should be true }
+ its('flow_logs.properties.retentionPolicy.days') { should be >= 90 }
+ end
+end
+```
+
+See [integration tests](https://github.com/inspec/inspec-azure/blob/main/test/integration/verify/controls/azure_network_watcher.rb) for more examples.
+
+## Matchers
+
+This InSpec audit resource has the following special matchers. For a full list of available matchers, please visit our [Universal Matchers page](https://docs.chef.io/inspec/matchers/).
+
+### exists
+
+```ruby
+# If we expect 'NETWORKWATCHERNAME' to always exist.
+
+describe azure_network_watcher(resource_group: 'RESOURCE_GROUP', name: 'NETWORK_WATCHER_NAME') do
+ it { should exist }
+end
+
+# If we expect 'NETWORKWATCHERNAME' to never exist.
+
+describe azure_network_watcher(resource_group: 'RESOURCE_GROUP', name: 'NETWORK_WATCHER_NAME') do
+ it { should_not exist }
+end
+```
+
+## Azure permissions
+
+{{% inspec-azure/azure_permissions_service_principal role="contributor" %}}
diff --git a/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_network_watchers.md b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_network_watchers.md
new file mode 100644
index 0000000..df4af9a
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_network_watchers.md
@@ -0,0 +1,111 @@
++++
+title = "azure_network_watchers resource"
+
+draft = false
+
+
+[menu.azure]
+title = "azure_network_watchers"
+identifier = "inspec/resources/azure/azure_network_watchers resource"
+parent = "inspec/resources/azure"
++++
+
+Use the `azure_network_watchers` InSpec audit resource to test the properties and configuration of multiple Azure Network Watchers.
+
+## Azure REST API version, endpoint, and HTTP client parameters
+
+{{< readfile file="content/reusable/md/inspec_azure_common_parameters.md" >}}
+
+## Syntax
+
+An `azure_network_watchers` resource block returns all network watchers within a resource group (if provided) or an entire subscription.
+
+```ruby
+describe azure_network_watchers do
+ #...
+end
+```
+
+or
+
+```ruby
+describe azure_network_watchers(resource_group: 'RESOURCE_GROUP') do
+ #...
+end
+```
+
+## Parameters
+
+`resource_group` _(optional)_
+
+: The name of the resource group.
+
+## Properties
+
+`ids`
+: A list of the unique resource IDs.
+
+ Field: `id`
+
+`locations`
+: A list of locations for all the resources being interrogated.
+
+ Field: `location`
+
+`names`
+: A list of names of all the resources being interrogated.
+
+ Field: `name`
+
+`tags`
+: A list of `tag:value` pairs defined on the resources being interrogated.
+
+ Field: `tags`
+
+{{< note >}}
+
+{{< readfile file="content/reusable/md/inspec_filter_table.md" >}}
+
+{{< /note>}}
+
+## Examples
+
+Test that an example resource group has the named network watcher:
+
+```ruby
+describe azure_network_watchers(resource_group: 'EXAMPLEGROUP') do
+ its('names') { should include('NetworkWatcherName') }
+end
+```
+
+## Matchers
+
+{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}}
+
+This resource has the following special matchers.
+
+### exists
+
+The control passes if the filter returns at least one result. Use `should_not` if you expect zero matches.
+
+```ruby
+# If we expect 'EXAMPLEGROUP' resource group to have Network Watchers.
+
+describe azure_network_watchers(resource_group: 'ExampleGroup') do
+ it { should exist }
+end
+```
+
+### not_exists
+
+```ruby
+# If we expect 'EMPTYEXAMPLEGROUP' resource group to not have Network Watchers.
+
+describe azure_network_watchers(resource_group: 'EMPTYEXAMPLEGROUP') do
+ it { should_not exist }
+end
+```
+
+## Azure permissions
+
+{{% inspec-azure/azure_permissions_service_principal role="contributor" %}}
diff --git a/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_policy_assignments.md b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_policy_assignments.md
new file mode 100644
index 0000000..c961c73
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_policy_assignments.md
@@ -0,0 +1,159 @@
++++
+title = "azure_policy_assignments resource"
+
+draft = false
+
+
+[menu.azure]
+title = "azure_policy_assignments"
+identifier = "inspec/resources/azure/azure_policy_assignments resource"
+parent = "inspec/resources/azure"
++++
+
+Use the `azure_policy_assignments` InSpec resource to examine assignments of the Azure policy to resources and resource groups.
+
+## Azure REST API version, endpoint, and HTTP client parameters
+
+{{< readfile file="content/reusable/md/inspec_azure_common_parameters.md" >}}
+
+## Syntax
+
+```ruby
+describe azure_policy_assignments do
+ it { should exist }
+end
+```
+
+## Parameters
+
+This resource does not require any parameters.
+
+## Properties
+
+Please review the [Azure documentation](https://docs.microsoft.com/en-us/rest/api/policy/policyassignments/list#policyassignment) for a full description of the available properties.
+
+`ids`
+: The ID of this policy assignment.
+
+: **Filter**: id
+
+`types`
+: The Azure resource type.
+
+: **Filter**: type
+
+`names`
+: The names of the policy assignments.
+
+: **Filter**: name
+
+`locations`
+: The locations of the policy assignments.
+
+: **Filter**: location
+
+`tags`
+: The tags of the policy assignments.
+
+: **Filter**: tags
+
+`displayNames`
+: The display names of the policy assignments.
+
+: **Filter**: displayName
+
+`policyDefinitionIds`
+: The IDs of the policies being assigned by these policy assignments.
+
+: **Filter**: policyDefinitionId
+
+`scopes`
+: The scope of the policy assignments (which resources they are being attached to).
+
+: **Filter**: scope
+
+`notScopes`
+: The scopes which are excluded from these policy assignments (blocks inheritance).
+
+: **Filter**: notScopes
+
+`parameters`
+: The override parameters passed to the base policy by this assignment.
+
+: **Filter**: parameters
+
+`enforcementMode`
+: The enforcement modes of these policy assignments.
+
+: **Filter**: enforcementModes
+
+`assignedBys`
+: The IDs that assigned these policies.
+
+: **Filter**: assignedBy
+
+`parameterScopes`
+: Unknown - no data observed in this field in the wild.
+
+: **Filter**: parameterScopes
+
+`created_bys`
+: The IDs that created these policy assignments.
+
+: **Filter**: created_by
+
+`createdOns`
+: The dates these policy assignments were created (as a Ruby Time object).
+
+: **Filter**: createdOn
+
+`updatedBys`
+: The IDs that updated these policy assignments.
+
+: **Filter**: updatedBy
+
+`updatedOns`
+: The dates these policy assignments were updated (as a Ruby Time object).
+
+: **Filter**: updatedOn
+
+`identityPrincipalIds`
+: The principal IDs of the associated managed identities.
+
+: **Filter**: identityPrincipalId
+
+`identityTenantIds`
+: The tenant IDs of the associated managed identities.
+
+: **Filter**: identityTenantId
+
+`identityTypes`
+: The identity types of the associated managed identities.
+
+: **Filter**: identityType
+
+## Examples
+
+Check that all assigned policies are in enforcing mode:
+
+```ruby
+describe azure_policy_assignments.where{ enforcement_mode == 'DoNotEnforce' } do
+ it {should_not exist}
+ its('display_names') {should eq []}
+end
+```
+
+Check that no policies were modified in the last 30 days:
+
+```ruby
+last_30_days = Time.now() - (60*60*24*30)
+
+describe azure_policy_assignments.where{ (updatedOn > last_30_days) || (createdOn > last_30_days) } do
+ it {should_not exist}
+ its('ids') {should eq []}
+end
+```
+
+## Azure permissions
+
+{{% inspec-azure/azure_permissions_service_principal role="contributor" %}}
diff --git a/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_policy_definition.md b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_policy_definition.md
new file mode 100644
index 0000000..7d43b61
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_policy_definition.md
@@ -0,0 +1,126 @@
++++
+title = "azure_policy_definition resource"
+
+draft = false
+
+
+[menu.azure]
+title = "azure_policy_definition"
+identifier = "inspec/resources/azure/azure_policy_definition resource"
+parent = "inspec/resources/azure"
++++
+
+Use the `azure_policy_definition` InSpec audit resource to test the properties and configuration of an Azure Policy definition.
+
+## Azure REST API version, endpoint, and HTTP client parameters
+
+{{< readfile file="content/reusable/md/inspec_azure_common_parameters.md" >}}
+
+## Syntax
+
+`name` or the `resource_id` are required parameters.
+
+```ruby
+describe azure_policy_definition(name: 'MY_POLICY') do
+ it { should exist }
+end
+```
+
+```ruby
+describe azure_policy_definition(resource_id: '/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/policyDefinitions/{policyDefinitionName}') do
+ it { should exist }
+end
+```
+
+## Parameters
+
+`name`
+: Name of the policy definition. `policyDefinitionName`.
+
+`built_in` _Optional_
+: Indicates whether the policy definition is built-in. Defaults to `false` if not supplied. This should not be used when `resource_id` is provided.
+
+`resource_id`
+: The unique resource ID.
+
+Either one of the parameter sets can be provided for a valid query:
+
+- `resource_id`
+- `name`
+- `name` and `built_in`
+
+## Properties
+
+`properties.description`
+: The policy definition description.
+
+`properties.displayName`
+: The display name of the policy definition.
+
+`properties.policyType`
+: The type of policy definition. Possible values are `NotSpecified`, `BuiltIn`, `Custom`, and `Static`.
+
+`properties.policyRule`
+: The policy rule.
+
+For properties applicable to all resources, such as `type`, `name`, `id`, and `properties`, refer to [`azure_generic_resource`](azure_generic_resource#properties).
+
+Also, see the [Azure documentation](https://docs.microsoft.com/en-us/rest/api/policy/policy-definitions/get) for other available properties.
You can access any attribute in the response with the key names separated by dots (`.`). For example, `properties.`.
+
+## Examples
+
+Test a policy definition display name:
+
+```ruby
+describe azure_policy_definition(name: 'MY_POLICY') do
+ its('properties.displayName') { should cmp "Enforce 'owner' tag on resource groups" }
+end
+```
+
+Test a policy definition rule:
+
+```ruby
+describe azure_policy_definition(name: 'MY_POLICY', built_in: true ) do
+ its('properties.policyRule.then.effect') { should cmp 'deny' }
+end
+```
+
+## Matchers
+
+{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}}
+
+This resource has the following special matchers.
+
+### custom
+
+Test if a policy definition type is `Custom` or not.
+
+```ruby
+describe azure_policy_definition(name: 'MY_POLICY') do
+ it { should be_custom }
+end
+```
+
+### exists
+
+```ruby
+# If we expect a resource to always exist.
+
+describe azure_policy_definition(name: 'MY_POLICY', built_in: true ) do
+ it { should exist }
+end
+```
+
+### not_exists
+
+```ruby
+# If we expect a resource to never exist.
+
+describe azure_policy_definition(name: 'MY_POLICY') do
+ it { should_not exist }
+end
+```
+
+## Azure permissions
+
+{{% inspec-azure/azure_permissions_service_principal role="contributor" %}}
diff --git a/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_policy_definitions.md b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_policy_definitions.md
new file mode 100644
index 0000000..52cfae5
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_policy_definitions.md
@@ -0,0 +1,141 @@
++++
+title = "azure_policy_definitions resource"
+
+draft = false
+
+
+[menu.azure]
+title = "azure_policy_definitions"
+identifier = "inspec/resources/azure/azure_policy_definitions resource"
+parent = "inspec/resources/azure"
++++
+
+Use the `azure_policy_definitions` InSpec audit resource to test the properties and configuration of multiple Azure Policy definitions.
+
+## Azure REST API version, endpoint, and HTTP client parameters
+
+{{< readfile file="content/reusable/md/inspec_azure_common_parameters.md" >}}
+
+## Syntax
+
+An `azure_policy_definitions` resource block returns all policy definitions built-in (if `built_in_only: true`) or within a subscription.
+
+```ruby
+describe azure_policy_definitions do
+ it { should exist }
+end
+```
+
+Or
+
+```ruby
+describe azure_policy_definitions(built_in_only: true) do
+ it { should exist }
+end
+```
+
+## Parameters
+
+`built_in_only` _(optional)_
+
+: Indicates whether the interrogated policy definitions are built-in only. Defaults to `false` if not supplied.
+
+## Properties
+
+`ids`
+: A list of the unique resource IDs.
+
+ Field: `id`
+
+`names`
+: A list of names of all the resources being interrogated.
+
+ Field: `name`
+
+`policy_types`
+: A list of policy types of all the resources.
+
+ Field: `policy_type`
+
+`modes`
+: A list of modes of all the resources.
+
+ Field: `mode`
+
+`metadata_versions`
+: A list of metadata versions of the resources.
+
+ Field: `metadata_version`
+
+`metadata_categories`
+: A list of metadata categories of the resources.
+
+ Field: `metadata_category`
+
+`parameters`
+: A list of parameters of the resources.
+
+ Field: `parameters`
+
+`policy_rules`
+: A list of policy rules of the resources.
+
+ Field: `policy_rule`
+
+`properties`
+: A list of properties for all the resources being interrogated.
+
+ Field: `properties`
+
+{{< note >}}
+
+{{< readfile file="content/reusable/md/inspec_filter_table.md" >}}
+
+{{< /note>}}
+
+## Examples
+
+Check a specific Policy definition is present:
+
+```ruby
+describe azure_policy_definitions do
+ its('names') { should include 'my-policy' }
+end
+```
+
+Filters the results to include only those Policy definitions which include the specified name:
+
+```ruby
+describe azure_policy_definitions.where{ name.include?('my-policy') } do
+ it { should exist }
+end
+```
+
+Filters the results to include only the custom Policy definitions:
+
+```ruby
+describe azure_policy_definitions.where(policy_type: "Custom") do
+ it { should exist }
+ its('count') { should be 15 }
+end
+```
+
+## Matchers
+
+{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}}
+
+This resource has the following special matchers.
+
+### exists
+
+The control passes if the filter returns at least one result. Use `should_not` if you expect zero matches.
+
+```ruby
+describe azure_policy_definitions do
+ it { should exist }
+end
+```
+
+## Azure permissions
+
+{{% inspec-azure/azure_permissions_service_principal role="contributor" %}}
diff --git a/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_policy_exemption.md b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_policy_exemption.md
new file mode 100644
index 0000000..070bae5
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_policy_exemption.md
@@ -0,0 +1,126 @@
++++
+title = "azure_policy_exemption resource"
+
+draft = false
+
+
+[menu.azure]
+title = "azure_policy_exemption"
+identifier = "inspec/resources/azure/azure_policy_exemption resource"
+parent = "inspec/resources/azure"
++++
+
+Use the `azure_policy_exemption` InSpec audit resource to test the properties related to an Azure Policy Exemption.
+
+## Azure REST API version, endpoint, and HTTP client parameters
+
+{{< readfile file="content/reusable/md/inspec_azure_common_parameters.md" >}}
+
+## Syntax
+
+```ruby
+describe azure_policy_exemption(resource_group: 'RESOURCE_GROUP', name: 'POLICY_EXEMPTION_NAME') do
+ it { should exist }
+ its('name') { should cmp '3b8b3f3bbec24cd6af583694' }
+ its('type') { should cmp 'Microsoft.Authorization/policyExemptions' }
+ its('properties.exemptionCategory') { should cmp 'Waiver' }
+ its('properties.policyAssignmentId') { should cmp '/subscriptions/ae640e6b-ba3e-4256-9d62-2993eecfa6f2/providers/Microsoft.Authorization/policyAssignments/CostManagement' }
+ its('systemData.createdByType') { should cmp 'User' }
+end
+```
+
+```ruby
+describe azure_policy_exemption(name: 'POLICY_EXEMPTION_NAME') do
+ it { should exist }
+end
+```
+
+## Parameters
+
+`name` _(required)_
+
+: The name of the Azure Policy Exemption to test.
+
+`resource_group` _(optional)_
+
+: The name of the resource group.
+
+## Properties
+
+`id`
+: Resource ID.
+
+`name`
+: Policy Exemption Name.
+
+`type`
+: Resource type.
+
+`properties.policyAssignmentId`
+: The ID of the policy assignment that is being exempted.
+
+`properties.policyDefinitionReferenceIds`
+: The policy definition reference ID list when the associated policy assignment is an assignment of a policy set definition.
+
+`properties.exemptionCategory`
+: The policy exemption category. Possible values are `Waiver` and `Mitigated`.
+
+`properties.displayName`
+: The display name of the policy exemption.
+
+`properties.description`
+: The description of the policy exemption.
+
+`systemData.createdBy`
+: The identity that created the resource.
+
+For properties applicable to all resources, such as `type`, `name`, `id`, and `properties`, refer to [`azure_generic_resource`](azure_generic_resource#properties).
+
+Also, see the [Azure documentation](https://docs.microsoft.com/en-us/rest/api/policy/policy-exemptions/get) for other available properties.
+You can access any attribute in the response with the key names separated by dots (`.`).
+
+## Examples
+
+Test that the policy exemption category is `Waiver`:
+
+```ruby
+describe azure_policy_exemption(name: 'POLICY_EXEMPTION_NAME') do
+ its('properties.exemptionCategory') { should eq 'Waiver' }
+end
+```
+
+Test that the definition reference ID list includes a particular reference ID:
+
+```ruby
+describe azure_policy_exemption(resource_group: 'RESOURCE_GROUP', name: 'POLICY_EXEMPTION_NAME') do
+ its('properties.policyDefinitionReferenceIds') { should include 'POLICY_DEFINITION_REFERENCE_ID' }
+end
+```
+
+## Matchers
+
+{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}}
+
+### exists
+
+```ruby
+# If a policy exemption is found, it will exist.
+
+describe azure_policy_exemption(name: 'POLICY_EXEMPTION_NAME') do
+ it { should exist }
+end
+```
+
+### not_exists
+
+```ruby
+# policy exemptions that aren't found will not exist.
+
+describe azure_policy_exemption('3b8b3f3bbec24cd6af583694') do
+ it { should_not exist }
+end
+```
+
+## Azure permissions
+
+{{% inspec-azure/azure_permissions_service_principal role="contributor" %}}
diff --git a/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_policy_exemptions.md b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_policy_exemptions.md
new file mode 100644
index 0000000..c7ab158
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_policy_exemptions.md
@@ -0,0 +1,172 @@
++++
+title = "azure_policy_exemptions resource"
+
+draft = false
+
+
+[menu.azure]
+title = "azure_policy_exemptions"
+identifier = "inspec/resources/azure/azure_policy_exemptions resource"
+parent = "inspec/resources/azure"
++++
+
+Use the `azure_policy_exemptions` InSpec audit resource to test properties related to all Azure Policy Exemptions for the subscription.
+
+## Azure REST API version, endpoint, and HTTP client parameters
+
+{{< readfile file="content/reusable/md/inspec_azure_common_parameters.md" >}}
+
+## Syntax
+
+An `azure_policy_exemptions` resource block returns all Azure Policy Exemptions within a subscription.
+
+```ruby
+describe azure_policy_exemptions do
+ #...
+end
+```
+
+## Parameters
+
+## Properties
+
+`ids`
+: A list of the unique resource IDs.
+
+ Field: `id`
+
+`names`
+: A list of names for all the resources.
+
+ Field: `name`
+
+`types`
+: A list of types for all the resources.
+
+ Field: `type`
+
+`properties`
+: A list of properties for all the resources.
+
+ Field: `properties`
+
+`system_data`
+: A list of System Data for all the resources.
+
+ Field: `system_data`
+
+`policy_assignment_ids`
+: A list of Policy Assignment IDs.
+
+ Field: `policy_assignment_id`
+
+`policy_definition_reference_ids`
+: A list of Policy Definition Reference IDs.
+
+ Field: `policy_definition_reference_ids`
+
+`exemption_categories`
+: A list of categories of exemptions.
+
+ Field: `exemption_category`
+
+`display_names`
+: A list of display names of the exemptions.
+
+ Field: `display_name`
+
+`descriptions`
+: A list of descriptions of the exemptions.
+
+ Field: `description`
+
+`metadata`
+: A list of metadata info of the exemptions.
+
+ Field: `metadata`
+
+`created_by`
+: A list of creators of the exemptions.
+
+ Field: `created_by`
+
+`created_by_types`
+: A list of the type of creators of the exemptions.
+
+ Field: `created_by_type`
+
+`created_at`
+: A list of created_at timestamps of the exemptions.
+
+ Field: `created_at`
+
+`last_modified_by`
+: A list of the last modifiers of the exemptions.
+
+ Field: `last_modified_by`
+
+`last_modified_by_types`
+: A list of the type of modifiers of the exemptions.
+
+ Field: `last_modified_by_type`
+
+`last_modified_at`
+: A list of `modified_at` timestamps of the exemptions.
+
+ Field: `last_modified_at`
+
+{{< note >}}
+
+{{< readfile file="content/reusable/md/inspec_filter_table.md" >}}
+
+{{< /note>}}
+
+## Examples
+
+Loop through Policy Exemptions by their names:
+
+```ruby
+azure_policy_exemptions.names.each do |name|
+ describe azure_policy_exemption(name: name) do
+ it { should exist }
+ end
+end
+```
+
+Test that there are Policy Exemptions that are of waiver exemption category:
+
+```ruby
+describe azure_policy_exemptions.where(exemption_category: 'Waiver') do
+ it { should exist }
+end
+```
+
+## Matchers
+
+{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}}
+
+This resource has the following special matchers.
+
+### not_exists
+
+```ruby
+# Should not exist if no policy exemptions are present in the subscription.
+
+describe azure_policy_exemptions do
+ it { should_not exist }
+end
+```
+
+### exists
+
+```ruby
+# Should exist if the filter returns at least one policy exemption in the subscription.
+
+describe azure_policy_exemptions do
+ it { should exist }
+end
+```
+
+## Azure permissions
+
+{{% inspec-azure/azure_permissions_service_principal role="contributor" %}}
diff --git a/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_policy_insights_query_result.md b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_policy_insights_query_result.md
new file mode 100644
index 0000000..4186556
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_policy_insights_query_result.md
@@ -0,0 +1,174 @@
++++
+title = "azure_policy_insights_query_result resource"
+
+draft = false
+
+
+[menu.azure]
+title = "azure_policy_insights_query_result"
+identifier = "inspec/resources/azure/azure_policy_insights_query_result resource"
+parent = "inspec/resources/azure"
++++
+
+Use the `azure_policy_insights_query_result` InSpec audit resource to test the properties and configuration of an Azure Policy Insights query result.
+
+## Azure REST API version, endpoint, and HTTP client parameters
+
+{{< readfile file="content/reusable/md/inspec_azure_common_parameters.md" >}}
+
+## Syntax
+
+The `policy_definition` and the `resource_id` are required parameters.
+
+```ruby
+describe azure_policy_insights_query_result(policy_definition: 'de875639-505c-4c00-b2ab-bb290dab9a54', resource_id: '/subscriptions/80b824de-ec53-4116-9868-3deeab10b0cd/resourcegroups/jfm-winimgbuilderrg2/providers/microsoft.virtualmachineimages/imagetemplates/win1021h1') do
+ it { should exist }
+end
+```
+
+```ruby
+describe azure_policy_insights_query_result(policy_definition: 'de875639-505c-4c00-b2ab-bb290dab9a54', resource_id: '/subscriptions/80b824de-ec53-4116-9868-3deeab10b0cd/resourcegroups/jfm-winimgbuilderrg2/providers/microsoft.virtualmachineimages/imagetemplates/win1021h1') do
+ it { should exist }
+end
+```
+
+## Parameters
+
+`policy_definition`
+: Name of the policy definition. `policyDefinitionName`.
+
+`resource_id`
+: The unique resource ID. `/subscriptions/{subscriptionId}/resourcegroups/{resourceGroupName}/providers/{resourceProviderId}`.
+
+Submit both parameters for a valid query:
+
+- `resource_id`
+- `policy_definition`
+
+## Properties
+
+`resource_id`
+: Resource ID.
+
+`policy_assignment_id`
+: Policy assignment ID.
+
+`policy_definition_id`
+: Policy definition ID.
+
+`policy_assignment_name`
+: Policy assignment name.
+
+`policy_definition_name`
+: Policy definition name.
+
+`policy_definition_action`
+: Policy definition action. For example, `effect`.
+
+`compliance_state`
+: Compliance state of the resource.
+
+`effective_parameters`
+: Effective parameters for the policy assignment.
+
+`is_compliant`
+: Flag indicating whether the resource is compliant against the policy assignment it was evaluated.
+
+{{< note >}}
+
+This property is deprecated; please use `ComplianceState` instead.
+
+{{< /note >}}
+
+`policy_assignment_owner`
+: Policy assignment owner.
+
+`policy_assignment_parameters`
+: Policy assignment parameters.
+
+`policy_assignment_scope`
+: Policy assignment scope.
+
+`subscription_id`
+: Subscription ID.
+
+`resource_type`
+: Resource type.
+
+`resource_location`
+: Resource location.
+
+`resource_group`
+: Resource group name.
+
+`resource_tags`
+: List of resource tags.
+
+`policy_definition_category`
+: Policy definition category.
+
+`management_group_ids`
+: Comma separated list of management group IDs, which represent the hierarchy of the management groups the resource is part of.
+
+`compliance_reason_code`
+: Populated with the failure error code sometimes.
+
+Also, see the [Azure documentation](https://docs.microsoft.com/en-us/rest/api/policy/policystates/listqueryresultsforsubscription#policystate) for other available properties. You can access any attribute in the response with the key names separated by dots (`.`). For example, `properties.`.
+
+## Examples
+
+Test a policy definition resource type:
+
+```ruby
+describe azure_policy_insights_query_result(policy_definition: 'de875639-505c-4c00-b2ab-bb290dab9a54', resource_id: '/subscriptions/80b824de-ec53-4116-9868-3deeab10b0cd/resourcegroups/jfm-winimgbuilderrg2/providers/microsoft.virtualmachineimages/imagetemplates/win1021h1') do
+ its('resourceType') { should eq 'Microsoft.VirtualMachineImages/imageTemplates' }
+end
+```
+
+Test a policy definition and policy assignment scope:
+
+```ruby
+describe azure_policy_insights_query_result(policy_definition: 'de875639-505c-4c00-b2ab-bb290dab9a54', resource_id: '/subscriptions/80b824de-ec53-4116-9868-3deeab10b0cd/resourcegroups/jfm-winimgbuilderrg2/providers/microsoft.virtualmachineimages/imagetemplates/win1021h1') do
+ its('policyAssignmentScope') { should cmp '/subscriptions/80b824de-ec53-4116-9868-3deeab10b0cd' }
+end
+```
+
+## Matchers
+
+{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}}
+
+This resource has the following special matchers.
+
+### compliant
+
+Test if a policy definition type is `Compliant` or not.
+
+```ruby
+describe azure_policy_insights_query_result(policy_definition: 'de875639-505c-4c00-b2ab-bb290dab9a54', resource_id: '/subscriptions/80b824de-ec53-4116-9868-3deeab10b0cd/resourcegroups/jfm-winimgbuilderrg2/providers/microsoft.virtualmachineimages/imagetemplates/win1021h1') do
+ it { should be_compliant }
+end
+```
+
+### exists
+
+```ruby
+# If we expect a resource to always exist.
+
+describe azure_policy_insights_query_result(policy_definition: 'de875639-505c-4c00-b2ab-bb290dab9a54', resource_id: '/subscriptions/80b824de-ec53-4116-9868-3deeab10b0cd/resourcegroups/jfm-winimgbuilderrg2/providers/microsoft.virtualmachineimages/imagetemplates/win1021h1') do
+ it { should exist }
+end
+```
+
+### not_exists
+
+```ruby
+# If we expect a resource to never exist.
+
+describe azure_policy_insights_query_result(policy_definition: 'de875639-505c-4c00-b2ab-bb290dab9a54', resource_id: '/subscriptions/80b824de-ec53-4116-9868-3deeab10b0cd/resourcegroups/jfm-winimgbuilderrg2/providers/microsoft.virtualmachineimages/imagetemplates/win1021h1') do
+ it { should_not exist }
+end
+```
+
+## Azure permissions
+
+{{% inspec-azure/azure_permissions_service_principal role="contributor" %}}
diff --git a/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_policy_insights_query_results.md b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_policy_insights_query_results.md
new file mode 100644
index 0000000..e830dc7
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_policy_insights_query_results.md
@@ -0,0 +1,184 @@
++++
+title = "azure_policy_insights_query_results resource"
+
+draft = false
+
+
+[menu.azure]
+title = "azure_policy_insights_query_results"
+identifier = "inspec/resources/azure/azure_policy_insights_query_results resource"
+parent = "inspec/resources/azure"
++++
+
+Use the `azure_policy_insights_query_results` InSpec audit resource to test properties and configuration of multiple Azure Policy Insights query results.
+
+## Azure REST API version, endpoint, and HTTP client parameters
+
+{{< readfile file="content/reusable/md/inspec_azure_common_parameters.md" >}}
+
+## Syntax
+
+An `azure_policy_insights_query_results` resource block returns all policy insights query results, compliant or not, within a subscription.
+
+```ruby
+describe azure_policy_insights_query_results do
+ it { should exist }
+end
+```
+
+Or
+
+```ruby
+describe azure_policy_insights_query_results do
+ it { should exist }
+end
+```
+
+## Parameters
+
+This resource does not require any parameters.
+
+## Properties
+
+`resource_ids`
+: A list of the unique resource IDs.
+
+ Field: `resource_id`
+
+`policy_assignment_ids`
+: A list of all policy assignment IDs.
+
+ Field: `policyAssignment_id`
+
+`policy_definition_ids`
+: A list of all policy definition IDs.
+
+ Field: `policyDefinition_id`
+
+`is_compliant`
+: A list of boolean flags indicating whether the resource is compliant or not.
+
+ Field: `is_compliant`
+
+`subscription_ids`
+: A list of subscription IDs.
+
+ Field: `subscription_id`
+
+`resource_types`
+: A list of resource types.
+
+ Field: `resource_type`
+
+`resource_locations`
+: A list of resource locations.
+
+ Field: `resource_location`
+
+`resource_groups`
+: A list of resource group names.
+
+ Field: `resource_group`
+
+`resource_tags`
+: A list of resource tags.
+
+ Field: `resource_tags`
+
+`policy_assignment_names`
+: A list of policy assignment names.
+
+ Field: `policy_assignment_name`
+
+`policy_definition_names`
+: A list of policy definition names.
+
+ Field: `policy_definition_name`
+
+`policy_assignment_scopes`
+: A list of policy assignment scopes.
+
+ Field: `policy_assignment_scope`
+
+`policy_assignment_parameters`
+: A list of policy assignment parameters.
+
+ Field: `policy_assignment_parameters`
+
+`policy_definition_actions`
+: A list of policy definition actions.
+
+ Field: `policy_definition_action`
+
+`policy_definition_categories`
+: A list of policy definition categories.
+
+ Field: `policy_definition_category`
+
+`management_group_ids`
+: A list of management group IDs.
+
+ Field: `management_group_ids`
+
+`compliance_states`
+: A list compliance state of the resource.
+
+ Field: `compliance_state`
+
+`compliance_reason_codes`
+: A list of reason codes recorded for failure.
+
+ Field: `compliance_reason_code`
+
+{{< note >}}
+
+{{< readfile file="content/reusable/md/inspec_filter_table.md" >}}
+
+{{< /note>}}
+
+## Examples
+
+Check if a specific resource type is present:
+
+```ruby
+describe azure_policy_insights_query_results do
+ its('resource_types') { should include 'Microsoft.VirtualMachineImages/imageTemplates' }
+end
+```
+
+Filters the results to include only those Policy Insights query results that have specified location:
+
+```ruby
+describe azure_policy_insights_query_results.where(resource_location: 'RESOURCE_LOCATION') do
+ it { should exist }
+end
+```
+
+Filters the results to include only the compliant Policy Insights query results:
+
+```ruby
+describe azure_policy_insights_query_results.where(is_compliant: true) do
+ it { should exist }
+ its('count') { should be 120 }
+end
+```
+
+## Matchers
+
+{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}}
+
+This resource has the following special matchers.
+
+### exists
+
+The control passes if the filter returns at least one result. Use `should_not` if you expect **zero** matches.
+
+```ruby
+describe azure_policy_insights_query_results do
+ it { should exist }
+end
+```
+
+## Azure permissions
+
+{{% inspec-azure/azure_permissions_service_principal role="contributor" %}}
diff --git a/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_postgresql_database.md b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_postgresql_database.md
new file mode 100644
index 0000000..7ab4823
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_postgresql_database.md
@@ -0,0 +1,110 @@
++++
+title = "azure_postgresql_database resource"
+
+draft = false
+
+
+[menu.azure]
+title = "azure_postgresql_database"
+identifier = "inspec/resources/azure/azure_postgresql_database resource"
+parent = "inspec/resources/azure"
++++
+
+Use the `azure_postgresql_database` InSpec audit resource to test the properties and configuration of an Azure PostgreSQL database on a PostgreSQL server.
+
+## Azure REST API version, endpoint, and HTTP client parameters
+
+{{< readfile file="content/reusable/md/inspec_azure_common_parameters.md" >}}
+
+## Syntax
+
+`resource_group`, `server_name` and `name`, or the `resource_id` are required parameters.
+
+```ruby
+describe azure_postgresql_database(resource_group: 'RESOURCE_GROUP', server_name: 'SERVER_NAME', name: 'DATABASE_NAME') do
+ it { should exist }
+end
+```
+
+```ruby
+describe azure_postgresql_database(resource_id: '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.DBforPostgreSQL/servers/{serverName}/databases/{databaseName}') do
+ it { should exist }
+end
+```
+
+## Parameters
+
+`resource_group`
+: Azure resource group where the targeted resource resides.
+
+`server_name`
+: The name of the server on which the database resides.
+
+`name`
+: The unique name of the database.
+
+`database_name`
+: Alias for the `name` parameter.
+
+`resource_id`
+: The unique resource ID. `/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.DBforPostgreSQL/servers/{serverName}/databases/{databaseName}`.
+
+Either one of the parameter sets can be provided for a valid query:
+
+- `resource_id`
+- `resource_group`, `server_name`, and `name`
+- `resource_group`, `server_name`, and `database_name`
+
+## Properties
+
+`properties.charset`
+: The charset of the database.
+
+For properties applicable to all resources, such as `type`, `tags`, `id`, and `properties`, refer to [`azure_generic_resource`](azure_generic_resource#properties).
+
+Also, see the [Azure documentation](https://docs.microsoft.com/en-us/rest/api/postgresql/flexibleserver(preview)/databases/get) for other available properties.
+You can access any attribute in the response with the key names separated by dots (`.`).
+
+## Examples
+
+Test the resource name:
+
+```ruby
+describe azure_postgresql_database(resource_group: 'RESOURCE_GROUP', server_name: 'SERVER_NAME', name: 'DATABASE_NAME') do
+ its('name') { should be 'order-db' }
+end
+```
+
+```ruby
+describe azure_postgresql_database(resource_id: '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.DBforPostgreSQL/servers/{serverName}/databases/order-db') do
+ its('name') { should be 'order-db' }
+end
+```
+
+## Matchers
+
+This InSpec audit resource has the following special matchers. For a full list of available matchers, please visit our [Universal Matchers page](https://docs.chef.io/inspec/matchers/).
+
+### exists
+
+```ruby
+# If we expect the resource to always exist.
+
+describe azure_postgresql_database(resource_group: 'RESOURCE_GROUP', server_name: 'SERVER_NAME', name: 'DATABASE_NAME') do
+ it { should exist }
+end
+```
+
+### not_exists
+
+```ruby
+# If we expect the resource to never exist.
+
+describe azure_postgresql_database(resource_group: 'RESOURCE_GROUP', server_name: 'SERVER_NAME', name: 'DATABASE_NAME') do
+ it { should_not exist }
+end
+```
+
+## Azure permissions
+
+{{% inspec-azure/azure_permissions_service_principal role="contributor" %}}
diff --git a/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_postgresql_databases.md b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_postgresql_databases.md
new file mode 100644
index 0000000..18ef3d8
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_postgresql_databases.md
@@ -0,0 +1,119 @@
++++
+title = "azure_postgresql_databases resource"
+
+draft = false
+
+
+[menu.azure]
+title = "azure_postgresql_databases"
+identifier = "inspec/resources/azure/azure_postgresql_databases resource"
+parent = "inspec/resources/azure"
++++
+
+Use the `azure_postgresql_databases` InSpec audit resource to test the properties and configuration of Azure PostgreSQL Databases.
+
+## Azure REST API version, endpoint, and HTTP client parameters
+
+{{< readfile file="content/reusable/md/inspec_azure_common_parameters.md" >}}
+
+## Syntax
+
+The `resource_group` and `server_name` are required parameters.
+
+```ruby
+describe azure_postgresql_databases(resource_group: 'RESOURCE_GROUP', server_name: 'SERVER_NAME') do
+ it { should exist }
+end
+```
+
+## Parameters
+
+`resource_group`
+: Azure resource group where the targeted resource resides.
+
+`server_name`
+: The name of the server in which the database resides.
+
+## Properties
+
+`ids`
+: A list of the unique resource IDs.
+
+ Field: `id`
+
+`names`
+: A list of names of all the resources being interrogated.
+
+ Field: `name`
+
+`tags`
+: A list of `tag:value` pairs defined on the resources being interrogated.
+
+ Field: `tags`
+
+`types`
+: A list of the types of resources being interrogated.
+
+ Field: `type`
+
+`properties`
+: A list of properties for all the resources being interrogated.
+
+ Field: `properties`
+
+{{< note >}}
+
+{{< readfile file="content/reusable/md/inspec_filter_table.md" >}}
+
+{{< /note>}}
+
+## Examples
+
+Check resources are present:
+
+````ruby
+describe azure_postgresql_databases(resource_group: 'RESOURCE_GROUP', server_name: 'SERVER_NAME') do
+ it { should exist }
+ its('names') { should include 'my-db' }
+end
+````
+
+Filter the results to include only those with names that match the specified string value:
+
+```ruby
+describe azure_postgresql_databases.(resource_group: 'RESOURCE_GROUP', server_name: 'SERVER_NAME').where{ name.eql?('production-db') } do
+ it { should exist }
+end
+```
+
+## Matchers
+
+{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}}
+
+This resource has the following special matchers.
+
+### exists
+
+The control passes if the filter returns at least one result. Use `should_not` if you expect **zero** matches.
+
+```ruby
+# If we expect resources to exist.
+
+describe azure_postgresql_databases(resource_group: 'EXAMPLEGROUP', server_name: 'SERVER_NAME') do
+ it { should exist }
+end
+```
+
+### not_exists
+
+```ruby
+# If we expect resources not to exist.
+
+describe azure_postgresql_databases(resource_group: 'EXAMPLEGROUP', server_name: 'SERVER_NAME) do
+ it { should_not exist }
+end
+```
+
+## Azure permissions
+
+{{% inspec-azure/azure_permissions_service_principal role="contributor" %}}
diff --git a/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_postgresql_server.md b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_postgresql_server.md
new file mode 100644
index 0000000..89d85f7
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_postgresql_server.md
@@ -0,0 +1,152 @@
++++
+title = "azure_postgresql_server resource"
+
+draft = false
+
+
+[menu.azure]
+title = "azure_postgresql_server"
+identifier = "inspec/resources/azure/azure_postgresql_server resource"
+parent = "inspec/resources/azure"
++++
+
+Use the `azure_postgresql_server` InSpec audit resource to test the properties and configuration of an Azure PostgreSql server.
+
+## Azure REST API version, endpoint, and HTTP client parameters
+
+{{< readfile file="content/reusable/md/inspec_azure_common_parameters.md" >}}
+
+## Syntax
+
+`resource_group` and `name`, or the `resource_id` are required parameters.
+
+```ruby
+describe azure_postgresql_server(resource_group: 'RESOURCE_GROUP', name: 'SERVER_NAME') do
+ it { should exist }
+end
+```
+
+```ruby
+describe azure_postgresql_server(resource_id: '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroup}/providers/Microsoft.DBforPostgreSQL/servers/{serverName}') do
+ it { should exist }
+end
+```
+
+## Parameters
+
+`resource_group`
+: Azure resource group where the targeted resource resides.
+
+`name`
+: Name of the PostgreSql server to test.
+
+`server_name`
+: Alias for the `name` parameter.
+
+`resource_id`
+: The unique resource ID.
+
+`configurations_api_version`
+: The endpoint API version for the `configurations` property. The latest version will be used unless provided.
+
+Either one of the parameter sets can be provided for a valid query:
+
+- `resource_id`
+- `resource_group` and `name`
+- `resource_group` and `server_name`
+
+## Properties
+
+`configurations`
+: An object containing all the configurations of a DB server available through [configurations](https://docs.microsoft.com/en-us/rest/api/postgresql/singleserver/configurations/list-by-server) endpoint. Configuration values can be accessed as follows, `configurations.client_encoding.properties.value`, `configurations.deadlock_timeout.properties.value`, and so on.
+
+`sku`
+: The SKU (pricing tier) of the server.
+
+`firewall_rules`
+: An object of firewall rules applied on postgresql server.
+
+For properties applicable to all resources, such as `type`, `name`, `id`, and `properties`, refer to [`azure_generic_resource`](azure_generic_resource#properties).
+
+Also, see the [Azure documentation](https://docs.microsoft.com/en-us/rest/api/postgresql/flexibleserver(preview)/servers/get) for other available properties. You can access any attribute in the response with the key names separated by dots (`.`). For example, `properties.`.
+
+## Examples
+
+Test the administrator's login name of a PostgreSql server:
+
+```ruby
+describe azure_postgresql_server(resource_group: 'RESOURCE_GROUP', name: 'SERVER_NAME') do
+ its('properties.administratorLogin') { should cmp 'admin' }
+end
+```
+
+Test the fully qualified domain name of a PostgreSql server:
+
+```ruby
+describe azure_postgresql_server(resource_group: 'RESOURCE_GROUP', name: 'i-dont-exist') do
+ its('properties.fullyQualifiedDomainName') { should cmp 'pgtestsvc1.postgres.database.azure.com' }
+end
+```
+
+Test the client encoding configuration value of a PostgreSql server:
+
+```ruby
+describe azure_postgresql_server(resource_group: 'RESOURCE_GROUP', name: 'SERVER_NAME') do
+ its('configurations.client_encoding.properties.value') { should cmp 'sql_ascii' }
+end
+```
+
+Test the deadlock timeout configuration value of a PostgreSql server:
+
+```ruby
+describe azure_postgresql_server(resource_group: 'RESOURCE_GROUP', name: 'SERVER_NAME') do
+ its('configurations.deadlock_timeout.properties.value') { should cmp '1000' }
+end
+```
+
+Test a PostgreSql server's location and maximum replica capacity:
+
+```ruby
+describe azure_postgresql_server(resource_id: '/subscriptions/.../my-server') do
+ its('properties.replicaCapacity') { should cmp 2 }
+ its('location') { should cmp 'westeurope' }
+end
+```
+
+Test a PostgreSql server's firewall rules:
+
+```ruby
+describe azure_postgresql_server(resource_id: '/subscriptions/.../my-server')
do
+ its('firewall_rules') { should eq {} }
+end
+```
+
+## Matchers
+
+{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}}
+
+This resource has the following special matchers.
+
+### exists
+
+```ruby
+# If we expect a resource to always exist.
+
+describe azure_postgresql_server(resource_group: 'RESOURCE_GROUP', name: 'SERVER_NAME') do
+ it { should exist }
+end
+```
+
+### not_exists
+
+```ruby
+# If we expect a resource to never exist.
+
+describe azure_postgresql_server(resource_group: 'RESOURCE_GROUP', name: 'SERVER_NAME') do
+ it { should_not exist }
+end
+```
+
+## Azure permissions
+
+{{% inspec-azure/azure_permissions_service_principal role="contributor" %}}
diff --git a/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_postgresql_servers.md b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_postgresql_servers.md
new file mode 100644
index 0000000..53de6b9
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_postgresql_servers.md
@@ -0,0 +1,138 @@ ++++ +title = "azure_postgresql_servers resource" + +draft = false + + +[menu.azure] +title = "azure_postgresql_servers" +identifier = "inspec/resources/azure/azure_postgresql_servers resource" +parent = "inspec/resources/azure" ++++ + +Use the `azure_postgresql_servers` InSpec audit resource to test the properties and configuration of multiple Azure PostgreSQL servers. + +## Azure REST API version, endpoint, and HTTP client parameters + +{{< readfile file="content/reusable/md/inspec_azure_common_parameters.md" >}} + +## Syntax + +An `azure_postgresql_servers` resource block returns all Azure PostgreSQL servers within a resource group (if provided) or an entire subscription. + +```ruby +describe azure_postgresql_servers do + it { should exist } +end +``` + +Or + +```ruby +describe azure_postgresql_servers(resource_group: 'RESOURCE_GROUP') do + it { should exist } +end +``` + +## Parameters + +`resource_group` _(optional)_ + +: The name of the resource group. + +## Properties + +`ids` +: A list of the unique resource IDs. + + Field: `id` + +`locations` +: A list of locations for all the resources being interrogated. + + Field: `location` + +`names` +: A list of names of all the resources being interrogated. + + Field: `name` + +`tags` +: A list of `tag:value` pairs defined on the resources. + + Field: `tags` + +`skus` +: A list of the SKUs (pricing tiers) of the servers. + + Field: `sku` + +`types` +: A list of the types of resources being interrogated. + + Field: `type` + +`properties` +: A list of properties for all the resources being interrogated. 
+ + Field: `properties` + +{{< note >}} + +{{< readfile file="content/reusable/md/inspec_filter_table.md" >}} + +{{< /note>}} + +## Examples + +Check a specific PostgreSQL server is present: + +```ruby +describe azure_postgresql_servers do + its('names') { should include 'my-server-name' } +end +``` + +Filters the results to include only those servers having specified names (client-side filtering): + +```ruby +describe azure_postgresql_servers.where{ name.include?('production') } do + it { should exist } +end +``` + +Filters the results to include only those servers residing in a specified location (client-side filtering): + +```ruby +describe azure_postgresql_servers.where{ location.eql?('westeurope') } do + it { should exist } +end +``` + +Filters the results to include only those servers residing in a specified location and has the specified name (server-side filtering - recommended): + +```ruby +describe azure_generic_resources(resource_provider: 'Microsoft.DBforPostgreSQL/servers', substring_of_name: 'production', location: 'westeurope') do + it {should exist} +end +``` + +## Matchers + +{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}} + +This resource has the following special matchers. + +### exists + +The control passes if the filter returns at least one result. Use `should_not` if you expect **zero** matches. + +```ruby +describe azure_postgresql_servers do + it { should exist } +end +``` + +## Azure permissions + +{{% inspec-azure/azure_permissions_service_principal role="contributor" %}} diff --git a/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_power_bi_app.md b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_power_bi_app.md new file mode 100644 index 0000000..f13ae07 --- /dev/null +++ b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_power_bi_app.md 
@@ -0,0 +1,93 @@ ++++ +title = "azure_power_bi_app resource" + +draft = false + + +[menu.azure] +title = "azure_power_bi_app" +identifier = "inspec/resources/azure/azure_power_bi_app resource" +parent = "inspec/resources/azure" ++++ + +Use the `azure_power_bi_app` InSpec audit resource to test the properties related to Azure Power BI apps. + +## Azure REST API version, endpoint, and HTTP client parameters + +{{< readfile file="content/reusable/md/inspec_azure_common_parameters.md" >}} + +## Syntax + +`app_id` is a required parameter. + +```ruby +describe azure_power_bi_app(app_id: 'APP_ID') do + it { should exist } +end +``` + +## Parameters + +`app_id` _(required)_ + +: The app ID. + +## Properties + +`id` +: The app ID. + +`name` +: The app name. + +`description` +: The app description. + +`publishedBy` +: The app publisher. + +`lastUpdate` +: The last time the app was updated. + +For properties applicable to all resources, such as `type`, `name`, `id`, and `properties`, refer to [`azure_generic_resource`](azure_generic_resource#properties). + +Also, see the [Azure documentation](https://docs.microsoft.com/en-us/rest/api/power-bi/apps/get-app) for other available properties. + +## Examples + +Test that the Power BI app is published by inspec-devs: + +```ruby +describe azure_power_bi_app(app_id: 'APP_ID') do + its('publishedBy') { should eq 'inspec-devs' } +end +``` + +## Matchers + +{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}} + +### exists + +```ruby +# If the Azure Power BI app is found, it will exist. + +describe azure_power_bi_app(app_id: 'APP_ID') do + it { should exist } +end +``` + +### not_exists + +```ruby +# if the Azure Power BI app is not found, it will not exist. + +describe azure_power_bi_app(app_id: 'APP_ID') do + it { should_not exist } +end +``` + +## Azure permissions + +This API does not support service principal Authentication. Use your Active Directory account access tokens to access this resource. 
+Your Active Directory account must have then `App.Read.All` role on the Azure Power BI workspace you wish to test.
diff --git a/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_power_bi_app_dashboard.md b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_power_bi_app_dashboard.md
new file mode 100644
index 0000000..fa26524
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_power_bi_app_dashboard.md
@@ -0,0 +1,91 @@ ++++ +title = "azure_power_bi_app_dashboard resource" + +draft = false + + +[menu.azure] +title = "azure_power_bi_app_dashboard" +identifier = "inspec/resources/azure/azure_power_bi_app_dashboard resource" +parent = "inspec/resources/azure" ++++ + +Use the `azure_power_bi_app_dashboard` InSpec audit resource to test the properties of an Azure Power BI app dashboard. + +## Azure REST API version, endpoint, and HTTP client parameters + +{{< readfile file="content/reusable/md/inspec_azure_common_parameters.md" >}} + +## Syntax + +```ruby +describe azure_power_bi_app_dashboard(app_id: 'APP_ID', dashboard_id: 'DASHBOARD_ID') do + it { should exist } +end +``` + +## Parameters + +`app_id` _(required)_ +: The app ID. + +`dashboard_id` _(required)_ +: The app dashboard ID. + +## Properties + +`id` +: The app ID. + +`displayName` +: The dashboard display name. + +`embedUrl` +: The dashboard embed URL. + +`isReadOnly` +: Is ReadOnly dashboard. + +For properties applicable to all resources, such as `type`, `name`, `id`, and `properties`, refer to [`azure_generic_resource`](azure_generic_resource#properties). + +Also, see the [Azure documentation](https://docs.microsoft.com/en-us/rest/api/power-bi/apps/get-dashboard) for other available properties. + +## Examples + +Test that the Power BI app dashboard is read-only: + +```ruby +describe azure_power_bi_app_dashboard(app_id: 'APP_ID', dashboard_id: 'DASHBOARD_ID') do + its('isReadOnly') { should eq true } +end +``` + +## Matchers + +{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}} + +This resource has the following special matchers. + +### exists + +```ruby +# If the Azure Power BI app dashboard is found, it will exist. +describe azure_power_bi_app_dashboard(app_id: 'APP_ID', dashboard_id: 'DASHBOARD_ID') do + it { should exist } +end +``` + +### not_exists + +```ruby +# if the Azure Power BI app dashboard is not found, it will not exist. 
+
+describe azure_power_bi_app_dashboard(app_id: 'APP_ID', dashboard_id: 'DASHBOARD_ID') do
+ it { should_not exist }
+end
+```
+
+## Azure permissions
+
+This API does not support service principal authentication. Instead, use the Active Directory (AD) account access token to access this resource.
+Your AD account must have the `Dashboard.Read.All` role on the Azure Power BI workspace you wish to test.
diff --git a/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_power_bi_app_dashboard_tile.md b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_power_bi_app_dashboard_tile.md
new file mode 100644
index 0000000..3375ca6
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_power_bi_app_dashboard_tile.md
@@ -0,0 +1,108 @@ ++++ +title = "azure_power_bi_app_dashboard_tile resource" + +draft = false + + +[menu.azure] +title = "azure_power_bi_app_dashboard_tile" +identifier = "inspec/resources/azure/azure_power_bi_app_dashboard_tile resource" +parent = "inspec/resources/azure" ++++ + +Use the `azure_power_bi_app_dashboard_tile` InSpec audit resource to test the properties related to an Azure Power BI app dashboard tile. + +## Azure REST API version, endpoint, and HTTP client parameters + +{{< readfile file="content/reusable/md/inspec_azure_common_parameters.md" >}} + +## Syntax + +`app_id`, `dashboard_id`, and `tile_id` are required parameters. + +```ruby +describe azure_power_bi_app_dashboard_tile(app_id: 'APP_ID', dashboard_id: 'DASHBOARD_ID', tile_id: 'TILE_ID') do + it { should exist } +end +``` + +## Parameters + +`app_id` _(required)_ + +: The app ID. + +`dashboard_id` _(required)_ + +: The app Dashboard ID. + +`tile_id` _(required)_ + +: The app dashboard tile ID. + +## Properties + +`id` +: The tile ID. + +`title` +: The dashboard display name. + +`embedUrl` +: The tile embed URL. + +`rowSpan` +: number of rows a tile should span. + +`colSpan` +: number of columns a tile should span. + +`reportId` +: The report ID, which is available only for tiles created from a report. + +`datasetId` +: The dataset ID, which is available only for tiles created from a report or using a dataset, such as Q&A tiles. + +For properties applicable to all resources, such as `type`, `name`, `id`, and `properties`, refer to [`azure_generic_resource`](azure_generic_resource#properties). + +Also, see the [Azure documentation](https://docs.microsoft.com/en-us/rest/api/power-bi/apps/get-tile) for other available properties. 
+ +## Examples + +Test that the Power BI app dashboard tile is at the left corner: + +```ruby +describe azure_power_bi_app_dashboard_tile(app_id: 'APP_ID', dashboard_id: 'DASHBOARD_ID', tile_id: 'TILE_ID') do + its('rowSpan') { should eq 0 } + its('colSpan') { should eq 0 } +end +``` + +## Matchers + +{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}} + +### exists + +```ruby +# If the Azure Power BI app dashboard tile is found, it will exist. + +describe azure_power_bi_app_dashboard_tile(app_id: 'APP_ID', dashboard_id: 'DASHBOARD_ID', tile_id: 'TILE_ID') do + it { should exist } +end +``` + +### not_exists + +```ruby +# if the Azure Power BI app dashboard tile is not found, it will not exist. + +describe azure_power_bi_app_dashboard_tile(app_id: 'APP_ID', dashboard_id: 'DASHBOARD_ID', tile_id: 'TILE_ID') do + it { should_not exist } +end +``` + +## Azure permissions + +This API does not support service principal authentication. Instead, use an Active Directory account access token to access this resource. +Your Active Directory account must have the `Dashboard.Read.All` role on the Azure Power BI workspace you wish to test. diff --git a/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_power_bi_app_dashboard_tiles.md b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_power_bi_app_dashboard_tiles.md new file mode 100644 index 0000000..c07c634 --- /dev/null +++ b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_power_bi_app_dashboard_tiles.md 
@@ -0,0 +1,132 @@ ++++ +title = "azure_power_bi_app_dashboard_tiles resource" + +draft = false + + +[menu.azure] +title = "azure_power_bi_app_dashboard_tiles" +identifier = "inspec/resources/azure/azure_power_bi_app_dashboard_tiles resource" +parent = "inspec/resources/azure" ++++ + +Use the `azure_power_bi_app_dashboard_tiles` InSpec audit resource to test the properties related to all Azure Power BI app dashboard tiles. + +## Azure REST API version, endpoint, and HTTP client parameters + +{{< readfile file="content/reusable/md/inspec_azure_common_parameters.md" >}} + +## Syntax + +An `azure_power_bi_app_dashboard_tiles` resource block returns all Azure Power BI app dashboard tiles. + +```ruby +describe azure_power_bi_app_dashboard_tiles(app_id: 'APP_ID', dashboard_id: 'DASHBOARD_ID') do + #... +end +``` + +## Parameters + +`app_id` _(required)_ + +: The app ID. + +`dashboard_id` _(required)_ + +: The app Dashboard ID. + +## Properties + +`ids` +: List of all app dashboard tile IDs. + + Field: `id` + +`titles` +: List of all the dashboard titles. + + Field: `title` + +`embedUrls` +: List of all the dashboard embed URLs. + + Field: `embedUrl` + +`rowSpans` +: List of all the row span values. + + Field: `rowSpan` + +`colSpans` +: List of all the col span values. + + Field: `colSpan` + +`reportIds` +: List of all the report IDs. + + Field: `reportId` + +`datasetIds` +: List of all the dataset IDs. + + Field: `datasetId` + +{{< note >}} + +{{< readfile file="content/reusable/md/inspec_filter_table.md" >}} + +{{< /note>}} +Also, see the [Azure documentation](https://docs.microsoft.com/en-us/rest/api/power-bi/apps/get-tiles) for other available properties. 
+ +## Examples + +Loop through Power BI app dashboard tiles by their IDs: + +```ruby +azure_power_bi_app_dashboard_tiles(app_id: 'APP_ID', dashboard_id: 'DASHBOARD_ID').ids.each do |id| + describe azure_power_bi_app_dashboard_tile(app_id: 'APP_ID', dashboard_id: 'DASHBOARD_ID', tile_id: id) do + it { should exist } + end +end +``` + +Test to filter out Power BI app dashboard tiles that are in the left corner: + +```ruby +describe azure_power_bi_app_dashboard_tiles(app_id: 'APP_ID', dashboard_id: 'DASHBOARD_ID').where(rowSpan: 0, colSpan: 0) do + it { should exist } +end +``` + +## Matchers + +{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}} + +This resource has the following special matchers. + +### exists + +Use `should` to test that an entity exists. + +```ruby +describe azure_power_bi_app_dashboard_tiles(app_id: 'APP_ID') do + it { should_not exist } +end +``` + +### not_exists + +Use `should_not` to test that the entity does not exist. + +```ruby +describe azure_power_bi_app_dashboard_tiles(app_id: 'APP_ID') do + it { should exist } +end +``` + +## Azure permissions + +This API does not support service principal authentication. Instead, use an Active Directory account access token to access this resource. +Your Active Directory account must have the `Dashboard.Read.All` role on the Azure Power BI workspace you wish to test. diff --git a/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_power_bi_app_dashboards.md b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_power_bi_app_dashboards.md new file mode 100644 index 0000000..25f348b --- /dev/null +++ b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_power_bi_app_dashboards.md 
@@ -0,0 +1,112 @@ ++++ +title = "azure_power_bi_app_dashboards resource" + +draft = false + + +[menu.azure] +title = "azure_power_bi_app_dashboards" +identifier = "inspec/resources/azure/azure_power_bi_app_dashboards resource" +parent = "inspec/resources/azure" ++++ + +Use the `azure_power_bi_app_dashboards` InSpec audit resource to test the properties of all Azure Power BI app dashboards. + +## Azure REST API version, endpoint, and HTTP client parameters + +{{< readfile file="content/reusable/md/inspec_azure_common_parameters.md" >}} + +## Syntax + +An `azure_power_bi_app_dashboards` resource block returns all Azure Power BI app dashboards. + +```ruby +describe azure_power_bi_app_dashboards(app_id: 'APP_ID') do + #... +end +``` + +## Parameters + +`app_id` _(required)_ +: The app ID. + +## Properties + +`ids` +: List of all app IDs. + + Field: `id` + +`displayNames` +: List of all the dashboard display names. + + Field: `displayName` + +`embedUrls` +: List of all the dashboard embed URLs. + + Field: `embedUrl` + +`isReadOnlies` +: List of all the boolean read-only dashboard flags. + + Field: `isReadOnly` + +{{< note >}} + +{{< readfile file="content/reusable/md/inspec_filter_table.md" >}} + +{{< /note>}} +Also, see the [Azure documentation](https://docs.microsoft.com/en-us/rest/api/power-bi/apps/get-dashboards) for other available properties. + +## Examples + +Loop through Power BI app dashboards by their IDs: + +```ruby +azure_power_bi_app_dashboards(app_id: 'APP_ID').ids.each do |id| + describe azure_power_bi_app_dashboard(app_id: 'APP_ID', dashboard_id: id) do + it { should exist } + end +end +``` + +Test to filter out Power BI app dashboards that are read-only: + +```ruby +describe azure_power_bi_app_dashboards(app_id: 'APP_ID').where(isReadOnly: true) do + it { should exist } +end +``` + +## Matchers + +{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}} + +This resource has the following special matchers. 
+ +### exists + +```ruby +# Should not exist if no Power BI apps are present. + +describe azure_power_bi_app_dashboards(app_id: 'APP_ID') do + it { should_not exist } +end +``` + +### not_exists + +```ruby +# Should exist if the filter returns at least one Power BI app. + +describe azure_power_bi_app_dashboards(app_id: 'APP_ID') do + it { should exist } +end +``` + +## Azure permissions + +This API does not support service principal authentication. Instead, use the Active Directory (AD) account access token to access this resource. +Your AD account must have the `Dashboard.Read.All` role on the Azure Power BI workspace you wish to test. diff --git a/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_power_bi_app_report.md b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_power_bi_app_report.md new file mode 100644 index 0000000..ba9dc95 --- /dev/null +++ b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_power_bi_app_report.md 
@@ -0,0 +1,101 @@ ++++ +title = "azure_power_bi_app_report resource" + +draft = false + + +[menu.azure] +title = "azure_power_bi_app_report" +identifier = "inspec/resources/azure/azure_power_bi_app_report resource" +parent = "inspec/resources/azure" ++++ + +Use the `azure_power_bi_app_report` InSpec audit resource to test the properties related to an Azure Power BI app report. + +## Azure REST API version, endpoint, and HTTP client parameters + +{{< readfile file="content/reusable/md/inspec_azure_common_parameters.md" >}} + +## Syntax + +```ruby +describe azure_power_bi_app_report(app_id: 'APP_ID', report_id: 'REPORT_ID') do + it { should exist } +end +``` + +## Parameters + +`app_id` _(required)_ + +: The app ID. + +`report_id` _(required)_ + +: The app report ID. + +## Properties + +`id` +: The report ID. + +`appId` +: The app ID. + +`embedUrl` +: The report embed URL. + +`datasetId` +: The dataset ID. + +`name` +: The report name. + +`webUrl` +: The report web URL. + +For properties applicable to all resources, such as `type`, `name`, `id`, and `properties`, refer to [`azure_generic_resource`](azure_generic_resource#properties). + +Also, see the [Azure documentation](https://docs.microsoft.com/en-us/rest/api/power-bi/apps/get-report) for other available properties. + +## Examples + +Test that the Power BI app report is paginated and embed URL is present: + +```ruby +describe azure_power_bi_app_report(app_id: 'APP_ID', report_id: 'REPORT_ID') do + its('reportType') { should eq 'PaginatedReport' } + its('embedUrl') { should_not be_empty } +end +``` + +## Matchers + +{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}} + +This resource has the following special matchers. + +### exists + +Use `should` to test that the entity exists. + +```ruby +describe azure_power_bi_app_report(app_id: 'APP_ID', report_id: 'REPORT_ID') do + it { should exist } +end +``` + +### not_exists + +Use `should_not` to test that the entity does not exist. 
+ +```ruby +describe azure_power_bi_app_report(app_id: 'APP_ID', report_id: 'REPORT_ID') do + it { should_not exist } +end +``` + +## Azure permissions + +This API does not support service principal authentication. Instead, use an Active Directory account access token to access this resource. +Your Active Directory account must have the `Report.Read.All` role on the Azure Power BI workspace you wish to test. diff --git a/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_power_bi_app_reports.md b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_power_bi_app_reports.md new file mode 100644 index 0000000..8689ea7 --- /dev/null +++ b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_power_bi_app_reports.md 
@@ -0,0 +1,123 @@ ++++ +title = "azure_power_bi_app_reports resource" + +draft = false + + +[menu.azure] +title = "azure_power_bi_app_reports" +identifier = "inspec/resources/azure/azure_power_bi_app_reports resource" +parent = "inspec/resources/azure" ++++ + +Use the `azure_power_bi_app_reports` InSpec audit resource to test the properties related to all Azure Power BI app reports. + +## Azure REST API version, endpoint, and HTTP client parameters + +{{< readfile file="content/reusable/md/inspec_azure_common_parameters.md" >}} + +## Syntax + +An `azure_power_bi_app_reports` resource block returns all Azure Power BI app reports. + +```ruby +describe azure_power_bi_app_reports(app_id: 'APP_ID') do + #... +end +``` + +## Parameters + +`app_id` _(required)_ + +: The app ID. + +## Properties + +`ids` +: List of all app report IDs. + + Field: `id` + +`embedUrls` +: List of all the report embed URLs. + + Field: `embedUrl` + +`appIds` +: List of all the app IDs. + + Field: `appId` + +`datasetIds` +: List of all the Dataset IDs. + + Field: `datasetId` + +`names` +: List of all the report names. + + Field: `name` + +`webUrls` +: List of all the report web URLs. + + Field: `webUrl` + +{{< note >}} + +{{< readfile file="content/reusable/md/inspec_filter_table.md" >}} + +{{< /note>}} +Also, see the [Azure documentation](https://docs.microsoft.com/en-us/rest/api/power-bi/apps/get-reports) for other available properties. 
+ +## Examples + +Loop through Power BI app reports by their IDs: + +```ruby +azure_power_bi_app_reports(app_id: 'APP_ID').ids.each do |id| + describe azure_power_bi_app_report(app_id: 'APP_ID', report_id: id) do + it { should exist } + end +end +``` + +Test to filter out Power BI app reports by report name: + +```ruby +describe azure_power_bi_app_reports(app_id: 'APP_ID').where(name: 'REPORT_NAME') do + it { should exist } +end +``` + +## Matchers + +{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}} + +This resource has the following special matchers. + +### exists + +```ruby +# Should not exist if no Power BI app reports are present. + +describe azure_power_bi_app_reports(app_id: 'APP_ID') do + it { should_not exist } +end +``` + +### not_exists + +```ruby +# Should exist if the filter returns at least one Power BI app reports. + +describe azure_power_bi_app_reports(app_id: 'APP_ID') do + it { should exist } +end +``` + +## Azure permissions + +This API does not support service principal authentication. Instead, use an Active Directory account access token to access this resource. +Your Active Directory account must have the `Report.Read.All` role on the Azure Power BI workspace you wish to test. diff --git a/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_power_bi_apps.md b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_power_bi_apps.md new file mode 100644 index 0000000..433ed15 --- /dev/null +++ b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_power_bi_apps.md 
@@ -0,0 +1,111 @@ ++++ +title = "azure_power_bi_apps resource" + +draft = false + + +[menu.azure] +title = "azure_power_bi_apps" +identifier = "inspec/resources/azure/azure_power_bi_apps resource" +parent = "inspec/resources/azure" ++++ + +Use the `azure_power_bi_apps` InSpec audit resource to test the properties related to all Azure Power BI apps. + +## Azure REST API version, endpoint, and HTTP client parameters + +{{< readfile file="content/reusable/md/inspec_azure_common_parameters.md" >}} + +## Syntax + +An `azure_power_bi_apps` resource block returns all Azure Power BI apps. + +```ruby +describe azure_power_bi_apps do + #... +end +``` + +## Parameters + +This resource does not require any parameters. + +## Properties + +`ids` +: List of all app IDs. + + Field: `id` + +`names` +: List of all the app names. + + Field: `name` + +`descriptions` +: List of all the app Descriptions. + + Field: `description` + +`lastUpdates` +: List of all Last updated times of the apps. + + Field: `lastUpdate` + +{{< note >}} + +{{< readfile file="content/reusable/md/inspec_filter_table.md" >}} + +{{< /note>}} +Also, see the [Azure documentation](https://docs.microsoft.com/en-us/rest/api/power-bi/apps/get-apps) for other available properties. + +## Examples + +Loop through Power BI apps by their IDs: + +```ruby +azure_power_bi_apps.ids.each do |id| + describe azure_power_bi_app(app_id: id) do + it { should exist } + end +end +``` + +Test that a Power BI app named 'Finance' exists: + +```ruby +describe azure_power_bi_apps.where(name: 'Finance') do + it { should exist } +end +``` + +## Matchers + +{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}} + +This resource has the following special matchers. + +### exists + +```ruby +# Should not exist if no Power BI apps are present. + +describe azure_power_bi_apps do + it { should_not exist } +end +``` + +### not_exists + +```ruby +# Should exist if the filter returns at least one Power BI apps. 
+
+describe azure_power_bi_apps do
+ it { should exist }
+end
+```
+
+## Azure permissions
+
+This API does not support service principal Authentication. Use your Active Directory account access tokens to access this resource.
+Your Active Directory account must have then `App.Read.All` role on the Azure Power BI workspace you wish to test.
diff --git a/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_power_bi_capacities.md b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_power_bi_capacities.md
new file mode 100644
index 0000000..317fea4
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_power_bi_capacities.md
@@ -0,0 +1,117 @@ ++++ +title = "azure_power_bi_app_capacities resource" + +draft = false + + +[menu.azure] +title = "azure_power_bi_app_capacities" +identifier = "inspec/resources/azure/azure_power_bi_app_capacities resource" +parent = "inspec/resources/azure" ++++ + +Use the `azure_power_bi_app_capacities` InSpec audit resource to test the properties related to all Azure Power BI capacities. + +## Azure REST API version, endpoint, and HTTP client parameters + +{{< readfile file="content/reusable/md/inspec_azure_common_parameters.md" >}} + +## Syntax + +An `azure_power_bi_app_capacities` resource block returns all Azure Power BI capacities. + +```ruby +describe azure_power_bi_app_capacities do + #... +end +``` + +## Parameters + +This resource does not require any parameters. + +## Properties + +`ids` +: List of all Power BI capacity IDs. + + Field: `id` + +`displayNames` +: List of all the Power BI capacity names. + + Field: `displayName` + +`admins` +: An array of capacity admins. + + Field: `admin` + +`skus` +: List of all capacity SKUs. + + Field: `sku` + +`states` +: List of the capacity states. + + Field: `state` + +`regions` +: List of the Azure regions where the capacity is provisioned. + + Field: `region` + +`capacityUserAccessRights` +: List of access rights user has on the capacity. + + Field: `capacityUserAccessRight` + +{{< note >}} + +{{< readfile file="content/reusable/md/inspec_filter_table.md" >}} + +{{< /note>}} + +Also, see the [Azure documentation](https://docs.microsoft.com/en-us/rest/api/power-bi/capacities/get-capacities) for other available properties. + +## Examples + +Test to ensure Power BI capacities are active: + +```ruby +describe azure_power_bi_app_capacities.where(state: 'Active') do + it { should exist } +end +``` + +## Matchers + +{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}} + +This resource has the following special matchers. + +### exists + +Use `should` to test that the entity exists. 
+
+```ruby
+describe azure_power_bi_app_capacities do
+ it { should exist }
+end
+```
+
+### not_exists
+
+Use `should_not` to test that the entity does not exist.
+
+```ruby
+describe azure_power_bi_app_capacities do
+ it { should_not exist }
+end
+```
+
+## Azure permissions
+
+This API does not support service principal authentication. Instead, use an Active Directory account access token to access this resource.
+Your Active Directory account must have the `Capacity.Read.All` role on the Azure Power BI workspace you wish to test.
diff --git a/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_power_bi_capacity_refreshable.md b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_power_bi_capacity_refreshable.md
new file mode 100644
index 0000000..5698c8f
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_power_bi_capacity_refreshable.md
@@ -0,0 +1,114 @@ ++++ +title = "azure_power_bi_capacity_refreshable resource" + +draft = false + + +[menu.azure] +title = "azure_power_bi_capacity_refreshable" +identifier = "inspec/resources/azure/azure_power_bi_capacity_refreshable resource" +parent = "inspec/resources/azure" ++++ + +Use the `azure_power_bi_capacity_refreshable` InSpec audit resource to test the properties of an Azure Power BI Capacity refreshable. + +## Azure REST API version, endpoint, and HTTP client parameters + +{{< readfile file="content/reusable/md/inspec_azure_common_parameters.md" >}} + +## Syntax + +```ruby +describe azure_power_bi_capacity_refreshable(capacity_id: 'CAPACITY_ID', name: 'REFRESHABLE_ID') do + it { should exist } +end +``` + +```ruby +describe azure_power_bi_capacity_refreshable(capacity_id: 'CAPACITY_ID', name: 'REFRESHABLE_ID') do + it { should exist } +end +``` + +## Parameters + +`name` _(required)_ + +: The refreshable ID. + +`capacity_id` _(required)_ + +: The capacity ID. + +## Properties + +`id` +: The object ID of the refreshable. + +`kind` +: The refreshable kind. + +`name` +: Display refreshable name. + +`startTime` +: The start time of the window for which summary data exists. + +`endTime` +: The end time of the window for which summary data exists. + +`refreshCount` +: The number of refreshes within the summary time window. + +`refreshFailures` +: The number of refresh failures within the summary time window. + +`refreshesPerDay` +: The number of refreshes (schedule+onDemand) per day within the summary time window with at most 60. + +`refreshSchedule.days` +: Days to execute the refresh. + +`refreshSchedule.enabled` +: Is the refresh enabled. + +For properties applicable to all resources, such as `type`, `name`, `id`, and `properties`, refer to [`azure_generic_resource`](azure_generic_resource#properties). 
+
+Also, see the [Azure documentation](https://docs.microsoft.com/en-us/rest/api/power-bi/capacities/get-refreshable-for-capacity) for other available properties.
+
+## Examples
+
+Test that the Power BI Capacity refreshable schedule is enabled:
+
+```ruby
+describe azure_power_bi_capacity_refreshable(capacity_id: 'CAPACITY_ID', name: 'REFRESHABLE_ID') do
+ its('refreshSchedules.enabled') { should be_truthy }
+end
+```
+
+## Matchers
+
+{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}}
+
+### exists
+
+```ruby
+# If the Power BI Capacity refreshable is found, it will exist.
+
+describe azure_power_bi_capacity_refreshable(capacity_id: 'CAPACITY_ID', name: 'REFRESHABLE_ID') do
+ it { should exist }
+end
+```
+
+### not_exists
+
+```ruby
+# if the Power BI Capacity refreshable is not found, it will not exist.
+describe azure_power_bi_capacity_refreshable(capacity_id: 'CAPACITY_ID', name: 'REFRESHABLE_ID') do
+ it { should_not exist }
+end
+```
+
+## Azure permissions
+
+Your [service principal](https://learn.microsoft.com/en-us/entra/identity-platform/howto-create-service-principal-portal) must have the `Capacity.Read.All` role on the Azure Power BI Capacity you wish to test.
diff --git a/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_power_bi_capacity_refreshables.md b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_power_bi_capacity_refreshables.md
new file mode 100644
index 0000000..a7b390f
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_power_bi_capacity_refreshables.md
@@ -0,0 +1,122 @@ ++++ +title = "azure_power_bi_capacity_refreshables resource" + +draft = false + + +[menu.azure] +title = "azure_power_bi_capacity_refreshables" +identifier = "inspec/resources/azure/azure_power_bi_capacity_refreshables resource" +parent = "inspec/resources/azure" ++++ + +Use the `azure_power_bi_capacity_refreshables` InSpec audit resource to test the properties of multiple Azure Power BI Capacity refreshables. + +## Azure REST API version, endpoint, and HTTP client parameters + +{{< readfile file="content/reusable/md/inspec_azure_common_parameters.md" >}} + +## Syntax + +An `azure_power_bi_capacity_refreshables` resource block returns all Azure Power BI Capacity refreshables. + +```ruby +describe azure_power_bi_capacity_refreshables do + #... +end +``` + +## Parameters + +`capacity_id` _(optional)_ +: The capacity ID. + +## Properties + +`ids` +: List of all Power BI Capacity refreshable IDs. + + Field: `id` + +`names` +: List of all the Power BI Capacity refreshable names. + + Field: `name` + +`kinds` +: List of all the Power BI Capacity refreshable kinds. + + Field: `kind` + +`refreshCounts` +: List of the number of refreshes within the summary time windows. + + Field: `refreshCount` + +`refreshFailures` +: List of the number of refresh failures within the summary time window. + + Field: `refreshFailures` + +`refreshesPerDays` +: List of the number of refreshes. + + Field: `refreshesPerDay` + +`medianDurations` +: List of the median duration in seconds of a refresh. + + Field: `medianDuration` + +`averageDurations` +: List of the average duration in seconds of a refresh. + + Field: `averageDuration` + +{{< note >}} + +{{< readfile file="content/reusable/md/inspec_filter_table.md" >}} + +{{< /note>}} + +For additional information, refer to the [Azure documentation](https://docs.microsoft.com/en-us/rest/api/power-bi/capacities/get-refreshables) for other available properties. 
+ +## Examples + +Test to ensure Power BI Capacity refreshable schedules are enabled: + +```ruby +describe azure_power_bi_capacity_refreshables do + its('refreshSchedules') { should_not be empty } +end +``` + +## Matchers + +{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}} + +This resource has the following special matchers. + +### exists + +```ruby +# Should not exist if no Power BI Capacity refreshables are present. + +describe azure_power_bi_capacity_refreshables do + it { should_not exist } +end +``` + +### not_exists + +```ruby +# Should exist if the filter returns at least one Power BI Capacity refreshables + +describe azure_power_bi_capacity_refreshables do + it { should exist } +end +``` + +## Azure permissions + +Your [service principal](https://learn.microsoft.com/en-us/entra/identity-platform/howto-create-service-principal-portal) must have the `Capacity.Read.All` role on the Azure Power BI Capacity you wish to test. diff --git a/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_power_bi_capacity_workload.md b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_power_bi_capacity_workload.md new file mode 100644 index 0000000..00f127f --- /dev/null +++ b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_power_bi_capacity_workload.md 
@@ -0,0 +1,96 @@ ++++ +title = "azure_power_bi_capacity_workload resource" + +draft = false + + +[menu.azure] +title = "azure_power_bi_capacity_workload" +identifier = "inspec/resources/azure/azure_power_bi_capacity_workload resource" +parent = "inspec/resources/azure" ++++ + +Use the `azure_power_bi_capacity_workload` InSpec audit resource to test the properties related to Azure Power BI Capacity workload. + +## Azure REST API version, endpoint, and HTTP client parameters + +{{< readfile file="content/reusable/md/inspec_azure_common_parameters.md" >}} + +## Syntax + +`name` and `capacity_id` are required parameters. + +```ruby +describe azure_power_bi_capacity_workload(capacity_id: 'CAPACITY_ID', name: 'WORKLOAD_NAME') do + it { should exist } +end +``` + +```ruby +describe azure_power_bi_capacity_workload(capacity_id: 'CAPACITY_ID', name: 'WORKLOAD_NAME') do + it { should exist } +end +``` + +## Parameters + +`name` _(required)_ +: The workload Name. + +`capacity_id` _(required)_ +: The capacity ID. + +## Properties + +`name` +: The workload name. + +`state` +: The capacity workload state. + +`maxMemoryPercentageSetByUser` +: The memory percentage maximum Limit set by the user. + +For properties applicable to all resources, such as `type`, `name`, `id`, and `properties`, refer to [`azure_generic_resource`](azure_generic_resource#properties). + +Also, see the [Azure documentation](https://docs.microsoft.com/en-us/rest/api/power-bi/capacities/get-workload) for other available properties. + +## Examples + +Test that the Power BI Capacity workload is enabled: + +```ruby +describe azure_power_bi_capacity_workload(capacity_id: 'CAPACITY_ID', name: 'WORKLOAD_NAME') do + its('state') { should eq 'Enabled' } +end +``` + +## Matchers + +{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}} + +This resource has the following special matchers. + +### exists + +```ruby +# If the Power BI Capacity workload is found, it will exist. 
+ +describe azure_power_bi_capacity_workload(capacity_id: 'CAPACITY_ID', name: 'WORKLOAD_NAME') do + it { should exist } +end +``` + +### not_exists + +```ruby +# if the Power BI Capacity workload is not found, it will not exist. + +describe azure_power_bi_capacity_workload(capacity_id: 'CAPACITY_ID', name: 'WORKLOAD_NAME') do + it { should_not exist } +end +``` + +## Azure permissions + +Your [service principal](https://learn.microsoft.com/en-us/entra/identity-platform/howto-create-service-principal-portal) must have the `Capacity.Read.All` role on the Azure Power BI Capacity you wish to test. diff --git a/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_power_bi_capacity_workloads.md b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_power_bi_capacity_workloads.md new file mode 100644 index 0000000..077b431 --- /dev/null +++ b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_power_bi_capacity_workloads.md 
@@ -0,0 +1,96 @@ ++++ +title = "azure_power_bi_capacity_workloads resource" + +draft = false + + +[menu.azure] +title = "azure_power_bi_capacity_workloads" +identifier = "inspec/resources/azure/azure_power_bi_capacity_workloads resource" +parent = "inspec/resources/azure" ++++ + +Use the `azure_power_bi_capacity_workloads` InSpec audit resource to test the properties related to all Azure Power BI Capacity workloads. + +## Azure REST API version, endpoint, and HTTP client parameters + +{{< readfile file="content/reusable/md/inspec_azure_common_parameters.md" >}} + +## Syntax + +An `azure_power_bi_capacity_workloads` resource block returns all Azure Power BI Capacity workloads. + +```ruby +describe azure_power_bi_capacity_workloads(capacity_id: 'CAPACITY_ID') do + #... +end +``` + +## Parameters + +`capacity_id` +: The capacity ID. + +## Properties + +`states` +: List of all Power Bi Capacity Workload IDs. + + Field: `state` + +`names` +: List of all the Power Bi Capacity Workload names. + + Field: `name` + +`maxMemoryPercentageSetByUsers` +: List of all the Power Bi Capacity Workload Kinds. + + Field: `maxMemoryPercentageSetByUser` + +{{< note >}} + +{{< readfile file="content/reusable/md/inspec_filter_table.md" >}} + +{{< /note>}} +Also, see the [Azure documentation](https://docs.microsoft.com/en-us/rest/api/power-bi/capacities/get-Workloads) for other available properties. + +## Examples + +Test to ensure Power BI Capacity Workload is enabled: + +```ruby +describe azure_power_bi_capacity_workloads(capacity_id: 'CAPACITY_ID').where(state: 'Enabled') do + it { should exist } +end +``` + +## Matchers + +{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}} + +This resource has the following special matchers. + +### exists + +```ruby +# Should not exist if no Power BI Capacity Workloads are present. 
+ +describe azure_power_bi_capacity_workloads(capacity_id: 'CAPACITY_ID') do + it { should_not exist } +end +``` + +### not_exists + +```ruby +# Should exist if the filter returns at least one Power BI Capacity Workloads. + +describe azure_power_bi_capacity_workloads(capacity_id: 'CAPACITY_ID') do + it { should exist } +end +``` + +## Azure permissions + +Your [service principal](https://learn.microsoft.com/en-us/entra/identity-platform/howto-create-service-principal-portal) must have the `Capacity.Read.All` role on the Azure Power BI Capacity you wish to test. diff --git a/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_power_bi_dashboard.md b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_power_bi_dashboard.md new file mode 100644 index 0000000..9676727 --- /dev/null +++ b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_power_bi_dashboard.md 
@@ -0,0 +1,93 @@ ++++ +title = "azure_power_bi_dashboard resource" + +draft = false + + +[menu.azure] +title = "azure_power_bi_dashboard" +identifier = "inspec/resources/azure/azure_power_bi_dashboard resource" +parent = "inspec/resources/azure" ++++ + +Use the `azure_power_bi_dashboard` InSpec audit resource to test the properties related to Azure Power BI Dashboard. + +## Azure REST API version, endpoint, and HTTP client parameters + +{{< readfile file="content/reusable/md/inspec_azure_common_parameters.md" >}} + +## Syntax + +`dashboard_id` is a required parameter, and `group_id` is an optional parameter. + +```ruby +describe azure_power_bi_dashboard(group_id: 'GROUP_ID', dashboard_id: 'dashboard_ID') do + it { should exist } +end +``` + +## Parameters + +`dashboard_id` _(required)_ + +: The dashboard ID. + +`group_id` _(optional)_ + +: The workspace ID. + +## Properties + +`id` +: Power BI dashboard ID. + +`displayName` +: The dashboard display name. + +`embedUrl` +: The dashboard embed URL. + +`isReadOnly` +: Is ReadOnly dashboard. + +For properties applicable to all resources, such as `type`, `name`, `id`, and `properties`, refer to [`azure_generic_resource`](azure_generic_resource#properties). + +Also, see the [Azure documentation](https://docs.microsoft.com/en-us/rest/api/power-bi/dashboards/get-dashboard) for other available properties. + +## Examples + +Test that the Power BI Dashboard is read-only: + +```ruby +describe azure_power_bi_dashboard(group_id: 'GROUP_ID', dashboard_id: 'DASHBOARD_ID') do + its('isReadOnly') { should eq 'true' } +end +``` + +## Matchers + +{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}} + +### exists + +```ruby +# Should exist if the Power BI dashboard is present in the group. + +describe azure_power_bi_dashboard(group_id: 'GROUP_ID', dashboard_id: 'dashboard_ID') do + it { should exist } +end +``` + +### not_exists + +```ruby +# Should not exist if the Power BI dashboard is not present in the group. 
+ +describe azure_power_bi_dashboard(group_id: 'GROUP_ID', dashboard_id: 'dashboard_ID') do + it { should_not exist } +end +``` + +## Azure permissions + +Your [service principal](https://learn.microsoft.com/en-us/entra/identity-platform/howto-create-service-principal-portal) must have the `Dashboard.Read.All` role on the Azure Power BI Workspace you wish to test. diff --git a/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_power_bi_dashboard_tile.md b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_power_bi_dashboard_tile.md new file mode 100644 index 0000000..d80d5ae --- /dev/null +++ b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_power_bi_dashboard_tile.md 
@@ -0,0 +1,104 @@ ++++ +title = "azure_power_bi_dashboard_tile resource" + +draft = false + + +[menu.azure] +title = "azure_power_bi_dashboard_tile" +identifier = "inspec/resources/azure/azure_power_bi_dashboard_tile resource" +parent = "inspec/resources/azure" ++++ + +Use the `azure_power_bi_dashboard_tile` InSpec audit resource to test the properties related to an Azure Power BI dashboard tile. + +## Azure REST API version, endpoint, and HTTP client parameters + +{{< readfile file="content/reusable/md/inspec_azure_common_parameters.md" >}} + +## Syntax + +```ruby +describe azure_power_bi_dashboard_tile(group_id: 'GROUP_ID', dashboard_id: 'dashboard_ID', title_id: 'TITLE_ID') do + it { should exist } +end +``` + +## Parameters + +`dashboard_id` _(required)_ + +: The dashboard ID. + +`tile_id` _(required)_ + +: The tile ID. + +`group_id` _(optional)_ + +: The workspace ID. + +## Properties + +`id` +: Power BI dashboard tile ID. + +`title` +: The dashboard display name. + +`embedUrl` +: The tile embed URL. + +`rowSpan` +: The number of rows a tile should span. + +`colSpan` +: The number of columns a tile should span. + +`reportId` +: The report ID available only for tiles created from a report. + +`datasetId` +: The dataset ID available only for tiles created from a report or using a dataset, such as Q&A tiles. + +For properties applicable to all resources, such as `type`, `name`, `id`, and `properties`, refer to [`azure_generic_resource`](azure_generic_resource#properties). + +Also, see the [Azure documentation](https://docs.microsoft.com/en-us/rest/api/power-bi/dashboards/get-tile) for other available properties. 
+ +## Examples + +Test that the Power BI dashboard tile is on the left corner: + +```ruby +describe azure_power_bi_dashboard_tile(group_id: 'GROUP_ID', dashboard_id: 'dashboard_ID', title_id: 'TITLE_ID') do + its('rowSpan') { should eq 0 } +end +``` + +## Matchers + +{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}} + +### exists + +```ruby +# Use should to test for an Azure Power BI dashboard tile that should be in the resource group. + +describe azure_power_bi_dashboard_tile(group_id: 'GROUP_ID', dashboard_id: 'dashboard_ID', title_id: 'TITLE_ID') do + it { should exist } +end +``` + +### not_exists + +```ruby +# Use should_not to test for an Azure Power BI dashboard tile that should not be in the resource group. + +describe azure_power_bi_dashboard_tile(group_id: 'GROUP_ID', dashboard_id: 'dashboard_ID', title_id: 'TITLE_ID') do + it { should_not exist } +end +``` + +## Azure permissions + +Your [service principal](https://learn.microsoft.com/en-us/entra/identity-platform/howto-create-service-principal-portal) must have the `dashboard.Read.All` role on the Azure Power BI Workspace you wish to test. diff --git a/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_power_bi_dashboard_tiles.md b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_power_bi_dashboard_tiles.md new file mode 100644 index 0000000..235e87a --- /dev/null +++ b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_power_bi_dashboard_tiles.md 
@@ -0,0 +1,135 @@ ++++ +title = "azure_power_bi_dashboard_tiles resource" + +draft = false + + +[menu.azure] +title = "azure_power_bi_dashboard_tiles" +identifier = "inspec/resources/azure/azure_power_bi_dashboard_tiles resource" +parent = "inspec/resources/azure" ++++ + +Use the `azure_power_bi_dashboard_tiles` InSpec audit resource to test the properties related to all Azure Power BI dashboard tiles within a project. + +## Azure REST API version, endpoint, and HTTP client parameters + +{{< readfile file="content/reusable/md/inspec_azure_common_parameters.md" >}} + +## Syntax + +An `azure_power_bi_dashboard_tiles` resource block returns all Azure Power BI dashboard tiles within a dashboard and a group. + +```ruby +describe azure_power_bi_dashboard_tiles(dashboard_id: 'dashboard_ID') do + #... +end +``` + +```ruby +describe azure_power_bi_dashboard_tiles(group_id: 'GROUP_ID') do + #... +end +``` + +## Parameters + +`group_id` _(required)_ +: The workspace ID. + +`dashboard_id` _(optional)_ +: The dashboard ID. + +## Properties + +`ids` +: List of all dashboard IDs. + + Field: `id` + +`titles` +: List of all the titles. + + Field: `title` + +`embedUrls` +: List of all dashboard embed URLs. + + Field: `embedUrl` + +`rowSpans` +: List of all row spans. + + Field: `rowSpan` + +`colSpans` +: List of all col spans. + + Field: `colSpan` + +`reportIds` +: List of all report IDs. + + Field: `reportId` + +`datasetIds` +: List of all dataset IDs. + + Field: `datasetId` + +{{< note >}} + +{{< readfile file="content/reusable/md/inspec_filter_table.md" >}} + +{{< /note>}} +Also, see the [Azure documentation](https://docs.microsoft.com/en-us/rest/api/power-bi/dashboards/get-dashboards) for other available properties. 
+ +## Examples + +Loop through Power BI dashboard tiles by their IDs: + +```ruby +azure_power_bi_dashboard_tiles.ids.each do |id| + describe azure_power_bi_dashboard_tile(dashboard_id: id) do + it { should exist } + end +end +``` + +Test to ensure all Power BI dashboard tiles that are in the top left corner: + +```ruby +describe azure_power_bi_dashboard_tiles.where(rowSpan: true) do + it { should exist } +end +``` + +## Matchers + +{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}} + +This resource has the following special matchers. + +### exists + +```ruby +# Use should to test for an Azure Power BI dashboard tile that should be in the resource group. + +describe azure_power_bi_dashboard_tiles do + it { should_not exist } +end +``` + +### not_exists + +```ruby +# Use should_not to test for an Azure Power BI dashboard tile that should not be in the resource group. + +describe azure_power_bi_dashboard_tiles do + it { should exist } +end +``` + +## Azure permissions + +Your [service principal](https://learn.microsoft.com/en-us/entra/identity-platform/howto-create-service-principal-portal) must have the `dashboard.Read.All` role on the Azure Power BI Workspace you wish to test. diff --git a/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_power_bi_dashboards.md b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_power_bi_dashboards.md new file mode 100644 index 0000000..7f3ffe9 --- /dev/null +++ b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_power_bi_dashboards.md 
@@ -0,0 +1,114 @@ ++++ +title = "azure_power_bi_dashboards resource" + +draft = false + + +[menu.azure] +title = "azure_power_bi_dashboards" +identifier = "inspec/resources/azure/azure_power_bi_dashboards resource" +parent = "inspec/resources/azure" ++++ + +Use the `azure_power_bi_dashboards` InSpec audit resource to test the properties related to all AzurePower BI Dashboards within a project. + +## Azure REST API version, endpoint, and HTTP client parameters + +{{< readfile file="content/reusable/md/inspec_azure_common_parameters.md" >}} + +## Syntax + +An `azure_power_bi_dashboards` resource block returns all AzurePower BI Dashboards within a group. + +```ruby +describe azure_power_bi_dashboards do + #... +end +``` + +```ruby +describe azure_power_bi_dashboards(group_id: 'GROUP_ID') do + #... +end +``` + +## Parameters + +`group_id` _(optional)_ +: The workspace ID. + +## Properties + +`ids` +: List of all dashboard IDs. + + Field: `id` + +`displayNames` +: List of all the dashboard display names. + + Field: `displayName` + +`embedUrls` +: List of all dashboard embed URLs. + + Field: `embedUrl` + +`isReadOnly` +: List of all read-only dashboards. + + Field: `isReadOnlies` + +{{< note >}} + +{{< readfile file="content/reusable/md/inspec_filter_table.md" >}} + +{{< /note>}} + +Also, see the [Azure documentation](https://docs.microsoft.com/en-us/rest/api/power-bi/dashboards/get-dashboards) for other available properties. + +## Examples + +Loop throughPower BI Dashboards by their IDs: + +```ruby +azure_power_bi_dashboards.ids.each do |id| + describe azure_power_bi_dashboard(dashboard_id: id) do + it { should exist } + end +end +``` + +Test to ensure all Power BI dashboards are ready-only: + +```ruby +describe azure_power_bi_dashboards.where(isReadOnly: true) do + it { should exist } +end +``` + +## Matchers + +{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}} + +This resource has the following special matchers. 
+ +### exists + +```ruby +# Should not exist if no Power BI dashboards are present in the group. + +describe azure_power_bi_dashboards do + it { should_not exist } +end + +# Should exist if the filter returns at least one Power BI dashboard in the group. + +describe azure_power_bi_dashboards do + it { should exist } +end +``` + +## Azure permissions + +Your [service principal](https://learn.microsoft.com/en-us/entra/identity-platform/howto-create-service-principal-portal) must have the `dashboard.Read.All` role on the Azure Power BI Workspace you wish to test. diff --git a/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_power_bi_dataflow.md b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_power_bi_dataflow.md new file mode 100644 index 0000000..c077434 --- /dev/null +++ b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_power_bi_dataflow.md 
@@ -0,0 +1,98 @@ ++++ +title = "azure_power_bi_dataflow resource" + +draft = false + + +[menu.azure] +title = "azure_power_bi_dataflow" +identifier = "inspec/resources/azure/azure_power_bi_dataflow resource" +parent = "inspec/resources/azure" ++++ + +Use the `azure_power_bi_dataflow` InSpec audit resource to test the properties of a single Azure Power BI dataflow. + +## Azure REST API version, endpoint, and HTTP client parameters + +{{< readfile file="content/reusable/md/inspec_azure_common_parameters.md" >}} + +## Syntax + +```ruby +describe azure_power_bi_dataflow(group_id: 'GROUP_ID', name: 'DATAFLOW_ID') do + it { should exist } +end +``` + +```ruby +describe azure_power_bi_dataflow(group_id: 'GROUP_ID', name: 'DATAFLOW_ID') do + it { should exist } +end +``` + +## Parameters + +`name` _(required)_ + +: The dataflow ID. + +`group_id` _(required)_ + +: The workspace ID. + +## Properties + +`name` +: The dataflow name. + +`objectId` +: The dataflow ID. + +`description` +: The dataflow description. + +`modelUrl` +: A URL to the dataflow definition file (model.json). + +For properties applicable to all resources, such as `type`, `name`, `id`, and `properties`, refer to [`azure_generic_resource`](azure_generic_resource#properties). + +Also, see the [Azure documentation](https://docs.microsoft.com/en-us/rest/api/power-bi/dataflows/get-dataflows) for other available properties. + +## Examples + +Test that the Power BI dataflow name exists: + +```ruby +describe azure_power_bi_dataflow(group_id: 'GROUP_ID', name: 'DATAFLOW_ID') do + it { should exist } + its('name') { should eq 'DATAFLOW_NAME' } +end +``` + +## Matchers + +{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}} + +### exists + +Use `should` to test that the entity exists. + +```ruby +describe azure_power_bi_dataflow(group_id: 'GROUP_ID', name: 'DATAFLOW_ID') do + it { should exist } +end +``` + +### not_exists + +Use `should_not` to test if the entity does not exist. 
+ +```ruby +describe azure_power_bi_dataflow(group_id: 'GROUP_ID', name: 'DATAFLOW_ID') do + it { should_not exist } +end +``` + +## Azure permissions + +Your [service principal](https://learn.microsoft.com/en-us/entra/identity-platform/howto-create-service-principal-portal) must have the `Dataflow.Read.All` role on the Azure Power BI dataflow you wish to test. diff --git a/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_power_bi_dataflow_storage_accounts.md b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_power_bi_dataflow_storage_accounts.md new file mode 100644 index 0000000..26cb846 --- /dev/null +++ b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_power_bi_dataflow_storage_accounts.md 
@@ -0,0 +1,96 @@ ++++ +title = "azure_power_bi_dataflow_storage_accounts resource" + +draft = false + + +[menu.azure] +title = "azure_power_bi_dataflow_storage_accounts" +identifier = "inspec/resources/azure/azure_power_bi_dataflow_storage_accounts resource" +parent = "inspec/resources/azure" ++++ + +Use the `azure_power_bi_dataflow_storage_accounts` InSpec audit resource to test the properties related to all Azure Power BI dataflow storage accounts. + +## Azure REST API version, endpoint, and HTTP client parameters + +{{< readfile file="content/reusable/md/inspec_azure_common_parameters.md" >}} + +## Syntax + +An `azure_power_bi_dataflow_storage_accounts` resource block returns all Azure Power BI dataflow storage accounts. + +```ruby +describe azure_power_bi_dataflow_storage_accounts do + #... +end +``` + +## Parameters + +This resource does not require any parameters. + +## Properties + +`ids` +: List of all Power BI dataflow storage account IDs. + + Field: `id` + +`names` +: List of all the dataflow storage account names. + + Field: `name` + +`isEnableds` +: List of the flags that indicates if workspaces can be assigned to the storage accounts. + + Field: `isEnabled` + +{{< note >}} + +{{< readfile file="content/reusable/md/inspec_filter_table.md" >}} + +{{< /note>}} + +Also, see the [Azure documentation](https://docs.microsoft.com/en-us/rest/api/power-bi/dataflow-storage-accounts/get-dataflow-storage-accounts) for other available properties. + +## Examples + +Test that the Power BI dataflow storage account is enabled: + +```ruby +describe azure_power_bi_dataflow_storage_accounts.where(isEnabled: true) do + it { should exist } +end +``` + +## Matchers + +{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}} + +This resource has the following special matchers. + +### exists + +```ruby +# Should not exist if no Power BI dataflow storage account is present. 
+ +describe azure_power_bi_dataflow_storage_accounts do + it { should_not exist } +end +``` + +### not_exists + +```ruby +# Should exist if the filter returns at least one Power BI dataflow storage account. + +describe azure_power_bi_dataflow_storage_accounts do + it { should exist } +end +``` + +## Azure permissions + +Your [service principal](https://learn.microsoft.com/en-us/entra/identity-platform/howto-create-service-principal-portal) must have the `StorageAccount.Read.All` role on the Azure Power BI dataflow storage Account you wish to test. diff --git a/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_power_bi_dataflows.md b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_power_bi_dataflows.md new file mode 100644 index 0000000..0b2802f --- /dev/null +++ b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_power_bi_dataflows.md 
@@ -0,0 +1,104 @@ ++++ +title = "azure_power_bi_dataflows resource" + +draft = false + + +[menu.azure] +title = "azure_power_bi_dataflows" +identifier = "inspec/resources/azure/azure_power_bi_dataflows resource" +parent = "inspec/resources/azure" ++++ + +Use the `azure_power_bi_dataflows` InSpec audit resource to test the properties related to all Azure Power BI dataflows. + +## Azure REST API version, endpoint, and HTTP client parameters + +{{< readfile file="content/reusable/md/inspec_azure_common_parameters.md" >}} + +## Syntax + +An `azure_power_bi_dataflows` resource block returns all Azure Power BI dataflows. + +```ruby +describe azure_power_bi_dataflows(group_id: 'GROUP_ID') do + #... +end +``` + +## Parameters + +`group_id` +: The Workspace ID. + +## Properties + +`objectIds` + +: List of all Power BI dataflow IDs. + + Field: `objectId` + +`names` + +: List of all the Power BI dataflow names. + + Field: `name` + +`descriptions` + +: List of all the Power BI dataflow descriptions. + + Field: `descriptions` + +`modelUrls` + +: List of all URLs to the dataflow definition file + + Field: `modelUrl` + +{{< note >}} + +{{< readfile file="content/reusable/md/inspec_filter_table.md" >}} + +{{< /note>}} + +## Examples + +Test to ensure Power BI Dataflow for Finance exists: + +```ruby +describe azure_power_bi_dataflows(group_id: 'GROUP_ID').where(name: 'DATAFLOW_NAME') do + it { should exist } +end +``` + +## Matchers + +{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}} + +This resource has the following special matchers. + +### exists + +```ruby +# Should not exist if no Power BI dataflows are present. + +describe azure_power_bi_dataflows(group_id: 'GROUP_ID') do + it { should_not exist } +end +``` + +### not_exists + +```ruby +# Should exist if the filter returns at least one Power BI dataflows. 
+ +describe azure_power_bi_dataflows(group_id: 'GROUP_ID') do + it { should exist } +end +``` + +## Azure permissions + +Your [service principal](https://learn.microsoft.com/en-us/entra/identity-platform/howto-create-service-principal-portal) must have the `Dataflow.Read.All` role on the Azure Power BI Dataflow you wish to test. diff --git a/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_power_bi_dataset.md b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_power_bi_dataset.md new file mode 100644 index 0000000..7a49b17 --- /dev/null +++ b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_power_bi_dataset.md 
@@ -0,0 +1,105 @@ ++++ +title = "azure_power_bi_dataset resource" + +draft = false + + +[menu.azure] +title = "azure_power_bi_dataset" +identifier = "inspec/resources/azure/azure_power_bi_dataset resource" +parent = "inspec/resources/azure" ++++ + +Use the `azure_power_bi_dataset` InSpec audit resource to test the properties related to an Azure Power BI dataset. + +## Azure REST API version, endpoint, and HTTP client parameters + +{{< readfile file="content/reusable/md/inspec_azure_common_parameters.md" >}} + +## Syntax + +```ruby +describe azure_power_bi_dataset(name: 'DATASET_ID') do + it { should exist } +end +``` + +```ruby +describe azure_power_bi_dataset(group_id: 'GROUP_ID', name: 'DATASET_ID') do + it { should exist } +end +``` + +## Parameters + +`name` _(required)_ +: The dataset ID. + +`group_id` _(optional)_ +: The workspace ID. + +## Properties + +`name` +: The dataset name. + +`addRowsAPIEnabled` +: Whether the dataset allows adding new rows. + +`configuredBy` +: The dataset owner. + +`isRefreshable` +: Can this dataset be refreshed. + +`isEffectiveIdentityRequired` +: Whether the dataset requires an effective identity. This indicates that you must send an effective identity using the GenerateToken API. + +`isEffectiveIdentityRolesRequired` +: Whether RLS is defined inside the PBIX file. This indicates that you must specify a role. + +`isOnPremGatewayRequired` +: dataset requires an On-premises Data Gateway. + +For properties applicable to all resources, such as `type`, `name`, `id`, and `properties`, refer to [`azure_generic_resource`](azure_generic_resource#properties). + +Also, see the [Azure documentation](https://docs.microsoft.com/en-us/rest/api/power-bi/datasets/get-dataset) for other available properties. 
+ +## Examples + +Test that the Power BI dataset requires an on-prem gateway: + +```ruby +describe azure_power_bi_dataset(name: 'DATASET_ID') do + it { should exist } + its('IsOnPremGatewayRequired') { should eq true } +end +``` + +## Matchers + +{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}} + +### exists + +```ruby +# If the Power BI dataset is found, it will exist. + +describe azure_power_bi_dataset(name: 'DATASET_ID') do + it { should exist } +end +``` + +### not_exists + +```ruby +# if the Power BI dataset is not found, it will not exist. + +describe azure_power_bi_dataset(name: 'DATASET_ID') do + it { should_not exist } +end +``` + +## Azure permissions + +Your [service principal](https://learn.microsoft.com/en-us/entra/identity-platform/howto-create-service-principal-portal) must have the `Dataset.Read.All` role on the Azure Power BI dataset you wish to test. diff --git a/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_power_bi_dataset_datasources.md b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_power_bi_dataset_datasources.md new file mode 100644 index 0000000..fa8f3bc --- /dev/null +++ b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_power_bi_dataset_datasources.md 
@@ -0,0 +1,103 @@ ++++ +title = "azure_power_bi_dataset_datasources resource" + +draft = false + + +[menu.azure] +title = "azure_power_bi_dataset_datasources" +identifier = "inspec/resources/azure/azure_power_bi_dataset_datasources resource" +parent = "inspec/resources/azure" ++++ + +Use the `azure_power_bi_dataset_datasources` Chef InSpec audit resource to test the properties of all Azure Power BI dataset data sources. + +## Azure REST API version, endpoint, and HTTP client parameters + +{{< readfile file="content/reusable/md/inspec_azure_common_parameters.md" >}} + +## Syntax + +An `azure_power_bi_dataset_datasources` resource block returns all Azure Power BI dataset data sources. + +```ruby +describe azure_power_bi_dataset_datasources(dataset_id: 'DATASET_ID') do + #... +end +``` + +## Parameters + +`dataset_id` _(required)_ +: The dataset ID. + +`group_id` _(optional)_ +: The workspace ID. + +## Properties + +`datasourceIds` +: List of all Power BI data source IDs. + + Field: `datasourceId` + +`gatewayIds` +: List of all the bound gateway IDs. + + Field: `gatewayId` + +`datasourceTypes` +: List of the data source types. + + Field: `datasourceType` + +`connectionDetails` +: List of the data source connection details. + + Field: `connectionDetails` + +{{< note >}} + +{{< readfile file="content/reusable/md/inspec_filter_table.md" >}} + +{{< /note>}} + +Also, see the [Azure documentation](https://docs.microsoft.com/en-us/rest/api/power-bi/datasets/get-datasources) for other available properties. + +## Examples + +Verify that a Power BI dataset data source for a server exists: + +```ruby +describe azure_power_bi_dataset_datasources(dataset_id: 'DATASET_ID').where{ connectionDetails[:server] == 'CONNECTION_SERVER' } do + it { should exist } +end +``` + +## Matchers + +This Chef InSpec audit resource has the following special matchers. For a full list of available matchers, please visit our [Universal Matchers page](https://www.inspec.io/docs/reference/matchers/). 
+ +### exists + +Verify that a Power BI dataset data source is not present. + +```ruby +describe azure_power_bi_dataset_datasources(dataset_id: 'DATASET_ID') do + it { should_not exist } +end +``` + +### not_exists + +Verify that at least one Power BI dataset data source exists. + +``` ruby +describe azure_power_bi_dataset_datasources(dataset_id: 'DATASET_ID') do + it { should exist } +end +``` + +## Azure permissions + +Your [service principal](https://learn.microsoft.com/en-us/entra/identity-platform/howto-create-service-principal-portal) must have the `Dataset.Read.All` role on the Azure Power BI data set you wish to test. diff --git a/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_power_bi_datasets.md b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_power_bi_datasets.md new file mode 100644 index 0000000..5573ad9 --- /dev/null +++ b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_power_bi_datasets.md 
@@ -0,0 +1,117 @@ ++++ +title = "azure_power_bi_datasets resource" + +draft = false + + +[menu.azure] +title = "azure_power_bi_datasets" +identifier = "inspec/resources/azure/azure_power_bi_datasets resource" +parent = "inspec/resources/azure" ++++ + +Use the `azure_power_bi_datasets` InSpec audit resource to test the properties of all Azure Power BI datasets. + +## Azure REST API version, endpoint, and HTTP client parameters + +{{< readfile file="content/reusable/md/inspec_azure_common_parameters.md" >}} + +## Syntax + +An `azure_power_bi_datasets` resource block returns all Azure Power BI datasets. + +```ruby +describe azure_power_bi_datasets do + #... +end +``` + +## Parameters + +`group_id` _(optional)_ +: The workspace ID. + +## Properties + +`ids` +: List of all Power BI dataset IDs. + + Field: `id` + +`names` +: List of all the Power BI dataset names. + + Field: `name` + +`addRowsAPIEnableds` +: List of boolean flags which describe whether the dataset allows adding new rows. + + Field: `addRowsAPIEnabled` + +`isRefreshables` +: List of boolean flags that represent refreshable parameters of datasets. + + Field: `isRefreshable` + +`isEffectiveIdentityRequireds` +: List of boolean flags that represent effective identity. + + Field: `isEffectiveIdentityRequired` + +`isEffectiveIdentityRolesRequireds` +: List of boolean flags that describe whether `RLS` is defined inside the `PBIX` file. + + Field: `isEffectiveIdentityRolesRequired` + +`isOnPremGatewayRequireds` +: List of boolean flags that describe whether the dataset requires an On-premises Data Gateway. + + Field: `isOnPremGatewayRequired` + +{{< note >}} + +{{< readfile file="content/reusable/md/inspec_filter_table.md" >}} + +{{< /note>}} + +Also, see the [Azure documentation](https://docs.microsoft.com/en-us/rest/api/power-bi/datasets/get-datasets) for other available properties. 
+ +## Examples + +Test to ensure the Power BI dataset is refreshable: + +```ruby +describe azure_power_bi_datasets.where(isRefreshable: true) do + it { should exist } +end +``` + +## Matchers + +{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}} + +This resource has the following special matchers. + +### exists + +```ruby +# Should not exist if no Power BI datasets are present. + +describe azure_power_bi_datasets do + it { should_not exist } +end +``` + +### not_exists + +```ruby +# Should exist if the filter returns at least one Power BI dataset. + +describe azure_power_bi_datasets do + it { should exist } +end +``` + +## Azure permissions + +Your [service principal](https://learn.microsoft.com/en-us/entra/identity-platform/howto-create-service-principal-portal) must have the `Dataset.Read.All` role on the Azure Power BI dataset you wish to test. diff --git a/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_power_bi_embedded_capacities.md b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_power_bi_embedded_capacities.md new file mode 100644 index 0000000..e87064d --- /dev/null +++ b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_power_bi_embedded_capacities.md 
@@ -0,0 +1,145 @@ ++++ +title = "azure_power_bi_embedded_capacities resource" + +draft = false + + +[menu.azure] +title = "azure_power_bi_embedded_capacities" +identifier = "inspec/resources/azure/azure_power_bi_embedded_capacities resource" +parent = "inspec/resources/azure" ++++ + +Use the `azure_power_bi_embedded_capacities` InSpec audit resource to test the properties related to all Azure Power BI Embedded Capacities within a project. + +## Azure REST API version, endpoint, and HTTP client parameters + +{{< readfile file="content/reusable/md/inspec_azure_common_parameters.md" >}} + +## Syntax + +An `azure_power_bi_embedded_capacities` resource block returns all Azure Power BI Embedded Capacities within a project. + +```ruby +describe azure_power_bi_embedded_capacities do + #... +end +``` + +## Parameters + +`account_name` +: The Azure Storage account name. + +`dns_suffix` +: The DNS suffix for the Azure Data Lake Storage endpoint. + +The following parameters are optional,`account_name` and `dns_suffix`. + +## Properties + +`ids` +: A list of Power BI dedicated resources. + + Field: `id` + +`names` +: The names of all the Power BI dedicated resources. + + Field: `name` + +`locations` +: A location list of all the Power BI dedicated resources. + + Field: `location` + +`modes` +: A list of all the capacity modes. + + Field: `mode` + +`provisioningStates` +: A list of all provisioning states. + + Field: `provisioningState` + +`states` +: The current state of all Power BI dedicated resources. + + Field: `state` + +`sku_names` +: The SKU name of the Power BI dedicated resource. + + Field: `sku_name` + +`sku_tiers` +: The SKU tier of the Power BI dedicated resource. + + Field: `sku_tier` + +`sku_capacities` +: The SKU capacities of the Power BI dedicated resource. + + Field: `sku_capacity` + +`administration_members` +: A collection of dedicated capacity administrators. 
+ + Field: `administration_members` + +{{< note >}} + +{{< readfile file="content/reusable/md/inspec_filter_table.md" >}} + +{{< /note>}} + +## Examples + +Loop through Power BI Embedded Capacities by their names: + +```ruby +azure_power_bi_embedded_capacities.names.each do |name| + describe azure_power_bi_embedded_capacity(resource_group: 'RESOURCE_GROUP', name: name) do + it { should exist } + end +end +``` + +Test to ensure Power BI Embedded Capacities where `sku_capacities` greater than 1: + +```ruby +describe azure_power_bi_embedded_capacities.where(sku_capacity > 1 ) do + it { should exist } +end +``` + +## Matchers + +{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}} + +This resource has the following special matchers. + +### exists + +```ruby +# Should exist if the filter returns at least one Migrate Assessment in the project and the resource group. + +describe azure_power_bi_embedded_capacities do + it { should exist } +end +``` + +### not_exists + +```ruby +# Should not exist if no Power BI Embedded Capacities are present in the project and the resource group. + +describe azure_power_bi_embedded_capacities do + it { should_not exist } +end +``` + +## Azure permissions + +{{% inspec-azure/azure_permissions_service_principal role="contributor" %}} diff --git a/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_power_bi_embedded_capacity.md b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_power_bi_embedded_capacity.md new file mode 100644 index 0000000..1599d11 --- /dev/null +++ b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_power_bi_embedded_capacity.md 
@@ -0,0 +1,116 @@ ++++ +title = "azure_power_bi_embedded_capacity resource" + +draft = false + + +[menu.azure] +title = "azure_power_bi_embedded_capacity" +identifier = "inspec/resources/azure/azure_power_bi_embedded_capacity resource" +parent = "inspec/resources/azure" ++++ + +Use the `azure_power_bi_embedded_capacity` InSpec audit resource to test the properties related to an Azure Power BI Embedded Capacity. + +## Azure REST API version, endpoint, and HTTP client parameters + +{{< readfile file="content/reusable/md/inspec_azure_common_parameters.md" >}} + +## Syntax + +The `name` and `resource_group` are required parameters. + +```ruby +describe azure_power_bi_embedded_capacity(resource_group: 'RESOURCE_GROUP', name: 'POWER_BI_EMBEDDED') do + it { should exist } +end +``` + +```ruby +describe azure_power_bi_embedded_capacity(resource_group: 'RESOURCE_GROUP', name: 'POWER_BI_EMBEDDED') do + it { should exist } +end +``` + +## Parameters + +`name` +: Name of the Power BI Embedded Capacity to test. + +`resource_group` +: Azure Resource Group. + +The parameter set for a valid query that should be provided is `name` and `account_name`. + +## Properties + +`id` +: An identifier that represents the Power BI dedicated resource. + +`location` +: Location of the Power BI dedicated resource. + +`name` +: The name of the Power BI dedicated resource. + +`properties.administration` +: A collection of dedicated capacity administrators. + +`properties.mode` +: The capacity mode. + +`properties.state` +: The current state of Power BI dedicated resource. The state is to indicate more states outside of resource provisioning. + +`sku` +: The SKU of the Power BI dedicated resource. + +`tags` +: Key-value pairs of additional resource provisioning properties. + +`type` +: The type of the Power BI dedicated resource. + +For properties applicable to all resources, such as `type`, `name`, `id`, and `properties`, refer to [`azure_generic_resource`](azure_generic_resource#properties). 
+ +Also, see the [Azure documentation](https://docs.microsoft.com/en-us/rest/api/power-bi-embedded/capacities/get-details) for other available properties. + +## Examples + +Test that the Power BI Embedded Capacity: + +```ruby +describe azure_power_bi_embedded_capacity(resource_group: 'RESOURCE_GROUP', name: 'POWER_BI_EMBEDDED') do + its('count') { should eq 1.0 } +end +``` + +## Matchers + +{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}} + +This resource has the following special matchers. + +### exists + +```ruby +# If the Power BI Embedded Capacity is found, it will exist. + +describe azure_power_bi_embedded_capacity(resource_group: 'RESOURCE_GROUP', name: 'POWER_BI_EMBEDDED') do + it { should exist } +end +``` + +### not_exists + +```ruby +# if the Power BI Embedded Capacity is not found, it will not exist. + +describe azure_power_bi_embedded_capacity(resource_group: 'RESOURCE_GROUP', name: 'POWER_BI_EMBEDDED') do + it { should_not exist } +end +``` + +## Azure permissions + +{{% inspec-azure/azure_permissions_service_principal role="contributor" %}} diff --git a/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_power_bi_gateway.md b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_power_bi_gateway.md new file mode 100644 index 0000000..d8f6c05 --- /dev/null +++ b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_power_bi_gateway.md 
@@ -0,0 +1,91 @@ ++++ +title = "azure_power_bi_gateway resource" + +draft = false + + +[menu.azure] +title = "azure_power_bi_gateway" +identifier = "inspec/resources/azure/azure_power_bi_gateway resource" +parent = "inspec/resources/azure" ++++ + +Use the `azure_power_bi_gateway` InSpec audit resource to test the properties related to an Azure Power BI gateway. + +## Azure REST API version, endpoint, and HTTP client parameters + +{{< readfile file="content/reusable/md/inspec_azure_common_parameters.md" >}} + +## Syntax + +The `gateway_id` is a required parameter. + +```ruby +describe azure_power_bi_gateway(gateway_id: 'GATEWAY_ID') do + it { should exist } +end +``` + +## Parameters + +`gateway_id` _(required)_ +: The gateway ID. + +## Properties + +`id` +: The gateway ID. + +`name` +: The gateway name. + +`type` +: The gateway type. + +`publicKey.exponent` +: The public key exponent. + +`publicKey.modulus` +: The public key modulus. + +For properties applicable to all resources, such as `type`, `name`, `id`, and `properties`, refer to [`azure_generic_resource`](azure_generic_resource#properties). + +Also, see the [Azure documentation](https://docs.microsoft.com/en-us/rest/api/power-bi/gateways/get-gateway) for other available properties. + +## Examples + +Test that the Power BI gateway's exponent is 'AQAB': + +```ruby +describe azure_power_bi_gateway(gateway_id: 'GATEWAY_ID') do + its('publicKey.exponent') { should eq 'AQAB' } +end +``` + +## Matchers + +{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}} + +### exists + +```ruby +# If the Azure Power BI gateway is found, it will exist. + +describe azure_power_bi_gateway(gateway_id: 'GATEWAY_ID') do + it { should exist } +end +``` + +### not_exists + +```ruby +# if the Azure Power BI gateway is not found, it will not exist. 
+ +describe azure_power_bi_gateway(gateway_id: 'GATEWAY_ID') do + it { should_not exist } +end +``` + +## Azure permissions + +Your [service principal](https://learn.microsoft.com/en-us/entra/identity-platform/howto-create-service-principal-portal) must have the `Dataset.Read.All` role on the Azure Power BI Workspace you wish to test. diff --git a/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_power_bi_gateways.md b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_power_bi_gateways.md new file mode 100644 index 0000000..1f54b14 --- /dev/null +++ b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_power_bi_gateways.md 
@@ -0,0 +1,111 @@ ++++ +title = "azure_power_bi_gateways resource" + +draft = false + + +[menu.azure] +title = "azure_power_bi_gateways" +identifier = "inspec/resources/azure/azure_power_bi_gateways resource" +parent = "inspec/resources/azure" ++++ + +Use the `azure_power_bi_gateways` InSpec audit resource to test the properties related to all Azure Power BI gateways. + +## Azure REST API version, endpoint, and HTTP client parameters + +{{< readfile file="content/reusable/md/inspec_azure_common_parameters.md" >}} + +## Syntax + +An `azure_power_bi_gateways` resource block returns all Azure Power BI gateways. + +```ruby +describe azure_power_bi_gateways do + #... +end +``` + +## Properties + +`ids` +: List of all gateway IDs. + + Field: `id` + +`names` +: List of all the gateway names. + + Field: `name` + +`types` +: List of all the gateway types. + + Field: `type` + +`exponents` +: List of all public key exponents. + + Field: `exponent` + +`modulus` +: List of all public key modulus. + + Field: `modulus` + +{{< note >}} + +{{< readfile file="content/reusable/md/inspec_filter_table.md" >}} + +{{< /note>}} +Also, see the [Azure documentation](https://docs.microsoft.com/en-us/rest/api/power-bi/Gateways/get-Gateways) for other available properties. + +## Examples + +Loop through Power BI gateways by their IDs: + +```ruby +azure_power_bi_gateways.ids.each do |id| + describe azure_power_bi_gateway(gateway_id: id) do + it { should exist } + end +end +``` + +Test to ensure all Power BI gateways exponent is 'AQAB': + +```ruby +describe azure_power_bi_gateways.where(exponent: 'AQAB') do + it { should exist } +end +``` + +## Matchers + +{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}} + +This resource has the following special matchers. + +### exists + +```ruby +# Should not exist if no Power BI gateways are present. 
+ +describe azure_power_bi_gateways do + it { should_not exist } +end +``` + +### not_exists + +```ruby +# Should exist if the filter returns at least one Power BI gateway. + +describe azure_power_bi_gateways do + it { should exist } +end +``` + +## Azure permissions + +Your [service principal](https://learn.microsoft.com/en-us/entra/identity-platform/howto-create-service-principal-portal) must have the `Dataset.Read.All` role on the Azure Power BI Workspace you wish to test. diff --git a/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_public_ip.md b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_public_ip.md new file mode 100644 index 0000000..8d935ee --- /dev/null +++ b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_public_ip.md 
@@ -0,0 +1,104 @@ ++++ +title = "azure_public_ip resource" + +draft = false + + +[menu.azure] +title = "azure_public_ip" +identifier = "inspec/resources/azure/azure_public_ip resource" +parent = "inspec/resources/azure" ++++ + +Use the `azure_public_ip` InSpec audit resource to test the properties of an Azure Public IP address. + +## Azure REST API version, endpoint, and HTTP client parameters + +{{< readfile file="content/reusable/md/inspec_azure_common_parameters.md" >}} + +## Syntax + +An `azure_public_ip` resource block identifies a public IP address by `name` and `resource_group`, or the `resource_id`. + +```ruby +describe azure_public_ip(resource_group: 'RESOURCE_GROUP', name: 'ADDRESS_NAME') do + it { should exist } +end +``` + +```ruby +describe azure_public_ip(resource_id: '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Network/publicIPAddresses/{publicIpAddressName}') do + it { should exist } +end +``` + +## Parameters + +`resource_group` +: Azure resource group where the targeted resource resides. + +`name` +: The unique name of the public IP address. + +`resource_id` +: The unique resource ID. + +Either one of the parameter sets can be provided for a valid query: + +- `resource_id` +- `resource_group` and `name` + +## Properties + +`properties.ipAddress` +: The IP address associated with the public IP address resource. + +For properties applicable to all resources, such as `type`, `name`, `id`, and `properties`, refer to [`azure_generic_resource`](azure_generic_resource#properties). + +Also, see the [Azure documentation](https://docs.microsoft.com/en-us/rest/api/virtualnetwork/publicipaddresses/get#publicipaddress) for other available properties. You can access any attribute in the response with the key names separated by dots (`.`). 
+ +## Examples + +Test the IP Address of a Public IP Resource: + +```ruby +describe azure_public_ip(resource_group: 'RESOURCE_GROUP', name: 'ADDRESS_NAME') do + its('properties.ipAddress') { should cmp '51.224.11.75' } +end +``` + +```ruby +describe azure_public_ip(resource_id: '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Network/publicIPAddresses/{publicIpAddressName}') do + its('properties.ipAddress') { should cmp '51.224.11.75' } +end +``` + +See [integration tests](https://github.com/inspec/inspec-azure/blob/main/test/integration/verify/controls/azure_public_ip.rb) for more examples. + +## Matchers + +This InSpec audit resource has the following special matchers. For a full list of available matchers, please visit our [Universal Matchers page](https://docs.chef.io/inspec/matchers/). + +### exists + +```ruby +# If we expect the resource to always exist. + +describe azure_public_ip(resource_group: 'RESOURCE_GROUP', name: 'ADDRESS_NAME') do + it { should exist } +end +``` + +### not_exists + +```ruby +# If we expect the resource not to exist. + +describe azure_public_ip(resource_group: 'RESOURCE_GROUP', name: 'ADDRESS_NAME') do + it { should_not exist } +end +``` + +## Azure permissions + +{{% inspec-azure/azure_permissions_service_principal role="contributor" %}} diff --git a/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_redis_cache.md b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_redis_cache.md new file mode 100644 index 0000000..742d2cb --- /dev/null +++ b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_redis_cache.md 
@@ -0,0 +1,146 @@ ++++ +title = "azure_redis_cache resource" + +draft = false + + +[menu.azure] +title = "azure_redis_cache" +identifier = "inspec/resources/azure/azure_redis_cache resource" +parent = "inspec/resources/azure" ++++ + +Use the `azure_redis_cache` InSpec audit resource to test the properties related to an Azure Redis cache. + +## Azure REST API version, endpoint, and HTTP client parameters + +{{< readfile file="content/reusable/md/inspec_azure_common_parameters.md" >}} + +## Syntax + +`resource_group` and `name` are required parameters. + +```ruby +describe azure_redis_cache(resource_group: 'RESOURCE_GROUP', name: 'REDIS_CACHE_NAME') do + it { should exist } + its('name') { should cmp 'REDIS_CACHE_NAME' } + its('type') { should cmp 'Microsoft.Cache/Redis' } + its('sku.name') { should cmp 'Standard' } + its('sku.family') { should cmp 'C' } + its('location') { should cmp 'southcentralus' } +end +``` + +```ruby +describe azure_redis_cache(resource_group: 'RESOURCE_GROUP', name: 'REDIS_CACHE_NAME') do + it { should exist } +end +``` + +## Parameters + +`resource_group` +: Azure resource group where the targeted resource resides. + +`name` +: Name of the Azure Redis cache to test. + +The parameter set should be provided for a valid query are `resource_group` and `name`. + +## Properties + +`id` +: Resource ID. + +`name` +: Redis cache name. + +`location` +: Redis cache location. + +`type` +: Resource type. + +`tags` +: Resource tags. + +`properties.sku.name` +: The type of Redis cache to deploy. Valid values are `Basic`, `Standard`, and `Premium`. + +`properties.sku.family` +: The SKU family to use. Valid values are `C` and `P` (C = Basic/Standard, P = Premium). + +`properties.sku.capacity` +: The size of the Redis cache to deploy. Valid values are `C` (Basic/Standard; family: 0, 1, 2, 3, 4, 5, 6) and `P` (Premium, family: 1, 2, 3, 4). + +`properties.provisioningState` +: The resource's provisioning state. + +`properties.redisVersion` +: Redis version. 
+ +`properties.enableNonSslPort` +: Specifies whether the non-SSL Redis server port (6379) is enabled. + +For properties applicable to all resources, such as `type`, `name`, `id`, and `properties`, refer to [`azure_generic_resource`](azure_generic_resource#properties). + +Also, see the [Azure documentation](https://docs.microsoft.com/en-us/rest/api/redis/redis/get) for other available properties. +You can access any attribute in the response with the key names separated by dots (`.`). + +## Examples + +Test that the Redis instance's provisioning status equals 'Succeeded': + +```ruby +describe azure_redis_cache(resource_group: 'RESOURCE_GROUP', name: 'REDIS_CACHE_NAME') do + its('properties.provisioningState') { should eq 'Succeeded' } +end +``` + +Test that the Redis instance Skuname equals 'Standard': + +Skuname is the Redis cache to deploy. Valid values are `Basic`, `Standard`, and `Premium`. + +```ruby +describe azure_redis_cache(resource_group: 'RESOURCE_GROUP', name: 'REDIS_CACHE_NAME') do + its('properties.sku.name') { should eq 'Standard' } +end +``` + +## Matchers + +{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}} + +### exists + +```ruby +# If a Redis cache is found, it will exist. + +describe azure_redis_cache(resource_group: 'RESOURCE_GROUP', name: 'REDIS_CACHE_NAME') do + it { should exist } +end +``` + +### not_exists + +```ruby + +# Redis Caches that aren't found, will not exist. +describe azure_redis_cache(resource_group: 'RESOURCE_GROUP', name: 'REDIS_CACHE_NAME') do + it { should_not exist } +end +``` + +### be_enabled_non_ssl_port + +Ensure that the Redis cache supports non-SSL ports. + +```ruby +describe azure_redis_cache(resource_group: 'RESOURCE_GROUP', name: 'REDIS_CACHE_NAME') do + it { should be_enabled_non_ssl_port } +end +``` + +## Azure permissions + +{{% inspec-azure/azure_permissions_service_principal role="contributor" %}} 
diff --git a/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_redis_caches.md b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_redis_caches.md new file mode 100644 index 0000000..6951449 --- /dev/null +++ b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_redis_caches.md 
@@ -0,0 +1,225 @@ ++++ +title = "azure_redis_caches resource" + +draft = false + + +[menu.azure] +title = "azure_redis_caches" +identifier = "inspec/resources/azure/azure_redis_caches resource" +parent = "inspec/resources/azure" ++++ + +Use the `azure_redis_caches` InSpec audit resource to test the properties of multiple Azure Redis caches in a resource group or an entire subscription. + +## Azure REST API version, endpoint, and HTTP client parameters + +{{< readfile file="content/reusable/md/inspec_azure_common_parameters.md" >}} + +## Syntax + +An `azure_redis_caches` resource block returns all Azure Redis caches within a resource group. + +```ruby +describe azure_redis_caches(resource_group: 'RESOURCE_GROUP') do + #... +end +``` + +or + +```ruby +describe azure_redis_caches(resource_group: 'RESOURCE_GROUP') do + #... +end +``` + +## Parameters + +The parameter should be provided for a valid query is `resource_group`. + +`resource_group` +: Azure resource group where the targeted resource resides. + +## Properties + +`IDs` +: A list of the unique resource IDs. + + Field: `id` + +`names` +: A list of name for all the resource names. + + Field: `name` + +`types` +: A list of types for all the resources. + + Field: `type` + +`locations` +: A list of locations for all the resources. + + Field: `location` + +`properties` +: A list of properties for all the resources. + + Field: `properties` + +`tags` +: A list of resource tags. + + Field: `tags` + +`sku_names` +: A list of the types of Redis caches to deploy. + + Field: `sku_name` + +`sku_capacities` +: A list of the sizes of the Redis caches to deploy. + + Field: `sku_capacity` + +`sku_families` +: A list of the SKU families to use. + + Field: `sku_family` + +`instances_ssl_ports` +: A list of Redis instance SSL Ports. + + Field: `instances_ssl_ports` + +`is_master_instance` +: A list of Redis instance `is_master` flag. 
+ + Field: `is_master_instance` + +`is_primary_instance` +: A list of Redis instance `is_primary` flag. + + Field: `is_primary_instance` + +`max_clients` +: A list of max clients in Redis configuration. + + Field: `max_clients` + +`max_memory_reserves` +: A list of max memory reserves in Redis configuration. + + Field: `max_memory_reserved` + +`max_fragmentation_memory_reserves` +: A list of max fragmentation memory reserves in Redis configuration. + + Field: `max_fragmentation_memory_reserved` + +`max_memory_deltas` +: A list of max memory deltas in Redis configuration. + + Field: `max_memory_delta` + +`provisioning_states` +: A list of provisioning_states from the properties. + + Field: `provisioning_state` + +`redis_versions` +: A list of Redis versions from the properties. + + Field: `redis_version` + +`enable_non_ssl_port` +: A list of Redis caches where the non-SSL Redis server port (6379) is enabled. + + Field: `enable_non_ssl_port` + +`public_network_access` +: A list of public network access from the properties. + + Field: `public_network_access` + +`access_keys` +: A list of access keys from the properties. + + Field: `access_keys` + +`host_names` +: A list of host names from the properties. + + Field: `host_name` + +`ports` +: A list of ports from the properties. + + Field: `port` + +`ssl_ports` +: A list of SSL ports from the properties. + + Field: `ssl_port` + +`linked_servers` +: A list of linked servers from the Redis caches. 
+ + Field: `linked_servers` + +{{< note >}} + +{{< readfile file="content/reusable/md/inspec_filter_table.md" >}} + +{{< /note>}} + +## Examples + +Loop through Redis Caches by their names: + +```ruby +azure_redis_caches(resource_group: 'RESOURCE_GROUP').names.each do |name| + describe azure_redis_cache(name: name) do + it { should exist } + end +end +``` + +Test that there is Redis cache with a specific string in its names using client-side filtering: + +```ruby +describe azure_redis_caches(resource_group: 'RESOURCE_GROUP').where { name.include?('spec-client') } do + it { should exist } +end +``` + +## Matchers + +{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}} + +This resource has the following special matchers. + +### exists + +```ruby +# Should not exist if no Redis caches are in the resource group. + +describe azure_redis_caches(resource_group: 'RESOURCE_GROUP') do + it { should_not exist } +end +``` + +### not_exists + +```ruby +# Should exist if the filter returns at least one Redis cache. + +describe azure_redis_caches(resource_group: 'RESOURCE_GROUP') do + it { should exist } +end +``` + +## Azure permissions + +{{% inspec-azure/azure_permissions_service_principal role="contributor" %}} diff --git a/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_resource_group.md b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_resource_group.md new file mode 100644 index 0000000..e505c1c --- /dev/null +++ b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_resource_group.md 
@@ -0,0 +1,112 @@
++++
+title = "azure_resource_group resource"
+
+draft = false
+
+
+[menu.azure]
+title = "azure_resource_group"
+identifier = "inspec/resources/azure/azure_resource_group resource"
+parent = "inspec/resources/azure"
++++
+
+Use the `azure_resource_group` InSpec audit resource to test the properties and configuration of an Azure resource group.
+
+## Azure REST API version, endpoint, and HTTP client parameters
+
+{{< readfile file="content/reusable/md/inspec_azure_common_parameters.md" >}}
+
+## Syntax
+
+`name` or the `resource_id` are required parameters.
+
+```ruby
+describe azure_resource_group(name: 'RESOURCE_GROUP') do
+ it { should exist }
+end
+```
+
+```ruby
+describe azure_resource_group(resource_id: '/subscriptions/{subscriptionId}/resourcegroups/{resourceGroupName}') do
+ it { should exist }
+end
+```
+
+## Parameters
+
+`name`
+: Name of the resource group.
+
+`resource_id`
+: The unique resource ID.
+
+Either one of the parameter sets can be provided for a valid query:
+
+- `resource_id`
+- `name`
+
+## Properties
+
+`properties.provisioningState`
+: The provisioning state. `Succeeded`.
+
+For properties applicable to all resources, such as `type`, `name`, `id`, `location`, and `properties`, refer to [`azure_generic_resource`](azure_generic_resource#properties).
+
+Also, see the [Azure documentation](https://docs.microsoft.com/en-us/rest/api/policy/policy-definitions/get) for other available properties. You can access any attribute in the response with the key names separated by dots (`.`). For example, `properties.`.
+
+## Examples
+
+Test a resource group location:
+
+```ruby
+describe azure_resource_group(name: 'RESOURCE_GROUP') do
+ its('location') { should cmp 'eastus' }
+end
+```
+
+Test a resource group provisioning state:
+
+```ruby
+describe azure_resource_group(name: 'RESOURCE_GROUP') do
+ its('properties.provisioningState') { should cmp 'Succeeded' }
+end
+```
+
+Test a resource group tags:
+
+```ruby
+describe azure_resource_group(name: 'RESOURCE_GROUP') do
+ its('tags') { should include(:owner) }
+ its('tags') { should include(owner: 'InSpec') }
+end
+```
+
+## Matchers
+
+{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}}
+
+This resource has the following special matchers.
+
+### exists
+
+```ruby
+# If we expect a resource group to always exist.
+
+describe azure_resource_group(name: 'RESOURCE_GROUP') do
+ it { should exist }
+end
+```
+
+### not_exists
+
+```ruby
+# If we expect a resource group to never exist.
+
+describe azure_resource_group(name: 'RESOURCE_GROUP') do
+ it { should_not exist }
+end
+```
+
+## Azure permissions
+
+{{% inspec-azure/azure_permissions_service_principal role="contributor" %}}
diff --git a/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_resource_groups.md b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_resource_groups.md
new file mode 100644
index 0000000..605d597
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_resource_groups.md
@@ -0,0 +1,106 @@
++++
+title = "azure_resource_groups resource"
+
+draft = false
+
+
+[menu.azure]
+title = "azure_resource_groups"
+identifier = "inspec/resources/azure/azure_resource_groups resource"
+parent = "inspec/resources/azure"
++++
+
+Use the `azure_resource_groups` InSpec audit resource to test the properties and configuration of multiple Azure resource groups.
+
+## Azure REST API version, endpoint, and HTTP client parameters
+
+{{< readfile file="content/reusable/md/inspec_azure_common_parameters.md" >}}
+
+## Syntax
+
+An `azure_resource_groups` resource block returns all resource groups within a subscription.
+
+```ruby
+describe azure_resource_groups do
+ it { should exist }
+end
+```
+
+## Parameters
+
+This resource does not require any parameters.
+
+## Properties
+
+`ids`
+: A list of the unique resource group IDs.
+
+ Field: `id`
+
+`names`
+: A list of names of all the resource groups.
+
+ Field: `name`
+
+`tags`
+: A list of `tag:value` pairs defined on the resource groups.
+
+ Field: `tags`
+
+`locations`
+: A list of locations of all the resource groups.
+
+ Field: `location`
+
+{{< note >}}
+
+{{< readfile file="content/reusable/md/inspec_filter_table.md" >}}
+
+{{< /note>}}
+
+## Examples
+
+Check if a specific resource group is present:
+
+```ruby
+describe azure_resource_groups do
+ its('names') { should include 'my-resource-group' }
+end
+```
+
+Filters the results to include only those resource groups that have the specified name:
+
+```ruby
+describe azure_resource_groups.where{ name.include?('my-resource-group') } do
+ it { should exist }
+end
+```
+
+Filters the results to include only the resource groups that have specified tag:
+
+```ruby
+describe azure_resource_groups.where{ tags.has_key?('owner') && tags['owner'] == "InSpec" } do
+ it { should exist }
+ its('count') { should be 15 }
+end
+```
+
+## Matchers
+
+{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}}
+
+This resource has the following special matchers.
+
+### exists
+
+The control passes if the filter returns at least one result. Use `should_not` if you expect zero matches.
+
+```ruby
+describe azure_resource_groups do
+ it { should exist }
+end
+```
+
+## Azure permissions
+
+{{% inspec-azure/azure_permissions_service_principal role="contributor" %}}
diff --git a/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_resource_health_availability_status.md b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_resource_health_availability_status.md
new file mode 100644
index 0000000..d766355
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_resource_health_availability_status.md
@@ -0,0 +1,102 @@
++++
+title = "azure_resource_health_availability_status resource"
+
+draft = false
+
+
+[menu.azure]
+title = "azure_resource_health_availability_status"
+identifier = "inspec/resources/azure/azure_resource_health_availability_status resource"
+parent = "inspec/resources/azure"
++++
+
+Use the `azure_resource_health_availability_status` InSpec audit resource to test the properties related to an Azure Resource Health availability status.
+
+## Azure REST API version, endpoint, and HTTP client parameters
+
+{{< readfile file="content/reusable/md/inspec_azure_common_parameters.md" >}}
+
+## Syntax
+
+`resource_group`, `resource_type`, and `name` are required parameters.
+
+```ruby
+describe azure_resource_health_availability_status(resource_group: 'AZURE_RESOURCE_GROUP', resource_type: 'AZURE_RESOURCE_TYPE', name: 'RESOURCE_NAME') do
+ it { should exist }
+ its('name') { should cmp 'current' }
+ its('type') { should cmp 'Microsoft.ResourceHealth/AvailabilityStatuses' }
+ its('location') { should cmp 'ukwest' }
+ its('properties.availabilityState') { should cmp 'Available' }
+ its('properties.reasonChronicity') { should cmp 'Persistent' }
+end
+```
+
+## Parameters
+
+`name`
+: Name of the Azure resource to test.
+
+`resource_group`
+: Azure resource group where the targeted resource resides.
+
+`resource_type`
+: Azure resource type of the targeted resource.
+
+The parameter set should be provided for a valid query are `resource_group`, `resource_type`, and `name`.
+
+## Properties
+
+`id`
+: Azure Resource Manager Identity for the `availabilityStatuses` resource.
+
+`name`
+: current.
+
+`type`
+: `Microsoft.ResourceHealth/AvailabilityStatuses`.
+
+`location`
+: Azure Resource Manager geo location of the resource.
+
+`properties`
+: Properties of availability state.
+
+For properties applicable to all resources, such as `type`, `name`, `id`, and `properties`, refer to [`azure_generic_resource`](azure_generic_resource#properties).
+
+Also, see the [Azure documentation](https://docs.microsoft.com/en-us/rest/api/resourcehealth/availability-statuses/get-by-resource) for other available properties. You can access any attribute in the response with the key names separated by dots (`.`).
+
+## Examples
+
+Test availability status of a resource:
+
+```ruby
+describe azure_resource_health_availability_status(resource_group: 'AZURE_RESOURCE_GROUP', resource_type: 'AZURE_RESOURCE_TYPE', name: 'RESOURCE_NAME') do
+ its('properties.availabilityState') { should eq 'Available' }
+end
+```
+
+Test the chronicity type of a resource:
+
+```ruby
+describe azure_resource_health_availability_status(resource_group: 'AZURE_RESOURCE_GROUP', resource_type: 'AZURE_RESOURCE_TYPE', name: 'RESOURCE_NAME') do
+ its('properties.reasonChronicity') { should include 'Persistent' }
+end
+```
+
+## Matchers
+
+{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}}
+
+### exists
+
+```ruby
+# If a resource status is found, it will exist.
+
+describe azure_resource_health_availability_status(resource_group: 'AZURE_RESOURCE_GROUP', resource_type: 'AZURE_RESOURCE_TYPE', name: 'RESOURCE_NAME') do
+ it { should exist }
+end
+```
+
+## Azure permissions
+
+{{% inspec-azure/azure_permissions_service_principal role="contributor" %}}
diff --git a/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_resource_health_availability_statuses.md b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_resource_health_availability_statuses.md
new file mode 100644
index 0000000..d17ebc7
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_resource_health_availability_statuses.md
@@ -0,0 +1,114 @@
++++
+title = "azure_resource_health_availability_statuses resource"
+
+draft = false
+
+
+[menu.azure]
+title = "azure_resource_health_availability_statuses"
+identifier = "inspec/resources/azure/azure_resource_health_availability_statuses resource"
+parent = "inspec/resources/azure"
++++
+
+Use the `azure_resource_health_availability_statuses` InSpec audit resource to test the properties related to all Azure Availability Statuses for the subscription.
+
+## Azure REST API version, endpoint, and HTTP client parameters
+
+{{< readfile file="content/reusable/md/inspec_azure_common_parameters.md" >}}
+
+## Syntax
+
+An `azure_resource_health_availability_statuses` resource block returns all Azure Availability Statuses within a subscription.
+
+```ruby
+describe azure_resource_health_availability_statuses do
+ #...
+end
+```
+
+## Parameters
+
+This resource does not require any parameters.
+
+## Properties
+
+`ids`
+: A list of the Azure Resource Manager Identity for the `availabilityStatuses` resources.
+
+ Field: `id`
+
+`names`
+: current.
+
+ Field: `name`
+
+`types`
+: `Microsoft.ResourceHealth/AvailabilityStatuses`.
+
+ Field: `type`
+
+`properties`
+: A list of Properties of availability state.
+
+ Field: `properties`
+
+`locations`
+: A list of Azure Resource Manager geo locations of the resource.
+
+ Field: `location`
+
+{{< note >}}
+
+{{< readfile file="content/reusable/md/inspec_filter_table.md" >}}
+
+{{< /note>}}
+
+## Examples
+
+Loop through availability statuses by resource ID:
+
+```ruby
+azure_resource_health_availability_statuses.ids.each do |id|
+ describe azure_resource_health_availability_status(resource_id: id) do
+ it { should exist }
+ end
+end
+```
+
+Test that there are availability statuses that have an 'Available' availability state:
+
+```ruby
+describe azure_resource_health_availability_statuses.where{ properties.select{|prop| prop.availabilityState == 'Available' } } do
+ it { should exist }
+end
+```
+
+## Matchers
+
+{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}}
+
+This resource has the following special matchers.
+
+### exists
+
+```ruby
+# Should not exist if no availability statuses are present in the subscription.
+
+describe azure_resource_health_availability_statuses do
+ it { should_not exist }
+end
+```
+
+### not_exists
+
+```ruby
+# Should exist if the filter returns at least one availability status in the subscription.
+
+describe azure_resource_health_availability_statuses do
+ it { should exist }
+end
+```
+
+## Azure permissions
+
+{{% inspec-azure/azure_permissions_service_principal role="contributor" %}}
diff --git a/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_resource_health_emerging_issue.md b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_resource_health_emerging_issue.md
new file mode 100644
index 0000000..9adb07d
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_resource_health_emerging_issue.md
@@ -0,0 +1,100 @@
++++
+title = "azure_resource_health_emerging_issue resource"
+
+draft = false
+
+
+[menu.azure]
+title = "azure_resource_health_emerging_issue"
+identifier = "inspec/resources/azure/azure_resource_health_emerging_issue resource"
+parent = "inspec/resources/azure"
++++
+
+Use the `azure_resource_health_emerging_issue` InSpec audit resource to test the properties related to an Azure Resource Health Emerging issue.
+
+## Azure REST API version, endpoint, and HTTP client parameters
+
+{{< readfile file="content/reusable/md/inspec_azure_common_parameters.md" >}}
+
+## Syntax
+
+`name` is a required parameter.
+
+```ruby
+describe azure_resource_health_emerging_issue(name: 'EMERGING_ISSUE_NAME') do
+ it { should exist }
+ its('properties.statusActiveEvents') { should be_empty }
+end
+```
+
+```ruby
+describe azure_resource_health_emerging_issue(name: 'EMERGING_ISSUE_NAME') do
+ it { should exist }
+end
+```
+
+## Parameters
+
+`name`
+: Name of the Azure Resource Health emerging issue to test.
+
+## Properties
+
+`id`
+: Fully qualified resource ID for the resource.
+
+`name`
+: The name of the resource.
+
+`type`
+: The type of resource.
+
+`properties.statusActiveEvents`
+: The list of emerging issues of the active event type.
+
+`properties.statusBanners`
+: The list of emerging issues of banner type.
+
+`properties.refreshTimestamp`
+: Timestamp for when last time refreshed for ongoing emerging issue.
+
+For properties applicable to all resources, such as `type`, `name`, `id`, and `properties`, refer to [`azure_generic_resource`](azure_generic_resource#properties).
+
+Also, see the [Azure documentation](https://docs.microsoft.com/en-us/rest/api/resourcehealth/emerging-issues/get) for other available properties.
+You can access any attribute in the response with the key names separated by dots (`.`).
+
+## Examples
+
+Test that there are emerging issues with an active event type:
+
+```ruby
+describe azure_resource_health_emerging_issue(name: 'default') do
+ its('properties.statusActiveEvents') { should_not be_empty }
+end
+```
+
+## Matchers
+
+{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}}
+
+### exists
+
+```ruby
+# If an emerging issue is found, it will exist.
+describe azure_resource_health_emerging_issue(name: 'default') do
+ it { should exist }
+end
+```
+
+### not_exists
+
+```ruby
+# If no emerging issues are found, it will not exist.
+describe azure_resource_health_emerging_issue(name: 'default') do
+ it { should_not exist }
+end
+```
+
+## Azure permissions
+
+{{% inspec-azure/azure_permissions_service_principal role="contributor" %}}
diff --git a/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_resource_health_emerging_issues.md b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_resource_health_emerging_issues.md
new file mode 100644
index 0000000..cd3d848
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_resource_health_emerging_issues.md
@@ -0,0 +1,101 @@
++++
+title = "azure_resource_health_emerging_issues resource"
+
+draft = false
+
+
+[menu.azure]
+title = "azure_resource_health_emerging_issues"
+identifier = "inspec/resources/azure/azure_resource_health_emerging_issues resource"
+parent = "inspec/resources/azure"
++++
+
+Use the `azure_resource_health_emerging_issues` InSpec audit resource to test the properties related to all Azure Resource Health Emerging issues.
+
+## Azure REST API version, endpoint, and HTTP client parameters
+
+{{< readfile file="content/reusable/md/inspec_azure_common_parameters.md" >}}
+
+## Syntax
+
+An `azure_resource_health_emerging_issues` resource block returns all Azure Resource Health Emerging issues.
+
+```ruby
+describe azure_resource_health_emerging_issues do
+ #...
+end
+```
+
+## Parameters
+
+This resource does not require any parameters.
+
+## Properties
+
+`ids`
+: A list of the unique resource IDs.
+
+ Field: `id`
+
+`names`
+: A list of names for all the resources.
+
+ Field: `name`
+
+`types`
+: A list of types for all the resources.
+
+ Field: `type`
+
+`properties`
+: A list of Properties for all the resources.
+
+ Field: `properties`
+
+{{< note >}}
+
+{{< readfile file="content/reusable/md/inspec_filter_table.md" >}}
+
+{{< /note>}}
+
+See [Azure's documentation](https://docs.microsoft.com/en-us/rest/api/resourcehealth/emerging-issues/get) for other available properties.
+
+## Examples
+
+Test that there are emerging health issues that are of lower severity:
+
+```ruby
+describe azure_resource_health_emerging_issues.where{ properties.select{|prop| prop.statusActiveEvents.select{ |event| event.severity == 'Warning' } } } do
+ it { should exist }
+end
+```
+
+## Matchers
+
+{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}}
+
+This resource has the following special matchers.
+
+### exists
+
+```ruby
+# Should not exist if no service health emerging issues are present.
+
+describe azure_resource_health_emerging_issues do
+ it { should_not exist }
+end
+```
+
+### not_exists
+
+```ruby
+# Should exist if the filter returns at least one service health emerging issue.
+
+describe azure_resource_health_emerging_issues do
+ it { should exist }
+end
+```
+
+## Azure permissions
+
+{{% inspec-azure/azure_permissions_service_principal role="contributor" %}}
diff --git a/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_resource_health_events.md b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_resource_health_events.md
new file mode 100644
index 0000000..c5ad7b1
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_resource_health_events.md
@@ -0,0 +1,132 @@
++++
+title = "azure_resource_health_events resource"
+
+draft = false
+
+
+[menu.azure]
+title = "azure_resource_health_events"
+identifier = "inspec/resources/azure/azure_resource_health_events resource"
+parent = "inspec/resources/azure"
++++
+
+Use the `azure_resource_health_events` InSpec audit resource to test the properties related to all Azure Resource Health events for the subscription.
+
+## Azure REST API version, endpoint, and HTTP client parameters
+
+{{< readfile file="content/reusable/md/inspec_azure_common_parameters.md" >}}
+
+## Syntax
+
+An `azure_resource_health_events` resource block returns all Azure Resource Health events within a subscription or for a particular resource.
+
+```ruby
+describe azure_resource_health_events do
+ #...
+end
+```
+
+or
+
+```ruby
+describe azure_resource_health_events(resource_group: 'RESOURCE_GROUP', resource_type: 'RESOURCE_TYPE', resource_id: 'RESOURCE_ID') do
+ #...
+end
+```
+
+## Parameters
+
+{{< note >}}
+
+To list all service health events in a subscription, do not provide any parameters.
+To list events for a particular resource, pass in all three parameters listed below.
+If one or more parameters are missing then all events in a subscription will be returned.
+
+{{< /note >}}
+
+`resource_group`
+: Azure resource group where the targeted resource resides.
+
+`resource_type`
+: The name of the resource type.
+
+`resource_id`
+: The unique identifier of the resource.
+
+## Properties
+
+`ids`
+: A list of the unique resource IDs.
+
+ Field: `id`
+
+`names`
+: A list of names for all the resources.
+
+ Field: `name`
+
+`types`
+: A list of resource types for all the resources.
+
+ Field: `type`
+
+`properties`
+: A list of properties for all the resources.
+
+ Field: `properties`
+
+{{< note >}}
+
+{{< readfile file="content/reusable/md/inspec_filter_table.md" >}}
+
+{{< /note>}}
+
+See the [Azure documentation](https://docs.microsoft.com/en-us/rest/api/resourcehealth/events/list-by-single-resource) for other available properties.
+
+## Examples
+
+Test that there are health events that have a service issue:
+
+```ruby
+describe azure_resource_health_events.where{ properties.select{|prop| prop.eventType == 'ServiceIssue' } } do
+ it { should exist }
+end
+```
+
+Test that there are health events for a particular resource:
+
+```ruby
+describe azure_resource_health_events(resource_group: 'RESOURCE_GROUP', resource_type: 'RESOURCE_TYPE', resource_id: 'RESOURCE_ID') do
+ it { should exist }
+end
+```
+
+## Matchers
+
+{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}}
+
+This resource has the following special matchers.
+
+### exists
+
+```ruby
+# Should not exist if no service health events are present in the subscription.
+
+describe azure_resource_health_events do
+ it { should_not exist }
+end
+```
+
+### not_exists
+
+```ruby
+# Should exist if the filter returns at least one service health events in the subscription.
+
+describe azure_resource_health_events do
+ it { should exist }
+end
+```
+
+## Azure permissions
+
+{{% inspec-azure/azure_permissions_service_principal role="contributor" %}}
diff --git a/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_role_definition.md b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_role_definition.md
new file mode 100644
index 0000000..14936fa
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_role_definition.md
@@ -0,0 +1,110 @@
++++
+title = "azure_role_definition resource"
+
+draft = false
+
+
+[menu.azure]
+title = "azure_role_definition"
+identifier = "inspec/resources/azure/azure_role_definition resource"
+parent = "inspec/resources/azure"
++++
+
+Use the `azure_role_definition` InSpec audit resource to test the properties and configuration of an Azure role definition.
+
+## Azure REST API version, endpoint, and HTTP client parameters
+
+{{< readfile file="content/reusable/md/inspec_azure_common_parameters.md" >}}
+
+## Syntax
+
+`name` or the `resource_id` are required parameters.
+
+```ruby
+describe azure_role_definition(name: 'abcd-1234') do
+ it { should exist }
+end
+```
+
+```ruby
+describe azure_role_definition(resource_id: '/{scope}/providers/Microsoft.Authorization/roleDefinitions/{roleDefinitionId}') do
+ it { should exist }
+end
+```
+
+## Parameters
+
+`name`
+: Name of the role definition.
+
+`resource_id`
+: The unique resource ID.
+
+Either one of the parameter sets can be provided for a valid query:
+
+- `resource_id`
+- `name`
+
+## Properties
+
+`role_name`
+: The role name.
+
+`role_type`
+: The role type. `BuiltInRole`.
+
+`assignable_scopes`
+: Role definition assignable scopes.
+
+`permissions_allowed`
+: A list of allowed actions within role definition permissions.
+
+`permissions_not_allowed`
+: A list of denied actions within role definition permissions.
+
+For properties applicable to all resources, such as `type`, `name`, `id`, and `properties`, refer to [`azure_generic_resource`](azure_generic_resource#properties).
+
+Also, see the [Azure documentation](https://docs.microsoft.com/en-us/rest/api/authorization/roledefinitions/get#roledefinition) for other available properties. You can access any attribute in the response with the key names separated by dots (`.`). For example, `properties.`.
+
+## Examples
+
+Test allowed permissions on a role definition:
+
+```ruby
+describe azure_role_definition(name: 'policy-reader-only')
+ it { should exist }
+ its('permissions_allowed') { should include 'Microsoft.Authorization/policyassignments/read'}
+ its('permissions_allowed') { should_not include 'Microsoft.Authorization/policyassignments/write'}
+ its('permissions_allowed') { should_not include '*'}
+end
+```
+
+## Matchers
+
+{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}}
+
+This resource has the following special matchers.
+
+### exists
+
+```ruby
+# If we expect a resource to always exist.
+
+describe azure_role_definition(name: 'abcd-1234') do
+ it { should exist }
+end
+```
+
+### not_exists
+
+```ruby
+# If we expect a resource to never exist.
+
+describe azure_role_definition(name: 'abcd-1234') do
+ it { should_not exist }
+end
+```
+
+## Azure permissions
+
+{{% inspec-azure/azure_permissions_service_principal role="contributor" %}}
diff --git a/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_role_definitions.md b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_role_definitions.md
new file mode 100644
index 0000000..6f61ee4
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_role_definitions.md
@@ -0,0 +1,120 @@
++++
+title = "azure_role_definitions resource"
+
+draft = false
+
+
+[menu.azure]
+title = "azure_role_definitions"
+identifier = "inspec/resources/azure/azure_role_definitions resource"
+parent = "inspec/resources/azure"
++++
+
+Use the `azure_role_definitions` InSpec audit resource to test the properties and configuration of multiple Azure role definitions.
+
+## Azure REST API version, endpoint, and HTTP client parameters
+
+{{< readfile file="content/reusable/md/inspec_azure_common_parameters.md" >}}
+
+## Syntax
+
+An `azure_role_definitions` resource block returns all role definitions within a subscription.
+
+```ruby
+describe azure_role_definitions do
+ it { should exist }
+end
+```
+
+## Parameters
+
+This resource does not require any parameters.
+
+## Properties
+
+`ids`
+: A list of the unique resource IDs.
+
+ Field: `id`
+
+`names`
+: A list of names of all the resources being interrogated.
+
+ Field: `name`
+
+`role_names`
+: A list of role names of all the role definitions being interrogated.
+
+ Field: `role_name`
+
+`types`
+: A list of role type of all the role definitions being interrogated.
+
+ Field: `type`
+
+`properties`
+: A list of properties for all the resources being interrogated.
+
+ Field: `properties`
+
+{{< note >}}
+
+{{< readfile file="content/reusable/md/inspec_filter_table.md" >}}
+
+{{< /note>}}
+
+## Examples
+
+Check a specific role definition is present:
+
+```ruby
+describe azure_role_definitions do
+ its('names') { should include 'my-role' }
+end
+```
+
+Filter the results to include only those role definitions that have the specified name:
+
+```ruby
+describe azure_role_definitions.where{ name.include?('my-role') } do
+ it { should exist }
+end
+```
+
+Filter the results to include only the built-in role definitions:
+
+```ruby
+describe azure_role_definitions.where{ type == "BuiltInRole" } do
+ it { should exist }
+ its('count') { should be 15 }
+end
+```
+
+Filter the results to include only the role definitions that contain 'Kubernetes' in the role name:
+
+```ruby
+describe azure_role_definitions.where{ role_name.include?('Kubernetes') } do
+ it { should exist }
+ its('count') { should be 15 }
+end
+```
+
+## Matchers
+
+{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}}
+
+This resource has the following special matchers.
+
+### exists
+
+The control passes if the filter returns at least one result. Use `should_not` if you expect zero matches.
+
+```ruby
+describe azure_role_definitions do
+ it { should exist }
+end
+```
+
+## Azure permissions
+
+{{% inspec-azure/azure_permissions_service_principal role="contributor" %}}
diff --git a/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_security_center_policies.md b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_security_center_policies.md
new file mode 100644
index 0000000..2bdbbbd
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_security_center_policies.md
@@ -0,0 +1,101 @@
++++
+title = "azure_security_center_policies resource"
+
+draft = false
+
+
+[menu.azure]
+title = "azure_security_center_policies"
+identifier = "inspec/resources/azure/azure_security_center_policies resource"
+parent = "inspec/resources/azure"
++++
+
+Use the `azure_security_center_policies` InSpec audit resource to test the properties and configuration of multiple Azure Policies.
+
+## Azure REST API version, endpoint, and HTTP client parameters
+
+{{< readfile file="content/reusable/md/inspec_azure_common_parameters.md" >}}
+
+## Syntax
+
+An `azure_subscriptions` resource block returns all security policies for a subscription.
+
+```ruby
+describe azure_security_center_policies do
+ it { should exist }
+end
+```
+
+## Parameters
+
+This resource does not require any parameters.
+
+## Properties
+
+`ids`
+: A list of the unique resource IDs.
+
+ Field: `id`
+
+`policy_names`
+: A list of names of all the resources being interrogated.
+
+ Field: `name`
+
+`properties`
+: A list of properties for all the resources being interrogated.
+
+ Field: `properties`
+
+{{< note >}}
+
+{{< readfile file="content/reusable/md/inspec_filter_table.md" >}}
+
+{{< /note>}}
+
+## Examples
+
+Check if a specific policy is present:
+
+```ruby
+describe azure_security_center_policies do
+ its('names') { should include 'my-policy' }
+end
+```
+
+Filter the results to include only those policies that have a specified string in their names:
+
+```ruby
+describe azure_security_center_policies.where{ name.include?('production') } do
+ it { should exist }
+end
+```
+
+Filter the results to include only those policies that the log collection is enabled:
+
+```ruby
+describe azure_security_center_policies.where{ properties[:logCollection] == 'On' } do
+ it { should exist }
+ its('count') { should eq 4 }
+end
+```
+
+## Matchers
+
+{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}}
+
+This resource has the following special matchers.
+
+### exists
+
+The control passes if the filter returns at least one result. Use `should_not` if you expect zero matches.
+
+```ruby
+describe azure_security_center_policies do
+ it { should exist }
+end
+```
+
+## Azure permissions
+
+{{% inspec-azure/azure_permissions_service_principal role="contributor" %}}
diff --git a/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_security_center_policy.md b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_security_center_policy.md
new file mode 100644
index 0000000..de7520f
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_security_center_policy.md
@@ -0,0 +1,191 @@ ++++ +title = "azure_security_center_policy resource" + +draft = false + + +[menu.azure] +title = "azure_security_center_policy" +identifier = "inspec/resources/azure/azure_security_center_policy resource" +parent = "inspec/resources/azure" ++++ + +Use the `azure_security_center_policy` InSpec audit resource to test the properties and configuration of an Azure security policy. + +## Azure REST API version, endpoint, and HTTP client parameters + +{{< readfile file="content/reusable/md/inspec_azure_common_parameters.md" >}} + +## Syntax + +An `azure_security_center_policy` resource block will lookup the `default` policy unless `resource_group` and `name`, or the `resource_id` parameter is given. + +```ruby +# The default security policy will be interrogated. + +describe azure_security_center_policy do + its('name') { should cmp 'default' } +end +``` + +```ruby +describe azure_security_center_policy(resource_group: 'RESOURCE_GROUP', name: 'POLICY_NAME') do + it { should exist } +end +``` + +```ruby +describe azure_security_center_policy(resource_id: '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroup}/providers/microsoft.Security/policies/{policy-name}') do + it { should exist } +end +``` + +## Parameters + +`resource_group` +: Azure resource group where the targeted resource resides. + +`name` +: Name of the security policy to test. + +`resource_id` +: The unique resource ID. `/subscriptions/{subscriptionId}/resourceGroups/{resourceGroup}/providers/microsoft.Security/policies/{policy-name}`. + +`default_policy_api_version*` +: The endpoint API version for the `default_policy` property. The latest version will be used unless provided. + +`auto_provisioning_settings_api_version*` +: The endpoint API version for the `auto_provisioning_settings` property. The latest version will be used unless provided. + +* It will be ignored unless the default policy is tested. 
+ +Either one of the parameter sets can be provided for a valid query: + +- `resource_id` +- `resource_group` and `name` +- `name: 'default'`: This is for backward compatibility. It is advised not to pass any parameters if the default security policy is tested. + +## Properties + +`log_collection` +: Indicates if the log collection is enabled (`On`, `Off`). + +`pricing_tier` +: Cost/Feature Model under which the subscription is operating. + +`patch` +: Indicates if patch scanner notifications are enabled (`On`, `Off`). + +`baseline` +: Indicates if baseline scanner notifications are enabled (`On`, `Off`). + +`anti_malware` +: Indicates if anti-malware protection task notifications are enabled (`On`, `Off`). + +`network_security_groups` +: Indicates if network security group recommendations are enabled are enabled (`On`, `Off`). + +`web_application_firewall` +: Indicates if WAF protection task notifications are enabled (`On`, `Off`). + +`vulnerability_assessment` +: Indicates if vulnerability assessment recommendations are enabled (`On`, `Off`). + +`storage_encryption` +: Indicates if storage encryption recommendations are enabled (`On`, `Off`). + +`just_in_time_network_access` +: Indicates if just in time network access recommendations are enabled (`On`, `Off`). + +`app_whitelisting` +: Indicates if app whitelisting recommendations are enabled (`On`, `Off`). + +`sql_auditing` +: Indicates if sql auditing recommendations are enabled (`On`, `Off`). + +`sql_transparent_data_encryption` +: Indicates if sql transparent data encryption recommendations are enabled (`On`, `Off`). + +`notifications_enabled` +: Indicates if security alerts are emailed to the security contact (`true`, `false`). + +`send_security_email_to_admin` +: Indicates if the subscription admin will receive security alerts (`true`, `false`). + +`contact_emails` +: Contains a list of security email addresses. + +`contact_phone` +: Contains the security contact phone number. 
+ +`default_policy*` +: This is the default set of policies monitored by Azure security center. + +`auto_provisioning_settings*` +: This is the default auto provisioning setting for the subscription. + +*Only applicable to the default security policy. + +For properties applicable to all resources, such as `type`, `name`, `id`, and `properties`, refer to [`azure_generic_resource`](azure_generic_resource#properties). + +You can access any attribute in the response with the key names separated by dots (`.`). For example, `properties.`. + +## Examples + +Test if log collection is enabled: + +```ruby +describe azure_security_center_policy(resource_group: 'my-rg', name: 'my_policy') do + its('log_collection') { should cmp 'On' } +end +``` + +Test If Notifications are Enabled: + +```ruby +describe azure_security_center_policy(resource_group: 'RESOURCE_GROUP', name: 'POLICY_NAME') do + its('notifications_enabled') { should be true } +end +``` + +See [integration tests](https://github.com/inspec/inspec-azure/blob/main/test/integration/verify/controls/azure_security_center_policy.rb) for more examples. + +## Matchers + +{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}} + +This resource has the following special matchers. + +### have_auto_provisioning_enabled + +Test if auto provisioning is enabled. This can be used via the default security policy only. + +```ruby +describe azure_security_center_policy do + it { should have_auto_provisioning_enabled } +end +``` + +### exists + +```ruby +# If we expect a resource to always exist. + +describe azure_security_center_policy(resource_group: 'RESOURCE_GROUP', name: 'POLICY_NAME') do + it { should exist } +end +``` + +### not_exists + +```ruby +# If we expect a resource to never exist. 
+ +describe azure_security_center_policy(resource_group: 'RESOURCE_GROUP', name: 'POLICY_NAME') do + it { should_not exist } +end +``` + +## Azure permissions + +{{% inspec-azure/azure_permissions_service_principal role="contributor" %}} diff --git a/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_service_bus_namespace.md b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_service_bus_namespace.md new file mode 100644 index 0000000..2103fe1 --- /dev/null +++ b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_service_bus_namespace.md 
@@ -0,0 +1,116 @@ ++++ +title = "azure_service_bus_namespace resource" + +draft = false + + +[menu.azure] +title = "azure_service_bus_namespace" +identifier = "inspec/resources/azure/azure_service_bus_namespace resource" +parent = "inspec/resources/azure" ++++ + +Use the `azure_service_bus_namespace` InSpec audit resource to test the properties related to an Azure Service Bus Namespace. + +## Azure REST API version, endpoint, and HTTP client parameters + +{{< readfile file="content/reusable/md/inspec_azure_common_parameters.md" >}} + +## Syntax + +`name` and `resource_group` are required parameters. + +```ruby +describe azure_service_bus_namespace(resource_group: 'RESOURCE_GROUP', name: 'SERVICE_BUS_NAMESPACE') do + it { should exist } + its('type') { should eq 'Microsoft.ServiceBus/Namespaces' } + its('location') { should eq 'East US' } +end +``` + +```ruby +describe azure_service_bus_namespace(resource_group: 'RESOURCE_GROUP', name: 'SERVICE_BUS_NAMESPACE') do + it { should exist } +end +``` + +## Parameters + +`name` _(required)_ +: Name of the Azure Service Bus namespaces to test. + +`resource_group` _(required)_ +: Azure resource group where the targeted resource resides. + +## Properties + +`id` +: Resource ID. + +`name` +: Resource name. + +`type` +: Resource type. `Microsoft.ServiceBus/Namespaces`. + +`location` +: The Geo-location where the resource lives. + +`properties` +: The properties of the Service Bus Namespace. + +`properties.serviceBusEndpoint` +: Endpoint you can use to perform Service Bus operations. + +`properties.metricId` +: Identifier for Azure Insights metrics. + +`properties.provisioningState` +: Provisioning state of the Namespace. + +`sku.name` +: Name of this SKU. + +For properties applicable to all resources, such as `type`, `name`, `id`, and `properties`, refer to [`azure_generic_resource`](azure_generic_resource#properties). 
+ +Also, see the [Azure documentation](https://docs.microsoft.com/en-us/rest/api/servicebus/stable/namespaces/get) for other available properties. + +## Examples + +Test that the Service Bus Namespaces are provisioned successfully: + +```ruby +describe azure_service_bus_namespace(resource_group: 'RESOURCE_GROUP', name: 'SERVICE_BUS_NAMESPACE') do + its('properties.provisioningState') { should eq 'Succeeded' } +end +``` + +## Matchers + +{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}} + +This resource has the following special matchers. + +### exists + +```ruby +# If a Service Bus Namespace is found, it will exist. + +describe azure_service_bus_namespace(resource_group: 'RESOURCE_GROUP', name: 'SERVICE_BUS_NAMESPACE') do + it { should exist } +end +``` + +### not_exists + +```ruby +# If Service Bus Namespace is not found, it will not exist. + +describe azure_service_bus_namespace(resource_group: 'RESOURCE_GROUP', name: 'SERVICE_BUS_NAMESPACE') do + it { should_not exist } +end +``` + +## Azure permissions + +{{% inspec-azure/azure_permissions_service_principal role="reader" %}} diff --git a/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_service_bus_namespaces.md b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_service_bus_namespaces.md new file mode 100644 index 0000000..7ea516c --- /dev/null +++ b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_service_bus_namespaces.md 
@@ -0,0 +1,140 @@ ++++ +title = "azure_service_bus_namespaces resource" + +draft = false + + +[menu.azure] +title = "azure_service_bus_namespaces" +identifier = "inspec/resources/azure/azure_service_bus_namespaces resource" +parent = "inspec/resources/azure" ++++ + +Use the `azure_service_bus_namespaces` InSpec audit resource to test the properties related to all Azure Service Bus Namespaces within a project. + +## Azure REST API version, endpoint, and HTTP client parameters + +{{< readfile file="content/reusable/md/inspec_azure_common_parameters.md" >}} + +## Syntax + +An `azure_service_bus_namespaces` resource block returns all Azure Service Bus Namespaces within a project. + +```ruby +describe azure_service_bus_namespaces do + #... +end +``` + +## Parameters + +`resource_group` _(optional)_ +: Azure resource group where the targeted resource resides. + +## Properties + +`ids` +: A list of resource IDs. + + Field: `id` + +`names` +: A list of resource names. + + Field: `name` + +`types` +: A list of the resource types. + + Field: `type` + +`properties` +: A list of properties for all the Service Bus Namespaces. + + Field: `properties` + +`locations` +: A list of the Geo-locations. + + Field: `location` + +`serviceBusEndpoints` +: A list of endpoints you can use to perform Service Bus operations. + + Field: `serviceBusEndpoint` + +`metricIds` +: A list of identifiers for Azure Insights metrics. + + Field: `metricId` + +`provisioningStates` +: A list of provisioning states of the namespace. + + Field: `provisioningState` + +`sku_names` +: A list of names for the sku. + + Field: `sku_name` + +`sku_tiers` +: A list of tiers for the sku. 
+ + Field: `sku_tier` + +{{< note >}} + +{{< readfile file="content/reusable/md/inspec_filter_table.md" >}} + +{{< /note>}} + +## Examples + +Loop through Service Bus Namespaces by their names: + +```ruby +azure_service_bus_namespaces(resource_group: 'RESOURCE_GROUP').names.each do |name| + describe azure_service_bus_namespace(resource_group: 'RESOURCE_GROUP', name: name) do + it { should exist } + end +end +``` + +Test that there are Service Bus Namespaces that are successfully provisioned: + +```ruby +describe azure_service_bus_namespaces(resource_group: 'RESOURCE_GROUP').where(provisioningState: 'Succeeded') do + it { should exist } +end +``` + +## Matchers + +{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}} + +This resource has the following special matchers. + +### exists + +```ruby +# Should not exist if no Service Bus Namespaces are present. + +describe azure_service_bus_namespaces(resource_group: 'RESOURCE_GROUP') do + it { should_not exist } +end +``` + +### not_exists + +```ruby +# Should exist if the filter returns at least one Service Bus Namespaces. + +describe azure_service_bus_namespaces(resource_group: 'RESOURCE_GROUP') do + it { should exist } +end +``` + +## Azure permissions + +{{% inspec-azure/azure_permissions_service_principal role="reader" %}} diff --git a/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_service_bus_regions.md b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_service_bus_regions.md new file mode 100644 index 0000000..24a3bce --- /dev/null +++ b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_service_bus_regions.md 
@@ -0,0 +1,115 @@ ++++ +title = "azure_service_bus_regions resource" + +draft = false + + +[menu.azure] +title = "azure_service_bus_regions" +identifier = "inspec/resources/azure/azure_service_bus_regions resource" +parent = "inspec/resources/azure" ++++ + +Use the `azure_service_bus_regions` InSpec audit resource to test the properties related to all Azure Service Bus regions. + +## Azure REST API version, endpoint, and HTTP client parameters + +{{< readfile file="content/reusable/md/inspec_azure_common_parameters.md" >}} + +## Syntax + +An `azure_service_bus_regions` resource block returns all Azure Service Bus regions. + +```ruby +describe azure_service_bus_regions(sku: 'SKU_NAME') do + #... +end +``` + +## Parameters + +`sku` _(required)_ +: The sku type. + +## Properties + +`ids` +: A list of resource IDs. + + Field: `id` + +`names` +: A list of resource names. + + Field: `name` + +`types` +: A list of the resource types. + + Field: `type` + +`properties` +: A list of properties for all the Service Bus regions. + + Field: `properties` + +`locations` +: A list of the resource locations. + + Field: `location` + +`codes` +: A list of region codes. + + Field: `code` + +`fullNames` +: A list of full names of the regions. + + Field: `fullName` + +{{< note >}} + +{{< readfile file="content/reusable/md/inspec_filter_table.md" >}} + +{{< /note>}} + +## Examples + +Test that there are Service Bus regions that are successfully provisioned: + +```ruby +describe azure_service_bus_regions(sku: 'SKU_NAME').where(code: 'Central US') do + it { should exist } +end +``` + +## Matchers + +{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}} + +This resource has the following special matchers. + +### exists + +```ruby +# Should not exist if no Service Bus regions are present. + +describe azure_service_bus_regions(sku: 'SKU_NAME') do + it { should_not exist } +end +``` + +### not_exists + +```ruby +# Should exist if the filter returns at least one Service Bus region. 
+ +describe azure_service_bus_regions(sku: 'SKU_NAME') do + it { should exist } +end +``` + +## Azure permissions + +{{% inspec-azure/azure_permissions_service_principal role="reader" %}} diff --git a/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_service_bus_subscription.md b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_service_bus_subscription.md new file mode 100644 index 0000000..3aa39ce --- /dev/null +++ b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_service_bus_subscription.md 
@@ -0,0 +1,108 @@ ++++ +title = "azure_service_bus_subscription resource" + +draft = false + + +[menu.azure] +title = "azure_service_bus_subscription" +identifier = "inspec/resources/azure/azure_service_bus_subscription resource" +parent = "inspec/resources/azure" ++++ + +Use the `azure_service_bus_subscription` InSpec audit resource to test the properties related to an Azure Service Bus subscription. + +## Azure REST API version, endpoint, and HTTP client parameters + +{{< readfile file="content/reusable/md/inspec_azure_common_parameters.md" >}} + +## Syntax + +```ruby +describe azure_service_bus_subscription(resource_group: 'RESOURCE_GROUP', namespace_name: 'NAMESPACE_NAME', topic_name: 'TOPIC_NAME', name: 'SUBSCRIPTION_NAME') do + it { should exist } + its('type') { should eq 'Microsoft.ServiceBus/Namespaces/Topics/Subscriptions/Rules' } + its('properties.filterType') { should eq 'SqlFilter' } +end +``` + +## Parameters + +`name` _(required)_ +: Name of the Azure Service Bus subscription to test. + +`namespace_name` _(required)_ +: The namespace name. + +`topic_name` _(required)_ +: The topic name. + +`resource_group` _(required)_ +: Azure resource group where the targeted resource resides. + +## Properties + +`id` +: Resource ID. + +`name` +: Resource name. + +`type` +: Resource type. + +`properties` +: The properties of the Service Bus subscription. + +`properties.lockDuration` +: ISO 8061 lock duration timespan for the subscription. The default value is **1 minute**. + +`properties.status` +: Enumerates the possible values for the status of a messaging entity. + +`properties.countDetails` +: Message count details. + +For properties applicable to all resources, such as `type`, `name`, `id`, and `properties`, refer to [`azure_generic_resource`](azure_generic_resource#properties). + +Also, see the [Azure documentation](https://docs.microsoft.com/en-us/rest/api/servicebus/stable/subscriptions/get) for other available properties. 
+ +## Examples + +Test that the Service Bus subscription is active: + +```ruby +describe azure_service_bus_subscription(resource_group: 'RESOURCE_GROUP', namespace_name: 'NAMESPACE_NAME', topic_name: 'TOPIC_NAME', name: 'SUBSCRIPTION_NAME') do + its('properties.status') { should eq 'Active' } +end +``` + +## Matchers + +{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}} + +This resource has the following special matchers. + +### exists + +```ruby +# If a Service Bus subscription is found, it will exist. + +describe azure_service_bus_subscription(resource_group: 'RESOURCE_GROUP', namespace_name: 'NAMESPACE_NAME', topic_name: 'TOPIC_NAME', name: 'SUBSCRIPTION_NAME') do + it { should exist } +end +``` + +### not_exists + +```ruby +# If a Service Bus subscription is not found, it will not exist. + +describe azure_service_bus_subscription(resource_group: 'RESOURCE_GROUP', namespace_name: 'NAMESPACE_NAME', topic_name: 'TOPIC_NAME', name: 'SUBSCRIPTION_NAME') do + it { should_not exist } +end +``` + +## Azure permissions + +{{% inspec-azure/azure_permissions_service_principal role="reader" %}} diff --git a/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_service_bus_subscription_rule.md b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_service_bus_subscription_rule.md new file mode 100644 index 0000000..ac40a7c --- /dev/null +++ b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_service_bus_subscription_rule.md 
@@ -0,0 +1,111 @@ ++++ +title = "azure_service_bus_subscription_rule resource" + +draft = false + + +[menu.azure] +title = "azure_service_bus_subscription_rule" +identifier = "inspec/resources/azure/azure_service_bus_subscription_rule resource" +parent = "inspec/resources/azure" ++++ + +Use the `azure_service_bus_subscription_rule` InSpec audit resource to test the properties related to an Azure Service Bus subscription rule. + +## Azure REST API version, endpoint, and HTTP client parameters + +{{< readfile file="content/reusable/md/inspec_azure_common_parameters.md" >}} + +## Syntax + +```ruby +describe azure_service_bus_subscription_rule(resource_group: 'RESOURCE_GROUP', namespace_name: 'NAMESPACE_NAME', subscription_name: "SUBSCRIPTION_NAME", topic_name: 'TOPIC_NAME', name: 'SUBSCRIPTION_RULE_NAME') do + it { should exist } + its('type') { should eq 'Microsoft.ServiceBus/Namespaces/Topics/Subscriptions/Rules' } + its('properties.filterType') { should eq 'SqlFilter' } +end +``` + +## Parameters + +`name` _(required)_ +: Name of the Azure Service Bus subscription rule to test. + +`namespace_name` _(required)_ +: The namespace name. + +`subscription_name` _(required)_ +: The subscription name. + +`topic_name` _(required)_ +: The topic name. + +`resource_group` _(required)_ +: Azure resource group where the targeted resource resides. + +## Properties + +`id` +: Resource ID. + +`name` +: Resource name. + +`type` +: Resource type. + +`properties` +: The properties of the Service Bus subscription rule. + +`properties.action` +: Represents the filter actions that are allowed for the transformation of a message that has been matched by a filter expression. + +`properties.filterType` +: Filter type that is evaluated against a BrokeredMessage. + +`properties.sqlFilter` +: Properties of sqlFilter. + +For properties applicable to all resources, such as `type`, `name`, `id`, and `properties`, refer to [`azure_generic_resource`](azure_generic_resource#properties). 
+ +Also, see the [Azure documentation](https://docs.microsoft.com/en-us/rest/api/servicebus/stable/rules/get) for other available properties. + +## Examples + +Test that the Service Bus subscription rule is of SQL Filter type: + +```ruby +describe azure_service_bus_subscription_rule(resource_group: 'RESOURCE_GROUP', namespace_name: 'NAMESPACE_NAME', subscription_name: "SUBSCRIPTION_NAME", topic_name: 'TOPIC_NAME', name: 'SUBSCRIPTION_RULE_NAME') do + its('properties.filterType') { should eq 'SqlFilter' } +end +``` + +## Matchers + +{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}} + +This resource has the following special matchers. + +### exists + +```ruby +# If a Service Bus subscription rule is found, it will exist. + +describe azure_service_bus_subscription_rule(resource_group: 'RESOURCE_GROUP', namespace_name: 'NAMESPACE_NAME', subscription_name: "SUBSCRIPTION_NAME", topic_name: 'TOPIC_NAME', name: 'SUBSCRIPTION_RULE_NAME') do + it { should exist } +end +``` + +### not_exists + +```ruby +# If a Service Bus subscription rule is not found, it will not exist. + +describe azure_service_bus_subscription_rule(resource_group: 'RESOURCE_GROUP', namespace_name: 'NAMESPACE_NAME', subscription_name: "SUBSCRIPTION_NAME", topic_name: 'TOPIC_NAME', name: 'SUBSCRIPTION_RULE_NAME') do + it { should_not exist } +end +``` + +## Azure permissions + +{{% inspec-azure/azure_permissions_service_principal role="reader" %}} diff --git a/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_service_bus_subscription_rules.md b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_service_bus_subscription_rules.md new file mode 100644 index 0000000..d77124c --- /dev/null +++ b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_service_bus_subscription_rules.md 
@@ -0,0 +1,119 @@ ++++ +title = "azure_service_bus_subscription_rules resource" + +draft = false + + +[menu.azure] +title = "azure_service_bus_subscription_rules" +identifier = "inspec/resources/azure/azure_service_bus_subscription_rules resource" +parent = "inspec/resources/azure" ++++ + +Use the `azure_service_bus_subscription_rules` InSpec audit resource to test the properties related to all Azure Service Bus subscription rules. + +## Azure REST API version, endpoint, and HTTP client parameters + +{{< readfile file="content/reusable/md/inspec_azure_common_parameters.md" >}} + +## Syntax + +An `azure_service_bus_subscription_rules` resource block returns all Azure Service Bus subscription rules. + +```ruby +describe azure_service_bus_subscription_rules(resource_group: 'RESOURCE_GROUP', namespace_name: 'NAMESPACE_NAME', subscription_name: 'SUBSCRIPTION_NAME', topic_name: 'TOPIC_NAME') do + #... +end +``` + +## Parameters + +`namespace_name` _(required)_ +: The namespace name. + +`subscription_name` _(required)_ +: The subscription name. + +`topic_name` _(required)_ +: The topic name. + +`resource_group` _(required)_ +: Azure resource group where the targeted resource resides. + +## Properties + +`ids` +: A list of resource IDs. + + Field: `id` + +`names` +: A list of resource names. + + Field: `name` + +`types` +: A list of the resource types. + + Field: `type` + +`properties` +: A list of properties for all the Service Bus subscription rules. + + Field: `properties` + +`filterTypes` +: A list of the filter types. + + Field: `filterType` + +`sqlFilter` +: A list of sqlFilters. 
+ + Field: `sqlFilter` + +{{< note >}} + +{{< readfile file="content/reusable/md/inspec_filter_table.md" >}} + +{{< /note>}} + +## Examples + +Test that there are Service Bus subscription rules that are of SQL Filter type: + +```ruby +describe azure_service_bus_subscription_rules(resource_group: 'RESOURCE_GROUP', namespace_name: 'NAMESPACE_NAME', subscription_name: 'SUBSCRIPTION_NAME', topic_name: 'TOPIC_NAME').where(filterType: 'SqlFilter') do + it { should exist } +end +``` + +## Matchers + +{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}} + +This resource has the following special matchers. + +### exists + +```ruby +# Should not exist if no Service Bus subscription rules are present. + +describe azure_service_bus_subscription_rules(resource_group: 'RESOURCE_GROUP', namespace_name: 'NAMESPACE_NAME', subscription_name: 'SUBSCRIPTION_NAME', topic_name: 'TOPIC_NAME') do + it { should_not exist } +end +``` + +### not_exists + +```ruby +# Should exist if the filter returns at least one Service Bus subscription rule. + +describe azure_service_bus_subscription_rules(resource_group: 'RESOURCE_GROUP', namespace_name: 'NAMESPACE_NAME', subscription_name: 'SUBSCRIPTION_NAME', topic_name: 'TOPIC_NAME') do + it { should exist } +end +``` + +## Azure permissions + +{{% inspec-azure/azure_permissions_service_principal role="reader" %}} diff --git a/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_service_bus_subscriptions.md b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_service_bus_subscriptions.md new file mode 100644 index 0000000..c046dbd --- /dev/null +++ b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_service_bus_subscriptions.md 
@@ -0,0 +1,116 @@ ++++ +title = "azure_service_bus_subscriptions resource" + +draft = false + + +[menu.azure] +title = "azure_service_bus_subscriptions" +identifier = "inspec/resources/azure/azure_service_bus_subscriptions resource" +parent = "inspec/resources/azure" ++++ + +Use the `azure_service_bus_subscriptions` InSpec audit resource to test the properties related to all Azure Service Bus subscriptions. + +## Azure REST API version, endpoint, and HTTP client parameters + +{{< readfile file="content/reusable/md/inspec_azure_common_parameters.md" >}} + +## Syntax + +An `azure_service_bus_subscriptions` resource block returns all Azure Service Bus subscriptions. + +```ruby +describe azure_service_bus_subscriptions(resource_group: 'RESOURCE_GROUP', namespace_name: 'NAMESPACE_NAME', topic_name: 'TOPIC_NAME') do + #... +end +``` + +## Parameters + +`namespace_name` _(required)_ +: The namespace name. + +`topic_name` _(required)_ +: The topic name. + +`resource_group` _(required)_ +: Azure resource group where the targeted resource resides. + +## Properties + +`ids` +: A list of resource IDs. + + Field: `id` + +`names` +: A list of resource names. + + Field: `name` + +`types` +: A list of the resource types. + + Field: `type` + +`properties` +: A list of properties for all the Service Bus subscriptions. + + Field: `properties` + +`lockDurations` +: A list of the lock duration timespans. + + Field: `lockDuration` + +`statuses` +: A list of statuses of a messaging entity. 
+ + Field: `status` + +{{< note >}} + +{{< readfile file="content/reusable/md/inspec_filter_table.md" >}} + +{{< /note>}} + +## Examples + +Test that there are Service Bus subscriptions that are active: + +```ruby +describe azure_service_bus_subscriptions(resource_group: 'RESOURCE_GROUP', namespace_name: 'NAMESPACE_NAME', topic_name: 'TOPIC_NAME').where(status: 'Active') do + it { should exist } +end +``` + +## Matchers + +{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}} + +This resource has the following special matchers. + +### exists + +```ruby +# Should not exist if no Service Bus subscriptions are present. + +describe azure_service_bus_subscriptions(resource_group: 'RESOURCE_GROUP', namespace_name: 'NAMESPACE_NAME', topic_name: 'TOPIC_NAME') do + it { should_not exist } +end +``` + +### not_exists + +```ruby +# Should exist if the filter returns at least one Service Bus subscription. + +describe azure_service_bus_subscriptions(resource_group: 'RESOURCE_GROUP', namespace_name: 'NAMESPACE_NAME', topic_name: 'TOPIC_NAME') do + it { should exist } +end +``` + +## Azure permissions + +{{% inspec-azure/azure_permissions_service_principal role="reader" %}} diff --git a/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_service_bus_topic.md b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_service_bus_topic.md new file mode 100644 index 0000000..d56a4d2 --- /dev/null +++ b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_service_bus_topic.md 
@@ -0,0 +1,113 @@ ++++ +title = "azure_service_bus_topic resource" + +draft = false + + +[menu.azure] +title = "azure_service_bus_topic" +identifier = "inspec/resources/azure/azure_service_bus_topic resource" +parent = "inspec/resources/azure" ++++ + +Use the `azure_service_bus_topic` InSpec audit resource to test the properties related to an Azure Service Bus topic. + +## Azure REST API version, endpoint, and HTTP client parameters + +{{< readfile file="content/reusable/md/inspec_azure_common_parameters.md" >}} + +## Syntax + +```ruby +describe azure_service_bus_topic(resource_group: 'RESOURCE_GROUP', namespace_name: 'SERVICE_BUS_NAMESPACE_NAME', name: 'SERVICE_BUS_NAMESPACE') do + it { should exist } + its('type') { should eq 'Microsoft.ServiceBus/Namespaces/Topics' } +end +``` + +```ruby +describe azure_service_bus_topic(resource_group: 'RESOURCE_GROUP', namespace_name: 'SERVICE_BUS_NAMESPACE_NAME', name: 'SERVICE_BUS_NAMESPACE') do + it { should exist } +end +``` + +## Parameters + +`name` _(required)_ +: Name of the Azure Service Bus topics to test. + +`resource_group` _(required)_ +: Azure resource group where the targeted resource resides. + +`namespace_name` _(required)_ +: Name of the namespace where the topic resides. + +## Properties + +`id` +: Resource ID. + +`name` +: Resource name. + +`type` +: Resource type. `Microsoft.ServiceBus/Namespaces/Topics`. + +`properties` +: The properties of the Service Bus topic. + +`properties.maxSizeInMegabytes` +: Maximum size of the topic in megabytes, the memory size allocated for the topic. The default value is **1024**. + +`properties.sizeInBytes` +: Size of the topic, in bytes. + +`properties.status` +: Enumerates the possible values for the status of a messaging entity. + +`properties.countDetails` +: Message count details. + +For properties applicable to all resources, such as `type`, `name`, `id`, and `properties`, refer to [`azure_generic_resource`](azure_generic_resource#properties). 
+ +Also, see the [Azure documentation](https://docs.microsoft.com/en-us/rest/api/servicebus/stable/topics/get) for other available properties. + +## Examples + +Test that the Service Bus topics are provisioned successfully: + +```ruby +describe azure_service_bus_topic(resource_group: 'RESOURCE_GROUP', namespace_name: 'SERVICE_BUS_NAMESPACE_NAME', name: 'SERVICE_BUS_NAMESPACE') do + its('properties.status') { should eq 'Active' } +end +``` + +## Matchers + +{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}} + +This resource has the following special matchers. + +### exists + +```ruby +# If a Service Bus topic is found, it will exist. + +describe azure_service_bus_topic(resource_group: 'RESOURCE_GROUP', namespace_name: 'SERVICE_BUS_NAMESPACE_NAME', name: 'SERVICE_BUS_NAMESPACE') do + it { should exist } +end +``` + +### not_exists + +```ruby +# If Service Bus topic is not found, it will not exist. + +describe azure_service_bus_topic(resource_group: 'RESOURCE_GROUP', namespace_name: 'SERVICE_BUS_NAMESPACE_NAME', name: 'SERVICE_BUS_NAMESPACE') do + it { should_not exist } +end +``` + +## Azure permissions + +{{% inspec-azure/azure_permissions_service_principal role="reader" %}} diff --git a/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_service_bus_topics.md b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_service_bus_topics.md new file mode 100644 index 0000000..25ef9af --- /dev/null +++ b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_service_bus_topics.md 
@@ -0,0 +1,135 @@ ++++ +title = "azure_service_bus_topics resource" + +draft = false + + +[menu.azure] +title = "azure_service_bus_topics" +identifier = "inspec/resources/azure/azure_service_bus_topics resource" +parent = "inspec/resources/azure" ++++ + +Use the `azure_service_bus_topics` InSpec audit resource to test the properties related to all Azure Service Bus topics within a project. + +## Azure REST API version, endpoint, and HTTP client parameters + +{{< readfile file="content/reusable/md/inspec_azure_common_parameters.md" >}} + +## Syntax + +An `azure_service_bus_topics` resource block returns all Azure Service Bus topics within a project. + +`name`, `namespace_name`, and `resource_group` are the required parameters. + +```ruby +describe azure_service_bus_topics(resource_group: 'RESOURCE_GROUP', namespace_name: 'SERVICE_BUS_NAMESPACE_NAME') do + #... +end +``` + +## Parameters + +`resource_group` _(required)_ +: Azure resource group where the targeted resource resides. `MyResourceGroup`. + +`namespace_name` _(required)_ +: Name of the namespace where the topic resides. + +## Properties + +`ids` +: A list of resource IDs. + + Field: `id` + +`names` +: A list of resource names. + + Field: `name` + +`types` +: A list of the resource types. + + Field: `type` + +`properties` +: A list of properties for all the Service Bus topics. + + Field: `properties` + +`maxSizeInMegabytes` +: A list of maximum sizes of the topics. + + Field: `maxSizeInMegabytes` + +`sizeInBytes` +: A list of sizes of the topics. + + Field: `sizeInBytes` + +`statuses` +: A list of the status of a messaging entity. + + Field: `status` + +`countDetails` +: A list of message count details. 
+ + Field: `countDetails` + +{{< note >}} + +{{< readfile file="content/reusable/md/inspec_filter_table.md" >}} + +{{< /note>}} + +## Examples + +Loop through Service Bus topics by their names: + +```ruby +azure_service_bus_topics(resource_group: 'RESOURCE_GROUP', namespace_name: 'SERVICE_BUS_NAMESPACE_NAME').names.each do |name| + describe azure_service_bus_topic(resource_group: 'RESOURCE_GROUP', namespace_name: 'SERVICE_BUS_NAMESPACE_NAME', name: name) do + it { should exist } + end +end +``` + +Test that there are Service Bus topics that are successfully provisioned: + +```ruby +describe azure_service_bus_topics(resource_group: 'RESOURCE_GROUP', namespace_name: 'SERVICE_BUS_NAMESPACE_NAME').where(status: 'Active') do + it { should exist } +end +``` + +## Matchers + +{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}} + +This resource has the following special matchers. + +### exists + +```ruby +# Should not exist if no Service Bus topics are present. + +describe azure_service_bus_topics(resource_group: 'RESOURCE_GROUP', namespace_name: 'SERVICE_BUS_NAMESPACE_NAME') do + it { should_not exist } +end +``` + +### not_exists + +```ruby +# Should exist if the filter returns at least one Service Bus topic. + +describe azure_service_bus_topics(resource_group: 'RESOURCE_GROUP', namespace_name: 'SERVICE_BUS_NAMESPACE_NAME') do + it { should exist } +end +``` + +## Azure permissions + +{{% inspec-azure/azure_permissions_service_principal role="reader" %}} diff --git a/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_service_fabric_mesh_application.md b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_service_fabric_mesh_application.md new file mode 100644 index 0000000..15eff1b --- /dev/null +++ b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_service_fabric_mesh_application.md 
@@ -0,0 +1,114 @@ ++++ +title = "azure_service_fabric_mesh_application resource" + +draft = false + + +[menu.azure] +title = "azure_service_fabric_mesh_application" +identifier = "inspec/resources/azure/azure_service_fabric_mesh_application resource" +parent = "inspec/resources/azure" ++++ + +Use the `azure_service_fabric_mesh_application` InSpec audit resource to test the properties of an Azure Service Fabric Mesh application. + +## Azure REST API version, endpoint, and HTTP client parameters + +{{< readfile file="content/reusable/md/inspec_azure_common_parameters.md" >}} + +## Syntax + +```ruby +describe azure_service_fabric_mesh_application(resource_group: 'RESOURCE_GROUP', name: 'SERVICE_FABRIC_MESH_APP_NAME') do + it { should exist } + its('type') { should eq 'Microsoft.ServiceFabricMesh/applications' } + its('location') { should eq 'eastus' } +end +``` + +```ruby +describe azure_service_fabric_mesh_application(resource_group: 'RESOURCE_GROUP', name: 'SERVICE_FABRIC_MESH_APP_NAME') do + it { should exist } +end +``` + +## Parameters + +`name` _(required)_ +: Name of the Azure Service Fabric Mesh applications to test. + +`resource_group` _(required)_ +: Azure resource group where the targeted resource resides. + +## Properties + +`id` +: Resource ID. + +`name` +: Resource name. + +`type` +: Resource type. `Microsoft.ServiceFabricMesh/applications`. + +`location` +: The Geo-location where the resource lives. + +`properties` +: The properties of the Service Fabric Mesh application. + +`properties.description` +: User-readable description of the application. + +`properties.debugParams` +: Internal use. + +`properties.provisioningState` +: State of the resource. + +`properties.healthState` +: The health state of a resource such as application, Service, or Network. + +For properties applicable to all resources, such as `type`, `name`, `id`, and `properties`, refer to [`azure_generic_resource`](azure_generic_resource#properties). 
+ +Also, see the [Azure documentation](https://docs.microsoft.com/en-us/rest/api/servicefabric/sfmeshrp-api-application_get) for other available properties. + +## Examples + +Test that the Service Fabric Mesh application is provisioned successfully: + +```ruby +describe azure_service_fabric_mesh_application(resource_group: 'RESOURCE_GROUP', name: 'SERVICE_FABRIC_MESH_APP_NAME') do + its('properties.provisioningState') { should eq 'Succeeded' } +end +``` + +## Matchers + +{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}} + +This resource has the following special matchers. + +### exists + +```ruby +# If a Service Fabric Mesh application is found, it will exist. + +describe azure_service_fabric_mesh_application(resource_group: 'RESOURCE_GROUP', name: 'SERVICE_FABRIC_MESH_APP_NAME') do + it { should exist } +end +``` + +### not_exists + +```ruby +# If a Service Fabric Mesh application is not found, it will not exist. + +describe azure_service_fabric_mesh_application(resource_group: 'RESOURCE_GROUP', name: 'SERVICE_FABRIC_MESH_APP_NAME') do + it { should_not exist } +end +``` + +## Azure permissions + +{{% inspec-azure/azure_permissions_service_principal role="reader" %}} diff --git a/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_service_fabric_mesh_applications.md b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_service_fabric_mesh_applications.md new file mode 100644 index 0000000..7169513 --- /dev/null +++ b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_service_fabric_mesh_applications.md 
@@ -0,0 +1,130 @@ ++++ +title = "azure_service_fabric_mesh_applications resource" + +draft = false + + +[menu.azure] +title = "azure_service_fabric_mesh_applications" +identifier = "inspec/resources/azure/azure_service_fabric_mesh_applications resource" +parent = "inspec/resources/azure" ++++ + +Use the `azure_service_fabric_mesh_applications` InSpec audit resource to test the properties of all Azure Service Fabric Mesh applications. + +## Azure REST API version, endpoint, and HTTP client parameters + +{{< readfile file="content/reusable/md/inspec_azure_common_parameters.md" >}} + +## Syntax + +An `azure_service_fabric_mesh_applications` resource block returns all Azure Service Fabric Mesh applications. + +```ruby +describe azure_service_fabric_mesh_applications do + #... +end +``` + +## Parameters + +`resource_group` _(optional)_ +: Azure resource group where the targeted resource resides. + +## Properties + +`ids` +: A list of resource IDs. + + Field: `id` + +`names` +: A list of resource names. + + Field: `name` + +`types` +: A list of the resource types. + + Field: `type` + +`properties` +: A list of Properties for all the Service Fabric Mesh applications. + + Field: `properties` + +`locations` +: A list of the Geo-locations. + + Field: `location` + +`provisioningStates` +: A list of provisioning states of the Service Fabric Mesh applications. + + Field: `provisioningState` + +`healthStates` +: A list of the health states of a resource such as application, Service, or Network. + + Field: `healthState` + +`serviceNames` +: A list of the services in the application. 
+ + Field: `serviceNames` + +{{< note >}} + +{{< readfile file="content/reusable/md/inspec_filter_table.md" >}} + +{{< /note>}} + +## Examples + +Loop through Service Fabric Mesh applications by their names: + +```ruby +azure_service_fabric_mesh_applications(resource_group: 'RESOURCE_GROUP').names.each do |name| + describe azure_service_fabric_mesh_application(resource_group: 'RESOURCE_GROUP', name: name) do + it { should exist } + end +end +``` + +Test that there are Service Fabric Mesh applications that are successfully provisioned: + +```ruby +describe azure_service_fabric_mesh_applications(resource_group: 'RESOURCE_GROUP').where(provisioningState: 'Succeeded') do + it { should exist } +end +``` + +## Matchers + +{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}} + +This resource has the following special matchers. + +### exists + +```ruby +# Should not exist if no Service Fabric Mesh applications are present. + +describe azure_service_fabric_mesh_applications(resource_group: 'RESOURCE_GROUP') do + it { should_not exist } +end +``` + +### not_exists + +```ruby +# Should exist if the filter returns at least one Service Fabric Mesh application. + +describe azure_service_fabric_mesh_applications(resource_group: 'RESOURCE_GROUP') do + it { should exist } +end +``` + +## Azure permissions + +{{% inspec-azure/azure_permissions_service_principal role="reader" %}} diff --git a/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_service_fabric_mesh_network.md b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_service_fabric_mesh_network.md new file mode 100644 index 0000000..e878160 --- /dev/null +++ b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_service_fabric_mesh_network.md 
@@ -0,0 +1,115 @@ ++++ +title = "azure_service_fabric_mesh_network resource" + +draft = false + + +[menu.azure] +title = "azure_service_fabric_mesh_network" +identifier = "inspec/resources/azure/azure_service_fabric_mesh_network resource" +parent = "inspec/resources/azure" ++++ + +Use the `azure_service_fabric_mesh_network` InSpec audit resource to test the properties of an Azure Service Fabric Mesh network. + +## Azure REST API version, endpoint, and HTTP client parameters + +{{< readfile file="content/reusable/md/inspec_azure_common_parameters.md" >}} + +## Syntax + +`name` and `resource_group` are required parameters. + +```ruby +describe azure_service_fabric_mesh_network(resource_group: 'RESOURCE_GROUP', name: 'SERVICE_FABRIC_MESH_NETWORK_NAME') do + it { should exist } + its('type') { should eq 'Microsoft.ServiceFabricMesh/networks' } + its('location') { should eq 'eastus' } +end +``` + +```ruby +describe azure_service_fabric_mesh_network(resource_group: 'RESOURCE_GROUP', name: 'SERVICE_FABRIC_MESH_NETWORK_NAME') do + it { should exist } +end +``` + +## Parameters + +`name` +: Name of the Azure Service Fabric Mesh networks to test. + +`resource_group` +: Azure resource group where the targeted resource resides. + +The parameter set that should be provided for a valid query is `resource_group` and `name`. + +## Properties + +`id` +: Resource ID. + +`name` +: Resource name. + +`type` +: Resource type. `Microsoft.ServiceFabricMesh/networks`. + +`location` +: The Geo-location where the resource lives. + +`properties` +: The properties of the Service Fabric Mesh network. + +`properties.addressPrefix` +: the address prefix for this network. + +`properties.provisioningState` +: State of the resource. + +`properties.ingressConfig.qosLevel` +: The QoS tier for ingress. + +For properties applicable to all resources, such as `type`, `name`, `id`, and `properties`, refer to [`azure_generic_resource`](azure_generic_resource#properties). 
+ +Also, see the [Azure documentation](https://docs.microsoft.com/en-us/rest/api/servicefabric/sfmeshrp-api-network_get) for other available properties. + +## Examples + +Test that the Service Fabric Mesh network is provisioned successfully: + +```ruby +describe azure_service_fabric_mesh_network(resource_group: 'RESOURCE_GROUP', name: 'SERVICE_FABRIC_MESH_NETWORK_NAME') do + its('properties.provisioningState') { should eq 'Succeeded' } +end +``` + +## Matchers + +{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}} + +This resource has the following special matchers. + +### exists + +```ruby +# If a Service Fabric Mesh network is found, it will exist. + +describe azure_service_fabric_mesh_network(resource_group: 'RESOURCE_GROUP', name: 'SERVICE_FABRIC_MESH_NETWORK_NAME') do + it { should exist } +end +``` + +### not_exists + +```ruby +# If a Service Fabric Mesh network is not found, it will not exist. + +describe azure_service_fabric_mesh_network(resource_group: 'RESOURCE_GROUP', name: 'SERVICE_FABRIC_MESH_NETWORK_NAME') do + it { should_not exist } +end +``` + +## Azure permissions + +{{% inspec-azure/azure_permissions_service_principal role="reader" %}} diff --git a/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_service_fabric_mesh_networks.md b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_service_fabric_mesh_networks.md new file mode 100644 index 0000000..6a1ea31 --- /dev/null +++ b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_service_fabric_mesh_networks.md 
@@ -0,0 +1,125 @@ ++++ +title = "azure_service_fabric_mesh_networks resource" + +draft = false + + +[menu.azure] +title = "azure_service_fabric_mesh_networks" +identifier = "inspec/resources/azure/azure_service_fabric_mesh_networks resource" +parent = "inspec/resources/azure" ++++ + +Use the `azure_service_fabric_mesh_networks` InSpec audit resource to test the properties of all Azure Service Fabric Mesh networks. + +## Azure REST API version, endpoint, and HTTP client parameters + +{{< readfile file="content/reusable/md/inspec_azure_common_parameters.md" >}} + +## Syntax + +An `azure_service_fabric_mesh_networks` resource block returns all Azure Service Fabric Mesh networks. + +```ruby +describe azure_service_fabric_mesh_networks do + #... +end +``` + +## Parameters + +`resource_group` _(optional)_ +: Azure resource group where the targeted resource resides. + +## Properties + +`ids` +: A list of resource IDs. + + Field: `id` + +`names` +: A list of resource names. + + Field: `name` + +`types` +: A list of the resource types. + + Field: `type` + +`properties` +: A list of Properties for all the Service Fabric Mesh networks. + + Field: `properties` + +`locations` +: A list of the Geo-locations. + + Field: `location` + +`provisioningStates` +: A list of provisioning states of the Service Fabric Mesh networks. + + Field: `provisioningState` + +`addressPrefixes` +: A list of address prefixes. 
+ + Field: `addressPrefix` + +{{< note >}} + +{{< readfile file="content/reusable/md/inspec_filter_table.md" >}} + +{{< /note>}} + +## Examples + +Loop through Service Fabric Mesh networks by their names: + +```ruby +azure_service_fabric_mesh_networks(resource_group: 'RESOURCE_GROUP').names.each do |name| + describe azure_service_fabric_mesh_network(resource_group: 'RESOURCE_GROUP', name: name) do + it { should exist } + end +end +``` + +Test that there are Service Fabric Mesh networks that are successfully provisioned: + +```ruby +describe azure_service_fabric_mesh_networks(resource_group: 'RESOURCE_GROUP').where(provisioningState: 'Succeeded') do + it { should exist } +end +``` + +## Matchers + +{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}} + +This resource has the following special matchers. + +### exists + +```ruby +# Should not exist if no Service Fabric Mesh networks are present. + +describe azure_service_fabric_mesh_networks(resource_group: 'RESOURCE_GROUP') do + it { should_not exist } +end +``` + +### not_exists + +```ruby +# Should exist if the filter returns at least one Service Fabric Mesh networks. + +describe azure_service_fabric_mesh_networks(resource_group: 'RESOURCE_GROUP') do + it { should exist } +end +``` + +## Azure permissions + +{{% inspec-azure/azure_permissions_service_principal role="reader" %}} diff --git a/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_service_fabric_mesh_replica.md b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_service_fabric_mesh_replica.md new file mode 100644 index 0000000..39a21ab --- /dev/null +++ b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_service_fabric_mesh_replica.md 
@@ -0,0 +1,105 @@ ++++ +title = "azure_service_fabric_mesh_replica resource" + +draft = false + + +[menu.azure] +title = "azure_service_fabric_mesh_replica" +identifier = "inspec/resources/azure/azure_service_fabric_mesh_replica resource" +parent = "inspec/resources/azure" ++++ + +Use the `azure_service_fabric_mesh_replica` InSpec audit resource to test the properties of an Azure Service Fabric Mesh replica. + +## Azure REST API version, endpoint, and HTTP client parameters + +{{< readfile file="content/reusable/md/inspec_azure_common_parameters.md" >}} + +## Syntax + +```ruby +describe azure_service_fabric_mesh_replica(resource_group: 'RESOURCE_GROUP', application_name: 'SERVICE_FABRIC_MESH_APPLICATION_NAME', service_name: 'SERVICE_FABRIC_MESH_SERVICE_NAME', name: 'SERVICE_FABRIC_MESH_SERVICE_REPLICA_NAME') do + it { should exist } + its('type') { should eq 'Microsoft.ServiceFabricMesh/applications' } + its('location') { should eq 'eastus' } +end +``` + +```ruby +describe azure_service_fabric_mesh_replica(resource_group: 'RESOURCE_GROUP', application_name: 'SERVICE_FABRIC_MESH_APPLICATION_NAME', service_name: 'SERVICE_FABRIC_MESH_SERVICE_NAME', name: 'SERVICE_FABRIC_MESH_SERVICE_REPLICA_NAME') do + it { should exist } +end +``` + +## Parameters + +`name` _(required)_ +: Name of the Azure Service Fabric Mesh replicas to test. + +`resource_group` _(required)_ +: Azure resource group where the targeted resource resides. + +`application_name` _(required)_ +: The identity of the application. + +`service_name` _(required)_ +: The identity of the service. + +## Properties + +`osType` +: The Operating system type required by the code in service. + +`codePackages` +: Describes the set of code packages that form the service. + +`networkRefs` +: The names of the private networks that this service needs to be part. + +`replicaName` +: Name of the replica. 
+ +For properties applicable to all resources, such as `type`, `name`, `id`, and `properties`, refer to [`azure_generic_resource`](azure_generic_resource#properties). + +Also, see the [Azure documentation](https://docs.microsoft.com/en-us/rest/api/servicefabric/sfmeshrp-api-replica_get) for other available properties. + +## Examples + +Test that the Service Fabric Mesh replica Replica is equal to 1: + +```ruby +describe azure_service_fabric_mesh_replica(resource_group: 'RESOURCE_GROUP', application_name: 'SERVICE_FABRIC_MESH_APPLICATION_NAME', service_name: 'SERVICE_FABRIC_MESH_SERVICE_NAME', name: 'SERVICE_FABRIC_MESH_SERVICE_REPLICA_NAME') do + its('replicaName') { should eq '1' } +end +``` + +## Matchers + +{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}} + +This resource has the following special matchers. + +### exists + +```ruby +# If a Service Fabric Mesh replica is found, it will exist. + +describe azure_service_fabric_mesh_replica(resource_group: 'RESOURCE_GROUP', application_name: 'SERVICE_FABRIC_MESH_APPLICATION_NAME', service_name: 'SERVICE_FABRIC_MESH_SERVICE_NAME', name: 'SERVICE_FABRIC_MESH_SERVICE_REPLICA_NAME') do + it { should exist } +end +``` + +### not_exists + +```ruby +# If a Service Fabric Mesh replica is not found, it will not exist. + +describe azure_service_fabric_mesh_replica(resource_group: 'RESOURCE_GROUP', application_name: 'SERVICE_FABRIC_MESH_APPLICATION_NAME', service_name: 'SERVICE_FABRIC_MESH_SERVICE_NAME', name: 'SERVICE_FABRIC_MESH_SERVICE_REPLICA_NAME') do + it { should_not exist } +end +``` + +## Azure permissions + +{{% inspec-azure/azure_permissions_service_principal role="reader" %}} diff --git a/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_service_fabric_mesh_replicas.md b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_service_fabric_mesh_replicas.md new file mode 100644 index 0000000..b2bd373 --- /dev/null 
+++ b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_service_fabric_mesh_replicas.md 
@@ -0,0 +1,106 @@ ++++ +title = "azure_service_fabric_mesh_replicas resource" + +draft = false + + +[menu.azure] +title = "azure_service_fabric_mesh_replicas" +identifier = "inspec/resources/azure/azure_service_fabric_mesh_replicas resource" +parent = "inspec/resources/azure" ++++ + +Use the `azure_service_fabric_mesh_replicas` InSpec audit resource to test the properties of all Azure Service Fabric Mesh replicas. + +## Azure REST API version, endpoint, and HTTP client parameters + +{{< readfile file="content/reusable/md/inspec_azure_common_parameters.md" >}} + +## Syntax + +An `azure_service_fabric_mesh_replicas` resource block returns all Azure Service Fabric Mesh replicas. + +```ruby +describe azure_service_fabric_mesh_replicas(resource_group: 'RESOURCE_GROUP', application_name: 'SERVICE_FABRIC_MESH_APPLICATION_NAME', service_name: 'SERVICE_FABRIC_MESH_SERVICE_NAME') do + #... +end +``` + +## Parameters + +`resource_group` _(required)_ +: Azure resource group where the targeted resource resides. + +`application_name` _(required)_ +: The identity of the application. + +`service_name` _(required)_ +: The identity of the service. + +## Properties + +`osTypes` +: A list of OS Types. + + Field: `osType` + +`codePackages` +: A list of code packages. + + Field: `codePackages` + +`networkRefs` +: A list of the network refs. + + Field: `networkRefs` + +`replicaNames` +: A list of the replica names. 
+ + Field: `replicaName` + +{{< note >}} + +{{< readfile file="content/reusable/md/inspec_filter_table.md" >}} + +{{< /note>}} + +## Examples + +Test that there are Service Fabric Mesh replicas with at least one replica: + +```ruby +describe azure_service_fabric_mesh_replicas(resource_group: 'RESOURCE_GROUP', application_name: 'SERVICE_FABRIC_MESH_APPLICATION_NAME', service_name: 'SERVICE_FABRIC_MESH_SERVICE_NAME').where{ replicaName > 1 } do + it { should exist } +end +``` + +## Matchers + +{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}} + +This resource has the following special matchers. + +### exists + +```ruby +# Should not exist if no Service Fabric Mesh replicas are present. + +describe azure_service_fabric_mesh_replicas(resource_group: 'RESOURCE_GROUP', application_name: 'SERVICE_FABRIC_MESH_APPLICATION_NAME', service_name: 'SERVICE_FABRIC_MESH_SERVICE_NAME') do + it { should_not exist } +end +``` + +### not_exists + +```ruby +# Should exist if the filter returns at least one Service Fabric Mesh replica. + +describe azure_service_fabric_mesh_replicas(resource_group: 'RESOURCE_GROUP', application_name: 'SERVICE_FABRIC_MESH_APPLICATION_NAME', service_name: 'SERVICE_FABRIC_MESH_SERVICE_NAME') do + it { should exist } +end +``` + +## Azure permissions + +{{% inspec-azure/azure_permissions_service_principal role="reader" %}} diff --git a/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_service_fabric_mesh_service.md b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_service_fabric_mesh_service.md new file mode 100644 index 0000000..0550157 --- /dev/null +++ b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_service_fabric_mesh_service.md 
@@ -0,0 +1,107 @@ ++++ +title = "azure_service_fabric_mesh_service resource" + +draft = false + + +[menu.azure] +title = "azure_service_fabric_mesh_service" +identifier = "inspec/resources/azure/azure_service_fabric_mesh_service resource" +parent = "inspec/resources/azure" ++++ + +Use the `azure_service_fabric_mesh_service` InSpec audit resource to test the properties of an Azure Service Fabric Mesh service. + +## Azure REST API version, endpoint, and HTTP client parameters + +{{< readfile file="content/reusable/md/inspec_azure_common_parameters.md" >}} + +## Syntax + +```ruby +describe azure_service_fabric_mesh_service(resource_group: 'RESOURCE_GROUP', name: 'SERVICE_FABRIC_MESH_SERVICE_NAME') do + it { should exist } + its('type') { should eq 'Microsoft.ServiceFabricMesh/applications' } +end +``` + +```ruby +describe azure_service_fabric_mesh_service(resource_group: 'RESOURCE_GROUP', name: 'SERVICE_FABRIC_MESH_SERVICE_NAME') do + it { should exist } +end +``` + +## Parameters + +`name` _(required)_ +: Name of the Azure Service Fabric Mesh service to test. + +`resource_group` _(required)_ +: Azure resource group where the targeted resource resides. + +## Properties + +`id` +: Resource ID. + +`name` +: Resource name. + +`type` +: Resource type. `Microsoft.ServiceFabricMesh/services`. + +`properties` +: The properties of the **Service Fabric Mesh Service**. + +`properties.osType` +: The Operating system type required by the code in service. + +`properties.replicaCount` +: The number of replicas of the service to create. Defaults to 1 if not specified. + +`properties.healthState` +: Describes the health state of a services resource. + +For properties applicable to all resources, such as `type`, `name`, `id`, and `properties`, refer to [`azure_generic_resource`](azure_generic_resource#properties). + +Also, see the [Azure documentation](https://docs.microsoft.com/en-us/rest/api/servicefabric/sfmeshrp-api-service_get) for other available properties. 
+ +## Examples + +Test that the 'Service Fabric Mesh Service' is healthy: + +```ruby +describe azure_service_fabric_mesh_service(resource_group: 'RESOURCE_GROUP', name: 'SERVICE_FABRIC_MESH_SERVICE_NAME') do + its('properties.healthState') { should eq 'Ok' } +end +``` + +## Matchers + +{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}} + +This resource has the following special matchers. + +### exists + +```ruby +# If a Service Fabric Mesh Service is found, it will exist. + +describe azure_service_fabric_mesh_service(resource_group: 'RESOURCE_GROUP', name: 'SERVICE_FABRIC_MESH_SERVICE_NAME') do + it { should exist } +end +``` + +### not_exists + +```ruby +# If Service Fabric Mesh Service is not found, it will not exist. + +describe azure_service_fabric_mesh_service(resource_group: 'RESOURCE_GROUP', name: 'SERVICE_FABRIC_MESH_SERVICE_NAME') do + it { should_not exist } +end +``` + +## Azure permissions + +{{% inspec-azure/azure_permissions_service_principal role="reader" %}} diff --git a/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_service_fabric_mesh_services.md b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_service_fabric_mesh_services.md new file mode 100644 index 0000000..5984f6d --- /dev/null +++ b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_service_fabric_mesh_services.md 
@@ -0,0 +1,125 @@ ++++ +title = "azure_service_fabric_mesh_services resource" + +draft = false + + +[menu.azure] +title = "azure_service_fabric_mesh_services" +identifier = "inspec/resources/azure/azure_service_fabric_mesh_services resource" +parent = "inspec/resources/azure" ++++ + +Use the `azure_service_fabric_mesh_services` InSpec audit resource to test the properties of all Azure Service Fabric Mesh services within a project. + +## Azure REST API version, endpoint, and HTTP client parameters + +{{< readfile file="content/reusable/md/inspec_azure_common_parameters.md" >}} + +## Syntax + +An `azure_service_fabric_mesh_services` resource block returns all Azure service Fabric Mesh services within a project. + +```ruby +describe azure_service_fabric_mesh_services do + #... +end +``` + +## Parameters + +`resource_group` _(optional)_ +: Azure resource group where the targeted resource resides. + +## Properties + +`ids` +: A list of resource IDs. + + Field: `id` + +`names` +: A list of resource names. + + Field: `name` + +`types` +: A list of the resource types. + + Field: `type` + +`properties` +: A list of Properties for all the service Fabric Mesh services. + + Field: `properties` + +`osTypes` +: The Operating system type required by the code in services. + + Field: `replicaCount` + +`replicaCounts` +: The number of replicas of the service to create. Defaults to 1 if not specified. + + Field: `metricId` + +`healthStates` +: The health state of a services resource. 
+ + Field: `healthState` + +{{< note >}} + +{{< readfile file="content/reusable/md/inspec_filter_table.md" >}} + +{{< /note>}} + +## Examples + +Loop through service Fabric Mesh services by their names: + +```ruby +azure_service_fabric_mesh_services(resource_group: 'RESOURCE_GROUP').names.each do |name| + describe azure_service_fabric_mesh_service(resource_group: 'RESOURCE_GROUP', name: name) do + it { should exist } + end +end +``` + +Test that there are service Fabric Mesh services that are healthy: + +```ruby +describe azure_service_fabric_mesh_services(resource_group: 'RESOURCE_GROUP').where(replicaCounts: 2) do + it { should exist } +end +``` + +## Matchers + +{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}} + +This resource has the following special matchers. + +### exists + +```ruby +# Should not exist if no service Fabric Mesh services are present. + +describe azure_service_fabric_mesh_services(resource_group: 'RESOURCE_GROUP') do + it { should_not exist } +end +``` + +### not_exists + +```ruby +# Should exist if the filter returns at least one service Fabric Mesh services. + +describe azure_service_fabric_mesh_services(resource_group: 'RESOURCE_GROUP') do + it { should exist } +end +``` + +## Azure permissions + +{{% inspec-azure/azure_permissions_service_principal role="reader" %}} diff --git a/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_service_fabric_mesh_volume.md b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_service_fabric_mesh_volume.md new file mode 100644 index 0000000..f4c92e9 --- /dev/null +++ b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_service_fabric_mesh_volume.md 
@@ -0,0 +1,111 @@ ++++ +title = "azure_service_fabric_mesh_volume resource" + +draft = false + + +[menu.azure] +title = "azure_service_fabric_mesh_volume" +identifier = "inspec/resources/azure/azure_service_fabric_mesh_volume resource" +parent = "inspec/resources/azure" ++++ + +Use the `azure_service_fabric_mesh_volume` InSpec audit resource to test the properties of an Azure Service Fabric Mesh volume. + +## Azure REST API version, endpoint, and HTTP client parameters + +{{< readfile file="content/reusable/md/inspec_azure_common_parameters.md" >}} + +## Syntax + +```ruby +describe azure_service_fabric_mesh_volume(resource_group: 'RESOURCE_GROUP', name: 'SERVICE_FABRIC_MESH_VOLUME_NAME') do + it { should exist } + its('type') { should eq 'Microsoft.ServiceFabricMesh/applications' } + its('location') { should eq 'eastus' } +end +``` + +```ruby +describe azure_service_fabric_mesh_volume(resource_group: 'RESOURCE_GROUP', name: 'SERVICE_FABRIC_MESH_VOLUME_NAME') do + it { should exist } +end +``` + +## Parameters + +`name` _(required)_ +: Name of the Azure Service Fabric Mesh volumes to test. + +`resource_group` _(required)_ +: Azure resource group where the targeted resource resides. + +## Properties + +`id` +: Resource ID. + +`name` +: Resource name. + +`type` +: Resource type. `Microsoft.ServiceFabricMesh/applications`. + +`location` +: The Geo-location where the resource lives. + +`properties` +: The properties of the Service Fabric Mesh volume. + +`properties.description` +: User-readable description of the application. + +`properties.provisioningState` +: State of the resource. + +`properties.azureFileParameters.shareName` +: Name of the Azure Files file share that provides storage for the volume. + +For properties applicable to all resources, such as `type`, `name`, `id`, and `properties`, refer to [`azure_generic_resource`](azure_generic_resource#properties). 
+ +Also, see the [Azure documentation](https://docs.microsoft.com/en-us/rest/api/servicefabric/sfmeshrp-api-volume_get) for other available properties. + +## Examples + +Test that the Service Fabric Mesh volume is provisioned successfully: + +```ruby +describe azure_service_fabric_mesh_volume(resource_group: 'RESOURCE_GROUP', name: 'SERVICE_FABRIC_MESH_VOLUME_NAME') do + its('properties.provisioningState') { should eq 'Succeeded' } +end +``` + +## Matchers + +{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}} + +This resource has the following special matchers. + +### exists + +```ruby +# If a Service Fabric Mesh volume is found, it will exist. + +describe azure_service_fabric_mesh_volume(resource_group: 'RESOURCE_GROUP', name: 'SERVICE_FABRIC_MESH_VOLUME_NAME') do + it { should exist } +end +``` + +### not_exists + +```ruby +# If Service Fabric Mesh volume is not found, it will not exist. + +describe azure_service_fabric_mesh_volume(resource_group: 'RESOURCE_GROUP', name: 'SERVICE_FABRIC_MESH_VOLUME_NAME') do + it { should_not exist } +end +``` + +## Azure permissions + +{{% inspec-azure/azure_permissions_service_principal role="reader" %}} diff --git a/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_service_fabric_mesh_volumes.md b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_service_fabric_mesh_volumes.md new file mode 100644 index 0000000..3c7b783 --- /dev/null +++ b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_service_fabric_mesh_volumes.md 
@@ -0,0 +1,130 @@ ++++ +title = "azure_service_fabric_mesh_volumes resource" + +draft = false + + +[menu.azure] +title = "azure_service_fabric_mesh_volumes" +identifier = "inspec/resources/azure/azure_service_fabric_mesh_volumes resource" +parent = "inspec/resources/azure" ++++ + +Use the `azure_service_fabric_mesh_volumes` InSpec audit resource to test the properties of all Azure Service Fabric Mesh volumes. + +## Azure REST API version, endpoint, and HTTP client parameters + +{{< readfile file="content/reusable/md/inspec_azure_common_parameters.md" >}} + +## Syntax + +An `azure_service_fabric_mesh_volumes` resource block returns all Azure Service Fabric Mesh volumes. + +```ruby +describe azure_service_fabric_mesh_volumes do + #... +end +``` + +## Parameters + +`resource_group` _(optional)_ +: Azure resource group where the targeted resource resides. + +## Properties + +`ids` +: A list of resource IDs. + + Field: `id` + +`names` +: A list of resource names. + + Field: `name` + +`types` +: A list of the resource types. + + Field: `type` + +`properties` +: A list of Properties for all the Service Fabric Mesh volumes. + + Field: `properties` + +`locations` +: A list of the Geo-locations. + + Field: `location` + +`provisioningStates` +: A list of provisioning states of the Service Fabric Mesh volumes. + + Field: `provisioningState` + +`providers` +: A list of providers of the volume. + + Field: `provider` + +`shareNames` +: A list of the Name of the Azure Files file share that provides storage for the volume. 
+ + Field: `shareName` + +{{< note >}} + +{{< readfile file="content/reusable/md/inspec_filter_table.md" >}} + +{{< /note>}} + +## Examples + +Loop through Service Fabric Mesh volumes by their names: + +```ruby +azure_service_fabric_mesh_volumes(resource_group: 'RESOURCE_GROUP').names.each do |name| + describe azure_service_fabric_mesh_volume(resource_group: 'RESOURCE_GROUP', name: name) do + it { should exist } + end +end +``` + +Test that there are Service Fabric Mesh volumes that are successfully provisioned: + +```ruby +describe azure_service_fabric_mesh_volumes(resource_group: 'RESOURCE_GROUP').where(provisioningState: 'Succeeded') do + it { should exist } +end +``` + +## Matchers + +{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}} + +This resource has the following special matchers. + +### exists + +```ruby +# Should not exist if no Service Fabric Mesh volumes are present. + +describe azure_service_fabric_mesh_volumes(resource_group: 'RESOURCE_GROUP') do + it { should_not exist } +end +``` + +### not_exists + +```ruby +# Should exist if the filter returns at least one Service Fabric Mesh volume. + +describe azure_service_fabric_mesh_volumes(resource_group: 'RESOURCE_GROUP') do + it { should exist } +end +``` + +## Azure permissions + +{{% inspec-azure/azure_permissions_service_principal role="reader" %}} diff --git a/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_snapshot.md b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_snapshot.md new file mode 100644 index 0000000..697300c --- /dev/null +++ b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_snapshot.md 
@@ -0,0 +1,122 @@ ++++ +title = "azure_snapshot resource" + +draft = false + + +[menu.azure] +title = "azure_snapshot" +identifier = "inspec/resources/azure/azure_snapshot resource" +parent = "inspec/resources/azure" ++++ + +Use the `azure_snapshot` InSpec audit resource to test the properties and configuration of an Azure snapshot. + +## Azure REST API version, endpoint, and HTTP client parameters + +{{< readfile file="content/reusable/md/inspec_azure_common_parameters.md" >}} + +## Syntax + +`resource_group` and `name` are required parameters. + +```ruby +describe azure_snapshot(resource_group: 'RESOURCE_GROUP', name: 'SNAPSHOT_NAME') do + it { should exist } +end +``` + +## Parameters + +`resource_group` _(required)_ +: Azure resource group where the targeted resource resides. + +`name` _(required)_ +: The name of the snapshot that is being created. + +## Properties + +`id` +: The id of the snapshot. + +`name` +: The name of the snapshot. + +`type` +: The type of the snapshot. + +`location` +: The location of the snapshot. + +`properties` +: The properties of the snapshot. + +`sku` +: The sku of the snapshot. + +For properties applicable to all resources, such as `type`, `name`, `id`, and `properties`, refer to [`azure_generic_resource`](azure_generic_resource#properties). + +See the [Azure documentation](https://learn.microsoft.com/en-us/rest/api/compute/snapshots/get?tabs=HTTP) for other available properties. +You can access any attribute in the response with the key names separated by dots (`.`). For example, `properties.`. 
+ +## Examples + +Test if a snapshot is referenced with a valid name: + +```ruby +describe azure_snapshot(resource_group: 'RESOURCE_GROUP', name: 'SNAPSHOT_NAME') do + it { should exist } +end +``` + +Test if a snapshot is referenced with an invalid name: + +```ruby +describe azure_snapshot(resource_group: 'RESOURCE_GROUP', name: 'SNAPSHOT_NAME') do + it { should_not exist } +end +``` + +Test if a snapshot has the `Windows' operating system type: + +```ruby +describe azure_snapshot(resource_group: 'RESOURCE_GROUP', name: 'SNAPSHOT_NAME') do + its('properties.osType') { should cmp 'Windows' } +end +``` + +Test if the snapshot has a valid disk size: + +```ruby +describe azure_snapshot(resource_group: 'RESOURCE_GROUP', name: 'SNAPSHOT_NAME') do + its('properties.diskSizeGB') { should cmp 127 } +end +``` + +## Matchers + +{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}} + +This resource has the following special matchers. + +### exists + +Use `should exist` to test for a resource that should exist. + +```ruby +describe azure_snapshot(resource_group: 'RESOURCE_GROUP', name: 'SNAPSHOT_NAME') do + it { should exist } +end +``` + +Use `should_not exist` to test for a resource that should not exist. + +```ruby +describe azure_snapshot(resource_group: 'RESOURCE_GROUP', name: 'SNAPSHOT_NAME') do + it { should_not exist } +end +``` + +## Azure permissions + +{{% inspec-azure/azure_permissions_service_principal role="contributor" %}} diff --git a/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_snapshots.md b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_snapshots.md new file mode 100644 index 0000000..fcb10a5 --- /dev/null +++ b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_snapshots.md 
@@ -0,0 +1,109 @@ ++++ +title = "azure_snapshots resource" + +draft = false + + +[menu.azure] +title = "azure_snapshots" +identifier = "inspec/resources/azure/azure_snapshots resource" +parent = "inspec/resources/azure" ++++ + +Use the `azure_snapshots` InSpec audit resource to test the properties and configurations of multiple Azure snapshots. + +## Azure REST API version, endpoint, and HTTP client parameters + +{{< readfile file="content/reusable/md/inspec_azure_common_parameters.md" >}} + +## Syntax + +```ruby +describe azure_snapshots do + it { should exist } +end +``` + +## Parameters + +No required parameters. + +## Properties + +`ids` +: The id of the snapshot. + + Field: `id` + +`names` +: The name of the snapshot. + + Field: `name` + +`types` +: The type of the snapshot. + + Field: `type` + +`locations` +: The location of the snapshot. + + Field: `location` + +`properties` +: The properties of the snapshot. + + Field: `properties` + +`skus` +: The sku of the snapshot. + + Field: `sku` + +{{< note >}} + +{{< readfile file="content/reusable/md/inspec_filter_table.md" >}} + +{{< /note>}} + +See the [Azure documentation](https://learn.microsoft.com/en-us/rest/api/compute/snapshots/list-by-resource-group?tabs=HTTP) for other available properties. + +## Examples + +Test if a snapshot has a valid type: + +```ruby +describe azure_snapshots do + its('types') { should cmp 'Microsoft.Compute/snapshots' } +end +``` + +## Matchers + +{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}} + +This resource has the following special matchers. + +### exists + +The control passes if the filter returns at least one result. Use `should_not` if you expect zero matches. + +Use `should exist` to test that a resource exists. + +```ruby +describe azure_snapshots do + it { should exist } +end +``` + +Use `should_not exist` to test that resources do not exist. 
+ +```ruby +describe azure_snapshots do + it { should_not exist } +end +``` + +## Azure permissions + +{{% inspec-azure/azure_permissions_service_principal role="contributor" %}} diff --git a/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_sql_database.md b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_sql_database.md new file mode 100644 index 0000000..78dc42a --- /dev/null +++ b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_sql_database.md 
@@ -0,0 +1,153 @@ ++++ +title = "azure_sql_database resource" + +draft = false + + +[menu.azure] +title = "azure_sql_database" +identifier = "inspec/resources/azure/azure_sql_database resource" +parent = "inspec/resources/azure" ++++ + +Use the `azure_sql_database` InSpec audit resource to test the properties and configuration of an Azure SQL Database. + +## Azure REST API version, endpoint, and HTTP client parameters + +{{< readfile file="content/reusable/md/inspec_azure_common_parameters.md" >}} + +## Syntax + +`resource_group`, `server_name`, and `name`, or the `resource_id` are required parameters. + +```ruby +describe azure_sql_database(resource_group: 'RESOURCE_GROUP', server_name: 'SERVER_NAME', name: 'DB_NAME') do + it { should exist } +end +``` + +```ruby +describe azure_sql_database(resource_id: '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Sql/servers/{serverName}/databases/{databaseName}') do + it { should exist } +end +``` + +## Parameters + +`resource_group` +: Azure resource group where the targeted resource resides. + +`server_name` +: The name of the server on which the database resides. + +`name` +: Name of the SQL database to test. + +`database_name` +: Alias for the `name` parameter. + +`resource_id` +: The unique resource ID. + +`auditing_settings_api_version` +: The endpoint API version for the `auditing_settings` property. The latest version will be used unless provided. + +`threat_detection_settings_api_version` +: The endpoint API version for the `threat_detection_settings` property. The latest version will be used unless provided. + +`encryption_settings_api_version` +: The endpoint API version for the `encryption_settings` property. The latest version will be used unless provided. 
+ +Either one of the parameter sets can be provided for a valid query: + +- `resource_id` +- `resource_group`, `server_name`, and `name` +- `resource_group`, `server_name`, and `database_name` + +## Properties + +`encryption_settings` +: Database's transparent data encryption configuration with [these](https://docs.microsoft.com/en-us/rest/api/sql/transparentdataencryptions/get#transparentdataencryption) properties. + +`auditing_settings` +: Database's blob auditing policy with [these](https://docs.microsoft.com/en-us/rest/api/sql/database%20auditing%20settings/get#databaseblobauditingpolicy) properties. + +`threat_detection_settings` +: Threat detection settings for the targeted database with [these](https://docs.microsoft.com/en-us/rest/api/sql/databasethreatdetectionpolicies/get#databasesecurityalertpolicy) properties. + +For properties applicable to all resources, such as `type`, `name`, `id`, and `properties`, refer to [`azure_generic_resource`](azure_generic_resource#properties). + +Also, see the [Azure documentation](https://docs.microsoft.com/en-us/rest/api/sql/databases/get#database) for other available properties. +You can access any attribute in the response with the key names separated by dots (`.`). For example, `properties.`. 
+ +## Examples + +Test if a SQL database is referenced with a valid name: + +```ruby +describe azure_sql_database(resource_group: 'RESOURCE_GROUP', server_name: 'SERVER_NAME', name: 'DB_NAME') do + it { should exist } +end +``` + +Test if a SQL database is referenced with an invalid name: + +```ruby +describe azure_sql_database(resource_group: 'RESOURCE_GROUP', server_name: 'SERVER_NAME', name: 'DB_NAME') do + it { should_not exist } +end +``` + +Test if a SQL database has transparent data encryption is enabled: + +```ruby +describe azure_sql_database(resource_group: 'RESOURCE_GROUP', server_name: 'SERVER_NAME', name: 'DB_NAME') do + its('encryption_settings.properties.status') { should cmp 'Enabled' } +end +``` + +Test if a SQL database auditing is enabled: + +```ruby +describe azure_sql_database(resource_group: 'inspec-rg', server_name: 'customer_server', name: 'order-db') do + its('auditing_settings.properties.status') { should cmp 'Enabled' } +end +``` + +Test if a SQL database threat detection is enabled: + +```ruby +describe azure_sql_database(resource_group: 'RESOURCE_GROUP', server_name: 'SERVER_NAME', name: 'DB_NAME') do + its('threat_detection_settings.properties.status') { should cmp 'Enabled' } +end +``` + +## Matchers + +{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}} + +This resource has the following special matchers. + +### exists + +```ruby +# If we expect a resource to always exist. + +describe azure_sql_database(resource_group: 'RESOURCE_GROUP', server_name: 'SERVER_NAME', name: 'DB_NAME') do + it { should exist } +end +``` + +### not_exists + +```ruby +# If we expect a resource to never exist. + +describe azure_sql_database(resource_group: 'RESOURCE_GROUP', server_name: 'SERVER_NAME', name: 'DB_NAME') do + it { should_not exist } +end +``` + +## Azure permissions + +{{% inspec-azure/azure_permissions_service_principal role="contributor" %}} 
diff --git a/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_sql_database_server_vulnerability_assessment.md b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_sql_database_server_vulnerability_assessment.md new file mode 100644 index 0000000..639baa6 --- /dev/null +++ b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_sql_database_server_vulnerability_assessment.md 
@@ -0,0 +1,100 @@ ++++ +title = "azure_sql_database_server_vulnerability_assessment resource" + +draft = false + + +[menu.azure] +title = "azure_sql_database_server_vulnerability_assessment" +identifier = "inspec/resources/azure/azure_sql_database_server_vulnerability_assessment resource" +parent = "inspec/resources/azure" ++++ + +Use the `azure_sql_database_server_vulnerability_assessment` InSpec audit resource to test the properties and configuration of an Azure SQL Database server vulnerability assessment. + +## Syntax + +`resource_group` and `server_name` are required parameters. + +```ruby +describe azure_sql_database_server_vulnerability_assessment(resource_group: 'RESOURCE_GROUP', server_name: 'SERVER_NAME') do + it { should exist } +end +``` + +## Parameters + +`resource_group` _(required)_ +: Azure resource group where the targeted resource resides. + +`server_name` _(required)_ +: The name of the server on which the database resides. + +## Properties + +`id` +: The ID of the resource. + +`name` +: The name of the resource. The name of the vulnerability assessment is `default`. + +`type` +: The type of the resource. + +`properties.recurringScans.isEnabled` +: Recurring scans state. + +`properties.recurringScans.emailSubscriptionAdmins` +: Specifies that the schedule scan notification will be is sent to the subscription administrators. + +`properties.recurringScans.emails` +: Specifies an array of e-mail addresses to which the scan notification is sent. + +For properties applicable to all resources, such as `type`, `name`, `id`, and `properties`, refer to [`azure_generic_resource`](azure_generic_resource#properties). + +See the [Azure documentation](https://learn.microsoft.com/en-us/rest/api/sql/2020-11-01-preview/server-vulnerability-assessments/get?tabs=HTTP) for other available properties. +You can access any attribute in the response with the key names separated by dots (`.`). For example, `properties.`. 
+ +## Examples + +Test if a SQL database server vulnerability assessment has recurring scans enabled: + +```ruby +describe azure_sql_database_server_vulnerability_assessment(resource_group: 'RESOURCE_GROUP', server_name: 'SERVER_NAME') do + its('properties.recurringScans.isEnabled') { should eq false } +end +``` + +Verify the type of the resource: + +```ruby +describe azure_sql_database_server_vulnerability_assessment(resource_group: 'RESOURCE_GROUP', server_name: 'SERVER_NAME') do + its('type') { should eq 'Microsoft.Sql/servers/vulnerabilityAssessments' } +end +``` + +## Matchers + +{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}} + +This resource has the following special matchers. + +### exist + +The control passes if the filter returns a result. Use `should_not` if a resource should not exist. + +```ruby +describe azure_sql_database_server_vulnerability_assessment(resource_group: 'RESOURCE_GROUP', server_name: 'SERVER_NAME') do + it { should exist } +end +``` + +```ruby +describe azure_sql_database_server_vulnerability_assessment(resource_group: 'RESOURCE_GROUP', server_name: 'SERVER_NAME') do + it { should_not exist } +end +``` + +## Azure permissions + +{{% inspec-azure/azure_permissions_service_principal role="contributor" %}} diff --git a/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_sql_database_server_vulnerability_assessments.md b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_sql_database_server_vulnerability_assessments.md new file mode 100644 index 0000000..5b71e95 --- /dev/null +++ b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_sql_database_server_vulnerability_assessments.md 
@@ -0,0 +1,129 @@ ++++ +title = "azure_sql_database_server_vulnerability_assessments resource" + +draft = false + + +[menu.azure] +title = "azure_sql_database_server_vulnerability_assessments" +identifier = "inspec/resources/azure/azure_sql_database_server_vulnerability_assessments resource" +parent = "inspec/resources/azure" ++++ + +Use the `azure_sql_database_server_vulnerability_assessments` InSpec audit resource to test the properties and configuration of multiple Azure SQL Database server vulnerability assessments. + +## Syntax + +The `resource_group` and `server_name` are required parameters. + +```ruby +describe azure_sql_database_server_vulnerability_assessments(resource_group: 'RESOURCE_GROUP', server_name: 'SERVER_NAME') do + it { should exist } +end +``` + +## Parameters + +`resource_group` _(required)_ +: Azure resource group where the targeted resource resides. + +`server_name` _(required)_ +: The name of the server in which the database resides. + +## Properties + +`ids` +: The ID of the resource. + + Field: `id` + +`names` +: The name of the resource. The name of the vulnerability assessment is `default`. + + Field: `name` + +`types` +: The type of the resource. + + Field: `type` + +`isEnabled` +: Recurring scans state. + + Field: `properties.recurringScans.isEnabled` + +`emailSubscriptionAdmins` +: Specifies that the schedule scan notification will be is sent to the subscription administrators. + + Field: `properties.recurringScans.emailSubscriptionAdmins` + +`emails` +: Specifies an array of e-mail addresses to which the scan notification is sent. 
+ + Field: `properties.recurringScans.emails` + +{{< note >}} + +{{< readfile file="content/reusable/md/inspec_filter_table.md" >}} + +{{< /note>}} + +## Examples + +Check resources are present: + +````ruby +describe azure_sql_database_server_vulnerability_assessments(resource_group: 'RESOURCE_GROUP', server_name: 'SERVER_NAME') do + it { should exist } + its('names') { should include 'Default' } +end +```` + +Filter the results to include only those with names that match the specified string value: + +```ruby +describe azure_sql_database_server_vulnerability_assessments(resource_group: 'RESOURCE_GROUP', server_name: 'SERVER_NAME') do + it { should exist } +end +``` + +Verify the types of the resource: + +```ruby +describe azure_sql_database_server_vulnerability_assessments(resource_group: 'RESOURCE_GROUP', server_name: 'SERVER_NAME') do + its('types') { should include 'Microsoft.Sql/servers/vulnerabilityAssessments' } +``` + +Verify whether the recurring scans are enabled or not: + +```ruby +describe azure_sql_database_server_vulnerability_assessments(resource_group: 'RESOURCE_GROUP', server_name: 'SERVER_NAME') do + its('isEnabled') { should include false } +end +``` + +## Matchers + +{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}} + +This resource has the following special matchers. + +### exist + +The control passes if the filter returns at least one result. Use `should_not` if you expect zero matches. + +```ruby +describe azure_sql_database_server_vulnerability_assessments(resource_group: 'RESOURCE_GROUP', server_name: 'SERVER_NAME') do + it { should exist } +end +``` + +```ruby +describe azure_sql_database_server_vulnerability_assessments(resource_group: 'RESOURCE_GROUP', server_name: 'SERVER_NAME') do + it { should_not exist } +end +``` + +## Azure permissions + +{{% inspec-azure/azure_permissions_service_principal role="contributor" %}} 
diff --git a/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_sql_databases.md b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_sql_databases.md new file mode 100644 index 0000000..485df37 --- /dev/null +++ b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_sql_databases.md 
@@ -0,0 +1,137 @@ ++++ +title = "azure_sql_databases resource" + +draft = false + + +[menu.azure] +title = "azure_sql_databases" +identifier = "inspec/resources/azure/azure_sql_databases resource" +parent = "inspec/resources/azure" ++++ + +Use the `azure_sql_databases` InSpec audit resource to test the properties and configuration of Azure SQL Databases. + +## Azure REST API version, endpoint, and HTTP client parameters + +{{< readfile file="content/reusable/md/inspec_azure_common_parameters.md" >}} + +## Syntax + +The `resource_group` and `server_name` are required parameters. + +```ruby +describe azure_sql_databases(resource_group: 'RESOURCE_GROUP', server_name: 'SERVER_NAME') do + it { should exist } +end +``` + +## Parameters + +`resource_group` +: Azure resource group where the targeted resource resides. + +`server_name` +: The name of the server in which the database resides. + +## Properties + +`ids` +: A list of the unique resource IDs. + + Field: `id` + +`names` +: A list of names of all the resources being interrogated. + + Field: `name` + +`tags` +: A list of `tag:value` pairs defined on the resources being interrogated. + + Field: `tags` + +`types` +: A list of the types of resources being interrogated. + + Field: `type` + +`properties` +: A list of properties for all the resources being interrogated. + + Field: `properties` + +`locations` +: A list of locations for all the resources being interrogated. + + Field: `location` + +`kinds` +: A list of kinds of all the resources being interrogated. 
+ + Field: `kind` + +{{< note >}} + +{{< readfile file="content/reusable/md/inspec_filter_table.md" >}} + +{{< /note>}} + +## Examples + +Check resources are present: + +````ruby +describe azure_sql_databases(resource_group: 'RESOURCE_GROUP', server_name: 'SERVER_NAME') do + it { should exist } + its('names') { should include 'my-db' } +end +```` + +Filter the results to include only those with names that match the specified string value: + +```ruby +describe azure_sql_databases.(resource_group: 'RESOURCE_GROUP', server_name: 'SERVER_NAME').where{ name.eql?('production-db') } do + it { should exist } +end +``` + +Filter the results to include only those with 'GRS' storage account type: + +```ruby +describe azure_sql_databases.(resource_group: 'RESOURCE_GROUP', server_name: 'SERVER_NAME').where{ properties[:storageAccountType] == 'GRS' } do + it { should exist } +end +``` + +## Matchers + +{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}} + +This resource has the following special matchers. + +### exists + +The control passes if the filter returns at least one result. Use `should_not` if you expect zero matches. + +```ruby +# If we expect resources to exist. + +describe azure_sql_databases(resource_group: 'RESOURCE_GROUP', server_name: 'SERVER_NAME') do + it { should exist } +end +``` + +### not_exists + +```ruby +# If we expect resources not to exist. + +describe azure_sql_databases(resource_group: 'RESOURCE_GROUP', server_name: 'SERVER_NAME') do + it { should_not exist } +end +``` + +## Azure permissions + +{{% inspec-azure/azure_permissions_service_principal role="contributor" %}} diff --git a/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_sql_managed_instance.md b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_sql_managed_instance.md new file mode 100644 index 0000000..f5379ac --- /dev/null +++ b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_sql_managed_instance.md 
@@ -0,0 +1,114 @@ ++++ +title = "azure_sql_managed_instance resource" + +draft = false + + +[menu.azure] +title = "azure_sql_managed_instance" +identifier = "inspec/resources/azure/azure_sql_managed_instance resource" +parent = "inspec/resources/azure" ++++ + +Use the `azure_sql_managed_instance` InSpec audit resource to test the properties related to an Azure SQL managed instance. + +## Azure REST API version, endpoint, and HTTP client parameters + +{{< readfile file="content/reusable/md/inspec_azure_common_parameters.md" >}} + +## Syntax + +`name` and`resource_group` are required parameters. + +```ruby +describe azure_sql_managed_instance(resource_group: 'RESOURCE_GROUP', name: 'INSTANCE_NAME') do + it { should exist } + its('type') { should eq 'Microsoft.Sql/managedInstances' } + its('location') { should eq 'eastus' } +end +``` + +```ruby +describe azure_sql_managed_instance(resource_group: 'RESOURCE_GROUP', name: 'INSTANCE_NAME') do + it { should exist } +end +``` + +## Parameters + +`name` +: Name of the Azure SQL managed instances to test. + +`resource_group` +: Azure resource group where the targeted resource resides. + +The parameter set that should be provided for a valid query is `resource_group` and `name`. + +## Properties + +`id` +: Resource ID. + +`name` +: Resource name. + +`type` +: Resource type. + +`location` +: Resource location. + +`properties` +: The properties of the SQL-Managed Instance. + +`properties.minimalTlsVersion` +: Minimal TLS version. Allowed values are `None`, `1.0`, `1.1`, and `1.2`. + +`properties.maintenanceConfigurationId` +: Specifies maintenance configuration ID to apply to this managed instance. + +`properties.provisioningState` +: Provisioning state of the SQL-managed instance. + +`sku.name` +: The name of the SKU, typically a letter with a number code. For example, `P3`. 
+ +For properties applicable to all resources, such as `type`, `name`, `id`, and `properties` refer to [`azure_generic_resource`](azure_generic_resource#properties). Also, see the [Azure documentation](https://docs.microsoft.com/en-us/rest/api/sql/2021-02-01-preview/managed-instances/get) for other available properties. + +## Examples + +Test that the SQL managed instances are provisioned successfully: + +```ruby +describe azure_sql_managed_instance(resource_group: 'RESOURCE_GROUP', name: 'INSTANCE_NAME') do + its('properties.provisioningState') { should eq 'Succeeded' } +end +``` + +## Matchers + +{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}} + +### exists + +```ruby +# If a SQL-managed instance is found, it will exist. + +describe azure_sql_managed_instance(resource_group: 'RESOURCE_GROUP', name: 'INSTANCE_NAME') do + it { should exist } +end +``` + +### not_exists + +```ruby +# if SQL managed instance is not found, it will not exist. + +describe azure_sql_managed_instance(resource_group: 'RESOURCE_GROUP', name: 'INSTANCE_NAME') do + it { should_not exist } +end +``` + +## Azure permissions + +{{% inspec-azure/azure_permissions_service_principal role="reader" %}} diff --git a/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_sql_managed_instances.md b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_sql_managed_instances.md new file mode 100644 index 0000000..a122075 --- /dev/null +++ b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_sql_managed_instances.md 
@@ -0,0 +1,136 @@ ++++ +title = "azure_sql_managed_instances resource" + +draft = false + + +[menu.azure] +title = "azure_sql_managed_instances" +identifier = "inspec/resources/azure/azure_sql_managed_instances resource" +parent = "inspec/resources/azure" ++++ + +Use the `azure_sql_managed_instances` InSpec audit resource to test the properties related to all Azure SQL-managed instances within a project. + +## Azure REST API version, endpoint, and HTTP client parameters + +{{< readfile file="content/reusable/md/inspec_azure_common_parameters.md" >}} + +## Syntax + +An `azure_sql_managed_instances` resource block returns all Azure SQL-managed instances within a project. + +```ruby +describe azure_sql_managed_instances do + #... +end +``` + +## Parameters + +`resource_group` _(optional)_ + +: The Azure resource group where the targeted resource resides. + +## Properties + +`ids` +: A list of resource IDs. + + Field: `id` + +`names` +: A list of resource names. + + Field: `name` + +`types` +: A list of the resource types. + + Field: `type` + +`properties` +: A list of properties for all the SQL-managed instances. + + Field: `properties` + +`locations` +: A list of the locations. + + Field: `location` + +`provisioningStates` +: A list of provisioning states of all the SQL-managed instances. + + Field: `provisioningState` + +`minimalTlsVersions` +: A list of minimalTlsVersion for all the SQL-managed instances. + + Field: `minimalTlsVersion` + +`sku_names` +: A list of names for the sku. + + Field: `sku_name` + +`sku_tiers` +: A list of tiers for the sku. 
+ + Field: `sku_tier` + +{{< note >}} + +{{< readfile file="content/reusable/md/inspec_filter_table.md" >}} + +{{< /note>}} + +## Examples + +Loop through SQL managed instances by their names: + +```ruby +azure_sql_managed_instances(resource_group: 'RESOURCE_GROUP').names.each do |name| + describe azure_sql_managed_instance(resource_group: 'RESOURCE_GROUP', name: name) do + it { should exist } + end +end +``` + +Test that there are SQL-managed instances that are successfully provisioned: + +```ruby +describe azure_sql_managed_instances.where(provisioningState: 'Succeeded') do + it { should exist } +end +``` + +## Matchers + +{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}} + +This resource has the following special matchers. + +### exists + +```ruby +# Should not exist if no SQL-Managed Instances are present. + +describe azure_sql_managed_instances do + it { should_not exist } +end +``` + +### not_exists + +```ruby +# Should exist if the filter returns at least one SQL-Managed Instance. + +describe azure_sql_managed_instances do + it { should exist } +end +``` + +## Azure permissions + +{{% inspec-azure/azure_permissions_service_principal role="reader" %}} diff --git a/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_sql_server.md b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_sql_server.md new file mode 100644 index 0000000..a8a499b --- /dev/null +++ b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_sql_server.md 
@@ -0,0 +1,169 @@ ++++ +title = "azure_sql_server resource" + +draft = false + + +[menu.azure] +title = "azure_sql_server" +identifier = "inspec/resources/azure/azure_sql_server resource" +parent = "inspec/resources/azure" ++++ + +Use the `azure_sql_server` InSpec audit resource to test the properties and configuration of an Azure SQL Server. + +## Azure REST API version, endpoint, and HTTP client parameters + +{{< readfile file="content/reusable/md/inspec_azure_common_parameters.md" >}} + +## Syntax + +`resource_group` and `name`, or the `resource_id` are required parameters. + +```ruby +describe azure_sql_server(resource_group: 'RESOURCE_GROUP', name: 'SERVER_NAME') do + it { should exist } +end +``` + +```ruby +describe azure_sql_server(resource_id: '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroup}/providers/Microsoft.Sql/servers/{serverName}') do + it { should exist } +end +``` + +## Parameters + +`resource_group` +: Azure resource group where the targeted resource resides. + +`name` +: Name of the SQL server to test. + +`server_name` +: Alias for the `name` parameter. + +`resource_id` +: The unique resource ID. + +`firewall_rules_api_version` +: The endpoint API version for the `firewall_rules` property. The latest version will be used unless provided. + +`auditing_settings_api_version` +: The endpoint API version for the `auditing_settings` property. The latest version will be used unless provided. + +`threat_detection_settings_api_version` +: The endpoint API version for the `threat_detection_settings` property. The latest version will be used unless provided. + +`administrators_api_version` +: The endpoint API version for the `administrators` property. The latest version will be used unless provided. + +`encryption_protector_api_version` +: The endpoint API version for the `encryption_protector` property. The latest version will be used unless provided. 
+ +Either one of the parameter sets can be provided for a valid query: + +- `resource_id` +- `resource_group` and `name` +- `resource_group` and `server_name` + +## Properties + +`firewall_rules` +: A list of all firewall rules in the targeted server with [these](https://docs.microsoft.com/en-us/rest/api/sql/firewallrules/listbyserver#firewallrulelistresult) properties. + +`administrators` +: A list of all administrators for the targeted server with [these](https://docs.microsoft.com/en-us/rest/api/sql/serverazureadadministrators/listbyserver#serverazureadadministrator) properties. + +`encryption_protector` +: A list of all encryption protectors for the targeted server with [these](https://docs.microsoft.com/en-us/rest/api/sql/encryptionprotectors/listbyserver#encryptionprotector) properties. + +`auditing_settings` +: Auditing settings for the targeted server with [these](https://docs.microsoft.com/en-us/rest/api/sql/server%20auditing%20settings/listbyserver#serverblobauditingpolicylistresult) properties. + +`threat_detection_settings` +: Threat detection settings for the targeted server with [these](https://docs.microsoft.com/en-us/rest/api/sql/databasethreatdetectionpolicies/get#databasesecurityalertpolicy) properties. + +`sku` +: The SKU (pricing tier) of the server. + +For properties applicable to all resources, such as `type`, `name`, `id`, and `properties`, refer to [`azure_generic_resource`](azure_generic_resource#properties). + +Also, see the [Azure documentation](https://docs.microsoft.com/en-us/rest/api/sql/servers/get#server) for other available properties. +You can access any attribute in the response with the key names separated by dots (`.`). For example, `properties.`. 
+
+## Examples
+
+Test if a SQL server is referenced with a valid name:
+
+```ruby
+describe azure_sql_server(resource_group: 'RESOURCE_GROUP', name: 'SERVER_NAME') do
+ it { should exist }
+end
+```
+
+Test if a SQL server is referenced with an invalid name:
+
+```ruby
+describe azure_sql_server(resource_group: 'RESOURCE_GROUP', name: 'i-dont-exist') do
+ it { should_not exist }
+end
+```
+
+Test if a SQL server has firewall rules set:
+
+```ruby
+describe azure_sql_server(resource_group: 'RESOURCE_GROUP', name: 'SERVER_NAME') do
+ its('firewall_rules') { should_not be_empty }
+end
+```
+
+Test a SQL server's location and kind:
+
+```ruby
+describe azure_sql_server(resource_id: '/subscriptions/.../my-server') do
+ its('kind') { should cmp 'v12.0' }
+ its('location') { should cmp 'westeurope' }
+end
+```
+
+Test a SQL server's auditing settings:
+
+```ruby
+describe azure_sql_server(resource_group: 'RESOURCE_GROUP', name: 'SERVER_NAME') do
+ its('auditing_settings.properties.state') { should cmp 'Disabled' }
+ its('auditing_settings.properties.retentionDays') { should be 0 }
+ its('auditing_settings.properties.isStorageSecondaryKeyInUse') { should be false }
+ its('auditing_settings.properties.isAzureMonitorTargetEnabled') { should be false }
+end
+```
+
+## Matchers
+
+{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}}
+
+This resource has the following special matchers.
+
+### exists
+
+```ruby
+# If we expect a resource to always exist.
+
+describe azure_sql_server(resource_group: 'RESOURCE_GROUP', name: 'SERVER_NAME') do
+ it { should exist }
+end
+```
+
+### not_exists
+
+```ruby
+# If we expect a resource to never exist.
+
+describe azure_sql_server(resource_group: 'RESOURCE_GROUP', name: 'SERVER_NAME') do
+ it { should_not exist }
+end
+```
+
+## Azure permissions
+
+{{% inspec-azure/azure_permissions_service_principal role="contributor" %}}
diff --git a/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_sql_servers.md b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_sql_servers.md
new file mode 100644
index 0000000..2bd77c1
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_sql_servers.md
@@ -0,0 +1,143 @@ ++++ +title = "azure_sql_servers resource" + +draft = false + + +[menu.azure] +title = "azure_sql_servers" +identifier = "inspec/resources/azure/azure_sql_servers resource" +parent = "inspec/resources/azure" ++++ + +Use the `azure_sql_servers` InSpec audit resource to test the properties and configuration of multiple Azure SQL Servers. + +## Azure REST API version, endpoint, and HTTP client parameters + +{{< readfile file="content/reusable/md/inspec_azure_common_parameters.md" >}} + +## Syntax + +An `azure_sql_servers` resource block returns all Azure SQL Servers, either within a resource group (if provided) or an entire subscription. + +```ruby +describe azure_sql_servers do + it { should exist } +end +``` + +Or + +```ruby +describe azure_sql_servers(resource_group: 'RESOURCE_GROUP') do + it { should exist } +end +``` + +## Parameters + +`resource_group` _(optional)_ + +: The name of the resource group. + +## Properties + +`ids` +: A list of the unique resource IDs. + + Field: `id` + +`locations` +: A list of locations for all the resources being interrogated. + + Field: `location` + +`names` +: A list of names of all the resources being interrogated. + + Field: `name` + +`kinds` +: A list of kinds of all the resources being interrogated. + + Field: `kind` + +`tags` +: A list of `tag:value` pairs defined on the resources. + + Field: `tags` + +`skus` +: A list of the SKUs (pricing tiers) of the servers. + + Field: `sku` + +`types` +: A list of the types of resources being interrogated. + + Field: `type` + +`properties` +: A list of properties for all the resources being interrogated. 
+
+ Field: `properties`
+
+{{< note >}}
+
+{{< readfile file="content/reusable/md/inspec_filter_table.md" >}}
+
+{{< /note>}}
+
+## Examples
+
+Checks if a specific SQL server is present:
+
+```ruby
+describe azure_sql_servers do
+ its('names') { should include 'my-server-name' }
+end
+```
+
+Filters the results to include only those servers that have the specified name (client-side filtering):
+
+```ruby
+describe azure_sql_servers.where{ name.include?('production') } do
+ it { should exist }
+end
+```
+
+Filters the results to include only those servers that reside in a specified location (client-side filtering):
+
+```ruby
+describe azure_sql_servers.where{ location.eql?('westeurope') } do
+ it { should exist }
+end
+```
+
+Filters the results to include only those servers that reside in a specified location and have the specified name (server-side filtering - recommended):
+
+```ruby
+describe azure_generic_resources(resource_provider: 'Microsoft.Sql/servers', substring_of_name: 'production', location: 'westeurope') do
+ it {should exist}
+end
+```
+
+## Matchers
+
+{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}}
+
+This resource has the following special matchers.
+
+### exists
+
+The control passes if the filter returns at least one result. Use `should_not` if you expect zero matches.
+
+```ruby
+describe azure_sql_servers do
+ it { should exist }
+end
+```
+
+## Azure permissions
+
+{{% inspec-azure/azure_permissions_service_principal role="contributor" %}}
diff --git a/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_sql_virtual_machine.md b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_sql_virtual_machine.md
new file mode 100644
index 0000000..b01328f
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_sql_virtual_machine.md
@@ -0,0 +1,105 @@ ++++ +title = "azure_sql_virtual_machine resource" + +draft = false + + +[menu.azure] +title = "azure_sql_virtual_machine" +identifier = "inspec/resources/azure/azure_sql_virtual_machine resource" +parent = "inspec/resources/azure" ++++ + +Use the `azure_sql_virtual_machine` Chef InSpec audit resource to test the properties of an Azure SQL virtual machine. + +## Azure REST API version, endpoint, and HTTP client parameters + +{{< readfile file="content/reusable/md/inspec_azure_common_parameters.md" >}} + +## Syntax + +```ruby +describe azure_sql_virtual_machine(resource_group: 'RESOURCE_GROUP', name: 'SQL_VM_NAME') do + it { should exist } + its('type') { should eq 'Microsoft.SqlVirtualMachine/sqlVirtualMachines' } + its('location') { should eq 'eastus' } +end +``` + +```ruby +describe azure_sql_virtual_machine(resource_group: 'RESOURCE_GROUP', name: 'SQL_VM_NAME') do + it { should exist } +end +``` + +## Parameters + +`name` _(required)_ + +: Name of the Azure SQL Virtual Machine to test. + +`resource_group` _(required)_ + +: Azure resource group where the targeted resource resides. + +## Properties + +`id` +: The resource ID. + +`name` +: The resource name. + +`type` +: The resource type. `Microsoft.SqlVirtualMachine/sqlVirtualMachines`. + +`location` +: The resource location. + +`properties` +: The properties of the SQL virtual machine. + +`properties.provisioningState` +: State of the resource. + +For properties applicable to all resources, such as `type`, `name`, `id`, and `properties`, refer to [`azure_generic_resource`](azure_generic_resource#properties). + +Also, see the [Azure documentation](https://docs.microsoft.com/en-us/rest/api/compute/virtual-machines/get) for other available properties. 
+
+## Examples
+
+Test that the SQL virtual machine is provisioned successfully:
+
+```ruby
+describe azure_sql_virtual_machine(resource_group: 'RESOURCE_GROUP', name: 'SQL_VM_NAME') do
+ its('properties.provisioningState') { should eq 'Succeeded' }
+end
+```
+
+## Matchers
+
+{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}}
+
+### exists
+
+```ruby
+# If a SQL Virtual Machine is found, it will exist.
+
+describe azure_sql_virtual_machine(resource_group: 'RESOURCE_GROUP', name: 'SQL_VM_NAME') do
+ it { should exist }
+end
+```
+
+### not_exists
+
+```ruby
+# If SQL Virtual Machine is not found, it will not exist.
+
+describe azure_sql_virtual_machine(resource_group: 'RESOURCE_GROUP', name: 'SQL_VM_NAME') do
+ it { should_not exist }
+end
+```
+
+## Azure permissions
+
+{{% inspec-azure/azure_permissions_service_principal role="reader" %}}
diff --git a/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_sql_virtual_machine_group.md b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_sql_virtual_machine_group.md
new file mode 100644
index 0000000..0324a7b
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_sql_virtual_machine_group.md
@@ -0,0 +1,107 @@ ++++ +title = "azure_sql_virtual_machine_group resource" + +draft = false + + +[menu.azure] +title = "azure_sql_virtual_machine_group" +identifier = "inspec/resources/azure/azure_sql_virtual_machine_group resource" +parent = "inspec/resources/azure" ++++ + +Use the `azure_sql_virtual_machine_group` InSpec audit resource to test the properties related to an Azure SQL virtual machine group. + +## Azure REST API version, endpoint, and HTTP client parameters + +{{< readfile file="content/reusable/md/inspec_azure_common_parameters.md" >}} + +## Syntax + +`name` and `resource_group` are required parameters. + +```ruby +describe azure_sql_virtual_machine_group(resource_group: 'RESOURCE_GROUP', name: 'SQL_VIRTUAL_MACHINE_GROUP') do + it { should exist } + its('type') { should eq 'Microsoft.SqlVirtualMachine/sqlVirtualMachineGroups' } + its('location') { should eq 'eastus' } +end +``` + +```ruby +describe azure_sql_virtual_machine_group(resource_group: 'RESOURCE_GROUP', name: 'SQL_VIRTUAL_MACHINE_GROUP') do + it { should exist } +end +``` + +## Parameters + +`name` _(required)_ + +: Name of the Azure SQL virtual machine group to test. + +`resource_group` _(required)_ + +: Azure resource group where the targeted resource resides. + +## Properties + +`id` +: Resource ID. + +`name` +: Resource name. + +`type` +: Resource type. `Microsoft.SqlVirtualMachine/sqlVirtualMachineGroups`. + +`location` +: The Geo-location where the resource lives. + +`properties` +: The properties of the SQL virtual machine group. + +`properties.provisioningState` +: State of the resource. + +For properties applicable to all resources, such as `type`, `name`, `id`, and `properties`, refer to [`azure_generic_resource`](azure_generic_resource#properties). + +Also, see the [Azure documentation](https://docs.microsoft.com/en-us/rest/api/sqlvm/2021-11-01-preview/sql-virtual-machine-groups/get) for other available properties. 
+
+## Examples
+
+Test that the SQL virtual machine group is provisioned successfully:
+
+```ruby
+describe azure_sql_virtual_machine_group(resource_group: 'RESOURCE_GROUP', name: 'SQL_VIRTUAL_MACHINE_GROUP') do
+ its('properties.provisioningState') { should eq 'Succeeded' }
+end
+```
+
+## Matchers
+
+{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}}
+
+### exists
+
+```ruby
+# If a SQL virtual machine group is found, it will exist.
+
+describe azure_sql_virtual_machine_group(resource_group: 'RESOURCE_GROUP', name: 'SQL_VIRTUAL_MACHINE_GROUP') do
+ it { should exist }
+end
+```
+
+### not_exists
+
+```ruby
+# If SQL virtual machine group is not found, it will not exist.
+
+describe azure_sql_virtual_machine_group(resource_group: 'RESOURCE_GROUP', name: 'SQL_VIRTUAL_MACHINE_GROUP') do
+ it { should_not exist }
+end
+```
+
+## Azure permissions
+
+{{% inspec-azure/azure_permissions_service_principal role="reader" %}}
diff --git a/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_sql_virtual_machine_group_availability_listener.md b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_sql_virtual_machine_group_availability_listener.md
new file mode 100644
index 0000000..fa1e0fb
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_sql_virtual_machine_group_availability_listener.md
@@ -0,0 +1,105 @@ ++++ +title = "azure_sql_virtual_machine_group_availability_listener resource" + +draft = false + + +[menu.azure] +title = "azure_sql_virtual_machine_group_availability_listener" +identifier = "inspec/resources/azure/azure_sql_virtual_machine_group_availability_listener resource" +parent = "inspec/resources/azure" ++++ + +Use the `azure_sql_virtual_machine_group_availability_listener` InSpec audit resource to test the properties related to an Azure SQL virtual machine group availability listener. + +## Azure REST API version, endpoint, and HTTP client parameters + +{{< readfile file="content/reusable/md/inspec_azure_common_parameters.md" >}} + +## Syntax + +```ruby +describe azure_sql_virtual_machine_group_availability_listener(resource_group: 'RESOURCE_GROUP', sql_virtual_machine_group_name: 'SQL_VIRTUAL_MACHINE_GROUP_NAME', name: 'AVAILABILITY_LISTENER_NAME') do + it { should exist } + its('type') { should eq 'Microsoft.SqlVirtualMachine/sqlVirtualMachineGroups/availabilityGroupListeners' } +end +``` + +```ruby +describe azure_sql_virtual_machine_group_availability_listener(resource_group: 'RESOURCE_GROUP', sql_virtual_machine_group_name: 'SQL_VIRTUAL_MACHINE_GROUP_NAME', name: 'AVAILABILITY_LISTENER_NAME') do + it { should exist } +end +``` + +## Parameters + +`name` _(required)_ + +: Name of the Azure SQL virtual machine group availability listeners to test. + +`resource_group` _(required)_ + +: Azure resource group where the targeted resource resides. + +`sql_virtual_machine_group_name` _(required)_ + +: The Azure SQL virtual machine group name. + +## Properties + +`id` +: Resource ID. + +`name` +: Resource name. + +`type` +: Resource type. + +`properties` +: The properties of the SQL virtual machine group availability listener. + +`properties.provisioningState` +: State of the resource. 
+
+For properties applicable to all resources, such as `type`, `name`, `id`, and `properties`, refer to [`azure_generic_resource`](azure_generic_resource#properties).
+
+Also, see the [Azure documentation](https://docs.microsoft.com/en-us/rest/api/servicefabric/sfmeshrp-api-application_get) for other available properties.
+
+## Examples
+
+Test that the SQL virtual machine group availability listener is provisioned successfully:
+
+```ruby
+describe azure_sql_virtual_machine_group_availability_listener(resource_group: 'RESOURCE_GROUP', sql_virtual_machine_group_name: 'SQL_VIRTUAL_MACHINE_GROUP_NAME', name: 'AVAILABILITY_LISTENER_NAME') do
+ its('properties.provisioningState') { should eq 'Succeeded' }
+end
+```
+
+## Matchers
+
+{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}}
+
+### exists
+
+```ruby
+# If a SQL virtual machine group availability listener is found, it will exist.
+
+describe azure_sql_virtual_machine_group_availability_listener(resource_group: 'RESOURCE_GROUP', sql_virtual_machine_group_name: 'SQL_VIRTUAL_MACHINE_GROUP_NAME', name: 'AVAILABILITY_LISTENER_NAME') do
+ it { should exist }
+end
+```
+
+### not_exists
+
+```ruby
+# if SQL virtual machine group availability listener is not found, it will not exist
+
+describe azure_sql_virtual_machine_group_availability_listener(resource_group: 'RESOURCE_GROUP', sql_virtual_machine_group_name: 'SQL_VIRTUAL_MACHINE_GROUP_NAME', name: 'AVAILABILITY_LISTENER_NAME') do
+ it { should_not exist }
+end
+```
+
+## Azure permissions
+
+{{% inspec-azure/azure_permissions_service_principal role="reader" %}}
diff --git a/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_sql_virtual_machine_group_availability_listeners.md b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_sql_virtual_machine_group_availability_listeners.md
new file mode 100644
index 0000000..d6aef7f
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_sql_virtual_machine_group_availability_listeners.md 
@@ -0,0 +1,120 @@ ++++ +title = "azure_sql_virtual_machine_group_availability_listeners resource" + +draft = false + + +[menu.azure] +title = "azure_sql_virtual_machine_group_availability_listeners" +identifier = "inspec/resources/azure/azure_sql_virtual_machine_group_availability_listeners resource" +parent = "inspec/resources/azure" ++++ + +Use the `azure_sql_virtual_machine_group_availability_listeners` InSpec audit resource to test the properties related to all Azure SQL virtual machine group availability listeners. + +## Azure REST API version, endpoint, and HTTP client parameters + +{{< readfile file="content/reusable/md/inspec_azure_common_parameters.md" >}} + +## Syntax + +An `azure_sql_virtual_machine_group_availability_listeners` resource block returns all Azure SQL virtual machine group availability listeners. + +```ruby +describe azure_sql_virtual_machine_group_availability_listeners(resource_group: 'RESOURCE_GROUP', sql_virtual_machine_group_name: 'SQL_VIRTUAL_MACHINE_GROUP_NAME') do + #... +end +``` + +## Parameters + +`resource_group` _(required)_ + +: Azure resource group where the targeted resource resides. + +`sql_virtual_machine_group_name` _(required)_ + +: Azure SQL virtual machine group name. + +## Properties + +`ids` +: A list of resource IDs. + + Field: `id` + +`names` +: A list of resource names. + + Field: `name` + +`types` +: A list of the resource types. + + Field: `type` + +`properties` +: A list of Properties for all the SQL virtual machine group availability listeners. + + Field: `properties` + +`provisioningStates` +: A list of provisioning states of the SQL virtual machine group availability listeners. 
+
+ Field: `provisioningState`
+
+{{< note >}}
+
+{{< readfile file="content/reusable/md/inspec_filter_table.md" >}}
+
+{{< /note>}}
+
+## Examples
+
+Loop through SQL virtual machine group availability listeners by their names:
+
+```ruby
+azure_sql_virtual_machine_group_availability_listeners(resource_group: 'RESOURCE_GROUP', sql_virtual_machine_group_name: 'SQL_VIRTUAL_MACHINE_GROUP_NAME').names.each do |name|
+ describe azure_sql_virtual_machine_group_availability_listener(resource_group: 'RESOURCE_GROUP', sql_virtual_machine_group_name: 'SQL_VIRTUAL_MACHINE_GROUP_NAME', name: name) do
+ it { should exist }
+ end
+end
+```
+
+Test that there are SQL virtual machine group availability listeners that are successfully provisioned:
+
+```ruby
+describe azure_sql_virtual_machine_group_availability_listeners(resource_group: 'RESOURCE_GROUP', sql_virtual_machine_group_name: 'SQL_VIRTUAL_MACHINE_GROUP_NAME').where(provisioningState: 'Succeeded') do
+ it { should exist }
+end
+```
+
+## Matchers
+
+{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}}
+
+This resource has the following special matchers.
+
+### exists
+
+```ruby
+# Should not exist if no SQL virtual machine group availability listeners are present.
+
+describe azure_sql_virtual_machine_group_availability_listeners(resource_group: 'RESOURCE_GROUP', sql_virtual_machine_group_name: 'SQL_VIRTUAL_MACHINE_GROUP_NAME') do
+ it { should_not exist }
+end
+```
+
+### not_exists
+
+```ruby
+# Should exist if the filter returns at least one SQL virtual machine group availability listener.
+
+describe azure_sql_virtual_machine_group_availability_listeners(resource_group: 'RESOURCE_GROUP', sql_virtual_machine_group_name: 'SQL_VIRTUAL_MACHINE_GROUP_NAME') do
+ it { should exist }
+end
+```
+
+## Azure permissions
+
+{{% inspec-azure/azure_permissions_service_principal role="reader" %}}
diff --git a/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_sql_virtual_machine_groups.md b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_sql_virtual_machine_groups.md
new file mode 100644
index 0000000..116b75f
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_sql_virtual_machine_groups.md
@@ -0,0 +1,121 @@ ++++ +title = "azure_sql_virtual_machine_groups resource" + +draft = false + + +[menu.azure] +title = "azure_sql_virtual_machine_groups" +identifier = "inspec/resources/azure/azure_sql_virtual_machine_groups resource" +parent = "inspec/resources/azure" ++++ + +Use the `azure_sql_virtual_machine_groups` InSpec audit resource to test the properties related to all Azure SQL virtual machine groups. + +## Azure REST API version, endpoint, and HTTP client parameters + +{{< readfile file="content/reusable/md/inspec_azure_common_parameters.md" >}} + +## Syntax + +An `azure_sql_virtual_machine_groups` resource block returns all Azure SQL Virtual Machine groups. + +```ruby +describe azure_sql_virtual_machine_groups do + #... +end +``` + +## Parameters + +`resource_group` _(optional)_ + +: Azure resource group where the targeted resource resides. + +## Properties + +`ids` +: A list of resource IDs. + + Field: `id` + +`names` +: A list of resource names. + + Field: `name` + +`types` +: A list of the resource types. + + Field: `type` + +`properties` +: A list of properties for all the SQL virtual machine groups. + + Field: `properties` + +`locations` +: A list of the resource locations. + + Field: `location` + +`provisioningStates` +: A list of provisioning states of the SQL virtual machine groups. 
+ + Field: `provisioningState` + +{{< note >}} + +{{< readfile file="content/reusable/md/inspec_filter_table.md" >}} + +{{< /note>}} + +## Examples + +Loop through SQL virtual machine groups by their names: + +```ruby +azure_sql_virtual_machine_groups(resource_group: 'RESOURCE_GROUP').names.each do |name| + describe azure_sql_virtual_machine_group(resource_group: 'RESOURCE_GROUP', name: name) do + it { should exist } + end +end +``` + +Test that there are SQL virtual machine groups that are successfully provisioned: + +```ruby +describe azure_sql_virtual_machine_groups(resource_group: 'RESOURCE_GROUP').where(provisioningState: 'Succeeded') do + it { should exist } +end +``` + +## Matchers + +{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}} + +This resource has the following special matchers. + +### exists + +```ruby +# Should not exist if no SQL Virtual Machine Groups are present. + +describe azure_sql_virtual_machine_groups(resource_group: 'RESOURCE_GROUP') do + it { should_not exist } +end +``` + +### not_exists + +```ruby +# Should exist if the filter returns at least one SQL Virtual Machine group. + +describe azure_sql_virtual_machine_groups(resource_group: 'RESOURCE_GROUP') do + it { should exist } +end +``` + +## Azure permissions + +{{% inspec-azure/azure_permissions_service_principal role="reader" %}} diff --git a/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_sql_virtual_machines.md b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_sql_virtual_machines.md new file mode 100644 index 0000000..19ba8c5 --- /dev/null +++ b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_sql_virtual_machines.md 
@@ -0,0 +1,121 @@ ++++ +title = "azure_sql_virtual_machines resource" + +draft = false + + +[menu.azure] +title = "azure_sql_virtual_machines" +identifier = "inspec/resources/azure/azure_sql_virtual_machines resource" +parent = "inspec/resources/azure" ++++ + +Use the `azure_sql_virtual_machines` InSpec audit resource to test the properties of all Azure SQL virtual machines. + +## Azure REST API version, endpoint, and HTTP client parameters + +{{< readfile file="content/reusable/md/inspec_azure_common_parameters.md" >}} + +## Syntax + +An `azure_sql_virtual_machines` resource block returns all Azure SQL virtual machines. + +```ruby +describe azure_sql_virtual_machines do + #... +end +``` + +## Parameters + +`resource_group` _(optional)_ + +: Azure resource group where the targeted resource resides. + +## Properties + +`ids` +: A list of resource IDs. + + Field: `id` + +`names` +: A list of resource names. + + Field: `name` + +`types` +: A list of the resource types. + + Field: `type` + +`properties` +: A list of Properties for all the SQL virtual machines. + + Field: `properties` + +`locations` +: A list of the Geo-locations. + + Field: `location` + +`provisioningStates` +: A list of provisioning states of the SQL virtual machines. 
+ + Field: `provisioningState` + +{{< note >}} + +{{< readfile file="content/reusable/md/inspec_filter_table.md" >}} + +{{< /note>}} + +## Examples + +Loop through SQL virtual machines by their names: + +```ruby +azure_sql_virtual_machines(resource_group: 'RESOURCE_GROUP').names.each do |name| + describe azure_sql_virtual_machine(resource_group: 'RESOURCE_GROUP', name: name) do + it { should exist } + end +end +``` + +Test that there are SQL virtual machines that are successfully provisioned: + +```ruby +describe azure_sql_virtual_machines(resource_group: 'RESOURCE_GROUP').where(provisioningState: 'Succeeded') do + it { should exist } +end +``` + +## Matchers + +{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}} + +This resource has the following special matchers. + +### exists + +```ruby +# Should not exist if no SQL virtual machines are present. + +describe azure_sql_virtual_machines(resource_group: 'RESOURCE_GROUP') do + it { should_not exist } +end +``` + +### not_exists + +```ruby +# Should exist if the filter returns at least one SQL virtual machine. + +describe azure_sql_virtual_machines(resource_group: 'RESOURCE_GROUP') do + it { should exist } +end +``` + +## Azure permissions + +{{% inspec-azure/azure_permissions_service_principal role="reader" %}} diff --git a/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_storage_account.md b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_storage_account.md new file mode 100644 index 0000000..e1a9a2a --- /dev/null +++ b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_storage_account.md 
@@ -0,0 +1,203 @@ ++++ +title = "azure_storage_account resource" + +draft = false + + +[menu.azure] +title = "azure_storage_account" +identifier = "inspec/resources/azure/azure_storage_account resource" +parent = "inspec/resources/azure" ++++ + +Use the `azure_storage_account` InSpec audit resource to test the properties related to an Azure Storage account. + +## Azure REST API version, endpoint, and HTTP client parameters + +{{< readfile file="content/reusable/md/inspec_azure_common_parameters.md" >}} + +## Syntax + +An `azure_storage_account` resource block identifies an Azure storage account by `name` and `resource_group`, or the `resource_id`. + +```ruby +describe azure_storage_account(resource_group: 'RESOURCE_GROUP', name: 'NAME') do + it { should exist } +end +``` + +```ruby +describe azure_storage_account(resource_id: '/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Storage/storageAccounts/{accountName}') do + it { should exist } +end +``` + +## Parameters + +`resource_group` +: Azure resource group where the targeted resource resides. + +`name` +: The name of the storage account within the specified resource group. + +`resource_id` +: The unique resource ID. + +`activity_log_alert_api_version` +: The activity log alerts endpoint API version used in the `have_recently_generated_access_key` matcher. The latest version will be used unless provided. + +`storage_service_endpoint_api_version` +: The storage service endpoint API version. `2019-12-12` will be used unless provided. + +`resource_data` +: In-memory cached Azure Network security group data. Passing data to this parameter can increase performance since it avoids multiple network calls to the same Azure resource. When provided, it binds the values directly to the resource. Data passed to the `resource_data` parameter could be stale. It is the user's responsibility to refresh the data. 
+
+Pass one of the following parameter sets for a valid query:
+
+- `resource_id`
+- `resource_group` and `name`
+- `resource_data`
+
+## Properties
+
+`queues*`
+: Lists all of the queues in a given storage account. For more information, see the [Azure Storage Services List Queues documentation](https://docs.microsoft.com/en-us/rest/api/storageservices/list-queues1).
+
+`queue_properties*`
+: Gets the properties of a storage account's Queue service, including properties for Storage Analytics and CORS (Cross-Origin Resource Sharing) rules. For more information, see the [Azure Queue Service Properties documentation](https://docs.microsoft.com/en-us/rest/api/storageservices/get-queue-service-properties).
+
+`blobs*`
+: Lists all of the blob containers in a given storage account. For more information, see the [Azure Storage Services List Containers](https://docs.microsoft.com/en-us/rest/api/storageservices/list-containers2).
+
+`blob_properties*`
+: Gets the properties of a storage account's Blob service, including properties for Storage Analytics and CORS (Cross-Origin Resource Sharing) rules. For more information, see the [Azure Storage Services Blob Service Properties documentation](https://docs.microsoft.com/en-us/rest/api/storageservices/get-blob-service-properties).
+
+`table_properties*`
+: Gets the properties of a storage account's Table service, including properties for Storage Analytics and CORS (Cross-Origin Resource Sharing) rules. For more information, see the [Azure Storage Services Table Service Properties documentation](https://docs.microsoft.com/en-us/rest/api/storageservices/get-table-service-properties).
+
+*: These Azure endpoints return data in XML format. However, they're converted to make the properties accessible with dot notation.
+
+The property names are in snake case, `property_name`. Therefore, you can test `` with `its('enumeration_results.service_endpoint)`.
+ +For properties applicable to all resources, such as `type`, `name`, `id`, and `properties`, refer to [`azure_generic_resource`](azure_generic_resource#properties). + +Also, see the [Azure documentation](https://docs.microsoft.com/en-us/rest/api/storagerp/storageaccounts/getproperties#storageaccount) for other available properties. You can access any attribute in the response with the key names separated by dots (`.`). + +## Examples + +Test the primary endpoints: + +```ruby +describe azure_storage_account(resource_group: 'RESOURCE_GROUP', name: 'NAME') do + its('properties.primaryEndpoints.blob') { should cmp 'https://mysa.blob.core.windows.net/' } + its('properties.primaryEndpoints.queue') { should cmp 'https://mysa.queue.core.windows.net/' } + its('properties.primaryEndpoints.table') { should cmp 'https://mysa.table.core.windows.net/' } + its('properties.primaryEndpoints.file') { should cmp 'https://mysa.file.core.windows.net/' } +end +``` + +Verify that only HTTPS is supported: + +```ruby +describe azure_storage_account(resource_group: 'RESOURCE_GROUP', name: 'NAME') do + its('properties.supportsHttpsTrafficOnly') { should be true } +end +``` + +Test queues service endpoint: + +```ruby +describe azure_storage_account(resource_group: 'RESOURCE_GROUP', name: 'NAME') do + its('queues.enumeration_results.service_endpoint') { should cmp 'https://mysa.queue.core.windows.net/' } +end +``` + +Test Blobs service endpoint: + +```ruby +describe azure_storage_account(resource_group: 'RESOURCE_GROUP', name: 'NAME') do + its('blobs.enumeration_results.service_endpoint') { should cmp 'https://mysa.blob.core.windows.net/' } +end +``` + +Test queue properties logging version: + +```ruby +describe azure_storage_account(resource_group: 'RESOURCE_GROUP', name: 'NAME') do + its('queue_properties.logging.version') { should cmp '1.0' } +end +``` + +Test Blob properties logging version: + +```ruby +describe azure_storage_account(resource_group: 'RESOURCE_GROUP', name: 'NAME') do + 
its('blob_properties.logging.version') { should cmp '1.0' } +end +``` + +Test table properties logging version: + +```ruby +describe azure_storage_account(resource_group: 'RESOURCE_GROUP', name: 'NAME') do + its('table_properties.logging.version') { should cmp '1.0' } +end +``` + +Loop through all storage accounts and test a blob service endpoint exists from already cached data: + +```ruby +azure_storage_accounts.entries.each do |azure_storage_account_data| + describe azure_storage_account(resource_data: azure_storage_account_data) do + its('blobs.enumeration_results.service_endpoint') { should cmp 'https://mysa.blob.core.windows.net/' } + end +end +``` + +## Matchers + +This InSpec audit resource has the following special matchers. For a full list of available matchers, please visit our [Universal Matchers page](https://docs.chef.io/inspec/matchers/). + +### have_encryption_enabled + +Test if encryption is enabled. + +```ruby +describe azure_storage_account(resource_group: 'RESOURCE_GROUP', name: 'NAME') do + it { should have_encryption_enabled } +end +``` + +### have_recently_generated_access_key + +Test if an access key has been generated within the last **90** days. + +```ruby +describe azure_storage_account(resource_group: 'RESOURCE_GROUP', name: 'NAME') do + it { should have_recently_generated_access_key } +end +``` + +### exists + +```ruby +# If we expect the resource to always exist. + +describe azure_storage_account(resource_group: 'RESOURCE_GROUP', name: 'NAME') do + it { should exist } +end +``` + +### not_exists + +```ruby +# If we expect the resource to never exist. + +describe azure_storage_account(resource_group: 'RESOURCE_GROUP', name: 'NAME') do + it { should_not exist } +end +``` + +## Azure permissions + +{{% inspec-azure/azure_permissions_service_principal role="reader" %}} 
diff --git a/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_storage_account_blob_container.md b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_storage_account_blob_container.md
new file mode 100644
index 0000000..703056e
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_storage_account_blob_container.md
@@ -0,0 +1,130 @@ ++++ +title = "azure_storage_account_blob_container resource" + +draft = false + + +[menu.azure] +title = "azure_storage_account_blob_container" +identifier = "inspec/resources/azure/azure_storage_account_blob_container resource" +parent = "inspec/resources/azure" ++++ + +Use the `azure_storage_account_blob_container` InSpec audit resource to test the properties related to a Blob Container in an Azure Storage account. + +## Azure REST API version, endpoint, and HTTP client parameters + +{{< readfile file="content/reusable/md/inspec_azure_common_parameters.md" >}} + +## Syntax + +`resource_group`, `storage_account_name`, and `name` or the `resource_id` are required parameters. + +```ruby +describe azure_storage_account_blob_container(resource_group: 'RESOURCE_GROUP', storage_account_name: 'ACCOUNT_NAME', name: 'LOGS') do + it { should exist } +end +``` + +```ruby +describe azure_storage_account_blob_container(resource_id: '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Storage/storageAccounts/{accountName}/blobServices/default/containers/{containerName}') do + it { should exist } +end +``` + +## Parameters + +`resource_group` +: Azure resource group where the targeted resource resides. + +`storage_account_name` +: The name of the storage account within the specified resource group. + +`name` +: The name of the blob container within the specified storage account. + +`blob_container_name` +: Alias for the `name` parameter. + +`resource_id` +: The unique resource ID. + +Either one of the parameter sets can be provided for a valid query: + +- `resource_id` +- `resource_group`, `storage_account_name` and `name` +- `resource_group`, `storage_account_name` and `blob_container_name` + +## Properties + +`properties.deleted` +: Indicates whether the Blob Container was deleted. + +`properties.lastModifiedTime` +: Returns the date and time the container was last modified. 
+ +`properties.remainingRetentionDays` +: Remaining retention days for soft deleted blob container. + +`properties.publicAccess` +: Specifies whether data in the container may be accessed publicly and the level of access. See the [Azure blob containers PublicAccess documentation](https://docs.microsoft.com/en-us/rest/api/storagerp/blobcontainers/get#publicaccess) for valid values. + +For properties applicable to all resources, such as `type`, `tags`, `id`, and `properties`, refer to [`azure_generic_resource`](azure_generic_resource#properties). + +Also, refer to the [Azure documentation](https://docs.microsoft.com/en-us/rest/api/storagerp/blobcontainers/get#blobcontainer) for other available properties. You can access any attribute in the response with the key names separated by dots (`.`). + +## Examples + +Test if a Blob Container is deleted: + +```ruby +describe azure_storage_account_blob_container(resource_group: 'RESOURCE_GROUP', storage_account_name: 'DEFAULT', name: 'LOGS') do + its('properties.deleted') { should be true } +end +``` + +Ensure that the Blob Container is private: + +```ruby +describe azure_storage_account_blob_container(resource_group: 'RESOURCE_GROUP', storage_account_name: 'PRODUCTION', name: 'LOGS') do + its('properties') { should have_attributes(publicAccess: 'None') } +end +``` + +Loop through resources via 'resource_id': + +```ruby +azure_storage_account_blob_containers.(resource_group: 'RESOURCE_GROUP', storage_account_name: 'PRODUCTION').ids.each do |id| + describe azure_storage_account_blob_container(resource_id: id) do + its('properties') { should have_attributes(publicAccess: 'None') } + end +end +``` + +## Matchers + +This InSpec audit resource has the following special matchers. For a full list of available matchers, please visit our [Universal Matchers page](https://docs.chef.io/inspec/matchers/). + +### exists + +```ruby +# If we expect the resource to always exist. 
+
+describe azure_storage_account_blob_container(resource_group: 'RESOURCE_GROUP', storage_account_name: 'PRODUCTION', name: 'LOGS') do
+ it { should exist }
+end
+```
+
+### not_exists
+
+```ruby
+# If we expect the resource to never exist.
+
+describe azure_storage_account_blob_container(resource_group: 'RESOURCE_GROUP', storage_account_name: 'PRODUCTION', name: 'LOGS') do
+ it { should_not exist }
+end
+```
+
+## Azure permissions
+
+{{% inspec-azure/azure_permissions_service_principal role="contributor" %}}
diff --git a/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_storage_account_blob_containers.md b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_storage_account_blob_containers.md
new file mode 100644
index 0000000..58f3cbc
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_storage_account_blob_containers.md
@@ -0,0 +1,110 @@ ++++ +title = "azure_storage_account_blob_containers resource" + +draft = false + + +[menu.azure] +title = "azure_storage_account_blob_containers" +identifier = "inspec/resources/azure/azure_storage_account_blob_containers resource" +parent = "inspec/resources/azure" ++++ + +Use the `azure_storage_account_blob_containers` InSpec audit resource to test the properties and configuration of Blob Containers within an Azure Storage Account. + +## Azure REST API version, endpoint, and HTTP client parameters + +{{< readfile file="content/reusable/md/inspec_azure_common_parameters.md" >}} + +## Syntax + +The `resource_group` and `storage_account_name` are required parameters. + +```ruby +describe azurerm_storage_account_blob_containers(resource_group: 'RESOURCE_GROUP', storage_account_name: 'PRODUCTION') do + its('names') { should include 'my-container'} +end +``` + +## Parameters + +`resource_group` +: Azure resource group where the targeted resource resides. + +`storage_account_name` +: The name of the storage account within the specified resource group. + +## Properties + +`ids` +: A list of the unique resource IDs. + + Field: `id` + +`locations` +: A list of locations for all the resources being interrogated. + + Field: `location` + +`names` +: A list of names of all the resources being interrogated. + + Field: `name` + +`tags` +: A list of `tag:value` pairs defined on the resources being interrogated. + + Field: `tags` + +`etags` +: A list of etags defined on the resources. 
+
+ Field: `etag`
+
+{{< note >}}
+
+{{< readfile file="content/reusable/md/inspec_filter_table.md" >}}
+
+{{< /note>}}
+
+## Examples
+
+Check if a specific container exists:
+
+```ruby
+describe azurerm_storage_account_blob_containers(resource_group: 'RESOURCE_GROUP', storage_account_name: 'PRODUCTION') do
+ its('names') { should include('my-container') }
+end
+```
+
+## Matchers
+
+{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}}
+
+This resource has the following special matchers.
+
+### exists
+
+The control passes if the filter returns at least one result. Use `should_not` if you expect zero matches.
+
+If we expect at least one resource to exist on a specified account:
+
+```ruby
+describe azurerm_storage_account_blob_containers(resource_group: 'RESOURCE_GROUP', storage_account_name: 'PRODUCTION') do
+ it { should exist }
+end
+```
+
+### not_exists
+
+If we expect not to exist containers on a specified account:
+
+```ruby
+describe azurerm_storage_account_blob_containers(resource_group: 'RESOURCE_GROUP', storage_account_name: 'PRODUCTION') do
+ it { should_not exist }
+end
+```
+
+## Azure permissions
+
+{{% inspec-azure/azure_permissions_service_principal role="contributor" %}}
diff --git a/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_storage_accounts.md b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_storage_accounts.md
new file mode 100644
index 0000000..ee2a5f8
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_storage_accounts.md
@@ -0,0 +1,120 @@ ++++ +title = "azure_storage_accounts resource" + +draft = false + + +[menu.azure] +title = "azure_storage_accounts" +identifier = "inspec/resources/azure/azure_storage_accounts resource" +parent = "inspec/resources/azure" ++++ + +Use the `azure_storage_accounts` InSpec audit resource to test the properties and configuration of multiple Azure Storage accounts. + +## Azure REST API version, endpoint, and HTTP client parameters + +{{< readfile file="content/reusable/md/inspec_azure_common_parameters.md" >}} + +## Syntax + +An `azure_storage_accounts` resource block returns all Azure storage accounts, either within a resource group (if provided) or an entire subscription. + +```ruby +describe azure_storage_accounts do + #... +end +``` + +Or + +```ruby +describe azure_storage_accounts(resource_group: 'RESOURCE_GROUP') do + #... +end +``` + +## Parameters + +`resource_group` _(optional)_ + +: The name of the resource group. + +## Properties + +`ids` +: A list of the unique resource IDs. + + Field: `id` + +`locations` +: A list of locations for all the resources being interrogated. + + Field: `location` + +`names` +: A list of names of all the resources being interrogated. + + Field: `name` + +`type` +: A list of types of all the resources being interrogated. + + Field: `type` + +`tags` +: A list of `tag:value` pairs defined on the resources being interrogated. + + Field: `tags` + +`properties` +: A list of all properties of all the resources. + + Field: `properties` +{{< note >}} + +{{< readfile file="content/reusable/md/inspec_filter_table.md" >}} + +{{< /note>}} + +## Examples + +Check if a specific storage account exists: + +```ruby +describe azurerm_storage_accounts(resource_group: 'RESOURCE_GROUP') do + its('names') { should include('mysa') } +end +``` + +## Matchers + +{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}} + +This resource has the following special matchers. 
+
+### exists
+
+The control passes if the filter returns at least one result. Use `should_not` if you expect zero matches.
+
+```ruby
+# If we expect at least one account to exist in a resource group.
+
+describe azure_storage_accounts(resource_group: 'RESOURCE_GROUP') do
+ it { should exist }
+end
+```
+
+### not_exists
+
+```ruby
+# If we expect no storage accounts to exist in a resource group.
+
+describe azure_storage_accounts(resource_group: 'RESOURCE_GROUP') do
+ it { should_not exist }
+end
+```
+
+## Azure permissions
+
+{{% inspec-azure/azure_permissions_service_principal role="reader" %}}
diff --git a/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_streaming_analytics_function.md b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_streaming_analytics_function.md
new file mode 100644
index 0000000..ec9e28d
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_streaming_analytics_function.md
@@ -0,0 +1,109 @@ ++++ +title = "azure_streaming_analytics_function resource" + +draft = false + + +[menu.azure] +title = "azure_streaming_analytics_function" +identifier = "inspec/resources/azure/azure_streaming_analytics_function resource" +parent = "inspec/resources/azure" ++++ + +Use the `azure_streaming_analytics_function` InSpec audit resource to test the properties and configuration of an Azure Streaming Analytics function. + +## Azure REST API version, endpoint, and HTTP client parameters + +{{< readfile file="content/reusable/md/inspec_azure_common_parameters.md" >}} + +## Syntax + +`resource_group`,`job_name/name`, and `function_name` are required parameters. + +```ruby +describe azure_streaming_analytics_function(resource_group: 'RESOURCE_GROUP', job_name: 'JOB_NAME', function_name: 'FUNCTION_NAME') do + it { should exist } +end +``` + +## Parameters + +`resource_group` +: Azure resource group where the targeted resource resides. + +`job_name` +: Name of the job. + +`function_name` +: Name of the function made in the job mentioned. + +All three parameters are required for a valid query. + +## Properties + +`properties.binding` +: The physical binding of the function. For example, in the Azure Machine Learning web service's case, this describes the endpoint. + +`properties.inputs` +: A list of inputs describing the parameters of the function. + +`properties.binding` +: The output of the function. + +`etag` +: The current entity tag for the function. + +For properties applicable to all resources, such as `type`, `name`, `id`, and `properties`, refer to [`azure_generic_resource`](azure_generic_resource#properties). + +Also, see the [Azure documentation](https://docs.microsoft.com/en-us/rest/api/streamanalytics/) for other available properties. +You can access any attribute in the response with the key names separated by dots (`.`). For example, `properties.`. 
+
+## Examples
+
+Test that a resource group has the specified type:
+
+```ruby
+describe azure_streaming_analytics_function(resource_group: 'RESOURCE_GROUP', job_name: 'JOB_NAME', function_name: 'FUNCTION_NAME') do
+ it { should exist }
+ its('type') { should cmp 'Microsoft.StreamAnalytics/streamingjobs/functions' }
+ its('properties.type') { should cmp 'Scalar' }
+end
+```
+
+## Matchers
+
+{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}}
+
+This resource has the following special matchers.
+
+Test streaming function to ensure it's using Javascript UDF:
+
+```ruby
+describe azure_streaming_analytics_function(resource_group: 'RESOURCE_GROUP', job_name: 'JOB_NAME', function_name: 'FUNCTION_NAME') do
+ its('properties.binding.type') { should cmp 'Microsoft.StreamAnalytics/JavascriptUdf' }
+end
+```
+
+### exists
+
+If we expect a resource to always exist.
+
+```ruby
+describe azure_streaming_analytics_function(resource_group: 'RESOURCE_GROUP', job_name: 'JOB_NAME', function_name: 'FUNCTION_NAME') do
+ it { should exist }
+end
+```
+
+### not_exists
+
+If we expect a resource to never exist.
+
+```ruby
+describe azure_streaming_analytics_function(resource_group: 'RESOURCE_GROUP', job_name: 'JOB_NAME', function_name: 'FUNCTION_NAME') do
+ it { should_not exist }
+end
+```
+
+## Azure permissions
+
+{{% inspec-azure/azure_permissions_service_principal role="contributor" %}}
diff --git a/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_streaming_analytics_functions.md b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_streaming_analytics_functions.md
new file mode 100644
index 0000000..13a45ab
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_streaming_analytics_functions.md
@@ -0,0 +1,109 @@ ++++ +title = "azure_streaming_analytics_functions resource" + +draft = false + + +[menu.azure] +title = "azure_streaming_analytics_functions" +identifier = "inspec/resources/azure/azure_streaming_analytics_functions resource" +parent = "inspec/resources/azure" ++++ + +Use the `azure_streaming_analytics_functions` InSpec audit resource to test the properties and configuration of multiple Azure Streaming Analytics functions. + +## Azure REST API version, endpoint, and HTTP client parameters + +{{< readfile file="content/reusable/md/inspec_azure_common_parameters.md" >}} + +## Syntax + +An `azure_streaming_analytics_functions` resource block returns all functions under a job. + +```ruby +describe azure_streaming_analytics_functions(resource_group: "RESOURCE_GROUP", job_name: "AZURE_STREAMING_JOB_NAME") do + #... +end +``` + +## Parameters + +`resource_group` _(required)_ + +: Azure resource group where the targeted resource resides. + +`job_name` _(required)_ + +: Name of the job. + +## Properties + +`ids` +: A list of the unique resource IDs. + + Field: `id` + +`names` +: A list of names of all the resources being interrogated. + + Field: `name` + +`tags` +: A list of `tag:value` pairs defined on the resources being interrogated. + + Field: `tags` + +`properties` +: A list of properties for all the resources being interrogated. + + Field: `properties` + +Also, see the [Azure documentation](https://docs.microsoft.com/en-us/rest/api/streamanalytics/) for other available properties. +You can access any attribute in the response with the key names separated by dots (`.`). For example, `properties.`. 
+
+{{< note >}}
+
+{{< readfile file="content/reusable/md/inspec_filter_table.md" >}}
+
+{{< /note>}}
+
+## Examples
+
+Test that the names should be an array:
+
+```ruby
+describe azure_streaming_analytics_functions(resource_group: "RESOURCE_GROUP", job_name: "AZURE_STREAMING_JOB_NAME") do
+ its('names') { should be_an(Array) }
+end
+
+```
+
+## Matchers
+
+{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}}
+
+This resource has the following special matchers.
+
+### exists
+
+The control passes if the filter returns at least one result.
+
+```ruby
+describe azure_streaming_analytics_functions(resource_group: "RESOURCE_GROUP", job_name: "AZURE_STREAMING_JOB_NAME") do
+ it { should exist }
+end
+```
+
+### not_exists
+
+Use `should_not` if you expect zero matches.
+
+```ruby
+describe azure_streaming_analytics_functions(resource_group: "RESOURCE_GROUP", job_name: "AZURE_STREAMING_JOB_NAME") do
+ it { should_not exist }
+end
+```
+
+## Azure permissions
+
+{{% inspec-azure/azure_permissions_service_principal role="contributor" %}}
diff --git a/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_subnet.md b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_subnet.md
new file mode 100644
index 0000000..5787f66
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_subnet.md
@@ -0,0 +1,115 @@ ++++ +title = "azure_subnet resource" + +draft = false + + +[menu.azure] +title = "azure_subnet" +identifier = "inspec/resources/azure/azure_subnet resource" +parent = "inspec/resources/azure" ++++ + +Use the `azure_subnet` InSpec audit resource to test the properties related to a subnet for a given virtual network. + +## Azure REST API version, endpoint, and HTTP client parameters + +{{< readfile file="content/reusable/md/inspec_azure_common_parameters.md" >}} + +## Syntax + +`resource_group`, `vnet`, and `name`, or the `resource_id` are required parameters. + +```ruby +describe azure_subnet(resource_group: 'RESOURCE_GROUP', vnet: 'VNET_NAME', name: 'SUBNET_NAME') do + it { should exist } +end +``` + +```ruby +describe azure_subnet(resource_id: '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroup}/providers/Microsoft.Network/virtualNetworks/{vnName}/subnets/{subnetName}') do + it { should exist } +end +``` + +## Parameters + +`resource_group` +: Azure resource group where the targeted resource resides. + +`vnet` +: Name of the Azure virtual network where the subnet is created. + +`name` +: Name of the Azure subnet to test. + +`resource_id` +: The unique resource ID. + +Provide one of the following parameter sets for a valid query: + +- `resource_id` +- `resource_group`, `vnet`, and `name` + +## Properties + +`address_prefix` + +: The address prefix for the subnet. + +`nsg` + +: The network security group attached to the subnet. + +For properties applicable to all resources, such as `type`, `name`, `id`, and `properties`, refer to [`azure_generic_resource`](azure_generic_resource#properties). + +Also, see the [Azure documentation](https://docs.microsoft.com/en-us/rest/api/virtualnetwork/subnets/get#subnet) for other available properties. +Any property in the response may be accessed with the key names separated by dots (`.`). 
+
+## Examples
+
+Ensure that the subnets address prefix is configured as expected:
+
+```ruby
+describe azure_subnet(resource_group: 'RESOURCE_GROUP', vnet: 'VNET_NAME', name: 'SUBNET_NAME') do
+ its('address_prefix') { should eq '192.168.0.0/24' }
+end
+```
+
+Ensure that the subnet is attached to the right network security group:
+
+```ruby
+describe azure_subnet(resource_group: 'RESOURCE_GROUP', vnet: 'VNET_NAME', name: 'SUBNET_NAME') do
+ its('nsg') { should eq 'NetworkSecurityGroupName'}
+end
+```
+
+## Matchers
+
+{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}}
+
+This resource has the following special matchers.
+
+### exists
+
+```ruby
+# If a subnet is found, it will exist.
+
+describe azure_subnet(resource_group: 'RESOURCE_GROUP', vnet: 'VNET_NAME', name: 'SUBNET_NAME') do
+ it { should exist }
+end
+```
+
+### not_exists
+
+```ruby
+# subnets that aren't found, will not exist.
+
+describe azure_subnet(resource_group: 'RESOURCE_GROUP', vnet: 'VNET_NAME', name: 'SUBNET_NAME') do
+ it { should_not exist }
+end
+```
+
+## Azure permissions
+
+{{% inspec-azure/azure_permissions_service_principal role="contributor" %}}
diff --git a/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_subnets.md b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_subnets.md
new file mode 100644
index 0000000..fca2014
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_subnets.md
@@ -0,0 +1,97 @@ ++++ +title = "azure_subnets resource" + +draft = false + + +[menu.azure] +title = "azure_subnets" +identifier = "inspec/resources/azure/azure_subnets resource" +parent = "inspec/resources/azure" ++++ + +Use the `azure_subnets` InSpec audit resource to test the properties related to subnets of a virtual network. + +## Azure REST API version, endpoint, and HTTP client parameters + +{{< readfile file="content/reusable/md/inspec_azure_common_parameters.md" >}} + +## Syntax + +The `resource_group` and `vnet` are required parameters. + +```ruby +describe azure_subnets(resource_group: 'RESOURCE_GROUP', vnet: 'VNET_NAME') do + #... +end +``` + +## Parameters + +`resource_group` +: Azure resource group where the targeted resource resides. + +`vnet` +: The virtual network where the subnet you wish to test is a part of. + +## Properties + +`ids` +: A list of the unique resource IDs. + + Field: `id` + +`names` +: A list of all the resources being interrogated. + + Field: `name` + +`etags` +: A list of etags defined on the resources. + + Field: `etag` + +{{< note >}} + +{{< readfile file="content/reusable/md/inspec_filter_table.md" >}} + +{{< /note>}} + +## Examples + +Exists if any subnets exist for a specified virtual network in the resource group: + +```ruby +describe azure_subnets(resource_group: 'RESOURCE_GROUP', vnet: 'VNET_NAME') do + it { should exist } +end +``` + +Filters the results to only those that match the specified name: + +```ruby +describe azure_subnets(resource_group: 'RESOURCE_GROUP', vnet: 'VNET_NAME') + .where(name: 'MySubnet') do + it { should exist } +end +``` + +## Matchers + +{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}} + +This resource has the following special matchers. + +### exists + +```ruby +# Should not exist if no subnets are in the virtual network. 
+
+describe azure_subnets(resource_group: 'RESOURCE_GROUP', vnet: 'VNET_NAME') do
+ it { should_not exist }
+end
+```
+
+## Azure permissions
+
+{{% inspec-azure/azure_permissions_service_principal role="contributor" %}}
diff --git a/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_subscription.md b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_subscription.md
new file mode 100644
index 0000000..c2dc0c0
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_subscription.md
@@ -0,0 +1,168 @@
++++
+title = "azure_subscription resource"
+
+draft = false
+
+
+[menu.azure]
+title = "azure_subscription"
+identifier = "inspec/resources/azure/azure_subscription resource"
+parent = "inspec/resources/azure"
++++
+
+Use the `azure_subscription` InSpec audit resource to test the properties of the current subscription.
+
+## Azure REST API version, endpoint, and HTTP client parameters
+
+{{< readfile file="content/reusable/md/inspec_azure_common_parameters.md" >}}
+
+## Syntax
+
+This resource will retrieve the current subscription ID that InSpec uses unless it is provided via `id` or `resource_id` parameters.
+
+```ruby
+describe azure_subscription do
+ it { should exist }
+end
+```
+
+Or
+
+```ruby
+describe azure_subscription(id: '2e0b423p-aaaa-bbbb-1111-ee558463aabbd') do
+ it { should exist }
+end
+```
+
+Or
+
+```ruby
+describe azure_subscription(resource_id: '/subscriptions/2e0b423p-aaaa-bbbb-1111-ee558463aabbd') do
+ it { should exist }
+end
+```
+
+## Parameters
+
+`id`
+: The ID of the target subscription. `2e0b423p-aaaa-bbbb-1111-ee558463aabbd`.
+
+`resource_id`
+: The fully qualified ID for the subscription. `/subscriptions/2e0b423p-aaaa-bbbb-1111-ee558463aabbd`.
+
+`locations_api_version`
+: The endpoint API version for the `locations` property. Optional. The latest version will be used unless provided.
+
+## Properties
+
+`name`
+: The subscription display name.
+
+`id`
+: The subscription ID. `2e0b423p-aaaa-bbbb-1111-ee558463aabbd`.
+
+`locations`
+: The list of all available geo-location names that have the `metadata.physicalLocation` is set.
+
+`all_locations`
+: The list of all available geo-location names. This includes physical and logical locations.
+
+`physical_locations*`
+: The list of all available geo-location names with the `metadata.regionType` is set to `Physical`.
+
+`logical_locations`
+: The list of all available geo-location names with the `metadata.regionType` is set to `Logical`.
+
+`locations_list`
+: The list of all available geo-location objects in [this](https://docs.microsoft.com/en-us/rest/api/resources/subscriptions/listlocations#location) format.
+
+`managedByTenants`
+: An array containing the [tenants](https://docs.microsoft.com/en-us/rest/api/resources/subscriptions/get#managedbytenant) managing the subscription.
+
+`diagnostic_settings`
+: The diagnostic settings set at a subscription level.
+
+`diagnostic_settings_enabled_logging`
+: The enabled logging types from diagnostic settings set at a subscription level.
+
+`diagnostic_settings_disabled_logging`
+: The disabled logging types from diagnostic settings set at a subscription level.
+
+* `physical_locations` might be different than the `locations` property depending on the API version.
+This is because of the change in the Azure API terminology. It is advised to see the [official documentation](https://docs.microsoft.com/en-us/rest/api/resources/subscriptions/listlocations) for more information.
+
+For properties applicable to all resources, such as `type` and `properties`, refer to [`azure_generic_resource`](azure_generic_resource#properties).
+
+Also, see the [Azure documentation](https://docs.microsoft.com/en-us/rest/api/resources/subscriptions/get#subscription) for other available properties. You can access any attribute in the response with the key names separated by dots (`.`). For example, `properties.`.
+
+## Examples
+
+Test subscription`s display name:
+
+```ruby
+describe azure_subscription do
+ its('name') { should cmp 'Demo Resources' }
+end
+```
+
+Test subscription`s authorization source:
+
+```ruby
+describe azure_subscription do
+ its('authorizationSource') { should cmp 'RoleBased' }
+end
+```
+
+Test subscription`s locations:
+
+```ruby
+describe azure_subscription do
+ its('locations') { should include('eastus') }
+end
+```
+
+Test subscription`s enabled logging types (via diagnostic settings):
+
+```ruby
+describe azure_subscription do
+ its('diagnostic_settings_enabled_logging_types') { should include('ResourceHealth') }
+end
+```
+
+Test subscription`s disabled logging types (via diagnostic settings):
+
+```ruby
+describe azure_subscription do
+ its('diagnostic_settings_disabled_logging_types') { should include('Recommendation') }
+end
+```
+
+## Matchers
+
+{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}}
+
+This resource has the following special matchers.
+
+### exists
+
+```ruby
+# If we expect a resource to always exist.
+
+describe azure_subscription do
+ it { should exist }
+end
+```
+
+### not_exists
+
+```ruby
+# If we expect a resource to never exist.
+
+describe azure_subscription(id: 'fake_id') do
+ it { should_not exist }
+end
+```
+
+## Azure permissions
+
+{{% inspec-azure/azure_permissions_service_principal role="contributor" %}}
diff --git a/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_subscriptions.md b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_subscriptions.md
new file mode 100644
index 0000000..e77f207
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_subscriptions.md
@@ -0,0 +1,89 @@
++++
+title = "azure_subscriptions resource"
+
+draft = false
+
+
+[menu.azure]
+title = "azure_subscriptions"
+identifier = "inspec/resources/azure/azure_subscriptions resource"
+parent = "inspec/resources/azure"
++++
+
+Use the `azure_subscriptions` InSpec audit resource to test the properties and configuration of all Azure subscriptions for a tenant.
+
+## Azure REST API version, endpoint, and HTTP client parameters
+
+{{< readfile file="content/reusable/md/inspec_azure_common_parameters.md" >}}
+
+## Syntax
+
+An `azure_subscriptions` resource block returns all subscriptions for a tenant.
+
+```ruby
+describe azure_subscriptions do
+ it { should exist }
+end
+```
+
+## Parameters
+
+This resource does not require any parameters.
+
+## Properties
+
+`ids`
+: A list of the subscription IDs.
+
+ Field: `id`
+
+`names`
+: A list of display names of all the subscriptions.
+
+ Field: `name`
+
+`tags`
+: A list of `tag:value` pairs defined on the subscriptions.
+
+ Field: `tags`
+
+`tenant_ids`
+: A list of tenant IDs of all the subscriptions.
+
+ Field: `tenant_id`
+
+{{< note >}}
+
+{{< readfile file="content/reusable/md/inspec_filter_table.md" >}}
+
+{{< /note>}}
+
+## Examples
+
+Check a specific subscription is present:
+
+```ruby
+describe azure_subscriptions do
+ its('names') { should include 'my-subscription' }
+end
+```
+
+## Matchers
+
+{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}}
+
+This resource has the following special matchers.
+
+### exists
+
+The control passes if the filter returns at least one result. Use `should_not` if you expect zero matches.
+
+```ruby
+describe azure_subscriptions do
+ it { should exist }
+end
+```
+
+## Azure permissions
+
+{{% inspec-azure/azure_permissions_service_principal role="contributor" %}}
diff --git a/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_synapse_notebook.md b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_synapse_notebook.md
new file mode 100644
index 0000000..d42835d
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_synapse_notebook.md
@@ -0,0 +1,115 @@
++++
+title = "azure_synapse_notebook resource"
+
+draft = false
+
+
+[menu.azure]
+title = "azure_synapse_notebook"
+identifier = "inspec/resources/azure/azure_synapse_notebook resource"
+parent = "inspec/resources/azure"
++++
+
+Use the `azure_synapse_notebook` InSpec audit resource to test the properties related to an Azure Synapse notebook in a Synapse workspace.
+
+## Azure REST API version, endpoint, and HTTP client parameters
+
+{{< readfile file="content/reusable/md/inspec_azure_common_parameters.md" >}}
+
+## Syntax
+
+This resource requires the `endpoint` and `name` parameters for a valid query.
+
+```ruby
+describe azure_synapse_notebook(endpoint: 'WORKSPACE_DEVELOPMENT_ENDPOINT', name: 'NOTEBOOK_NAME') do
+ it { should exist }
+end
+```
+
+```ruby
+describe azure_synapse_notebook(endpoint: 'WORKSPACE_DEVELOPMENT_ENDPOINT', name: 'NOTEBOOK_NAME') do
+ it { should exist }
+ its('name') { should eq 'NOTEBOOK_NAME' }
+ its('type') { should eq 'Microsoft.Synapse/workspaces/notebooks' }
+ its('properties.sessionProperties.executorCores') { should eq CORE_NUMBER }
+end
+```
+
+## Parameters
+
+`endpoint`
+: The Azure Synapse workspace development endpoint.
+
+`name`
+: Name of the Azure Synapse Notebook to test.
+
+This resource requires the `endpoint` and `name` parameters for a valid query.
+
+## Properties
+
+`id`
+: Fully qualified resource ID for the resource.
+
+`name`
+: The name of the resource.
+
+`type`
+: The type of the resource.
+
+`etag`
+: The resource Etag.
+
+`properties`
+: The properties of the notebook.
+
+For properties applicable to all resources, such as `type`, `name`, `id`, and `properties`, refer to [`azure_generic_resource`](azure_generic_resource#properties).
+
+Also, see the [Azure documentation](https://docs.microsoft.com/en-us/rest/api/synapse/data-plane/notebook/get-notebook) for other available properties.
+
+Access any property in the response by separating the key names with a period (`.`).
+
+## Examples
+
+Test that there are four cores for each executor:
+
+```ruby
+describe azure_synapse_notebook(endpoint: 'WORKSPACE_DEVELOPMENT_ENDPOINT', name: 'NOTEBOOK_NAME') do
+ its('properties.sessionProperties.executorCores') { should eq 4 }
+end
+```
+
+Test that the notebook uses the Python kernel:
+
+```ruby
+describe azure_synapse_notebook(endpoint: 'WORKSPACE_DEVELOPMENT_ENDPOINT', name: 'NOTEBOOK_NAME') do
+ its('properties.metadata.language_info.name') { should 'Python' }
+end
+```
+
+## Matchers
+
+{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}}
+
+### exists
+
+```ruby
+# If a Synapse Notebook is found, it will exist.
+
+describe azure_synapse_notebook(endpoint: 'WORKSPACE_DEVELOPMENT_ENDPOINT', name: 'NOTEBOOK_NAME') do
+ it { should exist }
+end
+```
+
+### not_exists
+
+```ruby
+# Synapse Notebooks that aren't found, will not exist.
+
+describe azure_synapse_notebook(endpoint: 'WORKSPACE_DEVELOPMENT_ENDPOINT', name: 'NOTEBOOK_NAME') do
+ it { should_not exist }
+end
+```
+
+## Azure permissions
+
+{{% inspec-azure/azure_permissions_service_principal role="contributor" %}}
diff --git a/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_synapse_notebooks.md b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_synapse_notebooks.md
new file mode 100644
index 0000000..306379d
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_synapse_notebooks.md
@@ -0,0 +1,117 @@
++++
+title = "azure_synapse_notebooks resource"
+
+draft = false
+
+
+[menu.azure]
+title = "azure_synapse_notebooks"
+identifier = "inspec/resources/azure/azure_synapse_notebooks resource"
+parent = "inspec/resources/azure"
++++
+
+Use the `azure_synapse_notebooks` InSpec audit resource to test the properties related to all Azure Synapse notebooks in a Synapse Analytics workspace.
+
+## Azure REST API version, endpoint, and HTTP client parameters
+
+{{< readfile file="content/reusable/md/inspec_azure_common_parameters.md" >}}
+
+## Syntax
+
+An `azure_synapse_notebooks` resource block returns all Azure Synapse notebooks within a Synapse workspace.
+
+```ruby
+describe azure_synapse_notebooks(endpoint: 'WORKSPACE_DEVELOPMENT_ENDPOINT') do
+ #...
+end
+```
+
+## Parameters
+
+This resource requires the `endpoint` parameter for a valid query.
+
+`endpoint`
+: The Azure Synapse workspace development endpoint.
+
+## Properties
+
+`ids`
+: A list of the unique fully qualified resource IDs.
+
+ Field: `id`
+
+`names`
+: A list of names for all the Synapse notebooks.
+
+ Field: `name`
+
+`types`
+: A list of types for all the resources.
+
+ Field: `type`
+
+`properties`
+: A list of properties for all the notebooks.
+
+ Field: `properties`
+
+`etags`
+: A list of resource Etags.
+
+ Field: `tags`
+
+{{< note >}}
+
+{{< readfile file="content/reusable/md/inspec_filter_table.md" >}}
+
+{{< /note>}}
+
+## Examples
+
+Loop through Synapse Notebooks by their names:
+
+```ruby
+azure_synapse_notebooks(endpoint: 'WORKSPACE_DEVELOPMENT_ENDPOINT').names.each do |name|
+ describe azure_synapse_notebook(endpoint: 'WORKSPACE_DEVELOPMENT_ENDPOINT', name: name) do
+ it { should exist }
+ end
+end
+```
+
+Test that there are Synapse Notebooks that include a certain string in their names (client-side filtering):
+
+```ruby
+describe azure_synapse_notebooks(endpoint: 'WORKSPACE_DEVELOPMENT_ENDPOINT').where { name.include?('analytics-trends') } do
+ it { should exist }
+end
+```
+
+## Matchers
+
+{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}}
+
+This resource has the following special matchers.
+
+### exists
+
+```ruby
+# Should not exist if there aren't any Synapse notebooks in the resource group.
+
+describe azure_synapse_notebooks(endpoint: 'WORKSPACE_DEVELOPMENT_ENDPOINT') do
+ it { should_not exist }
+end
+```
+
+### not_exists
+
+```ruby
+# Should exist if the filter returns at least one Synapse notebook.
+
+describe azure_synapse_notebooks(endpoint: 'WORKSPACE_DEVELOPMENT_ENDPOINT') do
+ it { should exist }
+end
+```
+
+## Azure permissions
+
+{{% inspec-azure/azure_permissions_service_principal role="contributor" %}}
diff --git a/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_synapse_workspace.md b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_synapse_workspace.md
new file mode 100644
index 0000000..499f0ae
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_synapse_workspace.md
@@ -0,0 +1,105 @@
++++
+title = "azure_synapse_workspace resource"
+
+draft = false
+
+
+[menu.azure]
+title = "azure_synapse_workspace"
+identifier = "inspec/resources/azure/azure_synapse_workspace resource"
+parent = "inspec/resources/azure"
++++
+
+Use the `azure_synapse_workspace` InSpec audit resource to test the properties related to an Azure Synapse workspace.
+
+## Azure REST API version, endpoint, and HTTP client parameters
+
+{{< readfile file="content/reusable/md/inspec_azure_common_parameters.md" >}}
+
+## Syntax
+
+```ruby
+describe azure_synapse_workspace(resource_group: 'RESOURCE_GROUP', name: 'SYNAPSE_WORKSPACE_NAME') do
+ it { should exist }
+ its('type') { should eq 'Microsoft.SqlVirtualMachine/sqlVirtualMachineGroups' }
+ its('location') { should eq 'eastus' }
+end
+```
+
+```ruby
+describe azure_synapse_workspace(resource_group: 'RESOURCE_GROUP', name: 'SYNAPSE_WORKSPACE_NAME') do
+ it { should exist }
+end
+```
+
+## Parameters
+
+`name` _(required)_
+: Name of the Azure Synapse workspace to test.
+
+`resource_group` _(required)_
+: Azure resource group where the targeted resource resides.
+
+## Properties
+
+`id`
+: Resource ID.
+
+`name`
+: Resource name.
+
+`type`
+: Resource type. `Microsoft.Synapse/workspaces`.
+
+`location`
+: The Geo-location where the resource lives.
+
+`properties`
+: The properties of the Synapse workspaces.
+
+`properties.provisioningState`
+: State of the resource.
+
+For properties applicable to all resources, such as `type`, `name`, `id`, and `properties`, refer to [`azure_generic_resource`](azure_generic_resource#properties).
+
+Also, see the [Azure documentation](https://docs.microsoft.com/en-us/rest/api/synapse/workspaces/get) for other available properties.
+
+## Examples
+
+Test that the Synapse workspaces are provisioned successfully:
+
+```ruby
+describe azure_synapse_workspace(resource_group: 'RESOURCE_GROUP', name: 'SYNAPSE_WORKSPACE_NAME') do
+ its('properties.provisioningState') { should eq 'Succeeded' }
+end
+```
+
+## Matchers
+
+{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}}
+
+This resource has the following special matchers.
+
+### exists
+
+```ruby
+# If a Synapse workspace is found, it will exist.
+
+describe azure_synapse_workspace(resource_group: 'RESOURCE_GROUP', name: 'SYNAPSE_WORKSPACE_NAME') do
+ it { should exist }
+end
+```
+
+### not_exists
+
+```ruby
+# If Synapse workspaces are not found, it will not exist.
+
+describe azure_synapse_workspace(resource_group: 'RESOURCE_GROUP', name: 'SYNAPSE_WORKSPACE_NAME') do
+ it { should_not exist }
+end
+```
+
+## Azure permissions
+
+{{% inspec-azure/azure_permissions_service_principal role="reader" %}}
diff --git a/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_synapse_workspaces.md b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_synapse_workspaces.md
new file mode 100644
index 0000000..feaf7b0
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_synapse_workspaces.md
@@ -0,0 +1,120 @@
++++
+title = "azure_synapse_workspaces resource"
+
+draft = false
+
+
+[menu.azure]
+title = "azure_synapse_workspaces"
+identifier = "inspec/resources/azure/azure_synapse_workspaces resource"
+parent = "inspec/resources/azure"
++++
+
+Use the `azure_synapse_workspaces` InSpec audit resource to test the properties related to all Azure Synapse workspaces.
+
+## Azure REST API version, endpoint, and HTTP client parameters
+
+{{< readfile file="content/reusable/md/inspec_azure_common_parameters.md" >}}
+
+## Syntax
+
+An `azure_synapse_workspaces` resource block returns all Azure Synapse workspaces.
+
+```ruby
+describe azure_synapse_workspaces do
+ #...
+end
+```
+
+## Parameters
+
+`resource_group` _(optional)_
+: Azure resource group where the targeted resource resides.
+
+## Properties
+
+`ids`
+: A list of resource IDs.
+
+ Field: `id`
+
+`names`
+: A list of resource names.
+
+ Field: `name`
+
+`types`
+: A list of the resource types.
+
+ Field: `type`
+
+`properties`
+: A list of properties for all the Synapse workspaces.
+
+ Field: `properties`
+
+`locations`
+: A list of the Geo-locations.
+
+ Field: `location`
+
+`provisioningStates`
+: A list of provisioning states of the Synapse workspaces.
+
+ Field: `provisioningState`
+
+{{< note >}}
+
+{{< readfile file="content/reusable/md/inspec_filter_table.md" >}}
+
+{{< /note>}}
+
+## Examples
+
+Loop through Synapse workspaces by their names:
+
+```ruby
+azure_synapse_workspaces.names.each do |name|
+ describe azure_synapse_workspace(resource_group: 'RESOURCE_GROUP', name: name) do
+ it { should exist }
+ end
+end
+```
+
+Test that there are Synapse workspaces that are successfully provisioned:
+
+```ruby
+describe azure_synapse_workspaces(resource_group: 'RESOURCE_GROUP').where(provisioningState: 'Succeeded') do
+ it { should exist }
+end
+```
+
+## Matchers
+
+{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}}
+
+This resource has the following special matchers.
+
+### exists
+
+```ruby
+# Should not exist if no Synapse workspaces are present.
+
+describe azure_synapse_workspaces(resource_group: 'RESOURCE_GROUP') do
+ it { should_not exist }
+end
+```
+
+### not_exists
+
+```ruby
+# Should exist if the filter returns at least one Synapse workspace.
+
+describe azure_synapse_workspaces(resource_group: 'RESOURCE_GROUP') do
+ it { should exist }
+end
+```
+
+## Azure permissions
+
+{{% inspec-azure/azure_permissions_service_principal role="reader" %}}
diff --git a/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_virtual_machine.md b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_virtual_machine.md
new file mode 100644
index 0000000..59a3c67
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_virtual_machine.md
@@ -0,0 +1,157 @@
++++
+title = "azure_virtual_machine resource"
+
+draft = false
+
+
+[menu.azure]
+title = "azure_virtual_machine"
+identifier = "inspec/resources/azure/azure_virtual_machine resource"
+parent = "inspec/resources/azure"
++++
+
+Use the `azure_virtual_machine` InSpec audit resource to test the properties related to a virtual machine.
+
+## Azure REST API version, endpoint, and HTTP client parameters
+
+{{< readfile file="content/reusable/md/inspec_azure_common_parameters.md" >}}
+
+## Syntax
+
+`resource_group` and virtual machine `name`, or the `resource_id` are required parameters.
+
+```ruby
+describe azure_virtual_machine(resource_group: 'RESOURCE_GROUP', name: 'VM_NAME') do
+ it { should exist }
+end
+```
+
+```ruby
+describe azure_virtual_machine(resource_id: '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroup}/providers/Microsoft.Compute/virtualMachines/{vmName}') do
+ it { should exist }
+end
+```
+
+## Parameters
+
+`resource_group`
+: Azure resource group where the targeted resource resides.
+
+`name`
+: Name of the Azure resource to test.
+
+`resource_id`
+: The unique resource ID.
+
+Either one of the parameter sets can be provided for a valid query:
+
+- `resource_id`
+- `resource_group` and `name`
+
+## Properties
+
+`admin_username`
+: The admin user name.
+
+`resources`
+: The virtual machine child extension resources.
+
+`zones`
+: The virtual machine's availability zones. `its('zones') should include('zone1', 'zone2')`.
+
+`installed_extensions_types`
+: List of all installed extensions' types for the virtual machine. `its('installed_extensions_types') { should include('ExtensionType') }`.
+
+`installed_extensions_names`
+: List of all installed extensions' names for the virtual machine. `its('installed_extensions_names') { should include('ExtensionName') }`.
+
+`has_monitoring_agent_installed?`
+: Indicates whether a monitoring agent is installed.
+
+`has_endpoint_protection_installed?`
+: Indicates whether a list of endpoint protection extension types are installed. `it { should have_endpoint_protection_installed(%w{ep_type_1 ep_type_2}) }`.
+
+`has_only_approved_extensions?`
+: Indicates whether only provided extension types are installed. `it { should have_only_approved_extensions(%w{extension_type_1 extension_type_2}) }`.
+
+`os_disk_name`
+: The virtual machine's operating system disk name. `its('os_disk_name') { should cmp 'OsDiskName' }`.
+
+`data_disk_names`
+: The virtual machine's data disk names. `its('data_disk_names') { should include('DataDisk1') }`.
+
+For properties applicable to all resources, such as `type`, `name`, `id`, and `properties`, refer to [`azure_generic_resource`](azure_generic_resource#properties).
+
+Also, see the [Azure documentation](https://docs.microsoft.com/en-us/rest/api/compute/virtualmachines/get#virtualmachine) for other available properties. You can access any attribute in the response with the key names separated by dots (`.`).
+
+## Examples
+
+Ensure that the virtual machine has the expected data Disks:
+
+```ruby
+describe azure_virtual_machine(resource_group: 'MyResourceGroup', name: 'MyVmName') do
+ its('data_disk_names') { should include('DataDisk1') }
+end
+```
+
+Ensure that the Virtual Machine has the Expected Monitoring Agent Installed:
+
+```ruby
+describe azure_virtual_machine(resource_group: 'MyResourceGroup', name: 'MyVmName') do
+ it { should have_monitoring_agent_installed }
+end
+```
+
+## Matchers
+
+{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}}
+
+### exists
+
+```ruby
+# If a virtual machine is found, it will exist.
+
+describe azure_virtual_machine(resource_group: 'RESOURCE_GROUP', name: 'VM_NAME') do
+ it { should exist }
+end
+
+# virtual machines that are not found, will not exist.
+
+describe azure_virtual_machine(resource_group: 'RESOURCE_GROUP', name: 'VM_NAME') do
+ it { should_not exist }
+end
+```
+
+### have_only_approved_extensions
+
+```ruby
+# Check if a virtual machine has only approved extensions. The check will fail if an extension is used that's not on the list.
+
+describe azure_virtual_machine(resource_group: 'RESOURCE_GROUP', name: 'VM_NAME') do
+ it { should have_only_approved_extensions(['ApprovedExtension', 'OtherApprovedExtensions']) }
+end
+```
+
+### have_monitoring_agent_installed
+
+```ruby
+# Will be true if the MicrosoftMonitoringAgent is installed (Windows only).
+
+describe azure_virtual_machine(resource_group: 'MyResourceGroup', name: 'MyVmName') do
+ it { should have_monitoring_agent_installed }
+end
+```
+
+### have_endpoint_protection_installed
+
+```ruby
+# Will be true if any of the given extensions are installed.
+
+describe azure_virtual_machine(resource_group: 'RESOURCE_GROUP', name: 'VM_NAME') do
+ it { should have_endpoint_protection_installed(['Extension1', 'Extension2']) }
+end
+```
+
+## Azure permissions
+
+{{% inspec-azure/azure_permissions_service_principal role="contributor" %}}
diff --git a/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_virtual_machine_disk.md b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_virtual_machine_disk.md
new file mode 100644
index 0000000..081991b
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_virtual_machine_disk.md
@@ -0,0 +1,152 @@
++++
+title = "azure_virtual_machine_disk resource"
+
+draft = false
+
+
+[menu.azure]
+title = "azure_virtual_machine_disk"
+identifier = "inspec/resources/azure/azure_virtual_machine_disk resource"
+parent = "inspec/resources/azure"
++++
+
+Use the `azure_virtual_machine_disk` InSpec audit resource to test the properties and configuration of an Azure disk.
+
+## Azure REST API version, endpoint, and HTTP client parameters
+
+{{< readfile file="content/reusable/md/inspec_azure_common_parameters.md" >}}
+
+## Syntax
+
+`resource_group` and `name`, or the `resource_id` are required parameters.
+
+```ruby
+describe azure_virtual_machine_disk(resource_group: 'RESOURCE_GROUP', name: 'EXAMPLE_DISK') do
+ it { should exist }
+end
+```
+
+```ruby
+describe azure_virtual_machine_disk(resource_id: '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Compute/disks/{diskName}') do
+ it { should exist }
+end
+```
+
+## Parameters
+
+`resource_group`
+: Azure resource group where the targeted resource resides.
+
+`name`
+: Name of the disk to test.
+
+Either one of the parameter sets can be provided for a valid query:
+
+- `resource_id`
+- `resource_group` and `name`
+
+## Properties
+
+`encryption_enabled*`
+: Indicates whether the `properties.EncryptionSettingsCollection.enabled` is `true` or `false`. Note that this will return `nil` unless the encryption status is defined on the resource explicitly.
+
+`rest_encryption_type`
+: The type of key used to encrypt the data of the disk.
+
+`sku`
+: The SKU (pricing tier) of the disk.
+
+`managedBy`
+: A relative URI containing the ID of the VM that has the disk attached.
+
+`properties.diskSizeBytes`
+: The size of the disk in bytes.
+
+* The disk can still be encrypted at rest with a platform key, even though the `encryption_enabled` is `nil`.
See the [Azure Virtual Machines Server-side encryption documentation](https://docs.microsoft.com/en-us/azure/virtual-machines/linux/disk-encryption) for more details on disk encryption.
+
+For properties applicable to all resources, such as `type`, `name`, `location`, `id`, and `properties`, refer to [`azure_generic_resource`](azure_generic_resource#properties).
+
+Also, see the [Azure documentation](https://docs.microsoft.com/en-us/rest/api/compute/disks/get#disk) for other available properties.
+You can access any attribute in the response with the key names separated by dots (`.`). For example, `properties.`.
+
+## Examples
+
+Test if a disk is referenced with a valid name:
+
+```ruby
+describe azure_virtual_machine_disk(resource_group: 'RESOURCE_GROUP', name: 'OS_DISK') do
+ it { should exist }
+end
+```
+
+Test if a disk is referenced with an invalid name:
+
+```ruby
+describe azure_virtual_machine_disk(resource_group: 'RESOURCE_GROUP', name: 'i-dont-exist') do
+ it { should_not exist }
+end
+```
+
+Test the VM that the disk is attached:
+
+```ruby
+describe azure_virtual_machine_disk(resource_group: 'RESOURCE_GROUP', name: 'OS_DISK') do
+ its('managedBy') { should cmp '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroup}/providers/Microsoft.Compute/virtualMachines/{vmName}' }
+end
+```
+
+Test the key type used to encrypt the data at rest:
+
+```ruby
+describe azure_virtual_machine_disk(resource_group: 'RESOURCE_GROUP', name: 'OS_DISK') do
+ its('rest_encryption_type') { should cmp 'EncryptionAtRestWithPlatformKey' }
+end
+```
+
+Test a disk's size in bytes:
+
+```ruby
+describe azure_virtual_machine_disk(resource_group: 'RESOURCE_GROUP', name: 'OS_DISK') do
+ its('properties.diskSizeBytes') { should cmp 136367308800 }
+end
+```
+
+## Matchers
+
+{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}}
+
+This resource has the following special matchers.
+
+### attached
+
+Test if a disk is attached to a virtual machine.
+
+```ruby
+describe azure_virtual_machine_disk(resource_group: 'RESOURCE_GROUP', name: 'OS_DISK') do
+ it { should be_attached }
+end
+```
+
+### exists
+
+```ruby
+# If we expect a resource to always exist.
+
+describe azure_virtual_machine_disk(resource_group: 'RESOURCE_GROUP', name: 'OS_DISK') do
+ it { should exist }
+end
+```
+
+### not_exists
+
+```ruby
+# If we expect a resource to never exist.
+
+describe azure_virtual_machine_disk(resource_group: 'RESOURCE_GROUP', name: 'OS_DISK') do
+ it { should_not exist }
+end
+```
+
+## Azure permissions
+
+{{% inspec-azure/azure_permissions_service_principal role="contributor" %}}
diff --git a/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_virtual_machine_disks.md b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_virtual_machine_disks.md
new file mode 100644
index 0000000..302cdf3
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_virtual_machine_disks.md
@@ -0,0 +1,151 @@
++++
+title = "azure_virtual_machine_disks resource"
+
+draft = false
+
+
+[menu.azure]
+title = "azure_virtual_machine_disks"
+identifier = "inspec/resources/azure/azure_virtual_machine_disks resource"
+parent = "inspec/resources/azure"
++++
+
+Use the `azure_virtual_machine_disks` InSpec audit resource to test the properties related to disks for a resource group or the entire subscription.
+
+## Azure REST API version, endpoint, and HTTP client parameters
+
+{{< readfile file="content/reusable/md/inspec_azure_common_parameters.md" >}}
+
+## Syntax
+
+An `azure_virtual_machine_disks` resource block returns all disks within a resource group (if provided) or an entire subscription.
+
+```ruby
+describe azure_virtual_machine_disks do
+ it { should exist }
+end
+```
+
+Or
+
+```ruby
+describe azure_virtual_machine_disks(resource_group: 'RESOURCE_GROUP') do
+ it { should exist }
+end
+```
+
+## Parameters
+
+`resource_group` _(optional)_
+
+: The name of the resource group.
+
+## Properties
+
+`ids`
+: A list of the unique resource IDs.
+
+ Field: `id`
+
+`attached`
+: Indicates whether the disk is currently mounted to a running VM.
+
+ Field: `attached`
+
+`resource_group`
+: A list of resource groups for all the disks.
+
+ Field: `resource_group`
+
+`names`
+: A list of names for all the disks.
+
+ Field: `name`
+
+`locations`
+: A list of locations of the disks.
+
+ Field: `location`
+
+`properties`
+: A list of properties of the disks.
+
+ Field: `properties`
+
+`tags`
+: A list of `tag:value` pairs defined on the resources.
+
+ Field: `tags`
+
+{{< note >}}
+
+{{< readfile file="content/reusable/md/inspec_filter_table.md" >}}
+
+{{< /note>}}
+
+## Examples
+
+Filter the attached disks:
+
+```ruby
+describe azure_virtual_machine_disks(resource_group: 'RESOURCE_GROUP').where(attached: true) do
+ it { should exist }
+ its('count') { should eq 3}
+end
+```
+
+Loop through disks by their IDs:
+
+```ruby
+azure_virtual_machine_disks.ids.each do |id|
+ describe azure_virtual_machine_disk(resource_id: id) do
+ it { should exist }
+ end
+end
+```
+
+Test that there are disks that include a certain string in their names (client-side filtering):
+
+```ruby
+describe azure_virtual_machine_disks(resource_group: 'RESOURCE_GROUP').where { name.include?('Windows') } do
+ it { should exist }
+end
+```
+
+Test that there are disks that include a certain string in their names (Server Side Filtering via Generic Resource - Recommended):
+
+```ruby
+describe azure_generic_resources(resource_provider: 'Microsoft.Compute/disks', substring_of_name: 'Windows') do
+ it { should exist }
+end
+```
+
+## Matchers
+
+{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}}
+
+This resource has the following special matchers.
+
+### exists
+
+```ruby
+# Should not exist if no disks are in the resource group.
+
+describe azure_virtual_machine_disks(resource_group: 'RESOURCE_GROUP') do
+ it { should_not exist }
+end
+```
+
+### not_exists
+
+```ruby
+# Should exist if the filter returns a single virtual machine.
+
+describe azure_virtual_machine_disks.where(attached: true ) do
+ it { should exist }
+end
+```
+
+## Azure permissions
+
+{{% inspec-azure/azure_permissions_service_principal role="contributor" %}}
diff --git a/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_virtual_machines.md b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_virtual_machines.md
new file mode 100644
index 0000000..23a1e65
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_virtual_machines.md 
@@ -0,0 +1,161 @@ ++++ +title = "azure_virtual_machines resource" + +draft = false + + +[menu.azure] +title = "azure_virtual_machines" +identifier = "inspec/resources/azure/azure_virtual_machines resource" +parent = "inspec/resources/azure" ++++ + +Use the `azure_virtual_machines` InSpec audit resource to test the properties related to virtual machines for a resource group or the entire subscription. + +## Azure REST API version, endpoint, and HTTP client parameters + +{{< readfile file="content/reusable/md/inspec_azure_common_parameters.md" >}} + +## Syntax + +An `azure_virtual_machines` resource block returns all Azure virtual machines within a resource group (if provided) or an entire subscription. + +```ruby +describe azure_virtual_machines do + #... +end +``` + +Or + +```ruby +describe azure_virtual_machines(resource_group: 'RESOURCE_GROUP') do + #... +end +``` + +## Parameters + +`resource_group` _(optional)_ + +: The name of the resource group. + +## Properties + +`ids` +: A list of the unique resource IDs. + + Field: `id` + +`os_disks` +: A list of OS disk names for all the virtual machines. + + Field: `os_disk` + +`data_disks` +: A list of data disks for all the virtual machines. + + Field: `data_disks` + +`vm_names` +: A list of all the virtual machine names. + + Field: `name` + +`platforms` +: A list of virtual machine operation system platforms. Supported values are `windows` and `linux`. + + Field: `platform` + +`tags` +: A list of `tag:value` pairs defined on the resources. 
+ + Field: `tags` + +{{< note >}} + +{{< readfile file="content/reusable/md/inspec_filter_table.md" >}} + +{{< /note>}} + +## Examples + +Test if any virtual machines exist in the resource group: + +```ruby +describe azure_virtual_machines(resource_group: 'RESOURCE_GROUP') do + it { should exist } +end +``` + +Filters Based on Platform: + +```ruby +describe azure_virtual_machines(resource_group: 'RESOURCE_GROUP').where(platform: 'windows') do + it { should exist } +end +``` + +Loop through virtual machines by their IDs: + +```ruby +azure_virtual_machines.ids.each do |id| + describe azure_virtual_machine(resource_id: id) do + it { should exist } + end +end +``` + +Test if there are Windows virtual machines: + +```ruby +describe azure_virtual_machines(resource_group: 'RESOURCE_GROUP').where(platform: 'windows') do + it { should exist } +end +``` + +Test that there are virtual machines that includes a certain string in their names (client-side filtering): + +```ruby +describe azure_virtual_machines(resource_group: 'MyResourceGroup').where { name.include?('WindowsVm') } do + it { should exist } +end +``` + +Test that there are virtual machine that includes a certain string in their names (Server Side Filtering via Generic Resource - Recommended): + +```ruby +describe azure_generic_resources(resource_group: 'RESOURCE_GROUP', resource_provider: 'Microsoft.Compute/virtualMachine', substring_of_name: 'WindowsVm') do + it { should exist } +end +``` + +## Matchers + +{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}} + +This resource has the following special matchers. + +### exists + +```ruby +# Should not exist if no virtual machines are in the resource group. + +describe azure_virtual_machines(resource_group: 'RESOURCE_GROUP') do + it { should_not exist } +end +``` + +### not_exists + +```ruby +# Should exist if the filter returns a single virtual machine. 
+
+describe azure_virtual_machines(resource_group: 'RESOURCE_GROUP').where(platform: 'windows') do
+ it { should exist }
+end
+```
+
+## Azure permissions
+
+{{% inspec-azure/azure_permissions_service_principal role="contributor" %}}
diff --git a/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_virtual_network.md b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_virtual_network.md
new file mode 100644
index 0000000..3af0107
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_virtual_network.md
@@ -0,0 +1,130 @@ ++++ +title = "azure_virtual_network resource" + +draft = false + + +[menu.azure] +title = "azure_virtual_network" +identifier = "inspec/resources/azure/azure_virtual_network resource" +parent = "inspec/resources/azure" ++++ + +Use the `azure_virtual_network` InSpec audit resource to test the properties related to a virtual network. + +## Azure REST API version, endpoint, and HTTP client parameters + +{{< readfile file="content/reusable/md/inspec_azure_common_parameters.md" >}} + +## Syntax + +`resource_group` and virtual network `name` or the `resource_id` are required parameters. + +```ruby +describe azure_virtual_network(resource_group: 'RESOURCE_GROUP', name: 'VNET_NAME') do + it { should exist } +end +``` + +```ruby +describe azure_virtual_network(resource_id: '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroup}/providers/Microsoft.Network/virtualNetworks/{vnName}') do + it { should exist } +end +``` + +## Parameters + +`resource_group` +: Azure resource group where the targeted resource resides. + +`name` +: Name of the virtual network to test. + +`resource_id` +: The unique resource ID. + +Either one of the parameter sets can be provided for a valid query: + +- `resource_id` +- `resource_group` and `name` + +## Properties + +`subnets` +: The list of subnet names that are attached to this virtual network. `its('subnets') { should eq ["MySubnetName"] }`. + +`address_space` +: The list of address spaces used by the virtual network. `its('address_space') { should eq ["x.x.x.x/x"] }`. + +`dns_servers` +: The list of DNS servers configured for the virtual network. The virtual network returns these IP addresses when virtual machines makes a DHCP request. `its('dns_servers') { should eq ["x.x.x.x", "x.x.x.x"] }`. + +`vnet_peerings` +: A mapping of names and the virtual network ids of the virtual network peerings. `its('vnet_peerings') { should eq "MyVnetPeeringConnection"=>"PeeringConnectionID"}`. 
+ +`enable_ddos_protection` +: Boolean value showing if Azure DDoS standard protection is enabled on the virtual network. `its('enable_ddos_protection') { should eq true }`. + +`enable_vm_protection` +: Boolean value showing if the virtual network has VM protection enabled. `its('enable_vm_protection') { should eq false }`. + +For properties applicable to all resources, such as `type`, `name`, `id`, and `properties`, refer to [`azure_generic_resource`](azure_generic_resource#properties). + +Also, see the [Azure documentation](https://docs.microsoft.com/en-us/rest/api/virtualnetwork/virtualnetworks/get#virtualnetwork) for other available properties. Any property in the response may be accessed with the key names separated by dots (`.`). + +## Examples + +Ensure that the Virtual Network exists in the east US region: + +```ruby +describe azure_virtual_network(resource_group: 'RESOURCE_GROUP', name: 'VNET_NAME') do + it { should exist } + its('location') { should eq 'eastus' } +end +``` + +Ensure that the Virtual Network's DNS servers are configured as expected: + +```ruby +describe azure_virtual_network(resource_group: 'RESOURCE_GROUP', name: 'VNET_NAME') do + its('dns_servers') { should eq ["192.168.0.6"] } +end +``` + +Ensure that the Virtual Network's address space is configured as expected: + +```ruby +describe azure_virtual_network(resource_group: 'RESOURCE_GROUP', name: 'VNET_NAME') do + its('address_space') { should eq ["192.168.0.0/24"] } +end +``` + +## Matchers + +{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}} + +This resource has the following special matchers. + +### exists + +```ruby +# If a virtual network is found, it will exist. + +describe azure_virtual_network(resource_group: 'RESOURCE_GROUP', name: 'VNET_NAME') do + it { should exist } +end +``` + +### not_exists + +```ruby +# Virtual networks that are not found, will not exist. 
+
+describe azure_virtual_network(resource_group: 'RESOURCE_GROUP', name: 'DOESNOTEXIST') do
+ it { should_not exist }
+end
+```
+
+## Azure permissions
+
+{{% inspec-azure/azure_permissions_service_principal role="contributor" %}}
diff --git a/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_virtual_network_gateway.md b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_virtual_network_gateway.md
new file mode 100644
index 0000000..62d3b40
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_virtual_network_gateway.md
@@ -0,0 +1,108 @@ ++++ +title = "azure_virtual_network_gateway resource" + +draft = false + + +[menu.azure] +title = "azure_virtual_network_gateway" +identifier = "inspec/resources/azure/azure_virtual_network_gateway resource" +parent = "inspec/resources/azure" ++++ + +Use the `azure_virtual_network_gateway` InSpec audit resource to test the properties and configuration of an Azure Virtual Network Gateway. + +## Azure REST API version, endpoint, and HTTP client parameters + +{{< readfile file="content/reusable/md/inspec_azure_common_parameters.md" >}} + +## Syntax + +`resource_group` and `name` are required parameters. + +```ruby +describe azure_virtual_network_gateway(resource_group: 'RESOURCE_GROUP', name: 'VIRTUAL_NETWORK_NAME') do + it { should exist } +end +``` + +## Parameters + +`resource_group` _(REQUIRED)_ + +: The Azure resource group where the targeted resource resides. + +`name` _(REQUIRED)_ + +: The unique name of the targeted resource. + +## Properties + +`name` +: The resource name. + +`id` +: The resource ID. + +`etag` +: A unique read-only string that changes whenever the resource is updated. + +`type` +: The resource type. + +`location` +: The resource location. + +`tags` +: The resource tags. + +`properties.bgpSettings` +: The virtual network gateway's BGP speaker settings. + +`properties.provisioningState` +: The provisioning state of the virtual network gateway resource. + +`properties.vpnClientConfiguration` +: The reference to the VpnClientConfiguration resource, which represents the P2S VpnClient configurations. + +For properties applicable to all resources, such as `type`, `name`, `id`, and `properties`, refer to [`azure_generic_resource`](azure_generic_resource#properties). + +Also, see the [Azure documentation](https://docs.microsoft.com/en-us/rest/api/network-gateway/virtual-network-gateways/get) for other available properties. Any attribute in the response is accessed with the key names separated by dots (`.`). 
+ +## Examples + +Test the VPN client protocol of a virtual network gateway: + +```ruby +describe azure_virtual_network_gateway(resource_group: 'RESOURCE_GROUP', name: 'VIRTUAL_NETWORK_NAME') do + its('properties.vpnClientConfiguration.vpnClientProtocols') { should include 'OpenVPN' } +end +``` + +## Matchers + +This InSpec audit resource has the following special matchers. For a full list of available matchers, please visit our [Universal Matchers page](https://docs.chef.io/inspec/matchers/). + +### exists + +```ruby +# If we expect a virtual network gateway to always exist. + +describe azure_virtual_network_gateway(resource_group: 'RESOURCE_GROUP', name: 'VIRTUAL_NETWORK_NAME') do + it { should exist } +end +``` + +### not_exists + +```ruby +# If we expect a virtual network gateway to never exist. + +describe azure_virtual_network_gateway(resource_group: 'RESOURCE_GROUP', name: 'VIRTUAL_NETWORK_NAME') do + it { should_not exist } +end +``` + +## Azure permissions + +{{% inspec-azure/azure_permissions_service_principal role="reader" %}} diff --git a/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_virtual_network_gateway_connection.md b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_virtual_network_gateway_connection.md new file mode 100644 index 0000000..24a9f0e --- /dev/null +++ b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_virtual_network_gateway_connection.md 
@@ -0,0 +1,108 @@ ++++ +title = "azure_virtual_network_gateway_connection resource" + +draft = false + + +[menu.azure] +title = "azure_virtual_network_gateway_connection" +identifier = "inspec/resources/azure/azure_virtual_network_gateway_connection resource" +parent = "inspec/resources/azure" ++++ + +Use the `azure_virtual_network_gateway_connection` InSpec audit resource to test the properties related to an Azure Virtual Network Gateway connection. + +## Azure REST API version, endpoint, and HTTP client parameters + +{{< readfile file="content/reusable/md/inspec_azure_common_parameters.md" >}} + +## Syntax + +`name` and `resource_group` are required parameters. + +```ruby +describe azure_virtual_network_gateway_connection(resource_group: 'RESOURCE_GROUP', name: 'VIRTUAL_NETWORK_NAME') do + it { should exist } +end +``` + +## Parameters + +`name` +: Name of the Azure Virtual Network Gateway connection to test. + +`resource_group` +: Azure resource group name where the targeted resource resides. + +The parameter set should be provided for a valid query is `resource_group` and `name`. + +## Properties + +`id` +: Resource ID. + +`name` +: Resource name. + +`type` +: Resource type. + +`eTag` +: A unique read-only string that changes whenever the resource is updated. + +`location` +: Resource location. + +`properties.provisioningState` +: The provisioning state of the virtual network gateway resource. + +`properties.connectionType` +: Gateway connection type. + +`properties.useLocalAzureIpAddresses` +: Use private local Azure IP for the connection. + +`properties.ipsecPolicies` +: The IPSec Policies to be considered by this connection. + +For properties applicable to all resources, such as `type`, `name`, `id`, and `properties`, refer to [`azure_generic_resource`](azure_generic_resource#properties). + +Also, see the [Azure documentation](https://docs.microsoft.com/en-us/rest/api/network-gateway/virtual-network-gateway-connections/get) for other available properties. 
Any attribute in the response is accessed with the key names separated by dots (`.`). + +## Examples + +Test that the Virtual Network Gateway connection protocol is IKEv1: + +```ruby +describe azure_virtual_network_gateway_connection(resource_group: 'RESOURCE_GROUP', name: 'VIRTUAL_NETWORK_NAME') do + its('connectionProtocol') { should eq 'IKEv1' } +end +``` + +## Matchers + +{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}} + +### exists + +```ruby +# If a Virtual Network Gateway connection is found, it will exist. + +describe azure_virtual_network_gateway_connection(resource_group: 'RESOURCE_GROUP', name: 'VIRTUAL_NETWORK_NAME') do + it { should exist } +end +``` + +### not_exists + +```ruby +# If Virtual Network Gateway connection is not found, it will not exist. + +describe azure_virtual_network_gateway_connection(resource_group: 'RESOURCE_GROUP', name: 'VIRTUAL_NETWORK_NAME') do + it { should_not exist } +end +``` + +## Azure permissions + +{{% inspec-azure/azure_permissions_service_principal role="reader" %}} diff --git a/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_virtual_network_gateway_connections.md b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_virtual_network_gateway_connections.md new file mode 100644 index 0000000..27b6027 --- /dev/null +++ b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_virtual_network_gateway_connections.md 
@@ -0,0 +1,149 @@ ++++ +title = "azure_virtual_network_gateway_connections resource" + +draft = false + + +[menu.azure] +title = "azure_virtual_network_gateway_connections" +identifier = "inspec/resources/azure/azure_virtual_network_gateway_connections resource" +parent = "inspec/resources/azure" ++++ + +Use the `azure_virtual_network_gateway_connections` InSpec audit resource to test the properties related to all Azure Virtual Network Gateway connections within a project. + +## Azure REST API version, endpoint, and HTTP client parameters + +{{< readfile file="content/reusable/md/inspec_azure_common_parameters.md" >}} + +## Syntax + +An `azure_virtual_network_gateway_connections` resource block returns all Azure Virtual Network Gateway connections within a project. + +```ruby +describe azure_virtual_network_gateway_connections(resource_group: 'RESOURCE_GROUP') do + #... +end +``` + +## Parameters + +`resource_group` +: Azure resource group name where the targeted resource resides. + +The parameter set should be provided for a valid query: + +- `resource_group` + +## Properties + +`ids` +: A list of resource IDs. + + Field: `id` + +`names` +: A list of resource names. + + Field: `name` + +`types` +: A list of types. + + Field: `type` + +`eTags` +: A list of eTags. + + Field: `eTag` + +`locations` +: A list of all locations. + + Field: `location` + +`properties` +: A list of Properties for all the virtual network gateway connections. + + Field: `properties` + +`provisioningStates` +: A list of provisioning states. + + Field: `provisioningState` + +`connectionTypes` +: A list of gateway connection types. + + Field: `connectionType` + +`connectionProtocols` +: A list of connection protocols used for this connection. + + Field: `connectionProtocol` + +`useLocalAzureIpAddresses` +: A list of private local Azure IPs for the connection. + + Field: `datacenterManagementServerName` + +`ipsecPolicies` +: A list of all the IPSec policies to be considered by this connection. 
+ + Field: `ipsecPolicies` + +{{< note >}} + +{{< readfile file="content/reusable/md/inspec_filter_table.md" >}} + +{{< /note>}} + +## Examples + +Loop through Virtual Network Gateway connection by their names: + +```ruby +azure_virtual_network_gateway_connections(resource_group: 'RESOURCE_GROUP').names.each do |name| + describe azure_virtual_network_gateway_connection(resource_group: 'RESOURCE_GROUP', name: name) do + it { should exist } + end +end +``` + +Test that there are Virtual Network Gateway connections with IPsec type: + +```ruby +describe azure_virtual_network_gateway_connections(resource_group: 'RESOURCE_GROUP').where(connectionType: 'VPN_CONNECTION_TYPE') do + it { should exist } +end +``` + +## Matchers + +{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}} + +This resource has the following special matchers. + +### exists + +```ruby +# Should not exist if no Virtual Network Gateway connection is present in the project and the resource group. + +describe azure_virtual_network_gateway_connections(resource_group: 'RESOURCE_GROUP') do + it { should_not exist } +end +``` + +### not_exists + +```ruby +# Should exist if the filter returns at least one Virtual Network Gateway connection in the project and the resource group. + +describe azure_virtual_network_gateway_connections(resource_group: 'RESOURCE_GROUP') do + it { should exist } +end +``` + +## Azure permissions + +{{% inspec-azure/azure_permissions_service_principal role="reader" %}} diff --git a/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_virtual_network_gateways.md b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_virtual_network_gateways.md new file mode 100644 index 0000000..7b4a108 --- /dev/null +++ b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_virtual_network_gateways.md 
@@ -0,0 +1,116 @@ ++++ +title = "azure_virtual_network_gateways resource" + +draft = false + + +[menu.azure] +title = "azure_virtual_network_gateways" +identifier = "inspec/resources/azure/azure_virtual_network_gateways resource" +parent = "inspec/resources/azure" ++++ + +Use the `azure_virtual_network_gateways` InSpec audit resource to test the properties and configuration of multiple Azure Virtual Network Gateways. + +## Azure REST API version, endpoint, and HTTP client parameters + +{{< readfile file="content/reusable/md/inspec_azure_common_parameters.md" >}} + +## Syntax + +An `azure_virtual_network_gateways` resource block returns all VPN gateways within a resource group (if provided) or an entire subscription. + +```ruby +describe azure_virtual_network_gateways do + #... +end +``` + +Or + +```ruby +describe azure_virtual_network_gateways(resource_group: 'RESOURCE_GROUP') do + #... +end +``` + +## Parameters + +`resource_group` _(optional)_ + +: The name of the resource group. + +## Properties + +`ids` +: A list of the unique resource IDs. + + Field: `id` + +`locations` +: A list of locations for all the resources being interrogated. + + Field: `location` + +`names` +: A list of names of all the resources being interrogated. + + Field: `name` + +`tags` +: A list of `tag:value` pairs defined on the resources being interrogated. + + Field: `tags` + +`properties` +: A list of properties for all the resources being interrogated. + + Field: `properties` + +{{< note >}} + +{{< readfile file="content/reusable/md/inspec_filter_table.md" >}} + +{{< /note>}} + +## Examples + +Test that an example resource group has the named VPN gateway: + +```ruby +describe azure_virtual_network_gateways(resource_group: 'EXAMPLEGROUP') do + its('names') { should include('ExampleName') } +end +``` + +## Matchers + +{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}} + +This resource has the following special matchers. 
+
+### exists
+
+The control passes if the filter returns at least one result. Use `should_not` if you expect zero matches.
+
+```ruby
+# If we expect 'EXAMPLEGROUP' resource group to have VPN Gateways.
+
+describe azure_virtual_network_gateways(resource_group: 'EXAMPLEGROUP') do
+ it { should exist }
+end
+```
+
+### not_exists
+
+```ruby
+# If we expect 'EMPTYEXAMPLEGROUP' resource group to not have VPN Gateways.
+
+describe azure_virtual_network_gateways(resource_group: 'EMPTYEXAMPLEGROUP') do
+ it { should_not exist }
+end
+```
+
+## Azure permissions
+
+{{% inspec-azure/azure_permissions_service_principal role="contributor" %}}
diff --git a/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_virtual_network_peering.md b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_virtual_network_peering.md
new file mode 100644
index 0000000..6621f4e
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_virtual_network_peering.md
@@ -0,0 +1,101 @@ ++++ +title = "azure_virtual_network_peering resource" + +draft = false + + +[menu.azure] +title = "azure_virtual_network_peering" +identifier = "inspec/resources/azure/azure_virtual_network_peering resource" +parent = "inspec/resources/azure" ++++ + +Use the `azure_virtual_network_peering` InSpec audit resource to test the properties related to peering for a virtual network. + +## Azure REST API version, endpoint, and HTTP client parameters + +{{< readfile file="content/reusable/md/inspec_azure_common_parameters.md" >}} + +## Syntax + +This resource requires either the `resource_id` parameter or the `resource_group`, `vnet,` and `name` parameters. + +```ruby +describe azure_virtual_network_peering(resource_group: 'RESOURCE_GROUP',vnet: 'VIRTUAL-NETWORK-NAME' name: 'VIRTUAL-NETWORK-PEERING-NAME') do + it { should exist } +end +``` + +```ruby +describe azure_virtual_network_peering(resource_id: '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroup}/providers/Microsoft.Network/virtualNetworks/{vnName}/virtualNetworkPeerings/{virtualNetworkPeeringName}') do + it { should exist } +end +``` + +## Parameters + +`resource_group` +: Azure resource group where the targeted resource resides. + +`vnet` +: Name of the Azure virtual network where the virtual network peering is created. + +`name` +: Name of the Azure virtual network peering to test. + +`resource_id` +: The unique resource ID. + +Either one of the parameter sets can be provided for a valid query: + +- `resource_id` +- `resource_group`, `vnet` and `name` + +## Properties + +`peering_state` +: The peering state for the virtual network peering. `its('peering_state') { should eq "Connected" }`. + +For properties applicable to all resources, such as `type`, `name`, `id`, and `properties`, refer to [`azure_generic_resource`](azure_generic_resource#properties). 
+ +Also, see the [Azure documentation](https://docs.microsoft.com/en-us/rest/api/virtualnetwork/virtual-network-peerings/get#virtualnetworkpeering) for other available properties. Any property in the response may be accessed with the key names separated by dots (`.`). + +## Examples + +Ensure that the Virtual Network Peering state is connected: + +```ruby +describe azure_virtual_network_peering(resource_group: 'RESOURCE_GROUP',vnet: 'VIRTUAL-NETWORK-NAME' name: 'VIRTUAL-NETWORK-PEERING-NAME') do + its('peering_state') { should eq 'Connected' } +end +``` + +## Matchers + +{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}} + +This resource has the following special matchers. + +### exists + +```ruby +# If a Virtual Network Peering is found, it will exist. + +describe azure_virtual_network_peering(resource_group: 'RESOURCE_GROUP',vnet: 'VIRTUAL-NETWORK-NAME' name: 'VIRTUAL-NETWORK-PEERING-NAME') do + it { should exist } +end +``` + +### not_exists + +```ruby +# Virtual Network Peerings that are not found, will not exist. + +describe azure_virtual_network_peering(resource_group: 'RESOURCE_GROUP',vnet: 'VIRTUAL-NETWORK-NAME' name: 'VIRTUAL-NETWORK-PEERING-NAME') do + it { should_not exist } +end +``` + +## Azure permissions + +{{% inspec-azure/azure_permissions_service_principal role="contributor" %}} diff --git a/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_virtual_network_peerings.md b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_virtual_network_peerings.md new file mode 100644 index 0000000..29320c2 --- /dev/null +++ b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_virtual_network_peerings.md 
@@ -0,0 +1,97 @@ ++++ +title = "azure_virtual_network_peerings resource" + +draft = false + + +[menu.azure] +title = "azure_virtual_network_peerings" +identifier = "inspec/resources/azure/azure_virtual_network_peerings resource" +parent = "inspec/resources/azure" ++++ + +Use the `azure_virtual_network_peerings` InSpec audit resource to test the properties related to virtual network peerings of a virtual network. + +## Azure REST API version, endpoint, and HTTP client parameters + +{{< readfile file="content/reusable/md/inspec_azure_common_parameters.md" >}} + +## Syntax + +`resource_group` and `vnet` are required parameters. + +```ruby +describe azure_virtual_network_peerings(resource_group: 'RESOURCE_GROUP', vnet: 'VIRTUAL-NETWORK-NAME') do + #... +end +``` + +## Parameters + +`resource_group` +: Azure resource group where the targeted resource resides. + +`vnet` +: The virtual network where the network PEERING you wish to test is part. + +## Properties + +`ids` +: A list of the unique resource IDs. + + Field: `id` + +`names` +: A list of all the resources being interrogated. + + Field: `name` + +`etags` +: A list of etags defined on the resources. + + Field: `etag` + +{{< note >}} + +{{< readfile file="content/reusable/md/inspec_filter_table.md" >}} + +{{< /note>}} + +## Examples + +Exists if any virtual network peerings exist for a given virtual network in the resource group: + +```ruby +describe azure_virtual_network_peerings(resource_group: 'MyResourceGroup', vnet: 'virtual-network-name') do + it { should exist } +end +``` + +Filters the results to only those that match the given name: + +```ruby +describe azure_virtual_network_peerings(resource_group: 'RESOURCE_GROUP', vnet: 'VIRTUAL-NETWORK-NAME') do + .where(name: 'MyVirtualNetworkPeering') do + it { should exist } +end +``` + +## Matchers + +{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}} + +This resource has the following special matchers. 
+
+### exists
+
+```ruby
+# Should not exist if no virtual network peerings are in the virtual network.
+
+describe azure_virtual_network_peerings(resource_group: 'RESOURCE_GROUP', vnet: 'VIRTUAL-NETWORK-NAME') do
+ it { should_not exist }
+end
+```
+
+## Azure permissions
+
+{{% inspec-azure/azure_permissions_service_principal role="contributor" %}}
diff --git a/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_virtual_networks.md b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_virtual_networks.md
new file mode 100644
index 0000000..b5c7329
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_virtual_networks.md
@@ -0,0 +1,141 @@ ++++ +title = "azure_virtual_networks resource" + +draft = false + + +[menu.azure] +title = "azure_virtual_networks" +identifier = "inspec/resources/azure/azure_virtual_networks resource" +parent = "inspec/resources/azure" ++++ + +Use the `azure_virtual_networks` InSpec audit resource to test the properties related to virtual networks within your subscription. + +## Azure REST API version, endpoint, and HTTP client parameters + +{{< readfile file="content/reusable/md/inspec_azure_common_parameters.md" >}} + +## Syntax + +An `azure_virtual_networks` resource block returns all Azure virtual networks within a resource group (if provided) or an entire subscription. + +```ruby +describe azure_virtual_networks do + #... +end +``` + +Or + +```ruby +describe azure_virtual_networks(resource_group: 'RESOURCE_GROUP') do + #... +end +``` + +## Parameters + +`resource_group` _(optional)_ + +: The name of the resource group. + +## Properties + +`ids` +: A list of the unique resource IDs. + + Field: `id` + +`locations` +: A list of locations for all the virtual networks. + + Field: `location` + +`names` +: A list of all the virtual network names. + + Field: `name` + +`tags` +: A list of `tag:value` pairs defined on the resources. + + Field: `tags` + +`etags` +: A list of etags defined on the resources. 
+ + Field: `etag` + +{{< note >}} + +{{< readfile file="content/reusable/md/inspec_filter_table.md" >}} + +{{< /note>}} + +## Examples + +Exists if any virtual networks exist in the resource group: + +```ruby +describe azure_virtual_networks(resource_group: 'RESOURCE_GROUP') do + it { should exist } +end +``` + +Filters the results to only those that match the given name (Client Side): + +```ruby +Insist that MyVnetName exists: + +describe azure_virtual_networks(resource_group: 'RESOURCE_GROUP').where(name: 'VNET_NAME') do + it { should exist } +end +``` + +```ruby +Insist that you have at least one virtual network that starts with 'prefix': + +describe azure_virtual_networks(resource_group: 'RESOURCE_GROUP').where { name.include?('project_A') } do + it { should exist } +end +``` + +Filters the networks at Azure API to only those that match the given name via a generic resource (Recommended): + +```ruby +Fuzzy string matching: + +describe azure_generic_resources(resource_group: 'RESOURCE_GROUP', resource_provider: 'Microsoft.Network/virtualNetworks', substring_of_name: 'project_A') do + it { should exist } +end +``` + +```ruby + +Exact name matching: + +describe azure_generic_resources(resource_group: 'RESOURCE_GROUP', resource_provider: 'Microsoft.Network/virtualNetworks', name: 'MyVnetName') do + it { should exist } +end +``` + +## Matchers + +{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}} + +This resource has the following special matchers. + +### exists + +```ruby +# Should not exist if no virtual networks are in the resource group. + +describe azure_virtual_networks(resource_group: 'RESOURCE_GROUP') do + it { should_not exist } +end +``` + +## Azure permissions + +{{% inspec-azure/azure_permissions_service_principal role="contributor" %}} 
diff --git a/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_virtual_wan.md b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_virtual_wan.md
new file mode 100644
index 0000000..2c0f97b
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_virtual_wan.md
@@ -0,0 +1,116 @@ ++++ +title = "azure_virtual_wan resource" + +draft = false + + +[menu.azure] +title = "azure_virtual_wan" +identifier = "inspec/resources/azure/azure_virtual_wan resource" +parent = "inspec/resources/azure" ++++ + +Use the `azure_virtual_wan` InSpec audit resource to test the properties related to an Azure Virtual WAN in a given resource group. + +## Azure REST API version, endpoint, and HTTP client parameters + +{{< readfile file="content/reusable/md/inspec_azure_common_parameters.md" >}} + +## Syntax + +`name` and `resource_group` are required parameters. + +```ruby +describe azure_virtual_wan(resource_group: 'RESOURCE_GROUP', name: 'DEFAULT_WAN') do + it { should exist } + its('properties.provisioningState') { should eq 'Succeeded' } +end +``` + +```ruby +describe azure_virtual_wan(resource_group: 'RESOURCE_GROUP', name: 'DEFAULT_WAN') do + it { should exist } +end +``` + +## Parameters + +`name` +: Name of the Azure Virtual WAN to test. + +`resource_group` +: The resource group name of the VirtualWan. + +## Properties + +`id` +: Resource ID. + +`name` +: Resource name. + +`type` +: Resource type. + +`etag` +: A unique read-only string that changes whenever the resource is updated. + +`location` +: Resource location. + +`properties.provisioningState` +: The provisioning state of the Virtual WAN resource. + +`properties.disableVpnEncryption` +: VPN encryption to be disabled or not. + +`properties.allowBranchToBranchTraffic` +: True if branch-to-branch traffic is allowed. + +`properties.office365LocalBreakoutCategory` +: The office local breakout category. + +`properties.type` +: The type of the Virtual WAN. + +For properties applicable to all resources, such as `type`, `name`, `id`, and `properties`, refer to [`azure_generic_resource`](azure_generic_resource#properties). + +Also, see the [Azure documentation](https://docs.microsoft.com/en-us/rest/api/virtualwan/virtual-wans/get) for other available properties. 
You can access any attribute in the response with the key names separated by dots (`.`). + +## Examples + +Test that a Virtual WAN's encryption is not disabled: + +```ruby +describe azure_virtual_wan(resource_group: 'RESOURCE_GROUP', name: 'DEFAULT_WAN') do + its('properties.disableVpnEncryption') { should_not be_falsey } +end +``` + +## Matchers + +{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}} + +### exists + +```ruby +# If a Virtual WAN is found, it will exist. + +describe azure_virtual_wan(resource_group: 'RESOURCE_GROUP', name: 'DEFAULT_WAN') do + it { should exist } +end +``` + +### not_exists + +```ruby +# If no Virtual WAN's are found, it will not exist. + +describe azure_virtual_wan(resource_group: 'RESOURCE_GROUP', name: 'DEFAULT_WAN') do + it { should_not exist } +end +``` + +## Azure permissions + +{{% inspec-azure/azure_permissions_service_principal role="contributor" %}} diff --git a/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_virtual_wans.md b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_virtual_wans.md new file mode 100644 index 0000000..d1333b9 --- /dev/null +++ b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_virtual_wans.md 
@@ -0,0 +1,105 @@ ++++ +title = "azure_virtual_wans resource" + +draft = false + + +[menu.azure] +title = "azure_virtual_wans" +identifier = "inspec/resources/azure/azure_virtual_wans resource" +parent = "inspec/resources/azure" ++++ + +Use the `azure_virtual_wans` InSpec audit resource to test the properties related to all Azure Virtual WANs in a subscription. + +## Azure REST API version, endpoint, and HTTP client parameters + +{{< readfile file="content/reusable/md/inspec_azure_common_parameters.md" >}} + +## Syntax + +An `azure_virtual_wans` resource block returns all Azure Virtual WANs in a subscription. + +```ruby +describe azure_virtual_wans do + #... +end +``` + +## Parameters + +This resource does not require any parameters. + +## Properties + +`ids` +: A list of the unique resource IDs. + + Field: `id` + +`names` +: A list of names for all the resources. + + Field: `name` + +`etags` +: A list of etag for all the resources. + + Field: `etag` + +`types` +: A list of types for all the resources. + + Field: `type` + +`locations` +: A list of locations for all the resources. + + Field: `location` + +`properties` +: A list of properties for all the resources. + + Field: `properties` + +{{< note >}} + +{{< readfile file="content/reusable/md/inspec_filter_table.md" >}} + +{{< /note>}} + +## Examples + +Test that the Virtual WAN type is standard: + +```ruby +describe azure_virtual_wans.where{ properties.select{|prop| prop.type == 'Standard' } } do + it { should exist } +end +``` + +## Matchers + +{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}} + +This resource has the following special matchers. + +### exists + +```ruby +# Should not exist if no virtual WANs are present. + +describe azure_virtual_wans do + it { should_not exist } +end + +# Should exist if the filter returns at least one virtual WAN. 
+ +describe azure_virtual_wans do + it { should exist } +end +``` + +## Azure permissions + +{{% inspec-azure/azure_permissions_service_principal role="contributor" %}} diff --git a/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_web_app_function.md b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_web_app_function.md new file mode 100644 index 0000000..81d7fcc --- /dev/null +++ b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_web_app_function.md 
@@ -0,0 +1,120 @@ ++++ +title = "azure_web_app_function resource" + +draft = false + + +[menu.azure] +title = "azure_web_app_function" +identifier = "inspec/resources/azure/azure_web_app_function resource" +parent = "inspec/resources/azure" ++++ + +Use the `azure_web_app_function` InSpec audit resource to test the properties related to an Azure function. + +## Azure REST API version, endpoint, and HTTP client parameters + +{{< readfile file="content/reusable/md/inspec_azure_common_parameters.md" >}} + +## Syntax + +`resource_group` and `site_name` and `function_name` or the `resource_id` are required parameters. + +```ruby +describe azure_web_app_function(resource_group: resource_group, site_name: site_name, function_name: function_name) do + it { should exist } + its('name') { should cmp "#{site_name}/#{function_name}" } + its('type') { should cmp 'Microsoft.Web/sites/functions' } + its('properties.name') { should cmp function_name } + its('properties.language') { should cmp 'Javascript' } +end +``` + +```ruby +describe azure_web_app_function(resource_id: '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroup}/providers/Microsoft.Web/sites/{siteName}/functions/{functionName}') do + it { should exist } +end +``` + +## Parameters + +`resource_group` +: Azure resource group where the targeted resource resides. + +`name` +: Name of the Azure function app to test. `FunctionApp`. + +`site_name` +: Name of the Azure function app to test (for backward compatibility). `FunctionApp`. + +`function_name` +: Name of the Azure function to test `Function`. + +`resource_id` +: The unique resource ID. `/subscriptions/{subscriptionId}/resourceGroups/{resourceGroup}/providers/Microsoft.Web/sites/{siteName}/functions/{functionName}`. + +Either one of the parameter sets can be provided for a valid query: + +- `resource_id` +- `resource_group` and `name` and `function_name` +- `resource_group` and `site_name` and `function_name` + +## Properties + +`config_href` +: Config URI. 
+ +`function_app_id` +: Function app ID. + +`language` +: The function language. + +`isDisabled` +: Gets or sets a value indicating whether the function is disabled. + +For properties applicable to all resources, such as `type`, `name`, `id`, and `properties`, refer to [`azure_generic_resource`](azure_generic_resource#properties). + +Also, see the [Azure documentation](https://docs.microsoft.com/en-us/rest/api/appservice/webapps/getfunction#functionenvelope) for other available properties. You can access any attribute in the response with the key names separated by dots (`.`). + +## Examples + +```ruby +describe azure_web_app_function(resource_group: 'RESOURCE_GROUP', site_name: 'functions-http', function_name: 'HttpTrigger1') do + its('properties.language') { should eq 'Javascript' } +end +``` + +```ruby +describe azure_web_app_function(resource_group: 'RESOURCE_GROUP', site_name: 'functions-http', function_name: 'HttpTrigger1') do + its('properties.isDisabled') { should be_false } +end +``` + +## Matchers + +{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}} + +### exists + +```ruby +# If a key vault is found, it will exist. + +describe azure_web_app_function(resource_group: 'RESOURCE_GROUP', site_name: 'functions-http', function_name: 'HttpTrigger1') do + it { should exist } +end +``` + +### not_exists + +```ruby +# Key vaults that are not found, will not exist. + +describe azure_web_app_function(resource_group: 'RESOURCE_GROUP', site_name: 'functions-http', function_name: 'HttpTrigger1') do + it { should_not exist } +end +``` + +## Azure permissions + +{{% inspec-azure/azure_permissions_service_principal role="contributor" %}} diff --git a/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_web_app_functions.md b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_web_app_functions.md new file mode 100644 index 0000000..7825768 --- /dev/null 
+++ b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_web_app_functions.md 
@@ -0,0 +1,128 @@ ++++ +title = "azure_web_app_functions resource" + +draft = false + + +[menu.azure] +title = "azure_web_app_functions" +identifier = "inspec/resources/azure/azure_web_app_functions resource" +parent = "inspec/resources/azure" ++++ + +Use the `azure_web_app_functions` InSpec audit resource to test the properties related to azure functions for a resource group or the entire subscription. + +## Azure REST API version, endpoint, and HTTP client parameters + +{{< readfile file="content/reusable/md/inspec_azure_common_parameters.md" >}} + +## Syntax + +An `azure_web_app_functions` resource block returns all Azure functions within a resource group (if provided) or an entire subscription. + +```ruby +describe azure_web_app_functions(resource_group: 'RESOURCE_GROUP', site_name: 'function-app-http') do + #... +end +``` + +or + +```ruby +describe azure_web_app_functions(resource_group: 'RESOURCE_GROUP', site_name: 'function-app-http') do + #... +end +``` + +## Parameters + +`resource_group` + +: The name of the resource group. + +`site_name` + +: The name of the function App. + +## Properties + +`ids` +: A list of the unique resource IDs. + + Field: `id` + +`names` +: A list of all the key vault names. + + Field: `name` + +`types` +: A list of types of all the functions. + + Field: `type` + +`locations` +: A list of locations for all the functions. + + Field: `location` + +`properties` +: A list of properties for all the functions. 
+ + Field: `properties` + +{{< note >}} + +{{< readfile file="content/reusable/md/inspec_filter_table.md" >}} + +{{< /note>}} + +## Examples + +Loop through functions by their IDs: + +```ruby +azure_web_app_functions(resource_group: 'RESOURCE_GROUP', site_name: 'function-app-http').ids.each do |id| + describe azure_web_app_function(resource_id: id) do + it { should exist } + end +end +``` + +Test that there are functions that include a certain string in their names (client-side filtering): + +```ruby +describe azure_web_app_functions(resource_group: 'RESOURCE_GROUP', site_name: 'function-app-http').where { name.include?('queue') } do + it { should exist } +end +``` + +## Matchers + +{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}} + +This resource has the following special matchers. + +### exists + +```ruby +# Should not exist if no functions are in the resource group. + +describe azure_web_app_functions(resource_group: 'RESOURCE_GROUP', site_name: 'function-app-http') do + it { should_not exist } +end +``` + +### not_exists + +```ruby +# Should exist if the filter returns at least one key vault. + +describe azure_web_app_functions(resource_group: 'RESOURCE_GROUP', site_name: 'function-app-http') do + it { should exist } +end +``` + +## Azure permissions + +{{% inspec-azure/azure_permissions_service_principal role="contributor" %}} diff --git a/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_webapp.md b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_webapp.md new file mode 100644 index 0000000..827af0a --- /dev/null +++ b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_webapp.md 
@@ -0,0 +1,132 @@ ++++ +title = "azure_webapp resource" + +draft = false + + +[menu.azure] +title = "azure_webapp" +identifier = "inspec/resources/azure/azure_webapp resource" +parent = "inspec/resources/azure" ++++ + +Use the `azure_webapp` InSpec audit resource to test the properties and configuration of an Azure webapp. + +## Azure REST API version, endpoint, and HTTP client parameters + +{{< readfile file="content/reusable/md/inspec_azure_common_parameters.md" >}} + +## Syntax + +`resource_group` and `name` or the `resource_id` are required parameters. + +```ruby +describe azure_webapp(resource_group: 'RESOURCE_GROUP', name: 'MY_APP') do + it { should exist } +end +``` + +```ruby +describe azure_webapp(resource_id: '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Web/sites/{name}') do + it { should exist } +end +``` + +## Parameters + +`resource_group` +: Azure resource group where the targeted resource resides. + +`name` +: Name of the webapp to test. `my_webapp`. + +`resource_id` +: The unique resource ID. `/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Web/sites/{name}`. + +`auth_settings_api_version` +: The endpoint API version for the `auth_settings` property. The latest version will be used unless provided. + +`configuration_api_version` +: The endpoint API version for the `configuration` property. The latest version will be used unless provided. + +`supported_stacks_api_version` +: The endpoint API version for the `supported_stacks` property. The latest version will be used unless provided. + +Either one of the parameter sets can be provided for a valid query along with the optional ones: + +- `resource_id` +- `resource_group` and `name` + +## Properties + +`auth_settings` +: Authentication/Authorization settings of the interrogated app with [these](https://docs.microsoft.com/en-us/rest/api/appservice/webapps/getauthsettings#siteauthsettings) properties. 
+ +`configuration` +: Configuration of an app, such as platform version, default documents, virtual applications, or always on. For more information, see the [Azure Web Apps SiteConfigResource documentation](https://docs.microsoft.com/en-us/rest/api/appservice/webapps/getconfiguration#siteconfigresource). + +`supported_stacks` +: Available application frameworks and their versions with [these](https://docs.microsoft.com/en-us/rest/api/appservice/provider/getavailablestacks#applicationstackcollection) properties. + +For properties applicable to all resources, such as `type`, `name`, `id`, and `properties`, refer to [`azure_generic_resource`](azure_generic_resource#properties). + +Also, see the [Azure documentation](https://docs.microsoft.com/en-us/rest/api/appservice/webapps/get#site) for other available properties. +You can access any attribute in the response with the key names separated by dots (`.`). For example, `properties.`. + +## Examples + +Test that a resource group has the specified Webapp and verify it's authentication settings:, platform-specific security token storing is enabled + +```ruby +describe azure_webapp(resource_group: 'EXAMPLE', name: 'WEBAPP_NAME') do + it { should exist } + its('auth_settings.properties') { should have_attributes(enabled: true ) } + its('configuration.properties') { should have_attributes(tokenStoreEnabled: true) } +end +``` + +## Matchers + +{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}} + +This resource has the following special matchers. 
+ +Test webapp to ensure it's using the latest supported version of :.NET + +```ruby +describe azure_webapp(resource_group: 'EXAMPLE', name: 'WEBAPP_NAME') do + it { should be_using_latest('aspnet') } +end +``` + +Test webapp to ensure it's using the latest supported version of Python: + +```ruby +describe azure_webapp(resource_group: 'EXAMPLE', name: 'WEBAPP_NAME') do + it { should be_using_latest('python') } +end +``` + +### exists + +```ruby +# If we expect a resource to always exist. + +describe azure_webapp(resource_group: 'RESOURCE_GROUP', name: 'WEBAPP_NAME') do + it { should exist } +end +``` + +### not_exists + +```ruby +# If we expect a resource to never exist. + +describe azure_webapp(resource_group: 'RESOURCE_GROUP', name: 'WEBAPP_NAME') do + it { should_not exist } +end +``` + +## Azure permissions + +{{% inspec-azure/azure_permissions_service_principal role="contributor" %}} diff --git a/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_webapps.md b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_webapps.md new file mode 100644 index 0000000..178c5fa --- /dev/null +++ b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/azure_webapps.md 
@@ -0,0 +1,111 @@ ++++ +title = "azure_webapps resource" + +draft = false + + +[menu.azure] +title = "azure_webapps" +identifier = "inspec/resources/azure/azure_webapps resource" +parent = "inspec/resources/azure" ++++ + +Use the `azure_webapps` InSpec audit resource to test the properties and configuration of multiple Azure web applications. + +## Azure REST API version, endpoint, and HTTP client parameters + +{{< readfile file="content/reusable/md/inspec_azure_common_parameters.md" >}} + +## Syntax + +An `azure_webapps` resource block returns all webapps within a resource group (if provided) or an entire subscription. + +```ruby +describe azure_webapps do + #... +end +``` + +Or + +```ruby +describe azure_webapps(resource_group: 'RESOURCE_GROUP') do + #... +end +``` + +## Parameters + +`resource_group` _(optional)_ + +: The name of the resource group. + +## Properties + +`ids` +: A list of the unique resource IDs. + + Field: `id` + +`names` +: A list of names of all the resources being interrogated. + + Field: `name` + +`tags` +: A list of `tag:value` pairs defined on the resources being interrogated. + + Field: `tags` + +`properties` +: A list of properties for all the resources being interrogated. + + Field: `properties` + +{{< note >}} + +{{< readfile file="content/reusable/md/inspec_filter_table.md" >}} + +{{< /note>}} + +## Examples + +Test that an example resource group has the named web application: + +```ruby +describe azure_webapps(resource_group: 'EXAMPLEGROUP') do + its('names') { should include('my_web_app') } +end +``` + +## Matchers + +{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}} + +This resource has the following special matchers. + +### exists + +The control passes if the filter returns at least one result. Use `should_not` if you expect zero matches. + +```ruby +# If we expect 'EXAMPLEGROUP' resource group to have at least one web application. 
+ +describe azure_webapps(resource_group: 'EXAMPLEGROUP') do + it { should exist } +end +``` + +### not_exists + +```ruby +# If we expect 'EMPTYEXAMPLEGROUP' resource group to not have any web applications. + +describe azure_webapps(resource_group: 'EMPTYEXAMPLEGROUP') do + it { should_not exist } +end +``` + +## Azure permissions + +{{% inspec-azure/azure_permissions_service_principal role="contributor" %}} diff --git a/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/reusable/index.md b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/reusable/index.md new file mode 100644 index 0000000..5bddbd6 --- /dev/null +++ b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/reusable/index.md @@ -0,0 +1,10 @@ ++++ +[[cascade]] + [cascade.build] + list = 'never' + publishResources = false + render = 'never' + +## https://gohugo.io/content-management/build-options/#example--headless-section +## Content in this directory isn't published but can be included in other pages. ++++ diff --git a/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/reusable/md/inspec_azure_common_parameters.md b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/reusable/md/inspec_azure_common_parameters.md new file mode 100644 index 0000000..20e499e --- /dev/null +++ b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/content/reusable/md/inspec_azure_common_parameters.md 
@@ -0,0 +1,9 @@ + +This resource interacts with API versions supported by the resource provider. +You can specify the `api_version` as a resource parameter to use a specific version of the Azure REST API. +If you don't specify an API version, this resource uses the latest version available. +For more information about API versioning, see the [`azure_generic_resource`](../azure_generic_resource). + +By default, this resource uses the `azure_cloud` global endpoint and default HTTP client settings. +You can override these settings if you need to connect to a different Azure environment (such as Azure Government or Azure China). +For more information about configuration options, see the [resource pack README](https://github.com/inspec/inspec-azure). diff --git a/_vendor/github.com/inspec/inspec-azure/docs-chef-io/layouts/shortcodes/inspec-azure/azure_permissions_service_principal.md b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/layouts/shortcodes/inspec-azure/azure_permissions_service_principal.md new file mode 100644 index 0000000..8e66f3c --- /dev/null +++ b/_vendor/github.com/inspec/inspec-azure/docs-chef-io/layouts/shortcodes/inspec-azure/azure_permissions_service_principal.md @@ -0,0 +1,2 @@ + +Your [Service Principal](https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-group-create-service-principal-portal) must be set up with at least a `{{ .Get "role" }}` role on the subscription you wish to test. diff --git a/_vendor/github.com/inspec/inspec-docker-resources/docs-chef-io/content/_index.md b/_vendor/github.com/inspec/inspec-docker-resources/docs-chef-io/content/_index.md new file mode 100644 index 0000000..468be91 --- /dev/null +++ b/_vendor/github.com/inspec/inspec-docker-resources/docs-chef-io/content/_index.md 
@@ -0,0 +1,41 @@ ++++ +title = "About the Chef InSpec Docker resource pack" +draft = false +linkTitle = "Docker resource pack" +summary = "Chef InSpec resources for auditing Docker" + +[cascade] + [cascade.params] + platform = "docker" + +[menu.docker] +title = "About Docker resources" +identifier = "inspec/resources/docker/about" +parent = "inspec/resources/docker" +weight = 10 ++++ + +The Chef InSpec Docker resource pack allows you to audit Docker environments, including containers, images, services, and plugins. + +## Support + +The InSpec Docker resources were part of InSpec core through InSpec 6. +Starting in InSpec 7, they're released separately as a Ruby gem. + +## Usage + +To add this resource pack to an InSpec profile, add the `inspec-docker-resources` gem as a dependency in your `inspec.yml` file: + +```yaml +depends: + - name: inspec-docker-resources + gem: inspec-docker-resources +``` + +## Docker resources + +{{< inspec_resources_filter >}} + +The following Chef InSpec Docker resources are available in this resource pack. + +{{< inspec_resources section="docker" platform="docker" >}} diff --git a/_vendor/github.com/inspec/inspec-docker-resources/docs-chef-io/content/docker.md b/_vendor/github.com/inspec/inspec-docker-resources/docs-chef-io/content/docker.md new file mode 100644 index 0000000..1f8a346 --- /dev/null +++ b/_vendor/github.com/inspec/inspec-docker-resources/docs-chef-io/content/docker.md 
@@ -0,0 +1,270 @@ ++++ +title = "docker resource" +draft = false + + +[menu.docker] + title = "docker" + identifier = "inspec/resources/docker/docker.md docker resource" + parent = "inspec/resources/docker" ++++ + +Use the `docker` Chef InSpec audit resource to test configuration data for the Docker daemon. It is a very comprehensive resource. See also: [docker_container](/inspec/resources/docker_container/) and [docker_image](/inspec/resources/docker_image/), too. + +## Syntax + +A `docker` resource block allows you to write tests for many containers: + +```ruby +describe docker.containers do + its('images') { should_not include 'u12:latest' } +end +``` + +or: + +```ruby +describe docker.containers.where { names == 'flamboyant_allen' } do + it { should be_running } +end +``` + +where + +- `.where()` may specify a specific item and value, to which the resource parameters are compared +- `commands`, `ids`, `images`, `labels`, `local_volumes`, `mounts`, `names`, `networks`, `ports`, `sizes` and `status` are valid parameters for `containers` + +The `docker` resource block also declares allows you to write test for many images: + +```ruby +describe docker.images do + its('repositories') { should_not include 'insecure_image' } +end +``` + +or if you want to query specific images: + +```ruby +describe docker.images.where { repository == 'ubuntu' && tag == '12.04' } do + it { should_not exist } +end +``` + +where + +- `.where()` may specify a specific filter and expected value, against which parameters are compared + +## Examples + +The following examples show how to use this Chef InSpec audit resource. 
+ +### Return all running containers + +```ruby +docker.containers.running?.ids.each do |id| + describe docker.object(id) do + its('State.Health.Status') { should eq 'healthy' } + end +end +``` + +### Verify a Docker Server and Client version + +```ruby +describe docker.version do + its('Server.Version') { should cmp >= '1.12'} + its('Client.Version') { should cmp >= '1.12'} +end +``` + +### Iterate over all containers to verify host configuration + +```ruby +docker.containers.ids.each do |id| + # call Docker inspect for a specific container id + describe docker.object(id) do + its(%w(HostConfig Privileged)) { should cmp false } + its(%w(HostConfig Privileged)) { should_not cmp true } + end +end +``` + +### Iterate over all images to verify the container was built without ADD instruction + +```ruby +docker.images.ids.each do |id| + describe command("docker history #{id}| grep 'ADD'") do + its('stdout') { should eq '' } + end +end +``` + +### Verify that health-checks are enabled for a container + +```ruby +describe docker.object('71b5df59442b') do + its(%w(Config Healthcheck)) { should_not eq nil } +end +``` + +## How to run the DevSec Docker baseline profile + +There are two ways to run the `docker-baseline` profile to test Docker via the `docker` resource. + +Clone the profile: + +```bash +git clone https://github.com/dev-sec/cis-docker-benchmark.git +``` + +and then run: + +```bash +inspec exec cis-docker-benchmark +``` + +Or execute the profile directly via URL: + +```bash +inspec exec https://github.com/dev-sec/cis-docker-benchmark +``` + +## Resource Parameters + +- `commands`, `ids`, `images`, `labels`, `local_volumes`, `mounts`, `names`, `networks`, `ports`, `sizes` and `status` are valid parameters for `containers` + +## Resource Parameter Examples + +### containers + +`containers` returns information about containers as returned by [docker ps -a](https://docs.docker.com/engine/reference/commandline/ps/). 
+ +```ruby +describe docker.containers do + its('ids') { should include 'sha:71b5df59...442b' } + its('commands') { should_not include '/bin/sh' } + its('images') { should_not include 'u12:latest' } + its('ports') { should include '0.0.0.0:1234->1234/tcp' } + its('labels') { should include 'License=GPLv2' } +end +``` + +### object('id') + +`object` returns low-level information about Docker objects. It is calling [docker inspect](https://docs.docker.com/engine/reference/commandline/info/) under the hood. + +```ruby +describe docker.object(id) do + its('Configuration.Path') { should eq 'value' } +end +``` + +### images + +`images` returns information about a Docker image as returned by [docker images](https://docs.docker.com/engine/reference/commandline/images/). + +```ruby +describe docker.images do + its('ids') { should include 'sha:12b5df59...442b' } + its('repositories') { should_not include 'my_image' } + its('tags') { should_not include 'unwanted_tag' } + its('sizes') { should_not include '1.41 GB' } +end +``` + +### plugins + +`plugins` returns information about Docker plugins as returned by [docker plugin ls](https://docs.docker.com/engine/reference/commandline/plugin/). 
+ +```ruby +describe docker.plugins do + its('names') { should include ['store/weaveworks/net-plugin', 'docker4x/cloudstor'] } + its('ids') { should cmp ['6ea8176de74b', '771d3ee7c7ea'] } + its('versions') { should cmp ['2.3.0', '18.03.1-ce-aws1'] } + its('enabled') { should cmp [true, false] } +end +``` + +### info + +`info` returns the parsed result of [docker info](https://docs.docker.com/engine/reference/commandline/info/) + +```ruby +describe docker.info do + its('Configuration.Path') { should eq 'value' } +end +``` + +### version + +`info` returns the parsed result of [docker version](https://docs.docker.com/engine/reference/commandline/version/) + +```ruby +describe docker.version do + its('Server.Version') { should cmp >= '1.12'} + its('Client.Version') { should cmp >= '1.12'} +end +``` + +## Properties + +- `id` +- `image` +- `repo` +- `tag` +- `ports` +- `command` + +## Property Examples + +### id + +```ruby +describe docker_container(name: 'an-echo-server') do + its('id') { should_not eq '' } +end +``` + +### image + +```ruby +describe docker_container(name: 'an-echo-server') do + its('image') { should eq 'busybox:latest' } +end +``` + +### repo + +```ruby +describe docker_container(name: 'an-echo-server') do + its('repo') { should eq 'busybox' } +end +``` + +### tag + +```ruby +describe docker_container(name: 'an-echo-server') do + its('tag') { should eq 'latest' } +end +``` + +### ports + +```ruby +describe docker_container(name: 'an-echo-server') do + its('ports') { should eq '0.0.0.0:1234->1234/tcp' } +end +``` + +### command + +```ruby +describe docker_container(name: 'an-echo-server') do + its('command') { should eq 'nc -ll -p 1234 -e /bin/cat' } +end +``` + +## Matchers + +{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}} 
diff --git a/_vendor/github.com/inspec/inspec-docker-resources/docs-chef-io/content/docker_container.md b/_vendor/github.com/inspec/inspec-docker-resources/docs-chef-io/content/docker_container.md new file mode 100644 index 0000000..eaea5c9 --- /dev/null +++ b/_vendor/github.com/inspec/inspec-docker-resources/docs-chef-io/content/docker_container.md 
@@ -0,0 +1,175 @@ ++++ +title = "docker_container resource" +draft = false + + +[menu.docker] + title = "docker_container" + identifier = "inspec/resources/docker/docker_container.md docker_container resource" + parent = "inspec/resources/docker" ++++ + +Use the `docker_container` Chef InSpec audit resource to test a Docker container. + +## Syntax + +A `docker_container` resource block declares the configuration data to be tested: + +```ruby +describe docker_container('container') do + it { should exist } + it { should be_running } + its('id') { should_not eq '' } + its('image') { should eq 'busybox:latest' } + its('repo') { should eq 'busybox' } + its('tag') { should eq 'latest' } + its('ports') { should eq [] } + its('command') { should eq 'nc -ll -p 1234 -e /bin/cat' } +end +``` + +## Resource Parameter Examples + +### name + +The container name can be provided with the `name` resource parameter. + +```ruby +describe docker_container(name: 'an-echo-server') do + it { should exist } + it { should be_running } +end +``` + +### container id + +Alternatively, you can pass in the container id. + +```ruby +describe docker_container(id: '71b5df59442b') do + it { should exist } + it { should be_running } +end +``` + +## Property Examples + +The following examples show how to use this Chef InSpec resource. + +### id + +The `id` property tests the container ID. + +```ruby +its('id') { should eq 'sha:71b5df59...442b' } +``` + +### Repo + +The `repo` property tests the value of the image repository. + +```ruby +its('repo') { should eq 'REPO' } +``` + +### tag + +The `tag` property tests the value of the image tag. + +```ruby +its('tag') { should eq 'LATEST' } +``` + +### ports + +The `ports` property tests the value of the Docker ports. + +```ruby +its('ports') { should eq '0.0.0.0:1234->1234/tcp' } +``` + +### command + +The `command` property tests the value of the container run command. 
+ +```ruby +its('command') { should eq 'nc -ll -p 1234 -e /bin/cat' } +``` + +### Verify a running container + +```ruby +describe docker_container('an-echo-server') do + it { should exist } + it { should be_running } + its('id') { should_not eq '' } + its('image') { should eq 'busybox:latest' } + its('repo') { should eq 'busybox' } + its('tag') { should eq 'latest' } + its('ports') { should eq [] } + its('command') { should eq 'nc -ll -p 1234 -e /bin/cat' } +end +``` + +## Matchers + +{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}} + The specific matchers of this resource are: `exist`, `be_running`, `have_volume?`. + +### exist + +The `exist` matcher specifies if the container exists. + +```ruby +it { should exist } +``` + +### be_running + +The `be_running` matcher checks if the container is running. + +```ruby +it { should be_running } +``` + +### have_volume? + +The `have_volume?` matcher checks if the container has mounted volumes. + +```ruby +it { should have_volume?(destination_path_in_container, source_path_in_source) } +``` + +## Examples + +The following examples show how to use this Chef InSpec audit resource. + +### Ensures container exists + +The below test passes if the container `wonderful_wozniak` exists as part of the Docker instances. + +```ruby +describe docker_container('wonderful_wozniak') do + it { should exist } +end +``` + +### Ensures container is in running status + +The below test passes if the container `trusting_williams` exists as part of the Docker instances and the status is running. 
+
+```ruby
+describe docker_container('trusting_williams') do
+ it { should be_running }
+end
+```
+
+### Ensures container has mounted volumes
+
+The below test passes if the container `quizzical_williamson` exists as part of the Docker instances, the status is running, and has mounted volume on `/app` in the container from the source path of `/var/lib/docker/volumes/myvol2/_data`
+
+```ruby
+describe docker_container('quizzical_williamson') do
+ it { should have_volume('/app', '/var/lib/docker/volumes/myvol2/_data') }
+end
+```
diff --git a/_vendor/github.com/inspec/inspec-docker-resources/docs-chef-io/content/docker_image.md b/_vendor/github.com/inspec/inspec-docker-resources/docs-chef-io/content/docker_image.md
new file mode 100644
index 0000000..54a8a65
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-docker-resources/docs-chef-io/content/docker_image.md
@@ -0,0 +1,174 @@ ++++ +title = "docker_image resource" +draft = false + + +[menu.docker] + title = "docker_image" + identifier = "inspec/resources/docker/docker_image.md docker_image resource" + parent = "inspec/resources/docker" ++++ + +Use the `docker_image` Chef InSpec audit resource to verify a Docker image. A Docker Image is a template that contains the application and all the dependencies required to run an application on Docker. + +## Syntax + +A `docker_image` resource block declares the image. + +```ruby +describe docker_image('ALPINE:LATEST') do + it { should exist } + its('id') { should eq 'sha256:4a415e...a526' } + its('repo') { should eq 'ALPINE' } + its('tag') { should eq 'LATEST' } +end +``` + +### Resource Parameter Examples + +The resource allows you to pass with an image ID. + +```ruby +describe docker_image(id: ID) do + ... +end +``` + +If the tag is missing for an image, `LATEST` is assumed as default. + +```ruby +describe docker_image('ALPINE') do + ... +end +``` + +You can also pass the repository and tag values as separate values. + +```ruby +describe docker_image(repo: 'ALPINE', tag: 'LATEST') do + ... +end +``` + +## Properties + +### id + +The `id` property returns the full image ID. + +```ruby +its('id') { should eq 'sha256:4a415e3663882fbc554ee830889c68a33b3585503892cc718a4698e91ef2a526' } +``` + +### image + +The `image` property tests the value of the image. It is a combination of `repository/tag`. + +```ruby +its('image') { should eq 'ALPINE:LATEST' } +``` + +### repo + +The `repo` property tests the value of the repository name. + +```ruby +its('repo') { should eq 'ALPINE' } +``` + +### tag + +The `tag` property tests the value of the image tag. + +```ruby +its('tag') { should eq 'LATEST' } +``` + +### Low-level information of docker image as docker_image's property + +#### inspection + +The property allows testing the low-level information of docker image returned by `docker inspect [docker_image]`. 
Use hash format `'key' => 'value` for testing the information. + +```ruby +its(:inspection) { should include "Key" => "Value" } +its(:inspection) { should include "Key" => + { + "SubKey" => "Value1", + "SubKey" => "Value2" + } +} +``` + +Additionally, all keys of the low-level information are valid properties and can be passed in three ways when writing the test. + +- Serverspec's syntax + +```ruby +its(['key']) { should eq some_value } +its(['key1.key2.key3']) { should include some_value } +``` + +- InSpec's syntax + +```ruby +its(['key']) { should eq some_value } +its(['key1', 'key2', 'key3']) { should include some_value } +``` + +- Combination of Serverspec and InSpec + +```ruby +its(['key1.key2', 'key3']) { should include some_value } +``` + +## Matchers + +{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}} + +This resource has the following special matchers. + +### exist + +The `exist` matcher tests if the image is available on the node. + +```ruby +it { should exist } +``` + +## Examples + +### Test if a docker image exists and verifies the image properties: ID, image, repo, and tag + +```ruby +describe docker_image('ALPINE:LATEST') do + it { should exist } + its('id') { should eq 'sha256:4a415e...a526' } + its('image') { should eq 'ALPINE:LATEST' } + its('repo') { should eq 'ALPINE' } + its('tag') { should eq 'LATEST' } +end +``` + +### Test if a docker image exists and verifies the low-level information: Architecture, Config.Cmd, and GraphDriver + +```ruby +describe docker_image('ubuntu:latest') do + it { should exist } + its(['Architecture']) { should eq 'ARM64' } + its(['Config.Cmd']) { should include 'BASH' } + its(['GraphDriver.Data.MergedDir']) { should include "/var/lib/docker/overlay2/4336ba2a87c8d82abaa9ee5afd3ac20ea275bf05502d74d8d8396f8f51a4736c/merged" } + its(:inspection) { should include 'Architecture' => 'ARM64' } + its(:inspection) { should_not include 'Architecture' => 'i386' } + its(:inspection) { should include 
"GraphDriver" =>
+ {
+ "Data" => {
+ "MergedDir" => "/var/lib/docker/overlay2/4336ba2a87c8d82abaa9ee5afd3ac20ea275bf05502d74d8d8396f8f51a4736c/merged",
+ "UpperDir" => "/var/lib/docker/overlay2/4336ba2a87c8d82abaa9ee5afd3ac20ea275bf05502d74d8d8396f8f51a4736c/diff",
+ "WorkDir"=> "/var/lib/docker/overlay2/4336ba2a87c8d82abaa9ee5afd3ac20ea275bf05502d74d8d8396f8f51a4736c/work"
+ },
+ "Name" => "overlay2"
+ }
+ }
+end
+```
diff --git a/_vendor/github.com/inspec/inspec-docker-resources/docs-chef-io/content/docker_plugin.md b/_vendor/github.com/inspec/inspec-docker-resources/docs-chef-io/content/docker_plugin.md
new file mode 100644
index 0000000..c90ebac
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-docker-resources/docs-chef-io/content/docker_plugin.md
@@ -0,0 +1,90 @@
++++
+title = "docker_plugin resource"
+draft = false
+
+
+[menu.docker]
+ title = "docker_plugin"
+ identifier = "inspec/resources/docker/docker_plugin.md docker_plugin resource"
+ parent = "inspec/resources/docker"
++++
+
+Use the `docker_plugin` Chef InSpec audit resource to verify a Docker plugin.
+
+## Syntax
+
+A `docker_plugin` resource block declares the plugin:
+
+```ruby
+describe docker_plugin('rexray/ebs') do
+ it { should exist }
+ its('id') { should_not eq '0ac30b93ad40' }
+ its('version') { should eq '0.11.1' }
+ it { should be_enabled }
+end
+```
+
+## Resource Parameter Examples
+
+The resource allows you to pass in an plugin id:
+
+```ruby
+describe docker_plugin(id: plugin_id) do
+ it { should be_enabled }
+end
+```
+
+## Properties
+
+### id
+
+The `id` property returns the full plugin id:
+
+```ruby
+its('id') { should eq '0ac30b93ad40' }
+```
+
+### version
+
+The `version` property tests the value of plugin version:
+
+```ruby
+its('version') { should eq '0.11.0' }
+```
+
+## Examples
+
+### Test a Docker plugin
+
+```ruby
+describe docker_plugin('rexray/ebs') do
+ it { should exist }
+ its('id') { should_not eq '0ac30b93ad40' }
+ its('version') { should eq '0.11.1' }
+ it { should be_enabled }
+end
+```
+
+## Matchers
+
+For a full list of available matchers, please visit our [Universal Matchers](/inspec/matchers/).
+
+### exist
+
+The `exist` matcher tests if the plugin is available on the node:
+
+```ruby
+describe docker_plugin('rexray/ebs') do
+ it { should exist }
+end
+```
+
+### enabled
+
+The `be_enabled` matcher tests if the plugin is enabled:
+
+```ruby
+describe docker_plugin('rexray/ebs') do
+ it { should be_enabled }
+end
+```
diff --git a/_vendor/github.com/inspec/inspec-docker-resources/docs-chef-io/content/docker_service.md b/_vendor/github.com/inspec/inspec-docker-resources/docs-chef-io/content/docker_service.md
new file mode 100644
index 0000000..59ffed7
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-docker-resources/docs-chef-io/content/docker_service.md 
@@ -0,0 +1,136 @@ ++++ +title = "docker_service resource" +draft = false + + +[menu.docker] + title = "docker_service" + identifier = "inspec/resources/docker/docker_service.md docker_service resource" + parent = "inspec/resources/docker" ++++ + +Use the `docker_service` Chef InSpec audit resource to verify a docker swarm service. + +## Syntax + +A `docker_service` resource block declares the service by name: + +```ruby +describe docker_service('foo') do + it { should exist } + its('id') { should eq 'docker-service-id' } + its('repo') { should eq 'alpine' } + its('tag') { should eq 'latest' } +end +``` + +## Resource Parameter Examples + +The resource allows you to pass in a service id: + +```ruby +describe docker_service(id: 'docker-service-id') do + ... +end +``` + +You can also pass in the fully-qualified image: + +```ruby +describe docker_service(image: 'localhost:5000/alpine:latest') do + ... +end +``` + +## Property Examples + +The following examples show how to use Chef InSpec `docker_service` resource. 
+
+### id
+
+The `id` property returns the service id:
+
+```ruby
+its('id') { should eq 'docker-service-id' }
+```
+
+### image
+
+The `image` property is a combination of `repository:tag` it tests the value of the image:
+
+```ruby
+its('image') { should eq 'alpine:latest' }
+```
+
+### mode
+
+The `mode` property tests the value of the service mode:
+
+```ruby
+its('mode') { should eq 'replicated' }
+```
+
+### name
+
+The `name` property tests the value of the service name:
+
+```ruby
+its('name') { should eq 'foo' }
+```
+
+### ports
+
+The `ports` property tests the value of the service's published ports:
+
+```ruby
+its('ports') { should include '*:8000->8000/tcp' }
+```
+
+### repo
+
+The `repo` property tests the value of the repository name:
+
+```ruby
+its('repo') { should eq 'alpine' }
+```
+
+### replicas
+
+The `replicas` property tests the value of the service's replica count:
+
+```ruby
+its('replicas') { should eq '3/3' }
+```
+
+### tag
+
+The `tag` property tests the value of image tag:
+
+```ruby
+its('tag') { should eq 'latest' }
+```
+
+### Test a docker service
+
+```ruby
+describe docker_service('foo') do
+ it { should exist }
+ its('id') { should eq 'docker-service-id' }
+ its('repo') { should eq 'alpine' }
+ its('tag') { should eq 'latest' }
+end
+```
+
+## Matchers
+
+{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}}
+
+This resource has the following special matchers.
+
+### exist
+
+The `exist` matcher tests if the image is available on the node:
+
+```ruby
+it { should exist }
+```
diff --git a/_vendor/github.com/inspec/inspec-elasticsearch-resources/docs-chef-io/content/_index.md b/_vendor/github.com/inspec/inspec-elasticsearch-resources/docs-chef-io/content/_index.md
new file mode 100644
index 0000000..2d5c8b7
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-elasticsearch-resources/docs-chef-io/content/_index.md
@@ -0,0 +1,40 @@
++++
+title = "About the Chef InSpec Elasticsearch resource pack"
+draft = false
+linkTitle = "Elasticsearch resource pack"
+summary = "Chef InSpec resources for auditing Elasticsearch."
+
+[cascade]
+ [cascade.params]
+ platform = "elasticsearch"
+
+[menu.elasticsearch]
+ title = "About Elasticsearch resources"
+ identifier = "inspec/resources/elasticsearch/about"
+ parent = "inspec/resources/elasticsearch"
+ weight = 10
++++
+
+The Chef InSpec Elasticsearch resources allow you to audit and test the configuration, status, and security of Elasticsearch clusters.
+
+## Support
+
+The InSpec Elasticsearch resources were originally included as part of InSpec core through version 6. Starting with InSpec 7, they are distributed separately as a Ruby gem.
+
+## Usage
+
+To use these resources in an InSpec profile, add the `inspec-elasticsearch-resources` gem as a dependency in your `inspec.yml` file:
+
+```yaml
+depends:
+ - name: inspec-elasticsearch-resources
+ gem: inspec-elasticsearch-resources
+```
+
+## Elasticsearch resources
+
+{{< inspec_resources_filter >}}
+
+The following Chef InSpec Elasticsearch resources are available in this resource pack.
+
+{{< inspec_resources section="elasticsearch" platform="elasticsearch" >}}
diff --git a/_vendor/github.com/inspec/inspec-elasticsearch-resources/docs-chef-io/content/elasticsearch.md b/_vendor/github.com/inspec/inspec-elasticsearch-resources/docs-chef-io/content/elasticsearch.md
new file mode 100644
index 0000000..a88591e
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-elasticsearch-resources/docs-chef-io/content/elasticsearch.md
@@ -0,0 +1,264 @@ ++++ +title = "elasticsearch resource" +draft = false + +[menu.elasticsearch] + title = "elasticsearch" + identifier = "inspec/resources/elasticsearch/elasticsearch.md elasticsearch resource" + parent = "inspec/resources/elasticsearch" ++++ + +Use the `elasticsearch` resource to test the status of a node against a running +Elasticsearch cluster. Chef InSpec retrieves the node list from the cluster node URL +provided (defaults to `http://localhost:9200`) and provides the ability to query +a variety of settings and statuses. + +## Syntax + +```ruby +describe elasticsearch do + its('property') { should cmp 'value' } +end +``` + +## Parameters + +The `elasticsearch` resource accepts several optional resource parameters: + +`url` +: the top-level URL of an Elasticsearch node in the cluster. If your Elasticsearch installation is not served out of the top-level directory at the host, be sure to specify the full URL; for example: `http://my-load-balancer/elasticsearch`. Default: `http://localhost:9200` + +`username` +: a username to use to log in with HTTP-Basic authentication. If `username` is provided, a `password` must also be provided. + +`password` +: a password to use to log in with HTTP-Basic authentication. If `password` is provided, a `username` must also be provided. + +`ssl_verify` +: if `false`, SSL certificate validation will be disabled. 
Default: `true` + +In addition, the `elasticsearch` resource allows for filtering the nodes returned by property before executing the tests: + +```ruby +describe elasticsearch.where { node_name == 'one-off-node' } do + its('version') { should eq '1.2.3' } +end +``` + +```ruby +describe elasticsearch.where { process.mlockall == false } do + its('count') { should cmp 0 } +end +``` + +To simply check if nodes exist that match the criteria, use the `exist` matcher: + +```ruby +describe elasticsearch.where { cluster_name == 'my_cluster' } do + it { should exist } +end +``` + +## Properties + +The following are the different properties of the resource: + +Since the `elasticsearch` resource is meant for use on a cluster, each property will return an array of the values for each node that matches any provided search criteria. Using InSpec's `cmp` matcher helps avoid issues when comparing values when there is only a single match (i.e. when the cluster only contains a single node or the `where` filter criteria provided only returns a single node). + +### build_hash + +The `build hash` property returns the build hash for each of the nodes. + +```ruby +its('build_hash') { should cmp 'b2f0c09' } +``` + +### cluster_name + +The `cluster_name` property returns the cluster names of each of the nodes. + +```ruby +its('cluster_name') { should cmp 'my_cluster' } +``` + +### host + +The `host` property returns the hostname of each of the nodes. This may return an IP address if the node is improperly performing DNS resolution or has no hostname set. + +```ruby +its('host') { should cmp 'my.hostname.mycompany.biz' } +``` + +### http + +The `http` property returns a hash of HTTP-related settings for each of the nodes. In this example, the `first` method is used to grab only the first node's HTTP-related info and is a way of removing the item from the Array if only one node is being queried. 
+ +```ruby +its('http.first.max_content_length_in_bytes') { should cmp 123456 } +``` + +### ingest + +The `ingest` property returns ingest-related settings and capabilities, such as available processors. + +```ruby +its('ingest.first.processors.count') { should be >= 1 } +``` + +### ip + +The `ip` property returns the IP address of each of the nodes. + +```ruby +its('ip') { should cmp '192.168.1.100' } +``` + +### jvm + +The `jvm` property returns Java Virtual Machine related parameters for each of the nodes. + +```ruby +its('jvm.first.version') { should cmp '1.8.0_141' } +``` + +### module_list + +The `module_list` property returns a list of enabled modules for each node in the cluster. + +```ruby +its('module_list.first') { should include 'my_module' } +``` + +### modules + +The `modules` property returns detailed information about each enabled module for each node in the cluster. + +```ruby +its('modules.first') { should include 'lang-groovy' } +``` + +### node_name + +The `node_name` property returns the node name for each node in the cluster. + +```ruby +its('node_name') { should cmp 'node1' } +``` + +### node_id + +The `node_id` property returns the node IDs of each of the nodes in the cluster. + +```ruby +its('node_id') { should include 'my_node_id' } +``` + +### os + +The `os` property returns OS-related information about each node in the cluster. + +```ruby +its('os.first.arch') { should cmp 'amd64' } +``` + +### plugin_list + +The `plugin_list` property returns a list of enabled plugins for each node in the cluster. For more additional information about each plugin, use the `plugins` property. + +```ruby +its('plugin_list.first') { should include 'my_plugin' } +``` + +### plugins + +The `plugins` property returns detailed information about each enabled plugin for each node in the cluster. 
+ +```ruby +its('plugins.first') { should include 'my_plugin' } +``` + +### process + +The `process` property returns process information for each node in the cluster, such as the process ID. + +```ruby +its('process.first.mlockall') { should cmp true } +``` + +### roles + +The `roles` property returns the role for each of the nodes in the cluster. + +```ruby +its('roles') { should include 'master' } +``` + +### settings + +The `settings` property returns all the configuration settings for each node in the cluster. These settings usually include those set in the elasticsearch.yml as well as those set via `-Des.` or `-E` flags at startup. Use the `inspec shell` to explore the various setting keys that are available. + +```ruby +its('settings.first.path.home') { should cmp '/usr/share/elasticsearch' } +``` + +### total_indexing_buffer + +The `total_indexing_buffer` property returns the total indexing buffer for each node in the cluster. + +```ruby +its('total_indexing_buffer') { should cmp 123456 } +``` + +### transport + +The `transport` property returns transport-related settings for each node in the cluster, such as the bound and published addresses. + +```ruby +its('transport.first.bound_address') { should cmp '1.2.3.4:9200' } +``` + +### transport_address + +The `transport_address` property returns the bound transport address for each node in the cluster. + +```ruby +its('transport_address') { should cmp '1.2.3.4:9200' } +``` + +### version + +The `version` property returns the version of Elasticsearch running on each node of the cluster. + +```ruby +its('version') { should cmp '5.5.2' } +``` + +## Examples + +This example demonstrates how to test a specific Elasticsearch module by using Ruby code to locate the module and verify its properties. 
This approach uses the `modules` property to get detailed module information, while the `module_list` property can be used for a simple list of enabled module names:
+
+```ruby
+modules = elasticsearch.modules.first
+lang_groovy_module = modules.find { |mod| mod.name == 'lang-groovy' }
+
+describe 'lang-groovy module version' do
+ subject { lang_groovy_module }
+ its('version') { should cmp '5.5.2' }
+end
+```
+
+This example shows how to verify the properties of a specific Elasticsearch plugin. Similar to modules, you can use the `plugins` property for detailed plugin information, or the `plugin_list` property for a simple list of enabled plugin names:
+
+```ruby
+plugins = elasticsearch.plugins.first
+my_plugin = plugins.find { |plugin| plugin.name == 'my_plugin' }
+
+describe 'my_plugin plugin version' do
+ subject { my_plugin }
+ its('version') { should cmp '1.2.3' }
+end
+```
+
+## Matchers
+
+{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}}
\ No newline at end of file
diff --git a/_vendor/github.com/inspec/inspec-elasticsearch-resources/docs-chef-io/hugo.toml b/_vendor/github.com/inspec/inspec-elasticsearch-resources/docs-chef-io/hugo.toml
new file mode 100644
index 0000000..6402796
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-elasticsearch-resources/docs-chef-io/hugo.toml
@@ -0,0 +1,2 @@
+# [params.inspec-elasticsearch-resources]
+# gh_path = "https://github.com/inspec/inspec-elasticsearch-resources/tree/main/docs-chef-io/content/"
diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/_index.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/_index.md
new file mode 100644
index 0000000..3d9c735
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/_index.md
@@ -0,0 +1,58 @@
++++
+title = "About the Chef InSpec Google Cloud Platform resource pack"
+draft = false
+linkTitle = "GCP resource pack"
+summary = "Chef InSpec resources for auditing Google Cloud Platform."
+
+[cascade]
+ [cascade.params]
+ platform = "gcp"
+
+[menu.gcp]
+ title = "About GCP resources"
+ identifier = "inspec/resources/gcp/about"
+ parent = "inspec/resources/gcp"
+ weight = 10
++++
+
+Chef InSpec has resources for auditing Google Cloud Platform (GCP).
+
+## Prerequisites
+
+To use Chef InSpec GCP resources:
+
+- [Install and configure the Google Cloud SDK](https://cloud.google.com/sdk/docs/).
+
+## Initialize an InSpec profile for auditing GCP
+
+To use the GCP resources, follow these steps:
+
+1. Create a [service account](https://cloud.google.com/docs/authentication/getting-started) with the scopes appropriate for your needs.
+
+1. Download the credential JSON file, for example `project-credentials.json`, to your workspace and activate your service account:
+
+ ```bash
+ gcloud auth activate-service-account --key-file project-credentials.json
+ ```
+
+1. Create an InSpec profile for testing GCP resources:
+
+ ```bash
+ inspec init profile --platform gcp
+ ```
+
+1. Create controls using the resources listed below.
+
+1. Assuming the `inputs.yml` file contains your GCP project ID, you execute the profile can then be executed using the following command:
+
+ ```bash
+ inspec exec --input-file=/inputs.yml -t gcp://
+ ```
+
+## Google Cloud Platform resources
+
+The following InSpec Google Cloud resources are available in this resource pack.
+
+{{< inspec_resources_filter >}}
+
+{{< inspec_resources section="gcp" platform="gcp" >}}
diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_access_context_manager_access_level.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_access_context_manager_access_level.md
new file mode 100644
index 0000000..37dc1c3
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_access_context_manager_access_level.md 
@@ -0,0 +1,102 @@ ++++ +title = "google_access_context_manager_access_level resource" + +draft = false + + +[menu.gcp] +title = "google_access_context_manager_access_level" +identifier = "inspec/resources/gcp/google_access_context_manager_access_level resource" +parent = "inspec/resources/gcp" ++++ + +Use the `google_access_context_manager_access_level` InSpec audit resource to to test a Google Cloud AccessLevel resource. + +## Examples + +```ruby +policy_name = google_access_context_manager_access_policies(org_id: '190694428152').names.first + +describe google_access_context_manager_access_level(parent: policy_name, name: "ip_subnet") do + it { should exist } + its('title') { should cmp "ip_subnet" } + its('basic.conditions.size') { should cmp 1 } + its('basic.conditions.first.ip_subnetworks') { should include "192.0.2.0/24" } +end + +describe google_access_context_manager_access_level(parent: policy_name, name: "none") do + it { should_not exist } +end + +``` + +## Properties + +Properties that can be accessed from the `google_access_context_manager_access_level` resource: + + + * `title`: Human readable title. Must be unique within the Policy. + + * `description`: Description of the AccessLevel and its use. Does not affect behavior. + + * `basic`: A set of predefined conditions for the access level and a combining function. + + * `combining_function`: How the conditions list should be combined to determine if a request is granted this AccessLevel. If AND is used, each Condition in conditions must be satisfied for the AccessLevel to be applied. If OR is used, at least one Condition in conditions must be satisfied for the AccessLevel to be applied. + Possible values: + * AND + * OR + + * `conditions`: A set of requirements for the AccessLevel to be granted. + + * `ip_subnetworks`: A list of CIDR block IP subnetwork specification. May be IPv4 or IPv6. Note that for a CIDR IP address block, the specified IP address portion must be properly truncated (i.e. 
all the host bits must be zero) or the input is considered malformed. For example, "192.0.2.0/24" is accepted but "192.0.2.1/24" is not. Similarly, for IPv6, "2001:db8::/32" is accepted whereas "2001:db8::1/32" is not. The originating IP of a request must be in one of the listed subnets in order for this Condition to be true. If empty, all IP addresses are allowed. + + * `required_access_levels`: A list of other access levels defined in the same Policy, referenced by resource name. Referencing an AccessLevel which does not exist is an error. All access levels listed must be granted for the Condition to be true. Format: accessPolicies/{policy_id}/accessLevels/{short_name} + + * `members`: An allowed list of members (users, service accounts). Using groups is not supported yet. The signed-in user originating the request must be a part of one of the provided members. If not specified, a request may come from any user (logged in/not logged in, not present in any groups, etc.). Formats: `user:{emailid}`, `serviceAccount:{emailid}` + + * `negate`: Whether to negate the Condition. If true, the Condition becomes a NAND over its non-empty fields, each field must be false for the Condition overall to be satisfied. Defaults to false. + + * `device_policy`: Device specific restrictions, all restrictions must hold for the Condition to be true. If not specified, all devices are allowed. + + * `require_screen_lock`: Whether or not screenlock is required for the DevicePolicy to be true. Defaults to false. + + * `allowed_encryption_statuses`: A list of allowed encryptions statuses. An empty list allows all statuses. + + * `allowed_device_management_levels`: A list of allowed device management levels. An empty list allows all management levels. + + * `os_constraints`: A list of allowed OS versions. An empty list allows all types and all versions. + + * `minimum_version`: The minimum allowed OS version. If not set, any version of this OS satisfies the constraint. 
Format: "major.minor.patch" such as "10.5.301", "9.2.1".
+
+ * `os_type`: The operating system type of the device.
+ Possible values:
+ * OS_UNSPECIFIED
+ * DESKTOP_MAC
+ * DESKTOP_WINDOWS
+ * DESKTOP_LINUX
+ * DESKTOP_CHROME_OS
+
+ * `require_admin_approval`: Whether the device needs to be approved by the customer admin.
+
+ * `require_corp_owned`: Whether the device needs to be corp owned.
+
+ * `regions`: The request must originate from one of the provided countries/regions. Format: A valid ISO 3166-1 alpha-2 code.
+
+ * `custom`: Custom access level conditions are set using the Cloud Common Expression Language to represent the necessary conditions for the level to apply to a request. See CEL spec at: https://github.com/google/cel-spec.
+
+ * `expr`: Represents a textual expression in the Common Expression Language (CEL) syntax. CEL is a C-like expression language. This page details the objects and attributes that are used to the build the CEL expressions for custom access levels - https://cloud.google.com/access-context-manager/docs/custom-access-level-spec.
+
+ * `expression`: Textual representation of an expression in Common Expression Language syntax.
+
+ * `title`: Title for the expression, i.e. a short string describing its purpose.
+
+ * `description`: Description of the expression
+
+ * `location`: String indicating the location of the expression for error reporting, e.g. a file name and a position in the file
+
+ * `parent`: Name of the parent access policy
+
+ * `name`: Name of the access level
+
+
+## GCP permissions
diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_access_context_manager_access_levels.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_access_context_manager_access_levels.md
new file mode 100644
index 0000000..16ebf38
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_access_context_manager_access_levels.md
@@ -0,0 +1,44 @@
++++
+title = "google_access_context_manager_access_levels resource"
+
+draft = false
+
+
+[menu.gcp]
+title = "google_access_context_manager_access_levels"
+identifier = "inspec/resources/gcp/google_access_context_manager_access_levels resource"
+parent = "inspec/resources/gcp"
++++
+
+Use the `google_access_context_manager_access_levels` InSpec audit resource to to test a Google Cloud AccessLevel resource.
+
+## Examples
+
+```ruby
+policy_name = google_access_context_manager_access_policies(org_id: '190694428152').names.first
+
+describe google_access_context_manager_access_levels(parent: policy_name) do
+ its('names') { should include "ip_subnet" }
+end
+
+```
+
+## Properties
+
+Properties that can be accessed from the `google_access_context_manager_access_levels` resource:
+
+See [google_access_context_manager_access_level](google_access_context_manager_access_level) for more detailed information.
+
+ * `titles`: an array of `google_access_context_manager_access_level` title
+ * `descriptions`: an array of `google_access_context_manager_access_level` description
+ * `basics`: an array of `google_access_context_manager_access_level` basic
+ * `customs`: an array of `google_access_context_manager_access_level` custom
+ * `parents`: an array of `google_access_context_manager_access_level` parent
+ * `names`: an array of `google_access_context_manager_access_level` name
+
+## Filter criteria
+
+This resource supports all of the above properties as filter criteria, which can be used
+with `where` as a block or a method.
+
+## GCP permissions
diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_access_context_manager_access_policies.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_access_context_manager_access_policies.md
new file mode 100644
index 0000000..ff1f3c4
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_access_context_manager_access_policies.md
@@ -0,0 +1,41 @@
++++
+title = "google_access_context_manager_access_policies resource"
+
+draft = false
+
+
+[menu.gcp]
+title = "google_access_context_manager_access_policies"
+identifier = "inspec/resources/gcp/google_access_context_manager_access_policies resource"
+parent = "inspec/resources/gcp"
++++
+
+Use the `google_access_context_manager_access_policies` InSpec audit resource to test a Google Cloud AccessPolicy resource.
+
+## Examples
+
+```ruby
+describe google_access_context_manager_access_policies(org_id: '190694428152') do
+ its('count') { should be >= 1 }
+ its('titles') { should include 'policytitle' }
+end
+```
+
+## Properties
+
+Properties that can be accessed from the `google_access_context_manager_access_policies` resource:
+
+See [google_access_context_manager_access_policy](google_access_context_manager_access_policy) for more detailed information.
+
+ * `names`: an array of `google_access_context_manager_access_policy` name
+ * `create_times`: an array of `google_access_context_manager_access_policy` create_time
+ * `update_times`: an array of `google_access_context_manager_access_policy` update_time
+ * `parents`: an array of `google_access_context_manager_access_policy` parent
+ * `titles`: an array of `google_access_context_manager_access_policy` title
+
+## Filter criteria
+
+This resource supports all of the above properties as filter criteria, which can be used
+with `where` as a block or a method.
+
+## GCP permissions
diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_access_context_manager_access_policy.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_access_context_manager_access_policy.md
new file mode 100644
index 0000000..05cba4d
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_access_context_manager_access_policy.md
@@ -0,0 +1,45 @@
++++
+title = "google_access_context_manager_access_policy resource"
+
+draft = false
+
+
+[menu.gcp]
+title = "google_access_context_manager_access_policy"
+identifier = "inspec/resources/gcp/google_access_context_manager_access_policy resource"
+parent = "inspec/resources/gcp"
++++
+
+Use the `google_access_context_manager_access_policy` InSpec audit resource to to test a Google Cloud AccessPolicy resource.
+
+## Examples
+
+```ruby
+describe.one do
+ google_access_context_manager_access_policies(org_id: '190694428152').names.each do |policy_name|
+ describe google_access_context_manager_access_policy(name: policy_name) do
+ it { should exist }
+ its('title') { should cmp 'policytitle' }
+ its('parent') { should match '190694428152' }
+ end
+ end
+end
+```
+
+## Properties
+
+Properties that can be accessed from the `google_access_context_manager_access_policy` resource:
+
+
+ * `name`: Resource name of the AccessPolicy. Format: accessPolicies/{policy_id}
+
+ * `create_time`: Time the AccessPolicy was created in UTC.
+
+ * `update_time`: Time the AccessPolicy was updated in UTC.
+
+ * `parent`: The parent of this AccessPolicy in the Cloud Resource Hierarchy. Format: organizations/{organization_id}
+
+ * `title`: Human readable title. Does not affect behavior.
+
+
+## GCP permissions
diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_access_context_manager_service_perimeter.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_access_context_manager_service_perimeter.md
new file mode 100644
index 0000000..830ee73
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_access_context_manager_service_perimeter.md
@@ -0,0 +1,82 @@
++++
+title = "google_access_context_manager_service_perimeter resource"
+
+draft = false
+
+
+[menu.gcp]
+title = "google_access_context_manager_service_perimeter"
+identifier = "inspec/resources/gcp/google_access_context_manager_service_perimeter resource"
+parent = "inspec/resources/gcp"
++++
+
+Use the `google_access_context_manager_service_perimeter` InSpec audit resource to to test a Google Cloud ServicePerimeter resource.
+
+## Examples
+
+```ruby
+describe.one do
+ google_access_context_manager_access_policies(org_id: '190694428152').names.each do |policy_name|
+ describe google_access_context_manager_service_perimeter(policy_name: policy_name, name: 'restrict_all') do
+ it { should exist }
+ its('title') { should cmp 'restrict_all' }
+ its('status.restricted_services') { should include 'storage.googleapis.com' }
+ end
+ end
+end
+```
+
+## Properties
+
+Properties that can be accessed from the `google_access_context_manager_service_perimeter` resource:
+
+
+ * `title`: Human readable title. Must be unique within the Policy.
+
+ * `description`: Description of the ServicePerimeter and its use. Does not affect behavior.
+
+ * `create_time`: Time the AccessPolicy was created in UTC.
+
+ * `update_time`: Time the AccessPolicy was updated in UTC.
+
+ * `perimeter_type`: Specifies the type of the Perimeter. There are two types: regular and bridge. Regular Service Perimeter contains resources, access levels, and restricted services. Every resource can be in at most ONE regular Service Perimeter. In addition to being in a regular service perimeter, a resource can also be in zero or more perimeter bridges. A perimeter bridge only contains resources. Cross project operations are permitted if all effected resources share some perimeter (whether bridge or regular). Perimeter Bridge does not contain access levels or services: those are governed entirely by the regular perimeter that resource is in.
Perimeter Bridges are typically useful when building more complex topologies with many independent perimeters that need to share some data with a common perimeter, but should not be able to share data among themselves.
+ Possible values:
+ * PERIMETER_TYPE_REGULAR
+ * PERIMETER_TYPE_BRIDGE
+
+ * `status`: ServicePerimeter configuration. Specifies sets of resources, restricted services and access levels that determine perimeter content and boundaries.
+
+ * `resources`: A list of GCP resources that are inside of the service perimeter. Currently only projects are allowed. Format: projects/{project_number}
+
+ * `access_levels`: A list of AccessLevel resource names that allow resources within the ServicePerimeter to be accessed from the internet. AccessLevels listed must be in the same policy as this ServicePerimeter. Referencing a nonexistent AccessLevel is a syntax error. If no AccessLevel names are listed, resources within the perimeter can only be accessed via GCP calls with request origins within the perimeter. For Service Perimeter Bridge, must be empty. Format: accessPolicies/{policy_id}/accessLevels/{access_level_name}
+
+ * `restricted_services`: GCP services that are subject to the Service Perimeter restrictions. Must contain a list of services. For example, if `storage.googleapis.com` is specified, access to the storage buckets inside the perimeter must meet the perimeter's access restrictions.
+
+ * `vpc_accessible_services`: Specifies how APIs are allowed to communicate within the Service Perimeter.
+
+ * `enable_restriction`: Whether to restrict API calls within the Service Perimeter to the list of APIs specified in 'allowedServices'.
+
+ * `allowed_services`: The list of APIs usable within the Service Perimeter. Must be empty unless `enableRestriction` is True.
+
+ * `spec`: Proposed (or dry run) ServicePerimeter configuration. This configuration allows to specify and test ServicePerimeter configuration without enforcing actual access restrictions.
Only allowed to be set when the `useExplicitDryRunSpec` flag is set.
+
+ * `resources`: A list of GCP resources that are inside of the service perimeter. Currently only projects are allowed. Format: projects/{project_number}
+
+ * `access_levels`: A list of AccessLevel resource names that allow resources within the ServicePerimeter to be accessed from the internet. AccessLevels listed must be in the same policy as this ServicePerimeter. Referencing a nonexistent AccessLevel is a syntax error. If no AccessLevel names are listed, resources within the perimeter can only be accessed via GCP calls with request origins within the perimeter. For Service Perimeter Bridge, must be empty. Format: accessPolicies/{policy_id}/accessLevels/{access_level_name}
+
+ * `restricted_services`: GCP services that are subject to the Service Perimeter restrictions. Must contain a list of services. For example, if `storage.googleapis.com` is specified, access to the storage buckets inside the perimeter must meet the perimeter's access restrictions.
+
+ * `vpc_accessible_services`: Specifies how APIs are allowed to communicate within the Service Perimeter.
+
+ * `enable_restriction`: Whether to restrict API calls within the Service Perimeter to the list of APIs specified in 'allowedServices'.
+
+ * `allowed_services`: The list of APIs usable within the Service Perimeter. Must be empty unless `enableRestriction` is True.
+
+ * `use_explicit_dry_run_spec`: Use explicit dry run spec flag. Ordinarily, a dry-run spec implicitly exists for all Service Perimeters, and that spec is identical to the status for those Service Perimeters. When this flag is set, it inhibits the generation of the implicit spec, thereby allowing the user to explicitly provide a configuration ("spec") to use in a dry-run version of the Service Perimeter. This allows the user to test changes to the enforced config ("status") without actually enforcing them.
This testing is done through analyzing the differences between currently enforced and suggested restrictions. useExplicitDryRunSpec must bet set to True if any of the fields in the spec are set to non-default values.
+
+ * `parent`: The AccessPolicy this ServicePerimeter lives in. Format: accessPolicies/{policy_id}
+
+ * `name`: Resource name for the ServicePerimeter. The short_name component must begin with a letter and only include alphanumeric and '_'. Format: accessPolicies/{policy_id}/servicePerimeters/{short_name}
+
+
+## GCP permissions
diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_access_context_manager_service_perimeters.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_access_context_manager_service_perimeters.md
new file mode 100644
index 0000000..128c24c
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_access_context_manager_service_perimeters.md
@@ -0,0 +1,50 @@
++++
+title = "google_access_context_manager_service_perimeters resource"
+
+draft = false
+
+
+[menu.gcp]
+title = "google_access_context_manager_service_perimeters"
+identifier = "inspec/resources/gcp/google_access_context_manager_service_perimeters resource"
+parent = "inspec/resources/gcp"
++++
+
+Use the `google_access_context_manager_service_perimeters` InSpec audit resource to to test a Google Cloud ServicePerimeter resource.
+
+## Examples
+
+```ruby
+describe.one do
+ google_access_context_manager_access_policies(org_id: '190694428152').names.each do |policy_name|
+ describe google_access_context_manager_service_perimeters(policy_name: policy_name) do
+ its('names') { should include 'restrict_all' }
+ its('titles') { should include 'restrict_all' }
+ end
+ end
+end
+```
+
+## Properties
+
+Properties that can be accessed from the `google_access_context_manager_service_perimeters` resource:
+
+See [google_access_context_manager_service_perimeter](google_access_context_manager_service_perimeter) for more detailed information.
+
+ * `titles`: an array of `google_access_context_manager_service_perimeter` title
+ * `descriptions`: an array of `google_access_context_manager_service_perimeter` description
+ * `create_times`: an array of `google_access_context_manager_service_perimeter` create_time
+ * `update_times`: an array of `google_access_context_manager_service_perimeter` update_time
+ * `perimeter_types`: an array of `google_access_context_manager_service_perimeter` perimeter_type
+ * `statuses`: an array of `google_access_context_manager_service_perimeter` status
+ * `specs`: an array of `google_access_context_manager_service_perimeter` spec
+ * `use_explicit_dry_run_specs`: an array of `google_access_context_manager_service_perimeter` use_explicit_dry_run_spec
+ * `parents`: an array of `google_access_context_manager_service_perimeter` parent
+ * `names`: an array of `google_access_context_manager_service_perimeter` name
+
+## Filter criteria
+
+This resource supports all of the above properties as filter criteria, which can be used
+with `where` as a block or a method.
+
+## GCP permissions
diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_apigee_endpoint_attachment.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_apigee_endpoint_attachment.md
new file mode 100644
index 0000000..ba99315
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_apigee_endpoint_attachment.md
@@ -0,0 +1,74 @@
++++
+title = "google_apigee_endpoint_attachment resource"
+
+draft = false
+
+
+
+[menu.gcp]
+title = "google_apigee_endpoint_attachment"
+identifier = "inspec/resources/gcp/google_apigee_endpoint_attachment resource"
+parent = "inspec/resources/gcp"
++++
+
+Use the `google_apigee_endpoint_attachment` InSpec audit resource to test the properties of a Google Cloud EndpointAttachment resource.
+
+## Examples
+
+```ruby
+describe google_apigee_endpoint_attachment(name: ' value_name') do
+ it { should exist }
+ its('host') { should cmp 'value_host' }
+ its('connection_state') { should cmp 'value_connectionstate' }
+ its('service_attachment') { should cmp 'value_serviceattachment' }
+ its('location') { should cmp 'value_location' }
+ its('name') { should cmp 'value_name' }
+ its('state') { should cmp 'value_state' }
+
+end
+
+describe google_apigee_endpoint_attachment(name: "does_not_exit") do
+ it { should_not exist }
+end
+```
+
+## Parameters
+
+Parameters that can be accessed from the `google_apigee_endpoint_attachment` resource:
+
+## Properties
+
+Properties that can be accessed from the `google_apigee_endpoint_attachment` resource:
+
+
+ * `host`: Output only. Host that can be used in either the HTTP target endpoint directly or as the host in target server.
+
+ * `connection_state`: Output only. State of the endpoint attachment connection to the service attachment.
+ Possible values:
+ * CONNECTION_STATE_UNSPECIFIED
+ * UNAVAILABLE
+ * PENDING
+ * ACCEPTED
+ * REJECTED
+ * CLOSED
+ * FROZEN
+ * NEEDS_ATTENTION
+
+ * `service_attachment`: Format: projects/*/regions/*/serviceAttachments/*
+
+ * `location`: Required. Location of the endpoint attachment.
+
+ * `name`: Name of the endpoint attachment. Use the following structure in your request: `organizations/{org}/endpointAttachments/{endpoint_attachment}`
+
+ * `state`: Output only. State of the endpoint attachment. Values other than `ACTIVE` mean the resource is not ready to use.
+ Possible values:
+ * STATE_UNSPECIFIED
+ * CREATING
+ * ACTIVE
+ * DELETING
+ * UPDATING
+
+
+## GCP permissions
+
+Ensure the [Apigee API](https://console.cloud.google.com/apis/library/apigee.googleapis.com/) is enabled for the current project.
diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_apigee_endpoint_attachments.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_apigee_endpoint_attachments.md
new file mode 100644
index 0000000..43ddc7c
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_apigee_endpoint_attachments.md
@@ -0,0 +1,63 @@
++++
+title = "google_apigee_endpoint_attachments resource"
+
+draft = false
+
+
+
+[menu.gcp]
+title = "google_apigee_endpoint_attachments"
+identifier = "inspec/resources/gcp/google_apigee_endpoint_attachments resource"
+parent = "inspec/resources/gcp"
++++
+
+Use the `google_apigee_endpoint_attachments` InSpec audit resource to test the properties of a Google Cloud EndpointAttachment resource.
+
+## Examples
+
+```ruby
+ describe google_apigee_endpoint_attachments() do
+ it { should exist }
+ its('hosts') { should include 'value_host' }
+ its('connection_states') { should include 'value_connectionstate' }
+ its('service_attachments') { should include 'value_serviceattachment' }
+ its('locations') { should include 'value_location' }
+ its('names') { should include 'value_name' }
+ its('states') { should include 'value_state' }
+ end
+```
+
+## Parameters
+
+Parameters that can be accessed from the `google_apigee_endpoint_attachments` resource:
+
+See [google_apigee_endpoint_attachment](google_apigee_endpoint_attachment) for more detailed information.
+
+* `hosts`: an array of `google_apigee_endpoint_attachment` host
+* `connection_states`: an array of `google_apigee_endpoint_attachment` connection_state
+* `service_attachments`: an array of `google_apigee_endpoint_attachment` service_attachment
+* `locations`: an array of `google_apigee_endpoint_attachment` location
+* `names`: an array of `google_apigee_endpoint_attachment` name
+* `states`: an array of `google_apigee_endpoint_attachment` state
+
+## Properties
+
+Properties that can be accessed from the `google_apigee_endpoint_attachments` resource:
+
+See [google_apigee_endpoint_attachment](google_apigee_endpoint_attachment) for more detailed information.
+
+* `hosts`: an array of `google_apigee_endpoint_attachment` host
+* `connection_states`: an array of `google_apigee_endpoint_attachment` connection_state
+* `service_attachments`: an array of `google_apigee_endpoint_attachment` service_attachment
+* `locations`: an array of `google_apigee_endpoint_attachment` location
+* `names`: an array of `google_apigee_endpoint_attachment` name
+* `states`: an array of `google_apigee_endpoint_attachment` state
+
+## Filter criteria
+
+This resource supports all of the above properties as filter criteria, which can be used
+with `where` as a block or a method.
+
+## GCP permissions
+
+Ensure the [Apigee API](https://console.cloud.google.com/apis/library/apigee.googleapis.com/) is enabled for the current project.
diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_apigee_organization.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_apigee_organization.md
new file mode 100644
index 0000000..9e90e8a
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_apigee_organization.md
@@ -0,0 +1,188 @@
++++
+title = "google_apigee_organization resource"
+
+draft = false
+
+
+[menu.gcp]
+title = "google_apigee_organization"
+identifier = "inspec/resources/gcp/google_apigee_organization resource"
+parent = "inspec/resources/gcp"
++++
+
+Use the `google_apigee_organization` InSpec audit resource to to test a Google Cloud Organization resource.
+
+## Examples
+
+```ruby
+describe google_apigee_organization(name: ' value_name') do
+ it { should exist }
+ its('api_consumer_data_encryption_key_name') { should cmp 'value_apiconsumerdataencryptionkeyname' }
+ its('runtime_database_encryption_key_name') { should cmp 'value_runtimedatabaseencryptionkeyname' }
+ its('runtime_type') { should cmp 'value_runtimetype' }
+ its('type') { should cmp 'value_type' }
+ its('authorized_network') { should cmp 'value_authorizednetwork' }
+ its('project_id') { should cmp 'value_projectid' }
+ its('description') { should cmp 'value_description' }
+ its('ca_certificate') { should cmp 'value_cacertificate' }
+ its('subscription_type') { should cmp 'value_subscriptiontype' }
+ its('customer_name') { should cmp 'value_customername' }
+ its('created_at') { should cmp 'value_createdat' }
+ its('last_modified_at') { should cmp 'value_lastmodifiedat' }
+ its('subscription_plan') { should cmp 'value_subscriptionplan' }
+ its('state') { should cmp 'value_state' }
+ its('name') { should cmp 'value_name' }
+ its('control_plane_encryption_key_name') { should cmp 'value_controlplaneencryptionkeyname' }
+ its('analytics_region') { should cmp 'value_analyticsregion' }
+ its('api_consumer_data_location') { should cmp 'value_apiconsumerdatalocation' }
+ its('display_name') { should cmp 'value_displayname' }
+ its('apigee_project_id') { should cmp 'value_apigeeprojectid' }
+ its('expires_at') { should cmp 'value_expiresat' }
+ its('billing_type') { should cmp 'value_billingtype' }
+
+end
+
+describe google_apigee_organization(name: "does_not_exit") do
+ it { should_not exist }
+end
+```
+
+## Properties
+
+Properties that can be accessed from the `google_apigee_organization` resource:
+
+
+ * `api_consumer_data_encryption_key_name`: Cloud KMS key name used for encrypting API consumer data. Required for US/EU regions when [BillingType](#BillingType) is `SUBSCRIPTION`. When [BillingType](#BillingType) is `EVALUATION` or the region is not US/EU, a Google-Managed encryption key will be used. Format: `projects/*/locations/*/keyRings/*/cryptoKeys/*`
+
+ * `runtime_database_encryption_key_name`: Cloud KMS key name used for encrypting the data that is stored and replicated across runtime instances. Update is not allowed after the organization is created. Required when [RuntimeType](#RuntimeType) is `CLOUD`. If not specified when [RuntimeType](#RuntimeType) is `TRIAL`, a Google-Managed encryption key will be used. For example: "projects/foo/locations/us/keyRings/bar/cryptoKeys/baz". **Note:** Not supported for Apigee hybrid.
+
+ * `environments`: Output only. List of environments in the Apigee organization.
+
+ * `runtime_type`: Required. Runtime type of the Apigee organization based on the Apigee subscription purchased.
+ Possible values:
+ * RUNTIME_TYPE_UNSPECIFIED
+ * CLOUD
+ * HYBRID
+
+ * `type`: Not used by Apigee.
+ Possible values:
+ * TYPE_UNSPECIFIED
+ * TYPE_TRIAL
+ * TYPE_PAID
+ * TYPE_INTERNAL
+
+ * `portal_disabled`: Configuration for the Portals settings.
+
+ * `authorized_network`: Compute Engine network used for Service Networking to be peered with Apigee runtime instances. See [Getting started with the Service Networking API](https://cloud.google.com/service-infrastructure/docs/service-networking/getting-started). Valid only when [RuntimeType](#RuntimeType) is set to `CLOUD`. The value must be set before the creation of a runtime instance and can be updated only when there are no runtime instances. For example: `default`.
Apigee also supports shared VPC (that is, the host network project is not the same as the one that is peering with Apigee). See [Shared VPC overview](https://cloud.google.com/vpc/docs/shared-vpc). To use a shared VPC network, use the following format: `projects/{host-project-id}/{region}/networks/{network-name}`. For example: `projects/my-sharedvpc-host/global/networks/mynetwork` **Note:** Not supported for Apigee hybrid.
+
+ * `project_id`: Output only. Project ID associated with the Apigee organization.
+
+ * `description`: Description of the Apigee organization.
+
+ * `ca_certificate`: Output only. Base64-encoded public certificate for the root CA of the Apigee organization. Valid only when [RuntimeType](#RuntimeType) is `CLOUD`.
+
+ * `subscription_type`: Output only. DEPRECATED: This will eventually be replaced by BillingType. Subscription type of the Apigee organization. Valid values include trial (free, limited, and for evaluation purposes only) or paid (full subscription has been purchased). See [Apigee pricing](https://cloud.google.com/apigee/pricing/).
+ Possible values:
+ * SUBSCRIPTION_TYPE_UNSPECIFIED
+ * PAID
+ * TRIAL
+
+ * `addons_config`: Add-on configurations for the Apigee organization.
+
+ * `integration_config`: Configuration for the Integration add-on.
+
+ * `enabled`: Flag that specifies whether the Integration add-on is enabled.
+
+ * `api_security_config`: Configurations of the API Security add-on.
+
+ * `enabled`: Flag that specifies whether the API security add-on is enabled.
+
+ * `expires_at`: Output only. Time at which the API Security add-on expires in in milliseconds since epoch. If unspecified, the add-on will never expire.
+
+ * `monetization_config`: Configuration for the Monetization add-on.
+
+ * `enabled`: Flag that specifies whether the Monetization add-on is enabled.
+
+ * `connectors_platform_config`: Configuration for the Connectors Platform add-on.
+
+ * `expires_at`: Output only.
Time at which the Connectors Platform add-on expires in milliseconds since epoch. If unspecified, the add-on will never expire.
+
+ * `enabled`: Flag that specifies whether the Connectors Platform add-on is enabled.
+
+ * `analytics_config`: Configuration for the Analytics add-on.
+
+ * `expire_time_millis`: Output only. Time at which the Analytics add-on expires in milliseconds since epoch. If unspecified, the add-on will never expire.
+
+ * `state`: Output only. The state of the Analytics add-on.
+ Possible values:
+ * ADDON_STATE_UNSPECIFIED
+ * ENABLING
+ * ENABLED
+ * DISABLING
+ * DISABLED
+
+ * `enabled`: Whether the Analytics add-on is enabled.
+
+ * `update_time`: Output only. The latest update time.
+
+ * `advanced_api_ops_config`: Configuration for the Advanced API Ops add-on.
+
+ * `enabled`: Flag that specifies whether the Advanced API Ops add-on is enabled.
+
+ * `customer_name`: Not used by Apigee.
+
+ * `created_at`: Output only. Time that the Apigee organization was created in milliseconds since epoch.
+
+ * `last_modified_at`: Output only. Time that the Apigee organization was last modified in milliseconds since epoch.
+
+ * `subscription_plan`: Output only. Subscription plan that the customer has purchased. Output only.
+ Possible values:
+ * SUBSCRIPTION_PLAN_UNSPECIFIED
+ * SUBSCRIPTION_2021
+ * SUBSCRIPTION_2024
+
+ * `properties`: Message for compatibility with legacy Edge specification for Java Properties object in JSON.
+
+ * `property`: List of all properties in the object
+
+ * `value`: The property value
+
+ * `name`: The property key
+
+ * `state`: Output only. State of the organization. Values other than ACTIVE means the resource is not ready to use.
+ Possible values:
+ * STATE_UNSPECIFIED
+ * CREATING
+ * ACTIVE
+ * DELETING
+ * UPDATING
+
+ * `name`: Output only. Name of the Apigee organization.
+
+ * `disable_vpc_peering`: Optional.
Flag that specifies whether the VPC Peering through Private Google Access should be disabled between the consumer network and Apigee. Valid only when RuntimeType is set to CLOUD. Required if an authorizedNetwork on the consumer project is not provided, in which case the flag should be set to true. The value must be set before the creation of any Apigee runtime instance and can be updated only when there are no runtime instances. **Note:** Apigee will be deprecating the vpc peering model that requires you to provide 'authorizedNetwork', by making the non-peering model as the default way of provisioning Apigee organization in future. So, this will be a temporary flag to enable the transition. Not supported for Apigee hybrid.
+
+ * `control_plane_encryption_key_name`: Cloud KMS key name used for encrypting control plane data that is stored in a multi region. Required when [BillingType](#BillingType) is `SUBSCRIPTION`. When [BillingType](#BillingType) is `EVALUATION`, a Google-Managed encryption key will be used. Format: `projects/*/locations/*/keyRings/*/cryptoKeys/*`
+
+ * `analytics_region`: Required. DEPRECATED: This field will eventually be deprecated and replaced with a differently-named field. Primary Google Cloud region for analytics data storage. For valid values, see [Create an Apigee organization](https://cloud.google.com/apigee/docs/api-platform/get-started/create-org).
+
+ * `api_consumer_data_location`: This field is needed only for customers with control plane in US or EU. Apigee stores some control plane data only in single region. This field determines which single region Apigee should use. For example: "us-west1" when control plane is in US or "europe-west2" when control plane is in EU.
+
+ * `display_name`: Display name for the Apigee organization. Unused, but reserved for future use.
+
+ * `apigee_project_id`: Output only. Apigee Project ID associated with the organization.
Use this project to allowlist Apigee in the Service Attachment when using private service connect with Apigee.
+
+ * `expires_at`: Output only. Time that the Apigee organization is scheduled for deletion.
+
+ * `attributes`: Not used by Apigee.
+
+ * `billing_type`: Billing type of the Apigee organization. See [Apigee pricing](https://cloud.google.com/apigee/pricing).
+ Possible values:
+ * BILLING_TYPE_UNSPECIFIED
+ * SUBSCRIPTION
+ * EVALUATION
+ * PAYG
+
+
+## GCP permissions
+
+Ensure the [Apigee API](https://console.cloud.google.com/apis/library/apigee.googleapis.com/) is enabled for the current project.
diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_apigee_organization_api.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_apigee_organization_api.md
new file mode 100644
index 0000000..49c22b8
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_apigee_organization_api.md
@@ -0,0 +1,65 @@
++++
+title = "google_apigee_organization_api resource"
+
+draft = false
+
+
+[menu.gcp]
+title = "google_apigee_organization_api"
+identifier = "inspec/resources/gcp/google_apigee_organization_api resource"
+parent = "inspec/resources/gcp"
++++
+
+Use the `google_apigee_organization_api` InSpec audit resource to to test a Google Cloud OrganizationApi resource.
+
+## Examples
+
+```ruby
+describe google_apigee_organization_api(parent: ' value_parent', name: ' value_name') do
+ it { should exist }
+ its('latest_revision_id') { should cmp 'value_latestrevisionid' }
+ its('api_proxy_type') { should cmp 'value_apiproxytype' }
+ its('name') { should cmp 'value_name' }
+
+end
+
+describe google_apigee_organization_api(parent: ' value_parent', name: "does_not_exit") do
+ it { should_not exist }
+end
+```
+
+## Properties
+
+Properties that can be accessed from the `google_apigee_organization_api` resource:
+
+
+ * `revision`: Output only. List of revisions defined for the API proxy.
+
+ * `latest_revision_id`: Output only. The id of the most recently created revision for this api proxy.
+
+ * `meta_data`: Metadata common to many entities in this API.
+
+ * `last_modified_at`: Time at which the API proxy was most recently modified, in milliseconds since epoch.
+
+ * `created_at`: Time at which the API proxy was created, in milliseconds since epoch.
+
+ * `sub_type`: The type of entity described
+
+ * `api_proxy_type`: Output only. The type of the API proxy.
+ Possible values:
+ * API_PROXY_TYPE_UNSPECIFIED
+ * PROGRAMMABLE
+ * CONFIGURABLE
+
+ * `read_only`: Output only. Whether this proxy is read-only. A read-only proxy cannot have new revisions created through calls to CreateApiProxyRevision. A proxy is read-only if it was generated by an archive.
+
+ * `labels`: User labels applied to this API Proxy.
+
+ * `additional_properties`:
+
+ * `name`: Output only. Name of the API proxy.
+
+
+## GCP permissions
+
+Ensure the [Apigee API](https://console.cloud.google.com/apis/library/apigee.googleapis.com/) is enabled for the current project.
diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_apigee_organization_apis.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_apigee_organization_apis.md
new file mode 100644
index 0000000..348f6e3
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_apigee_organization_apis.md
@@ -0,0 +1,44 @@
++++
+title = "google_apigee_organization_apis resource"
+
+draft = false
+
+
+[menu.gcp]
+title = "google_apigee_organization_apis"
+identifier = "inspec/resources/gcp/google_apigee_organization_apis resource"
+parent = "inspec/resources/gcp"
++++
+
+Use the `google_apigee_organization_apis` InSpec audit resource to to test a Google Cloud OrganizationApi resource.
+
+## Examples
+
+```ruby
+ describe google_apigee_organization_apis(parent: ' value_parent') do
+ it { should exist }
+ end
+```
+
+## Properties
+
+Properties that can be accessed from the `google_apigee_organization_apis` resource:
+
+See [google_apigee_organization_api](google_apigee_organization_api) for more detailed information.
+
+ * `revisions`: an array of `google_apigee_organization_api` revision
+ * `latest_revision_ids`: an array of `google_apigee_organization_api` latest_revision_id
+ * `meta_data`: an array of `google_apigee_organization_api` meta_data
+ * `api_proxy_types`: an array of `google_apigee_organization_api` api_proxy_type
+ * `read_onlies`: an array of `google_apigee_organization_api` read_only
+ * `labels`: an array of `google_apigee_organization_api` labels
+ * `names`: an array of `google_apigee_organization_api` name
+
+## Filter criteria
+
+This resource supports all of the above properties as filter criteria, which can be used
+with `where` as a block or a method.
+
+## GCP permissions
+
+Ensure the [Apigee API](https://console.cloud.google.com/apis/library/apigee.googleapis.com/) is enabled for the current project.
diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_apigee_organization_envgroup.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_apigee_organization_envgroup.md
new file mode 100644
index 0000000..e730114
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_apigee_organization_envgroup.md
@@ -0,0 +1,55 @@
++++
+title = "google_apigee_organization_envgroup resource"
+
+draft = false
+
+
+[menu.gcp]
+title = "google_apigee_organization_envgroup"
+identifier = "inspec/resources/gcp/google_apigee_organization_envgroup resource"
+parent = "inspec/resources/gcp"
++++
+
+Use the `google_apigee_organization_envgroup` InSpec audit resource to to test a Google Cloud OrganizationEnvgroup resource.
+
+## Examples
+
+```
+describe google_apigee_organization_envgroup(name: ' value_name') do
+ it { should exist }
+ its('name') { should cmp 'value_name' }
+ its('hostnames') { should include 'value_hostname' }
+ its('last_modified_at') { should cmp 'value_lastmodifiedat' }
+ its('state') { should cmp 'value_state' }
+ its('created_at') { should cmp 'value_createdat' }
+end
+
+describe google_apigee_organization_envgroup(name: "does_not_exit") do
+ it { should_not exist }
+end
+```
+
+## Properties
+
+Properties that can be accessed from the `google_apigee_organization_envgroup` resource:
+
+ * `name`: ID of the environment group.
+
+ * `last_modified_at`: The time at which the environment group was last updated as milliseconds since epoch.
+
+ * `hostnames`: Host names for this environment group.
+
+ * `state`: State of the environment group. Values other than ACTIVE means the resource is not ready to use.
+
+ Possible values:
+ * STATE_UNSPECIFIED
+ * CREATING
+ * ACTIVE
+ * DELETING
+ * UPDATING
+
+ * `created_at`: The time at which the environment group was created as milliseconds since epoch.
+
+## GCP permissions
+
+Ensure the [Apigee API](https://console.cloud.google.com/apis/library/apigee.googleapis.com/) is enabled for the current project.
diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_apigee_organization_envgroup_attachment.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_apigee_organization_envgroup_attachment.md
new file mode 100644
index 0000000..15c37b4
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_apigee_organization_envgroup_attachment.md
@@ -0,0 +1,48 @@
++++
+title = "google_apigee_organization_envgroup_attachment resource"
+
+draft = false
+
+
+[menu.gcp]
+title = "google_apigee_organization_envgroup_attachment"
+identifier = "inspec/resources/gcp/google_apigee_organization_envgroup_attachment resource"
+parent = "inspec/resources/gcp"
++++
+
+Use the `google_apigee_organization_envgroup_attachment` InSpec audit resource to to test a Google Cloud OrganizationEnvgroupAttachment resource.
+
+## Examples
+
+```
+describe google_apigee_organization_envgroup_attachment(name: ' value_name') do
+ it { should exist }
+ its('created_at') { should cmp 'value_createdat' }
+ its('environment') { should cmp 'value_environment' }
+ its('environment_group_id') { should cmp 'value_environmentgroupid' }
+ its('name') { should cmp 'value_name' }
+
+end
+
+describe google_apigee_organization_envgroup_attachment(name: "does_not_exit") do
+ it { should_not exist }
+end
+```
+
+## Properties
+
+Properties that can be accessed from the `google_apigee_organization_envgroup_attachment` resource:
+
+
+ * `created_at`: The time at which the environment group attachment was created as milliseconds since epoch.
+
+ * `environment`: ID of the attached environment.
+
+ * `environment_group_id`: ID of the environment group.
+
+ * `name`: ID of the environment group attachment.
+
+
+## GCP permissions
+
+Ensure the [Apigee API](https://console.cloud.google.com/apis/library/apigee.googleapis.com/) is enabled for the current project.
diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_apigee_organization_envgroup_attachments.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_apigee_organization_envgroup_attachments.md
new file mode 100644
index 0000000..135e5fd
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_apigee_organization_envgroup_attachments.md
@@ -0,0 +1,41 @@
++++
+title = "google_apigee_organization_envgroup_attachments resource"
+
+draft = false
+
+
+[menu.gcp]
+title = "google_apigee_organization_envgroup_attachments"
+identifier = "inspec/resources/gcp/google_apigee_organization_envgroup_attachments resource"
+parent = "inspec/resources/gcp"
++++
+
+Use the `google_apigee_organization_envgroup_attachments` InSpec audit resource to to test a Google Cloud OrganizationEnvgroupAttachment resource.
+
+## Examples
+
+```
+ describe google_apigee_organization_envgroup_attachments(parent: ' value_parent') do
+ it { should exist }
+ end
+```
+
+## Properties
+
+Properties that can be accessed from the `google_apigee_organization_envgroup_attachments` resource:
+
+See [google_apigee_organization_envgroup_attachment](google_apigee_organization_envgroup_attachment) for more detailed information.
+
+ * `created_ats`: an array of `google_apigee_organization_envgroup_attachment` created_at
+ * `environments`: an array of `google_apigee_organization_envgroup_attachment` environment
+ * `environment_group_ids`: an array of `google_apigee_organization_envgroup_attachment` environment_group_id
+ * `names`: an array of `google_apigee_organization_envgroup_attachment` name
+
+## Filter criteria
+
+This resource supports all of the above properties as filter criteria, which can be used
+with `where` as a block or a method.
+
+## GCP permissions
+
+Ensure the [Apigee API](https://console.cloud.google.com/apis/library/apigee.googleapis.com/) is enabled for the current project.
diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_apigee_organization_envgroups.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_apigee_organization_envgroups.md
new file mode 100644
index 0000000..da63a55
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_apigee_organization_envgroups.md
@@ -0,0 +1,42 @@
++++
+title = "google_apigee_organization_envgroups resource"
+
+draft = false
+
+
+[menu.gcp]
+title = "google_apigee_organization_envgroups"
+identifier = "inspec/resources/gcp/google_apigee_organization_envgroups resource"
+parent = "inspec/resources/gcp"
++++
+
+Use the `google_apigee_organization_envgroups` InSpec audit resource to to test a Google Cloud OrganizationEnvgroup resource.
+
+## Examples
+
+```
+ describe google_apigee_organization_envgroups(parent: 'value_parent') do
+ it { should exist }
+ end
+```
+
+## Properties
+
+Properties that can be accessed from the `google_apigee_organization_envgroups` resource:
+
+See [google_apigee_organization_envgroup](google_apigee_organization_envgroup) for more detailed information.
+
+ * `names`: an array of `google_apigee_organization_envgroup` name
+ * `last_modified_ats`: an array of `google_apigee_organization_envgroup` last_modified_at
+ * `hostnames`: an array of `google_apigee_organization_envgroup` hostnames
+ * `states`: an array of `google_apigee_organization_envgroup` state
+ * `created_ats`: an array of `google_apigee_organization_envgroup` created_at
+
+## Filter criteria
+
+This resource supports all of the above properties as filter criteria, which can be used
+with `where` as a block or a method.
+
+## GCP permissions
+
+Ensure the [Apigee API](https://console.cloud.google.com/apis/library/apigee.googleapis.com/) is enabled for the current project.
diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_apigee_organization_instance_attachment.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_apigee_organization_instance_attachment.md
new file mode 100644
index 0000000..12fcfdc
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_apigee_organization_instance_attachment.md
@@ -0,0 +1,49 @@
++++
+title = "google_apigee_organization_instance_attachment resource"
+
+draft = false
+
+
+
+[menu.gcp]
+title = "google_apigee_organization_instance_attachment"
+identifier = "inspec/resources/gcp/google_apigee_organization_instance_attachment resource"
+parent = "inspec/resources/gcp"
++++
+
+Use the `google_apigee_organization_instance_attachment` InSpec audit resource to test the properties of a Google Cloud OrganizationInstanceAttachment resource.
+
+## Examples
+
+```ruby
+describe google_apigee_organization_instance_attachment(parent:'value_parent', name:'value_name') do
+ it { should exist }
+ its('name') { should cmp 'value_name' }
+ its('environment') { should cmp 'value_environment' }
+ its('created_at') { should cmp 'value_createdat' }
+end
+
+describe google_apigee_organization_instance_attachment(parent:'value_parent',name: "does-not-exit") do
+ it { should_not exist }
+end
+```
+
+## Parameters
+
+Parameters that can be accessed from the `google_apigee_organization_instance_attachment` resource:
+
+## Properties
+
+Properties that can be accessed from the `google_apigee_organization_instance_attachment` resource:
+
+
+ * `name`: Output only. ID of the attachment.
+
+ * `environment`: ID of the attached environment.
+
+ * `created_at`: Output only. Time the attachment was created in milliseconds since epoch.
+
+
+## GCP permissions
+
+Ensure the [Apigee API](https://console.cloud.google.com/apis/library/apigee.googleapis.com/) is enabled for the current project.
diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_apigee_organization_instance_attachments.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_apigee_organization_instance_attachments.md
new file mode 100644
index 0000000..2c0c778
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_apigee_organization_instance_attachments.md
@@ -0,0 +1,54 @@
++++
+title = "google_apigee_organization_instance_attachments resource"
+
+draft = false
+
+
+
+[menu.gcp]
+title = "google_apigee_organization_instance_attachments"
+identifier = "inspec/resources/gcp/google_apigee_organization_instance_attachments resource"
+parent = "inspec/resources/gcp"
++++
+
+Use the `google_apigee_organization_instance_attachments` InSpec audit resource to test the properties of a Google Cloud OrganizationInstanceAttachment resource.
+
+## Examples
+
+```ruby
+ describe google_apigee_organization_instance_attachments(parent: 'value_parent') do
+ it { should exist }
+ its('names') { should include 'value_name' }
+ its('environments') { should include 'value_environment' }
+ its('created_ats') { should include 'value_createdat' }
+ end
+```
+
+## Parameters
+
+Parameters that can be accessed from the `google_apigee_organization_instance_attachments` resource:
+
+See [google_apigee_organization_instance_attachment](google_apigee_organization_instance_attachment) for more detailed information.
+
+* `names`: an array of `google_apigee_organization_instance_attachment` name
+* `environments`: an array of `google_apigee_organization_instance_attachment` environment
+* `created_ats`: an array of `google_apigee_organization_instance_attachment` created_at
+
+## Properties
+
+Properties that can be accessed from the `google_apigee_organization_instance_attachments` resource:
+
+See [google_apigee_organization_instance_attachment](google_apigee_organization_instance_attachment) for more detailed information.
+
+* `names`: an array of `google_apigee_organization_instance_attachment` name
+* `environments`: an array of `google_apigee_organization_instance_attachment` environment
+* `created_ats`: an array of `google_apigee_organization_instance_attachment` created_at
+
+## Filter criteria
+
+This resource supports all of the above properties as filter criteria, which can be used
+with `where` as a block or a method.
+
+## GCP permissions
+
+Ensure the [Apigee API](https://console.cloud.google.com/apis/library/apigee.googleapis.com/) is enabled for the current project.
diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_apigee_organizations.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_apigee_organizations.md
new file mode 100644
index 0000000..388b644
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_apigee_organizations.md
@@ -0,0 +1,65 @@
++++
+title = "google_apigee_organizations resource"
+
+draft = false
+
+
+[menu.gcp]
+title = "google_apigee_organizations"
+identifier = "inspec/resources/gcp/google_apigee_organizations resource"
+parent = "inspec/resources/gcp"
++++
+
+Use the `google_apigee_organizations` InSpec audit resource to to test a Google Cloud Organization resource.
+
+## Examples
+
+```ruby
+ describe google_apigee_organizations(parent: ' value_parent') do
+ it { should exist }
+ end
+```
+
+## Properties
+
+Properties that can be accessed from the `google_apigee_organizations` resource:
+
+See [google_apigee_organization](google_apigee_organization) for more detailed information.
+
+ * `api_consumer_data_encryption_key_names`: an array of `google_apigee_organization` api_consumer_data_encryption_key_name
+ * `runtime_database_encryption_key_names`: an array of `google_apigee_organization` runtime_database_encryption_key_name
+ * `environments`: an array of `google_apigee_organization` environments
+ * `runtime_types`: an array of `google_apigee_organization` runtime_type
+ * `types`: an array of `google_apigee_organization` type
+ * `portal_disableds`: an array of `google_apigee_organization` portal_disabled
+ * `authorized_networks`: an array of `google_apigee_organization` authorized_network
+ * `project_ids`: an array of `google_apigee_organization` project_id
+ * `descriptions`: an array of `google_apigee_organization` description
+ * `ca_certificates`: an array of `google_apigee_organization` ca_certificate
+ * `subscription_types`: an array of `google_apigee_organization` subscription_type
+ * `addons_configs`: an array of `google_apigee_organization` addons_config
+ * `customer_names`: an array of `google_apigee_organization` customer_name
+ * `created_ats`: an array of `google_apigee_organization` created_at
+ * `last_modified_ats`: an array of `google_apigee_organization` last_modified_at
+ * `subscription_plans`: an array of `google_apigee_organization` 
subscription_plan
+ * `properties`: an array of `google_apigee_organization` properties
+ * `states`: an array of `google_apigee_organization` state
+ * `names`: an array of `google_apigee_organization` name
+ * `disable_vpc_peerings`: an array of `google_apigee_organization` disable_vpc_peering
+ * `control_plane_encryption_key_names`: an array of `google_apigee_organization` control_plane_encryption_key_name
+ * `analytics_regions`: an array of `google_apigee_organization` analytics_region
+ * `api_consumer_data_locations`: an array of `google_apigee_organization` api_consumer_data_location
+ * `display_names`: an array of `google_apigee_organization` display_name
+ * `apigee_project_ids`: an array of `google_apigee_organization` apigee_project_id
+ * `expires_ats`: an array of `google_apigee_organization` expires_at
+ * `attributes`: an array of `google_apigee_organization` attributes
+ * `billing_types`: an array of `google_apigee_organization` billing_type
+
+## Filter criteria
+
+This resource supports all of the above properties as filter criteria, which can be used
+with `where` as a block or a method.
+
+## GCP permissions
+
+Ensure the [Apigee API](https://console.cloud.google.com/apis/library/apigee.googleapis.com/) is enabled for the current project.
diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_appengine_standard_app_version.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_appengine_standard_app_version.md
new file mode 100644
index 0000000..a891172
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_appengine_standard_app_version.md
@@ -0,0 +1,81 @@
++++
+title = "google_appengine_standard_app_version resource"
+
+draft = false
+
+
+[menu.gcp]
+title = "google_appengine_standard_app_version"
+identifier = "inspec/resources/gcp/google_appengine_standard_app_version resource"
+parent = "inspec/resources/gcp"
++++
+
+Use the `google_appengine_standard_app_version` InSpec audit resource to to test a Google Cloud StandardAppVersion resource.
+
+## Examples
+
+```ruby
+describe google_appengine_standard_app_version(project: 'chef-gcp-inspec', location: 'europe-west2', version_id: 'v2', service: 'default') do
+ it { should exist }
+ its('version_id') { should eq 'v2' }
+ its('runtime') { should eq 'nodejs10' }
+end
+```
+
+## Properties
+
+Properties that can be accessed from the `google_appengine_standard_app_version` resource:
+
+
+ * `name`: Full path to the Version resource in the API. Example, "v1".
+
+ * `version_id`: Relative name of the version within the service. For example, `v1`. Version names can contain only lowercase letters, numbers, or hyphens. Reserved names,"default", "latest", and any name with the prefix "ah-".
+
+ * `runtime`: Desired runtime. Example python27.
+
+ * `threadsafe`: Whether multiple requests can be dispatched to this version at once.
+
+ * `vpc_access_connector`: Enables VPC connectivity for standard apps.
+
+ * `name`: Full Serverless VPC Access Connector name e.g. /projects/my-project/locations/us-central1/connectors/c1.
+
+ * `inbound_services`: A list of the types of messages that this application is able to receive.
+
+ * `instance_class`: Instance class that is used to run this version. Valid values are AutomaticScaling: F1, F2, F4, F4_1G BasicScaling or ManualScaling: B1, B2, B4, B4_1G, B8 Defaults to F1 for AutomaticScaling and B2 for ManualScaling and BasicScaling. If no scaling is specified, AutomaticScaling is chosen.
+
+ * `automatic_scaling`: Automatic scaling is based on request rate, response latencies, and other application metrics.
+
+ * `max_concurrent_requests`: Number of concurrent requests an automatic scaling instance can accept before the scheduler spawns a new instance. Defaults to a runtime-specific value.
+
+ * `max_idle_instances`: Maximum number of idle instances that should be maintained for this version.
+
+ * `max_pending_latency`: Maximum amount of time that a request should wait in the pending queue before starting a new instance to handle it. A duration in seconds with up to nine fractional digits, terminated by 's'. Example: "3.5s".
+
+ * `min_idle_instances`: Minimum number of idle instances that should be maintained for this version. Only applicable for the default version of a service.
+
+ * `min_pending_latency`: Minimum amount of time a request should wait in the pending queue before starting a new instance to handle it. A duration in seconds with up to nine fractional digits, terminated by 's'. Example: "3.5s".
+
+ * `standard_scheduler_settings`: Scheduler settings for standard environment.
+
+ * `target_cpu_utilization`: Target CPU utilization ratio to maintain when scaling. Should be a value in the range [0.50, 0.95], zero, or a negative value.
+
+ * `target_throughput_utilization`: Target throughput utilization ratio to maintain when scaling. Should be a value in the range [0.50, 0.95], zero, or a negative value.
+
+ * `min_instances`: Minimum number of instances to run for this version. Set to zero to disable minInstances configuration.
+
+ * `max_instances`: Maximum number of instances to run for this version. Set to zero to disable maxInstances configuration.
+
+ * `basic_scaling`: Basic scaling creates instances when your application receives requests. Each instance will be shut down when the application becomes idle. Basic scaling is ideal for work that is intermittent or driven by user activity.
+
+ * `idle_timeout`: Duration of time after the last request that an instance must wait before the instance is shut down.
A duration in seconds with up to nine fractional digits, terminated by 's'. Example: "3.5s". Defaults to 900s.
+
+ * `max_instances`: Maximum number of instances to create for this version. Must be in the range [1.0, 200.0].
+
+ * `manual_scaling`: A service with manual scaling runs continuously, allowing you to perform complex initialization and rely on the state of its memory over time.
+
+ * `instances`: Number of instances to assign to the service at the start. **Note:** When managing the number of instances at runtime through the App Engine Admin API or the (now deprecated) Python 2 Modules API set_num_instances() you must use `lifecycle.ignore_changes = ["manual_scaling"[0].instances]` to prevent drift detection.
+
+
+## GCP permissions
+
+Ensure the [App Engine Admin API](https://console.cloud.google.com/apis/library/appengine.googleapis.com/) is enabled for the current project.
diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_appengine_standard_app_versions.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_appengine_standard_app_versions.md
new file mode 100644
index 0000000..414c07a
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_appengine_standard_app_versions.md
@@ -0,0 +1,47 @@
++++
+title = "google_appengine_standard_app_versions resource"
+
+draft = false
+
+
+[menu.gcp]
+title = "google_appengine_standard_app_versions"
+identifier = "inspec/resources/gcp/google_appengine_standard_app_versions resource"
+parent = "inspec/resources/gcp"
++++
+
+Use the `google_appengine_standard_app_versions` InSpec audit resource to to test a Google Cloud StandardAppVersion resource.
+
+## Examples
+
+```ruby
+describe google_appengine_standard_app_versions(project: 'chef-gcp-inspec', location: 'europe-west2',service: 'default') do
+ its('runtimes') { should include 'nodejs10' }
+end
+```
+
+## Properties
+
+Properties that can be accessed from the `google_appengine_standard_app_versions` resource:
+
+See [google_appengine_standard_app_version](google_appengine_standard_app_version) for more detailed information.
+
+ * `names`: an array of `google_appengine_standard_app_version` name
+ * `version_ids`: an array of `google_appengine_standard_app_version` version_id
+ * `runtimes`: an array of `google_appengine_standard_app_version` runtime
+ * `threadsaves`: an array of `google_appengine_standard_app_version` threadsafe
+ * `vpc_access_connectors`: an array of `google_appengine_standard_app_version` vpc_access_connector
+ * `inbound_services`: an array of `google_appengine_standard_app_version` inbound_services
+ * `instance_classes`: an array of `google_appengine_standard_app_version` instance_class
+ * `automatic_scalings`: an array of `google_appengine_standard_app_version` automatic_scaling
+ * `basic_scalings`: an array of `google_appengine_standard_app_version` basic_scaling
+ * `manual_scalings`: an array of `google_appengine_standard_app_version` manual_scaling
+
+## Filter criteria
+
+This resource supports all of the above properties as filter criteria, which can be used
+with `where` as a block or a method.
+
+## GCP permissions
+
+Ensure the [App Engine Admin API](https://console.cloud.google.com/apis/library/appengine.googleapis.com/) is enabled for the current project.
diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_artifactregistry_project_location_repositories.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_artifactregistry_project_location_repositories.md
new file mode 100644
index 0000000..7bc8b39
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_artifactregistry_project_location_repositories.md
@@ -0,0 +1,53 @@
++++
+title = "google_artifactregistry_project_location_repositories resource"
+
+draft = false
+
+
+[menu.gcp]
+title = "google_artifactregistry_project_location_repositories"
+identifier = "inspec/resources/gcp/google_artifactregistry_project_location_repositories resource"
+parent = "inspec/resources/gcp"
++++
+
+Use the `google_artifactregistry_project_location_repositories` InSpec audit resource to to test a Google Cloud ProjectLocationRepository resource.
+
+## Examples
+
+```ruby
+ describe google_artifactregistry_project_location_repositories(parent: ' value_parent') do
+ it { should exist }
+ end
+```
+
+## Properties
+
+Properties that can be accessed from the `google_artifactregistry_project_location_repositories` resource:
+
+See [google_artifactregistry_project_location_repository](google_artifactregistry_project_location_repository) for more detailed information.
+
+ * `maven_configs`: an array of `google_artifactregistry_project_location_repository` maven_config
+ * `docker_configs`: an array of `google_artifactregistry_project_location_repository` docker_config
+ * `virtual_repository_configs`: an array of `google_artifactregistry_project_location_repository` virtual_repository_config
+ * `remote_repository_configs`: an array of `google_artifactregistry_project_location_repository` remote_repository_config
+ * `names`: an array of `google_artifactregistry_project_location_repository` name
+ * `formats`: an array of `google_artifactregistry_project_location_repository` format
+ * `descriptions`: an array of `google_artifactregistry_project_location_repository` description
+ * `labels`: an array of `google_artifactregistry_project_location_repository` labels
+ * `create_times`: an array of `google_artifactregistry_project_location_repository` create_time
+ * `update_times`: an array of `google_artifactregistry_project_location_repository` update_time
+ * `kms_key_names`: an array of 
`google_artifactregistry_project_location_repository` kms_key_name
+ * `modes`: an array of `google_artifactregistry_project_location_repository` mode
+ * `cleanup_policies`: an array of `google_artifactregistry_project_location_repository` cleanup_policies
+ * `size_bytes`: an array of `google_artifactregistry_project_location_repository` size_bytes
+ * `satisfies_pzs`: an array of `google_artifactregistry_project_location_repository` satisfies_pzs
+ * `cleanup_policy_dry_runs`: an array of `google_artifactregistry_project_location_repository` cleanup_policy_dry_run
+
+## Filter criteria
+
+This resource supports all of the above properties as filter criteria, which can be used
+with `where` as a block or a method.
+
+## GCP permissions
+
+Ensure the [Artifact Registry API](https://console.cloud.google.com/apis/library/artifactregistry.googleapis.com/) is enabled for the current project.
diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_artifactregistry_project_location_repository.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_artifactregistry_project_location_repository.md
new file mode 100644
index 0000000..4e6bb3c
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_artifactregistry_project_location_repository.md
@@ -0,0 +1,173 @@ ++++ +title = "google_artifactregistry_project_location_repository resource" + +draft = false + + +[menu.gcp] +title = "google_artifactregistry_project_location_repository" +identifier = "inspec/resources/gcp/google_artifactregistry_project_location_repository resource" +parent = "inspec/resources/gcp" ++++ + +Use the `google_artifactregistry_project_location_repository` InSpec audit resource to to test a Google Cloud ProjectLocationRepository resource. + +## Examples + +```ruby +describe google_artifactregistry_project_location_repository(name: ' value_name') do + it { should exist } + +end + +describe google_artifactregistry_project_location_repository(name: "does_not_exit") do + it { should_not exist } +end +``` + +## Properties + +Properties that can be accessed from the `google_artifactregistry_project_location_repository` resource: + + + * `maven_config`: MavenRepositoryConfig is maven related repository details. Provides additional configuration details for repositories of the maven format type. + + * `allow_snapshot_overwrites`: The repository with this flag will allow publishing the same snapshot versions. + + * `version_policy`: Version policy defines the versions that the registry will accept. + Possible values: + * VERSION_POLICY_UNSPECIFIED + * RELEASE + * SNAPSHOT + + * `docker_config`: DockerRepositoryConfig is docker related repository details. Provides additional configuration details for repositories of the docker format type. + + * `immutable_tags`: The repository which enabled this flag prevents all tags from being modified, moved or deleted. This does not prevent tags from being created. + + * `virtual_repository_config`: Virtual repository configuration. + + * `upstream_policies`: Policies that configure the upstream artifacts distributed by the Virtual Repository. Upstream policies cannot be set on a standard repository. + + * `id`: The user-provided ID of the upstream policy. 
+ + * `repository`: A reference to the repository resource, for example: `projects/p1/locations/us-central1/repositories/repo1`. + + * `priority`: Entries with a greater priority value take precedence in the pull order. + + * `remote_repository_config`: Remote repository configuration. + + * `docker_repository`: Configuration for a Docker remote repository. + + * `public_repository`: One of the publicly available Docker repositories supported by Artifact Registry. + Possible values: + * PUBLIC_REPOSITORY_UNSPECIFIED + * DOCKER_HUB + + * `maven_repository`: Configuration for a Maven remote repository. + + * `public_repository`: One of the publicly available Maven repositories supported by Artifact Registry. + Possible values: + * PUBLIC_REPOSITORY_UNSPECIFIED + * MAVEN_CENTRAL + + * `npm_repository`: Configuration for a Npm remote repository. + + * `public_repository`: One of the publicly available Npm repositories supported by Artifact Registry. + Possible values: + * PUBLIC_REPOSITORY_UNSPECIFIED + * NPMJS + + * `python_repository`: Configuration for a Python remote repository. + + * `public_repository`: One of the publicly available Python repositories supported by Artifact Registry. + Possible values: + * PUBLIC_REPOSITORY_UNSPECIFIED + * PYPI + + * `apt_repository`: Configuration for an Apt remote repository. + + * `public_repository`: Publicly available Apt repositories constructed from a common repository base and a custom repository path. + + * `repository_base`: A common public repository base for Apt. + Possible values: + * REPOSITORY_BASE_UNSPECIFIED + * DEBIAN + * UBUNTU + * DEBIAN_SNAPSHOT + + * `repository_path`: A custom field to define a path to a specific repository from the base. + + * `yum_repository`: Configuration for a Yum remote repository. + + * `public_repository`: Publicly available Yum repositories constructed from a common repository base and a custom repository path. + + * `repository_base`: A common public repository base for Yum. 
+ Possible values: + * REPOSITORY_BASE_UNSPECIFIED + * CENTOS + * CENTOS_DEBUG + * CENTOS_VAULT + * CENTOS_STREAM + * ROCKY + * EPEL + + * `repository_path`: A custom field to define a path to a specific repository from the base. + + * `description`: The description of the remote source. + + * `upstream_credentials`: The credentials to access the remote repository. + + * `username_password_credentials`: Username and password credentials. + + * `username`: The username to access the remote repository. + + * `password_secret_version`: The Secret Manager key version that holds the password to access the remote repository. Must be in the format of `projects/{project}/secrets/{secret}/versions/{version}`. + + * `name`: The name of the repository, for example: `projects/p1/locations/us-central1/repositories/repo1`. + + * `format`: Optional. The format of packages that are stored in the repository. + Possible values: + * FORMAT_UNSPECIFIED + * DOCKER + * MAVEN + * NPM + * APT + * YUM + * GOOGET + * PYTHON + * KFP + * GO + + * `description`: The user-provided description of the repository. + + * `labels`: Labels with user-defined metadata. This field may contain up to 64 entries. Label keys and values may be no longer than 63 characters. Label keys must begin with a lowercase letter and may only contain lowercase letters, numeric characters, underscores, and dashes. + + * `additional_properties`: + + * `create_time`: Output only. The time when the repository was created. + + * `update_time`: Output only. The time when the repository was last updated. + + * `kms_key_name`: The Cloud KMS resource name of the customer managed encryption key that's used to encrypt the contents of the Repository. Has the form: `projects/my-project/locations/my-region/keyRings/my-kr/cryptoKeys/my-key`. This value may not be changed after the Repository has been created. + + * `mode`: Optional. The mode of the repository. 
+ Possible values: + * MODE_UNSPECIFIED + * STANDARD_REPOSITORY + * VIRTUAL_REPOSITORY + * REMOTE_REPOSITORY + + * `cleanup_policies`: Optional. Cleanup policies for this repository. Cleanup policies indicate when certain package versions can be automatically deleted. Map keys are policy IDs supplied by users during policy creation. They must unique within a repository and be under 128 characters in length. + + * `additional_properties`: Artifact policy configuration for repository cleanup policies. + + * `size_bytes`: Output only. The size, in bytes, of all artifact storage in this repository. Repositories that are generally available or in public preview use this to calculate storage costs. + + * `satisfies_pzs`: Output only. If set, the repository satisfies physical zone separation. + + * `cleanup_policy_dry_run`: Optional. If true, the cleanup pipeline is prevented from deleting versions in this repository. + + +## GCP permissions + +Ensure the [Artifact Registry API](https://console.cloud.google.com/apis/library/artifactregistry.googleapis.com/) is enabled for the current project. diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_bigquery_dataset.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_bigquery_dataset.md new file mode 100644 index 0000000..9e36926 --- /dev/null +++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_bigquery_dataset.md 
@@ -0,0 +1,102 @@ ++++ +title = "google_bigquery_dataset resource" + +draft = false + + +[menu.gcp] +title = "google_bigquery_dataset" +identifier = "inspec/resources/gcp/google_bigquery_dataset resource" +parent = "inspec/resources/gcp" ++++ + +Use the `google_bigquery_dataset` InSpec audit resource to to test a Google Cloud Dataset resource. + +## Examples + +```ruby +describe google_bigquery_dataset(project: 'chef-gcp-inspec', name: 'inspec_gcp_dataset') do + it { should exist } + + its('friendly_name') { should eq 'A BigQuery dataset test' } + its('location') { should eq 'EU' } + its('description') { should eq 'Test BigQuery dataset description' } + its('name') { should eq 'inspec_gcp_dataset' } + its('default_table_expiration_ms') { should cmp '3600000' } +end + +describe.one do + google_bigquery_dataset(project: 'chef-gcp-inspec', name: 'inspec_gcp_dataset').access.each do |dataset_access| + describe dataset_access do + its('role') { should eq 'WRITER' } + its('special_group') { should eq 'projectWriters' } + end + end +end + +describe google_bigquery_dataset(project: 'chef-gcp-inspec', name: 'nonexistent') do + it { should_not exist } +end +``` + +## Properties + +Properties that can be accessed from the `google_bigquery_dataset` resource: + + + * `access`: An array of objects that define dataset access for one or more entities. + + * `domain`: A domain to grant access to. Any users signed in with the domain specified will be granted the specified access + + * `group_by_email`: An email address of a Google Group to grant access to. + + * `role`: Describes the rights granted to the user specified by the other member of the access object. Basic, predefined, and custom roles are supported. Predefined roles that have equivalent basic roles are swapped by the API to their basic counterparts. See [official docs](https://cloud.google.com/bigquery/docs/access-control). + + * `special_group`: A special group to grant access to. 
Possible values include: * `projectOwners`: Owners of the enclosing project. * `projectReaders`: Readers of the enclosing project. * `projectWriters`: Writers of the enclosing project. * `allAuthenticatedUsers`: All authenticated BigQuery users. + + * `user_by_email`: An email address of a user to grant access to. For example: fred@example.com + + * `iam_member`: Some other type of member that appears in the IAM Policy but isn't a user, group, domain, or special group. For example: `allUsers` + + * `view`: A view from a different dataset to grant access to. Queries executed against that view will have read access to tables in this dataset. The role field is not required when this field is set. If that view is updated by any user, access to the view needs to be granted again via an update operation. + + * `dataset_id`: The ID of the dataset containing this table. + + * `project_id`: The ID of the project containing this table. + + * `table_id`: The ID of the table. The ID must contain only letters (a-z, A-Z), numbers (0-9), or underscores (_). The maximum length is 1,024 characters. + + * `creation_time`: The time when this dataset was created, in milliseconds since the epoch. + + * `dataset_reference`: A reference that identifies the dataset. + + * `dataset_id`: A unique ID for this dataset, without the project name. The ID must contain only letters (a-z, A-Z), numbers (0-9), or underscores (_). The maximum length is 1,024 characters. + + * `project_id`: The ID of the project containing this dataset. + + * `default_table_expiration_ms`: The default lifetime of all tables in the dataset, in milliseconds. The minimum value is 3600000 milliseconds (one hour). Once this property is set, all newly-created tables in the dataset will have an `expirationTime` property set to the creation time plus the value in this property, and changing the value will only affect new tables, not existing ones. 
When the `expirationTime` for a given table is reached, that table will be deleted automatically. If a table's `expirationTime` is modified or removed before the table expires, or if you provide an explicit `expirationTime` when creating a table, that value takes precedence over the default expiration time indicated by this property. + + * `default_partition_expiration_ms`: The default partition expiration for all partitioned tables in the dataset, in milliseconds. Once this property is set, all newly-created partitioned tables in the dataset will have an `expirationMs` property in the `timePartitioning` settings set to this value, and changing the value will only affect new tables, not existing ones. The storage in a partition will have an expiration time of its partition time plus this value. Setting this property overrides the use of `defaultTableExpirationMs` for partitioned tables: only one of `defaultTableExpirationMs` and `defaultPartitionExpirationMs` will be used for any new partitioned table. If you provide an explicit `timePartitioning.expirationMs` when creating or updating a partitioned table, that value takes precedence over the default partition expiration time indicated by this property. + + * `description`: A user-friendly description of the dataset + + * `etag`: A hash of the resource. + + * `friendly_name`: A descriptive name for the dataset + + * `id`: The fully-qualified unique name of the dataset in the format projectId:datasetId. The dataset name without the project name is given in the datasetId field + + * `labels`: The labels associated with this dataset. You can use these to organize and group your datasets + + * `last_modified_time`: The date when this dataset or any of its tables was last modified, in milliseconds since the epoch. + + * `location`: The geographic location where the dataset should reside. See [official docs](https://cloud.google.com/bigquery/docs/dataset-locations). 
There are two types of locations, regional or multi-regional. A regional location is a specific geographic place, such as Tokyo, and a multi-regional location is a large geographic area, such as the United States, that contains at least two geographic places. The default value is multi-regional location `US`. Changing this forces a new resource to be created. + + * `default_encryption_configuration`: The default encryption key for all tables in the dataset. Once this property is set, all newly-created partitioned tables in the dataset will have encryption key set to this value, unless table creation request (or query) overrides the key. + + * `kms_key_name`: Describes the Cloud KMS encryption key that will be used to protect destination BigQuery table. The BigQuery Service Account associated with your project requires access to this encryption key. + + +## GCP permissions + +Ensure the [BigQuery API](https://console.cloud.google.com/apis/library/bigquery-json.googleapis.com/) is enabled for the current project. diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_bigquery_datasets.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_bigquery_datasets.md new file mode 100644 index 0000000..e551686 --- /dev/null +++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_bigquery_datasets.md 
@@ -0,0 +1,56 @@ ++++ +title = "google_bigquery_datasets resource" + +draft = false + + +[menu.gcp] +title = "google_bigquery_datasets" +identifier = "inspec/resources/gcp/google_bigquery_datasets resource" +parent = "inspec/resources/gcp" ++++ + +Use the `google_bigquery_datasets` InSpec audit resource to to test a Google Cloud Dataset resource. + +## Examples + +```ruby +describe google_bigquery_datasets(project: 'chef-gcp-inspec') do + its('count') { should be >= 1 } + its('friendly_names') { should include 'A BigQuery dataset test' } + its('locations') { should include 'EU' } +end + +google_bigquery_datasets(project: 'chef-gcp-inspec').ids.each do |name| + google_bigquery_dataset(project: 'chef-gcp-inspec', name: name.split(':').last).access.each do |access| + describe access do + # No bigquery dataset should allow access to allUsers + its('iam_member') { should_not cmp 'allUsers' } + end + end +end +``` + +## Properties + +Properties that can be accessed from the `google_bigquery_datasets` resource: + +See [google_bigquery_dataset](google_bigquery_dataset) for more detailed information. + + * `dataset_references`: an array of `google_bigquery_dataset` dataset_reference + * `default_partition_expiration_ms`: an array of `google_bigquery_dataset` default_partition_expiration_ms + * `etags`: an array of `google_bigquery_dataset` etag + * `friendly_names`: an array of `google_bigquery_dataset` friendly_name + * `ids`: an array of `google_bigquery_dataset` id + * `labels`: an array of `google_bigquery_dataset` labels + * `locations`: an array of `google_bigquery_dataset` location + * `default_encryption_configurations`: an array of `google_bigquery_dataset` default_encryption_configuration + +## Filter criteria + +This resource supports all of the above properties as filter criteria, which can be used +with `where` as a block or a method. 
+ +## GCP permissions + +Ensure the [BigQuery API](https://console.cloud.google.com/apis/library/bigquery-json.googleapis.com/) is enabled for the current project. diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_bigquery_table.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_bigquery_table.md new file mode 100644 index 0000000..6019b79 --- /dev/null +++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_bigquery_table.md 
@@ -0,0 +1,263 @@ ++++ +title = "google_bigquery_table resource" + +draft = false + + +[menu.gcp] +title = "google_bigquery_table" +identifier = "inspec/resources/gcp/google_bigquery_table resource" +parent = "inspec/resources/gcp" ++++ + +Use the `google_bigquery_table` InSpec audit resource to to test a Google Cloud Table resource. + +## Examples + +```ruby +describe google_bigquery_table(project: 'chef-gcp-inspec', dataset: 'inspec_gcp_dataset', name: 'inspec_gcp_bigquery_table') do + it { should exist } + + its('expiration_time') { should cmp '1738882264000' } + its('time_partitioning.type') { should eq 'DAY' } + its('description') { should eq 'A BigQuery table' } +end + +describe google_bigquery_table(project: 'chef-gcp-inspec', dataset: 'inspec_gcp_dataset', name: 'nonexistent') do + it { should_not exist } +end +``` + +## Properties + +Properties that can be accessed from the `google_bigquery_table` resource: + + + * `table_reference`: Reference describing the ID of this table + + * `dataset_id`: The ID of the dataset containing this table + + * `project_id`: The ID of the project containing this table + + * `table_id`: The ID of the the table + + * `clustering`: One or more fields on which data should be clustered. Only top-level, non-repeated, simple-type fields are supported. When you cluster a table using multiple columns, the order of columns you specify is important. The order of the specified columns determines the sort order of the data. + + * `creation_time`: The time when this dataset was created, in milliseconds since the epoch. + + * `description`: A user-friendly description of the dataset + + * `friendly_name`: A descriptive name for this table + + * `id`: An opaque ID uniquely identifying the table. + + * `labels`: The labels associated with this dataset. You can use these to organize and group your datasets + + * `last_modified_time`: The time when this table was last modified, in milliseconds since the epoch. 
+ + * `location`: The geographic location where the table resides. This value is inherited from the dataset. + + * `name`: Name of the table + + * `num_bytes`: The size of this table in bytes, excluding any data in the streaming buffer. + + * `num_long_term_bytes`: The number of bytes in the table that are considered "long-term storage". + + * `num_rows`: The number of rows of data in this table, excluding any data in the streaming buffer. + + * `require_partition_filter`: If set to true, queries over this table require a partition filter that can be used for partition elimination to be specified. + + * `type`: Describes the table type + Possible values: + * TABLE + * VIEW + * EXTERNAL + + * `view`: The view definition. + + * `use_legacy_sql`: Specifies whether to use BigQuery's legacy SQL for this view + + * `user_defined_function_resources`: Describes user-defined function resources used in the query. + + * `inline_code`: An inline resource that contains code for a user-defined function (UDF). Providing a inline code resource is equivalent to providing a URI for a file containing the same code. + + * `resource_uri`: A code resource to load from a Google Cloud Storage URI (gs://bucket/path). + + * `time_partitioning`: If specified, configures time-based partitioning for this table. + + * `expiration_ms`: Number of milliseconds for which to keep the storage for a partition. + + * `field`: If not set, the table is partitioned by pseudo column, referenced via either '_PARTITIONTIME' as TIMESTAMP type, or '_PARTITIONDATE' as DATE type. If field is specified, the table is instead partitioned by this field. The field must be a top-level TIMESTAMP or DATE field. Its mode must be NULLABLE or REQUIRED. + + * `type`: The only type supported is DAY, which will generate one partition per day. + Possible values: + * DAY + + * `streaming_buffer`: Contains information regarding this table's streaming buffer, if one is present. 
This field will be absent if the table is not being streamed to or if there is no data in the streaming buffer. + + * `estimated_bytes`: A lower-bound estimate of the number of bytes currently in the streaming buffer. + + * `estimated_rows`: A lower-bound estimate of the number of rows currently in the streaming buffer. + + * `oldest_entry_time`: Contains the timestamp of the oldest entry in the streaming buffer, in milliseconds since the epoch, if the streaming buffer is available. + + * `schema`: Describes the schema of this table + + * `fields`: Describes the fields in a table. + + * `description`: The field description. The maximum length is 1,024 characters. + + * `fields`: Describes the nested schema fields if the type property is set to RECORD. + + * `mode`: The field mode + Possible values: + * NULLABLE + * REQUIRED + * REPEATED + + * `name`: The field name + + * `type`: The field data type + Possible values: + * STRING + * BYTES + * INTEGER + * FLOAT + * TIMESTAMP + * DATE + * TIME + * DATETIME + * RECORD + + * `encryption_configuration`: Custom encryption configuration + + * `kms_key_name`: Describes the Cloud KMS encryption key that will be used to protect destination BigQuery table. The BigQuery Service Account associated with your project requires access to this encryption key. + + * `expiration_time`: The time when this table expires, in milliseconds since the epoch. If not present, the table will persist indefinitely. + + * `external_data_configuration`: Describes the data format, location, and other properties of a table stored outside of BigQuery. By defining these properties, the data source can then be queried as if it were a standard BigQuery table. + + * `autodetect`: Try to detect schema and format options automatically. Any option specified explicitly will be honored. 
+ + * `compression`: The compression type of the data source + Possible values: + * GZIP + * NONE + + * `ignore_unknown_values`: Indicates if BigQuery should allow extra values that are not represented in the table schema + + * `max_bad_records`: The maximum number of bad records that BigQuery can ignore when reading data + + * `source_format`: The data format + Possible values: + * CSV + * GOOGLE_SHEETS + * NEWLINE_DELIMITED_JSON + * AVRO + * DATASTORE_BACKUP + * BIGTABLE + * ORC + + * `source_uris`: The fully-qualified URIs that point to your data in Google Cloud. For Google Cloud Storage URIs: Each URI can contain one '*' wildcard character and it must come after the 'bucket' name. Size limits related to load jobs apply to external data sources. For Google Cloud Bigtable URIs: Exactly one URI can be specified and it has be a fully specified and valid HTTPS URL for a Google Cloud Bigtable table. For Google Cloud Datastore backups, exactly one URI can be specified. Also, the '*' wildcard character is not allowed. + + * `schema`: The schema for the data. Schema is required for CSV and JSON formats + + * `fields`: Describes the fields in a table. + + * `description`: The field description + + * `fields`: Describes the nested schema fields if the type property is set to RECORD + + * `mode`: Field mode. + Possible values: + * NULLABLE + * REQUIRED + * REPEATED + + * `name`: Field name + + * `type`: Field data type + Possible values: + * STRING + * BYTES + * INTEGER + * FLOAT + * TIMESTAMP + * DATE + * TIME + * DATETIME + * RECORD + + * `google_sheets_options`: Additional options if sourceFormat is set to GOOGLE_SHEETS. + + * `skip_leading_rows`: The number of rows at the top of a Google Sheet that BigQuery will skip when reading the data. + + * `csv_options`: Additional properties to set if sourceFormat is set to CSV. 
+ + * `allow_jagged_rows`: Indicates if BigQuery should accept rows that are missing trailing optional columns + + * `allow_quoted_newlines`: Indicates if BigQuery should allow quoted data sections that contain newline characters in a CSV file + + * `encoding`: The character encoding of the data + Possible values: + * UTF-8 + * ISO-8859-1 + + * `field_delimiter`: The separator for fields in a CSV file + + * `quote`: The value that is used to quote data sections in a CSV file + + * `skip_leading_rows`: The number of rows at the top of a CSV file that BigQuery will skip when reading the data. + + * `bigtable_options`: Additional options if sourceFormat is set to BIGTABLE. + + * `ignore_unspecified_column_families`: If field is true, then the column families that are not specified in columnFamilies list are not exposed in the table schema + + * `read_rowkey_as_string`: If field is true, then the rowkey column families will be read and converted to string. + + * `column_families`: List of column families to expose in the table schema along with their types. + + * `columns`: Lists of columns that should be exposed as individual fields as opposed to a list of (column name, value) pairs. + + * `encoding`: The encoding of the values when the type is not STRING + Possible values: + * TEXT + * BINARY + + * `field_name`: If the qualifier is not a valid BigQuery field identifier, a valid identifier must be provided as the column field name and is used as field name in queries. + + * `only_read_latest`: If this is set, only the latest version of value in this column are exposed + + * `qualifier_string`: Qualifier of the column + + * `type`: The type to convert the value in cells of this column + Possible values: + * BYTES + * STRING + * INTEGER + * FLOAT + * BOOLEAN + + * `encoding`: The encoding of the values when the type is not STRING + Possible values: + * TEXT + * BINARY + + * `family_id`: Identifier of the column family. 
+ + * `only_read_latest`: If this is set only the latest version of value are exposed for all columns in this column family + + * `type`: The type to convert the value in cells of this column family + Possible values: + * BYTES + * STRING + * INTEGER + * FLOAT + * BOOLEAN + + * `dataset`: Name of the dataset + + +## GCP permissions + +Ensure the [BigQuery API](https://console.cloud.google.com/apis/library/bigquery-json.googleapis.com/) is enabled for the current project. diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_bigquery_tables.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_bigquery_tables.md new file mode 100644 index 0000000..29b6707 --- /dev/null +++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_bigquery_tables.md 
@@ -0,0 +1,63 @@ ++++ +title = "google_bigquery_tables resource" + +draft = false + + +[menu.gcp] +title = "google_bigquery_tables" +identifier = "inspec/resources/gcp/google_bigquery_tables resource" +parent = "inspec/resources/gcp" ++++ + +Use the `google_bigquery_tables` InSpec audit resource to to test a Google Cloud Table resource. + +## Examples + +```ruby +describe.one do + google_bigquery_tables(project: 'chef-gcp-inspec', dataset: 'inspec_gcp_dataset').table_references.each do |table_reference| + describe google_bigquery_table(project: 'chef-gcp-inspec', dataset: 'inspec_gcp_dataset', name: table_reference.table_id) do + its('expiration_time') { should cmp '1738882264000' } + its('description') { should eq 'A BigQuery table' } + end + end +end +``` + +## Properties + +Properties that can be accessed from the `google_bigquery_tables` resource: + +See [google_bigquery_table](google_bigquery_table) for more detailed information. + + * `table_references`: an array of `google_bigquery_table` table_reference + * `clusterings`: an array of `google_bigquery_table` clustering + * `creation_times`: an array of `google_bigquery_table` creation_time + * `friendly_names`: an array of `google_bigquery_table` friendly_name + * `ids`: an array of `google_bigquery_table` id + * `labels`: an array of `google_bigquery_table` labels + * `last_modified_times`: an array of `google_bigquery_table` last_modified_time + * `locations`: an array of `google_bigquery_table` location + * `num_bytes`: an array of `google_bigquery_table` num_bytes + * `num_long_term_bytes`: an array of `google_bigquery_table` num_long_term_bytes + * `num_rows`: an array of `google_bigquery_table` num_rows + * `require_partition_filters`: an array of `google_bigquery_table` require_partition_filter + * `types`: an array of `google_bigquery_table` type + * `views`: an array of `google_bigquery_table` view + * `time_partitionings`: an array of `google_bigquery_table` time_partitioning + * 
`streaming_buffers`: an array of `google_bigquery_table` streaming_buffer + * `schemas`: an array of `google_bigquery_table` schema + * `encryption_configurations`: an array of `google_bigquery_table` encryption_configuration + * `expiration_times`: an array of `google_bigquery_table` expiration_time + * `external_data_configurations`: an array of `google_bigquery_table` external_data_configuration + * `datasets`: an array of `google_bigquery_table` dataset + +## Filter criteria + +This resource supports all of the above properties as filter criteria, which can be used +with `where` as a block or a method. + +## GCP permissions + +Ensure the [BigQuery API](https://console.cloud.google.com/apis/library/bigquery-json.googleapis.com/) is enabled for the current project. diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_bigtableadmin_cluster.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_bigtableadmin_cluster.md new file mode 100644 index 0000000..eaa793f --- /dev/null +++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_bigtableadmin_cluster.md 
@@ -0,0 +1,84 @@ ++++ +title = "google_bigtableadmin_cluster resource" + +draft = false + + + +[menu.gcp] +title = "google_bigtableadmin_cluster" +identifier = "inspec/resources/gcp/google_bigtableadmin_cluster resource" +parent = "inspec/resources/gcp" ++++ + +Use the `google_bigtableadmin_cluster` InSpec audit resource to test the properties of a Google Cloud Cluster resource. + +## Examples + +```ruby +describe google_bigtableadmin_cluster(name: 'value_name') do + it { should exist } + its('name') { should cmp 'value_name' } + its('location') { should cmp 'value_location' } + its('state') { should cmp 'value_state' } + its('default_storage_type') { should cmp 'value_defaultstoragetype' } +end + +describe google_bigtableadmin_cluster(name: "does_not_exit") do + it { should_not exist } +end +``` + +## Parameters + +Parameters that can be accessed from the `google_bigtableadmin_cluster` resource: + +## Properties + +Properties that can be accessed from the `google_bigtableadmin_cluster` resource: + + + * `name`: The unique name of the cluster. Values are of the form `projects/{project}/instances/{instance}/clusters/a-z*`. + + * `location`: Immutable. The location where this cluster's nodes and storage reside. For best performance, clients should be located as close as possible to this cluster. Currently only zones are supported, so values should be of the form `projects/{project}/locations/{zone}`. + + * `state`: Output only. The current state of the cluster. + Possible values: + * STATE_NOT_KNOWN + * READY + * CREATING + * RESIZING + * DISABLED + + * `serve_nodes`: The number of nodes in the cluster. If no value is set, Cloud Bigtable automatically allocates nodes based on your data footprint and optimized for 50% storage utilization. + + * `cluster_config`: Configuration for a cluster. + + * `cluster_autoscaling_config`: Autoscaling config for a cluster. + + * `autoscaling_limits`: Limits for the number of nodes a Cluster can autoscale up/down to. 
+ + * `min_serve_nodes`: Required. Minimum number of nodes to scale down to. + + * `max_serve_nodes`: Required. Maximum number of nodes to scale up to. + + * `autoscaling_targets`: The Autoscaling targets for a Cluster. These determine the recommended nodes. + + * `cpu_utilization_percent`: The cpu utilization that the Autoscaler should be trying to achieve. This number is on a scale from 0 (no utilization) to 100 (total utilization), and is limited between 10 and 80, otherwise it will return INVALID_ARGUMENT error. + + * `storage_utilization_gib_per_node`: The storage utilization that the Autoscaler should be trying to achieve. This number is limited between 2560 (2.5TiB) and 5120 (5TiB) for a SSD cluster and between 8192 (8TiB) and 16384 (16TiB) for an HDD cluster, otherwise it will return INVALID_ARGUMENT error. If this value is set to 0, it will be treated as if it were set to the default value: 2560 for SSD, 8192 for HDD. + + * `default_storage_type`: Immutable. The type of storage used by this cluster to serve its parent instance's tables, unless explicitly overridden. + Possible values: + * STORAGE_TYPE_UNSPECIFIED + * SSD + * HDD + + * `encryption_config`: Cloud Key Management Service (Cloud KMS) settings for a CMEK-protected cluster. + + * `kms_key_name`: Describes the Cloud KMS encryption key that will be used to protect the destination Bigtable cluster. The requirements for this key are: 1) The Cloud Bigtable service account associated with the project that contains this cluster must be granted the `cloudkms.cryptoKeyEncrypterDecrypter` role on the CMEK key. 2) Only regional keys can be used and the region of the CMEK key must match the region of the cluster. Values are of the form `projects/{project}/locations/{location}/keyRings/{keyring}/cryptoKeys/{key}` + + +## GCP permissions + +Ensure the [https://bigtableadmin.googleapis.com/](https://console.cloud.google.com/apis/library/bigtableadmin.googleapis.com/) is enabled for the current project. 
diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_bigtableadmin_cluster_backup.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_bigtableadmin_cluster_backup.md new file mode 100644 index 0000000..a54659f --- /dev/null +++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_bigtableadmin_cluster_backup.md 
@@ -0,0 +1,86 @@ ++++ +title = "google_bigtableadmin_cluster_backup resource" + +draft = false + + + +[menu.gcp] +title = "google_bigtableadmin_cluster_backup" +identifier = "inspec/resources/gcp/google_bigtableadmin_cluster_backup resource" +parent = "inspec/resources/gcp" ++++ + +Use the `google_bigtableadmin_cluster_backup` InSpec audit resource to test the properties of a Google Cloud ClusterBackup resource. + +## Examples + +```ruby +describe google_bigtableadmin_cluster_backup(name: ' value_name') do + it { should exist } + its('name') { should cmp 'value_name' } + its('source_table') { should cmp 'value_sourcetable' } + its('source_backup') { should cmp 'value_sourcebackup' } + its('expire_time') { should cmp 'value_expiretime' } + its('start_time') { should cmp 'value_starttime' } + its('end_time') { should cmp 'value_endtime' } + its('size_bytes') { should cmp 'value_sizebytes' } + its('state') { should cmp 'value_state' } +end + +describe google_bigtableadmin_cluster_backup(name: "does_not_exit") do + it { should_not exist } +end +``` + +## Parameters + +Parameters that can be accessed from the `google_bigtableadmin_cluster_backup` resource: + +## Properties + +Properties that can be accessed from the `google_bigtableadmin_cluster_backup` resource: + + + * `name`: A globally unique identifier for the backup which cannot be changed. Values are of the form `projects/{project}/instances/{instance}/clusters/{cluster}/ backups/_a-zA-Z0-9*` The final segment of the name must be between 1 and 50 characters in length. The backup is stored in the cluster identified by the prefix of the backup name of the form `projects/{project}/instances/{instance}/clusters/{cluster}`. + + * `source_table`: Required. Immutable. Name of the table from which this backup was created. This needs to be in the same instance as the backup. Values are of the form `projects/{project}/instances/{instance}/tables/{source_table}`. + + * `source_backup`: Output only. 
Name of the backup from which this backup was copied. If a backup is not created by copying a backup, this field will be empty. Values are of the form: projects//instances//clusters//backups/ + + * `expire_time`: Required. The expiration time of the backup, with microseconds granularity that must be at least 6 hours and at most 90 days from the time the request is received. Once the `expire_time` has passed, Cloud Bigtable will delete the backup and free the resources used by the backup. + + * `start_time`: Output only. `start_time` is the time that the backup was started (i.e. approximately the time the CreateBackup request is received). The row data in this backup will be no older than this timestamp. + + * `end_time`: Output only. `end_time` is the time that the backup was finished. The row data in the backup will be no newer than this timestamp. + + * `size_bytes`: Output only. Size of the backup in bytes. + + * `state`: Output only. The current state of the backup. + Possible values: + * STATE_UNSPECIFIED + * CREATING + * READY + + * `encryption_info`: Encryption information for a given resource. If this resource is protected with customer managed encryption, the in-use Cloud Key Management Service (Cloud KMS) key version is specified along with its status. + + * `encryption_type`: Output only. The type of encryption used to protect this resource. + Possible values: + * ENCRYPTION_TYPE_UNSPECIFIED + * GOOGLE_DEFAULT_ENCRYPTION + * CUSTOMER_MANAGED_ENCRYPTION + + * `encryption_status`: The `Status` type defines a logical error model that is suitable for different programming environments, including REST APIs and RPC APIs. It is used by [gRPC](https://github.com/grpc). Each `Status` message contains three pieces of data: error code, error message, and error details. You can find out more about this error model and how to work with it in the [API Design Guide](https://cloud.google.com/apis/design/errors). 
+ + * `code`: The status code, which should be an enum value of google.rpc.Code. + + * `message`: A developer-facing error message, which should be in English. Any user-facing error message should be localized and sent in the google.rpc.Status.details field, or localized by the client. + + * `details`: A list of messages that carry the error details. There is a common set of message types for APIs to use. + + * `kms_key_version`: Output only. The version of the Cloud KMS key specified in the parent cluster that is in use for the data underlying this table. + + +## GCP permissions + +Ensure the [https://bigtableadmin.googleapis.com/](https://console.cloud.google.com/apis/library/bigtableadmin.googleapis.com/) is enabled for the current project. diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_bigtableadmin_cluster_backups.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_bigtableadmin_cluster_backups.md new file mode 100644 index 0000000..2b5f91f --- /dev/null +++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_bigtableadmin_cluster_backups.md 
@@ -0,0 +1,71 @@ ++++ +title = "google_bigtableadmin_cluster_backups resource" + +draft = false + + + +[menu.gcp] +title = "google_bigtableadmin_cluster_backups" +identifier = "inspec/resources/gcp/google_bigtableadmin_cluster_backups resource" +parent = "inspec/resources/gcp" ++++ + +Use the `google_bigtableadmin_cluster_backups` InSpec audit resource to test the properties of a Google Cloud ClusterBackup resource. + +## Examples + +```ruby + describe google_bigtableadmin_cluster_backups(parent: 'value_parent') do + it { should exist } + its('name') { should include 'value_name' } + its('source_table') { should include 'value_sourcetable' } + its('source_backup') { should include 'value_sourcebackup' } + its('expire_time') { should include 'value_expiretime' } + its('start_time') { should include 'value_starttime' } + its('end_time') { should include 'value_endtime' } + its('size_bytes') { should include 'value_sizebytes' } + its('state') { should include 'value_state' } + end +``` + +## Parameters + +Parameters that can be accessed from the `google_bigtableadmin_cluster_backups` resource: + +See [google_bigtableadmin_cluster_backup](google_bigtableadmin_cluster_backup) for more detailed information. 
+ +* `names`: an array of `google_bigtableadmin_cluster_backup` name +* `source_tables`: an array of `google_bigtableadmin_cluster_backup` source_table +* `source_backups`: an array of `google_bigtableadmin_cluster_backup` source_backup +* `expire_times`: an array of `google_bigtableadmin_cluster_backup` expire_time +* `start_times`: an array of `google_bigtableadmin_cluster_backup` start_time +* `end_times`: an array of `google_bigtableadmin_cluster_backup` end_time +* `size_bytes`: an array of `google_bigtableadmin_cluster_backup` size_bytes +* `states`: an array of `google_bigtableadmin_cluster_backup` state +* `encryption_infos`: an array of `google_bigtableadmin_cluster_backup` encryption_info + +## Properties + +Properties that can be accessed from the `google_bigtableadmin_cluster_backups` resource: + +See [google_bigtableadmin_cluster_backup](google_bigtableadmin_cluster_backup) for more detailed information. + +* `names`: an array of `google_bigtableadmin_cluster_backup` name +* `source_tables`: an array of `google_bigtableadmin_cluster_backup` source_table +* `source_backups`: an array of `google_bigtableadmin_cluster_backup` source_backup +* `expire_times`: an array of `google_bigtableadmin_cluster_backup` expire_time +* `start_times`: an array of `google_bigtableadmin_cluster_backup` start_time +* `end_times`: an array of `google_bigtableadmin_cluster_backup` end_time +* `size_bytes`: an array of `google_bigtableadmin_cluster_backup` size_bytes +* `states`: an array of `google_bigtableadmin_cluster_backup` state +* `encryption_infos`: an array of `google_bigtableadmin_cluster_backup` encryption_info + +## Filter criteria + +This resource supports all of the above properties as filter criteria, which can be used +with `where` as a block or a method. + +## GCP permissions + +Ensure the [https://bigtableadmin.googleapis.com/](https://console.cloud.google.com/apis/library/bigtableadmin.googleapis.com/) is enabled for the current project. 
diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_bigtableadmin_clusters.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_bigtableadmin_clusters.md new file mode 100644 index 0000000..25bec0b --- /dev/null +++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_bigtableadmin_clusters.md 
@@ -0,0 +1,63 @@ ++++ +title = "google_bigtableadmin_clusters resource" + +draft = false + + + +[menu.gcp] +title = "google_bigtableadmin_clusters" +identifier = "inspec/resources/gcp/google_bigtableadmin_clusters resource" +parent = "inspec/resources/gcp" ++++ + +Use the `google_bigtableadmin_clusters` InSpec audit resource to test the properties of a Google Cloud Cluster resource. + +## Examples + +```ruby + describe google_bigtableadmin_clusters(parent: ' value_parent') do + it { should exist } + its('names') { should include 'value_name' } + its('locations') { should include 'value_location' } + its('states') { should include 'value_state' } + its('default_storage_types') { should include 'value_defaultstoragetype' } + end +``` + +## Parameters + +Parameters that can be accessed from the `google_bigtableadmin_clusters` resource: + +See [google_bigtableadmin_cluster](google_bigtableadmin_cluster) for more detailed information. + +* `names`: an array of `google_bigtableadmin_cluster` name +* `locations`: an array of `google_bigtableadmin_cluster` location +* `states`: an array of `google_bigtableadmin_cluster` state +* `serve_nodes`: an array of `google_bigtableadmin_cluster` serve_nodes +* `cluster_configs`: an array of `google_bigtableadmin_cluster` cluster_config +* `default_storage_types`: an array of `google_bigtableadmin_cluster` default_storage_type +* `encryption_configs`: an array of `google_bigtableadmin_cluster` encryption_config + +## Properties + +Properties that can be accessed from the `google_bigtableadmin_clusters` resource: + +See [google_bigtableadmin_cluster](google_bigtableadmin_cluster) for more detailed information. 
+ +* `names`: an array of `google_bigtableadmin_cluster` name +* `locations`: an array of `google_bigtableadmin_cluster` location +* `states`: an array of `google_bigtableadmin_cluster` state +* `serve_nodes`: an array of `google_bigtableadmin_cluster` serve_nodes +* `cluster_configs`: an array of `google_bigtableadmin_cluster` cluster_config +* `default_storage_types`: an array of `google_bigtableadmin_cluster` default_storage_type +* `encryption_configs`: an array of `google_bigtableadmin_cluster` encryption_config + +## Filter criteria + +This resource supports all of the above properties as filter criteria, which can be used +with `where` as a block or a method. + +## GCP permissions + +Ensure the [https://bigtableadmin.googleapis.com/](https://console.cloud.google.com/apis/library/bigtableadmin.googleapis.com/) is enabled for the current project. diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_bigtableadmin_instance_app_profile.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_bigtableadmin_instance_app_profile.md new file mode 100644 index 0000000..5ad0719 --- /dev/null +++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_bigtableadmin_instance_app_profile.md 
@@ -0,0 +1,84 @@ ++++ +title = "google_bigtableadmin_instance_app_profile resource" + +draft = false + + + +[menu.gcp] +title = "google_bigtableadmin_instance_app_profile" +identifier = "inspec/resources/gcp/google_bigtableadmin_instance_app_profile resource" +parent = "inspec/resources/gcp" ++++ + +Use the `google_bigtableadmin_instance_app_profile` InSpec audit resource to test the properties of a Google Cloud InstanceAppProfile resource. + +## Examples + +```ruby +describe google_bigtableadmin_instance_app_profile(name: 'value_name') do + it { should exist } + its('name') { should cmp 'value_name' } + its('etag') { should cmp 'value_etag' } + its('description') { should cmp 'value_description' } + its('priority') { should cmp 'value_priority' } + +end + +describe google_bigtableadmin_instance_app_profile(name: "does_not_exit") do + it { should_not exist } +end +``` + +## Parameters + +Parameters that can be accessed from the `google_bigtableadmin_instance_app_profile` resource: + +## Properties + +Properties that can be accessed from the `google_bigtableadmin_instance_app_profile` resource: + + + * `name`: The unique name of the app profile. Values are of the form `projects/{project}/instances/{instance}/appProfiles/_a-zA-Z0-9*`. + + * `etag`: Strongly validated etag for optimistic concurrency control. Preserve the value returned from `GetAppProfile` when calling `UpdateAppProfile` to fail the request if there has been a modification in the mean time. The `update_mask` of the request need not include `etag` for this protection to apply. See [Wikipedia](https://en.wikipedia.org/wiki/HTTP_ETag) and [RFC 7232](https://tools.ietf.org/html/rfc7232#section-2.3) for more details. + + * `description`: Long form description of the use case for this AppProfile. + + * `multi_cluster_routing_use_any`: Read/write requests are routed to the nearest cluster in the instance, and will fail over to the nearest cluster that is available in the event of transient errors or delays. 
Clusters in a region are considered equidistant. Choosing this option sacrifices read-your-writes consistency to improve availability. + + * `cluster_ids`: The set of clusters to route to. The order is ignored; clusters will be tried in order of distance. If left empty, all clusters are eligible. + + * `single_cluster_routing`: Unconditionally routes all read/write requests to a specific cluster. This option preserves read-your-writes consistency but does not improve availability. + + * `cluster_id`: The cluster to which read/write requests should be routed. + + * `allow_transactional_writes`: Whether or not `CheckAndMutateRow` and `ReadModifyWriteRow` requests are allowed by this app profile. It is unsafe to send these requests to the same table/row/column in multiple clusters. + + * `priority`: This field has been deprecated in favor of `standard_isolation.priority`. If you set this field, `standard_isolation.priority` will be set instead. The priority of requests sent using this app profile. + Possible values: + * PRIORITY_UNSPECIFIED + * PRIORITY_LOW + * PRIORITY_MEDIUM + * PRIORITY_HIGH + + * `standard_isolation`: Standard options for isolating this app profile's traffic from other use cases. + + * `priority`: The priority of requests sent using this app profile. + Possible values: + * PRIORITY_UNSPECIFIED + * PRIORITY_LOW + * PRIORITY_MEDIUM + * PRIORITY_HIGH + + * `data_boost_isolation_read_only`: Data Boost is a serverless compute capability that lets you run high-throughput read jobs and queries on your Bigtable data, without impacting the performance of the clusters that handle your application traffic. Data Boost supports read-only use cases with single-cluster routing. + + * `compute_billing_owner`: The Compute Billing Owner for this Data Boost App Profile. 
+ Possible values: + * COMPUTE_BILLING_OWNER_UNSPECIFIED + * HOST_PAYS + + +## GCP permissions + +Ensure the [https://bigtableadmin.googleapis.com/](https://console.cloud.google.com/apis/library/bigtableadmin.googleapis.com/) is enabled for the current project. diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_bigtableadmin_instance_app_profiles.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_bigtableadmin_instance_app_profiles.md new file mode 100644 index 0000000..d1a6610 --- /dev/null +++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_bigtableadmin_instance_app_profiles.md 
@@ -0,0 +1,62 @@ ++++ +title = "google_bigtableadmin_instance_app_profiles resource" + +draft = false + + + +[menu.gcp] +title = "google_bigtableadmin_instance_app_profiles" +identifier = "inspec/resources/gcp/google_bigtableadmin_instance_app_profiles resource" +parent = "inspec/resources/gcp" ++++ + +Use the `google_bigtableadmin_instance_app_profiles` InSpec audit resource to test the properties of a Google Cloud InstanceAppProfile resource. + +## Examples + +```ruby + describe google_bigtableadmin_instance_app_profiles(parent: ' value_parent') do + it { should exist } + its('names') { should include 'value_name' } + end +``` + +## Parameters + +Parameters that can be accessed from the `google_bigtableadmin_instance_app_profiles` resource: + +See [google_bigtableadmin_instance_app_profile](google_bigtableadmin_instance_app_profile) for more detailed information. + +* `names`: an array of `google_bigtableadmin_instance_app_profile` name +* `etags`: an array of `google_bigtableadmin_instance_app_profile` etag +* `descriptions`: an array of `google_bigtableadmin_instance_app_profile` description +* `multi_cluster_routing_use_anies`: an array of `google_bigtableadmin_instance_app_profile` multi_cluster_routing_use_any +* `single_cluster_routings`: an array of `google_bigtableadmin_instance_app_profile` single_cluster_routing +* `priorities`: an array of `google_bigtableadmin_instance_app_profile` priority +* `standard_isolations`: an array of `google_bigtableadmin_instance_app_profile` standard_isolation +* `data_boost_isolation_read_onlies`: an array of `google_bigtableadmin_instance_app_profile` data_boost_isolation_read_only + +## Properties + +Properties that can be accessed from the `google_bigtableadmin_instance_app_profiles` resource: + +See [google_bigtableadmin_instance_app_profile](google_bigtableadmin_instance_app_profile) for more detailed information. 
+ +* `names`: an array of `google_bigtableadmin_instance_app_profile` name +* `etags`: an array of `google_bigtableadmin_instance_app_profile` etag +* `descriptions`: an array of `google_bigtableadmin_instance_app_profile` description +* `multi_cluster_routing_use_anies`: an array of `google_bigtableadmin_instance_app_profile` multi_cluster_routing_use_any +* `single_cluster_routings`: an array of `google_bigtableadmin_instance_app_profile` single_cluster_routing +* `priorities`: an array of `google_bigtableadmin_instance_app_profile` priority +* `standard_isolations`: an array of `google_bigtableadmin_instance_app_profile` standard_isolation +* `data_boost_isolation_read_onlies`: an array of `google_bigtableadmin_instance_app_profile` data_boost_isolation_read_only + +## Filter criteria + +This resource supports all of the above properties as filter criteria, which can be used +with `where` as a block or a method. + +## GCP permissions + +Ensure the [https://bigtableadmin.googleapis.com/](https://console.cloud.google.com/apis/library/bigtableadmin.googleapis.com/) is enabled for the current project. diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_billing_project_billing_info.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_billing_project_billing_info.md new file mode 100644 index 0000000..67b0745 --- /dev/null +++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_billing_project_billing_info.md 
@@ -0,0 +1,38 @@ ++++ +title = "google_billing_project_billing_info resource" + +draft = false + + +[menu.gcp] +title = "google_billing_project_billing_info" +identifier = "inspec/resources/gcp/google_billing_project_billing_info resource" +parent = "inspec/resources/gcp" ++++ + +Use the `google_billing_project_billing_info` InSpec audit resource to to test a Google Cloud ProjectBillingInfo resource. + +## Examples + +```ruby +describe google_billing_project_billing_info(project_id: 'chef-gcp-inspec') do + it { should exist } + + its('billing_account_name') { should eq 'billingAccounts/012345-567890-ABCDEF' } + its('billing_enabled') { should eq true } +end +``` + +## Properties + +Properties that can be accessed from the `google_billing_project_billing_info` resource: + + + * `project_id`: The project id to retrieve billing info for. + + * `billing_account_name`: The resource name of the billing account associated with the project, if any. For example, `billingAccounts/012345-567890-ABCDEF`. + + * `billing_enabled`: True if the project is associated with an open billing account, to which usage on the project is charged. False if the project is associated with a closed billing account, or no billing account at all, and therefore cannot use paid services. + + +## GCP permissions diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_cloud_scheduler_job.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_cloud_scheduler_job.md new file mode 100644 index 0000000..f60b43a --- /dev/null +++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_cloud_scheduler_job.md 
@@ -0,0 +1,114 @@ ++++ +title = "google_cloud_scheduler_job resource" + +draft = false + + +[menu.gcp] +title = "google_cloud_scheduler_job" +identifier = "inspec/resources/gcp/google_cloud_scheduler_job resource" +parent = "inspec/resources/gcp" ++++ + +Use the `google_cloud_scheduler_job` InSpec audit resource to to test a Google Cloud Job resource. + +## Examples + +```ruby +describe google_cloud_scheduler_job(project: 'chef-gcp-inspec', region: us-central1, name: 'job-name') do + it { should exist } + + its('description') { should cmp 'A description' } + its('schedule') { should cmp '*/8 * * * *' } + its('time_zone') { should cmp 'America/New_York' } + its('http_target.http_method') { should cmp 'POST' } + its('http_target.uri') { should cmp 'https://example.com/ping' } +end +``` + +## Properties + +Properties that can be accessed from the `google_cloud_scheduler_job` resource: + + + * `name`: The name of the job. + + * `description`: A human-readable description for the job. This string must not contain more than 500 characters. + + * `schedule`: Describes the schedule on which the job will be executed. + + * `time_zone`: Specifies the time zone to be used in interpreting schedule. The value of this field must be a time zone name from the tz database. + + * `state`: State of the job. + Possible values: + * ENABLED + * PAUSED + + * `attempt_deadline`: The deadline for job attempts. If the request handler does not respond by this deadline then the request is cancelled and the attempt is marked as a DEADLINE_EXCEEDED failure. The failed attempt can be viewed in execution logs. Cloud Scheduler will retry the job according to the RetryConfig. The allowed duration for this deadline is: * For HTTP targets, between 15 seconds and 30 minutes. * For App Engine HTTP targets, between 15 seconds and 24 hours. * **Note**: For PubSub targets, this field is ignored - setting it will introduce an unresolvable diff. 
A duration in seconds with up to nine fractional digits, terminated by 's'. Example: "3.5s" + + * `retry_config`: By default, if a job does not complete successfully, meaning that an acknowledgement is not received from the handler, then it will be retried with exponential backoff according to the settings + + * `retry_count`: The number of attempts that the system will make to run a job using the exponential backoff procedure described by maxDoublings. Values greater than 5 and negative values are not allowed. + + * `max_retry_duration`: The time limit for retrying a failed job, measured from time when an execution was first attempted. If specified with retryCount, the job will be retried until both limits are reached. A duration in seconds with up to nine fractional digits, terminated by 's'. + + * `min_backoff_duration`: The minimum amount of time to wait before retrying a job after it fails. A duration in seconds with up to nine fractional digits, terminated by 's'. + + * `max_backoff_duration`: The maximum amount of time to wait before retrying a job after it fails. A duration in seconds with up to nine fractional digits, terminated by 's'. + + * `max_doublings`: The time between retries will double maxDoublings times. A job's retry interval starts at minBackoffDuration, then doubles maxDoublings times, then increases linearly, and finally retries retries at intervals of maxBackoffDuration up to retryCount times. + + * `pubsub_target`: Pub/Sub target If the job providers a Pub/Sub target the cron will publish a message to the provided topic + + * `topic_name`: The full resource name for the Cloud Pub/Sub topic to which messages will be published when a job is delivered. ~>**NOTE:** The topic name must be in the same format as required by PubSub's PublishRequest.name, e.g. `projects/my-project/topics/my-topic`. + + * `data`: The message payload for PubsubMessage. Pubsub message must contain either non-empty data, or at least one attribute. 
A base64-encoded string. + + * `attributes`: Attributes for PubsubMessage. Pubsub message must contain either non-empty data, or at least one attribute. + + * `app_engine_http_target`: App Engine HTTP target. If the job providers a App Engine HTTP target the cron will send a request to the service instance + + * `http_method`: Which HTTP method to use for the request. + + * `app_engine_routing`: App Engine Routing setting for the job. + + * `service`: App service. By default, the job is sent to the service which is the default service when the job is attempted. + + * `version`: App version. By default, the job is sent to the version which is the default version when the job is attempted. + + * `instance`: App instance. By default, the job is sent to an instance which is available when the job is attempted. + + * `relative_uri`: The relative URI. The relative URL must begin with "/" and must be a valid HTTP relative URL. It can contain a path, query string arguments, and \# fragments. If the relative URL is empty, then the root path "/" will be used. No spaces are allowed, and the maximum length allowed is 2083 characters + + * `body`: HTTP request body. A request body is allowed only if the HTTP method is POST or PUT. It will result in invalid argument error to set a body on a job with an incompatible HttpMethod. A base64-encoded string. + + * `headers`: HTTP request headers. This map contains the header field names and values. Headers can be set when the job is created. + + * `http_target`: HTTP target. If the job providers a http_target the cron will send a request to the targeted url + + * `uri`: The full URI path that the request will be sent to. + + * `http_method`: Which HTTP method to use for the request. + + * `body`: HTTP request body. A request body is allowed only if the HTTP method is POST, PUT, or PATCH. It is an error to set body on a job with an incompatible HttpMethod. A base64-encoded string. 
+ + * `headers`: This map contains the header field names and values. Repeated headers are not supported, but a header value can contain commas. + + * `oauth_token`: Contains information needed for generating an OAuth token. This type of authorization should be used when sending requests to a GCP endpoint. + + * `service_account_email`: Service account email to be used for generating OAuth token. The service account must be within the same project as the job. + + * `scope`: OAuth scope to be used for generating OAuth access token. If not specified, "https://www.googleapis.com/auth/cloud-platform" will be used. + + * `oidc_token`: Contains information needed for generating an OpenID Connect token. This type of authorization should be used when sending requests to third party endpoints or Cloud Run. + + * `service_account_email`: Service account email to be used for generating OAuth token. The service account must be within the same project as the job. + + * `audience`: Audience to be used when generating OIDC token. If not specified, the URI specified in target will be used. + + * `region`: Region where the scheduler job resides + + +## GCP permissions + +Ensure the [Cloud Scheduler](https://console.cloud.google.com/apis/library/cloudscheduler.googleapis.com/) is enabled for the current project. diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_cloud_scheduler_jobs.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_cloud_scheduler_jobs.md new file mode 100644 index 0000000..0ed3fd1 --- /dev/null +++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_cloud_scheduler_jobs.md 
@@ -0,0 +1,56 @@ ++++ +title = "google_cloud_scheduler_jobs resource" + +draft = false + + +[menu.gcp] +title = "google_cloud_scheduler_jobs" +identifier = "inspec/resources/gcp/google_cloud_scheduler_jobs resource" +parent = "inspec/resources/gcp" ++++ + +Use the `google_cloud_scheduler_jobs` InSpec audit resource to to test a Google Cloud Job resource. + +## Examples + +```ruby +google_cloud_scheduler_jobs(project: 'chef-gcp-inspec', region: ).names.each do |name| + describe google_cloud_scheduler_job(project: 'chef-gcp-inspec', region: us-central1, name: name) do + it { should exist } + + its('description') { should cmp 'A description' } + its('schedule') { should cmp '*/8 * * * *' } + its('time_zone') { should cmp 'America/New_York' } + its('http_target.http_method') { should cmp 'POST' } + its('http_target.uri') { should cmp 'https://example.com/ping' } + end +end +``` + +## Properties + +Properties that can be accessed from the `google_cloud_scheduler_jobs` resource: + +See [google_cloud_scheduler_job](google_cloud_scheduler_job) for more detailed information. 
+ + * `names`: an array of `google_cloud_scheduler_job` name + * `descriptions`: an array of `google_cloud_scheduler_job` description + * `schedules`: an array of `google_cloud_scheduler_job` schedule + * `time_zones`: an array of `google_cloud_scheduler_job` time_zone + * `states`: an array of `google_cloud_scheduler_job` state + * `attempt_deadlines`: an array of `google_cloud_scheduler_job` attempt_deadline + * `retry_configs`: an array of `google_cloud_scheduler_job` retry_config + * `pubsub_targets`: an array of `google_cloud_scheduler_job` pubsub_target + * `app_engine_http_targets`: an array of `google_cloud_scheduler_job` app_engine_http_target + * `http_targets`: an array of `google_cloud_scheduler_job` http_target + * `regions`: an array of `google_cloud_scheduler_job` region + +## Filter criteria + +This resource supports all of the above properties as filter criteria, which can be used +with `where` as a block or a method. + +## GCP permissions + +Ensure the [Cloud Scheduler](https://console.cloud.google.com/apis/library/cloudscheduler.googleapis.com/) is enabled for the current project. diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_cloudbuild_trigger.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_cloudbuild_trigger.md new file mode 100644 index 0000000..46126d0 --- /dev/null +++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_cloudbuild_trigger.md 
@@ -0,0 +1,244 @@ ++++ +title = "google_cloudbuild_trigger resource" + +draft = false + + +[menu.gcp] +title = "google_cloudbuild_trigger" +identifier = "inspec/resources/gcp/google_cloudbuild_trigger resource" +parent = "inspec/resources/gcp" ++++ + +Use the `google_cloudbuild_trigger` InSpec audit resource to to test a Google Cloud Trigger resource. + +## Examples + +```ruby +describe google_cloudbuild_triggers(project: 'chef-gcp-inspec') do + its('count') { should eq 1 } +end + +google_cloudbuild_triggers(project: 'chef-gcp-inspec').ids.each do |id| + describe google_cloudbuild_trigger(project: 'chef-gcp-inspec', id: id) do + its('filename') { should eq 'cloudbuild.yaml' } + its('trigger_template.branch_name') { should eq 'trigger-branch' } + its('trigger_template.repo_name') { should eq 'trigger-repo' } + its('trigger_template.project_id') { should eq 'trigger-project' } + end +end +``` + +## Properties + +Properties that can be accessed from the `google_cloudbuild_trigger` resource: + + + * `id`: The unique identifier for the trigger. + + * `name`: Name of the trigger. Must be unique within the project. + + * `description`: Human-readable description of the trigger. + + * `tags`: Tags for annotation of a BuildTrigger + + * `disabled`: Whether the trigger is disabled or not. If true, the trigger will never result in a build. + + * `create_time`: Time when the trigger was created. + + * `substitutions`: Substitutions data for Build resource. + + * `filename`: Path, from the source root, to a file whose contents is used for the template. Either a filename or build template must be provided. + + * `ignored_files`: ignoredFiles and includedFiles are file glob matches using https://golang.org/pkg/path/filepath/#Match extended with support for `**`. If ignoredFiles and changed files are both empty, then they are not used to determine whether or not to trigger a build. If ignoredFiles is not empty, then we ignore any files that match any of the ignored_file globs. 
If the change has no files that are outside of the ignoredFiles globs, then we do not trigger a build. + + * `included_files`: ignoredFiles and includedFiles are file glob matches using https://golang.org/pkg/path/filepath/#Match extended with support for `**`. If any of the files altered in the commit pass the ignoredFiles filter and includedFiles is empty, then as far as this filter is concerned, we should trigger the build. If any of the files altered in the commit pass the ignoredFiles filter and includedFiles is not empty, then we make sure that at least one of those files matches a includedFiles glob. If not, then we do not trigger a build. + + * `trigger_template`: Template describing the types of source changes to trigger a build. Branch and tag names in trigger templates are interpreted as regular expressions. Any branch or tag change that matches that regular expression will trigger a build. + + * `project_id`: ID of the project that owns the Cloud Source Repository. If omitted, the project ID requesting the build is assumed. + + * `repo_name`: Name of the Cloud Source Repository. If omitted, the name "default" is assumed. + + * `dir`: Directory, relative to the source root, in which to run the build. This must be a relative path. If a step's dir is specified and is an absolute path, this value is ignored for that step's execution. + + * `invert_regex`: Only trigger a build if the revision regex does NOT match the revision regex. + + * `branch_name`: Name of the branch to build. Exactly one a of branch name, tag, or commit SHA must be provided. This field is a regular expression. + + * `tag_name`: Name of the tag to build. Exactly one of a branch name, tag, or commit SHA must be provided. This field is a regular expression. + + * `commit_sha`: Explicit commit SHA to build. Exactly one of a branch name, tag, or commit SHA must be provided. + + * `github`: Describes the configuration of a trigger that creates a build whenever a GitHub event is received. 
+ + * `owner`: Owner of the repository. For example: The owner for https://github.com/googlecloudplatform/cloud-builders is "googlecloudplatform". + + * `name`: Name of the repository. For example: The name for https://github.com/googlecloudplatform/cloud-builders is "cloud-builders". + + * `pull_request`: filter to match changes in pull requests. Specify only one of pullRequest or push. + + * `branch`: Regex of branches to match. + + * `comment_control`: Whether to block builds on a "/gcbrun" comment from a repository owner or collaborator. + Possible values: + * COMMENTS_DISABLED + * COMMENTS_ENABLED + * COMMENTS_ENABLED_FOR_EXTERNAL_CONTRIBUTORS_ONLY + + * `invert_regex`: If true, branches that do NOT match the git_ref will trigger a build. + + * `push`: filter to match changes in refs, like branches or tags. Specify only one of pullRequest or push. + + * `invert_regex`: When true, only trigger a build if the revision regex does NOT match the git_ref regex. + + * `branch`: Regex of branches to match. Specify only one of branch or tag. + + * `tag`: Regex of tags to match. Specify only one of branch or tag. + + * `build`: Contents of the build template. Either a filename or build template must be provided. + + * `source`: The location of the source files to build. + + * `storage_source`: Location of the source in an archive file in Google Cloud Storage. + + * `bucket`: Google Cloud Storage bucket containing the source. + + * `object`: Google Cloud Storage object containing the source. This object must be a gzipped archive file (.tar.gz) containing source to build. + + * `generation`: Google Cloud Storage generation for the object. If the generation is omitted, the latest generation will be used + + * `repo_source`: Location of the source in a Google Cloud Source Repository. + + * `project_id`: ID of the project that owns the Cloud Source Repository. If omitted, the project ID requesting the build is assumed. + + * `repo_name`: Name of the Cloud Source Repository. 
+ + * `dir`: Directory, relative to the source root, in which to run the build. This must be a relative path. If a step's dir is specified and is an absolute path, this value is ignored for that step's execution. + + * `invert_regex`: Only trigger a build if the revision regex does NOT match the revision regex. + + * `substitutions`: Substitutions to use in a triggered build. Should only be used with triggers.run + + * `branch_name`: Regex matching branches to build. Exactly one a of branch name, tag, or commit SHA must be provided. The syntax of the regular expressions accepted is the syntax accepted by RE2 and described at https://github.com/google/re2/wiki/Syntax + + * `tag_name`: Regex matching tags to build. Exactly one a of branch name, tag, or commit SHA must be provided. The syntax of the regular expressions accepted is the syntax accepted by RE2 and described at https://github.com/google/re2/wiki/Syntax + + * `commit_sha`: Explicit commit SHA to build. Exactly one a of branch name, tag, or commit SHA must be provided. + + * `tags`: Tags for annotation of a Build. These are not docker tags. + + * `images`: A list of images to be pushed upon the successful completion of all build steps. The images are pushed using the builder service account's credentials. The digests of the pushed images will be stored in the Build resource's results field. If any of the images fail to be pushed, the build status is marked FAILURE. + + * `substitutions`: Substitutions data for Build resource. + + * `queue_ttl`: TTL in queue for this build. If provided and the build is enqueued longer than this value, the build will expire and the build status will be EXPIRED. The TTL starts ticking from createTime. A duration in seconds with up to nine fractional digits, terminated by 's'. Example: "3.5s". + + * `logs_bucket`: Google Cloud Storage bucket where logs should be written. Logs file names will be of the format ${logsBucket}/log-${build_id}.txt. 
+ + * `timeout`: Amount of time that this build should be allowed to run, to second granularity. If this amount of time elapses, work on the build will cease and the build status will be TIMEOUT. This timeout must be equal to or greater than the sum of the timeouts for build steps within the build. The expected format is the number of seconds followed by s. Default time is ten minutes (600s). + + * `secrets`: Secrets to decrypt using Cloud Key Management Service. + + * `kms_key_name`: Cloud KMS key name to use to decrypt these envs. + + * `secret_env`: Map of environment variable name to its encrypted value. Secret environment variables must be unique across all of a build's secrets, and must be used by at least one build step. Values can be at most 64 KB in size. There can be at most 100 secret values across all of a build's secrets. + + * `steps`: The operations to be performed on the workspace. + + * `name`: The name of the container image that will run this particular build step. If the image is available in the host's Docker daemon's cache, it will be run directly. If not, the host will attempt to pull the image first, using the builder service account's credentials if necessary. The Docker daemon's cache will already have the latest versions of all of the officially supported build steps (see https://github.com/GoogleCloudPlatform/cloud-builders for images and examples). The Docker daemon will also have cached many of the layers for some popular images, like "ubuntu", "debian", but they will be refreshed at the time you attempt to use them. If you built an image in a previous build step, it will be stored in the host's Docker daemon's cache and is available to use as the name for a later build step. + + * `args`: A list of arguments that will be presented to the step when it is started. If the image used to run the step's container has an entrypoint, the args are used as arguments to that entrypoint. 
If the image does not define an entrypoint, the first element in args is used as the entrypoint, and the remainder will be used as arguments. + + * `env`: A list of environment variable definitions to be used when running a step. The elements are of the form "KEY=VALUE" for the environment variable "KEY" being given the value "VALUE". + + * `id`: Unique identifier for this build step, used in `wait_for` to reference this build step as a dependency. + + * `entrypoint`: Entrypoint to be used instead of the build step image's default entrypoint. If unset, the image's default entrypoint is used + + * `dir`: Working directory to use when running this step's container. If this value is a relative path, it is relative to the build's working directory. If this value is absolute, it may be outside the build's working directory, in which case the contents of the path may not be persisted across build step executions, unless a `volume` for that path is specified. If the build specifies a `RepoSource` with `dir` and a step with a `dir`, which specifies an absolute path, the `RepoSource` `dir` is ignored for the step's execution. + + * `secret_env`: A list of environment variables which are encrypted using a Cloud Key Management Service crypto key. These values must be specified in the build's `Secret`. + + * `timeout`: Time limit for executing this build step. If not defined, the step has no time limit and will be allowed to continue to run until either it completes or the build itself times out. + + * `timing`: Output only. Stores timing information for executing this build step. + + * `volumes`: List of volumes to mount into the build step. Each volume is created as an empty volume prior to execution of the build step. Upon completion of the build, volumes and their contents are discarded. Using a named volume in only one step is not valid as it is indicative of a build request with an incorrect configuration. + + * `name`: Name of the volume to mount. 
Volume names must be unique per build step and must be valid names for Docker volumes. Each named volume must be used by at least two build steps. + + * `path`: Path at which to mount the volume. Paths must be absolute and cannot conflict with other volume paths on the same build step or with certain reserved volume paths. + + * `wait_for`: The ID(s) of the step(s) that this build step depends on. This build step will not start until all the build steps in `wait_for` have completed successfully. If `wait_for` is empty, this build step will start when all previous build steps in the `Build.Steps` list have completed successfully. + + * `artifacts`: Artifacts produced by the build that should be uploaded upon successful completion of all build steps. + + * `images`: A list of images to be pushed upon the successful completion of all build steps. The images will be pushed using the builder service account's credentials. The digests of the pushed images will be stored in the Build resource's results field. If any of the images fail to be pushed, the build is marked FAILURE. + + * `objects`: A list of objects to be uploaded to Cloud Storage upon successful completion of all build steps. Files in the workspace matching specified paths globs will be uploaded to the Cloud Storage location using the builder service account's credentials. The location and generation of the uploaded objects will be stored in the Build resource's results field. If any objects fail to be pushed, the build is marked FAILURE. + + * `location`: Cloud Storage bucket and optional object path, in the form "gs://bucket/path/to/somewhere/". Files in the workspace matching any path pattern will be uploaded to Cloud Storage with this location as a prefix. + + * `paths`: Path globs used to match files in the build's workspace. + + * `timing`: Output only. Stores timing information for pushing all artifact objects. + + * `start_time`: Start of time span. 
A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z". + + * `end_time`: End of time span. A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z". + + * `options`: Special options for this build. + + * `source_provenance_hash`: Requested hash for SourceProvenance. + + * `requested_verify_option`: Requested verifiability options. + Possible values: + * NOT_VERIFIED + * VERIFIED + + * `machine_type`: Compute Engine machine type on which to run the build. + Possible values: + * UNSPECIFIED + * N1_HIGHCPU_8 + * N1_HIGHCPU_32 + + * `disk_size_gb`: Requested disk size for the VM that runs the build. Note that this is NOT "disk free"; some of the space will be used by the operating system and build utilities. Also note that this is the minimum disk size that will be allocated for the build -- the build may run with a larger disk than requested. At present, the maximum disk size is 1000GB; builds that request more than the maximum are rejected with an error. + + * `substitution_option`: Option to specify behavior when there is an error in the substitution checks. NOTE this is always set to ALLOW_LOOSE for triggered builds and cannot be overridden in the build configuration file. + Possible values: + * MUST_MATCH + * ALLOW_LOOSE + + * `dynamic_substitutions`: Option to specify whether or not to apply bash style string operations to the substitutions. NOTE this is always enabled for triggered builds and cannot be overridden in the build configuration file. + + * `log_streaming_option`: Option to define build log streaming behavior to Google Cloud Storage. + Possible values: + * STREAM_DEFAULT + * STREAM_ON + * STREAM_OFF + + * `worker_pool`: Option to specify a WorkerPool for the build. 
Format projects/{project}/workerPools/{workerPool} This field is experimental. + + * `logging`: Option to specify the logging mode, which determines if and where build logs are stored. + Possible values: + * LOGGING_UNSPECIFIED + * LEGACY + * GCS_ONLY + * STACKDRIVER_ONLY + * NONE + + * `env`: A list of global environment variable definitions that will exist for all build steps in this build. If a variable is defined in both globally and in a build step, the variable will use the build step value. The elements are of the form "KEY=VALUE" for the environment variable "KEY" being given the value "VALUE". + + * `secret_env`: A list of global environment variables, which are encrypted using a Cloud Key Management Service crypto key. These values must be specified in the build's Secret. These variables will be available to all build steps in this build. + + * `volumes`: Global list of volumes to mount for ALL build steps Each volume is created as an empty volume prior to starting the build process. Upon completion of the build, volumes and their contents are discarded. Global volume names and paths cannot conflict with the volumes defined a build step. Using a global volume in a build with only one step is not valid as it is indicative of a build request with an incorrect configuration. + + * `name`: Name of the volume to mount. Volume names must be unique per build step and must be valid names for Docker volumes. Each named volume must be used by at least two build steps. + + * `path`: Path at which to mount the volume. Paths must be absolute and cannot conflict with other volume paths on the same build step or with certain reserved volume paths. + + +## GCP permissions + +Ensure the [Cloud Build API](https://console.cloud.google.com/apis/library/cloudbuild.googleapis.com/) is enabled for the current project. 
diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_cloudbuild_triggers.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_cloudbuild_triggers.md new file mode 100644 index 0000000..a758d4a --- /dev/null +++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_cloudbuild_triggers.md 
@@ -0,0 +1,59 @@ ++++ +title = "google_cloudbuild_triggers resource" + +draft = false + + +[menu.gcp] +title = "google_cloudbuild_triggers" +identifier = "inspec/resources/gcp/google_cloudbuild_triggers resource" +parent = "inspec/resources/gcp" ++++ + +Use the `google_cloudbuild_triggers` InSpec audit resource to to test a Google Cloud Trigger resource. + +## Examples + +```ruby +describe google_cloudbuild_triggers(project: 'chef-gcp-inspec') do + its('count') { should eq 1 } +end + +google_cloudbuild_triggers(project: 'chef-gcp-inspec').ids.each do |id| + describe google_cloudbuild_trigger(project: 'chef-gcp-inspec', id: id) do + its('filename') { should eq 'cloudbuild.yaml' } + its('trigger_template.branch_name') { should eq 'trigger-branch' } + its('trigger_template.repo_name') { should eq 'trigger-repo' } + its('trigger_template.project_id') { should eq 'trigger-project' } + end +end +``` + +## Properties + +Properties that can be accessed from the `google_cloudbuild_triggers` resource: + +See [google_cloudbuild_trigger](google_cloudbuild_trigger) for more detailed information. 
+ + * `ids`: an array of `google_cloudbuild_trigger` id + * `names`: an array of `google_cloudbuild_trigger` name + * `descriptions`: an array of `google_cloudbuild_trigger` description + * `tags`: an array of `google_cloudbuild_trigger` tags + * `disableds`: an array of `google_cloudbuild_trigger` disabled + * `create_times`: an array of `google_cloudbuild_trigger` create_time + * `substitutions`: an array of `google_cloudbuild_trigger` substitutions + * `filenames`: an array of `google_cloudbuild_trigger` filename + * `ignored_files`: an array of `google_cloudbuild_trigger` ignored_files + * `included_files`: an array of `google_cloudbuild_trigger` included_files + * `trigger_templates`: an array of `google_cloudbuild_trigger` trigger_template + * `githubs`: an array of `google_cloudbuild_trigger` github + * `builds`: an array of `google_cloudbuild_trigger` build + +## Filter criteria + +This resource supports all of the above properties as filter criteria, which can be used +with `where` as a block or a method. + +## GCP permissions + +Ensure the [Cloud Build API](https://console.cloud.google.com/apis/library/cloudbuild.googleapis.com/) is enabled for the current project. diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_cloudfunctions_cloud_function.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_cloudfunctions_cloud_function.md new file mode 100644 index 0000000..96bce04 --- /dev/null +++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_cloudfunctions_cloud_function.md 
@@ -0,0 +1,95 @@ ++++ +title = "google_cloudfunctions_cloud_function resource" + +draft = false + + +[menu.gcp] +title = "google_cloudfunctions_cloud_function" +identifier = "inspec/resources/gcp/google_cloudfunctions_cloud_function resource" +parent = "inspec/resources/gcp" ++++ + +Use the `google_cloudfunctions_cloud_function` InSpec audit resource to to test a Google Cloud CloudFunction resource. + +## Examples + +```ruby +describe google_cloudfunctions_cloud_function(project: 'chef-gcp-inspec', location: 'europe-west1', name: 'inspec-gcp-function') do + it { should exist } + its('description') { should eq 'A description of the function' } + its('available_memory_mb') { should eq '128' } + its('https_trigger.url') { should match /\/inspec-gcp-function$/ } + its('entry_point') { should eq 'hello' } + its('environment_variables') { should include('MY_ENV_VAR' => 'val1') } +end + +describe google_cloudfunctions_cloud_function(project: 'chef-gcp-inspec', location: 'europe-west1', name: 'nonexistent') do + it { should_not exist } +end +``` + +## Properties + +Properties that can be accessed from the `google_cloudfunctions_cloud_function` resource: + + + * `name`: A user-defined name of the function. Function names must be unique globally and match pattern `projects/*/locations/*/functions/*`. + + * `description`: User-provided description of a function. + + * `status`: Status of the function deployment. + Possible values: + * CLOUD_FUNCTION_STATUS_UNSPECIFIED + * ACTOVE + * OFFLINE + * DEPLOY_IN_PROGRESS + * DELETE_IN_PROGRESS + * UNKNOWN + + * `entry_point`: The name of the function (as defined in source code) that will be executed. Defaults to the resource name suffix, if not specified. For backward compatibility, if function with given name is not found, then the system will try to use function named "function". For Node.js this is name of a function exported by the module specified in source_location. 
+ + * `runtime`: The runtime in which the function is going to run. If empty, defaults to Node.js 6. + + * `timeout`: The function execution timeout. Execution is considered failed and can be terminated if the function is not completed at the end of the timeout period. Defaults to 60 seconds. + + * `available_memory_mb`: The amount of memory in MB available for a function. + + * `service_account_email`: The email of the service account for this function. + + * `update_time`: The last update timestamp of a Cloud Function + + * `version_id`: The version identifier of the Cloud Function. Each deployment attempt results in a new version of a function being created. + + * `labels`: A set of key/value label pairs associated with this Cloud Function. + + * `environment_variables`: Environment variables that shall be available during function execution. + + * `source_archive_url`: The Google Cloud Storage URL, starting with gs://, pointing to the zip archive which contains the function. + + * `source_upload_url`: The Google Cloud Storage signed URL used for source uploading. + + * `source_repository`: The source repository where a function is hosted. + + * `url`: The URL pointing to the hosted repository where the function is defined + + * `deployed_url`: The URL pointing to the hosted repository where the function were defined at the time of deployment. + + * `https_trigger`: An HTTPS endpoint type of source that can be triggered via URL. + + * `url`: The deployed url for the function. + + * `event_trigger`: An HTTPS endpoint type of source that can be triggered via URL. + + * `event_type`: The type of event to observe. For example: `providers/cloud.storage/eventTypes/object.change` and `providers/cloud.pubsub/eventTypes/topic.publish`. + + * `resource`: The resource(s) from which to observe events, for example, `projects/_/buckets/myBucket.` + + * `service`: The hostname of the service that should be observed. + + * `location`: The location of this cloud function. 
+ + +## GCP permissions + +Ensure the [Cloud Functions API](https://console.cloud.google.com/apis/library/cloudfunctions.googleapis.com/) is enabled for the current project. diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_cloudfunctions_cloud_functions.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_cloudfunctions_cloud_functions.md new file mode 100644 index 0000000..67ac610 --- /dev/null +++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_cloudfunctions_cloud_functions.md 
@@ -0,0 +1,56 @@ ++++ +title = "google_cloudfunctions_cloud_functions resource" + +draft = false + + +[menu.gcp] +title = "google_cloudfunctions_cloud_functions" +identifier = "inspec/resources/gcp/google_cloudfunctions_cloud_functions resource" +parent = "inspec/resources/gcp" ++++ + +Use the `google_cloudfunctions_cloud_functions` InSpec audit resource to to test a Google Cloud CloudFunction resource. + +## Examples + +```ruby +describe google_cloudfunctions_cloud_functions(project: 'chef-gcp-inspec', location: 'europe-west1') do + its('descriptions') { should include 'A description of the function' } + its('entry_points') { should include 'hello' } +end +``` + +## Properties + +Properties that can be accessed from the `google_cloudfunctions_cloud_functions` resource: + +See [google_cloudfunctions_cloud_function](google_cloudfunctions_cloud_function) for more detailed information. + + * `names`: an array of `google_cloudfunctions_cloud_function` name + * `descriptions`: an array of `google_cloudfunctions_cloud_function` description + * `statuses`: an array of `google_cloudfunctions_cloud_function` status + * `entry_points`: an array of `google_cloudfunctions_cloud_function` entry_point + * `runtimes`: an array of `google_cloudfunctions_cloud_function` runtime + * `timeouts`: an array of `google_cloudfunctions_cloud_function` timeout + * `available_memory_mbs`: an array of `google_cloudfunctions_cloud_function` available_memory_mb + * `service_account_emails`: an array of `google_cloudfunctions_cloud_function` service_account_email + * `update_times`: an array of `google_cloudfunctions_cloud_function` update_time + * `version_ids`: an array of `google_cloudfunctions_cloud_function` version_id + * `labels`: an array of `google_cloudfunctions_cloud_function` labels + * `environment_variables`: an array of `google_cloudfunctions_cloud_function` environment_variables + * `source_archive_urls`: an array of `google_cloudfunctions_cloud_function` source_archive_url + * 
`source_upload_urls`: an array of `google_cloudfunctions_cloud_function` source_upload_url + * `source_repositories`: an array of `google_cloudfunctions_cloud_function` source_repository + * `https_triggers`: an array of `google_cloudfunctions_cloud_function` https_trigger + * `event_triggers`: an array of `google_cloudfunctions_cloud_function` event_trigger + * `locations`: an array of `google_cloudfunctions_cloud_function` location + +## Filter criteria + +This resource supports all of the above properties as filter criteria, which can be used +with `where` as a block or a method. + +## GCP permissions + +Ensure the [Cloud Functions API](https://console.cloud.google.com/apis/library/cloudfunctions.googleapis.com/) is enabled for the current project. diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_composer_project_location_environment.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_composer_project_location_environment.md new file mode 100644 index 0000000..74b37eb --- /dev/null +++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_composer_project_location_environment.md 
@@ -0,0 +1,273 @@ ++++ +title = "google_composer_project_location_environment resource" + +draft = false + + +[menu.gcp] +title = "google_composer_project_location_environment" +identifier = "inspec/resources/gcp/google_composer_project_location_environment resource" +parent = "inspec/resources/gcp" ++++ + +Use the `google_composer_project_location_environment` InSpec audit resource to to test a Google Cloud ProjectLocationEnvironment resource. + +## Examples + +```ruby +describe google_composer_project_location_environment(name: ' value_name') do + it { should exist } + its('name') { should cmp 'value_name' } + its('uuid') { should cmp 'value_uuid' } + its('state') { should cmp 'value_state' } + its('create_time') { should cmp 'value_createtime' } + its('update_time') { should cmp 'value_updatetime' } + its('satisfies_pzs') { should cmp 'value_satisfies_pzs' } + its('config.gke_cluster') { should cmp 'value_gke_cluster' } + its('labels.additional_properties') { should cmp label_hash } + its('storage_config.bucket') { should cmp 'value_bucket_id' } +end + +describe google_composer_project_location_environment(name: "does_not_exit") do + it { should_not exist } +end +``` + +## Properties + +Properties that can be accessed from the `google_composer_project_location_environment` resource: + + + * `name`: The resource name of the environment, in the form: "projects/{projectId}/locations/{locationId}/environments/{environmentId}" EnvironmentId must start with a lowercase letter followed by up to 63 lowercase letters, numbers, or hyphens, and cannot end with a hyphen. + + * `config`: Configuration information for an environment. + + * `gke_cluster`: Output only. The Kubernetes Engine cluster used to run this environment. + + * `dag_gcs_prefix`: Output only. The Cloud Storage prefix of the DAGs for this environment. Although Cloud Storage objects reside in a flat namespace, a hierarchical file tree can be simulated using "/"-delimited object name prefixes. 
DAG objects for this environment reside in a simulated directory with the given prefix. + + * `node_count`: The number of nodes in the Kubernetes Engine cluster that will be used to run this environment. This field is supported for Cloud Composer environments in versions composer-1.*.*-airflow-*.*.*. + + * `software_config`: Specifies the selection and configuration of software inside the environment. + + * `image_version`: The version of the software running in the environment. This encapsulates both the version of Cloud Composer functionality and the version of Apache Airflow. It must match the regular expression `composer-([0-9]+(\.[0-9]+\.[0-9]+(-preview\.[0-9]+)?)?|latest)-airflow-([0-9]+(\.[0-9]+(\.[0-9]+)?)?)`. When used as input, the server also checks if the provided version is supported and denies the request for an unsupported version. The Cloud Composer portion of the image version is a full [semantic version](https://semver.org), or an alias in the form of major version number or `latest`. When an alias is provided, the server replaces it with the current Cloud Composer version that satisfies the alias. The Apache Airflow portion of the image version is a full semantic version that points to one of the supported Apache Airflow versions, or an alias in the form of only major or major.minor versions specified. When an alias is provided, the server replaces it with the latest Apache Airflow version that satisfies the alias and is supported in the given Cloud Composer version. In all cases, the resolved image version is stored in the same field. See also [version list](/composer/docs/concepts/versioning/composer-versions) and [versioning overview](/composer/docs/concepts/versioning/composer-versioning-overview). + + * `airflow_config_overrides`: Optional. Apache Airflow configuration properties to override. Property keys contain the section and property names, separated by a hyphen, for example "core-dags_are_paused_at_creation". 
Section names must not contain hyphens ("-"), opening square brackets ("["), or closing square brackets ("]"). The property name must not be empty and must not contain an equals sign ("=") or semicolon (";"). Section and property names must not contain a period ("."). Apache Airflow configuration property names must be written in [snake_case](https://en.wikipedia.org/wiki/Snake_case). Property values can contain any character, and can be written in any lower/upper case format. Certain Apache Airflow configuration property values are [blocked](/composer/docs/concepts/airflow-configurations), and cannot be overridden. + + * `additional_properties`: + + * `pypi_packages`: Optional. Custom Python Package Index (PyPI) packages to be installed in the environment. Keys refer to the lowercase package name such as "numpy" and values are the lowercase extras and version specifier such as "==1.12.0", "[devel,gcp_api]", or "[devel]>=1.8.2, <1.9.2". To specify a package without pinning it to a version specifier, use the empty string as the value. + + * `additional_properties`: + + * `env_variables`: Optional. Additional environment variables to provide to the Apache Airflow scheduler, worker, and webserver processes. Environment variable names must match the regular expression `a-zA-Z_*`. They cannot specify Apache Airflow software configuration overrides (they cannot match the regular expression `AIRFLOW__[A-Z0-9_]+__[A-Z0-9_]+`), and they cannot match any of the following reserved names: * `AIRFLOW_HOME` * `C_FORCE_ROOT` * `CONTAINER_NAME` * `DAGS_FOLDER` * `GCP_PROJECT` * `GCS_BUCKET` * `GKE_CLUSTER_NAME` * `SQL_DATABASE` * `SQL_INSTANCE` * `SQL_PASSWORD` * `SQL_PROJECT` * `SQL_REGION` * `SQL_USER` + + * `additional_properties`: + + * `python_version`: Optional. The major version of Python used to run the Apache Airflow scheduler, worker, and webserver processes. Can be set to '2' or '3'. If not specified, the default is '3'. Cannot be updated. 
This field is only supported for Cloud Composer environments in versions composer-1.*.*-airflow-*.*.*. Environments in newer versions always use Python major version 3. + + * `scheduler_count`: Optional. The number of schedulers for Airflow. This field is supported for Cloud Composer environments in versions composer-1.*.*-airflow-2.*.*. + + * `node_config`: The configuration information for the Kubernetes Engine nodes running the Apache Airflow software. + + * `location`: Optional. The Compute Engine [zone](/compute/docs/regions-zones) in which to deploy the VMs used to run the Apache Airflow software, specified as a [relative resource name](/apis/design/resource_names#relative_resource_name). For example: "projects/{projectId}/zones/{zoneId}". This `location` must belong to the enclosing environment's project and location. If both this field and `nodeConfig.machineType` are specified, `nodeConfig.machineType` must belong to this `location`; if both are unspecified, the service will pick a zone in the Compute Engine region corresponding to the Cloud Composer location, and propagate that choice to both fields. If only one field (`location` or `nodeConfig.machineType`) is specified, the location information from the specified field will be propagated to the unspecified field. This field is supported for Cloud Composer environments in versions composer-1.*.*-airflow-*.*.*. + + * `machine_type`: Optional. The Compute Engine [machine type](/compute/docs/machine-types) used for cluster instances, specified as a [relative resource name](/apis/design/resource_names#relative_resource_name). For example: "projects/{projectId}/zones/{zoneId}/machineTypes/{machineTypeId}". The `machineType` must belong to the enclosing environment's project and location. 
If both this field and `nodeConfig.location` are specified, this `machineType` must belong to the `nodeConfig.location`; if both are unspecified, the service will pick a zone in the Compute Engine region corresponding to the Cloud Composer location, and propagate that choice to both fields. If exactly one of this field and `nodeConfig.location` is specified, the location information from the specified field will be propagated to the unspecified field. The `machineTypeId` must not be a [shared-core machine type](/compute/docs/machine-types#sharedcore). If this field is unspecified, the `machineTypeId` defaults to "n1-standard-1". This field is supported for Cloud Composer environments in versions composer-1.*.*-airflow-*.*.*. + + * `network`: Optional. The Compute Engine network to be used for machine communications, specified as a [relative resource name](/apis/design/resource_names#relative_resource_name). For example: "projects/{projectId}/global/networks/{networkId}". If unspecified, the "default" network ID in the environment's project is used. If a [Custom Subnet Network](/vpc/docs/vpc#vpc_networks_and_subnets) is provided, `nodeConfig.subnetwork` must also be provided. For [Shared VPC](/vpc/docs/shared-vpc) subnetwork requirements, see `nodeConfig.subnetwork`. + + * `subnetwork`: Optional. The Compute Engine subnetwork to be used for machine communications, specified as a [relative resource name](/apis/design/resource_names#relative_resource_name). For example: "projects/{projectId}/regions/{regionId}/subnetworks/{subnetworkId}" If a subnetwork is provided, `nodeConfig.network` must also be provided, and the subnetwork must belong to the enclosing environment's project and location. + + * `disk_size_gb`: Optional. The disk size in GB used for node VMs. Minimum size is 30GB. If unspecified, defaults to 100GB. Cannot be updated. This field is supported for Cloud Composer environments in versions composer-1.*.*-airflow-*.*.*. + + * `oauth_scopes`: Optional. 
The set of Google API scopes to be made available on all node VMs. If `oauth_scopes` is empty, defaults to ["https://www.googleapis.com/auth/cloud-platform"]. Cannot be updated. This field is supported for Cloud Composer environments in versions composer-1.*.*-airflow-*.*.*. + + * `service_account`: Optional. The Google Cloud Platform Service Account to be used by the node VMs. If a service account is not specified, the "default" Compute Engine service account is used. Cannot be updated. + + * `tags`: Optional. The list of instance tags applied to all node VMs. Tags are used to identify valid sources or targets for network firewalls. Each tag within the list must comply with [RFC1035](https://www.ietf.org/rfc/rfc1035.txt). Cannot be updated. + + * `ip_allocation_policy`: Configuration for controlling how IPs are allocated in the GKE cluster running the Apache Airflow software. + + * `use_ip_aliases`: Optional. Whether or not to enable Alias IPs in the GKE cluster. If `true`, a VPC-native cluster is created. This field is only supported for Cloud Composer environments in versions composer-1.*.*-airflow-*.*.*. Environments in newer versions always use VPC-native GKE clusters. + + * `cluster_secondary_range_name`: Optional. The name of the GKE cluster's secondary range used to allocate IP addresses to pods. For Cloud Composer environments in versions composer-1.*.*-airflow-*.*.*, this field is applicable only when `use_ip_aliases` is true. + + * `cluster_ipv4_cidr_block`: Optional. The IP address range used to allocate IP addresses to pods in the GKE cluster. For Cloud Composer environments in versions composer-1.*.*-airflow-*.*.*, this field is applicable only when `use_ip_aliases` is true. Set to blank to have GKE choose a range with the default size. Set to /netmask (e.g. `/14`) to have GKE choose a range with a specific netmask. Set to a [CIDR](https://en.wikipedia.org/wiki/Classless_Inter-Domain_Routing) notation (e.g. 
`10.96.0.0/14`) from the RFC-1918 private networks (e.g. `10.0.0.0/8`, `172.16.0.0/12`, `192.168.0.0/16`) to pick a specific range to use. + + * `services_secondary_range_name`: Optional. The name of the services' secondary range used to allocate IP addresses to the GKE cluster. For Cloud Composer environments in versions composer-1.*.*-airflow-*.*.*, this field is applicable only when `use_ip_aliases` is true. + + * `services_ipv4_cidr_block`: Optional. The IP address range of the services IP addresses in this GKE cluster. For Cloud Composer environments in versions composer-1.*.*-airflow-*.*.*, this field is applicable only when `use_ip_aliases` is true. Set to blank to have GKE choose a range with the default size. Set to /netmask (e.g. `/14`) to have GKE choose a range with a specific netmask. Set to a [CIDR](https://en.wikipedia.org/wiki/Classless_Inter-Domain_Routing) notation (e.g. `10.96.0.0/14`) from the RFC-1918 private networks (e.g. `10.0.0.0/8`, `172.16.0.0/12`, `192.168.0.0/16`) to pick a specific range to use. + + * `enable_ip_masq_agent`: Optional. Deploys 'ip-masq-agent' daemon set in the GKE cluster and defines nonMasqueradeCIDRs equals to pod IP range so IP masquerading is used for all destination addresses, except between pods traffic. See: https://cloud.google.com/kubernetes-engine/docs/how-to/ip-masquerade-agent + + * `private_environment_config`: The configuration information for configuring a Private IP Cloud Composer environment. + + * `enable_private_environment`: Optional. If `true`, a Private IP Cloud Composer environment is created. If this field is set to true, `IPAllocationPolicy.use_ip_aliases` must be set to true for Cloud Composer environments in versions composer-1.*.*-airflow-*.*.*. + + * `private_cluster_config`: Configuration options for the private GKE cluster in a Cloud Composer environment. + + * `enable_private_endpoint`: Optional. If `true`, access to the public endpoint of the GKE cluster is denied. 
+ + * `master_ipv4_cidr_block`: Optional. The CIDR block from which IPv4 range for GKE master will be reserved. If left blank, the default value of '172.16.0.0/23' is used. + + * `master_ipv4_reserved_range`: Output only. The IP range in CIDR notation to use for the hosted master network. This range is used for assigning internal IP addresses to the GKE cluster master or set of masters and to the internal load balancer virtual IP. This range must not overlap with any other ranges in use within the cluster's network. + + * `web_server_ipv4_cidr_block`: Optional. The CIDR block from which IP range for web server will be reserved. Needs to be disjoint from `private_cluster_config.master_ipv4_cidr_block` and `cloud_sql_ipv4_cidr_block`. This field is supported for Cloud Composer environments in versions composer-1.*.*-airflow-*.*.*. + + * `cloud_sql_ipv4_cidr_block`: Optional. The CIDR block from which IP range in tenant project will be reserved for Cloud SQL. Needs to be disjoint from `web_server_ipv4_cidr_block`. + + * `web_server_ipv4_reserved_range`: Output only. The IP range reserved for the tenant project's App Engine VMs. This field is supported for Cloud Composer environments in versions composer-1.*.*-airflow-*.*.*. + + * `cloud_composer_network_ipv4_cidr_block`: Optional. The CIDR block from which IP range for Cloud Composer Network in tenant project will be reserved. Needs to be disjoint from private_cluster_config.master_ipv4_cidr_block and cloud_sql_ipv4_cidr_block. This field is supported for Cloud Composer environments in versions composer-2.*.*-airflow-*.*.* and newer. + + * `cloud_composer_network_ipv4_reserved_range`: Output only. The IP range reserved for the tenant project's Cloud Composer network. This field is supported for Cloud Composer environments in versions composer-2.*.*-airflow-*.*.* and newer. + + * `enable_privately_used_public_ips`: Optional. 
When enabled, IPs from public (non-RFC1918) ranges can be used for `IPAllocationPolicy.cluster_ipv4_cidr_block` and `IPAllocationPolicy.service_ipv4_cidr_block`. + + * `cloud_composer_connection_subnetwork`: Optional. When specified, the environment will use Private Service Connect instead of VPC peerings to connect to Cloud SQL in the Tenant Project, and the PSC endpoint in the Customer Project will use an IP address from this subnetwork. + + * `networking_config`: Configuration options for networking connections in the Composer 2 environment. + + * `connection_type`: Optional. Indicates the user requested specifc connection type between Tenant and Customer projects. You cannot set networking connection type in public IP environment. + Possible values: + * CONNECTION_TYPE_UNSPECIFIED + * VPC_PEERING + * PRIVATE_SERVICE_CONNECT + + * `web_server_network_access_control`: Network-level access control policy for the Airflow web server. + + * `allowed_ip_ranges`: A collection of allowed IP ranges with descriptions. + + * `value`: IP address or range, defined using CIDR notation, of requests that this rule applies to. Examples: `192.168.1.1` or `192.168.0.0/16` or `2001:db8::/32` or `2001:0db8:0000:0042:0000:8a2e:0370:7334`. IP range prefixes should be properly truncated. For example, `1.2.3.4/24` should be truncated to `1.2.3.0/24`. Similarly, for IPv6, `2001:db8::1/32` should be truncated to `2001:db8::/32`. + + * `description`: Optional. User-provided description. It must contain at most 300 characters. + + * `database_config`: The configuration of Cloud SQL instance that is used by the Apache Airflow software. + + * `machine_type`: Optional. Cloud SQL machine type used by Airflow database. It has to be one of: db-n1-standard-2, db-n1-standard-4, db-n1-standard-8 or db-n1-standard-16. If not specified, db-n1-standard-2 will be used. Supported for Cloud Composer environments in versions composer-1.*.*-airflow-*.*.*. + + * `zone`: Optional. 
The Compute Engine zone where the Airflow database is created. If zone is provided, it must be in the region selected for the environment. If zone is not provided, a zone is automatically selected. The zone can only be set during environment creation. Supported for Cloud Composer environments in versions composer-2.*.*-airflow-*.*.*. + + * `web_server_config`: The configuration settings for the Airflow web server App Engine instance. Supported for Cloud Composer environments in versions composer-1.*.*-airflow-*.*.* + + * `machine_type`: Optional. Machine type on which Airflow web server is running. It has to be one of: composer-n1-webserver-2, composer-n1-webserver-4 or composer-n1-webserver-8. If not specified, composer-n1-webserver-2 will be used. Value custom is returned only in response, if Airflow web server parameters were manually changed to a non-standard values. + + * `encryption_config`: The encryption options for the Cloud Composer environment and its dependencies.Supported for Cloud Composer environments in versions composer-1.*.*-airflow-*.*.*. + + * `kms_key_name`: Optional. Customer-managed Encryption Key available through Google's Key Management Service. Cannot be updated. If not specified, Google-managed key will be used. + + * `maintenance_window`: The configuration settings for Cloud Composer maintenance window. The following example: ``` { "startTime":"2019-08-01T01:00:00Z" "endTime":"2019-08-01T07:00:00Z" "recurrence":"FREQ=WEEKLY;BYDAY=TU,WE" } ``` would define a maintenance window between 01 and 07 hours UTC during each Tuesday and Wednesday. + + * `start_time`: Required. Start time of the first recurrence of the maintenance window. + + * `end_time`: Required. Maintenance window end time. It is used only to calculate the duration of the maintenance window. The value for end-time must be in the future, relative to `start_time`. + + * `recurrence`: Required. Maintenance window recurrence. 
Format is a subset of [RFC-5545](https://tools.ietf.org/html/rfc5545) `RRULE`. The only allowed values for `FREQ` field are `FREQ=DAILY` and `FREQ=WEEKLY;BYDAY=...` Example values: `FREQ=WEEKLY;BYDAY=TU,WE`, `FREQ=DAILY`. + + * `workloads_config`: The Kubernetes workloads configuration for GKE cluster associated with the Cloud Composer environment. Supported for Cloud Composer environments in versions composer-2.*.*-airflow-*.*.* and newer. + + * `scheduler`: Configuration for resources used by Airflow schedulers. + + * `cpu`: Optional. CPU request and limit for a single Airflow scheduler replica. + + * `memory_gb`: Optional. Memory (GB) request and limit for a single Airflow scheduler replica. + + * `storage_gb`: Optional. Storage (GB) request and limit for a single Airflow scheduler replica. + + * `count`: Optional. The number of schedulers. + + * `web_server`: Configuration for resources used by Airflow web server. + + * `cpu`: Optional. CPU request and limit for Airflow web server. + + * `memory_gb`: Optional. Memory (GB) request and limit for Airflow web server. + + * `storage_gb`: Optional. Storage (GB) request and limit for Airflow web server. + + * `worker`: Configuration for resources used by Airflow workers. + + * `cpu`: Optional. CPU request and limit for a single Airflow worker replica. + + * `memory_gb`: Optional. Memory (GB) request and limit for a single Airflow worker replica. + + * `storage_gb`: Optional. Storage (GB) request and limit for a single Airflow worker replica. + + * `min_count`: Optional. Minimum number of workers for autoscaling. + + * `max_count`: Optional. Maximum number of workers for autoscaling. + + * `triggerer`: Configuration for resources used by Airflow triggerers. + + * `count`: Optional. The number of triggerers. + + * `cpu`: Optional. CPU request and limit for a single Airflow triggerer replica. + + * `memory_gb`: Optional. Memory (GB) request and limit for a single Airflow triggerer replica. 
+ + * `environment_size`: Optional. The size of the Cloud Composer environment. This field is supported for Cloud Composer environments in versions composer-2.*.*-airflow-*.*.* and newer. + Possible values: + * ENVIRONMENT_SIZE_UNSPECIFIED + * ENVIRONMENT_SIZE_SMALL + * ENVIRONMENT_SIZE_MEDIUM + * ENVIRONMENT_SIZE_LARGE + + * `airflow_uri`: Output only. The URI of the Apache Airflow Web UI hosted within this environment (see [Airflow web interface](/composer/docs/how-to/accessing/airflow-web-interface)). + + * `airflow_byoid_uri`: Output only. The 'bring your own identity' variant of the URI of the Apache Airflow Web UI hosted within this environment, to be accessed with external identities using workforce identity federation (see [Access environments with workforce identity federation](/composer/docs/composer-2/access-environments-with-workforce-identity-federation)). + + * `master_authorized_networks_config`: Configuration options for the master authorized networks feature. Enabled master authorized networks will disallow all external traffic to access Kubernetes master through HTTPS except traffic from the given CIDR blocks, Google Compute Engine Public IPs and Google Prod IPs. + + * `enabled`: Whether or not master authorized networks feature is enabled. + + * `cidr_blocks`: Up to 50 external networks that could access Kubernetes master through HTTPS. + + * `display_name`: User-defined name that identifies the CIDR block. + + * `cidr_block`: CIDR block that must be specified in CIDR notation. + + * `recovery_config`: The Recovery settings of an environment. + + * `scheduled_snapshots_config`: The configuration for scheduled snapshot creation mechanism. + + * `enabled`: Optional. Whether scheduled snapshots creation is enabled. + + * `snapshot_location`: Optional. The Cloud Storage location for storing automatically created snapshots. + + * `snapshot_creation_schedule`: Optional. The cron expression representing the time when snapshots creation mechanism runs. 
This field is subject to additional validation around frequency of execution. + + * `time_zone`: Optional. Time zone that sets the context to interpret snapshot_creation_schedule. + + * `resilience_mode`: Optional. Resilience mode of the Cloud Composer Environment. This field is supported for Cloud Composer environments in versions composer-2.2.0-airflow-*.*.* and newer. + Possible values: + * RESILIENCE_MODE_UNSPECIFIED + * HIGH_RESILIENCE + + * `uuid`: Output only. The UUID (Universally Unique IDentifier) associated with this environment. This value is generated when the environment is created. + + * `state`: The current state of the environment. + Possible values: + * STATE_UNSPECIFIED + * CREATING + * RUNNING + * UPDATING + * DELETING + * ERROR + + * `create_time`: Output only. The time at which this environment was created. + + * `update_time`: Output only. The time at which this environment was last modified. + + * `labels`: Optional. User-defined labels for this environment. The labels map can contain no more than 64 entries. Entries of the labels map are UTF8 strings that comply with the following restrictions: * Keys must conform to regexp: \p{Ll}\p{Lo}{0,62} * Values must conform to regexp: [\p{Ll}\p{Lo}\p{N}_-]{0,63} * Both keys and values are additionally constrained to be <= 128 bytes in size. + + * `additional_properties`: + + * `satisfies_pzs`: Output only. Reserved for future use. + + * `storage_config`: The configuration for data storage in the environment. + + * `bucket`: Optional. The name of the Cloud Storage bucket used by the environment. No `gs://` prefix. + + +## GCP permissions + +Ensure the [https://composer.googleapis.com/](https://console.cloud.google.com/apis/library/composer.googleapis.com/) is enabled for the current project. 
diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_composer_project_location_environments.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_composer_project_location_environments.md new file mode 100644 index 0000000..421f8bd --- /dev/null +++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_composer_project_location_environments.md 
@@ -0,0 +1,52 @@ ++++ +title = "google_composer_project_location_environments resource" + +draft = false + + +[menu.gcp] +title = "google_composer_project_location_environments" +identifier = "inspec/resources/gcp/google_composer_project_location_environments resource" +parent = "inspec/resources/gcp" ++++ + +Use the `google_composer_project_location_environments` InSpec audit resource to to test a Google Cloud ProjectLocationEnvironment resource. + +## Examples + +```ruby + describe google_composer_project_location_environments(parent: ' value_parent') do + it { should exist } + its('name') { should include('value_name') } + its('uuid') { should include('value_uuid') } + its('state') { should include('value_state') } + its('create_time') { should include('value_createtime') } + its('update_time') { should include('value_updatetime') } + its('satisfies_pzs') { should include('value_satisfies_pzs') } + end +``` + +## Properties + +Properties that can be accessed from the `google_composer_project_location_environments` resource: + +See [google_composer_project_location_environment](google_composer_project_location_environment) for more detailed information. 
+ + * `names`: an array of `google_composer_project_location_environment` name + * `configs`: an array of `google_composer_project_location_environment` config + * `uuids`: an array of `google_composer_project_location_environment` uuid + * `states`: an array of `google_composer_project_location_environment` state + * `create_times`: an array of `google_composer_project_location_environment` create_time + * `update_times`: an array of `google_composer_project_location_environment` update_time + * `labels`: an array of `google_composer_project_location_environment` labels + * `satisfies_pzs`: an array of `google_composer_project_location_environment` satisfies_pzs + * `storage_configs`: an array of `google_composer_project_location_environment` storage_config + +## Filter criteria + +This resource supports all of the above properties as filter criteria, which can be used +with `where` as a block or a method. + +## GCP permissions + +Ensure the [https://composer.googleapis.com/](https://console.cloud.google.com/apis/library/composer.googleapis.com/) is enabled for the current project. diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_composer_project_location_image_versions.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_composer_project_location_image_versions.md new file mode 100644 index 0000000..323bdc1 --- /dev/null +++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_composer_project_location_image_versions.md 
@@ -0,0 +1,39 @@ ++++ +title = "google_composer_project_location_image_versions resource" + +draft = false + + +[menu.gcp] +title = "google_composer_project_location_image_versions" +identifier = "inspec/resources/gcp/google_composer_project_location_image_versions resource" +parent = "inspec/resources/gcp" ++++ + +Use the `google_composer_project_location_image_versions` InSpec audit resource to to test a Google Cloud ProjectLocationImageVersion resource. + +## Examples + +```ruby + describe google_composer_project_location_image_versions(parent: ' value_parent') do + it { should exist } + end +``` + +## Properties + +Properties that can be accessed from the `google_composer_project_location_image_versions` resource: + +See [google_composer_project_location_image_version](google_composer_project_location_image_version) for more detailed information. + + * `image_versions`: an array of `google_composer_project_location_image_version` image_versions + * `next_page_tokens`: an array of `google_composer_project_location_image_version` next_page_token + +## Filter criteria + +This resource supports all of the above properties as filter criteria, which can be used +with `where` as a block or a method. + +## GCP permissions + +Ensure the [https://composer.googleapis.com/](https://console.cloud.google.com/apis/library/composer.googleapis.com/) is enabled for the current project. diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_accelerator_type.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_accelerator_type.md new file mode 100644 index 0000000..7cd57e1 --- /dev/null +++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_accelerator_type.md 
@@ -0,0 +1,58 @@ ++++ +title = "google_compute_accelerator_type resource" + +draft = false + + +[menu.gcp] +title = "google_compute_accelerator_type" +identifier = "inspec/resources/gcp/google_compute_accelerator_type resource" +parent = "inspec/resources/gcp" ++++ + +Use the `google_compute_accelerator_type` InSpec audit resource to to test a Google Cloud AcceleratorType resource. + +## Examples + +```ruby +describe google_compute_accelerator_type(project: 'chef-gcp-inspec', zone: 'us-east1-b', name: 'accelerator_id') do + it { should exist } + it { should be_up } +end +``` + +## Properties + +Properties that can be accessed from the `google_compute_accelerator_type` resource: + + + * `creation_timestamp`: Creation timestamp in RFC3339 text format. + + * `deprecated`: The deprecation status associated with this accelerator type. + + * `state`: An optional RFC3339 timestamp on or after which the state of this resource is intended to change to DELETED. This is only informational and the status will not change unless the client explicitly changes it. + + * `deprecated`: An optional RFC3339 timestamp on or after which the state of this resource is intended to change to DEPRECATED. This is only informational and the status will not change unless the client explicitly changes it. + + * `obsolete`: An optional RFC3339 timestamp on or after which the state of this resource is intended to change to OBSOLETE. This is only informational and the status will not change unless the client explicitly changes it. + + * `replacement`: The URL of the suggested replacement for a deprecated resource. The suggested replacement resource must be the same kind of resource as the deprecated resource. + + * `state`: The deprecation state of this resource. This can be DEPRECATED, OBSOLETE, or DELETED. Operations which create a new resource using a DEPRECATED resource will return successfully, but with a warning indicating the deprecated resource and recommending its replacement. 
Operations which use OBSOLETE or DELETED resources will be rejected and result in an error. + Possible values: + * DEPRECATED + * OBSOLETE + * DELETED + + * `description`: An optional textual description of the resource. + + * `id`: The unique identifier for the resource. + + * `name`: Name of the resource. + + * `zone`: The name of the zone where the accelerator type resides. + + +## GCP permissions + +Ensure the [Compute Engine API](https://console.cloud.google.com/apis/library/compute.googleapis.com/) is enabled for the current project. diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_accelerator_types.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_accelerator_types.md new file mode 100644 index 0000000..e6f4a2e --- /dev/null +++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_accelerator_types.md 
@@ -0,0 +1,44 @@ ++++ +title = "google_compute_accelerator_types resource" + +draft = false + + +[menu.gcp] +title = "google_compute_accelerator_types" +identifier = "inspec/resources/gcp/google_compute_accelerator_types resource" +parent = "inspec/resources/gcp" ++++ + +Use the `google_compute_accelerator_types` InSpec audit resource to to test a Google Cloud AcceleratorType resource. + +## Examples + +```ruby +describe google_compute_accelerator_types(project: 'chef-gcp-inspec', zone: 'us-east1-b') do +it { should exist } +it { should be_up } +end +``` + +## Properties + +Properties that can be accessed from the `google_compute_accelerator_types` resource: + +See [google_compute_accelerator_type](google_compute_accelerator_type) for more detailed information. + + * `creation_timestamps`: an array of `google_compute_accelerator_type` creation_timestamp + * `deprecateds`: an array of `google_compute_accelerator_type` deprecated + * `descriptions`: an array of `google_compute_accelerator_type` description + * `ids`: an array of `google_compute_accelerator_type` id + * `names`: an array of `google_compute_accelerator_type` name + * `zones`: an array of `google_compute_accelerator_type` zone + +## Filter criteria + +This resource supports all of the above properties as filter criteria, which can be used +with `where` as a block or a method. + +## GCP permissions + +Ensure the [Compute Engine API](https://console.cloud.google.com/apis/library/compute.googleapis.com/) is enabled for the current project. diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_address.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_address.md new file mode 100644 index 0000000..3a72eab --- /dev/null +++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_address.md 
@@ -0,0 +1,111 @@ ++++ +title = "google_compute_address resource" + +draft = false + + +[menu.gcp] +title = "google_compute_address" +identifier = "inspec/resources/gcp/google_compute_address resource" +parent = "inspec/resources/gcp" ++++ + +## Syntax + +A `google_compute_address` is used to test a Google Address resource + + +## Beta Resource +This resource has beta fields available. To retrieve these fields, include `beta: true` in the constructor for the resource. + +## Examples + +```ruby +describe google_compute_address(project: 'chef-gcp-inspec', location: 'europe-west2', name: 'inspec-gcp-global-address') do + it { should exist } + its('address') { should eq '10.2.0.3' } + its('address_type') { should eq 'INTERNAL' } + its('user_count') { should eq 0 } +end + +describe google_compute_address(project: 'chef-gcp-inspec', location: 'europe-west2', name: 'nonexistent') do + it { should_not exist } +end +``` + +### Test that a GCP compute address IP exists + + describe google_compute_address(project: 'chef-inspec-gcp', location: 'europe-west2', name: 'compute-address') do + its('address_ip_exists') { should be true } + end + +### Test that a GCP compute address is in a particular status + + describe google_compute_address(project: 'chef-inspec-gcp', location: 'europe-west2', name: 'compute-address') do + its('status') { should eq "IN_USE" } + end + +### Test that a GCP compute address IP has the expected number of users + + describe google_compute_address(project: 'chef-inspec-gcp', location: 'europe-west2', name: 'compute-address') do + its('user_count') { should eq 1 } + end + +### Test that the first user of a GCP compute address has the expected resource name + + describe google_compute_address(project: 'chef-inspec-gcp', location: 'europe-west2', name: 'compute-address') do + its('user_resource_name') { should eq "gcp_ext_vm_name" } + end + + +## Properties + +Properties that can be accessed from the `google_compute_address` resource: + + + * `address`: The 
static external IP address represented by this resource. Only IPv4 is supported. An address may only be specified for INTERNAL address types. The IP address must be inside the specified subnetwork, if any. + + * `address_type`: The type of address to reserve. + Possible values: + * INTERNAL + * EXTERNAL + + * `creation_timestamp`: Creation timestamp in RFC3339 text format. + + * `description`: An optional description of this resource. + + * `id`: The unique identifier for the resource. + + * `name`: Name of the resource. The name must be 1-63 characters long, and comply with RFC1035. Specifically, the name must be 1-63 characters long and match the regular expression `[a-z]([-a-z0-9]*[a-z0-9])?` which means the first character must be a lowercase letter, and all following characters must be a dash, lowercase letter, or digit, except the last character, which cannot be a dash. + + * `purpose`: The purpose of this resource, which can be one of the following values: * GCE_ENDPOINT for addresses that are used by VM instances, alias IP ranges, internal load balancers, and similar resources. * SHARED_LOADBALANCER_VIP for an address that can be used by multiple internal load balancers. * VPC_PEERING for addresses that are reserved for VPC peer networks. This should only be set when using an Internal address. + Possible values: + * GCE_ENDPOINT + * VPC_PEERING + * SHARED_LOADBALANCER_VIP + + * `network_tier`: The networking tier used for configuring this address. If this field is not specified, it is assumed to be PREMIUM. + Possible values: + * PREMIUM + * STANDARD + + * `subnetwork`: The URL of the subnetwork in which to reserve the address. If an IP address is specified, it must be within the subnetwork's IP range. This field can only be used with INTERNAL type with GCE_ENDPOINT/DNS_RESOLVER purposes. + + * `users`: The URLs of the resources that are using this address. + + * `labels`: (Beta only) Labels to apply to this address. A list of key->value pairs. 
+ + * `label_fingerprint`: (Beta only) The fingerprint used for optimistic locking of this resource. Used internally during updates. + + * `status`: The status of the address, which can be one of RESERVING, RESERVED, or IN_USE. An address that is RESERVING is currently in the process of being reserved. A RESERVED address is currently reserved and available to use. An IN_USE address is currently being used by another resource and is not available. + Possible values: + * RESERVING + * RESERVED + * IN_USE + + * `region`: URL of the region where the regional address resides. This field is not applicable to global addresses. + + +## GCP permissions + +Ensure the [Compute Engine API](https://console.cloud.google.com/apis/library/compute.googleapis.com/) is enabled for the current project. diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_addresses.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_addresses.md new file mode 100644 index 0000000..87e7cb5 --- /dev/null +++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_addresses.md 
@@ -0,0 +1,58 @@ ++++ +title = "google_compute_addresses resource" + +draft = false + + +[menu.gcp] +title = "google_compute_addresses" +identifier = "inspec/resources/gcp/google_compute_addresses resource" +parent = "inspec/resources/gcp" ++++ + +## Syntax + +A `google_compute_addresses` is used to test a Google Address resource + + +## Beta Resource +This resource has beta fields available. To retrieve these fields, include `beta: true` in the constructor for the resource. + +## Examples + +```ruby +describe google_compute_addresses(project: 'chef-gcp-inspec', location: 'europe-west2') do + its('addresses') { should include '10.2.0.3' } + its('names') { should include 'inspec-gcp-global-address' } +end +``` + +## Properties + +Properties that can be accessed from the `google_compute_addresses` resource: + +See [google_compute_address](google_compute_address) for more detailed information. + + * `addresses`: an array of `google_compute_address` address + * `address_types`: an array of `google_compute_address` address_type + * `creation_timestamps`: an array of `google_compute_address` creation_timestamp + * `descriptions`: an array of `google_compute_address` description + * `ids`: an array of `google_compute_address` id + * `names`: an array of `google_compute_address` name + * `purposes`: an array of `google_compute_address` purpose + * `network_tiers`: an array of `google_compute_address` network_tier + * `subnetworks`: an array of `google_compute_address` subnetwork + * `users`: an array of `google_compute_address` users + * `labels`: (Beta only) an array of `google_compute_address` labels + * `label_fingerprints`: (Beta only) an array of `google_compute_address` label_fingerprint + * `statuses`: an array of `google_compute_address` status + * `regions`: an array of `google_compute_address` region + +## Filter criteria + +This resource supports all of the above properties as filter criteria, which can be used +with `where` as a block or a method. 
+ +## GCP permissions + +Ensure the [Compute Engine API](https://console.cloud.google.com/apis/library/compute.googleapis.com/) is enabled for the current project. diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_autoscaler.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_autoscaler.md new file mode 100644 index 0000000..e96d2df --- /dev/null +++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_autoscaler.md 
@@ -0,0 +1,121 @@ ++++ +title = "google_compute_autoscaler resource" + +draft = false + + +[menu.gcp] +title = "google_compute_autoscaler" +identifier = "inspec/resources/gcp/google_compute_autoscaler resource" +parent = "inspec/resources/gcp" ++++ + +## Syntax + +A `google_compute_autoscaler` is used to test a Google Autoscaler resource + + +## Beta Resource +This resource has beta fields available. To retrieve these fields, include `beta: true` in the constructor for the resource. + +## Examples + +```ruby +describe google_compute_autoscaler(project: 'chef-gcp-inspec', zone: 'zone', name: 'inspec-gcp-autoscaler') do + it { should exist } + + its('target') { should match /\/inspec-gcp-igm$/ } + its('autoscaling_policy.max_num_replicas') { should eq '5' } + its('autoscaling_policy.min_num_replicas') { should eq '1' } + its('autoscaling_policy.cool_down_period_sec') { should eq '60' } + its('autoscaling_policy.cpu_utilization.utilization_target') { should eq '0.5' } +end + +describe google_compute_autoscaler(project: 'chef-gcp-inspec', zone: 'zone', name: 'nonexistent') do + it { should_not exist } +end +``` + +## Properties + +Properties that can be accessed from the `google_compute_autoscaler` resource: + + + * `id`: Unique identifier for the resource. + + * `creation_timestamp`: Creation timestamp in RFC3339 text format. + + * `name`: Name of the resource. The name must be 1-63 characters long and match the regular expression `[a-z]([-a-z0-9]*[a-z0-9])?` which means the first character must be a lowercase letter, and all following characters must be a dash, lowercase letter, or digit, except the last character, which cannot be a dash. + + * `description`: An optional description of this resource. + + * `autoscaling_policy`: The configuration parameters for the autoscaling algorithm. You can define one or more of the policies for an autoscaler: cpuUtilization, customMetricUtilizations, and loadBalancingUtilization. 
If none of these are specified, the default will be to autoscale based on cpuUtilization to 0.6 or 60%. + + * `min_num_replicas`: The minimum number of replicas that the autoscaler can scale down to. This cannot be less than 0. If not provided, autoscaler will choose a default value depending on maximum number of instances allowed. + + * `max_num_replicas`: The maximum number of instances that the autoscaler can scale up to. This is required when creating or updating an autoscaler. The maximum number of replicas should not be lower than minimal number of replicas. + + * `cool_down_period_sec`: The number of seconds that the autoscaler should wait before it starts collecting information from a new instance. This prevents the autoscaler from collecting information when the instance is initializing, during which the collected usage would not be reliable. The default time autoscaler waits is 60 seconds. Virtual machine initialization times might vary because of numerous factors. We recommend that you test how long an instance may take to initialize. To do this, create an instance and time the startup process. + + * `mode`: Defines operating mode for this policy. + Possible values: + * OFF + * ONLY_UP + * ON + + * `scale_down_control`: (Beta only) Defines scale down controls to reduce the risk of response latency and outages due to abrupt scale-in events + + * `max_scaled_down_replicas`: A nested object resource + + * `fixed`: Specifies a fixed number of VM instances. This must be a positive integer. + + * `percent`: Specifies a percentage of instances between 0 to 100%, inclusive. For example, specify 80 for 80%. + + * `time_window_sec`: How long back autoscaling should look when computing recommendations to include directives regarding slower scale down, as described above. 
+ + * `scale_in_control`: Defines scale in controls to reduce the risk of response latency and outages due to abrupt scale-in events + + * `max_scaled_in_replicas`: A nested object resource + + * `fixed`: Specifies a fixed number of VM instances. This must be a positive integer. + + * `percent`: Specifies a percentage of instances between 0 to 100%, inclusive. For example, specify 80 for 80%. + + * `time_window_sec`: How long back autoscaling should look when computing recommendations to include directives regarding slower scale down, as described above. + + * `cpu_utilization`: Defines the CPU utilization policy that allows the autoscaler to scale based on the average CPU utilization of a managed instance group. + + * `utilization_target`: The target CPU utilization that the autoscaler should maintain. Must be a float value in the range (0, 1]. If not specified, the default is 0.6. If the CPU level is below the target utilization, the autoscaler scales down the number of instances until it reaches the minimum number of instances you specified or until the average CPU of your instances reaches the target utilization. If the average CPU is above the target utilization, the autoscaler scales up until it reaches the maximum number of instances you specified or until the average utilization reaches the target utilization. + + * `predictive_method`: (Beta only) Indicates whether predictive autoscaling based on CPU metric is enabled. Valid values are: - NONE (default). No predictive method is used. The autoscaler scales the group to meet current demand based on real-time metrics. - OPTIMIZE_AVAILABILITY. Predictive autoscaling improves availability by monitoring daily and weekly load patterns and scaling out ahead of anticipated demand. + + * `custom_metric_utilizations`: Configuration parameters of autoscaling based on a custom metric. + + * `metric`: The identifier (type) of the Stackdriver Monitoring metric. The metric cannot have negative values. 
The metric must have a value type of INT64 or DOUBLE. + + * `single_instance_assignment`: (Beta only) If scaling is based on a per-group metric value that represents the total amount of work to be done or resource usage, set this value to an amount assigned for a single instance of the scaled group. The autoscaler will keep the number of instances proportional to the value of this metric, the metric itself should not change value due to group resizing. For example, a good metric to use with the target is `pubsub.googleapis.com/subscription/num_undelivered_messages` or a custom metric exporting the total number of requests coming to your instances. A bad example would be a metric exporting an average or median latency, since this value can't include a chunk assignable to a single instance, it could be better used with utilization_target instead. + + * `utilization_target`: The target value of the metric that autoscaler should maintain. This must be a positive value. A utilization metric scales number of virtual machines handling requests to increase or decrease proportionally to the metric. For example, a good metric to use as a utilizationTarget is www.googleapis.com/compute/instance/network/received_bytes_count. The autoscaler will work to keep this value constant for each of the instances. + + * `utilization_target_type`: Defines how target utilization value is expressed for a Stackdriver Monitoring metric. + Possible values: + * GAUGE + * DELTA_PER_SECOND + * DELTA_PER_MINUTE + + * `filter`: (Beta only) A filter string to be used as the filter string for a Stackdriver Monitoring TimeSeries.list API call. This filter is used to select a specific TimeSeries for the purpose of autoscaling and to determine whether the metric is exporting per-instance or per-group data. You can only use the AND operator for joining selectors. You can only use direct equality comparison operator (=) without any functions for each selector. 
You can specify the metric in both the filter string and in the metric field. However, if specified in both places, the metric must be identical. The monitored resource type determines what kind of values are expected for the metric. If it is a gce_instance, the autoscaler expects the metric to include a separate TimeSeries for each instance in a group. In such a case, you cannot filter on resource labels. If the resource type is any other value, the autoscaler expects this metric to contain values that apply to the entire autoscaled instance group and resource label filtering can be performed to point autoscaler at the correct TimeSeries to scale upon. This is called a per-group metric for the purpose of autoscaling. If not specified, the type defaults to gce_instance. You should provide a filter that is selective enough to pick just one TimeSeries for the autoscaled group or for each of the instances (if you are using gce_instance resource type). If multiple TimeSeries are returned upon the query execution, the autoscaler will sum their respective values to obtain its scaling value. + + * `load_balancing_utilization`: Configuration parameters of autoscaling based on a load balancer. + + * `utilization_target`: Fraction of backend capacity utilization (set in HTTP(s) load balancing configuration) that autoscaler should maintain. Must be a positive float value. If not defined, the default is 0.8. + + * `scaling_schedules`: (Beta only) Scaling schedules defined for an autoscaler. Multiple schedules can be set on an autoscaler and they can overlap. + + * `target`: URL of the managed instance group that this autoscaler will scale. + + * `zone`: URL of the zone where the instance group resides. + + +## GCP permissions + +Ensure the [Compute Engine API](https://console.cloud.google.com/apis/library/compute.googleapis.com/) is enabled for the current project. 
diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_autoscalers.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_autoscalers.md new file mode 100644 index 0000000..0ded63a --- /dev/null +++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_autoscalers.md 
@@ -0,0 +1,58 @@ ++++ +title = "google_compute_autoscalers resource" + +draft = false + + +[menu.gcp] +title = "google_compute_autoscalers" +identifier = "inspec/resources/gcp/google_compute_autoscalers resource" +parent = "inspec/resources/gcp" ++++ + +## Syntax + +A `google_compute_autoscalers` is used to test a Google Autoscaler resource + + +## Beta Resource +This resource has beta fields available. To retrieve these fields, include `beta: true` in the constructor for the resource. + +## Examples + +```ruby +autoscalers = google_compute_autoscalers(project: 'chef-gcp-inspec', zone: 'zone') +describe.one do + autoscalers.autoscaling_policies.each do |autoscaling_policy| + describe autoscaling_policy do + its('max_num_replicas') { should eq '5' } + its('min_num_replicas') { should eq '1' } + its('cool_down_period_sec') { should eq '60' } + its('cpu_utilization.utilization_target') { should eq '0.5' } + end + end +end +``` + +## Properties + +Properties that can be accessed from the `google_compute_autoscalers` resource: + +See [google_compute_autoscaler](google_compute_autoscaler) for more detailed information. + + * `ids`: an array of `google_compute_autoscaler` id + * `creation_timestamps`: an array of `google_compute_autoscaler` creation_timestamp + * `names`: an array of `google_compute_autoscaler` name + * `descriptions`: an array of `google_compute_autoscaler` description + * `autoscaling_policies`: an array of `google_compute_autoscaler` autoscaling_policy + * `targets`: an array of `google_compute_autoscaler` target + * `zones`: an array of `google_compute_autoscaler` zone + +## Filter criteria + +This resource supports all of the above properties as filter criteria, which can be used +with `where` as a block or a method. + +## GCP permissions + +Ensure the [Compute Engine API](https://console.cloud.google.com/apis/library/compute.googleapis.com/) is enabled for the current project. 
diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_backend_bucket.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_backend_bucket.md new file mode 100644 index 0000000..f5d3931 --- /dev/null +++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_backend_bucket.md 
@@ -0,0 +1,84 @@ ++++ +title = "google_compute_backend_bucket resource" + +draft = false + + +[menu.gcp] +title = "google_compute_backend_bucket" +identifier = "inspec/resources/gcp/google_compute_backend_bucket resource" +parent = "inspec/resources/gcp" ++++ + +## Syntax + +A `google_compute_backend_bucket` is used to test a Google BackendBucket resource + + +## Beta Resource +This resource has beta fields available. To retrieve these fields, include `beta: true` in the constructor for the resource. + +## Examples + +```ruby +describe google_compute_backend_bucket(project: 'chef-gcp-inspec', name: 'inspec-gcp-backend-bucket') do + it { should exist } + its('description') { should eq 'Backend bucket example' } + its('enable_cdn') { should be 'true' } + its('bucket_name') { should eq 'gcp-inspec-storage-bucket' } +end + +describe google_compute_backend_bucket(project: 'chef-gcp-inspec', name: 'nonexistent') do + it { should_not exist } +end +``` + +## Properties + +Properties that can be accessed from the `google_compute_backend_bucket` resource: + + + * `bucket_name`: Cloud Storage bucket name. + + * `cdn_policy`: Cloud CDN configuration for this Backend Bucket. + + * `signed_url_cache_max_age_sec`: Maximum number of seconds the response to a signed URL request will be considered fresh. After this time period, the response will be revalidated before being served. When serving responses to signed URL requests, Cloud CDN will internally behave as though all responses from this backend had a "Cache-Control: public, max-age=[TTL]" header, regardless of any existing Cache-Control header. The actual headers served in responses will not be altered. + + * `default_ttl`: (Beta only) Specifies the default TTL for cached content served by this origin for responses that do not have an existing valid TTL (max-age or s-max-age). + + * `max_ttl`: (Beta only) Specifies the maximum allowed TTL for cached content served by this origin. 
+ + * `client_ttl`: (Beta only) Specifies the maximum allowed TTL for cached content served by this origin. + + * `negative_caching`: (Beta only) Negative caching allows per-status code TTLs to be set, in order to apply fine-grained caching for common errors or redirects. + + * `negative_caching_policy`: (Beta only) Sets a cache TTL for the specified HTTP status code. negativeCaching must be enabled to configure negativeCachingPolicy. Omitting the policy and leaving negativeCaching enabled will use Cloud CDN's default cache TTLs. + + * `code`: (Beta only) The HTTP status code to define a TTL against. Only HTTP status codes 300, 301, 308, 404, 405, 410, 421, 451 and 501 can be specified as values, and you cannot specify a status code more than once. + + * `ttl`: (Beta only) The TTL (in seconds) for which to cache responses with the corresponding status code. The maximum allowed value is 1800s (30 minutes), noting that infrequently accessed objects may be evicted from the cache before the defined TTL. + + * `cache_mode`: (Beta only) Specifies the cache setting for all responses from this backend. The possible values are: USE_ORIGIN_HEADERS, FORCE_CACHE_ALL and CACHE_ALL_STATIC + Possible values: + * USE_ORIGIN_HEADERS + * FORCE_CACHE_ALL + * CACHE_ALL_STATIC + + * `serve_while_stale`: (Beta only) Serve existing content from the cache (if available) when revalidating content with the origin, or when an error is encountered when refreshing the cache. + + * `custom_response_headers`: (Beta only) Headers that the HTTP/S load balancer should add to proxied responses. + + * `creation_timestamp`: Creation timestamp in RFC3339 text format. + + * `description`: An optional textual description of the resource; provided by the client when the resource is created. + + * `enable_cdn`: If true, enable Cloud CDN for this BackendBucket. + + * `id`: Unique identifier for the resource. + + * `name`: Name of the resource. Provided by the client when the resource is created. 
The name must be 1-63 characters long, and comply with RFC1035. Specifically, the name must be 1-63 characters long and match the regular expression `[a-z]([-a-z0-9]*[a-z0-9])?` which means the first character must be a lowercase letter, and all following characters must be a dash, lowercase letter, or digit, except the last character, which cannot be a dash. + + +## GCP permissions + +Ensure the [Compute Engine API](https://console.cloud.google.com/apis/library/compute.googleapis.com/) is enabled for the current project. diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_backend_buckets.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_backend_buckets.md new file mode 100644 index 0000000..aaad3db --- /dev/null +++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_backend_buckets.md 
@@ -0,0 +1,52 @@ ++++ +title = "google_compute_backend_buckets resource" + +draft = false + + +[menu.gcp] +title = "google_compute_backend_buckets" +identifier = "inspec/resources/gcp/google_compute_backend_buckets resource" +parent = "inspec/resources/gcp" ++++ + +## Syntax + +A `google_compute_backend_buckets` is used to test a Google BackendBucket resource + + +## Beta Resource +This resource has beta fields available. To retrieve these fields, include `beta: true` in the constructor for the resource. + +## Examples + +```ruby +describe google_compute_backend_buckets(project: 'chef-gcp-inspec', name: 'inspec-gcp-backend-bucket') do + its('descriptions') { should include 'Backend bucket example' } + its('bucket_names') { should include 'gcp-inspec-storage-bucket' } +end +``` + +## Properties + +Properties that can be accessed from the `google_compute_backend_buckets` resource: + +See [google_compute_backend_bucket](google_compute_backend_bucket) for more detailed information. + + * `bucket_names`: an array of `google_compute_backend_bucket` bucket_name + * `cdn_policies`: an array of `google_compute_backend_bucket` cdn_policy + * `custom_response_headers`: (Beta only) an array of `google_compute_backend_bucket` custom_response_headers + * `creation_timestamps`: an array of `google_compute_backend_bucket` creation_timestamp + * `descriptions`: an array of `google_compute_backend_bucket` description + * `enable_cdns`: an array of `google_compute_backend_bucket` enable_cdn + * `ids`: an array of `google_compute_backend_bucket` id + * `names`: an array of `google_compute_backend_bucket` name + +## Filter criteria + +This resource supports all of the above properties as filter criteria, which can be used +with `where` as a block or a method. + +## GCP permissions + +Ensure the [Compute Engine API](https://console.cloud.google.com/apis/library/compute.googleapis.com/) is enabled for the current project. 
diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_backend_service.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_backend_service.md new file mode 100644 index 0000000..ca4047e --- /dev/null +++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_backend_service.md 
@@ -0,0 +1,259 @@
++++
+title = "google_compute_backend_service resource"
+
+draft = false
+
+
+[menu.gcp]
+title = "google_compute_backend_service"
+identifier = "inspec/resources/gcp/google_compute_backend_service resource"
+parent = "inspec/resources/gcp"
++++
+
+## Syntax
+
+A `google_compute_backend_service` is used to test a Google BackendService resource
+
+
+## Beta Resource
+This resource has beta fields available. To retrieve these fields, include `beta: true` in the constructor for the resource.
+
+## Examples
+
+```ruby
+describe google_compute_backend_service(project: 'chef-gcp-inspec', name: 'inspec-gcp-backend-service') do
+ it { should exist }
+ its('description') { should eq 'A description' }
+ its('port_name') { should eq 'http' }
+ its('protocol') { should eq 'HTTP' }
+ its('timeout_sec') { should eq '10' }
+ its('enable_cdn') { should eq 'true' }
+end
+
+describe google_compute_backend_service(project: 'chef-gcp-inspec', name: 'nonexistent') do
+ it { should_not exist }
+end
+```
+
+## Properties
+
+Properties that can be accessed from the `google_compute_backend_service` resource:
+
+
+ * `affinity_cookie_ttl_sec`: Lifetime of cookies in seconds if session_affinity is GENERATED_COOKIE. If set to 0, the cookie is non-persistent and lasts only until the end of the browser session (or equivalent). The maximum allowed value for TTL is one day. When the load balancing scheme is INTERNAL, this field is not used.
+
+ * `backends`: The set of backends that serve this BackendService.
+
+ * `balancing_mode`: Specifies the balancing mode for this backend. For global HTTP(S) or TCP/SSL load balancing, the default is UTILIZATION. Valid values are UTILIZATION, RATE (for HTTP(S)) and CONNECTION (for TCP/SSL).
+ Possible values:
+ * UTILIZATION
+ * RATE
+ * CONNECTION
+
+ * `capacity_scaler`: A multiplier applied to the group's maximum servicing capacity (based on UTILIZATION, RATE or CONNECTION). Default value is 1, which means the group will serve up to 100% of its configured capacity (depending on balancingMode). A setting of 0 means the group is completely drained, offering 0% of its available Capacity. Valid range is [0.0,1.0].
+
+ * `description`: An optional description of this resource. Provide this property when you create the resource.
+
+ * `group`: The fully-qualified URL of an Instance Group or Network Endpoint Group resource. In case of instance group this defines the list of instances that serve traffic. Member virtual machine instances from each instance group must live in the same zone as the instance group itself. No two backends in a backend service are allowed to use same Instance Group resource. For Network Endpoint Groups this defines list of endpoints. All endpoints of Network Endpoint Group must be hosted on instances located in the same zone as the Network Endpoint Group. Backend services cannot mix Instance Group and Network Endpoint Group backends. Note that you must specify an Instance Group or Network Endpoint Group resource using the fully-qualified URL, rather than a partial URL.
+
+ * `max_connections`: The max number of simultaneous connections for the group. Can be used with either CONNECTION or UTILIZATION balancing modes. For CONNECTION mode, either maxConnections or one of maxConnectionsPerInstance or maxConnectionsPerEndpoint, as appropriate for group type, must be set.
+
+ * `max_connections_per_instance`: The max number of simultaneous connections that a single backend instance can handle. This is used to calculate the capacity of the group. Can be used in either CONNECTION or UTILIZATION balancing modes. For CONNECTION mode, either maxConnections or maxConnectionsPerInstance must be set.
+
+ * `max_connections_per_endpoint`: The max number of simultaneous connections that a single backend network endpoint can handle. This is used to calculate the capacity of the group. Can be used in either CONNECTION or UTILIZATION balancing modes. For CONNECTION mode, either maxConnections or maxConnectionsPerEndpoint must be set.
+
+ * `max_rate`: The max requests per second (RPS) of the group. Can be used with either RATE or UTILIZATION balancing modes, but required if RATE mode. For RATE mode, either maxRate or one of maxRatePerInstance or maxRatePerEndpoint, as appropriate for group type, must be set.
+
+ * `max_rate_per_instance`: The max requests per second (RPS) that a single backend instance can handle. This is used to calculate the capacity of the group. Can be used in either balancing mode. For RATE mode, either maxRate or maxRatePerInstance must be set.
+
+ * `max_rate_per_endpoint`: The max requests per second (RPS) that a single backend network endpoint can handle. This is used to calculate the capacity of the group. Can be used in either balancing mode. For RATE mode, either maxRate or maxRatePerEndpoint must be set.
+
+ * `max_utilization`: Used when balancingMode is UTILIZATION. This ratio defines the CPU utilization target for the group. The default is 0.8. Valid range is [0.0, 1.0].
+
+ * `circuit_breakers`: Settings controlling the volume of connections to a backend service. This field is applicable only when the load_balancing_scheme is set to INTERNAL_SELF_MANAGED.
+
+ * `connect_timeout`: (Beta only) The timeout for new network connections to hosts.
+
+ * `seconds`: Span of time at a resolution of a second. Must be from 0 to 315,576,000,000 inclusive.
+
+ * `nanos`: Span of time that's a fraction of a second at nanosecond resolution. Durations less than one second are represented with a 0 seconds field and a positive nanos field. Must be from 0 to 999,999,999 inclusive.
+
+ * `max_requests_per_connection`: Maximum requests for a single backend connection. This parameter is respected by both the HTTP/1.1 and HTTP/2 implementations. If not specified, there is no limit. Setting this parameter to 1 will effectively disable keep alive.
+
+ * `max_connections`: The maximum number of connections to the backend cluster. Defaults to 1024.
+
+ * `max_pending_requests`: The maximum number of pending requests to the backend cluster. Defaults to 1024.
+
+ * `max_requests`: The maximum number of parallel requests to the backend cluster. Defaults to 1024.
+
+ * `max_retries`: The maximum number of parallel retries to the backend cluster. Defaults to 3.
+
+ * `consistent_hash`: Consistent Hash-based load balancing can be used to provide soft session affinity based on HTTP headers, cookies or other properties. This load balancing policy is applicable only for HTTP connections. The affinity to a particular destination host will be lost when one or more hosts are added/removed from the destination service. This field specifies parameters that control consistent hashing. This field only applies if the load_balancing_scheme is set to INTERNAL_SELF_MANAGED. This field is only applicable when locality_lb_policy is set to MAGLEV or RING_HASH.
+
+ * `http_cookie`: Hash is based on HTTP Cookie. This field describes a HTTP cookie that will be used as the hash key for the consistent hash load balancer. If the cookie is not present, it will be generated. This field is applicable if the sessionAffinity is set to HTTP_COOKIE.
+
+ * `ttl`: Lifetime of the cookie.
+
+ * `seconds`: Span of time at a resolution of a second. Must be from 0 to 315,576,000,000 inclusive.
+
+ * `nanos`: Span of time that's a fraction of a second at nanosecond resolution. Durations less than one second are represented with a 0 seconds field and a positive nanos field. Must be from 0 to 999,999,999 inclusive.
+
+ * `name`: Name of the cookie.
+
+ * `path`: Path to set for the cookie.
+
+ * `http_header_name`: The hash based on the value of the specified header field. This field is applicable if the sessionAffinity is set to HEADER_FIELD.
+
+ * `minimum_ring_size`: The minimum number of virtual nodes to use for the hash ring. Larger ring sizes result in more granular load distributions. If the number of hosts in the load balancing pool is larger than the ring size, each host will be assigned a single virtual node. Defaults to 1024.
+
+ * `cdn_policy`: Cloud CDN configuration for this BackendService.
+
+ * `cache_key_policy`: The CacheKeyPolicy for this CdnPolicy.
+
+ * `include_host`: If true requests to different hosts will be cached separately.
+
+ * `include_protocol`: If true, http and https requests will be cached separately.
+
+ * `include_query_string`: If true, include query string parameters in the cache key according to query_string_whitelist and query_string_blacklist. If neither is set, the entire query string will be included. If false, the query string will be excluded from the cache key entirely.
+
+ * `query_string_blacklist`: Names of query string parameters to exclude in cache keys. All other parameters will be included. Either specify query_string_whitelist or query_string_blacklist, not both. '&' and '=' will be percent encoded and not treated as delimiters.
+
+ * `query_string_whitelist`: Names of query string parameters to include in cache keys. All other parameters will be excluded. Either specify query_string_whitelist or query_string_blacklist, not both. '&' and '=' will be percent encoded and not treated as delimiters.
+
+ * `signed_url_cache_max_age_sec`: Maximum number of seconds the response to a signed URL request will be considered fresh, defaults to 1hr (3600s). After this time period, the response will be revalidated before being served. When serving responses to signed URL requests, Cloud CDN will internally behave as though all responses from this backend had a "Cache-Control: public, max-age=[TTL]" header, regardless of any existing Cache-Control header. The actual headers served in responses will not be altered.
+
+ * `default_ttl`: (Beta only) Specifies the default TTL for cached content served by this origin for responses that do not have an existing valid TTL (max-age or s-max-age).
+
+ * `max_ttl`: (Beta only) Specifies the maximum allowed TTL for cached content served by this origin.
+
+ * `client_ttl`: (Beta only) Specifies the maximum allowed TTL for cached content served by this origin.
+
+ * `negative_caching`: (Beta only) Negative caching allows per-status code TTLs to be set, in order to apply fine-grained caching for common errors or redirects.
+
+ * `negative_caching_policy`: (Beta only) Sets a cache TTL for the specified HTTP status code. negativeCaching must be enabled to configure negativeCachingPolicy. Omitting the policy and leaving negativeCaching enabled will use Cloud CDN's default cache TTLs.
+
+ * `code`: (Beta only) The HTTP status code to define a TTL against. Only HTTP status codes 300, 301, 308, 404, 405, 410, 421, 451 and 501 can be specified as values, and you cannot specify a status code more than once.
+
+ * `ttl`: (Beta only) The TTL (in seconds) for which to cache responses with the corresponding status code. The maximum allowed value is 1800s (30 minutes), noting that infrequently accessed objects may be evicted from the cache before the defined TTL.
+
+ * `cache_mode`: (Beta only) Specifies the cache setting for all responses from this backend. The possible values are: USE_ORIGIN_HEADERS, FORCE_CACHE_ALL and CACHE_ALL_STATIC
+ Possible values:
+ * USE_ORIGIN_HEADERS
+ * FORCE_CACHE_ALL
+ * CACHE_ALL_STATIC
+
+ * `serve_while_stale`: (Beta only) Serve existing content from the cache (if available) when revalidating content with the origin, or when an error is encountered when refreshing the cache.
+
+ * `connection_draining`: Settings for connection draining
+
+ * `draining_timeout_sec`: Time for which instance will be drained (not accept new connections, but still work to finish started).
+
+ * `creation_timestamp`: Creation timestamp in RFC3339 text format.
+
+ * `custom_request_headers`: Headers that the HTTP/S load balancer should add to proxied requests.
+
+ * `custom_response_headers`: (Beta only) Headers that the HTTP/S load balancer should add to proxied responses.
+
+ * `fingerprint`: Fingerprint of this resource. A hash of the contents stored in this object. This field is used in optimistic locking.
+
+ * `description`: An optional description of this resource.
+
+ * `enable_cdn`: If true, enable Cloud CDN for this BackendService.
+
+ * `health_checks`: The set of URLs to the HttpHealthCheck or HttpsHealthCheck resource for health checking this BackendService. Currently at most one health check can be specified. A health check must be specified unless the backend service uses an internet or serverless NEG as a backend. For internal load balancing, a URL to a HealthCheck resource must be specified instead.
+
+ * `id`: The unique identifier for the resource.
+
+ * `iap`: Settings for enabling Cloud Identity Aware Proxy
+
+ * `enabled`: Enables IAP.
+
+ * `oauth2_client_id`: OAuth2 Client ID for IAP
+
+ * `oauth2_client_secret`: OAuth2 Client Secret for IAP
+
+ * `oauth2_client_secret_sha256`: OAuth2 Client Secret SHA-256 for IAP
+
+ * `load_balancing_scheme`: Indicates whether the backend service will be used with internal or external load balancing. A backend service created for one type of load balancing cannot be used with the other.
+ Possible values:
+ * EXTERNAL
+ * INTERNAL_SELF_MANAGED
+
+ * `locality_lb_policy`: The load balancing algorithm used within the scope of the locality. The possible values are - * ROUND_ROBIN - This is a simple policy in which each healthy backend is selected in round robin order. * LEAST_REQUEST - An O(1) algorithm which selects two random healthy hosts and picks the host which has fewer active requests. * RING_HASH - The ring/modulo hash load balancer implements consistent hashing to backends. The algorithm has the property that the addition/removal of a host from a set of N hosts only affects 1/N of the requests. * RANDOM - The load balancer selects a random healthy host. * ORIGINAL_DESTINATION - Backend host is selected based on the client connection metadata, i.e., connections are opened to the same address as the destination address of the incoming connection before the connection was redirected to the load balancer. * MAGLEV - used as a drop in replacement for the ring hash load balancer. Maglev is not as stable as ring hash but has faster table lookup build times and host selection times. For more information about Maglev, refer to https://ai.google/research/pubs/pub44824 This field is applicable only when the load_balancing_scheme is set to INTERNAL_SELF_MANAGED.
+ Possible values:
+ * ROUND_ROBIN
+ * LEAST_REQUEST
+ * RING_HASH
+ * RANDOM
+ * ORIGINAL_DESTINATION
+ * MAGLEV
+
+ * `name`: Name of the resource. Provided by the client when the resource is created. The name must be 1-63 characters long, and comply with RFC1035. Specifically, the name must be 1-63 characters long and match the regular expression `[a-z]([-a-z0-9]*[a-z0-9])?` which means the first character must be a lowercase letter, and all following characters must be a dash, lowercase letter, or digit, except the last character, which cannot be a dash.
+
+ * `outlier_detection`: Settings controlling eviction of unhealthy hosts from the load balancing pool. This field is applicable only when the load_balancing_scheme is set to INTERNAL_SELF_MANAGED.
+
+ * `base_ejection_time`: The base time that a host is ejected for. The real time is equal to the base time multiplied by the number of times the host has been ejected. Defaults to 30000ms or 30s.
+
+ * `seconds`: Span of time at a resolution of a second. Must be from 0 to 315,576,000,000 inclusive.
+
+ * `nanos`: Span of time that's a fraction of a second at nanosecond resolution. Durations less than one second are represented with a 0 `seconds` field and a positive `nanos` field. Must be from 0 to 999,999,999 inclusive.
+
+ * `consecutive_errors`: Number of errors before a host is ejected from the connection pool. When the backend host is accessed over HTTP, a 5xx return code qualifies as an error. Defaults to 5.
+
+ * `consecutive_gateway_failure`: The number of consecutive gateway failures (502, 503, 504 status or connection errors that are mapped to one of those status codes) before a consecutive gateway failure ejection occurs. Defaults to 5.
+
+ * `enforcing_consecutive_errors`: The percentage chance that a host will be actually ejected when an outlier status is detected through consecutive 5xx. This setting can be used to disable ejection or to ramp it up slowly. Defaults to 100.
+
+ * `enforcing_consecutive_gateway_failure`: The percentage chance that a host will be actually ejected when an outlier status is detected through consecutive gateway failures. This setting can be used to disable ejection or to ramp it up slowly. Defaults to 0.
+
+ * `enforcing_success_rate`: The percentage chance that a host will be actually ejected when an outlier status is detected through success rate statistics. This setting can be used to disable ejection or to ramp it up slowly. Defaults to 100.
+
+ * `interval`: Time interval between ejection sweep analysis. This can result in both new ejections as well as hosts being returned to service. Defaults to 10 seconds.
+
+ * `seconds`: Span of time at a resolution of a second. Must be from 0 to 315,576,000,000 inclusive.
+
+ * `nanos`: Span of time that's a fraction of a second at nanosecond resolution. Durations less than one second are represented with a 0 `seconds` field and a positive `nanos` field. Must be from 0 to 999,999,999 inclusive.
+
+ * `max_ejection_percent`: Maximum percentage of hosts in the load balancing pool for the backend service that can be ejected. Defaults to 10%.
+
+ * `success_rate_minimum_hosts`: The number of hosts in a cluster that must have enough request volume to detect success rate outliers. If the number of hosts is less than this setting, outlier detection via success rate statistics is not performed for any host in the cluster. Defaults to 5.
+
+ * `success_rate_request_volume`: The minimum number of total requests that must be collected in one interval (as defined by the interval duration above) to include this host in success rate based outlier detection. If the volume is lower than this setting, outlier detection via success rate statistics is not performed for that host. Defaults to 100.
+
+ * `success_rate_stdev_factor`: This factor is used to determine the ejection threshold for success rate outlier ejection. The ejection threshold is the difference between the mean success rate, and the product of this factor and the standard deviation of the mean success rate: mean - (stdev * success_rate_stdev_factor). This factor is divided by a thousand to get a double. That is, if the desired factor is 1.9, the runtime value should be 1900. Defaults to 1900.
+
+ * `port_name`: Name of backend port. The same name should appear in the instance groups referenced by this service. Required when the load balancing scheme is EXTERNAL.
+
+ * `protocol`: The protocol this BackendService uses to communicate with backends. The default is HTTP. **NOTE**: HTTP2 is only valid for beta HTTP/2 load balancer types and may result in errors if used with the GA API.
+ Possible values:
+ * HTTP
+ * HTTPS
+ * HTTP2
+ * TCP
+ * SSL
+ * GRPC
+
+ * `security_policy`: The security policy associated with this backend service.
+
+ * `session_affinity`: Type of session affinity to use. The default is NONE. Session affinity is not applicable if the protocol is UDP.
+ Possible values:
+ * NONE
+ * CLIENT_IP
+ * CLIENT_IP_PORT_PROTO
+ * CLIENT_IP_PROTO
+ * GENERATED_COOKIE
+ * HEADER_FIELD
+ * HTTP_COOKIE
+
+ * `timeout_sec`: How many seconds to wait for the backend before considering it a failed request. Default is 30 seconds. Valid range is [1, 86400].
+
+ * `log_config`: This field denotes the logging options for the load balancer traffic served by this backend service. If logging is enabled, logs will be exported to Stackdriver.
+
+ * `enable`: Whether to enable logging for the load balancer traffic served by this backend service.
+
+ * `sample_rate`: This field can only be specified if logging is enabled for this backend service. The value of the field must be in [0, 1]. This configures the sampling rate of requests to the load balancer where 1.0 means all logged requests are reported and 0.0 means no logged requests are reported. The default value is 1.0.
+
+
+## GCP permissions
+
+Ensure the [Compute Engine API](https://console.cloud.google.com/apis/library/compute.googleapis.com/) is enabled for the current project.
diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_backend_services.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_backend_services.md
new file mode 100644
index 0000000..db3f9eb
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_backend_services.md
@@ -0,0 +1,72 @@
++++
+title = "google_compute_backend_services resource"
+
+draft = false
+
+
+[menu.gcp]
+title = "google_compute_backend_services"
+identifier = "inspec/resources/gcp/google_compute_backend_services resource"
+parent = "inspec/resources/gcp"
++++
+
+## Syntax
+
+A `google_compute_backend_services` is used to test a Google BackendService resource
+
+
+## Beta Resource
+This resource has beta fields available. To retrieve these fields, include `beta: true` in the constructor for the resource.
+
+## Examples
+
+```ruby
+describe google_compute_backend_services(project: 'chef-gcp-inspec') do
+ its('count') { should be >= 1 }
+ its('names') { should include 'inspec-gcp-backend-service' }
+ its('port_names') { should include 'http' }
+ its('protocols') { should include 'HTTP' }
+ its('timeout_secs') { should include '10' }
+end
+```
+
+## Properties
+
+Properties that can be accessed from the `google_compute_backend_services` resource:
+
+See [google_compute_backend_service](google_compute_backend_service) for more detailed information.
+
+ * `affinity_cookie_ttl_secs`: an array of `google_compute_backend_service` affinity_cookie_ttl_sec
+ * `backends`: an array of `google_compute_backend_service` backends
+ * `circuit_breakers`: an array of `google_compute_backend_service` circuit_breakers
+ * `consistent_hashes`: an array of `google_compute_backend_service` consistent_hash
+ * `cdn_policies`: an array of `google_compute_backend_service` cdn_policy
+ * `connection_drainings`: an array of `google_compute_backend_service` connection_draining
+ * `creation_timestamps`: an array of `google_compute_backend_service` creation_timestamp
+ * `custom_request_headers`: an array of `google_compute_backend_service` custom_request_headers
+ * `custom_response_headers`: (Beta only) an array of `google_compute_backend_service` custom_response_headers
+ * `fingerprints`: an array of `google_compute_backend_service` fingerprint
+ * `descriptions`: an array of `google_compute_backend_service` description
+ * `enable_cdns`: an array of `google_compute_backend_service` enable_cdn
+ * `health_checks`: an array of `google_compute_backend_service` health_checks
+ * `ids`: an array of `google_compute_backend_service` id
+ * `iaps`: an array of `google_compute_backend_service` iap
+ * `load_balancing_schemes`: an array of `google_compute_backend_service` load_balancing_scheme
+ * `locality_lb_policies`: an array of `google_compute_backend_service` locality_lb_policy
+ * `names`: an array of `google_compute_backend_service` name
+ * `outlier_detections`: an array of `google_compute_backend_service` outlier_detection
+ * `port_names`: an array of `google_compute_backend_service` port_name
+ * `protocols`: an array of `google_compute_backend_service` protocol
+ * `security_policies`: an array of `google_compute_backend_service` security_policy
+ * `session_affinities`: an array of `google_compute_backend_service` session_affinity
+ * `timeout_secs`: an array of `google_compute_backend_service` timeout_sec
+ * `log_configs`: an array of `google_compute_backend_service` log_config
+
+## Filter criteria
+
+This resource supports all of the above properties as filter criteria, which can be used
+with `where` as a block or a method.
+
+## GCP permissions
+
+Ensure the [Compute Engine API](https://console.cloud.google.com/apis/library/compute.googleapis.com/) is enabled for the current project.
diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_disk.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_disk.md
new file mode 100644
index 0000000..46aa86f
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_disk.md
@@ -0,0 +1,129 @@
++++
+title = "google_compute_disk resource"
+
+draft = false
+
+
+[menu.gcp]
+title = "google_compute_disk"
+identifier = "inspec/resources/gcp/google_compute_disk resource"
+parent = "inspec/resources/gcp"
++++
+
+## Syntax
+
+A `google_compute_disk` is used to test a Google Disk resource
+
+
+## Beta Resource
+This resource has beta fields available. To retrieve these fields, include `beta: true` in the constructor for the resource.
+
+## Examples
+
+```ruby
+most_recent_image = google_compute_image(project: 'debian-cloud', name: 'debian-10-buster-v20191014')
+
+describe google_compute_disk(project: 'chef-gcp-inspec', name: 'inspec-snapshot-disk', zone: 'zone') do
+ it { should exist }
+ # Test that the image is the most recent image for the family
+ its('source_image') { should match most_recent_image.self_link }
+ its('type') { should match 'pd-standard' }
+end
+
+describe.one do
+ google_compute_disk(project: 'chef-gcp-inspec', name: 'inspec-snapshot-disk', zone: 'zone').labels.each_pair do |key, value|
+ describe key do
+ it { should cmp "environment" }
+ end
+ end
+end
+
+describe google_compute_disk(project: 'chef-gcp-inspec', name: 'nonexistent', zone: 'zone') do
+ it { should_not exist }
+end
+```
+
+## Properties
+
+Properties that can be accessed from the `google_compute_disk` resource:
+
+
+ * `label_fingerprint`: The fingerprint used for optimistic locking of this resource. Used internally during updates.
+
+ * `creation_timestamp`: Creation timestamp in RFC3339 text format.
+
+ * `description`: An optional description of this resource. Provide this property when you create the resource.
+
+ * `id`: The unique identifier for the resource.
+
+ * `last_attach_timestamp`: Last attach timestamp in RFC3339 text format.
+
+ * `last_detach_timestamp`: Last detach timestamp in RFC3339 text format.
+
+ * `labels`: Labels to apply to this disk. A list of key->value pairs.
+
+ * `licenses`: Any applicable publicly visible licenses.
+
+ * `name`: Name of the resource. Provided by the client when the resource is created. The name must be 1-63 characters long, and comply with RFC1035. Specifically, the name must be 1-63 characters long and match the regular expression `[a-z]([-a-z0-9]*[a-z0-9])?` which means the first character must be a lowercase letter, and all following characters must be a dash, lowercase letter, or digit, except the last character, which cannot be a dash.
+
+ * `size_gb`: Size of the persistent disk, specified in GB. You can specify this field when creating a persistent disk using the sourceImage or sourceSnapshot parameter, or specify it alone to create an empty persistent disk. If you specify this field along with sourceImage or sourceSnapshot, the value of sizeGb must not be less than the size of the sourceImage or the size of the snapshot.
+
+ * `users`: Links to the users of the disk (attached instances) in form: project/zones/zone/instances/instance
+
+ * `physical_block_size_bytes`: Physical block size of the persistent disk, in bytes. If not present in a request, a default value is used. Currently supported sizes are 4096 and 16384, other sizes may be added in the future. If an unsupported value is requested, the error message will list the supported values for the caller's project.
+
+ * `interface`: (Beta only) Specifies the disk interface to use for attaching this disk, which is either SCSI or NVME. The default is SCSI.
+ Possible values:
+ * SCSI
+ * NVME
+
+ * `type`: URL of the disk type resource describing which disk type to use to create the disk. Provide this when creating the disk.
+
+ * `source_image`: The source image used to create this disk. If the source image is deleted, this field will not be set. To create a disk with one of the public operating system images, specify the image by its family name. For example, specify family/debian-9 to use the latest Debian 9 image: projects/debian-cloud/global/images/family/debian-9 Alternatively, use a specific version of a public operating system image: projects/debian-cloud/global/images/debian-9-stretch-vYYYYMMDD To create a disk with a private image that you created, specify the image name in the following format: global/images/my-private-image You can also specify a private image by its image family, which returns the latest version of the image in that family. Replace the image name with family/family-name: global/images/family/my-private-family
+
+ * `resource_policies`: (Beta only) Resource policies applied to this disk for automatic snapshot creations.
+
+ * `multi_writer`: (Beta only) Indicates whether or not the disk can be read/write attached to more than one instance.
+
+ * `zone`: A reference to the zone where the disk resides.
+
+ * `source_image_encryption_key`: The customer-supplied encryption key of the source image. Required if the source image is protected by a customer-supplied encryption key.
+
+ * `raw_key`: Specifies a 256-bit customer-supplied encryption key, encoded in RFC 4648 base64 to either encrypt or decrypt this resource.
+
+ * `sha256`: The RFC 4648 base64 encoded SHA-256 hash of the customer-supplied encryption key that protects this resource.
+
+ * `kms_key_name`: The name of the encryption key that is stored in Google Cloud KMS.
+
+ * `kms_key_service_account`: The service account used for the encryption request for the given KMS key. If absent, the Compute Engine Service Agent service account is used.
+
+ * `source_image_id`: The ID value of the image used to create this disk. This value identifies the exact image that was used to create this persistent disk. For example, if you created the persistent disk from an image that was later deleted and recreated under the same name, the source image ID would identify the exact version of the image that was used.
+
+ * `disk_encryption_key`: Encrypts the disk using a customer-supplied encryption key. After you encrypt a disk with a customer-supplied key, you must provide the same key if you use the disk later (e.g. to create a disk snapshot or an image, or to attach the disk to a virtual machine). Customer-supplied encryption keys do not protect access to metadata of the disk. If you do not provide an encryption key when creating the disk, then the disk will be encrypted using an automatically generated key and you do not need to provide a key to use the disk later.
+
+ * `raw_key`: Specifies a 256-bit customer-supplied encryption key, encoded in RFC 4648 base64 to either encrypt or decrypt this resource.
+
+ * `sha256`: The RFC 4648 base64 encoded SHA-256 hash of the customer-supplied encryption key that protects this resource.
+
+ * `kms_key_name`: The name of the encryption key that is stored in Google Cloud KMS. Your project's Compute Engine System service account (`service-{{PROJECT_NUMBER}}@compute-system.iam.gserviceaccount.com`) must have `roles/cloudkms.cryptoKeyEncrypterDecrypter` to use this feature.
+
+ * `kms_key_service_account`: The service account used for the encryption request for the given KMS key. If absent, the Compute Engine Service Agent service account is used.
+
+ * `source_snapshot`: The source snapshot used to create this disk. You can provide this as a partial or full URL to the resource. If the snapshot is in another project than this disk, you must supply a full URL. For example, the following are valid values: * `https://www.googleapis.com/compute/v1/projects/project/global/snapshots/snapshot` * `projects/project/global/snapshots/snapshot` * `global/snapshots/snapshot`
+
+ * `source_snapshot_encryption_key`: The customer-supplied encryption key of the source snapshot. Required if the source snapshot is protected by a customer-supplied encryption key.
+
+ * `raw_key`: Specifies a 256-bit customer-supplied encryption key, encoded in RFC 4648 base64 to either encrypt or decrypt this resource.
+
+ * `kms_key_name`: The name of the encryption key that is stored in Google Cloud KMS.
+
+ * `sha256`: The RFC 4648 base64 encoded SHA-256 hash of the customer-supplied encryption key that protects this resource.
+
+ * `kms_key_service_account`: The service account used for the encryption request for the given KMS key. If absent, the Compute Engine Service Agent service account is used.
+
+ * `source_snapshot_id`: The unique ID of the snapshot used to create this disk. This value identifies the exact snapshot that was used to create this persistent disk. For example, if you created the persistent disk from a snapshot that was later deleted and recreated under the same name, the source snapshot ID would identify the exact version of the snapshot that was used.
+
+
+## GCP permissions
+
+Ensure the [Compute Engine API](https://console.cloud.google.com/apis/library/compute.googleapis.com/) is enabled for the current project.
diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_disk_type.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_disk_type.md
new file mode 100644
index 0000000..34885e3
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_disk_type.md
@@ -0,0 +1,62 @@ ++++ +title = "google_compute_disk_type resource" + +draft = false + + +[menu.gcp] +title = "google_compute_disk_type" +identifier = "inspec/resources/gcp/google_compute_disk_type resource" +parent = "inspec/resources/gcp" ++++ + +Use the `google_compute_disk_type` InSpec audit resource to to test a Google Cloud DiskType resource. + +## Examples + +```ruby +describe google_compute_disk_type(project: 'chef-gcp-inspec', zone: 'us-east1-b', name: 'disk_type_name') do + it { should exist } + it { should be_up } +end +``` + +## Properties + +Properties that can be accessed from the `google_compute_disk_type` resource: + + + * `creation_timestamp`: Creation timestamp in RFC3339 text format. + + * `default_disk_size_gb`: Server-defined default disk size in GB. + + * `deprecated`: The deprecation status associated with this disk type. + + * `deleted`: An optional RFC3339 timestamp on or after which the deprecation state of this resource will be changed to DELETED. + + * `deprecated`: An optional RFC3339 timestamp on or after which the deprecation state of this resource will be changed to DEPRECATED. + + * `obsolete`: An optional RFC3339 timestamp on or after which the deprecation state of this resource will be changed to OBSOLETE. + + * `replacement`: The URL of the suggested replacement for a deprecated resource. The suggested replacement resource must be the same kind of resource as the deprecated resource. + + * `state`: The deprecation state of this resource. This can be DEPRECATED, OBSOLETE, or DELETED. Operations which create a new resource using a DEPRECATED resource will return successfully, but with a warning indicating the deprecated resource and recommending its replacement. Operations which use OBSOLETE or DELETED resources will be rejected and result in an error. + Possible values: + * DEPRECATED + * OBSOLETE + * DELETED + + * `description`: An optional description of this resource. + + * `id`: The unique identifier for the resource. 
+ + * `name`: Name of the resource. + + * `valid_disk_size`: An optional textual description of the valid disk size, such as "10GB-10TB". + + * `zone`: A reference to the zone where the disk type resides. + + +## GCP permissions + +Ensure the [Compute Engine API](https://console.cloud.google.com/apis/library/compute.googleapis.com/) is enabled for the current project. diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_disk_types.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_disk_types.md new file mode 100644 index 0000000..9d22cc6 --- /dev/null +++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_disk_types.md 
@@ -0,0 +1,46 @@ ++++ +title = "google_compute_disk_types resource" + +draft = false + + +[menu.gcp] +title = "google_compute_disk_types" +identifier = "inspec/resources/gcp/google_compute_disk_types resource" +parent = "inspec/resources/gcp" ++++ + +Use the `google_compute_disk_types` InSpec audit resource to to test a Google Cloud DiskType resource. + +## Examples + +```ruby +describe google_compute_disk_types(project: 'chef-gcp-inspec', zone: 'us-east1-b') do +it { should exist } +it { should be_up } +end +``` + +## Properties + +Properties that can be accessed from the `google_compute_disk_types` resource: + +See [google_compute_disk_type](google_compute_disk_type) for more detailed information. + + * `creation_timestamps`: an array of `google_compute_disk_type` creation_timestamp + * `default_disk_size_gbs`: an array of `google_compute_disk_type` default_disk_size_gb + * `deprecateds`: an array of `google_compute_disk_type` deprecated + * `descriptions`: an array of `google_compute_disk_type` description + * `ids`: an array of `google_compute_disk_type` id + * `names`: an array of `google_compute_disk_type` name + * `valid_disk_sizes`: an array of `google_compute_disk_type` valid_disk_size + * `zones`: an array of `google_compute_disk_type` zone + +## Filter criteria + +This resource supports all of the above properties as filter criteria, which can be used +with `where` as a block or a method. + +## GCP permissions + +Ensure the [Compute Engine API](https://console.cloud.google.com/apis/library/compute.googleapis.com/) is enabled for the current project. diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_disks.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_disks.md new file mode 100644 index 0000000..21148a3 --- /dev/null +++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_disks.md 
@@ -0,0 +1,70 @@ ++++ +title = "google_compute_disks resource" + +draft = false + + +[menu.gcp] +title = "google_compute_disks" +identifier = "inspec/resources/gcp/google_compute_disks resource" +parent = "inspec/resources/gcp" ++++ + +## Syntax + +A `google_compute_disks` is used to test a Google Disk resource + + +## Beta Resource +This resource has beta fields available. To retrieve these fields, include `beta: true` in the constructor for the resource. + +## Examples + +```ruby +most_recent_image = google_compute_image(project: 'debian-cloud', name: 'debian-10-buster-v20191014') +describe google_compute_disks(project: 'chef-gcp-inspec', zone: 'zone') do + it { should exist } + its('names') { should include 'inspec-snapshot-disk' } + its('source_images') { should include most_recent_image.self_link } +end +``` + +## Properties + +Properties that can be accessed from the `google_compute_disks` resource: + +See [google_compute_disk](google_compute_disk) for more detailed information. + + * `label_fingerprints`: an array of `google_compute_disk` label_fingerprint + * `creation_timestamps`: an array of `google_compute_disk` creation_timestamp + * `descriptions`: an array of `google_compute_disk` description + * `ids`: an array of `google_compute_disk` id + * `last_attach_timestamps`: an array of `google_compute_disk` last_attach_timestamp + * `last_detach_timestamps`: an array of `google_compute_disk` last_detach_timestamp + * `labels`: an array of `google_compute_disk` labels + * `licenses`: an array of `google_compute_disk` licenses + * `names`: an array of `google_compute_disk` name + * `size_gbs`: an array of `google_compute_disk` size_gb + * `users`: an array of `google_compute_disk` users + * `physical_block_size_bytes`: an array of `google_compute_disk` physical_block_size_bytes + * `interfaces`: (Beta only) an array of `google_compute_disk` interface + * `types`: an array of `google_compute_disk` type + * `source_images`: an array of `google_compute_disk` 
source_image + * `resource_policies`: (Beta only) an array of `google_compute_disk` resource_policies + * `multi_writers`: (Beta only) an array of `google_compute_disk` multi_writer + * `zones`: an array of `google_compute_disk` zone + * `source_image_encryption_keys`: an array of `google_compute_disk` source_image_encryption_key + * `source_image_ids`: an array of `google_compute_disk` source_image_id + * `disk_encryption_keys`: an array of `google_compute_disk` disk_encryption_key + * `source_snapshots`: an array of `google_compute_disk` source_snapshot + * `source_snapshot_encryption_keys`: an array of `google_compute_disk` source_snapshot_encryption_key + * `source_snapshot_ids`: an array of `google_compute_disk` source_snapshot_id + +## Filter criteria + +This resource supports all of the above properties as filter criteria, which can be used +with `where` as a block or a method. + +## GCP permissions + +Ensure the [Compute Engine API](https://console.cloud.google.com/apis/library/compute.googleapis.com/) is enabled for the current project. diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_external_vpn_gateway.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_external_vpn_gateway.md new file mode 100644 index 0000000..16d88f3 --- /dev/null +++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_external_vpn_gateway.md 
@@ -0,0 +1,58 @@ ++++ +title = "google_compute_external_vpn_gateway resource" + +draft = false + + +[menu.gcp] +title = "google_compute_external_vpn_gateway" +identifier = "inspec/resources/gcp/google_compute_external_vpn_gateway resource" +parent = "inspec/resources/gcp" ++++ + +Use the `google_compute_external_vpn_gateway` InSpec audit resource to to test a Google Cloud externalVpnGateway resource. + +## Examples + +```ruby +describe google_compute_external_vpn_gateway(project: 'chef-gcp-inspec', name: 'external-gateway') do + it { should exist } + it { should be_up } +end +``` + +## Properties + +Properties that can be accessed from the `google_compute_external_vpn_gateway` resource: + + + * `creation_timestamp`: Creation timestamp in RFC3339 text format. + + * `redundancy_type`: Indicates the user-supplied redundancy type of this external VPN gateway. + Possible values: + * SINGLE_IP_INTERNALLY_REDUNDANT + * TWO_IPS_REDUNDANCY + * FOUR_IPS_REDUNDANCY + + * `interfaces`: A list of interfaces for this external VPN gateway. If your peer-side gateway is an on-premises gateway and non-AWS cloud providers gateway, at most two interfaces can be provided for an external VPN gateway. If your peer side is an AWS virtual private gateway, four interfaces should be provided for an external VPN gateway. + + * `id`: The numeric ID of this interface. The allowed input values for this id for different redundancy types of external VPN gateway: SINGLE_IP_INTERNALLY_REDUNDANT - 0 TWO_IPS_REDUNDANCY - 0, 1 FOUR_IPS_REDUNDANCY - 0, 1, 2, 3' + + * `ip_address`: IP address of the interface in the external VPN gateway. Only IPv4 is supported. This IP address can be either from your on-premise gateway or another Cloud provider's VPN gateway, it cannot be an IP address from Google Compute Engine. + + * `labels`: map (key: string, value: string) Labels for this resource. These can only be added or modified by the setLabels method. Each label key/value pair must comply with RFC1035. 
Label values may be empty. An object containing a list of "key": value pairs. Example: { "name": "wrench", "mass": "1.3kg", "count": "3" }. + + * `label_fingerprint`: A fingerprint for the labels being applied to this ExternalVpnGateway, which is essentially a hash of the labels set used for optimistic locking. The fingerprint is initially generated by Compute Engine and changes after every request to modify or update labels. You must always provide an up-to-date fingerprint hash in order to update or change labels, otherwise the request will fail with error 412 conditionNotMet. To see the latest fingerprint, make a get() request to retrieve an ExternalVpnGateway. + + * `next_page_token`: This token allows you to get the next page of results for list requests. If the number of results is larger than maxResults, use the nextPageToken as a value for the query parameter pageToken in the next list request. Subsequent list requests will have their own nextPageToken to continue paging through the results. + + * `description`: An optional textual description of the resource. + + * `id`: The unique identifier for the resource. + + * `name`: Name of the resource. + + +## GCP permissions + +Ensure the [Compute Engine API](https://console.cloud.google.com/apis/library/compute.googleapis.com/) is enabled for the current project. diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_external_vpn_gateways.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_external_vpn_gateways.md new file mode 100644 index 0000000..066a0cb --- /dev/null +++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_external_vpn_gateways.md 
@@ -0,0 +1,47 @@ ++++ +title = "google_compute_external_vpn_gateways resource" + +draft = false + + +[menu.gcp] +title = "google_compute_external_vpn_gateways" +identifier = "inspec/resources/gcp/google_compute_external_vpn_gateways resource" +parent = "inspec/resources/gcp" ++++ + +Use the `google_compute_external_vpn_gateways` InSpec audit resource to to test a Google Cloud externalVpnGateway resource. + +## Examples + +```ruby +describe google_compute_external_vpn_gateways(project: 'chef-gcp-inspec') do +it { should exist } +it { should be_up } +end +``` + +## Properties + +Properties that can be accessed from the `google_compute_external_vpn_gateways` resource: + +See [google_compute_external_vpn_gateway](google_compute_external_vpn_gateway) for more detailed information. + + * `creation_timestamps`: an array of `google_compute_external_vpn_gateway` creation_timestamp + * `redundancy_types`: an array of `google_compute_external_vpn_gateway` redundancy_type + * `interfaces`: an array of `google_compute_external_vpn_gateway` interfaces + * `labels`: an array of `google_compute_external_vpn_gateway` labels + * `label_fingerprints`: an array of `google_compute_external_vpn_gateway` label_fingerprint + * `next_page_tokens`: an array of `google_compute_external_vpn_gateway` next_page_token + * `descriptions`: an array of `google_compute_external_vpn_gateway` description + * `ids`: an array of `google_compute_external_vpn_gateway` id + * `names`: an array of `google_compute_external_vpn_gateway` name + +## Filter criteria + +This resource supports all of the above properties as filter criteria, which can be used +with `where` as a block or a method. + +## GCP permissions + +Ensure the [Compute Engine API](https://console.cloud.google.com/apis/library/compute.googleapis.com/) is enabled for the current project. 
diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_firewall.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_firewall.md new file mode 100644 index 0000000..fba8fa2 --- /dev/null +++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_firewall.md 
@@ -0,0 +1,144 @@ ++++ +title = "google_compute_firewall resource" + +draft = false + + +[menu.gcp] +title = "google_compute_firewall" +identifier = "inspec/resources/gcp/google_compute_firewall resource" +parent = "inspec/resources/gcp" ++++ + +## Syntax + +A `google_compute_firewall` is used to test a Google Firewall resource + + +## Beta Resource +This resource has beta fields available. To retrieve these fields, include `beta: true` in the constructor for the resource. + +## Examples + +```ruby +describe google_compute_firewall(project: 'chef-gcp-inspec', name: 'inspec-gcp-firewall') do + its('direction') { should cmp 'INGRESS' } + its('log_config_enabled?') { should be true } + its('source_tags') { should include 'some-tag' } +end +``` + +### Test that a GCP compute firewall allows SSH access on port 22 + + describe google_compute_firewall(project: 'chef-inspec-gcp', name: 'firewall-rule') do + its('allowed_ssh?') { should be true } + end + +### Test that a GCP compute firewall does not allow HTTP access on port 80 + + describe google_compute_firewall(project: 'chef-inspec-gcp', name: 'firewall-rule') do + its('allowed_http?') { should be false } + end + +### Test that a GCP compute firewall allows HTTPS access on port 443 + + describe google_compute_firewall(project: 'chef-inspec-gcp', name: 'firewall-rule') do + its('allowed_https?') { should be true } + end + +### Test the direction of a GCP compute firewall e.g. 
"INGRESS" or "EGRESS" + + describe google_compute_firewall(project: 'chef-inspec-gcp', name: 'firewall-rule') do + its('direction') { should eq "INGRESS" } + end + +### Test the source IP range list for the GCP compute firewall is not open to the world + + describe google_compute_firewall(project: 'chef-inspec-gcp', name: 'firewall-rule') do + its('source_ranges') { should_not eq ["0.0.0.0/0"] } + # or using helpers + its('direction') { should eq "INGRESS" } + it { should_not allow_ip_ranges ["0.0.0.0/0"] } + end + +### Test whether or not a port/protocol is defined for a given firewall rule + + describe google_compute_firewall(project: 'chef-inspec-gcp', name: 'firewall-rule') do + # similar to the http / ssh helpers above + it { should_not allow_port_protocol("22", "tcp") } + it { should allow_port_protocol("80", "tcp") } + end + +### Test whether firewall rule allows ingress/egress for specified tags + + describe google_compute_firewall(project: 'chef-inspec-gcp', name: 'firewall-rule') do + its('direction') { should eq "INGRESS" } + it { should allow_source_tags ["allow-gcp-tag"] } + it { should allow_target_tags ["allow-gcp-other-tag"] } + # stricter + it { should allow_source_tags_only ["allow-gcp-tag"] } + it { should allow_target_tags_only ["allow-gcp-other-tag"] } + end + + +## Properties + +Properties that can be accessed from the `google_compute_firewall` resource: + + + * `allowed`: The list of ALLOW rules specified by this firewall. Each rule specifies a protocol and port-range tuple that describes a permitted connection. + + * `ip_protocol`: The IP protocol to which this rule applies. The protocol type is required when creating a firewall rule. This value can either be one of the following well known protocol strings (tcp, udp, icmp, esp, ah, sctp, ipip, all), or the IP protocol number. + + * `ports`: An optional list of ports to which this rule applies. This field is only applicable for UDP or TCP protocol. 
Each entry must be either an integer or a range. If not specified, this rule applies to connections through any port. Example inputs include: ["22"], ["80","443"], and ["12345-12349"]. + + * `creation_timestamp`: Creation timestamp in RFC3339 text format. + + * `denied`: The list of DENY rules specified by this firewall. Each rule specifies a protocol and port-range tuple that describes a denied connection. + + * `ip_protocol`: The IP protocol to which this rule applies. The protocol type is required when creating a firewall rule. This value can either be one of the following well known protocol strings (tcp, udp, icmp, esp, ah, sctp, ipip, all), or the IP protocol number. + + * `ports`: An optional list of ports to which this rule applies. This field is only applicable for UDP or TCP protocol. Each entry must be either an integer or a range. If not specified, this rule applies to connections through any port. Example inputs include: ["22"], ["80","443"], and ["12345-12349"]. + + * `description`: An optional description of this resource. Provide this property when you create the resource. + + * `destination_ranges`: If destination ranges are specified, the firewall will apply only to traffic that has destination IP address in these ranges. These ranges must be expressed in CIDR format. Only IPv4 is supported. + + * `direction`: Direction of traffic to which this firewall applies; default is INGRESS. Note: For INGRESS traffic, it is NOT supported to specify destinationRanges; For EGRESS traffic, it is NOT supported to specify sourceRanges OR sourceTags. + Possible values: + * INGRESS + * EGRESS + + * `disabled`: Denotes whether the firewall rule is disabled, i.e not applied to the network it is associated with. When set to true, the firewall rule is not enforced and the network behaves as if it did not exist. If this is unspecified, the firewall rule will be enabled. + + * `log_config`: This field denotes the logging options for a particular firewall rule. 
If logging is enabled, logs will be exported to Cloud Logging. + + * `enable`: This field denotes whether to enable logging for a particular firewall rule. If logging is enabled, logs will be exported to Stackdriver. + + * `metadata`: This field denotes whether to include or exclude metadata for firewall logs. + Possible values: + * EXCLUDE_ALL_METADATA + * INCLUDE_ALL_METADATA + + * `id`: The unique identifier for the resource. + + * `name`: Name of the resource. Provided by the client when the resource is created. The name must be 1-63 characters long, and comply with RFC1035. Specifically, the name must be 1-63 characters long and match the regular expression `[a-z]([-a-z0-9]*[a-z0-9])?` which means the first character must be a lowercase letter, and all following characters must be a dash, lowercase letter, or digit, except the last character, which cannot be a dash. + + * `network`: URL of the network resource for this firewall rule. If not specified when creating a firewall rule, the default network is used: global/networks/default If you choose to specify this property, you can specify the network as a full or partial URL. For example, the following are all valid URLs: https://www.googleapis.com/compute/v1/projects/myproject/global/ networks/my-network projects/myproject/global/networks/my-network global/networks/default + + * `priority`: Priority for this rule. This is an integer between 0 and 65535, both inclusive. When not specified, the value assumed is 1000. Relative priorities determine precedence of conflicting rules. Lower value of priority implies higher precedence (eg, a rule with priority 0 has higher precedence than a rule with priority 1). DENY rules take precedence over ALLOW rules having equal priority. + + * `source_ranges`: If source ranges are specified, the firewall will apply only to traffic that has source IP address in these ranges. These ranges must be expressed in CIDR format. One or both of sourceRanges and sourceTags may be set. 
If both properties are set, the firewall will apply to traffic that has source IP address within sourceRanges OR the source IP that belongs to a tag listed in the sourceTags property. The connection does not need to match both properties for the firewall to apply. Only IPv4 is supported. + + * `source_service_accounts`: If source service accounts are specified, the firewall will apply only to traffic originating from an instance with a service account in this list. Source service accounts cannot be used to control traffic to an instance's external IP address because service accounts are associated with an instance, not an IP address. sourceRanges can be set at the same time as sourceServiceAccounts. If both are set, the firewall will apply to traffic that has source IP address within sourceRanges OR the source IP belongs to an instance with service account listed in sourceServiceAccount. The connection does not need to match both properties for the firewall to apply. sourceServiceAccounts cannot be used at the same time as sourceTags or targetTags. + + * `source_tags`: If source tags are specified, the firewall will apply only to traffic with source IP that belongs to a tag listed in source tags. Source tags cannot be used to control traffic to an instance's external IP address. Because tags are associated with an instance, not an IP address. One or both of sourceRanges and sourceTags may be set. If both properties are set, the firewall will apply to traffic that has source IP address within sourceRanges OR the source IP that belongs to a tag listed in the sourceTags property. The connection does not need to match both properties for the firewall to apply. + + * `target_service_accounts`: A list of service accounts indicating sets of instances located in the network that may make network connections as specified in allowed[]. targetServiceAccounts cannot be used at the same time as targetTags or sourceTags. 
If neither targetServiceAccounts nor targetTags are specified, the firewall rule applies to all instances on the specified network. + + * `target_tags`: A list of instance tags indicating sets of instances located in the network that may make network connections as specified in allowed[]. If no targetTags are specified, the firewall rule applies to all instances on the specified network. + + +## GCP permissions + +Ensure the [Compute Engine API](https://console.cloud.google.com/apis/library/compute.googleapis.com/) is enabled for the current project. diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_firewalls.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_firewalls.md new file mode 100644 index 0000000..9b14b2d --- /dev/null +++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_firewalls.md 
@@ -0,0 +1,86 @@ ++++ +title = "google_compute_firewalls resource" + +draft = false + + +[menu.gcp] +title = "google_compute_firewalls" +identifier = "inspec/resources/gcp/google_compute_firewalls resource" +parent = "inspec/resources/gcp" ++++ + +## Syntax + +A `google_compute_firewalls` is used to test a Google Firewall resource + + +## Beta Resource +This resource has beta fields available. To retrieve these fields, include `beta: true` in the constructor for the resource. + +## Examples + +```ruby +describe google_compute_firewalls(project: 'chef-gcp-inspec') do + its('count') { should be >= 1 } + its('firewall_names') { should include 'inspec-gcp-firewall' } + its('firewall_directions') { should include 'INGRESS' } +end +``` + +### Test that there are no more than a specified number of firewalls available for the project + + describe google_compute_firewalls(project: 'chef-inspec-gcp') do + its('count') { should be <= 100} + end + +### Test that an expected firewall is available for the project + + describe google_compute_firewalls(project: 'chef-inspec-gcp') do + its('firewall_names') { should include "my-app-firewall-rule" } + end + +### Test that a particular named rule does not exist + + describe google_compute_firewalls(project: 'chef-inspec-gcp') do + its('firewall_names') { should_not include "default-allow-ssh" } + end + +### Test there are no firewalls for the "INGRESS" direction + + describe google_compute_firewalls(project: 'chef-inspec-gcp').where(firewall_direction: 'INGRESS') do + it { should_not exist } + end + +## Properties + +Properties that can be accessed from the `google_compute_firewalls` resource: + +See [google_compute_firewall](google_compute_firewall) for more detailed information. 
+ + * `alloweds`: an array of `google_compute_firewall` allowed + * `creation_timestamps`: an array of `google_compute_firewall` creation_timestamp + * `denieds`: an array of `google_compute_firewall` denied + * `descriptions`: an array of `google_compute_firewall` description + * `destination_ranges`: an array of `google_compute_firewall` destination_ranges + * `firewall_directions`: an array of `google_compute_firewall` direction + * `disableds`: an array of `google_compute_firewall` disabled + * `log_configs`: an array of `google_compute_firewall` log_config + * `firewall_ids`: an array of `google_compute_firewall` id + * `firewall_names`: an array of `google_compute_firewall` name + * `networks`: an array of `google_compute_firewall` network + * `priorities`: an array of `google_compute_firewall` priority + * `source_ranges`: an array of `google_compute_firewall` source_ranges + * `source_service_accounts`: an array of `google_compute_firewall` source_service_accounts + * `source_tags`: an array of `google_compute_firewall` source_tags + * `target_service_accounts`: an array of `google_compute_firewall` target_service_accounts + * `target_tags`: an array of `google_compute_firewall` target_tags + +## Filter criteria + +This resource supports all of the above properties as filter criteria, which can be used +with `where` as a block or a method. + +## GCP permissions + +Ensure the [Compute Engine API](https://console.cloud.google.com/apis/library/compute.googleapis.com/) is enabled for the current project. diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_forwarding_rule.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_forwarding_rule.md new file mode 100644 index 0000000..986af64 --- /dev/null +++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_forwarding_rule.md 
@@ -0,0 +1,140 @@
++++
+title = "google_compute_forwarding_rule resource"
+
+draft = false
+
+
+[menu.gcp]
+title = "google_compute_forwarding_rule"
+identifier = "inspec/resources/gcp/google_compute_forwarding_rule resource"
+parent = "inspec/resources/gcp"
++++
+
+## Syntax
+
+A `google_compute_forwarding_rule` is used to test a Google ForwardingRule resource
+
+
+## Beta Resource
+This resource has beta fields available. To retrieve these fields, include `beta: true` in the constructor for the resource.
+
+## Examples
+
+```ruby
+describe google_compute_forwarding_rule(project: 'chef-gcp-inspec', region: 'europe-west2', name: 'udp-forwarding-rule') do
+ it { should exist }
+ its('region') { should match 'europe-west2' }
+ its('creation_timestamp') { should be > Time.now - 365*60*60*24*10 }
+ its('load_balancing_scheme') { should match 'EXTERNAL' }
+ its('port_range') { should match "500-500" }
+ its('ip_protocol') { should match "UDP" }
+end
+
+describe google_compute_forwarding_rule(project: 'chef-gcp-inspec', region: 'europe-west2', name: "nonexistent") do
+ it { should_not exist }
+end
+```
+
+### Test that a GCP compute forwarding_rule exists
+
+ describe google_compute_forwarding_rule(project: 'chef-inspec-gcp', region: 'europe-west2', name: 'gcp-inspec-forwarding_rule') do
+ it { should exist }
+ end
+
+### Test when a GCP compute forwarding_rule was created
+
+ describe google_compute_forwarding_rule(project: 'chef-inspec-gcp', region: 'europe-west2', name: 'gcp-inspec-forwarding_rule') do
+ its('creation_timestamp_date') { should be > Time.now - 365*60*60*24*10 }
+ end
+
+### Test for an expected forwarding_rule identifier
+
+ describe google_compute_forwarding_rule(project: 'chef-inspec-gcp', region: 'europe-west2', name: 'gcp-inspec-forwarding_rule') do
+ its('id') { should eq 12345567789 }
+ end
+
+### Test that a forwarding_rule load_balancing_scheme is as expected
+
+ describe google_compute_forwarding_rule(project: 'chef-inspec-gcp', region: 
'europe-west2', name: 'gcp-inspec-forwarding_rule') do
+ its('load_balancing_scheme') { should eq "INTERNAL" }
+ end
+
+### Test that a forwarding_rule IP address is as expected
+
+ describe google_compute_forwarding_rule(project: 'chef-inspec-gcp', region: 'europe-west2', name: 'gcp-inspec-forwarding_rule') do
+ its('ip_address') { should eq "10.0.0.1" }
+ end
+
+### Test that a forwarding_rule is associated with the expected network
+
+ describe google_compute_forwarding_rule(project: 'chef-inspec-gcp', region: 'europe-west2', name: 'gcp-inspec-forwarding_rule') do
+ its('network') { should match "gcp_network_name" }
+ end
+
+## Properties
+
+Properties that can be accessed from the `google_compute_forwarding_rule` resource:
+
+
+ * `creation_timestamp`: Creation timestamp in RFC3339 text format.
+
+ * `is_mirroring_collector`: Indicates whether or not this load balancer can be used as a collector for packet mirroring. To prevent mirroring loops, instances behind this load balancer will not have their traffic mirrored even if a PacketMirroring rule applies to them. This can only be set to true for load balancers that have their loadBalancingScheme set to INTERNAL.
+
+ * `description`: An optional description of this resource. Provide this property when you create the resource.
+
+ * `id`: The unique identifier for the resource.
+
+ * `ip_address`: The IP address that this forwarding rule is serving on behalf of. Addresses are restricted based on the forwarding rule's load balancing scheme (EXTERNAL or INTERNAL) and scope (global or regional). When the load balancing scheme is EXTERNAL, for global forwarding rules, the address must be a global IP, and for regional forwarding rules, the address must live in the same region as the forwarding rule. If this field is empty, an ephemeral IPv4 address from the same scope (global or regional) will be assigned. A regional forwarding rule supports IPv4 only. A global forwarding rule supports either IPv4 or IPv6. 
When the load balancing scheme is INTERNAL, this can only be an RFC 1918 IP address belonging to the network/subnet configured for the forwarding rule. By default, if this field is empty, an ephemeral internal IP address will be automatically allocated from the IP range of the subnet or network configured for this forwarding rule. An address can be specified either by a literal IP address or a URL reference to an existing Address resource. The following examples are all valid: * 100.1.2.3 * https://www.googleapis.com/compute/v1/projects/project/regions/ region/addresses/address * projects/project/regions/region/addresses/address * regions/region/addresses/address * global/addresses/address * address
+
+ * `ip_protocol`: The IP protocol to which this rule applies. When the load balancing scheme is INTERNAL, only TCP and UDP are valid.
+ Possible values:
+ * TCP
+ * UDP
+ * ESP
+ * AH
+ * SCTP
+ * ICMP
+
+ * `backend_service`: A BackendService to receive the matched traffic. This is used only for INTERNAL load balancing.
+
+ * `load_balancing_scheme`: This signifies what the ForwardingRule will be used for and can be EXTERNAL, INTERNAL, or INTERNAL_MANAGED. EXTERNAL is used for Classic Cloud VPN gateways, protocol forwarding to VMs from an external IP address, and HTTP(S), SSL Proxy, TCP Proxy, and Network TCP/UDP load balancers. INTERNAL is used for protocol forwarding to VMs from an internal IP address, and internal TCP/UDP load balancers. INTERNAL_MANAGED is used for internal HTTP(S) load balancers.
+ Possible values:
+ * EXTERNAL
+ * INTERNAL
+ * INTERNAL_MANAGED
+
+ * `name`: Name of the resource; provided by the client when the resource is created. The name must be 1-63 characters long, and comply with RFC1035. 
Specifically, the name must be 1-63 characters long and match the regular expression `[a-z]([-a-z0-9]*[a-z0-9])?` which means the first character must be a lowercase letter, and all following characters must be a dash, lowercase letter, or digit, except the last character, which cannot be a dash.
+
+ * `network`: For internal load balancing, this field identifies the network that the load balanced IP should belong to for this Forwarding Rule. If this field is not specified, the default network will be used. This field is only used for INTERNAL load balancing.
+
+ * `port_range`: This field is used along with the target field for TargetHttpProxy, TargetHttpsProxy, TargetSslProxy, TargetTcpProxy, TargetVpnGateway, TargetPool, TargetInstance. Applicable only when IPProtocol is TCP, UDP, or SCTP, only packets addressed to ports in the specified range will be forwarded to target. Forwarding rules with the same [IPAddress, IPProtocol] pair must have disjoint port ranges. Some types of forwarding target have constraints on the acceptable ports: * TargetHttpProxy: 80, 8080 * TargetHttpsProxy: 443 * TargetTcpProxy: 25, 43, 110, 143, 195, 443, 465, 587, 700, 993, 995, 1883, 5222 * TargetSslProxy: 25, 43, 110, 143, 195, 443, 465, 587, 700, 993, 995, 1883, 5222 * TargetVpnGateway: 500, 4500
+
+ * `ports`: This field is used along with the backend_service field for internal load balancing. When the load balancing scheme is INTERNAL, a single port or a comma separated list of ports can be configured. Only packets addressed to these ports will be forwarded to the backends configured with this forwarding rule. You may specify a maximum of up to 5 ports.
+
+ * `subnetwork`: The subnetwork that the load balanced IP should belong to for this Forwarding Rule. This field is only used for INTERNAL load balancing. If the network specified is in auto subnet mode, this field is optional. However, if the network is in custom subnet mode, a subnetwork must be specified. 
+
+ * `target`: The URL of the target resource to receive the matched traffic. The target must live in the same region as the forwarding rule. The forwarded traffic must be of a type appropriate to the target object.
+
+ * `allow_global_access`: If true, clients can access ILB from all regions. Otherwise only allows from the local region the ILB is located at.
+
+ * `labels`: (Beta only) Labels to apply to this forwarding rule. A list of key->value pairs.
+
+ * `label_fingerprint`: (Beta only) The fingerprint used for optimistic locking of this resource. Used internally during updates.
+
+ * `all_ports`: For internal TCP/UDP load balancing (i.e. load balancing scheme is INTERNAL and protocol is TCP/UDP), set this to true to allow packets addressed to any ports to be forwarded to the backends configured with this forwarding rule. Used with backend service. Cannot be set if port or portRange are set.
+
+ * `network_tier`: The networking tier used for configuring this address. If this field is not specified, it is assumed to be PREMIUM.
+ Possible values:
+ * PREMIUM
+ * STANDARD
+
+ * `service_label`: An optional prefix to the service name for this Forwarding Rule. If specified, will be the first label of the fully qualified service name. The label must be 1-63 characters long, and comply with RFC1035. Specifically, the label must be 1-63 characters long and match the regular expression `[a-z]([-a-z0-9]*[a-z0-9])?` which means the first character must be a lowercase letter, and all following characters must be a dash, lowercase letter, or digit, except the last character, which cannot be a dash. This field is only used for INTERNAL load balancing.
+
+ * `service_name`: The internal fully qualified service name for this Forwarding Rule. This field is only used for INTERNAL load balancing.
+
+ * `region`: A reference to the region where the regional forwarding rule resides. This field is not applicable to global forwarding rules. 
+
+
+## GCP permissions
+
+Ensure the [Compute Engine API](https://console.cloud.google.com/apis/library/compute.googleapis.com/) is enabled for the current project.
diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_forwarding_rules.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_forwarding_rules.md
new file mode 100644
index 0000000..42ee915
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_forwarding_rules.md
@@ -0,0 +1,90 @@
++++
+title = "google_compute_forwarding_rules resource"
+
+draft = false
+
+
+[menu.gcp]
+title = "google_compute_forwarding_rules"
+identifier = "inspec/resources/gcp/google_compute_forwarding_rules resource"
+parent = "inspec/resources/gcp"
++++
+
+## Syntax
+
+A `google_compute_forwarding_rules` is used to test a Google ForwardingRule resource
+
+
+## Beta Resource
+This resource has beta fields available. To retrieve these fields, include `beta: true` in the constructor for the resource.
+
+## Examples
+
+```ruby
+describe google_compute_forwarding_rules(project: 'chef-gcp-inspec', region: 'europe-west2') do
+ its('forwarding_rule_names') { should include 'udp-forwarding-rule' }
+end
+```
+
+### Test that there are no more than a specified number of forwarding_rules available for the project and region
+
+ describe google_compute_forwarding_rules(project: 'chef-inspec-gcp', region: 'europe-west2') do
+ its('count') { should be <= 100}
+ end
+
+### Test that an expected forwarding_rule identifier is present in the project and region
+
+ describe google_compute_forwarding_rules(project: 'chef-inspec-gcp', region: 'europe-west2') do
+ its('forwarding_rule_ids') { should include 12345678975432 }
+ end
+
+
+### Test that an expected forwarding_rule name is available for the project and region
+
+ describe google_compute_forwarding_rules(project: 'chef-inspec-gcp', region: 'europe-west2') do
+ its('forwarding_rule_names') { should include "forwarding_rule-name" }
+ end
+
+### Test that an expected forwarding_rule network name is not present for the project and region
+
+ describe google_compute_forwarding_rules(project: 'chef-inspec-gcp', region: 'europe-west2') do
+ its('forwarding_rule_networks') { should not include "network-name" }
+ end
+
+## Properties
+
+Properties that can be accessed from the `google_compute_forwarding_rules` resource:
+
+See [google_compute_forwarding_rule](google_compute_forwarding_rule) for more detailed information.
+
+ * `creation_timestamps`: an array of `google_compute_forwarding_rule` creation_timestamp
+ * `is_mirroring_collectors`: an array of `google_compute_forwarding_rule` is_mirroring_collector
+ * `descriptions`: an array of `google_compute_forwarding_rule` description
+ * `forwarding_rule_ids`: an array of `google_compute_forwarding_rule` id
+ * `ip_addresses`: an array of `google_compute_forwarding_rule` ip_address
+ * `ip_protocols`: an array of `google_compute_forwarding_rule` ip_protocol
+ * `backend_services`: an array of `google_compute_forwarding_rule` backend_service
+ * `forwarding_rule_load_balancing_schemes`: an array of `google_compute_forwarding_rule` load_balancing_scheme
+ * `forwarding_rule_names`: an array of `google_compute_forwarding_rule` name
+ * `forwarding_rule_networks`: an array of `google_compute_forwarding_rule` network
+ * `port_ranges`: an array of `google_compute_forwarding_rule` port_range
+ * `ports`: an array of `google_compute_forwarding_rule` ports
+ * `subnetworks`: an array of `google_compute_forwarding_rule` subnetwork
+ * `targets`: an array of `google_compute_forwarding_rule` target
+ * `allow_global_accesses`: an array of `google_compute_forwarding_rule` allow_global_access
+ * `labels`: (Beta only) an array of `google_compute_forwarding_rule` labels
+ * `label_fingerprints`: (Beta only) an array of `google_compute_forwarding_rule` label_fingerprint
+ * `all_ports`: an array of `google_compute_forwarding_rule` all_ports
+ * `network_tiers`: an array of `google_compute_forwarding_rule` network_tier
+ * `service_labels`: an array of `google_compute_forwarding_rule` service_label
+ * `service_names`: an array of `google_compute_forwarding_rule` service_name
+ * `regions`: an array of `google_compute_forwarding_rule` region
+
+## Filter criteria
+
+This resource supports all of the above properties as filter criteria, which can be used
+with `where` as a block or a method.
+
+## GCP permissions
+
+Ensure the [Compute Engine API](https://console.cloud.google.com/apis/library/compute.googleapis.com/) is enabled for the current project.
diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_global_address.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_global_address.md
new file mode 100644
index 0000000..1da2392
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_global_address.md
@@ -0,0 +1,77 @@
++++
+title = "google_compute_global_address resource"
+
+draft = false
+
+
+[menu.gcp]
+title = "google_compute_global_address"
+identifier = "inspec/resources/gcp/google_compute_global_address resource"
+parent = "inspec/resources/gcp"
++++
+
+## Syntax
+
+A `google_compute_global_address` is used to test a Google GlobalAddress resource
+
+
+## Beta Resource
+This resource has beta fields available. To retrieve these fields, include `beta: true` in the constructor for the resource.
+
+## Examples
+
+```ruby
+describe google_compute_global_address(project: 'chef-gcp-inspec', name: 'inspec-gcp-global-address') do
+ it { should exist }
+ its('ip_version') { should eq 'IPV6' }
+end
+
+describe google_compute_global_address(project: 'chef-gcp-inspec', name: 'nonexistent') do
+ it { should_not exist }
+end
+```
+
+## Properties
+
+Properties that can be accessed from the `google_compute_global_address` resource:
+
+
+ * `address`: The static external IP address represented by this resource.
+
+ * `creation_timestamp`: Creation timestamp in RFC3339 text format.
+
+ * `description`: An optional description of this resource.
+
+ * `id`: The unique identifier for the resource. This identifier is defined by the server.
+
+ * `name`: Name of the resource. Provided by the client when the resource is created. The name must be 1-63 characters long, and comply with RFC1035. Specifically, the name must be 1-63 characters long and match the regular expression `[a-z]([-a-z0-9]*[a-z0-9])?` which means the first character must be a lowercase letter, and all following characters must be a dash, lowercase letter, or digit, except the last character, which cannot be a dash.
+
+ * `labels`: (Beta only) Labels to apply to this address. A list of key->value pairs.
+
+ * `label_fingerprint`: (Beta only) The fingerprint used for optimistic locking of this resource. Used internally during updates.
+
+ * `ip_version`: The IP Version that will be used by this address. 
The default value is `IPV4`.
+ Possible values:
+ * IPV4
+ * IPV6
+
+ * `region`: A reference to the region where the regional address resides.
+
+ * `prefix_length`: The prefix length of the IP range. If not present, it means the address field is a single IP address. This field is not applicable to addresses with addressType=EXTERNAL, or addressType=INTERNAL when purpose=PRIVATE_SERVICE_CONNECT
+
+ * `address_type`: The type of the address to reserve. * EXTERNAL indicates public/external single IP address. * INTERNAL indicates internal IP ranges belonging to some network.
+ Possible values:
+ * EXTERNAL
+ * INTERNAL
+
+ * `purpose`: The purpose of the resource. For global internal addresses it can be * VPC_PEERING - for peer networks * PRIVATE_SERVICE_CONNECT - for ([Beta](https://terraform.io/docs/providers/google/guides/provider_versions.html) only) Private Service Connect networks This should only be set when using an Internal address.
+ Possible values:
+ * VPC_PEERING
+ * PRIVATE_SERVICE_CONNECT
+
+ * `network`: The URL of the network in which to reserve the IP range. The IP range must be in RFC1918 space. The network cannot be deleted if there are any reserved IP ranges referring to it. This should only be set when using an Internal address.
+
+
+## GCP permissions
+
+Ensure the [Compute Engine API](https://console.cloud.google.com/apis/library/compute.googleapis.com/) is enabled for the current project.
diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_global_addresses.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_global_addresses.md
new file mode 100644
index 0000000..f81c38c
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_global_addresses.md
@@ -0,0 +1,58 @@
++++
+title = "google_compute_global_addresses resource"
+
+draft = false
+
+
+[menu.gcp]
+title = "google_compute_global_addresses"
+identifier = "inspec/resources/gcp/google_compute_global_addresses resource"
+parent = "inspec/resources/gcp"
++++
+
+## Syntax
+
+A `google_compute_global_addresses` is used to test a Google GlobalAddress resource
+
+
+## Beta Resource
+This resource has beta fields available. To retrieve these fields, include `beta: true` in the constructor for the resource.
+
+## Examples
+
+```ruby
+describe google_compute_global_addresses(project: 'chef-gcp-inspec', name: 'inspec-gcp-global-address') do
+ its('count') { should be >= 1 }
+ its('names') { should include 'inspec-gcp-global-address' }
+ its('ip_versions') { should include 'IPV6' }
+end
+```
+
+## Properties
+
+Properties that can be accessed from the `google_compute_global_addresses` resource:
+
+See [google_compute_global_address](google_compute_global_address) for more detailed information.
+
+ * `addresses`: an array of `google_compute_global_address` address
+ * `creation_timestamps`: an array of `google_compute_global_address` creation_timestamp
+ * `descriptions`: an array of `google_compute_global_address` description
+ * `ids`: an array of `google_compute_global_address` id
+ * `names`: an array of `google_compute_global_address` name
+ * `labels`: (Beta only) an array of `google_compute_global_address` labels
+ * `label_fingerprints`: (Beta only) an array of `google_compute_global_address` label_fingerprint
+ * `ip_versions`: an array of `google_compute_global_address` ip_version
+ * `regions`: an array of `google_compute_global_address` region
+ * `prefix_lengths`: an array of `google_compute_global_address` prefix_length
+ * `address_types`: an array of `google_compute_global_address` address_type
+ * `purposes`: an array of `google_compute_global_address` purpose
+ * `networks`: an array of `google_compute_global_address` network
+
+## Filter criteria
+
+This resource supports all of the above properties as filter criteria, which can be used
+with `where` as a block or a method.
+
+## GCP permissions
+
+Ensure the [Compute Engine API](https://console.cloud.google.com/apis/library/compute.googleapis.com/) is enabled for the current project.
diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_global_forwarding_rule.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_global_forwarding_rule.md
new file mode 100644
index 0000000..64fe7df
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_global_forwarding_rule.md
@@ -0,0 +1,95 @@
++++
+title = "google_compute_global_forwarding_rule resource"
+
+draft = false
+
+
+[menu.gcp]
+title = "google_compute_global_forwarding_rule"
+identifier = "inspec/resources/gcp/google_compute_global_forwarding_rule resource"
+parent = "inspec/resources/gcp"
++++
+
+## Syntax
+
+A `google_compute_global_forwarding_rule` is used to test a Google GlobalForwardingRule resource
+
+
+## Beta Resource
+This resource has beta fields available. To retrieve these fields, include `beta: true` in the constructor for the resource.
+
+## Examples
+
+```ruby
+describe google_compute_global_forwarding_rule(project: 'chef-gcp-inspec', name: 'inspec-gcp-global-forwarding-rule') do
+ it { should exist }
+ its('port_range') { should eq '80-80' }
+ its('target') { should match /\/inspec-gcp-http-proxy$/ }
+end
+
+describe google_compute_global_forwarding_rule(project: 'chef-gcp-inspec', name: 'nonexistent') do
+ it { should_not exist }
+end
+```
+
+## Properties
+
+Properties that can be accessed from the `google_compute_global_forwarding_rule` resource:
+
+
+ * `creation_timestamp`: Creation timestamp in RFC3339 text format.
+
+ * `description`: An optional description of this resource. Provide this property when you create the resource.
+
+ * `id`: The unique identifier for the resource.
+
+ * `ip_address`: The IP address that this forwarding rule is serving on behalf of. Addresses are restricted based on the forwarding rule's load balancing scheme (external or internal) and scope (global or regional). The address must be a global IP for external global forwarding rules. If this field is empty, an ephemeral IPv4 address from the same scope (global) is chosen. Global forwarding rules supports either IPv4 or IPv6. When the load balancing scheme is INTERNAL_SELF_MANAGED, this must be a URL reference to an existing Address resource (internal regional static IP address), with a purpose of GCE_END_POINT and addressType of INTERNAL. 
([Beta](https://terraform.io/docs/providers/google/guides/provider_versions.html) only) This must be a URL reference to an existing Address resource (internal global static IP address), with a purpose of PRIVATE_SERVICE_CONNECT and addressType of INTERNAL. An address can be specified either by a literal IP address or a URL reference to an existing Address resource. The following examples are all valid: * 100.1.2.3 * https://www.googleapis.com/compute/v1/projects/project/regions/ region/addresses/address * projects/project/regions/region/addresses/address * regions/region/addresses/address * global/addresses/address * address
+
+ * `ip_protocol`: The IP protocol to which this rule applies. When the load balancing scheme is INTERNAL_SELF_MANAGED, only TCP is valid. This field must not be set if the global address is configured as a purpose of PRIVATE_SERVICE_CONNECT and addressType of INTERNAL
+ Possible values:
+ * TCP
+ * UDP
+ * ESP
+ * AH
+ * SCTP
+ * ICMP
+
+ * `ip_version`: The IP Version that will be used by this global forwarding rule.
+ Possible values:
+ * IPV4
+ * IPV6
+
+ * `labels`: (Beta only) Labels to apply to this forwarding rule. A list of key->value pairs.
+
+ * `label_fingerprint`: (Beta only) The fingerprint used for optimistic locking of this resource. Used internally during updates.
+
+ * `load_balancing_scheme`: This signifies what the GlobalForwardingRule will be used for. The value of INTERNAL_SELF_MANAGED means that this will be used for Internal Global HTTP(S) LB. The value of EXTERNAL means that this will be used for External Global Load Balancing (HTTP(S) LB, External TCP/UDP LB, SSL Proxy) ([Beta](https://terraform.io/docs/providers/google/guides/provider_versions.html) only) Note: This field must be set "" if the global address is configured as a purpose of PRIVATE_SERVICE_CONNECT and addressType of INTERNAL. 
+ Possible values:
+ * EXTERNAL
+ * INTERNAL_SELF_MANAGED
+
+ * `metadata_filters`: Opaque filter criteria used by Loadbalancer to restrict routing configuration to a limited set xDS compliant clients. In their xDS requests to Loadbalancer, xDS clients present node metadata. If a match takes place, the relevant routing configuration is made available to those proxies. For each metadataFilter in this list, if its filterMatchCriteria is set to MATCH_ANY, at least one of the filterLabels must match the corresponding label provided in the metadata. If its filterMatchCriteria is set to MATCH_ALL, then all of its filterLabels must match with corresponding labels in the provided metadata. metadataFilters specified here can be overridden by those specified in the UrlMap that this ForwardingRule references. metadataFilters only applies to Loadbalancers that have their loadBalancingScheme set to INTERNAL_SELF_MANAGED.
+
+ * `filter_match_criteria`: Specifies how individual filterLabel matches within the list of filterLabels contribute towards the overall metadataFilter match. MATCH_ANY - At least one of the filterLabels must have a matching label in the provided metadata. MATCH_ALL - All filterLabels must have matching labels in the provided metadata.
+ Possible values:
+ * MATCH_ANY
+ * MATCH_ALL
+
+ * `filter_labels`: The list of label value pairs that must match labels in the provided metadata based on filterMatchCriteria This list must not be empty and can have at the most 64 entries.
+
+ * `name`: Name of the metadata label. The length must be between 1 and 1024 characters, inclusive.
+
+ * `value`: The value that the label must match. The value has a maximum length of 1024 characters.
+
+ * `name`: Name of the resource; provided by the client when the resource is created. The name must be 1-63 characters long, and comply with RFC1035. 
Specifically, the name must be 1-63 characters long and match the regular expression `[a-z]([-a-z0-9]*[a-z0-9])?` which means the first character must be a lowercase letter, and all following characters must be a dash, lowercase letter, or digit, except the last character, which cannot be a dash.
+
+ * `network`: This field is not used for external load balancing. For INTERNAL_SELF_MANAGED load balancing, this field identifies the network that the load balanced IP should belong to for this global forwarding rule. If this field is not specified, the default network will be used.
+
+ * `port_range`: This field is used along with the target field for TargetHttpProxy, TargetHttpsProxy, TargetSslProxy, TargetTcpProxy, TargetVpnGateway, TargetPool, TargetInstance. Applicable only when IPProtocol is TCP, UDP, or SCTP, only packets addressed to ports in the specified range will be forwarded to target. Forwarding rules with the same [IPAddress, IPProtocol] pair must have disjoint port ranges. Some types of forwarding target have constraints on the acceptable ports: * TargetHttpProxy: 80, 8080 * TargetHttpsProxy: 443 * TargetTcpProxy: 25, 43, 110, 143, 195, 443, 465, 587, 700, 993, 995, 1883, 5222 * TargetSslProxy: 25, 43, 110, 143, 195, 443, 465, 587, 700, 993, 995, 1883, 5222 * TargetVpnGateway: 500, 4500
+
+ * `target`: The URL of the target resource to receive the matched traffic. The forwarded traffic must be of a type appropriate to the target object. For INTERNAL_SELF_MANAGED load balancing, only HTTP and HTTPS targets are valid. ([Beta](https://terraform.io/docs/providers/google/guides/provider_versions.html) only) For global address with a purpose of PRIVATE_SERVICE_CONNECT and addressType of INTERNAL, only "all-apis" and "vpc-sc" are valid.
+
+
+## GCP permissions
+
+Ensure the [Compute Engine API](https://console.cloud.google.com/apis/library/compute.googleapis.com/) is enabled for the current project.
diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_global_forwarding_rules.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_global_forwarding_rules.md
new file mode 100644
index 0000000..d7b8009
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_global_forwarding_rules.md
@@ -0,0 +1,58 @@
++++
+title = "google_compute_global_forwarding_rules resource"
+
+draft = false
+
+
+[menu.gcp]
+title = "google_compute_global_forwarding_rules"
+identifier = "inspec/resources/gcp/google_compute_global_forwarding_rules resource"
+parent = "inspec/resources/gcp"
++++
+
+## Syntax
+
+A `google_compute_global_forwarding_rules` is used to test a Google GlobalForwardingRule resource
+
+
+## Beta Resource
+This resource has beta fields available. To retrieve these fields, include `beta: true` in the constructor for the resource.
+
+## Examples
+
+```ruby
+describe google_compute_global_forwarding_rules(project: 'chef-gcp-inspec') do
+ its('count') { should be >= 1 }
+ its('port_ranges') { should include '80-80' }
+end
+```
+
+## Properties
+
+Properties that can be accessed from the `google_compute_global_forwarding_rules` resource:
+
+See [google_compute_global_forwarding_rule](google_compute_global_forwarding_rule) for more detailed information.
+
+ * `creation_timestamps`: an array of `google_compute_global_forwarding_rule` creation_timestamp
+ * `descriptions`: an array of `google_compute_global_forwarding_rule` description
+ * `ids`: an array of `google_compute_global_forwarding_rule` id
+ * `ip_addresses`: an array of `google_compute_global_forwarding_rule` ip_address
+ * `ip_protocols`: an array of `google_compute_global_forwarding_rule` ip_protocol
+ * `ip_versions`: an array of `google_compute_global_forwarding_rule` ip_version
+ * `labels`: (Beta only) an array of `google_compute_global_forwarding_rule` labels
+ * `label_fingerprints`: (Beta only) an array of `google_compute_global_forwarding_rule` label_fingerprint
+ * `load_balancing_schemes`: an array of `google_compute_global_forwarding_rule` load_balancing_scheme
+ * `metadata_filters`: an array of `google_compute_global_forwarding_rule` metadata_filters
+ * `names`: an array of `google_compute_global_forwarding_rule` name
+ * `networks`: an array of 
`google_compute_global_forwarding_rule` network
+ * `port_ranges`: an array of `google_compute_global_forwarding_rule` port_range
+ * `targets`: an array of `google_compute_global_forwarding_rule` target
+
+## Filter criteria
+
+This resource supports all of the above properties as filter criteria, which can be used
+with `where` as a block or a method.
+
+## GCP permissions
+
+Ensure the [Compute Engine API](https://console.cloud.google.com/apis/library/compute.googleapis.com/) is enabled for the current project.
diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_global_network_endpoint_group.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_global_network_endpoint_group.md
new file mode 100644
index 0000000..6f266a1
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_global_network_endpoint_group.md
@@ -0,0 +1,125 @@ ++++ +title = "google_compute_global_network_endpoint_group resource" + +draft = false + + +[menu.gcp] +title = "google_compute_global_network_endpoint_group" +identifier = "inspec/resources/gcp/google_compute_global_network_endpoint_group resource" +parent = "inspec/resources/gcp" ++++ + +Use the `google_compute_global_network_endpoint_group` InSpec audit resource to to test a Google Cloud GlobalNetworkEndpointGroup resource. + +## Examples + +```ruby +describe google_compute_global_network_endpoint_group(project: 'chef-gcp-inspec', name: 'inspec-gcp-global-endpoint-group') do + it { should exist } + its('default_port') { should cmp '90' } + its('kind') { should cmp '' } + its('id') { should cmp '' } + its('creation_timestamp') { should cmp '' } + its('self_link') { should cmp '' } + its('name') { should cmp 'inspec-gcp-global-endpoint-group' } + its('description') { should cmp '' } + its('network_endpoint_type') { should cmp 'INTERNET_IP_PORT' } + its('region') { should cmp '' } + its('zone') { should cmp '' } + its('network') { should cmp '' } + its('subnetwork') { should cmp '' } + its('psc_target_service') { should cmp '' } +end + +describe google_compute_global_network_endpoint_group(project: 'chef-gcp-inspec',name: 'nonexistent') do + it { should_not exist } +end +``` + +## Properties + +Properties that can be accessed from the `google_compute_global_network_endpoint_group` resource: + + + * `kind`: [Output Only] Type of the resource. Always compute#networkEndpointGroup for network endpoint group. + + * `id`: [Output Only] The unique identifier for the resource. This identifier is defined by the server. + + * `creation_timestamp`: [Output Only] Creation timestamp in RFC3339 text format. + + * `self_link`: [Output Only] Server-defined URL for the resource. + + * `name`: Name of the resource; provided by the client when the resource is created. The name must be 1-63 characters long, and comply with RFC1035. 
Specifically, the name must be 1-63 characters long and match the regular expression `[a-z]([-a-z0-9]*[a-z0-9])?` which means the first character must be a lowercase letter, and all following characters must be a dash, lowercase letter, or digit, except the last character, which cannot be a dash. + + * `description`: An optional description of this resource. Provide this property when you create the resource. + + * `network_endpoint_type`: Type of network endpoints in this network endpoint group. Can be one of GCE_VM_IP, GCE_VM_IP_PORT, NON_GCP_PRIVATE_IP_PORT, INTERNET_FQDN_PORT, INTERNET_IP_PORT, SERVERLESS, PRIVATE_SERVICE_CONNECT. + Possible values: + * GCE_VM_IP + * GCE_VM_IP_PORT + * INTERNET_FQDN_PORT + * INTERNET_IP_PORT + * NON_GCP_PRIVATE_IP_PORT + * PRIVATE_SERVICE_CONNECT + * SERVERLESS + + * `size`: [Output only] Number of network endpoints in the network endpoint group. + + * `region`: [Output Only] The URL of the region where the network endpoint group is located. + + * `zone`: [Output Only] The URL of the zone where the network endpoint group is located. + + * `network`: The URL of the network to which all network endpoints in the NEG belong. Uses "default" project network if unspecified. + + * `subnetwork`: Optional URL of the subnetwork to which all network endpoints in the NEG belong. + + * `default_port`: The default port used if the port number is not specified in the network endpoint. + + * `annotations`: Metadata defined as annotations on the network endpoint group. + + * `additional_properties`: + + * `cloud_run`: Configuration for a Cloud Run network endpoint group (NEG). The service must be provided explicitly or in the URL mask. The tag is optional, may be provided explicitly or in the URL mask. Note: Cloud Run service must be in the same project and located in the same region as the Serverless NEG. + + * `service`: Cloud Run service is the main resource of Cloud Run. The service must be 1-63 characters long, and comply with RFC1035. 
Example value: "run-service". + + * `tag`: Optional Cloud Run tag represents the "named-revision" to provide additional fine-grained traffic routing information. The tag must be 1-63 characters long, and comply with RFC1035. Example value: "revision-0010". + + * `url_mask`: A template to parse and fields from a request URL. URL mask allows for routing to multiple Run services without having to create multiple network endpoint groups and backend services. For example, request URLs "foo1.domain.com/bar1" and "foo1.domain.com/bar2" can be backed by the same Serverless Network Endpoint Group (NEG) with URL mask ".domain.com/". The URL mask will parse them to { service="bar1", tag="foo1" } and { service="bar2", tag="foo2" } respectively. + + * `app_engine`: Configuration for an App Engine network endpoint group (NEG). The service is optional, may be provided explicitly or in the URL mask. The version is optional and can only be provided explicitly or in the URL mask when service is present. Note: App Engine service must be in the same project and located in the same region as the Serverless NEG. + + * `service`: Optional serving service. The service name is case-sensitive and must be 1-63 characters long. Example value: "default", "my-service". + + * `version`: Optional serving version. The version name is case-sensitive and must be 1-100 characters long. Example value: "v1", "v2". + + * `url_mask`: A template to parse service and version fields from a request URL. URL mask allows for routing to multiple App Engine services without having to create multiple Network Endpoint Groups and backend services. For example, the request URLs "foo1-dot-appname.appspot.com/v1" and "foo1-dot-appname.appspot.com/v2" can be backed by the same Serverless NEG with URL mask "-dot-appname.appspot.com/". The URL mask will parse them to { service = "foo1", version = "v1" } and { service = "foo1", version = "v2" } respectively. 
+ + * `cloud_function`: Configuration for a Cloud Function network endpoint group (NEG). The function must be provided explicitly or in the URL mask. Note: Cloud Function must be in the same project and located in the same region as the Serverless NEG. + + * `function`: A user-defined name of the Cloud Function. The function name is case-sensitive and must be 1-63 characters long. Example value: "func1". + + * `url_mask`: A template to parse function field from a request URL. URL mask allows for routing to multiple Cloud Functions without having to create multiple Network Endpoint Groups and backend services. For example, request URLs " mydomain.com/function1" and "mydomain.com/function2" can be backed by the same Serverless NEG with URL mask "/". The URL mask will parse them to { function = "function1" } and { function = "function2" } respectively. + + * `psc_target_service`: The target service url used to set up private service connection to a Google API or a PSC Producer Service Attachment. An example value is: "asia-northeast3-cloudkms.googleapis.com" + + * `psc_data`: All data that is specifically relevant to only network endpoint groups of type PRIVATE_SERVICE_CONNECT. + + * `consumer_psc_address`: [Output Only] Address allocated from given subnetwork for PSC. This IP address acts as a VIP for a PSC NEG, allowing it to act as an endpoint in L7 PSC-XLB. + + * `psc_connection_id`: [Output Only] The PSC connection id of the PSC Network Endpoint Group Consumer. + + * `psc_connection_status`: [Output Only] The connection status of the PSC Forwarding Rule. + Possible values: + * ACCEPTED + * CLOSED + * NEEDS_ATTENTION + * PENDING + * REJECTED + * STATUS_UNSPECIFIED + + +## GCP permissions + +Ensure the [Compute Engine API](https://console.cloud.google.com/apis/library/compute.googleapis.com/) is enabled for the current project. 
diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_global_network_endpoint_groups.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_global_network_endpoint_groups.md new file mode 100644 index 0000000..8d895fb --- /dev/null +++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_global_network_endpoint_groups.md 
@@ -0,0 +1,59 @@ ++++ +title = "google_compute_global_network_endpoint_groups resource" + +draft = false + + +[menu.gcp] +title = "google_compute_global_network_endpoint_groups" +identifier = "inspec/resources/gcp/google_compute_global_network_endpoint_groups resource" +parent = "inspec/resources/gcp" ++++ + +Use the `google_compute_global_network_endpoint_groups` InSpec audit resource to to test a Google Cloud GlobalNetworkEndpointGroup resource. + +## Examples + +```ruby +describe google_compute_global_network_endpoint_groups(project: 'chef-gcp-inspec') do + it { should exist } + its('default_ports') { should include '90' } + its('names') { should include 'inspec-gcp-global-endpoint-group' } + its('network_endpoint_types'){ should include 'INTERNET_IP_PORT' } +end +``` + +## Properties + +Properties that can be accessed from the `google_compute_global_network_endpoint_groups` resource: + +See [google_compute_global_network_endpoint_group](google_compute_global_network_endpoint_group) for more detailed information. 
+ + * `kinds`: an array of `google_compute_global_network_endpoint_group` kind + * `ids`: an array of `google_compute_global_network_endpoint_group` id + * `creation_timestamps`: an array of `google_compute_global_network_endpoint_group` creation_timestamp + * `self_links`: an array of `google_compute_global_network_endpoint_group` self_link + * `names`: an array of `google_compute_global_network_endpoint_group` name + * `descriptions`: an array of `google_compute_global_network_endpoint_group` description + * `network_endpoint_types`: an array of `google_compute_global_network_endpoint_group` network_endpoint_type + * `sizes`: an array of `google_compute_global_network_endpoint_group` size + * `regions`: an array of `google_compute_global_network_endpoint_group` region + * `zones`: an array of `google_compute_global_network_endpoint_group` zone + * `networks`: an array of `google_compute_global_network_endpoint_group` network + * `subnetworks`: an array of `google_compute_global_network_endpoint_group` subnetwork + * `default_ports`: an array of `google_compute_global_network_endpoint_group` default_port + * `annotations`: an array of `google_compute_global_network_endpoint_group` annotations + * `cloud_runs`: an array of `google_compute_global_network_endpoint_group` cloud_run + * `app_engines`: an array of `google_compute_global_network_endpoint_group` app_engine + * `cloud_functions`: an array of `google_compute_global_network_endpoint_group` cloud_function + * `psc_target_services`: an array of `google_compute_global_network_endpoint_group` psc_target_service + * `psc_data`: an array of `google_compute_global_network_endpoint_group` psc_data + +## Filter criteria + +This resource supports all of the above properties as filter criteria, which can be used +with `where` as a block or a method. + +## GCP permissions + +Ensure the [Compute Engine API](https://console.cloud.google.com/apis/library/compute.googleapis.com/) is enabled for the current project. 
diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_global_operation.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_global_operation.md new file mode 100644 index 0000000..e8c69dd --- /dev/null +++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_global_operation.md 
@@ -0,0 +1,65 @@ ++++ +title = "google_compute_global_operation resource" + +draft = false + + +[menu.gcp] +title = "google_compute_global_operation" +identifier = "inspec/resources/gcp/google_compute_global_operation resource" +parent = "inspec/resources/gcp" ++++ + +Use the `google_compute_global_operation` InSpec audit resource to to test a Google Cloud GlobalOperation resource. + +## Examples + +```ruby +describe google_compute_global_operation(project: 'chef-gcp-inspec', name: 'operation-1634799391539-5ced765030229-be5d5765-6623920f') do + it { should exist } + it { should be_up } + its('operation_type') { should include 'delete' } +end +``` + +## Properties + +Properties that can be accessed from the `google_compute_global_operation` resource: + + + * `creation_timestamp`: Creation timestamp in RFC3339 text format.This field is deprecated. + + * `description`: An optional textual description of the resource. + + * `id`: The unique identifier for the resource. + + * `name`: Name of the operation. + + * `zone`: The URL of the zone where the operation resides. Only applicable when performing per-zone operations. + + * `client_operation_id`: The value of requestId if you provided it in the request. Not present otherwise. + + * `operation_type`: The type of operation, such as insert, update, or delete, and so on. + + * `user`: User who requested the operation, for example: user@example.com. + + * `progress`: An optional progress indicator that ranges from 0 to 100. There is no requirement that this be linear or support any granularity of operations. This should not be used to guess when the operation will be complete. This number should monotonically increase as the operation progresses. + + * `insert_time`: The time that this operation was requested. This value is in RFC3339 text format. + + * `start_time`: The time that this operation was started by the server. This value is in RFC3339 text format. + + * `end_time`: The time that this operation was completed. 
This value is in RFC3339 text format. + + * `status`: The status of the operation, which can be one of the following: * PENDING * PENDINGPENDING * DONE + Possible values: + * PENDING + * PENDING + * DONE + + * `status_message`: An optional textual description of the current status of the operation. + + +## GCP permissions + +Ensure the [Compute Engine API](https://console.cloud.google.com/apis/library/compute.googleapis.com/) is enabled for the current project. diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_global_operations.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_global_operations.md new file mode 100644 index 0000000..2fc07ca --- /dev/null +++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_global_operations.md 
@@ -0,0 +1,53 @@ ++++ +title = "google_compute_global_operations resource" + +draft = false + + +[menu.gcp] +title = "google_compute_global_operations" +identifier = "inspec/resources/gcp/google_compute_global_operations resource" +parent = "inspec/resources/gcp" ++++ + +Use the `google_compute_global_operations` InSpec audit resource to to test a Google Cloud GlobalOperation resource. + +## Examples + +```ruby +describe google_compute_global_operations(project: 'chef-gcp-inspec') do + it { should exist } + it { should be_up } + its('operation_type') { should include 'delete' } +end +``` + +## Properties + +Properties that can be accessed from the `google_compute_global_operations` resource: + +See [google_compute_global_operation](google_compute_global_operation) for more detailed information. + + * `creation_timestamps`: an array of `google_compute_global_operation` creation_timestamp + * `descriptions`: an array of `google_compute_global_operation` description + * `ids`: an array of `google_compute_global_operation` id + * `names`: an array of `google_compute_global_operation` name + * `zones`: an array of `google_compute_global_operation` zone + * `client_operation_ids`: an array of `google_compute_global_operation` client_operation_id + * `operation_types`: an array of `google_compute_global_operation` operation_type + * `users`: an array of `google_compute_global_operation` user + * `progresses`: an array of `google_compute_global_operation` progress + * `insert_times`: an array of `google_compute_global_operation` insert_time + * `start_times`: an array of `google_compute_global_operation` start_time + * `end_times`: an array of `google_compute_global_operation` end_time + * `statuses`: an array of `google_compute_global_operation` status + * `status_messages`: an array of `google_compute_global_operation` status_message + +## Filter criteria + +This resource supports all of the above properties as filter criteria, which can be used +with `where` as a block 
or a method. + +## GCP permissions + +Ensure the [Compute Engine API](https://console.cloud.google.com/apis/library/compute.googleapis.com/) is enabled for the current project. diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_health_check.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_health_check.md new file mode 100644 index 0000000..32bba0b --- /dev/null +++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_health_check.md 
@@ -0,0 +1,196 @@ ++++ +title = "google_compute_health_check resource" + +draft = false + + +[menu.gcp] +title = "google_compute_health_check" +identifier = "inspec/resources/gcp/google_compute_health_check resource" +parent = "inspec/resources/gcp" ++++ + +## Syntax + +A `google_compute_health_check` is used to test a Google HealthCheck resource + + +## Beta Resource +This resource has beta fields available. To retrieve these fields, include `beta: true` in the constructor for the resource. + +## Examples + +```ruby +describe google_compute_health_check(project: 'chef-gcp-inspec', name: 'inspec-gcp-health-check') do + it { should exist } + its('timeout_sec') { should eq '10' } + its('tcp_health_check.port') { should eq '80' } +end + +describe google_compute_health_check(project: 'chef-gcp-inspec', name: 'nonexistent') do + it { should_not exist } +end +``` + +## Properties + +Properties that can be accessed from the `google_compute_health_check` resource: + + + * `check_interval_sec`: How often (in seconds) to send a health check. The default value is 5 seconds. + + * `creation_timestamp`: Creation timestamp in RFC3339 text format. + + * `description`: An optional description of this resource. Provide this property when you create the resource. + + * `healthy_threshold`: A so-far unhealthy instance will be marked healthy after this many consecutive successes. The default value is 2. + + * `id`: The unique identifier for the resource. This identifier is defined by the server. + + * `name`: Name of the resource. Provided by the client when the resource is created. The name must be 1-63 characters long, and comply with RFC1035. Specifically, the name must be 1-63 characters long and match the regular expression `[a-z]([-a-z0-9]*[a-z0-9])?` which means the first character must be a lowercase letter, and all following characters must be a dash, lowercase letter, or digit, except the last character, which cannot be a dash. 
+ + * `timeout_sec`: How long (in seconds) to wait before claiming failure. The default value is 5 seconds. It is invalid for timeoutSec to have greater value than checkIntervalSec. + + * `unhealthy_threshold`: A so-far healthy instance will be marked unhealthy after this many consecutive failures. The default value is 2. + + * `type`: Specifies the type of the healthCheck, either TCP, SSL, HTTP or HTTPS. If not specified, the default is TCP. Exactly one of the protocol-specific health check field must be specified, which must match type field. + Possible values: + * TCP + * SSL + * HTTP + * HTTPS + * HTTP2 + + * `http_health_check`: A nested object resource + + * `host`: The value of the host header in the HTTP health check request. If left empty (default value), the public IP on behalf of which this health check is performed will be used. + + * `request_path`: The request path of the HTTP health check request. The default value is /. + + * `response`: The bytes to match against the beginning of the response data. If left empty (the default value), any response will indicate health. The response data can only be ASCII. + + * `port`: The TCP port number for the HTTP health check request. The default value is 80. + + * `port_name`: Port name as defined in InstanceGroup#NamedPort#name. If both port and port_name are defined, port takes precedence. + + * `proxy_header`: Specifies the type of proxy header to append before sending data to the backend. + Possible values: + * NONE + * PROXY_V1 + + * `port_specification`: Specifies how port is selected for health checking, can be one of the following values: * `USE_FIXED_PORT`: The port number in `port` is used for health checking. * `USE_NAMED_PORT`: The `portName` is used for health checking. * `USE_SERVING_PORT`: For NetworkEndpointGroup, the port specified for each network endpoint is used for health checking. For other backends, the port or named port specified in the Backend Service is used for health checking. 
If not specified, HTTP health check follows behavior specified in `port` and `portName` fields. + Possible values: + * USE_FIXED_PORT + * USE_NAMED_PORT + * USE_SERVING_PORT + + * `https_health_check`: A nested object resource + + * `host`: The value of the host header in the HTTPS health check request. If left empty (default value), the public IP on behalf of which this health check is performed will be used. + + * `request_path`: The request path of the HTTPS health check request. The default value is /. + + * `response`: The bytes to match against the beginning of the response data. If left empty (the default value), any response will indicate health. The response data can only be ASCII. + + * `port`: The TCP port number for the HTTPS health check request. The default value is 443. + + * `port_name`: Port name as defined in InstanceGroup#NamedPort#name. If both port and port_name are defined, port takes precedence. + + * `proxy_header`: Specifies the type of proxy header to append before sending data to the backend. + Possible values: + * NONE + * PROXY_V1 + + * `port_specification`: Specifies how port is selected for health checking, can be one of the following values: * `USE_FIXED_PORT`: The port number in `port` is used for health checking. * `USE_NAMED_PORT`: The `portName` is used for health checking. * `USE_SERVING_PORT`: For NetworkEndpointGroup, the port specified for each network endpoint is used for health checking. For other backends, the port or named port specified in the Backend Service is used for health checking. If not specified, HTTPS health check follows behavior specified in `port` and `portName` fields. + Possible values: + * USE_FIXED_PORT + * USE_NAMED_PORT + * USE_SERVING_PORT + + * `tcp_health_check`: A nested object resource + + * `request`: The application data to send once the TCP connection has been established (default value is empty). If both request and response are empty, the connection establishment alone will indicate health. 
The request data can only be ASCII. + + * `response`: The bytes to match against the beginning of the response data. If left empty (the default value), any response will indicate health. The response data can only be ASCII. + + * `port`: The TCP port number for the TCP health check request. The default value is 443. + + * `port_name`: Port name as defined in InstanceGroup#NamedPort#name. If both port and port_name are defined, port takes precedence. + + * `proxy_header`: Specifies the type of proxy header to append before sending data to the backend. + Possible values: + * NONE + * PROXY_V1 + + * `port_specification`: Specifies how port is selected for health checking, can be one of the following values: * `USE_FIXED_PORT`: The port number in `port` is used for health checking. * `USE_NAMED_PORT`: The `portName` is used for health checking. * `USE_SERVING_PORT`: For NetworkEndpointGroup, the port specified for each network endpoint is used for health checking. For other backends, the port or named port specified in the Backend Service is used for health checking. If not specified, TCP health check follows behavior specified in `port` and `portName` fields. + Possible values: + * USE_FIXED_PORT + * USE_NAMED_PORT + * USE_SERVING_PORT + + * `ssl_health_check`: A nested object resource + + * `request`: The application data to send once the SSL connection has been established (default value is empty). If both request and response are empty, the connection establishment alone will indicate health. The request data can only be ASCII. + + * `response`: The bytes to match against the beginning of the response data. If left empty (the default value), any response will indicate health. The response data can only be ASCII. + + * `port`: The TCP port number for the SSL health check request. The default value is 443. + + * `port_name`: Port name as defined in InstanceGroup#NamedPort#name. If both port and port_name are defined, port takes precedence. 
+ + * `proxy_header`: Specifies the type of proxy header to append before sending data to the backend. + Possible values: + * NONE + * PROXY_V1 + + * `port_specification`: Specifies how port is selected for health checking, can be one of the following values: * `USE_FIXED_PORT`: The port number in `port` is used for health checking. * `USE_NAMED_PORT`: The `portName` is used for health checking. * `USE_SERVING_PORT`: For NetworkEndpointGroup, the port specified for each network endpoint is used for health checking. For other backends, the port or named port specified in the Backend Service is used for health checking. If not specified, SSL health check follows behavior specified in `port` and `portName` fields. + Possible values: + * USE_FIXED_PORT + * USE_NAMED_PORT + * USE_SERVING_PORT + + * `http2_health_check`: A nested object resource + + * `host`: The value of the host header in the HTTP2 health check request. If left empty (default value), the public IP on behalf of which this health check is performed will be used. + + * `request_path`: The request path of the HTTP2 health check request. The default value is /. + + * `response`: The bytes to match against the beginning of the response data. If left empty (the default value), any response will indicate health. The response data can only be ASCII. + + * `port`: The TCP port number for the HTTP2 health check request. The default value is 443. + + * `port_name`: Port name as defined in InstanceGroup#NamedPort#name. If both port and port_name are defined, port takes precedence. + + * `proxy_header`: Specifies the type of proxy header to append before sending data to the backend. + Possible values: + * NONE + * PROXY_V1 + + * `port_specification`: Specifies how port is selected for health checking, can be one of the following values: * `USE_FIXED_PORT`: The port number in `port` is used for health checking. * `USE_NAMED_PORT`: The `portName` is used for health checking. 
* `USE_SERVING_PORT`: For NetworkEndpointGroup, the port specified for each network endpoint is used for health checking. For other backends, the port or named port specified in the Backend Service is used for health checking. If not specified, HTTP2 health check follows behavior specified in `port` and `portName` fields. + Possible values: + * USE_FIXED_PORT + * USE_NAMED_PORT + * USE_SERVING_PORT + + * `grpc_health_check`: A nested object resource + + * `port`: The port number for the health check request. Must be specified if portName and portSpecification are not set or if port_specification is USE_FIXED_PORT. Valid values are 1 through 65535. + + * `port_name`: Port name as defined in InstanceGroup#NamedPort#name. If both port and port_name are defined, port takes precedence. + + * `port_specification`: Specifies how port is selected for health checking, can be one of the following values: * `USE_FIXED_PORT`: The port number in `port` is used for health checking. * `USE_NAMED_PORT`: The `portName` is used for health checking. * `USE_SERVING_PORT`: For NetworkEndpointGroup, the port specified for each network endpoint is used for health checking. For other backends, the port or named port specified in the Backend Service is used for health checking. If not specified, gRPC health check follows behavior specified in `port` and `portName` fields. + Possible values: + * USE_FIXED_PORT + * USE_NAMED_PORT + * USE_SERVING_PORT + + * `grpc_service_name`: The gRPC service name for the health check. The value of grpcServiceName has the following meanings by convention: - Empty serviceName means the overall status of all services at the backend. - Non-empty serviceName means the health of that gRPC service, as defined by the owner of the service. The grpcServiceName can only be ASCII. + + * `log_config`: (Beta only) Configure logging on this health check. + + * `enable`: Indicates whether or not to export logs. 
This is false by default, which means no health check logging will be done. + + +## GCP permissions + +Ensure the [Compute Engine API](https://console.cloud.google.com/apis/library/compute.googleapis.com/) is enabled for the current project. diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_health_check_service.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_health_check_service.md new file mode 100644 index 0000000..0d579c3 --- /dev/null +++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_health_check_service.md 
@@ -0,0 +1,60 @@ ++++ +title = "google_compute_health_check_service resource" + +draft = false + + +[menu.gcp] +title = "google_compute_health_check_service" +identifier = "inspec/resources/gcp/google_compute_health_check_service resource" +parent = "inspec/resources/gcp" ++++ + +Use the `google_compute_health_check_service` InSpec audit resource to to test a Google Cloud HealthCheckService resource. + +## Examples + +```ruby +describe google_compute_health_check_service(project: 'chef-gcp-inspec', region: 'us-central1', name: 'instance-group-2') do +it { should exist } +its('name') { should eq 'instance-group-2' } +its('health_status_aggregation_policy') { should eq 'NO_AGGREGATION' } +end + +describe google_compute_health_check_service(project: 'chef-gcp-inspec', region: 'europe-west2', name: 'nonexistent') do +it { should_not exist } +end +``` + +## Properties + +Properties that can be accessed from the `google_compute_health_check_service` resource: + + + * `creation_timestamp`: Creation timestamp in RFC3339 text format.This field is deprecated. + + * `description`: An optional textual description of the resource. + + * `id`: The unique identifier for the resource. + + * `name`: Name of the resource. + + * `health_status_aggregation_policy`: Optional. Policy for how the results from multiple health checks for the same endpoint are aggregated. Defaults to NO_AGGREGATION if unspecified. NO_AGGREGATION. An EndpointHealth message is returned for each pair in the health check service. AND. If any health check of an endpoint reports UNHEALTHY, then UNHEALTHY is the HealthState of the endpoint. If all health checks report HEALTHY, the HealthState of the endpoint is HEALTHY. + Possible values: + * HEALTHY + * UNHEALTHY + + * `health_checks`: A list of URLs to the HealthCheck resources. Must have at least one HealthCheck, and not more than 10. HealthCheck resources must have portSpecification=USE_SERVING_PORT or portSpecification=USE_FIXED_PORT. 
For regional HealthCheckService, the HealthCheck must be regional and in the same region. For global HealthCheckService, HealthCheck must be global. Mix of regional and global HealthChecks is not supported. Multiple regional HealthChecks must belong to the same region. Regional HealthChecks must belong to the same region as zones of NEGs. + + * `network_endpoint_groups`: A list of URLs to the NetworkEndpointGroup resources. Must not have more than 100. For regional HealthCheckService, NEGs must be in zones in the region of the HealthCheckService. + + * `notification_endpoints`: A list of URLs to the NotificationEndpoint resources. Must not have more than 10. A list of endpoints for receiving notifications of change in health status. For regional HealthCheckService, NotificationEndpoint must be regional and in the same region. For global HealthCheckService, NotificationEndpoint must be global. + + * `fingerprint`: Fingerprint of this resource. A hash of the contents stored in this object. This field is used in optimistic locking. This field will be ignored when inserting a HealthCheckService. An up-to-date fingerprint must be provided in order to patch/update the HealthCheckService; Otherwise, the request will fail with error 412 conditionNotMet. To see the latest fingerprint, make a get() request to retrieve the HealthCheckService. A base64-encoded string. + + * `next_page_token`: This token allows you to get the next page of results for list requests. If the number of results is larger than maxResults, use the nextPageToken as a value for the query parameter pageToken in the next list request. Subsequent list requests will have their own nextPageToken to continue paging through the results. + + +## GCP permissions + +Ensure the [Compute Engine API](https://console.cloud.google.com/apis/library/compute.googleapis.com/) is enabled for the current project. 
diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_health_check_services.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_health_check_services.md new file mode 100644 index 0000000..0564a61 --- /dev/null +++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_health_check_services.md 
@@ -0,0 +1,49 @@
++++
+title = "google_compute_health_check_services resource"
+
+draft = false
+
+
+[menu.gcp]
+title = "google_compute_health_check_services"
+identifier = "inspec/resources/gcp/google_compute_health_check_services resource"
+parent = "inspec/resources/gcp"
++++
+
+Use the `google_compute_health_check_services` InSpec audit resource to to test a Google Cloud HealthCheckService resource.
+
+## Examples
+
+```ruby
+describe google_compute_health_check_services(project: 'chef-gcp-inspec', region: 'us-central1') do
+ it { should exist }
+ its('names') { should include 'instance-group-2' }
+ its('health_status_aggregation_policies') { should include 'NO_AGGREGATION' }
+end
+```
+
+## Properties
+
+Properties that can be accessed from the `google_compute_health_check_services` resource:
+
+See [google_compute_health_check_service](google_compute_health_check_service) for more detailed information.
+
+ * `creation_timestamps`: an array of `google_compute_health_check_service` creation_timestamp
+ * `descriptions`: an array of `google_compute_health_check_service` description
+ * `ids`: an array of `google_compute_health_check_service` id
+ * `names`: an array of `google_compute_health_check_service` name
+ * `health_status_aggregation_policies`: an array of `google_compute_health_check_service` health_status_aggregation_policy
+ * `health_checks`: an array of `google_compute_health_check_service` health_checks
+ * `network_endpoint_groups`: an array of `google_compute_health_check_service` network_endpoint_groups
+ * `notification_endpoints`: an array of `google_compute_health_check_service` notification_endpoints
+ * `fingerprints`: an array of `google_compute_health_check_service` fingerprint
+ * `next_page_tokens`: an array of `google_compute_health_check_service` next_page_token
+
+## Filter criteria
+
+This resource supports all of the above properties as filter criteria, which can be used
+with `where` as a block or a method.
+
+## GCP permissions
+
+Ensure the [Compute Engine API](https://console.cloud.google.com/apis/library/compute.googleapis.com/) is enabled for the current project.
diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_health_checks.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_health_checks.md
new file mode 100644
index 0000000..b09ec93
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_health_checks.md
@@ -0,0 +1,60 @@
++++
+title = "google_compute_health_checks resource"
+
+draft = false
+
+
+[menu.gcp]
+title = "google_compute_health_checks"
+identifier = "inspec/resources/gcp/google_compute_health_checks resource"
+parent = "inspec/resources/gcp"
++++
+
+## Syntax
+
+A `google_compute_health_checks` is used to test a Google HealthCheck resource
+
+
+## Beta Resource
+This resource has beta fields available. To retrieve these fields, include `beta: true` in the constructor for the resource.
+
+## Examples
+
+```ruby
+describe google_compute_health_checks(project: 'chef-gcp-inspec') do
+ its('names') { should include 'inspec-gcp-health-check' }
+ its('timeout_secs') { should include '10' }
+end
+```
+
+## Properties
+
+Properties that can be accessed from the `google_compute_health_checks` resource:
+
+See [google_compute_health_check](google_compute_health_check) for more detailed information.
+
+ * `check_interval_secs`: an array of `google_compute_health_check` check_interval_sec
+ * `creation_timestamps`: an array of `google_compute_health_check` creation_timestamp
+ * `descriptions`: an array of `google_compute_health_check` description
+ * `healthy_thresholds`: an array of `google_compute_health_check` healthy_threshold
+ * `ids`: an array of `google_compute_health_check` id
+ * `names`: an array of `google_compute_health_check` name
+ * `timeout_secs`: an array of `google_compute_health_check` timeout_sec
+ * `unhealthy_thresholds`: an array of `google_compute_health_check` unhealthy_threshold
+ * `types`: an array of `google_compute_health_check` type
+ * `http_health_checks`: an array of `google_compute_health_check` http_health_check
+ * `https_health_checks`: an array of `google_compute_health_check` https_health_check
+ * `tcp_health_checks`: an array of `google_compute_health_check` tcp_health_check
+ * `ssl_health_checks`: an array of `google_compute_health_check` ssl_health_check
+ * `http2_health_checks`: an array of `google_compute_health_check` http2_health_check
+ * `grpc_health_checks`: an array of `google_compute_health_check` grpc_health_check
+ * `log_configs`: (Beta only) an array of `google_compute_health_check` log_config
+
+## Filter criteria
+
+This resource supports all of the above properties as filter criteria, which can be used
+with `where` as a block or a method.
+
+## GCP permissions
+
+Ensure the [Compute Engine API](https://console.cloud.google.com/apis/library/compute.googleapis.com/) is enabled for the current project.
diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_http_health_check.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_http_health_check.md
new file mode 100644
index 0000000..e820cbd
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_http_health_check.md
@@ -0,0 +1,66 @@
++++
+title = "google_compute_http_health_check resource"
+
+draft = false
+
+
+[menu.gcp]
+title = "google_compute_http_health_check"
+identifier = "inspec/resources/gcp/google_compute_http_health_check resource"
+parent = "inspec/resources/gcp"
++++
+
+## Syntax
+
+A `google_compute_http_health_check` is used to test a Google HttpHealthCheck resource
+
+
+## Beta Resource
+This resource has beta fields available. To retrieve these fields, include `beta: true` in the constructor for the resource.
+
+## Examples
+
+```ruby
+describe google_compute_http_health_check(project: 'chef-gcp-inspec', name: 'inspec-gcp-http-health-check') do
+ it { should exist }
+ its('timeout_sec') { should eq '20' }
+ its('request_path') { should eq '/health_check' }
+ its('check_interval_sec') { should eq '20' }
+end
+
+describe google_compute_http_health_check(project: 'chef-gcp-inspec', name: 'nonexistent') do
+ it { should_not exist }
+end
+```
+
+## Properties
+
+Properties that can be accessed from the `google_compute_http_health_check` resource:
+
+
+ * `check_interval_sec`: How often (in seconds) to send a health check. The default value is 5 seconds.
+
+ * `creation_timestamp`: Creation timestamp in RFC3339 text format.
+
+ * `description`: An optional description of this resource. Provide this property when you create the resource.
+
+ * `healthy_threshold`: A so-far unhealthy instance will be marked healthy after this many consecutive successes. The default value is 2.
+
+ * `host`: The value of the host header in the HTTP health check request. If left empty (default value), the public IP on behalf of which this health check is performed will be used.
+
+ * `id`: The unique identifier for the resource. This identifier is defined by the server.
+
+ * `name`: Name of the resource. Provided by the client when the resource is created. The name must be 1-63 characters long, and comply with RFC1035. Specifically, the name must be 1-63 characters long and match the regular expression `[a-z]([-a-z0-9]*[a-z0-9])?` which means the first character must be a lowercase letter, and all following characters must be a dash, lowercase letter, or digit, except the last character, which cannot be a dash.
+
+ * `port`: The TCP port number for the HTTP health check request. The default value is 80.
+
+ * `request_path`: The request path of the HTTP health check request. The default value is /.
+
+ * `timeout_sec`: How long (in seconds) to wait before claiming failure. The default value is 5 seconds. It is invalid for timeoutSec to have greater value than checkIntervalSec.
+
+ * `unhealthy_threshold`: A so-far healthy instance will be marked unhealthy after this many consecutive failures. The default value is 2.
+
+
+## GCP permissions
+
+Ensure the [Compute Engine API](https://console.cloud.google.com/apis/library/compute.googleapis.com/) is enabled for the current project.
diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_http_health_checks.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_http_health_checks.md
new file mode 100644
index 0000000..06efd06
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_http_health_checks.md
@@ -0,0 +1,56 @@
++++
+title = "google_compute_http_health_checks resource"
+
+draft = false
+
+
+[menu.gcp]
+title = "google_compute_http_health_checks"
+identifier = "inspec/resources/gcp/google_compute_http_health_checks resource"
+parent = "inspec/resources/gcp"
++++
+
+## Syntax
+
+A `google_compute_http_health_checks` is used to test a Google HttpHealthCheck resource
+
+
+## Beta Resource
+This resource has beta fields available. To retrieve these fields, include `beta: true` in the constructor for the resource.
+
+## Examples
+
+```ruby
+describe google_compute_http_health_checks(project: 'chef-gcp-inspec') do
+ its('names') { should include 'inspec-gcp-http-health-check' }
+ its('timeout_secs') { should include '20' }
+ its('check_interval_secs') { should include '20' }
+end
+```
+
+## Properties
+
+Properties that can be accessed from the `google_compute_http_health_checks` resource:
+
+See [google_compute_http_health_check](google_compute_http_health_check) for more detailed information.
+
+ * `check_interval_secs`: an array of `google_compute_http_health_check` check_interval_sec
+ * `creation_timestamps`: an array of `google_compute_http_health_check` creation_timestamp
+ * `descriptions`: an array of `google_compute_http_health_check` description
+ * `healthy_thresholds`: an array of `google_compute_http_health_check` healthy_threshold
+ * `hosts`: an array of `google_compute_http_health_check` host
+ * `ids`: an array of `google_compute_http_health_check` id
+ * `names`: an array of `google_compute_http_health_check` name
+ * `ports`: an array of `google_compute_http_health_check` port
+ * `request_paths`: an array of `google_compute_http_health_check` request_path
+ * `timeout_secs`: an array of `google_compute_http_health_check` timeout_sec
+ * `unhealthy_thresholds`: an array of `google_compute_http_health_check` unhealthy_threshold
+
+## Filter criteria
+
+This resource supports all of the above properties as filter criteria, which can be used
+with `where` as a block or a method.
+
+## GCP permissions
+
+Ensure the [Compute Engine API](https://console.cloud.google.com/apis/library/compute.googleapis.com/) is enabled for the current project.
diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_https_health_check.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_https_health_check.md
new file mode 100644
index 0000000..f26b0e5
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_https_health_check.md
@@ -0,0 +1,67 @@
++++
+title = "google_compute_https_health_check resource"
+
+draft = false
+
+
+[menu.gcp]
+title = "google_compute_https_health_check"
+identifier = "inspec/resources/gcp/google_compute_https_health_check resource"
+parent = "inspec/resources/gcp"
++++
+
+## Syntax
+
+A `google_compute_https_health_check` is used to test a Google HttpsHealthCheck resource
+
+
+## Beta Resource
+This resource has beta fields available. To retrieve these fields, include `beta: true` in the constructor for the resource.
+
+## Examples
+
+```ruby
+describe google_compute_https_health_check(project: 'chef-gcp-inspec', name: 'inspec-gcp-https-health-check') do
+ it { should exist }
+ its('timeout_sec') { should eq '15' }
+ its('request_path') { should eq '/https_health_check' }
+ its('check_interval_sec') { should eq '15' }
+ its('unhealthy_threshold') { should eq '3' }
+end
+
+describe google_compute_https_health_check(project: 'chef-gcp-inspec', name: 'nonexistent') do
+ it { should_not exist }
+end
+```
+
+## Properties
+
+Properties that can be accessed from the `google_compute_https_health_check` resource:
+
+
+ * `check_interval_sec`: How often (in seconds) to send a health check. The default value is 5 seconds.
+
+ * `creation_timestamp`: Creation timestamp in RFC3339 text format.
+
+ * `description`: An optional description of this resource. Provide this property when you create the resource.
+
+ * `healthy_threshold`: A so-far unhealthy instance will be marked healthy after this many consecutive successes. The default value is 2.
+
+ * `host`: The value of the host header in the HTTPS health check request. If left empty (default value), the public IP on behalf of which this health check is performed will be used.
+
+ * `id`: The unique identifier for the resource. This identifier is defined by the server.
+
+ * `name`: Name of the resource. Provided by the client when the resource is created. The name must be 1-63 characters long, and comply with RFC1035. Specifically, the name must be 1-63 characters long and match the regular expression `[a-z]([-a-z0-9]*[a-z0-9])?` which means the first character must be a lowercase letter, and all following characters must be a dash, lowercase letter, or digit, except the last character, which cannot be a dash.
+
+ * `port`: The TCP port number for the HTTPS health check request. The default value is 80.
+
+ * `request_path`: The request path of the HTTPS health check request. The default value is /.
+
+ * `timeout_sec`: How long (in seconds) to wait before claiming failure. The default value is 5 seconds. It is invalid for timeoutSec to have greater value than checkIntervalSec.
+
+ * `unhealthy_threshold`: A so-far healthy instance will be marked unhealthy after this many consecutive failures. The default value is 2.
+
+
+## GCP permissions
+
+Ensure the [Compute Engine API](https://console.cloud.google.com/apis/library/compute.googleapis.com/) is enabled for the current project.
diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_https_health_checks.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_https_health_checks.md
new file mode 100644
index 0000000..2eba5e6
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_https_health_checks.md
@@ -0,0 +1,56 @@
++++
+title = "google_compute_https_health_checks resource"
+
+draft = false
+
+
+[menu.gcp]
+title = "google_compute_https_health_checks"
+identifier = "inspec/resources/gcp/google_compute_https_health_checks resource"
+parent = "inspec/resources/gcp"
++++
+
+## Syntax
+
+A `google_compute_https_health_checks` is used to test a Google HttpsHealthCheck resource
+
+
+## Beta Resource
+This resource has beta fields available. To retrieve these fields, include `beta: true` in the constructor for the resource.
+
+## Examples
+
+```ruby
+describe google_compute_https_health_checks(project: 'chef-gcp-inspec') do
+ its('names') { should include 'inspec-gcp-https-health-check' }
+ its('timeout_secs') { should include '15' }
+ its('check_interval_secs') { should include '15' }
+end
+```
+
+## Properties
+
+Properties that can be accessed from the `google_compute_https_health_checks` resource:
+
+See [google_compute_https_health_check](google_compute_https_health_check) for more detailed information.
+
+ * `check_interval_secs`: an array of `google_compute_https_health_check` check_interval_sec
+ * `creation_timestamps`: an array of `google_compute_https_health_check` creation_timestamp
+ * `descriptions`: an array of `google_compute_https_health_check` description
+ * `healthy_thresholds`: an array of `google_compute_https_health_check` healthy_threshold
+ * `hosts`: an array of `google_compute_https_health_check` host
+ * `ids`: an array of `google_compute_https_health_check` id
+ * `names`: an array of `google_compute_https_health_check` name
+ * `ports`: an array of `google_compute_https_health_check` port
+ * `request_paths`: an array of `google_compute_https_health_check` request_path
+ * `timeout_secs`: an array of `google_compute_https_health_check` timeout_sec
+ * `unhealthy_thresholds`: an array of `google_compute_https_health_check` unhealthy_threshold
+
+## Filter criteria
+
+This resource supports all of the above properties as filter criteria, which can be used
+with `where` as a block or a method.
+
+## GCP permissions
+
+Ensure the [Compute Engine API](https://console.cloud.google.com/apis/library/compute.googleapis.com/) is enabled for the current project.
diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_image.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_image.md
new file mode 100644
index 0000000..50475b1
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_image.md
@@ -0,0 +1,148 @@
++++
+title = "google_compute_image resource"
+
+draft = false
+
+
+[menu.gcp]
+title = "google_compute_image"
+identifier = "inspec/resources/gcp/google_compute_image resource"
+parent = "inspec/resources/gcp"
++++
+
+## Syntax
+
+A `google_compute_image` is used to test a Google Image resource
+
+
+## Beta Resource
+This resource has beta fields available. To retrieve these fields, include `beta: true` in the constructor for the resource.
+
+## Examples
+
+```ruby
+describe google_compute_image(project: 'chef-gcp-inspec', name: 'inspec-image') do
+ it { should exist }
+ its('disk_size_gb') { should cmp 3 }
+end
+
+describe google_compute_image(project: 'chef-gcp-inspec', name: 'notfound') do
+ it { should_not exist }
+end
+```
+
+### Test that a GCP compute image is in a particular status e.g. "READY" means available for use
+
+ describe google_compute_image(project: 'chef-inspec-gcp', location: 'europe-west2', name: 'compute-address') do
+ its('status') { should eq "READY" }
+ end
+
+### Test that a GCP compute image has the expected family
+
+ describe google_compute_image(project: 'chef-inspec-gcp', name: 'ubuntu') do
+ its('family') { should match "ubuntu" }
+ end
+
+## Properties
+
+Properties that can be accessed from the `google_compute_image` resource:
+
+
+ * `archive_size_bytes`: Size of the image tar.gz archive stored in Google Cloud Storage (in bytes).
+
+ * `creation_timestamp`: Creation timestamp in RFC3339 text format.
+
+ * `deprecated`: The deprecation status associated with this image.
+
+ * `deleted`: An optional RFC3339 timestamp on or after which the state of this resource is intended to change to DELETED. This is only informational and the status will not change unless the client explicitly changes it.
+
+ * `deprecated`: An optional RFC3339 timestamp on or after which the state of this resource is intended to change to DEPRECATED. This is only informational and the status will not change unless the client explicitly changes it.
+
+ * `obsolete`: An optional RFC3339 timestamp on or after which the state of this resource is intended to change to OBSOLETE. This is only informational and the status will not change unless the client explicitly changes it.
+
+ * `replacement`: The URL of the suggested replacement for a deprecated resource. The suggested replacement resource must be the same kind of resource as the deprecated resource.
+
+ * `state`: The deprecation state of this resource. This can be DEPRECATED, OBSOLETE, or DELETED. Operations which create a new resource using a DEPRECATED resource will return successfully, but with a warning indicating the deprecated resource and recommending its replacement. Operations which use OBSOLETE or DELETED resources will be rejected and result in an error.
+ Possible values:
+ * DEPRECATED
+ * OBSOLETE
+ * DELETED
+
+ * `description`: An optional description of this resource. Provide this property when you create the resource.
+
+ * `disk_size_gb`: Size of the image when restored onto a persistent disk (in GB).
+
+ * `family`: The name of the image family to which this image belongs. You can create disks by specifying an image family instead of a specific image name. The image family always returns its latest image that is not deprecated. The name of the image family must comply with RFC1035.
+
+ * `guest_os_features`: A list of features to enable on the guest operating system. Applicable only for bootable images.
+
+ * `type`: The type of supported feature. Read [Enabling guest operating system features](https://cloud.google.com/compute/docs/images/create-delete-deprecate-private-images#guest-os-features) to see a list of available options.
+ Possible values:
+ * MULTI_IP_SUBNET
+ * SECURE_BOOT
+ * SEV_CAPABLE
+ * UEFI_COMPATIBLE
+ * VIRTIO_SCSI_MULTIQUEUE
+ * WINDOWS
+ * GVNIC
+
+ * `id`: The unique identifier for the resource. This identifier is defined by the server.
+
+ * `image_encryption_key`: Encrypts the image using a customer-supplied encryption key. After you encrypt an image with a customer-supplied key, you must provide the same key if you use the image later (e.g. to create a disk from the image)
+
+ * `raw_key`: Specifies a 256-bit customer-supplied encryption key, encoded in RFC 4648 base64 to either encrypt or decrypt this resource.
+
+ * `sha256`: The RFC 4648 base64 encoded SHA-256 hash of the customer-supplied encryption key that protects this resource.
+
+ * `kms_key_name`: (Beta only) The name of the encryption key that is stored in Google Cloud KMS.
+
+ * `labels`: Labels to apply to this Image.
+
+ * `label_fingerprint`: The fingerprint used for optimistic locking of this resource. Used internally during updates.
+
+ * `licenses`: Any applicable license URI.
+
+ * `name`: Name of the resource; provided by the client when the resource is created. The name must be 1-63 characters long, and comply with RFC1035. Specifically, the name must be 1-63 characters long and match the regular expression `[a-z]([-a-z0-9]*[a-z0-9])?` which means the first character must be a lowercase letter, and all following characters must be a dash, lowercase letter, or digit, except the last character, which cannot be a dash.
+
+ * `raw_disk`: The parameters of the raw disk image.
+
+ * `container_type`: The format used to encode and transmit the block device, which should be TAR. This is just a container and transmission format and not a runtime format. Provided by the client when the disk image is created.
+ Possible values:
+ * TAR
+
+ * `sha1_checksum`: An optional SHA1 checksum of the disk image before unpackaging. This is provided by the client when the disk image is created.
+
+ * `source`: The full Google Cloud Storage URL where disk storage is stored You must provide either this property or the sourceDisk property but not both.
+
+ * `source_disk`: The source disk to create this image based on. You must provide either this property or the rawDisk.source property but not both to create an image.
+
+ * `source_disk_encryption_key`: The customer-supplied encryption key of the source disk. Required if the source disk is protected by a customer-supplied encryption key.
+
+ * `raw_key`: Specifies a 256-bit customer-supplied encryption key, encoded in RFC 4648 base64 to either encrypt or decrypt this resource.
+
+ * `sha256`: The RFC 4648 base64 encoded SHA-256 hash of the customer-supplied encryption key that protects this resource.
+
+ * `kms_key_name`: (Beta only) The name of the encryption key that is stored in Google Cloud KMS.
+
+ * `source_disk_id`: The ID value of the disk used to create this image. This value may be used to determine whether the image was taken from the current or a previous instance of a given disk name.
+
+ * `source_image`: URL of the source image used to create this image. In order to create an image, you must provide the full or partial URL of one of the following: * The selfLink URL * This property * The rawDisk.source URL * The sourceDisk URL
+
+ * `source_snapshot`: URL of the source snapshot used to create this image. In order to create an image, you must provide the full or partial URL of one of the following: * The selfLink URL * This property * The sourceImage URL * The rawDisk.source URL * The sourceDisk URL
+
+ * `source_type`: The type of the image used to create this disk. The default and only value is RAW
+ Possible values:
+ * RAW
+
+ * `self_link`: The self link of the image
+
+ * `status`: The status of the image. Either `READY` `PENDING` or `FAILED`.
+ Possible values:
+ * READY
+ * PENDING
+ * FAILED
+
+
+## GCP permissions
+
+Ensure the [Compute Engine API](https://console.cloud.google.com/apis/library/compute.googleapis.com/) is enabled for the current project.
diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_image_family_view.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_image_family_view.md
new file mode 100644
index 0000000..9d091f0
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_image_family_view.md
@@ -0,0 +1,147 @@
++++
+title = "google_compute_image_family_view resource"
+
+draft = false
+
+
+[menu.gcp]
+title = "google_compute_image_family_view"
+identifier = "inspec/resources/gcp/google_compute_image_family_view resource"
+parent = "inspec/resources/gcp"
++++
+
+Use the `google_compute_image_family_view` InSpec audit resource to to test a Google Cloud ImageFamilyView resource.
+
+## Examples
+
+```ruby
+
+describe google_compute_image_family_view(project: 'chef-gcp-inspec', zone: 'us-central1-c', name: 'test') do
+ it { should exist }
+ its('image_name') { should eq 'image-1' }
+ its('image_source_type') { should eq 'RAW' }
+ its('image_family') { should eq 'test' }
+end
+
+```
+
+## Properties
+
+Properties that can be accessed from the `google_compute_image_family_view` resource:
+
+
+ * `image`: The latest image that is part of the specified image family in the requested location, and that is not deprecated.
+
+ * `creation_timestamp`: Creation timestamp in RFC3339 text format.This field is deprecated.
+
+ * `description`: An optional description of this resource. Provide this property when you create the resource.
+
+ * `id`: The unique identifier for the resource. This identifier is defined by the server.
+
+ * `name`: Name of the resource. Provided by the client when the resource is created. The name must be 1-63 characters long, and comply with RFC1035. Specifically, the name must be 1-63 characters long and match the regular expression [a-z]([-a-z0-9]*[a-z0-9])? which means the first character must be a lowercase letter, and all following characters must be a dash, lowercase letter, or digit, except the last character, which cannot be a dash.
+
+ * `source_type`: The type of the image used to create this disk. The default and only value is RAW
+ Possible values:
+ * RAW
+
+ * `deprecated`: The deprecation status associated with this disk type.
+
+ * `deleted`: An optional RFC3339 timestamp on or after which the deprecation state of this resource will be changed to DELETED.
+
+ * `deprecated`: An optional RFC3339 timestamp on or after which the deprecation state of this resource will be changed to DEPRECATED.
+
+ * `obsolete`: An optional RFC3339 timestamp on or after which the deprecation state of this resource will be changed to OBSOLETE.
+
+ * `replacement`: The URL of the suggested replacement for a deprecated resource. The suggested replacement resource must be the same kind of resource as the deprecated resource.
+
+ * `state`: The deprecation state of this resource. This can be DEPRECATED, OBSOLETE, or DELETED. Operations which create a new resource using a DEPRECATED resource will return successfully, but with a warning indicating the deprecated resource and recommending its replacement. Operations which use OBSOLETE or DELETED resources will be rejected and result in an error.
+ Possible values:
+ * DEPRECATED
+ * OBSOLETE
+ * DELETED
+
+ * `raw_disk`: The parameters of the raw disk image.
+
+ * `source`: The full Google Cloud Storage URL where the raw disk image archive is stored. The following are valid formats for the URL: https://storage.googleapis.com/bucketName/image_archive_name https://storage.googleapis.com/bucketName/folder_name/image_archive_name In order to create an image, you must provide the full or partial URL of one of the following: The rawDisk.source URL The sourceDisk URL The sourceImage URL The sourceSnapshot URL
+
+ * `sha1_checksum`: [Deprecated] This field is deprecated. An optional SHA1 checksum of the disk image before unpackaging provided by the client when the disk image is created.
+
+ * `container_type`: The format used to encode and transmit the block device, which should be TAR. This is just a container and transmission format and not a runtime format. Provided by the client when the disk image is created.
+ Possible values:
+ * TAR
+ * UNDEFINED_CONTAINER_TYPE
+
+ * `status`: The status of the image. An image can be used to create other resources, such as instances, only after the image has been successfully created and the status is set to * READY * FAILED * PENDING
+ Possible values:
+ * FAILED
+ * PENDING
+ * READY
+
+ * `archive_size_bytes`: Size of the image tar.gz archive stored in Google Cloud Storage (in bytes).
+
+ * `disk_size_gb`: Size of the image tar.gz archive stored in Google Cloud Storage (in bytes).
+
+ * `source_disk`: URL of the source disk used to create this image. For example, the following are valid values: https://www.googleapis.com/compute/v1/projects/project/zones/zone/disks/disk projects/project/zones/zone/disks/disk zones/zone/disks/disk In order to create an image, you must provide the full or partial URL of one of the following: The rawDisk.source URL The sourceDisk URL The sourceImage URL The sourceSnapshot URL
+
+ * `source_disk_id`: The ID value of the disk used to create this image. This value may be used to determine whether the image was taken from the current or a previous instance of a given disk name.
+
+ * `licenses`: Any applicable license URI.
+
+ * `storage_locations`: Any applicable license URI.
+
+ * `family`: The name of the image family to which this image belongs. You can create disks by specifying an image family instead of a specific image name. The image family always returns its latest image that is not deprecated. The name of the image family must comply with RFC1035.
+
+ * `image_encryption_key`: The deprecation status associated with this disk type.
+
+ * `sha256`: The RFC 4648 base64 encoded SHA-256 hash of the customer-supplied encryption key that protects this resource.
+
+ * `kms_key_service_account`: The service account being used for the encryption request for the given KMS key. If absent, the Compute Engine default service account is used. For example: "kmsKeyServiceAccount": "name@ projectId.iam.gserviceaccount.com/
+
+ * `raw_key`: Specifies a 256-bit customer-supplied encryption key, encoded in RFC 4648 base64 to either encrypt or decrypt this resource. You can provide either the rawKey or the rsaEncryptedKey. For example: "rawKey": "SGVsbG8gZnJvbSBHb29nbGUgQ2xvdWQgUGxhdGZvcm0="
+
+ * `rsa_encrypted_key`: Specifies an RFC 4648 base64 encoded, RSA-wrapped 2048-bit customer-supplied encryption key to either encrypt or decrypt this resource. You can provide either the rawKey or the rsaEncryptedKey. For example: "rsaEncryptedKey": "ieCx/NcW06PcT7Ep1X6LUTc/hLvUDYyzSZPPVCVPTVEohpeHASqC8uw5TzyO9U+Fka9JFH z0mBibXUInrC/jEk014kCK/NPjYgEMOyssZ4ZINPKxlUh2zn1bV+MCaTICrdmuSBTWlUUiFoD D6PYznLwh8ZNdaheCeZ8ewEXgFQ8V+sDroLaN3Xs3MDTXQEMMoNUXMCZEIpg9Vtp9x2oe==" The key must meet the following requirements before you can provide it to Compute Engine: The key is wrapped using a RSA public key certificate provided by Google. After being wrapped, the key must be encoded in RFC 4648 base64 encoding. Gets the RSA public key certificate provided by Google at: https://cloud-certs.storage.googleapis.com/google-cloud-csek-ingress.pem
+
+ * `kms_key_name`: The name of the encryption key that is stored in Google Cloud KMS. For example: "kmsKeyName": "projects/ kms_project_id/locations/ region/keyRings/key_region/cryptoKeys/key
+
+ * `source_disk_encryption_key`: Encrypts the image using a customer-supplied encryption key. After you encrypt an image with a customer-supplied key, you must provide the same key if you use the image later (e.g. to create a disk from the image). Customer-supplied encryption keys do not protect access to metadata of the disk. If you do not provide an encryption key when creating the image, then the disk will be encrypted using an automatically generated key and you do not need to provide a key to use the image later.
+
+ * `sha256`: Specifies a 256-bit customer-supplied encryption key, encoded in RFC 4648 base64 to either encrypt or decrypt this resource. You can provide either the rawKey or the rsaEncryptedKey. For example: "rawKey": "SGVsbG8gZnJvbSBHb29nbGUgQ2xvdWQgUGxhdGZvcm0="
+
+ * `kms_key_service_account`: The service account being used for the encryption request for the given KMS key. If absent, the Compute Engine default service account is used. For example: "kmsKeyServiceAccount": "name@ projectId.iam.gserviceaccount.com/
+
+ * `raw_key`: Specifies a 256-bit customer-supplied encryption key, encoded in RFC 4648 base64 to either encrypt or decrypt this resource. You can provide either the rawKey or the rsaEncryptedKey. For example: "rawKey": "SGVsbG8gZnJvbSBHb29nbGUgQ2xvdWQgUGxhdGZvcm0="
+
+ * `rsa_encrypted_key`: Specifies an RFC 4648 base64 encoded, RSA-wrapped 2048-bit customer-supplied encryption key to either encrypt or decrypt this resource. You can provide either the rawKey or the rsaEncryptedKey. For example: "rsaEncryptedKey": "ieCx/NcW06PcT7Ep1X6LUTc/hLvUDYyzSZPPVCVPTVEohpeHASqC8uw5TzyO9U+Fka9JFH z0mBibXUInrC/jEk014kCK/NPjYgEMOyssZ4ZINPKxlUh2zn1bV+MCaTICrdmuSBTWlUUiFoD D6PYznLwh8ZNdaheCeZ8ewEXgFQ8V+sDroLaN3Xs3MDTXQEMMoNUXMCZEIpg9Vtp9x2oe==" The key must meet the following requirements before you can provide it to Compute Engine: The key is wrapped using a RSA public key certificate provided by Google. After being wrapped, the key must be encoded in RFC 4648 base64 encoding. Gets the RSA public key certificate provided by Google at: https://cloud-certs.storage.googleapis.com/google-cloud-csek-ingress.pem
+
+ * `kms_key_name`: The name of the encryption key that is stored in Google Cloud KMS. For example: "kmsKeyName": "projects/ kms_project_id/locations/ region/keyRings/key_region/cryptoKeys/key
+
+ * `source_snapshot_encryption_key`: The deprecation status associated with this disk type.
+
+ * `pk`: The Platform Key (PK).
+
+ * `content`: The raw content in the secure keys file. A base64-encoded string.
+
+ * `file_type`: The file type of source file.
+
+ * `keks`: The Key Database (db).
+
+ * `content`: The raw content in the secure keys file. A base64-encoded string.
+
+ * `file_type`: The file type of source file.
+
+ * `dbs`: The Key Database (db).
+
+ * `content`: The raw content in the secure keys file. A base64-encoded string.
+
+ * `file_type`: The file type of source file.
+
+ * `dbxs`: The forbidden key database (dbx).
+
+ * `content`: The raw content in the secure keys file. A base64-encoded string.
+
+ * `file_type`: The file type of source file.
+
+
+## GCP permissions
+
+Ensure the [Compute Engine API](https://console.cloud.google.com/apis/library/compute.googleapis.com/) is enabled for the current project.
diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_instance.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_instance.md
new file mode 100644
index 0000000..d19d1a6
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_instance.md
@@ -0,0 +1,279 @@ ++++ +title = "google_compute_instance resource" + +draft = false + + +[menu.gcp] +title = "google_compute_instance" +identifier = "inspec/resources/gcp/google_compute_instance resource" +parent = "inspec/resources/gcp" ++++ + +## Syntax + +A `google_compute_instance` is used to test a Google Instance resource + + +## Beta Resource +This resource has beta fields available. To retrieve these fields, include `beta: true` in the constructor for the resource. + +## Examples + +```ruby +describe google_compute_instance(project: 'chef-gcp-inspec', zone: 'zone', name: 'inspec-instance') do + it { should exist } + its('machine_type') { should match 'n1-standard-1' } + its('tags.items') { should include 'foo' } + its('tags.items') { should include 'bar' } + its('tag_count') { should cmp 2 } + its('service_account_scopes') { should include 'https://www.googleapis.com/auth/compute.readonly' } + its('metadata_keys') { should include '123' } + its('metadata_values') { should include 'asdf' } +end + +describe google_compute_instance(project: 'chef-gcp-inspec', zone: 'zone', name: 'nonexistent') do + it { should_not exist } +end +``` + +### Test that a GCP compute instance does not exist + + describe google_compute_instance(project: 'chef-inspec-gcp', zone: 'us-east1-b', name: 'inspec-test-vm-not-there') do + it { should_not exist } + end + +### Test that a GCP compute instance is in the expected state ([explore possible states here](https://cloud.google.com/compute/docs/instances/checking-instance-status)) + + describe google_compute_instance(project: 'chef-inspec-gcp', zone: 'us-east1-b', name: 'inspec-test-vm') do + its('status') { should eq 'RUNNING' } + end + +### Test that a GCP compute instance is the expected size + + describe google_compute_instance(project: 'chef-inspec-gcp', zone: 'us-east1-b', name: 'inspec-test-vm') do + its('machine_type') { should match "f1-micro" } + end + +### Test that a GCP compute instance has the expected CPU platform + + 
describe google_compute_instance(project: 'chef-inspec-gcp', zone: 'us-east1-b', name: 'inspec-test-vm') do + its('cpu_platform') { should match "Intel" } + end + +### Test that a GCP compute instance has the expected number of attached disks + + describe google_compute_instance(project: 'chef-inspec-gcp', zone: 'us-east1-b', name: 'inspec-test-vm') do + its('disk_count'){should eq 2} + end + +### Test that a GCP compute instance has the expected number of attached network interfaces + + describe google_compute_instance(project: 'chef-inspec-gcp', zone: 'us-east1-b', name: 'inspec-test-vm') do + its('network_interfaces_count'){should eq 1} + end + +### Test that a GCP compute instance has the expected number of tags + + describe google_compute_instance(project: 'chef-inspec-gcp', zone: 'us-east1-b', name: 'inspec-test-vm') do + its('tag_count'){should eq 1} + end + +### Test that a GCP compute instance has a single public IP address + + describe google_compute_instance(project: 'chef-inspec-gcp', zone: 'us-east1-b', name: 'inspec-test-vm') do + its('first_network_interface_nat_ip_exists'){ should be true } + its('first_network_interface_name'){ should eq "external-nat" } + its('first_network_interface_type'){ should eq "one_to_one_nat" } + end + +### Test that a particular compute instance label key is present + + describe google_compute_instance(project: 'chef-inspec-gcp', zone: 'us-east1-b', name: 'inspec-test-vm') do + its('labels_keys') { should include 'my_favourite_label' } + end + +### Test that a particular compute instance label value is matching regexp + describe google_compute_instance(project: 'chef-inspec-gcp', zone:'us-east1-b', name:'inspec-test-vm').label_value_by_key('business-area') do + it { should match '^(marketing|research)$' } + end + +### Test that a particular compute instance metadata key is present + describe google_compute_instance(project: 'chef-inspec-gcp', zone:'us-east1-b', name:'inspec-test-vm') do + its('metadata_keys') { should 
include 'patching-type' } + end + +### Test that a particular compute instance metadata value is matching regexp + describe google_compute_instance(project: 'chef-inspec-gcp', zone:'us-east1-b', name:'inspec-test-vm').metadata_value_by_key('patching-window') do + it { should match '^\d{1}-\d{2}$' } + end + +## Properties + +Properties that can be accessed from the `google_compute_instance` resource: + + + * `can_ip_forward`: Allows this instance to send and receive packets with non-matching destination or source IPs. This is required if you plan to use this instance to forward routes. + + * `cpu_platform`: The CPU platform used by this instance. + + * `creation_timestamp`: Creation timestamp in RFC3339 text format. + + * `deletion_protection`: Whether the resource should be protected against deletion. + + * `disks`: An array of disks that are associated with the instances that are created from this template. + + * `auto_delete`: Specifies whether the disk will be auto-deleted when the instance is deleted (but not when the disk is detached from the instance). Tip: Disks should be set to autoDelete=true so that leftover disks are not left behind on machine deletion. + + * `boot`: Indicates that this is a boot disk. The virtual machine will use the first partition of the disk for its root filesystem. + + * `device_name`: Specifies a unique device name of your choice that is reflected into the /dev/disk/by-id/google-* tree of a Linux operating system running within the instance. This name can be used to reference the device for mounting, resizing, and so on, from within the instance. + + * `disk_encryption_key`: Encrypts or decrypts a disk using a customer-supplied encryption key. + + * `raw_key`: Specifies a 256-bit customer-supplied encryption key, encoded in RFC 4648 base64 to either encrypt or decrypt this resource. 
+ + * `rsa_encrypted_key`: Specifies an RFC 4648 base64 encoded, RSA-wrapped 2048-bit customer-supplied encryption key to either encrypt or decrypt this resource. + + * `sha256`: The RFC 4648 base64 encoded SHA-256 hash of the customer-supplied encryption key that protects this resource. + + * `index`: Assigns a zero-based index to this disk, where 0 is reserved for the boot disk. For example, if you have many disks attached to an instance, each disk would have a unique index number. If not specified, the server will choose an appropriate value. + + * `initialize_params`: Specifies the parameters for a new disk that will be created alongside the new instance. Use initialization parameters to create boot disks or local SSDs attached to the new instance. + + * `disk_name`: Specifies the disk name. If not specified, the default is to use the name of the instance. + + * `disk_size_gb`: Specifies the size of the disk in base-2 GB. + + * `disk_type`: Reference to a disk type. Specifies the disk type to use to create the instance. If not specified, the default is pd-standard. + + * `source_image`: The source image to create this disk. When creating a new instance, one of initializeParams.sourceImage or disks.source is required. To create a disk with one of the public operating system images, specify the image by its family name. + + * `source_image_encryption_key`: The customer-supplied encryption key of the source image. Required if the source image is protected by a customer-supplied encryption key. Instance templates do not store customer-supplied encryption keys, so you cannot create disks for instances in a managed instance group if the source images are encrypted with your own keys. + + * `raw_key`: Specifies a 256-bit customer-supplied encryption key, encoded in RFC 4648 base64 to either encrypt or decrypt this resource. + + * `sha256`: The RFC 4648 base64 encoded SHA-256 hash of the customer-supplied encryption key that protects this resource. 
+ + * `interface`: Specifies the disk interface to use for attaching this disk, which is either SCSI or NVME. The default is SCSI. Persistent disks must always use SCSI and the request will fail if you attempt to attach a persistent disk in any other format than SCSI. + Possible values: + * SCSI + * NVME + + * `mode`: The mode in which to attach this disk, either READ_WRITE or READ_ONLY. If not specified, the default is to attach the disk in READ_WRITE mode. + Possible values: + * READ_WRITE + * READ_ONLY + + * `source`: Reference to a disk. When creating a new instance, one of initializeParams.sourceImage or disks.source is required. If desired, you can also attach existing non-root persistent disks using this property. This field is only applicable for persistent disks. + + * `type`: Specifies the type of the disk, either SCRATCH or PERSISTENT. If not specified, the default is PERSISTENT. + Possible values: + * SCRATCH + * PERSISTENT + + * `licenses`: Any applicable publicly visible licenses. + + * `guest_accelerators`: List of the type and count of accelerator cards attached to the instance + + * `accelerator_count`: The number of the guest accelerator cards exposed to this instance. + + * `accelerator_type`: Full or partial URL of the accelerator type resource to expose to this instance. + + * `hostname`: The hostname of the instance to be created. The specified hostname must be RFC1035 compliant. If hostname is not specified, the default hostname is [INSTANCE_NAME].c.[PROJECT_ID].internal when using the global DNS, and [INSTANCE_NAME].[ZONE].c.[PROJECT_ID].internal when using zonal DNS. + + * `id`: The unique identifier for the resource. This identifier is defined by the server. + + * `label_fingerprint`: The fingerprint used for optimistic locking of this resource. Used internally during updates. + + * `labels`: Labels to apply to this instance. A list of key->value pairs. 
+ + * `metadata`: The metadata key/value pairs to assign to instances that are created from this template. These pairs can consist of custom metadata or predefined keys. + + * `machine_type`: A reference to a machine type which defines VM kind. + + * `min_cpu_platform`: Specifies a minimum CPU platform for the VM instance. Applicable values are the friendly names of CPU platforms + + * `name`: The name of the resource, provided by the client when initially creating the resource. The resource name must be 1-63 characters long, and comply with RFC1035. Specifically, the name must be 1-63 characters long and match the regular expression `[a-z]([-a-z0-9]*[a-z0-9])?` which means the first character must be a lowercase letter, and all following characters must be a dash, lowercase letter, or digit, except the last character, which cannot be a dash. + + * `network_interfaces`: An array of configurations for this interface. This specifies how this interface is configured to interact with other network services, such as connecting to the internet. Only one network interface is supported per instance. + + * `access_configs`: An array of configurations for this interface. Currently, only one access config, ONE_TO_ONE_NAT, is supported. If there are no accessConfigs specified, then this instance will have no external internet access. + + * `name`: The name of this access configuration. The default and recommended name is External NAT but you can use any arbitrary string you would like. For example, My external IP or Network Access. + + * `nat_ip`: Reference to an address. An external IP address associated with this instance. Specify an unused static external IP address available to the project or leave this field undefined to use an IP from a shared ephemeral IP address pool. If you specify a static external IP address, it must live in the same region as the zone of the instance. + + * `type`: The type of configuration. The default and only option is ONE_TO_ONE_NAT. 
+ Possible values: + * ONE_TO_ONE_NAT + + * `set_public_ptr`: Specifies whether a public DNS PTR record should be created to map the external IP address of the instance to a DNS domain name. + + * `public_ptr_domain_name`: The DNS domain name for the public PTR record. You can set this field only if the setPublicPtr field is enabled. + + * `network_tier`: This signifies the networking tier used for configuring this access configuration. If an AccessConfig is specified without a valid external IP address, an ephemeral IP will be created with this networkTier. If an AccessConfig with a valid external IP address is specified, it must match that of the networkTier associated with the Address resource owning that IP. + Possible values: + * PREMIUM + * STANDARD + + * `alias_ip_ranges`: An array of alias IP ranges for this network interface. Can only be specified for network interfaces on subnet-mode networks. + + * `ip_cidr_range`: The IP CIDR range represented by this alias IP range. This IP CIDR range must belong to the specified subnetwork and cannot contain IP addresses reserved by system or used by other network interfaces. This range may be a single IP address (e.g. 10.2.3.4), a netmask (e.g. /24) or a CIDR format string (e.g. 10.1.2.0/24). + + * `subnetwork_range_name`: Optional subnetwork secondary range name specifying the secondary range from which to allocate the IP CIDR range for this alias IP range. If left unspecified, the primary range of the subnetwork will be used. + + * `name`: The name of the network interface, generated by the server. For network devices, these are eth0, eth1, etc + + * `network`: Specifies the title of an existing network. When creating an instance, if neither the network nor the subnetwork is specified, the default network global/networks/default is used; if the network is not specified but the subnetwork is specified, the network is inferred. 
+ + * `network_ip`: An IPv4 internal network address to assign to the instance for this network interface. If not specified by the user, an unused internal IP is assigned by the system. + + * `subnetwork`: Reference to a VPC network. If the network resource is in legacy mode, do not provide this property. If the network is in auto subnet mode, providing the subnetwork is optional. If the network is in custom subnet mode, then this field should be specified. + + * `scheduling`: Sets the scheduling options for this instance. + + * `automatic_restart`: Specifies whether the instance should be automatically restarted if it is terminated by Compute Engine (not terminated by a user). You can only set the automatic restart option for standard instances. Preemptible instances cannot be automatically restarted. + + * `on_host_maintenance`: Defines the maintenance behavior for this instance. For standard instances, the default behavior is MIGRATE. For preemptible instances, the default and only possible behavior is TERMINATE. For more information, see Setting Instance Scheduling Options. + + * `preemptible`: Defines whether the instance is preemptible. This can only be set during instance creation, it cannot be set or changed after the instance has been created. + + * `service_accounts`: A list of service accounts, with their specified scopes, authorized for this instance. Only one service account per VM instance is supported. + + * `email`: Email address of the service account. + + * `scopes`: The list of scopes to be made available for this service account. + + * `shielded_instance_config`: Configuration for various parameters related to shielded instances. + + * `enable_secure_boot`: Defines whether the instance has Secure Boot enabled. + + * `enable_vtpm`: Defines whether the instance has the vTPM enabled + + * `enable_integrity_monitoring`: Defines whether the instance has integrity monitoring enabled. + + * `status`: The status of the instance. 
One of the following values: PROVISIONING, STAGING, RUNNING, STOPPING, SUSPENDING, SUSPENDED, and TERMINATED. As a user, use RUNNING to keep a machine "on" and TERMINATED to turn a machine off + Possible values: + * PROVISIONING + * STAGING + * RUNNING + * STOPPING + * SUSPENDING + * SUSPENDED + * TERMINATED + + * `status_message`: An optional, human-readable explanation of the status. + + * `tags`: A list of tags to apply to this instance. Tags are used to identify valid sources or targets for network firewalls and are specified by the client during instance creation. The tags can be later modified by the setTags method. Each tag within the list must comply with RFC1035. + + * `fingerprint`: Specifies a fingerprint for this request, which is essentially a hash of the metadata's contents and used for optimistic locking. The fingerprint is initially generated by Compute Engine and changes after every request to modify or update metadata. You must always provide an up-to-date fingerprint hash in order to update or change metadata. + + * `items`: An array of tags. Each tag must be 1-63 characters long, and comply with RFC1035. + + * `zone`: A reference to the zone where the machine resides. + + +## GCP permissions + +Ensure the [Compute Engine API](https://console.cloud.google.com/apis/library/compute.googleapis.com/) is enabled for the current project. diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_instance_group.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_instance_group.md new file mode 100644 index 0000000..8001a33 --- /dev/null +++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_instance_group.md 
@@ -0,0 +1,81 @@ ++++ +title = "google_compute_instance_group resource" + +draft = false + + +[menu.gcp] +title = "google_compute_instance_group" +identifier = "inspec/resources/gcp/google_compute_instance_group resource" +parent = "inspec/resources/gcp" ++++ + +## Syntax + +A `google_compute_instance_group` is used to test a Google InstanceGroup resource + + +## Beta Resource +This resource has beta fields available. To retrieve these fields, include `beta: true` in the constructor for the resource. + +## Examples + +```ruby +describe google_compute_instance_group(project: 'chef-gcp-inspec', zone: 'zone', name: 'inspec-instance-group') do + it { should exist } + its('description') { should cmp 'My instance group for testing' } + its('named_ports.count') { should cmp 1 } + its('named_ports.first.name') { should cmp 'https' } + its('named_ports.first.port') { should cmp '8080' } +end + +describe google_compute_instance_group(project: 'chef-gcp-inspec', zone: 'zone', name: 'nonexistent') do + it { should_not exist } +end +``` + +### Test that a GCP compute instance group has the expected size + + describe google_compute_instance_group(project: 'chef-inspec-gcp', zone: 'europe-west2-a', name: 'gcp-inspec-test') do + its('size') { should eq 2 } + end + +### Test that a GCP compute instance group has a port with supplied name and value + + describe google_compute_instance_group(project: 'chef-inspec-gcp', zone: 'europe-west2-a', name: 'gcp-inspec-test') do + its('port_name') { should eq "http" } + its('port_value') { should eq 80 } + end + + +## Properties + +Properties that can be accessed from the `google_compute_instance_group` resource: + + + * `creation_timestamp`: Creation timestamp in RFC3339 text format. + + * `description`: An optional description of this resource. Provide this property when you create the resource. + + * `id`: A unique identifier for this instance group. + + * `name`: The name of the instance group. 
The name must be 1-63 characters long, and comply with RFC1035. + + * `named_ports`: Assigns a name to a port number. For example: {name: "http", port: 80}. This allows the system to reference ports by the assigned name instead of a port number. Named ports can also contain multiple ports. For example: [{name: "http", port: 80},{name: "http", port: 8080}] Named ports apply to all instances in this instance group. + + * `name`: The name for this named port. The name must be 1-63 characters long, and comply with RFC1035. + + * `port`: The port number, which can be a value between 1 and 65535. + + * `network`: The network to which all instances in the instance group belong. + + * `region`: The region where the instance group is located (for regional resources). + + * `subnetwork`: The subnetwork to which all instances in the instance group belong. + + * `zone`: A reference to the zone where the instance group resides. + + +## GCP permissions + +Ensure the [Compute Engine API](https://console.cloud.google.com/apis/library/compute.googleapis.com/) is enabled for the current project. diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_instance_group_manager.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_instance_group_manager.md new file mode 100644 index 0000000..3122471 --- /dev/null +++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_instance_group_manager.md 
@@ -0,0 +1,92 @@ ++++ +title = "google_compute_instance_group_manager resource" + +draft = false + + +[menu.gcp] +title = "google_compute_instance_group_manager" +identifier = "inspec/resources/gcp/google_compute_instance_group_manager resource" +parent = "inspec/resources/gcp" ++++ + +## Syntax + +A `google_compute_instance_group_manager` is used to test a Google InstanceGroupManager resource + + +## Beta Resource +This resource has beta fields available. To retrieve these fields, include `beta: true` in the constructor for the resource. + +## Examples + +```ruby +describe google_compute_instance_group_manager(project: 'chef-gcp-inspec', zone: 'zone', name: 'inspec-gcp-igm') do + it { should exist } + + its('base_instance_name') { should eq 'igm' } + its('named_ports.count') { should cmp 1 } + its('named_ports.first.name') { should eq 'port' } + its('named_ports.first.port') { should eq '80' } +end + +describe google_compute_instance_group_manager(project: 'chef-gcp-inspec', zone: 'zone', name: 'nonexistent') do + it { should_not exist } +end +``` + +## Properties + +Properties that can be accessed from the `google_compute_instance_group_manager` resource: + + + * `base_instance_name`: The base instance name to use for instances in this group. The value must be 1-58 characters long. Instances are named by appending a hyphen and a random four-character string to the base instance name. The base instance name must comply with RFC1035. + + * `creation_timestamp`: The creation timestamp for this managed instance group in RFC3339 text format. + + * `current_actions`: The list of instance actions and the number of instances in this managed instance group that are scheduled for each of those actions. + + * `abandoning`: The total number of instances in the managed instance group that are scheduled to be abandoned. Abandoning an instance removes it from the managed instance group without deleting it. 
+ + * `creating`: The number of instances in the managed instance group that are scheduled to be created or are currently being created. If the group fails to create any of these instances, it tries again until it creates the instance successfully. If you have disabled creation retries, this field will not be populated; instead, the creatingWithoutRetries field will be populated. + + * `creating_without_retries`: The number of instances that the managed instance group will attempt to create. The group attempts to create each instance only once. If the group fails to create any of these instances, it decreases the group's targetSize value accordingly. + + * `deleting`: The number of instances in the managed instance group that are scheduled to be deleted or are currently being deleted. + + * `none`: The number of instances in the managed instance group that are running and have no scheduled actions. + + * `recreating`: The number of instances in the managed instance group that are scheduled to be recreated or are currently being being recreated. Recreating an instance deletes the existing root persistent disk and creates a new disk from the image that is defined in the instance template. + + * `refreshing`: The number of instances in the managed instance group that are being reconfigured with properties that do not require a restart or a recreate action. For example, setting or removing target pools for the instance. + + * `restarting`: The number of instances in the managed instance group that are scheduled to be restarted or are currently being restarted. + + * `description`: An optional description of this resource. Provide this property when you create the resource. + + * `id`: A unique identifier for this resource + + * `instance_group`: The instance group being managed + + * `instance_template`: The instance template that is specified for this managed instance group. The group uses this template to create all new instances in the managed instance group. 
+ + * `name`: The name of the managed instance group. The name must be 1-63 characters long, and comply with RFC1035. + + * `named_ports`: Named ports configured for the Instance Groups complementary to this Instance Group Manager. + + * `name`: The name for this named port. The name must be 1-63 characters long, and comply with RFC1035. + + * `port`: The port number, which can be a value between 1 and 65535. + + * `region`: The region this managed instance group resides (for regional resources). + + * `target_pools`: TargetPool resources to which instances in the instanceGroup field are added. The target pools automatically apply to all of the instances in the managed instance group. + + * `target_size`: The target number of running instances for this managed instance group. Deleting or abandoning instances reduces this number. Resizing the group changes this number. + + * `zone`: The zone the managed instance group resides. + + +## GCP permissions + +Ensure the [Compute Engine API](https://console.cloud.google.com/apis/library/compute.googleapis.com/) is enabled for the current project. diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_instance_group_managers.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_instance_group_managers.md new file mode 100644 index 0000000..4c29d9c --- /dev/null +++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_instance_group_managers.md 
@@ -0,0 +1,56 @@ ++++ +title = "google_compute_instance_group_managers resource" + +draft = false + + +[menu.gcp] +title = "google_compute_instance_group_managers" +identifier = "inspec/resources/gcp/google_compute_instance_group_managers resource" +parent = "inspec/resources/gcp" ++++ + +## Syntax + +A `google_compute_instance_group_managers` is used to test a Google InstanceGroupManager resource + + +## Beta Resource +This resource has beta fields available. To retrieve these fields, include `beta: true` in the constructor for the resource. + +## Examples + +```ruby +describe google_compute_instance_group_managers(project: 'chef-gcp-inspec', zone: 'zone') do + its('base_instance_names') { should include 'igm' } +end +``` + +## Properties + +Properties that can be accessed from the `google_compute_instance_group_managers` resource: + +See [google_compute_instance_group_manager](google_compute_instance_group_manager) for more detailed information. + + * `base_instance_names`: an array of `google_compute_instance_group_manager` base_instance_name + * `creation_timestamps`: an array of `google_compute_instance_group_manager` creation_timestamp + * `current_actions`: an array of `google_compute_instance_group_manager` current_actions + * `descriptions`: an array of `google_compute_instance_group_manager` description + * `ids`: an array of `google_compute_instance_group_manager` id + * `instance_groups`: an array of `google_compute_instance_group_manager` instance_group + * `instance_templates`: an array of `google_compute_instance_group_manager` instance_template + * `names`: an array of `google_compute_instance_group_manager` name + * `named_ports`: an array of `google_compute_instance_group_manager` named_ports + * `regions`: an array of `google_compute_instance_group_manager` region + * `target_pools`: an array of `google_compute_instance_group_manager` target_pools + * `target_sizes`: an array of `google_compute_instance_group_manager` target_size + * `zones`: an 
array of `google_compute_instance_group_manager` zone + +## Filter criteria + +This resource supports all of the above properties as filter criteria, which can be used +with `where` as a block or a method. + +## GCP permissions + +Ensure the [Compute Engine API](https://console.cloud.google.com/apis/library/compute.googleapis.com/) is enabled for the current project. diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_instance_groups.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_instance_groups.md new file mode 100644 index 0000000..2129fc5 --- /dev/null +++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_instance_groups.md 
@@ -0,0 +1,73 @@ ++++ +title = "google_compute_instance_groups resource" + +draft = false + + +[menu.gcp] +title = "google_compute_instance_groups" +identifier = "inspec/resources/gcp/google_compute_instance_groups resource" +parent = "inspec/resources/gcp" ++++ + +## Syntax + +A `google_compute_instance_groups` is used to test a Google InstanceGroup resource + + +## Beta Resource +This resource has beta fields available. To retrieve these fields, include `beta: true` in the constructor for the resource. + +## Examples + +```ruby +describe google_compute_instance_groups(project: 'chef-gcp-inspec', zone: 'zone') do + its('instance_group_names') { should include 'inspec-instance-group' } +end +``` + +### Test that there are no more than a specified number of instance groups available for the project + + describe google_compute_instance_groups(project: 'chef-inspec-gcp') do + its('count') { should be <= 100} + end + +### Test that an expected instance_group is available for the project + + describe google_compute_instance_groups(project: 'chef-inspec-gcp', zone: 'europe-west2-a') do + its('instance_group_names') { should include "my-instance-group-name" } + end + +### Test that a subset of all instance_groups matching "mig*" have size greater than zero + + google_compute_instance_groups(project: 'chef-inspec-gcp', zone: 'europe-west2-a').where(instance_group_name: /^mig/).instance_group_names.each do |instance_group_name| + describe google_compute_instance_group(project: 'chef-inspec-gcp', zone: 'europe-west2-a', name: instance_group_name) do + it { should exist } + its('size') { should be > 0 } + end + end + +## Properties + +Properties that can be accessed from the `google_compute_instance_groups` resource: + +See [google_compute_instance_group](google_compute_instance_group) for more detailed information. 
+ + * `creation_timestamps`: an array of `google_compute_instance_group` creation_timestamp + * `descriptions`: an array of `google_compute_instance_group` description + * `instance_group_ids`: an array of `google_compute_instance_group` id + * `instance_group_names`: an array of `google_compute_instance_group` name + * `named_ports`: an array of `google_compute_instance_group` named_ports + * `networks`: an array of `google_compute_instance_group` network + * `regions`: an array of `google_compute_instance_group` region + * `subnetworks`: an array of `google_compute_instance_group` subnetwork + * `zones`: an array of `google_compute_instance_group` zone + +## Filter criteria + +This resource supports all of the above properties as filter criteria, which can be used +with `where` as a block or a method. + +## GCP permissions + +Ensure the [Compute Engine API](https://console.cloud.google.com/apis/library/compute.googleapis.com/) is enabled for the current project. diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_instance_template.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_instance_template.md new file mode 100644 index 0000000..6ebcdf4 --- /dev/null +++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_instance_template.md 
@@ -0,0 +1,186 @@ ++++ +title = "google_compute_instance_template resource" + +draft = false + + +[menu.gcp] +title = "google_compute_instance_template" +identifier = "inspec/resources/gcp/google_compute_instance_template resource" +parent = "inspec/resources/gcp" ++++ + +## Syntax + +A `google_compute_instance_template` is used to test a Google InstanceTemplate resource + + +## Beta Resource +This resource has beta fields available. To retrieve these fields, include `beta: true` in the constructor for the resource. + +## Examples + +```ruby +describe google_compute_instance_template(project: 'chef-gcp-inspec', name: 'inspec-gcp-instance-template') do + it { should exist } + its('description') { should eq 'A description of the instance template' } + its('properties.description') { should eq 'A description of the instance itself' } + its('properties.machine_type') { should eq 'f1-micro' } + its('properties.tags.items') { should include 'foo' } + its('properties.disks.count') { should eq 1 } + its('properties.disks.first.auto_delete') { should eq 'true' } + its('properties.disks.first.boot') { should eq 'true' } + its('properties.network_interfaces.count') { should eq 1 } + its('properties.service_accounts.count') { should eq 1 } +end + +describe google_compute_instance_template(project: 'chef-gcp-inspec', name: 'nonexistent') do + it { should_not exist } +end +``` + +## Properties + +Properties that can be accessed from the `google_compute_instance_template` resource: + + + * `creation_timestamp`: Creation timestamp in RFC3339 text format. + + * `description`: An optional description of this resource. Provide this property when you create the resource. + + * `id`: The unique identifier for the resource. This identifier is defined by the server. + + * `name`: Name of the resource. The name is 1-63 characters long and complies with RFC1035. + + * `properties`: The instance properties for this instance template. 
+ + * `can_ip_forward`: Enables instances created based on this template to send packets with source IP addresses other than their own and receive packets with destination IP addresses other than their own. If these instances will be used as an IP gateway or it will be set as the next-hop in a Route resource, specify true. If unsure, leave this set to false. + + * `description`: An optional text description for the instances that are created from this instance template. + + * `disks`: An array of disks that are associated with the instances that are created from this template. + + * `licenses`: Any applicable license URI. + + * `auto_delete`: Specifies whether the disk will be auto-deleted when the instance is deleted (but not when the disk is detached from the instance). Tip: Disks should be set to autoDelete=true so that leftover disks are not left behind on machine deletion. + + * `boot`: Indicates that this is a boot disk. The virtual machine will use the first partition of the disk for its root filesystem. + + * `device_name`: Specifies a unique device name of your choice that is reflected into the /dev/disk/by-id/google-* tree of a Linux operating system running within the instance. This name can be used to reference the device for mounting, resizing, and so on, from within the instance. + + * `disk_encryption_key`: Encrypts or decrypts a disk using a customer-supplied encryption key. + + * `raw_key`: Specifies a 256-bit customer-supplied encryption key, encoded in RFC 4648 base64 to either encrypt or decrypt this resource. + + * `rsa_encrypted_key`: Specifies an RFC 4648 base64 encoded, RSA-wrapped 2048-bit customer-supplied encryption key to either encrypt or decrypt this resource. + + * `sha256`: The RFC 4648 base64 encoded SHA-256 hash of the customer-supplied encryption key that protects this resource. + + * `index`: Assigns a zero-based index to this disk, where 0 is reserved for the boot disk. 
For example, if you have many disks attached to an instance, each disk would have a unique index number. If not specified, the server will choose an appropriate value. + + * `initialize_params`: Specifies the parameters for a new disk that will be created alongside the new instance. Use initialization parameters to create boot disks or local SSDs attached to the new instance. + + * `disk_name`: Specifies the disk name. If not specified, the default is to use the name of the instance. + + * `disk_size_gb`: Specifies the size of the disk in base-2 GB. + + * `disk_type`: Reference to a disk type. Specifies the disk type to use to create the instance. If not specified, the default is pd-standard. + + * `source_image`: The source image to create this disk. When creating a new instance, one of initializeParams.sourceImage or disks.source is required. To create a disk with one of the public operating system images, specify the image by its family name. + + * `source_image_encryption_key`: The customer-supplied encryption key of the source image. Required if the source image is protected by a customer-supplied encryption key. Instance templates do not store customer-supplied encryption keys, so you cannot create disks for instances in a managed instance group if the source images are encrypted with your own keys. + + * `raw_key`: Specifies a 256-bit customer-supplied encryption key, encoded in RFC 4648 base64 to either encrypt or decrypt this resource. + + * `sha256`: The RFC 4648 base64 encoded SHA-256 hash of the customer-supplied encryption key that protects this resource. + + * `interface`: Specifies the disk interface to use for attaching this disk, which is either SCSI or NVME. The default is SCSI. Persistent disks must always use SCSI and the request will fail if you attempt to attach a persistent disk in any other format than SCSI. + Possible values: + * SCSI + * NVME + + * `mode`: The mode in which to attach this disk, either READ_WRITE or READ_ONLY. 
If not specified, the default is to attach the disk in READ_WRITE mode. + Possible values: + * READ_WRITE + * READ_ONLY + + * `source`: Reference to a disk. When creating a new instance, one of initializeParams.sourceImage or disks.source is required. If desired, you can also attach existing non-root persistent disks using this property. This field is only applicable for persistent disks. Note that for InstanceTemplate, specify the disk name, not the URL for the disk. + + * `type`: Specifies the type of the disk, either SCRATCH or PERSISTENT. If not specified, the default is PERSISTENT. + Possible values: + * SCRATCH + * PERSISTENT + + * `labels`: Labels to apply to this address. A list of key->value pairs. + + * `machine_type`: The machine type to use in the VM instance template. + + * `min_cpu_platform`: Specifies a minimum CPU platform for the VM instance. Applicable values are the friendly names of CPU platforms + + * `metadata`: The metadata key/value pairs to assign to instances that are created from this template. These pairs can consist of custom metadata or predefined keys. + + * `guest_accelerators`: List of the type and count of accelerator cards attached to the instance + + * `accelerator_count`: The number of the guest accelerator cards exposed to this instance. + + * `accelerator_type`: Full or partial URL of the accelerator type resource to expose to this instance. + + * `network_interfaces`: An array of configurations for this interface. This specifies how this interface is configured to interact with other network services, such as connecting to the internet. Only one network interface is supported per instance. + + * `access_configs`: An array of configurations for this interface. Currently, only one access config, ONE_TO_ONE_NAT, is supported. If there are no accessConfigs specified, then this instance will have no external internet access. + + * `name`: The name of this access configuration. 
The default and recommended name is External NAT but you can use any arbitrary string you would like. For example, My external IP or Network Access. + + * `nat_ip`: Reference to an address. An external IP address associated with this instance. Specify an unused static external IP address available to the project or leave this field undefined to use an IP from a shared ephemeral IP address pool. If you specify a static external IP address, it must live in the same region as the zone of the instance. + + * `type`: The type of configuration. The default and only option is ONE_TO_ONE_NAT. + Possible values: + * ONE_TO_ONE_NAT + + * `set_public_ptr`: Specifies whether a public DNS PTR record should be created to map the external IP address of the instance to a DNS domain name. + + * `public_ptr_domain_name`: The DNS domain name for the public PTR record. You can set this field only if the setPublicPtr field is enabled. + + * `network_tier`: This signifies the networking tier used for configuring this access configuration. If an AccessConfig is specified without a valid external IP address, an ephemeral IP will be created with this networkTier. If an AccessConfig with a valid external IP address is specified, it must match that of the networkTier associated with the Address resource owning that IP. + Possible values: + * PREMIUM + * STANDARD + + * `alias_ip_ranges`: An array of alias IP ranges for this network interface. Can only be specified for network interfaces on subnet-mode networks. + + * `ip_cidr_range`: The IP CIDR range represented by this alias IP range. This IP CIDR range must belong to the specified subnetwork and cannot contain IP addresses reserved by system or used by other network interfaces. This range may be a single IP address (e.g. 10.2.3.4), a netmask (e.g. /24) or a CIDR format string (e.g. 10.1.2.0/24). 
+ + * `subnetwork_range_name`: Optional subnetwork secondary range name specifying the secondary range from which to allocate the IP CIDR range for this alias IP range. If left unspecified, the primary range of the subnetwork will be used. + + * `name`: The name of the network interface, generated by the server. For network devices, these are eth0, eth1, etc + + * `network`: Specifies the title of an existing network. When creating an instance, if neither the network nor the subnetwork is specified, the default network global/networks/default is used; if the network is not specified but the subnetwork is specified, the network is inferred. + + * `network_ip`: An IPv4 internal network address to assign to the instance for this network interface. If not specified by the user, an unused internal IP is assigned by the system. + + * `subnetwork`: Reference to a VPC network. If the network resource is in legacy mode, do not provide this property. If the network is in auto subnet mode, providing the subnetwork is optional. If the network is in custom subnet mode, then this field should be specified. + + * `scheduling`: Sets the scheduling options for this instance. + + * `automatic_restart`: Specifies whether the instance should be automatically restarted if it is terminated by Compute Engine (not terminated by a user). You can only set the automatic restart option for standard instances. Preemptible instances cannot be automatically restarted. + + * `on_host_maintenance`: Defines the maintenance behavior for this instance. For standard instances, the default behavior is MIGRATE. For preemptible instances, the default and only possible behavior is TERMINATE. For more information, see Setting Instance Scheduling Options. + + * `preemptible`: Defines whether the instance is preemptible. This can only be set during instance creation, it cannot be set or changed after the instance has been created. 
+ + * `service_accounts`: A list of service accounts, with their specified scopes, authorized for this instance. Only one service account per VM instance is supported. + + * `email`: Email address of the service account. + + * `scopes`: The list of scopes to be made available for this service account. + + * `tags`: A list of tags to apply to this instance. Tags are used to identify valid sources or targets for network firewalls and are specified by the client during instance creation. The tags can be later modified by the setTags method. Each tag within the list must comply with RFC1035. + + * `fingerprint`: Specifies a fingerprint for this request, which is essentially a hash of the metadata's contents and used for optimistic locking. The fingerprint is initially generated by Compute Engine and changes after every request to modify or update metadata. You must always provide an up-to-date fingerprint hash in order to update or change metadata. + + * `items`: An array of tags. Each tag must be 1-63 characters long, and comply with RFC1035. + + +## GCP permissions + +Ensure the [Compute Engine API](https://console.cloud.google.com/apis/library/compute.googleapis.com/) is enabled for the current project. diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_instance_templates.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_instance_templates.md new file mode 100644 index 0000000..7cb714c --- /dev/null +++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_instance_templates.md 
@@ -0,0 +1,48 @@ ++++ +title = "google_compute_instance_templates resource" + +draft = false + + +[menu.gcp] +title = "google_compute_instance_templates" +identifier = "inspec/resources/gcp/google_compute_instance_templates resource" +parent = "inspec/resources/gcp" ++++ + +## Syntax + +A `google_compute_instance_templates` is used to test a Google InstanceTemplate resource + + +## Beta Resource +This resource has beta fields available. To retrieve these fields, include `beta: true` in the constructor for the resource. + +## Examples + +```ruby +describe google_compute_instance_templates(project: 'chef-gcp-inspec') do + its('names') { should include 'inspec-gcp-instance-template' } +end +``` + +## Properties + +Properties that can be accessed from the `google_compute_instance_templates` resource: + +See [google_compute_instance_template](google_compute_instance_template) for more detailed information. + + * `creation_timestamps`: an array of `google_compute_instance_template` creation_timestamp + * `descriptions`: an array of `google_compute_instance_template` description + * `ids`: an array of `google_compute_instance_template` id + * `names`: an array of `google_compute_instance_template` name + * `properties`: an array of `google_compute_instance_template` properties + +## Filter criteria + +This resource supports all of the above properties as filter criteria, which can be used +with `where` as a block or a method. + +## GCP permissions + +Ensure the [Compute Engine API](https://console.cloud.google.com/apis/library/compute.googleapis.com/) is enabled for the current project. diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_instances.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_instances.md new file mode 100644 index 0000000..b264c54 --- /dev/null +++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_instances.md 
@@ -0,0 +1,83 @@ ++++ +title = "google_compute_instances resource" + +draft = false + + +[menu.gcp] +title = "google_compute_instances" +identifier = "inspec/resources/gcp/google_compute_instances resource" +parent = "inspec/resources/gcp" ++++ + +## Syntax + +A `google_compute_instances` is used to test a Google Instance resource + + +## Beta Resource +This resource has beta fields available. To retrieve these fields, include `beta: true` in the constructor for the resource. + +## Examples + +```ruby +describe google_compute_instances(project: 'chef-gcp-inspec', zone: 'zone') do + its('instance_names') { should include 'inspec-instance' } +end +``` + +### Test that there are no more than a specified number of instances in the project and zone + + describe google_compute_instances(project: 'chef-inspec-gcp', zone: 'europe-west2-a') do + its('count') { should be <= 100} + end + +### Test the exact number of instances in the project and zone + + describe google_compute_instances(project: 'chef-inspec-gcp', zone: 'europe-west2-a') do + its('instance_ids.count') { should cmp 9 } + end + +### Test that an instance with a particular name exists in the project and zone + + describe google_compute_instances(project: 'chef-inspec-gcp', zone: 'europe-west2-a') do + its('instance_names') { should include "my-favourite-instance" } + end + +## Properties + +Properties that can be accessed from the `google_compute_instances` resource: + +See [google_compute_instance](google_compute_instance) for more detailed information. 
+ + * `can_ip_forwards`: an array of `google_compute_instance` can_ip_forward + * `cpu_platforms`: an array of `google_compute_instance` cpu_platform + * `creation_timestamps`: an array of `google_compute_instance` creation_timestamp + * `deletion_protections`: an array of `google_compute_instance` deletion_protection + * `disks`: an array of `google_compute_instance` disks + * `guest_accelerators`: an array of `google_compute_instance` guest_accelerators + * `hostnames`: an array of `google_compute_instance` hostname + * `instance_ids`: an array of `google_compute_instance` id + * `label_fingerprints`: an array of `google_compute_instance` label_fingerprint + * `labels`: an array of `google_compute_instance` labels + * `metadata`: an array of `google_compute_instance` metadata + * `machine_types`: an array of `google_compute_instance` machine_type + * `min_cpu_platforms`: an array of `google_compute_instance` min_cpu_platform + * `instance_names`: an array of `google_compute_instance` name + * `network_interfaces`: an array of `google_compute_instance` network_interfaces + * `schedulings`: an array of `google_compute_instance` scheduling + * `service_accounts`: an array of `google_compute_instance` service_accounts + * `shielded_instance_configs`: an array of `google_compute_instance` shielded_instance_config + * `statuses`: an array of `google_compute_instance` status + * `status_messages`: an array of `google_compute_instance` status_message + * `tags`: an array of `google_compute_instance` tags + * `zones`: an array of `google_compute_instance` zone + +## Filter criteria + +This resource supports all of the above properties as filter criteria, which can be used +with `where` as a block or a method. + +## GCP permissions + +Ensure the [Compute Engine API](https://console.cloud.google.com/apis/library/compute.googleapis.com/) is enabled for the current project. 
diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_interconnect.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_interconnect.md
new file mode 100644
index 0000000..fed6248
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_interconnect.md
@@ -0,0 +1,114 @@ ++++ +title = "google_compute_interconnect resource" + +draft = false + + +[menu.gcp] +title = "google_compute_interconnect" +identifier = "inspec/resources/gcp/google_compute_interconnect resource" +parent = "inspec/resources/gcp" ++++ + +Use the `google_compute_interconnect` InSpec audit resource to to test a Google Cloud Interconnect resource. + +## Examples + +```ruby +describe google_compute_interconnect(project: 'chef-gcp-inspec') do + it { should exist } +end +``` + +## Properties + +Properties that can be accessed from the `google_compute_interconnect` resource: + + + * `admin_enabled`: Administrative status of the interconnect. When this is set to true, the Interconnect is functional and can carry traffic. When set to false, no packets can be carried over the interconnect and no BGP routes are exchanged over it. By default, the status is set to true. + + * `creation_timestamp`: Creation timestamp in RFC3339 text format.This field is deprecated. + + * `description`: A description about the purpose of the outage. + + * `location`: URL of the InterconnectLocation object that represents where this connection is to be provisioned. + + * `id`: The unique identifier for the resource. + + * `name`: Name of the resource. Provided by the client when the resource is created. The name must be 1-63 characters long, and comply with RFC1035. Specifically, the name must be 1-63 characters long and match the regular expression [a-z]([-a-z0-9]*[a-z0-9])? which means the first character must be a lowercase letter, and all following characters must be a dash, lowercase letter, or digit, except the last character, which cannot be a dash. + + * `noc_contact_email`: Email address to contact the customer NOC for operations and maintenance notifications regarding this Interconnect. If specified, this will be used for notifications in addition to all other forms described, such as Stackdriver logs alerting and Cloud Notifications. 
+ + * `peer_ip_address`: IP address configured on the customer side of the Interconnect link. The customer should configure this IP address during turnup when prompted by Google NOC. This can be used only for ping tests. + + * `google_ip_address`: IP address configured on the customer side of the Interconnect link. The customer should configure this IP address during turnup when prompted by Google NOC. This can be used only for ping tests. + + * `client_operation_id`: The value of requestId if you provided it in the request. Not present otherwise. + + * `google_reference_id`: Google reference ID to be used when raising support tickets with Google or otherwise to debug backend connectivity issues. + + * `provisioned_link_count`: Number of links actually provisioned in this interconnect. + + * `customer_name`: Customer name, to put in the Letter of Authorization as the party authorized to request a crossconnect. + + * `requested_link_count`: Customer name, to put in the Letter of Authorization as the party authorized to request a crossconnect. + + * `operational_status`: The current status of this Interconnect's functionality, which can take one of the following values: * OS_ACTIVE: A valid Interconnect, which is turned up and is ready to use. Attachments may be provisioned on this Interconnect. * OS_UNPROVISIONED: An Interconnect that has not completed turnup. No attachments may be provisioned on this Interconnect. * OS_UNDER_MAINTENANCE: An Interconnect that is undergoing internal maintenance. No attachments may be provisioned or updated on this Interconnect. + Possible values: + * OS_ACTIVE + * OS_UNPROVISIONED + * OS_UNDER_MAINTENANCE + + * `link_type`: Type of link requested, which can take one of the following values: * LINK_TYPE_ETHERNET_10G_LR: A 10G Ethernet with LR optics * LINK_TYPE_ETHERNET_100G_LR: A 100G Ethernet with LR optics. Note that this field indicates the speed of each of the links in the bundle, not the speed of the entire bundle. 
+ Possible values: + * LINK_TYPE_ETHERNET_10G_LR + * LINK_TYPE_ETHERNET_100G_LR + + * `interconnect_type`: Type of interconnect, which can take one of the following values: * PARTNER: A partner-managed interconnection shared between customers though a partner. * DEDICATED: A dedicated physical interconnection with the customer. Note that a value IT_PRIVATE has been deprecated in favor of DEDICATED. + Possible values: + * PARTNER + * DEDICATED + + * `interconnect_attachments`: A list of the URLs of all InterconnectAttachments configured to use this Interconnect. + + * `expected_outages`: A list of outages expected for this Interconnect. + + * `name`: Unique identifier for this outage notification. + + * `description`: A description about the purpose of the outage. + + * `source`: The party that generated this notification, which can take the following value: * GOOGLE: this notification as generated by Google. Note that the value of NSRC_GOOGLE has been deprecated in favor of GOOGLE. + Possible values: + * GOOGLE + + * `state`: State of this notification, which can take one of the following values: * ACTIVE: This outage notification is active. The event could be in the past, present, or future.See startTime and endTime for scheduling. * CANCELLED: The outage associated with this notification was cancelled before the outage was due to start. * COMPLETED: The outage associated with this notification is complete. Note that the versions of this enum prefixed with "NS_" have been deprecated in favor of the unprefixed values. + Possible values: + * ACTIVE + * CANCELLED + * COMPLETED + + * `issue_type`: Form this outage is expected to take, which can take one of the following values: * OUTAGE: The Interconnect may be completely out of service for some or all of the specified window. * PARTIAL_OUTAGE: Some circuits comprising the Interconnect as a whole should remain up, but with reduced bandwidth. 
Note that the versions of this enum prefixed with "IT_" have been deprecated in favor of the unprefixed values. + Possible values: + * OUTAGE + * PARTIAL_OUTAGE + + * `affected_circuits`: If issueType is IT_PARTIAL_OUTAGE, a list of the Google-side circuit IDs that will be affected. + + * `start_time`: Scheduled start time for the outage (milliseconds since Unix epoch). + + * `end_time`: Scheduled end time for the outage (milliseconds since Unix epoch). + + * `circuit_infos`: A list of CircuitInfo objects, that describe the individual circuits in this LAG. + + * `google_circuit_id`: Google-assigned unique ID for this circuit. Assigned at circuit turn-up. + + * `google_demarc_id`: Google-assigned unique ID for this circuit. Assigned at circuit turn-up. + + * `customer_demarc_id`: Customer-side demarc ID for this circuit. + + * `satisfies_pzs`: Set to true if the resource satisfies the zone separation organization policy constraints and false otherwise. Defaults to false if the field is not present.' + + +## GCP permissions + +Ensure the [Compute Engine API](https://console.cloud.google.com/apis/library/compute.googleapis.com/) is enabled for the current project. diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_interconnect_attachment.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_interconnect_attachment.md new file mode 100644 index 0000000..308b836 --- /dev/null +++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_interconnect_attachment.md 
@@ -0,0 +1,208 @@
++++
+title = "google_compute_interconnect_attachment resource"
+
+draft = false
+
+
+[menu.gcp]
+title = "google_compute_interconnect_attachment"
+identifier = "inspec/resources/gcp/google_compute_interconnect_attachment resource"
+parent = "inspec/resources/gcp"
++++
+
+Use the `google_compute_interconnect_attachment` InSpec audit resource to to test a Google Cloud InterconnectAttachment resource.
+
+## Examples
+
+```ruby
+describe google_compute_interconnect_attachment(name: ' ', project: 'chef-gcp-inspec', region: ' value_region') do
+ it { should exist }
+ its('kind') { should cmp 'value_kind' }
+ its('description') { should cmp 'value_description' }
+ its('self_link') { should cmp 'value_selflink' }
+ its('self_link_with_id') { should cmp 'value_selflinkwithid' }
+ its('id') { should cmp 'value_id' }
+ its('creation_timestamp') { should cmp 'value_creationtimestamp' }
+ its('name') { should cmp 'value_name' }
+ its('interconnect') { should cmp 'value_interconnect' }
+ its('router') { should cmp 'value_router' }
+ its('region') { should cmp 'value_region' }
+ its('google_reference_id') { should cmp 'value_googlereferenceid' }
+ its('operational_status') { should cmp 'value_operationalstatus' }
+ its('cloud_router_ip_address') { should cmp 'value_cloudrouteripaddress' }
+ its('customer_router_ip_address') { should cmp 'value_customerrouteripaddress' }
+ its('type') { should cmp 'value_type' }
+ its('pairing_key') { should cmp 'value_pairingkey' }
+ its('edge_availability_domain') { should cmp 'value_edgeavailabilitydomain' }
+ its('bandwidth') { should cmp 'value_bandwidth' }
+ its('label_fingerprint') { should cmp 'value_labelfingerprint' }
+ its('state') { should cmp 'value_state' }
+ its('partner_asn') { should cmp 'value_partnerasn' }
+ its('encryption') { should cmp 'value_encryption' }
+ its('stack_type') { should cmp 'value_stacktype' }
+ its('cloud_router_ipv6address') { should cmp 'value_cloudrouteripv6address' }
+ its('customer_router_ipv6address') { should cmp 'value_customerrouteripv6address' }
+ its('cloud_router_ipv6interface_id') { should cmp 'value_cloudrouteripv6interfaceid' }
+ its('customer_router_ipv6interface_id') { should cmp 'value_customerrouteripv6interfaceid' }
+ its('remote_service') { should cmp 'value_remoteservice' }
+
+end
+
+describe google_compute_interconnect_attachment(name: ' ', project: 'chef-gcp-inspec', region: ' value_region') do
+ it { should_not exist }
+end
+```
+
+## Properties
+
+Properties that can be accessed from the `google_compute_interconnect_attachment` resource:
+
+
+ * `kind`: [Output Only] Type of the resource. Always compute#interconnectAttachment for interconnect attachments.
+
+ * `description`: An optional description of this resource.
+
+ * `self_link`: [Output Only] Server-defined URL for the resource.
+
+ * `self_link_with_id`: [Output Only] Server-defined URL for this resource with the resource id.
+
+ * `id`: [Output Only] The unique identifier for the resource. This identifier is defined by the server.
+
+ * `creation_timestamp`: [Output Only] Creation timestamp in RFC3339 text format.
+
+ * `name`: Name of the resource. Provided by the client when the resource is created. The name must be 1-63 characters long, and comply with RFC1035. Specifically, the name must be 1-63 characters long and match the regular expression `[a-z]([-a-z0-9]*[a-z0-9])?` which means the first character must be a lowercase letter, and all following characters must be a dash, lowercase letter, or digit, except the last character, which cannot be a dash.
+
+ * `interconnect`: URL of the underlying Interconnect object that this attachment's traffic will traverse through.
+
+ * `router`: URL of the Cloud Router to be used for dynamic routing. This router must be in the same region as this InterconnectAttachment. The InterconnectAttachment will automatically connect the Interconnect to the network & region within which the Cloud Router is configured.
+
+ * `region`: [Output Only] URL of the region where the regional interconnect attachment resides. You must specify this field as part of the HTTP request URL. It is not settable as a field in the request body.
+
+ * `google_reference_id`: [Output Only] Google reference ID, to be used when raising support tickets with Google or otherwise to debug backend connectivity issues. [Deprecated] This field is not used.
+
+ * `mtu`: Maximum Transmission Unit (MTU), in bytes, of packets passing through this interconnect attachment. Only 1440 and 1500 are allowed. If not specified, the value will default to 1440.
+
+ * `private_interconnect_info`: Information for an interconnect attachment when this belongs to an interconnect of type DEDICATED.
+
+ * `tag8021q`: [Output Only] 802.1q encapsulation tag to be used for traffic between Google and the customer, going to and from this network and region.
+
+ * `operational_status`: [Output Only] The current status of whether or not this interconnect attachment is functional, which can take one of the following values: - OS_ACTIVE: The attachment has been turned up and is ready to use. - OS_UNPROVISIONED: The attachment is not ready to use yet, because turnup is not complete.
+ Possible values:
+ * OS_ACTIVE
+ * OS_UNPROVISIONED
+
+ * `cloud_router_ip_address`: [Output Only] IPv4 address + prefix length to be configured on Cloud Router Interface for this interconnect attachment.
+
+ * `customer_router_ip_address`: [Output Only] IPv4 address + prefix length to be configured on the customer router subinterface for this interconnect attachment.
+
+ * `type`: The type of interconnect attachment this is, which can take one of the following values: - DEDICATED: an attachment to a Dedicated Interconnect. - PARTNER: an attachment to a Partner Interconnect, created by the customer. - PARTNER_PROVIDER: an attachment to a Partner Interconnect, created by the partner.
+ Possible values:
+ * DEDICATED
+ * PARTNER
+ * PARTNER_PROVIDER
+
+ * `pairing_key`: [Output only for type PARTNER. Input only for PARTNER_PROVIDER. Not present for DEDICATED]. The opaque identifier of a PARTNER attachment used to initiate provisioning with a selected partner. Of the form "XXXXX/region/domain"
+
+ * `admin_enabled`: Determines whether this Attachment will carry packets. Not present for PARTNER_PROVIDER.
+
+ * `vlan_tag8021q`: The IEEE 802.1Q VLAN tag for this attachment, in the range 2-4093. Only specified at creation time.
+
+ * `edge_availability_domain`: Desired availability domain for the attachment. Only available for type PARTNER, at creation time, and can take one of the following values: - AVAILABILITY_DOMAIN_ANY - AVAILABILITY_DOMAIN_1 - AVAILABILITY_DOMAIN_2 For improved reliability, customers should configure a pair of attachments, one per availability domain. The selected availability domain will be provided to the Partner via the pairing key, so that the provisioned circuit will lie in the specified domain. If not specified, the value will default to AVAILABILITY_DOMAIN_ANY.
+ Possible values:
+ * AVAILABILITY_DOMAIN_1
+ * AVAILABILITY_DOMAIN_2
+ * AVAILABILITY_DOMAIN_ANY
+
+ * `candidate_subnets`: Up to 16 candidate prefixes that can be used to restrict the allocation of cloudRouterIpAddress and customerRouterIpAddress for this attachment. All prefixes must be within link-local address space (169.254.0.0/16) and must be /29 or shorter (/28, /27, etc). Google will attempt to select an unused /29 from the supplied candidate prefix(es). The request will fail if all possible /29s are in use on Google's edge. If not supplied, Google will randomly select an unused /29 from all of link-local space.
+
+ * `bandwidth`: Provisioned bandwidth capacity for the interconnect attachment. For attachments of type DEDICATED, the user can set the bandwidth. For attachments of type PARTNER, the Google Partner that is operating the interconnect must set the bandwidth. Output only for PARTNER type, mutable for PARTNER_PROVIDER and DEDICATED, and can take one of the following values: - BPS_50M: 50 Mbit/s - BPS_100M: 100 Mbit/s - BPS_200M: 200 Mbit/s - BPS_300M: 300 Mbit/s - BPS_400M: 400 Mbit/s - BPS_500M: 500 Mbit/s - BPS_1G: 1 Gbit/s - BPS_2G: 2 Gbit/s - BPS_5G: 5 Gbit/s - BPS_10G: 10 Gbit/s - BPS_20G: 20 Gbit/s - BPS_50G: 50 Gbit/s
+ Possible values:
+ * BPS_100M
+ * BPS_10G
+ * BPS_1G
+ * BPS_200M
+ * BPS_20G
+ * BPS_2G
+ * BPS_300M
+ * BPS_400M
+ * BPS_500M
+ * BPS_50G
+ * BPS_50M
+ * BPS_5G
+
+ * `partner_metadata`: Informational metadata about Partner attachments from Partners to display to customers. These fields are propagated from PARTNER_PROVIDER attachments to their corresponding PARTNER attachments.
+
+ * `partner_name`: Plain text name of the Partner providing this attachment. This value may be validated to match approved Partner values.
+
+ * `interconnect_name`: Plain text name of the Interconnect this attachment is connected to, as displayed in the Partner's portal. For instance "Chicago 1". This value may be validated to match approved Partner values.
+
+ * `portal_url`: URL of the Partner's portal for this Attachment. Partners may customise this to be a deep link to the specific resource on the Partner portal. This value may be validated to match approved Partner values.
+
+ * `labels`: Labels for this resource. These can only be added or modified by the setLabels method. Each label key/value pair must comply with RFC1035. Label values may be empty.
+
+ * `additional_properties`:
+
+ * `label_fingerprint`: A fingerprint for the labels being applied to this InterconnectAttachment, which is essentially a hash of the labels set used for optimistic locking. The fingerprint is initially generated by Compute Engine and changes after every request to modify or update labels. You must always provide an up-to-date fingerprint hash in order to update or change labels, otherwise the request will fail with error 412 conditionNotMet. To see the latest fingerprint, make a get() request to retrieve an InterconnectAttachment.
+
+ * `state`: [Output Only] The current state of this attachment's functionality. Enum values ACTIVE and UNPROVISIONED are shared by DEDICATED/PRIVATE, PARTNER, and PARTNER_PROVIDER interconnect attachments, while enum values PENDING_PARTNER, PARTNER_REQUEST_RECEIVED, and PENDING_CUSTOMER are used for only PARTNER and PARTNER_PROVIDER interconnect attachments. This state can take one of the following values: - ACTIVE: The attachment has been turned up and is ready to use. - UNPROVISIONED: The attachment is not ready to use yet, because turnup is not complete. - PENDING_PARTNER: A newly-created PARTNER attachment that has not yet been configured on the Partner side. - PARTNER_REQUEST_RECEIVED: A PARTNER attachment is in the process of provisioning after a PARTNER_PROVIDER attachment was created that references it. - PENDING_CUSTOMER: A PARTNER or PARTNER_PROVIDER attachment that is waiting for a customer to activate it. - DEFUNCT: The attachment was deleted externally and is no longer functional. This could be because the associated Interconnect was removed, or because the other side of a Partner attachment was deleted.
+ Possible values:
+ * ACTIVE
+ * DEFUNCT
+ * PARTNER_REQUEST_RECEIVED
+ * PENDING_CUSTOMER
+ * PENDING_PARTNER
+ * STATE_UNSPECIFIED
+ * UNPROVISIONED
+
+ * `partner_asn`: Optional BGP ASN for the router supplied by a Layer 3 Partner if they configured BGP on behalf of the customer. Output only for PARTNER type, input only for PARTNER_PROVIDER, not available for DEDICATED.
+
+ * `encryption`: Indicates the user-supplied encryption option of this VLAN attachment (interconnectAttachment). Can only be specified at attachment creation for PARTNER or DEDICATED attachments. Possible values are: - NONE - This is the default value, which means that the VLAN attachment carries unencrypted traffic. VMs are able to send traffic to, or receive traffic from, such a VLAN attachment. - IPSEC - The VLAN attachment carries only encrypted traffic that is encrypted by an IPsec device, such as an HA VPN gateway or third-party IPsec VPN. VMs cannot directly send traffic to, or receive traffic from, such a VLAN attachment. To use *HA VPN over Cloud Interconnect*, the VLAN attachment must be created with this option.
+ Possible values:
+ * IPSEC
+ * NONE
+
+ * `ipsec_internal_addresses`: A list of URLs of addresses that have been reserved for the VLAN attachment. Used only for the VLAN attachment that has the encryption option as IPSEC. The addresses must be regional internal IP address ranges. When creating an HA VPN gateway over the VLAN attachment, if the attachment is configured to use a regional internal IP address, then the VPN gateway's IP address is allocated from the IP address range specified here. For example, if the HA VPN gateway's interface 0 is paired to this VLAN attachment, then a regional internal IP address for the VPN gateway interface 0 will be allocated from the IP address specified for this VLAN attachment. If this field is not specified when creating the VLAN attachment, then later on when creating an HA VPN gateway on this VLAN attachment, the HA VPN gateway's IP address is allocated from the regional external IP address pool.
+
+ * `dataplane_version`: [Output Only] Dataplane version for this InterconnectAttachment. This field is only present for Dataplane version 2 and higher. Absence of this field in the API output indicates that the Dataplane is version 1.
+
+ * `satisfies_pzs`: [Output Only] Reserved for future use.
+
+ * `stack_type`: The stack type for this interconnect attachment to identify whether the IPv6 feature is enabled or not. If not specified, IPV4_ONLY will be used. This field can be both set at interconnect attachments creation and update interconnect attachment operations.
+ Possible values:
+ * IPV4_IPV6
+ * IPV4_ONLY
+
+ * `cloud_router_ipv6_address`: [Output Only] IPv6 address + prefix length to be configured on Cloud Router Interface for this interconnect attachment.
+
+ * `customer_router_ipv6_address`: [Output Only] IPv6 address + prefix length to be configured on the customer router subinterface for this interconnect attachment.
+
+ * `candidate_ipv6_subnets`: This field is not available.
+
+ * `cloud_router_ipv6_interface_id`: This field is not available.
+
+ * `customer_router_ipv6_interface_id`: This field is not available.
+
+ * `subnet_length`: Length of the IPv4 subnet mask. Allowed values: - 29 (default) - 30 The default value is 29, except for Cross-Cloud Interconnect connections that use an InterconnectRemoteLocation with a constraints.subnetLengthRange.min equal to 30. For example, connections that use an Azure remote location fall into this category. In these cases, the default value is 30, and requesting 29 returns an error. Where both 29 and 30 are allowed, 29 is preferred, because it gives Google Cloud Support more debugging visibility.
+
+ * `remote_service`: [Output Only] If the attachment is on a Cross-Cloud Interconnect connection, this field contains the interconnect's remote location service provider. Example values: "Amazon Web Services" "Microsoft Azure". The field is set only for attachments on Cross-Cloud Interconnect connections. Its value is copied from the InterconnectRemoteLocation remoteService field.
+
+ * `configuration_constraints`:
+
+ * `bgp_md5`: [Output Only] Whether the attachment's BGP session requires/allows/disallows BGP MD5 authentication. This can take one of the following values: MD5_OPTIONAL, MD5_REQUIRED, MD5_UNSUPPORTED. For example, a Cross-Cloud Interconnect connection to a remote cloud provider that requires BGP MD5 authentication has the interconnectRemoteLocation attachment_configuration_constraints.bgp_md5 field set to MD5_REQUIRED, and that property is propagated to the attachment. Similarly, if BGP MD5 is MD5_UNSUPPORTED, an error is returned if MD5 is requested.
+ Possible values:
+ * MD5_OPTIONAL
+ * MD5_REQUIRED
+ * MD5_UNSUPPORTED
+
+ * `bgp_peer_asn_ranges`: [Output Only] List of ASN ranges that the remote location is known to support. Formatted as an array of inclusive ranges {min: min-value, max: max-value}. For example, [{min: 123, max: 123}, {min: 64512, max: 65534}] allows the peer ASN to be 123 or anything in the range 64512-65534. This field is only advisory. Although the API accepts other ranges, these are the ranges that we recommend.
+
+ * `min`:
+
+ * `max`:
+
+ * `multicast_enabled`: Whether or not to permit multicast traffic for this attachment. Multicast packets will be dropped if this is not enabled.
+
+
+## GCP permissions
+
+Ensure the [Compute Engine API](https://console.cloud.google.com/apis/library/compute.googleapis.com/) is enabled for the current project.
diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_interconnect_attachments.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_interconnect_attachments.md
new file mode 100644
index 0000000..cb28533
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_interconnect_attachments.md
@@ -0,0 +1,79 @@
++++
+title = "google_compute_interconnect_attachments resource"
+
+draft = false
+
+
+[menu.gcp]
+title = "google_compute_interconnect_attachments"
+identifier = "inspec/resources/gcp/google_compute_interconnect_attachments resource"
+parent = "inspec/resources/gcp"
++++
+
+Use the `google_compute_interconnect_attachments` InSpec audit resource to to test a Google Cloud InterconnectAttachment resource.
+
+## Examples
+
+```ruby
+ describe google_compute_interconnect_attachments(project: 'chef-gcp-inspec', region: ' value_region') do
+ it { should exist }
+ end
+```
+
+## Properties
+
+Properties that can be accessed from the `google_compute_interconnect_attachments` resource:
+
+See [google_compute_interconnect_attachment](google_compute_interconnect_attachment) for more detailed information.
+
+ * `kinds`: an array of `google_compute_interconnect_attachment` kind
+ * `descriptions`: an array of `google_compute_interconnect_attachment` description
+ * `self_links`: an array of `google_compute_interconnect_attachment` self_link
+ * `self_link_with_ids`: an array of `google_compute_interconnect_attachment` self_link_with_id
+ * `ids`: an array of `google_compute_interconnect_attachment` id
+ * `creation_timestamps`: an array of `google_compute_interconnect_attachment` creation_timestamp
+ * `names`: an array of `google_compute_interconnect_attachment` name
+ * `interconnects`: an array of `google_compute_interconnect_attachment` interconnect
+ * `routers`: an array of `google_compute_interconnect_attachment` router
+ * `regions`: an array of `google_compute_interconnect_attachment` region
+ * `google_reference_ids`: an array of `google_compute_interconnect_attachment` google_reference_id
+ * `mtus`: an array of `google_compute_interconnect_attachment` mtu
+ * `private_interconnect_infos`: an array of `google_compute_interconnect_attachment` private_interconnect_info
+ * `operational_statuses`: an array of `google_compute_interconnect_attachment` operational_status
+ * `cloud_router_ip_addresses`: an array of `google_compute_interconnect_attachment` cloud_router_ip_address
+ * `customer_router_ip_addresses`: an array of `google_compute_interconnect_attachment` customer_router_ip_address
+ * `types`: an array of `google_compute_interconnect_attachment` type
+ * `pairing_keys`: an array of `google_compute_interconnect_attachment` pairing_key
+ * `admin_enableds`: an array of `google_compute_interconnect_attachment` admin_enabled
+ * `vlan_tag8021qs`: an array of `google_compute_interconnect_attachment` vlan_tag8021q
+ * `edge_availability_domains`: an array of `google_compute_interconnect_attachment` edge_availability_domain
+ * `candidate_subnets`: an array of `google_compute_interconnect_attachment` candidate_subnets
+ * `bandwidths`: an array of `google_compute_interconnect_attachment` bandwidth
+ * `partner_metadata`: an array of `google_compute_interconnect_attachment` partner_metadata
+ * `labels`: an array of `google_compute_interconnect_attachment` labels
+ * `label_fingerprints`: an array of `google_compute_interconnect_attachment` label_fingerprint
+ * `states`: an array of `google_compute_interconnect_attachment` state
+ * `partner_asns`: an array of `google_compute_interconnect_attachment` partner_asn
+ * `encryptions`: an array of `google_compute_interconnect_attachment` encryption
+ * `ipsec_internal_addresses`: an array of `google_compute_interconnect_attachment` ipsec_internal_addresses
+ * `dataplane_versions`: an array of `google_compute_interconnect_attachment` dataplane_version
+ * `satisfies_pzs`: an array of `google_compute_interconnect_attachment` satisfies_pzs
+ * `stack_types`: an array of `google_compute_interconnect_attachment` stack_type
+ * `cloud_router_ipv6_addresses`: an array of `google_compute_interconnect_attachment` cloud_router_ipv6_address
+ * `customer_router_ipv6_addresses`: an array of `google_compute_interconnect_attachment` customer_router_ipv6_address
+ * `candidate_ipv6_subnets`: an array of `google_compute_interconnect_attachment` candidate_ipv6_subnets
+ * `cloud_router_ipv6_interface_ids`: an array of `google_compute_interconnect_attachment` cloud_router_ipv6_interface_id
+ * `customer_router_ipv6_interface_ids`: an array of `google_compute_interconnect_attachment` customer_router_ipv6_interface_id
+ * `subnet_lengths`: an array of `google_compute_interconnect_attachment` subnet_length
+ * `remote_services`: an array of `google_compute_interconnect_attachment` remote_service
+ * `configuration_constraints`: an array of `google_compute_interconnect_attachment` configuration_constraints
+ * `multicast_enableds`: an array of `google_compute_interconnect_attachment` multicast_enabled
+
+## Filter criteria
+
+This resource supports all of the above properties as filter criteria, which can be used
+with `where` as a block or a method.
+
+## GCP permissions
+
+Ensure the [Compute Engine API](https://console.cloud.google.com/apis/library/compute.googleapis.com/) is enabled for the current project.
diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_interconnect_location.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_interconnect_location.md
new file mode 100644
index 0000000..9709740
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_interconnect_location.md
@@ -0,0 +1,58 @@
++++
+title = "google_compute_interconnect_location resource"
+
+draft = false
+
+
+[menu.gcp]
+title = "google_compute_interconnect_location"
+identifier = "inspec/resources/gcp/google_compute_interconnect_location resource"
+parent = "inspec/resources/gcp"
++++
+
+Use the `google_compute_interconnect_location` InSpec audit resource to to test a Google Cloud InterconnectLocation resource.
+
+## Examples
+
+```ruby
+describe google_compute_interconnect_location(project: 'chef-gcp-inspec', name: 'akl-zone1-1353') do
+ it { should exist }
+ its('facility_provider_facility_id') { should eq 'Auckland - Albany' }
+ its('facility_provider') { should eq 'Vocus' }
+end
+
+describe google_compute_interconnect_location(project: 'chef-gcp-inspec', name: 'nonexistent') do
+ it { should_not exist }
+end
+```
+
+## Properties
+
+Properties that can be accessed from the `google_compute_interconnect_location` resource:
+
+
+ * `creation_timestamp`: Creation timestamp in RFC3339 text format.This field is deprecated.
+
+ * `description`: An optional textual description of the resource.
+
+ * `id`: The unique identifier for the resource.
+
+ * `name`: Name of the resource.
+
+ * `availability_zone`: Availability zone for this InterconnectLocation. Within a metropolitan area (metro), maintenance will not be simultaneously scheduled in more than one availability zone. Example: "zone1" or "zone2".
+
+ * `client_operation_id`: The value of requestId if you provided it in the request. Not present otherwise.
+
+ * `facility_provider`: The name of the provider for this facility (e.g., EQUINIX).
+
+ * `facility_provider_facility_id`: A provider-assigned Identifier for this facility (e.g., Ashburn-DC1).
+
+ * `status`: The status of this InterconnectLocation, which can take one of the following values: * CLOSED: The InterconnectLocation is closed and is unavailable for provisioning new Interconnects. * AVAILABLE: The InterconnectLocation is available for provisioning new Interconnects.
+ Possible values:
+ * CLOSED
+ * AVAILABLE
+
+
+## GCP permissions
+
+Ensure the [Compute Engine API](https://console.cloud.google.com/apis/library/compute.googleapis.com/) is enabled for the current project.
diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_interconnect_locations.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_interconnect_locations.md
new file mode 100644
index 0000000..4395623
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_interconnect_locations.md
@@ -0,0 +1,47 @@
++++
+title = "google_compute_interconnect_locations resource"
+
+draft = false
+
+
+[menu.gcp]
+title = "google_compute_interconnect_locations"
+identifier = "inspec/resources/gcp/google_compute_interconnect_locations resource"
+parent = "inspec/resources/gcp"
++++
+
+Use the `google_compute_interconnect_locations` InSpec audit resource to to test a Google Cloud InterconnectLocation resource.
+
+## Examples
+
+```ruby
+describe google_compute_interconnect_locations(project: 'chef-gcp-inspec') do
+ its('names') { should include 'akl-zone1-1353' }
+ its('facility_provider_facility_ids') { should include 'Auckland - Albany' }
+end
+```
+
+## Properties
+
+Properties that can be accessed from the `google_compute_interconnect_locations` resource:
+
+See [google_compute_interconnect_location](google_compute_interconnect_location) for more detailed information.
+
+ * `creation_timestamps`: an array of `google_compute_interconnect_location` creation_timestamp
+ * `descriptions`: an array of `google_compute_interconnect_location` description
+ * `ids`: an array of `google_compute_interconnect_location` id
+ * `names`: an array of `google_compute_interconnect_location` name
+ * `availability_zones`: an array of `google_compute_interconnect_location` availability_zone
+ * `client_operation_ids`: an array of `google_compute_interconnect_location` client_operation_id
+ * `facility_providers`: an array of `google_compute_interconnect_location` facility_provider
+ * `facility_provider_facility_ids`: an array of `google_compute_interconnect_location` facility_provider_facility_id
+ * `statuses`: an array of `google_compute_interconnect_location` status
+
+## Filter criteria
+
+This resource supports all of the above properties as filter criteria, which can be used
+with `where` as a block or a method.
+
+## GCP permissions
+
+Ensure the [Compute Engine API](https://console.cloud.google.com/apis/library/compute.googleapis.com/) is enabled for the current project.
diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_interconnects.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_interconnects.md
new file mode 100644
index 0000000..40519e0
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_interconnects.md
@@ -0,0 +1,58 @@
++++
+title = "google_compute_interconnects resource"
+
+draft = false
+
+
+[menu.gcp]
+title = "google_compute_interconnects"
+identifier = "inspec/resources/gcp/google_compute_interconnects resource"
+parent = "inspec/resources/gcp"
++++
+
+Use the `google_compute_interconnects` InSpec audit resource to to test a Google Cloud Interconnect resource.
+
+## Examples
+
+```ruby
+describe google_compute_interconnects(project: 'chef-gcp-inspec') do
+ it { should exist }
+end
+```
+
+## Properties
+
+Properties that can be accessed from the `google_compute_interconnects` resource:
+
+See [google_compute_interconnect](google_compute_interconnect) for more detailed information.
+
+ * `admin_enableds`: an array of `google_compute_interconnect` admin_enabled
+ * `creation_timestamps`: an array of `google_compute_interconnect` creation_timestamp
+ * `descriptions`: an array of `google_compute_interconnect` description
+ * `locations`: an array of `google_compute_interconnect` location
+ * `ids`: an array of `google_compute_interconnect` id
+ * `names`: an array of `google_compute_interconnect` name
+ * `noc_contact_emails`: an array of `google_compute_interconnect` noc_contact_email
+ * `peer_ip_addresses`: an array of `google_compute_interconnect` peer_ip_address
+ * `google_ip_addresses`: an array of `google_compute_interconnect` google_ip_address
+ * `client_operation_ids`: an array of `google_compute_interconnect` client_operation_id
+ * `google_reference_ids`: an array of `google_compute_interconnect` google_reference_id
+ * `provisioned_link_counts`: an array of `google_compute_interconnect` provisioned_link_count
+ * `customer_names`: an array of `google_compute_interconnect` customer_name
+ * `requested_link_counts`: an array of `google_compute_interconnect` requested_link_count
+ * `operational_statuses`: an array of `google_compute_interconnect` operational_status
+ * `link_types`: an array of `google_compute_interconnect` link_type
+ * `interconnect_types`: an array of `google_compute_interconnect` interconnect_type
+ * `interconnect_attachments`: an array of `google_compute_interconnect` interconnect_attachments
+ * `expected_outages`: an array of `google_compute_interconnect` expected_outages
+ * `circuit_infos`: an array of `google_compute_interconnect` circuit_infos
+ * `satisfies_pzs`: an array of `google_compute_interconnect` satisfies_pzs
+
+## Filter criteria
+
+This resource supports all of the above properties as filter criteria, which can be used
+with `where` as a block or a method.
+
+## GCP permissions
+
+Ensure the [Compute Engine API](https://console.cloud.google.com/apis/library/compute.googleapis.com/) is enabled for the current project.
diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_license.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_license.md
new file mode 100644
index 0000000..91ba6b2
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_license.md
@@ -0,0 +1,66 @@ + ++++ +title = "google_compute_license resource" + +draft = false + + +[menu.gcp] +title = "google_compute_license" +identifier = "inspec/resources/gcp/google_compute_license resource" +parent = "inspec/resources/gcp" ++++ + +Use the `google_compute_license` InSpec audit resource to to test a Google Cloud License resource. + +## Examples + +```ruby +describe google_compute_license(name: 'value_license_id', project: 'chef-gcp-inspec', region: ' value_region') do + it { should exist } + its('kind') { should cmp 'value_kind' } + its('name') { should cmp 'value_name' } + its('id') { should cmp 'value_id' } + its('license_code') { should cmp 'value_licensecode' } + its('creation_timestamp') { should cmp 'value_creationtimestamp' } + its('description') { should cmp 'value_description' } + its('self_link') { should cmp 'value_selflink' } +end +describe google_compute_license(name: 'value_license_id', project: 'chef-gcp-inspec', region: ' value_region') do + it { should_not exist } +end +``` + +## Properties + +Properties that can be accessed from the `google_compute_license` resource: + + + * `kind`: [Output Only] Type of resource. Always compute#license for licenses. + + * `name`: Name of the resource. The name must be 1-63 characters long and comply with RFC1035. + + * `charges_use_fee`: [Output Only] Deprecated. This field no longer reflects whether a license charges a usage fee. + + * `id`: [Output Only] The unique identifier for the resource. This identifier is defined by the server. + + * `license_code`: [Output Only] The unique code used to attach this license to images, snapshots, and disks. + + * `creation_timestamp`: [Output Only] Creation timestamp in RFC3339 text format. + + * `description`: An optional textual description of the resource; provided by the client when the resource is created. 
+ + * `transferable`: If false, licenses will not be copied from the source resource when creating an image from a disk, disk from snapshot, or snapshot from disk. + + * `self_link`: [Output Only] Server-defined URL for the resource. + + * `resource_requirements`: + + * `min_guest_cpu_count`: Minimum number of guest cpus required to use the Instance. Enforced at Instance creation and Instance start. + + * `min_memory_mb`: Minimum memory required to use the Instance. Enforced at Instance creation and Instance start. + + +## GCP permissions + +Ensure the [Compute Engine API](https://console.cloud.google.com/apis/library/compute.googleapis.com/) is enabled for the current project. diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_license_code.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_license_code.md new file mode 100644 index 0000000..ddf0698 --- /dev/null +++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_license_code.md 
@@ -0,0 +1,53 @@ ++++ +title = "google_compute_license_code resource" + +draft = false + + +[menu.gcp] +title = "google_compute_license_code" +identifier = "inspec/resources/gcp/google_compute_license_code resource" +parent = "inspec/resources/gcp" ++++ + +Use the `google_compute_license_code` InSpec audit resource to to test a Google Cloud LicenseCode resource. + +## Examples + +```ruby +describe google_compute_license_code(project: 'chef-gcp-inspec', name: 'akl-zone1-1353') do + it { should exist } +end + +describe google_compute_license_code(project: 'chef-gcp-inspec', name: 'nonexistent') do + it { should_not exist } +end +``` + +## Properties + +Properties that can be accessed from the `google_compute_license_code` resource: + + + * `creation_timestamp`: Creation timestamp in RFC3339 text format.This field is deprecated. + + * `description`: An optional textual description of the resource. + + * `id`: The unique identifier for the resource. + + * `name`: Name of the resource. + + * `transferable`: If true, the license will remain attached when creating images or snapshots from disks.Otherwise, the license is not transferred. + + * `state`: Current state of this License Code. + + * `license_alias`: URL and description aliases of Licenses with the same License Code. + + * `self_link`: Server-defined, fully qualified URL for this resource. + + * `description`: Description of this License Code. + + +## GCP permissions + +Ensure the [Compute Engine API](https://console.cloud.google.com/apis/library/compute.googleapis.com/) is enabled for the current project. diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_licenses.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_licenses.md new file mode 100644 index 0000000..634dbf5 --- /dev/null +++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_licenses.md 
@@ -0,0 +1,47 @@ ++++ +title = "google_compute_licenses resource" + +draft = false + + +[menu.gcp] +title = "google_compute_licenses" +identifier = "inspec/resources/gcp/google_compute_licenses resource" +parent = "inspec/resources/gcp" ++++ + +Use the `google_compute_licenses` InSpec audit resource to to test a Google Cloud License resource. + +## Examples + +```ruby + describe google_compute_licenses(project: 'chef-gcp-inspec', region: ' value_region') do + it { should exist } + end +``` + +## Properties + +Properties that can be accessed from the `google_compute_licenses` resource: + +See [google_compute_license](google_compute_license) for more detailed information. + + * `kinds`: an array of `google_compute_license` kind + * `names`: an array of `google_compute_license` name + * `charges_use_fees`: an array of `google_compute_license` charges_use_fee + * `ids`: an array of `google_compute_license` id + * `license_codes`: an array of `google_compute_license` license_code + * `creation_timestamps`: an array of `google_compute_license` creation_timestamp + * `descriptions`: an array of `google_compute_license` description + * `transferables`: an array of `google_compute_license` transferable + * `self_links`: an array of `google_compute_license` self_link + * `resource_requirements`: an array of `google_compute_license` resource_requirements + +## Filter criteria + +This resource supports all of the above properties as filter criteria, which can be used +with `where` as a block or a method. + +## GCP permissions + +Ensure the [Compute Engine API](https://console.cloud.google.com/apis/library/compute.googleapis.com/) is enabled for the current project. diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_machine_image.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_machine_image.md new file mode 100644 index 0000000..44f4581 --- /dev/null 
+++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_machine_image.md 
@@ -0,0 +1,828 @@ ++++ +title = "google_compute_machine_image resource" + +draft = false + + +[menu.gcp] +title = "google_compute_machine_image" +identifier = "inspec/resources/gcp/google_compute_machine_image resource" +parent = "inspec/resources/gcp" ++++ + +Use the `google_compute_machine_image` InSpec audit resource to to test a Google Cloud MachineImage resource. + +## Examples + +```ruby +describe google_compute_machine_image(name: 'value_name', project: 'chef-gcp-inspec') do + it { should exist } + its('kind') { should cmp 'value_kind' } + its('id') { should cmp 'value_id' } + its('creation_timestamp') { should cmp 'value_creationtimestamp' } + its('name') { should cmp 'value_name' } + its('description') { should cmp 'value_description' } + its('self_link') { should cmp 'value_selflink' } + its('source_instance') { should cmp 'value_sourceinstance' } + its('status') { should cmp 'value_status' } + its('total_storage_bytes') { should cmp 'value_totalstoragebytes' } + +end + +describe google_compute_machine_image(name: 'value_name', project: 'chef-gcp-inspec') do + it { should_not exist } +end +``` + +## Properties + +Properties that can be accessed from the `google_compute_machine_image` resource: + + + * `kind`: [Output Only] The resource type, which is always compute#machineImage for machine image. + + * `id`: [Output Only] A unique identifier for this machine image. The server defines this identifier. + + * `creation_timestamp`: [Output Only] The creation timestamp for this machine image in RFC3339 text format. + + * `name`: Name of the resource; provided by the client when the resource is created. The name must be 1-63 characters long, and comply with RFC1035. Specifically, the name must be 1-63 characters long and match the regular expression `[a-z]([-a-z0-9]*[a-z0-9])?` which means the first character must be a lowercase letter, and all following characters must be a dash, lowercase letter, or digit, except the last character, which cannot be a dash. 
+ + * `description`: An optional description of this resource. Provide this property when you create the resource. + + * `self_link`: [Output Only] The URL for this machine image. The server defines this URL. + + * `source_instance`: The source instance used to create the machine image. You can provide this as a partial or full URL to the resource. For example, the following are valid values: - https://www.googleapis.com/compute/v1/projects/project/zones/zone /instances/instance - projects/project/zones/zone/instances/instance + + * `status`: [Output Only] The status of the machine image. One of the following values: INVALID, CREATING, READY, DELETING, and UPLOADING. + Possible values: + * CREATING + * DELETING + * INVALID + * READY + * UPLOADING + + * `source_instance_properties`: DEPRECATED: Please use compute#instanceProperties instead. New properties will not be added to this field. + + * `description`: An optional text description for the instances that are created from this machine image. + + * `tags`: A set of instance tags. + + * `items`: An array of tags. Each tag must be 1-63 characters long, and comply with RFC1035. + + * `fingerprint`: Specifies a fingerprint for this request, which is essentially a hash of the tags' contents and used for optimistic locking. The fingerprint is initially generated by Compute Engine and changes after every request to modify or update tags. You must always provide an up-to-date fingerprint hash in order to update or change tags. To see the latest fingerprint, make get() request to the instance. + + * `machine_type`: The machine type to use for instances that are created from this machine image. + + * `can_ip_forward`: Enables instances created based on this machine image to send packets with source IP addresses other than their own and receive packets with destination IP addresses other than their own. If these instances will be used as an IP gateway or it will be set as the next-hop in a Route resource, specify true. 
If unsure, leave this set to false. See the Enable IP forwarding documentation for more information. + + * `network_interfaces`: An array of network access configurations for this interface. + + * `kind`: [Output Only] Type of the resource. Always compute#networkInterface for network interfaces. + + * `network`: URL of the VPC network resource for this instance. When creating an instance, if neither the network nor the subnetwork is specified, the default network global/networks/default is used. If the selected project doesn't have the default network, you must specify a network or subnet. If the network is not specified but the subnetwork is specified, the network is inferred. If you specify this property, you can specify the network as a full or partial URL. For example, the following are all valid URLs: - https://www.googleapis.com/compute/v1/projects/project/global/networks/ network - projects/project/global/networks/network - global/networks/default + + * `subnetwork`: The URL of the Subnetwork resource for this instance. If the network resource is in legacy mode, do not specify this field. If the network is in auto subnet mode, specifying the subnetwork is optional. If the network is in custom subnet mode, specifying the subnetwork is required. If you specify this field, you can specify the subnetwork as a full or partial URL. For example, the following are all valid URLs: - https://www.googleapis.com/compute/v1/projects/project/regions/region /subnetworks/subnetwork - regions/region/subnetworks/subnetwork + + * `network_ip`: An IPv4 internal IP address to assign to the instance for this network interface. If not specified by the user, an unused internal IP is assigned by the system. + + * `ipv6_address`: An IPv6 internal network address for this network interface. To use a static internal IP address, it must be unused and in the same region as the instance's zone. 
If not specified, Google Cloud will automatically assign an internal IPv6 address from the instance's subnetwork. + + * `internal_ipv6_prefix_length`: The prefix length of the primary internal IPv6 range. + + * `name`: [Output Only] The name of the network interface, which is generated by the server. For a VM, the network interface uses the nicN naming format. Where N is a value between 0 and 7. The default interface value is nic0. + + * `access_configs`: An array of configurations for this interface. Currently, only one access config, ONE_TO_ONE_NAT, is supported. If there are no accessConfigs specified, then this instance will have no external internet access. + + * `kind`: [Output Only] Type of the resource. Always compute#accessConfig for access configs. + + * `type`: The type of configuration. In accessConfigs (IPv4), the default and only option is ONE_TO_ONE_NAT. In ipv6AccessConfigs, the default and only option is DIRECT_IPV6. + Possible values: + * DIRECT_IPV6 + * ONE_TO_ONE_NAT + + * `name`: The name of this access configuration. In accessConfigs (IPv4), the default and recommended name is External NAT, but you can use any arbitrary string, such as My external IP or Network Access. In ipv6AccessConfigs, the recommend name is External IPv6. + + * `nat_ip`: Applies to accessConfigs (IPv4) only. An external IP address associated with this instance. Specify an unused static external IP address available to the project or leave this field undefined to use an IP from a shared ephemeral IP address pool. If you specify a static external IP address, it must live in the same region as the zone of the instance. + + * `external_ipv6`: Applies to ipv6AccessConfigs only. The first IPv6 address of the external IPv6 range associated with this instance, prefix length is stored in externalIpv6PrefixLength in ipv6AccessConfig. To use a static external IP address, it must be unused and in the same region as the instance's zone. 
If not specified, Google Cloud will automatically assign an external IPv6 address from the instance's subnetwork. + + * `external_ipv6_prefix_length`: Applies to ipv6AccessConfigs only. The prefix length of the external IPv6 range. + + * `set_public_ptr`: Specifies whether a public DNS 'PTR' record should be created to map the external IP address of the instance to a DNS domain name. This field is not used in ipv6AccessConfig. A default PTR record will be created if the VM has external IPv6 range associated. + + * `public_ptr_domain_name`: The DNS domain name for the public PTR record. You can set this field only if the `setPublicPtr` field is enabled in accessConfig. If this field is unspecified in ipv6AccessConfig, a default PTR record will be createc for first IP in associated external IPv6 range. + + * `network_tier`: This signifies the networking tier used for configuring this access configuration and can only take the following values: PREMIUM, STANDARD. If an AccessConfig is specified without a valid external IP address, an ephemeral IP will be created with this networkTier. If an AccessConfig with a valid external IP address is specified, it must match that of the networkTier associated with the Address resource owning that IP. + Possible values: + * FIXED_STANDARD + * PREMIUM + * STANDARD + * STANDARD_OVERRIDES_FIXED_STANDARD + + * `security_policy`: [Output Only] The resource URL for the security policy associated with this access config. + + * `ipv6_access_configs`: An array of IPv6 access configurations for this interface. Currently, only one IPv6 access config, DIRECT_IPV6, is supported. If there is no ipv6AccessConfig specified, then this instance will have no external IPv6 Internet access. + + * `kind`: [Output Only] Type of the resource. Always compute#accessConfig for access configs. + + * `type`: The type of configuration. In accessConfigs (IPv4), the default and only option is ONE_TO_ONE_NAT. 
In ipv6AccessConfigs, the default and only option is DIRECT_IPV6. + Possible values: + * DIRECT_IPV6 + * ONE_TO_ONE_NAT + + * `name`: The name of this access configuration. In accessConfigs (IPv4), the default and recommended name is External NAT, but you can use any arbitrary string, such as My external IP or Network Access. In ipv6AccessConfigs, the recommend name is External IPv6. + + * `nat_ip`: Applies to accessConfigs (IPv4) only. An external IP address associated with this instance. Specify an unused static external IP address available to the project or leave this field undefined to use an IP from a shared ephemeral IP address pool. If you specify a static external IP address, it must live in the same region as the zone of the instance. + + * `external_ipv6`: Applies to ipv6AccessConfigs only. The first IPv6 address of the external IPv6 range associated with this instance, prefix length is stored in externalIpv6PrefixLength in ipv6AccessConfig. To use a static external IP address, it must be unused and in the same region as the instance's zone. If not specified, Google Cloud will automatically assign an external IPv6 address from the instance's subnetwork. + + * `external_ipv6_prefix_length`: Applies to ipv6AccessConfigs only. The prefix length of the external IPv6 range. + + * `set_public_ptr`: Specifies whether a public DNS 'PTR' record should be created to map the external IP address of the instance to a DNS domain name. This field is not used in ipv6AccessConfig. A default PTR record will be created if the VM has external IPv6 range associated. + + * `public_ptr_domain_name`: The DNS domain name for the public PTR record. You can set this field only if the `setPublicPtr` field is enabled in accessConfig. If this field is unspecified in ipv6AccessConfig, a default PTR record will be createc for first IP in associated external IPv6 range. 
+ + * `network_tier`: This signifies the networking tier used for configuring this access configuration and can only take the following values: PREMIUM, STANDARD. If an AccessConfig is specified without a valid external IP address, an ephemeral IP will be created with this networkTier. If an AccessConfig with a valid external IP address is specified, it must match that of the networkTier associated with the Address resource owning that IP. + Possible values: + * FIXED_STANDARD + * PREMIUM + * STANDARD + * STANDARD_OVERRIDES_FIXED_STANDARD + + * `security_policy`: [Output Only] The resource URL for the security policy associated with this access config. + + * `alias_ip_ranges`: An array of alias IP ranges for this network interface. You can only specify this field for network interfaces in VPC networks. + + * `ip_cidr_range`: The IP alias ranges to allocate for this interface. This IP CIDR range must belong to the specified subnetwork and cannot contain IP addresses reserved by system or used by other network interfaces. This range may be a single IP address (such as 10.2.3.4), a netmask (such as /24) or a CIDR-formatted string (such as 10.1.2.0/24). + + * `subnetwork_range_name`: The name of a subnetwork secondary IP range from which to allocate an IP alias range. If not specified, the primary range of the subnetwork is used. + + * `fingerprint`: Fingerprint hash of contents stored in this network interface. This field will be ignored when inserting an Instance or adding a NetworkInterface. An up-to-date fingerprint must be provided in order to update the NetworkInterface. The request will fail with error 400 Bad Request if the fingerprint is not provided, or 412 Precondition Failed if the fingerprint is out of date. + + * `stack_type`: The stack type for this network interface. To assign only IPv4 addresses, use IPV4_ONLY. To assign both IPv4 and IPv6 addresses, use IPV4_IPV6. If not specified, IPV4_ONLY is used. 
This field can be both set at instance creation and update network interface operations. + Possible values: + * IPV4_IPV6 + * IPV4_ONLY + + * `ipv6_access_type`: [Output Only] One of EXTERNAL, INTERNAL to indicate whether the IP can be accessed from the Internet. This field is always inherited from its subnetwork. Valid only if stackType is IPV4_IPV6. + Possible values: + * EXTERNAL + * INTERNAL + + * `queue_count`: The networking queue count that's specified by users for the network interface. Both Rx and Tx queues will be set to this number. It'll be empty if not specified by the users. + + * `nic_type`: The type of vNIC to be used on this interface. This may be gVNIC or VirtioNet. + Possible values: + * GVNIC + * UNSPECIFIED_NIC_TYPE + * VIRTIO_NET + + * `network_attachment`: The URL of the network attachment that this interface should connect to in the following format: projects/{project_number}/regions/{region_name}/networkAttachments/{network_attachment_name}. + + * `disks`: An array of disks that are associated with the instances that are created from this machine image. + + * `kind`: [Output Only] Type of the resource. Always compute#attachedDisk for attached disks. + + * `type`: Specifies the type of the attached disk, either SCRATCH or PERSISTENT. + Possible values: + * PERSISTENT + * SCRATCH + + * `mode`: The mode in which this disk is attached to the source instance, either READ_WRITE or READ_ONLY. + Possible values: + * READ_ONLY + * READ_WRITE + + * `source`: Specifies a URL of the disk attached to the source instance. + + * `device_name`: Specifies the name of the disk attached to the source instance. + + * `index`: Specifies zero-based index of the disk that is attached to the source instance. + + * `boot`: Indicates that this is a boot disk. The virtual machine will use the first partition of the disk for its root filesystem. 
+ + * `auto_delete`: Specifies whether the disk will be auto-deleted when the instance is deleted (but not when the disk is detached from the instance). + + * `licenses`: [Output Only] Any valid publicly visible licenses. + + * `interface`: Specifies the disk interface to use for attaching this disk, which is either SCSI or NVME. + Possible values: + * NVME + * SCSI + + * `guest_os_features`: A list of features to enable on the guest operating system. Applicable only for bootable images. Read Enabling guest operating system features to see a list of available options. + + * `type`: The ID of a supported feature. To add multiple values, use commas to separate values. Set to one or more of the following values: - VIRTIO_SCSI_MULTIQUEUE - WINDOWS - MULTI_IP_SUBNET - UEFI_COMPATIBLE - GVNIC - SEV_CAPABLE - SUSPEND_RESUME_COMPATIBLE - SEV_LIVE_MIGRATABLE - SEV_SNP_CAPABLE For more information, see Enabling guest operating system features. + Possible values: + * FEATURE_TYPE_UNSPECIFIED + * GVNIC + * MULTI_IP_SUBNET + * SECURE_BOOT + * SEV_CAPABLE + * SEV_LIVE_MIGRATABLE + * SEV_LIVE_MIGRATABLE_V2 + * SEV_SNP_CAPABLE + * UEFI_COMPATIBLE + * VIRTIO_SCSI_MULTIQUEUE + * WINDOWS + + * `disk_encryption_key`: + + * `raw_key`: Specifies a 256-bit customer-supplied encryption key, encoded in RFC 4648 base64 to either encrypt or decrypt this resource. You can provide either the rawKey or the rsaEncryptedKey. For example: "rawKey": "SGVsbG8gZnJvbSBHb29nbGUgQ2xvdWQgUGxhdGZvcm0=" + + * `rsa_encrypted_key`: Specifies an RFC 4648 base64 encoded, RSA-wrapped 2048-bit customer-supplied encryption key to either encrypt or decrypt this resource. You can provide either the rawKey or the rsaEncryptedKey. 
For example: "rsaEncryptedKey": "ieCx/NcW06PcT7Ep1X6LUTc/hLvUDYyzSZPPVCVPTVEohpeHASqC8uw5TzyO9U+Fka9JFH z0mBibXUInrC/jEk014kCK/NPjYgEMOyssZ4ZINPKxlUh2zn1bV+MCaTICrdmuSBTWlUUiFoD D6PYznLwh8ZNdaheCeZ8ewEXgFQ8V+sDroLaN3Xs3MDTXQEMMoNUXMCZEIpg9Vtp9x2oe==" The key must meet the following requirements before you can provide it to Compute Engine: 1. The key is wrapped using a RSA public key certificate provided by Google. 2. After being wrapped, the key must be encoded in RFC 4648 base64 encoding. Gets the RSA public key certificate provided by Google at: https://cloud-certs.storage.googleapis.com/google-cloud-csek-ingress.pem + + * `kms_key_name`: The name of the encryption key that is stored in Google Cloud KMS. For example: "kmsKeyName": "projects/kms_project_id/locations/region/keyRings/ key_region/cryptoKeys/key The fully-qualifed key name may be returned for resource GET requests. For example: "kmsKeyName": "projects/kms_project_id/locations/region/keyRings/ key_region/cryptoKeys/key /cryptoKeyVersions/1 + + * `sha256`: [Output only] The RFC 4648 base64 encoded SHA-256 hash of the customer-supplied encryption key that protects this resource. + + * `kms_key_service_account`: The service account being used for the encryption request for the given KMS key. If absent, the Compute Engine default service account is used. For example: "kmsKeyServiceAccount": "name@project_id.iam.gserviceaccount.com/ + + * `disk_size_gb`: The size of the disk in base-2 GB. + + * `storage_bytes`: [Output Only] A size of the storage used by the disk's snapshot by this machine image. + + * `storage_bytes_status`: [Output Only] An indicator whether storageBytes is in a stable state or it is being adjusted as a result of shared storage reallocation. This status can either be UPDATING, meaning the size of the snapshot is being updated, or UP_TO_DATE, meaning the size of the snapshot is up-to-date. 
+ Possible values: + * UPDATING + * UP_TO_DATE + + * `disk_type`: [Output Only] URL of the disk type resource. For example: projects/project /zones/zone/diskTypes/pd-standard or pd-ssd + + * `metadata`: A metadata key/value entry. + + * `kind`: [Output Only] Type of the resource. Always compute#metadata for metadata. + + * `fingerprint`: Specifies a fingerprint for this request, which is essentially a hash of the metadata's contents and used for optimistic locking. The fingerprint is initially generated by Compute Engine and changes after every request to modify or update metadata. You must always provide an up-to-date fingerprint hash in order to update or change metadata, otherwise the request will fail with error 412 conditionNotMet. To see the latest fingerprint, make a get() request to retrieve the resource. + + * `items`: Array of key/value pairs. The total size of all keys and values must be less than 512 KB. + + * `key`: Key for the metadata entry. Keys must conform to the following regexp: [a-zA-Z0-9-_]+, and be less than 128 bytes in length. This is reflected as part of a URL in the metadata server. Additionally, to avoid ambiguity, keys must not conflict with any other metadata keys for the project. + + * `value`: Value for the metadata entry. These are free-form strings, and only have meaning as interpreted by the image running in the instance. The only restriction placed on values is that their size must be less than or equal to 262144 bytes (256 KiB). + + * `service_accounts`: A list of service accounts with specified scopes. Access tokens for these service accounts are available to the instances that are created from this machine image. Use metadata queries to obtain the access tokens for these instances. + + * `email`: Email address of the service account. + + * `scopes`: The list of scopes to be made available for this service account. + + * `scheduling`: Sets the scheduling options for an Instance. 
+ + * `on_host_maintenance`: Defines the maintenance behavior for this instance. For standard instances, the default behavior is MIGRATE. For preemptible instances, the default and only possible behavior is TERMINATE. For more information, see Set VM host maintenance policy. + Possible values: + * MIGRATE + * TERMINATE + + * `automatic_restart`: Specifies whether the instance should be automatically restarted if it is terminated by Compute Engine (not terminated by a user). You can only set the automatic restart option for standard instances. Preemptible instances cannot be automatically restarted. By default, this is set to true so an instance is automatically restarted if it is terminated by Compute Engine. + + * `preemptible`: Defines whether the instance is preemptible. This can only be set during instance creation or while the instance is stopped and therefore, in a `TERMINATED` state. See Instance Life Cycle for more information on the possible instance states. + + * `node_affinities`: A set of node affinity and anti-affinity configurations. Refer to Configuring node affinity for more information. Overrides reservationAffinity. + + * `key`: Corresponds to the label key of Node resource. + + * `operator`: Defines the operation of node selection. Valid operators are IN for affinity and NOT_IN for anti-affinity. + Possible values: + * IN + * NOT_IN + * OPERATOR_UNSPECIFIED + + * `values`: Corresponds to the label values of Node resource. + + * `min_node_cpus`: The minimum number of virtual CPUs this instance will consume when running on a sole-tenant node. + + * `location_hint`: An opaque location hint used to place the instance close to other resources. This field is for use by internal tools that use the public API. + + * `provisioning_model`: Specifies the provisioning model of the instance. + Possible values: + * SPOT + * STANDARD + + * `instance_termination_action`: Specifies the termination action for the instance. 
+ Possible values: + * DELETE + * INSTANCE_TERMINATION_ACTION_UNSPECIFIED + * STOP + + * `local_ssd_recovery_timeout`: A Duration represents a fixed-length span of time represented as a count of seconds and fractions of seconds at nanosecond resolution. It is independent of any calendar and concepts like "day" or "month". Range is approximately 10,000 years. + + * `seconds`: Span of time at a resolution of a second. Must be from 0 to 315,576,000,000 inclusive. Note: these bounds are computed from: 60 sec/min * 60 min/hr * 24 hr/day * 365.25 days/year * 10000 years + + * `nanos`: Span of time that's a fraction of a second at nanosecond resolution. Durations less than one second are represented with a 0 `seconds` field and a positive `nanos` field. Must be from 0 to 999,999,999 inclusive. + + * `labels`: Labels to apply to instances that are created from this machine image. + + * `additional_properties`: + + * `guest_accelerators`: A list of guest accelerator cards' type and count to use for instances created from this machine image. + + * `accelerator_type`: Full or partial URL of the accelerator type resource to attach to this instance. For example: projects/my-project/zones/us-central1-c/acceleratorTypes/nvidia-tesla-p100 If you are creating an instance template, specify only the accelerator name. See GPUs on Compute Engine for a full list of accelerator types. + + * `accelerator_count`: The number of the guest accelerator cards exposed to this instance. + + * `min_cpu_platform`: Minimum cpu/platform to be used by instances created from this machine image. The instance may be scheduled on the specified or newer cpu/platform. Applicable values are the friendly names of CPU platforms, such as minCpuPlatform: "Intel Haswell" or minCpuPlatform: "Intel Sandy Bridge". For more information, read Specifying a Minimum CPU Platform. + + * `deletion_protection`: Whether the instance created from this machine image should be protected against deletion. 
+ + * `key_revocation_action_type`: KeyRevocationActionType of the instance. Supported options are "STOP" and "NONE". The default value is "NONE" if it is not specified. + Possible values: + * KEY_REVOCATION_ACTION_TYPE_UNSPECIFIED + * NONE + * STOP + + * `instance_properties`: + + * `description`: An optional text description for the instances that are created from these properties. + + * `tags`: A set of instance tags. + + * `items`: An array of tags. Each tag must be 1-63 characters long, and comply with RFC1035. + + * `fingerprint`: Specifies a fingerprint for this request, which is essentially a hash of the tags' contents and used for optimistic locking. The fingerprint is initially generated by Compute Engine and changes after every request to modify or update tags. You must always provide an up-to-date fingerprint hash in order to update or change tags. To see the latest fingerprint, make get() request to the instance. + + * `resource_manager_tags`: Resource manager tags to be bound to the instance. Tag keys and values have the same definition as resource manager tags. Keys must be in the format `tagKeys/{tag_key_id}`, and values are in the format `tagValues/456`. The field is ignored (both PUT & PATCH) when empty. + + * `additional_properties`: + + * `machine_type`: The machine type to use for instances that are created from these properties. + + * `can_ip_forward`: Enables instances created based on these properties to send packets with source IP addresses other than their own and receive packets with destination IP addresses other than their own. If these instances will be used as an IP gateway or it will be set as the next-hop in a Route resource, specify true. If unsure, leave this set to false. See the Enable IP forwarding documentation for more information. + + * `network_interfaces`: An array of network access configurations for this interface. + + * `kind`: [Output Only] Type of the resource. Always compute#networkInterface for network interfaces. 
+ + * `network`: URL of the VPC network resource for this instance. When creating an instance, if neither the network nor the subnetwork is specified, the default network global/networks/default is used. If the selected project doesn't have the default network, you must specify a network or subnet. If the network is not specified but the subnetwork is specified, the network is inferred. If you specify this property, you can specify the network as a full or partial URL. For example, the following are all valid URLs: - https://www.googleapis.com/compute/v1/projects/project/global/networks/ network - projects/project/global/networks/network - global/networks/default + + * `subnetwork`: The URL of the Subnetwork resource for this instance. If the network resource is in legacy mode, do not specify this field. If the network is in auto subnet mode, specifying the subnetwork is optional. If the network is in custom subnet mode, specifying the subnetwork is required. If you specify this field, you can specify the subnetwork as a full or partial URL. For example, the following are all valid URLs: - https://www.googleapis.com/compute/v1/projects/project/regions/region /subnetworks/subnetwork - regions/region/subnetworks/subnetwork + + * `network_ip`: An IPv4 internal IP address to assign to the instance for this network interface. If not specified by the user, an unused internal IP is assigned by the system. + + * `ipv6_address`: An IPv6 internal network address for this network interface. To use a static internal IP address, it must be unused and in the same region as the instance's zone. If not specified, Google Cloud will automatically assign an internal IPv6 address from the instance's subnetwork. + + * `internal_ipv6_prefix_length`: The prefix length of the primary internal IPv6 range. + + * `name`: [Output Only] The name of the network interface, which is generated by the server. For a VM, the network interface uses the nicN naming format. 
Where N is a value between 0 and 7. The default interface value is nic0. + + * `access_configs`: An array of configurations for this interface. Currently, only one access config, ONE_TO_ONE_NAT, is supported. If there are no accessConfigs specified, then this instance will have no external internet access. + + * `kind`: [Output Only] Type of the resource. Always compute#accessConfig for access configs. + + * `type`: The type of configuration. In accessConfigs (IPv4), the default and only option is ONE_TO_ONE_NAT. In ipv6AccessConfigs, the default and only option is DIRECT_IPV6. + Possible values: + * DIRECT_IPV6 + * ONE_TO_ONE_NAT + + * `name`: The name of this access configuration. In accessConfigs (IPv4), the default and recommended name is External NAT, but you can use any arbitrary string, such as My external IP or Network Access. In ipv6AccessConfigs, the recommend name is External IPv6. + + * `nat_ip`: Applies to accessConfigs (IPv4) only. An external IP address associated with this instance. Specify an unused static external IP address available to the project or leave this field undefined to use an IP from a shared ephemeral IP address pool. If you specify a static external IP address, it must live in the same region as the zone of the instance. + + * `external_ipv6`: Applies to ipv6AccessConfigs only. The first IPv6 address of the external IPv6 range associated with this instance, prefix length is stored in externalIpv6PrefixLength in ipv6AccessConfig. To use a static external IP address, it must be unused and in the same region as the instance's zone. If not specified, Google Cloud will automatically assign an external IPv6 address from the instance's subnetwork. + + * `external_ipv6_prefix_length`: Applies to ipv6AccessConfigs only. The prefix length of the external IPv6 range. + + * `set_public_ptr`: Specifies whether a public DNS 'PTR' record should be created to map the external IP address of the instance to a DNS domain name. 
This field is not used in ipv6AccessConfig. A default PTR record will be created if the VM has external IPv6 range associated. + + * `public_ptr_domain_name`: The DNS domain name for the public PTR record. You can set this field only if the `setPublicPtr` field is enabled in accessConfig. If this field is unspecified in ipv6AccessConfig, a default PTR record will be createc for first IP in associated external IPv6 range. + + * `network_tier`: This signifies the networking tier used for configuring this access configuration and can only take the following values: PREMIUM, STANDARD. If an AccessConfig is specified without a valid external IP address, an ephemeral IP will be created with this networkTier. If an AccessConfig with a valid external IP address is specified, it must match that of the networkTier associated with the Address resource owning that IP. + Possible values: + * FIXED_STANDARD + * PREMIUM + * STANDARD + * STANDARD_OVERRIDES_FIXED_STANDARD + + * `security_policy`: [Output Only] The resource URL for the security policy associated with this access config. + + * `ipv6_access_configs`: An array of IPv6 access configurations for this interface. Currently, only one IPv6 access config, DIRECT_IPV6, is supported. If there is no ipv6AccessConfig specified, then this instance will have no external IPv6 Internet access. + + * `kind`: [Output Only] Type of the resource. Always compute#accessConfig for access configs. + + * `type`: The type of configuration. In accessConfigs (IPv4), the default and only option is ONE_TO_ONE_NAT. In ipv6AccessConfigs, the default and only option is DIRECT_IPV6. + Possible values: + * DIRECT_IPV6 + * ONE_TO_ONE_NAT + + * `name`: The name of this access configuration. In accessConfigs (IPv4), the default and recommended name is External NAT, but you can use any arbitrary string, such as My external IP or Network Access. In ipv6AccessConfigs, the recommend name is External IPv6. + + * `nat_ip`: Applies to accessConfigs (IPv4) only. 
An external IP address associated with this instance. Specify an unused static external IP address available to the project or leave this field undefined to use an IP from a shared ephemeral IP address pool. If you specify a static external IP address, it must live in the same region as the zone of the instance. + + * `external_ipv6`: Applies to ipv6AccessConfigs only. The first IPv6 address of the external IPv6 range associated with this instance, prefix length is stored in externalIpv6PrefixLength in ipv6AccessConfig. To use a static external IP address, it must be unused and in the same region as the instance's zone. If not specified, Google Cloud will automatically assign an external IPv6 address from the instance's subnetwork. + + * `external_ipv6_prefix_length`: Applies to ipv6AccessConfigs only. The prefix length of the external IPv6 range. + + * `set_public_ptr`: Specifies whether a public DNS 'PTR' record should be created to map the external IP address of the instance to a DNS domain name. This field is not used in ipv6AccessConfig. A default PTR record will be created if the VM has external IPv6 range associated. + + * `public_ptr_domain_name`: The DNS domain name for the public PTR record. You can set this field only if the `setPublicPtr` field is enabled in accessConfig. If this field is unspecified in ipv6AccessConfig, a default PTR record will be createc for first IP in associated external IPv6 range. + + * `network_tier`: This signifies the networking tier used for configuring this access configuration and can only take the following values: PREMIUM, STANDARD. If an AccessConfig is specified without a valid external IP address, an ephemeral IP will be created with this networkTier. If an AccessConfig with a valid external IP address is specified, it must match that of the networkTier associated with the Address resource owning that IP. 
+ Possible values: + * FIXED_STANDARD + * PREMIUM + * STANDARD + * STANDARD_OVERRIDES_FIXED_STANDARD + + * `security_policy`: [Output Only] The resource URL for the security policy associated with this access config. + + * `alias_ip_ranges`: An array of alias IP ranges for this network interface. You can only specify this field for network interfaces in VPC networks. + + * `ip_cidr_range`: The IP alias ranges to allocate for this interface. This IP CIDR range must belong to the specified subnetwork and cannot contain IP addresses reserved by system or used by other network interfaces. This range may be a single IP address (such as 10.2.3.4), a netmask (such as /24) or a CIDR-formatted string (such as 10.1.2.0/24). + + * `subnetwork_range_name`: The name of a subnetwork secondary IP range from which to allocate an IP alias range. If not specified, the primary range of the subnetwork is used. + + * `fingerprint`: Fingerprint hash of contents stored in this network interface. This field will be ignored when inserting an Instance or adding a NetworkInterface. An up-to-date fingerprint must be provided in order to update the NetworkInterface. The request will fail with error 400 Bad Request if the fingerprint is not provided, or 412 Precondition Failed if the fingerprint is out of date. + + * `stack_type`: The stack type for this network interface. To assign only IPv4 addresses, use IPV4_ONLY. To assign both IPv4 and IPv6 addresses, use IPV4_IPV6. If not specified, IPV4_ONLY is used. This field can be both set at instance creation and update network interface operations. + Possible values: + * IPV4_IPV6 + * IPV4_ONLY + + * `ipv6_access_type`: [Output Only] One of EXTERNAL, INTERNAL to indicate whether the IP can be accessed from the Internet. This field is always inherited from its subnetwork. Valid only if stackType is IPV4_IPV6. 
+ Possible values: + * EXTERNAL + * INTERNAL + + * `queue_count`: The networking queue count that's specified by users for the network interface. Both Rx and Tx queues will be set to this number. It'll be empty if not specified by the users. + + * `nic_type`: The type of vNIC to be used on this interface. This may be gVNIC or VirtioNet. + Possible values: + * GVNIC + * UNSPECIFIED_NIC_TYPE + * VIRTIO_NET + + * `network_attachment`: The URL of the network attachment that this interface should connect to in the following format: projects/{project_number}/regions/{region_name}/networkAttachments/{network_attachment_name}. + + * `disks`: An array of disks that are associated with the instances that are created from these properties. + + * `kind`: [Output Only] Type of the resource. Always compute#attachedDisk for attached disks. + + * `type`: Specifies the type of the disk, either SCRATCH or PERSISTENT. If not specified, the default is PERSISTENT. + Possible values: + * PERSISTENT + * SCRATCH + + * `mode`: The mode in which to attach this disk, either READ_WRITE or READ_ONLY. If not specified, the default is to attach the disk in READ_WRITE mode. + Possible values: + * READ_ONLY + * READ_WRITE + + * `saved_state`: For LocalSSD disks on VM Instances in STOPPED or SUSPENDED state, this field is set to PRESERVED if the LocalSSD data has been saved to a persistent location by customer request. (see the discard_local_ssd option on Stop/Suspend). Read-only in the api. + Possible values: + * DISK_SAVED_STATE_UNSPECIFIED + * PRESERVED + + * `source`: Specifies a valid partial or full URL to an existing Persistent Disk resource. When creating a new instance, one of initializeParams.sourceImage or initializeParams.sourceSnapshot or disks.source is required except for local SSD. If desired, you can also attach existing non-root persistent disks using this property. This field is only applicable for persistent disks. 
Note that for InstanceTemplate, specify the disk name for zonal disk, and the URL for regional disk. + + * `device_name`: Specifies a unique device name of your choice that is reflected into the /dev/disk/by-id/google-* tree of a Linux operating system running within the instance. This name can be used to reference the device for mounting, resizing, and so on, from within the instance. If not specified, the server chooses a default device name to apply to this disk, in the form persistent-disk-x, where x is a number assigned by Google Compute Engine. This field is only applicable for persistent disks. + + * `index`: [Output Only] A zero-based index to this disk, where 0 is reserved for the boot disk. If you have many disks attached to an instance, each disk would have a unique index number. + + * `boot`: Indicates that this is a boot disk. The virtual machine will use the first partition of the disk for its root filesystem. + + * `initialize_params`: [Input Only] Specifies the parameters for a new disk that will be created alongside the new instance. Use initialization parameters to create boot disks or local SSDs attached to the new instance. This field is persisted and returned for instanceTemplate and not returned in the context of instance. This property is mutually exclusive with the source property; you can only define one or the other, but not both. + + * `disk_name`: Specifies the disk name. If not specified, the default is to use the name of the instance. If a disk with the same name already exists in the given region, the existing disk is attached to the new instance and the new disk is not created. + + * `source_image`: The source image to create this disk. When creating a new instance, one of initializeParams.sourceImage or initializeParams.sourceSnapshot or disks.source is required except for local SSD. To create a disk with one of the public operating system images, specify the image by its family name. 
For example, specify family/debian-9 to use the latest Debian 9 image: projects/debian-cloud/global/images/family/debian-9 Alternatively, use a specific version of a public operating system image: projects/debian-cloud/global/images/debian-9-stretch-vYYYYMMDD To create a disk with a custom image that you created, specify the image name in the following format: global/images/my-custom-image You can also specify a custom image by its image family, which returns the latest version of the image in that family. Replace the image name with family/family-name: global/images/family/my-image-family If the source image is deleted later, this field will not be set. + + * `disk_size_gb`: Specifies the size of the disk in base-2 GB. The size must be at least 10 GB. If you specify a sourceImage, which is required for boot disks, the default size is the size of the sourceImage. If you do not specify a sourceImage, the default disk size is 500 GB. + + * `disk_type`: Specifies the disk type to use to create the instance. If not specified, the default is pd-standard, specified using the full URL. For example: https://www.googleapis.com/compute/v1/projects/project/zones/zone /diskTypes/pd-standard For a full list of acceptable values, see Persistent disk types. If you specify this field when creating a VM, you can provide either the full or partial URL. For example, the following values are valid: - https://www.googleapis.com/compute/v1/projects/project/zones/zone /diskTypes/diskType - projects/project/zones/zone/diskTypes/diskType - zones/zone/diskTypes/diskType If you specify this field when creating or updating an instance template or all-instances configuration, specify the type of the disk, not the URL. For example: pd-standard. + + * `source_image_encryption_key`: + + * `raw_key`: Specifies a 256-bit customer-supplied encryption key, encoded in RFC 4648 base64 to either encrypt or decrypt this resource. You can provide either the rawKey or the rsaEncryptedKey. 
For example: "rawKey": "SGVsbG8gZnJvbSBHb29nbGUgQ2xvdWQgUGxhdGZvcm0=" + + * `rsa_encrypted_key`: Specifies an RFC 4648 base64 encoded, RSA-wrapped 2048-bit customer-supplied encryption key to either encrypt or decrypt this resource. You can provide either the rawKey or the rsaEncryptedKey. For example: "rsaEncryptedKey": "ieCx/NcW06PcT7Ep1X6LUTc/hLvUDYyzSZPPVCVPTVEohpeHASqC8uw5TzyO9U+Fka9JFH z0mBibXUInrC/jEk014kCK/NPjYgEMOyssZ4ZINPKxlUh2zn1bV+MCaTICrdmuSBTWlUUiFoD D6PYznLwh8ZNdaheCeZ8ewEXgFQ8V+sDroLaN3Xs3MDTXQEMMoNUXMCZEIpg9Vtp9x2oe==" The key must meet the following requirements before you can provide it to Compute Engine: 1. The key is wrapped using a RSA public key certificate provided by Google. 2. After being wrapped, the key must be encoded in RFC 4648 base64 encoding. Gets the RSA public key certificate provided by Google at: https://cloud-certs.storage.googleapis.com/google-cloud-csek-ingress.pem + + * `kms_key_name`: The name of the encryption key that is stored in Google Cloud KMS. For example: "kmsKeyName": "projects/kms_project_id/locations/region/keyRings/ key_region/cryptoKeys/key The fully-qualifed key name may be returned for resource GET requests. For example: "kmsKeyName": "projects/kms_project_id/locations/region/keyRings/ key_region/cryptoKeys/key /cryptoKeyVersions/1 + + * `sha256`: [Output only] The RFC 4648 base64 encoded SHA-256 hash of the customer-supplied encryption key that protects this resource. + + * `kms_key_service_account`: The service account being used for the encryption request for the given KMS key. If absent, the Compute Engine default service account is used. For example: "kmsKeyServiceAccount": "name@project_id.iam.gserviceaccount.com/ + + * `labels`: Labels to apply to this disk. These can be later modified by the disks.setLabels method. This field is only applicable for persistent disks. + + * `additional_properties`: + + * `source_snapshot`: The source snapshot to create this disk. 
When creating a new instance, one of initializeParams.sourceSnapshot or initializeParams.sourceImage or disks.source is required except for local SSD. To create a disk with a snapshot that you created, specify the snapshot name in the following format: global/snapshots/my-backup If the source snapshot is deleted later, this field will not be set. + + * `source_snapshot_encryption_key`: + + * `raw_key`: Specifies a 256-bit customer-supplied encryption key, encoded in RFC 4648 base64 to either encrypt or decrypt this resource. You can provide either the rawKey or the rsaEncryptedKey. For example: "rawKey": "SGVsbG8gZnJvbSBHb29nbGUgQ2xvdWQgUGxhdGZvcm0=" + + * `rsa_encrypted_key`: Specifies an RFC 4648 base64 encoded, RSA-wrapped 2048-bit customer-supplied encryption key to either encrypt or decrypt this resource. You can provide either the rawKey or the rsaEncryptedKey. For example: "rsaEncryptedKey": "ieCx/NcW06PcT7Ep1X6LUTc/hLvUDYyzSZPPVCVPTVEohpeHASqC8uw5TzyO9U+Fka9JFH z0mBibXUInrC/jEk014kCK/NPjYgEMOyssZ4ZINPKxlUh2zn1bV+MCaTICrdmuSBTWlUUiFoD D6PYznLwh8ZNdaheCeZ8ewEXgFQ8V+sDroLaN3Xs3MDTXQEMMoNUXMCZEIpg9Vtp9x2oe==" The key must meet the following requirements before you can provide it to Compute Engine: 1. The key is wrapped using a RSA public key certificate provided by Google. 2. After being wrapped, the key must be encoded in RFC 4648 base64 encoding. Gets the RSA public key certificate provided by Google at: https://cloud-certs.storage.googleapis.com/google-cloud-csek-ingress.pem + + * `kms_key_name`: The name of the encryption key that is stored in Google Cloud KMS. For example: "kmsKeyName": "projects/kms_project_id/locations/region/keyRings/ key_region/cryptoKeys/key The fully-qualifed key name may be returned for resource GET requests. 
For example: "kmsKeyName": "projects/kms_project_id/locations/region/keyRings/ key_region/cryptoKeys/key /cryptoKeyVersions/1 + + * `sha256`: [Output only] The RFC 4648 base64 encoded SHA-256 hash of the customer-supplied encryption key that protects this resource. + + * `kms_key_service_account`: The service account being used for the encryption request for the given KMS key. If absent, the Compute Engine default service account is used. For example: "kmsKeyServiceAccount": "name@project_id.iam.gserviceaccount.com/ + + * `description`: An optional description. Provide this property when creating the disk. + + * `replica_zones`: Required for each regional disk associated with the instance. Specify the URLs of the zones where the disk should be replicated to. You must provide exactly two replica zones, and one zone must be the same as the instance zone. + + * `resource_policies`: Resource policies applied to this disk for automatic snapshot creations. Specified using the full or partial URL. For instance template, specify only the resource policy name. + + * `on_update_action`: Specifies which action to take on instance update with this disk. Default is to use the existing disk. + Possible values: + * RECREATE_DISK + * RECREATE_DISK_IF_SOURCE_CHANGED + * USE_EXISTING_DISK + + * `provisioned_iops`: Indicates how many IOPS to provision for the disk. This sets the number of I/O operations per second that the disk can handle. Values must be between 10,000 and 120,000. For more details, see the Extreme persistent disk documentation. + + * `licenses`: A list of publicly visible licenses. Reserved for Google's use. + + * `architecture`: The architecture of the attached disk. Valid values are arm64 or x86_64. + Possible values: + * ARCHITECTURE_UNSPECIFIED + * ARM64 + * X86_64 + + * `resource_manager_tags`: Resource manager tags to be bound to the disk. Tag keys and values have the same definition as resource manager tags. 
Keys must be in the format `tagKeys/{tag_key_id}`, and values are in the format `tagValues/456`. The field is ignored (both PUT & PATCH) when empty. + + * `additional_properties`: + + * `provisioned_throughput`: Indicates how much throughput to provision for the disk. This sets the number of throughput mb per second that the disk can handle. Values must be between 1 and 7,124. + + * `auto_delete`: Specifies whether the disk will be auto-deleted when the instance is deleted (but not when the disk is detached from the instance). + + * `licenses`: [Output Only] Any valid publicly visible licenses. + + * `interface`: Specifies the disk interface to use for attaching this disk, which is either SCSI or NVME. For most machine types, the default is SCSI. Local SSDs can use either NVME or SCSI. In certain configurations, persistent disks can use NVMe. For more information, see About persistent disks. + Possible values: + * NVME + * SCSI + + * `guest_os_features`: A list of features to enable on the guest operating system. Applicable only for bootable images. Read Enabling guest operating system features to see a list of available options. + + * `type`: The ID of a supported feature. To add multiple values, use commas to separate values. Set to one or more of the following values: - VIRTIO_SCSI_MULTIQUEUE - WINDOWS - MULTI_IP_SUBNET - UEFI_COMPATIBLE - GVNIC - SEV_CAPABLE - SUSPEND_RESUME_COMPATIBLE - SEV_LIVE_MIGRATABLE - SEV_SNP_CAPABLE For more information, see Enabling guest operating system features. + Possible values: + * FEATURE_TYPE_UNSPECIFIED + * GVNIC + * MULTI_IP_SUBNET + * SECURE_BOOT + * SEV_CAPABLE + * SEV_LIVE_MIGRATABLE + * SEV_LIVE_MIGRATABLE_V2 + * SEV_SNP_CAPABLE + * UEFI_COMPATIBLE + * VIRTIO_SCSI_MULTIQUEUE + * WINDOWS + + * `disk_encryption_key`: + + * `raw_key`: Specifies a 256-bit customer-supplied encryption key, encoded in RFC 4648 base64 to either encrypt or decrypt this resource. You can provide either the rawKey or the rsaEncryptedKey. 
For example: "rawKey": "SGVsbG8gZnJvbSBHb29nbGUgQ2xvdWQgUGxhdGZvcm0=" + + * `rsa_encrypted_key`: Specifies an RFC 4648 base64 encoded, RSA-wrapped 2048-bit customer-supplied encryption key to either encrypt or decrypt this resource. You can provide either the rawKey or the rsaEncryptedKey. For example: "rsaEncryptedKey": "ieCx/NcW06PcT7Ep1X6LUTc/hLvUDYyzSZPPVCVPTVEohpeHASqC8uw5TzyO9U+Fka9JFH z0mBibXUInrC/jEk014kCK/NPjYgEMOyssZ4ZINPKxlUh2zn1bV+MCaTICrdmuSBTWlUUiFoD D6PYznLwh8ZNdaheCeZ8ewEXgFQ8V+sDroLaN3Xs3MDTXQEMMoNUXMCZEIpg9Vtp9x2oe==" The key must meet the following requirements before you can provide it to Compute Engine: 1. The key is wrapped using a RSA public key certificate provided by Google. 2. After being wrapped, the key must be encoded in RFC 4648 base64 encoding. Gets the RSA public key certificate provided by Google at: https://cloud-certs.storage.googleapis.com/google-cloud-csek-ingress.pem + + * `kms_key_name`: The name of the encryption key that is stored in Google Cloud KMS. For example: "kmsKeyName": "projects/kms_project_id/locations/region/keyRings/ key_region/cryptoKeys/key The fully-qualifed key name may be returned for resource GET requests. For example: "kmsKeyName": "projects/kms_project_id/locations/region/keyRings/ key_region/cryptoKeys/key /cryptoKeyVersions/1 + + * `sha256`: [Output only] The RFC 4648 base64 encoded SHA-256 hash of the customer-supplied encryption key that protects this resource. + + * `kms_key_service_account`: The service account being used for the encryption request for the given KMS key. If absent, the Compute Engine default service account is used. For example: "kmsKeyServiceAccount": "name@project_id.iam.gserviceaccount.com/ + + * `disk_size_gb`: The size of the disk in GB. + + * `shielded_instance_initial_state`: Initial State for shielded instance, these are public keys which are safe to store in public + + * `pk`: + + * `content`: The raw content in the secure keys file. 
+ + * `file_type`: The file type of source file. + Possible values: + * BIN + * UNDEFINED + * X509 + + * `keks`: The Key Exchange Key (KEK). + + * `content`: The raw content in the secure keys file. + + * `file_type`: The file type of source file. + Possible values: + * BIN + * UNDEFINED + * X509 + + * `dbs`: The Key Database (db). + + * `content`: The raw content in the secure keys file. + + * `file_type`: The file type of source file. + Possible values: + * BIN + * UNDEFINED + * X509 + + * `dbxs`: The forbidden key database (dbx). + + * `content`: The raw content in the secure keys file. + + * `file_type`: The file type of source file. + Possible values: + * BIN + * UNDEFINED + * X509 + + * `force_attach`: [Input Only] Whether to force attach the regional disk even if it's currently attached to another instance. If you try to force attach a zonal disk to an instance, you will receive an error. + + * `architecture`: [Output Only] The architecture of the attached disk. Valid values are ARM64 or X86_64. + Possible values: + * ARCHITECTURE_UNSPECIFIED + * ARM64 + * X86_64 + + * `metadata`: A metadata key/value entry. + + * `kind`: [Output Only] Type of the resource. Always compute#metadata for metadata. + + * `fingerprint`: Specifies a fingerprint for this request, which is essentially a hash of the metadata's contents and used for optimistic locking. The fingerprint is initially generated by Compute Engine and changes after every request to modify or update metadata. You must always provide an up-to-date fingerprint hash in order to update or change metadata, otherwise the request will fail with error 412 conditionNotMet. To see the latest fingerprint, make a get() request to retrieve the resource. + + * `items`: Array of key/value pairs. The total size of all keys and values must be less than 512 KB. + + * `key`: Key for the metadata entry. Keys must conform to the following regexp: [a-zA-Z0-9-_]+, and be less than 128 bytes in length. 
This is reflected as part of a URL in the metadata server. Additionally, to avoid ambiguity, keys must not conflict with any other metadata keys for the project. + + * `value`: Value for the metadata entry. These are free-form strings, and only have meaning as interpreted by the image running in the instance. The only restriction placed on values is that their size must be less than or equal to 262144 bytes (256 KiB). + + * `service_accounts`: A list of service accounts with specified scopes. Access tokens for these service accounts are available to the instances that are created from these properties. Use metadata queries to obtain the access tokens for these instances. + + * `email`: Email address of the service account. + + * `scopes`: The list of scopes to be made available for this service account. + + * `scheduling`: Sets the scheduling options for an Instance. + + * `on_host_maintenance`: Defines the maintenance behavior for this instance. For standard instances, the default behavior is MIGRATE. For preemptible instances, the default and only possible behavior is TERMINATE. For more information, see Set VM host maintenance policy. + Possible values: + * MIGRATE + * TERMINATE + + * `automatic_restart`: Specifies whether the instance should be automatically restarted if it is terminated by Compute Engine (not terminated by a user). You can only set the automatic restart option for standard instances. Preemptible instances cannot be automatically restarted. By default, this is set to true so an instance is automatically restarted if it is terminated by Compute Engine. + + * `preemptible`: Defines whether the instance is preemptible. This can only be set during instance creation or while the instance is stopped and therefore, in a `TERMINATED` state. See Instance Life Cycle for more information on the possible instance states. + + * `node_affinities`: A set of node affinity and anti-affinity configurations. 
Refer to Configuring node affinity for more information. Overrides reservationAffinity. + + * `key`: Corresponds to the label key of Node resource. + + * `operator`: Defines the operation of node selection. Valid operators are IN for affinity and NOT_IN for anti-affinity. + Possible values: + * IN + * NOT_IN + * OPERATOR_UNSPECIFIED + + * `values`: Corresponds to the label values of Node resource. + + * `min_node_cpus`: The minimum number of virtual CPUs this instance will consume when running on a sole-tenant node. + + * `location_hint`: An opaque location hint used to place the instance close to other resources. This field is for use by internal tools that use the public API. + + * `provisioning_model`: Specifies the provisioning model of the instance. + Possible values: + * SPOT + * STANDARD + + * `instance_termination_action`: Specifies the termination action for the instance. + Possible values: + * DELETE + * INSTANCE_TERMINATION_ACTION_UNSPECIFIED + * STOP + + * `local_ssd_recovery_timeout`: A Duration represents a fixed-length span of time represented as a count of seconds and fractions of seconds at nanosecond resolution. It is independent of any calendar and concepts like "day" or "month". Range is approximately 10,000 years. + + * `seconds`: Span of time at a resolution of a second. Must be from 0 to 315,576,000,000 inclusive. Note: these bounds are computed from: 60 sec/min * 60 min/hr * 24 hr/day * 365.25 days/year * 10000 years + + * `nanos`: Span of time that's a fraction of a second at nanosecond resolution. Durations less than one second are represented with a 0 `seconds` field and a positive `nanos` field. Must be from 0 to 999,999,999 inclusive. + + * `labels`: Labels to apply to instances that are created from these properties. + + * `additional_properties`: + + * `guest_accelerators`: A list of guest accelerator cards' type and count to use for instances created from these properties. 
+ + * `accelerator_type`: Full or partial URL of the accelerator type resource to attach to this instance. For example: projects/my-project/zones/us-central1-c/acceleratorTypes/nvidia-tesla-p100 If you are creating an instance template, specify only the accelerator name. See GPUs on Compute Engine for a full list of accelerator types. + + * `accelerator_count`: The number of the guest accelerator cards exposed to this instance. + + * `min_cpu_platform`: Minimum cpu/platform to be used by instances. The instance may be scheduled on the specified or newer cpu/platform. Applicable values are the friendly names of CPU platforms, such as minCpuPlatform: "Intel Haswell" or minCpuPlatform: "Intel Sandy Bridge". For more information, read Specifying a Minimum CPU Platform. + + * `reservation_affinity`: Specifies the reservations that this instance can consume from. + + * `consume_reservation_type`: Specifies the type of reservation from which this instance can consume resources: ANY_RESERVATION (default), SPECIFIC_RESERVATION, or NO_RESERVATION. See Consuming reserved instances for examples. + Possible values: + * ANY_RESERVATION + * NO_RESERVATION + * SPECIFIC_RESERVATION + * UNSPECIFIED + + * `key`: Corresponds to the label key of a reservation resource. To target a SPECIFIC_RESERVATION by name, specify googleapis.com/reservation-name as the key and specify the name of your reservation as its value. + + * `values`: Corresponds to the label values of a reservation resource. This can be either a name to a reservation in the same project or "projects/different-project/reservations/some-reservation-name" to target a shared reservation in the same zone but in a different project. + + * `shielded_instance_config`: A set of Shielded Instance options. + + * `enable_secure_boot`: Defines whether the instance has Secure Boot enabled. Disabled by default. + + * `enable_vtpm`: Defines whether the instance has the vTPM enabled. Enabled by default. 
+ + * `enable_integrity_monitoring`: Defines whether the instance has integrity monitoring enabled. Enabled by default. + + * `resource_policies`: Resource policies (names, not URLs) applied to instances created from these properties. Note that for MachineImage, this is not supported yet. + + * `confidential_instance_config`: A set of Confidential Instance options. + + * `enable_confidential_compute`: Defines whether the instance should have confidential compute enabled. + + * `private_ipv6_google_access`: The private IPv6 google access type for VMs. If not specified, use INHERIT_FROM_SUBNETWORK as default. Note that for MachineImage, this is not supported yet. + Possible values: + * ENABLE_BIDIRECTIONAL_ACCESS_TO_GOOGLE + * ENABLE_OUTBOUND_VM_ACCESS_TO_GOOGLE + * INHERIT_FROM_SUBNETWORK + + * `advanced_machine_features`: Specifies options for controlling advanced machine features. Options that would traditionally be configured in a BIOS belong here. Features that require operating system support may have corresponding entries in the GuestOsFeatures of an Image (e.g., whether or not the OS in the Image supports nested virtualization being enabled or disabled). + + * `enable_nested_virtualization`: Whether to enable nested virtualization or not (default is false). + + * `threads_per_core`: The number of threads per physical core. To disable simultaneous multithreading (SMT) set this to 1. If unset, the maximum number of threads supported per core by the underlying processor is assumed. + + * `visible_core_count`: The number of physical cores to expose to an instance. Multiply by the number of threads per core to compute the total number of virtual CPUs to expose to the instance. If unset, the number of cores is inferred from the instance's nominal CPU count and the underlying platform's SMT width. + + * `enable_uefi_networking`: Whether to enable UEFI networking for instance creation. 
+ + * `network_performance_config`: + + * `total_egress_bandwidth_tier`: + Possible values: + * DEFAULT + * TIER_1 + + * `key_revocation_action_type`: KeyRevocationActionType of the instance. Supported options are "STOP" and "NONE". The default value is "NONE" if it is not specified. + Possible values: + * KEY_REVOCATION_ACTION_TYPE_UNSPECIFIED + * NONE + * STOP + + * `saved_disks`: An array of Machine Image specific properties for disks attached to the source instance + + * `kind`: [Output Only] Type of the resource. Always compute#savedDisk for attached disks. + + * `source_disk`: Specifies a URL of the disk attached to the source instance. + + * `storage_bytes`: [Output Only] Size of the individual disk snapshot used by this machine image. + + * `storage_bytes_status`: [Output Only] An indicator whether storageBytes is in a stable state or it is being adjusted as a result of shared storage reallocation. This status can either be UPDATING, meaning the size of the snapshot is being updated, or UP_TO_DATE, meaning the size of the snapshot is up-to-date. + Possible values: + * UPDATING + * UP_TO_DATE + + * `architecture`: [Output Only] The architecture of the attached disk. + Possible values: + * ARCHITECTURE_UNSPECIFIED + * ARM64 + * X86_64 + + * `storage_locations`: The regional or multi-regional Cloud Storage bucket location where the machine image is stored. + + * `machine_image_encryption_key`: + + * `raw_key`: Specifies a 256-bit customer-supplied encryption key, encoded in RFC 4648 base64 to either encrypt or decrypt this resource. You can provide either the rawKey or the rsaEncryptedKey. For example: "rawKey": "SGVsbG8gZnJvbSBHb29nbGUgQ2xvdWQgUGxhdGZvcm0=" + + * `rsa_encrypted_key`: Specifies an RFC 4648 base64 encoded, RSA-wrapped 2048-bit customer-supplied encryption key to either encrypt or decrypt this resource. You can provide either the rawKey or the rsaEncryptedKey. 
For example: "rsaEncryptedKey": "ieCx/NcW06PcT7Ep1X6LUTc/hLvUDYyzSZPPVCVPTVEohpeHASqC8uw5TzyO9U+Fka9JFH z0mBibXUInrC/jEk014kCK/NPjYgEMOyssZ4ZINPKxlUh2zn1bV+MCaTICrdmuSBTWlUUiFoD D6PYznLwh8ZNdaheCeZ8ewEXgFQ8V+sDroLaN3Xs3MDTXQEMMoNUXMCZEIpg9Vtp9x2oe==" The key must meet the following requirements before you can provide it to Compute Engine: 1. The key is wrapped using a RSA public key certificate provided by Google. 2. After being wrapped, the key must be encoded in RFC 4648 base64 encoding. Gets the RSA public key certificate provided by Google at: https://cloud-certs.storage.googleapis.com/google-cloud-csek-ingress.pem + + * `kms_key_name`: The name of the encryption key that is stored in Google Cloud KMS. For example: "kmsKeyName": "projects/kms_project_id/locations/region/keyRings/ key_region/cryptoKeys/key The fully-qualifed key name may be returned for resource GET requests. For example: "kmsKeyName": "projects/kms_project_id/locations/region/keyRings/ key_region/cryptoKeys/key /cryptoKeyVersions/1 + + * `sha256`: [Output only] The RFC 4648 base64 encoded SHA-256 hash of the customer-supplied encryption key that protects this resource. + + * `kms_key_service_account`: The service account being used for the encryption request for the given KMS key. If absent, the Compute Engine default service account is used. For example: "kmsKeyServiceAccount": "name@project_id.iam.gserviceaccount.com/ + + * `guest_flush`: [Input Only] Whether to attempt an application consistent machine image by informing the OS to prepare for the snapshot process. + + * `source_disk_encryption_keys`: [Input Only] The customer-supplied encryption key of the disks attached to the source instance. Required if the source disk is protected by a customer-supplied encryption key. + + * `source_disk`: URL of the disk attached to the source instance. This can be a full or valid partial URL. 
For example, the following are valid values: - https://www.googleapis.com/compute/v1/projects/project/zones/zone /disks/disk - projects/project/zones/zone/disks/disk - zones/zone/disks/disk + + * `disk_encryption_key`: + + * `raw_key`: Specifies a 256-bit customer-supplied encryption key, encoded in RFC 4648 base64 to either encrypt or decrypt this resource. You can provide either the rawKey or the rsaEncryptedKey. For example: "rawKey": "SGVsbG8gZnJvbSBHb29nbGUgQ2xvdWQgUGxhdGZvcm0=" + + * `rsa_encrypted_key`: Specifies an RFC 4648 base64 encoded, RSA-wrapped 2048-bit customer-supplied encryption key to either encrypt or decrypt this resource. You can provide either the rawKey or the rsaEncryptedKey. For example: "rsaEncryptedKey": "ieCx/NcW06PcT7Ep1X6LUTc/hLvUDYyzSZPPVCVPTVEohpeHASqC8uw5TzyO9U+Fka9JFH z0mBibXUInrC/jEk014kCK/NPjYgEMOyssZ4ZINPKxlUh2zn1bV+MCaTICrdmuSBTWlUUiFoD D6PYznLwh8ZNdaheCeZ8ewEXgFQ8V+sDroLaN3Xs3MDTXQEMMoNUXMCZEIpg9Vtp9x2oe==" The key must meet the following requirements before you can provide it to Compute Engine: 1. The key is wrapped using a RSA public key certificate provided by Google. 2. After being wrapped, the key must be encoded in RFC 4648 base64 encoding. Gets the RSA public key certificate provided by Google at: https://cloud-certs.storage.googleapis.com/google-cloud-csek-ingress.pem + + * `kms_key_name`: The name of the encryption key that is stored in Google Cloud KMS. For example: "kmsKeyName": "projects/kms_project_id/locations/region/keyRings/ key_region/cryptoKeys/key The fully-qualifed key name may be returned for resource GET requests. For example: "kmsKeyName": "projects/kms_project_id/locations/region/keyRings/ key_region/cryptoKeys/key /cryptoKeyVersions/1 + + * `sha256`: [Output only] The RFC 4648 base64 encoded SHA-256 hash of the customer-supplied encryption key that protects this resource. + + * `kms_key_service_account`: The service account being used for the encryption request for the given KMS key. 
If absent, the Compute Engine default service account is used. For example: "kmsKeyServiceAccount": "name@project_id.iam.gserviceaccount.com/
+
+ * `total_storage_bytes`: [Output Only] Total size of the storage used by the machine image.
+
+ * `satisfies_pzs`: [Output Only] Reserved for future use.
+
+
+## GCP permissions
+
+Ensure the [Compute Engine API](https://console.cloud.google.com/apis/library/compute.googleapis.com/) is enabled for the current project.
diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_machine_images.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_machine_images.md
new file mode 100644
index 0000000..8ad82b5
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_machine_images.md
@@ -0,0 +1,54 @@
++++
+title = "google_compute_machine_images resource"
+
+draft = false
+
+
+[menu.gcp]
+title = "google_compute_machine_images"
+identifier = "inspec/resources/gcp/google_compute_machine_images resource"
+parent = "inspec/resources/gcp"
++++
+
+Use the `google_compute_machine_images` InSpec audit resource to to test a Google Cloud MachineImage resource.
+
+## Examples
+
+```ruby
+ describe google_compute_machine_images(project: 'chef-gcp-inspec') do
+ it { should exist }
+ end
+```
+
+## Properties
+
+Properties that can be accessed from the `google_compute_machine_images` resource:
+
+See [google_compute_machine_image](google_compute_machine_image) for more detailed information.
+
+ * `kinds`: an array of `google_compute_machine_image` kind
+ * `ids`: an array of `google_compute_machine_image` id
+ * `creation_timestamps`: an array of `google_compute_machine_image` creation_timestamp
+ * `names`: an array of `google_compute_machine_image` name
+ * `descriptions`: an array of `google_compute_machine_image` description
+ * `self_links`: an array of `google_compute_machine_image` self_link
+ * `source_instances`: an array of `google_compute_machine_image` source_instance
+ * `statuses`: an array of `google_compute_machine_image` status
+ * `source_instance_properties`: an array of `google_compute_machine_image` source_instance_properties
+ * `instance_properties`: an array of `google_compute_machine_image` instance_properties
+ * `saved_disks`: an array of `google_compute_machine_image` saved_disks
+ * `storage_locations`: an array of `google_compute_machine_image` storage_locations
+ * `machine_image_encryption_keys`: an array of `google_compute_machine_image` machine_image_encryption_key
+ * `guest_flushes`: an array of `google_compute_machine_image` guest_flush
+ * `source_disk_encryption_keys`: an array of `google_compute_machine_image` source_disk_encryption_keys
+ * `total_storage_bytes`: an array of `google_compute_machine_image` total_storage_bytes
+ * `satisfies_pzs`: an array of `google_compute_machine_image` satisfies_pzs
+
+## Filter criteria
+
+This resource supports all of the above properties as filter criteria, which can be used
+with `where` as a block or a method.
+
+## GCP permissions
+
+Ensure the [Compute Engine API](https://console.cloud.google.com/apis/library/compute.googleapis.com/) is enabled for the current project.
diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_machine_type.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_machine_type.md
new file mode 100644
index 0000000..f9f62ea
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_machine_type.md
@@ -0,0 +1,97 @@
++++
+title = "google_compute_machine_type resource"
+
+draft = false
+
+
+[menu.gcp]
+title = "google_compute_machine_type"
+identifier = "inspec/resources/gcp/google_compute_machine_type resource"
+parent = "inspec/resources/gcp"
++++
+
+Use the `google_compute_machine_type` InSpec audit resource to to test a Google Cloud MachineType resource.
+
+## Examples
+
+```ruby
+describe google_compute_machine_type(name: 'value_name', project: 'chef-gcp-inspec', zone: ' value_zone') do
+ it { should exist }
+ its('kind') { should cmp 'value_kind' }
+ its('id') { should cmp 'value_id' }
+ its('creation_timestamp') { should cmp 'value_creationtimestamp' }
+ its('name') { should cmp 'value_name' }
+ its('description') { should cmp 'value_description' }
+ its('maximum_persistent_disks_size_gb') { should cmp 'value_maximumpersistentdiskssizegb' }
+ its('zone') { should cmp 'value_zone' }
+ its('self_link') { should cmp 'value_selflink' }
+
+end
+
+describe google_compute_machine_type(name: 'value_name', project: 'chef-gcp-inspec', zone: ' value_zone') do
+ it { should_not exist }
+end
+```
+
+## Properties
+
+Properties that can be accessed from the `google_compute_machine_type` resource:
+
+
+ * `kind`: [Output Only] The type of the resource. Always compute#machineType for machine types.
+
+ * `id`: [Output Only] The unique identifier for the resource. This identifier is defined by the server.
+
+ * `creation_timestamp`: [Output Only] Creation timestamp in RFC3339 text format.
+
+ * `name`: [Output Only] Name of the resource.
+
+ * `description`: [Output Only] An optional textual description of the resource.
+
+ * `guest_cpus`: [Output Only] The number of virtual CPUs that are available to the instance.
+
+ * `memory_mb`: [Output Only] The amount of physical memory available to the instance, defined in MB.
+
+ * `image_space_gb`: [Deprecated] This property is deprecated and will never be populated with any relevant values.
+
+ * `scratch_disks`: [Output Only] A list of extended scratch disks assigned to the instance.
+
+ * `disk_gb`: Size of the scratch disk, defined in GB.
+
+ * `maximum_persistent_disks`: [Output Only] Maximum persistent disks allowed.
+
+ * `maximum_persistent_disks_size_gb`: [Output Only] Maximum total persistent disks size (GB) allowed.
+
+ * `deprecated`: Deprecation status for a public resource.
+
+ * `state`: The deprecation state of this resource. This can be ACTIVE, DEPRECATED, OBSOLETE, or DELETED. Operations which communicate the end of life date for an image, can use ACTIVE. Operations which create a new resource using a DEPRECATED resource will return successfully, but with a warning indicating the deprecated resource and recommending its replacement. Operations which use OBSOLETE or DELETED resources will be rejected and result in an error.
+ Possible values:
+ * ACTIVE
+ * DELETED
+ * DEPRECATED
+ * OBSOLETE
+
+ * `replacement`: The URL of the suggested replacement for a deprecated resource. The suggested replacement resource must be the same kind of resource as the deprecated resource.
+
+ * `deprecated`: An optional RFC3339 timestamp on or after which the state of this resource is intended to change to DEPRECATED. This is only informational and the status will not change unless the client explicitly changes it.
+
+ * `obsolete`: An optional RFC3339 timestamp on or after which the state of this resource is intended to change to OBSOLETE. This is only informational and the status will not change unless the client explicitly changes it.
+
+ * `deleted`: An optional RFC3339 timestamp on or after which the state of this resource is intended to change to DELETED. This is only informational and the status will not change unless the client explicitly changes it.
+
+ * `zone`: [Output Only] The name of the zone where the machine type resides, such as us-central1-a.
+
+ * `self_link`: [Output Only] Server-defined URL for the resource.
+
+ * `is_shared_cpu`: [Output Only] Whether this machine type has a shared CPU. See Shared-core machine types for more information.
+
+ * `accelerators`: [Output Only] A list of accelerator configurations assigned to this machine type.
+
+ * `guest_accelerator_type`: The accelerator type resource name, not a full URL, e.g. nvidia-tesla-t4.
+
+ * `guest_accelerator_count`: Number of accelerator cards exposed to the guest.
+
+
+## GCP permissions
+
+Ensure the [Compute Engine API](https://console.cloud.google.com/apis/library/compute.googleapis.com/) is enabled for the current project.
diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_machine_types.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_machine_types.md
new file mode 100644
index 0000000..c425000
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_machine_types.md
@@ -0,0 +1,53 @@
++++
+title = "google_compute_machine_types resource"
+
+draft = false
+
+
+[menu.gcp]
+title = "google_compute_machine_types"
+identifier = "inspec/resources/gcp/google_compute_machine_types resource"
+parent = "inspec/resources/gcp"
++++
+
+Use the `google_compute_machine_types` InSpec audit resource to to test a Google Cloud MachineType resource.
+
+## Examples
+
+```ruby
+ describe google_compute_machine_types(project: 'chef-gcp-inspec', zone: ' value_zone') do
+ it { should exist }
+ end
+```
+
+## Properties
+
+Properties that can be accessed from the `google_compute_machine_types` resource:
+
+See [google_compute_machine_type](google_compute_machine_type) for more detailed information.
+
+ * `kinds`: an array of `google_compute_machine_type` kind
+ * `ids`: an array of `google_compute_machine_type` id
+ * `creation_timestamps`: an array of `google_compute_machine_type` creation_timestamp
+ * `names`: an array of `google_compute_machine_type` name
+ * `descriptions`: an array of `google_compute_machine_type` description
+ * `guest_cpus`: an array of `google_compute_machine_type` guest_cpus
+ * `memory_mbs`: an array of `google_compute_machine_type` memory_mb
+ * `image_space_gbs`: an array of `google_compute_machine_type` image_space_gb
+ * `scratch_disks`: an array of `google_compute_machine_type` scratch_disks
+ * `maximum_persistent_disks`: an array of `google_compute_machine_type` maximum_persistent_disks
+ * `maximum_persistent_disks_size_gbs`: an array of `google_compute_machine_type` maximum_persistent_disks_size_gb
+ * `deprecateds`: an array of `google_compute_machine_type` deprecated
+ * `zones`: an array of `google_compute_machine_type` zone
+ * `self_links`: an array of `google_compute_machine_type` self_link
+ * `is_shared_cpus`: an array of `google_compute_machine_type` is_shared_cpu
+ * `accelerators`: an array of `google_compute_machine_type` accelerators
+
+## Filter criteria
+
+This resource supports all of the above properties as filter criteria, which can be used
+with `where` as a block or a method.
+
+## GCP permissions
+
+Ensure the [Compute Engine API](https://console.cloud.google.com/apis/library/compute.googleapis.com/) is enabled for the current project.
diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_network.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_network.md
new file mode 100644
index 0000000..d08e6ef
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_network.md
@@ -0,0 +1,120 @@
++++
+title = "google_compute_network resource"
+
+draft = false
+
+
+[menu.gcp]
+title = "google_compute_network"
+identifier = "inspec/resources/gcp/google_compute_network resource"
+parent = "inspec/resources/gcp"
++++
+
+## Syntax
+
+A `google_compute_network` is used to test a Google Network resource
+
+
+## Beta Resource
+This resource has beta fields available. To retrieve these fields, include `beta: true` in the constructor for the resource.
+
+## Examples
+
+```ruby
+describe google_compute_network(project: 'chef-gcp-inspec', name: 'inspec-network') do
+ it { should exist }
+ its('routing_config.routing_mode') { should cmp 'REGIONAL' }
+end
+
+describe google_compute_network(project: 'chef-gcp-inspec', name: 'nonexistent') do
+ it { should_not exist }
+end
+```
+
+### Test that a GCP compute network exists
+
+ describe google_compute_network(project: 'chef-inspec-gcp', name: 'gcp-inspec-network') do
+ it { should exist }
+ end
+
+### Test when a GCP compute network was created
+
+ describe google_compute_network(project: 'chef-inspec-gcp', name: 'gcp-inspec-network') do
+ its('creation_timestamp_date') { should be > Time.now - 365*60*60*24*10 }
+ end
+
+### Test for an expected network identifier
+
+ describe google_compute_network(project: 'chef-inspec-gcp', name: 'gcp-inspec-network') do
+ its('id') { should eq 12345567789 }
+ end
+
+
+### Test whether a single attached subnetwork name is correct
+
+ describe google_compute_network(project: 'chef-inspec-gcp', name: 'gcp-inspec-network') do
+ its ('subnetworks.count') { should eq 1 }
+ its ('subnetworks.first') { should match "subnetwork-name"}
+ end
+
+### Test whether the network is configured to automatically create subnetworks or not
+
+ describe google_compute_network(project: 'chef-inspec-gcp', name: 'gcp-inspec-network') do
+ its ('auto_create_subnetworks'){ should be false }
+ end
+
+
+### Check the network routing configuration routing mode
+
+ describe google_compute_network(project: 'chef-inspec-gcp', name: 'gcp-inspec-network') do
+ its ('routing_config.routing_mode') { should eq "REGIONAL" }
+ end
+
+## Properties
+
+Properties that can be accessed from the `google_compute_network` resource:
+
+
+ * `description`: An optional description of this resource. The resource must be recreated to modify this field.
+
+ * `gateway_ipv4`: The gateway address for default routing out of the network. This value is selected by GCP.
+
+ * `id`: The unique identifier for the resource.
+
+ * `name`: Name of the resource. Provided by the client when the resource is created. The name must be 1-63 characters long, and comply with RFC1035. Specifically, the name must be 1-63 characters long and match the regular expression `[a-z]([-a-z0-9]*[a-z0-9])?` which means the first character must be a lowercase letter, and all following characters must be a dash, lowercase letter, or digit, except the last character, which cannot be a dash.
+
+ * `subnetworks`: Server-defined fully-qualified URLs for all subnetworks in this network.
+
+ * `auto_create_subnetworks`: When set to `true`, the network is created in "auto subnet mode" and it will create a subnet for each region automatically across the `10.128.0.0/9` address range. When set to `false`, the network is created in "custom subnet mode" so the user can explicitly connect subnetwork resources.
+
+ * `creation_timestamp`: Creation timestamp in RFC3339 text format.
+
+ * `routing_config`: The network-level routing configuration for this network. Used by Cloud Router to determine what type of network-wide routing behavior to enforce.
+
+ * `routing_mode`: The network-wide routing mode to use. If set to `REGIONAL`, this network's cloud routers will only advertise routes with subnetworks of this network in the same region as the router. If set to `GLOBAL`, this network's cloud routers will advertise routes with all subnetworks of this network, across regions.
+ Possible values:
+ * REGIONAL
+ * GLOBAL
+
+ * `peerings`: Peerings for a network
+
+ * `name`: Name of the peering.
+
+ * `state`: State of the peering.
+
+ * `state_details`: Details about the current state of the peering.
+
+ * `network`: URL of the peer network
+
+ * `export_custom_routes`: Whether to export the custom routes to the peer network.
+
+ * `import_custom_routes`: Whether to import the custom routes to the peer network.
+
+ * `peer_mtu`: Maximum Transmission Unit in bytes.
+
+ * `mtu`: Maximum Transmission Unit in bytes. The minimum value for this field is 1460 and the maximum value is 1500 bytes.
+
+
+## GCP permissions
+
+Ensure the [Compute Engine API](https://console.cloud.google.com/apis/library/compute.googleapis.com/) is enabled for the current project.
diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_network_attachment.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_network_attachment.md
new file mode 100644
index 0000000..348bcb7
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_network_attachment.md
@@ -0,0 +1,102 @@
++++
+title = "google_compute_network_attachment resource"
+
+draft = false
+
+
+[menu.gcp]
+title = "google_compute_network_attachment"
+identifier = "inspec/resources/gcp/google_compute_network_attachment resource"
+parent = "inspec/resources/gcp"
++++
+
+Use the `google_compute_network_attachment` InSpec audit resource to to test a Google Cloud NetworkAttachment resource.
+
+## Examples
+
+```ruby
+describe google_compute_network_attachment(name: 'value_name', project: 'chef-gcp-inspec', region: ' value_region') do
+ it { should exist }
+ its('kind') { should cmp 'value_kind' }
+ its('id') { should cmp 'value_id' }
+ its('creation_timestamp') { should cmp 'value_creationtimestamp' }
+ its('name') { should cmp 'value_name' }
+ its('description') { should cmp 'value_description' }
+ its('self_link') { should cmp 'value_selflink' }
+ its('self_link_with_id') { should cmp 'value_selflinkwithid' }
+ its('region') { should cmp 'value_region' }
+ its('connection_preference') { should cmp 'value_connectionpreference' }
+ its('fingerprint') { should cmp 'value_fingerprint' }
+ its('network') { should cmp 'value_network' }
+
+end
+
+describe google_compute_network_attachment(name: 'value_name', project: 'chef-gcp-inspec', region: ' value_region') do
+ it { should_not exist }
+end
+```
+
+## Properties
+
+Properties that can be accessed from the `google_compute_network_attachment` resource:
+
+
+ * `kind`: [Output Only] Type of the resource.
+
+ * `id`: [Output Only] The unique identifier for the resource type. The server generates this identifier.
+
+ * `creation_timestamp`: [Output Only] Creation timestamp in RFC3339 text format.
+
+ * `name`: Name of the resource. Provided by the client when the resource is created. The name must be 1-63 characters long, and comply with RFC1035. Specifically, the name must be 1-63 characters long and match the regular expression `[a-z]([-a-z0-9]*[a-z0-9])?` which means the first character must be a lowercase letter, and all following characters must be a dash, lowercase letter, or digit, except the last character, which cannot be a dash.
+
+ * `description`: An optional description of this resource. Provide this property when you create the resource.
+
+ * `self_link`: [Output Only] Server-defined URL for the resource.
+
+ * `self_link_with_id`: [Output Only] Server-defined URL for this resource's resource id.
+
+ * `region`: [Output Only] URL of the region where the network attachment resides. This field applies only to the region resource. You must specify this field as part of the HTTP request URL. It is not settable as a field in the request body.
+
+ * `connection_preference`:
+ Possible values:
+ * ACCEPT_AUTOMATIC
+ * ACCEPT_MANUAL
+ * INVALID
+
+ * `connection_endpoints`: [Output Only] An array of connections for all the producers connected to this network attachment.
+
+ * `status`: The status of a connected endpoint to this network attachment.
+ Possible values:
+ * ACCEPTED
+ * CLOSED
+ * NEEDS_ATTENTION
+ * PENDING
+ * REJECTED
+ * STATUS_UNSPECIFIED
+
+ * `project_id_or_num`: The project id or number of the interface to which the IP was assigned.
+
+ * `subnetwork`: The subnetwork used to assign the IP to the producer instance network interface.
+
+ * `ip_address`: The IPv4 address assigned to the producer instance network interface. This value will be a range in case of Serverless.
+
+ * `ipv6_address`: The IPv6 address assigned to the producer instance network interface. This is only assigned when the stack types of both the instance network interface and the consumer subnet are IPv4_IPv6.
+
+ * `secondary_ip_cidr_ranges`: Alias IP ranges from the same subnetwork.
+
+ * `subnetwork_cidr_range`: [Output Only] The CIDR range of the subnet from which the IPv4 internal IP was allocated from.
+
+ * `subnetworks`: An array of URLs where each entry is the URL of a subnet provided by the service consumer to use for endpoints in the producers that connect to this network attachment.
+
+ * `producer_reject_lists`: Projects that are not allowed to connect to this network attachment. The project can be specified using its id or number.
+
+ * `producer_accept_lists`: Projects that are allowed to connect to this network attachment. The project can be specified using its id or number.
+
+ * `fingerprint`: Fingerprint of this resource. A hash of the contents stored in this object. This field is used in optimistic locking. An up-to-date fingerprint must be provided in order to patch.
+
+ * `network`: [Output Only] The URL of the network which the Network Attachment belongs to. Practically it is inferred by fetching the network of the first subnetwork associated. Because it is required that all the subnetworks must be from the same network, it is assured that the Network Attachment belongs to the same network as all the subnetworks.
+
+
+## GCP permissions
+
+Ensure the [Compute Engine API](https://console.cloud.google.com/apis/library/compute.googleapis.com/) is enabled for the current project.
diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_network_attachments.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_network_attachments.md
new file mode 100644
index 0000000..94d2ff9
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_network_attachments.md
@@ -0,0 +1,52 @@
++++
+title = "google_compute_network_attachments resource"
+
+draft = false
+
+
+[menu.gcp]
+title = "google_compute_network_attachments"
+identifier = "inspec/resources/gcp/google_compute_network_attachments resource"
+parent = "inspec/resources/gcp"
++++
+
+Use the `google_compute_network_attachments` InSpec audit resource to to test a Google Cloud NetworkAttachment resource.
+
+## Examples
+
+```ruby
+ describe google_compute_network_attachments(project: 'chef-gcp-inspec', region: ' value_region') do
+ it { should exist }
+ end
+```
+
+## Properties
+
+Properties that can be accessed from the `google_compute_network_attachments` resource:
+
+See [google_compute_network_attachment](google_compute_network_attachment) for more detailed information.
+
+ * `kinds`: an array of `google_compute_network_attachment` kind
+ * `ids`: an array of `google_compute_network_attachment` id
+ * `creation_timestamps`: an array of `google_compute_network_attachment` creation_timestamp
+ * `names`: an array of `google_compute_network_attachment` name
+ * `descriptions`: an array of `google_compute_network_attachment` description
+ * `self_links`: an array of `google_compute_network_attachment` self_link
+ * `self_link_with_ids`: an array of `google_compute_network_attachment` self_link_with_id
+ * `regions`: an array of `google_compute_network_attachment` region
+ * `connection_preferences`: an array of `google_compute_network_attachment` connection_preference
+ * `connection_endpoints`: an array of `google_compute_network_attachment` connection_endpoints
+ * `subnetworks`: an array of `google_compute_network_attachment` subnetworks
+ * `producer_reject_lists`: an array of `google_compute_network_attachment` producer_reject_lists
+ * `producer_accept_lists`: an array of `google_compute_network_attachment` producer_accept_lists
+ * `fingerprints`: an array of `google_compute_network_attachment` fingerprint
+ * `networks`: an array of `google_compute_network_attachment` network
+
+## Filter criteria
+
+This resource supports all of the above properties as filter criteria, which can be used
+with `where` as a block or a method.
+
+## GCP permissions
+
+Ensure the [Compute Engine API](https://console.cloud.google.com/apis/library/compute.googleapis.com/) is enabled for the current project.
diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_network_edge_security_service.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_network_edge_security_service.md
new file mode 100644
index 0000000..5d2cddb
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_network_edge_security_service.md
@@ -0,0 +1,66 @@ ++++ +title = "google_compute_network_edge_security_service resource" + +draft = false + + +[menu.gcp] +title = "google_compute_network_edge_security_service" +identifier = "inspec/resources/gcp/google_compute_network_edge_security_service resource" +parent = "inspec/resources/gcp" ++++ + +Use the `google_compute_network_edge_security_service` InSpec audit resource to to test a Google Cloud NetworkEdgeSecurityService resource. + +## Examples + +```ruby +describe google_compute_network_edge_security_service(name: 'value_name', project: 'chef-gcp-inspec', region: ' value_region') do + it { should exist } + its('kind') { should cmp 'value_kind' } + its('id') { should cmp 'value_id' } + its('creation_timestamp') { should cmp 'value_creationtimestamp' } + its('name') { should cmp 'value_name' } + its('description') { should cmp 'value_description' } + its('self_link') { should cmp 'value_selflink' } + its('self_link_with_id') { should cmp 'value_selflinkwithid' } + its('region') { should cmp 'value_region' } + its('fingerprint') { should cmp 'value_fingerprint' } + its('security_policy') { should cmp 'value_securitypolicy' } + +end + +describe google_compute_network_edge_security_service(name: ' ', project: 'chef-gcp-inspec', region: ' value_region') do + it { should_not exist } +end +``` + +## Properties + +Properties that can be accessed from the `google_compute_network_edge_security_service` resource: + + + * `kind`: [Output only] Type of the resource. Always compute#networkEdgeSecurityService for NetworkEdgeSecurityServices + + * `id`: [Output Only] The unique identifier for the resource. This identifier is defined by the server. + + * `creation_timestamp`: [Output Only] Creation timestamp in RFC3339 text format. + + * `name`: Name of the resource. Provided by the client when the resource is created. The name must be 1-63 characters long, and comply with RFC1035. 
Specifically, the name must be 1-63 characters long and match the regular expression `[a-z]([-a-z0-9]*[a-z0-9])?` which means the first character must be a lowercase letter, and all following characters must be a dash, lowercase letter, or digit, except the last character, which cannot be a dash. + + * `description`: An optional description of this resource. Provide this property when you create the resource. + + * `self_link`: [Output Only] Server-defined URL for the resource. + + * `self_link_with_id`: [Output Only] Server-defined URL for this resource with the resource id. + + * `region`: [Output Only] URL of the region where the resource resides. You must specify this field as part of the HTTP request URL. It is not settable as a field in the request body. + + * `fingerprint`: Fingerprint of this resource. A hash of the contents stored in this object. This field is used in optimistic locking. This field will be ignored when inserting a NetworkEdgeSecurityService. An up-to-date fingerprint must be provided in order to update the NetworkEdgeSecurityService, otherwise the request will fail with error 412 conditionNotMet. To see the latest fingerprint, make a get() request to retrieve a NetworkEdgeSecurityService. + + * `security_policy`: The resource URL for the network edge security service associated with this network edge security service. + + +## GCP permissions + +Ensure the [Compute Engine API](https://console.cloud.google.com/apis/library/compute.googleapis.com/) is enabled for the current project. diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_network_endpoint_group.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_network_endpoint_group.md new file mode 100644 index 0000000..3c6904f --- /dev/null +++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_network_endpoint_group.md 
@@ -0,0 +1,62 @@ ++++ +title = "google_compute_network_endpoint_group resource" + +draft = false + + +[menu.gcp] +title = "google_compute_network_endpoint_group" +identifier = "inspec/resources/gcp/google_compute_network_endpoint_group resource" +parent = "inspec/resources/gcp" ++++ + +## Syntax + +A `google_compute_network_endpoint_group` is used to test a Google NetworkEndpointGroup resource + + +## Beta Resource +This resource has beta fields available. To retrieve these fields, include `beta: true` in the constructor for the resource. + +## Examples + +```ruby +describe google_compute_network_endpoint_group(project: 'chef-gcp-inspec', zone: 'zone', name: 'inspec-gcp-endpoint-group') do + it { should exist } + its('default_port') { should cmp '90' } +end + +describe google_compute_network_endpoint_group(project: 'chef-gcp-inspec', zone: 'zone', name: 'nonexistent') do + it { should_not exist } +end +``` + +## Properties + +Properties that can be accessed from the `google_compute_network_endpoint_group` resource: + + + * `id`: The unique identifier for the resource. + + * `name`: Name of the resource; provided by the client when the resource is created. The name must be 1-63 characters long, and comply with RFC1035. Specifically, the name must be 1-63 characters long and match the regular expression `[a-z]([-a-z0-9]*[a-z0-9])?` which means the first character must be a lowercase letter, and all following characters must be a dash, lowercase letter, or digit, except the last character, which cannot be a dash. + + * `description`: An optional description of this resource. Provide this property when you create the resource. + + * `network_endpoint_type`: Type of network endpoints in this network endpoint group. + Possible values: + * GCE_VM_IP_PORT + + * `size`: Number of network endpoints in the network endpoint group. + + * `network`: The network to which all network endpoints in the NEG belong. Uses "default" project network if unspecified. 
+ + * `subnetwork`: Optional subnetwork to which all network endpoints in the NEG belong. + + * `default_port`: The default port used if the port number is not specified in the network endpoint. + + * `zone`: Zone where the network endpoint group is located. + + +## GCP permissions + +Ensure the [Compute Engine API](https://console.cloud.google.com/apis/library/compute.googleapis.com/) is enabled for the current project. diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_network_endpoint_groups.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_network_endpoint_groups.md new file mode 100644 index 0000000..fc6b941 --- /dev/null +++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_network_endpoint_groups.md 
@@ -0,0 +1,53 @@ ++++ +title = "google_compute_network_endpoint_groups resource" + +draft = false + + +[menu.gcp] +title = "google_compute_network_endpoint_groups" +identifier = "inspec/resources/gcp/google_compute_network_endpoint_groups resource" +parent = "inspec/resources/gcp" ++++ + +## Syntax + +A `google_compute_network_endpoint_groups` is used to test a Google NetworkEndpointGroup resource + + +## Beta Resource +This resource has beta fields available. To retrieve these fields, include `beta: true` in the constructor for the resource. + +## Examples + +```ruby +describe google_compute_network_endpoint_groups(project: 'chef-gcp-inspec', zone: 'zone') do + its('default_ports') { should include '90' } + its('names') { should include 'inspec-gcp-endpoint-group' } +end +``` + +## Properties + +Properties that can be accessed from the `google_compute_network_endpoint_groups` resource: + +See [google_compute_network_endpoint_group](google_compute_network_endpoint_group) for more detailed information. + + * `ids`: an array of `google_compute_network_endpoint_group` id + * `names`: an array of `google_compute_network_endpoint_group` name + * `descriptions`: an array of `google_compute_network_endpoint_group` description + * `network_endpoint_types`: an array of `google_compute_network_endpoint_group` network_endpoint_type + * `sizes`: an array of `google_compute_network_endpoint_group` size + * `networks`: an array of `google_compute_network_endpoint_group` network + * `subnetworks`: an array of `google_compute_network_endpoint_group` subnetwork + * `default_ports`: an array of `google_compute_network_endpoint_group` default_port + * `zones`: an array of `google_compute_network_endpoint_group` zone + +## Filter criteria + +This resource supports all of the above properties as filter criteria, which can be used +with `where` as a block or a method. 
+ +## GCP permissions + +Ensure the [Compute Engine API](https://console.cloud.google.com/apis/library/compute.googleapis.com/) is enabled for the current project. diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_network_firewall_policies.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_network_firewall_policies.md new file mode 100644 index 0000000..149fd66 --- /dev/null +++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_network_firewall_policies.md 
@@ -0,0 +1,52 @@ ++++ +title = "google_compute_network_firewall_policies resource" + +draft = false + + +[menu.gcp] +title = "google_compute_network_firewall_policies" +identifier = "inspec/resources/gcp/google_compute_network_firewall_policies resource" +parent = "inspec/resources/gcp" ++++ + +Use the `google_compute_network_firewall_policies` InSpec audit resource to to test a Google Cloud NetworkFirewallPolicy resource. + +## Examples + +```ruby + describe google_compute_network_firewall_policies(project: 'chef-gcp-inspec') do + it { should exist } + end +``` + +## Properties + +Properties that can be accessed from the `google_compute_network_firewall_policies` resource: + +See [google_compute_network_firewall_policy](google_compute_network_firewall_policy) for more detailed information. + + * `kinds`: an array of `google_compute_network_firewall_policy` kind + * `ids`: an array of `google_compute_network_firewall_policy` id + * `creation_timestamps`: an array of `google_compute_network_firewall_policy` creation_timestamp + * `names`: an array of `google_compute_network_firewall_policy` name + * `descriptions`: an array of `google_compute_network_firewall_policy` description + * `rules`: an array of `google_compute_network_firewall_policy` rules + * `fingerprints`: an array of `google_compute_network_firewall_policy` fingerprint + * `self_links`: an array of `google_compute_network_firewall_policy` self_link + * `self_link_with_ids`: an array of `google_compute_network_firewall_policy` self_link_with_id + * `associations`: an array of `google_compute_network_firewall_policy` associations + * `rule_tuple_counts`: an array of `google_compute_network_firewall_policy` rule_tuple_count + * `short_names`: an array of `google_compute_network_firewall_policy` short_name + * `display_names`: an array of `google_compute_network_firewall_policy` display_name + * `parents`: an array of `google_compute_network_firewall_policy` parent + * `regions`: an array of 
`google_compute_network_firewall_policy` region + +## Filter criteria + +This resource supports all of the above properties as filter criteria, which can be used +with `where` as a block or a method. + +## GCP permissions + +Ensure the [Compute Engine API](https://console.cloud.google.com/apis/library/compute.googleapis.com/) is enabled for the current project. diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_network_firewall_policy.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_network_firewall_policy.md new file mode 100644 index 0000000..4134e9f --- /dev/null +++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_network_firewall_policy.md 
@@ -0,0 +1,159 @@ ++++ +title = "google_compute_network_firewall_policy resource" + +draft = false + + +[menu.gcp] +title = "google_compute_network_firewall_policy" +identifier = "inspec/resources/gcp/google_compute_network_firewall_policy resource" +parent = "inspec/resources/gcp" ++++ + +Use the `google_compute_network_firewall_policy` InSpec audit resource to to test a Google Cloud NetworkFirewallPolicy resource. + +## Examples + +```ruby +describe google_compute_network_firewall_policy(name: 'value_name', project: 'chef-gcp-inspec') do + it { should exist } + its('kind') { should cmp 'value_kind' } + its('id') { should cmp 'value_id' } + its('creation_timestamp') { should cmp 'value_creationtimestamp' } + its('name') { should cmp 'value_name' } + its('description') { should cmp 'value_description' } + its('fingerprint') { should cmp 'value_fingerprint' } + its('self_link') { should cmp 'value_selflink' } + its('self_link_with_id') { should cmp 'value_selflinkwithid' } + its('short_name') { should cmp 'value_shortname' } + its('display_name') { should cmp 'value_displayname' } + its('parent') { should cmp 'value_parent' } + its('region') { should cmp 'value_region' } + +end + +describe google_compute_network_firewall_policy(name: 'value_name', project: 'chef-gcp-inspec') do + it { should_not exist } +end +``` + +## Properties + +Properties that can be accessed from the `google_compute_network_firewall_policy` resource: + + + * `kind`: [Output only] Type of the resource. Always compute#firewallPolicyfor firewall policies + + * `id`: [Output Only] The unique identifier for the resource. This identifier is defined by the server. + + * `creation_timestamp`: [Output Only] Creation timestamp in RFC3339 text format. + + * `name`: Name of the resource. For Organization Firewall Policies it's a [Output Only] numeric ID allocated by Google Cloud which uniquely identifies the Organization Firewall Policy. + + * `description`: An optional description of this resource. 
Provide this property when you create the resource. + + * `rules`: A list of rules that belong to this policy. There must always be a default rule (rule with priority 2147483647 and match "*"). If no rules are provided when creating a firewall policy, a default rule with action "allow" will be added. + + * `kind`: [Output only] Type of the resource. Always compute#firewallPolicyRule for firewall policy rules + + * `rule_name`: An optional name for the rule. This field is not a unique identifier and can be updated. + + * `description`: An optional description for this resource. + + * `priority`: An integer indicating the priority of a rule in the list. The priority must be a positive value between 0 and 2147483647. Rules are evaluated from highest to lowest priority where 0 is the highest priority and 2147483647 is the lowest prority. + + * `match`: Represents a match condition that incoming traffic is evaluated against. Exactly one field must be specified. + + * `src_ip_ranges`: CIDR IP address range. Maximum number of source CIDR IP ranges allowed is 5000. + + * `dest_ip_ranges`: CIDR IP address range. Maximum number of destination CIDR IP ranges allowed is 5000. + + * `layer4_configs`: Pairs of IP protocols and ports that the rule should match. + + * `ip_protocol`: The IP protocol to which this rule applies. The protocol type is required when creating a firewall rule. This value can either be one of the following well known protocol strings (tcp, udp, icmp, esp, ah, ipip, sctp), or the IP protocol number. + + * `ports`: An optional list of ports to which this rule applies. This field is only applicable for UDP or TCP protocol. Each entry must be either an integer or a range. If not specified, this rule applies to connections through any port. Example inputs include: ["22"], ["80","443"], and ["12345-12349"]. + + * `src_secure_tags`: List of secure tag values, which should be matched at the source of the traffic. 
For INGRESS rule, if all the srcSecureTag are INEFFECTIVE, and there is no srcIpRange, this rule will be ignored. Maximum number of source tag values allowed is 256. + + * `name`: Name of the secure tag, created with TagManager's TagValue API. + + * `state`: [Output Only] State of the secure tag, either `EFFECTIVE` or `INEFFECTIVE`. A secure tag is `INEFFECTIVE` when it is deleted or its network is deleted. + Possible values: + * EFFECTIVE + * INEFFECTIVE + + * `dest_address_groups`: Address groups which should be matched against the traffic destination. Maximum number of destination address groups is 10. + + * `src_address_groups`: Address groups which should be matched against the traffic source. Maximum number of source address groups is 10. + + * `src_fqdns`: Fully Qualified Domain Name (FQDN) which should be matched against traffic source. Maximum number of source fqdn allowed is 100. + + * `dest_fqdns`: Fully Qualified Domain Name (FQDN) which should be matched against traffic destination. Maximum number of destination fqdn allowed is 100. + + * `src_region_codes`: Region codes whose IP addresses will be used to match for source of traffic. Should be specified as 2 letter country code defined as per ISO 3166 alpha-2 country codes. ex."US" Maximum number of source region codes allowed is 5000. + + * `dest_region_codes`: Region codes whose IP addresses will be used to match for destination of traffic. Should be specified as 2 letter country code defined as per ISO 3166 alpha-2 country codes. ex."US" Maximum number of dest region codes allowed is 5000. + + * `dest_threat_intelligences`: Names of Network Threat Intelligence lists. The IPs in these lists will be matched against traffic destination. + + * `src_threat_intelligences`: Names of Network Threat Intelligence lists. The IPs in these lists will be matched against traffic source. + + * `action`: The Action to perform when the client connection triggers the rule. 
Valid actions are "allow", "deny" and "goto_next". + + * `direction`: The direction in which this rule applies. + Possible values: + * EGRESS + * INGRESS + + * `target_resources`: A list of network resource URLs to which this rule applies. This field allows you to control which network's VMs get this rule. If this field is left blank, all VMs within the organization will receive the rule. + + * `enable_logging`: Denotes whether to enable logging for a particular rule. If logging is enabled, logs will be exported to the configured export destination in Stackdriver. Logs may be exported to BigQuery or Pub/Sub. Note: you cannot enable logging on "goto_next" rules. + + * `rule_tuple_count`: [Output Only] Calculation of the complexity of a single firewall policy rule. + + * `target_service_accounts`: A list of service accounts indicating the sets of instances that are applied with this rule. + + * `target_secure_tags`: A list of secure tags that controls which instances the firewall rule applies to. If targetSecureTag are specified, then the firewall rule applies only to instances in the VPC network that have one of those EFFECTIVE secure tags, if all the target_secure_tag are in INEFFECTIVE state, then this rule will be ignored. targetSecureTag may not be set at the same time as targetServiceAccounts. If neither targetServiceAccounts nor targetSecureTag are specified, the firewall rule applies to all instances on the specified network. Maximum number of target label tags allowed is 256. + + * `name`: Name of the secure tag, created with TagManager's TagValue API. + + * `state`: [Output Only] State of the secure tag, either `EFFECTIVE` or `INEFFECTIVE`. A secure tag is `INEFFECTIVE` when it is deleted or its network is deleted. + Possible values: + * EFFECTIVE + * INEFFECTIVE + + * `disabled`: Denotes whether the firewall policy rule is disabled. When set to true, the firewall policy rule is not enforced and traffic behaves as if it did not exist. 
If this is unspecified, the firewall policy rule will be enabled. + + * `fingerprint`: Specifies a fingerprint for this resource, which is essentially a hash of the metadata's contents and used for optimistic locking. The fingerprint is initially generated by Compute Engine and changes after every request to modify or update metadata. You must always provide an up-to-date fingerprint hash in order to update or change metadata, otherwise the request will fail with error 412 conditionNotMet. To see the latest fingerprint, make get() request to the firewall policy. + + * `self_link`: [Output Only] Server-defined URL for the resource. + + * `self_link_with_id`: [Output Only] Server-defined URL for this resource with the resource id. + + * `associations`: A list of associations that belong to this firewall policy. + + * `name`: The name for an association. + + * `attachment_target`: The target that the firewall policy is attached to. + + * `firewall_policy_id`: [Output Only] The firewall policy ID of the association. + + * `short_name`: [Output Only] The short name of the firewall policy of the association. + + * `display_name`: [Output Only] Deprecated, please use short name instead. The display name of the firewall policy of the association. + + * `rule_tuple_count`: [Output Only] Total count of all firewall policy rule tuples. A firewall policy can not exceed a set number of tuples. + + * `short_name`: User-provided name of the Organization firewall policy. The name should be unique in the organization in which the firewall policy is created. This field is not applicable to network firewall policies. This name must be set on creation and cannot be changed. The name must be 1-63 characters long, and comply with RFC1035. 
Specifically, the name must be 1-63 characters long and match the regular expression `[a-z]([-a-z0-9]*[a-z0-9])?` which means the first character must be a lowercase letter, and all following characters must be a dash, lowercase letter, or digit, except the last character, which cannot be a dash. + + * `display_name`: Deprecated, please use short name instead. User-provided name of the Organization firewall policy. The name should be unique in the organization in which the firewall policy is created. This field is not applicable to network firewall policies. This name must be set on creation and cannot be changed. The name must be 1-63 characters long, and comply with RFC1035. Specifically, the name must be 1-63 characters long and match the regular expression `[a-z]([-a-z0-9]*[a-z0-9])?` which means the first character must be a lowercase letter, and all following characters must be a dash, lowercase letter, or digit, except the last character, which cannot be a dash. + + * `parent`: [Output Only] The parent of the firewall policy. This field is not applicable to network firewall policies. + + * `region`: [Output Only] URL of the region where the regional firewall policy resides. This field is not applicable to global firewall policies. You must specify this field as part of the HTTP request URL. It is not settable as a field in the request body. + + +## GCP permissions + +Ensure the [Compute Engine API](https://console.cloud.google.com/apis/library/compute.googleapis.com/) is enabled for the current project. diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_networks.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_networks.md new file mode 100644 index 0000000..d510652 --- /dev/null +++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_networks.md 
@@ -0,0 +1,72 @@ ++++ +title = "google_compute_networks resource" + +draft = false + + +[menu.gcp] +title = "google_compute_networks" +identifier = "inspec/resources/gcp/google_compute_networks resource" +parent = "inspec/resources/gcp" ++++ + +## Syntax + +A `google_compute_networks` is used to test a Google Network resource + + +## Beta Resource +This resource has beta fields available. To retrieve these fields, include `beta: true` in the constructor for the resource. + +## Examples + +```ruby +describe google_compute_networks(project: 'chef-gcp-inspec') do + its('network_names') { should include 'inspec-network' } +end +``` + +### Test that there are no more than a specified number of networks available for the project + + describe google_compute_networks(project: 'chef-inspec-gcp') do + its('count') { should be <= 100} + end + +### Test that an expected network identifier is present in the project + + describe google_compute_networks(project: 'chef-inspec-gcp') do + its('network_ids') { should include 12345678975432 } + end + +### Test that an expected network name is available for the project + + describe google_compute_networks(project: 'chef-inspec-gcp') do + its('network_names') { should include "network-name" } + end + + +## Properties + +Properties that can be accessed from the `google_compute_networks` resource: + +See [google_compute_network](google_compute_network) for more detailed information. 
+ + * `descriptions`: an array of `google_compute_network` description + * `gateway_ipv4s`: an array of `google_compute_network` gateway_ipv4 + * `network_ids`: an array of `google_compute_network` id + * `network_names`: an array of `google_compute_network` name + * `subnetworks`: an array of `google_compute_network` subnetworks + * `auto_create_subnetworks`: an array of `google_compute_network` auto_create_subnetworks + * `creation_timestamps`: an array of `google_compute_network` creation_timestamp + * `routing_configs`: an array of `google_compute_network` routing_config + * `peerings`: an array of `google_compute_network` peerings + * `mtus`: an array of `google_compute_network` mtu + +## Filter criteria + +This resource supports all of the above properties as filter criteria, which can be used +with `where` as a block or a method. + +## GCP permissions + +Ensure the [Compute Engine API](https://console.cloud.google.com/apis/library/compute.googleapis.com/) is enabled for the current project. diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_node_group.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_node_group.md new file mode 100644 index 0000000..531798b --- /dev/null +++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_node_group.md 
@@ -0,0 +1,69 @@ ++++ +title = "google_compute_node_group resource" + +draft = false + + +[menu.gcp] +title = "google_compute_node_group" +identifier = "inspec/resources/gcp/google_compute_node_group resource" +parent = "inspec/resources/gcp" ++++ + +## Syntax + +A `google_compute_node_group` is used to test a Google NodeGroup resource + + +## Beta Resource +This resource has beta fields available. To retrieve these fields, include `beta: true` in the constructor for the resource. + +## Examples + +```ruby +describe google_compute_node_group(project: 'chef-gcp-inspec', zone: 'zone', name: 'inspec-node-group') do + it { should exist } + its('description') { should cmp 'A description of the node group' } + its('size') { should cmp '0' } +end + +describe google_compute_node_group(project: 'chef-gcp-inspec', zone: 'zone', name: 'nonexistent') do + it { should_not exist } +end +``` + +## Properties + +Properties that can be accessed from the `google_compute_node_group` resource: + + + * `creation_timestamp`: Creation timestamp in RFC3339 text format. + + * `description`: An optional textual description of the resource. + + * `name`: Name of the resource. + + * `node_template`: The URL of the node template to which this node group belongs. + + * `size`: The total number of nodes in the node group. + + * `maintenance_policy`: Specifies how to handle instances when a node in the group undergoes maintenance. Set to one of: DEFAULT, RESTART_IN_PLACE, or MIGRATE_WITHIN_NODE_GROUP. The default value is DEFAULT. + + * `autoscaling_policy`: If you use sole-tenant nodes for your workloads, you can use the node group autoscaler to automatically manage the sizes of your node groups. + + * `mode`: The autoscaling mode. Set to one of the following: - OFF: Disables the autoscaler. - ON: Enables scaling in and scaling out. - ONLY_SCALE_OUT: Enables only scaling out. You must use this mode if your node groups are configured to restart their hosted VMs on minimal servers. 
+ Possible values: + * OFF + * ON + * ONLY_SCALE_OUT + + * `min_nodes`: Minimum size of the node group. Must be less than or equal to max-nodes. The default value is 0. + + * `max_nodes`: Maximum size of the node group. Set to a value less than or equal to 100 and greater than or equal to min-nodes. + + * `zone`: Zone where this node group is located + + +## GCP permissions + +Ensure the [Compute Engine API](https://console.cloud.google.com/apis/library/compute.googleapis.com/) is enabled for the current project. diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_node_groups.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_node_groups.md new file mode 100644 index 0000000..c7311e0 --- /dev/null +++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_node_groups.md 
@@ -0,0 +1,54 @@ ++++ +title = "google_compute_node_groups resource" + +draft = false + + +[menu.gcp] +title = "google_compute_node_groups" +identifier = "inspec/resources/gcp/google_compute_node_groups resource" +parent = "inspec/resources/gcp" ++++ + +## Syntax + +A `google_compute_node_groups` is used to test a Google NodeGroup resource + + +## Beta Resource +This resource has beta fields available. To retrieve these fields, include `beta: true` in the constructor for the resource. + +## Examples + +```ruby +describe google_compute_node_groups(project: 'chef-gcp-inspec', zone: 'zone') do + it { should exist } + its('descriptions') { should include 'A description of the node group' } + its('sizes') { should include '0' } + its('names') { should include 'inspec-node-group' } +end +``` + +## Properties + +Properties that can be accessed from the `google_compute_node_groups` resource: + +See [google_compute_node_group](google_compute_node_group) for more detailed information. + + * `creation_timestamps`: an array of `google_compute_node_group` creation_timestamp + * `descriptions`: an array of `google_compute_node_group` description + * `names`: an array of `google_compute_node_group` name + * `node_templates`: an array of `google_compute_node_group` node_template + * `sizes`: an array of `google_compute_node_group` size + * `maintenance_policies`: an array of `google_compute_node_group` maintenance_policy + * `autoscaling_policies`: an array of `google_compute_node_group` autoscaling_policy + * `zones`: an array of `google_compute_node_group` zone + +## Filter criteria + +This resource supports all of the above properties as filter criteria, which can be used +with `where` as a block or a method. + +## GCP permissions + +Ensure the [Compute Engine API](https://console.cloud.google.com/apis/library/compute.googleapis.com/) is enabled for the current project. 
diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_node_template.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_node_template.md new file mode 100644 index 0000000..9d68b8b --- /dev/null +++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_node_template.md 
@@ -0,0 +1,74 @@ ++++ +title = "google_compute_node_template resource" + +draft = false + + +[menu.gcp] +title = "google_compute_node_template" +identifier = "inspec/resources/gcp/google_compute_node_template resource" +parent = "inspec/resources/gcp" ++++ + +## Syntax + +A `google_compute_node_template` is used to test a Google NodeTemplate resource + + +## Beta Resource +This resource has beta fields available. To retrieve these fields, include `beta: true` in the constructor for the resource. + +## Examples + +```ruby +describe google_compute_node_template(project: 'chef-gcp-inspec', region: 'europe-west2', name: 'inspec-node-template') do + it { should exist } + its('node_affinity_labels') { should include('key' => 'value') } +end + +describe google_compute_node_template(project: 'chef-gcp-inspec', region: 'europe-west2', name: 'nonexistent') do + it { should_not exist } +end +``` + +## Properties + +Properties that can be accessed from the `google_compute_node_template` resource: + + + * `creation_timestamp`: Creation timestamp in RFC3339 text format. + + * `description`: An optional textual description of the resource. + + * `name`: Name of the resource. + + * `node_affinity_labels`: Labels to use for node affinity, which will be used in instance scheduling. + + * `node_type`: Node type to use for nodes group that are created from this template. Only one of nodeTypeFlexibility and nodeType can be specified. + + * `node_type_flexibility`: Flexible properties for the desired node type. Node groups that use this node template will create nodes of a type that matches these properties. Only one of nodeTypeFlexibility and nodeType can be specified. + + * `cpus`: Number of virtual CPUs to use. + + * `memory`: Physical memory available to the node, defined in MB. + + * `local_ssd`: Use local SSD + + * `server_binding`: (Beta only) The server binding policy for nodes using this template. Determines where the nodes should restart following a maintenance event. 
+ + * `type`: Type of server binding policy. If `RESTART_NODE_ON_ANY_SERVER`, nodes using this template will restart on any physical server following a maintenance event. If `RESTART_NODE_ON_MINIMAL_SERVER`, nodes using this template will restart on the same physical server following a maintenance event, instead of being live migrated to or restarted on a new physical server. This option may be useful if you are using software licenses tied to the underlying server characteristics such as physical sockets or cores, to avoid the need for additional licenses when maintenance occurs. However, VMs on such nodes will experience outages while maintenance is applied. + Possible values: + * RESTART_NODE_ON_ANY_SERVER + * RESTART_NODE_ON_MINIMAL_SERVERS + + * `cpu_overcommit_type`: (Beta only) CPU overcommit. + Possible values: + * ENABLED + * NONE + + * `region`: Region where nodes using the node template will be created + + +## GCP permissions + +Ensure the [Compute Engine API](https://console.cloud.google.com/apis/library/compute.googleapis.com/) is enabled for the current project. diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_node_templates.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_node_templates.md new file mode 100644 index 0000000..b54c40a --- /dev/null +++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_node_templates.md 
@@ -0,0 +1,52 @@ ++++ +title = "google_compute_node_templates resource" + +draft = false + + +[menu.gcp] +title = "google_compute_node_templates" +identifier = "inspec/resources/gcp/google_compute_node_templates resource" +parent = "inspec/resources/gcp" ++++ + +## Syntax + +A `google_compute_node_templates` is used to test a Google NodeTemplate resource + + +## Beta Resource +This resource has beta fields available. To retrieve these fields, include `beta: true` in the constructor for the resource. + +## Examples + +```ruby +describe google_compute_node_templates(project: 'chef-gcp-inspec', region: 'europe-west2') do + its('names') { should include 'inspec-node-template' } +end +``` + +## Properties + +Properties that can be accessed from the `google_compute_node_templates` resource: + +See [google_compute_node_template](google_compute_node_template) for more detailed information. + + * `creation_timestamps`: an array of `google_compute_node_template` creation_timestamp + * `descriptions`: an array of `google_compute_node_template` description + * `names`: an array of `google_compute_node_template` name + * `node_affinity_labels`: an array of `google_compute_node_template` node_affinity_labels + * `node_types`: an array of `google_compute_node_template` node_type + * `node_type_flexibilities`: an array of `google_compute_node_template` node_type_flexibility + * `server_bindings`: (Beta only) an array of `google_compute_node_template` server_binding + * `cpu_overcommit_types`: (Beta only) an array of `google_compute_node_template` cpu_overcommit_type + * `regions`: an array of `google_compute_node_template` region + +## Filter criteria + +This resource supports all of the above properties as filter criteria, which can be used +with `where` as a block or a method. + +## GCP permissions + +Ensure the [Compute Engine API](https://console.cloud.google.com/apis/library/compute.googleapis.com/) is enabled for the current project. 
diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_node_type.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_node_type.md
new file mode 100644
index 0000000..e1e5aa7
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_node_type.md
@@ -0,0 +1,83 @@ ++++ +title = "google_compute_node_type resource" + +draft = false + + +[menu.gcp] +title = "google_compute_node_type" +identifier = "inspec/resources/gcp/google_compute_node_type resource" +parent = "inspec/resources/gcp" ++++ + +Use the `google_compute_node_type` InSpec audit resource to to test a Google Cloud NodeType resource. + +## Examples + +```ruby +describe google_compute_v1_node_type(nodeType: ' ', project: 'chef-gcp-inspec', zone: ' value_zone') do + it { should exist } + its('kind') { should cmp 'value_kind' } + its('id') { should cmp 'value_id' } + its('creation_timestamp') { should cmp 'value_creationtimestamp' } + its('name') { should cmp 'value_name' } + its('description') { should cmp 'value_description' } + its('cpu_platform') { should cmp 'value_cpuplatform' } + its('zone') { should cmp 'value_zone' } + its('self_link') { should cmp 'value_selflink' } + +end + +describe google_compute_v1_node_type(nodeType: ' ', project: 'chef-gcp-inspec', zone: ' value_zone') do + it { should_not exist } +end +``` + +## Properties + +Properties that can be accessed from the `google_compute_node_type` resource: + + + * `kind`: [Output Only] The type of the resource. Always compute#nodeType for node types. + + * `id`: [Output Only] The unique identifier for the resource. This identifier is defined by the server. + + * `creation_timestamp`: [Output Only] Creation timestamp in RFC3339 text format. + + * `name`: [Output Only] Name of the resource. + + * `description`: [Output Only] An optional textual description of the resource. + + * `cpu_platform`: [Output Only] The CPU platform used by this node type. + + * `guest_cpus`: [Output Only] The number of virtual CPUs that are available to the node type. + + * `memory_mb`: [Output Only] The amount of physical memory available to the node type, defined in MB. + + * `local_ssd_gb`: [Output Only] Local SSD available to the node type, defined in GB. 
+ + * `deprecated`: Deprecation status for a public resource. + + * `state`: The deprecation state of this resource. This can be ACTIVE, DEPRECATED, OBSOLETE, or DELETED. Operations which communicate the end of life date for an image, can use ACTIVE. Operations which create a new resource using a DEPRECATED resource will return successfully, but with a warning indicating the deprecated resource and recommending its replacement. Operations which use OBSOLETE or DELETED resources will be rejected and result in an error. + Possible values: + * ACTIVE + * DELETED + * DEPRECATED + * OBSOLETE + + * `replacement`: The URL of the suggested replacement for a deprecated resource. The suggested replacement resource must be the same kind of resource as the deprecated resource. + + * `deprecated`: An optional RFC3339 timestamp on or after which the state of this resource is intended to change to DEPRECATED. This is only informational and the status will not change unless the client explicitly changes it. + + * `obsolete`: An optional RFC3339 timestamp on or after which the state of this resource is intended to change to OBSOLETE. This is only informational and the status will not change unless the client explicitly changes it. + + * `deleted`: An optional RFC3339 timestamp on or after which the state of this resource is intended to change to DELETED. This is only informational and the status will not change unless the client explicitly changes it. + + * `zone`: [Output Only] The name of the zone where the node type resides, such as us-central1-a. + + * `self_link`: [Output Only] Server-defined URL for the resource. + + +## GCP permissions + +Ensure the [Compute Engine API](https://console.cloud.google.com/apis/library/compute.googleapis.com/) is enabled for the current project. 
diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_node_types.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_node_types.md
new file mode 100644
index 0000000..2364078
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_node_types.md
@@ -0,0 +1,49 @@ ++++ +title = "google_compute_node_types resource" + +draft = false + + +[menu.gcp] +title = "google_compute_node_types" +identifier = "inspec/resources/gcp/google_compute_node_types resource" +parent = "inspec/resources/gcp" ++++ + +Use the `google_compute_node_types` InSpec audit resource to to test a Google Cloud NodeType resource. + +## Examples + +```ruby + describe google_compute_v1_node_types(project: 'chef-gcp-inspec', zone: ' value_zone') do + it { should exist } + end +``` + +## Properties + +Properties that can be accessed from the `google_compute_node_types` resource: + +See [google_compute_node_type](google_compute_node_type) for more detailed information. + + * `kinds`: an array of `google_compute_node_type` kind + * `ids`: an array of `google_compute_node_type` id + * `creation_timestamps`: an array of `google_compute_node_type` creation_timestamp + * `names`: an array of `google_compute_node_type` name + * `descriptions`: an array of `google_compute_node_type` description + * `cpu_platforms`: an array of `google_compute_node_type` cpu_platform + * `guest_cpus`: an array of `google_compute_node_type` guest_cpus + * `memory_mbs`: an array of `google_compute_node_type` memory_mb + * `local_ssd_gbs`: an array of `google_compute_node_type` local_ssd_gb + * `deprecateds`: an array of `google_compute_node_type` deprecated + * `zones`: an array of `google_compute_node_type` zone + * `self_links`: an array of `google_compute_node_type` self_link + +## Filter criteria + +This resource supports all of the above properties as filter criteria, which can be used +with `where` as a block or a method. + +## GCP permissions + +Ensure the [Compute Engine API](https://console.cloud.google.com/apis/library/compute.googleapis.com/) is enabled for the current project. 
diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_packet_mirroring.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_packet_mirroring.md
new file mode 100644
index 0000000..6488a39
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_packet_mirroring.md
@@ -0,0 +1,108 @@ ++++ +title = "google_compute_packet_mirroring resource" + +draft = false + + +[menu.gcp] +title = "google_compute_packet_mirroring" +identifier = "inspec/resources/gcp/google_compute_packet_mirroring resource" +parent = "inspec/resources/gcp" ++++ + +Use the `google_compute_packet_mirroring` InSpec audit resource to to test a Google Cloud PacketMirroring resource. + +## Examples + +```ruby +describe google_compute_packet_mirroring(name: 'value_name', project: 'chef-gcp-inspec', region: 'value_region') do + it { should exist } + its('kind') { should cmp 'value_kind' } + its('id') { should cmp 'value_id' } + its('creation_timestamp') { should cmp 'value_creationtimestamp' } + its('self_link') { should cmp 'value_selflink' } + its('self_link_with_id') { should cmp 'value_selflinkwithid' } + its('name') { should cmp 'value_name' } + its('description') { should cmp 'value_description' } + its('region') { should cmp 'value_region' } + its('enable') { should cmp 'value_enable' } + +end + +describe google_compute_packet_mirroring(name: 'value_name', project: 'chef-gcp-inspec', region: ' value_region') do + it { should_not exist } +end +``` + +## Properties + +Properties that can be accessed from the `google_compute_packet_mirroring` resource: + + + * `kind`: [Output Only] Type of the resource. Always compute#packetMirroring for packet mirrorings. + + * `id`: [Output Only] The unique identifier for the resource. This identifier is defined by the server. + + * `creation_timestamp`: [Output Only] Creation timestamp in RFC3339 text format. + + * `self_link`: [Output Only] Server-defined URL for the resource. + + * `self_link_with_id`: [Output Only] Server-defined URL for this resource with the resource id. + + * `name`: Name of the resource; provided by the client when the resource is created. The name must be 1-63 characters long, and comply with RFC1035. 
Specifically, the name must be 1-63 characters long and match the regular expression `[a-z]([-a-z0-9]*[a-z0-9])?` which means the first character must be a lowercase letter, and all following characters must be a dash, lowercase letter, or digit, except the last character, which cannot be a dash. + + * `description`: An optional description of this resource. Provide this property when you create the resource. + + * `region`: [Output Only] URI of the region where the packetMirroring resides. + + * `network`: + + * `url`: URL of the network resource. + + * `canonical_url`: [Output Only] Unique identifier for the network; defined by the server. + + * `priority`: The priority of applying this configuration. Priority is used to break ties in cases where there is more than one matching rule. In the case of two rules that apply for a given Instance, the one with the lowest-numbered priority value wins. Default value is 1000. Valid range is 0 through 65535. + + * `collector_ilb`: + + * `url`: Resource URL to the forwarding rule representing the ILB configured as destination of the mirrored traffic. + + * `canonical_url`: [Output Only] Unique identifier for the forwarding rule; defined by the server. + + * `mirrored_resources`: + + * `subnetworks`: A set of subnetworks for which traffic from/to all VM instances will be mirrored. They must live in the same region as this packetMirroring. You may specify a maximum of 5 subnetworks. + + * `url`: Resource URL to the subnetwork for which traffic from/to all VM instances will be mirrored. + + * `canonical_url`: [Output Only] Unique identifier for the subnetwork; defined by the server. + + * `instances`: A set of virtual machine instances that are being mirrored. They must live in zones contained in the same region as this packetMirroring. Note that this config will apply only to those network interfaces of the Instances that belong to the network specified in this packetMirroring. You may specify a maximum of 50 Instances. 
+ + * `url`: Resource URL to the virtual machine instance which is being mirrored. + + * `canonical_url`: [Output Only] Unique identifier for the instance; defined by the server. + + * `tags`: A set of mirrored tags. Traffic from/to all VM instances that have one or more of these tags will be mirrored. + + * `filter`: + + * `cidr_ranges`: One or more IPv4 or IPv6 CIDR ranges that apply as filter on the source (ingress) or destination (egress) IP in the IP header. If no ranges are specified, all IPv4 traffic that matches the specified IPProtocols is mirrored. If neither cidrRanges nor IPProtocols is specified, all IPv4 traffic is mirrored. To mirror all IPv4 and IPv6 traffic, use "0.0.0.0/0,::/0". Note: Support for IPv6 traffic is in preview. + + * `ip_protocols`: Protocols that apply as filter on mirrored traffic. If no protocols are specified, all traffic that matches the specified CIDR ranges is mirrored. If neither cidrRanges nor IPProtocols is specified, all IPv4 traffic is mirrored. + + * `direction`: Direction of traffic to mirror, either INGRESS, EGRESS, or BOTH. The default is BOTH. + Possible values: + * BOTH + * EGRESS + * INGRESS + + * `enable`: Indicates whether or not this packet mirroring takes effect. If set to FALSE, this packet mirroring policy will not be enforced on the network. The default is TRUE. + Possible values: + * FALSE + * TRUE + + +## GCP permissions + +Ensure the [Compute Engine API](https://console.cloud.google.com/apis/library/compute.googleapis.com/) is enabled for the current project. diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_packet_mirrorings.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_packet_mirrorings.md new file mode 100644 index 0000000..617080f --- /dev/null +++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_packet_mirrorings.md 
@@ -0,0 +1,51 @@ ++++ +title = "google_compute_packet_mirrorings resource" + +draft = false + + +[menu.gcp] +title = "google_compute_packet_mirrorings" +identifier = "inspec/resources/gcp/google_compute_packet_mirrorings resource" +parent = "inspec/resources/gcp" ++++ + +Use the `google_compute_packet_mirrorings` InSpec audit resource to to test a Google Cloud PacketMirroring resource. + +## Examples + +```ruby + describe google_compute_packet_mirrorings(project: 'chef-gcp-inspec', region: ' value_region') do + it { should exist } + end +``` + +## Properties + +Properties that can be accessed from the `google_compute_packet_mirrorings` resource: + +See [google_compute_packet_mirroring](google_compute_packet_mirroring) for more detailed information. + + * `kinds`: an array of `google_compute_packet_mirroring` kind + * `ids`: an array of `google_compute_packet_mirroring` id + * `creation_timestamps`: an array of `google_compute_packet_mirroring` creation_timestamp + * `self_links`: an array of `google_compute_packet_mirroring` self_link + * `self_link_with_ids`: an array of `google_compute_packet_mirroring` self_link_with_id + * `names`: an array of `google_compute_packet_mirroring` name + * `descriptions`: an array of `google_compute_packet_mirroring` description + * `regions`: an array of `google_compute_packet_mirroring` region + * `networks`: an array of `google_compute_packet_mirroring` network + * `priorities`: an array of `google_compute_packet_mirroring` priority + * `collector_ilbs`: an array of `google_compute_packet_mirroring` collector_ilb + * `mirrored_resources`: an array of `google_compute_packet_mirroring` mirrored_resources + * `filters`: an array of `google_compute_packet_mirroring` filter + * `enables`: an array of `google_compute_packet_mirroring` enable + +## Filter criteria + +This resource supports all of the above properties as filter criteria, which can be used +with `where` as a block or a method. 
+ +## GCP permissions + +Ensure the [Compute Engine API](https://console.cloud.google.com/apis/library/compute.googleapis.com/) is enabled for the current project. diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_project_info.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_project_info.md new file mode 100644 index 0000000..d7870e3 --- /dev/null +++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_project_info.md 
@@ -0,0 +1,80 @@ ++++ +title = "google_compute_project_info resource" + +draft = false + + +[menu.gcp] +title = "google_compute_project_info" +identifier = "inspec/resources/gcp/google_compute_project_info resource" +parent = "inspec/resources/gcp" ++++ + +## Syntax + +A `google_compute_project_info` is used to test a Google ProjectInfo resource + + +## Beta Resource +This resource has beta fields available. To retrieve these fields, include `beta: true` in the constructor for the resource. + +## Examples + +```ruby +describe google_compute_project_info(project: 'chef-gcp-inspec') do + it { should exist } + its('default_service_account') { should match "developer.gserviceaccount.com" } +end +``` + +### Test that GCP compute project information exists + + describe google_compute_project_info(project: 'chef-inspec-gcp') do + it { should exist } + end + +### Test that GCP compute project default service account is as expected + + describe google_compute_project_info(project: 'chef-inspec-gcp') do + its('default_service_account') { should eq '12345-compute@developer.gserviceaccount.com' } + end + +## Properties + +Properties that can be accessed from the `google_compute_project_info` resource: + + + * `name`: The name of this project + + * `common_instance_metadata`: Metadata shared for all instances in this project + + * `items`: Array of key/values + + * `key`: Key of the metadata key/value pair + + * `value`: Value of the metadata key/value pair + + * `enabled_features`: Restricted features enabled for use on this project + + * `default_service_account`: Default service account used by VMs in this project + + * `xpn_project_status`: The role this project has in a shared VPC configuration. 
+ + * `default_network_tier`: The default network tier used for configuring resources in this project + + * `quotas`: Quotas applied to this project + + * `metric`: Name of the quota metric + + * `limit`: Quota limit for this metric + + * `usage`: Current usage of this metric + + * `owner`: Owning resource. This is the resource on which this quota is applied. + + * `creation_timestamp`: Creation timestamp in RFC3339 text format. + + +## GCP permissions + +Ensure the [Compute Engine API](https://console.cloud.google.com/apis/library/compute.googleapis.com/) is enabled for the current project. diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_public_delegated_prefix.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_public_delegated_prefix.md new file mode 100644 index 0000000..1953c75 --- /dev/null +++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_public_delegated_prefix.md 
@@ -0,0 +1,54 @@ ++++ +title = "google_compute_public_delegated_prefix resource" + +draft = false + + +[menu.gcp] +title = "google_compute_public_delegated_prefix" +identifier = "inspec/resources/gcp/google_compute_public_delegated_prefix resource" +parent = "inspec/resources/gcp" ++++ + +Use the `google_compute_public_delegated_prefix` InSpec audit resource to to test a Google Cloud PublicDelegatedPrefix resource. + +## Examples + +```ruby +describe google_compute_public_delegated_prefix(project: 'chef-gcp-inspec', region: 'us-east1-b', name: 'test') do + it { should exist } +end +``` + +## Properties + +Properties that can be accessed from the `google_compute_public_delegated_prefix` resource: + + + * `creation_timestamp`: Creation timestamp in RFC3339 text format.This field is deprecated. + + * `description`: An optional description of this resource. Provide this property when you create the resource. + + * `id`: The unique identifier for the resource. + + * `name`: Name of the resource. Provided by the client when the resource is created. The name must be 1-63 characters long, and comply with RFC1035. Specifically, the name must be 1-63 characters long and match the regular expression [a-z]([-a-z0-9]*[a-z0-9])? which means the first character must be a lowercase letter, and all following characters must be a dash, lowercase letter, or digit, except the last character, which cannot be a dash. + + * `ip_cidr_range`: The IPv4 address range, in CIDR format, represented by this public delegated prefix. + + * `parent_prefix`: The value of requestId if you provided it in the request. Not present otherwise. + + * `is_live_migration`: If true, the prefix will be live migrated. + + * `fingerprint`: Fingerprint of this resource. A hash of the contents stored in this object. This field is used in optimistic locking. This field will be ignored when inserting a new PublicDelegatedPrefix. 
An up-to-date fingerprint must be provided in order to update the PublicDelegatedPrefix, otherwise the request will fail with error 412 conditionNotMet. To see the latest fingerprint, make a get() request to retrieve a PublicDelegatedPrefix. A base64-encoded string. + + * `status`: The status of the public delegated prefix, which can be one of following values: * INITIALIZING The public delegated prefix is being initialized and addresses cannot be created yet. * READY_TO_ANNOUNCE The public delegated prefix is a live migration prefix and is active. * ANNOUNCED The public delegated prefix is active. * DELETING The public delegated prefix is being deprovsioned. + Possible values: + * INITIALIZING + * READY_TO_ANNOUNCE + * ANNOUNCED + * DELETING + + +## GCP permissions + +Ensure the [Compute Engine API](https://console.cloud.google.com/apis/library/compute.googleapis.com/) is enabled for the current project. diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_public_delegated_prefixes.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_public_delegated_prefixes.md new file mode 100644 index 0000000..82c1bbb --- /dev/null +++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_public_delegated_prefixes.md 
@@ -0,0 +1,46 @@ ++++ +title = "google_compute_public_delegated_prefixes resource" + +draft = false + + +[menu.gcp] +title = "google_compute_public_delegated_prefixes" +identifier = "inspec/resources/gcp/google_compute_public_delegated_prefixes resource" +parent = "inspec/resources/gcp" ++++ + +Use the `google_compute_public_delegated_prefixes` InSpec audit resource to to test a Google Cloud PublicDelegatedPrefix resource. + +## Examples + +```ruby +describe google_compute_public_delegated_prefixes(project: 'chef-gcp-inspec', region: 'us-east1-b') do + it { should exist } +end +``` + +## Properties + +Properties that can be accessed from the `google_compute_public_delegated_prefixes` resource: + +See [google_compute_public_delegated_prefix](google_compute_public_delegated_prefix) for more detailed information. + + * `creation_timestamps`: an array of `google_compute_public_delegated_prefix` creation_timestamp + * `descriptions`: an array of `google_compute_public_delegated_prefix` description + * `ids`: an array of `google_compute_public_delegated_prefix` id + * `names`: an array of `google_compute_public_delegated_prefix` name + * `ip_cidr_ranges`: an array of `google_compute_public_delegated_prefix` ip_cidr_range + * `parent_prefixes`: an array of `google_compute_public_delegated_prefix` parent_prefix + * `is_live_migrations`: an array of `google_compute_public_delegated_prefix` is_live_migration + * `fingerprints`: an array of `google_compute_public_delegated_prefix` fingerprint + * `statuses`: an array of `google_compute_public_delegated_prefix` status + +## Filter criteria + +This resource supports all of the above properties as filter criteria, which can be used +with `where` as a block or a method. + +## GCP permissions + +Ensure the [Compute Engine API](https://console.cloud.google.com/apis/library/compute.googleapis.com/) is enabled for the current project. 
diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_region.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_region.md
new file mode 100644
index 0000000..ed8f752
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_region.md
@@ -0,0 +1,127 @@ ++++ +title = "google_compute_region resource" + +draft = false + + +[menu.gcp] +title = "google_compute_region" +identifier = "inspec/resources/gcp/google_compute_region resource" +parent = "inspec/resources/gcp" ++++ + +## Syntax + +A `google_compute_region` is used to test a Google Region resource + + +## Beta Resource +This resource has beta fields available. To retrieve these fields, include `beta: true` in the constructor for the resource. + +## Examples + +```ruby +describe google_compute_region(project: 'chef-gcp-inspec', name: 'europe-west2') do + it { should exist } + it { should be_up } + its('zone_names') { should include "#{gcp_location}-a" } +end + +describe google_compute_region(project: 'chef-gcp-inspec', name: 'notthere') do + it { should_not exist } +end + +``` + ### Test that a GCP compute region exists +``` + describe google_compute_region(project: 'chef-inspec-gcp', region: 'europe-west2') do + it { should exist } + end +``` + ### Test that a GCP compute region is in the expected state +``` + describe google_compute_region(project: 'chef-inspec-gcp', region: 'europe-west2') do + its('status') { should eq 'UP' } + # or equivalently + it { should be_up } + end +``` + ### Test a GCP compute region identifier +``` + describe google_compute_region(project: 'chef-inspec-gcp', region: "asia-east1") do + its('id') { should eq "1220" } + end +``` + ### Check that a region is associated with the expected zone fully qualified name +``` + describe google_compute_region(project: 'chef-inspec-gcp', region: "asia-east1") do + its('zones') { should include "https://www.googleapis.com/compute/v1/projects/spaterson-project/zones/asia-east1-a" } + end +``` + ### Check that a region is associated with the expected zone short name +``` + describe google_compute_region(project: 'chef-inspec-gcp', region: "asia-east1") do + its('zone_names') { should include "asia-east1-a" } + end +``` + + The `zone_names` property is also useful for subsequently 
looping over associated `google_compute_zone` resources. For example: +``` + google_compute_region(project: 'chef-inspec-gcp', region: "asia-east1").zone_names.each do |zone_name| + describe google_compute_zone(project: 'chef-inspec-gcp', name: zone_name) do + it { should be_up } + end + end + +``` + +## Properties + +Properties that can be accessed from the `google_compute_region` resource: + + + * `creation_timestamp`: Creation timestamp in RFC3339 text format. + + * `deprecated`: The deprecation state of this resource. + + * `deleted`: An optional RFC3339 timestamp on or after which the deprecation state of this resource will be changed to DELETED. + + * `deprecated`: An optional RFC3339 timestamp on or after which the deprecation state of this resource will be changed to DEPRECATED. + + * `obsolete`: An optional RFC3339 timestamp on or after which the deprecation state of this resource will be changed to OBSOLETE. + + * `replacement`: The URL of the suggested replacement for a deprecated resource. The suggested replacement resource must be the same kind of resource as the deprecated resource. + + * `state`: The deprecation state of this resource. This can be DEPRECATED, OBSOLETE, or DELETED. Operations which create a new resource using a DEPRECATED resource will return successfully, but with a warning indicating the deprecated resource and recommending its replacement. Operations which use OBSOLETE or DELETED resources will be rejected and result in an error. + Possible values: + * DEPRECATED + * OBSOLETE + * DELETED + + * `description`: An optional description of this resource. + + * `id`: The unique identifier for the resource. + + * `name`: Name of the resource. + + * `quotas`: Quotas assigned to this region. + + * `metric`: Name of the quota metric. + + * `limit`: Quota limit for this metric. + + * `usage`: Current usage of this metric. + + * `owner`: Owning resource. This is the resource on which this quota is applied. 
+ + * `status`: Status of the region, either UP or DOWN. + Possible values: + * UP + * DOWN + + * `zones`: List of zones within the region + + +## GCP permissions + +Ensure the [Compute Engine API](https://console.cloud.google.com/apis/library/compute.googleapis.com/) is enabled for the current project. diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_region_autoscaler.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_region_autoscaler.md new file mode 100644 index 0000000..0ec6c66 --- /dev/null +++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_region_autoscaler.md 
@@ -0,0 +1,181 @@ ++++ +title = "google_compute_region_autoscaler resource" + +draft = false + + +[menu.gcp] +title = "google_compute_region_autoscaler" +identifier = "inspec/resources/gcp/google_compute_region_autoscaler resource" +parent = "inspec/resources/gcp" ++++ + +Use the `google_compute_region_autoscaler` InSpec audit resource to to test a Google Cloud RegionAutoscaler resource. + +## Examples + +```ruby +describe google_compute_region_autoscaler(name: 'value_name', project: 'chef-gcp-inspec', region: 'value_region') do + it { should exist } + its('kind') { should cmp 'value_kind' } + its('id') { should cmp 'value_id' } + its('creation_timestamp') { should cmp 'value_creationtimestamp' } + its('name') { should cmp 'value_name' } + its('description') { should cmp 'value_description' } + its('target') { should cmp 'value_target' } + its('zone') { should cmp 'value_zone' } + its('region') { should cmp 'value_region' } + its('self_link') { should cmp 'value_selflink' } + its('self_link_with_id') { should cmp 'value_selflinkwithid' } + its('status') { should cmp 'value_status' } + +end + +describe google_compute_region_autoscaler(name: 'value_name', project: 'chef-gcp-inspec', region: ' value_region') do + it { should_not exist } +end +``` + +## Properties + +Properties that can be accessed from the `google_compute_region_autoscaler` resource: + + + * `kind`: [Output Only] Type of the resource. Always compute#autoscaler for autoscalers. + + * `id`: [Output Only] The unique identifier for the resource. This identifier is defined by the server. + + * `creation_timestamp`: [Output Only] Creation timestamp in RFC3339 text format. + + * `name`: Name of the resource. Provided by the client when the resource is created. The name must be 1-63 characters long, and comply with RFC1035. 
Specifically, the name must be 1-63 characters long and match the regular expression `[a-z]([-a-z0-9]*[a-z0-9])?` which means the first character must be a lowercase letter, and all following characters must be a dash, lowercase letter, or digit, except the last character, which cannot be a dash. + + * `description`: An optional description of this resource. Provide this property when you create the resource. + + * `target`: URL of the managed instance group that this autoscaler will scale. This field is required when creating an autoscaler. + + * `autoscaling_policy`: Cloud Autoscaler policy. + + * `min_num_replicas`: The minimum number of replicas that the autoscaler can scale in to. This cannot be less than 0. If not provided, autoscaler chooses a default value depending on maximum number of instances allowed. + + * `max_num_replicas`: The maximum number of instances that the autoscaler can scale out to. This is required when creating or updating an autoscaler. The maximum number of replicas must not be lower than minimal number of replicas. + + * `scale_down_control`: Configuration that allows for slower scale in so that even if Autoscaler recommends an abrupt scale in of a MIG, it will be throttled as specified by the parameters below. + + * `max_scaled_down_replicas`: Encapsulates numeric value that can be either absolute or relative. + + * `fixed`: Specifies a fixed number of VM instances. This must be a positive integer. + + * `percent`: Specifies a percentage of instances between 0 to 100%, inclusive. For example, specify 80 for 80%. + + * `calculated`: [Output Only] Absolute value of VM instances calculated based on the specific mode. - If the value is fixed, then the calculated value is equal to the fixed value. - If the value is a percent, then the calculated value is percent/100 * targetSize. For example, the calculated value of a 80% of a managed instance group with 150 instances would be (80/100 * 150) = 120 VM instances. 
If there is a remainder, the number is rounded. + + * `time_window_sec`: How far back autoscaling looks when computing recommendations to include directives regarding slower scale in, as described above. + + * `scale_in_control`: Configuration that allows for slower scale in so that even if Autoscaler recommends an abrupt scale in of a MIG, it will be throttled as specified by the parameters below. + + * `max_scaled_in_replicas`: Encapsulates numeric value that can be either absolute or relative. + + * `fixed`: Specifies a fixed number of VM instances. This must be a positive integer. + + * `percent`: Specifies a percentage of instances between 0 to 100%, inclusive. For example, specify 80 for 80%. + + * `calculated`: [Output Only] Absolute value of VM instances calculated based on the specific mode. - If the value is fixed, then the calculated value is equal to the fixed value. - If the value is a percent, then the calculated value is percent/100 * targetSize. For example, the calculated value of a 80% of a managed instance group with 150 instances would be (80/100 * 150) = 120 VM instances. If there is a remainder, the number is rounded. + + * `time_window_sec`: How far back autoscaling looks when computing recommendations to include directives regarding slower scale in, as described above. + + * `cool_down_period_sec`: The number of seconds that your application takes to initialize on a VM instance. This is referred to as the [initialization period](/compute/docs/autoscaler#cool_down_period). Specifying an accurate initialization period improves autoscaler decisions. For example, when scaling out, the autoscaler ignores data from VMs that are still initializing because those VMs might not yet represent normal usage of your application. The default initialization period is 60 seconds. Initialization periods might vary because of numerous factors. We recommend that you test how long your application takes to initialize. 
To do this, create a VM and time your application's startup process. + + * `cpu_utilization`: CPU utilization policy. + + * `utilization_target`: The target CPU utilization that the autoscaler maintains. Must be a float value in the range (0, 1]. If not specified, the default is 0.6. If the CPU level is below the target utilization, the autoscaler scales in the number of instances until it reaches the minimum number of instances you specified or until the average CPU of your instances reaches the target utilization. If the average CPU is above the target utilization, the autoscaler scales out until it reaches the maximum number of instances you specified or until the average utilization reaches the target utilization. + + * `predictive_method`: Indicates whether predictive autoscaling based on CPU metric is enabled. Valid values are: * NONE (default). No predictive method is used. The autoscaler scales the group to meet current demand based on real-time metrics. * OPTIMIZE_AVAILABILITY. Predictive autoscaling improves availability by monitoring daily and weekly load patterns and scaling out ahead of anticipated demand. + Possible values: + * NONE + * OPTIMIZE_AVAILABILITY + * PREDICTIVE_METHOD_UNSPECIFIED + * STANDARD + + * `custom_metric_utilizations`: Configuration parameters of autoscaling based on a custom metric. + + * `metric`: The identifier (type) of the Stackdriver Monitoring metric. The metric cannot have negative values. The metric must have a value type of INT64 or DOUBLE. + + * `filter`: A filter string, compatible with a Stackdriver Monitoring filter string for TimeSeries.list API call. This filter is used to select a specific TimeSeries for the purpose of autoscaling and to determine whether the metric is exporting per-instance or per-group data. For the filter to be valid for autoscaling purposes, the following rules apply: - You can only use the AND operator for joining selectors. 
- You can only use direct equality comparison operator (=) without any functions for each selector. - You can specify the metric in both the filter string and in the metric field. However, if specified in both places, the metric must be identical. - The monitored resource type determines what kind of values are expected for the metric. If it is a gce_instance, the autoscaler expects the metric to include a separate TimeSeries for each instance in a group. In such a case, you cannot filter on resource labels. If the resource type is any other value, the autoscaler expects this metric to contain values that apply to the entire autoscaled instance group and resource label filtering can be performed to point autoscaler at the correct TimeSeries to scale upon. This is called a *per-group metric* for the purpose of autoscaling. If not specified, the type defaults to gce_instance. Try to provide a filter that is selective enough to pick just one TimeSeries for the autoscaled group or for each of the instances (if you are using gce_instance resource type). If multiple TimeSeries are returned upon the query execution, the autoscaler will sum their respective values to obtain its scaling value. + + * `utilization_target`: The target value of the metric that autoscaler maintains. This must be a positive value. A utilization metric scales number of virtual machines handling requests to increase or decrease proportionally to the metric. For example, a good metric to use as a utilization_target is https://www.googleapis.com/compute/v1/instance/network/received_bytes_count. The autoscaler works to keep this value constant for each of the instances. + + * `single_instance_assignment`: If scaling is based on a per-group metric value that represents the total amount of work to be done or resource usage, set this value to an amount assigned for a single instance of the scaled group. Autoscaler keeps the number of instances proportional to the value of this metric. 
The metric itself does not change value due to group resizing. A good metric to use with the target is for example pubsub.googleapis.com/subscription/num_undelivered_messages or a custom metric exporting the total number of requests coming to your instances. A bad example would be a metric exporting an average or median latency, since this value can't include a chunk assignable to a single instance, it could be better used with utilization_target instead. + + * `utilization_target_type`: Defines how target utilization value is expressed for a Stackdriver Monitoring metric. Either GAUGE, DELTA_PER_SECOND, or DELTA_PER_MINUTE. + Possible values: + * DELTA_PER_MINUTE + * DELTA_PER_SECOND + * GAUGE + + * `load_balancing_utilization`: Configuration parameters of autoscaling based on load balancing. + + * `utilization_target`: Fraction of backend capacity utilization (set in HTTP(S) load balancing configuration) that the autoscaler maintains. Must be a positive float value. If not defined, the default is 0.8. + + * `mode`: Defines the operating mode for this policy. The following modes are available: - OFF: Disables the autoscaler but maintains its configuration. - ONLY_SCALE_OUT: Restricts the autoscaler to add VM instances only. - ON: Enables all autoscaler activities according to its policy. For more information, see "Turning off or restricting an autoscaler" + Possible values: + * OFF + * ON + * ONLY_SCALE_OUT + * ONLY_UP + + * `scaling_schedules`: Scaling schedules defined for an autoscaler. Multiple schedules can be set on an autoscaler, and they can overlap. During overlapping periods the greatest min_required_replicas of all scaling schedules is applied. Up to 128 scaling schedules are allowed. + + * `additional_properties`: Scaling based on user-defined schedule. The message describes a single scaling schedule. A scaling schedule changes the minimum number of VM instances an autoscaler can recommend, which can trigger scaling out. 
+ + * `zone`: [Output Only] URL of the zone where the instance group resides (for autoscalers living in zonal scope). + + * `region`: [Output Only] URL of the region where the instance group resides (for autoscalers living in regional scope). + + * `self_link`: [Output Only] Server-defined URL for the resource. + + * `self_link_with_id`: [Output Only] Server-defined URL for this resource with the resource id. + + * `status`: [Output Only] The status of the autoscaler configuration. Current set of possible values: - PENDING: Autoscaler backend hasn't read new/updated configuration. - DELETING: Configuration is being deleted. - ACTIVE: Configuration is acknowledged to be effective. Some warnings might be present in the statusDetails field. - ERROR: Configuration has errors. Actionable for users. Details are present in the statusDetails field. New values might be added in the future. + Possible values: + * ACTIVE + * DELETING + * ERROR + * PENDING + + * `status_details`: [Output Only] Human-readable details about the current state of the autoscaler. Read the documentation for Commonly returned status messages for examples of status messages you might encounter. + + * `message`: The status message. + + * `type`: The type of error, warning, or notice returned. Current set of possible values: - ALL_INSTANCES_UNHEALTHY (WARNING): All instances in the instance group are unhealthy (not in RUNNING state). - BACKEND_SERVICE_DOES_NOT_EXIST (ERROR): There is no backend service attached to the instance group. - CAPPED_AT_MAX_NUM_REPLICAS (WARNING): Autoscaler recommends a size greater than maxNumReplicas. - CUSTOM_METRIC_DATA_POINTS_TOO_SPARSE (WARNING): The custom metric samples are not exported often enough to be a credible base for autoscaling. - CUSTOM_METRIC_INVALID (ERROR): The custom metric that was specified does not exist or does not have the necessary labels. - MIN_EQUALS_MAX (WARNING): The minNumReplicas is equal to maxNumReplicas. 
This means the autoscaler cannot add or remove instances from the instance group. - MISSING_CUSTOM_METRIC_DATA_POINTS (WARNING): The autoscaler did not receive any data from the custom metric configured for autoscaling. - MISSING_LOAD_BALANCING_DATA_POINTS (WARNING): The autoscaler is configured to scale based on a load balancing signal but the instance group has not received any requests from the load balancer. - MODE_OFF (WARNING): Autoscaling is turned off. The number of instances in the group won't change automatically. The autoscaling configuration is preserved. - MODE_ONLY_UP (WARNING): Autoscaling is in the "Autoscale only out" mode. The autoscaler can add instances but not remove any. - MORE_THAN_ONE_BACKEND_SERVICE (ERROR): The instance group cannot be autoscaled because it has more than one backend service attached to it. - NOT_ENOUGH_QUOTA_AVAILABLE (ERROR): There is insufficient quota for the necessary resources, such as CPU or number of instances. - REGION_RESOURCE_STOCKOUT (ERROR): Shown only for regional autoscalers: there is a resource stockout in the chosen region. - SCALING_TARGET_DOES_NOT_EXIST (ERROR): The target to be scaled does not exist. - UNSUPPORTED_MAX_RATE_LOAD_BALANCING_CONFIGURATION (ERROR): Autoscaling does not work with an HTTP/S load balancer that has been configured for maxRate. - ZONE_RESOURCE_STOCKOUT (ERROR): For zonal autoscalers: there is a resource stockout in the chosen zone. For regional autoscalers: in at least one of the zones you're using there is a resource stockout. New values might be added in the future. Some of the values might not be available in all API versions. 
+ Possible values: + * ALL_INSTANCES_UNHEALTHY + * BACKEND_SERVICE_DOES_NOT_EXIST + * CAPPED_AT_MAX_NUM_REPLICAS + * CUSTOM_METRIC_DATA_POINTS_TOO_SPARSE + * CUSTOM_METRIC_INVALID + * MIN_EQUALS_MAX + * MISSING_CUSTOM_METRIC_DATA_POINTS + * MISSING_LOAD_BALANCING_DATA_POINTS + * MODE_OFF + * MODE_ONLY_SCALE_OUT + * MODE_ONLY_UP + * MORE_THAN_ONE_BACKEND_SERVICE + * NOT_ENOUGH_QUOTA_AVAILABLE + * REGION_RESOURCE_STOCKOUT + * SCALING_TARGET_DOES_NOT_EXIST + * SCHEDULED_INSTANCES_GREATER_THAN_AUTOSCALER_MAX + * SCHEDULED_INSTANCES_LESS_THAN_AUTOSCALER_MIN + * UNKNOWN + * UNSUPPORTED_MAX_RATE_LOAD_BALANCING_CONFIGURATION + * ZONE_RESOURCE_STOCKOUT + + * `recommended_size`: [Output Only] Target recommended MIG size (number of instances) computed by autoscaler. Autoscaler calculates the recommended MIG size even when the autoscaling policy mode is different from ON. This field is empty when autoscaler is not connected to an existing managed instance group or autoscaler did not generate its prediction. + + * `scaling_schedule_status`: [Output Only] Status information of existing scaling schedules. + + * `additional_properties`: + + +## GCP permissions + +Ensure the [Compute Engine API](https://console.cloud.google.com/apis/library/compute.googleapis.com/) is enabled for the current project. diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_region_autoscalers.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_region_autoscalers.md new file mode 100644 index 0000000..0e5f896 --- /dev/null +++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_region_autoscalers.md 
@@ -0,0 +1,52 @@ ++++ +title = "google_compute_region_autoscalers resource" + +draft = false + + +[menu.gcp] +title = "google_compute_region_autoscalers" +identifier = "inspec/resources/gcp/google_compute_region_autoscalers resource" +parent = "inspec/resources/gcp" ++++ + +Use the `google_compute_region_autoscalers` InSpec audit resource to to test a Google Cloud RegionAutoscaler resource. + +## Examples + +```ruby + describe google_compute_region_autoscalers(project: 'chef-gcp-inspec', region: ' value_region') do + it { should exist } + end +``` + +## Properties + +Properties that can be accessed from the `google_compute_region_autoscalers` resource: + +See [google_compute_region_autoscaler](google_compute_region_autoscaler) for more detailed information. + + * `kinds`: an array of `google_compute_region_autoscaler` kind + * `ids`: an array of `google_compute_region_autoscaler` id + * `creation_timestamps`: an array of `google_compute_region_autoscaler` creation_timestamp + * `names`: an array of `google_compute_region_autoscaler` name + * `descriptions`: an array of `google_compute_region_autoscaler` description + * `targets`: an array of `google_compute_region_autoscaler` target + * `autoscaling_policies`: an array of `google_compute_region_autoscaler` autoscaling_policy + * `zones`: an array of `google_compute_region_autoscaler` zone + * `regions`: an array of `google_compute_region_autoscaler` region + * `self_links`: an array of `google_compute_region_autoscaler` self_link + * `self_link_with_ids`: an array of `google_compute_region_autoscaler` self_link_with_id + * `statuses`: an array of `google_compute_region_autoscaler` status + * `status_details`: an array of `google_compute_region_autoscaler` status_details + * `recommended_sizes`: an array of `google_compute_region_autoscaler` recommended_size + * `scaling_schedule_statuses`: an array of `google_compute_region_autoscaler` scaling_schedule_status + +## Filter criteria + +This resource supports all of 
the above properties as filter criteria, which can be used +with `where` as a block or a method. + +## GCP permissions + +Ensure the [Compute Engine API](https://console.cloud.google.com/apis/library/compute.googleapis.com/) is enabled for the current project. diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_region_backend_service.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_region_backend_service.md new file mode 100644 index 0000000..cbd9ff3 --- /dev/null +++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_region_backend_service.md 
@@ -0,0 +1,257 @@ ++++ +title = "google_compute_region_backend_service resource" + +draft = false + + +[menu.gcp] +title = "google_compute_region_backend_service" +identifier = "inspec/resources/gcp/google_compute_region_backend_service resource" +parent = "inspec/resources/gcp" ++++ + +## Syntax + +A `google_compute_region_backend_service` is used to test a Google RegionBackendService resource + + +## Beta Resource +This resource has beta fields available. To retrieve these fields, include `beta: true` in the constructor for the resource. + +## Examples + +```ruby +describe google_compute_region_backend_service(project: 'chef-gcp-inspec', region: 'europe-west2', name: 'inspec-gcp-region-backend-service') do + it { should exist } + its('description') { should eq 'A regional description' } + its('protocol') { should eq 'TCP' } + its('timeout_sec') { should eq '15' } +end + +describe google_compute_region_backend_service(project: 'chef-gcp-inspec', region: 'europe-west2', name: 'nonexistent') do + it { should_not exist } +end +``` + +## Properties + +Properties that can be accessed from the `google_compute_region_backend_service` resource: + + + * `affinity_cookie_ttl_sec`: Lifetime of cookies in seconds if session_affinity is GENERATED_COOKIE. If set to 0, the cookie is non-persistent and lasts only until the end of the browser session (or equivalent). The maximum allowed value for TTL is one day. When the load balancing scheme is INTERNAL, this field is not used. + + * `backends`: The set of backends that serve this RegionBackendService. + + * `balancing_mode`: Specifies the balancing mode for this backend. + Possible values: + * UTILIZATION + * RATE + * CONNECTION + + * `capacity_scaler`: A multiplier applied to the group's maximum servicing capacity (based on UTILIZATION, RATE or CONNECTION). ~>**NOTE**: This field cannot be set for INTERNAL region backend services (default loadBalancingScheme), but is required for non-INTERNAL backend service. 
The total capacity_scaler for all backends must be non-zero. A setting of 0 means the group is completely drained, offering 0% of its available Capacity. Valid range is [0.0,1.0]. + + * `description`: An optional description of this resource. Provide this property when you create the resource. + + * `failover`: This field designates whether this is a failover backend. More than one failover backend can be configured for a given RegionBackendService. + + * `group`: The fully-qualified URL of an Instance Group or Network Endpoint Group resource. In case of instance group this defines the list of instances that serve traffic. Member virtual machine instances from each instance group must live in the same zone as the instance group itself. No two backends in a backend service are allowed to use same Instance Group resource. For Network Endpoint Groups this defines list of endpoints. All endpoints of Network Endpoint Group must be hosted on instances located in the same zone as the Network Endpoint Group. Backend services cannot mix Instance Group and Network Endpoint Group backends. When the `load_balancing_scheme` is INTERNAL, only instance groups are supported. Note that you must specify an Instance Group or Network Endpoint Group resource using the fully-qualified URL, rather than a partial URL. + + * `max_connections`: The max number of simultaneous connections for the group. Can be used with either CONNECTION or UTILIZATION balancing modes. Cannot be set for INTERNAL backend services. For CONNECTION mode, either maxConnections or one of maxConnectionsPerInstance or maxConnectionsPerEndpoint, as appropriate for group type, must be set. + + * `max_connections_per_instance`: The max number of simultaneous connections that a single backend instance can handle. Cannot be set for INTERNAL backend services. This is used to calculate the capacity of the group. Can be used in either CONNECTION or UTILIZATION balancing modes. 
For CONNECTION mode, either maxConnections or maxConnectionsPerInstance must be set. + + * `max_connections_per_endpoint`: The max number of simultaneous connections that a single backend network endpoint can handle. Cannot be set for INTERNAL backend services. This is used to calculate the capacity of the group. Can be used in either CONNECTION or UTILIZATION balancing modes. For CONNECTION mode, either maxConnections or maxConnectionsPerEndpoint must be set. + + * `max_rate`: The max requests per second (RPS) of the group. Cannot be set for INTERNAL backend services. Can be used with either RATE or UTILIZATION balancing modes, but required if RATE mode. Either maxRate or one of maxRatePerInstance or maxRatePerEndpoint, as appropriate for group type, must be set. + + * `max_rate_per_instance`: The max requests per second (RPS) that a single backend instance can handle. This is used to calculate the capacity of the group. Can be used in either balancing mode. For RATE mode, either maxRate or maxRatePerInstance must be set. Cannot be set for INTERNAL backend services. + + * `max_rate_per_endpoint`: The max requests per second (RPS) that a single backend network endpoint can handle. This is used to calculate the capacity of the group. Can be used in either balancing mode. For RATE mode, either maxRate or maxRatePerEndpoint must be set. Cannot be set for INTERNAL backend services. + + * `max_utilization`: Used when balancingMode is UTILIZATION. This ratio defines the CPU utilization target for the group. Valid range is [0.0, 1.0]. Cannot be set for INTERNAL backend services. + + * `circuit_breakers`: Settings controlling the volume of connections to a backend service. This field is applicable only when the `load_balancing_scheme` is set to INTERNAL_MANAGED and the `protocol` is set to HTTP, HTTPS, or HTTP2. + + * `connect_timeout`: (Beta only) The timeout for new network connections to hosts. + + * `seconds`: Span of time at a resolution of a second. 
Must be from 0 to 315,576,000,000 inclusive. + + * `nanos`: Span of time that's a fraction of a second at nanosecond resolution. Durations less than one second are represented with a 0 seconds field and a positive nanos field. Must be from 0 to 999,999,999 inclusive. + + * `max_requests_per_connection`: Maximum requests for a single backend connection. This parameter is respected by both the HTTP/1.1 and HTTP/2 implementations. If not specified, there is no limit. Setting this parameter to 1 will effectively disable keep alive. + + * `max_connections`: The maximum number of connections to the backend cluster. Defaults to 1024. + + * `max_pending_requests`: The maximum number of pending requests to the backend cluster. Defaults to 1024. + + * `max_requests`: The maximum number of parallel requests to the backend cluster. Defaults to 1024. + + * `max_retries`: The maximum number of parallel retries to the backend cluster. Defaults to 3. + + * `consistent_hash`: Consistent Hash-based load balancing can be used to provide soft session affinity based on HTTP headers, cookies or other properties. This load balancing policy is applicable only for HTTP connections. The affinity to a particular destination host will be lost when one or more hosts are added/removed from the destination service. This field specifies parameters that control consistent hashing. This field only applies when all of the following are true - * `load_balancing_scheme` is set to INTERNAL_MANAGED * `protocol` is set to HTTP, HTTPS, or HTTP2 * `locality_lb_policy` is set to MAGLEV or RING_HASH + + * `http_cookie`: Hash is based on HTTP Cookie. This field describes a HTTP cookie that will be used as the hash key for the consistent hash load balancer. If the cookie is not present, it will be generated. This field is applicable if the sessionAffinity is set to HTTP_COOKIE. + + * `ttl`: Lifetime of the cookie. + + * `seconds`: Span of time at a resolution of a second. 
Must be from 0 to 315,576,000,000 inclusive. + + * `nanos`: Span of time that's a fraction of a second at nanosecond resolution. Durations less than one second are represented with a 0 seconds field and a positive nanos field. Must be from 0 to 999,999,999 inclusive. + + * `name`: Name of the cookie. + + * `path`: Path to set for the cookie. + + * `http_header_name`: The hash based on the value of the specified header field. This field is applicable if the sessionAffinity is set to HEADER_FIELD. + + * `minimum_ring_size`: The minimum number of virtual nodes to use for the hash ring. Larger ring sizes result in more granular load distributions. If the number of hosts in the load balancing pool is larger than the ring size, each host will be assigned a single virtual node. Defaults to 1024. + + * `cdn_policy`: Cloud CDN configuration for this BackendService. + + * `cache_key_policy`: The CacheKeyPolicy for this CdnPolicy. + + * `include_host`: If true requests to different hosts will be cached separately. + + * `include_protocol`: If true, http and https requests will be cached separately. + + * `include_query_string`: If true, include query string parameters in the cache key according to query_string_whitelist and query_string_blacklist. If neither is set, the entire query string will be included. If false, the query string will be excluded from the cache key entirely. + + * `query_string_blacklist`: Names of query string parameters to exclude in cache keys. All other parameters will be included. Either specify query_string_whitelist or query_string_blacklist, not both. '&' and '=' will be percent encoded and not treated as delimiters. + + * `query_string_whitelist`: Names of query string parameters to include in cache keys. All other parameters will be excluded. Either specify query_string_whitelist or query_string_blacklist, not both. '&' and '=' will be percent encoded and not treated as delimiters. 
+ + * `signed_url_cache_max_age_sec`: Maximum number of seconds the response to a signed URL request will be considered fresh, defaults to 1hr (3600s). After this time period, the response will be revalidated before being served. When serving responses to signed URL requests, Cloud CDN will internally behave as though all responses from this backend had a "Cache-Control: public, max-age=[TTL]" header, regardless of any existing Cache-Control header. The actual headers served in responses will not be altered. + + * `default_ttl`: (Beta only) Specifies the default TTL for cached content served by this origin for responses that do not have an existing valid TTL (max-age or s-max-age). + + * `max_ttl`: (Beta only) Specifies the maximum allowed TTL for cached content served by this origin. + + * `client_ttl`: (Beta only) Specifies the maximum allowed TTL for cached content served by this origin. + + * `negative_caching`: (Beta only) Negative caching allows per-status code TTLs to be set, in order to apply fine-grained caching for common errors or redirects. + + * `negative_caching_policy`: (Beta only) Sets a cache TTL for the specified HTTP status code. negativeCaching must be enabled to configure negativeCachingPolicy. Omitting the policy and leaving negativeCaching enabled will use Cloud CDN's default cache TTLs. + + * `code`: (Beta only) The HTTP status code to define a TTL against. Only HTTP status codes 300, 301, 308, 404, 405, 410, 421, 451 and 501 can be specified as values, and you cannot specify a status code more than once. + + * `ttl`: (Beta only) The TTL (in seconds) for which to cache responses with the corresponding status code. The maximum allowed value is 1800s (30 minutes), noting that infrequently accessed objects may be evicted from the cache before the defined TTL. + + * `cache_mode`: (Beta only) Specifies the cache setting for all responses from this backend. 
The possible values are: USE_ORIGIN_HEADERS, FORCE_CACHE_ALL and CACHE_ALL_STATIC + Possible values: + * USE_ORIGIN_HEADERS + * FORCE_CACHE_ALL + * CACHE_ALL_STATIC + + * `serve_while_stale`: (Beta only) Serve existing content from the cache (if available) when revalidating content with the origin, or when an error is encountered when refreshing the cache. + + * `connection_draining`: Settings for connection draining + + * `draining_timeout_sec`: Time for which instance will be drained (not accept new connections, but still work to finish started). + + * `creation_timestamp`: Creation timestamp in RFC3339 text format. + + * `description`: An optional description of this resource. + + * `failover_policy`: Policy for failovers. + + * `disable_connection_drain_on_failover`: On failover or failback, this field indicates whether connection drain will be honored. Setting this to true has the following effect: connections to the old active pool are not drained. Connections to the new active pool use the timeout of 10 min (currently fixed). Setting to false has the following effect: both old and new connections will have a drain timeout of 10 min. This can be set to true only if the protocol is TCP. The default is false. + + * `drop_traffic_if_unhealthy`: This option is used only when no healthy VMs are detected in the primary and backup instance groups. When set to true, traffic is dropped. When set to false, new connections are sent across all VMs in the primary group. The default is false. + + * `failover_ratio`: The value of the field must be in [0, 1]. If the ratio of the healthy VMs in the primary backend is at or below this number, traffic arriving at the load-balanced IP will be directed to the failover backend. 
In case where 'failoverRatio' is not set or all the VMs in the backup backend are unhealthy, the traffic will be directed back to the primary backend in the "force" mode, where traffic will be spread to the healthy VMs with the best effort, or to all VMs when no VM is healthy. This field is only used with l4 load balancing. + + * `enable_cdn`: If true, enable Cloud CDN for this RegionBackendService. + + * `fingerprint`: Fingerprint of this resource. A hash of the contents stored in this object. This field is used in optimistic locking. + + * `health_checks`: The set of URLs to HealthCheck resources for health checking this RegionBackendService. Currently at most one health check can be specified. A health check must be specified unless the backend service uses an internet or serverless NEG as a backend. + + * `id`: The unique identifier for the resource. + + * `load_balancing_scheme`: Indicates what kind of load balancing this regional backend service will be used for. A backend service created for one type of load balancing cannot be used with the other(s). + Possible values: + * EXTERNAL + * INTERNAL + * INTERNAL_MANAGED + + * `locality_lb_policy`: The load balancing algorithm used within the scope of the locality. The possible values are - * ROUND_ROBIN - This is a simple policy in which each healthy backend is selected in round robin order. * LEAST_REQUEST - An O(1) algorithm which selects two random healthy hosts and picks the host which has fewer active requests. * RING_HASH - The ring/modulo hash load balancer implements consistent hashing to backends. The algorithm has the property that the addition/removal of a host from a set of N hosts only affects 1/N of the requests. * RANDOM - The load balancer selects a random healthy host. 
* ORIGINAL_DESTINATION - Backend host is selected based on the client connection metadata, i.e., connections are opened to the same address as the destination address of the incoming connection before the connection was redirected to the load balancer. * MAGLEV - used as a drop in replacement for the ring hash load balancer. Maglev is not as stable as ring hash but has faster table lookup build times and host selection times. For more information about Maglev, refer to https://ai.google/research/pubs/pub44824 This field is applicable only when the `load_balancing_scheme` is set to INTERNAL_MANAGED and the `protocol` is set to HTTP, HTTPS, or HTTP2. + Possible values: + * ROUND_ROBIN + * LEAST_REQUEST + * RING_HASH + * RANDOM + * ORIGINAL_DESTINATION + * MAGLEV + + * `name`: Name of the resource. Provided by the client when the resource is created. The name must be 1-63 characters long, and comply with RFC1035. Specifically, the name must be 1-63 characters long and match the regular expression `[a-z]([-a-z0-9]*[a-z0-9])?` which means the first character must be a lowercase letter, and all following characters must be a dash, lowercase letter, or digit, except the last character, which cannot be a dash. + + * `outlier_detection`: Settings controlling eviction of unhealthy hosts from the load balancing pool. This field is applicable only when the `load_balancing_scheme` is set to INTERNAL_MANAGED and the `protocol` is set to HTTP, HTTPS, or HTTP2. + + * `base_ejection_time`: The base time that a host is ejected for. The real time is equal to the base time multiplied by the number of times the host has been ejected. Defaults to 30000ms or 30s. + + * `seconds`: Span of time at a resolution of a second. Must be from 0 to 315,576,000,000 inclusive. + + * `nanos`: Span of time that's a fraction of a second at nanosecond resolution. Durations less than one second are represented with a 0 `seconds` field and a positive `nanos` field. Must be from 0 to 999,999,999 inclusive. 
+ + * `consecutive_errors`: Number of errors before a host is ejected from the connection pool. When the backend host is accessed over HTTP, a 5xx return code qualifies as an error. Defaults to 5. + + * `consecutive_gateway_failure`: The number of consecutive gateway failures (502, 503, 504 status or connection errors that are mapped to one of those status codes) before a consecutive gateway failure ejection occurs. Defaults to 5. + + * `enforcing_consecutive_errors`: The percentage chance that a host will be actually ejected when an outlier status is detected through consecutive 5xx. This setting can be used to disable ejection or to ramp it up slowly. Defaults to 100. + + * `enforcing_consecutive_gateway_failure`: The percentage chance that a host will be actually ejected when an outlier status is detected through consecutive gateway failures. This setting can be used to disable ejection or to ramp it up slowly. Defaults to 0. + + * `enforcing_success_rate`: The percentage chance that a host will be actually ejected when an outlier status is detected through success rate statistics. This setting can be used to disable ejection or to ramp it up slowly. Defaults to 100. + + * `interval`: Time interval between ejection sweep analysis. This can result in both new ejections as well as hosts being returned to service. Defaults to 10 seconds. + + * `seconds`: Span of time at a resolution of a second. Must be from 0 to 315,576,000,000 inclusive. + + * `nanos`: Span of time that's a fraction of a second at nanosecond resolution. Durations less than one second are represented with a 0 `seconds` field and a positive `nanos` field. Must be from 0 to 999,999,999 inclusive. + + * `max_ejection_percent`: Maximum percentage of hosts in the load balancing pool for the backend service that can be ejected. Defaults to 10%. + + * `success_rate_minimum_hosts`: The number of hosts in a cluster that must have enough request volume to detect success rate outliers. 
If the number of hosts is less than this setting, outlier detection via success rate statistics is not performed for any host in the cluster. Defaults to 5. + + * `success_rate_request_volume`: The minimum number of total requests that must be collected in one interval (as defined by the interval duration above) to include this host in success rate based outlier detection. If the volume is lower than this setting, outlier detection via success rate statistics is not performed for that host. Defaults to 100. + + * `success_rate_stdev_factor`: This factor is used to determine the ejection threshold for success rate outlier ejection. The ejection threshold is the difference between the mean success rate, and the product of this factor and the standard deviation of the mean success rate: mean - (stdev * success_rate_stdev_factor). This factor is divided by a thousand to get a double. That is, if the desired factor is 1.9, the runtime value should be 1900. Defaults to 1900. + + * `port_name`: A named port on a backend instance group representing the port for communication to the backend VMs in that group. Required when the loadBalancingScheme is EXTERNAL, INTERNAL_MANAGED, or INTERNAL_SELF_MANAGED and the backends are instance groups. The named port must be defined on each backend instance group. This parameter has no meaning if the backends are NEGs. API sets a default of "http" if not given. Must be omitted when the loadBalancingScheme is INTERNAL (Internal TCP/UDP Load Balancing). + + * `protocol`: The protocol this RegionBackendService uses to communicate with backends. The default is HTTP. **NOTE**: HTTP2 is only valid for beta HTTP/2 load balancer types and may result in errors if used with the GA API. + Possible values: + * HTTP + * HTTPS + * HTTP2 + * SSL + * TCP + * UDP + * GRPC + + * `session_affinity`: Type of session affinity to use. The default is NONE. Session affinity is not applicable if the protocol is UDP. 
+ Possible values: + * NONE + * CLIENT_IP + * CLIENT_IP_PORT_PROTO + * CLIENT_IP_PROTO + * GENERATED_COOKIE + * HEADER_FIELD + * HTTP_COOKIE + + * `timeout_sec`: How many seconds to wait for the backend before considering it a failed request. Default is 30 seconds. Valid range is [1, 86400]. + + * `log_config`: This field denotes the logging options for the load balancer traffic served by this backend service. If logging is enabled, logs will be exported to Stackdriver. + + * `enable`: Whether to enable logging for the load balancer traffic served by this backend service. + + * `sample_rate`: This field can only be specified if logging is enabled for this backend service. The value of the field must be in [0, 1]. This configures the sampling rate of requests to the load balancer where 1.0 means all logged requests are reported and 0.0 means no logged requests are reported. The default value is 1.0. + + * `network`: The URL of the network to which this backend service belongs. This field can only be specified when the load balancing scheme is set to INTERNAL. + + * `region`: A reference to the region where the regional backend service resides. + + +## GCP permissions + +Ensure the [Compute Engine API](https://console.cloud.google.com/apis/library/compute.googleapis.com/) is enabled for the current project. diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_region_backend_services.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_region_backend_services.md new file mode 100644 index 0000000..d16b1c4 --- /dev/null +++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_region_backend_services.md 
@@ -0,0 +1,70 @@ ++++ +title = "google_compute_region_backend_services resource" + +draft = false + + +[menu.gcp] +title = "google_compute_region_backend_services" +identifier = "inspec/resources/gcp/google_compute_region_backend_services resource" +parent = "inspec/resources/gcp" ++++ + +## Syntax + +A `google_compute_region_backend_services` is used to test a Google RegionBackendService resource + + +## Beta Resource +This resource has beta fields available. To retrieve these fields, include `beta: true` in the constructor for the resource. + +## Examples + +```ruby +describe google_compute_region_backend_services(project: 'chef-gcp-inspec', region: 'europe-west2') do + its('count') { should be >= 1 } + its('names') { should include 'inspec-gcp-region-backend-service' } + its('protocols') { should include 'TCP' } + its('timeout_secs') { should include '15' } +end +``` + +## Properties + +Properties that can be accessed from the `google_compute_region_backend_services` resource: + +See [google_compute_region_backend_service](google_compute_region_backend_service) for more detailed information. 
+ + * `affinity_cookie_ttl_secs`: an array of `google_compute_region_backend_service` affinity_cookie_ttl_sec + * `backends`: an array of `google_compute_region_backend_service` backends + * `circuit_breakers`: an array of `google_compute_region_backend_service` circuit_breakers + * `consistent_hashes`: an array of `google_compute_region_backend_service` consistent_hash + * `cdn_policies`: an array of `google_compute_region_backend_service` cdn_policy + * `connection_drainings`: an array of `google_compute_region_backend_service` connection_draining + * `creation_timestamps`: an array of `google_compute_region_backend_service` creation_timestamp + * `descriptions`: an array of `google_compute_region_backend_service` description + * `failover_policies`: an array of `google_compute_region_backend_service` failover_policy + * `enable_cdns`: an array of `google_compute_region_backend_service` enable_cdn + * `fingerprints`: an array of `google_compute_region_backend_service` fingerprint + * `health_checks`: an array of `google_compute_region_backend_service` health_checks + * `ids`: an array of `google_compute_region_backend_service` id + * `load_balancing_schemes`: an array of `google_compute_region_backend_service` load_balancing_scheme + * `locality_lb_policies`: an array of `google_compute_region_backend_service` locality_lb_policy + * `names`: an array of `google_compute_region_backend_service` name + * `outlier_detections`: an array of `google_compute_region_backend_service` outlier_detection + * `port_names`: an array of `google_compute_region_backend_service` port_name + * `protocols`: an array of `google_compute_region_backend_service` protocol + * `session_affinities`: an array of `google_compute_region_backend_service` session_affinity + * `timeout_secs`: an array of `google_compute_region_backend_service` timeout_sec + * `log_configs`: an array of `google_compute_region_backend_service` log_config + * `networks`: an array of 
`google_compute_region_backend_service` network + * `regions`: an array of `google_compute_region_backend_service` region + +## Filter criteria + +This resource supports all of the above properties as filter criteria, which can be used +with `where` as a block or a method. + +## GCP permissions + +Ensure the [Compute Engine API](https://console.cloud.google.com/apis/library/compute.googleapis.com/) is enabled for the current project. diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_region_commitment.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_region_commitment.md new file mode 100644 index 0000000..ef089d6 --- /dev/null +++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_region_commitment.md 
@@ -0,0 +1,321 @@ ++++ +title = "google_compute_region_commitment resource" + +draft = false + + +[menu.gcp] +title = "google_compute_region_commitment" +identifier = "inspec/resources/gcp/google_compute_region_commitment resource" +parent = "inspec/resources/gcp" ++++ + +Use the `google_compute_region_commitment` InSpec audit resource to to test a Google Cloud RegionCommitment resource. + +## Examples + +```ruby +describe google_compute_region_commitment(name: ' value_name', project: 'chef-gcp-inspec', region: ' value_region') do + it { should exist } + its('kind') { should cmp 'value_kind' } + its('id') { should cmp 'value_id' } + its('creation_timestamp') { should cmp 'value_creationtimestamp' } + its('name') { should cmp 'value_name' } + its('description') { should cmp 'value_description' } + its('region') { should cmp 'value_region' } + its('self_link') { should cmp 'value_selflink' } + its('self_link_with_id') { should cmp 'value_selflinkwithid' } + its('status') { should cmp 'value_status' } + its('status_message') { should cmp 'value_statusmessage' } + its('plan') { should cmp 'value_plan' } + its('start_timestamp') { should cmp 'value_starttimestamp' } + its('end_timestamp') { should cmp 'value_endtimestamp' } + its('type') { should cmp 'value_type' } + its('category') { should cmp 'value_category' } + its('split_source_commitment') { should cmp 'value_splitsourcecommitment' } + +end + +describe google_compute_region_commitment(name: ' ', project: 'chef-gcp-inspec', region: ' value_region') do + it { should_not exist } +end +``` + +## Properties + +Properties that can be accessed from the `google_compute_region_commitment` resource: + + + * `kind`: [Output Only] Type of the resource. Always compute#commitment for commitments. + + * `id`: [Output Only] The unique identifier for the resource. This identifier is defined by the server. + + * `creation_timestamp`: [Output Only] Creation timestamp in RFC3339 text format. + + * `name`: Name of the resource. 
Provided by the client when the resource is created. The name must be 1-63 characters long, and comply with RFC1035. Specifically, the name must be 1-63 characters long and match the regular expression `[a-z]([-a-z0-9]*[a-z0-9])?` which means the first character must be a lowercase letter, and all following characters must be a dash, lowercase letter, or digit, except the last character, which cannot be a dash. + + * `description`: An optional description of this resource. Provide this property when you create the resource. + + * `region`: [Output Only] URL of the region where this commitment may be used. + + * `self_link`: [Output Only] Server-defined URL for the resource. + + * `self_link_with_id`: [Output Only] Server-defined URL for this resource with the resource id. + + * `status`: [Output Only] Status of the commitment with regards to eventual expiration (each commitment has an end date defined). One of the following values: NOT_YET_ACTIVE, ACTIVE, EXPIRED. + Possible values: + * ACTIVE + * CANCELED_EARLY_TERMINATION + * CANCELING + * CANCELLED + * CREATING + * EXPIRED + * NOT_YET_ACTIVE + + * `status_message`: [Output Only] An optional, human-readable explanation of the status. + + * `plan`: The plan for this commitment, which determines duration and discount rate. The currently supported plans are TWELVE_MONTH (1 year), and THIRTY_SIX_MONTH (3 years). + Possible values: + * INVALID + * THIRTY_SIX_MONTH + * TWELVE_MONTH + + * `start_timestamp`: [Output Only] Commitment start time in RFC3339 text format. + + * `end_timestamp`: [Output Only] Commitment end time in RFC3339 text format. + + * `resources`: A list of commitment amounts for particular resources. Note that VCPU and MEMORY resource commitments must occur together. + + * `type`: Type of resource for which this commitment applies. Possible values are VCPU, MEMORY, LOCAL_SSD, and ACCELERATOR. 
+ Possible values: + * ACCELERATOR + * LOCAL_SSD + * MEMORY + * UNSPECIFIED + * VCPU + + * `amount`: The amount of the resource purchased (in a type-dependent unit, such as bytes). For vCPUs, this can just be an integer. For memory, this must be provided in MB. Memory must be a multiple of 256 MB, with up to 6.5GB of memory per every vCPU. + + * `accelerator_type`: Name of the accelerator type resource. Applicable only when the type is ACCELERATOR. + + * `type`: The type of commitment, which affects the discount rate and the eligible resources. Type MEMORY_OPTIMIZED specifies a commitment that will only apply to memory optimized machines. Type ACCELERATOR_OPTIMIZED specifies a commitment that will only apply to accelerator optimized machines. + Possible values: + * ACCELERATOR_OPTIMIZED + * ACCELERATOR_OPTIMIZED_A3 + * COMPUTE_OPTIMIZED + * COMPUTE_OPTIMIZED_C2D + * COMPUTE_OPTIMIZED_C3 + * COMPUTE_OPTIMIZED_C3D + * COMPUTE_OPTIMIZED_H3 + * GENERAL_PURPOSE + * GENERAL_PURPOSE_E2 + * GENERAL_PURPOSE_N2 + * GENERAL_PURPOSE_N2D + * GENERAL_PURPOSE_N4 + * GENERAL_PURPOSE_T2D + * GRAPHICS_OPTIMIZED + * MEMORY_OPTIMIZED + * MEMORY_OPTIMIZED_M3 + * STORAGE_OPTIMIZED_Z3 + * TYPE_UNSPECIFIED + + * `reservations`: List of create-on-create reservations for this commitment. + + * `kind`: [Output Only] Type of the resource. Always compute#reservations for reservations. + + * `id`: [Output Only] The unique identifier for the resource. This identifier is defined by the server. + + * `creation_timestamp`: [Output Only] Creation timestamp in RFC3339 text format. + + * `self_link`: [Output Only] Server-defined fully-qualified URL for this resource. + + * `self_link_with_id`: [Output Only] Server-defined URL for this resource with the resource id. + + * `zone`: Zone in which the reservation resides. A zone must be provided if the reservation is created within a commitment. + + * `description`: An optional description of this resource. 
Provide this property when you create the resource. + + * `name`: The name of the resource, provided by the client when initially creating the resource. The resource name must be 1-63 characters long, and comply with RFC1035. Specifically, the name must be 1-63 characters long and match the regular expression `[a-z]([-a-z0-9]*[a-z0-9])?` which means the first character must be a lowercase letter, and all following characters must be a dash, lowercase letter, or digit, except the last character, which cannot be a dash. + + * `specific_reservation`: This reservation type allows to pre allocate specific instance configuration. Next ID: 6 + + * `instance_properties`: Properties of the SKU instances being reserved. Next ID: 9 + + * `machine_type`: Specifies type of machine (name only) which has fixed number of vCPUs and fixed amount of memory. This also includes specifying custom machine type following custom-NUMBER_OF_CPUS-AMOUNT_OF_MEMORY pattern. + + * `guest_accelerators`: Specifies accelerator type and count. + + * `accelerator_type`: Full or partial URL of the accelerator type resource to attach to this instance. For example: projects/my-project/zones/us-central1-c/acceleratorTypes/nvidia-tesla-p100 If you are creating an instance template, specify only the accelerator name. See GPUs on Compute Engine for a full list of accelerator types. + + * `accelerator_count`: The number of the guest accelerator cards exposed to this instance. + + * `min_cpu_platform`: Minimum cpu platform the reservation. + + * `local_ssds`: Specifies amount of local ssd to reserve with each instance. The type of disk is local-ssd. + + * `disk_size_gb`: Specifies the size of the disk in base-2 GB. + + * `interface`: Specifies the disk interface to use for attaching this disk, which is either SCSI or NVME. The default is SCSI. For performance characteristics of SCSI over NVMe, see Local SSD performance. 
+ Possible values: + * NVDIMM + * NVME + * SCSI + + * `maintenance_freeze_duration_hours`: Specifies the number of hours after reservation creation where instances using the reservation won't be scheduled for maintenance. + + * `location_hint`: An opaque location hint used to place the allocation close to other resources. This field is for use by internal tools that use the public API. + + * `maintenance_interval`: Specifies the frequency of planned maintenance events. The accepted values are: `PERIODIC`. + Possible values: + * AS_NEEDED + * PERIODIC + * RECURRENT + + * `count`: Specifies the number of resources that are allocated. + + * `in_use_count`: [Output Only] Indicates how many instances are in use. + + * `assured_count`: [Output Only] Indicates how many instances are actually usable currently. + + * `source_instance_template`: Specifies the instance template to create the reservation. If you use this field, you must exclude the instanceProperties field. This field is optional, and it can be a full or partial URL. For example, the following are all valid URLs to an instance template: - https://www.googleapis.com/compute/v1/projects/project /global/instanceTemplates/instanceTemplate - projects/project/global/instanceTemplates/instanceTemplate - global/instanceTemplates/instanceTemplate + + * `aggregate_reservation`: This reservation type is specified by total resource amounts (e.g. total count of CPUs) and can account for multiple instance SKUs. In other words, one can create instances of varying shapes against this reservation. + + * `vm_family`: The VM family that all instances scheduled against this reservation must belong to. + Possible values: + * VM_FAMILY_CLOUD_TPU_LITE_DEVICE_CT5L + * VM_FAMILY_CLOUD_TPU_LITE_POD_SLICE_CT5LP + * VM_FAMILY_CLOUD_TPU_POD_SLICE_CT4P + + * `reserved_resources`: List of reserved resources (CPUs, memory, accelerators). + + * `accelerator`: + + * `accelerator_count`: Number of accelerators of specified type. 
+ + * `accelerator_type`: Full or partial URL to accelerator type. e.g. "projects/{PROJECT}/zones/{ZONE}/acceleratorTypes/ct4l" + + * `in_use_resources`: [Output only] List of resources currently in use. + + * `accelerator`: + + * `accelerator_count`: Number of accelerators of specified type. + + * `accelerator_type`: Full or partial URL to accelerator type. e.g. "projects/{PROJECT}/zones/{ZONE}/acceleratorTypes/ct4l" + + * `workload_type`: The workload type of the instances that will target this reservation. + Possible values: + * BATCH + * SERVING + * UNSPECIFIED + + * `commitment`: [Output Only] Full or partial URL to a parent commitment. This field displays for reservations that are tied to a commitment. + + * `specific_reservation_required`: Indicates whether the reservation can be consumed by VMs with affinity for "any" reservation. If the field is set, then only VMs that target the reservation by name can consume from this reservation. + + * `status`: [Output Only] The status of the reservation. + Possible values: + * CREATING + * DELETING + * INVALID + * READY + * UPDATING + + * `share_settings`: The share setting for reservations and sole tenancy node groups. + + * `share_type`: Type of sharing for this shared-reservation + Possible values: + * DIRECT_PROJECTS_UNDER_SPECIFIC_FOLDERS + * LOCAL + * ORGANIZATION + * SHARE_TYPE_UNSPECIFIED + * SPECIFIC_PROJECTS + + * `projects`: A List of Project names to specify consumer projects for this shared-reservation. This is only valid when share_type's value is SPECIFIC_PROJECTS. + + * `project_map`: A map of project id and project config. This is only valid when share_type's value is SPECIFIC_PROJECTS. + + * `additional_properties`: Config for each project in the share settings. + + * `folder_map`: A map of folder id and folder config to specify consumer projects for this shared-reservation. This is only valid when share_type's value is DIRECT_PROJECTS_UNDER_SPECIFIC_FOLDERS. 
Folder id should be a string of number, and without "folders/" prefix. + + * `additional_properties`: Config for each folder in the share settings. + + * `satisfies_pzs`: [Output Only] Reserved for future use. + + * `resource_policies`: Resource policies to be added to this reservation. The key is defined by user, and the value is resource policy url. This is to define placement policy with reservation. + + * `additional_properties`: + + * `resource_status`: [Output Only] Contains output only fields. + + * `specific_sku_allocation`: Contains Properties set for the reservation. + + * `source_instance_template_id`: ID of the instance template used to populate reservation properties. + + * `delete_at_time`: Absolute time in future when the reservation will be auto-deleted by Compute Engine. Timestamp is represented in RFC3339 text format. + + * `delete_after_duration`: A Duration represents a fixed-length span of time represented as a count of seconds and fractions of seconds at nanosecond resolution. It is independent of any calendar and concepts like "day" or "month". Range is approximately 10,000 years. + + * `seconds`: Span of time at a resolution of a second. Must be from 0 to 315,576,000,000 inclusive. Note: these bounds are computed from: 60 sec/min * 60 min/hr * 24 hr/day * 365.25 days/year * 10000 years + + * `nanos`: Span of time that's a fraction of a second at nanosecond resolution. Durations less than one second are represented with a 0 `seconds` field and a positive `nanos` field. Must be from 0 to 999,999,999 inclusive. + + * `category`: The category of the commitment. Category MACHINE specifies commitments composed of machine resources such as VCPU or MEMORY, listed in resources. Category LICENSE specifies commitments composed of software licenses, listed in licenseResources. Note that only MACHINE commitments should have a Type specified. 
+ Possible values: + * CATEGORY_UNSPECIFIED + * LICENSE + * MACHINE + + * `license_resource`: Commitment for a particular license resource. + + * `license`: Any applicable license URI. + + * `amount`: The number of licenses purchased. + + * `cores_per_license`: Specifies the core range of the instance for which this license applies. + + * `auto_renew`: Specifies whether to enable automatic renewal for the commitment. The default value is false if not specified. The field can be updated until the day of the commitment expiration at 12:00am PST. If the field is set to true, the commitment will be automatically renewed for either one or three years according to the terms of the existing commitment. + + * `merge_source_commitments`: List of source commitments to be merged into a new commitment. + + * `split_source_commitment`: Source commitment to be split into a new commitment. + + * `resource_status`: [Output Only] Contains output only fields. + + * `cancellation_information`: + + * `cancellation_fee`: Represents an amount of money with its currency type. + + * `currency_code`: The three-letter currency code defined in ISO 4217. + + * `units`: The whole units of the amount. For example if `currencyCode` is `"USD"`, then 1 unit is one US dollar. + + * `nanos`: Number of nano (10^-9) units of the amount. The value must be between -999,999,999 and +999,999,999 inclusive. If `units` is positive, `nanos` must be positive or zero. If `units` is zero, `nanos` can be positive, zero, or negative. If `units` is negative, `nanos` must be negative or zero. For example $-1.75 is represented as `units`=-1 and `nanos`=-750,000,000. + + * `cancellation_fee_expiration_timestamp`: [Output Only] An optional, cancellation fee expiration time. RFC3339 text format. + + * `cancellation_cap`: Represents an amount of money with its currency type. + + * `currency_code`: The three-letter currency code defined in ISO 4217. + + * `units`: The whole units of the amount. 
For example if `currencyCode` is `"USD"`, then 1 unit is one US dollar. + + * `nanos`: Number of nano (10^-9) units of the amount. The value must be between -999,999,999 and +999,999,999 inclusive. If `units` is positive, `nanos` must be positive or zero. If `units` is zero, `nanos` can be positive, zero, or negative. If `units` is negative, `nanos` must be negative or zero. For example $-1.75 is represented as `units`=-1 and `nanos`=-750,000,000. + + * `canceled_commitment`: Represents an amount of money with its currency type. + + * `currency_code`: The three-letter currency code defined in ISO 4217. + + * `units`: The whole units of the amount. For example if `currencyCode` is `"USD"`, then 1 unit is one US dollar. + + * `nanos`: Number of nano (10^-9) units of the amount. The value must be between -999,999,999 and +999,999,999 inclusive. If `units` is positive, `nanos` must be positive or zero. If `units` is zero, `nanos` can be positive, zero, or negative. If `units` is negative, `nanos` must be negative or zero. For example $-1.75 is represented as `units`=-1 and `nanos`=-750,000,000. + + * `canceled_commitment_last_updated_timestamp`: [Output Only] An optional last update time of canceled_commitment. RFC3339 text format. + + * `existing_reservations`: Specifies the already existing reservations to attach to the Commitment. This field is optional, and it can be a full or partial URL. For example, the following are valid URLs to an reservation: - https://www.googleapis.com/compute/v1/projects/project/zones/zone /reservations/reservation - projects/project/zones/zone/reservations/reservation + + +## GCP permissions + +Ensure the [Compute Engine API](https://console.cloud.google.com/apis/library/compute.googleapis.com/) is enabled for the current project. 
diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_region_commitments.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_region_commitments.md
new file mode 100644
index 0000000..be31111
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_region_commitments.md
@@ -0,0 +1,60 @@ ++++ +title = "google_compute_region_commitments resource" + +draft = false + + +[menu.gcp] +title = "google_compute_region_commitments" +identifier = "inspec/resources/gcp/google_compute_region_commitments resource" +parent = "inspec/resources/gcp" ++++ + +Use the `google_compute_region_commitments` InSpec audit resource to to test a Google Cloud RegionCommitment resource. + +## Examples + +```ruby + describe google_compute_region_commitments(project: 'chef-gcp-inspec', region: ' value_region') do + it { should exist } + end +``` + +## Properties + +Properties that can be accessed from the `google_compute_region_commitments` resource: + +See [google_compute_region_commitment](google_compute_region_commitment) for more detailed information. + + * `kinds`: an array of `google_compute_region_commitment` kind + * `ids`: an array of `google_compute_region_commitment` id + * `creation_timestamps`: an array of `google_compute_region_commitment` creation_timestamp + * `names`: an array of `google_compute_region_commitment` name + * `descriptions`: an array of `google_compute_region_commitment` description + * `regions`: an array of `google_compute_region_commitment` region + * `self_links`: an array of `google_compute_region_commitment` self_link + * `self_link_with_ids`: an array of `google_compute_region_commitment` self_link_with_id + * `statuses`: an array of `google_compute_region_commitment` status + * `status_messages`: an array of `google_compute_region_commitment` status_message + * `plans`: an array of `google_compute_region_commitment` plan + * `start_timestamps`: an array of `google_compute_region_commitment` start_timestamp + * `end_timestamps`: an array of `google_compute_region_commitment` end_timestamp + * `resources`: an array of `google_compute_region_commitment` resources + * `types`: an array of `google_compute_region_commitment` type + * `reservations`: an array of `google_compute_region_commitment` reservations + * `categories`: an 
array of `google_compute_region_commitment` category + * `license_resources`: an array of `google_compute_region_commitment` license_resource + * `auto_renews`: an array of `google_compute_region_commitment` auto_renew + * `merge_source_commitments`: an array of `google_compute_region_commitment` merge_source_commitments + * `split_source_commitments`: an array of `google_compute_region_commitment` split_source_commitment + * `resource_statuses`: an array of `google_compute_region_commitment` resource_status + * `existing_reservations`: an array of `google_compute_region_commitment` existing_reservations + +## Filter criteria + +This resource supports all of the above properties as filter criteria, which can be used +with `where` as a block or a method. + +## GCP permissions + +Ensure the [Compute Engine API](https://console.cloud.google.com/apis/library/compute.googleapis.com/) is enabled for the current project. diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_region_disk_type.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_region_disk_type.md new file mode 100644 index 0000000..05dc84e --- /dev/null +++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_region_disk_type.md 
@@ -0,0 +1,83 @@ ++++ +title = "google_compute_region_disk_type resource" + +draft = false + + +[menu.gcp] +title = "google_compute_region_disk_type" +identifier = "inspec/resources/gcp/google_compute_region_disk_type resource" +parent = "inspec/resources/gcp" ++++ + +Use the `google_compute_region_disk_type` InSpec audit resource to to test a Google Cloud RegionDiskType resource. + +## Examples + +```ruby +describe google_compute_region_disk_type(disk_type: 'value_name', project: 'chef-gcp-inspec', region: 'value_region') do + it { should exist } + its('kind') { should cmp 'value_kind' } + its('id') { should cmp 'value_id' } + its('creation_timestamp') { should cmp 'value_creationtimestamp' } + its('name') { should cmp 'value_name' } + its('description') { should cmp 'value_description' } + its('valid_disk_size') { should cmp 'value_validdisksize' } + its('zone') { should cmp 'value_zone' } + its('self_link') { should cmp 'value_selflink' } + its('default_disk_size_gb') { should cmp 'value_defaultdisksizegb' } + its('region') { should cmp 'value_region' } + +end + +describe google_compute_region_disk_type(disk_type: 'value_name', project: 'chef-gcp-inspec', region: 'value_region') do + it { should_not exist } +end +``` + +## Properties + +Properties that can be accessed from the `google_compute_region_disk_type` resource: + + + * `kind`: [Output Only] Type of the resource. Always compute#diskType for disk types. + + * `id`: [Output Only] The unique identifier for the resource. This identifier is defined by the server. + + * `creation_timestamp`: [Output Only] Creation timestamp in RFC3339 text format. + + * `name`: [Output Only] Name of the resource. + + * `description`: [Output Only] An optional description of this resource. + + * `valid_disk_size`: [Output Only] An optional textual description of the valid disk size, such as "10GB-10TB". + + * `deprecated`: Deprecation status for a public resource. + + * `state`: The deprecation state of this resource. 
This can be ACTIVE, DEPRECATED, OBSOLETE, or DELETED. Operations which communicate the end of life date for an image, can use ACTIVE. Operations which create a new resource using a DEPRECATED resource will return successfully, but with a warning indicating the deprecated resource and recommending its replacement. Operations which use OBSOLETE or DELETED resources will be rejected and result in an error. + Possible values: + * ACTIVE + * DELETED + * DEPRECATED + * OBSOLETE + + * `replacement`: The URL of the suggested replacement for a deprecated resource. The suggested replacement resource must be the same kind of resource as the deprecated resource. + + * `deprecated`: An optional RFC3339 timestamp on or after which the state of this resource is intended to change to DEPRECATED. This is only informational and the status will not change unless the client explicitly changes it. + + * `obsolete`: An optional RFC3339 timestamp on or after which the state of this resource is intended to change to OBSOLETE. This is only informational and the status will not change unless the client explicitly changes it. + + * `deleted`: An optional RFC3339 timestamp on or after which the state of this resource is intended to change to DELETED. This is only informational and the status will not change unless the client explicitly changes it. + + * `zone`: [Output Only] URL of the zone where the disk type resides. You must specify this field as part of the HTTP request URL. It is not settable as a field in the request body. + + * `self_link`: [Output Only] Server-defined URL for the resource. + + * `default_disk_size_gb`: [Output Only] Server-defined default disk size in GB. + + * `region`: [Output Only] URL of the region where the disk type resides. Only applicable for regional resources. You must specify this field as part of the HTTP request URL. It is not settable as a field in the request body. 
+ + +## GCP permissions + +Ensure the [Compute Engine API](https://console.cloud.google.com/apis/library/compute.googleapis.com/) is enabled for the current project. diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_region_disk_types.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_region_disk_types.md new file mode 100644 index 0000000..ef90525 --- /dev/null +++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_region_disk_types.md 
@@ -0,0 +1,48 @@ ++++ +title = "google_compute_region_disk_types resource" + +draft = false + + +[menu.gcp] +title = "google_compute_region_disk_types" +identifier = "inspec/resources/gcp/google_compute_region_disk_types resource" +parent = "inspec/resources/gcp" ++++ + +Use the `google_compute_region_disk_types` InSpec audit resource to to test a Google Cloud RegionDiskType resource. + +## Examples + +```ruby + describe google_compute_region_disk_types(project: 'chef-gcp-inspec', region: ' value_region') do + it { should exist } + end +``` + +## Properties + +Properties that can be accessed from the `google_compute_region_disk_types` resource: + +See [google_compute_region_disk_type](google_compute_region_disk_type) for more detailed information. + + * `kinds`: an array of `google_compute_region_disk_type` kind + * `ids`: an array of `google_compute_region_disk_type` id + * `creation_timestamps`: an array of `google_compute_region_disk_type` creation_timestamp + * `names`: an array of `google_compute_region_disk_type` name + * `descriptions`: an array of `google_compute_region_disk_type` description + * `valid_disk_sizes`: an array of `google_compute_region_disk_type` valid_disk_size + * `deprecateds`: an array of `google_compute_region_disk_type` deprecated + * `zones`: an array of `google_compute_region_disk_type` zone + * `self_links`: an array of `google_compute_region_disk_type` self_link + * `default_disk_size_gbs`: an array of `google_compute_region_disk_type` default_disk_size_gb + * `regions`: an array of `google_compute_region_disk_type` region + +## Filter criteria + +This resource supports all of the above properties as filter criteria, which can be used +with `where` as a block or a method. + +## GCP permissions + +Ensure the [Compute Engine API](https://console.cloud.google.com/apis/library/compute.googleapis.com/) is enabled for the current project. 
diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_region_health_check.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_region_health_check.md
new file mode 100644
index 0000000..ba86684
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_region_health_check.md
@@ -0,0 +1,224 @@ ++++ +title = "google_compute_region_health_check resource" + +draft = false + + +[menu.gcp] +title = "google_compute_region_health_check" +identifier = "inspec/resources/gcp/google_compute_region_health_check resource" +parent = "inspec/resources/gcp" ++++ + +Use the `google_compute_region_health_check` InSpec audit resource to to test a Google Cloud RegionHealthCheck resource. + +## Examples + +```ruby +describe google_compute_region_health_check(project: 'chef-gcp-inspec', region: '', name: '') do + it { should exist } + its('type') { should eq "TCP" } +end + +describe google_compute_region_health_check(project: 'chef-gcp-inspec', region: 'europe-west2', name: 'notthere') do + it { should_not exist } +end + +``` + ### Test that a GCP compute region exists +``` + describe google_compute_region_health_check(project: 'chef-inspec-gcp', region: 'europe-west2', name: 'test1') do + it { should exist } + end +``` + ### Test that a GCP compute region is in the expected state +``` + describe google_compute_region_health_check(project: 'chef-inspec-gcp', region: 'europe-west2', name: 'test1') do + its('status') { should eq 'UP' } + end +``` + ### Test a GCP compute region identifier +``` + describe google_compute_region_health_check(project: 'chef-inspec-gcp', region: "asia-east1", name: 'test1') do + its('unhealthy_threshold') { should eq 2 } + end +``` + ### Check that a region is associated with the expected zone fully qualified name +``` + describe google_compute_region_health_check(project: 'chef-inspec-gcp', region: "asia-east1", name: 'test1') do + its('healthy_threshold') { should eq 2 } + end +``` + ### Check that a region is associated with the expected zone short name +``` + describe google_compute_region_health_check(project: 'chef-inspec-gcp', region: "asia-east1", name: 'test1') do + its('types') { should include "TCP" } + end +``` + +``` + +## Properties + +Properties that can be accessed from the `google_compute_region_health_check` 
resource: + + + * `check_interval_sec`: How often (in seconds) to send a health check. The default value is 5 seconds. + + * `creation_timestamp`: Creation timestamp in RFC3339 text format. + + * `description`: An optional description of this resource. Provide this property when you create the resource. + + * `healthy_threshold`: A so-far unhealthy instance will be marked healthy after this many consecutive successes. The default value is 2. + + * `id`: The unique identifier for the resource. This identifier is defined by the server. + + * `name`: Name of the resource. Provided by the client when the resource is created. The name must be 1-63 characters long, and comply with RFC1035. Specifically, the name must be 1-63 characters long and match the regular expression `[a-z]([-a-z0-9]*[a-z0-9])?` which means the first character must be a lowercase letter, and all following characters must be a dash, lowercase letter, or digit, except the last character, which cannot be a dash. + + * `unhealthy_threshold`: A so-far healthy instance will be marked unhealthy after this many consecutive failures. The default value is 2. + + * `timeout_sec`: How long (in seconds) to wait before claiming failure. The default value is 5 seconds. It is invalid for timeoutSec to have greater value than checkIntervalSec. + + * `type`: Specifies the type of the healthCheck, either TCP, SSL, HTTP or HTTPS. If not specified, the default is TCP. Exactly one of the protocol-specific health check field must be specified, which must match type field. + Possible values: + * TCP + * SSL + * HTTP + * HTTPS + * HTTP2 + + * `http_health_check`: A nested object resource + + * `host`: The value of the host header in the HTTP health check request. If left empty (default value), the public IP on behalf of which this health check is performed will be used. + + * `request_path`: The request path of the HTTP health check request. The default value is /. 
+ + * `response`: The bytes to match against the beginning of the response data. If left empty (the default value), any response will indicate health. The response data can only be ASCII. + + * `port`: The TCP port number for the HTTP health check request. The default value is 80. + + * `port_name`: Port name as defined in InstanceGroup#NamedPort#name. If both port and port_name are defined, port takes precedence. + + * `proxy_header`: Specifies the type of proxy header to append before sending data to the backend. + Possible values: + * NONE + * PROXY_V1 + + * `port_specification`: Specifies how port is selected for health checking, can be one of the following values: * `USE_FIXED_PORT`: The port number in `port` is used for health checking. * `USE_NAMED_PORT`: The `portName` is used for health checking. * `USE_SERVING_PORT`: For NetworkEndpointGroup, the port specified for each network endpoint is used for health checking. For other backends, the port or named port specified in the Backend Service is used for health checking. If not specified, HTTP health check follows behavior specified in `port` and `portName` fields. + Possible values: + * USE_FIXED_PORT + * USE_NAMED_PORT + * USE_SERVING_PORT + + * `https_health_check`: A nested object resource + + * `host`: The value of the host header in the HTTPS health check request. If left empty (default value), the public IP on behalf of which this health check is performed will be used. + + * `request_path`: The request path of the HTTPS health check request. The default value is /. + + * `response`: The bytes to match against the beginning of the response data. If left empty (the default value), any response will indicate health. The response data can only be ASCII. + + * `port`: The TCP port number for the HTTPS health check request. The default value is 443. + + * `port_name`: Port name as defined in InstanceGroup#NamedPort#name. If both port and port_name are defined, port takes precedence. 
+ + * `proxy_header`: Specifies the type of proxy header to append before sending data to the backend. + Possible values: + * NONE + * PROXY_V1 + + * `port_specification`: Specifies how port is selected for health checking, can be one of the following values: * `USE_FIXED_PORT`: The port number in `port` is used for health checking. * `USE_NAMED_PORT`: The `portName` is used for health checking. * `USE_SERVING_PORT`: For NetworkEndpointGroup, the port specified for each network endpoint is used for health checking. For other backends, the port or named port specified in the Backend Service is used for health checking. If not specified, HTTPS health check follows behavior specified in `port` and `portName` fields. + Possible values: + * USE_FIXED_PORT + * USE_NAMED_PORT + * USE_SERVING_PORT + + * `tcp_health_check`: A nested object resource + + * `request`: The application data to send once the TCP connection has been established (default value is empty). If both request and response are empty, the connection establishment alone will indicate health. The request data can only be ASCII. + + * `response`: The bytes to match against the beginning of the response data. If left empty (the default value), any response will indicate health. The response data can only be ASCII. + + * `port`: The TCP port number for the TCP health check request. The default value is 80. + + * `port_name`: Port name as defined in InstanceGroup#NamedPort#name. If both port and port_name are defined, port takes precedence. + + * `proxy_header`: Specifies the type of proxy header to append before sending data to the backend. + Possible values: + * NONE + * PROXY_V1 + + * `port_specification`: Specifies how port is selected for health checking, can be one of the following values: * `USE_FIXED_PORT`: The port number in `port` is used for health checking. * `USE_NAMED_PORT`: The `portName` is used for health checking. 
* `USE_SERVING_PORT`: For NetworkEndpointGroup, the port specified for each network endpoint is used for health checking. For other backends, the port or named port specified in the Backend Service is used for health checking. If not specified, TCP health check follows behavior specified in `port` and `portName` fields. + Possible values: + * USE_FIXED_PORT + * USE_NAMED_PORT + * USE_SERVING_PORT + + * `ssl_health_check`: A nested object resource + + * `request`: The application data to send once the SSL connection has been established (default value is empty). If both request and response are empty, the connection establishment alone will indicate health. The request data can only be ASCII. + + * `response`: The bytes to match against the beginning of the response data. If left empty (the default value), any response will indicate health. The response data can only be ASCII. + + * `port`: The TCP port number for the SSL health check request. The default value is 443. + + * `port_name`: Port name as defined in InstanceGroup#NamedPort#name. If both port and port_name are defined, port takes precedence. + + * `proxy_header`: Specifies the type of proxy header to append before sending data to the backend. + Possible values: + * NONE + * PROXY_V1 + + * `port_specification`: Specifies how port is selected for health checking, can be one of the following values: * `USE_FIXED_PORT`: The port number in `port` is used for health checking. * `USE_NAMED_PORT`: The `portName` is used for health checking. * `USE_SERVING_PORT`: For NetworkEndpointGroup, the port specified for each network endpoint is used for health checking. For other backends, the port or named port specified in the Backend Service is used for health checking. If not specified, SSL health check follows behavior specified in `port` and `portName` fields. 
+ Possible values: + * USE_FIXED_PORT + * USE_NAMED_PORT + * USE_SERVING_PORT + + * `http2_health_check`: A nested object resource + + * `host`: The value of the host header in the HTTP2 health check request. If left empty (default value), the public IP on behalf of which this health check is performed will be used. + + * `request_path`: The request path of the HTTP2 health check request. The default value is /. + + * `response`: The bytes to match against the beginning of the response data. If left empty (the default value), any response will indicate health. The response data can only be ASCII. + + * `port`: The TCP port number for the HTTP2 health check request. The default value is 443. + + * `port_name`: Port name as defined in InstanceGroup#NamedPort#name. If both port and port_name are defined, port takes precedence. + + * `proxy_header`: Specifies the type of proxy header to append before sending data to the backend. + Possible values: + * NONE + * PROXY_V1 + + * `port_specification`: Specifies how port is selected for health checking, can be one of the following values: * `USE_FIXED_PORT`: The port number in `port` is used for health checking. * `USE_NAMED_PORT`: The `portName` is used for health checking. * `USE_SERVING_PORT`: For NetworkEndpointGroup, the port specified for each network endpoint is used for health checking. For other backends, the port or named port specified in the Backend Service is used for health checking. If not specified, HTTP2 health check follows behavior specified in `port` and `portName` fields. + Possible values: + * USE_FIXED_PORT + * USE_NAMED_PORT + * USE_SERVING_PORT + + * `grpc_health_check`: A nested object resource + + * `port`: The port number for the health check request. Must be specified if portName and portSpecification are not set or if port_specification is USE_FIXED_PORT. Valid values are 1 through 65535. + + * `port_name`: Port name as defined in InstanceGroup#NamedPort#name. 
If both port and port_name are defined, port takes precedence. + + * `port_specification`: Specifies how port is selected for health checking, can be one of the following values: * `USE_FIXED_PORT`: The port number in `port` is used for health checking. * `USE_NAMED_PORT`: The `portName` is used for health checking. * `USE_SERVING_PORT`: For NetworkEndpointGroup, the port specified for each network endpoint is used for health checking. For other backends, the port or named port specified in the Backend Service is used for health checking. If not specified, gRPC health check follows behavior specified in `port` and `portName` fields. + Possible values: + * USE_FIXED_PORT + * USE_NAMED_PORT + * USE_SERVING_PORT + + * `grpc_service_name`: The gRPC service name for the health check. The value of grpcServiceName has the following meanings by convention: * Empty serviceName means the overall status of all services at the backend. * Non-empty serviceName means the health of that gRPC service, as defined by the owner of the service. The grpcServiceName can only be ASCII. + + * `log_config`: Configure logging on this health check. + + * `enable`: Indicates whether or not to export logs. This is false by default, which means no health check logging will be done. + + * `region`: The region where the regional health check resides. + + +## GCP permissions + +Ensure the [Compute Engine API](https://console.cloud.google.com/apis/library/compute.googleapis.com/) is enabled for the current project. diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_region_health_checks.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_region_health_checks.md new file mode 100644 index 0000000..93f00c3 --- /dev/null +++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_region_health_checks.md 
@@ -0,0 +1,84 @@ ++++ +title = "google_compute_region_health_checks resource" + +draft = false + + +[menu.gcp] +title = "google_compute_region_health_checks" +identifier = "inspec/resources/gcp/google_compute_region_health_checks resource" +parent = "inspec/resources/gcp" ++++ + +Use the `google_compute_region_health_checks` InSpec audit resource to to test a Google Cloud RegionHealthCheck resource. + +## Examples + +```ruby +describe google_compute_region_health_checks(project: 'chef-gcp-inspec', region: '') do + its('types') { should include "TCP" } +end + +``` + ### Use this InSpec resource to enumerate IDs then test in-depth using `google_compute_region` +``` + google_compute_region_health_checks(project: 'chef-inspec-gcp', region: 'europe-west2').region_names.each do |region_name| + describe google_compute_region(project: 'chef-inspec-gcp', region: region_name) do + it { should exist } + end + end +``` + + ### Test that there are more than a specified number of regions available for the project +``` + describe google_compute_region_health_checks(project: 'chef-inspec-gcp', region: 'europe-west2') do + its('unhealthy_thresholds') { should eq 2} + end +``` + ### Test that an expected region is available for the project +``` + describe google_compute_region_health_checks(project: 'chef-inspec-gcp', region: 'europe-west2') do + its('healthy_thresholds') { should include 2 } + end +``` + ### Test whether any regions are in status "DOWN" +``` + describe google_compute_region_health_checks(project: 'chef-inspec-gcp', region: 'europe-west2') do + its('check_interval_secs') { should_not include 5 } + end +``` + +``` + +## Properties + +Properties that can be accessed from the `google_compute_region_health_checks` resource: + +See [google_compute_region_health_check](google_compute_region_health_check) for more detailed information. 
+ + * `check_interval_secs`: an array of `google_compute_region_health_check` check_interval_sec + * `creation_timestamps`: an array of `google_compute_region_health_check` creation_timestamp + * `descriptions`: an array of `google_compute_region_health_check` description + * `healthy_thresholds`: an array of `google_compute_region_health_check` healthy_threshold + * `ids`: an array of `google_compute_region_health_check` id + * `names`: an array of `google_compute_region_health_check` name + * `unhealthy_thresholds`: an array of `google_compute_region_health_check` unhealthy_threshold + * `timeout_secs`: an array of `google_compute_region_health_check` timeout_sec + * `types`: an array of `google_compute_region_health_check` type + * `http_health_checks`: an array of `google_compute_region_health_check` http_health_check + * `https_health_checks`: an array of `google_compute_region_health_check` https_health_check + * `tcp_health_checks`: an array of `google_compute_region_health_check` tcp_health_check + * `ssl_health_checks`: an array of `google_compute_region_health_check` ssl_health_check + * `http2_health_checks`: an array of `google_compute_region_health_check` http2_health_check + * `grpc_health_checks`: an array of `google_compute_region_health_check` grpc_health_check + * `log_configs`: an array of `google_compute_region_health_check` log_config + * `regions`: an array of `google_compute_region_health_check` region + +## Filter criteria + +This resource supports all of the above properties as filter criteria, which can be used +with `where` as a block or a method. + +## GCP permissions + +Ensure the [Compute Engine API](https://console.cloud.google.com/apis/library/compute.googleapis.com/) is enabled for the current project. 
diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_region_instance_group.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_region_instance_group.md
new file mode 100644
index 0000000..baa1e5e
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_region_instance_group.md
@@ -0,0 +1,63 @@ ++++ +title = "google_compute_region_instance_group resource" + +draft = false + + +[menu.gcp] +title = "google_compute_region_instance_group" +identifier = "inspec/resources/gcp/google_compute_region_instance_group resource" +parent = "inspec/resources/gcp" ++++ + +Use the `google_compute_region_instance_group` InSpec audit resource to to test a Google Cloud RegionInstanceGroup resource. + +## Examples + +```ruby +describe google_compute_region_instance_group(project: 'chef-gcp-inspec', region: 'us-central1', name: 'instance-group-2') do +it { should exist } +its('name') { should eq 'instance-group-2' } +its('size') { should eq '1' } +its('named_ports.first.name') { should eq 'port' } +its('named_ports.first.port') { should eq '80' } +end + +describe google_compute_region_instance_group(project: 'chef-gcp-inspec', region: 'europe-west2', name: 'nonexistent') do +it { should_not exist } +end +``` + +## Properties + +Properties that can be accessed from the `google_compute_region_instance_group` resource: + + + * `creation_timestamp`: Creation timestamp in RFC3339 text format.This field is deprecated. + + * `description`: An optional textual description of the resource. + + * `id`: The unique identifier for the resource. + + * `name`: Name of the resource. + + * `fingerprint`: The fingerprint of the named ports. The system uses this fingerprint to detect conflicts when multiple users change the named ports concurrently. base64-encoded string. + + * `network`: The URL of the network to which all instances in the instance group belong. If your instance has multiple network interfaces, then the network and subnetwork fields only refer to the network and subnet used by your primary interface (nic0). + + * `zone`: The URL of the zone where the instance group is located (for zonal resources). + + * `size`: The total number of instances in the instance group. 
+ + * `region`: The URL of the region where the instance group is located (for regional resources). + + * `named_ports`: Assigns a name to a port number. For example: {name: "http", port: 80} This allows the system to reference ports by the assigned name instead of a port number. Named ports can also contain multiple ports. For example: [{name: "http", port: 80},{name: "http", port: 8080}] Named ports apply to all instances in this instance group. + + * `name`: The name for this named port. The name must be 1-63 characters long, and comply with RFC1035. + + * `port`: The port number, which can be a value between 1 and 65535. + + +## GCP permissions + +Ensure the [Compute Engine API](https://console.cloud.google.com/apis/library/compute.googleapis.com/) is enabled for the current project. diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_region_instance_group_manager.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_region_instance_group_manager.md new file mode 100644 index 0000000..d540547 --- /dev/null +++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_region_instance_group_manager.md 
@@ -0,0 +1,108 @@
++++
+title = "google_compute_region_instance_group_manager resource"
+
+draft = false
+
+
+[menu.gcp]
+title = "google_compute_region_instance_group_manager"
+identifier = "inspec/resources/gcp/google_compute_region_instance_group_manager resource"
+parent = "inspec/resources/gcp"
++++
+
+## Syntax
+
+A `google_compute_region_instance_group_manager` is used to test a Google RegionInstanceGroupManager resource
+
+
+## Beta Resource
+This resource has beta fields available. To retrieve these fields, include `beta: true` in the constructor for the resource.
+
+## Examples
+
+```ruby
+describe google_compute_region_instance_group_manager(project: 'chef-gcp-inspec', region: 'europe-west2', name: 'inspec-rigm') do
+ it { should exist }
+ its('base_instance_name') { should eq 'rigm1' }
+ its('target_size') { should eq '1' }
+ its('named_ports.first.name') { should eq 'https' }
+ its('named_ports.first.port') { should eq '8888' }
+ its('auto_healing_policies.first.initial_delay_sec') { should eq '300' }
+end
+
+describe google_compute_region_instance_group_manager(project: 'chef-gcp-inspec', region: 'europe-west2', name: 'nonexistent') do
+ it { should_not exist }
+end
+```
+
+### Test that a GCP compute region instance group manager has the expected size
+
+ describe google_compute_region_instance_group_manager(project: 'chef-inspec-gcp', region: 'europe-west2', name: 'gcp-inspec-test') do
+ its('target_size') { should eq 2 }
+ end
+
+### Test that a GCP compute region instance group manager has a port with supplied name and value
+
+ describe google_compute_region_instance_group_manager(project: 'chef-inspec-gcp', region: 'europe-west2', name: 'gcp-inspec-test') do
+ its('named_ports') { should include "http" }
+ end
+
+## Properties
+
+Properties that can be accessed from the `google_compute_region_instance_group_manager` resource:
+
+
+ * `base_instance_name`: The base instance name to use for instances in this group. The value must be 1-58 characters long. Instances are named by appending a hyphen and a random four-character string to the base instance name. The base instance name must comply with RFC1035.
+
+ * `creation_timestamp`: The creation timestamp for this managed instance group in RFC3339 text format.
+
+ * `current_actions`: The list of instance actions and the number of instances in this managed instance group that are scheduled for each of those actions.
+
+ * `abandoning`: The total number of instances in the managed instance group that are scheduled to be abandoned. Abandoning an instance removes it from the managed instance group without deleting it.
+
+ * `creating`: The number of instances in the managed instance group that are scheduled to be created or are currently being created. If the group fails to create any of these instances, it tries again until it creates the instance successfully. If you have disabled creation retries, this field will not be populated; instead, the creatingWithoutRetries field will be populated.
+
+ * `creating_without_retries`: The number of instances that the managed instance group will attempt to create. The group attempts to create each instance only once. If the group fails to create any of these instances, it decreases the group's targetSize value accordingly.
+
+ * `deleting`: The number of instances in the managed instance group that are scheduled to be deleted or are currently being deleted.
+
+ * `none`: The number of instances in the managed instance group that are running and have no scheduled actions.
+
+ * `recreating`: The number of instances in the managed instance group that are scheduled to be recreated or are currently being being recreated. Recreating an instance deletes the existing root persistent disk and creates a new disk from the image that is defined in the instance template.
+
+ * `refreshing`: The number of instances in the managed instance group that are being reconfigured with properties that do not require a restart or a recreate action. For example, setting or removing target pools for the instance.
+
+ * `restarting`: The number of instances in the managed instance group that are scheduled to be restarted or are currently being restarted.
+
+ * `description`: An optional description of this resource. Provide this property when you create the resource.
+
+ * `id`: A unique identifier for this resource
+
+ * `instance_group`: The instance group being managed
+
+ * `instance_template`: The instance template that is specified for this managed instance group. The group uses this template to create all new instances in the managed instance group.
+
+ * `name`: The name of the managed instance group. The name must be 1-63 characters long, and comply with RFC1035.
+
+ * `named_ports`: Named ports configured for the Instance Groups complementary to this Instance Group Manager.
+
+ * `name`: The name for this named port. The name must be 1-63 characters long, and comply with RFC1035.
+
+ * `port`: The port number, which can be a value between 1 and 65535.
+
+ * `target_pools`: TargetPool resources to which instances in the instanceGroup field are added. The target pools automatically apply to all of the instances in the managed instance group.
+
+ * `target_size`: The target number of running instances for this managed instance group. Deleting or abandoning instances reduces this number. Resizing the group changes this number.
+
+ * `auto_healing_policies`: The autohealing policy for this managed instance group
+
+ * `health_check`: The URL for the health check that signals autohealing.
+
+ * `initial_delay_sec`: The number of seconds that the managed instance group waits before it applies autohealing policies to new instances or recently recreated instances
+
+ * `region`: The region the managed instance group resides.
+
+
+## GCP permissions
+
+Ensure the [Compute Engine API](https://console.cloud.google.com/apis/library/compute.googleapis.com/) is enabled for the current project.
diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_region_instance_group_managers.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_region_instance_group_managers.md
new file mode 100644
index 0000000..6ecb1cc
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_region_instance_group_managers.md
@@ -0,0 +1,78 @@
++++
+title = "google_compute_region_instance_group_managers resource"
+
+draft = false
+
+
+[menu.gcp]
+title = "google_compute_region_instance_group_managers"
+identifier = "inspec/resources/gcp/google_compute_region_instance_group_managers resource"
+parent = "inspec/resources/gcp"
++++
+
+## Syntax
+
+A `google_compute_region_instance_group_managers` is used to test a Google RegionInstanceGroupManager resource
+
+
+## Beta Resource
+This resource has beta fields available. To retrieve these fields, include `beta: true` in the constructor for the resource.
+
+## Examples
+
+```ruby
+describe google_compute_region_instance_group_managers(project: 'chef-gcp-inspec', region: 'europe-west2') do
+ its('instance_group_manager_names') { should include 'inspec-rigm' }
+ its('base_instance_names') { should include 'rigm1' }
+end
+```
+
+### Test that there are no more than a specified number of instance groups available for the project
+
+ describe google_compute_region_instance_group_managers(project: 'chef-inspec-gcp', region: 'europe-west2') do
+ its('count') { should be <= 100}
+ end
+
+### Test that an expected instance_group is available for the project
+
+ describe google_compute_region_instance_group_managers(project: 'chef-inspec-gcp', region: 'europe-west2') do
+ its('instance_group_names') { should include "my-instance-group-name" }
+ end
+
+### Test that a subset of all instance_groups matching "mig*" have size greater than zero
+
+ google_compute_region_instance_group_managers(project: 'chef-inspec-gcp', region: 'europe-west2').where(instance_group_name: /^mig/).instance_group_names.each do |instance_group_name|
+ describe google_compute_instance_group(project: 'chef-inspec-gcp', region: 'europe-west2', name: instance_group_name) do
+ it { should exist }
+ its('target_size') { should be > 0 }
+ end
+ end
+
+## Properties
+
+Properties that can be accessed from the `google_compute_region_instance_group_managers` resource:
+
+See [google_compute_region_instance_group_manager](google_compute_region_instance_group_manager) for more detailed information.
+
+ * `base_instance_names`: an array of `google_compute_region_instance_group_manager` base_instance_name
+ * `creation_timestamps`: an array of `google_compute_region_instance_group_manager` creation_timestamp
+ * `current_actions`: an array of `google_compute_region_instance_group_manager` current_actions
+ * `descriptions`: an array of `google_compute_region_instance_group_manager` description
+ * `instance_group_manager_ids`: an array of `google_compute_region_instance_group_manager` id
+ * `instance_groups`: an array of `google_compute_region_instance_group_manager` instance_group
+ * `instance_templates`: an array of `google_compute_region_instance_group_manager` instance_template
+ * `instance_group_manager_names`: an array of `google_compute_region_instance_group_manager` name
+ * `named_ports`: an array of `google_compute_region_instance_group_manager` named_ports
+ * `target_pools`: an array of `google_compute_region_instance_group_manager` target_pools
+ * `target_sizes`: an array of `google_compute_region_instance_group_manager` target_size
+ * `auto_healing_policies`: an array of `google_compute_region_instance_group_manager` auto_healing_policies
+ * `regions`: an array of `google_compute_region_instance_group_manager` region
+
+## Filter criteria
+
+This resource supports all of the above properties as filter criteria, which can be used
+with `where` as a block or a method.
+
+## GCP permissions
+
+Ensure the [Compute Engine API](https://console.cloud.google.com/apis/library/compute.googleapis.com/) is enabled for the current project.
diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_region_instance_groups.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_region_instance_groups.md
new file mode 100644
index 0000000..bedb2ae
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_region_instance_groups.md 
@@ -0,0 +1,48 @@
++++
+title = "google_compute_region_instance_groups resource"
+
+draft = false
+
+
+[menu.gcp]
+title = "google_compute_region_instance_groups"
+identifier = "inspec/resources/gcp/google_compute_region_instance_groups resource"
+parent = "inspec/resources/gcp"
++++
+
+Use the `google_compute_region_instance_groups` InSpec audit resource to to test a Google Cloud RegionInstanceGroup resource.
+
+## Examples
+
+```ruby
+describe google_compute_region_instance_groups(project: 'chef-gcp-inspec', region: 'us-central1') do
+ it { should exist }
+ its('names') { should include 'instance-group-2' }
+end
+```
+
+## Properties
+
+Properties that can be accessed from the `google_compute_region_instance_groups` resource:
+
+See [google_compute_region_instance_group](google_compute_region_instance_group) for more detailed information.
+
+ * `creation_timestamps`: an array of `google_compute_region_instance_group` creation_timestamp
+ * `descriptions`: an array of `google_compute_region_instance_group` description
+ * `ids`: an array of `google_compute_region_instance_group` id
+ * `names`: an array of `google_compute_region_instance_group` name
+ * `fingerprints`: an array of `google_compute_region_instance_group` fingerprint
+ * `networks`: an array of `google_compute_region_instance_group` network
+ * `zones`: an array of `google_compute_region_instance_group` zone
+ * `sizes`: an array of `google_compute_region_instance_group` size
+ * `regions`: an array of `google_compute_region_instance_group` region
+ * `named_ports`: an array of `google_compute_region_instance_group` named_ports
+
+## Filter criteria
+
+This resource supports all of the above properties as filter criteria, which can be used
+with `where` as a block or a method.
+
+## GCP permissions
+
+Ensure the [Compute Engine API](https://console.cloud.google.com/apis/library/compute.googleapis.com/) is enabled for the current project.
diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_region_network_endpoint_group.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_region_network_endpoint_group.md new file mode 100644 index 0000000..61b28e6 --- /dev/null +++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_region_network_endpoint_group.md 
@@ -0,0 +1,125 @@
++++
+title = "google_compute_region_network_endpoint_group resource"
+
+draft = false
+
+
+[menu.gcp]
+title = "google_compute_region_network_endpoint_group"
+identifier = "inspec/resources/gcp/google_compute_region_network_endpoint_group resource"
+parent = "inspec/resources/gcp"
++++
+
+Use the `google_compute_region_network_endpoint_group` InSpec audit resource to to test a Google Cloud RegionNetworkEndpointGroup resource.
+
+## Examples
+
+```ruby
+describe google_compute_region_network_endpoint_group(network_endpoint_group: ' ', project: 'chef-gcp-inspec', region: ' value_region') do
+ it { should exist }
+ its('kind') { should cmp 'value_kind' }
+ its('id') { should cmp 'value_id' }
+ its('creation_timestamp') { should cmp 'value_creationtimestamp' }
+ its('self_link') { should cmp 'value_selflink' }
+ its('name') { should cmp 'value_name' }
+ its('description') { should cmp 'value_description' }
+ its('network_endpoint_type') { should cmp 'value_networkendpointtype' }
+ its('region') { should cmp 'value_region' }
+ its('zone') { should cmp 'value_zone' }
+ its('network') { should cmp 'value_network' }
+ its('subnetwork') { should cmp 'value_subnetwork' }
+ its('psc_target_service') { should cmp 'value_psctargetservice' }
+
+end
+
+describe google_compute_region_network_endpoint_group(network_endpoint_group: ' ', project: 'chef-gcp-inspec', region: ' value_region') do
+ it { should_not exist }
+end
+```
+
+## Properties
+
+Properties that can be accessed from the `google_compute_region_network_endpoint_group` resource:
+
+
+ * `kind`: [Output Only] Type of the resource. Always compute#networkEndpointGroup for network endpoint group.
+
+ * `id`: [Output Only] The unique identifier for the resource. This identifier is defined by the server.
+
+ * `creation_timestamp`: [Output Only] Creation timestamp in RFC3339 text format.
+
+ * `self_link`: [Output Only] Server-defined URL for the resource.
+
+ * `name`: Name of the resource; provided by the client when the resource is created. The name must be 1-63 characters long, and comply with RFC1035. Specifically, the name must be 1-63 characters long and match the regular expression `[a-z]([-a-z0-9]*[a-z0-9])?` which means the first character must be a lowercase letter, and all following characters must be a dash, lowercase letter, or digit, except the last character, which cannot be a dash.
+
+ * `description`: An optional description of this resource. Provide this property when you create the resource.
+
+ * `network_endpoint_type`: Type of network endpoints in this network endpoint group. Can be one of GCE_VM_IP, GCE_VM_IP_PORT, NON_GCP_PRIVATE_IP_PORT, INTERNET_FQDN_PORT, INTERNET_IP_PORT, SERVERLESS, PRIVATE_SERVICE_CONNECT.
+ Possible values:
+ * GCE_VM_IP
+ * GCE_VM_IP_PORT
+ * INTERNET_FQDN_PORT
+ * INTERNET_IP_PORT
+ * NON_GCP_PRIVATE_IP_PORT
+ * PRIVATE_SERVICE_CONNECT
+ * SERVERLESS
+
+ * `size`: [Output only] Number of network endpoints in the network endpoint group.
+
+ * `region`: [Output Only] The URL of the region where the network endpoint group is located.
+
+ * `zone`: [Output Only] The URL of the zone where the network endpoint group is located.
+
+ * `network`: The URL of the network to which all network endpoints in the NEG belong. Uses "default" project network if unspecified.
+
+ * `subnetwork`: Optional URL of the subnetwork to which all network endpoints in the NEG belong.
+
+ * `default_port`: The default port used if the port number is not specified in the network endpoint.
+
+ * `annotations`: Metadata defined as annotations on the network endpoint group.
+
+ * `additional_properties`:
+
+ * `cloud_run`: Configuration for a Cloud Run network endpoint group (NEG). The service must be provided explicitly or in the URL mask. The tag is optional, may be provided explicitly or in the URL mask. Note: Cloud Run service must be in the same project and located in the same region as the Serverless NEG.
+
+ * `service`: Cloud Run service is the main resource of Cloud Run. The service must be 1-63 characters long, and comply with RFC1035. Example value: "run-service".
+
+ * `tag`: Optional Cloud Run tag represents the "named-revision" to provide additional fine-grained traffic routing information. The tag must be 1-63 characters long, and comply with RFC1035. Example value: "revision-0010".
+
+ * `url_mask`: A template to parse and fields from a request URL. URL mask allows for routing to multiple Run services without having to create multiple network endpoint groups and backend services. For example, request URLs "foo1.domain.com/bar1" and "foo1.domain.com/bar2" can be backed by the same Serverless Network Endpoint Group (NEG) with URL mask ".domain.com/". The URL mask will parse them to { service="bar1", tag="foo1" } and { service="bar2", tag="foo2" } respectively.
+
+ * `app_engine`: Configuration for an App Engine network endpoint group (NEG). The service is optional, may be provided explicitly or in the URL mask. The version is optional and can only be provided explicitly or in the URL mask when service is present. Note: App Engine service must be in the same project and located in the same region as the Serverless NEG.
+
+ * `service`: Optional serving service. The service name is case-sensitive and must be 1-63 characters long. Example value: "default", "my-service".
+
+ * `version`: Optional serving version. The version name is case-sensitive and must be 1-100 characters long. Example value: "v1", "v2".
+
+ * `url_mask`: A template to parse service and version fields from a request URL. URL mask allows for routing to multiple App Engine services without having to create multiple Network Endpoint Groups and backend services. For example, the request URLs "foo1-dot-appname.appspot.com/v1" and "foo1-dot-appname.appspot.com/v2" can be backed by the same Serverless NEG with URL mask "-dot-appname.appspot.com/". The URL mask will parse them to { service = "foo1", version = "v1" } and { service = "foo1", version = "v2" } respectively.
+
+ * `cloud_function`: Configuration for a Cloud Function network endpoint group (NEG). The function must be provided explicitly or in the URL mask. Note: Cloud Function must be in the same project and located in the same region as the Serverless NEG.
+
+ * `function`: A user-defined name of the Cloud Function. The function name is case-sensitive and must be 1-63 characters long. Example value: "func1".
+
+ * `url_mask`: A template to parse function field from a request URL. URL mask allows for routing to multiple Cloud Functions without having to create multiple Network Endpoint Groups and backend services. For example, request URLs " mydomain.com/function1" and "mydomain.com/function2" can be backed by the same Serverless NEG with URL mask "/". The URL mask will parse them to { function = "function1" } and { function = "function2" } respectively.
+
+ * `psc_target_service`: The target service url used to set up private service connection to a Google API or a PSC Producer Service Attachment. An example value is: "asia-northeast3-cloudkms.googleapis.com"
+
+ * `psc_data`: All data that is specifically relevant to only network endpoint groups of type PRIVATE_SERVICE_CONNECT.
+
+ * `consumer_psc_address`: [Output Only] Address allocated from given subnetwork for PSC. This IP address acts as a VIP for a PSC NEG, allowing it to act as an endpoint in L7 PSC-XLB.
+
+ * `psc_connection_id`: [Output Only] The PSC connection id of the PSC Network Endpoint Group Consumer.
+
+ * `psc_connection_status`: [Output Only] The connection status of the PSC Forwarding Rule.
+ Possible values:
+ * ACCEPTED
+ * CLOSED
+ * NEEDS_ATTENTION
+ * PENDING
+ * REJECTED
+ * STATUS_UNSPECIFIED
+
+
+## GCP permissions
+
+Ensure the [Compute Engine API](https://console.cloud.google.com/apis/library/compute.googleapis.com/) is enabled for the current project.
diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_region_network_endpoint_groups.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_region_network_endpoint_groups.md
new file mode 100644
index 0000000..32d63e6
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_region_network_endpoint_groups.md
@@ -0,0 +1,56 @@
++++
+title = "google_compute_region_network_endpoint_groups resource"
+
+draft = false
+
+
+[menu.gcp]
+title = "google_compute_region_network_endpoint_groups"
+identifier = "inspec/resources/gcp/google_compute_region_network_endpoint_groups resource"
+parent = "inspec/resources/gcp"
++++
+
+Use the `google_compute_region_network_endpoint_groups` InSpec audit resource to to test a Google Cloud RegionNetworkEndpointGroup resource.
+
+## Examples
+
+```ruby
+ describe google_compute_region_network_endpoint_groups(project: 'chef-gcp-inspec', region: ' value_region') do
+ it { should exist }
+ end
+```
+
+## Properties
+
+Properties that can be accessed from the `google_compute_region_network_endpoint_groups` resource:
+
+See [google_compute_region_network_endpoint_group](google_compute_region_network_endpoint_group) for more detailed information.
+
+ * `kinds`: an array of `google_compute_region_network_endpoint_group` kind
+ * `ids`: an array of `google_compute_region_network_endpoint_group` id
+ * `creation_timestamps`: an array of `google_compute_region_network_endpoint_group` creation_timestamp
+ * `self_links`: an array of `google_compute_region_network_endpoint_group` self_link
+ * `names`: an array of `google_compute_region_network_endpoint_group` name
+ * `descriptions`: an array of `google_compute_region_network_endpoint_group` description
+ * `network_endpoint_types`: an array of `google_compute_region_network_endpoint_group` network_endpoint_type
+ * `sizes`: an array of `google_compute_region_network_endpoint_group` size
+ * `regions`: an array of `google_compute_region_network_endpoint_group` region
+ * `zones`: an array of `google_compute_region_network_endpoint_group` zone
+ * `networks`: an array of `google_compute_region_network_endpoint_group` network
+ * `subnetworks`: an array of `google_compute_region_network_endpoint_group` subnetwork
+ * `default_ports`: an array of `google_compute_region_network_endpoint_group` default_port
+ * `annotations`: an array of `google_compute_region_network_endpoint_group` annotations
+ * `cloud_runs`: an array of `google_compute_region_network_endpoint_group` cloud_run
+ * `app_engines`: an array of `google_compute_region_network_endpoint_group` app_engine
+ * `cloud_functions`: an array of `google_compute_region_network_endpoint_group` cloud_function
+ * `psc_target_services`: an array of `google_compute_region_network_endpoint_group` psc_target_service
+ * `psc_data`: an array of `google_compute_region_network_endpoint_group` psc_data
+
+## Filter criteria
+
+This resource supports all of the above properties as filter criteria, which can be used
+with `where` as a block or a method.
+
+## GCP permissions
+
+Ensure the [Compute Engine API](https://console.cloud.google.com/apis/library/compute.googleapis.com/) is enabled for the current project.
diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_region_operation.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_region_operation.md
new file mode 100644
index 0000000..0343657
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_region_operation.md
@@ -0,0 +1,66 @@
++++
+title = "google_compute_region_operation resource"
+
+draft = false
+
+
+[menu.gcp]
+title = "google_compute_region_operation"
+identifier = "inspec/resources/gcp/google_compute_region_operation resource"
+parent = "inspec/resources/gcp"
++++
+
+Use the `google_compute_region_operation` InSpec audit resource to to test a Google Cloud RegionOperation resource.
+
+## Examples
+
+```ruby
+describe google_compute_region_operation(project: 'chef-gcp-inspec', region: '', name: 'operation-1641188435323-5d4a6f5b26934-9281422c-dce238f5') do
+it { should exist }
+its('name') { should eq 'operation-1641188435323-5d4a6f5b26934-9281422c-dce238f5' }
+its('status') { should eq '' }
+its('progress') { should eq '100' }
+end
+
+describe google_compute_region_operation(project: 'chef-gcp-inspec', region: '', name: 'nonexistent') do
+it { should_not exist }
+end
+```
+
+## Properties
+
+Properties that can be accessed from the `google_compute_region_operation` resource:
+
+
+ * `creation_timestamp`: Creation timestamp in RFC3339 text format.This field is deprecated.
+
+ * `description`: An optional textual description of the resource.
+
+ * `id`: The unique identifier for the resource.
+
+ * `name`: Name of the resource.
+
+ * `target_id`: The unique target ID, which identifies a specific incarnation of the target resource.
+
+ * `status`: The status of the operation, which can be one of the following: PENDING, RUNNING, or DONE.
+ Possible values:
+ * PENDING
+ * RUNNING
+ * DONE
+
+ * `user`: User who requested the operation, for example: user@example.com.
+
+ * `insert_time`: The time that this operation was requested. This value is in RFC3339 text format.
+
+ * `start_time`: The time that this operation was requested. This value is in RFC3339 text format.
+
+ * `end_time`: The time that this operation was requested. This value is in RFC3339 text format.
+
+ * `progress`: An optional progress indicator that ranges from 0 to 100. There is no requirement that this be linear or support any granularity of operations. This should not be used to guess when the operation will be complete. This number should monotonically increase as the operation progresses.
+
+ * `zone`: The URL of the zone where the instance group is located (for zonal resources).
+
+
+## GCP permissions
+
+Ensure the [Compute Engine API](https://console.cloud.google.com/apis/library/compute.googleapis.com/) is enabled for the current project.
diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_region_operations.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_region_operations.md
new file mode 100644
index 0000000..41db6f4
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_region_operations.md
@@ -0,0 +1,51 @@
++++
+title = "google_compute_region_operations resource"
+
+draft = false
+
+
+[menu.gcp]
+title = "google_compute_region_operations"
+identifier = "inspec/resources/gcp/google_compute_region_operations resource"
+parent = "inspec/resources/gcp"
++++
+
+Use the `google_compute_region_operations` InSpec audit resource to to test a Google Cloud RegionOperation resource.
+
+## Examples
+
+```ruby
+describe google_compute_region_operations(project: 'chef-gcp-inspec', region: '') do
+ it { should exist }
+ its('names') { should include 'operation-1641188435323-5d4a6f5b26934-9281422c-dce238f5' }
+ its('progress') { should include '100' }
+end
+```
+
+## Properties
+
+Properties that can be accessed from the `google_compute_region_operations` resource:
+
+See [google_compute_region_operation](google_compute_region_operation) for more detailed information.
+
+ * `creation_timestamps`: an array of `google_compute_region_operation` creation_timestamp
+ * `descriptions`: an array of `google_compute_region_operation` description
+ * `ids`: an array of `google_compute_region_operation` id
+ * `names`: an array of `google_compute_region_operation` name
+ * `target_ids`: an array of `google_compute_region_operation` target_id
+ * `statuses`: an array of `google_compute_region_operation` status
+ * `users`: an array of `google_compute_region_operation` user
+ * `insert_times`: an array of `google_compute_region_operation` insert_time
+ * `start_times`: an array of `google_compute_region_operation` start_time
+ * `end_times`: an array of `google_compute_region_operation` end_time
+ * `progresses`: an array of `google_compute_region_operation` progress
+ * `zones`: an array of `google_compute_region_operation` zone
+
+## Filter criteria
+
+This resource supports all of the above properties as filter criteria, which can be used
+with `where` as a block or a method.
+
+## GCP permissions
+
+Ensure the [Compute Engine API](https://console.cloud.google.com/apis/library/compute.googleapis.com/) is enabled for the current project.
diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_region_security_policies.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_region_security_policies.md
new file mode 100644
index 0000000..b9a6ba5
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_region_security_policies.md
@@ -0,0 +1,91 @@ ++++ +title = "google_compute_region_security_policies resource" + +draft = false + + + +[menu.gcp] +title = "google_compute_region_security_policies" +identifier = "inspec/resources/gcp/google_compute_region_security_policies resource" +parent = "inspec/resources/gcp" ++++ + +Use the `google_compute_region_security_policies` InSpec audit resource to test the properties of a Google Cloud RegionSecurityPolicy resource. + +## Examples + +```ruby + describe google_compute_region_security_policies(project: 'chef-gcp-inspec', region: ' ') do + it { should exist } + end +``` + +## Parameters + +Parameters that can be accessed from the `google_compute_region_security_policies` resource: + +See [google_compute_region_security_policy](google_compute_region_security_policy) for more detailed information. + +* `user_defined_fields`: an array of `google_compute_region_security_policy` user_defined_fields +* `kinds`: an array of `google_compute_region_security_policy` kind +* `ids`: an array of `google_compute_region_security_policy` id +* `creation_timestamps`: an array of `google_compute_region_security_policy` creation_timestamp +* `names`: an array of `google_compute_region_security_policy` name +* `descriptions`: an array of `google_compute_region_security_policy` description +* `rules`: an array of `google_compute_region_security_policy` rules +* `cloud_armor_configs`: an array of `google_compute_region_security_policy` cloud_armor_config +* `adaptive_protection_configs`: an array of `google_compute_region_security_policy` adaptive_protection_config +* `ddos_protection_configs`: an array of `google_compute_region_security_policy` ddos_protection_config +* `advanced_options_configs`: an array of `google_compute_region_security_policy` advanced_options_config +* `recaptcha_options_configs`: an array of `google_compute_region_security_policy` recaptcha_options_config +* `fingerprints`: an array of `google_compute_region_security_policy` fingerprint +* 
`self_links`: an array of `google_compute_region_security_policy` self_link +* `self_link_with_ids`: an array of `google_compute_region_security_policy` self_link_with_id +* `types`: an array of `google_compute_region_security_policy` type +* `associations`: an array of `google_compute_region_security_policy` associations +* `labels`: an array of `google_compute_region_security_policy` labels +* `label_fingerprints`: an array of `google_compute_region_security_policy` label_fingerprint +* `rule_tuple_counts`: an array of `google_compute_region_security_policy` rule_tuple_count +* `display_names`: an array of `google_compute_region_security_policy` display_name +* `parents`: an array of `google_compute_region_security_policy` parent +* `regions`: an array of `google_compute_region_security_policy` region + +## Properties + +Properties that can be accessed from the `google_compute_region_security_policies` resource: + +See [google_compute_region_security_policy](google_compute_region_security_policy) for more detailed information. 
+ +* `user_defined_fields`: an array of `google_compute_region_security_policy` user_defined_fields +* `kinds`: an array of `google_compute_region_security_policy` kind +* `ids`: an array of `google_compute_region_security_policy` id +* `creation_timestamps`: an array of `google_compute_region_security_policy` creation_timestamp +* `names`: an array of `google_compute_region_security_policy` name +* `descriptions`: an array of `google_compute_region_security_policy` description +* `rules`: an array of `google_compute_region_security_policy` rules +* `cloud_armor_configs`: an array of `google_compute_region_security_policy` cloud_armor_config +* `adaptive_protection_configs`: an array of `google_compute_region_security_policy` adaptive_protection_config +* `ddos_protection_configs`: an array of `google_compute_region_security_policy` ddos_protection_config +* `advanced_options_configs`: an array of `google_compute_region_security_policy` advanced_options_config +* `recaptcha_options_configs`: an array of `google_compute_region_security_policy` recaptcha_options_config +* `fingerprints`: an array of `google_compute_region_security_policy` fingerprint +* `self_links`: an array of `google_compute_region_security_policy` self_link +* `self_link_with_ids`: an array of `google_compute_region_security_policy` self_link_with_id +* `types`: an array of `google_compute_region_security_policy` type +* `associations`: an array of `google_compute_region_security_policy` associations +* `labels`: an array of `google_compute_region_security_policy` labels +* `label_fingerprints`: an array of `google_compute_region_security_policy` label_fingerprint +* `rule_tuple_counts`: an array of `google_compute_region_security_policy` rule_tuple_count +* `display_names`: an array of `google_compute_region_security_policy` display_name +* `parents`: an array of `google_compute_region_security_policy` parent +* `regions`: an array of `google_compute_region_security_policy` region + +## Filter 
criteria + +This resource supports all of the above properties as filter criteria, which can be used +with `where` as a block or a method. + +## GCP permissions + +Ensure the [Compute Engine API](https://console.cloud.google.com/apis/library/compute.googleapis.com/) is enabled for the current project. diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_region_security_policy.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_region_security_policy.md new file mode 100644 index 0000000..166b365 --- /dev/null +++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_region_security_policy.md 
@@ -0,0 +1,447 @@ ++++ +title = "google_compute_region_security_policy resource" + +draft = false + + + +[menu.gcp] +title = "google_compute_region_security_policy" +identifier = "inspec/resources/gcp/google_compute_region_security_policy resource" +parent = "inspec/resources/gcp" ++++ + +Use the `google_compute_region_security_policy` InSpec audit resource to test the properties of a Google Cloud RegionSecurityPolicy resource. + +## Examples + +```ruby +describe google_compute_region_security_policy(project: 'chef-gcp-inspec', region: ' ', securityPolicy: ' ') do + it { should exist } + its('kind') { should cmp '' } + its('id') { should cmp '' } + its('creation_timestamp') { should cmp '' } + its('name') { should cmp '' } + its('description') { should cmp '' } + its('fingerprint') { should cmp '' } + its('self_link') { should cmp '' } + its('self_link_with_id') { should cmp '' } + its('type') { should cmp '' } + its('label_fingerprint') { should cmp '' } + its('display_name') { should cmp '' } + its('parent') { should cmp '' } + its('region') { should cmp '' } + +end + +describe google_compute_region_security_policy(project: 'chef-gcp-inspec', region: ' ', securityPolicy: ' ') do + it { should_not exist } +end +``` + +## Parameters + +Parameters that can be accessed from the `google_compute_region_security_policy` resource: + +## Properties + +Properties that can be accessed from the `google_compute_region_security_policy` resource: + + + * `user_defined_fields`: Definitions of user-defined fields for CLOUD_ARMOR_NETWORK policies. A user-defined field consists of up to 4 bytes extracted from a fixed offset in the packet, relative to the IPv4, IPv6, TCP, or UDP header, with an optional mask to select certain bits. Rules may then specify matching values for these fields. Example: userDefinedFields: - name: "ipv4_fragment_offset" base: IPV4 offset: 6 size: 2 mask: "0x1fff" + + * `name`: The name of this field. Must be unique within the policy. 
+ + * `base`: The base relative to which 'offset' is measured. Possible values are: - IPV4: Points to the beginning of the IPv4 header. - IPV6: Points to the beginning of the IPv6 header. - TCP: Points to the beginning of the TCP header, skipping over any IPv4 options or IPv6 extension headers. Not present for non-first fragments. - UDP: Points to the beginning of the UDP header, skipping over any IPv4 options or IPv6 extension headers. Not present for non-first fragments. required + Possible values: + * IPV4 + * IPV6 + * TCP + * UDP + + * `offset`: Offset of the first byte of the field (in network byte order) relative to 'base'. + + * `size`: Size of the field in bytes. Valid values: 1-4. + + * `mask`: If specified, apply this mask (bitwise AND) to the field to ignore bits before matching. Encoded as a hexadecimal number (starting with "0x"). The last byte of the field (in network byte order) corresponds to the least significant byte of the mask. + + * `kind`: [Output only] Type of the resource. Always compute#securityPolicyfor security policies + + * `id`: [Output Only] The unique identifier for the resource. This identifier is defined by the server. + + * `creation_timestamp`: [Output Only] Creation timestamp in RFC3339 text format. + + * `name`: Name of the resource. Provided by the client when the resource is created. The name must be 1-63 characters long, and comply with RFC1035. Specifically, the name must be 1-63 characters long and match the regular expression `[a-z]([-a-z0-9]*[a-z0-9])?` which means the first character must be a lowercase letter, and all following characters must be a dash, lowercase letter, or digit, except the last character, which cannot be a dash. + + * `description`: An optional description of this resource. Provide this property when you create the resource. + + * `rules`: A list of rules that belong to this policy. 
There must always be a default rule which is a rule with priority 2147483647 and match all condition (for the match condition this means match "*" for srcIpRanges and for the networkMatch condition every field must be either match "*" or not set). If no rules are provided when creating a security policy, a default rule with action "allow" will be added. + + * `kind`: [Output only] Type of the resource. Always compute#securityPolicyRule for security policy rules + + * `description`: An optional description of this resource. Provide this property when you create the resource. + + * `priority`: An integer indicating the priority of a rule in the list. The priority must be a positive value between 0 and 2147483647. Rules are evaluated from highest to lowest priority where 0 is the highest priority and 2147483647 is the lowest priority. + + * `match`: Represents a match condition that incoming traffic is evaluated against. Exactly one field must be specified. + + * `expr`: Represents a textual expression in the Common Expression Language (CEL) syntax. CEL is a C-like expression language. The syntax and semantics of CEL are documented at https://github.com/google/cel-spec. Example (Comparison): title: "Summary size limit" description: "Determines if a summary is less than 100 chars" expression: "document.summary.size() < 100" Example (Equality): title: "Requestor is owner" description: "Determines if requestor is the document owner" expression: "document.owner == request.auth.claims.email" Example (Logic): title: "Public documents" description: "Determine whether the document should be publicly visible" expression: "document.type != 'private' && document.type != 'internal'" Example (Data Manipulation): title: "Notification string" description: "Create a notification string with a timestamp." 
expression: "'New message received at ' + string(document.create_time)" The exact variables and functions that may be referenced within an expression are determined by the service that evaluates it. See the service documentation for additional information. + + * `expression`: Textual representation of an expression in Common Expression Language syntax. + + * `title`: Optional. Title for the expression, i.e. a short string describing its purpose. This can be used e.g. in UIs which allow to enter the expression. + + * `description`: Optional. Description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI. + + * `location`: Optional. String indicating the location of the expression for error reporting, e.g. a file name and a position in the file. + + * `expr_options`: + + * `recaptcha_options`: + + * `action_token_site_keys`: A list of site keys to be used during the validation of reCAPTCHA action-tokens. The provided site keys need to be created from reCAPTCHA API under the same project where the security policy is created. + + * `session_token_site_keys`: A list of site keys to be used during the validation of reCAPTCHA session-tokens. The provided site keys need to be created from reCAPTCHA API under the same project where the security policy is created. + + * `versioned_expr`: Preconfigured versioned expression. If this field is specified, config must also be specified. Available preconfigured expressions along with their requirements are: SRC_IPS_V1 - must specify the corresponding src_ip_range field in config. + Possible values: + * FIREWALL + * SRC_IPS_V1 + + * `config`: + + * `src_ip_ranges`: CIDR IP address range. Maximum number of src_ip_ranges allowed is 10. + + * `dest_ip_ranges`: CIDR IP address range. This field may only be specified when versioned_expr is set to FIREWALL. + + * `dest_ports`: Pairs of IP protocols and ports that the rule should match. 
This field may only be specified when versioned_expr is set to FIREWALL. + + * `ip_protocol`: The IP protocol to which this rule applies. The protocol type is required when creating a firewall rule. This value can either be one of the following well known protocol strings (tcp, udp, icmp, esp, ah, ipip, sctp), or the IP protocol number. + + * `ports`: An optional list of ports to which this rule applies. This field is only applicable for UDP or TCP protocol. Each entry must be either an integer or a range. If not specified, this rule applies to connections through any port. Example inputs include: ["22"], ["80","443"], and ["12345-12349"]. This field may only be specified when versioned_expr is set to FIREWALL. + + * `layer4_configs`: Pairs of IP protocols and ports that the rule should match. This field may only be specified when versioned_expr is set to FIREWALL. + + * `ip_protocol`: The IP protocol to which this rule applies. The protocol type is required when creating a firewall rule. This value can either be one of the following well known protocol strings (tcp, udp, icmp, esp, ah, ipip, sctp), or the IP protocol number. + + * `ports`: An optional list of ports to which this rule applies. This field is only applicable for UDP or TCP protocol. Each entry must be either an integer or a range. If not specified, this rule applies to connections through any port. Example inputs include: ["22"], ["80","443"], and ["12345-12349"]. This field may only be specified when versioned_expr is set to FIREWALL. + + * `network_match`: Represents a match condition that incoming network traffic is evaluated against. + + * `user_defined_fields`: User-defined fields. Each element names a defined field and lists the matching values for that field. + + * `name`: Name of the user-defined field, as given in the definition. + + * `values`: Matching values of the field. Each element can be a 32-bit unsigned decimal or hexadecimal (starting with "0x") number (e.g. "64") or range (e.g. 
"0x400-0x7ff"). + + * `src_ip_ranges`: Source IPv4/IPv6 addresses or CIDR prefixes, in standard text format. + + * `dest_ip_ranges`: Destination IPv4/IPv6 addresses or CIDR prefixes, in standard text format. + + * `ip_protocols`: IPv4 protocol / IPv6 next header (after extension headers). Each element can be an 8-bit unsigned decimal number (e.g. "6"), range (e.g. "253-254"), or one of the following protocol names: "tcp", "udp", "icmp", "esp", "ah", "ipip", or "sctp". + + * `src_ports`: Source port numbers for TCP/UDP/SCTP. Each element can be a 16-bit unsigned decimal number (e.g. "80") or range (e.g. "0-1023"). + + * `dest_ports`: Destination port numbers for TCP/UDP/SCTP. Each element can be a 16-bit unsigned decimal number (e.g. "80") or range (e.g. "0-1023"). + + * `src_region_codes`: Two-letter ISO 3166-1 alpha-2 country code associated with the source IP address. + + * `src_asns`: BGP Autonomous System Number associated with the source IP address. + + * `action`: The Action to perform when the rule is matched. The following are the valid actions: - allow: allow access to target. - deny(STATUS): deny access to target, returns the HTTP response code specified. Valid values for `STATUS` are 403, 404, and 502. - rate_based_ban: limit client traffic to the configured threshold and ban the client if the traffic exceeds the threshold. Configure parameters for this action in RateLimitOptions. Requires rate_limit_options to be set. - redirect: redirect to a different target. This can either be an internal reCAPTCHA redirect, or an external URL-based redirect via a 302 response. Parameters for this action can be configured via redirectOptions. This action is only supported in Global Security Policies of type CLOUD_ARMOR. - throttle: limit client traffic to the configured threshold. Configure parameters for this action in rateLimitOptions. Requires rate_limit_options to be set for this. + + * `preview`: If set to true, the specified action is not enforced. 
+ + * `direction`: The direction in which this rule applies. This field may only be specified when versioned_expr is set to FIREWALL. + Possible values: + * EGRESS + * INGRESS + + * `target_resources`: A list of network resource URLs to which this rule applies. This field allows you to control which network's VMs get this rule. If this field is left blank, all VMs within the organization will receive the rule. This field may only be specified when versioned_expr is set to FIREWALL. + + * `enable_logging`: Denotes whether to enable logging for a particular rule. If logging is enabled, logs will be exported to the configured export destination in Stackdriver. Logs may be exported to BigQuery or Pub/Sub. Note: you cannot enable logging on "goto_next" rules. This field may only be specified when the versioned_expr is set to FIREWALL. + + * `rule_tuple_count`: [Output Only] Calculation of the complexity of a single firewall security policy rule. + + * `rate_limit_options`: + + * `rate_limit_threshold`: + + * `count`: Number of HTTP(S) requests for calculating the threshold. + + * `interval_sec`: Interval over which the threshold is computed. + + * `conform_action`: Action to take for requests that are under the configured rate limit threshold. Valid option is "allow" only. + + * `exceed_action`: Action to take for requests that are above the configured rate limit threshold, to either deny with a specified HTTP response code, or redirect to a different endpoint. Valid options are `deny(STATUS)`, where valid values for `STATUS` are 403, 404, 429, and 502, and `redirect`, where the redirect parameters come from `exceedRedirectOptions` below. The `redirect` action is only supported in Global Security Policies of type CLOUD_ARMOR. + + * `exceed_redirect_options`: + + * `type`: Type of the redirect action. + Possible values: + * EXTERNAL_302 + * GOOGLE_RECAPTCHA + + * `target`: Target for the redirect action. 
This is required if the type is EXTERNAL_302 and cannot be specified for GOOGLE_RECAPTCHA. + + * `exceed_action_rpc_status`: Simplified google.rpc.Status type (omitting details). + + * `code`: The status code, which should be an enum value of google.rpc.Code. + + * `message`: A developer-facing error message, which should be in English. + + * `enforce_on_key`: Determines the key to enforce the rate_limit_threshold on. Possible values are: - ALL: A single rate limit threshold is applied to all the requests matching this rule. This is the default value if "enforceOnKey" is not configured. - IP: The source IP address of the request is the key. Each IP has this limit enforced separately. - HTTP_HEADER: The value of the HTTP header whose name is configured under "enforceOnKeyName". The key value is truncated to the first 128 bytes of the header value. If no such header is present in the request, the key type defaults to ALL. - XFF_IP: The first IP address (i.e. the originating client IP address) specified in the list of IPs under X-Forwarded-For HTTP header. If no such header is present or the value is not a valid IP, the key defaults to the source IP address of the request i.e. key type IP. - HTTP_COOKIE: The value of the HTTP cookie whose name is configured under "enforceOnKeyName". The key value is truncated to the first 128 bytes of the cookie value. If no such cookie is present in the request, the key type defaults to ALL. - HTTP_PATH: The URL path of the HTTP request. The key value is truncated to the first 128 bytes. - SNI: Server name indication in the TLS session of the HTTPS request. The key value is truncated to the first 128 bytes. The key type defaults to ALL on a HTTP session. - REGION_CODE: The country/region from which the request originates. - TLS_JA3_FINGERPRINT: JA3 TLS/SSL fingerprint if the client connects using HTTPS, HTTP/2 or HTTP/3. If not available, the key type defaults to ALL. 
- USER_IP: The IP address of the originating client, which is resolved based on "userIpRequestHeaders" configured with the security policy. If there is no "userIpRequestHeaders" configuration or an IP address cannot be resolved from it, the key type defaults to IP. + Possible values: + * ALL + * ALL_IPS + * HTTP_COOKIE + * HTTP_HEADER + * HTTP_PATH + * IP + * REGION_CODE + * SNI + * TLS_JA3_FINGERPRINT + * USER_IP + * XFF_IP + + * `enforce_on_key_name`: Rate limit key name applicable only for the following key types: HTTP_HEADER -- Name of the HTTP header whose value is taken as the key value. HTTP_COOKIE -- Name of the HTTP cookie whose value is taken as the key value. + + * `enforce_on_key_configs`: If specified, any combination of values of enforce_on_key_type/enforce_on_key_name is treated as the key on which ratelimit threshold/action is enforced. You can specify up to 3 enforce_on_key_configs. If enforce_on_key_configs is specified, enforce_on_key must not be specified. + + * `enforce_on_key_type`: Determines the key to enforce the rate_limit_threshold on. Possible values are: - ALL: A single rate limit threshold is applied to all the requests matching this rule. This is the default value if "enforceOnKeyConfigs" is not configured. - IP: The source IP address of the request is the key. Each IP has this limit enforced separately. - HTTP_HEADER: The value of the HTTP header whose name is configured under "enforceOnKeyName". The key value is truncated to the first 128 bytes of the header value. If no such header is present in the request, the key type defaults to ALL. - XFF_IP: The first IP address (i.e. the originating client IP address) specified in the list of IPs under X-Forwarded-For HTTP header. If no such header is present or the value is not a valid IP, the key defaults to the source IP address of the request i.e. key type IP. - HTTP_COOKIE: The value of the HTTP cookie whose name is configured under "enforceOnKeyName". 
The key value is truncated to the first 128 bytes of the cookie value. If no such cookie is present in the request, the key type defaults to ALL. - HTTP_PATH: The URL path of the HTTP request. The key value is truncated to the first 128 bytes. - SNI: Server name indication in the TLS session of the HTTPS request. The key value is truncated to the first 128 bytes. The key type defaults to ALL on a HTTP session. - REGION_CODE: The country/region from which the request originates. - TLS_JA3_FINGERPRINT: JA3 TLS/SSL fingerprint if the client connects using HTTPS, HTTP/2 or HTTP/3. If not available, the key type defaults to ALL. - USER_IP: The IP address of the originating client, which is resolved based on "userIpRequestHeaders" configured with the security policy. If there is no "userIpRequestHeaders" configuration or an IP address cannot be resolved from it, the key type defaults to IP. + Possible values: + * ALL + * ALL_IPS + * HTTP_COOKIE + * HTTP_HEADER + * HTTP_PATH + * IP + * REGION_CODE + * SNI + * TLS_JA3_FINGERPRINT + * USER_IP + * XFF_IP + + * `enforce_on_key_name`: Rate limit key name applicable only for the following key types: HTTP_HEADER -- Name of the HTTP header whose value is taken as the key value. HTTP_COOKIE -- Name of the HTTP cookie whose value is taken as the key value. + + * `ban_threshold`: + + * `count`: Number of HTTP(S) requests for calculating the threshold. + + * `interval_sec`: Interval over which the threshold is computed. + + * `ban_duration_sec`: Can only be specified if the action for the rule is "rate_based_ban". If specified, determines the time (in seconds) the traffic will continue to be banned by the rate limit after the rate falls below the threshold. + + * `target_service_accounts`: A list of service accounts indicating the sets of instances that are applied with this rule. + + * `rule_number`: Identifier for the rule. This is only unique within the given security policy. 
This can only be set during rule creation, if rule number is not specified it will be generated by the server. + + * `redirect_target`: This must be specified for redirect actions. Cannot be specified for any other actions. + + * `header_action`: + + * `request_headers_to_adds`: The list of request headers to add or overwrite if they're already present. + + * `header_name`: The name of the header to set. + + * `header_value`: The value to set the named header to. + + * `redirect_options`: + + * `type`: Type of the redirect action. + Possible values: + * EXTERNAL_302 + * GOOGLE_RECAPTCHA + + * `target`: Target for the redirect action. This is required if the type is EXTERNAL_302 and cannot be specified for GOOGLE_RECAPTCHA. + + * `rule_managed_protection_tier`: [Output Only] The minimum managed protection tier required for this rule. [Deprecated] Use requiredManagedProtectionTiers instead. + Possible values: + * CAMP_PLUS_ANNUAL + * CAMP_PLUS_PAYGO + * CA_STANDARD + + * `preconfigured_waf_config`: + + * `exclusions`: A list of exclusions to apply during preconfigured WAF evaluation. + + * `target_rule_set`: Target WAF rule set to apply the preconfigured WAF exclusion. + + * `target_rule_ids`: A list of target rule IDs under the WAF rule set to apply the preconfigured WAF exclusion. If omitted, it refers to all the rule IDs under the WAF rule set. + + * `request_headers_to_exclude`: A list of request header names whose value will be excluded from inspection during preconfigured WAF evaluation. + + * `val`: The value of the field. + + * `op`: The match operator for the field. + Possible values: + * CONTAINS + * ENDS_WITH + * EQUALS + * EQUALS_ANY + * STARTS_WITH + + * `request_cookies_to_exclude`: A list of request cookie names whose value will be excluded from inspection during preconfigured WAF evaluation. + + * `val`: The value of the field. + + * `op`: The match operator for the field. 
+ Possible values: + * CONTAINS + * ENDS_WITH + * EQUALS + * EQUALS_ANY + * STARTS_WITH + + * `request_query_params_to_exclude`: A list of request query parameter names whose value will be excluded from inspection during preconfigured WAF evaluation. Note that the parameter can be in the query string or in the POST body. + + * `val`: The value of the field. + + * `op`: The match operator for the field. + Possible values: + * CONTAINS + * ENDS_WITH + * EQUALS + * EQUALS_ANY + * STARTS_WITH + + * `request_uris_to_exclude`: A list of request URIs from the request line to be excluded from inspection during preconfigured WAF evaluation. When specifying this field, the query or fragment part should be excluded. + + * `val`: The value of the field. + + * `op`: The match operator for the field. + Possible values: + * CONTAINS + * ENDS_WITH + * EQUALS + * EQUALS_ANY + * STARTS_WITH + + * `cloud_armor_config`: Configuration options for Cloud Armor. + + * `enable_ml`: If set to true, enables Cloud Armor Machine Learning. + + * `adaptive_protection_config`: Configuration options for Cloud Armor Adaptive Protection (CAAP). + + * `layer7_ddos_defense_config`: Configuration options for L7 DDoS detection. This field is only supported in Global Security Policies of type CLOUD_ARMOR. + + * `enable`: If set to true, enables CAAP for L7 DDoS detection. This field is only supported in Global Security Policies of type CLOUD_ARMOR. + + * `rule_visibility`: Rule visibility can be one of the following: STANDARD - opaque rules. (default) PREMIUM - transparent rules. This field is only supported in Global Security Policies of type CLOUD_ARMOR. + Possible values: + * PREMIUM + * STANDARD + + * `threshold_configs`: Configuration options for layer7 adaptive protection for various customizable thresholds. + + * `name`: The name must be 1-63 characters long, and comply with RFC1035. The name must be unique within the security policy. 
+ + * `auto_deploy_load_threshold`: + + * `auto_deploy_confidence_threshold`: + + * `auto_deploy_impacted_baseline_threshold`: + + * `auto_deploy_expiration_sec`: + + * `detection_load_threshold`: + + * `detection_absolute_qps`: + + * `detection_relative_to_baseline_qps`: + + * `traffic_granularity_configs`: Configuration options for enabling Adaptive Protection to operate on specified granular traffic units. + + * `type`: Type of this configuration. + Possible values: + * HTTP_HEADER_HOST + * HTTP_PATH + * UNSPECIFIED_TYPE + + * `value`: Requests that match this value constitute a granular traffic unit. + + * `enable_each_unique_value`: If enabled, traffic matching each unique value for the specified type constitutes a separate traffic unit. It can only be set to true if `value` is empty. + + * `auto_deploy_config`: Configuration options for Adaptive Protection auto-deploy feature. + + * `load_threshold`: + + * `confidence_threshold`: + + * `impacted_baseline_threshold`: + + * `expiration_sec`: + + * `ddos_protection_config`: + + * `ddos_protection`: + Possible values: + * ADVANCED + * ADVANCED_PREVIEW + * STANDARD + + * `advanced_options_config`: + + * `json_parsing`: + Possible values: + * DISABLED + * STANDARD + * STANDARD_WITH_GRAPHQL + + * `json_custom_config`: + + * `content_types`: A list of custom Content-Type header values to apply the JSON parsing. As per RFC 1341, a Content-Type header value has the following format: Content-Type := type "/" subtype *[";" parameter] When configuring a custom Content-Type header value, only the type/subtype needs to be specified, and the parameters should be excluded. + + * `log_level`: + Possible values: + * NORMAL + * VERBOSE + + * `user_ip_request_headers`: An optional list of case-insensitive request header names to use for resolving the callers client IP address. 
+ + * `recaptcha_options_config`: + + * `redirect_site_key`: An optional field to supply a reCAPTCHA site key to be used for all the rules using the redirect action with the type of GOOGLE_RECAPTCHA under the security policy. The specified site key needs to be created from the reCAPTCHA API. The user is responsible for the validity of the specified site key. If not specified, a Google-managed site key is used. This field is only supported in Global Security Policies of type CLOUD_ARMOR. + + * `fingerprint`: Specifies a fingerprint for this resource, which is essentially a hash of the metadata's contents and used for optimistic locking. The fingerprint is initially generated by Compute Engine and changes after every request to modify or update metadata. You must always provide an up-to-date fingerprint hash in order to update or change metadata, otherwise the request will fail with error 412 conditionNotMet. To see the latest fingerprint, make get() request to the security policy. + + * `self_link`: [Output Only] Server-defined URL for the resource. + + * `self_link_with_id`: [Output Only] Server-defined URL for this resource with the resource id. + + * `type`: The type indicates the intended use of the security policy. - CLOUD_ARMOR: Cloud Armor backend security policies can be configured to filter incoming HTTP requests targeting backend services. They filter requests before they hit the origin servers. - CLOUD_ARMOR_EDGE: Cloud Armor edge security policies can be configured to filter incoming HTTP requests targeting backend services (including Cloud CDN-enabled) as well as backend buckets (Cloud Storage). They filter requests before the request is served from Google's cache. - CLOUD_ARMOR_INTERNAL_SERVICE: Cloud Armor internal service policies can be configured to filter HTTP requests targeting services managed by Traffic Director in a service mesh. They filter requests before the request is served from the application. 
- CLOUD_ARMOR_NETWORK: Cloud Armor network policies can be configured to filter packets targeting network load balancing resources such as backend services, target pools, target instances, and instances with external IPs. They filter requests before the request is served from the application. This field can be set only at resource creation time. + Possible values: + * CLOUD_ARMOR + * CLOUD_ARMOR_EDGE + * CLOUD_ARMOR_INTERNAL_SERVICE + * CLOUD_ARMOR_NETWORK + * FIREWALL + + * `associations`: A list of associations that belong to this policy. + + * `name`: The name for an association. + + * `attachment_id`: The resource that the security policy is attached to. + + * `security_policy_id`: [Output Only] The security policy ID of the association. + + * `display_name`: [Output Only] The display name of the security policy of the association. + + * `labels`: Labels for this resource. These can only be added or modified by the setLabels method. Each label key/value pair must comply with RFC1035. Label values may be empty. + + * `additional_properties`: + + * `label_fingerprint`: A fingerprint for the labels being applied to this security policy, which is essentially a hash of the labels set used for optimistic locking. The fingerprint is initially generated by Compute Engine and changes after every request to modify or update labels. You must always provide an up-to-date fingerprint hash in order to update or change labels. To see the latest fingerprint, make get() request to the security policy. + + * `rule_tuple_count`: [Output Only] Total count of all security policy rule tuples. A security policy can not exceed a set number of tuples. + + * `display_name`: User-provided name of the organization security policy. The name should be unique in the organization in which the security policy is created. This should only be used when SecurityPolicyType is FIREWALL. The name must be 1-63 characters long, and comply with https://www.ietf.org/rfc/rfc1035.txt. 
Specifically, the name must be 1-63 characters long and match the regular expression `[a-z]([-a-z0-9]*[a-z0-9])?` which means the first character must be a lowercase letter, and all following characters must be a dash, lowercase letter, or digit, except the last character, which cannot be a dash. + + * `parent`: [Output Only] The parent of the security policy. + + * `region`: [Output Only] URL of the region where the regional security policy resides. This field is not applicable to global security policies. + + +## GCP permissions + +Ensure the [Compute Engine API](https://console.cloud.google.com/apis/library/compute.googleapis.com/) is enabled for the current project. diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_region_ssl_policies.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_region_ssl_policies.md new file mode 100644 index 0000000..b497fd0 --- /dev/null +++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_region_ssl_policies.md 
@@ -0,0 +1,52 @@ ++++ +title = "google_compute_region_ssl_policies resource" + +draft = false + + +[menu.gcp] +title = "google_compute_region_ssl_policies" +identifier = "inspec/resources/gcp/google_compute_region_ssl_policies resource" +parent = "inspec/resources/gcp" ++++ + +Use the `google_compute_region_ssl_policies` InSpec audit resource to to test a Google Cloud RegionSslPolicy resource. + +## Examples + +```ruby + describe google_compute_region_ssl_policies(project: 'chef-gcp-inspec', region: ' value_region') do + it { should exist } + end +``` + +## Properties + +Properties that can be accessed from the `google_compute_region_ssl_policies` resource: + +See [google_compute_region_ssl_policy](google_compute_region_ssl_policy) for more detailed information. + + * `kinds`: an array of `google_compute_region_ssl_policy` kind + * `ids`: an array of `google_compute_region_ssl_policy` id + * `creation_timestamps`: an array of `google_compute_region_ssl_policy` creation_timestamp + * `self_links`: an array of `google_compute_region_ssl_policy` self_link + * `self_link_with_ids`: an array of `google_compute_region_ssl_policy` self_link_with_id + * `names`: an array of `google_compute_region_ssl_policy` name + * `descriptions`: an array of `google_compute_region_ssl_policy` description + * `profiles`: an array of `google_compute_region_ssl_policy` profile + * `min_tls_versions`: an array of `google_compute_region_ssl_policy` min_tls_version + * `enabled_features`: an array of `google_compute_region_ssl_policy` enabled_features + * `custom_features`: an array of `google_compute_region_ssl_policy` custom_features + * `fingerprints`: an array of `google_compute_region_ssl_policy` fingerprint + * `warnings`: an array of `google_compute_region_ssl_policy` warnings + * `tls_settings`: an array of `google_compute_region_ssl_policy` tls_settings + * `regions`: an array of `google_compute_region_ssl_policy` region + +## Filter criteria + +This resource supports all of the 
above properties as filter criteria, which can be used +with `where` as a block or a method. + +## GCP permissions + +Ensure the [Compute Engine API](https://console.cloud.google.com/apis/library/compute.googleapis.com/) is enabled for the current project. diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_region_ssl_policy.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_region_ssl_policy.md new file mode 100644 index 0000000..442ddcd --- /dev/null +++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_region_ssl_policy.md 
@@ -0,0 +1,227 @@ ++++ +title = "google_compute_region_ssl_policy resource" + +draft = false + + +[menu.gcp] +title = "google_compute_region_ssl_policy" +identifier = "inspec/resources/gcp/google_compute_region_ssl_policy resource" +parent = "inspec/resources/gcp" ++++ + +Use the `google_compute_region_ssl_policy` InSpec audit resource to to test a Google Cloud RegionSslPolicy resource. + +## Examples + +```ruby +describe google_compute_region_ssl_policy(project: 'chef-gcp-inspec', region: ' value_region', sslPolicy: ' ') do + it { should exist } + its('kind') { should cmp 'value_kind' } + its('id') { should cmp 'value_id' } + its('creation_timestamp') { should cmp 'value_creationtimestamp' } + its('self_link') { should cmp 'value_selflink' } + its('self_link_with_id') { should cmp 'value_selflinkwithid' } + its('name') { should cmp 'value_name' } + its('description') { should cmp 'value_description' } + its('profile') { should cmp 'value_profile' } + its('min_tls_version') { should cmp 'value_mintlsversion' } + its('fingerprint') { should cmp 'value_fingerprint' } + its('region') { should cmp 'value_region' } + +end + +describe google_compute_region_ssl_policy(project: 'chef-gcp-inspec', region: ' value_region', sslPolicy: ' ') do + it { should_not exist } +end +``` + +## Properties + +Properties that can be accessed from the `google_compute_region_ssl_policy` resource: + + + * `kind`: [Output only] Type of the resource. Always compute#sslPolicyfor SSL policies. + + * `id`: [Output Only] The unique identifier for the resource. This identifier is defined by the server. + + * `creation_timestamp`: [Output Only] Creation timestamp in RFC3339 text format. + + * `self_link`: [Output Only] Server-defined URL for the resource. + + * `self_link_with_id`: [Output Only] Server-defined URL for this resource with the resource id. + + * `name`: Name of the resource. The name must be 1-63 characters long, and comply with RFC1035. 
Specifically, the name must be 1-63 characters long and match the regular expression `[a-z]([-a-z0-9]*[a-z0-9])?` which means the first character must be a lowercase letter, and all following characters must be a dash, lowercase letter, or digit, except the last character, which cannot be a dash. + + * `description`: An optional description of this resource. Provide this property when you create the resource. + + * `profile`: Profile specifies the set of SSL features that can be used by the load balancer when negotiating SSL with clients. This can be one of COMPATIBLE, MODERN, RESTRICTED, or CUSTOM. If using CUSTOM, the set of SSL features to enable must be specified in the customFeatures field. + Possible values: + * COMPATIBLE + * CUSTOM + * MODERN + * RESTRICTED + + * `min_tls_version`: The minimum version of SSL protocol that can be used by the clients to establish a connection with the load balancer. This can be one of TLS_1_0, TLS_1_1, TLS_1_2. + Possible values: + * TLS_1_0 + * TLS_1_1 + * TLS_1_2 + + * `enabled_features`: [Output Only] The list of features enabled in the SSL policy. + + * `custom_features`: A list of features enabled when the selected profile is CUSTOM. The method returns the set of features that can be specified in this list. This field must be empty if the profile is not CUSTOM. + + * `fingerprint`: Fingerprint of this resource. A hash of the contents stored in this object. This field is used in optimistic locking. This field will be ignored when inserting a SslPolicy. An up-to-date fingerprint must be provided in order to update the SslPolicy, otherwise the request will fail with error 412 conditionNotMet. To see the latest fingerprint, make a get() request to retrieve an SslPolicy. + + * `warnings`: [Output Only] If potential misconfigurations are detected for this SSL policy, this field will be populated with warning messages. + + * `code`: [Output Only] A warning code, if applicable. 
For example, Compute Engine returns NO_RESULTS_ON_PAGE if there are no results in the response. + Possible values: + * CLEANUP_FAILED + * DEPRECATED_RESOURCE_USED + * DEPRECATED_TYPE_USED + * DISK_SIZE_LARGER_THAN_IMAGE_SIZE + * EXPERIMENTAL_TYPE_USED + * EXTERNAL_API_WARNING + * FIELD_VALUE_OVERRIDEN + * INJECTED_KERNELS_DEPRECATED + * INVALID_HEALTH_CHECK_FOR_DYNAMIC_WIEGHTED_LB + * LARGE_DEPLOYMENT_WARNING + * LIST_OVERHEAD_QUOTA_EXCEED + * MISSING_TYPE_DEPENDENCY + * NEXT_HOP_ADDRESS_NOT_ASSIGNED + * NEXT_HOP_CANNOT_IP_FORWARD + * NEXT_HOP_INSTANCE_HAS_NO_IPV6_INTERFACE + * NEXT_HOP_INSTANCE_NOT_FOUND + * NEXT_HOP_INSTANCE_NOT_ON_NETWORK + * NEXT_HOP_NOT_RUNNING + * NOT_CRITICAL_ERROR + * NO_RESULTS_ON_PAGE + * PARTIAL_SUCCESS + * REQUIRED_TOS_AGREEMENT + * RESOURCE_IN_USE_BY_OTHER_RESOURCE_WARNING + * RESOURCE_NOT_DELETED + * SCHEMA_VALIDATION_IGNORED + * SINGLE_INSTANCE_PROPERTY_TEMPLATE + * UNDECLARED_PROPERTIES + * UNREACHABLE + + * `message`: [Output Only] A human-readable description of the warning code. + + * `data`: [Output Only] Metadata about this warning in key: value format. For example: "data": [ { "key": "scope", "value": "zones/us-east1-d" } + + * `key`: [Output Only] A key that provides more detail on the warning being returned. For example, for warnings where there are no results in a list request for a particular zone, this key might be scope and the key value might be the zone name. Other examples might be a key indicating a deprecated resource and a suggested replacement, or a warning about invalid network settings (for example, if an instance attempts to perform IP forwarding but is not enabled for IP forwarding). + + * `value`: [Output Only] A warning data value corresponding to the key. + + * `tls_settings`: The TLS settings for the server. + + * `tls_mode`: Indicates whether connections should be secured using TLS. The value of this field determines how TLS is enforced. 
This field can be set to one of the following: - SIMPLE Secure connections with standard TLS semantics. - MUTUAL Secure connections to the backends using mutual TLS by presenting client certificates for authentication. + Possible values: + * INVALID + * MUTUAL + * SIMPLE + + * `proxy_tls_context`: [Deprecated] The TLS settings for the client or server. The TLS settings for the client or server. + + * `certificate_context`: [Deprecated] Defines the mechanism to obtain the client or server certificate. Defines the mechanism to obtain the client or server certificate. + + * `certificate_source`: Defines how TLS certificates are obtained. + Possible values: + * INVALID + * USE_PATH + * USE_SDS + + * `certificate_paths`: [Deprecated] The paths to the mounted TLS Certificates and private key. The paths to the mounted TLS Certificates and private key. + + * `certificate_path`: The path to the file holding the client or server TLS certificate to use. + + * `private_key_path`: The path to the file holding the client or server private key. + + * `sds_config`: [Deprecated] The configuration to access the SDS server. The configuration to access the SDS server. + + * `grpc_service_config`: [Deprecated] gRPC config to access the SDS server. gRPC config to access the SDS server. + + * `target_uri`: The target URI of the SDS server. + + * `channel_credentials`: [Deprecated] gRPC channel credentials to access the SDS server. gRPC channel credentials to access the SDS server. + + * `channel_credential_type`: The channel credentials to access the SDS server. This field can be set to one of the following: CERTIFICATES: Use TLS certificates to access the SDS server. GCE_VM: Use local GCE VM credentials to access the SDS server. + Possible values: + * CERTIFICATES + * GCE_VM + * INVALID + + * `certificates`: [Deprecated] The paths to the mounted TLS Certificates and private key. The paths to the mounted TLS Certificates and private key. 
+ + * `certificate_path`: The path to the file holding the client or server TLS certificate to use. + + * `private_key_path`: The path to the file holding the client or server private key. + + * `call_credentials`: [Deprecated] gRPC call credentials to access the SDS server. gRPC call credentials to access the SDS server. + + * `call_credential_type`: The type of call credentials to use for GRPC requests to the SDS server. This field can be set to one of the following: - GCE_VM: The local GCE VM service account credentials are used to access the SDS server. - FROM_PLUGIN: Custom authenticator credentials are used to access the SDS server. + Possible values: + * FROM_PLUGIN + * GCE_VM + * INVALID + + * `from_plugin`: [Deprecated] Custom authenticator credentials. Custom authenticator credentials. + + * `name`: Plugin name. + + * `struct_config`: A text proto that conforms to a Struct type definition interpreted by the plugin. + + * `validation_context`: [Deprecated] Defines the mechanism to obtain the Certificate Authority certificate to validate the client/server certificate. validate the client/server certificate. + + * `validation_source`: Defines how TLS certificates are obtained. + Possible values: + * INVALID + * USE_PATH + * USE_SDS + + * `certificate_path`: The path to the file holding the CA certificate to validate the client or server certificate. + + * `sds_config`: [Deprecated] The configuration to access the SDS server. The configuration to access the SDS server. + + * `grpc_service_config`: [Deprecated] gRPC config to access the SDS server. gRPC config to access the SDS server. + + * `target_uri`: The target URI of the SDS server. + + * `channel_credentials`: [Deprecated] gRPC channel credentials to access the SDS server. gRPC channel credentials to access the SDS server. + + * `channel_credential_type`: The channel credentials to access the SDS server. 
This field can be set to one of the following: CERTIFICATES: Use TLS certificates to access the SDS server. GCE_VM: Use local GCE VM credentials to access the SDS server. + Possible values: + * CERTIFICATES + * GCE_VM + * INVALID + + * `certificates`: [Deprecated] The paths to the mounted TLS Certificates and private key. The paths to the mounted TLS Certificates and private key. + + * `certificate_path`: The path to the file holding the client or server TLS certificate to use. + + * `private_key_path`: The path to the file holding the client or server private key. + + * `call_credentials`: [Deprecated] gRPC call credentials to access the SDS server. gRPC call credentials to access the SDS server. + + * `call_credential_type`: The type of call credentials to use for GRPC requests to the SDS server. This field can be set to one of the following: - GCE_VM: The local GCE VM service account credentials are used to access the SDS server. - FROM_PLUGIN: Custom authenticator credentials are used to access the SDS server. + Possible values: + * FROM_PLUGIN + * GCE_VM + * INVALID + + * `from_plugin`: [Deprecated] Custom authenticator credentials. Custom authenticator credentials. + + * `name`: Plugin name. + + * `struct_config`: A text proto that conforms to a Struct type definition interpreted by the plugin. + + * `subject_alt_names`: A list of alternate names to verify the subject identity in the certificate presented by the client. + + * `region`: [Output Only] URL of the region where the regional SSL policy resides. This field is not applicable to global SSL policies. + + +## GCP permissions + +Ensure the [Compute Engine API](https://console.cloud.google.com/apis/library/compute.googleapis.com/) is enabled for the current project. 
diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_region_target_http_proxies.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_region_target_http_proxies.md new file mode 100644 index 0000000..922c8c4 --- /dev/null +++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_region_target_http_proxies.md 
@@ -0,0 +1,50 @@ ++++ +title = "google_compute_region_target_http_proxies resource" + +draft = false + + +[menu.gcp] +title = "google_compute_region_target_http_proxies" +identifier = "inspec/resources/gcp/google_compute_region_target_http_proxies resource" +parent = "inspec/resources/gcp" ++++ + +Use the `google_compute_region_target_http_proxies` InSpec audit resource to to test a Google Cloud RegionTargetHttpProxy resource. + +## Examples + +```ruby + describe google_compute_region_target_http_proxies(project: 'chef-gcp-inspec', region: ' value_region') do + it { should exist } + end +``` + +## Properties + +Properties that can be accessed from the `google_compute_region_target_http_proxies` resource: + +See [google_compute_region_target_http_proxy](google_compute_region_target_http_proxy) for more detailed information. + + * `kinds`: an array of `google_compute_region_target_http_proxy` kind + * `ids`: an array of `google_compute_region_target_http_proxy` id + * `creation_timestamps`: an array of `google_compute_region_target_http_proxy` creation_timestamp + * `names`: an array of `google_compute_region_target_http_proxy` name + * `descriptions`: an array of `google_compute_region_target_http_proxy` description + * `self_links`: an array of `google_compute_region_target_http_proxy` self_link + * `self_link_with_ids`: an array of `google_compute_region_target_http_proxy` self_link_with_id + * `url_maps`: an array of `google_compute_region_target_http_proxy` url_map + * `regions`: an array of `google_compute_region_target_http_proxy` region + * `proxy_binds`: an array of `google_compute_region_target_http_proxy` proxy_bind + * `http_filters`: an array of `google_compute_region_target_http_proxy` http_filters + * `fingerprints`: an array of `google_compute_region_target_http_proxy` fingerprint + * `http_keep_alive_timeout_secs`: an array of `google_compute_region_target_http_proxy` http_keep_alive_timeout_sec + +## Filter criteria + +This resource supports all of 
the above properties as filter criteria, which can be used +with `where` as a block or a method. + +## GCP permissions + +Ensure the [Compute Engine API](https://console.cloud.google.com/apis/library/compute.googleapis.com/) is enabled for the current project. diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_region_target_http_proxy.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_region_target_http_proxy.md new file mode 100644 index 0000000..77a0b0b --- /dev/null +++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_region_target_http_proxy.md 
@@ -0,0 +1,72 @@ ++++ +title = "google_compute_region_target_http_proxy resource" + +draft = false + + +[menu.gcp] +title = "google_compute_region_target_http_proxy" +identifier = "inspec/resources/gcp/google_compute_region_target_http_proxy resource" +parent = "inspec/resources/gcp" ++++ + +Use the `google_compute_region_target_http_proxy` InSpec audit resource to to test a Google Cloud RegionTargetHttpProxy resource. + +## Examples + +```ruby +describe google_compute_region_target_http_proxy(project: 'chef-gcp-inspec', region: ' value_region', targetHttpProxy: ' ') do + it { should exist } + its('kind') { should cmp 'value_kind' } + its('id') { should cmp 'value_id' } + its('creation_timestamp') { should cmp 'value_creationtimestamp' } + its('name') { should cmp 'value_name' } + its('description') { should cmp 'value_description' } + its('self_link') { should cmp 'value_selflink' } + its('self_link_with_id') { should cmp 'value_selflinkwithid' } + its('url_map') { should cmp 'value_urlmap' } + its('region') { should cmp 'value_region' } + its('fingerprint') { should cmp 'value_fingerprint' } + +end + +describe google_compute_region_target_http_proxy(project: 'chef-gcp-inspec', region: ' value_region', targetHttpProxy: ' ') do + it { should_not exist } +end +``` + +## Properties + +Properties that can be accessed from the `google_compute_region_target_http_proxy` resource: + + + * `kind`: [Output Only] Type of resource. Always compute#targetHttpProxy for target HTTP proxies. + + * `id`: [Output Only] The unique identifier for the resource. This identifier is defined by the server. + + * `creation_timestamp`: [Output Only] Creation timestamp in RFC3339 text format. + + * `name`: Name of the resource. Provided by the client when the resource is created. The name must be 1-63 characters long, and comply with RFC1035. 
Specifically, the name must be 1-63 characters long and match the regular expression `[a-z]([-a-z0-9]*[a-z0-9])?` which means the first character must be a lowercase letter, and all following characters must be a dash, lowercase letter, or digit, except the last character, which cannot be a dash. + + * `description`: An optional description of this resource. Provide this property when you create the resource. + + * `self_link`: [Output Only] Server-defined URL for the resource. + + * `self_link_with_id`: [Output Only] Server-defined URL for this resource with the resource id. + + * `url_map`: URL to the UrlMap resource that defines the mapping from URL to the BackendService. + + * `region`: [Output Only] URL of the region where the regional Target HTTP Proxy resides. This field is not applicable to global Target HTTP Proxies. + + * `proxy_bind`: This field only applies when the forwarding rule that references this target proxy has a loadBalancingScheme set to INTERNAL_SELF_MANAGED. When this field is set to true, Envoy proxies set up inbound traffic interception and bind to the IP address and port specified in the forwarding rule. This is generally useful when using Traffic Director to configure Envoy as a gateway or middle proxy (in other words, not a sidecar proxy). The Envoy proxy listens for inbound requests and handles requests when it receives them. The default is false. + + * `http_filters`: URLs to networkservices.HttpFilter resources enabled for xDS clients using this configuration. For example, https://networkservices.googleapis.com/v1alpha1/projects/project/locations/ locationhttpFilters/httpFilter Only filters that handle outbound connection and stream events may be specified. These filters work in conjunction with a default set of HTTP filters that may already be configured by Traffic Director. Traffic Director will determine the final location of these filters within xDS configuration based on the name of the HTTP filter. 
If Traffic Director positions multiple filters at the same location, those filters will be in the same order as specified in this list. httpFilters only applies for loadbalancers with loadBalancingScheme set to INTERNAL_SELF_MANAGED. See ForwardingRule for more details. + + * `fingerprint`: Fingerprint of this resource. A hash of the contents stored in this object. This field is used in optimistic locking. This field will be ignored when inserting a TargetHttpProxy. An up-to-date fingerprint must be provided in order to patch/update the TargetHttpProxy; otherwise, the request will fail with error 412 conditionNotMet. To see the latest fingerprint, make a get() request to retrieve the TargetHttpProxy. + + * `http_keep_alive_timeout_sec`: Specifies how long to keep a connection open, after completing a response, while there is no matching traffic (in seconds). If an HTTP keep-alive is not specified, a default value (610 seconds) will be used. For global external Application Load Balancers, the minimum allowed value is 5 seconds and the maximum allowed value is 1200 seconds. For classic Application Load Balancers, this option is not supported. + + +## GCP permissions + +Ensure the [Compute Engine API](https://console.cloud.google.com/apis/library/compute.googleapis.com/) is enabled for the current project. diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_region_target_https_proxies.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_region_target_https_proxies.md new file mode 100644 index 0000000..34c498f --- /dev/null +++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_region_target_https_proxies.md 
@@ -0,0 +1,59 @@ ++++ +title = "google_compute_region_target_https_proxies resource" + +draft = false + + +[menu.gcp] +title = "google_compute_region_target_https_proxies" +identifier = "inspec/resources/gcp/google_compute_region_target_https_proxies resource" +parent = "inspec/resources/gcp" ++++ + +Use the `google_compute_region_target_https_proxies` InSpec audit resource to to test a Google Cloud RegionTargetHttpsProxy resource. + +## Examples + +```ruby + describe google_compute_region_target_https_proxies(project: 'chef-gcp-inspec', region: ' value_region') do + it { should exist } + end +``` + +## Properties + +Properties that can be accessed from the `google_compute_region_target_https_proxies` resource: + +See [google_compute_region_target_https_proxy](google_compute_region_target_https_proxy) for more detailed information. + + * `kinds`: an array of `google_compute_region_target_https_proxy` kind + * `ids`: an array of `google_compute_region_target_https_proxy` id + * `creation_timestamps`: an array of `google_compute_region_target_https_proxy` creation_timestamp + * `names`: an array of `google_compute_region_target_https_proxy` name + * `descriptions`: an array of `google_compute_region_target_https_proxy` description + * `self_links`: an array of `google_compute_region_target_https_proxy` self_link + * `self_link_with_ids`: an array of `google_compute_region_target_https_proxy` self_link_with_id + * `url_maps`: an array of `google_compute_region_target_https_proxy` url_map + * `ssl_certificates`: an array of `google_compute_region_target_https_proxy` ssl_certificates + * `certificate_maps`: an array of `google_compute_region_target_https_proxy` certificate_map + * `quic_overrides`: an array of `google_compute_region_target_https_proxy` quic_override + * `ssl_policies`: an array of `google_compute_region_target_https_proxy` ssl_policy + * `regions`: an array of `google_compute_region_target_https_proxy` region + * `proxy_binds`: an array of 
`google_compute_region_target_https_proxy` proxy_bind + * `http_filters`: an array of `google_compute_region_target_https_proxy` http_filters + * `server_tls_policies`: an array of `google_compute_region_target_https_proxy` server_tls_policy + * `authentications`: an array of `google_compute_region_target_https_proxy` authentication + * `authorization_policies`: an array of `google_compute_region_target_https_proxy` authorization_policy + * `authorizations`: an array of `google_compute_region_target_https_proxy` authorization + * `fingerprints`: an array of `google_compute_region_target_https_proxy` fingerprint + * `http_keep_alive_timeout_secs`: an array of `google_compute_region_target_https_proxy` http_keep_alive_timeout_sec + * `tls_early_data`: an array of `google_compute_region_target_https_proxy` tls_early_data + +## Filter criteria + +This resource supports all of the above properties as filter criteria, which can be used +with `where` as a block or a method. + +## GCP permissions + +Ensure the [Compute Engine API](https://console.cloud.google.com/apis/library/compute.googleapis.com/) is enabled for the current project. diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_region_target_https_proxy.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_region_target_https_proxy.md new file mode 100644 index 0000000..5e37468 --- /dev/null +++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_region_target_https_proxy.md 
@@ -0,0 +1,106 @@ ++++ +title = "google_compute_region_target_https_proxy resource" + +draft = false + + +[menu.gcp] +title = "google_compute_region_target_https_proxy" +identifier = "inspec/resources/gcp/google_compute_region_target_https_proxy resource" +parent = "inspec/resources/gcp" ++++ + +Use the `google_compute_region_target_https_proxy` InSpec audit resource to to test a Google Cloud RegionTargetHttpsProxy resource. + +## Examples + +```ruby +describe google_compute_region_target_https_proxy(project: 'chef-gcp-inspec', region: ' value_region', targetHttpsProxy: ' ') do + it { should exist } + its('kind') { should cmp 'value_kind' } + its('id') { should cmp 'value_id' } + its('creation_timestamp') { should cmp 'value_creationtimestamp' } + its('name') { should cmp 'value_name' } + its('description') { should cmp 'value_description' } + its('self_link') { should cmp 'value_selflink' } + its('self_link_with_id') { should cmp 'value_selflinkwithid' } + its('url_map') { should cmp 'value_urlmap' } + its('certificate_map') { should cmp 'value_certificatemap' } + its('quic_override') { should cmp 'value_quicoverride' } + its('ssl_policy') { should cmp 'value_sslpolicy' } + its('region') { should cmp 'value_region' } + its('server_tls_policy') { should cmp 'value_servertlspolicy' } + its('authentication') { should cmp 'value_authentication' } + its('authorization_policy') { should cmp 'value_authorizationpolicy' } + its('authorization') { should cmp 'value_authorization' } + its('fingerprint') { should cmp 'value_fingerprint' } + its('tls_early_data') { should cmp 'value_tlsearlydata' } + +end + +describe google_compute_region_target_https_proxy(project: 'chef-gcp-inspec', region: ' value_region', targetHttpsProxy: ' ') do + it { should_not exist } +end +``` + +## Properties + +Properties that can be accessed from the `google_compute_region_target_https_proxy` resource: + + + * `kind`: [Output Only] Type of resource. 
Always compute#targetHttpsProxy for target HTTPS proxies. + + * `id`: [Output Only] The unique identifier for the resource. This identifier is defined by the server. + + * `creation_timestamp`: [Output Only] Creation timestamp in RFC3339 text format. + + * `name`: Name of the resource. Provided by the client when the resource is created. The name must be 1-63 characters long, and comply with RFC1035. Specifically, the name must be 1-63 characters long and match the regular expression `[a-z]([-a-z0-9]*[a-z0-9])?` which means the first character must be a lowercase letter, and all following characters must be a dash, lowercase letter, or digit, except the last character, which cannot be a dash. + + * `description`: An optional description of this resource. Provide this property when you create the resource. + + * `self_link`: [Output Only] Server-defined URL for the resource. + + * `self_link_with_id`: [Output Only] Server-defined URL for this resource with the resource id. + + * `url_map`: A fully-qualified or valid partial URL to the UrlMap resource that defines the mapping from URL to the BackendService. For example, the following are all valid URLs for specifying a URL map: - https://www.googleapis.compute/v1/projects/project/global/urlMaps/ url-map - projects/project/global/urlMaps/url-map - global/urlMaps/url-map + + * `ssl_certificates`: URLs to SslCertificate resources that are used to authenticate connections between users and the load balancer. At least one SSL certificate must be specified. Currently, you may specify up to 15 SSL certificates. sslCertificates do not apply when the load balancing scheme is set to INTERNAL_SELF_MANAGED. + + * `certificate_map`: URL of a certificate map that identifies a certificate map associated with the given target proxy. This field can only be set for global target proxies. If set, sslCertificates will be ignored. 
Accepted format is //certificatemanager.googleapis.com/projects/{project }/locations/{location}/certificateMaps/{resourceName}. + + * `quic_override`: Specifies the QUIC override policy for this TargetHttpsProxy resource. This setting determines whether the load balancer attempts to negotiate QUIC with clients. You can specify NONE, ENABLE, or DISABLE. - When quic-override is set to NONE, Google manages whether QUIC is used. - When quic-override is set to ENABLE, the load balancer uses QUIC when possible. - When quic-override is set to DISABLE, the load balancer doesn't use QUIC. - If the quic-override flag is not specified, NONE is implied. + Possible values: + * DISABLE + * ENABLE + * NONE + + * `ssl_policy`: URL of SslPolicy resource that will be associated with the TargetHttpsProxy resource. If not set, the TargetHttpsProxy resource has no SSL policy configured. + + * `region`: [Output Only] URL of the region where the regional TargetHttpsProxy resides. This field is not applicable to global TargetHttpsProxies. + + * `proxy_bind`: This field only applies when the forwarding rule that references this target proxy has a loadBalancingScheme set to INTERNAL_SELF_MANAGED. When this field is set to true, Envoy proxies set up inbound traffic interception and bind to the IP address and port specified in the forwarding rule. This is generally useful when using Traffic Director to configure Envoy as a gateway or middle proxy (in other words, not a sidecar proxy). The Envoy proxy listens for inbound requests and handles requests when it receives them. The default is false. + + * `http_filters`: URLs to networkservices.HttpFilter resources enabled for xDS clients using this configuration. For example, https://networkservices.googleapis.com/beta/projects/project/locations/ locationhttpFilters/httpFilter Only filters that handle outbound connection and stream events may be specified. 
These filters work in conjunction with a default set of HTTP filters that may already be configured by Traffic Director. Traffic Director will determine the final location of these filters within xDS configuration based on the name of the HTTP filter. If Traffic Director positions multiple filters at the same location, those filters will be in the same order as specified in this list. httpFilters only applies for loadbalancers with loadBalancingScheme set to INTERNAL_SELF_MANAGED. See ForwardingRule for more details. + + * `server_tls_policy`: Optional. A URL referring to a networksecurity.ServerTlsPolicy resource that describes how the proxy should authenticate inbound traffic. serverTlsPolicy only applies to a global TargetHttpsProxy attached to globalForwardingRules with the loadBalancingScheme set to INTERNAL_SELF_MANAGED or EXTERNAL or EXTERNAL_MANAGED. For details which ServerTlsPolicy resources are accepted with INTERNAL_SELF_MANAGED and which with EXTERNAL, EXTERNAL_MANAGED loadBalancingScheme consult ServerTlsPolicy documentation. If left blank, communications are not encrypted. + + * `authentication`: [Deprecated] Use serverTlsPolicy instead. + + * `authorization_policy`: Optional. A URL referring to a networksecurity.AuthorizationPolicy resource that describes how the proxy should authorize inbound traffic. If left blank, access will not be restricted by an authorization policy. Refer to the AuthorizationPolicy resource for additional details. authorizationPolicy only applies to a global TargetHttpsProxy attached to globalForwardingRules with the loadBalancingScheme set to INTERNAL_SELF_MANAGED. Note: This field currently has no impact. + + * `authorization`: [Deprecated] Use authorizationPolicy instead. + + * `fingerprint`: Fingerprint of this resource. A hash of the contents stored in this object. This field is used in optimistic locking. This field will be ignored when inserting a TargetHttpsProxy. 
An up-to-date fingerprint must be provided in order to patch the TargetHttpsProxy; otherwise, the request will fail with error 412 conditionNotMet. To see the latest fingerprint, make a get() request to retrieve the TargetHttpsProxy.
+
+ * `http_keep_alive_timeout_sec`: Specifies how long to keep a connection open, after completing a response, while there is no matching traffic (in seconds). If an HTTP keep-alive is not specified, a default value (610 seconds) will be used. For global external Application Load Balancers, the minimum allowed value is 5 seconds and the maximum allowed value is 1200 seconds. For classic Application Load Balancers, this option is not supported.
+
+ * `tls_early_data`: Specifies whether TLS 1.3 0-RTT Data ("Early Data") should be accepted for this service. Early Data allows a TLS resumption handshake to include the initial application payload (a HTTP request) alongside the handshake, reducing the effective round trips to "zero". This applies to TLS 1.3 connections over TCP (HTTP/2) as well as over UDP (QUIC/h3). This can improve application performance, especially on networks where interruptions may be common, such as on mobile. Requests with Early Data will have the "Early-Data" HTTP header set on the request, with a value of "1", to allow the backend to determine whether Early Data was included. Note: TLS Early Data may allow requests to be replayed, as the data is sent to the backend before the handshake has fully completed. Applications that allow idempotent HTTP methods to make non-idempotent changes, such as a GET request updating a database, should not accept Early Data on those requests, and reject requests with the "Early-Data: 1" HTTP header by returning a HTTP 425 (Too Early) status code, in order to remain RFC compliant. The default value is DISABLED.
+ Possible values:
+ * DISABLED
+ * PERMISSIVE
+ * STRICT
+
+
+## GCP permissions
+
+Ensure the [Compute Engine API](https://console.cloud.google.com/apis/library/compute.googleapis.com/) is enabled for the current project.
diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_region_url_map.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_region_url_map.md
new file mode 100644
index 0000000..18ddaa4
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_region_url_map.md
@@ -0,0 +1,793 @@
++++
+title = "google_compute_region_url_map resource"
+
+draft = false
+
+
+[menu.gcp]
+title = "google_compute_region_url_map"
+identifier = "inspec/resources/gcp/google_compute_region_url_map resource"
+parent = "inspec/resources/gcp"
++++
+
+Use the `google_compute_region_url_map` InSpec audit resource to to test a Google Cloud RegionUrlMap resource.
+
+## Examples
+
+```ruby
+describe google_compute_region_url_map(project: 'chef-gcp-inspec', region: ' value_region', name: ' ') do
+ it { should exist }
+ its('kind') { should cmp 'value_kind' }
+ its('id') { should cmp 'value_id' }
+ its('creation_timestamp') { should cmp 'value_creationtimestamp' }
+ its('name') { should cmp 'value_name' }
+ its('description') { should cmp 'value_description' }
+ its('self_link') { should cmp 'value_selflink' }
+ its('default_service') { should cmp 'value_defaultservice' }
+ its('fingerprint') { should cmp 'value_fingerprint' }
+ its('region') { should cmp 'value_region' }
+
+end
+
+describe google_compute_region_url_map(project: 'chef-gcp-inspec', region: ' value_region', name: ' ') do
+ it { should_not exist }
+end
+```
+
+## Properties
+
+Properties that can be accessed from the `google_compute_region_url_map` resource:
+
+
+ * `kind`: [Output Only] Type of the resource. Always compute#urlMaps for url maps.
+
+ * `id`: [Output Only] The unique identifier for the resource. This identifier is defined by the server.
+
+ * `creation_timestamp`: [Output Only] Creation timestamp in RFC3339 text format.
+
+ * `name`: Name of the resource. Provided by the client when the resource is created. The name must be 1-63 characters long, and comply with RFC1035. Specifically, the name must be 1-63 characters long and match the regular expression `[a-z]([-a-z0-9]*[a-z0-9])?` which means the first character must be a lowercase letter, and all following characters must be a dash, lowercase letter, or digit, except the last character, which cannot be a dash.
+ + * `description`: An optional description of this resource. Provide this property when you create the resource. + + * `self_link`: [Output Only] Server-defined URL for the resource. + + * `host_rules`: The list of host rules to use against the URL. + + * `description`: An optional description of this resource. Provide this property when you create the resource. + + * `hosts`: The list of host patterns to match. They must be valid hostnames with optional port numbers in the format host:port. * matches any string of ([a-z0-9-.]*). In that case, * must be the first character, and if followed by anything, the immediate following character must be either - or .. * based matching is not supported when the URL map is bound to a target gRPC proxy that has the validateForProxyless field set to true. + + * `path_matcher`: The name of the PathMatcher to use to match the path portion of the URL if the hostRule matches the URL's host portion. + + * `path_matchers`: The list of named PathMatchers to use against the URL. + + * `name`: The name to which this PathMatcher is referred by the HostRule. + + * `description`: An optional description of this resource. Provide this property when you create the resource. + + * `default_service`: The full or partial URL to the BackendService resource. This URL is used if none of the pathRules or routeRules defined by this PathMatcher are matched. For example, the following are all valid URLs to a BackendService resource: - https://www.googleapis.com/compute/v1/projects/project /global/backendServices/backendService - compute/v1/projects/project/global/backendServices/backendService - global/backendServices/backendService If defaultRouteAction is also specified, advanced routing actions, such as URL rewrites, take effect before sending the request to the backend. However, if defaultService is specified, defaultRouteAction cannot contain any weightedBackendServices. 
Conversely, if defaultRouteAction specifies any weightedBackendServices, defaultService must not be specified. Only one of defaultService, defaultUrlRedirect , or defaultRouteAction.weightedBackendService must be set. Authorization requires one or more of the following Google IAM permissions on the specified resource default_service: - compute.backendBuckets.use - compute.backendServices.use + + * `default_route_action`: + + * `weighted_backend_services`: A list of weighted backend services to send traffic to when a route match occurs. The weights determine the fraction of traffic that flows to their corresponding backend service. If all traffic needs to go to a single backend service, there must be one weightedBackendService with weight set to a non-zero number. After a backend service is identified and before forwarding the request to the backend service, advanced routing actions such as URL rewrites and header transformations are applied depending on additional settings specified in this HttpRouteAction. + + * `backend_service`: The full or partial URL to the default BackendService resource. Before forwarding the request to backendService, the load balancer applies any relevant headerActions specified as part of this backendServiceWeight. + + * `weight`: Specifies the fraction of traffic sent to a backend service, computed as weight / (sum of all weightedBackendService weights in routeAction) . The selection of a backend service is determined only for new traffic. Once a user's request has been directed to a backend service, subsequent requests are sent to the same backend service as determined by the backend service's session affinity policy. The value must be from 0 to 1000. + + * `header_action`: The request and response header transformations that take effect before the request is passed along to the selected backendService. 
+ + * `request_headers_to_remove`: A list of header names for headers that need to be removed from the request before forwarding the request to the backendService. + + * `request_headers_to_add`: Headers to add to a matching request before forwarding the request to the backendService. + + * `header_name`: The name of the header. + + * `header_value`: The value of the header to add. + + * `replace`: If false, headerValue is appended to any values that already exist for the header. If true, headerValue is set for the header, discarding any values that were set for that header. The default value is false. + + * `response_headers_to_remove`: A list of header names for headers that need to be removed from the response before sending the response back to the client. + + * `response_headers_to_add`: Headers to add the response before sending the response back to the client. + + * `header_name`: The name of the header. + + * `header_value`: The value of the header to add. + + * `replace`: If false, headerValue is appended to any values that already exist for the header. If true, headerValue is set for the header, discarding any values that were set for that header. The default value is false. + + * `url_rewrite`: The spec for modifying the path before sending the request to the matched backend service. + + * `path_prefix_rewrite`: Before forwarding the request to the selected backend service, the matching portion of the request's path is replaced by pathPrefixRewrite. The value must be from 1 to 1024 characters. + + * `host_rewrite`: Before forwarding the request to the selected service, the request's host header is replaced with contents of hostRewrite. The value must be from 1 to 255 characters. + + * `path_template_rewrite`: If specified, the pattern rewrites the URL path (based on the :path header) using the HTTP template syntax. A corresponding path_template_match must be specified. Any template variables must exist in the path_template_match field. 
- -At least one variable must be specified in the path_template_match field - You can omit variables from the rewritten URL - The * and ** operators cannot be matched unless they have a corresponding variable name - e.g. {format=*} or {var=**}. For example, a path_template_match of /static/{format=**} could be rewritten as /static/content/{format} to prefix /content to the URL. Variables can also be re-ordered in a rewrite, so that /{country}/{format}/{suffix=**} can be rewritten as /content/{format}/{country}/{suffix}. At least one non-empty routeRules[].matchRules[].path_template_match is required. Only one of path_prefix_rewrite or path_template_rewrite may be specified. + + * `timeout`: A Duration represents a fixed-length span of time represented as a count of seconds and fractions of seconds at nanosecond resolution. It is independent of any calendar and concepts like "day" or "month". Range is approximately 10,000 years. + + * `seconds`: Span of time at a resolution of a second. Must be from 0 to 315,576,000,000 inclusive. Note: these bounds are computed from: 60 sec/min * 60 min/hr * 24 hr/day * 365.25 days/year * 10000 years + + * `nanos`: Span of time that's a fraction of a second at nanosecond resolution. Durations less than one second are represented with a 0 `seconds` field and a positive `nanos` field. Must be from 0 to 999,999,999 inclusive. + + * `retry_policy`: The retry policy associates with HttpRouteRule + + * `retry_conditions`: Specifies one or more conditions when this retry policy applies. Valid values are: - 5xx: retry is attempted if the instance or endpoint responds with any 5xx response code, or if the instance or endpoint does not respond at all. For example, disconnects, reset, read timeout, connection failure, and refused streams. - gateway-error: Similar to 5xx, but only applies to response codes 502, 503 or 504. - connect-failure: a retry is attempted on failures connecting to the instance or endpoint. 
For example, connection timeouts. - retriable-4xx: a retry is attempted if the instance or endpoint responds with a 4xx response code. The only error that you can retry is error code 409. - refused-stream: a retry is attempted if the instance or endpoint resets the stream with a REFUSED_STREAM error code. This reset type indicates that it is safe to retry. - cancelled: a retry is attempted if the gRPC status code in the response header is set to cancelled. - deadline-exceeded: a retry is attempted if the gRPC status code in the response header is set to deadline-exceeded. - internal: a retry is attempted if the gRPC status code in the response header is set to internal. - resource-exhausted: a retry is attempted if the gRPC status code in the response header is set to resource-exhausted. - unavailable: a retry is attempted if the gRPC status code in the response header is set to unavailable. Only the following codes are supported when the URL map is bound to target gRPC proxy that has validateForProxyless field set to true. - cancelled - deadline-exceeded - internal - resource-exhausted - unavailable + + * `num_retries`: Specifies the allowed number retries. This number must be > 0. If not specified, defaults to 1. + + * `per_try_timeout`: A Duration represents a fixed-length span of time represented as a count of seconds and fractions of seconds at nanosecond resolution. It is independent of any calendar and concepts like "day" or "month". Range is approximately 10,000 years. + + * `seconds`: Span of time at a resolution of a second. Must be from 0 to 315,576,000,000 inclusive. Note: these bounds are computed from: 60 sec/min * 60 min/hr * 24 hr/day * 365.25 days/year * 10000 years + + * `nanos`: Span of time that's a fraction of a second at nanosecond resolution. Durations less than one second are represented with a 0 `seconds` field and a positive `nanos` field. Must be from 0 to 999,999,999 inclusive. 
+ + * `request_mirror_policy`: A policy that specifies how requests intended for the route's backends are shadowed to a separate mirrored backend service. The load balancer doesn't wait for responses from the shadow service. Before sending traffic to the shadow service, the host or authority header is suffixed with -shadow. + + * `backend_service`: The full or partial URL to the BackendService resource being mirrored to. The backend service configured for a mirroring policy must reference backends that are of the same type as the original backend service matched in the URL map. Serverless NEG backends are not currently supported as a mirrored backend service. + + * `cors_policy`: The specification for allowing client-side cross-origin requests. For more information about the W3C recommendation for cross-origin resource sharing (CORS), see Fetch API Living Standard. + + * `allow_origins`: Specifies the list of origins that is allowed to do CORS requests. An origin is allowed if it matches either an item in allowOrigins or an item in allowOriginRegexes. + + * `allow_origin_regexes`: Specifies a regular expression that matches allowed origins. For more information about the regular expression syntax, see Syntax. An origin is allowed if it matches either an item in allowOrigins or an item in allowOriginRegexes. Regular expressions can only be used when the loadBalancingScheme is set to INTERNAL_SELF_MANAGED. + + * `allow_methods`: Specifies the content for the Access-Control-Allow-Methods header. + + * `allow_headers`: Specifies the content for the Access-Control-Allow-Headers header. + + * `expose_headers`: Specifies the content for the Access-Control-Expose-Headers header. + + * `max_age`: Specifies how long results of a preflight request can be cached in seconds. This field translates to the Access-Control-Max-Age header. 
+ + * `allow_credentials`: In response to a preflight request, setting this to true indicates that the actual request can include user credentials. This field translates to the Access-Control-Allow-Credentials header. Default is false. + + * `disabled`: If true, the setting specifies the CORS policy is disabled. The default value of false, which indicates that the CORS policy is in effect. + + * `fault_injection_policy`: The specification for fault injection introduced into traffic to test the resiliency of clients to backend service failure. As part of fault injection, when clients send requests to a backend service, delays can be introduced by the load balancer on a percentage of requests before sending those request to the backend service. Similarly requests from clients can be aborted by the load balancer for a percentage of requests. + + * `delay`: Specifies the delay introduced by the load balancer before forwarding the request to the backend service as part of fault injection. + + * `fixed_delay`: A Duration represents a fixed-length span of time represented as a count of seconds and fractions of seconds at nanosecond resolution. It is independent of any calendar and concepts like "day" or "month". Range is approximately 10,000 years. + + * `seconds`: Span of time at a resolution of a second. Must be from 0 to 315,576,000,000 inclusive. Note: these bounds are computed from: 60 sec/min * 60 min/hr * 24 hr/day * 365.25 days/year * 10000 years + + * `nanos`: Span of time that's a fraction of a second at nanosecond resolution. Durations less than one second are represented with a 0 `seconds` field and a positive `nanos` field. Must be from 0 to 999,999,999 inclusive. + + * `percentage`: The percentage of traffic for connections, operations, or requests for which a delay is introduced as part of fault injection. The value must be from 0.0 to 100.0 inclusive. + + * `abort`: Specification for how requests are aborted as part of fault injection. 
+ + * `http_status`: The HTTP status code used to abort the request. The value must be from 200 to 599 inclusive. For gRPC protocol, the gRPC status code is mapped to HTTP status code according to this mapping table. HTTP status 200 is mapped to gRPC status UNKNOWN. Injecting an OK status is currently not supported by Traffic Director. + + * `percentage`: The percentage of traffic for connections, operations, or requests that is aborted as part of fault injection. The value must be from 0.0 to 100.0 inclusive. + + * `max_stream_duration`: A Duration represents a fixed-length span of time represented as a count of seconds and fractions of seconds at nanosecond resolution. It is independent of any calendar and concepts like "day" or "month". Range is approximately 10,000 years. + + * `seconds`: Span of time at a resolution of a second. Must be from 0 to 315,576,000,000 inclusive. Note: these bounds are computed from: 60 sec/min * 60 min/hr * 24 hr/day * 365.25 days/year * 10000 years + + * `nanos`: Span of time that's a fraction of a second at nanosecond resolution. Durations less than one second are represented with a 0 `seconds` field and a positive `nanos` field. Must be from 0 to 999,999,999 inclusive. + + * `default_url_redirect`: Specifies settings for an HTTP redirect. + + * `host_redirect`: The host that is used in the redirect response instead of the one that was supplied in the request. The value must be from 1 to 255 characters. + + * `path_redirect`: The path that is used in the redirect response instead of the one that was supplied in the request. pathRedirect cannot be supplied together with prefixRedirect. Supply one alone or neither. If neither is supplied, the path of the original request is used for the redirect. The value must be from 1 to 1024 characters. + + * `prefix_redirect`: The prefix that replaces the prefixMatch specified in the HttpRouteRuleMatch, retaining the remaining portion of the URL before redirecting the request. 
prefixRedirect cannot be supplied together with pathRedirect. Supply one alone or neither. If neither is supplied, the path of the original request is used for the redirect. The value must be from 1 to 1024 characters. + + * `redirect_response_code`: The HTTP Status code to use for this RedirectAction. Supported values are: - MOVED_PERMANENTLY_DEFAULT, which is the default value and corresponds to 301. - FOUND, which corresponds to 302. - SEE_OTHER which corresponds to 303. - TEMPORARY_REDIRECT, which corresponds to 307. In this case, the request method is retained. - PERMANENT_REDIRECT, which corresponds to 308. In this case, the request method is retained. + Possible values: + * FOUND + * MOVED_PERMANENTLY_DEFAULT + * PERMANENT_REDIRECT + * SEE_OTHER + * TEMPORARY_REDIRECT + + * `https_redirect`: If set to true, the URL scheme in the redirected request is set to HTTPS. If set to false, the URL scheme of the redirected request remains the same as that of the request. This must only be set for URL maps used in TargetHttpProxys. Setting this true for TargetHttpsProxy is not permitted. The default is set to false. + + * `strip_query`: If set to true, any accompanying query portion of the original URL is removed before redirecting the request. If set to false, the query portion of the original URL is retained. The default is set to false. + + * `path_rules`: The list of path rules. Use this list instead of routeRules when routing based on simple path matching is all that's required. The order by which path rules are specified does not matter. Matches are always done on the longest-path-first basis. For example: a pathRule with a path /a/b/c/* will match before /a/b/* irrespective of the order in which those paths appear in this list. Within a given pathMatcher, only one of pathRules or routeRules must be set. + + * `service`: The full or partial URL of the backend service resource to which traffic is directed if this rule is matched. 
If routeAction is also specified, advanced routing actions, such as URL rewrites, take effect before sending the request to the backend. However, if service is specified, routeAction cannot contain any weightedBackendServices. Conversely, if routeAction specifies any weightedBackendServices, service must not be specified. Only one of urlRedirect, service or routeAction.weightedBackendService must be set. + + * `route_action`: + + * `weighted_backend_services`: A list of weighted backend services to send traffic to when a route match occurs. The weights determine the fraction of traffic that flows to their corresponding backend service. If all traffic needs to go to a single backend service, there must be one weightedBackendService with weight set to a non-zero number. After a backend service is identified and before forwarding the request to the backend service, advanced routing actions such as URL rewrites and header transformations are applied depending on additional settings specified in this HttpRouteAction. + + * `backend_service`: The full or partial URL to the default BackendService resource. Before forwarding the request to backendService, the load balancer applies any relevant headerActions specified as part of this backendServiceWeight. + + * `weight`: Specifies the fraction of traffic sent to a backend service, computed as weight / (sum of all weightedBackendService weights in routeAction) . The selection of a backend service is determined only for new traffic. Once a user's request has been directed to a backend service, subsequent requests are sent to the same backend service as determined by the backend service's session affinity policy. The value must be from 0 to 1000. + + * `header_action`: The request and response header transformations that take effect before the request is passed along to the selected backendService. 
+ + * `request_headers_to_remove`: A list of header names for headers that need to be removed from the request before forwarding the request to the backendService. + + * `request_headers_to_add`: Headers to add to a matching request before forwarding the request to the backendService. + + * `header_name`: The name of the header. + + * `header_value`: The value of the header to add. + + * `replace`: If false, headerValue is appended to any values that already exist for the header. If true, headerValue is set for the header, discarding any values that were set for that header. The default value is false. + + * `response_headers_to_remove`: A list of header names for headers that need to be removed from the response before sending the response back to the client. + + * `response_headers_to_add`: Headers to add the response before sending the response back to the client. + + * `header_name`: The name of the header. + + * `header_value`: The value of the header to add. + + * `replace`: If false, headerValue is appended to any values that already exist for the header. If true, headerValue is set for the header, discarding any values that were set for that header. The default value is false. + + * `url_rewrite`: The spec for modifying the path before sending the request to the matched backend service. + + * `path_prefix_rewrite`: Before forwarding the request to the selected backend service, the matching portion of the request's path is replaced by pathPrefixRewrite. The value must be from 1 to 1024 characters. + + * `host_rewrite`: Before forwarding the request to the selected service, the request's host header is replaced with contents of hostRewrite. The value must be from 1 to 255 characters. + + * `path_template_rewrite`: If specified, the pattern rewrites the URL path (based on the :path header) using the HTTP template syntax. A corresponding path_template_match must be specified. Any template variables must exist in the path_template_match field. 
- -At least one variable must be specified in the path_template_match field - You can omit variables from the rewritten URL - The * and ** operators cannot be matched unless they have a corresponding variable name - e.g. {format=*} or {var=**}. For example, a path_template_match of /static/{format=**} could be rewritten as /static/content/{format} to prefix /content to the URL. Variables can also be re-ordered in a rewrite, so that /{country}/{format}/{suffix=**} can be rewritten as /content/{format}/{country}/{suffix}. At least one non-empty routeRules[].matchRules[].path_template_match is required. Only one of path_prefix_rewrite or path_template_rewrite may be specified. + + * `timeout`: A Duration represents a fixed-length span of time represented as a count of seconds and fractions of seconds at nanosecond resolution. It is independent of any calendar and concepts like "day" or "month". Range is approximately 10,000 years. + + * `seconds`: Span of time at a resolution of a second. Must be from 0 to 315,576,000,000 inclusive. Note: these bounds are computed from: 60 sec/min * 60 min/hr * 24 hr/day * 365.25 days/year * 10000 years + + * `nanos`: Span of time that's a fraction of a second at nanosecond resolution. Durations less than one second are represented with a 0 `seconds` field and a positive `nanos` field. Must be from 0 to 999,999,999 inclusive. + + * `retry_policy`: The retry policy associates with HttpRouteRule + + * `retry_conditions`: Specifies one or more conditions when this retry policy applies. Valid values are: - 5xx: retry is attempted if the instance or endpoint responds with any 5xx response code, or if the instance or endpoint does not respond at all. For example, disconnects, reset, read timeout, connection failure, and refused streams. - gateway-error: Similar to 5xx, but only applies to response codes 502, 503 or 504. - connect-failure: a retry is attempted on failures connecting to the instance or endpoint. 
For example, connection timeouts. - retriable-4xx: a retry is attempted if the instance or endpoint responds with a 4xx response code. The only error that you can retry is error code 409. - refused-stream: a retry is attempted if the instance or endpoint resets the stream with a REFUSED_STREAM error code. This reset type indicates that it is safe to retry. - cancelled: a retry is attempted if the gRPC status code in the response header is set to cancelled. - deadline-exceeded: a retry is attempted if the gRPC status code in the response header is set to deadline-exceeded. - internal: a retry is attempted if the gRPC status code in the response header is set to internal. - resource-exhausted: a retry is attempted if the gRPC status code in the response header is set to resource-exhausted. - unavailable: a retry is attempted if the gRPC status code in the response header is set to unavailable. Only the following codes are supported when the URL map is bound to target gRPC proxy that has validateForProxyless field set to true. - cancelled - deadline-exceeded - internal - resource-exhausted - unavailable + + * `num_retries`: Specifies the allowed number retries. This number must be > 0. If not specified, defaults to 1. + + * `per_try_timeout`: A Duration represents a fixed-length span of time represented as a count of seconds and fractions of seconds at nanosecond resolution. It is independent of any calendar and concepts like "day" or "month". Range is approximately 10,000 years. + + * `seconds`: Span of time at a resolution of a second. Must be from 0 to 315,576,000,000 inclusive. Note: these bounds are computed from: 60 sec/min * 60 min/hr * 24 hr/day * 365.25 days/year * 10000 years + + * `nanos`: Span of time that's a fraction of a second at nanosecond resolution. Durations less than one second are represented with a 0 `seconds` field and a positive `nanos` field. Must be from 0 to 999,999,999 inclusive. 
+ + * `request_mirror_policy`: A policy that specifies how requests intended for the route's backends are shadowed to a separate mirrored backend service. The load balancer doesn't wait for responses from the shadow service. Before sending traffic to the shadow service, the host or authority header is suffixed with -shadow. + + * `backend_service`: The full or partial URL to the BackendService resource being mirrored to. The backend service configured for a mirroring policy must reference backends that are of the same type as the original backend service matched in the URL map. Serverless NEG backends are not currently supported as a mirrored backend service. + + * `cors_policy`: The specification for allowing client-side cross-origin requests. For more information about the W3C recommendation for cross-origin resource sharing (CORS), see Fetch API Living Standard. + + * `allow_origins`: Specifies the list of origins that is allowed to do CORS requests. An origin is allowed if it matches either an item in allowOrigins or an item in allowOriginRegexes. + + * `allow_origin_regexes`: Specifies a regular expression that matches allowed origins. For more information about the regular expression syntax, see Syntax. An origin is allowed if it matches either an item in allowOrigins or an item in allowOriginRegexes. Regular expressions can only be used when the loadBalancingScheme is set to INTERNAL_SELF_MANAGED. + + * `allow_methods`: Specifies the content for the Access-Control-Allow-Methods header. + + * `allow_headers`: Specifies the content for the Access-Control-Allow-Headers header. + + * `expose_headers`: Specifies the content for the Access-Control-Expose-Headers header. + + * `max_age`: Specifies how long results of a preflight request can be cached in seconds. This field translates to the Access-Control-Max-Age header. 
+ + * `allow_credentials`: In response to a preflight request, setting this to true indicates that the actual request can include user credentials. This field translates to the Access-Control-Allow-Credentials header. Default is false. + + * `disabled`: If true, the setting specifies the CORS policy is disabled. The default value of false, which indicates that the CORS policy is in effect. + + * `fault_injection_policy`: The specification for fault injection introduced into traffic to test the resiliency of clients to backend service failure. As part of fault injection, when clients send requests to a backend service, delays can be introduced by the load balancer on a percentage of requests before sending those request to the backend service. Similarly requests from clients can be aborted by the load balancer for a percentage of requests. + + * `delay`: Specifies the delay introduced by the load balancer before forwarding the request to the backend service as part of fault injection. + + * `fixed_delay`: A Duration represents a fixed-length span of time represented as a count of seconds and fractions of seconds at nanosecond resolution. It is independent of any calendar and concepts like "day" or "month". Range is approximately 10,000 years. + + * `seconds`: Span of time at a resolution of a second. Must be from 0 to 315,576,000,000 inclusive. Note: these bounds are computed from: 60 sec/min * 60 min/hr * 24 hr/day * 365.25 days/year * 10000 years + + * `nanos`: Span of time that's a fraction of a second at nanosecond resolution. Durations less than one second are represented with a 0 `seconds` field and a positive `nanos` field. Must be from 0 to 999,999,999 inclusive. + + * `percentage`: The percentage of traffic for connections, operations, or requests for which a delay is introduced as part of fault injection. The value must be from 0.0 to 100.0 inclusive. + + * `abort`: Specification for how requests are aborted as part of fault injection. 
+ + * `http_status`: The HTTP status code used to abort the request. The value must be from 200 to 599 inclusive. For gRPC protocol, the gRPC status code is mapped to HTTP status code according to this mapping table. HTTP status 200 is mapped to gRPC status UNKNOWN. Injecting an OK status is currently not supported by Traffic Director. + + * `percentage`: The percentage of traffic for connections, operations, or requests that is aborted as part of fault injection. The value must be from 0.0 to 100.0 inclusive. + + * `max_stream_duration`: A Duration represents a fixed-length span of time represented as a count of seconds and fractions of seconds at nanosecond resolution. It is independent of any calendar and concepts like "day" or "month". Range is approximately 10,000 years. + + * `seconds`: Span of time at a resolution of a second. Must be from 0 to 315,576,000,000 inclusive. Note: these bounds are computed from: 60 sec/min * 60 min/hr * 24 hr/day * 365.25 days/year * 10000 years + + * `nanos`: Span of time that's a fraction of a second at nanosecond resolution. Durations less than one second are represented with a 0 `seconds` field and a positive `nanos` field. Must be from 0 to 999,999,999 inclusive. + + * `url_redirect`: Specifies settings for an HTTP redirect. + + * `host_redirect`: The host that is used in the redirect response instead of the one that was supplied in the request. The value must be from 1 to 255 characters. + + * `path_redirect`: The path that is used in the redirect response instead of the one that was supplied in the request. pathRedirect cannot be supplied together with prefixRedirect. Supply one alone or neither. If neither is supplied, the path of the original request is used for the redirect. The value must be from 1 to 1024 characters. + + * `prefix_redirect`: The prefix that replaces the prefixMatch specified in the HttpRouteRuleMatch, retaining the remaining portion of the URL before redirecting the request. 
prefixRedirect cannot be supplied together with pathRedirect. Supply one alone or neither. If neither is supplied, the path of the original request is used for the redirect. The value must be from 1 to 1024 characters. + + * `redirect_response_code`: The HTTP Status code to use for this RedirectAction. Supported values are: - MOVED_PERMANENTLY_DEFAULT, which is the default value and corresponds to 301. - FOUND, which corresponds to 302. - SEE_OTHER which corresponds to 303. - TEMPORARY_REDIRECT, which corresponds to 307. In this case, the request method is retained. - PERMANENT_REDIRECT, which corresponds to 308. In this case, the request method is retained. + Possible values: + * FOUND + * MOVED_PERMANENTLY_DEFAULT + * PERMANENT_REDIRECT + * SEE_OTHER + * TEMPORARY_REDIRECT + + * `https_redirect`: If set to true, the URL scheme in the redirected request is set to HTTPS. If set to false, the URL scheme of the redirected request remains the same as that of the request. This must only be set for URL maps used in TargetHttpProxys. Setting this true for TargetHttpsProxy is not permitted. The default is set to false. + + * `strip_query`: If set to true, any accompanying query portion of the original URL is removed before redirecting the request. If set to false, the query portion of the original URL is retained. The default is set to false. + + * `paths`: The list of path patterns to match. Each must start with / and the only place a * is allowed is at the end following a /. The string fed to the path matcher does not include any text after the first ? or #, and those chars are not allowed here. + + * `custom_error_response_policy`: Specifies the custom error response policy that must be applied when the backend service or backend bucket responds with an error. + + * `error_response_rules`: Specifies rules for returning error responses. 
In a given policy, if you specify rules for both a range of error codes as well as rules for specific error codes then rules with specific error codes have a higher priority. For example, assume that you configure a rule for 401 (Un-authorized) code, and another for all 4 series error codes (4XX). If the backend service returns a 401, then the rule for 401 will be applied. However if the backend service returns a 403, the rule for 4xx takes effect. + + * `match_response_codes`: Valid values include: - A number between 400 and 599: For example 401 or 503, in which case the load balancer applies the policy if the error code exactly matches this value. - 5xx: Load Balancer will apply the policy if the backend service responds with any response code in the range of 500 to 599. - 4xx: Load Balancer will apply the policy if the backend service responds with any response code in the range of 400 to 499. Values must be unique within matchResponseCodes and across all errorResponseRules of CustomErrorResponsePolicy. + + * `path`: The full path to a file within backendBucket . For example: /errors/defaultError.html path must start with a leading slash. path cannot have trailing slashes. If the file is not available in backendBucket or the load balancer cannot reach the BackendBucket, a simple Not Found Error is returned to the client. The value must be from 1 to 1024 characters + + * `override_response_code`: The HTTP status code returned with the response containing the custom error content. If overrideResponseCode is not supplied, the same response code returned by the original backend bucket or backend service is returned to the client. + + * `error_service`: The full or partial URL to the BackendBucket resource that contains the custom error content. 
Examples are: - https://www.googleapis.com/compute/v1/projects/project/global/backendBuckets/myBackendBucket - compute/v1/projects/project/global/backendBuckets/myBackendBucket - global/backendBuckets/myBackendBucket If errorService is not specified at lower levels like pathMatcher, pathRule and routeRule, an errorService specified at a higher level in the UrlMap will be used. If UrlMap.defaultCustomErrorResponsePolicy contains one or more errorResponseRules[], it must specify errorService. If load balancer cannot reach the backendBucket, a simple Not Found Error will be returned, with the original response code (or overrideResponseCode if configured). errorService is not supported for internal or regional HTTP/HTTPS load balancers. + + * `route_rules`: The list of HTTP route rules. Use this list instead of pathRules when advanced route matching and routing actions are desired. routeRules are evaluated in order of priority, from the lowest to highest number. Within a given pathMatcher, you can set only one of pathRules or routeRules. + + * `priority`: For routeRules within a given pathMatcher, priority determines the order in which a load balancer interprets routeRules. RouteRules are evaluated in order of priority, from the lowest to highest number. The priority of a rule decreases as its number increases (1, 2, 3, N+1). The first rule that matches the request is applied. You cannot configure two or more routeRules with the same priority. Priority for each rule must be set to a number from 0 to 2147483647 inclusive. Priority numbers can have gaps, which enable you to add or remove rules in the future without affecting the rest of the rules. For example, 1, 2, 3, 4, 5, 9, 12, 16 is a valid series of priority numbers to which you could add rules numbered from 6 to 8, 10 to 11, and 13 to 15 in the future without any impact on existing rules. + + * `description`: The short description conveying the intent of this routeRule. 
The description can have a maximum length of 1024 characters. + + * `match_rules`: The list of criteria for matching attributes of a request to this routeRule. This list has OR semantics: the request matches this routeRule when any of the matchRules are satisfied. However predicates within a given matchRule have AND semantics. All predicates within a matchRule must match for the request to match the rule. + + * `prefix_match`: For satisfying the matchRule condition, the request's path must begin with the specified prefixMatch. prefixMatch must begin with a /. The value must be from 1 to 1024 characters. Only one of prefixMatch, fullPathMatch or regexMatch must be specified. + + * `full_path_match`: For satisfying the matchRule condition, the path of the request must exactly match the value specified in fullPathMatch after removing any query parameters and anchor that may be part of the original URL. fullPathMatch must be from 1 to 1024 characters. Only one of prefixMatch, fullPathMatch or regexMatch must be specified. + + * `regex_match`: For satisfying the matchRule condition, the path of the request must satisfy the regular expression specified in regexMatch after removing any query parameters and anchor supplied with the original URL. For more information about regular expression syntax, see Syntax. Only one of prefixMatch, fullPathMatch or regexMatch must be specified. Regular expressions can only be used when the loadBalancingScheme is set to INTERNAL_SELF_MANAGED. + + * `ignore_case`: Specifies that prefixMatch and fullPathMatch matches are case sensitive. The default value is false. ignoreCase must not be used with regexMatch. Not supported when the URL map is bound to a target gRPC proxy. + + * `header_matches`: Specifies a list of header match criteria, all of which must match corresponding headers in the request. + + * `header_name`: The name of the HTTP header to match. 
For matching against the HTTP request's authority, use a headerMatch with the header name ":authority". For matching a request's method, use the headerName ":method". When the URL map is bound to a target gRPC proxy that has the validateForProxyless field set to true, only non-binary user-specified custom metadata and the `content-type` header are supported. The following transport-level headers cannot be used in header matching rules: `:authority`, `:method`, `:path`, `:scheme`, `user-agent`, `accept-encoding`, `content-encoding`, `grpc-accept-encoding`, `grpc-encoding`, `grpc-previous-rpc-attempts`, `grpc-tags-bin`, `grpc-timeout` and `grpc-trace-bin`. + + * `exact_match`: The value should exactly match contents of exactMatch. Only one of exactMatch, prefixMatch, suffixMatch, regexMatch, presentMatch or rangeMatch must be set. + + * `regex_match`: The value of the header must match the regular expression specified in regexMatch. For more information about regular expression syntax, see Syntax. For matching against a port specified in the HTTP request, use a headerMatch with headerName set to PORT and a regular expression that satisfies the RFC2616 Host header's port specifier. Only one of exactMatch, prefixMatch, suffixMatch, regexMatch, presentMatch or rangeMatch must be set. Regular expressions can only be used when the loadBalancingScheme is set to INTERNAL_SELF_MANAGED. + + * `range_match`: HttpRouteRuleMatch criteria for field values that must stay within the specified integer range. + + * `range_start`: The start of the range (inclusive) in signed long integer format. + + * `range_end`: The end of the range (exclusive) in signed long integer format. + + * `present_match`: A header with the contents of headerName must exist. The match takes place whether or not the request's header has a value. Only one of exactMatch, prefixMatch, suffixMatch, regexMatch, presentMatch or rangeMatch must be set. 
+ + * `prefix_match`: The value of the header must start with the contents of prefixMatch. Only one of exactMatch, prefixMatch, suffixMatch, regexMatch, presentMatch or rangeMatch must be set. + + * `suffix_match`: The value of the header must end with the contents of suffixMatch. Only one of exactMatch, prefixMatch, suffixMatch, regexMatch, presentMatch or rangeMatch must be set. + + * `invert_match`: If set to false, the headerMatch is considered a match if the preceding match criteria are met. If set to true, the headerMatch is considered a match if the preceding match criteria are NOT met. The default setting is false. + + * `query_parameter_matches`: Specifies a list of query parameter match criteria, all of which must match corresponding query parameters in the request. Not supported when the URL map is bound to a target gRPC proxy. + + * `name`: The name of the query parameter to match. The query parameter must exist in the request, in the absence of which the request match fails. + + * `present_match`: Specifies that the queryParameterMatch matches if the request contains the query parameter, irrespective of whether the parameter has a value or not. Only one of presentMatch, exactMatch, or regexMatch must be set. + + * `exact_match`: The queryParameterMatch matches if the value of the parameter exactly matches the contents of exactMatch. Only one of presentMatch, exactMatch, or regexMatch must be set. + + * `regex_match`: The queryParameterMatch matches if the value of the parameter matches the regular expression specified by regexMatch. For more information about regular expression syntax, see Syntax. Only one of presentMatch, exactMatch, or regexMatch must be set. Regular expressions can only be used when the loadBalancingScheme is set to INTERNAL_SELF_MANAGED. + + * `metadata_filters`: Opaque filter criteria used by the load balancer to restrict routing configuration to a limited set of xDS compliant clients. 
In their xDS requests to the load balancer, xDS clients present node metadata. When there is a match, the relevant routing configuration is made available to those proxies. For each metadataFilter in this list, if its filterMatchCriteria is set to MATCH_ANY, at least one of the filterLabels must match the corresponding label provided in the metadata. If its filterMatchCriteria is set to MATCH_ALL, then all of its filterLabels must match with corresponding labels provided in the metadata. If multiple metadata filters are specified, all of them need to be satisfied in order to be considered a match. metadataFilters specified here is applied after those specified in ForwardingRule that refers to the UrlMap this HttpRouteRuleMatch belongs to. metadataFilters only applies to load balancers that have loadBalancingScheme set to INTERNAL_SELF_MANAGED. Not supported when the URL map is bound to a target gRPC proxy that has validateForProxyless field set to true. + + * `filter_match_criteria`: Specifies how individual filter label matches within the list of filterLabels and contributes toward the overall metadataFilter match. Supported values are: - MATCH_ANY: at least one of the filterLabels must have a matching label in the provided metadata. - MATCH_ALL: all filterLabels must have matching labels in the provided metadata. + Possible values: + * MATCH_ALL + * MATCH_ANY + * NOT_SET + + * `filter_labels`: The list of label value pairs that must match labels in the provided metadata based on filterMatchCriteria This list must not be empty and can have at the most 64 entries. + + * `name`: Name of metadata label. The name can have a maximum length of 1024 characters and must be at least 1 character long. + + * `value`: The value of the label must match the specified value. value can have a maximum length of 1024 characters. + + * `path_template_match`: If specified, the route is a pattern match expression that must match the :path header once the query string is removed. 
A pattern match allows you to match - The value must be between 1 and 1024 characters - The pattern must start with a leading slash ("/") - There may be no more than 5 operators in pattern Precisely one of prefix_match, full_path_match, regex_match or path_template_match must be set. + + * `service`: The full or partial URL of the backend service resource to which traffic is directed if this rule is matched. If routeAction is also specified, advanced routing actions, such as URL rewrites, take effect before sending the request to the backend. However, if service is specified, routeAction cannot contain any weightedBackendServices. Conversely, if routeAction specifies any weightedBackendServices, service must not be specified. Only one of urlRedirect, service or routeAction.weightedBackendService must be set. + + * `route_action`: + + * `weighted_backend_services`: A list of weighted backend services to send traffic to when a route match occurs. The weights determine the fraction of traffic that flows to their corresponding backend service. If all traffic needs to go to a single backend service, there must be one weightedBackendService with weight set to a non-zero number. After a backend service is identified and before forwarding the request to the backend service, advanced routing actions such as URL rewrites and header transformations are applied depending on additional settings specified in this HttpRouteAction. + + * `backend_service`: The full or partial URL to the default BackendService resource. Before forwarding the request to backendService, the load balancer applies any relevant headerActions specified as part of this backendServiceWeight. + + * `weight`: Specifies the fraction of traffic sent to a backend service, computed as weight / (sum of all weightedBackendService weights in routeAction) . The selection of a backend service is determined only for new traffic. 
Once a user's request has been directed to a backend service, subsequent requests are sent to the same backend service as determined by the backend service's session affinity policy. The value must be from 0 to 1000. + + * `header_action`: The request and response header transformations that take effect before the request is passed along to the selected backendService. + + * `request_headers_to_remove`: A list of header names for headers that need to be removed from the request before forwarding the request to the backendService. + + * `request_headers_to_add`: Headers to add to a matching request before forwarding the request to the backendService. + + * `header_name`: The name of the header. + + * `header_value`: The value of the header to add. + + * `replace`: If false, headerValue is appended to any values that already exist for the header. If true, headerValue is set for the header, discarding any values that were set for that header. The default value is false. + + * `response_headers_to_remove`: A list of header names for headers that need to be removed from the response before sending the response back to the client. + + * `response_headers_to_add`: Headers to add the response before sending the response back to the client. + + * `header_name`: The name of the header. + + * `header_value`: The value of the header to add. + + * `replace`: If false, headerValue is appended to any values that already exist for the header. If true, headerValue is set for the header, discarding any values that were set for that header. The default value is false. + + * `url_rewrite`: The spec for modifying the path before sending the request to the matched backend service. + + * `path_prefix_rewrite`: Before forwarding the request to the selected backend service, the matching portion of the request's path is replaced by pathPrefixRewrite. The value must be from 1 to 1024 characters. 
+ + * `host_rewrite`: Before forwarding the request to the selected service, the request's host header is replaced with contents of hostRewrite. The value must be from 1 to 255 characters. + + * `path_template_rewrite`: If specified, the pattern rewrites the URL path (based on the :path header) using the HTTP template syntax. A corresponding path_template_match must be specified. Any template variables must exist in the path_template_match field. - -At least one variable must be specified in the path_template_match field - You can omit variables from the rewritten URL - The * and ** operators cannot be matched unless they have a corresponding variable name - e.g. {format=*} or {var=**}. For example, a path_template_match of /static/{format=**} could be rewritten as /static/content/{format} to prefix /content to the URL. Variables can also be re-ordered in a rewrite, so that /{country}/{format}/{suffix=**} can be rewritten as /content/{format}/{country}/{suffix}. At least one non-empty routeRules[].matchRules[].path_template_match is required. Only one of path_prefix_rewrite or path_template_rewrite may be specified. + + * `timeout`: A Duration represents a fixed-length span of time represented as a count of seconds and fractions of seconds at nanosecond resolution. It is independent of any calendar and concepts like "day" or "month". Range is approximately 10,000 years. + + * `seconds`: Span of time at a resolution of a second. Must be from 0 to 315,576,000,000 inclusive. Note: these bounds are computed from: 60 sec/min * 60 min/hr * 24 hr/day * 365.25 days/year * 10000 years + + * `nanos`: Span of time that's a fraction of a second at nanosecond resolution. Durations less than one second are represented with a 0 `seconds` field and a positive `nanos` field. Must be from 0 to 999,999,999 inclusive. + + * `retry_policy`: The retry policy associates with HttpRouteRule + + * `retry_conditions`: Specifies one or more conditions when this retry policy applies. 
Valid values are: - 5xx: retry is attempted if the instance or endpoint responds with any 5xx response code, or if the instance or endpoint does not respond at all. For example, disconnects, reset, read timeout, connection failure, and refused streams. - gateway-error: Similar to 5xx, but only applies to response codes 502, 503 or 504. - connect-failure: a retry is attempted on failures connecting to the instance or endpoint. For example, connection timeouts. - retriable-4xx: a retry is attempted if the instance or endpoint responds with a 4xx response code. The only error that you can retry is error code 409. - refused-stream: a retry is attempted if the instance or endpoint resets the stream with a REFUSED_STREAM error code. This reset type indicates that it is safe to retry. - cancelled: a retry is attempted if the gRPC status code in the response header is set to cancelled. - deadline-exceeded: a retry is attempted if the gRPC status code in the response header is set to deadline-exceeded. - internal: a retry is attempted if the gRPC status code in the response header is set to internal. - resource-exhausted: a retry is attempted if the gRPC status code in the response header is set to resource-exhausted. - unavailable: a retry is attempted if the gRPC status code in the response header is set to unavailable. Only the following codes are supported when the URL map is bound to target gRPC proxy that has validateForProxyless field set to true. - cancelled - deadline-exceeded - internal - resource-exhausted - unavailable + + * `num_retries`: Specifies the allowed number retries. This number must be > 0. If not specified, defaults to 1. + + * `per_try_timeout`: A Duration represents a fixed-length span of time represented as a count of seconds and fractions of seconds at nanosecond resolution. It is independent of any calendar and concepts like "day" or "month". Range is approximately 10,000 years. + + * `seconds`: Span of time at a resolution of a second. 
Must be from 0 to 315,576,000,000 inclusive. Note: these bounds are computed from: 60 sec/min * 60 min/hr * 24 hr/day * 365.25 days/year * 10000 years + + * `nanos`: Span of time that's a fraction of a second at nanosecond resolution. Durations less than one second are represented with a 0 `seconds` field and a positive `nanos` field. Must be from 0 to 999,999,999 inclusive. + + * `request_mirror_policy`: A policy that specifies how requests intended for the route's backends are shadowed to a separate mirrored backend service. The load balancer doesn't wait for responses from the shadow service. Before sending traffic to the shadow service, the host or authority header is suffixed with -shadow. + + * `backend_service`: The full or partial URL to the BackendService resource being mirrored to. The backend service configured for a mirroring policy must reference backends that are of the same type as the original backend service matched in the URL map. Serverless NEG backends are not currently supported as a mirrored backend service. + + * `cors_policy`: The specification for allowing client-side cross-origin requests. For more information about the W3C recommendation for cross-origin resource sharing (CORS), see Fetch API Living Standard. + + * `allow_origins`: Specifies the list of origins that is allowed to do CORS requests. An origin is allowed if it matches either an item in allowOrigins or an item in allowOriginRegexes. + + * `allow_origin_regexes`: Specifies a regular expression that matches allowed origins. For more information about the regular expression syntax, see Syntax. An origin is allowed if it matches either an item in allowOrigins or an item in allowOriginRegexes. Regular expressions can only be used when the loadBalancingScheme is set to INTERNAL_SELF_MANAGED. + + * `allow_methods`: Specifies the content for the Access-Control-Allow-Methods header. + + * `allow_headers`: Specifies the content for the Access-Control-Allow-Headers header. 
+ + * `expose_headers`: Specifies the content for the Access-Control-Expose-Headers header. + + * `max_age`: Specifies how long results of a preflight request can be cached in seconds. This field translates to the Access-Control-Max-Age header. + + * `allow_credentials`: In response to a preflight request, setting this to true indicates that the actual request can include user credentials. This field translates to the Access-Control-Allow-Credentials header. Default is false. + + * `disabled`: If true, the setting specifies the CORS policy is disabled. The default value of false, which indicates that the CORS policy is in effect. + + * `fault_injection_policy`: The specification for fault injection introduced into traffic to test the resiliency of clients to backend service failure. As part of fault injection, when clients send requests to a backend service, delays can be introduced by the load balancer on a percentage of requests before sending those request to the backend service. Similarly requests from clients can be aborted by the load balancer for a percentage of requests. + + * `delay`: Specifies the delay introduced by the load balancer before forwarding the request to the backend service as part of fault injection. + + * `fixed_delay`: A Duration represents a fixed-length span of time represented as a count of seconds and fractions of seconds at nanosecond resolution. It is independent of any calendar and concepts like "day" or "month". Range is approximately 10,000 years. + + * `seconds`: Span of time at a resolution of a second. Must be from 0 to 315,576,000,000 inclusive. Note: these bounds are computed from: 60 sec/min * 60 min/hr * 24 hr/day * 365.25 days/year * 10000 years + + * `nanos`: Span of time that's a fraction of a second at nanosecond resolution. Durations less than one second are represented with a 0 `seconds` field and a positive `nanos` field. Must be from 0 to 999,999,999 inclusive. 
+ + * `percentage`: The percentage of traffic for connections, operations, or requests for which a delay is introduced as part of fault injection. The value must be from 0.0 to 100.0 inclusive. + + * `abort`: Specification for how requests are aborted as part of fault injection. + + * `http_status`: The HTTP status code used to abort the request. The value must be from 200 to 599 inclusive. For gRPC protocol, the gRPC status code is mapped to HTTP status code according to this mapping table. HTTP status 200 is mapped to gRPC status UNKNOWN. Injecting an OK status is currently not supported by Traffic Director. + + * `percentage`: The percentage of traffic for connections, operations, or requests that is aborted as part of fault injection. The value must be from 0.0 to 100.0 inclusive. + + * `max_stream_duration`: A Duration represents a fixed-length span of time represented as a count of seconds and fractions of seconds at nanosecond resolution. It is independent of any calendar and concepts like "day" or "month". Range is approximately 10,000 years. + + * `seconds`: Span of time at a resolution of a second. Must be from 0 to 315,576,000,000 inclusive. Note: these bounds are computed from: 60 sec/min * 60 min/hr * 24 hr/day * 365.25 days/year * 10000 years + + * `nanos`: Span of time that's a fraction of a second at nanosecond resolution. Durations less than one second are represented with a 0 `seconds` field and a positive `nanos` field. Must be from 0 to 999,999,999 inclusive. + + * `url_redirect`: Specifies settings for an HTTP redirect. + + * `host_redirect`: The host that is used in the redirect response instead of the one that was supplied in the request. The value must be from 1 to 255 characters. + + * `path_redirect`: The path that is used in the redirect response instead of the one that was supplied in the request. pathRedirect cannot be supplied together with prefixRedirect. Supply one alone or neither. 
If neither is supplied, the path of the original request is used for the redirect. The value must be from 1 to 1024 characters. + + * `prefix_redirect`: The prefix that replaces the prefixMatch specified in the HttpRouteRuleMatch, retaining the remaining portion of the URL before redirecting the request. prefixRedirect cannot be supplied together with pathRedirect. Supply one alone or neither. If neither is supplied, the path of the original request is used for the redirect. The value must be from 1 to 1024 characters. + + * `redirect_response_code`: The HTTP Status code to use for this RedirectAction. Supported values are: - MOVED_PERMANENTLY_DEFAULT, which is the default value and corresponds to 301. - FOUND, which corresponds to 302. - SEE_OTHER which corresponds to 303. - TEMPORARY_REDIRECT, which corresponds to 307. In this case, the request method is retained. - PERMANENT_REDIRECT, which corresponds to 308. In this case, the request method is retained. + Possible values: + * FOUND + * MOVED_PERMANENTLY_DEFAULT + * PERMANENT_REDIRECT + * SEE_OTHER + * TEMPORARY_REDIRECT + + * `https_redirect`: If set to true, the URL scheme in the redirected request is set to HTTPS. If set to false, the URL scheme of the redirected request remains the same as that of the request. This must only be set for URL maps used in TargetHttpProxys. Setting this true for TargetHttpsProxy is not permitted. The default is set to false. + + * `strip_query`: If set to true, any accompanying query portion of the original URL is removed before redirecting the request. If set to false, the query portion of the original URL is retained. The default is set to false. + + * `header_action`: The request and response header transformations that take effect before the request is passed along to the selected backendService. + + * `request_headers_to_remove`: A list of header names for headers that need to be removed from the request before forwarding the request to the backendService. 
+ + * `request_headers_to_add`: Headers to add to a matching request before forwarding the request to the backendService. + + * `header_name`: The name of the header. + + * `header_value`: The value of the header to add. + + * `replace`: If false, headerValue is appended to any values that already exist for the header. If true, headerValue is set for the header, discarding any values that were set for that header. The default value is false. + + * `response_headers_to_remove`: A list of header names for headers that need to be removed from the response before sending the response back to the client. + + * `response_headers_to_add`: Headers to add the response before sending the response back to the client. + + * `header_name`: The name of the header. + + * `header_value`: The value of the header to add. + + * `replace`: If false, headerValue is appended to any values that already exist for the header. If true, headerValue is set for the header, discarding any values that were set for that header. The default value is false. + + * `http_filter_configs`: Outbound route specific configuration for networkservices.HttpFilter resources enabled by Traffic Director. httpFilterConfigs only applies for load balancers with loadBalancingScheme set to INTERNAL_SELF_MANAGED. See ForwardingRule for more details. Not supported when the URL map is bound to a target gRPC proxy that has validateForProxyless field set to true. + + * `filter_name`: Name of the networkservices.HttpFilter resource this configuration belongs to. This name must be known to the xDS client. Example: envoy.wasm + + * `config_type_url`: The fully qualified versioned proto3 type url of the protobuf that the filter expects for its contextual settings, for example: type.googleapis.com/google.protobuf.Struct + + * `config`: The configuration needed to enable the networkservices.HttpFilter resource. 
The configuration must be YAML formatted and only contain fields defined in the protobuf identified in configTypeUrl + + * `http_filter_metadata`: Outbound route specific metadata supplied to networkservices.HttpFilter resources enabled by Traffic Director. httpFilterMetadata only applies for load balancers with loadBalancingScheme set to INTERNAL_SELF_MANAGED. See ForwardingRule for more details. The only configTypeUrl supported is type.googleapis.com/google.protobuf.Struct Not supported when the URL map is bound to a target gRPC proxy that has validateForProxyless field set to true. + + * `filter_name`: Name of the networkservices.HttpFilter resource this configuration belongs to. This name must be known to the xDS client. Example: envoy.wasm + + * `config_type_url`: The fully qualified versioned proto3 type url of the protobuf that the filter expects for its contextual settings, for example: type.googleapis.com/google.protobuf.Struct + + * `config`: The configuration needed to enable the networkservices.HttpFilter resource. The configuration must be YAML formatted and only contain fields defined in the protobuf identified in configTypeUrl + + * `custom_error_response_policy`: Specifies the custom error response policy that must be applied when the backend service or backend bucket responds with an error. + + * `error_response_rules`: Specifies rules for returning error responses. In a given policy, if you specify rules for both a range of error codes as well as rules for specific error codes then rules with specific error codes have a higher priority. For example, assume that you configure a rule for 401 (Un-authorized) code, and another for all 4 series error codes (4XX). If the backend service returns a 401, then the rule for 401 will be applied. However if the backend service returns a 403, the rule for 4xx takes effect. 
+ + * `match_response_codes`: Valid values include: - A number between 400 and 599: For example 401 or 503, in which case the load balancer applies the policy if the error code exactly matches this value. - 5xx: Load Balancer will apply the policy if the backend service responds with any response code in the range of 500 to 599. - 4xx: Load Balancer will apply the policy if the backend service responds with any response code in the range of 400 to 499. Values must be unique within matchResponseCodes and across all errorResponseRules of CustomErrorResponsePolicy. + + * `path`: The full path to a file within backendBucket . For example: /errors/defaultError.html path must start with a leading slash. path cannot have trailing slashes. If the file is not available in backendBucket or the load balancer cannot reach the BackendBucket, a simple Not Found Error is returned to the client. The value must be from 1 to 1024 characters + + * `override_response_code`: The HTTP status code returned with the response containing the custom error content. If overrideResponseCode is not supplied, the same response code returned by the original backend bucket or backend service is returned to the client. + + * `error_service`: The full or partial URL to the BackendBucket resource that contains the custom error content. Examples are: - https://www.googleapis.com/compute/v1/projects/project/global/backendBuckets/myBackendBucket - compute/v1/projects/project/global/backendBuckets/myBackendBucket - global/backendBuckets/myBackendBucket If errorService is not specified at lower levels like pathMatcher, pathRule and routeRule, an errorService specified at a higher level in the UrlMap will be used. If UrlMap.defaultCustomErrorResponsePolicy contains one or more errorResponseRules[], it must specify errorService. If load balancer cannot reach the backendBucket, a simple Not Found Error will be returned, with the original response code (or overrideResponseCode if configured). 
errorService is not supported for internal or regional HTTP/HTTPS load balancers. + + * `header_action`: The request and response header transformations that take effect before the request is passed along to the selected backendService. + + * `request_headers_to_remove`: A list of header names for headers that need to be removed from the request before forwarding the request to the backendService. + + * `request_headers_to_add`: Headers to add to a matching request before forwarding the request to the backendService. + + * `header_name`: The name of the header. + + * `header_value`: The value of the header to add. + + * `replace`: If false, headerValue is appended to any values that already exist for the header. If true, headerValue is set for the header, discarding any values that were set for that header. The default value is false. + + * `response_headers_to_remove`: A list of header names for headers that need to be removed from the response before sending the response back to the client. + + * `response_headers_to_add`: Headers to add the response before sending the response back to the client. + + * `header_name`: The name of the header. + + * `header_value`: The value of the header to add. + + * `replace`: If false, headerValue is appended to any values that already exist for the header. If true, headerValue is set for the header, discarding any values that were set for that header. The default value is false. + + * `default_custom_error_response_policy`: Specifies the custom error response policy that must be applied when the backend service or backend bucket responds with an error. + + * `error_response_rules`: Specifies rules for returning error responses. In a given policy, if you specify rules for both a range of error codes as well as rules for specific error codes then rules with specific error codes have a higher priority. For example, assume that you configure a rule for 401 (Un-authorized) code, and another for all 4 series error codes (4XX). 
If the backend service returns a 401, then the rule for 401 will be applied. However if the backend service returns a 403, the rule for 4xx takes effect. + + * `match_response_codes`: Valid values include: - A number between 400 and 599: For example 401 or 503, in which case the load balancer applies the policy if the error code exactly matches this value. - 5xx: Load Balancer will apply the policy if the backend service responds with any response code in the range of 500 to 599. - 4xx: Load Balancer will apply the policy if the backend service responds with any response code in the range of 400 to 499. Values must be unique within matchResponseCodes and across all errorResponseRules of CustomErrorResponsePolicy. + + * `path`: The full path to a file within backendBucket . For example: /errors/defaultError.html path must start with a leading slash. path cannot have trailing slashes. If the file is not available in backendBucket or the load balancer cannot reach the BackendBucket, a simple Not Found Error is returned to the client. The value must be from 1 to 1024 characters + + * `override_response_code`: The HTTP status code returned with the response containing the custom error content. If overrideResponseCode is not supplied, the same response code returned by the original backend bucket or backend service is returned to the client. + + * `error_service`: The full or partial URL to the BackendBucket resource that contains the custom error content. Examples are: - https://www.googleapis.com/compute/v1/projects/project/global/backendBuckets/myBackendBucket - compute/v1/projects/project/global/backendBuckets/myBackendBucket - global/backendBuckets/myBackendBucket If errorService is not specified at lower levels like pathMatcher, pathRule and routeRule, an errorService specified at a higher level in the UrlMap will be used. If UrlMap.defaultCustomErrorResponsePolicy contains one or more errorResponseRules[], it must specify errorService. 
If load balancer cannot reach the backendBucket, a simple Not Found Error will be returned, with the original response code (or overrideResponseCode if configured). errorService is not supported for internal or regional HTTP/HTTPS load balancers. + + * `tests`: The list of expected URL mapping tests. Request to update the UrlMap succeeds only if all test cases pass. You can specify a maximum of 100 tests per UrlMap. Not supported when the URL map is bound to a target gRPC proxy that has validateForProxyless field set to true. + + * `description`: Description of this test case. + + * `host`: Host portion of the URL. If headers contains a host header, then host must also match the header value. + + * `path`: Path portion of the URL. + + * `backend_service_weight`: The weight to use for the supplied host and path when using advanced routing rules that involve traffic splitting. + + * `headers`: HTTP headers for this request. If headers contains a host header, then host must also match the header value. + + * `name`: Header name. + + * `value`: Header value. + + * `service`: Expected BackendService or BackendBucket resource the given URL should be mapped to. The service field cannot be set if expectedRedirectResponseCode is set. + + * `expected_url_redirect`: The expected URL that should be redirected to for the host and path being tested. [Deprecated] This field is deprecated. Use expected_output_url instead. + + * `expected_output_url`: The expected output URL evaluated by the load balancer containing the scheme, host, path and query parameters. For rules that forward requests to backends, the test passes only when expectedOutputUrl matches the request forwarded by the load balancer to backends. For rules with urlRewrite, the test verifies that the forwarded request matches hostRewrite and pathPrefixRewrite in the urlRewrite action. When service is specified, expectedOutputUrl`s scheme is ignored. 
For rules with urlRedirect, the test passes only if expectedOutputUrl matches the URL in the load balancer's redirect response. If urlRedirect specifies https_redirect, the test passes only if the scheme in expectedOutputUrl is also set to HTTPS. If urlRedirect specifies strip_query, the test passes only if expectedOutputUrl does not contain any query parameters. expectedOutputUrl is optional when service is specified. + + * `expected_redirect_response_code`: For rules with urlRedirect, the test passes only if expectedRedirectResponseCode matches the HTTP status code in load balancer's redirect response. expectedRedirectResponseCode cannot be set when service is set. + + * `default_service`: The full or partial URL of the defaultService resource to which traffic is directed if none of the hostRules match. If defaultRouteAction is also specified, advanced routing actions, such as URL rewrites, take effect before sending the request to the backend. However, if defaultService is specified, defaultRouteAction cannot contain any weightedBackendServices. Conversely, if routeAction specifies any weightedBackendServices, service must not be specified. Only one of defaultService, defaultUrlRedirect , or defaultRouteAction.weightedBackendService must be set. defaultService has no effect when the URL map is bound to a target gRPC proxy that has the validateForProxyless field set to true. + + * `default_route_action`: + + * `weighted_backend_services`: A list of weighted backend services to send traffic to when a route match occurs. The weights determine the fraction of traffic that flows to their corresponding backend service. If all traffic needs to go to a single backend service, there must be one weightedBackendService with weight set to a non-zero number. 
After a backend service is identified and before forwarding the request to the backend service, advanced routing actions such as URL rewrites and header transformations are applied depending on additional settings specified in this HttpRouteAction. + + * `backend_service`: The full or partial URL to the default BackendService resource. Before forwarding the request to backendService, the load balancer applies any relevant headerActions specified as part of this backendServiceWeight. + + * `weight`: Specifies the fraction of traffic sent to a backend service, computed as weight / (sum of all weightedBackendService weights in routeAction) . The selection of a backend service is determined only for new traffic. Once a user's request has been directed to a backend service, subsequent requests are sent to the same backend service as determined by the backend service's session affinity policy. The value must be from 0 to 1000. + + * `header_action`: The request and response header transformations that take effect before the request is passed along to the selected backendService. + + * `request_headers_to_remove`: A list of header names for headers that need to be removed from the request before forwarding the request to the backendService. + + * `request_headers_to_add`: Headers to add to a matching request before forwarding the request to the backendService. + + * `header_name`: The name of the header. + + * `header_value`: The value of the header to add. + + * `replace`: If false, headerValue is appended to any values that already exist for the header. If true, headerValue is set for the header, discarding any values that were set for that header. The default value is false. + + * `response_headers_to_remove`: A list of header names for headers that need to be removed from the response before sending the response back to the client. + + * `response_headers_to_add`: Headers to add the response before sending the response back to the client. 
+ + * `header_name`: The name of the header. + + * `header_value`: The value of the header to add. + + * `replace`: If false, headerValue is appended to any values that already exist for the header. If true, headerValue is set for the header, discarding any values that were set for that header. The default value is false. + + * `url_rewrite`: The spec for modifying the path before sending the request to the matched backend service. + + * `path_prefix_rewrite`: Before forwarding the request to the selected backend service, the matching portion of the request's path is replaced by pathPrefixRewrite. The value must be from 1 to 1024 characters. + + * `host_rewrite`: Before forwarding the request to the selected service, the request's host header is replaced with contents of hostRewrite. The value must be from 1 to 255 characters. + + * `path_template_rewrite`: If specified, the pattern rewrites the URL path (based on the :path header) using the HTTP template syntax. A corresponding path_template_match must be specified. Any template variables must exist in the path_template_match field. - -At least one variable must be specified in the path_template_match field - You can omit variables from the rewritten URL - The * and ** operators cannot be matched unless they have a corresponding variable name - e.g. {format=*} or {var=**}. For example, a path_template_match of /static/{format=**} could be rewritten as /static/content/{format} to prefix /content to the URL. Variables can also be re-ordered in a rewrite, so that /{country}/{format}/{suffix=**} can be rewritten as /content/{format}/{country}/{suffix}. At least one non-empty routeRules[].matchRules[].path_template_match is required. Only one of path_prefix_rewrite or path_template_rewrite may be specified. + + * `timeout`: A Duration represents a fixed-length span of time represented as a count of seconds and fractions of seconds at nanosecond resolution. 
It is independent of any calendar and concepts like "day" or "month". Range is approximately 10,000 years. + + * `seconds`: Span of time at a resolution of a second. Must be from 0 to 315,576,000,000 inclusive. Note: these bounds are computed from: 60 sec/min * 60 min/hr * 24 hr/day * 365.25 days/year * 10000 years + + * `nanos`: Span of time that's a fraction of a second at nanosecond resolution. Durations less than one second are represented with a 0 `seconds` field and a positive `nanos` field. Must be from 0 to 999,999,999 inclusive. + + * `retry_policy`: The retry policy associates with HttpRouteRule + + * `retry_conditions`: Specifies one or more conditions when this retry policy applies. Valid values are: - 5xx: retry is attempted if the instance or endpoint responds with any 5xx response code, or if the instance or endpoint does not respond at all. For example, disconnects, reset, read timeout, connection failure, and refused streams. - gateway-error: Similar to 5xx, but only applies to response codes 502, 503 or 504. - connect-failure: a retry is attempted on failures connecting to the instance or endpoint. For example, connection timeouts. - retriable-4xx: a retry is attempted if the instance or endpoint responds with a 4xx response code. The only error that you can retry is error code 409. - refused-stream: a retry is attempted if the instance or endpoint resets the stream with a REFUSED_STREAM error code. This reset type indicates that it is safe to retry. - cancelled: a retry is attempted if the gRPC status code in the response header is set to cancelled. - deadline-exceeded: a retry is attempted if the gRPC status code in the response header is set to deadline-exceeded. - internal: a retry is attempted if the gRPC status code in the response header is set to internal. - resource-exhausted: a retry is attempted if the gRPC status code in the response header is set to resource-exhausted. 
- unavailable: a retry is attempted if the gRPC status code in the response header is set to unavailable. Only the following codes are supported when the URL map is bound to target gRPC proxy that has validateForProxyless field set to true. - cancelled - deadline-exceeded - internal - resource-exhausted - unavailable + + * `num_retries`: Specifies the allowed number retries. This number must be > 0. If not specified, defaults to 1. + + * `per_try_timeout`: A Duration represents a fixed-length span of time represented as a count of seconds and fractions of seconds at nanosecond resolution. It is independent of any calendar and concepts like "day" or "month". Range is approximately 10,000 years. + + * `seconds`: Span of time at a resolution of a second. Must be from 0 to 315,576,000,000 inclusive. Note: these bounds are computed from: 60 sec/min * 60 min/hr * 24 hr/day * 365.25 days/year * 10000 years + + * `nanos`: Span of time that's a fraction of a second at nanosecond resolution. Durations less than one second are represented with a 0 `seconds` field and a positive `nanos` field. Must be from 0 to 999,999,999 inclusive. + + * `request_mirror_policy`: A policy that specifies how requests intended for the route's backends are shadowed to a separate mirrored backend service. The load balancer doesn't wait for responses from the shadow service. Before sending traffic to the shadow service, the host or authority header is suffixed with -shadow. + + * `backend_service`: The full or partial URL to the BackendService resource being mirrored to. The backend service configured for a mirroring policy must reference backends that are of the same type as the original backend service matched in the URL map. Serverless NEG backends are not currently supported as a mirrored backend service. + + * `cors_policy`: The specification for allowing client-side cross-origin requests. 
For more information about the W3C recommendation for cross-origin resource sharing (CORS), see Fetch API Living Standard. + + * `allow_origins`: Specifies the list of origins that is allowed to do CORS requests. An origin is allowed if it matches either an item in allowOrigins or an item in allowOriginRegexes. + + * `allow_origin_regexes`: Specifies a regular expression that matches allowed origins. For more information about the regular expression syntax, see Syntax. An origin is allowed if it matches either an item in allowOrigins or an item in allowOriginRegexes. Regular expressions can only be used when the loadBalancingScheme is set to INTERNAL_SELF_MANAGED. + + * `allow_methods`: Specifies the content for the Access-Control-Allow-Methods header. + + * `allow_headers`: Specifies the content for the Access-Control-Allow-Headers header. + + * `expose_headers`: Specifies the content for the Access-Control-Expose-Headers header. + + * `max_age`: Specifies how long results of a preflight request can be cached in seconds. This field translates to the Access-Control-Max-Age header. + + * `allow_credentials`: In response to a preflight request, setting this to true indicates that the actual request can include user credentials. This field translates to the Access-Control-Allow-Credentials header. Default is false. + + * `disabled`: If true, the setting specifies the CORS policy is disabled. The default value of false, which indicates that the CORS policy is in effect. + + * `fault_injection_policy`: The specification for fault injection introduced into traffic to test the resiliency of clients to backend service failure. As part of fault injection, when clients send requests to a backend service, delays can be introduced by the load balancer on a percentage of requests before sending those request to the backend service. Similarly requests from clients can be aborted by the load balancer for a percentage of requests. 
+ + * `delay`: Specifies the delay introduced by the load balancer before forwarding the request to the backend service as part of fault injection. + + * `fixed_delay`: A Duration represents a fixed-length span of time represented as a count of seconds and fractions of seconds at nanosecond resolution. It is independent of any calendar and concepts like "day" or "month". Range is approximately 10,000 years. + + * `seconds`: Span of time at a resolution of a second. Must be from 0 to 315,576,000,000 inclusive. Note: these bounds are computed from: 60 sec/min * 60 min/hr * 24 hr/day * 365.25 days/year * 10000 years + + * `nanos`: Span of time that's a fraction of a second at nanosecond resolution. Durations less than one second are represented with a 0 `seconds` field and a positive `nanos` field. Must be from 0 to 999,999,999 inclusive. + + * `percentage`: The percentage of traffic for connections, operations, or requests for which a delay is introduced as part of fault injection. The value must be from 0.0 to 100.0 inclusive. + + * `abort`: Specification for how requests are aborted as part of fault injection. + + * `http_status`: The HTTP status code used to abort the request. The value must be from 200 to 599 inclusive. For gRPC protocol, the gRPC status code is mapped to HTTP status code according to this mapping table. HTTP status 200 is mapped to gRPC status UNKNOWN. Injecting an OK status is currently not supported by Traffic Director. + + * `percentage`: The percentage of traffic for connections, operations, or requests that is aborted as part of fault injection. The value must be from 0.0 to 100.0 inclusive. + + * `max_stream_duration`: A Duration represents a fixed-length span of time represented as a count of seconds and fractions of seconds at nanosecond resolution. It is independent of any calendar and concepts like "day" or "month". Range is approximately 10,000 years. + + * `seconds`: Span of time at a resolution of a second. 
Must be from 0 to 315,576,000,000 inclusive. Note: these bounds are computed from: 60 sec/min * 60 min/hr * 24 hr/day * 365.25 days/year * 10000 years + + * `nanos`: Span of time that's a fraction of a second at nanosecond resolution. Durations less than one second are represented with a 0 `seconds` field and a positive `nanos` field. Must be from 0 to 999,999,999 inclusive. + + * `default_url_redirect`: Specifies settings for an HTTP redirect. + + * `host_redirect`: The host that is used in the redirect response instead of the one that was supplied in the request. The value must be from 1 to 255 characters. + + * `path_redirect`: The path that is used in the redirect response instead of the one that was supplied in the request. pathRedirect cannot be supplied together with prefixRedirect. Supply one alone or neither. If neither is supplied, the path of the original request is used for the redirect. The value must be from 1 to 1024 characters. + + * `prefix_redirect`: The prefix that replaces the prefixMatch specified in the HttpRouteRuleMatch, retaining the remaining portion of the URL before redirecting the request. prefixRedirect cannot be supplied together with pathRedirect. Supply one alone or neither. If neither is supplied, the path of the original request is used for the redirect. The value must be from 1 to 1024 characters. + + * `redirect_response_code`: The HTTP Status code to use for this RedirectAction. Supported values are: - MOVED_PERMANENTLY_DEFAULT, which is the default value and corresponds to 301. - FOUND, which corresponds to 302. - SEE_OTHER which corresponds to 303. - TEMPORARY_REDIRECT, which corresponds to 307. In this case, the request method is retained. - PERMANENT_REDIRECT, which corresponds to 308. In this case, the request method is retained. 
+ Possible values: + * FOUND + * MOVED_PERMANENTLY_DEFAULT + * PERMANENT_REDIRECT + * SEE_OTHER + * TEMPORARY_REDIRECT + + * `https_redirect`: If set to true, the URL scheme in the redirected request is set to HTTPS. If set to false, the URL scheme of the redirected request remains the same as that of the request. This must only be set for URL maps used in TargetHttpProxys. Setting this true for TargetHttpsProxy is not permitted. The default is set to false. + + * `strip_query`: If set to true, any accompanying query portion of the original URL is removed before redirecting the request. If set to false, the query portion of the original URL is retained. The default is set to false. + + * `header_action`: The request and response header transformations that take effect before the request is passed along to the selected backendService. + + * `request_headers_to_remove`: A list of header names for headers that need to be removed from the request before forwarding the request to the backendService. + + * `request_headers_to_add`: Headers to add to a matching request before forwarding the request to the backendService. + + * `header_name`: The name of the header. + + * `header_value`: The value of the header to add. + + * `replace`: If false, headerValue is appended to any values that already exist for the header. If true, headerValue is set for the header, discarding any values that were set for that header. The default value is false. + + * `response_headers_to_remove`: A list of header names for headers that need to be removed from the response before sending the response back to the client. + + * `response_headers_to_add`: Headers to add the response before sending the response back to the client. + + * `header_name`: The name of the header. + + * `header_value`: The value of the header to add. + + * `replace`: If false, headerValue is appended to any values that already exist for the header. 
If true, headerValue is set for the header, discarding any values that were set for that header. The default value is false. + + * `default_custom_error_response_policy`: Specifies the custom error response policy that must be applied when the backend service or backend bucket responds with an error. + + * `error_response_rules`: Specifies rules for returning error responses. In a given policy, if you specify rules for both a range of error codes as well as rules for specific error codes then rules with specific error codes have a higher priority. For example, assume that you configure a rule for 401 (Un-authorized) code, and another for all 4 series error codes (4XX). If the backend service returns a 401, then the rule for 401 will be applied. However if the backend service returns a 403, the rule for 4xx takes effect. + + * `match_response_codes`: Valid values include: - A number between 400 and 599: For example 401 or 503, in which case the load balancer applies the policy if the error code exactly matches this value. - 5xx: Load Balancer will apply the policy if the backend service responds with any response code in the range of 500 to 599. - 4xx: Load Balancer will apply the policy if the backend service responds with any response code in the range of 400 to 499. Values must be unique within matchResponseCodes and across all errorResponseRules of CustomErrorResponsePolicy. + + * `path`: The full path to a file within backendBucket . For example: /errors/defaultError.html path must start with a leading slash. path cannot have trailing slashes. If the file is not available in backendBucket or the load balancer cannot reach the BackendBucket, a simple Not Found Error is returned to the client. The value must be from 1 to 1024 characters + + * `override_response_code`: The HTTP status code returned with the response containing the custom error content. 
If overrideResponseCode is not supplied, the same response code returned by the original backend bucket or backend service is returned to the client. + + * `error_service`: The full or partial URL to the BackendBucket resource that contains the custom error content. Examples are: - https://www.googleapis.com/compute/v1/projects/project/global/backendBuckets/myBackendBucket - compute/v1/projects/project/global/backendBuckets/myBackendBucket - global/backendBuckets/myBackendBucket If errorService is not specified at lower levels like pathMatcher, pathRule and routeRule, an errorService specified at a higher level in the UrlMap will be used. If UrlMap.defaultCustomErrorResponsePolicy contains one or more errorResponseRules[], it must specify errorService. If load balancer cannot reach the backendBucket, a simple Not Found Error will be returned, with the original response code (or overrideResponseCode if configured). errorService is not supported for internal or regional HTTP/HTTPS load balancers. + + * `fingerprint`: Fingerprint of this resource. A hash of the contents stored in this object. This field is used in optimistic locking. This field is ignored when inserting a UrlMap. An up-to-date fingerprint must be provided in order to update the UrlMap, otherwise the request will fail with error 412 conditionNotMet. To see the latest fingerprint, make a get() request to retrieve a UrlMap. + + * `region`: [Output Only] URL of the region where the regional URL map resides. This field is not applicable to global URL maps. You must specify this field as part of the HTTP request URL. It is not settable as a field in the request body. + + +## GCP permissions + +Ensure the [Compute Engine API](https://console.cloud.google.com/apis/library/compute.googleapis.com/) is enabled for the current project. 
diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_region_url_maps.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_region_url_maps.md
new file mode 100644
index 0000000..572a6a7
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_region_url_maps.md
@@ -0,0 +1,53 @@
++++
+title = "google_compute_region_url_maps resource"
+
+draft = false
+
+
+[menu.gcp]
+title = "google_compute_region_url_maps"
+identifier = "inspec/resources/gcp/google_compute_region_url_maps resource"
+parent = "inspec/resources/gcp"
++++
+
+Use the `google_compute_region_url_maps` InSpec audit resource to to test a Google Cloud RegionUrlMap resource.
+
+## Examples
+
+```ruby
+ describe google_compute_region_url_maps(project: 'chef-gcp-inspec', region: ' value_region') do
+ it { should exist }
+ end
+```
+
+## Properties
+
+Properties that can be accessed from the `google_compute_region_url_maps` resource:
+
+See [google_compute_region_url_map](google_compute_region_url_map) for more detailed information.
+
+ * `kinds`: an array of `google_compute_region_url_map` kind
+ * `ids`: an array of `google_compute_region_url_map` id
+ * `creation_timestamps`: an array of `google_compute_region_url_map` creation_timestamp
+ * `names`: an array of `google_compute_region_url_map` name
+ * `descriptions`: an array of `google_compute_region_url_map` description
+ * `self_links`: an array of `google_compute_region_url_map` self_link
+ * `host_rules`: an array of `google_compute_region_url_map` host_rules
+ * `path_matchers`: an array of `google_compute_region_url_map` path_matchers
+ * `tests`: an array of `google_compute_region_url_map` tests
+ * `default_services`: an array of `google_compute_region_url_map` default_service
+ * `default_route_actions`: an array of `google_compute_region_url_map` default_route_action
+ * `default_url_redirects`: an array of `google_compute_region_url_map` default_url_redirect
+ * `header_actions`: an array of `google_compute_region_url_map` header_action
+ * `default_custom_error_response_policies`: an array of `google_compute_region_url_map` default_custom_error_response_policy
+ * `fingerprints`: an array of `google_compute_region_url_map` fingerprint
+ * `regions`: an array of `google_compute_region_url_map` region
+ 
+## Filter criteria
+
+This resource supports all of the above properties as filter criteria, which can be used
+with `where` as a block or a method.
+
+## GCP permissions
+
+Ensure the [Compute Engine API](https://console.cloud.google.com/apis/library/compute.googleapis.com/) is enabled for the current project.
diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_regional_disk.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_regional_disk.md
new file mode 100644
index 0000000..503eac4
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_regional_disk.md
@@ -0,0 +1,65 @@
++++
+title = "google_compute_regional_disk resource"
+
+draft = false
+
+
+[menu.gcp]
+title = "google_compute_regional_disk"
+identifier = "inspec/resources/gcp/google_compute_regional_disk resource"
+parent = "inspec/resources/gcp"
++++
+
+## Syntax
+
+A `google_compute_regional_disk` is used to test a Google Regional Disk resource.
+
+## Examples
+
+```ruby
+describe google_compute_regional_disk(project: 'chef-gcp-inspec', name: 'my_disk', region: 'region') do
+ it { should exist }
+ its('type') { should match 'pd-standard' }
+end
+
+describe.one do
+ google_compute_regional_disk(project: 'chef-gcp-inspec', name: 'my_disk', region: 'region').labels.each_pair do |key, value|
+ describe key do
+ it { should cmp "environment" }
+ end
+ end
+end
+
+describe google_compute_regional_disk(project: 'chef-gcp-inspec', name: 'nonexistent', region: 'region') do
+ it { should_not exist }
+end
+```
+
+## Properties
+
+Properties that can be accessed from the `google_compute_regional_disk` resource:
+
+ * `label_fingerprint`: The fingerprint used for optimistic locking of this resource. Used internally during updates.
+
+ * `creation_timestamp`: Creation timestamp in RFC3339 text format.
+
+ * `description`: An optional description of this resource. Provide this property when you create the resource.
+
+ * `id`: The unique identifier for the resource.
+
+ * `name`: Name of the resource. Provided by the client when the resource is created. The name must be 1-63 characters long, and comply with RFC1035. Specifically, the name must be 1-63 characters long and match the regular expression `[a-z]([-a-z0-9]*[a-z0-9])?` which means the first character must be a lowercase letter, and all following characters must be a dash, lowercase letter, or digit, except the last character, which cannot be a dash.
+
+ * `size_gb`: Size of the persistent disk, specified in GB. 
You can specify this field when creating a persistent disk using the sourceImage or sourceSnapshot parameter, or specify it alone to create an empty persistent disk. If you specify this field along with sourceImage or sourceSnapshot, the value of sizeGb must not be less than the size of the sourceImage or the size of the snapshot.
+
+ * `physical_block_size_bytes`: Physical block size of the persistent disk, in bytes. If not present in a request, a default value is used. Currently supported sizes are 4096 and 16384, other sizes may be added in the future. If an unsupported value is requested, the error message will list the supported values for the caller's project.
+
+ * `type`: URL of the disk type resource describing which disk type to use to create the disk. Provide this when creating the disk.
+
+ * `region`: A reference to the region where the disk resides.
+
+ * `replica_zones`: A reference to the zones where the disk resides.
+
+
+## GCP permissions
+
+Ensure the [Compute Engine API](https://console.cloud.google.com/apis/library/compute.googleapis.com/) is enabled for the current project.
diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_regional_disks.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_regional_disks.md
new file mode 100644
index 0000000..564d9f7
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_regional_disks.md
@@ -0,0 +1,70 @@
++++
+title = "google_compute_regional_disks resource"
+
+draft = false
+
+
+[menu.gcp]
+title = "google_compute_regional_disks"
+identifier = "inspec/resources/gcp/google_compute_regional_disks resource"
+parent = "inspec/resources/gcp"
++++
+
+## Syntax
+
+A `google_compute_regional_disks` is used to test a Google Regional Disk resource
+
+
+## Beta Resource
+This resource has beta fields available. To retrieve these fields, include `beta: true` in the constructor for the resource.
+
+## Examples
+
+```ruby
+most_recent_image = google_compute_image(project: 'debian-cloud', name: 'debian-10-buster-v20191014')
+describe google_compute_regional_disks(project: 'chef-gcp-inspec', region: 'region') do
+ it { should exist }
+ its('names') { should include 'inspec-snapshot-disk' }
+ its('source_images') { should include most_recent_image.self_link }
+end
+```
+
+## Properties
+
+Properties that can be accessed from the `google_compute_regional_disks` resource:
+
+See [google_compute_regional_disk](google_compute_regional_disk) for more detailed information. 
+
+ * `ids`: an array of `google_compute_regional_disk` id
+ * `creation_timestamps`: an array of `google_compute_regional_disk` creation_timestamp
+ * `names`: an array of `google_compute_regional_disk` name
+ * `descriptions`: an array of `google_compute_regional_disk` description
+ * `size_gbs`: an array of `google_compute_regional_disk` size_gb
+ * `zones`: an array of `google_compute_zoneal_disk` zone
+ * `source_snapshots`: an array of `google_compute_regional_disk` source_snapshot
+ * `source_snapshot_encryption_keys`: an array of `google_compute_regional_disk` source_snapshot_encryption_key
+ * `source_snapshot_ids`: an array of `google_compute_regional_disk` source_snapshot_id
+ * `source_images`: an array of `google_compute_regional_disk` source_image
+ * `source_image_ids`: an array of `google_compute_regional_disk` source_image_id
+ * `source_image_encryption_keys`: an array of `google_compute_regional_disk` source_image_encryption_key
+ * `types`: an array of `google_compute_regional_disk` type
+ * `licenses`: an array of `google_compute_regional_disk` licenses
+ * `last_attach_timestamps`: an array of `google_compute_regional_disk` last_attach_timestamp
+ * `last_detach_timestamps`: an array of `google_compute_regional_disk` last_detach_timestamp
+ * `users`: an array of `google_compute_regional_disk` users
+ * `disk_encryption_keys`: an array of `google_compute_regional_disk` disk_encryption_key
+ * `labels`: an array of `google_compute_regional_disk` labels
+ * `label_fingerprints`: an array of `google_compute_regional_disk` label_fingerprint
+ * `physical_block_size_bytes`: an array of `google_compute_regional_disk` physical_block_size_bytes
+ * `regions`: an array of `google_compute_regional_disk` region
+ * `replica_zones`: an array of `google_compute_regional_disk` replica_zone
+ * `statuses`: an array of `google_compute_statusal_disk` status
+
+## Filter criteria
+
+This resource supports all of the above properties as filter criteria, which 
can be used
+with `where` as a block or a method.
+
+## GCP permissions
+
+Ensure the [Compute Engine API](https://console.cloud.google.com/apis/library/compute.googleapis.com/) is enabled for the current project.
diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_regions.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_regions.md
new file mode 100644
index 0000000..facecc0
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_regions.md
@@ -0,0 +1,92 @@
++++
+title = "google_compute_regions resource"
+
+draft = false
+
+
+[menu.gcp]
+title = "google_compute_regions"
+identifier = "inspec/resources/gcp/google_compute_regions resource"
+parent = "inspec/resources/gcp"
++++
+
+## Syntax
+
+A `google_compute_regions` is used to test a Google Region resource
+
+
+## Beta Resource
+This resource has beta fields available. To retrieve these fields, include `beta: true` in the constructor for the resource.
+
+## Examples
+
+```ruby
+describe google_compute_regions(project: 'chef-gcp-inspec') do
+ its('count') { should be >= 1 }
+ its('region_names') { should include "#{gcp_location}" }
+ its('region_statuses') { should_not include "DOWN" }
+ its('region_ids') { should include "1290" }
+end
+
+```
+ ### Use this InSpec resource to enumerate IDs then test in-depth using `google_compute_region`
+```
+ google_compute_regions(project: 'chef-inspec-gcp').region_names.each do |region_name|
+ describe google_compute_region(project: 'chef-inspec-gcp', region: region_name) do
+ it { should be_up }
+ end
+ end
+```
+
+ ### Test that there are more than a specified number of regions available for the project
+```
+ describe google_compute_regions(project: 'chef-inspec-gcp') do
+ its('count') { should be >= 10}
+ end
+```
+ ### Test that an expected region is available for the project
+```
+ describe google_compute_regions(project: 'chef-inspec-gcp') do
+ its('region_names') { should include 'europe-west2' }
+ end
+```
+ ### Test whether any regions are in status "DOWN"
+```
+ describe google_compute_regions(project: 'chef-inspec-gcp') do
+ its('region_statuses') { should_not include "DOWN" }
+ end
+```
+
+ ### Test that a subset of all regions matching "europe*" are "UP"
+```
+ google_compute_regions(project: gcp_project_id).where(region_name: /^europe/).region_names.each do |region_name|
+ describe google_compute_region(project: 'chef-inspec-gcp', region: region_name) do
+ it { should be_up }
+ end
+ end
+
+```
+ 
+## Properties
+
+Properties that can be accessed from the `google_compute_regions` resource:
+
+See [google_compute_region](google_compute_region) for more detailed information.
+
+ * `creation_timestamps`: an array of `google_compute_region` creation_timestamp
+ * `deprecateds`: an array of `google_compute_region` deprecated
+ * `descriptions`: an array of `google_compute_region` description
+ * `region_ids`: an array of `google_compute_region` id
+ * `region_names`: an array of `google_compute_region` name
+ * `quotas`: an array of `google_compute_region` quotas
+ * `region_statuses`: an array of `google_compute_region` status
+ * `zones`: an array of `google_compute_region` zones
+
+## Filter criteria
+
+This resource supports all of the above properties as filter criteria, which can be used
+with `where` as a block or a method.
+
+## GCP permissions
+
+Ensure the [Compute Engine API](https://console.cloud.google.com/apis/library/compute.googleapis.com/) is enabled for the current project.
diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_reservation.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_reservation.md
new file mode 100644
index 0000000..446ed8b
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_reservation.md
@@ -0,0 +1,187 @@
++++
+title = "google_compute_reservation resource"
+
+draft = false
+
+
+[menu.gcp]
+title = "google_compute_reservation"
+identifier = "inspec/resources/gcp/google_compute_reservation resource"
+parent = "inspec/resources/gcp"
++++
+
+Use the `google_compute_reservation` InSpec audit resource to to test a Google Cloud Reservation resource.
+
+## Examples
+
+```ruby
+describe google_compute_reservation(project: 'chef-gcp-inspec', name: ' value_name', zone: ' value_zone') do
+ it { should exist }
+ its('kind') { should cmp 'value_kind' }
+ its('id') { should cmp 'value_id' }
+ its('creation_timestamp') { should cmp 'value_creationtimestamp' }
+ its('self_link') { should cmp 'value_selflink' }
+ its('self_link_with_id') { should cmp 'value_selflinkwithid' }
+ its('zone') { should cmp 'value_zone' }
+ its('description') { should cmp 'value_description' }
+ its('name') { should cmp 'value_name' }
+ its('commitment') { should cmp 'value_commitment' }
+ its('status') { should cmp 'value_status' }
+ its('delete_at_time') { should cmp 'value_deleteattime' }
+
+end
+
+describe google_compute_reservation(project: 'chef-gcp-inspec', name: "does_not_exit", zone: ' value_zone') do
+ it { should_not exist }
+end
+```
+
+## Properties
+
+Properties that can be accessed from the `google_compute_reservation` resource:
+
+
+ * `kind`: [Output Only] Type of the resource. Always compute#reservations for reservations.
+
+ * `id`: [Output Only] The unique identifier for the resource. This identifier is defined by the server.
+
+ * `creation_timestamp`: [Output Only] Creation timestamp in RFC3339 text format.
+
+ * `self_link`: [Output Only] Server-defined fully-qualified URL for this resource.
+
+ * `self_link_with_id`: [Output Only] Server-defined URL for this resource with the resource id.
+
+ * `zone`: Zone in which the reservation resides. A zone must be provided if the reservation is created within a commitment. 
+
+ * `description`: An optional description of this resource. Provide this property when you create the resource.
+
+ * `name`: The name of the resource, provided by the client when initially creating the resource. The resource name must be 1-63 characters long, and comply with RFC1035. Specifically, the name must be 1-63 characters long and match the regular expression `[a-z]([-a-z0-9]*[a-z0-9])?` which means the first character must be a lowercase letter, and all following characters must be a dash, lowercase letter, or digit, except the last character, which cannot be a dash.
+
+ * `specific_reservation`: This reservation type allows to pre allocate specific instance configuration. Next ID: 6
+
+ * `instance_properties`: Properties of the SKU instances being reserved. Next ID: 9
+
+ * `machine_type`: Specifies type of machine (name only) which has fixed number of vCPUs and fixed amount of memory. This also includes specifying custom machine type following custom-NUMBER_OF_CPUS-AMOUNT_OF_MEMORY pattern.
+
+ * `guest_accelerators`: Specifies accelerator type and count.
+
+ * `accelerator_type`: Full or partial URL of the accelerator type resource to attach to this instance. For example: projects/my-project/zones/us-central1-c/acceleratorTypes/nvidia-tesla-p100 If you are creating an instance template, specify only the accelerator name. See GPUs on Compute Engine for a full list of accelerator types.
+
+ * `accelerator_count`: The number of the guest accelerator cards exposed to this instance.
+
+ * `min_cpu_platform`: Minimum cpu platform the reservation.
+
+ * `local_ssds`: Specifies amount of local ssd to reserve with each instance. The type of disk is local-ssd.
+
+ * `disk_size_gb`: Specifies the size of the disk in base-2 GB.
+
+ * `interface`: Specifies the disk interface to use for attaching this disk, which is either SCSI or NVME. The default is SCSI. For performance characteristics of SCSI over NVMe, see Local SSD performance. 
+ Possible values:
+ * NVDIMM
+ * NVME
+ * SCSI
+
+ * `maintenance_freeze_duration_hours`: Specifies the number of hours after reservation creation where instances using the reservation won't be scheduled for maintenance.
+
+ * `location_hint`: An opaque location hint used to place the allocation close to other resources. This field is for use by internal tools that use the public API.
+
+ * `maintenance_interval`: Specifies the frequency of planned maintenance events. The accepted values are: `PERIODIC`.
+ Possible values:
+ * AS_NEEDED
+ * PERIODIC
+ * RECURRENT
+
+ * `count`: Specifies the number of resources that are allocated.
+
+ * `in_use_count`: [Output Only] Indicates how many instances are in use.
+
+ * `assured_count`: [Output Only] Indicates how many instances are actually usable currently.
+
+ * `source_instance_template`: Specifies the instance template to create the reservation. If you use this field, you must exclude the instanceProperties field. This field is optional, and it can be a full or partial URL. For example, the following are all valid URLs to an instance template: - https://www.googleapis.com/compute/v1/projects/project /global/instanceTemplates/instanceTemplate - projects/project/global/instanceTemplates/instanceTemplate - global/instanceTemplates/instanceTemplate
+
+ * `aggregate_reservation`: This reservation type is specified by total resource amounts (e.g. total count of CPUs) and can account for multiple instance SKUs. In other words, one can create instances of varying shapes against this reservation.
+
+ * `vm_family`: The VM family that all instances scheduled against this reservation must belong to.
+ Possible values:
+ * VM_FAMILY_CLOUD_TPU_LITE_DEVICE_CT5L
+ * VM_FAMILY_CLOUD_TPU_LITE_POD_SLICE_CT5LP
+ * VM_FAMILY_CLOUD_TPU_POD_SLICE_CT4P
+
+ * `reserved_resources`: List of reserved resources (CPUs, memory, accelerators).
+
+ * `accelerator`:
+
+ * `accelerator_count`: Number of accelerators of specified type. 
+
+ * `accelerator_type`: Full or partial URL to accelerator type. e.g. "projects/{PROJECT}/zones/{ZONE}/acceleratorTypes/ct4l"
+
+ * `in_use_resources`: [Output only] List of resources currently in use.
+
+ * `accelerator`:
+
+ * `accelerator_count`: Number of accelerators of specified type.
+
+ * `accelerator_type`: Full or partial URL to accelerator type. e.g. "projects/{PROJECT}/zones/{ZONE}/acceleratorTypes/ct4l"
+
+ * `workload_type`: The workload type of the instances that will target this reservation.
+ Possible values:
+ * BATCH
+ * SERVING
+ * UNSPECIFIED
+
+ * `commitment`: [Output Only] Full or partial URL to a parent commitment. This field displays for reservations that are tied to a commitment.
+
+ * `specific_reservation_required`: Indicates whether the reservation can be consumed by VMs with affinity for "any" reservation. If the field is set, then only VMs that target the reservation by name can consume from this reservation.
+
+ * `status`: [Output Only] The status of the reservation.
+ Possible values:
+ * CREATING
+ * DELETING
+ * INVALID
+ * READY
+ * UPDATING
+
+ * `share_settings`: The share setting for reservations and sole tenancy node groups.
+
+ * `share_type`: Type of sharing for this shared-reservation
+ Possible values:
+ * DIRECT_PROJECTS_UNDER_SPECIFIC_FOLDERS
+ * LOCAL
+ * ORGANIZATION
+ * SHARE_TYPE_UNSPECIFIED
+ * SPECIFIC_PROJECTS
+
+ * `projects`: A List of Project names to specify consumer projects for this shared-reservation. This is only valid when share_type's value is SPECIFIC_PROJECTS.
+
+ * `project_map`: A map of project id and project config. This is only valid when share_type's value is SPECIFIC_PROJECTS.
+
+ * `additional_properties`: Config for each project in the share settings.
+
+ * `folder_map`: A map of folder id and folder config to specify consumer projects for this shared-reservation. This is only valid when share_type's value is DIRECT_PROJECTS_UNDER_SPECIFIC_FOLDERS. 
Folder id should be a string of number, and without "folders/" prefix.
+
+ * `additional_properties`: Config for each folder in the share settings.
+
+ * `satisfies_pzs`: [Output Only] Reserved for future use.
+
+ * `resource_policies`: Resource policies to be added to this reservation. The key is defined by user, and the value is resource policy url. This is to define placement policy with reservation.
+
+ * `additional_properties`:
+
+ * `resource_status`: [Output Only] Contains output only fields.
+
+ * `specific_sku_allocation`: Contains Properties set for the reservation.
+
+ * `source_instance_template_id`: ID of the instance template used to populate reservation properties.
+
+ * `delete_at_time`: Absolute time in future when the reservation will be auto-deleted by Compute Engine. Timestamp is represented in RFC3339 text format.
+
+ * `delete_after_duration`: A Duration represents a fixed-length span of time represented as a count of seconds and fractions of seconds at nanosecond resolution. It is independent of any calendar and concepts like "day" or "month". Range is approximately 10,000 years.
+
+ * `seconds`: Span of time at a resolution of a second. Must be from 0 to 315,576,000,000 inclusive. Note: these bounds are computed from: 60 sec/min * 60 min/hr * 24 hr/day * 365.25 days/year * 10000 years
+
+ * `nanos`: Span of time that's a fraction of a second at nanosecond resolution. Durations less than one second are represented with a 0 `seconds` field and a positive `nanos` field. Must be from 0 to 999,999,999 inclusive.
+
+
+## GCP permissions
+
+Ensure the [Compute Engine API](https://console.cloud.google.com/apis/library/compute.googleapis.com/) is enabled for the current project.
diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_reservations.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_reservations.md
new file mode 100644
index 0000000..4c22866
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_reservations.md 
@@ -0,0 +1,56 @@
++++
+title = "google_compute_reservations resource"
+
+draft = false
+
+
+[menu.gcp]
+title = "google_compute_reservations"
+identifier = "inspec/resources/gcp/google_compute_reservations resource"
+parent = "inspec/resources/gcp"
++++
+
+Use the `google_compute_reservations` InSpec audit resource to to test a Google Cloud Reservation resource.
+
+## Examples
+
+```ruby
+ describe google_compute_reservations(project: 'chef-gcp-inspec', zone: ' value_zone') do
+ it { should exist }
+ end
+```
+
+## Properties
+
+Properties that can be accessed from the `google_compute_reservations` resource:
+
+See [google_compute_reservation](google_compute_reservation) for more detailed information.
+
+ * `kinds`: an array of `google_compute_reservation` kind
+ * `ids`: an array of `google_compute_reservation` id
+ * `creation_timestamps`: an array of `google_compute_reservation` creation_timestamp
+ * `self_links`: an array of `google_compute_reservation` self_link
+ * `self_link_with_ids`: an array of `google_compute_reservation` self_link_with_id
+ * `zones`: an array of `google_compute_reservation` zone
+ * `descriptions`: an array of `google_compute_reservation` description
+ * `names`: an array of `google_compute_reservation` name
+ * `specific_reservations`: an array of `google_compute_reservation` specific_reservation
+ * `aggregate_reservations`: an array of `google_compute_reservation` aggregate_reservation
+ * `commitments`: an array of `google_compute_reservation` commitment
+ * `specific_reservation_requireds`: an array of `google_compute_reservation` specific_reservation_required
+ * `statuses`: an array of `google_compute_reservation` status
+ * `share_settings`: an array of `google_compute_reservation` share_settings
+ * `satisfies_pzs`: an array of `google_compute_reservation` satisfies_pzs
+ * `resource_policies`: an array of `google_compute_reservation` resource_policies
+ * `resource_statuses`: an array of `google_compute_reservation` 
resource_status
+ * `delete_at_times`: an array of `google_compute_reservation` delete_at_time
+ * `delete_after_durations`: an array of `google_compute_reservation` delete_after_duration
+
+## Filter criteria
+
+This resource supports all of the above properties as filter criteria, which can be used
+with `where` as a block or a method.
+
+## GCP permissions
+
+Ensure the [Compute Engine API](https://console.cloud.google.com/apis/library/compute.googleapis.com/) is enabled for the current project.
diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_resource_policies.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_resource_policies.md
new file mode 100644
index 0000000..cf0269a
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_resource_policies.md
@@ -0,0 +1,51 @@
++++
+title = "google_compute_resource_policies resource"
+
+draft = false
+
+
+[menu.gcp]
+title = "google_compute_resource_policies"
+identifier = "inspec/resources/gcp/google_compute_resource_policies resource"
+parent = "inspec/resources/gcp"
++++
+
+Use the `google_compute_resource_policies` InSpec audit resource to to test a Google Cloud ResourcePolicy resource.
+
+## Examples
+
+```ruby
+ describe google_compute_resource_policies(project: 'chef-gcp-inspec', region: ' value_region') do
+ it { should exist }
+ end
+```
+
+## Properties
+
+Properties that can be accessed from the `google_compute_resource_policies` resource:
+
+See [google_compute_resource_policy](google_compute_resource_policy) for more detailed information.
+
+ * `kinds`: an array of `google_compute_resource_policy` kind
+ * `ids`: an array of `google_compute_resource_policy` id
+ * `creation_timestamps`: an array of `google_compute_resource_policy` creation_timestamp
+ * `self_links`: an array of `google_compute_resource_policy` self_link
+ * `self_link_with_ids`: an array of `google_compute_resource_policy` self_link_with_id
+ * `regions`: an array of `google_compute_resource_policy` region
+ * `descriptions`: an array of `google_compute_resource_policy` description
+ * `names`: an array of `google_compute_resource_policy` name
+ * `vm_maintenance_policies`: an array of `google_compute_resource_policy` vm_maintenance_policy
+ * `snapshot_schedule_policies`: an array of `google_compute_resource_policy` snapshot_schedule_policy
+ * `group_placement_policies`: an array of `google_compute_resource_policy` group_placement_policy
+ * `instance_schedule_policies`: an array of `google_compute_resource_policy` instance_schedule_policy
+ * `statuses`: an array of `google_compute_resource_policy` status
+ * `resource_statuses`: an array of `google_compute_resource_policy` resource_status
+
+## Filter criteria
+
+This resource supports all of the above properties as filter criteria, 
which can be used
+with `where` as a block or a method.
+
+## GCP permissions
+
+Ensure the [Compute Engine API](https://console.cloud.google.com/apis/library/compute.googleapis.com/) is enabled for the current project.
diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_resource_policy.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_resource_policy.md
new file mode 100644
index 0000000..3e8fc9c
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_resource_policy.md
@@ -0,0 +1,210 @@
++++
+title = "google_compute_resource_policy resource"
+
+draft = false
+
+
+[menu.gcp]
+title = "google_compute_resource_policy"
+identifier = "inspec/resources/gcp/google_compute_resource_policy resource"
+parent = "inspec/resources/gcp"
++++
+
+Use the `google_compute_resource_policy` InSpec audit resource to to test a Google Cloud ResourcePolicy resource.
+
+## Examples
+
+```ruby
+describe google_compute_resource_policy(project: 'chef-gcp-inspec', region: 'value_region', name: 'value_name') do
+ it { should exist }
+ its('kind') { should cmp 'value_kind' }
+ its('id') { should cmp 'value_id' }
+ its('creation_timestamp') { should cmp 'value_creationtimestamp' }
+ its('self_link') { should cmp 'value_selflink' }
+ its('self_link_with_id') { should cmp 'value_selflinkwithid' }
+ its('region') { should cmp 'value_region' }
+ its('description') { should cmp 'value_description' }
+ its('name') { should cmp 'value_name' }
+ its('status') { should cmp 'value_status' }
+end
+
+describe google_compute_resource_policy(project: 'chef-gcp-inspec', region: ' value_region', name: 'value_name') do
+ it { should_not exist }
+end
+```
+
+## Properties
+
+Properties that can be accessed from the `google_compute_resource_policy` resource:
+
+
+ * `kind`: [Output Only] Type of the resource. Always compute#resource_policies for resource policies.
+
+ * `id`: [Output Only] The unique identifier for the resource. This identifier is defined by the server.
+
+ * `creation_timestamp`: [Output Only] Creation timestamp in RFC3339 text format.
+
+ * `self_link`: [Output Only] Server-defined fully-qualified URL for this resource.
+
+ * `self_link_with_id`: [Output Only] Server-defined URL for this resource with the resource id.
+
+ * `region`:
+
+ * `description`:
+
+ * `name`: The name of the resource, provided by the client when initially creating the resource. The resource name must be 1-63 characters long, and comply with RFC1035. Specifically, the name must be 1-63 characters long and match the regular expression `[a-z]([-a-z0-9]*[a-z0-9])?` which means the first character must be a lowercase letter, and all following characters must be a dash, lowercase letter, or digit, except the last character, which cannot be a dash.
+
+ * `vm_maintenance_policy`:
+
+ * `maintenance_window`: A maintenance window for VMs. When set, we restrict our maintenance operations to this window.
+
+ * `daily_maintenance_window`: Time window specified for daily operations.
+
+ * `days_in_cycle`: Defines a schedule with units measured in days. The value determines how many days pass between the start of each cycle.
+
+ * `start_time`: Start time of the window. This must be in UTC format that resolves to one of 00:00, 04:00, 08:00, 12:00, 16:00, or 20:00. For example, both 13:00-5 and 08:00 are valid.
+
+ * `duration`: [Output only] A predetermined duration for the window, automatically chosen to be the smallest possible in the given scenario.
+
+ * `concurrency_control_group`: A concurrency control configuration. Defines a group config that, when attached to an instance, recognizes that instance as part of a group of instances where only up the concurrency_limit of instances in that group can undergo simultaneous maintenance. For more information: go/concurrency-control-design-doc
+
+ * `concurrency_limit`:
+
+ * `snapshot_schedule_policy`: A snapshot schedule policy specifies when and how frequently snapshots are to be created for the target disk. Also specifies how many and how long these scheduled snapshots should be retained.
+
+ * `schedule`: A schedule for disks where the schedueled operations are performed.
+
+ * `hourly_schedule`: Time window specified for hourly operations.
+
+ * `hours_in_cycle`: Defines a schedule with units measured in hours. The value determines how many hours pass between the start of each cycle.
+
+ * `start_time`: Time within the window to start the operations. It must be in format "HH:MM", where HH : [00-23] and MM : [00-00] GMT.
+
+ * `duration`: [Output only] Duration of the time window, automatically chosen to be smallest possible in the given scenario.
+
+ * `daily_schedule`: Time window specified for daily operations.
+
+ * `days_in_cycle`: Defines a schedule with units measured in days. The value determines how many days pass between the start of each cycle.
+
+ * `start_time`: Start time of the window. This must be in UTC format that resolves to one of 00:00, 04:00, 08:00, 12:00, 16:00, or 20:00. For example, both 13:00-5 and 08:00 are valid.
+
+ * `duration`: [Output only] A predetermined duration for the window, automatically chosen to be the smallest possible in the given scenario.
+
+ * `weekly_schedule`: Time window specified for weekly operations.
+
+ * `day_of_weeks`: Up to 7 intervals/windows, one for each day of the week.
+
+ * `day`: Defines a schedule that runs on specific days of the week. Specify one or more days. The following options are available: MONDAY, TUESDAY, WEDNESDAY, THURSDAY, FRIDAY, SATURDAY, SUNDAY.
+ Possible values:
+ * FRIDAY
+ * INVALID
+ * MONDAY
+ * SATURDAY
+ * SUNDAY
+ * THURSDAY
+ * TUESDAY
+ * WEDNESDAY
+
+ * `start_time`: Time within the window to start the operations. It must be in format "HH:MM", where HH : [00-23] and MM : [00-00] GMT.
+
+ * `duration`: [Output only] Duration of the time window, automatically chosen to be smallest possible in the given scenario.
+
+ * `retention_policy`: Policy for retention of scheduled snapshots.
+
+ * `max_retention_days`: Maximum age of the snapshot that is allowed to be kept.
+
+ * `on_policy_switch`:
+ Possible values:
+ * DO_NOT_RETROACTIVELY_APPLY
+ * RETROACTIVELY_APPLY
+ * UNSPECIFIED_ON_POLICY_SWITCH
+
+ * `on_source_disk_delete`: Specifies the behavior to apply to scheduled snapshots when the source disk is deleted.
+ Possible values:
+ * APPLY_RETENTION_POLICY
+ * KEEP_AUTO_SNAPSHOTS
+ * UNSPECIFIED_ON_SOURCE_DISK_DELETE
+
+ * `snapshot_properties`: Specified snapshot properties for scheduled snapshots created by this policy.
+
+ * `labels`: Labels to apply to scheduled snapshots. These can be later modified by the setLabels method. Label values may be empty.
+
+ * `additional_properties`:
+
+ * `storage_locations`: Cloud Storage bucket storage location of the auto snapshot (regional or multi-regional).
+
+ * `guest_flush`: Indication to perform a 'guest aware' snapshot.
+
+ * `chain_name`: Chain name that the snapshot is created in.
+
+ * `group_placement_policy`: A GroupPlacementPolicy specifies resource placement configuration. It specifies the failure bucket separation as well as network locality
+
+ * `style`: Specifies instances to hosts placement relationship
+ Possible values:
+ * COMPACT
+ * FULLY_SPREAD
+ * UNSPECIFIED_PLACEMENT_TYPE
+
+ * `locality`: Specifies network locality
+ Possible values:
+ * BEST_EFFORT
+ * STRICT
+ * UNSPECIFIED_LOCALITY
+
+ * `vm_count`: Number of VMs in this placement group. Google does not recommend that you use this field unless you use a compact policy and you want your policy to work only if it contains this exact number of VMs.
+
+ * `availability_domain_count`: The number of availability domains to spread instances across. If two instances are in different availability domain, they are not in the same low latency network.
+
+ * `collocation`: Specifies network collocation
+ Possible values:
+ * CLUSTERED
+ * COLLOCATED
+ * UNSPECIFIED_COLLOCATION
+
+ * `scope`: Scope specifies the availability domain to which the VMs should be spread.
+ Possible values:
+ * HOST
+ * UNSPECIFIED_SCOPE
+
+ * `tpu_topology`: Specifies the shape of the TPU slice
+
+ * `max_distance`: Specifies the number of max logical switches.
+
+ * `slice_count`: Specifies the number of slices in a multislice workload.
+
+ * `instance_schedule_policy`: An InstanceSchedulePolicy specifies when and how frequent certain operations are performed on the instance.
+
+ * `vm_start_schedule`: Schedule for an instance operation.
+
+ * `schedule`: Specifies the frequency for the operation, using the unix-cron format.
+
+ * `vm_stop_schedule`: Schedule for an instance operation.
+
+ * `schedule`: Specifies the frequency for the operation, using the unix-cron format.
+
+ * `time_zone`: Specifies the time zone to be used in interpreting Schedule.schedule. The value of this field must be a time zone name from the tz database: https://wikipedia.org/wiki/Tz_database.
+
+ * `start_time`: The start time of the schedule. The timestamp is an RFC3339 string.
+
+ * `expiration_time`: The expiration time of the schedule. The timestamp is an RFC3339 string.
+
+ * `status`: [Output Only] The status of resource policy creation.
+ Possible values:
+ * CREATING
+ * DELETING
+ * EXPIRED
+ * INVALID
+ * READY
+
+ * `resource_status`: Contains output only fields. Use this sub-message for all output fields set on ResourcePolicy. The internal structure of this "status" field should mimic the structure of ResourcePolicy proto specification.
+
+ * `instance_schedule_policy`:
+
+ * `next_run_start_time`: [Output Only] The next time the schedule is planned to run. The actual time might be slightly different. The timestamp is an RFC3339 string.
+
+ * `last_run_start_time`: [Output Only] The last time the schedule successfully ran. The timestamp is an RFC3339 string.
+
+
+## GCP permissions
+
+Ensure the [Compute Engine API](https://console.cloud.google.com/apis/library/compute.googleapis.com/) is enabled for the current project.
diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_route.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_route.md
new file mode 100644
index 0000000..36445e0
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_route.md
@@ -0,0 +1,69 @@
++++
+title = "google_compute_route resource"
+
+draft = false
+
+
+[menu.gcp]
+title = "google_compute_route"
+identifier = "inspec/resources/gcp/google_compute_route resource"
+parent = "inspec/resources/gcp"
++++
+
+## Syntax
+
+A `google_compute_route` is used to test a Google Route resource
+
+
+## Beta Resource
+This resource has beta fields available. To retrieve these fields, include `beta: true` in the constructor for the resource.
+
+## Examples
+
+```ruby
+describe google_compute_route(project: 'chef-gcp-inspec', name: 'inspec-gcp-route') do
+ it { should exist }
+ its('dest_range') { should eq '15.0.0.0/24' }
+ its('network') { should match /\/gcp-inspec-network$/ }
+ its('next_hop_ip') { should eq '10.2.0.1' }
+ its('priority') { should eq '100' }
+end
+
+describe google_compute_route(project: 'chef-gcp-inspec', name: 'nonexistent') do
+ it { should_not exist }
+end
+```
+
+## Properties
+
+Properties that can be accessed from the `google_compute_route` resource:
+
+
+ * `dest_range`: The destination range of outgoing packets that this route applies to. Only IPv4 is supported.
+
+ * `description`: An optional description of this resource. Provide this property when you create the resource.
+
+ * `name`: Name of the resource. Provided by the client when the resource is created. The name must be 1-63 characters long, and comply with RFC1035. Specifically, the name must be 1-63 characters long and match the regular expression `[a-z]([-a-z0-9]*[a-z0-9])?` which means the first character must be a lowercase letter, and all following characters must be a dash, lowercase letter, or digit, except the last character, which cannot be a dash.
+
+ * `network`: The network that this route applies to.
+
+ * `priority`: The priority of this route. Priority is used to break ties in cases where there is more than one matching route of equal prefix length. In the case of two routes with equal prefix length, the one with the lowest-numbered priority value wins. Default value is 1000. Valid range is 0 through 65535.
+
+ * `tags`: A list of instance tags to which this route applies.
+
+ * `next_hop_gateway`: URL to a gateway that should handle matching packets. Currently, you can only specify the internet gateway, using a full or partial valid URL: * https://www.googleapis.com/compute/v1/projects/project/ global/gateways/default-internet-gateway * projects/project/global/gateways/default-internet-gateway * global/gateways/default-internet-gateway
+
+ * `next_hop_instance`: URL to an instance that should handle matching packets. You can specify this as a full or partial URL. For example: * https://www.googleapis.com/compute/v1/projects/project/zones/zone/ instances/instance * projects/project/zones/zone/instances/instance * zones/zone/instances/instance
+
+ * `next_hop_ip`: Network IP address of an instance that should handle matching packets.
+
+ * `next_hop_vpn_tunnel`: URL to a VpnTunnel that should handle matching packets.
+
+ * `next_hop_network`: URL to a Network that should handle matching packets.
+
+ * `next_hop_ilb`: The URL to a forwarding rule of type loadBalancingScheme=INTERNAL that should handle matching packets. You can only specify the forwarding rule as a partial or full URL. For example, the following are all valid URLs: https://www.googleapis.com/compute/v1/projects/project/regions/region/forwardingRules/forwardingRule regions/region/forwardingRules/forwardingRule Note that this can only be used when the destinationRange is a public (non-RFC 1918) IP CIDR range.
+
+
+## GCP permissions
+
+Ensure the [Compute Engine API](https://console.cloud.google.com/apis/library/compute.googleapis.com/) is enabled for the current project.
diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_router.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_router.md
new file mode 100644
index 0000000..ae234a7
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_router.md
@@ -0,0 +1,77 @@
++++
+title = "google_compute_router resource"
+
+draft = false
+
+
+[menu.gcp]
+title = "google_compute_router"
+identifier = "inspec/resources/gcp/google_compute_router resource"
+parent = "inspec/resources/gcp"
++++
+
+## Syntax
+
+A `google_compute_router` is used to test a Google Router resource
+
+
+## Beta Resource
+This resource has beta fields available. To retrieve these fields, include `beta: true` in the constructor for the resource.
+
+## Examples
+
+```ruby
+describe google_compute_router(project: 'chef-gcp-inspec', region: 'europe-west2', name: 'inspec-gcp-router') do
+ it { should exist }
+ its('bgp.asn') { should eq '64514' }
+ its('bgp.advertise_mode') { should eq 'CUSTOM' }
+ its('bgp.advertised_groups') { should include 'ALL_SUBNETS' }
+ its('bgp.advertised_ip_ranges.count') { should eq 2 }
+ its('bgp.advertised_ip_ranges.first.range') { should eq '1.2.3.4' }
+ its('bgp.advertised_ip_ranges.last.range') { should eq '1.2.3.4' }
+ its('network') { should match /\/gcp-inspec-network$/ }
+ end
+
+describe google_compute_router(project: 'chef-gcp-inspec', region: 'europe-west2', name: 'nonexistent') do
+ it { should_not exist }
+end
+```
+
+## Properties
+
+Properties that can be accessed from the `google_compute_router` resource:
+
+
+ * `id`: The unique identifier for the resource.
+
+ * `creation_timestamp`: Creation timestamp in RFC3339 text format.
+
+ * `name`: Name of the resource. The name must be 1-63 characters long, and comply with RFC1035. Specifically, the name must be 1-63 characters long and match the regular expression `[a-z]([-a-z0-9]*[a-z0-9])?` which means the first character must be a lowercase letter, and all following characters must be a dash, lowercase letter, or digit, except the last character, which cannot be a dash.
+
+ * `description`: An optional description of this resource.
+
+ * `network`: A reference to the network to which this router belongs.
+
+ * `bgp`: BGP information specific to this router.
+
+ * `asn`: Local BGP Autonomous System Number (ASN). Must be an RFC6996 private ASN, either 16-bit or 32-bit. The value will be fixed for this router resource. All VPN tunnels that link to this router will have the same local ASN.
+
+ * `advertise_mode`: User-specified flag to indicate which mode to use for advertisement.
+ Possible values:
+ * DEFAULT
+ * CUSTOM
+
+ * `advertised_groups`: User-specified list of prefix groups to advertise in custom mode. This field can only be populated if advertiseMode is CUSTOM and is advertised to all peers of the router. These groups will be advertised in addition to any specified prefixes. Leave this field blank to advertise no custom groups. This enum field has the one valid value: ALL_SUBNETS
+
+ * `advertised_ip_ranges`: User-specified list of individual IP ranges to advertise in custom mode. This field can only be populated if advertiseMode is CUSTOM and is advertised to all peers of the router. These IP ranges will be advertised in addition to any specified groups. Leave this field blank to advertise no custom IP ranges.
+
+ * `range`: The IP range to advertise. The value must be a CIDR-formatted string.
+
+ * `description`: User-specified description for the IP range.
+
+ * `region`: Region where the router resides.
+
+
+## GCP permissions
+
+Ensure the [Compute Engine API](https://console.cloud.google.com/apis/library/compute.googleapis.com/) is enabled for the current project.
diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_router_nat.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_router_nat.md
new file mode 100644
index 0000000..0092299
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_router_nat.md
@@ -0,0 +1,97 @@
++++
+title = "google_compute_router_nat resource"
+
+draft = false
+
+
+[menu.gcp]
+title = "google_compute_router_nat"
+identifier = "inspec/resources/gcp/google_compute_router_nat resource"
+parent = "inspec/resources/gcp"
++++
+
+## Syntax
+
+A `google_compute_router_nat` is used to test a Google RouterNat resource
+
+
+## Beta Resource
+This resource has beta fields available. To retrieve these fields, include `beta: true` in the constructor for the resource.
+
+## Examples
+
+```ruby
+describe google_compute_router_nat(project: 'chef-gcp-inspec', region: 'europe-west2', router: 'inspec-gcp-router', name: 'inspec-router-nat') do
+ it { should exist }
+ its('nat_ip_allocate_option') { should cmp 'AUTO_ONLY' }
+ its('source_subnetwork_ip_ranges_to_nat') { should cmp 'ALL_SUBNETWORKS_ALL_IP_RANGES' }
+ its('min_ports_per_vm') { should cmp '2' }
+ its('log_config.enable') { should cmp 'true' }
+ its('log_config.filter') { should cmp 'ERRORS_ONLY' }
+end
+
+describe google_compute_router(project: 'chef-gcp-inspec', region: 'europe-west2', router: 'nonexistent', name: 'nonexistent') do
+ it { should_not exist }
+end
+```
+
+## Properties
+
+Properties that can be accessed from the `google_compute_router_nat` resource:
+
+
+ * `name`: Name of the NAT service. The name must be 1-63 characters long and comply with RFC1035.
+
+ * `nat_ip_allocate_option`: How external IPs should be allocated for this NAT. Valid values are `AUTO_ONLY` for only allowing NAT IPs allocated by Google Cloud Platform, or `MANUAL_ONLY` for only user-allocated NAT IP addresses.
+ Possible values:
+ * MANUAL_ONLY
+ * AUTO_ONLY
+
+ * `nat_ips`: Self-links of NAT IPs. Only valid if natIpAllocateOption is set to MANUAL_ONLY.
+
+ * `drain_nat_ips`: A list of URLs of the IP resources to be drained. These IPs must be valid static external IPs that have been assigned to the NAT.
+
+ * `source_subnetwork_ip_ranges_to_nat`: How NAT should be configured per Subnetwork. If `ALL_SUBNETWORKS_ALL_IP_RANGES`, all of the IP ranges in every Subnetwork are allowed to Nat. If `ALL_SUBNETWORKS_ALL_PRIMARY_IP_RANGES`, all of the primary IP ranges in every Subnetwork are allowed to Nat. `LIST_OF_SUBNETWORKS`: A list of Subnetworks are allowed to Nat (specified in the field subnetwork below). Note that if this field contains ALL_SUBNETWORKS_ALL_IP_RANGES or ALL_SUBNETWORKS_ALL_PRIMARY_IP_RANGES, then there should not be any other RouterNat section in any Router for this network in this region.
+ Possible values:
+ * ALL_SUBNETWORKS_ALL_IP_RANGES
+ * ALL_SUBNETWORKS_ALL_PRIMARY_IP_RANGES
+ * LIST_OF_SUBNETWORKS
+
+ * `subnetwork`: One or more subnetwork NAT configurations. Only used if `source_subnetwork_ip_ranges_to_nat` is set to `LIST_OF_SUBNETWORKS`
+
+ * `name`: Self-link of subnetwork to NAT
+
+ * `source_ip_ranges_to_nat`: List of options for which source IPs in the subnetwork should have NAT enabled. Supported values include: `ALL_IP_RANGES`, `LIST_OF_SECONDARY_IP_RANGES`, `PRIMARY_IP_RANGE`.
+
+ * `secondary_ip_range_names`: List of the secondary ranges of the subnetwork that are allowed to use NAT. This can be populated only if `LIST_OF_SECONDARY_IP_RANGES` is one of the values in sourceIpRangesToNat
+
+ * `min_ports_per_vm`: Minimum number of ports allocated to a VM from this NAT.
+
+ * `udp_idle_timeout_sec`: Timeout (in seconds) for UDP connections. Defaults to 30s if not set.
+
+ * `icmp_idle_timeout_sec`: Timeout (in seconds) for ICMP connections. Defaults to 30s if not set.
+
+ * `tcp_established_idle_timeout_sec`: Timeout (in seconds) for TCP established connections. Defaults to 1200s if not set.
+
+ * `tcp_transitory_idle_timeout_sec`: Timeout (in seconds) for TCP transitory connections. Defaults to 30s if not set.
+
+ * `log_config`: Configuration for logging on NAT
+
+ * `enable`: Indicates whether or not to export logs.
+
+ * `filter`: Specifies the desired filtering of logs on this NAT.
+ Possible values:
+ * ERRORS_ONLY
+ * TRANSLATIONS_ONLY
+ * ALL
+
+ * `enable_endpoint_independent_mapping`: Specifies if endpoint independent mapping is enabled. This is enabled by default. For more information see the [official documentation](https://cloud.google.com/nat/docs/overview#specs-rfcs).
+
+ * `router`: The name of the Cloud Router in which this NAT will be configured.
+
+ * `region`: Region where the router and NAT reside.
+
+
+## GCP permissions
+
+Ensure the [Compute Engine API](https://console.cloud.google.com/apis/library/compute.googleapis.com/) is enabled for the current project.
diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_router_nats.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_router_nats.md
new file mode 100644
index 0000000..018d4fa
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_router_nats.md
@@ -0,0 +1,58 @@
++++
+title = "google_compute_router_nats resource"
+
+draft = false
+
+
+[menu.gcp]
+title = "google_compute_router_nats"
+identifier = "inspec/resources/gcp/google_compute_router_nats resource"
+parent = "inspec/resources/gcp"
++++
+
+## Syntax
+
+A `google_compute_router_nats` is used to test a Google RouterNat resource
+
+
+## Beta Resource
+This resource has beta fields available. To retrieve these fields, include `beta: true` in the constructor for the resource.
+
+## Examples
+
+```ruby
+describe google_compute_router_nats(project: 'chef-gcp-inspec', region: 'europe-west2', router: 'inspec-gcp-router') do
+ its('names') { should include 'inspec-router-nat' }
+end
+```
+
+## Properties
+
+Properties that can be accessed from the `google_compute_router_nats` resource:
+
+See [google_compute_router_nat](google_compute_router_nat) for more detailed information.
+
+ * `names`: an array of `google_compute_router_nat` name
+ * `nat_ip_allocate_options`: an array of `google_compute_router_nat` nat_ip_allocate_option
+ * `nat_ips`: an array of `google_compute_router_nat` nat_ips
+ * `drain_nat_ips`: an array of `google_compute_router_nat` drain_nat_ips
+ * `source_subnetwork_ip_ranges_to_nats`: an array of `google_compute_router_nat` source_subnetwork_ip_ranges_to_nat
+ * `subnetworks`: an array of `google_compute_router_nat` subnetwork
+ * `min_ports_per_vms`: an array of `google_compute_router_nat` min_ports_per_vm
+ * `udp_idle_timeout_secs`: an array of `google_compute_router_nat` udp_idle_timeout_sec
+ * `icmp_idle_timeout_secs`: an array of `google_compute_router_nat` icmp_idle_timeout_sec
+ * `tcp_established_idle_timeout_secs`: an array of `google_compute_router_nat` tcp_established_idle_timeout_sec
+ * `tcp_transitory_idle_timeout_secs`: an array of `google_compute_router_nat` tcp_transitory_idle_timeout_sec
+ * `log_configs`: an array of `google_compute_router_nat` log_config
+ * `enable_endpoint_independent_mappings`: an array of `google_compute_router_nat` enable_endpoint_independent_mapping
+ * `routers`: an array of `google_compute_router_nat` router
+ * `regions`: an array of `google_compute_router_nat` region
+
+## Filter criteria
+
+This resource supports all of the above properties as filter criteria, which can be used
+with `where` as a block or a method.
+
+## GCP permissions
+
+Ensure the [Compute Engine API](https://console.cloud.google.com/apis/library/compute.googleapis.com/) is enabled for the current project.
diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_routers.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_routers.md
new file mode 100644
index 0000000..391dbb9
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_routers.md
@@ -0,0 +1,50 @@
++++
+title = "google_compute_routers resource"
+
+draft = false
+
+
+[menu.gcp]
+title = "google_compute_routers"
+identifier = "inspec/resources/gcp/google_compute_routers resource"
+parent = "inspec/resources/gcp"
++++
+
+## Syntax
+
+A `google_compute_routers` is used to test a Google Router resource
+
+
+## Beta Resource
+This resource has beta fields available. To retrieve these fields, include `beta: true` in the constructor for the resource.
+
+## Examples
+
+```ruby
+describe google_compute_routers(project: 'chef-gcp-inspec', region: 'europe-west2') do
+ its('names') { should include 'inspec-gcp-router' }
+end
+```
+
+## Properties
+
+Properties that can be accessed from the `google_compute_routers` resource:
+
+See [google_compute_router](google_compute_router) for more detailed information.
+
+ * `ids`: an array of `google_compute_router` id
+ * `creation_timestamps`: an array of `google_compute_router` creation_timestamp
+ * `names`: an array of `google_compute_router` name
+ * `descriptions`: an array of `google_compute_router` description
+ * `networks`: an array of `google_compute_router` network
+ * `bgps`: an array of `google_compute_router` bgp
+ * `regions`: an array of `google_compute_router` region
+
+## Filter criteria
+
+This resource supports all of the above properties as filter criteria, which can be used
+with `where` as a block or a method.
+
+## GCP permissions
+
+Ensure the [Compute Engine API](https://console.cloud.google.com/apis/library/compute.googleapis.com/) is enabled for the current project.
diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_routes.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_routes.md
new file mode 100644
index 0000000..22b6f59
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_routes.md
@@ -0,0 +1,58 @@
++++
+title = "google_compute_routes resource"
+
+draft = false
+
+
+[menu.gcp]
+title = "google_compute_routes"
+identifier = "inspec/resources/gcp/google_compute_routes resource"
+parent = "inspec/resources/gcp"
++++
+
+## Syntax
+
+A `google_compute_routes` is used to test a Google Route resource
+
+
+## Beta Resource
+This resource has beta fields available. To retrieve these fields, include `beta: true` in the constructor for the resource.
+
+## Examples
+
+```ruby
+describe google_compute_routes(project: 'chef-gcp-inspec') do
+ its('count') { should be >= 1 }
+ its('dest_ranges') { should include '15.0.0.0/24' }
+ its('next_hop_ips') { should include '10.2.0.1' }
+ its('priorities') { should include '100' }
+end
+```
+
+## Properties
+
+Properties that can be accessed from the `google_compute_routes` resource:
+
+See [google_compute_route](google_compute_route) for more detailed information.
+
+ * `dest_ranges`: an array of `google_compute_route` dest_range
+ * `descriptions`: an array of `google_compute_route` description
+ * `names`: an array of `google_compute_route` name
+ * `networks`: an array of `google_compute_route` network
+ * `priorities`: an array of `google_compute_route` priority
+ * `tags`: an array of `google_compute_route` tags
+ * `next_hop_gateways`: an array of `google_compute_route` next_hop_gateway
+ * `next_hop_instances`: an array of `google_compute_route` next_hop_instance
+ * `next_hop_ips`: an array of `google_compute_route` next_hop_ip
+ * `next_hop_vpn_tunnels`: an array of `google_compute_route` next_hop_vpn_tunnel
+ * `next_hop_networks`: an array of `google_compute_route` next_hop_network
+ * `next_hop_ilbs`: an array of `google_compute_route` next_hop_ilb
+
+## Filter criteria
+
+This resource supports all of the above properties as filter criteria, which can be used
+with `where` as a block or a method.
+
+## GCP permissions
+
+Ensure the [Compute Engine API](https://console.cloud.google.com/apis/library/compute.googleapis.com/) is enabled for the current project.
diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_security_policies.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_security_policies.md
new file mode 100644
index 0000000..fb443c2
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_security_policies.md
@@ -0,0 +1,47 @@
++++
+title = "google_compute_security_policies resource"
+
+draft = false
+
+
+[menu.gcp]
+title = "google_compute_security_policies"
+identifier = "inspec/resources/gcp/google_compute_security_policies resource"
+parent = "inspec/resources/gcp"
++++
+
+## Syntax
+
+A `google_compute_security_policies` is used to test a Google SecurityPolicy resource
+
+
+## Beta Resource
+This resource has beta fields available. To retrieve these fields, include `beta: true` in the constructor for the resource.
+
+## Examples
+
+```ruby
+describe google_compute_security_policies(project: 'chef-gcp-inspec') do
+ its('count') { should be >= 1 }
+ its('names') { should include 'sec-policy' }
+end
+```
+
+## Properties
+
+Properties that can be accessed from the `google_compute_security_policies` resource:
+
+See [google_compute_security_policy](google_compute_security_policy) for more detailed information.
+
+ * `names`: an array of `google_compute_security_policy` name
+ * `ids`: an array of `google_compute_security_policy` id
+ * `rules`: an array of `google_compute_security_policy` rules
+
+## Filter criteria
+
+This resource supports all of the above properties as filter criteria, which can be used
+with `where` as a block or a method.
+
+## GCP permissions
+
+Ensure the [Compute Engine API](https://console.cloud.google.com/apis/library/compute.googleapis.com/) is enabled for the current project.
diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_security_policy.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_security_policy.md
new file mode 100644
index 0000000..5c82cb4
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_security_policy.md
@@ -0,0 +1,78 @@
++++
+title = "google_compute_security_policy resource"
+
+draft = false
+
+
+[menu.gcp]
+title = "google_compute_security_policy"
+identifier = "inspec/resources/gcp/google_compute_security_policy resource"
+parent = "inspec/resources/gcp"
++++
+
+## Syntax
+
+A `google_compute_security_policy` is used to test a Google SecurityPolicy resource
+
+
+## Beta Resource
+This resource has beta fields available. To retrieve these fields, include `beta: true` in the constructor for the resource.
+
+## Examples
+
+```ruby
+describe google_compute_security_policy(project: 'chef-gcp-inspec', name: 'sec-policy') do
+ it { should exist }
+ its('rules.size') { should cmp 2 }
+ its('rules.first.priority') { should cmp '1000' }
+ its('rules.first.match.config.src_ip_ranges.first') { should cmp '9.9.9.0/24' }
+end
+
+describe google_compute_security_policy(project: 'chef-gcp-inspec', name: 'nonexistent') do
+ it { should_not exist }
+end
+```
+
+## Properties
+
+Properties that can be accessed from the `google_compute_security_policy` resource:
+
+
+ * `name`: Name of the security policy.
+
+ * `id`: The unique identifier for the resource.
+
+ * `rules`: A list of rules that belong to this policy. There must always be a default rule (rule with priority 2147483647 and match "*"). If no rules are provided when creating a security policy, a default rule with action "allow" will be added.
+
+ * `description`: A description of the rule.
+
+ * `priority`: An integer indicating the priority of a rule in the list. The priority must be a value between 0 and 2147483647. Rules are evaluated from highest to lowest priority where 0 is the highest priority and 2147483647 is the lowest prority.
+
+ * `action`: The Action to preform when the client connection triggers the rule. Can currently be either "allow" or "deny()" where valid values for status are 403, 404, and 502.
+
+ * `preview`: If set to true, the specified action is not enforced.
+
+ * `match`: A match condition that incoming traffic is evaluated against. If it evaluates to true, the corresponding 'action' is enforced.
+
+ * `description`: A description of the rule.
+
+ * `expr`: User defined CEVAL expression. A CEVAL expression is used to specify match criteria such as origin.ip, source.region_code and contents in the request header.
+
+ * `expression`: Textual representation of an expression in Common Expression Language syntax.
+
+ * `title`: Optional. Title for the expression, i.e. a short string describing its purpose. This can be used e.g. in UIs which allow to enter the expression.
+
+ * `description`: Optional. Description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.
+
+ * `location`: Optional. String indicating the location of the expression for error reporting, e.g. a file name and a position in the file.
+
+ * `versioned_expr`: Preconfigured versioned expression. If this field is specified, config must also be specified. Available preconfigured expressions along with their requirements are: `SRC_IPS_V1` - must specify the corresponding srcIpRange field in config.
+
+ * `config`: The configuration options available when specifying versionedExpr. This field must be specified if versionedExpr is specified and cannot be specified if versionedExpr is not specified.
+
+ * `src_ip_ranges`: CIDR IP address range.
+
+
+## GCP permissions
+
+Ensure the [Compute Engine API](https://console.cloud.google.com/apis/library/compute.googleapis.com/) is enabled for the current project.
diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_service_attachment.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_service_attachment.md
new file mode 100644
index 0000000..7c921b7
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_service_attachment.md
@@ -0,0 +1,114 @@
++++
+title = "google_compute_service_attachment resource"
+
+draft = false
+
+
+[menu.gcp]
+title = "google_compute_service_attachment"
+identifier = "inspec/resources/gcp/google_compute_service_attachment resource"
+parent = "inspec/resources/gcp"
++++
+
+Use the `google_compute_service_attachment` InSpec audit resource to to test a Google Cloud ServiceAttachment resource.
+
+## Examples
+
+```ruby
+describe google_compute_service_attachment(project: 'chef-gcp-inspec', region: ' value_region', service_attachment: ' ') do
+ it { should exist }
+ its('kind') { should cmp 'value_kind' }
+ its('id') { should cmp 'value_id' }
+ its('creation_timestamp') { should cmp 'value_creationtimestamp' }
+ its('name') { should cmp 'value_name' }
+ its('description') { should cmp 'value_description' }
+ its('self_link') { should cmp 'value_selflink' }
+ its('region') { should cmp 'value_region' }
+ its('producer_forwarding_rule') { should cmp 'value_producerforwardingrule' }
+ its('target_service') { should cmp 'value_targetservice' }
+ its('connection_preference') { should cmp 'value_connectionpreference' }
+ its('fingerprint') { should cmp 'value_fingerprint' }
+
+end
+
+describe google_compute_service_attachment(project: 'chef-gcp-inspec', region: ' value_region', service_attachment: ' ') do
+ it { should_not exist }
+end
+```
+
+## Properties
+
+Properties that can be accessed from the `google_compute_service_attachment` resource:
+
+
+ * `kind`: [Output Only] Type of the resource. Always compute#serviceAttachment for service attachments.
+
+ * `id`: [Output Only] The unique identifier for the resource type. The server generates this identifier.
+
+ * `creation_timestamp`: [Output Only] Creation timestamp in RFC3339 text format.
+
+ * `name`: Name of the resource. Provided by the client when the resource is created. The name must be 1-63 characters long, and comply with RFC1035.
Specifically, the name must be 1-63 characters long and match the regular expression `[a-z]([-a-z0-9]*[a-z0-9])?` which means the first character must be a lowercase letter, and all following characters must be a dash, lowercase letter, or digit, except the last character, which cannot be a dash.
+
+ * `description`: An optional description of this resource. Provide this property when you create the resource.
+
+ * `self_link`: [Output Only] Server-defined URL for the resource.
+
+ * `region`: [Output Only] URL of the region where the service attachment resides. This field applies only to the region resource. You must specify this field as part of the HTTP request URL. It is not settable as a field in the request body.
+
+ * `producer_forwarding_rule`: The URL of a forwarding rule with loadBalancingScheme INTERNAL* that is serving the endpoint identified by this service attachment.
+
+ * `target_service`: The URL of a service serving the endpoint identified by this service attachment.
+
+ * `connection_preference`: The connection preference of service attachment. The value can be set to ACCEPT_AUTOMATIC. An ACCEPT_AUTOMATIC service attachment is one that always accepts the connection from consumer forwarding rules.
+ Possible values:
+ * ACCEPT_AUTOMATIC
+ * ACCEPT_MANUAL
+ * CONNECTION_PREFERENCE_UNSPECIFIED
+
+ * `connected_endpoints`: [Output Only] An array of connections for all the consumers connected to this service attachment.
+
+ * `status`: The status of a connected endpoint to this service attachment.
+ Possible values:
+ * ACCEPTED
+ * CLOSED
+ * NEEDS_ATTENTION
+ * PENDING
+ * REJECTED
+ * STATUS_UNSPECIFIED
+
+ * `psc_connection_id`: The PSC connection id of the connected endpoint.
+
+ * `endpoint`: The url of a connected endpoint.
+
+ * `consumer_network`: The url of the consumer network.
+
+ * `nat_subnets`: An array of URLs where each entry is the URL of a subnet provided by the service producer to use for NAT in this service attachment.
+
+ * `enable_proxy_protocol`: If true, enable the proxy protocol which is for supplying client TCP/IP address data in TCP connections that traverse proxies on their way to destination servers.
+
+ * `consumer_reject_lists`: Projects that are not allowed to connect to this service attachment. The project can be specified using its id or number.
+
+ * `consumer_accept_lists`: Projects that are allowed to connect to this service attachment.
+
+ * `project_id_or_num`: The project id or number for the project to set the limit for.
+
+ * `network_url`: The network URL for the network to set the limit for.
+
+ * `connection_limit`: The value of the limit to set.
+
+ * `psc_service_attachment_id`:
+
+ * `high`:
+
+ * `low`:
+
+ * `fingerprint`: Fingerprint of this resource. A hash of the contents stored in this object. This field is used in optimistic locking. This field will be ignored when inserting a ServiceAttachment. An up-to-date fingerprint must be provided in order to patch/update the ServiceAttachment; otherwise, the request will fail with error 412 conditionNotMet. To see the latest fingerprint, make a get() request to retrieve the ServiceAttachment.
+
+ * `domain_names`: If specified, the domain name will be used during the integration between the PSC connected endpoints and the Cloud DNS. For example, this is a valid domain name: "p.mycompany.com.". Current max number of domain names supported is 1.
+
+ * `reconcile_connections`: This flag determines whether a consumer accept/reject list change can reconcile the statuses of existing ACCEPTED or REJECTED PSC endpoints. - If false, connection policy update will only affect existing PENDING PSC endpoints. Existing ACCEPTED/REJECTED endpoints will remain untouched regardless how the connection policy is modified . - If true, update will affect both PENDING and ACCEPTED/REJECTED PSC endpoints. For example, an ACCEPTED PSC endpoint will be moved to REJECTED if its project is added to the reject list.
For newly created service attachment, this boolean defaults to false.
+
+
+## GCP permissions
+
+Ensure the [Compute Engine API](https://console.cloud.google.com/apis/library/compute.googleapis.com/) is enabled for the current project.
diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_service_attachments.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_service_attachments.md
new file mode 100644
index 0000000..9c950c8
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_service_attachments.md
@@ -0,0 +1,56 @@
++++
+title = "google_compute_service_attachments resource"
+
+draft = false
+
+
+[menu.gcp]
+title = "google_compute_service_attachments"
+identifier = "inspec/resources/gcp/google_compute_service_attachments resource"
+parent = "inspec/resources/gcp"
++++
+
+Use the `google_compute_service_attachments` InSpec audit resource to to test a Google Cloud ServiceAttachment resource.
+
+## Examples
+
+```ruby
+ describe google_compute_service_attachments(project: 'chef-gcp-inspec', region: ' value_region') do
+ it { should exist }
+ end
+```
+
+## Properties
+
+Properties that can be accessed from the `google_compute_service_attachments` resource:
+
+See [google_compute_service_attachment](google_compute_service_attachment) for more detailed information.
+
+ * `kinds`: an array of `google_compute_service_attachment` kind
+ * `ids`: an array of `google_compute_service_attachment` id
+ * `creation_timestamps`: an array of `google_compute_service_attachment` creation_timestamp
+ * `names`: an array of `google_compute_service_attachment` name
+ * `descriptions`: an array of `google_compute_service_attachment` description
+ * `self_links`: an array of `google_compute_service_attachment` self_link
+ * `regions`: an array of `google_compute_service_attachment` region
+ * `producer_forwarding_rules`: an array of `google_compute_service_attachment` producer_forwarding_rule
+ * `target_services`: an array of `google_compute_service_attachment` target_service
+ * `connection_preferences`: an array of `google_compute_service_attachment` connection_preference
+ * `connected_endpoints`: an array of `google_compute_service_attachment` connected_endpoints
+ * `nat_subnets`: an array of `google_compute_service_attachment` nat_subnets
+ * `enable_proxy_protocols`: an array of `google_compute_service_attachment` enable_proxy_protocol
+ * `consumer_reject_lists`: an array of `google_compute_service_attachment` consumer_reject_lists
+ * `consumer_accept_lists`: an array of
`google_compute_service_attachment` consumer_accept_lists
+ * `psc_service_attachment_ids`: an array of `google_compute_service_attachment` psc_service_attachment_id
+ * `fingerprints`: an array of `google_compute_service_attachment` fingerprint
+ * `domain_names`: an array of `google_compute_service_attachment` domain_names
+ * `reconcile_connections`: an array of `google_compute_service_attachment` reconcile_connections
+
+## Filter criteria
+
+This resource supports all of the above properties as filter criteria, which can be used
+with `where` as a block or a method.
+
+## GCP permissions
+
+Ensure the [Compute Engine API](https://console.cloud.google.com/apis/library/compute.googleapis.com/) is enabled for the current project.
diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_snapshot.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_snapshot.md
new file mode 100644
index 0000000..a1261f4
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_snapshot.md
@@ -0,0 +1,84 @@
++++
+title = "google_compute_snapshot resource"
+
+draft = false
+
+
+[menu.gcp]
+title = "google_compute_snapshot"
+identifier = "inspec/resources/gcp/google_compute_snapshot resource"
+parent = "inspec/resources/gcp"
++++
+
+## Syntax
+
+A `google_compute_snapshot` is used to test a Google Snapshot resource
+
+
+## Beta Resource
+This resource has beta fields available. To retrieve these fields, include `beta: true` in the constructor for the resource.
+
+## Examples
+
+```ruby
+describe google_compute_snapshot(project: 'chef-gcp-inspec', name: 'inspec-gcp-disk-snapshot') do
+ it { should exist }
+ its('source_disk') { should match 'inspec-snapshot-disk' }
+end
+
+describe google_compute_snapshot(project: 'chef-gcp-inspec', name: 'nonexistent') do
+ it { should_not exist }
+end
+```
+
+## Properties
+
+Properties that can be accessed from the `google_compute_snapshot` resource:
+
+
+ * `creation_timestamp`: Creation timestamp in RFC3339 text format.
+
+ * `id`: The unique identifier for the resource.
+
+ * `disk_size_gb`: Size of the snapshot, specified in GB.
+
+ * `name`: Name of the resource; provided by the client when the resource is created. The name must be 1-63 characters long, and comply with RFC1035. Specifically, the name must be 1-63 characters long and match the regular expression `[a-z]([-a-z0-9]*[a-z0-9])?` which means the first character must be a lowercase letter, and all following characters must be a dash, lowercase letter, or digit, except the last character, which cannot be a dash.
+
+ * `description`: An optional description of this resource.
+
+ * `storage_bytes`: A size of the storage used by the snapshot. As snapshots share storage, this number is expected to change with snapshot creation/deletion.
+
+ * `storage_locations`: Cloud Storage bucket storage location of the snapshot (regional or multi-regional).
+
+ * `licenses`: A list of public visible licenses that apply to this snapshot.
This can be because the original image had licenses attached (such as a Windows image). snapshotEncryptionKey nested object Encrypts the snapshot using a customer-supplied encryption key.
+
+ * `labels`: Labels to apply to this Snapshot.
+
+ * `label_fingerprint`: The fingerprint used for optimistic locking of this resource. Used internally during updates.
+
+ * `source_disk`: A reference to the disk used to create this snapshot.
+
+ * `zone`: A reference to the zone where the disk is hosted.
+
+ * `snapshot_encryption_key`: The customer-supplied encryption key of the snapshot. Required if the source snapshot is protected by a customer-supplied encryption key.
+
+ * `raw_key`: Specifies a 256-bit customer-supplied encryption key, encoded in RFC 4648 base64 to either encrypt or decrypt this resource.
+
+ * `sha256`: The RFC 4648 base64 encoded SHA-256 hash of the customer-supplied encryption key that protects this resource.
+
+ * `kms_key_name`: The name of the encryption key that is stored in Google Cloud KMS.
+
+ * `kms_key_service_account`: The service account used for the encryption request for the given KMS key. If absent, the Compute Engine Service Agent service account is used.
+
+ * `source_disk_encryption_key`: The customer-supplied encryption key of the source snapshot. Required if the source snapshot is protected by a customer-supplied encryption key.
+
+ * `raw_key`: Specifies a 256-bit customer-supplied encryption key, encoded in RFC 4648 base64 to either encrypt or decrypt this resource.
+
+ * `kms_key_name`: The name of the encryption key that is stored in Google Cloud KMS.
+
+ * `kms_key_service_account`: The service account used for the encryption request for the given KMS key. If absent, the Compute Engine Service Agent service account is used.
+
+
+## GCP permissions
+
+Ensure the [Compute Engine API](https://console.cloud.google.com/apis/library/compute.googleapis.com/) is enabled for the current project.
diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_snapshots.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_snapshots.md
new file mode 100644
index 0000000..d34ec6c
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_snapshots.md
@@ -0,0 +1,65 @@
++++
+title = "google_compute_snapshots resource"
+
+draft = false
+
+
+[menu.gcp]
+title = "google_compute_snapshots"
+identifier = "inspec/resources/gcp/google_compute_snapshots resource"
+parent = "inspec/resources/gcp"
++++
+
+## Syntax
+
+A `google_compute_snapshots` is used to test a Google Snapshot resource
+
+
+## Beta Resource
+This resource has beta fields available. To retrieve these fields, include `beta: true` in the constructor for the resource.
+
+## Examples
+
+```ruby
+describe google_compute_snapshots(project: 'chef-gcp-inspec') do
+ its('count') { should be >= 1 }
+end
+
+describe.one do
+ google_compute_snapshots(project: 'chef-gcp-inspec').names do |snapshot_name|
+ describe google_compute_snapshot(project: 'chef-gcp-inspec', name: snapshot_name) do
+ its('source_disk') { should match 'inspec-snapshot-disk' }
+ end
+ end
+end
+```
+
+## Properties
+
+Properties that can be accessed from the `google_compute_snapshots` resource:
+
+See [google_compute_snapshot](google_compute_snapshot) for more detailed information.
+
+ * `creation_timestamps`: an array of `google_compute_snapshot` creation_timestamp
+ * `ids`: an array of `google_compute_snapshot` id
+ * `disk_size_gbs`: an array of `google_compute_snapshot` disk_size_gb
+ * `names`: an array of `google_compute_snapshot` name
+ * `descriptions`: an array of `google_compute_snapshot` description
+ * `storage_bytes`: an array of `google_compute_snapshot` storage_bytes
+ * `storage_locations`: an array of `google_compute_snapshot` storage_locations
+ * `licenses`: an array of `google_compute_snapshot` licenses
+ * `labels`: an array of `google_compute_snapshot` labels
+ * `label_fingerprints`: an array of `google_compute_snapshot` label_fingerprint
+ * `source_disks`: an array of `google_compute_snapshot` source_disk
+ * `zones`: an array of `google_compute_snapshot` zone
+ * `snapshot_encryption_keys`: an array of `google_compute_snapshot` snapshot_encryption_key
+ * `source_disk_encryption_keys`: an array of `google_compute_snapshot` source_disk_encryption_key
+
+## Filter criteria
+
+This resource supports all of the above properties as filter criteria, which can be used
+with `where` as a block or a method.
+
+## GCP permissions
+
+Ensure the [Compute Engine API](https://console.cloud.google.com/apis/library/compute.googleapis.com/) is enabled for the current project.
diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_ssl_certificate.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_ssl_certificate.md
new file mode 100644
index 0000000..3233699
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_ssl_certificate.md
@@ -0,0 +1,72 @@
++++
+title = "google_compute_ssl_certificate resource"
+
+draft = false
+
+
+[menu.gcp]
+title = "google_compute_ssl_certificate"
+identifier = "inspec/resources/gcp/google_compute_ssl_certificate resource"
+parent = "inspec/resources/gcp"
++++
+
+## Syntax
+
+A `google_compute_ssl_certificate` is used to test a Google SslCertificate resource
+
+
+## Beta Resource
+This resource has beta fields available. To retrieve these fields, include `beta: true` in the constructor for the resource.
+
+## Examples
+
+```ruby
+describe google_compute_ssl_certificate(project: 'chef-gcp-inspec', name: 'inspec-gcp-ssl-certificate') do
+ it { should exist }
+ its('description') { should eq 'A fake ssl certificate (DO NOT USE)' }
+ its('certificate') { should eq '-----BEGIN CERTIFICATE-----
+MIICqjCCAk+gAwIBAgIJAIuJ+0352Kq4MAoGCCqGSM49BAMCMIGwMQswCQYDVQQG
+EwJVUzETMBEGA1UECAwKV2FzaGluZ3RvbjERMA8GA1UEBwwIS2lya2xhbmQxFTAT
+BgNVBAoMDEdvb2dsZSwgSW5jLjEeMBwGA1UECwwVR29vZ2xlIENsb3VkIFBsYXRm
+b3JtMR8wHQYDVQQDDBZ3d3cubXktc2VjdXJlLXNpdGUuY29tMSEwHwYJKoZIhvcN
+AQkBFhJuZWxzb25hQGdvb2dsZS5jb20wHhcNMTcwNjI4MDQ1NjI2WhcNMjcwNjI2
+MDQ1NjI2WjCBsDELMAkGA1UEBhMCVVMxEzARBgNVBAgMCldhc2hpbmd0b24xETAP
+BgNVBAcMCEtpcmtsYW5kMRUwEwYDVQQKDAxHb29nbGUsIEluYy4xHjAcBgNVBAsM
+FUdvb2dsZSBDbG91ZCBQbGF0Zm9ybTEfMB0GA1UEAwwWd3d3Lm15LXNlY3VyZS1z
+aXRlLmNvbTEhMB8GCSqGSIb3DQEJARYSbmVsc29uYUBnb29nbGUuY29tMFkwEwYH
+KoZIzj0CAQYIKoZIzj0DAQcDQgAEHGzpcRJ4XzfBJCCPMQeXQpTXwlblimODQCuQ
+4mzkzTv0dXyB750fOGN02HtkpBOZzzvUARTR10JQoSe2/5PIwaNQME4wHQYDVR0O
+BBYEFKIQC3A2SDpxcdfn0YLKineDNq/BMB8GA1UdIwQYMBaAFKIQC3A2SDpxcdfn
+0YLKineDNq/BMAwGA1UdEwQFMAMBAf8wCgYIKoZIzj0EAwIDSQAwRgIhALs4vy+O
+M3jcqgA4fSW/oKw6UJxp+M6a+nGMX+UJR3YgAiEAvvl39QRVAiv84hdoCuyON0lJ
+zqGNhIPGq2ULqXKK8BY=
+-----END CERTIFICATE-----
+' }
+end
+
+describe google_compute_ssl_certificate(project: 'chef-gcp-inspec', name: 'nonexistent') do
+ it { should_not exist }
+end
+```
+
+## Properties
+
+Properties that can be accessed from the
`google_compute_ssl_certificate` resource:
+
+
+ * `certificate`: The certificate in PEM format. The certificate chain must be no greater than 5 certs long. The chain must include at least one intermediate cert.
+
+ * `creation_timestamp`: Creation timestamp in RFC3339 text format.
+
+ * `description`: An optional description of this resource.
+
+ * `id`: The unique identifier for the resource.
+
+ * `name`: Name of the resource. Provided by the client when the resource is created. The name must be 1-63 characters long, and comply with RFC1035. Specifically, the name must be 1-63 characters long and match the regular expression `[a-z]([-a-z0-9]*[a-z0-9])?` which means the first character must be a lowercase letter, and all following characters must be a dash, lowercase letter, or digit, except the last character, which cannot be a dash.
+
+ * `private_key`: The write-only private key in PEM format.
+
+
+## GCP permissions
+
+Ensure the [Compute Engine API](https://console.cloud.google.com/apis/library/compute.googleapis.com/) is enabled for the current project.
diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_ssl_certificates.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_ssl_certificates.md
new file mode 100644
index 0000000..c70903d
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_ssl_certificates.md
@@ -0,0 +1,69 @@
++++
+title = "google_compute_ssl_certificates resource"
+
+draft = false
+
+
+[menu.gcp]
+title = "google_compute_ssl_certificates"
+identifier = "inspec/resources/gcp/google_compute_ssl_certificates resource"
+parent = "inspec/resources/gcp"
++++
+
+## Syntax
+
+A `google_compute_ssl_certificates` is used to test a Google SslCertificate resource
+
+
+## Beta Resource
+This resource has beta fields available. To retrieve these fields, include `beta: true` in the constructor for the resource.
+
+## Examples
+
+```ruby
+describe google_compute_ssl_certificates(project: 'chef-gcp-inspec') do
+
+ its('names') { should include 'inspec-gcp-ssl-certificate' }
+ its('descriptions') { should include 'A fake ssl certificate (DO NOT USE)' }
+ its('certificates') { should include '-----BEGIN CERTIFICATE-----
+MIICqjCCAk+gAwIBAgIJAIuJ+0352Kq4MAoGCCqGSM49BAMCMIGwMQswCQYDVQQG
+EwJVUzETMBEGA1UECAwKV2FzaGluZ3RvbjERMA8GA1UEBwwIS2lya2xhbmQxFTAT
+BgNVBAoMDEdvb2dsZSwgSW5jLjEeMBwGA1UECwwVR29vZ2xlIENsb3VkIFBsYXRm
+b3JtMR8wHQYDVQQDDBZ3d3cubXktc2VjdXJlLXNpdGUuY29tMSEwHwYJKoZIhvcN
+AQkBFhJuZWxzb25hQGdvb2dsZS5jb20wHhcNMTcwNjI4MDQ1NjI2WhcNMjcwNjI2
+MDQ1NjI2WjCBsDELMAkGA1UEBhMCVVMxEzARBgNVBAgMCldhc2hpbmd0b24xETAP
+BgNVBAcMCEtpcmtsYW5kMRUwEwYDVQQKDAxHb29nbGUsIEluYy4xHjAcBgNVBAsM
+FUdvb2dsZSBDbG91ZCBQbGF0Zm9ybTEfMB0GA1UEAwwWd3d3Lm15LXNlY3VyZS1z
+aXRlLmNvbTEhMB8GCSqGSIb3DQEJARYSbmVsc29uYUBnb29nbGUuY29tMFkwEwYH
+KoZIzj0CAQYIKoZIzj0DAQcDQgAEHGzpcRJ4XzfBJCCPMQeXQpTXwlblimODQCuQ
+4mzkzTv0dXyB750fOGN02HtkpBOZzzvUARTR10JQoSe2/5PIwaNQME4wHQYDVR0O
+BBYEFKIQC3A2SDpxcdfn0YLKineDNq/BMB8GA1UdIwQYMBaAFKIQC3A2SDpxcdfn
+0YLKineDNq/BMAwGA1UdEwQFMAMBAf8wCgYIKoZIzj0EAwIDSQAwRgIhALs4vy+O
+M3jcqgA4fSW/oKw6UJxp+M6a+nGMX+UJR3YgAiEAvvl39QRVAiv84hdoCuyON0lJ
+zqGNhIPGq2ULqXKK8BY=
+-----END CERTIFICATE-----
+' }
+end
+```
+
+## Properties
+
+Properties that can be accessed from the `google_compute_ssl_certificates` resource:
+
+See [google_compute_ssl_certificate](google_compute_ssl_certificate) for more
detailed information.
+
+ * `certificates`: an array of `google_compute_ssl_certificate` certificate
+ * `creation_timestamps`: an array of `google_compute_ssl_certificate` creation_timestamp
+ * `descriptions`: an array of `google_compute_ssl_certificate` description
+ * `ids`: an array of `google_compute_ssl_certificate` id
+ * `names`: an array of `google_compute_ssl_certificate` name
+ * `private_keys`: an array of `google_compute_ssl_certificate` private_key
+
+## Filter criteria
+
+This resource supports all of the above properties as filter criteria, which can be used
+with `where` as a block or a method.
+
+## GCP permissions
+
+Ensure the [Compute Engine API](https://console.cloud.google.com/apis/library/compute.googleapis.com/) is enabled for the current project.
diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_ssl_policies.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_ssl_policies.md
new file mode 100644
index 0000000..0c899df
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_ssl_policies.md
@@ -0,0 +1,62 @@
++++
+title = "google_compute_ssl_policies resource"
+
+draft = false
+
+
+[menu.gcp]
+title = "google_compute_ssl_policies"
+identifier = "inspec/resources/gcp/google_compute_ssl_policies resource"
+parent = "inspec/resources/gcp"
++++
+
+## Syntax
+
+A `google_compute_ssl_policies` is used to test a Google SslPolicy resource
+
+
+## Beta Resource
+This resource has beta fields available. To retrieve these fields, include `beta: true` in the constructor for the resource.
+
+## Examples
+
+```ruby
+describe google_compute_ssl_policies(project: 'chef-gcp-inspec') do
+ it { should exist }
+ its('names') { should include 'inspec-gcp-ssl-policy' }
+ its('profiles') { should include 'CUSTOM' }
+ its('count') { should eq 1 }
+end
+
+google_compute_ssl_policies(project: 'chef-gcp-inspec').names.each do |policy_name|
+ describe google_compute_ssl_policy(project: 'chef-gcp-inspec', name: policy_name) do
+ its('min_tls_version') { should eq 'TLS_1_2' }
+ end
+end
+```
+
+## Properties
+
+Properties that can be accessed from the `google_compute_ssl_policies` resource:
+
+See [google_compute_ssl_policy](google_compute_ssl_policy) for more detailed information.
+
+ * `creation_timestamps`: an array of `google_compute_ssl_policy` creation_timestamp
+ * `descriptions`: an array of `google_compute_ssl_policy` description
+ * `ids`: an array of `google_compute_ssl_policy` id
+ * `names`: an array of `google_compute_ssl_policy` name
+ * `profiles`: an array of `google_compute_ssl_policy` profile
+ * `min_tls_versions`: an array of `google_compute_ssl_policy` min_tls_version
+ * `enabled_features`: an array of `google_compute_ssl_policy` enabled_features
+ * `custom_features`: an array of `google_compute_ssl_policy` custom_features
+ * `fingerprints`: an array of `google_compute_ssl_policy` fingerprint
+ * `warnings`: an array of `google_compute_ssl_policy` warnings
+
+## Filter criteria
+
+This resource supports all of the above properties as filter criteria, which can be used
+with `where` as a block or a method.
+
+## GCP permissions
+
+Ensure the [Compute Engine API](https://console.cloud.google.com/apis/library/compute.googleapis.com/) is enabled for the current project.
diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_ssl_policy.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_ssl_policy.md
new file mode 100644
index 0000000..64f9fb9
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_ssl_policy.md
@@ -0,0 +1,78 @@
++++
+title = "google_compute_ssl_policy resource"
+
+draft = false
+
+
+[menu.gcp]
+title = "google_compute_ssl_policy"
+identifier = "inspec/resources/gcp/google_compute_ssl_policy resource"
+parent = "inspec/resources/gcp"
++++
+
+## Syntax
+
+A `google_compute_ssl_policy` is used to test a Google SslPolicy resource
+
+
+## Beta Resource
+This resource has beta fields available. To retrieve these fields, include `beta: true` in the constructor for the resource.
+
+## Examples
+
+```ruby
+describe google_compute_ssl_policy(project: 'chef-gcp-inspec', name: 'inspec-gcp-ssl-policy') do
+ it { should exist }
+ its('min_tls_version') { should eq 'TLS_1_2' }
+ its('profile') { should eq 'CUSTOM' }
+ its('custom_features') { should include 'TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384' }
+ its('custom_features') { should include 'TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384' }
+end
+
+describe google_compute_ssl_policy(project: 'chef-gcp-inspec', name: 'nonexistent') do
+ it { should_not exist }
+end
+```
+
+## Properties
+
+Properties that can be accessed from the `google_compute_ssl_policy` resource:
+
+
+ * `creation_timestamp`: Creation timestamp in RFC3339 text format.
+
+ * `description`: An optional description of this resource.
+
+ * `id`: The unique identifier for the resource.
+
+ * `name`: Name of the resource. Provided by the client when the resource is created. The name must be 1-63 characters long, and comply with RFC1035. Specifically, the name must be 1-63 characters long and match the regular expression `[a-z]([-a-z0-9]*[a-z0-9])?` which means the first character must be a lowercase letter, and all following characters must be a dash, lowercase letter, or digit, except the last character, which cannot be a dash.
+
+ * `profile`: Profile specifies the set of SSL features that can be used by the load balancer when negotiating SSL with clients. If using `CUSTOM`, the set of SSL features to enable must be specified in the `customFeatures` field.
+ Possible values:
+ * COMPATIBLE
+ * MODERN
+ * RESTRICTED
+ * CUSTOM
+
+ * `min_tls_version`: The minimum version of SSL protocol that can be used by the clients to establish a connection with the load balancer.
+ Possible values:
+ * TLS_1_0
+ * TLS_1_1
+ * TLS_1_2
+
+ * `enabled_features`: The list of features enabled in the SSL policy.
+
+ * `custom_features`: A list of features enabled when the selected profile is CUSTOM. The method returns the set of features that can be specified in this list. This field must be empty if the profile is not CUSTOM.
+
+ * `fingerprint`: Fingerprint of this resource. A hash of the contents stored in this object. This field is used in optimistic locking.
+
+ * `warnings`: If potential misconfigurations are detected for this SSL policy, this field will be populated with warning messages.
+
+ * `code`: A warning code, if applicable.
+
+ * `message`: A human-readable description of the warning code.
+
+
+## GCP permissions
+
+Ensure the [Compute Engine API](https://console.cloud.google.com/apis/library/compute.googleapis.com/) is enabled for the current project.
diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_subnetwork.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_subnetwork.md
new file mode 100644
index 0000000..47c70df
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_subnetwork.md
@@ -0,0 +1,149 @@
++++
+title = "google_compute_subnetwork resource"
+
+draft = false
+
+
+[menu.gcp]
+title = "google_compute_subnetwork"
+identifier = "inspec/resources/gcp/google_compute_subnetwork resource"
+parent = "inspec/resources/gcp"
++++
+
+## Syntax
+
+A `google_compute_subnetwork` is used to test a Google Subnetwork resource
+
+
+## Beta Resource
+This resource has beta fields available. To retrieve these fields, include `beta: true` in the constructor for the resource.
+
+## Examples
+
+```ruby
+describe google_compute_subnetwork(project: 'chef-gcp-inspec', region: 'europe-west2', name: 'inspec-subnet') do
+ it { should exist }
+ its('ip_cidr_range') { should eq '10.2.0.0/16' }
+ its('log_config.enable') { should be true }
+ its('log_config.flow_sampling') { should cmp '0.5' }
+ its('log_config.aggregation_interval') { should cmp 'INTERVAL_10_MIN' }
+ its('log_config.metadata') { should include 'INCLUDE_ALL_METADATA' }
+end
+
+describe google_compute_subnetwork(project: 'chef-gcp-inspec', region: 'europe-west2', name: 'nonexistent') do
+ it { should_not exist }
+end
+```
+
+### Test that a GCP compute subnetwork exists
+
+ describe google_compute_subnetwork(project: 'chef-inspec-gcp', region: 'europe-west2', name: 'gcp-inspec-subnetwork') do
+ it { should exist }
+ end
+
+### Test when a GCP compute subnetwork was created
+
+ describe google_compute_subnetwork(project: 'chef-inspec-gcp', region: 'europe-west2', name: 'gcp-inspec-subnetwork') do
+ its('creation_timestamp') { should be > Time.now - 365*60*60*24*10 }
+ end
+
+### Test for an expected subnetwork identifier
+
+ describe google_compute_subnetwork(project: 'chef-inspec-gcp', region: 'europe-west2', name: 'gcp-inspec-subnetwork') do
+ its('id') { should eq 12345567789 }
+ end
+
+### Test that a subnetwork gateway address is as expected
+
+ describe google_compute_subnetwork(project: 'chef-inspec-gcp', region: 'europe-west2', name: 'gcp-inspec-subnetwork') do
+ its('gateway_address') { should eq "10.2.0.1" }
+ end
+
+### Test that a subnetwork IP CIDR range is as expected
+
+ describe google_compute_subnetwork(project: 'chef-inspec-gcp', region: 'europe-west2', name: 'gcp-inspec-subnetwork') do
+ its('ip_cidr_range') { should eq "10.2.0.0/29" }
+ end
+
+### Test that a subnetwork is associated with the expected network
+
+ describe google_compute_subnetwork(project: 'chef-inspec-gcp', region: 'europe-west2', name: 'gcp-inspec-subnetwork') do
+ its('network') { should match "gcp_network_name" }
+ end
+
+### Test whether VMs in this subnet can access Google services without assigning external IP addresses through Private Google Access
+
+ describe google_compute_subnetwork(project: 'chef-inspec-gcp', region: 'europe-west2', name: 'gcp-inspec-subnetwork') do
+ its('private_ip_google_access') { should be false }
+ end
+
+## Properties
+
+Properties that can be accessed from the `google_compute_subnetwork` resource:
+
+
+ * `creation_timestamp`: Creation timestamp in RFC3339 text format.
+
+ * `description`: An optional description of this resource. Provide this property when you create the resource. This field can be set only at resource creation time.
+
+ * `gateway_address`: The gateway address for default routes to reach destination addresses outside this subnetwork.
+
+ * `id`: The unique identifier for the resource.
+
+ * `ip_cidr_range`: The range of internal addresses that are owned by this subnetwork. Provide this property when you create the subnetwork. For example, 10.0.0.0/8 or 192.168.0.0/16. Ranges must be unique and non-overlapping within a network. Only IPv4 is supported.
+
+ * `name`: The name of the resource, provided by the client when initially creating the resource. The name must be 1-63 characters long, and comply with RFC1035. Specifically, the name must be 1-63 characters long and match the regular expression `[a-z]([-a-z0-9]*[a-z0-9])?` which means the first character must be a lowercase letter, and all following characters must be a dash, lowercase letter, or digit, except the last character, which cannot be a dash.
+
+ * `network`: The network this subnet belongs to. Only networks that are in the distributed mode can have subnetworks.
+
+ * `purpose`: (Beta only) The purpose of the resource. This field can be either PRIVATE or INTERNAL_HTTPS_LOAD_BALANCER. A subnetwork with purpose set to INTERNAL_HTTPS_LOAD_BALANCER is a user-created subnetwork that is reserved for Internal HTTP(S) Load Balancing. If unspecified, the purpose defaults to PRIVATE. If set to INTERNAL_HTTPS_LOAD_BALANCER you must also set the role.
+ Possible values:
+ * INTERNAL_HTTPS_LOAD_BALANCER
+ * PRIVATE
+
+ * `role`: (Beta only) The role of subnetwork. Currently, this field is only used when purpose = INTERNAL_HTTPS_LOAD_BALANCER. The value can be set to ACTIVE or BACKUP. An ACTIVE subnetwork is one that is currently being used for Internal HTTP(S) Load Balancing. A BACKUP subnetwork is one that is ready to be promoted to ACTIVE or is currently draining.
+ Possible values:
+ * ACTIVE
+ * BACKUP
+
+ * `secondary_ip_ranges`: An array of configurations for secondary IP ranges for VM instances contained in this subnetwork. The primary IP of such VM must belong to the primary ipCidrRange of the subnetwork. The alias IPs may belong to either primary or secondary ranges.
+
+ * `range_name`: The name associated with this subnetwork secondary range, used when adding an alias IP range to a VM instance. The name must be 1-63 characters long, and comply with RFC1035. The name must be unique within the subnetwork.
+
+ * `ip_cidr_range`: The range of IP addresses belonging to this subnetwork secondary range. Provide this property when you create the subnetwork. Ranges must be unique and non-overlapping with all primary and secondary IP ranges within a network. Only IPv4 is supported.
+
+ * `private_ip_google_access`: When enabled, VMs in this subnetwork without external IP addresses can access Google APIs and services by using Private Google Access.
+
+ * `private_ipv6_google_access`: The private IPv6 google access type for the VMs in this subnet.
+
+ * `region`: The GCP region for this subnetwork.
+
+ * `log_config`: Denotes the logging options for the subnetwork flow logs. If logging is enabled logs will be exported to Stackdriver. This field cannot be set if the `purpose` of this subnetwork is `INTERNAL_HTTPS_LOAD_BALANCER`
+
+ * `enable`: If logging is enabled for this subnetwork
+
+ * `aggregation_interval`: Can only be specified if VPC flow logging for this subnetwork is enabled. Toggles the aggregation interval for collecting flow logs. Increasing the interval time will reduce the amount of generated flow logs for long lasting connections. Default is an interval of 5 seconds per connection.
+ Possible values:
+ * INTERVAL_5_SEC
+ * INTERVAL_30_SEC
+ * INTERVAL_1_MIN
+ * INTERVAL_5_MIN
+ * INTERVAL_10_MIN
+ * INTERVAL_15_MIN
+
+ * `flow_sampling`: Can only be specified if VPC flow logging for this subnetwork is enabled. The value of the field must be in [0, 1]. Set the sampling rate of VPC flow logs within the subnetwork where 1.0 means all collected logs are reported and 0.0 means no logs are reported. Default is 0.5 which means half of all collected logs are reported.
+
+ * `metadata`: Can only be specified if VPC flow logging for this subnetwork is enabled. Configures whether metadata fields should be added to the reported VPC flow logs.
+ Possible values:
+ * EXCLUDE_ALL_METADATA
+ * INCLUDE_ALL_METADATA
+ * CUSTOM_METADATA
+
+ * `metadata_fields`: List of metadata fields that should be added to reported logs. Can only be specified if VPC flow logs for this subnetwork is enabled and "metadata" is set to CUSTOM_METADATA.
+
+ * `filter_expr`: Export filter used to define which VPC flow logs should be logged, as as CEL expression. See https://cloud.google.com/vpc/docs/flow-logs#filtering for details on how to format this field. The default value is 'true', which evaluates to include everything.
+
+
+## GCP permissions
+
+Ensure the [Compute Engine API](https://console.cloud.google.com/apis/library/compute.googleapis.com/) is enabled for the current project.
diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_subnetwork_iam_binding.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_subnetwork_iam_binding.md
new file mode 100644
index 0000000..58bb511
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_subnetwork_iam_binding.md
@@ -0,0 +1,38 @@
++++
+title = "google_compute_subnetwork_iam_binding resource"
+
+draft = false
+
+
+[menu.gcp]
+title = "google_compute_subnetwork_iam_binding"
+identifier = "inspec/resources/gcp/google_compute_subnetwork_iam_binding resource"
+parent = "inspec/resources/gcp"
++++
+
+## Syntax
+
+A `google_compute_subnetwork_iam_binding` is used to test a Google Subnetwork Iam Bindings
+
+## Examples
+
+```ruby
+describe google_compute_subnetwork_iam_binding(project: "project", region: "region", name: "name", role: "roles/editor") do
+ it { should exist }
+ its('members') { should include 'user:testuser@example.com' }
+end
+```
+
+
+## Properties
+
+Properties that can be accessed from the `google_compute_subnetwork_iam_binding` resource:
+
+ * `role`: Role that is assigned to members. For example, roles/viewer, roles/editor, or roles/owner.
+
+ * `members`: Specifies the identities requesting access for a Cloud Platform resource.
+
+
+## GCP permissions
+
+Ensure the [Compute Engine API](https://console.cloud.google.com/apis/library/compute.googleapis.com/) is enabled for the current project.
diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_subnetwork_iam_policy.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_subnetwork_iam_policy.md
new file mode 100644
index 0000000..f5666d4
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_subnetwork_iam_policy.md
@@ -0,0 +1,58 @@
++++
+title = "google_compute_subnetwork_iam_policy resource"
+
+draft = false
+
+
+[menu.gcp]
+title = "google_compute_subnetwork_iam_policy"
+identifier = "inspec/resources/gcp/google_compute_subnetwork_iam_policy resource"
+parent = "inspec/resources/gcp"
++++
+
+## Syntax
+
+A `google_compute_subnetwork_iam_policy` is used to test a Google Subnetwork Iam Policy resource.
+
+## Examples
+
+```ruby
+describe google_compute_subnetwork_iam_policy(project: "project", region: "region", name: "name") do
+ it { should exist }
+end
+
+google_compute_subnetwork_iam_policy(project: "project", region: "region", name: "name").bindings.each do |binding|
+ describe binding do
+ its('role') { should eq 'roles/editor'}
+ its('members') { should include 'user:testuser@example.com'}
+ end
+end
+```
+
+## Properties
+
+Properties that can be accessed from the `google_compute_subnetwork_iam_policy` resource:
+
+ * `iam_binding_roles`: The list of roles that exist on the policy.
+
+ * `bindings`: Associates a list of members to a role.
+
+ * `role`: Role that is assigned to members. For example, roles/viewer, roles/editor, or roles/owner.
+
+ * `members`: Specifies the identities requesting access for a Cloud Platform resource.
+
+ * `audit_configs`: Specifies cloud audit logging configuration for this policy.
+
+ * `service`: Specifies a service that will be enabled for audit logging. For example, `storage.googleapis.com`, `cloudsql.googleapis.com`. `allServices` is a special value that covers all services.
+
+ * `audit_log_configs`: The configuration for logging of each type of permission.
+
+ * `log_type`: The log type that this config enables. For example, ADMIN_READ, DATA_WRITE or DATA_READ
+
+ * `exempted_members`: Specifies the identities that do not cause logging for this type of permission.
+
+
+
+## GCP permissions
+
+Ensure the [Compute Engine API](https://console.cloud.google.com/apis/library/compute.googleapis.com/) is enabled for the current project.
diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_subnetworks.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_subnetworks.md
new file mode 100644
index 0000000..dfae542
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_subnetworks.md
@@ -0,0 +1,83 @@
++++
+title = "google_compute_subnetworks resource"
+
+draft = false
+
+
+[menu.gcp]
+title = "google_compute_subnetworks"
+identifier = "inspec/resources/gcp/google_compute_subnetworks resource"
+parent = "inspec/resources/gcp"
++++
+
+## Syntax
+
+A `google_compute_subnetworks` is used to test a Google Subnetwork resource
+
+
+## Beta Resource
+This resource has beta fields available. To retrieve these fields, include `beta: true` in the constructor for the resource.
+
+## Examples
+
+```ruby
+describe google_compute_subnetworks(project: 'chef-gcp-inspec', region: 'europe-west2') do
+ its('ip_cidr_ranges') { should include '10.2.0.0/16' }
+ its('subnetwork_names') { should include 'inspec-subnet' }
+end
+```
+
+### Test that there are no more than a specified number of subnetworks available for the project and region
+
+ describe google_compute_subnetworks(project: 'chef-inspec-gcp', region: 'europe-west2') do
+ its('count') { should be <= 100}
+ end
+
+### Test that an expected subnetwork identifier is present in the project and region
+
+ describe google_compute_subnetworks(project: 'chef-inspec-gcp', region: 'europe-west2') do
+ its('subnetwork_ids') { should include 12345678975432 }
+ end
+
+
+### Test that an expected subnetwork name is available for the project and region
+
+ describe google_compute_subnetworks(project: 'chef-inspec-gcp', region: 'europe-west2') do
+ its('subnetwork_names') { should include "subnetwork-name" }
+ end
+
+### Test that an expected subnetwork network name is not present for the project and region
+
+ describe google_compute_subnetworks(project: 'chef-inspec-gcp', region: 'europe-west2') do
+ its('subnetwork_networks') { should not include "network-name" }
+ end
+
+## Properties
+
+Properties that can be accessed from the `google_compute_subnetworks` resource:
+
+See [google_compute_subnetwork](google_compute_subnetwork) for more detailed information.
+
+ * `creation_timestamps`: an array of `google_compute_subnetwork` creation_timestamp
+ * `descriptions`: an array of `google_compute_subnetwork` description
+ * `gateway_addresses`: an array of `google_compute_subnetwork` gateway_address
+ * `subnetwork_ids`: an array of `google_compute_subnetwork` id
+ * `ip_cidr_ranges`: an array of `google_compute_subnetwork` ip_cidr_range
+ * `subnetwork_names`: an array of `google_compute_subnetwork` name
+ * `networks`: an array of `google_compute_subnetwork` network
+ * `purposes`: (Beta only) an array of `google_compute_subnetwork` purpose
+ * `roles`: (Beta only) an array of `google_compute_subnetwork` role
+ * `secondary_ip_ranges`: an array of `google_compute_subnetwork` secondary_ip_ranges
+ * `private_ip_google_accesses`: an array of `google_compute_subnetwork` private_ip_google_access
+ * `private_ipv6_google_accesses`: an array of `google_compute_subnetwork` private_ipv6_google_access
+ * `regions`: an array of `google_compute_subnetwork` region
+ * `log_configs`: an array of `google_compute_subnetwork` log_config
+
+## Filter criteria
+
+This resource supports all of the above properties as filter criteria, which can be used
+with `where` as a block or a method.
+
+## GCP permissions
+
+Ensure the [Compute Engine API](https://console.cloud.google.com/apis/library/compute.googleapis.com/) is enabled for the current project.
diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_target_grpc_proxies.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_target_grpc_proxies.md
new file mode 100644
index 0000000..6cdf8bf
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_target_grpc_proxies.md
@@ -0,0 +1,47 @@
++++
+title = "google_compute_target_grpc_proxies resource"
+
+draft = false
+
+
+[menu.gcp]
+title = "google_compute_target_grpc_proxies"
+identifier = "inspec/resources/gcp/google_compute_target_grpc_proxies resource"
+parent = "inspec/resources/gcp"
++++
+
+Use the `google_compute_target_grpc_proxies` InSpec audit resource to to test a Google Cloud TargetGrpcProxy resource.
+
+## Examples
+
+```ruby
+ describe google_compute_target_grpc_proxies(project: 'chef-gcp-inspec') do
+ it { should exist }
+ end
+```
+
+## Properties
+
+Properties that can be accessed from the `google_compute_target_grpc_proxies` resource:
+
+See [google_compute_target_grpc_proxy](google_compute_target_grpc_proxy) for more detailed information.
+
+ * `kinds`: an array of `google_compute_target_grpc_proxy` kind
+ * `ids`: an array of `google_compute_target_grpc_proxy` id
+ * `creation_timestamps`: an array of `google_compute_target_grpc_proxy` creation_timestamp
+ * `names`: an array of `google_compute_target_grpc_proxy` name
+ * `descriptions`: an array of `google_compute_target_grpc_proxy` description
+ * `self_links`: an array of `google_compute_target_grpc_proxy` self_link
+ * `self_link_with_ids`: an array of `google_compute_target_grpc_proxy` self_link_with_id
+ * `url_maps`: an array of `google_compute_target_grpc_proxy` url_map
+ * `validate_for_proxylesses`: an array of `google_compute_target_grpc_proxy` validate_for_proxyless
+ * `fingerprints`: an array of `google_compute_target_grpc_proxy` fingerprint
+
+## Filter criteria
+
+This resource supports all of the above properties as filter criteria, which can be used
+with `where` as a block or a method.
+
+## GCP permissions
+
+Ensure the [Compute Engine API](https://console.cloud.google.com/apis/library/compute.googleapis.com/) is enabled for the current project.
diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_target_grpc_proxy.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_target_grpc_proxy.md
new file mode 100644
index 0000000..548629a
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_target_grpc_proxy.md
@@ -0,0 +1,65 @@
++++
+title = "google_compute_target_grpc_proxy resource"
+
+draft = false
+
+
+[menu.gcp]
+title = "google_compute_target_grpc_proxy"
+identifier = "inspec/resources/gcp/google_compute_target_grpc_proxy resource"
+parent = "inspec/resources/gcp"
++++
+
+Use the `google_compute_target_grpc_proxy` InSpec audit resource to to test a Google Cloud TargetGrpcProxy resource.
+
+## Examples
+
+```ruby
+describe google_compute_target_grpc_proxy(project: 'chef-gcp-inspec', name: ' ') do
+ it { should exist }
+ its('kind') { should cmp 'value_kind' }
+ its('id') { should cmp 'value_id' }
+ its('creation_timestamp') { should cmp 'value_creationtimestamp' }
+ its('name') { should cmp 'value_name' }
+ its('description') { should cmp 'value_description' }
+ its('self_link') { should cmp 'value_selflink' }
+ its('self_link_with_id') { should cmp 'value_selflinkwithid' }
+ its('url_map') { should cmp 'value_urlmap' }
+ its('fingerprint') { should cmp 'value_fingerprint' }
+
+end
+
+describe google_compute_target_grpc_proxy(project: 'chef-gcp-inspec', name: ' ') do
+ it { should_not exist }
+end
+```
+
+## Properties
+
+Properties that can be accessed from the `google_compute_target_grpc_proxy` resource:
+
+
+ * `kind`: [Output Only] Type of the resource. Always compute#targetGrpcProxy for target grpc proxies.
+
+ * `id`: [Output Only] The unique identifier for the resource type. The server generates this identifier.
+
+ * `creation_timestamp`: [Output Only] Creation timestamp in RFC3339 text format.
+
+ * `name`: Name of the resource. Provided by the client when the resource is created. The name must be 1-63 characters long, and comply with RFC1035. Specifically, the name must be 1-63 characters long and match the regular expression `[a-z]([-a-z0-9]*[a-z0-9])?` which means the first character must be a lowercase letter, and all following characters must be a dash, lowercase letter, or digit, except the last character, which cannot be a dash.
+
+ * `description`: An optional description of this resource. Provide this property when you create the resource.
+
+ * `self_link`: [Output Only] Server-defined URL for the resource.
+
+ * `self_link_with_id`: [Output Only] Server-defined URL with id for the resource.
+
+ * `url_map`: URL to the UrlMap resource that defines the mapping from URL to the BackendService. The protocol field in the BackendService must be set to GRPC.
+
+ * `validate_for_proxyless`: If true, indicates that the BackendServices referenced by the urlMap may be accessed by gRPC applications without using a sidecar proxy. This will enable configuration checks on urlMap and its referenced BackendServices to not allow unsupported features. A gRPC application must use "xds:///" scheme in the target URI of the service it is connecting to. If false, indicates that the BackendServices referenced by the urlMap will be accessed by gRPC applications via a sidecar proxy. In this case, a gRPC application must not use "xds:///" scheme in the target URI of the service it is connecting to
+
+ * `fingerprint`: Fingerprint of this resource. A hash of the contents stored in this object. This field is used in optimistic locking. This field will be ignored when inserting a TargetGrpcProxy. An up-to-date fingerprint must be provided in order to patch/update the TargetGrpcProxy; otherwise, the request will fail with error 412 conditionNotMet. To see the latest fingerprint, make a get() request to retrieve the TargetGrpcProxy.
+
+
+## GCP permissions
+
+Ensure the [Compute Engine API](https://console.cloud.google.com/apis/library/compute.googleapis.com/) is enabled for the current project.
diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_target_http_proxies.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_target_http_proxies.md
new file mode 100644
index 0000000..cb1e089
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_target_http_proxies.md
@@ -0,0 +1,49 @@
++++
+title = "google_compute_target_http_proxies resource"
+
+draft = false
+
+
+[menu.gcp]
+title = "google_compute_target_http_proxies"
+identifier = "inspec/resources/gcp/google_compute_target_http_proxies resource"
+parent = "inspec/resources/gcp"
++++
+
+## Syntax
+
+A `google_compute_target_http_proxies` is used to test a Google TargetHttpProxy resource
+
+
+## Beta Resource
+This resource has beta fields available. To retrieve these fields, include `beta: true` in the constructor for the resource.
+
+## Examples
+
+```ruby
+describe google_compute_target_http_proxies(project: 'chef-gcp-inspec') do
+ its('names') { should include 'inspec-gcp-http-proxy' }
+ its('descriptions') { should include 'A HTTP proxy' }
+end
+```
+
+## Properties
+
+Properties that can be accessed from the `google_compute_target_http_proxies` resource:
+
+See [google_compute_target_http_proxy](google_compute_target_http_proxy) for more detailed information.
+
+ * `creation_timestamps`: an array of `google_compute_target_http_proxy` creation_timestamp
+ * `descriptions`: an array of `google_compute_target_http_proxy` description
+ * `ids`: an array of `google_compute_target_http_proxy` id
+ * `names`: an array of `google_compute_target_http_proxy` name
+ * `url_maps`: an array of `google_compute_target_http_proxy` url_map
+
+## Filter criteria
+
+This resource supports all of the above properties as filter criteria, which can be used
+with `where` as a block or a method.
+
+## GCP permissions
+
+Ensure the [Compute Engine API](https://console.cloud.google.com/apis/library/compute.googleapis.com/) is enabled for the current project.
diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_target_http_proxy.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_target_http_proxy.md
new file mode 100644
index 0000000..09be8dc
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_target_http_proxy.md
@@ -0,0 +1,53 @@
++++
+title = "google_compute_target_http_proxy resource"
+
+draft = false
+
+
+[menu.gcp]
+title = "google_compute_target_http_proxy"
+identifier = "inspec/resources/gcp/google_compute_target_http_proxy resource"
+parent = "inspec/resources/gcp"
++++
+
+## Syntax
+
+A `google_compute_target_http_proxy` is used to test a Google TargetHttpProxy resource
+
+
+## Beta Resource
+This resource has beta fields available. To retrieve these fields, include `beta: true` in the constructor for the resource.
+
+## Examples
+
+```ruby
+describe google_compute_target_http_proxy(project: 'chef-gcp-inspec', name: 'inspec-gcp-http-proxy') do
+ it { should exist }
+ its('description') { should eq 'A HTTP proxy' }
+ its('url_map') { should match /\/inspec-gcp-url-map$/ }
+end
+
+describe google_compute_target_http_proxy(project: 'chef-gcp-inspec', name: 'nonexistent') do
+ it { should_not exist }
+end
+```
+
+## Properties
+
+Properties that can be accessed from the `google_compute_target_http_proxy` resource:
+
+
+ * `creation_timestamp`: Creation timestamp in RFC3339 text format.
+
+ * `description`: An optional description of this resource.
+
+ * `id`: The unique identifier for the resource.
+
+ * `name`: Name of the resource. Provided by the client when the resource is created. The name must be 1-63 characters long, and comply with RFC1035. Specifically, the name must be 1-63 characters long and match the regular expression `[a-z]([-a-z0-9]*[a-z0-9])?` which means the first character must be a lowercase letter, and all following characters must be a dash, lowercase letter, or digit, except the last character, which cannot be a dash.
+
+ * `url_map`: A reference to the UrlMap resource that defines the mapping from URL to the BackendService.
+
+
+## GCP permissions
+
+Ensure the [Compute Engine API](https://console.cloud.google.com/apis/library/compute.googleapis.com/) is enabled for the current project.
diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_target_https_proxies.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_target_https_proxies.md
new file mode 100644
index 0000000..539bcb1
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_target_https_proxies.md
@@ -0,0 +1,52 @@
++++
+title = "google_compute_target_https_proxies resource"
+
+draft = false
+
+
+[menu.gcp]
+title = "google_compute_target_https_proxies"
+identifier = "inspec/resources/gcp/google_compute_target_https_proxies resource"
+parent = "inspec/resources/gcp"
++++
+
+## Syntax
+
+A `google_compute_target_https_proxies` is used to test a Google TargetHttpsProxy resource
+
+
+## Beta Resource
+This resource has beta fields available. To retrieve these fields, include `beta: true` in the constructor for the resource.
+
+## Examples
+
+```ruby
+describe google_compute_target_https_proxies(project: 'chef-gcp-inspec') do
+ its('names') { should include 'inspec-gcp-https-proxy' }
+ its('descriptions') { should include 'A HTTPS target proxy' }
+end
+```
+
+## Properties
+
+Properties that can be accessed from the `google_compute_target_https_proxies` resource:
+
+See [google_compute_target_https_proxy](google_compute_target_https_proxy) for more detailed information.
+
+ * `creation_timestamps`: an array of `google_compute_target_https_proxy` creation_timestamp
+ * `descriptions`: an array of `google_compute_target_https_proxy` description
+ * `ids`: an array of `google_compute_target_https_proxy` id
+ * `names`: an array of `google_compute_target_https_proxy` name
+ * `quic_overrides`: an array of `google_compute_target_https_proxy` quic_override
+ * `ssl_certificates`: an array of `google_compute_target_https_proxy` ssl_certificates
+ * `ssl_policies`: an array of `google_compute_target_https_proxy` ssl_policy
+ * `url_maps`: an array of `google_compute_target_https_proxy` url_map
+
+## Filter criteria
+
+This resource supports all of the above properties as filter criteria, which can be used
+with `where` as a block or a method.
+
+## GCP permissions
+
+Ensure the [Compute Engine API](https://console.cloud.google.com/apis/library/compute.googleapis.com/) is enabled for the current project.
diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_target_https_proxy.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_target_https_proxy.md
new file mode 100644
index 0000000..846a3cf
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_target_https_proxy.md
@@ -0,0 +1,63 @@
++++
+title = "google_compute_target_https_proxy resource"
+
+draft = false
+
+
+[menu.gcp]
+title = "google_compute_target_https_proxy"
+identifier = "inspec/resources/gcp/google_compute_target_https_proxy resource"
+parent = "inspec/resources/gcp"
++++
+
+## Syntax
+
+A `google_compute_target_https_proxy` is used to test a Google TargetHttpsProxy resource
+
+
+## Beta Resource
+This resource has beta fields available. To retrieve these fields, include `beta: true` in the constructor for the resource.
+
+## Examples
+
+```ruby
+describe google_compute_target_https_proxy(project: 'chef-gcp-inspec', name: 'inspec-gcp-https-proxy') do
+ it { should exist }
+ its('url_map') { should match /\/inspec-gcp-url-map$/ }
+ its('description') { should eq 'A HTTPS target proxy' }
+end
+
+describe google_compute_target_https_proxy(project: 'chef-gcp-inspec', name: 'nonexistent') do
+ it { should_not exist }
+end
+```
+
+## Properties
+
+Properties that can be accessed from the `google_compute_target_https_proxy` resource:
+
+
+ * `creation_timestamp`: Creation timestamp in RFC3339 text format.
+
+ * `description`: An optional description of this resource.
+
+ * `id`: The unique identifier for the resource.
+
+ * `name`: Name of the resource. Provided by the client when the resource is created. The name must be 1-63 characters long, and comply with RFC1035. Specifically, the name must be 1-63 characters long and match the regular expression `[a-z]([-a-z0-9]*[a-z0-9])?` which means the first character must be a lowercase letter, and all following characters must be a dash, lowercase letter, or digit, except the last character, which cannot be a dash.
+
+ * `quic_override`: Specifies the QUIC override policy for this resource. This determines whether the load balancer will attempt to negotiate QUIC with clients or not. Can specify one of NONE, ENABLE, or DISABLE. If NONE is specified, uses the QUIC policy with no user overrides, which is equivalent to DISABLE.
+ Possible values:
+ * NONE
+ * ENABLE
+ * DISABLE
+
+ * `ssl_certificates`: A list of SslCertificate resources that are used to authenticate connections between users and the load balancer. At least one SSL certificate must be specified.
+
+ * `ssl_policy`: A reference to the SslPolicy resource that will be associated with the TargetHttpsProxy resource. If not set, the TargetHttpsProxy resource will not have any SSL policy configured.
+
+ * `url_map`: A reference to the UrlMap resource that defines the mapping from URL to the BackendService.
+
+
+## GCP permissions
+
+Ensure the [Compute Engine API](https://console.cloud.google.com/apis/library/compute.googleapis.com/) is enabled for the current project.
diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_target_instance.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_target_instance.md
new file mode 100644
index 0000000..4abdaf3
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_target_instance.md
@@ -0,0 +1,74 @@ ++++ +title = "google_compute_target_instance resource" + +draft = false + + +[menu.gcp] +title = "google_compute_target_instance" +identifier = "inspec/resources/gcp/google_compute_target_instance resource" +parent = "inspec/resources/gcp" ++++ + +Use the `google_compute_target_instance` InSpec audit resource to to test a Google Cloud TargetInstance resource. + +## Examples + +```ruby +describe google_compute_target_instance(project: 'chef-gcp-inspec', name: ' ', zone: ' value_zone') do + it { should exist } + its('kind') { should cmp 'value_kind' } + its('id') { should cmp 'value_id' } + its('creation_timestamp') { should cmp 'value_creationtimestamp' } + its('name') { should cmp 'value_name' } + its('description') { should cmp 'value_description' } + its('zone') { should cmp 'value_zone' } + its('nat_policy') { should cmp 'value_natpolicy' } + its('instance') { should cmp 'value_instance' } + its('self_link') { should cmp 'value_selflink' } + its('self_link_with_id') { should cmp 'value_selflinkwithid' } + its('network') { should cmp 'value_network' } + its('security_policy') { should cmp 'value_securitypolicy' } + +end + +describe google_compute_target_instance(project: 'chef-gcp-inspec', name: ' ', zone: ' value_zone') do + it { should_not exist } +end +``` + +## Properties + +Properties that can be accessed from the `google_compute_target_instance` resource: + + + * `kind`: [Output Only] The type of the resource. Always compute#targetInstance for target instances. + + * `id`: [Output Only] The unique identifier for the resource. This identifier is defined by the server. + + * `creation_timestamp`: [Output Only] Creation timestamp in RFC3339 text format. + + * `name`: Name of the resource. Provided by the client when the resource is created. The name must be 1-63 characters long, and comply with RFC1035. 
Specifically, the name must be 1-63 characters long and match the regular expression `[a-z]([-a-z0-9]*[a-z0-9])?` which means the first character must be a lowercase letter, and all following characters must be a dash, lowercase letter, or digit, except the last character, which cannot be a dash. + + * `description`: An optional description of this resource. Provide this property when you create the resource. + + * `zone`: [Output Only] URL of the zone where the target instance resides. You must specify this field as part of the HTTP request URL. It is not settable as a field in the request body. + + * `nat_policy`: Must have a value of NO_NAT. Protocol forwarding delivers packets while preserving the destination IP address of the forwarding rule referencing the target instance. + Possible values: + * NO_NAT + + * `instance`: A URL to the virtual machine instance that handles traffic for this target instance. When creating a target instance, you can provide the fully-qualified URL or a valid partial URL to the desired virtual machine. For example, the following are all valid URLs: - https://www.googleapis.com/compute/v1/projects/project/zones/zone /instances/instance - projects/project/zones/zone/instances/instance - zones/zone/instances/instance + + * `self_link`: [Output Only] Server-defined URL for the resource. + + * `self_link_with_id`: [Output Only] Server-defined URL for this resource with the resource id. + + * `network`: The URL of the network this target instance uses to forward traffic. If not specified, the traffic will be forwarded to the network that the default network interface belongs to. + + * `security_policy`: [Output Only] The resource URL for the security policy associated with this target instance. + + +## GCP permissions + +Ensure the [Compute Engine API](https://console.cloud.google.com/apis/library/compute.googleapis.com/) is enabled for the current project. 
diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_target_instances.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_target_instances.md new file mode 100644 index 0000000..f9d638a --- /dev/null +++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_target_instances.md 
@@ -0,0 +1,49 @@ ++++ +title = "google_compute_target_instances resource" + +draft = false + + +[menu.gcp] +title = "google_compute_target_instances" +identifier = "inspec/resources/gcp/google_compute_target_instances resource" +parent = "inspec/resources/gcp" ++++ + +Use the `google_compute_target_instances` InSpec audit resource to to test a Google Cloud TargetInstance resource. + +## Examples + +```ruby + describe google_compute_target_instances(project: 'chef-gcp-inspec', zone: ' value_zone') do + it { should exist } + end +``` + +## Properties + +Properties that can be accessed from the `google_compute_target_instances` resource: + +See [google_compute_target_instance](google_compute_target_instance) for more detailed information. + + * `kinds`: an array of `google_compute_target_instance` kind + * `ids`: an array of `google_compute_target_instance` id + * `creation_timestamps`: an array of `google_compute_target_instance` creation_timestamp + * `names`: an array of `google_compute_target_instance` name + * `descriptions`: an array of `google_compute_target_instance` description + * `zones`: an array of `google_compute_target_instance` zone + * `nat_policies`: an array of `google_compute_target_instance` nat_policy + * `instances`: an array of `google_compute_target_instance` instance + * `self_links`: an array of `google_compute_target_instance` self_link + * `self_link_with_ids`: an array of `google_compute_target_instance` self_link_with_id + * `networks`: an array of `google_compute_target_instance` network + * `security_policies`: an array of `google_compute_target_instance` security_policy + +## Filter criteria + +This resource supports all of the above properties as filter criteria, which can be used +with `where` as a block or a method. + +## GCP permissions + +Ensure the [Compute Engine API](https://console.cloud.google.com/apis/library/compute.googleapis.com/) is enabled for the current project. 
diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_target_pool.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_target_pool.md new file mode 100644 index 0000000..22db93e --- /dev/null +++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_target_pool.md 
@@ -0,0 +1,67 @@ ++++ +title = "google_compute_target_pool resource" + +draft = false + + +[menu.gcp] +title = "google_compute_target_pool" +identifier = "inspec/resources/gcp/google_compute_target_pool resource" +parent = "inspec/resources/gcp" ++++ + +## Syntax + +A `google_compute_target_pool` is used to test a Google TargetPool resource + + +## Beta Resource +This resource has beta fields available. To retrieve these fields, include `beta: true` in the constructor for the resource. + +## Examples + +```ruby +describe google_compute_target_pool(project: 'chef-gcp-inspec', region: 'europe-west2', name: 'inspec-gcp-target-pool') do + it { should exist } + its('session_affinity') { should eq 'CLIENT_IP' } + it { should has_target_instance('gcp_ext_vm_name', 'zone') } +end + +describe google_compute_target_pool(project: 'chef-gcp-inspec', region: 'europe-west2', name: 'nonexistent') do + it { should_not exist } +end +``` + +## Properties + +Properties that can be accessed from the `google_compute_target_pool` resource: + + + * `backup_pool`: This field is applicable only when the containing target pool is serving a forwarding rule as the primary pool, and its failoverRatio field is properly set to a value between [0, 1]. backupPool and failoverRatio together define the fallback behavior of the primary target pool: if the ratio of the healthy instances in the primary pool is at or below failoverRatio, traffic arriving at the load-balanced IP will be directed to the backup pool. In case where failoverRatio and backupPool are not set, or all the instances in the backup pool are unhealthy, the traffic will be directed back to the primary pool in the "force" mode, where traffic will be spread to the healthy instances with the best effort, or to all instances when no instance is healthy. + + * `creation_timestamp`: Creation timestamp in RFC3339 text format. + + * `description`: An optional description of this resource. 
+ + * `failover_ratio`: This field is applicable only when the containing target pool is serving a forwarding rule as the primary pool (i.e., not as a backup pool to some other target pool). The value of the field must be in [0, 1]. If set, backupPool must also be set. They together define the fallback behavior of the primary target pool: if the ratio of the healthy instances in the primary pool is at or below this number, traffic arriving at the load-balanced IP will be directed to the backup pool. In case where failoverRatio is not set or all the instances in the backup pool are unhealthy, the traffic will be directed back to the primary pool in the "force" mode, where traffic will be spread to the healthy instances with the best effort, or to all instances when no instance is healthy. + + * `health_check`: A reference to a HttpHealthCheck resource. A member instance in this pool is considered healthy if and only if the health checks pass. If not specified it means all member instances will be considered healthy at all times. + + * `id`: The unique identifier for the resource. + + * `instances`: A list of virtual machine instances serving this pool. They must live in zones contained in the same region as this pool. + + * `name`: Name of the resource. Provided by the client when the resource is created. The name must be 1-63 characters long, and comply with RFC1035. Specifically, the name must be 1-63 characters long and match the regular expression `[a-z]([-a-z0-9]*[a-z0-9])?` which means the first character must be a lowercase letter, and all following characters must be a dash, lowercase letter, or digit, except the last character, which cannot be a dash. + + * `session_affinity`: Session affinity option. Must be one of these values: * NONE: Connections from the same client IP may go to any instance in the pool. * CLIENT_IP: Connections from the same client IP will go to the same instance in the pool while that instance remains healthy. 
* CLIENT_IP_PROTO: Connections from the same client IP with the same IP protocol will go to the same instance in the pool while that instance remains healthy. + Possible values: + * NONE + * CLIENT_IP + * CLIENT_IP_PROTO + + * `region`: The region where the target pool resides. + + +## GCP permissions + +Ensure the [Compute Engine API](https://console.cloud.google.com/apis/library/compute.googleapis.com/) is enabled for the current project. diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_target_pools.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_target_pools.md new file mode 100644 index 0000000..04f0a45 --- /dev/null +++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_target_pools.md 
@@ -0,0 +1,54 @@ ++++ +title = "google_compute_target_pools resource" + +draft = false + + +[menu.gcp] +title = "google_compute_target_pools" +identifier = "inspec/resources/gcp/google_compute_target_pools resource" +parent = "inspec/resources/gcp" ++++ + +## Syntax + +A `google_compute_target_pools` is used to test a Google TargetPool resource + + +## Beta Resource +This resource has beta fields available. To retrieve these fields, include `beta: true` in the constructor for the resource. + +## Examples + +```ruby +describe google_compute_target_pools(project: 'chef-gcp-inspec', region: 'europe-west2') do + its('names') { should include 'inspec-gcp-target-pool' } + its('session_affinities') { should include 'CLIENT_IP' } +end +``` + +## Properties + +Properties that can be accessed from the `google_compute_target_pools` resource: + +See [google_compute_target_pool](google_compute_target_pool) for more detailed information. + + * `backup_pools`: an array of `google_compute_target_pool` backup_pool + * `creation_timestamps`: an array of `google_compute_target_pool` creation_timestamp + * `descriptions`: an array of `google_compute_target_pool` description + * `failover_ratios`: an array of `google_compute_target_pool` failover_ratio + * `health_checks`: an array of `google_compute_target_pool` health_check + * `ids`: an array of `google_compute_target_pool` id + * `instances`: an array of `google_compute_target_pool` instances + * `names`: an array of `google_compute_target_pool` name + * `session_affinities`: an array of `google_compute_target_pool` session_affinity + * `regions`: an array of `google_compute_target_pool` region + +## Filter criteria + +This resource supports all of the above properties as filter criteria, which can be used +with `where` as a block or a method. + +## GCP permissions + +Ensure the [Compute Engine API](https://console.cloud.google.com/apis/library/compute.googleapis.com/) is enabled for the current project. 
diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_target_ssl_proxies.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_target_ssl_proxies.md new file mode 100644 index 0000000..6bb34b4 --- /dev/null +++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_target_ssl_proxies.md 
@@ -0,0 +1,48 @@ ++++ +title = "google_compute_target_ssl_proxies resource" + +draft = false + + +[menu.gcp] +title = "google_compute_target_ssl_proxies" +identifier = "inspec/resources/gcp/google_compute_target_ssl_proxies resource" +parent = "inspec/resources/gcp" ++++ + +Use the `google_compute_target_ssl_proxies` InSpec audit resource to to test a Google Cloud TargetSslProxy resource. + +## Examples + +```ruby + describe google_compute_target_ssl_proxies(project: 'chef-gcp-inspec') do + it { should exist } + end +``` + +## Properties + +Properties that can be accessed from the `google_compute_target_ssl_proxies` resource: + +See [google_compute_target_ssl_proxy](google_compute_target_ssl_proxy) for more detailed information. + + * `kinds`: an array of `google_compute_target_ssl_proxy` kind + * `ids`: an array of `google_compute_target_ssl_proxy` id + * `creation_timestamps`: an array of `google_compute_target_ssl_proxy` creation_timestamp + * `names`: an array of `google_compute_target_ssl_proxy` name + * `descriptions`: an array of `google_compute_target_ssl_proxy` description + * `self_links`: an array of `google_compute_target_ssl_proxy` self_link + * `services`: an array of `google_compute_target_ssl_proxy` service + * `ssl_certificates`: an array of `google_compute_target_ssl_proxy` ssl_certificates + * `certificate_maps`: an array of `google_compute_target_ssl_proxy` certificate_map + * `proxy_headers`: an array of `google_compute_target_ssl_proxy` proxy_header + * `ssl_policies`: an array of `google_compute_target_ssl_proxy` ssl_policy + +## Filter criteria + +This resource supports all of the above properties as filter criteria, which can be used +with `where` as a block or a method. + +## GCP permissions + +Ensure the [Compute Engine API](https://console.cloud.google.com/apis/library/compute.googleapis.com/) is enabled for the current project. 
diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_target_ssl_proxy.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_target_ssl_proxy.md new file mode 100644 index 0000000..ccd5c5a --- /dev/null +++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_target_ssl_proxy.md 
@@ -0,0 +1,70 @@ ++++ +title = "google_compute_target_ssl_proxy resource" + +draft = false + + +[menu.gcp] +title = "google_compute_target_ssl_proxy" +identifier = "inspec/resources/gcp/google_compute_target_ssl_proxy resource" +parent = "inspec/resources/gcp" ++++ + +Use the `google_compute_target_ssl_proxy` InSpec audit resource to to test a Google Cloud TargetSslProxy resource. + +## Examples + +```ruby +describe google_compute_target_ssl_proxy(project: 'chef-gcp-inspec', name: ' ') do + it { should exist } + its('kind') { should cmp 'value_kind' } + its('id') { should cmp 'value_id' } + its('creation_timestamp') { should cmp 'value_creationtimestamp' } + its('name') { should cmp 'value_name' } + its('description') { should cmp 'value_description' } + its('self_link') { should cmp 'value_selflink' } + its('service') { should cmp 'value_service' } + its('certificate_map') { should cmp 'value_certificatemap' } + its('proxy_header') { should cmp 'value_proxyheader' } + its('ssl_policy') { should cmp 'value_sslpolicy' } +end + +describe google_compute_target_ssl_proxy(project: 'chef-gcp-inspec', name: ' ') do + it { should_not exist } +end +``` + +## Properties + +Properties that can be accessed from the `google_compute_target_ssl_proxy` resource: + + + * `kind`: [Output Only] Type of the resource. Always compute#targetSslProxy for target SSL proxies. + + * `id`: [Output Only] The unique identifier for the resource. This identifier is defined by the server. + + * `creation_timestamp`: [Output Only] Creation timestamp in RFC3339 text format. + + * `name`: Name of the resource. Provided by the client when the resource is created. The name must be 1-63 characters long, and comply with RFC1035. 
Specifically, the name must be 1-63 characters long and match the regular expression `[a-z]([-a-z0-9]*[a-z0-9])?` which means the first character must be a lowercase letter, and all following characters must be a dash, lowercase letter, or digit, except the last character, which cannot be a dash. + + * `description`: An optional description of this resource. Provide this property when you create the resource. + + * `self_link`: [Output Only] Server-defined URL for the resource. + + * `service`: URL to the BackendService resource. + + * `ssl_certificates`: URLs to SslCertificate resources that are used to authenticate connections to Backends. At least one SSL certificate must be specified. Currently, you may specify up to 15 SSL certificates. sslCertificates do not apply when the load balancing scheme is set to INTERNAL_SELF_MANAGED. + + * `certificate_map`: URL of a certificate map that identifies a certificate map associated with the given target proxy. This field can only be set for global target proxies. If set, sslCertificates will be ignored. Accepted format is //certificatemanager.googleapis.com/projects/{project }/locations/{location}/certificateMaps/{resourceName}. + + * `proxy_header`: Specifies the type of proxy header to append before sending data to the backend, either NONE or PROXY_V1. The default is NONE. + Possible values: + * NONE + * PROXY_V1 + + * `ssl_policy`: URL of SslPolicy resource that will be associated with the TargetSslProxy resource. If not set, the TargetSslProxy resource will not have any SSL policy configured. + + +## GCP permissions + +Ensure the [Compute Engine API](https://console.cloud.google.com/apis/library/compute.googleapis.com/) is enabled for the current project. diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_target_tcp_proxies.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_target_tcp_proxies.md new file mode 100644 index 0000000..85b3b6a --- /dev/null 
+++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_target_tcp_proxies.md @@ -0,0 +1,50 @@ ++++ +title = "google_compute_target_tcp_proxies resource" + +draft = false + + +[menu.gcp] +title = "google_compute_target_tcp_proxies" +identifier = "inspec/resources/gcp/google_compute_target_tcp_proxies resource" +parent = "inspec/resources/gcp" ++++ + +## Syntax + +A `google_compute_target_tcp_proxies` is used to test a Google TargetTcpProxy resource + + +## Beta Resource +This resource has beta fields available. To retrieve these fields, include `beta: true` in the constructor for the resource. + +## Examples + +```ruby +describe google_compute_target_tcp_proxies(project: 'chef-gcp-inspec') do + its('names') { should include 'inspec-gcp-target-tcp-proxy' } + its('proxy_headers') { should include 'NONE' } +end +``` + +## Properties + +Properties that can be accessed from the `google_compute_target_tcp_proxies` resource: + +See [google_compute_target_tcp_proxy](google_compute_target_tcp_proxy) for more detailed information. + + * `creation_timestamps`: an array of `google_compute_target_tcp_proxy` creation_timestamp + * `descriptions`: an array of `google_compute_target_tcp_proxy` description + * `ids`: an array of `google_compute_target_tcp_proxy` id + * `names`: an array of `google_compute_target_tcp_proxy` name + * `proxy_headers`: an array of `google_compute_target_tcp_proxy` proxy_header + * `services`: an array of `google_compute_target_tcp_proxy` service + +## Filter criteria + +This resource supports all of the above properties as filter criteria, which can be used +with `where` as a block or a method. + +## GCP permissions + +Ensure the [Compute Engine API](https://console.cloud.google.com/apis/library/compute.googleapis.com/) is enabled for the current project. 
diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_target_tcp_proxy.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_target_tcp_proxy.md new file mode 100644 index 0000000..4580b87 --- /dev/null +++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_target_tcp_proxy.md 
@@ -0,0 +1,58 @@ ++++ +title = "google_compute_target_tcp_proxy resource" + +draft = false + + +[menu.gcp] +title = "google_compute_target_tcp_proxy" +identifier = "inspec/resources/gcp/google_compute_target_tcp_proxy resource" +parent = "inspec/resources/gcp" ++++ + +## Syntax + +A `google_compute_target_tcp_proxy` is used to test a Google TargetTcpProxy resource + + +## Beta Resource +This resource has beta fields available. To retrieve these fields, include `beta: true` in the constructor for the resource. + +## Examples + +```ruby +describe google_compute_target_tcp_proxy(project: 'chef-gcp-inspec', name: 'inspec-gcp-target-tcp-proxy') do + it { should exist } + its('proxy_header') { should eq 'NONE' } + its('service') { should match /\/gcp-inspec-tcp-backend-service$/ } +end + +describe google_compute_target_tcp_proxy(project: 'chef-gcp-inspec', name: 'nonexistent') do + it { should_not exist } +end +``` + +## Properties + +Properties that can be accessed from the `google_compute_target_tcp_proxy` resource: + + + * `creation_timestamp`: Creation timestamp in RFC3339 text format. + + * `description`: An optional description of this resource. + + * `id`: The unique identifier for the resource. + + * `name`: Name of the resource. Provided by the client when the resource is created. The name must be 1-63 characters long, and comply with RFC1035. Specifically, the name must be 1-63 characters long and match the regular expression `[a-z]([-a-z0-9]*[a-z0-9])?` which means the first character must be a lowercase letter, and all following characters must be a dash, lowercase letter, or digit, except the last character, which cannot be a dash. + + * `proxy_header`: Specifies the type of proxy header to append before sending data to the backend. + Possible values: + * NONE + * PROXY_V1 + + * `service`: A reference to the BackendService resource. 
+ + +## GCP permissions + +Ensure the [Compute Engine API](https://console.cloud.google.com/apis/library/compute.googleapis.com/) is enabled for the current project. diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_target_vpn_gateway.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_target_vpn_gateway.md new file mode 100644 index 0000000..8694037 --- /dev/null +++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_target_vpn_gateway.md 
@@ -0,0 +1,79 @@ ++++ +title = "google_compute_target_vpn_gateway resource" + +draft = false + + +[menu.gcp] +title = "google_compute_target_vpn_gateway" +identifier = "inspec/resources/gcp/google_compute_target_vpn_gateway resource" +parent = "inspec/resources/gcp" ++++ + +Use the `google_compute_target_vpn_gateway` InSpec audit resource to to test a Google Cloud TargetVpnGateway resource. + +## Examples + +```ruby +describe google_compute_target_vpn_gateway(project: 'chef-gcp-inspec', region: ' value_region', name: 'value_name') do + it { should exist } + its('kind') { should cmp 'value_kind' } + its('id') { should cmp 'value_id' } + its('creation_timestamp') { should cmp 'value_creationtimestamp' } + its('name') { should cmp 'value_name' } + its('description') { should cmp 'value_description' } + its('region') { should cmp 'value_region' } + its('network') { should cmp 'value_network' } + its('status') { should cmp 'value_status' } + its('self_link') { should cmp 'value_selflink' } + its('label_fingerprint') { should cmp 'value_labelfingerprint' } + +end + +describe google_compute_target_vpn_gateway(project: 'chef-gcp-inspec', region: ' value_region', name: 'value_name') do + it { should_not exist } +end +``` + +## Properties + +Properties that can be accessed from the `google_compute_target_vpn_gateway` resource: + + + * `kind`: [Output Only] Type of resource. Always compute#targetVpnGateway for target VPN gateways. + + * `id`: [Output Only] The unique identifier for the resource. This identifier is defined by the server. + + * `creation_timestamp`: [Output Only] Creation timestamp in RFC3339 text format. + + * `name`: Name of the resource. Provided by the client when the resource is created. The name must be 1-63 characters long, and comply with RFC1035. 
Specifically, the name must be 1-63 characters long and match the regular expression `[a-z]([-a-z0-9]*[a-z0-9])?` which means the first character must be a lowercase letter, and all following characters must be a dash, lowercase letter, or digit, except the last character, which cannot be a dash. + + * `description`: An optional description of this resource. Provide this property when you create the resource. + + * `region`: [Output Only] URL of the region where the target VPN gateway resides. You must specify this field as part of the HTTP request URL. It is not settable as a field in the request body. + + * `network`: URL of the network to which this VPN gateway is attached. Provided by the client when the VPN gateway is created. + + * `tunnels`: [Output Only] A list of URLs to VpnTunnel resources. VpnTunnels are created using the compute.vpntunnels.insert method and associated with a VPN gateway. + + * `status`: [Output Only] The status of the VPN gateway, which can be one of the following: CREATING, READY, FAILED, or DELETING. + Possible values: + * CREATING + * DELETING + * FAILED + * READY + + * `self_link`: [Output Only] Server-defined URL for the resource. + + * `forwarding_rules`: [Output Only] A list of URLs to the ForwardingRule resources. ForwardingRules are created using compute.forwardingRules.insert and associated with a VPN gateway. + + * `labels`: Labels for this resource. These can only be added or modified by the setLabels method. Each label key/value pair must comply with RFC1035. Label values may be empty. + + * `additional_properties`: + + * `label_fingerprint`: A fingerprint for the labels being applied to this TargetVpnGateway, which is essentially a hash of the labels set used for optimistic locking. The fingerprint is initially generated by Compute Engine and changes after every request to modify or update labels. 
You must always provide an up-to-date fingerprint hash in order to update or change labels, otherwise the request will fail with error 412 conditionNotMet. To see the latest fingerprint, make a get() request to retrieve a TargetVpnGateway. + + +## GCP permissions + +Ensure the [Compute Engine API](https://console.cloud.google.com/apis/library/compute.googleapis.com/) is enabled for the current project. diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_target_vpn_gateways.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_target_vpn_gateways.md new file mode 100644 index 0000000..7c0bfb2 --- /dev/null +++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_target_vpn_gateways.md 
@@ -0,0 +1,50 @@ ++++ +title = "google_compute_target_vpn_gateways resource" + +draft = false + + +[menu.gcp] +title = "google_compute_target_vpn_gateways" +identifier = "inspec/resources/gcp/google_compute_target_vpn_gateways resource" +parent = "inspec/resources/gcp" ++++ + +Use the `google_compute_target_vpn_gateways` InSpec audit resource to to test a Google Cloud TargetVpnGateway resource. + +## Examples + +```ruby + describe google_compute_target_vpn_gateways(project: 'chef-gcp-inspec', region: ' value_region') do + it { should exist } + end +``` + +## Properties + +Properties that can be accessed from the `google_compute_target_vpn_gateways` resource: + +See [google_compute_target_vpn_gateway](google_compute_target_vpn_gateway) for more detailed information. + + * `kinds`: an array of `google_compute_target_vpn_gateway` kind + * `ids`: an array of `google_compute_target_vpn_gateway` id + * `creation_timestamps`: an array of `google_compute_target_vpn_gateway` creation_timestamp + * `names`: an array of `google_compute_target_vpn_gateway` name + * `descriptions`: an array of `google_compute_target_vpn_gateway` description + * `regions`: an array of `google_compute_target_vpn_gateway` region + * `networks`: an array of `google_compute_target_vpn_gateway` network + * `tunnels`: an array of `google_compute_target_vpn_gateway` tunnels + * `statuses`: an array of `google_compute_target_vpn_gateway` status + * `self_links`: an array of `google_compute_target_vpn_gateway` self_link + * `forwarding_rules`: an array of `google_compute_target_vpn_gateway` forwarding_rules + * `labels`: an array of `google_compute_target_vpn_gateway` labels + * `label_fingerprints`: an array of `google_compute_target_vpn_gateway` label_fingerprint + +## Filter criteria + +This resource supports all of the above properties as filter criteria, which can be used +with `where` as a block or a method. 
+ +## GCP permissions + +Ensure the [Compute Engine API](https://console.cloud.google.com/apis/library/compute.googleapis.com/) is enabled for the current project. diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_url_map.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_url_map.md new file mode 100644 index 0000000..b1cd2e2 --- /dev/null +++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_url_map.md 
@@ -0,0 +1,332 @@ ++++ +title = "google_compute_url_map resource" + +draft = false + + +[menu.gcp] +title = "google_compute_url_map" +identifier = "inspec/resources/gcp/google_compute_url_map resource" +parent = "inspec/resources/gcp" ++++ + +## Syntax + +A `google_compute_url_map` is used to test a Google UrlMap resource + + +## Beta Resource +This resource has beta fields available. To retrieve these fields, include `beta: true` in the constructor for the resource. + +## Examples + +```ruby +describe google_compute_url_map(project: 'chef-gcp-inspec', name: 'inspec-gcp-url-map') do + it { should exist } + its('description') { should eq 'URL map description' } + its('default_service') { should match /\/inspec-gcp-backend-service$/ } + its('host_rules.count') { should eq 1 } + its('host_rules.first.hosts') { should include 'site.com' } + its('path_matchers.count') { should eq 1 } + its('path_matchers.first.default_service') { should match /\/inspec-gcp-backend-service$/ } + its('tests.count') { should eq 1 } + its('tests.first.host') { should eq 'test.com' } + its('tests.first.path') { should eq '/home' } +end + +describe google_compute_url_map(project: 'chef-gcp-inspec', name: 'nonexistent') do + it { should_not exist } +end +``` + +## Properties + +Properties that can be accessed from the `google_compute_url_map` resource: + + + * `creation_timestamp`: Creation timestamp in RFC3339 text format. + + * `default_service`: The full or partial URL of the defaultService resource to which traffic is directed if none of the hostRules match. If defaultRouteAction is additionally specified, advanced routing actions like URL Rewrites, etc. take effect prior to sending the request to the backend. However, if defaultService is specified, defaultRouteAction cannot contain any weightedBackendServices. Conversely, if routeAction specifies any weightedBackendServices, service must not be specified. 
Only one of defaultService, defaultUrlRedirect or defaultRouteAction.weightedBackendService must be set. + + * `description`: An optional description of this resource. Provide this property when you create the resource. + + * `id`: The unique identifier for the resource. + + * `fingerprint`: Fingerprint of this resource. A hash of the contents stored in this object. This field is used in optimistic locking. + + * `header_action`: Specifies changes to request and response headers that need to take effect for the selected backendService. The headerAction specified here take effect after headerAction specified under pathMatcher. + + * `request_headers_to_add`: Headers to add to a matching request prior to forwarding the request to the backendService. + + * `header_name`: The name of the header. + + * `header_value`: The value of the header to add. + + * `replace`: If false, headerValue is appended to any values that already exist for the header. If true, headerValue is set for the header, discarding any values that were set for that header. + + * `request_headers_to_remove`: A list of header names for headers that need to be removed from the request prior to forwarding the request to the backendService. + + * `response_headers_to_add`: Headers to add the response prior to sending the response back to the client. + + * `header_name`: The name of the header. + + * `header_value`: The value of the header to add. + + * `replace`: If false, headerValue is appended to any values that already exist for the header. If true, headerValue is set for the header, discarding any values that were set for that header. + + * `response_headers_to_remove`: A list of header names for headers that need to be removed from the response prior to sending the response back to the client. + + * `host_rules`: The list of HostRules to use against the URL. + + * `description`: An optional description of this resource. Provide this property when you create the resource. 
+ + * `hosts`: The list of host patterns to match. They must be valid hostnames, except * will match any string of ([a-z0-9-.]*). In that case, * must be the first character and must be followed in the pattern by either - or .. + + * `path_matcher`: The name of the PathMatcher to use to match the path portion of the URL if the hostRule matches the URL's host portion. + + * `name`: Name of the resource. Provided by the client when the resource is created. The name must be 1-63 characters long, and comply with RFC1035. Specifically, the name must be 1-63 characters long and match the regular expression `[a-z]([-a-z0-9]*[a-z0-9])?` which means the first character must be a lowercase letter, and all following characters must be a dash, lowercase letter, or digit, except the last character, which cannot be a dash. + + * `path_matchers`: The list of named PathMatchers to use against the URL. + + * `default_service`: The full or partial URL to the BackendService resource. This will be used if none of the pathRules or routeRules defined by this PathMatcher are matched. For example, the following are all valid URLs to a BackendService resource: - https://www.googleapis.com/compute/v1/projects/project/global/backendServices/backendService - compute/v1/projects/project/global/backendServices/backendService - global/backendServices/backendService If defaultRouteAction is additionally specified, advanced routing actions like URL Rewrites, etc. take effect prior to sending the request to the backend. However, if defaultService is specified, defaultRouteAction cannot contain any weightedBackendServices. Conversely, if defaultRouteAction specifies any weightedBackendServices, defaultService must not be specified. Only one of defaultService, defaultUrlRedirect or defaultRouteAction.weightedBackendService must be set. 
Authorization requires one or more of the following Google IAM permissions on the specified resource defaultService: - compute.backendBuckets.use - compute.backendServices.use + + * `description`: An optional description of this resource. Provide this property when you create the resource. + + * `header_action`: Specifies changes to request and response headers that need to take effect for the selected backendService. HeaderAction specified here are applied after the matching HttpRouteRule HeaderAction and before the HeaderAction in the UrlMap + + * `request_headers_to_add`: Headers to add to a matching request prior to forwarding the request to the backendService. + + * `header_name`: The name of the header. + + * `header_value`: The value of the header to add. + + * `replace`: If false, headerValue is appended to any values that already exist for the header. If true, headerValue is set for the header, discarding any values that were set for that header. + + * `request_headers_to_remove`: A list of header names for headers that need to be removed from the request prior to forwarding the request to the backendService. + + * `response_headers_to_add`: Headers to add the response prior to sending the response back to the client. + + * `header_name`: The name of the header. + + * `header_value`: The value of the header to add. + + * `replace`: If false, headerValue is appended to any values that already exist for the header. If true, headerValue is set for the header, discarding any values that were set for that header. + + * `response_headers_to_remove`: A list of header names for headers that need to be removed from the response prior to sending the response back to the client. + + * `name`: The name to which this PathMatcher is referred by the HostRule. + + * `default_url_redirect`: When none of the specified hostRules match, the request is redirected to a URL specified by defaultUrlRedirect. 
If defaultUrlRedirect is specified, defaultService or defaultRouteAction must not be set. + + * `host_redirect`: The host that will be used in the redirect response instead of the one that was supplied in the request. The value must be between 1 and 255 characters. + + * `https_redirect`: If set to true, the URL scheme in the redirected request is set to https. If set to false, the URL scheme of the redirected request will remain the same as that of the request. This must only be set for UrlMaps used in TargetHttpProxys. Setting this true for TargetHttpsProxy is not permitted. The default is set to false. + + * `path_redirect`: The path that will be used in the redirect response instead of the one that was supplied in the request. pathRedirect cannot be supplied together with prefixRedirect. Supply one alone or neither. If neither is supplied, the path of the original request will be used for the redirect. The value must be between 1 and 1024 characters. + + * `prefix_redirect`: The prefix that replaces the prefixMatch specified in the HttpRouteRuleMatch, retaining the remaining portion of the URL before redirecting the request. prefixRedirect cannot be supplied together with pathRedirect. Supply one alone or neither. If neither is supplied, the path of the original request will be used for the redirect. The value must be between 1 and 1024 characters. + + * `redirect_response_code`: The HTTP Status code to use for this RedirectAction. Supported values are: * MOVED_PERMANENTLY_DEFAULT, which is the default value and corresponds to 301. * FOUND, which corresponds to 302. * SEE_OTHER which corresponds to 303. * TEMPORARY_REDIRECT, which corresponds to 307. In this case, the request method will be retained. * PERMANENT_REDIRECT, which corresponds to 308. In this case, the request method will be retained. 
+ Possible values: + * FOUND + * MOVED_PERMANENTLY_DEFAULT + * PERMANENT_REDIRECT + * SEE_OTHER + * TEMPORARY_REDIRECT + + * `strip_query`: If set to true, any accompanying query portion of the original URL is removed prior to redirecting the request. If set to false, the query portion of the original URL is retained. + + * `default_route_action`: defaultRouteAction takes effect when none of the pathRules or routeRules match. The load balancer performs advanced routing actions like URL rewrites, header transformations, etc. prior to forwarding the request to the selected backend. If defaultRouteAction specifies any weightedBackendServices, defaultService must not be set. Conversely if defaultService is set, defaultRouteAction cannot contain any weightedBackendServices. Only one of defaultRouteAction or defaultUrlRedirect must be set. + + * `url_rewrite`: The spec to modify the URL of the request, prior to forwarding the request to the matched service. + + * `path_prefix_rewrite`: Prior to forwarding the request to the selected backend service, the matching portion of the request's path is replaced by pathPrefixRewrite. The value must be between 1 and 1024 characters. + + * `host_rewrite`: Prior to forwarding the request to the selected service, the request's host header is replaced with contents of hostRewrite. The value must be between 1 and 255 characters. + + * `timeout`: Specifies the timeout for the selected route. Timeout is computed from the time the request has been fully processed (i.e. end-of-stream) up until the response has been completely processed. Timeout includes all retries. If not specified, will use the largest timeout among all backend services associated with the route. + + * `seconds`: Span of time at a resolution of a second. Must be from 0 to 315,576,000,000 inclusive. 
Note: these bounds are computed from: 60 sec/min * 60 min/hr * 24 hr/day * 365.25 days/year * 10000 years + + * `nanos`: Span of time that's a fraction of a second at nanosecond resolution. Durations less than one second are represented with a 0 seconds field and a positive nanos field. Must be from 0 to 999,999,999 inclusive. + + * `retry_policy`: Specifies the retry policy associated with this route. + + * `retry_conditions`: Specfies one or more conditions when this retry rule applies. Valid values are: * 5xx: Loadbalancer will attempt a retry if the backend service responds with any 5xx response code, or if the backend service does not respond at all, example: disconnects, reset, read timeout, * connection failure, and refused streams. * gateway-error: Similar to 5xx, but only applies to response codes 502, 503 or 504. * connect-failure: Loadbalancer will retry on failures connecting to backend services, for example due to connection timeouts. * retriable-4xx: Loadbalancer will retry for retriable 4xx response codes. Currently the only retriable error supported is 409. * refused-stream:Loadbalancer will retry if the backend service resets the stream with a REFUSED_STREAM error code. This reset type indicates that it is safe to retry. * cancelled: Loadbalancer will retry if the gRPC status code in the response header is set to cancelled * deadline-exceeded: Loadbalancer will retry if the gRPC status code in the response header is set to deadline-exceeded * resource-exhausted: Loadbalancer will retry if the gRPC status code in the response header is set to resource-exhausted * unavailable: Loadbalancer will retry if the gRPC status code in the response header is set to unavailable + + * `num_retries`: Specifies the allowed number retries. This number must be > 0. If not specified, defaults to 1. + + * `per_try_timeout`: Specifies a non-zero timeout per retry attempt. If not specified, will use the timeout set in HttpRouteAction. 
If timeout in HttpRouteAction is not set, will use the largest timeout among all backend services associated with the route. + + * `seconds`: Span of time at a resolution of a second. Must be from 0 to 315,576,000,000 inclusive. Note: these bounds are computed from: 60 sec/min * 60 min/hr * 24 hr/day * 365.25 days/year * 10000 years + + * `nanos`: Span of time that's a fraction of a second at nanosecond resolution. Durations less than one second are represented with a 0 seconds field and a positive nanos field. Must be from 0 to 999,999,999 inclusive. + + * `request_mirror_policy`: Specifies the policy on how requests intended for the route's backends are shadowed to a separate mirrored backend service. Loadbalancer does not wait for responses from the shadow service. Prior to sending traffic to the shadow service, the host / authority header is suffixed with -shadow. + + * `backend_service`: The full or partial URL to the BackendService resource being mirrored to. + + * `cors_policy`: The specification for allowing client side cross-origin requests. Please see [W3C Recommendation for Cross Origin Resource Sharing](https://www.w3.org/TR/cors/) + + * `allow_origins`: Specifies the list of origins that will be allowed to do CORS requests. An origin is allowed if it matches either an item in allowOrigins or an item in allowOriginRegexes. + + * `allow_origin_regexes`: Specifies the regular expression patterns that match allowed origins. For regular expression grammar please see en.cppreference.com/w/cpp/regex/ecmascript An origin is allowed if it matches either an item in allowOrigins or an item in allowOriginRegexes. + + * `allow_methods`: Specifies the content for the Access-Control-Allow-Methods header. + + * `allow_headers`: Specifies the content for the Access-Control-Allow-Headers header. + + * `expose_headers`: Specifies the content for the Access-Control-Expose-Headers header. 
+ + * `max_age`: Specifies how long results of a preflight request can be cached in seconds. This translates to the Access-Control-Max-Age header. + + * `allow_credentials`: In response to a preflight request, setting this to true indicates that the actual request can include user credentials. This translates to the Access-Control-Allow-Credentials header. + + * `disabled`: If true, specifies the CORS policy is disabled. The default value is false, which indicates that the CORS policy is in effect. + + * `fault_injection_policy`: The specification for fault injection introduced into traffic to test the resiliency of clients to backend service failure. As part of fault injection, when clients send requests to a backend service, delays can be introduced by Loadbalancer on a percentage of requests before sending those request to the backend service. Similarly requests from clients can be aborted by the Loadbalancer for a percentage of requests. timeout and retryPolicy will be ignored by clients that are configured with a faultInjectionPolicy. + + * `delay`: The specification for how client requests are delayed as part of fault injection, before being sent to a backend service. + + * `fixed_delay`: Specifies the value of the fixed delay interval. + + * `seconds`: Span of time at a resolution of a second. Must be from 0 to 315,576,000,000 inclusive. Note: these bounds are computed from: 60 sec/min * 60 min/hr * 24 hr/day * 365.25 days/year * 10000 years + + * `nanos`: Span of time that's a fraction of a second at nanosecond resolution. Durations less than one second are represented with a 0 seconds field and a positive nanos field. Must be from 0 to 999,999,999 inclusive. + + * `percentage`: The percentage of traffic (connections/operations/requests) on which delay will be introduced as part of fault injection. The value must be between 0.0 and 100.0 inclusive. + + * `abort`: The specification for how client requests are aborted as part of fault injection. 
+ + * `http_status`: The HTTP status code used to abort the request. The value must be between 200 and 599 inclusive. + + * `percentage`: The percentage of traffic (connections/operations/requests) which will be aborted as part of fault injection. The value must be between 0.0 and 100.0 inclusive. + + * `tests`: The list of expected URL mapping tests. Request to update this UrlMap will succeed only if all of the test cases pass. You can specify a maximum of 100 tests per UrlMap. + + * `description`: Description of this test case. + + * `host`: Host portion of the URL. + + * `path`: Path portion of the URL. + + * `service`: Expected BackendService resource the given URL should be mapped to. + + * `default_url_redirect`: When none of the specified hostRules match, the request is redirected to a URL specified by defaultUrlRedirect. If defaultUrlRedirect is specified, defaultService or defaultRouteAction must not be set. + + * `host_redirect`: The host that will be used in the redirect response instead of the one that was supplied in the request. The value must be between 1 and 255 characters. + + * `https_redirect`: If set to true, the URL scheme in the redirected request is set to https. If set to false, the URL scheme of the redirected request will remain the same as that of the request. This must only be set for UrlMaps used in TargetHttpProxys. Setting this true for TargetHttpsProxy is not permitted. The default is set to false. + + * `path_redirect`: The path that will be used in the redirect response instead of the one that was supplied in the request. pathRedirect cannot be supplied together with prefixRedirect. Supply one alone or neither. If neither is supplied, the path of the original request will be used for the redirect. The value must be between 1 and 1024 characters. + + * `prefix_redirect`: The prefix that replaces the prefixMatch specified in the HttpRouteRuleMatch, retaining the remaining portion of the URL before redirecting the request. 
prefixRedirect cannot be supplied together with pathRedirect. Supply one alone or neither. If neither is supplied, the path of the original request will be used for the redirect. The value must be between 1 and 1024 characters. + + * `redirect_response_code`: The HTTP Status code to use for this RedirectAction. Supported values are: * MOVED_PERMANENTLY_DEFAULT, which is the default value and corresponds to 301. * FOUND, which corresponds to 302. * SEE_OTHER which corresponds to 303. * TEMPORARY_REDIRECT, which corresponds to 307. In this case, the request method will be retained. * PERMANENT_REDIRECT, which corresponds to 308. In this case, the request method will be retained. + Possible values: + * FOUND + * MOVED_PERMANENTLY_DEFAULT + * PERMANENT_REDIRECT + * SEE_OTHER + * TEMPORARY_REDIRECT + + * `strip_query`: If set to true, any accompanying query portion of the original URL is removed prior to redirecting the request. If set to false, the query portion of the original URL is retained. The default is set to false. + + * `default_route_action`: defaultRouteAction takes effect when none of the hostRules match. The load balancer performs advanced routing actions like URL rewrites, header transformations, etc. prior to forwarding the request to the selected backend. If defaultRouteAction specifies any weightedBackendServices, defaultService must not be set. Conversely if defaultService is set, defaultRouteAction cannot contain any weightedBackendServices. Only one of defaultRouteAction or defaultUrlRedirect must be set. + + * `weighted_backend_services`: A list of weighted backend services to send traffic to when a route match occurs. The weights determine the fraction of traffic that flows to their corresponding backend service. If all traffic needs to go to a single backend service, there must be one weightedBackendService with weight set to a non 0 number. 
Once a backendService is identified and before forwarding the request to the backend service, advanced routing actions like Url rewrites and header transformations are applied depending on additional settings specified in this HttpRouteAction. + + * `backend_service`: The full or partial URL to the default BackendService resource. Before forwarding the request to backendService, the loadbalancer applies any relevant headerActions specified as part of this backendServiceWeight. + + * `weight`: Specifies the fraction of traffic sent to backendService, computed as weight / (sum of all weightedBackendService weights in routeAction) . The selection of a backend service is determined only for new traffic. Once a user's request has been directed to a backendService, subsequent requests will be sent to the same backendService as determined by the BackendService's session affinity policy. The value must be between 0 and 1000 + + * `header_action`: Specifies changes to request and response headers that need to take effect for the selected backendService. headerAction specified here take effect before headerAction in the enclosing HttpRouteRule, PathMatcher and UrlMap. + + * `request_headers_to_remove`: A list of header names for headers that need to be removed from the request prior to forwarding the request to the backendService. + + * `request_headers_to_add`: Headers to add to a matching request prior to forwarding the request to the backendService. + + * `header_name`: The name of the header to add. + + * `header_value`: The value of the header to add. + + * `replace`: If false, headerValue is appended to any values that already exist for the header. If true, headerValue is set for the header, discarding any values that were set for that header. + + * `response_headers_to_remove`: A list of header names for headers that need to be removed from the response prior to sending the response back to the client. 
+ + * `response_headers_to_add`: Headers to add the response prior to sending the response back to the client. + + * `header_name`: The name of the header to add. + + * `header_value`: The value of the header to add. + + * `replace`: If false, headerValue is appended to any values that already exist for the header. If true, headerValue is set for the header, discarding any values that were set for that header. + + * `url_rewrite`: The spec to modify the URL of the request, prior to forwarding the request to the matched service. + + * `path_prefix_rewrite`: Prior to forwarding the request to the selected backend service, the matching portion of the request's path is replaced by pathPrefixRewrite. The value must be between 1 and 1024 characters. + + * `host_rewrite`: Prior to forwarding the request to the selected service, the request's host header is replaced with contents of hostRewrite. The value must be between 1 and 255 characters. + + * `timeout`: Specifies the timeout for the selected route. Timeout is computed from the time the request has been fully processed (i.e. end-of-stream) up until the response has been completely processed. Timeout includes all retries. If not specified, will use the largest timeout among all backend services associated with the route. + + * `seconds`: Span of time at a resolution of a second. Must be from 0 to 315,576,000,000 inclusive. Note: these bounds are computed from: 60 sec/min * 60 min/hr * 24 hr/day * 365.25 days/year * 10000 years + + * `nanos`: Span of time that's a fraction of a second at nanosecond resolution. Durations less than one second are represented with a 0 seconds field and a positive nanos field. Must be from 0 to 999,999,999 inclusive. + + * `retry_policy`: Specifies the retry policy associated with this route. + + * `retry_conditions`: Specfies one or more conditions when this retry rule applies. 
Valid values are: * 5xx: Loadbalancer will attempt a retry if the backend service responds with any 5xx response code, or if the backend service does not respond at all, example: disconnects, reset, read timeout, * connection failure, and refused streams. * gateway-error: Similar to 5xx, but only applies to response codes 502, 503 or 504. * connect-failure: Loadbalancer will retry on failures connecting to backend services, for example due to connection timeouts. * retriable-4xx: Loadbalancer will retry for retriable 4xx response codes. Currently the only retriable error supported is 409. * refused-stream:Loadbalancer will retry if the backend service resets the stream with a REFUSED_STREAM error code. This reset type indicates that it is safe to retry. * cancelled: Loadbalancer will retry if the gRPC status code in the response header is set to cancelled * deadline-exceeded: Loadbalancer will retry if the gRPC status code in the response header is set to deadline-exceeded * resource-exhausted: Loadbalancer will retry if the gRPC status code in the response header is set to resource-exhausted * unavailable: Loadbalancer will retry if the gRPC status code in the response header is set to unavailable + + * `num_retries`: Specifies the allowed number retries. This number must be > 0. If not specified, defaults to 1. + + * `per_try_timeout`: Specifies a non-zero timeout per retry attempt. If not specified, will use the timeout set in HttpRouteAction. If timeout in HttpRouteAction is not set, will use the largest timeout among all backend services associated with the route. + + * `seconds`: Span of time at a resolution of a second. Must be from 0 to 315,576,000,000 inclusive. Note: these bounds are computed from: 60 sec/min * 60 min/hr * 24 hr/day * 365.25 days/year * 10000 years + + * `nanos`: Span of time that's a fraction of a second at nanosecond resolution. Durations less than one second are represented with a 0 seconds field and a positive nanos field. 
Must be from 0 to 999,999,999 inclusive. + + * `request_mirror_policy`: Specifies the policy on how requests intended for the route's backends are shadowed to a separate mirrored backend service. Loadbalancer does not wait for responses from the shadow service. Prior to sending traffic to the shadow service, the host / authority header is suffixed with -shadow. + + * `backend_service`: The full or partial URL to the BackendService resource being mirrored to. + + * `cors_policy`: The specification for allowing client side cross-origin requests. Please see [W3C Recommendation for Cross Origin Resource Sharing](https://www.w3.org/TR/cors/) + + * `allow_origins`: Specifies the list of origins that will be allowed to do CORS requests. An origin is allowed if it matches either an item in allowOrigins or an item in allowOriginRegexes. + + * `allow_origin_regexes`: Specifies the regular expression patterns that match allowed origins. For regular expression grammar please see en.cppreference.com/w/cpp/regex/ecmascript An origin is allowed if it matches either an item in allowOrigins or an item in allowOriginRegexes. + + * `allow_methods`: Specifies the content for the Access-Control-Allow-Methods header. + + * `allow_headers`: Specifies the content for the Access-Control-Allow-Headers header. + + * `expose_headers`: Specifies the content for the Access-Control-Expose-Headers header. + + * `max_age`: Specifies how long results of a preflight request can be cached in seconds. This translates to the Access-Control-Max-Age header. + + * `allow_credentials`: In response to a preflight request, setting this to true indicates that the actual request can include user credentials. This translates to the Access-Control-Allow-Credentials header. + + * `disabled`: If true, specifies the CORS policy is disabled. The default value is false, which indicates that the CORS policy is in effect. 
+ + * `fault_injection_policy`: The specification for fault injection introduced into traffic to test the resiliency of clients to backend service failure. As part of fault injection, when clients send requests to a backend service, delays can be introduced by Loadbalancer on a percentage of requests before sending those request to the backend service. Similarly requests from clients can be aborted by the Loadbalancer for a percentage of requests. timeout and retryPolicy will be ignored by clients that are configured with a faultInjectionPolicy. + + * `delay`: The specification for how client requests are delayed as part of fault injection, before being sent to a backend service. + + * `fixed_delay`: Specifies the value of the fixed delay interval. + + * `seconds`: Span of time at a resolution of a second. Must be from 0 to 315,576,000,000 inclusive. Note: these bounds are computed from: 60 sec/min * 60 min/hr * 24 hr/day * 365.25 days/year * 10000 years + + * `nanos`: Span of time that's a fraction of a second at nanosecond resolution. Durations less than one second are represented with a 0 seconds field and a positive nanos field. Must be from 0 to 999,999,999 inclusive. + + * `percentage`: The percentage of traffic (connections/operations/requests) on which delay will be introduced as part of fault injection. The value must be between 0.0 and 100.0 inclusive. + + * `abort`: The specification for how client requests are aborted as part of fault injection. + + * `http_status`: The HTTP status code used to abort the request. The value must be between 200 and 599 inclusive. + + * `percentage`: The percentage of traffic (connections/operations/requests) which will be aborted as part of fault injection. The value must be between 0.0 and 100.0 inclusive. + + +## GCP permissions + +Ensure the [Compute Engine API](https://console.cloud.google.com/apis/library/compute.googleapis.com/) is enabled for the current project. 
diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_url_maps.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_url_maps.md new file mode 100644 index 0000000..46c9b27 --- /dev/null +++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_url_maps.md 
@@ -0,0 +1,55 @@
++++
+title = "google_compute_url_maps resource"
+
+draft = false
+
+
+[menu.gcp]
+title = "google_compute_url_maps"
+identifier = "inspec/resources/gcp/google_compute_url_maps resource"
+parent = "inspec/resources/gcp"
++++
+
+## Syntax
+
+A `google_compute_url_maps` is used to test a Google UrlMap resource
+
+
+## Beta Resource
+This resource has beta fields available. To retrieve these fields, include `beta: true` in the constructor for the resource.
+
+## Examples
+
+```ruby
+describe google_compute_url_maps(project: 'chef-gcp-inspec') do
+ its('names') { should include 'inspec-gcp-url-map' }
+end
+```
+
+## Properties
+
+Properties that can be accessed from the `google_compute_url_maps` resource:
+
+See [google_compute_url_map](google_compute_url_map) for more detailed information.
+
+ * `creation_timestamps`: an array of `google_compute_url_map` creation_timestamp
+ * `default_services`: an array of `google_compute_url_map` default_service
+ * `descriptions`: an array of `google_compute_url_map` description
+ * `ids`: an array of `google_compute_url_map` id
+ * `fingerprints`: an array of `google_compute_url_map` fingerprint
+ * `header_actions`: an array of `google_compute_url_map` header_action
+ * `host_rules`: an array of `google_compute_url_map` host_rules
+ * `names`: an array of `google_compute_url_map` name
+ * `path_matchers`: an array of `google_compute_url_map` path_matchers
+ * `tests`: an array of `google_compute_url_map` tests
+ * `default_url_redirects`: an array of `google_compute_url_map` default_url_redirect
+ * `default_route_actions`: an array of `google_compute_url_map` default_route_action
+
+## Filter criteria
+
+This resource supports all of the above properties as filter criteria, which can be used
+with `where` as a block or a method.
+
+## GCP permissions
+
+Ensure the [Compute Engine API](https://console.cloud.google.com/apis/library/compute.googleapis.com/) is enabled for the current project.
diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_vpn_gateway.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_vpn_gateway.md
new file mode 100644
index 0000000..bfe8f48
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_vpn_gateway.md
@@ -0,0 +1,81 @@
++++
+title = "google_compute_vpn_gateway resource"
+
+draft = false
+
+
+[menu.gcp]
+title = "google_compute_vpn_gateway"
+identifier = "inspec/resources/gcp/google_compute_vpn_gateway resource"
+parent = "inspec/resources/gcp"
++++
+
+Use the `google_compute_vpn_gateway` InSpec audit resource to to test a Google Cloud VpnGateway resource.
+
+## Examples
+
+```ruby
+describe google_compute_vpn_gateway(project: 'chef-gcp-inspec', region: ' value_region', vpnGateway: ' ') do
+ it { should exist }
+ its('kind') { should cmp 'value_kind' }
+ its('id') { should cmp 'value_id' }
+ its('creation_timestamp') { should cmp 'value_creationtimestamp' }
+ its('name') { should cmp 'value_name' }
+ its('description') { should cmp 'value_description' }
+ its('region') { should cmp 'value_region' }
+ its('network') { should cmp 'value_network' }
+ its('self_link') { should cmp 'value_selflink' }
+ its('label_fingerprint') { should cmp 'value_labelfingerprint' }
+ its('stack_type') { should cmp 'value_stacktype' }
+
+end
+
+describe google_compute_vpn_gateway(project: 'chef-gcp-inspec', region: ' value_region', vpnGateway: ' ') do
+ it { should_not exist }
+end
+```
+
+## Properties
+
+Properties that can be accessed from the `google_compute_vpn_gateway` resource:
+
+
+ * `kind`: [Output Only] Type of resource. Always compute#vpnGateway for VPN gateways.
+
+ * `id`: [Output Only] The unique identifier for the resource. This identifier is defined by the server.
+
+ * `creation_timestamp`: [Output Only] Creation timestamp in RFC3339 text format.
+
+ * `name`: Name of the resource. Provided by the client when the resource is created. The name must be 1-63 characters long, and comply with RFC1035. Specifically, the name must be 1-63 characters long and match the regular expression `[a-z]([-a-z0-9]*[a-z0-9])?` which means the first character must be a lowercase letter, and all following characters must be a dash, lowercase letter, or digit, except the last character, which cannot be a dash.
+
+ * `description`: An optional description of this resource. Provide this property when you create the resource.
+
+ * `region`: [Output Only] URL of the region where the VPN gateway resides.
+
+ * `network`: URL of the network to which this VPN gateway is attached. Provided by the client when the VPN gateway is created.
+
+ * `self_link`: [Output Only] Server-defined URL for the resource.
+
+ * `labels`: Labels for this resource. These can only be added or modified by the setLabels method. Each label key/value pair must comply with RFC1035. Label values may be empty.
+
+ * `additional_properties`:
+
+ * `label_fingerprint`: A fingerprint for the labels being applied to this VpnGateway, which is essentially a hash of the labels set used for optimistic locking. The fingerprint is initially generated by Compute Engine and changes after every request to modify or update labels. You must always provide an up-to-date fingerprint hash in order to update or change labels, otherwise the request will fail with error 412 conditionNotMet. To see the latest fingerprint, make a get() request to retrieve a VpnGateway.
+
+ * `vpn_interfaces`: The list of VPN interfaces associated with this VPN gateway.
+
+ * `id`: [Output Only] Numeric identifier for this VPN interface associated with the VPN gateway.
+
+ * `ip_address`: [Output Only] IP address for this VPN interface associated with the VPN gateway. The IP address could be either a regional external IP address or a regional internal IP address. The two IP addresses for a VPN gateway must be all regional external or regional internal IP addresses. There cannot be a mix of regional external IP addresses and regional internal IP addresses. For HA VPN over Cloud Interconnect, the IP addresses for both interfaces could either be regional internal IP addresses or regional external IP addresses. For regular (non HA VPN over Cloud Interconnect) HA VPN tunnels, the IP address must be a regional external IP address.
+
+ * `interconnect_attachment`: URL of the VLAN attachment (interconnectAttachment) resource for this VPN gateway interface. When the value of this field is present, the VPN gateway is used for HA VPN over Cloud Interconnect; all egress or ingress traffic for this VPN gateway interface goes through the specified VLAN attachment resource.
+
+ * `stack_type`: The stack type for this VPN gateway to identify the IP protocols that are enabled. Possible values are: IPV4_ONLY, IPV4_IPV6. If not specified, IPV4_ONLY will be used.
+ Possible values:
+ * IPV4_IPV6
+ * IPV4_ONLY
+
+
+## GCP permissions
+
+Ensure the [Compute Engine API](https://console.cloud.google.com/apis/library/compute.googleapis.com/) is enabled for the current project.
diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_vpn_gateways.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_vpn_gateways.md
new file mode 100644
index 0000000..adfd745
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_vpn_gateways.md
@@ -0,0 +1,49 @@
++++
+title = "google_compute_vpn_gateways resource"
+
+draft = false
+
+
+[menu.gcp]
+title = "google_compute_vpn_gateways"
+identifier = "inspec/resources/gcp/google_compute_vpn_gateways resource"
+parent = "inspec/resources/gcp"
++++
+
+Use the `google_compute_vpn_gateways` InSpec audit resource to to test a Google Cloud VpnGateway resource.
+
+## Examples
+
+```ruby
+ describe google_compute_vpn_gateways(project: 'chef-gcp-inspec', region: ' value_region') do
+ it { should exist }
+ end
+```
+
+## Properties
+
+Properties that can be accessed from the `google_compute_vpn_gateways` resource:
+
+See [google_compute_vpn_gateway](google_compute_vpn_gateway) for more detailed information.
+
+ * `kinds`: an array of `google_compute_vpn_gateway` kind
+ * `ids`: an array of `google_compute_vpn_gateway` id
+ * `creation_timestamps`: an array of `google_compute_vpn_gateway` creation_timestamp
+ * `names`: an array of `google_compute_vpn_gateway` name
+ * `descriptions`: an array of `google_compute_vpn_gateway` description
+ * `regions`: an array of `google_compute_vpn_gateway` region
+ * `networks`: an array of `google_compute_vpn_gateway` network
+ * `self_links`: an array of `google_compute_vpn_gateway` self_link
+ * `labels`: an array of `google_compute_vpn_gateway` labels
+ * `label_fingerprints`: an array of `google_compute_vpn_gateway` label_fingerprint
+ * `vpn_interfaces`: an array of `google_compute_vpn_gateway` vpn_interfaces
+ * `stack_types`: an array of `google_compute_vpn_gateway` stack_type
+
+## Filter criteria
+
+This resource supports all of the above properties as filter criteria, which can be used
+with `where` as a block or a method.
+
+## GCP permissions
+
+Ensure the [Compute Engine API](https://console.cloud.google.com/apis/library/compute.googleapis.com/) is enabled for the current project.
diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_vpn_tunnel.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_vpn_tunnel.md
new file mode 100644
index 0000000..0075a0a
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_vpn_tunnel.md
@@ -0,0 +1,112 @@
++++
+title = "google_compute_vpn_tunnel resource"
+
+draft = false
+
+
+[menu.gcp]
+title = "google_compute_vpn_tunnel"
+identifier = "inspec/resources/gcp/google_compute_vpn_tunnel resource"
+parent = "inspec/resources/gcp"
++++
+
+## Syntax
+
+A `google_compute_vpn_tunnel` is used to test a Google VpnTunnel resource
+
+
+## Beta Resource
+This resource has beta fields available. To retrieve these fields, include `beta: true` in the constructor for the resource.
+
+## Examples
+
+```ruby
+describe google_compute_vpn_tunnel(project: 'chef-gcp-inspec', region: 'europe-west2', name: 'inspec-vpn-tunnel') do
+ it { should exist }
+ its('peer_ip') { should eq '15.0.0.120' }
+end
+
+describe google_compute_vpn_tunnel(project: 'chef-gcp-inspec', region: 'europe-west2', name: 'nonexistent') do
+ it { should_not exist }
+end
+```
+
+### Test that a GCP compute vpn_tunnel exists
+
+ describe google_compute_vpn_tunnel(project: 'chef-inspec-gcp', region: 'europe-west2', name: 'gcp-inspec-vpn-tunnel') do
+ it { should exist }
+ end
+
+### Test when a GCP compute vpn_tunnel was created
+
+ describe google_compute_vpn_tunnel(project: 'chef-inspec-gcp', region: 'europe-west2', name: 'gcp-inspec-vpn-tunnel') do
+ its('creation_timestamp_date') { should be > Time.now - 365*60*60*24*10 }
+ end
+
+### Test for an expected vpn_tunnel identifier
+
+ describe google_compute_vpn_tunnel(project: 'chef-inspec-gcp', region: 'europe-west2', name: 'gcp-inspec-vpn-tunnel') do
+ its('id') { should eq 12345567789 }
+ end
+
+### Test that a vpn_tunnel peer address is as expected
+
+ describe google_compute_vpn_tunnel(project: 'chef-inspec-gcp', region: 'europe-west2', name: 'gcp-inspec-vpn-tunnel') do
+ its('peer_ip') { should eq "123.123.123.123" }
+ end
+
+### Test that a vpn_tunnel status is as expected
+
+ describe google_compute_vpn_tunnel(project: 'chef-inspec-gcp', region: 'europe-west2', name: 'gcp-inspec-vpn_tunnel') do
+ its('status') { should eq "ESTABLISHED" }
+ end
+
+## Properties
+
+Properties that can be accessed from the `google_compute_vpn_tunnel` resource:
+
+
+ * `id`: The unique identifier for the resource. This identifier is defined by the server.
+
+ * `creation_timestamp`: Creation timestamp in RFC3339 text format.
+
+ * `name`: Name of the resource. The name must be 1-63 characters long, and comply with RFC1035. Specifically, the name must be 1-63 characters long and match the regular expression `[a-z]([-a-z0-9]*[a-z0-9])?` which means the first character must be a lowercase letter, and all following characters must be a dash, lowercase letter, or digit, except the last character, which cannot be a dash.
+
+ * `description`: An optional description of this resource.
+
+ * `target_vpn_gateway`: URL of the Target VPN gateway with which this VPN tunnel is associated.
+
+ * `vpn_gateway`: URL of the VPN gateway with which this VPN tunnel is associated. This must be used if a High Availability VPN gateway resource is created.
+
+ * `vpn_gateway_interface`: The interface ID of the VPN gateway with which this VPN tunnel is associated.
+
+ * `peer_external_gateway`: URL of the peer side external VPN gateway to which this VPN tunnel is connected.
+
+ * `peer_external_gateway_interface`: The interface ID of the external VPN gateway to which this VPN tunnel is connected.
+
+ * `peer_gcp_gateway`: URL of the peer side HA GCP VPN gateway to which this VPN tunnel is connected. If provided, the VPN tunnel will automatically use the same vpn_gateway_interface ID in the peer GCP VPN gateway.
+
+ * `router`: URL of router resource to be used for dynamic routing.
+
+ * `peer_ip`: IP address of the peer VPN gateway. Only IPv4 is supported.
+
+ * `shared_secret`: Shared secret used to set the secure session between the Cloud VPN gateway and the peer VPN gateway.
+
+ * `shared_secret_hash`: Hash of the shared secret.
+
+ * `ike_version`: IKE protocol version to use when establishing the VPN tunnel with peer VPN gateway. Acceptable IKE versions are 1 or 2. Default version is 2.
+
+ * `local_traffic_selector`: Local traffic selector to use when establishing the VPN tunnel with peer VPN gateway. The value should be a CIDR formatted string, for example `192.168.0.0/16`. The ranges should be disjoint. Only IPv4 is supported.
+
+ * `remote_traffic_selector`: Remote traffic selector to use when establishing the VPN tunnel with peer VPN gateway. The value should be a CIDR formatted string, for example `192.168.0.0/16`. The ranges should be disjoint. Only IPv4 is supported.
+
+ * `labels`: (Beta only) Labels to apply to this VpnTunnel.
+
+ * `label_fingerprint`: (Beta only) The fingerprint used for optimistic locking of this resource. Used internally during updates.
+
+ * `region`: The region where the tunnel is located.
+
+
+## GCP permissions
+
+Ensure the [Compute Engine API](https://console.cloud.google.com/apis/library/compute.googleapis.com/) is enabled for the current project.
diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_vpn_tunnels.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_vpn_tunnels.md
new file mode 100644
index 0000000..27fa775
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_vpn_tunnels.md
@@ -0,0 +1,82 @@
++++
+title = "google_compute_vpn_tunnels resource"
+
+draft = false
+
+
+[menu.gcp]
+title = "google_compute_vpn_tunnels"
+identifier = "inspec/resources/gcp/google_compute_vpn_tunnels resource"
+parent = "inspec/resources/gcp"
++++
+
+## Syntax
+
+A `google_compute_vpn_tunnels` is used to test a Google VpnTunnel resource
+
+
+## Beta Resource
+This resource has beta fields available. To retrieve these fields, include `beta: true` in the constructor for the resource.
+
+## Examples
+
+```ruby
+describe google_compute_vpn_tunnels(project: 'chef-gcp-inspec', region: 'europe-west2') do
+ its('vpn_tunnel_names') { should include 'inspec-vpn-tunnel' }
+ its('peer_ips') { should include '15.0.0.120' }
+end
+```
+
+### Test that there are no more than a specified number of vpn_tunnels available for the project and region
+
+ describe google_compute_vpn_tunnels(project: 'chef-inspec-gcp', region: 'europe-west2') do
+ its('count') { should be <= 100}
+ end
+
+### Test that an expected vpn_tunnel name is available for the project and region
+
+ describe google_compute_vpn_tunnels(project: 'chef-inspec-gcp', region: 'europe-west2') do
+ its('vpn_tunnel_names') { should include "vpn_tunnel-name" }
+ end
+
+### Test that an expected vpn_tunnel target_vpn_gateways name is not present for the project and region
+
+ describe google_compute_vpn_tunnels(project: 'chef-inspec-gcp', region: 'europe-west2') do
+ its('vpn_tunnel_target_vpn_gateways') { should not include "gateway-name" }
+ end
+
+## Properties
+
+Properties that can be accessed from the `google_compute_vpn_tunnels` resource:
+
+See [google_compute_vpn_tunnel](google_compute_vpn_tunnel) for more detailed information.
+
+ * `ids`: an array of `google_compute_vpn_tunnel` id
+ * `creation_timestamps`: an array of `google_compute_vpn_tunnel` creation_timestamp
+ * `vpn_tunnel_names`: an array of `google_compute_vpn_tunnel` name
+ * `descriptions`: an array of `google_compute_vpn_tunnel` description
+ * `target_vpn_gateways`: an array of `google_compute_vpn_tunnel` target_vpn_gateway
+ * `vpn_gateways`: an array of `google_compute_vpn_tunnel` vpn_gateway
+ * `vpn_gateway_interfaces`: an array of `google_compute_vpn_tunnel` vpn_gateway_interface
+ * `peer_external_gateways`: an array of `google_compute_vpn_tunnel` peer_external_gateway
+ * `peer_external_gateway_interfaces`: an array of `google_compute_vpn_tunnel` peer_external_gateway_interface
+ * `peer_gcp_gateways`: an array of `google_compute_vpn_tunnel` peer_gcp_gateway
+ * `routers`: an array of `google_compute_vpn_tunnel` router
+ * `peer_ips`: an array of `google_compute_vpn_tunnel` peer_ip
+ * `shared_secrets`: an array of `google_compute_vpn_tunnel` shared_secret
+ * `shared_secret_hashes`: an array of `google_compute_vpn_tunnel` shared_secret_hash
+ * `ike_versions`: an array of `google_compute_vpn_tunnel` ike_version
+ * `local_traffic_selectors`: an array of `google_compute_vpn_tunnel` local_traffic_selector
+ * `remote_traffic_selectors`: an array of `google_compute_vpn_tunnel` remote_traffic_selector
+ * `labels`: (Beta only) an array of `google_compute_vpn_tunnel` labels
+ * `label_fingerprints`: (Beta only) an array of `google_compute_vpn_tunnel` label_fingerprint
+ * `regions`: an array of `google_compute_vpn_tunnel` region
+
+## Filter criteria
+
+This resource supports all of the above properties as filter criteria, which can be used
+with `where` as a block or a method.
+
+## GCP permissions
+
+Ensure the [Compute Engine API](https://console.cloud.google.com/apis/library/compute.googleapis.com/) is enabled for the current project.
diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_xpn_resources.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_xpn_resources.md
new file mode 100644
index 0000000..5da1065
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_xpn_resources.md
@@ -0,0 +1,39 @@
++++
+title = "google_compute_xpn_resources resource"
+
+draft = false
+
+
+[menu.gcp]
+title = "google_compute_xpn_resources"
+identifier = "inspec/resources/gcp/google_compute_xpn_resources resource"
+parent = "inspec/resources/gcp"
++++
+
+Use the `google_compute_xpn_resources` InSpec audit resource to to test a Google Cloud Project resource.
+
+## Examples
+
+```ruby
+ describe google_compute_xpn_resources(project: 'chef-gcp-inspec') do
+ it { should exist }
+ its('ids') { should include xpn_resources['id']}
+ its('types') { should include xpn_resources['type']}
+ end
+```
+
+## Properties
+
+Properties that can be accessed from the `google_compute_xpn_resources` resource:
+
+See [google_compute_xpn_resources](google_compute_xpn_resources) for more detailed information.
+
+ * `kind`: Type of resource. Always compute#projectsGetXpnResources for lists of service resources (a.k.a service projects)
+ * `resources[]`: Service resources (a.k.a service projects) attached to this project as their shared VPC host.
+ * `resources[].type`: The type of the service resource.
+ * `resources[].id`: The ID of the service resource. In the case of projects, this field supports project id (e.g., my-project-123) and project number (e.g. 12345678).
+
+
+## GCP permissions
+
+Ensure the [Compute Engine API](https://console.cloud.google.com/apis/library/compute.googleapis.com/) is enabled for the current project.
diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_zone.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_zone.md
new file mode 100644
index 0000000..447b94c
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_zone.md
@@ -0,0 +1,91 @@
++++
+title = "google_compute_zone resource"
+
+draft = false
+
+
+[menu.gcp]
+title = "google_compute_zone"
+identifier = "inspec/resources/gcp/google_compute_zone resource"
+parent = "inspec/resources/gcp"
++++
+
+## Syntax
+
+A `google_compute_zone` is used to test a Google Zone resource
+
+
+## Beta Resource
+This resource has beta fields available. To retrieve these fields, include `beta: true` in the constructor for the resource.
+
+## Examples
+
+```ruby
+describe google_compute_zone(project: 'chef-gcp-inspec', name: "us-central1-a") do
+ it { should exist }
+ it { should be_up }
+end
+```
+
+### Test that a GCP compute zone exists
+
+ describe google_compute_zone(project: 'chef-inspec-gcp', zone: 'us-east1-b') do
+ it { should exist }
+ end
+
+### Test that a GCP compute zone is in the expected state
+
+ describe google_compute_zone(project: 'chef-inspec-gcp', zone: 'us-east1-b') do
+ its('status') { should eq 'UP' }
+ # or equivalently
+ it { should be_up }
+ end
+
+### Test that a GCP compute zone has an expected CPU platform
+
+ describe google_compute_zone(project: 'chef-inspec-gcp', zone: 'us-east1-b') do
+ its('available_cpu_platforms') { should include "Intel Skylake" }
+ end
+
+## Properties
+
+Properties that can be accessed from the `google_compute_zone` resource:
+
+
+ * `creation_timestamp`: Creation timestamp in RFC3339 text format.
+
+ * `deprecated`: The deprecation status associated with this machine type.
+
+ * `deleted`: An optional RFC3339 timestamp on or after which the state of this resource is intended to change to DELETED. This is only informational and the status will not change unless the client explicitly changes it.
+
+ * `deprecated`: An optional RFC3339 timestamp on or after which the state of this resource is intended to change to DEPRECATED. This is only informational and the status will not change unless the client explicitly changes it.
+
+ * `obsolete`: An optional RFC3339 timestamp on or after which the state of this resource is intended to change to OBSOLETE. This is only informational and the status will not change unless the client explicitly changes it.
+
+ * `replacement`: The URL of the suggested replacement for a deprecated resource. The suggested replacement resource must be the same kind of resource as the deprecated resource.
+
+ * `state`: The deprecation state of this resource. This can be DEPRECATED, OBSOLETE, or DELETED. Operations which create a new resource using a DEPRECATED resource will return successfully, but with a warning indicating the deprecated resource and recommending its replacement. Operations which use OBSOLETE or DELETED resources will be rejected and result in an error.
+ Possible values:
+ * DEPRECATED
+ * OBSOLETE
+ * DELETED
+
+ * `description`: An optional textual description of the resource.
+
+ * `id`: The unique identifier for the resource.
+
+ * `name`: Name of the resource.
+
+ * `region`: The region where the zone is located.
+
+ * `status`: The status of the zone.
+ Possible values:
+ * UP
+ * DOWN
+
+ * `available_cpu_platforms`: The available CPU platforms in this zone
+
+
+## GCP permissions
+
+Ensure the [Compute Engine API](https://console.cloud.google.com/apis/library/compute.googleapis.com/) is enabled for the current project.
diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_zone_operation.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_zone_operation.md
new file mode 100644
index 0000000..9a2a520
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_zone_operation.md
@@ -0,0 +1,68 @@
++++
+title = "google_compute_zone_operation resource"
+
+draft = false
+
+
+[menu.gcp]
+title = "google_compute_zone_operation"
+identifier = "inspec/resources/gcp/google_compute_zone_operation resource"
+parent = "inspec/resources/gcp"
++++
+
+Use the `google_compute_zone_operation` InSpec audit resource to to test a Google Cloud ZoneOperation resource.
+
+## Examples
+
+```ruby
+describe google_compute_zone_operation(project: 'chef-gcp-inspec', zone: 'us-central1-a', name: 'operation-1641188179305-5d4a6e66fe2bd-8fd1812d-d97f3b69') do
+it { should exist }
+its('name') { should eq 'operation-1641188179305-5d4a6e66fe2bd-8fd1812d-d97f3b69' }
+its('status') { should eq '' }
+its('progress') { should eq '100' }
+end
+
+describe google_compute_zone_operation(project: 'chef-gcp-inspec', zone: 'us-central1-a', name: 'nonexistent') do
+it { should_not exist }
+end
+```
+
+## Properties
+
+Properties that can be accessed from the `google_compute_zone_operation` resource:
+
+
+ * `creation_timestamp`: Creation timestamp in RFC3339 text format.This field is deprecated.
+
+ * `description`: An optional textual description of the resource.
+
+ * `id`: The unique identifier for the resource.
+
+ * `name`: Name of the resource.
+
+ * `status_message`: An optional, human-readable explanation of the status.
+
+ * `target_id`: The unique target ID, which identifies a specific incarnation of the target resource.
+
+ * `status`: The status of the operation, which can be one of the following: PENDING, RUNNING, or DONE.
+ Possible values:
+ * PENDING
+ * RUNNING
+ * DONE
+
+ * `user`: User who requested the operation, for example: user@example.com.
+
+ * `insert_time`: The time that this operation was requested. This value is in RFC3339 text format.
+
+ * `start_time`: The time that this operation was requested. This value is in RFC3339 text format.
+
+ * `end_time`: The time that this operation was requested. This value is in RFC3339 text format.
+
+ * `progress`: An optional progress indicator that ranges from 0 to 100. There is no requirement that this be linear or support any granularity of operations. This should not be used to guess when the operation will be complete. This number should monotonically increase as the operation progresses.
+
+ * `region`: The URL of the region where the operation resides. Only applicable when performing regional operations.
+
+
+## GCP permissions
+
+Ensure the [Compute Engine API](https://console.cloud.google.com/apis/library/compute.googleapis.com/) is enabled for the current project.
diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_zone_operations.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_zone_operations.md
new file mode 100644
index 0000000..d21c889
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_zone_operations.md
@@ -0,0 +1,52 @@
++++
+title = "google_compute_zone_operations resource"
+
+draft = false
+
+
+[menu.gcp]
+title = "google_compute_zone_operations"
+identifier = "inspec/resources/gcp/google_compute_zone_operations resource"
+parent = "inspec/resources/gcp"
++++
+
+Use the `google_compute_zone_operations` InSpec audit resource to to test a Google Cloud ZoneOperation resource.
+
+## Examples
+
+```ruby
+describe google_compute_zone_operations(project: 'chef-gcp-inspec', zone: 'us-central1-a') do
+ it { should exist }
+ its('names') { should include 'operation-1641188179305-5d4a6e66fe2bd-8fd1812d-d97f3b69' }
+ its('progresses') { should include '100' }
+end
+```
+
+## Properties
+
+Properties that can be accessed from the `google_compute_zone_operations` resource:
+
+See [google_compute_zone_operation](google_compute_zone_operation) for more detailed information.
+
+ * `creation_timestamps`: an array of `google_compute_zone_operation` creation_timestamp
+ * `descriptions`: an array of `google_compute_zone_operation` description
+ * `ids`: an array of `google_compute_zone_operation` id
+ * `names`: an array of `google_compute_zone_operation` name
+ * `status_messages`: an array of `google_compute_zone_operation` status_message
+ * `target_ids`: an array of `google_compute_zone_operation` target_id
+ * `statuses`: an array of `google_compute_zone_operation` status
+ * `users`: an array of `google_compute_zone_operation` user
+ * `insert_times`: an array of `google_compute_zone_operation` insert_time
+ * `start_times`: an array of `google_compute_zone_operation` start_time
+ * `end_times`: an array of `google_compute_zone_operation` end_time
+ * `progresses`: an array of `google_compute_zone_operation` progress
+ * `regions`: an array of `google_compute_zone_operation` region
+
+## Filter criteria
+
+This resource supports all of the above properties as filter criteria, which can be used
+with `where` as a block or a method.
+
+## GCP permissions
+
+Ensure the [Compute Engine API](https://console.cloud.google.com/apis/library/compute.googleapis.com/) is enabled for the current project.
diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_zones.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_zones.md
new file mode 100644
index 0000000..a0c298a
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_compute_zones.md
@@ -0,0 +1,87 @@
++++
+title = "google_compute_zones resource"
+
+draft = false
+
+
+[menu.gcp]
+title = "google_compute_zones"
+identifier = "inspec/resources/gcp/google_compute_zones resource"
+parent = "inspec/resources/gcp"
++++
+
+## Syntax
+
+A `google_compute_zones` is used to test a Google Zone resource
+
+
+## Beta Resource
+This resource has beta fields available. To retrieve these fields, include `beta: true` in the constructor for the resource.
+
+## Examples
+
+```ruby
+google_compute_zones(project: 'chef-gcp-inspec').zone_names.each do |zone_name|
+ describe google_compute_zone(project: 'chef-gcp-inspec', name: zone_name) do
+ it { should exist }
+ it { should be_up }
+ end
+end
+```
+
+### Test that there are no more than a specified number of zones available for the project
+
+ describe google_compute_zones(project: 'chef-inspec-gcp') do
+ its('count') { should be <= 100}
+ end
+
+### Test the exact number of zones in the project
+
+ describe google_compute_zones(project: 'chef-inspec-gcp') do
+ its('zone_ids.count') { should cmp 9 }
+ end
+
+### Test that an expected zone is available for the project
+
+ describe google_compute_zones(project: 'chef-inspec-gcp') do
+ its('zone_names') { should include "us-east1-b" }
+ end
+
+### Test whether any zones are in status "DOWN"
+
+ describe google_compute_zones(project: 'chef-inspec-gcp') do
+ its('zone_statuses') { should_not include "DOWN" }
+ end
+
+### Test that a subset of all zones matching "us*" are "UP"
+
+ google_compute_zones(project: 'chef-inspec-gcp').where(zone_name: /^us/).zone_names.each do |zone_name|
+ describe google_compute_zone(project: 'chef-inspec-gcp', zone: zone_name) do
+ it { should exist }
+ its('status') { should eq 'UP' }
+ end
+ end
+
+## Properties
+
+Properties that can be accessed from the `google_compute_zones` resource:
+
+See [google_compute_zone](google_compute_zone) for more detailed information.
+
+ * `creation_timestamps`: an array of `google_compute_zone` creation_timestamp
+ * `deprecateds`: an array of `google_compute_zone` deprecated
+ * `descriptions`: an array of `google_compute_zone` description
+ * `zone_ids`: an array of `google_compute_zone` id
+ * `zone_names`: an array of `google_compute_zone` name
+ * `regions`: an array of `google_compute_zone` region
+ * `zone_statuses`: an array of `google_compute_zone` status
+ * `available_cpu_platforms`: an array of `google_compute_zone` available_cpu_platforms
+
+## Filter criteria
+
+This resource supports all of the above properties as filter criteria, which can be used
+with `where` as a block or a method.
+
+## GCP permissions
+
+Ensure the [Compute Engine API](https://console.cloud.google.com/apis/library/compute.googleapis.com/) is enabled for the current project.
diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_container_cluster.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_container_cluster.md
new file mode 100644
index 0000000..8d0229b
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_container_cluster.md
@@ -0,0 +1,344 @@
++++
+title = "google_container_cluster resource"
+
+draft = false
+
+
+[menu.gcp]
+title = "google_container_cluster"
+identifier = "inspec/resources/gcp/google_container_cluster resource"
+parent = "inspec/resources/gcp"
++++
+
+Use the `google_container_cluster` InSpec audit resource to to test a Google Cloud Cluster resource.
+
+## Examples
+
+```ruby
+describe google_container_cluster(project: 'chef-gcp-inspec', location: 'europe-west2-a', name: 'gcp-inspec-kube-cluster') do
+ it { should exist }
+ its('locations.sort'){ should cmp [ 'europe-west2-a', 'europe-west2-b', 'europe-west2-c' ].sort }
+
+ its('master_auth.username') { should eq 'gcp-inspec-kube-admin' }
+end
+
+describe google_container_cluster(project: 'chef-gcp-inspec', location: 'europe-west2-a', name: 'nonexistent') do
+ it { should_not exist }
+end
+
+describe google_container_cluster(project: 'chef-gcp-inspec', location: 'europe-west2-a', name: 'gcp-inspec-kube-cluster', beta: true) do
+ it { should exist }
+ its('release_channel.channel') { should cmp "RAPID" }
+end
+```
+
+### Test that a GCP container cluster is in a particular state e.g. "RUNNING"
+
+ describe google_container_cluster(project: 'chef-inspec-gcp', location: 'europe-west2-a', name: 'inspec-gcp-kube-cluster') do
+ its('status') { should eq 'RUNNING' }
+ end
+
+### Test that a GCP container cluster has the expected kube master user/password
+
+ describe google_container_cluster(project: 'chef-inspec-gcp', location: 'europe-west2-a', name: 'inspec-gcp-kube-cluster') do
+ its('master_auth.username'){ should eq "user_name"}
+ its('master_auth.password'){ should eq "choose_something_strong"}
+ end
+
+### Test that the locations where the GCP container cluster is running match those expected
+
+ describe google_container_cluster(project: 'chef-inspec-gcp', location: 'europe-west2-a', name: 'inspec-gcp-kube-cluster') do
+ its('locations.sort'){should cmp ["europe-west2-a", "europe-west2-b", "europe-west2-c"].sort}
+ end
+
+### Test GCP container cluster network and subnetwork settings
+
+ describe google_container_cluster(project: 'chef-inspec-gcp', location: 'europe-west2-a', name: 'inspec-gcp-kube-cluster') do
+ its('network'){should eq "default"}
+ its('subnetwork'){should eq "default"}
+ end
+
+### Test GCP container cluster node pool configuration settings
+
+ describe google_container_cluster(project: 'chef-inspec-gcp', location: 'europe-west2-a', name: 'inspec-gcp-kube-cluster') do
+ its('node_config.disk_size_gb'){should eq 100}
+ its('node_config.image_type'){should eq "COS"}
+ its('node_config.machine_type'){should eq "n1-standard-1"}
+ its('node_ipv4_cidr_size'){should eq 24}
+ its('node_pools.count'){should eq 1}
+ end
+
+## Properties
+
+Properties that can be accessed from the `google_container_cluster` resource:
+
+
+ * `name`: The name of this cluster. The name must be unique within this project and location, and can be up to 40 characters. Must be Lowercase letters, numbers, and hyphens only. Must start with a letter. Must end with a number or a letter.
+
+ * `description`: An optional description of this cluster.
+
+ * `initial_node_count`: The number of nodes to create in this cluster. You must ensure that your Compute Engine resource quota is sufficient for this number of instances. You must also have available firewall and routes quota. For requests, this field should only be used in lieu of a "nodePool" object, since this configuration (along with the "nodeConfig") will be used to create a "NodePool" object with an auto-generated name. Do not use this and a nodePool at the same time. This field has been deprecated. Please use nodePool.initial_node_count instead.
+
+ * `node_config`: Parameters used in creating the cluster's nodes. For requests, this field should only be used in lieu of a "nodePool" object, since this configuration (along with the "initialNodeCount") will be used to create a "NodePool" object with an auto-generated name. Do not use this and a nodePool at the same time. For responses, this field will be populated with the node configuration of the first node pool. If unspecified, the defaults are used.
+
+ * `machine_type`: The name of a Google Compute Engine machine type (e.g. n1-standard-1). If unspecified, the default machine type is n1-standard-1.
+
+ * `disk_size_gb`: Size of the disk attached to each node, specified in GB. The smallest allowed disk size is 10GB. If unspecified, the default disk size is 100GB.
+
+ * `oauth_scopes`: The set of Google API scopes to be made available on all of the node VMs under the "default" service account. The following scopes are recommended, but not required, and by default are not included: https://www.googleapis.com/auth/compute is required for mounting persistent storage on your nodes. https://www.googleapis.com/auth/devstorage.read_only is required for communicating with gcr.io (the Google Container Registry). If unspecified, no scopes are added, unless Cloud Logging or Cloud Monitoring are enabled, in which case their required scopes will be added.
+
+ * `service_account`: The Google Cloud Platform Service Account to be used by the node VMs. If no Service Account is specified, the "default" service account is used.
+
+ * `metadata`: The metadata key/value pairs assigned to instances in the cluster. Keys must conform to the regexp [a-zA-Z0-9-_]+ and be less than 128 bytes in length. These are reflected as part of a URL in the metadata server. Additionally, to avoid ambiguity, keys must not conflict with any other metadata keys for the project or be one of the four reserved keys: "instance-template", "kube-env", "startup-script", and "user-data" Values are free-form strings, and only have meaning as interpreted by the image running in the instance. The only restriction placed on them is that each value's size must be less than or equal to 32 KB. The total size of all keys and values must be less than 512 KB. An object containing a list of "key": value pairs. Example: { "name": "wrench", "mass": "1.3kg", "count": "3" }.
+
+ * `image_type`: The image type to use for this node. Note that for a given image type, the latest version of it will be used.
+
+ * `labels`: The map of Kubernetes labels (key/value pairs) to be applied to each node. These will added in addition to any default label(s) that Kubernetes may apply to the node. In case of conflict in label keys, the applied set may differ depending on the Kubernetes version -- it's best to assume the behavior is undefined and conflicts should be avoided. For more information, including usage and the valid values, see: http://kubernetes.io/v1.1/docs/user-guide/labels.html An object containing a list of "key": value pairs. Example: { "name": "wrench", "mass": "1.3kg", "count": "3" }.
+
+ * `local_ssd_count`: The number of local SSD disks to be attached to the node. The limit for this value is dependant upon the maximum number of disks available on a machine per zone. See: https://cloud.google.com/compute/docs/disks/local-ssd#local_ssd_limits for more information.
+
+ * `tags`: The list of instance tags applied to all nodes. Tags are used to identify valid sources or targets for network firewalls and are specified by the client during cluster or node pool creation. Each tag within the list must comply with RFC1035.
+
+ * `preemptible`: Whether the nodes are created as preemptible VM instances. See: https://cloud.google.com/compute/docs/instances/preemptible for more information about preemptible VM instances.
+
+ * `accelerators`: A list of hardware accelerators to be attached to each node. See https://cloud.google.com/compute/docs/gpus for more information about support for GPUs.
+
+ * `accelerator_count`: The number of accelerator cards exposed to an instance.
+
+ * `accelerator_type`: The accelerator type resource name
+
+ * `disk_type`: Type of the disk attached to each node (e.g. 'pd-standard' or 'pd-ssd') If unspecified, the default disk type is 'pd-standard'
+
+ * `min_cpu_platform`: Minimum CPU platform to be used by this instance. The instance may be scheduled on the specified or newer CPU platform.
+
+ * `taints`: List of kubernetes taints to be applied to each node. For more information, including usage and the valid values, see: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/
+
+ * `key`: Key for taint
+
+ * `value`: Value for taint
+
+ * `effect`: Effect for taint
+ Possible values:
+ * EFFECT_UNSPECIFIED
+ * NO_SCHEDULE
+ * PREFER_NO_SCHEDULE
+ * NO_EXECUTE
+
+ * `shielded_instance_config`: Shielded Instance options.
+
+ * `enable_secure_boot`: Defines whether the instance has Secure Boot enabled. Secure Boot helps ensure that the system only runs authentic software by verifying the digital signature of all boot components, and halting the boot process if signature verification fails.
+
+ * `enable_integrity_monitoring`: Defines whether the instance has integrity monitoring enabled. Enables monitoring and attestation of the boot integrity of the instance. The attestation is performed against the integrity policy baseline. This baseline is initially derived from the implicitly trusted boot image when the instance is created.
+
+ * `master_auth`: The authentication information for accessing the master endpoint.
+
+ * `username`: The username to use for HTTP basic authentication to the master endpoint.
+
+ * `password`: The password to use for HTTP basic authentication to the master endpoint. Because the master endpoint is open to the Internet, you should create a strong password with a minimum of 16 characters.
+
+ * `client_certificate_config`: Configuration for client certificate authentication on the cluster. For clusters before v1.12, if no configuration is specified, a client certificate is issued.
+
+ * `issue_client_certificate`: Issue a client certificate.
+
+ * `cluster_ca_certificate`: Base64-encoded public certificate that is the root of trust for the cluster.
+
+ * `client_certificate`: Base64-encoded public certificate used by clients to authenticate to the cluster endpoint.
+
+ * `client_key`: Base64-encoded private key used by clients to authenticate to the cluster endpoint.
+
+ * `fleet`: The fleet configuration for the cluster.
+ * `project`: The Fleet host project(project ID or project number) where this cluster will be registered to. This field cannot be changed after the cluster has been registered.
+ * `membership`: The full resource name of the registered fleet membership of the cluster, in the format //gkehub.googleapis.com/projects/*/locations/*/memberships/*.
+ * `pre_registered`: Whether the cluster has been registered through the fleet API.
+
+ * `logging_service`: The logging service the cluster should use to write logs. Currently available options: logging.googleapis.com - the Google Cloud Logging service. none - no logs will be exported from the cluster. if left as an empty string,logging.googleapis.com will be used.
+ Possible values:
+ * logging.googleapis.com
+ * none
+
+ * `monitoring_service`: The monitoring service the cluster should use to write metrics. Currently available options: monitoring.googleapis.com - the Google Cloud Monitoring service. none - no metrics will be exported from the cluster. if left as an empty string, monitoring.googleapis.com will be used.
+ Possible values:
+ * monitoring.googleapis.com
+ * none
+
+ * `network`: The name of the Google Compute Engine network to which the cluster is connected. If left unspecified, the default network will be used.
+
+ * `database_encryption`: Configuration of etcd encryption.
+
+ * `state`: Denotes the state of etcd encryption.
+ Possible values:
+ * ENCRYPTED
+ * DECRYPTED
+
+ * `key_name`: Name of CloudKMS key to use for the encryption of secrets in etcd. Ex. `projects/my-project/locations/global/keyRings/my-ring/cryptoKeys/my-key`
+
+ * `private_cluster_config`: Configuration for a private cluster.
+
+ * `enable_private_nodes`: Whether nodes have internal IP addresses only. If enabled, all nodes are given only RFC 1918 private addresses and communicate with the master via private networking.
+
+ * `enable_private_endpoint`: Whether the master's internal IP address is used as the cluster endpoint.
+
+ * `master_ipv4_cidr_block`: The IP range in CIDR notation to use for the hosted master network. This range will be used for assigning internal IP addresses to the master or set of masters, as well as the ILB VIP. This range must not overlap with any other ranges in use within the cluster's network.
+
+ * `private_endpoint`: The internal IP address of this cluster's master endpoint.
+
+ * `public_endpoint`: The external IP address of this cluster's master endpoint.
+
+ * `cluster_ipv4_cidr`: The IP address range of the container pods in this cluster, in CIDR notation (e.g. 10.96.0.0/14). Leave blank to have one automatically chosen or specify a /14 block in 10.0.0.0/8.
+
+ * `enable_tpu`: (Optional) Whether to enable Cloud TPU resources in this cluster. See the official documentation - https://cloud.google.com/tpu/docs/kubernetes-engine-setup
+
+ * `tpu_ipv4_cidr_block`: The IP address range of the Cloud TPUs in this cluster, in [CIDR](http://en.wikipedia.org/wiki/Classless_Inter-Domain_Routing) notation (e.g. `1.2.3.4/29`).
+
+ * `addons_config`: Configurations for the various addons available to run in the cluster.
+
+ * `http_load_balancing`: Configuration for the HTTP (L7) load balancing controller addon, which makes it easy to set up HTTP load balancers for services in a cluster.
+
+ * `disabled`: Whether the HTTP Load Balancing controller is enabled in the cluster. When enabled, it runs a small pod in the cluster that manages the load balancers.
+
+ * `horizontal_pod_autoscaling`: Configuration for the horizontal pod autoscaling feature, which increases or decreases the number of replica pods a replication controller has based on the resource usage of the existing pods.
+
+ * `disabled`: Whether the Horizontal Pod Autoscaling feature is enabled in the cluster. When enabled, it ensures that a Heapster pod is running in the cluster, which is also used by the Cloud Monitoring service.
+
+ * `kubernetes_dashboard`: Configuration for the Kubernetes Dashboard. This addon is deprecated, and will be disabled in 1.15. It is recommended to use the Cloud Console to manage and monitor your Kubernetes clusters, workloads and applications.
+
+ * `disabled`: Whether the Kubernetes Dashboard is enabled for this cluster.
+
+ * `network_policy_config`: Configuration for NetworkPolicy. This only tracks whether the addon is enabled or not on the Master, it does not track whether network policy is enabled for the nodes.
+
+ * `disabled`: Whether NetworkPolicy is enabled for this cluster.
+
+ * `gce_persistent_disk_csi_driver_config`: Configuration for enable the automatic deployment and management of the persistent disk driver without having to manually set it up.
+
+ * `enabled`: Whether NetworkPolicy is enabled for this cluster.
+
+ * `subnetwork`: The name of the Google Compute Engine subnetwork to which the cluster is connected.
+
+ * `locations`: The list of Google Compute Engine zones in which the cluster's nodes should be located.
+
+ * `resource_labels`: The resource labels for the cluster to use to annotate any related Google Compute Engine resources.
+
+ * `label_fingerprint`: The fingerprint of the set of labels for this cluster.
+
+ * `legacy_abac`: Configuration for the legacy ABAC authorization mode.
+
+ * `enabled`: Whether the ABAC authorizer is enabled for this cluster. When enabled, identities in the system, including service accounts, nodes, and controllers, will have statically granted permissions beyond those provided by the RBAC configuration or IAM.
+
+ * `network_policy`: Configuration options for the NetworkPolicy feature.
+
+ * `provider`: The selected network policy provider.
+ Possible values:
+ * PROVIDER_UNSPECIFIED
+ * CALICO
+
+ * `enabled`: Whether network policy is enabled on the cluster.
+
+ * `default_max_pods_constraint`: The default constraint on the maximum number of pods that can be run simultaneously on a node in the node pool of this cluster. Only honored if cluster created with IP Alias support.
+
+ * `max_pods_per_node`: Constraint enforced on the max num of pods per node.
+
+ * `ip_allocation_policy`: Configuration for controlling how IPs are allocated in the cluster
+
+ * `use_ip_aliases`: Whether alias IPs will be used for pod IPs in the cluster
+
+ * `create_subnetwork`: Whether a new subnetwork will be created automatically for the cluster
+
+ * `subnetwork_name`: A custom subnetwork name to be used if createSubnetwork is true. If this field is empty, then an automatic name will be chosen for the new subnetwork.
+
+ * `cluster_secondary_range_name`: The name of the secondary range to be used for the cluster CIDR block. The secondary range will be used for pod IP addresses. This must be an existing secondary range associated with the cluster subnetwork
+
+ * `services_secondary_range_name`: The name of the secondary range to be used as for the services CIDR block. The secondary range will be used for service ClusterIPs. This must be an existing secondary range associated with the cluster subnetwork.
+
+ * `cluster_ipv4_cidr_block`: The IP address range for the cluster pod IPs. If this field is set, then cluster.cluster_ipv4_cidr must be left blank. This field is only applicable when useIpAliases is true. Set to blank to have a range chosen with the default size. Set to /netmask (e.g. /14) to have a range chosen with a specific netmask.
+
+ * `node_ipv4_cidr_block`: The IP address range of the instance IPs in this cluster. This is applicable only if createSubnetwork is true. Set to blank to have a range chosen with the default size. Set to /netmask (e.g. /14) to have a range chosen with a specific netmask.
+
+ * `services_ipv4_cidr_block`: The IP address range of the services IPs in this cluster. If blank, a range will be automatically chosen with the default size. This field is only applicable when useIpAliases is true. Set to blank to have a range chosen with the default size. Set to /netmask (e.g. /14) to have a range chosen with a specific netmask.
+
+ * `tpu_ipv4_cidr_block`: The IP address range of the Cloud TPUs in this cluster. If unspecified, a range will be automatically chosen with the default size. This field is only applicable when useIpAliases is true. If unspecified, the range will use the default size. Set to /netmask (e.g. /14) to have a range chosen with a specific netmask.
+
+ * `endpoint`: The IP address of this cluster's master endpoint. The endpoint can be accessed from the internet at https://username:password@endpoint/ See the masterAuth property of this resource for username and password information.
+
+ * `initial_cluster_version`: The software version of the master endpoint and kubelets used in the cluster when it was first created. The version can be upgraded over time.
+
+ * `current_master_version`: The current software version of the master endpoint.
+
+ * `current_node_version`: The current version of the node software components. If they are currently at multiple versions because they're in the process of being upgraded, this reflects the minimum version of all nodes.
+
+ * `create_time`: The time the cluster was created, in RFC3339 text format.
+
+ * `status`: The current status of this cluster.
+ Possible values:
+ * STATUS_UNSPECIFIED
+ * PROVISIONING
+ * RUNNING
+ * RECONCILING
+ * STOPPING
+ * ERROR
+ * DEGRADED
+
+ * `status_message`: Additional information about the current status of this cluster, if available.
+
+ * `node_ipv4_cidr_size`: The size of the address space on each node for hosting containers. This is provisioned from within the container_ipv4_cidr range.
+
+ * `services_ipv4_cidr`: The IP address range of the Kubernetes services in this cluster, in CIDR notation (e.g. 1.2.3.4/29). Service addresses are typically put in the last /16 from the container CIDR.
+
+ * `current_node_count`: The number of nodes currently in the cluster.
+
+ * `expire_time`: The time the cluster will be automatically deleted in RFC3339 text format.
+
+ * `conditions`: Which conditions caused the current cluster state.
+
+ * `code`: Machine-friendly representation of the condition
+
+ * `message`: Human-friendly representation of the condition
+
+ * `master_authorized_networks_config`: Configuration for controlling how IPs are allocated in the cluster
+
+ * `enabled`: Whether or not master authorized networks is enabled.
+
+ * `cidr_blocks`: Define up to 50 external networks that could access Kubernetes master through HTTPS.
+
+ * `display_name`: Optional field used to identify cidr blocks
+
+ * `cidr_block`: Block specified in CIDR notation
+
+ * `node_pools`: Node pools belonging to this cluster
+
+ * `name`: Name of the node pool
+
+ * `binary_authorization`: Configuration for the BinaryAuthorization feature.
+
+ * `enabled`: If enabled, all container images will be validated by Binary Authorization.
+
+ * `release_channel`: ReleaseChannel indicates which release channel a cluster is subscribed to. Release channels are arranged in order of risk and frequency of updates.
+
+ * `channel`: Which release channel the cluster is subscribed to.
+ Possible values:
+ * UNSPECIFIED
+ * RAPID
+ * REGULAR
+ * STABLE
+
+ * `shielded_nodes`: Shielded Nodes configuration.
+
+ * `enabled`: Whether Shielded Nodes features are enabled on all nodes in this cluster.
+
+ * `network_config`: Network configurations
+
+ * `enable_intra_node_visibility`: Whether Intra-node visibility is enabled for this cluster. This makes same node pod to pod traffic visible for VPC network.
+
+ * `network`: The relative name of the Google Compute Engine network to which the cluster is connected. Example: projects/my-project/global/networks/my-network
+
+ * `subnetwork`: The relative name of the Google Compute Engine subnetwork to which the cluster is connected. Example: projects/my-project/regions/us-central1/subnetworks/my-subnet
+
+ * `default_snat_status`: Whether the cluster disables default in-node sNAT rules. In-node sNAT rules will be disabled when defaultSnatStatus is disabled.
+
+ * `enable_kubernetes_alpha`: Kubernetes alpha features are enabled on this cluster. This includes alpha API groups (e.g. v1alpha1) and features that may not be production ready in the kubernetes version of the master and nodes.
+
+ * `location`: The location where the cluster is deployed
+
+
+## GCP permissions
+
+Ensure the [Kubernetes Engine API](https://console.cloud.google.com/apis/library/container.googleapis.com/) is enabled for the current project.
diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_container_clusters.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_container_clusters.md
new file mode 100644
index 0000000..764dffd
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_container_clusters.md
@@ -0,0 +1,106 @@
++++
+title = "google_container_clusters resource"
+
+draft = false
+
+
+[menu.gcp]
+title = "google_container_clusters"
+identifier = "inspec/resources/gcp/google_container_clusters resource"
+parent = "inspec/resources/gcp"
++++
+
+Use the `google_container_clusters` InSpec audit resource to to test a Google Cloud Cluster resource.
+
+## Examples
+
+```ruby
+describe google_container_clusters(project: 'chef-gcp-inspec', location: 'europe-west2-a') do
+ its('cluster_names') { should include 'gcp-inspec-kube-cluster' }
+end
+```
+
+### Test that there are no more than a specified number of clusters available for the project in a particular zone
+
+ describe google_container_clusters(project: 'chef-inspec-gcp', location: 'europe-west2-a') do
+ its('count') { should be <= 5}
+ end
+
+### Test that an expected cluster is available for the project
+
+ describe google_container_clusters(project: 'chef-inspec-gcp', location: 'europe-west2-a') do
+ its('cluster_names') { should include "my-cluster" }
+ end
+
+### Test whether any clusters are in status "STOPPING"
+
+ describe google_container_clusters(project: 'chef-inspec-gcp', location: 'europe-west2-a') do
+ its('cluster_statuses') { should_not include "STOPPING" }
+ end
+
+### Test that a subset of all clusters matching "kube*" are "RUNNING"
+
+ google_container_clusters(project: gcp_project_id).where(cluster_name: /^kube/).cluster_names.each do |cluster_name|
+ describe google_container_cluster(project: 'chef-inspec-gcp', location: 'europe-west2-a', name: cluster_name) do
+ it { should exist }
+ its('status') { should eq 'RUNNING' }
+ end
+ end
+
+## Properties
+
+Properties that can be accessed from the `google_container_clusters` resource:
+
+See [google_container_cluster](google_container_cluster) for more detailed information.
+
+ * `cluster_names`: an array of `google_container_cluster` name
+ * `descriptions`: an array of `google_container_cluster` description
+ * `initial_node_counts`: an array of `google_container_cluster` initial_node_count
+ * `node_configs`: an array of `google_container_cluster` node_config
+ * `master_auths`: an array of `google_container_cluster` master_auth
+ * `logging_services`: an array of `google_container_cluster` logging_service
+ * `monitoring_services`: an array of `google_container_cluster` monitoring_service
+ * `cluster_networks`: an array of `google_container_cluster` network
+ * `database_encryptions`: an array of `google_container_cluster` database_encryption
+ * `private_cluster_configs`: an array of `google_container_cluster` private_cluster_config
+ * `cluster_ipv4_cidrs`: an array of `google_container_cluster` cluster_ipv4_cidr
+ * `enable_tpus`: an array of `google_container_cluster` enable_tpu
+ * `tpu_ipv4_cidr_blocks`: an array of `google_container_cluster` tpu_ipv4_cidr_block
+ * `addons_configs`: an array of `google_container_cluster` addons_config
+ * `subnetworks`: an array of `google_container_cluster` subnetwork
+ * `locations`: an array of `google_container_cluster` locations
+ * `resource_labels`: an array of `google_container_cluster` resource_labels
+ * `label_fingerprints`: an array of `google_container_cluster` label_fingerprint
+ * `legacy_abacs`: an array of `google_container_cluster` legacy_abac
+ * `network_policies`: an array of `google_container_cluster` network_policy
+ * `default_max_pods_constraints`: an array of `google_container_cluster` default_max_pods_constraint
+ * `ip_allocation_policies`: an array of `google_container_cluster` ip_allocation_policy
+ * `endpoints`: an array of `google_container_cluster` endpoint
+ * `initial_cluster_versions`: an array of `google_container_cluster` initial_cluster_version
+ * `current_master_versions`: an array of `google_container_cluster` current_master_version
+ * `current_node_versions`: an array of `google_container_cluster` current_node_version
+ * `create_times`: an array of `google_container_cluster` create_time
+ * `cluster_statuses`: an array of `google_container_cluster` status
+ * `status_messages`: an array of `google_container_cluster` status_message
+ * `node_ipv4_cidr_sizes`: an array of `google_container_cluster` node_ipv4_cidr_size
+ * `services_ipv4_cidrs`: an array of `google_container_cluster` services_ipv4_cidr
+ * `current_node_counts`: an array of `google_container_cluster` current_node_count
+ * `expire_times`: an array of `google_container_cluster` expire_time
+ * `conditions`: an array of `google_container_cluster` conditions
+ * `master_authorized_networks_configs`: an array of `google_container_cluster` master_authorized_networks_config
+ * `node_pools`: an array of `google_container_cluster` node_pools
+ * `binary_authorizations`: an array of `google_container_cluster` binary_authorization
+ * `release_channels`: an array of `google_container_cluster` release_channel
+ * `shielded_nodes`: an array of `google_container_cluster` shielded_nodes
+ * `network_configs`: an array of `google_container_cluster` network_config
+ * `enable_kubernetes_alphas`: an array of `google_container_cluster` enable_kubernetes_alpha
+ * `locations`: an array of `google_container_cluster` location
+
+## Filter criteria
+
+This resource supports all of the above properties as filter criteria, which can be used
+with `where` as a block or a method.
+
+## GCP permissions
+
+Ensure the [Kubernetes Engine API](https://console.cloud.google.com/apis/library/container.googleapis.com/) is enabled for the current project.
diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_container_node_pool.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_container_node_pool.md
new file mode 100644
index 0000000..cdb4576
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_container_node_pool.md 
@@ -0,0 +1,175 @@ ++++ +title = "google_container_node_pool resource" + +draft = false + + +[menu.gcp] +title = "google_container_node_pool" +identifier = "inspec/resources/gcp/google_container_node_pool resource" +parent = "inspec/resources/gcp" ++++ + +## Syntax + +A `google_container_node_pool` is used to test a Google NodePool resource + + +## Beta Resource +This resource has beta fields available. To retrieve these fields, include `beta: true` in the constructor for the resource. + +## Examples + +```ruby +describe google_container_node_pool(project: 'chef-gcp-inspec', location: 'europe-west2-a', cluster_name: 'gcp-inspec-kube-cluster', nodepool_name: 'inspec-gcp-regional-node-pool') do + it { should exist } + its('initial_node_count') { should eq '1'} +end + +describe google_container_node_pool(project: 'chef-gcp-inspec', location: 'europe-west2-a', cluster_name: 'gcp-inspec-kube-cluster', nodepool_name: 'nonexistent') do + it { should_not exist } +end +``` + +### Test that a GCP container node pool is in a particular state e.g. 
"RUNNING" + + describe google_container_node_pool(project: 'chef-inspec-gcp', locations: 'europe-west2-a', cluster_name: 'inspec-gcp-kube-cluster', nodepool_name: 'inspec-gcp-kube-node-pool') do + its('status') { should eq 'RUNNING' } + end + +### Test GCP container node pool disk size in GB is as expected + + describe google_container_node_pool(project: 'chef-inspec-gcp', locations: 'europe-west2-a', cluster_name: 'inspec-gcp-kube-cluster', nodepool_name: 'inspec-gcp-kube-node-pool') do + its('config.disk_size_gb'){should eq 100} + end + +### Test GCP container node pool machine type is as expected + + describe google_container_node_pool(project: 'chef-inspec-gcp', locations: 'europe-west2-a', cluster_name: 'inspec-gcp-kube-cluster', nodepool_name: 'inspec-gcp-kube-node-pool') do + its('config.machine_type'){should eq "n1-standard-1"} + end + +### Test GCP container node pool node image type is as expected + + describe google_container_node_pool(project: 'chef-inspec-gcp', locations: 'europe-west2-a', cluster_name: 'inspec-gcp-kube-cluster', nodepool_name: 'inspec-gcp-kube-node-pool') do + its('config.image_type'){should eq "COS"} + end + +### Test GCP container node pool initial node count is as expected + + describe google_container_node_pool(project: 'chef-inspec-gcp', locations: 'europe-west2-a', cluster_name: 'inspec-gcp-kube-cluster', nodepool_name: 'inspec-gcp-kube-node-pool') do + its('initial_node_count'){should eq 3} + end + +## Properties + +Properties that can be accessed from the `google_container_node_pool` resource: + + + * `name`: The name of the node pool. + + * `config`: The node configuration of the pool. + + * `machine_type`: The name of a Google Compute Engine machine type (e.g. n1-standard-1). If unspecified, the default machine type is n1-standard-1. + + * `disk_size_gb`: Size of the disk attached to each node, specified in GB. The smallest allowed disk size is 10GB. If unspecified, the default disk size is 100GB. 
+ + * `oauth_scopes`: The set of Google API scopes to be made available on all of the node VMs under the "default" service account. The following scopes are recommended, but not required, and by default are not included: https://www.googleapis.com/auth/compute is required for mounting persistent storage on your nodes. https://www.googleapis.com/auth/devstorage.read_only is required for communicating with gcr.io (the Google Container Registry). If unspecified, no scopes are added, unless Cloud Logging or Cloud Monitoring are enabled, in which case their required scopes will be added. + + * `service_account`: The Google Cloud Platform Service Account to be used by the node VMs. If no Service Account is specified, the "default" service account is used. + + * `metadata`: The metadata key/value pairs assigned to instances in the cluster. Keys must conform to the regexp [a-zA-Z0-9-_]+ and be less than 128 bytes in length. These are reflected as part of a URL in the metadata server. Additionally, to avoid ambiguity, keys must not conflict with any other metadata keys for the project or be one of the four reserved keys: "instance-template", "kube-env", "startup-script", and "user-data" Values are free-form strings, and only have meaning as interpreted by the image running in the instance. The only restriction placed on them is that each value's size must be less than or equal to 32 KB. The total size of all keys and values must be less than 512 KB. An object containing a list of "key": value pairs. Example: { "name": "wrench", "mass": "1.3kg", "count": "3" }. + + * `image_type`: The image type to use for this node. Note that for a given image type, the latest version of it will be used. + + * `labels`: The map of Kubernetes labels (key/value pairs) to be applied to each node. These will added in addition to any default label(s) that Kubernetes may apply to the node. 
In case of conflict in label keys, the applied set may differ depending on the Kubernetes version -- it's best to assume the behavior is undefined and conflicts should be avoided. For more information, including usage and the valid values, see: http://kubernetes.io/v1.1/docs/user-guide/labels.html An object containing a list of "key": value pairs. Example: { "name": "wrench", "mass": "1.3kg", "count": "3" }. + + * `local_ssd_count`: The number of local SSD disks to be attached to the node. The limit for this value is dependant upon the maximum number of disks available on a machine per zone. See: https://cloud.google.com/compute/docs/disks/local-ssd#local_ssd_limits for more information. + + * `tags`: The list of instance tags applied to all nodes. Tags are used to identify valid sources or targets for network firewalls and are specified by the client during cluster or node pool creation. Each tag within the list must comply with RFC1035. + + * `preemptible`: Whether the nodes are created as preemptible VM instances. See: https://cloud.google.com/compute/docs/instances/preemptible for more information about preemptible VM instances. + + * `accelerators`: A list of hardware accelerators to be attached to each node + + * `accelerator_count`: The number of the accelerator cards exposed to an instance. + + * `accelerator_type`: The accelerator type resource name + + * `disk_type`: Type of the disk attached to each node (e.g. 'pd-standard' or 'pd-ssd') If unspecified, the default disk type is 'pd-standard' + + * `min_cpu_platform`: Minimum CPU platform to be used by this instance. The instance may be scheduled on the specified or newer CPU platform + + * `taints`: List of kubernetes taints to be applied to each node. + + * `key`: Key for taint + + * `value`: Value for taint + + * `effect`: Effect for taint + + * `shielded_instance_config`: Shielded Instance options. + + * `enable_secure_boot`: Defines whether the instance has Secure Boot enabled. 
Secure Boot helps ensure that the system only runs authentic software by verifying the digital signature of all boot components, and halting the boot process if signature verification fails. + + * `enable_integrity_monitoring`: Defines whether the instance has integrity monitoring enabled. Enables monitoring and attestation of the boot integrity of the instance. The attestation is performed against the integrity policy baseline. This baseline is initially derived from the implicitly trusted boot image when the instance is created. + + * `workload_meta_config`: WorkloadMetadataConfig defines the metadata configuration to expose to workloads on the node pool. + + * `mode`: Mode is the configuration for how to expose metadata to workloads running on the node pool. + Possible values: + * GCE_METADATA + * GKE_METADATA + + * `initial_node_count`: The initial node count for the pool. You must ensure that your Compute Engine resource quota is sufficient for this number of instances. You must also have available firewall and routes quota. + + * `status`: Status of nodes in this pool instance + + * `status_message`: Additional information about the current status of this node pool instance + + * `version`: The version of the Kubernetes of this node. + + * `autoscaling`: Autoscaler configuration for this NodePool. Autoscaler is enabled only if a valid configuration is present. + + * `enabled`: Is autoscaling enabled for this node pool. + + * `min_node_count`: Minimum number of nodes in the NodePool. Must be >= 1 and <= maxNodeCount. + + * `max_node_count`: Maximum number of nodes in the NodePool. Must be >= minNodeCount. There has to enough quota to scale up the cluster. + + * `management`: Management configuration for this NodePool. + + * `auto_upgrade`: A flag that specifies whether node auto-upgrade is enabled for the node pool. If enabled, node auto-upgrade helps keep the nodes in your node pool up to date with the latest release version of Kubernetes. 
+ + * `auto_repair`: A flag that specifies whether the node auto-repair is enabled for the node pool. If enabled, the nodes in this node pool will be monitored and, if they fail health checks too many times, an automatic repair action will be triggered. + + * `upgrade_options`: Specifies the Auto Upgrade knobs for the node pool. + + * `auto_upgrade_start_time`: This field is set when upgrades are about to commence with the approximate start time for the upgrades, in RFC3339 text format. + + * `description`: This field is set when upgrades are about to commence with the description of the upgrade. + + * `max_pods_constraint`: The constraint on the maximum number of pods that can be run simultaneously on a node in the node pool. + + * `max_pods_per_node`: Constraint enforced on the max num of pods per node. + + * `conditions`: Which conditions caused the current node pool state. + + * `code`: Machine-friendly representation of the condition + Possible values: + * UNKNOWN + * GCE_STOCKOUT + * GKE_SERVICE_ACCOUNT_DELETED + * GCE_QUOTA_EXCEEDED + * SET_BY_OPERATOR + + * `pod_ipv4_cidr_size`: The pod CIDR block size per node in this node pool. + + * `cluster`: The cluster this node pool belongs to. + + * `location`: The location where the node pool is deployed + + +## GCP permissions + +Ensure the [Kubernetes Engine API](https://console.cloud.google.com/apis/library/container.googleapis.com/) is enabled for the current project. diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_container_node_pools.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_container_node_pools.md new file mode 100644 index 0000000..bf100ce --- /dev/null +++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_container_node_pools.md 
@@ -0,0 +1,77 @@ ++++ +title = "google_container_node_pools resource" + +draft = false + + +[menu.gcp] +title = "google_container_node_pools" +identifier = "inspec/resources/gcp/google_container_node_pools resource" +parent = "inspec/resources/gcp" ++++ + +## Syntax + +A `google_container_node_pools` is used to test a Google NodePool resource + + +## Beta Resource +This resource has beta fields available. To retrieve these fields, include `beta: true` in the constructor for the resource. + +## Examples + +```ruby +describe google_container_node_pools(project: 'chef-gcp-inspec', location: 'europe-west2-a', cluster_name: 'gcp-inspec-kube-cluster') do + its('initial_node_counts') { should include '1'} +end +``` + +### Test that there are no more than a specified number of node pools available for the project + + describe google_container_node_pools(project: 'chef-inspec-gcp') do + its('count') { should be <= 10} + end + +### Test that an expected node pool is available for the project + + describe google_container_node_pools(project: 'chef-inspec-gcp') do + its('node_pool_names') { should include "us-east1-b" } + end + +### Test that a subset of all node pools matching "mypool*" are "UP" + + google_container_node_pools(project: 'chef-inspec-gcp', location: 'europe-west2-a', cluster_name: 'inspec-gcp-cluster').where(node_pool_name: /^mypool/).node_pool_names.each do |node_pool_name| + describe google_container_node_pool(project: 'chef-inspec-gcp', location: 'europe-west2-a', cluster_name: 'inspec-gcp-cluster', nodepool_name: node_pool_name) do + it { should exist } + its('status') { should eq 'RUNNING' } + end + end + +## Properties + +Properties that can be accessed from the `google_container_node_pools` resource: + +See [google_container_node_pool](google_container_node_pool) for more detailed information. 
+ + * `node_pool_names`: an array of `google_container_node_pool` name + * `configs`: an array of `google_container_node_pool` config + * `initial_node_counts`: an array of `google_container_node_pool` initial_node_count + * `node_pool_statuses`: an array of `google_container_node_pool` status + * `status_messages`: an array of `google_container_node_pool` status_message + * `versions`: an array of `google_container_node_pool` version + * `autoscalings`: an array of `google_container_node_pool` autoscaling + * `managements`: an array of `google_container_node_pool` management + * `max_pods_constraints`: an array of `google_container_node_pool` max_pods_constraint + * `conditions`: an array of `google_container_node_pool` conditions + * `pod_ipv4_cidr_sizes`: an array of `google_container_node_pool` pod_ipv4_cidr_size + * `clusters`: an array of `google_container_node_pool` cluster + * `locations`: an array of `google_container_node_pool` location + +## Filter criteria + +This resource supports all of the above properties as filter criteria, which can be used +with `where` as a block or a method. + +## GCP permissions + +Ensure the [Kubernetes Engine API](https://console.cloud.google.com/apis/library/container.googleapis.com/) is enabled for the current project. diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_container_regional_cluster.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_container_regional_cluster.md new file mode 100644 index 0000000..9e5ccfd --- /dev/null +++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_container_regional_cluster.md 
@@ -0,0 +1,223 @@ ++++ +title = "google_container_regional_cluster resource" + +draft = false + + +[menu.gcp] +title = "google_container_regional_cluster" +identifier = "inspec/resources/gcp/google_container_regional_cluster resource" +parent = "inspec/resources/gcp" ++++ + +Use the `google_container_regional_cluster` InSpec audit resource to to test a Google Cloud RegionalCluster resource. + +## Examples + +```ruby +describe google_container_regional_cluster(project: 'chef-gcp-inspec', location: 'europe-west2', name: 'inspec-gcp-regional-cluster') do + it { should exist } + its('initial_node_count') { should eq '1'} + its('location') { should eq 'europe-west2'} +end + +describe google_container_regional_cluster(project: 'chef-gcp-inspec', location: 'europe-west2', name: 'nonexistent') do + it { should_not exist } +end +``` + +## Properties + +Properties that can be accessed from the `google_container_regional_cluster` resource: + + + * `name`: The name of this cluster. The name must be unique within this project and location, and can be up to 40 characters. Must be Lowercase letters, numbers, and hyphens only. Must start with a letter. Must end with a number or a letter. + + * `description`: An optional description of this cluster. + + * `initial_node_count`: The number of nodes to create in this cluster. You must ensure that your Compute Engine resource quota is sufficient for this number of instances. You must also have available firewall and routes quota. For requests, this field should only be used in lieu of a "nodePool" object, since this configuration (along with the "nodeConfig") will be used to create a "NodePool" object with an auto-generated name. Do not use this and a nodePool at the same time. This field has been deprecated. Please use nodePool.initial_node_count instead. + + * `node_config`: Parameters used in creating the cluster's nodes. 
For requests, this field should only be used in lieu of a "nodePool" object, since this configuration (along with the "initialNodeCount") will be used to create a "NodePool" object with an auto-generated name. Do not use this and a nodePool at the same time. For responses, this field will be populated with the node configuration of the first node pool. If unspecified, the defaults are used. + + * `machine_type`: The name of a Google Compute Engine machine type (e.g. n1-standard-1). If unspecified, the default machine type is n1-standard-1. + + * `disk_size_gb`: Size of the disk attached to each node, specified in GB. The smallest allowed disk size is 10GB. If unspecified, the default disk size is 100GB. + + * `oauth_scopes`: The set of Google API scopes to be made available on all of the node VMs under the "default" service account. The following scopes are recommended, but not required, and by default are not included: https://www.googleapis.com/auth/compute is required for mounting persistent storage on your nodes. https://www.googleapis.com/auth/devstorage.read_only is required for communicating with gcr.io (the Google Container Registry). If unspecified, no scopes are added, unless Cloud Logging or Cloud Monitoring are enabled, in which case their required scopes will be added. + + * `service_account`: The Google Cloud Platform Service Account to be used by the node VMs. If no Service Account is specified, the "default" service account is used. + + * `metadata`: The metadata key/value pairs assigned to instances in the cluster. Keys must conform to the regexp [a-zA-Z0-9-_]+ and be less than 128 bytes in length. These are reflected as part of a URL in the metadata server. 
Additionally, to avoid ambiguity, keys must not conflict with any other metadata keys for the project or be one of the four reserved keys: "instance-template", "kube-env", "startup-script", and "user-data" Values are free-form strings, and only have meaning as interpreted by the image running in the instance. The only restriction placed on them is that each value's size must be less than or equal to 32 KB. The total size of all keys and values must be less than 512 KB. An object containing a list of "key": value pairs. Example: { "name": "wrench", "mass": "1.3kg", "count": "3" }. + + * `image_type`: The image type to use for this node. Note that for a given image type, the latest version of it will be used. + + * `labels`: The map of Kubernetes labels (key/value pairs) to be applied to each node. These will added in addition to any default label(s) that Kubernetes may apply to the node. In case of conflict in label keys, the applied set may differ depending on the Kubernetes version -- it's best to assume the behavior is undefined and conflicts should be avoided. For more information, including usage and the valid values, see: http://kubernetes.io/v1.1/docs/user-guide/labels.html An object containing a list of "key": value pairs. Example: { "name": "wrench", "mass": "1.3kg", "count": "3" }. + + * `local_ssd_count`: The number of local SSD disks to be attached to the node. The limit for this value is dependant upon the maximum number of disks available on a machine per zone. See: https://cloud.google.com/compute/docs/disks/local-ssd#local_ssd_limits for more information. + + * `tags`: The list of instance tags applied to all nodes. Tags are used to identify valid sources or targets for network firewalls and are specified by the client during cluster or node pool creation. Each tag within the list must comply with RFC1035. + + * `preemptible`: Whether the nodes are created as preemptible VM instances. 
See: https://cloud.google.com/compute/docs/instances/preemptible for more information about preemptible VM instances. + + * `accelerators`: A list of hardware accelerators to be attached to each node. See https://cloud.google.com/compute/docs/gpus for more information about support for GPUs. + + * `accelerator_count`: The number of accelerator cards exposed to an instance. + + * `accelerator_type`: The accelerator type resource name + + * `disk_type`: Type of the disk attached to each node (e.g. 'pd-standard' or 'pd-ssd') If unspecified, the default disk type is 'pd-standard' + + * `min_cpu_platform`: Minimum CPU platform to be used by this instance. The instance may be scheduled on the specified or newer CPU platform. + + * `taints`: List of kubernetes taints to be applied to each node. For more information, including usage and the valid values, see: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/ + + * `key`: Key for taint + + * `value`: Value for taint + + * `effect`: Effect for taint + + * `master_auth`: The authentication information for accessing the master endpoint. + + * `username`: The username to use for HTTP basic authentication to the master endpoint. + + * `password`: The password to use for HTTP basic authentication to the master endpoint. Because the master endpoint is open to the Internet, you should create a strong password with a minimum of 16 characters. + + * `client_certificate_config`: Configuration for client certificate authentication on the cluster. For clusters before v1.12, if no configuration is specified, a client certificate is issued. + + * `issue_client_certificate`: Issue a client certificate. + + * `cluster_ca_certificate`: Base64-encoded public certificate that is the root of trust for the cluster. + + * `client_certificate`: Base64-encoded public certificate used by clients to authenticate to the cluster endpoint. 
+ + * `client_key`: Base64-encoded private key used by clients to authenticate to the cluster endpoint. + + * `logging_service`: The logging service the cluster should use to write logs. Currently available options: logging.googleapis.com - the Google Cloud Logging service. none - no logs will be exported from the cluster. if left as an empty string,logging.googleapis.com will be used. + + * `monitoring_service`: The monitoring service the cluster should use to write metrics. Currently available options: monitoring.googleapis.com - the Google Cloud Monitoring service. none - no metrics will be exported from the cluster. if left as an empty string, monitoring.googleapis.com will be used. + + * `network`: The name of the Google Compute Engine network to which the cluster is connected. If left unspecified, the default network will be used. + + * `private_cluster_config`: Configuration for a private cluster. + + * `enable_private_nodes`: Whether nodes have internal IP addresses only. If enabled, all nodes are given only RFC 1918 private addresses and communicate with the master via private networking. + + * `enable_private_endpoint`: Whether the master's internal IP address is used as the cluster endpoint. + + * `master_ipv4_cidr_block`: The IP range in CIDR notation to use for the hosted master network. This range will be used for assigning internal IP addresses to the master or set of masters, as well as the ILB VIP. This range must not overlap with any other ranges in use within the cluster's network. + + * `private_endpoint`: The internal IP address of this cluster's master endpoint. + + * `public_endpoint`: The external IP address of this cluster's master endpoint. + + * `cluster_ipv4_cidr`: The IP address range of the container pods in this cluster, in CIDR notation (e.g. 10.96.0.0/14). Leave blank to have one automatically chosen or specify a /14 block in 10.0.0.0/8. + + * `enable_tpu`: (Optional) Whether to enable Cloud TPU resources in this cluster. 
See the official documentation - https://cloud.google.com/tpu/docs/kubernetes-engine-setup + + * `tpu_ipv4_cidr_block`: The IP address range of the Cloud TPUs in this cluster, in [CIDR](http://en.wikipedia.org/wiki/Classless_Inter-Domain_Routing) notation (e.g. `1.2.3.4/29`). + + * `addons_config`: Configurations for the various addons available to run in the cluster. + + * `http_load_balancing`: Configuration for the HTTP (L7) load balancing controller addon, which makes it easy to set up HTTP load balancers for services in a cluster. + + * `disabled`: Whether the HTTP Load Balancing controller is enabled in the cluster. When enabled, it runs a small pod in the cluster that manages the load balancers. + + * `horizontal_pod_autoscaling`: Configuration for the horizontal pod autoscaling feature, which increases or decreases the number of replica pods a replication controller has based on the resource usage of the existing pods. + + * `disabled`: Whether the Horizontal Pod Autoscaling feature is enabled in the cluster. When enabled, it ensures that a Heapster pod is running in the cluster, which is also used by the Cloud Monitoring service. + + * `kubernetes_dashboard`: Configuration for the Kubernetes Dashboard. This addon is deprecated, and will be disabled in 1.15. It is recommended to use the Cloud Console to manage and monitor your Kubernetes clusters, workloads and applications. + + * `disabled`: Whether the Kubernetes Dashboard is enabled for this cluster. + + * `network_policy_config`: Configuration for NetworkPolicy. This only tracks whether the addon is enabled or not on the Master, it does not track whether network policy is enabled for the nodes. + + * `disabled`: Whether NetworkPolicy is enabled for this cluster. + + * `subnetwork`: The name of the Google Compute Engine subnetwork to which the cluster is connected. + + * `locations`: The list of Google Compute Engine zones in which the cluster's nodes should be located. 
+ + * `resource_labels`: The resource labels for the cluster to use to annotate any related Google Compute Engine resources. + + * `label_fingerprint`: The fingerprint of the set of labels for this cluster. + + * `legacy_abac`: Configuration for the legacy ABAC authorization mode. + + * `enabled`: Whether the ABAC authorizer is enabled for this cluster. When enabled, identities in the system, including service accounts, nodes, and controllers, will have statically granted permissions beyond those provided by the RBAC configuration or IAM. + + * `network_policy`: Configuration options for the NetworkPolicy feature. + + * `provider`: The selected network policy provider. + + * `enabled`: Whether network policy is enabled on the cluster. + + * `default_max_pods_constraint`: The default constraint on the maximum number of pods that can be run simultaneously on a node in the node pool of this cluster. Only honored if cluster created with IP Alias support. + + * `max_pods_per_node`: Constraint enforced on the max num of pods per node. + + * `ip_allocation_policy`: Configuration for controlling how IPs are allocated in the cluster + + * `use_ip_aliases`: Whether alias IPs will be used for pod IPs in the cluster + + * `create_subnetwork`: Whether a new subnetwork will be created automatically for the cluster + + * `subnetwork_name`: A custom subnetwork name to be used if createSubnetwork is true. If this field is empty, then an automatic name will be chosen for the new subnetwork. + + * `cluster_secondary_range_name`: The name of the secondary range to be used for the cluster CIDR block. The secondary range will be used for pod IP addresses. This must be an existing secondary range associated with the cluster subnetwork + + * `services_secondary_range_name`: The name of the secondary range to be used as for the services CIDR block. The secondary range will be used for service ClusterIPs. This must be an existing secondary range associated with the cluster subnetwork. 
+ + * `cluster_ipv4_cidr_block`: The IP address range for the cluster pod IPs. If this field is set, then cluster.cluster_ipv4_cidr must be left blank. This field is only applicable when useIpAliases is true. Set to blank to have a range chosen with the default size. Set to /netmask (e.g. /14) to have a range chosen with a specific netmask. + + * `node_ipv4_cidr_block`: The IP address range of the instance IPs in this cluster. This is applicable only if createSubnetwork is true. Set to blank to have a range chosen with the default size. Set to /netmask (e.g. /14) to have a range chosen with a specific netmask. + + * `services_ipv4_cidr_block`: The IP address range of the services IPs in this cluster. If blank, a range will be automatically chosen with the default size. This field is only applicable when useIpAliases is true. Set to blank to have a range chosen with the default size. Set to /netmask (e.g. /14) to have a range chosen with a specific netmask. + + * `tpu_ipv4_cidr_block`: The IP address range of the Cloud TPUs in this cluster. If unspecified, a range will be automatically chosen with the default size. This field is only applicable when useIpAliases is true. If unspecified, the range will use the default size. Set to /netmask (e.g. /14) to have a range chosen with a specific netmask. + + * `endpoint`: The IP address of this cluster's master endpoint. The endpoint can be accessed from the internet at https://username:password@endpoint/ See the masterAuth property of this resource for username and password information. + + * `initial_cluster_version`: The software version of the master endpoint and kubelets used in the cluster when it was first created. The version can be upgraded over time. + + * `current_master_version`: The current software version of the master endpoint. + + * `current_node_version`: The current version of the node software components. 
If they are currently at multiple versions because they're in the process of being upgraded, this reflects the minimum version of all nodes. + + * `create_time`: The time the cluster was created, in RFC3339 text format. + + * `status`: The current status of this cluster. + + * `status_message`: Additional information about the current status of this cluster, if available. + + * `node_ipv4_cidr_size`: The size of the address space on each node for hosting containers. This is provisioned from within the container_ipv4_cidr range. + + * `services_ipv4_cidr`: The IP address range of the Kubernetes services in this cluster, in CIDR notation (e.g. 1.2.3.4/29). Service addresses are typically put in the last /16 from the container CIDR. + + * `current_node_count`: The number of nodes currently in the cluster. + + * `expire_time`: The time the cluster will be automatically deleted in RFC3339 text format. + + * `conditions`: Which conditions caused the current cluster state. + + * `code`: Machine-friendly representation of the condition + + * `message`: Human-friendly representation of the condition + + * `master_authorized_networks_config`: Configuration for controlling how IPs are allocated in the cluster + + * `enabled`: Whether or not master authorized networks is enabled. + + * `cidr_blocks`: Define up to 50 external networks that could access Kubernetes master through HTTPS. + + * `display_name`: Optional field used to identify cidr blocks + + * `cidr_block`: Block specified in CIDR notation + + * `location`: The location where the cluster is deployed + + +## GCP permissions + +Ensure the [Kubernetes Engine API](https://console.cloud.google.com/apis/library/container.googleapis.com/) is enabled for the current project. diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_container_regional_clusters.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_container_regional_clusters.md new file mode 100644 index 0000000..5f70ea0 
--- /dev/null +++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_container_regional_clusters.md 
@@ -0,0 +1,74 @@ ++++ +title = "google_container_regional_clusters resource" + +draft = false + + +[menu.gcp] +title = "google_container_regional_clusters" +identifier = "inspec/resources/gcp/google_container_regional_clusters resource" +parent = "inspec/resources/gcp" ++++ + +Use the `google_container_regional_clusters` InSpec audit resource to to test a Google Cloud RegionalCluster resource. + +## Examples + +```ruby +describe google_container_regional_clusters(project: 'chef-gcp-inspec', location: 'europe-west2') do + its('count') { should be >= 1 } + its('names') { should include 'inspec-gcp-regional-cluster' } + its('initial_node_counts') { should include '1'} +end +``` + +## Properties + +Properties that can be accessed from the `google_container_regional_clusters` resource: + +See [google_container_regional_cluster](google_container_regional_cluster) for more detailed information. + + * `names`: an array of `google_container_regional_cluster` name + * `descriptions`: an array of `google_container_regional_cluster` description + * `initial_node_counts`: an array of `google_container_regional_cluster` initial_node_count + * `node_configs`: an array of `google_container_regional_cluster` node_config + * `master_auths`: an array of `google_container_regional_cluster` master_auth + * `logging_services`: an array of `google_container_regional_cluster` logging_service + * `monitoring_services`: an array of `google_container_regional_cluster` monitoring_service + * `networks`: an array of `google_container_regional_cluster` network + * `private_cluster_configs`: an array of `google_container_regional_cluster` private_cluster_config + * `cluster_ipv4_cidrs`: an array of `google_container_regional_cluster` cluster_ipv4_cidr + * `enable_tpus`: an array of `google_container_regional_cluster` enable_tpu + * `tpu_ipv4_cidr_blocks`: an array of `google_container_regional_cluster` tpu_ipv4_cidr_block + * `addons_configs`: an array of `google_container_regional_cluster` 
addons_config + * `subnetworks`: an array of `google_container_regional_cluster` subnetwork + * `locations`: an array of `google_container_regional_cluster` locations + * `resource_labels`: an array of `google_container_regional_cluster` resource_labels + * `label_fingerprints`: an array of `google_container_regional_cluster` label_fingerprint + * `legacy_abacs`: an array of `google_container_regional_cluster` legacy_abac + * `network_policies`: an array of `google_container_regional_cluster` network_policy + * `default_max_pods_constraints`: an array of `google_container_regional_cluster` default_max_pods_constraint + * `ip_allocation_policies`: an array of `google_container_regional_cluster` ip_allocation_policy + * `endpoints`: an array of `google_container_regional_cluster` endpoint + * `initial_cluster_versions`: an array of `google_container_regional_cluster` initial_cluster_version + * `current_master_versions`: an array of `google_container_regional_cluster` current_master_version + * `current_node_versions`: an array of `google_container_regional_cluster` current_node_version + * `create_times`: an array of `google_container_regional_cluster` create_time + * `statuses`: an array of `google_container_regional_cluster` status + * `status_messages`: an array of `google_container_regional_cluster` status_message + * `node_ipv4_cidr_sizes`: an array of `google_container_regional_cluster` node_ipv4_cidr_size + * `services_ipv4_cidrs`: an array of `google_container_regional_cluster` services_ipv4_cidr + * `current_node_counts`: an array of `google_container_regional_cluster` current_node_count + * `expire_times`: an array of `google_container_regional_cluster` expire_time + * `conditions`: an array of `google_container_regional_cluster` conditions + * `master_authorized_networks_configs`: an array of `google_container_regional_cluster` master_authorized_networks_config + * `locations`: an array of `google_container_regional_cluster` location + +## Filter criteria 
+ +This resource supports all of the above properties as filter criteria, which can be used +with `where` as a block or a method. + +## GCP permissions + +Ensure the [Kubernetes Engine API](https://console.cloud.google.com/apis/library/container.googleapis.com/) is enabled for the current project. diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_container_regional_node_pool.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_container_regional_node_pool.md new file mode 100644 index 0000000..cc8c494 --- /dev/null +++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_container_regional_node_pool.md 
@@ -0,0 +1,120 @@ ++++ +title = "google_container_regional_node_pool resource" + +draft = false + + +[menu.gcp] +title = "google_container_regional_node_pool" +identifier = "inspec/resources/gcp/google_container_regional_node_pool resource" +parent = "inspec/resources/gcp" ++++ + +Use the `google_container_regional_node_pool` InSpec audit resource to to test a Google Cloud RegionalNodePool resource. + +## Examples + +```ruby +describe google_container_regional_node_pool(project: 'chef-gcp-inspec', location: 'europe-west2', cluster: 'inspec-gcp-regional-cluster', name: 'inspec-gcp-regional-node-pool') do + it { should exist } + its('initial_node_count') { should eq '1'} +end + +describe google_container_regional_node_pool(project: 'chef-gcp-inspec', location: 'europe-west2', cluster: 'inspec-gcp-regional-cluster', name: 'nonexistent') do + it { should_not exist } +end +``` + +## Properties + +Properties that can be accessed from the `google_container_regional_node_pool` resource: + + + * `name`: The name of the node pool. + + * `config`: The node configuration of the pool. + + * `machine_type`: The name of a Google Compute Engine machine type (e.g. n1-standard-1). If unspecified, the default machine type is n1-standard-1. + + * `disk_size_gb`: Size of the disk attached to each node, specified in GB. The smallest allowed disk size is 10GB. If unspecified, the default disk size is 100GB. + + * `oauth_scopes`: The set of Google API scopes to be made available on all of the node VMs under the "default" service account. The following scopes are recommended, but not required, and by default are not included: https://www.googleapis.com/auth/compute is required for mounting persistent storage on your nodes. https://www.googleapis.com/auth/devstorage.read_only is required for communicating with gcr.io (the Google Container Registry). If unspecified, no scopes are added, unless Cloud Logging or Cloud Monitoring are enabled, in which case their required scopes will be added. 
+ + * `service_account`: The Google Cloud Platform Service Account to be used by the node VMs. If no Service Account is specified, the "default" service account is used. + + * `metadata`: The metadata key/value pairs assigned to instances in the cluster. Keys must conform to the regexp [a-zA-Z0-9-_]+ and be less than 128 bytes in length. These are reflected as part of a URL in the metadata server. Additionally, to avoid ambiguity, keys must not conflict with any other metadata keys for the project or be one of the four reserved keys: "instance-template", "kube-env", "startup-script", and "user-data" Values are free-form strings, and only have meaning as interpreted by the image running in the instance. The only restriction placed on them is that each value's size must be less than or equal to 32 KB. The total size of all keys and values must be less than 512 KB. An object containing a list of "key": value pairs. Example: { "name": "wrench", "mass": "1.3kg", "count": "3" }. + + * `image_type`: The image type to use for this node. Note that for a given image type, the latest version of it will be used. + + * `labels`: The map of Kubernetes labels (key/value pairs) to be applied to each node. These will added in addition to any default label(s) that Kubernetes may apply to the node. In case of conflict in label keys, the applied set may differ depending on the Kubernetes version -- it's best to assume the behavior is undefined and conflicts should be avoided. For more information, including usage and the valid values, see: http://kubernetes.io/v1.1/docs/user-guide/labels.html An object containing a list of "key": value pairs. Example: { "name": "wrench", "mass": "1.3kg", "count": "3" }. + + * `local_ssd_count`: The number of local SSD disks to be attached to the node. The limit for this value is dependant upon the maximum number of disks available on a machine per zone. See: https://cloud.google.com/compute/docs/disks/local-ssd#local_ssd_limits for more information. 
+ + * `tags`: The list of instance tags applied to all nodes. Tags are used to identify valid sources or targets for network firewalls and are specified by the client during cluster or node pool creation. Each tag within the list must comply with RFC1035. + + * `preemptible`: Whether the nodes are created as preemptible VM instances. See: https://cloud.google.com/compute/docs/instances/preemptible for more information about preemptible VM instances. + + * `accelerators`: A list of hardware accelerators to be attached to each node + + * `accelerator_count`: The number of the accelerator cards exposed to an instance. + + * `accelerator_type`: The accelerator type resource name + + * `disk_type`: Type of the disk attached to each node (e.g. 'pd-standard' or 'pd-ssd') If unspecified, the default disk type is 'pd-standard' + + * `min_cpu_platform`: Minimum CPU platform to be used by this instance. The instance may be scheduled on the specified or newer CPU platform + + * `taints`: List of kubernetes taints to be applied to each node. + + * `key`: Key for taint + + * `value`: Value for taint + + * `effect`: Effect for taint + + * `initial_node_count`: The initial node count for the pool. You must ensure that your Compute Engine resource quota is sufficient for this number of instances. You must also have available firewall and routes quota. + + * `status`: Status of nodes in this pool instance + + * `status_message`: Additional information about the current status of this node pool instance + + * `version`: The version of the Kubernetes of this node. + + * `autoscaling`: Autoscaler configuration for this NodePool. Autoscaler is enabled only if a valid configuration is present. + + * `enabled`: Is autoscaling enabled for this node pool. + + * `min_node_count`: Minimum number of nodes in the NodePool. Must be >= 1 and <= maxNodeCount. + + * `max_node_count`: Maximum number of nodes in the NodePool. Must be >= minNodeCount. There has to enough quota to scale up the cluster. 
+ + * `management`: Management configuration for this NodePool. + + * `auto_upgrade`: A flag that specifies whether node auto-upgrade is enabled for the node pool. If enabled, node auto-upgrade helps keep the nodes in your node pool up to date with the latest release version of Kubernetes. + + * `auto_repair`: A flag that specifies whether the node auto-repair is enabled for the node pool. If enabled, the nodes in this node pool will be monitored and, if they fail health checks too many times, an automatic repair action will be triggered. + + * `upgrade_options`: Specifies the Auto Upgrade knobs for the node pool. + + * `auto_upgrade_start_time`: This field is set when upgrades are about to commence with the approximate start time for the upgrades, in RFC3339 text format. + + * `description`: This field is set when upgrades are about to commence with the description of the upgrade. + + * `max_pods_constraint`: The constraint on the maximum number of pods that can be run simultaneously on a node in the node pool. + + * `max_pods_per_node`: Constraint enforced on the max num of pods per node. + + * `conditions`: Which conditions caused the current node pool state. + + * `code`: Machine-friendly representation of the condition + + * `pod_ipv4_cidr_size`: The pod CIDR block size per node in this node pool. + + * `cluster`: The cluster this node pool belongs to. + + * `location`: The location where the node pool is deployed + + +## GCP permissions + +Ensure the [Kubernetes Engine API](https://console.cloud.google.com/apis/library/container.googleapis.com/) is enabled for the current project. diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_container_regional_node_pools.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_container_regional_node_pools.md new file mode 100644 index 0000000..280acae --- /dev/null +++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_container_regional_node_pools.md 
@@ -0,0 +1,50 @@ ++++ +title = "google_container_regional_node_pools resource" + +draft = false + + +[menu.gcp] +title = "google_container_regional_node_pools" +identifier = "inspec/resources/gcp/google_container_regional_node_pools resource" +parent = "inspec/resources/gcp" ++++ + +Use the `google_container_regional_node_pools` InSpec audit resource to to test a Google Cloud RegionalNodePool resource. + +## Examples + +```ruby +describe google_container_regional_node_pools(project: 'chef-gcp-inspec', location: 'europe-west2', cluster: 'inspec-gcp-regional-cluster') do + its('initial_node_counts') { should include '1'} +end +``` + +## Properties + +Properties that can be accessed from the `google_container_regional_node_pools` resource: + +See [google_container_regional_node_pool](google_container_regional_node_pool) for more detailed information. + + * `names`: an array of `google_container_regional_node_pool` name + * `configs`: an array of `google_container_regional_node_pool` config + * `initial_node_counts`: an array of `google_container_regional_node_pool` initial_node_count + * `statuses`: an array of `google_container_regional_node_pool` status + * `status_messages`: an array of `google_container_regional_node_pool` status_message + * `versions`: an array of `google_container_regional_node_pool` version + * `autoscalings`: an array of `google_container_regional_node_pool` autoscaling + * `managements`: an array of `google_container_regional_node_pool` management + * `max_pods_constraints`: an array of `google_container_regional_node_pool` max_pods_constraint + * `conditions`: an array of `google_container_regional_node_pool` conditions + * `pod_ipv4_cidr_sizes`: an array of `google_container_regional_node_pool` pod_ipv4_cidr_size + * `clusters`: an array of `google_container_regional_node_pool` cluster + * `locations`: an array of `google_container_regional_node_pool` location + +## Filter criteria + +This resource supports all of the above properties as 
filter criteria, which can be used +with `where` as a block or a method. + +## GCP permissions + +Ensure the [Kubernetes Engine API](https://console.cloud.google.com/apis/library/container.googleapis.com/) is enabled for the current project. diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_container_server_config.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_container_server_config.md new file mode 100644 index 0000000..34dc187 --- /dev/null +++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_container_server_config.md 
@@ -0,0 +1,56 @@ ++++ +title = "google_container_server_config resource" + +draft = false + + +[menu.gcp] +title = "google_container_server_config" +identifier = "inspec/resources/gcp/google_container_server_config resource" +parent = "inspec/resources/gcp" ++++ + +Use the `google_container_server_config` InSpec audit resource to to test a Google Cloud ServerConfig resource. + +## Examples + +```ruby +describe google_container_server_config(project: 'chef-gcp-inspec', location: 'europe-west2-a') do + its('valid_master_versions') { should include '1.21.5-gke.1802'} +end +``` + +## Properties + +Properties that can be accessed from the `google_container_server_config` resource: + + + * `default_cluster_version`: Version of Kubernetes the service deploys by default. + + * `default_image_type`: Default image type. + + * `valid_image_types`: List of valid image types. + + * `valid_node_versions`: List of valid node upgrade target versions, in descending order. + + * `valid_master_versions`: List of valid master versions, in descending order. + + * `channels`: List of release channel configurations. + + * `channel`: The release channel this configuration applies to. + Possible values: + * UNSPECIFIED + * RAPID + * REGULAR + * STABLE + + * `default_version`: The default version for newly created clusters on the channel. + + * `valid_versions`: List of valid versions for the channel. + + * `location`: The name of the Google Compute Engine location to return ServerConfig for. + + +## GCP permissions + +Ensure the [Kubernetes Engine API](https://console.cloud.google.com/apis/library/container.googleapis.com/) is enabled for the current project. diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_data_fusion_instance.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_data_fusion_instance.md new file mode 100644 index 0000000..ca3c299 --- /dev/null 
+++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_data_fusion_instance.md 
@@ -0,0 +1,219 @@ ++++ +title = "google_data_fusion_instance resource" + +draft = false + + + +[menu.gcp] +title = "google_data_fusion_instance" +identifier = "inspec/resources/gcp/google_data_fusion_instance resource" +parent = "inspec/resources/gcp" ++++ + +Use the `google_data_fusion_instance` InSpec audit resource to test the properties of a Google Cloud Instance resource. + +## Examples + +```ruby +describe google_data_fusion_instance(name: 'projects/*/locations/*/instances/inspec-instance') do + it { should exist } + its('name') { should cmp 'inspec-instance' } + its('description') { should cmp 'value_description' } + its('type') { should cmp 'value_type' } + its('create_time') { should cmp 'value_create_time' } + its('update_time') { should cmp 'value_update_time' } + its('state') { should cmp 'value_state' } + its('state_message') { should cmp 'value_state_message' } + its('service_endpoint') { should cmp 'value_service_endpoint' } + its('zone') { should cmp 'value_zone' } + its('version') { should cmp 'value_version' } + its('service_account') { should cmp 'value_service_account' } + its('display_name') { should cmp 'value_display_name' } + its('api_endpoint') { should cmp 'value_api_endpoint' } + its('gcs_bucket') { should cmp 'value_gcs_bucket' } + its('p4service_account') { should cmp 'value_p4service_account' } + its('tenant_project_id') { should cmp 'value_tenant_project_id' } + its('dataproc_service_account') { should cmp 'value_dataproc_service_account' } + its('workforce_identity_service_endpoint') { should cmp 'value_workforce_identity_service_endpoint' } + its('patch_revision') { should cmp 'value_patch_revision' } +end + +describe google_data_fusion_instance(name: "does_not_exit") do + it { should_not exist } +end +``` + +## Parameters + +Parameters that can be accessed from the `google_data_fusion_instance` resource: + +## Properties + +Properties that can be accessed from the `google_data_fusion_instance` resource: + + + * `name`: Output only. 
The name of this instance is in the form of projects/{project}/locations/{location}/instances/{instance}. + + * `description`: A description of this instance. + + * `type`: Required. Instance type. + Possible values: + * TYPE_UNSPECIFIED + * BASIC + * ENTERPRISE + * DEVELOPER + + * `enable_stackdriver_logging`: Option to enable Stackdriver Logging. + + * `enable_stackdriver_monitoring`: Option to enable Stackdriver Monitoring. + + * `private_instance`: Specifies whether the Data Fusion instance should be private. If set to true, all Data Fusion nodes will have private IP addresses and will not be able to access the public internet. + + * `network_config`: Network configuration for a Data Fusion instance. These configurations are used for peering with the customer network. Configurations are optional when a public Data Fusion instance is to be created. However, providing these configurations allows several benefits, such as reduced network latency while accessing the customer resources from managed Data Fusion instance nodes, as well as access to the customer on-prem resources. + + * `network`: Optional. Name of the network in the customer project with which the Tenant Project will be peered for executing pipelines. In case of shared VPC where the network resides in another host project the network should specified in the form of projects/{host-project-id}/global/networks/{network}. This is only required for connectivity type VPC_PEERING. + + * `ip_allocation`: Optional. The IP range in CIDR notation to use for the managed Data Fusion instance nodes. This range must not overlap with any other ranges used in the Data Fusion instance network. This is required only when using connection type VPC_PEERING. Format: a.b.c.d/22 Example: 192.168.0.0/22 + + * `connection_type`: Optional. 
Type of connection for establishing private IP connectivity between the Data Fusion customer project VPC and the corresponding tenant project from a predefined list of available connection modes. If this field is unspecified for a private instance, VPC peering is used. + Possible values: + * CONNECTION_TYPE_UNSPECIFIED + * VPC_PEERING + * PRIVATE_SERVICE_CONNECT_INTERFACES + + * `private_service_connect_config`: Configuration for using Private Service Connect to establish connectivity between the Data Fusion consumer project and the corresponding tenant project. + + * `network_attachment`: Required. The reference to the network attachment used to establish private connectivity. It will be of the form projects/{project-id}/regions/{region}/networkAttachments/{network-attachment-id}. + + * `unreachable_cidr_block`: Optional. Input only. The CIDR block to which the CDF instance can't route traffic to in the consumer project VPC. The size of this block should be at least /25. This range should not overlap with the primary address range of any subnetwork used by the network attachment. This range can be used for other purposes in the consumer VPC as long as there is no requirement for CDF to reach destinations using these addresses. If this value is not provided, the server chooses a non RFC 1918 address range. The format of this field is governed by RFC 4632. Example: 192.168.0.0/25 + + * `effective_unreachable_cidr_block`: Output only. The CIDR block to which the CDF instance can't route traffic to in the consumer project VPC. The size of this block is /25. The format of this field is governed by RFC 4632. Example: 240.0.0.0/25 + + * `labels`: The resource labels for instance to use to annotate any related underlying resources such as Compute Engine VMs. The character '=' is not allowed to be used within the labels. + + * `additional_properties`: + + * `options`: Map of additional options used to configure the behavior of Data Fusion instance. 
+ + * `additional_properties`: + + * `create_time`: Output only. The time the instance was created. + + * `update_time`: Output only. The time the instance was last updated. + + * `state`: Output only. The current state of this Data Fusion instance. + Possible values: + * STATE_UNSPECIFIED + * CREATING + * ACTIVE + * FAILED + * DELETING + * UPGRADING + * RESTARTING + * UPDATING + * AUTO_UPDATING + * AUTO_UPGRADING + * DISABLED + + * `state_message`: Output only. Additional information about the current state of this Data Fusion instance if available. + + * `service_endpoint`: Output only. Endpoint on which the Data Fusion UI is accessible. + + * `zone`: Name of the zone in which the Data Fusion instance will be created. Only DEVELOPER instances use this field. + + * `version`: Current version of the Data Fusion. Only specifiable in Update. + + * `service_account`: Output only. Deprecated. Use tenant_project_id instead to extract the tenant project ID. + + * `display_name`: Display name for an instance. + + * `available_version`: Output only. Available versions that the instance can be upgraded to using UpdateInstanceRequest. + + * `version_number`: The version number of the Data Fusion instance, such as '6.0.1.0'. + + * `default_version`: Whether this is currently the default version for Cloud Data Fusion + + * `available_features`: Represents a list of available feature names for a given version. + + * `type`: Type represents the release availability of the version + Possible values: + * TYPE_UNSPECIFIED + * TYPE_PREVIEW + * TYPE_GENERAL_AVAILABILITY + + * `api_endpoint`: Output only. Endpoint on which the REST APIs is accessible. + + * `gcs_bucket`: Output only. Cloud Storage bucket generated by Data Fusion in the customer project. + + * `accelerators`: Output only. List of accelerators enabled for this CDF instance. + + * `accelerator_type`: Optional. The type of an accelator for a Cloud Data Fusion instance. 
+ Possible values: + * ACCELERATOR_TYPE_UNSPECIFIED + * CDC + * HEALTHCARE + * CCAI_INSIGHTS + * CLOUDSEARCH + + * `state`: Output only. The state of the accelerator. + Possible values: + * STATE_UNSPECIFIED + * ENABLED + * DISABLED + * UNKNOWN + + * `p4_service_account`: Output only. Service agent for the customer project. + + * `tenant_project_id`: Output only. The name of the tenant project. + + * `dataproc_service_account`: User-managed service account to set on Dataproc when Cloud Data Fusion creates Dataproc to run data processing pipelines. This allows users to have fine-grained access control on Dataproc's accesses to cloud resources. + + * `enable_rbac`: Option to enable granular role-based access control. + + * `crypto_key_config`: The crypto key configuration. This field is used by the Customer-managed encryption keys (CMEK) feature. + + * `key_reference`: The name of the key which is used to encrypt/decrypt customer data. For key in Cloud KMS, the key should be in the format of `projects/*/locations/*/keyRings/*/cryptoKeys/*`. + + * `disabled_reason`: Output only. If the instance state is DISABLED, the reason for disabling the instance. + + * `event_publish_config`: Confirguration of PubSubEventWriter. + + * `enabled`: Required. Option to enable Event Publishing. + + * `topic`: Required. The resource name of the Pub/Sub topic. Format: projects/{project_id}/topics/{topic_id} + + * `enable_zone_separation`: Option to enable granular zone separation. + + * `satisfies_pzs`: Output only. Reserved for future use. + + * `workforce_identity_service_endpoint`: Output only. Endpoint on which the Data Fusion UI is accessible to third-party users + + * `patch_revision`: Optional. Current patch revision of the Data Fusion. + + * `dataplex_data_lineage_integration_enabled`: Optional. Option to enable the Dataplex Lineage Integration feature. + + * `maintenance_policy`: Maintenance policy of the instance. + + * `maintenance_window`: Maintenance window of the instance. 
+ + * `recurring_time_window`: Represents an arbitrary window of time that recurs. + + * `window`: Represents an arbitrary window of time. + + * `start_time`: Required. The start time of the time window provided in [RFC 3339](https://www.ietf.org/rfc/rfc3339.txt) format. Example: "2024-01-01T12:04:06-04:00" + + * `end_time`: Required. The end time of the time window provided in [RFC 3339](https://www.ietf.org/rfc/rfc3339.txt) format. The end time should take place after the start time. Example: "2024-01-02T12:04:06-06:00" + + * `recurrence`: Required. An RRULE with format [RFC-5545](https://tools.ietf.org/html/rfc5545#section-3.8.5.3) for how this window reccurs. They go on for the span of time between the start and end time. The only supported FREQ value is "WEEKLY". To have something repeat every weekday, use: "FREQ=WEEKLY;BYDAY=MO,TU,WE,TH,FR". This specifies how frequently the window starts. To have a 9 am - 5 pm UTC-4 window every weekday, use something like: ``` start time = 2019-01-01T09:00:00-0400 end time = 2019-01-01T17:00:00-0400 recurrence = FREQ=WEEKLY;BYDAY=MO,TU,WE,TH,FR ``` + + * `maintenance_exclusion_window`: Represents an arbitrary window of time. + + * `start_time`: Required. The start time of the time window provided in [RFC 3339](https://www.ietf.org/rfc/rfc3339.txt) format. Example: "2024-01-01T12:04:06-04:00" + + * `end_time`: Required. The end time of the time window provided in [RFC 3339](https://www.ietf.org/rfc/rfc3339.txt) format. The end time should take place after the start time. Example: "2024-01-02T12:04:06-06:00" + + +## GCP permissions + +Ensure the [Cloud Data Fusion API](https://console.cloud.google.com/apis/library/datafusion.googleapis.com) is enabled for the current project. diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_data_fusion_instances.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_data_fusion_instances.md new file mode 100644 index 0000000..773cba5 --- /dev/null 
+++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_data_fusion_instances.md 
@@ -0,0 +1,115 @@ ++++ +title = "google_data_fusion_instances resource" + +draft = false + + + +[menu.gcp] +title = "google_data_fusion_instances" +identifier = "inspec/resources/gcp/google_data_fusion_instances resource" +parent = "inspec/resources/gcp" ++++ + +Use the `google_data_fusion_instances` InSpec audit resource to test the properties of a Google Cloud Instance resource. + +## Examples + +```ruby + describe google_data_fusion_instances(parent: 'projects/*/locations/*') do + it { should exist } + end +``` + +## Parameters + +Parameters that can be accessed from the `google_data_fusion_instances` resource: + +See [google_data_fusion_instance](google_data_fusion_instance) for more detailed information. + +* `names`: an array of `google_data_fusion_instance` name +* `descriptions`: an array of `google_data_fusion_instance` description +* `types`: an array of `google_data_fusion_instance` type +* `enable_stackdriver_loggings`: an array of `google_data_fusion_instance` enable_stackdriver_logging +* `enable_stackdriver_monitorings`: an array of `google_data_fusion_instance` enable_stackdriver_monitoring +* `private_instances`: an array of `google_data_fusion_instance` private_instance +* `network_configs`: an array of `google_data_fusion_instance` network_config +* `labels`: an array of `google_data_fusion_instance` labels +* `options`: an array of `google_data_fusion_instance` options +* `create_times`: an array of `google_data_fusion_instance` create_time +* `update_times`: an array of `google_data_fusion_instance` update_time +* `states`: an array of `google_data_fusion_instance` state +* `state_messages`: an array of `google_data_fusion_instance` state_message +* `service_endpoints`: an array of `google_data_fusion_instance` service_endpoint +* `zones`: an array of `google_data_fusion_instance` zone +* `versions`: an array of `google_data_fusion_instance` version +* `service_accounts`: an array of `google_data_fusion_instance` service_account +* 
`display_names`: an array of `google_data_fusion_instance` display_name +* `available_versions`: an array of `google_data_fusion_instance` available_version +* `api_endpoints`: an array of `google_data_fusion_instance` api_endpoint +* `gcs_buckets`: an array of `google_data_fusion_instance` gcs_bucket +* `accelerators`: an array of `google_data_fusion_instance` accelerators +* `p4_service_accounts`: an array of `google_data_fusion_instance` p4_service_account +* `tenant_project_ids`: an array of `google_data_fusion_instance` tenant_project_id +* `dataproc_service_accounts`: an array of `google_data_fusion_instance` dataproc_service_account +* `enable_rbacs`: an array of `google_data_fusion_instance` enable_rbac +* `crypto_key_configs`: an array of `google_data_fusion_instance` crypto_key_config +* `disabled_reasons`: an array of `google_data_fusion_instance` disabled_reason +* `event_publish_configs`: an array of `google_data_fusion_instance` event_publish_config +* `enable_zone_separations`: an array of `google_data_fusion_instance` enable_zone_separation +* `satisfies_pzs`: an array of `google_data_fusion_instance` satisfies_pzs +* `workforce_identity_service_endpoints`: an array of `google_data_fusion_instance` workforce_identity_service_endpoint +* `patch_revisions`: an array of `google_data_fusion_instance` patch_revision +* `dataplex_data_lineage_integration_enableds`: an array of `google_data_fusion_instance` dataplex_data_lineage_integration_enabled +* `maintenance_policies`: an array of `google_data_fusion_instance` maintenance_policy + +## Properties + +Properties that can be accessed from the `google_data_fusion_instances` resource: + +See [google_data_fusion_instance](google_data_fusion_instance) for more detailed information. 
+ +* `names`: an array of `google_data_fusion_instance` name +* `descriptions`: an array of `google_data_fusion_instance` description +* `types`: an array of `google_data_fusion_instance` type +* `enable_stackdriver_loggings`: an array of `google_data_fusion_instance` enable_stackdriver_logging +* `enable_stackdriver_monitorings`: an array of `google_data_fusion_instance` enable_stackdriver_monitoring +* `private_instances`: an array of `google_data_fusion_instance` private_instance +* `network_configs`: an array of `google_data_fusion_instance` network_config +* `labels`: an array of `google_data_fusion_instance` labels +* `options`: an array of `google_data_fusion_instance` options +* `create_times`: an array of `google_data_fusion_instance` create_time +* `update_times`: an array of `google_data_fusion_instance` update_time +* `states`: an array of `google_data_fusion_instance` state +* `state_messages`: an array of `google_data_fusion_instance` state_message +* `service_endpoints`: an array of `google_data_fusion_instance` service_endpoint +* `zones`: an array of `google_data_fusion_instance` zone +* `versions`: an array of `google_data_fusion_instance` version +* `service_accounts`: an array of `google_data_fusion_instance` service_account +* `display_names`: an array of `google_data_fusion_instance` display_name +* `available_versions`: an array of `google_data_fusion_instance` available_version +* `api_endpoints`: an array of `google_data_fusion_instance` api_endpoint +* `gcs_buckets`: an array of `google_data_fusion_instance` gcs_bucket +* `accelerators`: an array of `google_data_fusion_instance` accelerators +* `p4_service_accounts`: an array of `google_data_fusion_instance` p4_service_account +* `tenant_project_ids`: an array of `google_data_fusion_instance` tenant_project_id +* `dataproc_service_accounts`: an array of `google_data_fusion_instance` dataproc_service_account +* `enable_rbacs`: an array of `google_data_fusion_instance` enable_rbac +* 
`crypto_key_configs`: an array of `google_data_fusion_instance` crypto_key_config +* `disabled_reasons`: an array of `google_data_fusion_instance` disabled_reason +* `event_publish_configs`: an array of `google_data_fusion_instance` event_publish_config +* `enable_zone_separations`: an array of `google_data_fusion_instance` enable_zone_separation +* `satisfies_pzs`: an array of `google_data_fusion_instance` satisfies_pzs +* `workforce_identity_service_endpoints`: an array of `google_data_fusion_instance` workforce_identity_service_endpoint +* `patch_revisions`: an array of `google_data_fusion_instance` patch_revision +* `dataplex_data_lineage_integration_enableds`: an array of `google_data_fusion_instance` dataplex_data_lineage_integration_enabled +* `maintenance_policies`: an array of `google_data_fusion_instance` maintenance_policy + +## Filter criteria + +This resource supports all of the above properties as filter criteria, which can be used +with `where` as a block or a method. + +## GCP permissions + +Ensure the [Cloud Data Fusion API](https://console.cloud.google.com/apis/library/datafusion.googleapis.com) is enabled for the current project. diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_dataflow_project_location_job.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_dataflow_project_location_job.md new file mode 100644 index 0000000..fbc9486 --- /dev/null +++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_dataflow_project_location_job.md 
@@ -0,0 +1,591 @@ ++++ +title = "google_dataflow_project_location_job resource" + +draft = false + + +[menu.gcp] +title = "google_dataflow_project_location_job" +identifier = "inspec/resources/gcp/google_dataflow_project_location_job resource" +parent = "inspec/resources/gcp" ++++ + +Use the `google_dataflow_project_location_job` InSpec audit resource to to test a Google Cloud ProjectLocationJob resource. + +## Examples + +```ruby +describe google_dataflow_project_location_job(job: 'value_job_id', location: 'value_location', project: 'value_project') do + it { should exist } + its('id') { should cmp 'value_id' } + its('project_id') { should cmp 'value_projectid' } + its('name') { should cmp 'value_name' } + its('type') { should cmp 'value_type' } + its('steps_location') { should cmp 'value_stepslocation' } + its('current_state') { should cmp 'value_currentstate' } + its('current_state_time') { should cmp 'value_currentstatetime' } + its('requested_state') { should cmp 'value_requestedstate' } + its('create_time') { should cmp 'value_createtime' } + its('replace_job_id') { should cmp 'value_replacejobid' } + its('client_request_id') { should cmp 'value_clientrequestid' } + its('replaced_by_job_id') { should cmp 'value_replacedbyjobid' } + its('location') { should cmp 'value_location' } + its('start_time') { should cmp 'value_starttime' } + its('created_from_snapshot_id') { should cmp 'value_createdfromsnapshotid' } + +end + +describe google_dataflow_project_location_job(job: 'value_job_id', location: 'value_location', projectId: 'value_project') do + it { should_not exist } +end +``` + +## Properties + +Properties that can be accessed from the `google_dataflow_project_location_job` resource: + + + * `id`: The unique ID of this job. This field is set by the Dataflow service when the job is created, and is immutable for the life of the job. + + * `project_id`: The ID of the Google Cloud project that the job belongs to. 
+ + * `name`: The user-specified Dataflow job name. Only one active job with a given name can exist in a project within one region at any given time. Jobs in different regions can have the same name. If a caller attempts to create a job with the same name as an active job that already exists, the attempt returns the existing job. The name must match the regular expression `[a-z]([-a-z0-9]{0,1022}[a-z0-9])?` + + * `type`: The type of Dataflow job. + Possible values: + * JOB_TYPE_UNKNOWN + * JOB_TYPE_BATCH + * JOB_TYPE_STREAMING + + * `environment`: Describes the environment in which a Dataflow Job runs. + + * `temp_storage_prefix`: The prefix of the resources the system should use for temporary storage. The system will append the suffix "/temp-{JOBNAME} to this resource prefix, where {JOBNAME} is the value of the job_name field. The resulting bucket and object prefix is used as the prefix of the resources used to store temporary data needed during the job execution. NOTE: This will override the value in taskrunner_settings. The supported resource type is: Google Cloud Storage: storage.googleapis.com/{bucket}/{object} bucket.storage.googleapis.com/{object} + + * `cluster_manager_api_service`: The type of cluster manager API to use. If unknown or unspecified, the service will attempt to choose a reasonable default. This should be in the form of the API service name, e.g. "compute.googleapis.com". + + * `experiments`: The list of experiments to enable. This field should be used for SDK related experiments and not for service related experiments. The proper field for service related experiments is service_options. + + * `service_options`: The list of service options to enable. This field should be used for service related experiments only. These experiments, when graduating to GA, should be replaced by dedicated fields or become default (i.e. always on). 
+ + * `service_kms_key_name`: If set, contains the Cloud KMS key identifier used to encrypt data at rest, AKA a Customer Managed Encryption Key (CMEK). Format: projects/PROJECT_ID/locations/LOCATION/keyRings/KEY_RING/cryptoKeys/KEY + + * `worker_pools`: The worker pools. At least one "harness" worker pool must be specified in order for the job to have workers. + + * `kind`: The kind of the worker pool; currently only `harness` and `shuffle` are supported. + + * `num_workers`: Number of Google Compute Engine workers in this pool needed to execute the job. If zero or unspecified, the service will attempt to choose a reasonable default. + + * `packages`: Packages to be installed on workers. + + * `name`: The name of the package. + + * `location`: The resource to read the package from. The supported resource type is: Google Cloud Storage: storage.googleapis.com/{bucket} bucket.storage.googleapis.com/ + + * `default_package_set`: The default package set to install. This allows the service to select a default set of packages which are useful to worker harnesses written in a particular language. + Possible values: + * DEFAULT_PACKAGE_SET_UNKNOWN + * DEFAULT_PACKAGE_SET_NONE + * DEFAULT_PACKAGE_SET_JAVA + * DEFAULT_PACKAGE_SET_PYTHON + + * `machine_type`: Machine type (e.g. "n1-standard-1"). If empty or unspecified, the service will attempt to choose a reasonable default. + + * `teardown_policy`: Sets the policy for determining when to turndown worker pool. Allowed values are: `TEARDOWN_ALWAYS`, `TEARDOWN_ON_SUCCESS`, and `TEARDOWN_NEVER`. `TEARDOWN_ALWAYS` means workers are always torn down regardless of whether the job succeeds. `TEARDOWN_ON_SUCCESS` means workers are torn down if the job succeeds. `TEARDOWN_NEVER` means the workers are never torn down. If the workers are not torn down by the service, they will continue to run and use Google Compute Engine VM resources in the user's project until they are explicitly terminated by the user. 
Because of this, Google recommends using the `TEARDOWN_ALWAYS` policy except for small, manually supervised test jobs. If unknown or unspecified, the service will attempt to choose a reasonable default. + Possible values: + * TEARDOWN_POLICY_UNKNOWN + * TEARDOWN_ALWAYS + * TEARDOWN_ON_SUCCESS + * TEARDOWN_NEVER + + * `disk_size_gb`: Size of root disk for VMs, in GB. If zero or unspecified, the service will attempt to choose a reasonable default. + + * `disk_type`: Type of root disk for VMs. If empty or unspecified, the service will attempt to choose a reasonable default. + + * `disk_source_image`: Fully qualified source image for disks. + + * `zone`: Zone to run the worker pools in. If empty or unspecified, the service will attempt to choose a reasonable default. + + * `taskrunner_settings`: Taskrunner configuration settings. + + * `task_user`: The UNIX user ID on the worker VM to use for tasks launched by taskrunner; e.g. "root". + + * `task_group`: The UNIX group ID on the worker VM to use for tasks launched by taskrunner; e.g. "wheel". + + * `oauth_scopes`: The OAuth2 scopes to be requested by the taskrunner in order to access the Cloud Dataflow API. + + * `base_url`: The base URL for the taskrunner to use when accessing Google Cloud APIs. When workers access Google Cloud APIs, they logically do so via relative URLs. If this field is specified, it supplies the base URL to use for resolving these relative URLs. The normative algorithm used is defined by RFC 1808, "Relative Uniform Resource Locators". If not specified, the default value is "http://www.googleapis.com/" + + * `dataflow_api_version`: The API version of endpoint, e.g. "v1b3" + + * `parallel_worker_settings`: Provides data to pass through to the worker harness. + + * `base_url`: The base URL for accessing Google Cloud APIs. When workers access Google Cloud APIs, they logically do so via relative URLs. If this field is specified, it supplies the base URL to use for resolving these relative URLs. 
The normative algorithm used is defined by RFC 1808, "Relative Uniform Resource Locators". If not specified, the default value is "http://www.googleapis.com/" + + * `reporting_enabled`: Whether to send work progress updates to the service. + + * `service_path`: The Cloud Dataflow service path relative to the root URL, for example, "dataflow/v1b3/projects". + + * `shuffle_service_path`: The Shuffle service path relative to the root URL, for example, "shuffle/v1beta1". + + * `worker_id`: The ID of the worker running this pipeline. + + * `temp_storage_prefix`: The prefix of the resources the system should use for temporary storage. The supported resource type is: Google Cloud Storage: storage.googleapis.com/{bucket}/{object} bucket.storage.googleapis.com/{object} + + * `base_task_dir`: The location on the worker for task-specific subdirectories. + + * `continue_on_exception`: Whether to continue taskrunner if an exception is hit. + + * `log_to_serialconsole`: Whether to send taskrunner log info to Google Compute Engine VM serial console. + + * `alsologtostderr`: Whether to also send taskrunner log info to stderr. + + * `log_upload_location`: Indicates where to put logs. If this is not specified, the logs will not be uploaded. The supported resource type is: Google Cloud Storage: storage.googleapis.com/{bucket}/{object} bucket.storage.googleapis.com/{object} + + * `log_dir`: The directory on the VM to store logs. + + * `temp_storage_prefix`: The prefix of the resources the taskrunner should use for temporary storage. The supported resource type is: Google Cloud Storage: storage.googleapis.com/{bucket}/{object} bucket.storage.googleapis.com/{object} + + * `harness_command`: The command to launch the worker harness. + + * `workflow_file_name`: The file to store the workflow in. + + * `commandlines_file_name`: The file to store preprocessing commands in. + + * `vm_id`: The ID string of the VM. + + * `language_hint`: The suggested backend language. 
+ + * `streaming_worker_main_class`: The streaming worker main class name. + + * `on_host_maintenance`: The action to take on host maintenance, as defined by the Google Compute Engine API. + + * `data_disks`: Data disks that are used by a VM in this workflow. + + * `size_gb`: Size of disk in GB. If zero or unspecified, the service will attempt to choose a reasonable default. + + * `disk_type`: Disk storage type, as defined by Google Compute Engine. This must be a disk type appropriate to the project and zone in which the workers will run. If unknown or unspecified, the service will attempt to choose a reasonable default. For example, the standard persistent disk type is a resource name typically ending in "pd-standard". If SSD persistent disks are available, the resource name typically ends with "pd-ssd". The actual valid values are defined the Google Compute Engine API, not by the Cloud Dataflow API; consult the Google Compute Engine documentation for more information about determining the set of available disk types for a particular project and zone. Google Compute Engine Disk types are local to a particular project in a particular zone, and so the resource name will typically look something like this: compute.googleapis.com/projects/project-id/zones/zone/diskTypes/pd-standard + + * `mount_point`: Directory in a VM where disk is mounted. + + * `metadata`: Metadata to set on the Google Compute Engine VMs. + + * `additional_properties`: + + * `autoscaling_settings`: Settings for WorkerPool autoscaling. + + * `algorithm`: The algorithm to use for autoscaling. + Possible values: + * AUTOSCALING_ALGORITHM_UNKNOWN + * AUTOSCALING_ALGORITHM_NONE + * AUTOSCALING_ALGORITHM_BASIC + + * `max_num_workers`: The maximum number of workers to cap scaling at. + + * `pool_args`: Extra arguments for this worker pool. + + * `additional_properties`: Properties of the object. Contains field @type with type URL. + + * `network`: Network to which VMs will be assigned. 
If empty or unspecified, the service will use the network "default". + + * `subnetwork`: Subnetwork to which VMs will be assigned, if desired. Expected to be of the form "regions/REGION/subnetworks/SUBNETWORK". + + * `worker_harness_container_image`: Required. Docker container image that executes the Cloud Dataflow worker harness, residing in Google Container Registry. Deprecated for the Fn API path. Use sdk_harness_container_images instead. + + * `num_threads_per_worker`: The number of threads per worker harness. If empty or unspecified, the service will choose a number of threads (according to the number of cores on the selected machine type for batch, or 1 by convention for streaming). + + * `ip_configuration`: Configuration for VM IPs. + Possible values: + * WORKER_IP_UNSPECIFIED + * WORKER_IP_PUBLIC + * WORKER_IP_PRIVATE + + * `sdk_harness_container_images`: Set of SDK harness containers needed to execute this pipeline. This will only be set in the Fn API path. For non-cross-language pipelines this should have only one entry. Cross-language pipelines will have two or more entries. + + * `container_image`: A docker container image that resides in Google Container Registry. + + * `use_single_core_per_container`: If true, recommends the Dataflow service to use only one core per SDK container instance with this image. If false (or unset) recommends using more than one core per SDK container instance with this image for efficiency. Note that Dataflow service may choose to override this property if needed. + + * `environment_id`: Environment ID for the Beam runner API proto Environment that corresponds to the current SDK Harness. + + * `capabilities`: The set of capabilities enumerated in the above Environment proto. See also [beam_runner_api.proto](https://github.com/apache/beam/blob/master/model/pipeline/src/main/proto/org/apache/beam/model/pipeline/v1/beam_runner_api.proto) + + * `user_agent`: A description of the process that generated the request. 
+ + * `additional_properties`: Properties of the object. + + * `version`: A structure describing which components and their versions of the service are required in order to run the job. + + * `additional_properties`: Properties of the object. + + * `dataset`: The dataset for the current project where various workflow related tables are stored. The supported resource type is: Google BigQuery: bigquery.googleapis.com/{dataset} + + * `sdk_pipeline_options`: The Cloud Dataflow SDK pipeline options specified by the user. These options are passed through the service and are used to recreate the SDK pipeline options on the worker in a language agnostic and platform independent way. + + * `additional_properties`: Properties of the object. + + * `internal_experiments`: Experimental settings. + + * `additional_properties`: Properties of the object. Contains field @type with type URL. + + * `service_account_email`: Identity to run virtual machines as. Defaults to the default account. + + * `flex_resource_scheduling_goal`: Which Flexible Resource Scheduling mode to run in. + Possible values: + * FLEXRS_UNSPECIFIED + * FLEXRS_SPEED_OPTIMIZED + * FLEXRS_COST_OPTIMIZED + + * `worker_region`: The Compute Engine region (https://cloud.google.com/compute/docs/regions-zones/regions-zones) in which worker processing should occur, e.g. "us-west1". Mutually exclusive with worker_zone. If neither worker_region nor worker_zone is specified, default to the control plane's region. + + * `worker_zone`: The Compute Engine zone (https://cloud.google.com/compute/docs/regions-zones/regions-zones) in which worker processing should occur, e.g. "us-west1-a". Mutually exclusive with worker_region. If neither worker_region nor worker_zone is specified, a zone in the control plane's region is chosen based on available capacity. + + * `shuffle_mode`: Output only. The shuffle mode used for the job. 
+ Possible values: + * SHUFFLE_MODE_UNSPECIFIED + * VM_BASED + * SERVICE_BASED + + * `debug_options`: Describes any options that have an effect on the debugging of pipelines. + + * `enable_hot_key_logging`: When true, enables the logging of the literal hot key to the user's Cloud Logging. + + * `data_sampling`: Configuration options for sampling elements. + + * `behaviors`: List of given sampling behaviors to enable. For example, specifying behaviors = [ALWAYS_ON] samples in-flight elements but does not sample exceptions. Can be used to specify multiple behaviors like, behaviors = [ALWAYS_ON, EXCEPTIONS] for specifying periodic sampling and exception sampling. If DISABLED is in the list, then sampling will be disabled and ignore the other given behaviors. Ordering does not matter. + + * `use_streaming_engine_resource_based_billing`: Output only. Whether the job uses the Streaming Engine resource-based billing model. + + * `streaming_mode`: Optional. Specifies the Streaming Engine message processing guarantees. Reduces cost and latency but might result in duplicate messages committed to storage. Designed to run simple mapping streaming ETL jobs at the lowest cost. For example, Change Data Capture (CDC) to BigQuery is a canonical use case. + Possible values: + * STREAMING_MODE_UNSPECIFIED + * STREAMING_MODE_EXACTLY_ONCE + * STREAMING_MODE_AT_LEAST_ONCE + + * `steps`: Exactly one of step or steps_location should be specified. The top-level steps that constitute the entire job. Only retrieved with JOB_VIEW_ALL. + + * `kind`: The kind of step in the Cloud Dataflow job. + + * `name`: The name that identifies the step. This must be unique for each step with respect to all other steps in the Cloud Dataflow job. + + * `properties`: Named properties associated with the step. Each kind of predefined step has its own required set of properties. Must be provided on Create. Only retrieved with JOB_VIEW_ALL. + + * `additional_properties`: Properties of the object. 
+ + * `steps_location`: The Cloud Storage location where the steps are stored. + + * `current_state`: The current state of the job. Jobs are created in the `JOB_STATE_STOPPED` state unless otherwise specified. A job in the `JOB_STATE_RUNNING` state may asynchronously enter a terminal state. After a job has reached a terminal state, no further state updates may be made. This field might be mutated by the Dataflow service; callers cannot mutate it. + Possible values: + * JOB_STATE_UNKNOWN + * JOB_STATE_STOPPED + * JOB_STATE_RUNNING + * JOB_STATE_DONE + * JOB_STATE_FAILED + * JOB_STATE_CANCELLED + * JOB_STATE_UPDATED + * JOB_STATE_DRAINING + * JOB_STATE_DRAINED + * JOB_STATE_PENDING + * JOB_STATE_CANCELLING + * JOB_STATE_QUEUED + * JOB_STATE_RESOURCE_CLEANING_UP + + * `current_state_time`: The timestamp associated with the current state. + + * `requested_state`: The job's requested state. Applies to `UpdateJob` requests. Set `requested_state` with `UpdateJob` requests to switch between the states `JOB_STATE_STOPPED` and `JOB_STATE_RUNNING`. You can also use `UpdateJob` requests to change a job's state from `JOB_STATE_RUNNING` to `JOB_STATE_CANCELLED`, `JOB_STATE_DONE`, or `JOB_STATE_DRAINED`. These states irrevocably terminate the job if it hasn't already reached a terminal state. This field has no effect on `CreateJob` requests. + Possible values: + * JOB_STATE_UNKNOWN + * JOB_STATE_STOPPED + * JOB_STATE_RUNNING + * JOB_STATE_DONE + * JOB_STATE_FAILED + * JOB_STATE_CANCELLED + * JOB_STATE_UPDATED + * JOB_STATE_DRAINING + * JOB_STATE_DRAINED + * JOB_STATE_PENDING + * JOB_STATE_CANCELLING + * JOB_STATE_QUEUED + * JOB_STATE_RESOURCE_CLEANING_UP + + * `execution_info`: Additional information about how a Cloud Dataflow job will be executed that isn't contained in the submitted job. + + * `stages`: A mapping from each stage to the information about that stage. 
+ + * `additional_properties`: Contains information about how a particular google.dataflow.v1beta3.Step will be executed. + + * `create_time`: The timestamp when the job was initially created. Immutable and set by the Cloud Dataflow service. + + * `replace_job_id`: If this job is an update of an existing job, this field is the job ID of the job it replaced. When sending a `CreateJobRequest`, you can update a job by specifying it here. The job named here is stopped, and its intermediate state is transferred to this job. + + * `transform_name_mapping`: The map of transform name prefixes of the job to be replaced to the corresponding name prefixes of the new job. + + * `additional_properties`: + + * `client_request_id`: The client's unique identifier of the job, re-used across retried attempts. If this field is set, the service will ensure its uniqueness. The request to create a job will fail if the service has knowledge of a previously submitted job with the same client's ID and job name. The caller may use this field to ensure idempotence of job creation across retried attempts to create a job. By default, the field is empty and, in that case, the service ignores it. + + * `replaced_by_job_id`: If another job is an update of this job (and thus, this job is in `JOB_STATE_UPDATED`), this field contains the ID of that job. + + * `temp_files`: A set of files the system should be aware of that are used for temporary storage. These temporary files will be removed on job completion. No duplicates are allowed. No file patterns are supported. The supported files are: Google Cloud Storage: storage.googleapis.com/{bucket}/{object} bucket.storage.googleapis.com/{object} + + * `labels`: User-defined labels for this job. The labels map can contain no more than 64 entries. 
Entries of the labels map are UTF8 strings that comply with the following restrictions: * Keys must conform to regexp: \p{Ll}\p{Lo}{0,62} * Values must conform to regexp: [\p{Ll}\p{Lo}\p{N}_-]{0,63} * Both keys and values are additionally constrained to be <= 128 bytes in size. + + * `additional_properties`: + + * `location`: The [regional endpoint] (https://cloud.google.com/dataflow/docs/concepts/regional-endpoints) that contains this job. + + * `pipeline_description`: A descriptive representation of submitted pipeline as well as the executed form. This data is provided by the Dataflow service for ease of visualizing the pipeline and interpreting Dataflow provided metrics. + + * `original_pipeline_transform`: Description of each transform in the pipeline and collections between them. + + * `kind`: Type of transform. + Possible values: + * UNKNOWN_KIND + * PAR_DO_KIND + * GROUP_BY_KEY_KIND + * FLATTEN_KIND + * READ_KIND + * WRITE_KIND + * CONSTANT_KIND + * SINGLETON_KIND + * SHUFFLE_KIND + + * `id`: SDK generated id of this transform instance. + + * `name`: User provided name for this transform instance. + + * `display_data`: Transform-specific display data. + + * `key`: The key identifying the display data. This is intended to be used as a label for the display data when viewed in a dax monitoring system. + + * `namespace`: The namespace for the key. This is usually a class name or programming language namespace (i.e. python module) which defines the display data. This allows a dax monitoring system to specially handle the data and perform custom rendering. + + * `str_value`: Contains value if the data is of string type. + + * `int64_value`: Contains value if the data is of int64 type. + + * `float_value`: Contains value if the data is of float type. + + * `java_class_value`: Contains value if the data is of java class type. + + * `timestamp_value`: Contains value if the data is of timestamp type. 
+ + * `duration_value`: Contains value if the data is of duration type. + + * `bool_value`: Contains value if the data is of a boolean type. + + * `short_str_value`: A possible additional shorter value to display. For example a java_class_name_value of com.mypackage.MyDoFn will be stored with MyDoFn as the short_str_value and com.mypackage.MyDoFn as the java_class_name value. short_str_value can be displayed and java_class_name_value will be displayed as a tooltip. + + * `url`: An optional full URL. + + * `label`: An optional label to display in a dax UI for the element. + + * `output_collection_name`: User names for all collection outputs to this transform. + + * `input_collection_name`: User names for all collection inputs to this transform. + + * `execution_pipeline_stage`: Description of each stage of execution of the pipeline. + + * `name`: Dataflow service generated name for this stage. + + * `id`: Dataflow service generated id for this stage. + + * `kind`: Type of transform this stage is executing. + Possible values: + * UNKNOWN_KIND + * PAR_DO_KIND + * GROUP_BY_KEY_KIND + * FLATTEN_KIND + * READ_KIND + * WRITE_KIND + * CONSTANT_KIND + * SINGLETON_KIND + * SHUFFLE_KIND + + * `input_source`: Input sources for this stage. + + * `user_name`: Human-readable name for this source; may be user or system generated. + + * `name`: Dataflow service generated name for this source. + + * `original_transform_or_collection`: User name for the original user transform or collection with which this source is most closely associated. + + * `size_bytes`: Size of the source, if measurable. + + * `output_source`: Output sources for this stage. + + * `user_name`: Human-readable name for this source; may be user or system generated. + + * `name`: Dataflow service generated name for this source. + + * `original_transform_or_collection`: User name for the original user transform or collection with which this source is most closely associated. 
+
+ * `size_bytes`: Size of the source, if measurable.
+
+ * `prerequisite_stage`: Other stages that must complete before this stage can run.
+
+ * `component_transform`: Transforms that comprise this execution stage.
+
+ * `user_name`: Human-readable name for this transform; may be user or system generated.
+
+ * `name`: Dataflow service generated name for this source.
+
+ * `original_transform`: User name for the original user transform with which this transform is most closely associated.
+
+ * `component_source`: Collections produced and consumed by component transforms of this stage.
+
+ * `user_name`: Human-readable name for this transform; may be user or system generated.
+
+ * `name`: Dataflow service generated name for this source.
+
+ * `original_transform_or_collection`: User name for the original user transform or collection with which this source is most closely associated.
+
+ * `display_data`: Pipeline level display data.
+
+ * `key`: The key identifying the display data. This is intended to be used as a label for the display data when viewed in a dax monitoring system.
+
+ * `namespace`: The namespace for the key. This is usually a class name or programming language namespace (i.e. python module) which defines the display data. This allows a dax monitoring system to specially handle the data and perform custom rendering.
+
+ * `str_value`: Contains value if the data is of string type.
+
+ * `int64_value`: Contains value if the data is of int64 type.
+
+ * `float_value`: Contains value if the data is of float type.
+
+ * `java_class_value`: Contains value if the data is of java class type.
+
+ * `timestamp_value`: Contains value if the data is of timestamp type.
+
+ * `duration_value`: Contains value if the data is of duration type.
+
+ * `bool_value`: Contains value if the data is of a boolean type.
+
+ * `short_str_value`: A possible additional shorter value to display.
For example a java_class_name_value of com.mypackage.MyDoFn will be stored with MyDoFn as the short_str_value and com.mypackage.MyDoFn as the java_class_name value. short_str_value can be displayed and java_class_name_value will be displayed as a tooltip.
+
+ * `url`: An optional full URL.
+
+ * `label`: An optional label to display in a dax UI for the element.
+
+ * `step_names_hash`: A hash value of the submitted pipeline portable graph step names if exists.
+
+ * `stage_states`: This field may be mutated by the Cloud Dataflow service; callers cannot mutate it.
+
+ * `execution_stage_name`: The name of the execution stage.
+
+ * `execution_stage_state`: Executions stage states allow the same set of values as JobState.
+ Possible values:
+ * JOB_STATE_UNKNOWN
+ * JOB_STATE_STOPPED
+ * JOB_STATE_RUNNING
+ * JOB_STATE_DONE
+ * JOB_STATE_FAILED
+ * JOB_STATE_CANCELLED
+ * JOB_STATE_UPDATED
+ * JOB_STATE_DRAINING
+ * JOB_STATE_DRAINED
+ * JOB_STATE_PENDING
+ * JOB_STATE_CANCELLING
+ * JOB_STATE_QUEUED
+ * JOB_STATE_RESOURCE_CLEANING_UP
+
+ * `current_state_time`: The time at which the stage transitioned to this state.
+
+ * `job_metadata`: Metadata available primarily for filtering jobs. Will be included in the ListJob response and Job SUMMARY view.
+
+ * `sdk_version`: The version of the SDK used to run the job.
+
+ * `version`: The version of the SDK used to run the job.
+
+ * `version_display_name`: A readable string describing the version of the SDK.
+
+ * `sdk_support_status`: The support status for this SDK version.
+ Possible values:
+ * UNKNOWN
+ * SUPPORTED
+ * STALE
+ * DEPRECATED
+ * UNSUPPORTED
+
+ * `bugs`: Output only. Known bugs found in this SDK version.
+
+ * `type`: Output only. Describes the impact of this SDK bug.
+ Possible values:
+ * TYPE_UNSPECIFIED
+ * GENERAL
+ * PERFORMANCE
+ * DATALOSS
+
+ * `severity`: Output only. How severe the SDK bug is.
+ Possible values:
+ * SEVERITY_UNSPECIFIED
+ * NOTICE
+ * WARNING
+ * SEVERE
+
+ * `uri`: Output only. Link to more information on the bug.
+
+ * `spanner_details`: Identification of a Spanner source used in the Dataflow job.
+
+ * `project_id`: ProjectId accessed in the connection.
+
+ * `instance_id`: InstanceId accessed in the connection.
+
+ * `database_id`: DatabaseId accessed in the connection.
+
+ * `bigquery_details`: Identification of a BigQuery source used in the Dataflow job.
+
+ * `table`: Table accessed in the connection.
+
+ * `dataset`: Dataset accessed in the connection.
+
+ * `project_id`: Project accessed in the connection.
+
+ * `query`: Query used to access data in the connection.
+
+ * `big_table_details`: Identification of a Cloud Bigtable source used in the Dataflow job.
+
+ * `project_id`: ProjectId accessed in the connection.
+
+ * `instance_id`: InstanceId accessed in the connection.
+
+ * `table_id`: TableId accessed in the connection.
+
+ * `pubsub_details`: Identification of a Pub/Sub source used in the Dataflow job.
+
+ * `topic`: Topic accessed in the connection.
+
+ * `subscription`: Subscription used in the connection.
+
+ * `file_details`: Identification of a File source used in the Dataflow job.
+
+ * `file_pattern`: File Pattern used to access files by the connector.
+
+ * `datastore_details`: Identification of a Datastore source used in the Dataflow job.
+
+ * `namespace`: Namespace used in the connection.
+
+ * `project_id`: ProjectId accessed in the connection.
+
+ * `user_display_properties`: List of display properties to help UI filter jobs.
+
+ * `additional_properties`:
+
+ * `start_time`: The timestamp when the job was started (transitioned to JOB_STATE_PENDING). Flexible resource scheduling jobs are started with some delay after job creation, so start_time is unset before start and is updated when the job is started by the Cloud Dataflow service.
For other jobs, start_time always equals to create_time and is immutable and set by the Cloud Dataflow service.
+
+ * `created_from_snapshot_id`: If this is specified, the job's initial state is populated from the given snapshot.
+
+ * `satisfies_pzs`: Reserved for future use. This field is set only in responses from the server; it is ignored if it is set in any requests.
+
+ * `runtime_updatable_params`: Additional job parameters that can only be updated during runtime using the projects.jobs.update method. These fields have no effect when specified during job creation.
+
+ * `max_num_workers`: The maximum number of workers to cap autoscaling at. This field is currently only supported for Streaming Engine jobs.
+
+ * `min_num_workers`: The minimum number of workers to scale down to. This field is currently only supported for Streaming Engine jobs.
+
+ * `worker_utilization_hint`: Target worker utilization, compared against the aggregate utilization of the worker pool by autoscaler, to determine upscaling and downscaling when absent other constraints such as backlog.
+
+ * `satisfies_pzi`: Output only. Reserved for future use. This field is set only in responses from the server; it is ignored if it is set in any requests.
+
+
+## GCP permissions
+
+Ensure the [https://dataflow.googleapis.com/](https://console.cloud.google.com/apis/library/dataflow.googleapis.com/) is enabled for the current project.
diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_dataflow_project_location_jobs.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_dataflow_project_location_jobs.md
new file mode 100644
index 0000000..33132fc
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_dataflow_project_location_jobs.md
@@ -0,0 +1,64 @@
++++
+title = "google_dataflow_project_location_jobs resource"
+
+draft = false
+
+
+[menu.gcp]
+title = "google_dataflow_project_location_jobs"
+identifier = "inspec/resources/gcp/google_dataflow_project_location_jobs resource"
+parent = "inspec/resources/gcp"
++++
+
+Use the `google_dataflow_project_location_jobs` InSpec audit resource to to test a Google Cloud ProjectLocationJob resource.
+
+## Examples
+
+```ruby
+ describe google_dataflow_project_location_jobs(location: 'value_location', project: 'value_project') do
+ it { should exist }
+ end
+```
+
+## Properties
+
+Properties that can be accessed from the `google_dataflow_project_location_jobs` resource:
+
+See [google_dataflow_project_location_job](google_dataflow_project_location_job) for more detailed information.
+
+ * `ids`: an array of `google_dataflow_project_location_job` id
+ * `project_ids`: an array of `google_dataflow_project_location_job` project_id
+ * `names`: an array of `google_dataflow_project_location_job` name
+ * `types`: an array of `google_dataflow_project_location_job` type
+ * `environments`: an array of `google_dataflow_project_location_job` environment
+ * `steps`: an array of `google_dataflow_project_location_job` steps
+ * `steps_locations`: an array of `google_dataflow_project_location_job` steps_location
+ * `current_states`: an array of `google_dataflow_project_location_job` current_state
+ * `current_state_times`: an array of `google_dataflow_project_location_job` current_state_time
+ * `requested_states`: an array of `google_dataflow_project_location_job` requested_state
+ * `execution_infos`: an array of `google_dataflow_project_location_job` execution_info
+ * `create_times`: an array of `google_dataflow_project_location_job` create_time
+ * `replace_job_ids`: an array of `google_dataflow_project_location_job` replace_job_id
+ * `transform_name_mappings`: an array of `google_dataflow_project_location_job` transform_name_mapping
+ * `client_request_ids`:
an array of `google_dataflow_project_location_job` client_request_id
+ * `replaced_by_job_ids`: an array of `google_dataflow_project_location_job` replaced_by_job_id
+ * `temp_files`: an array of `google_dataflow_project_location_job` temp_files
+ * `labels`: an array of `google_dataflow_project_location_job` labels
+ * `locations`: an array of `google_dataflow_project_location_job` location
+ * `pipeline_descriptions`: an array of `google_dataflow_project_location_job` pipeline_description
+ * `stage_states`: an array of `google_dataflow_project_location_job` stage_states
+ * `job_metadata`: an array of `google_dataflow_project_location_job` job_metadata
+ * `start_times`: an array of `google_dataflow_project_location_job` start_time
+ * `created_from_snapshot_ids`: an array of `google_dataflow_project_location_job` created_from_snapshot_id
+ * `satisfies_pzs`: an array of `google_dataflow_project_location_job` satisfies_pzs
+ * `runtime_updatable_params`: an array of `google_dataflow_project_location_job` runtime_updatable_params
+ * `satisfies_pzis`: an array of `google_dataflow_project_location_job` satisfies_pzi
+
+## Filter criteria
+
+This resource supports all of the above properties as filter criteria, which can be used
+with `where` as a block or a method.
+
+## GCP permissions
+
+Ensure the [https://dataflow.googleapis.com/](https://console.cloud.google.com/apis/library/dataflow.googleapis.com/) is enabled for the current project.
diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_dataproc_autoscaling_policies.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_dataproc_autoscaling_policies.md
new file mode 100644
index 0000000..6427804
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_dataproc_autoscaling_policies.md
@@ -0,0 +1,45 @@
++++
+title = "google_dataproc_autoscaling_policies resource"
+
+draft = false
+
+
+[menu.gcp]
+title = "google_dataproc_autoscaling_policies"
+identifier = "inspec/resources/gcp/google_dataproc_autoscaling_policies resource"
+parent = "inspec/resources/gcp"
++++
+
+Use the `google_dataproc_autoscaling_policies` InSpec audit resource to to test a Google Cloud ProjectRegionAutoscalingPolicy resource.
+
+## Examples
+
+```ruby
+ describe google_dataproc_autoscaling_policies(parent: 'value_parent') do
+ it { should exist }
+ its('ids') { should include 'value_id' }
+ its('names') { should include 'value_name' }
+ end
+```
+
+## Properties
+
+Properties that can be accessed from the `google_dataproc_autoscaling_policies` resource:
+
+See [google_dataproc_autoscaling_policy](google_dataproc_autoscaling_policy) for more detailed information.
+
+* `ids`: an array of `google_dataproc_autoscaling_policy` id
+* `names`: an array of `google_dataproc_autoscaling_policy` name
+* `basic_algorithms`: an array of `google_dataproc_autoscaling_policy` basic_algorithm
+* `worker_configs`: an array of `google_dataproc_autoscaling_policy` worker_config
+* `secondary_worker_configs`: an array of `google_dataproc_autoscaling_policy` secondary_worker_config
+* `labels`: an array of `google_dataproc_autoscaling_policy` labels
+
+## Filter criteria
+
+This resource supports all of the above properties as filter criteria, which can be used
+with `where` as a block or a method.
+
+## GCP permissions
+
+Ensure the [Cloud Dataproc API](https://console.cloud.google.com/apis/library/dataproc.googleapis.com) is enabled for the current project.
diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_dataproc_autoscaling_policy.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_dataproc_autoscaling_policy.md
new file mode 100644
index 0000000..bc28d30
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_dataproc_autoscaling_policy.md 
@@ -0,0 +1,95 @@
++++
+title = "google_dataproc_autoscaling_policy resource"
+
+draft = false
+
+
+[menu.gcp]
+title = "google_dataproc_autoscaling_policy"
+identifier = "inspec/resources/gcp/google_dataproc_autoscaling_policy resource"
+parent = "inspec/resources/gcp"
++++
+
+Use the `google_dataproc_autoscaling_policy` InSpec audit resource to to test a Google Cloud ProjectRegionAutoscalingPolicy resource.
+
+## Examples
+
+```ruby
+describe google_dataproc_autoscaling_policy(name: 'value_name') do
+ it { should exist }
+ its('id') { should cmp 'value_id' }
+ its('name') { should cmp 'value_name' }
+end
+
+describe google_dataproc_autoscaling_policy(name: "does_not_exit") do
+ it { should_not exist }
+end
+```
+
+## Parameters
+
+Parameters that can be accessed from the `google_dataproc_autoscaling_policy` resource:
+
+## Properties
+
+Properties that can be accessed from the `google_dataproc_autoscaling_policy` resource:
+
+
+ * `id`: Required. The policy id.The id must contain only letters (a-z, A-Z), numbers (0-9), underscores (_), and hyphens (-). Cannot begin or end with underscore or hyphen. Must consist of between 3 and 50 characters.
+
+ * `name`: Output only. The "resource name" of the autoscaling policy, as described in https://cloud.google.com/apis/design/resource_names. For projects.regions.autoscalingPolicies, the resource name of the policy has the following format: projects/{project_id}/regions/{region}/autoscalingPolicies/{policy_id} For projects.locations.autoscalingPolicies, the resource name of the policy has the following format: projects/{project_id}/locations/{location}/autoscalingPolicies/{policy_id}
+
+ * `basic_algorithm`: Basic algorithm for autoscaling.
+
+ * `yarn_config`: Basic autoscaling configurations for YARN.
+
+ * `graceful_decommission_timeout`: Required. Timeout for YARN graceful decommissioning of Node Managers.
Specifies the duration to wait for jobs to complete before forcefully removing workers (and potentially interrupting jobs). Only applicable to downscaling operations.Bounds: 0s, 1d.
+
+ * `scale_up_factor`: Required. Fraction of average YARN pending memory in the last cooldown period for which to add workers. A scale-up factor of 1.0 will result in scaling up so that there is no pending memory remaining after the update (more aggressive scaling). A scale-up factor closer to 0 will result in a smaller magnitude of scaling up (less aggressive scaling). See How autoscaling works (https://cloud.google.com/dataproc/docs/concepts/configuring-clusters/autoscaling#how_autoscaling_works) for more information.Bounds: 0.0, 1.0.
+
+ * `scale_down_factor`: Required. Fraction of average YARN pending memory in the last cooldown period for which to remove workers. A scale-down factor of 1 will result in scaling down so that there is no available memory remaining after the update (more aggressive scaling). A scale-down factor of 0 disables removing workers, which can be beneficial for autoscaling a single job. See How autoscaling works (https://cloud.google.com/dataproc/docs/concepts/configuring-clusters/autoscaling#how_autoscaling_works) for more information.Bounds: 0.0, 1.0.
+
+ * `scale_up_min_worker_fraction`: Optional. Minimum scale-up threshold as a fraction of total cluster size before scaling occurs. For example, in a 20-worker cluster, a threshold of 0.1 means the autoscaler must recommend at least a 2-worker scale-up for the cluster to scale. A threshold of 0 means the autoscaler will scale up on any recommended change.Bounds: 0.0, 1.0. Default: 0.0.
+
+ * `scale_down_min_worker_fraction`: Optional. Minimum scale-down threshold as a fraction of total cluster size before scaling occurs. For example, in a 20-worker cluster, a threshold of 0.1 means the autoscaler must recommend at least a 2 worker scale-down for the cluster to scale.
A threshold of 0 means the autoscaler will scale down on any recommended change.Bounds: 0.0, 1.0. Default: 0.0.
+
+ * `spark_standalone_config`: Basic autoscaling configurations for Spark Standalone.
+
+ * `graceful_decommission_timeout`: Required. Timeout for Spark graceful decommissioning of spark workers. Specifies the duration to wait for spark worker to complete spark decommissioning tasks before forcefully removing workers. Only applicable to downscaling operations.Bounds: 0s, 1d.
+
+ * `scale_up_factor`: Required. Fraction of required workers to add to Spark Standalone clusters. A scale-up factor of 1.0 will result in scaling up so that there are no more required workers for the Spark Job (more aggressive scaling). A scale-up factor closer to 0 will result in a smaller magnitude of scaling up (less aggressive scaling).Bounds: 0.0, 1.0.
+
+ * `scale_down_factor`: Required. Fraction of required executors to remove from Spark Serverless clusters. A scale-down factor of 1.0 will result in scaling down so that there are no more executors for the Spark Job.(more aggressive scaling). A scale-down factor closer to 0 will result in a smaller magnitude of scaling donw (less aggressive scaling).Bounds: 0.0, 1.0.
+
+ * `scale_up_min_worker_fraction`: Optional. Minimum scale-up threshold as a fraction of total cluster size before scaling occurs. For example, in a 20-worker cluster, a threshold of 0.1 means the autoscaler must recommend at least a 2-worker scale-up for the cluster to scale. A threshold of 0 means the autoscaler will scale up on any recommended change.Bounds: 0.0, 1.0. Default: 0.0.
+
+ * `scale_down_min_worker_fraction`: Optional. Minimum scale-down threshold as a fraction of total cluster size before scaling occurs. For example, in a 20-worker cluster, a threshold of 0.1 means the autoscaler must recommend at least a 2 worker scale-down for the cluster to scale.
A threshold of 0 means the autoscaler will scale down on any recommended change.Bounds: 0.0, 1.0. Default: 0.0.
+
+ * `remove_only_idle_workers`: Optional. Remove only idle workers when scaling down cluster
+
+ * `cooldown_period`: Optional. Duration between scaling events. A scaling period starts after the update operation from the previous event has completed.Bounds: 2m, 1d. Default: 2m.
+
+ * `worker_config`: Configuration for the size bounds of an instance group, including its proportional size to other groups.
+
+ * `min_instances`: Optional. Minimum number of instances for this group.Primary workers - Bounds: 2, max_instances. Default: 2. Secondary workers - Bounds: 0, max_instances. Default: 0.
+
+ * `max_instances`: Required. Maximum number of instances for this group. Required for primary workers. Note that by default, clusters will not use secondary workers. Required for secondary workers if the minimum secondary instances is set.Primary workers - Bounds: [min_instances, ). Secondary workers - Bounds: [min_instances, ). Default: 0.
+
+ * `weight`: Optional. Weight for the instance group, which is used to determine the fraction of total workers in the cluster from this instance group. For example, if primary workers have weight 2, and secondary workers have weight 1, the cluster will have approximately 2 primary workers for each secondary worker.The cluster may not reach the specified balance if constrained by min/max bounds or other autoscaling settings. For example, if max_instances for secondary workers is 0, then only primary workers will be added. The cluster can also be out of balance when created.If weight is not set on any instance group, the cluster will default to equal weight for all groups: the cluster will attempt to maintain an equal number of workers in each group within the configured size bounds for each group. If weight is set for one group only, the cluster will default to zero weight on the unset group.
For example if weight is set only on primary workers, the cluster will use primary workers only and no secondary workers.
+
+ * `secondary_worker_config`: Configuration for the size bounds of an instance group, including its proportional size to other groups.
+
+ * `min_instances`: Optional. Minimum number of instances for this group.Primary workers - Bounds: 2, max_instances. Default: 2. Secondary workers - Bounds: 0, max_instances. Default: 0.
+
+ * `max_instances`: Required. Maximum number of instances for this group. Required for primary workers. Note that by default, clusters will not use secondary workers. Required for secondary workers if the minimum secondary instances is set.Primary workers - Bounds: [min_instances, ). Secondary workers - Bounds: [min_instances, ). Default: 0.
+
+ * `weight`: Optional. Weight for the instance group, which is used to determine the fraction of total workers in the cluster from this instance group. For example, if primary workers have weight 2, and secondary workers have weight 1, the cluster will have approximately 2 primary workers for each secondary worker.The cluster may not reach the specified balance if constrained by min/max bounds or other autoscaling settings. For example, if max_instances for secondary workers is 0, then only primary workers will be added. The cluster can also be out of balance when created.If weight is not set on any instance group, the cluster will default to equal weight for all groups: the cluster will attempt to maintain an equal number of workers in each group within the configured size bounds for each group. If weight is set for one group only, the cluster will default to zero weight on the unset group. For example if weight is set only on primary workers, the cluster will use primary workers only and no secondary workers.
+
+ * `labels`: Optional. The labels to associate with this autoscaling policy.
Label keys must contain 1 to 63 characters, and must conform to RFC 1035 (https://www.ietf.org/rfc/rfc1035.txt). Label values may be empty, but, if present, must contain 1 to 63 characters, and must conform to RFC 1035 (https://www.ietf.org/rfc/rfc1035.txt). No more than 32 labels can be associated with an autoscaling policy.
+
+ * `additional_properties`:
+
+
+## GCP permissions
+
+Ensure the [Cloud Dataproc API](https://console.cloud.google.com/apis/library/dataproc.googleapis.com) is enabled for the current project.
diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_dataproc_batch.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_dataproc_batch.md
new file mode 100644
index 0000000..ba865ea
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_dataproc_batch.md
@@ -0,0 +1,220 @@
++++
+title = "google_dataproc_batch resource"
+
+draft = false
+
+
+
+[menu.gcp]
+title = "google_dataproc_batch"
+identifier = "inspec/resources/gcp/google_dataproc_batch resource"
+parent = "inspec/resources/gcp"
++++
+
+Use the `google_dataproc_batch` InSpec audit resource to test the properties of a Google Cloud Batch resource.
+
+## Examples
+
+```ruby
+describe google_dataproc_batch(name: 'projects/*/locations/*/batches/value_name') do
+ it { should exist }
+ its('name') { should cmp 'value_name' }
+ its('uuid') { should cmp 'value_uuid' }
+ its('create_time') { should cmp 'value_createtime' }
+ its('state') { should cmp 'value_state' }
+ its('state_message') { should cmp 'value_statemessage' }
+ its('state_time') { should cmp 'value_statetime' }
+ its('creator') { should cmp 'value_creator' }
+ its('operation') { should cmp 'value_operation' }
+end
+
+describe google_dataproc_batch(name: "does_not_exit") do
+ it { should_not exist }
+end
+```
+
+## Parameters
+
+Parameters that can be accessed from the `google_dataproc_batch` resource:
+
+## Properties
+
+Properties that can be accessed from the `google_dataproc_batch` resource:
+
+
+ * `name`: Output only. The resource name of the batch.
+
+ * `uuid`: Output only. A batch UUID (Unique Universal Identifier). The service generates this value when it creates the batch.
+
+ * `create_time`: Output only. The time when the batch was created.
+
+ * `pyspark_batch`: A configuration for running an Apache PySpark (https://spark.apache.org/docs/latest/api/python/getting_started/quickstart.html) batch workload.
+
+ * `main_python_file_uri`: Required. The HCFS URI of the main Python file to use as the Spark driver. Must be a .py file.
+
+ * `args`: Optional. The arguments to pass to the driver. Do not include arguments that can be set as batch properties, such as --conf, since a collision can occur that causes an incorrect batch submission.
+
+ * `python_file_uris`: Optional.
HCFS file URIs of Python files to pass to the PySpark framework. Supported file types: .py, .egg, and .zip.
+
+ * `jar_file_uris`: Optional. HCFS URIs of jar files to add to the classpath of the Spark driver and tasks.
+
+ * `file_uris`: Optional. HCFS URIs of files to be placed in the working directory of each executor.
+
+ * `archive_uris`: Optional. HCFS URIs of archives to be extracted into the working directory of each executor. Supported file types: .jar, .tar, .tar.gz, .tgz, and .zip.
+
+ * `spark_batch`: A configuration for running an Apache Spark (https://spark.apache.org/) batch workload.
+
+ * `main_jar_file_uri`: Optional. The HCFS URI of the jar file that contains the main class.
+
+ * `main_class`: Optional. The name of the driver main class. The jar file that contains the class must be in the classpath or specified in jar_file_uris.
+
+ * `args`: Optional. The arguments to pass to the driver. Do not include arguments that can be set as batch properties, such as --conf, since a collision can occur that causes an incorrect batch submission.
+
+ * `jar_file_uris`: Optional. HCFS URIs of jar files to add to the classpath of the Spark driver and tasks.
+
+ * `file_uris`: Optional. HCFS URIs of files to be placed in the working directory of each executor.
+
+ * `archive_uris`: Optional. HCFS URIs of archives to be extracted into the working directory of each executor. Supported file types: .jar, .tar, .tar.gz, .tgz, and .zip.
+
+ * `spark_r_batch`: A configuration for running an Apache SparkR (https://spark.apache.org/docs/latest/sparkr.html) batch workload.
+
+ * `main_r_file_uri`: Required. The HCFS URI of the main R file to use as the driver. Must be a .R or .r file.
+
+ * `args`: Optional. The arguments to pass to the Spark driver. Do not include arguments that can be set as batch properties, such as --conf, since a collision can occur that causes an incorrect batch submission.
+
+ * `file_uris`: Optional.
HCFS URIs of files to be placed in the working directory of each executor.
+
+ * `archive_uris`: Optional. HCFS URIs of archives to be extracted into the working directory of each executor. Supported file types: .jar, .tar, .tar.gz, .tgz, and .zip.
+
+ * `spark_sql_batch`: A configuration for running Apache Spark SQL (https://spark.apache.org/sql/) queries as a batch workload.
+
+ * `query_file_uri`: Required. The HCFS URI of the script that contains Spark SQL queries to execute.
+
+ * `query_variables`: Optional. Mapping of query variable names to values (equivalent to the Spark SQL command: SET name="value";).
+
+ * `additional_properties`:
+
+ * `jar_file_uris`: Optional. HCFS URIs of jar files to be added to the Spark CLASSPATH.
+
+ * `runtime_info`: Runtime information about workload execution.
+
+ * `endpoints`: Output only. Map of remote access endpoints (such as web interfaces and APIs) to their URIs.
+
+ * `additional_properties`:
+
+ * `output_uri`: Output only. A URI pointing to the location of the stdout and stderr of the workload.
+
+ * `diagnostic_output_uri`: Output only. A URI pointing to the location of the diagnostics tarball.
+
+ * `approximate_usage`: Usage metrics represent approximate total resources consumed by a workload.
+
+ * `milli_dcu_seconds`: Optional. DCU (Dataproc Compute Units) usage in (milliDCU x seconds) (see Dataproc Serverless pricing (https://cloud.google.com/dataproc-serverless/pricing)).
+
+ * `shuffle_storage_gb_seconds`: Optional. Shuffle storage usage in (GB x seconds) (see Dataproc Serverless pricing (https://cloud.google.com/dataproc-serverless/pricing)).
+
+ * `milli_accelerator_seconds`: Optional. Accelerator usage in (milliAccelerator x seconds) (see Dataproc Serverless pricing (https://cloud.google.com/dataproc-serverless/pricing)).
+
+ * `accelerator_type`: Optional. Accelerator type being used, if any
+
+ * `current_usage`: The usage snapshot represents the resources consumed by a workload at a specified time.
+
+ * `milli_dcu`: Optional. Milli (one-thousandth) Dataproc Compute Units (DCUs) (see Dataproc Serverless pricing (https://cloud.google.com/dataproc-serverless/pricing)).
+
+ * `shuffle_storage_gb`: Optional. Shuffle Storage in gigabytes (GB). (see Dataproc Serverless pricing (https://cloud.google.com/dataproc-serverless/pricing))
+
+ * `milli_dcu_premium`: Optional. Milli (one-thousandth) Dataproc Compute Units (DCUs) charged at premium tier (see Dataproc Serverless pricing (https://cloud.google.com/dataproc-serverless/pricing)).
+
+ * `shuffle_storage_gb_premium`: Optional. Shuffle Storage in gigabytes (GB) charged at premium tier. (see Dataproc Serverless pricing (https://cloud.google.com/dataproc-serverless/pricing))
+
+ * `milli_accelerator`: Optional. Milli (one-thousandth) accelerator. (see Dataproc Serverless pricing (https://cloud.google.com/dataproc-serverless/pricing))
+
+ * `accelerator_type`: Optional. Accelerator type being used, if any
+
+ * `snapshot_time`: Optional. The timestamp of the usage snapshot.
+
+ * `state`: Output only. The state of the batch.
+ Possible values:
+ * STATE_UNSPECIFIED
+ * PENDING
+ * RUNNING
+ * CANCELLING
+ * CANCELLED
+ * SUCCEEDED
+ * FAILED
+
+ * `state_message`: Output only. Batch state details, such as a failure description if the state is FAILED.
+
+ * `state_time`: Output only. The time when the batch entered a current state.
+
+ * `creator`: Output only. The email address of the user who created the batch.
+
+ * `labels`: Optional. The labels to associate with this batch. Label keys must contain 1 to 63 characters, and must conform to RFC 1035 (https://www.ietf.org/rfc/rfc1035.txt). Label values may be empty, but, if present, must contain 1 to 63 characters, and must conform to RFC 1035 (https://www.ietf.org/rfc/rfc1035.txt). No more than 32 labels can be associated with a batch.
+
+ * `additional_properties`:
+
+ * `runtime_config`: Runtime configuration for a workload.
+
+ * `version`: Optional.
Version of the batch runtime.
+
+ * `container_image`: Optional. Optional custom container image for the job runtime environment. If not specified, a default container image will be used.
+
+ * `properties`: Optional. A mapping of property names to values, which are used to configure workload execution.
+
+ * `additional_properties`:
+
+ * `repository_config`: Configuration for dependency repositories
+
+ * `pypi_repository_config`: Configuration for PyPi repository
+
+ * `pypi_repository`: Optional. PyPi repository address
+
+ * `environment_config`: Environment configuration for a workload.
+
+ * `execution_config`: Execution configuration for a workload.
+
+ * `service_account`: Optional. Service account that used to execute workload.
+
+ * `network_uri`: Optional. Network URI to connect workload to.
+
+ * `subnetwork_uri`: Optional. Subnetwork URI to connect workload to.
+
+ * `network_tags`: Optional. Tags used for network traffic control.
+
+ * `kms_key`: Optional. The Cloud KMS key to use for encryption.
+
+ * `idle_ttl`: Optional. Applies to sessions only. The duration to keep the session alive while it's idling. Exceeding this threshold causes the session to terminate. This field cannot be set on a batch workload. Minimum value is 10 minutes; maximum value is 14 days (see JSON representation of Duration (https://developers.google.com/protocol-buffers/docs/proto3#json)). Defaults to 1 hour if not set. If both ttl and idle_ttl are specified for an interactive session, the conditions are treated as OR conditions: the workload will be terminated when it has been idle for idle_ttl or when ttl has been exceeded, whichever occurs first.
+
+ * `ttl`: Optional. The duration after which the workload will be terminated, specified as the JSON representation for Duration (https://protobuf.dev/programming-guides/proto3/#json). When the workload exceeds this duration, it will be unconditionally terminated without waiting for ongoing work to finish.
If ttl is not specified for a batch workload, the workload will be allowed to run until it exits naturally (or run forever without exiting). If ttl is not specified for an interactive session, it defaults to 24 hours. If ttl is not specified for a batch that uses 2.1+ runtime version, it defaults to 4 hours. Minimum value is 10 minutes; maximum value is 14 days. If both ttl and idle_ttl are specified (for an interactive session), the conditions are treated as OR conditions: the workload will be terminated when it has been idle for idle_ttl or when ttl has been exceeded, whichever occurs first. + + * `staging_bucket`: Optional. A Cloud Storage bucket used to stage workload dependencies, config files, and store workload output and other ephemeral data, such as Spark history files. If you do not specify a staging bucket, Cloud Dataproc will determine a Cloud Storage location according to the region where your workload is running, and then create and manage project-level, per-location staging and temporary buckets. This field requires a Cloud Storage bucket name, not a gs://... URI to a Cloud Storage bucket. + + * `peripherals_config`: Auxiliary services configuration for a workload. + + * `metastore_service`: Optional. Resource name of an existing Dataproc Metastore service.Example: projects/[project_id]/locations/[region]/services/[service_id] + + * `spark_history_server_config`: Spark History Server configuration for the workload. + + * `dataproc_cluster`: Optional. Resource name of an existing Dataproc Cluster to act as a Spark History Server for the workload.Example: projects/[project_id]/regions/[region]/clusters/[cluster_name] + + * `operation`: Output only. The resource name of the operation associated with this batch. + + * `state_history`: Output only. Historical state information for the batch. + + * `state`: Output only. The state of the batch at this point in history. 
+ Possible values:
+ * STATE_UNSPECIFIED
+ * PENDING
+ * RUNNING
+ * CANCELLING
+ * CANCELLED
+ * SUCCEEDED
+ * FAILED
+
+ * `state_message`: Output only. Details about the state at this point in history.
+
+ * `state_start_time`: Output only. The time when the batch entered the historical state.
+
+
+## GCP permissions
+
+Ensure the [Cloud Dataproc API](https://console.cloud.google.com/apis/library/dataproc.googleapis.com) is enabled for the current project.
diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_dataproc_batches.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_dataproc_batches.md
new file mode 100644
index 0000000..785cbe6
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_dataproc_batches.md
@@ -0,0 +1,87 @@
++++
+title = "google_dataproc_batches resource"
+
+draft = false
+
+
+
+[menu.gcp]
+title = "google_dataproc_batches"
+identifier = "inspec/resources/gcp/google_dataproc_batches resource"
+parent = "inspec/resources/gcp"
++++
+
+Use the `google_dataproc_batches` InSpec audit resource to test the properties of a Google Cloud Batch resource.
+
+## Examples
+
+```ruby
+ describe google_dataproc_batches(parent: 'projects/*/locations/*') do
+ it { should exist }
+ its('names') { should include 'value_name' }
+ its('uuids') { should include 'value_uuid' }
+ its('create_times') { should include 'value_createtime' }
+ its('states') { should include 'value_state' }
+ its('state_messages') { should include 'value_statemessage' }
+ its('state_times') { should include 'value_statetime' }
+ its('creators') { should include 'value_creator' }
+ its('operations') { should include 'value_operation' }
+ end
+```
+
+## Parameters
+
+Parameters that can be accessed from the `google_dataproc_batches` resource:
+
+See [google_dataproc_batch](google_dataproc_batch) for more detailed information.
+
+* `names`: an array of `google_dataproc_batch` name
+* `uuids`: an array of `google_dataproc_batch` uuid
+* `create_times`: an array of `google_dataproc_batch` create_time
+* `pyspark_batches`: an array of `google_dataproc_batch` pyspark_batch
+* `spark_batches`: an array of `google_dataproc_batch` spark_batch
+* `spark_r_batches`: an array of `google_dataproc_batch` spark_r_batch
+* `spark_sql_batches`: an array of `google_dataproc_batch` spark_sql_batch
+* `runtime_infos`: an array of `google_dataproc_batch` runtime_info
+* `states`: an array of `google_dataproc_batch` state
+* `state_messages`: an array of `google_dataproc_batch` state_message
+* `state_times`: an array of `google_dataproc_batch` state_time
+* `creators`: an array of `google_dataproc_batch` creator
+* `labels`: an array of `google_dataproc_batch` labels
+* `runtime_configs`: an array of `google_dataproc_batch` runtime_config
+* `environment_configs`: an array of `google_dataproc_batch` environment_config
+* `operations`: an array of `google_dataproc_batch` operation
+* `state_histories`: an array of `google_dataproc_batch` state_history
+
+## Properties
+
+Properties that can be accessed from the `google_dataproc_batches` resource:
+
+See [google_dataproc_batch](google_dataproc_batch) for more detailed information.
+
+* `names`: an array of `google_dataproc_batch` name
+* `uuids`: an array of `google_dataproc_batch` uuid
+* `create_times`: an array of `google_dataproc_batch` create_time
+* `pyspark_batches`: an array of `google_dataproc_batch` pyspark_batch
+* `spark_batches`: an array of `google_dataproc_batch` spark_batch
+* `spark_r_batches`: an array of `google_dataproc_batch` spark_r_batch
+* `spark_sql_batches`: an array of `google_dataproc_batch` spark_sql_batch
+* `runtime_infos`: an array of `google_dataproc_batch` runtime_info
+* `states`: an array of `google_dataproc_batch` state
+* `state_messages`: an array of `google_dataproc_batch` state_message
+* `state_times`: an array of `google_dataproc_batch` state_time
+* `creators`: an array of `google_dataproc_batch` creator
+* `labels`: an array of `google_dataproc_batch` labels
+* `runtime_configs`: an array of `google_dataproc_batch` runtime_config
+* `environment_configs`: an array of `google_dataproc_batch` environment_config
+* `operations`: an array of `google_dataproc_batch` operation
+* `state_histories`: an array of `google_dataproc_batch` state_history
+
+## Filter criteria
+
+This resource supports all of the above properties as filter criteria, which can be used
+with `where` as a block or a method.
+
+## GCP permissions
+
+Ensure the [Cloud Dataproc API](https://console.cloud.google.com/apis/library/dataproc.googleapis.com) is enabled for the current project.
diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_dataproc_cluster.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_dataproc_cluster.md
new file mode 100644
index 0000000..e160da8
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_dataproc_cluster.md
@@ -0,0 +1,220 @@
++++
+title = "google_dataproc_cluster resource"
+
+draft = false
+
+
+[menu.gcp]
+title = "google_dataproc_cluster"
+identifier = "inspec/resources/gcp/google_dataproc_cluster resource"
+parent = "inspec/resources/gcp"
++++
+
+## Syntax
+
+A `google_dataproc_cluster` is used to test a Google Cluster resource
+
+
+## Beta Resource
+This resource has beta fields available. To retrieve these fields, include `beta: true` in the constructor for the resource.
+
+## Examples
+
+```ruby
+describe google_dataproc_cluster(project: 'chef-gcp-inspec', region: 'europe-west2', cluster_name: 'inspec-dataproc-cluster') do
+ it { should exist }
+ its('labels') { should include('label' => 'value') }
+ its('config.master_config.num_instances') { should cmp '1' }
+ its('config.worker_config.num_instances') { should cmp '2' }
+ its('config.master_config.machine_type_uri') { should match 'n1-standard-1' }
+ its('config.worker_config.machine_type_uri') { should match 'n1-standard-1' }
+ its('config.software_config.properties') { should include('dataproc:dataproc.allow.zero.workers' => 'true') }
+end
+
+describe google_dataproc_cluster(project: 'chef-gcp-inspec', region: 'europe-west2', cluster_name: 'nonexistent') do
+ it { should_not exist }
+end
+```
+
+## Properties
+
+Properties that can be accessed from the `google_dataproc_cluster` resource:
+
+
+ * `cluster_name`: The name of the cluster, unique within the project and region.
+
+ * `labels`: Labels to apply to this cluster. A list of key->value pairs.
+
+ * `config`: Configuration for the cluster
+
+ * `config_bucket`: The Cloud Storage staging bucket used to stage files, such as Hadoop jars, between client machines and the cluster.
+
+ * `gce_cluster_config`: Common config settings for resources of Google Compute Engine cluster instances, applicable to all instances in the cluster.
+
+ * `zone_uri`: The zone where the Compute Engine cluster will be located
+
+ * `network_uri`: The Compute Engine network to be used for machine communications
+
+ * `subnetwork_uri`: The Compute Engine subnetwork to be used for machine communications
+
+ * `internal_ip_only`: If true, all instances int he cluster will only have internal IP addresses
+
+ * `service_account_scopes`: The URIs of service account scopes to be included in Compute Engine instances The following base set of scopes is always included: https://www.googleapis.com/auth/cloud.useraccounts.readonly https://www.googleapis.com/auth/devstorage.read_write https://www.googleapis.com/auth/logging.write
+
+ * `tags`: The Compute Engine tags to add to all instances
+
+ * `metadata`: The map of metadata entries to add to all instances
+
+ * `master_config`: The config settings for Compute Engine resources in an instance group, such as a master or worker group.
+
+ * `num_instances`: The number of VM instances in the instance group. For master instance groups, must be set to 1.
+
+ * `instance_names`: The list of instance names.
+
+ * `image_uri`: The Compute Engine image resource used for cluster instances.
+
+ * `machine_type_uri`: The Compute Engine machine type used for cluster instances
+
+ * `disk_config`: Disk option config settings
+
+ * `boot_disk_type`: Type of the boot disk. Valid values are "pd-ssd" or "pd-standard"
+
+ * `boot_disk_size_gb`: Size in GB of the boot disk.
+
+ * `num_local_ssds`: Number of attached SSDs, from 0 to 4.
+
+ * `is_preemptible`: Specifies if this instance group contains preemptible instances.
+
+ * `managed_group_config`: The config for Compute Engine Instance Group Manager that manages this group. This is only used for preemptible instance groups.
+
+ * `instance_template_name`: The name of the Instance Template used for the Managed Instance Group.
+
+ * `instance_group_manager_name`: The name of the Instance Group Manager for this group
+
+ * `worker_config`: The config settings for Compute Engine resources in an instance group, such as a master or worker group.
+
+ * `num_instances`: The number of VM instances in the instance group. For master instance groups, must be set to 1.
+
+ * `instance_names`: The list of instance names.
+
+ * `image_uri`: The Compute Engine image resource used for cluster instances.
+
+ * `machine_type_uri`: The Compute Engine machine type used for cluster instances
+
+ * `disk_config`: Disk option config settings
+
+ * `boot_disk_type`: Type of the boot disk. Valid values are "pd-ssd" or "pd-standard"
+
+ * `boot_disk_size_gb`: Size in GB of the boot disk.
+
+ * `num_local_ssds`: Number of attached SSDs, from 0 to 4.
+
+ * `is_preemptible`: Specifies if this instance group contains preemptible instances.
+
+ * `managed_group_config`: The config for Compute Engine Instance Group Manager that manages this group. This is only used for preemptible instance groups.
+
+ * `instance_template_name`: The name of the Instance Template used for the Managed Instance Group.
+
+ * `instance_group_manager_name`: The name of the Instance Group Manager for this group
+
+ * `secondary_worker_config`: The config settings for Compute Engine resources in an instance group, such as a master or worker group.
+
+ * `num_instances`: The number of VM instances in the instance group. For master instance groups, must be set to 1.
+
+ * `instance_names`: The list of instance names.
+
+ * `image_uri`: The Compute Engine image resource used for cluster instances.
+
+ * `machine_type_uri`: The Compute Engine machine type used for cluster instances
+
+ * `disk_config`: Disk option config settings
+
+ * `boot_disk_type`: Type of the boot disk. Valid values are "pd-ssd" or "pd-standard"
+
+ * `boot_disk_size_gb`: Size in GB of the boot disk.
+
+ * `num_local_ssds`: Number of attached SSDs, from 0 to 4.
+
+ * `is_preemptible`: Specifies if this instance group contains preemptible instances.
+
+ * `managed_group_config`: The config for Compute Engine Instance Group Manager that manages this group. This is only used for preemptible instance groups.
+
+ * `instance_template_name`: The name of the Instance Template used for the Managed Instance Group.
+
+ * `instance_group_manager_name`: The name of the Instance Group Manager for this group
+
+ * `software_config`: Specifies the selection and config of software inside the cluster
+
+ * `image_version`: The version of software inside the cluster. It must be one of the supported Cloud Dataproc Versions, such as "1.2" (including a subminor version, such as "1.2.29"), or the "preview" version.
+
+ * `properties`: The properties to set on daemon config files. Property keys are specified in the prefix:property format, for example `core:hadoop.tmp.dir`
+
+ * `optional_components`: The set of optional components to activate on the cluster. Possible values include: COMPONENT_UNSPECIFIED, ANACONDA, HIVE_WEBHCAT, JUPYTER, ZEPPELIN, HBASE, SOLR, and RANGER
+ Possible values:
+ * COMPONENT_UNSPECIFIED
+ * ANACONDA
+ * HBASE
+ * RANGER
+ * SOLR
+ * HIVE_WEBHCAT
+ * JUPYTER
+ * ZEPPELIN
+
+ * `initialization_actions`: Specifies an executable to run on a fully configured node and a timeout period for executable completion.
+
+ * `executable_file`: Cloud Storage URI of the executable file
+
+ * `execution_timeout`: Amount of time executable has to complete
+
+ * `encryption_config`: Encryption settings for the cluster.
+
+ * `gce_pd_kms_key_name`: The Cloud KMS key name to use for PD disk encryption for all instances in the cluster.
+
+ * `security_config`: Kerberos config holder.
+
+ * `kerberos_config`: Kerberos related configuration.
+
+ * `enable_kerberos`: Flag to indicate whether to Kerberize the cluster.
+
+ * `rootprincipal_password_uri`: The cloud Storage URI of a KMS encrypted file containing the root principal password.
+
+ * `kms_key_uri`: The uri of the KMS key used to encrypt various sensitive files.
+
+ * `keystore_uri`: The Cloud Storage URI of the keystore file used for SSL encryption.
+
+ * `truststore_uri`: The Cloud Storage URI of a KMS encrypted file containing the password to the user provided keystore.
+
+ * `key_password_uri`: The Cloud Storage URI of a KMS encrypted file containing the password to the user provided key.
+
+ * `truststore_password_uri`: The Cloud Storage URI of a KMS encrypted file containing the password to the user provided truststore.
+
+ * `cross_realm_trust_realm`: The remote realm the Dataproc on-cluster KDC will trust, should the user enable cross realm trust.
+
+ * `cross_realm_trust_admin_server`: The admin server (IP or hostname) for the remote trusted realm in a cross realm trust relationship.
+
+ * `cross_realm_trust_shared_password_uri`: The Cloud Storage URI of a KMS encrypted file containing the shared password between the on-cluster Kerberos realm and the remote trusted realm, in a cross realm trust relationship.
+
+ * `kdc_db_key_uri`: The Cloud Storage URI of a KMS encrypted file containing the master key of the KDC database.
+
+ * `tgt_lifetime_hours`: The lifetime of the ticket granting ticket, in hours.
+
+ * `realm`: The name of the on-cluster Kerberos realm.
+
+ * `region`: The region in which the cluster and associated nodes will be created in.
+
+ * `project_id`: The Google Cloud Platform project ID that the cluster belongs to.
+
+ * `virtual_cluster_config`: Optional. The virtual cluster config is used when creating a Dataproc cluster that does not directly control the underlying compute resources, for example, when creating a Dataproc-on-GKE cluster (https://cloud.google.com/dataproc/docs/guides/dpgke/dataproc-gke-overview). Dataproc may set default values, and values may change when clusters are updated. Exactly one of config or virtual_cluster_config must be specified.
+
+ * `status`: Output only. Cluster status.
+
+ * `status_history`: Output only. The previous cluster status.
+
+ * `cluster_uuid`: Output only. A cluster UUID (Unique Universal Identifier). Dataproc generates this value when it creates the cluster.
+
+ * `metrics`: Output only. Contains cluster daemon metrics such as HDFS and YARN stats.Beta Feature: This report is available for testing purposes only. It may be changed before final release.
+
+
+## GCP permissions
+
+Ensure the [Cloud Dataproc API](https://console.cloud.google.com/apis/library/dataproc.googleapis.com) is enabled for the current project.
diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_dataproc_clusters.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_dataproc_clusters.md
new file mode 100644
index 0000000..1b8602a
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_dataproc_clusters.md
@@ -0,0 +1,54 @@
++++
+title = "google_dataproc_clusters resource"
+
+draft = false
+
+
+[menu.gcp]
+title = "google_dataproc_clusters"
+identifier = "inspec/resources/gcp/google_dataproc_clusters resource"
+parent = "inspec/resources/gcp"
++++
+
+## Syntax
+
+A `google_dataproc_clusters` is used to test a Google Cluster resource
+
+
+## Beta Resource
+This resource has beta fields available. To retrieve these fields, include `beta: true` in the constructor for the resource.
+
+## Examples
+
+```ruby
+describe google_dataproc_clusters(project: 'chef-gcp-inspec', region: 'europe-west2') do
+ its('count') { should be >= 1 }
+ its('cluster_names') { should include 'inspec-dataproc-cluster' }
+end
+```
+
+## Properties
+
+Properties that can be accessed from the `google_dataproc_clusters` resource:
+
+See [google_dataproc_cluster](google_dataproc_cluster) for more detailed information.
+
+ * `cluster_names`: an array of `google_dataproc_cluster` cluster_name
+ * `labels`: an array of `google_dataproc_cluster` labels
+ * `configs`: an array of `google_dataproc_cluster` config
+ * `regions`: an array of `google_dataproc_cluster` region
+ * `project_ids`: an array of `google_dataproc_cluster` project_id
+ * `virtual_cluster_configs`: an array of `google_dataproc_cluster` virtual_cluster_config
+ * `statuses`: an array of `google_dataproc_cluster` status
+ * `status_histories`: an array of `google_dataproc_cluster` status_history
+ * `cluster_uuids`: an array of `google_dataproc_cluster` cluster_uuid
+ * `metrics`: an array of `google_dataproc_cluster` metrics
+
+## Filter criteria
+
+This resource supports all of the above properties as filter criteria, which can be used
+with `where` as a block or a method.
+
+## GCP permissions
+
+Ensure the [Cloud Dataproc API](https://console.cloud.google.com/apis/library/dataproc.googleapis.com) is enabled for the current project.
diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_dataproc_job.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_dataproc_job.md
new file mode 100644
index 0000000..4ca9894
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_dataproc_job.md
@@ -0,0 +1,382 @@
++++
+title = "google_dataproc_job resource"
+
+draft = false
+
+
+[menu.gcp]
+title = "google_dataproc_job"
+identifier = "inspec/resources/gcp/google_dataproc_job resource"
+parent = "inspec/resources/gcp"
++++
+
+Use the `google_dataproc_job` InSpec audit resource to to test a Google Cloud Job resource.
+
+## Examples
+
+```ruby
+describe google_dataproc_job(job_id: 'value_job_id', project_id: 'value_project_id', region: ' value_region') do
+ it { should exist }
+ its('driver_output_resource_uri') { should cmp 'value_driveroutputresourceuri' }
+ its('driver_control_files_uri') { should cmp 'value_drivercontrolfilesuri' }
+ its('job_uuid') { should cmp 'value_jobuuid' }
+end
+
+describe google_dataproc_job(job_id: 'doesnotexist', project_id: 'value_project_id', region: ' value_region') do
+ it { should_not exist }
+end
+```
+
+## Properties
+
+Properties that can be accessed from the `google_dataproc_job` resource:
+
+
+ * `reference`: Encapsulates the full scoping used to reference a job.
+
+ * `project_id`: Optional. The ID of the Google Cloud Platform project that the job belongs to. If specified, must match the request project ID.
+
+ * `job_id`: Optional. The job ID, which must be unique within the project.The ID must contain only letters (a-z, A-Z), numbers (0-9), underscores (_), or hyphens (-). The maximum length is 100 characters.If not specified by the caller, the job ID will be provided by the server.
+
+ * `placement`: Dataproc job config.
+
+ * `cluster_name`: Required. The name of the cluster where the job will be submitted.
+
+ * `cluster_uuid`: Output only. A cluster UUID generated by the Dataproc service when the job is submitted.
+
+ * `cluster_labels`: Optional. Cluster labels to identify a cluster where the job will be submitted.
+
+ * `additional_properties`:
+
+ * `hadoop_job`: A Dataproc job for running Apache Hadoop MapReduce (https://hadoop.apache.org/docs/current/hadoop-mapreduce-client/hadoop-mapreduce-client-core/MapReduceTutorial.html) jobs on Apache Hadoop YARN (https://hadoop.apache.org/docs/r2.7.1/hadoop-yarn/hadoop-yarn-site/YARN.html).
+
+ * `main_jar_file_uri`: The HCFS URI of the jar file containing the main class. Examples: 'gs://foo-bucket/analytics-binaries/extract-useful-metrics-mr.jar' 'hdfs:/tmp/test-samples/custom-wordcount.jar' 'file:///home/usr/lib/hadoop-mapreduce/hadoop-mapreduce-examples.jar'
+
+ * `main_class`: The name of the driver's main class. The jar file containing the class must be in the default CLASSPATH or specified in jar_file_uris.
+
+ * `args`: Optional. The arguments to pass to the driver. Do not include arguments, such as -libjars or -Dfoo=bar, that can be set as job properties, since a collision might occur that causes an incorrect job submission.
+
+ * `jar_file_uris`: Optional. Jar file URIs to add to the CLASSPATHs of the Hadoop driver and tasks.
+
+ * `file_uris`: Optional. HCFS (Hadoop Compatible Filesystem) URIs of files to be copied to the working directory of Hadoop drivers and distributed tasks. Useful for naively parallel tasks.
+
+ * `archive_uris`: Optional. HCFS URIs of archives to be extracted in the working directory of Hadoop drivers and tasks. Supported file types: .jar, .tar, .tar.gz, .tgz, or .zip.
+
+ * `properties`: Optional. A mapping of property names to values, used to configure Hadoop. Properties that conflict with values set by the Dataproc API might be overwritten. Can include properties set in /etc/hadoop/conf/*-site and classes in user code.
+
+ * `additional_properties`:
+
+ * `logging_config`: The runtime logging config of the job.
+
+ * `driver_log_levels`: The per-package log levels for the driver. This can include "root" package name to configure rootLogger. Examples: - 'com.google = FATAL' - 'root = INFO' - 'org.apache = DEBUG'
+
+ * `additional_properties`:
+
+ * `spark_job`: A Dataproc job for running Apache Spark (https://spark.apache.org/) applications on YARN.
+
+ * `main_jar_file_uri`: The HCFS URI of the jar file that contains the main class.
+
+ * `main_class`: The name of the driver's main class. The jar file that contains the class must be in the default CLASSPATH or specified in SparkJob.jar_file_uris.
+
+ * `args`: Optional. The arguments to pass to the driver. Do not include arguments, such as --conf, that can be set as job properties, since a collision may occur that causes an incorrect job submission.
+
+ * `jar_file_uris`: Optional. HCFS URIs of jar files to add to the CLASSPATHs of the Spark driver and tasks.
+
+ * `file_uris`: Optional. HCFS URIs of files to be placed in the working directory of each executor. Useful for naively parallel tasks.
+
+ * `archive_uris`: Optional. HCFS URIs of archives to be extracted into the working directory of each executor. Supported file types: .jar, .tar, .tar.gz, .tgz, and .zip.
+
+ * `properties`: Optional. A mapping of property names to values, used to configure Spark. Properties that conflict with values set by the Dataproc API might be overwritten. Can include properties set in /etc/spark/conf/spark-defaults.conf and classes in user code.
+
+ * `additional_properties`:
+
+ * `logging_config`: The runtime logging config of the job.
+
+ * `driver_log_levels`: The per-package log levels for the driver. This can include "root" package name to configure rootLogger. Examples: - 'com.google = FATAL' - 'root = INFO' - 'org.apache = DEBUG'
+
+ * `additional_properties`:
+
+ * `pyspark_job`: A Dataproc job for running Apache PySpark (https://spark.apache.org/docs/0.9.0/python-programming-guide.html) applications on YARN.
+
+ * `main_python_file_uri`: Required. The HCFS URI of the main Python file to use as the driver. Must be a .py file.
+
+ * `args`: Optional. The arguments to pass to the driver. Do not include arguments, such as --conf, that can be set as job properties, since a collision may occur that causes an incorrect job submission.
+
+ * `python_file_uris`: Optional. HCFS file URIs of Python files to pass to the PySpark framework. Supported file types: .py, .egg, and .zip.
+
+ * `jar_file_uris`: Optional. HCFS URIs of jar files to add to the CLASSPATHs of the Python driver and tasks.
+
+ * `file_uris`: Optional. HCFS URIs of files to be placed in the working directory of each executor. Useful for naively parallel tasks.
+
+ * `archive_uris`: Optional. HCFS URIs of archives to be extracted into the working directory of each executor. Supported file types: .jar, .tar, .tar.gz, .tgz, and .zip.
+
+ * `properties`: Optional. A mapping of property names to values, used to configure PySpark. Properties that conflict with values set by the Dataproc API might be overwritten. Can include properties set in /etc/spark/conf/spark-defaults.conf and classes in user code.
+
+ * `additional_properties`:
+
+ * `logging_config`: The runtime logging config of the job.
+
+ * `driver_log_levels`: The per-package log levels for the driver. This can include "root" package name to configure rootLogger. Examples: - 'com.google = FATAL' - 'root = INFO' - 'org.apache = DEBUG'
+
+ * `additional_properties`:
+
+ * `hive_job`: A Dataproc job for running Apache Hive (https://hive.apache.org/) queries on YARN.
+
+ * `query_file_uri`: The HCFS URI of the script that contains Hive queries.
+
+ * `query_list`: A list of queries to run on a cluster.
+
+ * `queries`: Required. The queries to execute. You do not need to end a query expression with a semicolon. Multiple queries can be specified in one string by separating each with a semicolon. Here is an example of a Dataproc API snippet that uses a QueryList to specify a HiveJob: "hiveJob": { "queryList": { "queries": [ "query1", "query2", "query3;query4", ] } }
+
+ * `continue_on_failure`: Optional. Whether to continue executing queries if a query fails. The default value is false. Setting to true can be useful when executing independent parallel queries.
+
+ * `script_variables`: Optional. Mapping of query variable names to values (equivalent to the Hive command: SET name="value";).
+
+ * `additional_properties`:
+
+ * `properties`: Optional. A mapping of property names and values, used to configure Hive. Properties that conflict with values set by the Dataproc API might be overwritten. Can include properties set in /etc/hadoop/conf/*-site.xml, /etc/hive/conf/hive-site.xml, and classes in user code.
+
+ * `additional_properties`:
+
+ * `jar_file_uris`: Optional. HCFS URIs of jar files to add to the CLASSPATH of the Hive server and Hadoop MapReduce (MR) tasks. Can contain Hive SerDes and UDFs.
+
+ * `pig_job`: A Dataproc job for running Apache Pig (https://pig.apache.org/) queries on YARN.
+
+ * `query_file_uri`: The HCFS URI of the script that contains the Pig queries.
+
+ * `query_list`: A list of queries to run on a cluster.
+
+ * `queries`: Required. The queries to execute. You do not need to end a query expression with a semicolon. Multiple queries can be specified in one string by separating each with a semicolon. Here is an example of a Dataproc API snippet that uses a QueryList to specify a HiveJob: "hiveJob": { "queryList": { "queries": [ "query1", "query2", "query3;query4", ] } }
+
+ * `continue_on_failure`: Optional. Whether to continue executing queries if a query fails. The default value is false. Setting to true can be useful when executing independent parallel queries.
+
+ * `script_variables`: Optional. Mapping of query variable names to values (equivalent to the Pig command: name=[value]).
+
+ * `additional_properties`:
+
+ * `properties`: Optional. A mapping of property names to values, used to configure Pig. Properties that conflict with values set by the Dataproc API might be overwritten. Can include properties set in /etc/hadoop/conf/*-site.xml, /etc/pig/conf/pig.properties, and classes in user code.
+
+ * `additional_properties`:
+
+ * `jar_file_uris`: Optional. HCFS URIs of jar files to add to the CLASSPATH of the Pig Client and Hadoop MapReduce (MR) tasks. Can contain Pig UDFs.
+
+ * `logging_config`: The runtime logging config of the job.
+
+ * `driver_log_levels`: The per-package log levels for the driver. This can include "root" package name to configure rootLogger. Examples: - 'com.google = FATAL' - 'root = INFO' - 'org.apache = DEBUG'
+
+ * `additional_properties`:
+
+ * `spark_r_job`: A Dataproc job for running Apache SparkR (https://spark.apache.org/docs/latest/sparkr.html) applications on YARN.
+
+ * `main_r_file_uri`: Required. The HCFS URI of the main R file to use as the driver. Must be a .R file.
+
+ * `args`: Optional. The arguments to pass to the driver. Do not include arguments, such as --conf, that can be set as job properties, since a collision may occur that causes an incorrect job submission.
+
+ * `file_uris`: Optional. HCFS URIs of files to be placed in the working directory of each executor. Useful for naively parallel tasks.
+
+ * `archive_uris`: Optional. HCFS URIs of archives to be extracted into the working directory of each executor. Supported file types: .jar, .tar, .tar.gz, .tgz, and .zip.
+
+ * `properties`: Optional. A mapping of property names to values, used to configure SparkR. Properties that conflict with values set by the Dataproc API might be overwritten. Can include properties set in /etc/spark/conf/spark-defaults.conf and classes in user code.
+
+ * `additional_properties`:
+
+ * `logging_config`: The runtime logging config of the job.
+
+ * `driver_log_levels`: The per-package log levels for the driver. This can include "root" package name to configure rootLogger. Examples: - 'com.google = FATAL' - 'root = INFO' - 'org.apache = DEBUG'
+
+ * `additional_properties`:
+
+ * `spark_sql_job`: A Dataproc job for running Apache Spark SQL (https://spark.apache.org/sql/) queries.
+
+ * `query_file_uri`: The HCFS URI of the script that contains SQL queries.
+
+ * `query_list`: A list of queries to run on a cluster.
+
+ * `queries`: Required. The queries to execute. You do not need to end a query expression with a semicolon. Multiple queries can be specified in one string by separating each with a semicolon. Here is an example of a Dataproc API snippet that uses a QueryList to specify a HiveJob: "hiveJob": { "queryList": { "queries": [ "query1", "query2", "query3;query4", ] } }
+
+ * `script_variables`: Optional. Mapping of query variable names to values (equivalent to the Spark SQL command: SET name="value";).
+
+ * `additional_properties`:
+
+ * `properties`: Optional. A mapping of property names to values, used to configure Spark SQL's SparkConf. Properties that conflict with values set by the Dataproc API might be overwritten.
+
+ * `additional_properties`:
+
+ * `jar_file_uris`: Optional. HCFS URIs of jar files to be added to the Spark CLASSPATH.
+
+ * `logging_config`: The runtime logging config of the job.
+
+ * `driver_log_levels`: The per-package log levels for the driver. This can include "root" package name to configure rootLogger. Examples: - 'com.google = FATAL' - 'root = INFO' - 'org.apache = DEBUG'
+
+ * `additional_properties`:
+
+ * `presto_job`: A Dataproc job for running Presto (https://prestosql.io/) queries. IMPORTANT: The Dataproc Presto Optional Component (https://cloud.google.com/dataproc/docs/concepts/components/presto) must be enabled when the cluster is created to submit a Presto job to the cluster.
+
+ * `query_file_uri`: The HCFS URI of the script that contains SQL queries.
+
+ * `query_list`: A list of queries to run on a cluster.
+
+ * `queries`: Required. The queries to execute. You do not need to end a query expression with a semicolon. Multiple queries can be specified in one string by separating each with a semicolon. Here is an example of a Dataproc API snippet that uses a QueryList to specify a HiveJob: "hiveJob": { "queryList": { "queries": [ "query1", "query2", "query3;query4", ] } }
+
+ * `continue_on_failure`: Optional. Whether to continue executing queries if a query fails. The default value is false. Setting to true can be useful when executing independent parallel queries.
+
+ * `output_format`: Optional. The format in which query output will be displayed. See the Presto documentation for supported output formats
+
+ * `client_tags`: Optional. Presto client tags to attach to this query
+
+ * `properties`: Optional. A mapping of property names to values. Used to set Presto session properties (https://prestodb.io/docs/current/sql/set-session.html) Equivalent to using the --session flag in the Presto CLI
+
+ * `additional_properties`:
+
+ * `logging_config`: The runtime logging config of the job.
+
+ * `driver_log_levels`: The per-package log levels for the driver. This can include "root" package name to configure rootLogger. Examples: - 'com.google = FATAL' - 'root = INFO' - 'org.apache = DEBUG'
+
+ * `additional_properties`:
+
+ * `trino_job`: A Dataproc job for running Trino (https://trino.io/) queries. IMPORTANT: The Dataproc Trino Optional Component (https://cloud.google.com/dataproc/docs/concepts/components/trino) must be enabled when the cluster is created to submit a Trino job to the cluster.
+
+ * `query_file_uri`: The HCFS URI of the script that contains SQL queries.
+
+ * `query_list`: A list of queries to run on a cluster.
+
+ * `queries`: Required. The queries to execute. You do not need to end a query expression with a semicolon. Multiple queries can be specified in one string by separating each with a semicolon. Here is an example of a Dataproc API snippet that uses a QueryList to specify a HiveJob: "hiveJob": { "queryList": { "queries": [ "query1", "query2", "query3;query4", ] } }
+
+ * `continue_on_failure`: Optional. Whether to continue executing queries if a query fails. The default value is false. Setting to true can be useful when executing independent parallel queries.
+
+ * `output_format`: Optional. The format in which query output will be displayed. See the Trino documentation for supported output formats
+
+ * `client_tags`: Optional. Trino client tags to attach to this query
+
+ * `properties`: Optional. A mapping of property names to values. Used to set Trino session properties (https://trino.io/docs/current/sql/set-session.html) Equivalent to using the --session flag in the Trino CLI
+
+ * `additional_properties`:
+
+ * `logging_config`: The runtime logging config of the job.
+
+ * `driver_log_levels`: The per-package log levels for the driver. This can include "root" package name to configure rootLogger. Examples: - 'com.google = FATAL' - 'root = INFO' - 'org.apache = DEBUG'
+
+ * `additional_properties`:
+
+ * `flink_job`: A Dataproc job for running Apache Flink applications on YARN.
+
+ * `main_jar_file_uri`: The HCFS URI of the jar file that contains the main class.
+
+ * `main_class`: The name of the driver's main class. The jar file that contains the class must be in the default CLASSPATH or specified in jarFileUris.
+
+ * `args`: Optional. The arguments to pass to the driver. Do not include arguments, such as --conf, that can be set as job properties, since a collision might occur that causes an incorrect job submission.
+
+ * `jar_file_uris`: Optional. HCFS URIs of jar files to add to the CLASSPATHs of the Flink driver and tasks.
+
+ * `savepoint_uri`: Optional. HCFS URI of the savepoint, which contains the last saved progress for starting the current job.
+
+ * `properties`: Optional. A mapping of property names to values, used to configure Flink.
Properties that conflict with values set by the Dataproc API might beoverwritten. Can include properties set in/etc/flink/conf/flink-defaults.conf and classes in user code. + + * `additional_properties`: + + * `logging_config`: The runtime logging config of the job. + + * `driver_log_levels`: The per-package log levels for the driver. This can include "root" package name to configure rootLogger. Examples: - 'com.google = FATAL' - 'root = INFO' - 'org.apache = DEBUG' + + * `additional_properties`: + + * `status`: Dataproc job status. + + * `state`: Output only. A state message specifying the overall job state. + Possible values: + * STATE_UNSPECIFIED + * PENDING + * SETUP_DONE + * RUNNING + * CANCEL_PENDING + * CANCEL_STARTED + * CANCELLED + * DONE + * ERROR + * ATTEMPT_FAILURE + + * `details`: Optional. Output only. Job state details, such as an error description if the state is ERROR. + + * `state_start_time`: Output only. The time when this state was entered. + + * `substate`: Output only. Additional state information, which includes status reported by the agent. + Possible values: + * UNSPECIFIED + * SUBMITTED + * QUEUED + * STALE_STATUS + + * `status_history`: Output only. The previous job status. + + * `state`: Output only. A state message specifying the overall job state. + Possible values: + * STATE_UNSPECIFIED + * PENDING + * SETUP_DONE + * RUNNING + * CANCEL_PENDING + * CANCEL_STARTED + * CANCELLED + * DONE + * ERROR + * ATTEMPT_FAILURE + + * `details`: Optional. Output only. Job state details, such as an error description if the state is ERROR. + + * `state_start_time`: Output only. The time when this state was entered. + + * `substate`: Output only. Additional state information, which includes status reported by the agent. + Possible values: + * UNSPECIFIED + * SUBMITTED + * QUEUED + * STALE_STATUS + + * `yarn_applications`: Output only. 
The collection of YARN applications spun up by this job.Beta Feature: This report is available for testing purposes only. It might be changed before final release. + + * `name`: Required. The application name. + + * `state`: Required. The application state. + Possible values: + * STATE_UNSPECIFIED + * NEW + * NEW_SAVING + * SUBMITTED + * ACCEPTED + * RUNNING + * FINISHED + * FAILED + * KILLED + + * `progress`: Required. The numerical progress of the application, from 1 to 100. + + * `tracking_url`: Optional. The HTTP URL of the ApplicationMaster, HistoryServer, or TimelineServer that provides application-specific information. The URL uses the internal hostname, and requires a proxy server for resolution and, possibly, access. + + * `driver_output_resource_uri`: Output only. A URI pointing to the location of the stdout of the job's driver program. + + * `driver_control_files_uri`: Output only. If present, the location of miscellaneous control files which can be used as part of job setup and handling. If not present, control files might be placed in the same location as driver_output_uri. + + * `labels`: Optional. The labels to associate with this job. Label keys must contain 1 to 63 characters, and must conform to RFC 1035 (https://www.ietf.org/rfc/rfc1035.txt). Label values can be empty, but, if present, must contain 1 to 63 characters, and must conform to RFC 1035 (https://www.ietf.org/rfc/rfc1035.txt). No more than 32 labels can be associated with a job. + + * `additional_properties`: + + * `scheduling`: Job scheduling options. + + * `max_failures_per_hour`: Optional. 
Maximum number of times per hour a driver can be restarted as a result of driver exiting with non-zero code before job is reported failed.A job might be reported as thrashing if the driver exits with a non-zero code four times within a 10-minute window.Maximum value is 10.Note: This restartable job option is not supported in Dataproc workflow templates (https://cloud.google.com/dataproc/docs/concepts/workflows/using-workflows#adding_jobs_to_a_template). + + * `max_failures_total`: Optional. Maximum total number of times a driver can be restarted as a result of the driver exiting with a non-zero code. After the maximum number is reached, the job will be reported as failed.Maximum value is 240.Note: Currently, this restartable job option is not supported in Dataproc workflow templates (https://cloud.google.com/dataproc/docs/concepts/workflows/using-workflows#adding_jobs_to_a_template). + + * `job_uuid`: Output only. A UUID that uniquely identifies a job within the project over time. This is in contrast to a user-settable reference.job_id that might be reused over time. + + * `done`: Output only. Indicates whether the job is completed. If the value is false, the job is still in progress. If true, the job is completed, and status.state field will indicate if it was successful, failed, or cancelled. + + * `driver_scheduling_config`: Driver scheduling configuration. + + * `memory_mb`: Required. The amount of memory in MB the driver is requesting. + + * `vcores`: Required. The number of vCPUs the driver is requesting. + + +## GCP permissions + +Ensure the [Cloud Dataproc API](https://console.cloud.google.com/apis/library/dataproc.googleapis.com) is enabled for the current project. diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_dataproc_jobs.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_dataproc_jobs.md new file mode 100644 index 0000000..9e74bba --- /dev/null 
+++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_dataproc_jobs.md 
@@ -0,0 +1,62 @@ ++++ +title = "google_dataproc_jobs resource" + +draft = false + + +[menu.gcp] +title = "google_dataproc_jobs" +identifier = "inspec/resources/gcp/google_dataproc_jobs resource" +parent = "inspec/resources/gcp" ++++ + +Use the `google_dataproc_jobs` InSpec audit resource to to test a Google Cloud Job resource. + +## Examples + +```ruby + describe google_dataproc_jobs(project_id: 'value_project_id', region: 'value_region') do + it { should exist } + its('driver_output_resource_uris') { should include 'value_driveroutputresourceuri' } + its('driver_control_files_uris') { should include 'value_drivercontrolfilesuri' } + its('job_uuids') { should include 'value_jobuuid' } + end +``` + +## Properties + +Properties that can be accessed from the `google_dataproc_jobs` resource: + +See [google_dataproc_job](google_dataproc_job) for more detailed information. + +* `references`: an array of `google_dataproc_job` reference +* `placements`: an array of `google_dataproc_job` placement +* `hadoop_jobs`: an array of `google_dataproc_job` hadoop_job +* `spark_jobs`: an array of `google_dataproc_job` spark_job +* `pyspark_jobs`: an array of `google_dataproc_job` pyspark_job +* `hive_jobs`: an array of `google_dataproc_job` hive_job +* `pig_jobs`: an array of `google_dataproc_job` pig_job +* `spark_r_jobs`: an array of `google_dataproc_job` spark_r_job +* `spark_sql_jobs`: an array of `google_dataproc_job` spark_sql_job +* `presto_jobs`: an array of `google_dataproc_job` presto_job +* `trino_jobs`: an array of `google_dataproc_job` trino_job +* `flink_jobs`: an array of `google_dataproc_job` flink_job +* `statuses`: an array of `google_dataproc_job` status +* `status_histories`: an array of `google_dataproc_job` status_history +* `yarn_applications`: an array of `google_dataproc_job` yarn_applications +* `driver_output_resource_uris`: an array of `google_dataproc_job` driver_output_resource_uri +* `driver_control_files_uris`: an array of `google_dataproc_job` 
driver_control_files_uri +* `labels`: an array of `google_dataproc_job` labels +* `schedulings`: an array of `google_dataproc_job` scheduling +* `job_uuids`: an array of `google_dataproc_job` job_uuid +* `dones`: an array of `google_dataproc_job` done +* `driver_scheduling_configs`: an array of `google_dataproc_job` driver_scheduling_config + +## Filter criteria + +This resource supports all of the above properties as filter criteria, which can be used +with `where` as a block or a method. + +## GCP permissions + +Ensure the [Cloud Dataproc API](https://console.cloud.google.com/apis/library/dataproc.googleapis.com) is enabled for the current project. diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_dataproc_metastore_federation.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_dataproc_metastore_federation.md new file mode 100644 index 0000000..8c0829e --- /dev/null +++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_dataproc_metastore_federation.md 
@@ -0,0 +1,79 @@ ++++ +title = "google_dataproc_metastore_federation resource" + +draft = false + + + +[menu.gcp] +title = "google_dataproc_metastore_federation" +identifier = "inspec/resources/gcp/google_dataproc_metastore_federation resource" +parent = "inspec/resources/gcp" ++++ + +Use the `google_dataproc_metastore_federation` InSpec audit resource to test the properties of a Google Cloud Federation resource. + +## Examples + +```ruby +describe google_dataproc_metastore_federation(name: 'value_name') do + it { should exist } + its('name') { should cmp 'value_name' } + its('create_time') { should cmp 'value_createtime' } + its('update_time') { should cmp 'value_updatetime' } + its('version') { should cmp 'value_version' } + its('endpoint_uri') { should cmp 'value_endpointuri' } + its('state') { should cmp 'value_state' } + its('state_message') { should cmp 'value_statemessage' } + its('uid') { should cmp 'value_uid' } +end + +describe google_dataproc_metastore_federation(name: "does_not_exit") do + it { should_not exist } +end +``` + +## Parameters + +Parameters that can be accessed from the `google_dataproc_metastore_federation` resource: + +## Properties + +Properties that can be accessed from the `google_dataproc_metastore_federation` resource: + + + * `name`: Immutable. The relative resource name of the federation, of the form: projects/{project_number}/locations/{location_id}/federations/{federation_id}`. + + * `create_time`: Output only. The time when the metastore federation was created. + + * `update_time`: Output only. The time when the metastore federation was last updated. + + * `labels`: User-defined labels for the metastore federation. + + * `additional_properties`: + + * `version`: Immutable. The Apache Hive metastore version of the federation. All backend metastore versions must be compatible with the federation version. 
+ + * `backend_metastores`: A map from BackendMetastore rank to BackendMetastores from which the federation service serves metadata at query time. The map key represents the order in which BackendMetastores should be evaluated to resolve database names at query time and should be greater than or equal to zero. A BackendMetastore with a lower number will be evaluated before a BackendMetastore with a higher number. + + * `additional_properties`: Represents a backend metastore for the federation. + + * `endpoint_uri`: Output only. The federation endpoint. + + * `state`: Output only. The current state of the federation. + Possible values: + * STATE_UNSPECIFIED + * CREATING + * ACTIVE + * UPDATING + * DELETING + * ERROR + + * `state_message`: Output only. Additional information about the current state of the metastore federation, if available. + + * `uid`: Output only. The globally unique resource identifier of the metastore federation. + + +## GCP permissions + +Ensure the [Dataproc Metastore API](https://console.cloud.google.com/apis/library/metastore.googleapis.com) is enabled for the current project. diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_dataproc_metastore_federations.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_dataproc_metastore_federations.md new file mode 100644 index 0000000..159c35d --- /dev/null +++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_dataproc_metastore_federations.md 
@@ -0,0 +1,73 @@ ++++ +title = "google_dataproc_metastore_federations resource" + +draft = false + + + +[menu.gcp] +title = "google_dataproc_metastore_federations" +identifier = "inspec/resources/gcp/google_dataproc_metastore_federations resource" +parent = "inspec/resources/gcp" ++++ + +Use the `google_dataproc_metastore_federations` InSpec audit resource to test the properties of a Google Cloud Federation resource. + +## Examples + +```ruby + describe google_dataproc_metastore_federations(parent: 'value_parent') do + it { should exist } + its('names') { should include 'value_name' } + its('create_times') { should include 'value_createtime' } + its('update_times') { should include 'value_updatetime' } + its('versions') { should include 'value_version' } + its('endpoint_uris') { should include 'value_endpointuri' } + its('states') { should include 'value_state' } + its('state_messages') { should include 'value_statemessage' } + its('uids') { should include 'value_uid' } + end +``` + +## Parameters + +Parameters that can be accessed from the `google_dataproc_metastore_federations` resource: + +See [google_dataproc_metastore_federation](google_dataproc_metastore_federation) for more detailed information. 
+ +* `names`: an array of `google_dataproc_metastore_federation` name +* `create_times`: an array of `google_dataproc_metastore_federation` create_time +* `update_times`: an array of `google_dataproc_metastore_federation` update_time +* `labels`: an array of `google_dataproc_metastore_federation` labels +* `versions`: an array of `google_dataproc_metastore_federation` version +* `backend_metastores`: an array of `google_dataproc_metastore_federation` backend_metastores +* `endpoint_uris`: an array of `google_dataproc_metastore_federation` endpoint_uri +* `states`: an array of `google_dataproc_metastore_federation` state +* `state_messages`: an array of `google_dataproc_metastore_federation` state_message +* `uids`: an array of `google_dataproc_metastore_federation` uid + +## Properties + +Properties that can be accessed from the `google_dataproc_metastore_federations` resource: + +See [google_dataproc_metastore_federation](google_dataproc_metastore_federation) for more detailed information. + +* `names`: an array of `google_dataproc_metastore_federation` name +* `create_times`: an array of `google_dataproc_metastore_federation` create_time +* `update_times`: an array of `google_dataproc_metastore_federation` update_time +* `labels`: an array of `google_dataproc_metastore_federation` labels +* `versions`: an array of `google_dataproc_metastore_federation` version +* `backend_metastores`: an array of `google_dataproc_metastore_federation` backend_metastores +* `endpoint_uris`: an array of `google_dataproc_metastore_federation` endpoint_uri +* `states`: an array of `google_dataproc_metastore_federation` state +* `state_messages`: an array of `google_dataproc_metastore_federation` state_message +* `uids`: an array of `google_dataproc_metastore_federation` uid + +## Filter criteria + +This resource supports all of the above properties as filter criteria, which can be used +with `where` as a block or a method. 
+ +## GCP permissions + +Ensure the [Dataproc Metastore API](https://console.cloud.google.com/apis/library/metastore.googleapis.com) is enabled for the current project. diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_dataproc_metastore_service.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_dataproc_metastore_service.md new file mode 100644 index 0000000..b8da2e4 --- /dev/null +++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_dataproc_metastore_service.md 
@@ -0,0 +1,287 @@ ++++ +title = "google_dataproc_metastore_service resource" + +draft = false + + + +[menu.gcp] +title = "google_dataproc_metastore_service" +identifier = "inspec/resources/gcp/google_dataproc_metastore_service resource" +parent = "inspec/resources/gcp" ++++ + +Use the `google_dataproc_metastore_service` InSpec audit resource to test the properties of a Google Cloud Service resource. + +## Examples + +```ruby +describe google_dataproc_metastore_service(name: 'value_name') do + it { should exist } + its('name') { should cmp 'value_name' } + its('create_time') { should cmp 'value_createtime' } + its('update_time') { should cmp 'value_updatetime' } + its('network') { should cmp 'value_network' } + its('endpoint_uri') { should cmp 'value_endpointuri' } + its('state') { should cmp 'value_state' } + its('state_message') { should cmp 'value_statemessage' } + its('artifact_gcs_uri') { should cmp 'value_artifactgcsuri' } + its('tier') { should cmp 'value_tier' } + its('uid') { should cmp 'value_uid' } + its('release_channel') { should cmp 'value_releasechannel' } + its('database_type') { should cmp 'value_databasetype' } +end + +describe google_dataproc_metastore_service(name: "does_not_exit") do + it { should_not exist } +end +``` + +## Parameters + +Parameters that can be accessed from the `google_dataproc_metastore_service` resource: + +## Properties + +Properties that can be accessed from the `google_dataproc_metastore_service` resource: + + + * `hive_metastore_config`: Specifies configuration information specific to running Hive metastore software as the metastore service. + + * `version`: Immutable. The Hive metastore schema version. + + * `config_overrides`: A mapping of Hive metastore configuration key-value pairs to apply to the Hive metastore (configured in hive-site.xml). The mappings override system defaults (some keys cannot be overridden). 
These overrides are also applied to auxiliary versions and can be further customized in the auxiliary version's AuxiliaryVersionConfig. + + * `additional_properties`: + + * `kerberos_config`: Configuration information for a Kerberos principal. + + * `keytab`: A securely stored value. + + * `cloud_secret`: The relative resource name of a Secret Manager secret version, in the following form:projects/{project_number}/secrets/{secret_id}/versions/{version_id}. + + * `principal`: A Kerberos principal that exists in the both the keytab the KDC to authenticate as. A typical principal is of the form primary/instance@REALM, but there is no exact format. + + * `krb5_config_gcs_uri`: A Cloud Storage URI that specifies the path to a krb5.conf file. It is of the form gs://{bucket_name}/path/to/krb5.conf, although the file does not need to be named krb5.conf explicitly. + + * `endpoint_protocol`: The protocol to use for the metastore service endpoint. If unspecified, defaults to THRIFT. + Possible values: + * ENDPOINT_PROTOCOL_UNSPECIFIED + * THRIFT + * GRPC + + * `auxiliary_versions`: A mapping of Hive metastore version to the auxiliary version configuration. When specified, a secondary Hive metastore service is created along with the primary service. All auxiliary versions must be less than the service's primary version. The key is the auxiliary service name and it must match the regular expression a-z?. This means that the first character must be a lowercase letter, and all the following characters must be hyphens, lowercase letters, or digits, except the last character, which cannot be a hyphen. + + * `additional_properties`: Configuration information for the auxiliary service versions. + + * `name`: Immutable. The relative resource name of the metastore service, in the following format:projects/{project_number}/locations/{location_id}/services/{service_id}. + + * `create_time`: Output only. The time when the metastore service was created. + + * `update_time`: Output only. 
The time when the metastore service was last updated. + + * `labels`: User-defined labels for the metastore service. + + * `additional_properties`: + + * `network`: Immutable. The relative resource name of the VPC network on which the instance can be accessed. It is specified in the following form:projects/{project_number}/global/networks/{network_id}. + + * `endpoint_uri`: Output only. The URI of the endpoint used to access the metastore service. + + * `port`: The TCP port at which the metastore service is reached. Default: 9083. + + * `state`: Output only. The current state of the metastore service. + Possible values: + * STATE_UNSPECIFIED + * CREATING + * ACTIVE + * SUSPENDING + * SUSPENDED + * UPDATING + * DELETING + * ERROR + * MIGRATING + + * `state_message`: Output only. Additional information about the current state of the metastore service, if available. + + * `artifact_gcs_uri`: Output only. A Cloud Storage URI (starting with gs://) that specifies where artifacts related to the metastore service are stored. + + * `tier`: The tier of the service. + Possible values: + * TIER_UNSPECIFIED + * DEVELOPER + * ENTERPRISE + + * `metadata_integration`: Specifies how metastore metadata should be integrated with external services. + + * `data_catalog_config`: Specifies how metastore metadata should be integrated with the Data Catalog service. + + * `enabled`: Optional. Defines whether the metastore metadata should be synced to Data Catalog. The default value is to disable syncing metastore metadata to Data Catalog. + + * `dataplex_config`: Specifies how metastore metadata should be integrated with the Dataplex service. + + * `lake_resources`: A reference to the Lake resources that this metastore service is attached to. The key is the lake resource name. Example: projects/{project_number}/locations/{location_id}/lakes/{lake_id}. + + * `additional_properties`: Represents a Lake resource + + * `maintenance_window`: Maintenance window. 
This specifies when Dataproc Metastore may perform system maintenance operation to the service. + + * `hour_of_day`: The hour of day (0-23) when the window starts. + + * `day_of_week`: The day of week, when the window starts. + Possible values: + * DAY_OF_WEEK_UNSPECIFIED + * MONDAY + * TUESDAY + * WEDNESDAY + * THURSDAY + * FRIDAY + * SATURDAY + * SUNDAY + + * `uid`: Output only. The globally unique resource identifier of the metastore service. + + * `metadata_management_activity`: The metadata management activities of the metastore service. + + * `metadata_exports`: Output only. The latest metadata exports of the metastore service. + + * `destination_gcs_uri`: Output only. A Cloud Storage URI of a folder that metadata are exported to, in the form of gs:////, where is automatically generated. + + * `start_time`: Output only. The time when the export started. + + * `end_time`: Output only. The time when the export ended. + + * `state`: Output only. The current state of the export. + Possible values: + * STATE_UNSPECIFIED + * RUNNING + * SUCCEEDED + * FAILED + * CANCELLED + + * `database_dump_type`: Output only. The type of the database dump. + Possible values: + * TYPE_UNSPECIFIED + * MYSQL + * AVRO + + * `restores`: Output only. The latest restores of the metastore service. + + * `start_time`: Output only. The time when the restore started. + + * `end_time`: Output only. The time when the restore ended. + + * `state`: Output only. The current state of the restore. + Possible values: + * STATE_UNSPECIFIED + * RUNNING + * SUCCEEDED + * FAILED + * CANCELLED + + * `backup`: Output only. The relative resource name of the metastore service backup to restore from, in the following form:projects/{project_id}/locations/{location_id}/services/{service_id}/backups/{backup_id}. + + * `type`: Output only. The type of restore. + Possible values: + * RESTORE_TYPE_UNSPECIFIED + * FULL + * METADATA_ONLY + + * `details`: Output only. 
The restore details containing the revision of the service to be restored to, in format of JSON. + + * `backup_location`: Optional. A Cloud Storage URI specifying where the backup artifacts are stored, in the format gs:///. + + * `release_channel`: Immutable. The release channel of the service. If unspecified, defaults to STABLE. + Possible values: + * RELEASE_CHANNEL_UNSPECIFIED + * CANARY + * STABLE + + * `encryption_config`: Encryption settings for the service. + + * `kms_key`: The fully qualified customer provided Cloud KMS key name to use for customer data encryption, in the following format:projects/{project_number}/locations/{location_id}/keyRings/{key_ring_id}/cryptoKeys/{crypto_key_id}. + + * `network_config`: Network configuration for the Dataproc Metastore service. + + * `consumers`: Immutable. The consumer-side network configuration for the Dataproc Metastore instance. + + * `subnetwork`: Immutable. The subnetwork of the customer project from which an IP address is reserved and used as the Dataproc Metastore service's endpoint. It is accessible to hosts in the subnet and to all hosts in a subnet in the same region and same network. There must be at least one IP address available in the subnet's primary range. The subnet is specified in the following form:projects/{project_number}/regions/{region_id}/subnetworks/{subnetwork_id} + + * `endpoint_uri`: Output only. The URI of the endpoint used to access the metastore service. + + * `endpoint_location`: Output only. The location of the endpoint URI. Format: projects/{project}/locations/{location}. + + * `custom_routes_enabled`: Enables custom routes to be imported and exported for the Dataproc Metastore service's peered VPC network. + + * `database_type`: Immutable. The database type that the Metastore service stores its data. + Possible values: + * DATABASE_TYPE_UNSPECIFIED + * MYSQL + * SPANNER + + * `telemetry_config`: Telemetry Configuration for the Dataproc Metastore service. 
+ + * `log_format`: The output format of the Dataproc Metastore service's logs. + Possible values: + * LOG_FORMAT_UNSPECIFIED + * LEGACY + * JSON + + * `scaling_config`: Represents the scaling configuration of a metastore service. + + * `instance_size`: An enum of readable instance sizes, with each instance size mapping to a float value (e.g. InstanceSize.EXTRA_SMALL = scaling_factor(0.1)) + Possible values: + * INSTANCE_SIZE_UNSPECIFIED + * EXTRA_SMALL + * SMALL + * MEDIUM + * LARGE + * EXTRA_LARGE + + * `scaling_factor`: Scaling factor, increments of 0.1 for values less than 1.0, and increments of 1.0 for values greater than 1.0. + + * `autoscaling_config`: Represents the autoscaling configuration of a metastore service. + + * `autoscaling_factor`: Output only. The scaling factor of a service with autoscaling enabled. + + * `autoscaling_enabled`: Optional. Whether or not autoscaling is enabled for this service. + + * `limit_config`: Represents the autoscaling limit configuration of a metastore service. + + * `max_scaling_factor`: Optional. The highest scaling factor that the service should be autoscaled to. + + * `min_scaling_factor`: Optional. The lowest scaling factor that the service should be autoscaled to. + + * `scheduled_backup`: This specifies the configuration of scheduled backup. + + * `enabled`: Optional. Defines whether the scheduled backup is enabled. The default value is false. + + * `cron_schedule`: Optional. The scheduled interval in Cron format, see https://en.wikipedia.org/wiki/Cron The default is empty: scheduled backup is not enabled. Must be specified to enable scheduled backups. + + * `time_zone`: Optional. Specifies the time zone to be used when interpreting cron_schedule. Must be a time zone name from the time zone database (https://en.wikipedia.org/wiki/List_of_tz_database_time_zones), e.g. America/Los_Angeles or Africa/Abidjan. If left unspecified, the default is UTC. + + * `next_scheduled_time`: Output only. 
The time when the next backups execution is scheduled to start. + + * `backup_location`: Optional. A Cloud Storage URI of a folder, in the format gs:///. A sub-folder containing backup files will be stored below it. + + * `latest_backup`: The details of the latest scheduled backup. + + * `backup_id`: Output only. The ID of an in-progress scheduled backup. Empty if no backup is in progress. + + * `start_time`: Output only. The time when the backup was started. + + * `state`: Output only. The current state of the backup. + Possible values: + * STATE_UNSPECIFIED + * IN_PROGRESS + * SUCCEEDED + * FAILED + + * `duration`: Output only. The duration of the backup completion. + + * `deletion_protection`: Optional. Indicates if the dataproc metastore should be protected against accidental deletions. + + +## GCP permissions + +Ensure the [Dataproc Metastore API](https://console.cloud.google.com/apis/library/metastore.googleapis.com) is enabled for the current project. diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_dataproc_metastore_service_backup.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_dataproc_metastore_service_backup.md new file mode 100644 index 0000000..fb8a223 --- /dev/null +++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_dataproc_metastore_service_backup.md 
@@ -0,0 +1,301 @@ ++++ +title = "google_dataproc_metastore_service_backup resource" + +draft = false + + + +[menu.gcp] +title = "google_dataproc_metastore_service_backup" +identifier = "inspec/resources/gcp/google_dataproc_metastore_service_backup resource" +parent = "inspec/resources/gcp" ++++ + +Use the `google_dataproc_metastore_service_backup` InSpec audit resource to test the properties of a Google Cloud ServiceBackup resource. + +## Examples + +```ruby +describe google_dataproc_metastore_service_backup(name: 'value_name') do + it { should exist } + its('name') { should cmp 'value_name' } + its('create_time') { should cmp 'value_createtime' } + its('end_time') { should cmp 'value_endtime' } + its('state') { should cmp 'value_state' } + its('description') { should cmp 'value_description' } +end + +describe google_dataproc_metastore_service_backup(name: "does_not_exit") do + it { should_not exist } +end +``` + +## Parameters + +Parameters that can be accessed from the `google_dataproc_metastore_service_backup` resource: + +## Properties + +Properties that can be accessed from the `google_dataproc_metastore_service_backup` resource: + + + * `name`: Immutable. The relative resource name of the backup, in the following form:projects/{project_number}/locations/{location_id}/services/{service_id}/backups/{backup_id} + + * `create_time`: Output only. The time when the backup was started. + + * `end_time`: Output only. The time when the backup finished creating. + + * `state`: Output only. The current state of the backup. + Possible values: + * STATE_UNSPECIFIED + * CREATING + * DELETING + * ACTIVE + * FAILED + * RESTORING + + * `service_revision`: A managed metastore service that serves metadata queries. + + * `hive_metastore_config`: Specifies configuration information specific to running Hive metastore software as the metastore service. + + * `version`: Immutable. The Hive metastore schema version. 
+ + * `config_overrides`: A mapping of Hive metastore configuration key-value pairs to apply to the Hive metastore (configured in hive-site.xml). The mappings override system defaults (some keys cannot be overridden). These overrides are also applied to auxiliary versions and can be further customized in the auxiliary version's AuxiliaryVersionConfig. + + * `additional_properties`: + + * `kerberos_config`: Configuration information for a Kerberos principal. + + * `keytab`: A securely stored value. + + * `cloud_secret`: The relative resource name of a Secret Manager secret version, in the following form:projects/{project_number}/secrets/{secret_id}/versions/{version_id}. + + * `principal`: A Kerberos principal that exists in the both the keytab the KDC to authenticate as. A typical principal is of the form primary/instance@REALM, but there is no exact format. + + * `krb5_config_gcs_uri`: A Cloud Storage URI that specifies the path to a krb5.conf file. It is of the form gs://{bucket_name}/path/to/krb5.conf, although the file does not need to be named krb5.conf explicitly. + + * `endpoint_protocol`: The protocol to use for the metastore service endpoint. If unspecified, defaults to THRIFT. + Possible values: + * ENDPOINT_PROTOCOL_UNSPECIFIED + * THRIFT + * GRPC + + * `auxiliary_versions`: A mapping of Hive metastore version to the auxiliary version configuration. When specified, a secondary Hive metastore service is created along with the primary service. All auxiliary versions must be less than the service's primary version. The key is the auxiliary service name and it must match the regular expression a-z?. This means that the first character must be a lowercase letter, and all the following characters must be hyphens, lowercase letters, or digits, except the last character, which cannot be a hyphen. + + * `additional_properties`: Configuration information for the auxiliary service versions. + + * `name`: Immutable. 
The relative resource name of the metastore service, in the following format:projects/{project_number}/locations/{location_id}/services/{service_id}. + + * `create_time`: Output only. The time when the metastore service was created. + + * `update_time`: Output only. The time when the metastore service was last updated. + + * `labels`: User-defined labels for the metastore service. + + * `additional_properties`: + + * `network`: Immutable. The relative resource name of the VPC network on which the instance can be accessed. It is specified in the following form:projects/{project_number}/global/networks/{network_id}. + + * `endpoint_uri`: Output only. The URI of the endpoint used to access the metastore service. + + * `port`: The TCP port at which the metastore service is reached. Default: 9083. + + * `state`: Output only. The current state of the metastore service. + Possible values: + * STATE_UNSPECIFIED + * CREATING + * ACTIVE + * SUSPENDING + * SUSPENDED + * UPDATING + * DELETING + * ERROR + * MIGRATING + + * `state_message`: Output only. Additional information about the current state of the metastore service, if available. + + * `artifact_gcs_uri`: Output only. A Cloud Storage URI (starting with gs://) that specifies where artifacts related to the metastore service are stored. + + * `tier`: The tier of the service. + Possible values: + * TIER_UNSPECIFIED + * DEVELOPER + * ENTERPRISE + + * `metadata_integration`: Specifies how metastore metadata should be integrated with external services. + + * `data_catalog_config`: Specifies how metastore metadata should be integrated with the Data Catalog service. + + * `enabled`: Optional. Defines whether the metastore metadata should be synced to Data Catalog. The default value is to disable syncing metastore metadata to Data Catalog. + + * `dataplex_config`: Specifies how metastore metadata should be integrated with the Dataplex service. 
+ + * `lake_resources`: A reference to the Lake resources that this metastore service is attached to. The key is the lake resource name. Example: projects/{project_number}/locations/{location_id}/lakes/{lake_id}. + + * `additional_properties`: Represents a Lake resource + + * `maintenance_window`: Maintenance window. This specifies when Dataproc Metastore may perform system maintenance operation to the service. + + * `hour_of_day`: The hour of day (0-23) when the window starts. + + * `day_of_week`: The day of week, when the window starts. + Possible values: + * DAY_OF_WEEK_UNSPECIFIED + * MONDAY + * TUESDAY + * WEDNESDAY + * THURSDAY + * FRIDAY + * SATURDAY + * SUNDAY + + * `uid`: Output only. The globally unique resource identifier of the metastore service. + + * `metadata_management_activity`: The metadata management activities of the metastore service. + + * `metadata_exports`: Output only. The latest metadata exports of the metastore service. + + * `destination_gcs_uri`: Output only. A Cloud Storage URI of a folder that metadata are exported to, in the form of gs:////, where is automatically generated. + + * `start_time`: Output only. The time when the export started. + + * `end_time`: Output only. The time when the export ended. + + * `state`: Output only. The current state of the export. + Possible values: + * STATE_UNSPECIFIED + * RUNNING + * SUCCEEDED + * FAILED + * CANCELLED + + * `database_dump_type`: Output only. The type of the database dump. + Possible values: + * TYPE_UNSPECIFIED + * MYSQL + * AVRO + + * `restores`: Output only. The latest restores of the metastore service. + + * `start_time`: Output only. The time when the restore started. + + * `end_time`: Output only. The time when the restore ended. + + * `state`: Output only. The current state of the restore. + Possible values: + * STATE_UNSPECIFIED + * RUNNING + * SUCCEEDED + * FAILED + * CANCELLED + + * `backup`: Output only. 
The relative resource name of the metastore service backup to restore from, in the following form:projects/{project_id}/locations/{location_id}/services/{service_id}/backups/{backup_id}. + + * `type`: Output only. The type of restore. + Possible values: + * RESTORE_TYPE_UNSPECIFIED + * FULL + * METADATA_ONLY + + * `details`: Output only. The restore details containing the revision of the service to be restored to, in format of JSON. + + * `backup_location`: Optional. A Cloud Storage URI specifying where the backup artifacts are stored, in the format gs:///. + + * `release_channel`: Immutable. The release channel of the service. If unspecified, defaults to STABLE. + Possible values: + * RELEASE_CHANNEL_UNSPECIFIED + * CANARY + * STABLE + + * `encryption_config`: Encryption settings for the service. + + * `kms_key`: The fully qualified customer provided Cloud KMS key name to use for customer data encryption, in the following format:projects/{project_number}/locations/{location_id}/keyRings/{key_ring_id}/cryptoKeys/{crypto_key_id}. + + * `network_config`: Network configuration for the Dataproc Metastore service. + + * `consumers`: Immutable. The consumer-side network configuration for the Dataproc Metastore instance. + + * `subnetwork`: Immutable. The subnetwork of the customer project from which an IP address is reserved and used as the Dataproc Metastore service's endpoint. It is accessible to hosts in the subnet and to all hosts in a subnet in the same region and same network. There must be at least one IP address available in the subnet's primary range. The subnet is specified in the following form:projects/{project_number}/regions/{region_id}/subnetworks/{subnetwork_id} + + * `endpoint_uri`: Output only. The URI of the endpoint used to access the metastore service. + + * `endpoint_location`: Output only. The location of the endpoint URI. Format: projects/{project}/locations/{location}. 
+ + * `custom_routes_enabled`: Enables custom routes to be imported and exported for the Dataproc Metastore service's peered VPC network. + + * `database_type`: Immutable. The database type that the Metastore service stores its data. + Possible values: + * DATABASE_TYPE_UNSPECIFIED + * MYSQL + * SPANNER + + * `telemetry_config`: Telemetry Configuration for the Dataproc Metastore service. + + * `log_format`: The output format of the Dataproc Metastore service's logs. + Possible values: + * LOG_FORMAT_UNSPECIFIED + * LEGACY + * JSON + + * `scaling_config`: Represents the scaling configuration of a metastore service. + + * `instance_size`: An enum of readable instance sizes, with each instance size mapping to a float value (e.g. InstanceSize.EXTRA_SMALL = scaling_factor(0.1)) + Possible values: + * INSTANCE_SIZE_UNSPECIFIED + * EXTRA_SMALL + * SMALL + * MEDIUM + * LARGE + * EXTRA_LARGE + + * `scaling_factor`: Scaling factor, increments of 0.1 for values less than 1.0, and increments of 1.0 for values greater than 1.0. + + * `autoscaling_config`: Represents the autoscaling configuration of a metastore service. + + * `autoscaling_factor`: Output only. The scaling factor of a service with autoscaling enabled. + + * `autoscaling_enabled`: Optional. Whether or not autoscaling is enabled for this service. + + * `limit_config`: Represents the autoscaling limit configuration of a metastore service. + + * `max_scaling_factor`: Optional. The highest scaling factor that the service should be autoscaled to. + + * `min_scaling_factor`: Optional. The lowest scaling factor that the service should be autoscaled to. + + * `scheduled_backup`: This specifies the configuration of scheduled backup. + + * `enabled`: Optional. Defines whether the scheduled backup is enabled. The default value is false. + + * `cron_schedule`: Optional. The scheduled interval in Cron format, see https://en.wikipedia.org/wiki/Cron The default is empty: scheduled backup is not enabled. 
Must be specified to enable scheduled backups. + + * `time_zone`: Optional. Specifies the time zone to be used when interpreting cron_schedule. Must be a time zone name from the time zone database (https://en.wikipedia.org/wiki/List_of_tz_database_time_zones), e.g. America/Los_Angeles or Africa/Abidjan. If left unspecified, the default is UTC. + + * `next_scheduled_time`: Output only. The time when the next backups execution is scheduled to start. + + * `backup_location`: Optional. A Cloud Storage URI of a folder, in the format gs:///. A sub-folder containing backup files will be stored below it. + + * `latest_backup`: The details of the latest scheduled backup. + + * `backup_id`: Output only. The ID of an in-progress scheduled backup. Empty if no backup is in progress. + + * `start_time`: Output only. The time when the backup was started. + + * `state`: Output only. The current state of the backup. + Possible values: + * STATE_UNSPECIFIED + * IN_PROGRESS + * SUCCEEDED + * FAILED + + * `duration`: Output only. The duration of the backup completion. + + * `deletion_protection`: Optional. Indicates if the dataproc metastore should be protected against accidental deletions. + + * `description`: The description of the backup. + + * `restoring_services`: Output only. Services that are restoring from the backup. + + +## GCP permissions + +Ensure the [Dataproc Metastore API](https://console.cloud.google.com/apis/library/metastore.googleapis.com) is enabled for the current project. diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_dataproc_metastore_service_backups.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_dataproc_metastore_service_backups.md new file mode 100644 index 0000000..7e298d9 --- /dev/null +++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_dataproc_metastore_service_backups.md 
@@ -0,0 +1,64 @@ ++++ +title = "google_dataproc_metastore_service_backups resource" + +draft = false + + + +[menu.gcp] +title = "google_dataproc_metastore_service_backups" +identifier = "inspec/resources/gcp/google_dataproc_metastore_service_backups resource" +parent = "inspec/resources/gcp" ++++ + +Use the `google_dataproc_metastore_service_backups` InSpec audit resource to test the properties of a Google Cloud ServiceBackup resource. + +## Examples + +```ruby + describe google_dataproc_metastore_service_backups(parent: ' value_parent') do + it { should exist } + its('names') { should include 'value_name' } + its('create_times') { should include 'value_createtime' } + its('end_times') { should include 'value_endtime' } + its('states') { should include 'value_state' } + its('descriptions') { should include 'value_description' } + end +``` + +## Parameters + +Parameters that can be accessed from the `google_dataproc_metastore_service_backups` resource: + +See [google_dataproc_metastore_service_backup](google_dataproc_metastore_service_backup) for more detailed information. + +* `names`: an array of `google_dataproc_metastore_service_backup` name +* `create_times`: an array of `google_dataproc_metastore_service_backup` create_time +* `end_times`: an array of `google_dataproc_metastore_service_backup` end_time +* `states`: an array of `google_dataproc_metastore_service_backup` state +* `service_revisions`: an array of `google_dataproc_metastore_service_backup` service_revision +* `descriptions`: an array of `google_dataproc_metastore_service_backup` description +* `restoring_services`: an array of `google_dataproc_metastore_service_backup` restoring_services + +## Properties + +Properties that can be accessed from the `google_dataproc_metastore_service_backups` resource: + +See [google_dataproc_metastore_service_backup](google_dataproc_metastore_service_backup) for more detailed information. 
+ +* `names`: an array of `google_dataproc_metastore_service_backup` name +* `create_times`: an array of `google_dataproc_metastore_service_backup` create_time +* `end_times`: an array of `google_dataproc_metastore_service_backup` end_time +* `states`: an array of `google_dataproc_metastore_service_backup` state +* `service_revisions`: an array of `google_dataproc_metastore_service_backup` service_revision +* `descriptions`: an array of `google_dataproc_metastore_service_backup` description +* `restoring_services`: an array of `google_dataproc_metastore_service_backup` restoring_services + +## Filter criteria + +This resource supports all of the above properties as filter criteria, which can be used +with `where` as a block or a method. + +## GCP permissions + +Ensure the [Dataproc Metastore API](https://console.cloud.google.com/apis/library/metastore.googleapis.com) is enabled for the current project. diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_dataproc_metastore_services.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_dataproc_metastore_services.md new file mode 100644 index 0000000..2cf586e --- /dev/null +++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_dataproc_metastore_services.md 
@@ -0,0 +1,105 @@ ++++ +title = "google_dataproc_metastore_services resource" + +draft = false + + + +[menu.gcp] +title = "google_dataproc_metastore_services" +identifier = "inspec/resources/gcp/google_dataproc_metastore_services resource" +parent = "inspec/resources/gcp" ++++ + +Use the `google_dataproc_metastore_services` InSpec audit resource to test the properties of a Google Cloud Service resource. + +## Examples + +```ruby + describe google_dataproc_metastore_services(parent: ' value_parent') do + it { should exist } + its('names') { should include 'value_name' } + its('create_times') { should include 'value_createtime' } + its('update_times') { should include 'value_updatetime' } + its('networks') { should include 'value_network' } + its('endpoint_uris') { should include 'value_endpointuri' } + its('states') { should include 'value_state' } + its('state_messages') { should include 'value_statemessage' } + its('artifact_gcs_uris') { should include 'value_artifactgcsuri' } + its('tiers') { should include 'value_tier' } + its('uids') { should include 'value_uid' } + its('release_channels') { should include 'value_releasechannel' } + its('database_types') { should include 'value_databasetype' } + end +``` + +## Parameters + +Parameters that can be accessed from the `google_dataproc_metastore_services` resource: + +See [google_dataproc_metastore_service](google_dataproc_metastore_service) for more detailed information. 
+ +* `hive_metastore_configs`: an array of `google_dataproc_metastore_service` hive_metastore_config +* `names`: an array of `google_dataproc_metastore_service` name +* `create_times`: an array of `google_dataproc_metastore_service` create_time +* `update_times`: an array of `google_dataproc_metastore_service` update_time +* `labels`: an array of `google_dataproc_metastore_service` labels +* `networks`: an array of `google_dataproc_metastore_service` network +* `endpoint_uris`: an array of `google_dataproc_metastore_service` endpoint_uri +* `ports`: an array of `google_dataproc_metastore_service` port +* `states`: an array of `google_dataproc_metastore_service` state +* `state_messages`: an array of `google_dataproc_metastore_service` state_message +* `artifact_gcs_uris`: an array of `google_dataproc_metastore_service` artifact_gcs_uri +* `tiers`: an array of `google_dataproc_metastore_service` tier +* `metadata_integrations`: an array of `google_dataproc_metastore_service` metadata_integration +* `maintenance_windows`: an array of `google_dataproc_metastore_service` maintenance_window +* `uids`: an array of `google_dataproc_metastore_service` uid +* `metadata_management_activities`: an array of `google_dataproc_metastore_service` metadata_management_activity +* `release_channels`: an array of `google_dataproc_metastore_service` release_channel +* `encryption_configs`: an array of `google_dataproc_metastore_service` encryption_config +* `network_configs`: an array of `google_dataproc_metastore_service` network_config +* `database_types`: an array of `google_dataproc_metastore_service` database_type +* `telemetry_configs`: an array of `google_dataproc_metastore_service` telemetry_config +* `scaling_configs`: an array of `google_dataproc_metastore_service` scaling_config +* `scheduled_backups`: an array of `google_dataproc_metastore_service` scheduled_backup +* `deletion_protections`: an array of `google_dataproc_metastore_service` deletion_protection + +## 
Properties + +Properties that can be accessed from the `google_dataproc_metastore_services` resource: + +See [google_dataproc_metastore_service](google_dataproc_metastore_service) for more detailed information. + +* `hive_metastore_configs`: an array of `google_dataproc_metastore_service` hive_metastore_config +* `names`: an array of `google_dataproc_metastore_service` name +* `create_times`: an array of `google_dataproc_metastore_service` create_time +* `update_times`: an array of `google_dataproc_metastore_service` update_time +* `labels`: an array of `google_dataproc_metastore_service` labels +* `networks`: an array of `google_dataproc_metastore_service` network +* `endpoint_uris`: an array of `google_dataproc_metastore_service` endpoint_uri +* `ports`: an array of `google_dataproc_metastore_service` port +* `states`: an array of `google_dataproc_metastore_service` state +* `state_messages`: an array of `google_dataproc_metastore_service` state_message +* `artifact_gcs_uris`: an array of `google_dataproc_metastore_service` artifact_gcs_uri +* `tiers`: an array of `google_dataproc_metastore_service` tier +* `metadata_integrations`: an array of `google_dataproc_metastore_service` metadata_integration +* `maintenance_windows`: an array of `google_dataproc_metastore_service` maintenance_window +* `uids`: an array of `google_dataproc_metastore_service` uid +* `metadata_management_activities`: an array of `google_dataproc_metastore_service` metadata_management_activity +* `release_channels`: an array of `google_dataproc_metastore_service` release_channel +* `encryption_configs`: an array of `google_dataproc_metastore_service` encryption_config +* `network_configs`: an array of `google_dataproc_metastore_service` network_config +* `database_types`: an array of `google_dataproc_metastore_service` database_type +* `telemetry_configs`: an array of `google_dataproc_metastore_service` telemetry_config +* `scaling_configs`: an array of `google_dataproc_metastore_service` 
scaling_config +* `scheduled_backups`: an array of `google_dataproc_metastore_service` scheduled_backup +* `deletion_protections`: an array of `google_dataproc_metastore_service` deletion_protection + +## Filter criteria + +This resource supports all of the above properties as filter criteria, which can be used +with `where` as a block or a method. + +## GCP permissions + +Ensure the [Dataproc Metastore API](https://console.cloud.google.com/apis/library/metastore.googleapis.com) is enabled for the current project. diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_dataproc_session.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_dataproc_session.md new file mode 100644 index 0000000..4726dcc --- /dev/null +++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_dataproc_session.md 
@@ -0,0 +1,184 @@ ++++ +title = "google_dataproc_session resource" + +draft = false + + + +[menu.gcp] +title = "google_dataproc_session" +identifier = "inspec/resources/gcp/google_dataproc_session resource" +parent = "inspec/resources/gcp" ++++ + +Use the `google_dataproc_session` InSpec audit resource to test the properties of a Google Cloud Session resource. + +## Examples + +```ruby +describe google_dataproc_session(name: ' value_name') do + it { should exist } + its('name') { should cmp 'value_name' } + its('uuid') { should cmp 'value_uuid' } + its('create_time') { should cmp 'value_createtime' } + its('state') { should cmp 'value_state' } + its('state_message') { should cmp 'value_statemessage' } + its('state_time') { should cmp 'value_statetime' } + its('creator') { should cmp 'value_creator' } + its('user') { should cmp 'value_user' } + its('session_template') { should cmp 'value_sessiontemplate' } + +end + +describe google_dataproc_session(name: "does_not_exit") do + it { should_not exist } +end +``` + +## Parameters + +Parameters that can be accessed from the `google_dataproc_session` resource: + +## Properties + +Properties that can be accessed from the `google_dataproc_session` resource: + + + * `name`: Required. The resource name of the session. + + * `uuid`: Output only. A session UUID (Unique Universal Identifier). The service generates this value when it creates the session. + + * `create_time`: Output only. The time when the session was created. + + * `jupyter_session`: Jupyter configuration for an interactive session. + + * `kernel`: Optional. Kernel + Possible values: + * KERNEL_UNSPECIFIED + * PYTHON + * SCALA + + * `display_name`: Optional. Display name, shown in the Jupyter kernelspec card. + + * `runtime_info`: Runtime information about workload execution. + + * `endpoints`: Output only. Map of remote access endpoints (such as web interfaces and APIs) to their URIs. + + * `additional_properties`: + + * `output_uri`: Output only. 
A URI pointing to the location of the stdout and stderr of the workload. + + * `diagnostic_output_uri`: Output only. A URI pointing to the location of the diagnostics tarball. + + * `approximate_usage`: Usage metrics represent approximate total resources consumed by a workload. + + * `milli_dcu_seconds`: Optional. DCU (Dataproc Compute Units) usage in (milliDCU x seconds) (see Dataproc Serverless pricing (https://cloud.google.com/dataproc-serverless/pricing)). + + * `shuffle_storage_gb_seconds`: Optional. Shuffle storage usage in (GB x seconds) (see Dataproc Serverless pricing (https://cloud.google.com/dataproc-serverless/pricing)). + + * `milli_accelerator_seconds`: Optional. Accelerator usage in (milliAccelerator x seconds) (see Dataproc Serverless pricing (https://cloud.google.com/dataproc-serverless/pricing)). + + * `accelerator_type`: Optional. Accelerator type being used, if any + + * `current_usage`: The usage snapshot represents the resources consumed by a workload at a specified time. + + * `milli_dcu`: Optional. Milli (one-thousandth) Dataproc Compute Units (DCUs) (see Dataproc Serverless pricing (https://cloud.google.com/dataproc-serverless/pricing)). + + * `shuffle_storage_gb`: Optional. Shuffle Storage in gigabytes (GB). (see Dataproc Serverless pricing (https://cloud.google.com/dataproc-serverless/pricing)) + + * `milli_dcu_premium`: Optional. Milli (one-thousandth) Dataproc Compute Units (DCUs) charged at premium tier (see Dataproc Serverless pricing (https://cloud.google.com/dataproc-serverless/pricing)). + + * `shuffle_storage_gb_premium`: Optional. Shuffle Storage in gigabytes (GB) charged at premium tier. (see Dataproc Serverless pricing (https://cloud.google.com/dataproc-serverless/pricing)) + + * `milli_accelerator`: Optional. Milli (one-thousandth) accelerator. (see Dataproc Serverless pricing (https://cloud.google.com/dataproc-serverless/pricing)) + + * `accelerator_type`: Optional. 
Accelerator type being used, if any + + * `snapshot_time`: Optional. The timestamp of the usage snapshot. + + * `state`: Output only. A state of the session. + Possible values: + * STATE_UNSPECIFIED + * CREATING + * ACTIVE + * TERMINATING + * TERMINATED + * FAILED + + * `state_message`: Output only. Session state details, such as the failure description if the state is FAILED. + + * `state_time`: Output only. The time when the session entered the current state. + + * `creator`: Output only. The email address of the user who created the session. + + * `labels`: Optional. The labels to associate with the session. Label keys must contain 1 to 63 characters, and must conform to RFC 1035 (https://www.ietf.org/rfc/rfc1035.txt). Label values may be empty, but, if present, must contain 1 to 63 characters, and must conform to RFC 1035 (https://www.ietf.org/rfc/rfc1035.txt). No more than 32 labels can be associated with a session. + + * `additional_properties`: + + * `runtime_config`: Runtime configuration for a workload. + + * `version`: Optional. Version of the batch runtime. + + * `container_image`: Optional. Optional custom container image for the job runtime environment. If not specified, a default container image will be used. + + * `properties`: Optional. A mapping of property names to values, which are used to configure workload execution. + + * `additional_properties`: + + * `repository_config`: Configuration for dependency repositories + + * `pypi_repository_config`: Configuration for PyPi repository + + * `pypi_repository`: Optional. PyPi repository address + + * `environment_config`: Environment configuration for a workload. + + * `execution_config`: Execution configuration for a workload. + + * `service_account`: Optional. Service account that used to execute workload. + + * `network_uri`: Optional. Network URI to connect workload to. + + * `subnetwork_uri`: Optional. Subnetwork URI to connect workload to. + + * `network_tags`: Optional. 
Tags used for network traffic control. + + * `kms_key`: Optional. The Cloud KMS key to use for encryption. + + * `idle_ttl`: Optional. Applies to sessions only. The duration to keep the session alive while it's idling. Exceeding this threshold causes the session to terminate. This field cannot be set on a batch workload. Minimum value is 10 minutes; maximum value is 14 days (see JSON representation of Duration (https://developers.google.com/protocol-buffers/docs/proto3#json)). Defaults to 1 hour if not set. If both ttl and idle_ttl are specified for an interactive session, the conditions are treated as OR conditions: the workload will be terminated when it has been idle for idle_ttl or when ttl has been exceeded, whichever occurs first. + + * `ttl`: Optional. The duration after which the workload will be terminated, specified as the JSON representation for Duration (https://protobuf.dev/programming-guides/proto3/#json). When the workload exceeds this duration, it will be unconditionally terminated without waiting for ongoing work to finish. If ttl is not specified for a batch workload, the workload will be allowed to run until it exits naturally (or run forever without exiting). If ttl is not specified for an interactive session, it defaults to 24 hours. If ttl is not specified for a batch that uses 2.1+ runtime version, it defaults to 4 hours. Minimum value is 10 minutes; maximum value is 14 days. If both ttl and idle_ttl are specified (for an interactive session), the conditions are treated as OR conditions: the workload will be terminated when it has been idle for idle_ttl or when ttl has been exceeded, whichever occurs first. + + * `staging_bucket`: Optional. A Cloud Storage bucket used to stage workload dependencies, config files, and store workload output and other ephemeral data, such as Spark history files. 
If you do not specify a staging bucket, Cloud Dataproc will determine a Cloud Storage location according to the region where your workload is running, and then create and manage project-level, per-location staging and temporary buckets. This field requires a Cloud Storage bucket name, not a gs://... URI to a Cloud Storage bucket. + + * `peripherals_config`: Auxiliary services configuration for a workload. + + * `metastore_service`: Optional. Resource name of an existing Dataproc Metastore service.Example: projects/[project_id]/locations/[region]/services/[service_id] + + * `spark_history_server_config`: Spark History Server configuration for the workload. + + * `dataproc_cluster`: Optional. Resource name of an existing Dataproc Cluster to act as a Spark History Server for the workload.Example: projects/[project_id]/regions/[region]/clusters/[cluster_name] + + * `user`: Optional. The email address of the user who owns the session. + + * `state_history`: Output only. Historical state information for the session. + + * `state`: Output only. The state of the session at this point in the session history. + Possible values: + * STATE_UNSPECIFIED + * CREATING + * ACTIVE + * TERMINATING + * TERMINATED + * FAILED + + * `state_message`: Output only. Details about the state at this point in the session history. + + * `state_start_time`: Output only. The time when the session entered the historical state. + + * `session_template`: Optional. The session template used by the session.Only resource names, including project ID and location, are valid.Example: * https://www.googleapis.com/compute/v1/projects/[project_id]/locations/[dataproc_region]/sessionTemplates/[template_id] * projects/[project_id]/locations/[dataproc_region]/sessionTemplates/[template_id]The template must be in the same project and Dataproc region as the session. 
+ + +## GCP permissions + +Ensure the [Cloud Dataproc API](https://console.cloud.google.com/apis/library/dataproc.googleapis.com) is enabled for the current project. diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_dataproc_sessions.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_dataproc_sessions.md new file mode 100644 index 0000000..d823c9f --- /dev/null +++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_dataproc_sessions.md 
@@ -0,0 +1,75 @@ ++++ +title = "google_dataproc_sessions resource" + +draft = false + + + +[menu.gcp] +title = "google_dataproc_sessions" +identifier = "inspec/resources/gcp/google_dataproc_sessions resource" +parent = "inspec/resources/gcp" ++++ + +Use the `google_dataproc_sessions` InSpec audit resource to test the properties of a Google Cloud Session resource. + +## Examples + +```ruby + describe google_dataproc_sessions(parent: ' value_parent') do + it { should exist } + end +``` + +## Parameters + +Parameters that can be accessed from the `google_dataproc_sessions` resource: + +See [google_dataproc_session](google_dataproc_session) for more detailed information. + +* `names`: an array of `google_dataproc_session` name +* `uuids`: an array of `google_dataproc_session` uuid +* `create_times`: an array of `google_dataproc_session` create_time +* `jupyter_sessions`: an array of `google_dataproc_session` jupyter_session +* `runtime_infos`: an array of `google_dataproc_session` runtime_info +* `states`: an array of `google_dataproc_session` state +* `state_messages`: an array of `google_dataproc_session` state_message +* `state_times`: an array of `google_dataproc_session` state_time +* `creators`: an array of `google_dataproc_session` creator +* `labels`: an array of `google_dataproc_session` labels +* `runtime_configs`: an array of `google_dataproc_session` runtime_config +* `environment_configs`: an array of `google_dataproc_session` environment_config +* `users`: an array of `google_dataproc_session` user +* `state_histories`: an array of `google_dataproc_session` state_history +* `session_templates`: an array of `google_dataproc_session` session_template + +## Properties + +Properties that can be accessed from the `google_dataproc_sessions` resource: + +See [google_dataproc_session](google_dataproc_session) for more detailed information. 
+
+* `names`: an array of `google_dataproc_session` name
+* `uuids`: an array of `google_dataproc_session` uuid
+* `create_times`: an array of `google_dataproc_session` create_time
+* `jupyter_sessions`: an array of `google_dataproc_session` jupyter_session
+* `runtime_infos`: an array of `google_dataproc_session` runtime_info
+* `states`: an array of `google_dataproc_session` state
+* `state_messages`: an array of `google_dataproc_session` state_message
+* `state_times`: an array of `google_dataproc_session` state_time
+* `creators`: an array of `google_dataproc_session` creator
+* `labels`: an array of `google_dataproc_session` labels
+* `runtime_configs`: an array of `google_dataproc_session` runtime_config
+* `environment_configs`: an array of `google_dataproc_session` environment_config
+* `users`: an array of `google_dataproc_session` user
+* `state_histories`: an array of `google_dataproc_session` state_history
+* `session_templates`: an array of `google_dataproc_session` session_template
+
+## Filter criteria
+
+This resource supports all of the above properties as filter criteria, which can be used
+with `where` as a block or a method.
+
+## GCP permissions
+
+Ensure the [Cloud Dataproc API](https://console.cloud.google.com/apis/library/dataproc.googleapis.com) is enabled for the current project.
diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_dataproc_workflow_template.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_dataproc_workflow_template.md
new file mode 100644
index 0000000..d2ac6bb
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_dataproc_workflow_template.md
@@ -0,0 +1,875 @@ ++++ +title = "google_dataproc_workflow_template resource" + +draft = false + + +[menu.gcp] +title = "google_dataproc_workflow_template" +identifier = "inspec/resources/gcp/google_dataproc_workflow_template resource" +parent = "inspec/resources/gcp" ++++ + +Use the `google_dataproc_workflow_template` InSpec audit resource to to test a Google Cloud WorkflowTemplate resource. + +## Examples + +```ruby +describe google_dataproc_workflow_template(name: 'value_name') do + it { should exist } + its('id') { should cmp 'value_id' } + its('name') { should cmp 'value_name' } + its('create_time') { should cmp 'value_createtime' } + its('update_time') { should cmp 'value_updatetime' } + its('dag_timeout') { should cmp 'value_dagtimeout' } + +end + +describe google_dataproc_workflow_template(name: "does_not_exit") do + it { should_not exist } +end +``` + +## Properties + +Properties that can be accessed from the `google_dataproc_workflow_template` resource: + + + * `id`: + + * `name`: Output only. The resource name of the workflow template, as described in https://cloud.google.com/apis/design/resource_names. For projects.regions.workflowTemplates, the resource name of the template has the following format: projects/{project_id}/regions/{region}/workflowTemplates/{template_id} For projects.locations.workflowTemplates, the resource name of the template has the following format: projects/{project_id}/locations/{location}/workflowTemplates/{template_id} + + * `version`: Optional. Used to perform a consistent read-modify-write.This field should be left blank for a CreateWorkflowTemplate request. It is required for an UpdateWorkflowTemplate request, and must match the current server version. A typical update template flow would fetch the current template with a GetWorkflowTemplate request, which will return the current template with the version field filled in with the current server version. 
The user updates other fields in the template, then returns it as part of the UpdateWorkflowTemplate request. + + * `create_time`: Output only. The time template was created. + + * `update_time`: Output only. The time template was last updated. + + * `labels`: Optional. The labels to associate with this template. These labels will be propagated to all jobs and clusters created by the workflow instance.Label keys must contain 1 to 63 characters, and must conform to RFC 1035 (https://www.ietf.org/rfc/rfc1035.txt).Label values may be empty, but, if present, must contain 1 to 63 characters, and must conform to RFC 1035 (https://www.ietf.org/rfc/rfc1035.txt).No more than 32 labels can be associated with a template. + + * `additional_properties`: + + * `placement`: Specifies workflow execution target.Either managed_cluster or cluster_selector is required. + + * `managed_cluster`: Cluster that is managed by the workflow. + + * `cluster_name`: Required. The cluster name prefix. A unique cluster name will be formed by appending a random suffix.The name must contain only lower-case letters (a-z), numbers (0-9), and hyphens (-). Must begin with a letter. Cannot begin or end with hyphen. Must consist of between 2 and 35 characters. + + * `config`: The cluster config. + + * `config_bucket`: Optional. A Cloud Storage bucket used to stage job dependencies, config files, and job driver console output. If you do not specify a staging bucket, Cloud Dataproc will determine a Cloud Storage location (US, ASIA, or EU) for your cluster's staging bucket according to the Compute Engine zone where your cluster is deployed, and then create and manage this project-level, per-location bucket (see Dataproc staging and temp buckets (https://cloud.google.com/dataproc/docs/concepts/configuring-clusters/staging-bucket)). This field requires a Cloud Storage bucket name, not a gs://... URI to a Cloud Storage bucket. + + * `temp_bucket`: Optional. 
A Cloud Storage bucket used to store ephemeral cluster and jobs data, such as Spark and MapReduce history files. If you do not specify a temp bucket, Dataproc will determine a Cloud Storage location (US, ASIA, or EU) for your cluster's temp bucket according to the Compute Engine zone where your cluster is deployed, and then create and manage this project-level, per-location bucket. The default bucket has a TTL of 90 days, but you can use any TTL (or none) if you specify a bucket (see Dataproc staging and temp buckets (https://cloud.google.com/dataproc/docs/concepts/configuring-clusters/staging-bucket)). This field requires a Cloud Storage bucket name, not a gs://... URI to a Cloud Storage bucket. + + * `gce_cluster_config`: Common config settings for resources of Compute Engine cluster instances, applicable to all instances in the cluster. + + * `zone_uri`: Optional. The Compute Engine zone where the Dataproc cluster will be located. If omitted, the service will pick a zone in the cluster's Compute Engine region. On a get request, zone will always be present.A full URL, partial URI, or short name are valid. Examples: https://www.googleapis.com/compute/v1/projects/[project_id]/zones/[zone] projects/[project_id]/zones/[zone] [zone] + + * `network_uri`: Optional. The Compute Engine network to be used for machine communications. Cannot be specified with subnetwork_uri. If neither network_uri nor subnetwork_uri is specified, the "default" network of the project is used, if it exists. Cannot be a "Custom Subnet Network" (see Using Subnetworks (https://cloud.google.com/compute/docs/subnetworks) for more information).A full URL, partial URI, or short name are valid. Examples: https://www.googleapis.com/compute/v1/projects/[project_id]/global/networks/default projects/[project_id]/global/networks/default default + + * `subnetwork_uri`: Optional. The Compute Engine subnetwork to be used for machine communications. 
Cannot be specified with network_uri.A full URL, partial URI, or short name are valid. Examples: https://www.googleapis.com/compute/v1/projects/[project_id]/regions/[region]/subnetworks/sub0 projects/[project_id]/regions/[region]/subnetworks/sub0 sub0 + + * `internal_ip_only`: Optional. This setting applies to subnetwork-enabled networks. It is set to true by default in clusters created with image versions 2.2.x.When set to true: All cluster VMs have internal IP addresses. Google Private Access (https://cloud.google.com/vpc/docs/private-google-access) must be enabled to access Dataproc and other Google Cloud APIs. Off-cluster dependencies must be configured to be accessible without external IP addresses.When set to false: Cluster VMs are not restricted to internal IP addresses. Ephemeral external IP addresses are assigned to each cluster VM. + + * `private_ipv6_google_access`: Optional. The type of IPv6 access for a cluster. + Possible values: + * PRIVATE_IPV6_GOOGLE_ACCESS_UNSPECIFIED + * INHERIT_FROM_SUBNETWORK + * OUTBOUND + * BIDIRECTIONAL + + * `service_account`: Optional. The Dataproc service account (https://cloud.google.com/dataproc/docs/concepts/configuring-clusters/service-accounts#service_accounts_in_dataproc) (also see VM Data Plane identity (https://cloud.google.com/dataproc/docs/concepts/iam/dataproc-principals#vm_service_account_data_plane_identity)) used by Dataproc cluster VM instances to access Google Cloud Platform services.If not specified, the Compute Engine default service account (https://cloud.google.com/compute/docs/access/service-accounts#default_service_account) is used. + + * `service_account_scopes`: Optional. The URIs of service account scopes to be included in Compute Engine instances. 
The following base set of scopes is always included: https://www.googleapis.com/auth/cloud.useraccounts.readonly https://www.googleapis.com/auth/devstorage.read_write https://www.googleapis.com/auth/logging.writeIf no scopes are specified, the following defaults are also provided: https://www.googleapis.com/auth/bigquery https://www.googleapis.com/auth/bigtable.admin.table https://www.googleapis.com/auth/bigtable.data https://www.googleapis.com/auth/devstorage.full_control + + * `tags`: The Compute Engine tags to add to all instances (see Tagging instances (https://cloud.google.com/compute/docs/label-or-tag-resources#tags)). + + * `metadata`: Optional. The Compute Engine metadata entries to add to all instances (see Project and instance metadata (https://cloud.google.com/compute/docs/storing-retrieving-metadata#project_and_instance_metadata)). + + * `additional_properties`: + + * `reservation_affinity`: Reservation Affinity for consuming Zonal reservation. + + * `consume_reservation_type`: Optional. Type of reservation to consume + Possible values: + * TYPE_UNSPECIFIED + * NO_RESERVATION + * ANY_RESERVATION + * SPECIFIC_RESERVATION + + * `key`: Optional. Corresponds to the label key of reservation resource. + + * `values`: Optional. Corresponds to the label values of reservation resource. + + * `node_group_affinity`: Node Group Affinity for clusters using sole-tenant node groups. The Dataproc NodeGroupAffinity resource is not related to the Dataproc NodeGroup resource. + + * `node_group_uri`: Required. The URI of a sole-tenant node group resource (https://cloud.google.com/compute/docs/reference/rest/v1/nodeGroups) that the cluster will be created on.A full URL, partial URI, or node group name are valid. 
Examples: https://www.googleapis.com/compute/v1/projects/[project_id]/zones/[zone]/nodeGroups/node-group-1 projects/[project_id]/zones/[zone]/nodeGroups/node-group-1 node-group-1 + + * `shielded_instance_config`: Shielded Instance Config for clusters using Compute Engine Shielded VMs (https://cloud.google.com/security/shielded-cloud/shielded-vm). + + * `enable_secure_boot`: Optional. Defines whether instances have Secure Boot enabled. + + * `enable_vtpm`: Optional. Defines whether instances have the vTPM enabled. + + * `enable_integrity_monitoring`: Optional. Defines whether instances have integrity monitoring enabled. + + * `confidential_instance_config`: Confidential Instance Config for clusters using Confidential VMs (https://cloud.google.com/compute/confidential-vm/docs) + + * `enable_confidential_compute`: Optional. Defines whether the instance should have confidential compute enabled. + + * `master_config`: The config settings for Compute Engine resources in an instance group, such as a master or worker group. + + * `num_instances`: Optional. The number of VM instances in the instance group. For HA cluster master_config groups, must be set to 3. For standard cluster master_config groups, must be set to 1. + + * `instance_names`: Output only. The list of instance names. Dataproc derives the names from cluster_name, num_instances, and the instance group. + + * `instance_references`: Output only. List of references to Compute Engine instances. + + * `instance_name`: The user-friendly name of the Compute Engine instance. + + * `instance_id`: The unique identifier of the Compute Engine instance. + + * `public_key`: The public RSA key used for sharing data with this instance. + + * `public_ecies_key`: The public ECIES key used for sharing data with this instance. + + * `image_uri`: Optional. 
The Compute Engine image resource used for cluster instances.The URI can represent an image or image family.Image examples: https://www.googleapis.com/compute/v1/projects/[project_id]/global/images/[image-id] projects/[project_id]/global/images/[image-id] image-idImage family examples. Dataproc will use the most recent image from the family: https://www.googleapis.com/compute/v1/projects/[project_id]/global/images/family/[custom-image-family-name] projects/[project_id]/global/images/family/[custom-image-family-name]If the URI is unspecified, it will be inferred from SoftwareConfig.image_version or the system default. + + * `machine_type_uri`: Optional. The Compute Engine machine type used for cluster instances.A full URL, partial URI, or short name are valid. Examples: https://www.googleapis.com/compute/v1/projects/[project_id]/zones/[zone]/machineTypes/n1-standard-2 projects/[project_id]/zones/[zone]/machineTypes/n1-standard-2 n1-standard-2Auto Zone Exception: If you are using the Dataproc Auto Zone Placement (https://cloud.google.com/dataproc/docs/concepts/configuring-clusters/auto-zone#using_auto_zone_placement) feature, you must use the short name of the machine type resource, for example, n1-standard-2. + + * `disk_config`: Specifies the config of disk options for a group of VM instances. + + * `boot_disk_type`: Optional. Type of the boot disk (default is "pd-standard"). Valid values: "pd-balanced" (Persistent Disk Balanced Solid State Drive), "pd-ssd" (Persistent Disk Solid State Drive), or "pd-standard" (Persistent Disk Hard Disk Drive). See Disk types (https://cloud.google.com/compute/docs/disks#disk-types). + + * `boot_disk_size_gb`: Optional. Size in GB of the boot disk (default is 500GB). + + * `num_local_ssds`: Optional. Number of attached SSDs, from 0 to 8 (default is 0). If SSDs are not attached, the boot disk is used to store runtime logs and HDFS (https://hadoop.apache.org/docs/r1.2.1/hdfs_user_guide.html) data. 
If one or more SSDs are attached, this runtime bulk data is spread across them, and the boot disk contains only basic config and installed binaries.Note: Local SSD options may vary by machine type and number of vCPUs selected. + + * `local_ssd_interface`: Optional. Interface type of local SSDs (default is "scsi"). Valid values: "scsi" (Small Computer System Interface), "nvme" (Non-Volatile Memory Express). See local SSD performance (https://cloud.google.com/compute/docs/disks/local-ssd#performance). + + * `is_preemptible`: Output only. Specifies that this instance group contains preemptible instances. + + * `preemptibility`: Optional. Specifies the preemptibility of the instance group.The default value for master and worker groups is NON_PREEMPTIBLE. This default cannot be changed.The default value for secondary instances is PREEMPTIBLE. + Possible values: + * PREEMPTIBILITY_UNSPECIFIED + * NON_PREEMPTIBLE + * PREEMPTIBLE + * SPOT + + * `managed_group_config`: Specifies the resources used to actively manage an instance group. + + * `instance_template_name`: Output only. The name of the Instance Template used for the Managed Instance Group. + + * `instance_group_manager_name`: Output only. The name of the Instance Group Manager for this group. + + * `instance_group_manager_uri`: Output only. The partial URI to the instance group manager for this group. E.g. projects/my-project/regions/us-central1/instanceGroupManagers/my-igm. + + * `accelerators`: Optional. The Compute Engine accelerator configuration for these instances. + + * `accelerator_type_uri`: Full URL, partial URI, or short name of the accelerator type resource to expose to this instance. 
See Compute Engine AcceleratorTypes (https://cloud.google.com/compute/docs/reference/v1/acceleratorTypes).Examples: https://www.googleapis.com/compute/v1/projects/[project_id]/zones/[zone]/acceleratorTypes/nvidia-tesla-t4 projects/[project_id]/zones/[zone]/acceleratorTypes/nvidia-tesla-t4 nvidia-tesla-t4Auto Zone Exception: If you are using the Dataproc Auto Zone Placement (https://cloud.google.com/dataproc/docs/concepts/configuring-clusters/auto-zone#using_auto_zone_placement) feature, you must use the short name of the accelerator type resource, for example, nvidia-tesla-t4. + + * `accelerator_count`: The number of the accelerator cards of this type exposed to this instance. + + * `min_cpu_platform`: Optional. Specifies the minimum cpu platform for the Instance Group. See Dataproc -> Minimum CPU Platform (https://cloud.google.com/dataproc/docs/concepts/compute/dataproc-min-cpu). + + * `min_num_instances`: Optional. The minimum number of primary worker instances to create. If min_num_instances is set, cluster creation will succeed if the number of primary workers created is at least equal to the min_num_instances number.Example: Cluster creation request with num_instances = 5 and min_num_instances = 3: If 4 VMs are created and 1 instance fails, the failed VM is deleted. The cluster is resized to 4 instances and placed in a RUNNING state. If 2 instances are created and 3 instances fail, the cluster in placed in an ERROR state. The failed VMs are not deleted. + + * `instance_flexibility_policy`: Instance flexibility Policy allowing a mixture of VM shapes and provisioning models. + + * `instance_selection_list`: Optional. List of instance selection options that the group will use when creating new VMs. + + * `machine_types`: Optional. Full machine-type names, e.g. "n1-standard-16". + + * `rank`: Optional. Preference of this instance selection. Lower number means higher preference. 
Dataproc will first try to create a VM based on the machine-type with priority rank and fallback to next rank based on availability. Machine types and instance selections with the same priority have the same preference. + + * `instance_selection_results`: Output only. A list of instance selection results in the group. + + * `machine_type`: Output only. Full machine-type names, e.g. "n1-standard-16". + + * `vm_count`: Output only. Number of VM provisioned with the machine_type. + + * `startup_config`: Configuration to handle the startup of instances during cluster create and update process. + + * `required_registration_fraction`: Optional. The config setting to enable cluster creation/ updation to be successful only after required_registration_fraction of instances are up and running. This configuration is applicable to only secondary workers for now. The cluster will fail if required_registration_fraction of instances are not available. This will include instance creation, agent registration, and service registration (if enabled). + + * `worker_config`: The config settings for Compute Engine resources in an instance group, such as a master or worker group. + + * `num_instances`: Optional. The number of VM instances in the instance group. For HA cluster master_config groups, must be set to 3. For standard cluster master_config groups, must be set to 1. + + * `instance_names`: Output only. The list of instance names. Dataproc derives the names from cluster_name, num_instances, and the instance group. + + * `instance_references`: Output only. List of references to Compute Engine instances. + + * `instance_name`: The user-friendly name of the Compute Engine instance. + + * `instance_id`: The unique identifier of the Compute Engine instance. + + * `public_key`: The public RSA key used for sharing data with this instance. + + * `public_ecies_key`: The public ECIES key used for sharing data with this instance. + + * `image_uri`: Optional. 
The Compute Engine image resource used for cluster instances.The URI can represent an image or image family.Image examples: https://www.googleapis.com/compute/v1/projects/[project_id]/global/images/[image-id] projects/[project_id]/global/images/[image-id] image-idImage family examples. Dataproc will use the most recent image from the family: https://www.googleapis.com/compute/v1/projects/[project_id]/global/images/family/[custom-image-family-name] projects/[project_id]/global/images/family/[custom-image-family-name]If the URI is unspecified, it will be inferred from SoftwareConfig.image_version or the system default. + + * `machine_type_uri`: Optional. The Compute Engine machine type used for cluster instances.A full URL, partial URI, or short name are valid. Examples: https://www.googleapis.com/compute/v1/projects/[project_id]/zones/[zone]/machineTypes/n1-standard-2 projects/[project_id]/zones/[zone]/machineTypes/n1-standard-2 n1-standard-2Auto Zone Exception: If you are using the Dataproc Auto Zone Placement (https://cloud.google.com/dataproc/docs/concepts/configuring-clusters/auto-zone#using_auto_zone_placement) feature, you must use the short name of the machine type resource, for example, n1-standard-2. + + * `disk_config`: Specifies the config of disk options for a group of VM instances. + + * `boot_disk_type`: Optional. Type of the boot disk (default is "pd-standard"). Valid values: "pd-balanced" (Persistent Disk Balanced Solid State Drive), "pd-ssd" (Persistent Disk Solid State Drive), or "pd-standard" (Persistent Disk Hard Disk Drive). See Disk types (https://cloud.google.com/compute/docs/disks#disk-types). + + * `boot_disk_size_gb`: Optional. Size in GB of the boot disk (default is 500GB). + + * `num_local_ssds`: Optional. Number of attached SSDs, from 0 to 8 (default is 0). If SSDs are not attached, the boot disk is used to store runtime logs and HDFS (https://hadoop.apache.org/docs/r1.2.1/hdfs_user_guide.html) data. 
If one or more SSDs are attached, this runtime bulk data is spread across them, and the boot disk contains only basic config and installed binaries.Note: Local SSD options may vary by machine type and number of vCPUs selected. + + * `local_ssd_interface`: Optional. Interface type of local SSDs (default is "scsi"). Valid values: "scsi" (Small Computer System Interface), "nvme" (Non-Volatile Memory Express). See local SSD performance (https://cloud.google.com/compute/docs/disks/local-ssd#performance). + + * `is_preemptible`: Output only. Specifies that this instance group contains preemptible instances. + + * `preemptibility`: Optional. Specifies the preemptibility of the instance group.The default value for master and worker groups is NON_PREEMPTIBLE. This default cannot be changed.The default value for secondary instances is PREEMPTIBLE. + Possible values: + * PREEMPTIBILITY_UNSPECIFIED + * NON_PREEMPTIBLE + * PREEMPTIBLE + * SPOT + + * `managed_group_config`: Specifies the resources used to actively manage an instance group. + + * `instance_template_name`: Output only. The name of the Instance Template used for the Managed Instance Group. + + * `instance_group_manager_name`: Output only. The name of the Instance Group Manager for this group. + + * `instance_group_manager_uri`: Output only. The partial URI to the instance group manager for this group. E.g. projects/my-project/regions/us-central1/instanceGroupManagers/my-igm. + + * `accelerators`: Optional. The Compute Engine accelerator configuration for these instances. + + * `accelerator_type_uri`: Full URL, partial URI, or short name of the accelerator type resource to expose to this instance. 
See Compute Engine AcceleratorTypes (https://cloud.google.com/compute/docs/reference/v1/acceleratorTypes).Examples: https://www.googleapis.com/compute/v1/projects/[project_id]/zones/[zone]/acceleratorTypes/nvidia-tesla-t4 projects/[project_id]/zones/[zone]/acceleratorTypes/nvidia-tesla-t4 nvidia-tesla-t4Auto Zone Exception: If you are using the Dataproc Auto Zone Placement (https://cloud.google.com/dataproc/docs/concepts/configuring-clusters/auto-zone#using_auto_zone_placement) feature, you must use the short name of the accelerator type resource, for example, nvidia-tesla-t4. + + * `accelerator_count`: The number of the accelerator cards of this type exposed to this instance. + + * `min_cpu_platform`: Optional. Specifies the minimum cpu platform for the Instance Group. See Dataproc -> Minimum CPU Platform (https://cloud.google.com/dataproc/docs/concepts/compute/dataproc-min-cpu). + + * `min_num_instances`: Optional. The minimum number of primary worker instances to create. If min_num_instances is set, cluster creation will succeed if the number of primary workers created is at least equal to the min_num_instances number.Example: Cluster creation request with num_instances = 5 and min_num_instances = 3: If 4 VMs are created and 1 instance fails, the failed VM is deleted. The cluster is resized to 4 instances and placed in a RUNNING state. If 2 instances are created and 3 instances fail, the cluster in placed in an ERROR state. The failed VMs are not deleted. + + * `instance_flexibility_policy`: Instance flexibility Policy allowing a mixture of VM shapes and provisioning models. + + * `instance_selection_list`: Optional. List of instance selection options that the group will use when creating new VMs. + + * `machine_types`: Optional. Full machine-type names, e.g. "n1-standard-16". + + * `rank`: Optional. Preference of this instance selection. Lower number means higher preference. 
Dataproc will first try to create a VM based on the machine-type with priority rank and fallback to next rank based on availability. Machine types and instance selections with the same priority have the same preference. + + * `instance_selection_results`: Output only. A list of instance selection results in the group. + + * `machine_type`: Output only. Full machine-type names, e.g. "n1-standard-16". + + * `vm_count`: Output only. Number of VM provisioned with the machine_type. + + * `startup_config`: Configuration to handle the startup of instances during cluster create and update process. + + * `required_registration_fraction`: Optional. The config setting to enable cluster creation/ updation to be successful only after required_registration_fraction of instances are up and running. This configuration is applicable to only secondary workers for now. The cluster will fail if required_registration_fraction of instances are not available. This will include instance creation, agent registration, and service registration (if enabled). + + * `secondary_worker_config`: The config settings for Compute Engine resources in an instance group, such as a master or worker group. + + * `num_instances`: Optional. The number of VM instances in the instance group. For HA cluster master_config groups, must be set to 3. For standard cluster master_config groups, must be set to 1. + + * `instance_names`: Output only. The list of instance names. Dataproc derives the names from cluster_name, num_instances, and the instance group. + + * `instance_references`: Output only. List of references to Compute Engine instances. + + * `instance_name`: The user-friendly name of the Compute Engine instance. + + * `instance_id`: The unique identifier of the Compute Engine instance. + + * `public_key`: The public RSA key used for sharing data with this instance. + + * `public_ecies_key`: The public ECIES key used for sharing data with this instance. + + * `image_uri`: Optional. 
The Compute Engine image resource used for cluster instances.The URI can represent an image or image family.Image examples: https://www.googleapis.com/compute/v1/projects/[project_id]/global/images/[image-id] projects/[project_id]/global/images/[image-id] image-idImage family examples. Dataproc will use the most recent image from the family: https://www.googleapis.com/compute/v1/projects/[project_id]/global/images/family/[custom-image-family-name] projects/[project_id]/global/images/family/[custom-image-family-name]If the URI is unspecified, it will be inferred from SoftwareConfig.image_version or the system default. + + * `machine_type_uri`: Optional. The Compute Engine machine type used for cluster instances.A full URL, partial URI, or short name are valid. Examples: https://www.googleapis.com/compute/v1/projects/[project_id]/zones/[zone]/machineTypes/n1-standard-2 projects/[project_id]/zones/[zone]/machineTypes/n1-standard-2 n1-standard-2Auto Zone Exception: If you are using the Dataproc Auto Zone Placement (https://cloud.google.com/dataproc/docs/concepts/configuring-clusters/auto-zone#using_auto_zone_placement) feature, you must use the short name of the machine type resource, for example, n1-standard-2. + + * `disk_config`: Specifies the config of disk options for a group of VM instances. + + * `boot_disk_type`: Optional. Type of the boot disk (default is "pd-standard"). Valid values: "pd-balanced" (Persistent Disk Balanced Solid State Drive), "pd-ssd" (Persistent Disk Solid State Drive), or "pd-standard" (Persistent Disk Hard Disk Drive). See Disk types (https://cloud.google.com/compute/docs/disks#disk-types). + + * `boot_disk_size_gb`: Optional. Size in GB of the boot disk (default is 500GB). + + * `num_local_ssds`: Optional. Number of attached SSDs, from 0 to 8 (default is 0). If SSDs are not attached, the boot disk is used to store runtime logs and HDFS (https://hadoop.apache.org/docs/r1.2.1/hdfs_user_guide.html) data. 
If one or more SSDs are attached, this runtime bulk data is spread across them, and the boot disk contains only basic config and installed binaries.Note: Local SSD options may vary by machine type and number of vCPUs selected. + + * `local_ssd_interface`: Optional. Interface type of local SSDs (default is "scsi"). Valid values: "scsi" (Small Computer System Interface), "nvme" (Non-Volatile Memory Express). See local SSD performance (https://cloud.google.com/compute/docs/disks/local-ssd#performance). + + * `is_preemptible`: Output only. Specifies that this instance group contains preemptible instances. + + * `preemptibility`: Optional. Specifies the preemptibility of the instance group.The default value for master and worker groups is NON_PREEMPTIBLE. This default cannot be changed.The default value for secondary instances is PREEMPTIBLE. + Possible values: + * PREEMPTIBILITY_UNSPECIFIED + * NON_PREEMPTIBLE + * PREEMPTIBLE + * SPOT + + * `managed_group_config`: Specifies the resources used to actively manage an instance group. + + * `instance_template_name`: Output only. The name of the Instance Template used for the Managed Instance Group. + + * `instance_group_manager_name`: Output only. The name of the Instance Group Manager for this group. + + * `instance_group_manager_uri`: Output only. The partial URI to the instance group manager for this group. E.g. projects/my-project/regions/us-central1/instanceGroupManagers/my-igm. + + * `accelerators`: Optional. The Compute Engine accelerator configuration for these instances. + + * `accelerator_type_uri`: Full URL, partial URI, or short name of the accelerator type resource to expose to this instance. 
See Compute Engine AcceleratorTypes (https://cloud.google.com/compute/docs/reference/v1/acceleratorTypes).Examples: https://www.googleapis.com/compute/v1/projects/[project_id]/zones/[zone]/acceleratorTypes/nvidia-tesla-t4 projects/[project_id]/zones/[zone]/acceleratorTypes/nvidia-tesla-t4 nvidia-tesla-t4Auto Zone Exception: If you are using the Dataproc Auto Zone Placement (https://cloud.google.com/dataproc/docs/concepts/configuring-clusters/auto-zone#using_auto_zone_placement) feature, you must use the short name of the accelerator type resource, for example, nvidia-tesla-t4. + + * `accelerator_count`: The number of the accelerator cards of this type exposed to this instance. + + * `min_cpu_platform`: Optional. Specifies the minimum cpu platform for the Instance Group. See Dataproc -> Minimum CPU Platform (https://cloud.google.com/dataproc/docs/concepts/compute/dataproc-min-cpu). + + * `min_num_instances`: Optional. The minimum number of primary worker instances to create. If min_num_instances is set, cluster creation will succeed if the number of primary workers created is at least equal to the min_num_instances number.Example: Cluster creation request with num_instances = 5 and min_num_instances = 3: If 4 VMs are created and 1 instance fails, the failed VM is deleted. The cluster is resized to 4 instances and placed in a RUNNING state. If 2 instances are created and 3 instances fail, the cluster in placed in an ERROR state. The failed VMs are not deleted. + + * `instance_flexibility_policy`: Instance flexibility Policy allowing a mixture of VM shapes and provisioning models. + + * `instance_selection_list`: Optional. List of instance selection options that the group will use when creating new VMs. + + * `machine_types`: Optional. Full machine-type names, e.g. "n1-standard-16". + + * `rank`: Optional. Preference of this instance selection. Lower number means higher preference. 
Dataproc will first try to create a VM based on the machine-type with priority rank and fallback to next rank based on availability. Machine types and instance selections with the same priority have the same preference. + + * `instance_selection_results`: Output only. A list of instance selection results in the group. + + * `machine_type`: Output only. Full machine-type names, e.g. "n1-standard-16". + + * `vm_count`: Output only. Number of VM provisioned with the machine_type. + + * `startup_config`: Configuration to handle the startup of instances during cluster create and update process. + + * `required_registration_fraction`: Optional. The config setting to enable cluster creation/ updation to be successful only after required_registration_fraction of instances are up and running. This configuration is applicable to only secondary workers for now. The cluster will fail if required_registration_fraction of instances are not available. This will include instance creation, agent registration, and service registration (if enabled). + + * `software_config`: Specifies the selection and config of software inside the cluster. + + * `image_version`: Optional. The version of software inside the cluster. It must be one of the supported Dataproc Versions (https://cloud.google.com/dataproc/docs/concepts/versioning/dataproc-versions#supported_dataproc_versions), such as "1.2" (including a subminor version, such as "1.2.29"), or the "preview" version (https://cloud.google.com/dataproc/docs/concepts/versioning/dataproc-versions#other_versions). If unspecified, it defaults to the latest Debian version. + + * `properties`: Optional. The properties to set on daemon config files.Property keys are specified in prefix:property format, for example core:hadoop.tmp.dir. 
The following are supported prefixes and their mappings: capacity-scheduler: capacity-scheduler.xml core: core-site.xml distcp: distcp-default.xml hdfs: hdfs-site.xml hive: hive-site.xml mapred: mapred-site.xml pig: pig.properties spark: spark-defaults.conf yarn: yarn-site.xmlFor more information, see Cluster properties (https://cloud.google.com/dataproc/docs/concepts/cluster-properties). + + * `additional_properties`: + + * `optional_components`: Optional. The set of components to activate on the cluster. + + * `initialization_actions`: Optional. Commands to execute on each node after config is completed. By default, executables are run on master and all worker nodes. You can test a node's role metadata to run an executable on a master or worker node, as shown below using curl (you can also use wget): ROLE=$(curl -H Metadata-Flavor:Google http://metadata/computeMetadata/v1/instance/attributes/dataproc-role) if [[ "${ROLE}" == 'Master' ]]; then ... master specific actions ... else ... worker specific actions ... fi + + * `executable_file`: Required. Cloud Storage URI of executable file. + + * `execution_timeout`: Optional. Amount of time executable has to complete. Default is 10 minutes (see JSON representation of Duration (https://developers.google.com/protocol-buffers/docs/proto3#json)).Cluster creation fails with an explanatory error message (the name of the executable that caused the error and the exceeded timeout period) if the executable is not completed at end of the timeout period. + + * `encryption_config`: Encryption settings for the cluster. + + * `gce_pd_kms_key_name`: Optional. The Cloud KMS key resource name to use for persistent disk encryption for all instances in the cluster. See Use CMEK with cluster data (https://cloud.google.com//dataproc/docs/concepts/configuring-clusters/customer-managed-encryption#use_cmek_with_cluster_data) for more information. + + * `kms_key`: Optional. 
The Cloud KMS key resource name to use for cluster persistent disk and job argument encryption. See Use CMEK with cluster data (https://cloud.google.com//dataproc/docs/concepts/configuring-clusters/customer-managed-encryption#use_cmek_with_cluster_data) for more information.When this key resource name is provided, the following job arguments of the following job types submitted to the cluster are encrypted using CMEK: FlinkJob args (https://cloud.google.com/dataproc/docs/reference/rest/v1/FlinkJob) HadoopJob args (https://cloud.google.com/dataproc/docs/reference/rest/v1/HadoopJob) SparkJob args (https://cloud.google.com/dataproc/docs/reference/rest/v1/SparkJob) SparkRJob args (https://cloud.google.com/dataproc/docs/reference/rest/v1/SparkRJob) PySparkJob args (https://cloud.google.com/dataproc/docs/reference/rest/v1/PySparkJob) SparkSqlJob (https://cloud.google.com/dataproc/docs/reference/rest/v1/SparkSqlJob) scriptVariables and queryList.queries HiveJob (https://cloud.google.com/dataproc/docs/reference/rest/v1/HiveJob) scriptVariables and queryList.queries PigJob (https://cloud.google.com/dataproc/docs/reference/rest/v1/PigJob) scriptVariables and queryList.queries PrestoJob (https://cloud.google.com/dataproc/docs/reference/rest/v1/PrestoJob) scriptVariables and queryList.queries + + * `autoscaling_config`: Autoscaling Policy config associated with the cluster. + + * `policy_uri`: Optional. The autoscaling policy used by the cluster.Only resource names including projectid and location (region) are valid. Examples: https://www.googleapis.com/compute/v1/projects/[project_id]/locations/[dataproc_region]/autoscalingPolicies/[policy_id] projects/[project_id]/locations/[dataproc_region]/autoscalingPolicies/[policy_id]Note that the policy must be in the same project and Dataproc region. + + * `security_config`: Security related configuration, including encryption, Kerberos, etc. + + * `kerberos_config`: Specifies Kerberos related configuration. 
+ + * `enable_kerberos`: Optional. Flag to indicate whether to Kerberize the cluster (default: false). Set this field to true to enable Kerberos on a cluster. + + * `root_principal_password_uri`: Optional. The Cloud Storage URI of a KMS encrypted file containing the root principal password. + + * `kms_key_uri`: Optional. The URI of the KMS key used to encrypt sensitive files. + + * `keystore_uri`: Optional. The Cloud Storage URI of the keystore file used for SSL encryption. If not provided, Dataproc will provide a self-signed certificate. + + * `truststore_uri`: Optional. The Cloud Storage URI of the truststore file used for SSL encryption. If not provided, Dataproc will provide a self-signed certificate. + + * `keystore_password_uri`: Optional. The Cloud Storage URI of a KMS encrypted file containing the password to the user provided keystore. For the self-signed certificate, this password is generated by Dataproc. + + * `key_password_uri`: Optional. The Cloud Storage URI of a KMS encrypted file containing the password to the user provided key. For the self-signed certificate, this password is generated by Dataproc. + + * `truststore_password_uri`: Optional. The Cloud Storage URI of a KMS encrypted file containing the password to the user provided truststore. For the self-signed certificate, this password is generated by Dataproc. + + * `cross_realm_trust_realm`: Optional. The remote realm the Dataproc on-cluster KDC will trust, should the user enable cross realm trust. + + * `cross_realm_trust_kdc`: Optional. The KDC (IP or hostname) for the remote trusted realm in a cross realm trust relationship. + + * `cross_realm_trust_admin_server`: Optional. The admin server (IP or hostname) for the remote trusted realm in a cross realm trust relationship. + + * `cross_realm_trust_shared_password_uri`: Optional. 
The Cloud Storage URI of a KMS encrypted file containing the shared password between the on-cluster Kerberos realm and the remote trusted realm, in a cross realm trust relationship. + + * `kdc_db_key_uri`: Optional. The Cloud Storage URI of a KMS encrypted file containing the master key of the KDC database. + + * `tgt_lifetime_hours`: Optional. The lifetime of the ticket granting ticket, in hours. If not specified, or user specifies 0, then default value 10 will be used. + + * `realm`: Optional. The name of the on-cluster Kerberos realm. If not specified, the uppercased domain of hostnames will be the realm. + + * `identity_config`: Identity related configuration, including service account based secure multi-tenancy user mappings. + + * `user_service_account_mapping`: Required. Map of user to service account. + + * `additional_properties`: + + * `lifecycle_config`: Specifies the cluster auto-delete schedule configuration. + + * `idle_delete_ttl`: Optional. The duration to keep the cluster alive while idling (when no jobs are running). Passing this threshold will cause the cluster to be deleted. Minimum value is 5 minutes; maximum value is 14 days (see JSON representation of Duration (https://developers.google.com/protocol-buffers/docs/proto3#json)). + + * `auto_delete_time`: Optional. The time when cluster will be auto-deleted (see JSON representation of Timestamp (https://developers.google.com/protocol-buffers/docs/proto3#json)). + + * `auto_delete_ttl`: Optional. The lifetime duration of cluster. The cluster will be auto-deleted at the end of this period. Minimum value is 10 minutes; maximum value is 14 days (see JSON representation of Duration (https://developers.google.com/protocol-buffers/docs/proto3#json)). + + * `idle_start_time`: Output only. The time when cluster became idle (most recent job finished) and became eligible for deletion due to idleness (see JSON representation of Timestamp (https://developers.google.com/protocol-buffers/docs/proto3#json)). 
+ + * `endpoint_config`: Endpoint config for this cluster + + * `http_ports`: Output only. The map of port descriptions to URLs. Will only be populated if enable_http_port_access is true. + + * `additional_properties`: + + * `enable_http_port_access`: Optional. If true, enable http access to specific ports on the cluster from external sources. Defaults to false. + + * `metastore_config`: Specifies a Metastore configuration. + + * `dataproc_metastore_service`: Required. Resource name of an existing Dataproc Metastore service.Example: projects/[project_id]/locations/[dataproc_region]/services/[service-name] + + * `gke_cluster_config`: The cluster's GKE config. + + * `namespaced_gke_deployment_target`: Deprecated. Used only for the deprecated beta. A full, namespace-isolated deployment target for an existing GKE cluster. + + * `target_gke_cluster`: Optional. The target GKE cluster to deploy to. Format: 'projects/{project}/locations/{location}/clusters/{cluster_id}' + + * `cluster_namespace`: Optional. A namespace within the GKE cluster to deploy into. + + * `gke_cluster_target`: Optional. A target GKE cluster to deploy to. It must be in the same project and region as the Dataproc cluster (the GKE cluster can be zonal or regional). Format: 'projects/{project}/locations/{location}/clusters/{cluster_id}' + + * `node_pool_target`: Optional. GKE node pools where workloads will be scheduled. At least one node pool must be assigned the DEFAULT GkeNodePoolTarget.Role. If a GkeNodePoolTarget is not specified, Dataproc constructs a DEFAULT GkeNodePoolTarget. Each role can be given to only one GkeNodePoolTarget. All node pools must have the same location settings. + + * `node_pool`: Required. The target GKE node pool. Format: 'projects/{project}/locations/{location}/clusters/{cluster}/nodePools/{node_pool}' + + * `roles`: Required. The roles associated with the GKE node pool. 
+ + * `node_pool_config`: The configuration of a GKE node pool used by a Dataproc-on-GKE cluster (https://cloud.google.com/dataproc/docs/concepts/jobs/dataproc-gke#create-a-dataproc-on-gke-cluster). + + * `config`: Parameters that describe cluster nodes. + + * `machine_type`: Optional. The name of a Compute Engine machine type (https://cloud.google.com/compute/docs/machine-types). + + * `local_ssd_count`: Optional. The number of local SSD disks to attach to the node, which is limited by the maximum number of disks allowable per zone (see Adding Local SSDs (https://cloud.google.com/compute/docs/disks/local-ssd)). + + * `preemptible`: Optional. Whether the nodes are created as legacy preemptible VM instances (https://cloud.google.com/compute/docs/instances/preemptible). Also see Spot VMs, preemptible VM instances without a maximum lifetime. Legacy and Spot preemptible nodes cannot be used in a node pool with the CONTROLLER role or in the DEFAULT node pool if the CONTROLLER role is not assigned (the DEFAULT node pool will assume the CONTROLLER role). + + * `accelerators`: Optional. A list of hardware accelerators (https://cloud.google.com/compute/docs/gpus) to attach to each node. + + * `accelerator_count`: The number of accelerator cards exposed to an instance. + + * `accelerator_type`: The accelerator type resource namename (see GPUs on Compute Engine). + + * `gpu_partition_size`: Size of partitions to create on the GPU. Valid values are described in the NVIDIA mig user guide (https://docs.nvidia.com/datacenter/tesla/mig-user-guide/#partitioning). + + * `min_cpu_platform`: Optional. Minimum CPU platform (https://cloud.google.com/compute/docs/instances/specify-min-cpu-platform) to be used by this instance. The instance may be scheduled on the specified or a newer CPU platform. Specify the friendly names of CPU platforms, such as "Intel Haswell"` or Intel Sandy Bridge". + + * `boot_disk_kms_key`: Optional. 
The Customer Managed Encryption Key (CMEK) (https://cloud.google.com/kubernetes-engine/docs/how-to/using-cmek) used to encrypt the boot disk attached to each node in the node pool. Specify the key using the following format: projects/{project}/locations/{location}/keyRings/{key_ring}/cryptoKeys/{crypto_key} + + * `spot`: Optional. Whether the nodes are created as Spot VM instances (https://cloud.google.com/compute/docs/instances/spot). Spot VMs are the latest update to legacy preemptible VMs. Spot VMs do not have a maximum lifetime. Legacy and Spot preemptible nodes cannot be used in a node pool with the CONTROLLER role or in the DEFAULT node pool if the CONTROLLER role is not assigned (the DEFAULT node pool will assume the CONTROLLER role). + + * `locations`: Optional. The list of Compute Engine zones (https://cloud.google.com/compute/docs/zones#available) where node pool nodes associated with a Dataproc on GKE virtual cluster will be located.Note: All node pools associated with a virtual cluster must be located in the same region as the virtual cluster, and they must be located in the same zone within that region.If a location is not specified during node pool creation, Dataproc on GKE will choose the zone. + + * `autoscaling`: GkeNodePoolAutoscaling contains information the cluster autoscaler needs to adjust the size of the node pool to the current cluster usage. + + * `min_node_count`: The minimum number of nodes in the node pool. Must be >= 0 and <= max_node_count. + + * `max_node_count`: The maximum number of nodes in the node pool. Must be >= min_node_count, and must be > 0. Note: Quota must be sufficient to scale up the cluster. + + * `dataproc_metric_config`: Dataproc metric config. + + * `metrics`: Required. Metrics sources to enable. + + * `metric_source`: Required. 
A standard set of metrics is collected unless metricOverrides are specified for the metric source (see Custom metrics (https://cloud.google.com/dataproc/docs/guides/dataproc-metrics#custom_metrics) for more information). + Possible values: + * METRIC_SOURCE_UNSPECIFIED + * MONITORING_AGENT_DEFAULTS + * HDFS + * SPARK + * YARN + * SPARK_HISTORY_SERVER + * HIVESERVER2 + * HIVEMETASTORE + * FLINK + + * `metric_overrides`: Optional. Specify one or more Custom metrics (https://cloud.google.com/dataproc/docs/guides/dataproc-metrics#custom_metrics) to collect for the metric course (for the SPARK metric source (any Spark metric (https://spark.apache.org/docs/latest/monitoring.html#metrics) can be specified).Provide metrics in the following format: METRIC_SOURCE: INSTANCE:GROUP:METRIC Use camelcase as appropriate.Examples: yarn:ResourceManager:QueueMetrics:AppsCompleted spark:driver:DAGScheduler:job.allJobs sparkHistoryServer:JVM:Memory:NonHeapMemoryUsage.committed hiveserver2:JVM:Memory:NonHeapMemoryUsage.used Notes: Only the specified overridden metrics are collected for the metric source. For example, if one or more spark:executive metrics are listed as metric overrides, other SPARK metrics are not collected. The collection of the metrics for other enabled custom metric sources is unaffected. For example, if both SPARK andd YARN metric sources are enabled, and overrides are provided for Spark metrics only, all YARN metrics are collected. + + * `auxiliary_node_groups`: Optional. The node group settings. + + * `node_group`: Dataproc Node Group. The Dataproc NodeGroup resource is not related to the Dataproc NodeGroupAffinity resource. + + * `name`: The Node group resource name (https://aip.dev/122). + + * `roles`: Required. Node group roles. + + * `node_group_config`: The config settings for Compute Engine resources in an instance group, such as a master or worker group. + + * `num_instances`: Optional. The number of VM instances in the instance group. 
For HA cluster master_config groups, must be set to 3. For standard cluster master_config groups, must be set to 1. + + * `instance_names`: Output only. The list of instance names. Dataproc derives the names from cluster_name, num_instances, and the instance group. + + * `instance_references`: Output only. List of references to Compute Engine instances. + + * `instance_name`: The user-friendly name of the Compute Engine instance. + + * `instance_id`: The unique identifier of the Compute Engine instance. + + * `public_key`: The public RSA key used for sharing data with this instance. + + * `public_ecies_key`: The public ECIES key used for sharing data with this instance. + + * `image_uri`: Optional. The Compute Engine image resource used for cluster instances.The URI can represent an image or image family.Image examples: https://www.googleapis.com/compute/v1/projects/[project_id]/global/images/[image-id] projects/[project_id]/global/images/[image-id] image-idImage family examples. Dataproc will use the most recent image from the family: https://www.googleapis.com/compute/v1/projects/[project_id]/global/images/family/[custom-image-family-name] projects/[project_id]/global/images/family/[custom-image-family-name]If the URI is unspecified, it will be inferred from SoftwareConfig.image_version or the system default. + + * `machine_type_uri`: Optional. The Compute Engine machine type used for cluster instances.A full URL, partial URI, or short name are valid. Examples: https://www.googleapis.com/compute/v1/projects/[project_id]/zones/[zone]/machineTypes/n1-standard-2 projects/[project_id]/zones/[zone]/machineTypes/n1-standard-2 n1-standard-2Auto Zone Exception: If you are using the Dataproc Auto Zone Placement (https://cloud.google.com/dataproc/docs/concepts/configuring-clusters/auto-zone#using_auto_zone_placement) feature, you must use the short name of the machine type resource, for example, n1-standard-2. 
+ + * `disk_config`: Specifies the config of disk options for a group of VM instances. + + * `boot_disk_type`: Optional. Type of the boot disk (default is "pd-standard"). Valid values: "pd-balanced" (Persistent Disk Balanced Solid State Drive), "pd-ssd" (Persistent Disk Solid State Drive), or "pd-standard" (Persistent Disk Hard Disk Drive). See Disk types (https://cloud.google.com/compute/docs/disks#disk-types). + + * `boot_disk_size_gb`: Optional. Size in GB of the boot disk (default is 500GB). + + * `num_local_ssds`: Optional. Number of attached SSDs, from 0 to 8 (default is 0). If SSDs are not attached, the boot disk is used to store runtime logs and HDFS (https://hadoop.apache.org/docs/r1.2.1/hdfs_user_guide.html) data. If one or more SSDs are attached, this runtime bulk data is spread across them, and the boot disk contains only basic config and installed binaries.Note: Local SSD options may vary by machine type and number of vCPUs selected. + + * `local_ssd_interface`: Optional. Interface type of local SSDs (default is "scsi"). Valid values: "scsi" (Small Computer System Interface), "nvme" (Non-Volatile Memory Express). See local SSD performance (https://cloud.google.com/compute/docs/disks/local-ssd#performance). + + * `is_preemptible`: Output only. Specifies that this instance group contains preemptible instances. + + * `preemptibility`: Optional. Specifies the preemptibility of the instance group.The default value for master and worker groups is NON_PREEMPTIBLE. This default cannot be changed.The default value for secondary instances is PREEMPTIBLE. + Possible values: + * PREEMPTIBILITY_UNSPECIFIED + * NON_PREEMPTIBLE + * PREEMPTIBLE + * SPOT + + * `managed_group_config`: Specifies the resources used to actively manage an instance group. + + * `instance_template_name`: Output only. The name of the Instance Template used for the Managed Instance Group. + + * `instance_group_manager_name`: Output only. The name of the Instance Group Manager for this group. 
+ + * `instance_group_manager_uri`: Output only. The partial URI to the instance group manager for this group. E.g. projects/my-project/regions/us-central1/instanceGroupManagers/my-igm. + + * `accelerators`: Optional. The Compute Engine accelerator configuration for these instances. + + * `accelerator_type_uri`: Full URL, partial URI, or short name of the accelerator type resource to expose to this instance. See Compute Engine AcceleratorTypes (https://cloud.google.com/compute/docs/reference/v1/acceleratorTypes).Examples: https://www.googleapis.com/compute/v1/projects/[project_id]/zones/[zone]/acceleratorTypes/nvidia-tesla-t4 projects/[project_id]/zones/[zone]/acceleratorTypes/nvidia-tesla-t4 nvidia-tesla-t4Auto Zone Exception: If you are using the Dataproc Auto Zone Placement (https://cloud.google.com/dataproc/docs/concepts/configuring-clusters/auto-zone#using_auto_zone_placement) feature, you must use the short name of the accelerator type resource, for example, nvidia-tesla-t4. + + * `accelerator_count`: The number of the accelerator cards of this type exposed to this instance. + + * `min_cpu_platform`: Optional. Specifies the minimum cpu platform for the Instance Group. See Dataproc -> Minimum CPU Platform (https://cloud.google.com/dataproc/docs/concepts/compute/dataproc-min-cpu). + + * `min_num_instances`: Optional. The minimum number of primary worker instances to create. If min_num_instances is set, cluster creation will succeed if the number of primary workers created is at least equal to the min_num_instances number.Example: Cluster creation request with num_instances = 5 and min_num_instances = 3: If 4 VMs are created and 1 instance fails, the failed VM is deleted. The cluster is resized to 4 instances and placed in a RUNNING state. If 2 instances are created and 3 instances fail, the cluster in placed in an ERROR state. The failed VMs are not deleted. 
+ + * `instance_flexibility_policy`: Instance flexibility Policy allowing a mixture of VM shapes and provisioning models. + + * `instance_selection_list`: Optional. List of instance selection options that the group will use when creating new VMs. + + * `machine_types`: Optional. Full machine-type names, e.g. "n1-standard-16". + + * `rank`: Optional. Preference of this instance selection. Lower number means higher preference. Dataproc will first try to create a VM based on the machine-type with priority rank and fallback to next rank based on availability. Machine types and instance selections with the same priority have the same preference. + + * `instance_selection_results`: Output only. A list of instance selection results in the group. + + * `machine_type`: Output only. Full machine-type names, e.g. "n1-standard-16". + + * `vm_count`: Output only. Number of VM provisioned with the machine_type. + + * `startup_config`: Configuration to handle the startup of instances during cluster create and update process. + + * `required_registration_fraction`: Optional. The config setting to enable cluster creation/ updation to be successful only after required_registration_fraction of instances are up and running. This configuration is applicable to only secondary workers for now. The cluster will fail if required_registration_fraction of instances are not available. This will include instance creation, agent registration, and service registration (if enabled). + + * `labels`: Optional. Node group labels. Label keys must consist of from 1 to 63 characters and conform to RFC 1035 (https://www.ietf.org/rfc/rfc1035.txt). Label values can be empty. If specified, they must consist of from 1 to 63 characters and conform to RFC 1035 (https://www.ietf.org/rfc/rfc1035.txt). The node group must have no more than 32 labelsn. + + * `additional_properties`: + + * `node_group_id`: Optional. A node group ID. 
Generated if not specified.The ID must contain only letters (a-z, A-Z), numbers (0-9), underscores (_), and hyphens (-). Cannot begin or end with underscore or hyphen. Must consist of from 3 to 33 characters. + + * `labels`: Optional. The labels to associate with this cluster.Label keys must be between 1 and 63 characters long, and must conform to the following PCRE regular expression: \p{Ll}\p{Lo}{0,62}Label values must be between 1 and 63 characters long, and must conform to the following PCRE regular expression: \p{Ll}\p{Lo}\p{N}_-{0,63}No more than 32 labels can be associated with a given cluster. + + * `additional_properties`: + + * `cluster_selector`: A selector that chooses target cluster for jobs based on metadata. + + * `zone`: Optional. The zone where workflow process executes. This parameter does not affect the selection of the cluster.If unspecified, the zone of the first cluster matching the selector is used. + + * `cluster_labels`: Required. The cluster labels. Cluster must have all labels to match. + + * `additional_properties`: + + * `jobs`: Required. The Directed Acyclic Graph of Jobs to submit. + + * `step_id`: Required. The step id. The id must be unique among all jobs within the template.The step id is used as prefix for job id, as job goog-dataproc-workflow-step-id label, and in prerequisiteStepIds field from other steps.The id must contain only letters (a-z, A-Z), numbers (0-9), underscores (_), and hyphens (-). Cannot begin or end with underscore or hyphen. Must consist of between 3 and 50 characters. + + * `hadoop_job`: A Dataproc job for running Apache Hadoop MapReduce (https://hadoop.apache.org/docs/current/hadoop-mapreduce-client/hadoop-mapreduce-client-core/MapReduceTutorial.html) jobs on Apache Hadoop YARN (https://hadoop.apache.org/docs/r2.7.1/hadoop-yarn/hadoop-yarn-site/YARN.html). + + * `main_jar_file_uri`: The HCFS URI of the jar file containing the main class. 
Examples: 'gs://foo-bucket/analytics-binaries/extract-useful-metrics-mr.jar' 'hdfs:/tmp/test-samples/custom-wordcount.jar' 'file:///home/usr/lib/hadoop-mapreduce/hadoop-mapreduce-examples.jar' + + * `main_class`: The name of the driver's main class. The jar file containing the class must be in the default CLASSPATH or specified in jar_file_uris. + + * `args`: Optional. The arguments to pass to the driver. Do not include arguments, such as -libjars or -Dfoo=bar, that can be set as job properties, since a collision might occur that causes an incorrect job submission. + + * `jar_file_uris`: Optional. Jar file URIs to add to the CLASSPATHs of the Hadoop driver and tasks. + + * `file_uris`: Optional. HCFS (Hadoop Compatible Filesystem) URIs of files to be copied to the working directory of Hadoop drivers and distributed tasks. Useful for naively parallel tasks. + + * `archive_uris`: Optional. HCFS URIs of archives to be extracted in the working directory of Hadoop drivers and tasks. Supported file types: .jar, .tar, .tar.gz, .tgz, or .zip. + + * `properties`: Optional. A mapping of property names to values, used to configure Hadoop. Properties that conflict with values set by the Dataproc API might be overwritten. Can include properties set in /etc/hadoop/conf/*-site and classes in user code. + + * `additional_properties`: + + * `logging_config`: The runtime logging config of the job. + + * `driver_log_levels`: The per-package log levels for the driver. This can include "root" package name to configure rootLogger. Examples: - 'com.google = FATAL' - 'root = INFO' - 'org.apache = DEBUG' + + * `additional_properties`: + + * `spark_job`: A Dataproc job for running Apache Spark (https://spark.apache.org/) applications on YARN. + + * `main_jar_file_uri`: The HCFS URI of the jar file that contains the main class. + + * `main_class`: The name of the driver's main class. The jar file that contains the class must be in the default CLASSPATH or specified in SparkJob.jar_file_uris. 
+ + * `args`: Optional. The arguments to pass to the driver. Do not include arguments, such as --conf, that can be set as job properties, since a collision may occur that causes an incorrect job submission. + + * `jar_file_uris`: Optional. HCFS URIs of jar files to add to the CLASSPATHs of the Spark driver and tasks. + + * `file_uris`: Optional. HCFS URIs of files to be placed in the working directory of each executor. Useful for naively parallel tasks. + + * `archive_uris`: Optional. HCFS URIs of archives to be extracted into the working directory of each executor. Supported file types: .jar, .tar, .tar.gz, .tgz, and .zip. + + * `properties`: Optional. A mapping of property names to values, used to configure Spark. Properties that conflict with values set by the Dataproc API might be overwritten. Can include properties set in /etc/spark/conf/spark-defaults.conf and classes in user code. + + * `additional_properties`: + + * `logging_config`: The runtime logging config of the job. + + * `driver_log_levels`: The per-package log levels for the driver. This can include "root" package name to configure rootLogger. Examples: - 'com.google = FATAL' - 'root = INFO' - 'org.apache = DEBUG' + + * `additional_properties`: + + * `pyspark_job`: A Dataproc job for running Apache PySpark (https://spark.apache.org/docs/0.9.0/python-programming-guide.html) applications on YARN. + + * `main_python_file_uri`: Required. The HCFS URI of the main Python file to use as the driver. Must be a .py file. + + * `args`: Optional. The arguments to pass to the driver. Do not include arguments, such as --conf, that can be set as job properties, since a collision may occur that causes an incorrect job submission. + + * `python_file_uris`: Optional. HCFS file URIs of Python files to pass to the PySpark framework. Supported file types: .py, .egg, and .zip. + + * `jar_file_uris`: Optional. HCFS URIs of jar files to add to the CLASSPATHs of the Python driver and tasks. + + * `file_uris`: Optional. 
HCFS URIs of files to be placed in the working directory of each executor. Useful for naively parallel tasks. + + * `archive_uris`: Optional. HCFS URIs of archives to be extracted into the working directory of each executor. Supported file types: .jar, .tar, .tar.gz, .tgz, and .zip. + + * `properties`: Optional. A mapping of property names to values, used to configure PySpark. Properties that conflict with values set by the Dataproc API might be overwritten. Can include properties set in /etc/spark/conf/spark-defaults.conf and classes in user code. + + * `additional_properties`: + + * `logging_config`: The runtime logging config of the job. + + * `driver_log_levels`: The per-package log levels for the driver. This can include "root" package name to configure rootLogger. Examples: - 'com.google = FATAL' - 'root = INFO' - 'org.apache = DEBUG' + + * `additional_properties`: + + * `hive_job`: A Dataproc job for running Apache Hive (https://hive.apache.org/) queries on YARN. + + * `query_file_uri`: The HCFS URI of the script that contains Hive queries. + + * `query_list`: A list of queries to run on a cluster. + + * `queries`: Required. The queries to execute. You do not need to end a query expression with a semicolon. Multiple queries can be specified in one string by separating each with a semicolon. Here is an example of a Dataproc API snippet that uses a QueryList to specify a HiveJob: "hiveJob": { "queryList": { "queries": [ "query1", "query2", "query3;query4", ] } } + + * `continue_on_failure`: Optional. Whether to continue executing queries if a query fails. The default value is false. Setting to true can be useful when executing independent parallel queries. + + * `script_variables`: Optional. Mapping of query variable names to values (equivalent to the Hive command: SET name="value";). + + * `additional_properties`: + + * `properties`: Optional. A mapping of property names and values, used to configure Hive. 
Properties that conflict with values set by the Dataproc API might be overwritten. Can include properties set in /etc/hadoop/conf/*-site.xml, /etc/hive/conf/hive-site.xml, and classes in user code. + + * `additional_properties`: + + * `jar_file_uris`: Optional. HCFS URIs of jar files to add to the CLASSPATH of the Hive server and Hadoop MapReduce (MR) tasks. Can contain Hive SerDes and UDFs. + + * `pig_job`: A Dataproc job for running Apache Pig (https://pig.apache.org/) queries on YARN. + + * `query_file_uri`: The HCFS URI of the script that contains the Pig queries. + + * `query_list`: A list of queries to run on a cluster. + + * `queries`: Required. The queries to execute. You do not need to end a query expression with a semicolon. Multiple queries can be specified in one string by separating each with a semicolon. Here is an example of a Dataproc API snippet that uses a QueryList to specify a HiveJob: "hiveJob": { "queryList": { "queries": [ "query1", "query2", "query3;query4", ] } } + + * `continue_on_failure`: Optional. Whether to continue executing queries if a query fails. The default value is false. Setting to true can be useful when executing independent parallel queries. + + * `script_variables`: Optional. Mapping of query variable names to values (equivalent to the Pig command: name=[value]). + + * `additional_properties`: + + * `properties`: Optional. A mapping of property names to values, used to configure Pig. Properties that conflict with values set by the Dataproc API might be overwritten. Can include properties set in /etc/hadoop/conf/*-site.xml, /etc/pig/conf/pig.properties, and classes in user code. + + * `additional_properties`: + + * `jar_file_uris`: Optional. HCFS URIs of jar files to add to the CLASSPATH of the Pig Client and Hadoop MapReduce (MR) tasks. Can contain Pig UDFs. + + * `logging_config`: The runtime logging config of the job. + + * `driver_log_levels`: The per-package log levels for the driver. 
This can include "root" package name to configure rootLogger. Examples: - 'com.google = FATAL' - 'root = INFO' - 'org.apache = DEBUG' + + * `additional_properties`: + + * `spark_r_job`: A Dataproc job for running Apache SparkR (https://spark.apache.org/docs/latest/sparkr.html) applications on YARN. + + * `main_r_file_uri`: Required. The HCFS URI of the main R file to use as the driver. Must be a .R file. + + * `args`: Optional. The arguments to pass to the driver. Do not include arguments, such as --conf, that can be set as job properties, since a collision may occur that causes an incorrect job submission. + + * `file_uris`: Optional. HCFS URIs of files to be placed in the working directory of each executor. Useful for naively parallel tasks. + + * `archive_uris`: Optional. HCFS URIs of archives to be extracted into the working directory of each executor. Supported file types: .jar, .tar, .tar.gz, .tgz, and .zip. + + * `properties`: Optional. A mapping of property names to values, used to configure SparkR. Properties that conflict with values set by the Dataproc API might be overwritten. Can include properties set in /etc/spark/conf/spark-defaults.conf and classes in user code. + + * `additional_properties`: + + * `logging_config`: The runtime logging config of the job. + + * `driver_log_levels`: The per-package log levels for the driver. This can include "root" package name to configure rootLogger. Examples: - 'com.google = FATAL' - 'root = INFO' - 'org.apache = DEBUG' + + * `additional_properties`: + + * `spark_sql_job`: A Dataproc job for running Apache Spark SQL (https://spark.apache.org/sql/) queries. + + * `query_file_uri`: The HCFS URI of the script that contains SQL queries. + + * `query_list`: A list of queries to run on a cluster. + + * `queries`: Required. The queries to execute. You do not need to end a query expression with a semicolon. Multiple queries can be specified in one string by separating each with a semicolon. 
Here is an example of a Dataproc API snippet that uses a QueryList to specify a HiveJob: "hiveJob": { "queryList": { "queries": [ "query1", "query2", "query3;query4", ] } } + + * `script_variables`: Optional. Mapping of query variable names to values (equivalent to the Spark SQL command: SET name="value";). + + * `additional_properties`: + + * `properties`: Optional. A mapping of property names to values, used to configure Spark SQL's SparkConf. Properties that conflict with values set by the Dataproc API might be overwritten. + + * `additional_properties`: + + * `jar_file_uris`: Optional. HCFS URIs of jar files to be added to the Spark CLASSPATH. + + * `logging_config`: The runtime logging config of the job. + + * `driver_log_levels`: The per-package log levels for the driver. This can include "root" package name to configure rootLogger. Examples: - 'com.google = FATAL' - 'root = INFO' - 'org.apache = DEBUG' + + * `additional_properties`: + + * `presto_job`: A Dataproc job for running Presto (https://prestosql.io/) queries. IMPORTANT: The Dataproc Presto Optional Component (https://cloud.google.com/dataproc/docs/concepts/components/presto) must be enabled when the cluster is created to submit a Presto job to the cluster. + + * `query_file_uri`: The HCFS URI of the script that contains SQL queries. + + * `query_list`: A list of queries to run on a cluster. + + * `queries`: Required. The queries to execute. You do not need to end a query expression with a semicolon. Multiple queries can be specified in one string by separating each with a semicolon. Here is an example of a Dataproc API snippet that uses a QueryList to specify a HiveJob: "hiveJob": { "queryList": { "queries": [ "query1", "query2", "query3;query4", ] } } + + * `continue_on_failure`: Optional. Whether to continue executing queries if a query fails. The default value is false. Setting to true can be useful when executing independent parallel queries. + + * `output_format`: Optional. 
The format in which query output will be displayed. See the Presto documentation for supported output formats + + * `client_tags`: Optional. Presto client tags to attach to this query + + * `properties`: Optional. A mapping of property names to values. Used to set Presto session properties (https://prestodb.io/docs/current/sql/set-session.html) Equivalent to using the --session flag in the Presto CLI + + * `additional_properties`: + + * `logging_config`: The runtime logging config of the job. + + * `driver_log_levels`: The per-package log levels for the driver. This can include "root" package name to configure rootLogger. Examples: - 'com.google = FATAL' - 'root = INFO' - 'org.apache = DEBUG' + + * `additional_properties`: + + * `trino_job`: A Dataproc job for running Trino (https://trino.io/) queries. IMPORTANT: The Dataproc Trino Optional Component (https://cloud.google.com/dataproc/docs/concepts/components/trino) must be enabled when the cluster is created to submit a Trino job to the cluster. + + * `query_file_uri`: The HCFS URI of the script that contains SQL queries. + + * `query_list`: A list of queries to run on a cluster. + + * `queries`: Required. The queries to execute. You do not need to end a query expression with a semicolon. Multiple queries can be specified in one string by separating each with a semicolon. Here is an example of a Dataproc API snippet that uses a QueryList to specify a HiveJob: "hiveJob": { "queryList": { "queries": [ "query1", "query2", "query3;query4", ] } } + + * `continue_on_failure`: Optional. Whether to continue executing queries if a query fails. The default value is false. Setting to true can be useful when executing independent parallel queries. + + * `output_format`: Optional. The format in which query output will be displayed. See the Trino documentation for supported output formats + + * `client_tags`: Optional. Trino client tags to attach to this query + + * `properties`: Optional. A mapping of property names to values. 
Used to set Trino session properties (https://trino.io/docs/current/sql/set-session.html) Equivalent to using the --session flag in the Trino CLI + + * `additional_properties`: + + * `logging_config`: The runtime logging config of the job. + + * `driver_log_levels`: The per-package log levels for the driver. This can include "root" package name to configure rootLogger. Examples: - 'com.google = FATAL' - 'root = INFO' - 'org.apache = DEBUG' + + * `additional_properties`: + + * `flink_job`: A Dataproc job for running Apache Flink applications on YARN. + + * `main_jar_file_uri`: The HCFS URI of the jar file that contains the main class. + + * `main_class`: The name of the driver's main class. The jar file that contains the class must be in the default CLASSPATH or specified in jarFileUris. + + * `args`: Optional. The arguments to pass to the driver. Do not include arguments, such as --conf, that can be set as job properties, since a collision might occur that causes an incorrect job submission. + + * `jar_file_uris`: Optional. HCFS URIs of jar files to add to the CLASSPATHs of the Flink driver and tasks. + + * `savepoint_uri`: Optional. HCFS URI of the savepoint, which contains the last saved progress for starting the current job. + + * `properties`: Optional. A mapping of property names to values, used to configure Flink. Properties that conflict with values set by the Dataproc API might beoverwritten. Can include properties set in/etc/flink/conf/flink-defaults.conf and classes in user code. + + * `additional_properties`: + + * `logging_config`: The runtime logging config of the job. + + * `driver_log_levels`: The per-package log levels for the driver. This can include "root" package name to configure rootLogger. Examples: - 'com.google = FATAL' - 'root = INFO' - 'org.apache = DEBUG' + + * `additional_properties`: + + * `labels`: Optional. 
The labels to associate with this job.Label keys must be between 1 and 63 characters long, and must conform to the following regular expression: \p{Ll}\p{Lo}{0,62}Label values must be between 1 and 63 characters long, and must conform to the following regular expression: \p{Ll}\p{Lo}\p{N}_-{0,63}No more than 32 labels can be associated with a given job. + + * `additional_properties`: + + * `scheduling`: Job scheduling options. + + * `max_failures_per_hour`: Optional. Maximum number of times per hour a driver can be restarted as a result of driver exiting with non-zero code before job is reported failed.A job might be reported as thrashing if the driver exits with a non-zero code four times within a 10-minute window.Maximum value is 10.Note: This restartable job option is not supported in Dataproc workflow templates (https://cloud.google.com/dataproc/docs/concepts/workflows/using-workflows#adding_jobs_to_a_template). + + * `max_failures_total`: Optional. Maximum total number of times a driver can be restarted as a result of the driver exiting with a non-zero code. After the maximum number is reached, the job will be reported as failed.Maximum value is 240.Note: Currently, this restartable job option is not supported in Dataproc workflow templates (https://cloud.google.com/dataproc/docs/concepts/workflows/using-workflows#adding_jobs_to_a_template). + + * `prerequisite_step_ids`: Optional. The optional list of prerequisite job step_ids. If not specified, the job will start at the beginning of workflow. + + * `parameters`: Optional. Template parameters whose values are substituted into the template. Values for parameters must be provided when the template is instantiated. + + * `name`: Required. Parameter name. The parameter name is used as the key, and paired with the parameter value, which are passed to the template when the template is instantiated. 
The name must contain only capital letters (A-Z), numbers (0-9), and underscores (_), and must not start with a number. The maximum length is 40 characters. + + * `fields`: Required. Paths to all fields that the parameter replaces. A field is allowed to appear in at most one parameter's list of field paths.A field path is similar in syntax to a google.protobuf.FieldMask. For example, a field path that references the zone field of a workflow template's cluster selector would be specified as placement.clusterSelector.zone.Also, field paths can reference fields using the following syntax: Values in maps can be referenced by key: labels'key' placement.clusterSelector.clusterLabels'key' placement.managedCluster.labels'key' placement.clusterSelector.clusterLabels'key' jobs'step-id'.labels'key' Jobs in the jobs list can be referenced by step-id: jobs'step-id'.hadoopJob.mainJarFileUri jobs'step-id'.hiveJob.queryFileUri jobs'step-id'.pySparkJob.mainPythonFileUri jobs'step-id'.hadoopJob.jarFileUris0 jobs'step-id'.hadoopJob.archiveUris0 jobs'step-id'.hadoopJob.fileUris0 jobs'step-id'.pySparkJob.pythonFileUris0 Items in repeated fields can be referenced by a zero-based index: jobs'step-id'.sparkJob.args0 Other examples: jobs'step-id'.hadoopJob.properties'key' jobs'step-id'.hadoopJob.args0 jobs'step-id'.hiveJob.scriptVariables'key' jobs'step-id'.hadoopJob.mainJarFileUri placement.clusterSelector.zoneIt may not be possible to parameterize maps and repeated fields in their entirety since only individual map values and individual items in repeated fields can be referenced. For example, the following field paths are invalid: placement.clusterSelector.clusterLabels jobs'step-id'.sparkJob.args + + * `description`: Optional. Brief description of the parameter. Must not exceed 1024 characters. + + * `validation`: Configuration for parameter validation. + + * `regex`: Validation based on regular expressions. + + * `regexes`: Required. 
RE2 regular expressions used to validate the parameter's value. The value must match the regex in its entirety (substring matches are not sufficient). + + * `values`: Validation based on a list of allowed values. + + * `values`: Required. List of allowed values for the parameter. + + * `dag_timeout`: Optional. Timeout duration for the DAG of jobs, expressed in seconds (see JSON representation of duration (https://developers.google.com/protocol-buffers/docs/proto3#json)). The timeout duration must be from 10 minutes ("600s") to 24 hours ("86400s"). The timer begins when the first job is submitted. If the workflow is running at the end of the timeout period, any remaining jobs are cancelled, the workflow is ended, and if the workflow was running on a managed cluster, the cluster is deleted. + + * `encryption_config`: Encryption settings for encrypting workflow template job arguments. + + * `kms_key`: Optional. The Cloud KMS key name to use for encrypting workflow template job arguments.When this this key is provided, the following workflow template job arguments (https://cloud.google.com/dataproc/docs/concepts/workflows/use-workflows#adding_jobs_to_a_template), if present, are CMEK encrypted (https://cloud.google.com/dataproc/docs/concepts/configuring-clusters/customer-managed-encryption#use_cmek_with_workflow_template_data): FlinkJob args (https://cloud.google.com/dataproc/docs/reference/rest/v1/FlinkJob) HadoopJob args (https://cloud.google.com/dataproc/docs/reference/rest/v1/HadoopJob) SparkJob args (https://cloud.google.com/dataproc/docs/reference/rest/v1/SparkJob) SparkRJob args (https://cloud.google.com/dataproc/docs/reference/rest/v1/SparkRJob) PySparkJob args (https://cloud.google.com/dataproc/docs/reference/rest/v1/PySparkJob) SparkSqlJob (https://cloud.google.com/dataproc/docs/reference/rest/v1/SparkSqlJob) scriptVariables and queryList.queries HiveJob (https://cloud.google.com/dataproc/docs/reference/rest/v1/HiveJob) scriptVariables and queryList.queries 
PigJob (https://cloud.google.com/dataproc/docs/reference/rest/v1/PigJob) scriptVariables and queryList.queries PrestoJob (https://cloud.google.com/dataproc/docs/reference/rest/v1/PrestoJob) scriptVariables and queryList.queries
+
+
+## GCP permissions
+
+Ensure the [Cloud Dataproc API](https://console.cloud.google.com/apis/library/dataproc.googleapis.com) is enabled for the current project.
diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_dataproc_workflow_templates.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_dataproc_workflow_templates.md
new file mode 100644
index 0000000..198386e
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_dataproc_workflow_templates.md
@@ -0,0 +1,57 @@
++++
+title = "google_dataproc_workflow_templates resource"
+
+draft = false
+
+
+[menu.gcp]
+title = "google_dataproc_workflow_templates"
+identifier = "inspec/resources/gcp/google_dataproc_workflow_templates resource"
+parent = "inspec/resources/gcp"
++++
+
+Use the `google_dataproc_workflow_templates` InSpec audit resource to to test a Google Cloud WorkflowTemplates resource.
+
+## Examples
+
+```ruby
+ describe google_dataproc_workflow_templates(parent: 'value_parent') do
+ it { should exist }
+ its('ids') { should include 'value_id' }
+ its('names') { should include 'value_name' }
+ its('create_times') { should include 'value_createtime' }
+ its('update_times') { should include 'value_updatetime' }
+ its('dag_timeouts') { should include 'value_dagtimeout' }
+ end
+```
+## Parameters
+ * `parent`: The resource name of the region or location, as described in https://cloud.google.com/apis/design/resource_names.
+ For projects.regions.workflowTemplates,list, the resource name of the region has the following format: projects/{projectId}/regions/{region}
+ For projects.locations.workflowTemplates.list, the resource name of the location has the following format: projects/{projectId}/locations/{location}
+
+## Properties
+
+Properties that can be accessed from the `google_dataproc_workflow_templates` resource:
+
+See [google_dataproc_project_location_workflow_template](google_dataproc_project_location_workflow_template) for more detailed information.
+
+ * `ids`: an array of `google_dataproc_project_location_workflow_template` id
+ * `names`: an array of `google_dataproc_project_location_workflow_template` name
+ * `versions`: an array of `google_dataproc_project_location_workflow_template` version
+ * `create_times`: an array of `google_dataproc_project_location_workflow_template` create_time
+ * `update_times`: an array of `google_dataproc_project_location_workflow_template` update_time
+ * `labels`: an array of `google_dataproc_project_location_workflow_template` labels
+ * `placements`: an array of `google_dataproc_project_location_workflow_template` placement
+ * `jobs`: an array of `google_dataproc_project_location_workflow_template` jobs
+ * `parameters`: an array of `google_dataproc_project_location_workflow_template` parameters
+ * `dag_timeouts`: an array of `google_dataproc_project_location_workflow_template` dag_timeout
+ * `encryption_configs`: an array of `google_dataproc_project_location_workflow_template` encryption_config
+
+## Filter criteria
+
+This resource supports all of the above properties as filter criteria, which can be used
+with `where` as a block or a method.
+
+## GCP permissions
+
+Ensure the [Cloud Dataproc API](https://console.cloud.google.com/apis/library/dataproc.googleapis.com) is enabled for the current project.
diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_dlp_dt.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_dlp_dt.md
new file mode 100644
index 0000000..52e36f6
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_dlp_dt.md
@@ -0,0 +1,180 @@
++++
+title = "google_dlp_dt resource"
+
+draft = false
+
+
+[menu.gcp]
+title = "google_dlp_dt"
+identifier = "inspec/resources/gcp/google_dlp_dt resource"
+parent = "inspec/resources/gcp"
++++
+
+Use the `google_dlp_dt` InSpec audit resource to to test a Google Cloud DT resource.
+
+## Examples
+
+```ruby
+
+describe google_dlp_dts(parent: "projects/#{'chef-gcp-inspec'}/locations/#{''}") do
+ it { should exist }
+ its('display_names') { should include '' }
+end
+
+```
+
+## Properties
+
+Properties that can be accessed from the `google_dlp_dt` resource:
+
+
+ * `name`: The resource name of the template. Set by the server.
+
+ * `description`: A description of the template.
+
+ * `display_name`: User set display name of the template.
+
+ * `config`: deidentifyConfig - Configuration of the deidentify template
+
+ * `info_type_tf`: infoTypeTransformations - Specifies free-text based transformations to be applied to the dataset.
+
+ * `tf`: transformations - Transformation for each infoType. Cannot specify more than one for a given infoType.
+
+ * `info_types`: InfoTypes to apply the transformation to. Leaving this empty will apply the transformation to apply to all findings that correspond to infoTypes that were requested in InspectConfig.
+
+ * `name`: Name of the information type.
+
+ * `primitive_tf`: Primitive transformation to apply to the infoType.
+
+ * `replace_config`: Replace each input value with a given value.
+
+ * `new_value`: Replace each input value with a given value.
+
+ * `integer_value`: An integer value.
+
+ * `float_value`: A float value.
+
+ * `string_value`: A string value.
+
+ * `boolean_value`: A boolean value.
+
+ * `timestamp_value`: A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".
+
+ * `time_value`: Represents a time of day.
+
+ * `hours`: Hours of day in 24 hour format. Should be from 0 to 23.
+
+ * `minutes`: Minutes of hour of day. Must be from 0 to 59.
+
+ * `seconds`: Seconds of minutes of the time. Must normally be from 0 to 59.
+
+ * `nanos`: Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
+
+ * `date_value`: Represents a whole or partial calendar date.
+
+ * `year`: Year of date. Must be from 1 to 9999, or 0 if specifying a date without a year.
+
+ * `month`: Month of year. Must be from 1 to 12, or 0 if specifying a year without a month and day.
+
+ * `day`: Day of month. Must be from 1 to 31 and valid for the year and month, or 0 if specifying a year by itself or a year and month where the day is not significant.
+
+ * `day_of_week_value`: Represents a day of the week.
+ Possible values:
+ * MONDAY
+ * TUESDAY
+ * WEDNESDAY
+ * THURSDAY
+ * FRIDAY
+ * SATURDAY
+ * SUNDAY
+
+ * `replace_with_info_type_config`: Replace each matching finding with the name of the info type.
+
+ * `character_mask_config`: Partially mask a string by replacing a given number of characters with a fixed character. Masking can start from the beginning or end of the string.
+
+ * `masking_character`: Character to use to mask the sensitive values—for example, * for an alphabetic string such as a name, or 0 for a numeric string such as ZIP code or credit card number. This string must have a length of 1. If not supplied, this value defaults to * for strings, and 0 for digits.
+
+ * `number_to_mask`: Number of characters to mask. If not set, all matching chars will be masked. Skipped characters do not count towards this tally.
+
+ * `reverse_order`: Mask characters in reverse order. For example, if masking_character is 0, number_to_mask is 14, and reverse_order is `false`, then the input string `1234-5678-9012-3456` is masked as `00000000000000-3456`.
+
+ * `characters_to_ignore`: Characters to skip when doing de-identification of a value. These will be left alone and skipped.
+
+ * `characters_to_skip`: Characters to not transform when masking.
+
+ * `common_characters_to_ignore`: Common characters to not transform when masking. Useful to avoid removing punctuation.
+ Possible values:
+ * NUMERIC
+ * ALPHA_UPPER_CASE
+ * ALPHA_LOWER_CASE
+ * PUNCTUATION
+ * WHITESPACE
+
+ * `crypto_deterministic_config`: Pseudonymization method that generates deterministic encryption for the given input. Outputs a base64 encoded representation of the encrypted output. Uses AES-SIV based on the RFC [https://tools.ietf.org/html/rfc5297](https://tools.ietf.org/html/rfc5297).
+
+ * `crypto_key`: The key used by the encryption function.
+
+ * `transient`: Transient crypto key
+
+ * `name`: Name of the key. This is an arbitrary string used to differentiate different keys. A unique key is generated per name: two separate `TransientCryptoKey` protos share the same generated key if their names are the same. When the data crypto key is generated, this name is not used in any way (repeating the api call will result in a different key being generated).
+
+ * `unwrapped`: Unwrapped crypto key
+
+ * `key`: A 128/192/256 bit key. A base64-encoded string.
+
+ * `kms_wrapped`: Kms wrapped key
+
+ * `wrapped_key`: The wrapped data crypto key. A base64-encoded string.
+
+ * `crypto_key_name`: The resource name of the KMS CryptoKey to use for unwrapping.
+
+ * `surrogate_info_type`: The custom info type to annotate the surrogate with. This annotation will be applied to the surrogate by prefixing it with the name of the custom info type followed by the number of characters comprising the surrogate. The following scheme defines the format: {info type name}({surrogate character count}):{surrogate} For example, if the name of custom info type is 'MY\_TOKEN\_INFO\_TYPE' and the surrogate is 'abc', the full replacement value will be: 'MY\_TOKEN\_INFO\_TYPE(3):abc' This annotation identifies the surrogate when inspecting content using the custom info type 'Surrogate'. This facilitates reversal of the surrogate when it occurs in free text. Note: For record transformations where the entire cell in a table is being transformed, surrogates are not mandatory. Surrogates are used to denote the location of the token and are necessary for re-identification in free form text. In order for inspection to work properly, the name of this info type must not occur naturally anywhere in your data; otherwise, inspection may either * reverse a surrogate that does not correspond to an actual identifier * be unable to parse the surrogate and result in an error Therefore, choose your custom info type name carefully after considering what your data looks like. One way to select a name that has a high chance of yielding reliable detection is to include one or more unicode characters that are highly improbable to exist in your data. For example, assuming your data is entered from a regular ASCII keyboard, the symbol with the hex code point 29DD might be used like so: ⧝MY\_TOKEN\_TYPE.
+
+ * `name`: Name of the information type. Either a name of your choosing when creating a CustomInfoType, or one of the names listed at [https://cloud.google.com/dlp/docs/infotypes-reference](https://cloud.google.com/dlp/docs/infotypes-reference) when specifying a built-in type. When sending Cloud DLP results to Data Catalog, infoType names should conform to the pattern `[A-Za-z0-9$-_]{1,64}`.
+
+ * `context`: A context may be used for higher security and maintaining referential integrity such that the same identifier in two different contexts will be given a distinct surrogate. The context is appended to plaintext value being encrypted. On decryption the provided context is validated against the value used during encryption. If a context was provided during encryption, same context must be provided during decryption as well. If the context is not set, plaintext would be used as is for encryption. If the context is set but: 1. there is no record present when transforming a given value or 2. the field is not present when transforming a given value, plaintext would be used as is for encryption. Note that case (1) is expected when an `InfoTypeTransformation` is applied to both structured and non-structured `ContentItem`s.
+
+ * `name`: Name describing the field.
+
+ * `crypto_replace_ffx_fpe_config`: Replaces an identifier with a surrogate using Format Preserving Encryption (FPE) with the FFX mode of operation; however when used in the `content.reidentify` API method, it serves the opposite function by reversing the surrogate back into the original identifier. The identifier must be encoded as ASCII. For a given crypto key and context, the same identifier will be replaced with the same surrogate. Identifiers must be at least two characters long. In the case that the identifier is the empty string, it will be skipped. See [https://cloud.google.com/dlp/docs/pseudonymization](https://cloud.google.com/dlp/docs/pseudonymization) to learn more. Note: We recommend using CryptoDeterministicConfig for all use cases which do not require preserving the input alphabet space and size, plus warrant referential integrity.
+
+ * `crypto_key`: The key used by the encryption algorithm.
+
+ * `transient`: Transient crypto key
+
+ * `name`: Name of the key. This is an arbitrary string used to differentiate different keys. A unique key is generated per name: two separate `TransientCryptoKey` protos share the same generated key if their names are the same. When the data crypto key is generated, this name is not used in any way (repeating the api call will result in a different key being generated).
+
+ * `unwrapped`: Unwrapped crypto key
+
+ * `key`: A 128/192/256 bit key. A base64-encoded string.
+
+ * `kms_wrapped`: Kms wrapped key
+
+ * `wrapped_key`: The wrapped data crypto key. A base64-encoded string.
+
+ * `crypto_key_name`: The resource name of the KMS CryptoKey to use for unwrapping.
+
+ * `context`: The 'tweak', a context may be used for higher security since the same identifier in two different contexts won't be given the same surrogate. If the context is not set, a default tweak will be used. If the context is set but: 1. there is no record present when transforming a given value or 2. the field is not present when transforming a given value, a default tweak will be used. Note that case (1) is expected when an `InfoTypeTransformation` is applied to both structured and non-structured `ContentItem`s. Currently, the referenced field may be of value type integer or string. The tweak is constructed as a sequence of bytes in big endian byte order such that: * a 64 bit integer is encoded followed by a single byte of value 1 * a string is encoded in UTF-8 format followed by a single byte of value 2
+
+ * `name`: Name describing the field.
+
+ * `surrogate_info_type`: The custom infoType to annotate the surrogate with. This annotation will be applied to the surrogate by prefixing it with the name of the custom infoType followed by the number of characters comprising the surrogate. The following scheme defines the format: info\_type\_name(surrogate\_character\_count):surrogate For example, if the name of custom infoType is 'MY\_TOKEN\_INFO\_TYPE' and the surrogate is 'abc', the full replacement value will be: 'MY\_TOKEN\_INFO\_TYPE(3):abc' This annotation identifies the surrogate when inspecting content using the custom infoType [`SurrogateType`](https://cloud.google.com/dlp/docs/reference/rest/v2/InspectConfig#surrogatetype). This facilitates reversal of the surrogate when it occurs in free text. In order for inspection to work properly, the name of this infoType must not occur naturally anywhere in your data; otherwise, inspection may find a surrogate that does not correspond to an actual identifier. Therefore, choose your custom infoType name carefully after considering what your data looks like. One way to select a name that has a high chance of yielding reliable detection is to include one or more unicode characters that are highly improbable to exist in your data. For example, assuming your data is entered from a regular ASCII keyboard, the symbol with the hex code point 29DD might be used like so: ⧝MY\_TOKEN\_TYPE
+
+ * `name`: Name of the information type. Either a name of your choosing when creating a CustomInfoType, or one of the names listed at [https://cloud.google.com/dlp/docs/infotypes-reference](https://cloud.google.com/dlp/docs/infotypes-reference) when specifying a built-in type. When sending Cloud DLP results to Data Catalog, infoType names should conform to the pattern `[A-Za-z0-9$-_]{1,64}`.
+
+ * `common_alphabet`: Common alphabets.
+ Possible values:
+ * FFX_COMMON_NATIVE_ALPHABET_UNSPECIFIED
+ * NUMERIC
+ * HEXADECIMAL
+ * UPPER_CASE_ALPHA_NUMERIC
+ * ALPHA_NUMERIC
+
+ * `custom_alphabet`: This is supported by mapping these to the alphanumeric characters that the FFX mode natively supports. This happens before/after encryption/decryption. Each character listed must appear only once. Number of characters must be in the range \[2, 95\]. This must be encoded as ASCII. The order of characters does not matter. The full list of allowed characters is: ``0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz ~`!@#$%^&*()_-+={[}]|:;"'<,>.?/``
+
+ * `radix`: The native way to select the alphabet. Must be in the range \[2, 95\].
+
+ * `parent`: The parent of the template in any of the following formats: * `projects/{{project}}` * `projects/{{project}}/locations/{{location}}` * `organizations/{{organization_id}}` * `organizations/{{organization_id}}/locations/{{location}}`
+
+
+## GCP permissions
diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_dlp_dts.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_dlp_dts.md
new file mode 100644
index 0000000..34f78ff
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_dlp_dts.md @@ -0,0 +1,46 @@ ++++ +title = "google_dlp_dts resource" + +draft = false + + +[menu.gcp] +title = "google_dlp_dts" +identifier = "inspec/resources/gcp/google_dlp_dts resource" +parent = "inspec/resources/gcp" ++++ + +Use the `google_dlp_dts` InSpec audit resource to to test a Google Cloud DT resource. + +## Examples + +```ruby +describe google_dlp_dt(parent: "projects/#{'chef-gcp-inspec'}/locations/#{''}", name: '') do + it { should exist } + its('display_name') { should cmp '' } +end + +describe google_dlp_dt(parent: "projects/#{'chef-gcp-inspec'}/locations/#{''}", name: 'nonexistent') do + it { should_not exist } +end + +``` + +## Properties + +Properties that can be accessed from the `google_dlp_dts` resource: + +See [google_dlp_dt](google_dlp_dt) for more detailed information. + + * `names`: an array of `google_dlp_dt` name + * `descriptions`: an array of `google_dlp_dt` description + * `display_names`: an array of `google_dlp_dt` display_name + * `configs`: an array of `google_dlp_dt` config + * `parents`: an array of `google_dlp_dt` parent + +## Filter criteria + +This resource supports all of the above properties as filter criteria, which can be used +with `where` as a block or a method. + +## GCP permissions diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_dlp_inspect_template.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_dlp_inspect_template.md new file mode 100644 index 0000000..aa2629a --- /dev/null +++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_dlp_inspect_template.md 
@@ -0,0 +1,182 @@ ++++ +title = "google_dlp_inspect_template resource" + +draft = false + + +[menu.gcp] +title = "google_dlp_inspect_template" +identifier = "inspec/resources/gcp/google_dlp_inspect_template resource" +parent = "inspec/resources/gcp" ++++ + +Use the `google_dlp_inspect_template` InSpec audit resource to to test a Google Cloud InspectTemplate resource. + +## Examples + +```ruby +describe google_dlp_inspect_template(parent: "projects/#{'chef-gcp-inspec'}/locations/#{'us-east-2'}", name: 'i-inspec-gcp-dlp') do +it { should exist } +its('name') { should cmp 'i-inspec-gcp-dlp' } +its('type') { should cmp 'INSPECT_JOB' } +its('state') { should cmp 'ACTIVE' } +its('inspectDetails.requestedOptions.snapshotInspectTemplate') { should cmp '' } +end + +describe google_dlp_inspect_template(parent: "projects/#{'chef-gcp-inspec'}/locations/#{'us-east-2'}", name: 'nonexistent') do +it { should_not exist } +end + +``` + +## Properties + +Properties that can be accessed from the `google_dlp_inspect_template` resource: + + + * `name`: The resource name of the inspect template. Set by the server. + + * `description`: A description of the inspect template. + + * `display_name`: User set display name of the inspect template. + + * `inspect_config`: The core content of the template. + + * `exclude_info_types`: When true, excludes type information of the findings. + + * `include_quote`: When true, a contextual quote from the data that triggered a finding is included in the response. + + * `min_likelihood`: Only returns findings equal or above this threshold. See https://cloud.google.com/dlp/docs/likelihood for more info + Possible values: + * VERY_UNLIKELY + * UNLIKELY + * POSSIBLE + * LIKELY + * VERY_LIKELY + + * `limits`: Configuration to control the number of findings returned. + + * `max_findings_per_item`: Max number of findings that will be returned for each item scanned. The maximum returned is 2000. 
+ + * `max_findings_per_request`: Max number of findings that will be returned per request/job. The maximum returned is 2000. + + * `max_findings_per_info_type`: Configuration of findings limit given for specified infoTypes. + + * `info_type`: Type of information the findings limit applies to. Only one limit per infoType should be provided. If InfoTypeLimit does not have an infoType, the DLP API applies the limit against all infoTypes that are found but not specified in another InfoTypeLimit. + + * `name`: Name of the information type. Either a name of your choosing when creating a CustomInfoType, or one of the names listed at https://cloud.google.com/dlp/docs/infotypes-reference when specifying a built-in type. + + * `max_findings`: Max findings limit for the given infoType. + + * `info_types`: Restricts what infoTypes to look for. The values must correspond to InfoType values returned by infoTypes.list or listed at https://cloud.google.com/dlp/docs/infotypes-reference. When no InfoTypes or CustomInfoTypes are specified in a request, the system may automatically choose what detectors to run. By default this may be all types, but may change over time as detectors are updated. + + * `name`: Name of the information type. Either a name of your choosing when creating a CustomInfoType, or one of the names listed at https://cloud.google.com/dlp/docs/infotypes-reference when specifying a built-in type. + + * `content_options`: List of options defining data content to scan. If empty, text, images, and other content will be included. + + * `rule_set`: Set of rules to apply to the findings for this InspectConfig. Exclusion rules, contained in the set are executed in the end, other rules are executed in the order they are specified for each info type. + + * `info_types`: List of infoTypes this rule set is applied to. + + * `name`: Name of the information type. 
Either a name of your choosing when creating a CustomInfoType, or one of the names listed at https://cloud.google.com/dlp/docs/infotypes-reference when specifying a built-in type. + + * `rules`: Set of rules to be applied to infoTypes. The rules are applied in order. + + * `hotword_rule`: Hotword-based detection rule. + + * `hotword_regex`: Regular expression pattern defining what qualifies as a hotword. + + * `pattern`: Pattern defining the regular expression. Its syntax (https://github.com/google/re2/wiki/Syntax) can be found under the google/re2 repository on GitHub. + + * `group_indexes`: The index of the submatch to extract as findings. When not specified, the entire match is returned. No more than 3 may be included. + + * `proximity`: Proximity of the finding within which the entire hotword must reside. The total length of the window cannot exceed 1000 characters. Note that the finding itself will be included in the window, so that hotwords may be used to match substrings of the finding itself. For example, the certainty of a phone number regex `(\d{3}) \d{3}-\d{4}` could be adjusted upwards if the area code is known to be the local area code of a company office using the hotword regex `(xxx)`, where `xxx` is the area code in question. + + * `window_before`: Number of characters before the finding to consider. Either this or window_after must be specified + + * `window_after`: Number of characters after the finding to consider. Either this or window_before must be specified + + * `likelihood_adjustment`: Likelihood adjustment to apply to all matching findings. + + * `fixed_likelihood`: Set the likelihood of a finding to a fixed value. Either this or relative_likelihood can be set. + Possible values: + * VERY_UNLIKELY + * UNLIKELY + * POSSIBLE + * LIKELY + * VERY_LIKELY + + * `relative_likelihood`: Increase or decrease the likelihood by the specified number of levels. 
For example, if a finding would be POSSIBLE without the detection rule and relativeLikelihood is 1, then it is upgraded to LIKELY, while a value of -1 would downgrade it to UNLIKELY. Likelihood may never drop below VERY_UNLIKELY or exceed VERY_LIKELY, so applying an adjustment of 1 followed by an adjustment of -1 when base likelihood is VERY_LIKELY will result in a final likelihood of LIKELY. Either this or fixed_likelihood can be set. + + * `exclusion_rule`: The rule that specifies conditions when findings of infoTypes specified in InspectionRuleSet are removed from results. + + * `matching_type`: How the rule is applied. See the documentation for more information: https://cloud.google.com/dlp/docs/reference/rest/v2/InspectConfig#MatchingType + Possible values: + * MATCHING_TYPE_FULL_MATCH + * MATCHING_TYPE_PARTIAL_MATCH + * MATCHING_TYPE_INVERSE_MATCH + + * `dictionary`: Dictionary which defines the rule. + + * `word_list`: List of words or phrases to search for. + + * `words`: Words or phrases defining the dictionary. The dictionary must contain at least one phrase and every phrase must contain at least 2 characters that are letters or digits. + + * `cloud_storage_path`: Newline-delimited file of words in Cloud Storage. Only a single file is accepted. + + * `path`: A url representing a file or path (no wildcards) in Cloud Storage. Example: `gs://[BUCKET_NAME]/dictionary.txt` + + * `regex`: Regular expression which defines the rule. + + * `pattern`: Pattern defining the regular expression. Its syntax (https://github.com/google/re2/wiki/Syntax) can be found under the google/re2 repository on GitHub. + + * `group_indexes`: The index of the submatch to extract as findings. When not specified, the entire match is returned. No more than 3 may be included. + + * `exclude_info_types`: Set of infoTypes for which findings would affect this rule. 
+ + * `info_types`: If a finding is matched by any of the infoType detectors listed here, the finding will be excluded from the scan results. + + * `name`: Name of the information type. Either a name of your choosing when creating a CustomInfoType, or one of the names listed at https://cloud.google.com/dlp/docs/infotypes-reference when specifying a built-in type. + + * `custom_info_types`: Custom info types to be used. See https://cloud.google.com/dlp/docs/creating-custom-infotypes to learn more. + + * `info_type`: CustomInfoType can either be a new infoType, or an extension of built-in infoType, when the name matches one of existing infoTypes and that infoType is specified in `info_types` field. Specifying the latter adds findings to the one detected by the system. If built-in info type is not specified in `info_types` list then the name is treated as a custom info type. + + * `name`: Name of the information type. Either a name of your choosing when creating a CustomInfoType, or one of the names listed at https://cloud.google.com/dlp/docs/infotypes-reference when specifying a built-in type. + + * `likelihood`: Likelihood to return for this CustomInfoType. This base value can be altered by a detection rule if the finding meets the criteria specified by the rule. + Possible values: + * VERY_UNLIKELY + * UNLIKELY + * POSSIBLE + * LIKELY + * VERY_LIKELY + + * `exclusion_type`: If set to EXCLUSION_TYPE_EXCLUDE this infoType will not cause a finding to be returned. It still can be used for rules matching. + Possible values: + * EXCLUSION_TYPE_EXCLUDE + + * `regex`: Regular expression which defines the rule. + + * `pattern`: Pattern defining the regular expression. Its syntax (https://github.com/google/re2/wiki/Syntax) can be found under the google/re2 repository on GitHub. + + * `group_indexes`: The index of the submatch to extract as findings. When not specified, the entire match is returned. No more than 3 may be included. 
+ + * `dictionary`: Dictionary which defines the rule. + + * `word_list`: List of words or phrases to search for. + + * `words`: Words or phrases defining the dictionary. The dictionary must contain at least one phrase and every phrase must contain at least 2 characters that are letters or digits. + + * `cloud_storage_path`: Newline-delimited file of words in Cloud Storage. Only a single file is accepted. + + * `path`: A url representing a file or path (no wildcards) in Cloud Storage. Example: `gs://[BUCKET_NAME]/dictionary.txt` + + * `stored_type`: A reference to a StoredInfoType to use with scanning. + + * `name`: Resource name of the requested StoredInfoType, for example `organizations/433245324/storedInfoTypes/432452342` or `projects/project-id/storedInfoTypes/432452342`. + + * `parent`: The parent of the inspect template in any of the following formats: * `projects/{{project}}` * `projects/{{project}}/locations/{{location}}` * `organizations/{{organization_id}}` * `organizations/{{organization_id}}/locations/{{location}}` + + +## GCP permissions diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_dlp_inspect_templates.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_dlp_inspect_templates.md new file mode 100644 index 0000000..ce1ae87 --- /dev/null +++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_dlp_inspect_templates.md 
@@ -0,0 +1,45 @@ ++++ +title = "google_dlp_inspect_templates resource" + +draft = false + + +[menu.gcp] +title = "google_dlp_inspect_templates" +identifier = "inspec/resources/gcp/google_dlp_inspect_templates resource" +parent = "inspec/resources/gcp" ++++ + +Use the `google_dlp_inspect_templates` InSpec audit resource to to test a Google Cloud InspectTemplate resource. + +## Examples + +```ruby + +describe google_dlp_inspect_templates(parent: "projects/#{'chef-gcp-inspec'}/locations/#{'us-east-2'}") do +it { should exist } +its('names') { should include 'i-inspec-gcp-dlp' } +its('types') { should include 'INSPECT_JOB' } +its('states') { should include 'ACTIVE' } +end + +``` + +## Properties + +Properties that can be accessed from the `google_dlp_inspect_templates` resource: + +See [google_dlp_inspect_template](google_dlp_inspect_template) for more detailed information. + + * `names`: an array of `google_dlp_inspect_template` name + * `descriptions`: an array of `google_dlp_inspect_template` description + * `display_names`: an array of `google_dlp_inspect_template` display_name + * `inspect_configs`: an array of `google_dlp_inspect_template` inspect_config + * `parents`: an array of `google_dlp_inspect_template` parent + +## Filter criteria + +This resource supports all of the above properties as filter criteria, which can be used +with `where` as a block or a method. + +## GCP permissions diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_dlp_job.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_dlp_job.md new file mode 100644 index 0000000..0e5ae16 --- /dev/null +++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_dlp_job.md 
@@ -0,0 +1,353 @@ ++++ +title = "google_dlp_job resource" + +draft = false + + +[menu.gcp] +title = "google_dlp_job" +identifier = "inspec/resources/gcp/google_dlp_job resource" +parent = "inspec/resources/gcp" ++++ + +Use the `google_dlp_job` InSpec audit resource to to test a Google Cloud Job resource. + +## Examples + +```ruby +describe google_dlp_job(parent: "projects/#{'chef-gcp-inspec'}/locations/#{'us-east-2'}", name: 'i-inspec-gcp-dlp') do + it { should exist } + its('name') { should cmp 'i-inspec-gcp-dlp' } + its('type') { should cmp 'INSPECT_JOB' } + its('state') { should cmp 'ACTIVE' } + its('inspectDetails.requestedOptions.snapshotInspectTemplate') { should cmp '' } +end + +describe google_dlp_job(parent: "projects/#{'chef-gcp-inspec'}/locations/#{'us-east-2'}", name: 'nonexistent') do + it { should_not exist } +end + +``` + +## Properties + +Properties that can be accessed from the `google_dlp_job` resource: + + + * `name`: The resource name of the template. Set by the server. + + * `type`: An enum to represent the various types of DLP jobs. + Possible values: + * DLP_JOB_TYPE_UNSPECIFIED + * INSPECT_JOB + * RISK_ANALYSIS_JOB + + * `state`: Possible states of a job. New items may be added. + Possible values: + * JOB_STATE_UNSPECIFIED + * PENDING + * RUNNING + * DONE + * CANCELED + * FAILED + * ACTIVE + + * `create_time`: Time when the job started. A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z". + + * `start_time`: Time when the job was created. A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z". + + * `end_time`: Time when the job started. A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. 
Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z". + + * `job_trigger_name`: If created by a job trigger, the resource name of the trigger that instantiated the job. + + * `errors`: Details information about an error encountered during job execution or the results of an unsuccessful activation of the JobTrigger. + + * `details`: Specifies free-text based transformations to be applied to the dataset. + + * `status`: The Status type defines a logical error model that is suitable for different programming environments, including REST APIs and RPC APIs. It is used by gRPC. Each Status message contains three pieces of data: error code, error message, and error details. + + * `code`: The status code, which should be an enum value of google.rpc.Code. + + * `message`: A developer-facing error message, which should be in English. Any user-facing error message should be localized and sent in the google.rpc.Status.details field, or localized by the client. + + * `details`: A list of messages that carry the error details. There is a common set of message types for APIs to use. An object containing fields of an arbitrary type. An additional field "type" contains a URI identifying the type. Example: { "id": 1234, "type": "types.example.com/standard/id" }. + + * `type`: type of field + + * `field1`: name of field + + * `act_det`: actionDetails - Details information about an error encountered during job execution or the results of an unsuccessful activation of the JobTrigger. + + * `dt_det`: DeIdentifyDetails - Specifies free-text based transformations to be applied to the dataset. + + * `de_stats`: deidentifyStats - Specifies free-text based transformations to be applied to the dataset. + + * `transformed_bytes`: Total size in bytes that were transformed in some way. + + * `transformation_count`: Number of successfully applied transformations. + + * `transformation_error_count`: Number of errors encountered while trying to apply transformations. 
+ + * `req_opt`: requestedOptions The Status type defines a logical error model that is suitable for different programming environments, including REST APIs and RPC APIs. It is used by gRPC. Each Status message contains three pieces of data: error code, error message, and error details. + + * `snapshot_dt`: snapshotDeidentifyTemplate Snapshot of the state of the DeidentifyTemplate from the Deidentify action at the time this job was run. + + * `name`: The status code, which should be an enum value of google.rpc.Code. + + * `display_name`: A developer-facing error message, which should be in English. Any user-facing error message should be localized and sent in the google.rpc.Status.details field, or localized by the client. + + * `description`: A developer-facing error message, which should be in English. Any user-facing error message should be localized and sent in the google.rpc.Status.details field, or localized by the client. + + * `create_time`: A developer-facing error message, which should be in English. Any user-facing error message should be localized and sent in the google.rpc.Status.details field, or localized by the client. + + * `update_time`: A developer-facing error message, which should be in English. Any user-facing error message should be localized and sent in the google.rpc.Status.details field, or localized by the client. + + * `config`: deidentifyConfig The Status type defines a logical error model that is suitable for different programming environments, including REST APIs and RPC APIs. It is used by gRPC. Each Status message contains three pieces of data: error code, error message, and error details. + + * `tf_error_handling`: transformationErrorHandling The status code, which should be an enum value of google.rpc.Code. + + * `snapshot_structured_dt`: snapshotStructuredDeidentifyTemplate Snapshot of the state of the structured DeidentifyTemplate from the Deidentify action at the time this job was run. 
+ + * `name`: The status code, which should be an enum value of google.rpc.Code. + + * `display_name`: A developer-facing error message, which should be in English. Any user-facing error message should be localized and sent in the google.rpc.Status.details field, or localized by the client. + + * `description`: A developer-facing error message, which should be in English. Any user-facing error message should be localized and sent in the google.rpc.Status.details field, or localized by the client. + + * `create_time`: A developer-facing error message, which should be in English. Any user-facing error message should be localized and sent in the google.rpc.Status.details field, or localized by the client. + + * `update_time`: A developer-facing error message, which should be in English. Any user-facing error message should be localized and sent in the google.rpc.Status.details field, or localized by the client. + + * `deidentify_config`: The Status type defines a logical error model that is suitable for different programming environments, including REST APIs and RPC APIs. It is used by gRPC. Each Status message contains three pieces of data: error code, error message, and error details. + + * `tf_error_handling`: transformationErrorHandling The status code, which should be an enum value of google.rpc.Code. + + * `snapshot_img_rt`: snapshotImageRedactTemplate Snapshot of the state of the image transformation DeidentifyTemplate from the Deidentify action at the time this job was run. + + * `name`: Output only. The template name. The template will have one of the following formats: projects/PROJECT_ID/deidentifyTemplates/TEMPLATE_ID OR organizations/ORGANIZATION_ID/deidentifyTemplates/TEMPLATE_ID + + * `display_name`: Display name (max 256 chars). + + * `description`: Short description (max 256 chars). + + * `create_time`: Output only. The creation timestamp of an inspectTemplate. 
A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z". + + * `update_time`: Output only. The creation timestamp of an inspectTemplate. A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z". + + * `dt_con`: deidentifyConfig The configuration that controls how the data will change. + + * `tf_error_handling`: transformationErrorHandling How to handle transformation errors during de-identification. A transformation error occurs when the requested transformation is incompatible with the data. For example, trying to de-identify an IP address using a DateShift transformation would result in a transformation error, since date info cannot be extracted from an IP address. Information about any incompatible transformations, and how they were handled, is returned in the response as part of the TransformationOverviews. + + * `info_type_tf`: infoTypeTransformations Treat the dataset as free-form text and apply the same free text transformation everywhere. + + * `tf`: transformations A type of transformation that will scan unstructured text and apply various PrimitiveTransformations to each finding, where the transformation is applied to only values that were identified as a specific infoType. + + * `info_types`: InfoTypes to apply the transformation to. An empty list will cause this transformation to apply to all findings that correspond to infoTypes that were requested in InspectConfig. + + * `name`: Name of the information type. Either a name of your choosing when creating a CustomInfoType, or one of the names listed at https://cloud.google.com/dlp/docs/infotypes-reference when specifying a built-in type. When sending Cloud DLP results to Data Catalog, infoType names should conform to the pattern [A-Za-z0-9$_-]{1,64}. 
+ + * `version`: Optional version name for this InfoType. + + * `sensitivity_score`: Score is calculated from of all elements in the data profile. A higher level means the data is more sensitive. + + * `score`: Various sensitivity score levels for resources. Enums **SENSITIVITY_SCORE_UNSPECIFIED** - Unused. **SENSITIVITY_LOW** - No sensitive information detected. The resource isn't publicly accessible. **SENSITIVITY_MODERATE** - Medium risk. Contains personally identifiable information (PII), potentially sensitive data, or fields with free-text data that are at a higher risk of having intermittent sensitive data. Consider limiting access. **SENSITIVITY_HIGH** - High risk. Sensitive personally identifiable information (SPII) can be present. Exfiltration of data can lead to user data loss. Re-identification of users might be possible. Consider limiting usage and or removing SPII. + Possible values: + * SENSITIVITY_SCORE_UNSPECIFIED + * SENSITIVITY_LOW + * SENSITIVITY_MODERATE + * SENSITIVITY_HIGH + + * `rec_tf`: recordTransformations - Treat the dataset as free-form text and apply the same free text transformation everywhere. + + * `field_tf`: The transformation to apply to the field. + + * `fields`: InfoTypes to apply the transformation to. An empty list will cause this transformation to apply to all findings that correspond to infoTypes that were requested in InspectConfig. + + * `name`: Name describing the field. + + * `con`: condition A condition for determining whether a transformation should be applied to a field. + + * `exps`: expressions Only apply the transformation if the condition evaluates to true for the given RecordCondition. The conditions are allowed to reference fields that are not used in the actual transformation.Example Use Cases: Apply a different bucket transformation to an age column if the zip code column for the same record is within a specific range. Redact a field if the date of birth field is greater than 85. 
+ + * `logical_operator`: The operator to apply to the result of conditions. Default and currently only supported value is AND. Enums **LOGICAL_OPERATOR_UNSPECIFIED** - Unused **AND** - Conditional AND + Possible values: + * LOGICAL_OPERATOR_UNSPECIFIED + * AND + + * `con`: Conditions to apply to the expression. + + * `cond`: A collection of conditions. + + * `field`: Designated field in the BigQuery table. + + * `name`: Name describing the field. + + * `operator`: Operators available for comparing the value of fields. Enums **RELATIONAL_OPERATOR_UNSPECIFIED** Unused **EQUAL_TO** Equal. Attempts to match even with incompatible types. **NOT_EQUAL_TO** Not equal to. Attempts to match even with incompatible types. **GREATER_THAN** Greater than. **LESS_THAN** Less than. **GREATER_THAN_OR_EQUALS** Greater than or equals. **LESS_THAN_OR_EQUALS** Less than or equals. **EXISTS** Exists + Possible values: + * RELATIONAL_OPERATOR_UNSPECIFIED + * EQUAL_TO + * NOT_EQUAL_TO + * GREATER_THAN + * LESS_THAN + * GREATER_THAN_OR_EQUALS + * LESS_THAN_OR_EQUALS + * EXISTS + + * `new_val`: newValue Replace each input value with a given value. + + * `integer_value`: An integer value. + + * `float_value`: A float value. + + * `string_value`: A string value. + + * `boolean_value`: A boolean value. + + * `timestamp_value`: A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z". + + * `time_val`: Represents a time of day. + + * `hours`: Hours of day in 24 hour format. Should be from 0 to 23. + + * `minutes`: Minutes of hour of day. Must be from 0 to 59. + + * `seconds`: Seconds of minutes of the time. Must normally be from 0 to 59. + + * `nanos`: Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999. + + * `date_val`: dateValue Represents a whole or partial calendar date. + + * `year`: Year of date. 
Must be from 1 to 9999, or 0 if specifying a date without a year.
+
+ * `month`: Month of year. Must be from 1 to 12, or 0 if specifying a year without a month and day.
+
+ * `day`: Day of month. Must be from 1 to 31 and valid for the year and month, or 0 if specifying a year by itself or a year and month where the day is not significant.
+
+ * `day_of_week_val`: datOfWeekValue Represents a day of the week.
+ Possible values:
+ * MONDAY
+ * TUESDAY
+ * WEDNESDAY
+ * THURSDAY
+ * FRIDAY
+ * SATURDAY
+ * SUNDAY
+
+ * `rec_sup`: recordSuppressions - The transformation to apply to the field.
+
+ * `con`: A condition for determining whether a transformation should be applied to a field.
+
+ * `exp`: expressions Only apply the transformation if the condition evaluates to true for the given RecordCondition. The conditions are allowed to reference fields that are not used in the actual transformation.Example Use Cases: Apply a different bucket transformation to an age column if the zip code column for the same record is within a specific range. Redact a field if the date of birth field is greater than 85.
+
+ * `logical_operator`: The operator to apply to the result of conditions. Default and currently only supported value is AND. Enums **LOGICAL_OPERATOR_UNSPECIFIED** - Unused **AND** - Conditional AND
+ Possible values:
+ * LOGICAL_OPERATOR_UNSPECIFIED
+ * AND
+
+ * `con`: Conditions to apply to the expression.
+
+ * `con`: A collection of conditions.
+
+ * `field`: Designated field in the BigQuery table.
+
+ * `name`: Name describing the field.
+
+ * `operator`: Operators available for comparing the value of fields. Enums **RELATIONAL_OPERATOR_UNSPECIFIED** Unused **EQUAL_TO** Equal. Attempts to match even with incompatible types. **NOT_EQUAL_TO** Not equal to. Attempts to match even with incompatible types. **GREATER_THAN** Greater than. **LESS_THAN** Less than. **GREATER_THAN_OR_EQUALS** Greater than or equals. **LESS_THAN_OR_EQUALS** Less than or equals. **EXISTS** Exists
+ Possible values:
+ * RELATIONAL_OPERATOR_UNSPECIFIED
+ * EQUAL_TO
+ * NOT_EQUAL_TO
+ * GREATER_THAN
+ * LESS_THAN
+ * GREATER_THAN_OR_EQUALS
+ * LESS_THAN_OR_EQUALS
+ * EXISTS
+
+ * `new_val`: newValue Replace each input value with a given value.
+
+ * `integer_val`: An integer value.
+
+ * `float_val`: A float value.
+
+ * `string_val`: A string value.
+
+ * `boolean_val`: A boolean value.
+
+ * `timestamp_val`: A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".
+
+ * `time_val`: timeValue Represents a time of day.
+
+ * `hours`: Hours of day in 24 hour format. Should be from 0 to 23.
+
+ * `minutes`: Minutes of hour of day. Must be from 0 to 59.
+
+ * `seconds`: Seconds of minutes of the time. Must normally be from 0 to 59.
+
+ * `nanos`: Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
+
+ * `date_val`: dateValue Represents a whole or partial calendar date.
+
+ * `year`: Year of date. Must be from 1 to 9999, or 0 if specifying a date without a year.
+
+ * `month`: Month of year. Must be from 1 to 12, or 0 if specifying a year without a month and day.
+
+ * `day`: Day of month. Must be from 1 to 31 and valid for the year and month, or 0 if specifying a year by itself or a year and month where the day is not significant.
+
+ * `day_of_week_val`: dayOfWeekValue Represents a day of the week.
+ Possible values:
+ * MONDAY
+ * TUESDAY
+ * WEDNESDAY
+ * THURSDAY
+ * FRIDAY
+ * SATURDAY
+ * SUNDAY
+
+ * `image_tf`: ImageTransformations Treat the dataset as free-form text and apply the same free text transformation everywhere.
+
+ * `redaction_color`: Treat the dataset as free-form text and apply the same free text transformation everywhere.
+
+ * `red`: red color
+
+ * `green`: green color
+
+ * `blue`: blue color
+
+ * `selected_info_types`: Restricts what infoTypes to look for. The values must correspond to InfoType values returned by infoTypes.list or listed at https://cloud.google.com/dlp/docs/infotypes-reference. When no InfoTypes or CustomInfoTypes are specified in a request, the system may automatically choose what detectors to run. By default this may be all types, but may change over time as detectors are updated.
+
+ * `name`: Name of the information type. Either a name of your choosing when creating a CustomInfoType, or one of the names listed at https://cloud.google.com/dlp/docs/infotypes-reference when specifying a built-in type.
+
+ * `all_info_types`: Restricts what infoTypes to look for. The values must correspond to InfoType values returned by infoTypes.list or listed at https://cloud.google.com/dlp/docs/infotypes-reference. When no InfoTypes or CustomInfoTypes are specified in a request, the system may automatically choose what detectors to run. By default this may be all types, but may change over time as detectors are updated.
+
+ * `name`: Name of the information type. Either a name of your choosing when creating a CustomInfoType, or one of the names listed at https://cloud.google.com/dlp/docs/infotypes-reference when specifying a built-in type.
+
+ * `all_text`: Apply to all text.
+
+ * `red`: red color
+
+ * `green`: green color
+
+ * `blue`: blue color
+
+ * `deidentify_stats`: Specifies free-text based transformations to be applied to the dataset.
+
+ * `requested_options`: The Status type defines a logical error model that is suitable for different programming environments, including REST APIs and RPC APIs. It is used by gRPC. Each Status message contains three pieces of data: error code, error message, and error details.
+
+ * `code`: The status code, which should be an enum value of google.rpc.Code.
+
+ * `message`: A developer-facing error message, which should be in English. Any user-facing error message should be localized and sent in the google.rpc.Status.details field, or localized by the client.
+
+ * `details`: A list of messages that carry the error details. There is a common set of message types for APIs to use. An object containing fields of an arbitrary type. An additional field "type" contains a URI identifying the type. Example: { "id": 1234, "type": "types.example.com/standard/id" }.
+
+ * `type`: type of field
+
+ * `field1`: name of field
+
+ * `risk_details`: Result of a risk analysis operation request.
+
+ * `inspect_details`: Results from inspecting a data source.
+
+ * `parent`: The parent of the template in any of the following formats: * `projects/{{project}}` * `projects/{{project}}/locations/{{location}}` * `organizations/{{organization_id}}` * `organizations/{{organization_id}}/locations/{{location}}`
+
+
+## GCP permissions
diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_dlp_job_trigger.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_dlp_job_trigger.md
new file mode 100644
index 0000000..092736e
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_dlp_job_trigger.md
@@ -0,0 +1,149 @@
++++
+title = "google_dlp_job_trigger resource"
+
+draft = false
+
+
+[menu.gcp]
+title = "google_dlp_job_trigger"
+identifier = "inspec/resources/gcp/google_dlp_job_trigger resource"
+parent = "inspec/resources/gcp"
++++
+
+Use the `google_dlp_job_trigger` InSpec audit resource to to test a Google Cloud JobTrigger resource.
+
+## Examples
+
+```ruby
+describe google_dlp_job_trigger(parent: "projects/#{'chef-gcp-inspec'}/locations/#{'us-east-2'}",name: 'name1') do
+it { should exist }
+its('name') { should cmp 'name1' }
+its('display_name') { should cmp 'dp' }
+its('description') { should cmp 'description' }
+its('status') { should cmp 'HEALTHY' }
+end
+
+describe google_dlp_job_trigger(parent: 'chef-gcp-inspec', name: 'nonexistent') do
+it { should_not exist }
+end
+
+```
+
+## Properties
+
+Properties that can be accessed from the `google_dlp_job_trigger` resource:
+
+
+ * `name`: The resource name of the job trigger.Set by the server.
+
+ * `description`: A description of the job trigger.
+
+ * `display_name`: User set display name of the job trigger.
+
+ * `last_run_time`: The timestamp of the last time this trigger executed.
+
+ * `status`: Whether the trigger is currently active.
+ Possible values:
+ * PAUSED
+ * HEALTHY
+ * CANCELLED
+
+ * `triggers`: What event needs to occur for a new job to be started.
+
+ * `schedule`: Schedule for triggered jobs
+
+ * `recurrence_period_duration`: With this option a job is started a regular periodic basis. For example: every day (86400 seconds). A scheduled start time will be skipped if the previous execution has not ended when its scheduled time occurs. This value must be set to a time duration greater than or equal to 1 day and can be no longer than 60 days. A duration in seconds with up to nine fractional digits, terminated by 's'. Example: "3.5s".
+
+ * `inspect_job`: Controls what and how to inspect for findings.
+
+ * `inspect_template_name`: The name of the template to run when this job is triggered.
+
+ * `storage_config`: Information on where to inspect
+
+ * `timespan_config`: Information on where to inspect
+
+ * `start_time`: Exclude files or rows older than this value.
+
+ * `end_time`: Exclude files or rows newer than this value. If set to zero, no upper time limit is applied.
+
+ * `enable_auto_population_of_timespan_config`: When the job is started by a JobTrigger we will automatically figure out a valid startTime to avoid scanning files that have not been modified since the last time the JobTrigger executed. This will be based on the time of the execution of the last run of the JobTrigger.
+
+ * `timestamp_field`: Information on where to inspect
+
+ * `name`: Specification of the field containing the timestamp of scanned items. Used for data sources like Datastore and BigQuery. For BigQuery: Required to filter out rows based on the given start and end times. If not specified and the table was modified between the given start and end times, the entire table will be scanned. The valid data types of the timestamp field are: INTEGER, DATE, TIMESTAMP, or DATETIME BigQuery column. For Datastore. Valid data types of the timestamp field are: TIMESTAMP. Datastore entity will be scanned if the timestamp property does not exist or its value is empty or invalid.
+
+ * `datastore_options`: Options defining a data set within Google Cloud Datastore.
+
+ * `partition_id`: Datastore partition ID. A partition ID identifies a grouping of entities. The grouping is always by project and namespace, however the namespace ID may be empty.
+
+ * `project_id`: The ID of the project to which the entities belong.
+
+ * `namespace_id`: If not empty, the ID of the namespace to which the entities belong.
+
+ * `kind`: A representation of a Datastore kind.
+
+ * `name`: The name of the Datastore kind.
+
+ * `cloud_storage_options`: Options defining a file or a set of files within a Google Cloud Storage bucket.
+
+ * `file_set`: Set of files to scan.
+
+ * `url`: The Cloud Storage url of the file(s) to scan, in the format `gs:///`. Trailing wildcard in the path is allowed. If the url ends in a trailing slash, the bucket or directory represented by the url will be scanned non-recursively (content in sub-directories will not be scanned). This means that `gs://mybucket/` is equivalent to `gs://mybucket/*`, and `gs://mybucket/directory/` is equivalent to `gs://mybucket/directory/*`.
+
+ * `regex_file_set`: The regex-filtered set of files to scan.
+
+ * `bucket_name`: The name of a Cloud Storage bucket.
+
+ * `include_regex`: A list of regular expressions matching file paths to include. All files in the bucket that match at least one of these regular expressions will be included in the set of files, except for those that also match an item in excludeRegex. Leaving this field empty will match all files by default (this is equivalent to including .* in the list)
+
+ * `exclude_regex`: A list of regular expressions matching file paths to exclude. All files in the bucket that match at least one of these regular expressions will be excluded from the scan.
+
+ * `bytes_limit_per_file`: Max number of bytes to scan from a file. If a scanned file's size is bigger than this value then the rest of the bytes are omitted.
+
+ * `bytes_limit_per_file_percent`: Max percentage of bytes to scan from a file. The rest are omitted. The number of bytes scanned is rounded down. Must be between 0 and 100, inclusively. Both 0 and 100 means no limit.
+
+ * `files_limit_percent`: Limits the number of files to scan to this percentage of the input FileSet. Number of files scanned is rounded down. Must be between 0 and 100, inclusively. Both 0 and 100 means no limit.
+
+ * `file_types`: List of file type groups to include in the scan. If empty, all files are scanned and available data format processors are applied. In addition, the binary content of the selected files is always scanned as well. Images are scanned only as binary if the specified region does not support image inspection and no fileTypes were specified.
+
+ * `sample_method`: How to sample bytes if not all bytes are scanned. Meaningful only when used in conjunction with bytesLimitPerFile. If not specified, scanning would start from the top.
+ Possible values:
+ * TOP
+ * RANDOM_START
+
+ * `big_query_options`: Options defining BigQuery table and row identifiers.
+
+ * `table_reference`: Set of files to scan.
+
+ * `project_id`: The Google Cloud Platform project ID of the project containing the table.
+
+ * `dataset_id`: The dataset ID of the table.
+
+ * `table_id`: The name of the table.
+
+ * `actions`: A task to execute on the completion of a job.
+
+ * `save_findings`: Schedule for triggered jobs
+
+ * `output_config`: Information on where to store output
+
+ * `table`: Information on the location of the target BigQuery Table.
+
+ * `project_id`: The Google Cloud Platform project ID of the project containing the table.
+
+ * `dataset_id`: Dataset ID of the table.
+
+ * `table_id`: Name of the table. If is not set a new one will be generated for you with the following format: `dlp_googleapis_yyyy_mm_dd_[dlp_job_id]`. Pacific timezone will be used for generating the date details.
+
+ * `output_schema`: Schema used for writing the findings for Inspect jobs. This field is only used for Inspect and must be unspecified for Risk jobs. Columns are derived from the Finding object. If appending to an existing table, any columns from the predefined schema that are missing will be added. No columns in the existing table will be deleted. If unspecified, then all available columns will be used for a new table or an (existing) table with no schema, and no changes will be made to an existing table that has a schema. Only for use with external storage.
+ Possible values:
+ * BASIC_COLUMNS
+ * GCS_COLUMNS
+ * DATASTORE_COLUMNS
+ * BIG_QUERY_COLUMNS
+ * ALL_COLUMNS
+
+ * `parent`: The parent of the trigger, either in the format `projects/{{project}}` or `projects/{{project}}/locations/{{location}}`
+
+
+## GCP permissions
diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_dlp_job_triggers.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_dlp_job_triggers.md
new file mode 100644
index 0000000..4f2f1e7
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_dlp_job_triggers.md
@@ -0,0 +1,49 @@
++++
+title = "google_dlp_job_triggers resource"
+
+draft = false
+
+
+[menu.gcp]
+title = "google_dlp_job_triggers"
+identifier = "inspec/resources/gcp/google_dlp_job_triggers resource"
+parent = "inspec/resources/gcp"
++++
+
+Use the `google_dlp_job_triggers` InSpec audit resource to to test a Google Cloud JobTrigger resource.
+
+## Examples
+
+```ruby
+
+describe google_dlp_job_triggers(parent: "projects/#{'chef-gcp-inspec'}/locations/#{'us-east-2'}") do
+it { should exist }
+its('names') { should include 'name1' }
+its('display_name') { should include 'dp' }
+its('descriptions') { should include 'description' }
+its('status') { should include 'HEALTHY' }
+end
+
+```
+
+## Properties
+
+Properties that can be accessed from the `google_dlp_job_triggers` resource:
+
+See [google_dlp_job_trigger](google_dlp_job_trigger) for more detailed information.
+
+ * `names`: an array of `google_dlp_job_trigger` name
+ * `descriptions`: an array of `google_dlp_job_trigger` description
+ * `display_names`: an array of `google_dlp_job_trigger` display_name
+ * `last_run_times`: an array of `google_dlp_job_trigger` last_run_time
+ * `statuses`: an array of `google_dlp_job_trigger` status
+ * `triggers`: an array of `google_dlp_job_trigger` triggers
+ * `inspect_jobs`: an array of `google_dlp_job_trigger` inspect_job
+ * `parents`: an array of `google_dlp_job_trigger` parent
+
+## Filter criteria
+
+This resource supports all of the above properties as filter criteria, which can be used
+with `where` as a block or a method.
+
+## GCP permissions
diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_dlp_jobs.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_dlp_jobs.md
new file mode 100644
index 0000000..c8a1dc1
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_dlp_jobs.md
@@ -0,0 +1,52 @@
++++
+title = "google_dlp_jobs resource"
+
+draft = false
+
+
+[menu.gcp]
+title = "google_dlp_jobs"
+identifier = "inspec/resources/gcp/google_dlp_jobs resource"
+parent = "inspec/resources/gcp"
++++
+
+Use the `google_dlp_jobs` InSpec audit resource to to test a Google Cloud Job resource.
+
+## Examples
+
+```ruby
+
+describe google_dlp_jobs(parent: "projects/#{'chef-gcp-inspec'}/locations/#{'us-east-2'}") do
+ it { should exist }
+ its('names') { should include 'i-inspec-gcp-dlp' }
+ its('types') { should include 'INSPECT_JOB' }
+ its('states') { should include 'ACTIVE' }
+end
+
+```
+
+## Properties
+
+Properties that can be accessed from the `google_dlp_jobs` resource:
+
+See [google_dlp_job](google_dlp_job) for more detailed information.
+
+ * `names`: an array of `google_dlp_job` name
+ * `types`: an array of `google_dlp_job` type
+ * `states`: an array of `google_dlp_job` state
+ * `create_times`: an array of `google_dlp_job` create_time
+ * `start_times`: an array of `google_dlp_job` start_time
+ * `end_times`: an array of `google_dlp_job` end_time
+ * `job_trigger_names`: an array of `google_dlp_job` job_trigger_name
+ * `errors`: an array of `google_dlp_job` errors
+ * `act_dets`: an array of `google_dlp_job` act_det
+ * `risk_details`: an array of `google_dlp_job` risk_details
+ * `inspect_details`: an array of `google_dlp_job` inspect_details
+ * `parents`: an array of `google_dlp_job` parent
+
+## Filter criteria
+
+This resource supports all of the above properties as filter criteria, which can be used
+with `where` as a block or a method.
+
+## GCP permissions
diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_dlp_stored_info_type.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_dlp_stored_info_type.md
new file mode 100644
index 0000000..a56401e
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_dlp_stored_info_type.md
@@ -0,0 +1,85 @@
++++
+title = "google_dlp_stored_info_type resource"
+
+draft = false
+
+
+[menu.gcp]
+title = "google_dlp_stored_info_type"
+identifier = "inspec/resources/gcp/google_dlp_stored_info_type resource"
+parent = "inspec/resources/gcp"
++++
+
+Use the `google_dlp_stored_info_type` InSpec audit resource to to test a Google Cloud StoredInfoType resource.
+
+## Examples
+
+```ruby
+describe google_dlp_stored_info_type(parent: "projects/#{'chef-gcp-inspec'}/locations/#{'us-east-2'}",name: '') do
+it { should exist }
+its('name') { should cmp 'i-inspec-gcp-dlp' }
+its('type') { should cmp 'INSPECT_JOB' }
+its('state') { should cmp 'ACTIVE' }
+end
+
+describe google_dlp_stored_info_type(parent: "projects/#{'chef-gcp-inspec'}/locations/#{'us-east-2'}", name: 'nonexistent') do
+it { should_not exist }
+end
+
+```
+
+## Properties
+
+Properties that can be accessed from the `google_dlp_stored_info_type` resource:
+
+
+ * `name`: The resource name of the info type. Set by the server.
+
+ * `description`: A description of the info type.
+
+ * `display_name`: User set display name of the info type.
+
+ * `regex`: Regular expression which defines the rule.
+
+ * `pattern`: Pattern defining the regular expression. Its syntax (https://github.com/google/re2/wiki/Syntax) can be found under the google/re2 repository on GitHub.
+
+ * `group_indexes`: The index of the submatch to extract as findings. When not specified, the entire match is returned. No more than 3 may be included.
+
+ * `dictionary`: Dictionary which defines the rule.
+
+ * `word_list`: List of words or phrases to search for.
+
+ * `words`: Words or phrases defining the dictionary. The dictionary must contain at least one phrase and every phrase must contain at least 2 characters that are letters or digits.
+
+ * `cloud_storage_path`: Newline-delimited file of words in Cloud Storage. Only a single file is accepted.
+
+ * `path`: A url representing a file or path (no wildcards) in Cloud Storage. Example: `gs://[BUCKET_NAME]/dictionary.txt`
+
+ * `large_custom_dictionary`: Dictionary which defines the rule.
+
+ * `output_path`: Location to store dictionary artifacts in Google Cloud Storage. These files will only be accessible by project owners and the DLP API. If any of these artifacts are modified, the dictionary is considered invalid and can no longer be used.
+
+ * `path`: A url representing a file or path (no wildcards) in Cloud Storage. Example: `gs://[BUCKET_NAME]/dictionary.txt`
+
+ * `cloud_storage_file_set`: Set of files containing newline-delimited lists of dictionary phrases.
+
+ * `url`: The url, in the format `gs:///`. Trailing wildcard in the path is allowed.
+
+ * `big_query_field`: Field in a BigQuery table where each cell represents a dictionary phrase.
+
+ * `table`: Field in a BigQuery table where each cell represents a dictionary phrase.
+
+ * `project_id`: The Google Cloud Platform project ID of the project containing the table.
+
+ * `dataset_id`: The dataset ID of the table.
+
+ * `table_id`: The name of the table.
+
+ * `field`: Designated field in the BigQuery table.
+
+ * `name`: Name describing the field.
+
+ * `parent`: The parent of the info type in any of the following formats: * `projects/{{project}}` * `projects/{{project}}/locations/{{location}}` * `organizations/{{organization_id}}` * `organizations/{{organization_id}}/locations/{{location}}`
+
+
+## GCP permissions
diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_dlp_stored_info_types.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_dlp_stored_info_types.md
new file mode 100644
index 0000000..0c75d49
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_dlp_stored_info_types.md
@@ -0,0 +1,45 @@
++++
+title = "google_dlp_stored_info_types resource"
+
+draft = false
+
+
+[menu.gcp]
+title = "google_dlp_stored_info_types"
+identifier = "inspec/resources/gcp/google_dlp_stored_info_types resource"
+parent = "inspec/resources/gcp"
++++
+
+Use the `google_dlp_stored_info_types` InSpec audit resource to to test a Google Cloud StoredInfoType resource.
+
+## Examples
+
+```ruby
+
+describe google_dlp_stored_info_types(parent: "projects/#{'chef-gcp-inspec'}/locations/#{'us-east-2'}") do
+it { should exist }
+its('names') { should include 'i-inspec-gcp-dlp' }
+end
+
+```
+
+## Properties
+
+Properties that can be accessed from the `google_dlp_stored_info_types` resource:
+
+See [google_dlp_stored_info_type](google_dlp_stored_info_type) for more detailed information.
+
+ * `names`: an array of `google_dlp_stored_info_type` name
+ * `descriptions`: an array of `google_dlp_stored_info_type` description
+ * `display_names`: an array of `google_dlp_stored_info_type` display_name
+ * `regexes`: an array of `google_dlp_stored_info_type` regex
+ * `dictionaries`: an array of `google_dlp_stored_info_type` dictionary
+ * `large_custom_dictionaries`: an array of `google_dlp_stored_info_type` large_custom_dictionary
+ * `parents`: an array of `google_dlp_stored_info_type` parent
+
+## Filter criteria
+
+This resource supports all of the above properties as filter criteria, which can be used
+with `where` as a block or a method.
+
+## GCP permissions
diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_dns_managed_zone.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_dns_managed_zone.md
new file mode 100644
index 0000000..280db72
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_dns_managed_zone.md
@@ -0,0 +1,150 @@
++++
+title = "google_dns_managed_zone resource"
+
+draft = false
+
+
+[menu.gcp]
+title = "google_dns_managed_zone"
+identifier = "inspec/resources/gcp/google_dns_managed_zone resource"
+parent = "inspec/resources/gcp"
++++
+
+## Syntax
+
+A `google_dns_managed_zone` is used to test a Google ManagedZone resource
+
+
+## Beta Resource
+This resource has beta fields available. To retrieve these fields, include `beta: true` in the constructor for the resource.
+
+## Examples
+
+```ruby
+describe google_dns_managed_zone(project: 'chef-gcp-inspec', zone: 'example-zone') do
+ it { should exist }
+ its('dns_name') { should cmp 'dns-zone-name.com.' }
+
+ its('description') { should cmp 'example description' }
+ its('zone_signing_key_algorithm') { should cmp 'rsasha256' }
+ its('key_signing_key_algorithm') { should cmp 'rsasha512' }
+end
+
+describe google_dns_managed_zone(project: 'chef-gcp-inspec', zone: 'nonexistent') do
+ it { should_not exist }
+end
+```
+
+### Test that a GCP compute zone exists
+
+ describe google_dns_managed_zone(project: 'chef-inspec-gcp', zone: 'zone-name') do
+ it { should exist }
+ end
+
+### Test that a GCP DNS managed zone has the expected DNS name
+
+ describe google_dns_managed_zone(project: 'chef-inspec-gcp', zone: 'zone-name') do
+ its('dns_name') { should match 'mydomain.com' }
+ end
+
+### Test that a GCP DNS managed zone has expected name server
+
+ describe google_dns_managed_zone(project: 'chef-inspec-gcp', zone: 'zone-name') do
+ its('name_servers') { should include 'ns-cloud-d1.googledomains.com.' }
+ end
+
+## Properties
+
+Properties that can be accessed from the `google_dns_managed_zone` resource:
+
+
+ * `description`: A mutable string of at most 1024 characters associated with this resource for the user's convenience. Has no effect on the managed zone's function.
+
+ * `dns_name`: The DNS name of this managed zone, for instance "example.com.".
+
+ * `dnssec_config`: DNSSEC configuration
+
+ * `kind`: Identifies what kind of resource this is
+
+ * `non_existence`: Specifies the mechanism used to provide authenticated denial-of-existence responses. non_existence can only be updated when the state is `off`.
+ Possible values:
+ * nsec
+ * nsec3
+
+ * `state`: Specifies whether DNSSEC is enabled, and what mode it is in
+ Possible values:
+ * off
+ * on
+ * transfer
+
+ * `default_key_specs`: Specifies parameters that will be used for generating initial DnsKeys for this ManagedZone. If you provide a spec for keySigning or zoneSigning, you must also provide one for the other. default_key_specs can only be updated when the state is `off`.
+
+ * `algorithm`: String mnemonic specifying the DNSSEC algorithm of this key
+ Possible values:
+ * ecdsap256sha256
+ * ecdsap384sha384
+ * rsasha1
+ * rsasha256
+ * rsasha512
+
+ * `key_length`: Length of the keys in bits
+
+ * `key_type`: Specifies whether this is a key signing key (KSK) or a zone signing key (ZSK). Key signing keys have the Secure Entry Point flag set and, when active, will only be used to sign resource record sets of type DNSKEY. Zone signing keys do not have the Secure Entry Point flag set and will be used to sign all other types of resource record sets.
+ Possible values:
+ * keySigning
+ * zoneSigning
+
+ * `kind`: Identifies what kind of resource this is
+
+ * `id`: Unique identifier for the resource; defined by the server.
+
+ * `name`: User assigned name for this resource. Must be unique within the project.
+
+ * `name_servers`: Delegate your managed_zone to these virtual name servers; defined by the server
+
+ * `name_server_set`: Optionally specifies the NameServerSet for this ManagedZone. A NameServerSet is a set of DNS name servers that all host the same ManagedZones. Most users will leave this field unset.
+
+ * `creation_time`: The time that this resource was created on the server. This is in RFC3339 text format.
+
+ * `labels`: A set of key/value label pairs to assign to this ManagedZone.
+
+ * `visibility`: The zone's visibility: public zones are exposed to the Internet, while private zones are visible only to Virtual Private Cloud resources.
+ Possible values:
+ * private
+ * public
+
+ * `private_visibility_config`: For privately visible zones, the set of Virtual Private Cloud resources that the zone is visible from.
+
+ * `networks`: The list of VPC networks that can see this zone.
+
+ * `network_url`: The fully qualified URL of the VPC network to bind to. This should be formatted like `https://www.googleapis.com/compute/v1/projects/{project}/global/networks/{network}`
+
+ * `forwarding_config`: The presence for this field indicates that outbound forwarding is enabled for this zone. The value of this field contains the set of destinations to forward to.
+
+ * `target_name_servers`: List of target name servers to forward to. Cloud DNS will select the best available name server if more than one target is given.
+
+ * `ipv4_address`: IPv4 address of a target name server.
+
+ * `forwarding_path`: Forwarding path for this TargetNameServer. If unset or `default` Cloud DNS will make forwarding decision based on address ranges, i.e. RFC1918 addresses go to the VPC, Non-RFC1918 addresses go to the Internet. When set to `private`, Cloud DNS will always send queries through VPC for this target
+ Possible values:
+ * default
+ * private
+
+ * `peering_config`: The presence of this field indicates that DNS Peering is enabled for this zone. The value of this field contains the network to peer with.
+
+ * `target_network`: The network with which to peer.
+
+ * `network_url`: The fully qualified URL of the VPC network to forward queries to. This should be formatted like `https://www.googleapis.com/compute/v1/projects/{project}/global/networks/{network}`
+
+ * `reverse_lookup`: (Beta only) Specifies if this is a managed reverse lookup zone. If true, Cloud DNS will resolve reverse lookup queries using automatically configured records for VPC resources. This only applies to networks listed under `private_visibility_config`.
+
+ * `service_directory_config`: (Beta only) The presence of this field indicates that this zone is backed by Service Directory. The value of this field contains information related to the namespace associated with the zone.
+
+ * `namespace`: The namespace associated with the zone.
+
+ * `namespace_url`: The fully qualified URL of the service directory namespace that should be associated with the zone. Ignored for `public` visibility zones.
+
+
+## GCP permissions
+
+Ensure the [Google Cloud DNS API](https://console.cloud.google.com/apis/library/dns.googleapis.com/) is enabled for the current project.
diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_dns_managed_zones.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_dns_managed_zones.md
new file mode 100644
index 0000000..771935b
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_dns_managed_zones.md
@@ -0,0 +1,80 @@
++++
+title = "google_dns_managed_zones resource"
+
+draft = false
+
+
+[menu.gcp]
+title = "google_dns_managed_zones"
+identifier = "inspec/resources/gcp/google_dns_managed_zones resource"
+parent = "inspec/resources/gcp"
++++
+
+## Syntax
+
+A `google_dns_managed_zones` is used to test a Google ManagedZone resource
+
+
+## Beta Resource
+This resource has beta fields available. To retrieve these fields, include `beta: true` in the constructor for the resource.
+
+## Examples
+
+```ruby
+describe google_dns_managed_zones(project: 'chef-gcp-inspec') do
+ it { should exist }
+ its('zone_names') { should include 'example-zone' }
+ its('zone_dns_names') { should include 'dns-zone-name.com.' }
+end
+```
+
+### Test that there are no more than a specified number of zones available for the project
+
+ describe google_dns_managed_zones(project: 'chef-inspec-gcp') do
+ its('count') { should be <= 100}
+ end
+
+### Test that an expected, named managed zone is available for the project
+
+ describe google_dns_managed_zones(project: 'chef-inspec-gcp') do
+ its('zone_names') { should include "zone-name" }
+ end
+
+### Test that a subset of all zones matching "myzone*" exist
+
+ google_dns_managed_zones(project: 'chef-inspec-gcp').where(zone_name: /^myzone/).zone_names.each do |zone_name|
+ describe google_dns_managed_zone(project: 'chef-inspec-gcp', zone: zone_name) do
+ it { should exist }
+ end
+ end
+
+## Properties
+
+Properties that can be accessed from the `google_dns_managed_zones` resource:
+
+See [google_dns_managed_zone](google_dns_managed_zone) for more detailed information.
+
+ * `descriptions`: an array of `google_dns_managed_zone` description
+ * `zone_dns_names`: an array of `google_dns_managed_zone` dns_name
+ * `dnssec_configs`: an array of `google_dns_managed_zone` dnssec_config
+ * `zone_ids`: an array of `google_dns_managed_zone` id
+ * `zone_names`: an array of `google_dns_managed_zone` name
+ * `name_servers`: an array of `google_dns_managed_zone` name_servers
+ * `name_server_sets`: an array of `google_dns_managed_zone` name_server_set
+ * `creation_times`: an array of `google_dns_managed_zone` creation_time
+ * `labels`: an array of `google_dns_managed_zone` labels
+ * `visibilities`: an array of `google_dns_managed_zone` visibility
+ * `private_visibility_configs`: an array of `google_dns_managed_zone` private_visibility_config
+ * `forwarding_configs`: an array of `google_dns_managed_zone` forwarding_config
+ * `peering_configs`: an array of `google_dns_managed_zone` peering_config
+ * `reverse_lookups`: (Beta only) an array of `google_dns_managed_zone` reverse_lookup
+ * `service_directory_configs`: (Beta only) an array of `google_dns_managed_zone` service_directory_config
+
+## Filter criteria
+
+This resource supports all of the above properties as filter criteria, which can be used
+with `where` as a block or a method.
+
+## GCP permissions
+
+Ensure the [Google Cloud DNS API](https://console.cloud.google.com/apis/library/dns.googleapis.com/) is enabled for the current project.
diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_dns_resource_record_set.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_dns_resource_record_set.md
new file mode 100644
index 0000000..f4bf1b4
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_dns_resource_record_set.md
@@ -0,0 +1,65 @@
++++
+title = "google_dns_resource_record_set resource"
+
+draft = false
+
+
+[menu.gcp]
+title = "google_dns_resource_record_set"
+identifier = "inspec/resources/gcp/google_dns_resource_record_set resource"
+parent = "inspec/resources/gcp"
++++
+
+## Syntax
+
+A `google_dns_resource_record_set` is used to test a Google ResourceRecordSet resource
+
+
+## Beta Resource
+This resource has beta fields available. To retrieve these fields, include `beta: true` in the constructor for the resource.
+
+## Examples
+
+```ruby
+describe google_dns_resource_record_set(project: 'chef-gcp-inspec', name: 'backend.my.domain.com.', type: 'A', managed_zone: 'inspec-gcp-managed-zone') do
+ it { should exist }
+ its('type') { should eq 'A' }
+ its('ttl') { should eq '300' }
+ its('target') { should include '8.8.8.8' }
+ its('target') { should include '8.8.4.4' }
+end
+```
+
+## Properties
+
+Properties that can be accessed from the `google_dns_resource_record_set` resource:
+
+
+ * `name`: For example, www.example.com.
+
+ * `type`: One of valid DNS resource types.
+ Possible values:
+ * A
+ * AAAA
+ * CAA
+ * CNAME
+ * MX
+ * NAPTR
+ * NS
+ * PTR
+ * SOA
+ * SPF
+ * SRV
+ * TLSA
+ * TXT
+
+ * `ttl`: Number of seconds that this ResourceRecordSet can be cached by resolvers.
+
+ * `target`: As defined in RFC 1035 (section 5) and RFC 1034 (section 3.6.1)
+
+ * `managed_zone`: Identifies the managed zone addressed by this request.
+
+
+## GCP permissions
+
+Ensure the [Google Cloud DNS API](https://console.cloud.google.com/apis/library/dns.googleapis.com/) is enabled for the current project.
diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_dns_resource_record_sets.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_dns_resource_record_sets.md
new file mode 100644
index 0000000..00465f7
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_dns_resource_record_sets.md
@@ -0,0 +1,52 @@
++++
+title = "google_dns_resource_record_sets resource"
+
+draft = false
+
+
+[menu.gcp]
+title = "google_dns_resource_record_sets"
+identifier = "inspec/resources/gcp/google_dns_resource_record_sets resource"
+parent = "inspec/resources/gcp"
++++
+
+## Syntax
+
+A `google_dns_resource_record_sets` is used to test a Google ResourceRecordSet resource
+
+
+## Beta Resource
+This resource has beta fields available. To retrieve these fields, include `beta: true` in the constructor for the resource.
+
+## Examples
+
+```ruby
+describe google_dns_resource_record_sets(project: 'chef-gcp-inspec', name: 'backend.my.domain.com.', managed_zone: 'inspec-gcp-managed-zone') do
+ its('count') { should eq 3 }
+ its('types') { should include 'A' }
+ its('ttls') { should include '300' }
+ its('targets.flatten') { should include '8.8.8.8' }
+ its('targets.flatten') { should include '8.8.4.4' }
+end
+```
+
+## Properties
+
+Properties that can be accessed from the `google_dns_resource_record_sets` resource:
+
+See [google_dns_resource_record_set](google_dns_resource_record_set) for more detailed information.
+
+ * `names`: an array of `google_dns_resource_record_set` name
+ * `types`: an array of `google_dns_resource_record_set` type
+ * `ttls`: an array of `google_dns_resource_record_set` ttl
+ * `targets`: an array of `google_dns_resource_record_set` target
+ * `managed_zones`: an array of `google_dns_resource_record_set` managed_zone
+
+## Filter criteria
+
+This resource supports all of the above properties as filter criteria, which can be used
+with `where` as a block or a method.
+
+## GCP permissions
+
+Ensure the [Google Cloud DNS API](https://console.cloud.google.com/apis/library/dns.googleapis.com/) is enabled for the current project.
diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_filestore_instance.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_filestore_instance.md
new file mode 100644
index 0000000..c131ec4
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_filestore_instance.md
@@ -0,0 +1,101 @@ ++++ +title = "google_filestore_instance resource" + +draft = false + + +[menu.gcp] +title = "google_filestore_instance" +identifier = "inspec/resources/gcp/google_filestore_instance resource" +parent = "inspec/resources/gcp" ++++ + +## Syntax + +A `google_filestore_instance` is used to test a Google Instance resource + + +## Beta Resource +This resource has beta fields available. To retrieve these fields, include `beta: true` in the constructor for the resource. + +## Examples + +```ruby +describe google_filestore_instance(project: 'chef-gcp-inspec', zone: 'us-central1-b', name: 'inspecgcp') do + it { should exist } + its('tier') { should cmp 'PREMIUM' } + its('file_shares.count') { should cmp 1 } + its('file_shares.first.capacity_gb') { should cmp '2660' } + its('file_shares.first.name') { should cmp 'inspecgcp' } + its('networks.count') { should cmp 1 } + its('networks.first.network') { should cmp 'default' } + its('networks.first.modes') { should include 'MODE_IPV4' } +end + +describe google_filestore_instance(project: 'chef-gcp-inspec', zone: 'us-central1-b', name: 'nonexistent') do + it { should_not exist } +end +``` + +## Properties + +Properties that can be accessed from the `google_filestore_instance` resource: + + + * `name`: The resource name of the instance. + + * `description`: A description of the instance. + + * `create_time`: Creation timestamp in RFC3339 text format. + + * `tier`: The service tier of the instance. + Possible values: + * TIER_UNSPECIFIED + * STANDARD + * PREMIUM + * BASIC_HDD + * BASIC_SSD + * HIGH_SCALE_SSD + + * `labels`: Resource labels to represent user-provided metadata. + + * `file_shares`: File system shares on the instance. For this version, only a single file share is supported. + + * `name`: The name of the fileshare (16 characters or less) + + * `capacity_gb`: File share capacity in GiB. This must be at least 1024 GiB for the standard tier, or 2560 GiB for the premium tier. 
+ + * `nfs_export_options`: (Beta only) Nfs Export Options. There is a limit of 10 export options per file share. + + * `ip_ranges`: List of either IPv4 addresses, or ranges in CIDR notation which may mount the file share. Overlapping IP ranges are not allowed, both within and across NfsExportOptions. An error will be returned. The limit is 64 IP ranges/addresses for each FileShareConfig among all NfsExportOptions. + + * `access_mode`: Either READ_ONLY, for allowing only read requests on the exported directory, or READ_WRITE, for allowing both read and write requests. The default is READ_WRITE. + Possible values: + * READ_ONLY + * READ_WRITE + + * `squash_mode`: Either NO_ROOT_SQUASH, for allowing root access on the exported directory, or ROOT_SQUASH, for not allowing root access. The default is NO_ROOT_SQUASH. + Possible values: + * NO_ROOT_SQUASH + * ROOT_SQUASH + + * `anon_uid`: An integer representing the anonymous user id with a default value of 65534. Anon_uid may only be set with squashMode of ROOT_SQUASH. An error will be returned if this field is specified for other squashMode settings. + + * `anon_gid`: An integer representing the anonymous group id with a default value of 65534. Anon_gid may only be set with squashMode of ROOT_SQUASH. An error will be returned if this field is specified for other squashMode settings. + + * `networks`: VPC networks to which the instance is connected. For this version, only a single network is supported. + + * `network`: The name of the GCE VPC network to which the instance is connected. + + * `modes`: IP versions for which the instance has IP addresses assigned. + + * `reserved_ip_range`: A /29 CIDR block that identifies the range of IP addresses reserved for this instance. + + * `ip_addresses`: A list of IPv4 or IPv6 addresses. + + * `etag`: Server-specified ETag for the instance resource to prevent simultaneous updates from overwriting each other. + + * `zone`: The name of the Filestore zone of the instance. 
+ + +## GCP permissions diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_filestore_instances.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_filestore_instances.md new file mode 100644 index 0000000..8700736 --- /dev/null +++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_filestore_instances.md @@ -0,0 +1,50 @@ ++++ +title = "google_filestore_instances resource" + +draft = false + + +[menu.gcp] +title = "google_filestore_instances" +identifier = "inspec/resources/gcp/google_filestore_instances resource" +parent = "inspec/resources/gcp" ++++ + +## Syntax + +A `google_filestore_instances` is used to test a Google Instance resource + + +## Beta Resource +This resource has beta fields available. To retrieve these fields, include `beta: true` in the constructor for the resource. + +## Examples + +```ruby +describe google_filestore_instances(project: 'chef-gcp-inspec', zone: 'us-central1-b') do + its('tiers') { should include 'PREMIUM' } +end +``` + +## Properties + +Properties that can be accessed from the `google_filestore_instances` resource: + +See [google_filestore_instance](google_filestore_instance) for more detailed information. + + * `names`: an array of `google_filestore_instance` name + * `descriptions`: an array of `google_filestore_instance` description + * `create_times`: an array of `google_filestore_instance` create_time + * `tiers`: an array of `google_filestore_instance` tier + * `labels`: an array of `google_filestore_instance` labels + * `file_shares`: an array of `google_filestore_instance` file_shares + * `networks`: an array of `google_filestore_instance` networks + * `etags`: an array of `google_filestore_instance` etag + * `zones`: an array of `google_filestore_instance` zone + +## Filter criteria + +This resource supports all of the above properties as filter criteria, which can be used +with `where` as a block or a method. + +## GCP permissions 
diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_iam_custom_role.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_iam_custom_role.md new file mode 100644 index 0000000..6a75d5b --- /dev/null +++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_iam_custom_role.md @@ -0,0 +1,49 @@ ++++ +title = "google_iam_custom_role resource" + +draft = false + + +[menu.gcp] +title = "google_iam_custom_role" +identifier = "inspec/resources/gcp/google_iam_custom_role resource" +parent = "inspec/resources/gcp" ++++ + +Use the `google_iam_custom_role` InSpec audit resource to to test a Google Cloud CustomRole resource. + +## Examples + +```ruby +describe google_iam_custom_role(project: 'chef-gcp-inspec', name: 'admin-role') do + it { should exist } + its('stage') { should eq 'GA' } + its('included_permissions') { should eq ["iam.roles.list"] } +end + +describe google_iam_custom_role(project: 'chef-gcp-inspec', name: 'nonexistent') do + it { should_not exist } +end +``` + +## Properties + +Properties that can be accessed from the `google_iam_custom_role` resource: + + + * `name`: The name of the role. + + * `title`: A human-readable title for the role. Typically this is limited to 100 UTF-8 bytes. + + * `description`: Human-readable description for the role + + * `included_permissions`: Names of permissions this role grants when bound in an IAM policy. + + * `stage`: The current launch stage of the role. + + * `deleted`: The current deleted state of the role + + +## GCP permissions + +Ensure the [Identity and Access Management (IAM) API](https://console.cloud.google.com/apis/library/iam.googleapis.com/) is enabled for the current project. diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_iam_custom_roles.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_iam_custom_roles.md new file mode 100644 index 0000000..75f9137 --- /dev/null 
+++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_iam_custom_roles.md @@ -0,0 +1,43 @@ ++++ +title = "google_iam_custom_roles resource" + +draft = false + + +[menu.gcp] +title = "google_iam_custom_roles" +identifier = "inspec/resources/gcp/google_iam_custom_roles resource" +parent = "inspec/resources/gcp" ++++ + +Use the `google_iam_custom_roles` InSpec audit resource to to test a Google Cloud CustomRole resource. + +## Examples + +```ruby +describe google_iam_custom_roles(project: 'chef-gcp-inspec') do + its('names') { should include "projects/project-id/roles/role-id" } +end +``` + +## Properties + +Properties that can be accessed from the `google_iam_custom_roles` resource: + +See [google_iam_custom_role](google_iam_custom_role) for more detailed information. + + * `names`: an array of `google_iam_custom_role` name + * `titles`: an array of `google_iam_custom_role` title + * `descriptions`: an array of `google_iam_custom_role` description + * `included_permissions`: an array of `google_iam_custom_role` included_permissions + * `stages`: an array of `google_iam_custom_role` stage + * `deleteds`: an array of `google_iam_custom_role` deleted + +## Filter criteria + +This resource supports all of the above properties as filter criteria, which can be used +with `where` as a block or a method. + +## GCP permissions + +Ensure the [Identity and Access Management (IAM) API](https://console.cloud.google.com/apis/library/iam.googleapis.com/) is enabled for the current project. diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_iam_organization_custom_role.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_iam_organization_custom_role.md new file mode 100644 index 0000000..580331b --- /dev/null +++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_iam_organization_custom_role.md 
@@ -0,0 +1,56 @@ ++++ +title = "google_iam_organization_custom_role resource" + +draft = false + + +[menu.gcp] +title = "google_iam_organization_custom_role" +identifier = "inspec/resources/gcp/google_iam_organization_custom_role resource" +parent = "inspec/resources/gcp" ++++ + +Use the `google_iam_organization_custom_role` InSpec audit resource to to test a Google Cloud OrganizationCustomRole resource. + +## Examples + +```ruby +describe google_iam_organization_custom_role(org_id: '12345', name: 'org-role') do + it { should exist } + its('stage') { should eq 'GA' } + its('included_permissions') { should eq ["iam.roles.list"] } +end + +describe google_iam_organization_custom_role(org_id: '12345', name: 'org-role', name: 'nonexistent') do + it { should_not exist } +end +``` + +## Properties + +Properties that can be accessed from the `google_iam_organization_custom_role` resource: + + + * `name`: The name of the role. + + * `title`: A human-readable title for the role. Typically this is limited to 100 UTF-8 bytes. + + * `description`: Human-readable description for the role + + * `included_permissions`: Names of permissions this role grants when bound in an IAM policy. + + * `stage`: The current launch stage of the role. + Possible values: + * ALPHA + * BETA + * GA + * DEPRECATED + * DISABLED + * EAP + + * `deleted`: The current deleted state of the role + + +## GCP permissions + +Ensure the [Identity and Access Management (IAM) API](https://console.cloud.google.com/apis/library/iam.googleapis.com/) is enabled for the current project. diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_iam_organization_custom_roles.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_iam_organization_custom_roles.md new file mode 100644 index 0000000..9fda09f --- /dev/null +++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_iam_organization_custom_roles.md 
@@ -0,0 +1,43 @@ ++++ +title = "google_iam_organization_custom_roles resource" + +draft = false + + +[menu.gcp] +title = "google_iam_organization_custom_roles" +identifier = "inspec/resources/gcp/google_iam_organization_custom_roles resource" +parent = "inspec/resources/gcp" ++++ + +Use the `google_iam_organization_custom_roles` InSpec audit resource to to test a Google Cloud OrganizationCustomRole resource. + +## Examples + +```ruby +describe google_iam_organization_custom_roles(org_id: '190694428152') do + its('names') { should include "organizations/123456/roles/role-id" } +end +``` + +## Properties + +Properties that can be accessed from the `google_iam_organization_custom_roles` resource: + +See [google_iam_organization_custom_role](google_iam_organization_custom_role) for more detailed information. + + * `names`: an array of `google_iam_organization_custom_role` name + * `titles`: an array of `google_iam_organization_custom_role` title + * `descriptions`: an array of `google_iam_organization_custom_role` description + * `included_permissions`: an array of `google_iam_organization_custom_role` included_permissions + * `stages`: an array of `google_iam_organization_custom_role` stage + * `deleteds`: an array of `google_iam_organization_custom_role` deleted + +## Filter criteria + +This resource supports all of the above properties as filter criteria, which can be used +with `where` as a block or a method. + +## GCP permissions + +Ensure the [Identity and Access Management (IAM) API](https://console.cloud.google.com/apis/library/iam.googleapis.com/) is enabled for the current project. diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_iam_service_account.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_iam_service_account.md new file mode 100644 index 0000000..fe8a628 --- /dev/null +++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_iam_service_account.md 
@@ -0,0 +1,48 @@ ++++ +title = "google_iam_service_account resource" + +draft = false + + +[menu.gcp] +title = "google_iam_service_account" +identifier = "inspec/resources/gcp/google_iam_service_account resource" +parent = "inspec/resources/gcp" ++++ + +Use the `google_iam_service_account` InSpec audit resource to to test a Google Cloud ServiceAccount resource. + +## Examples + +```ruby +describe google_service_account(project: 'chef-gcp-inspec', name: "display-name@project-id.iam.gserviceaccount.com") do + it { should exist } + its('display_name') { should cmp '' } +end + +describe google_service_account(project: 'chef-gcp-inspec', name: "nonexistent@project-id.iam.gserviceaccount.com") do + it { should_not exist } +end +``` + +## Properties + +Properties that can be accessed from the `google_service_account` resource: + + + * `name`: The name of the service account. + + * `project_id`: Id of the project that owns the service account. + + * `unique_id`: Unique and stable id of the service account + + * `email`: Email address of the service account. + + * `display_name`: User specified description of service account. + + * `oauth2_client_id`: OAuth2 client id for the service account. + + +## GCP permissions + +Ensure the [Identity and Access Management (IAM) API](https://console.cloud.google.com/apis/library/iam.googleapis.com/) is enabled for the current project. diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_iam_service_account_key.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_iam_service_account_key.md new file mode 100644 index 0000000..d274b80 --- /dev/null +++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_iam_service_account_key.md 
@@ -0,0 +1,51 @@ ++++ +title = "google_iam_service_account_key resource" + +draft = false + + +[menu.gcp] +title = "google_iam_service_account_key" +identifier = "inspec/resources/gcp/google_iam_service_account_key resource" +parent = "inspec/resources/gcp" ++++ + +Use the `google_iam_service_account_key` InSpec audit resource to to test a Google Cloud ServiceAccountKey resource. + +## Examples + +```ruby +google_iam_service_account_keys(project: 'chef-gcp-inspec', service_account: "display-name@project-id.iam.gserviceaccount.com").key_names.each do |sa_key_name| + describe +end +``` + +## Properties + +Properties that can be accessed from the `google_iam_service_account_key` resource: + + + * `name`: The name of the key. + + * `private_key_type`: Output format for the service account key. + + * `key_algorithm`: Specifies the algorithm for the key. + + * `private_key_data`: Private key data. Base-64 encoded. + + * `public_key_data`: Public key data. Base-64 encoded. + + * `valid_after_time`: Key can only be used after this time. + + * `valid_before_time`: Key can only be used before this time. + + * `key_type`: Specifies the type of the key. Possible values include KEY_TYPE_UNSPECIFIED, USER_MANAGED and SYSTEM_MANAGED + + * `service_account`: The name of the serviceAccount. + + * `path`: The full name of the file that will hold the service account private key. The management of this file will depend on the value of sync_file parameter. File path must be absolute. + + +## GCP permissions + +Ensure the [Identity and Access Management (IAM) API](https://console.cloud.google.com/apis/library/iam.googleapis.com/) is enabled for the current project. diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_iam_service_account_keys.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_iam_service_account_keys.md new file mode 100644 index 0000000..3efc296 --- /dev/null 
+++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_iam_service_account_keys.md 
@@ -0,0 +1,47 @@ ++++ +title = "google_iam_service_account_keys resource" + +draft = false + + +[menu.gcp] +title = "google_iam_service_account_keys" +identifier = "inspec/resources/gcp/google_iam_service_account_keys resource" +parent = "inspec/resources/gcp" ++++ + +Use the `google_iam_service_account_keys` InSpec audit resource to to test a Google Cloud ServiceAccountKey resource. + +## Examples + +```ruby +describe google_iam_service_account_keys(project: 'chef-gcp-inspec', service_account: "display-name@project-id.iam.gserviceaccount.com") do + its('count') { should be <= 1000 } +end +``` + +## Properties + +Properties that can be accessed from the `google_iam_service_account_keys` resource: + +See [google_iam_service_account_key](google_iam_service_account_key) for more detailed information. + + * `key_names`: an array of `google_iam_service_account_key` name + * `private_key_types`: an array of `google_iam_service_account_key` private_key_type + * `key_algorithms`: an array of `google_iam_service_account_key` key_algorithm + * `private_key_data`: an array of `google_iam_service_account_key` private_key_data + * `public_key_data`: an array of `google_iam_service_account_key` public_key_data + * `valid_after_times`: an array of `google_iam_service_account_key` valid_after_time + * `valid_before_times`: an array of `google_iam_service_account_key` valid_before_time + * `key_types`: an array of `google_iam_service_account_key` key_type + * `service_accounts`: an array of `google_iam_service_account_key` service_account + * `paths`: an array of `google_iam_service_account_key` path + +## Filter criteria + +This resource supports all of the above properties as filter criteria, which can be used +with `where` as a block or a method. + +## GCP permissions + +Ensure the [Identity and Access Management (IAM) API](https://console.cloud.google.com/apis/library/iam.googleapis.com/) is enabled for the current project. 
diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_iam_service_accounts.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_iam_service_accounts.md new file mode 100644 index 0000000..22260b8 --- /dev/null +++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_iam_service_accounts.md 
@@ -0,0 +1,44 @@ ++++ +title = "google_iam_service_accounts resource" + +draft = false + + +[menu.gcp] +title = "google_iam_service_accounts" +identifier = "inspec/resources/gcp/google_iam_service_accounts resource" +parent = "inspec/resources/gcp" ++++ + +Use the `google_iam_service_accounts` InSpec audit resource to to test a Google Cloud ServiceAccount resource. + +## Examples + +```ruby +describe google_iam_service_accounts(project: 'chef-gcp-inspec', name: "display-name@project-id.iam.gserviceaccount.com") do + its('service_account_emails') { should include "display-name@project-id.iam.gserviceaccount.com" } + its('count') { should be <= 1000 } +end +``` + +## Properties + +Properties that can be accessed from the `google_iam_service_accounts` resource: + +See [google_iam_service_account](google_iam_service_account) for more detailed information. + + * `service_account_names`: an array of `google_iam_service_account` name + * `project_ids`: an array of `google_iam_service_account` project_id + * `service_account_ids`: an array of `google_iam_service_account` unique_id + * `service_account_emails`: an array of `google_iam_service_account` email + * `service_account_display_names`: an array of `google_iam_service_account` display_name + * `oauth2_client_ids`: an array of `google_iam_service_account` oauth2_client_id + +## Filter criteria + +This resource supports all of the above properties as filter criteria, which can be used +with `where` as a block or a method. + +## GCP permissions + +Ensure the [Identity and Access Management (IAM) API](https://console.cloud.google.com/apis/library/iam.googleapis.com/) is enabled for the current project. diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_kms_crypto_key.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_kms_crypto_key.md new file mode 100644 index 0000000..888c218 --- /dev/null 
+++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_kms_crypto_key.md 
@@ -0,0 +1,93 @@ ++++ +title = "google_kms_crypto_key resource" + +draft = false + + +[menu.gcp] +title = "google_kms_crypto_key" +identifier = "inspec/resources/gcp/google_kms_crypto_key resource" +parent = "inspec/resources/gcp" ++++ + +Use the `google_kms_crypto_key` InSpec audit resource to to test a Google Cloud CryptoKey resource. + +## Examples + +```ruby +describe google_kms_crypto_key(project: 'chef-gcp-inspec', location: 'europe-west2', key_ring_name: 'kms-key-ring', name: 'kms-key') do + it { should exist } + its('crypto_key_name') { should cmp 'kms-key' } + its('primary_state') { should eq "ENABLED" } + its('purpose') { should eq "ENCRYPT_DECRYPT" } + its('next_rotation_time') { should be > Time.now - 100000 } + its('create_time') { should be > Time.now - 365*60*60*24*10 } +end + +describe google_kms_crypto_key(project: 'chef-gcp-inspec', location: 'europe-west2', key_ring_name: 'kms-key-ring', name: "nonexistent") do + it { should_not exist } +end +``` + +### Test that a GCP KMS crypto key was created recently + + describe google_kms_crypto_key(project: 'chef-inspec-gcp', location: 'us-east1', key_ring_name: 'key-ring', name: 'crypto-key') do + its('create_time_date') { should be > Time.now - 365*60*60*24*10 } + end + +### Test when the next rotation time for a GCP KMS crypto key is scheduled + + describe google_kms_crypto_key(project: 'chef-inspec-gcp', location: 'us-east1', key_ring_name: 'key-ring', name: 'crypto-key') do + its('next_rotation_time_date') { should be > Time.now - 100000 } + end + +### Check that the crypto key purpose is as expected + + describe google_kms_crypto_key(project: 'chef-inspec-gcp', location: 'us-east1', key_ring_name: 'key-ring', name: 'crypto-key') do + its('purpose') { should eq "ENCRYPT_DECRYPT" } + end + +### Check that the crypto key primary is in "ENABLED" state + + describe google_kms_crypto_key(project: 'chef-inspec-gcp', location: 'us-east1', key_ring_name: 'key-ring', name: 'crypto-key') do + 
its('primary_state') { should eq "ENABLED" } + end + +## Properties + +Properties that can be accessed from the `google_kms_crypto_key` resource: + + + * `crypto_key_name`: The resource name for the CryptoKey. + + * `create_time`: The time that this resource was created on the server. This is in RFC3339 text format. + + * `labels`: Labels with user-defined metadata to apply to this resource. + + * `purpose`: The immutable purpose of this CryptoKey. See the [purpose reference](https://cloud.google.com/kms/docs/reference/rest/v1/projects.locations.keyRings.cryptoKeys#CryptoKeyPurpose) for possible inputs. + Possible values: + * ENCRYPT_DECRYPT + * ASYMMETRIC_SIGN + * ASYMMETRIC_DECRYPT + + * `rotation_period`: Every time this period passes, generate a new CryptoKeyVersion and set it as the primary. The first rotation will take place after the specified period. The rotation period has the format of a decimal number with up to 9 fractional digits, followed by the letter `s` (seconds). It must be greater than a day (ie, 86400). + + * `version_template`: A template describing settings for new crypto key versions. + + * `algorithm`: The algorithm to use when creating a version based on this template. See the [algorithm reference](https://cloud.google.com/kms/docs/reference/rest/v1/CryptoKeyVersionAlgorithm) for possible inputs. + + * `protection_level`: The protection level to use when creating a version based on this template. + Possible values: + * SOFTWARE + * HSM + + * `next_rotation_time`: The time when KMS will create a new version of this Crypto Key. + + * `key_ring`: The KeyRing that this key belongs to. Format: `'projects/{{project}}/locations/{{location}}/keyRings/{{keyRing}}'`. + + * `skip_initial_version_creation`: If set to true, the request will create a CryptoKey without any CryptoKeyVersions. You must use the `google_kms_key_ring_import_job` resource to import the CryptoKeyVersion. 
+ + +## GCP permissions + +Ensure the [Cloud Key Management Service (KMS) API](https://console.cloud.google.com/apis/library/cloudkms.googleapis.com/) is enabled for the current project. diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_kms_crypto_key_iam_binding.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_kms_crypto_key_iam_binding.md new file mode 100644 index 0000000..517e4c7 --- /dev/null +++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_kms_crypto_key_iam_binding.md @@ -0,0 +1,38 @@ ++++ +title = "google_kms_crypto_key_iam_binding resource" + +draft = false + + +[menu.gcp] +title = "google_kms_crypto_key_iam_binding" +identifier = "inspec/resources/gcp/google_kms_crypto_key_iam_binding resource" +parent = "inspec/resources/gcp" ++++ + +## Syntax + +A `google_kms_crypto_key_iam_binding` is used to test a Google CryptoKey Iam Bindings + +## Examples + +```ruby +describe google_kms_crypto_key_iam_binding(project: "project", location: "location", key_ring_name: "key_ring_name", crypto_key_name: "crypto_key_name", role: "roles/editor") do + it { should exist } + its('members') { should include 'user:testuser@example.com' } +end +``` + + +## Properties + +Properties that can be accessed from the `google_kms_crypto_key_iam_binding` resource: + + * `role`: Role that is assigned to members. For example, roles/viewer, roles/editor, or roles/owner. + + * `members`: Specifies the identities requesting access for a Cloud Platform resource. + + +## GCP permissions + +Ensure the [Cloud Key Management Service (KMS) API](https://console.cloud.google.com/apis/library/cloudkms.googleapis.com/) is enabled for the current project. diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_kms_crypto_key_iam_bindings.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_kms_crypto_key_iam_bindings.md new file mode 100644 index 0000000..0c91eba --- /dev/null 
+++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_kms_crypto_key_iam_bindings.md @@ -0,0 +1,77 @@ ++++ +title = "google_kms_crypto_key_iam_bindings resource" + +draft = false + + +[menu.gcp] +title = "google_kms_crypto_key_iam_bindings" +identifier = "inspec/resources/gcp/google_kms_crypto_key_iam_bindings resource" +parent = "inspec/resources/gcp" ++++ + +# google\_kms\_crypto\_key\_iam\_bindings + +**This resource is deprecated. Please use google_kms_crypto_key_iam_policy instead** + +Use the `google_kms_crypto_key_iam_bindings` InSpec audit resource to test properties of all, or a filtered group of, GCP KMS Crypto Key IAM Bindings. + +
+ +## Syntax + +A `google_kms_crypto_key_iam_bindings` resource block collects GCP KMS Crypto Key IAM Bindings then tests that group. + + describe google_kms_crypto_key_iam_bindings(crypto_key_url: 'projects/project/locations/europe-west2/keyRings/key-ring/cryptoKeys/key-name') do + it { should exist } + end + +Use this InSpec resource to enumerate roles then test in-depth using `google_kms_key_ring_iam_binding`. + + google_kms_crypto_key_iam_bindings(crypto_key_url: 'projects/project/locations/europe-west2/keyRings/key-ring/cryptoKeys/key-name').iam_binding_roles.each do |iam_binding_role| + describe google_kms_crypto_key_iam_binding(crypto_key_url: 'projects/project/locations/europe-west2/keyRings/key-ring/cryptoKeys/key-name', role: "roles/owner") do + it { should exist } + its('members') {should include 'user:someuser@domain.com' } + end + end + +
+ +## Examples + +The following examples show how to use this InSpec audit resource. + +### Test that there are no more than a specified number of IAM bindings roles available for the crypto key + + describe google_kms_crypto_key_iam_bindings(crypto_key_url: 'projects/project/locations/europe-west2/keyRings/key-ring/cryptoKeys/key-name') do + its('count') { should be <= 100} + end + +### Test that an expected IAM binding is available for the crypto key + + describe google_kms_crypto_key_iam_bindings(crypto_key_url: 'projects/project/locations/europe-west2/keyRings/key-ring/cryptoKeys/key-name') do + its('iam_binding_roles') { should include "roles/storage.admin" } + end + +### Test that a particular role does not exist using filtering of the plural resource + + describe google_kms_crypto_key_iam_bindings(crypto_key_url: 'projects/project/locations/europe-west2/keyRings/key-ring/cryptoKeys/key-name').where(iam_binding_role: "roles/iam.securityReviewer") do + it { should_not exist } + end + +
+ +## Filter criteria + +This resource supports the following filter criteria: `iam_binding_role`. This may be used with `where`, as a block or as a method. + +## Properties + +* `iam_binding_roles` - an array of google_kms_crypto_key_iam_binding role strings e.g. `["roles/compute.admin", "roles/owner"]` + +
+ + +## GCP permissions + +Ensure the [Cloud Key Management Service (KMS) API](https://console.cloud.google.com/apis/library/cloudkms.googleapis.com/) is enabled for the project where the resource is located.s \ No newline at end of file diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_kms_crypto_key_iam_policy.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_kms_crypto_key_iam_policy.md new file mode 100644 index 0000000..7422096 --- /dev/null +++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_kms_crypto_key_iam_policy.md 
@@ -0,0 +1,58 @@
++++
+title = "google_kms_crypto_key_iam_policy resource"
+
+draft = false
+
+
+[menu.gcp]
+title = "google_kms_crypto_key_iam_policy"
+identifier = "inspec/resources/gcp/google_kms_crypto_key_iam_policy resource"
+parent = "inspec/resources/gcp"
++++
+
+## Syntax
+
+A `google_kms_crypto_key_iam_policy` is used to test a Google CryptoKey Iam Policy resource.
+
+## Examples
+
+```ruby
+describe google_kms_crypto_key_iam_policy(project: "project", location: "location", key_ring_name: "key_ring_name", crypto_key_name: "crypto_key_name") do
+ it { should exist }
+end
+
+google_kms_crypto_key_iam_policy(project: "project", location: "location", key_ring_name: "key_ring_name", crypto_key_name: "crypto_key_name").bindings.each do |binding|
+ describe binding do
+ its('role') { should eq 'roles/editor'}
+ its('members') { should include 'user:testuser@example.com'}
+ end
+end
+```
+
+## Properties
+
+Properties that can be accessed from the `google_kms_crypto_key_iam_policy` resource:
+
+ * `iam_binding_roles`: The list of roles that exist on the policy.
+
+ * `bindings`: Associates a list of members to a role.
+
+ * `role`: Role that is assigned to members. For example, roles/viewer, roles/editor, or roles/owner.
+
+ * `members`: Specifies the identities requesting access for a Cloud Platform resource.
+
+ * `audit_configs`: Specifies cloud audit logging configuration for this policy.
+
+ * `service`: Specifies a service that will be enabled for audit logging. For example, `storage.googleapis.com`, `cloudsql.googleapis.com`. `allServices` is a special value that covers all services.
+
+ * `audit_log_configs`: The configuration for logging of each type of permission.
+
+ * `log_type`: The log type that this config enables. For example, ADMIN_READ, DATA_WRITE or DATA_READ
+
+ * `exempted_members`: Specifies the identities that do not cause logging for this type of permission.
+
+
+
+## GCP permissions
+
+Ensure the [Cloud Key Management Service (KMS) API](https://console.cloud.google.com/apis/library/cloudkms.googleapis.com/) is enabled for the current project.
diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_kms_crypto_key_version.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_kms_crypto_key_version.md
new file mode 100644
index 0000000..33e5e3c
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_kms_crypto_key_version.md
@@ -0,0 +1,121 @@
++++
+title = "google_kms_crypto_key_version resource"
+
+draft = false
+
+
+[menu.gcp]
+title = "google_kms_crypto_key_version"
+identifier = "inspec/resources/gcp/google_kms_crypto_key_version resource"
+parent = "inspec/resources/gcp"
++++
+
+Use the `google_kms_crypto_key_version` InSpec audit resource to to test a Google Cloud CryptoKeyVersion resource.
+
+## Examples
+
+```ruby
+describe google_kms_crypto_key_version(project: 'chef-gcp-inspec', location: 'europe-west2', key_ring: 'kms-key-ring', crypto_key: '', name: 'kms-key') do
+ it { should exist }
+ its('crypto_key_name') { should cmp 'kms-key' }
+ its('primary_state') { should eq "ENABLED" }
+ its('purpose') { should eq "ENCRYPT_DECRYPT" }
+ its('next_rotation_time') { should be > Time.now - 100000 }
+ its('create_time') { should be > Time.now - 365*60*60*24*10 }
+end
+
+describe google_kms_crypto_key_version(project: 'chef-gcp-inspec', location: 'europe-west2', key_ring: 'kms-key-ring', crypto_key: '', name: "nonexistent") do
+ it { should_not exist }
+end
+```
+
+## Properties
+
+Properties that can be accessed from the `google_kms_crypto_key_version` resource:
+
+
+ * `name`: The resource name for the CryptoKey.
+
+ * `create_time`: The time that this resource was created on the server. This is in RFC3339 text format.
+
+ * `generate_time`: The time that this resource was created on the server. This is in RFC3339 text format.
+
+ * `destroy_time`: The time that this resource was created on the server. This is in RFC3339 text format.
+
+ * `destroy_event_time`: The time that this resource was created on the server. This is in RFC3339 text format.
+
+ * `state`: The state of a CryptoKeyVersion, indicating if it can be used.
+ Possible values:
+ * CRYPTO_KEY_VERSION_STATE_UNSPECIFIED
+ * PENDING_GENERATION
+ * ENABLED
+ * DISABLED
+ * DESTROYED
+ * DESTROY_SCHEDULED
+ * PENDING_IMPORT
+ * IMPORT_FAILED
+
+ * `protection_level`: ProtectionLevel specifies how cryptographic operations are performed. For more information, see Protection levels.
+ Possible values:
+ * PROTECTION_LEVEL_UNSPECIFIED
+ * SOFTWARE
+ * HSM
+ * EXTERNAL
+ * EXTERNAL_VPC
+
+ * `algorithm`: The algorithm of the CryptoKeyVersion, indicating what parameters must be used for each cryptographic operation. The GOOGLE_SYMMETRIC_ENCRYPTION algorithm is usable with CryptoKey.purpose ENCRYPT_DECRYPT. Algorithms beginning with "RSA_SIGN_" are usable with CryptoKey.purpose ASYMMETRIC_SIGN. The fields in the name after "RSA_SIGN_" correspond to the following parameters: padding algorithm, modulus bit length, and digest algorithm. For PSS, the salt length used is equal to the length of digest algorithm. For example, RSA_SIGN_PSS_2048_SHA256 will use PSS with a salt length of 256 bits or 32 bytes. Algorithms beginning with "RSA_DECRYPT_" are usable with CryptoKey.purpose ASYMMETRIC_DECRYPT. The fields in the name after "RSA_DECRYPT_" correspond to the following parameters: padding algorithm, modulus bit length, and digest algorithm. Algorithms beginning with "EC_SIGN_" are usable with CryptoKey.purpose ASYMMETRIC_SIGN. The fields in the name after "EC_SIGN_" correspond to the following parameters: elliptic curve, digest algorithm. Algorithms beginning with "HMAC_" are usable with CryptoKey.purpose MAC. The suffix following "HMAC_" corresponds to the hash algorithm being used (eg. SHA256).
+ Possible values:
+ * CRYPTO_KEY_VERSION_ALGORITHM_UNSPECIFIED
+ * GOOGLE_SYMMETRIC_ENCRYPTION
+ * RSA_SIGN_PSS_2048_SHA256
+ * RSA_SIGN_PSS_3072_SHA256
+ * RSA_SIGN_PSS_4096_SHA256
+ * RSA_SIGN_PSS_4096_SHA512
+ * RSA_SIGN_PKCS1_2048_SHA256
+ * RSA_SIGN_PKCS1_3072_SHA256
+ * RSA_SIGN_PKCS1_4096_SHA512
+ * RSA_SIGN_PKCS1_4096_SHA256
+ * RSA_SIGN_RAW_PKCS1_2048
+ * RSA_SIGN_RAW_PKCS1_3072
+ * RSA_SIGN_RAW_PKCS1_4096
+ * RSA_DECRYPT_OAEP_2048_SHA256
+ * RSA_DECRYPT_OAEP_3072_SHA256
+ * RSA_DECRYPT_OAEP_4096_SHA256
+ * RSA_DECRYPT_OAEP_4096_SHA512
+ * RSA_DECRYPT_OAEP_2048_SHA1
+ * RSA_DECRYPT_OAEP_3072_SHA1
+ * RSA_DECRYPT_OAEP_4096_SHA1
+ * EC_SIGN_P256_SHA256
+ * EC_SIGN_P384_SHA384
+ * EC_SIGN_SECP256K1_SHA256
+ * HMAC_SHA256
+ * EXTERNAL_SYMMETRIC_ENCRYPTION
+
+ * `attestation`: Statement that was generated and signed by the key creator (for example, an HSM) at key creation time. Use this statement to verify attributes of the key as stored on the HSM, independently of Google. Only present if the chosen ImportMethod is one with a protection level of HSM.
+
+ * `format`: The format of the attestation data.
+
+ * `content`: The attestation data provided by the HSM when the key operation was performed. A base64-encoded string.
+
+ * `import_job`: Output only. The name of the ImportJob used in the most recent import of this CryptoKeyVersion. Only present if the underlying key material was imported.
+
+ * `import_time`: The time that this resource was created on the server. This is in RFC3339 text format.
+
+ * `import_failure_reason`: Output only. The root cause of the most recent import failure. Only present if state is IMPORT_FAILED.
+
+ * `external_protection_level_options`: ExternalProtectionLevelOptions stores a group of additional fields for configuring a CryptoKeyVersion that are specific to the EXTERNAL protection level and EXTERNAL_VPC protection levels.
+
+ * `external_key_uri`: The URI for an external resource that this CryptoKeyVersion represents.
+
+ * `ekm_connection_key_path`: The path to the external key material on the EKM when using EkmConnection e.g., "v0/my/key". Set this field instead of externalKeyUri when using an EkmConnection.
+
+ * `reimport_eligible`: Output only. Whether or not this key version is eligible for reimport, by being specified as a target in ImportCryptoKeyVersionRequest.crypto_key_version.
+
+ * `key_ring`: The KeyRing that this key belongs to. Format: `'projects/{{project}}/locations/{{location}}/keyRings/{{keyRing}}'`.
+
+ * `crypto_key`: The KeyRing that this key belongs to. Format: `'projects/{{project}}/locations/{{location}}/keyRings/{{keyRing}}/cryptoKeys/{{cryptoKey}}'`.
+
+
+## GCP permissions
+
+Ensure the [Cloud Key Management Service (KMS) API](https://console.cloud.google.com/apis/library/cloudkms.googleapis.com/) is enabled for the current project.
diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_kms_crypto_key_versions.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_kms_crypto_key_versions.md
new file mode 100644
index 0000000..4f28d36
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_kms_crypto_key_versions.md
@@ -0,0 +1,54 @@
++++
+title = "google_kms_crypto_key_versions resource"
+
+draft = false
+
+
+[menu.gcp]
+title = "google_kms_crypto_key_versions"
+identifier = "inspec/resources/gcp/google_kms_crypto_key_versions resource"
+parent = "inspec/resources/gcp"
++++
+
+Use the `google_kms_crypto_key_versions` InSpec audit resource to to test a Google Cloud CryptoKeyVersion resource.
+
+## Examples
+
+```ruby
+describe google_kms_crypto_key_versions(project: 'chef-gcp-inspec', location: 'europe-west2', key_ring: 'kms-key-ring', crypto_key: '') do
+ its('count') { should be >= 1 }
+ its('crypto_key_names') { should include 'kms-key' }
+end
+```
+
+## Properties
+
+Properties that can be accessed from the `google_kms_crypto_key_versions` resource:
+
+See [google_kms_crypto_key_version](google_kms_crypto_key_version) for more detailed information.
+
+ * `names`: an array of `google_kms_crypto_key_version` name
+ * `create_times`: an array of `google_kms_crypto_key_version` create_time
+ * `generate_times`: an array of `google_kms_crypto_key_version` generate_time
+ * `destroy_times`: an array of `google_kms_crypto_key_version` destroy_time
+ * `destroy_event_times`: an array of `google_kms_crypto_key_version` destroy_event_time
+ * `states`: an array of `google_kms_crypto_key_version` state
+ * `protection_levels`: an array of `google_kms_crypto_key_version` protection_level
+ * `algorithms`: an array of `google_kms_crypto_key_version` algorithm
+ * `attestations`: an array of `google_kms_crypto_key_version` attestation
+ * `import_jobs`: an array of `google_kms_crypto_key_version` import_job
+ * `import_times`: an array of `google_kms_crypto_key_version` import_time
+ * `import_failure_reasons`: an array of `google_kms_crypto_key_version` import_failure_reason
+ * `external_protection_level_options`: an array of `google_kms_crypto_key_version` external_protection_level_options
+ * `reimport_eligibles`: an array of `google_kms_crypto_key_version` reimport_eligible
+ * `key_rings`: an array of `google_kms_crypto_key_version` key_ring
+ * `crypto_keys`: an array of `google_kms_crypto_key_version` crypto_key
+
+## Filter criteria
+
+This resource supports all of the above properties as filter criteria, which can be used
+with `where` as a block or a method.
+
+## GCP permissions
+
+Ensure the [Cloud Key Management Service (KMS) API](https://console.cloud.google.com/apis/library/cloudkms.googleapis.com/) is enabled for the current project.
diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_kms_crypto_keys.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_kms_crypto_keys.md
new file mode 100644
index 0000000..1d683ef
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_kms_crypto_keys.md
@@ -0,0 +1,59 @@
++++
+title = "google_kms_crypto_keys resource"
+
+draft = false
+
+
+[menu.gcp]
+title = "google_kms_crypto_keys"
+identifier = "inspec/resources/gcp/google_kms_crypto_keys resource"
+parent = "inspec/resources/gcp"
++++
+
+Use the `google_kms_crypto_keys` InSpec audit resource to to test a Google Cloud CryptoKey resource.
+
+## Examples
+
+```ruby
+describe google_kms_crypto_keys(project: 'chef-gcp-inspec', location: 'europe-west2', key_ring_name: 'kms-key-ring') do
+ its('count') { should be >= 1 }
+ its('crypto_key_names') { should include 'kms-key' }
+end
+```
+
+### Test that there are no more than a specified number of keys in the key ring
+
+ describe google_kms_crypto_keys(project: 'chef-inspec-gcp', location: 'us-east1', key_ring_name: 'key-ring') do
+ its('count') { should be <= 100}
+ end
+
+### Test that an expected key name is present in the key ring
+
+ describe google_kms_crypto_keys(project: 'chef-inspec-gcp', location: 'us-east1', key_ring_name: 'key-ring') do
+ its('crypto_key_names') { should include "my-crypto-key-name" }
+ end
+
+## Properties
+
+Properties that can be accessed from the `google_kms_crypto_keys` resource:
+
+See [google_kms_crypto_key](google_kms_crypto_key) for more detailed information.
+
+ * `crypto_key_names`: an array of `google_kms_crypto_key` crypto_key_name
+ * `create_times`: an array of `google_kms_crypto_key` create_time
+ * `labels`: an array of `google_kms_crypto_key` labels
+ * `purposes`: an array of `google_kms_crypto_key` purpose
+ * `rotation_periods`: an array of `google_kms_crypto_key` rotation_period
+ * `version_templates`: an array of `google_kms_crypto_key` version_template
+ * `next_rotation_times`: an array of `google_kms_crypto_key` next_rotation_time
+ * `key_rings`: an array of `google_kms_crypto_key` key_ring
+ * `skip_initial_version_creations`: an array of `google_kms_crypto_key` skip_initial_version_creation
+
+## Filter criteria
+
+This resource supports all of the above properties as filter criteria, which can be used
+with `where` as a block or a method.
+
+## GCP permissions
+
+Ensure the [Cloud Key Management Service (KMS) API](https://console.cloud.google.com/apis/library/cloudkms.googleapis.com/) is enabled for the current project.
diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_kms_ekm_connection.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_kms_ekm_connection.md
new file mode 100644
index 0000000..4c317a8
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_kms_ekm_connection.md
@@ -0,0 +1,70 @@
++++
+title = "google_kms_ekm_connection resource"
+
+draft = false
+
+
+[menu.gcp]
+title = "google_kms_ekm_connection"
+identifier = "inspec/resources/gcp/google_kms_ekm_connection resource"
+parent = "inspec/resources/gcp"
++++
+
+Use the `google_kms_ekm_connection` InSpec audit resource to to test a Google Cloud EkmConnection resource.
+
+## Examples
+
+```ruby
+describe google_kms_ekm_connection(project: 'chef-gcp-inspec', location: 'europe-west2', name: '') do
+ it { should exist }
+ its('name') { should cmp '' }
+end
+
+describe google_kms_ekm_connection(project: 'chef-gcp-inspec', location: 'nonexistent') do
+ it { should_not exist }
+end
+```
+
+## Properties
+
+Properties that can be accessed from the `google_kms_ekm_connection` resource:
+
+
+ * `name`: Resource name for the location, which may vary between implementations. For example: projects/example-project/locations/us-east1
+
+ * `create_time`: string (Timestamp format) Output only. The time at which the EkmConnection was created. A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".
+
+ * `service_resolvers`: object (ServiceResolver) A list of ServiceResolvers where the EKM can be reached. There should be one ServiceResolver per EKM replica. Currently, only a single ServiceResolver is supported.
+
+ * `service_directory_service`: Required. The resource name of the Service Directory service pointing to an EKM replica, in the format projects/*/locations/*/namespaces/*/services/*.
+
+ * `endpoint_filter`: Optional. The filter applied to the endpoints of the resolved service. If no filter is specified, all endpoints will be considered. An endpoint will be chosen arbitrarily from the filtered list for each request. For endpoint filter syntax and examples, see https://cloud.google.com/service-directory/docs/reference/rpc/google.cloud.servicedirectory.v1#resolveservicerequest.
+
+ * `hostname`: Required. The hostname of the EKM replica used at TLS and HTTP layers.
+
+ * `server_certificates`: A Certificate represents an X.509 certificate used to authenticate HTTPS connections to EKM replicas.
+
+ * `raw_der`: Required. The raw certificate bytes in DER format. A base64-encoded string.
+
+ * `parsed`: Output only. True if the certificate was parsed successfully.
+
+ * `issuer`: Output only. The issuer distinguished name in RFC 2253 format. Only present if parsed is true.
+
+ * `subject`: Output only. The subject distinguished name in RFC 2253 format. Only present if parsed is true.
+
+ * `subject_alternative_dns_names`: Output only. The subject Alternative DNS names. Only present if parsed is true.
+
+ * `not_before_time`: string (Timestamp format) Output only. The certificate is not valid before this time. Only present if parsed is true. A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".
+
+ * `not_after_time`: string (Timestamp format) Output only. The certificate is not valid after this time. Only present if parsed is true. A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".
+
+ * `serial_number`: Output only. The certificate serial number as a hex string. Only present if parsed is true.
+
+ * `sha256_fingerprint`: Output only. The SHA-256 certificate fingerprint as a hex string. Only present if parsed is true.
+
+ * `location`: Resource name for the location.
+
+
+## GCP permissions
+
+Ensure the [Cloud Key Management Service (KMS) API](https://console.cloud.google.com/apis/library/cloudkms.googleapis.com/) is enabled for the current project.
diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_kms_ekm_connections.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_kms_ekm_connections.md
new file mode 100644
index 0000000..cb7d50c
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_kms_ekm_connections.md
@@ -0,0 +1,41 @@
++++
+title = "google_kms_ekm_connections resource"
+
+draft = false
+
+
+[menu.gcp]
+title = "google_kms_ekm_connections"
+identifier = "inspec/resources/gcp/google_kms_ekm_connections resource"
+parent = "inspec/resources/gcp"
++++
+
+Use the `google_kms_ekm_connections` InSpec audit resource to to test a Google Cloud EkmConnection resource.
+
+## Examples
+
+```ruby
+describe google_kms_ekm_connections(project: 'chef-gcp-inspec', location: 'europe-west2') do
+ it { should exist }
+end
+```
+
+## Properties
+
+Properties that can be accessed from the `google_kms_ekm_connections` resource:
+
+See [google_kms_ekm_connection](google_kms_ekm_connection) for more detailed information.
+
+ * `names`: an array of `google_kms_ekm_connection` name
+ * `create_times`: an array of `google_kms_ekm_connection` create_time
+ * `service_resolvers`: an array of `google_kms_ekm_connection` service_resolvers
+ * `locations`: an array of `google_kms_ekm_connection` location
+
+## Filter criteria
+
+This resource supports all of the above properties as filter criteria, which can be used
+with `where` as a block or a method.
+
+## GCP permissions
+
+Ensure the [Cloud Key Management Service (KMS) API](https://console.cloud.google.com/apis/library/cloudkms.googleapis.com/) is enabled for the current project.
diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_kms_key_ring.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_kms_key_ring.md
new file mode 100644
index 0000000..49d7b6e
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_kms_key_ring.md
@@ -0,0 +1,58 @@
++++
+title = "google_kms_key_ring resource"
+
+draft = false
+
+
+[menu.gcp]
+title = "google_kms_key_ring"
+identifier = "inspec/resources/gcp/google_kms_key_ring resource"
+parent = "inspec/resources/gcp"
++++
+
+Use the `google_kms_key_ring` InSpec audit resource to to test a Google Cloud KeyRing resource.
+
+## Examples
+
+```ruby
+describe google_kms_key_ring(project: 'chef-gcp-inspec', location: 'europe-west2', name: 'kms-key-ring') do
+ it { should exist }
+ its('create_time') { should be > Time.now - 365*60*60*24*10 }
+ its('key_ring_name'){ should eq 'kms-key-ring' }
+ its('key_ring_url'){ should match 'kms-key-ring' }
+end
+
+describe google_kms_key_ring(project: 'chef-gcp-inspec', location: 'europe-west2', name: "nonexistent") do
+ it { should_not exist }
+end
+```
+
+### Test that a GCP kms key ring exists
+
+ describe google_kms_key_ring(project: 'chef-inspec-gcp', location: 'us-east1', name: 'key-ring-name') do
+ it { should exist }
+ end
+
+### Test that a GCP kms key ring is in the expected state
+
+For any existing key ring, below should definitely be true!
+
+ describe google_kms_key_ring(project: 'chef-inspec-gcp', location: 'us-east1', name: 'key-ring-name') do
+ its('create_time_date') { should be > Time.now - 365*60*60*24*50 }
+ end
+
+## Properties
+
+Properties that can be accessed from the `google_kms_key_ring` resource:
+
+
+ * `create_time`: The time that this resource was created on the server. This is in RFC3339 text format.
+
+ * `key_ring_url`: The full resource name for the KeyRing
+
+ * `location`: The location for the KeyRing. A full list of valid locations can be found by running `gcloud kms locations list`.
+
+
+## GCP permissions
+
+Ensure the [Cloud Key Management Service (KMS) API](https://console.cloud.google.com/apis/library/cloudkms.googleapis.com/) is enabled for the current project.
diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_kms_key_ring_iam_binding.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_kms_key_ring_iam_binding.md
new file mode 100644
index 0000000..38be5c8
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_kms_key_ring_iam_binding.md
@@ -0,0 +1,38 @@
++++
+title = "google_kms_key_ring_iam_binding resource"
+
+draft = false
+
+
+[menu.gcp]
+title = "google_kms_key_ring_iam_binding"
+identifier = "inspec/resources/gcp/google_kms_key_ring_iam_binding resource"
+parent = "inspec/resources/gcp"
++++
+
+## Syntax
+
+A `google_kms_key_ring_iam_binding` is used to test a Google KeyRing Iam Bindings
+
+## Examples
+
+```ruby
+describe google_kms_key_ring_iam_binding(project: "project", location: "location", key_ring_name: "key_ring_name", role: "roles/editor") do
+ it { should exist }
+ its('members') { should include 'user:testuser@example.com' }
+end
+```
+
+
+## Properties
+
+Properties that can be accessed from the `google_kms_key_ring_iam_binding` resource:
+
+ * `role`: Role that is assigned to members. For example, roles/viewer, roles/editor, or roles/owner.
+
+ * `members`: Specifies the identities requesting access for a Cloud Platform resource.
+
+
+## GCP permissions
+
+Ensure the [Cloud Key Management Service (KMS) API](https://console.cloud.google.com/apis/library/cloudkms.googleapis.com/) is enabled for the current project.
diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_kms_key_ring_iam_bindings.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_kms_key_ring_iam_bindings.md
new file mode 100644
index 0000000..03ea9ae
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_kms_key_ring_iam_bindings.md
@@ -0,0 +1,77 @@
++++
+title = "google_kms_key_ring_iam_bindings resource"
+
+draft = false
+
+
+[menu.gcp]
+title = "google_kms_key_ring_iam_bindings"
+identifier = "inspec/resources/gcp/google_kms_key_ring_iam_bindings resource"
+parent = "inspec/resources/gcp"
++++
+
+# google\_kms\_key\_ring\_iam\_bindings
+
+**This resource is deprecated. Please use `google_kms_key_ring_iam_policy` instead**
+
+Use the `google_kms_key_ring_iam_bindings` InSpec audit resource to test properties of all, or a filtered group of, GCP KMS key ring IAM bindings.
+
+
+
+## Syntax
+
+A `google_kms_key_ring_iam_bindings` resource block collects GCP KMS key ring IAM bindings then tests that group.
+
+ describe google_kms_key_ring_iam_bindings(key_ring_url: 'projects/project/locations/europe-west2/keyRings/key-ring') do
+ it { should exist }
+ end
+
+Use this InSpec resource to enumerate roles then test in-depth using `google_kms_key_ring_iam_binding`.
+
+ google_kms_key_ring_iam_bindings(key_ring_url: 'projects/project/locations/europe-west2/keyRings/key-ring').iam_binding_roles.each do |iam_binding_role|
+ describe google_kms_key_ring_iam_binding(key_ring_url: 'projects/project/locations/europe-west2/keyRings/key-ring', role: "roles/owner") do
+ it { should exist }
+ its('members') {should include 'user:someuser@domain.com' }
+ end
+ end
+
+
+
+## Examples
+
+The following examples show how to use this InSpec audit resource.
+
+### Test that there are no more than a specified number of IAM bindings roles available for the key ring
+
+ describe google_kms_key_ring_iam_bindings(key_ring_url: 'projects/project/locations/europe-west2/keyRings/key-ring') do
+ its('count') { should be <= 100}
+ end
+
+### Test that an expected IAM binding is available for the key ring
+
+ describe google_kms_key_ring_iam_bindings(key_ring_url: 'projects/project/locations/europe-west2/keyRings/key-ring') do
+ its('iam_binding_roles') { should include "roles/storage.admin" }
+ end
+
+### Test that a particular role does not exist using filtering of the plural resource
+
+ describe google_kms_key_ring_iam_bindings(key_ring_url: 'projects/project/locations/europe-west2/keyRings/key-ring').where(iam_binding_role: "roles/iam.securityReviewer") do
+ it { should_not exist }
+ end
+
+
+
+## Filter criteria
+
+This resource supports the following filter criteria: `iam_binding_role`. This may be used with `where`, as a block or as a method.
+
+## Properties
+
+* `iam_binding_roles` - an array of google_kms_key_ring_iam_binding role strings e.g. `["roles/compute.admin", "roles/owner"]`
+
+
+
+## GCP permissions
+
+Ensure the [Cloud Key Management Service (KMS) API](https://console.cloud.google.com/apis/library/cloudkms.googleapis.com/) is enabled for the project where the resource is located.s
\ No newline at end of file
diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_kms_key_ring_iam_policy.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_kms_key_ring_iam_policy.md
new file mode 100644
index 0000000..ee850c6
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_kms_key_ring_iam_policy.md
@@ -0,0 +1,58 @@
++++
+title = "google_kms_key_ring_iam_policy resource"
+
+draft = false
+
+
+[menu.gcp]
+title = "google_kms_key_ring_iam_policy"
+identifier = "inspec/resources/gcp/google_kms_key_ring_iam_policy resource"
+parent = "inspec/resources/gcp"
++++
+
+## Syntax
+
+A `google_kms_key_ring_iam_policy` is used to test a Google KeyRing Iam Policy resource.
+
+## Examples
+
+```ruby
+describe google_kms_key_ring_iam_policy(project: "project", location: "location", key_ring_name: "key_ring_name") do
+ it { should exist }
+end
+
+google_kms_key_ring_iam_policy(project: "project", location: "location", key_ring_name: "key_ring_name").bindings.each do |binding|
+ describe binding do
+ its('role') { should eq 'roles/editor'}
+ its('members') { should include 'user:testuser@example.com'}
+ end
+end
+```
+
+## Properties
+
+Properties that can be accessed from the `google_kms_key_ring_iam_policy` resource:
+
+ * `iam_binding_roles`: The list of roles that exist on the policy.
+
+ * `bindings`: Associates a list of members to a role.
+
+ * `role`: Role that is assigned to members. For example, roles/viewer, roles/editor, or roles/owner.
+
+ * `members`: Specifies the identities requesting access for a Cloud Platform resource.
+
+ * `audit_configs`: Specifies cloud audit logging configuration for this policy.
+
+ * `service`: Specifies a service that will be enabled for audit logging. For example, `storage.googleapis.com`, `cloudsql.googleapis.com`. `allServices` is a special value that covers all services.
+
+ * `audit_log_configs`: The configuration for logging of each type of permission.
+
+ * `log_type`: The log type that this config enables. For example, ADMIN_READ, DATA_WRITE or DATA_READ
+
+ * `exempted_members`: Specifies the identities that do not cause logging for this type of permission.
+
+
+
+## GCP permissions
+
+Ensure the [Cloud Key Management Service (KMS) API](https://console.cloud.google.com/apis/library/cloudkms.googleapis.com/) is enabled for the current project.
diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_kms_key_ring_import_job.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_kms_key_ring_import_job.md
new file mode 100644
index 0000000..1bc58e2
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_kms_key_ring_import_job.md
@@ -0,0 +1,72 @@
++++
+title = "google_kms_key_ring_import_job resource"
+
+draft = false
+
+
+[menu.gcp]
+title = "google_kms_key_ring_import_job"
+identifier = "inspec/resources/gcp/google_kms_key_ring_import_job resource"
+parent = "inspec/resources/gcp"
++++
+
+Use the `google_kms_key_ring_import_job` InSpec audit resource to to test a Google Cloud KeyRingImportJob resource.
+
+## Examples
+
+```ruby
+describe google_kms_key_ring_import_job(project: 'chef-gcp-inspec', location: 'europe-west2', name: '') do
+ it { should exist }
+end
+
+describe google_kms_key_ring_import_job(project: 'chef-gcp-inspec', location: 'nonexistent', name: 'nonexistent') do
+ it { should_not exist }
+end
+```
+
+## Properties
+
+Properties that can be accessed from the `google_kms_key_ring_import_job` resource:
+
+
+ * `name`: The resource name for this ImportJob in the format projects/*/locations/*/keyRings/*/importJobs/*.
+
+ * `import_method`: The wrapping method to be used for incoming key material.
+ Possible values:
+ * RSA_OAEP_3072_SHA1_AES_256
+ * RSA_OAEP_4096_SHA1_AES_256
+
+ * `protection_level`: The protection level of the ImportJob. This must match the protectionLevel of the versionTemplate on the CryptoKey you attempt to import into.
+ Possible values:
+ * SOFTWARE
+ * HSM
+ * EXTERNAL
+
+ * `create_time`: The time that this resource was created on the server. This is in RFC3339 text format.
+
+ * `generate_time`: The time that this resource was generated. This is in RFC3339 text format.
+
+ * `expire_time`: The time at which this resource is scheduled for expiration and can no longer be used. This is in RFC3339 text format.
+
+ * `expire_event_time`: The time this resource expired. Only present if state is EXPIRED.
+
+ * `state`: The current state of the ImportJob, indicating if it can be used.
+
+ * `public_key`: The public key with which to wrap key material prior to import. Only returned if state is `ACTIVE`.
+
+ * `pem`: The public key, encoded in PEM format. For more information, see the RFC 7468 sections for General Considerations and Textual Encoding of Subject Public Key Info.
+
+ * `attestation`: Statement that was generated and signed by the key creator (for example, an HSM) at key creation time. Use this statement to verify attributes of the key as stored on the HSM, independently of Google. Only present if the chosen ImportMethod is one with a protection level of HSM.
+
+ * `format`: The format of the attestation data.
+
+ * `content`: The attestation data provided by the HSM when the key operation was performed. A base64-encoded string.
+
+ * `key_ring`: The KeyRing that this import job belongs to. Format: `'projects/{{project}}/locations/{{location}}/keyRings/{{keyRing}}'`.
+
+ * `import_job_id`: It must be unique within a KeyRing and match the regular expression [a-zA-Z0-9_-]{1,63}
+
+
+## GCP permissions
+
+Ensure the [Cloud Key Management Service (KMS) API](https://console.cloud.google.com/apis/library/cloudkms.googleapis.com/) is enabled for the current project.
diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_kms_key_ring_import_jobs.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_kms_key_ring_import_jobs.md
new file mode 100644
index 0000000..3708876
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_kms_key_ring_import_jobs.md
@@ -0,0 +1,49 @@ ++++ +title = "google_kms_key_ring_import_jobs resource" + +draft = false + + +[menu.gcp] +title = "google_kms_key_ring_import_jobs" +identifier = "inspec/resources/gcp/google_kms_key_ring_import_jobs resource" +parent = "inspec/resources/gcp" ++++ + +Use the `google_kms_key_ring_import_jobs` InSpec audit resource to to test a Google Cloud KeyRingImportJob resource. + +## Examples + +```ruby +describe google_kms_key_ring_import_job(project: 'chef-gcp-inspec', location: 'europe-west2') do + it { should exist } +end +``` + +## Properties + +Properties that can be accessed from the `google_kms_key_ring_import_jobs` resource: + +See [google_kms_key_ring_import_job](google_kms_key_ring_import_job) for more detailed information. + + * `names`: an array of `google_kms_key_ring_import_job` name + * `import_methods`: an array of `google_kms_key_ring_import_job` import_method + * `protection_levels`: an array of `google_kms_key_ring_import_job` protection_level + * `create_times`: an array of `google_kms_key_ring_import_job` create_time + * `generate_times`: an array of `google_kms_key_ring_import_job` generate_time + * `expire_times`: an array of `google_kms_key_ring_import_job` expire_time + * `expire_event_times`: an array of `google_kms_key_ring_import_job` expire_event_time + * `states`: an array of `google_kms_key_ring_import_job` state + * `public_keys`: an array of `google_kms_key_ring_import_job` public_key + * `attestations`: an array of `google_kms_key_ring_import_job` attestation + * `key_rings`: an array of `google_kms_key_ring_import_job` key_ring + * `import_job_ids`: an array of `google_kms_key_ring_import_job` import_job_id + +## Filter criteria + +This resource supports all of the above properties as filter criteria, which can be used +with `where` as a block or a method. 
+ +## GCP permissions + +Ensure the [Cloud Key Management Service (KMS) API](https://console.cloud.google.com/apis/library/cloudkms.googleapis.com/) is enabled for the current project. diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_kms_key_rings.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_kms_key_rings.md new file mode 100644 index 0000000..01a317c --- /dev/null +++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_kms_key_rings.md 
@@ -0,0 +1,70 @@ ++++ +title = "google_kms_key_rings resource" + +draft = false + + +[menu.gcp] +title = "google_kms_key_rings" +identifier = "inspec/resources/gcp/google_kms_key_rings resource" +parent = "inspec/resources/gcp" ++++ + +Use the `google_kms_key_rings` InSpec audit resource to to test a Google Cloud KeyRing resource. + +## Examples + +```ruby +describe google_kms_key_rings(project: 'chef-gcp-inspec', location: 'europe-west2') do + its('key_ring_names'){ should include 'kms-key-ring' } +end + +describe.one do + google_kms_key_rings(project: 'chef-gcp-inspec', location: 'europe-west2').key_ring_urls do |url| + describe url do + it { should match 'kms-key-ring' } + end + end +end +``` + +### Test that there are no more than a specified number of kms_key_rings available for the project + + describe google_kms_key_rings(project: 'chef-inspec-gcp', location: 'us-east1') do + its('count') { should be <= 200} + end + +### Test that an expected kms_key_ring is available for the project + + describe google_kms_key_rings(project: 'chef-inspec-gcp', location: 'us-east1') do + its('key_ring_names') { should include "a-named-key" } + end + + +### Test that all KMS key rings were created in the past year + + describe google_kms_key_rings(project: gcp_project_id, location: 'us-east1').key_ring_names.each do |key_ring_name| + describe google_kms_key_ring(project: 'chef-inspec-gcp', location: 'us-east1', 'name: key_ring_name) do + it { should exist } + its('create_time_date') { should be > Time.now - 365*60*60*24 } + end + end + +## Properties + +Properties that can be accessed from the `google_kms_key_rings` resource: + +See [google_kms_key_ring](google_kms_key_ring) for more detailed information. 
+ + * `create_times`: an array of `google_kms_key_ring` create_time + * `key_ring_urls`: an array of `google_kms_key_ring` key_ring_url + * `locations`: an array of `google_kms_key_ring` location + +## Filter criteria + +This resource supports all of the above properties as filter criteria, which can be used +with `where` as a block or a method. + +## GCP permissions + +Ensure the [Cloud Key Management Service (KMS) API](https://console.cloud.google.com/apis/library/cloudkms.googleapis.com/) is enabled for the current project. diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_kms_location.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_kms_location.md new file mode 100644 index 0000000..45c867e --- /dev/null +++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_kms_location.md 
@@ -0,0 +1,43 @@ ++++ +title = "google_kms_location resource" + +draft = false + + +[menu.gcp] +title = "google_kms_location" +identifier = "inspec/resources/gcp/google_kms_location resource" +parent = "inspec/resources/gcp" ++++ + +Use the `google_kms_location` InSpec audit resource to to test a Google Cloud Location resource. + +## Examples + +```ruby +describe google_kms_location(project: 'chef-gcp-inspec', location: 'europe-west2') do + it { should exist } +end + +describe google_kms_location(project: 'chef-gcp-inspec', location: 'nonexistent') do + it { should_not exist } +end +``` + +## Properties + +Properties that can be accessed from the `google_kms_location` resource: + + + * `name`: Resource name for the location, which may vary between implementations. For example: projects/example-project/locations/us-east1 + + * `location_id`: The canonical id for this location. For example: "us-east1". + + * `display_name`: The friendly name for this location, typically a nearby city name. For example, "Tokyo". + + * `location`: Resource name for the location. + + +## GCP permissions + +Ensure the [Cloud Key Management Service (KMS) API](https://console.cloud.google.com/apis/library/cloudkms.googleapis.com/) is enabled for the current project. diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_kms_locations.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_kms_locations.md new file mode 100644 index 0000000..4b80c0a --- /dev/null +++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_kms_locations.md 
@@ -0,0 +1,41 @@ ++++ +title = "google_kms_locations resource" + +draft = false + + +[menu.gcp] +title = "google_kms_locations" +identifier = "inspec/resources/gcp/google_kms_locations resource" +parent = "inspec/resources/gcp" ++++ + +Use the `google_kms_locations` InSpec audit resource to to test a Google Cloud Location resource. + +## Examples + +```ruby +describe google_kms_locations(project: 'chef-gcp-inspec') do + it { should exist } +end +``` + +## Properties + +Properties that can be accessed from the `google_kms_locations` resource: + +See [google_kms_location](google_kms_location) for more detailed information. + + * `names`: an array of `google_kms_location` name + * `location_ids`: an array of `google_kms_location` location_id + * `display_names`: an array of `google_kms_location` display_name + * `locations`: an array of `google_kms_location` location + +## Filter criteria + +This resource supports all of the above properties as filter criteria, which can be used +with `where` as a block or a method. + +## GCP permissions + +Ensure the [Cloud Key Management Service (KMS) API](https://console.cloud.google.com/apis/library/cloudkms.googleapis.com/) is enabled for the current project. diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_logging_folder_exclusion.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_logging_folder_exclusion.md new file mode 100644 index 0000000..4e4e23a --- /dev/null +++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_logging_folder_exclusion.md 
@@ -0,0 +1,52 @@ ++++ +title = "google_logging_folder_exclusion resource" + +draft = false + + +[menu.gcp] +title = "google_logging_folder_exclusion" +identifier = "inspec/resources/gcp/google_logging_folder_exclusion resource" +parent = "inspec/resources/gcp" ++++ + +Use the `google_logging_folder_exclusion` InSpec audit resource to to test a Google Cloud FolderExclusion resource. + +## Examples + +```ruby +# Getting folder exclusions is complicated due to the name being generated by the server. +# This can be drastically simplified if you have the name when writing the test +describe.one do + google_resourcemanager_folders(parent: 'organizations/12345').names.each do |folder_name| + # name on a folder is in the form `folders/12345` + google_logging_folder_exclusions(folder: folder_name.split('/')[1]).names.each do |exclusion_name| + describe google_logging_folder_exclusion(folder: folder_name.split('/')[1], name: exclusion_name) do + its('name'){ should cmp 'inspec-folder-exclusion' } + its('description'){ should cmp 'My folder exclusion description' } + its('filter'){ should cmp 'resource.type = gce_instance AND severity <= DEBUG' } + end + end + end +end +``` + +## Properties + +Properties that can be accessed from the `google_logging_folder_exclusion` resource: + + + * `folder`: Id of the folder that this exclusion applies to. + + * `name`: Name of the exclusion, specified by the server during create. + + * `description`: A user provided description of this exclusion. + + * `filter`: An advanced logs filter. The only exported log entries are those that are in the resource owning the sink and that match the filter. + + * `disabled`: If set to true then this exclusion is disabled and it does not exclude any log entries. + + +## GCP permissions + +Ensure the [Stackdriver Logging API](https://console.cloud.google.com/apis/library/logging.googleapis.com/) is enabled for the current project. 
diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_logging_folder_exclusions.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_logging_folder_exclusions.md new file mode 100644 index 0000000..a0277ee --- /dev/null +++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_logging_folder_exclusions.md 
@@ -0,0 +1,51 @@ ++++ +title = "google_logging_folder_exclusions resource" + +draft = false + + +[menu.gcp] +title = "google_logging_folder_exclusions" +identifier = "inspec/resources/gcp/google_logging_folder_exclusions resource" +parent = "inspec/resources/gcp" ++++ + +Use the `google_logging_folder_exclusions` InSpec audit resource to to test a Google Cloud FolderExclusion resource. + +## Examples + +```ruby +# Getting folder exclusions is complicated due to the name being generated by the server. +# This can be drastically simplified if you have the name when writing the test +describe.one do + google_resourcemanager_folders(parent: 'organizations/12345').names.each do |name| + # name on a folder is in the form `folders/12345` + describe google_logging_folder_exclusions(folder: name.split('/')[1]) do + its('names'){ should include 'inspec-folder-exclusion' } + its('descriptions'){ should include 'My folder exclusion description' } + its('filters'){ should include 'resource.type = gce_instance AND severity <= DEBUG' } + end + end +end +``` + +## Properties + +Properties that can be accessed from the `google_logging_folder_exclusions` resource: + +See [google_logging_folder_exclusion](google_logging_folder_exclusion) for more detailed information. + + * `folders`: an array of `google_logging_folder_exclusion` folder + * `names`: an array of `google_logging_folder_exclusion` name + * `descriptions`: an array of `google_logging_folder_exclusion` description + * `filters`: an array of `google_logging_folder_exclusion` filter + * `disableds`: an array of `google_logging_folder_exclusion` disabled + +## Filter criteria + +This resource supports all of the above properties as filter criteria, which can be used +with `where` as a block or a method. + +## GCP permissions + +Ensure the [Stackdriver Logging API](https://console.cloud.google.com/apis/library/logging.googleapis.com/) is enabled for the current project. 
diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_logging_folder_log_sink.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_logging_folder_log_sink.md new file mode 100644 index 0000000..e5eae80 --- /dev/null +++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_logging_folder_log_sink.md 
@@ -0,0 +1,51 @@ ++++ +title = "google_logging_folder_log_sink resource" + +draft = false + + +[menu.gcp] +title = "google_logging_folder_log_sink" +identifier = "inspec/resources/gcp/google_logging_folder_log_sink resource" +parent = "inspec/resources/gcp" ++++ + +Use the `google_logging_folder_log_sink` InSpec audit resource to to test a Google Cloud FolderLogSink resource. + +## Examples + +```ruby +# Getting folder sinks is complicated due to the name being generated by the server. +# This can be drastically simplified if you have the folder name when writing the test +describe.one do + google_resourcemanager_folders(parent: 'organizations/12345').names.each do |folder_name| + # name on a folder is in the form `folders/12345` + describe google_logging_folder_log_sink(folder: folder_name.split('/')[1], name: 'inspec-gcp-folder-sink') do + it { should exist } + its('filter') { should cmp 'resource.type = gce_instance AND severity >= ERROR' } + end + end +end +``` + +## Properties + +Properties that can be accessed from the `google_logging_folder_log_sink` resource: + + + * `folder`: Id of the folder that this sink belongs to. + + * `name`: Name of the log sink. + + * `filter`: An advanced logs filter. The only exported log entries are those that are in the resource owning the sink and that match the filter. + + * `destination`: The export destination. + + * `writer_identity`: An IAM identity—a service account or group—under which Logging writes the exported log entries to the sink's destination. This field is set by sinks.create and sinks.update based on the value of uniqueWriterIdentity in those methods. + + * `include_children`: If the field is false, the default, only the logs owned by the sink's parent resource are available for export. If the field is true, then logs from all the projects, folders, and billing accounts contained in the sink's parent resource are also available for export. 
Whether a particular log entry from the children is exported depends on the sink's filter expression. + + +## GCP permissions + +Ensure the [Stackdriver Logging API](https://console.cloud.google.com/apis/library/logging.googleapis.com/) is enabled for the current project. diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_logging_folder_log_sinks.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_logging_folder_log_sinks.md new file mode 100644 index 0000000..3d78fb3 --- /dev/null +++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_logging_folder_log_sinks.md 
@@ -0,0 +1,51 @@ ++++ +title = "google_logging_folder_log_sinks resource" + +draft = false + + +[menu.gcp] +title = "google_logging_folder_log_sinks" +identifier = "inspec/resources/gcp/google_logging_folder_log_sinks resource" +parent = "inspec/resources/gcp" ++++ + +Use the `google_logging_folder_log_sinks` InSpec audit resource to to test a Google Cloud FolderLogSink resource. + +## Examples + +```ruby +# Getting folder sinks is complicated due to the name being generated by the server. +# This can be drastically simplified if you have the folder name when writing the test +describe.one do + google_resourcemanager_folders(parent: 'organizations/12345').names.each do |folder_name| + # name on a folder is in the form `folders/12345` + describe google_logging_folder_log_sinks(folder: folder_name.split('/')[1]) do + its('names') { should include 'inspec-gcp-folder-sink' } + its('filters') { should include 'resource.type = gce_instance AND severity >= ERROR' } + end + end +end +``` + +## Properties + +Properties that can be accessed from the `google_logging_folder_log_sinks` resource: + +See [google_logging_folder_log_sink](google_logging_folder_log_sink) for more detailed information. + + * `folders`: an array of `google_logging_folder_log_sink` folder + * `names`: an array of `google_logging_folder_log_sink` name + * `filters`: an array of `google_logging_folder_log_sink` filter + * `destinations`: an array of `google_logging_folder_log_sink` destination + * `writer_identities`: an array of `google_logging_folder_log_sink` writer_identity + * `include_children`: an array of `google_logging_folder_log_sink` include_children + +## Filter criteria + +This resource supports all of the above properties as filter criteria, which can be used +with `where` as a block or a method. + +## GCP permissions + +Ensure the [Stackdriver Logging API](https://console.cloud.google.com/apis/library/logging.googleapis.com/) is enabled for the current project. 
diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_logging_organization_log_sink.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_logging_organization_log_sink.md new file mode 100644 index 0000000..c6b145a --- /dev/null +++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_logging_organization_log_sink.md 
@@ -0,0 +1,48 @@ ++++ +title = "google_logging_organization_log_sink resource" + +draft = false + + +[menu.gcp] +title = "google_logging_organization_log_sink" +identifier = "inspec/resources/gcp/google_logging_organization_log_sink resource" +parent = "inspec/resources/gcp" ++++ + +Use the `google_logging_organization_log_sink` InSpec audit resource to to test a Google Cloud OrganizationLogSink resource. + +## Examples + +```ruby +describe google_logging_organization_log_sink(organization: '190694428152', name: 'inspec-gcp-org-sink') do + it { should exist } + its('filter') { should cmp 'resource.type = gce_instance' } +end + +describe google_logging_organization_log_sink(organization: '190694428152', name: 'nonexistent') do + it { should_not exist } +end +``` + +## Properties + +Properties that can be accessed from the `google_logging_organization_log_sink` resource: + + + * `organization`: Id of the organization that this sink belongs to. + + * `name`: Name of the log sink. + + * `filter`: An advanced logs filter. The only exported log entries are those that are in the resource owning the sink and that match the filter. + + * `destination`: The export destination. + + * `writer_identity`: An IAM identity—a service account or group—under which Logging writes the exported log entries to the sink's destination. This field is set by sinks.create and sinks.update based on the value of uniqueWriterIdentity in those methods. + + * `include_children`: If the field is false, the default, only the logs owned by the sink's parent resource are available for export. If the field is true, then logs from all the projects, folders, and billing accounts contained in the sink's parent resource are also available for export. Whether a particular log entry from the children is exported depends on the sink's filter expression. 
+ + +## GCP permissions + +Ensure the [Stackdriver Logging API](https://console.cloud.google.com/apis/library/logging.googleapis.com/) is enabled for the current project. diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_logging_organization_log_sinks.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_logging_organization_log_sinks.md new file mode 100644 index 0000000..909f090 --- /dev/null +++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_logging_organization_log_sinks.md 
@@ -0,0 +1,43 @@ ++++ +title = "google_logging_organization_log_sinks resource" + +draft = false + + +[menu.gcp] +title = "google_logging_organization_log_sinks" +identifier = "inspec/resources/gcp/google_logging_organization_log_sinks resource" +parent = "inspec/resources/gcp" ++++ + +Use the `google_logging_organization_log_sinks` InSpec audit resource to to test a Google Cloud OrganizationLogSink resource. + +## Examples + +```ruby +describe google_logging_organization_log_sinks(organization: '190694428152') do + its('names') { should include 'inspec-gcp-org-sink' } +end +``` + +## Properties + +Properties that can be accessed from the `google_logging_organization_log_sinks` resource: + +See [google_logging_organization_log_sink](google_logging_organization_log_sink) for more detailed information. + + * `organizations`: an array of `google_logging_organization_log_sink` organization + * `names`: an array of `google_logging_organization_log_sink` name + * `filters`: an array of `google_logging_organization_log_sink` filter + * `destinations`: an array of `google_logging_organization_log_sink` destination + * `writer_identities`: an array of `google_logging_organization_log_sink` writer_identity + * `include_children`: an array of `google_logging_organization_log_sink` include_children + +## Filter criteria + +This resource supports all of the above properties as filter criteria, which can be used +with `where` as a block or a method. + +## GCP permissions + +Ensure the [Stackdriver Logging API](https://console.cloud.google.com/apis/library/logging.googleapis.com/) is enabled for the current project. diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_logging_project_exclusion.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_logging_project_exclusion.md new file mode 100644 index 0000000..fa72d89 --- /dev/null +++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_logging_project_exclusion.md 
@@ -0,0 +1,65 @@ ++++ +title = "google_logging_project_exclusion resource" + +draft = false + + +[menu.gcp] +title = "google_logging_project_exclusion" +identifier = "inspec/resources/gcp/google_logging_project_exclusion resource" +parent = "inspec/resources/gcp" ++++ + +Use the `google_logging_project_exclusion` InSpec audit resource to to test a Google Cloud ProjectExclusion resource. + +## Examples + +```ruby +describe google_logging_project_exclusion(project: 'chef-gcp-inspec', name: 'inspec-project-exclusion') do + it { should exist } + its('description'){ should cmp 'My project exclusion description' } + its('filter'){ should cmp 'resource.type = gce_instance AND severity <= DEBUG' } +end + +describe google_logging_project_exclusion(project: 'chef-gcp-inspec', name: 'nonexistent') do + it { should_not exist } +end +``` + +### Test that a GCP project logging exclusion name is as expected + + describe google_logging_project_exclusion(project: 'chef-inspec-gcp', exclusion: 'exclusion-name-abcd') do + its('name') { should eq 'exclusion-name-abcd' } + end + +### Test that a GCP project logging exclusion filter is set correctly + + describe google_logging_project_exclusion(project: 'chef-inspec-gcp', exclusion: 'exclusion-name-abcd') do + its('filter') { should eq 'resource.type = gce_instance AND severity <= DEBUG' } + end + +### Test that a GCP project logging exclusion description is as expected + + describe google_logging_project_exclusion(project: 'chef-inspec-gcp', exclusion: 'exclusion-name-abcd') do + its('description') { should eq 'Exclude GCE instance debug logs' } + end + +## Properties + +Properties that can be accessed from the `google_logging_project_exclusion` resource: + + + * `project`: Id of the project that this exclusion applies to. + + * `name`: Name of the exclusion, specified by the server during create. + + * `description`: A user provided description of this exclusion. + + * `filter`: An advanced logs filter. 
The only exported log entries are those that are in the resource owning the sink and that match the filter. + + * `disabled`: If set to true then this exclusion is disabled and it does not exclude any log entries. + + +## GCP permissions + +Ensure the [Stackdriver Logging API](https://console.cloud.google.com/apis/library/logging.googleapis.com/) is enabled for the current project. diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_logging_project_exclusions.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_logging_project_exclusions.md new file mode 100644 index 0000000..5efa6ef --- /dev/null +++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_logging_project_exclusions.md 
@@ -0,0 +1,42 @@ ++++ +title = "google_logging_project_exclusions resource" + +draft = false + + +[menu.gcp] +title = "google_logging_project_exclusions" +identifier = "inspec/resources/gcp/google_logging_project_exclusions resource" +parent = "inspec/resources/gcp" ++++ + +Use the `google_logging_project_exclusions` InSpec audit resource to to test a Google Cloud ProjectExclusion resource. + +## Examples + +```ruby +describe google_logging_project_exclusions(project: 'chef-gcp-inspec') do + its('names'){ should include 'inspec-folder-exclusion' } +end +``` + +## Properties + +Properties that can be accessed from the `google_logging_project_exclusions` resource: + +See [google_logging_project_exclusion](google_logging_project_exclusion) for more detailed information. + + * `projects`: an array of `google_logging_project_exclusion` project + * `names`: an array of `google_logging_project_exclusion` name + * `descriptions`: an array of `google_logging_project_exclusion` description + * `filters`: an array of `google_logging_project_exclusion` filter + * `disableds`: an array of `google_logging_project_exclusion` disabled + +## Filter criteria + +This resource supports all of the above properties as filter criteria, which can be used +with `where` as a block or a method. + +## GCP permissions + +Ensure the [Stackdriver Logging API](https://console.cloud.google.com/apis/library/logging.googleapis.com/) is enabled for the current project. diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_logging_project_sink.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_logging_project_sink.md new file mode 100644 index 0000000..3d722af --- /dev/null +++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_logging_project_sink.md 
@@ -0,0 +1,73 @@ ++++ +title = "google_logging_project_sink resource" + +draft = false + + +[menu.gcp] +title = "google_logging_project_sink" +identifier = "inspec/resources/gcp/google_logging_project_sink resource" +parent = "inspec/resources/gcp" ++++ + +Use the `google_logging_project_sink` InSpec audit resource to to test a Google Cloud ProjectSink resource. + +## Examples + +```ruby +describe google_logging_project_sink(project: 'chef-gcp-inspec', name: 'inspec-gcp-org-sink') do + it { should exist } + its('filter') { should cmp 'resource.type = gce_instance AND severity = DEBUG' } +end + +describe google_logging_project_sink(project: 'chef-gcp-inspec', name: 'nonexistent') do + it { should_not exist } +end +``` + +### Test that a GCP project logging sink destination is correct + + describe google_logging_project_sink(project: 'chef-inspec-gcp', sink: 'sink-name-abcd') do + its('destination') { should eq 'storage.googleapis.com/gcp-inspec-logging-bucket' } + end + +### Test that a GCP project logging sink filter is correct + + describe google_logging_project_sink(project: 'chef-inspec-gcp', sink: 'sink-name-abcd') do + its('filter') { should eq "resource.type = gce_instance AND resource.labels.instance_id = \"12345678910123123\"" } + end + +### Test a GCP project logging sink output version format + + describe google_logging_project_sink(project: 'chef-inspec-gcp', sink: 'sink-name-abcd') do + its('output_version_format') { should eq "V2" } + end + +### Test a GCP project logging sink writer identity is as expected + + describe google_logging_project_sink(project: 'chef-inspec-gcp', sink: 'sink-name-abcd') do + its('writer_identity') { should eq "serviceAccount:my-logging-service-account.iam.gserviceaccount.com" } + end + + +## Properties + +Properties that can be accessed from the `google_logging_project_sink` resource: + + + * `project`: Id of the project that this sink belongs to. + + * `name`: Name of the log sink. + + * `filter`: An advanced logs filter. 
The only exported log entries are those that are in the resource owning the sink and that match the filter. + + * `destination`: The export destination. + + * `writer_identity`: An IAM identity—a service account or group—under which Logging writes the exported log entries to the sink's destination. This field is set by sinks.create and sinks.update based on the value of uniqueWriterIdentity in those methods. + + * `include_children`: If the field is false, the default, only the logs owned by the sink's parent resource are available for export. If the field is true, then logs from all the projects, folders, and billing accounts contained in the sink's parent resource are also available for export. Whether a particular log entry from the children is exported depends on the sink's filter expression. + + +## GCP permissions + +Ensure the [Stackdriver Logging API](https://console.cloud.google.com/apis/library/logging.googleapis.com/) is enabled for the current project. diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_logging_project_sinks.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_logging_project_sinks.md new file mode 100644 index 0000000..72bde09 --- /dev/null +++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_logging_project_sinks.md 
@@ -0,0 +1,69 @@ ++++ +title = "google_logging_project_sinks resource" + +draft = false + + +[menu.gcp] +title = "google_logging_project_sinks" +identifier = "inspec/resources/gcp/google_logging_project_sinks resource" +parent = "inspec/resources/gcp" ++++ + +Use the `google_logging_project_sinks` InSpec audit resource to to test a Google Cloud ProjectSink resource. + +## Examples + +```ruby +describe google_logging_project_sinks(project: 'chef-gcp-inspec') do + its('names') { should include 'inspec-gcp-org-sink' } +end +``` + +### Test that there are no more than a specified number of sinks available for the project + + describe google_logging_project_sinks(project: 'chef-inspec-gcp') do + its('count') { should be <= 100} + end + +### Test that an expected sink name is available for the project + + describe google_logging_project_sinks(project: 'chef-inspec-gcp') do + its('sink_names') { should include "my-sink" } + end + +### Test that an expected sink destination is available for the project + + describe google_logging_project_sinks(project: 'chef-inspec-gcp') do + its('sink_destinations') { should include "storage.googleapis.com/a-logging-bucket" } + end + +### Test that a subset of all sinks matching "project*" have a particular writer identity + + google_logging_project_sinks(project: 'chef-inspec-gcp').where(sink_name: /project/).sink_names.each do |sink_name| + describe google_logging_project_sink(project: 'chef-inspec-gcp', sink: sink_name) do + its('writer_identity') { should eq "serviceAccount:my-logging-service-account.iam.gserviceaccount.com" } + end + end + +## Properties + +Properties that can be accessed from the `google_logging_project_sinks` resource: + +See [google_logging_project_sink](google_logging_project_sink) for more detailed information. 
+ + * `projects`: an array of `google_logging_project_sink` project + * `names`: an array of `google_logging_project_sink` name + * `filters`: an array of `google_logging_project_sink` filter + * `destinations`: an array of `google_logging_project_sink` destination + * `writer_identities`: an array of `google_logging_project_sink` writer_identity + * `include_children`: an array of `google_logging_project_sink` include_children + +## Filter criteria + +This resource supports all of the above properties as filter criteria, which can be used +with `where` as a block or a method. + +## GCP permissions + +Ensure the [Stackdriver Logging API](https://console.cloud.google.com/apis/library/logging.googleapis.com/) is enabled for the current project. diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_memcache_instance.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_memcache_instance.md new file mode 100644 index 0000000..d880cac --- /dev/null +++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_memcache_instance.md 
@@ -0,0 +1,82 @@
++++
+title = "google_memcache_instance resource"
+
+draft = false
+
+
+[menu.gcp]
+title = "google_memcache_instance"
+identifier = "inspec/resources/gcp/google_memcache_instance resource"
+parent = "inspec/resources/gcp"
++++
+
+Use the `google_memcache_instance` InSpec audit resource to to test a Google Cloud Instance resource.
+
+## Examples
+
+```ruby
+describe google_memcache_instance(project: 'chef-gcp-inspec', region: 'europe-west2', name: 'mem-instance') do
+ it { should exist }
+ its('node_count') { should cmp 1 }
+end
+
+describe google_memcache_instance(project: 'chef-gcp-inspec', region: 'europe-west2', name: "nonexistent") do
+ it { should_not exist }
+end
+```
+
+## Properties
+
+Properties that can be accessed from the `google_memcache_instance` resource:
+
+
+ * `name`: (Beta only) The resource name of the instance.
+
+ * `display_name`: (Beta only) A user-visible name for the instance.
+
+ * `memcache_nodes`: (Beta only) Additional information about the instance state, if available.
+
+ * `node_id`: (Beta only) Identifier of the Memcached node. The node id does not include project or location like the Memcached instance name.
+
+ * `zone`: (Beta only) Location (GCP Zone) for the Memcached node.
+
+ * `port`: (Beta only) The port number of the Memcached server on this node.
+
+ * `host`: (Beta only) Hostname or IP address of the Memcached node used by the clients to connect to the Memcached server on this node.
+
+ * `state`: (Beta only) Current state of the Memcached node.
+
+ * `create_time`: (Beta only) Creation timestamp in RFC3339 text format.
+
+ * `discovery_endpoint`: (Beta only) Endpoint for Discovery API
+
+ * `labels`: (Beta only) Resource labels to represent user-provided metadata.
+
+ * `memcache_full_version`: (Beta only) The full version of memcached server running on this instance.
+
+ * `zones`: (Beta only) Zones where memcache nodes should be provisioned. If not provided, all zones will be used.
+
+ * `authorized_network`: (Beta only) The full name of the GCE network to connect the instance to. If not provided, 'default' will be used.
+
+ * `node_count`: (Beta only) Number of nodes in the memcache instance.
+
+ * `memcache_version`: (Beta only) The major version of Memcached software. If not provided, latest supported version will be used. Currently the latest supported major version is MEMCACHE_1_5. The minor version will be automatically determined by our system based on the latest supported minor version.
+ Possible values:
+ * MEMCACHE_1_5
+
+ * `node_config`: (Beta only) Configuration for memcache nodes.
+
+ * `cpu_count`: (Beta only) Number of CPUs per node.
+
+ * `memory_size_mb`: (Beta only) Memory size in Mebibytes for each memcache node.
+
+ * `parameters`: (Beta only) User-specified parameters for this memcache instance.
+
+ * `id`: (Beta only) This is a unique ID associated with this set of parameters.
+
+ * `params`: (Beta only) User-defined set of parameters to use in the memcache process.
+
+ * `region`: (Beta only) The region of the Memcache instance. If it is not provided, the provider region is used.
+
+
+## GCP permissions
diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_memcache_instances.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_memcache_instances.md
new file mode 100644
index 0000000..b6ddbf4
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_memcache_instances.md
@@ -0,0 +1,50 @@
++++
+title = "google_memcache_instances resource"
+
+draft = false
+
+
+[menu.gcp]
+title = "google_memcache_instances"
+identifier = "inspec/resources/gcp/google_memcache_instances resource"
+parent = "inspec/resources/gcp"
++++
+
+Use the `google_memcache_instances` InSpec audit resource to to test a Google Cloud Instance resource.
+
+## Examples
+
+```ruby
+describe google_memcache_instances(project: 'chef-gcp-inspec', region: 'europe-west2') do
+ its('count') { should be >= 1 }
+ its('node_counts') { should include 1 }
+end
+```
+
+## Properties
+
+Properties that can be accessed from the `google_memcache_instances` resource:
+
+See [google_memcache_instance](google_memcache_instance) for more detailed information.
+
+ * `names`: (Beta only) an array of `google_memcache_instance` name
+ * `display_names`: (Beta only) an array of `google_memcache_instance` display_name
+ * `memcache_nodes`: (Beta only) an array of `google_memcache_instance` memcache_nodes
+ * `create_times`: (Beta only) an array of `google_memcache_instance` create_time
+ * `discovery_endpoints`: (Beta only) an array of `google_memcache_instance` discovery_endpoint
+ * `labels`: (Beta only) an array of `google_memcache_instance` labels
+ * `memcache_full_versions`: (Beta only) an array of `google_memcache_instance` memcache_full_version
+ * `zones`: (Beta only) an array of `google_memcache_instance` zones
+ * `authorized_networks`: (Beta only) an array of `google_memcache_instance` authorized_network
+ * `node_counts`: (Beta only) an array of `google_memcache_instance` node_count
+ * `memcache_versions`: (Beta only) an array of `google_memcache_instance` memcache_version
+ * `node_configs`: (Beta only) an array of `google_memcache_instance` node_config
+ * `parameters`: (Beta only) an array of `google_memcache_instance` parameters
+ * `regions`: (Beta only) an array of `google_memcache_instance` region
+
+## Filter criteria
+
+This resource supports all of the above properties
as filter criteria, which can be used
+with `where` as a block or a method.
+
+## GCP permissions
diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_ml_engine_model.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_ml_engine_model.md
new file mode 100644
index 0000000..02e9c35
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_ml_engine_model.md
@@ -0,0 +1,55 @@
++++
+title = "google_ml_engine_model resource"
+
+draft = false
+
+
+[menu.gcp]
+title = "google_ml_engine_model"
+identifier = "inspec/resources/gcp/google_ml_engine_model resource"
+parent = "inspec/resources/gcp"
++++
+
+Use the `google_ml_engine_model` InSpec audit resource to to test a Google Cloud Model resource.
+
+## Examples
+
+```ruby
+describe google_ml_engine_model(project: 'chef-gcp-inspec', name: 'ml_model') do
+ it { should exist }
+ its('description') { should cmp 'My awesome ML model' }
+ its('regions') { should include 'us-central1' }
+ its('online_prediction_logging') { should cmp 'true' }
+ its('online_prediction_console_logging') { should cmp 'true' }
+end
+
+describe google_ml_engine_model(project: 'chef-gcp-inspec', name: 'nonexistent') do
+ it { should_not exist }
+end
+```
+
+## Properties
+
+Properties that can be accessed from the `google_ml_engine_model` resource:
+
+
+ * `name`: The name specified for the model.
+
+ * `description`: The description specified for the model when it was created.
+
+ * `default_version`: The default version of the model. This version will be used to handle prediction requests that do not specify a version.
+
+ * `name`: The name specified for the version when it was created.
+
+ * `regions`: The list of regions where the model is going to be deployed. Currently only one region per model is supported
+
+ * `online_prediction_logging`: If true, online prediction access logs are sent to StackDriver Logging.
+
+ * `online_prediction_console_logging`: If true, online prediction nodes send stderr and stdout streams to Stackdriver Logging
+
+ * `labels`: One or more labels that you can add, to organize your models.
+
+
+## GCP permissions
+
+Ensure the [Cloud ML](https://console.cloud.google.com/apis/library/ml.googleapis.com) is enabled for the current project.
diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_ml_engine_models.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_ml_engine_models.md
new file mode 100644
index 0000000..44a7aa9
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_ml_engine_models.md
@@ -0,0 +1,46 @@
++++
+title = "google_ml_engine_models resource"
+
+draft = false
+
+
+[menu.gcp]
+title = "google_ml_engine_models"
+identifier = "inspec/resources/gcp/google_ml_engine_models resource"
+parent = "inspec/resources/gcp"
++++
+
+Use the `google_ml_engine_models` InSpec audit resource to to test a Google Cloud Model resource.
+
+## Examples
+
+```ruby
+describe google_ml_engine_models(project: 'chef-gcp-inspec') do
+ its('descriptions') { should include 'My awesome ML model' }
+ its('online_prediction_loggings') { should include 'true' }
+ its('online_prediction_console_loggings') { should include 'true' }
+end
+```
+
+## Properties
+
+Properties that can be accessed from the `google_ml_engine_models` resource:
+
+See [google_ml_engine_model](google_ml_engine_model) for more detailed information.
+
+ * `names`: an array of `google_ml_engine_model` name
+ * `descriptions`: an array of `google_ml_engine_model` description
+ * `default_versions`: an array of `google_ml_engine_model` default_version
+ * `regions`: an array of `google_ml_engine_model` regions
+ * `online_prediction_loggings`: an array of `google_ml_engine_model` online_prediction_logging
+ * `online_prediction_console_loggings`: an array of `google_ml_engine_model` online_prediction_console_logging
+ * `labels`: an array of `google_ml_engine_model` labels
+
+## Filter criteria
+
+This resource supports all of the above properties as filter criteria, which can be used
+with `where` as a block or a method.
+
+## GCP permissions
+
+Ensure the [Cloud ML](https://console.cloud.google.com/apis/library/ml.googleapis.com) is enabled for the current project.
diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_monitoring_group.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_monitoring_group.md
new file mode 100644
index 0000000..5e14905
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_monitoring_group.md
@@ -0,0 +1,53 @@
++++
+title = "google_monitoring_group resource"
+
+draft = false
+
+
+
+[menu.gcp]
+title = "google_monitoring_group"
+identifier = "inspec/resources/gcp/google_monitoring_group resource"
+parent = "inspec/resources/gcp"
++++
+
+Use the `google_monitoring_group` InSpec audit resource to test the properties of a Google Cloud Group resource.
+
+## Examples
+
+```ruby
+describe google_monitoring_group(name: 'projects/*/groups/value_group_id') do
+ it { should exist }
+ its('name') { should cmp 'value_name' }
+ its('display_name') { should cmp 'value_displayname' }
+ its('filter') { should cmp 'value_filter' }
+end
+
+describe google_monitoring_group(name: "does_not_exit") do
+ it { should_not exist }
+end
+```
+
+## Parameters
+
+Parameters that can be accessed from the `google_monitoring_group` resource:
+
+## Properties
+
+Properties that can be accessed from the `google_monitoring_group` resource:
+
+
+ * `name`: Output only. The name of this group. The format is: projects/[PROJECT_ID_OR_NUMBER]/groups/[GROUP_ID] When creating a group, this field is ignored and a new name is created consisting of the project specified in the call to CreateGroup and a unique [GROUP_ID] that is generated automatically.
+
+ * `display_name`: A user-assigned name for this group, used only for display purposes.
+
+ * `parent_name`: The name of the group's parent, if it has one. The format is: projects/[PROJECT_ID_OR_NUMBER]/groups/[GROUP_ID] For groups with no parent, parent_name is the empty string, "".
+
+ * `filter`: The filter used to determine which monitored resources belong to this group.
+
+ * `is_cluster`: If true, the members of this group are considered to be a cluster. The system can perform additional analysis on groups that are clusters.
+
+
+## GCP permissions
+
+Ensure the [Stackdriver Monitoring API](https://console.cloud.google.com/apis/library/monitoring.googleapis.com/) is enabled for the current project.
diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_monitoring_groups.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_monitoring_groups.md
new file mode 100644
index 0000000..23923e1
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_monitoring_groups.md
@@ -0,0 +1,58 @@
++++
+title = "google_monitoring_groups resource"
+
+draft = false
+
+
+
+[menu.gcp]
+title = "google_monitoring_groups"
+identifier = "inspec/resources/gcp/google_monitoring_groups resource"
+parent = "inspec/resources/gcp"
++++
+
+Use the `google_monitoring_groups` InSpec audit resource to test the properties of a Google Cloud Group resource.
+
+## Examples
+
+```ruby
+ describe google_monitoring_groups(name: 'projects/*') do
+ it { should exist }
+ its('names') { should include 'value_name' }
+ its('display_names') { should include 'value_displayname' }
+ its('filters') { should include 'value_filter' }
+ end
+```
+
+## Parameters
+
+Parameters that can be accessed from the `google_monitoring_groups` resource:
+
+See [google_monitoring_group](google_monitoring_group) for more detailed information.
+
+* `names`: an array of `google_monitoring_group` name
+* `display_names`: an array of `google_monitoring_group` display_name
+* `parent_names`: an array of `google_monitoring_group` parent_name
+* `filters`: an array of `google_monitoring_group` filter
+* `is_clusters`: an array of `google_monitoring_group` is_cluster
+
+## Properties
+
+Properties that can be accessed from the `google_monitoring_groups` resource:
+
+See [google_monitoring_group](google_monitoring_group) for more detailed information.
+
+* `names`: an array of `google_monitoring_group` name
+* `display_names`: an array of `google_monitoring_group` display_name
+* `parent_names`: an array of `google_monitoring_group` parent_name
+* `filters`: an array of `google_monitoring_group` filter
+* `is_clusters`: an array of `google_monitoring_group` is_cluster
+
+## Filter criteria
+
+This resource supports all of the above properties as filter criteria, which can be used
+with `where` as a block or a method.
+
+## GCP permissions
+
+Ensure the [Stackdriver Monitoring API](https://console.cloud.google.com/apis/library/monitoring.googleapis.com/) is enabled for the current project.
diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_organization.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_organization.md
new file mode 100644
index 0000000..5e06e66
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_organization.md
@@ -0,0 +1,60 @@
++++
+title = "google_organization resource"
+
+draft = false
+
+
+[menu.gcp]
+title = "google_organization"
+identifier = "inspec/resources/gcp/google_organization resource"
+parent = "inspec/resources/gcp"
++++
+
+Use the `google_organization` InSpec audit resource to to test a Google Cloud Organization resource.
+
+## Examples
+
+```ruby
+describe google_organization(name: "organizations/123456") do
+ its('name') { should eq "organizations/123456" }
+ its('lifecycle_state') { should cmp 'ACTIVE' }
+end
+```
+
+### Test that a GCP organization has the expected name
+
+ describe google_organization(name: 'organizations/1234') do
+ its('name') { should eq 'organizations/1234' }
+ end
+
+### Test that a GCP organization has the expected lifecycle state e.g. "ACTIVE"
+
+ describe google_organization(display_name: 'google.com') do
+ its('lifecycle_state') { should eq "ACTIVE" }
+ end
+
+## Properties
+
+Properties that can be accessed from the `google_organization` resource:
+
+
+ * `name`: The resource name of the organization. This is the organization's relative path in the API. Its format is "organizations/[organizationId]". For example, "organizations/1234".
+
+ * `display_name`: A human-readable string that refers to the Organization in the GCP Console UI. This string is set by the server and cannot be changed. The string will be set to the primary domain (for example, "google.com") of the G Suite customer that owns the organization.
+
+ * `lifecycle_state`: The lifecycle state of the folder. Updates to the lifecycleState must be performed via folders.delete and folders.undelete.
+ Possible values:
+ * LIFECYCLE_STATE_UNSPECIFIED
+ * ACTIVE
+ * DELETE_REQUESTED
+
+ * `creation_time`: Timestamp when the Organization was created. Assigned by the server.
+
+ * `owner`: The entity that owns the Organization
+
+ * `directory_customer_id`: The G Suite customer id used in the Directory API
+
+
+## GCP permissions
+
+Ensure the [Cloud Resource Manager API](https://console.cloud.google.com/apis/library/cloudresourcemanager.googleapis.com/) is enabled for the current project.
diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_organization_iam_binding.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_organization_iam_binding.md
new file mode 100644
index 0000000..90c74ee
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_organization_iam_binding.md
@@ -0,0 +1,38 @@
++++
+title = "google_organization_iam_binding resource"
+
+draft = false
+
+
+[menu.gcp]
+title = "google_organization_iam_binding"
+identifier = "inspec/resources/gcp/google_organization_iam_binding resource"
+parent = "inspec/resources/gcp"
++++
+
+## Syntax
+
+A `google_organization_iam_binding` is used to test a Google Organization Iam Bindings
+
+## Examples
+
+```ruby
+describe google_organization_iam_binding(name: "name", role: "roles/editor") do
+ it { should exist }
+ its('members') { should include 'user:testuser@example.com' }
+end
+```
+
+
+## Properties
+
+Properties that can be accessed from the `google_organization_iam_binding` resource:
+
+ * `role`: Role that is assigned to members. For example, roles/viewer, roles/editor, or roles/owner.
+
+ * `members`: Specifies the identities requesting access for a Cloud Platform resource.
+
+
+## GCP permissions
+
+Ensure the [Cloud Resource Manager API](https://console.cloud.google.com/apis/library/cloudresourcemanager.googleapis.com/) is enabled for the current project.
diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_organization_iam_policy.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_organization_iam_policy.md
new file mode 100644
index 0000000..8a51722
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_organization_iam_policy.md 
@@ -0,0 +1,58 @@
++++
+title = "google_organization_iam_policy resource"
+
+draft = false
+
+
+[menu.gcp]
+title = "google_organization_iam_policy"
+identifier = "inspec/resources/gcp/google_organization_iam_policy resource"
+parent = "inspec/resources/gcp"
++++
+
+## Syntax
+
+A `google_organization_iam_policy` is used to test a Google Organization Iam Policy resource.
+
+## Examples
+
+```ruby
+describe google_organization_iam_policy(name: "name") do
+ it { should exist }
+end
+
+google_organization_iam_policy(name: "name").bindings.each do |binding|
+ describe binding do
+ its('role') { should eq 'roles/editor'}
+ its('members') { should include 'user:testuser@example.com'}
+ end
+end
+```
+
+## Properties
+
+Properties that can be accessed from the `google_organization_iam_policy` resource:
+
+ * `iam_binding_roles`: The list of roles that exist on the policy.
+
+ * `bindings`: Associates a list of members to a role.
+
+ * `role`: Role that is assigned to members. For example, roles/viewer, roles/editor, or roles/owner.
+
+ * `members`: Specifies the identities requesting access for a Cloud Platform resource.
+
+ * `audit_configs`: Specifies cloud audit logging configuration for this policy.
+
+ * `service`: Specifies a service that will be enabled for audit logging. For example, `storage.googleapis.com`, `cloudsql.googleapis.com`. `allServices` is a special value that covers all services.
+
+ * `audit_log_configs`: The configuration for logging of each type of permission.
+
+ * `log_type`: The log type that this config enables. For example, ADMIN_READ, DATA_WRITE or DATA_READ
+
+ * `exempted_members`: Specifies the identities that do not cause logging for this type of permission.
+
+
+
+## GCP permissions
+
+Ensure the [Cloud Resource Manager API](https://console.cloud.google.com/apis/library/cloudresourcemanager.googleapis.com/) is enabled for the current project.
diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_organization_policy.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_organization_policy.md
new file mode 100644
index 0000000..e055299
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_organization_policy.md
@@ -0,0 +1,75 @@
++++
+title = "google_organization_policy resource"
+
+draft = false
+
+
+[menu.gcp]
+title = "google_organization_policy"
+identifier = "inspec/resources/gcp/google_organization_policy resource"
+parent = "inspec/resources/gcp"
++++
+
+# google\_organization\_policy
+
+**This resource is deprecated. Please use `google_orgpolicy_organization_policy` instead**
+
+Use the `google_organization_policy` InSpec audit resource to test constraints set on a GCP organization.
+
+
+## Syntax
+
+Google organization policies can restrict certain GCP services. For more information see https://cloud.google.com/resource-manager/docs/organization-policy/understanding-constraints
+
+A `google_organization_policy` resource block declares the tests for a single GCP organization constraint identified by the pair of the `name` of the organization and the `constraint`:
+
+ describe google_organization_policy(name: 'organizations/123456', constraint: 'constraints/compute.disableGuestAttributesAccess') do
+ it { should exist }
+ its('boolean_policy.enforced') { should be true }
+ end
+
+
+
+## Examples
+
+The following examples show how to use this InSpec audit resource.
+
+### Test that a GCP organization has a specific constraint enforced
+
+ describe google_organization_policy(name: 'organizations/123456', constraint: 'constraints/compute.disableGuestAttributesAccess') do
+ it { should exist }
+ its('boolean_policy.enforced') { should be true }
+ end
+
+### Test that a GCP organization has certain values allowed for a list constraint
+
+ describe google_organization_policy(name: 'organizations/123456', constraint: 'constraints/someListConstraint') do
+ it { should exist }
+ its('list_policy.allowed_values') { should include 'included_val' }
+ its('list_policy.allowed_values') { should_not include 'excluded' }
+ its('list_policy.denied_values') { should include 'denied' }
+ end
+
+
+
+## Properties
+
+ * `update_time`: The time stamp this policy was last updated.
+
+ * `boolean_policy`: Only available for constraints that are boolean policies.
+
+ * `enforced`: Boolean for if this policy is enforced.
+
+ * `list_policy`: Available for list policies.
+
+ * `allowed_values`: List of values allowed at this resource.
+
+ * `denied_values`: List of values denied at this resource.
+
+
+
+
+## GCP permissions
+
+Ensure the [Cloud Resource Manager API](https://console.cloud.google.com/apis/library/cloudresourcemanager.googleapis.com/) is enabled for the project.
diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_organizations.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_organizations.md
new file mode 100644
index 0000000..5b9bc64
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_organizations.md
@@ -0,0 +1,74 @@
++++
+title = "google_organizations resource"
+
+draft = false
+
+
+[menu.gcp]
+title = "google_organizations"
+identifier = "inspec/resources/gcp/google_organizations resource"
+parent = "inspec/resources/gcp"
++++
+
+Use the `google_organizations` InSpec audit resource to to test a Google Cloud Organization resource.
+
+## Examples
+
+```ruby
+describe google_organizations do
+ its('names') { should include "organizations/123456" }
+end
+```
+
+### Test that there are no more than a specified number of organizations available
+
+ describe google_organizations do
+ its('count') { should be <= 100}
+ end
+
+### Test that an expected organization name is available
+
+ describe google_organizations do
+ its('names') { should include "organization/1234" }
+ end
+
+### Test that an expected organization display name is available
+
+ describe google_organizations do
+ its('display_names') { should include "google.com" }
+ end
+
+### Test that all organizations are ACTIVE
+
+ describe google_organizations do
+ its('lifecycle_state'){ should eq 'ACTIVE' }
+ end
+
+### Test that a particular subset of ACTIVE organizations with display name 'goog*' exist
+
+ google_organizations.where(display_name: /^goog/, lifecycle_state: 'ACTIVE').names.each do |name|
+ describe google_organization(name: name) do
+ it { should exist }
+ end
+ end
+
+## Properties
+
+Properties that can be accessed from the `google_organizations` resource:
+
+See [google_organization](google_organization) for more detailed information.
+
+ * `names`: an array of `google_organization` name
+ * `display_names`: an array of `google_organization` display_name
+ * `lifecycle_states`: an array of `google_organization` lifecycle_state
+ * `creation_times`: an array of `google_organization` creation_time
+ * `owners`: an array of `google_organization` owner
+
+## Filter criteria
+
+This resource supports all of the above properties as filter criteria, which can be used
+with `where` as a block or a method.
+
+## GCP permissions
+
+Ensure the [Cloud Resource Manager API](https://console.cloud.google.com/apis/library/cloudresourcemanager.googleapis.com/) is enabled for the current project.
diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_orgpolicy_folder_constraints.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_orgpolicy_folder_constraints.md
new file mode 100644
index 0000000..7e84b32
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_orgpolicy_folder_constraints.md
@@ -0,0 +1,59 @@
++++
+title = "google_orgpolicy_folder_constraints resource"
+
+draft = false
+
+
+[menu.gcp]
+title = "google_orgpolicy_folder_constraints"
+identifier = "inspec/resources/gcp/google_orgpolicy_folder_constraints resource"
+parent = "inspec/resources/gcp"
++++
+
+Use the `google_orgpolicy_folder_constraints` InSpec audit resource to to test a Google Cloud FolderConstraint resource.
+
+## Examples
+
+```ruby
+ describe google_orgpolicy_folder_constraints(parent: ' value_parent') do
+ it { should exist }
+ its('names') { should include 'value_name'}
+ its('display_names') { should include 'value_displayName'}
+ its('descriptions') { should include 'value_description'}
+ its('constraint_defaults') { should include 'value_constraint_default'}
+ its('list_constraints') { should include 'value_list_constraint'}
+ end
+```
+
+## Properties
+
+Properties that can be accessed from the `google_orgpolicy_folder_constraints` resource:
+
+ * `display_names`: The human readable name. Mutable.
+
+ * `descriptions`: Detailed description of what this constraint controls as well as how and where it is enforced. Mutable.
+
+ * `constraint_defaults`: The evaluation behavior of this constraint in the absence of a policy.
+ Possible values:
+ * CONSTRAINT_DEFAULT_UNSPECIFIED
+ * ALLOW
+ * DENY
+
+ * `supports_dry_runs`: Shows if dry run is supported for this constraint or not.
+
+ * `names`: Immutable. The resource name of the constraint. Must be in one of the following forms: * `projects/{project_number}/constraints/{constraint_name}` * `folders/{folder_id}/constraints/{constraint_name}` * `organizations/{organization_id}/constraints/{constraint_name}` For example, "/projects/123/constraints/compute.disableSerialPortAccess".
+
+ * `list_constraints`: A constraint that allows or disallows a list of string values, which are configured by an Organization Policy administrator with a policy.
+
+ * `supports_under`: Indicates whether subtrees of the Resource Manager resource hierarchy can be used in `Policy.allowed_values` and `Policy.denied_values`. For example, `"under:folders/123"` would match any resource under the 'folders/123' folder.
+
+ * `supports_in`: Indicates whether values grouped into categories can be used in `Policy.allowed_values` and `Policy.denied_values`. For example, `"in:Python"` would match any value in the 'Python' group.
+
+## Filter criteria
+
+This resource supports all of the above properties as filter criteria, which can be used
+with `where` as a block or a method.
+
+## GCP permissions
+
+Ensure the [https://orgpolicy.googleapis.com/](https://console.cloud.google.com/apis/library/orgpolicy.googleapis.com/) is enabled for the current project.
diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_orgpolicy_folder_policies.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_orgpolicy_folder_policies.md
new file mode 100644
index 0000000..2cfcbe8
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_orgpolicy_folder_policies.md
@@ -0,0 +1,41 @@
++++
+title = "google_orgpolicy_folder_policies resource"
+
+draft = false
+
+
+[menu.gcp]
+title = "google_orgpolicy_folder_policies"
+identifier = "inspec/resources/gcp/google_orgpolicy_folder_policies resource"
+parent = "inspec/resources/gcp"
++++
+
+Use the `google_orgpolicy_folder_policies` InSpec audit resource to to test a Google Cloud FolderPolicy resource.
+
+## Examples
+
+```ruby
+ describe google_orgpolicy_folder_policies(parent: ' value_parent') do
+ it { should exist }
+ end
+```
+
+## Properties
+
+Properties that can be accessed from the `google_orgpolicy_folder_policies` resource:
+
+See [google_orgpolicy_folder_policy](google_orgpolicy_folder_policy) for more detailed information.
+
+ * `dry_run_specs`: an array of `google_orgpolicy_folder_policy` dry_run_spec
+ * `specs`: an array of `google_orgpolicy_folder_policy` spec
+ * `names`: an array of `google_orgpolicy_folder_policy` name
+ * `alternates`: an array of `google_orgpolicy_folder_policy` alternate
+
+## Filter criteria
+
+This resource supports all of the above properties as filter criteria, which can be used
+with `where` as a block or a method.
+
+## GCP permissions
+
+Ensure the [https://orgpolicy.googleapis.com/](https://console.cloud.google.com/apis/library/orgpolicy.googleapis.com/) is enabled for the current project.
diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_orgpolicy_folder_policy.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_orgpolicy_folder_policy.md
new file mode 100644
index 0000000..4775252
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_orgpolicy_folder_policy.md
@@ -0,0 +1,145 @@ ++++ +title = "google_orgpolicy_folder_policy resource" + +draft = false + + +[menu.gcp] +title = "google_orgpolicy_folder_policy" +identifier = "inspec/resources/gcp/google_orgpolicy_folder_policy resource" +parent = "inspec/resources/gcp" ++++ + +Use the `google_orgpolicy_folder_policy` InSpec audit resource to to test a Google Cloud FolderPolicy resource. + +## Examples + +```ruby +describe google_orgpolicy_folder_policy(parent: 'value_parent', name: ' value_name') do + it { should exist } + its('name') { should cmp 'value_name' } + +end + +describe google_orgpolicy_folder_policy(parent: 'value_parent', name: ' value_name') do + it { should_not exist } +end +``` + +## Properties + +Properties that can be accessed from the `google_orgpolicy_folder_policy` resource: + + + * `dry_run_spec`: Defines a Google Cloud policy specification which is used to specify constraints for configurations of Google Cloud resources. + + * `update_time`: Output only. The time stamp this was previously updated. This represents the last time a call to `CreatePolicy` or `UpdatePolicy` was made for that policy. + + * `rules`: In policies for boolean constraints, the following requirements apply: - There must be one and only one policy rule where condition is unset. - Boolean policy rules with conditions must set `enforced` to the opposite of the policy rule without a condition. - During policy evaluation, policy rules with conditions that are true for a target resource take precedence. + + * `condition`: Represents a textual expression in the Common Expression Language (CEL) syntax. CEL is a C-like expression language. The syntax and semantics of CEL are documented at https://github.com/google/cel-spec. 
Example (Comparison): title: "Summary size limit" description: "Determines if a summary is less than 100 chars" expression: "document.summary.size() < 100" Example (Equality): title: "Requestor is owner" description: "Determines if requestor is the document owner" expression: "document.owner == request.auth.claims.email" Example (Logic): title: "Public documents" description: "Determine whether the document should be publicly visible" expression: "document.type != 'private' && document.type != 'internal'" Example (Data Manipulation): title: "Notification string" description: "Create a notification string with a timestamp." expression: "'New message received at ' + string(document.create_time)" The exact variables and functions that may be referenced within an expression are determined by the service that evaluates it. See the service documentation for additional information. + + * `title`: Optional. Title for the expression, i.e. a short string describing its purpose. This can be used e.g. in UIs which allow to enter the expression. + + * `location`: Optional. String indicating the location of the expression for error reporting, e.g. a file name and a position in the file. + + * `expression`: Textual representation of an expression in Common Expression Language syntax. + + * `description`: Optional. Description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI. + + * `deny_all`: Setting this to true means that all values are denied. This field can be set only in policies for list constraints. + + * `allow_all`: Setting this to true means that all values are allowed. This field can be set only in policies for list constraints. + + * `enforce`: If `true`, then the policy is enforced. If `false`, then any configuration is acceptable. This field can be set only in policies for boolean constraints. + + * `values`: A message that holds specific allowed and denied values. 
This message can define specific values and subtrees of the Resource Manager resource hierarchy (`Organizations`, `Folders`, `Projects`) that are allowed or denied. This is achieved by using the `under:` and optional `is:` prefixes. The `under:` prefix is used to denote resource subtree values. The `is:` prefix is used to denote specific values, and is required only if the value contains a ":". Values prefixed with "is:" are treated the same as values with no prefix. Ancestry subtrees must be in one of the following formats: - `projects/` (for example, `projects/tokyo-rain-123`) - `folders/` (for example, `folders/1234`) - `organizations/` (for example, `organizations/1234`) The `supports_under` field of the associated `Constraint` defines whether ancestry prefixes can be used. + + * `denied_values`: List of values denied at this resource. + + * `allowed_values`: List of values allowed at this resource. + + * `etag`: An opaque tag indicating the current version of the policySpec, used for concurrency control. This field is ignored if used in a `CreatePolicy` request. When the policy is returned from either a `GetPolicy` or a `ListPolicies` request, this `etag` indicates the version of the current policySpec to use when executing a read-modify-write loop. When the policy is returned from a `GetEffectivePolicy` request, the `etag` will be unset. + + * `reset`: Ignores policies set above this resource and restores the `constraint_default` enforcement behavior of the specific constraint at this resource. This field can be set in policies for either list or boolean constraints. If set, `rules` must be empty and `inherit_from_parent` must be set to false. + + * `inherit_from_parent`: Determines the inheritance behavior for this policy. If `inherit_from_parent` is true, policy rules set higher up in the hierarchy (up to the closest root) are inherited and present in the effective policy. 
If it is false, then no rules are inherited, and this policy becomes the new root for evaluation. This field can be set only for policies which configure list constraints. + + * `spec`: Defines a Google Cloud policy specification which is used to specify constraints for configurations of Google Cloud resources. + + * `update_time`: Output only. The time stamp this was previously updated. This represents the last time a call to `CreatePolicy` or `UpdatePolicy` was made for that policy. + + * `rules`: In policies for boolean constraints, the following requirements apply: - There must be one and only one policy rule where condition is unset. - Boolean policy rules with conditions must set `enforced` to the opposite of the policy rule without a condition. - During policy evaluation, policy rules with conditions that are true for a target resource take precedence. + + * `condition`: Represents a textual expression in the Common Expression Language (CEL) syntax. CEL is a C-like expression language. The syntax and semantics of CEL are documented at https://github.com/google/cel-spec. Example (Comparison): title: "Summary size limit" description: "Determines if a summary is less than 100 chars" expression: "document.summary.size() < 100" Example (Equality): title: "Requestor is owner" description: "Determines if requestor is the document owner" expression: "document.owner == request.auth.claims.email" Example (Logic): title: "Public documents" description: "Determine whether the document should be publicly visible" expression: "document.type != 'private' && document.type != 'internal'" Example (Data Manipulation): title: "Notification string" description: "Create a notification string with a timestamp." expression: "'New message received at ' + string(document.create_time)" The exact variables and functions that may be referenced within an expression are determined by the service that evaluates it. See the service documentation for additional information. 
+ + * `title`: Optional. Title for the expression, i.e. a short string describing its purpose. This can be used e.g. in UIs which allow to enter the expression. + + * `location`: Optional. String indicating the location of the expression for error reporting, e.g. a file name and a position in the file. + + * `expression`: Textual representation of an expression in Common Expression Language syntax. + + * `description`: Optional. Description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI. + + * `deny_all`: Setting this to true means that all values are denied. This field can be set only in policies for list constraints. + + * `allow_all`: Setting this to true means that all values are allowed. This field can be set only in policies for list constraints. + + * `enforce`: If `true`, then the policy is enforced. If `false`, then any configuration is acceptable. This field can be set only in policies for boolean constraints. + + * `values`: A message that holds specific allowed and denied values. This message can define specific values and subtrees of the Resource Manager resource hierarchy (`Organizations`, `Folders`, `Projects`) that are allowed or denied. This is achieved by using the `under:` and optional `is:` prefixes. The `under:` prefix is used to denote resource subtree values. The `is:` prefix is used to denote specific values, and is required only if the value contains a ":". Values prefixed with "is:" are treated the same as values with no prefix. Ancestry subtrees must be in one of the following formats: - `projects/` (for example, `projects/tokyo-rain-123`) - `folders/` (for example, `folders/1234`) - `organizations/` (for example, `organizations/1234`) The `supports_under` field of the associated `Constraint` defines whether ancestry prefixes can be used. + + * `denied_values`: List of values denied at this resource. + + * `allowed_values`: List of values allowed at this resource. 
+ + * `etag`: An opaque tag indicating the current version of the policySpec, used for concurrency control. This field is ignored if used in a `CreatePolicy` request. When the policy is returned from either a `GetPolicy` or a `ListPolicies` request, this `etag` indicates the version of the current policySpec to use when executing a read-modify-write loop. When the policy is returned from a `GetEffectivePolicy` request, the `etag` will be unset. + + * `reset`: Ignores policies set above this resource and restores the `constraint_default` enforcement behavior of the specific constraint at this resource. This field can be set in policies for either list or boolean constraints. If set, `rules` must be empty and `inherit_from_parent` must be set to false. + + * `inherit_from_parent`: Determines the inheritance behavior for this policy. If `inherit_from_parent` is true, policy rules set higher up in the hierarchy (up to the closest root) are inherited and present in the effective policy. If it is false, then no rules are inherited, and this policy becomes the new root for evaluation. This field can be set only for policies which configure list constraints. + + * `name`: Immutable. The resource name of the policy. Must be one of the following forms, where `constraint_name` is the name of the constraint which this policy configures: * `projects/{project_number}/policies/{constraint_name}` * `folders/{folder_id}/policies/{constraint_name}` * `organizations/{organization_id}/policies/{constraint_name}` For example, `projects/123/policies/compute.disableSerialPortAccess`. Note: `projects/{project_id}/policies/{constraint_name}` is also an acceptable name for API requests, but responses will return the name using the equivalent project number. + + * `alternate`: Similar to PolicySpec but with an extra 'launch' field for launch reference. The PolicySpec here is specific for dry-run/darklaunch. 
+ + * `launch`: Reference to the launch that will be used while audit logging and to control the launch. Should be set only in the alternate policy. + + * `spec`: Defines a Google Cloud policy specification which is used to specify constraints for configurations of Google Cloud resources. + + * `update_time`: Output only. The time stamp this was previously updated. This represents the last time a call to `CreatePolicy` or `UpdatePolicy` was made for that policy. + + * `rules`: In policies for boolean constraints, the following requirements apply: - There must be one and only one policy rule where condition is unset. - Boolean policy rules with conditions must set `enforced` to the opposite of the policy rule without a condition. - During policy evaluation, policy rules with conditions that are true for a target resource take precedence. + + * `condition`: Represents a textual expression in the Common Expression Language (CEL) syntax. CEL is a C-like expression language. The syntax and semantics of CEL are documented at https://github.com/google/cel-spec. Example (Comparison): title: "Summary size limit" description: "Determines if a summary is less than 100 chars" expression: "document.summary.size() < 100" Example (Equality): title: "Requestor is owner" description: "Determines if requestor is the document owner" expression: "document.owner == request.auth.claims.email" Example (Logic): title: "Public documents" description: "Determine whether the document should be publicly visible" expression: "document.type != 'private' && document.type != 'internal'" Example (Data Manipulation): title: "Notification string" description: "Create a notification string with a timestamp." expression: "'New message received at ' + string(document.create_time)" The exact variables and functions that may be referenced within an expression are determined by the service that evaluates it. See the service documentation for additional information. + + * `title`: Optional. 
Title for the expression, i.e. a short string describing its purpose. This can be used e.g. in UIs which allow to enter the expression. + + * `location`: Optional. String indicating the location of the expression for error reporting, e.g. a file name and a position in the file. + + * `expression`: Textual representation of an expression in Common Expression Language syntax. + + * `description`: Optional. Description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI. + + * `deny_all`: Setting this to true means that all values are denied. This field can be set only in policies for list constraints. + + * `allow_all`: Setting this to true means that all values are allowed. This field can be set only in policies for list constraints. + + * `enforce`: If `true`, then the policy is enforced. If `false`, then any configuration is acceptable. This field can be set only in policies for boolean constraints. + + * `values`: A message that holds specific allowed and denied values. This message can define specific values and subtrees of the Resource Manager resource hierarchy (`Organizations`, `Folders`, `Projects`) that are allowed or denied. This is achieved by using the `under:` and optional `is:` prefixes. The `under:` prefix is used to denote resource subtree values. The `is:` prefix is used to denote specific values, and is required only if the value contains a ":". Values prefixed with "is:" are treated the same as values with no prefix. Ancestry subtrees must be in one of the following formats: - `projects/` (for example, `projects/tokyo-rain-123`) - `folders/` (for example, `folders/1234`) - `organizations/` (for example, `organizations/1234`) The `supports_under` field of the associated `Constraint` defines whether ancestry prefixes can be used. + + * `denied_values`: List of values denied at this resource. + + * `allowed_values`: List of values allowed at this resource. 
+ + * `etag`: An opaque tag indicating the current version of the policySpec, used for concurrency control. This field is ignored if used in a `CreatePolicy` request. When the policy is returned from either a `GetPolicy` or a `ListPolicies` request, this `etag` indicates the version of the current policySpec to use when executing a read-modify-write loop. When the policy is returned from a `GetEffectivePolicy` request, the `etag` will be unset. + + * `reset`: Ignores policies set above this resource and restores the `constraint_default` enforcement behavior of the specific constraint at this resource. This field can be set in policies for either list or boolean constraints. If set, `rules` must be empty and `inherit_from_parent` must be set to false. + + * `inherit_from_parent`: Determines the inheritance behavior for this policy. If `inherit_from_parent` is true, policy rules set higher up in the hierarchy (up to the closest root) are inherited and present in the effective policy. If it is false, then no rules are inherited, and this policy becomes the new root for evaluation. This field can be set only for policies which configure list constraints. + + +## GCP permissions + +Ensure the [https://orgpolicy.googleapis.com/](https://console.cloud.google.com/apis/library/orgpolicy.googleapis.com/) is enabled for the current project. diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_orgpolicy_organization_constraints.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_orgpolicy_organization_constraints.md new file mode 100644 index 0000000..08a24ad --- /dev/null +++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_orgpolicy_organization_constraints.md 
@@ -0,0 +1,60 @@ ++++ +title = "google_orgpolicy_organization_constraints resource" + +draft = false + + +[menu.gcp] +title = "google_orgpolicy_organization_constraints" +identifier = "inspec/resources/gcp/google_orgpolicy_organization_constraints resource" +parent = "inspec/resources/gcp" ++++ + +Use the `google_orgpolicy_organization_constraints` InSpec audit resource to to test a Google Cloud OrganizationConstraint resource. + +## Examples + +```ruby + describe google_orgpolicy_organization_constraints(parent: 'value_parent') do + it { should exist } + its('names') { should include 'value_name'} + its('display_names') { should include 'value_displayName'} + its('descriptions') { should include 'value_description'} + its('constraint_defaults') { should include 'value_constraint_default'} + its('list_constraints') { should include 'value_list_constraint'} + end +``` + +## Properties + +Properties that can be accessed from the `google_orgpolicy_organization_constraints` resource: + + * `display_names`: The human readable name. Mutable. + + * `descriptions`: Detailed description of what this constraint controls as well as how and where it is enforced. Mutable. + + * `constraint_defaults`: The evaluation behavior of this constraint in the absence of a policy. + Possible values: + * CONSTRAINT_DEFAULT_UNSPECIFIED + * ALLOW + * DENY + + * `supports_dry_runs`: Shows if dry run is supported for this constraint or not. + + * `names`: Immutable. The resource name of the constraint. Must be in one of the following forms: * `projects/{project_number}/constraints/{constraint_name}` * `folders/{folder_id}/constraints/{constraint_name}` * `organizations/{organization_id}/constraints/{constraint_name}` For example, "/projects/123/constraints/compute.disableSerialPortAccess". + + * `list_constraints`: A constraint that allows or disallows a list of string values, which are configured by an Organization Policy administrator with a policy. 
+ + * `supports_under`: Indicates whether subtrees of the Resource Manager resource hierarchy can be used in `Policy.allowed_values` and `Policy.denied_values`. For example, `"under:folders/123"` would match any resource under the 'folders/123' folder. + + * `supports_in`: Indicates whether values grouped into categories can be used in `Policy.allowed_values` and `Policy.denied_values`. For example, `"in:Python"` would match any value in the 'Python' group. + + +## Filter criteria + +This resource supports all of the above properties as filter criteria, which can be used +with `where` as a block or a method. + +## GCP permissions + +Ensure the [https://orgpolicy.googleapis.com/](https://console.cloud.google.com/apis/library/orgpolicy.googleapis.com/) is enabled for the current project. diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_orgpolicy_organization_policies.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_orgpolicy_organization_policies.md new file mode 100644 index 0000000..7091de4 --- /dev/null +++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_orgpolicy_organization_policies.md 
@@ -0,0 +1,41 @@ ++++ +title = "google_orgpolicy_organization_policies resource" + +draft = false + + +[menu.gcp] +title = "google_orgpolicy_organization_policies" +identifier = "inspec/resources/gcp/google_orgpolicy_organization_policies resource" +parent = "inspec/resources/gcp" ++++ + +Use the `google_orgpolicy_organization_policies` InSpec audit resource to to test a Google Cloud OrganizationPolicy resource. + +## Examples + +```ruby + describe google_orgpolicy_organization_policies(parent: ' value_parent') do + it { should exist } + end +``` + +## Properties + +Properties that can be accessed from the `google_orgpolicy_organization_policies` resource: + +See [google_orgpolicy_organization_policy](google_orgpolicy_organization_policy) for more detailed information. + + * `dry_run_specs`: an array of `google_orgpolicy_organization_policy` dry_run_spec + * `specs`: an array of `google_orgpolicy_organization_policy` spec + * `names`: an array of `google_orgpolicy_organization_policy` name + * `alternates`: an array of `google_orgpolicy_organization_policy` alternate + +## Filter criteria + +This resource supports all of the above properties as filter criteria, which can be used +with `where` as a block or a method. + +## GCP permissions + +Ensure the [https://orgpolicy.googleapis.com/](https://console.cloud.google.com/apis/library/orgpolicy.googleapis.com/) is enabled for the current project. diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_orgpolicy_organization_policy.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_orgpolicy_organization_policy.md new file mode 100644 index 0000000..b5c82ae --- /dev/null +++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_orgpolicy_organization_policy.md 
@@ -0,0 +1,144 @@ ++++ +title = "google_orgpolicy_organization_policy resource" + +draft = false + + +[menu.gcp] +title = "google_orgpolicy_organization_policy" +identifier = "inspec/resources/gcp/google_orgpolicy_organization_policy resource" +parent = "inspec/resources/gcp" ++++ + +Use the `google_orgpolicy_organization_policy` InSpec audit resource to to test a Google Cloud OrganizationPolicy resource. + +## Examples + +```ruby +describe google_orgpolicy_organization_policy(parent: 'value_parent', name: ' value_name') do + it { should exist } + its('name') { should cmp 'value_name' } +end + +describe google_orgpolicy_organization_policy(parent: 'value_parent', name: "does_not_exit") do + it { should_not exist } +end +``` + +## Properties + +Properties that can be accessed from the `google_orgpolicy_organization_policy` resource: + + + * `dry_run_spec`: Defines a Google Cloud policy specification which is used to specify constraints for configurations of Google Cloud resources. + + * `update_time`: Output only. The time stamp this was previously updated. This represents the last time a call to `CreatePolicy` or `UpdatePolicy` was made for that policy. + + * `rules`: In policies for boolean constraints, the following requirements apply: - There must be one and only one policy rule where condition is unset. - Boolean policy rules with conditions must set `enforced` to the opposite of the policy rule without a condition. - During policy evaluation, policy rules with conditions that are true for a target resource take precedence. + + * `condition`: Represents a textual expression in the Common Expression Language (CEL) syntax. CEL is a C-like expression language. The syntax and semantics of CEL are documented at https://github.com/google/cel-spec. 
Example (Comparison): title: "Summary size limit" description: "Determines if a summary is less than 100 chars" expression: "document.summary.size() < 100" Example (Equality): title: "Requestor is owner" description: "Determines if requestor is the document owner" expression: "document.owner == request.auth.claims.email" Example (Logic): title: "Public documents" description: "Determine whether the document should be publicly visible" expression: "document.type != 'private' && document.type != 'internal'" Example (Data Manipulation): title: "Notification string" description: "Create a notification string with a timestamp." expression: "'New message received at ' + string(document.create_time)" The exact variables and functions that may be referenced within an expression are determined by the service that evaluates it. See the service documentation for additional information. + + * `title`: Optional. Title for the expression, i.e. a short string describing its purpose. This can be used e.g. in UIs which allow to enter the expression. + + * `location`: Optional. String indicating the location of the expression for error reporting, e.g. a file name and a position in the file. + + * `expression`: Textual representation of an expression in Common Expression Language syntax. + + * `description`: Optional. Description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI. + + * `deny_all`: Setting this to true means that all values are denied. This field can be set only in policies for list constraints. + + * `allow_all`: Setting this to true means that all values are allowed. This field can be set only in policies for list constraints. + + * `enforce`: If `true`, then the policy is enforced. If `false`, then any configuration is acceptable. This field can be set only in policies for boolean constraints. + + * `values`: A message that holds specific allowed and denied values. 
This message can define specific values and subtrees of the Resource Manager resource hierarchy (`Organizations`, `Folders`, `Projects`) that are allowed or denied. This is achieved by using the `under:` and optional `is:` prefixes. The `under:` prefix is used to denote resource subtree values. The `is:` prefix is used to denote specific values, and is required only if the value contains a ":". Values prefixed with "is:" are treated the same as values with no prefix. Ancestry subtrees must be in one of the following formats: - `projects/` (for example, `projects/tokyo-rain-123`) - `folders/` (for example, `folders/1234`) - `organizations/` (for example, `organizations/1234`) The `supports_under` field of the associated `Constraint` defines whether ancestry prefixes can be used. + + * `denied_values`: List of values denied at this resource. + + * `allowed_values`: List of values allowed at this resource. + + * `etag`: An opaque tag indicating the current version of the policySpec, used for concurrency control. This field is ignored if used in a `CreatePolicy` request. When the policy is returned from either a `GetPolicy` or a `ListPolicies` request, this `etag` indicates the version of the current policySpec to use when executing a read-modify-write loop. When the policy is returned from a `GetEffectivePolicy` request, the `etag` will be unset. + + * `reset`: Ignores policies set above this resource and restores the `constraint_default` enforcement behavior of the specific constraint at this resource. This field can be set in policies for either list or boolean constraints. If set, `rules` must be empty and `inherit_from_parent` must be set to false. + + * `inherit_from_parent`: Determines the inheritance behavior for this policy. If `inherit_from_parent` is true, policy rules set higher up in the hierarchy (up to the closest root) are inherited and present in the effective policy. 
If it is false, then no rules are inherited, and this policy becomes the new root for evaluation. This field can be set only for policies which configure list constraints. + + * `spec`: Defines a Google Cloud policy specification which is used to specify constraints for configurations of Google Cloud resources. + + * `update_time`: Output only. The time stamp this was previously updated. This represents the last time a call to `CreatePolicy` or `UpdatePolicy` was made for that policy. + + * `rules`: In policies for boolean constraints, the following requirements apply: - There must be one and only one policy rule where condition is unset. - Boolean policy rules with conditions must set `enforced` to the opposite of the policy rule without a condition. - During policy evaluation, policy rules with conditions that are true for a target resource take precedence. + + * `condition`: Represents a textual expression in the Common Expression Language (CEL) syntax. CEL is a C-like expression language. The syntax and semantics of CEL are documented at https://github.com/google/cel-spec. Example (Comparison): title: "Summary size limit" description: "Determines if a summary is less than 100 chars" expression: "document.summary.size() < 100" Example (Equality): title: "Requestor is owner" description: "Determines if requestor is the document owner" expression: "document.owner == request.auth.claims.email" Example (Logic): title: "Public documents" description: "Determine whether the document should be publicly visible" expression: "document.type != 'private' && document.type != 'internal'" Example (Data Manipulation): title: "Notification string" description: "Create a notification string with a timestamp." expression: "'New message received at ' + string(document.create_time)" The exact variables and functions that may be referenced within an expression are determined by the service that evaluates it. See the service documentation for additional information. 
+
+ * `title`: Optional. Title for the expression, i.e. a short string describing its purpose. This can be used e.g. in UIs which allow to enter the expression.
+
+ * `location`: Optional. String indicating the location of the expression for error reporting, e.g. a file name and a position in the file.
+
+ * `expression`: Textual representation of an expression in Common Expression Language syntax.
+
+ * `description`: Optional. Description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.
+
+ * `deny_all`: Setting this to true means that all values are denied. This field can be set only in policies for list constraints.
+
+ * `allow_all`: Setting this to true means that all values are allowed. This field can be set only in policies for list constraints.
+
+ * `enforce`: If `true`, then the policy is enforced. If `false`, then any configuration is acceptable. This field can be set only in policies for boolean constraints.
+
+ * `values`: A message that holds specific allowed and denied values. This message can define specific values and subtrees of the Resource Manager resource hierarchy (`Organizations`, `Folders`, `Projects`) that are allowed or denied. This is achieved by using the `under:` and optional `is:` prefixes. The `under:` prefix is used to denote resource subtree values. The `is:` prefix is used to denote specific values, and is required only if the value contains a ":". Values prefixed with "is:" are treated the same as values with no prefix. Ancestry subtrees must be in one of the following formats: - `projects/` (for example, `projects/tokyo-rain-123`) - `folders/` (for example, `folders/1234`) - `organizations/` (for example, `organizations/1234`) The `supports_under` field of the associated `Constraint` defines whether ancestry prefixes can be used.
+
+ * `denied_values`: List of values denied at this resource.
+
+ * `allowed_values`: List of values allowed at this resource.
+
+ * `etag`: An opaque tag indicating the current version of the policySpec, used for concurrency control. This field is ignored if used in a `CreatePolicy` request. When the policy is returned from either a `GetPolicy` or a `ListPolicies` request, this `etag` indicates the version of the current policySpec to use when executing a read-modify-write loop. When the policy is returned from a `GetEffectivePolicy` request, the `etag` will be unset.
+
+ * `reset`: Ignores policies set above this resource and restores the `constraint_default` enforcement behavior of the specific constraint at this resource. This field can be set in policies for either list or boolean constraints. If set, `rules` must be empty and `inherit_from_parent` must be set to false.
+
+ * `inherit_from_parent`: Determines the inheritance behavior for this policy. If `inherit_from_parent` is true, policy rules set higher up in the hierarchy (up to the closest root) are inherited and present in the effective policy. If it is false, then no rules are inherited, and this policy becomes the new root for evaluation. This field can be set only for policies which configure list constraints.
+
+ * `name`: Immutable. The resource name of the policy. Must be one of the following forms, where `constraint_name` is the name of the constraint which this policy configures: * `projects/{project_number}/policies/{constraint_name}` * `folders/{folder_id}/policies/{constraint_name}` * `organizations/{organization_id}/policies/{constraint_name}` For example, `projects/123/policies/compute.disableSerialPortAccess`. Note: `projects/{project_id}/policies/{constraint_name}` is also an acceptable name for API requests, but responses will return the name using the equivalent project number.
+
+ * `alternate`: Similar to PolicySpec but with an extra 'launch' field for launch reference. The PolicySpec here is specific for dry-run/darklaunch.
+
+ * `launch`: Reference to the launch that will be used while audit logging and to control the launch. Should be set only in the alternate policy.
+
+ * `spec`: Defines a Google Cloud policy specification which is used to specify constraints for configurations of Google Cloud resources.
+
+ * `update_time`: Output only. The time stamp this was previously updated. This represents the last time a call to `CreatePolicy` or `UpdatePolicy` was made for that policy.
+
+ * `rules`: In policies for boolean constraints, the following requirements apply: - There must be one and only one policy rule where condition is unset. - Boolean policy rules with conditions must set `enforced` to the opposite of the policy rule without a condition. - During policy evaluation, policy rules with conditions that are true for a target resource take precedence.
+
+ * `condition`: Represents a textual expression in the Common Expression Language (CEL) syntax. CEL is a C-like expression language. The syntax and semantics of CEL are documented at https://github.com/google/cel-spec. Example (Comparison): title: "Summary size limit" description: "Determines if a summary is less than 100 chars" expression: "document.summary.size() < 100" Example (Equality): title: "Requestor is owner" description: "Determines if requestor is the document owner" expression: "document.owner == request.auth.claims.email" Example (Logic): title: "Public documents" description: "Determine whether the document should be publicly visible" expression: "document.type != 'private' && document.type != 'internal'" Example (Data Manipulation): title: "Notification string" description: "Create a notification string with a timestamp." expression: "'New message received at ' + string(document.create_time)" The exact variables and functions that may be referenced within an expression are determined by the service that evaluates it. See the service documentation for additional information.
+
+ * `title`: Optional. Title for the expression, i.e. a short string describing its purpose. This can be used e.g. in UIs which allow to enter the expression.
+
+ * `location`: Optional. String indicating the location of the expression for error reporting, e.g. a file name and a position in the file.
+
+ * `expression`: Textual representation of an expression in Common Expression Language syntax.
+
+ * `description`: Optional. Description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.
+
+ * `deny_all`: Setting this to true means that all values are denied. This field can be set only in policies for list constraints.
+
+ * `allow_all`: Setting this to true means that all values are allowed. This field can be set only in policies for list constraints.
+
+ * `enforce`: If `true`, then the policy is enforced. If `false`, then any configuration is acceptable. This field can be set only in policies for boolean constraints.
+
+ * `values`: A message that holds specific allowed and denied values. This message can define specific values and subtrees of the Resource Manager resource hierarchy (`Organizations`, `Folders`, `Projects`) that are allowed or denied. This is achieved by using the `under:` and optional `is:` prefixes. The `under:` prefix is used to denote resource subtree values. The `is:` prefix is used to denote specific values, and is required only if the value contains a ":". Values prefixed with "is:" are treated the same as values with no prefix. Ancestry subtrees must be in one of the following formats: - `projects/` (for example, `projects/tokyo-rain-123`) - `folders/` (for example, `folders/1234`) - `organizations/` (for example, `organizations/1234`) The `supports_under` field of the associated `Constraint` defines whether ancestry prefixes can be used.
+
+ * `denied_values`: List of values denied at this resource.
+
+ * `allowed_values`: List of values allowed at this resource.
+
+ * `etag`: An opaque tag indicating the current version of the policySpec, used for concurrency control. This field is ignored if used in a `CreatePolicy` request. When the policy is returned from either a `GetPolicy` or a `ListPolicies` request, this `etag` indicates the version of the current policySpec to use when executing a read-modify-write loop. When the policy is returned from a `GetEffectivePolicy` request, the `etag` will be unset.
+
+ * `reset`: Ignores policies set above this resource and restores the `constraint_default` enforcement behavior of the specific constraint at this resource. This field can be set in policies for either list or boolean constraints. If set, `rules` must be empty and `inherit_from_parent` must be set to false.
+
+ * `inherit_from_parent`: Determines the inheritance behavior for this policy. If `inherit_from_parent` is true, policy rules set higher up in the hierarchy (up to the closest root) are inherited and present in the effective policy. If it is false, then no rules are inherited, and this policy becomes the new root for evaluation. This field can be set only for policies which configure list constraints.
+
+
+## GCP permissions
+
+Ensure the [https://orgpolicy.googleapis.com/](https://console.cloud.google.com/apis/library/orgpolicy.googleapis.com/) is enabled for the current project.
diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_orgpolicy_project_constraints.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_orgpolicy_project_constraints.md
new file mode 100644
index 0000000..c6646f2
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_orgpolicy_project_constraints.md
@@ -0,0 +1,60 @@
++++
+title = "google_orgpolicy_project_constraints resource"
+
+draft = false
+
+
+[menu.gcp]
+title = "google_orgpolicy_project_constraints"
+identifier = "inspec/resources/gcp/google_orgpolicy_project_constraints resource"
+parent = "inspec/resources/gcp"
++++
+
+## Syntax
+
+A `google_orgpolicy_project_constraints` is used to test a Google Orgpolicy Project Constraint resource.
+
+## Examples
+
+```ruby
+ describe google_orgpolicy_project_constraints(parent: 'projects/test') do
+ it { should exist }
+ its('names') { should include 'value_name'}
+ its('display_names') { should include 'value_display_name'}
+ its('descriptions') { should include 'value_description'}
+ its('constraint_defaults') { should include value_constraint_default'}
+ end
+```
+
+## Properties
+
+Properties that can be accessed from the `google_orgpolicy_project_constraint` resource:
+
+ * `display_names`: The human readable name. Mutable.
+
+ * `descriptions`: Detailed description of what this constraint controls as well as how and where it is enforced. Mutable.
+
+ * `constraint_defaults`: The evaluation behavior of this constraint in the absence of a policy.
+ Possible values:
+ * CONSTRAINT_DEFAULT_UNSPECIFIED
+ * ALLOW
+ * DENY
+
+ * `supports_dry_runs`: Shows if dry run is supported for this constraint or not.
+
+ * `names`: Immutable. The resource name of the constraint. Must be in one of the following forms: * `projects/{project_number}/constraints/{constraint_name}` * `folders/{folder_id}/constraints/{constraint_name}` * `organizations/{organization_id}/constraints/{constraint_name}` For example, "/projects/123/constraints/compute.disableSerialPortAccess".
+
+ * `list_constraints`: A constraint that allows or disallows a list of string values, which are configured by an Organization Policy administrator with a policy.
+
+ * `supports_under`: Indicates whether subtrees of the Resource Manager resource hierarchy can be used in `Policy.allowed_values` and `Policy.denied_values`. For example, `"under:folders/123"` would match any resource under the 'folders/123' folder.
+
+ * `supports_in`: Indicates whether values grouped into categories can be used in `Policy.allowed_values` and `Policy.denied_values`. For example, `"in:Python"` would match any value in the 'Python' group.
+
+## Filter criteria
+
+This resource supports all of the above properties as filter criteria, which can be used
+with `where` as a block or a method.
+
+## GCP permissions
+
+Ensure the [https://orgpolicy.googleapis.com/](https://console.cloud.google.com/apis/library/orgpolicy.googleapis.com/) is enabled for the current project.
diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_orgpolicy_project_policies.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_orgpolicy_project_policies.md
new file mode 100644
index 0000000..0e4caae
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_orgpolicy_project_policies.md
@@ -0,0 +1,42 @@
++++
+title = "google_orgpolicy_project_policies resource"
+
+draft = false
+
+
+[menu.gcp]
+title = "google_orgpolicy_project_policies"
+identifier = "inspec/resources/gcp/google_orgpolicy_project_policies resource"
+parent = "inspec/resources/gcp"
++++
+
+Use the `google_orgpolicy_project_policies` InSpec audit resource to to test a Google Cloud ProjectPolicy resource.
+
+## Examples
+
+```ruby
+ describe google_orgpolicy_project_policies(parent: 'value_parent') do
+ it { should exist }
+ its('names'){ should include value_name}
+ end
+```
+
+## Properties
+
+Properties that can be accessed from the `google_orgpolicy_project_policies` resource:
+
+See [google_orgpolicy_project_policy](google_orgpolicy_project_policy) for more detailed information.
+
+ * `dry_run_specs`: an array of `google_orgpolicy_project_policy` dry_run_spec
+ * `specs`: an array of `google_orgpolicy_project_policy` spec
+ * `names`: an array of `google_orgpolicy_project_policy` name
+ * `alternates`: an array of `google_orgpolicy_project_policy` alternate
+
+## Filter criteria
+
+This resource supports all of the above properties as filter criteria, which can be used
+with `where` as a block or a method.
+
+## GCP permissions
+
+Ensure the [None](https://console.cloud.google.com/apis/library/orgpolicy.googleapis.com/) is enabled for the current project.
diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_orgpolicy_project_policy.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_orgpolicy_project_policy.md
new file mode 100644
index 0000000..06df4ea
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_orgpolicy_project_policy.md
@@ -0,0 +1,145 @@
++++
+title = "google_orgpolicy_project_policy resource"
+
+draft = false
+
+
+[menu.gcp]
+title = "google_orgpolicy_project_policy"
+identifier = "inspec/resources/gcp/google_orgpolicy_project_policy resource"
+parent = "inspec/resources/gcp"
++++
+
+Use the `google_orgpolicy_project_policy` InSpec audit resource to to test a Google Cloud ProjectPolicy resource.
+
+## Examples
+
+```ruby
+describe google_orgpolicy_project_policy(parent: value_parent,name: 'value_name') do
+ it { should exist }
+ its('name'){ should cmp value_name}
+
+end
+
+describe google_orgpolicy_project_policy(parent: value_parent,name: "does_not_exit") do
+ it { should_not exist }
+end
+```
+
+## Properties
+
+Properties that can be accessed from the `google_orgpolicy_project_policy` resource:
+
+
+ * `dry_run_spec`: Defines a Google Cloud policy specification which is used to specify constraints for configurations of Google Cloud resources.
+
+ * `update_time`: Output only. The time stamp this was previously updated. This represents the last time a call to `CreatePolicy` or `UpdatePolicy` was made for that policy.
+
+ * `rules`: In policies for boolean constraints, the following requirements apply: - There must be one and only one policy rule where condition is unset. - Boolean policy rules with conditions must set `enforced` to the opposite of the policy rule without a condition. - During policy evaluation, policy rules with conditions that are true for a target resource take precedence.
+
+ * `condition`: Represents a textual expression in the Common Expression Language (CEL) syntax. CEL is a C-like expression language. The syntax and semantics of CEL are documented at https://github.com/google/cel-spec. Example (Comparison): title: "Summary size limit" description: "Determines if a summary is less than 100 chars" expression: "document.summary.size() < 100" Example (Equality): title: "Requestor is owner" description: "Determines if requestor is the document owner" expression: "document.owner == request.auth.claims.email" Example (Logic): title: "Public documents" description: "Determine whether the document should be publicly visible" expression: "document.type != 'private' && document.type != 'internal'" Example (Data Manipulation): title: "Notification string" description: "Create a notification string with a timestamp." expression: "'New message received at ' + string(document.create_time)" The exact variables and functions that may be referenced within an expression are determined by the service that evaluates it. See the service documentation for additional information.
+
+ * `title`: Optional. Title for the expression, i.e. a short string describing its purpose. This can be used e.g. in UIs which allow to enter the expression.
+
+ * `location`: Optional. String indicating the location of the expression for error reporting, e.g. a file name and a position in the file.
+
+ * `expression`: Textual representation of an expression in Common Expression Language syntax.
+
+ * `description`: Optional. Description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.
+
+ * `deny_all`: Setting this to true means that all values are denied. This field can be set only in policies for list constraints.
+
+ * `allow_all`: Setting this to true means that all values are allowed. This field can be set only in policies for list constraints.
+
+ * `enforce`: If `true`, then the policy is enforced. If `false`, then any configuration is acceptable. This field can be set only in policies for boolean constraints.
+
+ * `values`: A message that holds specific allowed and denied values. This message can define specific values and subtrees of the Resource Manager resource hierarchy (`Organizations`, `Folders`, `Projects`) that are allowed or denied. This is achieved by using the `under:` and optional `is:` prefixes. The `under:` prefix is used to denote resource subtree values. The `is:` prefix is used to denote specific values, and is required only if the value contains a ":". Values prefixed with "is:" are treated the same as values with no prefix. Ancestry subtrees must be in one of the following formats: - `projects/` (for example, `projects/tokyo-rain-123`) - `folders/` (for example, `folders/1234`) - `organizations/` (for example, `organizations/1234`) The `supports_under` field of the associated `Constraint` defines whether ancestry prefixes can be used.
+
+ * `denied_values`: List of values denied at this resource.
+
+ * `allowed_values`: List of values allowed at this resource.
+
+ * `etag`: An opaque tag indicating the current version of the policySpec, used for concurrency control. This field is ignored if used in a `CreatePolicy` request. When the policy is returned from either a `GetPolicy` or a `ListPolicies` request, this `etag` indicates the version of the current policySpec to use when executing a read-modify-write loop. When the policy is returned from a `GetEffectivePolicy` request, the `etag` will be unset.
+
+ * `reset`: Ignores policies set above this resource and restores the `constraint_default` enforcement behavior of the specific constraint at this resource. This field can be set in policies for either list or boolean constraints. If set, `rules` must be empty and `inherit_from_parent` must be set to false.
+
+ * `inherit_from_parent`: Determines the inheritance behavior for this policy. If `inherit_from_parent` is true, policy rules set higher up in the hierarchy (up to the closest root) are inherited and present in the effective policy. If it is false, then no rules are inherited, and this policy becomes the new root for evaluation. This field can be set only for policies which configure list constraints.
+
+ * `spec`: Defines a Google Cloud policy specification which is used to specify constraints for configurations of Google Cloud resources.
+
+ * `update_time`: Output only. The time stamp this was previously updated. This represents the last time a call to `CreatePolicy` or `UpdatePolicy` was made for that policy.
+
+ * `rules`: In policies for boolean constraints, the following requirements apply: - There must be one and only one policy rule where condition is unset. - Boolean policy rules with conditions must set `enforced` to the opposite of the policy rule without a condition. - During policy evaluation, policy rules with conditions that are true for a target resource take precedence.
+
+ * `condition`: Represents a textual expression in the Common Expression Language (CEL) syntax. CEL is a C-like expression language. The syntax and semantics of CEL are documented at https://github.com/google/cel-spec. Example (Comparison): title: "Summary size limit" description: "Determines if a summary is less than 100 chars" expression: "document.summary.size() < 100" Example (Equality): title: "Requestor is owner" description: "Determines if requestor is the document owner" expression: "document.owner == request.auth.claims.email" Example (Logic): title: "Public documents" description: "Determine whether the document should be publicly visible" expression: "document.type != 'private' && document.type != 'internal'" Example (Data Manipulation): title: "Notification string" description: "Create a notification string with a timestamp." expression: "'New message received at ' + string(document.create_time)" The exact variables and functions that may be referenced within an expression are determined by the service that evaluates it. See the service documentation for additional information.
+
+ * `title`: Optional. Title for the expression, i.e. a short string describing its purpose. This can be used e.g. in UIs which allow to enter the expression.
+
+ * `location`: Optional. String indicating the location of the expression for error reporting, e.g. a file name and a position in the file.
+
+ * `expression`: Textual representation of an expression in Common Expression Language syntax.
+
+ * `description`: Optional. Description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.
+
+ * `deny_all`: Setting this to true means that all values are denied. This field can be set only in policies for list constraints.
+
+ * `allow_all`: Setting this to true means that all values are allowed. This field can be set only in policies for list constraints.
+
+ * `enforce`: If `true`, then the policy is enforced. If `false`, then any configuration is acceptable. This field can be set only in policies for boolean constraints.
+
+ * `values`: A message that holds specific allowed and denied values. This message can define specific values and subtrees of the Resource Manager resource hierarchy (`Organizations`, `Folders`, `Projects`) that are allowed or denied. This is achieved by using the `under:` and optional `is:` prefixes. The `under:` prefix is used to denote resource subtree values. The `is:` prefix is used to denote specific values, and is required only if the value contains a ":". Values prefixed with "is:" are treated the same as values with no prefix. Ancestry subtrees must be in one of the following formats: - `projects/` (for example, `projects/tokyo-rain-123`) - `folders/` (for example, `folders/1234`) - `organizations/` (for example, `organizations/1234`) The `supports_under` field of the associated `Constraint` defines whether ancestry prefixes can be used.
+
+ * `denied_values`: List of values denied at this resource.
+
+ * `allowed_values`: List of values allowed at this resource.
+
+ * `etag`: An opaque tag indicating the current version of the policySpec, used for concurrency control. This field is ignored if used in a `CreatePolicy` request. When the policy is returned from either a `GetPolicy` or a `ListPolicies` request, this `etag` indicates the version of the current policySpec to use when executing a read-modify-write loop. When the policy is returned from a `GetEffectivePolicy` request, the `etag` will be unset.
+
+ * `reset`: Ignores policies set above this resource and restores the `constraint_default` enforcement behavior of the specific constraint at this resource. This field can be set in policies for either list or boolean constraints. If set, `rules` must be empty and `inherit_from_parent` must be set to false.
+
+ * `inherit_from_parent`: Determines the inheritance behavior for this policy. If `inherit_from_parent` is true, policy rules set higher up in the hierarchy (up to the closest root) are inherited and present in the effective policy. If it is false, then no rules are inherited, and this policy becomes the new root for evaluation. This field can be set only for policies which configure list constraints.
+
+ * `name`: Immutable. The resource name of the policy. Must be one of the following forms, where `constraint_name` is the name of the constraint which this policy configures: * `projects/{project_number}/policies/{constraint_name}` * `folders/{folder_id}/policies/{constraint_name}` * `organizations/{organization_id}/policies/{constraint_name}` For example, `projects/123/policies/compute.disableSerialPortAccess`. Note: `projects/{project_id}/policies/{constraint_name}` is also an acceptable name for API requests, but responses will return the name using the equivalent project number.
+
+ * `alternate`: Similar to PolicySpec but with an extra 'launch' field for launch reference. The PolicySpec here is specific for dry-run/darklaunch.
+
+ * `launch`: Reference to the launch that will be used while audit logging and to control the launch. Should be set only in the alternate policy.
+
+ * `spec`: Defines a Google Cloud policy specification which is used to specify constraints for configurations of Google Cloud resources.
+
+ * `update_time`: Output only. The time stamp this was previously updated. This represents the last time a call to `CreatePolicy` or `UpdatePolicy` was made for that policy.
+
+ * `rules`: In policies for boolean constraints, the following requirements apply: - There must be one and only one policy rule where condition is unset. - Boolean policy rules with conditions must set `enforced` to the opposite of the policy rule without a condition. - During policy evaluation, policy rules with conditions that are true for a target resource take precedence.
+
+ * `condition`: Represents a textual expression in the Common Expression Language (CEL) syntax. CEL is a C-like expression language. The syntax and semantics of CEL are documented at https://github.com/google/cel-spec. Example (Comparison): title: "Summary size limit" description: "Determines if a summary is less than 100 chars" expression: "document.summary.size() < 100" Example (Equality): title: "Requestor is owner" description: "Determines if requestor is the document owner" expression: "document.owner == request.auth.claims.email" Example (Logic): title: "Public documents" description: "Determine whether the document should be publicly visible" expression: "document.type != 'private' && document.type != 'internal'" Example (Data Manipulation): title: "Notification string" description: "Create a notification string with a timestamp." expression: "'New message received at ' + string(document.create_time)" The exact variables and functions that may be referenced within an expression are determined by the service that evaluates it. See the service documentation for additional information.
+
+ * `title`: Optional. Title for the expression, i.e. a short string describing its purpose. This can be used e.g. in UIs which allow to enter the expression.
+
+ * `location`: Optional. String indicating the location of the expression for error reporting, e.g. a file name and a position in the file.
+
+ * `expression`: Textual representation of an expression in Common Expression Language syntax.
+
+ * `description`: Optional. Description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.
+
+ * `deny_all`: Setting this to true means that all values are denied. This field can be set only in policies for list constraints.
+
+ * `allow_all`: Setting this to true means that all values are allowed. This field can be set only in policies for list constraints.
+
+ * `enforce`: If `true`, then the policy is enforced. If `false`, then any configuration is acceptable. This field can be set only in policies for boolean constraints.
+
+ * `values`: A message that holds specific allowed and denied values. This message can define specific values and subtrees of the Resource Manager resource hierarchy (`Organizations`, `Folders`, `Projects`) that are allowed or denied. This is achieved by using the `under:` and optional `is:` prefixes. The `under:` prefix is used to denote resource subtree values. The `is:` prefix is used to denote specific values, and is required only if the value contains a ":". Values prefixed with "is:" are treated the same as values with no prefix. Ancestry subtrees must be in one of the following formats: - `projects/` (for example, `projects/tokyo-rain-123`) - `folders/` (for example, `folders/1234`) - `organizations/` (for example, `organizations/1234`) The `supports_under` field of the associated `Constraint` defines whether ancestry prefixes can be used.
+
+ * `denied_values`: List of values denied at this resource.
+
+ * `allowed_values`: List of values allowed at this resource.
+
+ * `etag`: An opaque tag indicating the current version of the policySpec, used for concurrency control. This field is ignored if used in a `CreatePolicy` request. When the policy is returned from either a `GetPolicy` or a `ListPolicies` request, this `etag` indicates the version of the current policySpec to use when executing a read-modify-write loop. When the policy is returned from a `GetEffectivePolicy` request, the `etag` will be unset.
+
+ * `reset`: Ignores policies set above this resource and restores the `constraint_default` enforcement behavior of the specific constraint at this resource. This field can be set in policies for either list or boolean constraints. If set, `rules` must be empty and `inherit_from_parent` must be set to false.
+
+ * `inherit_from_parent`: Determines the inheritance behavior for this policy. If `inherit_from_parent` is true, policy rules set higher up in the hierarchy (up to the closest root) are inherited and present in the effective policy. If it is false, then no rules are inherited, and this policy becomes the new root for evaluation. This field can be set only for policies which configure list constraints.
+
+
+## GCP permissions
+
+Ensure the [None](https://console.cloud.google.com/apis/library/orgpolicy.googleapis.com/) is enabled for the current project.
diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_project.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_project.md
new file mode 100644
index 0000000..bc218c7
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_project.md
@@ -0,0 +1,74 @@
++++
+title = "google_project resource"
+
+draft = false
+
+
+[menu.gcp]
+title = "google_project"
+identifier = "inspec/resources/gcp/google_project resource"
+parent = "inspec/resources/gcp"
++++
+
+Use the `google_project` InSpec audit resource to to test a Google Cloud Project resource.
+
+## Examples
+
+```ruby
+describe google_project(project: 'chef-gcp-inspec') do
+ it { should exist }
+ its('project_id') { should cmp 'chef-gcp-inspec' }
+ its('lifecycle_state') { should cmp 'ACTIVE' }
+end
+```
+
+### Test that a GCP project has the expected project number
+
+ describe google_project(project: 'chef-inspec-gcp') do
+ its('project_number') { should eq 12345678 }
+ end
+
+### Test that a GCP project has the expected lifecycle state e.g. "ACTIVE"
+
+ describe google_project(project: 'chef-inspec-gcp') do
+ its('lifecycle_state') { should eq "ACTIVE" }
+ end
+
+### Validate that a GCP project has some arbitrary label with expected content (for example defined by regexp )
+
+ describe google_project(project: 'chef-inspec-gcp').label_value_by_key('season') do
+ it {should match '^(winter|spring|summer|autumn)$' }
+ end
+
+## Properties
+
+Properties that can be accessed from the `google_project` resource:
+
+
+ * `number`: Number uniquely identifying the project.
+
+ * `lifecycle_state`: The Project lifecycle state.
+ Possible values:
+ * LIFECYCLE_STATE_UNSPECIFIED
+ * ACTIVE
+ * DELETE_REQUESTED
+ * DELETE_IN_PROGRESS
+
+ * `name`: The user-assigned display name of the Project. It must be 4 to 30 characters. Allowed characters are: lowercase and uppercase letters, numbers, hyphen, single-quote, double-quote, space, and exclamation point.
+
+ * `create_time`: Time of creation
+
+ * `labels`: The labels associated with this Project. Label keys must be between 1 and 63 characters long and must conform to the following regular expression: `[a-z]([-a-z0-9]*[a-z0-9])?`. Label values must be between 0 and 63 characters long and must conform to the regular expression `([a-z]([-a-z0-9]*[a-z0-9])?)?`. No more than 256 labels can be associated with a given resource. Clients should store labels in a representation such as JSON that does not depend on specific characters being disallowed
+
+ * `parent`: A parent organization
+
+ * `type`: Must be organization.
+
+ * `id`: Id of the organization
+
+ * `project_id`: The unique, user-assigned ID of the Project. It must be 6 to 30 lowercase letters, digits, or hyphens. It must start with a letter. Trailing hyphens are prohibited.
+
+
+## GCP permissions
+
+Ensure the [Cloud Resource Manager API](https://console.cloud.google.com/apis/library/cloudresourcemanager.googleapis.com/) is enabled for the current project.
diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_project_alert_policies.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_project_alert_policies.md
new file mode 100644
index 0000000..d5b3411
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_project_alert_policies.md
@@ -0,0 +1,72 @@
++++
+title = "google_project_alert_policies resource"
+
+draft = false
+
+
+[menu.gcp]
+title = "google_project_alert_policies"
+identifier = "inspec/resources/gcp/google_project_alert_policies resource"
+parent = "inspec/resources/gcp"
++++
+
+Use the `google_project_alert_policies` InSpec audit resource to to test a Google Cloud AlertPolicy resource.
+
+## Examples
+
+```ruby
+describe google_project_alert_policies(project: 'chef-gcp-inspec') do
+ it { should exist }
+ its('policy_display_names') { should include 'Display'}
+ its('combiners') { should include 'OR'}
+end
+```
+
+### Test that there are no more than a specified number of project alert policies available for the project
+
+ describe google_project_alert_policies(project: 'chef-inspec-gcp') do
+ its('count') { should be <= 100}
+ end
+
+### Test that an expected policy name is available for the project
+
+ describe google_project_alert_policies(project: 'chef-inspec-gcp') do
+ its('policy_names') { should include 'projects/spaterson-project/alertPolicies/9271751234503117449' }
+ end
+
+### Test whether any expected policy display name is available for the project
+
+ describe google_project_alert_policies(project: 'chef-inspec-gcp') do
+ its('policy_display_names') { should_not include 'banned policy' }
+ end
+
+### Ensure no existing policies are inactive
+
+ describe google_project_alert_policies(project: 'chef-inspec-gcp') do
+ its('policy_enabled_states') { should_not include false }
+ end
+
+## Properties
+
+Properties that can be accessed from the `google_project_alert_policies` resource:
+
+See [google_project_alert_policy](google_project_alert_policy) for more detailed information.
+
+ * `policy_names`: an array of `google_project_alert_policy` name
+ * `policy_display_names`: an array of `google_project_alert_policy` display_name
+ * `combiners`: an array of `google_project_alert_policy` combiner
+ * `creation_records`: an array of `google_project_alert_policy` creation_record
+ * `policy_enabled_states`: an array of `google_project_alert_policy` enabled
+ * `conditions`: an array of `google_project_alert_policy` conditions
+ * `notification_channels`: an array of `google_project_alert_policy` notification_channels
+ * `user_labels`: an array of `google_project_alert_policy` user_labels
+ * `documentations`: an array of `google_project_alert_policy` documentation
+
+## Filter criteria
+
+This resource supports all of the above properties as filter criteria, which can be used
+with `where` as a block or a method.
+
+## GCP permissions
+
+Ensure the [Stackdriver Monitoring API](https://console.cloud.google.com/apis/library/monitoring.googleapis.com/) is enabled for the current project.
diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_project_alert_policy.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_project_alert_policy.md
new file mode 100644
index 0000000..7fc94ba
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_project_alert_policy.md
@@ -0,0 +1,268 @@
++++
+title = "google_project_alert_policy resource"
+
+draft = false
+
+
+[menu.gcp]
+title = "google_project_alert_policy"
+identifier = "inspec/resources/gcp/google_project_alert_policy resource"
+parent = "inspec/resources/gcp"
++++
+
+Use the `google_project_alert_policy` InSpec audit resource to to test a Google Cloud AlertPolicy resource.
+
+## Examples
+
+```ruby
+describe.one do
+ google_project_alert_policies(project: 'chef-gcp-inspec').policy_names do |policy_name|
+ describe google_project_alert_policy(project: 'chef-gcp-inspec', name: policy_name) do
+ it { should exist }
+ its('display_name') { should cmp 'Display'}
+ its('combiner') { should cmp 'OR'}
+ it { should be_enabled }
+ end
+ end
+end
+```
+
+### Test that a GCP alert policy is enabled
+
+ describe google_project_alert_policy(policy: 'spaterson', name: '9271751234503117449') do
+ it { should be_enabled }
+ end
+
+### Test that a GCP compute alert policy display name is correct
+
+ describe google_project_alert_policy(policy: 'spaterson-project', name: '9271751234503117449') do
+ its('display_name') { should eq 'policy name' }
+ end
+
+## Properties
+
+Properties that can be accessed from the `google_project_alert_policy` resource:
+
+
+ * `name`: The unique resource name for this policy. Its syntax is: projects/[PROJECT_ID]/alertPolicies/[ALERT_POLICY_ID]
+
+ * `display_name`: A short name or phrase used to identify the policy in dashboards, notifications, and incidents. To avoid confusion, don't use the same display name for multiple policies in the same project. The name is limited to 512 Unicode characters.
+
+ * `combiner`: How to combine the results of multiple conditions to determine if an incident should be opened.
+ Possible values:
+ * AND
+ * OR
+ * AND_WITH_MATCHING_RESOURCE
+
+ * `creation_record`: A read-only record of the creation of the alerting policy. If provided in a call to create or update, this field will be ignored.
+
+ * `mutate_time`: When the change occurred.
+
+ * `mutated_by`: The email address of the user making the change.
+
+ * `enabled`: Whether or not the policy is enabled. The default is true.
+
+ * `conditions`: A list of conditions for the policy. The conditions are combined by AND or OR according to the combiner field. If the combined conditions evaluate to true, then an incident is created. A policy can have from one to six conditions.
+
+ * `condition_absent`: A condition that checks that a time series continues to receive new data points.
+
+ * `aggregations`: Specifies the alignment of data points in individual time series as well as how to combine the retrieved time series together (such as when aggregating multiple streams on each resource to a single stream for each resource or when aggregating streams across all members of a group of resources). Multiple aggregations are applied in the order specified.
+
+ * `per_series_aligner`: The approach to be used to align individual time series. Not all alignment functions may be applied to all time series, depending on the metric type and value type of the original time series. Alignment may change the metric type or the value type of the time series.Time series data must be aligned in order to perform cross- time series reduction. If crossSeriesReducer is specified, then perSeriesAligner must be specified and not equal ALIGN_NONE and alignmentPeriod must be specified; otherwise, an error is returned.
+ Possible values:
+ * ALIGN_NONE
+ * ALIGN_DELTA
+ * ALIGN_RATE
+ * ALIGN_INTERPOLATE
+ * ALIGN_NEXT_OLDER
+ * ALIGN_MIN
+ * ALIGN_MAX
+ * ALIGN_MEAN
+ * ALIGN_COUNT
+ * ALIGN_SUM
+ * ALIGN_STDDEV
+ * ALIGN_COUNT_TRUE
+ * ALIGN_COUNT_FALSE
+ * ALIGN_FRACTION_TRUE
+ * ALIGN_PERCENTILE_99
+ * ALIGN_PERCENTILE_95
+ * ALIGN_PERCENTILE_50
+ * ALIGN_PERCENTILE_05
+ * ALIGN_PERCENT_CHANGE
+
+ * `group_by_fields`: The set of fields to preserve when crossSeriesReducer is specified. The groupByFields determine how the time series are partitioned into subsets prior to applying the aggregation function. Each subset contains time series that have the same value for each of the grouping fields. Each individual time series is a member of exactly one subset. The crossSeriesReducer is applied to each subset of time series. It is not possible to reduce across different resource types, so this field implicitly contains resource.type. Fields not specified in groupByFields are aggregated away. If groupByFields is not specified and all the time series have the same resource type, then the time series are aggregated into a single output time series. If crossSeriesReducer is not defined, this field is ignored.
+
+ * `alignment_period`: The alignment period for per-time series alignment. If present, alignmentPeriod must be at least 60 seconds. After per-time series alignment, each time series will contain data points only on the period boundaries. If perSeriesAligner is not specified or equals ALIGN_NONE, then this field is ignored. If perSeriesAligner is specified and does not equal ALIGN_NONE, then this field must be defined; otherwise an error is returned.
+
+ * `cross_series_reducer`: The approach to be used to combine time series. Not all reducer functions may be applied to all time series, depending on the metric type and the value type of the original time series. Reduction may change the metric type of value type of the time series.Time series data must be aligned in order to perform cross- time series reduction. If crossSeriesReducer is specified, then perSeriesAligner must be specified and not equal ALIGN_NONE and alignmentPeriod must be specified; otherwise, an error is returned.
+ Possible values:
+ * REDUCE_NONE
+ * REDUCE_MEAN
+ * REDUCE_MIN
+ * REDUCE_MAX
+ * REDUCE_SUM
+ * REDUCE_STDDEV
+ * REDUCE_COUNT
+ * REDUCE_COUNT_TRUE
+ * REDUCE_COUNT_FALSE
+ * REDUCE_FRACTION_TRUE
+ * REDUCE_PERCENTILE_99
+ * REDUCE_PERCENTILE_95
+ * REDUCE_PERCENTILE_50
+ * REDUCE_PERCENTILE_05
+
+ * `trigger`: The number/percent of time series for which the comparison must hold in order for the condition to trigger. If unspecified, then the condition will trigger if the comparison is true for any of the time series that have been identified by filter and aggregations.
+
+ * `percent`: The percentage of time series that must fail the predicate for the condition to be triggered.
+
+ * `count`: The absolute number of time series that must fail the predicate for the condition to be triggered.
+
+ * `duration`: The amount of time that a time series must fail to report new data to be considered failing. Currently, only values that are a multiple of a minute--e.g. 60s, 120s, or 300s --are supported.
+
+ * `filter`: A filter that identifies which time series should be compared with the threshold.The filter is similar to the one that is specified in the MetricService.ListTimeSeries request (that call is useful to verify the time series that will be retrieved / processed) and must specify the metric type and optionally may contain restrictions on resource type, resource labels, and metric labels. This field may not exceed 2048 Unicode characters in length.
+
+ * `name`: The unique resource name for this condition. Its syntax is: projects/[PROJECT_ID]/alertPolicies/[POLICY_ID]/conditions/[CONDITION_ID] [CONDITION_ID] is assigned by Stackdriver Monitoring when the condition is created as part of a new or updated alerting policy.
+
+ * `condition_monitoring_query_language`: A Monitoring Query Language query that outputs a boolean stream
+
+ * `query`: Monitoring Query Language query that outputs a boolean stream.
+
+ * `duration`: The amount of time that a time series must violate the threshold to be considered failing. Currently, only values that are a multiple of a minute--e.g., 0, 60, 120, or 300 seconds--are supported. If an invalid value is given, an error will be returned. When choosing a duration, it is useful to keep in mind the frequency of the underlying time series data (which may also be affected by any alignments specified in the aggregations field); a good duration is long enough so that a single outlier does not generate spurious alerts, but short enough that unhealthy states are detected and alerted on quickly.
+
+ * `trigger`: The number/percent of time series for which the comparison must hold in order for the condition to trigger. If unspecified, then the condition will trigger if the comparison is true for any of the time series that have been identified by filter and aggregations, or by the ratio, if denominator_filter and denominator_aggregations are specified.
+
+ * `percent`: The percentage of time series that must fail the predicate for the condition to be triggered.
+
+ * `count`: The absolute number of time series that must fail the predicate for the condition to be triggered.
+
+ * `condition_threshold`: A condition that compares a time series against a threshold.
+
+ * `threshold_value`: A value against which to compare the time series.
+
+ * `denominator_filter`: A filter that identifies a time series that should be used as the denominator of a ratio that will be compared with the threshold. If a denominator_filter is specified, the time series specified by the filter field will be used as the numerator.The filter is similar to the one that is specified in the MetricService.ListTimeSeries request (that call is useful to verify the time series that will be retrieved / processed) and must specify the metric type and optionally may contain restrictions on resource type, resource labels, and metric labels. This field may not exceed 2048 Unicode characters in length.
+
+ * `denominator_aggregations`: Specifies the alignment of data points in individual time series selected by denominatorFilter as well as how to combine the retrieved time series together (such as when aggregating multiple streams on each resource to a single stream for each resource or when aggregating streams across all members of a group of resources).When computing ratios, the aggregations and denominator_aggregations fields must use the same alignment period and produce time series that have the same periodicity and labels.This field is similar to the one in the MetricService.ListTimeSeries request. It is advisable to use the ListTimeSeries method when debugging this field.
+
+ * `per_series_aligner`: The approach to be used to align individual time series. Not all alignment functions may be applied to all time series, depending on the metric type and value type of the original time series. Alignment may change the metric type or the value type of the time series.Time series data must be aligned in order to perform cross- time series reduction. If crossSeriesReducer is specified, then perSeriesAligner must be specified and not equal ALIGN_NONE and alignmentPeriod must be specified; otherwise, an error is returned.
+ Possible values:
+ * ALIGN_NONE
+ * ALIGN_DELTA
+ * ALIGN_RATE
+ * ALIGN_INTERPOLATE
+ * ALIGN_NEXT_OLDER
+ * ALIGN_MIN
+ * ALIGN_MAX
+ * ALIGN_MEAN
+ * ALIGN_COUNT
+ * ALIGN_SUM
+ * ALIGN_STDDEV
+ * ALIGN_COUNT_TRUE
+ * ALIGN_COUNT_FALSE
+ * ALIGN_FRACTION_TRUE
+ * ALIGN_PERCENTILE_99
+ * ALIGN_PERCENTILE_95
+ * ALIGN_PERCENTILE_50
+ * ALIGN_PERCENTILE_05
+ * ALIGN_PERCENT_CHANGE
+
+ * `group_by_fields`: The set of fields to preserve when crossSeriesReducer is specified. The groupByFields determine how the time series are partitioned into subsets prior to applying the aggregation function. Each subset contains time series that have the same value for each of the grouping fields. Each individual time series is a member of exactly one subset. The crossSeriesReducer is applied to each subset of time series. It is not possible to reduce across different resource types, so this field implicitly contains resource.type. Fields not specified in groupByFields are aggregated away. If groupByFields is not specified and all the time series have the same resource type, then the time series are aggregated into a single output time series. If crossSeriesReducer is not defined, this field is ignored.
+
+ * `alignment_period`: The alignment period for per-time series alignment. If present, alignmentPeriod must be at least 60 seconds. After per-time series alignment, each time series will contain data points only on the period boundaries. If perSeriesAligner is not specified or equals ALIGN_NONE, then this field is ignored. If perSeriesAligner is specified and does not equal ALIGN_NONE, then this field must be defined; otherwise an error is returned.
+
+ * `cross_series_reducer`: The approach to be used to combine time series. Not all reducer functions may be applied to all time series, depending on the metric type and the value type of the original time series. Reduction may change the metric type of value type of the time series.Time series data must be aligned in order to perform cross- time series reduction. If crossSeriesReducer is specified, then perSeriesAligner must be specified and not equal ALIGN_NONE and alignmentPeriod must be specified; otherwise, an error is returned.
+ Possible values:
+ * REDUCE_NONE
+ * REDUCE_MEAN
+ * REDUCE_MIN
+ * REDUCE_MAX
+ * REDUCE_SUM
+ * REDUCE_STDDEV
+ * REDUCE_COUNT
+ * REDUCE_COUNT_TRUE
+ * REDUCE_COUNT_FALSE
+ * REDUCE_FRACTION_TRUE
+ * REDUCE_PERCENTILE_99
+ * REDUCE_PERCENTILE_95
+ * REDUCE_PERCENTILE_50
+ * REDUCE_PERCENTILE_05
+
+ * `duration`: The amount of time that a time series must violate the threshold to be considered failing. Currently, only values that are a multiple of a minute--e.g., 0, 60, 120, or 300 seconds--are supported. If an invalid value is given, an error will be returned. When choosing a duration, it is useful to keep in mind the frequency of the underlying time series data (which may also be affected by any alignments specified in the aggregations field); a good duration is long enough so that a single outlier does not generate spurious alerts, but short enough that unhealthy states are detected and alerted on quickly.
+
+ * `comparison`: The comparison to apply between the time series (indicated by filter and aggregation) and the threshold (indicated by threshold_value). The comparison is applied on each time series, with the time series on the left-hand side and the threshold on the right-hand side. Only COMPARISON_LT and COMPARISON_GT are supported currently.
+ Possible values:
+ * COMPARISON_GT
+ * COMPARISON_GE
+ * COMPARISON_LT
+ * COMPARISON_LE
+ * COMPARISON_EQ
+ * COMPARISON_NE
+
+ * `trigger`: The number/percent of time series for which the comparison must hold in order for the condition to trigger. If unspecified, then the condition will trigger if the comparison is true for any of the time series that have been identified by filter and aggregations, or by the ratio, if denominator_filter and denominator_aggregations are specified.
+
+ * `percent`: The percentage of time series that must fail the predicate for the condition to be triggered.
+
+ * `count`: The absolute number of time series that must fail the predicate for the condition to be triggered.
+
+ * `aggregations`: Specifies the alignment of data points in individual time series as well as how to combine the retrieved time series together (such as when aggregating multiple streams on each resource to a single stream for each resource or when aggregating streams across all members of a group of resources). Multiple aggregations are applied in the order specified.This field is similar to the one in the MetricService.ListTimeSeries request. It is advisable to use the ListTimeSeries method when debugging this field.
+
+ * `per_series_aligner`: The approach to be used to align individual time series. Not all alignment functions may be applied to all time series, depending on the metric type and value type of the original time series. Alignment may change the metric type or the value type of the time series.Time series data must be aligned in order to perform cross- time series reduction. If crossSeriesReducer is specified, then perSeriesAligner must be specified and not equal ALIGN_NONE and alignmentPeriod must be specified; otherwise, an error is returned.
+ Possible values:
+ * ALIGN_NONE
+ * ALIGN_DELTA
+ * ALIGN_RATE
+ * ALIGN_INTERPOLATE
+ * ALIGN_NEXT_OLDER
+ * ALIGN_MIN
+ * ALIGN_MAX
+ * ALIGN_MEAN
+ * ALIGN_COUNT
+ * ALIGN_SUM
+ * ALIGN_STDDEV
+ * ALIGN_COUNT_TRUE
+ * ALIGN_COUNT_FALSE
+ * ALIGN_FRACTION_TRUE
+ * ALIGN_PERCENTILE_99
+ * ALIGN_PERCENTILE_95
+ * ALIGN_PERCENTILE_50
+ * ALIGN_PERCENTILE_05
+ * ALIGN_PERCENT_CHANGE
+
+ * `group_by_fields`: The set of fields to preserve when crossSeriesReducer is specified. The groupByFields determine how the time series are partitioned into subsets prior to applying the aggregation function. Each subset contains time series that have the same value for each of the grouping fields. Each individual time series is a member of exactly one subset. The crossSeriesReducer is applied to each subset of time series. It is not possible to reduce across different resource types, so this field implicitly contains resource.type. Fields not specified in groupByFields are aggregated away. If groupByFields is not specified and all the time series have the same resource type, then the time series are aggregated into a single output time series. If crossSeriesReducer is not defined, this field is ignored.
+
+ * `alignment_period`: The alignment period for per-time series alignment. If present, alignmentPeriod must be at least 60 seconds. After per-time series alignment, each time series will contain data points only on the period boundaries. If perSeriesAligner is not specified or equals ALIGN_NONE, then this field is ignored. If perSeriesAligner is specified and does not equal ALIGN_NONE, then this field must be defined; otherwise an error is returned.
+
+ * `cross_series_reducer`: The approach to be used to combine time series. Not all reducer functions may be applied to all time series, depending on the metric type and the value type of the original time series. Reduction may change the metric type of value type of the time series.Time series data must be aligned in order to perform cross- time series reduction. If crossSeriesReducer is specified, then perSeriesAligner must be specified and not equal ALIGN_NONE and alignmentPeriod must be specified; otherwise, an error is returned.
+ Possible values:
+ * REDUCE_NONE
+ * REDUCE_MEAN
+ * REDUCE_MIN
+ * REDUCE_MAX
+ * REDUCE_SUM
+ * REDUCE_STDDEV
+ * REDUCE_COUNT
+ * REDUCE_COUNT_TRUE
+ * REDUCE_COUNT_FALSE
+ * REDUCE_FRACTION_TRUE
+ * REDUCE_PERCENTILE_99
+ * REDUCE_PERCENTILE_95
+ * REDUCE_PERCENTILE_50
+ * REDUCE_PERCENTILE_05
+
+ * `filter`: A filter that identifies which time series should be compared with the threshold.The filter is similar to the one that is specified in the MetricService.ListTimeSeries request (that call is useful to verify the time series that will be retrieved / processed) and must specify the metric type and optionally may contain restrictions on resource type, resource labels, and metric labels. This field may not exceed 2048 Unicode characters in length.
+
+ * `display_name`: A short name or phrase used to identify the condition in dashboards, notifications, and incidents. To avoid confusion, don't use the same display name for multiple conditions in the same policy.
+
+ * `notification_channels`: Identifies the notification channels to which notifications should be sent when incidents are opened or closed or when new violations occur on an already opened incident. Each element of this array corresponds to the name field in each of the NotificationChannel objects that are returned from the notificationChannels.list method. The syntax of the entries in this field is `projects/[PROJECT_ID]/notificationChannels/[CHANNEL_ID]`
+
+ * `user_labels`: This field is intended to be used for organizing and identifying the AlertPolicy objects.The field can contain up to 64 entries. Each key and value is limited to 63 Unicode characters or 128 bytes, whichever is smaller. Labels and values can contain only lowercase letters, numerals, underscores, and dashes. Keys must begin with a letter.
+
+ * `documentation`: Documentation that is included with notifications and incidents related to this policy. Best practice is for the documentation to include information to help responders understand, mitigate, escalate, and correct the underlying problems detected by the alerting policy. Notification channels that have limited capacity might not show this documentation.
+
+ * `content`: The text of the documentation, interpreted according to mimeType. The content may not exceed 8,192 Unicode characters and may not exceed more than 10,240 bytes when encoded in UTF-8 format, whichever is smaller.
+
+ * `mime_type`: The format of the content field. Presently, only the value "text/markdown" is supported.
+
+
+## GCP permissions
+
+Ensure the [Stackdriver Monitoring API](https://console.cloud.google.com/apis/library/monitoring.googleapis.com/) is enabled for the current project.
diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_project_alert_policy_condition.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_project_alert_policy_condition.md
new file mode 100644
index 0000000..55b2a7c
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_project_alert_policy_condition.md
@@ -0,0 +1,57 @@
++++
+title = "google_project_alert_policy_condition resource"
+
+draft = false
+
+
+[menu.gcp]
+title = "google_project_alert_policy_condition"
+identifier = "inspec/resources/gcp/google_project_alert_policy_condition resource"
+parent = "inspec/resources/gcp"
++++
+
+# google\_project\_alert\_policy\_condition
+
+Use the `google_project_alert_policy_condition` InSpec audit resource to test properties of a single GCP project alert policy condition.
+
+
+## Syntax
+
+A `google_project_alert_policy_condition` resource block declares the tests for a single GCP project alert policy condition by name and filter.
+
+ describe google_project_alert_policy_condition(name: 'projects/spaterson-project/alertPolicies/9271751234503117449', filter 'project=\"spaterson-project\"') do
+ it { should exist }
+ end
+
+
+## Examples
+
+The following examples show how to use this InSpec audit resource.
+
+
+### Test that a GCP project alert policy condition has a particular threshold value
+
+ describe google_project_alert_policy_condition(name: 'projects/spaterson-project/alertPolicies/9271751234503117449', filter 'project=\"spaterson-project\"') do
+ its('condition_threshold_value'){ should eq 0.001 }
+ end
+
+### Test that a GCP project alert policy condition has a particular aggregation alignment period
+
+ describe google_project_alert_policy_condition(name: 'projects/spaterson-project/alertPolicies/9271751234503117449', filter 'project=\"spaterson-project\"') do
+ its('aggregation_alignment_period'){ should eq '60s' }
+ end
+
+
+## Properties
+
+* `condition_threshold_value`, `aggregation_alignment_period`, `aggregation_per_series_aligner`, `aggregation_cross_series_reducer`
+
+
+
+## GCP permissions
+
+Ensure the [Stackdriver Logging API](https://console.cloud.google.com/apis/api/logging.googleapis.com/) is enabled for the project.
diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_project_iam_binding.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_project_iam_binding.md
new file mode 100644
index 0000000..d4d89da
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_project_iam_binding.md
@@ -0,0 +1,58 @@
++++
+title = "google_project_iam_binding resource"
+
+draft = false
+
+
+[menu.gcp]
+title = "google_project_iam_binding"
+identifier = "inspec/resources/gcp/google_project_iam_binding resource"
+parent = "inspec/resources/gcp"
++++
+
+## Syntax
+
+A `google_project_iam_binding` is used to test a Google Project Iam Bindings
+
+## Examples
+
+```ruby
+describe google_project_iam_binding(project: "project", role: "roles/editor") do
+ it { should exist }
+ its('members') { should include 'user:testuser@example.com' }
+end
+```
+
+
+This resource supports [IAM conditions](https://cloud.google.com/iam/docs/conditions-overview). Specifying a `condition` in the constructor matches only bindings with that condition. `condition` has three possible fields, `title`, `expression` and `description`. If any of these fields are unspecified they will not be matched.
+
+```
+describe google_project_iam_binding(project: "project", role: "roles/browser", condition: { title: "my title" }) do
+ it { should exist }
+ its('members.count'){ should cmp 1 }
+ its('members') { should include 'user:testuser@example.com' }
+ its('condition.title') {should cmp 'my title' }
+ its('condition.expression') { should cmp "request.time < timestamp('2020-10-01T00:00:00.000Z')" }
+end
+```
+
+## Properties
+
+Properties that can be accessed from the `google_project_iam_binding` resource:
+
+ * `role`: Role that is assigned to members. For example, roles/viewer, roles/editor, or roles/owner.
+
+ * `members`: Specifies the identities requesting access for a Cloud Platform resource.
+
+ * `condition`: Contains information about when this binding is to be applied.
+
+ * `expression`: Textual representation of an expression in Common Expression Language syntax.
+
+ * `title`: An optional title for the expression, i.e. a short string describing its purpose.
+
+ * `description`: An optional description of the expression. This is a longer text which describes the expression.
+
+
+## GCP permissions
+
+Ensure the [Cloud Resource Manager API](https://console.cloud.google.com/apis/library/cloudresourcemanager.googleapis.com/) is enabled for the current project.
diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_project_iam_bindings.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_project_iam_bindings.md
new file mode 100644
index 0000000..8649ffa
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_project_iam_bindings.md
@@ -0,0 +1,77 @@
++++
+title = "google_project_iam_bindings resource"
+
+draft = false
+
+
+[menu.gcp]
+title = "google_project_iam_bindings"
+identifier = "inspec/resources/gcp/google_project_iam_bindings resource"
+parent = "inspec/resources/gcp"
++++
+
+# google\_project\_iam\_bindings
+
+**This resource is deprecated. Please use `google_project_iam_policy` instead**
+
+Use the `google_project_iam_bindings` InSpec audit resource to test properties of all, or a filtered group of, GCP project IAM bindings.
+
+
+## Syntax
+
+A `google_project_iam_bindings` resource block collects GCP project IAM bindings then tests that group.
+
+ describe google_project_iam_bindings(project: 'chef-inspec-gcp') do
+ it { should exist }
+ end
+
+Use this InSpec resource to enumerate roles then test in-depth using `google_project_iam_binding`.
+
+ google_project_iam_bindings(project: 'chef-inspec-gcp').iam_binding_roles.each do |iam_binding_role|
+ describe google_project_iam_binding(project: 'chef-inspec-gcp', role: iam_binding_role) do
+ it { should exist }
+ its('members') {should include 'user:someuser@domain.com' }
+ end
+ end
+
+
+## Examples
+
+The following examples show how to use this InSpec audit resource.
+
+### Test that there are no more than a specified number of IAM bindings roles available for the project
+
+ describe google_project_iam_bindings(project: 'chef-inspec-gcp') do
+ its('count') { should be <= 100}
+ end
+
+### Test that an expected role is available for the project
+
+ describe google_project_iam_bindings(project: 'chef-inspec-gcp') do
+ its('iam_binding_roles') { should include "roles/storage.admin" }
+ end
+
+### Test that a particular role does not exist using filtering of the plural resource
+
+ describe google_project_iam_bindings(project: 'chef-inspec-gcp').where(iam_binding_role: "roles/iam.securityReviewer") do
+ it { should_not exist }
+ end
+
+
+## Filter criteria
+
+This resource supports the following filter criteria: `iam_binding_role`. This may be used with `where`, as a block or as a method.
+
+## Properties
+
+* `iam_binding_roles` - an array of google_project_iam_binding role strings e.g. `["roles/compute.admin", "roles/owner"]`
+
+
+
+## GCP permissions
+
+Ensure the [Cloud Resource Manager API](https://console.cloud.google.com/apis/library/cloudresourcemanager.googleapis.com/) is enabled for the project.
\ No newline at end of file
diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_project_iam_custom_role.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_project_iam_custom_role.md
new file mode 100644
index 0000000..ea38bd3
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_project_iam_custom_role.md
@@ -0,0 +1,68 @@ ++++ +title = "google_project_iam_custom_role resource" + +draft = false + + +[menu.gcp] +title = "google_project_iam_custom_role" +identifier = "inspec/resources/gcp/google_project_iam_custom_role resource" +parent = "inspec/resources/gcp" ++++ + +Use the `google_project_iam_custom_role` InSpec audit resource to to test a Google Cloud CustomRole resource. + +## Examples + +```ruby +describe google_project_iam_custom_role(project: 'chef-gcp-inspec', name: 'admin-role') do + it { should exist } + its('stage') { should eq 'GA' } + its('included_permissions') { should eq ["iam.roles.list"] } +end + +describe google_project_iam_custom_role(project: 'chef-gcp-inspec', name: 'nonexistent') do + it { should_not exist } +end +``` + +### Test that a GCP project IAM custom role has the expected stage in the launch lifecycle + + describe google_project_iam_custom_role(project: 'chef-inspec-gcp', name: 'chef-inspec-gcp-role-abcd') do + its('stage') { should eq "GA" } + end + +### Test that a GCP project IAM custom role has the expected included permissions + + describe google_project_iam_custom_role(project: 'chef-inspec-gcp', name: 'chef-inspec-gcp-role-abcd') do + its('included_permissions') { should eq ["iam.roles.list"] } + end + +## Properties + +Properties that can be accessed from the `google_project_iam_custom_role` resource: + + + * `name`: The name of the role. + + * `title`: A human-readable title for the role. Typically this is limited to 100 UTF-8 bytes. + + * `description`: Human-readable description for the role + + * `included_permissions`: Names of permissions this role grants when bound in an IAM policy. + + * `stage`: The current launch stage of the role. 
+ Possible values: + * ALPHA + * BETA + * GA + * DEPRECATED + * DISABLED + * EAP + + * `deleted`: The current deleted state of the role + + +## GCP permissions + +Ensure the [Identity and Access Management (IAM) API](https://console.cloud.google.com/apis/library/iam.googleapis.com/) is enabled for the current project. diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_project_iam_custom_roles.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_project_iam_custom_roles.md new file mode 100644 index 0000000..6096478 --- /dev/null +++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_project_iam_custom_roles.md 
@@ -0,0 +1,43 @@ ++++ +title = "google_project_iam_custom_roles resource" + +draft = false + + +[menu.gcp] +title = "google_project_iam_custom_roles" +identifier = "inspec/resources/gcp/google_project_iam_custom_roles resource" +parent = "inspec/resources/gcp" ++++ + +Use the `google_project_iam_custom_roles` InSpec audit resource to to test a Google Cloud CustomRole resource. + +## Examples + +```ruby +describe google_project_iam_custom_roles(project: 'chef-gcp-inspec') do + its('names') { should include "projects/project-id/roles/role-id" } +end +``` + +## Properties + +Properties that can be accessed from the `google_project_iam_custom_roles` resource: + +See [google_project_iam_custom_role](google_project_iam_custom_role) for more detailed information. + + * `names`: an array of `google_project_iam_custom_role` name + * `titles`: an array of `google_project_iam_custom_role` title + * `descriptions`: an array of `google_project_iam_custom_role` description + * `included_permissions`: an array of `google_project_iam_custom_role` included_permissions + * `stages`: an array of `google_project_iam_custom_role` stage + * `deleteds`: an array of `google_project_iam_custom_role` deleted + +## Filter criteria + +This resource supports all of the above properties as filter criteria, which can be used +with `where` as a block or a method. + +## GCP permissions + +Ensure the [Identity and Access Management (IAM) API](https://console.cloud.google.com/apis/library/iam.googleapis.com/) is enabled for the current project. diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_project_iam_policy.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_project_iam_policy.md new file mode 100644 index 0000000..a78df9a --- /dev/null +++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_project_iam_policy.md 
@@ -0,0 +1,68 @@ ++++ +title = "google_project_iam_policy resource" + +draft = false + + +[menu.gcp] +title = "google_project_iam_policy" +identifier = "inspec/resources/gcp/google_project_iam_policy resource" +parent = "inspec/resources/gcp" ++++ + +## Syntax + +A `google_project_iam_policy` is used to test a Google Project Iam Policy resource. + +## Examples + +```ruby +describe google_project_iam_policy(project: "project") do + it { should exist } +end + +google_project_iam_policy(project: "project").bindings.each do |binding| + describe binding do + its('role') { should eq 'roles/editor'} + its('members') { should include 'user:testuser@example.com'} + end +end +``` + +This resource supports [IAM conditions](https://cloud.google.com/iam/docs/conditions-overview). + +## Properties + +Properties that can be accessed from the `google_project_iam_policy` resource: + + * `iam_binding_roles`: The list of roles that exist on the policy. + + * `bindings`: Associates a list of members to a role. + + * `role`: Role that is assigned to members. For example, roles/viewer, roles/editor, or roles/owner. + + * `members`: Specifies the identities requesting access for a Cloud Platform resource. + + * `condition`: Contains information about when this binding is to be applied. + + * `expression`: Textual representation of an expression in Common Expression Language syntax. + + * `title`: An optional title for the expression, i.e. a short string describing its purpose. + + * `description`: An optional description of the expression. This is a longer text which describes the expression. + + * `audit_configs`: Specifies cloud audit logging configuration for this policy. + + * `service`: Specifies a service that will be enabled for audit logging. For example, `storage.googleapis.com`, `cloudsql.googleapis.com`. `allServices` is a special value that covers all services. + + * `audit_log_configs`: The configuration for logging of each type of permission. 
+ + * `log_type`: The log type that this config enables. For example, ADMIN_READ, DATA_WRITE or DATA_READ + + * `exempted_members`: Specifies the identities that do not cause logging for this type of permission. + + + +## GCP permissions + +Ensure the [Cloud Resource Manager API](https://console.cloud.google.com/apis/library/cloudresourcemanager.googleapis.com/) is enabled for the current project. diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_project_logging_audit_config.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_project_logging_audit_config.md new file mode 100644 index 0000000..be6dc5d --- /dev/null +++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_project_logging_audit_config.md @@ -0,0 +1,58 @@ ++++ +title = "google_project_logging_audit_config resource" + +draft = false + + +[menu.gcp] +title = "google_project_logging_audit_config" +identifier = "inspec/resources/gcp/google_project_logging_audit_config resource" +parent = "inspec/resources/gcp" ++++ + +# google\_project\_logging\_audit\_config + +Use the `google_compute_zone` InSpec audit resource to test properties of a single GCP compute zone. + +
+ +## Syntax + +A `google_project_logging_audit_config` resource block declares the tests for a single GCP zone by project and name. + + describe google_project_logging_audit_config(project: 'chef-inspec-gcp') do + it { should exist } + end + +
+ +## Examples + +The following examples show how to use this InSpec audit resource. + + +### Test that a GCP project logging audit configuration has a default type defined + + describe google_project_logging_audit_config(project: 'chef-inspec-gcp') do + its('default_types') { should include 'ADMIN_READ' } + end + + +### Test that a GCP project logging audit configuration has default exempted members + + describe google_compute_zone(project: 'chef-inspec-gcp', zone: 'us-east1-b') do + it { should_not have_default_exempted_members } + end + +
+ +## Properties + +* `default_types`, `default_exempted_members` + +
+ + +## GCP permissions + +Ensure the [Cloud Resource Manager API](https://console.cloud.google.com/apis/library/cloudresourcemanager.googleapis.com/) is enabled for the project. \ No newline at end of file diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_project_metric.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_project_metric.md new file mode 100644 index 0000000..1966f9a --- /dev/null +++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_project_metric.md 
@@ -0,0 +1,117 @@ ++++ +title = "google_project_metric resource" + +draft = false + + +[menu.gcp] +title = "google_project_metric" +identifier = "inspec/resources/gcp/google_project_metric resource" +parent = "inspec/resources/gcp" ++++ + +Use the `google_project_metric` InSpec audit resource to to test a Google Cloud Metric resource. + +## Examples + +```ruby +describe google_project_metric(project: 'chef-gcp-inspec', name: 'some/metric') do + it { should exist } + its('filter') { should cmp 'resource.type=gae_app AND severity>=ERROR' } + its('metric_descriptor.metric_kind') { should cmp 'DELTA' } + its('metric_descriptor.value_type') { should cmp 'INT64' } +end + +describe google_project_metric(project: 'chef-gcp-inspec', name: 'nonexistent') do + it { should_not exist } +end +``` + +### Test that a GCP project metric exists + + describe google_project_metric(project: 'chef-inspec-gcp', metric: 'metric_name') do + it { should exist } + end + +### Test that a GCP compute zone has an expected CPU platform + + describe google_project_metric(project: 'chef-inspec-gcp', metric: 'metric_name') do + its('filter') { should eq "(protoPayload.serviceName=\"cloudresourcemanager.googleapis.com\")" } + end + +## Properties + +Properties that can be accessed from the `google_project_metric` resource: + + + * `name`: The client-assigned metric identifier. Examples - "error_count", "nginx/requests". Metric identifiers are limited to 100 characters and can include only the following characters A-Z, a-z, 0-9, and the special characters _-.,+!*',()%/. The forward-slash character (/) denotes a hierarchy of name pieces, and it cannot be the first character of the name. + + * `description`: A description of this metric, which is used in documentation. The maximum length of the description is 8000 characters. + + * `filter`: An advanced logs filter (https://cloud.google.com/logging/docs/view/advanced-filters) which is used to match log entries. 
+ + * `metric_descriptor`: The metric descriptor associated with the logs-based metric. + + * `unit`: The unit in which the metric value is reported. It is only applicable if the valueType is `INT64`, `DOUBLE`, or `DISTRIBUTION`. The supported units are a subset of [The Unified Code for Units of Measure](http://unitsofmeasure.org/ucum.html) standard + + * `value_type`: Whether the measurement is an integer, a floating-point number, etc. Some combinations of metricKind and valueType might not be supported. For counter metrics, set this to INT64. + Possible values: + * BOOL + * INT64 + * DOUBLE + * STRING + * DISTRIBUTION + * MONEY + + * `metric_kind`: Whether the metric records instantaneous values, changes to a value, etc. Some combinations of metricKind and valueType might not be supported. For counter metrics, set this to DELTA. + Possible values: + * DELTA + * GAUGE + * CUMULATIVE + + * `labels`: The set of labels that can be used to describe a specific instance of this metric type. For example, the appengine.googleapis.com/http/server/response_latencies metric type has a label for the HTTP response code, response_code, so you can look at latencies for successful responses or just for responses that failed. + + * `key`: The label key. + + * `description`: A human-readable description for the label. + + * `value_type`: The type of data that can be assigned to the label. + Possible values: + * BOOL + * INT64 + * STRING + + * `display_name`: A concise name for the metric, which can be displayed in user interfaces. Use sentence case without an ending period, for example "Request count". This field is optional but it is recommended to be set for any metrics associated with user-visible concepts, such as Quota. + + * `type`: The metric type, including its DNS name prefix. The type is not URL-encoded. All user-defined metric types have the DNS name `custom.googleapis.com` or `external.googleapis.com`. 
+ + * `label_extractors`: A map from a label key string to an extractor expression which is used to extract data from a log entry field and assign as the label value. Each label key specified in the LabelDescriptor must have an associated extractor expression in this map. The syntax of the extractor expression is the same as for the valueExtractor field. + + * `value_extractor`: A valueExtractor is required when using a distribution logs-based metric to extract the values to record from a log entry. Two functions are supported for value extraction - EXTRACT(field) or REGEXP_EXTRACT(field, regex). The argument are 1. field - The name of the log entry field from which the value is to be extracted. 2. regex - A regular expression using the Google RE2 syntax (https://github.com/google/re2/wiki/Syntax) with a single capture group to extract data from the specified log entry field. The value of the field is converted to a string before applying the regex. It is an error to specify a regex that does not include exactly one capture group. + + * `bucket_options`: The bucketOptions are required when the logs-based metric is using a DISTRIBUTION value type and it describes the bucket boundaries used to create a histogram of the extracted values. + + * `linear_buckets`: Specifies a linear sequence of buckets that all have the same width (except overflow and underflow). Each bucket represents a constant absolute uncertainty on the specific value in the bucket. + + * `num_finite_buckets`: Must be greater than 0. + + * `width`: Must be greater than 0. + + * `offset`: Lower bound of the first bucket. + + * `exponential_buckets`: Specifies an exponential sequence of buckets that have a width that is proportional to the value of the lower bound. Each bucket represents a constant relative uncertainty on a specific value in the bucket. + + * `num_finite_buckets`: Must be greater than 0. + + * `growth_factor`: Must be greater than 1. + + * `scale`: Must be greater than 0. 
+ + * `explicit_buckets`: Specifies a set of buckets with arbitrary widths. + + * `bounds`: The values must be monotonically increasing. + + +## GCP permissions + +Ensure the [Stackdriver Logging API](https://console.cloud.google.com/apis/library/logging.googleapis.com/) is enabled for the current project. diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_project_metrics.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_project_metrics.md new file mode 100644 index 0000000..ca8d6b7 --- /dev/null +++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_project_metrics.md 
@@ -0,0 +1,74 @@ ++++ +title = "google_project_metrics resource" + +draft = false + + +[menu.gcp] +title = "google_project_metrics" +identifier = "inspec/resources/gcp/google_project_metrics resource" +parent = "inspec/resources/gcp" ++++ + +Use the `google_project_metrics` InSpec audit resource to to test a Google Cloud Metric resource. + +## Examples + +```ruby +describe google_project_metrics(project: 'chef-gcp-inspec') do + it { should exist } + its('metric_filters') { should include 'resource.type=gae_app AND severity>=ERROR' } + its('metric_names') { should include 'some/metric' } +end + +describe.one do + google_project_metrics(project: 'chef-gcp-inspec').metric_types.each do |metric_type| + describe metric_type do + it { should match 'some/metric' } + end + end +end +``` + +### Test that there are no more than a specified number of metrics available for the project + + describe google_project_metrics(project: 'chef-inspec-gcp') do + its('count') { should be <= 100} + end + +### Test that an expected metric name is available for the project + + describe google_project_metrics(project: 'chef-inspec-gcp') do + its('metric_names') { should include "metric-name" } + end + +### Test that a subset of all metrics with name matching "*project*" have a particular writer identity + + google_project_metrics(project: 'chef-inspec-gcp').where(metric_name: /project/).metric_names.each do |metric_name| + describe google_project_metric(project: 'chef-inspec-gcp', metric: metric_name) do + its('filter') { should eq "(protoPayload.serviceName=\"cloudresourcemanager.googleapis.com\")" } + end + end + +## Properties + +Properties that can be accessed from the `google_project_metrics` resource: + +See [google_project_metric](google_project_metric) for more detailed information. 
+ + * `metric_names`: an array of `google_project_metric` name + * `descriptions`: an array of `google_project_metric` description + * `metric_filters`: an array of `google_project_metric` filter + * `metric_descriptors`: an array of `google_project_metric` metric_descriptor + * `label_extractors`: an array of `google_project_metric` label_extractors + * `value_extractors`: an array of `google_project_metric` value_extractor + * `bucket_options`: an array of `google_project_metric` bucket_options + +## Filter criteria + +This resource supports all of the above properties as filter criteria, which can be used +with `where` as a block or a method. + +## GCP permissions + +Ensure the [Stackdriver Logging API](https://console.cloud.google.com/apis/library/logging.googleapis.com/) is enabled for the current project. diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_project_service.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_project_service.md new file mode 100644 index 0000000..e331452 --- /dev/null +++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_project_service.md 
@@ -0,0 +1,62 @@ ++++ +title = "google_project_service resource" + +draft = false + + +[menu.gcp] +title = "google_project_service" +identifier = "inspec/resources/gcp/google_project_service resource" +parent = "inspec/resources/gcp" ++++ + +## Syntax + +A `google_project_service` is used to test a Google Service resource + + +## Beta Resource +This resource has beta fields available. To retrieve these fields, include `beta: true` in the constructor for the resource. + +## Examples + +```ruby +describe google_project_service(project: 'chef-gcp-inspec', name: 'maps-android-backend.googleapis.com') do + it { should exist } + its('state') { should cmp "ENABLED" } +end +``` + +## Properties + +Properties that can be accessed from the `google_project_service` resource: + + + * `name`: The resource name of the service + + * `parent`: The name of the parent of this service. For example 'projects/123' + + * `state`: Whether or not the service has been enabled for use by the consumer. + Possible values: + * STATE_UNSPECIFIED + * DISABLED + * ENABLED + + * `disable_dependent_services`: Indicates if dependent services should also be disabled. Can only be turned on if service is disabled. + + * `config`: The service configuration of the available service. + + * `name`: The DNS address at which this service is available. + + * `title`: The product title for this service + + * `apis`: The list of API interfaces exported by this service. + + * `name`: Name of the API + + * `version`: The version of the API + + +## GCP permissions + +Ensure the [Service Usage API](https://console.cloud.google.com/apis/library/serviceusage.googleapis.com/) is enabled for the current project. diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_project_services.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_project_services.md new file mode 100644 index 0000000..8dbca9e --- /dev/null 
+++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_project_services.md @@ -0,0 +1,52 @@ ++++ +title = "google_project_services resource" + +draft = false + + +[menu.gcp] +title = "google_project_services" +identifier = "inspec/resources/gcp/google_project_services resource" +parent = "inspec/resources/gcp" ++++ + +## Syntax + +A `google_project_services` is used to test a Google Service resource + + +## Beta Resource +This resource has beta fields available. To retrieve these fields, include `beta: true` in the constructor for the resource. + +## Examples + +```ruby +describe.one do + google_project_services(project: 'chef-gcp-inspec').names.each do |name| + describe name do + it { should match 'maps-android-backend.googleapis.com' } + end + end +end +``` + +## Properties + +Properties that can be accessed from the `google_project_services` resource: + +See [google_project_service](google_project_service) for more detailed information. + + * `names`: an array of `google_project_service` name + * `parents`: an array of `google_project_service` parent + * `states`: an array of `google_project_service` state + * `disable_dependent_services`: an array of `google_project_service` disable_dependent_services + * `configs`: an array of `google_project_service` config + +## Filter criteria + +This resource supports all of the above properties as filter criteria, which can be used +with `where` as a block or a method. + +## GCP permissions + +Ensure the [Service Usage API](https://console.cloud.google.com/apis/library/serviceusage.googleapis.com/) is enabled for the current project. diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_projects.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_projects.md new file mode 100644 index 0000000..f4a24df --- /dev/null +++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_projects.md 
@@ -0,0 +1,87 @@ ++++ +title = "google_projects resource" + +draft = false + + +[menu.gcp] +title = "google_projects" +identifier = "inspec/resources/gcp/google_projects resource" +parent = "inspec/resources/gcp" ++++ + +Use the `google_projects` InSpec audit resource to to test a Google Cloud Project resource. + +## Examples + +```ruby +describe google_projects() do + its('count') { should be >= 1 } + its('project_ids') { should include 'chef-gcp-inspec' } + its('lifecycle_states') { should include 'ACTIVE' } +end +``` + +### Test that there are no more than a specified number of projects available for the project + + describe google_projects do + its('count') { should be <= 100} + end + +### Test that an expected named project is available + + describe google_projects do + its('project_names'){ should include "GCP Project Name" } + end + +### Test that an expected project identifier is available + + describe google_projects do + its('project_ids'){ should include "gcp_project_id" } + end + +### Test that an expected project number is available + + describe google_projects do + its('project_numbers'){ should include 1122334455 } + end + +### Test that a particular subset of projects with id 'prod*' are in ACTIVE lifecycle state + + google_projects.where(project_id: /^prod/).project_ids.each do |gcp_project_id| + describe google_project(project: gcp_project_id) do + it { should exist } + its('lifecycle_state') { should eq "ACTIVE" } + end + end + +### Test that a particular subset of ACTIVE projects with id 'prod*' exist + + google_projects.where(project_id: /^prod/, lifecycle_state: 'ACTIVE').project_ids.each do |gcp_project_id| + describe google_project(project: gcp_project_id) do + it { should exist } + end + end + +## Properties + +Properties that can be accessed from the `google_projects` resource: + +See [google_project](google_project) for more detailed information. 
+ + * `project_numbers`: an array of `google_project` number + * `lifecycle_states`: an array of `google_project` lifecycle_state + * `project_names`: an array of `google_project` name + * `create_times`: an array of `google_project` create_time + * `labels`: an array of `google_project` labels + * `parents`: an array of `google_project` parent + * `project_ids`: an array of `google_project` project_id + +## Filter criteria + +This resource supports all of the above properties as filter criteria, which can be used +with `where` as a block or a method. + +## GCP permissions + +Ensure the [Cloud Resource Manager API](https://console.cloud.google.com/apis/library/cloudresourcemanager.googleapis.com/) is enabled for the current project. diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_pubsub_subscription.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_pubsub_subscription.md new file mode 100644 index 0000000..e2d4598 --- /dev/null +++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_pubsub_subscription.md 
@@ -0,0 +1,79 @@ ++++ +title = "google_pubsub_subscription resource" + +draft = false + + +[menu.gcp] +title = "google_pubsub_subscription" +identifier = "inspec/resources/gcp/google_pubsub_subscription resource" +parent = "inspec/resources/gcp" ++++ + +Use the `google_pubsub_subscription` InSpec audit resource to to test a Google Cloud Subscription resource. + +## Examples + +```ruby +describe google_pubsub_subscription(project: 'chef-gcp-inspec', name: 'inspec-gcp-subscription') do + it { should exist } +end + +describe google_pubsub_subscription(project: 'chef-gcp-inspec', name: 'nonexistent') do + it { should_not exist } +end +``` + +## Properties + +Properties that can be accessed from the `google_pubsub_subscription` resource: + + + * `name`: Name of the subscription. + + * `topic`: A reference to a Topic resource. + + * `labels`: A set of key/value label pairs to assign to this Subscription. + + * `push_config`: If push delivery is used with this subscription, this field is used to configure it. An empty pushConfig signifies that the subscriber will pull and ack messages using API methods. + + * `oidc_token`: If specified, Pub/Sub will generate and attach an OIDC JWT token as an Authorization header in the HTTP request for every pushed message. + + * `service_account_email`: Service account email to be used for generating the OIDC token. The caller (for subscriptions.create, subscriptions.patch, and subscriptions.modifyPushConfig RPCs) must have the iam.serviceAccounts.actAs permission for the service account. + + * `audience`: Audience to be used when generating OIDC token. The audience claim identifies the recipients that the JWT is intended for. The audience value is a single case-sensitive string. Having multiple values (array) for the audience field is not supported. More info about the OIDC JWT token audience here: https://tools.ietf.org/html/rfc7519#section-4.1.3 Note: if not specified, the Push endpoint URL will be used. 
+ + * `push_endpoint`: A URL locating the endpoint to which messages should be pushed. For example, a Webhook endpoint might use "https://example.com/push". + + * `attributes`: Endpoint configuration attributes. Every endpoint has a set of API supported attributes that can be used to control different aspects of the message delivery. The currently supported attribute is x-goog-version, which you can use to change the format of the pushed message. This attribute indicates the version of the data expected by the endpoint. This controls the shape of the pushed message (i.e., its fields and metadata). The endpoint version is based on the version of the Pub/Sub API. If not present during the subscriptions.create call, it will default to the version of the API used to make such call. If not present during a subscriptions.modifyPushConfig call, its value will not be changed. subscriptions.get calls will always return a valid version, even if the subscription was created without this attribute. The possible values for this attribute are: - v1beta1: uses the push format defined in the v1beta1 Pub/Sub API. - v1 or v1beta2: uses the push format defined in the v1 Pub/Sub API. + + * `ack_deadline_seconds`: This value is the maximum time after a subscriber receives a message before the subscriber should acknowledge the message. After message delivery but before the ack deadline expires and before the message is acknowledged, it is an outstanding message and will not be delivered again during that time (on a best-effort basis). For pull subscriptions, this value is used as the initial value for the ack deadline. To override this value for a given message, call subscriptions.modifyAckDeadline with the corresponding ackId if using pull. The minimum custom deadline you can specify is 10 seconds. The maximum custom deadline you can specify is 600 seconds (10 minutes). If this parameter is 0, a default value of 10 seconds is used. 
For push delivery, this value is also used to set the request timeout for the call to the push endpoint. If the subscriber never acknowledges the message, the Pub/Sub system will eventually redeliver the message. + + * `message_retention_duration`: How long to retain unacknowledged messages in the subscription's backlog, from the moment a message is published. If retainAckedMessages is true, then this also configures the retention of acknowledged messages, and thus configures how far back in time a subscriptions.seek can be done. Defaults to 7 days. Cannot be more than 7 days (`"604800s"`) or less than 10 minutes (`"600s"`). A duration in seconds with up to nine fractional digits, terminated by 's'. Example: `"600.5s"`. + + * `retain_acked_messages`: Indicates whether to retain acknowledged messages. If `true`, then messages are not expunged from the subscription's backlog, even if they are acknowledged, until they fall out of the messageRetentionDuration window. + + * `expiration_policy`: A policy that specifies the conditions for this subscription's expiration. A subscription is considered active as long as any connected subscriber is successfully consuming messages from the subscription or is issuing operations on the subscription. If expirationPolicy is not set, a default policy with ttl of 31 days will be used. If it is set but ttl is "", the resource never expires. The minimum allowed value for expirationPolicy.ttl is 1 day. + + * `ttl`: Specifies the "time-to-live" duration for an associated resource. The resource expires if it is not active for a period of ttl. If ttl is not set, the associated resource never expires. A duration in seconds with up to nine fractional digits, terminated by 's'. Example - "3.5s". + + * `filter`: The subscription only delivers the messages that match the filter. Pub/Sub automatically acknowledges the messages that don't match the filter. You can filter messages by their attributes. The maximum length of a filter is 256 bytes. 
After creating the subscription, you can't modify the filter. + + * `dead_letter_policy`: A policy that specifies the conditions for dead lettering messages in this subscription. If dead_letter_policy is not set, dead lettering is disabled. The Cloud Pub/Sub service account associated with this subscription's parent project (i.e., service-{project_number}@gcp-sa-pubsub.iam.gserviceaccount.com) must have permission to Acknowledge() messages on this subscription. + + * `dead_letter_topic`: The name of the topic to which dead letter messages should be published. Format is `projects/{project}/topics/{topic}`. The Cloud Pub/Sub service account associated with the enclosing subscription's parent project (i.e., service-{project_number}@gcp-sa-pubsub.iam.gserviceaccount.com) must have permission to Publish() to this topic. The operation will fail if the topic does not exist. Users should ensure that there is a subscription attached to this topic since messages published to a topic with no subscriptions are lost. + + * `max_delivery_attempts`: The maximum number of delivery attempts for any message. The value must be between 5 and 100. The number of delivery attempts is defined as 1 + (the sum of number of NACKs and number of times the acknowledgement deadline has been exceeded for the message). A NACK is any call to ModifyAckDeadline with a 0 deadline. Note that client libraries may automatically extend ack_deadlines. This field will be honored on a best effort basis. If this parameter is 0, a default value of 5 is used. + + * `retry_policy`: A policy that specifies how Pub/Sub retries message delivery for this subscription. If not set, the default retry policy is applied. This generally implies that messages will be retried as soon as possible for healthy subscribers. RetryPolicy will be triggered on NACKs or acknowledgement deadline exceeded events for a given message + + * `minimum_backoff`: The minimum delay between consecutive deliveries of a given message. 
Value should be between 0 and 600 seconds. Defaults to 10 seconds. A duration in seconds with up to nine fractional digits, terminated by 's'. Example: "3.5s". + + * `maximum_backoff`: The maximum delay between consecutive deliveries of a given message. Value should be between 0 and 600 seconds. Defaults to 600 seconds. A duration in seconds with up to nine fractional digits, terminated by 's'. Example: "3.5s". + + * `enable_message_ordering`: If `true`, messages published with the same orderingKey in PubsubMessage will be delivered to the subscribers in the order in which they are received by the Pub/Sub system. Otherwise, they may be delivered in any order. + + +## GCP permissions + +Ensure the [Cloud Pub/Sub API](https://console.cloud.google.com/apis/library/pubsub.googleapis.com/) is enabled for the current project. diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_pubsub_subscription_iam_binding.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_pubsub_subscription_iam_binding.md new file mode 100644 index 0000000..04a5f2f --- /dev/null +++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_pubsub_subscription_iam_binding.md 
@@ -0,0 +1,38 @@ ++++ +title = "google_pubsub_subscription_iam_binding resource" + +draft = false + + +[menu.gcp] +title = "google_pubsub_subscription_iam_binding" +identifier = "inspec/resources/gcp/google_pubsub_subscription_iam_binding resource" +parent = "inspec/resources/gcp" ++++ + +## Syntax + +A `google_pubsub_subscription_iam_binding` is used to test a Google Subscription Iam Bindings + +## Examples + +```ruby +describe google_pubsub_subscription_iam_binding(project: "project", name: "name", role: "roles/editor") do + it { should exist } + its('members') { should include 'user:testuser@example.com' } +end +``` + + +## Properties + +Properties that can be accessed from the `google_pubsub_subscription_iam_binding` resource: + + * `role`: Role that is assigned to members. For example, roles/viewer, roles/editor, or roles/owner. + + * `members`: Specifies the identities requesting access for a Cloud Platform resource. + + +## GCP permissions + +Ensure the [Cloud Pub/Sub API](https://console.cloud.google.com/apis/library/pubsub.googleapis.com/) is enabled for the current project. diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_pubsub_subscription_iam_policy.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_pubsub_subscription_iam_policy.md new file mode 100644 index 0000000..3f4d991 --- /dev/null +++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_pubsub_subscription_iam_policy.md 
@@ -0,0 +1,58 @@ ++++ +title = "google_pubsub_subscription_iam_policy resource" + +draft = false + + +[menu.gcp] +title = "google_pubsub_subscription_iam_policy" +identifier = "inspec/resources/gcp/google_pubsub_subscription_iam_policy resource" +parent = "inspec/resources/gcp" ++++ + +## Syntax + +A `google_pubsub_subscription_iam_policy` is used to test a Google Subscription Iam Policy resource. + +## Examples + +```ruby +describe google_pubsub_subscription_iam_policy(project: "project", name: "name") do + it { should exist } +end + +google_pubsub_subscription_iam_policy(project: "project", name: "name").bindings.each do |binding| + describe binding do + its('role') { should eq 'roles/editor'} + its('members') { should include 'user:testuser@example.com'} + end +end +``` + +## Properties + +Properties that can be accessed from the `google_pubsub_subscription_iam_policy` resource: + + * `iam_binding_roles`: The list of roles that exist on the policy. + + * `bindings`: Associates a list of members to a role. + + * `role`: Role that is assigned to members. For example, roles/viewer, roles/editor, or roles/owner. + + * `members`: Specifies the identities requesting access for a Cloud Platform resource. + + * `audit_configs`: Specifies cloud audit logging configuration for this policy. + + * `service`: Specifies a service that will be enabled for audit logging. For example, `storage.googleapis.com`, `cloudsql.googleapis.com`. `allServices` is a special value that covers all services. + + * `audit_log_configs`: The configuration for logging of each type of permission. + + * `log_type`: The log type that this config enables. For example, ADMIN_READ, DATA_WRITE or DATA_READ + + * `exempted_members`: Specifies the identities that do not cause logging for this type of permission. + + + +## GCP permissions + +Ensure the [Cloud Pub/Sub API](https://console.cloud.google.com/apis/library/pubsub.googleapis.com/) is enabled for the current project. 
diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_pubsub_subscriptions.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_pubsub_subscriptions.md new file mode 100644 index 0000000..db193bb --- /dev/null +++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_pubsub_subscriptions.md 
@@ -0,0 +1,55 @@ ++++ +title = "google_pubsub_subscriptions resource" + +draft = false + + +[menu.gcp] +title = "google_pubsub_subscriptions" +identifier = "inspec/resources/gcp/google_pubsub_subscriptions resource" +parent = "inspec/resources/gcp" ++++ + +Use the `google_pubsub_subscriptions` InSpec audit resource to to test a Google Cloud Subscription resource. + +## Examples + +```ruby +describe google_pubsub_subscriptions(project: 'chef-gcp-inspec') do + its('count') { should be >= 1 } +end + +google_pubsub_subscriptions(project: 'chef-gcp-inspec').names.each do |subscription_name| + describe google_pubsub_subscription(project: 'chef-gcp-inspec', name: subscription_name) do + it { should exist } + end +end +``` + +## Properties + +Properties that can be accessed from the `google_pubsub_subscriptions` resource: + +See [google_pubsub_subscription](google_pubsub_subscription) for more detailed information. + + * `names`: an array of `google_pubsub_subscription` name + * `topics`: an array of `google_pubsub_subscription` topic + * `labels`: an array of `google_pubsub_subscription` labels + * `push_configs`: an array of `google_pubsub_subscription` push_config + * `ack_deadline_seconds`: an array of `google_pubsub_subscription` ack_deadline_seconds + * `message_retention_durations`: an array of `google_pubsub_subscription` message_retention_duration + * `retain_acked_messages`: an array of `google_pubsub_subscription` retain_acked_messages + * `expiration_policies`: an array of `google_pubsub_subscription` expiration_policy + * `filters`: an array of `google_pubsub_subscription` filter + * `dead_letter_policies`: an array of `google_pubsub_subscription` dead_letter_policy + * `retry_policies`: an array of `google_pubsub_subscription` retry_policy + * `enable_message_orderings`: an array of `google_pubsub_subscription` enable_message_ordering + +## Filter criteria + +This resource supports all of the above properties as filter criteria, which can be used +with 
`where` as a block or a method. + +## GCP permissions + +Ensure the [Cloud Pub/Sub API](https://console.cloud.google.com/apis/library/pubsub.googleapis.com/) is enabled for the current project. diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_pubsub_topic.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_pubsub_topic.md new file mode 100644 index 0000000..49bdc08 --- /dev/null +++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_pubsub_topic.md 
@@ -0,0 +1,45 @@ ++++ +title = "google_pubsub_topic resource" + +draft = false + + +[menu.gcp] +title = "google_pubsub_topic" +identifier = "inspec/resources/gcp/google_pubsub_topic resource" +parent = "inspec/resources/gcp" ++++ + +Use the `google_pubsub_topic` InSpec audit resource to to test a Google Cloud Topic resource. + +## Examples + +```ruby +describe google_pubsub_topic(project: 'chef-gcp-inspec', name: 'inspec-gcp-topic') do + it { should exist } +end + +describe google_pubsub_topic(project: 'chef-gcp-inspec', name: 'nonexistent') do + it { should_not exist } +end +``` + +## Properties + +Properties that can be accessed from the `google_pubsub_topic` resource: + + + * `name`: Name of the topic. + + * `kms_key_name`: The resource name of the Cloud KMS CryptoKey to be used to protect access to messages published on this topic. Your project's PubSub service account (`service-{{PROJECT_NUMBER}}@gcp-sa-pubsub.iam.gserviceaccount.com`) must have `roles/cloudkms.cryptoKeyEncrypterDecrypter` to use this feature. The expected format is `projects/*/locations/*/keyRings/*/cryptoKeys/*` + + * `labels`: A set of key/value label pairs to assign to this Topic. + + * `message_storage_policy`: Policy constraining the set of Google Cloud Platform regions where messages published to the topic may be stored. If not present, then no constraints are in effect. + + * `allowed_persistence_regions`: A list of IDs of GCP regions where messages that are published to the topic may be persisted in storage. Messages published by publishers running in non-allowed GCP regions (or running outside of GCP altogether) will be routed for storage in one of the allowed regions. An empty list means that no regions are allowed, and is not a valid configuration. + + +## GCP permissions + +Ensure the [Cloud Pub/Sub API](https://console.cloud.google.com/apis/library/pubsub.googleapis.com/) is enabled for the current project. 
diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_pubsub_topic_iam_binding.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_pubsub_topic_iam_binding.md new file mode 100644 index 0000000..5a23239 --- /dev/null +++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_pubsub_topic_iam_binding.md @@ -0,0 +1,38 @@ ++++ +title = "google_pubsub_topic_iam_binding resource" + +draft = false + + +[menu.gcp] +title = "google_pubsub_topic_iam_binding" +identifier = "inspec/resources/gcp/google_pubsub_topic_iam_binding resource" +parent = "inspec/resources/gcp" ++++ + +## Syntax + +A `google_pubsub_topic_iam_binding` is used to test a Google Topic Iam Bindings + +## Examples + +```ruby +describe google_pubsub_topic_iam_binding(project: "project", name: "name", role: "roles/editor") do + it { should exist } + its('members') { should include 'user:testuser@example.com' } +end +``` + + +## Properties + +Properties that can be accessed from the `google_pubsub_topic_iam_binding` resource: + + * `role`: Role that is assigned to members. For example, roles/viewer, roles/editor, or roles/owner. + + * `members`: Specifies the identities requesting access for a Cloud Platform resource. + + +## GCP permissions + +Ensure the [Cloud Pub/Sub API](https://console.cloud.google.com/apis/library/pubsub.googleapis.com/) is enabled for the current project. diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_pubsub_topic_iam_policy.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_pubsub_topic_iam_policy.md new file mode 100644 index 0000000..9baf994 --- /dev/null +++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_pubsub_topic_iam_policy.md 
@@ -0,0 +1,58 @@ ++++ +title = "google_pubsub_topic_iam_policy resource" + +draft = false + + +[menu.gcp] +title = "google_pubsub_topic_iam_policy" +identifier = "inspec/resources/gcp/google_pubsub_topic_iam_policy resource" +parent = "inspec/resources/gcp" ++++ + +## Syntax + +A `google_pubsub_topic_iam_policy` is used to test a Google Topic Iam Policy resource. + +## Examples + +```ruby +describe google_pubsub_topic_iam_policy(project: "project", name: "name") do + it { should exist } +end + +google_pubsub_topic_iam_policy(project: "project", name: "name").bindings.each do |binding| + describe binding do + its('role') { should eq 'roles/editor'} + its('members') { should include 'user:testuser@example.com'} + end +end +``` + +## Properties + +Properties that can be accessed from the `google_pubsub_topic_iam_policy` resource: + + * `iam_binding_roles`: The list of roles that exist on the policy. + + * `bindings`: Associates a list of members to a role. + + * `role`: Role that is assigned to members. For example, roles/viewer, roles/editor, or roles/owner. + + * `members`: Specifies the identities requesting access for a Cloud Platform resource. + + * `audit_configs`: Specifies cloud audit logging configuration for this policy. + + * `service`: Specifies a service that will be enabled for audit logging. For example, `storage.googleapis.com`, `cloudsql.googleapis.com`. `allServices` is a special value that covers all services. + + * `audit_log_configs`: The configuration for logging of each type of permission. + + * `log_type`: The log type that this config enables. For example, ADMIN_READ, DATA_WRITE or DATA_READ + + * `exempted_members`: Specifies the identities that do not cause logging for this type of permission. + + + +## GCP permissions + +Ensure the [Cloud Pub/Sub API](https://console.cloud.google.com/apis/library/pubsub.googleapis.com/) is enabled for the current project. 
diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_pubsub_topics.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_pubsub_topics.md new file mode 100644 index 0000000..4879de4 --- /dev/null +++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_pubsub_topics.md @@ -0,0 +1,51 @@ ++++ +title = "google_pubsub_topics resource" + +draft = false + + +[menu.gcp] +title = "google_pubsub_topics" +identifier = "inspec/resources/gcp/google_pubsub_topics resource" +parent = "inspec/resources/gcp" ++++ + +Use the `google_pubsub_topics` InSpec audit resource to to test a Google Cloud Topic resource. + +## Examples + +```ruby +describe google_pubsub_topics(project: 'chef-gcp-inspec') do + it { should exist } + its('names') { should include 'inspec-gcp-topic' } + its('count') { should be >=1 } +end + +describe.one do + google_pubsub_topics(project: 'chef-gcp-inspec').names.each do |topic_name| + describe google_pubsub_topic(project: 'chef-gcp-inspec', name: topic_name) do + it { should exist } + end + end +end +``` + +## Properties + +Properties that can be accessed from the `google_pubsub_topics` resource: + +See [google_pubsub_topic](google_pubsub_topic) for more detailed information. + + * `names`: an array of `google_pubsub_topic` name + * `kms_key_names`: an array of `google_pubsub_topic` kms_key_name + * `labels`: an array of `google_pubsub_topic` labels + * `message_storage_policies`: an array of `google_pubsub_topic` message_storage_policy + +## Filter criteria + +This resource supports all of the above properties as filter criteria, which can be used +with `where` as a block or a method. + +## GCP permissions + +Ensure the [Cloud Pub/Sub API](https://console.cloud.google.com/apis/library/pubsub.googleapis.com/) is enabled for the current project. 
diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_redis_instance.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_redis_instance.md new file mode 100644 index 0000000..704ed21 --- /dev/null +++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_redis_instance.md 
@@ -0,0 +1,107 @@ ++++ +title = "google_redis_instance resource" + +draft = false + + +[menu.gcp] +title = "google_redis_instance" +identifier = "inspec/resources/gcp/google_redis_instance resource" +parent = "inspec/resources/gcp" ++++ + +## Syntax + +A `google_redis_instance` is used to test a Google Instance resource + + +## Beta Resource +This resource has beta fields available. To retrieve these fields, include `beta: true` in the constructor for the resource. + +## Examples + +```ruby +describe google_redis_instance(project: 'chef-gcp-inspec', region: 'us-central1', name: 'my-redis-cache') do + it { should exist } + its('tier') { should cmp 'STANDARD_HA' } + its('memory_size_gb') { should cmp '1' } + its('alternative_location_id') { should cmp 'us-central1-f' } + its('redis_version') { should cmp 'REDIS_3_2' } + its('display_name') { should cmp 'InSpec test instance' } + its('reserved_ip_range') { should cmp '192.168.0.0/29' } + its('labels') { should include('key' => 'value') } +end + +describe google_redis_instance(project: 'chef-gcp-inspec', region: 'us-central1', name: 'nonexistent') do + it { should_not exist } +end +``` + +## Properties + +Properties that can be accessed from the `google_redis_instance` resource: + + + * `alternative_location_id`: Only applicable to STANDARD_HA tier which protects the instance against zonal failures by provisioning it across two zones. If provided, it must be a different zone from the one provided in [locationId]. + + * `auth_enabled`: Optional. Indicates whether OSS Redis AUTH is enabled for the instance. If set to "true" AUTH is enabled on the instance. Default value is "false" meaning AUTH is disabled. + + * `authorized_network`: The full name of the Google Compute Engine network to which the instance is connected. If left unspecified, the default network will be used. + + * `connect_mode`: The connection mode of the Redis instance. 
+ Possible values: + * DIRECT_PEERING + * PRIVATE_SERVICE_ACCESS + + * `create_time`: The time the instance was created in RFC3339 UTC "Zulu" format, accurate to nanoseconds. + + * `current_location_id`: The current zone where the Redis endpoint is placed. For Basic Tier instances, this will always be the same as the [locationId] provided by the user at creation time. For Standard Tier instances, this can be either [locationId] or [alternativeLocationId] and can change after a failover event. + + * `display_name`: An arbitrary and optional user-provided name for the instance. + + * `host`: Hostname or IP address of the exposed Redis endpoint used by clients to connect to the service. + + * `labels`: Resource labels to represent user provided metadata. + + * `redis_configs`: Redis configuration parameters, according to http://redis.io/topics/config. Please check Memorystore documentation for the list of supported parameters: https://cloud.google.com/memorystore/docs/redis/reference/rest/v1/projects.locations.instances#Instance.FIELDS.redis_configs + + * `location_id`: The zone where the instance will be provisioned. If not provided, the service will choose a zone for the instance. For STANDARD_HA tier, instances will be created across two zones for protection against zonal failures. If [alternativeLocationId] is also provided, it must be different from [locationId]. + + * `name`: The ID of the instance or a fully qualified identifier for the instance. + + * `memory_size_gb`: Redis memory size in GiB. + + * `port`: The port number of the exposed Redis endpoint. + + * `persistence_iam_identity`: Output only. Cloud IAM identity used by import / export operations to transfer data to/from Cloud Storage. Format is "serviceAccount:". The value may change over time for a given instance so should be checked before each import/export operation. + + * `redis_version`: The version of Redis software. If not provided, latest supported version will be used. 
Currently, the supported values are: - REDIS_5_0 for Redis 5.0 compatibility - REDIS_4_0 for Redis 4.0 compatibility - REDIS_3_2 for Redis 3.2 compatibility + + * `reserved_ip_range`: The CIDR range of internal addresses that are reserved for this instance. If not provided, the service will choose an unused /29 block, for example, 10.0.0.0/29 or 192.168.0.0/29. Ranges must be unique and non-overlapping with existing subnets in an authorized network. + + * `tier`: The service tier of the instance. Must be one of these values: - BASIC: standalone instance - STANDARD_HA: highly available primary/replica instances + Possible values: + * BASIC + * STANDARD_HA + + * `transit_encryption_mode`: (Beta only) The TLS mode of the Redis instance, If not provided, TLS is disabled for the instance. - SERVER_AUTHENTICATION: Client to Server traffic encryption enabled with server authentcation + Possible values: + * SERVER_AUTHENTICATION + * DISABLED + + * `server_ca_certs`: (Beta only) List of server CA certificates for the instance. + + * `serial_number`: Serial number, as extracted from the certificate. + + * `cert`: Serial number, as extracted from the certificate. + + * `create_time`: The time when the certificate was created. + + * `expire_time`: The time when the certificate expires. + + * `sha1_fingerprint`: Sha1 Fingerprint of the certificate. + + * `region`: The name of the Redis region of the instance. + + +## GCP permissions diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_redis_instances.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_redis_instances.md new file mode 100644 index 0000000..c148647 --- /dev/null +++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_redis_instances.md 
@@ -0,0 +1,67 @@ ++++ +title = "google_redis_instances resource" + +draft = false + + +[menu.gcp] +title = "google_redis_instances" +identifier = "inspec/resources/gcp/google_redis_instances resource" +parent = "inspec/resources/gcp" ++++ + +## Syntax + +A `google_redis_instances` is used to test a Google Instance resource + + +## Beta Resource +This resource has beta fields available. To retrieve these fields, include `beta: true` in the constructor for the resource. + +## Examples + +```ruby +describe google_redis_instances(project: 'chef-gcp-inspec', region: 'us-central1') do + its('tiers') { should include 'STANDARD_HA' } + its('memory_size_gbs') { should include '1' } + its('alternative_location_ids') { should include 'us-central1-f' } + its('redis_versions') { should include 'REDIS_3_2' } + its('display_names') { should include 'InSpec test instance' } + its('reserved_ip_ranges') { should include '192.168.0.0/29' } +end +``` + +## Properties + +Properties that can be accessed from the `google_redis_instances` resource: + +See [google_redis_instance](google_redis_instance) for more detailed information. 
+ + * `alternative_location_ids`: an array of `google_redis_instance` alternative_location_id + * `auth_enableds`: an array of `google_redis_instance` auth_enabled + * `authorized_networks`: an array of `google_redis_instance` authorized_network + * `connect_modes`: an array of `google_redis_instance` connect_mode + * `create_times`: an array of `google_redis_instance` create_time + * `current_location_ids`: an array of `google_redis_instance` current_location_id + * `display_names`: an array of `google_redis_instance` display_name + * `hosts`: an array of `google_redis_instance` host + * `labels`: an array of `google_redis_instance` labels + * `redis_configs`: an array of `google_redis_instance` redis_configs + * `location_ids`: an array of `google_redis_instance` location_id + * `names`: an array of `google_redis_instance` name + * `memory_size_gbs`: an array of `google_redis_instance` memory_size_gb + * `ports`: an array of `google_redis_instance` port + * `persistence_iam_identities`: an array of `google_redis_instance` persistence_iam_identity + * `redis_versions`: an array of `google_redis_instance` redis_version + * `reserved_ip_ranges`: an array of `google_redis_instance` reserved_ip_range + * `tiers`: an array of `google_redis_instance` tier + * `transit_encryption_modes`: (Beta only) an array of `google_redis_instance` transit_encryption_mode + * `server_ca_certs`: (Beta only) an array of `google_redis_instance` server_ca_certs + * `regions`: an array of `google_redis_instance` region + +## Filter criteria + +This resource supports all of the above properties as filter criteria, which can be used +with `where` as a block or a method. + +## GCP permissions diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_resourcemanager_folder.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_resourcemanager_folder.md new file mode 100644 index 0000000..3aa9c3b --- /dev/null 
+++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_resourcemanager_folder.md @@ -0,0 +1,50 @@ ++++ +title = "google_resourcemanager_folder resource" + +draft = false + + +[menu.gcp] +title = "google_resourcemanager_folder" +identifier = "inspec/resources/gcp/google_resourcemanager_folder resource" +parent = "inspec/resources/gcp" ++++ + +Use the `google_resourcemanager_folder` InSpec audit resource to to test a Google Cloud Folder resource. + +## Examples + +```ruby +describe.one do + google_resourcemanager_folders(parent: 'organizations/12345').names.each do |name| + describe google_resourcemanager_folder(name: name) do + it { should exist } + its('display_name') { should eq 'inspec-gcp-folder' } + end + end +end +``` + +## Properties + +Properties that can be accessed from the `google_resourcemanager_folder` resource: + + + * `name`: The resource name of the Folder. Its format is folders/{folder_id}, for example: "folders/1234". + + * `lifecycle_state`: The lifecycle state of the folder. Updates to the lifecycleState must be performed via folders.delete and folders.undelete. + Possible values: + * LIFECYCLE_STATE_UNSPECIFIED + * ACTIVE + * DELETE_REQUESTED + + * `create_time`: Time of creation + + * `parent`: The Folder’s parent's resource name. Updates to the folder's parent must be performed via folders.move. + + * `display_name`: The folder’s display name. A folder’s display name must be unique amongst its siblings, e.g. no two folders with the same parent can share the same display name. The display name must start and end with a letter or digit, may contain letters, digits, spaces, hyphens and underscores and can be no longer than 30 characters. This is captured by the regular expression: `[\p{L}\p{N}]([\p{L}\p{N}_- ]{0,28}[\p{L}\p{N}])?`. + + +## GCP permissions + +Ensure the [Cloud Resource Manager API](https://console.cloud.google.com/apis/library/cloudresourcemanager.googleapis.com/) is enabled for the current project. 
diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_resourcemanager_folder_iam_binding.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_resourcemanager_folder_iam_binding.md new file mode 100644 index 0000000..7ced9e7 --- /dev/null +++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_resourcemanager_folder_iam_binding.md @@ -0,0 +1,38 @@ ++++ +title = "google_resourcemanager_folder_iam_binding resource" + +draft = false + + +[menu.gcp] +title = "google_resourcemanager_folder_iam_binding" +identifier = "inspec/resources/gcp/google_resourcemanager_folder_iam_binding resource" +parent = "inspec/resources/gcp" ++++ + +## Syntax + +A `google_resourcemanager_folder_iam_binding` is used to test a Google Folder Iam Bindings + +## Examples + +```ruby +describe google_resourcemanager_folder_iam_binding(name: "name", role: "roles/editor") do + it { should exist } + its('members') { should include 'user:testuser@example.com' } +end +``` + + +## Properties + +Properties that can be accessed from the `google_resourcemanager_folder_iam_binding` resource: + + * `role`: Role that is assigned to members. For example, roles/viewer, roles/editor, or roles/owner. + + * `members`: Specifies the identities requesting access for a Cloud Platform resource. + + +## GCP permissions + +Ensure the [Cloud Resource Manager API](https://console.cloud.google.com/apis/library/cloudresourcemanager.googleapis.com/) is enabled for the current project. diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_resourcemanager_folder_iam_policy.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_resourcemanager_folder_iam_policy.md new file mode 100644 index 0000000..46068dd --- /dev/null +++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_resourcemanager_folder_iam_policy.md 
@@ -0,0 +1,58 @@ ++++ +title = "google_resourcemanager_folder_iam_policy resource" + +draft = false + + +[menu.gcp] +title = "google_resourcemanager_folder_iam_policy" +identifier = "inspec/resources/gcp/google_resourcemanager_folder_iam_policy resource" +parent = "inspec/resources/gcp" ++++ + +## Syntax + +A `google_resourcemanager_folder_iam_policy` is used to test a Google Folder Iam Policy resource. + +## Examples + +```ruby +describe google_resourcemanager_folder_iam_policy(name: "name") do + it { should exist } +end + +google_resourcemanager_folder_iam_policy(name: "name").bindings.each do |binding| + describe binding do + its('role') { should eq 'roles/editor'} + its('members') { should include 'user:testuser@example.com'} + end +end +``` + +## Properties + +Properties that can be accessed from the `google_resourcemanager_folder_iam_policy` resource: + + * `iam_binding_roles`: The list of roles that exist on the policy. + + * `bindings`: Associates a list of members to a role. + + * `role`: Role that is assigned to members. For example, roles/viewer, roles/editor, or roles/owner. + + * `members`: Specifies the identities requesting access for a Cloud Platform resource. + + * `audit_configs`: Specifies cloud audit logging configuration for this policy. + + * `service`: Specifies a service that will be enabled for audit logging. For example, `storage.googleapis.com`, `cloudsql.googleapis.com`. `allServices` is a special value that covers all services. + + * `audit_log_configs`: The configuration for logging of each type of permission. + + * `log_type`: The log type that this config enables. For example, ADMIN_READ, DATA_WRITE or DATA_READ + + * `exempted_members`: Specifies the identities that do not cause logging for this type of permission. + + + +## GCP permissions + +Ensure the [Cloud Resource Manager API](https://console.cloud.google.com/apis/library/cloudresourcemanager.googleapis.com/) is enabled for the current project. 
diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_resourcemanager_folders.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_resourcemanager_folders.md new file mode 100644 index 0000000..eed13d3 --- /dev/null +++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_resourcemanager_folders.md @@ -0,0 +1,46 @@ ++++ +title = "google_resourcemanager_folders resource" + +draft = false + + +[menu.gcp] +title = "google_resourcemanager_folders" +identifier = "inspec/resources/gcp/google_resourcemanager_folders resource" +parent = "inspec/resources/gcp" ++++ + +Use the `google_resourcemanager_folders` InSpec audit resource to to test a Google Cloud Folder resource. + +## Examples + +```ruby +describe.one do + google_resourcemanager_folders(parent: 'organizations/12345').display_names.each do |display_name| + describe display_name do + it { should eq 'inspec-gcp-folder' } + end + end +end +``` + +## Properties + +Properties that can be accessed from the `google_resourcemanager_folders` resource: + +See [google_resourcemanager_folder](google_resourcemanager_folder) for more detailed information. + + * `names`: an array of `google_resourcemanager_folder` name + * `lifecycle_states`: an array of `google_resourcemanager_folder` lifecycle_state + * `create_times`: an array of `google_resourcemanager_folder` create_time + * `parents`: an array of `google_resourcemanager_folder` parent + * `display_names`: an array of `google_resourcemanager_folder` display_name + +## Filter criteria + +This resource supports all of the above properties as filter criteria, which can be used +with `where` as a block or a method. + +## GCP permissions + +Ensure the [Cloud Resource Manager API](https://console.cloud.google.com/apis/library/cloudresourcemanager.googleapis.com/) is enabled for the current project. 
diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_resourcemanager_organization_policy.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_resourcemanager_organization_policy.md
new file mode 100644
index 0000000..bbcdfd5
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_resourcemanager_organization_policy.md
@@ -0,0 +1,51 @@
++++
+title = "google_resourcemanager_organization_policy resource"
+
+draft = false
+
+
+[menu.gcp]
+title = "google_resourcemanager_organization_policy"
+identifier = "inspec/resources/gcp/google_resourcemanager_organization_policy resource"
+parent = "inspec/resources/gcp"
++++
+
+## Syntax
+
+A `google_resourcemanager_organization_policy` is used to test organization policy constraints. More information can be found here [Organization Policy Constraints](https://cloud.google.com/resource-manager/docs/organization-policy/org-policy-constraints)
+
+## Examples
+
+```ruby
+describe google_resourcemanager_organization_policy(organization_name: "organizations/123456789", constraint: "constraints/compute.disableSerialPortAccess") do
+ it { should exist }
+ its('constraint') { should eq 'constraints/compute.disableSerialPortAccess' }
+ its('boolean_policy.enforced') { should be true }
+end
+```
+
+## Properties
+
+Properties that can be accessed from the `google_resourcemanager_organization_policy` resource:
+
+ * `version`: The version of the policy.
+
+ * `constraint`: The name of the constraint the policy is configuring.
+
+ * `update_time`: The time stamp the policy was previously updated.
+
+ * `list_policy`: List of values either allowed or disallowed
+
+ * `allowed_values`: List of values allowed
+
+ * `denied_values`: List of values denied
+
+ * `boolean_policy`: Used to specify how a boolean policy will behave
+
+ * `enforced`: If true then the policy is enforced. If false then any configuration is acceptable
+
+
+
+## GCP permissions
+
+Ensure the [Cloud Resource Manager API](https://console.cloud.google.com/apis/library/cloudresourcemanager.googleapis.com/) is enabled for the current project.
diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_resourcemanager_project_iam_binding.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_resourcemanager_project_iam_binding.md
new file mode 100644
index 0000000..bdf0ba3
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_resourcemanager_project_iam_binding.md
@@ -0,0 +1,37 @@
++++
+title = "google_resourcemanager_project_iam_binding resource"
+
+draft = false
+
+
+[menu.gcp]
+title = "google_resourcemanager_project_iam_binding"
+identifier = "inspec/resources/gcp/google_resourcemanager_project_iam_binding resource"
+parent = "inspec/resources/gcp"
++++
+
+## Syntax
+
+A `google_resourcemanager_project_iam_binding` is used to test a Google Project Iam Bindings
+
+## Examples
+
+```ruby
+describe google_resourcemanager_project_iam_binding(project_id: "projectId", role: "roles/editor") do
+ it { should exist }
+ its('members') { should include 'user:testuser@example.com' }
+end
+```
+
+## Properties
+
+Properties that can be accessed from the `google_resourcemanager_project_iam_binding` resource:
+
+ * `role`: Role that is assigned to members. For example, roles/viewer, roles/editor, or roles/owner.
+
+ * `members`: Specifies the identities requesting access for a Cloud Platform resource.
+
+
+## GCP permissions
+
+Ensure the [Cloud Resource Manager API](https://console.cloud.google.com/apis/library/cloudresourcemanager.googleapis.com/) is enabled for the current project.
diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_resourcemanager_project_iam_policy.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_resourcemanager_project_iam_policy.md
new file mode 100644
index 0000000..cd4ed93
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_resourcemanager_project_iam_policy.md
@@ -0,0 +1,58 @@
++++
+title = "google_resourcemanager_project_iam_policy resource"
+
+draft = false
+
+
+[menu.gcp]
+title = "google_resourcemanager_project_iam_policy"
+identifier = "inspec/resources/gcp/google_resourcemanager_project_iam_policy resource"
+parent = "inspec/resources/gcp"
++++
+
+## Syntax
+
+A `google_resourcemanager_project_iam_policy` is used to test a Google Project Iam Policy resource.
+
+## Examples
+
+```ruby
+describe google_resourcemanager_project_iam_policy(project_id: "projectId") do
+ it { should exist }
+end
+
+google_resourcemanager_project_iam_policy(project_id: "projectId").bindings.each do |binding|
+ describe binding do
+ its('role') { should eq 'roles/editor'}
+ its('members') { should include 'user:testuser@example.com'}
+ end
+end
+```
+
+## Properties
+
+Properties that can be accessed from the `google_resourcemanager_project_iam_policy` resource:
+
+ * `iam_binding_roles`: The list of roles that exist on the policy.
+
+ * `bindings`: Associates a list of members to a role.
+
+ * `role`: Role that is assigned to members. For example, roles/viewer, roles/editor, or roles/owner.
+
+ * `members`: Specifies the identities requesting access for a Cloud Platform resource.
+
+ * `audit_configs`: Specifies cloud audit logging configuration for this policy.
+
+ * `service`: Specifies a service that will be enabled for audit logging. For example, `storage.googleapis.com`, `cloudsql.googleapis.com`. `allServices` is a special value that covers all services.
+
+ * `audit_log_configs`: The configuration for logging of each type of permission.
+
+ * `log_type`: The log type that this config enables. For example, ADMIN_READ, DATA_WRITE or DATA_READ
+
+ * `exempted_members`: Specifies the identities that do not cause logging for this type of permission.
+
+
+
+## GCP permissions
+
+Ensure the [Cloud Resource Manager API](https://console.cloud.google.com/apis/library/cloudresourcemanager.googleapis.com/) is enabled for the current project.
diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_run_job.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_run_job.md
new file mode 100644
index 0000000..1b61038
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_run_job.md
@@ -0,0 +1,477 @@ ++++ +title = "google_run_job resource" + +draft = false + + + +[menu.gcp] +title = "google_run_job" +identifier = "inspec/resources/gcp/google_run_job resource" +parent = "inspec/resources/gcp" ++++ + +Use the `google_run_job` InSpec audit resource to test the properties of a Google Cloud Job resource. + +## Examples + +```ruby +describe google_run_job(name: 'projects/{project}/locations/{location}/jobs/{value_name}') do + it { should exist } + its('name') { should cmp 'value_name' } + its('uid') { should cmp 'value_uid' } + its('generation') { should cmp 'value_generation' } + its('create_time') { should cmp 'value_createtime' } + its('update_time') { should cmp 'value_updatetime' } + its('delete_time') { should cmp 'value_deletetime' } + its('expire_time') { should cmp 'value_expiretime' } + its('creator') { should cmp 'value_creator' } + its('last_modifier') { should cmp 'value_lastmodifier' } + its('client') { should cmp 'value_client' } + its('client_version') { should cmp 'value_clientversion' } + its('launch_stage') { should cmp 'value_launchstage' } + its('observed_generation') { should cmp 'value_observedgeneration' } + its('start_execution_token') { should cmp 'value_startexecutiontoken' } + its('run_execution_token') { should cmp 'value_runexecutiontoken' } + its('etag') { should cmp 'value_etag' } +end + +describe google_run_job(name: "projects/{project}/locations/{location}/jobs/{does_not_exit}") do + it { should_not exist } +end +``` + +## Parameters + +Parameters that can be accessed from the `google_run_job` resource: + +## Properties + +Properties that can be accessed from the `google_run_job` resource: + + + * `name`: The fully qualified name of this Job. Format: projects/{project}/locations/{location}/jobs/{job} + + * `uid`: Output only. Server assigned unique identifier for the Execution. The value is a UUID4 string and guaranteed to remain unchanged until the resource is deleted. + + * `generation`: Output only. 
A number that monotonically increases every time the user modifies the desired state. + + * `labels`: Unstructured key value map that can be used to organize and categorize objects. User-provided labels are shared with Google's billing system, so they can be used to filter, or break down billing charges by team, component, environment, state, etc. For more information, visit https://cloud.google.com/resource-manager/docs/creating-managing-labels or https://cloud.google.com/run/docs/configuring/labels. Cloud Run API v2 does not support labels with `run.googleapis.com`, `cloud.googleapis.com`, `serving.knative.dev`, or `autoscaling.knative.dev` namespaces, and they will be rejected. All system labels in v1 now have a corresponding field in v2 Job. + + * `additional_properties`: + + * `annotations`: Unstructured key value map that may be set by external tools to store and arbitrary metadata. They are not queryable and should be preserved when modifying objects. Cloud Run API v2 does not support annotations with `run.googleapis.com`, `cloud.googleapis.com`, `serving.knative.dev`, or `autoscaling.knative.dev` namespaces, and they will be rejected on new resources. All system annotations in v1 now have a corresponding field in v2 Job. This field follows Kubernetes annotations' namespacing, limits, and rules. + + * `additional_properties`: + + * `create_time`: Output only. The creation time. + + * `update_time`: Output only. The last-modified time. + + * `delete_time`: Output only. The deletion time. It is only populated as a response to a Delete request. + + * `expire_time`: Output only. For a deleted resource, the time after which it will be permamently deleted. + + * `creator`: Output only. Email address of the authenticated creator. + + * `last_modifier`: Output only. Email address of the last authenticated modifier. + + * `client`: Arbitrary identifier for the API client. + + * `client_version`: Arbitrary version identifier for the API client. 
+ + * `launch_stage`: The launch stage as defined by [Google Cloud Platform Launch Stages](https://cloud.google.com/terms/launch-stages). Cloud Run supports `ALPHA`, `BETA`, and `GA`. If no value is specified, GA is assumed. Set the launch stage to a preview stage on input to allow use of preview features in that stage. On read (or output), describes whether the resource uses preview features. For example, if ALPHA is provided as input, but only BETA and GA-level features are used, this field will be BETA on output. + Possible values: + * LAUNCH_STAGE_UNSPECIFIED + * UNIMPLEMENTED + * PRELAUNCH + * EARLY_ACCESS + * ALPHA + * BETA + * GA + * DEPRECATED + + * `binary_authorization`: Settings for Binary Authorization feature. + + * `use_default`: Optional. If True, indicates to use the default project's binary authorization policy. If False, binary authorization will be disabled. + + * `policy`: Optional. The path to a binary authorization policy. Format: projects/{project}/platforms/cloudRun/{policy-name} + + * `breakglass_justification`: Optional. If present, indicates to use Breakglass using this justification. If use_default is False, then it must be empty. For more information on breakglass, see https://cloud.google.com/binary-authorization/docs/using-breakglass + + * `template`: ExecutionTemplate describes the data an execution should have when created from a template. + + * `labels`: Unstructured key value map that can be used to organize and categorize objects. User-provided labels are shared with Google's billing system, so they can be used to filter, or break down billing charges by team, component, environment, state, etc. For more information, visit https://cloud.google.com/resource-manager/docs/creating-managing-labels or https://cloud.google.com/run/docs/configuring/labels. Cloud Run API v2 does not support labels with `run.googleapis.com`, `cloud.googleapis.com`, `serving.knative.dev`, or `autoscaling.knative.dev` namespaces, and they will be rejected. 
All system labels in v1 now have a corresponding field in v2 ExecutionTemplate. + + * `additional_properties`: + + * `annotations`: Unstructured key value map that may be set by external tools to store and arbitrary metadata. They are not queryable and should be preserved when modifying objects. Cloud Run API v2 does not support annotations with `run.googleapis.com`, `cloud.googleapis.com`, `serving.knative.dev`, or `autoscaling.knative.dev` namespaces, and they will be rejected. All system annotations in v1 now have a corresponding field in v2 ExecutionTemplate. This field follows Kubernetes annotations' namespacing, limits, and rules. + + * `additional_properties`: + + * `parallelism`: Specifies the maximum desired number of tasks the execution should run at given time. Must be <= task_count. When the job is run, if this field is 0 or unset, the maximum possible value will be used for that execution. The actual number of tasks running in steady state will be less than this number when there are fewer tasks waiting to be completed remaining, i.e. when the work left to do is less than max parallelism. + + * `task_count`: Specifies the desired number of tasks the execution should run. Setting to 1 means that parallelism is limited to 1 and the success of that task signals the success of the execution. Defaults to 1. + + * `template`: TaskTemplate describes the data a task should have when created from a template. + + * `containers`: Holds the single container that defines the unit of execution for this task. + + * `name`: Name of the container specified as a DNS_LABEL (RFC 1123). + + * `image`: Required. Name of the container image in Dockerhub, Google Artifact Registry, or Google Container Registry. If the host is not provided, Dockerhub is assumed. + + * `command`: Entrypoint array. Not executed within a shell. The docker image's ENTRYPOINT is used if this is not provided. + + * `args`: Arguments to the entrypoint. 
The docker image's CMD is used if this is not provided. + + * `env`: List of environment variables to set in the container. + + * `name`: Required. Name of the environment variable. Must not exceed 32768 characters. + + * `value`: Variable references $(VAR_NAME) are expanded using the previous defined environment variables in the container and any route environment variables. If a variable cannot be resolved, the reference in the input string will be unchanged. The $(VAR_NAME) syntax can be escaped with a double $$, ie: $$(VAR_NAME). Escaped references will never be expanded, regardless of whether the variable exists or not. Defaults to "", and the maximum length is 32768 bytes. + + * `value_source`: EnvVarSource represents a source for the value of an EnvVar. + + * `secret_key_ref`: SecretEnvVarSource represents a source for the value of an EnvVar. + + * `secret`: Required. The name of the secret in Cloud Secret Manager. Format: {secret_name} if the secret is in the same project. projects/{project}/secrets/{secret_name} if the secret is in a different project. + + * `version`: The Cloud Secret Manager secret version. Can be 'latest' for the latest version, an integer for a specific version, or a version alias. + + * `resources`: ResourceRequirements describes the compute resource requirements. + + * `limits`: Only `memory` and `cpu` keys in the map are supported. Notes: * The only supported values for CPU are '1', '2', '4', and '8'. Setting 4 CPU requires at least 2Gi of memory. For more information, go to https://cloud.google.com/run/docs/configuring/cpu. * For supported 'memory' values and syntax, go to https://cloud.google.com/run/docs/configuring/memory-limits + + * `additional_properties`: + + * `cpu_idle`: Determines whether CPU is only allocated during requests (true by default). However, if ResourceRequirements is set, the caller must explicitly set this field to true to preserve the default behavior. 
+ + * `startup_cpu_boost`: Determines whether CPU should be boosted on startup of a new container instance above the requested CPU threshold, this can help reduce cold-start latency. + + * `ports`: List of ports to expose from the container. Only a single port can be specified. The specified ports must be listening on all interfaces (0.0.0.0) within the container to be accessible. If omitted, a port number will be chosen and passed to the container through the PORT environment variable for the container to listen on. + + * `name`: If specified, used to specify which protocol to use. Allowed values are "http1" and "h2c". + + * `container_port`: Port number the container listens on. This must be a valid TCP port number, 0 < container_port < 65536. + + * `volume_mounts`: Volume to mount into the container's filesystem. + + * `name`: Required. This must match the Name of a Volume. + + * `mount_path`: Required. Path within the container at which the volume should be mounted. Must not contain ':'. For Cloud SQL volumes, it can be left empty, or must otherwise be `/cloudsql`. All instances defined in the Volume will be available as `/cloudsql/[instance]`. For more information on Cloud SQL volumes, visit https://cloud.google.com/sql/docs/mysql/connect-run + + * `working_dir`: Container's working directory. If not specified, the container runtime's default will be used, which might be configured in the container image. + + * `liveness_probe`: Probe describes a health check to be performed against a container to determine whether it is alive or ready to receive traffic. + + * `initial_delay_seconds`: Optional. Number of seconds after the container has started before the probe is initiated. Defaults to 0 seconds. Minimum value is 0. Maximum value for liveness probe is 3600. Maximum value for startup probe is 240. + + * `timeout_seconds`: Optional. Number of seconds after which the probe times out. Defaults to 1 second. Minimum value is 1. Maximum value is 3600. 
Must be smaller than period_seconds. + + * `period_seconds`: Optional. How often (in seconds) to perform the probe. Default to 10 seconds. Minimum value is 1. Maximum value for liveness probe is 3600. Maximum value for startup probe is 240. Must be greater or equal than timeout_seconds. + + * `failure_threshold`: Optional. Minimum consecutive failures for the probe to be considered failed after having succeeded. Defaults to 3. Minimum value is 1. + + * `http_get`: HTTPGetAction describes an action based on HTTP Get requests. + + * `path`: Optional. Path to access on the HTTP server. Defaults to '/'. + + * `http_headers`: Optional. Custom headers to set in the request. HTTP allows repeated headers. + + * `name`: Required. The header field name + + * `value`: Optional. The header field value + + * `port`: Optional. Port number to access on the container. Must be in the range 1 to 65535. If not specified, defaults to the exposed port of the container, which is the value of container.ports[0].containerPort. + + * `tcp_socket`: TCPSocketAction describes an action based on opening a socket + + * `port`: Optional. Port number to access on the container. Must be in the range 1 to 65535. If not specified, defaults to the exposed port of the container, which is the value of container.ports[0].containerPort. + + * `grpc`: GRPCAction describes an action involving a GRPC port. + + * `port`: Optional. Port number of the gRPC service. Number must be in the range 1 to 65535. If not specified, defaults to the exposed port of the container, which is the value of container.ports[0].containerPort. + + * `service`: Optional. Service is the name of the service to place in the gRPC HealthCheckRequest (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md ). If this is not specified, the default behavior is defined by gRPC. + + * `startup_probe`: Probe describes a health check to be performed against a container to determine whether it is alive or ready to receive traffic. 
+ + * `initial_delay_seconds`: Optional. Number of seconds after the container has started before the probe is initiated. Defaults to 0 seconds. Minimum value is 0. Maximum value for liveness probe is 3600. Maximum value for startup probe is 240. + + * `timeout_seconds`: Optional. Number of seconds after which the probe times out. Defaults to 1 second. Minimum value is 1. Maximum value is 3600. Must be smaller than period_seconds. + + * `period_seconds`: Optional. How often (in seconds) to perform the probe. Default to 10 seconds. Minimum value is 1. Maximum value for liveness probe is 3600. Maximum value for startup probe is 240. Must be greater or equal than timeout_seconds. + + * `failure_threshold`: Optional. Minimum consecutive failures for the probe to be considered failed after having succeeded. Defaults to 3. Minimum value is 1. + + * `http_get`: HTTPGetAction describes an action based on HTTP Get requests. + + * `path`: Optional. Path to access on the HTTP server. Defaults to '/'. + + * `http_headers`: Optional. Custom headers to set in the request. HTTP allows repeated headers. + + * `name`: Required. The header field name + + * `value`: Optional. The header field value + + * `port`: Optional. Port number to access on the container. Must be in the range 1 to 65535. If not specified, defaults to the exposed port of the container, which is the value of container.ports[0].containerPort. + + * `tcp_socket`: TCPSocketAction describes an action based on opening a socket + + * `port`: Optional. Port number to access on the container. Must be in the range 1 to 65535. If not specified, defaults to the exposed port of the container, which is the value of container.ports[0].containerPort. + + * `grpc`: GRPCAction describes an action involving a GRPC port. + + * `port`: Optional. Port number of the gRPC service. Number must be in the range 1 to 65535. 
If not specified, defaults to the exposed port of the container, which is the value of container.ports[0].containerPort. + + * `service`: Optional. Service is the name of the service to place in the gRPC HealthCheckRequest (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md ). If this is not specified, the default behavior is defined by gRPC. + + * `depends_on`: Names of the containers that must start before this container. + + * `volumes`: Optional. A list of Volumes to make available to containers. + + * `name`: Required. Volume's name. + + * `secret`: The secret's value will be presented as the content of a file whose name is defined in the item path. If no items are defined, the name of the file is the secret. + + * `secret`: Required. The name of the secret in Cloud Secret Manager. Format: {secret} if the secret is in the same project. projects/{project}/secrets/{secret} if the secret is in a different project. + + * `items`: If unspecified, the volume will expose a file whose name is the secret, relative to VolumeMount.mount_path. If specified, the key will be used as the version to fetch from Cloud Secret Manager and the path will be the name of the file exposed in the volume. When items are defined, they must specify a path and a version. + + * `path`: Required. The relative path of the secret in the container. + + * `version`: The Cloud Secret Manager secret version. Can be 'latest' for the latest value, or an integer or a secret alias for a specific version. + + * `mode`: Integer octal mode bits to use on this file, must be a value between 01 and 0777 (octal). If 0 or not set, the Volume's default mode will be used. Notes * Internally, a umask of 0222 will be applied to any non-zero value. * This is an integer representation of the mode bits. So, the octal integer value should look exactly as the chmod numeric notation with a leading zero. Some examples: for chmod 777 (a=rwx), set to 0777 (octal) or 511 (base-10). 
For chmod 640 (u=rw,g=r), set to 0640 (octal) or 416 (base-10). For chmod 755 (u=rwx,g=rx,o=rx), set to 0755 (octal) or 493 (base-10). * This might be in conflict with other options that affect the file mode, like fsGroup, and the result can be other mode bits set. + + * `default_mode`: Integer representation of mode bits to use on created files by default. Must be a value between 0000 and 0777 (octal), defaulting to 0444. Directories within the path are not affected by this setting. Notes * Internally, a umask of 0222 will be applied to any non-zero value. * This is an integer representation of the mode bits. So, the octal integer value should look exactly as the chmod numeric notation with a leading zero. Some examples: for chmod 777 (a=rwx), set to 0777 (octal) or 511 (base-10). For chmod 640 (u=rw,g=r), set to 0640 (octal) or 416 (base-10). For chmod 755 (u=rwx,g=rx,o=rx), set to 0755 (octal) or 493 (base-10). * This might be in conflict with other options that affect the file mode, like fsGroup, and the result can be other mode bits set. This might be in conflict with other options that affect the file mode, like fsGroup, and as a result, other mode bits could be set. + + * `cloud_sql_instance`: Represents a set of Cloud SQL instances. Each one will be available under /cloudsql/[instance]. Visit https://cloud.google.com/sql/docs/mysql/connect-run for more information on how to connect Cloud SQL and Cloud Run. + + * `instances`: The Cloud SQL instance connection names, as can be found in https://console.cloud.google.com/sql/instances. Visit https://cloud.google.com/sql/docs/mysql/connect-run for more information on how to connect Cloud SQL and Cloud Run. Format: {project}:{location}:{instance} + + * `empty_dir`: In memory (tmpfs) ephemeral storage. It is ephemeral in the sense that when the sandbox is taken down, the data is destroyed with it (it does not persist across sandbox runs). + + * `medium`: The medium on which the data is stored. 
Acceptable values today is only MEMORY or none. When none, the default will currently be backed by memory but could change over time. +optional + Possible values: + * MEDIUM_UNSPECIFIED + * MEMORY + + * `size_limit`: Limit on the storage usable by this EmptyDir volume. The size limit is also applicable for memory medium. The maximum usage on memory medium EmptyDir would be the minimum value between the SizeLimit specified here and the sum of memory limits of all containers. The default is nil which means that the limit is undefined. More info: https://cloud.google.com/run/docs/configuring/in-memory-volumes#configure-volume. Info in Kubernetes: https://kubernetes.io/docs/concepts/storage/volumes/#emptydir + + * `nfs`: Represents an NFS mount. + + * `server`: Hostname or IP address of the NFS server + + * `path`: Path that is exported by the NFS server. + + * `read_only`: If true, the volume will be mounted as read only for all mounts. + + * `gcs`: Represents a volume backed by a Cloud Storage bucket using Cloud Storage FUSE. + + * `bucket`: Cloud Storage Bucket name. + + * `read_only`: If true, the volume will be mounted as read only for all mounts. + + * `max_retries`: Number of retries allowed per Task, before marking this Task failed. Defaults to 3. + + * `timeout`: Optional. Max allowed time duration the Task may be active before the system will actively try to mark it failed and kill associated containers. This applies per attempt of a task, meaning each retry can run for the full timeout. Defaults to 600 seconds. + + * `service_account`: Optional. Email address of the IAM service account associated with the Task of a Job. The service account represents the identity of the running task, and determines what permissions the task has. If not provided, the task will use the project's default service account. + + * `execution_environment`: Optional. The execution environment being used to host this Task. 
+ Possible values: + * EXECUTION_ENVIRONMENT_UNSPECIFIED + * EXECUTION_ENVIRONMENT_GEN1 + * EXECUTION_ENVIRONMENT_GEN2 + + * `encryption_key`: A reference to a customer managed encryption key (CMEK) to use to encrypt this container image. For more information, go to https://cloud.google.com/run/docs/securing/using-cmek + + * `vpc_access`: VPC Access settings. For more information on sending traffic to a VPC network, visit https://cloud.google.com/run/docs/configuring/connecting-vpc. + + * `connector`: VPC Access connector name. Format: projects/{project}/locations/{location}/connectors/{connector}, where {project} can be project id or number. For more information on sending traffic to a VPC network via a connector, visit https://cloud.google.com/run/docs/configuring/vpc-connectors. + + * `egress`: Optional. Traffic VPC egress settings. If not provided, it defaults to PRIVATE_RANGES_ONLY. + Possible values: + * VPC_EGRESS_UNSPECIFIED + * ALL_TRAFFIC + * PRIVATE_RANGES_ONLY + + * `network_interfaces`: Optional. Direct VPC egress settings. Currently only single network interface is supported. + + * `network`: Optional. The VPC network that the Cloud Run resource will be able to send traffic to. At least one of network or subnetwork must be specified. If both network and subnetwork are specified, the given VPC subnetwork must belong to the given VPC network. If network is not specified, it will be looked up from the subnetwork. + + * `subnetwork`: Optional. The VPC subnetwork that the Cloud Run resource will get IPs from. At least one of network or subnetwork must be specified. If both network and subnetwork are specified, the given VPC subnetwork must belong to the given VPC network. If subnetwork is not specified, the subnetwork with the same name with the network will be used. + + * `tags`: Optional. Network tags applied to this Cloud Run resource. + + * `observed_generation`: Output only. The generation of this Job. 
See comments in `reconciling` for additional information on reconciliation process in Cloud Run. + + * `terminal_condition`: Defines a status condition for a resource. + + * `type`: type is used to communicate the status of the reconciliation process. See also: https://github.com/knative/serving/blob/main/docs/spec/errors.md#error-conditions-and-reporting Types common to all resources include: * "Ready": True when the Resource is ready. + + * `state`: State of the condition. + Possible values: + * STATE_UNSPECIFIED + * CONDITION_PENDING + * CONDITION_RECONCILING + * CONDITION_FAILED + * CONDITION_SUCCEEDED + + * `message`: Human readable message indicating details about the current status. + + * `last_transition_time`: Last time the condition transitioned from one status to another. + + * `severity`: How to interpret failures of this condition, one of Error, Warning, Info + Possible values: + * SEVERITY_UNSPECIFIED + * ERROR + * WARNING + * INFO + + * `reason`: Output only. A common (service-level) reason for this condition. + Possible values: + * COMMON_REASON_UNDEFINED + * UNKNOWN + * REVISION_FAILED + * PROGRESS_DEADLINE_EXCEEDED + * CONTAINER_MISSING + * CONTAINER_PERMISSION_DENIED + * CONTAINER_IMAGE_UNAUTHORIZED + * CONTAINER_IMAGE_AUTHORIZATION_CHECK_FAILED + * ENCRYPTION_KEY_PERMISSION_DENIED + * ENCRYPTION_KEY_CHECK_FAILED + * SECRETS_ACCESS_CHECK_FAILED + * WAITING_FOR_OPERATION + * IMMEDIATE_RETRY + * POSTPONED_RETRY + * INTERNAL + + * `revision_reason`: Output only. A reason for the revision condition. + Possible values: + * REVISION_REASON_UNDEFINED + * PENDING + * RESERVE + * RETIRED + * RETIRING + * RECREATING + * HEALTH_CHECK_CONTAINER_ERROR + * CUSTOMIZED_PATH_RESPONSE_PENDING + * MIN_INSTANCES_NOT_PROVISIONED + * ACTIVE_REVISION_LIMIT_REACHED + * NO_DEPLOYMENT + * HEALTH_CHECK_SKIPPED + * MIN_INSTANCES_WARMING + + * `execution_reason`: Output only. A reason for the execution condition. 
+ Possible values: + * EXECUTION_REASON_UNDEFINED + * JOB_STATUS_SERVICE_POLLING_ERROR + * NON_ZERO_EXIT_CODE + * CANCELLED + * CANCELLING + * DELETED + + * `conditions`: Output only. The Conditions of all other associated sub-resources. They contain additional diagnostics information in case the Job does not reach its desired state. See comments in `reconciling` for additional information on reconciliation process in Cloud Run. + + * `type`: type is used to communicate the status of the reconciliation process. See also: https://github.com/knative/serving/blob/main/docs/spec/errors.md#error-conditions-and-reporting Types common to all resources include: * "Ready": True when the Resource is ready. + + * `state`: State of the condition. + Possible values: + * STATE_UNSPECIFIED + * CONDITION_PENDING + * CONDITION_RECONCILING + * CONDITION_FAILED + * CONDITION_SUCCEEDED + + * `message`: Human readable message indicating details about the current status. + + * `last_transition_time`: Last time the condition transitioned from one status to another. + + * `severity`: How to interpret failures of this condition, one of Error, Warning, Info + Possible values: + * SEVERITY_UNSPECIFIED + * ERROR + * WARNING + * INFO + + * `reason`: Output only. A common (service-level) reason for this condition. + Possible values: + * COMMON_REASON_UNDEFINED + * UNKNOWN + * REVISION_FAILED + * PROGRESS_DEADLINE_EXCEEDED + * CONTAINER_MISSING + * CONTAINER_PERMISSION_DENIED + * CONTAINER_IMAGE_UNAUTHORIZED + * CONTAINER_IMAGE_AUTHORIZATION_CHECK_FAILED + * ENCRYPTION_KEY_PERMISSION_DENIED + * ENCRYPTION_KEY_CHECK_FAILED + * SECRETS_ACCESS_CHECK_FAILED + * WAITING_FOR_OPERATION + * IMMEDIATE_RETRY + * POSTPONED_RETRY + * INTERNAL + + * `revision_reason`: Output only. A reason for the revision condition. 
+ Possible values: + * REVISION_REASON_UNDEFINED + * PENDING + * RESERVE + * RETIRED + * RETIRING + * RECREATING + * HEALTH_CHECK_CONTAINER_ERROR + * CUSTOMIZED_PATH_RESPONSE_PENDING + * MIN_INSTANCES_NOT_PROVISIONED + * ACTIVE_REVISION_LIMIT_REACHED + * NO_DEPLOYMENT + * HEALTH_CHECK_SKIPPED + * MIN_INSTANCES_WARMING + + * `execution_reason`: Output only. A reason for the execution condition. + Possible values: + * EXECUTION_REASON_UNDEFINED + * JOB_STATUS_SERVICE_POLLING_ERROR + * NON_ZERO_EXIT_CODE + * CANCELLED + * CANCELLING + * DELETED + + * `execution_count`: Output only. Number of executions created for this job. + + * `latest_created_execution`: Reference to an Execution. Use /Executions.GetExecution with the given name to get full execution including the latest status. + + * `name`: Name of the execution. + + * `create_time`: Creation timestamp of the execution. + + * `completion_time`: Creation timestamp of the execution. + + * `delete_time`: The deletion time of the execution. It is only populated as a response to a Delete request. + + * `completion_status`: Status for the execution completion. + Possible values: + * COMPLETION_STATUS_UNSPECIFIED + * EXECUTION_SUCCEEDED + * EXECUTION_FAILED + * EXECUTION_RUNNING + * EXECUTION_PENDING + * EXECUTION_CANCELLED + + * `reconciling`: Output only. Returns true if the Job is currently being acted upon by the system to bring it into the desired state. When a new Job is created, or an existing one is updated, Cloud Run will asynchronously perform all necessary steps to bring the Job to the desired state. This process is called reconciliation. While reconciliation is in process, `observed_generation` and `latest_succeeded_execution`, will have transient values that might mismatch the intended state: Once reconciliation is over (and this field is false), there are two possible outcomes: reconciliation succeeded and the state matches the Job, or there was an error, and reconciliation failed. 
This state can be found in `terminal_condition.state`. If reconciliation succeeded, the following fields will match: `observed_generation` and `generation`, `latest_succeeded_execution` and `latest_created_execution`. If reconciliation failed, `observed_generation` and `latest_succeeded_execution` will have the state of the last succeeded execution or empty for newly created Job. Additional information on the failure can be found in `terminal_condition` and `conditions`. + + * `satisfies_pzs`: Output only. Reserved for future use. + + * `start_execution_token`: A unique string used as a suffix creating a new execution. The Job will become ready when the execution is successfully started. The sum of job name and token length must be fewer than 63 characters. + + * `run_execution_token`: A unique string used as a suffix for creating a new execution. The Job will become ready when the execution is successfully completed. The sum of job name and token length must be fewer than 63 characters. + + * `etag`: Output only. A system-generated fingerprint for this version of the resource. May be used to detect modification conflict during updates. + + +## GCP permissions + +Ensure the [https://run.googleapis.com/](https://console.cloud.google.com/apis/library/run.googleapis.com/) is enabled for the current project. diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_run_jobs.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_run_jobs.md new file mode 100644 index 0000000..7d6ece9 --- /dev/null +++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_run_jobs.md 
@@ -0,0 +1,99 @@ ++++ +title = "google_run_jobs resource" + +draft = false + + + +[menu.gcp] +title = "google_run_jobs" +identifier = "inspec/resources/gcp/google_run_jobs resource" +parent = "inspec/resources/gcp" ++++ + +Use the `google_run_jobs` InSpec audit resource to test the properties of a Google Cloud Job resource. + +## Examples + +```ruby + describe google_run_jobs(parent: 'projects/{project}/locations/{location}') do + it { should exist } + its('names') { should include 'value_name' } + its('creators') { should include 'value_creator' } + end +``` + +## Parameters + +Parameters that can be accessed from the `google_run_jobs` resource: + +See [google_run_job](google_run_job) for more detailed information. + +* `names`: an array of `google_run_job` name +* `uids`: an array of `google_run_job` uid +* `generations`: an array of `google_run_job` generation +* `labels`: an array of `google_run_job` labels +* `annotations`: an array of `google_run_job` annotations +* `create_times`: an array of `google_run_job` create_time +* `update_times`: an array of `google_run_job` update_time +* `delete_times`: an array of `google_run_job` delete_time +* `expire_times`: an array of `google_run_job` expire_time +* `creators`: an array of `google_run_job` creator +* `last_modifiers`: an array of `google_run_job` last_modifier +* `clients`: an array of `google_run_job` client +* `client_versions`: an array of `google_run_job` client_version +* `launch_stages`: an array of `google_run_job` launch_stage +* `binary_authorizations`: an array of `google_run_job` binary_authorization +* `templates`: an array of `google_run_job` template +* `observed_generations`: an array of `google_run_job` observed_generation +* `terminal_conditions`: an array of `google_run_job` terminal_condition +* `conditions`: an array of `google_run_job` conditions +* `execution_counts`: an array of `google_run_job` execution_count +* `latest_created_executions`: an array of `google_run_job` 
latest_created_execution +* `reconcilings`: an array of `google_run_job` reconciling +* `satisfies_pzs`: an array of `google_run_job` satisfies_pzs +* `start_execution_tokens`: an array of `google_run_job` start_execution_token +* `run_execution_tokens`: an array of `google_run_job` run_execution_token +* `etags`: an array of `google_run_job` etag + +## Properties + +Properties that can be accessed from the `google_run_jobs` resource: + +See [google_run_job](google_run_job) for more detailed information. + +* `names`: an array of `google_run_job` name +* `uids`: an array of `google_run_job` uid +* `generations`: an array of `google_run_job` generation +* `labels`: an array of `google_run_job` labels +* `annotations`: an array of `google_run_job` annotations +* `create_times`: an array of `google_run_job` create_time +* `update_times`: an array of `google_run_job` update_time +* `delete_times`: an array of `google_run_job` delete_time +* `expire_times`: an array of `google_run_job` expire_time +* `creators`: an array of `google_run_job` creator +* `last_modifiers`: an array of `google_run_job` last_modifier +* `clients`: an array of `google_run_job` client +* `client_versions`: an array of `google_run_job` client_version +* `launch_stages`: an array of `google_run_job` launch_stage +* `binary_authorizations`: an array of `google_run_job` binary_authorization +* `templates`: an array of `google_run_job` template +* `observed_generations`: an array of `google_run_job` observed_generation +* `terminal_conditions`: an array of `google_run_job` terminal_condition +* `conditions`: an array of `google_run_job` conditions +* `execution_counts`: an array of `google_run_job` execution_count +* `latest_created_executions`: an array of `google_run_job` latest_created_execution +* `reconcilings`: an array of `google_run_job` reconciling +* `satisfies_pzs`: an array of `google_run_job` satisfies_pzs +* `start_execution_tokens`: an array of `google_run_job` start_execution_token 
+* `run_execution_tokens`: an array of `google_run_job` run_execution_token +* `etags`: an array of `google_run_job` etag + +## Filter criteria + +This resource supports all of the above properties as filter criteria, which can be used +with `where` as a block or a method. + +## GCP permissions + +Ensure the [https://run.googleapis.com/](https://console.cloud.google.com/apis/library/run.googleapis.com/) is enabled for the current project. diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_run_service.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_run_service.md new file mode 100644 index 0000000..db97b40 --- /dev/null +++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_run_service.md 
@@ -0,0 +1,507 @@ ++++ +title = "google_run_service resource" + +draft = false + + + +[menu.gcp] +title = "google_run_service" +identifier = "inspec/resources/gcp/google_run_service resource" +parent = "inspec/resources/gcp" ++++ + +Use the `google_run_service` InSpec audit resource to test the properties of a Google Cloud Service resource. + +## Examples + +```ruby +describe google_run_service(name: 'value_name') do + it { should exist } + its('name') { should cmp value_name } + its('uri') { should cmp value_uri } + its('generation') { should cmp value_generation } + its('create_time') { should cmp value_create_time } + its('update_time') { should cmp value_update_time } + its('creator') { should cmp value_creator } + its('ingress') { should cmp value_ingress } +end + +describe google_run_service(name: "does_not_exit") do + it { should_not exist } +end +``` + +## Parameters + +Parameters that can be accessed from the `google_run_service` resource: + +## Properties + +Properties that can be accessed from the `google_run_service` resource: + + + * `name`: The fully qualified name of this Service. In CreateServiceRequest, this field is ignored, and instead composed from CreateServiceRequest.parent and CreateServiceRequest.service_id. Format: projects/{project}/locations/{location}/services/{service_id} + + * `description`: User-provided description of the Service. This field currently has a 512-character limit. + + * `uid`: Output only. Server assigned unique identifier for the trigger. The value is a UUID4 string and guaranteed to remain unchanged until the resource is deleted. + + * `generation`: Output only. A number that monotonically increases every time the user modifies the desired state. Please note that unlike v1, this is an int64 value. As with most Google APIs, its JSON representation will be a `string` instead of an `integer`. + + * `labels`: Optional. Unstructured key value map that can be used to organize and categorize objects. 
User-provided labels are shared with Google's billing system, so they can be used to filter, or break down billing charges by team, component, environment, state, etc. For more information, visit https://cloud.google.com/resource-manager/docs/creating-managing-labels or https://cloud.google.com/run/docs/configuring/labels. Cloud Run API v2 does not support labels with `run.googleapis.com`, `cloud.googleapis.com`, `serving.knative.dev`, or `autoscaling.knative.dev` namespaces, and they will be rejected. All system labels in v1 now have a corresponding field in v2 Service. + + * `additional_properties`: + + * `annotations`: Optional. Unstructured key value map that may be set by external tools to store and arbitrary metadata. They are not queryable and should be preserved when modifying objects. Cloud Run API v2 does not support annotations with `run.googleapis.com`, `cloud.googleapis.com`, `serving.knative.dev`, or `autoscaling.knative.dev` namespaces, and they will be rejected in new resources. All system annotations in v1 now have a corresponding field in v2 Service. This field follows Kubernetes annotations' namespacing, limits, and rules. + + * `additional_properties`: + + * `create_time`: Output only. The creation time. + + * `update_time`: Output only. The last-modified time. + + * `delete_time`: Output only. The deletion time. It is only populated as a response to a Delete request. + + * `expire_time`: Output only. For a deleted resource, the time after which it will be permamently deleted. + + * `creator`: Output only. Email address of the authenticated creator. + + * `last_modifier`: Output only. Email address of the last authenticated modifier. + + * `client`: Arbitrary identifier for the API client. + + * `client_version`: Arbitrary version identifier for the API client. + + * `ingress`: Optional. Provides the ingress settings for this Service. 
On output, returns the currently observed ingress settings, or INGRESS_TRAFFIC_UNSPECIFIED if no revision is active. + Possible values: + * INGRESS_TRAFFIC_UNSPECIFIED + * INGRESS_TRAFFIC_ALL + * INGRESS_TRAFFIC_INTERNAL_ONLY + * INGRESS_TRAFFIC_INTERNAL_LOAD_BALANCER + * INGRESS_TRAFFIC_NONE + + * `launch_stage`: Optional. The launch stage as defined by [Google Cloud Platform Launch Stages](https://cloud.google.com/terms/launch-stages). Cloud Run supports `ALPHA`, `BETA`, and `GA`. If no value is specified, GA is assumed. Set the launch stage to a preview stage on input to allow use of preview features in that stage. On read (or output), describes whether the resource uses preview features. For example, if ALPHA is provided as input, but only BETA and GA-level features are used, this field will be BETA on output. + Possible values: + * LAUNCH_STAGE_UNSPECIFIED + * UNIMPLEMENTED + * PRELAUNCH + * EARLY_ACCESS + * ALPHA + * BETA + * GA + * DEPRECATED + + * `binary_authorization`: Settings for Binary Authorization feature. + + * `use_default`: Optional. If True, indicates to use the default project's binary authorization policy. If False, binary authorization will be disabled. + + * `policy`: Optional. The path to a binary authorization policy. Format: projects/{project}/platforms/cloudRun/{policy-name} + + * `breakglass_justification`: Optional. If present, indicates to use Breakglass using this justification. If use_default is False, then it must be empty. For more information on breakglass, see https://cloud.google.com/binary-authorization/docs/using-breakglass + + * `template`: RevisionTemplate describes the data a revision should have when created from a template. + + * `revision`: Optional. The unique name for the revision. If this field is omitted, it will be automatically generated based on the Service name. + + * `labels`: Optional. Unstructured key value map that can be used to organize and categorize objects. 
User-provided labels are shared with Google's billing system, so they can be used to filter, or break down billing charges by team, component, environment, state, etc. For more information, visit https://cloud.google.com/resource-manager/docs/creating-managing-labels or https://cloud.google.com/run/docs/configuring/labels. Cloud Run API v2 does not support labels with `run.googleapis.com`, `cloud.googleapis.com`, `serving.knative.dev`, or `autoscaling.knative.dev` namespaces, and they will be rejected. All system labels in v1 now have a corresponding field in v2 RevisionTemplate. + + * `additional_properties`: + + * `annotations`: Optional. Unstructured key value map that may be set by external tools to store and arbitrary metadata. They are not queryable and should be preserved when modifying objects. Cloud Run API v2 does not support annotations with `run.googleapis.com`, `cloud.googleapis.com`, `serving.knative.dev`, or `autoscaling.knative.dev` namespaces, and they will be rejected. All system annotations in v1 now have a corresponding field in v2 RevisionTemplate. This field follows Kubernetes annotations' namespacing, limits, and rules. + + * `additional_properties`: + + * `scaling`: Settings for revision-level scaling settings. + + * `min_instance_count`: Optional. Minimum number of serving instances that this resource should have. + + * `max_instance_count`: Optional. Maximum number of serving instances that this resource should have. + + * `vpc_access`: VPC Access settings. For more information on sending traffic to a VPC network, visit https://cloud.google.com/run/docs/configuring/connecting-vpc. + + * `connector`: VPC Access connector name. Format: projects/{project}/locations/{location}/connectors/{connector}, where {project} can be project id or number. For more information on sending traffic to a VPC network via a connector, visit https://cloud.google.com/run/docs/configuring/vpc-connectors. + + * `egress`: Optional. Traffic VPC egress settings. 
If not provided, it defaults to PRIVATE_RANGES_ONLY. + Possible values: + * VPC_EGRESS_UNSPECIFIED + * ALL_TRAFFIC + * PRIVATE_RANGES_ONLY + + * `network_interfaces`: Optional. Direct VPC egress settings. Currently only single network interface is supported. + + * `network`: Optional. The VPC network that the Cloud Run resource will be able to send traffic to. At least one of network or subnetwork must be specified. If both network and subnetwork are specified, the given VPC subnetwork must belong to the given VPC network. If network is not specified, it will be looked up from the subnetwork. + + * `subnetwork`: Optional. The VPC subnetwork that the Cloud Run resource will get IPs from. At least one of network or subnetwork must be specified. If both network and subnetwork are specified, the given VPC subnetwork must belong to the given VPC network. If subnetwork is not specified, the subnetwork with the same name with the network will be used. + + * `tags`: Optional. Network tags applied to this Cloud Run resource. + + * `timeout`: Optional. Max allowed time for an instance to respond to a request. + + * `service_account`: Optional. Email address of the IAM service account associated with the revision of the service. The service account represents the identity of the running revision, and determines what permissions the revision has. If not provided, the revision will use the project's default service account. + + * `containers`: Holds the single container that defines the unit of execution for this Revision. + + * `name`: Name of the container specified as a DNS_LABEL (RFC 1123). + + * `image`: Required. Name of the container image in Dockerhub, Google Artifact Registry, or Google Container Registry. If the host is not provided, Dockerhub is assumed. + + * `command`: Entrypoint array. Not executed within a shell. The docker image's ENTRYPOINT is used if this is not provided. + + * `args`: Arguments to the entrypoint. 
The docker image's CMD is used if this is not provided. + + * `env`: List of environment variables to set in the container. + + * `name`: Required. Name of the environment variable. Must not exceed 32768 characters. + + * `value`: Variable references $(VAR_NAME) are expanded using the previous defined environment variables in the container and any route environment variables. If a variable cannot be resolved, the reference in the input string will be unchanged. The $(VAR_NAME) syntax can be escaped with a double $$, ie: $$(VAR_NAME). Escaped references will never be expanded, regardless of whether the variable exists or not. Defaults to "", and the maximum length is 32768 bytes. + + * `value_source`: EnvVarSource represents a source for the value of an EnvVar. + + * `secret_key_ref`: SecretEnvVarSource represents a source for the value of an EnvVar. + + * `secret`: Required. The name of the secret in Cloud Secret Manager. Format: {secret_name} if the secret is in the same project. projects/{project}/secrets/{secret_name} if the secret is in a different project. + + * `version`: The Cloud Secret Manager secret version. Can be 'latest' for the latest version, an integer for a specific version, or a version alias. + + * `resources`: ResourceRequirements describes the compute resource requirements. + + * `limits`: Only `memory` and `cpu` keys in the map are supported. Notes: * The only supported values for CPU are '1', '2', '4', and '8'. Setting 4 CPU requires at least 2Gi of memory. For more information, go to https://cloud.google.com/run/docs/configuring/cpu. * For supported 'memory' values and syntax, go to https://cloud.google.com/run/docs/configuring/memory-limits + + * `additional_properties`: + + * `cpu_idle`: Determines whether CPU is only allocated during requests (true by default). However, if ResourceRequirements is set, the caller must explicitly set this field to true to preserve the default behavior. 
+ + * `startup_cpu_boost`: Determines whether CPU should be boosted on startup of a new container instance above the requested CPU threshold, this can help reduce cold-start latency. + + * `ports`: List of ports to expose from the container. Only a single port can be specified. The specified ports must be listening on all interfaces (0.0.0.0) within the container to be accessible. If omitted, a port number will be chosen and passed to the container through the PORT environment variable for the container to listen on. + + * `name`: If specified, used to specify which protocol to use. Allowed values are "http1" and "h2c". + + * `container_port`: Port number the container listens on. This must be a valid TCP port number, 0 < container_port < 65536. + + * `volume_mounts`: Volume to mount into the container's filesystem. + + * `name`: Required. This must match the Name of a Volume. + + * `mount_path`: Required. Path within the container at which the volume should be mounted. Must not contain ':'. For Cloud SQL volumes, it can be left empty, or must otherwise be `/cloudsql`. All instances defined in the Volume will be available as `/cloudsql/[instance]`. For more information on Cloud SQL volumes, visit https://cloud.google.com/sql/docs/mysql/connect-run + + * `working_dir`: Container's working directory. If not specified, the container runtime's default will be used, which might be configured in the container image. + + * `liveness_probe`: Probe describes a health check to be performed against a container to determine whether it is alive or ready to receive traffic. + + * `initial_delay_seconds`: Optional. Number of seconds after the container has started before the probe is initiated. Defaults to 0 seconds. Minimum value is 0. Maximum value for liveness probe is 3600. Maximum value for startup probe is 240. + + * `timeout_seconds`: Optional. Number of seconds after which the probe times out. Defaults to 1 second. Minimum value is 1. Maximum value is 3600. 
Must be smaller than period_seconds. + + * `period_seconds`: Optional. How often (in seconds) to perform the probe. Default to 10 seconds. Minimum value is 1. Maximum value for liveness probe is 3600. Maximum value for startup probe is 240. Must be greater or equal than timeout_seconds. + + * `failure_threshold`: Optional. Minimum consecutive failures for the probe to be considered failed after having succeeded. Defaults to 3. Minimum value is 1. + + * `http_get`: HTTPGetAction describes an action based on HTTP Get requests. + + * `path`: Optional. Path to access on the HTTP server. Defaults to '/'. + + * `http_headers`: Optional. Custom headers to set in the request. HTTP allows repeated headers. + + * `name`: Required. The header field name + + * `value`: Optional. The header field value + + * `port`: Optional. Port number to access on the container. Must be in the range 1 to 65535. If not specified, defaults to the exposed port of the container, which is the value of container.ports[0].containerPort. + + * `tcp_socket`: TCPSocketAction describes an action based on opening a socket + + * `port`: Optional. Port number to access on the container. Must be in the range 1 to 65535. If not specified, defaults to the exposed port of the container, which is the value of container.ports[0].containerPort. + + * `grpc`: GRPCAction describes an action involving a GRPC port. + + * `port`: Optional. Port number of the gRPC service. Number must be in the range 1 to 65535. If not specified, defaults to the exposed port of the container, which is the value of container.ports[0].containerPort. + + * `service`: Optional. Service is the name of the service to place in the gRPC HealthCheckRequest (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md ). If this is not specified, the default behavior is defined by gRPC. + + * `startup_probe`: Probe describes a health check to be performed against a container to determine whether it is alive or ready to receive traffic. 
+ + * `initial_delay_seconds`: Optional. Number of seconds after the container has started before the probe is initiated. Defaults to 0 seconds. Minimum value is 0. Maximum value for liveness probe is 3600. Maximum value for startup probe is 240. + + * `timeout_seconds`: Optional. Number of seconds after which the probe times out. Defaults to 1 second. Minimum value is 1. Maximum value is 3600. Must be smaller than period_seconds. + + * `period_seconds`: Optional. How often (in seconds) to perform the probe. Default to 10 seconds. Minimum value is 1. Maximum value for liveness probe is 3600. Maximum value for startup probe is 240. Must be greater or equal than timeout_seconds. + + * `failure_threshold`: Optional. Minimum consecutive failures for the probe to be considered failed after having succeeded. Defaults to 3. Minimum value is 1. + + * `http_get`: HTTPGetAction describes an action based on HTTP Get requests. + + * `path`: Optional. Path to access on the HTTP server. Defaults to '/'. + + * `http_headers`: Optional. Custom headers to set in the request. HTTP allows repeated headers. + + * `name`: Required. The header field name + + * `value`: Optional. The header field value + + * `port`: Optional. Port number to access on the container. Must be in the range 1 to 65535. If not specified, defaults to the exposed port of the container, which is the value of container.ports[0].containerPort. + + * `tcp_socket`: TCPSocketAction describes an action based on opening a socket + + * `port`: Optional. Port number to access on the container. Must be in the range 1 to 65535. If not specified, defaults to the exposed port of the container, which is the value of container.ports[0].containerPort. + + * `grpc`: GRPCAction describes an action involving a GRPC port. + + * `port`: Optional. Port number of the gRPC service. Number must be in the range 1 to 65535. 
If not specified, defaults to the exposed port of the container, which is the value of container.ports[0].containerPort. + + * `service`: Optional. Service is the name of the service to place in the gRPC HealthCheckRequest (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md ). If this is not specified, the default behavior is defined by gRPC. + + * `depends_on`: Names of the containers that must start before this container. + + * `volumes`: Optional. A list of Volumes to make available to containers. + + * `name`: Required. Volume's name. + + * `secret`: The secret's value will be presented as the content of a file whose name is defined in the item path. If no items are defined, the name of the file is the secret. + + * `secret`: Required. The name of the secret in Cloud Secret Manager. Format: {secret} if the secret is in the same project. projects/{project}/secrets/{secret} if the secret is in a different project. + + * `items`: If unspecified, the volume will expose a file whose name is the secret, relative to VolumeMount.mount_path. If specified, the key will be used as the version to fetch from Cloud Secret Manager and the path will be the name of the file exposed in the volume. When items are defined, they must specify a path and a version. + + * `path`: Required. The relative path of the secret in the container. + + * `version`: The Cloud Secret Manager secret version. Can be 'latest' for the latest value, or an integer or a secret alias for a specific version. + + * `mode`: Integer octal mode bits to use on this file, must be a value between 01 and 0777 (octal). If 0 or not set, the Volume's default mode will be used. Notes * Internally, a umask of 0222 will be applied to any non-zero value. * This is an integer representation of the mode bits. So, the octal integer value should look exactly as the chmod numeric notation with a leading zero. Some examples: for chmod 777 (a=rwx), set to 0777 (octal) or 511 (base-10). 
For chmod 640 (u=rw,g=r), set to 0640 (octal) or 416 (base-10). For chmod 755 (u=rwx,g=rx,o=rx), set to 0755 (octal) or 493 (base-10). * This might be in conflict with other options that affect the file mode, like fsGroup, and the result can be other mode bits set. + + * `default_mode`: Integer representation of mode bits to use on created files by default. Must be a value between 0000 and 0777 (octal), defaulting to 0444. Directories within the path are not affected by this setting. Notes * Internally, a umask of 0222 will be applied to any non-zero value. * This is an integer representation of the mode bits. So, the octal integer value should look exactly as the chmod numeric notation with a leading zero. Some examples: for chmod 777 (a=rwx), set to 0777 (octal) or 511 (base-10). For chmod 640 (u=rw,g=r), set to 0640 (octal) or 416 (base-10). For chmod 755 (u=rwx,g=rx,o=rx), set to 0755 (octal) or 493 (base-10). * This might be in conflict with other options that affect the file mode, like fsGroup, and the result can be other mode bits set. This might be in conflict with other options that affect the file mode, like fsGroup, and as a result, other mode bits could be set. + + * `cloud_sql_instance`: Represents a set of Cloud SQL instances. Each one will be available under /cloudsql/[instance]. Visit https://cloud.google.com/sql/docs/mysql/connect-run for more information on how to connect Cloud SQL and Cloud Run. + + * `instances`: The Cloud SQL instance connection names, as can be found in https://console.cloud.google.com/sql/instances. Visit https://cloud.google.com/sql/docs/mysql/connect-run for more information on how to connect Cloud SQL and Cloud Run. Format: {project}:{location}:{instance} + + * `empty_dir`: In memory (tmpfs) ephemeral storage. It is ephemeral in the sense that when the sandbox is taken down, the data is destroyed with it (it does not persist across sandbox runs). + + * `medium`: The medium on which the data is stored. 
Acceptable values today is only MEMORY or none. When none, the default will currently be backed by memory but could change over time. +optional + Possible values: + * MEDIUM_UNSPECIFIED + * MEMORY + + * `size_limit`: Limit on the storage usable by this EmptyDir volume. The size limit is also applicable for memory medium. The maximum usage on memory medium EmptyDir would be the minimum value between the SizeLimit specified here and the sum of memory limits of all containers. The default is nil which means that the limit is undefined. More info: https://cloud.google.com/run/docs/configuring/in-memory-volumes#configure-volume. Info in Kubernetes: https://kubernetes.io/docs/concepts/storage/volumes/#emptydir + + * `nfs`: Represents an NFS mount. + + * `server`: Hostname or IP address of the NFS server + + * `path`: Path that is exported by the NFS server. + + * `read_only`: If true, the volume will be mounted as read only for all mounts. + + * `gcs`: Represents a volume backed by a Cloud Storage bucket using Cloud Storage FUSE. + + * `bucket`: Cloud Storage Bucket name. + + * `read_only`: If true, the volume will be mounted as read only for all mounts. + + * `execution_environment`: Optional. The sandbox environment to host this Revision. + Possible values: + * EXECUTION_ENVIRONMENT_UNSPECIFIED + * EXECUTION_ENVIRONMENT_GEN1 + * EXECUTION_ENVIRONMENT_GEN2 + + * `encryption_key`: A reference to a customer managed encryption key (CMEK) to use to encrypt this container image. For more information, go to https://cloud.google.com/run/docs/securing/using-cmek + + * `max_instance_request_concurrency`: Optional. Sets the maximum number of requests that each serving instance can receive. If not specified or 0, defaults to 80 when requested CPU >= 1 and defaults to 1 when requested CPU < 1. + + * `session_affinity`: Optional. Enable session affinity. + + * `health_check_disabled`: Optional. Disables health checking containers during deployment. 
+ + * `node_selector`: Hardware constraints configuration. + + * `accelerator`: Required. GPU accelerator type to attach to an instance. + + * `traffic`: Optional. Specifies how to distribute traffic over a collection of Revisions belonging to the Service. If traffic is empty or not provided, defaults to 100% traffic to the latest `Ready` Revision. + + * `type`: The allocation type for this traffic target. + Possible values: + * TRAFFIC_TARGET_ALLOCATION_TYPE_UNSPECIFIED + * TRAFFIC_TARGET_ALLOCATION_TYPE_LATEST + * TRAFFIC_TARGET_ALLOCATION_TYPE_REVISION + + * `revision`: Revision to which to send this portion of traffic, if traffic allocation is by revision. + + * `percent`: Specifies percent of the traffic to this Revision. This defaults to zero if unspecified. + + * `tag`: Indicates a string to be part of the URI to exclusively reference this target. + + * `scaling`: Scaling settings applied at the service level rather than at the revision level. + + * `min_instance_count`: Optional. total min instances for the service. This number of instances is divided among all revisions with specified traffic based on the percent of traffic they are receiving. (BETA) + + * `default_uri_disabled`: Optional. Disables public resolution of the default URI of this service. + + * `custom_audiences`: One or more custom audiences that you want this service to support. Specify each custom audience as the full URL in a string. The custom audiences are encoded in the token and used to authenticate requests. For more information, see https://cloud.google.com/run/docs/configuring/custom-audiences. + + * `observed_generation`: Output only. The generation of this Service currently serving traffic. See comments in `reconciling` for additional information on reconciliation process in Cloud Run. Please note that unlike v1, this is an int64 value. As with most Google APIs, its JSON representation will be a `string` instead of an `integer`. 
+
+ * `terminal_condition`: Defines a status condition for a resource.
+
+ * `type`: type is used to communicate the status of the reconciliation process. See also: https://github.com/knative/serving/blob/main/docs/spec/errors.md#error-conditions-and-reporting Types common to all resources include: * "Ready": True when the Resource is ready.
+
+ * `state`: State of the condition.
+ Possible values:
+ * STATE_UNSPECIFIED
+ * CONDITION_PENDING
+ * CONDITION_RECONCILING
+ * CONDITION_FAILED
+ * CONDITION_SUCCEEDED
+
+ * `message`: Human readable message indicating details about the current status.
+
+ * `last_transition_time`: Last time the condition transitioned from one status to another.
+
+ * `severity`: How to interpret failures of this condition, one of Error, Warning, Info
+ Possible values:
+ * SEVERITY_UNSPECIFIED
+ * ERROR
+ * WARNING
+ * INFO
+
+ * `reason`: Output only. A common (service-level) reason for this condition.
+ Possible values:
+ * COMMON_REASON_UNDEFINED
+ * UNKNOWN
+ * REVISION_FAILED
+ * PROGRESS_DEADLINE_EXCEEDED
+ * CONTAINER_MISSING
+ * CONTAINER_PERMISSION_DENIED
+ * CONTAINER_IMAGE_UNAUTHORIZED
+ * CONTAINER_IMAGE_AUTHORIZATION_CHECK_FAILED
+ * ENCRYPTION_KEY_PERMISSION_DENIED
+ * ENCRYPTION_KEY_CHECK_FAILED
+ * SECRETS_ACCESS_CHECK_FAILED
+ * WAITING_FOR_OPERATION
+ * IMMEDIATE_RETRY
+ * POSTPONED_RETRY
+ * INTERNAL
+
+ * `revision_reason`: Output only. A reason for the revision condition.
+ Possible values:
+ * REVISION_REASON_UNDEFINED
+ * PENDING
+ * RESERVE
+ * RETIRED
+ * RETIRING
+ * RECREATING
+ * HEALTH_CHECK_CONTAINER_ERROR
+ * CUSTOMIZED_PATH_RESPONSE_PENDING
+ * MIN_INSTANCES_NOT_PROVISIONED
+ * ACTIVE_REVISION_LIMIT_REACHED
+ * NO_DEPLOYMENT
+ * HEALTH_CHECK_SKIPPED
+ * MIN_INSTANCES_WARMING
+
+ * `execution_reason`: Output only. A reason for the execution condition.
+ Possible values:
+ * EXECUTION_REASON_UNDEFINED
+ * JOB_STATUS_SERVICE_POLLING_ERROR
+ * NON_ZERO_EXIT_CODE
+ * CANCELLED
+ * CANCELLING
+ * DELETED
+
+ * `conditions`: Output only. The Conditions of all other associated sub-resources. They contain additional diagnostics information in case the Service does not reach its Serving state. See comments in `reconciling` for additional information on reconciliation process in Cloud Run.
+
+ * `type`: type is used to communicate the status of the reconciliation process. See also: https://github.com/knative/serving/blob/main/docs/spec/errors.md#error-conditions-and-reporting Types common to all resources include: * "Ready": True when the Resource is ready.
+
+ * `state`: State of the condition.
+ Possible values:
+ * STATE_UNSPECIFIED
+ * CONDITION_PENDING
+ * CONDITION_RECONCILING
+ * CONDITION_FAILED
+ * CONDITION_SUCCEEDED
+
+ * `message`: Human readable message indicating details about the current status.
+
+ * `last_transition_time`: Last time the condition transitioned from one status to another.
+
+ * `severity`: How to interpret failures of this condition, one of Error, Warning, Info
+ Possible values:
+ * SEVERITY_UNSPECIFIED
+ * ERROR
+ * WARNING
+ * INFO
+
+ * `reason`: Output only. A common (service-level) reason for this condition.
+ Possible values:
+ * COMMON_REASON_UNDEFINED
+ * UNKNOWN
+ * REVISION_FAILED
+ * PROGRESS_DEADLINE_EXCEEDED
+ * CONTAINER_MISSING
+ * CONTAINER_PERMISSION_DENIED
+ * CONTAINER_IMAGE_UNAUTHORIZED
+ * CONTAINER_IMAGE_AUTHORIZATION_CHECK_FAILED
+ * ENCRYPTION_KEY_PERMISSION_DENIED
+ * ENCRYPTION_KEY_CHECK_FAILED
+ * SECRETS_ACCESS_CHECK_FAILED
+ * WAITING_FOR_OPERATION
+ * IMMEDIATE_RETRY
+ * POSTPONED_RETRY
+ * INTERNAL
+
+ * `revision_reason`: Output only. A reason for the revision condition.
+ Possible values:
+ * REVISION_REASON_UNDEFINED
+ * PENDING
+ * RESERVE
+ * RETIRED
+ * RETIRING
+ * RECREATING
+ * HEALTH_CHECK_CONTAINER_ERROR
+ * CUSTOMIZED_PATH_RESPONSE_PENDING
+ * MIN_INSTANCES_NOT_PROVISIONED
+ * ACTIVE_REVISION_LIMIT_REACHED
+ * NO_DEPLOYMENT
+ * HEALTH_CHECK_SKIPPED
+ * MIN_INSTANCES_WARMING
+
+ * `execution_reason`: Output only. A reason for the execution condition.
+ Possible values:
+ * EXECUTION_REASON_UNDEFINED
+ * JOB_STATUS_SERVICE_POLLING_ERROR
+ * NON_ZERO_EXIT_CODE
+ * CANCELLED
+ * CANCELLING
+ * DELETED
+
+ * `latest_ready_revision`: Output only. Name of the latest revision that is serving traffic. See comments in `reconciling` for additional information on reconciliation process in Cloud Run.
+
+ * `latest_created_revision`: Output only. Name of the last created revision. See comments in `reconciling` for additional information on reconciliation process in Cloud Run.
+
+ * `traffic_statuses`: Output only. Detailed status information for corresponding traffic targets. See comments in `reconciling` for additional information on reconciliation process in Cloud Run.
+
+ * `type`: The allocation type for this traffic target.
+ Possible values:
+ * TRAFFIC_TARGET_ALLOCATION_TYPE_UNSPECIFIED
+ * TRAFFIC_TARGET_ALLOCATION_TYPE_LATEST
+ * TRAFFIC_TARGET_ALLOCATION_TYPE_REVISION
+
+ * `revision`: Revision to which this traffic is sent.
+
+ * `percent`: Specifies percent of the traffic to this Revision.
+
+ * `tag`: Indicates the string used in the URI to exclusively reference this target.
+
+ * `uri`: Displays the target URI.
+
+ * `uri`: Output only. The main URI in which this Service is serving traffic.
+
+ * `satisfies_pzs`: Output only. Reserved for future use.
+
+ * `reconciling`: Output only. Returns true if the Service is currently being acted upon by the system to bring it into the desired state.
When a new Service is created, or an existing one is updated, Cloud Run will asynchronously perform all necessary steps to bring the Service to the desired serving state. This process is called reconciliation. While reconciliation is in process, `observed_generation`, `latest_ready_revison`, `traffic_statuses`, and `uri` will have transient values that might mismatch the intended state: Once reconciliation is over (and this field is false), there are two possible outcomes: reconciliation succeeded and the serving state matches the Service, or there was an error, and reconciliation failed. This state can be found in `terminal_condition.state`. If reconciliation succeeded, the following fields will match: `traffic` and `traffic_statuses`, `observed_generation` and `generation`, `latest_ready_revision` and `latest_created_revision`. If reconciliation failed, `traffic_statuses`, `observed_generation`, and `latest_ready_revision` will have the state of the last serving revision, or empty for newly created Services. Additional information on the failure can be found in `terminal_condition` and `conditions`.
+
+ * `etag`: Output only. A system-generated fingerprint for this version of the resource. May be used to detect modification conflict during updates.
+
+
+## GCP permissions
+
+Ensure the [https://run.googleapis.com/](https://console.cloud.google.com/apis/library/run.googleapis.com/) is enabled for the current project.
diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_run_services.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_run_services.md
new file mode 100644
index 0000000..221a13a
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_run_services.md
@@ -0,0 +1,116 @@
++++
+title = "google_run_services resource"
+
+draft = false
+
+
+
+[menu.gcp]
+title = "google_run_services"
+identifier = "inspec/resources/gcp/google_run_services resource"
+parent = "inspec/resources/gcp"
++++
+
+Use the `google_run_services` InSpec audit resource to test the properties of a Google Cloud Service resource.
+
+## Examples
+
+```ruby
+ describe google_run_services(parent: 'value_parent') do
+ it { should exist }
+ its('names') { should include value_name }
+ its('uris') { should include value_uri }
+ its('generations') { should include value_generation }
+ its('create_times') { should include value_create_time }
+ its('update_times') { should include value_update_time }
+ its('creators') { should include value_creator }
+ its('ingresses') { should include value_ingress }
+ end
+```
+
+## Parameters
+
+Parameters that can be accessed from the `google_run_services` resource:
+
+See [google_run_service](google_run_service) for more detailed information.
+
+* `names`: an array of `google_run_service` name
+* `descriptions`: an array of `google_run_service` description
+* `uids`: an array of `google_run_service` uid
+* `generations`: an array of `google_run_service` generation
+* `labels`: an array of `google_run_service` labels
+* `annotations`: an array of `google_run_service` annotations
+* `create_times`: an array of `google_run_service` create_time
+* `update_times`: an array of `google_run_service` update_time
+* `delete_times`: an array of `google_run_service` delete_time
+* `expire_times`: an array of `google_run_service` expire_time
+* `creators`: an array of `google_run_service` creator
+* `last_modifiers`: an array of `google_run_service` last_modifier
+* `clients`: an array of `google_run_service` client
+* `client_versions`: an array of `google_run_service` client_version
+* `ingresses`: an array of `google_run_service` ingress
+* `launch_stages`: an array of `google_run_service` launch_stage
+* `binary_authorizations`: an array of `google_run_service` binary_authorization
+* `templates`: an array of `google_run_service` template
+* `traffics`: an array of `google_run_service` traffic
+* `scalings`: an array of `google_run_service` scaling
+* `default_uri_disableds`: an array of `google_run_service` default_uri_disabled
+* `custom_audiences`: an array of `google_run_service` custom_audiences
+* `observed_generations`: an array of `google_run_service` observed_generation
+* `terminal_conditions`: an array of `google_run_service` terminal_condition
+* `conditions`: an array of `google_run_service` conditions
+* `latest_ready_revisions`: an array of `google_run_service` latest_ready_revision
+* `latest_created_revisions`: an array of `google_run_service` latest_created_revision
+* `traffic_statuses`: an array of `google_run_service` traffic_statuses
+* `uris`: an array of `google_run_service` uri
+* `satisfies_pzs`: an array of `google_run_service` satisfies_pzs
+* `reconcilings`: an array of 
`google_run_service` reconciling
+* `etags`: an array of `google_run_service` etag
+
+## Properties
+
+Properties that can be accessed from the `google_run_services` resource:
+
+See [google_run_service](google_run_service) for more detailed information.
+
+* `names`: an array of `google_run_service` name
+* `descriptions`: an array of `google_run_service` description
+* `uids`: an array of `google_run_service` uid
+* `generations`: an array of `google_run_service` generation
+* `labels`: an array of `google_run_service` labels
+* `annotations`: an array of `google_run_service` annotations
+* `create_times`: an array of `google_run_service` create_time
+* `update_times`: an array of `google_run_service` update_time
+* `delete_times`: an array of `google_run_service` delete_time
+* `expire_times`: an array of `google_run_service` expire_time
+* `creators`: an array of `google_run_service` creator
+* `last_modifiers`: an array of `google_run_service` last_modifier
+* `clients`: an array of `google_run_service` client
+* `client_versions`: an array of `google_run_service` client_version
+* `ingresses`: an array of `google_run_service` ingress
+* `launch_stages`: an array of `google_run_service` launch_stage
+* `binary_authorizations`: an array of `google_run_service` binary_authorization
+* `templates`: an array of `google_run_service` template
+* `traffics`: an array of `google_run_service` traffic
+* `scalings`: an array of `google_run_service` scaling
+* `default_uri_disableds`: an array of `google_run_service` default_uri_disabled
+* `custom_audiences`: an array of `google_run_service` custom_audiences
+* `observed_generations`: an array of `google_run_service` observed_generation
+* `terminal_conditions`: an array of `google_run_service` terminal_condition
+* `conditions`: an array of `google_run_service` conditions
+* `latest_ready_revisions`: an array of `google_run_service` latest_ready_revision
+* `latest_created_revisions`: an array of `google_run_service` 
latest_created_revision
+* `traffic_statuses`: an array of `google_run_service` traffic_statuses
+* `uris`: an array of `google_run_service` uri
+* `satisfies_pzs`: an array of `google_run_service` satisfies_pzs
+* `reconcilings`: an array of `google_run_service` reconciling
+* `etags`: an array of `google_run_service` etag
+
+## Filter criteria
+
+This resource supports all of the above properties as filter criteria, which can be used
+with `where` as a block or a method.
+
+## GCP permissions
+
+Ensure the [https://run.googleapis.com/](https://console.cloud.google.com/apis/library/run.googleapis.com/) is enabled for the current project.
diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_runtime_config_config.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_runtime_config_config.md
new file mode 100644
index 0000000..6ea3090
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_runtime_config_config.md
@@ -0,0 +1,40 @@
++++
+title = "google_runtime_config_config resource"
+
+draft = false
+
+
+[menu.gcp]
+title = "google_runtime_config_config"
+identifier = "inspec/resources/gcp/google_runtime_config_config resource"
+parent = "inspec/resources/gcp"
++++
+
+Use the `google_runtime_config_config` InSpec audit resource to to test a Google Cloud Config resource.
+
+## Examples
+
+```ruby
+describe google_runtime_config_config(project: 'chef-gcp-inspec', name: 'inspec-gcp-runtime-config') do
+ it { should exist }
+ its('description') { should cmp 'My runtime configurations' }
+end
+
+describe google_runtime_config_config(project: 'chef-gcp-inspec', name: 'nonexistent') do
+ it { should_not exist }
+end
+```
+
+## Properties
+
+Properties that can be accessed from the `google_runtime_config_config` resource:
+
+
+ * `description`: The description to associate with the runtime config.
+
+ * `name`: The name of the runtime config.
+
+
+## GCP permissions
+
+Ensure the [Cloud Resource Manager API](https://console.cloud.google.com/apis/library/cloudresourcemanager.googleapis.com/) is enabled for the current project.
diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_runtime_config_config_iam_binding.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_runtime_config_config_iam_binding.md
new file mode 100644
index 0000000..2659a41
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_runtime_config_config_iam_binding.md
@@ -0,0 +1,38 @@
++++
+title = "google_runtime_config_config_iam_binding resource"
+
+draft = false
+
+
+[menu.gcp]
+title = "google_runtime_config_config_iam_binding"
+identifier = "inspec/resources/gcp/google_runtime_config_config_iam_binding resource"
+parent = "inspec/resources/gcp"
++++
+
+## Syntax
+
+A `google_runtime_config_config_iam_binding` is used to test a Google Config Iam Bindings
+
+## Examples
+
+```ruby
+describe google_runtime_config_config_iam_binding(project: "project", name: "name", role: "roles/editor") do
+ it { should exist }
+ its('members') { should include 'user:testuser@example.com' }
+end
+```
+
+
+## Properties
+
+Properties that can be accessed from the `google_runtime_config_config_iam_binding` resource:
+
+ * `role`: Role that is assigned to members. For example, roles/viewer, roles/editor, or roles/owner.
+
+ * `members`: Specifies the identities requesting access for a Cloud Platform resource.
+
+
+## GCP permissions
+
+Ensure the [Cloud Resource Manager API](https://console.cloud.google.com/apis/library/cloudresourcemanager.googleapis.com/) is enabled for the current project.
diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_runtime_config_config_iam_policy.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_runtime_config_config_iam_policy.md
new file mode 100644
index 0000000..9b5d1e8
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_runtime_config_config_iam_policy.md
@@ -0,0 +1,58 @@
++++
+title = "google_runtime_config_config_iam_policy resource"
+
+draft = false
+
+
+[menu.gcp]
+title = "google_runtime_config_config_iam_policy"
+identifier = "inspec/resources/gcp/google_runtime_config_config_iam_policy resource"
+parent = "inspec/resources/gcp"
++++
+
+## Syntax
+
+A `google_runtime_config_config_iam_policy` is used to test a Google Config Iam Policy resource.
+
+## Examples
+
+```ruby
+describe google_runtime_config_config_iam_policy(project: "project", name: "name") do
+ it { should exist }
+end
+
+google_runtime_config_config_iam_policy(project: "project", name: "name").bindings.each do |binding|
+ describe binding do
+ its('role') { should eq 'roles/editor'}
+ its('members') { should include 'user:testuser@example.com'}
+ end
+end
+```
+
+## Properties
+
+Properties that can be accessed from the `google_runtime_config_config_iam_policy` resource:
+
+ * `iam_binding_roles`: The list of roles that exist on the policy.
+
+ * `bindings`: Associates a list of members to a role.
+
+ * `role`: Role that is assigned to members. For example, roles/viewer, roles/editor, or roles/owner.
+
+ * `members`: Specifies the identities requesting access for a Cloud Platform resource.
+
+ * `audit_configs`: Specifies cloud audit logging configuration for this policy.
+
+ * `service`: Specifies a service that will be enabled for audit logging. For example, `storage.googleapis.com`, `cloudsql.googleapis.com`. `allServices` is a special value that covers all services.
+
+ * `audit_log_configs`: The configuration for logging of each type of permission.
+
+ * `log_type`: The log type that this config enables. For example, ADMIN_READ, DATA_WRITE or DATA_READ
+
+ * `exempted_members`: Specifies the identities that do not cause logging for this type of permission.
+
+
+
+## GCP permissions
+
+Ensure the [Cloud Resource Manager API](https://console.cloud.google.com/apis/library/cloudresourcemanager.googleapis.com/) is enabled for the current project.
diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_runtime_config_configs.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_runtime_config_configs.md
new file mode 100644
index 0000000..e029c38
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_runtime_config_configs.md
@@ -0,0 +1,39 @@
++++
+title = "google_runtime_config_configs resource"
+
+draft = false
+
+
+[menu.gcp]
+title = "google_runtime_config_configs"
+identifier = "inspec/resources/gcp/google_runtime_config_configs resource"
+parent = "inspec/resources/gcp"
++++
+
+Use the `google_runtime_config_configs` InSpec audit resource to to test a Google Cloud Config resource.
+
+## Examples
+
+```ruby
+describe google_runtime_config_configs(project: 'chef-gcp-inspec') do
+ its('descriptions') { should include 'My runtime configurations' }
+end
+```
+
+## Properties
+
+Properties that can be accessed from the `google_runtime_config_configs` resource:
+
+See [google_runtime_config_config](google_runtime_config_config) for more detailed information.
+
+ * `descriptions`: an array of `google_runtime_config_config` description
+ * `names`: an array of `google_runtime_config_config` name
+
+## Filter criteria
+
+This resource supports all of the above properties as filter criteria, which can be used
+with `where` as a block or a method.
+
+## GCP permissions
+
+Ensure the [Cloud Resource Manager API](https://console.cloud.google.com/apis/library/cloudresourcemanager.googleapis.com/) is enabled for the current project.
diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_runtime_config_variable.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_runtime_config_variable.md
new file mode 100644
index 0000000..0a75185
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_runtime_config_variable.md
@@ -0,0 +1,44 @@
++++
+title = "google_runtime_config_variable resource"
+
+draft = false
+
+
+[menu.gcp]
+title = "google_runtime_config_variable"
+identifier = "inspec/resources/gcp/google_runtime_config_variable resource"
+parent = "inspec/resources/gcp"
++++
+
+Use the `google_runtime_config_variable` InSpec audit resource to to test a Google Cloud Variable resource.
+
+## Examples
+
+```ruby
+describe google_runtime_config_variable(project: 'chef-gcp-inspec', config: 'inspec-gcp-runtime-config', name: 'prod-variables/hostname') do
+ it { should exist }
+ its('text') { should cmp 'example.com' }
+end
+
+describe google_runtime_config_variable(project: 'chef-gcp-inspec', config: 'inspec-gcp-runtime-config', name: 'nonexistent') do
+ it { should_not exist }
+end
+```
+
+## Properties
+
+Properties that can be accessed from the `google_runtime_config_variable` resource:
+
+
+ * `value`: The binary value of the variable. Either this or `text` can be set.
+
+ * `text`: The string value of the variable. Either this or `value` can be set.
+
+ * `name`: The name of the variable resource.
+
+ * `config`: The name of the runtime config that this variable belongs to.
+
+
+## GCP permissions
+
+Ensure the [Cloud Resource Manager API](https://console.cloud.google.com/apis/library/cloudresourcemanager.googleapis.com/) is enabled for the current project.
diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_runtime_config_variables.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_runtime_config_variables.md
new file mode 100644
index 0000000..02c5bf4
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_runtime_config_variables.md
@@ -0,0 +1,41 @@
++++
+title = "google_runtime_config_variables resource"
+
+draft = false
+
+
+[menu.gcp]
+title = "google_runtime_config_variables"
+identifier = "inspec/resources/gcp/google_runtime_config_variables resource"
+parent = "inspec/resources/gcp"
++++
+
+Use the `google_runtime_config_variables` InSpec audit resource to to test a Google Cloud Variable resource.
+
+## Examples
+
+```ruby
+describe google_runtime_config_variables(project: 'chef-gcp-inspec', config: 'inspec-gcp-runtime-config') do
+ its('texts') { should include 'example.com' }
+end
+```
+
+## Properties
+
+Properties that can be accessed from the `google_runtime_config_variables` resource:
+
+See [google_runtime_config_variable](google_runtime_config_variable) for more detailed information.
+
+ * `values`: an array of `google_runtime_config_variable` value
+ * `texts`: an array of `google_runtime_config_variable` text
+ * `names`: an array of `google_runtime_config_variable` name
+ * `configs`: an array of `google_runtime_config_variable` config
+
+## Filter criteria
+
+This resource supports all of the above properties as filter criteria, which can be used
+with `where` as a block or a method.
+
+## GCP permissions
+
+Ensure the [Cloud Resource Manager API](https://console.cloud.google.com/apis/library/cloudresourcemanager.googleapis.com/) is enabled for the current project.
diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_secret_manager_secret.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_secret_manager_secret.md
new file mode 100644
index 0000000..9833647
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_secret_manager_secret.md
@@ -0,0 +1,73 @@
++++
+title = "google_secret_manager_secret resource"
+
+draft = false
+
+
+[menu.gcp]
+title = "google_secret_manager_secret"
+identifier = "inspec/resources/gcp/google_secret_manager_secret resource"
+parent = "inspec/resources/gcp"
++++
+
+Use the `google_secret_manager_secret` InSpec audit resource to to test a Google Cloud Secret resource.
+
+## Examples
+
+```ruby
+describe google_secret_manager_secret(name: ' value_name') do
+ it { should exist }
+
+end
+
+describe google_secret_manager_secret(name: "does_not_exit") do
+ it { should_not exist }
+end
+
+```
+
+## Properties
+
+Properties that can be accessed from the `google_secret_manager_secret` resource:
+
+
+ * `name`: The resource name of the Secret. Format: `projects/{{project}}/secrets/{{secret_id}}`
+
+ * `create_time`: The time at which the Secret was created.
+
+ * `labels`: The labels assigned to this Secret. Label keys must be between 1 and 63 characters long, have a UTF-8 encoding of maximum 128 bytes, and must conform to the following PCRE regular expression: [\p{Ll}\p{Lo}][\p{Ll}\p{Lo}\p{N}_-]{0,62} Label values must be between 0 and 63 characters long, have a UTF-8 encoding of maximum 128 bytes, and must conform to the following PCRE regular expression: [\p{Ll}\p{Lo}\p{N}_-]{0,63} No more than 64 labels can be assigned to a given resource. An object containing a list of "key": value pairs. Example: { "name": "wrench", "mass": "1.3kg", "count": "3" }.
+
+ * `replication`: The replication policy of the secret data attached to the Secret. It cannot be changed after the Secret has been created.
+
+ * `automatic`: The Secret will automatically be replicated without any restrictions.
+
+ * `user_managed`: The Secret will automatically be replicated without any restrictions.
+
+ * `replicas`: The list of Replicas for this Secret. Cannot be empty.
+
+ * `location`: The canonical IDs of the location to replicate data. For example: "us-east1".
+
+ * `customer_managed_encryption`: Customer Managed Encryption for the secret.
+
+ * `kms_key_name`: Describes the Cloud KMS encryption key that will be used to protect destination secret.
+
+ * `topics`: A list of up to 10 Pub/Sub topics to which messages are published when control plane operations are called on the secret or its versions.
+
+ * `name`: The resource name of the Pub/Sub topic that will be published to, in the following format: projects/*/topics/*. For publication to succeed, the Secret Manager Service Agent service account must have pubsub.publisher permissions on the topic.
+
+ * `expire_time`: Timestamp in UTC when the Secret is scheduled to expire. This is always provided on output, regardless of what was sent on input. A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".
+
+ * `ttl`: The TTL for the Secret. A duration in seconds with up to nine fractional digits, terminated by 's'. Example: "3.5s".
+
+ * `rotation`: The rotation time and period for a Secret. At `next_rotation_time`, Secret Manager will send a Pub/Sub notification to the topics configured on the Secret. `topics` must be set to configure rotation.
+
+ * `next_rotation_time`: Timestamp in UTC at which the Secret is scheduled to rotate. A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".
+
+ * `rotation_period`: The Duration between rotation notifications. Must be in seconds and at least 3600s (1h) and at most 3153600000s (100 years). If rotationPeriod is set, `next_rotation_time` must be set. `next_rotation_time` will be advanced by this period when the service automatically sends rotation notifications.
+
+ * `secret_id`: This must be unique within the project.
+
+
+## GCP permissions
+
+Ensure the [Secret Manager API](https://console.cloud.google.com/apis/library/secretmanager.googleapis.com/) is enabled for the current project.
diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_secret_manager_secrets.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_secret_manager_secrets.md
new file mode 100644
index 0000000..d0e3a98
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_secret_manager_secrets.md
@@ -0,0 +1,47 @@
++++
+title = "google_secret_manager_secrets resource"
+
+draft = false
+
+
+[menu.gcp]
+title = "google_secret_manager_secrets"
+identifier = "inspec/resources/gcp/google_secret_manager_secrets resource"
+parent = "inspec/resources/gcp"
++++
+
+Use the `google_secret_manager_secrets` InSpec audit resource to to test a Google Cloud Secret resource.
+
+## Examples
+
+```ruby
+ describe google_secret_manager_secrets(parent: ' value_parent') do
+ it { should exist }
+ end
+
+```
+
+## Properties
+
+Properties that can be accessed from the `google_secret_manager_secrets` resource:
+
+See [google_secret_manager_secret](google_secret_manager_secret) for more detailed information.
+
+ * `names`: an array of `google_secret_manager_secret` name
+ * `create_times`: an array of `google_secret_manager_secret` create_time
+ * `labels`: an array of `google_secret_manager_secret` labels
+ * `replications`: an array of `google_secret_manager_secret` replication
+ * `topics`: an array of `google_secret_manager_secret` topics
+ * `expire_times`: an array of `google_secret_manager_secret` expire_time
+ * `ttls`: an array of `google_secret_manager_secret` ttl
+ * `rotations`: an array of `google_secret_manager_secret` rotation
+ * `secret_ids`: an array of `google_secret_manager_secret` secret_id
+
+## Filter criteria
+
+This resource supports all of the above properties as filter criteria, which can be used
+with `where` as a block or a method.
+
+## GCP permissions
+
+Ensure the [Secret Manager API](https://console.cloud.google.com/apis/library/secretmanager.googleapis.com/) is enabled for the current project.
diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_service_account.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_service_account.md
new file mode 100644
index 0000000..eb2fddf
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_service_account.md
@@ -0,0 +1,66 @@
++++
+title = "google_service_account resource"
+
+draft = false
+
+
+[menu.gcp]
+title = "google_service_account"
+identifier = "inspec/resources/gcp/google_service_account resource"
+parent = "inspec/resources/gcp"
++++
+
+Use the `google_service_account` InSpec audit resource to to test a Google Cloud ServiceAccount resource.
+
+## Examples
+
+```ruby
+describe google_service_account(project: 'chef-gcp-inspec', name: "display-name@project-id.iam.gserviceaccount.com") do
+ it { should exist }
+ its('display_name') { should cmp '' }
+end
+
+describe google_service_account(project: 'chef-gcp-inspec', name: "nonexistent@project-id.iam.gserviceaccount.com") do
+ it { should_not exist }
+end
+```
+
+### Test that a GCP project IAM service account has the expected unique identifier
+
+ describe google_service_account(project: 'sample-project', name: 'sample-account@sample-project.iam.gserviceaccount.com') do
+ its('unique_id') { should eq 12345678 }
+ end
+
+### Test that a GCP project IAM service account has the expected oauth2 client identifier
+
+ describe google_service_account(project: 'sample-project', name: 'sample-account@sample-project.iam.gserviceaccount.com') do
+ its('oauth2_client_id') { should eq 12345678 }
+ end
+
+### Test that a GCP project IAM service account does not have user managed keys
+
+ describe google_service_account_keys(project: 'chef-gcp-inspec', service_account: "display-name@project-id.iam.gserviceaccount.com") do
+ its('key_types') { should_not include 'USER_MANAGED' }
+ end
+
+## Properties
+
+Properties that can be accessed from the `google_service_account` resource:
+
+
+ * `name`: The name of the service account.
+
+ * `project_id`: Id of the project that owns the service account.
+
+ * `unique_id`: Unique and stable id of the service account
+
+ * `email`: Email address of the service account.
+
+ * `display_name`: User specified description of service account.
+
+ * `oauth2_client_id`: OAuth2 client id for the service account.
+
+
+## GCP permissions
+
+Ensure the [Identity and Access Management (IAM) API](https://console.cloud.google.com/apis/library/iam.googleapis.com/) is enabled for the current project.
diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_service_account_key.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_service_account_key.md
new file mode 100644
index 0000000..0105fd7
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_service_account_key.md
@@ -0,0 +1,79 @@
++++
+title = "google_service_account_key resource"
+
+draft = false
+
+
+[menu.gcp]
+title = "google_service_account_key"
+identifier = "inspec/resources/gcp/google_service_account_key resource"
+parent = "inspec/resources/gcp"
++++
+
+Use the `google_service_account_key` InSpec audit resource to to test a Google Cloud ServiceAccountKey resource.
+
+## Examples
+
+```ruby
+google_service_account_keys(project: 'chef-gcp-inspec', service_account: "display-name@project-id.iam.gserviceaccount.com").key_names.each do |sa_key_name|
+ describe google_service_account_key(project: 'chef-gcp-inspec', service_account: "display-name@project-id.iam.gserviceaccount.com", name: sa_key_name.split('/').last) do
+ it { should exist }
+ its('key_type') { should_not cmp 'USER_MANAGED' }
+ end
+end
+```
+
+### Test that a GCP project IAM service account key has the expected key algorithm
+
+ describe google_service_account_key(name: "projects/sample-project/serviceAccounts/test-sa@sample-project.iam.gserviceaccount.com/keys/c6bd986da9fac6d71178db41d1741cbe751a5080" ) do
+ its('key_algorithm') { should eq "KEY_ALG_RSA_2048" }
+ end
+
+## Properties
+
+Properties that can be accessed from the `google_service_account_key` resource:
+
+
+ * `name`: The name of the key.
+
+ * `private_key_type`: Output format for the service account key.
+ Possible values:
+ * TYPE_UNSPECIFIED
+ * TYPE_PKCS12_FILE
+ * TYPE_GOOGLE_CREDENTIALS_FILE
+
+ * `key_algorithm`: Specifies the algorithm for the key.
+ Possible values:
+ * KEY_ALG_UNSPECIFIED
+ * KEY_ALG_RSA_1024
+ * KEY_ALG_RSA_2048
+
+ * `private_key_data`: Private key data. Base-64 encoded.
+
+ * `public_key_data`: Public key data. Base-64 encoded.
+
+ * `valid_after_time`: Key can only be used after this time.
+
+ * `valid_before_time`: Key can only be used before this time.
+
+ * `key_type`: Specifies the type of the key. Possible values include KEY_TYPE_UNSPECIFIED, USER_MANAGED and SYSTEM_MANAGED
+ Possible values:
+ * KEY_TYPE_UNSPECIFIED
+ * USER_MANAGED
+ * SYSTEM_MANAGED
+
+ * `key_origin`: The key origin.
+ Possible values:
+ * ORIGIN_UNSPECIFIED
+ * USER_PROVIDED
+ * GOOGLE_PROVIDED
+
+ * `service_account`: The name of the serviceAccount.
+
+ * `path`: The full name of the file that will hold the service account private key. The management of this file will depend on the value of sync_file parameter. File path must be absolute.
+ * `disabled`: The key status.
+
+
+## GCP permissions
+
+Ensure the [Identity and Access Management (IAM) API](https://console.cloud.google.com/apis/library/iam.googleapis.com/) is enabled for the current project.
diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_service_account_keys.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_service_account_keys.md
new file mode 100644
index 0000000..2fb31d6
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_service_account_keys.md
@@ -0,0 +1,62 @@ ++++ +title = "google_service_account_keys resource" + +draft = false + + +[menu.gcp] +title = "google_service_account_keys" +identifier = "inspec/resources/gcp/google_service_account_keys resource" +parent = "inspec/resources/gcp" ++++ + +Use the `google_service_account_keys` InSpec audit resource to to test a Google Cloud ServiceAccountKey resource. + +## Examples + +```ruby +describe google_service_account_keys(project: 'chef-gcp-inspec', service_account: "display-name@project-id.iam.gserviceaccount.com") do + its('count') { should be <= 1000 } + its('key_types') { should_not include 'USER_MANAGED' } +end +``` + +### Test that there are no more than a specified number of keys for the service account + + describe google_service_account_keys(project: 'sample-project', service_account: 'sample-account@sample-project.iam.gserviceaccount.com') do + its('count') { should be <= 1000} + end + +### Test that a service account with expected name is available + + describe google_service_account_keys(project: 'sample-project', service_account: 'sample-account@sample-project.iam.gserviceaccount.com') do + its('key_names'){ should include "projects/sample-project/serviceAccounts/test-sa@sample-project.iam.gserviceaccount.com/keys/c6bd986da9fac6d71178db41d1741cbe751a5080" } + end + +## Properties + +Properties that can be accessed from the `google_service_account_keys` resource: + +See [google_service_account_key](google_service_account_key) for more detailed information. 
+ + * `key_names`: an array of `google_service_account_key` name + * `private_key_types`: an array of `google_service_account_key` private_key_type + * `key_algorithms`: an array of `google_service_account_key` key_algorithm + * `private_key_data`: an array of `google_service_account_key` private_key_data + * `public_key_data`: an array of `google_service_account_key` public_key_data + * `valid_after_times`: an array of `google_service_account_key` valid_after_time + * `valid_before_times`: an array of `google_service_account_key` valid_before_time + * `key_origins`: an array of `google_service_account_key` key_origin + * `key_types`: an array of `google_service_account_key` key_type + * `service_accounts`: an array of `google_service_account_key` service_account + * `paths`: an array of `google_service_account_key` path + * `disableds`: an array of `google_service_account_key` disabled + +## Filter criteria + +This resource supports all of the above properties as filter criteria, which can be used +with `where` as a block or a method. + +## GCP permissions + +Ensure the [Identity and Access Management (IAM) API](https://console.cloud.google.com/apis/library/iam.googleapis.com/) is enabled for the current project. diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_service_accounts.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_service_accounts.md new file mode 100644 index 0000000..cb3035c --- /dev/null +++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_service_accounts.md 
@@ -0,0 +1,76 @@ ++++ +title = "google_service_accounts resource" + +draft = false + + +[menu.gcp] +title = "google_service_accounts" +identifier = "inspec/resources/gcp/google_service_accounts resource" +parent = "inspec/resources/gcp" ++++ + +Use the `google_service_accounts` InSpec audit resource to to test a Google Cloud ServiceAccount resource. + +## Examples + +```ruby +describe google_service_accounts(project: 'chef-gcp-inspec', name: "display-name@project-id.iam.gserviceaccount.com") do + its('service_account_emails') { should include "display-name@project-id.iam.gserviceaccount.com" } + its('count') { should be <= 1000 } +end +``` + +### Test that there are no more than a specified number of service accounts for the project + + describe google_service_accounts(project: 'chef-inspec-gcp') do + its('count') { should be <= 1000} + end + +### Test that an expected service account display name is available + + describe google_service_accounts(project: 'chef-inspec-gcp') do + its('service_account_display_names'){ should include "gcp_sa_name" } + end + +### Test that an expected service account unique identifier is available + + describe google_service_accounts(project: 'chef-inspec-gcp') do + its('service_account_ids'){ should include 12345678 } + end + +### Test that a service account with expected name is available + + describe google_service_accounts(project: 'dummy-project') do + its('service_account_names'){ should include "projects/dummy-project/serviceAccounts/dummy-acct@dummy-project.iam.gserviceaccount.com" } + end + +### Use filtering to retrieve a particular service account + + google_service_accounts(project: 'chef-inspec-gcp').where(service_account_display_names: /^dummyaccount/).service_account_names.each do |sa_name| + describe google_service_account(name: sa_name) do + it { should exist } + end + end + +## Properties + +Properties that can be accessed from the `google_service_accounts` resource: + +See 
[google_service_account](google_service_account) for more detailed information. + + * `service_account_names`: an array of `google_service_account` name + * `project_ids`: an array of `google_service_account` project_id + * `service_account_ids`: an array of `google_service_account` unique_id + * `service_account_emails`: an array of `google_service_account` email + * `service_account_display_names`: an array of `google_service_account` display_name + * `oauth2_client_ids`: an array of `google_service_account` oauth2_client_id + +## Filter criteria + +This resource supports all of the above properties as filter criteria, which can be used +with `where` as a block or a method. + +## GCP permissions + +Ensure the [Identity and Access Management (IAM) API](https://console.cloud.google.com/apis/library/iam.googleapis.com/) is enabled for the current project. diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_service_networking_service_connections.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_service_networking_service_connections.md new file mode 100644 index 0000000..1dd1825 --- /dev/null +++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_service_networking_service_connections.md 
@@ -0,0 +1,41 @@ ++++ +title = "google_service_networking_service_connections resource" + +draft = false + + +[menu.gcp] +title = "google_service_networking_service_connections" +identifier = "inspec/resources/gcp/google_service_networking_service_connections resource" +parent = "inspec/resources/gcp" ++++ + +Use the `google_service_networking_service_connections` InSpec audit resource to to test a Google Cloud service_connection resource. + +## Examples + +```ruby + describe google_servicenetworking_service_connections(parent: ' value_parent',network: 'value_network') do + it { should exist } + end +``` + +## Properties + +Properties that can be accessed from the `google_service_networking_service_connections` resource: + +See [google_service_networking_service_connection](google_service_networking_service_connection) for more detailed information. + + * `networks`: an array of `google_service_networking_service_connection` network + * `reserved_peering_ranges`: an array of `google_service_networking_service_connection` reserved_peering_ranges + * `peerings`: an array of `google_service_networking_service_connection` peering + * `services`: an array of `google_service_networking_service_connection` service + +## Filter criteria + +This resource supports all of the above properties as filter criteria, which can be used +with `where` as a block or a method. + +## GCP permissions + +Ensure the [https://servicenetworking.googleapis.com/](https://console.cloud.google.com/apis/library/servicenetworking.googleapis.com/) is enabled for the current project. diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_sourcerepo_repositories.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_sourcerepo_repositories.md new file mode 100644 index 0000000..5b0a2e4 --- /dev/null +++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_sourcerepo_repositories.md 
@@ -0,0 +1,46 @@ ++++ +title = "google_sourcerepo_repositories resource" + +draft = false + + +[menu.gcp] +title = "google_sourcerepo_repositories" +identifier = "inspec/resources/gcp/google_sourcerepo_repositories resource" +parent = "inspec/resources/gcp" ++++ + +Use the `google_sourcerepo_repositories` InSpec audit resource to to test a Google Cloud Repository resource. + +## Examples + +```ruby +repo_name = 'inspec-gcp-repository' +describe.one do + google_sourcerepo_repositories(project: 'chef-gcp-inspec').names.each do |name| + describe name do + it { should match /\/repos\/#{repo_name}$/ } + end + end +end +``` + +## Properties + +Properties that can be accessed from the `google_sourcerepo_repositories` resource: + +See [google_sourcerepo_repository](google_sourcerepo_repository) for more detailed information. + + * `names`: an array of `google_sourcerepo_repository` name + * `urls`: an array of `google_sourcerepo_repository` url + * `sizes`: an array of `google_sourcerepo_repository` size + * `pubsub_configs`: an array of `google_sourcerepo_repository` pubsub_configs + +## Filter criteria + +This resource supports all of the above properties as filter criteria, which can be used +with `where` as a block or a method. + +## GCP permissions + +Ensure the [Cloud Source Repositories API](https://console.cloud.google.com/apis/library/sourcerepo.googleapis.com/) is enabled for the current project. diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_sourcerepo_repository.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_sourcerepo_repository.md new file mode 100644 index 0000000..9504972 --- /dev/null +++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_sourcerepo_repository.md 
@@ -0,0 +1,43 @@ ++++ +title = "google_sourcerepo_repository resource" + +draft = false + + +[menu.gcp] +title = "google_sourcerepo_repository" +identifier = "inspec/resources/gcp/google_sourcerepo_repository resource" +parent = "inspec/resources/gcp" ++++ + +Use the `google_sourcerepo_repository` InSpec audit resource to to test a Google Cloud Repository resource. + +## Examples + +```ruby +describe google_sourcerepo_repository(project: 'chef-gcp-inspec', name: 'inspec-gcp-repository') do + it { should exist } +end + +describe google_sourcerepo_repository(project: 'chef-gcp-inspec', name: 'nonexistent') do + it { should_not exist } +end +``` + +## Properties + +Properties that can be accessed from the `google_sourcerepo_repository` resource: + + + * `name`: Resource name of the repository, of the form projects/{{project}}/repos/{{repo}}. The repo name may contain slashes. eg, projects/myproject/repos/name/with/slash + + * `url`: URL to clone the repository from Google Cloud Source Repositories. + + * `size`: The disk usage of the repo, in bytes. + + * `pubsub_configs`: How this repository publishes a change in the repository through Cloud Pub/Sub. Keyed by the topic names. + + +## GCP permissions + +Ensure the [Cloud Source Repositories API](https://console.cloud.google.com/apis/library/sourcerepo.googleapis.com/) is enabled for the current project. diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_spanner_database.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_spanner_database.md new file mode 100644 index 0000000..4a2210b --- /dev/null +++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_spanner_database.md 
@@ -0,0 +1,36 @@ ++++ +title = "google_spanner_database resource" + +draft = false + + +[menu.gcp] +title = "google_spanner_database" +identifier = "inspec/resources/gcp/google_spanner_database resource" +parent = "inspec/resources/gcp" ++++ + +Use the `google_spanner_database` InSpec audit resource to to test a Google Cloud Database resource. + +## Examples + +```ruby +describe google_spanner_database(project: 'chef-gcp-inspec', instance: 'spinstance', name: 'spdatabase') do + it { should exist } + its('name') { should match 'spdatabase' } +end +``` + +## Properties + +Properties that can be accessed from the `google_spanner_database` resource: + + + * `name`: A unique identifier for the database, which cannot be changed after the instance is created. Values are of the form [a-z][-a-z0-9]*[a-z0-9]. + + * `instance`: The instance to create the database on. + + +## GCP permissions + +Ensure the [Cloud Spanner API](https://console.cloud.google.com/apis/library/spanner.googleapis.com/) is enabled for the current project. diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_spanner_databases.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_spanner_databases.md new file mode 100644 index 0000000..a166971 --- /dev/null +++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_spanner_databases.md 
@@ -0,0 +1,43 @@ ++++ +title = "google_spanner_databases resource" + +draft = false + + +[menu.gcp] +title = "google_spanner_databases" +identifier = "inspec/resources/gcp/google_spanner_databases resource" +parent = "inspec/resources/gcp" ++++ + +Use the `google_spanner_databases` InSpec audit resource to to test a Google Cloud Database resource. + +## Examples + +```ruby +describe.one do + google_spanner_databases(project: 'chef-gcp-inspec', instance: 'spinstance').names.each do |name| + describe name do + it { should match 'spdatabase' } + end + end +end +``` + +## Properties + +Properties that can be accessed from the `google_spanner_databases` resource: + +See [google_spanner_database](google_spanner_database) for more detailed information. + + * `names`: an array of `google_spanner_database` name + * `instances`: an array of `google_spanner_database` instance + +## Filter criteria + +This resource supports all of the above properties as filter criteria, which can be used +with `where` as a block or a method. + +## GCP permissions + +Ensure the [Cloud Spanner API](https://console.cloud.google.com/apis/library/spanner.googleapis.com/) is enabled for the current project. diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_spanner_instance.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_spanner_instance.md new file mode 100644 index 0000000..242803d --- /dev/null +++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_spanner_instance.md 
@@ -0,0 +1,46 @@ ++++ +title = "google_spanner_instance resource" + +draft = false + + +[menu.gcp] +title = "google_spanner_instance" +identifier = "inspec/resources/gcp/google_spanner_instance resource" +parent = "inspec/resources/gcp" ++++ + +Use the `google_spanner_instance` InSpec audit resource to to test a Google Cloud Instance resource. + +## Examples + +```ruby +describe google_spanner_instance(project: 'chef-gcp-inspec', name: 'spinstance', config: 'regional-us-east1') do + it { should exist } + its('config') { should match 'regional-us-east1' } + its('name') { should match 'spinstance' } + its('display_name') { should eq 'inspectest' } + its('node_count') { should eq '1' } + its('labels') { should include('env' => 'test') } +end +``` + +## Properties + +Properties that can be accessed from the `google_spanner_instance` resource: + + + * `name`: A unique identifier for the instance, which cannot be changed after the instance is created. The name must be between 6 and 30 characters in length. + + * `config`: The name of the instance's configuration (similar but not quite the same as a region) which defines defines the geographic placement and replication of your databases in this instance. It determines where your data is stored. Values are typically of the form `regional-europe-west1` , `us-central` etc. In order to obtain a valid list please consult the [Configuration section of the docs](https://cloud.google.com/spanner/docs/instances). + + * `display_name`: The descriptive name for this instance as it appears in UIs. Must be unique per project and between 4 and 30 characters in length. + + * `node_count`: The number of nodes allocated to this instance. + + * `labels`: An object containing a list of "key": value pairs. Example: { "name": "wrench", "mass": "1.3kg", "count": "3" }. + + +## GCP permissions + +Ensure the [Cloud Spanner API](https://console.cloud.google.com/apis/library/spanner.googleapis.com/) is enabled for the current project. 
diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_spanner_instance_iam_binding.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_spanner_instance_iam_binding.md
new file mode 100644
index 0000000..bc746c9
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_spanner_instance_iam_binding.md
@@ -0,0 +1,38 @@
++++
+title = "google_spanner_instance_iam_binding resource"
+
+draft = false
+
+
+[menu.gcp]
+title = "google_spanner_instance_iam_binding"
+identifier = "inspec/resources/gcp/google_spanner_instance_iam_binding resource"
+parent = "inspec/resources/gcp"
++++
+
+## Syntax
+
+A `google_spanner_instance_iam_binding` is used to test a Google Instance Iam Bindings
+
+## Examples
+
+```ruby
+describe google_spanner_instance_iam_binding(project: "project", name: "name", role: "roles/editor") do
+ it { should exist }
+ its('members') { should include 'user:testuser@example.com' }
+end
+```
+
+
+## Properties
+
+Properties that can be accessed from the `google_spanner_instance_iam_binding` resource:
+
+ * `role`: Role that is assigned to members. For example, roles/viewer, roles/editor, or roles/owner.
+
+ * `members`: Specifies the identities requesting access for a Cloud Platform resource.
+
+
+## GCP permissions
+
+Ensure the [Cloud Spanner API](https://console.cloud.google.com/apis/library/spanner.googleapis.com/) is enabled for the current project.
diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_spanner_instance_iam_policy.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_spanner_instance_iam_policy.md
new file mode 100644
index 0000000..84fa0e2
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_spanner_instance_iam_policy.md
@@ -0,0 +1,58 @@
++++
+title = "google_spanner_instance_iam_policy resource"
+
+draft = false
+
+
+[menu.gcp]
+title = "google_spanner_instance_iam_policy"
+identifier = "inspec/resources/gcp/google_spanner_instance_iam_policy resource"
+parent = "inspec/resources/gcp"
++++
+
+## Syntax
+
+A `google_spanner_instance_iam_policy` is used to test a Google Instance Iam Policy resource.
+
+## Examples
+
+```ruby
+describe google_spanner_instance_iam_policy(project: "project", name: "name") do
+ it { should exist }
+end
+
+google_spanner_instance_iam_policy(project: "project", name: "name").bindings.each do |binding|
+ describe binding do
+ its('role') { should eq 'roles/editor'}
+ its('members') { should include 'user:testuser@example.com'}
+ end
+end
+```
+
+## Properties
+
+Properties that can be accessed from the `google_spanner_instance_iam_policy` resource:
+
+ * `iam_binding_roles`: The list of roles that exist on the policy.
+
+ * `bindings`: Associates a list of members to a role.
+
+ * `role`: Role that is assigned to members. For example, roles/viewer, roles/editor, or roles/owner.
+
+ * `members`: Specifies the identities requesting access for a Cloud Platform resource.
+
+ * `audit_configs`: Specifies cloud audit logging configuration for this policy.
+
+ * `service`: Specifies a service that will be enabled for audit logging. For example, `storage.googleapis.com`, `cloudsql.googleapis.com`. `allServices` is a special value that covers all services.
+
+ * `audit_log_configs`: The configuration for logging of each type of permission.
+
+ * `log_type`: The log type that this config enables. For example, ADMIN_READ, DATA_WRITE or DATA_READ
+
+ * `exempted_members`: Specifies the identities that do not cause logging for this type of permission.
+
+
+
+## GCP permissions
+
+Ensure the [Cloud Spanner API](https://console.cloud.google.com/apis/library/spanner.googleapis.com/) is enabled for the current project.
diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_spanner_instances.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_spanner_instances.md new file mode 100644 index 0000000..7e73a5f --- /dev/null +++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_spanner_instances.md @@ -0,0 +1,46 @@ ++++ +title = "google_spanner_instances resource" + +draft = false + + +[menu.gcp] +title = "google_spanner_instances" +identifier = "inspec/resources/gcp/google_spanner_instances resource" +parent = "inspec/resources/gcp" ++++ + +Use the `google_spanner_instances` InSpec audit resource to to test a Google Cloud Instance resource. + +## Examples + +```ruby +describe.one do + google_spanner_instances(project: 'chef-gcp-inspec', config: 'regional-us-east1').configs.each do |config| + describe config do + it { should match 'regional-us-east1' } + end + end +end +``` + +## Properties + +Properties that can be accessed from the `google_spanner_instances` resource: + +See [google_spanner_instance](google_spanner_instance) for more detailed information. + + * `names`: an array of `google_spanner_instance` name + * `configs`: an array of `google_spanner_instance` config + * `display_names`: an array of `google_spanner_instance` display_name + * `node_counts`: an array of `google_spanner_instance` node_count + * `labels`: an array of `google_spanner_instance` labels + +## Filter criteria + +This resource supports all of the above properties as filter criteria, which can be used +with `where` as a block or a method. + +## GCP permissions + +Ensure the [Cloud Spanner API](https://console.cloud.google.com/apis/library/spanner.googleapis.com/) is enabled for the current project. diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_sql_connect.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_sql_connect.md new file mode 100644 index 0000000..fe576cf --- /dev/null 
+++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_sql_connect.md 
@@ -0,0 +1,77 @@ ++++ +title = "google_sql_connect resource" + +draft = false + + +[menu.gcp] +title = "google_sql_connect" +identifier = "inspec/resources/gcp/google_sql_connect resource" +parent = "inspec/resources/gcp" ++++ + +Use the `google_sql_connect` InSpec audit resource to to test a Google Cloud Connect resource. + +## Examples + +```ruby +describe google_sql_connect(project: 'chef-gcp-inspec', instance: 'test-pg') do + it { should exist } + its('region') { should include 'us-central1' } + its('database_version') { should include 'POSTGRES_13' } + its('backend_type') { should include 'SECOND_GEN' } +end + +``` + +## Properties + +Properties that can be accessed from the `google_sql_connect` resource: + + + * `region`: The region where you want your Cloud SQL replicas to reside. + + * `ip_addresses`: The assigned IP addresses for the instance. + + * `ip_address`: The IP address assigned. + + * `time_to_retire`: The due time for this IP to be retired in RFC 3339 format, for example 2012-11-15T16:19:00.094Z. This field is only available when the IP is scheduled to be retired. + + * `type`: The type of this IP address. A PRIMARY address is an address that can accept incoming connections. An OUTGOING address is the source address of connections originating from the instance, if supported. + Possible values: + * PRIMARY + * OUTGOING + + * `database_version`: The MySQL version running on your source database server. + Possible values: + * MYSQL_5_5 + * MYSQL_5_6 + * MYSQL_5_7 + * MYSQL_8_0 + + * `backend_type`: * FIRST_GEN: First Generation instance. MySQL only. * SECOND_GEN: Second Generation instance or PostgreSQL instance. * EXTERNAL: A database server that is not managed by Google. + Possible values: + * FIRST_GEN + * SECOND_GEN + * EXTERNAL + + * `server_ca_cert`: Configuration specific to on-premises instances. + + * `cert`: PEM representation of the X.509 certificate. + + * `cert_serial_number`: Serial number, as extracted from the certificate. 
+ + * `common_name`: User supplied name. Constrained to [a-zA-Z.-_ ]+. + + * `sha1_fingerprint`: Sha1 Fingerprint. + + * `instance`: Name of the database instance. + + * `create_time`: The time when the certificate was created in RFC 3339 format, for example 2012-11-15T16:19:00.094Z. + + * `expiration_time`: The time when the certificate expires in RFC 3339 format, for example 2012-11-15T16:19:00.094Z. + + +## GCP permissions + +Ensure the [Cloud SQL Admin API](https://console.cloud.google.com/apis/library/sqladmin.googleapis.com/) is enabled for the current project. diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_sql_database.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_sql_database.md new file mode 100644 index 0000000..1a29db8 --- /dev/null +++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_sql_database.md 
@@ -0,0 +1,41 @@ ++++ +title = "google_sql_database resource" + +draft = false + + +[menu.gcp] +title = "google_sql_database" +identifier = "inspec/resources/gcp/google_sql_database resource" +parent = "inspec/resources/gcp" ++++ + +Use the `google_sql_database` InSpec audit resource to to test a Google Cloud Database resource. + +## Examples + +```ruby +describe google_sql_database(project: 'chef-gcp-inspec', instance: 'my-database', gcp_db_name: 'my-db') do + it { should exist } + its('name') { should eq 'my-db' } + its('instance') { should eq 'my-database' } +end +``` + +## Properties + +Properties that can be accessed from the `google_sql_database` resource: + + + * `charset`: The charset value. See MySQL's [Supported Character Sets and Collations](https://dev.mysql.com/doc/refman/5.7/en/charset-charsets.html) and Postgres' [Character Set Support](https://www.postgresql.org/docs/9.6/static/multibyte.html) for more details and supported values. Postgres databases only support a value of `UTF8` at creation time. + + * `collation`: The collation value. See MySQL's [Supported Character Sets and Collations](https://dev.mysql.com/doc/refman/5.7/en/charset-charsets.html) and Postgres' [Collation Support](https://www.postgresql.org/docs/9.6/static/collation.html) for more details and supported values. Postgres databases only support a value of `en_US.UTF8` at creation time. + + * `name`: The name of the database in the Cloud SQL instance. This does not include the project ID or instance name. + + * `instance`: The name of the Cloud SQL instance. This does not include the project ID. + + +## GCP permissions + +Ensure the [Cloud SQL Admin API](https://console.cloud.google.com/apis/library/sqladmin.googleapis.com/) is enabled for the current project. 
diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_sql_database_instance.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_sql_database_instance.md new file mode 100644 index 0000000..bab3e90 --- /dev/null +++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_sql_database_instance.md 
@@ -0,0 +1,252 @@
++++
+title = "google_sql_database_instance resource"
+
+draft = false
+
+
+[menu.gcp]
+title = "google_sql_database_instance"
+identifier = "inspec/resources/gcp/google_sql_database_instance resource"
+parent = "inspec/resources/gcp"
++++
+
+Use the `google_sql_database_instance` InSpec audit resource to to test a Google Cloud DatabaseInstance resource.
+
+## Examples
+
+```ruby
+describe google_sql_database_instance(project: 'chef-gcp-inspec', instance: 'my-database') do
+ it { should exist }
+ its('state') { should eq 'RUNNABLE' }
+ its('backend_type') { should eq 'SECOND_GEN' }
+ its('database_version') { should eq 'MYSQL_5_7' }
+end
+```
+
+### Test that a GCP Cloud SQL Database instance is in the expected state
+
+ describe google_sql_database_instance(project: 'chef-inspec-gcp', database: 'my-database') do
+ its('state') { should eq 'RUNNABLE' }
+ end
+
+### Test that a GCP Cloud SQL Database instance generation type
+
+ describe google_sql_database_instance(project: 'chef-inspec-gcp', database: 'my-database') do
+ its('backend_type') { should eq "SECOND_GEN" }
+ end
+
+### Test that a GCP Cloud SQL Database instance connection name is as expected
+
+ describe google_sql_database_instance(project: 'spaterson-project', database: 'gcp-inspec-db-instance') do
+ its('connection_name') { should eq "spaterson-project:europe-west2:gcp-inspec-db-instance" }
+ end
+
+### Confirm that a GCP Cloud SQL Database instance has the correct version
+
+ describe google_sql_database_instance(project: 'spaterson-project', database: 'gcp-inspec-db-instance') do
+ its('database_version') { should eq "MYSQL_5_7" }
+ end
+
+### Confirm that a GCP Cloud SQL Database instance is running in the desired region and zone
+
+ describe google_sql_database_instance(project: 'spaterson-project', database: 'gcp-inspec-db-instance') do
+ its('gce_zone') { should eq "europe-west2-a" }
+ its('region') { should eq "europe-west2" }
+ end
+
+## Properties
+
+Properties that can be accessed from the `google_sql_database_instance` resource:
+
+
+ * `backend_type`: * FIRST_GEN: First Generation instance. MySQL only. * SECOND_GEN: Second Generation instance or PostgreSQL instance. * EXTERNAL: A database server that is not managed by Google.
+ Possible values:
+ * FIRST_GEN
+ * SECOND_GEN
+ * EXTERNAL
+
+ * `kind`: This is always sql#instancesList.
+
+ * `connection_name`: Connection name of the Cloud SQL instance used in connection strings.
+
+ * `database_version`: The database engine type and version. For First Generation instances, can be MYSQL_5_5, or MYSQL_5_6. For Second Generation instances, can be MYSQL_5_6 or MYSQL_5_7. Defaults to MYSQL_5_6. PostgreSQL instances: POSTGRES_9_6 The databaseVersion property can not be changed after instance creation.
+ Possible values:
+ * MYSQL_5_5
+ * MYSQL_5_6
+ * MYSQL_5_7
+ * POSTGRES_9_6
+
+ * `failover_replica`: The name and status of the failover replica. This property is applicable only to Second Generation instances.
+
+ * `available`: The availability status of the failover replica. A false status indicates that the failover replica is out of sync. The master can only failover to the failover replica when the status is true.
+
+ * `name`: The name of the failover replica. If specified at instance creation, a failover replica is created for the instance. The name doesn't include the project ID. This property is applicable only to Second Generation instances.
+
+ * `instance_type`: The instance type. This can be one of the following. * CLOUD_SQL_INSTANCE: A Cloud SQL instance that is not replicating from a master. * ON_PREMISES_INSTANCE: An instance running on the customer's premises. * READ_REPLICA_INSTANCE: A Cloud SQL instance configured as a read-replica.
+ Possible values:
+ * CLOUD_SQL_INSTANCE
+ * ON_PREMISES_INSTANCE
+ * READ_REPLICA_INSTANCE
+
+ * `ip_addresses`: The assigned IP addresses for the instance.
+
+ * `ip_address`: The IP address assigned.
+
+ * `time_to_retire`: The due time for this IP to be retired in RFC 3339 format, for example 2012-11-15T16:19:00.094Z. This field is only available when the IP is scheduled to be retired.
+
+ * `type`: The type of this IP address. A PRIMARY address is an address that can accept incoming connections. An OUTGOING address is the source address of connections originating from the instance, if supported.
+ Possible values:
+ * PRIMARY
+ * OUTGOING
+
+ * `ipv6_address`: The IPv6 address assigned to the instance. This property is applicable only to First Generation instances.
+
+ * `master_instance_name`: The name of the instance which will act as master in the replication setup.
+
+ * `max_disk_size`: The maximum disk size of the instance in bytes.
+
+ * `name`: Name of the Cloud SQL instance. This does not include the project ID.
+
+ * `region`: The geographical region. Defaults to us-central or us-central1 depending on the instance type (First Generation or Second Generation/PostgreSQL).
+
+ * `replica_configuration`: Configuration specific to failover replicas and read replicas.
+
+ * `failover_target`: Specifies if the replica is the failover target. If the field is set to true the replica will be designated as a failover replica. In case the master instance fails, the replica instance will be promoted as the new master instance. Only one replica can be specified as failover target, and the replica has to be in different zone with the master instance.
+
+ * `mysql_replica_configuration`: MySQL specific configuration when replicating from a MySQL on-premises master. Replication configuration information such as the username, password, certificates, and keys are not stored in the instance metadata. The configuration information is used only to set up the replication connection and is stored by MySQL in a file named master.info in the data directory.
+
+ * `ca_certificate`: PEM representation of the trusted CA's x509 certificate.
+
+ * `client_certificate`: PEM representation of the replica's x509 certificate
+
+ * `client_key`: PEM representation of the replica's private key. The corresponding public key is encoded in the client's certificate.
+
+ * `connect_retry_interval`: Seconds to wait between connect retries. MySQL's default is 60 seconds.
+
+ * `dump_file_path`: Path to a SQL dump file in Google Cloud Storage from which the replica instance is to be created. The URI is in the form gs://bucketName/fileName. Compressed gzip files (.gz) are also supported. Dumps should have the binlog coordinates from which replication should begin. This can be accomplished by setting --master-data to 1 when using mysqldump.
+
+ * `master_heartbeat_period`: Interval in milliseconds between replication heartbeats.
+
+ * `password`: The password for the replication connection.
+
+ * `ssl_cipher`: A list of permissible ciphers to use for SSL encryption.
+
+ * `username`: The username for the replication connection.
+
+ * `verify_server_certificate`: Whether or not to check the master's Common Name value in the certificate that it sends during the SSL handshake.
+
+ * `replica_names`: The replicas of the instance.
+
+ * `service_account_email_address`: The service account email address assigned to the instance. This property is applicable only to Second Generation instances.
+
+ * `settings`: The user settings.
+
+ * `kind`: This is always sql#settings.
+
+ * `database_flags`: The database flags passed to the instance at startup
+
+ * `name`: The name of the flag. These flags are passed at instance startup, so include both server options and system variables for MySQL. Flags should be specified with underscores, not hyphens.
+
+ * `value`: The value of the flag. Booleans should be set to on for true and off for false. This field must be omitted if the flag doesn't take a value.
+
+ * `ip_configuration`: The settings for IP Management. This allows to enable or disable the instance IP and manage which external networks can connect to the instance. The IPv4 address cannot be disabled for Second Generation instances.
+
+ * `ipv4_enabled`: Whether the instance should be assigned an IP address or not.
+
+ * `authorized_networks`: The list of external networks that are allowed to connect to the instance using the IP. In CIDR notation, also known as 'slash' notation (e.g. 192.168.100.0/24).
+
+ * `expiration_time`: The time when this access control entry expires in RFC 3339 format, for example 2012-11-15T16:19:00.094Z.
+
+ * `name`: An optional label to identify this entry.
+
+ * `value`: The whitelisted value for the access control list. For example, to grant access to a client from an external IP (IPv4 or IPv6) address or subnet, use that address or subnet here.
+
+ * `require_ssl`: Whether the mysqld should default to 'REQUIRE X509' for users connecting over IP.
+
+ * `tier`: The tier or machine type for this instance, for example db-n1-standard-1. For MySQL instances, this field determines whether the instance is Second Generation (recommended) or First Generation.
+
+ * `availability_type`: The availabilityType define if your postgres instance is run zonal or regional.
+ Possible values:
+ * ZONAL
+ * REGIONAL
+
+ * `backup_configuration`: The daily backup configuration for the instance.
+
+ * `enabled`: Enable Autobackup for your instance.
+
+ * `binary_log_enabled`: Whether binary log is enabled. If backup configuration is disabled, binary log must be disabled as well. MySQL only.
+
+ * `start_time`: Define the backup start time in UTC (HH:MM)
+
+ * `settings_version`: The version of instance settings. This is a required field for update method to make sure concurrent updates are handled properly. During update, use the most recent settingsVersion value for this instance and do not try to update this value.
+
+ * `user_labels`: User-provided labels, represented as a dictionary where each label is a single key value pair.
+
+ * `activation_policy`: Specifies when the instance is activated.
+ Possible values:
+ * SQL_ACTIVATION_POLICY_UNSPECIFIED
+ * ALWAYS
+ * NEVER
+
+ * `data_disk_size_gb`: The size of data disk, in GB. The data disk size minimum is 10GB.
+
+ * `data_disk_type`: Specifies when the instance is activated.
+ Possible values:
+ * SQL_ACTIVATION_POLICY_UNSPECIFIED
+ * ALWAYS
+ * NEVER
+
+ * `pricing_plan`: The pricing plan for this instance.
+ Possible values:
+ * SQL_PRICING_PLAN_UNSPECIFIED
+ * PACKAGE
+ * PER_USE
+
+ * `replication_type`: The pricing plan for this instance.
+ Possible values:
+ * SQL_REPLICATION_TYPE_UNSPECIFIED
+ * SYNCHRONOUS
+ * ASYNCHRONOUS
+
+ * `storage_auto_resize`: Configuration to increase storage size automatically. The default value is true.
+
+ * `storage_auto_resize_limit`: The maximum size to which storage capacity can be automatically increased. The default value is 0, which specifies that there is no limit.
+
+ * `gce_zone`: The Compute Engine zone that the instance is currently serving from. This value could be different from the zone that was specified when the instance was created if the instance has failed over to its secondary zone.
+
+ * `state`: The current serving state of the database instance.
+ Possible values:
+ * SQL_INSTANCE_STATE_UNSPECIFIED
+ * RUNNABLE
+ * SUSPENDED
+ * PENDING_DELETE
+ * PENDING_CREATE
+ * MAINTENANCE
+ * FAILED
+
+ * `disk_encryption_configuration`: Disk encryption settings
+
+ * `kms_key_name`: The KMS key used to encrypt the Cloud SQL instance
+
+ * `disk_encryption_status`: Disk encryption status
+
+ * `kms_key_version_name`: The KMS key version used to encrypt the Cloud SQL instance
+
+ * `server_ca_cert`: SSL configuration
+
+ * `cert`: PEM representation of the X.509 certificate.
+
+ * `cert_serial_number`: Serial number, as extracted from the certificate.
+
+ * `common_name`: User supplied name. Constrained to [a-zA-Z.-_ ]+.
+
+ * `create_time`: The time when the certificate was created in RFC 3339 format, for example 2012-11-15T16:19:00.094Z.
+
+ * `expiration_time`: The time when the certificate expires in RFC 3339 format, for example 2012-11-15T16:19:00.094Z.
+
+ * `sha1_fingerprint`: SHA-1 fingerprint of the certificate.
+
+
+## GCP permissions
+
+Ensure the [Cloud SQL Admin API](https://console.cloud.google.com/apis/library/sqladmin.googleapis.com/) is enabled for the current project.
diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_sql_database_instances.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_sql_database_instances.md
new file mode 100644
index 0000000..60c7ee7
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_sql_database_instances.md
@@ -0,0 +1,92 @@
++++
+title = "google_sql_database_instances resource"
+
+draft = false
+
+
+[menu.gcp]
+title = "google_sql_database_instances"
+identifier = "inspec/resources/gcp/google_sql_database_instances resource"
+parent = "inspec/resources/gcp"
++++
+
+Use the `google_sql_database_instances` InSpec audit resource to to test a Google Cloud DatabaseInstance resource.
+
+## Examples
+
+```ruby
+describe google_sql_database_instances(project: 'chef-gcp-inspec') do
+ its('instance_states') { should include 'RUNNABLE' }
+ its('instance_names') { should include 'my-database' }
+end
+```
+
+### Test that there are no more than a specified number of zones available for the project
+
+ describe google_sql_database_instances(project: 'chef-inspec-gcp') do
+ its('count') { should be <= 100}
+ end
+
+
+### Test that a database instance exists in the expected zone
+
+ describe google_sql_database_instances(project: 'chef-inspec-gcp') do
+ its('instance_zones') { should include "us-east1-b" }
+ end
+
+### Test that a database instance exists in the expected region
+
+ describe google_sql_database_instances(project: 'chef-inspec-gcp') do
+ its('instance_regions') { should include "us-east1" }
+ end
+
+
+### Confirm that at least one database instance is in "RUNNABLE" state
+
+ describe google_sql_database_instances(project: 'chef-inspec-gcp') do
+ its('instance_states') { should include "RUNNABLE" }
+ end
+
+### Test that a subset of all database instances matching "*mysqldb*" are all version "MYSQL_5_7"
+
+ google_sql_database_instances(project: 'chef-inspec-gcp').where(instance_name: /mysqldb/).instance_names.each do |instance_name|
+ describe google_sql_database_instance(project: 'chef-inspec-gcp', database: instance_name) do
+ it { should exist }
+ its('database_version') { should eq "MYSQL_5_7" }
+ end
+ end
+
+## Properties
+
+Properties that can be accessed from the `google_sql_database_instances` resource:
+
+See [google_sql_database_instance](google_sql_database_instance) for more detailed information.
+
+ * `backend_types`: an array of `google_sql_database_instance` backend_type
+ * `kinds`: an array of `google_sql_database_instance` kind
+ * `connection_names`: an array of `google_sql_database_instance` connection_name
+ * `instance_versions`: an array of `google_sql_database_instance` database_version
+ * `failover_replicas`: an array of `google_sql_database_instance` failover_replica
+ * `instance_types`: an array of `google_sql_database_instance` instance_type
+ * `ip_addresses`: an array of `google_sql_database_instance` ip_addresses
+ * `ipv6_addresses`: an array of `google_sql_database_instance` ipv6_address
+ * `master_instance_names`: an array of `google_sql_database_instance` master_instance_name
+ * `max_disk_sizes`: an array of `google_sql_database_instance` max_disk_size
+ * `instance_names`: an array of `google_sql_database_instance` name
+ * `instance_regions`: an array of `google_sql_database_instance` region
+ * `replica_configurations`: an array of `google_sql_database_instance` replica_configuration
+ * `settings`: an array of `google_sql_database_instance` settings
+ * `instance_zones`: an array of `google_sql_database_instance` gce_zone
+ * `instance_states`: an array of `google_sql_database_instance` state
+ * `disk_encryption_configurations`: an array of `google_sql_database_instance` disk_encryption_configuration
+ * `disk_encryption_statuses`: an array of `google_sql_database_instance` disk_encryption_status
+ * `server_ca_certs`: an array of `google_sql_database_instance` server_ca_cert
+
+## Filter criteria
+
+This resource supports all of the above properties as filter criteria, which can be used
+with `where` as a block or a method.
+
+## GCP permissions
+
+Ensure the [Cloud SQL Admin API](https://console.cloud.google.com/apis/library/sqladmin.googleapis.com/) is enabled for the current project.
diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_sql_databases.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_sql_databases.md
new file mode 100644
index 0000000..34b5253
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_sql_databases.md
@@ -0,0 +1,43 @@
++++
+title = "google_sql_databases resource"
+
+draft = false
+
+
+[menu.gcp]
+title = "google_sql_databases"
+identifier = "inspec/resources/gcp/google_sql_databases resource"
+parent = "inspec/resources/gcp"
++++
+
+Use the `google_sql_databases` InSpec audit resource to to test a Google Cloud Database resource.
+
+## Examples
+
+```ruby
+describe google_sql_databases(project: 'chef-gcp-inspec', instance: 'my-database') do
+ it { should exist }
+ its('names') { should include 'my-db' }
+ its('instances') { should include 'my-database' }
+end
+```
+
+## Properties
+
+Properties that can be accessed from the `google_sql_databases` resource:
+
+See [google_sql_database](google_sql_database) for more detailed information.
+
+ * `charsets`: an array of `google_sql_database` charset
+ * `collations`: an array of `google_sql_database` collation
+ * `names`: an array of `google_sql_database` name
+ * `instances`: an array of `google_sql_database` instance
+
+## Filter criteria
+
+This resource supports all of the above properties as filter criteria, which can be used
+with `where` as a block or a method.
+
+## GCP permissions
+
+Ensure the [Cloud SQL Admin API](https://console.cloud.google.com/apis/library/sqladmin.googleapis.com/) is enabled for the current project.
diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_sql_flags.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_sql_flags.md
new file mode 100644
index 0000000..74bdee5
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_sql_flags.md
@@ -0,0 +1,48 @@
++++
+title = "google_sql_flags resource"
+
+draft = false
+
+
+[menu.gcp]
+title = "google_sql_flags"
+identifier = "inspec/resources/gcp/google_sql_flags resource"
+parent = "inspec/resources/gcp"
++++
+
+Use the `google_sql_flags` InSpec audit resource to to test a Google Cloud Flag resource.
+
+## Examples
+
+```ruby
+describe google_sql_flags do
+its('names') { should include , 'audit_log' }
+its('types') { should include , 'STRING' }
+its('applies_tos.first') { should include , 'MYSQL_5_6' }
+its('allowed_string_values.first') { should include , 'true' }
+its('requires_restarts') { should include , 'true' }
+end
+```
+
+## Properties
+
+Properties that can be accessed from the `google_sql_flags` resource:
+
+See [google_sql_flag](google_sql_flag) for more detailed information.
+
+ * `allowed_string_values`: an array of `google_sql_flag` allowed_string_values
+ * `applies_tos`: an array of `google_sql_flag` applies_to
+ * `max_values`: an array of `google_sql_flag` max_value
+ * `min_values`: an array of `google_sql_flag` min_value
+ * `names`: an array of `google_sql_flag` name
+ * `requires_restarts`: an array of `google_sql_flag` requires_restart
+ * `types`: an array of `google_sql_flag` type
+
+## Filter criteria
+
+This resource supports all of the above properties as filter criteria, which can be used
+with `where` as a block or a method.
+
+## GCP permissions
+
+Ensure the [Cloud SQL Admin API](https://console.cloud.google.com/apis/library/sqladmin.googleapis.com/) is enabled for the current project.
diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_sql_operation.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_sql_operation.md
new file mode 100644
index 0000000..5634d9f
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_sql_operation.md
@@ -0,0 +1,85 @@
++++
+title = "google_sql_operation resource"
+
+draft = false
+
+
+[menu.gcp]
+title = "google_sql_operation"
+identifier = "inspec/resources/gcp/google_sql_operation resource"
+parent = "inspec/resources/gcp"
++++
+
+Use the `google_sql_operation` InSpec audit resource to to test a Google Cloud Operation resource.
+
+## Examples
+
+```ruby
+describe google_sql_operation(project: 'chef-gcp-inspec', operation: 'e5c522f1-8391-4830-a8ff-ff1cc4a7b2a5') do
+ it { should exist }
+ its('name') { should eq 'e5c522f1-8391-4830-a8ff-ff1cc4a7b2a5' }
+ its('status') { should eq 'DONE' }
+ its('operation_type') { should eq 'CREATE' }
+end
+
+describe google_sql_operation(project: 'chef-gcp-inspec', operation: 'nonexistant') do
+ it { should_not exist }
+end
+```
+
+## Properties
+
+Properties that can be accessed from the `google_sql_operation` resource:
+
+
+ * `user`: The email address of the user who initiated this operation.
+
+ * `name`: An identifier that uniquely identifies the operation. You can use this identifier to retrieve the Operations resource that has information about the operation.
+
+ * `status`: An Operation resource. For successful operations that return an Operation resource, only the fields relevant to the operation are populated in the resource.
+ Possible values:
+ * PENDING
+ * RUNNING
+ * DONE
+ * SQL_OPERATION_STATUS_UNSPECIFIED
+
+ * `operation_type`: An Operation resource. For successful operations that return an Operation resource, only the fields relevant to the operation are populated in the resource.
+ Possible values:
+ * SQL_OPERATION_TYPE_UNSPECIFIED
+ * IMPORT
+ * EXPORT
+ * CREATE
+ * UPDATE
+ * DELETE
+ * RESTART
+ * BACKUP_VOLUME
+ * DELETE_VOLUME
+ * RESTORE_VOLUME
+ * INJECT_USER
+ * CLONE
+ * STOP_REPLICA
+ * START_REPLICA
+ * START_REPLICA
+ * CREATE_REPLICA
+ * CREATE_USER
+ * DELETE_USER
+ * UPDATE_USER
+ * CREATE_DATABASE
+ * DELETE_DATABASE
+ * CREATE_REPLICA
+ * UPDATE_DATABASE
+ * FAILOVER
+ * DELETE_BACKUP
+ * RECREATE_REPLICA
+ * TRUNCATE_LOG
+ * DEMOTE_MASTER
+ * MAINTENANCE
+ * RESCHEDULE_MAINTENANCE
+ * START_EXTERNAL_SYNC
+
+ * `instance`: The name of the Cloud SQL instance. This does not include the project ID.
+
+
+## GCP permissions
+
+Ensure the [Cloud SQL Admin API](https://console.cloud.google.com/apis/library/sqladmin.googleapis.com/) is enabled for the current project.
diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_sql_operations.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_sql_operations.md
new file mode 100644
index 0000000..ea7631f
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_sql_operations.md
@@ -0,0 +1,45 @@
++++
+title = "google_sql_operations resource"
+
+draft = false
+
+
+[menu.gcp]
+title = "google_sql_operations"
+identifier = "inspec/resources/gcp/google_sql_operations resource"
+parent = "inspec/resources/gcp"
++++
+
+Use the `google_sql_operations` InSpec audit resource to to test a Google Cloud Operation resource.
+
+## Examples
+
+```ruby
+describe google_sql_operations(project: 'chef-gcp-inspec', instance: 'my-database') do
+ it { should exist }
+ its('names') { should include 'e5c522f1-8391-4830-a8ff-ff1cc4a7b2a5' }
+ its('statuses') { should include 'DONE' }
+ its('operation_types') { should include 'CREATE' }
+end
+```
+
+## Properties
+
+Properties that can be accessed from the `google_sql_operations` resource:
+
+See [google_sql_operation](google_sql_operation) for more detailed information.
+
+ * `users`: an array of `google_sql_operation` user
+ * `names`: an array of `google_sql_operation` name
+ * `statuses`: an array of `google_sql_operation` status
+ * `operation_types`: an array of `google_sql_operation` operation_type
+ * `instances`: an array of `google_sql_operation` instance
+
+## Filter criteria
+
+This resource supports all of the above properties as filter criteria, which can be used
+with `where` as a block or a method.
+
+## GCP permissions
+
+Ensure the [Cloud SQL Admin API](https://console.cloud.google.com/apis/library/sqladmin.googleapis.com/) is enabled for the current project.
diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_sql_ssl_cert.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_sql_ssl_cert.md
new file mode 100644
index 0000000..8221aa9
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_sql_ssl_cert.md
@@ -0,0 +1,53 @@
++++
+title = "google_sql_ssl_cert resource"
+
+draft = false
+
+
+[menu.gcp]
+title = "google_sql_ssl_cert"
+identifier = "inspec/resources/gcp/google_sql_ssl_cert resource"
+parent = "inspec/resources/gcp"
++++
+
+Use the `google_sql_ssl_cert` InSpec audit resource to to test a Google Cloud SslCert resource.
+
+## Examples
+
+```ruby
+describe google_sql_ssl_cert(project: 'chef-gcp-inspec', instance: 'test-pg', sha1_fingerprint: '80c5c611c0a591db967c7dda3467e23127288fed') do
+ it { should exist }
+ its('instance') { should eq 'test-pg' }
+ its('common_name') { should eq 'C=US,O=Google\, Inc,CN=Google Cloud SQL Server CA,dnQualifier=68c79386-b63e-4998-8254-ba59729cdf78' }
+ its('sha1_fingerprint') { should eq '80c5c611c0a591db967c7dda3467e23127288fed' }
+end
+
+describe google_sql_ssl_cert(project: 'chef-gcp-inspec', instance: 'nonexistent', sha1_fingerprint: '80c5c611c0a591db967c7dda3467e23127288fed') do
+ it { should_not exist }
+end
+
+```
+
+## Properties
+
+Properties that can be accessed from the `google_sql_ssl_cert` resource:
+
+
+ * `cert`: PEM representation of the X.509 certificate.
+
+ * `cert_serial_number`: Serial number, as extracted from the certificate.
+
+ * `common_name`: User supplied name. Constrained to [a-zA-Z.-_ ]+.
+
+ * `create_time`: The time when the certificate was created in RFC 3339 format, for example 2012-11-15T16:19:00.094Z.
+
+ * `expiration_time`: The time when the certificate expires in RFC 3339 format, for example 2012-11-15T16:19:00.094Z.
+
+ * `instance`: The name of the Cloud SQL instance. This does not include the project ID.
+
+ * `sha1_fingerprint`: The SHA-1 of the certificate.
+
+
+## GCP permissions
+
+Ensure the [Cloud SQL Admin API](https://console.cloud.google.com/apis/library/sqladmin.googleapis.com/) is enabled for the current project.
diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_sql_ssl_certs.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_sql_ssl_certs.md
new file mode 100644
index 0000000..3ed8702
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_sql_ssl_certs.md
@@ -0,0 +1,51 @@
++++
+title = "google_sql_ssl_certs resource"
+
+draft = false
+
+
+[menu.gcp]
+title = "google_sql_ssl_certs"
+identifier = "inspec/resources/gcp/google_sql_ssl_certs resource"
+parent = "inspec/resources/gcp"
++++
+
+Use the `google_sql_ssl_certs` InSpec audit resource to to test a Google Cloud SslCerts resource.
+
+## Examples
+
+```ruby
+describe google_sql_ssl_certs(project: 'chef-gcp-inspec', instance: 'test-pg') do
+ it { should exist }
+ its('instances') { should include 'test-pg' }
+ its('common_names') { should include 'C=US,O=Google\, Inc,CN=Google Cloud SQL Server CA,dnQualifier=68c79386-b63e-4998-8254-ba59729cdf78' }
+ its('sha1_fingerprints') { should include '80c5c611c0a591db967c7dda3467e23127288fed' }
+end
+
+describe google_sql_ssl_certs(project: 'chef-gcp-inspec', instance: 'nonexistent') do
+ it { should_not exist }
+end
+```
+
+## Properties
+
+Properties that can be accessed from the `google_sql_ssl_certs` resource:
+
+See [google_sql_ssl_cert](google_sql_ssl_cert) for more detailed information.
+
+ * `certs`: an array of `google_sql_ssl_cert` cert
+ * `cert_serial_numbers`: an array of `google_sql_ssl_cert` cert_serial_number
+ * `common_names`: an array of `google_sql_ssl_cert` common_name
+ * `create_times`: an array of `google_sql_ssl_cert` create_time
+ * `expiration_times`: an array of `google_sql_ssl_cert` expiration_time
+ * `instances`: an array of `google_sql_ssl_cert` instance
+ * `sha1_fingerprints`: an array of `google_sql_ssl_cert` sha1_fingerprint
+
+## Filter criteria
+
+This resource supports all of the above properties as filter criteria, which can be used
+with `where` as a block or a method.
+
+## GCP permissions
+
+Ensure the [Cloud SQL Admin API](https://console.cloud.google.com/apis/library/sqladmin.googleapis.com/) is enabled for the current project.
diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_sql_user.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_sql_user.md
new file mode 100644
index 0000000..64dd01c
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_sql_user.md
@@ -0,0 +1,45 @@
++++
+title = "google_sql_user resource"
+
+draft = false
+
+
+[menu.gcp]
+title = "google_sql_user"
+identifier = "inspec/resources/gcp/google_sql_user resource"
+parent = "inspec/resources/gcp"
++++
+
+Use the `google_sql_user` InSpec audit resource to to test a Google Cloud User resource.
+
+## Examples
+
+```ruby
+describe google_sql_user(project: 'chef-gcp-inspec', database: 'my-database', name: 'user-name', host: "example.com") do
+ it { should exist }
+ its('name') { should cmp 'user-name' }
+ its('instance') { should cmp 'my-database' }
+end
+
+describe google_sql_user(project: 'chef-gcp-inspec', database: 'my-database', name: "nonexistent", host: "example.com") do
+ it { should_not exist }
+end
+```
+
+## Properties
+
+Properties that can be accessed from the `google_sql_user` resource:
+
+
+ * `host`: The host name from which the user can connect. For insert operations, host defaults to an empty string. For update operations, host is specified as part of the request URL. The host name cannot be updated after insertion.
+
+ * `name`: The name of the user in the Cloud SQL instance.
+
+ * `instance`: The name of the Cloud SQL instance. This does not include the project ID.
+
+ * `password`: The password for the user.
+
+
+## GCP permissions
+
+Ensure the [Cloud SQL Admin API](https://console.cloud.google.com/apis/library/sqladmin.googleapis.com/) is enabled for the current project.
diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_sql_users.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_sql_users.md
new file mode 100644
index 0000000..708d71b
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_sql_users.md
@@ -0,0 +1,67 @@
++++
+title = "google_sql_users resource"
+
+draft = false
+
+
+[menu.gcp]
+title = "google_sql_users"
+identifier = "inspec/resources/gcp/google_sql_users resource"
+parent = "inspec/resources/gcp"
++++
+
+Use the `google_sql_users` InSpec audit resource to to test a Google Cloud User resource.
+
+## Examples
+
+```ruby
+describe google_sql_users(project: 'chef-gcp-inspec', database: 'my-database') do
+ its('user_names') { should include 'user-name' }
+end
+```
+
+### Test that there are no more than a specified number of users available for the project
+
+ describe google_sql_users(project: 'chef-inspec-gcp', database: 'database-instance') do
+ its('count') { should be <= 100}
+ end
+
+### Test that an expected user is available for the project
+
+ describe google_sql_users(project: 'chef-inspec-gcp') do
+ its('user_names') { should include "us-east1-b" }
+ end
+
+### Test whether any users are in status "DOWN"
+
+ describe google_sql_users(project: 'chef-inspec-gcp') do
+ its('user_statuses') { should_not include "DOWN" }
+ end
+
+### Test users exist for all database instances in a project
+
+ google_sql_database_instances(project: 'chef-inspec-gcp').instance_names.each do |instance_name|
+ describe google_sql_users(project: 'chef-inspec-gcp', database: instance_name) do
+ it { should exist }
+ end
+ end
+
+## Properties
+
+Properties that can be accessed from the `google_sql_users` resource:
+
+See [google_sql_user](google_sql_user) for more detailed information.
+
+ * `user_hosts`: an array of `google_sql_user` host
+ * `user_names`: an array of `google_sql_user` name
+ * `user_instances`: an array of `google_sql_user` instance
+ * `passwords`: an array of `google_sql_user` password
+
+## Filter criteria
+
+This resource supports all of the above properties as filter criteria, which can be used
+with `where` as a block or a method.
+
+## GCP permissions
+
+Ensure the [Cloud SQL Admin API](https://console.cloud.google.com/apis/library/sqladmin.googleapis.com/) is enabled for the current project.
diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_storage_bucket.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_storage_bucket.md
new file mode 100644
index 0000000..8fc00c3
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_storage_bucket.md
@@ -0,0 +1,229 @@ ++++ +title = "google_storage_bucket resource" + +draft = false + + +[menu.gcp] +title = "google_storage_bucket" +identifier = "inspec/resources/gcp/google_storage_bucket resource" +parent = "inspec/resources/gcp" ++++ + +Use the `google_storage_bucket` InSpec audit resource to to test a Google Cloud Bucket resource. + +## Examples + +```ruby +describe google_storage_bucket(name: bucket-name) do + it { should exist } + its('location') { should cmp 'europe-west2'.upcase } + + its('storage_class') { should eq "STANDARD" } + its('labels') { should include("key" => "value") } + its('retention_policy.retention_period') { should cmp 1000 } +end + +describe google_storage_bucket(name: "nonexistent") do + it { should_not exist } +end +``` + +### Test that a GCP storage bucket is in the expected location + + describe google_storage_bucket(name: 'chef-inspec-gcp-storage-bucket-abcd') do + its('location') { should eq "EUROPE-WEST2" } + end + +### Test that a GCP storage bucket has the expected project number + + describe google_storage_bucket(name: 'chef-inspec-gcp-storage-bucket-abcd') do + its('project_number') {should eq 12345678 } + end + +### Test that a GCP storage bucket has the expected storage class + + describe google_storage_bucket(name: 'chef-inspec-gcp-storage-bucket-abcd') do + its('storage_class') { should eq 'STANDARD' } + end + +## Properties + +Properties that can be accessed from the `google_storage_bucket` resource: + + + * `acl`: Access controls on the bucket. + + * `bucket`: The name of the bucket. + + * `domain`: The domain associated with the entity. + + * `email`: The email address associated with the entity. + + * `entity`: The entity holding the permission, in one of the following forms: user-userId user-email group-groupId group-email domain-domain project-team-projectId allUsers allAuthenticatedUsers Examples: The user liz@example.com would be user-liz@example.com. 
The group example@googlegroups.com would be group-example@googlegroups.com. To refer to all members of the Google Apps for Business domain example.com, the entity would be domain-example.com. + + * `entity_id`: The ID for the entity + + * `id`: The ID of the access-control entry. + + * `project_team`: The project team associated with the entity + + * `project_number`: The project team associated with the entity + + * `team`: The team. + Possible values: + * editors + * owners + * viewers + + * `role`: The access permission for the entity. + Possible values: + * OWNER + * READER + * WRITER + + * `cors`: The bucket's Cross-Origin Resource Sharing (CORS) configuration. + + * `max_age_seconds`: The value, in seconds, to return in the Access-Control-Max-Age header used in preflight responses. + + * `method`: The list of HTTP methods on which to include CORS response headers, (GET, OPTIONS, POST, etc) Note: "*" is permitted in the list of methods, and means "any method". + + * `origin`: The list of Origins eligible to receive CORS response headers. Note: "*" is permitted in the list of origins, and means "any Origin". + + * `response_header`: The list of HTTP headers other than the simple response headers to give permission for the user-agent to share across domains. + + * `default_event_based_hold`: Whether or not to automatically apply an eventBasedHold to new objects added to the bucket. + + * `default_object_acl`: Default access controls to apply to new objects when no ACL is provided. + + * `bucket`: The name of the bucket. + + * `domain`: The domain associated with the entity. + + * `email`: The email address associated with the entity. 
+ + * `entity`: The entity holding the permission, in one of the following forms: * user-{{userId}} * user-{{email}} (such as "user-liz@example.com") * group-{{groupId}} * group-{{email}} (such as "group-example@googlegroups.com") * domain-{{domain}} (such as "domain-example.com") * project-team-{{projectId}} * allUsers * allAuthenticatedUsers + + * `entity_id`: The ID for the entity + + * `generation`: The content generation of the object, if applied to an object. + + * `id`: The ID of the access-control entry. + + * `object`: The name of the object, if applied to an object. + + * `project_team`: The project team associated with the entity + + * `project_number`: The project team associated with the entity + + * `team`: The team. + Possible values: + * editors + * owners + * viewers + + * `role`: The access permission for the entity. + Possible values: + * OWNER + * READER + + * `id`: The ID of the bucket. For buckets, the id and name properities are the same. + + * `lifecycle`: The bucket's lifecycle configuration. See https://developers.google.com/storage/docs/lifecycle for more information. + + * `rule`: A lifecycle management rule, which is made of an action to take and the condition(s) under which the action will be taken. + + * `action`: The action to take. + + * `storage_class`: Target storage class. Required iff the type of the action is SetStorageClass. + + * `type`: Type of the action. Currently, only Delete and SetStorageClass are supported. + Possible values: + * Delete + * SetStorageClass + + * `condition`: The condition(s) under which the action will be taken. + + * `age_days`: Age of an object (in days). This condition is satisfied when an object reaches the specified age. + + * `created_before`: A date in RFC 3339 format with only the date part (for instance, "2013-01-15"). This condition is satisfied when an object is created before midnight of the specified date in UTC. + + * `is_live`: Relevant only for versioned objects. 
If the value is true, this condition matches live objects; if the value is false, it matches archived objects. + + * `matches_storage_class`: Objects having any of the storage classes specified by this condition will be matched. Values include MULTI_REGIONAL, REGIONAL, NEARLINE, COLDLINE, ARCHIVE, STANDARD, and DURABLE_REDUCED_AVAILABILITY. + + * `num_newer_versions`: Relevant only for versioned objects. If the value is N, this condition is satisfied when there are at least N versions (including the live version) newer than this version of the object. + + * `location`: The location of the bucket. Object data for objects in the bucket resides in physical storage within this region. Defaults to US. See the developer's guide for the authoritative list. + + * `logging`: The bucket's logging configuration, which defines the destination bucket and optional name prefix for the current bucket's logs. + + * `log_bucket`: The destination bucket where the current bucket's logs should be placed. + + * `log_object_prefix`: A prefix for log object names. + + * `metageneration`: The metadata generation of this bucket. + + * `name`: The name of the bucket + + * `owner`: The owner of the bucket. This is always the project team's owner group. + + * `entity`: The entity, in the form project-owner-projectId. + + * `entity_id`: The ID for the entity. + + * `project_number`: The project number of the project the bucket belongs to. + + * `storage_class`: The bucket's default storage class, used whenever no storageClass is specified for a newly-created object. This defines how objects in the bucket are stored and determines the SLA and the cost of storage. Values include MULTI_REGIONAL, REGIONAL, STANDARD, NEARLINE, COLDLINE, ARCHIVE, and DURABLE_REDUCED_AVAILABILITY. If this value is not specified when the bucket is created, it will default to STANDARD. For more information, see storage classes. 
+ Possible values: + * MULTI_REGIONAL + * REGIONAL + * STANDARD + * NEARLINE + * COLDLINE + * ARCHIVE + * DURABLE_REDUCED_AVAILABILITY + + * `time_created`: The creation time of the bucket in RFC 3339 format. + + * `updated`: The modification time of the bucket in RFC 3339 format. + + * `versioning`: The bucket's versioning configuration. + + * `enabled`: While set to true, versioning is fully enabled for this bucket. + + * `website`: The bucket's website configuration, controlling how the service behaves when accessing bucket contents as a web site. See the Static Website Examples for more information. + + * `main_page_suffix`: If the requested object path is missing, the service will ensure the path has a trailing '/', append this suffix, and attempt to retrieve the resulting object. This allows the creation of index.html objects to represent directory pages. + + * `not_found_page`: If the requested object path is missing, and any mainPageSuffix object is missing, if applicable, the service will return the named object from this bucket as the content for a 404 Not Found result. + + * `labels`: Labels applied to this bucket. A list of key->value pairs. + + * `encryption`: Encryption configuration for the bucket + + * `default_kms_key_name`: A Cloud KMS key that will be used to encrypt objects inserted into this bucket, if no encryption method is specified. + + * `retention_policy`: Retention policy for the bucket + + * `effective_time`: The time from which the retention policy was effective + + * `is_locked`: If the retention policy is locked. If true, the retention policy cannot be removed and the period cannot be reduced. + + * `retention_period`: The period of time, in seconds, that objects in the bucket must be retained and cannot be deleted, overwritten, or made noncurrent. + + * `project`: A valid API project identifier. + + * `predefined_default_object_acl`: Apply a predefined set of default object access controls to this bucket. 
Acceptable values are: - "authenticatedRead": Object owner gets OWNER access, and allAuthenticatedUsers get READER access. - "bucketOwnerFullControl": Object owner gets OWNER access, and project team owners get OWNER access. - "bucketOwnerRead": Object owner gets OWNER access, and project team owners get READER access. - "private": Object owner gets OWNER access. - "projectPrivate": Object owner gets OWNER access, and project team members get access according to their roles. - "publicRead": Object owner gets OWNER access, and allUsers get READER access. + Possible values: + * authenticatedRead + * bucketOwnerFullControl + * bucketOwnerRead + * private + * projectPrivate + * publicRead + + +## GCP permissions + +Ensure the [Google Cloud Storage](https://console.cloud.google.com/apis/library/storage-component.googleapis.com/) is enabled for the current project. diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_storage_bucket_acl.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_storage_bucket_acl.md new file mode 100644 index 0000000..51f41ae --- /dev/null +++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_storage_bucket_acl.md 
@@ -0,0 +1,77 @@ ++++ +title = "google_storage_bucket_acl resource" + +draft = false + + +[menu.gcp] +title = "google_storage_bucket_acl" +identifier = "inspec/resources/gcp/google_storage_bucket_acl resource" +parent = "inspec/resources/gcp" ++++ + +Use the `google_storage_bucket_acl` InSpec audit resource to to test a Google Cloud BucketACL resource. + +## Examples + +```ruby +describe google_storage_bucket_acl(bucket: 'storage-bucket-name', entity: user-email) do + it { should exist } + its('role') { should cmp "OWNER" } + + its('bucket') { should eq 'storage-bucket-name' } + its('email') { should include entity-email.com } +end + +describe google_storage_bucket_acl(bucket: 'storage-bucket-name', entity: "allUsers") do + it { should_not exist } +end +``` + +### Test that a GCP storage bucket ACL exists + + describe google_storage_bucket_acl(bucket: 'bucket-buvsjjcndqz', entity: 'user-object-viewer@spaterson-project.iam.gserviceaccount.com') do + it { should exist } + end + +### Test that a GCP storage bucket ACL has the expected role (READER, WRITER or OWNER) + + describe google_storage_bucket_acl(bucket: 'bucket-buvsjjcndqz', entity: 'user-object-viewer@spaterson-project.iam.gserviceaccount.com') do + its('role') { should eq 'OWNER' } + end + +## Properties + +Properties that can be accessed from the `google_storage_bucket_acl` resource: + + + * `domain`: The domain associated with the entity. + + * `email`: The email address associated with the entity. + + * `entity`: The entity holding the permission, in one of the following forms: user-userId user-email group-groupId group-email domain-domain project-team-projectId allUsers allAuthenticatedUsers Examples: The user liz@example.com would be user-liz@example.com. The group example@googlegroups.com would be group-example@googlegroups.com. To refer to all members of the Google Apps for Business domain example.com, the entity would be domain-example.com. 
+ + * `entity_id`: The ID for the entity + + * `id`: The ID of the access-control entry. + + * `project_team`: The project team associated with the entity + + * `project_number`: The project team associated with the entity + + * `team`: The team. + Possible values: + * editors + * owners + * viewers + + * `role`: The access permission for the entity. + Possible values: + * OWNER + * READER + * WRITER + + +## GCP permissions + +Ensure the [Google Cloud Storage](https://console.cloud.google.com/apis/library/storage-component.googleapis.com/) is enabled for the current project. diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_storage_bucket_iam_binding.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_storage_bucket_iam_binding.md new file mode 100644 index 0000000..2ca1718 --- /dev/null +++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_storage_bucket_iam_binding.md 
@@ -0,0 +1,38 @@ ++++ +title = "google_storage_bucket_iam_binding resource" + +draft = false + + +[menu.gcp] +title = "google_storage_bucket_iam_binding" +identifier = "inspec/resources/gcp/google_storage_bucket_iam_binding resource" +parent = "inspec/resources/gcp" ++++ + +## Syntax + +A `google_storage_bucket_iam_binding` is used to test a Google Bucket Iam Bindings + +## Examples + +```ruby +describe google_storage_bucket_iam_binding(bucket: "bucket", role: "roles/editor") do + it { should exist } + its('members') { should include 'user:testuser@example.com' } +end +``` + + +## Properties + +Properties that can be accessed from the `google_storage_bucket_iam_binding` resource: + + * `role`: Role that is assigned to members. For example, roles/viewer, roles/editor, or roles/owner. + + * `members`: Specifies the identities requesting access for a Cloud Platform resource. + + +## GCP permissions + +Ensure the [Google Cloud Storage](https://console.cloud.google.com/apis/library/storage-component.googleapis.com/) is enabled for the current project. diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_storage_bucket_iam_bindings.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_storage_bucket_iam_bindings.md new file mode 100644 index 0000000..ff03ccc --- /dev/null +++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_storage_bucket_iam_bindings.md @@ -0,0 +1,77 @@ ++++ +title = "google_storage_bucket_iam_bindings resource" + +draft = false + + +[menu.gcp] +title = "google_storage_bucket_iam_bindings" +identifier = "inspec/resources/gcp/google_storage_bucket_iam_bindings resource" +parent = "inspec/resources/gcp" ++++ + +# google\_storage\_bucket\_iam\_bindings + +**This resource is deprecated. Please use `google_storage_bucket_iam_policy` instead** + +Use the `google_storage_bucket_iam_bindings` InSpec audit resource to test properties of all, or a filtered group of, GCP storage bucket IAM bindings. + +
+ +## Syntax + +A `google_storage_bucket_iam_bindings` resource block collects GCP storage bucket IAM bindings then tests that group. + + describe google_storage_bucket_iam_bindings(bucket: 'bucket-buvsjjcndqz') do + it { should exist } + end + +Use this InSpec resource to enumerate roles then test in-depth using `google_project_iam_binding`. + + google_storage_bucket_iam_bindings(bucket: 'bucket-buvsjjcndqz').iam_binding_roles.each do |iam_binding_role| + describe google_storage_bucket_iam_binding(bucket: 'bucket-buvsjjcndqz', role: iam_binding_role) do + it { should exist } + its('members') {should include 'user:someuser@domain.com' } + end + end + +
+ +## Examples + +The following examples show how to use this InSpec audit resource. + +### Test that there are no more than a specified number of IAM bindings roles available for the bucket + + describe google_storage_bucket_iam_bindings(bucket: 'bucket-buvsjjcndqz') do + its('count') { should be <= 100} + end + +### Test that an expected role is available for the bucket + + describe google_storage_bucket_iam_bindings(bucket: 'bucket-buvsjjcndqz') do + its('iam_binding_roles') { should include "roles/storage.admin" } + end + +### Test that a particular role does not exist using filtering of the plural resource + + describe google_storage_bucket_iam_bindings(bucket: 'bucket-buvsjjcndqz').where(iam_binding_role: "roles/iam.securityReviewer") do + it { should_not exist } + end + +
+ +## Filter criteria + +This resource supports the following filter criteria: `iam_binding_role`. This may be used with `where`, as a block or as a method. + +## Properties + +* `iam_binding_roles` - an array of google_storage_bucket_iam_binding role strings e.g. `["roles/storage.admin", "roles/owner"]` + +
+ + +## GCP permissions + +Ensure the [Google Cloud Storage API](https://console.cloud.google.com/apis/api/storage-component.googleapis.com/) is enabled. \ No newline at end of file diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_storage_bucket_iam_policy.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_storage_bucket_iam_policy.md new file mode 100644 index 0000000..d0004c2 --- /dev/null +++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_storage_bucket_iam_policy.md 
@@ -0,0 +1,58 @@ ++++ +title = "google_storage_bucket_iam_policy resource" + +draft = false + + +[menu.gcp] +title = "google_storage_bucket_iam_policy" +identifier = "inspec/resources/gcp/google_storage_bucket_iam_policy resource" +parent = "inspec/resources/gcp" ++++ + +## Syntax + +A `google_storage_bucket_iam_policy` is used to test a Google Bucket Iam Policy resource. + +## Examples + +```ruby +describe google_storage_bucket_iam_policy(bucket: "bucket") do + it { should exist } +end + +google_storage_bucket_iam_policy(bucket: "bucket").bindings.each do |binding| + describe binding do + its('role') { should eq 'roles/editor'} + its('members') { should include 'user:testuser@example.com'} + end +end +``` + +## Properties + +Properties that can be accessed from the `google_storage_bucket_iam_policy` resource: + + * `iam_binding_roles`: The list of roles that exist on the policy. + + * `bindings`: Associates a list of members to a role. + + * `role`: Role that is assigned to members. For example, roles/viewer, roles/editor, or roles/owner. + + * `members`: Specifies the identities requesting access for a Cloud Platform resource. + + * `audit_configs`: Specifies cloud audit logging configuration for this policy. + + * `service`: Specifies a service that will be enabled for audit logging. For example, `storage.googleapis.com`, `cloudsql.googleapis.com`. `allServices` is a special value that covers all services. + + * `audit_log_configs`: The configuration for logging of each type of permission. + + * `log_type`: The log type that this config enables. For example, ADMIN_READ, DATA_WRITE or DATA_READ + + * `exempted_members`: Specifies the identities that do not cause logging for this type of permission. + + + +## GCP permissions + +Ensure the [Google Cloud Storage](https://console.cloud.google.com/apis/library/storage-component.googleapis.com/) is enabled for the current project. 
diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_storage_bucket_object.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_storage_bucket_object.md new file mode 100644 index 0000000..a30db0e --- /dev/null +++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_storage_bucket_object.md 
@@ -0,0 +1,105 @@ ++++ +title = "google_storage_bucket_object resource" + +draft = false + + +[menu.gcp] +title = "google_storage_bucket_object" +identifier = "inspec/resources/gcp/google_storage_bucket_object resource" +parent = "inspec/resources/gcp" ++++ + +Use the `google_storage_bucket_object` InSpec audit resource to to test a Google Cloud BucketObject resource. + +## Examples + +```ruby +describe google_storage_bucket_object(bucket: 'bucket-with-object', object: 'image1') do + it { should exist } + its('size.to_i') { should be > 0 } + + its('time_created') { should be > Time.now - 60*60*24*10 } + its('time_updated') { should be > Time.now - 60*60*24*10 } +end + +describe google_storage_bucket_object(bucket: 'bucket-with-object', object: "nonexistent") do + it { should_not exist } +end +``` + +### Test that a GCP compute zone exists + + describe google_storage_bucket_object(bucket: 'bucket-buvsjjcndqz', object: 'bucket-object-pmxbiikq') do + it { should exist } + end + +### Test that a GCP storage bucket object has non-zero size + + describe google_storage_bucket_object(bucket: 'bucket-buvsjjcndqz', object: 'bucket-object-pmxbiikq') do + its('size') { should be > 0 } + end + +### Test that a GCP storage bucket object has the expected content type + + describe google_storage_bucket_object(bucket: 'bucket-buvsjjcndqz', object: 'bucket-object-pmxbiikq') do + its('content_type') { should eq "text/plain; charset=utf-8" } + end + + +### Test that a GCP storage bucket object was created within a certain time period + + describe google_storage_bucket_object(bucket: 'bucket-buvsjjcndqz', object: 'bucket-object-pmxbiikq') do + its('time_created_date') { should be > Time.now - 365*60*60*24*10 } + end + + +### Test that a GCP storage bucket object was last updated within a certain time period + + describe google_storage_bucket_object(bucket: 'bucket-buvsjjcndqz', object: 'bucket-object-pmxbiikq') do + its('time_updated') { should be > Time.now - 365*60*60*24*10 } + end + 
+## Properties + +Properties that can be accessed from the `google_storage_bucket_object` resource: + + + * `bucket`: The name of the bucket. + + * `object`: The name of the object. + + * `content_type`: The Content-Type of the object data. See https://developer.mozilla.org/en-US/docs/Web/HTTP/Basics_of_HTTP/MIME_types/Complete_list_of_MIME_types for more information on possible Content-Types + + * `crc32c`: CRC32c checksum. + + * `etag`: The object entity tag. + + * `generation`: The content generation of this object. Used for object versioning. + + * `id`: The ID of the object, including the bucket name, object name, and generation number. + + * `md5_hash`: MD5 hash of the data; encoded using base64. + + * `media_link`: Media download link. + + * `metageneration`: The version of the metadata for this object at this generation. Used for preconditions and for detecting changes in metadata. A metageneration number is only meaningful in the context of a particular generation of a particular object. + + * `name`: The name of the object. + + * `size`: Content-Length of the data in bytes. + + * `storage_class`: Storage class of the object. + + * `time_created`: The time this object was created. + + * `time_deleted`: The time this object was deleted. Returned if and only if this version of the object is no longer a live version, but remains in the bucket as a noncurrent version. + + * `time_storage_class_updated`: The time at which the object's storage class was last changed. + + * `time_updated`: The modification time of the object metadata. + + +## GCP permissions + +Ensure the [Google Cloud Storage](https://console.cloud.google.com/apis/library/storage-component.googleapis.com/) is enabled for the current project. diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_storage_bucket_objects.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_storage_bucket_objects.md new file mode 100644 index 0000000..d35cff5 --- /dev/null 
+++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_storage_bucket_objects.md 
@@ -0,0 +1,80 @@ ++++ +title = "google_storage_bucket_objects resource" + +draft = false + + +[menu.gcp] +title = "google_storage_bucket_objects" +identifier = "inspec/resources/gcp/google_storage_bucket_objects resource" +parent = "inspec/resources/gcp" ++++ + +Use the `google_storage_bucket_objects` InSpec audit resource to to test a Google Cloud BucketObject resource. + +## Examples + +```ruby +describe google_storage_bucket_objects(bucket: 'bucket-with-object') do + its('object_names') { should include 'image1' } + its('count') { should be <= 10 } +end +``` + +### Test that there are no more than a specified number of storage buckets for the project + + describe google_storage_bucket_objects(bucket: 'bucket-name') do + its('count') { should be <= 100 } + end + + +### Test that an expected named bucket is available + + describe google_storage_bucket_objects(bucket: 'bucket-name') do + its('object_buckets'){ should include 'my_expected_bucket' } + end + +### Test that an expected named bucket is available + + describe google_storage_bucket_objects(bucket: 'bucket-name') do + its('object_names'){ should include 'my_expected_object' } + end + +### Test a filtered group of bucket objects created within the last 24hrs + + describe google_storage_bucket_objects(bucket: 'bucket-name').where(object_created_time > Time.now - 60*60*24) do + it { should exist } + end + +## Properties + +Properties that can be accessed from the `google_storage_bucket_objects` resource: + +See [google_storage_bucket_object](google_storage_bucket_object) for more detailed information. 
+ + * `object_buckets`: an array of `google_storage_bucket_object` bucket + * `objects`: an array of `google_storage_bucket_object` object + * `content_types`: an array of `google_storage_bucket_object` content_type + * `crc32cs`: an array of `google_storage_bucket_object` crc32c + * `etags`: an array of `google_storage_bucket_object` etag + * `generations`: an array of `google_storage_bucket_object` generation + * `ids`: an array of `google_storage_bucket_object` id + * `md5_hashes`: an array of `google_storage_bucket_object` md5_hash + * `media_links`: an array of `google_storage_bucket_object` media_link + * `metagenerations`: an array of `google_storage_bucket_object` metageneration + * `object_names`: an array of `google_storage_bucket_object` name + * `sizes`: an array of `google_storage_bucket_object` size + * `storage_classes`: an array of `google_storage_bucket_object` storage_class + * `object_created_times`: an array of `google_storage_bucket_object` time_created + * `time_deleteds`: an array of `google_storage_bucket_object` time_deleted + * `time_storage_class_updateds`: an array of `google_storage_bucket_object` time_storage_class_updated + * `time_updateds`: an array of `google_storage_bucket_object` time_updated + +## Filter criteria + +This resource supports all of the above properties as filter criteria, which can be used +with `where` as a block or a method. + +## GCP permissions + +Ensure the [Google Cloud Storage](https://console.cloud.google.com/apis/library/storage-component.googleapis.com/) is enabled for the current project. diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_storage_buckets.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_storage_buckets.md new file mode 100644 index 0000000..e4635e7 --- /dev/null +++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_storage_buckets.md 
@@ -0,0 +1,81 @@ ++++ +title = "google_storage_buckets resource" + +draft = false + + +[menu.gcp] +title = "google_storage_buckets" +identifier = "inspec/resources/gcp/google_storage_buckets resource" +parent = "inspec/resources/gcp" ++++ + +Use the `google_storage_buckets` InSpec audit resource to to test a Google Cloud Bucket resource. + +## Examples + +```ruby +describe google_storage_buckets(project: 'chef-gcp-inspec') do + its('bucket_names') { should include bucket-name } +end +``` + +### Test that there are no more than a specified number of storage buckets for the project + + describe google_storage_buckets(project: 'chef-inspec-gcp') do + its('count') { should be <= 100} + end + + +### Test that an expected named bucket is available + + describe google_storage_buckets do + its('bucket_names'){ should include "my_expected_bucket" } + end + +### Test that all buckets belong to the expected project number + + google_storage_buckets(project: 'chef-inspec-gcp').bucket_names.each do |bucket_name| + describe google_storage_bucket(name: bucket_name) do + it { should exist } + its('project_number'){ should eq 1122334455 } + end + end + +## Properties + +Properties that can be accessed from the `google_storage_buckets` resource: + +See [google_storage_bucket](google_storage_bucket) for more detailed information. 
+ + * `acls`: an array of `google_storage_bucket` acl + * `cors`: an array of `google_storage_bucket` cors + * `default_event_based_holds`: an array of `google_storage_bucket` default_event_based_hold + * `default_object_acls`: an array of `google_storage_bucket` default_object_acl + * `bucket_ids`: an array of `google_storage_bucket` id + * `lifecycles`: an array of `google_storage_bucket` lifecycle + * `bucket_locations`: an array of `google_storage_bucket` location + * `loggings`: an array of `google_storage_bucket` logging + * `metagenerations`: an array of `google_storage_bucket` metageneration + * `bucket_names`: an array of `google_storage_bucket` name + * `owners`: an array of `google_storage_bucket` owner + * `bucket_project_numbers`: an array of `google_storage_bucket` project_number + * `storage_classes`: an array of `google_storage_bucket` storage_class + * `time_createds`: an array of `google_storage_bucket` time_created + * `updateds`: an array of `google_storage_bucket` updated + * `versionings`: an array of `google_storage_bucket` versioning + * `websites`: an array of `google_storage_bucket` website + * `labels`: an array of `google_storage_bucket` labels + * `encryptions`: an array of `google_storage_bucket` encryption + * `retention_policies`: an array of `google_storage_bucket` retention_policy + * `projects`: an array of `google_storage_bucket` project + * `predefined_default_object_acls`: an array of `google_storage_bucket` predefined_default_object_acl + +## Filter criteria + +This resource supports all of the above properties as filter criteria, which can be used +with `where` as a block or a method. + +## GCP permissions + +Ensure the [Google Cloud Storage](https://console.cloud.google.com/apis/library/storage-component.googleapis.com/) is enabled for the current project. 
diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_storage_default_object_acl.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_storage_default_object_acl.md new file mode 100644 index 0000000..3c23f50 --- /dev/null +++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_storage_default_object_acl.md 
@@ -0,0 +1,80 @@
++++
+title = "google_storage_default_object_acl resource"
+
+draft = false
+
+
+[menu.gcp]
+title = "google_storage_default_object_acl"
+identifier = "inspec/resources/gcp/google_storage_default_object_acl resource"
+parent = "inspec/resources/gcp"
++++
+
+Use the `google_storage_default_object_acl` InSpec audit resource to to test a Google Cloud DefaultObjectACL resource.
+
+## Examples
+
+```ruby
+describe google_storage_default_object_acl(bucket: 'gcp-inspec-storage-bucket', entity: user-email) do
+ it { should exist }
+ its('role') { should cmp "OWNER" }
+
+ its('bucket') { should eq 'gcp-inspec-storage-bucket' }
+ its('email') { should include entity-email.com }
+end
+
+describe google_storage_default_object_acl(bucket: 'gcp-inspec-storage-bucket', entity: "allUsers") do
+ it { should_not exist }
+end
+```
+
+### Test that a GCP storage bucket ACL exists
+
+ describe google_storage_default_object_acl(bucket: 'bucket-buvsjjcndqz', entity: 'user-object-viewer@spaterson-project.iam.gserviceaccount.com') do
+ it { should exist }
+ end
+
+### Test that a GCP storage default object ACL has the expected role (READER, WRITER or OWNER)
+
+ describe google_storage_default_object_acl(bucket: 'bucket-buvsjjcndqz', entity: 'user-object-viewer@spaterson-project.iam.gserviceaccount.com') do
+ its('role') { should eq 'OWNER' }
+ end
+
+## Properties
+
+Properties that can be accessed from the `google_storage_default_object_acl` resource:
+
+
+ * `domain`: The domain associated with the entity.
+
+ * `email`: The email address associated with the entity.
+
+ * `entity`: The entity holding the permission, in one of the following forms: * user-{{userId}} * user-{{email}} (such as "user-liz@example.com") * group-{{groupId}} * group-{{email}} (such as "group-example@googlegroups.com") * domain-{{domain}} (such as "domain-example.com") * project-team-{{projectId}} * allUsers * allAuthenticatedUsers
+
+ * `entity_id`: The ID for the entity
+
+ * `generation`: The content generation of the object, if applied to an object.
+
+ * `id`: The ID of the access-control entry.
+
+ * `object`: The name of the object, if applied to an object.
+
+ * `project_team`: The project team associated with the entity
+
+ * `project_number`: The project team associated with the entity
+
+ * `team`: The team.
+ Possible values:
+ * editors
+ * owners
+ * viewers
+
+ * `role`: The access permission for the entity.
+ Possible values:
+ * OWNER
+ * READER
+
+
+## GCP permissions
+
+Ensure the [Google Cloud Storage](https://console.cloud.google.com/apis/library/storage-component.googleapis.com/) is enabled for the current project.
diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_storage_object_acl.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_storage_object_acl.md
new file mode 100644
index 0000000..fef58b5
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_storage_object_acl.md
@@ -0,0 +1,80 @@
++++
+title = "google_storage_object_acl resource"
+
+draft = false
+
+
+[menu.gcp]
+title = "google_storage_object_acl"
+identifier = "inspec/resources/gcp/google_storage_object_acl resource"
+parent = "inspec/resources/gcp"
++++
+
+Use the `google_storage_object_acl` InSpec audit resource to to test a Google Cloud ObjectACL resource.
+
+## Examples
+
+```ruby
+describe google_storage_object_acl(bucket: 'bucket-with-object', object: 'image1', entity: user-email) do
+ it { should exist }
+ its('role') { should cmp "OWNER" }
+
+ its('bucket') { should eq 'bucket-with-object' }
+ its('email') { should include entity-email.com }
+end
+
+describe google_storage_object_acl(bucket: 'bucket-with-object', object: 'image1', entity: "allUsers") do
+ it { should_not exist }
+end
+```
+
+### Test that a GCP storage bucket ACL exists
+
+ describe google_storage_object_acl(bucket: 'bucket-buvsjjcndqz', object: 'bucket-object-pmxbiikq', entity: 'user-object-viewer@spaterson-project.iam.gserviceaccount.com') do
+ it { should exist }
+ end
+
+### Test that a GCP storage object ACL has the expected role (READER, WRITER or OWNER)
+
+ describe google_storage_object_acl(bucket: 'bucket-buvsjjcndqz', object: 'bucket-object-pmxbiikq', entity: 'user-object-viewer@spaterson-project.iam.gserviceaccount.com') do
+ its('role') { should eq 'OWNER' }
+ end
+
+## Properties
+
+Properties that can be accessed from the `google_storage_object_acl` resource:
+
+
+ * `domain`: The domain associated with the entity.
+
+ * `email`: The email address associated with the entity.
+
+ * `entity`: The entity holding the permission, in one of the following forms: * user-{{userId}} * user-{{email}} (such as "user-liz@example.com") * group-{{groupId}} * group-{{email}} (such as "group-example@googlegroups.com") * domain-{{domain}} (such as "domain-example.com") * project-team-{{projectId}} * allUsers * allAuthenticatedUsers
+
+ * `entity_id`: The ID for the entity
+
+ * `generation`: The content generation of the object, if applied to an object.
+
+ * `id`: The ID of the access-control entry.
+
+ * `object`: The name of the object, if applied to an object.
+
+ * `project_team`: The project team associated with the entity
+
+ * `project_number`: The project team associated with the entity
+
+ * `team`: The team.
+ Possible values:
+ * editors
+ * owners
+ * viewers
+
+ * `role`: The access permission for the entity.
+ Possible values:
+ * OWNER
+ * READER
+
+
+## GCP permissions
+
+Ensure the [Google Cloud Storage](https://console.cloud.google.com/apis/library/storage-component.googleapis.com/) is enabled for the current project.
diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_user.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_user.md
new file mode 100644
index 0000000..c0492e5
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_user.md
@@ -0,0 +1,68 @@
++++
+title = "google_user resource"
+
+draft = false
+
+
+[menu.gcp]
+title = "google_user"
+identifier = "inspec/resources/gcp/google_user resource"
+parent = "inspec/resources/gcp"
++++
+
+# google\_user
+
+Use the `google_user` InSpec audit resource to test properties of a single GCP user.
+
+
+## Syntax
+
+A `google_user` resource block declares the tests for a single GCP user by principal email address or immutable ID.
+
+ describe google_user(user_key: 'principal_email_address@domain.com') do
+ it { should exist }
+ end
+
+
+
+## Examples
+
+The following examples show how to use this InSpec audit resource.
+
+### Test that a GCP user with specified ID exists
+
+ describe google_user(user_key: '110491234567894702010') do
+ it { should exist }
+ end
+
+### Test that a GCP user has expected full name
+
+ describe google_user(user_key: '110491234567894702010') do
+ its('name.full_name') { should eq "Bill S. Preston Esq." }
+ end
+
+### Test that a GCP user has MFA enabled
+
+ describe google_user(user_key: 'theodore_ted_logan@excellentadventure.com') do
+ it { should have_mfa_enabled }
+ end
+
+### Test that a GCP user is suspended or not
+
+ describe google_user(user_key: 'theodore_ted_logan@excellentadventure.com') do
+ it { should_not be_suspended }
+ end
+
+
+
+## Properties
+
+* `agreed_to_terms`, `archived`, `change_password_at_next_login`, `creation_time`, `customer_id`, `emails`, `etag`, `id`, `include_in_global_address_list`, `ip_whitelisted`, `is_admin`, `is_delegated_admin`, `is_enforced_in2_sv`, `is_enrolled_in2_sv`, `is_mailbox_setup`, `kind`, `last_login_time`, `name`, `non_editable_aliases`, `org_unit_path`, `primary_email`, `suspended`
+
+
+
+
+## GCP permissions
+
+Ensure the G Suite Admin SDK [Directory API](https://developers.google.com/admin-sdk/directory/) is enabled and you have sufficient privileges to list users.
\ No newline at end of file
diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_users.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_users.md
new file mode 100644
index 0000000..dd6536b
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_users.md
@@ -0,0 +1,85 @@
++++
+title = "google_users resource"
+
+draft = false
+
+
+[menu.gcp]
+title = "google_users"
+identifier = "inspec/resources/gcp/google_users resource"
+parent = "inspec/resources/gcp"
++++
+
+# google\_users
+
+Use the `google_users` InSpec audit resource to test properties of all, or a filtered group of, GCP users.
+
+
+
+## Syntax
+
+A `google_users` resource block collects GCP users for the specified customer. As documented [here](https://developers.google.com/admin-sdk/directory/v1/reference/users/list), this defaults to the `my_customer` alias to represent your account's `customerId`.
+
+ describe google_users(customer: 'my_customer') do
+ it { should exist }
+ end
+
+The `domain` argument can optionally be provided to get fields from only one domain. Either the customer or the domain parameter must be provided.
+
+ describe google_users(domain: 'my_domain.com') do
+ it { should exist }
+ end
+
+Use this InSpec resource to enumerate IDs then test in-depth using `google_user`.
+
+ google_users(customer: 'my_customer').user_ids.each do |user_id|
+ describe google_user(user_key: user_id) do
+ it { should exist }
+ it { should_not be_suspended }
+ end
+ end
+
+
+
+## Examples
+
+The following examples show how to use this InSpec audit resource.
+
+### Test that there are no more than a specified number of users available for the project
+
+ describe google_users(customer: 'my_customer') do
+ its('count') { should be <= 100}
+ end
+
+### Test that an expected user is available for the project
+
+ describe google_users(customer: 'my_customer') do
+ its('user_names') { should include "Monsieur Happy" }
+ end
+
+### Test that a subset of all users with name matching "Batman" exists
+
+ google_users(customer: 'my_customer').where(user_full_name: /Batman/).user_ids.each do |user_id|
+ describe google_user(user_key: user_id) do
+ it { should exist }
+ end
+ end
+
+
+
+## Filter criteria
+
+This resource supports the following filter criteria: `user_id`; `user_full_name` and `user_email`. Any of these may be used with `where`, as a block or as a method.
+
+## Properties
+
+* `user_ids` - an array of google_user identifier integers
+* `user_full_names` - an array of google_user full name strings
+* `user_emails`- an array of google_user primary email address strings
+
+
+
+
+## GCP permissions
+
+Ensure the G Suite Admin SDK [Directory API](https://developers.google.com/admin-sdk/directory/) is enabled and you have sufficient privileges to list users.
\ No newline at end of file
diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_vertex_ai_batch_prediction_job.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_vertex_ai_batch_prediction_job.md
new file mode 100644
index 0000000..92ecebc
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_vertex_ai_batch_prediction_job.md
@@ -0,0 +1,314 @@ ++++ +title = "google_vertex_ai_batch_prediction_job resource" + +draft = false + + +[menu.gcp] +title = "google_vertex_ai_batch_prediction_job" +identifier = "inspec/resources/gcp/google_vertex_ai_batch_prediction_job resource" +parent = "inspec/resources/gcp" ++++ + +Use the `google_vertex_ai_batch_prediction_job` InSpec audit resource to to test a Google Cloud BatchPredictionJob resource. + +## Examples + +```ruby + describe google_vertex_ai_batch_prediction_job(name: ' value_name', region: ' value_region') do + it { should exist } + end +``` + +## Properties + +Properties that can be accessed from the `google_vertex_ai_batch_prediction_job` resource: + + + * `create_time`: Output only. Time when the BatchPredictionJob was created. + + * `model_parameters`: The parameters that govern the predictions. The schema of the parameters may be specified via the Model's PredictSchemata's parameters_schema_uri. + + * `instance_config`: Configuration defining how to transform batch prediction input instances to the instances that the Model accepts. + + * `included_fields`: Fields that will be included in the prediction instance that is sent to the Model. If instance_type is `array`, the order of field names in included_fields also determines the order of the values in the array. When included_fields is populated, excluded_fields must be empty. The input must be JSONL with objects at each line, CSV, BigQuery or TfRecord. + + * `instance_type`: The format of the instance that the Model accepts. Vertex AI will convert compatible batch prediction input instance formats to the specified format. Supported values are: * `object`: Each input is converted to JSON object format. * For `bigquery`, each row is converted to an object. * For `jsonl`, each line of the JSONL input must be an object. * Does not apply to `csv`, `file-list`, `tf-record`, or `tf-record-gzip`. * `array`: Each input is converted to JSON array format. 
* For `bigquery`, each row is converted to an array. The order of columns is determined by the BigQuery column order, unless included_fields is populated. included_fields must be populated for specifying field orders. * For `jsonl`, if each line of the JSONL input is an object, included_fields must be populated for specifying field orders. * Does not apply to `csv`, `file-list`, `tf-record`, or `tf-record-gzip`. If not specified, Vertex AI converts the batch prediction input as follows: * For `bigquery` and `csv`, the behavior is the same as `array`. The order of columns is the same as defined in the file or table, unless included_fields is populated. * For `jsonl`, the prediction instance format is determined by each line of the input. * For `tf-record`/`tf-record-gzip`, each record will be converted to an object in the format of `{"b64": }`, where `` is the Base64-encoded string of the content of the record. * For `file-list`, each file in the list will be converted to an object in the format of `{"b64": }`, where `` is the Base64-encoded string of the content of the file. + + * `excluded_fields`: Fields that will be excluded in the prediction instance that is sent to the Model. Excluded will be attached to the batch prediction output if key_field is not specified. When excluded_fields is populated, included_fields must be empty. The input must be JSONL with objects at each line, CSV, BigQuery or TfRecord. + + * `key_field`: The name of the field that is considered as a key. The values identified by the key field is not included in the transformed instances that is sent to the Model. This is similar to specifying this name of the field in excluded_fields. In addition, the batch prediction output will not include the instances. Instead the output will only include the value of the key field, in a field named `key` in the output: * For `jsonl` output format, the output will have a `key` field instead of the `instance` field. 
* For `csv`/`bigquery` output format, the output will have have a `key` column instead of the instance feature columns. The input must be JSONL with objects at each line, CSV, BigQuery or TfRecord. + + * `model_version_id`: Output only. The version ID of the Model that produces the predictions via this job. + + * `dedicated_resources`: A description of resources that are used for performing batch operations, are dedicated to a Model, and need manual configuration. + + * `starting_replica_count`: Immutable. The number of machine replicas used at the start of the batch operation. If not set, Vertex AI decides starting number, not greater than max_replica_count + + * `max_replica_count`: Immutable. The maximum number of machine replicas the batch operation may be scaled to. The default value is 10. + + * `machine_spec`: Specification of a single machine. + + * `accelerator_type`: Immutable. The type of accelerator(s) that may be attached to the machine as per accelerator_count. + Possible values: + * ACCELERATOR_TYPE_UNSPECIFIED + * NVIDIA_TESLA_K80 + * NVIDIA_TESLA_P100 + * NVIDIA_TESLA_V100 + * NVIDIA_TESLA_P4 + * NVIDIA_TESLA_T4 + * NVIDIA_TESLA_A100 + * NVIDIA_A100_80GB + * NVIDIA_L4 + * TPU_V2 + * TPU_V3 + * TPU_V4_POD + + * `machine_type`: Immutable. The type of the machine. See the [list of machine types supported for prediction](https://cloud.google.com/vertex-ai/docs/predictions/configure-compute#machine-types) See the [list of machine types supported for custom training](https://cloud.google.com/vertex-ai/docs/training/configure-compute#machine-types). For DeployedModel this field is optional, and the default value is `n1-standard-2`. For BatchPredictionJob or as part of WorkerPoolSpec this field is required. + + * `accelerator_count`: The number of accelerators to attach to the machine. + + * `output_info`: Further describes this job's output. Supplements output_config. + + * `bigquery_output_dataset`: Output only. 
The path of the BigQuery dataset created, in `bq://projectId.bqDatasetId` format, into which the prediction output is written. + + * `gcs_output_directory`: Output only. The full path of the Cloud Storage directory created, into which the prediction output is written. + + * `bigquery_output_table`: Output only. The name of the BigQuery table created, in `predictions_` format, into which the prediction output is written. Can be used by UI to generate the BigQuery output path, for example. + + * `disable_container_logging`: For custom-trained Models and AutoML Tabular Models, the container of the DeployedModel instances will send `stderr` and `stdout` streams to Cloud Logging by default. Please note that the logs incur cost, which are subject to [Cloud Logging pricing](https://cloud.google.com/logging/pricing). User can disable container logging by setting this flag to true. + + * `explanation_spec`: Specification of Model explanation. + + * `parameters`: Parameters to configure explaining for Model's predictions. + + * `output_indices`: If populated, only returns attributions that have output_index contained in output_indices. It must be an ndarray of integers, with the same shape of the output it's explaining. If not populated, returns attributions for top_k indices of outputs. If neither top_k nor output_indices is populated, returns the argmax index of the outputs. Only applicable to Models that predict multiple outputs (e,g, multi-class Models that predict multiple classes). + + * `examples`: Example-based explainability that returns the nearest neighbors from the provided dataset. + + * `presets`: Preset configuration for example-based explanations + + * `modality`: The modality of the uploaded model, which automatically configures the distance measurement and feature normalization for the underlying example index and queries. If your model does not precisely fit one of these types, it is okay to choose the closest type. 
+ Possible values: + * MODALITY_UNSPECIFIED + * IMAGE + * TEXT + * TABULAR + + * `query`: Preset option controlling parameters for speed-precision trade-off when querying for examples. If omitted, defaults to `PRECISE`. + Possible values: + * PRECISE + * FAST + + * `neighbor_count`: The number of neighbors to return when querying for examples. + + * `example_gcs_source`: The Cloud Storage input instances. + + * `gcs_source`: The Google Cloud Storage location for the input content. + + * `uris`: Required. Google Cloud Storage URI(-s) to the input file(s). May contain wildcards. For more information on wildcards, see https://cloud.google.com/storage/docs/gsutil/addlhelp/WildcardNames. + + * `data_format`: The format in which instances are given, if not specified, assume it's JSONL format. Currently only JSONL format is supported. + Possible values: + * DATA_FORMAT_UNSPECIFIED + * JSONL + + * `nearest_neighbor_search_config`: The full configuration for the generated index, the semantics are the same as metadata and should match [NearestNeighborSearchConfig](https://cloud.google.com/vertex-ai/docs/explainable-ai/configuring-explanations-example-based#nearest-neighbor-search-config). + + * `xrai_attribution`: An explanation method that redistributes Integrated Gradients attributions to segmented regions, taking advantage of the model's fully differentiable structure. Refer to this paper for more details: https://arxiv.org/abs/1906.02825 Supported only by image Models. + + * `smooth_grad_config`: Config for SmoothGrad approximation of gradients. When enabled, the gradients are approximated by averaging the gradients from noisy samples in the vicinity of the inputs. Adding noise can help improve the computed gradients. Refer to this paper for more details: https://arxiv.org/pdf/1706.03825.pdf + + * `feature_noise_sigma`: Noise sigma by features. 
Noise sigma represents the standard deviation of the gaussian kernel that will be used to add noise to interpolated inputs prior to computing gradients. + + * `noise_sigma`: Noise sigma per feature. No noise is added to features that are not set. + + * `name`: The name of the input feature for which noise sigma is provided. The features are defined in explanation metadata inputs. + + * `sigma`: This represents the standard deviation of the Gaussian kernel that will be used to add noise to the feature prior to computing gradients. Similar to noise_sigma but represents the noise added to the current feature. Defaults to 0.1. + + * `noise_sigma`: This is a single float value and will be used to add noise to all the features. Use this field when all features are normalized to have the same distribution: scale to range [0, 1], [-1, 1] or z-scoring, where features are normalized to have 0-mean and 1-variance. Learn more about [normalization](https://developers.google.com/machine-learning/data-prep/transform/normalization). For best results the recommended value is about 10% - 20% of the standard deviation of the input feature. Refer to section 3.2 of the SmoothGrad paper: https://arxiv.org/pdf/1706.03825.pdf. Defaults to 0.1. If the distribution is different per feature, set feature_noise_sigma instead for each feature. + + * `noisy_sample_count`: The number of gradient samples to use for approximation. The higher this number, the more accurate the gradient is, but the runtime complexity increases by this factor as well. Valid range of its value is [1, 50]. Defaults to 3. + + * `step_count`: Required. The number of steps for approximating the path integral. A good value to start is 50 and gradually increase until the sum to diff property is met within the desired error range. Valid range of its value is [1, 100], inclusively. + + * `blur_baseline_config`: Config for blur baseline. When enabled, a linear path from the maximally blurred image to the input image is created. 
Using a blurred baseline instead of zero (black image) is motivated by the BlurIG approach explained here: https://arxiv.org/abs/2004.03383 + + * `max_blur_sigma`: The standard deviation of the blur kernel for the blurred baseline. The same blurring parameter is used for both the height and the width dimension. If not set, the method defaults to the zero (i.e. black for images) baseline. + + * `top_k`: If populated, returns attributions for top K indices of outputs (defaults to 1). Only applies to Models that predicts more than one outputs (e,g, multi-class Models). When set to -1, returns explanations for all outputs. + + * `integrated_gradients_attribution`: An attribution method that computes the Aumann-Shapley value taking advantage of the model's fully differentiable structure. Refer to this paper for more details: https://arxiv.org/abs/1703.01365 + + * `step_count`: Required. The number of steps for approximating the path integral. A good value to start is 50 and gradually increase until the sum to diff property is within the desired error range. Valid range of its value is [1, 100], inclusively. + + * `smooth_grad_config`: Config for SmoothGrad approximation of gradients. When enabled, the gradients are approximated by averaging the gradients from noisy samples in the vicinity of the inputs. Adding noise can help improve the computed gradients. Refer to this paper for more details: https://arxiv.org/pdf/1706.03825.pdf + + * `feature_noise_sigma`: Noise sigma by features. Noise sigma represents the standard deviation of the gaussian kernel that will be used to add noise to interpolated inputs prior to computing gradients. + + * `noise_sigma`: Noise sigma per feature. No noise is added to features that are not set. + + * `name`: The name of the input feature for which noise sigma is provided. The features are defined in explanation metadata inputs. 
+ + * `sigma`: This represents the standard deviation of the Gaussian kernel that will be used to add noise to the feature prior to computing gradients. Similar to noise_sigma but represents the noise added to the current feature. Defaults to 0.1. + + * `noise_sigma`: This is a single float value and will be used to add noise to all the features. Use this field when all features are normalized to have the same distribution: scale to range [0, 1], [-1, 1] or z-scoring, where features are normalized to have 0-mean and 1-variance. Learn more about [normalization](https://developers.google.com/machine-learning/data-prep/transform/normalization). For best results the recommended value is about 10% - 20% of the standard deviation of the input feature. Refer to section 3.2 of the SmoothGrad paper: https://arxiv.org/pdf/1706.03825.pdf. Defaults to 0.1. If the distribution is different per feature, set feature_noise_sigma instead for each feature. + + * `noisy_sample_count`: The number of gradient samples to use for approximation. The higher this number, the more accurate the gradient is, but the runtime complexity increases by this factor as well. Valid range of its value is [1, 50]. Defaults to 3. + + * `blur_baseline_config`: Config for blur baseline. When enabled, a linear path from the maximally blurred image to the input image is created. Using a blurred baseline instead of zero (black image) is motivated by the BlurIG approach explained here: https://arxiv.org/abs/2004.03383 + + * `max_blur_sigma`: The standard deviation of the blur kernel for the blurred baseline. The same blurring parameter is used for both the height and the width dimension. If not set, the method defaults to the zero (i.e. black for images) baseline. + + * `sampled_shapley_attribution`: An attribution method that approximates Shapley values for features that contribute to the label being predicted. 
A sampling strategy is used to approximate the value rather than considering all subsets of features. + + * `path_count`: Required. The number of feature permutations to consider when approximating the Shapley values. Valid range of its value is [1, 50], inclusively. + + * `metadata`: Metadata describing the Model's input and output for explanation. + + * `feature_attributions_schema_uri`: Points to a YAML file stored on Google Cloud Storage describing the format of the feature attributions. The schema is defined as an OpenAPI 3.0.2 [Schema Object](https://github.com/OAI/OpenAPI-Specification/blob/main/versions/3.0.2.md#schemaObject). AutoML tabular Models always have this field populated by Vertex AI. Note: The URI given on output may be different, including the URI scheme, than the one given on input. The output URI will point to a location where the user only has a read access. + + * `latent_space_source`: Name of the source to generate embeddings for example based explanations. + + * `outputs`: Required. Map from output names to output metadata. For Vertex AI-provided Tensorflow images, keys can be any user defined string that consists of any UTF-8 characters. For custom images, keys are the name of the output field in the prediction to be explained. Currently only one key is allowed. + + * `additional_properties`: Metadata of the prediction output to be explained. + + * `inputs`: Required. Map from feature names to feature input metadata. Keys are the name of the features. Values are the specification of the feature. An empty InputMetadata is valid. It describes a text feature which has the name specified as the key in ExplanationMetadata.inputs. The baseline of the empty feature is chosen by Vertex AI. For Vertex AI-provided Tensorflow images, the key can be any friendly name of the feature. Once specified, featureAttributions are keyed by this key (if not grouped with another feature). For custom images, the key must match with the key in instance. 
+
+ * `additional_properties`: Metadata of the input of a feature. Fields other than InputMetadata.input_baselines are applicable only for Models that are using Vertex AI-provided images for Tensorflow.
+
+ * `end_time`: Output only. Time when the BatchPredictionJob entered any of the following states: `JOB_STATE_SUCCEEDED`, `JOB_STATE_FAILED`, `JOB_STATE_CANCELLED`.
+
+ * `generate_explanation`: Generate explanation with the batch prediction results. When set to `true`, the batch prediction output changes based on the `predictions_format` field of the BatchPredictionJob.output_config object: * `bigquery`: output includes a column named `explanation`. The value is a struct that conforms to the Explanation object. * `jsonl`: The JSON objects on each line include an additional entry keyed `explanation`. The value of the entry is a JSON object that conforms to the Explanation object. * `csv`: Generating explanations for CSV format is not supported. If this field is set to true, either the Model.explanation_spec or explanation_spec must be populated.
+
+ * `resources_consumed`: Statistics information about resource consumption.
+
+ * `replica_hours`: Output only. The number of replica hours used. Note that many replicas may run in parallel, and additionally any given work may be queued for some time. Therefore this value is not strictly related to wall time.
+
+ * `error`: The `Status` type defines a logical error model that is suitable for different programming environments, including REST APIs and RPC APIs. It is used by [gRPC](https://github.com/grpc). Each `Status` message contains three pieces of data: error code, error message, and error details. You can find out more about this error model and how to work with it in the [API Design Guide](https://cloud.google.com/apis/design/errors).
+
+ * `details`: A list of messages that carry the error details. There is a common set of message types for APIs to use.
+
+ * `code`: The status code, which should be an enum value of google.rpc.Code.
+
+ * `message`: A developer-facing error message, which should be in English. Any user-facing error message should be localized and sent in the google.rpc.Status.details field, or localized by the client.
+
+ * `input_config`: Configures the input to BatchPredictionJob. See Model.supported_input_storage_formats for Model's supported input formats, and how instances should be expressed via any of them.
+
+ * `instances_format`: Required. The format in which instances are given, must be one of the Model's supported_input_storage_formats.
+
+ * `bigquery_source`: The BigQuery location for the input content.
+
+ * `input_uri`: Required. BigQuery URI to a table, up to 2000 characters long. Accepted forms: * BigQuery path. For example: `bq://projectId.bqDatasetId.bqTableId`.
+
+ * `gcs_source`: The Google Cloud Storage location for the input content.
+
+ * `uris`: Required. Google Cloud Storage URI(-s) to the input file(s). May contain wildcards. For more information on wildcards, see https://cloud.google.com/storage/docs/gsutil/addlhelp/WildcardNames.
+
+ * `unmanaged_container_model`: Contains model information necessary to perform batch prediction without requiring a full model import.
+
+ * `artifact_uri`: The path to the directory containing the Model artifact and any of its supporting files.
+
+ * `predict_schemata`: Contains the schemata used in Model's predictions and explanations via PredictionService.Predict, PredictionService.Explain and BatchPredictionJob.
+
+ * `instance_schema_uri`: Immutable. Points to a YAML file stored on Google Cloud Storage describing the format of a single instance, which are used in PredictRequest.instances, ExplainRequest.instances and BatchPredictionJob.input_config. The schema is defined as an OpenAPI 3.0.2 [Schema Object](https://github.com/OAI/OpenAPI-Specification/blob/main/versions/3.0.2.md#schemaObject). AutoML Models always have this field populated by Vertex AI. Note: The URI given on output will be immutable and probably different, including the URI scheme, than the one given on input. The output URI will point to a location where the user only has a read access.
+
+ * `parameters_schema_uri`: Immutable. Points to a YAML file stored on Google Cloud Storage describing the parameters of prediction and explanation via PredictRequest.parameters, ExplainRequest.parameters and BatchPredictionJob.model_parameters. The schema is defined as an OpenAPI 3.0.2 [Schema Object](https://github.com/OAI/OpenAPI-Specification/blob/main/versions/3.0.2.md#schemaObject). AutoML Models always have this field populated by Vertex AI, if no parameters are supported, then it is set to an empty string. Note: The URI given on output will be immutable and probably different, including the URI scheme, than the one given on input. The output URI will point to a location where the user only has a read access.
+
+ * `prediction_schema_uri`: Immutable. Points to a YAML file stored on Google Cloud Storage describing the format of a single prediction produced by this Model, which are returned via PredictResponse.predictions, ExplainResponse.explanations, and BatchPredictionJob.output_config. The schema is defined as an OpenAPI 3.0.2 [Schema Object](https://github.com/OAI/OpenAPI-Specification/blob/main/versions/3.0.2.md#schemaObject). AutoML Models always have this field populated by Vertex AI. Note: The URI given on output will be immutable and probably different, including the URI scheme, than the one given on input. The output URI will point to a location where the user only has a read access.
+
+ * `container_spec`: Specification of a container for serving predictions. Some fields in this message correspond to fields in the [Kubernetes Container v1 core specification](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.23/#container-v1-core).
+
+ * `predict_route`: Immutable. HTTP path on the container to send prediction requests to. Vertex AI forwards requests sent using projects.locations.endpoints.predict to this path on the container's IP address and port. Vertex AI then returns the container's response in the API response. For example, if you set this field to `/foo`, then when Vertex AI receives a prediction request, it forwards the request body in a POST request to the `/foo` path on the port of your container specified by the first value of this `ModelContainerSpec`'s ports field. If you don't specify this field, it defaults to the following value when you deploy this Model to an Endpoint: /v1/endpoints/ENDPOINT/deployedModels/DEPLOYED_MODEL:predict The placeholders in this value are replaced as follows: * ENDPOINT: The last segment (following `endpoints/`)of the Endpoint.name][] field of the Endpoint where this Model has been deployed. (Vertex AI makes this value available to your container code as the [`AIP_ENDPOINT_ID` environment variable](https://cloud.google.com/vertex-ai/docs/predictions/custom-container-requirements#aip-variables).) * DEPLOYED_MODEL: DeployedModel.id of the `DeployedModel`. (Vertex AI makes this value available to your container code as the [`AIP_DEPLOYED_MODEL_ID` environment variable](https://cloud.google.com/vertex-ai/docs/predictions/custom-container-requirements#aip-variables).)
+
+ * `image_uri`: Required. Immutable. URI of the Docker image to be used as the custom container for serving predictions. This URI must identify an image in Artifact Registry or Container Registry. Learn more about the [container publishing requirements](https://cloud.google.com/vertex-ai/docs/predictions/custom-container-requirements#publishing), including permissions requirements for the Vertex AI Service Agent. The container image is ingested upon ModelService.UploadModel, stored internally, and this original path is afterwards not used. To learn about the requirements for the Docker image itself, see [Custom container requirements](https://cloud.google.com/vertex-ai/docs/predictions/custom-container-requirements#). You can use the URI to one of Vertex AI's [pre-built container images for prediction](https://cloud.google.com/vertex-ai/docs/predictions/pre-built-containers) in this field.
+
+ * `env`: Immutable. List of environment variables to set in the container. After the container starts running, code running in the container can read these environment variables. Additionally, the command and args fields can reference these variables. Later entries in this list can also reference earlier entries. For example, the following example sets the variable `VAR_2` to have the value `foo bar`: ```json [ { "name": "VAR_1", "value": "foo" }, { "name": "VAR_2", "value": "$(VAR_1) bar" } ] ``` If you switch the order of the variables in the example, then the expansion does not occur. This field corresponds to the `env` field of the Kubernetes Containers [v1 core API](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.23/#container-v1-core).
+
+ * `name`: Required. Name of the environment variable. Must be a valid C identifier.
+
+ * `value`: Required. Variables that reference a $(VAR_NAME) are expanded using the previous defined environment variables in the container and any service environment variables. If a variable cannot be resolved, the reference in the input string will be unchanged. The $(VAR_NAME) syntax can be escaped with a double $$, ie: $$(VAR_NAME). Escaped references will never be expanded, regardless of whether the variable exists or not.
+
+ * `args`: Immutable. Specifies arguments for the command that runs when the container starts. This overrides the container's [`CMD`](https://docs.docker.com/engine/reference/builder/#cmd). Specify this field as an array of executable and arguments, similar to a Docker `CMD`'s "default parameters" form. If you don't specify this field but do specify the command field, then the command from the `command` field runs without any additional arguments. See the [Kubernetes documentation about how the `command` and `args` fields interact with a container's `ENTRYPOINT` and `CMD`](https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/#notes). If you don't specify this field and don't specify the `command` field, then the container's [`ENTRYPOINT`](https://docs.docker.com/engine/reference/builder/#cmd) and `CMD` determine what runs based on their default behavior. See the Docker documentation about [how `CMD` and `ENTRYPOINT` interact](https://docs.docker.com/engine/reference/builder/#understand-how-cmd-and-entrypoint-interact). In this field, you can reference [environment variables set by Vertex AI](https://cloud.google.com/vertex-ai/docs/predictions/custom-container-requirements#aip-variables) and environment variables set in the env field. You cannot reference environment variables set in the Docker image. In order for environment variables to be expanded, reference them by using the following syntax: $( VARIABLE_NAME) Note that this differs from Bash variable expansion, which does not use parentheses. If a variable cannot be resolved, the reference in the input string is used unchanged. To avoid variable expansion, you can escape this syntax with `$$`; for example: $$(VARIABLE_NAME) This field corresponds to the `args` field of the Kubernetes Containers [v1 core API](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.23/#container-v1-core).
+
+ * `command`: Immutable. Specifies the command that runs when the container starts. This overrides the container's [ENTRYPOINT](https://docs.docker.com/engine/reference/builder/#entrypoint). Specify this field as an array of executable and arguments, similar to a Docker `ENTRYPOINT`'s "exec" form, not its "shell" form. If you do not specify this field, then the container's `ENTRYPOINT` runs, in conjunction with the args field or the container's [`CMD`](https://docs.docker.com/engine/reference/builder/#cmd), if either exists. If this field is not specified and the container does not have an `ENTRYPOINT`, then refer to the Docker documentation about [how `CMD` and `ENTRYPOINT` interact](https://docs.docker.com/engine/reference/builder/#understand-how-cmd-and-entrypoint-interact). If you specify this field, then you can also specify the `args` field to provide additional arguments for this command. However, if you specify this field, then the container's `CMD` is ignored. See the [Kubernetes documentation about how the `command` and `args` fields interact with a container's `ENTRYPOINT` and `CMD`](https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/#notes). In this field, you can reference [environment variables set by Vertex AI](https://cloud.google.com/vertex-ai/docs/predictions/custom-container-requirements#aip-variables) and environment variables set in the env field. You cannot reference environment variables set in the Docker image. In order for environment variables to be expanded, reference them by using the following syntax: $( VARIABLE_NAME) Note that this differs from Bash variable expansion, which does not use parentheses. If a variable cannot be resolved, the reference in the input string is used unchanged. To avoid variable expansion, you can escape this syntax with `$$`; for example: $$(VARIABLE_NAME) This field corresponds to the `command` field of the Kubernetes Containers [v1 core API](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.23/#container-v1-core).
+
+ * `ports`: Immutable. List of ports to expose from the container. Vertex AI sends any prediction requests that it receives to the first port on this list. Vertex AI also sends [liveness and health checks](https://cloud.google.com/vertex-ai/docs/predictions/custom-container-requirements#liveness) to this port. If you do not specify this field, it defaults to following value: ```json [ { "containerPort": 8080 } ] ``` Vertex AI does not use ports other than the first one listed. This field corresponds to the `ports` field of the Kubernetes Containers [v1 core API](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.23/#container-v1-core).
+
+ * `container_port`: The number of the port to expose on the pod's IP address. Must be a valid port number, between 1 and 65535 inclusive.
+
+ * `health_route`: Immutable. HTTP path on the container to send health checks to. Vertex AI intermittently sends GET requests to this path on the container's IP address and port to check that the container is healthy. Read more about [health checks](https://cloud.google.com/vertex-ai/docs/predictions/custom-container-requirements#health). For example, if you set this field to `/bar`, then Vertex AI intermittently sends a GET request to the `/bar` path on the port of your container specified by the first value of this `ModelContainerSpec`'s ports field. If you don't specify this field, it defaults to the following value when you deploy this Model to an Endpoint: /v1/endpoints/ENDPOINT/deployedModels/ DEPLOYED_MODEL:predict The placeholders in this value are replaced as follows: * ENDPOINT: The last segment (following `endpoints/`)of the Endpoint.name][] field of the Endpoint where this Model has been deployed. (Vertex AI makes this value available to your container code as the [`AIP_ENDPOINT_ID` environment variable](https://cloud.google.com/vertex-ai/docs/predictions/custom-container-requirements#aip-variables).) * DEPLOYED_MODEL: DeployedModel.id of the `DeployedModel`. (Vertex AI makes this value available to your container code as the [`AIP_DEPLOYED_MODEL_ID` environment variable](https://cloud.google.com/vertex-ai/docs/predictions/custom-container-requirements#aip-variables).)
+
+ * `completion_stats`: Success and error statistics of processing multiple entities (for example, DataItems or structured data rows) in batch.
+
+ * `successful_forecast_point_count`: Output only. The number of the successful forecast points that are generated by the forecasting model. This is ONLY used by the forecasting batch prediction.
+
+ * `incomplete_count`: Output only. In cases when enough errors are encountered a job, pipeline, or operation may be failed as a whole. Below is the number of entities for which the processing had not been finished (either in successful or failed state). Set to -1 if the number is unknown (for example, the operation failed before the total entity number could be collected).
+
+ * `failed_count`: Output only. The number of entities for which any error was encountered.
+
+ * `successful_count`: Output only. The number of entities that had been processed successfully.
+
+ * `start_time`: Output only. Time when the BatchPredictionJob for the first time entered the `JOB_STATE_RUNNING` state.
+
+ * `manual_batch_tuning_parameters`: Manual batch tuning parameters.
+
+ * `batch_size`: Immutable. The number of the records (e.g. instances) of the operation given in each batch to a machine replica. Machine type, and size of a single record should be considered when setting this parameter, higher value speeds up the batch operation's execution, but too high value will result in a whole batch not fitting in a machine's memory, and the whole operation will fail. The default value is 64.
+
+ * `update_time`: Output only. Time when the BatchPredictionJob was most recently updated.
+
+ * `name`: Output only. Resource name of the BatchPredictionJob.
+
+ * `labels`: The labels with user-defined metadata to organize BatchPredictionJobs. Label keys and values can be no longer than 64 characters (Unicode codepoints), can only contain lowercase letters, numeric characters, underscores and dashes. International characters are allowed. See https://goo.gl/xmQnxf for more information and examples of labels.
+
+ * `additional_properties`:
+
+ * `state`: Output only. The detailed state of the job.
+ Possible values:
+ * JOB_STATE_UNSPECIFIED
+ * JOB_STATE_QUEUED
+ * JOB_STATE_PENDING
+ * JOB_STATE_RUNNING
+ * JOB_STATE_SUCCEEDED
+ * JOB_STATE_FAILED
+ * JOB_STATE_CANCELLING
+ * JOB_STATE_CANCELLED
+ * JOB_STATE_PAUSED
+ * JOB_STATE_EXPIRED
+ * JOB_STATE_UPDATING
+ * JOB_STATE_PARTIALLY_SUCCEEDED
+
+ * `encryption_spec`: Represents a customer-managed encryption key spec that can be applied to a top-level resource.
+
+ * `kms_key_name`: Required. The Cloud KMS resource identifier of the customer managed encryption key used to protect a resource. Has the form: `projects/my-project/locations/my-region/keyRings/my-kr/cryptoKeys/my-key`. The key needs to be in the same region as where the compute resource is created.
+
+ * `partial_failures`: Output only. Partial failures encountered. For example, single files that can't be read. This field never exceeds 20 entries. Status details fields contain standard Google Cloud error details.
+
+ * `details`: A list of messages that carry the error details. There is a common set of message types for APIs to use.
+
+ * `code`: The status code, which should be an enum value of google.rpc.Code.
+
+ * `message`: A developer-facing error message, which should be in English. Any user-facing error message should be localized and sent in the google.rpc.Status.details field, or localized by the client.
+
+ * `model`: The name of the Model resource that produces the predictions via this job, must share the same ancestor Location. Starting this job has no impact on any existing deployments of the Model and their resources. Exactly one of model and unmanaged_container_model must be set. The model resource name may contain version id or version alias to specify the version. Example: `projects/{project}/locations/{location}/models/{model}@2` or `projects/{project}/locations/{location}/models/{model}@golden` if no version is specified, the default version will be deployed. The model resource could also be a publisher model. Example: `publishers/{publisher}/models/{model}` or `projects/{project}/locations/{location}/publishers/{publisher}/models/{model}`
+
+ * `output_config`: Configures the output of BatchPredictionJob. See Model.supported_output_storage_formats for supported output formats, and how predictions are expressed via any of them.
+
+ * `gcs_destination`: The Google Cloud Storage location where the output is to be written to.
+
+ * `output_uri_prefix`: Required. Google Cloud Storage URI to output directory. If the uri doesn't end with '/', a '/' will be automatically appended. The directory is created if it doesn't exist.
+
+ * `predictions_format`: Required. The format in which Vertex AI gives the predictions, must be one of the Model's supported_output_storage_formats.
+
+ * `bigquery_destination`: The BigQuery location for the output content.
+
+ * `output_uri`: Required. BigQuery URI to a project or table, up to 2000 characters long. When only the project is specified, the Dataset and Table is created. When the full table reference is specified, the Dataset must exist and table must not exist. Accepted forms: * BigQuery path. For example: `bq://projectId` or `bq://projectId.bqDatasetId` or `bq://projectId.bqDatasetId.bqTableId`.
+
+ * `display_name`: Required. The user-defined name of this BatchPredictionJob.
+
+ * `service_account`: The service account that the DeployedModel's container runs as. If not specified, a system generated one will be used, which has minimal permissions and the custom container, if used, may not have enough permission to access other Google Cloud resources. Users deploying the Model must have the `iam.serviceAccounts.actAs` permission on this service account.
+
+
+## GCP permissions
diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_vertex_ai_batch_prediction_jobs.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_vertex_ai_batch_prediction_jobs.md
new file mode 100644
index 0000000..cafd34a
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_vertex_ai_batch_prediction_jobs.md
@@ -0,0 +1,62 @@
++++
+title = "google_vertex_ai_batch_prediction_jobs resource"
+
+draft = false
+
+
+[menu.gcp]
+title = "google_vertex_ai_batch_prediction_jobs"
+identifier = "inspec/resources/gcp/google_vertex_ai_batch_prediction_jobs resource"
+parent = "inspec/resources/gcp"
++++
+
+Use the `google_vertex_ai_batch_prediction_jobs` InSpec audit resource to to test a Google Cloud BatchPredictionJob resource.
+
+## Examples
+
+```ruby
+ describe google_vertex_ai_batch_prediction_jobs(parent: ' value_parent', region: ' value_region') do
+ it { should exist }
+ end
+```
+
+## Properties
+
+Properties that can be accessed from the `google_vertex_ai_batch_prediction_jobs` resource:
+
+See [google_vertex_ai_batch_prediction_job](google_vertex_ai_batch_prediction_job) for more detailed information.
+
+ * `create_times`: an array of `google_vertex_ai_batch_prediction_job` create_time
+ * `model_parameters`: an array of `google_vertex_ai_batch_prediction_job` model_parameters
+ * `instance_configs`: an array of `google_vertex_ai_batch_prediction_job` instance_config
+ * `model_version_ids`: an array of `google_vertex_ai_batch_prediction_job` model_version_id
+ * `dedicated_resources`: an array of `google_vertex_ai_batch_prediction_job` dedicated_resources
+ * `output_infos`: an array of `google_vertex_ai_batch_prediction_job` output_info
+ * `disable_container_loggings`: an array of `google_vertex_ai_batch_prediction_job` disable_container_logging
+ * `explanation_specs`: an array of `google_vertex_ai_batch_prediction_job` explanation_spec
+ * `end_times`: an array of `google_vertex_ai_batch_prediction_job` end_time
+ * `generate_explanations`: an array of `google_vertex_ai_batch_prediction_job` generate_explanation
+ * `resources_consumeds`: an array of `google_vertex_ai_batch_prediction_job` resources_consumed
+ * `errors`: an array of `google_vertex_ai_batch_prediction_job` error
+ * `input_configs`: an array of `google_vertex_ai_batch_prediction_job` input_config
+ * `unmanaged_container_models`: an array of `google_vertex_ai_batch_prediction_job` unmanaged_container_model
+ * `completion_stats`: an array of `google_vertex_ai_batch_prediction_job` completion_stats
+ * `start_times`: an array of `google_vertex_ai_batch_prediction_job` start_time
+ * `manual_batch_tuning_parameters`: an array of `google_vertex_ai_batch_prediction_job` manual_batch_tuning_parameters
+ * `update_times`: an array of `google_vertex_ai_batch_prediction_job` update_time
+ * `names`: an array of `google_vertex_ai_batch_prediction_job` name
+ * `labels`: an array of `google_vertex_ai_batch_prediction_job` labels
+ * `states`: an array of `google_vertex_ai_batch_prediction_job` state
+ * `encryption_specs`: an array of `google_vertex_ai_batch_prediction_job` encryption_spec
+ * `partial_failures`: an array of `google_vertex_ai_batch_prediction_job` partial_failures
+ * `models`: an array of `google_vertex_ai_batch_prediction_job` model
+ * `output_configs`: an array of `google_vertex_ai_batch_prediction_job` output_config
+ * `display_names`: an array of `google_vertex_ai_batch_prediction_job` display_name
+ * `service_accounts`: an array of `google_vertex_ai_batch_prediction_job` service_account
+
+## Filter criteria
+
+This resource supports all of the above properties as filter criteria, which can be used
+with `where` as a block or a method.
+
+## GCP permissions
diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_vertex_ai_custom_job.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_vertex_ai_custom_job.md
new file mode 100644
index 0000000..6ead8da
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_vertex_ai_custom_job.md
@@ -0,0 +1,175 @@
++++
+title = "google_vertex_ai_custom_job resource"
+
+draft = false
+
+
+[menu.gcp]
+title = "google_vertex_ai_custom_job"
+identifier = "inspec/resources/gcp/google_vertex_ai_custom_job resource"
+parent = "inspec/resources/gcp"
++++
+
+Use the `google_vertex_ai_custom_job` InSpec audit resource to to test a Google Cloud CustomJob resource.
+
+## Examples
+
+```ruby
+ describe google_vertex_ai_custom_job(name: ' value_name', region: ' value_region') do
+ it { should exist }
+ end
+```
+
+## Properties
+
+Properties that can be accessed from the `google_vertex_ai_custom_job` resource:
+
+
+ * `error`: The `Status` type defines a logical error model that is suitable for different programming environments, including REST APIs and RPC APIs. It is used by [gRPC](https://github.com/grpc). Each `Status` message contains three pieces of data: error code, error message, and error details. You can find out more about this error model and how to work with it in the [API Design Guide](https://cloud.google.com/apis/design/errors).
+
+ * `details`: A list of messages that carry the error details. There is a common set of message types for APIs to use.
+
+ * `code`: The status code, which should be an enum value of google.rpc.Code.
+
+ * `message`: A developer-facing error message, which should be in English. Any user-facing error message should be localized and sent in the google.rpc.Status.details field, or localized by the client.
+
+ * `web_access_uris`: Output only. URIs for accessing [interactive shells](https://cloud.google.com/vertex-ai/docs/training/monitor-debug-interactive-shell) (one URI for each training node). Only available if job_spec.enable_web_access is `true`. The keys are names of each node in the training job; for example, `workerpool0-0` for the primary node, `workerpool1-0` for the first node in the second worker pool, and `workerpool1-1` for the second node in the second worker pool. The values are the URIs for each node's interactive shell.
+
+ * `additional_properties`:
+
+ * `job_spec`: Represents the spec of a CustomJob.
+
+ * `worker_pool_specs`: Required. The spec of the worker pools including machine type and Docker image. All worker pools except the first one are optional and can be skipped by providing an empty value.
+
+ * `container_spec`: The spec of a Container.
+
+ * `env`: Environment variables to be passed to the container. Maximum limit is 100.
+
+ * `name`: Required. Name of the environment variable. Must be a valid C identifier.
+
+ * `value`: Required. Variables that reference a $(VAR_NAME) are expanded using the previous defined environment variables in the container and any service environment variables. If a variable cannot be resolved, the reference in the input string will be unchanged. The $(VAR_NAME) syntax can be escaped with a double $$, ie: $$(VAR_NAME). Escaped references will never be expanded, regardless of whether the variable exists or not.
+
+ * `args`: The arguments to be passed when starting the container.
+
+ * `command`: The command to be invoked when the container is started. It overrides the entrypoint instruction in Dockerfile when provided.
+
+ * `image_uri`: Required. The URI of a container image in the Container Registry that is to be run on each worker replica.
+
+ * `machine_spec`: Specification of a single machine.
+
+ * `accelerator_type`: Immutable. The type of accelerator(s) that may be attached to the machine as per accelerator_count.
+ Possible values:
+ * ACCELERATOR_TYPE_UNSPECIFIED
+ * NVIDIA_TESLA_K80
+ * NVIDIA_TESLA_P100
+ * NVIDIA_TESLA_V100
+ * NVIDIA_TESLA_P4
+ * NVIDIA_TESLA_T4
+ * NVIDIA_TESLA_A100
+ * NVIDIA_A100_80GB
+ * NVIDIA_L4
+ * TPU_V2
+ * TPU_V3
+ * TPU_V4_POD
+
+ * `machine_type`: Immutable. The type of the machine. See the [list of machine types supported for prediction](https://cloud.google.com/vertex-ai/docs/predictions/configure-compute#machine-types) See the [list of machine types supported for custom training](https://cloud.google.com/vertex-ai/docs/training/configure-compute#machine-types). For DeployedModel this field is optional, and the default value is `n1-standard-2`. For BatchPredictionJob or as part of WorkerPoolSpec this field is required.
+
+ * `accelerator_count`: The number of accelerators to attach to the machine.
+
+ * `replica_count`: Optional. The number of worker replicas to use for this worker pool.
+
+ * `nfs_mounts`: Optional. List of NFS mount spec.
+
+ * `path`: Required. Source path exported from NFS server. Has to start with '/', and combined with the ip address, it indicates the source mount path in the form of `server:path`
+
+ * `mount_point`: Required. Destination mount path. The NFS will be mounted for the user under /mnt/nfs/
+
+ * `server`: Required. IP address of the NFS server.
+
+ * `python_package_spec`: The spec of a Python packaged code.
+
+ * `package_uris`: Required. The Google Cloud Storage location of the Python package files which are the training program and its dependent packages. The maximum number of package URIs is 100.
+
+ * `env`: Environment variables to be passed to the python module. Maximum limit is 100.
+
+ * `name`: Required. Name of the environment variable. Must be a valid C identifier.
+
+ * `value`: Required. Variables that reference a $(VAR_NAME) are expanded using the previous defined environment variables in the container and any service environment variables. If a variable cannot be resolved, the reference in the input string will be unchanged. The $(VAR_NAME) syntax can be escaped with a double $$, ie: $$(VAR_NAME). Escaped references will never be expanded, regardless of whether the variable exists or not.
+
+ * `executor_image_uri`: Required. The URI of a container image in Artifact Registry that will run the provided Python package. Vertex AI provides a wide range of executor images with pre-installed packages to meet users' various use cases. See the list of [pre-built containers for training](https://cloud.google.com/vertex-ai/docs/training/pre-built-containers). You must use an image from this list.
+
+ * `args`: Command line arguments to be passed to the Python task.
+
+ * `python_module`: Required. The Python module name to run after installing the packages.
+
+ * `disk_spec`: Represents the spec of disk options.
+
+ * `boot_disk_type`: Type of the boot disk (default is "pd-ssd"). Valid values: "pd-ssd" (Persistent Disk Solid State Drive) or "pd-standard" (Persistent Disk Hard Disk Drive).
+
+ * `boot_disk_size_gb`: Size in GB of the boot disk (default is 100GB).
+
+ * `enable_web_access`: Optional. Whether you want Vertex AI to enable [interactive shell access](https://cloud.google.com/vertex-ai/docs/training/monitor-debug-interactive-shell) to training containers. If set to `true`, you can access interactive shells at the URIs given by CustomJob.web_access_uris or Trial.web_access_uris (within HyperparameterTuningJob.trials).
+
+ * `tensorboard`: Optional. The name of a Vertex AI Tensorboard resource to which this CustomJob will upload Tensorboard logs. Format: `projects/{project}/locations/{location}/tensorboards/{tensorboard}`
+
+ * `experiment`: Optional. The Experiment associated with this job. Format: `projects/{project}/locations/{location}/metadataStores/{metadataStores}/contexts/{experiment-name}`
+
+ * `experiment_run`: Optional. The Experiment Run associated with this job. Format: `projects/{project}/locations/{location}/metadataStores/{metadataStores}/contexts/{experiment-name}-{experiment-run-name}`
+
+ * `scheduling`: All parameters related to queuing and scheduling of custom jobs.
+
+ * `disable_retries`: Optional. Indicates if the job should retry for internal errors after the job starts running. If true, overrides `Scheduling.restart_job_on_worker_restart` to false.
+
+ * `timeout`: The maximum job running time. The default is 7 days.
+
+ * `restart_job_on_worker_restart`: Restarts the entire CustomJob if a worker gets restarted. This feature can be used by distributed training jobs that are not resilient to workers leaving and joining a job.
+
+ * `enable_dashboard_access`: Optional. Whether you want Vertex AI to enable access to the customized dashboard in training chief container. If set to `true`, you can access the dashboard at the URIs given by CustomJob.web_access_uris or Trial.web_access_uris (within HyperparameterTuningJob.trials).
+
+ * `service_account`: Specifies the service account for workload run-as account. Users submitting jobs must have act-as permission on this run-as account. If unspecified, the [Vertex AI Custom Code Service Agent](https://cloud.google.com/vertex-ai/docs/general/access-control#service-agents) for the CustomJob's project is used.
+
+ * `base_output_directory`: The Google Cloud Storage location where the output is to be written to.
+
+ * `output_uri_prefix`: Required. Google Cloud Storage URI to output directory. If the uri doesn't end with '/', a '/' will be automatically appended. The directory is created if it doesn't exist.
+
+ * `reserved_ip_ranges`: Optional. A list of names for the reserved ip ranges under the VPC network that can be used for this job. If set, we will deploy the job within the provided ip ranges. Otherwise, the job will be deployed to any ip ranges under the provided VPC network. Example: ['vertex-ai-ip-range'].
+
+ * `network`: Optional. The full name of the Compute Engine [network](/compute/docs/networks-and-firewalls#networks) to which the Job should be peered. For example, `projects/12345/global/networks/myVPC`. [Format](/compute/docs/reference/rest/v1/networks/insert) is of the form `projects/{project}/global/networks/{network}`. Where {project} is a project number, as in `12345`, and {network} is a network name. To specify this field, you must have already [configured VPC Network Peering for Vertex AI](https://cloud.google.com/vertex-ai/docs/general/vpc-peering). If this field is left unspecified, the job is not peered with any network.
+
+ * `start_time`: Output only. Time when the CustomJob for the first time entered the `JOB_STATE_RUNNING` state.
+
+ * `labels`: The labels with user-defined metadata to organize CustomJobs. Label keys and values can be no longer than 64 characters (Unicode codepoints), can only contain lowercase letters, numeric characters, underscores and dashes. International characters are allowed. See https://goo.gl/xmQnxf for more information and examples of labels.
+
+ * `additional_properties`:
+
+ * `encryption_spec`: Represents a customer-managed encryption key spec that can be applied to a top-level resource.
+
+ * `kms_key_name`: Required. The Cloud KMS resource identifier of the customer managed encryption key used to protect a resource. Has the form: `projects/my-project/locations/my-region/keyRings/my-kr/cryptoKeys/my-key`. The key needs to be in the same region as where the compute resource is created.
+
+ * `create_time`: Output only. Time when the CustomJob was created.
+
+ * `update_time`: Output only. Time when the CustomJob was most recently updated.
+
+ * `end_time`: Output only. Time when the CustomJob entered any of the following states: `JOB_STATE_SUCCEEDED`, `JOB_STATE_FAILED`, `JOB_STATE_CANCELLED`.
+
+ * `state`: Output only. The detailed state of the job.
+ Possible values:
+ * JOB_STATE_UNSPECIFIED
+ * JOB_STATE_QUEUED
+ * JOB_STATE_PENDING
+ * JOB_STATE_RUNNING
+ * JOB_STATE_SUCCEEDED
+ * JOB_STATE_FAILED
+ * JOB_STATE_CANCELLING
+ * JOB_STATE_CANCELLED
+ * JOB_STATE_PAUSED
+ * JOB_STATE_EXPIRED
+ * JOB_STATE_UPDATING
+ * JOB_STATE_PARTIALLY_SUCCEEDED
+
+ * `display_name`: Required. The display name of the CustomJob. The name can be up to 128 characters long and can consist of any UTF-8 characters.
+
+ * `name`: Output only. Resource name of a CustomJob.
+
+
+## GCP permissions
diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_vertex_ai_custom_jobs.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_vertex_ai_custom_jobs.md
new file mode 100644
index 0000000..2b6b904
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_vertex_ai_custom_jobs.md
@@ -0,0 +1,47 @@ ++++ +title = "google_vertex_ai_custom_jobs resource" + +draft = false + + +[menu.gcp] +title = "google_vertex_ai_custom_jobs" +identifier = "inspec/resources/gcp/google_vertex_ai_custom_jobs resource" +parent = "inspec/resources/gcp" ++++ + +Use the `google_vertex_ai_custom_jobs` InSpec audit resource to to test a Google Cloud CustomJob resource. + +## Examples + +```ruby + describe google_vertex_ai_custom_job(parent: ' value_parent', region: ' value_region') do + it { should exist } + end +``` + +## Properties + +Properties that can be accessed from the `google_vertex_ai_custom_jobs` resource: + +See [google_vertex_ai_custom_job](google_vertex_ai_custom_job) for more detailed information. + + * `errors`: an array of `google_vertex_ai_custom_job` error + * `web_access_uris`: an array of `google_vertex_ai_custom_job` web_access_uris + * `job_specs`: an array of `google_vertex_ai_custom_job` job_spec + * `start_times`: an array of `google_vertex_ai_custom_job` start_time + * `labels`: an array of `google_vertex_ai_custom_job` labels + * `encryption_specs`: an array of `google_vertex_ai_custom_job` encryption_spec + * `create_times`: an array of `google_vertex_ai_custom_job` create_time + * `update_times`: an array of `google_vertex_ai_custom_job` update_time + * `end_times`: an array of `google_vertex_ai_custom_job` end_time + * `states`: an array of `google_vertex_ai_custom_job` state + * `display_names`: an array of `google_vertex_ai_custom_job` display_name + * `names`: an array of `google_vertex_ai_custom_job` name + +## Filter criteria + +This resource supports all of the above properties as filter criteria, which can be used +with `where` as a block or a method. + +## GCP permissions diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_vertex_ai_dataset.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_vertex_ai_dataset.md new file mode 100644 index 0000000..32de96b --- /dev/null 
+++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_vertex_ai_dataset.md 
@@ -0,0 +1,79 @@ ++++ +title = "google_vertex_ai_dataset resource" + +draft = false + + +[menu.gcp] +title = "google_vertex_ai_dataset" +identifier = "inspec/resources/gcp/google_vertex_ai_dataset resource" +parent = "inspec/resources/gcp" ++++ + +Use the `google_vertex_ai_dataset` InSpec audit resource to to test a Google Cloud Dataset resource. + +## Examples + +```ruby + describe google_vertex_ai_dataset(name: ' ', region: ' ') do + it { should exist } + end +``` + +## Properties + +Properties that can be accessed from the `google_vertex_ai_dataset` resource: + + + * `saved_queries`: All SavedQueries belong to the Dataset will be returned in List/Get Dataset response. The annotation_specs field will not be populated except for UI cases which will only use annotation_spec_count. In CreateDataset request, a SavedQuery is created together if this field is set, up to one SavedQuery can be set in CreateDatasetRequest. The SavedQuery should not contain any AnnotationSpec. + + * `annotation_spec_count`: Output only. Number of AnnotationSpecs in the context of the SavedQuery. + + * `update_time`: Output only. Timestamp when SavedQuery was last updated. + + * `support_automl_training`: Output only. If the Annotations belonging to the SavedQuery can be used for AutoML training. + + * `metadata`: Some additional information about the SavedQuery. + + * `problem_type`: Required. Problem type of the SavedQuery. Allowed values: * IMAGE_CLASSIFICATION_SINGLE_LABEL * IMAGE_CLASSIFICATION_MULTI_LABEL * IMAGE_BOUNDING_POLY * IMAGE_BOUNDING_BOX * TEXT_CLASSIFICATION_SINGLE_LABEL * TEXT_CLASSIFICATION_MULTI_LABEL * TEXT_EXTRACTION * TEXT_SENTIMENT * VIDEO_CLASSIFICATION * VIDEO_OBJECT_TRACKING + + * `name`: Output only. Resource name of the SavedQuery. + + * `create_time`: Output only. Timestamp when this SavedQuery was created. + + * `etag`: Used to perform a consistent read-modify-write update. If not set, a blind "overwrite" update happens. + + * `display_name`: Required. 
The user-defined name of the SavedQuery. The name can be up to 128 characters long and can consist of any UTF-8 characters. + + * `annotation_filter`: Output only. Filters on the Annotations in the dataset. + + * `create_time`: Output only. Timestamp when this Dataset was created. + + * `encryption_spec`: Represents a customer-managed encryption key spec that can be applied to a top-level resource. + + * `kms_key_name`: Required. The Cloud KMS resource identifier of the customer managed encryption key used to protect a resource. Has the form: `projects/my-project/locations/my-region/keyRings/my-kr/cryptoKeys/my-key`. The key needs to be in the same region as where the compute resource is created. + + * `name`: Output only. The resource name of the Dataset. + + * `metadata`: Required. Additional information about the Dataset. + + * `etag`: Used to perform consistent read-modify-write updates. If not set, a blind "overwrite" update happens. + + * `description`: The description of the Dataset. + + * `labels`: The labels with user-defined metadata to organize your Datasets. Label keys and values can be no longer than 64 characters (Unicode codepoints), can only contain lowercase letters, numeric characters, underscores and dashes. International characters are allowed. No more than 64 user labels can be associated with one Dataset (System labels are excluded). See https://goo.gl/xmQnxf for more information and examples of labels. System reserved label keys are prefixed with "aiplatform.googleapis.com/" and are immutable. Following system labels exist for each Dataset: * "aiplatform.googleapis.com/dataset_metadata_schema": output only, its value is the metadata_schema's title. + + * `additional_properties`: + + * `metadata_schema_uri`: Required. Points to a YAML file stored on Google Cloud Storage describing additional information about the Dataset. The schema is defined as an OpenAPI 3.0.2 Schema Object. 
The schema files that can be used here are found in gs://google-cloud-aiplatform/schema/dataset/metadata/. + + * `metadata_artifact`: Output only. The resource name of the Artifact that was created in MetadataStore when creating the Dataset. The Artifact resource name pattern is `projects/{project}/locations/{location}/metadataStores/{metadata_store}/artifacts/{artifact}`. + + * `update_time`: Output only. Timestamp when this Dataset was last updated. + + * `data_item_count`: Output only. The number of DataItems in this Dataset. Only apply for non-structured Dataset. + + * `display_name`: Required. The user-defined name of the Dataset. The name can be up to 128 characters long and can consist of any UTF-8 characters. + + +## GCP permissions diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_vertex_ai_dataset_data_item_annotations.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_vertex_ai_dataset_data_item_annotations.md new file mode 100644 index 0000000..ba3a828 --- /dev/null +++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_vertex_ai_dataset_data_item_annotations.md 
@@ -0,0 +1,43 @@ ++++ +title = "google_vertex_ai_dataset_data_item_annotations resource" + +draft = false + + +[menu.gcp] +title = "google_vertex_ai_dataset_data_item_annotations" +identifier = "inspec/resources/gcp/google_vertex_ai_dataset_data_item_annotations resource" +parent = "inspec/resources/gcp" ++++ + +Use the `google_vertex_ai_dataset_data_item_annotations` InSpec audit resource to to test a Google Cloud DatasetDataItemAnnotation resource. + +## Examples + +```ruby + describe google_vertex_ai_dataset_data_item_annotations(parent: "projects/#{gcp_project_id}/locations/#{dataset_data_item_annotation['region']}/datasets/#{dataset_data_item_annotation['dataset']}/dataItems/#{dataset_data_item_annotation['dataItem']}", region: ' value_region') do + it { should exist } + end +``` + +## Properties + +Properties that can be accessed from the `google_vertex_ai_dataset_data_item_annotations` resource: + +See [google_vertex_ai_dataset_data_item_annotation](google_vertex_ai_dataset_data_item_annotation) for more detailed information. + + * `payload_schema_uris`: an array of `google_vertex_ai_dataset_data_item_annotation` payload_schema_uri + * `create_times`: an array of `google_vertex_ai_dataset_data_item_annotation` create_time + * `etags`: an array of `google_vertex_ai_dataset_data_item_annotation` etag + * `labels`: an array of `google_vertex_ai_dataset_data_item_annotation` labels + * `update_times`: an array of `google_vertex_ai_dataset_data_item_annotation` update_time + * `payloads`: an array of `google_vertex_ai_dataset_data_item_annotation` payload + * `annotation_sources`: an array of `google_vertex_ai_dataset_data_item_annotation` annotation_source + * `names`: an array of `google_vertex_ai_dataset_data_item_annotation` name + +## Filter criteria + +This resource supports all of the above properties as filter criteria, which can be used +with `where` as a block or a method. + +## GCP permissions 
diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_vertex_ai_datasets.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_vertex_ai_datasets.md
new file mode 100644
index 0000000..1c5a1d7
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_vertex_ai_datasets.md
@@ -0,0 +1,48 @@ ++++ +title = "google_vertex_ai_datasets resource" + +draft = false + + +[menu.gcp] +title = "google_vertex_ai_datasets" +identifier = "inspec/resources/gcp/google_vertex_ai_datasets resource" +parent = "inspec/resources/gcp" ++++ + +Use the `google_vertex_ai_datasets` InSpec audit resource to to test a Google Cloud Dataset resource. + +## Examples + +```ruby + describe google_vertex_ai_dataset(parent: ' ', region: ' ') do + it { should exist } + end +``` + +## Properties + +Properties that can be accessed from the `google_vertex_ai_datasets` resource: + +See [google_vertex_ai_dataset](google_vertex_ai_dataset) for more detailed information. + + * `saved_queries`: an array of `google_vertex_ai_dataset` saved_queries + * `create_times`: an array of `google_vertex_ai_dataset` create_time + * `encryption_specs`: an array of `google_vertex_ai_dataset` encryption_spec + * `names`: an array of `google_vertex_ai_dataset` name + * `metadata`: an array of `google_vertex_ai_dataset` metadata + * `etags`: an array of `google_vertex_ai_dataset` etag + * `descriptions`: an array of `google_vertex_ai_dataset` description + * `labels`: an array of `google_vertex_ai_dataset` labels + * `metadata_schema_uris`: an array of `google_vertex_ai_dataset` metadata_schema_uri + * `metadata_artifacts`: an array of `google_vertex_ai_dataset` metadata_artifact + * `update_times`: an array of `google_vertex_ai_dataset` update_time + * `data_item_counts`: an array of `google_vertex_ai_dataset` data_item_count + * `display_names`: an array of `google_vertex_ai_dataset` display_name + +## Filter criteria + +This resource supports all of the above properties as filter criteria, which can be used +with `where` as a block or a method. + +## GCP permissions 
diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_vertex_ai_datasets_annotation_spec.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_vertex_ai_datasets_annotation_spec.md
new file mode 100644
index 0000000..43823c3
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_vertex_ai_datasets_annotation_spec.md
@@ -0,0 +1,49 @@ ++++ +title = "google_vertex_ai_datasets_annotation_spec resource" + +draft = false + + +[menu.gcp] +title = "google_vertex_ai_datasets_annotation_spec" +identifier = "inspec/resources/gcp/google_vertex_ai_datasets_annotation_spec resource" +parent = "inspec/resources/gcp" ++++ + +Use the `google_vertex_ai_datasets_annotation_spec` InSpec audit resource to to test a Google Cloud DatasetsAnnotationSpec resource. + +## Examples + +```ruby +describe google_vertex_ai_datasets_annotation_spec(name: "projects/#{gcp_project_id}/locations/#{datasets_annotation_spec['region']}/datasets/#{datasets_annotation_spec['dataset']}/annotationSpecs/#{datasets_annotation_spec['name']}", region: ' value_region') do + it { should exist } + its('display_name') { should cmp 'value_displayname' } + its('name') { should cmp 'value_name' } + its('etag') { should cmp 'value_etag' } + its('create_time') { should cmp 'value_createtime' } + its('update_time') { should cmp 'value_updatetime' } + +end + +describe google_vertex_ai_datasets_annotation_spec(name: "does_not_exit", region: ' value_region') do + it { should_not exist } +end +``` + +## Properties + +Properties that can be accessed from the `google_vertex_ai_datasets_annotation_spec` resource: + + + * `display_name`: Required. The user-defined name of the AnnotationSpec. The name can be up to 128 characters long and can consist of any UTF-8 characters. + + * `name`: Output only. Resource name of the AnnotationSpec. + + * `etag`: Optional. Used to perform consistent read-modify-write updates. If not set, a blind "overwrite" update happens. + + * `create_time`: Output only. Timestamp when this AnnotationSpec was created. + + * `update_time`: Output only. Timestamp when AnnotationSpec was last updated. + + +## GCP permissions 
diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_vertex_ai_datasets_data_items.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_vertex_ai_datasets_data_items.md new file mode 100644 index 0000000..8498822 --- /dev/null +++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_vertex_ai_datasets_data_items.md @@ -0,0 +1,41 @@ ++++ +title = "google_vertex_ai_datasets_data_items resource" + +draft = false + + +[menu.gcp] +title = "google_vertex_ai_datasets_data_items" +identifier = "inspec/resources/gcp/google_vertex_ai_datasets_data_items resource" +parent = "inspec/resources/gcp" ++++ + +Use the `google_vertex_ai_datasets_data_items` InSpec audit resource to to test a Google Cloud DatasetsDataItem resource. + +## Examples + +```ruby + describe google_vertex_ai_datasets_data_items(parent: "projects/#{gcp_project_id}/locations/#{datasets_data_item['region']}/datasets/#{datasets_data_item['dataset']}", region: ' value_region') do + it { should exist } + end +``` + +## Properties + +Properties that can be accessed from the `google_vertex_ai_datasets_data_items` resource: + +See [google_vertex_ai_datasets_data_item](google_vertex_ai_datasets_data_item) for more detailed information. + + * `update_times`: an array of `google_vertex_ai_datasets_data_item` update_time + * `etags`: an array of `google_vertex_ai_datasets_data_item` etag + * `names`: an array of `google_vertex_ai_datasets_data_item` name + * `create_times`: an array of `google_vertex_ai_datasets_data_item` create_time + * `payloads`: an array of `google_vertex_ai_datasets_data_item` payload + * `labels`: an array of `google_vertex_ai_datasets_data_item` labels + +## Filter criteria + +This resource supports all of the above properties as filter criteria, which can be used +with `where` as a block or a method. + +## GCP permissions 
diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_vertex_ai_datasets_saved_queries.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_vertex_ai_datasets_saved_queries.md
new file mode 100644
index 0000000..c13ca02
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_vertex_ai_datasets_saved_queries.md
@@ -0,0 +1,45 @@ ++++ +title = "google_vertex_ai_datasets_saved_queries resource" + +draft = false + + +[menu.gcp] +title = "google_vertex_ai_datasets_saved_queries" +identifier = "inspec/resources/gcp/google_vertex_ai_datasets_saved_queries resource" +parent = "inspec/resources/gcp" ++++ + +Use the `google_vertex_ai_datasets_saved_queries` InSpec audit resource to to test a Google Cloud DatasetsSavedQuery resource. + +## Examples + +```ruby + describe google_vertex_ai_datasets_saved_queries(parent: "projects/#{gcp_project_id}/locations/#{datasets_saved_query['region']}/datasets/#{datasets_saved_query['dataset']}", region: ' value_region') do + it { should exist } + end +``` + +## Properties + +Properties that can be accessed from the `google_vertex_ai_datasets_saved_queries` resource: + +See [google_vertex_ai_datasets_saved_query](google_vertex_ai_datasets_saved_query) for more detailed information. + + * `annotation_spec_counts`: an array of `google_vertex_ai_datasets_saved_query` annotation_spec_count + * `update_times`: an array of `google_vertex_ai_datasets_saved_query` update_time + * `support_automl_trainings`: an array of `google_vertex_ai_datasets_saved_query` support_automl_training + * `metadata`: an array of `google_vertex_ai_datasets_saved_query` metadata + * `problem_types`: an array of `google_vertex_ai_datasets_saved_query` problem_type + * `names`: an array of `google_vertex_ai_datasets_saved_query` name + * `create_times`: an array of `google_vertex_ai_datasets_saved_query` create_time + * `etags`: an array of `google_vertex_ai_datasets_saved_query` etag + * `display_names`: an array of `google_vertex_ai_datasets_saved_query` display_name + * `annotation_filters`: an array of `google_vertex_ai_datasets_saved_query` annotation_filter + +## Filter criteria + +This resource supports all of the above properties as filter criteria, which can be used +with `where` as a block or a method. + +## GCP permissions 
diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_vertex_ai_endpoint.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_vertex_ai_endpoint.md
new file mode 100644
index 0000000..b2d0888
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_vertex_ai_endpoint.md
@@ -0,0 +1,250 @@ ++++ +title = "google_vertex_ai_endpoint resource" + +draft = false + + +[menu.gcp] +title = "google_vertex_ai_endpoint" +identifier = "inspec/resources/gcp/google_vertex_ai_endpoint resource" +parent = "inspec/resources/gcp" ++++ + +Use the `google_vertex_ai_endpoint` InSpec audit resource to to test a Google Cloud Endpoint resource. + +## Examples + +```ruby +describe google_vertex_ai_endpoint(name: "projects/#{gcp_project_id}/locations/#{endpoint['region']}/endpoints/#{endpoint['name']}", region: ' value_region') do +it { should exist } + its('update_time') { should cmp 'value_updatetime' } + its('model_deployment_monitoring_job') { should cmp 'value_modeldeploymentmonitoringjob' } + its('description') { should cmp 'value_description' } + its('network') { should cmp 'value_network' } + its('display_name') { should cmp 'value_displayname' } + its('etag') { should cmp 'value_etag' } + its('create_time') { should cmp 'value_createtime' } + its('name') { should cmp 'value_name' } + +end + +describe google_vertex_ai_endpoint(name: "does_not_exit", region: ' value_region') do + it { should_not exist } +end +``` + +## Properties + +Properties that can be accessed from the `google_vertex_ai_endpoint` resource: + + + * `encryption_spec`: Represents a customer-managed encryption key spec that can be applied to a top-level resource. + + * `kms_key_name`: Required. The Cloud KMS resource identifier of the customer managed encryption key used to protect a resource. Has the form: `projects/my-project/locations/my-region/keyRings/my-kr/cryptoKeys/my-key`. The key needs to be in the same region as where the compute resource is created. + + * `enable_private_service_connect`: Deprecated: If true, expose the Endpoint via private service connect. Only one of the fields, network or enable_private_service_connect, can be set. + + * `update_time`: Output only. Timestamp when this Endpoint was last updated. + + * `model_deployment_monitoring_job`: Output only. 
Resource name of the Model Monitoring job associated with this Endpoint if monitoring is enabled by JobService.CreateModelDeploymentMonitoringJob. Format: `projects/{project}/locations/{location}/modelDeploymentMonitoringJobs/{model_deployment_monitoring_job}` + + * `description`: The description of the Endpoint. + + * `deployed_models`: Output only. The models deployed in this Endpoint. To add or remove DeployedModels use EndpointService.DeployModel and EndpointService.UndeployModel respectively. + + * `create_time`: Output only. Timestamp when the DeployedModel was created. + + * `private_endpoints`: PrivateEndpoints proto is used to provide paths for users to send requests privately. To send request via private service access, use predict_http_uri, explain_http_uri or health_http_uri. To send request via private service connect, use service_attachment. + + * `health_http_uri`: Output only. Http(s) path to send health check requests. + + * `explain_http_uri`: Output only. Http(s) path to send explain requests. + + * `predict_http_uri`: Output only. Http(s) path to send prediction requests. + + * `service_attachment`: Output only. The name of the service attachment resource. Populated if private service connect is enabled. + + * `disable_container_logging`: For custom-trained Models and AutoML Tabular Models, the container of the DeployedModel instances will send `stderr` and `stdout` streams to Cloud Logging by default. Please note that the logs incur cost, which are subject to [Cloud Logging pricing](https://cloud.google.com/logging/pricing). User can disable container logging by setting this flag to true. + + * `model_version_id`: Output only. The version ID of the model that is deployed. + + * `explanation_spec`: Specification of Model explanation. + + * `parameters`: Parameters to configure explaining for Model's predictions. + + * `output_indices`: If populated, only returns attributions that have output_index contained in output_indices. 
It must be an ndarray of integers, with the same shape of the output it's explaining. If not populated, returns attributions for top_k indices of outputs. If neither top_k nor output_indices is populated, returns the argmax index of the outputs. Only applicable to Models that predict multiple outputs (e,g, multi-class Models that predict multiple classes). + + * `examples`: Example-based explainability that returns the nearest neighbors from the provided dataset. + + * `presets`: Preset configuration for example-based explanations + + * `modality`: The modality of the uploaded model, which automatically configures the distance measurement and feature normalization for the underlying example index and queries. If your model does not precisely fit one of these types, it is okay to choose the closest type. + Possible values: + * MODALITY_UNSPECIFIED + * IMAGE + * TEXT + * TABULAR + + * `query`: Preset option controlling parameters for speed-precision trade-off when querying for examples. If omitted, defaults to `PRECISE`. + Possible values: + * PRECISE + * FAST + + * `neighbor_count`: The number of neighbors to return when querying for examples. + + * `example_gcs_source`: The Cloud Storage input instances. + + * `gcs_source`: The Google Cloud Storage location for the input content. + + * `uris`: Required. Google Cloud Storage URI(-s) to the input file(s). May contain wildcards. For more information on wildcards, see https://cloud.google.com/storage/docs/gsutil/addlhelp/WildcardNames. + + * `data_format`: The format in which instances are given, if not specified, assume it's JSONL format. Currently only JSONL format is supported. 
+ Possible values: + * DATA_FORMAT_UNSPECIFIED + * JSONL + + * `nearest_neighbor_search_config`: The full configuration for the generated index, the semantics are the same as metadata and should match [NearestNeighborSearchConfig](https://cloud.google.com/vertex-ai/docs/explainable-ai/configuring-explanations-example-based#nearest-neighbor-search-config). + + * `xrai_attribution`: An explanation method that redistributes Integrated Gradients attributions to segmented regions, taking advantage of the model's fully differentiable structure. Refer to this paper for more details: https://arxiv.org/abs/1906.02825 Supported only by image Models. + + * `smooth_grad_config`: Config for SmoothGrad approximation of gradients. When enabled, the gradients are approximated by averaging the gradients from noisy samples in the vicinity of the inputs. Adding noise can help improve the computed gradients. Refer to this paper for more details: https://arxiv.org/pdf/1706.03825.pdf + + * `feature_noise_sigma`: Noise sigma by features. Noise sigma represents the standard deviation of the gaussian kernel that will be used to add noise to interpolated inputs prior to computing gradients. + + * `noise_sigma`: Noise sigma per feature. No noise is added to features that are not set. + + * `name`: The name of the input feature for which noise sigma is provided. The features are defined in explanation metadata inputs. + + * `sigma`: This represents the standard deviation of the Gaussian kernel that will be used to add noise to the feature prior to computing gradients. Similar to noise_sigma but represents the noise added to the current feature. Defaults to 0.1. + + * `noise_sigma`: This is a single float value and will be used to add noise to all the features. Use this field when all features are normalized to have the same distribution: scale to range [0, 1], [-1, 1] or z-scoring, where features are normalized to have 0-mean and 1-variance. 
Learn more about [normalization](https://developers.google.com/machine-learning/data-prep/transform/normalization). For best results the recommended value is about 10% - 20% of the standard deviation of the input feature. Refer to section 3.2 of the SmoothGrad paper: https://arxiv.org/pdf/1706.03825.pdf. Defaults to 0.1. If the distribution is different per feature, set feature_noise_sigma instead for each feature. + + * `noisy_sample_count`: The number of gradient samples to use for approximation. The higher this number, the more accurate the gradient is, but the runtime complexity increases by this factor as well. Valid range of its value is [1, 50]. Defaults to 3. + + * `step_count`: Required. The number of steps for approximating the path integral. A good value to start is 50 and gradually increase until the sum to diff property is met within the desired error range. Valid range of its value is [1, 100], inclusively. + + * `blur_baseline_config`: Config for blur baseline. When enabled, a linear path from the maximally blurred image to the input image is created. Using a blurred baseline instead of zero (black image) is motivated by the BlurIG approach explained here: https://arxiv.org/abs/2004.03383 + + * `max_blur_sigma`: The standard deviation of the blur kernel for the blurred baseline. The same blurring parameter is used for both the height and the width dimension. If not set, the method defaults to the zero (i.e. black for images) baseline. + + * `top_k`: If populated, returns attributions for top K indices of outputs (defaults to 1). Only applies to Models that predicts more than one outputs (e,g, multi-class Models). When set to -1, returns explanations for all outputs. + + * `integrated_gradients_attribution`: An attribution method that computes the Aumann-Shapley value taking advantage of the model's fully differentiable structure. Refer to this paper for more details: https://arxiv.org/abs/1703.01365 + + * `step_count`: Required. 
The number of steps for approximating the path integral. A good value to start is 50 and gradually increase until the sum to diff property is within the desired error range. Valid range of its value is [1, 100], inclusively. + + * `smooth_grad_config`: Config for SmoothGrad approximation of gradients. When enabled, the gradients are approximated by averaging the gradients from noisy samples in the vicinity of the inputs. Adding noise can help improve the computed gradients. Refer to this paper for more details: https://arxiv.org/pdf/1706.03825.pdf + + * `feature_noise_sigma`: Noise sigma by features. Noise sigma represents the standard deviation of the gaussian kernel that will be used to add noise to interpolated inputs prior to computing gradients. + + * `noise_sigma`: Noise sigma per feature. No noise is added to features that are not set. + + * `name`: The name of the input feature for which noise sigma is provided. The features are defined in explanation metadata inputs. + + * `sigma`: This represents the standard deviation of the Gaussian kernel that will be used to add noise to the feature prior to computing gradients. Similar to noise_sigma but represents the noise added to the current feature. Defaults to 0.1. + + * `noise_sigma`: This is a single float value and will be used to add noise to all the features. Use this field when all features are normalized to have the same distribution: scale to range [0, 1], [-1, 1] or z-scoring, where features are normalized to have 0-mean and 1-variance. Learn more about [normalization](https://developers.google.com/machine-learning/data-prep/transform/normalization). For best results the recommended value is about 10% - 20% of the standard deviation of the input feature. Refer to section 3.2 of the SmoothGrad paper: https://arxiv.org/pdf/1706.03825.pdf. Defaults to 0.1. If the distribution is different per feature, set feature_noise_sigma instead for each feature. 
+
+ * `noisy_sample_count`: The number of gradient samples to use for approximation. The higher this number, the more accurate the gradient is, but the runtime complexity increases by this factor as well. Valid range of its value is [1, 50]. Defaults to 3.
+
+ * `blur_baseline_config`: Config for blur baseline. When enabled, a linear path from the maximally blurred image to the input image is created. Using a blurred baseline instead of zero (black image) is motivated by the BlurIG approach explained here: https://arxiv.org/abs/2004.03383
+
+ * `max_blur_sigma`: The standard deviation of the blur kernel for the blurred baseline. The same blurring parameter is used for both the height and the width dimension. If not set, the method defaults to the zero (i.e. black for images) baseline.
+
+ * `sampled_shapley_attribution`: An attribution method that approximates Shapley values for features that contribute to the label being predicted. A sampling strategy is used to approximate the value rather than considering all subsets of features.
+
+ * `path_count`: Required. The number of feature permutations to consider when approximating the Shapley values. Valid range of its value is [1, 50], inclusively.
+
+ * `metadata`: Metadata describing the Model's input and output for explanation.
+
+ * `feature_attributions_schema_uri`: Points to a YAML file stored on Google Cloud Storage describing the format of the feature attributions. The schema is defined as an OpenAPI 3.0.2 [Schema Object](https://github.com/OAI/OpenAPI-Specification/blob/main/versions/3.0.2.md#schemaObject). AutoML tabular Models always have this field populated by Vertex AI. Note: The URI given on output may be different, including the URI scheme, than the one given on input. The output URI will point to a location where the user only has a read access.
+
+ * `latent_space_source`: Name of the source to generate embeddings for example based explanations.
+
+ * `outputs`: Required. Map from output names to output metadata. For Vertex AI-provided Tensorflow images, keys can be any user defined string that consists of any UTF-8 characters. For custom images, keys are the name of the output field in the prediction to be explained. Currently only one key is allowed.
+
+ * `additional_properties`: Metadata of the prediction output to be explained.
+
+ * `inputs`: Required. Map from feature names to feature input metadata. Keys are the name of the features. Values are the specification of the feature. An empty InputMetadata is valid. It describes a text feature which has the name specified as the key in ExplanationMetadata.inputs. The baseline of the empty feature is chosen by Vertex AI. For Vertex AI-provided Tensorflow images, the key can be any friendly name of the feature. Once specified, featureAttributions are keyed by this key (if not grouped with another feature). For custom images, the key must match with the key in instance.
+
+ * `additional_properties`: Metadata of the input of a feature. Fields other than InputMetadata.input_baselines are applicable only for Models that are using Vertex AI-provided images for Tensorflow.
+
+ * `enable_access_logging`: If true, online prediction access logs are sent to Cloud Logging. These logs are like standard server access logs, containing information like timestamp and latency for each prediction request. Note that logs may incur a cost, especially if your project receives prediction requests at a high queries per second rate (QPS). Estimate your costs before enabling this option.
+
+ * `service_account`: The service account that the DeployedModel's container runs as. Specify the email address of the service account. If this service account is not specified, the container runs as a service account that doesn't have access to the resource project. Users deploying the Model must have the `iam.serviceAccounts.actAs` permission on this service account.
+
+ * `dedicated_resources`: A description of resources that are dedicated to a DeployedModel, and that need a higher degree of manual configuration.
+
+ * `machine_spec`: Specification of a single machine.
+
+ * `accelerator_type`: Immutable. The type of accelerator(s) that may be attached to the machine as per accelerator_count.
+ Possible values:
+ * ACCELERATOR_TYPE_UNSPECIFIED
+ * NVIDIA_TESLA_K80
+ * NVIDIA_TESLA_P100
+ * NVIDIA_TESLA_V100
+ * NVIDIA_TESLA_P4
+ * NVIDIA_TESLA_T4
+ * NVIDIA_TESLA_A100
+ * NVIDIA_A100_80GB
+ * NVIDIA_L4
+ * TPU_V2
+ * TPU_V3
+ * TPU_V4_POD
+
+ * `machine_type`: Immutable. The type of the machine. See the [list of machine types supported for prediction](https://cloud.google.com/vertex-ai/docs/predictions/configure-compute#machine-types) See the [list of machine types supported for custom training](https://cloud.google.com/vertex-ai/docs/training/configure-compute#machine-types). For DeployedModel this field is optional, and the default value is `n1-standard-2`. For BatchPredictionJob or as part of WorkerPoolSpec this field is required.
+
+ * `accelerator_count`: The number of accelerators to attach to the machine.
+
+ * `max_replica_count`: Immutable. The maximum number of replicas this DeployedModel may be deployed on when the traffic against it increases. If the requested value is too large, the deployment will error, but if deployment succeeds then the ability to scale the model to that many replicas is guaranteed (barring service outages). If traffic against the DeployedModel increases beyond what its replicas at maximum may handle, a portion of the traffic will be dropped. If this value is not provided, will use min_replica_count as the default value. The value of this field impacts the charge against Vertex CPU and GPU quotas. Specifically, you will be charged for (max_replica_count * number of cores in the selected machine type) and (max_replica_count * number of GPUs per replica in the selected machine type).
+
+ * `autoscaling_metric_specs`: Immutable. The metric specifications that overrides a resource utilization metric (CPU utilization, accelerator's duty cycle, and so on) target value (default to 60 if not set). At most one entry is allowed per metric. If machine_spec.accelerator_count is above 0, the autoscaling will be based on both CPU utilization and accelerator's duty cycle metrics and scale up when either metrics exceeds its target value while scale down if both metrics are under their target value. The default target value is 60 for both metrics. If machine_spec.accelerator_count is 0, the autoscaling will be based on CPU utilization metric only with default target value 60 if not explicitly set. For example, in the case of Online Prediction, if you want to override target CPU utilization to 80, you should set autoscaling_metric_specs.metric_name to `aiplatform.googleapis.com/prediction/online/cpu/utilization` and autoscaling_metric_specs.target to `80`.
+
+ * `target`: The target resource utilization in percentage (1% - 100%) for the given metric; once the real usage deviates from the target by a certain percentage, the machine replicas change. The default value is 60 (representing 60%) if not provided.
+
+ * `metric_name`: Required. The resource metric name. Supported metrics: * For Online Prediction: * `aiplatform.googleapis.com/prediction/online/accelerator/duty_cycle` * `aiplatform.googleapis.com/prediction/online/cpu/utilization`
+
+ * `min_replica_count`: Required. Immutable. The minimum number of machine replicas this DeployedModel will be always deployed on. This value must be greater than or equal to 1. If traffic against the DeployedModel increases, it may dynamically be deployed onto more replicas, and as traffic decreases, some of these extra replicas may be freed.
+
+ * `automatic_resources`: A description of resources that to large degree are decided by Vertex AI, and require only a modest additional configuration. Each Model supporting these resources documents its specific guidelines.
+
+ * `max_replica_count`: Immutable. The maximum number of replicas this DeployedModel may be deployed on when the traffic against it increases. If the requested value is too large, the deployment will error, but if deployment succeeds then the ability to scale the model to that many replicas is guaranteed (barring service outages). If traffic against the DeployedModel increases beyond what its replicas at maximum may handle, a portion of the traffic will be dropped. If this value is not provided, a no upper bound for scaling under heavy traffic will be assume, though Vertex AI may be unable to scale beyond certain replica number.
+
+ * `min_replica_count`: Immutable. The minimum number of replicas this DeployedModel will be always deployed on. If traffic against it increases, it may dynamically be deployed onto more replicas up to max_replica_count, and as traffic decreases, some of these extra replicas may be freed. If the requested value is too large, the deployment will error.
+
+ * `display_name`: The display name of the DeployedModel. If not provided upon creation, the Model's display_name is used.
+
+ * `model`: Required. The resource name of the Model that this is the deployment of. Note that the Model may be in a different location than the DeployedModel's Endpoint. The resource name may contain version id or version alias to specify the version. Example: `projects/{project}/locations/{location}/models/{model}@2` or `projects/{project}/locations/{location}/models/{model}@golden` if no version is specified, the default version will be deployed.
+
+ * `id`: Immutable. The ID of the DeployedModel. If not provided upon deployment, Vertex AI will generate a value for this ID. This value should be 1-10 characters, and valid characters are /[0-9]/.
+
+ * `network`: Optional. The full name of the Google Compute Engine [network](https://cloud.google.com//compute/docs/networks-and-firewalls#networks) to which the Endpoint should be peered. Private services access must already be configured for the network. If left unspecified, the Endpoint is not peered with any network. Only one of the fields, network or enable_private_service_connect, can be set. [Format](https://cloud.google.com/compute/docs/reference/rest/v1/networks/insert): `projects/{project}/global/networks/{network}`. Where `{project}` is a project number, as in `12345`, and `{network}` is network name.
+
+ * `traffic_split`: A map from a DeployedModel's ID to the percentage of this Endpoint's traffic that should be forwarded to that DeployedModel. If a DeployedModel's ID is not listed in this map, then it receives no traffic. The traffic percentage values must add up to 100, or map must be empty if the Endpoint is to not accept any traffic at a moment.
+
+ * `additional_properties`:
+
+ * `labels`: The labels with user-defined metadata to organize your Endpoints. Label keys and values can be no longer than 64 characters (Unicode codepoints), can only contain lowercase letters, numeric characters, underscores and dashes. International characters are allowed. See https://goo.gl/xmQnxf for more information and examples of labels.
+
+ * `additional_properties`:
+
+ * `display_name`: Required. The display name of the Endpoint. The name can be up to 128 characters long and can consist of any UTF-8 characters.
+
+ * `predict_request_response_logging_config`: Configuration for logging request-response to a BigQuery table.
+
+ * `sampling_rate`: Percentage of requests to be logged, expressed as a fraction in range(0,1].
+
+ * `enabled`: If logging is enabled or not.
+
+ * `bigquery_destination`: The BigQuery location for the output content.
+
+ * `output_uri`: Required. BigQuery URI to a project or table, up to 2000 characters long. When only the project is specified, the Dataset and Table is created. When the full table reference is specified, the Dataset must exist and table must not exist. Accepted forms: * BigQuery path. For example: `bq://projectId` or `bq://projectId.bqDatasetId` or `bq://projectId.bqDatasetId.bqTableId`.
+
+ * `etag`: Used to perform consistent read-modify-write updates. If not set, a blind "overwrite" update happens.
+
+ * `create_time`: Output only. Timestamp when this Endpoint was created.
+
+ * `name`: Output only. The resource name of the Endpoint.
+
+
+## GCP permissions
diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_vertex_ai_endpoints.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_vertex_ai_endpoints.md
new file mode 100644
index 0000000..79781a0
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_vertex_ai_endpoints.md
@@ -0,0 +1,49 @@
++++
+title = "google_vertex_ai_endpoints resource"
+
+draft = false
+
+
+[menu.gcp]
+title = "google_vertex_ai_endpoints"
+identifier = "inspec/resources/gcp/google_vertex_ai_endpoints resource"
+parent = "inspec/resources/gcp"
++++
+
+Use the `google_vertex_ai_endpoints` InSpec audit resource to to test a Google Cloud Endpoint resource.
+
+## Examples
+
+```ruby
+ describe google_vertex_ai_endpoints(parent: "projects/#{gcp_project_id}/locations/#{endpoint['region']}", region: ' value_region') do
+ it { should exist }
+ end
+```
+
+## Properties
+
+Properties that can be accessed from the `google_vertex_ai_endpoints` resource:
+
+See [google_vertex_ai_endpoint](google_vertex_ai_endpoint) for more detailed information.
+
+ * `encryption_specs`: an array of `google_vertex_ai_endpoint` encryption_spec
+ * `enable_private_service_connects`: an array of `google_vertex_ai_endpoint` enable_private_service_connect
+ * `update_times`: an array of `google_vertex_ai_endpoint` update_time
+ * `model_deployment_monitoring_jobs`: an array of `google_vertex_ai_endpoint` model_deployment_monitoring_job
+ * `descriptions`: an array of `google_vertex_ai_endpoint` description
+ * `deployed_models`: an array of `google_vertex_ai_endpoint` deployed_models
+ * `networks`: an array of `google_vertex_ai_endpoint` network
+ * `traffic_splits`: an array of `google_vertex_ai_endpoint` traffic_split
+ * `labels`: an array of `google_vertex_ai_endpoint` labels
+ * `display_names`: an array of `google_vertex_ai_endpoint` display_name
+ * `predict_request_response_logging_configs`: an array of `google_vertex_ai_endpoint` predict_request_response_logging_config
+ * `etags`: an array of `google_vertex_ai_endpoint` etag
+ * `create_times`: an array of `google_vertex_ai_endpoint` create_time
+ * `names`: an array of `google_vertex_ai_endpoint` name
+
+## Filter criteria
+
+This resource supports all of the above properties as filter criteria, which can be used
+with `where` as a block or a method.
+
+## GCP permissions
diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_vertex_ai_featurestore.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_vertex_ai_featurestore.md
new file mode 100644
index 0000000..b4a8602
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_vertex_ai_featurestore.md
@@ -0,0 +1,75 @@
++++
+title = "google_vertex_ai_featurestore resource"
+
+draft = false
+
+
+[menu.gcp]
+title = "google_vertex_ai_featurestore"
+identifier = "inspec/resources/gcp/google_vertex_ai_featurestore resource"
+parent = "inspec/resources/gcp"
++++
+
+Use the `google_vertex_ai_featurestore` InSpec audit resource to to test a Google Cloud Featurestore resource.
+
+## Examples
+
+```ruby
+describe google_vertex_ai_featurestore(name: "projects/#{gcp_project_id}/locations/#{featurestore['region']}/featurestores/#{featurestore['name']}", region: ' value_region') do
+ it { should exist }
+ its('state') { should cmp 'value_state' }
+ its('create_time') { should cmp 'value_createtime' }
+ its('etag') { should cmp 'value_etag' }
+ its('update_time') { should cmp 'value_updatetime' }
+ its('name') { should cmp 'value_name' }
+
+end
+
+describe google_vertex_ai_featurestore(name: "does_not_exit", region: ' value_region') do
+ it { should_not exist }
+end
+```
+
+## Properties
+
+Properties that can be accessed from the `google_vertex_ai_featurestore` resource:
+
+
+ * `state`: Output only. State of the featurestore.
+ Possible values:
+ * STATE_UNSPECIFIED
+ * STABLE
+ * UPDATING
+
+ * `create_time`: Output only. Timestamp when this Featurestore was created.
+
+ * `etag`: Optional. Used to perform consistent read-modify-write updates. If not set, a blind "overwrite" update happens.
+
+ * `online_storage_ttl_days`: Optional. TTL in days for feature values that will be stored in online serving storage. The Feature Store online storage periodically removes obsolete feature values older than `online_storage_ttl_days` since the feature generation time. Note that `online_storage_ttl_days` should be less than or equal to `offline_storage_ttl_days` for each EntityType under a featurestore. If not set, default to 4000 days
+
+ * `encryption_spec`: Represents a customer-managed encryption key spec that can be applied to a top-level resource.
+
+ * `kms_key_name`: Required. The Cloud KMS resource identifier of the customer managed encryption key used to protect a resource. Has the form: `projects/my-project/locations/my-region/keyRings/my-kr/cryptoKeys/my-key`. The key needs to be in the same region as where the compute resource is created.
+
+ * `labels`: Optional. The labels with user-defined metadata to organize your Featurestore. Label keys and values can be no longer than 64 characters (Unicode codepoints), can only contain lowercase letters, numeric characters, underscores and dashes. International characters are allowed. See https://goo.gl/xmQnxf for more information on and examples of labels. No more than 64 user labels can be associated with one Featurestore(System labels are excluded)." System reserved label keys are prefixed with "aiplatform.googleapis.com/" and are immutable.
+
+ * `additional_properties`:
+
+ * `update_time`: Output only. Timestamp when this Featurestore was last updated.
+
+ * `name`: Output only. Name of the Featurestore. Format: `projects/{project}/locations/{location}/featurestores/{featurestore}`
+
+ * `online_serving_config`: OnlineServingConfig specifies the details for provisioning online serving resources.
+
+ * `fixed_node_count`: The number of nodes for the online store. The number of nodes doesn't scale automatically, but you can manually update the number of nodes. If set to 0, the featurestore will not have an online store and cannot be used for online serving.
+
+ * `scaling`: Online serving scaling configuration. If min_node_count and max_node_count are set to the same value, the cluster will be configured with the fixed number of node (no auto-scaling).
+
+ * `max_node_count`: The maximum number of nodes to scale up to. Must be greater than min_node_count, and less than or equal to 10 times of 'min_node_count'.
+
+ * `min_node_count`: Required. The minimum number of nodes to scale down to. Must be greater than or equal to 1.
+
+ * `cpu_utilization_target`: Optional. The cpu utilization that the Autoscaler should be trying to achieve. This number is on a scale from 0 (no utilization) to 100 (total utilization), and is limited between 10 and 80. When a cluster's CPU utilization exceeds the target that you have set, Bigtable immediately adds nodes to the cluster. When CPU utilization is substantially lower than the target, Bigtable removes nodes. If not set or set to 0, default to 50.
+
+
+## GCP permissions
diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_vertex_ai_featurestore_entity_type_feature.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_vertex_ai_featurestore_entity_type_feature.md
new file mode 100644
index 0000000..716db17
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_vertex_ai_featurestore_entity_type_feature.md
@@ -0,0 +1,71 @@
++++
+title = "google_vertex_ai_featurestore_entity_type_feature resource"
+
+draft = false
+
+
+[menu.gcp]
+title = "google_vertex_ai_featurestore_entity_type_feature"
+identifier = "inspec/resources/gcp/google_vertex_ai_featurestore_entity_type_feature resource"
+parent = "inspec/resources/gcp"
++++
+
+Use the `google_vertex_ai_featurestore_entity_type_feature` InSpec audit resource to to test a Google Cloud FeaturestoreEntityTypeFeature resource.
+
+## Examples
+
+```ruby
+describe google_vertex_ai_featurestore_entity_type_feature(name: "projects/#{gcp_project_id}/locations/#{featurestore_entity_type_feature['region']}/featurestores/#{featurestore_entity_type_feature['featurestore']}/entityTypes/#{featurestore_entity_type_feature['entityType']}/features/#{featurestore_entity_type_feature['feature']}", region: ' value_region') do
+ it { should exist }
+ its('description') { should cmp 'value_description' }
+ its('create_time') { should cmp 'value_createtime' }
+ its('etag') { should cmp 'value_etag' }
+ its('name') { should cmp 'value_name' }
+ its('update_time') { should cmp 'value_updatetime' }
+ its('value_type') { should cmp 'value_valuetype' }
+
+end
+
+describe google_vertex_ai_featurestore_entity_type_feature(name: "does_not_exit", region: ' value_region') do
+ it { should_not exist }
+end
+```
+
+## Properties
+
+Properties that can be accessed from the `google_vertex_ai_featurestore_entity_type_feature` resource:
+
+
+ * `description`: Description of the Feature.
+
+ * `create_time`: Output only. Timestamp when this EntityType was created.
+
+ * `monitoring_stats_anomalies`: Output only. The list of historical stats and anomalies with specified objectives.
+
+ * `etag`: Used to perform a consistent read-modify-write updates. If not set, a blind "overwrite" update happens.
+
+ * `labels`: Optional. The labels with user-defined metadata to organize your Features. Label keys and values can be no longer than 64 characters (Unicode codepoints), can only contain lowercase letters, numeric characters, underscores and dashes. International characters are allowed. See https://goo.gl/xmQnxf for more information on and examples of labels. No more than 64 user labels can be associated with one Feature (System labels are excluded)." System reserved label keys are prefixed with "aiplatform.googleapis.com/" and are immutable.
+
+ * `additional_properties`:
+
+ * `name`: Immutable. Name of the Feature. Format: `projects/{project}/locations/{location}/featurestores/{featurestore}/entityTypes/{entity_type}/features/{feature}` The last part feature is assigned by the client. The feature can be up to 64 characters long and can consist only of ASCII Latin letters A-Z and a-z, underscore(_), and ASCII digits 0-9 starting with a letter. The value will be unique given an entity type.
+
+ * `update_time`: Output only. Timestamp when this EntityType was most recently updated.
+
+ * `disable_monitoring`: Optional. If not set, use the monitoring_config defined for the EntityType this Feature belongs to. Only Features with type (Feature.ValueType) BOOL, STRING, DOUBLE or INT64 can enable monitoring. If set to true, all types of data monitoring are disabled despite the config on EntityType.
+
+ * `value_type`: Required. Immutable. Type of Feature value.
+ Possible values:
+ * VALUE_TYPE_UNSPECIFIED
+ * BOOL
+ * BOOL_ARRAY
+ * DOUBLE
+ * DOUBLE_ARRAY
+ * INT64
+ * INT64_ARRAY
+ * STRING
+ * STRING_ARRAY
+ * BYTES
+
+
+## GCP permissions
diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_vertex_ai_featurestore_entity_type_features.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_vertex_ai_featurestore_entity_type_features.md
new file mode 100644
index 0000000..9192891
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_vertex_ai_featurestore_entity_type_features.md
@@ -0,0 +1,44 @@
++++
+title = "google_vertex_ai_featurestore_entity_type_features resource"
+
+draft = false
+
+
+[menu.gcp]
+title = "google_vertex_ai_featurestore_entity_type_features"
+identifier = "inspec/resources/gcp/google_vertex_ai_featurestore_entity_type_features resource"
+parent = "inspec/resources/gcp"
++++
+
+Use the `google_vertex_ai_featurestore_entity_type_features` InSpec audit resource to to test a Google Cloud FeaturestoreEntityTypeFeature resource.
+
+## Examples
+
+```ruby
+ describe google_vertex_ai_featurestore_entity_type_features(parent: "projects/#{gcp_project_id}/locations/#{featurestore_entity_type_feature['region']}/featurestores/#{featurestore_entity_type_feature['featurestore']}/entityTypes/#{featurestore_entity_type_feature['entityType']}", region: ' value_region') do
+ it { should exist }
+ end
+```
+
+## Properties
+
+Properties that can be accessed from the `google_vertex_ai_featurestore_entity_type_features` resource:
+
+See [google_vertex_ai_featurestore_entity_type_feature](google_vertex_ai_featurestore_entity_type_feature) for more detailed information.
+
+ * `descriptions`: an array of `google_vertex_ai_featurestore_entity_type_feature` description
+ * `create_times`: an array of `google_vertex_ai_featurestore_entity_type_feature` create_time
+ * `monitoring_stats_anomalies`: an array of `google_vertex_ai_featurestore_entity_type_feature` monitoring_stats_anomalies
+ * `etags`: an array of `google_vertex_ai_featurestore_entity_type_feature` etag
+ * `labels`: an array of `google_vertex_ai_featurestore_entity_type_feature` labels
+ * `names`: an array of `google_vertex_ai_featurestore_entity_type_feature` name
+ * `update_times`: an array of `google_vertex_ai_featurestore_entity_type_feature` update_time
+ * `disable_monitorings`: an array of `google_vertex_ai_featurestore_entity_type_feature` disable_monitoring
+ * `value_types`: an array of `google_vertex_ai_featurestore_entity_type_feature` value_type
+
+## Filter criteria
+
+This resource supports all of the above properties as filter criteria, which can be used
+with `where` as a block or a method.
+
+## GCP permissions
diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_vertex_ai_featurestores.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_vertex_ai_featurestores.md
new file mode 100644
index 0000000..c1a3f65
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_vertex_ai_featurestores.md
@@ -0,0 +1,44 @@
++++
+title = "google_vertex_ai_featurestores resource"
+
+draft = false
+
+
+[menu.gcp]
+title = "google_vertex_ai_featurestores"
+identifier = "inspec/resources/gcp/google_vertex_ai_featurestores resource"
+parent = "inspec/resources/gcp"
++++
+
+Use the `google_vertex_ai_featurestores` InSpec audit resource to to test a Google Cloud Featurestore resource.
+
+## Examples
+
+```ruby
+ describe google_vertex_ai_featurestores(parent: "projects/#{gcp_project_id}/locations/#{featurestore['region']}", region: ' value_region') do
+ it { should exist }
+ end
+```
+
+## Properties
+
+Properties that can be accessed from the `google_vertex_ai_featurestores` resource:
+
+See [google_vertex_ai_featurestore](google_vertex_ai_featurestore) for more detailed information.
+
+ * `states`: an array of `google_vertex_ai_featurestore` state
+ * `create_times`: an array of `google_vertex_ai_featurestore` create_time
+ * `etags`: an array of `google_vertex_ai_featurestore` etag
+ * `online_storage_ttl_days`: an array of `google_vertex_ai_featurestore` online_storage_ttl_days
+ * `encryption_specs`: an array of `google_vertex_ai_featurestore` encryption_spec
+ * `labels`: an array of `google_vertex_ai_featurestore` labels
+ * `update_times`: an array of `google_vertex_ai_featurestore` update_time
+ * `names`: an array of `google_vertex_ai_featurestore` name
+ * `online_serving_configs`: an array of `google_vertex_ai_featurestore` online_serving_config
+
+## Filter criteria
+
+This resource supports all of the above properties as filter criteria, which can be used
+with `where` as a block or a method.
+
+## GCP permissions
diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_vertex_ai_featurestores_entity_type.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_vertex_ai_featurestores_entity_type.md
new file mode 100644
index 0000000..9b85fce
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_vertex_ai_featurestores_entity_type.md
@@ -0,0 +1,89 @@
++++
+title = "google_vertex_ai_featurestores_entity_type resource"
+
+draft = false
+
+
+[menu.gcp]
+title = "google_vertex_ai_featurestores_entity_type"
+identifier = "inspec/resources/gcp/google_vertex_ai_featurestores_entity_type resource"
+parent = "inspec/resources/gcp"
++++
+
+Use the `google_vertex_ai_featurestores_entity_type` InSpec audit resource to to test a Google Cloud FeaturestoresEntityType resource.
+
+## Examples
+
+```ruby
+describe google_vertex_ai_featurestores_entity_type(name: "projects/#{gcp_project_id}/locations/#{featurestores_entity_type['region']}/featurestores/#{featurestores_entity_type['featurestore']}/entityTypes/#{featurestores_entity_type['name']}", region: ' value_region') do
+ it { should exist }
+ its('description') { should cmp 'value_description' }
+ its('name') { should cmp 'value_name' }
+ its('create_time') { should cmp 'value_createtime' }
+ its('etag') { should cmp 'value_etag' }
+ its('update_time') { should cmp 'value_updatetime' }
+
+end
+
+describe google_vertex_ai_featurestores_entity_type(name: "does_not_exit", region: ' value_region') do
+ it { should_not exist }
+end
+```
+
+## Properties
+
+Properties that can be accessed from the `google_vertex_ai_featurestores_entity_type` resource:
+
+
+ * `labels`: Optional. The labels with user-defined metadata to organize your EntityTypes. Label keys and values can be no longer than 64 characters (Unicode codepoints), can only contain lowercase letters, numeric characters, underscores and dashes. International characters are allowed. See https://goo.gl/xmQnxf for more information on and examples of labels. No more than 64 user labels can be associated with one EntityType (System labels are excluded)." System reserved label keys are prefixed with "aiplatform.googleapis.com/" and are immutable.
+
+ * `additional_properties`:
+
+ * `description`: Optional. Description of the EntityType.
+
+ * `name`: Immutable. Name of the EntityType. Format: `projects/{project}/locations/{location}/featurestores/{featurestore}/entityTypes/{entity_type}` The last part entity_type is assigned by the client. The entity_type can be up to 64 characters long and can consist only of ASCII Latin letters A-Z and a-z and underscore(_), and ASCII digits 0-9 starting with a letter. The value will be unique given a featurestore.
+
+ * `create_time`: Output only. Timestamp when this EntityType was created.
+
+ * `monitoring_config`: Configuration of how features in Featurestore are monitored.
+
+ * `import_features_analysis`: Configuration of the Featurestore's ImportFeature Analysis Based Monitoring. This type of analysis generates statistics for values of each Feature imported by every ImportFeatureValues operation.
+
+ * `anomaly_detection_baseline`: The baseline used to do anomaly detection for the statistics generated by import features analysis.
+ Possible values:
+ * BASELINE_UNSPECIFIED
+ * LATEST_STATS
+ * MOST_RECENT_SNAPSHOT_STATS
+ * PREVIOUS_IMPORT_FEATURES_STATS
+
+ * `state`: Whether to enable / disable / inherite default hebavior for import features analysis.
+ Possible values:
+ * STATE_UNSPECIFIED
+ * DEFAULT
+ * ENABLED
+ * DISABLED
+
+ * `numerical_threshold_config`: The config for Featurestore Monitoring threshold.
+
+ * `value`: Specify a threshold value that can trigger the alert. 1. For categorical feature, the distribution distance is calculated by L-inifinity norm. 2. For numerical feature, the distribution distance is calculated by Jensen–Shannon divergence. Each feature must have a non-zero threshold if they need to be monitored. Otherwise no alert will be triggered for that feature.
+
+ * `categorical_threshold_config`: The config for Featurestore Monitoring threshold.
+
+ * `value`: Specify a threshold value that can trigger the alert. 1. For categorical feature, the distribution distance is calculated by L-inifinity norm. 2. For numerical feature, the distribution distance is calculated by Jensen–Shannon divergence. Each feature must have a non-zero threshold if they need to be monitored. Otherwise no alert will be triggered for that feature.
+
+ * `snapshot_analysis`: Configuration of the Featurestore's Snapshot Analysis Based Monitoring. This type of analysis generates statistics for each Feature based on a snapshot of the latest feature value of each entities every monitoring_interval.
+
+ * `monitoring_interval_days`: Configuration of the snapshot analysis based monitoring pipeline running interval. The value indicates number of days.
+
+ * `staleness_days`: Customized export features time window for snapshot analysis. Unit is one day. Default value is 3 weeks. Minimum value is 1 day. Maximum value is 4000 days.
+
+ * `disabled`: The monitoring schedule for snapshot analysis. For EntityType-level config: unset / disabled = true indicates disabled by default for Features under it; otherwise by default enable snapshot analysis monitoring with monitoring_interval for Features under it. Feature-level config: disabled = true indicates disabled regardless of the EntityType-level config; unset monitoring_interval indicates going with EntityType-level config; otherwise run snapshot analysis monitoring with monitoring_interval regardless of the EntityType-level config. Explicitly Disable the snapshot analysis based monitoring.
+
+ * `etag`: Optional. Used to perform a consistent read-modify-write updates. If not set, a blind "overwrite" update happens.
+
+ * `update_time`: Output only. Timestamp when this EntityType was most recently updated.
+
+ * `offline_storage_ttl_days`: Optional. Config for data retention policy in offline storage. TTL in days for feature values that will be stored in offline storage. The Feature Store offline storage periodically removes obsolete feature values older than `offline_storage_ttl_days` since the feature generation time. If unset (or explicitly set to 0), default to 4000 days TTL.
+
+
+## GCP permissions
diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_vertex_ai_featurestores_entity_types.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_vertex_ai_featurestores_entity_types.md
new file mode 100644
index 0000000..3bc705f
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_vertex_ai_featurestores_entity_types.md
@@ -0,0 +1,43 @@ ++++ +title = "google_vertex_ai_featurestores_entity_types resource" + +draft = false + + +[menu.gcp] +title = "google_vertex_ai_featurestores_entity_types" +identifier = "inspec/resources/gcp/google_vertex_ai_featurestores_entity_types resource" +parent = "inspec/resources/gcp" ++++ + +Use the `google_vertex_ai_featurestores_entity_types` InSpec audit resource to to test a Google Cloud FeaturestoresEntityType resource. + +## Examples + +```ruby + describe google_vertex_ai_featurestores_entity_types(parent: "projects/#{gcp_project_id}/locations/#{featurestores_entity_type['region']}/featurestores/#{featurestores_entity_type['featurestore']}", region: ' value_region') do + it { should exist } + end +``` + +## Properties + +Properties that can be accessed from the `google_vertex_ai_featurestores_entity_types` resource: + +See [google_vertex_ai_featurestores_entity_type](google_vertex_ai_featurestores_entity_type) for more detailed information. + + * `labels`: an array of `google_vertex_ai_featurestores_entity_type` labels + * `descriptions`: an array of `google_vertex_ai_featurestores_entity_type` description + * `names`: an array of `google_vertex_ai_featurestores_entity_type` name + * `create_times`: an array of `google_vertex_ai_featurestores_entity_type` create_time + * `monitoring_configs`: an array of `google_vertex_ai_featurestores_entity_type` monitoring_config + * `etags`: an array of `google_vertex_ai_featurestores_entity_type` etag + * `update_times`: an array of `google_vertex_ai_featurestores_entity_type` update_time + * `offline_storage_ttl_days`: an array of `google_vertex_ai_featurestores_entity_type` offline_storage_ttl_days + +## Filter criteria + +This resource supports all of the above properties as filter criteria, which can be used +with `where` as a block or a method. + +## GCP permissions 
diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_vertex_ai_hyperparameter_tuning_job.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_vertex_ai_hyperparameter_tuning_job.md
new file mode 100644
index 0000000..d59e045
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_vertex_ai_hyperparameter_tuning_job.md
@@ -0,0 +1,88 @@ ++++ +title = "google_vertex_ai_hyperparameter_tuning_job resource" + +draft = false + + +[menu.gcp] +title = "google_vertex_ai_hyperparameter_tuning_job" +identifier = "inspec/resources/gcp/google_vertex_ai_hyperparameter_tuning_job resource" +parent = "inspec/resources/gcp" ++++ + +Use the `google_vertex_ai_hyperparameter_tuning_job` InSpec audit resource to to test a Google Cloud HyperparameterTuningJob resource. + +## Examples + +```ruby +describe google_vertex_ai_hyperparameter_tuning_job(name: "projects/#{gcp_project_id}/locations/#{hyperparameter_tuning_job['region']}/hyperparameterTuningJobs/#{hyperparameter_tuning_job['name']}", region: ' value_region') do + it { should exist } + its('state') { should cmp 'value_state' } + its('end_time') { should cmp 'value_endtime' } + its('update_time') { should cmp 'value_updatetime' } + its('start_time') { should cmp 'value_starttime' } + its('create_time') { should cmp 'value_createtime' } + its('display_name') { should cmp 'value_displayname' } + its('name') { should cmp 'value_name' } + +end + +describe google_vertex_ai_hyperparameter_tuning_job(name: "does_not_exit", region: ' value_region') do + it { should_not exist } +end +``` + +## Properties + +Properties that can be accessed from the `google_vertex_ai_hyperparameter_tuning_job` resource: + + + * `study_spec`: Required. Study configuration of the HyperparameterTuningJob. + + * `trials`: Output only. Trials of the HyperparameterTuningJob. + + * `state`: Output only. The detailed state of the job. + Possible values: + * JOB_STATE_UNSPECIFIED + * JOB_STATE_QUEUED + * JOB_STATE_PENDING + * JOB_STATE_RUNNING + * JOB_STATE_SUCCEEDED + * JOB_STATE_FAILED + * JOB_STATE_CANCELLING + * JOB_STATE_CANCELLED + * JOB_STATE_PAUSED + * JOB_STATE_EXPIRED + * JOB_STATE_UPDATING + * JOB_STATE_PARTIALLY_SUCCEEDED + + * `max_failed_trial_count`: The number of failed Trials that need to be seen before failing the HyperparameterTuningJob. 
If set to 0, Vertex AI decides how many Trials must fail before the whole job fails. + + * `encryption_spec`: Customer-managed encryption key options for a HyperparameterTuningJob. If this is set, then all resources created by the HyperparameterTuningJob will be encrypted with the provided encryption key. + + * `error`: Output only. Only populated when job's state is JOB_STATE_FAILED or JOB_STATE_CANCELLED. + + * `end_time`: Output only. Time when the HyperparameterTuningJob entered any of the following states: `JOB_STATE_SUCCEEDED`, `JOB_STATE_FAILED`, `JOB_STATE_CANCELLED`. + + * `update_time`: Output only. Time when the HyperparameterTuningJob was most recently updated. + + * `start_time`: Output only. Time when the HyperparameterTuningJob for the first time entered the `JOB_STATE_RUNNING` state. + + * `labels`: The labels with user-defined metadata to organize HyperparameterTuningJobs. Label keys and values can be no longer than 64 characters (Unicode codepoints), can only contain lowercase letters, numeric characters, underscores and dashes. International characters are allowed. See https://goo.gl/xmQnxf for more information and examples of labels. + + * `additional_properties`: + + * `create_time`: Output only. Time when the HyperparameterTuningJob was created. + + * `parallel_trial_count`: Required. The desired number of Trials to run in parallel. + + * `trial_job_spec`: Required. The spec of a trial job. The same spec applies to the CustomJobs created in all the trials. + + * `max_trial_count`: Required. The desired total number of Trials. + + * `display_name`: Required. The display name of the HyperparameterTuningJob. The name can be up to 128 characters long and can consist of any UTF-8 characters. + + * `name`: Output only. Resource name of the HyperparameterTuningJob. + + +## GCP permissions 
diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_vertex_ai_hyperparameter_tuning_jobs.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_vertex_ai_hyperparameter_tuning_jobs.md
new file mode 100644
index 0000000..e031fea
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_vertex_ai_hyperparameter_tuning_jobs.md
@@ -0,0 +1,51 @@ ++++ +title = "google_vertex_ai_hyperparameter_tuning_jobs resource" + +draft = false + + +[menu.gcp] +title = "google_vertex_ai_hyperparameter_tuning_jobs" +identifier = "inspec/resources/gcp/google_vertex_ai_hyperparameter_tuning_jobs resource" +parent = "inspec/resources/gcp" ++++ + +Use the `google_vertex_ai_hyperparameter_tuning_jobs` InSpec audit resource to to test a Google Cloud HyperparameterTuningJob resource. + +## Examples + +```ruby + describe google_vertex_ai_hyperparameter_tuning_jobs(parent: "projects/#{gcp_project_id}/locations/#{hyperparameter_tuning_job['region']}", region: ' value_region') do + it { should exist } + end +``` + +## Properties + +Properties that can be accessed from the `google_vertex_ai_hyperparameter_tuning_jobs` resource: + +See [google_vertex_ai_hyperparameter_tuning_job](google_vertex_ai_hyperparameter_tuning_job) for more detailed information. + + * `study_specs`: an array of `google_vertex_ai_hyperparameter_tuning_job` study_spec + * `trials`: an array of `google_vertex_ai_hyperparameter_tuning_job` trials + * `states`: an array of `google_vertex_ai_hyperparameter_tuning_job` state + * `max_failed_trial_counts`: an array of `google_vertex_ai_hyperparameter_tuning_job` max_failed_trial_count + * `encryption_specs`: an array of `google_vertex_ai_hyperparameter_tuning_job` encryption_spec + * `errors`: an array of `google_vertex_ai_hyperparameter_tuning_job` error + * `end_times`: an array of `google_vertex_ai_hyperparameter_tuning_job` end_time + * `update_times`: an array of `google_vertex_ai_hyperparameter_tuning_job` update_time + * `start_times`: an array of `google_vertex_ai_hyperparameter_tuning_job` start_time + * `labels`: an array of `google_vertex_ai_hyperparameter_tuning_job` labels + * `create_times`: an array of `google_vertex_ai_hyperparameter_tuning_job` create_time + * `parallel_trial_counts`: an array of `google_vertex_ai_hyperparameter_tuning_job` parallel_trial_count + * `trial_job_specs`: 
an array of `google_vertex_ai_hyperparameter_tuning_job` trial_job_spec + * `max_trial_counts`: an array of `google_vertex_ai_hyperparameter_tuning_job` max_trial_count + * `display_names`: an array of `google_vertex_ai_hyperparameter_tuning_job` display_name + * `names`: an array of `google_vertex_ai_hyperparameter_tuning_job` name + +## Filter criteria + +This resource supports all of the above properties as filter criteria, which can be used +with `where` as a block or a method. + +## GCP permissions
diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_vertex_ai_index.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_vertex_ai_index.md
new file mode 100644
index 0000000..44561ed
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_vertex_ai_index.md
@@ -0,0 +1,72 @@ ++++ +title = "google_vertex_ai_index resource" + +draft = false + + +[menu.gcp] +title = "google_vertex_ai_index" +identifier = "inspec/resources/gcp/google_vertex_ai_index resource" +parent = "inspec/resources/gcp" ++++ + +Use the `google_vertex_ai_index` InSpec audit resource to to test a Google Cloud Index resource. + +## Examples + +```ruby +describe google_vertex_ai_index(name: "projects/#{gcp_project_id}/locations/#{index['region']}/indexes/#{index['name']}", region: ' value_region') do + it { should exist } + its('description') { should cmp 'value_description' } + its('name') { should cmp 'value_name' } + its('display_name') { should cmp 'value_displayname' } + its('metadata_schema_uri') { should cmp 'value_metadataschemauri' } + its('index_update_method') { should cmp 'value_indexupdatemethod' } + its('update_time') { should cmp 'value_updatetime' } + its('create_time') { should cmp 'value_createtime' } + its('etag') { should cmp 'value_etag' } + +end + +describe google_vertex_ai_index(name: "does_not_exit", region: ' value_region') do + it { should_not exist } +end +``` + +## Properties + +Properties that can be accessed from the `google_vertex_ai_index` resource: + + + * `description`: The description of the Index. + + * `metadata`: An additional information about the Index; the schema of the metadata can be found in metadata_schema. + + * `index_stats`: Output only. Stats of the index resource. + + * `name`: Output only. The resource name of the Index. + + * `deployed_indexes`: Output only. The pointers to DeployedIndexes created from this Index. An Index can be only deleted if all its DeployedIndexes had been undeployed first. + + * `display_name`: Required. The display name of the Index. The name can be up to 128 characters long and can consist of any UTF-8 characters. + + * `metadata_schema_uri`: Immutable. Points to a YAML file stored on Google Cloud Storage describing additional information about the Index, that is specific to it. 
Unset if the Index does not have any additional information. The schema is defined as an OpenAPI 3.0.2 [Schema Object](https://github.com/OAI/OpenAPI-Specification/blob/main/versions/3.0.2.md#schemaObject). Note: The URI given on output will be immutable and probably different, including the URI scheme, than the one given on input. The output URI will point to a location where the user only has a read access. + + * `index_update_method`: Immutable. The update method to use with this Index. If not set, BATCH_UPDATE will be used by default. + Possible values: + * INDEX_UPDATE_METHOD_UNSPECIFIED + * BATCH_UPDATE + * STREAM_UPDATE + + * `update_time`: Output only. Timestamp when this Index was most recently updated. This also includes any update to the contents of the Index. Note that Operations working on this Index may have their Operations.metadata.generic_metadata.update_time a little after the value of this timestamp, yet that does not mean their results are not already reflected in the Index. Result of any successfully completed Operation on the Index is reflected in it. + + * `create_time`: Output only. Timestamp when this Index was created. + + * `etag`: Used to perform consistent read-modify-write updates. If not set, a blind "overwrite" update happens. + + * `labels`: The labels with user-defined metadata to organize your Indexes. Label keys and values can be no longer than 64 characters (Unicode codepoints), can only contain lowercase letters, numeric characters, underscores and dashes. International characters are allowed. See https://goo.gl/xmQnxf for more information and examples of labels. + + * `additional_properties`: + + +## GCP permissions diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_vertex_ai_index_endpoint.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_vertex_ai_index_endpoint.md new file mode 100644 index 0000000..5224ad8 --- /dev/null 
+++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_vertex_ai_index_endpoint.md 
@@ -0,0 +1,143 @@ ++++ +title = "google_vertex_ai_index_endpoint resource" + +draft = false + + +[menu.gcp] +title = "google_vertex_ai_index_endpoint" +identifier = "inspec/resources/gcp/google_vertex_ai_index_endpoint resource" +parent = "inspec/resources/gcp" ++++ + +Use the `google_vertex_ai_index_endpoint` InSpec audit resource to to test a Google Cloud IndexEndpoint resource. + +## Examples + +```ruby +describe google_vertex_ai_index_endpoint(name: "projects/#{gcp_project_id}/locations/#{index_endpoint['region']}/indexEndpoints/#{index_endpoint['name']}", region: ' value_region') do + it { should exist } + its('display_name') { should cmp 'value_displayname' } + its('create_time') { should cmp 'value_createtime' } + its('name') { should cmp 'value_name' } + its('network') { should cmp 'value_network' } + its('update_time') { should cmp 'value_updatetime' } + its('public_endpoint_domain_name') { should cmp 'value_publicendpointdomainname' } + its('etag') { should cmp 'value_etag' } + its('description') { should cmp 'value_description' } + +end + +describe google_vertex_ai_index_endpoint(name: "does_not_exit", region: ' value_region') do + it { should_not exist } +end +``` + +## Properties + +Properties that can be accessed from the `google_vertex_ai_index_endpoint` resource: + + + * `deployed_indexes`: Output only. The indexes deployed in this endpoint. + + * `private_endpoints`: IndexPrivateEndpoints proto is used to provide paths for users to send requests via private endpoints (e.g. private service access, private service connect). To send request via private service access, use match_grpc_address. To send request via private service connect, use service_attachment. + + * `service_attachment`: Output only. The name of the service attachment resource. Populated if private service connect is enabled. + + * `match_grpc_address`: Output only. The ip address used to send match gRPC requests. + + * `deployment_group`: Optional. 
The deployment group can be no longer than 64 characters (eg: 'test', 'prod'). If not set, we will use the 'default' deployment group. Creating `deployment_groups` with `reserved_ip_ranges` is a recommended practice when the peered network has multiple peering ranges. This creates your deployments from predictable IP spaces for easier traffic administration. Also, one deployment_group (except 'default') can only be used with the same reserved_ip_ranges which means if the deployment_group has been used with reserved_ip_ranges: [a, b, c], using it with [a, b] or [d, e] is disallowed. Note: we only support up to 5 deployment groups(not including 'default'). + + * `dedicated_resources`: A description of resources that are dedicated to a DeployedModel, and that need a higher degree of manual configuration. + + * `machine_spec`: Specification of a single machine. + + * `accelerator_type`: Immutable. The type of accelerator(s) that may be attached to the machine as per accelerator_count. + Possible values: + * ACCELERATOR_TYPE_UNSPECIFIED + * NVIDIA_TESLA_K80 + * NVIDIA_TESLA_P100 + * NVIDIA_TESLA_V100 + * NVIDIA_TESLA_P4 + * NVIDIA_TESLA_T4 + * NVIDIA_TESLA_A100 + * NVIDIA_A100_80GB + * NVIDIA_L4 + * TPU_V2 + * TPU_V3 + * TPU_V4_POD + + * `machine_type`: Immutable. The type of the machine. See the [list of machine types supported for prediction](https://cloud.google.com/vertex-ai/docs/predictions/configure-compute#machine-types) See the [list of machine types supported for custom training](https://cloud.google.com/vertex-ai/docs/training/configure-compute#machine-types). For DeployedModel this field is optional, and the default value is `n1-standard-2`. For BatchPredictionJob or as part of WorkerPoolSpec this field is required. + + * `accelerator_count`: The number of accelerators to attach to the machine. + + * `max_replica_count`: Immutable. The maximum number of replicas this DeployedModel may be deployed on when the traffic against it increases. 
If the requested value is too large, the deployment will error, but if deployment succeeds then the ability to scale the model to that many replicas is guaranteed (barring service outages). If traffic against the DeployedModel increases beyond what its replicas at maximum may handle, a portion of the traffic will be dropped. If this value is not provided, will use min_replica_count as the default value. The value of this field impacts the charge against Vertex CPU and GPU quotas. Specifically, you will be charged for (max_replica_count * number of cores in the selected machine type) and (max_replica_count * number of GPUs per replica in the selected machine type). + + * `autoscaling_metric_specs`: Immutable. The metric specifications that overrides a resource utilization metric (CPU utilization, accelerator's duty cycle, and so on) target value (default to 60 if not set). At most one entry is allowed per metric. If machine_spec.accelerator_count is above 0, the autoscaling will be based on both CPU utilization and accelerator's duty cycle metrics and scale up when either metrics exceeds its target value while scale down if both metrics are under their target value. The default target value is 60 for both metrics. If machine_spec.accelerator_count is 0, the autoscaling will be based on CPU utilization metric only with default target value 60 if not explicitly set. For example, in the case of Online Prediction, if you want to override target CPU utilization to 80, you should set autoscaling_metric_specs.metric_name to `aiplatform.googleapis.com/prediction/online/cpu/utilization` and autoscaling_metric_specs.target to `80`. + + * `target`: The target resource utilization in percentage (1% - 100%) for the given metric; once the real usage deviates from the target by a certain percentage, the machine replicas change. The default value is 60 (representing 60%) if not provided. + + * `metric_name`: Required. The resource metric name. 
Supported metrics: * For Online Prediction: * `aiplatform.googleapis.com/prediction/online/accelerator/duty_cycle` * `aiplatform.googleapis.com/prediction/online/cpu/utilization` + + * `min_replica_count`: Required. Immutable. The minimum number of machine replicas this DeployedModel will be always deployed on. This value must be greater than or equal to 1. If traffic against the DeployedModel increases, it may dynamically be deployed onto more replicas, and as traffic decreases, some of these extra replicas may be freed. + + * `deployed_index_auth_config`: Used to set up the auth on the DeployedIndex's private endpoint. + + * `auth_provider`: Configuration for an authentication provider, including support for [JSON Web Token (JWT)](https://tools.ietf.org/html/draft-ietf-oauth-json-web-token-32). + + * `audiences`: The list of JWT [audiences](https://tools.ietf.org/html/draft-ietf-oauth-json-web-token-32#section-4.1.3). that are allowed to access. A JWT containing any of these audiences will be accepted. + + * `allowed_issuers`: A list of allowed JWT issuers. Each entry must be a valid Google service account, in the following format: `service-account-name@project-id.iam.gserviceaccount.com` + + * `id`: Required. The user specified ID of the DeployedIndex. The ID can be up to 128 characters long and must start with a letter and only contain letters, numbers, and underscores. The ID must be unique within the project it is created in. + + * `index_sync_time`: Output only. The DeployedIndex may depend on various data on its original Index. Additionally when certain changes to the original Index are being done (e.g. when what the Index contains is being changed) the DeployedIndex may be asynchronously updated in the background to reflect these changes. If this timestamp's value is at least the Index.update_time of the original Index, it means that this DeployedIndex and the original Index are in sync. 
If this timestamp is older, then to see which updates this DeployedIndex already contains (and which it does not), one must list the operations that are running on the original Index. Only the successfully completed Operations with update_time equal or before this sync time are contained in this DeployedIndex. + + * `automatic_resources`: A description of resources that to large degree are decided by Vertex AI, and require only a modest additional configuration. Each Model supporting these resources documents its specific guidelines. + + * `max_replica_count`: Immutable. The maximum number of replicas this DeployedModel may be deployed on when the traffic against it increases. If the requested value is too large, the deployment will error, but if deployment succeeds then the ability to scale the model to that many replicas is guaranteed (barring service outages). If traffic against the DeployedModel increases beyond what its replicas at maximum may handle, a portion of the traffic will be dropped. If this value is not provided, a no upper bound for scaling under heavy traffic will be assume, though Vertex AI may be unable to scale beyond certain replica number. + + * `min_replica_count`: Immutable. The minimum number of replicas this DeployedModel will be always deployed on. If traffic against it increases, it may dynamically be deployed onto more replicas up to max_replica_count, and as traffic decreases, some of these extra replicas may be freed. If the requested value is too large, the deployment will error. + + * `enable_access_logging`: Optional. If true, private endpoint's access logs are sent to Cloud Logging. These logs are like standard server access logs, containing information like timestamp and latency for each MatchRequest. Note that logs may incur a cost, especially if the deployed index receives a high queries per second rate (QPS). Estimate your costs before enabling this option. + + * `create_time`: Output only. 
Timestamp when the DeployedIndex was created. + + * `reserved_ip_ranges`: Optional. A list of reserved ip ranges under the VPC network that can be used for this DeployedIndex. If set, we will deploy the index within the provided ip ranges. Otherwise, the index might be deployed to any ip ranges under the provided VPC network. The value should be the name of the address (https://cloud.google.com/compute/docs/reference/rest/v1/addresses) Example: 'vertex-ai-ip-range'. + + * `index`: Required. The name of the Index this is the deployment of. We may refer to this Index as the DeployedIndex's "original" Index. + + * `display_name`: The display name of the DeployedIndex. If not provided upon creation, the Index's display_name is used. + + * `private_service_connect_config`: Represents configuration for private service connect. + + * `project_allowlist`: A list of Projects from which the forwarding rule will target the service attachment. + + * `enable_private_service_connect`: Required. If true, expose the IndexEndpoint via private service connect. + + * `display_name`: Required. The display name of the IndexEndpoint. The name can be up to 128 characters long and can consist of any UTF-8 characters. + + * `public_endpoint_enabled`: Optional. If true, the deployed index will be accessible through public endpoint. + + * `labels`: The labels with user-defined metadata to organize your IndexEndpoints. Label keys and values can be no longer than 64 characters (Unicode codepoints), can only contain lowercase letters, numeric characters, underscores and dashes. International characters are allowed. See https://goo.gl/xmQnxf for more information and examples of labels. + + * `additional_properties`: + + * `create_time`: Output only. Timestamp when this IndexEndpoint was created. + + * `name`: Output only. The resource name of the IndexEndpoint. + + * `network`: Optional. 
The full name of the Google Compute Engine [network](https://cloud.google.com/compute/docs/networks-and-firewalls#networks) to which the IndexEndpoint should be peered. Private services access must already be configured for the network. If left unspecified, the Endpoint is not peered with any network. network and private_service_connect_config are mutually exclusive. [Format](https://cloud.google.com/compute/docs/reference/rest/v1/networks/insert): `projects/{project}/global/networks/{network}`. Where {project} is a project number, as in '12345', and {network} is network name. + + * `update_time`: Output only. Timestamp when this IndexEndpoint was last updated. This timestamp is not updated when the endpoint's DeployedIndexes are updated, e.g. due to updates of the original Indexes they are the deployments of. + + * `public_endpoint_domain_name`: Output only. If public_endpoint_enabled is true, this field will be populated with the domain name to use for this index endpoint. + + * `enable_private_service_connect`: Optional. Deprecated: If true, expose the IndexEndpoint via private service connect. Only one of the fields, network or enable_private_service_connect, can be set. + + * `etag`: Used to perform consistent read-modify-write updates. If not set, a blind "overwrite" update happens. + + * `description`: The description of the IndexEndpoint. + + +## GCP permissions diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_vertex_ai_index_endpoints.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_vertex_ai_index_endpoints.md new file mode 100644 index 0000000..c88388b --- /dev/null +++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_vertex_ai_index_endpoints.md 
@@ -0,0 +1,48 @@ ++++ +title = "google_vertex_ai_index_endpoints resource" + +draft = false + + +[menu.gcp] +title = "google_vertex_ai_index_endpoints" +identifier = "inspec/resources/gcp/google_vertex_ai_index_endpoints resource" +parent = "inspec/resources/gcp" ++++ + +Use the `google_vertex_ai_index_endpoints` InSpec audit resource to to test a Google Cloud IndexEndpoint resource. + +## Examples + +```ruby + describe google_vertex_ai_index_endpoints(parent: "projects/#{gcp_project_id}/locations/#{index_endpoint['region']}", region: ' value_region') do + it { should exist } + end +``` + +## Properties + +Properties that can be accessed from the `google_vertex_ai_index_endpoints` resource: + +See [google_vertex_ai_index_endpoint](google_vertex_ai_index_endpoint) for more detailed information. + + * `deployed_indexes`: an array of `google_vertex_ai_index_endpoint` deployed_indexes + * `private_service_connect_configs`: an array of `google_vertex_ai_index_endpoint` private_service_connect_config + * `display_names`: an array of `google_vertex_ai_index_endpoint` display_name + * `public_endpoint_enableds`: an array of `google_vertex_ai_index_endpoint` public_endpoint_enabled + * `labels`: an array of `google_vertex_ai_index_endpoint` labels + * `create_times`: an array of `google_vertex_ai_index_endpoint` create_time + * `names`: an array of `google_vertex_ai_index_endpoint` name + * `networks`: an array of `google_vertex_ai_index_endpoint` network + * `update_times`: an array of `google_vertex_ai_index_endpoint` update_time + * `public_endpoint_domain_names`: an array of `google_vertex_ai_index_endpoint` public_endpoint_domain_name + * `enable_private_service_connects`: an array of `google_vertex_ai_index_endpoint` enable_private_service_connect + * `etags`: an array of `google_vertex_ai_index_endpoint` etag + * `descriptions`: an array of `google_vertex_ai_index_endpoint` description + +## Filter criteria + +This resource supports all of the above properties as 
filter criteria, which can be used +with `where` as a block or a method. + +## GCP permissions
diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_vertex_ai_indices.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_vertex_ai_indices.md
new file mode 100644
index 0000000..6198db2
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_vertex_ai_indices.md
@@ -0,0 +1,47 @@ ++++ +title = "google_vertex_ai_indices resource" + +draft = false + + +[menu.gcp] +title = "google_vertex_ai_indices" +identifier = "inspec/resources/gcp/google_vertex_ai_indices resource" +parent = "inspec/resources/gcp" ++++ + +Use the `google_vertex_ai_indices` InSpec audit resource to to test a Google Cloud Index resource. + +## Examples + +```ruby + describe google_vertex_ai_indices(parent: "projects/#{gcp_project_id}/locations/#{index['region']}", region: ' value_region') do + it { should exist } + end +``` + +## Properties + +Properties that can be accessed from the `google_vertex_ai_indices` resource: + +See [google_vertex_ai_index](google_vertex_ai_index) for more detailed information. + + * `descriptions`: an array of `google_vertex_ai_index` description + * `metadata`: an array of `google_vertex_ai_index` metadata + * `index_stats`: an array of `google_vertex_ai_index` index_stats + * `names`: an array of `google_vertex_ai_index` name + * `deployed_indexes`: an array of `google_vertex_ai_index` deployed_indexes + * `display_names`: an array of `google_vertex_ai_index` display_name + * `metadata_schema_uris`: an array of `google_vertex_ai_index` metadata_schema_uri + * `index_update_methods`: an array of `google_vertex_ai_index` index_update_method + * `update_times`: an array of `google_vertex_ai_index` update_time + * `create_times`: an array of `google_vertex_ai_index` create_time + * `etags`: an array of `google_vertex_ai_index` etag + * `labels`: an array of `google_vertex_ai_index` labels + +## Filter criteria + +This resource supports all of the above properties as filter criteria, which can be used +with `where` as a block or a method. + +## GCP permissions diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_vertex_ai_metadata_store.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_vertex_ai_metadata_store.md new file mode 100644 index 0000000..ffe5bb4 --- /dev/null 
+++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_vertex_ai_metadata_store.md 
@@ -0,0 +1,54 @@ ++++ +title = "google_vertex_ai_metadata_store resource" + +draft = false + + +[menu.gcp] +title = "google_vertex_ai_metadata_store" +identifier = "inspec/resources/gcp/google_vertex_ai_metadata_store resource" +parent = "inspec/resources/gcp" ++++ + +Use the `google_vertex_ai_metadata_store` InSpec audit resource to to test a Google Cloud MetadataStore resource. + +## Examples + +```ruby +describe google_vertex_ai_metadata_store(name: "projects/#{gcp_project_id}/locations/#{metadata_store['region']}/metadataStores/#{metadata_store['name']}", region: ' value_region') do + it { should exist } + its('description') { should cmp 'value_description' } + its('create_time') { should cmp 'value_createtime' } + its('update_time') { should cmp 'value_updatetime' } + its('name') { should cmp 'value_name' } + +end + +describe google_vertex_ai_metadata_store(name: "does_not_exit", region: ' value_region') do + it { should_not exist } +end +``` + +## Properties + +Properties that can be accessed from the `google_vertex_ai_metadata_store` resource: + + + * `description`: Description of the MetadataStore. + + * `create_time`: Output only. Timestamp when this MetadataStore was created. + + * `update_time`: Output only. Timestamp when this MetadataStore was last updated. + + * `encryption_spec`: Represents a customer-managed encryption key spec that can be applied to a top-level resource. + + * `kms_key_name`: Required. The Cloud KMS resource identifier of the customer managed encryption key used to protect a resource. Has the form: `projects/my-project/locations/my-region/keyRings/my-kr/cryptoKeys/my-key`. The key needs to be in the same region as where the compute resource is created. + + * `state`: Represents state information for a MetadataStore. + + * `disk_utilization_bytes`: The disk utilization of the MetadataStore in bytes. + + * `name`: Output only. The resource name of the MetadataStore instance. + + +## GCP permissions 
diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_vertex_ai_metadata_stores.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_vertex_ai_metadata_stores.md new file mode 100644 index 0000000..e6ec814 --- /dev/null +++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_vertex_ai_metadata_stores.md @@ -0,0 +1,41 @@ ++++ +title = "google_vertex_ai_metadata_stores resource" + +draft = false + + +[menu.gcp] +title = "google_vertex_ai_metadata_stores" +identifier = "inspec/resources/gcp/google_vertex_ai_metadata_stores resource" +parent = "inspec/resources/gcp" ++++ + +Use the `google_vertex_ai_metadata_stores` InSpec audit resource to to test a Google Cloud MetadataStore resource. + +## Examples + +```ruby + describe google_vertex_ai_metadata_stores(parent: "projects/#{gcp_project_id}/locations/#{metadata_store['region']}", region: ' value_region') do + it { should exist } + end +``` + +## Properties + +Properties that can be accessed from the `google_vertex_ai_metadata_stores` resource: + +See [google_vertex_ai_metadata_store](google_vertex_ai_metadata_store) for more detailed information. + + * `descriptions`: an array of `google_vertex_ai_metadata_store` description + * `create_times`: an array of `google_vertex_ai_metadata_store` create_time + * `update_times`: an array of `google_vertex_ai_metadata_store` update_time + * `encryption_specs`: an array of `google_vertex_ai_metadata_store` encryption_spec + * `states`: an array of `google_vertex_ai_metadata_store` state + * `names`: an array of `google_vertex_ai_metadata_store` name + +## Filter criteria + +This resource supports all of the above properties as filter criteria, which can be used +with `where` as a block or a method. + +## GCP permissions 
diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_vertex_ai_metadata_stores_artifact.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_vertex_ai_metadata_stores_artifact.md new file mode 100644 index 0000000..8c1a4e2 --- /dev/null +++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_vertex_ai_metadata_stores_artifact.md 
@@ -0,0 +1,76 @@ ++++ +title = "google_vertex_ai_metadata_stores_artifact resource" + +draft = false + + +[menu.gcp] +title = "google_vertex_ai_metadata_stores_artifact" +identifier = "inspec/resources/gcp/google_vertex_ai_metadata_stores_artifact resource" +parent = "inspec/resources/gcp" ++++ + +Use the `google_vertex_ai_metadata_stores_artifact` InSpec audit resource to to test a Google Cloud MetadataStoresArtifact resource. + +## Examples + +```ruby +describe google_vertex_ai_metadata_stores_artifact(name: "projects/#{gcp_project_id}/locations/#{metadata_stores_artifact['region']}/metadataStores/#{metadata_stores_artifact['metadataStore']}/artifacts/#{metadata_stores_artifact['name']}", region: ' value_region') do + it { should exist } + its('schema_version') { should cmp 'value_schemaversion' } + its('display_name') { should cmp 'value_displayname' } + its('etag') { should cmp 'value_etag' } + its('name') { should cmp 'value_name' } + its('update_time') { should cmp 'value_updatetime' } + its('state') { should cmp 'value_state' } + its('uri') { should cmp 'value_uri' } + its('create_time') { should cmp 'value_createtime' } + its('schema_title') { should cmp 'value_schematitle' } + its('description') { should cmp 'value_description' } + +end + +describe google_vertex_ai_metadata_stores_artifact(name: "does_not_exit", region: ' value_region') do + it { should_not exist } +end +``` + +## Properties + +Properties that can be accessed from the `google_vertex_ai_metadata_stores_artifact` resource: + + + * `schema_version`: The version of the schema in schema_name to use. Schema title and version is expected to be registered in earlier Create Schema calls. And both are used together as unique identifiers to identify schemas within the local metadata store. + + * `display_name`: User provided display name of the Artifact. May be up to 128 Unicode characters. + + * `etag`: An eTag used to perform consistent read-modify-write updates. 
If not set, a blind "overwrite" update happens. + + * `name`: Output only. The resource name of the Artifact. + + * `update_time`: Output only. Timestamp when this Artifact was last updated. + + * `state`: The state of this Artifact. This is a property of the Artifact, and does not imply or capture any ongoing process. This property is managed by clients (such as Vertex AI Pipelines), and the system does not prescribe or check the validity of state transitions. + Possible values: + * STATE_UNSPECIFIED + * PENDING + * LIVE + + * `metadata`: Properties of the Artifact. Top level metadata keys' heading and trailing spaces will be trimmed. The size of this field should not exceed 200KB. + + * `additional_properties`: Properties of the object. + + * `uri`: The uniform resource identifier of the artifact file. May be empty if there is no actual artifact file. + + * `create_time`: Output only. Timestamp when this Artifact was created. + + * `schema_title`: The title of the schema describing the metadata. Schema title and version is expected to be registered in earlier Create Schema calls. And both are used together as unique identifiers to identify schemas within the local metadata store. + + * `description`: Description of the Artifact + + * `labels`: The labels with user-defined metadata to organize your Artifacts. Label keys and values can be no longer than 64 characters (Unicode codepoints), can only contain lowercase letters, numeric characters, underscores and dashes. International characters are allowed. No more than 64 user labels can be associated with one Artifact (System labels are excluded). + + * `additional_properties`: + + +## GCP permissions diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_vertex_ai_metadata_stores_artifacts.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_vertex_ai_metadata_stores_artifacts.md new file mode 100644 index 0000000..4be0c2c --- /dev/null 
+++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_vertex_ai_metadata_stores_artifacts.md 
@@ -0,0 +1,47 @@ ++++ +title = "google_vertex_ai_metadata_stores_artifacts resource" + +draft = false + + +[menu.gcp] +title = "google_vertex_ai_metadata_stores_artifacts" +identifier = "inspec/resources/gcp/google_vertex_ai_metadata_stores_artifacts resource" +parent = "inspec/resources/gcp" ++++ + +Use the `google_vertex_ai_metadata_stores_artifacts` InSpec audit resource to to test a Google Cloud MetadataStoresArtifact resource. + +## Examples + +```ruby + describe google_vertex_ai_metadata_stores_artifacts(parent: "projects/#{gcp_project_id}/locations/#{metadata_stores_artifact['region']}/metadataStores/#{metadata_stores_artifact['metadataStore']}", region: ' value_region') do + it { should exist } + end +``` + +## Properties + +Properties that can be accessed from the `google_vertex_ai_metadata_stores_artifacts` resource: + +See [google_vertex_ai_metadata_stores_artifact](google_vertex_ai_metadata_stores_artifact) for more detailed information. + + * `schema_versions`: an array of `google_vertex_ai_metadata_stores_artifact` schema_version + * `display_names`: an array of `google_vertex_ai_metadata_stores_artifact` display_name + * `etags`: an array of `google_vertex_ai_metadata_stores_artifact` etag + * `names`: an array of `google_vertex_ai_metadata_stores_artifact` name + * `update_times`: an array of `google_vertex_ai_metadata_stores_artifact` update_time + * `states`: an array of `google_vertex_ai_metadata_stores_artifact` state + * `metadata`: an array of `google_vertex_ai_metadata_stores_artifact` metadata + * `uris`: an array of `google_vertex_ai_metadata_stores_artifact` uri + * `create_times`: an array of `google_vertex_ai_metadata_stores_artifact` create_time + * `schema_titles`: an array of `google_vertex_ai_metadata_stores_artifact` schema_title + * `descriptions`: an array of `google_vertex_ai_metadata_stores_artifact` description + * `labels`: an array of `google_vertex_ai_metadata_stores_artifact` labels + +## Filter criteria + +This resource 
supports all of the above properties as filter criteria, which can be used +with `where` as a block or a method. + +## GCP permissions diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_vertex_ai_metadata_stores_context.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_vertex_ai_metadata_stores_context.md new file mode 100644 index 0000000..885b7d1 --- /dev/null +++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_vertex_ai_metadata_stores_context.md 
@@ -0,0 +1,68 @@ ++++ +title = "google_vertex_ai_metadata_stores_context resource" + +draft = false + + +[menu.gcp] +title = "google_vertex_ai_metadata_stores_context" +identifier = "inspec/resources/gcp/google_vertex_ai_metadata_stores_context resource" +parent = "inspec/resources/gcp" ++++ + +Use the `google_vertex_ai_metadata_stores_context` InSpec audit resource to to test a Google Cloud MetadataStoresContext resource. + +## Examples + +```ruby +describe google_vertex_ai_metadata_stores_context(name: "projects/#{gcp_project_id}/locations/#{metadata_stores_context['region']}/metadataStores/#{metadata_stores_context['metadataStore']}/contexts/#{metadata_stores_context['name']}", region: ' value_region') do + it { should exist } + its('name') { should cmp 'value_name' } + its('schema_title') { should cmp 'value_schematitle' } + its('etag') { should cmp 'value_etag' } + its('description') { should cmp 'value_description' } + its('display_name') { should cmp 'value_displayname' } + its('schema_version') { should cmp 'value_schemaversion' } + its('create_time') { should cmp 'value_createtime' } + its('update_time') { should cmp 'value_updatetime' } + +end + +describe google_vertex_ai_metadata_stores_context(name: "does_not_exit", region: ' value_region') do + it { should_not exist } +end +``` + +## Properties + +Properties that can be accessed from the `google_vertex_ai_metadata_stores_context` resource: + + + * `name`: Immutable. The resource name of the Context. + + * `schema_title`: The title of the schema describing the metadata. Schema title and version is expected to be registered in earlier Create Schema calls. And both are used together as unique identifiers to identify schemas within the local metadata store. + + * `etag`: An eTag used to perform consistent read-modify-write updates. If not set, a blind "overwrite" update happens. + + * `description`: Description of the Context + + * `display_name`: User provided display name of the Context. 
May be up to 128 Unicode characters. + + * `schema_version`: The version of the schema in schema_name to use. Schema title and version is expected to be registered in earlier Create Schema calls. And both are used together as unique identifiers to identify schemas within the local metadata store. + + * `create_time`: Output only. Timestamp when this Context was created. + + * `labels`: The labels with user-defined metadata to organize your Contexts. Label keys and values can be no longer than 64 characters (Unicode codepoints), can only contain lowercase letters, numeric characters, underscores and dashes. International characters are allowed. No more than 64 user labels can be associated with one Context (System labels are excluded). + + * `additional_properties`: + + * `metadata`: Properties of the Context. Top level metadata keys' heading and trailing spaces will be trimmed. The size of this field should not exceed 200KB. + + * `additional_properties`: Properties of the object. + + * `update_time`: Output only. Timestamp when this Context was last updated. + + * `parent_contexts`: Output only. A list of resource names of Contexts that are parents of this Context. A Context may have at most 10 parent_contexts. + + +## GCP permissions diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_vertex_ai_metadata_stores_contexts.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_vertex_ai_metadata_stores_contexts.md new file mode 100644 index 0000000..c633623 --- /dev/null +++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_vertex_ai_metadata_stores_contexts.md 
@@ -0,0 +1,46 @@ ++++ +title = "google_vertex_ai_metadata_stores_contexts resource" + +draft = false + + +[menu.gcp] +title = "google_vertex_ai_metadata_stores_contexts" +identifier = "inspec/resources/gcp/google_vertex_ai_metadata_stores_contexts resource" +parent = "inspec/resources/gcp" ++++ + +Use the `google_vertex_ai_metadata_stores_contexts` InSpec audit resource to to test a Google Cloud MetadataStoresContext resource. + +## Examples + +```ruby + describe google_vertex_ai_metadata_stores_contexts(parent: "projects/#{gcp_project_id}/locations/#{metadata_stores_context['region']}/metadataStores/#{metadata_stores_context['metadataStore']}", region: ' value_region') do + it { should exist } + end +``` + +## Properties + +Properties that can be accessed from the `google_vertex_ai_metadata_stores_contexts` resource: + +See [google_vertex_ai_metadata_stores_context](google_vertex_ai_metadata_stores_context) for more detailed information. + + * `names`: an array of `google_vertex_ai_metadata_stores_context` name + * `schema_titles`: an array of `google_vertex_ai_metadata_stores_context` schema_title + * `etags`: an array of `google_vertex_ai_metadata_stores_context` etag + * `descriptions`: an array of `google_vertex_ai_metadata_stores_context` description + * `display_names`: an array of `google_vertex_ai_metadata_stores_context` display_name + * `schema_versions`: an array of `google_vertex_ai_metadata_stores_context` schema_version + * `create_times`: an array of `google_vertex_ai_metadata_stores_context` create_time + * `labels`: an array of `google_vertex_ai_metadata_stores_context` labels + * `metadata`: an array of `google_vertex_ai_metadata_stores_context` metadata + * `update_times`: an array of `google_vertex_ai_metadata_stores_context` update_time + * `parent_contexts`: an array of `google_vertex_ai_metadata_stores_context` parent_contexts + +## Filter criteria + +This resource supports all of the above properties as filter criteria, which can be used 
+with `where` as a block or a method. + +## GCP permissions diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_vertex_ai_metadata_stores_execution.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_vertex_ai_metadata_stores_execution.md new file mode 100644 index 0000000..e4e4ae2 --- /dev/null +++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_vertex_ai_metadata_stores_execution.md 
@@ -0,0 +1,77 @@ ++++ +title = "google_vertex_ai_metadata_stores_execution resource" + +draft = false + + +[menu.gcp] +title = "google_vertex_ai_metadata_stores_execution" +identifier = "inspec/resources/gcp/google_vertex_ai_metadata_stores_execution resource" +parent = "inspec/resources/gcp" ++++ + +Use the `google_vertex_ai_metadata_stores_execution` InSpec audit resource to to test a Google Cloud MetadataStoresExecution resource. + +## Examples + +```ruby +describe google_vertex_ai_metadata_stores_execution(name: "projects/#{gcp_project_id}/locations/#{metadata_stores_execution['region']}/metadataStores/#{metadata_stores_execution['metadataStore']}/executions/#{metadata_stores_execution['name']}", region: ' value_region') do + it { should exist } + its('create_time') { should cmp 'value_createtime' } + its('schema_version') { should cmp 'value_schemaversion' } + its('state') { should cmp 'value_state' } + its('name') { should cmp 'value_name' } + its('etag') { should cmp 'value_etag' } + its('display_name') { should cmp 'value_displayname' } + its('schema_title') { should cmp 'value_schematitle' } + its('description') { should cmp 'value_description' } + its('update_time') { should cmp 'value_updatetime' } + +end + +describe google_vertex_ai_metadata_stores_execution(name: "does_not_exit", region: ' value_region') do + it { should_not exist } +end +``` + +## Properties + +Properties that can be accessed from the `google_vertex_ai_metadata_stores_execution` resource: + + + * `labels`: The labels with user-defined metadata to organize your Executions. Label keys and values can be no longer than 64 characters (Unicode codepoints), can only contain lowercase letters, numeric characters, underscores and dashes. International characters are allowed. No more than 64 user labels can be associated with one Execution (System labels are excluded). + + * `additional_properties`: + + * `create_time`: Output only. Timestamp when this Execution was created. 
+ + * `schema_version`: The version of the schema in `schema_title` to use. Schema title and version is expected to be registered in earlier Create Schema calls. And both are used together as unique identifiers to identify schemas within the local metadata store. + + * `state`: The state of this Execution. This is a property of the Execution, and does not imply or capture any ongoing process. This property is managed by clients (such as Vertex AI Pipelines) and the system does not prescribe or check the validity of state transitions. + Possible values: + * STATE_UNSPECIFIED + * NEW + * RUNNING + * COMPLETE + * FAILED + * CACHED + * CANCELLED + + * `name`: Output only. The resource name of the Execution. + + * `etag`: An eTag used to perform consistent read-modify-write updates. If not set, a blind "overwrite" update happens. + + * `display_name`: User provided display name of the Execution. May be up to 128 Unicode characters. + + * `metadata`: Properties of the Execution. Top level metadata keys' heading and trailing spaces will be trimmed. The size of this field should not exceed 200KB. + + * `additional_properties`: Properties of the object. + + * `schema_title`: The title of the schema describing the metadata. Schema title and version is expected to be registered in earlier Create Schema calls. And both are used together as unique identifiers to identify schemas within the local metadata store. + + * `description`: Description of the Execution + + * `update_time`: Output only. Timestamp when this Execution was last updated. + + +## GCP permissions diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_vertex_ai_metadata_stores_executions.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_vertex_ai_metadata_stores_executions.md new file mode 100644 index 0000000..8a6d232 --- /dev/null +++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_vertex_ai_metadata_stores_executions.md 
@@ -0,0 +1,46 @@ ++++ +title = "google_vertex_ai_metadata_stores_executions resource" + +draft = false + + +[menu.gcp] +title = "google_vertex_ai_metadata_stores_executions" +identifier = "inspec/resources/gcp/google_vertex_ai_metadata_stores_executions resource" +parent = "inspec/resources/gcp" ++++ + +Use the `google_vertex_ai_metadata_stores_executions` InSpec audit resource to to test a Google Cloud MetadataStoresExecution resource. + +## Examples + +```ruby + describe google_vertex_ai_metadata_stores_executions(parent: "projects/#{gcp_project_id}/locations/#{metadata_stores_execution['region']}/metadataStores/#{metadata_stores_execution['metadataStore']}", region: ' value_region') do + it { should exist } + end +``` + +## Properties + +Properties that can be accessed from the `google_vertex_ai_metadata_stores_executions` resource: + +See [google_vertex_ai_metadata_stores_execution](google_vertex_ai_metadata_stores_execution) for more detailed information. + + * `labels`: an array of `google_vertex_ai_metadata_stores_execution` labels + * `create_times`: an array of `google_vertex_ai_metadata_stores_execution` create_time + * `schema_versions`: an array of `google_vertex_ai_metadata_stores_execution` schema_version + * `states`: an array of `google_vertex_ai_metadata_stores_execution` state + * `names`: an array of `google_vertex_ai_metadata_stores_execution` name + * `etags`: an array of `google_vertex_ai_metadata_stores_execution` etag + * `display_names`: an array of `google_vertex_ai_metadata_stores_execution` display_name + * `metadata`: an array of `google_vertex_ai_metadata_stores_execution` metadata + * `schema_titles`: an array of `google_vertex_ai_metadata_stores_execution` schema_title + * `descriptions`: an array of `google_vertex_ai_metadata_stores_execution` description + * `update_times`: an array of `google_vertex_ai_metadata_stores_execution` update_time + +## Filter criteria + +This resource supports all of the above properties as filter 
criteria, which can be used +with `where` as a block or a method. + +## GCP permissions diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_vertex_ai_metadata_stores_metadata_schema.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_vertex_ai_metadata_stores_metadata_schema.md new file mode 100644 index 0000000..d5d3822 --- /dev/null +++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_vertex_ai_metadata_stores_metadata_schema.md 
@@ -0,0 +1,57 @@ ++++ +title = "google_vertex_ai_metadata_stores_metadata_schema resource" + +draft = false + + +[menu.gcp] +title = "google_vertex_ai_metadata_stores_metadata_schema" +identifier = "inspec/resources/gcp/google_vertex_ai_metadata_stores_metadata_schema resource" +parent = "inspec/resources/gcp" ++++ + +Use the `google_vertex_ai_metadata_stores_metadata_schema` InSpec audit resource to to test a Google Cloud MetadataStoresMetadataSchema resource. + +## Examples + +```ruby +describe google_vertex_ai_metadata_stores_metadata_schema(name: "projects/#{gcp_project_id}/locations/#{metadata_stores_metadata_schema['region']}/metadataStores/#{metadata_stores_metadata_schema['metadataStore']}/metadataSchemas/#{metadata_stores_metadata_schema['name']}", region: ' value_region') do + it { should exist } + its('schema_type') { should cmp 'value_schematype' } + its('description') { should cmp 'value_description' } + its('schema_version') { should cmp 'value_schemaversion' } + its('name') { should cmp 'value_name' } + its('create_time') { should cmp 'value_createtime' } + its('schema') { should cmp 'value_schema' } + +end + +describe google_vertex_ai_metadata_stores_metadata_schema(name: "does_not_exit", region: ' value_region') do + it { should_not exist } +end +``` + +## Properties + +Properties that can be accessed from the `google_vertex_ai_metadata_stores_metadata_schema` resource: + + + * `schema_type`: The type of the MetadataSchema. This is a property that identifies which metadata types will use the MetadataSchema. + Possible values: + * METADATA_SCHEMA_TYPE_UNSPECIFIED + * ARTIFACT_TYPE + * EXECUTION_TYPE + * CONTEXT_TYPE + + * `description`: Description of the Metadata Schema + + * `schema_version`: The version of the MetadataSchema. The version's format must match the following regular expression: `^[0-9]+.+.+$`, which would allow to order/compare different versions. Example: 1.0.0, 1.0.1, etc. + + * `name`: Output only. 
The resource name of the MetadataSchema. + + * `create_time`: Output only. Timestamp when this MetadataSchema was created. + + * `schema`: Required. The raw YAML string representation of the MetadataSchema. The combination of [MetadataSchema.version] and the schema name given by `title` in [MetadataSchema.schema] must be unique within a MetadataStore. The schema is defined as an OpenAPI 3.0.2 [MetadataSchema Object](https://github.com/OAI/OpenAPI-Specification/blob/master/versions/3.0.2.md#schemaObject) + + +## GCP permissions diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_vertex_ai_metadata_stores_metadata_schemas.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_vertex_ai_metadata_stores_metadata_schemas.md new file mode 100644 index 0000000..d8b1abd --- /dev/null +++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_vertex_ai_metadata_stores_metadata_schemas.md 
@@ -0,0 +1,41 @@ ++++ +title = "google_vertex_ai_metadata_stores_metadata_schemas resource" + +draft = false + + +[menu.gcp] +title = "google_vertex_ai_metadata_stores_metadata_schemas" +identifier = "inspec/resources/gcp/google_vertex_ai_metadata_stores_metadata_schemas resource" +parent = "inspec/resources/gcp" ++++ + +Use the `google_vertex_ai_metadata_stores_metadata_schemas` InSpec audit resource to to test a Google Cloud MetadataStoresMetadataSchema resource. + +## Examples + +```ruby + describe google_vertex_ai_metadata_stores_metadata_schemas(parent: "projects/#{gcp_project_id}/locations/#{metadata_stores_metadata_schema['region']}/metadataStores/#{metadata_stores_metadata_schema['metadataStore']}", region: ' value_region') do + it { should exist } + end +``` + +## Properties + +Properties that can be accessed from the `google_vertex_ai_metadata_stores_metadata_schemas` resource: + +See [google_vertex_ai_metadata_stores_metadata_schema](google_vertex_ai_metadata_stores_metadata_schema) for more detailed information. + + * `schema_types`: an array of `google_vertex_ai_metadata_stores_metadata_schema` schema_type + * `descriptions`: an array of `google_vertex_ai_metadata_stores_metadata_schema` description + * `schema_versions`: an array of `google_vertex_ai_metadata_stores_metadata_schema` schema_version + * `names`: an array of `google_vertex_ai_metadata_stores_metadata_schema` name + * `create_times`: an array of `google_vertex_ai_metadata_stores_metadata_schema` create_time + * `schemas`: an array of `google_vertex_ai_metadata_stores_metadata_schema` schema + +## Filter criteria + +This resource supports all of the above properties as filter criteria, which can be used +with `where` as a block or a method. + +## GCP permissions diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_vertex_ai_model.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_vertex_ai_model.md new file mode 100644 index 0000000..38841b6 
--- /dev/null +++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_vertex_ai_model.md 
@@ -0,0 +1,257 @@ ++++ +title = "google_vertex_ai_model resource" + +draft = false + + +[menu.gcp] +title = "google_vertex_ai_model" +identifier = "inspec/resources/gcp/google_vertex_ai_model resource" +parent = "inspec/resources/gcp" ++++ + +Use the `google_vertex_ai_model` InSpec audit resource to to test a Google Cloud Model resource. + +## Examples + +```ruby +describe google_vertex_ai_model(name: "projects/#{gcp_project_id}/locations/#{model['region']}/models/#{model['name']}", region: ' value_region') do + it { should exist } + its('name') { should cmp 'value_name' } + its('update_time') { should cmp 'value_updatetime' } + its('etag') { should cmp 'value_etag' } + its('description') { should cmp 'value_description' } + its('create_time') { should cmp 'value_createtime' } + its('pipeline_job') { should cmp 'value_pipelinejob' } + its('version_update_time') { should cmp 'value_versionupdatetime' } + its('metadata_artifact') { should cmp 'value_metadataartifact' } + its('metadata_schema_uri') { should cmp 'value_metadataschemauri' } + its('version_id') { should cmp 'value_versionid' } + its('artifact_uri') { should cmp 'value_artifacturi' } + its('training_pipeline') { should cmp 'value_trainingpipeline' } + its('display_name') { should cmp 'value_displayname' } + its('version_create_time') { should cmp 'value_versioncreatetime' } + its('version_description') { should cmp 'value_versiondescription' } + +end + +describe google_vertex_ai_model(name: "does_not_exit", region: ' value_region') do + it { should_not exist } +end +``` + +## Properties + +Properties that can be accessed from the `google_vertex_ai_model` resource: + + + * `model_source_info`: Detail description of the source information of the model. + + * `copy`: If this Model is copy of another Model. If true then source_type pertains to the original. + + * `source_type`: Type of the model source. 
+ Possible values: + * MODEL_SOURCE_TYPE_UNSPECIFIED + * AUTOML + * CUSTOM + * BQML + * MODEL_GARDEN + * GENIE + + * `name`: The resource name of the Model. + + * `metadata`: Immutable. An additional information about the Model; the schema of the metadata can be found in metadata_schema. Unset if the Model does not have any additional information. + + * `update_time`: Output only. Timestamp when this Model was most recently updated. + + * `etag`: Used to perform consistent read-modify-write updates. If not set, a blind "overwrite" update happens. + + * `description`: The description of the Model. + + * `deployed_models`: Output only. The pointers to DeployedModels created from this Model. Note that Model could have been deployed to Endpoints in different Locations. + + * `deployed_model_id`: Immutable. An ID of a DeployedModel in the above Endpoint. + + * `endpoint`: Immutable. A resource name of an Endpoint. + + * `create_time`: Output only. Timestamp when this Model was uploaded into Vertex AI. + + * `explanation_spec`: Specification of Model explanation. + + * `parameters`: Parameters to configure explaining for Model's predictions. + + * `output_indices`: If populated, only returns attributions that have output_index contained in output_indices. It must be an ndarray of integers, with the same shape of the output it's explaining. If not populated, returns attributions for top_k indices of outputs. If neither top_k nor output_indices is populated, returns the argmax index of the outputs. Only applicable to Models that predict multiple outputs (e,g, multi-class Models that predict multiple classes). + + * `examples`: Example-based explainability that returns the nearest neighbors from the provided dataset. + + * `presets`: Preset configuration for example-based explanations + + * `modality`: The modality of the uploaded model, which automatically configures the distance measurement and feature normalization for the underlying example index and queries. 
If your model does not precisely fit one of these types, it is okay to choose the closest type. + Possible values: + * MODALITY_UNSPECIFIED + * IMAGE + * TEXT + * TABULAR + + * `query`: Preset option controlling parameters for speed-precision trade-off when querying for examples. If omitted, defaults to `PRECISE`. + Possible values: + * PRECISE + * FAST + + * `neighbor_count`: The number of neighbors to return when querying for examples. + + * `example_gcs_source`: The Cloud Storage input instances. + + * `gcs_source`: The Google Cloud Storage location for the input content. + + * `uris`: Required. Google Cloud Storage URI(-s) to the input file(s). May contain wildcards. For more information on wildcards, see https://cloud.google.com/storage/docs/gsutil/addlhelp/WildcardNames. + + * `data_format`: The format in which instances are given, if not specified, assume it's JSONL format. Currently only JSONL format is supported. + Possible values: + * DATA_FORMAT_UNSPECIFIED + * JSONL + + * `nearest_neighbor_search_config`: The full configuration for the generated index, the semantics are the same as metadata and should match [NearestNeighborSearchConfig](https://cloud.google.com/vertex-ai/docs/explainable-ai/configuring-explanations-example-based#nearest-neighbor-search-config). + + * `xrai_attribution`: An explanation method that redistributes Integrated Gradients attributions to segmented regions, taking advantage of the model's fully differentiable structure. Refer to this paper for more details: https://arxiv.org/abs/1906.02825 Supported only by image Models. + + * `smooth_grad_config`: Config for SmoothGrad approximation of gradients. When enabled, the gradients are approximated by averaging the gradients from noisy samples in the vicinity of the inputs. Adding noise can help improve the computed gradients. Refer to this paper for more details: https://arxiv.org/pdf/1706.03825.pdf + + * `feature_noise_sigma`: Noise sigma by features. 
Noise sigma represents the standard deviation of the gaussian kernel that will be used to add noise to interpolated inputs prior to computing gradients. + + * `noise_sigma`: Noise sigma per feature. No noise is added to features that are not set. + + * `name`: The name of the input feature for which noise sigma is provided. The features are defined in explanation metadata inputs. + + * `sigma`: This represents the standard deviation of the Gaussian kernel that will be used to add noise to the feature prior to computing gradients. Similar to noise_sigma but represents the noise added to the current feature. Defaults to 0.1. + + * `noise_sigma`: This is a single float value and will be used to add noise to all the features. Use this field when all features are normalized to have the same distribution: scale to range [0, 1], [-1, 1] or z-scoring, where features are normalized to have 0-mean and 1-variance. Learn more about [normalization](https://developers.google.com/machine-learning/data-prep/transform/normalization). For best results the recommended value is about 10% - 20% of the standard deviation of the input feature. Refer to section 3.2 of the SmoothGrad paper: https://arxiv.org/pdf/1706.03825.pdf. Defaults to 0.1. If the distribution is different per feature, set feature_noise_sigma instead for each feature. + + * `noisy_sample_count`: The number of gradient samples to use for approximation. The higher this number, the more accurate the gradient is, but the runtime complexity increases by this factor as well. Valid range of its value is [1, 50]. Defaults to 3. + + * `step_count`: Required. The number of steps for approximating the path integral. A good value to start is 50 and gradually increase until the sum to diff property is met within the desired error range. Valid range of its value is [1, 100], inclusively. + + * `blur_baseline_config`: Config for blur baseline. When enabled, a linear path from the maximally blurred image to the input image is created. 
Using a blurred baseline instead of zero (black image) is motivated by the BlurIG approach explained here: https://arxiv.org/abs/2004.03383 + + * `max_blur_sigma`: The standard deviation of the blur kernel for the blurred baseline. The same blurring parameter is used for both the height and the width dimension. If not set, the method defaults to the zero (i.e. black for images) baseline. + + * `top_k`: If populated, returns attributions for top K indices of outputs (defaults to 1). Only applies to Models that predicts more than one outputs (e,g, multi-class Models). When set to -1, returns explanations for all outputs. + + * `integrated_gradients_attribution`: An attribution method that computes the Aumann-Shapley value taking advantage of the model's fully differentiable structure. Refer to this paper for more details: https://arxiv.org/abs/1703.01365 + + * `step_count`: Required. The number of steps for approximating the path integral. A good value to start is 50 and gradually increase until the sum to diff property is within the desired error range. Valid range of its value is [1, 100], inclusively. + + * `smooth_grad_config`: Config for SmoothGrad approximation of gradients. When enabled, the gradients are approximated by averaging the gradients from noisy samples in the vicinity of the inputs. Adding noise can help improve the computed gradients. Refer to this paper for more details: https://arxiv.org/pdf/1706.03825.pdf + + * `feature_noise_sigma`: Noise sigma by features. Noise sigma represents the standard deviation of the gaussian kernel that will be used to add noise to interpolated inputs prior to computing gradients. + + * `noise_sigma`: Noise sigma per feature. No noise is added to features that are not set. + + * `name`: The name of the input feature for which noise sigma is provided. The features are defined in explanation metadata inputs. 
+ + * `sigma`: This represents the standard deviation of the Gaussian kernel that will be used to add noise to the feature prior to computing gradients. Similar to noise_sigma but represents the noise added to the current feature. Defaults to 0.1. + + * `noise_sigma`: This is a single float value and will be used to add noise to all the features. Use this field when all features are normalized to have the same distribution: scale to range [0, 1], [-1, 1] or z-scoring, where features are normalized to have 0-mean and 1-variance. Learn more about [normalization](https://developers.google.com/machine-learning/data-prep/transform/normalization). For best results the recommended value is about 10% - 20% of the standard deviation of the input feature. Refer to section 3.2 of the SmoothGrad paper: https://arxiv.org/pdf/1706.03825.pdf. Defaults to 0.1. If the distribution is different per feature, set feature_noise_sigma instead for each feature. + + * `noisy_sample_count`: The number of gradient samples to use for approximation. The higher this number, the more accurate the gradient is, but the runtime complexity increases by this factor as well. Valid range of its value is [1, 50]. Defaults to 3. + + * `blur_baseline_config`: Config for blur baseline. When enabled, a linear path from the maximally blurred image to the input image is created. Using a blurred baseline instead of zero (black image) is motivated by the BlurIG approach explained here: https://arxiv.org/abs/2004.03383 + + * `max_blur_sigma`: The standard deviation of the blur kernel for the blurred baseline. The same blurring parameter is used for both the height and the width dimension. If not set, the method defaults to the zero (i.e. black for images) baseline. + + * `sampled_shapley_attribution`: An attribution method that approximates Shapley values for features that contribute to the label being predicted. 
A sampling strategy is used to approximate the value rather than considering all subsets of features. + + * `path_count`: Required. The number of feature permutations to consider when approximating the Shapley values. Valid range of its value is [1, 50], inclusively. + + * `metadata`: Metadata describing the Model's input and output for explanation. + + * `feature_attributions_schema_uri`: Points to a YAML file stored on Google Cloud Storage describing the format of the feature attributions. The schema is defined as an OpenAPI 3.0.2 [Schema Object](https://github.com/OAI/OpenAPI-Specification/blob/main/versions/3.0.2.md#schemaObject). AutoML tabular Models always have this field populated by Vertex AI. Note: The URI given on output may be different, including the URI scheme, than the one given on input. The output URI will point to a location where the user only has a read access. + + * `latent_space_source`: Name of the source to generate embeddings for example based explanations. + + * `outputs`: Required. Map from output names to output metadata. For Vertex AI-provided Tensorflow images, keys can be any user defined string that consists of any UTF-8 characters. For custom images, keys are the name of the output field in the prediction to be explained. Currently only one key is allowed. + + * `additional_properties`: Metadata of the prediction output to be explained. + + * `inputs`: Required. Map from feature names to feature input metadata. Keys are the name of the features. Values are the specification of the feature. An empty InputMetadata is valid. It describes a text feature which has the name specified as the key in ExplanationMetadata.inputs. The baseline of the empty feature is chosen by Vertex AI. For Vertex AI-provided Tensorflow images, the key can be any friendly name of the feature. Once specified, featureAttributions are keyed by this key (if not grouped with another feature). For custom images, the key must match with the key in instance. 
+ + * `additional_properties`: Metadata of the input of a feature. Fields other than InputMetadata.input_baselines are applicable only for Models that are using Vertex AI-provided images for Tensorflow. + + * `encryption_spec`: Represents a customer-managed encryption key spec that can be applied to a top-level resource. + + * `kms_key_name`: Required. The Cloud KMS resource identifier of the customer managed encryption key used to protect a resource. Has the form: `projects/my-project/locations/my-region/keyRings/my-kr/cryptoKeys/my-key`. The key needs to be in the same region as where the compute resource is created. + + * `pipeline_job`: Optional. This field is populated if the model is produced by a pipeline job. + + * `predict_schemata`: Contains the schemata used in Model's predictions and explanations via PredictionService.Predict, PredictionService.Explain and BatchPredictionJob. + + * `instance_schema_uri`: Immutable. Points to a YAML file stored on Google Cloud Storage describing the format of a single instance, which are used in PredictRequest.instances, ExplainRequest.instances and BatchPredictionJob.input_config. The schema is defined as an OpenAPI 3.0.2 [Schema Object](https://github.com/OAI/OpenAPI-Specification/blob/main/versions/3.0.2.md#schemaObject). AutoML Models always have this field populated by Vertex AI. Note: The URI given on output will be immutable and probably different, including the URI scheme, than the one given on input. The output URI will point to a location where the user only has a read access. + + * `parameters_schema_uri`: Immutable. Points to a YAML file stored on Google Cloud Storage describing the parameters of prediction and explanation via PredictRequest.parameters, ExplainRequest.parameters and BatchPredictionJob.model_parameters. The schema is defined as an OpenAPI 3.0.2 [Schema Object](https://github.com/OAI/OpenAPI-Specification/blob/main/versions/3.0.2.md#schemaObject). 
AutoML Models always have this field populated by Vertex AI, if no parameters are supported, then it is set to an empty string. Note: The URI given on output will be immutable and probably different, including the URI scheme, than the one given on input. The output URI will point to a location where the user only has a read access. + + * `prediction_schema_uri`: Immutable. Points to a YAML file stored on Google Cloud Storage describing the format of a single prediction produced by this Model, which are returned via PredictResponse.predictions, ExplainResponse.explanations, and BatchPredictionJob.output_config. The schema is defined as an OpenAPI 3.0.2 [Schema Object](https://github.com/OAI/OpenAPI-Specification/blob/main/versions/3.0.2.md#schemaObject). AutoML Models always have this field populated by Vertex AI. Note: The URI given on output will be immutable and probably different, including the URI scheme, than the one given on input. The output URI will point to a location where the user only has a read access. + + * `version_update_time`: Output only. Timestamp when this version was most recently updated. + + * `supported_export_formats`: Output only. The formats in which this Model may be exported. If empty, this Model is not available for export. + + * `exportable_contents`: Output only. The content of this Model that may be exported. + + * `id`: Output only. The ID of the export format. The possible format IDs are: * `tflite` Used for Android mobile devices. * `edgetpu-tflite` Used for [Edge TPU](https://cloud.google.com/edge-tpu/) devices. * `tf-saved-model` A tensorflow model in SavedModel format. * `tf-js` A [TensorFlow.js](https://www.tensorflow.org/js) model that can be used in the browser and in Node.js using JavaScript. * `core-ml` Used for iOS mobile devices. * `custom-trained` A Model that was uploaded or trained by custom code. + + * `original_model_info`: Contains information about the original Model if this Model is a copy. 
+ + * `model`: Output only. The resource name of the Model this Model is a copy of, including the revision. Format: `projects/{project}/locations/{location}/models/{model_id}@{version_id}` + + * `metadata_artifact`: Output only. The resource name of the Artifact that was created in MetadataStore when creating the Model. The Artifact resource name pattern is `projects/{project}/locations/{location}/metadataStores/{metadata_store}/artifacts/{artifact}`. + + * `supported_input_storage_formats`: Output only. The formats this Model supports in BatchPredictionJob.input_config. If PredictSchemata.instance_schema_uri exists, the instances should be given as per that schema. The possible formats are: * `jsonl` The JSON Lines format, where each instance is a single line. Uses GcsSource. * `csv` The CSV format, where each instance is a single comma-separated line. The first line in the file is the header, containing comma-separated field names. Uses GcsSource. * `tf-record` The TFRecord format, where each instance is a single record in tfrecord syntax. Uses GcsSource. * `tf-record-gzip` Similar to `tf-record`, but the file is gzipped. Uses GcsSource. * `bigquery` Each instance is a single row in BigQuery. Uses BigQuerySource. * `file-list` Each line of the file is the location of an instance to process, uses `gcs_source` field of the InputConfig object. If this Model doesn't support any of these formats it means it cannot be used with a BatchPredictionJob. However, if it has supported_deployment_resources_types, it could serve online predictions by using PredictionService.Predict or PredictionService.Explain. + + * `metadata_schema_uri`: Immutable. Points to a YAML file stored on Google Cloud Storage describing additional information about the Model, that is specific to it. Unset if the Model does not have any additional information. 
The schema is defined as an OpenAPI 3.0.2 [Schema Object](https://github.com/OAI/OpenAPI-Specification/blob/main/versions/3.0.2.md#schemaObject). AutoML Models always have this field populated by Vertex AI, if no additional metadata is needed, this field is set to an empty string. Note: The URI given on output will be immutable and probably different, including the URI scheme, than the one given on input. The output URI will point to a location where the user only has a read access. + + * `container_spec`: Specification of a container for serving predictions. Some fields in this message correspond to fields in the [Kubernetes Container v1 core specification](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.23/#container-v1-core). + + * `predict_route`: Immutable. HTTP path on the container to send prediction requests to. Vertex AI forwards requests sent using projects.locations.endpoints.predict to this path on the container's IP address and port. Vertex AI then returns the container's response in the API response. For example, if you set this field to `/foo`, then when Vertex AI receives a prediction request, it forwards the request body in a POST request to the `/foo` path on the port of your container specified by the first value of this `ModelContainerSpec`'s ports field. If you don't specify this field, it defaults to the following value when you deploy this Model to an Endpoint: /v1/endpoints/ENDPOINT/deployedModels/DEPLOYED_MODEL:predict The placeholders in this value are replaced as follows: * ENDPOINT: The last segment (following `endpoints/`)of the Endpoint.name][] field of the Endpoint where this Model has been deployed. (Vertex AI makes this value available to your container code as the [`AIP_ENDPOINT_ID` environment variable](https://cloud.google.com/vertex-ai/docs/predictions/custom-container-requirements#aip-variables).) * DEPLOYED_MODEL: DeployedModel.id of the `DeployedModel`. 
(Vertex AI makes this value available to your container code as the [`AIP_DEPLOYED_MODEL_ID` environment variable](https://cloud.google.com/vertex-ai/docs/predictions/custom-container-requirements#aip-variables).) + + * `image_uri`: Required. Immutable. URI of the Docker image to be used as the custom container for serving predictions. This URI must identify an image in Artifact Registry or Container Registry. Learn more about the [container publishing requirements](https://cloud.google.com/vertex-ai/docs/predictions/custom-container-requirements#publishing), including permissions requirements for the Vertex AI Service Agent. The container image is ingested upon ModelService.UploadModel, stored internally, and this original path is afterwards not used. To learn about the requirements for the Docker image itself, see [Custom container requirements](https://cloud.google.com/vertex-ai/docs/predictions/custom-container-requirements#). You can use the URI to one of Vertex AI's [pre-built container images for prediction](https://cloud.google.com/vertex-ai/docs/predictions/pre-built-containers) in this field. + + * `env`: Immutable. List of environment variables to set in the container. After the container starts running, code running in the container can read these environment variables. Additionally, the command and args fields can reference these variables. Later entries in this list can also reference earlier entries. For example, the following example sets the variable `VAR_2` to have the value `foo bar`: ```json [ { "name": "VAR_1", "value": "foo" }, { "name": "VAR_2", "value": "$(VAR_1) bar" } ] ``` If you switch the order of the variables in the example, then the expansion does not occur. This field corresponds to the `env` field of the Kubernetes Containers [v1 core API](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.23/#container-v1-core). + + * `name`: Required. Name of the environment variable. Must be a valid C identifier. 
+ + * `value`: Required. Variables that reference a $(VAR_NAME) are expanded using the previous defined environment variables in the container and any service environment variables. If a variable cannot be resolved, the reference in the input string will be unchanged. The $(VAR_NAME) syntax can be escaped with a double $$, ie: $$(VAR_NAME). Escaped references will never be expanded, regardless of whether the variable exists or not. + + * `args`: Immutable. Specifies arguments for the command that runs when the container starts. This overrides the container's [`CMD`](https://docs.docker.com/engine/reference/builder/#cmd). Specify this field as an array of executable and arguments, similar to a Docker `CMD`'s "default parameters" form. If you don't specify this field but do specify the command field, then the command from the `command` field runs without any additional arguments. See the [Kubernetes documentation about how the `command` and `args` fields interact with a container's `ENTRYPOINT` and `CMD`](https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/#notes). If you don't specify this field and don't specify the `command` field, then the container's [`ENTRYPOINT`](https://docs.docker.com/engine/reference/builder/#cmd) and `CMD` determine what runs based on their default behavior. See the Docker documentation about [how `CMD` and `ENTRYPOINT` interact](https://docs.docker.com/engine/reference/builder/#understand-how-cmd-and-entrypoint-interact). In this field, you can reference [environment variables set by Vertex AI](https://cloud.google.com/vertex-ai/docs/predictions/custom-container-requirements#aip-variables) and environment variables set in the env field. You cannot reference environment variables set in the Docker image. In order for environment variables to be expanded, reference them by using the following syntax: $( VARIABLE_NAME) Note that this differs from Bash variable expansion, which does not use parentheses. 
If a variable cannot be resolved, the reference in the input string is used unchanged. To avoid variable expansion, you can escape this syntax with `$$`; for example: $$(VARIABLE_NAME) This field corresponds to the `args` field of the Kubernetes Containers [v1 core API](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.23/#container-v1-core). + + * `command`: Immutable. Specifies the command that runs when the container starts. This overrides the container's [ENTRYPOINT](https://docs.docker.com/engine/reference/builder/#entrypoint). Specify this field as an array of executable and arguments, similar to a Docker `ENTRYPOINT`'s "exec" form, not its "shell" form. If you do not specify this field, then the container's `ENTRYPOINT` runs, in conjunction with the args field or the container's [`CMD`](https://docs.docker.com/engine/reference/builder/#cmd), if either exists. If this field is not specified and the container does not have an `ENTRYPOINT`, then refer to the Docker documentation about [how `CMD` and `ENTRYPOINT` interact](https://docs.docker.com/engine/reference/builder/#understand-how-cmd-and-entrypoint-interact). If you specify this field, then you can also specify the `args` field to provide additional arguments for this command. However, if you specify this field, then the container's `CMD` is ignored. See the [Kubernetes documentation about how the `command` and `args` fields interact with a container's `ENTRYPOINT` and `CMD`](https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/#notes). In this field, you can reference [environment variables set by Vertex AI](https://cloud.google.com/vertex-ai/docs/predictions/custom-container-requirements#aip-variables) and environment variables set in the env field. You cannot reference environment variables set in the Docker image. 
In order for environment variables to be expanded, reference them by using the following syntax: $( VARIABLE_NAME) Note that this differs from Bash variable expansion, which does not use parentheses. If a variable cannot be resolved, the reference in the input string is used unchanged. To avoid variable expansion, you can escape this syntax with `$$`; for example: $$(VARIABLE_NAME) This field corresponds to the `command` field of the Kubernetes Containers [v1 core API](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.23/#container-v1-core). + + * `ports`: Immutable. List of ports to expose from the container. Vertex AI sends any prediction requests that it receives to the first port on this list. Vertex AI also sends [liveness and health checks](https://cloud.google.com/vertex-ai/docs/predictions/custom-container-requirements#liveness) to this port. If you do not specify this field, it defaults to following value: ```json [ { "containerPort": 8080 } ] ``` Vertex AI does not use ports other than the first one listed. This field corresponds to the `ports` field of the Kubernetes Containers [v1 core API](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.23/#container-v1-core). + + * `container_port`: The number of the port to expose on the pod's IP address. Must be a valid port number, between 1 and 65535 inclusive. + + * `health_route`: Immutable. HTTP path on the container to send health checks to. Vertex AI intermittently sends GET requests to this path on the container's IP address and port to check that the container is healthy. Read more about [health checks](https://cloud.google.com/vertex-ai/docs/predictions/custom-container-requirements#health). For example, if you set this field to `/bar`, then Vertex AI intermittently sends a GET request to the `/bar` path on the port of your container specified by the first value of this `ModelContainerSpec`'s ports field. 
If you don't specify this field, it defaults to the following value when you deploy this Model to an Endpoint: /v1/endpoints/ENDPOINT/deployedModels/ DEPLOYED_MODEL:predict The placeholders in this value are replaced as follows: * ENDPOINT: The last segment (following `endpoints/`)of the Endpoint.name][] field of the Endpoint where this Model has been deployed. (Vertex AI makes this value available to your container code as the [`AIP_ENDPOINT_ID` environment variable](https://cloud.google.com/vertex-ai/docs/predictions/custom-container-requirements#aip-variables).) * DEPLOYED_MODEL: DeployedModel.id of the `DeployedModel`. (Vertex AI makes this value available to your container code as the [`AIP_DEPLOYED_MODEL_ID` environment variable](https://cloud.google.com/vertex-ai/docs/predictions/custom-container-requirements#aip-variables).) + + * `version_id`: Output only. Immutable. The version ID of the model. A new version is committed when a new model version is uploaded or trained under an existing model id. It is an auto-incrementing decimal number in string representation. + + * `artifact_uri`: Immutable. The path to the directory containing the Model artifact and any of its supporting files. Not present for AutoML Models or Large Models. + + * `training_pipeline`: Output only. The resource name of the TrainingPipeline that uploaded this Model, if any. + + * `display_name`: Required. The display name of the Model. The name can be up to 128 characters long and can consist of any UTF-8 characters. + + * `supported_deployment_resources_types`: Output only. When this Model is deployed, its prediction resources are described by the `prediction_resources` field of the Endpoint.deployed_models object. Because not all Models support all resource configuration types, the configuration types this Model supports are listed here. 
If no configuration types are listed, the Model cannot be deployed to an Endpoint and does not support online predictions (PredictionService.Predict or PredictionService.Explain). Such a Model can serve predictions by using a BatchPredictionJob, if it has at least one entry each in supported_input_storage_formats and supported_output_storage_formats. + + * `supported_output_storage_formats`: Output only. The formats this Model supports in BatchPredictionJob.output_config. If both PredictSchemata.instance_schema_uri and PredictSchemata.prediction_schema_uri exist, the predictions are returned together with their instances. In other words, the prediction has the original instance data first, followed by the actual prediction content (as per the schema). The possible formats are: * `jsonl` The JSON Lines format, where each prediction is a single line. Uses GcsDestination. * `csv` The CSV format, where each prediction is a single comma-separated line. The first line in the file is the header, containing comma-separated field names. Uses GcsDestination. * `bigquery` Each prediction is a single row in a BigQuery table, uses BigQueryDestination . If this Model doesn't support any of these formats it means it cannot be used with a BatchPredictionJob. However, if it has supported_deployment_resources_types, it could serve online predictions by using PredictionService.Predict or PredictionService.Explain. + + * `version_aliases`: User provided version aliases so that a model version can be referenced via alias (i.e. `projects/{project}/locations/{location}/models/{model_id}@{version_alias}` instead of auto-generated version id (i.e. `projects/{project}/locations/{location}/models/{model_id}@{version_id})`. The format is a-z{0,126}[a-z0-9] to distinguish from version_id. A default version alias will be created for the first version of the model, and there must be exactly one default version alias for a model. + + * `version_create_time`: Output only. 
Timestamp when this version was created. + + * `version_description`: The description of this version. + + * `labels`: The labels with user-defined metadata to organize your Models. Label keys and values can be no longer than 64 characters (Unicode codepoints), can only contain lowercase letters, numeric characters, underscores and dashes. International characters are allowed. See https://goo.gl/xmQnxf for more information and examples of labels. + + * `additional_properties`: + + +## GCP permissions diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_vertex_ai_model_deployment_monitoring_job.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_vertex_ai_model_deployment_monitoring_job.md new file mode 100644 index 0000000..3dcb21b --- /dev/null +++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_vertex_ai_model_deployment_monitoring_job.md 
@@ -0,0 +1,233 @@ ++++ +title = "google_vertex_ai_model_deployment_monitoring_job resource" + +draft = false + + +[menu.gcp] +title = "google_vertex_ai_model_deployment_monitoring_job" +identifier = "inspec/resources/gcp/google_vertex_ai_model_deployment_monitoring_job resource" +parent = "inspec/resources/gcp" ++++ + +Use the `google_vertex_ai_model_deployment_monitoring_job` InSpec audit resource to to test a Google Cloud ModelDeploymentMonitoringJob resource. + +## Examples + +```ruby +describe google_vertex_ai_model_deployment_monitoring_job(name: "projects/#{gcp_project_id}/locations/#{model_deployment_monitoring_job['region']}/modelDeploymentMonitoringJobs/#{model_deployment_monitoring_job['name']}", region: ' value_region') do + it { should exist } + its('state') { should cmp 'value_state' } + its('analysis_instance_schema_uri') { should cmp 'value_analysisinstanceschemauri' } + its('endpoint') { should cmp 'value_endpoint' } + its('display_name') { should cmp 'value_displayname' } + its('schedule_state') { should cmp 'value_schedulestate' } + its('predict_instance_schema_uri') { should cmp 'value_predictinstanceschemauri' } + its('next_schedule_time') { should cmp 'value_nextscheduletime' } + its('create_time') { should cmp 'value_createtime' } + its('log_ttl') { should cmp 'value_logttl' } + its('update_time') { should cmp 'value_updatetime' } + its('name') { should cmp 'value_name' } + +end + +describe google_vertex_ai_model_deployment_monitoring_job(name: "does_not_exit", region: ' value_region') do + it { should_not exist } +end +``` + +## Properties + +Properties that can be accessed from the `google_vertex_ai_model_deployment_monitoring_job` resource: + + + * `model_deployment_monitoring_objective_configs`: Required. The config for monitoring objectives. This is a per DeployedModel config. Each DeployedModel needs to be configured separately. 
+ + * `objective_config`: The objective configuration for model monitoring, including the information needed to detect anomalies for one particular model. + + * `explanation_config`: The config for integrating with Vertex Explainable AI. Only applicable if the Model has explanation_spec populated. + + * `explanation_baseline`: Output from BatchPredictionJob for Model Monitoring baseline dataset, which can be used to generate baseline attribution scores. + + * `prediction_format`: The storage format of the predictions generated BatchPrediction job. + Possible values: + * PREDICTION_FORMAT_UNSPECIFIED + * JSONL + * BIGQUERY + + * `gcs`: The Google Cloud Storage location where the output is to be written to. + + * `output_uri_prefix`: Required. Google Cloud Storage URI to output directory. If the uri doesn't end with '/', a '/' will be automatically appended. The directory is created if it doesn't exist. + + * `bigquery`: The BigQuery location for the output content. + + * `output_uri`: Required. BigQuery URI to a project or table, up to 2000 characters long. When only the project is specified, the Dataset and Table is created. When the full table reference is specified, the Dataset must exist and table must not exist. Accepted forms: * BigQuery path. For example: `bq://projectId` or `bq://projectId.bqDatasetId` or `bq://projectId.bqDatasetId.bqTableId`. + + * `enable_feature_attributes`: If want to analyze the Vertex Explainable AI feature attribute scores or not. If set to true, Vertex AI will log the feature attributions from explain response and do the skew/drift detection for them. + + * `training_dataset`: Training Dataset information. + + * `logging_sampling_strategy`: Sampling Strategy for logging, can be for both training and prediction dataset. + + * `random_sample_config`: Requests are randomly selected. + + * `sample_rate`: Sample rate (0, 1] + + * `dataset`: The resource name of the Dataset used to train this Model. 
+ + * `gcs_source`: The Google Cloud Storage location for the input content. + + * `uris`: Required. Google Cloud Storage URI(-s) to the input file(s). May contain wildcards. For more information on wildcards, see https://cloud.google.com/storage/docs/gsutil/addlhelp/WildcardNames. + + * `target_field`: The target field name the model is to predict. This field will be excluded when doing Predict and (or) Explain for the training data. + + * `bigquery_source`: The BigQuery location for the input content. + + * `input_uri`: Required. BigQuery URI to a table, up to 2000 characters long. Accepted forms: * BigQuery path. For example: `bq://projectId.bqDatasetId.bqTableId`. + + * `data_format`: Data format of the dataset, only applicable if the input is from Google Cloud Storage. The possible formats are: "tf-record" The source file is a TFRecord file. "csv" The source file is a CSV file. "jsonl" The source file is a JSONL file. + + * `training_prediction_skew_detection_config`: The config for Training & Prediction data skew detection. It specifies the training dataset sources and the skew detection parameters. + + * `skew_thresholds`: Key is the feature name and value is the threshold. If a feature needs to be monitored for skew, a value threshold must be configured for that feature. The threshold here is against feature distribution distance between the training and prediction feature. + + * `additional_properties`: The config for feature monitoring threshold. + + * `default_skew_threshold`: The config for feature monitoring threshold. + + * `value`: Specify a threshold value that can trigger the alert. If this threshold config is for feature distribution distance: 1. For categorical feature, the distribution distance is calculated by L-inifinity norm. 2. For numerical feature, the distribution distance is calculated by Jensen–Shannon divergence. Each feature must have a non-zero threshold if they need to be monitored. 
Otherwise no alert will be triggered for that feature. + + * `attribution_score_skew_thresholds`: Key is the feature name and value is the threshold. The threshold here is against attribution score distance between the training and prediction feature. + + * `additional_properties`: The config for feature monitoring threshold. + + * `prediction_drift_detection_config`: The config for Prediction data drift detection. + + * `attribution_score_drift_thresholds`: Key is the feature name and value is the threshold. The threshold here is against attribution score distance between different time windows. + + * `additional_properties`: The config for feature monitoring threshold. + + * `drift_thresholds`: Key is the feature name and value is the threshold. If a feature needs to be monitored for drift, a value threshold must be configured for that feature. The threshold here is against feature distribution distance between different time windws. + + * `additional_properties`: The config for feature monitoring threshold. + + * `default_drift_threshold`: The config for feature monitoring threshold. + + * `value`: Specify a threshold value that can trigger the alert. If this threshold config is for feature distribution distance: 1. For categorical feature, the distribution distance is calculated by L-inifinity norm. 2. For numerical feature, the distribution distance is calculated by Jensen–Shannon divergence. Each feature must have a non-zero threshold if they need to be monitored. Otherwise no alert will be triggered for that feature. + + * `deployed_model_id`: The DeployedModel ID of the objective config. + + * `labels`: The labels with user-defined metadata to organize your ModelDeploymentMonitoringJob. Label keys and values can be no longer than 64 characters (Unicode codepoints), can only contain lowercase letters, numeric characters, underscores and dashes. International characters are allowed. See https://goo.gl/xmQnxf for more information and examples of labels. 
+ + * `additional_properties`: + + * `state`: Output only. The detailed state of the monitoring job. When the job is still creating, the state will be 'PENDING'. Once the job is successfully created, the state will be 'RUNNING'. Pause the job, the state will be 'PAUSED'. Resume the job, the state will return to 'RUNNING'. + Possible values: + * JOB_STATE_UNSPECIFIED + * JOB_STATE_QUEUED + * JOB_STATE_PENDING + * JOB_STATE_RUNNING + * JOB_STATE_SUCCEEDED + * JOB_STATE_FAILED + * JOB_STATE_CANCELLING + * JOB_STATE_CANCELLED + * JOB_STATE_PAUSED + * JOB_STATE_EXPIRED + * JOB_STATE_UPDATING + * JOB_STATE_PARTIALLY_SUCCEEDED + + * `analysis_instance_schema_uri`: YAML schema file uri describing the format of a single instance that you want Tensorflow Data Validation (TFDV) to analyze. If this field is empty, all the feature data types are inferred from predict_instance_schema_uri, meaning that TFDV will use the data in the exact format(data type) as prediction request/response. If there are any data type differences between predict instance and TFDV instance, this field can be used to override the schema. For models trained with Vertex AI, this field must be set as all the fields in predict instance formatted as string. + + * `enable_monitoring_pipeline_logs`: If true, the scheduled monitoring pipeline logs are sent to Google Cloud Logging, including pipeline status and anomalies detected. Please note the logs incur cost, which are subject to [Cloud Logging pricing](https://cloud.google.com/logging#pricing). + + * `endpoint`: Required. Endpoint resource name. Format: `projects/{project}/locations/{location}/endpoints/{endpoint}` + + * `logging_sampling_strategy`: Sampling Strategy for logging, can be for both training and prediction dataset. + + * `random_sample_config`: Requests are randomly selected. + + * `sample_rate`: Sample rate (0, 1] + + * `bigquery_tables`: Output only. The created bigquery tables for the job under customer project. 
Customer could do their own query & analysis. There could be 4 log tables in maximum: 1. Training data logging predict request/response 2. Serving data logging predict request/response + + * `log_source`: The source of log. + Possible values: + * LOG_SOURCE_UNSPECIFIED + * TRAINING + * SERVING + + * `bigquery_table_path`: The created BigQuery table to store logs. Customer could do their own query & analysis. Format: `bq://.model_deployment_monitoring_._` + + * `log_type`: The type of log. + Possible values: + * LOG_TYPE_UNSPECIFIED + * PREDICT + * EXPLAIN + + * `display_name`: Required. The user-defined name of the ModelDeploymentMonitoringJob. The name can be up to 128 characters long and can consist of any UTF-8 characters. Display name of a ModelDeploymentMonitoringJob. + + * `schedule_state`: Output only. Schedule state when the monitoring job is in Running state. + Possible values: + * MONITORING_SCHEDULE_STATE_UNSPECIFIED + * PENDING + * OFFLINE + * RUNNING + + * `error`: The `Status` type defines a logical error model that is suitable for different programming environments, including REST APIs and RPC APIs. It is used by [gRPC](https://github.com/grpc). Each `Status` message contains three pieces of data: error code, error message, and error details. You can find out more about this error model and how to work with it in the [API Design Guide](https://cloud.google.com/apis/design/errors). + + * `details`: A list of messages that carry the error details. There is a common set of message types for APIs to use. + + * `code`: The status code, which should be an enum value of google.rpc.Code. + + * `message`: A developer-facing error message, which should be in English. Any user-facing error message should be localized and sent in the google.rpc.Status.details field, or localized by the client. + + * `model_monitoring_alert_config`: + + * `email_alert_config`: The config for email alert. + + * `user_emails`: The email addresses to send the alert. 
+ + * `enable_logging`: Dump the anomalies to Cloud Logging. The anomalies will be put to json payload encoded from proto google.cloud.aiplatform.logging.ModelMonitoringAnomaliesLogEntry. This can be further sinked to Pub/Sub or any other services supported by Cloud Logging. + + * `latest_monitoring_pipeline_metadata`: All metadata of most recent monitoring pipelines. + + * `status`: The `Status` type defines a logical error model that is suitable for different programming environments, including REST APIs and RPC APIs. It is used by [gRPC](https://github.com/grpc). Each `Status` message contains three pieces of data: error code, error message, and error details. You can find out more about this error model and how to work with it in the [API Design Guide](https://cloud.google.com/apis/design/errors). + + * `details`: A list of messages that carry the error details. There is a common set of message types for APIs to use. + + * `code`: The status code, which should be an enum value of google.rpc.Code. + + * `message`: A developer-facing error message, which should be in English. Any user-facing error message should be localized and sent in the google.rpc.Status.details field, or localized by the client. + + * `run_time`: The time that most recent monitoring pipelines that is related to this run. + + * `sample_predict_instance`: Sample Predict instance, same format as PredictRequest.instances, this can be set as a replacement of ModelDeploymentMonitoringJob.predict_instance_schema_uri. If not set, we will generate predict schema from collected predict requests. + + * `predict_instance_schema_uri`: YAML schema file uri describing the format of a single instance, which are given to format this Endpoint's prediction (and explanation). If not set, we will generate predict schema from collected predict requests. + + * `next_schedule_time`: Output only. Timestamp when this monitoring pipeline will be scheduled to run for the next round. + + * `create_time`: Output only. 
Timestamp when this ModelDeploymentMonitoringJob was created. + + * `log_ttl`: The TTL of BigQuery tables in user projects which stores logs. A day is the basic unit of the TTL and we take the ceil of TTL/86400(a day). e.g. { second: 3600} indicates ttl = 1 day. + + * `stats_anomalies_base_directory`: The Google Cloud Storage location where the output is to be written to. + + * `output_uri_prefix`: Required. Google Cloud Storage URI to output directory. If the uri doesn't end with '/', a '/' will be automatically appended. The directory is created if it doesn't exist. + + * `update_time`: Output only. Timestamp when this ModelDeploymentMonitoringJob was updated most recently. + + * `model_deployment_monitoring_schedule_config`: The config for scheduling monitoring job. + + * `monitor_window`: The time window of the prediction data being included in each prediction dataset. This window specifies how long the data should be collected from historical model results for each run. If not set, ModelDeploymentMonitoringScheduleConfig.monitor_interval will be used. e.g. If currently the cutoff time is 2022-01-08 14:30:00 and the monitor_window is set to be 3600, then data from 2022-01-08 13:30:00 to 2022-01-08 14:30:00 will be retrieved and aggregated to calculate the monitoring statistics. + + * `monitor_interval`: Required. The model monitoring job scheduling interval. It will be rounded up to next full hour. This defines how often the monitoring jobs are triggered. + + * `encryption_spec`: Represents a customer-managed encryption key spec that can be applied to a top-level resource. + + * `kms_key_name`: Required. The Cloud KMS resource identifier of the customer managed encryption key used to protect a resource. Has the form: `projects/my-project/locations/my-region/keyRings/my-kr/cryptoKeys/my-key`. The key needs to be in the same region as where the compute resource is created. + + * `name`: Output only. Resource name of a ModelDeploymentMonitoringJob. 
+ + +## GCP permissions diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_vertex_ai_model_deployment_monitoring_jobs.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_vertex_ai_model_deployment_monitoring_jobs.md new file mode 100644 index 0000000..589c729 --- /dev/null +++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_vertex_ai_model_deployment_monitoring_jobs.md 
@@ -0,0 +1,58 @@ ++++ +title = "google_vertex_ai_model_deployment_monitoring_jobs resource" + +draft = false + + +[menu.gcp] +title = "google_vertex_ai_model_deployment_monitoring_jobs" +identifier = "inspec/resources/gcp/google_vertex_ai_model_deployment_monitoring_jobs resource" +parent = "inspec/resources/gcp" ++++ + +Use the `google_vertex_ai_model_deployment_monitoring_jobs` InSpec audit resource to to test a Google Cloud ModelDeploymentMonitoringJob resource. + +## Examples + +```ruby + describe google_vertex_ai_model_deployment_monitoring_jobs(parent: "projects/#{gcp_project_id}/locations/#{model_deployment_monitoring_job['region']}", region: ' value_region') do + it { should exist } + end +``` + +## Properties + +Properties that can be accessed from the `google_vertex_ai_model_deployment_monitoring_jobs` resource: + +See [google_vertex_ai_model_deployment_monitoring_job](google_vertex_ai_model_deployment_monitoring_job) for more detailed information. + + * `model_deployment_monitoring_objective_configs`: an array of `google_vertex_ai_model_deployment_monitoring_job` model_deployment_monitoring_objective_configs + * `labels`: an array of `google_vertex_ai_model_deployment_monitoring_job` labels + * `states`: an array of `google_vertex_ai_model_deployment_monitoring_job` state + * `analysis_instance_schema_uris`: an array of `google_vertex_ai_model_deployment_monitoring_job` analysis_instance_schema_uri + * `enable_monitoring_pipeline_logs`: an array of `google_vertex_ai_model_deployment_monitoring_job` enable_monitoring_pipeline_logs + * `endpoints`: an array of `google_vertex_ai_model_deployment_monitoring_job` endpoint + * `logging_sampling_strategies`: an array of `google_vertex_ai_model_deployment_monitoring_job` logging_sampling_strategy + * `bigquery_tables`: an array of `google_vertex_ai_model_deployment_monitoring_job` bigquery_tables + * `display_names`: an array of `google_vertex_ai_model_deployment_monitoring_job` display_name + * 
`schedule_states`: an array of `google_vertex_ai_model_deployment_monitoring_job` schedule_state + * `errors`: an array of `google_vertex_ai_model_deployment_monitoring_job` error + * `model_monitoring_alert_configs`: an array of `google_vertex_ai_model_deployment_monitoring_job` model_monitoring_alert_config + * `latest_monitoring_pipeline_metadata`: an array of `google_vertex_ai_model_deployment_monitoring_job` latest_monitoring_pipeline_metadata + * `sample_predict_instances`: an array of `google_vertex_ai_model_deployment_monitoring_job` sample_predict_instance + * `predict_instance_schema_uris`: an array of `google_vertex_ai_model_deployment_monitoring_job` predict_instance_schema_uri + * `next_schedule_times`: an array of `google_vertex_ai_model_deployment_monitoring_job` next_schedule_time + * `create_times`: an array of `google_vertex_ai_model_deployment_monitoring_job` create_time + * `log_ttls`: an array of `google_vertex_ai_model_deployment_monitoring_job` log_ttl + * `stats_anomalies_base_directories`: an array of `google_vertex_ai_model_deployment_monitoring_job` stats_anomalies_base_directory + * `update_times`: an array of `google_vertex_ai_model_deployment_monitoring_job` update_time + * `model_deployment_monitoring_schedule_configs`: an array of `google_vertex_ai_model_deployment_monitoring_job` model_deployment_monitoring_schedule_config + * `encryption_specs`: an array of `google_vertex_ai_model_deployment_monitoring_job` encryption_spec + * `names`: an array of `google_vertex_ai_model_deployment_monitoring_job` name + +## Filter criteria + +This resource supports all of the above properties as filter criteria, which can be used +with `where` as a block or a method. + +## GCP permissions diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_vertex_ai_model_evaluation_slice.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_vertex_ai_model_evaluation_slice.md new file mode 100644 index 0000000..63d0625 
--- /dev/null +++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_vertex_ai_model_evaluation_slice.md 
@@ -0,0 +1,75 @@ ++++ +title = "google_vertex_ai_model_evaluation_slice resource" + +draft = false + + +[menu.gcp] +title = "google_vertex_ai_model_evaluation_slice" +identifier = "inspec/resources/gcp/google_vertex_ai_model_evaluation_slice resource" +parent = "inspec/resources/gcp" ++++ + +Use the `google_vertex_ai_model_evaluation_slice` InSpec audit resource to to test a Google Cloud ModelEvaluationSlice resource. + +## Examples + +```ruby +describe google_vertex_ai_model_evaluation_slice(name: "projects/#{gcp_project_id}/locations/#{models_evaluations_slice['region']}/models/#{models_evaluations_slice['model']}/evaluations/#{models_evaluations_slice['evaluation']}/slices/#{models_evaluations_slice['slice']}", region: ' value_region') do + it { should exist } + its('create_time') { should cmp 'value_createtime' } + its('name') { should cmp 'value_name' } + its('metrics_schema_uri') { should cmp 'value_metricsschemauri' } + +end + +describe google_vertex_ai_model_evaluation_slice(name: "does_not_exit", region: ' value_region') do + it { should_not exist } +end +``` + +## Properties + +Properties that can be accessed from the `google_vertex_ai_model_evaluation_slice` resource: + + + * `create_time`: Output only. Timestamp when this ModelEvaluationSlice was created. + + * `model_explanation`: Aggregated explanation metrics for a Model over a set of instances. + + * `mean_attributions`: Output only. Aggregated attributions explaining the Model's prediction outputs over the set of instances. The attributions are grouped by outputs. For Models that predict only one output, such as regression Models that predict only one score, there is only one attibution that explains the predicted output. For Models that predict multiple outputs, such as multiclass Models that predict multiple classes, each element explains one specific item. Attribution.output_index can be used to identify which output this attribution is explaining. 
The baselineOutputValue, instanceOutputValue and featureAttributions fields are averaged over the test data. NOTE: Currently AutoML tabular classification Models produce only one attribution, which averages attributions over all the classes it predicts. Attribution.approximation_error is not populated. + + * `output_display_name`: Output only. The display name of the output identified by output_index. For example, the predicted class name by a multi-classification Model. This field is only populated iff the Model predicts display names as a separate field along with the explained output. The predicted display name must has the same shape of the explained output, and can be located using output_index. + + * `baseline_output_value`: Output only. Model predicted output if the input instance is constructed from the baselines of all the features defined in ExplanationMetadata.inputs. The field name of the output is determined by the key in ExplanationMetadata.outputs. If the Model's predicted output has multiple dimensions (rank > 1), this is the value in the output located by output_index. If there are multiple baselines, their output values are averaged. + + * `output_name`: Output only. Name of the explain output. Specified as the key in ExplanationMetadata.outputs. + + * `feature_attributions`: Output only. Attributions of each explained feature. Features are extracted from the prediction instances according to explanation metadata for inputs. The value is a struct, whose keys are the name of the feature. The values are how much the feature in the instance contributed to the predicted result. The format of the value is determined by the feature's input format: * If the feature is a scalar value, the attribution value is a floating number. * If the feature is an array of scalar values, the attribution value is an array. * If the feature is a struct, the attribution value is a struct. 
The keys in the attribution value struct are the same as the keys in the feature struct. The formats of the values in the attribution struct are determined by the formats of the values in the feature struct. The ExplanationMetadata.feature_attributions_schema_uri field, pointed to by the ExplanationSpec field of the Endpoint.deployed_models object, points to the schema file that describes the features and their attribution values (if it is populated). + + * `output_index`: Output only. The index that locates the explained prediction output. If the prediction output is a scalar value, output_index is not populated. If the prediction output has multiple dimensions, the length of the output_index list is the same as the number of dimensions of the output. The i-th element in output_index is the element index of the i-th dimension of the output vector. Indices start from 0. + + * `instance_output_value`: Output only. Model predicted output on the corresponding explanation instance. The field name of the output is determined by the key in ExplanationMetadata.outputs. If the Model predicted output has multiple dimensions, this is the value in the output located by output_index. + + * `approximation_error`: Output only. Error of feature_attributions caused by approximation used in the explanation method. Lower value means more precise attributions. * For Sampled Shapley attribution, increasing path_count might reduce the error. * For Integrated Gradients attribution, increasing step_count might reduce the error. * For XRAI attribution, increasing step_count might reduce the error. See [this introduction](/vertex-ai/docs/explainable-ai/overview) for more information. + + * `name`: Output only. The resource name of the ModelEvaluationSlice. + + * `metrics`: Output only. Sliced evaluation metrics of the Model. The schema of the metrics is stored in metrics_schema_uri + + * `slice`: Definition of a slice. + + * `value`: Output only. The value of the dimension in this slice. 
+ + * `dimension`: Output only. The dimension of the slice. Well-known dimensions are: * `annotationSpec`: This slice is on the test data that has either ground truth or prediction with AnnotationSpec.display_name equals to value. * `slice`: This slice is a user customized slice defined by its SliceSpec. + + * `slice_spec`: Specification for how the data should be sliced. + + * `configs`: Mapping configuration for this SliceSpec. The key is the name of the feature. By default, the key will be prefixed by "instance" as a dictionary prefix for Vertex Batch Predictions output format. + + * `additional_properties`: Specification message containing the config for this SliceSpec. When `kind` is selected as `value` and/or `range`, only a single slice will be computed. When `all_values` is present, a separate slice will be computed for each possible label/value for the corresponding key in `config`. Examples, with feature zip_code with values 12345, 23334, 88888 and feature country with values "US", "Canada", "Mexico" in the dataset: Example 1: { "zip_code": { "value": { "float_value": 12345.0 } } } A single slice for any data with zip_code 12345 in the dataset. Example 2: { "zip_code": { "range": { "low": 12345, "high": 20000 } } } A single slice containing data where the zip_codes between 12345 and 20000 For this example, data with the zip_code of 12345 will be in this slice. Example 3: { "zip_code": { "range": { "low": 10000, "high": 20000 } }, "country": { "value": { "string_value": "US" } } } A single slice containing data where the zip_codes between 10000 and 20000 has the country "US". For this example, data with the zip_code of 12345 and country "US" will be in this slice. Example 4: { "country": {"all_values": { "value": true } } } Three slices are computed, one for each unique country in the dataset. 
Example 5: { "country": { "all_values": { "value": true } }, "zip_code": { "value": { "float_value": 12345.0 } } } Three slices are computed, one for each unique country in the dataset where the zip_code is also 12345. For this example, data with zip_code 12345 and country "US" will be in one slice, zip_code 12345 and country "Canada" in another slice, and zip_code 12345 and country "Mexico" in another slice, totaling 3 slices. + + * `metrics_schema_uri`: Output only. Points to a YAML file stored on Google Cloud Storage describing the metrics of this ModelEvaluationSlice. The schema is defined as an OpenAPI 3.0.2 [Schema Object](https://github.com/OAI/OpenAPI-Specification/blob/main/versions/3.0.2.md#schemaObject). + + +## GCP permissions diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_vertex_ai_model_evaluation_slices.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_vertex_ai_model_evaluation_slices.md new file mode 100644 index 0000000..021653a --- /dev/null +++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_vertex_ai_model_evaluation_slices.md 
@@ -0,0 +1,41 @@ ++++ +title = "google_vertex_ai_model_evaluation_slices resource" + +draft = false + + +[menu.gcp] +title = "google_vertex_ai_model_evaluation_slices" +identifier = "inspec/resources/gcp/google_vertex_ai_model_evaluation_slices resource" +parent = "inspec/resources/gcp" ++++ + +Use the `google_vertex_ai_model_evaluation_slices` InSpec audit resource to to test a Google Cloud ModelEvaluationSlice resource. + +## Examples + +```ruby + describe google_vertex_ai_model_evaluation_slices(parent: "projects/#{gcp_project_id}/locations/#{models_evaluations_slice['region']}/models/#{models_evaluations_slice['model']}/evaluations/#{models_evaluations_slice['evaluation']}", region: ' value_region') do + it { should exist } + end +``` + +## Properties + +Properties that can be accessed from the `google_vertex_ai_model_evaluation_slices` resource: + +See [google_vertex_ai_model_evaluation_slice](google_vertex_ai_model_evaluation_slice) for more detailed information. + + * `create_times`: an array of `google_vertex_ai_model_evaluation_slice` create_time + * `model_explanations`: an array of `google_vertex_ai_model_evaluation_slice` model_explanation + * `names`: an array of `google_vertex_ai_model_evaluation_slice` name + * `metrics`: an array of `google_vertex_ai_model_evaluation_slice` metrics + * `slices`: an array of `google_vertex_ai_model_evaluation_slice` slice + * `metrics_schema_uris`: an array of `google_vertex_ai_model_evaluation_slice` metrics_schema_uri + +## Filter criteria + +This resource supports all of the above properties as filter criteria, which can be used +with `where` as a block or a method. + +## GCP permissions diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_vertex_ai_models.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_vertex_ai_models.md new file mode 100644 index 0000000..7646e92 --- /dev/null 
+++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_vertex_ai_models.md 
@@ -0,0 +1,64 @@
++++
+title = "google_vertex_ai_models resource"
+
+draft = false
+
+
+[menu.gcp]
+title = "google_vertex_ai_models"
+identifier = "inspec/resources/gcp/google_vertex_ai_models resource"
+parent = "inspec/resources/gcp"
++++
+
+Use the `google_vertex_ai_models` InSpec audit resource to to test a Google Cloud Model resource.
+
+## Examples
+
+```ruby
+ describe google_vertex_ai_models(parent: "projects/#{gcp_project_id}/locations/#{model['region']}", region: ' value_region') do
+ it { should exist }
+ end
+```
+
+## Properties
+
+Properties that can be accessed from the `google_vertex_ai_models` resource:
+
+See [google_vertex_ai_model](google_vertex_ai_model) for more detailed information.
+
+ * `model_source_infos`: an array of `google_vertex_ai_model` model_source_info
+ * `names`: an array of `google_vertex_ai_model` name
+ * `metadata`: an array of `google_vertex_ai_model` metadata
+ * `update_times`: an array of `google_vertex_ai_model` update_time
+ * `etags`: an array of `google_vertex_ai_model` etag
+ * `descriptions`: an array of `google_vertex_ai_model` description
+ * `deployed_models`: an array of `google_vertex_ai_model` deployed_models
+ * `create_times`: an array of `google_vertex_ai_model` create_time
+ * `explanation_specs`: an array of `google_vertex_ai_model` explanation_spec
+ * `encryption_specs`: an array of `google_vertex_ai_model` encryption_spec
+ * `pipeline_jobs`: an array of `google_vertex_ai_model` pipeline_job
+ * `predict_schemata`: an array of `google_vertex_ai_model` predict_schemata
+ * `version_update_times`: an array of `google_vertex_ai_model` version_update_time
+ * `supported_export_formats`: an array of `google_vertex_ai_model` supported_export_formats
+ * `original_model_infos`: an array of `google_vertex_ai_model` original_model_info
+ * `metadata_artifacts`: an array of `google_vertex_ai_model` metadata_artifact
+ * `supported_input_storage_formats`: an array of `google_vertex_ai_model` supported_input_storage_formats
+ * `metadata_schema_uris`: an array of `google_vertex_ai_model` metadata_schema_uri
+ * `container_specs`: an array of `google_vertex_ai_model` container_spec
+ * `version_ids`: an array of `google_vertex_ai_model` version_id
+ * `artifact_uris`: an array of `google_vertex_ai_model` artifact_uri
+ * `training_pipelines`: an array of `google_vertex_ai_model` training_pipeline
+ * `display_names`: an array of `google_vertex_ai_model` display_name
+ * `supported_deployment_resources_types`: an array of `google_vertex_ai_model` supported_deployment_resources_types
+ * `supported_output_storage_formats`: an array of `google_vertex_ai_model` supported_output_storage_formats
+ * `version_aliases`: an array of `google_vertex_ai_model` version_aliases
+ * `version_create_times`: an array of `google_vertex_ai_model` version_create_time
+ * `version_descriptions`: an array of `google_vertex_ai_model` version_description
+ * `labels`: an array of `google_vertex_ai_model` labels
+
+## Filter criteria
+
+This resource supports all of the above properties as filter criteria, which can be used
+with `where` as a block or a method.
+
+## GCP permissions
diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_vertex_ai_models_evaluation.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_vertex_ai_models_evaluation.md
new file mode 100644
index 0000000..c09108f
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_vertex_ai_models_evaluation.md
@@ -0,0 +1,181 @@
++++
+title = "google_vertex_ai_models_evaluation resource"
+
+draft = false
+
+
+[menu.gcp]
+title = "google_vertex_ai_models_evaluation"
+identifier = "inspec/resources/gcp/google_vertex_ai_models_evaluation resource"
+parent = "inspec/resources/gcp"
++++
+
+Use the `google_vertex_ai_models_evaluation` InSpec audit resource to to test a Google Cloud ModelsEvaluation resource.
+
+## Examples
+
+```ruby
+describe google_vertex_ai_models_evaluation(name: "projects/#{gcp_project_id}/locations/#{models_evaluation['region']}/models/#{models_evaluation['model']}/evaluations/#{models_evaluation['name']}", region: ' value_region') do
+ it { should exist }
+ its('data_item_schema_uri') { should cmp 'value_dataitemschemauri' }
+ its('metrics_schema_uri') { should cmp 'value_metricsschemauri' }
+ its('create_time') { should cmp 'value_createtime' }
+ its('annotation_schema_uri') { should cmp 'value_annotationschemauri' }
+ its('name') { should cmp 'value_name' }
+ its('display_name') { should cmp 'value_displayname' }
+
+end
+
+describe google_vertex_ai_models_evaluation(name: "does_not_exit", region: ' value_region') do
+ it { should_not exist }
+end
+```
+
+## Properties
+
+Properties that can be accessed from the `google_vertex_ai_models_evaluation` resource:
+
+
+ * `data_item_schema_uri`: Points to a YAML file stored on Google Cloud Storage describing EvaluatedDataItemView.data_item_payload and EvaluatedAnnotation.data_item_payload. The schema is defined as an OpenAPI 3.0.2 [Schema Object](https://github.com/OAI/OpenAPI-Specification/blob/main/versions/3.0.2.md#schemaObject). This field is not populated if there are neither EvaluatedDataItemViews nor EvaluatedAnnotations under this ModelEvaluation.
+
+ * `metadata`: The metadata of the ModelEvaluation. For the ModelEvaluation uploaded from Managed Pipeline, metadata contains a structured value with keys of "pipeline_job_id", "evaluation_dataset_type", "evaluation_dataset_path".
+
+ * `metrics_schema_uri`: Points to a YAML file stored on Google Cloud Storage describing the metrics of this ModelEvaluation. The schema is defined as an OpenAPI 3.0.2 [Schema Object](https://github.com/OAI/OpenAPI-Specification/blob/main/versions/3.0.2.md#schemaObject).
+
+ * `create_time`: Output only. Timestamp when this ModelEvaluation was created.
+
+ * `annotation_schema_uri`: Points to a YAML file stored on Google Cloud Storage describing EvaluatedDataItemView.predictions, EvaluatedDataItemView.ground_truths, EvaluatedAnnotation.predictions, and EvaluatedAnnotation.ground_truths. The schema is defined as an OpenAPI 3.0.2 [Schema Object](https://github.com/OAI/OpenAPI-Specification/blob/main/versions/3.0.2.md#schemaObject). This field is not populated if there are neither EvaluatedDataItemViews nor EvaluatedAnnotations under this ModelEvaluation.
+
+ * `metrics`: Evaluation metrics of the Model. The schema of the metrics is stored in metrics_schema_uri
+
+ * `explanation_specs`: Describes the values of ExplanationSpec that are used for explaining the predicted values on the evaluated data.
+
+ * `explanation_spec`: Specification of Model explanation.
+
+ * `parameters`: Parameters to configure explaining for Model's predictions.
+
+ * `output_indices`: If populated, only returns attributions that have output_index contained in output_indices. It must be an ndarray of integers, with the same shape of the output it's explaining. If not populated, returns attributions for top_k indices of outputs. If neither top_k nor output_indices is populated, returns the argmax index of the outputs. Only applicable to Models that predict multiple outputs (e,g, multi-class Models that predict multiple classes).
+
+ * `examples`: Example-based explainability that returns the nearest neighbors from the provided dataset.
+
+ * `presets`: Preset configuration for example-based explanations
+
+ * `modality`: The modality of the uploaded model, which automatically configures the distance measurement and feature normalization for the underlying example index and queries. If your model does not precisely fit one of these types, it is okay to choose the closest type.
+ Possible values:
+ * MODALITY_UNSPECIFIED
+ * IMAGE
+ * TEXT
+ * TABULAR
+
+ * `query`: Preset option controlling parameters for speed-precision trade-off when querying for examples. If omitted, defaults to `PRECISE`.
+ Possible values:
+ * PRECISE
+ * FAST
+
+ * `neighbor_count`: The number of neighbors to return when querying for examples.
+
+ * `example_gcs_source`: The Cloud Storage input instances.
+
+ * `gcs_source`: The Google Cloud Storage location for the input content.
+
+ * `uris`: Required. Google Cloud Storage URI(-s) to the input file(s). May contain wildcards. For more information on wildcards, see https://cloud.google.com/storage/docs/gsutil/addlhelp/WildcardNames.
+
+ * `data_format`: The format in which instances are given, if not specified, assume it's JSONL format. Currently only JSONL format is supported.
+ Possible values:
+ * DATA_FORMAT_UNSPECIFIED
+ * JSONL
+
+ * `nearest_neighbor_search_config`: The full configuration for the generated index, the semantics are the same as metadata and should match [NearestNeighborSearchConfig](https://cloud.google.com/vertex-ai/docs/explainable-ai/configuring-explanations-example-based#nearest-neighbor-search-config).
+
+ * `xrai_attribution`: An explanation method that redistributes Integrated Gradients attributions to segmented regions, taking advantage of the model's fully differentiable structure. Refer to this paper for more details: https://arxiv.org/abs/1906.02825 Supported only by image Models.
+
+ * `smooth_grad_config`: Config for SmoothGrad approximation of gradients. When enabled, the gradients are approximated by averaging the gradients from noisy samples in the vicinity of the inputs. Adding noise can help improve the computed gradients. Refer to this paper for more details: https://arxiv.org/pdf/1706.03825.pdf
+
+ * `feature_noise_sigma`: Noise sigma by features. Noise sigma represents the standard deviation of the gaussian kernel that will be used to add noise to interpolated inputs prior to computing gradients.
+
+ * `noise_sigma`: Noise sigma per feature. No noise is added to features that are not set.
+
+ * `name`: The name of the input feature for which noise sigma is provided. The features are defined in explanation metadata inputs.
+
+ * `sigma`: This represents the standard deviation of the Gaussian kernel that will be used to add noise to the feature prior to computing gradients. Similar to noise_sigma but represents the noise added to the current feature. Defaults to 0.1.
+
+ * `noise_sigma`: This is a single float value and will be used to add noise to all the features. Use this field when all features are normalized to have the same distribution: scale to range [0, 1], [-1, 1] or z-scoring, where features are normalized to have 0-mean and 1-variance. Learn more about [normalization](https://developers.google.com/machine-learning/data-prep/transform/normalization). For best results the recommended value is about 10% - 20% of the standard deviation of the input feature. Refer to section 3.2 of the SmoothGrad paper: https://arxiv.org/pdf/1706.03825.pdf. Defaults to 0.1. If the distribution is different per feature, set feature_noise_sigma instead for each feature.
+
+ * `noisy_sample_count`: The number of gradient samples to use for approximation. The higher this number, the more accurate the gradient is, but the runtime complexity increases by this factor as well. Valid range of its value is [1, 50]. Defaults to 3.
+
+ * `step_count`: Required. The number of steps for approximating the path integral. A good value to start is 50 and gradually increase until the sum to diff property is met within the desired error range. Valid range of its value is [1, 100], inclusively.
+
+ * `blur_baseline_config`: Config for blur baseline. When enabled, a linear path from the maximally blurred image to the input image is created. Using a blurred baseline instead of zero (black image) is motivated by the BlurIG approach explained here: https://arxiv.org/abs/2004.03383
+
+ * `max_blur_sigma`: The standard deviation of the blur kernel for the blurred baseline. The same blurring parameter is used for both the height and the width dimension. If not set, the method defaults to the zero (i.e. black for images) baseline.
+
+ * `top_k`: If populated, returns attributions for top K indices of outputs (defaults to 1). Only applies to Models that predicts more than one outputs (e,g, multi-class Models). When set to -1, returns explanations for all outputs.
+
+ * `integrated_gradients_attribution`: An attribution method that computes the Aumann-Shapley value taking advantage of the model's fully differentiable structure. Refer to this paper for more details: https://arxiv.org/abs/1703.01365
+
+ * `step_count`: Required. The number of steps for approximating the path integral. A good value to start is 50 and gradually increase until the sum to diff property is within the desired error range. Valid range of its value is [1, 100], inclusively.
+
+ * `smooth_grad_config`: Config for SmoothGrad approximation of gradients. When enabled, the gradients are approximated by averaging the gradients from noisy samples in the vicinity of the inputs. Adding noise can help improve the computed gradients. Refer to this paper for more details: https://arxiv.org/pdf/1706.03825.pdf
+
+ * `feature_noise_sigma`: Noise sigma by features. Noise sigma represents the standard deviation of the gaussian kernel that will be used to add noise to interpolated inputs prior to computing gradients.
+
+ * `noise_sigma`: Noise sigma per feature. No noise is added to features that are not set.
+
+ * `name`: The name of the input feature for which noise sigma is provided. The features are defined in explanation metadata inputs.
+
+ * `sigma`: This represents the standard deviation of the Gaussian kernel that will be used to add noise to the feature prior to computing gradients. Similar to noise_sigma but represents the noise added to the current feature. Defaults to 0.1.
+
+ * `noise_sigma`: This is a single float value and will be used to add noise to all the features. Use this field when all features are normalized to have the same distribution: scale to range [0, 1], [-1, 1] or z-scoring, where features are normalized to have 0-mean and 1-variance. Learn more about [normalization](https://developers.google.com/machine-learning/data-prep/transform/normalization). For best results the recommended value is about 10% - 20% of the standard deviation of the input feature. Refer to section 3.2 of the SmoothGrad paper: https://arxiv.org/pdf/1706.03825.pdf. Defaults to 0.1. If the distribution is different per feature, set feature_noise_sigma instead for each feature.
+
+ * `noisy_sample_count`: The number of gradient samples to use for approximation. The higher this number, the more accurate the gradient is, but the runtime complexity increases by this factor as well. Valid range of its value is [1, 50]. Defaults to 3.
+
+ * `blur_baseline_config`: Config for blur baseline. When enabled, a linear path from the maximally blurred image to the input image is created. Using a blurred baseline instead of zero (black image) is motivated by the BlurIG approach explained here: https://arxiv.org/abs/2004.03383
+
+ * `max_blur_sigma`: The standard deviation of the blur kernel for the blurred baseline. The same blurring parameter is used for both the height and the width dimension. If not set, the method defaults to the zero (i.e. black for images) baseline.
+
+ * `sampled_shapley_attribution`: An attribution method that approximates Shapley values for features that contribute to the label being predicted. A sampling strategy is used to approximate the value rather than considering all subsets of features.
+
+ * `path_count`: Required. The number of feature permutations to consider when approximating the Shapley values. Valid range of its value is [1, 50], inclusively.
+
+ * `metadata`: Metadata describing the Model's input and output for explanation.
+
+ * `feature_attributions_schema_uri`: Points to a YAML file stored on Google Cloud Storage describing the format of the feature attributions. The schema is defined as an OpenAPI 3.0.2 [Schema Object](https://github.com/OAI/OpenAPI-Specification/blob/main/versions/3.0.2.md#schemaObject). AutoML tabular Models always have this field populated by Vertex AI. Note: The URI given on output may be different, including the URI scheme, than the one given on input. The output URI will point to a location where the user only has a read access.
+
+ * `latent_space_source`: Name of the source to generate embeddings for example based explanations.
+
+ * `outputs`: Required. Map from output names to output metadata. For Vertex AI-provided Tensorflow images, keys can be any user defined string that consists of any UTF-8 characters. For custom images, keys are the name of the output field in the prediction to be explained. Currently only one key is allowed.
+
+ * `additional_properties`: Metadata of the prediction output to be explained.
+
+ * `inputs`: Required. Map from feature names to feature input metadata. Keys are the name of the features. Values are the specification of the feature. An empty InputMetadata is valid. It describes a text feature which has the name specified as the key in ExplanationMetadata.inputs. The baseline of the empty feature is chosen by Vertex AI. For Vertex AI-provided Tensorflow images, the key can be any friendly name of the feature. Once specified, featureAttributions are keyed by this key (if not grouped with another feature). For custom images, the key must match with the key in instance.
+
+ * `additional_properties`: Metadata of the input of a feature. Fields other than InputMetadata.input_baselines are applicable only for Models that are using Vertex AI-provided images for Tensorflow.
+
+ * `explanation_type`: Explanation type. For AutoML Image Classification models, possible values are: * `image-integrated-gradients` * `image-xrai`
+
+ * `slice_dimensions`: All possible dimensions of ModelEvaluationSlices. The dimensions can be used as the filter of the ModelService.ListModelEvaluationSlices request, in the form of `slice.dimension = `.
+
+ * `model_explanation`: Aggregated explanation metrics for a Model over a set of instances.
+
+ * `mean_attributions`: Output only. Aggregated attributions explaining the Model's prediction outputs over the set of instances. The attributions are grouped by outputs. For Models that predict only one output, such as regression Models that predict only one score, there is only one attibution that explains the predicted output. For Models that predict multiple outputs, such as multiclass Models that predict multiple classes, each element explains one specific item. Attribution.output_index can be used to identify which output this attribution is explaining. The baselineOutputValue, instanceOutputValue and featureAttributions fields are averaged over the test data. NOTE: Currently AutoML tabular classification Models produce only one attribution, which averages attributions over all the classes it predicts. Attribution.approximation_error is not populated.
+
+ * `output_display_name`: Output only. The display name of the output identified by output_index. For example, the predicted class name by a multi-classification Model. This field is only populated iff the Model predicts display names as a separate field along with the explained output. The predicted display name must has the same shape of the explained output, and can be located using output_index.
+
+ * `baseline_output_value`: Output only. Model predicted output if the input instance is constructed from the baselines of all the features defined in ExplanationMetadata.inputs. The field name of the output is determined by the key in ExplanationMetadata.outputs. If the Model's predicted output has multiple dimensions (rank > 1), this is the value in the output located by output_index. If there are multiple baselines, their output values are averaged.
+
+ * `output_name`: Output only. Name of the explain output. Specified as the key in ExplanationMetadata.outputs.
+
+ * `feature_attributions`: Output only. Attributions of each explained feature. Features are extracted from the prediction instances according to explanation metadata for inputs. The value is a struct, whose keys are the name of the feature. The values are how much the feature in the instance contributed to the predicted result. The format of the value is determined by the feature's input format: * If the feature is a scalar value, the attribution value is a floating number. * If the feature is an array of scalar values, the attribution value is an array. * If the feature is a struct, the attribution value is a struct. The keys in the attribution value struct are the same as the keys in the feature struct. The formats of the values in the attribution struct are determined by the formats of the values in the feature struct. The ExplanationMetadata.feature_attributions_schema_uri field, pointed to by the ExplanationSpec field of the Endpoint.deployed_models object, points to the schema file that describes the features and their attribution values (if it is populated).
+
+ * `output_index`: Output only. The index that locates the explained prediction output. If the prediction output is a scalar value, output_index is not populated. If the prediction output has multiple dimensions, the length of the output_index list is the same as the number of dimensions of the output. The i-th element in output_index is the element index of the i-th dimension of the output vector. Indices start from 0.
+
+ * `instance_output_value`: Output only. Model predicted output on the corresponding explanation instance. The field name of the output is determined by the key in ExplanationMetadata.outputs. If the Model predicted output has multiple dimensions, this is the value in the output located by output_index.
+
+ * `approximation_error`: Output only. Error of feature_attributions caused by approximation used in the explanation method. Lower value means more precise attributions. * For Sampled Shapley attribution, increasing path_count might reduce the error. * For Integrated Gradients attribution, increasing step_count might reduce the error. * For XRAI attribution, increasing step_count might reduce the error. See [this introduction](/vertex-ai/docs/explainable-ai/overview) for more information.
+
+ * `name`: Output only. The resource name of the ModelEvaluation.
+
+ * `display_name`: The display name of the ModelEvaluation.
+
+
+## GCP permissions
diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_vertex_ai_models_evaluations.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_vertex_ai_models_evaluations.md
new file mode 100644
index 0000000..9bcde13
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_vertex_ai_models_evaluations.md
@@ -0,0 +1,46 @@
++++
+title = "google_vertex_ai_models_evaluations resource"
+
+draft = false
+
+
+[menu.gcp]
+title = "google_vertex_ai_models_evaluations"
+identifier = "inspec/resources/gcp/google_vertex_ai_models_evaluations resource"
+parent = "inspec/resources/gcp"
++++
+
+Use the `google_vertex_ai_models_evaluations` InSpec audit resource to to test a Google Cloud ModelsEvaluation resource.
+
+## Examples
+
+```ruby
+ describe google_vertex_ai_models_evaluations(parent: "projects/#{gcp_project_id}/locations/#{models_evaluation['region']}/models/#{models_evaluation['model']}", region: ' value_region') do
+ it { should exist }
+ end
+```
+
+## Properties
+
+Properties that can be accessed from the `google_vertex_ai_models_evaluations` resource:
+
+See [google_vertex_ai_models_evaluation](google_vertex_ai_models_evaluation) for more detailed information.
+
+ * `data_item_schema_uris`: an array of `google_vertex_ai_models_evaluation` data_item_schema_uri
+ * `metadata`: an array of `google_vertex_ai_models_evaluation` metadata
+ * `metrics_schema_uris`: an array of `google_vertex_ai_models_evaluation` metrics_schema_uri
+ * `create_times`: an array of `google_vertex_ai_models_evaluation` create_time
+ * `annotation_schema_uris`: an array of `google_vertex_ai_models_evaluation` annotation_schema_uri
+ * `metrics`: an array of `google_vertex_ai_models_evaluation` metrics
+ * `explanation_specs`: an array of `google_vertex_ai_models_evaluation` explanation_specs
+ * `slice_dimensions`: an array of `google_vertex_ai_models_evaluation` slice_dimensions
+ * `model_explanations`: an array of `google_vertex_ai_models_evaluation` model_explanation
+ * `names`: an array of `google_vertex_ai_models_evaluation` name
+ * `display_names`: an array of `google_vertex_ai_models_evaluation` display_name
+
+## Filter criteria
+
+This resource supports all of the above properties as filter criteria, which can be used
+with `where` as a block or a method.
+
+## GCP permissions
diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_vertex_ai_nas_job.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_vertex_ai_nas_job.md
new file mode 100644
index 0000000..0358142
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_vertex_ai_nas_job.md
@@ -0,0 +1,384 @@ ++++ +title = "google_vertex_ai_nas_job resource" + +draft = false + + +[menu.gcp] +title = "google_vertex_ai_nas_job" +identifier = "inspec/resources/gcp/google_vertex_ai_nas_job resource" +parent = "inspec/resources/gcp" ++++ + +Use the `google_vertex_ai_nas_job` InSpec audit resource to to test a Google Cloud NasJob resource. + +## Examples + +```ruby +describe google_vertex_ai_nas_job(name: "projects/#{gcp_project_id}/locations/#{nas_job['region']}/nasJobs/#{nas_job['name']}", region: ' value_region') do + it { should exist } + its('name') { should cmp 'value_name' } + its('end_time') { should cmp 'value_endtime' } + its('state') { should cmp 'value_state' } + its('create_time') { should cmp 'value_createtime' } + its('display_name') { should cmp 'value_displayname' } + its('start_time') { should cmp 'value_starttime' } + its('update_time') { should cmp 'value_updatetime' } + +end + +describe google_vertex_ai_nas_job(name: "does_not_exit", region: ' value_region') do + it { should_not exist } +end +``` + +## Properties + +Properties that can be accessed from the `google_vertex_ai_nas_job` resource: + + + * `nas_job_output`: Represents a uCAIP NasJob output. + + * `multi_trial_job_output`: The output of a multi-trial Neural Architecture Search (NAS) jobs. + + * `search_trials`: Output only. List of NasTrials that were started as part of search stage. + + * `id`: Output only. The identifier of the NasTrial assigned by the service. + + * `state`: Output only. The detailed state of the NasTrial. + Possible values: + * STATE_UNSPECIFIED + * REQUESTED + * ACTIVE + * STOPPING + * SUCCEEDED + * INFEASIBLE + + * `final_measurement`: A message representing a Measurement of a Trial. A Measurement contains the Metrics got by executing a Trial using suggested hyperparameter values. + + * `metrics`: Output only. A list of metrics got by evaluating the objective functions using suggested Parameter values. + + * `metric_id`: Output only. The ID of the Metric. 
The Metric should be defined in StudySpec's Metrics. + + * `value`: Output only. The value for this metric. + + * `elapsed_duration`: Output only. Time that the Trial has been running at the point of this Measurement. + + * `step_count`: Output only. The number of steps the machine learning model has been trained for. Must be non-negative. + + * `start_time`: Output only. Time when the NasTrial was started. + + * `end_time`: Output only. Time when the NasTrial's status changed to `SUCCEEDED` or `INFEASIBLE`. + + * `train_trials`: Output only. List of NasTrials that were started as part of train stage. + + * `id`: Output only. The identifier of the NasTrial assigned by the service. + + * `state`: Output only. The detailed state of the NasTrial. + Possible values: + * STATE_UNSPECIFIED + * REQUESTED + * ACTIVE + * STOPPING + * SUCCEEDED + * INFEASIBLE + + * `final_measurement`: A message representing a Measurement of a Trial. A Measurement contains the Metrics got by executing a Trial using suggested hyperparameter values. + + * `metrics`: Output only. A list of metrics got by evaluating the objective functions using suggested Parameter values. + + * `metric_id`: Output only. The ID of the Metric. The Metric should be defined in StudySpec's Metrics. + + * `value`: Output only. The value for this metric. + + * `elapsed_duration`: Output only. Time that the Trial has been running at the point of this Measurement. + + * `step_count`: Output only. The number of steps the machine learning model has been trained for. Must be non-negative. + + * `start_time`: Output only. Time when the NasTrial was started. + + * `end_time`: Output only. Time when the NasTrial's status changed to `SUCCEEDED` or `INFEASIBLE`. + + * `name`: Output only. Resource name of the NasJob. + + * `end_time`: Output only. Time when the NasJob entered any of the following states: `JOB_STATE_SUCCEEDED`, `JOB_STATE_FAILED`, `JOB_STATE_CANCELLED`. 
+ + * `error`: The `Status` type defines a logical error model that is suitable for different programming environments, including REST APIs and RPC APIs. It is used by [gRPC](https://github.com/grpc). Each `Status` message contains three pieces of data: error code, error message, and error details. You can find out more about this error model and how to work with it in the [API Design Guide](https://cloud.google.com/apis/design/errors). + + * `details`: A list of messages that carry the error details. There is a common set of message types for APIs to use. + + * `code`: The status code, which should be an enum value of google.rpc.Code. + + * `message`: A developer-facing error message, which should be in English. Any user-facing error message should be localized and sent in the google.rpc.Status.details field, or localized by the client. + + * `state`: Output only. The detailed state of the job. + Possible values: + * JOB_STATE_UNSPECIFIED + * JOB_STATE_QUEUED + * JOB_STATE_PENDING + * JOB_STATE_RUNNING + * JOB_STATE_SUCCEEDED + * JOB_STATE_FAILED + * JOB_STATE_CANCELLING + * JOB_STATE_CANCELLED + * JOB_STATE_PAUSED + * JOB_STATE_EXPIRED + * JOB_STATE_UPDATING + * JOB_STATE_PARTIALLY_SUCCEEDED + + * `create_time`: Output only. Time when the NasJob was created. + + * `display_name`: Required. The display name of the NasJob. The name can be up to 128 characters long and can consist of any UTF-8 characters. + + * `nas_job_spec`: Represents the spec of a NasJob. + + * `search_space_spec`: It defines the search space for Neural Architecture Search (NAS). + + * `resume_nas_job_id`: The ID of the existing NasJob in the same Project and Location which will be used to resume search. search_space_spec and nas_algorithm_spec are obtained from previous NasJob hence should not provide them again for this NasJob. + + * `multi_trial_algorithm_spec`: The spec of multi-trial Neural Architecture Search (NAS). + + * `search_trial_spec`: Represent spec for search trials. 
+ + * `max_failed_trial_count`: The number of failed trials that need to be seen before failing the NasJob. If set to 0, Vertex AI decides how many trials must fail before the whole job fails. + + * `max_parallel_trial_count`: Required. The maximum number of trials to run in parallel. + + * `search_trial_job_spec`: Represents the spec of a CustomJob. + + * `worker_pool_specs`: Required. The spec of the worker pools including machine type and Docker image. All worker pools except the first one are optional and can be skipped by providing an empty value. + + * `container_spec`: The spec of a Container. + + * `env`: Environment variables to be passed to the container. Maximum limit is 100. + + * `name`: Required. Name of the environment variable. Must be a valid C identifier. + + * `value`: Required. Variables that reference a $(VAR_NAME) are expanded using the previous defined environment variables in the container and any service environment variables. If a variable cannot be resolved, the reference in the input string will be unchanged. The $(VAR_NAME) syntax can be escaped with a double $$, ie: $$(VAR_NAME). Escaped references will never be expanded, regardless of whether the variable exists or not. + + * `args`: The arguments to be passed when starting the container. + + * `command`: The command to be invoked when the container is started. It overrides the entrypoint instruction in Dockerfile when provided. + + * `image_uri`: Required. The URI of a container image in the Container Registry that is to be run on each worker replica. + + * `machine_spec`: Specification of a single machine. + + * `accelerator_type`: Immutable. The type of accelerator(s) that may be attached to the machine as per accelerator_count. 
+ Possible values: + * ACCELERATOR_TYPE_UNSPECIFIED + * NVIDIA_TESLA_K80 + * NVIDIA_TESLA_P100 + * NVIDIA_TESLA_V100 + * NVIDIA_TESLA_P4 + * NVIDIA_TESLA_T4 + * NVIDIA_TESLA_A100 + * NVIDIA_A100_80GB + * NVIDIA_L4 + * TPU_V2 + * TPU_V3 + * TPU_V4_POD + + * `machine_type`: Immutable. The type of the machine. See the [list of machine types supported for prediction](https://cloud.google.com/vertex-ai/docs/predictions/configure-compute#machine-types) See the [list of machine types supported for custom training](https://cloud.google.com/vertex-ai/docs/training/configure-compute#machine-types). For DeployedModel this field is optional, and the default value is `n1-standard-2`. For BatchPredictionJob or as part of WorkerPoolSpec this field is required. + + * `accelerator_count`: The number of accelerators to attach to the machine. + + * `replica_count`: Optional. The number of worker replicas to use for this worker pool. + + * `nfs_mounts`: Optional. List of NFS mount spec. + + * `path`: Required. Source path exported from NFS server. Has to start with '/', and combined with the ip address, it indicates the source mount path in the form of `server:path` + + * `mount_point`: Required. Destination mount path. The NFS will be mounted for the user under /mnt/nfs/ + + * `server`: Required. IP address of the NFS server. + + * `python_package_spec`: The spec of a Python packaged code. + + * `package_uris`: Required. The Google Cloud Storage location of the Python package files which are the training program and its dependent packages. The maximum number of package URIs is 100. + + * `env`: Environment variables to be passed to the python module. Maximum limit is 100. + + * `name`: Required. Name of the environment variable. Must be a valid C identifier. + + * `value`: Required. Variables that reference a $(VAR_NAME) are expanded using the previous defined environment variables in the container and any service environment variables. 
If a variable cannot be resolved, the reference in the input string will be unchanged. The $(VAR_NAME) syntax can be escaped with a double $$, ie: $$(VAR_NAME). Escaped references will never be expanded, regardless of whether the variable exists or not. + + * `executor_image_uri`: Required. The URI of a container image in Artifact Registry that will run the provided Python package. Vertex AI provides a wide range of executor images with pre-installed packages to meet users' various use cases. See the list of [pre-built containers for training](https://cloud.google.com/vertex-ai/docs/training/pre-built-containers). You must use an image from this list. + + * `args`: Command line arguments to be passed to the Python task. + + * `python_module`: Required. The Python module name to run after installing the packages. + + * `disk_spec`: Represents the spec of disk options. + + * `boot_disk_type`: Type of the boot disk (default is "pd-ssd"). Valid values: "pd-ssd" (Persistent Disk Solid State Drive) or "pd-standard" (Persistent Disk Hard Disk Drive). + + * `boot_disk_size_gb`: Size in GB of the boot disk (default is 100GB). + + * `enable_web_access`: Optional. Whether you want Vertex AI to enable [interactive shell access](https://cloud.google.com/vertex-ai/docs/training/monitor-debug-interactive-shell) to training containers. If set to `true`, you can access interactive shells at the URIs given by CustomJob.web_access_uris or Trial.web_access_uris (within HyperparameterTuningJob.trials). + + * `tensorboard`: Optional. The name of a Vertex AI Tensorboard resource to which this CustomJob will upload Tensorboard logs. Format: `projects/{project}/locations/{location}/tensorboards/{tensorboard}` + + * `experiment`: Optional. The Experiment associated with this job. Format: `projects/{project}/locations/{location}/metadataStores/{metadataStores}/contexts/{experiment-name}` + + * `experiment_run`: Optional. The Experiment Run associated with this job. 
Format: `projects/{project}/locations/{location}/metadataStores/{metadataStores}/contexts/{experiment-name}-{experiment-run-name}` + + * `scheduling`: All parameters related to queuing and scheduling of custom jobs. + + * `disable_retries`: Optional. Indicates if the job should retry for internal errors after the job starts running. If true, overrides `Scheduling.restart_job_on_worker_restart` to false. + + * `timeout`: The maximum job running time. The default is 7 days. + + * `restart_job_on_worker_restart`: Restarts the entire CustomJob if a worker gets restarted. This feature can be used by distributed training jobs that are not resilient to workers leaving and joining a job. + + * `enable_dashboard_access`: Optional. Whether you want Vertex AI to enable access to the customized dashboard in training chief container. If set to `true`, you can access the dashboard at the URIs given by CustomJob.web_access_uris or Trial.web_access_uris (within HyperparameterTuningJob.trials). + + * `service_account`: Specifies the service account for workload run-as account. Users submitting jobs must have act-as permission on this run-as account. If unspecified, the [Vertex AI Custom Code Service Agent](https://cloud.google.com/vertex-ai/docs/general/access-control#service-agents) for the CustomJob's project is used. + + * `base_output_directory`: The Google Cloud Storage location where the output is to be written to. + + * `output_uri_prefix`: Required. Google Cloud Storage URI to output directory. If the uri doesn't end with '/', a '/' will be automatically appended. The directory is created if it doesn't exist. + + * `reserved_ip_ranges`: Optional. A list of names for the reserved ip ranges under the VPC network that can be used for this job. If set, we will deploy the job within the provided ip ranges. Otherwise, the job will be deployed to any ip ranges under the provided VPC network. Example: ['vertex-ai-ip-range']. + + * `network`: Optional. 
The full name of the Compute Engine [network](/compute/docs/networks-and-firewalls#networks) to which the Job should be peered. For example, `projects/12345/global/networks/myVPC`. [Format](/compute/docs/reference/rest/v1/networks/insert) is of the form `projects/{project}/global/networks/{network}`. Where {project} is a project number, as in `12345`, and {network} is a network name. To specify this field, you must have already [configured VPC Network Peering for Vertex AI](https://cloud.google.com/vertex-ai/docs/general/vpc-peering). If this field is left unspecified, the job is not peered with any network. + + * `max_trial_count`: Required. The maximum number of Neural Architecture Search (NAS) trials to run. + + * `multi_trial_algorithm`: The multi-trial Neural Architecture Search (NAS) algorithm type. Defaults to `REINFORCEMENT_LEARNING`. + Possible values: + * MULTI_TRIAL_ALGORITHM_UNSPECIFIED + * REINFORCEMENT_LEARNING + * GRID_SEARCH + + * `train_trial_spec`: Represent spec for train trials. + + * `frequency`: Required. Frequency of search trials to start train stage. Top N [TrainTrialSpec.max_parallel_trial_count] search trials will be trained for every M [TrainTrialSpec.frequency] trials searched. + + * `max_parallel_trial_count`: Required. The maximum number of trials to run in parallel. + + * `train_trial_job_spec`: Represents the spec of a CustomJob. + + * `worker_pool_specs`: Required. The spec of the worker pools including machine type and Docker image. All worker pools except the first one are optional and can be skipped by providing an empty value. + + * `container_spec`: The spec of a Container. + + * `env`: Environment variables to be passed to the container. Maximum limit is 100. + + * `name`: Required. Name of the environment variable. Must be a valid C identifier. + + * `value`: Required. Variables that reference a $(VAR_NAME) are expanded using the previous defined environment variables in the container and any service environment variables. 
If a variable cannot be resolved, the reference in the input string will be unchanged. The $(VAR_NAME) syntax can be escaped with a double $$, ie: $$(VAR_NAME). Escaped references will never be expanded, regardless of whether the variable exists or not. + + * `args`: The arguments to be passed when starting the container. + + * `command`: The command to be invoked when the container is started. It overrides the entrypoint instruction in Dockerfile when provided. + + * `image_uri`: Required. The URI of a container image in the Container Registry that is to be run on each worker replica. + + * `machine_spec`: Specification of a single machine. + + * `accelerator_type`: Immutable. The type of accelerator(s) that may be attached to the machine as per accelerator_count. + Possible values: + * ACCELERATOR_TYPE_UNSPECIFIED + * NVIDIA_TESLA_K80 + * NVIDIA_TESLA_P100 + * NVIDIA_TESLA_V100 + * NVIDIA_TESLA_P4 + * NVIDIA_TESLA_T4 + * NVIDIA_TESLA_A100 + * NVIDIA_A100_80GB + * NVIDIA_L4 + * TPU_V2 + * TPU_V3 + * TPU_V4_POD + + * `machine_type`: Immutable. The type of the machine. See the [list of machine types supported for prediction](https://cloud.google.com/vertex-ai/docs/predictions/configure-compute#machine-types) See the [list of machine types supported for custom training](https://cloud.google.com/vertex-ai/docs/training/configure-compute#machine-types). For DeployedModel this field is optional, and the default value is `n1-standard-2`. For BatchPredictionJob or as part of WorkerPoolSpec this field is required. + + * `accelerator_count`: The number of accelerators to attach to the machine. + + * `replica_count`: Optional. The number of worker replicas to use for this worker pool. + + * `nfs_mounts`: Optional. List of NFS mount spec. + + * `path`: Required. Source path exported from NFS server. Has to start with '/', and combined with the ip address, it indicates the source mount path in the form of `server:path` + + * `mount_point`: Required. Destination mount path. 
The NFS will be mounted for the user under /mnt/nfs/ + + * `server`: Required. IP address of the NFS server. + + * `python_package_spec`: The spec of a Python packaged code. + + * `package_uris`: Required. The Google Cloud Storage location of the Python package files which are the training program and its dependent packages. The maximum number of package URIs is 100. + + * `env`: Environment variables to be passed to the python module. Maximum limit is 100. + + * `name`: Required. Name of the environment variable. Must be a valid C identifier. + + * `value`: Required. Variables that reference a $(VAR_NAME) are expanded using the previous defined environment variables in the container and any service environment variables. If a variable cannot be resolved, the reference in the input string will be unchanged. The $(VAR_NAME) syntax can be escaped with a double $$, ie: $$(VAR_NAME). Escaped references will never be expanded, regardless of whether the variable exists or not. + + * `executor_image_uri`: Required. The URI of a container image in Artifact Registry that will run the provided Python package. Vertex AI provides a wide range of executor images with pre-installed packages to meet users' various use cases. See the list of [pre-built containers for training](https://cloud.google.com/vertex-ai/docs/training/pre-built-containers). You must use an image from this list. + + * `args`: Command line arguments to be passed to the Python task. + + * `python_module`: Required. The Python module name to run after installing the packages. + + * `disk_spec`: Represents the spec of disk options. + + * `boot_disk_type`: Type of the boot disk (default is "pd-ssd"). Valid values: "pd-ssd" (Persistent Disk Solid State Drive) or "pd-standard" (Persistent Disk Hard Disk Drive). + + * `boot_disk_size_gb`: Size in GB of the boot disk (default is 100GB). + + * `enable_web_access`: Optional. 
Whether you want Vertex AI to enable [interactive shell access](https://cloud.google.com/vertex-ai/docs/training/monitor-debug-interactive-shell) to training containers. If set to `true`, you can access interactive shells at the URIs given by CustomJob.web_access_uris or Trial.web_access_uris (within HyperparameterTuningJob.trials). + + * `tensorboard`: Optional. The name of a Vertex AI Tensorboard resource to which this CustomJob will upload Tensorboard logs. Format: `projects/{project}/locations/{location}/tensorboards/{tensorboard}` + + * `experiment`: Optional. The Experiment associated with this job. Format: `projects/{project}/locations/{location}/metadataStores/{metadataStores}/contexts/{experiment-name}` + + * `experiment_run`: Optional. The Experiment Run associated with this job. Format: `projects/{project}/locations/{location}/metadataStores/{metadataStores}/contexts/{experiment-name}-{experiment-run-name}` + + * `scheduling`: All parameters related to queuing and scheduling of custom jobs. + + * `disable_retries`: Optional. Indicates if the job should retry for internal errors after the job starts running. If true, overrides `Scheduling.restart_job_on_worker_restart` to false. + + * `timeout`: The maximum job running time. The default is 7 days. + + * `restart_job_on_worker_restart`: Restarts the entire CustomJob if a worker gets restarted. This feature can be used by distributed training jobs that are not resilient to workers leaving and joining a job. + + * `enable_dashboard_access`: Optional. Whether you want Vertex AI to enable access to the customized dashboard in training chief container. If set to `true`, you can access the dashboard at the URIs given by CustomJob.web_access_uris or Trial.web_access_uris (within HyperparameterTuningJob.trials). + + * `service_account`: Specifies the service account for workload run-as account. Users submitting jobs must have act-as permission on this run-as account. 
If unspecified, the [Vertex AI Custom Code Service Agent](https://cloud.google.com/vertex-ai/docs/general/access-control#service-agents) for the CustomJob's project is used. + + * `base_output_directory`: The Google Cloud Storage location where the output is to be written to. + + * `output_uri_prefix`: Required. Google Cloud Storage URI to output directory. If the uri doesn't end with '/', a '/' will be automatically appended. The directory is created if it doesn't exist. + + * `reserved_ip_ranges`: Optional. A list of names for the reserved ip ranges under the VPC network that can be used for this job. If set, we will deploy the job within the provided ip ranges. Otherwise, the job will be deployed to any ip ranges under the provided VPC network. Example: ['vertex-ai-ip-range']. + + * `network`: Optional. The full name of the Compute Engine [network](/compute/docs/networks-and-firewalls#networks) to which the Job should be peered. For example, `projects/12345/global/networks/myVPC`. [Format](/compute/docs/reference/rest/v1/networks/insert) is of the form `projects/{project}/global/networks/{network}`. Where {project} is a project number, as in `12345`, and {network} is a network name. To specify this field, you must have already [configured VPC Network Peering for Vertex AI](https://cloud.google.com/vertex-ai/docs/general/vpc-peering). If this field is left unspecified, the job is not peered with any network. + + * `metric`: Represents a metric to optimize. + + * `goal`: Required. The optimization goal of the metric. + Possible values: + * GOAL_TYPE_UNSPECIFIED + * MAXIMIZE + * MINIMIZE + + * `metric_id`: Required. The ID of the metric. Must not contain whitespaces. + + * `enable_restricted_image_training`: Optional. Enable a separation of Custom model training and restricted image training for tenant project. + + * `start_time`: Output only. Time when the NasJob for the first time entered the `JOB_STATE_RUNNING` state. 
+ + * `encryption_spec`: Represents a customer-managed encryption key spec that can be applied to a top-level resource. + + * `kms_key_name`: Required. The Cloud KMS resource identifier of the customer managed encryption key used to protect a resource. Has the form: `projects/my-project/locations/my-region/keyRings/my-kr/cryptoKeys/my-key`. The key needs to be in the same region as where the compute resource is created. + + * `labels`: The labels with user-defined metadata to organize NasJobs. Label keys and values can be no longer than 64 characters (Unicode codepoints), can only contain lowercase letters, numeric characters, underscores and dashes. International characters are allowed. See https://goo.gl/xmQnxf for more information and examples of labels. + + * `additional_properties`: + + * `update_time`: Output only. Time when the NasJob was most recently updated. + + +## GCP permissions diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_vertex_ai_nas_jobs.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_vertex_ai_nas_jobs.md new file mode 100644 index 0000000..e6d0aaa --- /dev/null +++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_vertex_ai_nas_jobs.md 
@@ -0,0 +1,48 @@ ++++ +title = "google_vertex_ai_nas_jobs resource" + +draft = false + + +[menu.gcp] +title = "google_vertex_ai_nas_jobs" +identifier = "inspec/resources/gcp/google_vertex_ai_nas_jobs resource" +parent = "inspec/resources/gcp" ++++ + +Use the `google_vertex_ai_nas_jobs` InSpec audit resource to to test a Google Cloud NasJob resource. + +## Examples + +```ruby + describe google_vertex_ai_nas_jobs(parent: "projects/#{gcp_project_id}/locations/#{nas_job['region']}", region: ' value_region') do + it { should exist } + end +``` + +## Properties + +Properties that can be accessed from the `google_vertex_ai_nas_jobs` resource: + +See [google_vertex_ai_nas_job](google_vertex_ai_nas_job) for more detailed information. + + * `nas_job_outputs`: an array of `google_vertex_ai_nas_job` nas_job_output + * `names`: an array of `google_vertex_ai_nas_job` name + * `end_times`: an array of `google_vertex_ai_nas_job` end_time + * `errors`: an array of `google_vertex_ai_nas_job` error + * `states`: an array of `google_vertex_ai_nas_job` state + * `create_times`: an array of `google_vertex_ai_nas_job` create_time + * `display_names`: an array of `google_vertex_ai_nas_job` display_name + * `nas_job_specs`: an array of `google_vertex_ai_nas_job` nas_job_spec + * `enable_restricted_image_trainings`: an array of `google_vertex_ai_nas_job` enable_restricted_image_training + * `start_times`: an array of `google_vertex_ai_nas_job` start_time + * `encryption_specs`: an array of `google_vertex_ai_nas_job` encryption_spec + * `labels`: an array of `google_vertex_ai_nas_job` labels + * `update_times`: an array of `google_vertex_ai_nas_job` update_time + +## Filter criteria + +This resource supports all of the above properties as filter criteria, which can be used +with `where` as a block or a method. + +## GCP permissions 
diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_vertex_ai_nas_jobs_nas_trial_detail.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_vertex_ai_nas_jobs_nas_trial_detail.md new file mode 100644 index 0000000..e5b5d7b --- /dev/null +++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_vertex_ai_nas_jobs_nas_trial_detail.md 
@@ -0,0 +1,98 @@ ++++ +title = "google_vertex_ai_nas_jobs_nas_trial_detail resource" + +draft = false + + +[menu.gcp] +title = "google_vertex_ai_nas_jobs_nas_trial_detail" +identifier = "inspec/resources/gcp/google_vertex_ai_nas_jobs_nas_trial_detail resource" +parent = "inspec/resources/gcp" ++++ + +Use the `google_vertex_ai_nas_jobs_nas_trial_detail` InSpec audit resource to to test a Google Cloud NasJobsNasTrialDetail resource. + +## Examples + +```ruby +describe google_vertex_ai_nas_jobs_nas_trial_detail(name: "projects/#{gcp_project_id}/locations/#{nas_jobs_nas_trial_detail['region']}/nasJobs/#{nas_jobs_nas_trial_detail['nasJob']}/nasTrialDetails/#{nas_jobs_nas_trial_detail['name']}", region: ' value_region') do + it { should exist } + its('parameters') { should cmp 'value_parameters' } + its('name') { should cmp 'value_name' } + +end + +describe google_vertex_ai_nas_jobs_nas_trial_detail(name: "does_not_exit", region: ' value_region') do + it { should_not exist } +end +``` + +## Properties + +Properties that can be accessed from the `google_vertex_ai_nas_jobs_nas_trial_detail` resource: + + + * `parameters`: The parameters for the NasJob NasTrial. + + * `name`: Output only. Resource name of the NasTrialDetail. + + * `search_trial`: Represents a uCAIP NasJob trial. + + * `id`: Output only. The identifier of the NasTrial assigned by the service. + + * `state`: Output only. The detailed state of the NasTrial. + Possible values: + * STATE_UNSPECIFIED + * REQUESTED + * ACTIVE + * STOPPING + * SUCCEEDED + * INFEASIBLE + + * `final_measurement`: A message representing a Measurement of a Trial. A Measurement contains the Metrics got by executing a Trial using suggested hyperparameter values. + + * `metrics`: Output only. A list of metrics got by evaluating the objective functions using suggested Parameter values. + + * `metric_id`: Output only. The ID of the Metric. The Metric should be defined in StudySpec's Metrics. + + * `value`: Output only. 
The value for this metric. + + * `elapsed_duration`: Output only. Time that the Trial has been running at the point of this Measurement. + + * `step_count`: Output only. The number of steps the machine learning model has been trained for. Must be non-negative. + + * `start_time`: Output only. Time when the NasTrial was started. + + * `end_time`: Output only. Time when the NasTrial's status changed to `SUCCEEDED` or `INFEASIBLE`. + + * `train_trial`: Represents a uCAIP NasJob trial. + + * `id`: Output only. The identifier of the NasTrial assigned by the service. + + * `state`: Output only. The detailed state of the NasTrial. + Possible values: + * STATE_UNSPECIFIED + * REQUESTED + * ACTIVE + * STOPPING + * SUCCEEDED + * INFEASIBLE + + * `final_measurement`: A message representing a Measurement of a Trial. A Measurement contains the Metrics got by executing a Trial using suggested hyperparameter values. + + * `metrics`: Output only. A list of metrics got by evaluating the objective functions using suggested Parameter values. + + * `metric_id`: Output only. The ID of the Metric. The Metric should be defined in StudySpec's Metrics. + + * `value`: Output only. The value for this metric. + + * `elapsed_duration`: Output only. Time that the Trial has been running at the point of this Measurement. + + * `step_count`: Output only. The number of steps the machine learning model has been trained for. Must be non-negative. + + * `start_time`: Output only. Time when the NasTrial was started. + + * `end_time`: Output only. Time when the NasTrial's status changed to `SUCCEEDED` or `INFEASIBLE`. + + +## GCP permissions diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_vertex_ai_nas_jobs_nas_trial_details.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_vertex_ai_nas_jobs_nas_trial_details.md new file mode 100644 index 0000000..97ce123 --- /dev/null 
+++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_vertex_ai_nas_jobs_nas_trial_details.md @@ -0,0 +1,39 @@ ++++ +title = "google_vertex_ai_nas_jobs_nas_trial_details resource" + +draft = false + + +[menu.gcp] +title = "google_vertex_ai_nas_jobs_nas_trial_details" +identifier = "inspec/resources/gcp/google_vertex_ai_nas_jobs_nas_trial_details resource" +parent = "inspec/resources/gcp" ++++ + +Use the `google_vertex_ai_nas_jobs_nas_trial_details` InSpec audit resource to to test a Google Cloud NasJobsNasTrialDetail resource. + +## Examples + +```ruby + describe google_vertex_ai_nas_jobs_nas_trial_details(parent: "projects/#{gcp_project_id}/locations/#{nas_jobs_nas_trial_detail['region']}/nasJobs/#{nas_jobs_nas_trial_detail['nasJob']}", region: ' value_region') do + it { should exist } + end +``` + +## Properties + +Properties that can be accessed from the `google_vertex_ai_nas_jobs_nas_trial_details` resource: + +See [google_vertex_ai_nas_jobs_nas_trial_detail](google_vertex_ai_nas_jobs_nas_trial_detail) for more detailed information. + + * `parameters`: an array of `google_vertex_ai_nas_jobs_nas_trial_detail` parameters + * `names`: an array of `google_vertex_ai_nas_jobs_nas_trial_detail` name + * `search_trials`: an array of `google_vertex_ai_nas_jobs_nas_trial_detail` search_trial + * `train_trials`: an array of `google_vertex_ai_nas_jobs_nas_trial_detail` train_trial + +## Filter criteria + +This resource supports all of the above properties as filter criteria, which can be used +with `where` as a block or a method. + +## GCP permissions diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_vertex_ai_pipeline_job.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_vertex_ai_pipeline_job.md new file mode 100644 index 0000000..b2ab7e4 --- /dev/null +++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_vertex_ai_pipeline_job.md 
@@ -0,0 +1,305 @@ ++++ +title = "google_vertex_ai_pipeline_job resource" + +draft = false + + +[menu.gcp] +title = "google_vertex_ai_pipeline_job" +identifier = "inspec/resources/gcp/google_vertex_ai_pipeline_job resource" +parent = "inspec/resources/gcp" ++++ + +Use the `google_vertex_ai_pipeline_job` InSpec audit resource to to test a Google Cloud PipelineJob resource. + +## Examples + +```ruby +describe google_vertex_ai_pipeline_job(name: "projects/#{gcp_project_id}/locations/#{pipeline_job['region']}/pipelineJobs/#{pipeline_job['name']}", region: ' value_region') do + it { should exist } + its('end_time') { should cmp 'value_endtime' } + its('update_time') { should cmp 'value_updatetime' } + its('state') { should cmp 'value_state' } + its('create_time') { should cmp 'value_createtime' } + its('name') { should cmp 'value_name' } + its('schedule_name') { should cmp 'value_schedulename' } + its('start_time') { should cmp 'value_starttime' } + its('service_account') { should cmp 'value_serviceaccount' } + its('display_name') { should cmp 'value_displayname' } + its('template_uri') { should cmp 'value_templateuri' } + its('network') { should cmp 'value_network' } + +end + +describe google_vertex_ai_pipeline_job(name: "does_not_exit", region: ' value_region') do + it { should_not exist } +end +``` + +## Properties + +Properties that can be accessed from the `google_vertex_ai_pipeline_job` resource: + + + * `encryption_spec`: Represents a customer-managed encryption key spec that can be applied to a top-level resource. + + * `kms_key_name`: Required. The Cloud KMS resource identifier of the customer managed encryption key used to protect a resource. Has the form: `projects/my-project/locations/my-region/keyRings/my-kr/cryptoKeys/my-key`. The key needs to be in the same region as where the compute resource is created. + + * `end_time`: Output only. Pipeline end time. 
+ + * `error`: The `Status` type defines a logical error model that is suitable for different programming environments, including REST APIs and RPC APIs. It is used by [gRPC](https://github.com/grpc). Each `Status` message contains three pieces of data: error code, error message, and error details. You can find out more about this error model and how to work with it in the [API Design Guide](https://cloud.google.com/apis/design/errors). + + * `details`: A list of messages that carry the error details. There is a common set of message types for APIs to use. + + * `code`: The status code, which should be an enum value of google.rpc.Code. + + * `message`: A developer-facing error message, which should be in English. Any user-facing error message should be localized and sent in the google.rpc.Status.details field, or localized by the client. + + * `update_time`: Output only. Timestamp when this PipelineJob was most recently updated. + + * `job_detail`: The runtime detail of PipelineJob. + + * `task_details`: Output only. The runtime details of the tasks under the pipeline. + + * `inputs`: Output only. The runtime input artifacts of the task. + + * `additional_properties`: A list of artifact metadata. + + * `pipeline_task_status`: Output only. A list of task status. This field keeps a record of task status evolving over time. + + * `update_time`: Output only. Update time of this status. + + * `error`: The `Status` type defines a logical error model that is suitable for different programming environments, including REST APIs and RPC APIs. It is used by [gRPC](https://github.com/grpc). Each `Status` message contains three pieces of data: error code, error message, and error details. You can find out more about this error model and how to work with it in the [API Design Guide](https://cloud.google.com/apis/design/errors). + + * `details`: A list of messages that carry the error details. There is a common set of message types for APIs to use. 
+ + * `code`: The status code, which should be an enum value of google.rpc.Code. + + * `message`: A developer-facing error message, which should be in English. Any user-facing error message should be localized and sent in the google.rpc.Status.details field, or localized by the client. + + * `state`: Output only. The state of the task. + Possible values: + * STATE_UNSPECIFIED + * PENDING + * RUNNING + * SUCCEEDED + * CANCEL_PENDING + * CANCELLING + * CANCELLED + * FAILED + * SKIPPED + * NOT_TRIGGERED + + * `end_time`: Output only. Task end time. + + * `outputs`: Output only. The runtime output artifacts of the task. + + * `additional_properties`: A list of artifact metadata. + + * `create_time`: Output only. Task create time. + + * `start_time`: Output only. Task start time. + + * `execution`: Instance of a general execution. + + * `labels`: The labels with user-defined metadata to organize your Executions. Label keys and values can be no longer than 64 characters (Unicode codepoints), can only contain lowercase letters, numeric characters, underscores and dashes. International characters are allowed. No more than 64 user labels can be associated with one Execution (System labels are excluded). + + * `additional_properties`: + + * `create_time`: Output only. Timestamp when this Execution was created. + + * `schema_version`: The version of the schema in `schema_title` to use. Schema title and version is expected to be registered in earlier Create Schema calls. And both are used together as unique identifiers to identify schemas within the local metadata store. + + * `state`: The state of this Execution. This is a property of the Execution, and does not imply or capture any ongoing process. This property is managed by clients (such as Vertex AI Pipelines) and the system does not prescribe or check the validity of state transitions. + Possible values: + * STATE_UNSPECIFIED + * NEW + * RUNNING + * COMPLETE + * FAILED + * CACHED + * CANCELLED + + * `name`: Output only. 
The resource name of the Execution. + + * `etag`: An eTag used to perform consistent read-modify-write updates. If not set, a blind "overwrite" update happens. + + * `display_name`: User provided display name of the Execution. May be up to 128 Unicode characters. + + * `metadata`: Properties of the Execution. Top level metadata keys' heading and trailing spaces will be trimmed. The size of this field should not exceed 200KB. + + * `additional_properties`: Properties of the object. + + * `schema_title`: The title of the schema describing the metadata. Schema title and version is expected to be registered in earlier Create Schema calls. And both are used together as unique identifiers to identify schemas within the local metadata store. + + * `description`: Description of the Execution + + * `update_time`: Output only. Timestamp when this Execution was last updated. + + * `task_name`: Output only. The user specified name of the task that is defined in pipeline_spec. + + * `parent_task_id`: Output only. The id of the parent task if the task is within a component scope. Empty if the task is at the root level. + + * `state`: Output only. State of the task. + Possible values: + * STATE_UNSPECIFIED + * PENDING + * RUNNING + * SUCCEEDED + * CANCEL_PENDING + * CANCELLING + * CANCELLED + * FAILED + * SKIPPED + * NOT_TRIGGERED + + * `task_id`: Output only. The system generated ID of the task. + + * `executor_detail`: The runtime detail of a pipeline executor. + + * `container_detail`: The detail of a container execution. It contains the job names of the lifecycle of a container execution. + + * `failed_main_jobs`: Output only. The names of the previously failed CustomJob for the main container executions. The list includes the all attempts in chronological order. + + * `main_job`: Output only. The name of the CustomJob for the main container execution. + + * `pre_caching_check_job`: Output only. The name of the CustomJob for the pre-caching-check container execution. 
This job will be available if the PipelineJob.pipeline_spec specifies the `pre_caching_check` hook in the lifecycle events. + + * `failed_pre_caching_check_jobs`: Output only. The names of the previously failed CustomJob for the pre-caching-check container executions. This job will be available if the PipelineJob.pipeline_spec specifies the `pre_caching_check` hook in the lifecycle events. The list includes the all attempts in chronological order. + + * `custom_job_detail`: The detailed info for a custom job executor. + + * `failed_jobs`: Output only. The names of the previously failed CustomJob. The list includes the all attempts in chronological order. + + * `job`: Output only. The name of the CustomJob. + + * `error`: The `Status` type defines a logical error model that is suitable for different programming environments, including REST APIs and RPC APIs. It is used by [gRPC](https://github.com/grpc). Each `Status` message contains three pieces of data: error code, error message, and error details. You can find out more about this error model and how to work with it in the [API Design Guide](https://cloud.google.com/apis/design/errors). + + * `details`: A list of messages that carry the error details. There is a common set of message types for APIs to use. + + * `code`: The status code, which should be an enum value of google.rpc.Code. + + * `message`: A developer-facing error message, which should be in English. Any user-facing error message should be localized and sent in the google.rpc.Status.details field, or localized by the client. + + * `pipeline_run_context`: Instance of a general context. + + * `name`: Immutable. The resource name of the Context. + + * `schema_title`: The title of the schema describing the metadata. Schema title and version is expected to be registered in earlier Create Schema calls. And both are used together as unique identifiers to identify schemas within the local metadata store. 
+ + * `etag`: An eTag used to perform consistent read-modify-write updates. If not set, a blind "overwrite" update happens. + + * `description`: Description of the Context + + * `display_name`: User provided display name of the Context. May be up to 128 Unicode characters. + + * `schema_version`: The version of the schema in schema_name to use. Schema title and version is expected to be registered in earlier Create Schema calls. And both are used together as unique identifiers to identify schemas within the local metadata store. + + * `create_time`: Output only. Timestamp when this Context was created. + + * `labels`: The labels with user-defined metadata to organize your Contexts. Label keys and values can be no longer than 64 characters (Unicode codepoints), can only contain lowercase letters, numeric characters, underscores and dashes. International characters are allowed. No more than 64 user labels can be associated with one Context (System labels are excluded). + + * `additional_properties`: + + * `metadata`: Properties of the Context. Top level metadata keys' heading and trailing spaces will be trimmed. The size of this field should not exceed 200KB. + + * `additional_properties`: Properties of the object. + + * `update_time`: Output only. Timestamp when this Context was last updated. + + * `parent_contexts`: Output only. A list of resource names of Contexts that are parents of this Context. A Context may have at most 10 parent_contexts. + + * `pipeline_context`: Instance of a general context. + + * `name`: Immutable. The resource name of the Context. + + * `schema_title`: The title of the schema describing the metadata. Schema title and version is expected to be registered in earlier Create Schema calls. And both are used together as unique identifiers to identify schemas within the local metadata store. + + * `etag`: An eTag used to perform consistent read-modify-write updates. If not set, a blind "overwrite" update happens. 
+ + * `description`: Description of the Context + + * `display_name`: User provided display name of the Context. May be up to 128 Unicode characters. + + * `schema_version`: The version of the schema in schema_name to use. Schema title and version is expected to be registered in earlier Create Schema calls. And both are used together as unique identifiers to identify schemas within the local metadata store. + + * `create_time`: Output only. Timestamp when this Context was created. + + * `labels`: The labels with user-defined metadata to organize your Contexts. Label keys and values can be no longer than 64 characters (Unicode codepoints), can only contain lowercase letters, numeric characters, underscores and dashes. International characters are allowed. No more than 64 user labels can be associated with one Context (System labels are excluded). + + * `additional_properties`: + + * `metadata`: Properties of the Context. Top level metadata keys' heading and trailing spaces will be trimmed. The size of this field should not exceed 200KB. + + * `additional_properties`: Properties of the object. + + * `update_time`: Output only. Timestamp when this Context was last updated. + + * `parent_contexts`: Output only. A list of resource names of Contexts that are parents of this Context. A Context may have at most 10 parent_contexts. + + * `template_metadata`: Pipeline template metadata if PipelineJob.template_uri is from supported template registry. Currently, the only supported registry is Artifact Registry. + + * `version`: The version_name in artifact registry. Will always be presented in output if the PipelineJob.template_uri is from supported template registry. Format is "sha256:abcdef123456...". + + * `state`: Output only. The detailed state of the job. 
+ Possible values: + * PIPELINE_STATE_UNSPECIFIED + * PIPELINE_STATE_QUEUED + * PIPELINE_STATE_PENDING + * PIPELINE_STATE_RUNNING + * PIPELINE_STATE_SUCCEEDED + * PIPELINE_STATE_FAILED + * PIPELINE_STATE_CANCELLING + * PIPELINE_STATE_CANCELLED + * PIPELINE_STATE_PAUSED + + * `create_time`: Output only. Pipeline creation time. + + * `name`: Output only. The resource name of the PipelineJob. + + * `schedule_name`: Output only. The schedule resource name. Only returned if the Pipeline is created by Schedule API. + + * `reserved_ip_ranges`: A list of names for the reserved ip ranges under the VPC network that can be used for this Pipeline Job's workload. If set, we will deploy the Pipeline Job's workload within the provided ip ranges. Otherwise, the job will be deployed to any ip ranges under the provided VPC network. Example: ['vertex-ai-ip-range']. + + * `start_time`: Output only. Pipeline start time. + + * `service_account`: The service account that the pipeline workload runs as. If not specified, the Compute Engine default service account in the project will be used. See https://cloud.google.com/compute/docs/access/service-accounts#default_service_account Users starting the pipeline must have the `iam.serviceAccounts.actAs` permission on this service account. + + * `display_name`: The display name of the Pipeline. The name can be up to 128 characters long and can consist of any UTF-8 characters. + + * `template_uri`: A template uri from where the PipelineJob.pipeline_spec, if empty, will be downloaded. + + * `pipeline_spec`: The spec of the pipeline. + + * `additional_properties`: Properties of the object. + + * `network`: The full name of the Compute Engine [network](/compute/docs/networks-and-firewalls#networks) to which the Pipeline Job's workload should be peered. For example, `projects/12345/global/networks/myVPC`. [Format](/compute/docs/reference/rest/v1/networks/insert) is of the form `projects/{project}/global/networks/{network}`. 
Where {project} is a project number, as in `12345`, and {network} is a network name. Private services access must already be configured for the network. Pipeline job will apply the network configuration to the Google Cloud resources being launched, if applied, such as Vertex AI Training or Dataflow job. If left unspecified, the workload is not peered with any network. + + * `labels`: The labels with user-defined metadata to organize PipelineJob. Label keys and values can be no longer than 64 characters (Unicode codepoints), can only contain lowercase letters, numeric characters, underscores and dashes. International characters are allowed. See https://goo.gl/xmQnxf for more information and examples of labels. Note there is some reserved label key for Vertex AI Pipelines. - `vertex-ai-pipelines-run-billing-id`, user set value will get overrided. + + * `additional_properties`: + + * `runtime_config`: The runtime config of a PipelineJob. + + * `gcs_output_directory`: Required. A path in a Cloud Storage bucket, which will be treated as the root output directory of the pipeline. It is used by the system to generate the paths of output artifacts. The artifact paths are generated with a sub-path pattern `{job_id}/{task_id}/{output_key}` under the specified output directory. The service account specified in this pipeline must have the `storage.objects.get` and `storage.objects.create` permissions for this bucket. + + * `parameter_values`: The runtime parameters of the PipelineJob. The parameters will be passed into PipelineJob.pipeline_spec to replace the placeholders at runtime. This field is used by pipelines built using `PipelineJob.pipeline_spec.schema_version` 2.1.0, such as pipelines built using Kubeflow Pipelines SDK 1.9 or higher and the v2 DSL. + + * `additional_properties`: + + * `failure_policy`: Represents the failure policy of a pipeline. 
Currently, the default of a pipeline is that the pipeline will continue to run until no more tasks can be executed, also known as PIPELINE_FAILURE_POLICY_FAIL_SLOW. However, if a pipeline is set to PIPELINE_FAILURE_POLICY_FAIL_FAST, it will stop scheduling any new tasks when a task has failed. Any scheduled tasks will continue to completion. + Possible values: + * PIPELINE_FAILURE_POLICY_UNSPECIFIED + * PIPELINE_FAILURE_POLICY_FAIL_SLOW + * PIPELINE_FAILURE_POLICY_FAIL_FAST + + * `parameters`: Deprecated. Use RuntimeConfig.parameter_values instead. The runtime parameters of the PipelineJob. The parameters will be passed into PipelineJob.pipeline_spec to replace the placeholders at runtime. This field is used by pipelines built using `PipelineJob.pipeline_spec.schema_version` 2.0.0 or lower, such as pipelines built using Kubeflow Pipelines SDK 1.8 or lower. + + * `additional_properties`: Value is the value of the field. + + * `input_artifacts`: The runtime artifacts of the PipelineJob. The key will be the input artifact name and the value would be one of the InputArtifact. + + * `additional_properties`: The type of an input artifact. + + +## GCP permissions diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_vertex_ai_pipeline_jobs.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_vertex_ai_pipeline_jobs.md new file mode 100644 index 0000000..37768b7 --- /dev/null +++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_vertex_ai_pipeline_jobs.md 
@@ -0,0 +1,54 @@ ++++ +title = "google_vertex_ai_pipeline_jobs resource" + +draft = false + + +[menu.gcp] +title = "google_vertex_ai_pipeline_jobs" +identifier = "inspec/resources/gcp/google_vertex_ai_pipeline_jobs resource" +parent = "inspec/resources/gcp" ++++ + +Use the `google_vertex_ai_pipeline_jobs` InSpec audit resource to to test a Google Cloud PipelineJob resource. + +## Examples + +```ruby + describe google_vertex_ai_pipeline_jobs(parent: "projects/#{gcp_project_id}/locations/#{pipeline_job['region']}", region: ' value_region') do + it { should exist } + end +``` + +## Properties + +Properties that can be accessed from the `google_vertex_ai_pipeline_jobs` resource: + +See [google_vertex_ai_pipeline_job](google_vertex_ai_pipeline_job) for more detailed information. + + * `encryption_specs`: an array of `google_vertex_ai_pipeline_job` encryption_spec + * `end_times`: an array of `google_vertex_ai_pipeline_job` end_time + * `errors`: an array of `google_vertex_ai_pipeline_job` error + * `update_times`: an array of `google_vertex_ai_pipeline_job` update_time + * `job_details`: an array of `google_vertex_ai_pipeline_job` job_detail + * `template_metadata`: an array of `google_vertex_ai_pipeline_job` template_metadata + * `states`: an array of `google_vertex_ai_pipeline_job` state + * `create_times`: an array of `google_vertex_ai_pipeline_job` create_time + * `names`: an array of `google_vertex_ai_pipeline_job` name + * `schedule_names`: an array of `google_vertex_ai_pipeline_job` schedule_name + * `reserved_ip_ranges`: an array of `google_vertex_ai_pipeline_job` reserved_ip_ranges + * `start_times`: an array of `google_vertex_ai_pipeline_job` start_time + * `service_accounts`: an array of `google_vertex_ai_pipeline_job` service_account + * `display_names`: an array of `google_vertex_ai_pipeline_job` display_name + * `template_uris`: an array of `google_vertex_ai_pipeline_job` template_uri + * `pipeline_specs`: an array of `google_vertex_ai_pipeline_job` 
pipeline_spec + * `networks`: an array of `google_vertex_ai_pipeline_job` network + * `labels`: an array of `google_vertex_ai_pipeline_job` labels + * `runtime_configs`: an array of `google_vertex_ai_pipeline_job` runtime_config + +## Filter criteria + +This resource supports all of the above properties as filter criteria, which can be used +with `where` as a block or a method. + +## GCP permissions diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_vertex_ai_schedule.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_vertex_ai_schedule.md new file mode 100644 index 0000000..e4d202c --- /dev/null +++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_vertex_ai_schedule.md 
@@ -0,0 +1,359 @@ ++++ +title = "google_vertex_ai_schedule resource" + +draft = false + + +[menu.gcp] +title = "google_vertex_ai_schedule" +identifier = "inspec/resources/gcp/google_vertex_ai_schedule resource" +parent = "inspec/resources/gcp" ++++ + +Use the `google_vertex_ai_schedule` InSpec audit resource to to test a Google Cloud Schedule resource. + +## Examples + +```ruby +describe google_vertex_ai_schedule(name: "projects/#{gcp_project_id}/locations/#{schedule['region']}/schedules/#{schedule['name']}", region: ' value_region') do + it { should exist } + its('started_run_count') { should cmp 'value_startedruncount' } + its('name') { should cmp 'value_name' } + its('cron') { should cmp 'value_cron' } + its('last_pause_time') { should cmp 'value_lastpausetime' } + its('create_time') { should cmp 'value_createtime' } + its('start_time') { should cmp 'value_starttime' } + its('max_run_count') { should cmp 'value_maxruncount' } + its('next_run_time') { should cmp 'value_nextruntime' } + its('update_time') { should cmp 'value_updatetime' } + its('last_resume_time') { should cmp 'value_lastresumetime' } + its('max_concurrent_run_count') { should cmp 'value_maxconcurrentruncount' } + its('state') { should cmp 'value_state' } + its('display_name') { should cmp 'value_displayname' } + its('end_time') { should cmp 'value_endtime' } + +end + +describe google_vertex_ai_schedule(name: "does_not_exit", region: ' value_region') do + it { should_not exist } +end +``` + +## Properties + +Properties that can be accessed from the `google_vertex_ai_schedule` resource: + + + * `started_run_count`: Output only. The number of runs started by this schedule. + + * `allow_queueing`: Optional. Whether new scheduled runs can be queued when max_concurrent_runs limit is reached. If set to true, new runs will be queued instead of skipped. Default to false. + + * `name`: Immutable. The resource name of the Schedule. 
+ + * `cron`: Cron schedule (https://en.wikipedia.org/wiki/Cron) to launch scheduled runs. To explicitly set a timezone to the cron tab, apply a prefix in the cron tab: "CRON_TZ=${IANA_TIME_ZONE}" or "TZ=${IANA_TIME_ZONE}". The ${IANA_TIME_ZONE} may only be a valid string from IANA time zone database. For example, "CRON_TZ=America/New_York 1 * * * *", or "TZ=America/New_York 1 * * * *". + + * `last_pause_time`: Output only. Timestamp when this Schedule was last paused. Unset if never paused. + + * `create_time`: Output only. Timestamp when this Schedule was created. + + * `start_time`: Optional. Timestamp after which the first run can be scheduled. Default to Schedule create time if not specified. + + * `max_run_count`: Optional. Maximum run count of the schedule. If specified, The schedule will be completed when either started_run_count >= max_run_count or when end_time is reached. If not specified, new runs will keep getting scheduled until this Schedule is paused or deleted. Already scheduled runs will be allowed to complete. Unset if not specified. + + * `next_run_time`: Output only. Timestamp when this Schedule should schedule the next run. Having a next_run_time in the past means the runs are being started behind schedule. + + * `update_time`: Output only. Timestamp when this Schedule was updated. + + * `last_scheduled_run_response`: Status of a scheduled run. + + * `run_response`: The response of the scheduled run. + + * `scheduled_run_time`: The scheduled run time based on the user-specified schedule. + + * `last_resume_time`: Output only. Timestamp when this Schedule was last resumed. Unset if never resumed from pause. + + * `max_concurrent_run_count`: Required. Maximum number of runs that can be started concurrently for this Schedule. This is the limit for starting the scheduled requests and not the execution of the operations/jobs created by the requests (if applicable). + + * `state`: Output only. The state of this Schedule. 
+ Possible values: + * STATE_UNSPECIFIED + * ACTIVE + * PAUSED + * COMPLETED + + * `create_pipeline_job_request`: Request message for PipelineService.CreatePipelineJob. + + * `pipeline_job`: An instance of a machine learning PipelineJob. + + * `encryption_spec`: Represents a customer-managed encryption key spec that can be applied to a top-level resource. + + * `kms_key_name`: Required. The Cloud KMS resource identifier of the customer managed encryption key used to protect a resource. Has the form: `projects/my-project/locations/my-region/keyRings/my-kr/cryptoKeys/my-key`. The key needs to be in the same region as where the compute resource is created. + + * `end_time`: Output only. Pipeline end time. + + * `error`: The `Status` type defines a logical error model that is suitable for different programming environments, including REST APIs and RPC APIs. It is used by [gRPC](https://github.com/grpc). Each `Status` message contains three pieces of data: error code, error message, and error details. You can find out more about this error model and how to work with it in the [API Design Guide](https://cloud.google.com/apis/design/errors). + + * `details`: A list of messages that carry the error details. There is a common set of message types for APIs to use. + + * `code`: The status code, which should be an enum value of google.rpc.Code. + + * `message`: A developer-facing error message, which should be in English. Any user-facing error message should be localized and sent in the google.rpc.Status.details field, or localized by the client. + + * `update_time`: Output only. Timestamp when this PipelineJob was most recently updated. + + * `job_detail`: The runtime detail of PipelineJob. + + * `task_details`: Output only. The runtime details of the tasks under the pipeline. + + * `inputs`: Output only. The runtime input artifacts of the task. + + * `additional_properties`: A list of artifact metadata. + + * `pipeline_task_status`: Output only. A list of task status. 
This field keeps a record of task status evolving over time. + + * `update_time`: Output only. Update time of this status. + + * `error`: The `Status` type defines a logical error model that is suitable for different programming environments, including REST APIs and RPC APIs. It is used by [gRPC](https://github.com/grpc). Each `Status` message contains three pieces of data: error code, error message, and error details. You can find out more about this error model and how to work with it in the [API Design Guide](https://cloud.google.com/apis/design/errors). + + * `details`: A list of messages that carry the error details. There is a common set of message types for APIs to use. + + * `code`: The status code, which should be an enum value of google.rpc.Code. + + * `message`: A developer-facing error message, which should be in English. Any user-facing error message should be localized and sent in the google.rpc.Status.details field, or localized by the client. + + * `state`: Output only. The state of the task. + Possible values: + * STATE_UNSPECIFIED + * PENDING + * RUNNING + * SUCCEEDED + * CANCEL_PENDING + * CANCELLING + * CANCELLED + * FAILED + * SKIPPED + * NOT_TRIGGERED + + * `end_time`: Output only. Task end time. + + * `outputs`: Output only. The runtime output artifacts of the task. + + * `additional_properties`: A list of artifact metadata. + + * `create_time`: Output only. Task create time. + + * `start_time`: Output only. Task start time. + + * `execution`: Instance of a general execution. + + * `labels`: The labels with user-defined metadata to organize your Executions. Label keys and values can be no longer than 64 characters (Unicode codepoints), can only contain lowercase letters, numeric characters, underscores and dashes. International characters are allowed. No more than 64 user labels can be associated with one Execution (System labels are excluded). + + * `additional_properties`: + + * `create_time`: Output only. 
Timestamp when this Execution was created. + + * `schema_version`: The version of the schema in `schema_title` to use. Schema title and version is expected to be registered in earlier Create Schema calls. And both are used together as unique identifiers to identify schemas within the local metadata store. + + * `state`: The state of this Execution. This is a property of the Execution, and does not imply or capture any ongoing process. This property is managed by clients (such as Vertex AI Pipelines) and the system does not prescribe or check the validity of state transitions. + Possible values: + * STATE_UNSPECIFIED + * NEW + * RUNNING + * COMPLETE + * FAILED + * CACHED + * CANCELLED + + * `name`: Output only. The resource name of the Execution. + + * `etag`: An eTag used to perform consistent read-modify-write updates. If not set, a blind "overwrite" update happens. + + * `display_name`: User provided display name of the Execution. May be up to 128 Unicode characters. + + * `metadata`: Properties of the Execution. Top level metadata keys' heading and trailing spaces will be trimmed. The size of this field should not exceed 200KB. + + * `additional_properties`: Properties of the object. + + * `schema_title`: The title of the schema describing the metadata. Schema title and version is expected to be registered in earlier Create Schema calls. And both are used together as unique identifiers to identify schemas within the local metadata store. + + * `description`: Description of the Execution + + * `update_time`: Output only. Timestamp when this Execution was last updated. + + * `task_name`: Output only. The user specified name of the task that is defined in pipeline_spec. + + * `parent_task_id`: Output only. The id of the parent task if the task is within a component scope. Empty if the task is at the root level. + + * `state`: Output only. State of the task. 
+ Possible values: + * STATE_UNSPECIFIED + * PENDING + * RUNNING + * SUCCEEDED + * CANCEL_PENDING + * CANCELLING + * CANCELLED + * FAILED + * SKIPPED + * NOT_TRIGGERED + + * `task_id`: Output only. The system generated ID of the task. + + * `executor_detail`: The runtime detail of a pipeline executor. + + * `container_detail`: The detail of a container execution. It contains the job names of the lifecycle of a container execution. + + * `failed_main_jobs`: Output only. The names of the previously failed CustomJob for the main container executions. The list includes the all attempts in chronological order. + + * `main_job`: Output only. The name of the CustomJob for the main container execution. + + * `pre_caching_check_job`: Output only. The name of the CustomJob for the pre-caching-check container execution. This job will be available if the PipelineJob.pipeline_spec specifies the `pre_caching_check` hook in the lifecycle events. + + * `failed_pre_caching_check_jobs`: Output only. The names of the previously failed CustomJob for the pre-caching-check container executions. This job will be available if the PipelineJob.pipeline_spec specifies the `pre_caching_check` hook in the lifecycle events. The list includes the all attempts in chronological order. + + * `custom_job_detail`: The detailed info for a custom job executor. + + * `failed_jobs`: Output only. The names of the previously failed CustomJob. The list includes the all attempts in chronological order. + + * `job`: Output only. The name of the CustomJob. + + * `error`: The `Status` type defines a logical error model that is suitable for different programming environments, including REST APIs and RPC APIs. It is used by [gRPC](https://github.com/grpc). Each `Status` message contains three pieces of data: error code, error message, and error details. You can find out more about this error model and how to work with it in the [API Design Guide](https://cloud.google.com/apis/design/errors). 
+ + * `details`: A list of messages that carry the error details. There is a common set of message types for APIs to use. + + * `code`: The status code, which should be an enum value of google.rpc.Code. + + * `message`: A developer-facing error message, which should be in English. Any user-facing error message should be localized and sent in the google.rpc.Status.details field, or localized by the client. + + * `pipeline_run_context`: Instance of a general context. + + * `name`: Immutable. The resource name of the Context. + + * `schema_title`: The title of the schema describing the metadata. Schema title and version is expected to be registered in earlier Create Schema calls. And both are used together as unique identifiers to identify schemas within the local metadata store. + + * `etag`: An eTag used to perform consistent read-modify-write updates. If not set, a blind "overwrite" update happens. + + * `description`: Description of the Context + + * `display_name`: User provided display name of the Context. May be up to 128 Unicode characters. + + * `schema_version`: The version of the schema in schema_name to use. Schema title and version is expected to be registered in earlier Create Schema calls. And both are used together as unique identifiers to identify schemas within the local metadata store. + + * `create_time`: Output only. Timestamp when this Context was created. + + * `labels`: The labels with user-defined metadata to organize your Contexts. Label keys and values can be no longer than 64 characters (Unicode codepoints), can only contain lowercase letters, numeric characters, underscores and dashes. International characters are allowed. No more than 64 user labels can be associated with one Context (System labels are excluded). + + * `additional_properties`: + + * `metadata`: Properties of the Context. Top level metadata keys' heading and trailing spaces will be trimmed. The size of this field should not exceed 200KB. 
+ + * `additional_properties`: Properties of the object. + + * `update_time`: Output only. Timestamp when this Context was last updated. + + * `parent_contexts`: Output only. A list of resource names of Contexts that are parents of this Context. A Context may have at most 10 parent_contexts. + + * `pipeline_context`: Instance of a general context. + + * `name`: Immutable. The resource name of the Context. + + * `schema_title`: The title of the schema describing the metadata. Schema title and version is expected to be registered in earlier Create Schema calls. And both are used together as unique identifiers to identify schemas within the local metadata store. + + * `etag`: An eTag used to perform consistent read-modify-write updates. If not set, a blind "overwrite" update happens. + + * `description`: Description of the Context + + * `display_name`: User provided display name of the Context. May be up to 128 Unicode characters. + + * `schema_version`: The version of the schema in schema_name to use. Schema title and version is expected to be registered in earlier Create Schema calls. And both are used together as unique identifiers to identify schemas within the local metadata store. + + * `create_time`: Output only. Timestamp when this Context was created. + + * `labels`: The labels with user-defined metadata to organize your Contexts. Label keys and values can be no longer than 64 characters (Unicode codepoints), can only contain lowercase letters, numeric characters, underscores and dashes. International characters are allowed. No more than 64 user labels can be associated with one Context (System labels are excluded). + + * `additional_properties`: + + * `metadata`: Properties of the Context. Top level metadata keys' heading and trailing spaces will be trimmed. The size of this field should not exceed 200KB. + + * `additional_properties`: Properties of the object. + + * `update_time`: Output only. Timestamp when this Context was last updated. 
+ + * `parent_contexts`: Output only. A list of resource names of Contexts that are parents of this Context. A Context may have at most 10 parent_contexts. + + * `template_metadata`: Pipeline template metadata if PipelineJob.template_uri is from supported template registry. Currently, the only supported registry is Artifact Registry. + + * `version`: The version_name in artifact registry. Will always be presented in output if the PipelineJob.template_uri is from supported template registry. Format is "sha256:abcdef123456...". + + * `state`: Output only. The detailed state of the job. + Possible values: + * PIPELINE_STATE_UNSPECIFIED + * PIPELINE_STATE_QUEUED + * PIPELINE_STATE_PENDING + * PIPELINE_STATE_RUNNING + * PIPELINE_STATE_SUCCEEDED + * PIPELINE_STATE_FAILED + * PIPELINE_STATE_CANCELLING + * PIPELINE_STATE_CANCELLED + * PIPELINE_STATE_PAUSED + + * `create_time`: Output only. Pipeline creation time. + + * `name`: Output only. The resource name of the PipelineJob. + + * `schedule_name`: Output only. The schedule resource name. Only returned if the Pipeline is created by Schedule API. + + * `reserved_ip_ranges`: A list of names for the reserved ip ranges under the VPC network that can be used for this Pipeline Job's workload. If set, we will deploy the Pipeline Job's workload within the provided ip ranges. Otherwise, the job will be deployed to any ip ranges under the provided VPC network. Example: ['vertex-ai-ip-range']. + + * `start_time`: Output only. Pipeline start time. + + * `service_account`: The service account that the pipeline workload runs as. If not specified, the Compute Engine default service account in the project will be used. See https://cloud.google.com/compute/docs/access/service-accounts#default_service_account Users starting the pipeline must have the `iam.serviceAccounts.actAs` permission on this service account. + + * `display_name`: The display name of the Pipeline. 
The name can be up to 128 characters long and can consist of any UTF-8 characters. + + * `template_uri`: A template uri from where the PipelineJob.pipeline_spec, if empty, will be downloaded. + + * `pipeline_spec`: The spec of the pipeline. + + * `additional_properties`: Properties of the object. + + * `network`: The full name of the Compute Engine [network](/compute/docs/networks-and-firewalls#networks) to which the Pipeline Job's workload should be peered. For example, `projects/12345/global/networks/myVPC`. [Format](/compute/docs/reference/rest/v1/networks/insert) is of the form `projects/{project}/global/networks/{network}`. Where {project} is a project number, as in `12345`, and {network} is a network name. Private services access must already be configured for the network. Pipeline job will apply the network configuration to the Google Cloud resources being launched, if applied, such as Vertex AI Training or Dataflow job. If left unspecified, the workload is not peered with any network. + + * `labels`: The labels with user-defined metadata to organize PipelineJob. Label keys and values can be no longer than 64 characters (Unicode codepoints), can only contain lowercase letters, numeric characters, underscores and dashes. International characters are allowed. See https://goo.gl/xmQnxf for more information and examples of labels. Note there is some reserved label key for Vertex AI Pipelines. - `vertex-ai-pipelines-run-billing-id`, user set value will get overrided. + + * `additional_properties`: + + * `runtime_config`: The runtime config of a PipelineJob. + + * `gcs_output_directory`: Required. A path in a Cloud Storage bucket, which will be treated as the root output directory of the pipeline. It is used by the system to generate the paths of output artifacts. The artifact paths are generated with a sub-path pattern `{job_id}/{task_id}/{output_key}` under the specified output directory. 
The service account specified in this pipeline must have the `storage.objects.get` and `storage.objects.create` permissions for this bucket. + + * `parameter_values`: The runtime parameters of the PipelineJob. The parameters will be passed into PipelineJob.pipeline_spec to replace the placeholders at runtime. This field is used by pipelines built using `PipelineJob.pipeline_spec.schema_version` 2.1.0, such as pipelines built using Kubeflow Pipelines SDK 1.9 or higher and the v2 DSL. + + * `additional_properties`: + + * `failure_policy`: Represents the failure policy of a pipeline. Currently, the default of a pipeline is that the pipeline will continue to run until no more tasks can be executed, also known as PIPELINE_FAILURE_POLICY_FAIL_SLOW. However, if a pipeline is set to PIPELINE_FAILURE_POLICY_FAIL_FAST, it will stop scheduling any new tasks when a task has failed. Any scheduled tasks will continue to completion. + Possible values: + * PIPELINE_FAILURE_POLICY_UNSPECIFIED + * PIPELINE_FAILURE_POLICY_FAIL_SLOW + * PIPELINE_FAILURE_POLICY_FAIL_FAST + + * `parameters`: Deprecated. Use RuntimeConfig.parameter_values instead. The runtime parameters of the PipelineJob. The parameters will be passed into PipelineJob.pipeline_spec to replace the placeholders at runtime. This field is used by pipelines built using `PipelineJob.pipeline_spec.schema_version` 2.0.0 or lower, such as pipelines built using Kubeflow Pipelines SDK 1.8 or lower. + + * `additional_properties`: Value is the value of the field. + + * `input_artifacts`: The runtime artifacts of the PipelineJob. The key will be the input artifact name and the value would be one of the InputArtifact. + + * `additional_properties`: The type of an input artifact. + + * `pipeline_job_id`: The ID to use for the PipelineJob, which will become the final component of the PipelineJob name. If not provided, an ID will be automatically generated. This value should be less than 128 characters, and valid characters are /a-z-/. 
+ + * `parent`: Required. The resource name of the Location to create the PipelineJob in. Format: `projects/{project}/locations/{location}` + + * `display_name`: Required. User provided name of the Schedule. The name can be up to 128 characters long and can consist of any UTF-8 characters. + + * `catch_up`: Output only. Whether to backfill missed runs when the schedule is resumed from PAUSED state. If set to true, all missed runs will be scheduled. New runs will be scheduled after the backfill is complete. Default to false. + + * `end_time`: Optional. Timestamp after which no new runs can be scheduled. If specified, The schedule will be completed when either end_time is reached or when scheduled_run_count >= max_run_count. If not specified, new runs will keep getting scheduled until this Schedule is paused or deleted. Already scheduled runs will be allowed to complete. Unset if not specified. + + +## GCP permissions diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_vertex_ai_schedules.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_vertex_ai_schedules.md new file mode 100644 index 0000000..adc184b --- /dev/null +++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_vertex_ai_schedules.md 
@@ -0,0 +1,53 @@ ++++ +title = "google_vertex_ai_schedules resource" + +draft = false + + +[menu.gcp] +title = "google_vertex_ai_schedules" +identifier = "inspec/resources/gcp/google_vertex_ai_schedules resource" +parent = "inspec/resources/gcp" ++++ + +Use the `google_vertex_ai_schedules` InSpec audit resource to to test a Google Cloud Schedule resource. + +## Examples + +```ruby + describe google_vertex_ai_schedules(parent: "projects/#{gcp_project_id}/locations/#{schedule['region']}", region: ' value_region') do + it { should exist } + end +``` + +## Properties + +Properties that can be accessed from the `google_vertex_ai_schedules` resource: + +See [google_vertex_ai_schedule](google_vertex_ai_schedule) for more detailed information. + + * `started_run_counts`: an array of `google_vertex_ai_schedule` started_run_count + * `allow_queueings`: an array of `google_vertex_ai_schedule` allow_queueing + * `names`: an array of `google_vertex_ai_schedule` name + * `crons`: an array of `google_vertex_ai_schedule` cron + * `last_pause_times`: an array of `google_vertex_ai_schedule` last_pause_time + * `create_times`: an array of `google_vertex_ai_schedule` create_time + * `start_times`: an array of `google_vertex_ai_schedule` start_time + * `max_run_counts`: an array of `google_vertex_ai_schedule` max_run_count + * `next_run_times`: an array of `google_vertex_ai_schedule` next_run_time + * `update_times`: an array of `google_vertex_ai_schedule` update_time + * `last_scheduled_run_responses`: an array of `google_vertex_ai_schedule` last_scheduled_run_response + * `last_resume_times`: an array of `google_vertex_ai_schedule` last_resume_time + * `max_concurrent_run_counts`: an array of `google_vertex_ai_schedule` max_concurrent_run_count + * `states`: an array of `google_vertex_ai_schedule` state + * `create_pipeline_job_requests`: an array of `google_vertex_ai_schedule` create_pipeline_job_request + * `display_names`: an array of `google_vertex_ai_schedule` display_name + * 
`catch_ups`: an array of `google_vertex_ai_schedule` catch_up + * `end_times`: an array of `google_vertex_ai_schedule` end_time + +## Filter criteria + +This resource supports all of the above properties as filter criteria, which can be used +with `where` as a block or a method. + +## GCP permissions diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_vertex_ai_studies.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_vertex_ai_studies.md new file mode 100644 index 0000000..e47d25c --- /dev/null +++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_vertex_ai_studies.md @@ -0,0 +1,41 @@ ++++ +title = "google_vertex_ai_studies resource" + +draft = false + + +[menu.gcp] +title = "google_vertex_ai_studies" +identifier = "inspec/resources/gcp/google_vertex_ai_studies resource" +parent = "inspec/resources/gcp" ++++ + +Use the `google_vertex_ai_studies` InSpec audit resource to to test a Google Cloud Study resource. + +## Examples + +```ruby + describe google_vertex_ai_studies(parent: "projects/#{gcp_project_id}/locations/#{study['region']}", region: ' value_region') do + it { should exist } + end +``` + +## Properties + +Properties that can be accessed from the `google_vertex_ai_studies` resource: + +See [google_vertex_ai_study](google_vertex_ai_study) for more detailed information. + + * `study_specs`: an array of `google_vertex_ai_study` study_spec + * `names`: an array of `google_vertex_ai_study` name + * `display_names`: an array of `google_vertex_ai_study` display_name + * `states`: an array of `google_vertex_ai_study` state + * `create_times`: an array of `google_vertex_ai_study` create_time + * `inactive_reasons`: an array of `google_vertex_ai_study` inactive_reason + +## Filter criteria + +This resource supports all of the above properties as filter criteria, which can be used +with `where` as a block or a method. + +## GCP permissions 
diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_vertex_ai_studies_trial.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_vertex_ai_studies_trial.md new file mode 100644 index 0000000..a27811e --- /dev/null +++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_vertex_ai_studies_trial.md 
@@ -0,0 +1,99 @@ ++++ +title = "google_vertex_ai_studies_trial resource" + +draft = false + + +[menu.gcp] +title = "google_vertex_ai_studies_trial" +identifier = "inspec/resources/gcp/google_vertex_ai_studies_trial resource" +parent = "inspec/resources/gcp" ++++ + +Use the `google_vertex_ai_studies_trial` InSpec audit resource to to test a Google Cloud StudiesTrial resource. + +## Examples + +```ruby +describe google_vertex_ai_studies_trial(name: "projects/#{gcp_project_id}/locations/#{studies_trial['region']}/studies/#{studies_trial['study']}/trials/#{studies_trial['name']}", region: ' value_region') do + it { should exist } + its('start_time') { should cmp 'value_starttime' } + its('end_time') { should cmp 'value_endtime' } + its('name') { should cmp 'value_name' } + its('infeasible_reason') { should cmp 'value_infeasiblereason' } + its('client_id') { should cmp 'value_clientid' } + its('custom_job') { should cmp 'value_customjob' } + its('state') { should cmp 'value_state' } + its('id') { should cmp 'value_id' } + +end + +describe google_vertex_ai_studies_trial(name: "does_not_exit", region: ' value_region') do + it { should_not exist } +end +``` + +## Properties + +Properties that can be accessed from the `google_vertex_ai_studies_trial` resource: + + + * `measurements`: Output only. A list of measurements that are strictly lexicographically ordered by their induced tuples (steps, elapsed_duration). These are used for early stopping computations. + + * `metrics`: Output only. A list of metrics got by evaluating the objective functions using suggested Parameter values. + + * `metric_id`: Output only. The ID of the Metric. The Metric should be defined in StudySpec's Metrics. + + * `value`: Output only. The value for this metric. + + * `elapsed_duration`: Output only. Time that the Trial has been running at the point of this Measurement. + + * `step_count`: Output only. The number of steps the machine learning model has been trained for. Must be non-negative. 
+ + * `start_time`: Output only. Time when the Trial was started. + + * `end_time`: Output only. Time when the Trial's status changed to `SUCCEEDED` or `INFEASIBLE`. + + * `parameters`: Output only. The parameters of the Trial. + + * `value`: Output only. The value of the parameter. `number_value` will be set if a parameter defined in StudySpec is in type 'INTEGER', 'DOUBLE' or 'DISCRETE'. `string_value` will be set if a parameter defined in StudySpec is in type 'CATEGORICAL'. + + * `parameter_id`: Output only. The ID of the parameter. The parameter should be defined in StudySpec's Parameters. + + * `name`: Output only. Resource name of the Trial assigned by the service. + + * `infeasible_reason`: Output only. A human readable string describing why the Trial is infeasible. This is set only if Trial state is `INFEASIBLE`. + + * `final_measurement`: A message representing a Measurement of a Trial. A Measurement contains the Metrics got by executing a Trial using suggested hyperparameter values. + + * `metrics`: Output only. A list of metrics got by evaluating the objective functions using suggested Parameter values. + + * `metric_id`: Output only. The ID of the Metric. The Metric should be defined in StudySpec's Metrics. + + * `value`: Output only. The value for this metric. + + * `elapsed_duration`: Output only. Time that the Trial has been running at the point of this Measurement. + + * `step_count`: Output only. The number of steps the machine learning model has been trained for. Must be non-negative. + + * `client_id`: Output only. The identifier of the client that originally requested this Trial. Each client is identified by a unique client_id. When a client asks for a suggestion, Vertex AI Vizier will assign it a Trial. The client should evaluate the Trial, complete it, and report back to Vertex AI Vizier. If suggestion is asked again by same client_id before the Trial is completed, the same Trial will be returned. 
Multiple clients with different client_ids can ask for suggestions simultaneously, each of them will get their own Trial. + + * `custom_job`: Output only. The CustomJob name linked to the Trial. It's set for a HyperparameterTuningJob's Trial. + + * `state`: Output only. The detailed state of the Trial. + Possible values: + * STATE_UNSPECIFIED + * REQUESTED + * ACTIVE + * STOPPING + * SUCCEEDED + * INFEASIBLE + + * `web_access_uris`: Output only. URIs for accessing [interactive shells](https://cloud.google.com/vertex-ai/docs/training/monitor-debug-interactive-shell) (one URI for each training node). Only available if this trial is part of a HyperparameterTuningJob and the job's trial_job_spec.enable_web_access field is `true`. The keys are names of each node used for the trial; for example, `workerpool0-0` for the primary node, `workerpool1-0` for the first node in the second worker pool, and `workerpool1-1` for the second node in the second worker pool. The values are the URIs for each node's interactive shell. + + * `additional_properties`: + + * `id`: Output only. The identifier of the Trial assigned by the service. + + +## GCP permissions diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_vertex_ai_studies_trials.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_vertex_ai_studies_trials.md new file mode 100644 index 0000000..260b760 --- /dev/null +++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_vertex_ai_studies_trials.md 
@@ -0,0 +1,47 @@ ++++ +title = "google_vertex_ai_studies_trials resource" + +draft = false + + +[menu.gcp] +title = "google_vertex_ai_studies_trials" +identifier = "inspec/resources/gcp/google_vertex_ai_studies_trials resource" +parent = "inspec/resources/gcp" ++++ + +Use the `google_vertex_ai_studies_trials` InSpec audit resource to to test a Google Cloud StudiesTrial resource. + +## Examples + +```ruby + describe google_vertex_ai_studies_trials(parent: "projects/#{gcp_project_id}/locations/#{studies_trial['region']}/studies/#{studies_trial['study']}", region: ' value_region') do + it { should exist } + end +``` + +## Properties + +Properties that can be accessed from the `google_vertex_ai_studies_trials` resource: + +See [google_vertex_ai_studies_trial](google_vertex_ai_studies_trial) for more detailed information. + + * `measurements`: an array of `google_vertex_ai_studies_trial` measurements + * `start_times`: an array of `google_vertex_ai_studies_trial` start_time + * `end_times`: an array of `google_vertex_ai_studies_trial` end_time + * `parameters`: an array of `google_vertex_ai_studies_trial` parameters + * `names`: an array of `google_vertex_ai_studies_trial` name + * `infeasible_reasons`: an array of `google_vertex_ai_studies_trial` infeasible_reason + * `final_measurements`: an array of `google_vertex_ai_studies_trial` final_measurement + * `client_ids`: an array of `google_vertex_ai_studies_trial` client_id + * `custom_jobs`: an array of `google_vertex_ai_studies_trial` custom_job + * `states`: an array of `google_vertex_ai_studies_trial` state + * `web_access_uris`: an array of `google_vertex_ai_studies_trial` web_access_uris + * `ids`: an array of `google_vertex_ai_studies_trial` id + +## Filter criteria + +This resource supports all of the above properties as filter criteria, which can be used +with `where` as a block or a method. + +## GCP permissions 
diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_vertex_ai_study.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_vertex_ai_study.md new file mode 100644 index 0000000..37390b0 --- /dev/null +++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_vertex_ai_study.md 
@@ -0,0 +1,56 @@ ++++ +title = "google_vertex_ai_study resource" + +draft = false + + +[menu.gcp] +title = "google_vertex_ai_study" +identifier = "inspec/resources/gcp/google_vertex_ai_study resource" +parent = "inspec/resources/gcp" ++++ + +Use the `google_vertex_ai_study` InSpec audit resource to to test a Google Cloud Study resource. + +## Examples + +```ruby +describe google_vertex_ai_study(name: "projects/#{gcp_project_id}/locations/#{study['region']}/studies/#{study['name']}", region: ' value_region') do + it { should exist } + its('name') { should cmp 'value_name' } + its('display_name') { should cmp 'value_displayname' } + its('state') { should cmp 'value_state' } + its('create_time') { should cmp 'value_createtime' } + its('inactive_reason') { should cmp 'value_inactivereason' } + +end + +describe google_vertex_ai_study(name: "does_not_exit", region: ' value_region') do + it { should_not exist } +end +``` + +## Properties + +Properties that can be accessed from the `google_vertex_ai_study` resource: + + + * `study_spec`: Required. Configuration of the Study. + + * `name`: Output only. The name of a study. The study's globally unique identifier. Format: `projects/{project}/locations/{location}/studies/{study}` + + * `display_name`: Required. Describes the Study, default value is empty string. + + * `state`: Output only. The detailed state of a Study. + Possible values: + * STATE_UNSPECIFIED + * ACTIVE + * INACTIVE + * COMPLETED + + * `create_time`: Output only. Time at which the study was created. + + * `inactive_reason`: Output only. A human readable reason why the Study is inactive. This should be empty if a study is ACTIVE or COMPLETED. + + +## GCP permissions diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_vertex_ai_tensorboard.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_vertex_ai_tensorboard.md new file mode 100644 index 0000000..b06d18e --- /dev/null 
+++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_vertex_ai_tensorboard.md 
@@ -0,0 +1,67 @@ ++++ +title = "google_vertex_ai_tensorboard resource" + +draft = false + + +[menu.gcp] +title = "google_vertex_ai_tensorboard" +identifier = "inspec/resources/gcp/google_vertex_ai_tensorboard resource" +parent = "inspec/resources/gcp" ++++ + +Use the `google_vertex_ai_tensorboard` InSpec audit resource to to test a Google Cloud Tensorboard resource. + +## Examples + +```ruby +describe google_vertex_ai_tensorboard(name: "projects/#{gcp_project_id}/locations/#{tensorboard['region']}/tensorboards/#{tensorboard['name']}", region: ' value_region') do + it { should exist } + its('name') { should cmp 'value_name' } + its('update_time') { should cmp 'value_updatetime' } + its('blob_storage_path_prefix') { should cmp 'value_blobstoragepathprefix' } + its('etag') { should cmp 'value_etag' } + its('create_time') { should cmp 'value_createtime' } + its('display_name') { should cmp 'value_displayname' } + its('description') { should cmp 'value_description' } + +end + +describe google_vertex_ai_tensorboard(name: "does_not_exit", region: ' value_region') do + it { should_not exist } +end +``` + +## Properties + +Properties that can be accessed from the `google_vertex_ai_tensorboard` resource: + + + * `name`: Output only. Name of the Tensorboard. Format: `projects/{project}/locations/{location}/tensorboards/{tensorboard}` + + * `is_default`: Used to indicate if the TensorBoard instance is the default one. Each project & region can have at most one default TensorBoard instance. Creation of a default TensorBoard instance and updating an existing TensorBoard instance to be default will mark all other TensorBoard instances (if any) as non default. + + * `update_time`: Output only. Timestamp when this Tensorboard was last updated. + + * `labels`: The labels with user-defined metadata to organize your Tensorboards. 
Label keys and values can be no longer than 64 characters (Unicode codepoints), can only contain lowercase letters, numeric characters, underscores and dashes. International characters are allowed. No more than 64 user labels can be associated with one Tensorboard (System labels are excluded). See https://goo.gl/xmQnxf for more information and examples of labels. System reserved label keys are prefixed with "aiplatform.googleapis.com/" and are immutable. + + * `additional_properties`: + + * `blob_storage_path_prefix`: Output only. Consumer project Cloud Storage path prefix used to store blob data, which can either be a bucket or directory. Does not end with a '/'. + + * `etag`: Used to perform a consistent read-modify-write updates. If not set, a blind "overwrite" update happens. + + * `create_time`: Output only. Timestamp when this Tensorboard was created. + + * `run_count`: Output only. The number of Runs stored in this Tensorboard. + + * `encryption_spec`: Represents a customer-managed encryption key spec that can be applied to a top-level resource. + + * `kms_key_name`: Required. The Cloud KMS resource identifier of the customer managed encryption key used to protect a resource. Has the form: `projects/my-project/locations/my-region/keyRings/my-kr/cryptoKeys/my-key`. The key needs to be in the same region as where the compute resource is created. + + * `display_name`: Required. User provided name of this Tensorboard. + + * `description`: Description of this Tensorboard. + + +## GCP permissions diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_vertex_ai_tensorboard_experiment_run.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_vertex_ai_tensorboard_experiment_run.md new file mode 100644 index 0000000..4317889 --- /dev/null +++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_vertex_ai_tensorboard_experiment_run.md 
@@ -0,0 +1,50 @@ ++++ +title = "google_vertex_ai_tensorboard_experiment_run resource" + +draft = false + + +[menu.gcp] +title = "google_vertex_ai_tensorboard_experiment_run" +identifier = "inspec/resources/gcp/google_vertex_ai_tensorboard_experiment_run resource" +parent = "inspec/resources/gcp" ++++ + +Use the `google_vertex_ai_tensorboard_experiment_run` InSpec audit resource to to test a Google Cloud TensorboardExperimentRun resource. + +## Examples + +```ruby +describe google_vertex_ai_tensorboard_experiment_run(name: "projects/#{gcp_project_id}/locations/#{tensorboard_experiment_run['region']}/tensorboards/#{tensorboard_experiment_run['tensorboard']}/experiments/#{tensorboard_experiment_run['experiment']}/runs/#{tensorboard_experiment_run['run']}", region: ' value_region') do + it { should exist } + +end + +describe google_vertex_ai_tensorboard_experiment_run(name: "does_not_exit", region: ' value_region') do + it { should_not exist } +end +``` + +## Properties + +Properties that can be accessed from the `google_vertex_ai_tensorboard_experiment_run` resource: + + + * `display_name`: Required. User provided name of this TensorboardRun. This value must be unique among all TensorboardRuns belonging to the same parent TensorboardExperiment. + + * `update_time`: Output only. Timestamp when this TensorboardRun was last updated. + + * `description`: Description of this TensorboardRun. + + * `etag`: Used to perform a consistent read-modify-write updates. If not set, a blind "overwrite" update happens. + + * `labels`: The labels with user-defined metadata to organize your TensorboardRuns. This field will be used to filter and visualize Runs in the Tensorboard UI. For example, a Vertex AI training job can set a label aiplatform.googleapis.com/training_job_id=xxxxx to all the runs created within that job. An end user can set a label experiment_id=xxxxx for all the runs produced in a Jupyter notebook. 
These runs can be grouped by a label value and visualized together in the Tensorboard UI. Label keys and values can be no longer than 64 characters (Unicode codepoints), can only contain lowercase letters, numeric characters, underscores and dashes. International characters are allowed. No more than 64 user labels can be associated with one TensorboardRun (System labels are excluded). See https://goo.gl/xmQnxf for more information and examples of labels. System reserved label keys are prefixed with "aiplatform.googleapis.com/" and are immutable. + + * `additional_properties`: + + * `create_time`: Output only. Timestamp when this TensorboardRun was created. + + * `name`: Output only. Name of the TensorboardRun. Format: `projects/{project}/locations/{location}/tensorboards/{tensorboard}/experiments/{experiment}/runs/{run}` + + +## GCP permissions diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_vertex_ai_tensorboard_experiment_run_time_series_resource.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_vertex_ai_tensorboard_experiment_run_time_series_resource.md new file mode 100644 index 0000000..d437ffa --- /dev/null +++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_vertex_ai_tensorboard_experiment_run_time_series_resource.md 
@@ -0,0 +1,68 @@ ++++ +title = "google_vertex_ai_tensorboard_experiment_run_time_series_resource resource" + +draft = false + + +[menu.gcp] +title = "google_vertex_ai_tensorboard_experiment_run_time_series_resource" +identifier = "inspec/resources/gcp/google_vertex_ai_tensorboard_experiment_run_time_series_resource resource" +parent = "inspec/resources/gcp" ++++ + +Use the `google_vertex_ai_tensorboard_experiment_run_time_series_resource` InSpec audit resource to to test a Google Cloud TensorboardExperimentRunTimeSeriesResource resource. + +## Examples + +```ruby +describe google_vertex_ai_tensorboard_experiment_run_time_series_resource(name: "projects/#{gcp_project_id}/locations/#{tensorboard_experiment_run_time_series_resource['region']}/tensorboards/#{tensorboard_experiment_run_time_series_resource['tensorboard']}/experiments/#{tensorboard_experiment_run_time_series_resource['experiment']}/runs/#{tensorboard_experiment_run_time_series_resource['run']}/timeSeries/#{tensorboard_experiment_run_time_series_resource['timeSery']}", region: ' value_region') do + it { should exist } + its('plugin_name') { should cmp 'value_pluginname' } + its('plugin_data') { should cmp 'value_plugindata' } + its('description') { should cmp 'value_description' } + its('etag') { should cmp 'value_etag' } + its('display_name') { should cmp 'value_displayname' } + its('update_time') { should cmp 'value_updatetime' } + its('create_time') { should cmp 'value_createtime' } + its('name') { should cmp 'value_name' } + its('value_type') { should cmp 'value_valuetype' } + +end + +describe google_vertex_ai_tensorboard_experiment_run_time_series_resource(name: "does_not_exit", region: ' value_region') do + it { should_not exist } +end +``` + +## Properties + +Properties that can be accessed from the `google_vertex_ai_tensorboard_experiment_run_time_series_resource` resource: + + + * `plugin_name`: Immutable. Name of the plugin this time series pertain to. 
Such as Scalar, Tensor, Blob + + * `plugin_data`: Data of the current plugin, with the size limited to 65KB. + + * `description`: Description of this TensorboardTimeSeries. + + * `etag`: Used to perform a consistent read-modify-write updates. If not set, a blind "overwrite" update happens. + + * `display_name`: Required. User provided name of this TensorboardTimeSeries. This value should be unique among all TensorboardTimeSeries resources belonging to the same TensorboardRun resource (parent resource). + + * `update_time`: Output only. Timestamp when this TensorboardTimeSeries was last updated. + + * `create_time`: Output only. Timestamp when this TensorboardTimeSeries was created. + + * `name`: Output only. Name of the TensorboardTimeSeries. + + * `metadata`: Output only. Scalar, Tensor, or Blob metadata for this TensorboardTimeSeries. + + * `value_type`: Required. Immutable. Type of TensorboardTimeSeries value. + Possible values: + * VALUE_TYPE_UNSPECIFIED + * SCALAR + * TENSOR + * BLOB_SEQUENCE + + +## GCP permissions diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_vertex_ai_tensorboard_experiment_run_time_series_resources.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_vertex_ai_tensorboard_experiment_run_time_series_resources.md new file mode 100644 index 0000000..09f4598 --- /dev/null +++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_vertex_ai_tensorboard_experiment_run_time_series_resources.md 
@@ -0,0 +1,45 @@ ++++ +title = "google_vertex_ai_tensorboard_experiment_run_time_series_resources resource" + +draft = false + + +[menu.gcp] +title = "google_vertex_ai_tensorboard_experiment_run_time_series_resources" +identifier = "inspec/resources/gcp/google_vertex_ai_tensorboard_experiment_run_time_series_resources resource" +parent = "inspec/resources/gcp" ++++ + +Use the `google_vertex_ai_tensorboard_experiment_run_time_series_resources` InSpec audit resource to to test a Google Cloud TensorboardExperimentRunTimeSeriesResource resource. + +## Examples + +```ruby + describe google_vertex_ai_tensorboard_experiment_run_time_series_resources(parent: "projects/#{gcp_project_id}/locations/#{tensorboard_experiment_run_time_series_resource['region']}/tensorboards/#{tensorboard_experiment_run_time_series_resource['tensorboard']}/experiments/#{tensorboard_experiment_run_time_series_resource['experiment']}/runs/#{tensorboard_experiment_run_time_series_resource['run']}", region: ' value_region') do + it { should exist } + end +``` + +## Properties + +Properties that can be accessed from the `google_vertex_ai_tensorboard_experiment_run_time_series_resources` resource: + +See [google_vertex_ai_tensorboard_experiment_run_time_series_resource](google_vertex_ai_tensorboard_experiment_run_time_series_resource) for more detailed information. 
+ + * `plugin_names`: an array of `google_vertex_ai_tensorboard_experiment_run_time_series_resource` plugin_name + * `plugin_data`: an array of `google_vertex_ai_tensorboard_experiment_run_time_series_resource` plugin_data + * `descriptions`: an array of `google_vertex_ai_tensorboard_experiment_run_time_series_resource` description + * `etags`: an array of `google_vertex_ai_tensorboard_experiment_run_time_series_resource` etag + * `display_names`: an array of `google_vertex_ai_tensorboard_experiment_run_time_series_resource` display_name + * `update_times`: an array of `google_vertex_ai_tensorboard_experiment_run_time_series_resource` update_time + * `create_times`: an array of `google_vertex_ai_tensorboard_experiment_run_time_series_resource` create_time + * `names`: an array of `google_vertex_ai_tensorboard_experiment_run_time_series_resource` name + * `metadata`: an array of `google_vertex_ai_tensorboard_experiment_run_time_series_resource` metadata + * `value_types`: an array of `google_vertex_ai_tensorboard_experiment_run_time_series_resource` value_type + +## Filter criteria + +This resource supports all of the above properties as filter criteria, which can be used +with `where` as a block or a method. + +## GCP permissions diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_vertex_ai_tensorboard_experiment_runs.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_vertex_ai_tensorboard_experiment_runs.md new file mode 100644 index 0000000..acb1e7a --- /dev/null +++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_vertex_ai_tensorboard_experiment_runs.md 
@@ -0,0 +1,42 @@ ++++ +title = "google_vertex_ai_tensorboard_experiment_runs resource" + +draft = false + + +[menu.gcp] +title = "google_vertex_ai_tensorboard_experiment_runs" +identifier = "inspec/resources/gcp/google_vertex_ai_tensorboard_experiment_runs resource" +parent = "inspec/resources/gcp" ++++ + +Use the `google_vertex_ai_tensorboard_experiment_runs` InSpec audit resource to to test a Google Cloud TensorboardExperimentRun resource. + +## Examples + +```ruby + describe google_vertex_ai_tensorboard_experiment_runs(parent: "projects/#{gcp_project_id}/locations/#{tensorboard_experiment_run['region']}/tensorboards/#{tensorboard_experiment_run['tensorboard']}/experiments/#{tensorboard_experiment_run['experiment']}", region: ' value_region') do + it { should exist } + end +``` + +## Properties + +Properties that can be accessed from the `google_vertex_ai_tensorboard_experiment_runs` resource: + +See [google_vertex_ai_tensorboard_experiment_run](google_vertex_ai_tensorboard_experiment_run) for more detailed information. + + * `display_names`: an array of `google_vertex_ai_tensorboard_experiment_run` display_name + * `update_times`: an array of `google_vertex_ai_tensorboard_experiment_run` update_time + * `descriptions`: an array of `google_vertex_ai_tensorboard_experiment_run` description + * `etags`: an array of `google_vertex_ai_tensorboard_experiment_run` etag + * `labels`: an array of `google_vertex_ai_tensorboard_experiment_run` labels + * `create_times`: an array of `google_vertex_ai_tensorboard_experiment_run` create_time + * `names`: an array of `google_vertex_ai_tensorboard_experiment_run` name + +## Filter criteria + +This resource supports all of the above properties as filter criteria, which can be used +with `where` as a block or a method. + +## GCP permissions 
diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_vertex_ai_tensorboards.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_vertex_ai_tensorboards.md new file mode 100644 index 0000000..3d54d37 --- /dev/null +++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_vertex_ai_tensorboards.md 
@@ -0,0 +1,46 @@ ++++ +title = "google_vertex_ai_tensorboards resource" + +draft = false + + +[menu.gcp] +title = "google_vertex_ai_tensorboards" +identifier = "inspec/resources/gcp/google_vertex_ai_tensorboards resource" +parent = "inspec/resources/gcp" ++++ + +Use the `google_vertex_ai_tensorboards` InSpec audit resource to to test a Google Cloud Tensorboard resource. + +## Examples + +```ruby + describe google_vertex_ai_tensorboards(parent: "projects/#{gcp_project_id}/locations/#{tensorboard['region']}", region: ' value_region') do + it { should exist } + end +``` + +## Properties + +Properties that can be accessed from the `google_vertex_ai_tensorboards` resource: + +See [google_vertex_ai_tensorboard](google_vertex_ai_tensorboard) for more detailed information. + + * `names`: an array of `google_vertex_ai_tensorboard` name + * `is_defaults`: an array of `google_vertex_ai_tensorboard` is_default + * `update_times`: an array of `google_vertex_ai_tensorboard` update_time + * `labels`: an array of `google_vertex_ai_tensorboard` labels + * `blob_storage_path_prefixes`: an array of `google_vertex_ai_tensorboard` blob_storage_path_prefix + * `etags`: an array of `google_vertex_ai_tensorboard` etag + * `create_times`: an array of `google_vertex_ai_tensorboard` create_time + * `run_counts`: an array of `google_vertex_ai_tensorboard` run_count + * `encryption_specs`: an array of `google_vertex_ai_tensorboard` encryption_spec + * `display_names`: an array of `google_vertex_ai_tensorboard` display_name + * `descriptions`: an array of `google_vertex_ai_tensorboard` description + +## Filter criteria + +This resource supports all of the above properties as filter criteria, which can be used +with `where` as a block or a method. + +## GCP permissions 
diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_vertex_ai_tensorboards_experiment.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_vertex_ai_tensorboards_experiment.md new file mode 100644 index 0000000..41fcc10 --- /dev/null +++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_vertex_ai_tensorboards_experiment.md 
@@ -0,0 +1,59 @@ ++++ +title = "google_vertex_ai_tensorboards_experiment resource" + +draft = false + + +[menu.gcp] +title = "google_vertex_ai_tensorboards_experiment" +identifier = "inspec/resources/gcp/google_vertex_ai_tensorboards_experiment resource" +parent = "inspec/resources/gcp" ++++ + +Use the `google_vertex_ai_tensorboards_experiment` InSpec audit resource to to test a Google Cloud TensorboardsExperiment resource. + +## Examples + +```ruby +describe google_vertex_ai_tensorboards_experiment(name: "projects/#{gcp_project_id}/locations/#{tensorboards_experiment['region']}/tensorboards/#{tensorboards_experiment['tensorboard']}/experiments/#{tensorboards_experiment['name']}", region: ' value_region') do + it { should exist } + its('description') { should cmp 'value_description' } + its('source') { should cmp 'value_source' } + its('display_name') { should cmp 'value_displayname' } + its('create_time') { should cmp 'value_createtime' } + its('update_time') { should cmp 'value_updatetime' } + its('name') { should cmp 'value_name' } + its('etag') { should cmp 'value_etag' } + +end + +describe google_vertex_ai_tensorboards_experiment(name: "does_not_exit", region: ' value_region') do + it { should_not exist } +end +``` + +## Properties + +Properties that can be accessed from the `google_vertex_ai_tensorboards_experiment` resource: + + + * `description`: Description of this TensorboardExperiment. + + * `source`: Immutable. Source of the TensorboardExperiment. Example: a custom training job. + + * `display_name`: User provided name of this TensorboardExperiment. + + * `create_time`: Output only. Timestamp when this TensorboardExperiment was created. + + * `update_time`: Output only. Timestamp when this TensorboardExperiment was last updated. + + * `labels`: The labels with user-defined metadata to organize your TensorboardExperiment. 
Label keys and values cannot be longer than 64 characters (Unicode codepoints), can only contain lowercase letters, numeric characters, underscores and dashes. International characters are allowed. No more than 64 user labels can be associated with one Dataset (System labels are excluded). See https://goo.gl/xmQnxf for more information and examples of labels. System reserved label keys are prefixed with `aiplatform.googleapis.com/` and are immutable. The following system labels exist for each Dataset: * `aiplatform.googleapis.com/dataset_metadata_schema`: output only. Its value is the metadata_schema's title. + + * `additional_properties`: + + * `name`: Output only. Name of the TensorboardExperiment. Format: `projects/{project}/locations/{location}/tensorboards/{tensorboard}/experiments/{experiment}` + + * `etag`: Used to perform consistent read-modify-write updates. If not set, a blind "overwrite" update happens. + + +## GCP permissions diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_vertex_ai_tensorboards_experiments.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_vertex_ai_tensorboards_experiments.md new file mode 100644 index 0000000..101fccc --- /dev/null +++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_vertex_ai_tensorboards_experiments.md 
@@ -0,0 +1,43 @@ ++++ +title = "google_vertex_ai_tensorboards_experiments resource" + +draft = false + + +[menu.gcp] +title = "google_vertex_ai_tensorboards_experiments" +identifier = "inspec/resources/gcp/google_vertex_ai_tensorboards_experiments resource" +parent = "inspec/resources/gcp" ++++ + +Use the `google_vertex_ai_tensorboards_experiments` InSpec audit resource to to test a Google Cloud TensorboardsExperiment resource. + +## Examples + +```ruby + describe google_vertex_ai_tensorboards_experiments(parent: "projects/#{gcp_project_id}/locations/#{tensorboards_experiment['region']}/tensorboards/#{tensorboards_experiment['tensorboard']}", region: ' value_region') do + it { should exist } + end +``` + +## Properties + +Properties that can be accessed from the `google_vertex_ai_tensorboards_experiments` resource: + +See [google_vertex_ai_tensorboards_experiment](google_vertex_ai_tensorboards_experiment) for more detailed information. + + * `descriptions`: an array of `google_vertex_ai_tensorboards_experiment` description + * `sources`: an array of `google_vertex_ai_tensorboards_experiment` source + * `display_names`: an array of `google_vertex_ai_tensorboards_experiment` display_name + * `create_times`: an array of `google_vertex_ai_tensorboards_experiment` create_time + * `update_times`: an array of `google_vertex_ai_tensorboards_experiment` update_time + * `labels`: an array of `google_vertex_ai_tensorboards_experiment` labels + * `names`: an array of `google_vertex_ai_tensorboards_experiment` name + * `etags`: an array of `google_vertex_ai_tensorboards_experiment` etag + +## Filter criteria + +This resource supports all of the above properties as filter criteria, which can be used +with `where` as a block or a method. + +## GCP permissions 
diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_vertex_ai_training_pipeline.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_vertex_ai_training_pipeline.md new file mode 100644 index 0000000..f1ac0d4 --- /dev/null +++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_vertex_ai_training_pipeline.md 
@@ -0,0 +1,352 @@ ++++ +title = "google_vertex_ai_training_pipeline resource" + +draft = false + + +[menu.gcp] +title = "google_vertex_ai_training_pipeline" +identifier = "inspec/resources/gcp/google_vertex_ai_training_pipeline resource" +parent = "inspec/resources/gcp" ++++ + +Use the `google_vertex_ai_training_pipeline` InSpec audit resource to to test a Google Cloud TrainingPipeline resource. + +## Examples + +```ruby + describe google_vertex_ai_training_pipeline(name: "projects/#{gcp_project_id}/locations/#{training_pipeline['region']}/trainingPipelines/#{training_pipeline['name']}", region: ' value_region') do + it { should exist } + end + describe google_vertex_ai_training_pipeline(name: "does_not_exit", region: ' value_region') do + it { should_not exist } + end +``` + +## Properties + +Properties that can be accessed from the `google_vertex_ai_training_pipeline` resource: + + + * `end_time`: Output only. Time when the TrainingPipeline entered any of the following states: `PIPELINE_STATE_SUCCEEDED`, `PIPELINE_STATE_FAILED`, `PIPELINE_STATE_CANCELLED`. + + * `error`: The `Status` type defines a logical error model that is suitable for different programming environments, including REST APIs and RPC APIs. It is used by [gRPC](https://github.com/grpc). Each `Status` message contains three pieces of data: error code, error message, and error details. You can find out more about this error model and how to work with it in the [API Design Guide](https://cloud.google.com/apis/design/errors). + + * `details`: A list of messages that carry the error details. There is a common set of message types for APIs to use. + + * `code`: The status code, which should be an enum value of google.rpc.Code. + + * `message`: A developer-facing error message, which should be in English. Any user-facing error message should be localized and sent in the google.rpc.Status.details field, or localized by the client. + + * `display_name`: Required. 
The user-defined name of this TrainingPipeline. + + * `name`: Output only. Resource name of the TrainingPipeline. + + * `input_data_config`: Specifies Vertex AI owned input data to be used for training, and possibly evaluating, the Model. + + * `fraction_split`: Assigns the input data to training, validation, and test sets as per the given fractions. Any of `training_fraction`, `validation_fraction` and `test_fraction` may optionally be provided, they must sum to up to 1. If the provided ones sum to less than 1, the remainder is assigned to sets as decided by Vertex AI. If none of the fractions are set, by default roughly 80% of data is used for training, 10% for validation, and 10% for test. + + * `training_fraction`: The fraction of the input data that is to be used to train the Model. + + * `test_fraction`: The fraction of the input data that is to be used to evaluate the Model. + + * `validation_fraction`: The fraction of the input data that is to be used to validate the Model. + + * `persist_ml_use_assignment`: Whether to persist the ML use assignment to data item system labels. + + * `saved_query_id`: Only applicable to Datasets that have SavedQueries. The ID of a SavedQuery (annotation set) under the Dataset specified by dataset_id used for filtering Annotations for training. Only Annotations that are associated with this SavedQuery are used in respectively training. When used in conjunction with annotations_filter, the Annotations used for training are filtered by both saved_query_id and annotations_filter. Only one of saved_query_id and annotation_schema_uri should be specified as both of them represent the same thing: problem type. + + * `annotations_filter`: Applicable only to Datasets that have DataItems and Annotations. A filter on Annotations of the Dataset. 
Only Annotations that both match this filter and belong to DataItems not ignored by the split method are used in respectively training, validation or test role, depending on the role of the DataItem they are on (for the auto-assigned that role is decided by Vertex AI). A filter with same syntax as the one used in ListAnnotations may be used, but note here it filters across all Annotations of the Dataset, and not just within a single DataItem. + + * `gcs_destination`: The Google Cloud Storage location where the output is to be written to. + + * `output_uri_prefix`: Required. Google Cloud Storage URI to output directory. If the uri doesn't end with '/', a '/' will be automatically appended. The directory is created if it doesn't exist. + + * `bigquery_destination`: The BigQuery location for the output content. + + * `output_uri`: Required. BigQuery URI to a project or table, up to 2000 characters long. When only the project is specified, the Dataset and Table is created. When the full table reference is specified, the Dataset must exist and table must not exist. Accepted forms: * BigQuery path. For example: `bq://projectId` or `bq://projectId.bqDatasetId` or `bq://projectId.bqDatasetId.bqTableId`. + + * `stratified_split`: Assigns input data to the training, validation, and test sets so that the distribution of values found in the categorical column (as specified by the `key` field) is mirrored within each split. The fraction values determine the relative sizes of the splits. For example, if the specified column has three values, with 50% of the rows having value "A", 25% value "B", and 25% value "C", and the split fractions are specified as 80/10/10, then the training set will constitute 80% of the training data, with about 50% of the training set rows having the value "A" for the specified column, about 25% having the value "B", and about 25% having the value "C". 
Only the top 500 occurring values are used; any values not in the top 500 values are randomly assigned to a split. If less than three rows contain a specific value, those rows are randomly assigned. Supported only for tabular Datasets. + + * `training_fraction`: The fraction of the input data that is to be used to train the Model. + + * `test_fraction`: The fraction of the input data that is to be used to evaluate the Model. + + * `key`: Required. The key is a name of one of the Dataset's data columns. The key provided must be for a categorical column. + + * `validation_fraction`: The fraction of the input data that is to be used to validate the Model. + + * `annotation_schema_uri`: Applicable only to custom training with Datasets that have DataItems and Annotations. Cloud Storage URI that points to a YAML file describing the annotation schema. The schema is defined as an OpenAPI 3.0.2 [Schema Object](https://github.com/OAI/OpenAPI-Specification/blob/main/versions/3.0.2.md#schemaObject). The schema files that can be used here are found in gs://google-cloud-aiplatform/schema/dataset/annotation/ , note that the chosen schema must be consistent with metadata of the Dataset specified by dataset_id. Only Annotations that both match this schema and belong to DataItems not ignored by the split method are used in respectively training, validation or test role, depending on the role of the DataItem they are on. When used in conjunction with annotations_filter, the Annotations used for training are filtered by both annotations_filter and annotation_schema_uri. + + * `predefined_split`: Assigns input data to training, validation, and test sets based on the value of a provided key. Supported only for tabular Datasets. + + * `key`: Required. The key is a name of one of the Dataset's data columns. 
The value of the key (either the label's value or value in the column) must be one of {`training`, `validation`, `test`}, and it defines to which set the given piece of data is assigned. If for a piece of data the key is not present or has an invalid value, that piece is ignored by the pipeline. + + * `filter_split`: Assigns input data to training, validation, and test sets based on the given filters, data pieces not matched by any filter are ignored. Currently only supported for Datasets containing DataItems. If any of the filters in this message are to match nothing, then they can be set as '-' (the minus sign). Supported only for unstructured Datasets. + + * `validation_filter`: Required. A filter on DataItems of the Dataset. DataItems that match this filter are used to validate the Model. A filter with same syntax as the one used in DatasetService.ListDataItems may be used. If a single DataItem is matched by more than one of the FilterSplit filters, then it is assigned to the first set that applies to it in the training, validation, test order. + + * `test_filter`: Required. A filter on DataItems of the Dataset. DataItems that match this filter are used to test the Model. A filter with same syntax as the one used in DatasetService.ListDataItems may be used. If a single DataItem is matched by more than one of the FilterSplit filters, then it is assigned to the first set that applies to it in the training, validation, test order. + + * `training_filter`: Required. A filter on DataItems of the Dataset. DataItems that match this filter are used to train the Model. A filter with same syntax as the one used in DatasetService.ListDataItems may be used. If a single DataItem is matched by more than one of the FilterSplit filters, then it is assigned to the first set that applies to it in the training, validation, test order. + + * `timestamp_split`: Assigns input data to training, validation, and test sets based on a provided timestamps. 
The youngest data pieces are assigned to training set, next to validation set, and the oldest to the test set. Supported only for tabular Datasets. + + * `test_fraction`: The fraction of the input data that is to be used to evaluate the Model. + + * `training_fraction`: The fraction of the input data that is to be used to train the Model. + + * `validation_fraction`: The fraction of the input data that is to be used to validate the Model. + + * `key`: Required. The key is a name of one of the Dataset's data columns. The values of the key (the values in the column) must be in RFC 3339 `date-time` format, where `time-offset` = `"Z"` (e.g. 1985-04-12T23:20:50.52Z). If for a piece of data the key is not present or has an invalid value, that piece is ignored by the pipeline. + + * `dataset_id`: Required. The ID of the Dataset in the same Project and Location which data will be used to train the Model. The Dataset must use schema compatible with Model being trained, and what is compatible should be described in the used TrainingPipeline's training_task_definition. For tabular Datasets, all their data is exported to training, to pick and choose from. + + * `parent_model`: Optional. When specify this field, the `model_to_upload` will not be uploaded as a new model, instead, it will become a new version of this `parent_model`. + + * `update_time`: Output only. Time when the TrainingPipeline was most recently updated. + + * `state`: Output only. The detailed state of the pipeline. + Possible values: + * PIPELINE_STATE_UNSPECIFIED + * PIPELINE_STATE_QUEUED + * PIPELINE_STATE_PENDING + * PIPELINE_STATE_RUNNING + * PIPELINE_STATE_SUCCEEDED + * PIPELINE_STATE_FAILED + * PIPELINE_STATE_CANCELLING + * PIPELINE_STATE_CANCELLED + * PIPELINE_STATE_PAUSED + + * `labels`: The labels with user-defined metadata to organize TrainingPipelines. 
Label keys and values can be no longer than 64 characters (Unicode codepoints), can only contain lowercase letters, numeric characters, underscores and dashes. International characters are allowed. See https://goo.gl/xmQnxf for more information and examples of labels. + + * `additional_properties`: + + * `training_task_definition`: Required. A Google Cloud Storage path to the YAML file that defines the training task which is responsible for producing the model artifact, and may also include additional auxiliary work. The definition files that can be used here are found in gs://google-cloud-aiplatform/schema/trainingjob/definition/. Note: The URI given on output will be immutable and probably different, including the URI scheme, than the one given on input. The output URI will point to a location where the user only has a read access. + + * `start_time`: Output only. Time when the TrainingPipeline for the first time entered the `PIPELINE_STATE_RUNNING` state. + + * `create_time`: Output only. Time when the TrainingPipeline was created. + + * `training_task_metadata`: Output only. The metadata information as specified in the training_task_definition's `metadata`. This metadata is an auxiliary runtime and final information about the training task. While the pipeline is running this information is populated only at a best effort basis. Only present if the pipeline's training_task_definition contains `metadata` object. + + * `training_task_inputs`: Required. The training task's parameter(s), as specified in the training_task_definition's `inputs`. + + * `model_id`: Optional. The ID to use for the uploaded Model, which will become the final component of the model resource name. This value may be up to 63 characters, and valid characters are `[a-z0-9_-]`. The first character cannot be a number or hyphen. + + * `encryption_spec`: Represents a customer-managed encryption key spec that can be applied to a top-level resource. + + * `kms_key_name`: Required. 
The Cloud KMS resource identifier of the customer managed encryption key used to protect a resource. Has the form: `projects/my-project/locations/my-region/keyRings/my-kr/cryptoKeys/my-key`. The key needs to be in the same region as where the compute resource is created. + + * `model_to_upload`: A trained machine learning Model. + + * `model_source_info`: Detail description of the source information of the model. + + * `copy`: If this Model is copy of another Model. If true then source_type pertains to the original. + + * `source_type`: Type of the model source. + Possible values: + * MODEL_SOURCE_TYPE_UNSPECIFIED + * AUTOML + * CUSTOM + * BQML + * MODEL_GARDEN + * GENIE + + * `name`: The resource name of the Model. + + * `metadata`: Immutable. An additional information about the Model; the schema of the metadata can be found in metadata_schema. Unset if the Model does not have any additional information. + + * `update_time`: Output only. Timestamp when this Model was most recently updated. + + * `etag`: Used to perform consistent read-modify-write updates. If not set, a blind "overwrite" update happens. + + * `description`: The description of the Model. + + * `deployed_models`: Output only. The pointers to DeployedModels created from this Model. Note that Model could have been deployed to Endpoints in different Locations. + + * `deployed_model_id`: Immutable. An ID of a DeployedModel in the above Endpoint. + + * `endpoint`: Immutable. A resource name of an Endpoint. + + * `create_time`: Output only. Timestamp when this Model was uploaded into Vertex AI. + + * `explanation_spec`: Specification of Model explanation. + + * `parameters`: Parameters to configure explaining for Model's predictions. + + * `output_indices`: If populated, only returns attributions that have output_index contained in output_indices. It must be an ndarray of integers, with the same shape of the output it's explaining. If not populated, returns attributions for top_k indices of outputs. 
If neither top_k nor output_indices is populated, returns the argmax index of the outputs. Only applicable to Models that predict multiple outputs (e,g, multi-class Models that predict multiple classes). + + * `examples`: Example-based explainability that returns the nearest neighbors from the provided dataset. + + * `presets`: Preset configuration for example-based explanations + + * `modality`: The modality of the uploaded model, which automatically configures the distance measurement and feature normalization for the underlying example index and queries. If your model does not precisely fit one of these types, it is okay to choose the closest type. + Possible values: + * MODALITY_UNSPECIFIED + * IMAGE + * TEXT + * TABULAR + + * `query`: Preset option controlling parameters for speed-precision trade-off when querying for examples. If omitted, defaults to `PRECISE`. + Possible values: + * PRECISE + * FAST + + * `neighbor_count`: The number of neighbors to return when querying for examples. + + * `example_gcs_source`: The Cloud Storage input instances. + + * `gcs_source`: The Google Cloud Storage location for the input content. + + * `uris`: Required. Google Cloud Storage URI(-s) to the input file(s). May contain wildcards. For more information on wildcards, see https://cloud.google.com/storage/docs/gsutil/addlhelp/WildcardNames. + + * `data_format`: The format in which instances are given, if not specified, assume it's JSONL format. Currently only JSONL format is supported. + Possible values: + * DATA_FORMAT_UNSPECIFIED + * JSONL + + * `nearest_neighbor_search_config`: The full configuration for the generated index, the semantics are the same as metadata and should match [NearestNeighborSearchConfig](https://cloud.google.com/vertex-ai/docs/explainable-ai/configuring-explanations-example-based#nearest-neighbor-search-config). 
+
+ * `xrai_attribution`: An explanation method that redistributes Integrated Gradients attributions to segmented regions, taking advantage of the model's fully differentiable structure. Refer to this paper for more details: https://arxiv.org/abs/1906.02825 Supported only by image Models.
+
+ * `smooth_grad_config`: Config for SmoothGrad approximation of gradients. When enabled, the gradients are approximated by averaging the gradients from noisy samples in the vicinity of the inputs. Adding noise can help improve the computed gradients. Refer to this paper for more details: https://arxiv.org/pdf/1706.03825.pdf
+
+ * `feature_noise_sigma`: Noise sigma by features. Noise sigma represents the standard deviation of the gaussian kernel that will be used to add noise to interpolated inputs prior to computing gradients.
+
+ * `noise_sigma`: Noise sigma per feature. No noise is added to features that are not set.
+
+ * `name`: The name of the input feature for which noise sigma is provided. The features are defined in explanation metadata inputs.
+
+ * `sigma`: This represents the standard deviation of the Gaussian kernel that will be used to add noise to the feature prior to computing gradients. Similar to noise_sigma but represents the noise added to the current feature. Defaults to 0.1.
+
+ * `noise_sigma`: This is a single float value and will be used to add noise to all the features. Use this field when all features are normalized to have the same distribution: scale to range [0, 1], [-1, 1] or z-scoring, where features are normalized to have 0-mean and 1-variance. Learn more about [normalization](https://developers.google.com/machine-learning/data-prep/transform/normalization). For best results the recommended value is about 10% - 20% of the standard deviation of the input feature. Refer to section 3.2 of the SmoothGrad paper: https://arxiv.org/pdf/1706.03825.pdf. Defaults to 0.1.
If the distribution is different per feature, set feature_noise_sigma instead for each feature.
+
+ * `noisy_sample_count`: The number of gradient samples to use for approximation. The higher this number, the more accurate the gradient is, but the runtime complexity increases by this factor as well. Valid range of its value is [1, 50]. Defaults to 3.
+
+ * `step_count`: Required. The number of steps for approximating the path integral. A good value to start is 50 and gradually increase until the sum to diff property is met within the desired error range. Valid range of its value is [1, 100], inclusively.
+
+ * `blur_baseline_config`: Config for blur baseline. When enabled, a linear path from the maximally blurred image to the input image is created. Using a blurred baseline instead of zero (black image) is motivated by the BlurIG approach explained here: https://arxiv.org/abs/2004.03383
+
+ * `max_blur_sigma`: The standard deviation of the blur kernel for the blurred baseline. The same blurring parameter is used for both the height and the width dimension. If not set, the method defaults to the zero (i.e. black for images) baseline.
+
+ * `top_k`: If populated, returns attributions for top K indices of outputs (defaults to 1). Only applies to Models that predicts more than one outputs (e,g, multi-class Models). When set to -1, returns explanations for all outputs.
+
+ * `integrated_gradients_attribution`: An attribution method that computes the Aumann-Shapley value taking advantage of the model's fully differentiable structure. Refer to this paper for more details: https://arxiv.org/abs/1703.01365
+
+ * `step_count`: Required. The number of steps for approximating the path integral. A good value to start is 50 and gradually increase until the sum to diff property is within the desired error range. Valid range of its value is [1, 100], inclusively.
+
+ * `smooth_grad_config`: Config for SmoothGrad approximation of gradients.
When enabled, the gradients are approximated by averaging the gradients from noisy samples in the vicinity of the inputs. Adding noise can help improve the computed gradients. Refer to this paper for more details: https://arxiv.org/pdf/1706.03825.pdf
+
+ * `feature_noise_sigma`: Noise sigma by features. Noise sigma represents the standard deviation of the gaussian kernel that will be used to add noise to interpolated inputs prior to computing gradients.
+
+ * `noise_sigma`: Noise sigma per feature. No noise is added to features that are not set.
+
+ * `name`: The name of the input feature for which noise sigma is provided. The features are defined in explanation metadata inputs.
+
+ * `sigma`: This represents the standard deviation of the Gaussian kernel that will be used to add noise to the feature prior to computing gradients. Similar to noise_sigma but represents the noise added to the current feature. Defaults to 0.1.
+
+ * `noise_sigma`: This is a single float value and will be used to add noise to all the features. Use this field when all features are normalized to have the same distribution: scale to range [0, 1], [-1, 1] or z-scoring, where features are normalized to have 0-mean and 1-variance. Learn more about [normalization](https://developers.google.com/machine-learning/data-prep/transform/normalization). For best results the recommended value is about 10% - 20% of the standard deviation of the input feature. Refer to section 3.2 of the SmoothGrad paper: https://arxiv.org/pdf/1706.03825.pdf. Defaults to 0.1. If the distribution is different per feature, set feature_noise_sigma instead for each feature.
+
+ * `noisy_sample_count`: The number of gradient samples to use for approximation. The higher this number, the more accurate the gradient is, but the runtime complexity increases by this factor as well. Valid range of its value is [1, 50]. Defaults to 3.
+
+ * `blur_baseline_config`: Config for blur baseline.
When enabled, a linear path from the maximally blurred image to the input image is created. Using a blurred baseline instead of zero (black image) is motivated by the BlurIG approach explained here: https://arxiv.org/abs/2004.03383
+
+ * `max_blur_sigma`: The standard deviation of the blur kernel for the blurred baseline. The same blurring parameter is used for both the height and the width dimension. If not set, the method defaults to the zero (i.e. black for images) baseline.
+
+ * `sampled_shapley_attribution`: An attribution method that approximates Shapley values for features that contribute to the label being predicted. A sampling strategy is used to approximate the value rather than considering all subsets of features.
+
+ * `path_count`: Required. The number of feature permutations to consider when approximating the Shapley values. Valid range of its value is [1, 50], inclusively.
+
+ * `metadata`: Metadata describing the Model's input and output for explanation.
+
+ * `feature_attributions_schema_uri`: Points to a YAML file stored on Google Cloud Storage describing the format of the feature attributions. The schema is defined as an OpenAPI 3.0.2 [Schema Object](https://github.com/OAI/OpenAPI-Specification/blob/main/versions/3.0.2.md#schemaObject). AutoML tabular Models always have this field populated by Vertex AI. Note: The URI given on output may be different, including the URI scheme, than the one given on input. The output URI will point to a location where the user only has a read access.
+
+ * `latent_space_source`: Name of the source to generate embeddings for example based explanations.
+
+ * `outputs`: Required. Map from output names to output metadata. For Vertex AI-provided Tensorflow images, keys can be any user defined string that consists of any UTF-8 characters. For custom images, keys are the name of the output field in the prediction to be explained. Currently only one key is allowed.
+
+ * `additional_properties`: Metadata of the prediction output to be explained.
+
+ * `inputs`: Required. Map from feature names to feature input metadata. Keys are the name of the features. Values are the specification of the feature. An empty InputMetadata is valid. It describes a text feature which has the name specified as the key in ExplanationMetadata.inputs. The baseline of the empty feature is chosen by Vertex AI. For Vertex AI-provided Tensorflow images, the key can be any friendly name of the feature. Once specified, featureAttributions are keyed by this key (if not grouped with another feature). For custom images, the key must match with the key in instance.
+
+ * `additional_properties`: Metadata of the input of a feature. Fields other than InputMetadata.input_baselines are applicable only for Models that are using Vertex AI-provided images for Tensorflow.
+
+ * `encryption_spec`: Represents a customer-managed encryption key spec that can be applied to a top-level resource.
+
+ * `kms_key_name`: Required. The Cloud KMS resource identifier of the customer managed encryption key used to protect a resource. Has the form: `projects/my-project/locations/my-region/keyRings/my-kr/cryptoKeys/my-key`. The key needs to be in the same region as where the compute resource is created.
+
+ * `pipeline_job`: Optional. This field is populated if the model is produced by a pipeline job.
+
+ * `predict_schemata`: Contains the schemata used in Model's predictions and explanations via PredictionService.Predict, PredictionService.Explain and BatchPredictionJob.
+
+ * `instance_schema_uri`: Immutable. Points to a YAML file stored on Google Cloud Storage describing the format of a single instance, which are used in PredictRequest.instances, ExplainRequest.instances and BatchPredictionJob.input_config. The schema is defined as an OpenAPI 3.0.2 [Schema Object](https://github.com/OAI/OpenAPI-Specification/blob/main/versions/3.0.2.md#schemaObject).
AutoML Models always have this field populated by Vertex AI. Note: The URI given on output will be immutable and probably different, including the URI scheme, than the one given on input. The output URI will point to a location where the user only has a read access.
+
+ * `parameters_schema_uri`: Immutable. Points to a YAML file stored on Google Cloud Storage describing the parameters of prediction and explanation via PredictRequest.parameters, ExplainRequest.parameters and BatchPredictionJob.model_parameters. The schema is defined as an OpenAPI 3.0.2 [Schema Object](https://github.com/OAI/OpenAPI-Specification/blob/main/versions/3.0.2.md#schemaObject). AutoML Models always have this field populated by Vertex AI, if no parameters are supported, then it is set to an empty string. Note: The URI given on output will be immutable and probably different, including the URI scheme, than the one given on input. The output URI will point to a location where the user only has a read access.
+
+ * `prediction_schema_uri`: Immutable. Points to a YAML file stored on Google Cloud Storage describing the format of a single prediction produced by this Model, which are returned via PredictResponse.predictions, ExplainResponse.explanations, and BatchPredictionJob.output_config. The schema is defined as an OpenAPI 3.0.2 [Schema Object](https://github.com/OAI/OpenAPI-Specification/blob/main/versions/3.0.2.md#schemaObject). AutoML Models always have this field populated by Vertex AI. Note: The URI given on output will be immutable and probably different, including the URI scheme, than the one given on input. The output URI will point to a location where the user only has a read access.
+
+ * `version_update_time`: Output only. Timestamp when this version was most recently updated.
+
+ * `supported_export_formats`: Output only. The formats in which this Model may be exported. If empty, this Model is not available for export.
+
+ * `exportable_contents`: Output only.
The content of this Model that may be exported.
+
+ * `id`: Output only. The ID of the export format. The possible format IDs are: * `tflite` Used for Android mobile devices. * `edgetpu-tflite` Used for [Edge TPU](https://cloud.google.com/edge-tpu/) devices. * `tf-saved-model` A tensorflow model in SavedModel format. * `tf-js` A [TensorFlow.js](https://www.tensorflow.org/js) model that can be used in the browser and in Node.js using JavaScript. * `core-ml` Used for iOS mobile devices. * `custom-trained` A Model that was uploaded or trained by custom code.
+
+ * `original_model_info`: Contains information about the original Model if this Model is a copy.
+
+ * `model`: Output only. The resource name of the Model this Model is a copy of, including the revision. Format: `projects/{project}/locations/{location}/models/{model_id}@{version_id}`
+
+ * `metadata_artifact`: Output only. The resource name of the Artifact that was created in MetadataStore when creating the Model. The Artifact resource name pattern is `projects/{project}/locations/{location}/metadataStores/{metadata_store}/artifacts/{artifact}`.
+
+ * `supported_input_storage_formats`: Output only. The formats this Model supports in BatchPredictionJob.input_config. If PredictSchemata.instance_schema_uri exists, the instances should be given as per that schema. The possible formats are: * `jsonl` The JSON Lines format, where each instance is a single line. Uses GcsSource. * `csv` The CSV format, where each instance is a single comma-separated line. The first line in the file is the header, containing comma-separated field names. Uses GcsSource. * `tf-record` The TFRecord format, where each instance is a single record in tfrecord syntax. Uses GcsSource. * `tf-record-gzip` Similar to `tf-record`, but the file is gzipped. Uses GcsSource. * `bigquery` Each instance is a single row in BigQuery. Uses BigQuerySource.
* `file-list` Each line of the file is the location of an instance to process, uses `gcs_source` field of the InputConfig object. If this Model doesn't support any of these formats it means it cannot be used with a BatchPredictionJob. However, if it has supported_deployment_resources_types, it could serve online predictions by using PredictionService.Predict or PredictionService.Explain.
+
+ * `metadata_schema_uri`: Immutable. Points to a YAML file stored on Google Cloud Storage describing additional information about the Model, that is specific to it. Unset if the Model does not have any additional information. The schema is defined as an OpenAPI 3.0.2 [Schema Object](https://github.com/OAI/OpenAPI-Specification/blob/main/versions/3.0.2.md#schemaObject). AutoML Models always have this field populated by Vertex AI, if no additional metadata is needed, this field is set to an empty string. Note: The URI given on output will be immutable and probably different, including the URI scheme, than the one given on input. The output URI will point to a location where the user only has a read access.
+
+ * `container_spec`: Specification of a container for serving predictions. Some fields in this message correspond to fields in the [Kubernetes Container v1 core specification](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.23/#container-v1-core).
+
+ * `predict_route`: Immutable. HTTP path on the container to send prediction requests to. Vertex AI forwards requests sent using projects.locations.endpoints.predict to this path on the container's IP address and port. Vertex AI then returns the container's response in the API response. For example, if you set this field to `/foo`, then when Vertex AI receives a prediction request, it forwards the request body in a POST request to the `/foo` path on the port of your container specified by the first value of this `ModelContainerSpec`'s ports field.
If you don't specify this field, it defaults to the following value when you deploy this Model to an Endpoint: /v1/endpoints/ENDPOINT/deployedModels/DEPLOYED_MODEL:predict The placeholders in this value are replaced as follows: * ENDPOINT: The last segment (following `endpoints/`)of the Endpoint.name][] field of the Endpoint where this Model has been deployed. (Vertex AI makes this value available to your container code as the [`AIP_ENDPOINT_ID` environment variable](https://cloud.google.com/vertex-ai/docs/predictions/custom-container-requirements#aip-variables).) * DEPLOYED_MODEL: DeployedModel.id of the `DeployedModel`. (Vertex AI makes this value available to your container code as the [`AIP_DEPLOYED_MODEL_ID` environment variable](https://cloud.google.com/vertex-ai/docs/predictions/custom-container-requirements#aip-variables).)
+
+ * `image_uri`: Required. Immutable. URI of the Docker image to be used as the custom container for serving predictions. This URI must identify an image in Artifact Registry or Container Registry. Learn more about the [container publishing requirements](https://cloud.google.com/vertex-ai/docs/predictions/custom-container-requirements#publishing), including permissions requirements for the Vertex AI Service Agent. The container image is ingested upon ModelService.UploadModel, stored internally, and this original path is afterwards not used. To learn about the requirements for the Docker image itself, see [Custom container requirements](https://cloud.google.com/vertex-ai/docs/predictions/custom-container-requirements#). You can use the URI to one of Vertex AI's [pre-built container images for prediction](https://cloud.google.com/vertex-ai/docs/predictions/pre-built-containers) in this field.
+
+ * `env`: Immutable. List of environment variables to set in the container. After the container starts running, code running in the container can read these environment variables.
Additionally, the command and args fields can reference these variables. Later entries in this list can also reference earlier entries. For example, the following example sets the variable `VAR_2` to have the value `foo bar`: ```json [ { "name": "VAR_1", "value": "foo" }, { "name": "VAR_2", "value": "$(VAR_1) bar" } ] ``` If you switch the order of the variables in the example, then the expansion does not occur. This field corresponds to the `env` field of the Kubernetes Containers [v1 core API](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.23/#container-v1-core).
+
+ * `name`: Required. Name of the environment variable. Must be a valid C identifier.
+
+ * `value`: Required. Variables that reference a $(VAR_NAME) are expanded using the previous defined environment variables in the container and any service environment variables. If a variable cannot be resolved, the reference in the input string will be unchanged. The $(VAR_NAME) syntax can be escaped with a double $$, ie: $$(VAR_NAME). Escaped references will never be expanded, regardless of whether the variable exists or not.
+
+ * `args`: Immutable. Specifies arguments for the command that runs when the container starts. This overrides the container's [`CMD`](https://docs.docker.com/engine/reference/builder/#cmd). Specify this field as an array of executable and arguments, similar to a Docker `CMD`'s "default parameters" form. If you don't specify this field but do specify the command field, then the command from the `command` field runs without any additional arguments. See the [Kubernetes documentation about how the `command` and `args` fields interact with a container's `ENTRYPOINT` and `CMD`](https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/#notes).
If you don't specify this field and don't specify the `command` field, then the container's [`ENTRYPOINT`](https://docs.docker.com/engine/reference/builder/#cmd) and `CMD` determine what runs based on their default behavior. See the Docker documentation about [how `CMD` and `ENTRYPOINT` interact](https://docs.docker.com/engine/reference/builder/#understand-how-cmd-and-entrypoint-interact). In this field, you can reference [environment variables set by Vertex AI](https://cloud.google.com/vertex-ai/docs/predictions/custom-container-requirements#aip-variables) and environment variables set in the env field. You cannot reference environment variables set in the Docker image. In order for environment variables to be expanded, reference them by using the following syntax: $( VARIABLE_NAME) Note that this differs from Bash variable expansion, which does not use parentheses. If a variable cannot be resolved, the reference in the input string is used unchanged. To avoid variable expansion, you can escape this syntax with `$$`; for example: $$(VARIABLE_NAME) This field corresponds to the `args` field of the Kubernetes Containers [v1 core API](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.23/#container-v1-core).
+
+ * `command`: Immutable. Specifies the command that runs when the container starts. This overrides the container's [ENTRYPOINT](https://docs.docker.com/engine/reference/builder/#entrypoint). Specify this field as an array of executable and arguments, similar to a Docker `ENTRYPOINT`'s "exec" form, not its "shell" form. If you do not specify this field, then the container's `ENTRYPOINT` runs, in conjunction with the args field or the container's [`CMD`](https://docs.docker.com/engine/reference/builder/#cmd), if either exists.
If this field is not specified and the container does not have an `ENTRYPOINT`, then refer to the Docker documentation about [how `CMD` and `ENTRYPOINT` interact](https://docs.docker.com/engine/reference/builder/#understand-how-cmd-and-entrypoint-interact). If you specify this field, then you can also specify the `args` field to provide additional arguments for this command. However, if you specify this field, then the container's `CMD` is ignored. See the [Kubernetes documentation about how the `command` and `args` fields interact with a container's `ENTRYPOINT` and `CMD`](https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/#notes). In this field, you can reference [environment variables set by Vertex AI](https://cloud.google.com/vertex-ai/docs/predictions/custom-container-requirements#aip-variables) and environment variables set in the env field. You cannot reference environment variables set in the Docker image. In order for environment variables to be expanded, reference them by using the following syntax: $( VARIABLE_NAME) Note that this differs from Bash variable expansion, which does not use parentheses. If a variable cannot be resolved, the reference in the input string is used unchanged. To avoid variable expansion, you can escape this syntax with `$$`; for example: $$(VARIABLE_NAME) This field corresponds to the `command` field of the Kubernetes Containers [v1 core API](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.23/#container-v1-core).
+
+ * `ports`: Immutable. List of ports to expose from the container. Vertex AI sends any prediction requests that it receives to the first port on this list. Vertex AI also sends [liveness and health checks](https://cloud.google.com/vertex-ai/docs/predictions/custom-container-requirements#liveness) to this port.
If you do not specify this field, it defaults to following value: ```json [ { "containerPort": 8080 } ] ``` Vertex AI does not use ports other than the first one listed. This field corresponds to the `ports` field of the Kubernetes Containers [v1 core API](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.23/#container-v1-core).
+
+ * `container_port`: The number of the port to expose on the pod's IP address. Must be a valid port number, between 1 and 65535 inclusive.
+
+ * `health_route`: Immutable. HTTP path on the container to send health checks to. Vertex AI intermittently sends GET requests to this path on the container's IP address and port to check that the container is healthy. Read more about [health checks](https://cloud.google.com/vertex-ai/docs/predictions/custom-container-requirements#health). For example, if you set this field to `/bar`, then Vertex AI intermittently sends a GET request to the `/bar` path on the port of your container specified by the first value of this `ModelContainerSpec`'s ports field. If you don't specify this field, it defaults to the following value when you deploy this Model to an Endpoint: /v1/endpoints/ENDPOINT/deployedModels/ DEPLOYED_MODEL:predict The placeholders in this value are replaced as follows: * ENDPOINT: The last segment (following `endpoints/`)of the Endpoint.name][] field of the Endpoint where this Model has been deployed. (Vertex AI makes this value available to your container code as the [`AIP_ENDPOINT_ID` environment variable](https://cloud.google.com/vertex-ai/docs/predictions/custom-container-requirements#aip-variables).) * DEPLOYED_MODEL: DeployedModel.id of the `DeployedModel`. (Vertex AI makes this value available to your container code as the [`AIP_DEPLOYED_MODEL_ID` environment variable](https://cloud.google.com/vertex-ai/docs/predictions/custom-container-requirements#aip-variables).)
+
+ * `version_id`: Output only. Immutable. The version ID of the model.
A new version is committed when a new model version is uploaded or trained under an existing model id. It is an auto-incrementing decimal number in string representation.
+
+ * `artifact_uri`: Immutable. The path to the directory containing the Model artifact and any of its supporting files. Not present for AutoML Models or Large Models.
+
+ * `training_pipeline`: Output only. The resource name of the TrainingPipeline that uploaded this Model, if any.
+
+ * `display_name`: Required. The display name of the Model. The name can be up to 128 characters long and can consist of any UTF-8 characters.
+
+ * `supported_deployment_resources_types`: Output only. When this Model is deployed, its prediction resources are described by the `prediction_resources` field of the Endpoint.deployed_models object. Because not all Models support all resource configuration types, the configuration types this Model supports are listed here. If no configuration types are listed, the Model cannot be deployed to an Endpoint and does not support online predictions (PredictionService.Predict or PredictionService.Explain). Such a Model can serve predictions by using a BatchPredictionJob, if it has at least one entry each in supported_input_storage_formats and supported_output_storage_formats.
+
+ * `supported_output_storage_formats`: Output only. The formats this Model supports in BatchPredictionJob.output_config. If both PredictSchemata.instance_schema_uri and PredictSchemata.prediction_schema_uri exist, the predictions are returned together with their instances. In other words, the prediction has the original instance data first, followed by the actual prediction content (as per the schema). The possible formats are: * `jsonl` The JSON Lines format, where each prediction is a single line. Uses GcsDestination. * `csv` The CSV format, where each prediction is a single comma-separated line. The first line in the file is the header, containing comma-separated field names. Uses GcsDestination.
* `bigquery` Each prediction is a single row in a BigQuery table, uses BigQueryDestination . If this Model doesn't support any of these formats it means it cannot be used with a BatchPredictionJob. However, if it has supported_deployment_resources_types, it could serve online predictions by using PredictionService.Predict or PredictionService.Explain.
+
+ * `version_aliases`: User provided version aliases so that a model version can be referenced via alias (i.e. `projects/{project}/locations/{location}/models/{model_id}@{version_alias}` instead of auto-generated version id (i.e. `projects/{project}/locations/{location}/models/{model_id}@{version_id})`. The format is a-z{0,126}[a-z0-9] to distinguish from version_id. A default version alias will be created for the first version of the model, and there must be exactly one default version alias for a model.
+
+ * `version_create_time`: Output only. Timestamp when this version was created.
+
+ * `version_description`: The description of this version.
+
+ * `labels`: The labels with user-defined metadata to organize your Models. Label keys and values can be no longer than 64 characters (Unicode codepoints), can only contain lowercase letters, numeric characters, underscores and dashes. International characters are allowed. See https://goo.gl/xmQnxf for more information and examples of labels.
+
+ * `additional_properties`:
+
+
+## GCP permissions
diff --git a/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_vertex_ai_training_pipelines.md b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_vertex_ai_training_pipelines.md
new file mode 100644
index 0000000..32a154e
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-gcp/docs-chef-io/content/google_vertex_ai_training_pipelines.md
@@ -0,0 +1,52 @@
++++
+title = "google_vertex_ai_training_pipelines resource"
+
+draft = false
+
+
+[menu.gcp]
+title = "google_vertex_ai_training_pipelines"
+identifier = "inspec/resources/gcp/google_vertex_ai_training_pipelines resource"
+parent = "inspec/resources/gcp"
++++
+
+Use the `google_vertex_ai_training_pipelines` InSpec audit resource to to test a Google Cloud TrainingPipeline resource.
+
+## Examples
+
+```ruby
+ describe google_vertex_ai_training_pipelines(parent: "projects/#{gcp_project_id}/locations/#{training_pipeline['region']}", region: ' value_region') do
+ it { should exist }
+ end
+```
+
+## Properties
+
+Properties that can be accessed from the `google_vertex_ai_training_pipelines` resource:
+
+See [google_vertex_ai_training_pipeline](google_vertex_ai_training_pipeline) for more detailed information.
+
+ * `end_times`: an array of `google_vertex_ai_training_pipeline` end_time
+ * `errors`: an array of `google_vertex_ai_training_pipeline` error
+ * `display_names`: an array of `google_vertex_ai_training_pipeline` display_name
+ * `names`: an array of `google_vertex_ai_training_pipeline` name
+ * `input_data_configs`: an array of `google_vertex_ai_training_pipeline` input_data_config
+ * `parent_models`: an array of `google_vertex_ai_training_pipeline` parent_model
+ * `update_times`: an array of `google_vertex_ai_training_pipeline` update_time
+ * `states`: an array of `google_vertex_ai_training_pipeline` state
+ * `labels`: an array of `google_vertex_ai_training_pipeline` labels
+ * `training_task_definitions`: an array of `google_vertex_ai_training_pipeline` training_task_definition
+ * `start_times`: an array of `google_vertex_ai_training_pipeline` start_time
+ * `create_times`: an array of `google_vertex_ai_training_pipeline` create_time
+ * `training_task_metadata`: an array of `google_vertex_ai_training_pipeline` training_task_metadata
+ * `training_task_inputs`: an array of `google_vertex_ai_training_pipeline` training_task_inputs
+ *
`model_ids`: an array of `google_vertex_ai_training_pipeline` model_id
+ * `encryption_specs`: an array of `google_vertex_ai_training_pipeline` encryption_spec
+ * `model_to_uploads`: an array of `google_vertex_ai_training_pipeline` model_to_upload
+
+## Filter criteria
+
+This resource supports all of the above properties as filter criteria, which can be used
+with `where` as a block or a method.
+
+## GCP permissions
diff --git a/_vendor/github.com/inspec/inspec-habitat/docs-chef-io/content/_index.md b/_vendor/github.com/inspec/inspec-habitat/docs-chef-io/content/_index.md
new file mode 100644
index 0000000..6a7eafc
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-habitat/docs-chef-io/content/_index.md
@@ -0,0 +1,115 @@ ++++ +title = "About the Chef InSpec Habitat resource pack" + +draft = false + +linkTitle = "Habitat resource pack" +summary = "Chef InSpec resources for auditing Habitat packages and services." + +[cascade] + [cascade.params] + platform = "habitat" + +[menu.habitat] + title = "About Habitat resources" + identifier = "inspec/resources/habitat/About" + parent = "inspec/resources/habitat" + weight = 10 ++++ + +The Chef InSpec Habitat resources allow you to audit and test Chef Habitat packages and services in your infrastructure. You can verify package installations, check service configurations, and validate the operational state of your Habitat-managed applications. + +{{< note >}} + +This resource pack is in the early stages of development. Functionality may be defective, incomplete, or be withdrawn in the future. If you are interested in helping this project mature, please join the conversation or contribute code at the [inspec-habitat project](https://github.com/inspec/inspec-habitat). + +{{< /note >}} + +## Prerequisites + +- Chef InSpec v4.7.3 or later +- A running Habitat Supervisor that you can access using SSH, the HTTP API, or (ideally) both. + +## Connecting to Habitat + +The `inspec-habitat` resources connect to Habitat using two methods: + +- **SSH connection with `hab` CLI**: Required for package information and some service data +- **HTTP API connection**: Provides access to the Habitat Supervisor API for real-time service status + +For the most comprehensive testing capabilities, configure both connection methods. If only one method is available, InSpec will use the available connection and skip tests that require the unavailable method. + +### Configure Habitat connections + +Configure your Habitat connections in the [InSpec configuration file](https://docs.chef.io/inspec/config/) at `~/.inspec/config.json`. You can create multiple connection profiles for different environments (for example, development, staging, and production). 
+ +Use the following format in your configuration file: + +```json +{ + "file_version": "1.1", + "credentials": { + "habitat": { + "": { + "api_url": "http://dev-hab.example.com", + "api_auth_token": "", + "cli_ssh_host": "dev-hab.example.com", + "cli_ssh_user": "username", + "cli_ssh_key_files": "~/.ssh/KEYNAME" + } + } + } +} +``` + +Habitat Supervisor API options: + +`api_url` +: The URL to the Habitat Supervisor API. InSpec defaults to port 9631 if a port isn't specified. + +`api_auth_token` +: The bearer token for API authentication. This is required only if your Habitat Supervisor is configured to expect a token. + +SSH connection options: + +`cli_ssh_host` +: The IP or hostname of the machine to connect to. If omitted, it is assumed that the CLI interface isn't available. + +`cli_ssh_user` +: The SSH username. It defaults to the current OS user if a value isn't specified. + +`cli_ssh_key_files` +: The SSH key file paths for authentication. This can be a single string or an array of paths. + +{{< note >}} + +The `train-habitat` driver has many additional connection options. For further details, see the [`train-habitat` documentation](https://github.com/inspec/train-habitat#using-train-habitat-from-ruby). + +{{< /note >}} + +### Run InSpec profiles against Habitat + +Execute your InSpec profiles against Habitat using the `--target` option to specify your configured Habitat connection: + +```sh +inspec exec --target habitat:// +``` + +In this command: + +- `habitat://` tells InSpec to use the [train-habitat driver](https://github.com/inspec/train) to connect to Habitat +- `` references the connection configuration defined in your InSpec configuration file + +For example, to run a profile using a configuration named "production": + +```sh +inspec exec profile-name --target habitat://production +``` + +## Habitat resources + +{{< inspec_resources_filter >}} + +The following Chef InSpec Habitat resources are available in this resource pack. 
+ +{{< inspec_resources section="habitat" platform="habitat" >}} diff --git a/_vendor/github.com/inspec/inspec-habitat/docs-chef-io/content/habitat_package.md b/_vendor/github.com/inspec/inspec-habitat/docs-chef-io/content/habitat_package.md new file mode 100644 index 0000000..2ba2d27 --- /dev/null +++ b/_vendor/github.com/inspec/inspec-habitat/docs-chef-io/content/habitat_package.md 
@@ -0,0 +1,209 @@ ++++ +title = "habitat_package resource" +draft = false + + +[menu.habitat] + title = "habitat_package" + identifier = "inspec/resources/habitat/habitat_package.md habitat_package resource" + parent = "inspec/resources/habitat" ++++ + +Use the `habitat_package` InSpec audit resource to test properties of a single Habitat package. + +## Availability + +### Status: EXPERIMENTAL + +This resource, like all of the inspec-habitat resource pack, is in the early stages of research and development. Functionality may be defective, incomplete, or be withdrawn in the future. If you are interested in helping this project mature, please join the conversation or contribute code at the [inspec-habitat project](https://github.com/inspec/inspec-habitat). + +### Connect to Habitat + +To configure `inspec` to be able to communicate with Chef Habitat, be sure [to follow the instructions](https://github.com/inspec/inspec-habitat#configuring-inspec-to-reach-habitat) regarding configuring the connection options. This will prevent 'unsupported platform' errors. + +### Installation + +This resource is in the `inspec-habitat` resource pack. You can use the resource by setting an InSpec profile dependency on this resource pack. See [inspec-habitat instructions](https://github.com/inspec/inspec-habitat#installation) + +### Version + +This resource was first available in version 0.1.0 of the resource pack. + +## Examples + +### Check for core/httpd package + +```ruby +describe habitat_package(origin: 'core', name: 'httpd') do + it { should exist } + its('version') { should eq '2.4.35'} + its('release') { should eq '20190307151146'} +end +``` + +## Limitations + +### API versus CLI access + +Habitat exposes certain data via the CLI, and other data via the HTTP Gateway API. + +This resource is **only** available using CLI credentials. + +If you use the API interface without the CLI, instances of this resource will behave as if the sought-after package was not found. 
+ +### Behavior when not found + +If the package is not found, then this resource behaves as follows: + +- `it { should exist }` will be a failing test. Check this test if you are unsure if the resource will exist; it is guaranteed to be reliable in the future. +- `name`, `origin`, `version`, and `release` will continue to return their values as set in the resource parameters. This allows output messaging to refer to the missing package clearly. +- `identifier` will return as much information as it can assemble from `name`, `origin`, `version`, and `release`. +- All other single-value properties will return `nil`. +- All array- and hash-valued properties will return empty objects. +- All matchers will return `false`. + +### Behavior when multiple packages match + +A system can have multiple versions of the same-named package installed (or even multiple releases of the same version of the same named package). For this reason, if you under-specify the resource parameters, you may match with multiple packages. Under these conditions, this resource will throw an `ArgumentError` exception, and the resource test will be recorded as a failure. + +To avoid this possibility, fully specify the resource parameters, including `version` and `release`. + +To list all installed versions and releases of a named package, use the plural resource `habitat_packages`. + +## Resource parameters + +Use [resource parameters](https://docs.chef.io/inspec/glossary/#resource-parameter) to identify the particular package you wish to test. + +`habitat_package` can accept a single resource parameter, a `String` package identifier; or it can accept a `Hash` of identifier components. + +### As a single `String` + +Using this approach, you pass the package identifier as a single `String`. It should consist of `///`, though `version` and `release` are optional. 
+ +```ruby +describe habitat_package('core/httpd') do + it { should exist } +end +``` + +### Using individual identifier components as a `Hash` + +This approach can make it easier to write resource tests that use InSpec inputs or Ruby variables. + +#### origin + +`String`. The name of the `origin` (distribution facility) that provides the package. + +```ruby +# Most common origin is 'core', publicly distributed packages created by Chef +describe habitat_package(origin: 'core', name: 'httpd') do + it { should exist } +end + +# Your company might run a private origin +describe habitat_package(origin: 'mycorp', name: 'secret-sauce') do + it { should exist } +end +``` + +#### name + +`String`. The name (unique within the namespace of the origin) of the package. This may match more than one package; see [Behavior when multiple packages match](#behavior-when-multiple-packages-match). + +```ruby +describe habitat_package(origin: 'core', name: 'httpd') do + it { should exist } +end +``` + +#### release + +`String`, a 14-digit timestamp of the form 'YYYMMDDHHmmSS'. The release number of the package as determined by the packager of the software. If you provide this, you must also provide the version; with all four components, the match is guarenteed to be unique. + +```ruby +describe habitat_package(origin: 'core', name: 'httpd', version: '2.3.5', release: '20190307151146') do + it { should exist } +end +``` + +#### version + +`String`, typically of the form `1.2.3` but formats vary. The version of the package as determined by the author of the software. This may match more than one package, because multiple releases of the same version may be co-installed; see [Behavior when multiple packages match](#behavior-when-multiple-packages-match). 
+ +```ruby +describe habitat_package(origin: 'core', name: 'httpd', version: '2.3.5') do + it { should exist } +end +``` + +## Properties + +Use [properties](https://docs.chef.io/inspec/glossary/#property) to create tests that compare an expected value to the actual value. + +### identifier + +`String`. The origin, name, version (if known) and release (if known) concatenated with `/`, to create the package identifier. + +```ruby +describe habitat_package(origin: 'core', name: 'httpd') do + its('identifier') { should eq 'core/httpd/2.4.35/20190307151146' } +end +``` + +### name + +`String`. The name of the package, as passed in via the resource parameter. Always available, even if the resource was not found. See also [origin](#origin) and [version](#version). + +```ruby +describe habitat_package(origin: 'core', name: 'httpd') do + its('name') { should cmp 'httpd' } +end +``` + +### origin + +`String`. The origin name of the package, as passed in via the resource parameter. Always available, even if the resource was not found. See also [name](#name) and [version](#version). + +```ruby +describe habitat_package(origin: 'core', name: 'httpd') do + its('origin') { should cmp 'core' } +end +``` + +### pkg_id + +`String`. The full package identifier of the package, in the form `origin/name/version/release`. See also [name](#name) and [version](#version). + +```ruby +describe habitat_package(origin: 'core', name: 'httpd') do + its('pkg_id') { should cmp 'core/httpd/2.4.35/20190307151146' } +end +``` + +### release + +`String`. The release number of the package, as assigned by the packager. These values are always strings, but are 14-digit timestamps. See also [version](#version). + +```ruby +describe habitat_package(origin: 'core', name: 'httpd') do + its('release') { should be >= '20190307151146' } +end +``` + +### version + +`String`. The version of the package, as assigned by the maintainer of the package project. 
While many versions are of the 3-digit form, there is no set rule, and exceptions are common. See also [release](#release). + +```ruby +describe habitat_package(origin: 'core', name: 'httpd') do + its('version') { should be >= '2.2' } +end +``` + +## Matchers + +Use [matchers](https://docs.chef.io/inspec/glossary/#matcher) to create tests that test a true or false question. + +InSpec includes a number of [universal matchers](https://docs.chef.io/inspec/matchers/). See below for matchers specific to this resource. + +This resource does not provide any resource-specific matchers. diff --git a/_vendor/github.com/inspec/inspec-habitat/docs-chef-io/content/habitat_packages.md b/_vendor/github.com/inspec/inspec-habitat/docs-chef-io/content/habitat_packages.md new file mode 100644 index 0000000..900d81b --- /dev/null +++ b/_vendor/github.com/inspec/inspec-habitat/docs-chef-io/content/habitat_packages.md 
@@ -0,0 +1,200 @@ ++++ +title = "habitat_packages resource" +draft = false + + +[menu.habitat] + title = "habitat_packages" + identifier = "inspec/resources/habitat/habitat_packages.md habitat_packages resource" + parent = "inspec/resources/habitat" ++++ + +Use the `habitat_package` (singular) InSpec audit resource to perform in-depth auditing of a single package. + +Use the `habitat_packages` (plural) InSpec audit resource to list Habitat packages, and perform bulk operations. + +## Availability + +### Status: EXPERIMENTAL + +This resource, like all of the inspec-habitat resource pack, is in the early stages of research and development. Functionality may be defective, incomplete, or be withdrawn in the future. If you are interested in helping this project mature, please join the conversation or contribute code at the [inspec-habitat project](https://github.com/inspec/inspec-habitat). + +### Connect to Habitat + +To configure `inspec` to be able to communicate with Chef Habitat, be sure [to follow the instructions](https://github.com/inspec/inspec-habitat#configuring-inspec-to-reach-habitat) regarding configuring the connection options. This will prevent 'unsupported platform' errors. + +### Installation + +This resource is in the `inspec-habitat` resource pack. You can use this resource by setting an InSpec profile dependency on the resource pack. See [inspec-habitat instructions](https://github.com/inspec/inspec-habitat#installation). + +### Version + +This resource was first available in version 0.1.0 of the resource pack. 
+ +## Examples + +### Ensure httpd and memcached are installed + +```ruby +describe habitat_packages do + its('names') { should include 'httpd' } + its('names') { should include 'memcached' } +end +``` + +### Ensure all packages were updated since January 1, 2018 + +```ruby +describe habitat_packages.where { release <= '20180101000000' } do + it { should_not exist } +end +``` + +### Search for packages, then examine them in detail using `habitat_package` + +```ruby +# Use the plural resource as a data lookup (not as a test)... +habitat_packages.where { origin != 'core' }.habitat_package_params.each do |params| + # ... then use the singular resource to do in-depth testing + describe habitat_package(params) do + # ... + end +end +``` + +## Limitations + +### API versus CLI access + +Habitat exposes certain data via the CLI, and other data via the HTTP Gateway API. This resource is not available via the API; you must provide CLI credentials to use the resource. See the [train-habitat](https://github.com/inspec/train-habitat) documentation for more details. + +If you use this resource without the CLI, this resource will always return zero matches. + +## Resource parameters + +[Resource parameters](https://docs.chef.io/inspec/glossary/#resource-parameter) are arguments passed to the resource in the control code. + +This resource does not accept resource parameters, which is typical for plural resources. + +## Filter criteria + +[Filter criteria](https://docs.chef.io/inspec/glossary/#filter-criteria) are used to select which packages you wish to examine. If no filter criteria are used, all packages are selected. + +### name + +String. The (unqualified) name of the package under consideration. + +```ruby +# No packages named *ftp* permitted +describe habitat_packages.where(name: /ftp/) do + it { should_not exist } +end +``` + +### origin + +String. The name of the origin that created the package under consideration. 
+ +```ruby +# Examine only packages released by Chef +describe habitat_packages.where(origin: 'bad-origin') do + it { should_not exist } +end +``` + +### release + +String. A 14-digit timestamp, in the format `YYYYMMDDHHMmmSS`. The timestamp reflects the time at which the package backing the package was released. These strings are sortable and comparable. + +```ruby +# Examine packages older than Jan 1 2018 +describe habitat_packages.where { release < '20180101000000' } do + it { should_not exist } +end + +# Examine packages older than 1 year +describe habitat_packages.where { Date.parse(release[0..7]) < Date.today - 365 } do + it { should_not exist } +end + +# Another way +describe habitat_packages.where { release < (Date.today - 365).strftime('%Y%m%d000000') } do + it { should_not exist } +end + +``` + +## Properties + +Use [properties](https://docs.chef.io/inspec/glossary/#property) to create tests that compare an expected value to the actual value. + +### count + +Number. The count of packages that matched the filter criteria. + +```ruby +# Expect 12 total +describe habitat_packages do + its(count) { should cmp 12 } +end +``` + +### habitat_package_params + +`Array` of `Hash`es. Returns a list of a set of options that can be passed directly to `habitat_package` (singular) to load an individual package for in-depth analysis. + +```ruby +# Use the plural resource as a data lookup (not as a test)... +habitat_packages.where { origin != 'core' }.habitat_package_params.each do |params| + # ... then use the singular resource to do in-depth testing + describe habitat_package(params) do + its('release') { should_not be < '201904090000' } + end +end +``` + +### names + +Array of strings. The unqualified name of the package, such as 'httpd'. This list is de-duplicated, though a name is almost always unique anyway. 
+ +```ruby +describe habitat_packages do + its('names') { should include 'httpd' } + its('names') { should include 'memcached' } + its('names') { should_not include 'telnetd' } +end +``` + +### origins + +Array of strings. The names of the origins that created the matched packages. +This list is de-duplicated. + +```ruby +# Only allow core and mycorp-packaged packages +describe habitat_packages do + its('origins') { should include 'core' } + its('origins') { should include 'mycorp' } + # Advanced usage - count an array-valued property + its('origins', 'count') { should cmp 2 } +end +``` + +### releases + +Array of strings. Each string is a 14-digit timestamp, in the format `YYYYMMDDHHMmmSS`. The timestamp reflects the time at which the package backing the package was released. These strings are sortable and comparable. This list is de-duplicated. + +```ruby +# We had a bad Monday +describe habitat_packages do + its('releases') { should_not include '20180325000000' } +end +``` + +## Matchers + +Use [matchers](https://docs.chef.io/inspec/glossary/#matcher) to create tests that test a true or false question. + +InSpec includes a number of [universal matchers](https://docs.chef.io/inspec/matchers/). + +This resource does not define any resource-specific matchers. diff --git a/_vendor/github.com/inspec/inspec-habitat/docs-chef-io/content/habitat_service.md b/_vendor/github.com/inspec/inspec-habitat/docs-chef-io/content/habitat_service.md new file mode 100644 index 0000000..cc08851 --- /dev/null +++ b/_vendor/github.com/inspec/inspec-habitat/docs-chef-io/content/habitat_service.md 
@@ -0,0 +1,235 @@ ++++ +title = "habitat_service resource" +draft = false + + +[menu.habitat] + title = "habitat_service" + identifier = "inspec/resources/habitat/habitat_service.md habitat_service resource" + parent = "inspec/resources/habitat" ++++ + +Use the `habitat_service` InSpec audit resource to test properties of a single Habitat service. + +## Availability + +### Status: EXPERIMENTAL + +This resource, like all of the inspec-habitat resource pack, is in the early stages of research and development. Functionality may be defective, incomplete, or be withdrawn in the future. If you are interested in helping this project mature, please join the conversation or contribute code at the [inspec-habitat project](https://github.com/inspec/inspec-habitat). + +### Connect to Habitat + +To configure `inspec` to be able to communicate with Chef Habitat, be sure [to follow the instructions](https://github.com/inspec/inspec-habitat#configuring-inspec-to-reach-habitat) regarding configuring the connection options. This will prevent 'unsupported platform' errors. + +### Installation + +This resource is in the `inspec-habitat` resource pack. You can use the resource by setting an InSpec profile dependency on the resource pack. See [inspec-habitat instructions](https://github.com/inspec/inspec-habitat#installation) + +### Version + +This resource was first available in version 0.1.0 of the resource pack. + +## Examples + +### Check for core/httpd service + +```ruby +describe habitat_service(origin: 'core', name: 'httpd') do + it { should exist } + its('version') { should eq '2.4.35'} + its('topology') { should eq 'standalone' } + its('update_strategy') { should eq 'none' } +end +``` + +## Limitations + +### API versus CLI access + +Habitat exposes certain data via the CLI, and other data via the HTTP Gateway API. To enjoy the full functionality of this resource, use a set of credentials that includes the API. Limited data is available by CLI. 
See the [train-habitat](https://github.com/inspec/train-habitat) documentation for more details. + +If you use the CLI interface without the API, unavailable properties will behave as if the resource was not found (see below). + +### Behavior when not found + +If the service is not found, then this resource behaves as follows: + +- `it { should exist }` will be a failing test. Check this test if you are unsure if the resource will exist; it is guaranteed to be reliable in the future. +- `name` and `origin` will continue to return their values as set in the resource parameters. This allows output messaging to refer to the missing service clearly. +- All other single-value properties will return nil. +- All array and hash-valued properties will return empty objects. +- All matchers will return false. + +## Resource parameters + +Use [resource parameters](https://docs.chef.io/inspec/glossary/#resource-parameter) to identify the particular service you wish to test. + +### origin + +Required string. The name of the `origin` (distribution facility) of the package that provides the service. + +```ruby +# Most common origin is 'core', publicly distributed packages created by Chef +describe habitat_service(origin: 'core', name: 'httpd') do + it { should exist } +end + +# Your company might run a private origin +describe habitat_service(origin: 'mycorp', name: 'secret-sauce') do + it { should exist } +end +``` + +### name + +Required string. The name (unique within the namespace of the origin) of the package that provides the service. + +```ruby + +describe habitat_service(origin: 'core', name: 'httpd') do + it { should exist } +end + +``` + +## Properties + +Use [properties](https://docs.chef.io/inspec/glossary/#property) to create tests that compare an expected value to the actual value. + +### dependency_names + +Array of strings. A list of the packages that this service depends on, in the form of `dep_origin/dep_name`. 
This property does not contain version information; see `dependency_ids` for that. + +Requires API connection; not available via CLI. + +```ruby +describe habitat_service(origin: 'core', name: 'httpd') do + its('dependency_names') { should include 'core/pcre' } + its('dependency_names') { should_not include 'core/nginx' } +end +``` + +### dependency_ids + +Array of strings. A list of the packages that this service depends on, in the form of `dep_origin/dep_name/1.2.3/20190325123456`. This value may be difficult to compare, because the version identifier (`1.2.3`, the third component) may be formatted in any way the maintainer of the project chooses; they need not be of the form `1.2.3`. + +Requires API connection; not available via CLI. + +```ruby +describe habitat_service(origin: 'core', name: 'httpd') do + # Suppose this version was unwanted, for example + its('dependency_names') { should_not include 'core/pcre/8.42/20190115012526' } +end +``` + +### name + +The name of the service, as passed in via the resource parameter. Always available, even if the resource was not found. See also [origin](#origin) and [version](#version). + +```ruby +describe habitat_service(origin: 'core', name: 'httpd') do + its('name') { should cmp 'httpd' } +end +``` + +### origin + +The origin name of the service, as passed in via the resource parameter. Always available, even if the resource was not found. See also [name](#name) and [version](#version). + +```ruby +describe habitat_service(origin: 'core', name: 'httpd') do + its('origin') { should cmp 'core' } +end +``` + +### pkg_id + +String. The full package identifier of the package that supports the service, in the form `origin/name/version/release`. See also [name](#name) and [version](#version). + +```ruby +describe habitat_service(origin: 'core', name: 'httpd') do + its('pkg_id') { should cmp 'core/httpd/2.4.35/20190307151146' } +end +``` + +### release + +String. 
The release number of the package that supports the service, as assigned by the packager. These values are always strings, but are 14-digit timestamps. See also [version](#version). + +```ruby +describe habitat_service(origin: 'core', name: 'httpd') do + its('release') { should be >= '20190307151146' } +end +``` + +### version + +The version of the package that supports the service, as assigned by the maintainer of the package project. While many versions are of the 3-digit form, there is no set rule, and exceptions are common. See also [release](#release). + +```ruby +describe habitat_service(origin: 'core', name: 'httpd') do + its('version') { should be >= '2.2' } +end +``` + +## Matchers + +Use [matchers](https://docs.chef.io/inspec/glossary/#matcher) to create tests that test a true or false question. + +InSpec includes a number of [universal matchers](https://docs.chef.io/inspec/matchers/). See below for matchers specific to this resource. + +### have_standalone_topology + +This matcher returns `true` if the service is configured in a [`standalone`](https://www.habitat.sh/docs/using-habitat/#standalone) topology. + +```ruby +describe habitat_service(origin: 'core', name: 'httpd') do + it { should have_standalone_topology } +end +``` + +### have_leader_follower_topology + +This matcher returns `true` if the service is configured in a [`leader-follower`](https://www.habitat.sh/docs/using-habitat/#leader-follower-topology) topology. + +```ruby +describe habitat_service(origin: 'core', name: 'httpd') do + it { should have_leader_follower_topology } +end +``` + +### be_updated_by_none + +This matcher returns `true` if the update strategy for the service is [`none`](https://www.habitat.sh/docs/using-habitat/#none-strategy). + +Requires API connection; not available via CLI. 
+ +```ruby +describe habitat_service(origin: 'core', name: 'postgresql') do + it { should be_updated_by_none } +end +``` + +### be_updated_by_rolling + +This matcher returns `true` if the update strategy for the service is [`rolling`](https://www.habitat.sh/docs/using-habitat/#rolling-strategy). + +Requires API connection; not available via CLI. + +```ruby +describe habitat_service(origin: 'core', name: 'postgresql') do + it { should be_updated_by_rolling } +end +``` + +### be_updated_at_once + +This matcher returns `true` if the update strategy for the service is [`at once`](https://www.habitat.sh/docs/using-habitat/#at-once-strategy). + +Requires API connection; not available via CLI. + +```ruby +describe habitat_service(origin: 'core', name: 'nginx') do + it { should be_updated_at_once } +end +``` diff --git a/_vendor/github.com/inspec/inspec-habitat/docs-chef-io/content/habitat_services.md b/_vendor/github.com/inspec/inspec-habitat/docs-chef-io/content/habitat_services.md new file mode 100644 index 0000000..52927ff --- /dev/null +++ b/_vendor/github.com/inspec/inspec-habitat/docs-chef-io/content/habitat_services.md 
@@ -0,0 +1,291 @@
++++
+title = "habitat_services resource"
+draft = false
+
+
+[menu.habitat]
+ title = "habitat_services"
+ identifier = "inspec/resources/habitat/habitat_services.md habitat_services resource"
+ parent = "inspec/resources/habitat"
++++
+
+Use the `habitat_service` (singular) InSpec audit resource to perform in-depth auditing of a single service.
+
+Use the `habitat_services` (plural) InSpec audit resource to list Habitat services, and perform bulk operations.
+
+## Availability
+
+### Status: EXPERIMENTAL
+
+This resource, like all of the inspec-habitat resource pack, is in the early stages of research and development. Functionality may be defective, incomplete, or be withdrawn in the future. If you are interested in helping this project mature, please join the conversation or contribute code at the [inspec-habitat project](https://github.com/inspec/inspec-habitat).
+
+### Connect to Habitat
+
+To configure `inspec` to be able to communicate with Chef Habitat, be sure [to follow the instructions](https://github.com/inspec/inspec-habitat#configuring-inspec-to-reach-habitat) regarding configuring the connection options. This will prevent 'unsupported platform' errors.
+
+### Installation
+
+This resource is in the `inspec-habitat` resource pack. You can use the resource by setting an InSpec profile dependency on the resource pack. See [inspec-habitat instructions](https://github.com/inspec/inspec-habitat#installation).
+
+### Version
+
+This resource was first available in version 0.1.0 of the resource pack.
+
+## Examples
+
+### Ensure there are 2 services, with the expected names
+
+```ruby
+describe habitat_services do
+ its('count') { should cmp 2 }
+ its('names') { should include 'httpd' }
+ its('names') { should include 'memcached' }
+end
+```
+
+### Ensure all running services were updated since January 1, 2018
+
+```ruby
+describe habitat_services.where { release <= '20180101000000' } do
+ it { should_not exist }
+end
+```
+
+### Ensure gcc is not a dependency of any service
+
+```ruby
+# One way - list all services, insist none have a dependency on gcc
+describe habitat_services do
+ its('dependency_names') { should_not include 'core/gcc' }
+end
+
+# Another way - list all services with a dependency on gcc, insist there are none
+describe habitat_services.where { dependency_names.include?('core/gcc') } do
+ it { should_not exist }
+end
+```
+
+### Search for services, then examine them in detail using `habitat_service`
+
+```ruby
+# Use the plural resource as a data lookup (not as a test)...
+habitat_services.where { origin != 'core' }.habitat_service_params.each do |params|
+ # ... then use the singular resource to do in-depth testing
+ describe habitat_service(params) do
+ its('release') { should_not be_standalone }
+ end
+end
+```
+
+## Limitations
+
+### API versus CLI access
+
+Habitat exposes certain data via the CLI, and other data via the HTTP Gateway API. To enjoy the full functionality of this resource, use a set of credentials that includes the API. Limited data is available by CLI. See the [train-habitat](https://github.com/inspec/train-habitat) documentation for more details.
+
+If you use the CLI interface without the API, unavailable properties will return empty arrays or `nil`, and unavailable filter criteria will never match. See each property and filter criteria for details.
+
+## Resource parameters
+
+[Resource parameters](https://docs.chef.io/inspec/glossary/#resource-parameter) are arguments passed to the resource in the control code.
+
+This resource does not accept resource parameters, which is typical for plural resources.
+
+## Filter criteria
+
+[Filter criteria](https://docs.chef.io/inspec/glossary/#filter-criteria) are used to select which services you wish to examine. If no filter criteria are used, all services are selected.
+
+### dependency_names
+
+An array of strings in the form `origin/name`. Each string is the qualified name of a dependency of a service that is being filtered.
+
+Requires API connection; not available (never matches) via CLI.
+
+```ruby
+describe habitat_services.where { dependency_names.include?('core/gcc') } do
+ it { should_not exist }
+end
+```
+
+### name
+
+String. The (unqualified) name of the service under consideration.
+
+```ruby
+# No services named *ftp* permitted
+describe habitat_services.where(name: /ftp/) do
+ it { should_not exist }
+end
+```
+
+### origin
+
+String. The name of the origin that created the package that backs the service under consideration.
+
+```ruby
+# Examine only services released by Chef
+describe habitat_services.where(origin: 'chef') do
+ its('topologies') { should_not include 'standalone' }
+end
+```
+
+### release
+
+String. A 14-digit timestamp, in the format `YYYYMMDDHHMmmSS`. The timestamp reflects the time at which the package backing the service was released. These strings are sortable and comparable.
+
+```ruby
+# Examine packages older than Jan 1 2018
+describe habitat_services.where { release < '20180101000000' } do
+ its('update_strategies' ) { should_not include 'none' }
+end
+
+# Examine packages older than 1 year
+describe habitat_services.where { Date.parse(release[0..7]) < Date.today - 365 } do
+ its('update_strategies' ) { should_not include 'none' }
+end
+
+# Another way
+describe habitat_services.where { release < (Date.today - 365).strftime('%Y%m%d000000') } do
+ its('update_strategies' ) { should_not include 'none' }
+end
+
+```
+
+### topology
+
+String reflecting the topology of the service.
Values include `standalone` and `leader` (for leader-follower). See [the Habitat docs](https://www.habitat.sh/docs/using-habitat/#topologies) for implications of these values.
+
+```ruby
+# HA or the highway
+describe habitat_services.where(topology: 'standalone') do
+ it { should_not exist }
+end
+```
+
+### update_strategy
+
+String reflecting how the software package backing the service should be updated. Values include `none`, `rolling`, and `at-once`. See [the Habitat docs](https://www.habitat.sh/docs/using-habitat/#using-updates) for implications of these values.
+
+Requires API connection; not available (never matches) via CLI.
+
+```ruby
+# No YOLO
+describe habitat_services.where(update_strategy: 'at-once') do
+ it { should_not exist }
+end
+```
+
+## Properties
+
+Use [properties](https://docs.chef.io/inspec/glossary/#property) to create tests that compare an expected to value to the actual value.
+
+### count
+
+Number. The count of services that matched the filter criteria.
+
+```ruby
+# Expect 12 total
+describe habitat_services do
+ its(count) { should cmp 12 }
+end
+
+describe habitat_services.where(update_strategy: 'at-once') do
+ it { should_not exist }
+ its(count) { should cmp 0 } # Same as `should_not exist`
+end
+```
+
+### dependency_names
+
+Array of strings in the form `origin/name`. Each string is the qualified name of a dependency of a service that was selected by the filter criteria. This list is de-duplicated.
+
+Requires API connection; not available (always an empty array) via CLI.
+
+```ruby
+describe habitat_services do
+ its('dependency_names') { should_not include 'core/gcc' }
+end
+```
+
+### habitat_service_params
+
+Hash. Returns a set of options that can be passed directly to `habitat_service` (singular) to load an individual service for in-depth analysis.
+
+```ruby
+# Use the plural resource as a data lookup (not as a test)...
+habitat_services.where { origin != 'core' }.habitat_service_params.each do |params|
+ # ...
then use the singular resource to do in-depth testing
+ describe habitat_service(params) do
+ its('release') { should_not be_standalone }
+ end
+end
+```
+
+### names
+
+Array of strings. The unqualified name of the service, such as 'httpd'. This list is de-duplicated, though a name is almost always unique anyway.
+
+```ruby
+describe habitat_services do
+ its('names') { should include 'httpd' }
+ its('names') { should include 'memcached' }
+ its('names') { should_not include 'telnetd' }
+end
+```
+
+### origins
+
+Array of strings. The names of the origins that created the packages that backs the services that were matched.
+This list is de-duplicated.
+
+```ruby
+# Only allow core and mycorp-packaged services
+describe habitat_services do
+ its('origins') { should include 'core' }
+ its('origins') { should include 'mycorp' }
+ # Advanced usage - count an array-valued property
+ its('origins', 'count') { should cmp 2 }
+end
+```
+
+### releases
+
+Array of strings. Each string is a 14-digit timestamp, in the format `YYYYMMDDHHMmmSS`. The timestamp reflects the time at which the package backing the service was released. These strings are sortable and comparable. This list is de-duplicated.
+
+```ruby
+# We had a bad Monday
+describe habitat_services do
+ its('releases') { should_not include '20180325000000' }
+end
+```
+
+### topologies
+
+Array of strings reflecting the topology of the matched services. Values include `standalone` and `leader` (for leader-follower). See [the Habitat docs](https://www.habitat.sh/docs/using-habitat/#topologies) for implications of these values. This list is de-duplicated.
+
+```ruby
+describe habitat_services do
+ its('topologies') { should_not include 'standalone' }
+end
+```
+
+### update_strategies
+
+Array of strings reflecting how the software package backing the services that matched the filter should be updated. Values include `none`, `rolling`, and `at-once`.
See [the Habitat docs](https://www.habitat.sh/docs/using-habitat/#using-updates) for implications of these values. This list is de-duplicated.
+
+Requires API connection; not available (never matches) via CLI.
+
+```ruby
+# No YOLO
+describe habitat_services do
+ its('update_strategies') { should_not include 'at-once' }
+end
+```
+
+## Matchers
+
+Use [matchers](https://docs.chef.io/inspec/glossary/#matcher) to create tests that test a true or false question.
+
+InSpec includes a number of [universal matchers](https://docs.chef.io/inspec/matchers/).
+
+This resource does not define any resource-specific matchers.
diff --git a/_vendor/github.com/inspec/inspec-habitat/docs-chef-io/hugo.toml b/_vendor/github.com/inspec/inspec-habitat/docs-chef-io/hugo.toml
new file mode 100644
index 0000000..2ddac04
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-habitat/docs-chef-io/hugo.toml
@@ -0,0 +1,4 @@
+# [params.inspec-habitat]
+# gh_path = "https://github.com/inspec/inspec-habitat/tree/main/docs-chef-io/content/"
+
+# This feature isn't working with this deployment pattern. I'll fix it later.
diff --git a/_vendor/github.com/inspec/inspec-k8s/docs-chef-io/content/_index.md b/_vendor/github.com/inspec/inspec-k8s/docs-chef-io/content/_index.md
new file mode 100644
index 0000000..efea76f
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-k8s/docs-chef-io/content/_index.md
@@ -0,0 +1,59 @@
++++
+title = "About the Chef InSpec Kubernetes resource pack"
+draft = false
+linkTitle = "Kubernetes resource pack"
+summary = "Chef InSpec resources for auditing Kubernetes."
+
+[cascade]
+ [cascade.params]
+ platform = "k8s"
+
+[menu.k8s]
+ title = "About Kubernetes resources"
+ identifier = "inspec/resources/k8s/about"
+ parent = "inspec/resources/k8s"
+ weight = 10
++++
+
+Chef InSpec Kubernetes resources allow you to audit and validate the configuration, security, and compliance of your Kubernetes clusters.
+
+## Requirements
+
+- Inspec 3.7 or greater
+- InSpec K8s train/backend plugin [train-kubernetes](https://github.com/inspec/train-kubernetes)
+
+## Usage
+
+To create and run a profile against a Kubernetes cluster, follow these steps:
+
+1. Ensure your `KUBECONFIG` environment variable or `~/.kube/config` file has a valid configuration and credentials for the target cluster.
+
+1. Define the platform and this resource pack as a dependency in your profile's `inspec.yml` file:
+
+ ```yml
+ supports:
+ platform: k8s
+ depends:
+ - name: inspec-k8s
+ url: https://github.com/inspec/inspec-k8s/archive/main.tar.gz
+ ```
+
+1. Define controls using the resources listed below.
+
+1. Execute the profile against your cluster:
+
+ ```sh
+ inspec exec profile -t k8s://
+ ```
+
+## Example
+
+For an example profile, see the [inspec-k8s-sample example repository](https://github.com/inspec/inspec-k8s-sample).
+
+## Kubernetes resources
+
+{{< inspec_resources_filter >}}
+
+The following Chef InSpec Kubernetes resources are available in this resource pack.
+
+{{< inspec_resources section="k8s" platform="k8s" >}}
diff --git a/_vendor/github.com/inspec/inspec-k8s/docs-chef-io/content/k8s_api_resources.md b/_vendor/github.com/inspec/inspec-k8s/docs-chef-io/content/k8s_api_resources.md
new file mode 100644
index 0000000..b8707c5
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-k8s/docs-chef-io/content/k8s_api_resources.md
@@ -0,0 +1,89 @@
++++
+title = "k8s_api_resources resource"
+draft = false
+
+[menu.k8s]
+title = "k8s_api_resources"
+identifier = "inspec/resources/k8s/K8s API Resources"
+parent = "inspec/resources/k8s"
++++
+
+Use the `k8s_api_resources` Chef InSpec audit resource to test the configurations of all resources under the specified API.
+
+## Syntax
+
+```ruby
+describe k8s_api_resources(api: 'apps/v1') do
+ it { should exist }
+ its('name') { should include 'daemonsets' }
+ its('singularName') { should include '' }
+ its('namespaced') { should include true }
+ its('group') { should include 'autoscaling' }
+ its('version') { should include 'v1' }
+ its('kind') { should include 'DaemonSet' }
+ its('shortNames') { should include 'ds' }
+ its('categories') { should include 'all' }
+end
+```
+
+## Parameter
+
+`api`
+: API available for Kubernetes (default is **v1**).
+
+## Properties
+
+`name`
+: Name of the resource available under the specified API.
+
+`singularName`
+: Singular name of the resource available under the specified API.
+
+`namespaced`
+: returns a boolean value if the resources under the api is namespaced.
+
+`group`
+: group of the resources under the specified API.
+
+`version`
+: version of the specified API.
+
+`shortNames`
+: Short names for resources under the specified API.
+
+`categories`
+: Categories for resources under the specified API.
+
+`kind`
+: Type of resources under the specified API.
+
+## Examples
+
+Resources under default API must exist:
+
+```ruby
+describe k8s_api_resources do
+ it { should exist }
+ its('kind') { should include 'ConfigMap' }
+end
+```
+
+Resources under specified API must exist and test its properties:
+
+```ruby
+describe k8s_api_resources(api: 'apps/v1') do
+ it { should exist }
+ its('name') { should include 'daemonsets' }
+ its('singularName') { should include '' }
+ its('namespaced') { should include true }
+ its('group') { should include 'autoscaling' }
+ its('version') { should include 'v1' }
+ its('kind') { should include 'DaemonSet' }
+ its('shortNames') { should include 'ds' }
+ its('categories') { should include 'all' }
+end
+```
+
+## Matchers
+
+{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}}
diff --git a/_vendor/github.com/inspec/inspec-k8s/docs-chef-io/content/k8s_config_map.md b/_vendor/github.com/inspec/inspec-k8s/docs-chef-io/content/k8s_config_map.md
new file mode 100644
index 0000000..77cd60f
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-k8s/docs-chef-io/content/k8s_config_map.md
@@ -0,0 +1,66 @@
++++
+title = "k8s_config_map resource"
+draft = false
+
+[menu.k8s]
+title = "k8s_config_map"
+identifier = "inspec/resources/k8s/K8s Config Map"
+parent = "inspec/resources/k8s"
++++
+
+Use the `k8s_config_map` Chef InSpec audit resource to test the configuration of a specific Configuration Maps in a namespace.
+
+## Syntax
+
+```ruby
+describe k8s_config_maps(namespace: "NAMESPACE", name: "NAME") do
+ #...
+end
+```
+
+## Parameters
+
+`namespace`
+: Namespace of the resource.
+
+## Properties
+
+`uid`
+: UID of the resource.
+
+`name`
+: Name of the resource.
+
+`namespace`
+: Namespace of the resource.
+
+`resource_version`
+: Resource version of the resource.
+
+`kind`
+: Resource type.
+
+`metadata`
+: Metadata for the resource.
+
+## Examples
+
+Configuration map for default namespace must exist:
+
+```ruby
+ describe k8s_config_map(name: 'NAME') do
+ it { should exist }
+end
+```
+
+Configuration map for specified namespace must exist:
+
+```ruby
+describe k8s_config_map(namespace: 'NAMESPACE', name: 'NAME') do
+ it { should exist }
+end
+```
+
+## Matchers
+
+{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}}
diff --git a/_vendor/github.com/inspec/inspec-k8s/docs-chef-io/content/k8s_config_maps.md b/_vendor/github.com/inspec/inspec-k8s/docs-chef-io/content/k8s_config_maps.md
new file mode 100644
index 0000000..8346379
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-k8s/docs-chef-io/content/k8s_config_maps.md
@@ -0,0 +1,66 @@
++++
+title = "k8s_config_maps resource"
+draft = false
+
+[menu.k8s]
+title = "k8s_config_maps"
+identifier = "inspec/resources/k8s/K8s Config Maps"
+parent = "inspec/resources/k8s"
++++
+
+Use the `k8s_config_maps` Chef InSpec audit resource to test all the Configuration Maps in a namespace.
+
+## Syntax
+
+```ruby
+describe k8s_config_maps do
+ #...
+end
+```
+
+## Parameters
+
+`namespace`
+: Namespace of the resource.
+
+## Properties
+
+`uid`
+: UID of the resource.
+
+`name`
+: Name of the resource.
+
+`namespace`
+: Namespace of the resource.
+
+`resource_version`
+: Resource version of the resource.
+
+`kind`
+: Resource type.
+
+`metadata`
+: Metadata for the resource.
+
+## Examples
+
+Configuration maps for default namespace must exist:
+
+```ruby
+ describe k8s_config_maps do
+ it { should exist }
+end
+```
+
+Configuration maps must exists for specified namespace:
+
+```ruby
+describe k8s_config_maps(namespace: 'kube-system') do
+ it { should exist }
+end
+```
+
+## Matchers
+
+{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}}
diff --git a/_vendor/github.com/inspec/inspec-k8s/docs-chef-io/content/k8s_container.md b/_vendor/github.com/inspec/inspec-k8s/docs-chef-io/content/k8s_container.md
new file mode 100644
index 0000000..c54609d
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-k8s/docs-chef-io/content/k8s_container.md
@@ -0,0 +1,92 @@
++++
+title = "k8s_container resource"
+draft = false
+
+[menu.k8s]
+title = "k8s_container"
+identifier = "inspec/resources/k8s/K8s Container"
+parent = "inspec/resources/k8s"
++++
+
+Use the `k8s_container` Chef InSpec audit resource to test the configuration of a specific Container in the specified namespace.
+
+## Syntax
+
+```ruby
+describe k8s_container(namespace: "NAMESPACE", pod_name: 'POD_NAME', name: "NAME") do
+ #...
+end
+```
+
+## Parameter
+
+`namespace`
+: Namespace of the resource.
+
+`pod_name`
+: Pod Name of the resource
+
+`container_name`
+: Container Name of the resource
+
+## Properties
+
+`name`
+: Name of the Container.
+
+`image`
+: Container image name.
+
+`command`
+: Entrypoint array.
+
+`arg`
+: Arguments to the entrypoint.
+
+`resource`
+: Compute Resources required by this container.
+
+`volumeMount`
+: Pod volumes to mount into the container's filesystem
+
+`livenessProbe`
+: Periodic probe of container liveness
+
+`readinessProbe`
+: Periodic probe of container service readiness
+
+`imagePullPolicy`
+: Image pull policy, One of Always, Never, IfNotPresent
+
+`securityContext`
+: Security options the pod should run with
+
+## Examples
+
+Container for default namespace must exist:
+
+```ruby
+ describe k8s_container(pod_name: 'POD_NAME', name: 'NAME') do
+ it { should exist }
+end
+```
+
+Container for a specified namespace must exist:
+
+```ruby
+describe k8s_container(namespace: 'NAMESPACE', name: 'NAME', pod_name: 'POD_NAME') do
+ it { should exist }
+end
+```
+
+Check for presence of specific commands in Entrypoint array:
+
+```ruby
+ describe k8s_container(pod_name: 'POD_NAME', name: 'NAME') do
+ it { should_have_command?('COMMAND') }
+end
+```
+
+## Matchers
+
+{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}}
diff --git a/_vendor/github.com/inspec/inspec-k8s/docs-chef-io/content/k8s_containers.md b/_vendor/github.com/inspec/inspec-k8s/docs-chef-io/content/k8s_containers.md
new file mode 100644
index 0000000..87b812b
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-k8s/docs-chef-io/content/k8s_containers.md
@@ -0,0 +1,87 @@
++++
+title = "k8s_containers resource"
+draft = false
+
+[menu.k8s]
+title = "k8s_containers"
+identifier = "inspec/resources/k8s/K8s Containers"
+parent = "inspec/resources/k8s"
++++
+
+Use the `k8s_containers` Chef InSpec audit resource to test the configurations of all Containers in a namespace.
+
+## Syntax
+
+```ruby
+describe k8s_containers do
+ #...
+end
+```
+
+## Parameter
+
+`namespace`
+: Namespace of the resource.
+
+## Properties
+
+`names`
+: Name of the Container.
+
+`images`
+: Container image name.
+
+`commands`
+: Entrypoint array.
+
+`args`
+: Arguments to the entrypoint.
+
+`resources`
+: Compute Resources required by this container.
+
+`volumeMounts`
+: Pod volumes to mount into the container's filesystem
+
+`livenessProbes`
+: Periodic probe of container liveness
+
+`readinessProbes`
+: Periodic probe of container service readiness
+
+`imagePullPolicies`
+: Image pull policy, One of Always, Never, IfNotPresent
+
+`securityContexts`
+: Security options the pod should run with
+
+## Examples
+
+Containers for default namespace must exist:
+
+```ruby
+ describe k8s_containers do
+ it { should exist }
+end
+```
+
+Containers for specified namespace must exist:
+
+```ruby
+describe k8s_containers(namespace: 'kube-system') do
+ it { should exist }
+end
+```
+
+Containers with readOnlyRootFilesystem exists:
+
+```ruby
+describe k8s_containers(namespace: 'kube-system').where{ securityContext && securityContext[:readOnlyRootFilesystem] == true } do
+ it { should exist }
+end
+
+```
+
+## Matchers
+
+{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}}
diff --git a/_vendor/github.com/inspec/inspec-k8s/docs-chef-io/content/k8s_cronjob.md b/_vendor/github.com/inspec/inspec-k8s/docs-chef-io/content/k8s_cronjob.md
new file mode 100644
index 0000000..a2fd60d
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-k8s/docs-chef-io/content/k8s_cronjob.md
@@ -0,0 +1,87 @@
++++
+title = "k8s_cronjob resource"
+draft = false
+
+[menu.k8s]
+title = "k8s_cronjob"
+identifier = "inspec/resources/k8s/K8s Cronjob"
+parent = "inspec/resources/k8s"
++++
+
+Use the `k8s_cronjob` Chef InSpec audit resource to test the configuration of a specific CronJob in the specified namespace.
+
+## Syntax
+
+```ruby
+describe k8s_cronjob(name: 'hello') do
+ it { should exist }
+end
+```
+
+## Parameter
+
+`name`
+: Name of the CronJob.
+
+`namespace`
+: Namespace of the resource (default: **default**).
+
+## Properties
+
+`uid`
+: UID of the CronJob.
+
+`name`
+: Name of the CronJob.
+
+`namespace`
+: Namespace of the CronJob.
+
+`resource_version`
+: Resource version of the Cronjob. This is an alias of `resourceVersion`.
+
+`labels`
+: Labels associated with the CronJob.
+
+`annotations`
+: Annotations associated with the CronJob.
+
+`kind`
+: Resource type of the CronJob.
+
+`creation_timestamp`
+: Creation time of the CronJob. This is an alias of `creationTimestamp`.
+
+`metadata`
+: Metadata for the CronJob.
+
+## Examples
+
+Cronjob for default namespace must exist and test its properties:
+
+```ruby
+describe k8s_cronjob(name: 'HELLO') do
+ it { should exist }
+ its('uid') { should eq '378c1a39-cddc-4df6-bf5a-593779eb26fc' }
+ its('resource_version') { should eq '70517' }
+ its('labels') { should be_empty }
+ its('annotations') { should_not be_empty }
+ its('name') { should eq 'HELLO' }
+ its('namespace') { should eq 'default' }
+ its('kind') { should eq 'CronJob' }
+ its('creationTimestamp') { should eq '2022-07-27T12:54:44Z' }
+ its('metadata') { should_not be_nil }
+end
+```
+
+Cronjob for a specified namespace must exist:
+
+```ruby
+describe k8s_cronjob(name: 'HELLO-WORLD', namespace: 'Namespace') do
+ it { should exist }
+end
+```
+
+## Matchers
+
+{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}}
diff --git a/_vendor/github.com/inspec/inspec-k8s/docs-chef-io/content/k8s_cronjobs.md b/_vendor/github.com/inspec/inspec-k8s/docs-chef-io/content/k8s_cronjobs.md
new file mode 100644
index 0000000..a749712
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-k8s/docs-chef-io/content/k8s_cronjobs.md
@@ -0,0 +1,77 @@
++++
+title = "k8s_cronjobs resource"
+draft = false
+
+[menu.k8s]
+title = "k8s_cronjobs"
+identifier = "inspec/resources/k8s/K8s Cronjobs"
+parent = "inspec/resources/k8s"
++++
+
+Use the `k8s_cronjobs` Chef InSpec audit resource to test the configurations of all CronJobs in a namespace.
+
+## Syntax
+
+```ruby
+describe k8s_cronjobs do
+ it { should exist }
+end
+```
+
+## Parameter
+
+`namespace`
+: Namespace of the resource (default: **default**).
+
+## Properties
+
+`uids`
+: UID of the CronJobs.
+
+`names`
+: Name of the CronJobs.
+
+`namespaces`
+: Namespace of the CronJobs.
+
+`resource_versions`
+: Resource version of the CronJobs.
+
+`labels`
+: Labels associated with the CronJobs.
+
+`annotations`
+: Annotations associated with the CronJobs.
+
+`kinds`
+: Resource type of the CronJobs.
+
+## Examples
+
+Cronjobs for default namespace must exist and test its properties:
+
+```ruby
+describe k8s_cronjobs do
+ it { should exist }
+ its('names') { should include 'HELLO' }
+ its('uids') { should include '378c1a39-cddc-4df6-bf5a-593779eb26fc' }
+ its('namespaces') { should include 'default' }
+ its('resource_versions') { should include '70517' }
+ its('kinds') { should include 'CronJob' }
+ its('labels') { should be_empty }
+ its('annotations') { should_not be_empty }
+end
+```
+
+Cronjobs for specified namespace must exist:
+
+```ruby
+describe k8s_cronjobs(namespace: 'Namespace') do
+ it { should exist }
+ its('names') { should include 'HELLO-WORLD' }
+end
+```
+
+## Matchers
+
+{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}}
diff --git a/_vendor/github.com/inspec/inspec-k8s/docs-chef-io/content/k8s_daemon_set.md b/_vendor/github.com/inspec/inspec-k8s/docs-chef-io/content/k8s_daemon_set.md
new file mode 100644
index 0000000..94395c5
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-k8s/docs-chef-io/content/k8s_daemon_set.md
@@ -0,0 +1,86 @@
++++
+title = "k8s_daemon_set resource"
+draft = false
+
+[menu.k8s]
+title = "k8s_daemon_set"
+identifier = "inspec/resources/k8s/K8s DaemonSet"
+parent = "inspec/resources/k8s"
++++
+
+Use the `k8s_daemon_set` Chef InSpec audit resource to test the configuration of a specific DaemonSet in the specified namespace.
+
+## Syntax
+
+```ruby
+describe k8s_daemon_set(namespace: 'kube-system', name: 'fluentd-elasticsearch') do
+ it { should exist }
+end
+```
+
+## Parameter
+
+`name`
+: Name of the DaemonSet.
+
+`namespace`
+: Namespace of the resource (default: **default**).
+
+## Properties
+
+`uid`
+: UID of the DaemonSet.
+
+`name`
+: Name of the DaemonSet.
+
+`namespace`
+: Namespace of the DaemonSet.
+
+`resource_version`
+: Resource version of the DaemonSet. This is an alias of `resourceVersion`.
+
+`labels`
+: Labels associated with the DaemonSet.
+
+`annotations`
+: Annotations associated with the DaemonSet.
+
+`kind`
+: Resource type of the DaemonSet.
+
+`creation_timestamp`
+: Creation time of the DaemonSet. This is an alias of `creationTimestamp`.
+
+`metadata`
+: Metadata for the DaemonSet.
+
+## Examples
+
+DaemonSet for default namespace must exist and test its properties:
+
+```ruby
+describe k8s_daemon_set(name: 'fluentd-elasticsearch') do
+ it { should exist }
+ its('uid') { should eq '406b569d-d4f9-4537-b047-cf35b00e88b4' }
+ its('resource_version') { should eq '101377' }
+ its('labels') { should eq 'k8s-app':'fluentd-logging' }
+ its('annotations') { should_not be_empty }
+ its('name') { should eq 'fluentd-elasticsearch' }
+ its('namespace') { should eq 'default' }
+ its('kind') { should eq 'DaemonSet' }
+ its('creation_timestamp') { should eq '2022-07-31T16:41:21Z' }
+end
+```
+
+DaemonSet for a specified namespace must exist:
+
+```ruby
+describe k8s_daemon_set(namespace: 'kube-system', name: 'fluentd-elasticsearch') do
+ it { should exist }
+end
+```
+
+## Matchers
+
+{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}}
diff --git a/_vendor/github.com/inspec/inspec-k8s/docs-chef-io/content/k8s_daemon_sets.md b/_vendor/github.com/inspec/inspec-k8s/docs-chef-io/content/k8s_daemon_sets.md
new file mode 100644
index 0000000..eb88267
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-k8s/docs-chef-io/content/k8s_daemon_sets.md
@@ -0,0 +1,77 @@
++++
+title = "k8s_daemon_sets resource"
+draft = false
+
+[menu.k8s]
+title = "k8s_daemon_sets"
+identifier = "inspec/resources/k8s/K8s DaemonSets"
+parent = "inspec/resources/k8s"
++++
+
+Use the `k8s_daemon_sets` Chef InSpec audit resource to test the configurations of all DaemonSets in a namespace.
+
+## Syntax
+
+```ruby
+describe k8s_daemon_sets(namespace: 'kube-system') do
+ it { should exist }
+end
+```
+
+## Parameter
+
+`namespace`
+: Namespace of the resource (default: **default**).
+
+## Properties
+
+`uids`
+: UID of the DaemonSets.
+
+`names`
+: Name of the DaemonSets.
+
+`namespaces`
+: Namespace of the DaemonSets.
+
+`resource_versions`
+: Resource version of the DaemonSets.
+
+`labels`
+: Labels associated with the DaemonSets.
+
+`annotations`
+: Annotations associated with the DaemonSets.
+
+`kinds`
+: Resource type of the DaemonSets.
+
+## Examples
+
+DaemonSets for default namespace must exist:
+
+```ruby
+describe k8s_daemon_sets do
+ it { should exist }
+ its('names') { should include 'fluentd-elasticsearch' }
+end
+```
+
+DaemonSets for specified namespace must exist and test its properties:
+
+```ruby
+describe k8s_daemon_sets(namespace: 'kube-system') do
+ it { should exist }
+ its('names') { should include 'fluentd-elasticsearch' }
+ its('resource_versions') { should include '101377' }
+ its('labels') { should include 'k8s-app':'fluentd-logging' }
+ its('annotations') { should_not be_empty }
+ its('uids') { should include '406b569d-d4f9-4537-b047-cf35b00e88b4' }
+ its('namespaces') { should include 'kube-system' }
+ its('kinds') { should include 'DaemonSet' }
+end
+```
+
+## Matchers
+
+{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}}
diff --git a/_vendor/github.com/inspec/inspec-k8s/docs-chef-io/content/k8s_deployment.md b/_vendor/github.com/inspec/inspec-k8s/docs-chef-io/content/k8s_deployment.md
new file mode 100644
index 0000000..60e6c8e
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-k8s/docs-chef-io/content/k8s_deployment.md 
@@ -0,0 +1,87 @@
++++
+title = "k8s_deployment resource"
+draft = false
+
+[menu.k8s]
+title = "k8s_deployment"
+identifier = "inspec/resources/k8s/K8s Deployment"
+parent = "inspec/resources/k8s"
++++
+
+Use the `k8s_deployment` Chef InSpec audit resource to test the configuration of a specific Deployment in the specified namespace.
+
+## Syntax
+
+```ruby
+describe k8s_deployment(name: 'coredns', namespace: 'kube-system') do
+ it { should exist }
+end
+```
+
+## Parameter
+
+`name`
+: Name of the Deployment.
+
+`namespace`
+: Namespace of the resource (default: **default**).
+
+## Properties
+
+`uid`
+: UID of the Deployment.
+
+`name`
+: Deployment name.
+
+`namespace`
+: Namespace of the Deployment.
+
+`resource_version`
+: Resource version of the Deployment. This is an alias of `resourceVersion`.
+
+`labels`
+: Labels associated with the Deployment.
+
+`annotations`
+: Annotations associated with the Deployment.
+
+`kind`
+: Resource type of the Deployment.
+
+`creation_timestamp`
+: Creation time of the Deployment. This is an alias of `creationTimestamp`.
+
+`metadata`
+: Metadata for the Deployment.
+
+## Examples
+
+Deployment for default namespace must exist and test its properties:
+
+```ruby
+describe k8s_deployment(name: 'NEW-DEPLOYMENT') do
+ it { should exist }
+ its('uid') { should eq 'e948355b-adc2-4db8-af16-34f5aa38d6ec' }
+ its('resource_version') { should eq '8107' }
+ its('labels') { should eq :app=>'NEW-DEPLOYMENT' }
+ its('annotations') { should_not be_empty }
+ its('name') { should eq 'NEW-DEPLOYMENT' }
+ its('namespace') { should eq 'default' }
+ its('kind') { should eq 'DEPLOYMENT' }
+ its('creation_timestamp') { should eq '2022-07-21T18:54:43Z' }
+ its('metadata') { should_not be_nil }
+end
+```
+
+Deployment for a specified namespace must exist:
+
+```ruby
+describe k8s_deployment(namespace: 'kube-system', name: 'coredns') do
+ it { should exist }
+end
+```
+
+## Matchers
+
+{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}}
diff --git a/_vendor/github.com/inspec/inspec-k8s/docs-chef-io/content/k8s_deployments.md b/_vendor/github.com/inspec/inspec-k8s/docs-chef-io/content/k8s_deployments.md
new file mode 100644
index 0000000..3527ea9
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-k8s/docs-chef-io/content/k8s_deployments.md
@@ -0,0 +1,77 @@
++++
+title = "k8s_deployments resource"
+draft = false
+
+[menu.k8s]
+title = "k8s_deployments"
+identifier = "inspec/resources/k8s/K8s Deployments"
+parent = "inspec/resources/k8s"
++++
+
+Use the `k8s_deployments` Chef InSpec audit resource to test the configurations of all Deployments in a namespace.
+
+## Syntax
+
+```ruby
+describe k8s_deployments(namespace: 'kube-system') do
+ it { should exist }
+end
+```
+
+## Parameter
+
+`namespace`
+: Namespace of the resource (default: **default**).
+
+## Properties
+
+`uids`
+: UID of the Deployments.
+
+`names`
+: Name of the Deployments.
+
+`namespaces`
+: Namespace of the Deployments.
+
+`resource_versions`
+: Resource version of the Deployments.
+
+`labels`
+: Labels associated with the Deployments.
+
+`annotations`
+: Annotations associated with the Deployments.
+
+`kinds`
+: Resource type of the Deployments.
+
+## Examples
+
+Deployments for the default namespace must exist:
+
+```ruby
+describe k8s_deployments do
+ it { should exist }
+ its('names') { should include 'nginx-deployment' }
+end
+```
+
+Deployments for specified namespace must exist and test its properties:
+
+```ruby
+describe k8s_deployments(namespace: 'kube-system') do
+ it { should exist }
+ its('uids') { should include 'eeb07afc-2f45-4d52-9fda-aa362f7c536c' }
+ its('resource_versions') { should include '7944' }
+ its('labels') { should include :'k8s-app' => 'kube-dns' }
+ its('annotations') { should_not be_empty }
+ its('names') { should include 'coredns' }
+ its('namespaces') { should include 'kube-system' }
+ its('kinds') { should include 'DEPLOYMENT' }
+end
+```
+
+## Matchers
+
+{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}}
diff --git a/_vendor/github.com/inspec/inspec-k8s/docs-chef-io/content/k8s_exec_file.md b/_vendor/github.com/inspec/inspec-k8s/docs-chef-io/content/k8s_exec_file.md
new file mode 100644
index 0000000..2dc141c
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-k8s/docs-chef-io/content/k8s_exec_file.md
@@ -0,0 +1,91 @@
++++
+title = "k8s_exec_file resource"
+draft = false
+
+[menu.k8s]
+title = "k8s_exec_file"
+identifier = "inspec/resources/k8s/K8s Exec File"
+parent = "inspec/resources/k8s"
++++
+
+Use the `k8s_exec_file` Chef InSpec audit resource to test the properties of all files within in a pod/container.
+
+## Syntax
+
+```ruby
+describe k8s_exec_file(path: '/etc/e2scrub.conf', pod: 'shell-demo', namespace: 'default') do
+ it { should exist }
+end
+```
+
+## Parameter
+
+`namespace`
+: Namespace of the resource (default: **default**).
+
+`pod`
+: Name of the pod
+
+`path`
+: Fully Qualified path of the file
+
+`container`
+: Name of the container
+
+## Properties
+
+`content`
+: content of the files.
+
+`size`
+: size of the file.
+
+`basename`
+: basename of the file.
+
+`owner`
+: owner of the file.
+
+`group`
+: File group.
+
+`type`
+: file type.
+
+`symlink`
+: symlink directory
+
+`mode`
+: file mode
+
+`uid`
+: UID of the file
+
+## Examples
+
+Check if path exists and it is a file:
+
+```ruby
+describe k8s_exec_file(path: '/etc/e2scrub.conf', pod: 'shell-demo', namespace: 'default') do
+ it { should exist }
+ it { should be_file }
+end
+```
+
+check if we have full rights on the file:
+
+```ruby
+describe k8s_exec_file(path: '/etc/e2scrub.conf', pod: 'shell-demo', namespace: 'default') do
+ it { should exist }
+ it { should be_file }
+ it { should be_readable }
+ it { should be_writable }
+ it { should be_executable.by_user('root') }
+ it { should be_owned_by 'root' }
+ its('mode') { should cmp '0644' }
+end
+```
+
+## Matchers
+
+{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}}
diff --git a/_vendor/github.com/inspec/inspec-k8s/docs-chef-io/content/k8s_job.md b/_vendor/github.com/inspec/inspec-k8s/docs-chef-io/content/k8s_job.md
new file mode 100644
index 0000000..0422375
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-k8s/docs-chef-io/content/k8s_job.md
@@ -0,0 +1,86 @@
++++
+title = "k8s_job resource"
+draft = false
+
+[menu.k8s]
+title = "k8s_job"
+identifier = "inspec/resources/k8s/K8s Job"
+parent = "inspec/resources/k8s"
++++
+
+Use the `k8s_job` Chef InSpec audit resource to test the configuration of a specific Job in the specified namespace.
+
+## Syntax
+
+```ruby
+describe k8s_job(name: 'HELLO') do
+ it { should exist }
+end
+```
+
+## Parameter
+
+`name`
+: Name of the Job.
+
+`namespace`
+: Namespace of the resource (default: **default**).
+
+## Properties
+
+`uid`
+: UID of the Job.
+
+`name`
+: Name of the Job.
+
+`namespace`
+: Namespace of the Job.
+
+`resource_version`
+: Resource version of the Job. This is an alias of `resourceVersion`.
+
+`labels`
+: Labels associated with the Job.
+
+`annotations`
+: Annotations associated with the Job.
+
+`kind`
+: Resource type of the Job.
+
+`creation_timestamp`
+: Creation time of the Job. This is an alias of `creationTimestamp`.
+
+`metadata`
+: Metadata for the Job.
+
+## Examples
+
+Job for default namespace must exist and test its properties:
+
+```ruby
+describe k8s_job(name: 'pi') do
+ it { should exist }
+ its('uid') { should eq 'a31e4d72-816d-4678-8cda-34973bc7808b' }
+ its('resource_version') { should eq '818' }
+ its('labels') { should_not be_empty }
+ its('annotations') { should_not be_empty }
+ its('name') { should eq 'pi' }
+ its('namespace') { should eq 'default' }
+ its('kind') { should eq 'JOB' }
+ its('creation_timestamp') { should eq '2022-08-02T12:05:40Z' }
+end
+```
+
+Job for a specified namespace must exist:
+
+```ruby
+describe k8s_job(name: 'HELLO-WORLD', namespace: 'Namespace') do
+ it { should exist }
+end
+```
+
+## Matchers
+
+{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}}
diff --git a/_vendor/github.com/inspec/inspec-k8s/docs-chef-io/content/k8s_jobs.md b/_vendor/github.com/inspec/inspec-k8s/docs-chef-io/content/k8s_jobs.md
new file mode 100644
index 0000000..9acb4ba
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-k8s/docs-chef-io/content/k8s_jobs.md
@@ -0,0 +1,77 @@
++++
+title = "k8s_jobs resource"
+draft = false
+
+[menu.k8s]
+title = "k8s_jobs"
+identifier = "inspec/resources/k8s/K8s Jobs"
+parent = "inspec/resources/k8s"
++++
+
+Use the `k8s_jobs` Chef InSpec audit resource to test the configurations of all Jobs in a namespace.
+
+## Syntax
+
+```ruby
+describe k8s_jobs do
+ it { should exist }
+end
+```
+
+## Parameter
+
+`namespace`
+: Namespace of the resource (default: **default**).
+
+## Properties
+
+`uids`
+: UID of the Jobs.
+
+`names`
+: Name of the Jobs.
+
+`namespaces`
+: Namespace of the Jobs.
+
+`resource_versions`
+: Resource version of the Jobs.
+
+`labels`
+: Labels associated with the Jobs.
+
+`annotations`
+: Annotations associated with the Jobs.
+
+`kinds`
+: Resource type of the Jobs.
+
+## Examples
+
+Jobs for default namespace must exist and test its properties:
+
+```ruby
+describe k8s_jobs do
+ it { should exist }
+ its('names') { should include 'HELLO' }
+ its('uids') { should include '378c1a39-cddc-4df6-bf5a-593779eb26fc' }
+ its('namespaces') { should include 'default' }
+ its('resource_versions') { should include '70517' }
+ its('kinds') { should include 'JOB' }
+ its('labels') { should_not be_empty }
+ its('annotations') { should_not be_empty }
+end
+```
+
+Jobs for specified namespace must exist:
+
+```ruby
+describe k8s_jobs(namespace: 'Namespace') do
+ it { should exist }
+ its('names') { should include 'HELLO-WORLD' }
+end
+```
+
+## Matchers
+
+{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}}
diff --git a/_vendor/github.com/inspec/inspec-k8s/docs-chef-io/content/k8s_namespace.md b/_vendor/github.com/inspec/inspec-k8s/docs-chef-io/content/k8s_namespace.md
new file mode 100644
index 0000000..45c6ce2
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-k8s/docs-chef-io/content/k8s_namespace.md
@@ -0,0 +1,68 @@
++++
+title = "k8s_namespace resource"
+draft = false
+
+[menu.k8s]
+title = "k8s_namespace"
+identifier = "inspec/resources/k8s/K8s Namespace"
+parent = "inspec/resources/k8s"
++++
+
+Use the `k8s_namespace` Chef InSpec audit resource to test the configuration of a specific namespace.
+
+## Syntax
+
+```ruby
+describe k8s_namespace(name: 'default') do
+ it { should exist }
+end
+```
+
+## Parameter
+
+`name`
+: Name of the namespace.
+
+## Properties
+
+`uid`
+: UID of the namespace.
+
+`name`
+: Name of the namespace.
+
+`resource_version`
+: Resource version of the namespace. This is an alias of `resourceVersion`.
+
+`labels`
+: Labels associated with the namespace.
+
+`kind`
+: Resource type of the namespace.
+
+`creation_timestamp`
+: Creation time of the namespace. This is an alias of `creationTimestamp`.
+
+`metadata`
+: Metadata for the namespace.
+
+## Examples
+
+Specified namespace must exist and test its properties:
+
+```ruby
+describe k8s_namespace(name: 'kube-node-lease') do
+ it { should exist }
+ its('uid') { should eq '5ed76d62-838b-45cb-b41f-789b567a2fa2' }
+ its('name') { should eq 'kube-node-lease' }
+ its('kind') { should eq 'Namespace' }
+ its('resource_version') { should eq '6' }
+ its('creationTimestamp') { should eq '2022-07-21T10:47:49Z' }
+ its('labels') { should eq 'kubernetes.io/metadata.name': 'kube-node-lease' }
+ its('metadata') { should_not be_nil }
+end
+```
+
+## Matchers
+
+{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}}
diff --git a/_vendor/github.com/inspec/inspec-k8s/docs-chef-io/content/k8s_namespaces.md b/_vendor/github.com/inspec/inspec-k8s/docs-chef-io/content/k8s_namespaces.md
new file mode 100644
index 0000000..936f6f7
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-k8s/docs-chef-io/content/k8s_namespaces.md
@@ -0,0 +1,56 @@
++++
+title = "k8s_namespaces resource"
+draft = false
+
+[menu.k8s]
+title = "k8s_namespaces"
+identifier = "inspec/resources/k8s/K8s Namespaces"
+parent = "inspec/resources/k8s"
++++
+
+Use the `k8s_namespaces` Chef InSpec audit resource to test the configurations of all namespaces.
+
+## Syntax
+
+```ruby
+describe k8s_namespaces do
+ it { should exist }
+ its('names') { should include 'DEFAULT' }
+end
+```
+
+## Properties
+
+`uids`
+: UID of the namespaces.
+
+`names`
+: Name of the namespaces.
+
+`resource_versions`
+: Resource version of the namespaces.
+
+`labels`
+: Labels associated with the namespaces.
+
+`kinds`
+: Resource type of the namespaces.
+
+## Examples
+
+Namespaces must exist and test their properties:
+
+```ruby
+describe k8s_namespaces do
+ it { should exist }
+ its('uids') { should include '5ed76d62-838b-45cb-b41f-789b567a2fa2' }
+ its('names') { should include 'default' }
+ its('resource_versions') { should include '6' }
+ its('kinds') { should include 'Namespace' }
+ its('labels') { should include 'kubernetes.io/metadata.name': 'default' }
+end
+```
+
+## Matchers
+
+{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}}
diff --git a/_vendor/github.com/inspec/inspec-k8s/docs-chef-io/content/k8s_network_policies.md b/_vendor/github.com/inspec/inspec-k8s/docs-chef-io/content/k8s_network_policies.md
new file mode 100644
index 0000000..19027fc
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-k8s/docs-chef-io/content/k8s_network_policies.md
@@ -0,0 +1,79 @@
++++
+title = "k8s_network_policies resource"
+draft = false
+
+[menu.k8s]
+title = "k8s_network_policies"
+identifier = "inspec/resources/k8s/K8s NetworkPolicies"
+parent = "inspec/resources/k8s"
++++
+
+Use the `k8s_network_policies` Chef InSpec audit resource to test the configurations of all network policies in a namespace.
+
+## Syntax
+
+```ruby
+describe k8s_network_policies do
+ it { should exist }
+ its('names') { should include 'Network-Policy' }
+end
+```
+
+## Parameter
+
+`namespace`
+: Namespace of the resource (default: **default**).
+
+## Properties
+
+`uids`
+: UID of the network policies.
+
+`names`
+: Name of the network policies.
+
+`namespaces`
+: Namespace of the network policies.
+
+`resource_versions`
+: Resource version of the network policies.
+
+`labels`
+: Labels associated with the network policies.
+
+`annotations`
+: Annotations associated with the network policies.
+
+`kinds`
+: Resource type of the network policies.
+
+## Examples
+
+Network policies for default namespace must exist:
+
+```ruby
+describe k8s_network_policies do
+ it { should exist }
+ its('names') { should include 'Network-Policy' }
+end
+```
+
+Network policies for specified namespace must exist and test its properties:
+
+```ruby
+describe k8s_network_policies(namespace: 'NAMESPACE') do
+ it { should exist }
+ its('names') { should include 'Network-Policy' }
+ its('uids') { should include '0beb1fc6-8af7-4607-b3c0-2bff65d4abd6' }
+ its('resource_versions') { should include '129558' }
+ its('labels') { should_not be_empty }
+ its('annotations') { should_not be_empty }
+ its('namespaces') { should include 'Namespace' }
+ its('kinds') { should include 'Network-Policy' }
+ its('metadata') { should_not be_nil }
+end
+```
+
+## Matchers
+
+{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}}
diff --git a/_vendor/github.com/inspec/inspec-k8s/docs-chef-io/content/k8s_network_policy.md b/_vendor/github.com/inspec/inspec-k8s/docs-chef-io/content/k8s_network_policy.md
new file mode 100644
index 0000000..e352997
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-k8s/docs-chef-io/content/k8s_network_policy.md
@@ -0,0 +1,87 @@
++++
+title = "k8s_network_policy resource"
+draft = false
+
+[menu.k8s]
+title = "k8s_network_policy"
+identifier = "inspec/resources/k8s/K8s Network Policy"
+parent = "inspec/resources/k8s"
++++
+
+Use the `k8s_network_policy` Chef InSpec audit resource to test the configuration of a specific network policy in the specified namespace.
+
+## Syntax
+
+```ruby
+describe k8s_network_policy(name: 'coredns', namespace: 'kube-system') do
+ it { should exist }
+end
+```
+
+## Parameter
+
+`name`
+: Name of the network policy.
+
+`namespace`
+: Namespace of the resource (default: **default**).
+
+## Properties
+
+`uid`
+: UID of the network policy.
+
+`name`
+: Name of the network policy.
+
+`namespace`
+: Namespace of the network policy.
+
+`resource_version`
+: Resource version of the network policy. This is an alias of `resourceVersion`.
+
+`labels`
+: Labels associated with the network policy.
+
+`annotations`
+: Annotations associated with the network policy.
+
+`kind`
+: Resource type of the network policy.
+
+`creation_timestamp`
+: Creation time of the network policy. This is an alias of `creationTimestamp`.
+
+`metadata`
+: Metadata for the network policy.
+
+## Examples
+
+Network policy for default namespace must exist and test its properties:
+
+```ruby
+describe k8s_network_policy(name: "TEST-NETWORK-POLICY") do
+ it { should exist }
+ its('uid') { should eq '0beb1fc6-8af7-4607-b3c0-2bff65d4abd6' }
+ its('resource_version') { should eq '129558' }
+ its('labels') { should be_empty }
+ its('annotations') { should_not be_empty }
+ its('name') { should eq 'Network-Policy' }
+ its('namespace') { should eq 'default' }
+ its('kind') { should eq 'Network-Policy' }
+ its('creation_timestamp') { should eq '2022-08-02T09:47:56Z' }
+ its('metadata') { should_not be_nil }
+end
+```
+
+Network Policy for a specified namespace must exist:
+
+```ruby
+describe k8s_network_policy(namespace: 'Namespace', name: 'Network-Policy') do
+ it { should exist }
+end
+```
+
+## Matchers
+
+{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}}
diff --git a/_vendor/github.com/inspec/inspec-k8s/docs-chef-io/content/k8s_node.md b/_vendor/github.com/inspec/inspec-k8s/docs-chef-io/content/k8s_node.md
new file mode 100644
index 0000000..46b3687
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-k8s/docs-chef-io/content/k8s_node.md
@@ -0,0 +1,74 @@
++++
+title = "k8s_node resource"
+draft = false
+
+
+
+[menu]
+ [menu.inspec]
+ title = "k8s_node"
+ identifier = "inspec/resources/k8s/K8s Node"
+ parent = "inspec/resources/k8s"
++++
+
+Use the `k8s_node` Chef InSpec audit resource to test the configuration of the K8s node.
+
+## Syntax
+
+```ruby
+describe k8s_node(name: "NAME") do
+ #...
+end
+```
+
+## Parameters
+
+`name`
+: Node name.
+
+## Properties
+
+`uid`
+: UID of the node.
+
+`kind`
+: Resource type of the node.
+
+`resource_version`
+: Resource version of the node.
+
+`labels`
+: Labels attached to the node.
+
+`annotations`
+: Annotations of the node.
+
+## Examples
+
+Test to verify that the node with the specified name exists:
+
+```ruby
+describe k8s_node(name: "NODE_NAME") do
+ it { should exist }
+end
+```
+
+## Matchers
+
+{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}}
+
+have_label:
+
+The `have_label` matcher verifies if the specified key and value are present in the node labels.
+
+```ruby
+it { should have_label('foo', 'bar') }
+```
+
+have_annotation:
+
+The `have_annotation` matcher verifies if the specified key and value are present in the node annotations.
+
+```ruby
+it { should have_annotation('foo', 'bar') }
+```
diff --git a/_vendor/github.com/inspec/inspec-k8s/docs-chef-io/content/k8s_nodes.md b/_vendor/github.com/inspec/inspec-k8s/docs-chef-io/content/k8s_nodes.md
new file mode 100644
index 0000000..33ee71b
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-k8s/docs-chef-io/content/k8s_nodes.md
@@ -0,0 +1,49 @@
++++
+title = "k8s_nodes resource"
+draft = false
+
+[menu.k8s]
+title = "k8s_nodes"
+identifier = "inspec/resources/k8s/K8s Nodes"
+parent = "inspec/resources/k8s"
++++
+
+Use the `k8s_nodes` Chef InSpec audit resource to test the configuration of all nodes.
+
+## Syntax
+
+```ruby
+describe k8s_nodes do
+ #...
+end
+```
+
+## Properties
+
+`uids`
+: UID of the nodes.
+
+`names`
+: Name of the nodes.
+
+`resource_versions`
+: Resource version of the nodes.
+
+`kinds`
+: Resource type of the nodes.
+
+## Examples
+
+Test to verify nodes include a node with a specified name and UID:
+
+```ruby
+ describe k8s_nodes do
+ it { should exist }
+ its('names') { should include 'NODE_NAME' }
+ its('uids') { should include 'NODE_UID' }
+end
+```
+
+## Matchers
+
+{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}}
diff --git a/_vendor/github.com/inspec/inspec-k8s/docs-chef-io/content/k8s_object.md b/_vendor/github.com/inspec/inspec-k8s/docs-chef-io/content/k8s_object.md
new file mode 100644
index 0000000..cda47a5
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-k8s/docs-chef-io/content/k8s_object.md
@@ -0,0 +1,97 @@
++++
+title = "k8sobject resource"
+draft = false
+
+
+
+[menu]
+ [menu.inspec]
+ title = "k8sobject"
+ identifier = "inspec/resources/k8s/K8s Object"
+ parent = "inspec/resources/k8s"
++++
+
+Use the `k8sobject` Chef InSpec audit resource is a generic InSpec resource to test any Kubernetes object.
+
+## Syntax
+
+```ruby
+describe k8sobject(type: K8s_RESOURCE_TYPE, namespace: NAMESPACE, name: RESOURCE_NAME) do
+ #...
+end
+```
+
+## Parameters
+
+`type`
+: type of the K8s resource that is for a query.
+
+`namespace`
+: namespace of the resource.
+
+`name`
+: Name of the resource.
+
+## Properties
+
+`uid`
+: UID of the resource.
+
+`name`
+: Name of the resource.
+
+`namespace`
+: Namespace of the resource.
+
+`resource_version`
+: Resource version of the resource.
+
+`kind`
+: Resource type.
+
+`metadata`
+: Metadata for the resource.
+
+`labels`
+: Labels of the resource.
+
+`annotations`
+: Annotations of the resource.
+
+## Examples
+
+Test to ensure kube-system, kube-public, and default namespaces exist:
+
+```ruby
+describe k8sobject(api: 'v1', type: 'namespaces', name: 'kube-system') do
+ it { should exist }
+end
+```
+
+Test to ensure kube-system pods exist:
+
+```ruby
+k8sobject(api: 'v1', type: 'pods', namespace: 'kube-system', labelSelector: 'k8s-app=kube-proxy') do
+ it { should exist }
+end
+```
+
+## Matchers
+
+{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}}
+
+have_label:
+
+The `have_label` matcher verifies if the specified key and value are present in the resource lables.
+
+```ruby
+it { should have_label('foo', 'bar') }
+```
+
+have_annotation:
+
+The `have_annotation` matcher verifies if the specified key and value are present in the resource annotations.
+
+```ruby
+it { should have_annotation('foo', 'bar') }
+```
\ No newline at end of file
diff --git a/_vendor/github.com/inspec/inspec-k8s/docs-chef-io/content/k8s_objects.md b/_vendor/github.com/inspec/inspec-k8s/docs-chef-io/content/k8s_objects.md
new file mode 100644
index 0000000..a0c6fa9
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-k8s/docs-chef-io/content/k8s_objects.md
@@ -0,0 +1,69 @@
++++
+title = "k8sobjects resource"
+draft = false
+
+[menu.k8s]
+title = "k8sobjects"
+identifier = "inspec/resources/k8s/K8s Objects"
+parent = "inspec/resources/k8s"
++++
+
+Use the `k8sobjects` Chef InSpec audit resource to test the configuration of all K8s resources.
+
+## Syntax
+
+```ruby
+describe k8sobjects(type: K8s_RESOURCE_TYPE, namespace: NAMESPACE, name: RESOURCE_NAME) do
+ #...
+end
+```
+
+## Parameters
+
+`type`
+: type of the K8s resource that is for a query.
+
+`namespace`
+: namespace of the resource.
+
+## Properties
+
+`uids`
+: UID of the resource.
+
+`names`
+: Name of the resource.
+
+`namespaces`
+: Namespace of the resource.
+
+`resource_versions`
+: Resource version of the resource.
+
+`kinds`
+: Resource type.
+
+`metadatas`
+: Metadata for the resource.
+
+## Examples
+
+Test to ensure kube-system, kube-public, and default namespaces exist:
+
+```ruby
+ describe k8sobjects(api: 'v1', type: 'namespaces', name: 'kube-system') do
+ it { should exist }
+end
+```
+
+Test to ensure kube-system pods exist:
+
+```ruby
+k8sobjects(api: 'v1', type: 'pods', namespace: 'kube-system', labelSelector: 'k8s-app=kube-proxy') do
+ it { should exist }
+end
+```
+
+## Matchers
+
+{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}}
diff --git a/_vendor/github.com/inspec/inspec-k8s/docs-chef-io/content/k8s_pod.md b/_vendor/github.com/inspec/inspec-k8s/docs-chef-io/content/k8s_pod.md
new file mode 100644
index 0000000..766a1a6
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-k8s/docs-chef-io/content/k8s_pod.md
@@ -0,0 +1,66 @@
++++
+title = "k8s_pod resource"
+draft = false
+
+[menu.k8s]
+title = "k8s_pod"
+identifier = "inspec/resources/k8s/K8s Pod"
+parent = "inspec/resources/k8s"
++++
+
+Use the `k8s_pod` Chef InSpec audit resource to test the configuration of a specific Pod in the specified namespace.
+
+## Syntax
+
+```ruby
+describe k8s_pod(namespace: "NAMESPACE", name: "NAME") do
+ #...
+end
+```
+
+## Parameter
+
+`namespace`
+: Namespace of the resource.
+
+## Properties
+
+`uid`
+: UID of the Pod.
+
+`name`
+: Name of the Pod.
+
+`namespace`
+: Namespace of the Pod.
+
+`resource_version`
+: Resource version of the Pod.
+
+`kind`
+: Resource type of the Pod.
+
+`metadata`
+: Metadata for the Pod.
+
+## Examples
+
+Pod for default namespace must exist:
+
+```ruby
+ describe k8s_pod(name: 'NAME') do
+ it { should exist }
+end
+```
+
+Pod for a specified namespace must exist:
+
+```ruby
+describe k8s_pod(namespace: 'NAMESPACE', name: 'NAME') do
+ it { should exist }
+end
+```
+
+## Matchers
+
+{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}}
diff --git a/_vendor/github.com/inspec/inspec-k8s/docs-chef-io/content/k8s_pods.md b/_vendor/github.com/inspec/inspec-k8s/docs-chef-io/content/k8s_pods.md
new file mode 100644
index 0000000..e070cd9
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-k8s/docs-chef-io/content/k8s_pods.md
@@ -0,0 +1,66 @@
++++
+title = "k8s_pods resource"
+draft = false
+
+[menu.k8s]
+title = "k8s_pods"
+identifier = "inspec/resources/k8s/K8s Pods"
+parent = "inspec/resources/k8s"
++++
+
+Use the `k8s_pods` Chef InSpec audit resource to test the configurations of all Pods in a namespace.
+
+## Syntax
+
+```ruby
+describe k8s_pods do
+ #...
+end
+```
+
+## Parameter
+
+`namespace`
+: Namespace of the resource.
+
+## Properties
+
+`uid`
+: UID of the Pod.
+
+`name`
+: Name of the Pod.
+
+`namespace`
+: Namespace of the Pod.
+
+`resource_version`
+: Resource version of the Pod.
+
+`kind`
+: Resource type of the Pod.
+
+`metadata`
+: Metadata for the Pod.
+
+## Examples
+
+Pods for default namespace must exist:
+
+```ruby
+ describe k8s_pods do
+ it { should exist }
+end
+```
+
+Pods for specified namespace must exist:
+
+```ruby
+describe k8s_pods(namespace: 'kube-system') do
+ it { should exist }
+end
+```
+
+## Matchers
+
+{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}}
diff --git a/_vendor/github.com/inspec/inspec-k8s/docs-chef-io/content/k8s_rbac_cluster_role.md b/_vendor/github.com/inspec/inspec-k8s/docs-chef-io/content/k8s_rbac_cluster_role.md
new file mode 100644
index 0000000..203addf
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-k8s/docs-chef-io/content/k8s_rbac_cluster_role.md
@@ -0,0 +1,91 @@
++++
+title = "k8s_rbac_cluster_role resource"
+draft = false
+
+
+
+[menu]
+ [menu.inspec]
+ title = "k8s_rbac_cluster_role"
+ identifier = "inspec/resources/k8s/K8s Rbac Cluster Role"
+ parent = "inspec/resources/k8s"
++++
+
+Use the `k8s_rbac_cluster_role` Chef InSpec audit resource to test the Role-based access control (RBAC) cluster role settings.
+
+## Syntax
+
+```ruby
+describe k8s_rbac_cluster_role(name: "NAME") do
+ #...
+end
+```
+
+## Parameters
+
+`name`
+: Cluster role name.
+
+## Properties
+
+`uid`
+: UID of the cluster role.
+
+`kind`
+: Resource type of the cluster role.
+
+`resource_version`
+: Resource version of the cluster role.
+
+`labels`
+: Labels attached to the cluster role.
+
+`annotations`
+: Annotations of the cluster role.
+
+`rules`
+: List of rules set for the cluster role.
+
+`aggregation_rule`
+: Aggregation rule set for the cluster role.
+
+`cluster_role_selectors`
+: List of aggregation rule cluster role selectors set for the cluster role.
+
+`metadata`
+: Metadata of the cluster role.
+
+`creation_timestamp`
+: Creation timestamp of the cluster role.
+
+## Examples
+
+Test to verify that the RBAC cluster role with the specified name exists:
+
+```ruby
+describe k8s_rbac_cluster_role(name: "CLUSTER_ROLE_NAME") do
+ it { should exist }
+end
+```
+
+Test to verify rules set for the specified cluster role:
+
+```ruby
+describe k8s_rbac_cluster_role(name: "pod-reader") do
+ it { should exist }
+ its('rules') { should include apiGroups: [""], resources: ["pods"], verbs: ["get", "list", "watch"] }
+end
+```
+
+Test to verify aggregation rule is not empty and cluster role selectors have the specified value:
+
+```ruby
+describe k8s_rbac_cluster_role(name: "monitoring") do
+ its("aggregation_rule") { should_not be_empty }
+ its("cluster_role_selectors") { should include matchLabels: { "rbac.example.com/aggregate-to-monitoring": "true" } }
+end
+```
+
+## Matchers
+
+{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}}
diff --git a/_vendor/github.com/inspec/inspec-k8s/docs-chef-io/content/k8s_rbac_cluster_roles.md b/_vendor/github.com/inspec/inspec-k8s/docs-chef-io/content/k8s_rbac_cluster_roles.md
new file mode 100644
index 0000000..ff5e557
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-k8s/docs-chef-io/content/k8s_rbac_cluster_roles.md
@@ -0,0 +1,85 @@
++++
+title = "k8s_rbac_cluster_roles resource"
+draft = false
+
+
+
+[menu]
+ [menu.inspec]
+ title = "k8s_rbac_cluster_roles"
+ identifier = "inspec/resources/k8s/K8s Rbac Cluster Roles"
+ parent = "inspec/resources/k8s"
++++
+
+Use the `k8s_rbac_cluster_roles` Chef InSpec audit resource to test all the Role-based access control (RBAC) cluster roles.
+
+## Syntax
+
+```ruby
+describe k8s_rbac_cluster_roles do
+ #...
+end
+```
+
+## Properties
+
+`uids`
+: UID of the cluster roles.
+
+`kinds`
+: Resource type of the cluster roles.
+
+`resource_versions`
+: Resource version of the cluster roles.
+
+`labels`
+: Labels attached to the cluster roles.
+
+`annotations`
+: Annotations of the cluster roles.
+
+`rules`
+: List of rules set for the cluster roles.
+
+`aggregation_rules`
+: Aggregation rule set for the cluster roles.
+
+`cluster_role_selectors`
+: List of aggregation rule cluster role selectors set for the cluster roles.
+
+`metadata`
+: Metadata of the cluster roles.
+
+`creation_timestamps`
+: Creation timestamp of the cluster roles.
+
+## Examples
+
+Test to verify that the RBAC cluster roles:
+
+```ruby
+describe k8s_rbac_cluster_roles do
+ it { should exist }
+end
+```
+
+Test to verify rules set for the specified cluster role:
+
+```ruby
+describe k8s_rbac_cluster_roles do
+ its('rules') { should include apiGroups: [''], resources: ['pods'], verbs: ['get', 'list', 'watch'] }
+end
+```
+
+Test to verify aggregation rules and aggregation rule cluster role selectors:
+
+```ruby
+describe k8s_rbac_cluster_roles do
+ its("aggregation_rules") { should_not be_empty }
+ its("cluster_role_selectors") { should include matchLabels: { "rbac.example.com/aggregate-to-monitoring": 'true' } }
+end
+```
+
+## Matchers
+
+{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}}
diff --git a/_vendor/github.com/inspec/inspec-k8s/docs-chef-io/hugo.toml b/_vendor/github.com/inspec/inspec-k8s/docs-chef-io/hugo.toml
new file mode 100644
index 0000000..7e4bb38
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-k8s/docs-chef-io/hugo.toml
@@ -0,0 +1,4 @@
+# [params.inspec-k8s]
+# gh_path = "https://github.com/inspec/inspec-k8s/tree/main/docs-chef-io/content/"
+
+# This doesn't work right now. I'll fix it later.
\ No newline at end of file
diff --git a/_vendor/github.com/inspec/inspec-mongodb-resources/docs-chef-io/content/_index.md b/_vendor/github.com/inspec/inspec-mongodb-resources/docs-chef-io/content/_index.md
new file mode 100644
index 0000000..4f41783
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-mongodb-resources/docs-chef-io/content/_index.md
@@ -0,0 +1,43 @@
++++
+title = "About the Chef InSpec MongoDB resource pack"
+draft = false
+linkTitle = "MongoDB resource pack"
+summary = "Chef InSpec resources for auditing MongoDB databases and configurations."
+
+[cascade]
+ [cascade.params]
+ platform = "mongodb"
+
+[menu.mongodb]
+ title = "About MongoDB resources"
+ identifier = "inspec/resources/mongodb/about"
+ parent = "inspec/resources/mongodb"
+ weight = 10
++++
+
+The Chef InSpec MongoDB resources allow you to audit MongoDB database configurations, user permissions, and security settings.
+
+## Support
+
+The InSpec MongoDB resources are supported in the following InSpec versions:
+
+- InSpec 6 and earlier: MongoDB resources were included in the InSpec core installation
+- InSpec 7 and later: MongoDB resources are distributed as the separate `inspec-mongodb-resources` gem
+
+### Add to your InSpec profile
+
+To add this resource pack to an InSpec profile, add the `inspec-mongodb-resources` gem as a dependency in your `inspec.yml` file:
+
+```yaml
+depends:
+ - name: inspec-mongodb-resources
+ gem: inspec-mongodb-resources
+```
+
+## MongoDB resources
+
+{{< inspec_resources_filter >}}
+
+The following Chef InSpec MongoDB resources are available in this resource pack.
+
+{{< inspec_resources section="mongodb" platform="mongodb" >}}
diff --git a/_vendor/github.com/inspec/inspec-mongodb-resources/docs-chef-io/content/mongodb_conf.md b/_vendor/github.com/inspec/inspec-mongodb-resources/docs-chef-io/content/mongodb_conf.md
new file mode 100644
index 0000000..19d4f41
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-mongodb-resources/docs-chef-io/content/mongodb_conf.md
@@ -0,0 +1,60 @@
++++
+title = "mongodb_conf resource"
+draft = false
+
+
+[menu.mongodb]
+ title = "mongodb_conf"
+ identifier = "inspec/resources/mongodb/mongodb_conf.md mongodb_conf resource"
+ parent = "inspec/resources/mongodb"
++++
+
+Use the `mongodb_conf` Chef InSpec audit resource to test the contents of the configuration file for MongoDB, typically located at `/etc/mongod.conf` or `C:\Program Files\MongoDB\Server\\bin\mongod.cfg`, depending on the platform.
+
+## Syntax
+
+A `mongodb_conf` resource block declares one (or more) settings in the `mongodb.conf` file, and then compares the setting in the configuration file to the value stated in the test:
+
+```ruby
+describe mongodb_conf('path') do
+ its('setting') { should eq 'value' }
+end
+```
+
+where
+
+- `'setting'` specifies a setting in the `mongodb.conf` file
+- `('path')` is the non-default path to the `mongodb.conf` file (optional)
+- `should eq 'value'` is the value that is expected
+
+## Examples
+
+The following examples show how to use this Chef InSpec audit resource.
+
+Test the key management configuration options:
+
+```ruby
+describe mongodb_conf do
+ its(["security", "enableEncryption"]) { should eq true }
+end
+```
+
+Test the port on which MongoDB listens:
+
+```ruby
+describe mongodb_conf do
+ its(["net", "port"]) { should eq 27017 }
+end
+```
+
+Test the security configuration options:
+
+```ruby
+describe mongodb_conf do
+ its(["security", "authorization"]) { should eq "enabled" }
+end
+```
+
+## Matchers
+
+{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}}
diff --git a/_vendor/github.com/inspec/inspec-mongodb-resources/docs-chef-io/content/mongodb_session.md b/_vendor/github.com/inspec/inspec-mongodb-resources/docs-chef-io/content/mongodb_session.md
new file mode 100644
index 0000000..9bf02f1
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-mongodb-resources/docs-chef-io/content/mongodb_session.md
@@ -0,0 +1,114 @@ ++++ +title = "mongodb_session resource" +draft = false + +[menu.mongodb] + title = "mongodb_session" + identifier = "inspec/resources/mongodb/mongodb_session.md mongodb_session resource" + parent = "inspec/resources/mongodb" ++++ + +Use the `mongodb_session` Chef InSpec audit resource to run MongoDB command against a MongoDB Database. + +## Syntax + +A `mongodb_session` resource block declares the `user`, `password`, and `database` to use for the session and then the command to be run: + +```ruby +describe mongodb_session(user: "username", password: "password", database: "test").query(key: value) do + its("params") { should match(/expected-result/) } +end +``` + +where + +- `mongodb_session` declares a user, password, and database, connecting locally, with permission to run the query. +- `query` contains the query to be run. +- `its("params") { should eq(/expected-result/) }` compares the results of the query against the expected result in the test + +### Optional Parameters + +The `mongodb_session` InSpec resource accepts `user`, `password`, `host`, `port`, `auth_source`, `auth_mech`, `ssl`, `ssl_cert`, `ssl_ca_cert`, and `auth_mech_properties` parameters. + +In Particular: + +#### `host` + +The server host IP address. Default value: `127.0.0.1`. + +#### `port` + +The server port. Default value: `27017`. + +#### `auth_mech` + +The authentication mechanism. The available options are: `:scram`, `:scram256`, `:mongodb_x509`, and `:aws`. Default value: `:scram`. + +See the MongoDB documentation on [Ruby driver authentication](https://docs.mongodb.com/ruby-driver/current/reference/authentication/) for more information. + +#### `auth_source` + +The database where the user’s authentication credentials are stored. The default value is the database name that is passed as a parameter to the resource. + +#### `ssl` + +Whether to use the SSL security protocol or not. Set to `true` to use SSL transport, default value: `false`. 
See the MongoDB documentation on [Ruby Driver authentication](https://docs.mongodb.com/ruby-driver/current/reference/authentication/#client-certificate-x-509) for more information. + +#### 'ssl_cert' + +Path to the SSL certificate file. + +#### `ssl_ca_cert` + +Path to the SSL Certificate Authority (CA) certificate file. + +#### `ssl_key` + +Path to SSL key file. + +#### `auth_mech_properties` + +A hash of the authentication mechanism properties. This option is generally used with the AWS authentication mechanism. See the MongoDB documentation on [Ruby Driver authentication using AWS](https://docs.mongodb.com/ruby-driver/current/reference/authentication/#aws) for more information. + +### MongoDB Query Reference Documentation + +This resource uses the [MongoDB Ruby Driver](https://docs.mongodb.com/ruby-driver/current/reference/authentication/) to fetch the data. + +## Examples + +The following examples show how to use this Chef InSpec audit resource. + +Test the roles information using the `rolesInfo` command in MongoDB: + +```ruby +describe mongodb_session(user: "foo", password: "bar", database: "test").query(rolesInfo: "dbAdmin").params["roles"].first do + its(["role"]) { should eq "dbAdmin" } +end +``` + +Test the MongoDB user role: + +```ruby +describe mongodb_session(user: "foo", password: "bar", database: "test").query(usersInfo: "foo").params["users"].first["roles"].first do + its(["role"]) { should eq "readWrite" } +end +``` + +Test the database parameters: + +```ruby +describe mongodb_session(user: "foo", password: "bar", database: "test").query(rolesInfo: "dbAdmin") do + its("params") { should_not be_empty } + its("params") { should include "roles" } +end +``` + +## Matchers + +{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}} + +This resource has the following special matchers. + +### params + +The `params` contains all the query data. 
diff --git a/_vendor/github.com/inspec/inspec-podman-resources/docs-chef-io/content/_index.md b/_vendor/github.com/inspec/inspec-podman-resources/docs-chef-io/content/_index.md new file mode 100644 index 0000000..dd37285 --- /dev/null +++ b/_vendor/github.com/inspec/inspec-podman-resources/docs-chef-io/content/_index.md @@ -0,0 +1,41 @@ ++++ +title = "About the Chef InSpec Podman resource pack" +draft = false +linkTitle = "Podman resource pack" +summary = "Chef InSpec resources for auditing Podman." + +[cascade] + [cascade.params] + platform = "podman" + +[menu.podman] + title = "About Podman resources" + identifier = "inspec/resources/podman/about" + parent = "inspec/resources/podman" + weight = 10 ++++ + +The InSpec Podman resources allow you to test and validate the state of Podman containers, images, pods, networks, and volumes. + +## Support + +The InSpec Podman resources were part of InSpec core through InSpec 6. +Starting in InSpec 7, they're released separately as a Ruby gem. + +## Usage + +To add this resource pack to an InSpec profile, add the `inspec-podman-resources` gem as a dependency in your `inspec.yml` file: + +```yaml +depends: + - name: inspec-podman-resources + gem: inspec-podman-resources +``` + +## Podman resources + +{{< inspec_resources_filter >}} + +The following Chef InSpec Podman resources are available in this resource pack. + +{{< inspec_resources section="podman" platform="podman" >}} diff --git a/_vendor/github.com/inspec/inspec-podman-resources/docs-chef-io/content/podman.md b/_vendor/github.com/inspec/inspec-podman-resources/docs-chef-io/content/podman.md new file mode 100644 index 0000000..2d45819 --- /dev/null +++ b/_vendor/github.com/inspec/inspec-podman-resources/docs-chef-io/content/podman.md 
@@ -0,0 +1,192 @@ ++++ +title = "podman resource" +draft = false + + +[menu.podman] + title = "podman" + identifier = "inspec/resources/podman/podman.md podman resource" + parent = "inspec/resources/podman" ++++ + +Use the `podman` Chef InSpec audit resource to test the configuration of Podman resources. + +## Syntax + +Use the `podman` Chef InSpec audit resource to test multiple Podman containers. + +```ruby +describe podman.containers do + its('ids') { should include "591270d8d80d26671fd6ed622f367fbe19004d16e3b519c292313feb5f22e7f7" } + its('images') { should include "docker.io/library/ubuntu:latest" } +end +``` + +Or, if you want to query a specific container: + +```ruby +describe podman.containers.where(id: "591270d8d80d26671fd6ed622f367fbe19004d16e3b519c292313feb5f22e7f7") do + its('status') { should include "Up 44 hours ago" } +end +``` + +where: + +- `.where()` specifies a specific item and value to which the resource parameters are compared. +- `commands`, `created_at`, `ids`, `images`, `names`, `status`, `image_ids`, `labels`, `mounts`, `networks`, `pods`, `ports`, `running_for`, and `sizes` are valid parameters for `containers`. + +You can also use the `podman` resource block to test many images. + +```ruby +describe podman.images do + its('repositories') { should_not include 'docker.io/library/nginx' } +end +``` + +Or, if you want to query a specific `image`: + +```ruby +describe podman.images.where(id: "c7db653c4397e6a4d1e468bb7c6400c022c62623bdb87c173d54bac7995b6d8f") do + it { should exist } +end +``` + +where: + +- `.where()` specifies a specific filter and expected value, against which parameters are compared. +- `repositories`, `tags`, `sizes`, `digests`, `history`, `created_at`, `history`, and`created_since` are valid parameters for `images`. + +You can also use the `podman` resource block to test multiple networks. 
+ +```ruby +describe podman.networks do + its("names") { should include "podman" } +end +``` + +Or, if you want to query a specific network: + +```ruby +describe podman.networks.where(id: "c7db653c4397e6a4d1e468bb7c6400c022c62623bdb87c173d54bac7995b6d8f") do + it { should exist } +end +``` + +where: + +- `.where()` specifies a specific filter and expected value, against which parameters are compared. +- `ids`, `names`, `drivers`, `network_interfaces`, `created`, `subnets`, `ipv6_enabled`, `internal`, `dns_enabled`, `options`, `labels`, and `ipam_options` are valid parameters for `networks`. + +You can use the `podman` resource block to test many pods. + +```ruby +describe podman.pods do + its("names") { should include "cranky_allen" } +end +``` + +Or, if you want to query a specific pod: + +```ruby +describe podman.pods.where(id: "95cadbb84df71e6374fceb3fd89ee3b8f2c7e1a831062cd9cea7d0e3e4b1dbcc") do + it { should exist } +end +``` + +where: + +- `.where()` may specify a specific filter and expected value, against which parameters are compared. +- `ids`, `cgroups`, `containers`, `created`, `infraids`, `names`, `namespaces`, `networks`, `status`, and `labels` are valid parameters for `pods`. + +## Examples + +The following examples show how to use this Chef InSpec audit resource. 
+ +Return all running containers: + +```ruby +podman.containers.running?.ids.each do |id| + describe podman.object(id) do + its('State.Health.Status') { should eq 'healthy' } + end +end +``` + +Return information about containers as returned by [podman ps -a](https://docs.podman.io/en/latest/markdown/podman.1.html): + +```ruby +describe podman.containers do + its("ids") { should include "591270d8d80d26671fd6ed622f367fbe19004d16e3b519c292313feb5f22e7f7" } + its("labels") { should include "maintainer" => "NGINX Docker Maintainers \u003cdocker-maint@nginx.com\u003e" } + its('names') { should include "sweet_mendeleev" } + its("images") { should include "docker.io/library/nginx:latest" } +end +``` + +Return information about a Podman image as returned by [podman images -a](https://docs.podman.io/en/latest/markdown/podman-images.1.html): + +```ruby +describe podman.images do + its('ids') { should include 'sha256:c7db653c4397e6a4d1e468bb7c6400c022c62623bdb87c173d54bac7995b6d8f ' } + its('sizes') { should_not include '80.3 GB' } + its('repositories") { should include "docker.io/library/nginx"} +end +``` + +Return information about pods as returned by [podman pod ps](https://docs.podman.io/en/latest/markdown/podman-pod-ps.1.html). 
+ +```ruby +describe podman.pods do + its("ids") { should include "95cadbb84df71e6374fceb3fd89ee3b8f2c7e1a831062cd9cea7d0e3e4b1dbcc" } + its("containers") { should eq [{ "Id" => "a218dfc58fa28e0c58c55e508e5b57084876b42e894b98073c69c45dea06cbb2", "Names" => "95cadbb84df7-infra", "Status" => "running" } ]} + its("names") { should include "cranky_allen" } +end +``` + +Return information about a Podman network as returned by [podman network ls](https://docs.podman.io/en/latest/markdown/podman-network-ls.1.html): + +```ruby +describe podman.networks do + its("names") { should include "podman" } + its("ids") { should include "2f259bab93aaaaa2542ba43ef33eb990d0999ee1b9924b557b7be53c0b7a1bb9" } + its("ipv6_enabled") { should eq [false] } +end +``` + +Return information about a Podman volume as returned by [podman volume ls](https://docs.podman.io/en/latest/markdown/podman-volume-ls.1.html): + +```ruby +describe podman.volumes do + its('names') { should include 'ae6be9ba838b9b150de47657229bb9b67142dbdb3d1ddbc5efa245cf1e95536a' } + its('drivers') { should include 'local' } +end +``` + +Return the parsed result of [podman info](https://docs.podman.io/en/latest/markdown/podman-info.1.html). + +```ruby +describe podman.info do + its("host.os") { should eq "linux" } +end +``` + +Return the parsed result of [podman version](https://docs.podman.io/en/latest/markdown/podman-version.1.html): + +```ruby +describe podman.version do + its("Client.Version") { should eq "4.1.0"} + its('Server.Version') { should eq '4.1.0'} +end +``` + +Return low-level information about Podman objects as returned by [podman inspect](https://docs.podman.io/en/latest/markdown/podman-inspect.1.html): + +```ruby +describe podman.object(id) do + its('State.Running') { should eq true } +end +``` + +## Matchers + +{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}} 
diff --git a/_vendor/github.com/inspec/inspec-podman-resources/docs-chef-io/content/podman_container.md b/_vendor/github.com/inspec/inspec-podman-resources/docs-chef-io/content/podman_container.md new file mode 100644 index 0000000..2835239 --- /dev/null +++ b/_vendor/github.com/inspec/inspec-podman-resources/docs-chef-io/content/podman_container.md 
@@ -0,0 +1,139 @@ ++++ +title = "podman_container resource" +draft = false + + +[menu.podman] + title = "podman_container" + identifier = "inspec/resources/podman/podman_container.md podman_container resource" + parent = "inspec/resources/podman" ++++ + +Use the `podman_container` Chef InSpec audit resource to test the configuration of Podman containers. + +## Syntax + +Use the `podman_container` Chef InSpec audit resource to test the properties of a Podman container. + +```ruby +describe podman_container("sweet_mendeleev") do + it { should exist } + it { should be_running } + its("id") { should eq "591270d8d80d26671fd6ed622f367fbe19004d16e3b519c292313feb5f22e7f7" } + its("image") { should eq "docker.io/library/nginx:latest" } + its("labels") { should include "maintainer"=>"NGINX Docker Maintainers " } + its("ports") { should eq nil } +end +``` + +## Resource Parameter Examples + +### name + +The container name can be provided with the `name` resource parameter. + +```ruby +describe podman_container(name: 'an-echo-server') do + it { should exist } + it { should be_running } +end +``` + +### container ID + +Alternatively, you can pass the container ID. + +```ruby +describe podman_container(id: '71b5df59442b') do + it { should exist } + it { should be_running } +end +``` + +## Properties + +## Property Examples + +The following examples show how to use this Chef InSpec resource. + +### id + +The `id` property tests the container ID. + +```ruby +its('id') { should eq '71b5df59...442b' } +``` + +### image + +The `image` property tests the value of the container image. + +```ruby +its('image') { should eq 'docker.io/library/nginx:latest' } +``` + +### labels + +The `labels` property tests the value of container image labels. + +```ruby +its('labels') { should eq "maintainer" => "NGINX Docker Maintainers " } +``` + +### ports + +The `ports` property tests the value of the Podmans ports. 
+ +```ruby +its('ports') { should eq '0.0.0.0:1234->1234/tcp' } +``` + +### command + +The `command` property tests the value of the container run command. + +```ruby +its('command') { should eq 'nc -ll -p 1234 -e /bin/cat' } +``` + +## Matchers + +{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}} + +The specific matchers of this resource are: `exist` and `be_running`. + +### exist + +The `exist` matcher specifies if the container exists. + +```ruby +it { should exist } +``` + +### be_running + +The `be_running` matcher checks if the container is running. + +```ruby +it { should be_running } +``` + +## Examples + +The following examples show how to use this Chef InSpec audit resource. + +Ensure the container `sweet_mendeleev` exists as part of the Podman instances: + +```ruby +describe podman_container('sweet_mendeleev') do + it { should exist } +end +``` + +Ensure the container `sweet_mendeleev` exists as part of the Podman instances and the status is running: + +```ruby +describe podman_container('sweet_mendeleev') do + it { should be_running } +end +``` diff --git a/_vendor/github.com/inspec/inspec-podman-resources/docs-chef-io/content/podman_image.md b/_vendor/github.com/inspec/inspec-podman-resources/docs-chef-io/content/podman_image.md new file mode 100644 index 0000000..aff99be --- /dev/null +++ b/_vendor/github.com/inspec/inspec-podman-resources/docs-chef-io/content/podman_image.md 
@@ -0,0 +1,183 @@ ++++ +title = "podman_image resource" +draft = false + + +[menu.podman] + title = "podman_image" + identifier = "inspec/resources/podman/podman_image.md podman_image resource" + parent = "inspec/resources/podman" ++++ + +Use the `podman_image` Chef InSpec audit resource to test the properties of a container image on Podman. + +## Syntax + +Use the `podman_image` Chef InSpec audit resource to test the properties of a container image on Podman. + +```ruby +describe podman_image("docker.io/library/busybox") do + it { should exist } + its("id") { should eq "3c19bafed22355e11a608c4b613d87d06b9cdd37d378e6e0176cbc8e7144d5c6" } + its("repo_tags") { should include "docker.io/library/busybox:latest" } + its("size") { should eq 1636053 } + its("os") { should eq "linux" } +end +``` + +where: + +- `id`, `repo_tags`, `size`, and `os` are properties of this resource to fetch the respective value of the container image. +- `exist` is a matcher of this resource. + +### Resource Parameter Examples + +The resource allows you to pass an image name. If the tag is missing for an image, `latest` is assumed as default. + +```ruby +describe podman_image("docker.io/library/busybox") do + it { should exist } +end +``` + +The resource allows you to pass the repository and tag values as separate values. + +```ruby +describe podman_image(repo: "docker.io/library/busybox", tag: "latest") do + it { should exist } +end +``` + +- The resource allows you to pass with an image ID. + +```ruby +describe podman_image(id: "8847e9bf6df8") do + it { should exist } +end +``` + +## Properties + +### id + +The `id` property returns the full image ID. + +```ruby +its("id") { should eq "3c19bafed22355e11a608c4b613d87d06b9cdd37d378e6e0176cbc8e7144d5c6" } +``` + +### repo_tags + +The `repo_tags` property tests the value of the repository name. 
+ +```ruby +its("repo_tags") { should include "docker.io/library/busybox:latest" } +``` + +### size + +The `size` property tests the size of the image in bytes + +```ruby +its("size") { should eq 1636053 } +``` + +### digest + +The `digest` property tests the value of the image digest. + +```ruby +its("digest") { should eq "sha256:3614ca5eacf0a3a1bcc361c939202a974b4902b9334ff36eb29ffe9011aaad83" } +``` + +### created_at + +The `created_at` property tests the time of the image creation. + +```ruby +its("created_at") { should eq "2022-06-08T00:39:28.175020858Z" } +``` + +### version + +The `version` property tests the version of the image. + +```ruby +its("version") { should eq "20.10.12" } +``` + +### names_history + +The `names_history` property tests the names history of the image. + +```ruby +its("names_history") { should include "docker.io/library/busybox:latest" } +``` + +### repo_digests + +The `repo_digests` tests the digest of the repository of the given image. + +```ruby +its("repo_digests") { should include "docker.io/library/busybox@sha256:2c5e2045f35086c019e80c86880fd5b7c7a619878b59e3b7592711e1781df51a" } +``` + +### architecture + +The `architecture` tests the architecture of the given image. + +```ruby +its("architecture") { should eq "arm64" } +``` + +### os + +The `os` property tests the operating system of the given image. + +```ruby +its("os") { should eq "linux" } +``` + +### virtual_size + +The `virtual_size` property tests the virtual size of the given image. + +```ruby +its("virtual_size") { should eq 1636053 } +``` + +## Matchers + +{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}} + +This resource has the following special matchers. + +### exist + +The `exist` matcher tests if the image is available on Podman. 
+ +```ruby +it { should exist } +``` + +## Examples + +Test if an image exists on Podman and verify the various image properties: + +```ruby +describe podman_image("docker.io/library/busybox") do + it { should exist } + its("id") { should eq "3c19bafed22355e11a608c4b613d87d06b9cdd37d378e6e0176cbc8e7144d5c6" } + its("repo_tags") { should include "docker.io/library/busybox:latest" } + its("size") { should eq 1636053 } + its("digest") { should eq "sha256:3614ca5eacf0a3a1bcc361c939202a974b4902b9334ff36eb29ffe9011aaad83" } + its("created_at") { should eq "2022-06-08T00:39:28.175020858Z" } + its("version") { should eq "20.10.12" } + its("names_history") { should include "docker.io/library/busybox:latest" } + its("repo_digests") { should include "docker.io/library/busybox@sha256:2c5e2045f35086c019e80c86880fd5b7c7a619878b59e3b7592711e1781df51a" } + its("architecture") { should eq "arm64" } + its("os") { should eq "linux" } + its("virtual_size") { should eq 1636053 } + its("resource_id") { should eq "docker.io/library/busybox:latest" } +end +``` diff --git a/_vendor/github.com/inspec/inspec-podman-resources/docs-chef-io/content/podman_network.md b/_vendor/github.com/inspec/inspec-podman-resources/docs-chef-io/content/podman_network.md new file mode 100644 index 0000000..88190a7 --- /dev/null +++ b/_vendor/github.com/inspec/inspec-podman-resources/docs-chef-io/content/podman_network.md 
@@ -0,0 +1,183 @@ ++++ +title = "podman_network resource" +draft = false + + +[menu.podman] + title = "podman_network" + identifier = "inspec/resources/podman/podman_network.md podman_network resource" + parent = "inspec/resources/podman" ++++ + +Use the `podman_network` Chef InSpec audit resource to test the properties of existing Podman networks. + +## Syntax + +Use the `podman_network` Chef InSpec audit resource to test the properties of a Podman network. + +```ruby +describe podman_network("minikube") do + it { should exist } + its("id") { should eq "3a7c94d937d5f3a0f1a9b1610589945aedfbe56207fd5d32fc8154aa1a8b007f" } + its("name") { should eq "minikube" } + its("ipv6_enabled") { should eq false } + its("network_interface") { should eq "podman1" } +end +``` + +where: + +- `id`, `name`, `ipv6_enabled`, and `network_interface` are properties of this resource to fetch the respective value of the Podman network. +- `exist` is a matcher of this resource. + +### Resource Parameter Examples + +The resource allows you to pass a network name. + +```ruby +describe podman_network("minikube") do + it { should exist } +end +``` + +The resource allows you to pass with a Network ID. + +```ruby +describe podman_network("3a7c94d937d5") do + it { should exist } +end +``` + +## Properties + +### id + +The `id` property returns the full Podman Network ID. + +```ruby + its("id") { should eq "3c19bafed22355e11a608c4b613d87d06b9cdd37d378e6e0176cbc8e7144d5c6" } +``` + +### name + +The `name` property tests the value of the Podman network name. + +```ruby +its("name") { should eq "minikube" } +``` + +### ipv6_enabled + +The `ipv6_enabled` property tests whether ipv6 is enabled on the Podman network. + +```ruby +its("ipv6_enabled") { should eq true } +``` + +### network_interface + +The `network_interface` property tests the value of the network interface settings on the Podman network. 
+ +```ruby +its("network_interface") { should eq "podman0" } +``` + +### created + +The `created` property tests the timestamp when the Podman network was created. + +```ruby +its("created") { should eq "2022-07-06T08:51:11.735432521+05:30" } +``` + +### subnets + +The `subnets` property tests the list of subnets on the Podman network. + +```ruby +its("subnets") { should inclue "gateway"=>"192.168.49.1", "subnet"=>"192.168.49.0/24" } +``` + +### dns_enabled + +The `dns_enabled` property tests whether the Podman network has DNS enabled. + +```ruby +its("dns_enabled") { should be false } +``` + +### internal + +The `internal` property tests whether the specified Podman network is internal. + +```ruby +its("internal") { should eq true } +``` + +### ipam_options + +The `ipam_options` property tests the IPAM options of the given Podman network. + +```ruby +its("ipam_options") { should eq "driver" => "host-local" } +``` + +### labels + +The `labels` property tests the labels set for the specified Podman network. + +```ruby +its("labels") { should eq "created_by.minikube.sigs.k8s.io"=>"true", "name.minikube.sigs.k8s.io"=>"minikube" } +``` + +### driver + +The `driver` property tests the value of the Podman network driver. + +```ruby +its("driver") { should eq "bridge" } +``` + +### options + +The `options` property tests the network options for the specified Podman network. + +```ruby +its("options") { should eq nil } +``` + +## Matchers + +{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}} + +This resource has the following special matchers. + +### exist + +The `exist` matcher tests if the specified network is available on Podman. 
+ +```ruby +it { should exist } +``` + +## Examples + +Test if a given Podman network exists and verifies the various network properties: + +```ruby +describe podman_network("minikube") do + it { should exist } + its("id") { should eq "3a7c94d937d5f3a0f1a9b1610589945aedfbe56207fd5d32fc8154aa1a8b007f" } + its("name") { should eq "minikube" } + its("ipv6_enabled") { should eq false } + its("network_interface") { should eq "podman1" } + its("subnets") { should include "gateway"=>"192.168.49.1", "subnet"=>"192.168.49.0/24" } + its("dns_enabled") { should eq true } + its("internal") { should eq false } + its("created") { should eq "2022-07-06T08:51:11.735432521+05:30" } + its("ipam_options") { should eq "driver" => "host-local" } + its("labels") { should eq "created_by.minikube.sigs.k8s.io"=>"true", "name.minikube.sigs.k8s.io"=>"minikube" } + its("driver") { should eq "bridge" } + its("options") { should eq nil } +end +``` diff --git a/_vendor/github.com/inspec/inspec-podman-resources/docs-chef-io/content/podman_pod.md b/_vendor/github.com/inspec/inspec-podman-resources/docs-chef-io/content/podman_pod.md new file mode 100644 index 0000000..8db214d --- /dev/null +++ b/_vendor/github.com/inspec/inspec-podman-resources/docs-chef-io/content/podman_pod.md 
@@ -0,0 +1,204 @@ ++++ +title = "podman_pod resource" +draft = false + + +[menu.podman] + title = "podman_pod" + identifier = "inspec/resources/podman/podman_pod.md podman_pod resource" + parent = "inspec/resources/podman" ++++ + +Use the `podman_pod` Chef InSpec audit resource to test the properties of a pod on Podman. + +## Syntax + +Use the `podman_pod` Chef InSpec audit resource to test the properties of a pod on Podman. + +```ruby +describe podman_pod("nginx-frontend") do + it { should exist } + its("id") { should eq "fcfe4d471cfface0d1b39bce23af7d31ab8736cd68c0360ade0b4afe364f79d4" } + its("name") { should eq "nginx-frontend" } + its("created_at") { should eq "2022-07-14T15:47:47.978078124+05:30" } + its("create_command") { should include "new:nginx-frontend" } + its("state") { should eq "Running" } +end +``` + +where: + +- `'nginx-frontend'` is the name of the pod. Pod ID and Pod names are valid parameters accepted by `podman_pod`. +- `'id'`, `'name'`, `'created_at'`, `'create_command'`, and `'state'`, are properties of this resource to fetch the respective value of the podman pod. +- `exist` is a matcher of this resource. + +## Properties + +Properties of the resources are: `'id'`, `'name'`, `'created_at'`, `'create_command'`, `'state'`, `'hostname'`, `'create_cgroup'`, `'cgroup_parent'`, `cgroup_path`, `'create_infra'`, `'infra_container_id'`, `'infra_config'`, `'shared_namespaces'`, `'num_containers'`, and `'containers'` + +### `id` + +The `id` property returns the id of the pod. + +```ruby +its("id") { should eq "fcfe4d471cfface0d1b39bce23af7d31ab8736cd68c0360ade0b4afe364f79d4" } +``` + +### `name` + +The `name` property returns the name of the pod. + +```ruby +its("name") { should eq "nginx-frontend" } +``` + +### `created_at` + +The `created_at` property returns the creation date of the pod. 
+ +```ruby +its("created_at") { should eq "2022-07-14T15:47:47.978078124+05:30" } +``` + +### `create_command` + +The `create_command` property returns an array of commands used to create the pod. + +```ruby +its("create_command") { should include "new:nginx-frontend" } +``` + +### `state` + +The `state` property returns the state of the pod. + +```ruby +its("state") { should eq "Running" } +``` + +### `hostname` + +The `hostname` property returns the hostname of the pod. + +```ruby +its("hostname") { should eq "" } +``` + +### `create_cgroup` + +The `create_cgroup` property returns a boolean value for cgroup creation of the pod. + +```ruby +its("create_cgroup") { should eq true } +``` + +### `cgroup_parent` + +The `cgroup_parent` property returns the name of the cgroup parent of the pod. + +```ruby +its("cgroup_parent") { should eq "user.slice" } +``` + +### `cgroup_path` + +The `cgroup_path` property returns the path of the cgroup parent of the pod. + +```ruby +its("cgroup_path") { should eq "user.slice/user-libpod_pod_fcfe4d471cfface0d1b39bce23af7d31ab8736cd68c0360ade0b4afe364f79d4.slice" } +``` + +### `create_infra` + +The `create_infra` property returns a boolean value for the pod infra creation. + +```ruby +its("create_infra") { should eq true } +``` + +### `infra_container_id` + +The `infra_container_id` property returns the infra container ID of the pod. + +```ruby +its("infra_container_id") { should eq "727538044b32a165934729dc2d47d9d5e981b6496aebfad7de470f7e76ea4251" } +``` + +### `infra_config` + +The `infra_config` property returns a hash of the infra configuration of the pod. + +```ruby +its("infra_config") { should include "DNSOption" } +``` + +### `shared_namespaces` + +The `shared_namespaces` property returns an array of shared namespaces of the pod. + +```ruby +its("shared_namespaces") { should include "ipc" } +``` + +### `num_containers` + +The `num_containers` property returns the number of containers in the pod. 
+ +```ruby +its("num_containers") { should eq 2 } +``` + +### `containers` + +The `containers` property returns an array of hashes about the information of containers in the pod. + +```ruby +its("containers") { should_not be nil } +``` + +## Matchers + +{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}} + +This resource has the following special matchers. + +### exist + +The `exist` matcher tests if the pod is available on Podman. + +```ruby +it { should exist } +``` + +## Examples + +Test if a pod exists on Podman and verifies pod properties: + +```ruby +describe podman_pod("nginx-frontend") do + it { should exist } + its("id") { should eq "fcfe4d471cfface0d1b39bce23af7d31ab8736cd68c0360ade0b4afe364f79d4" } + its("name") { should eq "nginx-frontend" } + its("created_at") { should eq "2022-07-14T15:47:47.978078124+05:30" } + its("create_command") { should include "new:nginx-frontend" } + its("state") { should eq "Running" } + its("hostname") { should eq "" } + its("create_cgroup") { should eq true } + its("cgroup_parent") { should eq "user.slice" } + its("cgroup_path") { should eq "user.slice/user-libpod_pod_fcfe4d471cfface0d1b39bce23af7d31ab8736cd68c0360ade0b4afe364f79d4.slice" } + its("create_infra") { should eq true } + its("infra_container_id") { should eq "727538044b32a165934729dc2d47d9d5e981b6496aebfad7de470f7e76ea4251" } + its("infra_config") { should include "DNSOption" } + its("shared_namespaces") { should include "ipc" } + its("num_containers") { should eq 2 } + its("containers") { should_not be nil } +end +``` + +Test if a pod doesn't exist on Podman: + +```ruby +describe podman_pod("non_existing_pod") do + it { should_not exist } +end +``` diff --git a/_vendor/github.com/inspec/inspec-podman-resources/docs-chef-io/content/podman_volume.md b/_vendor/github.com/inspec/inspec-podman-resources/docs-chef-io/content/podman_volume.md new file mode 100644 index 0000000..31d0ae1 --- /dev/null 
+++ b/_vendor/github.com/inspec/inspec-podman-resources/docs-chef-io/content/podman_volume.md 
@@ -0,0 +1,149 @@
++++
+title = "podman_volume resource"
+draft = false
+
+
+[menu.podman]
+ title = "podman_volume"
+ identifier = "inspec/resources/podman/podman_volume.md podman_volume resource"
+ parent = "inspec/resources/podman"
++++
+
+Use the `podman_volume` Chef InSpec audit resource to test the properties of a volume on Podman.
+
+## Syntax
+
+Use the `podman_volume` Chef InSpec audit resource to test the properties of a volume on Podman.
+
+```ruby
+describe podman_volume("my_volume") do
+ it { should exist }
+ its("name") { should eq "my_volume" }
+ its("driver") { should eq "local" }
+ its("mountpoint") { should eq "/var/home/core/.local/share/containers/storage/volumes/my_volume/_data" }
+ its("created_at") { should eq "2022-07-14T13:21:19.965421792+05:30" }
+end
+```
+
+where:
+
+- `'name'`, `'driver'`, `'mountpoint'`, and `'created_at'` are properties of this resource to fetch the respective value of the podman volume.
+- `exist` is a matcher of this resource.
+
+## Properties
+
+Properties of the resources: `name`, `driver`, `mountpoint`, `created_at`, `labels`, `scope`, `options`, `mount_count`, `needs_copy_up`, and `needs_chown`.
+
+### name
+
+The `name` property returns the name of the volume.
+
+```ruby
+its("name") { should eq "my_volume" }
+```
+
+### driver
+
+The `driver` property returns the value for the volume's driver environment.
+
+```ruby
+its("driver") { should eq "local" }
+```
+
+### mountpoint
+
+The `mountpoint` property returns the value for the volume's mount path.
+
+```ruby
+its("mountpoint") { should eq "/var/home/core/.local/share/containers/storage/volumes/my_volume/_data" }
+```
+
+### created_at
+
+The `created_at` property returns the creation date of the volume.
+
+```ruby
+its("created_at") { should eq "2022-07-14T13:21:19.965421792+05:30" }
+```
+
+### labels
+
+The `labels` property returns the labels associated with the volume.
+
+```ruby
+its("labels") { should eq({}) }
+```
+
+### scope
+
+The `scope` property returns the scope of the volume.
+
+```ruby
+its("scope") { should eq "local" }
+```
+
+### options
+
+The `options` property returns the options associated with the volume.
+
+```ruby
+its("options") { should eq({}) }
+```
+
+### mount_count
+
+The `mount_count` property returns the **MountCount** value from the volume's inspect information.
+
+```ruby
+its("mount_count") { should eq 0 }
+```
+
+### needs_copy_up
+
+The `needs_copy_up` property returns the **NeedsCopyUp** value from the volume's inspect information.
+
+```ruby
+its("needs_copy_up") { should eq true }
+```
+
+### needs_chown
+
+The `needs_chown` property returns the **NeedsChown** value from the volume's inspect information.
+
+```ruby
+its("needs_chown") { should eq true }
+```
+
+## Matchers
+
+{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}}
+
+This resource has the following special matchers.
+
+### exist
+
+The `exist` matcher tests if the volume is available on Podman.
+
+```ruby
+it { should exist }
+```
+
+## Examples
+
+Test if a volume exists on Podman and verifies volume properties:
+
+```ruby
+describe podman_volume("my_volume") do
+ it { should exist }
+ its("name") { should eq "my_volume" }
+ its("driver") { should eq "local" }
+ its("mountpoint") { should eq "/var/home/core/.local/share/containers/storage/volumes/my_volume/_data" }
+ its("created_at") { should eq "2022-07-14T13:21:19.965421792+05:30" }
+ its("labels") { should eq({}) }
+ its("scope") { should eq "local" }
+ its("options") { should eq({}) }
+ its("mount_count") { should eq 0 }
+ its("needs_copy_up") { should eq true }
+ its("needs_chown") { should eq true }
+end
+```
diff --git a/_vendor/github.com/inspec/inspec-rabbitmq-resources/docs-chef-io/content/_index.md b/_vendor/github.com/inspec/inspec-rabbitmq-resources/docs-chef-io/content/_index.md
new file mode 100644
index 0000000..e8c0958
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-rabbitmq-resources/docs-chef-io/content/_index.md
@@ -0,0 +1,41 @@
++++
+title = "About the Chef InSpec RabbitMQ resource pack"
+draft = false
+linkTitle = "RabbitMQ resource pack"
+summary = "Chef InSpec resources for auditing RabbitMQ."
+
+[cascade]
+ [cascade.params]
+ platform = "rabbitmq"
+
+[menu.rabbitmq]
+title = "About RabbitMQ resources"
+identifier = "inspec/resources/rabbitmq/about"
+parent = "inspec/resources/rabbitmq"
+weight = 10
++++
+
+The Chef InSpec RabbitMQ resources allow you to audit a RabbitMQ cluster.
+
+## Support
+
+The InSpec RabbitMQ resources were part of InSpec core through InSpec 6.
+Starting in InSpec 7, they're released separately as a Ruby gem.
+
+## Usage
+
+To add this resource pack to an InSpec profile, add the `inspec-rabbitmq-resources` gem as a dependency in your `inspec.yml` file:
+
+```yaml
+depends:
+ - name: inspec-rabbitmq-resources
+ gem: inspec-rabbitmq-resources
+```
+
+## RabbitMQ resources
+
+{{< inspec_resources_filter >}}
+
+The following Chef InSpec RabbitMQ resources are available in this resource pack.
+
+{{< inspec_resources section="rabbitmq" platform="rabbitmq" >}}
diff --git a/_vendor/github.com/inspec/inspec-rabbitmq-resources/docs-chef-io/content/rabbitmq_config.md b/_vendor/github.com/inspec/inspec-rabbitmq-resources/docs-chef-io/content/rabbitmq_config.md
new file mode 100644
index 0000000..6ca161d
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec-rabbitmq-resources/docs-chef-io/content/rabbitmq_config.md
@@ -0,0 +1,42 @@
++++
+title = "rabbitmq_config resource"
+draft = false
+
+[menu.rabbitmq]
+ title = "rabbitmq_config"
+ identifier = "inspec/resources/rabbitmq/rabbitmq_config.md rabbitmq_config resource"
+ parent = "inspec/resources/rabbitmq"
++++
+
+Use the `rabbitmq_config` Chef InSpec audit resource to test configuration data for the RabbitMQ daemon located at `/etc/rabbitmq/rabbitmq.config` on Linux and Unix platforms.
+
+## Syntax
+
+A `rabbitmq_config` resource block declares the RabbitMQ configuration data to be tested:
+
+```ruby
+describe rabbitmq_config.params('rabbit', 'ssl_listeners') do
+ it { should cmp 5671 }
+end
+```
+
+where
+
+- `params` is the list of parameters configured in the RabbitMQ config file
+- `{ should cmp 5671 }` tests the value of `rabbit.ssl_listeners` as read from `rabbitmq.config` versus the value declared in the test
+
+## Examples
+
+The following examples show how to use this Chef InSpec audit resource.
+
+Test the list of TCP listeners:
+
+```ruby
+describe rabbitmq_config.params('rabbit', 'tcp_listeners') do
+ it { should eq [5672] }
+end
+```
+
+## Matchers
+
+{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}}
diff --git a/_vendor/modules.txt b/_vendor/modules.txt
index 130b359..ef9234f
--- a/_vendor/modules.txt
+++ b/_vendor/modules.txt
@@ -5,3 +5,14 @@
 # github.com/swiftype/swiftype-autocomplete-jquery v0.0.0-20190222215504-a90008d64b30
 # github.com/swiftype/swiftype-search-jquery v1.1.0
 # github.com/ten1seven/what-input v5.2.12+incompatible
+# github.com/inspec/inspec-alicloud/docs-chef-io v0.0.0-20250916200856-e0282c7e7e95
+# github.com/inspec/inspec-aws/docs-chef-io v0.0.0-20250916202221-29b643831cd7
+# github.com/inspec/inspec-azure/docs-chef-io v0.0.0-20250916194337-b35304faf432
+# github.com/inspec/inspec-docker-resources/docs-chef-io v0.0.0-20250916163154-00f68530f2fe
+# github.com/inspec/inspec-elasticsearch-resources/docs-chef-io v0.0.0-20250916165122-f444af6bce12
+# github.com/inspec/inspec-gcp/docs-chef-io v0.0.0-20250916195958-b9dd2dbe7127
+# github.com/inspec/inspec-habitat/docs-chef-io v0.0.0-20250916192558-02d43679439c
+# github.com/inspec/inspec-k8s/docs-chef-io v0.0.0-20250916191115-2364b56676e3
+# github.com/inspec/inspec-mongodb-resources/docs-chef-io v0.0.0-20250916171923-0350a4010119
+# github.com/inspec/inspec-podman-resources/docs-chef-io v0.0.0-20250916182215-3e30d0a84f87
+# github.com/inspec/inspec-rabbitmq-resources/docs-chef-io v0.0.0-20250916175312-e2c5b47479e0
diff --git a/config/_default/hugo.toml b/config/_default/hugo.toml
index 98cec99..a381e5d 100644
--- a/config/_default/hugo.toml
+++ b/config/_default/hugo.toml
@@ -24,7 +24,7 @@ timeZone = 'America/New_York'
 taskList = true
 typographer = true
 [markup.goldmark.parser]
- autoDefinitionTermID = false
+ autoDefinitionTermID = true
 autoHeadingID = true
 autoHeadingIDType = "github"
 wrapStandAloneImageWithinParagraph = true
diff --git a/config/_default/menu.toml b/config/_default/menu.toml
index 168ec42..9a3dec1 100644
--- a/config/_default/menu.toml
+++ b/config/_default/menu.toml
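Review bot: The flip of `autoDefinitionTermID` from `false` to `true` under `[markup.goldmark.parser]` is the only change in the hugo.toml hunk and carries no comment, so nothing records what depends on definition-list term anchors now being generated. Unlike `autoHeadingID` on the next line, no other file in this commit visibly links to such anchors, so the motivation is not recoverable from the diff. A one-line comment above the key naming the consumer would save the next reader a bisect, e.g. `# Definition-list terms get id attributes; <CONTENT THAT LINKS TO THEM> relies on this` with the placeholder filled in.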
@@ -50,3 +50,51 @@ weight = 60
 ####
 ## End Main Menu ##
 ####
+
+####
+## Resource pack menus
+####
+
+[[alicloud]]
+title = "Alibaba Cloud"
+identifier = "inspec/resources/alicloud"
+
+[[aws]]
+title = "AWS"
+identifier = "inspec/resources/aws"
+
+[[azure]]
+title = "Azure"
+identifier = "inspec/resources/azure"
+
+[[docker]]
+title = "Docker"
+identifier = "inspec/resources/docker"
+
+[[elasticsearch]]
+title = "Elasticsearch"
+identifier = "inspec/resources/elasticsearch"
+
+[[gcp]]
+title = "GCP"
+identifier = "inspec/resources/gcp"
+
+[[habitat]]
+title = "Habitat"
+identifier = "inspec/resources/habitat"
+
+[[k8s]]
+title = "Kubernetes"
+identifier = "inspec/resources/k8s"
+
+[[mongodb]]
+title = "MongoDB"
+identifier = "inspec/resources/mongodb"
+
+[[podman]]
+title = "Podman"
+identifier = "inspec/resources/podman"
+
+[[rabbitmq]]
+title = "RabbitMQ"
+identifier = "inspec/resources/rabbitmq"
diff --git a/config/_default/module.toml b/config/_default/module.toml
index e5bdf63..5f0bd79 100644
--- a/config/_default/module.toml
+++ b/config/_default/module.toml
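Review bot: The `identifier` values of the eleven new menu entries (`inspec/resources/alicloud` through `inspec/resources/rabbitmq`) are referenced as `parent` from the vendored upstream front matter (the rabbitmq `_index.md` in this same commit uses `parent = "inspec/resources/rabbitmq"`), and the menu names are repeated verbatim in the `menuOrder` list in params.toml, yet nothing in the file says so. Renaming or dropping one entry here therefore breaks navigation in two other places without any build-time error that I can see, so the `## Resource pack menus` header should carry that coupling, e.g. `## Each menu name must also appear in params.toml menuOrder; the identifier is the parent used by the imported docs' front matter`. It may also be worth confirming how Hugo reports a menu entry whose parent identifier does not exist, since that is the failure mode of a typo here.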
@@ -86,4 +86,179 @@ workspace = ''
 [[mounts]]
 source = "node_modules/foundation-sites"
- target = "assets/sass/foundation-sites"
\ No newline at end of file
+ target = "assets/sass/foundation-sites"
+
+###
+# InSpec Alicloud resource docs
+###
+
+[[imports]]
+ disable = false
+ ignoreConfig = false
+ ignoreImports = false
+ path = "github.com/inspec/inspec-alicloud/docs-chef-io"
+
+[[imports.mounts]]
+ source = "content"
+ target = "content/alicloud"
+
+[[imports.mounts]]
+ source = "layouts"
+ target = "layouts"
+
+
+###
+# InSpec aws resource docs
+###
+
+[[imports]]
+ disable = false
+ ignoreConfig = false
+ ignoreImports = false
+ path = "github.com/inspec/inspec-aws/docs-chef-io"
+
+[[imports.mounts]]
+ source = "content"
+ target = "content/aws"
+
+[[imports.mounts]]
+ source = "assets"
+ target = "assets"
+
+[[imports.mounts]]
+ source = "layouts"
+ target = "layouts"
+
+###
+# InSpec azure resource docs
+###
+
+[[imports]]
+ disable = false
+ ignoreConfig = false
+ ignoreImports = false
+ path = "github.com/inspec/inspec-azure/docs-chef-io"
+
+[[imports.mounts]]
+ source = "assets"
+ target = "assets"
+
+[[imports.mounts]]
+ source = "content"
+ target = "content/azure"
+
+[[imports.mounts]]
+ source = "layouts"
+ target = "layouts"
+
+# ###
+# # InSpec docker resource docs
+# ###
+
+[[imports]]
+ disable = false
+ ignoreConfig = false
+ ignoreImports = false
+ path = "github.com/inspec/inspec-docker-resources/docs-chef-io"
+
+[[imports.mounts]]
+ source = "content"
+ target = "content/docker"
+
+# ###
+# # InSpec elasticsearch resource docs
+# ###
+
+[[imports]]
+ disable = false
+ ignoreConfig = false
+ ignoreImports = false
+ path = "github.com/inspec/inspec-elasticsearch-resources/docs-chef-io"
+
+[[imports.mounts]]
+ source = "content"
+ target = "content/elasticsearch"
+
+###
+# InSpec GCP resource docs
+###
+
+[[imports]]
+ disable = false
+ ignoreConfig = false
+ ignoreImports = false
+ path = "github.com/inspec/inspec-gcp/docs-chef-io"
+
+[[imports.mounts]]
+ source = "content"
+ target = "content/gcp"
+
+###
+# InSpec habitat resource docs
+###
+
+[[imports]]
+ disable = false
+ ignoreConfig = false
+ ignoreImports = false
+ path = "github.com/inspec/inspec-habitat/docs-chef-io"
+
+[[imports.mounts]]
+ source = "content"
+ target = "content/habitat"
+
+###
+# InSpec k8s resource docs
+###
+
+[[imports]]
+ disable = false
+ ignoreConfig = false
+ ignoreImports = false
+ path = "github.com/inspec/inspec-k8s/docs-chef-io"
+
+[[imports.mounts]]
+ source = "content"
+ target = "content/k8s"
+
+# ###
+# # InSpec mongodb resource docs
+# ###
+
+[[imports]]
+ disable = false
+ ignoreConfig = false
+ ignoreImports = false
+ path = "github.com/inspec/inspec-mongodb-resources/docs-chef-io"
+
+[[imports.mounts]]
+ source = "content"
+ target = "content/mongodb"
+
+# ###
+# # InSpec podman resource docs
+# ###
+
+[[imports]]
+ disable = false
+ ignoreConfig = false
+ ignoreImports = false
+ path = "github.com/inspec/inspec-podman-resources/docs-chef-io"
+
+[[imports.mounts]]
+ source = "content"
+ target = "content/podman"
+
+# ###
+# # InSpec rabbitmq resource docs
+# ###
+
+[[imports]]
+ disable = false
+ ignoreConfig = false
+ ignoreImports = false
+ path = "github.com/inspec/inspec-rabbitmq-resources/docs-chef-io"
+
+[[imports.mounts]]
+ source = "content"
+ target = "content/rabbitmq"
diff --git a/config/_default/params.toml b/config/_default/params.toml
index 56230fe..9ddf3c3 100644
--- a/config/_default/params.toml
+++ b/config/_default/params.toml
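Review bot: Three external modules (alicloud, aws, azure) each mount their `layouts` directory onto the single target `layouts`, and aws and azure both mount `assets` onto `assets`, so a template or asset with the same relative path in two of those upstream repositories is silently shadowed by whichever mount Hugo resolves first (import order, as far as I recall — worth confirming) and can also override the theme's own templates. Because every import keeps `ignoreConfig = false` and `ignoreImports = false`, each of these eleven repositories can additionally contribute site configuration and transitive module imports at build time; the pseudo-version pins in go.mod and the vendored copies bound that, but a version bump of the three layout-mounting modules is effectively a template change and deserves the same review as one in this repository. A short comment above the first `[[imports]]` should state this, e.g. `# Imported layouts/assets share one target tree with the theme: same-named files shadow each other, and upstream config/imports are merged (ignoreConfig/ignoreImports = false)`. Separately, the section headers for docker, elasticsearch, mongodb, podman and rabbitmq are written as `# ###` / `# # InSpec docker resource docs` (double-commented) while the `[[imports]]` under them are live, which reads as a disabled block; normalise them to the `###` / `# InSpec ... resource docs` form used for alicloud, aws, azure, GCP, habitat and k8s. The three `disable`/`ignoreConfig`/`ignoreImports = false` lines restate Hugo's defaults and could be dropped once the comment above documents the intent.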
@@ -6,14 +6,25 @@
 # menuOrder = The order of the menus are included in the left nav menu.
 # Menus are defined in the /config/_default/menu.toml file
 #######
-
-menuOrder = []
+menuOrder = [
+ "about",
+ "alicloud",
+ "aws",
+ "azure",
+ "docker",
+ "elasticsearch",
+ "gcp",
+ "habitat",
+ "k8s",
+ "mongodb",
+ "podman",
+ "rabbitmq",
+]
 #######
 # robots = The default robots config applied to each page in the robots meta tag.
 # See http://www.robotstxt.org/meta.html
 #######
-
 robots = ''
 #######
@@ -28,8 +39,12 @@ robots = ''
 breadcrumbs = true
 [[breadcrumb_base]]
-breadcrumb = "Documentation"
-url = "https://docs.chef.io"
+ breadcrumb = "Documentation"
+ url = "https://docs.chef.io"
+
+[[breadcrumb_base]]
+ breadcrumb = "InSpec"
+ url = "https://docs.chef.io/inspec/"
 #######
 #
@@ -52,8 +67,8 @@ url = "https://docs.chef.io"
 #######
 [render_hooks.link]
-errorLevel = 'warning'
-highlightBroken = true
+ errorLevel = 'warning'
+ highlightBroken = true
 [render_hooks.image]
-errorLevel = 'warning'
+ errorLevel = 'warning'
diff --git a/content/_index.md b/content/_index.md
index e899591..be4840f 100644
--- a/content/_index.md
+++ b/content/_index.md
@@ -1,9 +1,13 @@
 +++
 title = "Chef InSpec resource packs"
 draft = false
-breadcrumbs = true
-+++
+list_pages = true
+linkTitle = "Resource packs"
-Welcome to the Chef InSpec Resource Documentation site. This site is configured as a Hugo site based on the chef-inspec-docs repository.
+[cascade]
+ breadcrumbs = true
-This is a blank Hugo site ready for content to be added.
+[menu.about]
+title = "Resource packs"
+identifier = "inspec/resources"
++++
diff --git a/content/reusable/index.md b/content/reusable/index.md
new file mode 100644
index 0000000..8df5f65
--- /dev/null
+++ b/content/reusable/index.md
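Review bot: The context comment `# Menus are defined in the /config/_default/menu.toml file` directly above the new `menuOrder` list is no longer accurate for its first entry, `"about"`, which this same commit defines in page front matter (`[menu.about]` in `content/_index.md`) rather than in menu.toml. The remaining eleven names must match the `[[...]]` menu names in menu.toml character for character (`"k8s"` for `[[k8s]]`, not `"kubernetes"`), and a mismatch presumably just drops that menu from the left nav rather than failing the build, so the comment is the only guard. I would change it to `# Menus are defined in /config/_default/menu.toml or in page front matter ([menu.about] lives in content/_index.md); names here must match the menu names exactly`. The other two hunks in this file are whitespace-only apart from the added `"InSpec"` breadcrumb entry, which looks fine.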
@@ -0,0 +1,13 @@
++++
+title = 'Headless section'
+headless = true
+
+[[cascade]]
+ [cascade.build]
+ list = 'never'
+ publishResources = false
+ render = 'never'
+
+## https://gohugo.io/content-management/build-options/#example--headless-section
+## Content in this directory isn't published but can be included in other pages.
++++
diff --git a/content/reusable/md/inspec_filter_table.md b/content/reusable/md/inspec_filter_table.md
new file mode 100644
index 0000000..32d3a45
--- /dev/null
+++ b/content/reusable/md/inspec_filter_table.md
@@ -0,0 +1 @@
+For information on using filter criteria on plural resources, see the documentation on [FilterTable](https://github.com/inspec/inspec/blob/main/dev-docs/filtertable-usage.md)
diff --git a/content/reusable/md/inspec_matchers_link.md b/content/reusable/md/inspec_matchers_link.md
new file mode 100644
index 0000000..d9dea05
--- /dev/null
+++ b/content/reusable/md/inspec_matchers_link.md
@@ -0,0 +1 @@
+For a full list of available matchers, see our [Universal Matchers page](https://docs.chef.io/inspec/matchers/).
diff --git a/go.mod b/go.mod
index 5661dc1..65aea4b 100644
--- a/go.mod
+++ b/go.mod
@@ -2,4 +2,17 @@ module github.com/inspec/chef-inspec-resource-docs
 go 1.23.11
-require github.com/chef/chef-docs-theme v0.0.0-20250910183723-d7eeb21fa4e6 // indirect
+require (
+ github.com/chef/chef-docs-theme v0.0.0-20250910183723-d7eeb21fa4e6 // indirect
+ github.com/inspec/inspec-alicloud/docs-chef-io v0.0.0-20250916200856-e0282c7e7e95 // indirect
+ github.com/inspec/inspec-aws/docs-chef-io v0.0.0-20250916202221-29b643831cd7 // indirect
+ github.com/inspec/inspec-azure/docs-chef-io v0.0.0-20250916194337-b35304faf432 // indirect
+ github.com/inspec/inspec-docker-resources/docs-chef-io v0.0.0-20250916163154-00f68530f2fe // indirect
+ github.com/inspec/inspec-elasticsearch-resources/docs-chef-io v0.0.0-20250916165122-f444af6bce12 // indirect
+ github.com/inspec/inspec-gcp/docs-chef-io v0.0.0-20250916195958-b9dd2dbe7127 // indirect
+ github.com/inspec/inspec-habitat/docs-chef-io v0.0.0-20250916192558-02d43679439c // indirect
+ github.com/inspec/inspec-k8s/docs-chef-io v0.0.0-20250916191115-2364b56676e3 // indirect
+ github.com/inspec/inspec-mongodb-resources/docs-chef-io v0.0.0-20250916171923-0350a4010119 // indirect
+ github.com/inspec/inspec-podman-resources/docs-chef-io v0.0.0-20250916182215-3e30d0a84f87 // indirect
+ github.com/inspec/inspec-rabbitmq-resources/docs-chef-io v0.0.0-20250916175312-e2c5b47479e0 // indirect
+)
diff --git a/go.sum b/go.sum
index cbe27db..8986ea4 100644
--- a/go.sum
+++ b/go.sum
@@ -1,2 +1,24 @@ github.com/chef/chef-docs-theme v0.0.0-20250910183723-d7eeb21fa4e6 h1:xVfUSt79EKoPAlXC6hpHQQABnOk9qcLzahGHCKovd/U= github.com/chef/chef-docs-theme v0.0.0-20250910183723-d7eeb21fa4e6/go.mod h1:+Jpnv+LXE6dXu2xDcMzMc0RxRGuCPAoFxq5tJ/X6QpQ= +github.com/inspec/inspec-alicloud/docs-chef-io v0.0.0-20250916200856-e0282c7e7e95 h1:8tuOCVYNEM4s+xbcIQndwVCyxxKijVQKwwHG4J3Onck= +github.com/inspec/inspec-alicloud/docs-chef-io v0.0.0-20250916200856-e0282c7e7e95/go.mod h1:tAazDDBtR5yCl/FNWHnrmkxpfxnOo9B99DyfRE7JH1c= +github.com/inspec/inspec-aws/docs-chef-io v0.0.0-20250916202221-29b643831cd7 h1:g+WE5991Cz5BirERE09XZc60T2518INjDYPZ5ZwO7yI= +github.com/inspec/inspec-aws/docs-chef-io v0.0.0-20250916202221-29b643831cd7/go.mod h1:5rfIsi1/SqSiAXqU94UOcfMnebnuaEmFriU8k8t1Kes= +github.com/inspec/inspec-azure/docs-chef-io v0.0.0-20250916194337-b35304faf432 h1:0yiQig+8YCukhEgyWQZApX5XgEUH81Ii8fU2EyoHDp4= +github.com/inspec/inspec-azure/docs-chef-io v0.0.0-20250916194337-b35304faf432/go.mod h1:93+uw8FTBAWybBZIn45FzO5vnZDBh51lgMwMP1vvIqo= +github.com/inspec/inspec-docker-resources/docs-chef-io v0.0.0-20250916163154-00f68530f2fe h1:q+6/ew2uKVcCDRZQypESj/96ebFngKkRgZWWTdQEQgo= +github.com/inspec/inspec-docker-resources/docs-chef-io v0.0.0-20250916163154-00f68530f2fe/go.mod h1:3fzIdivw/hG5uMTaSjX7wy/awPB9UZwOnqu8CWP7yWc= +github.com/inspec/inspec-elasticsearch-resources/docs-chef-io v0.0.0-20250916165122-f444af6bce12 h1:LzWarSTTlgS5Aa1C3dXFoaoWJ/GHhMTx0JXQyYTCrE8= +github.com/inspec/inspec-elasticsearch-resources/docs-chef-io v0.0.0-20250916165122-f444af6bce12/go.mod h1:/lARzfhh3ayUdfLhOQ69n8FzYNlNY7MN+D5ZZvM3g6M= +github.com/inspec/inspec-gcp/docs-chef-io v0.0.0-20250916195958-b9dd2dbe7127 h1:id+cZ9EvPVx65/l6kHBTl6Sao4JysNYBO0z/yHvNCVQ= +github.com/inspec/inspec-gcp/docs-chef-io v0.0.0-20250916195958-b9dd2dbe7127/go.mod h1:3Ad4LlqDpvhXXkDJ5THGP4Nk2lTvOerNN2PBujr6KRA= +github.com/inspec/inspec-habitat/docs-chef-io v0.0.0-20250916192558-02d43679439c 
h1:H0pLT1VOhNhk9H7qK0HfHK7jJ0fwySg7k84mjGDTXb8= +github.com/inspec/inspec-habitat/docs-chef-io v0.0.0-20250916192558-02d43679439c/go.mod h1:Q4E7QBY4b7HDE2psfGT9jqvnLq1yfg5e9KWK4VTtI/M= +github.com/inspec/inspec-k8s/docs-chef-io v0.0.0-20250916191115-2364b56676e3 h1:SKXFGe1W5TZUQxCVYullJwGMccBYeG6q+Uz7ZCcD3DY= +github.com/inspec/inspec-k8s/docs-chef-io v0.0.0-20250916191115-2364b56676e3/go.mod h1:JwjkNHKgELWxc9esXuK3ELEGL371pK496OKrK+te3Lk= +github.com/inspec/inspec-mongodb-resources/docs-chef-io v0.0.0-20250916171923-0350a4010119 h1:R97KwsAZ5U0GRqrOVspQG0rPAzm3+CxDkrJ19b7hwf8= +github.com/inspec/inspec-mongodb-resources/docs-chef-io v0.0.0-20250916171923-0350a4010119/go.mod h1:LAo5xmGnmk6pjRvhkotI1OGUccYAGPE1qSpUSC5BZRQ= +github.com/inspec/inspec-podman-resources/docs-chef-io v0.0.0-20250916182215-3e30d0a84f87 h1:+1xipLX4FnVyfDMCCoK6PF5n1CQGqeyjyaUJh76a5iU= +github.com/inspec/inspec-podman-resources/docs-chef-io v0.0.0-20250916182215-3e30d0a84f87/go.mod h1:/YeopCfRICJZWXcL2skXRlVxdEp7Uql/sIR5daMouBU= +github.com/inspec/inspec-rabbitmq-resources/docs-chef-io v0.0.0-20250916175312-e2c5b47479e0 h1:lB/kEv8G8axj8/Mjzm5bbgVSxdk6UgCTWxpgHhOIBiM= +github.com/inspec/inspec-rabbitmq-resources/docs-chef-io v0.0.0-20250916175312-e2c5b47479e0/go.mod h1:TTh+Le+xtHkaVwmLCNoBOE2O7+jEmS4imzyXFL0gI1Y=