alicloud_ram_user Resource
Use the alicloud_ram_user
InSpec audit resource to test properties of a single Alicloud RAM user.
Syntax
An alicloud_ram_user
resource block declares the tests for a single Alicloud RAM user by user name.
describe alicloud_ram_user(user_name: 'psmith') do
it { should exist }
end
Parameters
user_name
(required)This resource accepts a single parameter, the RAM user’s user name which uniquely identifies the user.
This can be passed either as a string or as auser_name: 'value'
key-value entry in a hash.
See also the Alicloud documentation on RAM users.
Properties
user_name
- The RAM user’s username.
user_id
- The RAM user’s unique ID.
display_name
- The RAM user’s display name.
comments
- Comments about the user.
email
- The RAM user’s email address.
mobile_phone
- The RAM user’s mobile phone number.
create_date
- The time when the RAM user was created.
update_date
- The time when the information about the RAM user was last updated.
last_login_date
- The time when the RAM user last logged on to the console using their password.
access_keys
- An array of hashes each containing metadata about the user’s access keys (active and inactive).
active_access_keys
- An array of hashes each containing metadata about the user’s active access keys.
Examples
The following examples show how to use this InSpec audit resource.
Test that a RAM user does not exist.
describe alicloud_ram_user(user_name: 'invalid-user') do
it { should_not exist }
end
Ensure a RAM user has no active access keys.
describe alicloud_ram_user('psmith') do
it { should exist }
it { should not have_active_access_key }
its('active_access_keys.count') { should eq 0 }
end
Ensure a RAM user has 0 or 1 active access keys.
describe alicloud_ram_user('psmith') do
its('active_access_keys.count') { should be <= 1 }
end
Ensure that a RAM user does not have both console access and active access key(s).
describe alicloud_ram_user('psmith') do
it { should_not have_console_and_key_access }
end
Matchers
This InSpec audit resource has the following special matchers. For a full list of available matchers, please visit our Universal Matchers page.
exist
The control will pass if the describe returns at least one result.
Use should_not
to test the entity should not exist.
it { should exist }
has_console_access
This will check whether the requested user has a login profile for console access.
it { should have_console_access }
has_active_access_key
This will check whether the requested user has at least one active access key and secret key.
it { should have_active_access_key }
has_console_and_key_access
This will check whether the requested user has a login profile for console access, as well as at least one active access key/secret key pair.
Alicloud Permissions
Your Principal will need the following permissions action with Effect set to Allow: ram:Getuser
, ram:GetLoginProfile
, ram:ListAccessKeys
.
See the Alibaba Cloud Resource Access Management documentation.