aws_vpc_endpoint Resource
Use the aws_vpc_endpoint
InSpec audit resource to test properties of a single specific AWS VPC Endpoint.
A VPC Endpoint is uniquely identified by the VPC Endpoint ID (e.g vpce-123456abcdef12345)
For additional information, including details on parameters and properties, see the AWS documentation on VPC Endpoints.
Installation
This resource is available in the Chef InSpec AWS resource pack.
See the Chef InSpec documentation on cloud platforms for information on configuring your AWS environment for InSpec and creating an InSpec profile that uses the InSpec AWS resource pack.
Syntax
Ensure that a VPC Endpoint exists.
# Find a VPC Endpoint by ID
describe aws_vpc_endpoint('vpce-12345678987654321') do
it { should exist }
end
# Hash syntax for ID
describe aws_vpc_endpoint(vpc_endpoint_id: 'vpce-12345678987654321') do
it { should exist }
end
Ensure that a VPC Endpoint is available.
describe aws_vpc_endpoint('vpce-12345678987654321') do
its('state') { should be 'available' }
end
# Alternative using a matcher
describe aws_vpc_endpoint('vpce-12345678987654321') do
its('state') { should be_available }
end
Confirm that the route table configured to a VPC Endpoint is as expected.
describe aws_vpc_endpoint('vpce-12345678987654321') do
its('route_table_ids') { should include 'rtb-1234456123456abcde' }
end
Confirm that the type of a VPC Endpoint is as expected.
describe aws_vpc_endpoint('vpce-12345678987654321') do
its('vpc_endpoint_type') { should be 'Gateway' }
end
# Alternative using a matcher
describe aws_vpc_endpoint('vpce-12345678987654321') do
its('vpc_endpoint_type') { should be_gateway }
end
Parameters
vpc_endpoint_id
The VPC endpoint ID. This can be passed either as a string or as a
vpc_endpoint_id: 'value'
key-value entry in a hash.
Properties
vpc_endpoint_id
- The ID of the endpoint.
vpc_endpoint_type
- One of “Interface”, “Gateway”.
vpc_id
- The ID of the VPC in which the endpoint resides.
state
- State of the VPC Endpoint. One of “pendingacceptance”, “pending”, “available”, “deleting”, “deleted”, “rejected”, “failed”, “expired”.
route_table_ids
- The route table IDs for the Gateway type endpoint.
subnet_ids
- The subnet IDs for the Interface type endpoint.
groups
- The Security Groups for the Interface type endpoint.
private_dns_enabled
- Boolean value for Private DNS enable status.
network_interface_ids
- The Network Interface IDs for the Interface type endpoint.
dns_entries
- The DNS Entries for the VPC Endpoint.
tags
- The key/value combination of a tag assigned to the resource.
Examples
Ensure a VPC Endpoint is available.
describe aws_vpc_endpoint(vpc_endpoint_id: 'vpce-12345678987654321') do
its('state') { should eq 'available' }
end
Ensure that the endpoint is of Gateway type.
describe aws_vpc_endpoint(vpc_endpoint_id: 'vpce-12345678987654321') do
its('vpc_endpoint_type') { should eq 'Gateway' }
end
Check tags .
describe aws_vpc_endpoint do
its('tags') { should include(:Environment => 'env-name',
:Name => 'vpce-name')}
end
Matchers
This InSpec audit resource has the following special matchers. For a full list of available matchers, please visit our Universal Matchers page.
The controls will pass if the describe returns at least one result.
exist
Use should_not
to test the entity should not exist.
describe aws_vpc_endpoint(vpc_endpoint_id: 'vpce-12345678987654321') do
it { should exist }
end
describe aws_vpc_endpoint(vpc_endpoint_id: 'vpce-12345678987654321') do
it { should_not exist }
end
be_available
Checks if the VPC Endpoint is in available state.
Use should_not
to test the entity should not exist.
describe aws_vpc_endpoint(vpc_endpoint_id: 'vpce-12345678987654321') do
it { should be_available }
end
describe aws_vpc_endpoint(vpc_endpoint_id: 'vpce-12345678987654321') do
it { should_not be_available }
end
be_interface
Checks if the VPC Endpoint type is Interface.
Use should_not
to test the entity should not exist.
describe aws_vpc_endpoint(vpc_endpoint_id: 'vpce-12345678987654321') do
it { should be_interface }
end
describe aws_vpc_endpoint(vpc_endpoint_id: 'vpce-12345678987654321') do
it { should_not be_interface }
end
be_gateway
Checks if the VPC Endpoint type is Gateway.
Use should_not
to test the entity should not exist.
describe aws_vpc_endpoint(vpc_endpoint_id: 'vpce-12345678987654321') do
it { should be_gateway }
end
describe aws_vpc_endpoint(vpc_endpoint_id: 'vpce-12345678987654321') do
it { should_not be_gateway }
end
AWS Permissions
Your Principal will need the EC2:Client:DescribeVpcEndpointsResult
action with Effect
set to Allow
.
You can find detailed documentation at Actions, Resources, and Condition Keys for Amazon EC2.