aws_cloudformation_stack Resource
Use the aws_cloudformation_stack
InSpec audit resource to test properties of a single AWS Cloud Formation Stack.
For additional information, including details on parameters and properties, see the AWS documentation on Cloud Formation.
Installation
This resource is available in the Chef InSpec AWS resource pack.
See the Chef InSpec documentation on cloud platforms for information on configuring your AWS environment for InSpec and creating an InSpec profile that uses the InSpec AWS resource pack.
Syntax
Ensure that an aws_cloudformation_stack
exists
describe aws_cloudformation_stack('stack-name') do
it { should exist }
end
describe aws_cloudformation_stack(stack_name: 'stack-name') do
it { should exist }
end
Parameters
stack_name
(required)This resource accepts a single parameter, the CloudFormation Stack name which uniquely identifies the stack. This can be passed either as a string or as a
stack_name: 'value'
key-value entry in a hash.
Properties
stack_id
- Unique identifier of the stack.
stack_name
- The name associated with the stack.
change_set_id
- The unique ID of the change set.
description
- A user-defined description associated with the stack.
parameters
- A list of Parameter structures.
creation_time
- The time at which the stack was created.
deletion_time
- The time the stack was deleted.
last_updated_time
- The time the stack was last updated.
rollback_configuration
- The rollback triggers for AWS CloudFormation to monitor during stack creation and updating operations, and for the specified monitoring period afterwards.
stack_status
- Current status of the stack.
stack_status_reason
- Success/failure message associated with the stack status.
drift_information
- Information on whether a stack’s actual configuration differs, or has drifted, from it’s expected configuration, as defined in the stack template and any values specified as template parameters.
disable_rollback
- Boolean to enable or disable rollback on stack creation failures:.
notification_arns
- SNS topic ARNs to which stack related events are published.
timeout_in_minutes
- The amount of time within which stack creation should complete.
capabilities
- The capabilities allowed in the stack.
outputs
- A list of output structures.
role_arn
- The Amazon Resource Name (ARN) of an AWS Identity and Access Management (IAM) role that is associated with the stack.
tags
- A list of Tags that specify information about the stack.
enable_termination_protection
- Whether termination protection is enabled for the stack.
parent_id
- For nested stacks–stacks created as resources for another stack–the stack ID of the direct parent of this stack.
root_id
- For nested stacks–stacks created as resources for another stack–the stack ID of the the top-level stack to which the nested stack ultimately belongs.
Examples
Test that a CloudFormation Stack has its stack_status configured correctly.
describe aws_cloudformation_stack('stack_name') do
its ('stack_status') { should eq 'CREATE_COMPLETE' }
end
Matchers
This InSpec audit resource has no special matchers. For a full list of available matchers, please visit our Universal Matchers page.
exist
The control will pass if the describe returns at least one result.
Use should_not
to test the entity should not exist.
describe aws_cloudformation_stack('AnExistingStack') do
it { should exist }
end
describe aws_cloudformation_stack('ANonExistentStack') do
it { should_not exist }
end
AWS Permissions
Your Principal will need the CloudFormation:Client:DescribeStacksOutput
action with Effect
set to Allow
.
You can find detailed documentation at Authentication and Access Control for CloudFormation