aws_ec2_client_vpn_routes Resource
Use the aws_ec2_client_vpn_routes InSpec audit resource to test the properties of the AWS EC2 Client VPN routes associated with a Client VPN endpoint.
The AWS::EC2::ClientVpnRoute resource type specifies a network route to add to a Client VPN endpoint.
For additional information, including details on parameters and properties, see the AWS documentation on AWS EC2 ClientVpnRoute.
Installation
This resource is available in the Chef InSpec AWS resource pack.
See the Chef InSpec documentation on cloud platforms for information on configuring your AWS environment for InSpec and creating an InSpec profile that uses the InSpec AWS resource pack.
Syntax
Ensure that the client VPN endpoint exists.
describe aws_ec2_client_vpn_routes(client_vpn_endpoint_id: "CLIENT_VPN_ENDPOINT_ID") do
it { should exist }
end
Parameters
client_vpn_endpoint_id
(required) The ID of the Client VPN endpoint with which the route is associated.
Properties
client_vpn_endpoint_ids - The ID of the Client VPN endpoint with which the route is associated. Field: client_vpn_endpoint_id
destination_cidrs - The IPv4 address range, in CIDR notation, of the route destination. Field: destination_cidr
target_subnets - The ID of the subnet through which traffic is routed. Field: target_subnet
types - The route type. Field: type
origins - Indicates how the route was associated with the Client VPN endpoint. associate indicates that the route was automatically added when the target network was associated with the Client VPN endpoint. Field: origin
status_codes - The state of the Client VPN endpoint route. Field: status.code
status_messages - A message about the status of the Client VPN endpoint route, if applicable. Field: status.message
descriptions - A brief description of the route. Field: description
Examples
Ensure a client VPN endpoint ID is available.
describe aws_ec2_client_vpn_routes(client_vpn_endpoint_id: "CLIENT_VPN_ENDPOINT_ID") do
its('client_vpn_endpoint_ids') { should include 'CLIENT_VPN_ENDPOINT_ID' }
end
Ensure that the status code is active.
describe aws_ec2_client_vpn_routes(client_vpn_endpoint_id: "CLIENT_VPN_ENDPOINT_ID") do
its('status_codes') { should include 'active' }
end
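The checks above read the resource's flattened plural properties. As an added stand-alone Ruby example (not code from the InSpec AWS resource pack), the following models three constructed route records with placeholder IDs, flattens them into those properties the way the resource does, and picks out the two conditions a control over this resource usually wants to catch: routes that are not in the active state, and a 0.0.0.0/0 full-tunnel route that sends all client traffic through the VPN.

```ruby
require "ipaddr"

# Constructed sample of the route records DescribeClientVpnRoutes returns for
# one endpoint. IDs are placeholders, not real AWS resources.
SAMPLE_ROUTES = [
  { client_vpn_endpoint_id: "cvpn-endpoint-EXAMPLE", destination_cidr: "10.0.0.0/16",
    target_subnet: "subnet-EXAMPLE1", type: "Nat", origin: "associate",
    status: { code: "active", message: nil }, description: "Default Route" },
  { client_vpn_endpoint_id: "cvpn-endpoint-EXAMPLE", destination_cidr: "0.0.0.0/0",
    target_subnet: "subnet-EXAMPLE1", type: "Nat", origin: "add-route",
    status: { code: "active", message: nil }, description: "Internet via VPN" },
  { client_vpn_endpoint_id: "cvpn-endpoint-EXAMPLE", destination_cidr: "192.168.10.0/24",
    target_subnet: "subnet-EXAMPLE2", type: "Nat", origin: "add-route",
    status: { code: "failed", message: "Subnet is not associated" }, description: "Partner net" }
].freeze

# Flatten the per-route fields into the plural columns the InSpec resource
# exposes (client_vpn_endpoint_ids, destination_cidrs, ..., status_codes).
def route_columns(routes)
  {
    client_vpn_endpoint_ids: routes.map { |r| r[:client_vpn_endpoint_id] },
    destination_cidrs:       routes.map { |r| r[:destination_cidr] },
    target_subnets:          routes.map { |r| r[:target_subnet] },
    types:                   routes.map { |r| r[:type] },
    origins:                 routes.map { |r| r[:origin] },
    status_codes:            routes.map { |r| r.dig(:status, :code) },
    status_messages:         routes.map { |r| r.dig(:status, :message) },
    descriptions:            routes.map { |r| r[:description] }
  }
end

# Destinations of routes that are not in the 'active' state (failed or still
# being created); such routes never carry the client traffic they promise.
def inactive_destinations(routes)
  routes.reject { |r| r.dig(:status, :code) == "active" }.map { |r| r[:destination_cidr] }
end

# Destinations whose prefix length is at most max_prefix. With the default of 0
# this catches only 0.0.0.0/0, the full-tunnel route; raise max_prefix to flag
# any route broader than your network design allows.
def broad_destinations(routes, max_prefix: 0)
  routes.map { |r| r[:destination_cidr] }
        .select { |cidr| IPAddr.new(cidr).prefix <= max_prefix }
end

if $PROGRAM_NAME == __FILE__
  puts "status codes: #{route_columns(SAMPLE_ROUTES)[:status_codes].inspect}"
  puts "inactive:     #{inactive_destinations(SAMPLE_ROUTES).inspect}"
  puts "full tunnel:  #{broad_destinations(SAMPLE_ROUTES).inspect}"
end
```

In a profile the full-tunnel condition reads its('destination_cidrs') { should_not include '0.0.0.0/0' } against the resource itself.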
Matchers
This InSpec audit resource has the following special matchers. For a full list of available matchers, please visit our Universal Matchers page.
The controls will pass if the describe method returns at least one result.
exist
Use should to test that the entity exists.
describe aws_ec2_client_vpn_routes(client_vpn_endpoint_id: "CLIENT_VPN_ENDPOINT_ID") do
it { should exist }
end
Use should_not to test that the entity does not exist.
describe aws_ec2_client_vpn_routes(client_vpn_endpoint_id: "CLIENT_VPN_ENDPOINT_ID") do
it { should_not exist }
end
be_available
Use should to check that the entity is available.
describe aws_ec2_client_vpn_routes(client_vpn_endpoint_id: "CLIENT_VPN_ENDPOINT_ID") do
it { should be_available }
end
AWS Permissions
Your Principal will need the EC2:Client:DescribeClientVpnRoutesResult action with Effect set to Allow.