Skip to main content

aws_vpcs resource

[edit on GitHub]

Use the aws_vpcs InSpec audit resource to test properties of some or all AWS Virtual Private Clouds (VPCs).

Each VPC is uniquely identified by its VPC ID. In addition, each VPC has a non-unique CIDR IP Address range (such as 10.0.0.0/16) which it manages.

Every AWS account has at least one VPC, the “default” VPC, in every region.

Syntax

An aws_vpcs resource block uses an optional filter to select a group of VPCs and then tests that group.

# Since you always have at least one VPC, this will always pass.
describe aws_vpcs do
  it { should exist }
end

Parameters

This resource does not expect any parameters.

See also the AWS documentation on VPCs.

Properties

PropertyDescription
cidr_blocksThe cidr_blocks property provides a list of the CIDR blocks that the matched VPCs serve as strings.
dhcp_options_idsThe dhcp_option_set_ids property provides a de-duplicated list of the DHCP Option Set IDs that the matched VPCs use when assigning IPs to resources.
vpc_idsThe vpc_ids property provides a list of the IDs of the matched VPCs.
tagsA hash of key-value pairs corresponding to the tags associated with the entity.
entriesProvides access to the raw results of the query, which can be treated as an array of hashes.

Examples

Ensure all VPCs use the same DHCP option set

describe aws_vpcs.where { dhcp_options_id != 'dopt-12345678' } do
  it { should_not exist }
end

Check for a Particular VPC ID

describe aws_vpcs do
  its('vpc_ids') { should include 'vpc-12345678' }
end

Use the VPC IDs to Get a List of Default Security Groups

aws_vpcs.vpc_ids.each do |vpc_id|
  describe aws_security_group(vpc_id: vpc_id, group_name: 'default') do
    it { should_not allow_in(port: 22) }
  end
end

We shun the 10.0.0.0/8 space

describe aws_vpcs.where { cidr_block.start_with?('10') } do
  it { should_not exist }
end

Check tags

describe aws_vpc do
  its('tags') { should include(:Environment => 'env-name',
                               :Name => 'vpc-name')}
end

Matchers

This InSpec audit resource has the following special matchers. For a full list of available matchers, please visit our Universal Matchers page.

exist

The control will pass if the describe returns at least one result.

Use should_not to test the entity should not exist.

describe aws_vpcs do
  it { should exist }
end

describe aws_vpcs.where( <property>: <value>) do
  it { should_not exist }
end

AWS Permissions

Your Principal will need the ec2:DescribeVpcs action with Effect set to Allow.

You can find detailed documentation at Actions, Resources, and Condition Keys for Amazon EC2.

Was this page helpful?