InSpec has two types of resources: `plural` and `singular`. When we use a plural resource, we get a collection of a resource type and its details through a single REST call to the cloud provider. When a singular resource is then used on one of the items returned by the plural resource, InSpec makes another REST call to the cloud provider to obtain the details of that individual resource. The drawback of this approach is that, if quota constraints are set in the cloud provider, InSpec reaches the maximum limit and is unable to query further resources. To resolve this, we found that for certain resources the plural resource's response already contains all the individual details of each resource, so we have enabled a way to skip the REST API call for the singular resource by passing the cached resource value from the plural response to the singular resource.
Ensuring Every RDS Snapshot has Encryption Enabled
Here, we use the InSpec `aws_rds_snapshots` resource to collect all resource entries, then loop over each entry, passing it to the `aws_rds_snapshot` resource via the named argument `resource_data`, which binds the attributes to the resource itself and skips the REST call to the cloud provider.
```ruby
aws_rds_snapshots.entries.each do |snapshot_entry|
  describe aws_rds_snapshot(resource_data: snapshot_entry) do
    it { should exist }
    it { should have_encrypted_snapshot }
  end
end
```
Looping Over Multiple Network Security Groups and Using the Cached Data to Verify That Each Group Does Not Allow Inbound Traffic
```ruby
azure_network_security_groups.entries.each do |azure_network_security_group_data|
  describe azure_network_security_group(resource_data: azure_network_security_group_data) do
    it { should_not allow(destination_ip_range: '10.0.0.0/24', direction: 'inbound') }
    it { should_not allow_in(ip_range: '10.0.0.0/24') }
  end
end
```
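To make the quota point concrete, the following added example (not InSpec's own implementation) models the RDS snapshot case above in plain Ruby, with a constructed fake API that counts calls; the Azure loop behaves the same way. The class names, the `FakeRdsApi` stand-in and the sample snapshot data are all assumptions constructed for the illustration.

```ruby
# Added illustration, not InSpec's own code: a minimal model of why handing the
# plural resource's cached entry to the singular resource as resource_data
# saves one provider API call per item, keeping an audit under the API quota.
class FakeRdsApi # constructed stand-in for the provider's REST API; counts calls
  attr_reader :calls
  def initialize(snapshots)
    @snapshots = snapshots # constructed sample data keyed by snapshot id
    @calls = 0
  end
  def describe_all # one call returns the whole collection with full details
    @calls += 1
    @snapshots.values
  end
  def describe_one(id) # one call per individual snapshot
    @calls += 1
    @snapshots.fetch(id)
  end
end
class RdsSnapshots # plural resource: one call, every entry with its details
  def initialize(api)
    @api = api
  end
  def entries
    @api.describe_all
  end
end
class RdsSnapshot # singular resource: resource_data binds the cached attributes
  def initialize(api, db_snapshot_identifier: nil, resource_data: nil)
    # With resource_data present no REST call is made; otherwise query by id.
    @data = resource_data || api.describe_one(db_snapshot_identifier)
  end
  def encrypted_snapshot?
    @data[:encrypted] == true
  end
end
SAMPLE = { # constructed inventory: three snapshots, one of them unencrypted
  'snap-a' => { id: 'snap-a', encrypted: true },
  'snap-b' => { id: 'snap-b', encrypted: false },
  'snap-c' => { id: 'snap-c', encrypted: true }
}.freeze
# Audit every snapshot; returns [api_calls_made, ids failing the encryption check].
# cached: true passes each entry as resource_data; false re-queries by id (N+1 calls).
def audit_snapshots(cached, snapshots = SAMPLE)
  api = FakeRdsApi.new(snapshots)
  failing = RdsSnapshots.new(api).entries.reject do |entry|
    args = cached ? { resource_data: entry } : { db_snapshot_identifier: entry[:id] }
    RdsSnapshot.new(api, **args).encrypted_snapshot?
  end
  [api.calls, failing.map { |e| e[:id] }]
end
```

With three snapshots the cached audit makes 1 call and the uncached one makes 4; both report `snap-b` as unencrypted.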
The following resources currently support this feature:
AWS:
aws_security_group
aws_rds_snapshot
aws_rds_instance
aws_eks_cluster
AZURE:
azure_network_security_group
azure_storage_account
For more information or help in using Chef InSpec, kindly reach out to your Customer Success Manager or to the Chef Community on Chef’s Discourse channel: https://discourse.chef.io/