aws_ec2_instance
Use the aws_ec2_instance
InSpec audit resource to test properties of a single AWS EC2 instance.
Syntax
An aws_ec2_instance
resource block declares the tests for a single AWS EC2 instance by either name or instance id.
describe aws_ec2_instance('i-01a2349e94458a507') do
it { should exist }
end
describe aws_ec2_instance(name: 'my-instance') do
it { should exist }
end
Parameters
One of either the EC2 instance’s ID or name must be be provided.
instance_id (required if name
not provided)
The ID of the EC2 instance. This is in the format of i-
followed by 8 or 17 hexadecimal characters.
This can be passed either as a string or as an instance_id: 'value'
key-value entry in a hash.
name (required if `instanceid` not provided)_
If you have a Name
tag applied to the EC2 instance, this can be used to lookup the instance.
This must be passed as a name: 'value'
key-value entry in a hash.
Properties
Property | Description |
---|---|
state | The current state of the EC2 Instance, for example ‘running’. |
image_id | The id of the AMI used to launch the instance. |
role | The IAM role attached to the instance. |
launch_time | The time the instance was launched. |
availability_zone | The availability zone of the instance. |
security_groups | A hash containing the security group ids and names associated with the instance. |
security_group_ids | The security group ids associated with the instance. |
ebs_volumes | A hash containing the names and ids of any EBS volumes associated with the instance. |
tags | A list of hashes with each key-value pair corresponding to an EC2 instance tag, e.g, [{:key=>"Name", :value=>"Testing Box"}, {:key=>"Environment", :value=>"Dev"}] |
tags_hash | A hash, with each key-value pair corresponding to an EC2 instance tag, e.g, {"Name"=>"Testing Box", "Environment"=>"Dev"} . This property is available in InSpec AWS resource pack version 1.12.0 onwards. |
There are also additional properties available. For a comprehensive list, see the API reference documentation
Examples
Test that an EC2 instance is running
describe aws_ec2_instance(name: 'prod-database') do
it { should be_running }
end
Test that an EC2 instance is using the correct AMI
describe aws_ec2_instance(name: 'my-instance') do
its('image_id') { should eq 'ami-27a58d5c' }
end
Test that an EC2 instance has the correct tag
describe aws_ec2_instance('i-090c29e4f4c165b74') do
its('tags') { should include(key: 'Contact', value: 'Gilfoyle') }
end
Test that an EC2 instance has the correct tag (using the tags_hash
property)
describe aws_ec2_instance('i-090c29e4f4c165b74') do
its('tags_hash') { should include('Contact' => 'Gilfoyle') }
its('tags_hash') { should include('Contact') } # Regardless of the value
end
Test that an EC2 instance has no roles
describe aws_ec2_instance('i-090c29e4f4c165b74') do
it { should_not have_roles }
end
Matchers
This InSpec audit resource has the following special matchers. For a full list of available matchers, please visit our matchers page.
exist
The control will pass if the describe returns at least one result.
Use should_not
to test the entity should not exist.
it { should exist }
it { should_not exist }
has_roles
Test if the EC2 instance has any roles associated with it.
Use should_not
to test the entity does not have roles.
it { should have_roles }
it { should_not have_roles }
be_pending
The be_pending
matcher tests if the described EC2 instance state is pending
. This indicates that an instance is provisioning. This state should be temporary.
it { should be_pending }
be_running
The be_running
matcher tests if the described EC2 instance state is running
. This indicates the instance is fully operational from AWS’s perspective.
it { should be_running }
be_shutting_down
The be_shutting_down
matcher tests if the described EC2 instance state is shutting-down
. This indicates the instance has received a termination command and is in the process of being permanently halted and de-provisioned. This state should be temporary.
it { should be_shutting_down }
be_stopped
The be_stopped
matcher tests if the described EC2 instance state is stopped
. This indicates that the instance is suspended and may be started again.
it { should be_stopped }
be_stopping
The be_stopping
matcher tests if the described EC2 instance state is stopping
. This indicates that an AWS stop command has been issued, which will suspend the instance in an OS-unaware manner. This state should be temporary.
it { should be_stopping }
be_terminated
The be_terminated
matcher tests if the described EC2 instance state is terminated
. This indicates the instance is permanently halted and will be removed from the instance listing in a short period. This state should be temporary.
it { should be_terminated }
be_unknown
The be_unknown
matcher tests if the described EC2 instance state is unknown
. This indicates an error condition in the AWS management system. This state should be temporary.
it { should be_unknown }
AWS Permissions
Your Principal will need the ec2:DescribeInstances
, and iam:GetInstanceProfile
actions set to allow.
You can find detailed documentation at Actions, Resources, and Condition Keys for Amazon EC2, and Actions, Resources, and Condition Keys for Identity And Access Management.