aws_vpc

Use the aws_vpc InSpec audit resource to test properties of a single AWS Virtual Private Cloud (VPC).

Each VPC is uniquely identified by its VPC ID. In addition, each VPC has a non-unique CIDR IP Address range (such as 10.0.0.0/16) which it manages.

Every AWS account has at least one VPC, the “default” VPC, in every region.

Syntax

An aws_vpc resource block identifies a VPC by id. If no VPC ID is provided, the default VPC is used.

# Find the default VPC
describe aws_vpc do
  it { should exist }
end

# Find a VPC by ID
describe aws_vpc('vpc-12345678987654321') do
  it { should exist }
end

# Hash syntax for ID
describe aws_vpc(vpc_id: 'vpc-12345678') do
  it { should exist }
end

Parameters

If no parameter is provided, the subscription’s default VPC will be returned.

vpc_id (optional)

This resource accepts a single parameter, the VPC ID. This can be passed either as a string or as a vpc_id: 'value' key-value entry in a hash.

See also the AWS documentation on VPCs.

Properties

Property Description
cidr_block The IPv4 address range that is managed by the VPC.
dhcp_options_id The ID of the set of DHCP options associated with the VPC (or default if the default options are associated with the VPC).
instance_tenancy The allowed tenancy of instances launched into the VPC.
state The state of the VPC (pending
vpc_id The ID of the VPC.
tags The tags of the VPC.

Examples

The following examples show how to use this InSpec audit resource.

Test the CIDR of a named VPC
describe aws_vpc('vpc-87654321') do
  its('cidr_block') { should cmp '10.0.0.0/16' }
end

Test the state of the VPC

describe aws_vpc do
  its ('state') { should eq 'available' }
  # or equivalently
  it { should be_available }
end
Test the allowed tenancy of instances launched into the VPC.
describe aws_vpc do
  its ('instance_tenancy') { should eq 'default' }
end
Test tags on the VPC
describe aws_vpc do
  its('tags') { should include(:Environment => 'env-name',
                               :Name => 'vpc-name')}
end

Matchers

This InSpec audit resource has the following special matchers. For a full list of available matchers, please visit our matchers page.

be_default

The test will pass if the identified VPC is the default VPC for the region.

describe aws_vpc('vpc-87654321') do
  it { should be_default }
end

AWS Permissions

Your Principal will need the ec2:DescribeVpcs action with Effect set to Allow.

You can find detailed documentation at Actions, Resources, and Condition Keys for Amazon EC2.