I have the following InSpec test that uses kitchen-terraform to test the properties of a replicated bucket:
```ruby
title 'Bucket test'

ENV['AWS_REGION'] = "us-east-1"

fixtures = {}
[
  'role_name',
  'policy_name',
  'source_bucket',
  'source_bucket_arn',
  'dest_bucket',
  'dest_bucket_arn'
].each do |fixture_name|
  fixtures[fixture_name] = attribute(
    fixture_name,
    default: "default.#{fixture_name}",
    description: 'See ../build/asg.tf',
  )
end

role_name          = fixtures['role_name']
policy_name        = fixtures['policy_name']
source_bucket_name = fixtures['source_bucket']
source_bucket_arn  = fixtures['source_bucket_arn']
dest_bucket_name   = fixtures['dest_bucket']
dest_bucket_arn    = fixtures['dest_bucket_arn']

# Replicated Bucket
control 'check-replicated-bucket-created-successfully' do
  impact 0.7
  title 'Replicated bucket'
  desc 'Test bucket replication'

  describe aws_s3_bucket(bucket_name: source_bucket_name) do
    it { should exist }
    it { should_not be_public }
    it { should have_default_encryption_enabled }
    its('region') { should eq 'us-east-1' }
  end

  describe aws_s3_bucket(bucket_name: dest_bucket_name) do
    it { should exist }
    it { should_not be_public }
    it { should have_default_encryption_enabled }
    its('region') { should eq 'us-west-2' }
  end

  describe aws_iam_role(role_name: role_name) do
    it { should exist }
  end

  describe aws_iam_policy(policy_name: policy_name) do
    it { should exist }
    it { should be_attached }
    it { should_not have_statement(Action: 's3:*') }
  end
end
```
The issues I am facing are:

- the check to see if the replicated bucket `is_public` in the us-west-2 region test is failing, although it passed for the bucket in the us-east-1 region
- the region check `its('region') { should eq 'us-east-1' }` fails for both buckets.
Here is the output of the test:

```text
Profile: InSpec Profile (test/verify)
Version: 0.1.0
Target: aws://
× check-replicated-bucket-created-successfully: Replicated bucket (2 failed)
✔ S3 Bucket frgcloud.lab.internal.private.replicated-bucket-us-east-1 should exist
✔ S3 Bucket frgcloud.lab.internal.private.replicated-bucket-us-east-1 should not be public
✔ S3 Bucket frgcloud.lab.internal.private.replicated-bucket-us-east-1 should have default encryption enabled
× S3 Bucket frgcloud.lab.internal.private.replicated-bucket-us-east-1 region should eq "us-east-1"
expected: "us-east-1"
got: ""
(compared using ==)
✔ S3 Bucket frgcloud.lab.internal.private.replicated-bucket-us-west-2 should exist
× S3 Bucket frgcloud.lab.internal.private.replicated-bucket-us-west-2 should not be public
undefined method `any?' for #<String:0x00007fe92ab56ec0>
✔ S3 Bucket frgcloud.lab.internal.private.replicated-bucket-us-west-2 should have default encryption enabled
✔ S3 Bucket frgcloud.lab.internal.private.replicated-bucket-us-west-2 region should eq "us-west-2"
✔ IAM Role replicated-bucket-replication-role should exist
✔ Policy replicated-bucket-bucket-replication-policy should exist
✔ Policy replicated-bucket-bucket-replication-policy should be attached
✔ Policy replicated-bucket-bucket-replication-policy should not have statement {:Action=>"s3:*"}
Profile Summary: 0 successful controls, 1 control failure, 0 controls skipped
Test Summary: 10 successful, 2 failures, 0 skipped
>>>>>> ------Exception-------
>>>>>> Class: Kitchen::ActionFailed
>>>>>> Message: 1 actions failed.
>>>>>> Verify failed on instance <replicated-terraform>. Please see .kitchen/logs/replicated-terraform.log for more details
>>>>>> ----------------------
>>>>>> Please see .kitchen/logs/kitchen.log for more details
>>>>>> Also try running `kitchen diagnose --all` for configuration
```
Kindly let me know if any more information is required because I am really quite puzzled by this error.
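Added example, not part of the question and not InSpec's or kitchen-terraform's own code: a plain Ruby model of the three bucket checks in the control above (region, not public, default encryption), run over constructed sample data so it executes offline without the AWS SDK. It handles the one edge case that matters for the region comparison: S3's GetBucketLocation returns a null (empty) `LocationConstraint` for buckets in us-east-1 and the legacy value `EU` for old eu-west-1 buckets, so a raw comparison against `"us-east-1"` can never match and has to be normalised first. The function names, the simplified `bucket_public?` model and the `SAMPLE_BUCKETS` data are hypothetical and are not how InSpec's `aws_s3_bucket` resource is implemented.

```ruby
# Added example (hypothetical helpers, constructed data); no InSpec or AWS SDK needed.

# GetBucketLocation quirk: us-east-1 buckets report a null/empty
# LocationConstraint and very old eu-west-1 buckets report "EU".
LEGACY_LOCATION_CONSTRAINTS = {
  nil  => 'us-east-1',
  ''   => 'us-east-1',
  'EU' => 'eu-west-1'
}.freeze

# Map the raw LocationConstraint to a real region name before comparing.
def normalize_bucket_region(location_constraint)
  LEGACY_LOCATION_CONSTRAINTS.fetch(location_constraint, location_constraint)
end

# Canned ACL grantee groups that expose a bucket to everyone / every AWS account.
PUBLIC_GRANTEES = [
  'http://acs.amazonaws.com/groups/global/AllUsers',
  'http://acs.amazonaws.com/groups/global/AuthenticatedUsers'
].freeze

# Simplified "is this bucket public?" model (hypothetical, not InSpec's logic):
# public if an ACL grant targets a public group or a policy statement allows a
# wildcard principal, unless all four Block Public Access settings are on.
def bucket_public?(bucket)
  pab = bucket.fetch(:public_access_block, {})
  blocked = %i[block_public_acls ignore_public_acls block_public_policy restrict_public_buckets]
            .all? { |k| pab[k] }
  return false if blocked

  acl_public = Array(bucket[:acl_grants]).any? { |g| PUBLIC_GRANTEES.include?(g[:grantee_uri]) }
  policy_public = Array(bucket[:policy_statements]).any? do |s|
    s[:effect] == 'Allow' && Array(s[:principal]).include?('*')
  end
  acl_public || policy_public
end

# Run the region / not-public / default-encryption checks for each bucket and
# return the failure messages (empty array when everything passes).
def check_replicated_buckets(buckets, expectations)
  failures = []
  expectations.each do |name, want|
    b = buckets.fetch(name)
    region = normalize_bucket_region(b[:location_constraint])
    failures << "#{name}: region #{region.inspect}, expected #{want[:region].inspect}" unless region == want[:region]
    failures << "#{name}: bucket is public" if bucket_public?(b)
    failures << "#{name}: default encryption not enabled" if b[:default_encryption].to_s.empty?
  end
  failures
end

# Constructed sample data shaped like the relevant API answers (hypothetical).
SAMPLE_BUCKETS = {
  'replicated-bucket-us-east-1' => {
    location_constraint: nil,                 # what S3 reports for us-east-1
    public_access_block: { block_public_acls: true, ignore_public_acls: true,
                           block_public_policy: true, restrict_public_buckets: true },
    acl_grants: [{ grantee_id: 'owner-canonical-id' }],
    default_encryption: 'aws:kms'
  },
  'replicated-bucket-us-west-2' => {
    location_constraint: 'us-west-2',
    public_access_block: {},                  # Block Public Access not configured
    acl_grants: [{ grantee_uri: 'http://acs.amazonaws.com/groups/global/AllUsers' }],
    default_encryption: 'AES256'
  }
}.freeze

EXPECTED_REGIONS = {
  'replicated-bucket-us-east-1' => { region: 'us-east-1' },
  'replicated-bucket-us-west-2' => { region: 'us-west-2' }
}.freeze

def sample_failures
  check_replicated_buckets(SAMPLE_BUCKETS, EXPECTED_REGIONS)
end

puts sample_failures if __FILE__ == $PROGRAM_NAME
```

With this data the us-east-1 bucket passes all three checks once its empty `LocationConstraint` is normalised, and the only reported failure is the us-west-2 bucket being public through its `AllUsers` ACL grant. The same normalisation is the thing to apply (or to expect the resource to apply) whenever a region assertion against a us-east-1 bucket compares with `""`.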