Help Document inspec-aws Example

Chef InSpec
1

I'd like to document a real-world example, in the hopes that it's directly useful and that it also serves as a template for other use-cases around AWS. My particular use-case is pretty simple:

I have some EC2 instances behind an ELB. Those instances have a Security Group that allows web traffic from the ELB. I'd like to test this, in line with 'best practice', the style guide and in such a way that no IDs are hard-coded.

Here's an attempt in code to test my use-case. I realise it's not ideal - what can we do to refine it?

  # This bit seems fine to me :-)
  describe aws_elb(load_balancer_name: 'webserver-elb') do
    it { should exist }
    its('availability_zones.count') { should be > 1 }
    its('external_ports.count') { should cmp 1 }
    its('external_ports') { should include 80 }
  end

  # Things go wrong here though :-(
  elb_sg_ids = aws_elb(load_balancer_name: 'webserver-elb').security_group_ids
  ec2_sg_ids = aws_ec2_instance(name: 'webserver-asg').security_group_ids

  ec2_sg_ids.each { |ec2_sg_id|
    sg_group_rules = aws_security_group(ec2_sg_id).inbound_rules.select{|x| x[:user_id_group_pairs].length > 0}

    sg_group_rules.each { |sg_group_rule|
      sg_group_rule[:user_id_group_pairs].each { |user_id_group_pair|
        describe user_id_group_pair[:group_id] do
          it { should be_in elb_sg_ids}
        end
      }
    }
  }

How can this be improved?

2

A slight improvement on the last loop can be made:

  ec2_sg_group_rules.each { |ec2_sg_group_rule|
    describe 'Each SG user_id_group_pair' do
      it "contains at least one entry" do
        expect(ec2_sg_group_rule[:user_id_group_pairs]).not_to be_empty
      end
    end
    ec2_sg_group_rule[:user_id_group_pairs].each { |ec2_user_id_group_pair|
      # Ensure the SG is actually related to the ELB!
      describe 'EC2 Security Group' do
        it "is in the other" do
          expect(elb_sg_ids).to include(ec2_user_id_group_pair[:group_id])
        end
      end
      # Now make sure the SG allows traffic in to the right port from the ELB
      describe aws_security_group(id: ec2_sg_id) do
        it { should allow_in(port: 80, security_group: ec2_user_id_group_pair[:group_id])}
      end
    }
  }

Using a proper aws_security_group resource helps a bit, and I've also used an expect style test so that the test result output is more useful. A couple of extra checks make sure that we definitely fail if something is wrong, which of course tests in loops may not (as they may not run at all).

All that said, this still is a long way from "ideal" in my opinion, so any help to improve it would be much appreciated.