InSpec aws_s3_bucket_object Properties Not Working

Additional properties as documented in aws_s3_bucket_object Resource do not appear to be available, and I am curious if there is some setup I need to do. When I run the following, I get the following error:

describe aws_s3_bucket_object(bucket_name: "x", key: "x/x/x.zip") do
  it { should exist }
  its('content_type') { should eq "image/jpeg" }
  its('object_acl.count') { should eq 1 }
end

[FAIL] content_type undefined method `content_type' for s3://inseq-lab-cgsweb/Binaries/ServerBuilds/WebgateInstall.zip:#Class:0x00000279f5859bb8

I am also hoping to be able to get the SHA256 checksum for bucket objects but that property is also unavailable.

I reviewed the source code for the inspec aws inspec controls and it appears that although the documentation states you can retrieve other properties to test, you cannot in fact do it.

There may be permissions issues? I have seen where permissions can allow you to view an object in the console but not allow you to access or manipulate it via CLI or code.
Not saying this is the issue, but maybe worth looking into; it can only cost you a little time to be sure.

You should in fact be able to retrieve properties other than those directly implemented in the resource. See where it says in the resource:

@bucket_object = @aws.storage_client.get_object(bucket: @bucket_name, key: @key)

and

create_resource_methods(@bucket_object.first.to_h)

Any key returned by the get_object method should be retrievable because of the create_resource_methods call.

At Class: Aws::S3::Client — AWS SDK for Ruby V3 they give this sample code:

resp = client.get_object({
  bucket: "examplebucket", 
  key: "SampleFile.txt", 
  range: "bytes=0-9", 
})

resp.to_h outputs the following:
{
  accept_ranges: "bytes", 
  content_length: 10, 
  content_range: "bytes 0-9/43", 
  content_type: "text/plain", 
  etag: "\"0d94420ffd0bc68cd3d152506b97a9cc\"", 
  last_modified: Time.parse("Thu, 09 Oct 2014 22:57:28 GMT"), 
  metadata: {
  }, 
  version_id: "null", 
}

As you can see, content_type is one of the returned keys, so it should, in theory, be an accessible property. OTOH, the SHA256 checksum is not a documented option and is not one of the returned keys either.

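Added example (not part of the thread, and not InSpec's or the AWS SDK's own code): a simplified Ruby stand-in for the hash-to-methods idea discussed above, showing that only keys present in the response hash become readable properties and that a SHA-256 can be computed locally from the object body. `HashBackedObject`, `SAMPLE_RESPONSE`, the `:body` key and the absent `:sha256` name are assumptions constructed for illustration.

```ruby
require 'digest'
require 'stringio'

# Constructed stand-in for get_object(...).to_h; no AWS call is made.
# The :body key (an IO-like object) is an assumption; the sample output
# quoted in the thread does not list it.
SAMPLE_RESPONSE = {
  accept_ranges: 'bytes',
  content_length: 3,
  content_type: 'text/plain',
  etag: '"constructed-etag"',
  metadata: {},
  body: StringIO.new('abc')
}.freeze

# Hypothetical, simplified stand-in for a resource that exposes every key
# of a response hash as a reader method.
class HashBackedObject
  def initialize(response_hash)
    response_hash.each do |key, value|
      define_singleton_method(key) { value }
    end
    @keys = response_hash.keys
  end

  # Names a test could reference in its('...').
  def property_names
    @keys.map(&:to_s).sort
  end

  # True when the property can be read without raising NoMethodError.
  def property?(name)
    respond_to?(name)
  end

  # SHA-256 of the body, computed locally in 64 KiB chunks so a large
  # object is never held in memory all at once.
  def body_sha256
    io = body
    io.rewind
    digest = Digest::SHA256.new
    while (chunk = io.read(65_536))
      digest.update(chunk)
    end
    digest.hexdigest
  end
end

obj = HashBackedObject.new(SAMPLE_RESPONSE)
puts "content_type=#{obj.content_type} sha256?=#{obj.property?(:sha256)}"
puts "computed sha256=#{obj.body_sha256}"
```

Calling a name that is not a key of the hash (here `obj.sha256`) raises `NoMethodError`, the same class of failure as the `undefined method` error in the question.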