Inspec profile files being ignored


#1

Greetings,

I’m trying to follow the example in https://github.com/chef/inspec/blob/master/docs/profiles.md#profile-files to loop through AWS IAM Roles and Profiles, but it doesn’t appear that the YAML file is getting read.

The error I’m receiving is:

aws_account_profile/controls/iam_spec.rb:4:in `load_with_context': undefined method `each' for nil:NilClass (NoMethodError)

aws_account_profile/files/roles.yml:

---
- role: adfs-cloudadministrators
  policy: CloudAdministrator
- role: adfs-developers
  policy: Developer
- role: adfs-platformengineers
  policy: PlatformEngineers
- role: adfs-security
  policy: SecOps
- role: adfs-supportadmins
  policy: SupportAdministrator

aws_account_profile/controls/iam_spec.rb:

iam_roles = yaml(content: inspec.profile.file('roles.yml')).params
count = 0

iam_roles.each do |role|
  control "aws-account-1-#{count += 1}" do
    impact 1.0
    title "#{role['role']} role exists"
    desc "Each AWS account needs to have the #{role['role']} role."
    describe aws_iam_role("#{role['role']}") do
      it { should exist }
    end
  end

  control "aws-account-1-#{count += 1}" do
    impact 1.0
    title "#{role['policy']} policy exists"
    desc "Each AWS account needs to have the #{role['policy']} policy."
    describe aws_iam_policy("#{role['policy']}") do
      it { should exist }
    end
  end
end

As a debugging step, I also tried to execute this control:

aws_account_profile/controls/iam2_spec.rb:

iam_roles = yaml(content: inspec.profile.file('roles.yml')).params

puts "Contents of iam_roles:"
puts iam_roles
puts "End of iam_roles."

However, the output of iam_roles is blank. What am I doing wrong?

$ inspec version
2.0.17

#2

We are having the same issue. Any help would be greatly appreciated.


#3

During my research, I found a cross-post on https://stackoverflow.com/questions/49042560/handling-attributes-in-inspec where coderanger referred the author to the #inspec channel on chefcommunity.slack.com. From there, I found a conversation on March 1st, 2018 that contained some sample code. The sample ran successfully against local and SSH targets, but fails to read the YAML file when targeting AWS resources.


#4

Hey all, this is a bug. This seems to work fine with other transports/local mode. I have created:

To track this issue. Thanks for reporting it.


#5

True to your name @jquick. I just opened an issue too and then saw your reply. So, I closed my issue and referenced yours. Thanks for looking into this.


#6

No worries! The issue here is with the YAML resource. This should be addressed in the next release. For now you can use this workaround:

iam_roles = YAML.load(inspec.profile.file('roles.yml'))

Which will manually load the YAML and should give you what you need.
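
Added example, not part of the original thread and not InSpec's own code: a guard around the manual YAML load from post #6, so that a nil, empty or malformed roles.yml stops the run with a clear error instead of a NoMethodError or a loop that generates no controls at all. The helper name `load_role_map` and the constants are hypothetical; the sample YAML is an inline copy of two entries from post #1 so the block runs without InSpec.

```ruby
require 'yaml'

# Hypothetical helper (not part of InSpec): parse the text of files/roles.yml
# and fail loudly instead of handing nil or malformed entries to the control loop.
def load_role_map(content, source: 'roles.yml')
  if content.nil? || content.strip.empty?
    raise ArgumentError, "#{source}: file content is nil or empty"
  end

  # safe_load only builds basic types (strings, numbers, booleans, nil,
  # arrays, hashes), which is all this file needs.
  data = YAML.safe_load(content)
  unless data.is_a?(Array) && !data.empty?
    raise ArgumentError, "#{source}: expected a non-empty list, got #{data.class}"
  end

  data.each_with_index.map do |entry, i|
    unless entry.is_a?(Hash)
      raise ArgumentError, "#{source}: entry #{i} is #{entry.class}, expected a mapping"
    end
    %w[role policy].each do |key|
      value = entry[key]
      unless value.is_a?(String) && !value.strip.empty?
        raise ArgumentError, "#{source}: entry #{i} has no usable '#{key}'"
      end
    end
    { 'role' => entry['role'], 'policy' => entry['policy'] }
  end
end

# Inline copy of the first two entries of roles.yml from post #1 (sample input).
SAMPLE_ROLES_YML = <<~YAML_DOC
  ---
  - role: adfs-cloudadministrators
    policy: CloudAdministrator
  - role: adfs-developers
    policy: Developer
YAML_DOC

# In the profile this would be: load_role_map(inspec.profile.file('roles.yml'))
IAM_ROLES = load_role_map(SAMPLE_ROLES_YML)
IAM_ROLES.each { |r| puts "#{r['role']} -> #{r['policy']}" }
```

Because an empty list would make the `each` loop emit zero controls, the helper treats it as an error rather than letting the profile pass with nothing checked.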