
aws_nat_gateway Resource

Use the aws_nat_gateway InSpec audit resource to test the properties of a single AWS NAT gateway.

Install

This resource is available in the Chef InSpec AWS resource pack.

For information on configuring your AWS environment for Chef InSpec and creating an InSpec profile that uses the InSpec AWS resource pack, see the Chef InSpec documentation on the AWS cloud platform.

Syntax

An aws_nat_gateway resource block declares the tests for a single AWS NAT gateway by id, name, vpc_id or subnet_id.

describe aws_nat_gateway(id: 'nat-abc0123456789deff') do
  it { should exist }
end
describe aws_nat_gateway(name: 'my-nat-gateway') do
  it { should exist }
end

Multiple parameters can be provided for better granularity.

describe aws_nat_gateway(vpc_id: 'vpc-abc01234', subnet_id: 'subnet-6789deff') do
  it { should exist }
end

Parameters

At least one of the following parameters must be provided.

  • id
  • name
  • subnet_id
  • vpc_id

id

The value of the nat_gateway_id assigned by AWS after the resource has been created. This should be in the format of nat- followed by 8 or 17 hexadecimal characters and passed as an id: 'value' key-value entry in a hash.

name

If a Name tag is applied to the NAT gateway, this can be used to lookup the resource. This must be passed as a name: 'value' key-value entry in a hash. If there are multiple NAT gateways with the same name, this resource will raise an error.

subnet_id

The ID of the subnet in which the NAT gateway is placed. This should be in the format of subnet- followed by 8 or 17 hexadecimal characters and passed as a subnet_id: 'value' key-value entry in a hash.

vpc_id

The ID of the VPC in which the NAT gateway is located. This should be in the format of vpc- followed by 8 or 17 hexadecimal characters and passed as a vpc_id: 'value' key-value entry in a hash.
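The parameter formats above are the resource's contract: an id that does not match them, or a hash with none of the four keys, produces a failed or confusing lookup rather than a useful finding. The following helper is an added example, not code from the InSpec AWS resource pack; the module name NatGatewayParams and its methods are assumptions. It checks a parameter hash against the documented formats (prefix plus 8 or 17 hexadecimal characters, at least one of id, name, subnet_id or vpc_id present) so that a typo in a control fails fast with a clear message.

```ruby
# Added example (not part of the InSpec documentation or resource pack):
# validate aws_nat_gateway parameters against the documented formats before
# handing them to the resource. Module and method names are assumptions.
module NatGatewayParams
  # Documented formats: prefix followed by 8 or 17 hexadecimal characters.
  # AWS emits lowercase IDs; the match is case-insensitive to follow the
  # documentation's wording of "hexadecimal characters".
  FORMATS = {
    id:        /\Anat-[0-9a-f]{8}(?:[0-9a-f]{9})?\z/i,
    subnet_id: /\Asubnet-[0-9a-f]{8}(?:[0-9a-f]{9})?\z/i,
    vpc_id:    /\Avpc-[0-9a-f]{8}(?:[0-9a-f]{9})?\z/i,
  }.freeze

  # name has no fixed format; it is matched against the Name tag.
  ALLOWED_KEYS = (FORMATS.keys + [:name]).freeze

  # Returns an array of error strings; an empty array means the hash is acceptable.
  def self.errors(params)
    errs = []
    unknown = params.keys - ALLOWED_KEYS
    errs << "unknown parameter(s): #{unknown.join(', ')}" unless unknown.empty?
    if (params.keys & ALLOWED_KEYS).empty?
      errs << 'at least one of id, name, subnet_id or vpc_id is required'
    end
    FORMATS.each do |key, re|
      next unless params.key?(key)
      value = params[key].to_s
      errs << "#{key} #{value.inspect} does not match #{re.source}" unless re.match?(value)
    end
    if params.key?(:name) && params[:name].to_s.strip.empty?
      errs << 'name must be a non-empty string'
    end
    errs
  end

  def self.valid?(params)
    errors(params).empty?
  end

  # Raises ArgumentError listing every problem; otherwise returns the same hash,
  # so it can be used inline: aws_nat_gateway(NatGatewayParams.validate!(id: ...)).
  def self.validate!(params)
    errs = errors(params)
    raise ArgumentError, "aws_nat_gateway: #{errs.join('; ')}" unless errs.empty?
    params
  end
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample inputs taken from the formats documented on this page.
  p NatGatewayParams.errors(id: 'nat-abc0123456789deff')                          # => []
  p NatGatewayParams.errors(vpc_id: 'vpc-abc01234', subnet_id: 'subnet-6789deff') # => []
  p NatGatewayParams.errors(id: 'nat-ABC')                                         # format error
  p NatGatewayParams.errors({})                                                    # missing-parameter error
end
```

Calling validate! inside a control keeps the failure at the parameter stage, where the message names the offending key, instead of surfacing later as a NAT gateway that "does not exist".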

Properties

id
The ID of the NAT gateway.
name
The value of the Name tag. It is nil if not defined.
vpc_id
The ID of the VPC in which the NAT gateway is located.
subnet_id
The ID of the subnet in which the NAT gateway is placed.
tags
A hash, with each key-value pair corresponding to a NAT gateway tag.
nat_gateway_address_set
A hash of the NatGatewayAddress object, giving the IP addresses and network interface associated with the NAT gateway.
state
The state of the NAT gateway. Valid values are: pending, failed, available, deleting and deleted.

There are also additional properties available. For a comprehensive list, see the API reference documentation.

Examples

Test that the NAT gateway is in available state.

describe aws_nat_gateway(name: 'my-nat-gateway') do
  its('state') { should eq 'available' }
end

Test that the ID of the VPC is vpc-1234567890abcdef1.

describe aws_nat_gateway(id: 'nat-abc0123456789deff') do
  its('vpc_id') { should eq 'vpc-1234567890abcdef1' }
end

Test that the NAT gateway has a certain tag.

describe aws_nat_gateway(name: 'my-nat-gateway') do
  its('tags') { should include('environment' => 'dev') }
  # Use include('environment') to match on the tag key regardless of the value.
end

Test that the private IP address is 10.0.1.68.

describe aws_nat_gateway(vpc_id: 'vpc-abc01234', subnet_id: 'subnet-12345678') do
  its('nat_gateway_address_set') { should include(:private_ip => '10.0.1.68') }
end

For more examples, see the integration tests.

Matchers

This InSpec audit resource has the following special matcher. For a full list of available matchers, visit the InSpec matchers page.

exist

describe aws_nat_gateway(name: 'my-nat-gateway') do
  it { should exist }
end

AWS Permissions

Your principal will need the EC2:Client:DescribeNatGatewaysResult action with Effect set to Allow.

You can find detailed documentation at Actions, Resources, and Condition Keys for Amazon EC2, and Actions, Resources, and Condition Keys for Identity And Access Management.
