aws_ssm_parameter Resource

Use the aws_ssm_parameter InSpec audit resource to test properties of an SSM parameter.

For additional information, including details on parameters and properties, see the AWS documentation on SSM Parameters.

Install

This resource is available in the Chef InSpec AWS resource pack.

For information on configuring your AWS environment for Chef InSpec and creating an InSpec profile that uses the InSpec AWS resource pack, see the Chef InSpec documentation on the AWS cloud platform.

Syntax

An aws_ssm_parameter resource block uses the name parameter to select an SSM parameter.

describe aws_ssm_parameter(name: 'ssm-parameter-name-1234') do
  it { should exist }
end

Parameters

name (required)

This resource accepts a single parameter, the SSM Parameter Name. This can be passed either as a string or as an aws_ssm_parameter: 'value' key-value entry in a hash.

with_decryption (optional)

This decrypts the value associated with the SSM parameter. It must be passed as a string: with_decryption: "true".

Properties

arn
Provides the Amazon Resource Name (ARN) of the parameter.
data_type
Provides the data type of the parameter.
last_modified_date
Provides the date the parameter was last changed or updated and the parameter version was created.
name
Provides the name of the parameter.
selector
Provides the version number or label used to retrieve the parameter value.
source_result
Applies to parameters that reference information in other AWS services.
type
Provides the type of the parameter.
value
Provides the value of the parameter.
version
Provides the version of the parameter.

For a comprehensive list of available properties, see the API reference documentation.

Examples

Check the name of an SSM parameter.

describe aws_ssm_parameter(name: 'ssm_parameter-name-1234') do
  its('name')  { should eq 'ssm_parameter-name-1234' }
end

Matchers

For a full list of available matchers, see our Universal Matchers page.

This resource has the following special matchers.

exist

The control will pass if the describe returns at least one result.

Use should_not to test that the entity does not exist.

describe aws_ssm_parameter(name: 'ssm_parameter-name-1234') do
  it { should exist }
end
describe aws_ssm_parameter(name: 'ssm_parameter-name-6789') do
  it { should_not exist }
end

AWS Permissions

Your Principal will need the SSM:Client:GetParameterResult action with Effect set to Allow.

You can find detailed documentation at Actions, Resources, and Condition Keys for Amazon Systems Manager.
