Skip to main content

aws_transit_gateway_route Resource

Use the aws_transit_gateway_route InSpec audit resource to test the properties of a single AWS transit gateway route.

Install

This resource is available in the Chef InSpec AWS resource pack.

For information on configuring your AWS environment for Chef InSpec and creating an InSpec profile that uses the InSpec AWS resource pack, see the Chef InSpec documentation on the AWS cloud platform.

Syntax

An aws_transit_gateway_route resource block declares the tests for a single AWS transit gateway route by transit_gateway_route_table_id.

describe aws_transit_gateway_route(transit_gateway_route_table_id: 'tgw-rtb-08acd74550c99e589', cidr_block: '0.0.0.0/16') do
  it { should exist }
end

Parameters

To set the parameters of the AWS transit gateway route table, ID and CIDR block is required.

transit_gateway_route_table_id (required)

The ID of the AWS transit gateway route table:

  • must contain alphanumeric characters between 1 to 50, or hyphens
  • should start with tgw-rtb-
  • cannot end with a hyphen or contain two consecutive hyphens

The ID of the AWS transit gateway route table should be passed as a transit_gateway_route_table_id: 'value' key-value entry in a hash.

cidr_block (required)

The CIDR block range of the route is associated to the AWS transit gateway route table. It should be passed as a cidr_block: 'value' key-value entry in a hash.

Properties

cidr_block
The CIDR block used for destination matches.
prefix_list_id
The ID of the prefix list used for destination matches.
type
The type of route. Valid values: propagated or static.
state
The state of the route. Valid values: active or blackhole.
attachment_resource_id
The resource ID of the transit gateway attachment. Identifiers of relevant resource type.
attachment_id
The ID of the transit gateway attachment.
attachment_resource_type
The attachment resource type. Valid values are vpc, vpn, direct-connect-gateway, peering, connect.

Examples

Test if a transit gateway route exists for a transit gateway route table and CIDR block range.

describe aws_transit_gateway_route(transit_gateway_route_table_id: 'tgw-rtb-08acd74550c99e589', cidr_block: '0.0.0.0/16') do
    it { should exist }
end

Test that the ID of the attached VPC is vpc-00727fc4213acee4a.

describe aws_transit_gateway_route(transit_gateway_route_table_id: 'tgw-rtb-08acd74550c99e589', cidr_block: '0.0.0.0/16') do
    its('attachment_resource_id') { should eq 'vpc-00727fc4213acee4a' }
end

Test that the ID of the Transit Gateway Attachment is tgw-attach-0aab89f748131532e.

describe aws_transit_gateway_route(transit_gateway_route_table_id: 'tgw-rtb-08acd74550c99e589', cidr_block: '0.0.0.0/16') do
    its('attachment_id') { should eq 'tgw-attach-0aab89f748131532e' }
end

Test that the attachment resource type is vpc.

describe aws_transit_gateway_route(transit_gateway_route_table_id: 'tgw-rtb-08acd74550c99e589', cidr_block: '0.0.0.0/16') do
    its('attachment_resource_type') { should eq 'vpc' }
end

Test that the prefix list ID is pl-4ca54025.

describe aws_transit_gateway_route(transit_gateway_route_table_id: 'tgw-rtb-08acd74550c99e589', cidr_block: '0.0.0.0/16') do
    its('prefix_list_id') { should eq 'pl-4ca54025' }
end

Matchers

This InSpec audit resource has the following special matchers. For a complete list of available matchers, visit matchers page.

exist

describe aws_transit_gateway_route(transit_gateway_route_table_id: 'tgw-rtb-08acd74550c99e589', cidr_block: '0.0.0.0/16') do
    it { should exist }
end

be_static

describe aws_transit_gateway_route(transit_gateway_route_table_id: 'tgw-rtb-08acd74550c99e589', cidr_block: '0.0.0.0/16') do
    it { should be_static }
end

be_propagated

describe aws_transit_gateway_route(transit_gateway_route_table_id: 'tgw-rtb-08acd74550c99e911', cidr_block: '0.0.0.0/16') do
    it { should be_propagated }
end

be_active

describe aws_transit_gateway_route(transit_gateway_route_table_id: 'tgw-rtb-08acd74550c99e589', cidr_block: '0.0.0.0/16') do
    it { should be_active }
end

be_blackhole

describe aws_transit_gateway_route(transit_gateway_route_table_id: 'tgw-rtb-08acd74550c99e911', cidr_block: '0.0.0.0/17') do
    it { should be_blackhole }
end

be_vpc_attachment

describe aws_transit_gateway_route(transit_gateway_route_table_id: 'tgw-rtb-08acd74550c99e589', cidr_block: '0.0.0.0/16') do
    it { should be_vpc_attachment }
end

be_vpn_attachment

describe aws_transit_gateway_route(transit_gateway_route_table_id: 'tgw-rtb-08acd74550c99e711', cidr_block: '0.0.0.0/16') do
    it { should be_vpn_attachment }
end

AWS Permissions

Your Principal will need the EC2:Client:DescribeTransitGatewayRouteTablesResult action with Effect set to Allow.

Get the detailed document at Actions, Resources, and Condition Keys for transit gateway route, and Actions, Resources, and Condition Keys for Identity And Access Management.

Edit this page on GitHub

Thank you for your feedback!

×