Skip to main content

aws_vpc_endpoint_service Resource

Use the aws_vpc_endpoint_service InSpec audit resource to test the properties of a single AWS VPC endpoint service.

Install

This resource is available in the Chef InSpec AWS resource pack.

For information on configuring your AWS environment for Chef InSpec and creating an InSpec profile that uses the InSpec AWS resource pack, see the Chef InSpec documentation on the AWS cloud platform.

Syntax

An aws_vpc_endpoint_service resource block declares the tests for a single AWS VPC endpoint service by service_name.

describe aws_vpc_endpoint_service(service_name: 'aws.sagemaker.us-east-2.notebook') do
  it { should exist }
end

Parameters

service_name (required)

The name of the AWS VPC endpoint service.

The AWS VPC endpoint service name is required. It should be passed as a service_name: 'value' key-value entry in a hash.

Properties

service_name
The Amazon Resource Name (ARN) of the service.
service_id
The ID of the endpoint service.
service_type
The type of service.
availability_zones
The Availability Zones in which the service is available.
owner
The AWS account ID of the service owner.
base_endpoint_dns_names
The DNS names for the service.
private_dns_name
The private DNS name for the service.

Examples

Test whether VPC endpoint service exists.

describe aws_vpc_endpoint_service(service_name: 'aws.sagemaker.us-east-2.notebook') do
    it { should exist }
end

Test whether the ID of the attached VPC is vpce-svc-04deb776dc2b8e67f.

describe aws_vpc_endpoint_service(service_name: 'aws.sagemaker.us-east-2.notebook') do
    its('service_id') { should eq 'vpce-svc-04deb776dc2b8e67f' }
end

Test whether the service_type of the endpoint service is .

describe aws_vpc_endpoint_service(service_name: 'aws.sagemaker.us-east-2.notebook') do
    its('service_type') { should eq 'Interface' }
end

Test whether the availability_zones include a zone of interest.

describe aws_vpc_endpoint_service(service_name: 'aws.sagemaker.us-east-2.notebook') do
    its('availability_zones') { should include 'us-east-2a' }
end

Test whether the base endpoint dns_names include a dns of interest.

describe aws_vpc_endpoint_service(service_name: 'aws.sagemaker.us-east-2.notebook') do
    its('base_endpoint_dns_names') { should eq 'vpce-svc-04deb776dc2b8e67f.us-east-2.vpce.amazonaws.com' }
end

Matchers

This InSpec audit resource has the following special matchers. For the complete list of available matchers,visit matchers page.

exist

describe aws_vpc_endpoint_service(service_name: 'aws.sagemaker.us-east-2.notebook') do
    it { should exist }
end

be_interface

describe aws_vpc_endpoint_service(service_name: 'aws.sagemaker.us-east-2.notebook') do
    it { should be_interface }
end

be_vpc_endpoint_policy_supported

describe aws_vpc_endpoint_service(service_name: 'aws.sagemaker.us-east-2.notebook') do
    it { should be_vpc_endpoint_policy_supported }
end

be_acceptance_required

describe aws_vpc_endpoint_service(service_name: 'tgw-rtb-08acd74550c99e911', cidr_block: '0.0.0.0/16') do
    it { should be_acceptance_required }
end

be_manages_vpc_endpoints

describe aws_vpc_endpoint_service(service_name: 'aws.sagemaker.us-east-2.notebook') do
    it { should be_manages_vpc_endpoints }
end

be_private_dns_name_verified

describe aws_vpc_endpoint_service(service_name: 'tgw-rtb-08acd74550c99e911', cidr_block: '0.0.0.0/17') do
    it { should be_private_dns_name_verified }
end

AWS Permissions

Your Principal will need the EC2:Client:DescribeVpcEndpointServicesResult action with Effect set to Allow.

You can find detailed documentation at Actions, Resources, and Condition Keys for VPC endpoint services, and Actions, Resources, and Condition Keys for Identity And Access Management.

Edit this page on GitHub

Thank you for your feedback!

×