0

I am testing out basic Chef Inspec code. I am running it from a Mac using the API call:

inspec exec sg-disallow-ftp.rb -t aws://

Here is the Chef code for the profile:

title 'Test AWS Security Groups Across All Regions For an Account Disallow FTP'

control 'aws-multi-region-security-group-ftp-1.0' do

  impact 1.0
  title 'Ensure AWS Security Groups disallow FTP ingress from 0.0.0.0/0.'

  aws_region.region_names.each do |region|
    aws_security_groups(aws_region: region).group_ids.each do |security_group_id|
      describe aws_security_group(aws_region: region, group_id: security_group_id) do
        it { should exist }
        it { should_not allow_in(ipv4_range: '0.0.0.0/0', port: 21) }
      end
    end
  end
end

I am getting this error:

×  aws-multi-region-security-group-ftp-1.0: Ensure AWS Security Groups disallow FTP ingress from 0.0.0.0/0.
     ×  Control Source Code Error sg-disallow-ftp.rb:3 
     undefined local variable or method `aws_region' for #<#<Class:0x00007fc35a095158>:0x00007fc356ebd568>
John Rotenstein

2 Answers

1

So I finally figured it out: I had to run inspec vendor --overwrite in the profile directory, and the test executed.

0

It seems that you are missing a few configurations.

I will assume that you have created an inspec profile named aws. You can create a profile by leveraging inspec init:

$ inspec init profile aws

Once you have created the profile, you need to specify the dependency on inspec-aws to use the resources. You will do this in the aws/inspec.yml file, which will look something like:

name: aws
title: InSpec Profile
maintainer: The Authors
copyright: The Authors
copyright_email: you@example.com
license: Apache-2.0
summary: An InSpec Compliance Profile
version: 0.1.0
supports:
  platform: aws
inspec_version: '>= 4.6.9'
depends:
  - name: inspec-aws
    url: https://github.com/inspec/inspec-aws/archive/v1.3.2.tar.gz

And you should be ready to go.

You can verify that it works by using inspec shell in conjunction with resource packs, like so:

$ inspec shell --depends aws -t aws://
Mr.
  • Thanks, appreciate this, will give it a shot – Rodney Bizzell Nov 10 '19 at 23:10
  • I tried to execute a profile using this command, inspec exec rodney-profile -t aws://, and I get this error: "/opt/inspec/embedded/lib/ruby/2.6.0/open-uri.rb:378:in `open_http': 404 Not Found (OpenURI::HTTPError)". I am running version 4.18.24 of InSpec on macOS. I installed InSpec using brew – Rodney Bizzell Nov 11 '19 at 05:01
  • I also tried to run this command, inspec shell --depends ${name of profile} -t aws://, and I got this error message: No file provider for the provided path – Rodney Bizzell Nov 11 '19 at 14:30
  • So if I run Chef InSpec from the controls directory, I can get a successful run of the InSpec test: inspec exec iam.rb -t aws:// executed fine. But trying to run from a profile doesn't work: inspec exec iam -t aws:// gets the error 404 Not Found (OpenURI::HTTPError) – Rodney Bizzell Nov 11 '19 at 16:43
  • I tried to run a simple test, describe aws_regions do its('region_names') { should include 'eu-west-2' } end, and got the error: undefined local variable or method `aws_regions' for #<#:0x00007f9b39 – Rodney Bizzell Nov 11 '19 at 17:17
  • @RodneyBizzell: please read my answer again and pay attention to the details - I did not change my working directory, and every command was executed from the root directory. Please try my answer above to verify that it works for you. – Mr. Nov 11 '19 at 19:08
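
A preflight check for the two fixes given in the answers above, as an added example that is not code from the posts or from the InSpec project: it reports whether the exec target has an inspec.yml that declares inspec-aws and whether inspec.lock reflects that entry. The function names, the constructed sample profile and the assumed inspec.lock layout (YAML with a depends list of names) are assumptions made for illustration.

```ruby
require 'yaml'
require 'tmpdir'

PACK = 'inspec-aws' # resource pack named in the answer's inspec.yml

# Returns the reasons pack resources such as aws_region may be undefined for
# this `inspec exec` target. Empty list: the pack is declared and vendored.
def preflight(target)
  meta_file = File.join(target, 'inspec.yml')
  unless File.file?(meta_file)
    return ["#{target} has no inspec.yml, so nothing declares #{PACK}"]
  end
  names = lambda do |file|
    doc = YAML.safe_load(File.read(file)) || {}
    Array(doc['depends']).map { |d| d['name'] if d.is_a?(Hash) }.compact
  end
  return ["inspec.yml does not list #{PACK} under depends"] unless names.call(meta_file).include?(PACK)

  lock = File.join(target, 'inspec.lock')
  # The first answer fixed the error by vendoring, so a missing or stale lock
  # is reported. Assumption: inspec.lock is YAML with its own depends list.
  if !File.file?(lock)
    ['no inspec.lock: run inspec vendor in the profile directory']
  elsif !names.call(lock).include?(PACK)
    ["inspec.lock predates the #{PACK} entry: run inspec vendor --overwrite"]
  else
    []
  end
end

# Constructed sample profile, written to a temp dir so the check runs offline.
# The url is a placeholder, not a real release archive.
def sample_profile(dir, depends: true, lock: nil)
  meta = { 'name' => 'aws', 'supports' => [{ 'platform' => 'aws' }] }
  meta['depends'] = [{ 'name' => PACK, 'url' => 'https://example.invalid/pack.tar.gz' }] if depends
  File.write(File.join(dir, 'inspec.yml'), meta.to_yaml)
  return dir if lock.nil?
  File.write(File.join(dir, 'inspec.lock'), { 'lockfile_version' => 1, 'depends' => lock }.to_yaml)
  dir
end

if __FILE__ == $PROGRAM_NAME
  Dir.mktmpdir do |dir|
    puts preflight(File.join(dir, 'sg-disallow-ftp.rb')).inspect # bare control file
    puts preflight(sample_profile(dir)).inspect                   # declared, not vendored
    puts preflight(sample_profile(dir, lock: [{ 'name' => PACK }])).inspect # ready
  end
end
```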