aws_route_tables resource
Use the aws_route_tables InSpec audit resource to test the properties of all route tables or a group of route tables, and all routes or a group of routes. A route table contains a set of rules, called routes, that are used to determine where network traffic is directed.
For additional information, including details on parameters and properties, see the AWS documentation on route tables.
Syntax
describe aws_route_tables do
it { should exist }
end
Parameters
This resource does not require any parameters.
Properties
route_table_ids - The route table IDs. Field: route_table_id
vpc_ids - The VPC IDs. Field: vpc_id
entries - Provides access to the raw results of the query, which can be treated as an array of hashes. Field: Not Applicable
routes(carrier_gateway_ids) - The ID of the carrier gateway. Field: carrier_gateway_id
routes(destination_cidr_blocks) - The IPv4 CIDR block used for the destination match. Field: destination_cidr_block
routes(destination_ipv_6_cidr_blocks) - The IPv6 CIDR block used for the destination match. Field: destination_ipv_6_cidr_block
routes(destination_prefix_list_ids) - The prefix of the AWS service. Field: destination_prefix_list_id
routes(egress_only_internet_gateway_ids) - The ID of the egress-only internet gateway. Field: egress_only_internet_gateway_id
routes(gateway_ids) - The ID of a gateway attached to your VPC. Field: gateway_id
routes(instance_ids) - The ID of a NAT instance in your VPC. Field: instance_id
routes(local_gateway_ids) - The ID of the local gateway. Field: instance_owner_id
routes(nat_gateway_ids) - The ID of a NAT gateway. Field: nat_gateway_id
routes(network_interface_ids) - The ID of the network interface. Field: network_interface_id
routes(transit_gateway_ids) - The ID of a transit gateway. Field: transit_gateway_id
routes(vpc_peering_connection_ids) - The ID of a VPC peering connection. Field: vpc_peering_connection_id
routes(instance_owner_ids) - The owner ID of a NAT instance in your VPC. Field: instance_owner_id
routes(origins) - Describes how the route was created. Field: origin
routes(states) - The state of the route. Field: state
route_table_association_ids - List of associated route table association IDs. Field: route_table_association_ids
association_subnet_ids - List of subnet IDs across all association states (associated, failed, disassociated). Field: association_subnet_ids
associated_subnet_ids - List of associated subnet IDs. Field: associated_subnet_ids
association_gateway_ids - List of gateway IDs across all association states (associated, failed, disassociated). Field: association_gateway_ids
associated_gateway_ids - List of associated gateway IDs. Field: associated_gateway_ids
association_states - List of all association states (associated, failed, disassociated). Field: association_states
main - Flag that indicates the main route table. Field: main
Examples
Confirm that a route table exists for a given VPC:
describe aws_route_tables do
its('vpc_ids') { should include 'VPC_ID' }
end
Confirm a route table exists:
describe aws_route_tables do
its('route_table_ids') { should include 'ROUTE_TABLE_ID' }
end
Confirm that a destination CIDR block is present in the routes:
describe aws_route_tables do
its('destination_cidr_blocks') { should include "IPV4_CIDR_BLOCK" }
end
Ensure that a subnet ID of interest is associated:
describe aws_route_tables do
its('associated_subnet_ids') { should include 'SUBNET_ID' }
end
Filter only main route tables:
describe aws_route_tables.where(main: true) do
it { should exist }
end
Filter all failed associations (the block form of where is needed because association_states is a list per route table):
describe aws_route_tables.where{ association_states.include?('failed') } do
it { should exist }
end
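The main-table and association-state filters above are the building blocks of a typical hardening control: flag any route table that carries an active default route to an internet gateway without being on the allow-list of intentionally public tables, and surface associations left in the failed state. The following is an added example, not code from the InSpec docs or the inspec-aws resource: plain Ruby run over a constructed sample shaped like the entries behind aws_route_tables, with field names taken from the property table and all route table, subnet, VPC and gateway IDs made up.

```ruby
# Constructed sample (not real AWS data); keys mirror the resource's fields.
SAMPLE_ROUTE_TABLES = [
  { route_table_id: 'rtb-0main', vpc_id: 'vpc-0example', main: true,
    routes: [{ destination_cidr_block: '10.0.0.0/16', gateway_id: 'local', state: 'active' }],
    associations: [{ subnet_id: nil, state: 'associated' }] },
  { route_table_id: 'rtb-0public', vpc_id: 'vpc-0example', main: false,
    routes: [{ destination_cidr_block: '10.0.0.0/16', gateway_id: 'local', state: 'active' },
             { destination_cidr_block: '0.0.0.0/0', gateway_id: 'igw-0example', state: 'active' }],
    associations: [{ subnet_id: 'subnet-0pub', state: 'associated' },
                   { subnet_id: 'subnet-0stale', state: 'failed' }] },
  { route_table_id: 'rtb-0private', vpc_id: 'vpc-0example', main: false,
    # A blackhole IPv6 default route: its target is gone, so it is not reachable.
    routes: [{ destination_cidr_block: '10.0.0.0/16', gateway_id: 'local', state: 'active' },
             { destination_ipv_6_cidr_block: '::/0', gateway_id: 'igw-0example', state: 'blackhole' }],
    associations: [{ subnet_id: 'subnet-0priv', state: 'associated' }] },
].freeze

DEFAULT_ROUTES = ['0.0.0.0/0', '::/0'].freeze

# True when the route is an active catch-all (IPv4 or IPv6) whose target is an
# internet gateway; blackhole routes and NAT/peering targets do not count.
def internet_default_route?(route)
  dest = route[:destination_cidr_block] || route[:destination_ipv_6_cidr_block]
  DEFAULT_ROUTES.include?(dest) && route[:state] == 'active' &&
    route[:gateway_id].to_s.start_with?('igw-')
end

# IDs of route tables that reach the internet but are not on the allow-list of
# tables meant to be public (the shape of a where(...) filter plus a block).
def unexpected_internet_tables(tables, allowed_public_ids)
  tables.reject { |t| allowed_public_ids.include?(t[:route_table_id]) }
        .select { |t| t[:routes].any? { |r| internet_default_route?(r) } }
        .map { |t| t[:route_table_id] }
end

# [route_table_id, subnet_id] pairs whose association is in the 'failed' state,
# one of the three association states (associated, failed, disassociated).
def failed_associations(tables)
  tables.flat_map do |t|
    t[:associations].select { |a| a[:state] == 'failed' }
                    .map { |a| [t[:route_table_id], a[:subnet_id]] }
  end
end

if __FILE__ == $PROGRAM_NAME
  puts "unexpected internet tables: #{unexpected_internet_tables(SAMPLE_ROUTE_TABLES, ['rtb-0public']).inspect}"
  puts "failed associations: #{failed_associations(SAMPLE_ROUTE_TABLES).inspect}"
end
```

Feeding the real output of DescribeRouteTables through the same two functions gives a list a control can assert is empty; in InSpec the equivalent is the where block form shown above with should_not exist.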
Matchers
exist
The control will pass if the describe returns at least one result.
Use should_not to test that the entity does not exist.
describe aws_route_tables do
it { should exist }
end
AWS Permissions
Your AWS principal will need the EC2:Client:DescribeRouteTablesResult action with Effect set to Allow.
You can find detailed documentation at Actions, Resources, and Condition Keys for Amazon EC2.