Use the aws_api_gateway_v2_authorizer InSpec audit resource to test the properties of a single specific AWS API Gateway V2 authorizer.
For additional information, including parameters and properties, see the AWS documentation on AWS APIGatewayV2 Authorizer.
Installation
This resource is available in the Chef InSpec AWS resource pack.
See the Chef InSpec documentation on cloud platforms for information on configuring your AWS environment for InSpec and creating an InSpec profile that uses the InSpec AWS resource pack.
Syntax
Ensure that the authorizer exists.
describe aws_api_gateway_v2_authorizer(api_id: 'API_ID', authorizer_id: 'AUTHORIZER_ID') do
it { should exist }
end
Parameters
api_id
(required) - The API identifier.
authorizer_id
(required) - The authorizer identifier.
Properties
authorizer_credentials_arn
- Specifies the required credentials as an IAM role for API Gateway to invoke the authorizer.
authorizer_id
- The authorizer identifier.
authorizer_result_ttl_in_seconds
- The time to live (TTL) for cached authorizer results in seconds. If it equals 0, authorization caching is disabled. If it is greater than 0, API Gateway caches authorizer responses. The maximum value is 3600, or 1 hour. Supported only for HTTP API Lambda authorizers.
authorizer_type
- The authorizer type. Specify REQUEST for a Lambda function using incoming request parameters. Specify JWT to use JSON Web Tokens (supported only for HTTP APIs).
authorizer_uri
- The authorizer’s Uniform Resource Identifier (URI).
identity_source
- The identity source for which authorization is requested.
identity_validation_expression
- The validation expression does not apply to the REQUEST authorizer.
jwt_configuration
- Represents the configuration of a JWT authorizer. Required for the JWT authorizer type. Supported only for HTTP APIs.
jwt_configuration.audience
- A list of the intended recipients of the JWT. A valid JWT must provide an aud claim that matches at least one entry in this list. Supported only for HTTP APIs.
jwt_configuration.issuer
- The base domain of the identity provider that issues JSON Web Tokens.
name
- The name of the authorizer.
authorizer_payload_format_version
- Specifies the payload format sent to an HTTP API Lambda authorizer. Required for HTTP API Lambda authorizers. Supported values are 1.0 and 2.0.
enable_simple_responses
- Specifies whether a Lambda authorizer returns a response in a simple format.
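The properties above are what a control ends up asserting on, so it helps to see the expectations written out as plain checks. The following is an added example, not code from the InSpec AWS resource pack: a small Ruby function that takes a hash keyed by the property names listed above and reports which of the documented constraints (authorizer_type in REQUEST/JWT, TTL within 0..3600, a JWT authorizer carrying an issuer and at least one audience, a Lambda authorizer using payload format 1.0 or 2.0) the configuration violates. The sample hashes, the `$request.header.Authorization` identity source, the placeholder authorizer_uri and the requirement that the issuer be an https URL are this example's own assumptions.

```ruby
# Added example: plain-Ruby policy checks over the same property names that the
# aws_api_gateway_v2_authorizer resource exposes. Nothing here calls AWS; the
# property hashes below are constructed for illustration.

MAX_TTL = 3600                 # documented upper bound for authorizer_result_ttl_in_seconds
PAYLOAD_VERSIONS = %w[1.0 2.0] # documented values for authorizer_payload_format_version
AUTHORIZER_TYPES = %w[REQUEST JWT]

# Returns an array of findings (strings). An empty array means every check passed.
def authorizer_findings(props)
  findings = []
  type = props[:authorizer_type]

  findings << 'authorizer_type must be REQUEST or JWT' unless AUTHORIZER_TYPES.include?(type)
  findings << 'identity_source must name at least one source' if Array(props[:identity_source]).empty?

  # Caching is disabled at 0 and capped at one hour; anything else is misconfigured.
  ttl = props[:authorizer_result_ttl_in_seconds]
  unless ttl.is_a?(Integer) && ttl.between?(0, MAX_TTL)
    findings << "authorizer_result_ttl_in_seconds must be an integer in 0..#{MAX_TTL}"
  end

  case type
  when 'JWT'
    jwt = props[:jwt_configuration] || {}
    findings << 'jwt_configuration.audience must list at least one intended recipient' if Array(jwt[:audience]).empty?
    # Assumed expectation of this example: the issuer must be an https URL.
    findings << 'jwt_configuration.issuer must be an https URL' unless jwt[:issuer].to_s.start_with?('https://')
  when 'REQUEST'
    # Assumed expectation of this example: a Lambda authorizer must point at a function.
    findings << 'authorizer_uri must be set for a REQUEST (Lambda) authorizer' if props[:authorizer_uri].to_s.empty?
    unless PAYLOAD_VERSIONS.include?(props[:authorizer_payload_format_version].to_s)
      findings << "authorizer_payload_format_version must be one of #{PAYLOAD_VERSIONS.join(', ')}"
    end
  end
  findings
end

# Constructed sample: a JWT authorizer that satisfies every check.
JWT_AUTHORIZER = {
  authorizer_id: 'AUTHORIZER_ID',
  name: 'jwt-authorizer',
  authorizer_type: 'JWT',
  identity_source: ['$request.header.Authorization'],
  authorizer_result_ttl_in_seconds: 0,
  jwt_configuration: { audience: ['example-api'], issuer: 'https://idp.example.com' }
}.freeze

# Constructed sample: same authorizer with an empty audience and a plain-http issuer.
WEAK_JWT_AUTHORIZER = JWT_AUTHORIZER.merge(
  jwt_configuration: { audience: [], issuer: 'http://idp.example.com' }
).freeze

# Constructed sample: a Lambda (REQUEST) authorizer; the authorizer_uri is a placeholder.
LAMBDA_AUTHORIZER = {
  authorizer_id: 'AUTHORIZER_ID',
  name: 'lambda-authorizer',
  authorizer_type: 'REQUEST',
  identity_source: ['$request.header.Authorization'],
  authorizer_result_ttl_in_seconds: 300,
  authorizer_uri: 'arn:aws:apigateway:REGION:lambda:path/2015-03-31/functions/LAMBDA_FUNCTION_ARN/invocations',
  authorizer_payload_format_version: '2.0',
  enable_simple_responses: true
}.freeze

if __FILE__ == $PROGRAM_NAME
  { 'jwt' => JWT_AUTHORIZER, 'weak jwt' => WEAK_JWT_AUTHORIZER, 'lambda' => LAMBDA_AUTHORIZER }.each do |label, props|
    findings = authorizer_findings(props)
    puts "#{label}: #{findings.empty? ? 'ok' : findings.join('; ')}"
  end
end
```

Inside an InSpec control the same expectations are expressed property by property, for example `its('authorizer_type') { should eq 'JWT' }`, `its('authorizer_result_ttl_in_seconds') { should be <= 3600 }` and `its('jwt_configuration.audience') { should_not be_empty }`; the function above just gathers them in one place so a reviewer can see the whole policy for an authorizer at once.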
Examples
Test to ensure an authorizer ID is available
describe aws_api_gateway_v2_authorizer(api_id: 'API_ID', authorizer_id: 'AUTHORIZER_ID') do
its('authorizer_id') { should eq 'AUTHORIZER_ID' }
end
Verify the authorizer result TTL
describe aws_api_gateway_v2_authorizer(api_id: 'API_ID', authorizer_id: 'AUTHORIZER_ID') do
its('authorizer_result_ttl_in_seconds') { should eq 15 }
end
Verify the authorizer type
describe aws_api_gateway_v2_authorizer(api_id: 'API_ID', authorizer_id: 'AUTHORIZER_ID') do
its('authorizer_type') { should eq 'JWT' }
end
Verify the authorizer’s name
describe aws_api_gateway_v2_authorizer(api_id: 'API_ID', authorizer_id: 'AUTHORIZER_ID') do
its('name') { should eq 'AUTHORIZER_NAME' }
end
Verify whether simple responses are enabled
describe aws_api_gateway_v2_authorizer(api_id: 'API_ID', authorizer_id: 'AUTHORIZER_ID') do
its('enable_simple_responses') { should eq true }
end
Matchers
This InSpec audit resource has the following special matchers. For a full list of available matchers, please visit our Universal Matchers page.
exist
Use should to test that the entity exists. The control passes if the get method returns at least one result.
describe aws_api_gateway_v2_authorizer(api_id: 'API_ID', authorizer_id: 'AUTHORIZER_ID') do
it { should exist }
end
not exist
Use should_not to test that the entity does not exist.
describe aws_api_gateway_v2_authorizer(api_id: 'API_ID', authorizer_id: 'AUTHORIZER_ID') do
it { should_not exist }
end
AWS Permissions
Your Principal will need the APIGatewayv2:Client:GetAuthorizerResponse action with Effect set to Allow.