aws_api_gateway_v2_integration resource
Use the aws_api_gateway_v2_integration InSpec audit resource to test the properties of a specific AWS API Gateway V2 integration.
For additional information, including parameters and properties, see the AWS documentation on AWS APIGatewayV2 Integration.
Installation
This resource is available in the Chef InSpec AWS resource pack.
See the Chef InSpec documentation on cloud platforms for information on configuring your AWS environment for InSpec and creating an InSpec profile that uses the InSpec AWS resource pack.
Syntax
Ensure that the integration exists.
describe aws_api_gateway_v2_integration(api_id: 'APP_ID', integration_id: 'INTEGRATION_ID') do
  it { should exist }
end
Parameters
api_id
(required) - The API identifier.
integration_id
(required) - The integration ID.
Properties
api_gateway_managed
- Specifies whether API Gateway manages the integration.
connection_id
- The VPC link ID for a private integration. Supported only for HTTP APIs.
connection_type
- The network connection type to the integration endpoint. Specify INTERNET for connections through the public routable internet or VPC_LINK for private connections between API Gateway and resources in a VPC. The default value is INTERNET.
content_handling_strategy
- Supported only for WebSocket APIs. Specifies how to handle response payload content type conversions. Supported values are CONVERT_TO_BINARY and CONVERT_TO_TEXT, with the following behaviors:
CONVERT_TO_BINARY: Converts a response payload from a Base64-encoded string to the corresponding binary blob.
CONVERT_TO_TEXT: Converts a response payload from a binary blob to a Base64-encoded string.
If this property is not defined, the response payload will be passed through from the integration response to the route response or method response without modification.
credentials_arn
- Specifies the credentials required for the integration, if any.
description
- The description of an integration.
integration_id
- The identifier of an integration.
integration_method
- Specifies the integration’s HTTP method type.
integration_response_selection_expression
- The integration response selection expression for the integration. Supported only for WebSocket APIs.
integration_subtype
- Supported only for HTTP API AWS_PROXY integrations. Specifies the AWS service action to invoke.
integration_type
- The integration type. One of the following:
AWS: for integrating the route or method request with an AWS service action, including the Lambda function-invoking action. With the Lambda function-invoking action, this is referred to as the Lambda custom integration. With any other AWS service action, this is known as AWS integration. Supported only for WebSocket APIs.
AWS_PROXY: for integrating the route or method request with a Lambda function or other AWS service action. This integration is also referred to as a Lambda proxy integration.
HTTP: for integrating the route or method request with an HTTP endpoint. This integration is also referred to as the HTTP custom integration. Supported only for WebSocket APIs.
HTTP_PROXY: for integrating the route or method request with an HTTP endpoint, with the client request passed through as-is. This is also referred to as HTTP proxy integration.
MOCK: for integrating the route or method request with API Gateway as a loopback endpoint without invoking any backend. Supported only for WebSocket APIs.
integration_uri
- For a Lambda integration, specify the URI of a Lambda function.
For an HTTP integration, specify a fully-qualified URL.
For an HTTP API private integration, specify the ARN of an Application Load Balancer listener, Network Load Balancer listener, or AWS Cloud Map service. If you specify the ARN of an AWS Cloud Map service, API Gateway uses DiscoverInstances to identify resources. You can use query parameters to target specific resources.
passthrough_behavior
- Specifies the pass-through behavior for incoming requests based on the Content-Type header in the request, and the available mapping templates specified as the requestTemplates property on the Integration resource. There are three valid values: WHEN_NO_MATCH, WHEN_NO_TEMPLATES, and NEVER. Supported only for WebSocket APIs.
WHEN_NO_MATCH passes the request body for unmapped content types to the integration backend without transformation.
NEVER rejects unmapped content types with an HTTP 415 Unsupported Media Type response.
WHEN_NO_TEMPLATES allows pass-through when the integration has no content types mapped to templates. However, if at least one content type is defined, unmapped content types will be rejected with the same HTTP 415 Unsupported Media Type response.
payload_format_version
- Specifies the format of the payload sent to an integration. Required for HTTP APIs. For HTTP APIs, supported values for Lambda proxy integrations are 1.0 and 2.0. For all other integrations, 1.0 is the only supported value.
request_parameters
- For WebSocket APIs, a key-value map specifies request parameters passed from the method request to the backend. The key is an integration request parameter name. The associated value is a method request parameter value or static value that must be enclosed within single quotes and pre-encoded as required by the backend. The method request parameter value must match the pattern of method.request.{location}.{name}, where {location} is query string, path, or header; and {name} must be a valid and unique method request parameter name.
response_parameters
- Supported only for HTTP APIs. You use response parameters to transform the HTTP response from a backend integration before returning the response to clients. Specify a key-value map from a selection key to response parameters. The selection key must be a valid HTTP status code within the range of 200-599. Response parameters are a key-value map. The key must match pattern <action>:<header>.<location> or overwrite.statuscode. The action can be append, overwrite or remove. The value can be a static value, or map to response data, stage variables, or context variables that are evaluated at runtime.
request_templates
- Represents a map of Velocity templates that are applied on the request payload based on the value of the Content-Type header sent by the client. The content type value is the key in this map, and the template (as a String) is the value. Supported only for WebSocket APIs.
template_selection_expression
- The template selection expression for the integration. Supported only for WebSocket APIs.
timeout_in_millis
- Custom timeout between 50 and 29,000 milliseconds for WebSocket APIs and between 50 and 30,000 milliseconds for HTTP APIs. The default timeout is 29 seconds for WebSocket APIs and 30 seconds for HTTP APIs.
tls_config.server_name_to_verify
- The TLS configuration for a private integration. If you specify a TLS configuration, private integration traffic uses the HTTPS protocol. Supported only for HTTP APIs. If you specify a server name, API Gateway uses it to verify the hostname on the integration’s certificate. The server name is also included in the TLS handshake to support Server Name Indication (SNI) or virtual hosting.
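The passthrough_behavior rules listed above, modeled in plain Ruby so the effect of each value on unmapped content types can be checked offline. This is an added example, not code from the InSpec AWS resource pack or from API Gateway; the function names, return symbols, exact-match comparison of content types and the sample template are assumptions.

```ruby
# Added example: models the passthrough_behavior rules for a WebSocket
# integration. Function names and return symbols are hypothetical.
VALID_BEHAVIORS = %w[WHEN_NO_MATCH WHEN_NO_TEMPLATES NEVER].freeze

# behavior:          value of the passthrough_behavior property
# request_templates: Hash of content type => Velocity template (request_templates)
# content_type:      Content-Type header value sent by the client
# Assumption: a content type is "mapped" when it equals a template key exactly.
def passthrough_outcome(behavior, request_templates, content_type)
  unless VALID_BEHAVIORS.include?(behavior)
    raise ArgumentError, "unknown passthrough_behavior: #{behavior.inspect}"
  end

  templates = request_templates || {}
  return :transformed if templates.key?(content_type)

  case behavior
  when 'WHEN_NO_MATCH' then :passed_through
  when 'NEVER' then :rejected_415
  when 'WHEN_NO_TEMPLATES'
    # Pass-through is allowed only while no content type is mapped at all.
    templates.empty? ? :passed_through : :rejected_415
  end
end

# Returns the content types from `probe_types` whose bodies would reach the
# backend without passing through a mapping template.
def untransformed_types(behavior, request_templates, probe_types)
  probe_types.select do |type|
    passthrough_outcome(behavior, request_templates, type) == :passed_through
  end
end

# Constructed sample data: one JSON template and three client content types.
TEMPLATES = { 'application/json' => '{"action": "$input.path(\'$.action\')"}' }.freeze
PROBES = ['application/json', 'text/xml', 'application/x-www-form-urlencoded'].freeze

if __FILE__ == $PROGRAM_NAME
  VALID_BEHAVIORS.each do |behavior|
    puts "#{behavior}: #{untransformed_types(behavior, TEMPLATES, PROBES).inspect}"
  end
  puts "WHEN_NO_TEMPLATES, no templates: #{untransformed_types('WHEN_NO_TEMPLATES', {}, PROBES).inspect}"
end
```

With a template defined, only WHEN_NO_MATCH lets unmapped content types through to the backend; with no templates at all, WHEN_NO_TEMPLATES does as well, which is why the test under Examples pins the value to NEVER.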
Examples
Test to ensure an integration ID is available
describe aws_api_gateway_v2_integration(api_id: 'APP_ID', integration_id: 'INTEGRATION_ID') do
  its('integration_id') { should eq 'INTEGRATION_ID' }
end
Verify the connection type
describe aws_api_gateway_v2_integration(api_id: 'APP_ID', integration_id: 'INTEGRATION_ID') do
  its('connection_type') { should eq 'INTERNET' }
end
Verify the integration type
describe aws_api_gateway_v2_integration(api_id: 'APP_ID', integration_id: 'INTEGRATION_ID') do
  its('integration_type') { should eq 'AWS' }
end
Verify the pass-through behavior
describe aws_api_gateway_v2_integration(api_id: 'APP_ID', integration_id: 'INTEGRATION_ID') do
  its('passthrough_behavior') { should eq 'NEVER' }
end
Matchers
This InSpec audit resource has the following special matchers. For a full list of available matchers, please visit our Universal Matchers page.
The control passes if the get method returns at least one result.
exist
Use should to test that the entity exists.
describe aws_api_gateway_v2_integration(api_id: 'APP_ID', integration_id: 'INTEGRATION_ID') do
  it { should exist }
end
not exist
Use should_not to test that the entity does not exist.
describe aws_api_gateway_v2_integration(api_id: 'APP_ID', integration_id: 'INTEGRATION_ID') do
  it { should_not exist }
end
AWS Permissions
Your Principal will need the APIGatewayv2:Client:GetIntegrationResult action with Effect set to Allow.