aws_api_gateway_v2_route resource
Use the aws_api_gateway_v2_route
InSpec audit resource to test the properties of a specific AWS API Gateway V2 Route.
For additional information, including parameters and properties, see the AWS documentation on AWS APIGatewayV2 Route.
Installation
This resource is available in the Chef InSpec AWS resource pack.
See the Chef InSpec documentation on cloud platforms for information on configuring your AWS environment for InSpec and creating an InSpec profile that uses the InSpec AWS resource pack.
Syntax
Ensure that the route exists.
describe aws_api_gateway_v2_route(api_id: 'APP_ID', route_id: 'ROUTE_ID') do
it { should exist }
end
Parameters
api_id
(required)- The API identifier.
route_id
(required)- The route identifier.
Properties
api_gateway_managed
- Specifies whether a route is managed by API Gateway. If you created an API using quick create, the
$default
route is managed by API Gateway. You cannot modify the$default
route key. api_key_required
- Specifies whether an API key is required for this route. Supported only for WebSocket APIs.
authorization_scopes
- A list of authorization scopes configured on a route. The scopes are used with a JWT authorizer to authorize the method invocation. The authorization works by matching the route scopes against the scopes parsed from the access token in the incoming request. The method invocation is authorized if any route scope matches a claimed scope in the access token. Otherwise, the invocation is not authorized. When the route scope is configured, the client must provide an access token instead of an identity token for authorization purposes.
authorization_type
- The authorization type for the route. For WebSocket APIs, valid values are
NONE
for open access,AWS_IAM
for using AWS IAM permissions, andCUSTOM
for using a Lambda authorizer. For HTTP APIs, valid values areNONE
for open access,JWT
for using JSON Web Tokens,AWS_IAM
for using AWS IAM permissions, andCUSTOM
for using a Lambda authorizer. authorizer_id
- The identifier of the Authorizer resource to be associated with this route. The authorizer identifier is generated by API Gateway when you created the authorizer.
model_selection_expression
- The model selection expression for the route. Supported only for WebSocket APIs.
operation_name
- The operation name for the route.
request_models
- The request models for the route. Supported only for WebSocket APIs.
request_parameters
- The request parameters for the route. Supported only for WebSocket APIs.
route_id
- The route ID.
route_key
- The route key for the route.
route_response_selection_expression
- The route response selection expression for the route. Supported only for WebSocket APIs.
target
- The target for the route.
Examples
Test to ensure an authorizer ID is available
describe aws_api_gateway_v2_route(api_id: 'APP_ID', route_id: 'ROUTE_ID') do
its('authorizer_id') { should eq 'AUTHORIZER_ID' }
end
Test to verify the requirement of the API key
describe aws_api_gateway_v2_route(api_id: 'APP_ID', route_id: 'ROUTE_ID') do
its('api_key_required') { should eq true }
end
Test to verify the authorization type
describe aws_api_gateway_v2_route(api_id: 'APP_ID', route_id: 'ROUTE_ID') do
its('authorization_type') { should eq 'JWT' }
end
Test to verify the operation name
describe aws_api_gateway_v2_route(api_id: 'APP_ID', route_id: 'ROUTE_ID') do
its('operation_name') { should eq 'OPERATION_NAME' }
end
Test to ensure a route key is available
describe aws_api_gateway_v2_route(api_id: 'APP_ID', route_id: 'ROUTE_ID') do
its('route_key') { should eq 'ROUTE_KEY' }
end
Test to verify the target
describe aws_api_gateway_v2_route(api_id: 'APP_ID', route_id: 'ROUTE_ID') do
its('target') { should eq 'ROUTE_TARGET' }
end
Matchers
This InSpec audit resource has the following special matchers. For a full list of available matchers, please visit our Universal Matchers page.
The control passes if the get
method returns at least one result.
exist
Use should
to test that the entity exists.
describe aws_api_gateway_v2_route(api_id: 'APP_ID', route_id: 'ROUTE_ID') do
it { should exist }
end
not exist
Use should_not
to test that the entity does not exist.
describe aws_api_gateway_v2_route(api_id: 'APP_ID', route_id: 'ROUTE_ID') do
it { should_not exist }
end
AWS Permissions
Your Principal will need the APIGatewayv2:Client:GetRouteResult
action with Effect
set to Allow
.