aws_api_gateway_v2_routes Resource
Use the aws_api_gateway_v2_routes
InSpec audit resource to test the properties of multiple AWS API Gateway V2 Routes.
For additional information, including parameters and properties, see the AWS documentation on AWS APIGatewayV2 Route.
Installation
This resource is available in the Chef InSpec AWS resource pack.
See the Chef InSpec documentation on cloud platforms for information on configuring your AWS environment for InSpec and creating an InSpec profile that uses the InSpec AWS resource pack.
Syntax
Ensure that the route exists.
describe aws_api_gateway_v2_routes(api_id: 'APP_ID') do
it { should exist }
end
Parameters
api_id
(required)- The API identifier.
Properties
api_gateway_manageds
- Specifies whether a route is managed by API Gateway. If you created an API using quick create, the
$default
route is managed by API Gateway. You cannot modify the$default
route key. Field:
api_gateway_managed
api_key_requireds
- Specifies whether an API key is required for this route. Supported only for WebSocket APIs.
Field:
api_key_required
authorization_scopes
- A list of authorization scopes configured on a route. The scopes are used with a JWT authorizer to authorize the method invocation. The authorization works by matching the route scopes against the scopes parsed from the access token in the incoming request. The method invocation is authorized if any route scope matches a claimed scope in the access token. Otherwise, the invocation is not authorized. When the route scope is configured, the client must provide an access token instead of an identity token for authorization purposes.
Field:
authorization_scopes
authorization_types
- The authorization type for the route. For WebSocket APIs, valid values are
NONE
for open access,AWS_IAM
for using AWS IAM permissions, andCUSTOM
for using a Lambda authorizer. For HTTP APIs, valid values areNONE
for open access,JWT
for using JSON Web Tokens,AWS_IAM
for using AWS IAM permissions, andCUSTOM
for using a Lambda authorizer. Field:
authorization_type
authorizer_ids
- The identifier of the Authorizer resource to be associated with this route. The authorizer identifier is generated by API Gateway when you created the authorizer.
Field:
authorizer_id
model_selection_expressions
- The model selection expression for the route. Supported only for WebSocket APIs.
Field:
model_selection_expression
operation_names
- The operation name for the route.
Field:
operation_name
request_models
- The request models for the route. Supported only for WebSocket APIs.
Field:
request_models
request_parameters
- The request parameters for the route. Supported only for WebSocket APIs.
Field:
request_parameters
route_ids
- The route ID.
Field:
route_id
route_keys
- The route key for the route.
Field:
route_key
route_response_selection_expressions
- The route response selection expression for the route. Supported only for WebSocket APIs.
Field:
route_response_selection_expression
targets
- The target for the route.
Field:
target
Examples
Test to ensure an authorizer ID is available
describe aws_api_gateway_v2_routes(api_id: 'APP_ID') do
its('authorizer_ids') { should include 'AUTHORIZER_ID' }
end
Test to verify the requirement of the API key
describe aws_api_gateway_v2_routes(api_id: 'APP_ID') do
its('api_key_requireds') { should include true }
end
Test to verify the authorization type
describe aws_api_gateway_v2_routes(api_id: 'APP_ID') do
its('authorization_types') { should include 'JWT' }
end
Test to verify the operation name
describe aws_api_gateway_v2_routes(api_id: 'APP_ID') do
its('operation_names') { should include 'OPERATION_NAME' }
end
Matchers
This InSpec audit resource has the following special matchers. For a full list of available matchers, please visit our Universal Matchers page.
The control passes if the get
method returns at least one result.
exist
Use should
to test that the entity exists.
describe aws_api_gateway_v2_routes(api_id: 'APP_ID') do
it { should exist }
end
not exist
Use should_not
to test that the entity does not exist.
describe aws_api_gateway_v2_routes(api_id: 'APP_ID') do
it { should_not exist }
end
AWS Permissions
Your Principal will need the APIGatewayv2:Client:GetRoutesResult
action with Effect
set to Allow
.