Skip to main content

aws_elb resource

[edit on GitHub]

Use the aws_elb InSpec audit resource to test properties of a single AWS Elastic Load Balancer (ELB).

Syntax

An aws_elb resource block declares the tests for a single AWS ELB by ELB name. AWS ELB Names are unique per region.

describe aws_elb('my-elb') do
  it { should exist }
end

describe aws_elb(load_balancer_name: 'my-elb') do
  it { should exist }
end

Parameters

load_balancer_name (required)

This resource accepts a single parameter, the ELB Name which uniquely identifies the ELB. This can be passed either as a string or as a load_balancer_name: 'value' key-value entry in a hash.

See also the AWS documentation on Elastic Load Balancing.

Properties

PropertyDescription
load_balancer_nameThe name of the load balancer.
dns_nameThe DNS name of the load balancer.
availability_zonesThe Availability Zones for the load balancer.
instance_idsAn array containing all instance ids associated with the ELB.
external_portsAn array of the external ports exposed on the ELB.
internal_portsAn array of the internal ports exposed on the ELB.
security_group_idsThe security groups for the load balancer. Valid only for load balancers in a VPC.
vpc_idThe ID of the VPC for the load balancer.
subnet_idsThe IDs of the subnets for the load balancer.
listenersA collection of the listeners for the load balancer.
ssl_policiesA collection of the SSL Policies configured in-use for the load balancer (and their policy attributes).
protocolsA list of the protocols configured for the listeners of the load balancer.

Examples

Test that an ELB has its availability zones configured correctly

describe aws_elb('prod_web_app_elb') do
  its('availability_zones.count') { should be > 1 }
  its('availability_zones')       { should include 'us-east-2a' }
  its('availability_zones')       { should include 'us-east-2b' }
end

Ensure an ELB has the correct number of EC2 Instances associated with it

describe aws_elb('prod_web_app_elb') do
  its('instance_ids.count') { should cmp 3 }
end

Ensure the correct DNS is set

describe aws_elb('prod_web_app_elb') do
  its('dns_name') { should cmp 'your-fqdn.com' }
end

Ensure we only expose port 80, both to the public and internal

describe aws_elb('prod_web_app_elb') do
  its('external_ports.count') { should cmp 1 }
  its('external_ports')       { should include 80 }
  its('internal_ports.count') { should cmp 1 }
  its('internal_ports')       { should include 80 }
end

Ensure the correct EC2 Instances are associated

describe aws_elb('prod_web_app_elb') do
  its('instance_ids') { should include 'i-12345678' }
end

Matchers

This InSpec audit resource has no special matchers. For a full list of available matchers, please visit our Universal Matchers page.

exist

The control will pass if the describe returns at least one result.

Use should_not to test the entity should not exist.

describe aws_elb('AnExistingELB') do
  it { should exist }
end

describe aws_elb('ANonExistentELB') do
  it { should_not exist }
end

AWS Permissions

Your Principal will need the elasticloadbalancing:DescribeLoadBalancers action set to Allow.

You can find detailed documentation at Authentication and Access Control for Your Load Balancers