Skip to main content

aws_api_gateway_v2_route resource

[edit on GitHub]

Use the aws_api_gateway_v2_route InSpec audit resource to test the properties of a specific AWS API Gateway V2 Route.

For additional information, including parameters and properties, see the AWS documentation on AWS APIGatewayV2 Route.

Installation

This resource is available in the Chef InSpec AWS resource pack.

See the Chef InSpec documentation on cloud platforms for information on configuring your AWS environment for InSpec and creating an InSpec profile that uses the InSpec AWS resource pack.

Syntax

Ensure that the route exists.

describe aws_api_gateway_v2_route(api_id: 'APP_ID', route_id: 'ROUTE_ID') do
  it { should exist }
end

Parameters

api_id (required)
The API identifier.
route_id (required)
The route identifier.

Properties

api_gateway_managed
Specifies whether a route is managed by API Gateway. If you created an API using quick create, the $default route is managed by API Gateway. You cannot modify the $default route key.
api_key_required
Specifies whether an API key is required for this route. Supported only for WebSocket APIs.
authorization_scopes
A list of authorization scopes configured on a route. The scopes are used with a JWT authorizer to authorize the method invocation. The authorization works by matching the route scopes against the scopes parsed from the access token in the incoming request. The method invocation is authorized if any route scope matches a claimed scope in the access token. Otherwise, the invocation is not authorized. When the route scope is configured, the client must provide an access token instead of an identity token for authorization purposes.
authorization_type
The authorization type for the route. For WebSocket APIs, valid values are NONE for open access, AWS_IAM for using AWS IAM permissions, and CUSTOM for using a Lambda authorizer. For HTTP APIs, valid values are NONE for open access, JWT for using JSON Web Tokens, AWS_IAM for using AWS IAM permissions, and CUSTOM for using a Lambda authorizer.
authorizer_id
The identifier of the Authorizer resource to be associated with this route. The authorizer identifier is generated by API Gateway when you created the authorizer.
model_selection_expression
The model selection expression for the route. Supported only for WebSocket APIs.
operation_name
The operation name for the route.
request_models
The request models for the route. Supported only for WebSocket APIs.
request_parameters
The request parameters for the route. Supported only for WebSocket APIs.
route_id
The route ID.
route_key
The route key for the route.
route_response_selection_expression
The route response selection expression for the route. Supported only for WebSocket APIs.
target
The target for the route.

Examples

Test to ensure an authorizer ID is available

describe aws_api_gateway_v2_route(api_id: 'APP_ID', route_id: 'ROUTE_ID') do
  its('authorizer_id') { should eq 'AUTHORIZER_ID' }
end

Test to verify the requirement of the API key

describe aws_api_gateway_v2_route(api_id: 'APP_ID', route_id: 'ROUTE_ID') do
  its('api_key_required') { should eq true }
end

Test to verify the authorization type

describe aws_api_gateway_v2_route(api_id: 'APP_ID', route_id: 'ROUTE_ID') do
  its('authorization_type') { should eq 'JWT' }
end

Test to verify the operation name

describe aws_api_gateway_v2_route(api_id: 'APP_ID', route_id: 'ROUTE_ID') do
  its('operation_name') { should eq 'OPERATION_NAME' }
end

Test to ensure a route key is available

describe aws_api_gateway_v2_route(api_id: 'APP_ID', route_id: 'ROUTE_ID') do
  its('route_key') { should eq 'ROUTE_KEY' }
end

Test to verify the target

describe aws_api_gateway_v2_route(api_id: 'APP_ID', route_id: 'ROUTE_ID') do
  its('target') { should eq 'ROUTE_TARGET' }
end

Matchers

This InSpec audit resource has the following special matchers. For a full list of available matchers, please visit our Universal Matchers page.

The control passes if the get method returns at least one result.

exist

Use should to test that the entity exists.

describe aws_api_gateway_v2_route(api_id: 'APP_ID', route_id: 'ROUTE_ID') do
  it { should exist }
end

not exist

Use should_not to test that the entity does not exist.

describe aws_api_gateway_v2_route(api_id: 'APP_ID', route_id: 'ROUTE_ID') do
  it { should_not exist }
end

AWS Permissions

Your Principal will need the APIGatewayv2:Client:GetRouteResult action with Effect set to Allow.

Was this page helpful?

×









Search Results