aws_nat_gateway resource
Use the aws_nat_gateway InSpec audit resource to test the properties of a single AWS NAT gateway.
Syntax
An aws_nat_gateway resource block declares the tests for a single AWS NAT gateway by id, name, vpc_id or subnet_id.
describe aws_nat_gateway(id: 'nat-abc0123456789deff') do
it { should exist }
end
describe aws_nat_gateway(name: 'my-nat-gateway') do
it { should exist }
end
Multiple parameters can be provided for better granularity.
describe aws_nat_gateway(vpc_id: 'vpc-abc01234', subnet_id: 'subnet-6789deff') do
it { should exist }
end
Parameters
At least one of the following parameters must be provided.
- id
- name
- subnet_id
- vpc_id
id
The value of the nat_gateway_id assigned by AWS after the resource has been created.
This should be in the format of nat- followed by 8 or 17 hexadecimal characters and passed as an id: 'value' key-value entry in a hash.
name
If a Name tag is applied to the NAT gateway, this can be used to look up the resource.
This must be passed as a name: 'value' key-value entry in a hash.
If there are multiple NAT gateways with the same name, this resource will raise an error.
subnet_id
The ID of the subnet in which the NAT gateway is placed.
This should be in the format of subnet- followed by 8 or 17 hexadecimal characters and passed as a subnet_id: 'value' key-value entry in a hash.
vpc_id
The ID of the VPC in which the NAT gateway is located.
This should be in the format of vpc- followed by 8 or 17 hexadecimal characters and passed as a vpc_id: 'value' key-value entry in a hash.
Properties
| Property | Description |
|---|---|
| id | The ID of the NAT gateway. |
| name | The value of the Name tag. It is nil if not defined. |
| vpc_id | The ID of the VPC in which the NAT gateway is located. |
| subnet_id | The ID of the subnet in which the NAT gateway is placed. |
| tags | A hash, with each key-value pair corresponding to a NAT gateway tag. |
| nat_gateway_address_set | A hash of NatGatewayAddress objects that gives information about the IP addresses and network interface associated with the NAT gateway. |
| state | The state of the NAT gateway. Valid values are: pending, failed, available, deleting and deleted. |
There are also additional properties available. For a comprehensive list, see the API reference documentation.
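The following plain-Ruby model, added here and not InSpec's own implementation, illustrates the lookup rules from the Parameters section (id format checks, filtering by any combination of id, name, subnet_id and vpc_id, and the error on ambiguous Name tags) and the properties listed above, run over a constructed DescribeNatGateways-style response; the helper name lookup_nat_gateway and the sample values are assumptions.

```ruby
# Added example: a model of the aws_nat_gateway lookup semantics, not InSpec code.
# Formats documented on the page: prefix followed by 8 or 17 hex characters.
ID_FORMATS = {
  id:        /\Anat-[0-9a-f]{8}([0-9a-f]{9})?\z/,
  subnet_id: /\Asubnet-[0-9a-f]{8}([0-9a-f]{9})?\z/,
  vpc_id:    /\Avpc-[0-9a-f]{8}([0-9a-f]{9})?\z/
}.freeze

# Constructed sample response shaped like ec2:DescribeNatGateways output
# (hypothetical values, not real AWS data). Two gateways share the Name 'dup'.
SAMPLE_NAT_GATEWAYS = [
  { nat_gateway_id: 'nat-abc0123456789deff', vpc_id: 'vpc-abc01234', subnet_id: 'subnet-6789deff',
    state: 'available',
    tags: [{ key: 'Name', value: 'my-nat-gateway' }, { key: 'environment', value: 'dev' }],
    nat_gateway_addresses: [{ private_ip: '10.0.1.68', public_ip: '203.0.113.10',
                              network_interface_id: 'eni-0a1b2c3d' }] },
  { nat_gateway_id: 'nat-00000000', vpc_id: 'vpc-abc01234', subnet_id: 'subnet-12345678',
    state: 'deleted', tags: [{ key: 'Name', value: 'dup' }], nat_gateway_addresses: [] },
  { nat_gateway_id: 'nat-11111111', vpc_id: 'vpc-deadbeef', subnet_id: 'subnet-12345678',
    state: 'pending', tags: [{ key: 'Name', value: 'dup' }], nat_gateway_addresses: [] }
].freeze

def tags_hash(gw)
  gw[:tags].to_h { |t| [t[:key], t[:value]] }
end

# Returns the documented properties for the single matching gateway, or
# { exists: false } when nothing matches. Raises on bad ids or ambiguous names.
def lookup_nat_gateway(gateways, **opts)
  raise ArgumentError, 'provide at least one of id, name, subnet_id, vpc_id' if opts.empty?
  ID_FORMATS.each do |key, fmt|
    raise ArgumentError, "#{key} #{opts[key]} has the wrong format" if opts.key?(key) && opts[key] !~ fmt
  end
  matches = gateways.select do |gw|
    (!opts[:id] || gw[:nat_gateway_id] == opts[:id]) &&
      (!opts[:name] || tags_hash(gw)['Name'] == opts[:name]) &&
      (!opts[:subnet_id] || gw[:subnet_id] == opts[:subnet_id]) &&
      (!opts[:vpc_id] || gw[:vpc_id] == opts[:vpc_id])
  end
  raise "multiple NAT gateways match #{opts}" if matches.size > 1
  gw = matches.first
  return { exists: false } unless gw
  tags = tags_hash(gw)
  { exists: true, id: gw[:nat_gateway_id], name: tags['Name'], vpc_id: gw[:vpc_id],
    subnet_id: gw[:subnet_id], state: gw[:state], tags: tags,
    nat_gateway_address_set: gw[:nat_gateway_addresses].first || {} }
end
```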
Examples
Test that the NAT gateway is in the available state
describe aws_nat_gateway(name: 'my-nat-gateway') do
its('state') { should eq 'available' }
end
Test that the ID of the VPC is vpc-1234567890abcdef1
describe aws_nat_gateway(id: 'nat-abc0123456789deff') do
its('vpc_id') { should eq 'vpc-1234567890abcdef1' }
end
Test that the NAT gateway has a certain tag
describe aws_nat_gateway(name: 'my-nat-gateway') do
its('tags') { should include('environment' => 'dev') }
its('tags') { should include('delete-at-10-pm') } # Regardless of the value
end
Test that the private IP address is 10.0.1.68
describe aws_nat_gateway(vpc_id: 'vpc-abc01234', subnet_id: 'subnet-12345678') do
its('nat_gateway_address_set') { should include(:private_ip => '10.0.1.68') }
end
For more examples, please check the integration tests.
Matchers
This InSpec audit resource has the following special matcher. For a full list of available matchers, please visit our matchers page.
exist
describe aws_nat_gateway(name: 'my-nat-gateway') do
it { should exist }
end
AWS Permissions
Your Principal will need the ec2:DescribeNatGateways action set to allow.
You can find detailed documentation at Actions, Resources, and Condition Keys for Amazon EC2, and Actions, Resources, and Condition Keys for Identity And Access Management.