aws_sns_subscription resource
Use the aws_sns_subscription InSpec audit resource to test detailed properties of an AWS SNS subscription.
For additional information, including details on parameters and properties, see the AWS documentation on SNS.
Syntax
An aws_sns_subscription resource block uses resource parameters to search for an SNS subscription, and then tests that subscription's properties. If no subscription matches, no error is raised, but the exists matcher will return false and all properties will be nil.
describe aws_sns_subscription('arn:aws:sns:us-east-1::test-topic-01:b214aff5-a2c7-438f-a753-8494493f2ff6') do
  it { should exist }
end
Parameters
subscription_arn (required)
This resource accepts a single parameter, the subscription_arn. This can be passed either as a string or as a subscription_arn: 'value' key-value entry in a hash.
Properties
arn - The subscription's ARN.
owner - The subscription's owner.
raw_message_delivery - Indicates whether the subscription is raw or JSON.
topic_arn - The ARN of the subscription's topic.
protocol - The subscription's protocol.
confirmation_was_authenticated - Indicates whether the subscription confirmation request was authenticated.
Examples
Inspect the endpoint:
describe aws_sns_subscription(subscription_arn: 'arn:aws:sns:us-east-1::test-topic-01:b214aff5-a2c7-438f-a753-8494493f2ff6') do
  # If protocol is 'sms', this should be a phone number:
  its('endpoint') { should cmp '+16105551234' }
  # If protocol is 'email' or 'email-json', endpoint should be an email address:
  its('endpoint') { should cmp 'myemail@example.com' }
  # If protocol is 'http', endpoint should be a URL beginning with 'https://':
  its('endpoint') { should cmp 'https://www.exampleurl.com' }
  # If the protocol is 'lambda', its endpoint should be the ARN of an AWS Lambda function:
  its('endpoint') { should cmp 'arn:aws:lambda:us-east-1:account-id:function:myfunction' }
end
Inspect the owner's ID:
describe aws_sns_subscription(subscription_arn: 'arn:aws:sns:us-east-1::test-topic-01:b214aff5-a2c7-438f-a753-8494493f2ff6') do
  its('owner') { should cmp '12345678' }
end
Inspect the protocol:
describe aws_sns_subscription(subscription_arn: 'arn:aws:sns:us-east-1::test-topic-01:b214aff5-a2c7-438f-a753-8494493f2ff6') do
  its('protocol') { should cmp 'sqs' }
end
Matchers
exist
The control will pass if the describe returns at least one result.
Use should_not to test that the entity does not exist.
it { should exist }
it { should_not exist }
be_confirmation_authenticated
Passes if the subscription confirmation request was authenticated.
describe aws_sns_subscription(subscription_arn: 'arn:aws:sns:us-east-1::NOGOOD:b214aff5-a2c7-438f-a753-8494493f2ff6') do
  it { should be_confirmation_authenticated }
end
have_raw_message_delivery
Passes if the original message is delivered as is, rather than formatted as JSON or YAML.
describe aws_sns_subscription(subscription_arn: 'arn:aws:sns:us-east-1::NOGOOD:b214aff5-a2c7-438f-a753-8494493f2ff6') do
  it { should have_raw_message_delivery }
end
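The endpoint-per-protocol examples and the two matchers above all reduce to checks on the attribute map that SNS returns for a subscription. The following is an added example, not part of the InSpec documentation or the inspec-aws resource, that implements those same checks in plain Ruby over a constructed attribute map (SNS attribute names and string values 'true'/'false' are assumed to be as the GetSubscriptionAttributes API returns them), so the expected values can be worked out before they are written into a control.

```ruby
# Added example (not from the InSpec docs): audits the attribute map that SNS
# GetSubscriptionAttributes returns, using the protocol/endpoint pairings listed
# above. Attribute values are strings, as the SNS API returns them (assumption).
ENDPOINT_SHAPE = {
  'sms'        => /\A\+[1-9]\d{6,14}\z/,                        # E.164 number
  'email'      => /\A[^@\s]+@[^@\s]+\.[^@\s]+\z/,
  'email-json' => /\A[^@\s]+@[^@\s]+\.[^@\s]+\z/,
  'http'       => %r{\Ahttp://\S+\z},
  'https'      => %r{\Ahttps://\S+\z},
  'lambda'     => /\Aarn:aws:lambda:[a-z0-9-]+:\d{12}:function:[\w-]+\z/,
  'sqs'        => /\Aarn:aws:sqs:[a-z0-9-]+:\d{12}:[\w-]+\z/
}.freeze

# Returns an array of finding strings; an empty array means the subscription
# passes every check. expected_owner is the account that should own it.
def audit_subscription(attrs, expected_owner:)
  findings = []
  protocol = attrs['Protocol']
  endpoint = attrs['Endpoint'].to_s
  shape = ENDPOINT_SHAPE[protocol]
  if shape.nil?
    findings << "unknown protocol #{protocol.inspect}"
  elsif endpoint !~ shape
    findings << "endpoint #{endpoint.inspect} has the wrong shape for protocol #{protocol}"
  end
  # Plaintext HTTP delivery exposes message bodies in transit.
  findings << 'plaintext http endpoint; prefer https' if protocol == 'http'
  # Mirrors be_confirmation_authenticated: the confirmation must have been authenticated.
  findings << 'confirmation request was not authenticated' unless attrs['ConfirmationWasAuthenticated'] == 'true'
  findings << "owner #{attrs['Owner']} is not #{expected_owner}" unless attrs['Owner'] == expected_owner
  findings
end

# Constructed sample attribute maps (not real subscriptions).
GOOD_SUB = {
  'SubscriptionArn' => 'arn:aws:sns:us-east-1:123456789012:alerts:b214aff5-a2c7-438f-a753-8494493f2ff6',
  'Owner' => '123456789012', 'Protocol' => 'https',
  'Endpoint' => 'https://hooks.example.com/sns', 'RawMessageDelivery' => 'false',
  'ConfirmationWasAuthenticated' => 'true'
}.freeze
BAD_SUB = {
  'SubscriptionArn' => 'arn:aws:sns:us-east-1:123456789012:alerts:0f2a1c6e-0000-4000-8000-000000000000',
  'Owner' => '999999999999', 'Protocol' => 'http',
  'Endpoint' => 'http://hooks.example.com/sns', 'RawMessageDelivery' => 'true',
  'ConfirmationWasAuthenticated' => 'false'
}.freeze

if __FILE__ == $PROGRAM_NAME
  puts audit_subscription(GOOD_SUB, expected_owner: '123456789012').inspect
  puts audit_subscription(BAD_SUB, expected_owner: '123456789012')
end
```

Each finding corresponds to one `its('...')` or matcher line in a control; the constructed BAD_SUB map yields three findings (plaintext http, unauthenticated confirmation, wrong owner).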
AWS Permissions
Your AWS principal will need the SNS:Client:GetSubscriptionAttributesResponse action with Effect set to Allow.
You can find detailed documentation at Actions, Resources, and Condition Keys for Amazon SNS.