aws_rds_global_cluster Resource
Use the aws_rds_global_cluster InSpec audit resource to test properties of a single Amazon Aurora global database cluster.
The AWS::RDS::GlobalCluster resource creates or updates an Amazon Aurora global database spread across multiple AWS Regions.
For additional information, including details on parameters and properties, see the AWS documentation on the AWS::RDS::GlobalCluster resource type.
Installation
This resource is available in the Chef InSpec AWS resource pack.
See the Chef InSpec documentation on cloud platforms for information on configuring your AWS environment for InSpec and creating an InSpec profile that uses the InSpec AWS resource pack.
Syntax
Ensure that the global cluster exists.
describe aws_rds_global_cluster(global_cluster_identifier: 'GLOBAL_CLUSTER_IDENTIFIER') do
it { should exist }
end
Parameters
global_cluster_identifier
(required) The cluster identifier of the global database cluster.
Properties
global_cluster_identifier
- The list of global clusters returned by this request.
global_cluster_resource_id
- Contains a user-supplied global database cluster identifier. This identifier is the unique key that identifies a global database cluster.
global_cluster_arn
- The Amazon Web Services Region-unique, immutable identifier for the global database cluster.
status
- Specifies the current state of this global database cluster.
engine
- The Aurora database engine used by the global database cluster.
engine_version
- Indicates the database engine version.
database_name
- The default database name within the new global database cluster.
storage_encrypted
- The storage encryption setting for the global database cluster.
deletion_protection
- The deletion protection setting for the new global database cluster.
failover_state.status
- The current status of the Aurora global database (GlobalCluster).
failover_state.from_db_cluster_arn
- The Amazon Resource Name (ARN) of the Aurora DB cluster that is currently being demoted, and which is associated with this state.
failover_state.to_db_cluster_arn
- The Amazon Resource Name (ARN) of the Aurora DB cluster that is currently being promoted, and which is associated with this state.
global_cluster_members.db_cluster_arn
- The Amazon Resource Name (ARN) for each Aurora cluster.
global_cluster_members.readers
- The Amazon Resource Name (ARN) for each read-only secondary cluster associated with the Aurora global database.
global_cluster_members.is_writer
- Specifies whether the Aurora cluster is the primary cluster (that is, has read-write capability) for the Aurora global database with which it is associated.
global_cluster_members.global_write_forwarding_status
- Specifies whether a secondary cluster in an Aurora global database has write forwarding enabled, not enabled, or is in the process of enabling it.
Examples
Ensure a DB global cluster is available.
describe aws_rds_global_cluster(global_cluster_identifier: 'GLOBAL_CLUSTER_IDENTIFIER') do
its('global_cluster_resource_id') { should eq 'GLOBAL_CLUSTER_ID' }
end
Ensure a global cluster engine is available.
describe aws_rds_global_cluster(global_cluster_identifier: 'GLOBAL_CLUSTER_IDENTIFIER') do
its('engine') { should eq 'ENGINE' }
end
Ensure a status is available.
describe aws_rds_global_cluster(global_cluster_identifier: 'GLOBAL_CLUSTER_IDENTIFIER') do
its('status') { should eq 'available' }
end
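The examples above test one property at a time. The following added example (plain Ruby, not code from the InSpec AWS resource pack) shows the baseline a profile would normally enforce on a global cluster, evaluated over a constructed record whose keys mirror the properties listed above; each check is annotated with the equivalent InSpec expectation. The identifiers and ARNs are placeholders.

```ruby
# Constructed sample shaped like the record the aws_rds_global_cluster resource
# exposes. Values are placeholders; storage_encrypted is deliberately weak.
SAMPLE_GLOBAL_CLUSTER = {
  global_cluster_identifier: 'example-global',
  status: 'available',
  engine: 'aurora-postgresql',
  storage_encrypted: false,          # weak setting, should be flagged
  deletion_protection: true,
  failover_state: nil,               # nil: no managed failover in progress
  global_cluster_members: [
    { db_cluster_arn: 'arn:aws:rds:us-east-1:111122223333:cluster:primary',
      is_writer: true,  global_write_forwarding_status: 'disabled' },
    { db_cluster_arn: 'arn:aws:rds:eu-west-1:111122223333:cluster:secondary',
      is_writer: false, global_write_forwarding_status: 'enabled' }
  ]
}.freeze

# Returns an array of finding strings; an empty array means the cluster
# meets the baseline. allow_write_forwarding is a hypothetical profile input.
def global_cluster_findings(gc, allow_write_forwarding: false)
  findings = []
  # its('status') { should eq 'available' }
  findings << "status is #{gc[:status]}, expected available" unless gc[:status] == 'available'
  # its('storage_encrypted') { should eq true }
  findings << 'storage is not encrypted at rest' unless gc[:storage_encrypted] == true
  # its('deletion_protection') { should eq true }
  findings << 'deletion protection is disabled' unless gc[:deletion_protection] == true
  # A populated failover_state means a cluster is mid-demotion/promotion;
  # results for other properties are not stable until it clears.
  findings << "failover in progress (#{gc[:failover_state][:status]})" if gc[:failover_state]
  members = gc[:global_cluster_members] || []
  # Exactly one member may be the writer (primary) cluster.
  writers = members.select { |m| m[:is_writer] }
  findings << "expected 1 writer cluster, found #{writers.size}" unless writers.size == 1
  # Secondaries with write forwarding enabled accept writes and forward them to
  # the primary; flag that unless the profile explicitly allows it.
  unless allow_write_forwarding
    members.reject { |m| m[:is_writer] }.each do |m|
      next if m[:global_write_forwarding_status] == 'disabled'
      findings << "write forwarding #{m[:global_write_forwarding_status]} on #{m[:db_cluster_arn]}"
    end
  end
  findings
end
```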
Matchers
This InSpec audit resource has the following special matchers. For a full list of available matchers, please visit our Universal Matchers page.
The controls will pass if the describe method returns at least one result.
exist
Use should to test that the entity exists.
describe aws_rds_global_cluster(global_cluster_identifier: 'GLOBAL_CLUSTER_IDENTIFIER') do
it { should exist }
end
Use should_not to test that the entity does not exist.
describe aws_rds_global_cluster(global_cluster_identifier: 'GLOBAL_CLUSTER_IDENTIFIER') do
it { should_not exist }
end
be_available
Use should to check if the entity is available.
describe aws_rds_global_cluster(global_cluster_identifier: 'GLOBAL_CLUSTER_IDENTIFIER') do
it { should be_available }
end
AWS Permissions
Your Principal will need the RDS:Client:DescribeGlobalClustersMessage action with Effect set to Allow.