Question: Can this run from kitchen-terraform #44
Comments
@brettcurtis are you specifying the target of GCP by doing |
And yes, this works with kitchen-terraform very nicely. |
Looks like -t isn't an option for check? |
yeah i meant -t for |
ok yeah I did try that initially but tests didn't run so I went to the "check" to try and figure out what was going on from there. It's pulling the profiles just not running the tests:
|
bah ok this works: So I guess it's just ignoring tests if I don't pass that. So I need to pass my terraform "output" of project_id to a variable of gcp_project_id somehow? I removed all that since I was trying to figure out how it worked and was hoping I would see an error around the missing gcp_project_id but I didn't so figured my problem was elsewhere. |
Let me see if I can ask my question a bit better now that I'm starting to understand this a tiny bit more. How can I pass my terraform output of project_id to your tests that require an input of gcp_project_id ? |
There are a few ways @brettcurtis . Your inspec.yml may have something like |
Would you expect this to work? I'm just trying to understand the inputs:

```ruby
input('gcp_project_id', value: 'my-tf-module-testing')

control 'attr' do
  title 'Terraform Outputs'
  desc 'Terraform Outputs'
  describe input('gcp_project_id') do
    it { should eq 'my-tf-module-testing' }
  end
end

require_controls 'inspec-gcp-cis-benchmark' do
  control 'cis-gcp-3.6-networking'
  control 'cis-gcp-3.7-networking'
end
```

Running:

My attr control runs fine, however not the cis controls. They will only run if I pass the input from the command line: |
@brettcurtis We have previously worked on an automation pipeline for terraform with InSpec compliance validation. Maybe this implementation for the pci on gke blueprint could be interesting for you: https://github.com/GoogleCloudPlatform/pci-gke-blueprint/blob/master/cicd/cloudbuild.yml |
thanks I'll take a look @KonradSchieban. Right now I'm just struggling with the tests running when I try to exclude the --input argument from the command line and add it directly to the profile's control code. I've read this a few times and have test cases that work with inputs but I suspect they need to be handled differently with My initial question was answered and I guess my question now is just more inspec related so if there are no more suggestions feel free to close this out. |
This docpage should help @brettcurtis https://docs.chef.io/inspec/inputs/#how-can-i-set-inputs |
Yeah, I must still be missing something because I would expect this to work:

```ruby
input('gcp_project_id', value: 'my-tf-module-testing')

# this control passes
control 'attr' do
  title 'Terraform Outputs'
  desc 'Terraform Outputs'
  describe input('gcp_project_id') do
    it { should eq 'my-tf-module-testing' }
  end
end

require_controls 'inspec-gcp-cis-benchmark' do
  # this control fails with the below error.
  control 'bla' do
    describe input('gcp_project_id') do
      it { should eq 'my-tf-module-testing' }
    end
  end
  control 'cis-gcp-3.6-networking'
  control 'cis-gcp-3.7-networking'
end
```

Error:
|
sooo, learning out loud here.. :) The only place I can get the input to override so far is in my inspec.yml like this part of the documentation talks about: https://docs.chef.io/inspec/inputs/#using-inputs-with-profile-inheritance

inspec.yml:

```yaml
name: default-vpc
supports:
  - platform: gcp
depends:
  - name: inspec-gcp
    url: https://github.com/inspec/inspec-gcp/archive/v1.7.0.tar.gz
  - name: inspec-gcp-cis-benchmark
    url: https://github.com/GoogleCloudPlatform/inspec-gcp-cis-benchmark/archive/v1.1.0-11.tar.gz
inputs:
  - name: gcp_project_id
    value: my-tf-module-testing
    profile: inspec-gcp-cis-benchmark
```

So if that's the only way it will work I'd need to understand if my terraform output for the project id can be used here somehow.. |
something like this can work in your wrapper inspec.yml:

```yaml
inputs:
  - name: gcp_project_id
    value: <%= ENV['gcp_project_id'] %>
```

and then after the tf run in your shell, before running inspec:

```shell
$ export gcp_project_id=$(terraform output whatever-the-tf-gcp-project-id-output-is)
```
|
Kitchen-terraform may be useful here?
On Thu, Aug 6, 2020 at 6:33 PM Bakh Inamov ***@***.***> wrote:
--
--------
Aaron Lippold
lippold@gmail.com
260-255-4779
twitter/aim/yahoo,etc.
'aaronlippold'
|
thanks @binamov - yeah @aaronlippold that's what I'm using (removed it from the mix for troubleshooting the inputs) so I'm guessing there is a way to use my outputs in my inspec.yml. |
with kt, tf outputs should be automatically exposed as inspec inputs |
Right, I did read that. I'm just trying to figure out if I can keep my output name of project_id somehow when you guys are expecting gcp_project_id. I'm messing around now to see if I can understand how the outputs work with kt. Thanks for all the help. |
If I add an additional output for gcp_project_id and include the following in my inspec.yml:

```yaml
inputs:
  - name: gcp_project_id
    profile: inspec-gcp-cis-benchmark
```

Everything works through kt. Not the most elegant solution for me since I have project_id as an output already, but good enough for now! |
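To make the two mechanisms discussed above concrete (the ERB-from-environment value in the wrapper inspec.yml, and the input scoped to the dependent CIS profile), here is an added example that is not code from this thread, from InSpec or from inspec-gcp-cis-benchmark. It assumes a constructed wrapper inspec.yml and hypothetical helpers render_wrapper_metadata, with_env and resolve_input; InSpec itself evaluates inspec.yml through ERB before parsing it, which is the behaviour the rendering step imitates.

```ruby
require 'erb'
require 'yaml'

# Constructed wrapper inspec.yml modelled on the thread: the gcp_project_id
# input is scoped to the dependent CIS profile and its value comes from the
# environment via ERB, exactly as suggested above.
WRAPPER_INSPEC_YML = <<~'ERB'
  name: default-vpc
  supports:
    - platform: gcp
  depends:
    - name: inspec-gcp-cis-benchmark
      url: https://github.com/GoogleCloudPlatform/inspec-gcp-cis-benchmark/archive/v1.1.0-11.tar.gz
  inputs:
    - name: gcp_project_id
      value: <%= ENV['gcp_project_id'] %>
      profile: inspec-gcp-cis-benchmark
ERB

# Temporarily set (or unset, when value is nil) one environment variable so
# the rendering below is deterministic; restores the previous value afterwards.
def with_env(name, value)
  old = ENV[name]
  if value.nil? then ENV.delete(name) else ENV[name] = value end
  yield
ensure
  if old.nil? then ENV.delete(name) else ENV[name] = old end
end

# Render the ERB in the wrapper metadata (hypothetical stand-in for what InSpec
# does when it loads inspec.yml) and parse the result as YAML.
def render_wrapper_metadata(project_id)
  with_env('gcp_project_id', project_id) do
    YAML.safe_load(ERB.new(WRAPPER_INSPEC_YML).result(binding))
  end
end

# Look up the value the wrapper hands to a dependent profile for a named input.
# An unset env var renders as an empty value, so fail loudly here rather than
# letting the CIS controls run with no project id (the silent case the thread hit).
def resolve_input(meta, name, profile)
  entry = (meta['inputs'] || []).find { |i| i['name'] == name && i['profile'] == profile }
  raise ArgumentError, "input #{name} is not declared for profile #{profile}" if entry.nil?
  value = entry['value']
  if value.nil? || value.to_s.strip.empty?
    raise ArgumentError, "input #{name} is empty: export gcp_project_id from terraform output first"
  end
  value
end

puts resolve_input(render_wrapper_metadata('my-tf-module-testing'),
                   'gcp_project_id', 'inspec-gcp-cis-benchmark') if $PROGRAM_NAME == __FILE__
```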
you should be able to use KT verifier's |
Perfect! I've got this all working exactly how I want now! We are doing terraform module development and this is perfect to run with kitchen-terraform to get fast security feedback related only to the specific resources in that given module. Then in our root modules pipelines our teams consume to build their application infra we run the full suite of CIS tests as described in your readme. I'll probably write a howto somewhere since I think this all is a bit tricky to put together for someone with a non-developer background. This is great, learned a ton working through this and thanks again for all the guidance!! |
Wonderful. If you have any questions about the inspec-tools library or integration with kitchen and how that affects your workflow as you write your article or move out with your testing architecture, please let us know. I look forward to the article and will possibly ask for permission to reference it as demonstrations from the Field.
On Fri, Aug 7, 2020 at 8:27 AM Brett Curtis ***@***.***> wrote:
|
Howdy @aaronlippold - I started this series of posts here: https://dev.to/brettcurtis/series/8673 This is all still very new to me so any suggested edits or things you think would be helpful to others to see let me know and I can add it! The next post will focus more on Github and development practices moving forward, possibly a bit around some struggles we still have as well. |
Hi, very cool. It's a family weekend so ping me on Slack Tuesday and we can take a look at what you have.
On Sat, Sep 5, 2020 at 3:35 PM Brett Curtis ***@***.***> wrote:
|
First of all this repo has helped me A LOT so thanks for putting in the work! I'm able to hit gcp at a project level and understand exactly what I need to do to address benchmark violations. I'm also able to include it as a test in our infra CD pipelines.
What I'm trying to do is run this from kitchen-terraform in an effort to reduce the feedback loop for infrastructure developers. I'm new to inspec and kitchen so I hope I'm just not understanding what to do here. That being said I've removed the kitchen part out of it and am trying to just get it working using inspec the way kitchen-terraform would "consume it" I guess you could say.
inspec.yaml:
gcp-cis-benchmark.rb:
When I run:

```shell
inspec check default-vpc
```
Appreciate any guidance on this one!