Allow multiple profiles in a git repository

[alexpop]

At the moment, InSpec's dependency management allows only one profile per git repository. This allows tags to be used to version the profile in the repo.

This feature request wants the ability to store multiple profiles in a single repository, under a sub-directory or at root.

Reasons that come to my mind:

• per repo pricing
• grouping of rarely updated profiles

---

Berkshelf example:

cookbook "mykb", git: "https://github.com/example/super_cookbooks.git", rel: "base/linux"

[chris-rock]

This is a great idea. Instead of focusing on git, i would like to focus on a file structure. It should not matter if it is a local file structure or a git structure. It could look like:

.
.
├── README.md
├── apache
│   ├── README.md
│   ├── controls
│   │   └── apache_spec.rb
│   └── inspec.yml
├── linux
│   ├── README.md
│   ├── controls
│   │   ├── filesystem_spec.rb
│   │   ├── sysctl_ipv4_spec.rb
│   │   ├── sysctl_ipv6_spec.rb
│   │   └── sysctl_spec.rb
│   └── inspec.yml
├── mysql
│   ├── README.md
│   ├── controls
│   │   ├── mysql_conf_spec.rb
│   │   └── mysql_spec.rb
│   └── inspec.yml
├── postgres
│   ├── README.md
│   ├── controls
│   │   ├── postgres_conf_spec.rb
│   │   └── postgres_spec.rb
│   └── inspec.yml
├── ssh
│   ├── README.md
│   ├── controls
│   │   ├── ssh_folder_spec.rb
│   │   ├── ssh_spec.rb
│   │   └── sshd_spec.rb
│   ├── inspec.yml
│   └── libraries
│       └── ssh_crypto.rb
└── windows
    ├── README.md
    ├── controls
    │   ├── 01_password_policy_spec.rb
    │   ├── 02_account_lockout_spec.rb
    │   ├── 03_user_rights_spec.rb
    │   ├── 04_audit_spec.rb
    │   ├── 05_ie_spec.rb
    │   ├── 07_rdp_spec.rb
    │   └── 08_access_spec.rb
    └── inspec.yml

Question:

• Do we allow more than one-layer nesting?
• we should allow to have the same structure in a tar
• How do I execute a profile then? inspec exec -l to/path linux?
• It should also work with meta-profiles like https://github.com/chef/inspec/tree/master/examples/meta-profile. The inspec vendor command already allows to store the same.

We may need to distinguish between a profile location and and profiles we execute. Right now, we just run:

inspec exec path/to/profile.tar.gz

Maybe that is the case where we know we just need to execute one profile.

inspec exec -l path/to/profile.tar.gz profile

If we have multiple profiles included in a tar just use:

inspec exec -l path/to/profiles.tar.gz profile1 profile2

We need to ensure that the CLI is backwards compatible with the current approach.

[stevendanna]

👍 Bundler/Gem work this way too. Namely, bundler will search for gemspec's in subdirectories as well, we could do something similar with metadata.rb.

[chris-rock]

As discussed in #1236 we have different locations, where multiple profiles are stored:

• Compliance Server
• Supermarket
• Git (not yet working)

By separating out the profile locations and the profile we are executing, we cover that. Its similar to a run-list in chef, but I still want to make keep the simplicity of the current system. Therefore inspec exec should keep working as long as you just need one profile

inspec exec -l http://compliance-server -l http://supermarket-server -l path/to/profiles.tar.gz profile name

That would also eliminate the need to have

inspec compliance exec profile
inspec supermarket exec profile

Once we logged in to compliance or supermarket, inspec will would load the location implicitly.

Question: How do we deal with profiles that have the same namespace\name in different servers?

[anweiss]

Any updates on this? Particularly when needing to reference multiple profiles in a Git repo?

[reddeppas]

Do we have any update on this?

[jcastillocano]

Hi, any news on this?

[zedtux]

Any news on this please?

[zedtux]

@clintoncwolfe can you please briefly explain how #4217 can be used in order to use multiple profiles?

[clintoncwolfe]

This is the example pasted from #4217:

depends:
  - name: profile-1
    git: https://github.com/myorg/all-my-profiles.git
    relative_path: profiles/my-specific-profile-1
  - name: profile-2
    git: https://github.com/myorg/all-my-profiles.git
    relative_path: profiles/my-specific-profile-2

This would fetch the same repo, and pluck out two profiles from two different paths.

I'm not sure if it fetches the same repo once or twice in this scenario; we could probably optimize that. If that performance aspect is a problem, let's open an issue and we can see about improving caching.

[zedtux]

Thank you @clintoncwolfe. Is there a CLI option to do the same?

[enutrofff]

@clintoncwolfe. Is there a CLI option to do the same?

[clintoncwolfe]

No, at this time there is not a CLI option to fetch a relative path.

[aaronlippold]

I think it would be great to add that ability to the cli - any thoughts on doing that