Nathen Harvey, profile picture
Uploaded byNathen Harvey
PPTX, PDF1,802 views

Testing Terraform

The document discusses how to test Terraform configurations for deploying infrastructure on AWS, advocating for infrastructure as code. It describes specific Terraform resources like EC2 instances and security groups, and emphasizes the importance of continuous compliance through tools like InSpec. Additionally, it outlines the process of using InSpec for auditing security groups and ensuring configurations meet defined policies.

Embed presentation

Downloaded 24 times
Testing Terraform Nathen Harvey Chef
@nathenharvey What am I talking about • Suppose you use a tool like Terraform to create your infrastructure • You're onboard with infrastructure as code • Code should be tested • How can we test Terraform?
@nathenharvey 1. Deploy n-tier cloud infra 2. Deploy some app 3. Profit A Motivational Example Load Balancer VM Instance VM Instance ...
@nathenharvey 1. Deploy n-tier cloud infra 2. Deploy some app ??? 3. Profit A Motivational Example Load Balancer VM Instance VM Instance ...
@nathenharvey So how do you do that in Terraform?
@nathenharvey Terraform on AWS: Define an Instance (VM) resource "aws_instance" "web" { count = 3 instance_type = "t2.micro" ami = "${lookup(var.aws_amis, var.aws_region)}" key_name = "${var.key_name}" subnet_id = "${aws_subnet.default.id}" vpc_security_group_ids = [ "${aws_security_group.lb_to_webservers.id}", "${aws_security_group.ssh_from_office.id}", ] ... }
@nathenharvey Terraform on AWS: Define Load Balancer (ELB) resource "aws_elb" "web" { name = "testing-terraform-elb" subnets = ["${aws_subnet.default.id}"] security_groups = [ "${aws_security_group.world_to_elb.id}", "${aws_security_group.lb_to_webservers.id}", ] instances = ["${aws_instance.web.*.id}"] listener { instance_port = 80 instance_protocol = "http" lb_port = 80 lb_protocol = "http" } }
@nathenharvey Terraform on AWS: Define a Firewall Rule resource "aws_security_group" "ssh_from_office" { name = "testing-terraform-ssh" vpc_id = "${aws_vpc.testing_terraform.id}" # SSH access from special office addresses ingress { from_port = 22 to_port = 22 protocol = "tcp" cidr_blocks = "${var.ssh_cidrs}" } # outbound internet access egress { from_port = 0 to_port = 0 protocol = "-1" cidr_blocks = ["0.0.0.0/0"] } }
@nathenharvey Terraform on AWS: Define a Firewall Rule resource "aws_security_group" "ssh_from_office" { name = "testing-terraform-ssh" vpc_id = "${aws_vpc.testing_terraform.id}" # SSH access from special office addresses ingress { from_port = 22 to_port = 22 protocol = "tcp" cidr_blocks = "${var.ssh_cidrs}" } # outbound internet access egress { from_port = 0 to_port = 0 protocol = "-1" cidr_blocks = ["0.0.0.0/0"] } } variable "ssh_cidrs" { default = [ "173.239.212.22/32", "12.130.117.75/32" ] }
$ What's the plan, Phil? terraform plan -out plan.out Refreshing Terraform state in-memory prior to plan... The refreshed state will be used to calculate this plan, but will not be persisted to local or remote state storage. ... Plan: 11 to add, 0 to change, 0 to destroy. ------------------------------------------------------------------------ This plan was saved to: plan.out To perform exactly these actions, run the following command to apply: terraform apply "plan.out"
$ Make it so! terraform apply "plan.out" aws_vpc.testing_terraform: Creating... assign_generated_ipv6_cidr_block: "" => "false" cidr_block: "" => "10.0.0.0/16" default_network_acl_id: "" => "<computed>" default_route_table_id: "" => "<computed>" default_security_group_id: "" => "<computed>” ... aws_elb.web: Creation complete after 25s (ID: testing-terraform-elb) Apply complete! Resources: 11 added, 0 changed, 0 destroyed. Outputs: address = testing-terraform-elb-1345186905.us-east-1.elb.amazonaws.com
@nathenharvey It's alive!
@nathenharvey Part of a balanced diet
$ Verify with Terraform terraform plan Refreshing Terraform state in-memory prior to plan... The refreshed state will be used to calculate this plan, but will not be persisted to local or remote state storage. aws_vpc.testing_terraform: Refreshing state... (ID: vpc-091427c0ca8ed3c29) ... aws_elb.web: Refreshing state... (ID: testing-terraform-elb) ------------------------------------------------------------------------ No changes. Infrastructure is up-to-date. This means that Terraform did not detect any differences between your configuration and real physical resources that exist. As a result, no actions need to be performed.
@nathenharvey And all is well.
@nathenharvey Meanwhile, at Team Shady….
@nathenharvey An Innocent-Seeming Change…
@nathenharvey An Innocent-Seeming Change…
$ Audit with Terraform terraform plan An execution plan has been generated and is shown below. Resource actions are indicated with the following symbols: ~ update in-place Terraform will perform the following actions: ~ aws_instance.web[0] vpc_security_group_ids.#: "3" => "2" vpc_security_group_ids.1298918294: "sg-01eefd0164f2de498" => "sg-01eefd0164f2de498" vpc_security_group_ids.35497876: "sg-0c6388fa3e956cc15" => "" vpc_security_group_ids.645334896: "sg-03bca2a0e861c01e7" => "sg-03bca2a0e861c01e7” Plan: 0 to add, 1 to change, 0 to destroy.
@nathenharvey Detected the new security group Will detach it Is that enough? Awesome! Terraform found the change!
@nathenharvey It only audits what is known in the Terraform config All change is drift (considered bad) Only express what you want, not what you don't How does terraform plan fall short?
@nathenharvey We need something else.
@nathenharvey
@nathenharvey PART OF A PROCESS OF CONTINUOUS COMPLIANCE Scan for Compliance Build & Test Locally Build & Test CI/CD Remediate Verify A SIMPLE EXAMPLE OF AN INSPEC CIS RULE InSpec ▪ Translate compliance into Code ▪ Clearly express statements of policy ▪ Move risk to build/test from runtime ▪ Find issues early ▪ Write code quickly ▪ Run code anywhere ▪ Inspect machines, data and APIs Turn security and compliance into code control 'cis-1.4.1' do title '1.4.1 Enable SELinux in /etc/grub.conf' desc ' Do not disable SELinux and enforcing in your GRUB configuration. These are important security features that prevent attackers from escalating their access to your systems. For reference see … ' impact 1.0 expect(grub_conf.param 'selinux').to_not eq '0' expect(grub_conf.param 'enforcing').to_not eq '0' end
$ InSpec Shell inspec shell –t aws:// Welcome to the interactive InSpec Shell To find out how to use it, type: help You are currently running on: Name: aws Families: cloud, api Release: aws-sdk-v2.11.50
$ InSpec Shell inspec shell –t aws:// Welcome to the interactive InSpec Shell To find out how to use it, type: help You are currently running on: Name: aws Families: cloud, api Release: aws-sdk-v2.11.50 Targeting AWS!
inspec> InSpec Shell – Tab Completion aws_<TAB> aws_cloudtrail_trail aws_iam_access_keys aws_iam_users aws_security_group aws_cloudtrail_trails aws_iam_group aws_kms_key aws_security_groups aws_cloudwatch_alarm aws_iam_groups aws_kms_keys aws_sns_subscription aws_cloudwatch_log_metric_filter aws_iam_password_policy aws_rds_instance aws_sns_topic aws_config_delivery_channel aws_iam_policies aws_route_table aws_sns_topics aws_config_recorder aws_iam_policy aws_route_tables aws_subnet aws_ec2_instance aws_iam_role aws_s3_bucket aws_subnets aws_ec2_instances aws_iam_root_user aws_s3_bucket_object aws_vpc aws_iam_access_key aws_iam_user aws_s3_buckets aws_vpcs
inspec> Find the shady security group aws_security_group('sg-0c6388fa3e956cc15').group_name => "uat_executive"
inspec> Check the Rules aws_security_group('sg-0c6388fa3e956cc15').inbound_rules => [{:from_port=>22, :ip_protocol=>"tcp", :ip_ranges=>[{:cidr_ip=>"0.0.0.0/0"}], :ipv_6_ranges=>[{:cidr_ipv_6=>"::/0"}], :prefix_list_ids=>[], :to_port=>22, :user_id_group_pairs=>[]}]
inspec> describe aws_security_group('sg-0c6388fa3e956cc15') do inspec> it { should_not allow_in ipv4_range: '0.0.0.0/0' } inspec> end Write a proper test
inspec> describe aws_security_group('sg-0c6388fa3e956cc15') do inspec> it { should_not allow_in ipv4_range: '0.0.0.0/0' } inspec> end Profile: inspec-shell Version: (not specified) EC2 Security Group sg-0c6388fa3e956cc15 × should not allow in {} expected `EC2 Security Group sg-0c6388fa3e956cc15.allow_in?({})` to return false, got true Test Summary: 0 successful, 1 failure, 0 skipped Write a proper test
@nathenharvey An InSpec Control security_groups.rb control 'Make sure unrestricted SSH is not permitted' do # Loop over each of the security group IDs in the region aws_security_groups.group_ids.each do |group_id| # Examine a security group in detail describe aws_security_group(group_id) do # Examine Ingress rules, and complain if # there is unrestricted SSH it { should_not allow_in(port: 22, ipv4_range: '0.0.0.0/0') } end end end
$ InSpec Shell inspec exec –t aws:// secruity_groups.rb Profile: tests from security_groups.rb (tests from security_groups.rb) Version: (not specified) Target: aws:// × Make sure unrestricted SSH is not permitted: EC2 Security Group sg-003262589de21dbf5 (15 failed) ✔ EC2 Security Group sg-003262589de21dbf5 should not allow in {} ✔ EC2 Security Group sg-00f0b54bd7c8d93a1 should not allow in {} × EC2 Security Group sg-0c6388fa3e956cc15 should not allow in {} expected `EC2 Security Group sg-0c6388fa3e956cc15.allow_in?({})` to return false, got true ... Profile Summary: 0 successful controls, 1 control failure, 0 controls skipped Test Summary: 4 successful, 15 failures, 0 skipped
@nathenharvey Where to next?
@nathenharvey What else to validate? Concern Terraform Plan InSpec Number and type of instances requested All instances are part of our app Right security groups created and attached No security group allows in SSH Only security group open to the world should be port 80 for the ELB ELB correctly configured Should only be one ELB
@nathenharvey Check instances instances.rb control "Should only have instances associated with my app" do aws_ec2_instances.instance_ids.each do |instance_id| describe aws_ec2_instance(instance_id) do its('instance_type') { should cmp 't2.micro' } its('tags') { should include(key:'X-Application', value:'Testing Terraform') } end end end
@nathenharvey More Security Groups security_groups.rb control "The only world-open security groups should be on the ELB" do elb_sg_ids = aws_elbs.security_group_ids aws_security_groups.group_ids.each do |sg_id| sg = aws_security_group(sg_id) if sg.allow_in? ipv4_range: '0.0.0.0/0' describe sg do its('group_id') { should be_in elb_sg_ids } it { should allow_in_only port: 80 } end end end end
$ Put it all together with a profile inspec init profile my_app Create new profile at /Users/nathenharvey/projects/nathenharvey/testing- terraform/inspec/profiles/my_app * Create directory libraries * Create file README.md * Create directory controls * Create file controls/example.rb * Create file inspec.yml * Create file libraries/.gitkeep
$ Put it all together with a profile inspec exec -t aws:// my_app Profile: tests from security_groups.rb (tests from security_groups.rb) Version: (not specified) Target: aws:// × Make sure unrestricted SSH is not permitted: EC2 Security Group sg-003262589de21dbf5 (15 failed) ✔ EC2 Security Group sg-003262589de21dbf5 should not allow in {} ✔ EC2 Security Group sg-00f0b54bd7c8d93a1 should not allow in {} × EC2 Security Group sg-01b504b800f32e1ff should not allow in {} expected `EC2 Security Group sg-01b504b800f32e1ff.allow_in?({})` to return false, got true ... Profile Summary: 0 successful controls, 3 control failures, 0 controls skipped Test Summary: 43 successful, 65 failures, 0 skipped
@nathenharvey Terraform: A Power Tool for the Cloud! Terraform and InSpec? InSpec: A Verification tool for OS's and API's
@nathenharvey Terraform: A Power Tool for the Cloud! Terraform and InSpec! InSpec: A Verification tool for OS's and API's
@nathenharvey Bonus Round Iggy
$ Install InSpec-Iggy gem install inspec-iggy Successfully installed inspec-iggy-0.2.0 1 gem installed
$ Create a Profile from tfstate file inspec terraform generate --tfstate terraform.tfstate > my_terra.rb
$ Run InSpec inspec exec -t aws:// my_terra.rb inspec exec -t aws:// my_terra.rb Profile: tests from my_terra.rb (tests from my_terra.rb) Version: (not specified) Target: aws:// ✔ aws_ec2_instance::i-03663e4b9cb2858d6: Iggy terraform.tfstate aws_ec2_instance::i-03663e4b9cb2858d6 ✔ EC2 Instance i-03663e4b9cb2858d6 should exist ... Profile Summary: 8 successful controls, 0 control failures, 0 controls skipped Test Summary: 32 successful, 0 failures, 0 skipped
@nathenharvey Join us on Slack! ● http://community-slack.chef.io ● #general (for Chef stuff) ● #inspec
@nathenharvey What questions can I answer for you? https://github.com/nathenharvey/testing-terraform
Testing Terraform

More Related Content

PPTX
Advanced Weapons Training for the Empire
byJeremy Johnson
 
PDF
Gauntlt Rugged By Example
byJames Wickett
 
PDF
Small Python Tools for Software Release Engineering
bypycontw
 
PDF
ruxc0n 2012
bymimeframe
 
PDF
Terraform - Taming Modern Clouds
byNic Jackson
 
PPTX
InSpec Workshop at Velocity London 2018
byMandi Walls
 
PDF
Nessus and Reporting Karma
byn|u - The Open Security Community
 
PDF
Przemysław Iwanek - ABC AWS, budowanie infrastruktury przy pomocy Terraform
byjzielinski_pl
 
Advanced Weapons Training for the Empire
byJeremy Johnson
 
Gauntlt Rugged By Example
byJames Wickett
 
Small Python Tools for Software Release Engineering
bypycontw
 
ruxc0n 2012
bymimeframe
 
Terraform - Taming Modern Clouds
byNic Jackson
 
InSpec Workshop at Velocity London 2018
byMandi Walls
 
Nessus and Reporting Karma
byn|u - The Open Security Community
 
Przemysław Iwanek - ABC AWS, budowanie infrastruktury przy pomocy Terraform
byjzielinski_pl
 

What's hot

PPTX
Современные технологии и инструменты анализа вредоносного ПО_PHDays_2017_Pisk...
byIvan Piskunov
 
PPTX
How to add a new hypervisor to CloudStack:Lessons learned from Hyper-V effort
byDonal Lafferty
 
PDF
Attacking Oracle with the Metasploit Framework
byChris Gates
 
PDF
FreeBSD: Dev to Prod
bySean Chittenden
 
PPTX
BuildStuff.LT 2018 InSpec Workshop
byMandi Walls
 
PDF
IstSec'14 - İbrahim BALİÇ - Automated Malware Analysis
byBGA Cyber Security
 
PDF
Threat stack aws
byJen Andre
 
PDF
Embedded software development using BDD
byItamar Hassin
 
PPTX
Security in PHP - 那些在滲透測試的小技巧
byOrange Tsai
 
PDF
Meder Kydyraliev - Mining Mach Services within OS X Sandbox
byDefconRussia
 
PDF
Inspec one tool to rule them all
byKimball Johnson
 
PDF
Terraform Introduction
bysoniasnowfrog
 
PDF
infra-as-code
byItamar Hassin
 
PPTX
2019 Chef InSpec Jumpstart Part 2 of 2
byLarry Eichenbaum
 
PDF
Infrastructure as Code with Terraform
byTim Berry
 
PDF
(Un)safe Python
byIvan Tsyganov
 
PPTX
So you want to be a security expert
byRoyce Davis
 
PPTX
Adventures in Asymmetric Warfare
byWill Schroeder
 
PDF
Node.js vs Play Framework
byYevgeniy Brikman
 
PPT
Defending Your Network
byAdam Getchell
 
Современные технологии и инструменты анализа вредоносного ПО_PHDays_2017_Pisk...
byIvan Piskunov
 
How to add a new hypervisor to CloudStack:Lessons learned from Hyper-V effort
byDonal Lafferty
 
Attacking Oracle with the Metasploit Framework
byChris Gates
 
FreeBSD: Dev to Prod
bySean Chittenden
 
BuildStuff.LT 2018 InSpec Workshop
byMandi Walls
 
IstSec'14 - İbrahim BALİÇ - Automated Malware Analysis
byBGA Cyber Security
 
Threat stack aws
byJen Andre
 
Embedded software development using BDD
byItamar Hassin
 
Security in PHP - 那些在滲透測試的小技巧
byOrange Tsai
 
Meder Kydyraliev - Mining Mach Services within OS X Sandbox
byDefconRussia
 
Inspec one tool to rule them all
byKimball Johnson
 
Terraform Introduction
bysoniasnowfrog
 
infra-as-code
byItamar Hassin
 
2019 Chef InSpec Jumpstart Part 2 of 2
byLarry Eichenbaum
 
Infrastructure as Code with Terraform
byTim Berry
 
(Un)safe Python
byIvan Tsyganov
 
So you want to be a security expert
byRoyce Davis
 
Adventures in Asymmetric Warfare
byWill Schroeder
 
Node.js vs Play Framework
byYevgeniy Brikman
 
Defending Your Network
byAdam Getchell
 

Similar to Testing Terraform

PPTX
RIMA-Infrastructure as a code with Terraform.pptx
byMrJustbis
 
PDF
Terraform introduction
byJason Vance
 
PDF
Head in the Clouds: Testing Infra as Code - Config Management 2020
byPeter Souter
 
PDF
Compliance as Code with terraform-compliance
byEmre Erkunt
 
PDF
Getting Started with DevOps on AWS [Mar 2020]
byDhaval Nagar
 
PDF
DevOps Fest 2020. immutable infrastructure as code. True story.
byVlad Fedosov
 
PPTX
Adding Security and Compliance to Your Workflow with InSpec
byMandi Walls
 
PDF
Refactoring Infrastructure Code
byNell Shamrell-Harrington
 
PDF
Terraform Testing with InSpec Demo
byAnnie Hedgpeth
 
PPTX
Effective Testing with Ansible and InSpec
byNathen Harvey
 
PDF
Automating Security in Cloud Workloads with DevSecOps
byKristana Kane
 
PDF
Infrastructure as Code: Manage your Architecture with Git
byDanilo Poccia
 
PPTX
Will hall - Accelerating Infrastructure as Code and Configuration Management ...
byAWSCOMSUM
 
PPTX
Accelerating Infrastructure as Code with CI in AWS.
byWill Hall
 
PDF
AWS DevOps - Terraform, Docker, HashiCorp Vault
byGrzegorz Adamowicz
 
PDF
Refactoring terraform
byNell Shamrell-Harrington
 
PDF
CNCF London: Key Steps To a Good Quality Terraform Infrastructure Code
byStephane Jourdan
 
PDF
Atmosphere 2018: Yury Tsarev - TEST DRIVEN INFRASTRUCTURE FOR HIGHLY PERFORMI...
byPROIDEA
 
PDF
Automated Testing for Terraform, Docker, Packer, Kubernetes, and More
byC4Media
 
PPTX
An intro to Docker, Terraform, and Amazon ECS
byYevgeniy Brikman
 
RIMA-Infrastructure as a code with Terraform.pptx
byMrJustbis
 
Terraform introduction
byJason Vance
 
Head in the Clouds: Testing Infra as Code - Config Management 2020
byPeter Souter
 
Compliance as Code with terraform-compliance
byEmre Erkunt
 
Getting Started with DevOps on AWS [Mar 2020]
byDhaval Nagar
 
DevOps Fest 2020. immutable infrastructure as code. True story.
byVlad Fedosov
 
Adding Security and Compliance to Your Workflow with InSpec
byMandi Walls
 
Refactoring Infrastructure Code
byNell Shamrell-Harrington
 
Terraform Testing with InSpec Demo
byAnnie Hedgpeth
 
Effective Testing with Ansible and InSpec
byNathen Harvey
 
Automating Security in Cloud Workloads with DevSecOps
byKristana Kane
 
Infrastructure as Code: Manage your Architecture with Git
byDanilo Poccia
 
Will hall - Accelerating Infrastructure as Code and Configuration Management ...
byAWSCOMSUM
 
Accelerating Infrastructure as Code with CI in AWS.
byWill Hall
 
AWS DevOps - Terraform, Docker, HashiCorp Vault
byGrzegorz Adamowicz
 
Refactoring terraform
byNell Shamrell-Harrington
 
CNCF London: Key Steps To a Good Quality Terraform Infrastructure Code
byStephane Jourdan
 
Atmosphere 2018: Yury Tsarev - TEST DRIVEN INFRASTRUCTURE FOR HIGHLY PERFORMI...
byPROIDEA
 
Automated Testing for Terraform, Docker, Packer, Kubernetes, and More
byC4Media
 
An intro to Docker, Terraform, and Amazon ECS
byYevgeniy Brikman
 

More from Nathen Harvey

PDF
Accelerate Your DevOps Journey
byNathen Harvey
 
PDF
Continuous Delivery - GDG Cloud Baltimore
byNathen Harvey
 
PDF
Using Error Budgets to Prioritize Work
byNathen Harvey
 
PPTX
Introduction to Test Kitchen and InSpec
byNathen Harvey
 
PPTX
Introduction to Test Kitchen
byNathen Harvey
 
PPTX
Effective Testing with Ansible and InSpec
byNathen Harvey
 
PDF
DevOps Days India Keynote
byNathen Harvey
 
PPTX
Compliance Automation with InSpec
byNathen Harvey
 
PDF
Introduction to Infrastructure as Code & Automation / Introduction to Chef
byNathen Harvey
 
PDF
Step AFK: Practical Advice for Career Adavancement
byNathen Harvey
 
PDF
DevOp with Me!
byNathen Harvey
 
PDF
Walk This Way - An Introduction to DevOps
byNathen Harvey
 
PPTX
Mongo db at_customink
byNathen Harvey
 
Accelerate Your DevOps Journey
byNathen Harvey
 
Continuous Delivery - GDG Cloud Baltimore
byNathen Harvey
 
Using Error Budgets to Prioritize Work
byNathen Harvey
 
Introduction to Test Kitchen and InSpec
byNathen Harvey
 
Introduction to Test Kitchen
byNathen Harvey
 
Effective Testing with Ansible and InSpec
byNathen Harvey
 
DevOps Days India Keynote
byNathen Harvey
 
Compliance Automation with InSpec
byNathen Harvey
 
Introduction to Infrastructure as Code & Automation / Introduction to Chef
byNathen Harvey
 
Step AFK: Practical Advice for Career Adavancement
byNathen Harvey
 
DevOp with Me!
byNathen Harvey
 
Walk This Way - An Introduction to DevOps
byNathen Harvey
 
Mongo db at_customink
byNathen Harvey
 

Recently uploaded

PDF
ODSC AI West: Agent Optimization: Beyond Context engineering
byShashikant Jagtap
 
PDF
Mastering UiPath Maestro – Session 2 – Building a Live Use Case - Session 2
byDianaGray10
 
PDF
PCCC25(設立25年記念PCクラスタシンポジウム):エヌビディア合同会社 テーマ2「NVIDIA BlueField-4 DPU」
byPC Cluster Consortium
 
PDF
How Much Does It Cost to Build an eCommerce Website in 2025.pdf
byPixlogix Infotech
 
PPTX
UFCD 0797 - SISTEMAS OPERATIVOS_Unidade Completa.pptx
byscribddobruno
 
PDF
The partnership effect: Libraries and publishers on collaborating and thrivin...
byBookNet Canada
 
PDF
Parallel Computing BCS702 Module notes of the vtu college 7th sem 4.pdf
byMatheshVishnu
 
PDF
Open Source Post-Quantum Cryptography - Matt Caswell
byAll Things Open
 
PDF
Lets Build a Serverless Function with Kiro
byChris Bingham
 
PDF
[BDD 2025 - Full-Stack Development] Digital Accessibility: Why Developers nee...
bywintari3
 
PPTX
Guardrails in Action - Ensuring Safe AI with Azure AI Content Safety.pptx
byUdaiappa Ramachandran
 
PDF
MuleSoft Meetup: Dreamforce'25 Tour- Vibing With AI & Agents.pdf
byTintu Jacob Shaji
 
PPTX
Connecting the unconnectable: Exploring LoRaWAN for IoT
byasasiraarthur
 
PPTX
Leon Brands - Intro to GPU Occlusion (Graphics Programming Conference 2024)
byleonbrands1998
 
PDF
Agentic Intro and Hands-on: Build your first Coded Agent
byUiPathCommunity
 
PDF
[BDD 2025 - Mobile Development] Crafting Immersive UI with E2E and AGSL Shade...
byWintari Yasmin
 
PDF
Dev Dives: Build smarter agents with UiPath Agent Builder
byUiPathCommunity
 
PDF
So You Want to Work at Google | DevFest Seattle 2025
byMargaret Maynard-Reid
 
PDF
Transforming Supply Chains with Amazon Bedrock AgentCore (AWS Swiss User Grou...
byChris Bingham
 
PPTX
The power of Slack and MuleSoft | Bangalore MuleSoft Meetup #60
byshyamraj55
 
ODSC AI West: Agent Optimization: Beyond Context engineering
byShashikant Jagtap
 
Mastering UiPath Maestro – Session 2 – Building a Live Use Case - Session 2
byDianaGray10
 
PCCC25(設立25年記念PCクラスタシンポジウム):エヌビディア合同会社 テーマ2「NVIDIA BlueField-4 DPU」
byPC Cluster Consortium
 
How Much Does It Cost to Build an eCommerce Website in 2025.pdf
byPixlogix Infotech
 
UFCD 0797 - SISTEMAS OPERATIVOS_Unidade Completa.pptx
byscribddobruno
 
The partnership effect: Libraries and publishers on collaborating and thrivin...
byBookNet Canada
 
Parallel Computing BCS702 Module notes of the vtu college 7th sem 4.pdf
byMatheshVishnu
 
Open Source Post-Quantum Cryptography - Matt Caswell
byAll Things Open
 
Lets Build a Serverless Function with Kiro
byChris Bingham
 
[BDD 2025 - Full-Stack Development] Digital Accessibility: Why Developers nee...
bywintari3
 
Guardrails in Action - Ensuring Safe AI with Azure AI Content Safety.pptx
byUdaiappa Ramachandran
 
MuleSoft Meetup: Dreamforce'25 Tour- Vibing With AI & Agents.pdf
byTintu Jacob Shaji
 
Connecting the unconnectable: Exploring LoRaWAN for IoT
byasasiraarthur
 
Leon Brands - Intro to GPU Occlusion (Graphics Programming Conference 2024)
byleonbrands1998
 
Agentic Intro and Hands-on: Build your first Coded Agent
byUiPathCommunity
 
[BDD 2025 - Mobile Development] Crafting Immersive UI with E2E and AGSL Shade...
byWintari Yasmin
 
Dev Dives: Build smarter agents with UiPath Agent Builder
byUiPathCommunity
 
So You Want to Work at Google | DevFest Seattle 2025
byMargaret Maynard-Reid
 
Transforming Supply Chains with Amazon Bedrock AgentCore (AWS Swiss User Grou...
byChris Bingham
 
The power of Slack and MuleSoft | Bangalore MuleSoft Meetup #60
byshyamraj55
 

Testing Terraform

  • 1.
  • 2.
    @nathenharvey What am Italking about • Suppose you use a tool like Terraform to create your infrastructure • You're onboard with infrastructure as code • Code should be tested • How can we test Terraform?
  • 3.
    @nathenharvey 1. Deploy n-tiercloud infra 2. Deploy some app 3. Profit A Motivational Example Load Balancer VM Instance VM Instance ...
  • 4.
    @nathenharvey 1. Deploy n-tiercloud infra 2. Deploy some app ??? 3. Profit A Motivational Example Load Balancer VM Instance VM Instance ...
  • 5.
    @nathenharvey So how doyou do that in Terraform?
  • 6.
    @nathenharvey Terraform on AWS:Define an Instance (VM) resource "aws_instance" "web" { count = 3 instance_type = "t2.micro" ami = "${lookup(var.aws_amis, var.aws_region)}" key_name = "${var.key_name}" subnet_id = "${aws_subnet.default.id}" vpc_security_group_ids = [ "${aws_security_group.lb_to_webservers.id}", "${aws_security_group.ssh_from_office.id}", ] ... }
  • 7.
    @nathenharvey Terraform on AWS:Define Load Balancer (ELB) resource "aws_elb" "web" { name = "testing-terraform-elb" subnets = ["${aws_subnet.default.id}"] security_groups = [ "${aws_security_group.world_to_elb.id}", "${aws_security_group.lb_to_webservers.id}", ] instances = ["${aws_instance.web.*.id}"] listener { instance_port = 80 instance_protocol = "http" lb_port = 80 lb_protocol = "http" } }
  • 8.
    @nathenharvey Terraform on AWS:Define a Firewall Rule resource "aws_security_group" "ssh_from_office" { name = "testing-terraform-ssh" vpc_id = "${aws_vpc.testing_terraform.id}" # SSH access from special office addresses ingress { from_port = 22 to_port = 22 protocol = "tcp" cidr_blocks = "${var.ssh_cidrs}" } # outbound internet access egress { from_port = 0 to_port = 0 protocol = "-1" cidr_blocks = ["0.0.0.0/0"] } }
  • 9.
    @nathenharvey Terraform on AWS:Define a Firewall Rule resource "aws_security_group" "ssh_from_office" { name = "testing-terraform-ssh" vpc_id = "${aws_vpc.testing_terraform.id}" # SSH access from special office addresses ingress { from_port = 22 to_port = 22 protocol = "tcp" cidr_blocks = "${var.ssh_cidrs}" } # outbound internet access egress { from_port = 0 to_port = 0 protocol = "-1" cidr_blocks = ["0.0.0.0/0"] } } variable "ssh_cidrs" { default = [ "173.239.212.22/32", "12.130.117.75/32" ] }
  • 10.
    $ What's the plan,Phil? terraform plan -out plan.out Refreshing Terraform state in-memory prior to plan... The refreshed state will be used to calculate this plan, but will not be persisted to local or remote state storage. ... Plan: 11 to add, 0 to change, 0 to destroy. ------------------------------------------------------------------------ This plan was saved to: plan.out To perform exactly these actions, run the following command to apply: terraform apply "plan.out"
  • 11.
    $ Make it so! terraformapply "plan.out" aws_vpc.testing_terraform: Creating... assign_generated_ipv6_cidr_block: "" => "false" cidr_block: "" => "10.0.0.0/16" default_network_acl_id: "" => "<computed>" default_route_table_id: "" => "<computed>" default_security_group_id: "" => "<computed>” ... aws_elb.web: Creation complete after 25s (ID: testing-terraform-elb) Apply complete! Resources: 11 added, 0 changed, 0 destroyed. Outputs: address = testing-terraform-elb-1345186905.us-east-1.elb.amazonaws.com
  • 12.
  • 13.
  • 14.
    $ Verify with Terraform terraformplan Refreshing Terraform state in-memory prior to plan... The refreshed state will be used to calculate this plan, but will not be persisted to local or remote state storage. aws_vpc.testing_terraform: Refreshing state... (ID: vpc-091427c0ca8ed3c29) ... aws_elb.web: Refreshing state... (ID: testing-terraform-elb) ------------------------------------------------------------------------ No changes. Infrastructure is up-to-date. This means that Terraform did not detect any differences between your configuration and real physical resources that exist. As a result, no actions need to be performed.
  • 15.
  • 16.
  • 17.
  • 18.
  • 19.
    $ Audit with Terraform terraformplan An execution plan has been generated and is shown below. Resource actions are indicated with the following symbols: ~ update in-place Terraform will perform the following actions: ~ aws_instance.web[0] vpc_security_group_ids.#: "3" => "2" vpc_security_group_ids.1298918294: "sg-01eefd0164f2de498" => "sg-01eefd0164f2de498" vpc_security_group_ids.35497876: "sg-0c6388fa3e956cc15" => "" vpc_security_group_ids.645334896: "sg-03bca2a0e861c01e7" => "sg-03bca2a0e861c01e7” Plan: 0 to add, 1 to change, 0 to destroy.
  • 20.
    @nathenharvey Detected the newsecurity group Will detach it Is that enough? Awesome! Terraform found the change!
  • 21.
    @nathenharvey It only auditswhat is known in the Terraform config All change is drift (considered bad) Only express what you want, not what you don't How does terraform plan fall short?
  • 22.
  • 23.
  • 24.
    @nathenharvey PART OF APROCESS OF CONTINUOUS COMPLIANCE Scan for Compliance Build & Test Locally Build & Test CI/CD Remediate Verify A SIMPLE EXAMPLE OF AN INSPEC CIS RULE InSpec ▪ Translate compliance into Code ▪ Clearly express statements of policy ▪ Move risk to build/test from runtime ▪ Find issues early ▪ Write code quickly ▪ Run code anywhere ▪ Inspect machines, data and APIs Turn security and compliance into code control 'cis-1.4.1' do title '1.4.1 Enable SELinux in /etc/grub.conf' desc ' Do not disable SELinux and enforcing in your GRUB configuration. These are important security features that prevent attackers from escalating their access to your systems. For reference see … ' impact 1.0 expect(grub_conf.param 'selinux').to_not eq '0' expect(grub_conf.param 'enforcing').to_not eq '0' end
  • 25.
    $ InSpec Shell inspec shell–t aws:// Welcome to the interactive InSpec Shell To find out how to use it, type: help You are currently running on: Name: aws Families: cloud, api Release: aws-sdk-v2.11.50
  • 26.
    $ InSpec Shell inspec shell–t aws:// Welcome to the interactive InSpec Shell To find out how to use it, type: help You are currently running on: Name: aws Families: cloud, api Release: aws-sdk-v2.11.50 Targeting AWS!
  • 27.
    inspec> InSpec Shell –Tab Completion aws_<TAB> aws_cloudtrail_trail aws_iam_access_keys aws_iam_users aws_security_group aws_cloudtrail_trails aws_iam_group aws_kms_key aws_security_groups aws_cloudwatch_alarm aws_iam_groups aws_kms_keys aws_sns_subscription aws_cloudwatch_log_metric_filter aws_iam_password_policy aws_rds_instance aws_sns_topic aws_config_delivery_channel aws_iam_policies aws_route_table aws_sns_topics aws_config_recorder aws_iam_policy aws_route_tables aws_subnet aws_ec2_instance aws_iam_role aws_s3_bucket aws_subnets aws_ec2_instances aws_iam_root_user aws_s3_bucket_object aws_vpc aws_iam_access_key aws_iam_user aws_s3_buckets aws_vpcs
  • 28.
    inspec> Find the shadysecurity group aws_security_group('sg-0c6388fa3e956cc15').group_name => "uat_executive"
  • 29.
    inspec> Check the Rules aws_security_group('sg-0c6388fa3e956cc15').inbound_rules =>[{:from_port=>22, :ip_protocol=>"tcp", :ip_ranges=>[{:cidr_ip=>"0.0.0.0/0"}], :ipv_6_ranges=>[{:cidr_ipv_6=>"::/0"}], :prefix_list_ids=>[], :to_port=>22, :user_id_group_pairs=>[]}]
  • 30.
    inspec> describe aws_security_group('sg-0c6388fa3e956cc15')do inspec> it { should_not allow_in ipv4_range: '0.0.0.0/0' } inspec> end Write a proper test
  • 31.
    inspec> describe aws_security_group('sg-0c6388fa3e956cc15')do inspec> it { should_not allow_in ipv4_range: '0.0.0.0/0' } inspec> end Profile: inspec-shell Version: (not specified) EC2 Security Group sg-0c6388fa3e956cc15 × should not allow in {} expected `EC2 Security Group sg-0c6388fa3e956cc15.allow_in?({})` to return false, got true Test Summary: 0 successful, 1 failure, 0 skipped Write a proper test
  • 32.
    @nathenharvey An InSpec Control security_groups.rb control'Make sure unrestricted SSH is not permitted' do # Loop over each of the security group IDs in the region aws_security_groups.group_ids.each do |group_id| # Examine a security group in detail describe aws_security_group(group_id) do # Examine Ingress rules, and complain if # there is unrestricted SSH it { should_not allow_in(port: 22, ipv4_range: '0.0.0.0/0') } end end end
  • 33.
    $ InSpec Shell inspec exec–t aws:// secruity_groups.rb Profile: tests from security_groups.rb (tests from security_groups.rb) Version: (not specified) Target: aws:// × Make sure unrestricted SSH is not permitted: EC2 Security Group sg-003262589de21dbf5 (15 failed) ✔ EC2 Security Group sg-003262589de21dbf5 should not allow in {} ✔ EC2 Security Group sg-00f0b54bd7c8d93a1 should not allow in {} × EC2 Security Group sg-0c6388fa3e956cc15 should not allow in {} expected `EC2 Security Group sg-0c6388fa3e956cc15.allow_in?({})` to return false, got true ... Profile Summary: 0 successful controls, 1 control failure, 0 controls skipped Test Summary: 4 successful, 15 failures, 0 skipped
  • 34.
  • 35.
    @nathenharvey What else tovalidate? Concern Terraform Plan InSpec Number and type of instances requested All instances are part of our app Right security groups created and attached No security group allows in SSH Only security group open to the world should be port 80 for the ELB ELB correctly configured Should only be one ELB
  • 36.
    @nathenharvey Check instances instances.rb control "Shouldonly have instances associated with my app" do aws_ec2_instances.instance_ids.each do |instance_id| describe aws_ec2_instance(instance_id) do its('instance_type') { should cmp 't2.micro' } its('tags') { should include(key:'X-Application', value:'Testing Terraform') } end end end
  • 37.
    @nathenharvey More Security Groups security_groups.rb control"The only world-open security groups should be on the ELB" do elb_sg_ids = aws_elbs.security_group_ids aws_security_groups.group_ids.each do |sg_id| sg = aws_security_group(sg_id) if sg.allow_in? ipv4_range: '0.0.0.0/0' describe sg do its('group_id') { should be_in elb_sg_ids } it { should allow_in_only port: 80 } end end end end
  • 38.
    $ Put it alltogether with a profile inspec init profile my_app Create new profile at /Users/nathenharvey/projects/nathenharvey/testing- terraform/inspec/profiles/my_app * Create directory libraries * Create file README.md * Create directory controls * Create file controls/example.rb * Create file inspec.yml * Create file libraries/.gitkeep
  • 39.
    $ Put it alltogether with a profile inspec exec -t aws:// my_app Profile: tests from security_groups.rb (tests from security_groups.rb) Version: (not specified) Target: aws:// × Make sure unrestricted SSH is not permitted: EC2 Security Group sg-003262589de21dbf5 (15 failed) ✔ EC2 Security Group sg-003262589de21dbf5 should not allow in {} ✔ EC2 Security Group sg-00f0b54bd7c8d93a1 should not allow in {} × EC2 Security Group sg-01b504b800f32e1ff should not allow in {} expected `EC2 Security Group sg-01b504b800f32e1ff.allow_in?({})` to return false, got true ... Profile Summary: 0 successful controls, 3 control failures, 0 controls skipped Test Summary: 43 successful, 65 failures, 0 skipped
  • 40.
    @nathenharvey Terraform: A PowerTool for the Cloud! Terraform and InSpec? InSpec: A Verification tool for OS's and API's
  • 41.
    @nathenharvey Terraform: A PowerTool for the Cloud! Terraform and InSpec! InSpec: A Verification tool for OS's and API's
  • 42.
  • 43.
    $ Install InSpec-Iggy gem installinspec-iggy Successfully installed inspec-iggy-0.2.0 1 gem installed
  • 44.
    $ Create a Profilefrom tfstate file inspec terraform generate --tfstate terraform.tfstate > my_terra.rb
  • 45.
    $ Run InSpec inspec exec-t aws:// my_terra.rb inspec exec -t aws:// my_terra.rb Profile: tests from my_terra.rb (tests from my_terra.rb) Version: (not specified) Target: aws:// ✔ aws_ec2_instance::i-03663e4b9cb2858d6: Iggy terraform.tfstate aws_ec2_instance::i-03663e4b9cb2858d6 ✔ EC2 Instance i-03663e4b9cb2858d6 should exist ... Profile Summary: 8 successful controls, 0 control failures, 0 controls skipped Test Summary: 32 successful, 0 failures, 0 skipped
  • 46.
    @nathenharvey Join us onSlack! ● http://community-slack.chef.io ● #general (for Chef stuff) ● #inspec
  • 47.
    @nathenharvey What questions canI answer for you? https://github.com/nathenharvey/testing-terraform

Editor's Notes

  • #21 Config drift is different than scanning for a violation - it could just be here that a real change was intended