DevSecOps using Inspec
Chef InSpec is an open source tool used for automated testing of your infrastructure and applications as code. It can be used to ensure compliance, security, and other policy requirements are being met.
Because the tests are written as code, InSpec fits naturally into a CI/CD pipeline. The examples in this post run against a Google Compute Engine instance and a Google Cloud Storage bucket, but InSpec can run tests against any cloud provider (GCP, AWS, Azure) as a step in your pipeline.
Heimdall is a web-based visualization server for viewing InSpec results, evaluations, and profiles. Results can be uploaded automatically with a curl command, and the UI lets you browse the controls and the underlying benchmarks.
To run InSpec, I created a Docker container that I am sharing on my GitHub repository. The container has the Google Cloud SDK installed and reaches my GCP resources using the service account credentials passed to it via a JSON credentials file. Since the InSpec GCP resources only read resource state, that service account needs nothing more than viewer-level access on the project, so keep the key scoped to that. The docker-compose.yml file contains the configuration for the InSpec container, the Heimdall server, and the Postgres database used by Heimdall.
Using the included Terraform module I created the Google Compute and Storage resources that are being tested via inspec controls in GitHub.
Then, using the docker-compose.yml file, I created a Docker container locally that ran the tests over SSH and with the Google credentials file.
The control file defines the tests to run and is written in InSpec's Ruby DSL. Here is a sample control ensuring that the instance created via Terraform is running:
```ruby
# Profile inputs (declared in inspec.yml or passed with --input) so the
# control does not hard-code the project, zone, or instance name.
gcp_project_id = input('gcp_project_id')
zone           = input('zone')
instance_name  = input('instance_name')

control "gcp-instance-1.0" do
  impact 1.0
  title "Ensure the Instance was created and is running"
  desc "caveat", "If the Instance does not exist - run terraform apply."
  describe google_compute_instance(project: gcp_project_id, zone: zone, name: instance_name) do
    it { should exist }
    its("name") { should eq "panong-test-inspec-instance" }
    # machine_type and cpu_platform use `match` because the API returns
    # a full URL / vendor string rather than the bare value
    its("machine_type") { should match "n1-standard-1" }
    its("cpu_platform") { should match "Intel Haswell" }
    its("status") { should eq "RUNNING" }
  end
end
```
I took advantage of pre-existing inspec baselines to ensure compliance and only created controls for the GCP resources I wanted to evaluate.
```sh
# Generate credentials for Heimdall Server
bash setup-docker-secrets.sh
# Run the Docker Containers
docker-compose up -d
# Create the Heimdall Database
docker-compose run --rm web rake db:create db:migrate
```
You can access the Heimdall Server by visiting http://localhost:3000 and you should see:
Set up your admin user, create a circle (a group that users can be added to), and make a record of the API key for your user. The documentation for Heimdall Server can be found on the MITRE GitHub.
Then run the profiles and upload the results to Heimdall:
```sh
# Run profiles and push to heimdall
docker exec -it inspec bash /home/root/tests.sh
```
The tests.sh script runs the GCP, Docker, SSH, and Linux tests, then runs the inspec_tools analysis to compare the results of each evaluation against the compliance thresholds set in the thresholds.yml file. It prints a summary of each test and then uploads the results to the Heimdall Server using the email, circle, and API key you set up earlier.
One of the best things about Heimdall Server is the ability to compare evaluations and to scope permissions to specific circles, which comes in handy when granting auditors access for compliance audits.
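To show what the threshold step in a pipeline actually decides, here is an added example in plain Ruby; it is not the repository's tests.sh script or inspec_tools. It parses the document InSpec writes with `--reporter json`, tallies each control as passed, failed, or skipped, and returns a non-zero exit code when compliance drops below a minimum percentage or any high-impact control fails. The report and thresholds are constructed inline for the example, and the thresholds.yml keys it reads (compliance.min, failed.high.max) are an assumption for illustration, not the inspec_tools schema.

```ruby
# Added example (not the repository's tests.sh or inspec_tools): a CI gate
# that reads InSpec's JSON reporter output plus a thresholds file and
# returns the exit code the pipeline step should use. The threshold keys
# are an assumption for this example, not the inspec_tools schema.
require 'json'
require 'yaml'

# Constructed sample: a trimmed InSpec `--reporter json` document.
SAMPLE_REPORT = <<~JSON
  {
    "profiles": [
      {
        "name": "gcp-baseline",
        "controls": [
          {"id": "gcp-instance-1.0", "impact": 1.0, "title": "Instance is running",
           "results": [{"status": "passed", "code_desc": "is expected to exist"},
                       {"status": "passed", "code_desc": "status is expected to eq RUNNING"}]},
          {"id": "gcp-bucket-1.0", "impact": 0.9, "title": "Bucket is not public",
           "results": [{"status": "failed", "code_desc": "iam binding allUsers",
                        "message": "expected no allUsers members"}]},
          {"id": "ssh-2.1", "impact": 0.3, "title": "SSH banner",
           "results": [{"status": "skipped", "code_desc": "not applicable"}]}
        ]
      }
    ]
  }
JSON

# Constructed sample thresholds (assumed layout for this example).
SAMPLE_THRESHOLDS = <<~YAML
  compliance:
    min: 90          # minimum percent of evaluated (non-skipped) controls that pass
  failed:
    high:
      max: 0         # no failing control with impact >= 0.7 is tolerated
YAML

# A control fails if any result failed, is skipped if every result was
# skipped (or it has none), and passes otherwise.
def control_status(control)
  statuses = control.fetch('results', []).map { |r| r['status'] }
  return 'skipped' if statuses.empty? || statuses.all? { |s| s == 'skipped' }
  statuses.include?('failed') ? 'failed' : 'passed'
end

# Tally controls across all profiles. Skipped controls are left out of the
# compliance percentage so an all-skipped run cannot look compliant.
def summarize(report_json)
  controls = JSON.parse(report_json)['profiles'].flat_map { |p| p.fetch('controls', []) }
  tally = Hash.new(0)
  failed_high = []
  controls.each do |c|
    status = control_status(c)
    tally[status] += 1
    failed_high << c['id'] if status == 'failed' && c['impact'].to_f >= 0.7
  end
  evaluated = tally['passed'] + tally['failed']
  compliance = evaluated.zero? ? 0.0 : (100.0 * tally['passed'] / evaluated).round(2)
  { passed: tally['passed'], failed: tally['failed'], skipped: tally['skipped'],
    compliance: compliance, failed_high: failed_high }
end

# Compare a summary against the thresholds; returns a list of violations.
def violations(summary, thresholds_yaml)
  t = YAML.safe_load(thresholds_yaml)
  problems = []
  min = t.dig('compliance', 'min')
  if min && summary[:compliance] < min
    problems << "compliance #{summary[:compliance]}% is below the minimum of #{min}%"
  end
  max_high = t.dig('failed', 'high', 'max')
  if max_high && summary[:failed_high].size > max_high
    problems << "#{summary[:failed_high].size} high-impact control(s) failed " \
                "(#{summary[:failed_high].join(', ')}); maximum allowed is #{max_high}"
  end
  problems
end

# Print the summary and return the exit code (0 = gate passed, 1 = failed).
def run_gate(report_json, thresholds_yaml)
  s = summarize(report_json)
  puts format('passed=%d failed=%d skipped=%d compliance=%.1f%%',
              s[:passed], s[:failed], s[:skipped], s[:compliance])
  problems = violations(s, thresholds_yaml)
  problems.each { |p| warn "THRESHOLD VIOLATION: #{p}" }
  problems.empty? ? 0 : 1
end

if ARGV.length == 2
  # Real use from a pipeline step: ruby gate.rb results.json thresholds.yml
  exit run_gate(File.read(ARGV[0]), File.read(ARGV[1]))
else
  # No arguments: walk through the constructed sample (the public bucket fails it).
  run_gate(SAMPLE_REPORT, SAMPLE_THRESHOLDS)
end
```

In the sample the public bucket control fails at impact 0.9, so the gate reports 50% compliance and one high-impact failure and returns 1; only the two-argument form calls `exit`, so the script can also be required and its functions checked in isolation. Counting a control as failed when any of its results fails mirrors how InSpec itself reports control status, and treating skipped controls as neither passed nor failed keeps a profile that silently skips everything from passing the gate.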
The results from your inspec tests will look similar to this:
*Cover Images from plutora.com