Testing the simple stack

Currently, the cloudspin rake library provides support for running Inspec controls (tests) against AWS infrastructure.

The following is based on the basic-stack example project.

Adding the inspec tasks to the Rakefile

You need to declare a Cloudspin::Stack::Rake::InspecTask object in the rakefile, passing it a StackInstance object for the stack instance to test.

include Cloudspin::Stack::Rake

stack = StackTask.new.instance
InspecTask.new(stack_instance: stack)

This looks for the folder ./test/inspec, and if found, adds the inspec task:

$ rake -T
rake down     # Destroy stack test-network
rake dry      # Show command line to be run for stack test-network
rake inspec   # Run inspec tests
rake plan     # Plan changes to stack test-network
rake up       # Create or update stack test-network

Running the inspec tests

In the example project, this simply checks that the VPC with the expected name exists.

$ rake inspec
mkdir -p ./work/inspec
Run inspec
inspec exec ./test/inspec/. --attrs ./work/inspec/attributes-for-stack-test-network.yml --reporter json-rspec:./work/inspec/results-for-stack-test-network-profile-infrastructure.json cli -t aws://eu-west-1/assume-spin_stack_manager-skeleton

Profile: Controls for AWS resources (infrastructure)
Version: 0.1.0
Target:  aws://eu-west-1

  VPCs
     ✔  name should include "vpc-test-network"

Test Summary: 1 successful, 0 failures, 0 skipped

Writing inspec tests

See the inspec documentation for details on organizing and writing Inspec controls. One bit of support that the cloudspin inspec rake task provides is passing parameters to the inspec controls. By default, all of the stack parameters are made available as attributes within the control.

The example uses the stack_instance_id:

title 'vpc'

stack_instance_id = attribute('stack_instance_id', description: 'Which stack to test')

describe aws_vpc_list do
  its('name') { should include "vpc-#{stack_instance_id}" }
end

Another test shows that the region parameter has been set (it’s set in the file stack-instance-defaults.yaml):

aws_region = attribute('region', description: 'aws region')
describe aws_region do
  it 'region attribute should be available' do
    expect(subject).not_to eq('')
  end
end

Running rake inspec in the example project runs these two controls:

$ rake inspec
mkdir -p ./work/inspec
Run inspec
inspec exec ./test/inspec/. --attrs ./work/inspec/attributes-for-stack-test-network.yml --reporter json-rspec:./work/inspec/results-for-stack-test-network-profile-infrastructure.json cli -t aws://eu-west-1/assume-spin_stack_manager-skeleton

Profile: Controls for AWS resources (infrastructure)
Version: 0.1.0
Target:  aws://eu-west-1

  VPCs
     ✔  name should include "vpc-test-network"
  eu-west-1
     ✔  region attribute should be available

Test Summary: 2 successful, 0 failures, 0 skipped

Where stuff is

As mentioned previously, cloudspin copies the source code to an instance folder, by default ./work. The inspec attributes file is automatically generated in ./work/inspec/attributes-for-stack-INSTANCE_NAME.yml. The log output, useful for debugging failed tests, is put in ./work/inspec/results-for-stack-INSTANCE_NAME-profile-PROFILE_NAME.json. PROFILE_NAME is set in the inspec profile files (./test/inspec/inspec.yml).

results matching ""

    No results matching ""