Automatically Generating InSpec Controls from Terraform

InSpec-Iggy, or “Iggy” for short, is a new plugin for InSpec that generates InSpec compliance profiles from Terraform .tfstate files (and eventually AWS CloudFormation and Azure Resource Manager templates). Iggy was originally inspired by Christoph Hartmann’s inspec-verify-provision repository and the associated blog post on testing Terraform with InSpec. With the release of InSpec 2.0 and the addition of AWS and Azure support, automatically generating controls became much more feasible. Let’s see a quick demo of how it works:

inspec terraform generate

This currently generates a set of InSpec Controls by mapping the Terraform resources in the state file to InSpec Resources. The output may be captured to a file (i.e. “test.rb”) and run from the command line with InSpec. The demo uses the Terraform Basic Two-Tier AWS Architecture and the following commands:

terraform apply
inspec terraform generate > test.rb
inspec exec test.rb -t aws://us-west-1

With the current versions of InSpec-Iggy (0.2.0) and InSpec (2.1.83) we get the following output:

$ inspec exec test.rb -t aws://us-west-1

Profile: tests from test.rb (tests from test.rb)
Version: (not specified)
Target:  aws://us-west-1

  ✔  aws_ec2_instance::i-0ed224373e440f72b: Iggy terraform.tfstate aws_ec2_instance::i-0ed224373e440f72b
     ✔  EC2 Instance i-0ed224373e440f72b should exist
     ✔  EC2 Instance i-0ed224373e440f72b id should cmp == "i-0ed224373e440f72b"
     ✔  EC2 Instance i-0ed224373e440f72b instance_type should cmp == "t2.micro"
     ✔  EC2 Instance i-0ed224373e440f72b key_name should cmp == "mattray-tf"
     ✔  EC2 Instance i-0ed224373e440f72b subnet_id should cmp == "subnet-fbc7f29c"
  ✔  aws_security_group::sg-7770ba0f: Iggy terraform.tfstate aws_security_group::sg-7770ba0f
     ✔  EC2 Security Group sg-7770ba0f should exist
     ✔  EC2 Security Group sg-7770ba0f description should cmp == "Used in the terraform"
     ✔  EC2 Security Group sg-7770ba0f vpc_id should cmp == "vpc-0eacdb69"
  ✔  aws_security_group::sg-0a70ba72: Iggy terraform.tfstate aws_security_group::sg-0a70ba72
     ✔  EC2 Security Group sg-0a70ba72 should exist
     ✔  EC2 Security Group sg-0a70ba72 description should cmp == "Used in the terraform"
     ✔  EC2 Security Group sg-0a70ba72 vpc_id should cmp == "vpc-0eacdb69"
  ✔  aws_subnet::subnet-fbc7f29c: Iggy terraform.tfstate aws_subnet::subnet-fbc7f29c
     ✔  VPC Subnet subnet-fbc7f29c should exist
     ✔  VPC Subnet subnet-fbc7f29c availability_zone should cmp == "us-west-1a"
     ✔  VPC Subnet subnet-fbc7f29c cidr_block should cmp == ""
     ✔  VPC Subnet subnet-fbc7f29c vpc_id should cmp == "vpc-0eacdb69"
  ✔  aws_vpc::vpc-0eacdb69: Iggy terraform.tfstate aws_vpc::vpc-0eacdb69
     ✔  VPC vpc-0eacdb69 should exist
     ✔  VPC vpc-0eacdb69 cidr_block should cmp == ""
     ✔  VPC vpc-0eacdb69 dhcp_options_id should cmp == "dopt-d76783b2"
     ✔  VPC vpc-0eacdb69 instance_tenancy should cmp == "default"

Profile Summary: 5 successful controls, 0 control failures, 0 controls skipped
Test Summary: 19 successful, 0 failures, 0 skipped

inspec terraform extract

This currently reads the terraform.tfstate file, looks for tagged Resources, and extracts the inspec exec commands for running against those machines. This is still under development, but the current demo provides the following:

$ inspec terraform extract -t terraform.tfstate
inspec exec -t ssh:// -i mattray-tf
inspec exec -t ssh:// -i mattray-tf
inspec exec -t aws://us-west-2

This output needs a small bit of tweaking, but it works:

inspec exec -t ssh://ubuntu@ -i mattray-tf
Profile Summary: 5 successful controls, 8 control failures, 1 control skipped
Test Summary: 103 successful, 14 failures, 1 skipped

Working with InSpec-Iggy

InSpec-Iggy is available through Rubygems, so you can gem install inspec-iggy to get started now. If you want to get involved in development, there are further instructions on GitHub.

Writing InSpec Plugins

Writing InSpec plugins is not yet a documented feature, so I’ve written an example InSpec plugin and pushed it to Rubygems and GitHub if you would like to learn more.

The Future of Iggy

Chef has been working with a leading international banking group to automate cloud compliance for Singapore and Hong Kong. We’ve been gathering requirements and use-cases for integration of InSpec and Terraform, and we welcome your feedback too. InSpec-Iggy is open source and Apache-licensed. Iggy is not yet 1.0; we want to build out stronger support for more Terraform resources and build a better inspec terraform extract experience. AWS CloudFormation support is also under active development, and Azure Resource Manager templates will follow a similar pattern. We look forward to your input, testing, and patches as we work to expand the InSpec coverage of all of your infrastructure and resources.

Author Matt Ray

Matt is Chef's Manager/Solutions Architect for APAC and is currently based in Sydney, Australia. He's been with Chef for 6 years in a wide variety of roles, most recently including Director of Partner Integration.