This week brings us into another delightful ChefConf! We’ve made a lot of great announcements about enhancements and features that have been added across our suite of automation tools, and in Chef Automate itself with Automate 2.0. We also announced that Chef Software is now even more tightly integrated with the Microsoft Azure platform. Users can now run InSpec natively as a part of the Azure Cloud Shell experience. This allows everyone using Cloud Shell to easily run InSpec compliance scans right from their browser!
Azure Cloud Shell allows you to connect to Azure using an authenticated, browser-based shell experience that’s hosted in the cloud and accessible from virtually anywhere. Azure Cloud Shell is assigned per unique user account and automatically authenticated with each session. You get a modern command-line experience from multiple access points, including the Azure portal, shell.azure.com, Azure mobile app, Azure docs (e.g., Azure CLI 2.0), and the VS Code Azure Account extension.
Using InSpec in Azure Cloud Shell is super easy! Just call inspec from the bash prompt, and you’re on your way!
InSpec is able to leverage Azure Managed Service Identity system that’s baked into Cloud Shell to give you instantaneous access to your Azure Resources in any subscription you have access to. All the examples in this blog can found on GitHub at: https://github.com/jquick/azure_shell_inspec_demo
In the following use cases we’ve exported our subscription ID to an environment variable.
To scan a resource group in your subscription, just call “
inspec exec [your profile] -t azure://[your subscription id]” with an Azure resource profile.
In this example we first scan for a resource group which we have the wrong name for, so our tests fail. When we provide the correct resource group name we get our other results back.
The next example shows a more detailed scan of a VM resource in a resource group:
We scan the system here for several different VM resource attributes, so that we can verify our deployment is configured to the specifications our team requested. The results of the InSpec scan show that we’ve got some changes to make to this VM resource to get it into compliance.
Finally, this example shows you can still use InSpec in Cloud Shell to do remote scans on systems in your environment by providing the appropriate credentials for a machine.
Here we run the DevSec Linux Baseline against our Ubuntu 16.04 VM. This is an empty VM, and it could use some remediation with a Chef cookbook.
You can get running with Azure Cloud Shell today by visiting https://shell.azure.com!
We hope you enjoy using InSpec inside of Azure Cloud Shell! We’ll be looking to add other tools into Cloud Shell in the near future.
To learn more about how to use InSpec and Azure together, check out these resources: