Using Inspec (Chef) to Validate Infrastructure


InSpec is an open-source testing framework by Chef that enables you to specify compliance, security, and other policy requirements.

Built on the Ruby programming language, InSpec tests are meant to be human-readable. If you’re familiar with testing frameworks such as RSpec and Serverspec, InSpec code will look familiar to you.

InSpec can run on Windows and many Linux distributions. Although you can use InSpec to scan almost any system, in this module you’ll scan Docker containers running Linux to get a sense of how InSpec works. The concepts apply equally to Windows.

Imagine that you are working on an elaborate infrastructure built on Docker containers, SSL certificates and DNS entries. Although we were able to stand up complete infrastructure environments from scratch using automated configuration management tools, we weren't really sure whether the result was working correctly, or rather the way it was supposed to. The question staring at us was: is there a way to declare the desired state of our infrastructure and then validate the infrastructure against it?

Inspec to the Rescue

The open-source tool Inspec has been used with considerable success over the last few years to achieve security compliance for infrastructure. Its syntax and constructs happen to be unbelievably simple. For instance, consider the code snippet below: it doesn't require much programming knowledge to make sense of it, does it?

This made us wonder, what if we use Inspec to validate our infrastructure setup? What if we map our infrastructure configurations in an easy-to-read declarative syntax? What if this actually solves our problem?

In line with DevOps best practices, we started with a simple experiment: one that could solve a tangible problem. We had a Docker host which was supposed to have a particular Docker container running inside it, but for some reason it used to fail quite often. We decided to write a test in Inspec to check whether this container was running on this host:

… and tried executing the test

This was just what we wanted!
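The kind of test described above, as an added example rather than the article's own code: an InSpec control for the container check, extended to the SSL certificate and DNS components mentioned earlier. The container name, image tag, certificate path, hostname and port are assumed placeholders.

```ruby
# Added example, not the article's code. Placeholders: container 'app-web',
# image 'example/app-web:1.4.2', cert path, hostname 'app.example.com'.

control 'component-readiness-01' do
  impact 1.0
  title 'The web container is running from the expected image'
  desc 'Fails when the container is missing, stopped, or built from another image.'

  # docker_container reads the state from the Docker host the profile runs on.
  describe docker_container('app-web') do
    it { should exist }
    it { should be_running }
    its('image') { should eq 'example/app-web:1.4.2' }
    its('ports') { should include '0.0.0.0:443->443/tcp' }
  end
end

control 'component-readiness-02' do
  impact 0.7
  title 'TLS certificate, DNS entry and listening port are in the desired state'

  # Certificate must match the expected CN and not be close to expiry.
  describe x509_certificate('/etc/ssl/certs/app.example.com.pem') do
    its('subject.CN') { should eq 'app.example.com' }
    its('validity_in_days') { should be > 30 }
  end

  # DNS entry must resolve from the host under test.
  describe host('app.example.com') do
    it { should be_resolvable }
  end

  # The container's published port must actually be listening on the host.
  describe port(443) do
    it { should be_listening }
    its('protocols') { should include 'tcp' }
  end
end
```

Running the profile with `inspec exec <profile-dir> --reporter cli junit:readiness.xml` produces the JUnit file the Jenkins JUnit plugin can pick up, as the article describes later.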

Excited by this success, we started writing a battery of tests that validated each and every component of our infrastructure. Within a single day, we churned out 192 tests. The number of tests wasn't as important as the scope and breadth of the test coverage. Once the tests were there, we plugged them into our infrastructure pipeline (which was built using Jenkins) to ensure the components align with the desired state. We called them 'component-readiness' tests.

So far so good.

Now that our components match the desired state, are we still confident that our platform would work the way we intended? Perhaps we need some “platform readiness tests” as well. Can we use Inspec for that, too? The answer: Yes!

Now that the platform readiness tests were ready, we extended our infrastructure pipeline to incorporate them as well.

Setting up our component and platform readiness tests with Inspec brought one more fantastic benefit: live documentation for the infrastructure. Inspec allows the audit results to be displayed in a variety of report formats, including JUnit, JSON, HTML and others. We used the JUnit report format and displayed the results using the Jenkins JUnit Plugin. With this, we had human-readable JUnit reports that doubled as live documentation for our infrastructure.

Needless to say, this infrastructure testing with Inspec provided the (much needed) confidence in our setup and readiness. Our pipeline is designed in such a way that whenever any infrastructure component in our ecosystem changes, the pipeline is triggered, which reconfigures and (if required) rebuilds the ecosystem. The Inspec tests run as part of this infrastructure pipeline and validate the newly configured infrastructure setup. Thanks to this, we are never in a situation in which the client application running on this infrastructure complains or aborts because of incorrect configurations. Moreover, as described above, the living documentation records the expected configuration of the environment.

So far, the Inspec implementation I have referred to is using the freely available Inspec tool and the Jenkins platform. Inspec can also be combined with Chef Compliance to produce more descriptive reports and charts. Chef Compliance also comes with out-of-the-box CIS profiles that can be used to jump start an Inspec implementation for security compliance and audits.

Inspec is an easy tool to master, with simple and intuitive constructs, and one can get up and running quite easily. However, this simplicity has a downside. It's very easy to speed ahead and gloss over the documentation, missing out on the best practices and tips/techniques for implementing the solution in a better way. One way to master this is to have a crack at the newly released Auditing with Inspec certification, which provides the impetus to go through the documentation in detail while preparing for the certification. And you also get to show off a shiny badge for your efforts!

What is InSpec and what are its top alternatives?

It is an open-source testing framework for infrastructure with a human- and machine-readable language for specifying compliance, security and policy requirements. InSpec is a tool in the Testing Frameworks category of a tech stack. InSpec is an open source tool with 2K GitHub stars and 563 GitHub forks; its open source repository is on GitHub.

What are some alternatives to InSpec?

- Serverspec: With Serverspec, you can write RSpec tests for checking your servers are configured correctly. Serverspec tests your servers' actual state by executing commands locally, via SSH, via WinRM, via Docker API and so on.
- RSpec: Behaviour Driven Development for Ruby. Making TDD productive and fun.
- JUnit: JUnit is a simple framework to write repeatable tests. It is an instance of the xUnit architecture for unit testing frameworks.
- Cucumber: Cucumber is a tool that supports Behaviour-Driven Development (BDD), a software development process that aims to enhance software quality and reduce maintenance costs.
- PHPUnit: PHPUnit is a programmer-oriented testing framework for PHP. It is an instance of the xUnit architecture for unit testing frameworks.



In Summary

Infrastructure validation is quite an important step in any DevOps implementation. Apart from being very useful for security compliance testing, Inspec can be used to validate infrastructure using a simple and easy-to-understand declarative syntax. Moreover, it has a small footprint, a vibrant community looking after it and up-to-date and clear documentation. It definitely is a tool with the potential to provide quick and effective results.

Source: https://devops.com/infrastructure-validation-with-inspec/#disqus_thread


François Encrenaz

Cloud Specialist | Technical Leader | Technology Strategist
