From e3cd1ed19797410bf13fc2c27d9a1d9083bffbd8 Mon Sep 17 00:00:00 2001
From: Brandon O'Connor
Date: Wed, 5 Sep 2018 01:18:57 -0700
Subject: [PATCH] [#1] - Add migrate to GCP inspec resources in tests
---
 .kitchen.yml | 17 +-
 Gemfile | 6 +-
 Gemfile.lock | 146 ++++++++++++------
 bin/kitchen.sh | 6 +-
 test/fixtures/tf_module/main.tf | 12 +-
 test/integration/kt_suite/controls/default.rb | 16 +-
 test/integration/kt_suite/inspec.yml | 5 +-
 variables.tf | 3 +-
 version | 2 +-
 9 files changed, 142 insertions(+), 71 deletions(-)
diff --git a/.kitchen.yml b/.kitchen.yml
index fd87047..7e19ad8 100644
--- a/.kitchen.yml
+++ b/.kitchen.yml
@@ -2,19 +2,24 @@
 driver:
 name: terraform
 root_module_directory: test/fixtures/tf_module
+ variables:
+ gcloud_project: <%= ENV['GCLOUD_PROJECT'] %>
 provisioner:
 name: terraform
 verifier:
 name: terraform
- groups:
- - name: default
+ systems:
+ -
+ name: default
+ backend: gcp
 controls:
 - instance
-suites:
- - name: kt_suite
- platforms:
- - name: terraform
\ No newline at end of file
+ - name: gcp
+
+suites:
+ -
+ name: kt_suite
diff --git a/Gemfile b/Gemfile
index 07cee20..7cea391 100644
--- a/Gemfile
+++ b/Gemfile
@@ -1,3 +1,5 @@
 source 'https://rubygems.org/' do
- gem 'kitchen-terraform'
-end
\ No newline at end of file
+ gem 'inspec', '~> 2.2.35'
+ gem 'kitchen-google', '~> 1.5'
+ gem 'kitchen-terraform', '~> 4.0.0'
+end
diff --git a/Gemfile.lock b/Gemfile.lock
index d83271e..2882467 100644
--- a/Gemfile.lock
+++ b/Gemfile.lock
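Review bot: `gcloud_project: <%= ENV['GCLOUD_PROJECT'] %>` renders to an empty YAML value when the variable is unset, so a missing export only surfaces later, when Terraform prompts for or rejects `var.gcloud_project`, instead of at kitchen load. `gcloud_project: "<%= ENV.fetch('GCLOUD_PROJECT') %>"` fails immediately with a KeyError that names the variable, and the quotes keep the project id from being reinterpreted by the YAML parser. The only producer of this variable in the patch is bin/kitchen.sh, so a short comment above the line, `# set by bin/kitchen.sh from credentials.json`, would spare the next reader the search.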
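Review bot: `gem 'kitchen-google', '~> 1.5'` is added, but nothing in this patch appears to use it: .kitchen.yml keeps `driver: name: terraform`, and the `backend: gcp` verifier transport comes from train, which the lockfile shows pulling google-api-client and googleauth on its own at 1.4.35. kitchen-google brings gcewinpass and its own google-api-client constraint into the lockfile, so if it is not needed, dropping it keeps the dependency surface smaller; if it is needed for something outside this diff, a one-line comment in the Gemfile saying why would prevent the next cleanup from removing it.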
@@ -3,19 +3,23 @@ GEM specs: addressable (2.5.2) public_suffix (>= 2.0.2, < 4.0) - aws-sdk (2.11.46) - aws-sdk-resources (= 2.11.46) - aws-sdk-core (2.11.46) + aws-sdk (2.11.123) + aws-sdk-resources (= 2.11.123) + aws-sdk-core (2.11.123) aws-sigv4 (~> 1.0) jmespath (~> 1.0) - aws-sdk-resources (2.11.46) - aws-sdk-core (= 2.11.46) - aws-sigv4 (1.0.2) - azure_mgmt_resources (0.16.0) - ms_rest_azure (~> 0.10.0) + aws-sdk-resources (2.11.123) + aws-sdk-core (= 2.11.123) + aws-sigv4 (1.0.3) + azure_graph_rbac (0.17.0) + ms_rest_azure (~> 0.11.0) + azure_mgmt_resources (0.17.0) + ms_rest_azure (~> 0.11.0) builder (3.2.3) coderay (1.1.2) concurrent-ruby (1.0.5) + declarative (0.0.10) + declarative-option (0.1.0) diff-lcs (1.3) docker-api (1.34.2) excon (>= 0.47.0) 
@@ -27,50 +31,68 @@ GEM dry-container (0.6.0) concurrent-ruby (~> 1.0) dry-configurable (~> 0.1, >= 0.1.3) - dry-core (0.4.5) + dry-core (0.4.7) concurrent-ruby (~> 1.0) dry-equalizer (0.2.1) + dry-inflector (0.1.2) dry-logic (0.4.2) dry-container (~> 0.2, >= 0.2.6) dry-core (~> 0.2) dry-equalizer (~> 0.2) - dry-types (0.12.2) + dry-types (0.13.2) concurrent-ruby (~> 1.0) - dry-configurable (~> 0.1) dry-container (~> 0.3) - dry-core (~> 0.2, >= 0.2.1) + dry-core (~> 0.4, >= 0.4.4) dry-equalizer (~> 0.2) + dry-inflector (~> 0.1, >= 0.1.2) dry-logic (~> 0.4, >= 0.4.2) - inflecto (~> 0.0.0, >= 0.0.2) - dry-validation (0.11.1) + dry-validation (0.12.2) concurrent-ruby (~> 1.0) dry-configurable (~> 0.1, >= 0.1.3) dry-core (~> 0.2, >= 0.2.1) dry-equalizer (~> 0.2) dry-logic (~> 0.4, >= 0.4.0) - dry-types (~> 0.12.0) + dry-types (~> 0.13.1) erubis (2.7.0) excon (0.62.0) - faraday (0.15.0) + faraday (0.15.2) multipart-post (>= 1.2, < 3) faraday-cookie_jar (0.0.6) faraday (>= 0.7.4) http-cookie (~> 1.0.0) - ffi (1.9.23) + faraday_middleware (0.12.2) + faraday (>= 0.7.4, < 1.0) + ffi (1.9.25) + gcewinpass (1.1.0) + google-api-client (~> 0.13) + google-api-client (0.19.8) + addressable (~> 2.5, >= 2.5.1) + googleauth (>= 0.5, < 0.7.0) + httpclient (>= 2.8.1, < 3.0) + mime-types (~> 3.0) + representable (~> 3.0) + retriable (>= 2.0, < 4.0) + googleauth (0.6.6) + faraday (~> 0.12) + jwt (>= 1.4, < 3.0) + memoist (~> 0.12) + multi_json (~> 1.11) + os (>= 0.9, < 2.0) + signet (~> 0.7) gssapi (1.2.0) ffi (>= 1.0.1) gyoku (1.3.1) builder (>= 2.1.2) - hashie (3.5.7) + hashie (3.6.0) htmlentities (4.3.4) http-cookie (1.0.3) domain_name (~> 0.5) httpclient (2.8.3) - inflecto (0.0.2) inifile (3.0.0) - inspec (2.1.68) + inspec (2.2.78) addressable (~> 2.4) faraday (>= 0.9.0) + faraday_middleware (~> 0.12.2) hashie (~> 3.4) htmlentities json (>= 1.8, < 3.0) 
@@ -86,36 +108,41 @@ GEM sslshake (~> 1.2) thor (~> 0.20) tomlrb (~> 1.2) - train (~> 1.4) + train (~> 1.4, >= 1.4.35) jmespath (1.4.0) json (2.1.0) - kitchen-inspec (0.23.1) - hashie (~> 3.4) - inspec (>= 0.34.0, < 3.0.0) - test-kitchen (~> 1.6) - kitchen-terraform (3.3.1) + jwt (2.1.0) + kitchen-google (1.5.0) + gcewinpass (~> 1.1) + google-api-client (~> 0.19) + test-kitchen + kitchen-terraform (4.0.0) dry-types (~> 0.9) dry-validation (~> 0.10) - kitchen-inspec (~> 0.18) + inspec (>= 2.2.34, < 3) mixlib-shellout (~> 2.2) - test-kitchen (~> 1.16) + test-kitchen (~> 1.23) little-plugger (1.1.4) logging (2.2.2) little-plugger (~> 1.1) multi_json (~> 1.10) + memoist (0.16.0) method_source (0.9.0) - mixlib-install (3.9.3) + mime-types (3.2.2) + mime-types-data (~> 3.2015) + mime-types-data (3.2018.0812) + mixlib-install (3.11.5) mixlib-shellout mixlib-versioning thor mixlib-log (2.0.4) - mixlib-shellout (2.3.2) + mixlib-shellout (2.4.0) mixlib-versioning (1.2.2) ms_rest (0.7.2) concurrent-ruby (~> 1.0) faraday (~> 0.9) timeliness (~> 0.3) - ms_rest_azure (0.10.6) + ms_rest_azure (0.11.0) concurrent-ruby (~> 1.0) faraday (~> 0.9) faraday-cookie_jar (~> 0.0.6) 
@@ -128,33 +155,44 @@ GEM net-ssh-gateway (1.3.0) net-ssh (>= 2.6.5) nori (2.6.0) + os (1.0.0) parallel (1.12.1) parslet (1.8.2) pry (0.11.3) coderay (~> 1.1.0) method_source (~> 0.9.0) - public_suffix (3.0.2) - rspec (3.7.0) - rspec-core (~> 3.7.0) - rspec-expectations (~> 3.7.0) - rspec-mocks (~> 3.7.0) - rspec-core (3.7.1) - rspec-support (~> 3.7.0) - rspec-expectations (3.7.0) + public_suffix (3.0.3) + representable (3.0.4) + declarative (< 0.1.0) + declarative-option (< 0.2.0) + uber (< 0.2.0) + retriable (3.1.2) + rspec (3.8.0) + rspec-core (~> 3.8.0) + rspec-expectations (~> 3.8.0) + rspec-mocks (~> 3.8.0) + rspec-core (3.8.0) + rspec-support (~> 3.8.0) + rspec-expectations (3.8.1) diff-lcs (>= 1.2.0, < 2.0) - rspec-support (~> 3.7.0) + rspec-support (~> 3.8.0) rspec-its (1.2.0) rspec-core (>= 3.0.0) rspec-expectations (>= 3.0.0) - rspec-mocks (3.7.0) + rspec-mocks (3.8.0) diff-lcs (>= 1.2.0, < 2.0) - rspec-support (~> 3.7.0) - rspec-support (3.7.1) + rspec-support (~> 3.8.0) + rspec-support (3.8.0) rubyntlm (0.6.2) - rubyzip (1.2.1) + rubyzip (1.2.2) semverse (2.0.0) + signet (0.9.1) + addressable (~> 2.3) + faraday (~> 0.9) + jwt (>= 1.5, < 3.0) + multi_json (~> 1.10) sslshake (1.2.0) - test-kitchen (1.21.2) + test-kitchen (1.23.2) mixlib-install (~> 3.6) mixlib-shellout (>= 1.2, < 3.0) net-scp (~> 1.1) @@ -166,18 +204,22 @@ GEM winrm-fs (~> 1.1) thor (0.20.0) timeliness (0.3.8) - tomlrb (1.2.6) - train (1.4.4) + tomlrb (1.2.7) + train (1.4.35) aws-sdk (~> 2) + azure_graph_rbac (~> 0.16) azure_mgmt_resources (~> 0.15) docker-api (~> 1.26) + google-api-client (~> 0.19.8) + googleauth (~> 0.6.2) inifile json (>= 1.8, < 3.0) mixlib-shellout (~> 2.0) net-scp (~> 1.2) - net-ssh (>= 2.9, < 5.0) + net-ssh (>= 2.9, < 6.0) winrm (~> 2.0) winrm-fs (~> 1.0) + uber (0.1.0) unf (0.1.4) unf_ext unf_ext (0.0.7.5) 
@@ -193,7 +235,7 @@ GEM winrm-elevated (1.1.0) winrm (~> 2.0) winrm-fs (~> 1.0) - winrm-fs (1.2.0) + winrm-fs (1.3.0) erubis (~> 2.7) logging (>= 1.6.1, < 3.0) rubyzip (~> 1.1)
@@ -203,7 +245,9 @@ PLATFORMS ruby DEPENDENCIES - kitchen-terraform! + inspec (~> 2.2.35)! + kitchen-google (~> 1.5)! + kitchen-terraform (~> 4.0.0)! BUNDLED WITH - 1.16.1 + 1.16.2
diff --git a/bin/kitchen.sh b/bin/kitchen.sh
index acaebff..779e226 100755
--- a/bin/kitchen.sh
+++ b/bin/kitchen.sh
@@ -1,11 +1,13 @@
 #!/usr/bin/env bash
 # Decrypt sensitive files
+#XXX even encrypted, this is risky IF PRs are allowed to kick off builds
 openssl aes-256-cbc -K $encrypted_cfdeb2eb7efd_key -iv $encrypted_cfdeb2eb7efd_iv -in ci.tar.gz.enc -out ci.tar.gz -d
 # Decompress sensitive files
 tar -zxf ci.tar.gz
 rm ci.tar.gz
+export GCLOUD_PROJECT=$(jq -r '.project_id' credentials.json)
 # Add binaries to bin directory
 mkdir -p vendor/bin
@@ -19,7 +21,7 @@ rm google-cloud-sdk-*-linux-x86_64.tar.gz
 # Authenticate using the credentials.json
 gcloud auth activate-service-account --key-file credentials.json
-gcloud config set project $(jq -r '.project_id' credentials.json)
+gcloud config set project ${GCLOUD_PROJECT}
 gcloud config set compute/zone us-west1-a
 yes | ssh-keygen -f ubuntu -N '' >/dev/null
@@ -31,4 +33,4 @@ KITCHEN_EXIT_CODE=$?
 # cleanup
 rm -Rf credentials.json .env ubuntu*
-exit $KITCHEN_EXIT_CODE
\ No newline at end of file
+exit $KITCHEN_EXIT_CODE
diff --git a/test/fixtures/tf_module/main.tf b/test/fixtures/tf_module/main.tf
index 5d21c4f..5a17857 100644
--- a/test/fixtures/tf_module/main.tf
+++ b/test/fixtures/tf_module/main.tf
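Review bot: `export GCLOUD_PROJECT=$(jq -r '.project_id' credentials.json)` can never fail the build: with `-r` a missing key prints the literal string `null`, and when the decrypt above it did not produce credentials.json (the script has no `set -e`, and the `KITCHEN_EXIT_CODE=$?` capture in the last hunk suggests that is deliberate) the variable is simply empty, so `gcloud config set project ${GCLOUD_PROJECT}` in the second hunk runs with `null` or no argument. Splitting the assignment from the export lets the jq status be checked: `GCLOUD_PROJECT=$(jq -er '.project_id' credentials.json) || { echo 'project_id missing from credentials.json' >&2; exit 1; }` followed by `export GCLOUD_PROJECT`. The `#XXX` comment names the risk of running this on pull-request builds but nothing enforces it; if the CI system exposes a pull-request indicator, an explicit early exit before the openssl line is clearer than relying on the decrypt failing.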
@@ -1,3 +1,13 @@
+variable "gcloud_project" {
+ description = "The name of the GCP project to deploy against."
+}
+
 module "terraform-google-instance" {
- source = "../../.."
+ source = "../../.."
+ ssh_public_key_filepath = "${path.module}/../../../ubuntu.pub"
+}
+
+output "gcloud_project" {
+ description = "The name of the GCP project to deploy against. We need this output to pass the value to tests."
+ value = "${var.gcloud_project}"
 }
diff --git a/test/integration/kt_suite/controls/default.rb b/test/integration/kt_suite/controls/default.rb
index 3f20e40..52d0c7b 100644
--- a/test/integration/kt_suite/controls/default.rb
+++ b/test/integration/kt_suite/controls/default.rb
@@ -1,7 +1,13 @@
+# frozen_string_literal: true
+
+gcloud_project = attribute('gcloud_project', description="The name of the project where resources are deployed. This should be passed to tk via environment vars.")
+
 control "instance" do
- describe command('gcloud compute instances describe database') do
- its('stdout') { should match (/name: database/) }
- its('stdout') { should match (/- key: sshKeys/) }
- its('stdout') { should match (/status: RUNNING/) }
+ describe google_compute_instance(project: "#{gcloud_project}", zone: 'us-west1-a', name: 'database') do
+ its('tag_count'){should eq 2}
+ its('status') { should eq "RUNNING" }
+ its('machine_type') { should match "n1-standard-2" }
+ its('first_network_interface_name'){ should eq "external-nat" }
+ its('disk_count'){should eq 2}
 end
-end
\ No newline at end of file
+end
diff --git a/test/integration/kt_suite/inspec.yml b/test/integration/kt_suite/inspec.yml
index ca249e2..0a09296 100644
--- a/test/integration/kt_suite/inspec.yml
+++ b/test/integration/kt_suite/inspec.yml
@@ -1,2 +1,5 @@
 ---
-name: default
\ No newline at end of file
+name: default
+depends:
+ - name: inspec-gcp
+ url: https://github.com/inspec/inspec-gcp/archive/master.tar.gz
diff --git a/variables.tf b/variables.tf
index 51b6752..e25b8df 100644
--- a/variables.tf
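Review bot: `ssh_public_key_filepath = "${path.module}/../../../ubuntu.pub"` points at a key that exists only because bin/kitchen.sh runs `ssh-keygen -f ubuntu` in the repository root and deletes it again with `rm -Rf ... ubuntu*`, so running the fixture by hand presumably fails on a missing file with no hint why; a comment on that line, `# generated by bin/kitchen.sh (ssh-keygen -f ubuntu); create one locally before running kitchen directly`, would document the dependency. `variable "gcloud_project"` also omits `type`, while `variables.tf` in the same patch declares `type = "string"` for its variable; keeping the two declarations in the same style is a small consistency point.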
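Review bot: `attribute('gcloud_project', description="...")` does not pass a description: in Ruby `description="..."` assigns a local variable named `description` and hands the string to `attribute` as a bare second positional argument, so the option is either silently dropped or rejected depending on how InSpec 2.2 treats a non-Hash there. The keyword form is what is intended: `gcloud_project = attribute('gcloud_project', description: 'The name of the project where resources are deployed. This should be passed to tk via environment vars.')`. On the describe line `project: "#{gcloud_project}"` interpolates a single value into a new string; `project: gcloud_project` is equivalent and does not turn a nil attribute into the string `""`. The zone `us-west1-a` duplicates `gcloud config set compute/zone us-west1-a` in bin/kitchen.sh, so a change there makes this control fail to find the instance; that coupling is worth a one-line comment.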
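Review bot: `url: https://github.com/inspec/inspec-gcp/archive/master.tar.gz` pulls whatever is on the inspec-gcp default branch at test time, so the resource this suite relies on (google_compute_instance and its properties) can change or break with no change in this repository, and the tarball is fetched over the network on every run with nothing to verify it against. Pinning to a release keeps the tests reproducible and turns a dependency upgrade into an explicit, reviewable change: `git: https://github.com/inspec/inspec-gcp.git` with `tag: <PINNED_RELEASE_TAG>` (placeholder), or the archive URL for that tag instead of master. The lockfile already pins inspec itself to 2.2.78; the profile dependency deserves the same treatment.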
+++ b/variables.tf
@@ -1,6 +1,5 @@
 variable "ssh_public_key_filepath" {
 description = "Filepath for the ssh public key"
 type = "string"
-
- default = "ubuntu.pub"
+ default = "ubuntu.pub"
 }
diff --git a/version b/version
index 9ff151c..1474d00 100644
--- a/version
+++ b/version
@@ -1 +1 @@
-v0.1.0
\ No newline at end of file
+v0.2.0