I recently implemented a couple of GitLab pipelines and wanted to add Chef InSpec tests for the AWS resources created in the earlier pipeline steps. I used the inspec/inspec-aws repository for this and thought I would write it up for my followers.
First, I installed InSpec on the operating system. Since I used this in one of the pipelines with Ubuntu as the base image, the installation below is for Ubuntu. The command below installs the InSpec package on the OS.
curl https://omnitruck.chef.io/install.sh | bash -s -- -P inspec
The full installation instructions are in the Chef documentation.
After a successful installation of the Chef InSpec library, I initialized an InSpec profile named “aws-resources” with the command below. It produced the code generation output shown below.
inspec init profile aws-resources

If this is the first time you run an InSpec command, it will prompt you to accept the license; accept it to create the profile. To automate the license acceptance in my pipeline, I set the “CHEF_LICENSE” environment variable to “accept-no-persist”. Otherwise InSpec waits for user input and the pipeline breaks.
The profile command creates a folder with the given name containing a basic control file and an inspec.yml file.

I modified the “inspec.yml” file as below. Here I want to show how a profile accepts an input, which is useful in many scenarios: my InSpec profile accepts the “DEV_BUCKET” variable as an input, declares the “inspec-aws” repository as a dependency, and sets the supported platform to “aws”.
Here is my “inspec.yml” file:
name: aws-resources
title: InSpec Profile
maintainer: Aruna Lakmal
copyright: TechCrumble
copyright_email: aruna.lakmal@tc.io
license: Apache-2.0
summary: An InSpec Compliance Profile
version: 0.1.0
depends:
  - name: inspec-aws
    url: https://github.com/inspec/inspec-aws/archive/v1.21.0.tar.gz
supports:
  platform: aws
attributes:
  - name: bucketname
    description: "S3 bucket name"
    required: true
    value: $DEV_BUCKET
    type: string
I also added a couple of controls to check the AWS resources, as below.
# Read the bucket name passed in via the profile input
bucketname = attribute('bucketname')

control "AWS S3" do
  impact 0.7
  title "Check AWS Backend S3 Buckets"
  describe aws_s3_bucket(bucket_name: bucketname) do
    it { should exist }
    it { should_not be_public }
  end
end

control "AWS EC2" do
  impact 0.9
  title "Check AWS EC2 Node Count"
  describe aws_ec2_instances do
    its('instance_ids.count') { should cmp 4 }
  end
end

control "AWS EC2 AMI" do
  impact 0.9
  title "Check AWS EC2 Instance AMI"
  # One describe block per instance found in the account/region
  aws_ec2_instances.instance_ids.each do |instance_id|
    describe aws_ec2_instance(instance_id) do
      it { should_not have_roles }
      its('key_name') { should cmp 'ironman' }
      its('image_id') { should eq 'ami-0a887e401f7654935' }
    end
  end
end

control "AWS Security Group" do
  impact 0.9
  title "Check Security Group Availability"
  describe aws_security_group(group_name: 'tc_kubeadm_sg') do
    it { should exist }
  end
end

control "SSH Access" do
  impact 0.8
  title "Check Security Group Access for SSH"
  describe aws_security_group(group_name: 'tc_kubeadm_sg') do
    it { should allow_in(port: 22, ipv4_range: '0.0.0.0/0') }
  end
end
The above InSpec controls perform the following tests:
- Check that the given S3 bucket (provided as an input) exists and is not public
- Check the EC2 node count
- Check the AMI, key pair and roles of each EC2 instance
- Check that the security group exists
- Check the inbound SSH (port 22) rule of the security group
Before running the InSpec tests, provide AWS credentials either as environment variables or in a properly populated ~/.aws/credentials file, and make sure ~/.aws/config sets the relevant region.
To run the InSpec tests locally, use the command below with your bucket name:
inspec exec aws-resources -t aws:// --input bucketname="s3_bucket_name"
If you created a separate GitHub repository for the InSpec profile, you can run the checks directly from it as below:
inspec exec https://github.com/ArunaLakmal/inspec-profile-aws-tc-k8s.git -t aws:// --input bucketname="s3_bucket_name"
After the tests execute, the final results are output as shown below.
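To act on those results in a pipeline rather than reading them by eye, here is an added Ruby script (my example, not part of the original post or the inspec-aws project) that reads the report produced by `--reporter json`, tallies each control, and lists the controls worth failing the job on. The report content is constructed for the example; the control ids and impacts are those of the profile above.

```ruby
require 'json'

# Constructed sample of an `inspec exec ... --reporter json` report, trimmed to the fields
# read below; control ids and impacts mirror the aws-resources profile, the rest is made up.
SAMPLE_REPORT = <<~JSON
  {
    "profiles": [ { "name": "aws-resources", "controls": [
      { "id": "AWS S3", "impact": 0.7, "results": [
        { "status": "passed", "code_desc": "S3 Bucket dev-bucket is expected to exist" },
        { "status": "failed", "code_desc": "S3 Bucket dev-bucket is expected not to be public",
          "message": "expected `public?` to be falsey, got true" } ] },
      { "id": "AWS EC2", "impact": 0.9, "results": [
        { "status": "passed", "code_desc": "EC2 Instances instance_ids.count is expected to cmp == 4" } ] },
      { "id": "AWS EC2 AMI", "impact": 0.9, "results": [] },
      { "id": "AWS Security Group", "impact": 0.9, "results": [
        { "status": "skipped", "code_desc": "Security Group tc_kubeadm_sg", "skip_message": "skipped" } ] }
    ] } ]
  }
JSON

# Tally the results of every control in every profile of the report.
# Returns { control_id => { impact:, passed:, failed:, skipped:, messages: [...] } }.
def summarize_controls(report_json)
  summary = {}
  JSON.parse(report_json).fetch('profiles', []).each do |profile|
    profile.fetch('controls', []).each do |control|
      counts = Hash.new(0)
      messages = []
      control.fetch('results', []).each do |r|
        counts[r['status']] += 1
        messages << "#{r['code_desc']}: #{r['message']}" if r['status'] == 'failed'
      end
      summary[control['id']] = { impact: control['impact'].to_f, passed: counts['passed'],
                                 failed: counts['failed'], skipped: counts['skipped'],
                                 messages: messages }
    end
  end
  summary
end

# Controls at or above min_impact that either had a failing test or produced no results
# at all. The second case matters for "AWS EC2 AMI": if the `each` loop over instance ids
# finds zero instances, no describe block runs, so nothing was actually verified.
def failing_controls(summary, min_impact: 0.0)
  summary.select do |_, c|
    c[:impact] >= min_impact && (c[:failed] > 0 || (c[:passed] + c[:failed] + c[:skipped]).zero?)
  end.keys
end
```

Save a real report with `--reporter cli json:inspec.json`, then call `failing_controls(summarize_controls(File.read('inspec.json')), min_impact: 0.8)` in the pipeline and fail the job when the returned list is not empty.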

I hope this is useful for anyone looking to implement a similar set of Chef InSpec tests for AWS resources.