Terraform + InSpec for automated Infra as Code testing

- 2 mins

Our Infra structure CI / CD pipeline is a key enabler for us failing fast, controlling releases to environments, delivering with agility, ensuring parity between environments. The typical steps include: linting, Terraform validate, plan and apply.

We often face issues with Terraform apply passing and changes being promoted to higher environments, but the cloud account not being in the desired state – “Null Resources” try to avoid them at all costs (not idempotent). Manual testing is also slow and painful. We are also aspiring to Continuous Deployment for infrastructure as code – we need tests to achieve this.

After a brief investigation we discovered a few approaches:

We concluded in using InSpec because:

What did we do:

   inspec detect -t azure://
   inspec vendor test –overwrite
   inspec exec test -t azure://$(AZURE_SUBSCRIPTION_ID) –attrs test/fixtures/development.yml
describe azurerm_virtual_network(resource_group: resource_group, name: vnet_name) do
    it { should exist }
    its(‘location’) { should eq ‘ukwest’ }
    its(‘type’) { should eq ‘Microsoft.Network/virtualNetworks’ }

In my opinion, we are not using this in force, but it’s a great first step to validating our Terraform code and can be used for security compliance. The next steps are to look into CIS benchmark implementations in InSpec.

~ Robert

Robert Northard

Robert Northard

If it compiles it works!

rss facebook twitter github youtube mail spotify lastfm instagram linkedin google google-plus pinterest medium vimeo stackoverflow reddit quora