Top testing tools for Terraform

Digger HQ
3 min read · Apr 24, 2024

Integrating robust testing frameworks into infrastructure as code practices is essential for ensuring reliability, security, and compliance. From our experience of speaking to users of Digger, this is on every platform engineer's mind!

This blog dives deep into several sophisticated tools designed for testing Terraform configurations. From Clarity's behavior-driven approach, which uses a standalone binary and Gherkin-style feature files, to Kitchen-Terraform's application of Test Kitchen plugins for operational verification and the specialized focus of Rspec-terraform on module interface stability, these frameworks illustrate the methodologies used for enhancing infrastructure code testing. We also explore Terraform-compliance for security-centric testing and Terratest for its extensive automation capabilities across multiple platforms and services.

But before we dive in

Digger is an open source Terraform Cloud Alternative — aiming to be the default orchestration tool for the automation and collaboration of Terraform/OpenTofu.

Under no circumstances do we think this will be an easy undertaking but with your support, we can make it happen.

The best way to show your support is by starring us on GitHub ⭐, we’d love your thoughts & feedback!

Let’s get back to the article now 👇

Clarity

Clarity is a declarative testing framework tailored for Terraform, designed to facilitate unit testing for infrastructure as code. It operates as a standalone binary, eliminating the need for additional Go code or manual step definitions. Users define tests in a declarative Gherkin-style feature file, making it straightforward to specify behavior-driven development tests for HashiCorp Configuration Language (HCL). Clarity integrates a custom HCL parser and specific matchers to assert conditions directly within Terraform environments. It functions as a wrapper over the Godog framework, inheriting its capabilities to provide Terraform-specific testing steps. It must be executed in the directory containing the Terraform files to operate effectively.

Kitchen-Terraform

Kitchen-Terraform is a set of Test Kitchen plugins that enable the use of Test Kitchen for converging a Terraform configuration and verifying the resulting infrastructure with InSpec controls. This integration allows automated testing of Terraform scripts by applying Test Kitchen’s framework to infrastructure as code. The plugins facilitate the convergence of infrastructure setups using Terraform and then employ InSpec for compliance and security verification of the provisioned systems. This approach ensures that the infrastructure adheres to defined correctness criteria and security standards, leveraging the strengths of both Test Kitchen and Terraform in a unified testing workflow.

Rspec-terraform

Rspec-terraform is a testing framework designed to enhance the development and deployment of reusable Terraform modules by providing a stable, well-defined interface for each module through basic testing. The framework’s aim is to facilitate the smooth creation and sharing of common infrastructure components by ensuring their reliability and interface clarity. Looking ahead, the envisioned two-tiered testing strategy involves using rspec-terraform for unit testing individual Terraform modules — such as AWS VPCs, ASGs, SGs, and subnet configurations — to verify each module’s functionality and exposed interfaces. The second tier, which remains under development, would involve integrating these tested modules into a comprehensive infrastructure platform, potentially using a methodology akin to serverspec for overall system verification.

Terraform-compliance

Terraform-compliance is a lightweight, security- and compliance-focused test framework for Terraform, designed to facilitate negative testing of infrastructure-as-code. It aims to ensure that Terraform code complies with established security protocols and custom standards prior to deployment. This framework supports behavior-driven development (BDD) approaches for IaC, emphasizing preventive measures in coding practices. It is portable, available for installation via pip or Docker, and can be integrated into continuous integration pipelines or hooked into Git to validate code pre-deployment. Terraform-compliance also supports segregation of duties by allowing tests to be maintained in separate repositories, managed by distinct teams.
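The idea of a negative test run before deployment, as an added example (this is not Terraform-compliance's own code or feature-file syntax): a stand-alone Python check over the JSON form of a plan, as produced by `terraform show -json`, that fails when a planned AWS security group exposes SSH to any address. The plan data is constructed, and the function names are hypothetical.

```python
import json

# Constructed sample: trimmed JSON plan, shaped like `terraform show -json` output.
SAMPLE_PLAN = json.loads("""
{"resource_changes": [
  {"address": "aws_security_group.bastion", "type": "aws_security_group",
   "change": {"actions": ["create"], "after": {"ingress": [
     {"protocol": "tcp", "from_port": 22, "to_port": 22, "cidr_blocks": ["0.0.0.0/0"]}]}}},
  {"address": "aws_security_group.app", "type": "aws_security_group",
   "change": {"actions": ["update"], "after": {"ingress": [
     {"protocol": "tcp", "from_port": 0, "to_port": 1024, "cidr_blocks": ["10.0.0.0/8"]}]}}},
  {"address": "aws_security_group.legacy", "type": "aws_security_group",
   "change": {"actions": ["create"], "after": {"ingress": [
     {"protocol": "-1", "from_port": 0, "to_port": 0, "cidr_blocks": null,
      "ipv6_cidr_blocks": ["::/0"]}]}}},
  {"address": "aws_security_group.old", "type": "aws_security_group",
   "change": {"actions": ["delete"], "after": null}}
]}
""")

WORLD = {"0.0.0.0/0", "::/0"}  # "any address" in IPv4 and IPv6


def rule_exposes_port(rule, port):
    """True if an ingress rule lets any address reach `port`."""
    sources = set(rule.get("cidr_blocks") or []) | set(rule.get("ipv6_cidr_blocks") or [])
    if not sources & WORLD:
        return False
    if rule.get("protocol") == "-1":  # "-1" means every protocol and every port
        return True
    return rule.get("protocol") == "tcp" and rule["from_port"] <= port <= rule["to_port"]


def world_open_violations(plan, port=22):
    """Addresses of planned security groups that expose `port` to the world."""
    found = []
    for rc in plan.get("resource_changes", []):
        after = rc["change"].get("after")
        if rc["type"] != "aws_security_group" or after is None:
            continue  # other resource types, or a resource that is being deleted
        if any(rule_exposes_port(r, port) for r in after.get("ingress") or []):
            found.append(rc["address"])
    return found


if __name__ == "__main__":
    bad = world_open_violations(SAMPLE_PLAN)
    print("FAIL:" if bad else "PASS", ", ".join(bad))
    raise SystemExit(1 if bad else 0)  # non-zero exit fails the CI step or Git hook
```

The port-range and all-protocols cases matter: a rule for ports 0 to 1024 or protocol `-1` exposes port 22 without ever naming it.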

Terratest

Terratest is a Go library designed to streamline the writing of automated tests for infrastructure code. It offers a comprehensive suite of helper functions and patterns tailored for a wide range of infrastructure testing tasks. Key features of Terratest include capabilities for testing Terraform code, Packer templates, and Docker images. It facilitates the execution of commands over SSH on servers, and provides utilities for interfacing with cloud service APIs from AWS, Azure, and GCP. Additionally, Terratest supports testing within Kubernetes environments, including working with Kubernetes APIs and testing Helm charts. Other functionalities include making HTTP requests and executing shell commands, enhancing the robustness and scope of infrastructure testing.


Digger is an Open Source OpenTofu and Terraform automation and collaboration tool - https://github.com/diggerhq/digger