Test Driven Infrastructure on GCP

Testing Google Cloud using InSpec

Many by now have heard of Test Driven Development, where tests are written first, and then the code. Some may even know Infrastructure As Code, where we can craft our entire infrastructure using code.

Combining these two gives us Test Driven Infrastructure: we write tests that inspect our actual infrastructure, and we are free to choose whatever method gets us to the desired state, whether manually through a web console or with popular provisioning tools such as CloudFormation (AWS only), Ansible, or Terraform.

InSpec has recently added support for testing cloud resources in Azure, AWS, and GCP. In this article I explore creating a Kubernetes cluster on Google Cloud and testing it with InSpec.

First we’ll start with a simple test…

Installing The Tools

For this tutorial you will need to fetch the following tools:

You’ll have to create a Google Cloud account and authorize your system to use the Google Cloud tools:

Mac OS X (now macOS) users using Homebrew can grab all of these by creating a small brew bundle:

cat <<-"EOF" > Brewfile
tap 'chef/chef'
cask 'inspec'
cask 'google-cloud-sdk'
brew 'terraform'
EOF

brew bundle --verbose

To make sure google-cloud-sdk and inspec tools are working, we can try the following:

inspec detect -t gcp://

== Platform Details

Name:      gcp
Families:  cloud, api
Release:   google-cloud-v

Creating the Tests

Now we need to create a small code structure for our tests for a future cluster we’ll call guestbook:

inspec init profile guestbook-profile
touch attributes.yml
# inspec init generates controls/example.rb; rename it for our cluster test
mv guestbook-profile/controls/example.rb \
  guestbook-profile/controls/cluster_test.rb

This should create a structure like this:

.
├── attributes.yml
└── guestbook-profile
    ├── README.md
    ├── controls
    │   └── cluster_test.rb
    ├── inspec.lock
    ├── inspec.yml
    └── libraries

Assuming that you have configured access to GCP with Google Cloud SDK, we can initialize an attributes file used for this test with the following command:

# The delimiter is left unquoted so the shell expands $(gcloud ...) before writing the file
cat <<-EOF > attributes.yml
project_name: $(gcloud config list --format 'value(core.project)')
cluster_region: us-east1
cluster_name: guestbook
EOF

We also want to configure this profile to use GCP:

cat <<-"EOF" > guestbook-profile/inspec.yml
name: guestbook-profile
title: InSpec Profile
maintainer: MuadDib
copyright: MuadDib
copyright_email: khaderach@spice.arrakis
license: MIT
summary: InSpec GCP Cluster Demo
version: 0.1.0
depends:
  - name: gcp-resources
    url: https://github.com/inspec/inspec-gcp/archive/master.tar.gz
supports:
  - platform: gcp
EOF

Now that we have our environment created, it is time to craft a small test for our cluster by editing cluster_test.rb:

Now we can test this:

inspec exec guestbook-profile -t gcp:// --attrs attributes.yml

This will of course fail, as we have yet to set up our cluster:

Profile: InSpec Profile (guestbook-profile)
Version: 0.1.0
Target:  gcp://764086051850-6gn4p6qla6lp506wb8ikvt83di341hur.apps.googleusercontent.com

  ×  gcp-1: Check Guestbook Cluster
     ×  Cluster guestbook
     The resource "projects/arrakis-dune" was not found.

Profile: Google Cloud Platform Resource Pack (inspec-gcp)
Version: 0.2.0
Target:  gcp://764086051850-6gn4p6qla6lp506wb8ikvt83di341hur.apps.googleusercontent.com

     No tests executed.

Profile Summary: 0 successful controls, 1 control failure, 0 controls skipped
Test Summary: 0 successful, 1 failure, 0 skipped

Creating the Cluster

Now let’s create a cluster using Terraform. Create a file called cluster.tf with this content:

We will need to initialize some environment variables to use in creating this cluster:

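# Terraform reads TF_VAR_<name> environment variables as input variables
export TF_VAR_project="$(gcloud config list\
   --format 'value(core.project)'
)"
export TF_VAR_region="us-east1"
export TF_VAR_user="admin"
# Demo value; a real password belongs in a secret store, not in shell history
export TF_VAR_password="m8XBWrg2zt8R8JoH"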

We’ll need to initialize the Terraform environment, which downloads the provider plug-in for Google Cloud:

terraform init

Now we can run these commands to look at what we will create and then to create the cluster:

terraform plan  # inspect changes that will be made
terraform apply # apply these changes to create cloud resources

Voilà! We have our cluster.

Running the tests

Now we can run our tests:

inspec exec guestbook-profile -t gcp:// --attrs attributes.yml

This will have results like this:

Profile: InSpec Profile (guestbook-profile)
Version: 0.1.0
Target:  gcp://764086051850-6gn4p6qla6lp506wb8ikvt83di341hur.apps.googleusercontent.com

  ✔  gcp-1: Check Guestbook Cluster
     ✔  Cluster guestbook should exist
     ✔  Cluster guestbook name should eq "guestbook"
     ✔  Cluster guestbook status should eq "RUNNING"
     ✔  Cluster guestbook master_auth.username should eq "admin"
     ✔  Cluster guestbook network should eq "default"
     ✔  Cluster guestbook subnetwork should eq "default"
     ✔  Cluster guestbook initial_node_count should eq 3

Profile: Google Cloud Platform Resource Pack (inspec-gcp)
Version: 0.2.0
Target:  gcp://764086051850-6gn4p6qla6lp506wb8ikvt83di341hur.apps.googleusercontent.com

     No tests executed.

Profile Summary: 1 successful control, 0 control failures, 0 controls skipped
Test Summary: 7 successful, 0 failures, 0 skipped
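
The fail-then-pass cycle can be checked by a script instead of by eye. The following is an added example, not code from the original article: it reads InSpec's JSON report (inspec exec ... --reporter json) and treats a run as green only when at least one control ran and none failed. The report text is a constructed sample modelled on the failing run shown earlier, and the helper names are hypothetical.

```ruby
require 'json'

# Constructed sample in the shape of `inspec exec ... --reporter json` output,
# modelled on the failing run above (cluster not created yet).
SAMPLE_REPORT = <<~'JSON'
  {"profiles": [
    {"name": "guestbook-profile",
     "controls": [
       {"id": "gcp-1", "title": "Check Guestbook Cluster",
        "results": [
          {"status": "failed", "code_desc": "Cluster guestbook",
           "message": "The resource \"projects/arrakis-dune\" was not found."}
        ]}
     ]},
    {"name": "inspec-gcp", "controls": []}
  ]}
JSON

# Hypothetical helper: a control fails if any result failed, passes if at
# least one result passed, and is otherwise :skipped (it verified nothing).
def control_status(control)
  statuses = control.fetch('results', []).map { |r| r['status'] }
  return :failed if statuses.include?('failed')
  return :passed if statuses.include?('passed')
  :skipped
end

# Hypothetical helper: flatten every profile's controls into one list and
# decide whether the run is green. An empty run is never green.
def summarize(report_json)
  profiles = JSON.parse(report_json).fetch('profiles', [])
  controls = profiles.flat_map do |profile|
    profile.fetch('controls', []).map do |control|
      failures = control.fetch('results', [])
                        .select { |r| r['status'] == 'failed' }
                        .map { |r| "#{r['code_desc']}: #{r['message']}" }
      { profile: profile['name'], id: control['id'],
        status: control_status(control), failures: failures }
    end
  end
  green = !controls.empty? && controls.all? { |c| c[:status] == :passed }
  { controls: controls, green: green }
end

summary = summarize(SAMPLE_REPORT)
summary[:controls].each do |c|
  puts "#{c[:status]} #{c[:id]} #{c[:failures].join('; ')}"
end
puts summary[:green] ? 'GREEN' : 'RED'
```

Requiring at least one executed control keeps a run that tested nothing, such as a mistyped profile path, from being read as a verified cluster.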

And there we have it, we have tests to verify our GCP resource, whether we use Terraform, GCloud SDK, Ansible, or some other method.
