Terraform IaaC Compliance testing

Deepak Selvakumar
4 min read · Mar 29, 2023

Terraform is the de facto tool for infrastructure provisioning, used to automate provisioning with any cloud provider. It uses the HCL syntax developed by HashiCorp to write the declarations for the infrastructure.

Terraform configuration can also be kept in a version control tool such as GitHub, which makes it much easier to trace the history of changes to the infrastructure. Any user in an organisation can use these configurations to provision and maintain the infrastructure. Hence, more importance is given to analysing Terraform config and testing its compliance against cloud best practices.

There are various static analysis tools for Terraform, such as Checkov and Terrascan. Another tool, terraform-compliance, lets users write custom tests/rules for their infrastructure-as-code configuration. It is a lightweight compliance testing framework for your infrastructure as code.

terraform-compliance lets users define policies for their infra using BDD principles: simple English sentences define the policies. A simple policy could be that an IBM Cloud VSI must always carry a user tag, or must always use strong encryption algorithms.

Requirements:
python 3.x
terraform

Steps to install
pip install terraform-compliance

To start testing the Terraform code, we need to create a file where the BDD-based policies are defined. This file is called a feature file, has a .feature extension, and contains the scenarios we want to evaluate against our infra code in Terraform.

Let's go over the steps for creating this feature file along with an example.

Every policy, i.e. the feature file, will have 3 components.

  • Feature
  • Scenario/Scenario Outline
  • Steps

Feature defines the overall idea of the policy/feature file.

Eg: You know your infra needs well, and your application will only need a certain capacity even at peak usage. You can define a policy that allows creation of VSIs only with certain profiles in IBM Cloud.

Feature: Allow only balanced profiles
Scenario: Ensure that VSI can be created only with balanced profile family

Here we are defining the specific use case for the policy.

Every Scenario is followed by multiple steps, which use the keywords
GIVEN, WHEN, THEN, AND

In our example, within the scenario to limit the VSI profile, we will have the following steps.

Given I have ibm_is_instance resource configured
Then it must contain profile
And its value must match the "bx2-2x8|bx2-4x16|bx2-8x32" regex

This feature will evaluate the infrastructure as code to find whether it complies with the policy defined above, allowing only balanced profiles for creating VSIs in IBM Cloud.

Save this in a feature file named profile.feature.

The terraform-compliance tool needs a plan output or state file to run the feature file tests against. So let's first create the plan output.

Place the feature files in a directory, say ./compliance/feature/files.

Define the resource ibm_is_instance with the balanced profile bx2-2x8.

Run the Terraform command terraform plan -out=plan.out

Now we can run the feature file against the plan output:

terraform-compliance -f ./compliance -p plan.out

This is the result when the Terraform code complies with the user-defined policy of using only balanced profiles while creating VSIs. As the VSI is defined with the balanced profile bx2-2x8, the terraform-compliance test completed successfully with no errors.

Now let's try to create another ibm_is_instance resource with a very high memory profile, e.g. vx2d-2x28.

Now when we run the same test against the new plan.out, we see some errors.

We can add a second scenario to the same feature file, thus extending the test case to other resources. For example, we can add a similar scenario to restrict profiles for dedicated host resources. The entire feature could look like this:

Feature: Allow only balanced profiles
Scenario: Ensure that VSI can be created only with balanced profile family
Given I have ibm_is_instance resource configured
Then it must contain profile
And its value must match the "bx2-2x8|bx2-4x16|bx2-8x32" regex
Scenario: Ensure that Dedicated Hosts can be created only with balanced profile family
Given I have ibm_is_dedicated_host resource configured
Then it must contain profile
And its value must match the "bx2-host-152x608|bx2d-host-152x608" regex

And when the Terraform code complies with this test, we see the results.

This way we can define multiple scenarios under a feature, and multiple feature files, to express various custom compliance policies.
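To make the Given/Then/And steps of both scenarios above concrete, here is an added Python illustration (not terraform-compliance's own code) of the same checks applied to the JSON form of a plan, which Terraform produces with terraform show -json plan.out. The plan document below is constructed, not real IBM Cloud provider output, and the last function shows why the profile alternation is safer written with anchors: an unanchored prefix match would also accept a value such as bx2-2x80.

```python
import json
import re

# Constructed sample in the shape of `terraform show -json plan.out` output
# (not real IBM Cloud provider output): two VSIs and one dedicated host.
PLAN_JSON = json.dumps({"planned_values": {"root_module": {"resources": [
    {"address": "ibm_is_instance.web", "type": "ibm_is_instance",
     "values": {"name": "web", "profile": "bx2-2x8"}},
    {"address": "ibm_is_instance.db", "type": "ibm_is_instance",
     "values": {"name": "db", "profile": "vx2d-2x28"}},
    {"address": "ibm_is_dedicated_host.h1", "type": "ibm_is_dedicated_host",
     "values": {"name": "h1", "profile": "bx2-host-152x608"}},
]}}})

# The two scenarios of profile.feature, as resource type -> (attribute, regex).
POLICIES = {
    "ibm_is_instance": ("profile", r"bx2-2x8|bx2-4x16|bx2-8x32"),
    "ibm_is_dedicated_host": ("profile", r"bx2-host-152x608|bx2d-host-152x608"),
}


def planned_resources(module):
    """Yield every planned resource, descending into child modules."""
    yield from module.get("resources", [])
    for child in module.get("child_modules", []):
        yield from planned_resources(child)


def evaluate(plan_json, policies=POLICIES):
    """Return [(address, reason)] for each resource that violates its policy."""
    root = json.loads(plan_json)["planned_values"]["root_module"]
    failures = []
    for res in planned_resources(root):
        if res["type"] not in policies:
            continue                      # Given I have <type> resource configured
        attr, pattern = policies[res["type"]]
        value = res.get("values", {}).get(attr)
        if value is None:                 # Then it must contain profile
            failures.append((res["address"], f"missing {attr}"))
        elif not re.fullmatch(pattern, value):   # And its value must match ... regex
            failures.append((res["address"], f"{attr}={value!r} not allowed"))
    return failures


def unanchored_accepts(pattern, value):
    """True when a prefix match (re.match) would accept the value although a
    full match does not, e.g. 'bx2-2x80' against the alternation in POLICIES."""
    return bool(re.match(pattern, value)) and not re.fullmatch(pattern, value)
```

Running evaluate(PLAN_JSON) reports only ibm_is_instance.db, whose vx2d-2x28 profile is outside the balanced family, while the dedicated host passes its own scenario.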
