Test your Azure infrastructure compliance with InSpec
This article is part of the http://aka.ms/applied-cloud-stories initiative.
With the rapid development of DevOps processes and the growing diversity of IaC (Infrastructure as Code) tools, cloud infrastructures can be deployed and provisioned very quickly and with a high degree of automation.
The problem that often occurs in these deployments is that automation does not by itself guarantee that the result meets the functional requirements and the security requirements.
So, just as unit tests and integration tests are coded and automated for applications, it is also necessary to code and automate tests on the infrastructure in order to verify that:
- the deployed infrastructure matches the architecture and the company's specifications
- the security policies are properly applied
To write these tests there are many tools, and you can use any development language that lets you interact with your cloud provider.
For Azure you can use, for example, the Azure CLI or the Azure PowerShell cmdlets.
For PowerShell there is a library dedicated to these Azure tests, which is Pester.
The problem (in my opinion) with these tools is that they often require many lines of code and are specific to one cloud provider (here Azure) and one language.
So I became interested in another tool, InSpec, and we will see how to use it to test an Azure infrastructure.
What is InSpec
InSpec is an open source command-line tool from Chef that provides an auditing and automated testing framework for integration, compliance and security.
It does not require learning a new language, just knowing how to describe the desired state of the infrastructure resources.
With InSpec we can test the compliance of remote machines (OS and data) and, since InSpec 2.0, cloud infrastructure such as Azure and AWS (through their APIs) and, since version 3, GCP resources.
InSpec installation and Azure Cloud Shell
Requirement: the only requirement for InSpec is to have Ruby (> 2.3) installed.
InSpec can be installed in several ways:
Since May 2018, Microsoft has integrated InSpec into the Azure Cloud Shell, which gives it a direct connection with your existing authentication.
The InSpec Azure Resource Pack
Since v2, InSpec has supported cloud testing by adding some Azure libraries to test Virtual Machines and Disks; all other resources had to be tested with the azure_generic_resource library.
Since InSpec 2.2.7, we can use a package of InSpec libraries that call the Azure RM API and make it possible to test any Azure resource.
Based on this improvement, the InSpec team created an Azure resource pack that contains many libraries to test a wide range of Azure resources, such as:
- Azure users
- Azure Key Vault
- Azure Monitor
- Azure network (Vnet, Subnet)
- Azure Sql Server
- Azure Storage
- Azure Virtual Machine
The complete list of available resources is in the InSpec documentation.
Configure InSpec for Azure
Before writing tests for your Azure infrastructure, we need to create an Azure Service Principal that has the Reader permission on the Azure resources. Reader is enough: InSpec only reads the state of the resources, so the Service Principal does not need any write permission.
To create this Service Principal we can use the Azure portal or the Azure CLI command:
az ad sp create-for-rbac --name "<SP name>" --role "Reader" --scopes "/subscriptions/<subscription Id>"
This command returns your 3 credential values:
- The client ID (Application Id)
- The client Secret
- The Tenant ID
Then export these values in the following environment variables on your machine:
- AZURE_SUBSCRIPTION_ID => Subscription ID
- AZURE_CLIENT_ID => SP Client ID
- AZURE_CLIENT_SECRET => SP Client Secret
- AZURE_TENANT_ID => SP Tenant ID
by a script with the export command, or by using a .envrc file (keep that file out of source control, since it contains the client secret):
export AZURE_SUBSCRIPTION_ID="<Subscription ID>"
export AZURE_CLIENT_ID="<Client Id>"
export AZURE_CLIENT_SECRET="<Client Secret>"
export AZURE_TENANT_ID="<Tenant Id>"
Writing InSpec tests
The InSpec profile file
After installing InSpec and configuring the authentication we can start to use InSpec.
The first step is to create the tests folder structure and the InSpec profile, which defines some metadata and the InSpec configuration.
To create the structure and the profile, execute the command:
inspec init profile my-azureTests
This command creates a new folder "my-azureTests" with all the necessary artifacts for InSpec tests:
- controls (the tests)
- the profile file inspec.yml with some default metadata
Then we adapt and update this profile file with our own metadata, adding the information of the Azure resource pack.
The important entries are inspec_version: '>= 2.2.7' and the depends section with the URL of the InSpec Azure resource pack.
After updating the profile file we can write tests…
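A complete inspec.yml for the profile created above, as an added example and not the author's own file: the name, title and maintainer values are placeholders, and the depends entry assumes the resource pack is fetched from its GitHub archive.

```yaml
# inspec.yml for the profile created with `inspec init profile my-azureTests`
name: my-azureTests
title: Azure infrastructure compliance tests      # placeholder metadata
maintainer: <your name>
copyright: <your name>
license: Apache-2.0
summary: Controls for one resource group, one virtual machine and one subnet
version: 0.1.0

# The Azure resource pack needs InSpec 2.2.7 or newer
inspec_version: '>= 2.2.7'

# Pull the Azure resource pack so that azure_* resources are available in controls
# (URL assumed: the master archive of the inspec-azure repository)
depends:
  - name: inspec-azure
    url: https://github.com/inspec/inspec-azure/archive/master.tar.gz
```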
The test controls
All tests are located in the controls folder and are written in Ruby files (.rb) with a very simple syntax.
To illustrate this article we will write tests that check one resource group, one virtual machine and one subnet.
In the controls folder, create the file "resourcegroup.rb" with this content:
This test checks that the resource group named MyResourceGroup exists.
To check the virtual machine, create the file "vm.rb" with this sample content:
The above VM test checks:
- that my VM 'prod-web-01' exists in the specified resource group,
- some extension properties,
- the region (location),
- the size of the VM,
- that the OS type is Linux,
- that the number of data disks is equal to 1.
For the subnet tests, add the file "subnet.rb" with this sample content:
The above subnet control checks:
- that the subnet "subnet-web" exists in the vnet "vnet-prod",
- that the address prefix of the subnet is equal to 192.168.0.0/24,
- that the subnet is attached to the network security group "my-nsg".
Here I show only 3 examples of Azure resources; the complete list of all the Azure resources available in the InSpec pack is in the InSpec documentation.
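The three control files described above (resourcegroup.rb, vm.rb and subnet.rb), written here as an added example and not the author's original files. The region, the VM size and the monitoring-agent matcher are assumptions; the resource names come from the text. These are InSpec controls (Ruby DSL) evaluated by `inspec exec` against the subscription, not by a plain Ruby interpreter.

```inspec
# controls/resourcegroup.rb
control 'azure-rg-1' do
  impact 1.0
  title 'The resource group MyResourceGroup must exist'
  describe azure_resource_group(name: 'MyResourceGroup') do
    it { should exist }
  end
end

# controls/vm.rb
control 'azure-vm-1' do
  impact 1.0
  title 'prod-web-01 must match the approved build'
  describe azure_virtual_machine(resource_group: 'MyResourceGroup', name: 'prod-web-01') do
    it { should exist }
    # Extension check: matcher assumed from the Azure resource pack
    it { should have_monitoring_agent_installed }
    its('location') { should eq 'westeurope' }                              # assumed region
    its('properties.hardwareProfile.vmSize') { should eq 'Standard_B2s' }    # assumed size
    its('properties.storageProfile.osDisk.osType') { should eq 'Linux' }
    its('properties.storageProfile.dataDisks.count') { should eq 1 }
  end
end

# controls/subnet.rb
control 'azure-subnet-1' do
  impact 1.0
  title 'subnet-web must use the expected prefix and be protected by my-nsg'
  describe azure_subnet(resource_group: 'MyResourceGroup', vnet: 'vnet-prod', name: 'subnet-web') do
    it { should exist }
    its('address_prefix') { should eq '192.168.0.0/24' }
    its('nsg') { should eq 'my-nsg' }
  end
end
```

A subnet without an NSG, or a VM whose size or OS drifts from the approved build, shows up as a failed control in the run output instead of being discovered by hand.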
Execute InSpec tests
After writing the InSpec tests, we need to execute them to check the compliance of my Azure infrastructure.
Before running your tests, don't forget to set the environment variables of your Azure credentials as described in the section "Configure InSpec for Azure" above.
To run these tests, open a terminal in the root of your main directory and execute the InSpec exec command:
inspec exec <folder path of the inspec.yml> -t azure://
As an example with my InSpec tests:
I execute the command
inspec exec inspec-tests/integration/ -t azure://
The output of this execution is the list of passed and failed tests, e.g.:
Now with this I can fix my Azure infrastructure and re-run the InSpec tests until they are all green, exactly like the test methodology of TDD.
In this article, which is the first of a series about InSpec for Azure, we talked about how to test an Azure infrastructure with InSpec; in the next article I will show how I test a large Azure infrastructure with many resources and multiple environments with InSpec.