Test your Azure infrastructure compliance with InSpec

This article is part of the http://aka.ms/applied-cloud-stories initiative.

With the rapid development of DevOps processes and increasingly diverse IaC (Infrastructure as Code) tools, cloud infrastructures can be deployed and provisioned very quickly and with optimal automation.

The problem that often occurs in these deployments is that automation does not guarantee compliance with requirements, whether security or functional.
And so, just as unit tests and integration tests are coded and automated for applications, it is also necessary to code and automate tests on the infrastructure in order to verify that:

  • The deployed infrastructure corresponds to the architecture and company specifications
  • Security policies are properly applied

To write these tests, there are many tools, and you can use any development language that allows you to interact with your cloud provider.
For Azure you can use, for example, the Azure CLI or the Azure PowerShell cmdlets.
For PowerShell there is a library dedicated to these Azure tests: Pester.

The problem (in my opinion) with these tools is that they often require a lot of lines of code and are agnostic of the cloud provider (here Azure) and of the language.

So I became interested in another tool, InSpec, and we will see how to use it to test an Azure infrastructure.

What is InSpec

InSpec is an open source command-line tool, provided by Chef, which is an audit and automated testing framework for integration, compliance and security.
It does not require learning a new language, just knowing how to write the desired state of infrastructure resources.

With InSpec we can test the compliance of remote machines (OS and data) and, since InSpec 2.0, cloud infrastructure such as Azure and AWS (through their APIs) and, since version 3, GCP resources.

InSpec installation and Azure Cloud Shell

Requirement: The only requirement for InSpec is to have Ruby (> 2.3) installed.

InSpec can be installed in several ways:

  • Manually from the download page
  • With the gem package manager or by script; all the scripts are located on GitHub

[Screenshot: inspec command line]

Since May 2018, Microsoft has integrated InSpec into the Azure Cloud Shell, which provides a direct connection using your authentication.

[Screenshot: inspec in Azure Cloud Shell]

The InSpec Azure Resource Pack

Since v2, InSpec has supported cloud testing, adding some Azure libraries to test virtual machines and disks; all other resources had to be tested with the azure_generic_resource library.

Since version 2.2.7 of InSpec, we can use a package of InSpec libraries that use the Azure RM API and make it possible to test any Azure resource.

Based on this improvement, the InSpec team created an Azure resource pack that contains many libraries for testing a wide range of Azure resources, such as:

  • Azure users
  • Azure Key Vault
  • Azure Monitor
  • Azure network (Vnet, Subnet)
  • Azure SQL Server
  • Azure Storage
  • Azure Virtual Machine
  • …

The complete list of available resources is in the InSpec documentation.

Configure InSpec for Azure

Before writing tests for your Azure infrastructure, we need to create an Azure Service Principal that has the Reader permission on the Azure resources.

To create this Azure Service Principal we can use the Azure portal or the Azure CLI command:

az ad sp create-for-rbac --name="<Sp name>" --role="Reader" --scopes="/subscriptions/<subscription Id>"

This command returns your 3 credentials:

  • The client ID (Application Id)
  • The client Secret
  • The Tenant ID

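Then export these values in the following environment variables on your machine:

  • AZURE_SUBSCRIPTION_ID => Subscription ID
  • AZURE_CLIENT_ID => SP Client ID
  • AZURE_CLIENT_SECRET => SP Client Secret
  • AZURE_TENANT_ID => Tenant ID

By script with the export command, or by using an .envrc file (keep that file out of version control, since it holds the client secret):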

export AZURE_SUBSCRIPTION_ID="<Subscription ID>"
export AZURE_CLIENT_ID="<Client Id>"
export AZURE_CLIENT_SECRET="<Client Secret>"
export AZURE_TENANT_ID="<Tenant Id>"

Writing InSpec tests

The InSpec profile file

After InSpec installation and authentication configuration, we can start to use InSpec.
The first step is to create the tests folder structure and the InSpec profile, which defines some metadata and the InSpec configuration.

To create the structure and the profile, execute the command:

inspec init profile my-azureTests

This command creates a new folder “my-azureTests” with all the artifacts needed for InSpec tests:

  • controls (tests)
  • libraries
  • the profile file inspec.yml with some default metadata

Then we adapt this profile file with our own metadata and add the information for the Azure resource pack.

[Screenshot: InSpec profile with Azure pack]

The important pieces of information are inspec_version: '>= 2.2.7' and the depends section with the URL of the InSpec Azure resource pack.

After updating the profile file we can write tests…

The tests controls

All tests are located in the controls folder and are written in Ruby files (.rb) with a very simple syntax.
To illustrate this article we will write tests to check one resource group, one virtual machine and one subnet.

In the controls folder, create the file “resourcegroup.rb” with this content:

[Screenshot: InSpec Azure check of the resource group]

This test checks that the resource group named MyResourceGroup exists.

For the check of the virtual machine, create the file “vm.rb” with this sample content:

[Screenshot: InSpec Azure check of the VM]

The sample VM test above checks:

  • that my VM ‘prod-web-01’ exists in the specified resource group
  • some extension properties
  • the region (location)
  • the size of the VM
  • that the OS type is Linux
  • that the number of data disks equals 1

For the subnet tests, add the file “subnet.rb” with this sample content:

[Screenshot: InSpec Azure check of the subnet]

The subnet control above checks:

  • that the subnet “subnet-web” exists in the vnet “vnet-prod”
  • the address prefix of the subnet is equal to
  • that the subnet is attached to the network security group “my-nsg”

Here I show only 3 examples of Azure resources; the complete list of Azure resources available in the InSpec pack is in the InSpec documentation.
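
The profile file and the three controls described above, written out by a small shell function. This is an added example, not the author's original files, whose listings did not survive on this page. It assumes the inspec-azure pack's azurerm_* resources; the pack archive URL and the dotted properties.* paths are assumptions, and the extension name, location, VM size and address prefix are constructed values.

```shell
#!/bin/sh
# Added example: write the profile and controls described in the article.
# Values marked "constructed" are not from the article; adjust them to your design.
write_profile() {
  dir="$1"
  mkdir -p "$dir/controls" || return 1
  # Profile metadata: minimum InSpec version and the Azure resource pack dependency.
  # The archive URL is an assumption; pin the release you have reviewed.
  cat > "$dir/inspec.yml" <<'EOF'
name: my-azureTests
title: Azure infrastructure compliance tests
version: 0.1.0
inspec_version: '>= 2.2.7'
depends:
  - name: inspec-azure
    url: https://github.com/inspec/inspec-azure/archive/master.tar.gz
supports:
  - platform: azure
EOF
  cat > "$dir/controls/resourcegroup.rb" <<'EOF'
control 'azure-resource-group' do
  describe azurerm_resource_groups do
    its('names') { should include 'MyResourceGroup' }
  end
end
EOF
  cat > "$dir/controls/vm.rb" <<'EOF'
control 'azure-vm' do
  describe azurerm_virtual_machine(resource_group: 'MyResourceGroup', name: 'prod-web-01') do
    it { should exist }
    its('installed_extensions_names') { should include 'LogAnalytics' } # constructed
    its('location') { should eq 'westeurope' } # constructed
    its('properties.hardwareProfile.vmSize') { should eq 'Standard_DS2_v2' } # constructed
    its('properties.storageProfile.osDisk.osType') { should eq 'Linux' }
    its('data_disk_names.count') { should eq 1 }
  end
end
EOF
  cat > "$dir/controls/subnet.rb" <<'EOF'
control 'azure-subnet' do
  describe azurerm_subnet(resource_group: 'MyResourceGroup', vnet: 'vnet-prod', name: 'subnet-web') do
    it { should exist }
    its('address_prefix') { should eq '10.0.1.0/24' } # constructed
    its('nsg') { should eq 'my-nsg' }
  end
end
EOF
}
# Usage: write_profile my-azureTests && inspec exec my-azureTests -t azure://
```

Each control maps one line of the written specification to one assertion, so a failed `its(...)` line in the report points directly at the drifted property.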

Execute InSpec tests

After writing the InSpec tests, we need to execute them to check the compliance of my Azure infrastructure.

Before running your tests, don’t forget to set the environment variables for your Azure credentials, as in the section “Configure InSpec for Azure” above.

To run these tests, open a terminal in the root of your main directory and execute the inspec exec command:

inspec exec <folder path of the inspec.yml> -t azure://

As an example with my InSpec tests, I execute the command:

inspec exec inspec-tests/integration/ -t azure://

The output of this execution is a list of passed and failed tests, e.g.:

[Screenshot: InSpec tests execution]

Now with this, I can fix my Azure infrastructure and re-run the InSpec tests until all the tests go green, exactly as in the TDD test methodology.

This article is the first of a series about InSpec for Azure; we talked about how to test an Azure infrastructure with InSpec. In the next article I will show how I test a large Azure infrastructure with multiple resources and multiple environments with InSpec.




I am a DevOps Technical Manager and Microsoft MVP

Mikael Krief