Infrastructure Testing & Compliance

Testing and Compliance with Chef and Terraform

Cloud resource provisioning is fast and easy to scale, but in the process of getting everything up and running in a short time, security vulnerabilities are often overlooked. These vulnerabilities usually go undetected until audited, which may happen only a few times a year. When DevOps teams are under constant pressure to increase release velocity, there is a high chance that the software they release into production includes unresolved vulnerabilities. Auditing and fixing all the potential risks can be a slow process.

When done correctly, infrastructure-as-code can greatly simplify provisioning and configuring systems at scale without compromising security. Codifying repeatable processes allows IT teams to manage infrastructure more efficiently and ensure compliance of every IT resource.

Infrastructure as Code to the Rescue (well, partially)

Configuration management and provisioning tools such as Terraform and Chef enable infrastructure automation using the “infrastructure as code” approach. These tools automate the process of infrastructure provisioning, configuration, and maintaining compliance of base systems — VMs and cloud instances — and the applications that run on them.

Chef and Terraform work together to deliver infrastructure automation. Terraform is commonly used by organizations to provision cloud infrastructure using code. Organizations use it to automate cluster deployment in cloud providers like AWS, Google Cloud, or Azure, and Chef offers provisioners and providers for Terraform that can be used to set up how and what runs on those cloud or virtual servers.

Going Beyond Infrastructure as Code with Policy as Code

Policy as code merges infrastructure-as-code and compliance-as-code into a single workflow. Setting company-wide policies for cloud-resource provisioning enables development teams to leverage the power and speed of the cloud and ensure environments are configured correctly and are compliant. Chef’s infrastructure and compliance automation tools allow you to define security and compliance policies using code that is straightforward and human-readable.

Because everything about your systems is outlined in code, policy files can be added to your Git repository for version control and help enforce policies across all the resources in your provisioned environments. Policy as code makes it easier to manage IT resources while maintaining compliance irrespective of scale.

Policy as code can also be applied in the context of provisioning tools like Terraform. You can leverage Terraform in local development, in your automated pipelines, or in runtime environments. Terraform uses descriptive files to define system resources, and Chef InSpec can be used with Terraform in two different ways to confirm compliance:

  • Audit provisioned infrastructure: When developing Terraform code for repos, Chef InSpec can be used to verify that resources have been provisioned/updated to match the tested and approved criteria.
  • Terraform code declaration: Chef InSpec can be used for test-driven development to declare the infrastructure configuration, and Terraform can be used to provision resources accordingly. In this way, Terraform manages provisioning while InSpec ensures the provisioned resources meet the organization’s policy requirements.

Drive Cloud Security with Chef’s Pre-Built Compliance Policies for Terraform

Consider the following example to understand how Chef and Terraform work together. It’s based on the template for a basic two-tier AWS architecture.

In this example, Terraform is used to create the environment by running terraform apply, and then a stateless NGINX server is configured behind an Elastic Load Balancer on AWS. We’ll extend this example to demonstrate how you can eliminate manual testing. The detailed explanation and documentation are available on GitHub.

For some tests, Chef needs data from Terraform. The best hand-over at this point is to use Terraform output variables. These are variables that can be added to the system environment and made available for Chef. Define the variables you need as an output in Terraform, such as this AWS example:

output "vpc_id" { value = "${}" }

Terraform has a neat built-in command-line feature that creates a JSON file with the output you’ll use in the next step:

$ terraform output --json > test/verify/files/terraform.json

These steps allow you to use any data from Terraform in Chef InSpec. You’re now ready to provision the infrastructure and run InSpec checks afterward.
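As an added illustration (not code from the original post or from Chef's own example repository), here is a plain-Ruby helper of the kind that lives in an InSpec profile's libraries/ directory: it parses the file written by terraform output --json into a simple name-to-value map, drops sensitive outputs by default so they cannot leak into a compliance report, and fails loudly when a control asks for an output Terraform never produced. The JSON document and its values are constructed for the example, not real AWS identifiers.

```ruby
require 'json'

# Constructed sample of what `terraform output --json` emits for the
# two-tier example; names and values are made up for this illustration.
SAMPLE_TERRAFORM_JSON = <<~TFJSON
  {
    "vpc_id":  { "sensitive": false, "type": "string", "value": "vpc-0example" },
    "elb_dns": { "sensitive": false, "type": "string", "value": "demo-elb.example.com" },
    "db_pass": { "sensitive": true,  "type": "string", "value": "not-a-real-secret" }
  }
TFJSON

module TerraformOutputs
  class MissingOutput < StandardError; end

  # Flatten the {name => {"value" => ...}} shape into {name => value}.
  # Sensitive outputs are skipped unless explicitly allowed, so a secret
  # does not end up in an InSpec report by accident.
  def self.parse(json_text, allow_sensitive: false)
    raw = JSON.parse(json_text)
    raw.each_with_object({}) do |(name, attrs), out|
      next if attrs['sensitive'] && !allow_sensitive
      out[name] = attrs['value']
    end
  end

  # Read the file produced by `terraform output --json > test/verify/files/terraform.json`.
  def self.load(path, **opts)
    parse(File.read(path), **opts)
  end

  # Fetch one output and fail if it is absent: a control that silently
  # tests against nil would pass vacuously instead of catching drift.
  def self.fetch(outputs, name)
    outputs.fetch(name) { raise MissingOutput, "Terraform output '#{name}' not found" }
  end
end

# How a control would use it (InSpec DSL, runs under `inspec exec`, not plain Ruby):
#   outputs = TerraformOutputs.parse(inspec.profile.file('terraform.json'))
#   control 'vpc-exists' do
#     describe aws_vpc(TerraformOutputs.fetch(outputs, 'vpc_id')) do
#       it { should exist }
#     end
#   end
```

Passing allow_sensitive: true is the explicit opt-in for the rare control that genuinely needs a sensitive value, and it should be the exception rather than the default.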

Originally published at on March 18, 2022.



Chef is automation software for continuous delivery of secure applications and infrastructure. An industry leader in DevOps and DevSecOps trusted by thousands.
