Automatically running tests when AWS Stack is build


#1

Not sure how unique of a scenario this is, but I'll try and explain the best I can.

Essentially at my company we use AWS CloudFormation to built Stacks to work on. Chef then provisions the software onto the stacks and downloads everything we need. I have been tasked with building InSpec tests for this newly built infrastructure to ensure that they are all configured properly after the Chef run has finished.

I have built the tests locally and I can use SSH to run the tests remotely. However, is there a way I can add the InSpec to Chef so that I don't have to run them remotely? I.e I want the tests to run automatically when the stack is built so that my colleagues won't moan that they have to run another command to run the tests!

Do I have to add the tests to a cookbook or something like that? I am new to Chef and InSpec so please forgive me if this is a really stupid question. If you need an extra clarity, please let me know. Thanks in advance.


#2

There is the chef audit cookbook which I think is exactly what you are asking for. https://github.com/chef-cookbooks/audit


#3

Add the audit cookbook to your run list

From my mobile ...

Bradley Corner


#4

@calebwhitt You should of course have decent inspec test coverage in the chef cookbooks themselves first, it sounds like you maybe already do.

The audit cookbook that was mentioned will allow you to run compliance profiles and report results back to Chef Automate and if you're looking to generate some compliance controls based on your CFN stacks, maybe this is useful to you:


#5

I need to start working on the docs and other issues, but the InSpec-Iggy plugin supports CloudFormation and will generate coverage for the AWS resources specified in your CFN template.

https://github.com/inspec/inspec-iggy/#icg

I need to put together an example of taking the CFN JSON, creating the profile, uploading it to Automate, and creating a scan job for that via the API. The end result would be automatic scans of your CFN infrastructure.


#6

Yep. This is exactly what we need. Thanks