hashicorp / terraform

Terraform enables you to safely and predictably create, change, and improve infrastructure. It is a source-available tool that codifies APIs into declarative configuration files that can be shared amongst team members, treated as code, edited, reviewed, and versioned.
https://www.terraform.io/

Terraform infrastructure validator #11092

Closed dmlb2000 closed 7 years ago

dmlb2000 commented 7 years ago

It would be nice to have a resource validation feature that runs serverspec (http://serverspec.org/) or other infrastructure validation software that would verify the set of resources built and connected the way you want them in your configuration.

vancluever commented 7 years ago

@dmlb2000 not too sure if this helps you 100%, but I was curious so I did the 5 min customary google, and found kitchen-terraform - might want to check it out!

dmlb2000 commented 7 years ago

@vancluever that's close but that means building a chef cookbook for your infrastructure and not everyone does that with terraform. I could see folks using serverspec against any method of deploying infrastructure not just chef.

I also realize the terraform guys seem like they are pretty busy with the number of tickets they have, so I'm not expecting traction on this very soon... just figured I'd put in the thought.

mitchellh commented 7 years ago

This has been brought up and I'm supportive of the abstract idea. I think this would be better built on top of Terraform as it currently stands rather than being built into Terraform itself.

You can also simulate much of it using provisioners. If a provisioner fails it will halt the apply and taint the resource. If you have to depend on multiple resources, using a null_resource with a provisioner is possible.

dmlb2000 commented 7 years ago

@mitchellh not sure how this idea would be built on top of terraform, as a new resource I can though...

So, right now I currently use terraform to bring up the infrastructure from a given git repository with all the config in it. I then use terraform output to pull out the various IP addresses or names that I need to touch to make sure the infrastructure is working. I then copy that information over to my serverspec repository and then run serverspec against those resources.

There are some duplicate issues that terraform is handling that I also have to handle again in my serverspec repository.

First is using the ssh bastion host: terraform could take care of transferring the serverspec to a temporary directory on the bastion host and running serverspec from there; I'm doing this manually currently.

Second is that just because the provisioner completes doesn't mean the service is quite working as expected. I often have to figure out why part of the infrastructure didn't quite work after the provisioner was done. Since terraform thought it was successful (when it really wasn't) I have to tear things down and start over from that service.

Some more information, I've got access to my serverspec git repository from anywhere so is there a combination of using the null_resource and maybe a local-exec resource that I can't seem to find yet and link everything up with dependencies that I'm not seeing? What I'd like to have happen is that terraform run the serverspec specific bits for that part of the infrastructure when it completes provisioning and then move onto the rest of the plan.

dmlb2000 commented 7 years ago

Okay some of those questions are rhetorical as I think that might work.

Yeah, for those that stumble onto this, using a null_resource (https://www.terraform.io/docs/provisioners/null_resource.html) would be able to copy a script over to the remote bastion host, then you can run whatever from there... git checkout, run ruby to invoke serverspec to validate that part of the infrastructure, then have the other resources depend on your null_resource and you should be good... If I'm reading this right.
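The null_resource pattern sketched in this comment, written out as an added example (not code from the issue or from Terraform itself). It assumes current HCL syntax, resources named `aws_instance.bastion`, `aws_instance.app` and `aws_lb_target_group.app`, a `var.ssh_private_key_path` variable, a local `serverspec/` directory whose `spec_helper.rb` reads `TARGET_HOST` (as the `serverspec-init` template does), and that the bastion can already SSH to the private hosts.

```hcl
# Added example: run serverspec from the bastion against a freshly built host,
# and make downstream resources depend on the result. All names are assumed.

resource "null_resource" "validate_app" {
  # Re-run the check whenever the instance it validates is replaced.
  triggers = {
    app_instance_id = aws_instance.app.id
  }

  # Connect to the bastion itself; serverspec reaches the app host from there.
  connection {
    type        = "ssh"
    host        = aws_instance.bastion.public_ip
    user        = "ubuntu"
    private_key = file(var.ssh_private_key_path)
  }

  # Copy the spec suite into a temporary directory on the bastion.
  provisioner "file" {
    source      = "${path.module}/serverspec/"
    destination = "/tmp/serverspec"
  }

  # A non-zero exit from rspec fails the apply and taints this null_resource,
  # so the apply stops before anything that depends on it is created.
  provisioner "remote-exec" {
    inline = [
      "cd /tmp/serverspec && bundle install --quiet",
      "cd /tmp/serverspec && TARGET_HOST=${aws_instance.app.private_ip} bundle exec rspec --fail-fast",
      "rm -rf /tmp/serverspec",
    ]
  }
}

# Only register the host for traffic once it has passed validation.
resource "aws_lb_target_group_attachment" "app" {
  target_group_arn = aws_lb_target_group.app.arn
  target_id        = aws_instance.app.id
  depends_on       = [null_resource.validate_app]
}
```

Because a failed provisioner taints only `null_resource.validate_app`, the next `terraform apply` re-runs the validation rather than rebuilding the instance, which addresses the "tear down and start over" problem described earlier in the thread.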

vancluever commented 7 years ago

@dmlb2000 just a note - Test-Kitchen can be used for more than just Chef... it's mainly the provisioner that matters there. I'm not too sure 100% what's needed to remove Chef from the process completely, but I know that they have Puppet and Ansible provisioners as well, so it should be possible to install the test-kitchen gem and give it a go.

The gem does seem to have examples too, so you could give them a test run yourself to see if cookbooks really are required.

ghost commented 4 years ago

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.