newcontext-oss / kitchen-terraform

Test Kitchen plugins for testing Terraform configurations
https://github.com/newcontext/kitchen-terraform
Apache License 2.0

Add Examples of InSpec AWS Backend and Kitchen Configuration #263

Open jaloren opened 6 years ago

jaloren commented 6 years ago

I recently upgraded from terraform kitchen 3.3 to kitchen 4.0. This meant that I could use inspec aws resources (which is great). However, I ran into some difficulties due to sparse documentation around how to use the aws backend and what one should put in the kitchen.yml.

I'd like to submit a PR that adds documentation with this info. However, I am not sure of the appropriate place for this doc. If someone could point me to a place, I'll whip up some markdown.

ncs-alane commented 6 years ago

Hi @jaloren.

Thank you for your interest in the project!

Have you reviewed the updated verifier plugin documentation? It discusses each of the configuration attributes that may be of use depending on the systems under test.

The InSpec AWS documentation may also be of use.

jaloren commented 6 years ago

@ncs-alane I have and that's very helpful but it didn't actually address the problem I had. So here's what the verifier documentation says about backends:

The value of the backend key is a scalar which is used to select the InSpec backend for connections to the system.

The scalar must match the name of one of the available backends.

So then I went to the inspec backend url provided in the above documentation. That page only mentions this about backends:

-b, --backend=BACKEND
Choose a backend: local, ssh, winrm, docker.

Which led me to believe that the only available backends for doing AWS resource testing were either local or SSH. Neither of those backends worked. I finally decided to attach the pry debugger and trace through the code and discovered that the connection implementation is this gem:

https://www.rubydoc.info/gems/train/1.4.31/Train/Transports

And then I saw the AWS transport. Once I switched the backend to AWS, everything started working. It's this information about inspec backends and how that affects what inspec resources may use that would have been super helpful here.

ncs-alane commented 6 years ago

I agree that isn't very intuitive. I try to avoid duplicating documentation of the other systems associated with Kitchen-Terraform but it appears that some of the InSpec documentation has not been updated to reflect the latest features. The Using InSpec 2.0 on Cloud Platforms article offers some more details, but it doesn't specifically acknowledge that the platforms being discussed are valid backends.

Do you think that a clarification that InSpec backends and platforms are the same thing and a link to the additional article is sufficient enough to provide guidance for other users?

henrydobson commented 6 years ago

None of the existing examples currently feature aws backends. To avoid duplicating docs, some examples might be enough for the community. I would love to see an example with some dependencies and mixed backends (aws, ssh) as I'm finding it difficult to resolve the issues I have with the docs as they don't have enough context.

BensamV commented 5 years ago

Kitchen Terraform Example for testing aws resources via backend aws https://github.com/BensamV/kitchen-terraform-aws

wyardley commented 5 years ago

Similarly, I've had to do: bundle exec inspec exec -t gcp:// test/integration/default

I have tried setting backend: gcp in both verifier and platforms => verifier, but can't seem to make it work. Is there a way to do this so that it runs terraform locally, but verifies using inspec's gcp provider?

aaron-lane commented 5 years ago

@wyardley: backend needs to be set on a per system basis. Please check the documentation for more details: https://www.rubydoc.info/github/newcontext-oss/kitchen-terraform/Kitchen/Verifier/Terraform#label-backend
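
A kitchen.yml showing the per-system backend setting discussed in this thread, with one system on the aws backend and one on ssh. It is added here as an example and is not taken from the thread or from the project's own files; the fixture path, Terraform output name, control names, user and key path are assumptions.

```yaml
# Added example: Kitchen-Terraform 4.x configuration with mixed InSpec backends.
# Paths, output names and control names below are hypothetical.
driver:
  name: terraform
  root_module_directory: test/fixtures/default   # hypothetical fixture module

provisioner:
  name: terraform

verifier:
  name: terraform
  systems:
    # API-level checks. The aws backend is what makes InSpec AWS resources
    # (aws_vpc, aws_security_group, ...) usable in the controls; no host is
    # contacted. Credentials are deliberately not set in this file: they are
    # assumed to come from the AWS SDK's usual environment variables or
    # shared credentials file, so no secret is committed with the config.
    - name: aws_api
      backend: aws
      controls:
        - network_layout          # hypothetical control names
        - security_group_rules

    # On-host checks. The ssh backend connects to every address found in the
    # named Terraform output and runs host-level controls there.
    - name: bastion
      backend: ssh
      hosts_output: bastion_public_dns   # hypothetical Terraform output
      user: ubuntu                       # assumed login user of the image
      key_files:
        - test/assets/key_pair           # hypothetical test-only key
      controls:
        - sshd_hardening                 # hypothetical control name

platforms:
  - name: terraform

suites:
  # Assumes the InSpec profile lives in test/integration/default.
  - name: default
```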

wyardley commented 5 years ago

@aaron-lane: I think I tried that. I only have one “system” (that is, I’m not connecting to any systems or running any local tests; just verifying resources via the API, which I assume is “local” in the sense that it’s not doing remote execution). Also, those docs don’t list gcp or aws as valid options? Backend corresponds to the -b flag, so I’m not sure this will work for -t gcp://? I don’t see a “target” option in the config docs (unless it applies to a different resource)?

aaron-lane commented 5 years ago

@wyardley: My understanding is that InSpec's target flag is just a convenience wrapper which combines the backend flag, the user flag, the password flag, the host flag, and the port flag, so using it should not provide any different behaviour than specifying each of those flags separately, which is essentially what Kitchen-Terraform does.

Based on the documentation of inspec-gcp, the project has not yet been incorporated into InSpec and must be explicitly included in the appropriate InSpec profile file before it will work.

Can you share the Kitchen configuration file of your project?