In my previous article, I provided a simple example of mocking an AWS resource using localstack, and testing with the python terraform-compliance module. In this example, I will provide a more extensive example using kitchen-terraform and terraform-compliance to deploy the following resources in AWS us-east-1 and us-west-2 regions.
To begin this example, you will need the following:
Next, we need to set up a Python3 virtual environment, activate the environment and install the python terraform-compliance module.
Now, we need to create a projects directory and download the sample code from github.
Now we are ready to run our tests, by executing the ‘execute_kitchen_terraform.sh’ file.
This script will perform the following functions:
1. Install bundler
2. Install required gems
3. Create public and private key pair
4. Initialize terraform project
5. Test terraform plan output against terraform-compliance features
6. Execute kitchen test suite
This script will begin by checking if bundler is installed, and then installing the necessary ruby gems.
Next the script will test if the public/private keypair exists in the test/assets directory, if not, it will create the key pair.
Next, the script will test the terraform project, using the python terraform-compliance module, and features located in test/features.
The script begins by testing if the terraform project has been initialized, and if not, initializing the project.
After terraform initialization, the script will execute ‘terraform plan’ and output the plan in json format. It will then test the terraform output against the features in the test directory.
You may be asking, why do we need both terraform-compliance features and kitchen-terraform fixtures for our testing? The purpose of terraform-compliance features is to have a repository of global, enterprise-level features and tests, which get applied to all projects. For example, the test displayed above will test security groups, so only ports 22 and 443 are open. No other ports should be open in the security group.
The kitchen-terraform fixtures and tests are designed for unit testing a single terraform project, and are not to be applied to every terraform project.
Continuing with the script execution, the script will now run the kitchen-terraform tests. It begins by attempting to destroy any existing terraform state in the applicable region.
The script will then initialize the terraform working directory and select a new terraform workspace.
The next step in the script is to run the ‘kitchen converge’. This step will converge the platforms in the kitchen.yml file.
Finally, the script will execute ‘kitchen verify’ to test the deployed project against the test suite.
The last step in the script is the ‘kitchen destroy’. This will destroy all AWS resources instantiated for the test.
Now the scripts will perform the same steps with ubuntu instances in us-west-2 region.
In summary, I hope you have enjoyed this four-part series regarding infrastructure testing. While these articles only covered specific situations and scenarios for infrastructure testing and deployments, I hope it causes your organization to open a discussion about the future direction of infrastructure testing and standards.