Making use of Google InSpec Cloud Resource

Chef InSpec is an open-source testing framework for infrastructure with human as well as machine-readable language for specifying compliance and security policy requirements. Chef InSpec compares the actual state of your system with the desired state expressed as easy-to-read and easy-to-write code. It detects violations and provides detailed reports that offers insights for remediation. 

Chef InSpec has over 500 ready-to-use resources, that include AWS, Azure and GCP (Google Cloud Platform) cloud resources.   

Setting up the Environment

Install Chef Workstation  

Chef Workstation is a collection of developer tools that enable devices in your fleet to interact securely with the Chef Server. It includes Chef Knife, Chef InSpec, Cookstyle, Chef Habitat, and Test Kitchen. Additionally, it includes Ruby and other dependencies, so you don’t have to install anything else to get started with all the Chef tools.    

Chef InSpec is an open-source framework for testing and auditing your applications and infrastructure. Chef InSpec works by comparing the actual state of your system with the desired state that you express in easy-to-read and easy-to-write Chef InSpec code. Chef InSpec detects violations and displays findings in the form of a report but puts you in control of remediation. 

The GCP InSpec resource pack uses the native Google Cloud Platform (GCP) support in InSpec and provides the required resources to write tests for GCP.

Prerequisites:

InSpec GCP resources require a GCP client ID and secret. The easiest way to set up the credentials is via the Google SDK. Install and configure the GCP SDK by downloading the SDK and running the installation via ./google-cloud-sdk/install.sh. Once installed, we are ready to gather the credentials:

Create credentials file:

$ gcloud auth application-default login

When you enter above command there will be few sets of questions where you need to enter details like project_id, type of user, etc. Which will be later populated in application_default_credentials.json

While InSpec can use user accounts for authentication, Google Cloud documentation recommends using service accounts. 

The default name of the credentials file will be
application_default_credentials.json

cat ~/.config/gcloud/application_default_credentials.json 

"client_id": "764086051850
6qr4p6gpi6h.apps.googleusercontent.com", 
"client_secret": "d-FL95Q19q7MQmFpd7hHD0Ty", 
"quota_project_id": "pprdadhan", 
"refresh_token": "1//0g1qk7yeYcl4JCgYIARAAGBASNwF-
L9IraCi6MyOa", 
"type": "authorized_user" 


If you are a first-time GCP user, you may be required to enable GCP APIs like Compute Engine API or Kubernetes Engine API. 

Verify the GCP access with $inspec detect -t gcp://

GCP access
    

Create a new GCP profile:

To create a new profile, use inspec init profile command

$ inspec init profile gcp-example-profile

Update inspec.yml file:

name: gcp-example-profile
title: InSpec Profile
maintainer: Akshay
copyright: Akshay
copyright_email: akshay@chef.com
license: Apache-2.0
summary: An InSpec Compliance Profile
version: 0.1.0
depends: 
  - name: gcp-resources
    url: https://github.com/inspec/inspec-
gcp/archive/master.tar.gz
supports:
  platform: gcp

Edit or add a new control file based on your specific requirement.

title ‘InSpec Profile&rsquo

PROJECT_NUMBER = attribute('project_number', description: 'gcp
project number')

control 'gcp-1' do
  impact 0.7
  title 'Check development project'
  describe google_project(project: PROJECT_NUMBER) do
    it { should exist }
    its('name') { should eq 'ppradhan' }
    its('project_number') { should cmp PROJECT_NUMBER }
    its('lifecycle_state') { should eq 'ACTIVE' }
  end
end


As a best practice, adding variable values in the attributes file are always a good idea.  

For example, you create an attributes.yml that includes the project_number as a value and passes the attribute value to the control file.

project_number: 165434197229

This control file checks if the project ‘ppradhan’ exists and is in an Active state by providing project_ID as a key attribute value. 

To check for any syntax error, enter the command

$ cookstyle -

To check Syntax error


To run the checks against your google account, execute your InSpec profile with google as the target provider.

inspec exec . -t gcp:// --input-file attributes.yml

InSpec Profile


If you do not wish to use the attributes file and want to hardcode the value within the control file, use the command $inspec exec . -t gcp://

InSpec is a fast and easy tool that can help you implement and automate compliance as code.  With support for different platforms, InSpec enables organizations to use one tool for compliance testing throughout their infrastructure landscape. To conclude, it enables continuous testing   using a CI pipeline so that any changes to your (Google) cloud infra are tested in a non-prod environment and then promoted to production.
Tags:

Akshay Parvatikar

Akshay Parvatikar is a Manager of Technical Marketing at Progress. With a career of over ten years and a bachelor's degree in Engineering, Akshay has worked in various roles such as solution engineering, customer consulting, and business development in web performance for Telecom and the e-commerce industry.