Upgrade Terraform version pins for integration testing (#2968)
* Update terraform to 0.11.7 (latest) and aws plugin to 1.14; upgrade plugins on test startup * TF route table resource doesn't export associations or routes attributes. Which we weren't using anyway. * Downgrade to aws plugin 1.13 to avoid TF panic; suppress deprecation warning for aws_region * Fix incoherent attribute combination on cloudtrail * Add -auto-approve to suppress interactive confirmation * Update version pinning for AWS minimal account * Use a plan file in AWS runs * Pin azure TF run to 0.11 and 1.3; also an autoformatter pass on the TF code. Signed-off-by: Clinton Wolfe <clintoncwolfe@gmail.com>
This commit is contained in:
parent
768dde71a7
commit
340b6eb4b4
7 changed files with 55 additions and 59 deletions
1
.gitignore
vendored
1
.gitignore
vendored
|
@ -33,3 +33,4 @@ profile-1.0.0.tar.gz
|
|||
terraform.tfstate*
|
||||
terraform.tfstate.backup
|
||||
inspec-azure.plan
|
||||
inspec-aws-*.plan
|
||||
|
|
8
Rakefile
8
Rakefile
|
@ -105,10 +105,10 @@ namespace :test do
|
|||
abort("You must set the environment variable AWS_REGION") unless ENV['AWS_REGION']
|
||||
puts "----> Checking for required AWS profile..."
|
||||
sh("aws configure get aws_access_key_id --profile inspec-aws-test-#{account} > /dev/null")
|
||||
sh("cd #{integration_dir}/build/ && terraform init")
|
||||
sh("cd #{integration_dir}/build/ && terraform init -upgrade")
|
||||
sh("cd #{integration_dir}/build/ && terraform workspace new #{tf_workspace}")
|
||||
sh("cd #{integration_dir}/build/ && AWS_PROFILE=inspec-aws-test-#{account} terraform plan")
|
||||
sh("cd #{integration_dir}/build/ && AWS_PROFILE=inspec-aws-test-#{account} terraform apply")
|
||||
sh("cd #{integration_dir}/build/ && AWS_PROFILE=inspec-aws-test-#{account} terraform plan -out inspec-aws-#{account}.plan")
|
||||
sh("cd #{integration_dir}/build/ && AWS_PROFILE=inspec-aws-test-#{account} terraform apply -auto-approve inspec-aws-#{account}.plan")
|
||||
Rake::Task["test:aws:dump_attrs:#{account}"].execute
|
||||
end
|
||||
|
||||
|
@ -158,7 +158,7 @@ namespace :test do
|
|||
tf_workspace = args[:tf_workspace] || ENV['INSPEC_TERRAFORM_ENV']
|
||||
abort("You must either call the top-level test:azure task, or set the INSPEC_TERRAFORM_ENV variable.") unless tf_workspace
|
||||
puts '----> Setup'
|
||||
sh("cd #{integration_dir}/build/ && terraform init")
|
||||
sh("cd #{integration_dir}/build/ && terraform init -upgrade")
|
||||
sh("cd #{integration_dir}/build/ && terraform workspace new #{tf_workspace}")
|
||||
|
||||
# Generate Azure crendentials
|
||||
|
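Review bot: The new `terraform plan -out` / `terraform apply` lines at L68 and L71, like the `terraform workspace new` lines at L59 and L101, interpolate `account` and `tf_workspace` into a single shell string handed to `sh`, and the second hunk shows `tf_workspace` comes from task args or the `INSPEC_TERRAFORM_ENV` variable, so a value containing shell metacharacters is executed rather than passed to terraform as an argument. Rake's `sh` also takes the argument-array form, which skips the shell entirely and, assuming the Rake in use forwards spawn options, can carry the working directory: `sh("terraform", "workspace", "new", tf_workspace, chdir: "#{integration_dir}/build/")`, and likewise `sh({ "AWS_PROFILE" => "inspec-aws-test-#{account}" }, "terraform", "plan", "-out", "inspec-aws-#{account}.plan", chdir: "#{integration_dir}/build/")`. A smaller point: `terraform init -upgrade` on every run re-resolves providers against the version constraints at test time, which is only reproducible where the constraint is exact, as the AWS fixtures' `= 1.13.0` is; a floating constraint such as the Azure `~> 1.3` will pick up whatever is newest. Both task bodies start and end outside the hunks shown.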
|
|
@ -1,9 +1,9 @@
|
|||
terraform {
|
||||
required_version = "~> 0.10.0"
|
||||
required_version = "~> 0.11.0"
|
||||
}
|
||||
|
||||
provider "aws" {
|
||||
version = "= 1.1"
|
||||
version = "= 1.13.0"
|
||||
}
|
||||
|
||||
data "aws_caller_identity" "creds" {}
|
||||
|
@ -12,10 +12,8 @@ output "aws_account_id" {
|
|||
value = "${data.aws_caller_identity.creds.account_id}"
|
||||
}
|
||||
|
||||
data "aws_region" "region" {
|
||||
current = true
|
||||
}
|
||||
data "aws_region" "current" {}
|
||||
|
||||
output "aws_region" {
|
||||
value = "${data.aws_region.region.name}"
|
||||
value = "${data.aws_region.current.name}"
|
||||
}
|
||||
|
|
|
@ -71,7 +71,7 @@ resource "aws_iam_role_policy" "cloud_watch_logs_role_policy" {
|
|||
"logs:CreateLogStream"
|
||||
],
|
||||
"Resource": [
|
||||
"arn:aws:logs:${data.aws_region.region.name}:${data.aws_caller_identity.creds.account_id}:log-group:${aws_cloudwatch_log_group.trail_1_log_group.name}:log-stream:${data.aws_caller_identity.creds.account_id}_CloudTrail_${data.aws_region.region.name}*"
|
||||
"arn:aws:logs:${data.aws_region.current.name}:${data.aws_caller_identity.creds.account_id}:log-group:${aws_cloudwatch_log_group.trail_1_log_group.name}:log-stream:${data.aws_caller_identity.creds.account_id}_CloudTrail_${data.aws_region.current.name}*"
|
||||
]
|
||||
},
|
||||
{
|
||||
|
@ -81,7 +81,7 @@ resource "aws_iam_role_policy" "cloud_watch_logs_role_policy" {
|
|||
"logs:PutLogEvents"
|
||||
],
|
||||
"Resource": [
|
||||
"arn:aws:logs:${data.aws_region.region.name}:${data.aws_caller_identity.creds.account_id}:log-group:${aws_cloudwatch_log_group.trail_1_log_group.name}:log-stream:${data.aws_caller_identity.creds.account_id}_CloudTrail_${data.aws_region.region.name}*"
|
||||
"arn:aws:logs:${data.aws_region.current.name}:${data.aws_caller_identity.creds.account_id}:log-group:${aws_cloudwatch_log_group.trail_1_log_group.name}:log-stream:${data.aws_caller_identity.creds.account_id}_CloudTrail_${data.aws_region.current.name}*"
|
||||
]
|
||||
}
|
||||
]
|
||||
|
@ -164,7 +164,7 @@ resource "aws_kms_key" "trail_1_key" {
|
|||
"Resource": "*",
|
||||
"Condition": {
|
||||
"StringEquals": {
|
||||
"kms:ViaService": "ec2.${data.aws_region.region.name}.amazonaws.com",
|
||||
"kms:ViaService": "ec2.${data.aws_region.current.name}.amazonaws.com",
|
||||
"kms:CallerAccount": "${data.aws_caller_identity.creds.account_id}"
|
||||
}
|
||||
}
|
||||
|
@ -178,7 +178,7 @@ resource "aws_cloudtrail" "trail_1" {
|
|||
depends_on = ["aws_iam_role_policy.cloud_watch_logs_role_policy"]
|
||||
name = "${terraform.env}-trail-01"
|
||||
s3_bucket_name = "${aws_s3_bucket.trail_1_bucket.id}"
|
||||
include_global_service_events = false
|
||||
include_global_service_events = true
|
||||
enable_logging = true
|
||||
is_multi_region_trail = true
|
||||
enable_log_file_validation = true
|
||||
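Review bot: The log-stream ARNs in the role policy on the new side (L202 and L230) still end in `..._CloudTrail_${data.aws_region.current.name}*`, while the last hunk turns the trail into `is_multi_region_trail = true` with `include_global_service_events = true`. If CloudTrail delivers a multi-region trail to the single log group as one stream per source region, with stream names of the form `<account>_CloudTrail_<region>`, then this role is granted `logs:CreateLogStream` and `logs:PutLogEvents` only on the stream for the region Terraform ran in, and events from every other region are silently dropped on the CloudWatch Logs side; please confirm against the CloudTrail delivery behaviour before relying on this fixture for multi-region checks. The log group itself lives in the current region, so only the stream suffix needs widening, in both Resource entries: `...:log-stream:${data.aws_caller_identity.creds.account_id}_CloudTrail_*`. The `aws_iam_role_policy` resource begins and ends outside the hunks shown.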
|
|
|
@ -2,10 +2,9 @@
|
|||
# Route Tables
|
||||
#===========================================================================#
|
||||
|
||||
|
||||
data "aws_internet_gateway" "default" {
|
||||
filter {
|
||||
name = "attachment.vpc-id"
|
||||
name = "attachment.vpc-id"
|
||||
values = ["${data.aws_vpc.default.id}"]
|
||||
}
|
||||
}
|
||||
|
@ -36,18 +35,10 @@ output "route_table_2_id" {
|
|||
value = "${aws_route_table.rtb2.id}"
|
||||
}
|
||||
|
||||
output "route_table_1_associations" {
|
||||
value = "${aws_route_table.rtb.associations}"
|
||||
}
|
||||
|
||||
output "route_table_1_propagating_vgws" {
|
||||
value = "${aws_route_table.rtb.propagating_vgws}"
|
||||
}
|
||||
|
||||
output "route_table_1_routes" {
|
||||
value = "${aws_route_table.rtb.routes}"
|
||||
}
|
||||
|
||||
output "route_table_1_vpc_id" {
|
||||
value = "${aws_route_table.rtb.vpc_id}"
|
||||
}
|
||||
|
|
|
@ -1,12 +1,13 @@
|
|||
terraform {
|
||||
required_version = "~> 0.10.0"
|
||||
required_version = "~> 0.11.0"
|
||||
}
|
||||
|
||||
provider "aws" {
|
||||
version = "= 1.1"
|
||||
version = "= 1.13.0"
|
||||
}
|
||||
|
||||
data "aws_caller_identity" "creds" {}
|
||||
|
||||
output "aws_account_id" {
|
||||
value = "${data.aws_caller_identity.creds.account_id}"
|
||||
}
|
||||
|
|
|
@ -1,5 +1,6 @@
|
|||
# Configure variables
|
||||
variable "storage_account_name" {}
|
||||
|
||||
variable "admin_password" {}
|
||||
|
||||
variable "subscription_id" {}
|
||||
|
@ -15,19 +16,24 @@ variable "location" {
|
|||
default = "West Europe"
|
||||
}
|
||||
|
||||
# Output the sub ID so the fixture system has something to chew on
|
||||
output "subscription_id" {
|
||||
value = "${var.subscription_id}"
|
||||
terraform {
|
||||
required_version = "~> 0.11.0"
|
||||
}
|
||||
|
||||
# Configure the Azure RM provider
|
||||
provider "azurerm" {
|
||||
version = "~> 1.3"
|
||||
subscription_id = "${var.subscription_id}"
|
||||
client_id = "${var.client_id}"
|
||||
client_secret = "${var.client_secret}"
|
||||
tenant_id = "${var.tenant_id}"
|
||||
}
|
||||
|
||||
# Output the sub ID so the fixture system has something to chew on
|
||||
output "subscription_id" {
|
||||
value = "${var.subscription_id}"
|
||||
}
|
||||
|
||||
# Create a resource group for the machine to be created in
|
||||
resource "azurerm_resource_group" "rg" {
|
||||
name = "Inspec-Azure"
|
||||
|
@ -40,10 +46,10 @@ resource "azurerm_resource_group" "rg" {
|
|||
|
||||
# Create the storage account to be used
|
||||
resource "azurerm_storage_account" "sa" {
|
||||
name = "${var.storage_account_name}"
|
||||
location = "${var.location}"
|
||||
resource_group_name = "${azurerm_resource_group.rg.name}"
|
||||
account_tier = "Standard"
|
||||
name = "${var.storage_account_name}"
|
||||
location = "${var.location}"
|
||||
resource_group_name = "${azurerm_resource_group.rg.name}"
|
||||
account_tier = "Standard"
|
||||
account_replication_type = "LRS"
|
||||
}
|
||||
|
||||
|
@ -66,20 +72,20 @@ resource "azurerm_public_ip" "public_ip_1" {
|
|||
|
||||
# Create a network security group so it can be tested
|
||||
resource "azurerm_network_security_group" "nsg" {
|
||||
name = "Inspec-NSG"
|
||||
location = "${var.location}"
|
||||
resource_group_name = "${azurerm_resource_group.rg.name}"
|
||||
name = "Inspec-NSG"
|
||||
location = "${var.location}"
|
||||
resource_group_name = "${azurerm_resource_group.rg.name}"
|
||||
|
||||
security_rule {
|
||||
name = "SSH-22"
|
||||
priority = 100
|
||||
direction = "Inbound"
|
||||
access = "Allow"
|
||||
protocol = "Tcp"
|
||||
source_port_range = "*"
|
||||
destination_port_range = "22"
|
||||
source_address_prefix = "*"
|
||||
destination_address_prefix = "*"
|
||||
name = "SSH-22"
|
||||
priority = 100
|
||||
direction = "Inbound"
|
||||
access = "Allow"
|
||||
protocol = "Tcp"
|
||||
source_port_range = "*"
|
||||
destination_port_range = "22"
|
||||
source_address_prefix = "*"
|
||||
destination_address_prefix = "*"
|
||||
}
|
||||
}
|
||||
|
||||
|
@ -160,9 +166,9 @@ resource "azurerm_virtual_machine" "vm_linux_internal" {
|
|||
|
||||
# Create the OS disk
|
||||
storage_os_disk {
|
||||
name = "Linux-Internal-OSDisk-MD"
|
||||
caching = "ReadWrite"
|
||||
create_option = "FromImage"
|
||||
name = "Linux-Internal-OSDisk-MD"
|
||||
caching = "ReadWrite"
|
||||
create_option = "FromImage"
|
||||
managed_disk_type = "Standard_LRS"
|
||||
}
|
||||
|
||||
|
@ -180,7 +186,7 @@ resource "azurerm_virtual_machine" "vm_linux_internal" {
|
|||
# Add boot diagnostics to the machine. These will be added to the
|
||||
# created storage acccount
|
||||
boot_diagnostics {
|
||||
enabled = true
|
||||
enabled = true
|
||||
storage_uri = "${azurerm_storage_account.sa.primary_blob_endpoint}"
|
||||
}
|
||||
}
|
||||
|
@ -230,8 +236,9 @@ resource "azurerm_virtual_machine" "vm_linux_external" {
|
|||
|
||||
os_profile_linux_config {
|
||||
disable_password_authentication = true
|
||||
|
||||
ssh_keys {
|
||||
path = "/home/azure/.ssh/authorized_keys"
|
||||
path = "/home/azure/.ssh/authorized_keys"
|
||||
key_data = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDOxB7GqUxppqRBG5pB2fkkhlWkWUWmFjO3ZEc+VW70erOJWfUvhzBDDQziAOVKtNF2NsY0uyRJqwaP1idL0F7GDQtQl+HhkKW1gOCoTrNptJiYfIm05jTETRWObP0kGMPoAWlkWPBluUAI74B4nkvg7SKNpe36IZhuA8/kvVjxBfWy0r/b/dh+QEIb1eE8HfELAN8SrvrydT7My7g0YFT65V00A2HVa5X3oZaBXRKbmd5gZXBJXEbgHZqA9+NnIQkZXH0vkYYOQTANB8taVwjNVftpXzf2zEupONCYOOoIAep2tXuv2YmWuHr/Y5rCv2mK28ZVcM7W9UmwM0CMHZE7 azure@inspec.local"
|
||||
}
|
||||
}
|
||||
|
@ -254,19 +261,19 @@ resource "azurerm_virtual_machine" "vm_windows_internal" {
|
|||
|
||||
# Create the OS disk
|
||||
storage_os_disk {
|
||||
name = "Windows-Internal-OSDisk-MD"
|
||||
caching = "ReadWrite"
|
||||
create_option = "FromImage"
|
||||
name = "Windows-Internal-OSDisk-MD"
|
||||
caching = "ReadWrite"
|
||||
create_option = "FromImage"
|
||||
managed_disk_type = "Standard_LRS"
|
||||
}
|
||||
|
||||
# Create 1 data disk to be used for testing
|
||||
storage_data_disk {
|
||||
name = "Windows-Internal-DataDisk-1-MD"
|
||||
create_option = "Empty"
|
||||
name = "Windows-Internal-DataDisk-1-MD"
|
||||
create_option = "Empty"
|
||||
managed_disk_type = "Standard_LRS"
|
||||
lun = 0
|
||||
disk_size_gb = "1024"
|
||||
lun = 0
|
||||
disk_size_gb = "1024"
|
||||
}
|
||||
|
||||
# Specify the name of the machine and the access credentials
|
||||
|
@ -280,5 +287,3 @@ resource "azurerm_virtual_machine" "vm_windows_internal" {
|
|||
provision_vm_agent = true
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
|
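Review bot: The new `azurerm` provider block pins `version = "~> 1.3"` (L497), which accepts any 1.x release at or above 1.3, so together with the `terraform init -upgrade` this commit adds to the Rakefile each test run will install whatever the newest matching provider happens to be at that moment; that is neither reproducible nor the "pin to 1.3" the description promises, and it is a supply-chain exposure the AWS fixtures in this same commit avoid with `version = "= 1.13.0"`. Terraform 0.11 has no provider lock file, so an exact constraint is the only control available here: `version = "= 1.3.0"` (or whichever 1.3.x the change was actually run against). A one-line comment above the pin explaining that `-upgrade` makes exact pins mandatory would keep the next person from loosening it again. The variables and resources around the provider block start and end outside the hunks shown.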
|