Upgrade Terraform version pins for integration testing (#2968)

* Update terraform to 0.11.7 (latest) and aws plugin to 1.14; upgrade plugins on test startup
* TF route table resource doesn't export associations or routes attributes.  Which we weren't using anyway.
* Downgrade to aws plugin 1.13 to avoid TF panic; suppress deprecation warning for aws_region
* Fix incoherent attribute combination on cloudtrail
* Add -auto-approve to suppress interactive confirmation
* Update version pinning for AWS minimal account
* Use a plan file in AWS runs
* Pin azure TF run to 0.11 and 1.3; also an autoformatter pass on the TF code.

Signed-off-by: Clinton Wolfe <clintoncwolfe@gmail.com>
Clinton Wolfe 2018-04-19 13:01:27 -04:00 committed by Jared Quick
parent 768dde71a7
commit 340b6eb4b4
7 changed files with 55 additions and 59 deletions

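--- a/.gitignore
+++ b/.gitignore
@@ -33,3 +33,4 @@ profile-1.0.0.tar.gz
 terraform.tfstate*
 terraform.tfstate.backup
 inspec-azure.plan
+inspec-aws-*.plan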


@ -105,10 +105,10 @@ namespace :test do
abort("You must set the environment variable AWS_REGION") unless ENV['AWS_REGION'] abort("You must set the environment variable AWS_REGION") unless ENV['AWS_REGION']
puts "----> Checking for required AWS profile..." puts "----> Checking for required AWS profile..."
sh("aws configure get aws_access_key_id --profile inspec-aws-test-#{account} > /dev/null") sh("aws configure get aws_access_key_id --profile inspec-aws-test-#{account} > /dev/null")
sh("cd #{integration_dir}/build/ && terraform init") sh("cd #{integration_dir}/build/ && terraform init -upgrade")
sh("cd #{integration_dir}/build/ && terraform workspace new #{tf_workspace}") sh("cd #{integration_dir}/build/ && terraform workspace new #{tf_workspace}")
sh("cd #{integration_dir}/build/ && AWS_PROFILE=inspec-aws-test-#{account} terraform plan") sh("cd #{integration_dir}/build/ && AWS_PROFILE=inspec-aws-test-#{account} terraform plan -out inspec-aws-#{account}.plan")
sh("cd #{integration_dir}/build/ && AWS_PROFILE=inspec-aws-test-#{account} terraform apply") sh("cd #{integration_dir}/build/ && AWS_PROFILE=inspec-aws-test-#{account} terraform apply -auto-approve inspec-aws-#{account}.plan")
Rake::Task["test:aws:dump_attrs:#{account}"].execute Rake::Task["test:aws:dump_attrs:#{account}"].execute
end end
@ -158,7 +158,7 @@ namespace :test do
tf_workspace = args[:tf_workspace] || ENV['INSPEC_TERRAFORM_ENV'] tf_workspace = args[:tf_workspace] || ENV['INSPEC_TERRAFORM_ENV']
abort("You must either call the top-level test:azure task, or set the INSPEC_TERRAFORM_ENV variable.") unless tf_workspace abort("You must either call the top-level test:azure task, or set the INSPEC_TERRAFORM_ENV variable.") unless tf_workspace
puts '----> Setup' puts '----> Setup'
sh("cd #{integration_dir}/build/ && terraform init") sh("cd #{integration_dir}/build/ && terraform init -upgrade")
sh("cd #{integration_dir}/build/ && terraform workspace new #{tf_workspace}") sh("cd #{integration_dir}/build/ && terraform workspace new #{tf_workspace}")
# Generate Azure crendentials # Generate Azure crendentials
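Review bot: `-auto-approve` on the AWS hunk's `terraform apply -auto-approve inspec-aws-#{account}.plan` line is redundant — Terraform does not prompt when it is handed a saved plan file — so it is harmless, but it reads as if the plan argument were the optional part; a comment such as `# apply consumes the saved plan; -auto-approve is a no-op here, kept for clarity` would stop someone dropping the plan file later. Applying the saved plan is the actual safeguard: only the change set produced by the preceding `plan -out` can be applied, not whatever a fresh refresh would compute. The two `terraform init -upgrade` lines (AWS and Azure hunks) re-resolve provider plugins on every run, so run-to-run reproducibility now rests entirely on the version constraints in the fixtures' default.tf files. The plan file is written into the build directory and never removed; it may carry resource attributes and variable values, so the .gitignore entry in this commit is necessary but a cleanup after apply would avoid stale plans accumulating. Both enclosing task definitions begin before their hunks.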


@ -1,9 +1,9 @@
terraform { terraform {
required_version = "~> 0.10.0" required_version = "~> 0.11.0"
} }
provider "aws" { provider "aws" {
version = "= 1.1" version = "= 1.13.0"
} }
data "aws_caller_identity" "creds" {} data "aws_caller_identity" "creds" {}
@ -12,10 +12,8 @@ output "aws_account_id" {
value = "${data.aws_caller_identity.creds.account_id}" value = "${data.aws_caller_identity.creds.account_id}"
} }
data "aws_region" "region" { data "aws_region" "current" {}
current = true
}
output "aws_region" { output "aws_region" {
value = "${data.aws_region.region.name}" value = "${data.aws_region.current.name}"
} }
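Review bot: The exact `version = "= 1.13.0"` pin in the provider block has a non-obvious reason that lives only in the commit message (a Terraform panic with 1.14); record it beside the pin so the next upgrade does not blindly bump it, e.g. `# Exactly 1.13.0: 1.14 panics under Terraform 0.11.7 (see #2968)`. The identical pin in the minimal-account default.tf section further down needs the same comment. Because the Rakefile now runs `terraform init -upgrade` on every test start, this exact pin is the only thing keeping the provider build reproducible between runs, so it should stay `=` rather than be relaxed to `~>`. The replacement `data "aws_region" "current" {}` drops the deprecated `current = true` argument; as far as this diff shows only the cloudtrail fixture referenced `data.aws_region.region`, but any other fixture still using that name would now fail to plan.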


@ -71,7 +71,7 @@ resource "aws_iam_role_policy" "cloud_watch_logs_role_policy" {
"logs:CreateLogStream" "logs:CreateLogStream"
], ],
"Resource": [ "Resource": [
"arn:aws:logs:${data.aws_region.region.name}:${data.aws_caller_identity.creds.account_id}:log-group:${aws_cloudwatch_log_group.trail_1_log_group.name}:log-stream:${data.aws_caller_identity.creds.account_id}_CloudTrail_${data.aws_region.region.name}*" "arn:aws:logs:${data.aws_region.current.name}:${data.aws_caller_identity.creds.account_id}:log-group:${aws_cloudwatch_log_group.trail_1_log_group.name}:log-stream:${data.aws_caller_identity.creds.account_id}_CloudTrail_${data.aws_region.current.name}*"
] ]
}, },
{ {
@ -81,7 +81,7 @@ resource "aws_iam_role_policy" "cloud_watch_logs_role_policy" {
"logs:PutLogEvents" "logs:PutLogEvents"
], ],
"Resource": [ "Resource": [
"arn:aws:logs:${data.aws_region.region.name}:${data.aws_caller_identity.creds.account_id}:log-group:${aws_cloudwatch_log_group.trail_1_log_group.name}:log-stream:${data.aws_caller_identity.creds.account_id}_CloudTrail_${data.aws_region.region.name}*" "arn:aws:logs:${data.aws_region.current.name}:${data.aws_caller_identity.creds.account_id}:log-group:${aws_cloudwatch_log_group.trail_1_log_group.name}:log-stream:${data.aws_caller_identity.creds.account_id}_CloudTrail_${data.aws_region.current.name}*"
] ]
} }
] ]
@ -164,7 +164,7 @@ resource "aws_kms_key" "trail_1_key" {
"Resource": "*", "Resource": "*",
"Condition": { "Condition": {
"StringEquals": { "StringEquals": {
"kms:ViaService": "ec2.${data.aws_region.region.name}.amazonaws.com", "kms:ViaService": "ec2.${data.aws_region.current.name}.amazonaws.com",
"kms:CallerAccount": "${data.aws_caller_identity.creds.account_id}" "kms:CallerAccount": "${data.aws_caller_identity.creds.account_id}"
} }
} }
@ -178,7 +178,7 @@ resource "aws_cloudtrail" "trail_1" {
depends_on = ["aws_iam_role_policy.cloud_watch_logs_role_policy"] depends_on = ["aws_iam_role_policy.cloud_watch_logs_role_policy"]
name = "${terraform.env}-trail-01" name = "${terraform.env}-trail-01"
s3_bucket_name = "${aws_s3_bucket.trail_1_bucket.id}" s3_bucket_name = "${aws_s3_bucket.trail_1_bucket.id}"
include_global_service_events = false include_global_service_events = true
enable_logging = true enable_logging = true
is_multi_region_trail = true is_multi_region_trail = true
enable_log_file_validation = true enable_log_file_validation = true
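Review bot: The flip to `include_global_service_events = true` in the last hunk is a correctness fix rather than cosmetics — the commit message calls the old combination with `is_multi_region_trail = true` incoherent — but nothing in the resource says so, and it is one revert away from coming back; add `# keep true: a multi-region trail should also capture global (non-regional) service events` above it. From a detection standpoint that is also the setting that makes the trail useful as an audit source, since global-service API activity is otherwise absent from it. The `data.aws_region.region` → `data.aws_region.current` rename in the two IAM policy ARNs and in the KMS `kms:ViaService` condition is mechanical and consistent with the data source change in default.tf. The `aws_cloudtrail` resource continues past the end of the hunk.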


@ -2,7 +2,6 @@
# Route Tables # Route Tables
#===========================================================================# #===========================================================================#
data "aws_internet_gateway" "default" { data "aws_internet_gateway" "default" {
filter { filter {
name = "attachment.vpc-id" name = "attachment.vpc-id"
@ -36,18 +35,10 @@ output "route_table_2_id" {
value = "${aws_route_table.rtb2.id}" value = "${aws_route_table.rtb2.id}"
} }
output "route_table_1_associations" {
value = "${aws_route_table.rtb.associations}"
}
output "route_table_1_propagating_vgws" { output "route_table_1_propagating_vgws" {
value = "${aws_route_table.rtb.propagating_vgws}" value = "${aws_route_table.rtb.propagating_vgws}"
} }
output "route_table_1_routes" {
value = "${aws_route_table.rtb.routes}"
}
output "route_table_1_vpc_id" { output "route_table_1_vpc_id" {
value = "${aws_route_table.rtb.vpc_id}" value = "${aws_route_table.rtb.vpc_id}"
} }


@ -1,12 +1,13 @@
terraform { terraform {
required_version = "~> 0.10.0" required_version = "~> 0.11.0"
} }
provider "aws" { provider "aws" {
version = "= 1.1" version = "= 1.13.0"
} }
data "aws_caller_identity" "creds" {} data "aws_caller_identity" "creds" {}
output "aws_account_id" { output "aws_account_id" {
value = "${data.aws_caller_identity.creds.account_id}" value = "${data.aws_caller_identity.creds.account_id}"
} }


@ -1,5 +1,6 @@
# Configure variables # Configure variables
variable "storage_account_name" {} variable "storage_account_name" {}
variable "admin_password" {} variable "admin_password" {}
variable "subscription_id" {} variable "subscription_id" {}
@ -15,19 +16,24 @@ variable "location" {
default = "West Europe" default = "West Europe"
} }
# Output the sub ID so the fixture system has something to chew on terraform {
output "subscription_id" { required_version = "~> 0.11.0"
value = "${var.subscription_id}"
} }
# Configure the Azure RM provider # Configure the Azure RM provider
provider "azurerm" { provider "azurerm" {
version = "~> 1.3"
subscription_id = "${var.subscription_id}" subscription_id = "${var.subscription_id}"
client_id = "${var.client_id}" client_id = "${var.client_id}"
client_secret = "${var.client_secret}" client_secret = "${var.client_secret}"
tenant_id = "${var.tenant_id}" tenant_id = "${var.tenant_id}"
} }
# Output the sub ID so the fixture system has something to chew on
output "subscription_id" {
value = "${var.subscription_id}"
}
# Create a resource group for the machine to be created in # Create a resource group for the machine to be created in
resource "azurerm_resource_group" "rg" { resource "azurerm_resource_group" "rg" {
name = "Inspec-Azure" name = "Inspec-Azure"
@ -230,6 +236,7 @@ resource "azurerm_virtual_machine" "vm_linux_external" {
os_profile_linux_config { os_profile_linux_config {
disable_password_authentication = true disable_password_authentication = true
ssh_keys { ssh_keys {
path = "/home/azure/.ssh/authorized_keys" path = "/home/azure/.ssh/authorized_keys"
key_data = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDOxB7GqUxppqRBG5pB2fkkhlWkWUWmFjO3ZEc+VW70erOJWfUvhzBDDQziAOVKtNF2NsY0uyRJqwaP1idL0F7GDQtQl+HhkKW1gOCoTrNptJiYfIm05jTETRWObP0kGMPoAWlkWPBluUAI74B4nkvg7SKNpe36IZhuA8/kvVjxBfWy0r/b/dh+QEIb1eE8HfELAN8SrvrydT7My7g0YFT65V00A2HVa5X3oZaBXRKbmd5gZXBJXEbgHZqA9+NnIQkZXH0vkYYOQTANB8taVwjNVftpXzf2zEupONCYOOoIAep2tXuv2YmWuHr/Y5rCv2mK28ZVcM7W9UmwM0CMHZE7 azure@inspec.local" key_data = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDOxB7GqUxppqRBG5pB2fkkhlWkWUWmFjO3ZEc+VW70erOJWfUvhzBDDQziAOVKtNF2NsY0uyRJqwaP1idL0F7GDQtQl+HhkKW1gOCoTrNptJiYfIm05jTETRWObP0kGMPoAWlkWPBluUAI74B4nkvg7SKNpe36IZhuA8/kvVjxBfWy0r/b/dh+QEIb1eE8HfELAN8SrvrydT7My7g0YFT65V00A2HVa5X3oZaBXRKbmd5gZXBJXEbgHZqA9+NnIQkZXH0vkYYOQTANB8taVwjNVftpXzf2zEupONCYOOoIAep2tXuv2YmWuHr/Y5rCv2mK28ZVcM7W9UmwM0CMHZE7 azure@inspec.local"
@ -280,5 +287,3 @@ resource "azurerm_virtual_machine" "vm_windows_internal" {
provision_vm_agent = true provision_vm_agent = true
} }
} }
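Review bot: The new `version = "~> 1.3"` on the azurerm provider is a floating constraint (any 1.x at or above 1.3), which is inconsistent with the exact `= 1.13.0` pin the AWS fixtures use and, combined with the `terraform init -upgrade` the Rakefile now runs, means each test run silently pulls the newest matching provider release. If reproducible runs are the goal here too, pin it exactly, e.g. `version = "= 1.3.0"`, and note the reason in a comment as suggested for the AWS fixtures. The added `terraform { required_version = "~> 0.11.0" }` block is fine, and moving the `subscription_id` output below the provider block is a formatter side-effect with no behavioural change. The `admin_password` and `client_secret` variables remain unassigned in this file, which is the right place for them to stay; they are unchanged context here.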