
The Hitchhikers Guide to Testing IaC on 2022 A Terraform Use Case


Are you afraid or do you feel fear executing terraform apply on PROD?

There's a better way to deal with fear: Testing gives you the confidence to make changes.

This talk is about how to write IaC tests (Terraform) in 2022 to get confidence...
...Or at least minimize the risk!

Andrés Amado

May 02, 2022


Transcript

  1. Are you afraid, or do you feel fear, executing terraform apply on PROD? There's a better way to deal with fear: testing gives you the confidence to make changes.
  2. SO YOU ARE TELLING ME... THAT I HAVE TO WRITE CODE TO CHECK IF THE CODE THAT I WROTE EARLIER WAS RIGHT
  3. TDD: write the tests first, then write the code (feature) that passes the tests. In other words: 1. Write the test. 2. Make the code fail the test (RED). 3. Make the code pass the test (GREEN). 4. Repeat steps 2 and 3 until the code is stable (REFACTOR).
  4. SO YOU ARE TELLING ME... THAT I HAVE TO WRITE CODE TO CHECK IF THE CODE THAT I HAVEN'T WRITTEN YET (BUT WILL) IS GOING TO BE OK
  5. TDD benefits: better designed, cleaner and more extensible code. Code is built for defined features (less code, fewer bugs). Confidence to refactor. Good for teamwork, code review, code sharing and code versioning. Code is easier to read, understand, maintain, evolve, test, debug and reuse.
  6. A software tester goes to a bar... Orders one beer. Orders zero beers. Orders 999 beers. Orders #ad&8d* beer. Orders .5 beer. Brings his own beer. Tries to sell his beer to the bar. Orders an empty beer bottle. Doesn't order anything. Orders a beer every minute. Tries to grab a beer from someone else.
  7. This talk is about how to write IaC tests (Terraform) in 2022 to get confidence... ...or at least minimize the risk!
  8. Test Pyramid: "The test pyramid is a way of thinking about how different kinds of automated tests should be used to create a balanced portfolio. Its essential point is that you should have many more low-level UnitTests than high level BroadStackTests running through a GUI." (Martin Fowler)
  9. Why can testing be challenging? Tooling. Lack of knowledge about testing. No clear way to test. Slow CI servers, flows, feedback loops and other bottlenecks. Lack of automation. Lack of confidence in the testing process (flaky, intermittent tests, etc.). Bad architecture / code that is hard to test. Maintenance and evolution. We are humans, and we make assumptions.
  10. Static Code Analysis: "Static Code Analysis commonly refers to the running of Static Code Analysis tools that attempt to highlight possible vulnerabilities within 'static' (non-running) source code by using techniques such as Taint Analysis and Data Flow Analysis." (OWASP) Categories: Style Guide, Compiler/Parser/Interpreter, Linters, Dry-run.
  11. Static Code Analysis, Style Guide: "Check a set of conventions (sometimes arbitrary) about how to write code for that project. It is much easier to understand a large codebase when all the code in it is in a consistent style." Tools: TERRAFORM FMT, TERRAFORM-DOCS, EDITORCONFIG-CHECKER, TERRAFORM-GRAPH-BEAUTIFIER ✅ ✅ ✅ ⚙️, TERRAFORM-VISUAL ⚙️
  12. Static Code Analysis, Linters: "Statically validate your code to catch common errors. Linters provide crucial information to speed up debugging and save time in your development. Warn about deprecated syntax and unused declarations, enforce best practices and naming conventions." Tools: TFLINT / TFSEC, TERRASCAN / CONFTEST, SENTINEL, TFUPDATE ✅ ✅ ⚙️, COMMIT-LINT / SECRETLINT ⚙️, MISSPELL / GRAMMARCHECK ⚙️, SUPER-LINTER / MEGALINTER ⚙️ ☑️
  13. Static Code Analysis, Dry-run: "Partially execute the code and validate the plan, but don't actually deploy. It looks for misconfigurations that may lead to security or compliance problems. Changes made by Terraform may alter the status of resources hosted by a cloud provider." Tools: CHECKOV, TERRAFORM-COMPLIANCE ✅, REGULA / KICS ⚙️ ✅, SENTINEL ☑️, CONFTEST ✅, INFRACOST ⚙️
  14. Unit Test: "Test that a single 'unit' works in isolation." "Break your infra code into small modules and unit test those." (Yevgeniy Brikman) Test strategy (TDD): 1. Analyze the code and find the most important things to test. Focus on: logic, standards, architectural conformance. 2. Write a test for each of those things. 3. Run the test and see if it passes. 4. Repeat steps 2 and 3 until the code is stable. 5. Refactor the code to make it easier to test.
  15. Unit Test. Tools: CONFTEST, CLARITY ✅ ⚙️, SENTINEL ☑️. "There's no pure unit testing for IaC." (Yevgeniy Brikman)
  16. Contract Test. Tools: CONFTEST ✅, SENTINEL ☑️. "We know that the Terraform code works (the Hashi guys are doing a great job). What we don't know is if we put it incorrectly... or if we put it right." (Rosemary Wang)
  17. Contract Test: "In simple words, it is a testing of integration points in a distributed setup following a common agreement." (Martin Fowler) Test strategy (TDD): 1. Analyze the code and find the most important things to test. Focus on: the interaction between two modules, inputs and outputs, expected state. 2. Write a test for each of those things. 3. Run terraform plan to reflect the desired state. 4. Run the test on the terraform plan output and see if it passes. 5. Repeat steps 2, 3 and 4 until the code is stable. 6. Refactor the code to make it easier to test.
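The dry-run check of slide 13 and the contract-test loop of slide 17 both run against the plan rather than against live infrastructure. As an added example (not code from the deck, and not Conftest/Rego or Sentinel, which are the tools the deck names), here is the same idea in plain Go: it reads the JSON that `terraform plan -out=tfplan && terraform show -json tfplan` produces, walks `resource_changes`, and enforces three assumed contracts: no public S3 ACL, no SSH ingress from 0.0.0.0/0, and a required set of tags on every taggable resource. The rule set, the tag names `Owner`/`Environment`, the resource addresses and the embedded plan fragment are all constructed for illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
	"os"
	"strings"
)

// Constructed plan fragment in the `terraform show -json tfplan` shape (not real output).
const samplePlan = `{
  "format_version": "1.1",
  "resource_changes": [
    {"address": "module.site.aws_s3_bucket.assets", "type": "aws_s3_bucket",
     "change": {"actions": ["create"],
                "after": {"bucket": "assets-prod", "acl": "public-read", "tags": {"Owner": "web"}}}},
    {"address": "module.site.aws_security_group_rule.ssh", "type": "aws_security_group_rule",
     "change": {"actions": ["create"],
                "after": {"type": "ingress", "from_port": 22, "to_port": 22, "protocol": "tcp",
                          "cidr_blocks": ["0.0.0.0/0"]}}},
    {"address": "module.site.aws_s3_bucket.legacy", "type": "aws_s3_bucket",
     "change": {"actions": ["delete"], "after": null}},
    {"address": "module.site.aws_instance.web", "type": "aws_instance",
     "change": {"actions": ["update"],
                "after": {"instance_type": "t3.micro", "tags": {"Owner": "web", "Environment": "prod"}}}}
  ]
}`

// plan holds only the parts of the plan schema the rules need.
type plan struct {
	ResourceChanges []struct {
		Address string `json:"address"`
		Type    string `json:"type"`
		Change  struct {
			Actions []string               `json:"actions"`
			After   map[string]interface{} `json:"after"`
		} `json:"change"`
	} `json:"resource_changes"`
}

// Violation is one broken contract on one planned resource.
type Violation struct{ Address, Rule string }

func (v Violation) String() string { return v.Address + ": " + v.Rule }

// RequiredTags is the tagging contract assumed for this example.
var RequiredTags = []string{"Owner", "Environment"}

// CheckPlan applies the three contracts to every resource the plan will create or update.
func CheckPlan(planJSON []byte) ([]Violation, error) {
	var p plan
	if err := json.Unmarshal(planJSON, &p); err != nil {
		return nil, fmt.Errorf("parse plan: %w", err)
	}
	var found []Violation
	for _, rc := range p.ResourceChanges {
		if !willExist(rc.Change.Actions) {
			continue // deletions and no-ops have no "after" state to judge
		}
		after := rc.Change.After
		if rc.Type == "aws_s3_bucket" {
			if acl, _ := after["acl"].(string); strings.HasPrefix(acl, "public-") {
				found = append(found, Violation{rc.Address, "public ACL " + acl})
			}
		}
		if rc.Type == "aws_security_group_rule" && sshOpenToWorld(after) {
			found = append(found, Violation{rc.Address, "port 22 open to 0.0.0.0/0"})
		}
		if raw, taggable := after["tags"]; taggable { // key absent => resource has no tags attribute
			tags, _ := raw.(map[string]interface{}) // nil when tags = null; reads from a nil map are safe
			for _, t := range RequiredTags {
				if _, ok := tags[t]; !ok {
					found = append(found, Violation{rc.Address, "missing tag " + t})
				}
			}
		}
	}
	return found, nil
}

func willExist(actions []string) bool {
	for _, a := range actions {
		if a == "create" || a == "update" {
			return true
		}
	}
	return false
}

// sshOpenToWorld: ingress rule whose port range covers 22 and whose CIDRs include 0.0.0.0/0.
func sshOpenToWorld(after map[string]interface{}) bool {
	kind, _ := after["type"].(string)
	from, _ := after["from_port"].(float64) // JSON numbers decode as float64
	to, _ := after["to_port"].(float64)
	if kind != "ingress" || from > 22 || to < 22 {
		return false
	}
	cidrs, _ := after["cidr_blocks"].([]interface{})
	for _, c := range cidrs {
		if c == "0.0.0.0/0" {
			return true
		}
	}
	return false
}

func main() {
	// Real use: feed the output of `terraform show -json tfplan` here instead of samplePlan.
	violations, err := CheckPlan([]byte(samplePlan))
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(2)
	}
	for _, v := range violations {
		fmt.Println("FAIL", v)
	}
	if len(violations) > 0 {
		os.Exit(1)
	}
}
```

The check runs before anything is applied, which is exactly what makes it a contract test rather than an integration test: it can sit in CI as a required step, a non-zero exit blocks the merge, and the deleted `legacy` bucket is skipped because there is no "after" state to judge.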
  18. Integration Test: "Determine if independently developed units of software work correctly when they are connected to each other. The point of integration testing, as the name suggests, is to test whether many separately developed modules work together as expected." (Martin Fowler) Test strategy (TDD): 1. Analyze the code and find the most important things to test. Focus on: confirming the interaction of two or more modules, executions, dependencies, resources, sections. 2. Write the module examples for those. 3. Write a test for each of those examples. 4. Run terraform apply to deploy real infra. 5. Run the test directly on the cloud provider to validate that it works. 6. Run terraform destroy to "undeploy" the infra.
  19. Integration Test. Tools: TERRATEST ✅, KITCHEN-TERRAFORM ⚙️. "You can test units in isolation from the outside world. But 99% of infrastructure code is about talking to the outside world." "So you can only test infra code by deploying to the real environment." (Yevgeniy Brikman)
  20. Integration Test. Tools: TERRATEST ✅, KITCHEN-TERRAFORM ⚙️. "When using Terraform, you can test the behavior of your infrastructure by deploying it to a real environment." "Using IaC tools like Terraform, testing the deployment is redundant. It's covered by the Hashi guys." "Focus on your own business interactions (Functional, Policy & Security, Use Cases)." (Rosemary Wang)
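Slides 18 to 20 describe the apply / test against the real provider / destroy loop that Terratest automates with `terraform.InitAndApply`, `terraform.Output` and a deferred `terraform.Destroy`. As an added example (not from the deck and not Terratest itself), here is that loop written with only the Go standard library, shelling out to the `terraform` CLI and then asserting on the deployed infrastructure as Wang suggests: not that the resource exists, but that the business-level output actually behaves. The module path `examples/complete`, the output name `site_url`, the `ParseOutputs`/`CheckHTTP` helpers and the constructed `terraform output -json` sample in the test are assumptions for illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"os"
	"os/exec"
	"time"
)

// tfOutput mirrors one entry of `terraform output -json` ({"name": {"sensitive":..,"type":..,"value":..}}).
type tfOutput struct {
	Sensitive bool            `json:"sensitive"`
	Value     json.RawMessage `json:"value"`
}

// ParseOutputs decodes `terraform output -json`, keeps the string-valued outputs, and fails
// if any required output is absent or not a string. (Hypothetical helper written for this example.)
func ParseOutputs(raw []byte, required ...string) (map[string]string, error) {
	var outs map[string]tfOutput
	if err := json.Unmarshal(raw, &outs); err != nil {
		return nil, fmt.Errorf("parse outputs: %w", err)
	}
	res := make(map[string]string)
	for name, o := range outs {
		var s string
		if json.Unmarshal(o.Value, &s) == nil { // lists and maps are skipped
			res[name] = s
		}
	}
	for _, r := range required {
		if _, ok := res[r]; !ok {
			return nil, fmt.Errorf("required output %q missing or not a string", r)
		}
	}
	return res, nil
}

// CheckHTTP polls url until it answers with the wanted status, giving fresh infra time to settle.
func CheckHTTP(url string, want int, timeout time.Duration) error {
	deadline := time.Now().Add(timeout)
	client := &http.Client{Timeout: 5 * time.Second}
	for {
		resp, err := client.Get(url)
		if err == nil {
			resp.Body.Close()
			if resp.StatusCode == want {
				return nil
			}
		}
		if time.Now().After(deadline) {
			return fmt.Errorf("%s did not return %d within %s (last error: %v)", url, want, timeout, err)
		}
		time.Sleep(time.Second)
	}
}

// tf runs one terraform subcommand inside dir and returns its stdout; stderr goes to the console.
func tf(dir string, args ...string) ([]byte, error) {
	cmd := exec.Command("terraform", args...)
	cmd.Dir = dir
	cmd.Stderr = os.Stderr
	return cmd.Output()
}

// RunExample is the slide-18 loop: init, apply the example module, test it, always destroy.
func RunExample(dir string) error {
	if _, err := tf(dir, "init", "-input=false"); err != nil {
		return fmt.Errorf("init: %w", err)
	}
	if _, err := tf(dir, "apply", "-auto-approve", "-input=false"); err != nil {
		return fmt.Errorf("apply: %w", err)
	}
	defer tf(dir, "destroy", "-auto-approve", "-input=false") // undeploy even when the test fails
	raw, err := tf(dir, "output", "-json")
	if err != nil {
		return fmt.Errorf("output: %w", err)
	}
	outs, err := ParseOutputs(raw, "site_url") // assumed output exposed by examples/complete
	if err != nil {
		return err
	}
	// The business-level assertion: the site the module claims to publish actually serves.
	return CheckHTTP(outs["site_url"], http.StatusOK, 2*time.Minute)
}

func main() {
	if err := RunExample("examples/complete"); err != nil {
		fmt.Fprintln(os.Stderr, "FAIL:", err)
		os.Exit(1)
	}
	fmt.Println("PASS")
}
```

Two practitioner details worth keeping whatever tool you use: the `destroy` is deferred immediately after a successful `apply`, so a failing assertion cannot leave billable infrastructure behind, and the assertion polls with a deadline rather than hitting the endpoint once, because a load balancer or DNS record that `apply` just created is routinely not yet serving when the command returns.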