The Hitchhikers Guide to Testing IaC on 2022 A Terraform Use Case

Transcript

1. Yevgeniy Brikman Martin Fowler Rosemary Wang

2. A Terraform Use Case! Testing IaC on 2022 The Hitchhiker's

   Guide to

3. As a DevOps (aka SRE, IaC, Infrastructure) Engineer, our life

   is not easy!

4. Sr. DevOps Eng. Mainly focus on IaC

5. Are you afraid or do you feel fear executing terraform

   apply on PROD? There's a better way to deal with fear: Testing gives you the confidence to make changes. terraform apply

6. SO YOU ARE TELLING ME... THAT I HAVE TO WRITE

   CODE TO CHECK IF THE CODE THAT I WROTE EARLIER WAS RIGHT

7. TDD Write tests first, then write code (feature) that passes

   the tests! In other words: 1. Write the test 2. Make the code fails the test (RED) 3. Make the code passes the test (GREEN) 4. Repeat steps 2 and 3 until the code is stable (REFACTOR)

8. SO YOU ARE TELLING ME... THAT I HAVE TO WRITE

   CODE TO CHECK IF THE CODE THAT I HAVEN'T WRITTEN (BUT I WILL) IT'LL BE OK

9. Better designed, cleaner, and more extensible code TDD Benefits Code

   is built for defined features (less code, less bugs) Confidence to Refactor Good for: teamwork, code review, code sharing, code versioning Code is easier to: Read, understand, maintain, evolve, test, debug, reuse
10. None

11. Is TDD Dead? Long live testing!

12. A Software Tester Goes To A Bar... Orders one beer

    Orders zero beer Orders 999 beers Orders #ad&8d* beer Orders .5 beer Bring his own beer Tries to sell his beer to the bar Orders an empty beer bottle Doesn’t order anything Orders a beer every one minute Tries to grab a beer from someone else

13. This talk is about how to write IaC tests (Terraform)

    in 2022 to get confidence... ...Or at least minimize the risk!

14. Test Pyramid "The test pyramid is a way of thinking

    about how different kinds of automated tests should be used to create a balanced portfolio. Its essential point is that you should have many more low-level UnitTests than high level BroadStackTests running through a GUI." Martin Fowler

15. Test Pyramid SDLC

16. Why can testing be challenging?

17. Tooling Lack of knowledge about testing. No clear way to

    test. Slow CI servers, flows, feedback loops, and other bottlenecks Lack of automation Lack of confidence in the testing process (flaky, intermittent, etc.) Why can testing be challenging? Bad architecture/ Code is hard to test Maintenance and evolution We are humans, We Make Assumptions

18. Two common IaC team scenarios (80% - 20%) AM I

    RIGHT?

19. Test Pyramid IaC! Current!

20. Makefile Docker containers https://github.com/acactown/terraform-tdd

21. terraform-aws-network https://github.com/acactown/terraform-tdd terraform-aws-microservice

22. Static Code Analysis "Static Code Analysis commonly refers to the

    running of Static Code Analysis tools that attempt to highlight possible vulnerabilities within ‘static’ (non-running) source code by using techniques such as Taint Analysis and Data Flow Analysis." OWASP Style Guide Compiler/Parser/Interpreter Linters Dry-run

23. Static Code Analysis Style Guide TERRAFORM FMT "Check a set

    of conventions (sometimes arbitrary) about how to write code for that project. It is much easier to understand a large codebase when all the code in it is in a consistent style" TERRAFORM-DOCS EDITORCONFIG-CHECKER TERRAFORM-GRAPH-BEAUTIFIER ✅ ✅ ✅ ⚙️ TERRAFORM-VISUAL ⚙️

24. https://github.com/acactown/terraform-tdd Static Code Analysis Style Guide

25. https://github.com/acactown/terraform-tdd Static Code Analysis Style Guide

26. https://github.com/acactown/terraform-tdd Static Code Analysis Style Guide

27. Static Code Analysis Compiler/Parser/Interpreter TERRAFORM VALIDATE "Statically check the code

    for syntactic and structural issues" ✅

28. https://github.com/acactown/terraform-tdd Static Code Analysis Compiler/Parser/Interpreter

29. Static Code Analysis Linters TFLINT / TFSEC "Statically validate your

    code to catch common errors. Linters provide crucial information to speed up debugging and save time in your development. Warn about depreciated syntax and unused declarations, enforce best practices and naming conventions" TERRASCAN / CONFTEST SENTINEL TFUPDATE ✅ ✅ ⚙️ COMMIT-LINT / SECRETLINT ⚙️ MISSPELL / GRAMMARCHECK ⚙️ SUPER-LINTER / MEGALINTER ⚙️ ☑️

30. https://github.com/acactown/terraform-tdd Static Code Analysis Linters

31. https://github.com/acactown/terraform-tdd Static Code Analysis Linters

32. https://github.com/acactown/terraform-tdd Static Code Analysis Linters

33. https://github.com/acactown/terraform-tdd Static Code Analysis Linters

34. Static Code Analysis Dry-run CHECKOV "Partially execute the code and

    validate the plan, but don't actually deploy. It looks for misconfiguration that may lead to security or compliance problems. Changes made by Terraform may alter the status of resources hosted by a cloud provider" TERRAFORM-COMPLIANCE ✅ REGULA / KICS ⚙️ ✅ SENTINEL ☑️ CONFTEST ✅ INFRACOST ⚙️

35. https://github.com/acactown/terraform-tdd Static Code Analysis Dry-run

36. https://github.com/acactown/terraform-tdd Static Code Analysis Dry-run

37. https://github.com/acactown/terraform-tdd Static Code Analysis Dry-run

38. https://github.com/acactown/terraform-tdd Static Code Analysis Dry-run

39. Unit Test " Test a single "unit" works in isolation"

    " Break your infra code into small modules and unit test those" Yevgeniy Brikman 1. Analyze the code and find the most important things to test. Focus on: Logic, Standards, Architectural Conformance 2. Write a test for each of those things 3. Run the test and see if it passes 4. Repeat steps 2 and 3 until the code is stable 5. Refactor the code to make it easier to test Test Strategy (TDD)

40. Unit Test CONFTEST CLARITY ✅ ⚙️ SENTINEL ☑️ "There's no

    pure unit testing for IaC" Yevgeniy Brikman

41. https://github.com/acactown/terraform-tdd Unit Test

42. https://github.com/acactown/terraform-tdd Unit Test

43. https://github.com/acactown/terraform-tdd Unit Test

44. Contract Test CONFTEST ✅ SENTINEL ☑️ "We know that the

    Terraform code works (the Hashi guys are doing a great job). What we don't know is if we put it incorrectly... or if we put it right" Rosemery Wang

45. Contract Test " In simple words, it is a testing

    of integration points in a distributed setup following a common agreement" Martin Fowler 1. Analyze the code and find the most important things to test. Focus on: Check interaction 2 Mods, In & Out, Expected State 2. Write a test for each of those things 3. Run the terraform plan to reflect the desired state 5. Repeat steps 2, 3 and 4 until the code is stable 6. Refactor the code to make it easier to test Test Strategy (TDD) 4. Run the test on the terraform plan output and see if it passes

46. https://github.com/acactown/terraform-tdd Contract Test

47. https://github.com/acactown/terraform-tdd Contract Test

48. https://github.com/acactown/terraform-tdd Contract Test

49. Integration Test "Determine if independently developed units of software work

    correctly when they are connected to each other. The point of integration testing, as the name suggests, is to test whether many separately developed modules work together as expected" Martin Fowler 1. Analyze the code and find the most important things to test. Focus on: Confirm interaction 2+ Mods, Executions, Dependencies, Resources, Sections. 2. Write the module examples of those 3. Write a test for each of those examples 5. Run the test directly on the Cloud Provider to validate it works 6. Run terraform destroy to "undeploy" the infra Test Strategy (TDD) 4. Run the terraform apply to deploy real infra

50. Integration Test TERRATEST ✅ KITCHEN-TERRAFORM "You can test units in

    isolation from the outside world. But 99% of infrastructure code is about talking to the outside world" "So you can only test infra code by deploying to the real environment" Yevgeniy Brikman ⚙️

51. Integration Test TERRATEST ✅ KITCHEN-TERRAFORM "When using Terraform, you can

    test the behavior of your infrastructure by deploying it to a real environment" "Using Iac tools Like Terraform, testing de deployment is redundant. Is Covered by Hashi guys" "Focus in your own business interactions (Functional, Policy & Security, Use Cases)" Rosemery Wang ⚙️

52. https://github.com/acactown/terraform-tdd Integration Test

53. Pipeline Steps (toolchain)

54. Do you have any questions? Thx!