Testing Cloud Infrastructure Ladislav Prskavec Ladislav Prskavec - Teststack conference, 6. 6. 2019 1

Who Am I 4 SRE Team leader in Oracle + Apiary (Oracle Cloud Development) 4 Twitter: @abtris 4 Blog and talks: https://blog.prskavec.net/ 4 Golang Prague organizer (@GoMeetupPrague) 4 HiveTalks meetups co-founder 4 PragueJS founder (2012-2016) Ladislav Prskavec - Teststack conference, 6. 6. 2019 2

Approach to get better reliability 4 Testing 4 Automation 4 Prevention Ladislav Prskavec - Teststack conference, 6. 6. 2019 3

Compliance Ladislav Prskavec - Teststack conference, 6. 6. 2019 4

Ladislav Prskavec - Teststack conference, 6. 6. 2019 5

Regulatory Compliance Ladislav Prskavec - Teststack conference, 6. 6. 2019 6

Ladislav Prskavec - Teststack conference, 6. 6. 2019 7

Ladislav Prskavec - Teststack conference, 6. 6. 2019 8

Ladislav Prskavec - Teststack conference, 6. 6. 2019 9

Compliance as Code 4 Defining Policies Upfront 4 Automated Gates and Checks 4 Managing Changes in Continuous Delivery 4 Separation of Duties in the DevOps Audit Toolkit 4 Using the Audit Defense Toolkit 4 Code Instead of Paperwork Ladislav Prskavec - Teststack conference, 6. 6. 2019 10

Chef Inspec framework www.inspec.io Ladislav Prskavec - Teststack conference, 6. 6. 2019 11

Ladislav Prskavec - Teststack conference, 6. 6. 2019 12

Define policies Ladislav Prskavec - Teststack conference, 6. 6. 2019 13

How to start Ladislav Prskavec - Teststack conference, 6. 6. 2019 14

DevSec Hardening Framework Baselines Ladislav Prskavec - Teststack conference, 6. 6. 2019 15

Ladislav Prskavec - Teststack conference, 6. 6. 2019 16

Ladislav Prskavec - Teststack conference, 6. 6. 2019 17

Ladislav Prskavec - Teststack conference, 6. 6. 2019 18

Ladislav Prskavec - Teststack conference, 6. 6. 2019 19

Ladislav Prskavec - Teststack conference, 6. 6. 2019 20

Automate audit Ladislav Prskavec - Teststack conference, 6. 6. 2019 21

Metrics # HELP inspec_checks_total Number of inspec checks # TYPE inspec_checks_total gauge inspec_checks_total{profile="ssl-baseline",status="passed"} 6 inspec_checks_total{profile="ssl-baseline",status="failed"} 0 inspec_checks_total{profile="ssl-baseline",status="skipped"} 0 4 prometheus_inspec_exporter by Dave Cadwallader Ladislav Prskavec - Teststack conference, 6. 6. 2019 22

Ladislav Prskavec - Teststack conference, 6. 6. 2019 23

Infrastructure as Software & Code Ladislav Prskavec - Teststack conference, 6. 6. 2019 24

Infrastructure as Software 4 Pulumi.io - various languages 4 AWS Cloud Development Kit using CloudFormation - various languages Ladislav Prskavec - Teststack conference, 6. 6. 2019 25

$ brew install pulumi $ pulumi version v0.17.14 $ mkdir webserver && cd webserver $ pulumi new aws-javascript ... aws:region: (us-east-1) Ladislav Prskavec - Teststack conference, 6. 6. 2019 26

const aws = require("@pulumi/aws"); let size = "t2.micro"; // t2.micro is available in the AWS free tier let ami = "ami-0ff8a91507f77f867"; // AMI for Amazon Linux in us-east-1 (Virginia) let group = new aws.ec2.SecurityGroup("webserver-secgrp", { ingress: [ { protocol: "tcp", fromPort: 22, toPort: 22, cidrBlocks: ["0.0.0.0/0"] }, ], }); let server = new aws.ec2.Instance("webserver-www", { instanceType: size, securityGroups: [ group.name ], // reference the security group resource above ami: ami, }); exports.publicIp = server.publicIp; exports.publicHostName = server.publicDns; Ladislav Prskavec - Teststack conference, 6. 6. 2019 27

$ pulumi up Previewing update of stack 'webserver-dev' Previewing changes: Type Name Plan Info + pulumi:pulumi:Stack webserver-webserver-dev create + ├─ aws:ec2:SecurityGroup webserver-secgrp create + └─ aws:ec2:Instance webserver-www create info: 3 changes previewed: + 3 resources to create Ladislav Prskavec - Teststack conference, 6. 6. 2019 28

Infrastructure as Code Ladislav Prskavec - Teststack conference, 6. 6. 2019 29

Variety tools for work with infrastructure 4 Chef (ruby) - testing with Kitchen 4 Puppet (DSL based on ruby) - Testing with beaker 4 Redhat Ansible (python) - Testing with molecule 4 Hashicorp Terraform (golang) - testing with Terratest 4 and many others Ladislav Prskavec - Teststack conference, 6. 6. 2019 30

Requirements Ladislav Prskavec - Teststack conference, 6. 6. 2019 31

Requirements 4 using git or another source control system to track changes 4 declarative syntax 4 easy to start 4 possibility extend and fix tools with you knowledge 4 good documentation, support and community Ladislav Prskavec - Teststack conference, 6. 6. 2019 32

Continues Delivery pipelines Ladislav Prskavec - Teststack conference, 6. 6. 2019 33

Ladislav Prskavec - Teststack conference, 6. 6. 2019 34

The Challenge Ladislav Prskavec - Teststack conference, 6. 6. 2019 35

The Solution Ladislav Prskavec - Teststack conference, 6. 6. 2019 36

Ladislav Prskavec - Teststack conference, 6. 6. 2019 37

resource "aws_elb" "frontend" { name = "frontend-load-balancer" listener { instance_port = 8000 instance_protocol = "http" lb_port = 80 lb_protocol = "http" } instances = ["${aws_instance.app.*.id}"] } resource "aws_instance" "app" { count = 5 ami = "ami-408c7f28" instance_type = "t1.micro" } Ladislav Prskavec - Teststack conference, 6. 6. 2019 38

Terratest Ladislav Prskavec - Teststack conference, 6. 6. 2019 39

terraformOptions := &terraform.Options { // The path to where your Terraform code is located TerraformDir: "../examples/terraform-basic-example", } // At the end of the test, run `terraform destroy` to clean up any resources that were created defer terraform.Destroy(t, terraformOptions) // This will run `terraform init` and `terraform apply` and fail the test if there are any errors terraform.InitAndApply(t, terraformOptions) // Validate your code works as expected validateServerIsWorking(t, terraformOptions) Ladislav Prskavec - Teststack conference, 6. 6. 2019 40

--- apiVersion: apps/v1 kind: Deployment metadata: name: nginx-deployment spec: selector: matchLabels: app: nginx replicas: 1 template: metadata: labels: app: nginx spec: containers: - name: nginx image: nginx:1.15.7 ports: - containerPort: 80 --- kind: Service apiVersion: v1 metadata: name: nginx-service spec: selector: app: nginx ports: - protocol: TCP targetPort: 80 port: 80 type: NodePort Ladislav Prskavec - Teststack conference, 6. 6. 2019 41

package test import (...) // An example of how to test the Kubernetes resource config in examples/kubernetes-basic-example using Terratest. func TestKubernetesBasicExample(t *testing.T) { t.Parallel() // Path to the Kubernetes resource config we will test kubeResourcePath, err := filepath.Abs("../examples/kubernetes-basic-example/nginx-deployment.yml") require.NoError(t, err) options := k8s.NewKubectlOptions("", "") namespaceName := fmt.Sprintf("kubernetes-basic-example-%s", strings.ToLower(random.UniqueId())) k8s.CreateNamespace(t, options, namespaceName) // Make sure we set the namespace on the options options.Namespace = namespaceName defer k8s.DeleteNamespace(t, options, namespaceName) // At the end of the test, run `kubectl delete -f RESOURCE_CONFIG` to clean up any resources that were created. defer k8s.KubectlDelete(t, options, kubeResourcePath) // This will run `kubectl apply -f RESOURCE_CONFIG` and fail the test if there are any errors k8s.KubectlApply(t, options, kubeResourcePath) service := k8s.GetService(t, options, "nginx-service") require.Equal(t, service.Name, "nginx-service") } Ladislav Prskavec - Teststack conference, 6. 6. 2019 42

$ go test -v -tags kubernetes -run TestKubernetesBasicExample === RUN TestKubernetesBasicExampleServiceCheck === PAUSE TestKubernetesBasicExampleServiceCheck === RUN TestKubernetesBasicExample === PAUSE TestKubernetesBasicExample === CONT TestKubernetesBasicExampleServiceCheck === CONT TestKubernetesBasicExample --- PASS: TestKubernetesBasicExample (6.70s) PASS exit status 0 PASS github.com/gruntwork-io/terratest/test 7.820s Ladislav Prskavec - Teststack conference, 6. 6. 2019 43

Summary 4 Infrastructure as Code 4 Infrastructure as Software 4 Compliance as Code Ladislav Prskavec - Teststack conference, 6. 6. 2019 44

Q & A Or ask on twitter: @abtris Ladislav Prskavec - Teststack conference, 6. 6. 2019 45