Terraform InSpec Provisioner Plugin
- Host: GitHub
- URL: https://github.com/chef-boneyard/terraform-provisioner-inspec
- Owner: chef-boneyard
- License: apache-2.0
- Created: 2018-09-17T14:18:09.000Z (over 6 years ago)
- Default Branch: master
- Last Pushed: 2018-10-16T13:31:15.000Z (about 6 years ago)
- Last Synced: 2024-11-16T02:21:07.787Z (about 1 month ago)
- Topics: inspec, terraform, terraform-provisioner
- Language: Go
- Homepage:
- Size: 21.5 KB
- Stars: 68
- Watchers: 7
- Forks: 5
- Open Issues: 0
Metadata Files:
- Readme: README.md
- License: LICENSE.md
README
# InSpec Terraform Provisioner
The InSpec provisioner runs InSpec during `terraform apply`, so a resource can be checked against a compliance profile as soon as it is created. It supports verifying:
* instances (over the resource's `connection`)
* cloud platforms such as Azure, AWS, DigitalOcean or GCP (through the InSpec cloud backends)

Note: This is an early project and does not work on Windows environments yet. Coming soon.
## Installation
The repository indexed on this page lives under `chef-boneyard` and was last pushed in October 2018 (see the metadata above); the commands below still use the `inspec/` organization path for releases, so confirm that the release URLs resolve before relying on them.

Both one-liners fetch whatever GitHub currently reports as the latest release and unpack it straight into the Terraform plugin directory without checking a checksum or signature. That is fine for a quick trial; for anything else, download a pinned version (as in the per-platform commands further down) and compare its digest against one you recorded from a source you trust before extracting it.

*One-Liner Install (Linux)*
```
mkdir -p ~/.terraform.d/plugins/
curl -L -s https://api.github.com/repos/inspec/terraform-provisioner-inspec/releases/latest \
  | grep --color=none browser_download_url \
  | grep --color=none Linux_x86_64 \
  | cut -d '"' -f 4 \
  | xargs curl -L | tar zxv -C ~/.terraform.d/plugins/
```

*One-Liner Install (Mac)*
```
mkdir -p ~/.terraform.d/plugins/
curl -L -s https://api.github.com/repos/inspec/terraform-provisioner-inspec/releases/latest \
  | grep --color=none browser_download_url \
  | grep --color=none Darwin_x86_64 \
  | cut -d '"' -f 4 \
  | xargs curl -L | tar zxv -C ~/.terraform.d/plugins/
```

If you encounter issues during installation, please also have a look at [Terraform Plugin Basics](https://www.terraform.io/docs/plugins/basics.html#installing-a-plugin).
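The one-liners above extract whatever `latest` resolves to without checking it. The script below is an added example, not part of the terraform-provisioner-inspec project, showing a pinned, checksum-gated install: the tarball is extracted into the plugin directory only if its SHA-256 matches a digest you recorded earlier from a source you trust. The fixture tarball and its digest are constructed inside the script so it runs offline; in practice you would download the 0.1.0 release archive (the URL from the pinned install below is shown in a comment) and keep the expected digest next to your Terraform code.

```shell
#!/bin/sh
# Added example (not the project's own code): install a pinned plugin release only
# if its tarball matches a SHA-256 digest recorded in advance.
# The fixture tarball and the pinned digest below are constructed for the demo.
set -eu

# Portable SHA-256 of a file: GNU coreutils on Linux, shasum on macOS.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d ' ' -f 1
  else
    shasum -a 256 "$1" | cut -d ' ' -f 1
  fi
}

# verify_sha256 FILE EXPECTED_HEX -> exit status 0 if the digest matches, 1 otherwise
verify_sha256() {
  actual=$(sha256_of "$1")
  [ "$actual" = "$2" ]
}

# install_plugin_tarball TARBALL EXPECTED_HEX PLUGIN_DIR
# Verifies first and extracts second; a mismatching archive never touches PLUGIN_DIR.
install_plugin_tarball() {
  tarball=$1; expected=$2; plugin_dir=$3
  if ! verify_sha256 "$tarball" "$expected"; then
    echo "checksum mismatch for $tarball, refusing to install" >&2
    return 1
  fi
  mkdir -p "$plugin_dir"
  tar -xzf "$tarball" -C "$plugin_dir"
}

# In real use the archive comes from the pinned release, e.g.:
# curl -L -o plugin.tar.gz https://github.com/inspec/terraform-provisioner-inspec/releases/download/0.1.0/terraform-provisioner-inspec_0.1.0_Linux_x86_64.tar.gz
# and PINNED_SHA is the digest you recorded when you first vetted that release.

# --- constructed fixture: a stand-in tarball containing a fake plugin binary ---
work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT
mkdir "$work/src"
printf '#!/bin/sh\necho fake-plugin\n' > "$work/src/terraform-provisioner-inspec"
chmod +x "$work/src/terraform-provisioner-inspec"
tar -czf "$work/plugin.tar.gz" -C "$work/src" terraform-provisioner-inspec

# Digest computed once from the fixture and then treated as the pinned value.
PINNED_SHA=$(sha256_of "$work/plugin.tar.gz")
PLUGIN_DIR="$work/plugins"

# Good path: digest matches, the plugin is extracted into PLUGIN_DIR.
install_plugin_tarball "$work/plugin.tar.gz" "$PINNED_SHA" "$PLUGIN_DIR" && GOOD=ok || GOOD=fail

# Tampered path: any change to the archive must be rejected before anything is written.
printf '\n' >> "$work/plugin.tar.gz"
install_plugin_tarball "$work/plugin.tar.gz" "$PINNED_SHA" "$work/plugins2" && BAD=installed || BAD=rejected

echo "verified install: $GOOD, tampered archive: $BAD"
```

Point `PLUGIN_DIR` at `~/.terraform.d/plugins/` for a real install; the important property is the order of operations, verify before `mkdir`/`tar`, so a bad download leaves no partial plugin behind.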
*Linux*
```
mkdir -p ~/.terraform.d/plugins/
curl -L https://github.com/inspec/terraform-provisioner-inspec/releases/download/0.1.0/terraform-provisioner-inspec_0.1.0_Linux_x86_64.tar.gz -o terraform-provisioner-inspec.tar.gz
tar -xvzf terraform-provisioner-inspec.tar.gz -C ~/.terraform.d/plugins/
```

*Mac*
```
mkdir -p ~/.terraform.d/plugins/
curl -L https://github.com/inspec/terraform-provisioner-inspec/releases/download/0.1.0/terraform-provisioner-inspec_0.1.0_Darwin_x86_64.tar.gz -o terraform-provisioner-inspec.tar.gz
tar -xvzf terraform-provisioner-inspec.tar.gz -C ~/.terraform.d/plugins/
```

## Build the provisioner plugin
Clone the repository to `$GOPATH/src/github.com/inspec/terraform-provisioner-inspec`:
```sh
$ mkdir -p $GOPATH/src/github.com/inspec; cd $GOPATH/src/github.com/inspec
$ git clone git@github.com:inspec/terraform-provisioner-inspec
```

Enter the provisioner directory, fetch the dependencies with `dep` and build the plugin for your platform:
```sh
$ cd $GOPATH/src/github.com/inspec/terraform-provisioner-inspec
$ dep ensure
# build on linux
$ make build/linux
# build on macos
$ make build/darwin
```

## Targets
The provisioner can be used with any instance. For example, on AWS the following runs InSpec against the newly created instance over its `connection` and checks it against the [DevSec baselines](https://dev-sec.io/).

**Instances**
```
resource "aws_instance" "web" {
  # the provisioner reuses the resource's connection to reach the instance
  connection {
    user = "ubuntu"
  }

  instance_type          = "t2.micro"
  ami                    = "${lookup(var.aws_amis, var.aws_region)}"
  key_name               = "chartmann"
  vpc_security_group_ids = ["${aws_security_group.default.id}"]
  subnet_id              = "${aws_subnet.default.id}"

  # installs inspec and executes the profiles
  provisioner "inspec" {
    profiles = [
      "supermarket://dev-sec/linux-baseline",
      "supermarket://dev-sec/ssh-baseline",
    ]

    # allow pass if compliance errors happen
    on_failure = "continue"
  }
}
```

`on_failure = "continue"` lets `terraform apply` finish even when baseline controls fail, so the result is informational only. Leave it out (Terraform's default for a provisioner is to fail) when a failed baseline should stop the run and taint the resource.

**Cloud Platform**
InSpec has wide support for cloud platforms, which lets you verify account-level configuration such as security groups rather than only the hosts themselves. See the InSpec [AWS](https://www.inspec.io/docs/reference/resources/#aws-resources), [Azure](https://www.inspec.io/docs/reference/resources/#azure-resources) and [GCP](https://www.inspec.io/docs/reference/resources/#gcp-resources) documentation. Because no instance is involved, the provisioner hangs off a `null_resource` and gets its credentials from a `target` block:
```
resource "null_resource" "inspec_aws" {
  // runs inspec profile against aws services
  provisioner "inspec" {
    profiles = [
      "https://github.com/chris-rock/aws-baseline",
    ]

    // cloud backend and credentials used by the profile
    target {
      backend    = "aws"
      access_key = "${var.aws_access_key}"
      secret_key = "${var.aws_secret_key}"
      region     = "us-east-1"
    }

    reporter {
      name = "json"
    }

    on_failure = "continue"
  }
}
```

The `target` block takes the AWS credentials from Terraform variables rather than literals; keep them out of version control by supplying them through an uncommitted `.tfvars` file or environment variables (`TF_VAR_aws_access_key`, `TF_VAR_aws_secret_key`), and prefer a key pair scoped to read-only access, since the profile only needs to inspect the account.