I’m starting to play around with kitchen-terraform for Chef Inspec testing and compliance of my Terraform modules. I’m currently using the inspec-gcp resource pack and the inspec-gcp-cis-benchmark profile. This post will focus on the latter. The drivers for doing this are testing code’s self-evident benefits and shifting some reasonable base security standards left.

我开始尝试使用Kitchen -terraform进行Chef Inspec测试和我的Terraform模块的合规性。 我当前正在使用inspec-gcp资源包和inspec-gcp-cis-benchmark配置文件。 这篇文章将重点放在后者上。 这样做的驱动力是测试代码的不言而喻的好处，并向左移一些合理的基本安全标准。

To keep things simple, I wanted to start from what you might do first when you begin building cloud infrastructure out in Google. The base of any Google Cloud Platform service is a project. The module I will be talking about is here for reference and covers building a project. It’s a reasonably opinionated terraform module to fit some use cases I had; however, I think it shows the example of what I’m trying to do without being too complex and confusing. Because honestly, this stuff is hard for non-developer, ex-operational mindset people like me.

为简单起见，当您开始在Google中构建云基础架构时，我想从您可能首先要做的事情开始。 任何Google Cloud Platform服务的基础都是一个项目 。 我将要讨论的模块在这里供参考，涵盖构建项目。 这是一个合理的terraform模块，适合我的一些用例。 但是，我认为它显示了我尝试做的事的示例，但又不会太复杂和令人困惑。 坦白说，对于像我这样的非开发人员，非操作型人员来说，这些东西很难。

NOTE: I’m not going into the basics of setting up Terraform, Ruby, Kitchen-Terraform, Chef Inspec, etc. If that’s interesting, let me know, and maybe I can do another post.

注意：我不介绍设置Terraform，Ruby，Kitchen-Terraform，Chef Inspec等的基础知识。如果这很有趣，请告诉我，也许我可以再发表一篇文章。

“本地”发展： (“Local” Development:)

Learning from the practices of software development, we need to be able to develop “locally.” When I say locally here, we can consider it a sandboxed area in the Google Cloud Platform resource hierarchy where you can create and build infrastructure safely. When you start your Terraform module development, you will most likely end up with something like this in your main.tf:

从软件开发的实践中学习，我们需要能够“本地化”开发。 当我在这里本地发言时，我们可以认为它是Google Cloud Platform 资源层次结构中的一个沙盒区域，您可以在其中安全地创建和构建基础架构。 当您开始Terraform 模块开发时，您很可能最终在main.tf中得到以下内容：

# Project Resource
# https://www.terraform.io/docs/providers/google/r/google_project.htmlresource "google_project" "this" {
  name                = var.project_id
  project_id          = var.project_id
  billing_account     = var.billing_id
  folder_id           = "folders/${var.folder_id}"
}

and a variables.tf file like this:

以及如下的variables.tf文件：

variable "billing_id" {
  description = "Billing ID for the project to use"
  type        = string
}variable "project_id" {
  description = "Project ID (This will be used for the project name as well)"
  type        = string
}variable "folder_id" {
  description = "Folder ID for the project to be created in."
  type        = string
}

We can now run the terraform and create our Google Cloud project:

现在，我们可以运行terraform并创建我们的Google Cloud项目：

terraform initterraform plan -out plan.out \
-var=”billing_id=00000C-AZAZAZ-EFEFEF” \
-var=”project_id=test-del-me-4876des” \
-var=”folder_id=993877078800"terraform apply plan.out

Now you’ve got a project up and running, but you may be surprised that you have already violated a bunch of CIS Benchmarks! Thanks to Google and the work folks have done in the inspec-gcp-cis-benchmark GitHub repository; we can test it!

现在您已经启动并运行了一个项目，但是您可能已经惊讶于您已经违反了许多CIS基准 ！ 感谢Google和人们在inspec-gcp-cis-benchmark GitHub存储库中所做的工作； 我们可以测试一下！

NOTE: This is not an officially supported Google product, but hopefully, they maintain this repo with help from the community.

注意：这不是官方支持的Google产品，但希望他们在社区的帮助下维护此存储库。

The first thing I love about this GitHub project is that it runs directly against a specific Google Cloud project. For me, that’s precisely the level at which I want to run the tests. I’ll get into more details on that later, but for now, lets inspec the project we just built to see what we need to do:

我最喜欢这个GitHub项目的第一件事是它直接针对特定的Google Cloud项目运行。 对我来说，这正是我要运行测试的级别。 稍后，我将进一步详细介绍，但现在，让我们检查一下我们刚刚构建的项目，以了解我们需要做什么：

inspec exec https://github.com/GoogleCloudPlatform/inspec-gcp-cis-benchmark.git \
-t gcp:// — input gcp_project_id=test-del-me-4876des

After running that command, you’re going to see a list of violations. In the spirit of Test Driven Development (TDD), we have our failing test, and now we can code to fix it. We will integrate all this is the next post. For the sake of simplicity, let’s focus on two of them:

运行该命令后，您将看到违规列表。 本着测试驱动开发(TDD)的精神，我们拥有失败的测试，现在我们可以编写代码来修复它。 我们将整合所有这些，是下一篇文章。 为了简单起见，让我们集中讨论其中两个：

× cis-gcp-4.4-vms: [VMS] Ensure oslogin is enabled for a Project
× cis-gcp-3.1-networking: [NETWORKING] Ensure the default network does not exist in a project

The idea here is that we address these issues as far left in the process as possible. I’m still developing “locally.” If you deploy a bunch of stuff on default networks, and three years later, your security team says, we need to get everything CIS compliant; you will have an unruly amount of operational work! Let’s fix these compliance issues now. To do that, we can add a few lines to the Terraform module code. Then, everyone in your organization that consumes it will meet the standard.

这里的想法是，我们尽可能地解决这些问题。 我仍在“本地化”开发。 您的安全团队说，如果您在默认网络上部署大量资源，则三年后，您的安全团队说，我们需要使CIS符合所有条件。 您将进行繁琐的操作！ 让我们现在解决这些合规性问题。 为此，我们可以在Terraform模块代码中添加几行。 然后，组织中使用它的每个人都将符合标准。

# Project Resource
# https://www.terraform.io/docs/providers/google/r/google_project.htmlresource "google_project" "this" {
  name                = var.project_id
  project_id          = var.project_id
  billing_account     = var.billing_id
  folder_id           = "folders/${var.folder_id}"
  auto_create_network = false
}# Project Metadata Resource
# https://www.terraform.io/docs/providers/google/r/compute_project_metadata.htmlresource "google_compute_project_metadata" "this" {
  project = google_project.this.project_id
  metadata = {
    enable-oslogin = true
  }
}

Next, you can destroy your previous project and recreate it using this code, and you will see you’ve passed the tests:

接下来，您可以销毁以前的项目，并使用以下代码重新创建它，您将看到您已经通过了测试：

✔ cis-gcp-3.1-networking: [NETWORKING] Ensure the default network does not exist in a project
✔ cis-gcp-4.4-vms: [VMS] Ensure oslogin is enabled for a Project

Not only that but we went from:

不仅如此，我们还来自：

Profile Summary: 4 successful controls, 16 control failures, 21 controls skippedTest Summary: 12 successful, 40 failures, 79 skipped

to:

至：

Profile Summary: 5 successful controls, 11 control failures, 22 controls skipped
Test Summary: 7 successful, 12 failures, 80 skipped

I feel like the results speak for themselves. In the next post, we will focus on kitchen-terraform.

我觉得结果说明一切。 在下一篇文章中，我们将重点介绍厨房地形。