- Project State: Prototyping
This InSpec resource pack uses the AliCloud SDK v0.8.0 and provides the required resources to write tests for resources in AliCloud.
- Ruby
- Bundler installed
- AliCloud Cloud Account
Your AliCloud Service Principal Account must have at least the reader role among the AliCloud roles.
Valid AliCloud credentials are required. You must have the following pieces of information:
- ALICLOUD_ACCESS_KEY
- ALICLOUD_SECRET_KEY
- ALICLOUD_REGION
- ALICLOUD_ACCESS_KEY and ALICLOUD_SECRET_KEY
- Log in to the AliCloud Portal.
- Go to the Products and Services.
- Search for Resource Access Management.
- Click on the Resource Access Management.
- Click on the Users.
- Search for your User Logon Name (for example: [email protected]).
- Click on your User Logon Name.
- Click on Create AccessKey.
- A popup shows the AccessKey ID and the AccessKey Secret.
- Click on Download CSV File. A file will be downloaded.
- Click on OK.
- ALICLOUD_REGION
To see the list of regions, use this Regions and Zones link. For example, if you are using the Region Singapore, then use the Region ID ap-southeast-1.
To learn how to set up the AliCloud credentials, use the Installation Guide of AliCloud.
Set your AliCloud credentials in an .envrc file or export them in your shell (see the example .envrc file):

```shell
# Example AliCloud Configuration
export ALICLOUD_ACCESS_KEY="<ALICLOUD_ACCESS_KEY>"
export ALICLOUD_SECRET_KEY="<ALICLOUD_SECRET_KEY>"
export ALICLOUD_REGION="eu-west-1"
```
Verify the setup by running:

```shell
aliyun ecs DescribeInstances --output cols=RequestId
```

This returns the output in a tabular format. The RequestId will vary:

```
RequestId
---------
2A76BCCD-A123-123E-CD12-1234567U890
```

If the result is printed in your terminal, the setup is successful.
Region | Location | Region ID |
---|---|---|
China (Hangzhou) | Hangzhou | cn-hangzhou |
China (Shanghai) | Shanghai | cn-shanghai |
China (Qingdao) | Qingdao | cn-qingdao |
China (Beijing) | Beijing | cn-beijing |
China (Zhangjiakou) | Zhangjiakou | cn-zhangjiakou |
China (Hohhot) | Hohhot | cn-huhehaote |
China (Ulanqab) | Ulanqab | cn-wulanchabu |
China (Shenzhen) | Shenzhen | cn-shenzhen |
China (Heyuan) | Heyuan | cn-heyuan |
China (Guangzhou) | Guangzhou | cn-guangzhou |
China (Chengdu) | Chengdu | cn-chengdu |
China (Nanjing) | Nanjing | cn-nanjing |
China (Hong Kong) | Hongkong | cn-hongkong |
Japan (Tokyo) | Tokyo | ap-northeast-1 |
Singapore | Singapore | ap-southeast-1 |
Australia (Sydney) | Sydney | ap-southeast-2 |
Malaysia (Kuala Lumpur) | Kuala Lumpur | ap-southeast-3 |
Indonesia (Jakarta) | Jakarta | ap-southeast-5 |
Philippines (Manila) | Manila | ap-southeast-6 |
India (Mumbai) | Mumbai | ap-south-1 |
South Korea (Seoul) | Seoul | ap-northeast-2 |
Thailand (Bangkok) | Bangkok | ap-southeast-7 |
US (Silicon Valley) | Silicon Valley | us-west-1 |
US (Virginia) | Virginia | us-east-1 |
UK (London) | London | eu-west-1 |
Germany (Frankfurt) | Frankfurt | eu-central-1 |
Since this is an InSpec resource pack, it only defines InSpec resources. To use these resources in your controls, you should create your profile:

```shell
inspec init profile --platform alicloud my-alicloud-profile
```

Example inspec.yml:

```yaml
name: my-alicloud-profile
title: Ali Cloud InSpec Profile
maintainer: The Authors
copyright: The Authors
copyright_email: [email protected]
license: Apache-2.0
summary: An InSpec Compliance Profile For Ali Cloud
version: 0.1.0
inspec_version: '~> 5'
depends:
  - name: inspec-alicloud
    url: https://github.com/inspec/inspec-alicloud/archive/main.tar.gz
supports:
  - platform: alicloud
```
- Create a custom AliCloud profile.
- Add the test in the control.
- Run the profile with the command below:

```shell
inspec exec <sample-alicloud-profile> -t alicloud://
```

Output:

```
Profile: Ali Cloud InSpec Profile (my-alicloud-profile)
Version: 0.1.0
Target: alicloud://eu-west-1

  ActionTrail testtrial
     ✔ is expected to exist

Test Summary: 1 successful, 0 failures, 0 skipped
```
This resource pack allows the testing of the following AliCloud resources. If a resource you wish to test is not listed, please feel free to open an Issue. As an open source project, we also welcome public contributions via Pull Request.
Module Name | Singular Resource | Plural Resource |
---|---|---|
Security | alicloud_actiontrail_trail | alicloud_actiontrail_trails |
Database | alicloud_apsaradb_rds_instance | alicloud_apsaradb_rds_instances |
Elastic Computing | alicloud_disk | alicloud_disks |
Elastic Computing | alicloud_ecs_instance | alicloud_ecs_instances |
Elastic Computing | alicloud_security_group | alicloud_security_groups |
Elastic Computing | alicloud_vpc | alicloud_vpcs |
Management and Governance | alicloud_ims_sso | No Plural Resource |
Management and Governance | alicloud_ims_user | No Plural Resource |
Management and Governance | alicloud_rd | No Plural Resource |
Storage | alicloud_oss_bucket | alicloud_oss_buckets |
RAM | alicloud_ram_access_key | alicloud_ram_access_keys |
RAM | alicloud_ram_password_policy | No Plural Resource |
RAM | alicloud_ram_policy | alicloud_ram_policies |
RAM | alicloud_ram_user | alicloud_ram_users |
RAM | alicloud_sts_caller_identity | No Plural Resource |
Networking & CDN | alicloud_slb | alicloud_slbs |
Networking & CDN | alicloud_slb_https_listener | No Plural Resource |
Others | alicloud_region | alicloud_regions |
```ruby
describe alicloud_actiontrail_trail(trail_name: 'ACTION_TRAIL_NAME') do
  it { should exist }
  its('oss_bucket_name') { should eq 'OSS_BUCKET_NAME' }
  its('status') { should cmp 'Enable' }
  its('trail_region') { should cmp 'All' }
end
```

```ruby
describe alicloud_apsaradb_rds_instance(db_instance_id: 'DB_INSTANCE_ID') do
  it { should exist }
  its('instance_id') { should eq 'DB_INSTANCE_ID' }
  its('description') { should eq 'DB_INSTANCE_NAME' }
  its('instance_type') { should eq 'Primary' }
  its('category') { should eq 'Basic' }
  its('engine') { should eq 'DB_ENGINE_NAME' }
  its('engine_version') { should eq 'DB_ENGINE_VERSION' }
  its('storage_type') { should eq 'cloud_ssd' }
  its('memory') { should cmp '1024' }
  its('cpus') { should cmp '1' }
  its('network_type') { should eq 'VPC' }
  its('net_type') { should eq 'Intranet' }
  its('in_default_vpc') { should be false }
  its('security_ips') { should_not cmp '' }
  its('security_ips') { should_not include '0.0.0.0/0' }
  its('security_ip_mode') { should eq 'normal' }
  its('status') { should eq 'Running' }
  its('pay_type') { should eq 'Postpaid' }
end
```

```ruby
describe alicloud_disks do
  its('entries.count') { should be > 1 }
end
```

```ruby
describe alicloud_ram_policies(type: 'System') do
  it { should exist }
  its('policy_names') { should_not include 'AdministratorAccess' }
  # Ensure multiple truncated responses are returned
  its('entries.count') { should be > 200 }
  its('policy_names.count') { should be > 200 }
end
```

```ruby
describe alicloud_regions do
  it { should exist }
  its('count') { should be >= 1 }
  its('region_names') { should include 'eu-west-1' }
  its('endpoints') { should include 'ecs.eu-west-1.aliyuncs.com' }
end
```

Plural resources can be combined with their singular counterpart to check every instance in the account:

```ruby
alicloud_apsaradb_rds_instances.db_instance_ids.each do |db_instance_id|
  describe alicloud_apsaradb_rds_instance(db_instance_id) do
    its('engine') { should eq 'MySQL' }
    its('engine_version') { should eq '8.0' }
  end
end
```
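An added example controls file (not code from the inspec-alicloud project) that applies the plural-to-singular iteration pattern above to enforce a baseline across the whole account; it assumes `alicloud_oss_bucket` accepts a `bucket_name:` argument, and the control names are constructed.

```inspec
# Added example (not from the inspec-alicloud project): each plural resource
# enumerates the account and the singular resource checks every entry.
# Assumption: alicloud_oss_bucket takes bucket_name:, as the RDS resource takes db_instance_id:.

control 'alicloud-baseline-oss-1.0' do
  impact 1.0
  title 'OSS buckets are private, encrypted, logged and versioned'
  desc 'Each bucket listed by the plural resource is checked individually.'

  alicloud_oss_buckets.bucket_names.each do |bucket_name|
    describe alicloud_oss_bucket(bucket_name: bucket_name) do
      it { should exist }
      it { should_not be_public }
      it { should have_default_encryption_enabled }
      it { should have_access_logging_enabled }
      it { should have_versioning_enabled }
    end
  end
end

control 'alicloud-baseline-rds-1.0' do
  impact 1.0
  title 'RDS instances sit in a custom VPC and are not open to 0.0.0.0/0'

  alicloud_apsaradb_rds_instances.db_instance_ids.each do |db_instance_id|
    describe alicloud_apsaradb_rds_instance(db_instance_id: db_instance_id) do
      its('in_default_vpc') { should be false }
      its('security_ips') { should_not cmp '' }   # an IP whitelist must be configured
      its('security_ips') { should_not include '0.0.0.0/0' }
    end
  end
end

control 'alicloud-baseline-ram-1.0' do
  impact 0.7
  title 'RAM password policy meets the minimum bar'

  describe alicloud_ram_password_policy do
    it { should exist }
    its('minimum_password_length') { should be >= 14 }
    its('require_uppercase_characters') { should eq true }
    its('require_lowercase_characters') { should eq true }
    its('require_numbers') { should eq true }
    its('require_symbols') { should eq true }
    its('password_reuse_prevention') { should be >= 5 }
    # A max age of 0 means passwords never expire, so an upper bound alone is not enough.
    its('max_password_age') { should be_between(1, 90) }
  end
end
```

Run it with `inspec exec <profile> -t alicloud://` as shown above; a bucket or instance that violates the baseline fails its own describe block, so the failing resource is named in the report.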
InSpec AliCloud depends on version 0.0.4 of the AliCloud SDK, which is provided via Train AliCloud. InSpec does not ship with Train AliCloud, so it is explicitly listed in the Gemfile here.
Run the linting and unit tests via the below:

```shell
bundle exec rake
```

```
Running RuboCop...
Inspecting 19 files
................
19 files inspected, no offenses detected
```

To keep things simple, the AliCloud credentials are supplied via environment variables.
Running the integration tests requires resources, so first run setup_integration_tests, which uses Terraform:

```shell
bundle exec rake test:setup_integration_tests
```
```
----> Initializing Terraform
terraform init
Initializing the backend...
Initializing provider plugins...
Terraform has been successfully initialized!
You may now begin working with Terraform. Try running "terraform plan" to see
any changes that are required for your infrastructure. All Terraform commands
should now work.
If you ever set or change modules or backend configuration for Terraform,
rerun this command to reinitialize your working directory. If you forget, other
commands will detect it and remind you to do so if necessary.
----> Generating Terraform and InSpec variable files
----> Generating the Plan
terraform plan -var-file=inspec-alicloud.tfvars.json -out inspec-alicloud.plan
...
This plan was saved to: inspec-alicloud.plan
To perform exactly these actions, run the following command to apply:
terraform apply "inspec-alicloud.plan"
----> Applying the plan
terraform apply inspec-alicloud.plan
...
Apply complete! Resources: 24 added, 0 changed, 0 destroyed.
```
Next, run the integration tests themselves with run_integration_tests:

```shell
bundle exec rake test:run_integration_tests
```

```
----> Running InSpec tests
bundle exec inspec exec test/integration/verify -t alicloud:// --input-file test/integration/build/alicloud-inspec-attributes.yaml --reporter cli json:inspec-output.json html:inspec-output.html --chef-license=accept-silent; rc=$?; if [ $rc -eq 0 ] || [ $rc -eq 101 ]; then exit 0; else exit 1; fi
```

The CLI reporter output (the ids and names are those of the Terraform-created test resources) looks like this:
Profile: AliCloud Resource Pack (inspec-alicloud)
Version: 0.1.0
Target: alicloud://eu-west-1
✔ alicloud-slb-1.0: Ensure AliCloud Server Load Balancer has the correct properties.
✔ Server Load Balancer: in eu-west-1 is expected not to exist
✔ Server Load Balancer: ID: lb-f2z9xjgwvww9xwvrl07mv Name: slb-http-lcgieqmyicjcjynbmnnszwfnk in eu-west-1 is expected to exist
✔ Server Load Balancer: ID: lb-f2z9xjgwvww9xwvrl07mv Name: slb-http-lcgieqmyicjcjynbmnnszwfnk in eu-west-1 https_listeners? is expected to eq false
✔ Server Load Balancer: ID: lb-f2z9xjgwvww9xwvrl07mv Name: slb-http-lcgieqmyicjcjynbmnnszwfnk in eu-west-1 https_only? is expected to eq false
✔ Server Load Balancer: ID: lb-f2z91sk3h9qrnvo0vakq0 Name: slb-https-zueiskuwtotbnkhxfhwelwvio in eu-west-1 is expected to exist
✔ Server Load Balancer: ID: lb-f2z91sk3h9qrnvo0vakq0 Name: slb-https-zueiskuwtotbnkhxfhwelwvio in eu-west-1 https_listeners? is expected to eq true
✔ Server Load Balancer: ID: lb-f2z91sk3h9qrnvo0vakq0 Name: slb-https-zueiskuwtotbnkhxfhwelwvio in eu-west-1 https_only? is expected to eq true
✔ Server Load Balancer: in us-west-1 is expected not to exist
✔ https_listener: Load balancer id: lb-f2z91sk3h9qrnvo0vakq0 Port: 443 tls_cipher_policy is expected to eq "tls_cipher_policy_1_2"
✔ alicloud-sts-caller-identity-1.0: Ensure AliCloud STS caller identity has the correct properties.
✔ AliCloud Security Token Service Caller Identity is expected to exist
✔ AliCloud Security Token Service Caller Identity arn is expected not to be nil
✔ alicloud-slbs-1.0: Ensure AliCloud server load balancers plural resource has the correct properties.
✔ AliCloud SLBs is expected to exist
✔ AliCloud SLBs entries.count is expected to be > 1
× alicloud-actiontrail-1.0: Ensure AliCloud Action Trail has the correct properties. (1 failed)
✔ ActionTrail at-pxloqgagcismmqfrvdaxvzojp is expected to exist
✔ ActionTrail empty response is expected not to exist
✔ ActionTrail at-pxloqgagcismmqfrvdaxvzojp is expected to exist
✔ ActionTrail at-pxloqgagcismmqfrvdaxvzojp oss_bucket_name is expected to eq "atb-fbqqvzofggorbyrkeeljuvcle"
✔ ActionTrail at-pxloqgagcismmqfrvdaxvzojp delivered_logs_days_ago is expected to eq 0
✔ alicloud-disk-1.0: Ensure AliCloud Diks has the correct properties.
✔ ECS Disk is expected not to exist
✔ ECS Disk ID: d-d7o60wzvfooatqul7zrv Name: d-cdcyfxgcgqmxozvrgtvuppcay is expected to exist
✔ ECS Disk ID: d-d7o60wzvfooatqul7zrv Name: d-cdcyfxgcgqmxozvrgtvuppcay id is expected to eq "d-d7o60wzvfooatqul7zrv"
✔ ECS Disk ID: d-d7o60wzvfooatqul7zrv Name: d-cdcyfxgcgqmxozvrgtvuppcay name is expected to eq "d-cdcyfxgcgqmxozvrgtvuppcay"
✔ ECS Disk ID: d-d7o60wzvfooatqul7zrv Name: d-cdcyfxgcgqmxozvrgtvuppcay description is expected to cmp == "Test disk for inspec"
✔ ECS Disk ID: d-d7o60wzvfooatqul7zrv Name: d-cdcyfxgcgqmxozvrgtvuppcay size is expected to cmp == "20"
✔ ECS Disk ID: d-d7o60wzvfooatqul7zrv Name: d-cdcyfxgcgqmxozvrgtvuppcay category is expected to cmp == "cloud_efficiency"
✔ ECS Disk ID: d-d7o60wzvfooatqul7zrv Name: d-cdcyfxgcgqmxozvrgtvuppcay encrypted is expected to cmp == false
✔ ECS Disk is expected not to exist
✔ alicloud-ram-1.0: Ensure AliCloud RAM password policy has the correct properties
✔ AliCloud RAM Password Policy is expected to exist
✔ AliCloud RAM Password Policy require_uppercase_characters is expected to eq true
✔ AliCloud RAM Password Policy require_lowercase_characters is expected to eq true
✔ AliCloud RAM Password Policy require_symbols is expected to eq true
✔ AliCloud RAM Password Policy require_numbers is expected to eq true
✔ AliCloud RAM Password Policy password_reuse_prevention is expected to be >= 5
✔ AliCloud RAM Password Policy minimum_password_length is expected to be >= 8
✔ AliCloud RAM Password Policy max_password_age is expected to eq 180
✔ alicloud-disks-1.0: Ensure AliCloud disk plural resource has the correct properties.
✔ alicloud_disks is expected to exist
✔ alicloud_disks entries.count is expected to be > 1
✔ alicloud-actiontrails-1.0: Ensure AlicCloud Action Trail plural resource has the correct properties.
✔ alicloud_actiontrail_trails is expected to exist
✔ alicloud_actiontrail_trails count is expected to be >= 1
✔ alicloud_actiontrail_trails names is expected to include "at-pxloqgagcismmqfrvdaxvzojp"
✔ alicloud-security-groups-1.0: Ensure AliCloud security group plural resource has the correct properties.
✔ alicloud_security_groups is expected to exist
✔ alicloud_security_groups entries.count is expected to be > 1
✔ alicloud-security-group-1.0: Ensure AliCloud security group has the correct properties.
✔ ECS Security Group ID: empty response is expected not to exist
✔ ECS Security Group ID: sg-d7oc67sykxtoi2w78cxx Name: sg-ifmifcolmsjofbrnjzwlewpyd VPC ID: vpc-d7o01mxxscv6fmlhrz7yv is expected to exist
✔ ECS Security Group ID: sg-d7oc67sykxtoi2w78cxx Name: sg-ifmifcolmsjofbrnjzwlewpyd VPC ID: vpc-d7o01mxxscv6fmlhrz7yv vpc_id is expected to eq "vpc-d7o01mxxscv6fmlhrz7yv"
✔ ECS Security Group ID: sg-d7oc67sykxtoi2w78cxx Name: sg-ifmifcolmsjofbrnjzwlewpyd VPC ID: vpc-d7o01mxxscv6fmlhrz7yv group_name is expected to eq "sg-ifmifcolmsjofbrnjzwlewpyd"
✔ ECS Security Group ID: sg-d7oc67sykxtoi2w78cxx Name: sg-ifmifcolmsjofbrnjzwlewpyd VPC ID: vpc-d7o01mxxscv6fmlhrz7yv description is expected to cmp == "Test security group for inspec"
✔ ECS Security Group ID: sg-d7oc67sykxtoi2w78cxx Name: sg-ifmifcolmsjofbrnjzwlewpyd VPC ID: vpc-d7o01mxxscv6fmlhrz7yv inbound_rules.count is expected to be zero
✔ ECS Security Group ID: sg-d7oc67sykxtoi2w78cxx Name: sg-ifmifcolmsjofbrnjzwlewpyd VPC ID: vpc-d7o01mxxscv6fmlhrz7yv outbound_rules.count is expected to be zero
✔ ECS Security Group ID: empty response is expected not to exist
✔ alicloud-region-1.0: Ensure AliCloud region has the correct properties.
✔ Region eu-west-1 is expected to exist
✔ Region eu-west-1 region_name is expected to eq "eu-west-1"
✔ Region eu-west-1 endpoint is expected to eq "ecs.eu-west-1.aliyuncs.com"
✔ Region eu-west-1 is expected to exist
✔ Region eu-west-1 region_name is expected to eq "eu-west-1"
✔ Region eu-west-1 endpoint is expected to eq "ecs.eu-west-1.aliyuncs.com"
✔ Region not-a-real-region-1 is expected not to exist
✔ alicloud-regions-1.0: Ensure AliCloud regions plural resource has the correct properties.
✔ alicloud_regions is expected to exist
✔ alicloud_regions count is expected to be >= 1
✔ alicloud_regions region_names is expected to include "eu-west-1"
✔ alicloud_regions endpoints is expected to include "ecs.eu-west-1.aliyuncs.com"
✔ alicloud-ossbucket-1.0: Ensure AliCloud OSS Bucket has the correct properties.
✔ OSS Bucket not-there-bucket is expected not to exist
✔ OSS Bucket atb-fbqqvzofggorbyrkeeljuvcle is expected to exist
✔ OSS Bucket atb-fbqqvzofggorbyrkeeljuvcle is expected not to be public
✔ OSS Bucket ossbkt-rxpuubzmptugerrcomxvppxzm is expected to exist
✔ OSS Bucket ossbkt-rxpuubzmptugerrcomxvppxzm is expected not to be public
✔ OSS Bucket ossbkt-izzhnzzftjkhprxbgtzqcwofn is expected to exist
✔ OSS Bucket ossbkt-izzhnzzftjkhprxbgtzqcwofn is expected to have default encryption enabled
✔ OSS Bucket ossbkt-izzhnzzftjkhprxbgtzqcwofn bucket_lifecycle_rules is expected to be empty
✔ OSS Bucket ossbkt-ovjhudwiyftoqcdpftrgrslhq is expected to exist
✔ OSS Bucket ossbkt-ovjhudwiyftoqcdpftrgrslhq is expected not to have default encryption enabled
✔ OSS Bucket ossbkt-ovjhudwiyftoqcdpftrgrslhq bucket_lifecycle_rules is expected not to be empty
✔ OSS Bucket ossbkt-eeiwcntbikgvecbzogrsifrcn is expected to exist
✔ OSS Bucket ossbkt-eeiwcntbikgvecbzogrsifrcn is expected to have access logging enabled
✔ OSS Bucket ossbkt-nkeoxljuxkfuzejgmokflboif is expected to exist
✔ OSS Bucket ossbkt-nkeoxljuxkfuzejgmokflboif is expected not to have access logging enabled
✔ OSS Bucket ossbkt-zcdwvsmmatqwcvtbtqkulbbxl is expected to exist
✔ OSS Bucket ossbkt-bdliblqlxytomrstzomllhxwf is expected to exist
✔ OSS Bucket ossbkt-bdliblqlxytomrstzomllhxwf is expected to have versioning enabled
✔ OSS Bucket ossbkt-ypdzvuykcxloppdwhfnapljqg is expected to exist
✔ OSS Bucket ossbkt-ypdzvuykcxloppdwhfnapljqg is expected not to have versioning enabled
✔ OSS Bucket ossbkt-ypdzvuykcxloppdwhfnapljqg is expected to have website enabled
✔ alicloud-oss-buckets-1.0: Ensure AliCloud OSS Buckets plural resource has the correct properties.
✔ alicloud_oss_buckets is expected to exist
✔ alicloud_oss_buckets count is expected to be >= 9
✔ alicloud_oss_buckets bucket_names is expected to include "atb-fbqqvzofggorbyrkeeljuvcle"
✔ alicloud_oss_buckets bucket_names is expected to include "ossbkt-rxpuubzmptugerrcomxvppxzm"
✔ alicloud_oss_buckets bucket_names is expected to include "ossbkt-izzhnzzftjkhprxbgtzqcwofn"
✔ alicloud_oss_buckets bucket_names is expected to include "ossbkt-ovjhudwiyftoqcdpftrgrslhq"
✔ alicloud_oss_buckets bucket_names is expected to include "ossbkt-eeiwcntbikgvecbzogrsifrcn"
✔ alicloud_oss_buckets bucket_names is expected to include "ossbkt-nkeoxljuxkfuzejgmokflboif"
✔ alicloud_oss_buckets bucket_names is expected to include "ossbkt-zcdwvsmmatqwcvtbtqkulbbxl"
✔ alicloud_oss_buckets bucket_names is expected to include "ossbkt-bdliblqlxytomrstzomllhxwf"
✔ alicloud_oss_buckets bucket_names is expected to include "ossbkt-ypdzvuykcxloppdwhfnapljqg"
✔ alicloud_oss_buckets bucket_names is expected not to include "not-there-hopefully"
Profile: AliCloud Resource Pack (inspec-alicloud)
Version: 0.0.1
Target: alicloud://eu-west-1
No tests executed.
Profile Summary: 14 successful controls, 0 control failure, 0 controls skipped
Test Summary: 94 successful, 0 failure, 0 skipped
You should also clean up your Terraform-created resources once you are done testing:

```shell
bundle exec rake test:cleanup_integration_tests
```

```
----> Cleanup
terraform destroy -force -var-file=inspec-alicloud.tfvars.json
...
Destroy complete! Resources: 24 destroyed.
```