Support GCP backend for Inspec

[gaba-xyz]

Looks like the GCP backend is not supported currently by kitchen-terraform. So it is not possible to use any of the resources in inspec-gcp for the controls.

[ncs-alane]

Hi @Gabology: thanks for your interest in the project!

Support for the new InSpec backends is coming in Kitchen-Terraform v4.0.0, specifically being implemented in #139 .

[walterdolce]

@ncs-alane I'm looking forward to this, too. Please let me know if I can help in any way.

[walterdolce]

BTW @Gabology, I was able to successfully use inspec/inspec-gcp with kitchen-terraform but I had to make a few changes.

• I had to change kitchen-inspec to expose the backend option so that I could then use gcp as a value in it. I raised Add ability to specify 'backend' in runner options inspec/kitchen-inspec#196 for that.
• In order to allow the most up-to-date version of most of the dependencies, I had to fiddle a little bit with gem versions, ultimately ending up with the following:

   source "https://rubygems.org/"
  
  gem 'kitchen-terraform', '3.3.1'
  gem 'kitchen-inspec', '0.23.1'
  gem 'inspec', '2.2.35'
  gem 'train', '1.4.15'
  gem 'google-api-client', '~> 0.19'
  gem 'google-cloud-dns', '0.28.0'
  gem 'google-cloud-resource_manager', '0.29.0'
  gem 'google-cloud-bigquery', '1.5.0'
  gem 'google-cloud-storage', '1.12.0'
  gem 'google-cloud-vision', '0.29.0'
  gem 'google-cloud-dlp', '0.4.0'
  gem 'inspec-gcp', '0.4.0', :git => 'https://github.com/inspec/inspec-gcp'
  

  I raised Up google-api-client Gem version constraint inspec/train#325 for this.

And then, I was able to successfully see kitchen verify using inspec-gcp under the hood, with the following kitchen config:

---
driver:
  name: terraform

provisioner:
  name: terraform

verifier:
  name: terraform
  backend: gcp
  groups:
    - name: master_nodes

platforms:
  - name: terraform

suites:
  - name: default

Example output:

bundle exec kitchen verify                                                                    2479ms
-----> Starting Kitchen (v1.22.0)
$$$$$$ Running command `terraform version`
       Terraform v0.11.7
       + provider.google v1.16.2

$$$$$$ Terraform v0.11.7 is supported
-----> Verifying <default-terraform>...
       Verifying host 'localhost' of group 'master_nodes'
       Loaded default

Profile: default
Version: (not specified)
Target:  gcp://random-string.apps.googleusercontent.com

  ✔  master-nodes-gcp: Verify master nodes on GCP
     ✔  google_projects should exist


Profile: Google Cloud Platform Resource Pack (inspec-gcp)
Version: 0.4.0
Target:  gcp://random-string.apps.googleusercontent.com

     No tests executed.

Profile Summary: 1 successful control, 0 control failures, 0 controls skipped
Test Summary: 1 successful, 0 failures, 0 skipped
       Finished verifying <default-terraform> (0m2.13s).
-----> Kitchen is finished. (0m3.85s)

Hope this helps. /cc @ncs-alane

UPDATE
The solution does not really work as InSpec does not currently support multiple targets. As you have to define the gcp target for the specs at hand, the moment you need to use other InSpec resources (such as file, etc) you will find yourself in trouble because the libraries' logics will clash living either one or the other set of tests out of luck due to the underlying assumptions about the target required (i.e. all inspec-gcp related resources assume the gcp target, all core InSpec's ones assume the local or ssh target). So I guess we're back to square one.

[walterdolce]

This is an additional update.

It looks like that as long as resources requiring a specific target are kept in separate suites this could work (but this is a workaround really, not a solution).

Assuming the following .kitchen.yml file:

---
driver:
  name: terraform

provisioner:
  name: terraform

verifier:
  name: terraform

platforms:
  - name: terraform

suites:
  - name: default
    verifier:
      backend: local
      groups:
        - name: local_pre_reqs
  - name: gcp
    verifier:
      backend: gcp
      groups:
        - name: gcp_base_reqs
        - name: master_nodes

And assuming a tests folders structure like so:

kitchen-terraform would be able to run as normal and the GCP-related InSpec resources would be run "in isolation" within the context of their own suite (gcp). Whereby the other suite (default) could use InSpec's core set of resources (such as file, directory, etc).

Again, this is a workaround.

[ncs-alane]

Hello again @walterdolce!
Thanks for the insight!

With #249, the dependency on kitchen-inspec has been dropped in favour of a direct dependency on InSpec in order to facilitate better integration with Terraform states. Each of the Kitchen-Terraform verifier groups will be able to be independently configured with many of the inspec exec options, including backend and target, which should solve the issue that you're seeing with your fork.

[walterdolce]

That's great @ncs-alane. I look forward to seeing that piece of work released. 👍 Happy to help if needed!

[ncs-alane]

This should be fixed with #247 .