This repository has been archived by the owner on Oct 22, 2024. It is now read-only.

kitchen-terraform doesn't pick up InSpec profile. Standalone InSpec executable does. #262

Closed
walterdolce opened this issue Aug 20, 2018 · 9 comments

@walterdolce
Contributor

walterdolce commented Aug 20, 2018

Hi! I'm using the latest version of the library (4.0.0) and I have the following .kitchen.yml file:

driver:
  name: terraform
  root_module_directory: test/fixtures/grafana_fixture_module

provisioner:
  name: terraform

verifier:
  name: terraform

platforms:
- name: debian

suites:
- name: default
  systems:
  - name: k8s_pod
    backend: local
    controls:
    - k8s_pod

The module folder structure is as follows:

[Screenshot: module folder structure]

kitchen-terraform is able to create and converge. But when I run the verify step, it doesn't pick up the tests. Please see below.

$ bundle exec kitchen verify -l debug                                                                             

-----> Starting Kitchen (v1.23.2)
$$$$$$ Running command `terraform version` in directory /path/to/module
       Terraform v0.11.8

$$$$$$ Terraform v0.11.8 is supported
-----> Verifying <default-debian>...
Option backend_cache is disabled
Resolve {:path=>"/path/to/module/test/integration/default"} into cache /path/to/home_user_folder/.inspec/cache
Dependency does not exist in the cache {:path=>"/path/to/module/test/integration/default"}
Verifying k8s_pod
Starting run with targets: ["Inspec::Profile<k8s_pod>"]
Loading /path/to/module/test/integration/default/controls/k8s_pod.rb into #<Inspec::ProfileContext:0x00007ff630620f60>

Profile: k8s_pod
Version: (not specified)
Target:  local://

     No tests executed.

Test Summary: 0 successful, 0 failures, 0 skipped
       Finished verifying <default-debian> (0m0.66s).
-----> Kitchen is finished. (0m3.64s)

But when I run InSpec in isolation, it does:

$ inspec exec test/integration/default                                                                                  

Profile: k8s_pod
Version: (not specified)
Target:  local://

  ✔  k8s_pod: Checks installation and configuration of the Grafana Kubernetes pod
     ✔  Command: `kubectl get pods` stdout should match /grafana/


Profile Summary: 1 successful control, 0 control failures, 0 controls skipped

Is that expected?

@walterdolce
Contributor Author

walterdolce commented Aug 20, 2018

In the .kitchen.yml config, using groups instead of systems doesn't make it happier. Also there is no explanation anywhere in the docs around where and why systems or groups should be used.

It seems the documentation should give a more in-depth explanation of all configuration parameters (what they are, why they are there, how to use them, etc). Otherwise this risks only creating confusion.

@walterdolce
Contributor Author

As this is currently a blocker, I ended up using kitchen-inspec as verifier, but even there I'm temporarily using a custom branch because there's also the issue that the verifier does not expose the backend option 😢 inspec/kitchen-inspec#196

@ncs-alane
Contributor

Hello again @walterdolce!

I apologize for the frustrating experience.

I believe this problem is caused by an invalid configuration. systems is an attribute of the Kitchen-Terraform verifier plugin. Kitchen supports plugin configuration being defined at the global level, the platform level, and the suite level. The fix below should cause Kitchen-Terraform to run your tests.

suites:
- name: default
  verifier:
    systems:
    - name: k8s_pod
      backend: local
      controls:
      - k8s_pod

The Change Log entry for 4.0.0 mentions the change from groups to systems. groups is now obsolete so using it will certainly not cause any happiness to occur. 😅 I intend on implementing support for Kitchen's doctor command in #212 which will assist with exposing future configuration changes to the user.

Have you reviewed the verifier documentation? It attempts to explain the usage of each configuration attribute and links to relevant InSpec documentation. We know that hosting the usage documentation with the Ruby documentation is awkward and we intend to migrate that content to the GitHub site soon.
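Added example, not part of the thread or of Kitchen-Terraform: a Ruby check for the misconfiguration diagnosed above, where verifier attributes sit directly under a suite, a platform or the top level instead of inside `verifier:`, so that a verify stage reporting 0 failures because nothing ran is caught before it is trusted in CI. The function name `lint_kitchen_config` and the finding messages are hypothetical; the sample YAML is the suites section as posted in the thread.

```ruby
require "yaml"

# Verifier plugin attributes named in the thread: `systems`, and `groups`,
# which the 4.0.0 change log replaced with `systems`.
VERIFIER_ATTRIBUTES = %w[systems groups].freeze

# Suites section as first posted in the issue (attribute beside the suite name).
REPORTED = <<~YAML
  suites:
  - name: default
    systems:
    - name: k8s_pod
      backend: local
      controls:
      - k8s_pod
YAML

# Same suite with the structure from the maintainer's reply.
CORRECTED = <<~YAML
  suites:
  - name: default
    verifier:
      systems:
      - name: k8s_pod
        backend: local
        controls:
        - k8s_pod
YAML

# Returns findings for verifier attributes placed outside a `verifier:` mapping
# at any of the three levels Kitchen reads plugin configuration from.
def lint_kitchen_config(yaml_text)
  config = YAML.safe_load(yaml_text) || {}
  scopes = [["top level", config]]
  { "platform" => "platforms", "suite" => "suites" }.each do |kind, section|
    Array(config[section]).grep(Hash).each { |e| scopes << ["#{kind} '#{e['name']}'", e] }
  end
  scopes.flat_map do |label, scope|
    found = (VERIFIER_ATTRIBUTES & scope.keys).map { |k| "#{label}: '#{k}' is set outside 'verifier:'" }
    obsolete = [scope, scope["verifier"]].grep(Hash).any? { |h| h.key?("groups") }
    found << "#{label}: 'groups' is obsolete, use 'systems'" if obsolete
    found
  end
end

puts lint_kitchen_config(REPORTED)
```
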

@swifthorseman

Hello,
If I have aws as a backend under verifier, what other values do I add? I see in the console that Target is empty:

Target:  aws://

I understand that if I am invoking InSpec directly, I need to provide the target as follows:

inspec exec -t aws://us-east-1/some_aws_profile_name  some/inspec/profile

I believe some values must be added in order to populate the target values for the aws://.

I have defined verifier under the suites as follows:

suites:
- name: default
  verifier:
    systems: 
    - name: aws_instance
      backend: aws
      controls:
      - aws_instance
      - aws_security_group

@swifthorseman

Update
I managed to get it working after setting the following environment variables:

AWS_REGION
AWS_ACCESS_KEY_ID
AWS_SECRET_KEY_ID

@walterdolce
Contributor Author

Hey @ncs-alane! Thank you kindly for clarifying that for me. Yes, applying the config structure change it works as normal. I did not peruse the Ruby docs in detail before, I will from now on ;)

I look forward to seeing the doctor feature implemented!

@BensamV

BensamV commented Sep 25, 2018

@swifthorseman It did not work after setting the env variables. Do we have an example?

@BensamV

BensamV commented Sep 30, 2018

@swifthorseman It did not work after setting the env variables. Do we have an example?

It worked.. Thanks @swifthorseman

@BensamV

BensamV commented Sep 30, 2018

Kitchen Terraform Example for testing aws resources
https://github.com/BensamV/kitchen-terraform-aws
