Test Deployed Azure Resources Using InSpec-Azure

What is Inspec
Inspec is an command line, open source tool, provided by Chef witch audit and automated testing framework for integration, compliance and security.

In this post I will explain how to use InSpec for compliance automation of your Azure infrastructure

It does not require learning a new language, just knowing how to write the desired state of infrastructure resources

Prerequisites

• InSpec is installed
• an Azure service principal with contributor rights (CLI: az ad sp create-for-rbac --name ServicePrincipalName --role reader)
• a .azure/credentials file in your home directory (see "SETTING UP THE AZURE CREDENTIALS FILE")
• Ruby
• Bundler installed

Note: Microsoft Azure had integrated Inspec in the Azure Cloud Shell that provide the direct connection with your authentication

Connect with Azure
Either to store the below variables on environment variables or  execute the run like below

AZURE_SUBSCRIPTION_ID="2fbdbb02-df2e-11e6-bf01-fe55135034f3" \ AZURE_CLIENT_ID="58dc4f6c-df2e-11e6-bf01-fe55135034f3" \ AZURE_CLIENT_SECRET="Jibr4iwwaaZwBb6W"  \
AZURE_TENANT_ID="6ad89b58-df2e-11e6-bf01-fe55135034f3"  \
inspec exec my-profile -t azure://

How to Use it?

Step #1:  Create InSpec Profile

inspec init profile --platform azure AnyName

This command create a new folder ”My-Profile” with all necessaries artifacts for inspec tests, with:

• controls (tests)
• libraries
• profil file inspec.yml with some default metadata

Then, we adapt and update this profil file with personal metadata and adding the information of the Azure Resource pack.

Step #2:  Create InSpec Test, inside contols directory

Step #2: Let's create new testing scenario

vm.rb

rg = 'MyResourceGroup'
vmname = 'MyVmName'

describe azure_virtual_machine(resource_group: rg , name: vmname ) do
  it { should exist }
  it { should have_monitoring_agent_installed }
  it { should have_only_approved_extensions(['ApprovedExtension', 'OtherApprovedExtensions']) }
        its('location') { should eq('westeurope') }
        its('name') { should eq('azl73627') }
        its('type') { should eq 'Microsoft.Compute/virtualMachines' }
        its('installed_extensions_types') { should include('OmsAgentForLinux') }
        its('installed_extensions_names') { should include('OmsAgentForLinux') }

Step #3: Execute the test

inspec exec . -t azure://
or
inspec exec my-profile -t azure://

Inspec is a fast and easy tool that can help you on the field of automated compliance as a code. By supporting many different platforms it enables organizations to use one tool for compliance testing throughout their infrastructure landscape. In the end it might be an option to have tests running in a continuous fashion using a CI pipeline so that any changes to your (Azure) cloud infra is tested in a non-prod environment and then promoted to production