Infrastructure Code Testing in CICD Pipelines

Transcript

1. Infrastructure Code Testing in CI/CD Pipelines Chuck Meyer, Sr. Dev

   Advocate AWS CloudFormation 1 / 15

2. Agenda 1. Who I am 2. Infrastructure as code 3.

   Automating infrastructure 4. Layering in testing 5. Putting it all together 2 / 15

3. Who I am Chuck Meyer [email protected] Sr Developer Advocate, AWS

   CloudFormation 5 years at AWS Infrastructure as Code and DevOps Security Automation / DevSecOps 20+ Years in Technology Recent Ohio boomerang @chuckm 3 / 15

4. Infrastructure as Code Declarative or imperative statements describing hardware, software

   and services and their relationships. 4 / 15

5. Infrastructure as Code Declarative or imperative statements describing hardware, software

   and services and their relationships. Resource: MyWebServer Class: Server Type: ExtraBig Ports: - 443 4 / 15

6. Infrastructure as Code Declarative or imperative statements describing hardware, software

   and services and their relationships. Resource: MyWebServer Class: Server Type: ExtraBig Ports: - 443 (or maybe) server_names = [ 'Red', 'Blue', 'Green'] for name in server_names: launch_server(name, 'web') 4 / 15

7. Infrastructure as Code Flavors Declarative Chef/Puppet/Ansible/Salt Terraform CloudFormation (AWS) Azure

   Resource Manager (ARM) Cloud Deployment Manager (GCP) Imperative Pulumi Cloud Development Kit (AWS) 5 / 15

8. Infrastructure as Code Flavors Declarative Chef/Puppet/Ansible/Salt Terraform CloudFormation (AWS) Azure

   Resource Manager (ARM) Cloud Deployment Manager (GCP) Imperative Pulumi Cloud Development Kit (AWS) (we can probably fight about this) 5 / 15

9. Automating Infrastructure Infrastructure is code, so deploy it like code

   Source control Orchestration Permissioning Deployment and Promotion 6 / 15

10. Automating Infrastructure Infrastructure is code, so deploy it like code

    Source control Orchestration Permissioning Deployment and Promotion (So basically, CI/CD) 6 / 15

11. Layering in Testing Infrastructure is code, so test it like

    code Validation/Linting Unit Tests Integration Tests 7 / 15

12. Validation Is my code syntactically viable? Built in validators terraform

    validate aws cloudformation validate-template Linters FoodCritic (Chef) cfn­lint (CloudFormation) terraform­validator 8 / 15

13. Unit Testing Validate the behavior of individual components But you

    can't mock infrastructure... 9 / 15

14. Well, you can... 10 / 15

15. Well, you can... ... but it's not nice. 10 /

    15

16. Unit Testing Validate the behavior of individual components But you

    can't mock infrastructure... Decompose into multiple files and test either statically or in a live account. ChefSpec (static) cfn_nag (static) Terratest (live) 11 / 15

17. Integration Testing Validate the behavior of the complete infrastructure Deploy

    the full infrastructure and test it end­to­end. (Preferably in a controlled test account) TestKitchen (Chef) TaskCat (CloudFormation) Kitchen­Terraform 12 / 15

18. What to test? Resource misconfiguration (Will it deploy?) Software defined

    network (Unexpected ingress or egress?) Permissions (Too many wildcards) Encryption Dependencies (Is everything else there?) Lifecycle (Are you going to delete my database?) 13 / 15

19. Infrastructure CI/CD – DIY Tools 14 / 15

20. @chuckm | [email protected] 15 / 15