Delivery version: 0.4.109 or higher
Inspec version: 0.16.0 or higher

Declare the compliance profile as a dependency of your project in its `.delivery/config.json` (the value is `org/project`):

```json
"dependencies": ["audit/ssh-compliance-profile"]
```

Dependencies are reflected in the system once the Deliver button is pressed in the Delivery Server UI and the change is promoted to Union. See https://docs.chef.io/release/delivery/delivery_manage_dependencies.html for more details.

By telling Delivery that your cookbook/application depends on the profile, every time there is a change to the profile, the tests you set to run in your cookbook/application's Union stage (for example, in functional.rb) will run again, so a tightened profile fails the consumers that no longer comply.
1. Configure your cookbook's .kitchen.yml with the desired driver, platforms, and suites. In order to view the compliance profile results in Delivery, you must include `format: fulljson` in the verifier options, as seen below. To use kitchen-dokken, for example (note: if you copy this from the page, strip any leading spaces the paste adds to the start of each line, since YAML indentation is significant):
```yaml
---
driver:
  name: dokken
  chef_version: 12.5.1
  # a privileged container can reach host devices; use this only on a dedicated build node
  privileged: true # because Docker and SystemD/Upstart

transport:
  name: dokken

provisioner:
  name: dokken

verifier:
  name: inspec
  sudo: false
  format: fulljson

platforms:
  - name: ubuntu-12.04
    driver:
      image: ubuntu:12.04
      intermediate_instructions:
        - RUN /usr/bin/apt-get update
  - name: ubuntu-14.04
    driver:
      image: ubuntu:14.04
  - name: centos-7
    driver:
      image: centos:7
      pid_one_command: /usr/lib/systemd/systemd
  - name: oracle-7.1
    driver:
      image: oraclelinux:7.1
      pid_one_command: /usr/lib/systemd/systemd
  - name: debian-7
    driver:
      image: debian:7
      intermediate_instructions:
        - RUN /usr/bin/apt-get update
        - RUN /usr/bin/apt-get install -y procps

suites:
  - name: default
    run_list:
      - recipe[ssh-hardening::unlock]
      - recipe[ssh-hardening::server]
      - recipe[ssh-hardening::client]
```
2. Add the test tooling to the project's Gemfile (this is what `bundle exec kitchen test` in the build cookbook picks up):

```ruby
source 'https://rubygems.org'

gem 'kitchen-dokken'
gem 'test-kitchen'
# Both git sources below track a moving branch rather than a fixed commit; pin them
# with a ref: once the workaround lands upstream so builds are reproducible.
gem 'inspec', git: 'https://github.com/chef/inspec.git'
gem 'kitchen-inspec', git: 'https://github.com/chef/kitchen-inspec.git', branch: 'profile-metadata-workaround'
```
3. In `.delivery/build-cookbook/metadata.rb`, depend on the docker cookbook (for the `docker_service` resource used below) alongside the usual Delivery cookbooks:

```ruby
name 'build-cookbook'
maintainer 'The Authors'
maintainer_email '[email protected]'
license 'all_rights'
version '0.1.0'

depends 'delivery-base'
depends 'fancy_execute'
depends 'delivery-truck'
depends 'docker', '~> 2.0'
```
4. In `.delivery/build-cookbook/Berksfile`:

```ruby
source 'https://supermarket.chef.io'

metadata

group :delivery do
  cookbook 'delivery_build', git: 'https://github.com/chef-cookbooks/delivery_build'
  cookbook 'delivery-base', git: 'https://github.com/chef-cookbooks/delivery-base'
  cookbook 'test', path: './test/fixtures/cookbooks/test'
  cookbook 'delivery-truck', github: 'chef-cookbooks/delivery-truck'
  cookbook 'delivery-sugar', github: 'chef-cookbooks/delivery-sugar'
end
```
5. In the build-cookbook phase recipe that runs the tests (functional.rb, as referenced above), install the gems, make sure Docker is available to the build user, pull the profile into `test/integration`, and run kitchen:

```ruby
repo = node['delivery']['workspace']['repo']

execute 'bundle install' do
  cwd repo
  command 'bundle install --without development integration openstack tools'
end

# ensure we always have a docker group with the build user as a member
group 'docker' do
  members [node['delivery_builder']['build_user']]
end

# get docker
docker_service 'docker' do
  action [:create, :start]
  host 'unix:///var/run/docker.sock'
  group 'docker'
end

# the build node needs git/SSH access to the Delivery server as this user for the clone to succeed
execute 'clone the compliance profile' do
  cwd repo
  command 'delivery clone ssh-compliance-profile --ent=chef --org=audit --user=builder --server=delivery.chef.co'
  not_if { ::File.directory?(::File.join(repo, 'ssh-compliance-profile')) }
end

# mkdir -p: most cookbooks already ship a test/ directory, and a plain mkdir would fail the phase
execute 'move compliance profile to test/integration' do
  cwd repo
  command 'mkdir -p test/integration && mv ssh-compliance-profile/* test/integration'
end

execute 'run kitchen test' do
  cwd repo
  command 'bundle exec kitchen test'
end
```
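The two `execute` resources above move whatever the clone produced into `test/integration` without looking at it. If the clone fails quietly, lands in the wrong directory, or the profile has no controls, kitchen still runs and the verify step passes with nothing checked, which reads as "compliant" in Delivery. The following is an added example, not code from this page or from the ssh-hardening, InSpec or Delivery projects: it validates the cloned profile (inspec.yml present, profile name as expected, at least one control file) before staging it, and stages it idempotently. The function names `validate_inspec_profile`, `stage_profile` and `build_fixture` are hypothetical, the fixture profile is constructed for the stand-alone run, and the layout follows the page's `mv ssh-compliance-profile/* test/integration` command (profile contents directly under `test/integration`). In a real build cookbook you would call `stage_profile` from a `ruby_block` in place of the `mkdir`/`mv` execute.

```ruby
require 'yaml'
require 'fileutils'
require 'tmpdir'

# Check a cloned InSpec profile before it is staged for kitchen. Returns the parsed
# inspec.yml metadata plus a count of control files, or raises with the reason.
def validate_inspec_profile(profile_dir, expected_name:)
  meta_path = File.join(profile_dir, 'inspec.yml')
  unless File.file?(meta_path)
    raise "no inspec.yml in #{profile_dir}: clone failed or wrong directory"
  end

  meta = YAML.safe_load(File.read(meta_path)) || {}
  unless meta['name'] == expected_name
    raise "profile name #{meta['name'].inspect} != expected #{expected_name.inspect}"
  end

  controls = Dir.glob(File.join(profile_dir, 'controls', '*.rb'))
  if controls.empty?
    raise "profile #{expected_name} has no controls; kitchen verify would pass vacuously"
  end

  meta.merge('control_files' => controls.length)
end

# Copy the validated profile contents into <repo>/test/integration. mkdir_p and cp_r
# make this safe to run again on a workspace that already has test/ or a prior copy.
def stage_profile(profile_dir, repo_dir, expected_name:)
  meta = validate_inspec_profile(profile_dir, expected_name: expected_name)
  dest = File.join(repo_dir, 'test', 'integration')
  FileUtils.mkdir_p(dest)
  FileUtils.cp_r(Dir.glob(File.join(profile_dir, '*')), dest)
  meta
end

# Constructed fixture standing in for the `delivery clone` output (hypothetical content,
# not the real ssh-compliance-profile).
def build_fixture(root, name: 'ssh-compliance-profile')
  profile = File.join(root, name)
  FileUtils.mkdir_p(File.join(profile, 'controls'))
  File.write(File.join(profile, 'inspec.yml'), { 'name' => name, 'version' => '0.1.0' }.to_yaml)
  File.write(File.join(profile, 'controls', 'ssh.rb'), <<~CONTROL)
    control 'ssh-1' do
      describe sshd_config do
        its('Protocol') { should cmp 2 }
      end
    end
  CONTROL
  profile
end

if __FILE__ == $PROGRAM_NAME
  Dir.mktmpdir do |ws|
    profile = build_fixture(ws)
    repo = File.join(ws, 'repo')
    FileUtils.mkdir_p(repo)
    meta = stage_profile(profile, repo, expected_name: 'ssh-compliance-profile')
    puts "staged #{meta['name']} #{meta['version']} with #{meta['control_files']} control file(s)"
  end
end
```

Raising on the failure cases is deliberate: an exception in a `ruby_block` fails the Delivery phase, which is the outcome you want when the compliance check could not actually run.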