Delivery version: TBA
Inspec version: 0.16.0 or higher
delivery_build version: 0.4.23 or higher
Declare the profile as a dependency of your project in its Delivery config (`.delivery/config.json`):

`"dependencies": ["audit/ssh-compliance-profile"]`

Dependencies are reflected in the system once the Deliver button is pressed in the Delivery Server UI and the change is promoted to Union. See https://docs.chef.io/release/delivery/delivery_manage_dependencies.html for more details.

By telling Delivery that your cookbook/application depends on the profile, every time there is a change to the profile, the tests you set to run in your cookbook/application's Union stage (for example, in functional.rb) will run.
1. Configure your cookbook's .kitchen.yml with the desired driver, platforms, and suites. In order to view the compliance profile in Delivery, you must include `format: fulljson` and `output: compliance.json` in the verifier options, as seen below. To use kitchen-dokken, for example (note: YAML is indentation-sensitive, so be sure to remove any stray spaces your editor adds at the beginning of each line when pasting):
```yaml
---
driver:
  name: dokken
  chef_version: 12.5.1
  privileged: true # because Docker and SystemD/Upstart

transport:
  name: dokken

provisioner:
  name: dokken

verifier:
  name: inspec
  sudo: false
  format: fulljson        # required for Delivery to display the profile results
  output: compliance.json # file Delivery reads the results from

platforms:
  - name: ubuntu-12.04
    driver:
      image: ubuntu:12.04
      intermediate_instructions:
        - RUN /usr/bin/apt-get update
  - name: ubuntu-14.04
    driver:
      image: ubuntu:14.04
  - name: centos-7
    driver:
      image: centos:7
      pid_one_command: /usr/lib/systemd/systemd
  - name: oracle-7.1
    driver:
      image: oraclelinux:7.1
      pid_one_command: /usr/lib/systemd/systemd
  - name: debian-7
    driver:
      image: debian:7
      intermediate_instructions:
        - RUN /usr/bin/apt-get update
        - RUN /usr/bin/apt-get install -y procps

suites:
  - name: default
    run_list:
      - recipe[ssh-hardening::unlock]
      - recipe[ssh-hardening::server]
      - recipe[ssh-hardening::client]
```
2. Set up the Gemfile that `bundle install` runs against in your repository:

```ruby
gem 'kitchen-dokken'
gem 'test-kitchen'
gem 'inspec', git: 'https://github.com/chef/inspec.git'
gem 'kitchen-inspec', git: 'https://github.com/chef/kitchen-inspec.git', branch: 'profile-metadata-workaround'
```
3. Set up your .delivery/build-cookbook/metadata.rb:

```ruby
name 'build-cookbook'
maintainer 'The Authors'
maintainer_email '[email protected]'
license 'all_rights'
version '0.1.0'

depends 'delivery-base'
depends 'delivery-truck'
depends 'docker', '~> 2.0'
```
4. Set up your .delivery/build-cookbook/Berksfile. **Needs delivery_build version 0.4.23 or higher.**

```ruby
source 'https://supermarket.chef.io'

metadata

group :delivery do
  cookbook 'delivery_build', git: 'https://github.com/chef-cookbooks/delivery_build'
  cookbook 'delivery-base', git: 'https://github.com/chef-cookbooks/delivery-base'
  cookbook 'test', path: './test/fixtures/cookbooks/test'
  cookbook 'delivery-truck', github: 'chef-cookbooks/delivery-truck'
  cookbook 'delivery-sugar', github: 'chef-cookbooks/delivery-sugar'
end
```
5. Set up your .delivery/build-cookbook/recipes/default.rb recipe. Note: by including these resources in your default recipe, they will run in every phase. Alternative: name this recipe _default.rb and include it only from the phase recipes where you need it. <-- a little piece of wisdom provided by lupo :)

```ruby
# Install the gems from the Gemfile (test-kitchen, kitchen-dokken, inspec,
# kitchen-inspec) into the change's workspace.
execute 'bundle install' do
  cwd "#{node['delivery']['workspace']['repo']}"
  command 'bundle install --without development integration openstack tools'
end

# ensure we always have a docker group with the build user as a member
group 'docker' do
  members [node['delivery_builder']['build_user']]
  append true # add the build user without dropping existing members
end

# get docker
docker_service 'docker' do
  action [:create, :start]
  host 'unix:///var/run/docker.sock'
  group 'docker'
end

# Fetch the compliance profile from Delivery. `creates` makes this a no-op
# once the clone exists, so the recipe can safely run in every phase.
execute 'clone the compliance profile' do
  cwd "#{node['delivery']['workspace']['repo']}"
  command 'delivery clone ssh-compliance-profile --ent=chef --org=audit --user=builder --server=delivery.chef.co'
  creates "#{node['delivery']['workspace']['repo']}/ssh-compliance-profile"
end

# Put the profile where kitchen-inspec picks it up. `mkdir -p` tolerates an
# existing test/ directory, and `creates` (keyed on the profile's inspec.yml)
# skips the move once it has been done.
execute 'move compliance profile to test/integration' do
  cwd "#{node['delivery']['workspace']['repo']}"
  command 'mkdir -p test/integration && mv ssh-compliance-profile/* test/integration'
  creates "#{node['delivery']['workspace']['repo']}/test/integration/inspec.yml"
end

# Converge and verify every platform; the inspec verifier writes compliance.json.
execute 'run kitchen test' do
  cwd "#{node['delivery']['workspace']['repo']}"
  command 'bundle exec kitchen test'
end
```
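As an added example (not part of the original notes or of any Chef cookbook), here is Ruby that reads the `compliance.json` the verifier above writes and decides whether the Union-stage check should pass: the kind of logic a build-cookbook's functional.rb would run after `kitchen test`. It assumes the profiles → controls → results layout of InSpec's JSON report; the embedded report is constructed, and the workspace path in the comment is an assumption.

```ruby
require 'json'

# Constructed sample in the layout of InSpec's JSON report (assumption:
# profiles -> controls -> results); it is not output from a real run.
SAMPLE_COMPLIANCE_JSON = <<~JSON
  {"profiles": [{"name": "ssh-compliance-profile", "controls": [
    {"id": "sshd-01", "impact": 1.0, "title": "Protocol 2 only",
     "results": [{"status": "passed", "code_desc": "Protocol should eq 2"}]},
    {"id": "sshd-02", "impact": 0.7, "title": "No root login",
     "results": [{"status": "failed", "code_desc": "PermitRootLogin should eq no",
                  "message": "expected no, got yes"}]},
    {"id": "sshd-03", "impact": 0.3, "title": "Banner configured",
     "results": [{"status": "skipped", "code_desc": "Banner is set"}]}
  ]}]}
JSON

# Tally every control in every profile: failed if any result failed, skipped
# if all results were skipped, otherwise passed. Failed controls keep their
# impact and messages so the phase log explains what broke.
def summarize_compliance(json_text)
  report = JSON.parse(json_text)
  summary = { passed: [], skipped: [], failed: [] }
  report.fetch('profiles', []).each do |profile|
    profile.fetch('controls', []).each do |control|
      results = control.fetch('results', [])
      if results.any? { |r| r['status'] == 'failed' }
        messages = results.select { |r| r['status'] == 'failed' }
                          .map { |r| r['message'] || r['code_desc'] }
        summary[:failed] << { id: control['id'], impact: control['impact'].to_f,
                              messages: messages }
      elsif results.all? { |r| r['status'] == 'skipped' }
        summary[:skipped] << control['id']
      else
        summary[:passed] << control['id']
      end
    end
  end
  summary
end

# The phase passes only when no control failed.
def compliant?(summary)
  summary[:failed].empty?
end

# In functional.rb the report would be read from
# "#{node['delivery']['workspace']['repo']}/compliance.json" (assumption).
summary = summarize_compliance(SAMPLE_COMPLIANCE_JSON)
summary[:failed].each { |f| puts "FAILED #{f[:id]} (impact #{f[:impact]}): #{f[:messages].join('; ')}" }
puts "passed=#{summary[:passed].size} skipped=#{summary[:skipped].size} compliant=#{compliant?(summary)}"
```

In a phase recipe, `raise` when `compliant?` returns false so Delivery marks the stage failed.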