
Testing Infrastructure as Code (IaC): The Definitive Guide 2020

In this blog post we explain whether and how Infrastructure as Code should be tested. We illustrate this with practical examples in Terraform, the tool we use here at meshcloud, and tell you what to look for in IaC test tooling.

Here are the topics we will touch on. Let's dive right in:

1. What is Infrastructure as Code?

2. Do I Even Need to Test IaC?

3. The IaC Testing Usefulness Formula

4. The Developer Effect

5. The 3 Essential Types of Testing Infrastructure as Code

6. 4 Practical Examples for IaC Testing

7. The 3 Key Factors for Choosing Your Test Tooling

What Exactly is Infrastructure as Code?

To make sure we are starting from the same point: what do we mean by Infrastructure as Code (IaC)? IaC is the specification of the required infrastructure (VMs, storage, networking) in text form. We define a target state, which can then be adapted, duplicated, deleted and versioned like any other file. IaC builds on modern cloud APIs and enables a high degree of automation. With this, infrastructure development has become much more similar to application development, which raises an interesting question: can infrastructure code be tested, and if so, how?

Do I Need to Test IaC at All?

The question is more relevant than you might think. Modern IaC tools like Terraform or Pulumi already have a lot of checks built in and respond with detailed error messages. To better assess the usefulness of IaC testing for your situation, consider these factors:

  1. Number of components (e.g. VMs, managed services, load balancers)
  2. Number of environments (e.g. dev, stg, prod)
  3. Number of rollouts that affect infrastructure (daily releases vs. monthly)

The IaC Testing Usefulness Formula

We believe all three factors (components, environments and number of rollouts) are equally important, which results in our IaC Testing Usefulness Formula:

Usefulness of IaC Testing = Components x Environments x Rollouts

The Developer Effect

In practice we observed another effect that significantly increases the number of rollouts. Lovingly dubbed the "devEffect" at meshcloud, it occurs during the initial set-up of IaC or the modification of existing components. Because new IaC is usually developed by trial and error, developers roll out their changes around 100 times more often than a release schedule would suggest. For this reason alone it can be worth writing IaC tests.

The 3 Essential Types of Testing Infrastructure as Code

  1. Static and local checks
  2. Apply and destroy tests
  3. Imitation tests

1. Static and Local Checks

Strictly speaking these are not tests but simple checks. However, we still want to include them in this list, as they are an easy and fast way to catch mistakes in your infrastructure definition before anything is deployed.

Idea: Analyze configurations and dependencies before execution.

Goal: Fast detection of static errors. Errors that occur dynamically during execution are not covered.

Examples: Completeness check, field validation, reference analysis.

But everything is better with code examples, so let's have a look. Consider the following terraform file to create a small VM.

resource google_compute_instance test {
  name = "hello-terratest"

  boot_disk {
    initialize_params {
      image = "ubuntu-1804-lts"
    }
  }

  network_interface {
    network = "default"
    access_config {}
  }
}

The alert reader already noticed the absence of the machine_type field. You didn't? That is exactly our point: You don't have to. Terraform automatically informs us about the missing field.

Example of a Terraform Error Message: Missing required argument. The argument "machine_type" is required, but no definition was found.
Terraform nicely outputs an error message.

This can be taken a step further in the form of autocomplete. Using the Terraform language server in VS Code, for example, the editor prompts for the missing field and shows its type while you are still typing.

Screenshot showing the terraform autocomplete feature in VSCode.
Using the terraform language server helps avoiding errors.

Additionally, static checks cover references between resources. Consider the following Terraform code and assume it is the only code in the module. It references a google_compute_target_pool that does not exist in this context, and Terraform rejects it without talking to any cloud API. In projects with hundreds of resources depending on each other this is a lifesaver.

resource google_compute_forwarding_rule test {
  name   = "hello-terratest"
  target = google_compute_target_pool.test.self_link
}
Screenshot depicting resulting terraform error: Reference to undeclared resource.
Terraform identifies the undeclared resource.

While static checks are already a big step up from traditional infrastructure deployments, they know nothing about dynamic fields and dependencies, i.e. values that only exist once the infrastructure has actually been created. This is where our next category, Apply and Destroy Tests, comes into play.
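The built-in checks above only know Terraform's own rules (required fields, declared references); they know nothing about your organization's rules, such as which machine types are allowed or whether a VM may get a public IP. Terraform validates that machine_type is present, not that it is sensible. As an added example, which is not code from the original post or from meshcloud, the following Go program applies two such rules to the JSON that `terraform show -json <planfile>` produces, still before anything is created: machine_type must be on an allow list, and no network_interface may carry an access_config block, because in the Google provider even an empty access_config allocates an external IP. The allow list, the sample plan and the decision to inspect only the root module are assumptions for the demonstration.

```go
package main

import (
	"encoding/json"
	"fmt"
	"os"
	"strings"
)

// Subset of the `terraform show -json <planfile>` schema needed here.
// Only planned_values.root_module.resources is inspected; child modules
// are ignored (assumption for this example).
type plan struct {
	PlannedValues struct {
		RootModule struct {
			Resources []resource `json:"resources"`
		} `json:"root_module"`
	} `json:"planned_values"`
}

type resource struct {
	Address string                 `json:"address"`
	Type    string                 `json:"type"`
	Values  map[string]interface{} `json:"values"`
}

// Hypothetical organization rule: only small machine types are allowed.
var allowedMachineTypes = map[string]bool{"f1-micro": true, "e2-small": true}

// checkPlan returns one finding per policy violation; an empty slice means the
// plan may be applied.
func checkPlan(planJSON []byte) ([]string, error) {
	var p plan
	if err := json.Unmarshal(planJSON, &p); err != nil {
		return nil, fmt.Errorf("decode plan: %w", err)
	}
	var findings []string
	for _, r := range p.PlannedValues.RootModule.Resources {
		if r.Type != "google_compute_instance" {
			continue
		}
		mt, _ := r.Values["machine_type"].(string)
		if !allowedMachineTypes[mt] {
			findings = append(findings, fmt.Sprintf("%s: machine_type %q not in allow list", r.Address, mt))
		}
		if hasPublicIP(r.Values) {
			findings = append(findings, fmt.Sprintf("%s: network_interface.access_config requests a public IP", r.Address))
		}
	}
	return findings, nil
}

// hasPublicIP reports whether any network_interface carries a non-empty
// access_config list, which is how the google provider expresses an external IP.
func hasPublicIP(values map[string]interface{}) bool {
	nics, _ := values["network_interface"].([]interface{})
	for _, n := range nics {
		nic, _ := n.(map[string]interface{})
		if ac, _ := nic["access_config"].([]interface{}); len(ac) > 0 {
			return true
		}
	}
	return false
}

// Constructed sample: what `terraform show -json` would emit for the VM from
// the post, trimmed to the relevant fields, with an oversized machine type.
const samplePlan = `{
  "format_version": "1.0",
  "planned_values": {
    "root_module": {
      "resources": [
        {
          "address": "google_compute_instance.test",
          "type": "google_compute_instance",
          "name": "test",
          "values": {
            "name": "hello-terratest",
            "machine_type": "n1-standard-8",
            "network_interface": [
              {"network": "default", "access_config": [{}]}
            ]
          }
        }
      ]
    }
  }
}`

func main() {
	data := []byte(samplePlan)
	if len(os.Args) > 1 { // pass the path of a real `terraform show -json` dump
		var err error
		if data, err = os.ReadFile(os.Args[1]); err != nil {
			fmt.Fprintln(os.Stderr, err)
			os.Exit(2)
		}
	}
	findings, err := checkPlan(data)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(2)
	}
	if len(findings) > 0 {
		fmt.Println(strings.Join(findings, "\n"))
		os.Exit(1) // non-zero exit stops the pipeline before `terraform apply`
	}
	fmt.Println("plan passes policy")
}
```

In a pipeline this runs as `terraform plan -out=plan.out && terraform show -json plan.out > plan.json && go run check_plan.go plan.json`; a non-zero exit blocks the apply step. The sample plan produces two findings, the machine type and the public IP. The same rules could be expressed in a policy engine instead; the point is that "static" can mean more than "does it parse".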

2. Apply and Destroy Tests

With Apply and Destroy Tests we can go one step further and also identify dynamic errors.

Idea: Roll out the infrastructure for a short time, test it and destroy it again immediately afterwards.

Goal: Check dynamic fields and dependencies.

Examples: IP addresses, IDs, random generated passwords.

For this type of test we are currently working with terratest. Terratest is a collection of Go libraries that simplify interacting with IaC tools and the well-known cloud providers. The following example uses its terraform module. Terratest wraps the Terraform CLI, so the test can run init, apply and destroy and read back outputs.

package test

import (
    "testing"

    "github.com/gruntwork-io/terratest/modules/terraform"
)

func TestApply(t *testing.T) {
    t.Parallel()

    // Point terratest at the module under test.
    tfOptions := &terraform.Options{
        TerraformDir: "./terraform/apply_test",
    }

    // Always tear the infrastructure down again, even if a check below fails.
    defer terraform.Destroy(t, tfOptions)

    // Runs terraform init and terraform apply -auto-approve; fails the test on error.
    terraform.InitAndApply(t, tfOptions)

    // further validations go here

}
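What goes into the "further validations" slot is exactly the dynamic data listed above: IP addresses, IDs and generated passwords, none of which exist until after apply. As an added example, which is not code from the original post or from terratest, the Go program below validates a constructed `terraform output -json` document the way such a check would run after InitAndApply: the public IP must parse and be routable (an instance that silently received only an internal address fails), the instance ID must look like a GCP ID, and the password must be generated rather than a placeholder, reasonably strong, and marked sensitive so Terraform redacts it from plan and apply logs. The output names public_ip, instance_id and admin_password are assumptions about the module under test. Inside the terratest test the raw JSON would come from terraform.OutputJson(t, tfOptions, "") or from running `terraform output -json` in the module directory, and each returned problem would become a t.Errorf.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net"
	"os"
	"regexp"
	"strings"
	"unicode"
)

// Shape of one entry in `terraform output -json`.
type tfOutput struct {
	Sensitive bool            `json:"sensitive"`
	Value     json.RawMessage `json:"value"`
}

// GCP instance IDs are large decimal numbers; adjust for other providers.
var instanceIDRe = regexp.MustCompile(`^[0-9]{10,20}$`)

// Placeholder values that indicate no random_password was wired up and a
// hard-coded default leaked into the output.
var placeholderPasswords = map[string]bool{"changeme": true, "password": true, "admin": true}

// validateOutputs returns one problem per failed check on the dynamic values.
func validateOutputs(raw []byte) ([]string, error) {
	var outs map[string]tfOutput
	if err := json.Unmarshal(raw, &outs); err != nil {
		return nil, fmt.Errorf("decode outputs: %w", err)
	}
	var problems []string

	// Dynamic value 1: the IP is only known after apply; it must be public.
	ip := stringOutput(outs, "public_ip")
	addr := net.ParseIP(ip)
	switch {
	case addr == nil:
		problems = append(problems, fmt.Sprintf("public_ip: %q is not an IP address", ip))
	case addr.IsUnspecified(), addr.IsLoopback(), addr.IsPrivate():
		problems = append(problems, fmt.Sprintf("public_ip: %s is not a public address", ip))
	}

	// Dynamic value 2: the provider-assigned ID.
	if id := stringOutput(outs, "instance_id"); !instanceIDRe.MatchString(id) {
		problems = append(problems, fmt.Sprintf("instance_id: %q does not look like a GCP instance ID", id))
	}

	// Dynamic value 3: a generated password. Check strength and that Terraform
	// marks it sensitive so it is redacted from logs.
	pw, pwOut := stringOutput(outs, "admin_password"), outs["admin_password"]
	if !pwOut.Sensitive {
		problems = append(problems, "admin_password: output is not marked sensitive")
	}
	if len(pw) < 16 || !hasMixedClasses(pw) {
		problems = append(problems, "admin_password: shorter than 16 chars or missing upper/lower/digit")
	}
	if placeholderPasswords[strings.ToLower(pw)] {
		problems = append(problems, "admin_password: placeholder value, random generation did not happen")
	}
	return problems, nil
}

// stringOutput returns the string value of an output, or "" if absent or not a string.
func stringOutput(outs map[string]tfOutput, key string) string {
	var s string
	if o, ok := outs[key]; ok {
		_ = json.Unmarshal(o.Value, &s)
	}
	return s
}

func hasMixedClasses(s string) bool {
	var upper, lower, digit bool
	for _, r := range s {
		upper = upper || unicode.IsUpper(r)
		lower = lower || unicode.IsLower(r)
		digit = digit || unicode.IsDigit(r)
	}
	return upper && lower && digit
}

// Constructed sample of `terraform output -json`: the VM only received an
// internal address (e.g. access_config was dropped), which the check catches.
const sampleOutputs = `{
  "admin_password": {"sensitive": true, "type": "string", "value": "Qv7pmX2zLr9Wd4sT8k"},
  "instance_id":    {"sensitive": false, "type": "string", "value": "1234567890123456789"},
  "public_ip":      {"sensitive": false, "type": "string", "value": "10.128.0.7"}
}`

func main() {
	data := []byte(sampleOutputs)
	if len(os.Args) > 1 { // pass the path of a saved `terraform output -json`
		var err error
		if data, err = os.ReadFile(os.Args[1]); err != nil {
			fmt.Fprintln(os.Stderr, err)
			os.Exit(2)
		}
	}
	problems, err := validateOutputs(data)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(2)
	}
	for _, p := range problems {
		fmt.Println("FAIL:", p)
	}
	if len(problems) > 0 {
		os.Exit(1)
	}
	fmt.Println("outputs look sane")
}
```

Checks like these are cheap compared to the apply itself, so it pays to be strict: the sample fails on the private address alone, and a module whose random_password resource was accidentally replaced by a literal would fail on both the placeholder and the missing sensitive flag.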

Up- and downsides to consider:

Shadow IT is a risk in multi-cloud management

Under the Radar: The Risks of Shadow IT

What employees demand from IT is clear: it should be flexible, adaptable and tailored to the processes of their departments. In many companies this demand is met on the employees' own initiative, bypassing the official infrastructure, and that turns into an incalculable cost and security risk.

Anyone who discovers a tool that makes work easier seldom stops to check the IT department's rules. With cloud services an account is created in minutes and colleagues are easily convinced. The result is an infrastructure that, according to a Cloud Security Alliance survey, only 8% of CIOs believe they have an overview of in their own company. This shadow IT, or stealth IT as it is more aptly called, stays below the radar of IT managers. Eco, the German Association of the Internet Industry, asked 580 experts from German medium-sized companies for its IT security report, and the result is as clear as it is worrying: three quarters of respondents assume that shadow IT exists in their company, and nearly a quarter fear it has a "considerable extent".

Parallel structures as the sword of Damocles

It is no accident that shadow IT is the subject of an IT security report: the immediate advantages of the services employees set up alongside the official structures quickly fade once the risks come into view. Unapproved IT cannot be secured by the organization and therefore endangers company data and processes. A study commissioned by Tenable Network Security found that unapproved hardware and software had already led to data loss at 38% of German companies. Outages and the costs that come with them loom. The hidden IT structures hang over the company's activities like a sword of Damocles, and the great uncertainty about their existence, extent and relevance means nobody can say how big and how sharp that sword really is. The only way to control this risk is to reduce shadow IT, and a sharpened awareness of its causes is essential for that.

Shadow IT as an opportunity for transformation

The reasons why employees turn to unapproved tools and cloud services often lie in their relationship with their own IT department. It starts with a need for certain capabilities; insufficient coordination, missing know-how and rigid budgets then frequently prevent that need from being met by the official company IT. Cloud services play a special role here: for every problem, no matter how specific, there is a cloud solution somewhere. Asked by Harmon.ie, 48% of the "knowledge workers" surveyed admitted to using unauthorized cloud services. Most of the services used this way lack management, security and compliance features, and GDPR compliance is missing as well. Yet the emergence of shadow IT can also have a positive effect on motivation and innovation, and IT managers should treat it as an opportunity. Whoever knows what the business departments consider important enough to implement in defiance of the rules gains valuable hints for the further development, or even transformation, of the company's digital infrastructure.

The key to reducing shadow IT is proximity to the needs of users. Integrating shadow IT into the company's IT management and close coordination between business and IT departments are necessary to shape a transformation that combines flexibility and user-friendliness with company policies and legal requirements.

At meshcloud we are dedicated to helping companies avoid shadow IT by reducing the complexity of their multi-cloud environments. The meshcloud platform provides a single pane of glass for the seamless use of multiple cloud platforms without vendor lock-in or loss of efficiency. We streamline processes by providing self-service access to developers as well as transparency and cost control to IT leaders.

Do you want to learn more? Send us a note and we will get in touch with you.