Terraform OpenStack Provider

This is an example of how to utilize Kitchen-Terraform to test OpenStack resources configured with the Terraform OpenStack Provider.

Author: Ewa Czechowska

1. Requirements & Setup 2. Create Terraform code 3. Create Terraform variables 4. Create Terraform outputs 5. Setup provider information 6. Create tests 7. Run tests

We need two OpenStack networks that are accessible from localhost.

To setup the repository, run these commands:

mkdir -p openstack_provider_example/test/integration/example/controls
mkdir -p openstack_provider_example/dummy_keypair

ssh-keygen -f openstack_provider_example/dummy_keypair/cloud.key

cd openstack_provider_example

Create the

Gemfile

to install our dependencies.

source "https://rubygems.org/" do
  gem "kitchen-terraform"
end

Install Kitchen-Terraform and other rubygems, install bundler if not installed yet.

gem install bundler
bundle install

Create this file

.kitchen.yml

which brings together the Terraform module code and Inspec controls.

---
driver:
  name: terraform
  command_timeout: 1000
  variable_files:
    - ./my-variables.tfvars

provisioner:
  name: terraform

transport:
  name: ssh
  ssh_key: ./dummy_keypair/cloud.key
  username: ubuntu

verifier:
  name: terraform
  groups:
    - name: master
      controls:
        - nano_installed
      hostnames: master_address
    - name: workers
      controls:
        - curl_installed
      hostnames: workers_addresses

platforms:
  - name: ubuntu

suites:
  - name: example

The Kitchen-Terraform driver is configured with a command timeout of 1000 seconds and the path to a Terraform variables file.

The Kitchen-Terraform provisioner is enabled.

The Test Kitchen SSH transport is configured to use the dummy_keypair and a static username for SSH authentication with the VMs.

The Kitchen-Terraform verifier is configured with two groups.

The master group is configured to run a control against the master VM by using the master_address output for the value of hostnames.

The workers group is configured to run a control against all of the worker VMs by using the workers_addresses output for the value of hostnames.

The platforms provide arbitrary grouping for the test suite matrix.

The suite name corresponds to the directory containing the Inspec profile:

test/integration/example/

Example Terraform code using the OpenStack provider is below. The resources created by this code is what we'll be testing later on.

Create this file

main.tf

and add each block of code into it.

The configuration is restricted to Terraform versions equal to or greater than 0.10.2 and less than 0.11.0.

terraform {
  required_version = "~> 0.10.2"
}

Enable OpenStack provider to pass in OpenStack information and user authentication.

provider "openstack" {
  auth_url    = "${var.provider_auth_url}"
  password    = "${var.provider_password}"
  region      = "${var.provider_region}"
  tenant_name = "${var.provider_tenant_name}"
  user_name   = "${var.provider_user_name}"
}

Creates a SSH keypair, IP address and Ubuntu server which will act as a master server.

resource "openstack_compute_keypair_v2" "kitchen-terraform" {
  name       = "kitchen-terraform-example"
  public_key = "${file("./dummy_keypair/cloud.key.pub")}"
}

resource "openstack_networking_floatingip_v2" "master" {
  pool = "${var.networking_floatingips_pool}"
}

resource "openstack_compute_instance_v2" "master" {
  flavor_name = "v.c1.m1024.d5.e0"
  floating_ip = "${element(openstack_networking_floatingip_v2.master.*.address, 0)}"
  image_name  = "ubuntu-16.04"
  key_pair    = "${openstack_compute_keypair_v2.kitchen-terraform.name}"
  name        = "kitchen-terraform-example-master"

  connection {
    host        = "${self.floating_ip}"
    private_key = "${file("./dummy/cloud.key")}"
    type        = "ssh"
    user        = "ubuntu"
  }

  metadata = {
    ssh_user = "ubuntu"
  }

  network {
    name = "${var.compute_instances_network_name}"
  }

  provisioner "remote-exec" {
    inline = ["sudo apt-get install --no-install-recommends --yes nano"]
  }
}

Uses the SSH key from above, creates a new IP address and Ubuntu server which will act as a worker server.

resource "openstack_networking_floatingip_v2" "workers" {
  count = 2
  pool  = "${var.networking_floatingips_pool}"
}

resource "openstack_compute_instance_v2" "worker" {
  count       = 2
  flavor_name = "v.c1.m1024.d5.e0"
  floating_ip = "${element(openstack_networking_floatingip_v2.workers.*.address, count.index)}"
  image_name  = "ubuntu-16.04"
  key_pair    = "${openstack_compute_keypair_v2.kitchen-terraform.name}"
  name        = "kitchen-terraform-example-worker-${count.index+1}"

  connection {
    host        = "${self.floating_ip}"
    private_key = "${file("./dummy/cloud.key")}"
    type        = "ssh"
    user        = "ubuntu"
  }

  metadata = {
    ssh_user = "ubuntu"
  }

  network {
    name = "${var.compute_instances_network_name}"
  }

  provisioner "remote-exec" {
    inline = ["sudo apt-get install --no-install-recommends --yes curl"]
  }
}

We also need to setup variables as some networking and provider attributes are required to make the Terraform code work successfully.

Create this file

variable.tf

and add the below block of code into it.

variable "compute_instances_network_name" {
  description = "The human-readable name of the network of the compute instances"
  type        = "string"
}

variable "networking_floatingips_pool" {
  description = "The name of the pool from which to obtain the floating IP addresses"
  type        = "string"
}

variable "provider_auth_url" {
  description = "The identity authentication URL"
  type        = "string"
}

variable "provider_password" {
  description = "The password to login with"
  type        = "string"
}

variable "provider_region" {
  description = "The cloud region to use"
  type        = "string"
}

variable "provider_tenant_name" {
  description = "The name of the tenant to login with"
  type        = "string"
}

variable "provider_user_name" {
  description = "The user ID to login with"
  type        = "string"
}

To assist in testing, Terraform outputs will provide the master and worker server addresses. The Kitchen-Terraform verifier can use these artifacts to validate the Terraform code.

Create this file

output.tf

and add each block of code into it.

output "master_address" {
  value = "${openstack_networking_floatingip_v2.master.address}"
}

output "workers_addresses" {
  value = ["${openstack_networking_floatingip_v2.workers.*.address}"]
}

Refer back to the .kitchen.yml and in the verifier section you will see a reference to the above hostnames output.

Before creating the tests, let's setup our OpenStack provider information. This helps get the URL, user authentication and a couple other provider specific items setup.

Create this file

my-variables.tfvars

and add the block of code into it.

compute_instances_network_name = "<VALUE>"
networking_floatingips_pool    = "<VALUE>"
provider_auth_url              = "<VALUE>"
provider_password              = "<VALUE>"
provider_region                = "<VALUE>"
provider_tenant_name           = "<VALUE>"
provider_user_name             = "<VALUE>"

Refer back to the .kitchen.yml and in the driver section you will see a reference to the above my-variables.tfvars file.

We've created the Terraform code, now it's time to create the Inspec control tests. Please see the Inspec documentation to learn more about profiles and controls.

Create a default profile file

test/integration/example/inspec.yml

---
name: default

Referring back to the .kitchen.yml file and inside the verifier section there is a nano_installed control which we need to create.

Create this file

test/integration/example/controls/nano_installed_spec.rb

# frozen_string_literal: true

control "nano_installed" do
  describe package "nano" do
    it do
      is_expected.to be_installed
    end
  end
end

Let's create the curl_installed control, which will validate curl is installed.

Create this file

test/integration/example/controls/curl_installed_spec.rb

# frozen_string_literal: true

control "curl_installed" do
  describe package "curl" do
    it do
      is_expected.to be_installed
    end
  end
end

Execute Kitchen-Terraform by running these commands

# Create resources from the Terraform code in main.tf
bundle exec kitchen converge

# Run the Inspec controls from the .kitchen.yml verifier section
bundle exec kitchen verify