Inspec Vendor Cannot Upload Profiles With Dependencies
Chef InSpec supports the creation of complex test and compliance profiles, which organize controls to support dependency management and code reuse. Each profile is a standalone structure with its own distribution and execution flow.
Profile Structure
A profile should take the following structure:
examples/profile
├── README.md
├── controls
│   ├── example.rb
│   └── control_etc.rb
├── libraries
│   └── extension.rb
├── files
│   └── extras.conf
└── inspec.yml
where:
- inspec.yml includes the profile description (required)
- controls is the directory in which all tests are located (required)
- libraries is the directory in which all Chef InSpec resource extensions are located (optional)
- files is the directory with additional files that a profile can access (optional)
- README.md should be used to explain the profile, its scope, and usage
See a complete example profile in the Chef InSpec open source repository: Example Chef InSpec Profile
Also check out Explore Chef InSpec resources on Learn Chef Rally to learn more about how profiles are structured, with hands-on examples.
inspec.yml
Each profile must have an inspec.yml file that defines the following information:
- Use name to specify a unique name for the profile. Required.
- Use title to specify a human-readable name for the profile.
- Use maintainer to specify the profile maintainer.
- Use copyright to specify the copyright holder.
- Use copyright_email to specify support contact information for the profile, typically an email address.
- Use license to specify the license for the profile.
- Use summary to specify a one line summary for the profile.
- Use description to specify a multiple line description of the profile.
- Use version to specify the profile version.
- Use inspec_version to place SemVer constraints on the version of Chef InSpec that the profile can run under.
- Use supports to specify a list of supported platform targets.
- Use depends to define a list of profiles on which this profile depends.
- Use inputs to define a list of inputs you can use in your controls.
- Use gem_dependencies to specify a list of profile gem dependencies that are required to be installed for the profile to function correctly.
name is required; all other profile settings are optional. For example:
name: ssh
title: Basic SSH
maintainer: Chef Software, Inc.
copyright: Chef Software, Inc.
copyright_email: support@chef.io
license: Proprietary, All rights reserved
summary: Verify that SSH Server and SSH Client are configured securely
version: 1.0.0
supports:
  - platform-family: linux
depends:
  - name: profile
    path: ../path/to/profile
gem_dependencies:
  - name: "gem-name"
    version: ">= 2.0.0"
inspec_version: "~> 2.1"
The inspec.yml file also supports embedded ERB. For example:
name: dummy
title: InSpec Profile
maintainer: The Authors
copyright: The Authors
copyright_email: you@example.com
license: Apache-2.0
summary: An InSpec Compliance Profile
version: 0.1.0
depends:
  - name: inherit
    url: "https://artifactory.com/artifactory/example-repo-local/inspec/0.4.1.tar.gz"
    username: <%= ENV['USERNAME'] %>
    password: <%= ENV['API_KEY'] %>
Verify Profiles
Use the inspec check command to verify the implementation of a profile:
inspec check examples/profile
Platform Support
Use the supports setting in the inspec.yml file to specify one (or more) platforms that a profile targets. The list of supported platforms may contain the following:
- Use platform-family to restrict to a specific platform family.
- Use platform-name to restrict on a specific platform name. platform-name supports asterisk (*) wildcard use.
- Use release to restrict to a specific platform version, and use it together with platform-name. release supports asterisk (*) wildcard use.
- Use platform to restrict on either platform-name or platform-family.
For compatibility we support os-name and os-family. We recommend all users to change os-name to platform-name and os-family to platform-family.
With Chef InSpec 2.0, we introduced new families to help distinguish the cloud platforms. The new families can restrict the platform family to os, aws, azure or gcp.
For example, to target anything running Debian Linux, use:
name: ssh
supports:
  - platform-name: debian
To target only Ubuntu version 20.04, use:
name: ssh
supports:
  - platform-name: ubuntu
    release: 20.04
To target the entire release of Ubuntu version 20.10, use:
name: ssh
supports:
  - platform-name: ubuntu
    release: 20.*
To target the Red Hat and derivative platforms such as CentOS and Oracle Linux, use:
name: ssh
supports:
  - platform-family: redhat
To target the entire Windows 2019 platform family, including Datacenter and Core Servers, use:
name: ssh
supports:
  - platform-name: windows_server_2019*
To target anything running on Amazon AWS, use:
name: ssh
supports:
  - platform: aws
To target all of these examples in a single inspec.yml file, use:
name: ssh
supports:
  - platform-name: debian
  - platform-name: ubuntu
    release: 20.04
  - platform-family: redhat
  - platform: aws
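To make the matching rules above concrete, here is an added example in plain Ruby (not InSpec's own code) that models how a supports list is evaluated against a target: each list entry is an alternative, every key inside one entry must hold, and platform-name, release and platform accept the * wildcard. The target descriptions (name, release and family chain), the rule that a missing or empty supports list matches every platform, and the choice that an unknown key never matches are assumptions of this model.

```ruby
# Added example, not InSpec's own code: a small model of how the `supports`
# list in inspec.yml is matched against a target platform.
require 'yaml'

# A target is described by its name, release and the chain of families it
# belongs to (most specific first). These chains are constructed sample data.
Target = Struct.new(:name, :release, :families)

# `*` is the only wildcard the documentation mentions; File.fnmatch handles it.
# Values are stringified because YAML parses `release: 20.04` as a Float.
def glob?(pattern, value)
  File.fnmatch(pattern.to_s, value.to_s)
end

# One entry of the supports list: every key present must hold (AND).
def entry_matches?(entry, target)
  entry.all? do |key, want|
    case key
    when 'platform-name', 'os-name'     then glob?(want, target.name)
    when 'platform-family', 'os-family' then target.families.include?(want)
    when 'release'                      then glob?(want, target.release)
    when 'platform'                     then glob?(want, target.name) || target.families.include?(want)
    else false # assumption of this model: an unknown key never matches
    end
  end
end

# The entries of the list are alternatives (OR). A missing or empty list is
# treated as supporting every platform (assumption of this model).
def supported?(supports, target)
  return true if supports.nil? || supports.empty?
  supports.any? { |entry| entry_matches?(entry, target) }
end

# The combined example from the text, parsed the way inspec.yml would be.
COMBINED = YAML.safe_load(<<~EOS)
  - platform-name: debian
  - platform-name: ubuntu
    release: 20.04
  - platform-family: redhat
  - platform: aws
EOS

# Constructed targets (name, release, family chain) to evaluate against.
UBUNTU_2004 = Target.new('ubuntu', '20.04', %w[debian linux unix os])
UBUNTU_2204 = Target.new('ubuntu', '22.04', %w[debian linux unix os])
CENTOS_7    = Target.new('centos', '7.9', %w[redhat linux unix os])
WIN_2019_DC = Target.new('windows_server_2019_datacenter', '10.0.17763', %w[windows os])
AWS         = Target.new('aws', '', %w[aws cloud])

if $PROGRAM_NAME == __FILE__
  [UBUNTU_2004, UBUNTU_2204, CENTOS_7, WIN_2019_DC, AWS].each do |t|
    puts format('%-32s %-12s supported=%s', t.name, t.release, supported?(COMBINED, t))
  end
end
```

One practical caveat the model makes visible: an unquoted release such as 20.10 is read by the YAML parser as the float 20.1 before any matching happens, so quoting release values in inspec.yml avoids a constraint that silently never matches.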
Profile Dependencies
A Chef InSpec profile can bring in the controls and custom resources from another Chef InSpec profile. Additionally, when inheriting the controls of another profile, a profile can skip or even modify those included controls.
For hands-on examples, check out Create a custom Chef InSpec profile on Learn Chef Rally.
Defining the Dependencies
Before a profile can use controls from another profile, the to-be-included profile needs to be specified in the including profile's inspec.yml file in the depends section. For each profile to be included, a name for the profile and a location from which to fetch it should be given. For example:
depends:
  - name: linux-baseline
    url: https://github.com/dev-sec/linux-baseline/archive/master.tar.gz
  - name: ssh-baseline
    url: https://github.com/dev-sec/ssh-baseline/archive/master.tar.gz
Chef InSpec supports a number of dependency sources.
path
The path setting defines a profile that is located on disk. This setting is typically used during development of profiles and when debugging profiles.
depends:
  - name: my-profile
    path: /absolute/path
  - name: another
    path: ../relative/path
url
The url setting specifies a profile that is located at an HTTP- or HTTPS-based URL. The profile must be accessible via an HTTP GET operation and must be a valid profile archive (zip, tar, or tar.gz format).
depends:
  - name: my-profile
    url: https://my.domain/path/to/profile.tgz
  - name: profile-via-git
    url: https://github.com/myusername/myprofile-repo/archive/master.tar.gz
url also supports basic authentication.
depends:
  - name: my-profile
    url: https://my.domain/path/to/profile.tgz
    username: user
    password: password
git
A git setting specifies a profile that is located in a git repository, with optional settings for branch, tag, commit, version, and relative_path. The source location is translated into a URL upon resolution. This type of dependency supports version constraints via semantic versioning as git tags.
depends:
  - name: git-profile
    git: http://url/to/repo
    branch: desired_branch
    tag: desired_version
    commit: pinned_commit
    version: semver_via_tags
    relative_path: relative/optional/path/to/profile
supermarket
A supermarket setting specifies a profile that is located in a cookbook hosted on Chef Supermarket. The source location is translated into a URL upon resolution.
For example:
depends:
  - name: supermarket-profile
    supermarket: supermarket-username/supermarket-profile
Available Supermarket profiles can be listed with inspec supermarket profiles.
compliance
A compliance setting specifies a profile that is located on the Chef Automate or Chef Compliance server.
For example:
depends:
  - name: linux
    compliance: base/linux
Gem Dependencies
Any profile with ruby gem dependencies that need to be installed can specify them using the gem_dependencies setting in the inspec.yml metadata file.
For example, if a custom resource requires a ruby library that needs a specific gem to be installed, you can specify those gems in the metadata file. Chef InSpec will prompt to install the gems to ~/.inspec/gems when you run your profile the first time. To skip the prompt and automatically install, pass the --auto-install-gems option to inspec exec.
gem_dependencies:
  - name: "mongo"
    version: ">= 2.3.12"
Vendoring Dependencies
When you execute a local profile, the inspec.yml file will be read in order to source any profile dependencies. It will then cache the dependencies locally and generate an inspec.lock file.
If you add or update dependencies in inspec.yml, dependencies may be re-vendored and the lockfile updated with inspec vendor --overwrite.
Using Controls from an Included Profile
Once defined in the inspec.yml, controls from the included profiles can be used! Let's look at some examples.
Including All Controls from a Profile
With the include_controls command in a profile, all controls from the named profile will be executed every time the including profile is executed.
In the example above, every time my-app-profile is executed, all the controls from my-baseline are also executed. Therefore, the following controls would be executed:
- myapp-1
- myapp-2
- myapp-3
- baseline-1
- baseline-2
This is a great reminder that having a good naming convention for your controls is helpful to avoid confusion when including controls from other profiles!
Skipping a Control from a Profile
What if one of the controls from the included profile does not apply to your environment? Luckily, it is not necessary to maintain a slightly-modified copy of the included profile just to delete a control. The skip_control command tells Chef InSpec to not run a particular control.
In the above example, all controls from my-app-profile and the my-baseline profile will be executed every time my-app-profile is executed, except for control baseline-2 from the my-baseline profile.
Modifying a Control
Let's say a particular control from an included profile should still be run, but the impact isn't appropriate? Perhaps the test should still run, but if it fails, it should be treated as low severity instead of high severity?
When a control is included, it can also be modified!
In the above example, all controls from my-baseline are executed along with all the controls from the including profile, my-app-profile. However, should control baseline-1 fail, it will be raised with an impact of 0.5 instead of the originally-intended impact of 1.0.
Selectively Including Controls from a Profile
If there are only a handful of controls that should be executed from an included profile, it's not necessary to skip all the unneeded controls, or worse, copy/paste those controls bit-for-bit into your profile. Instead, use the require_controls command.
Whenever my-app-profile is executed, in addition to its own controls, it will run only the controls specified in the require_controls block. In the example, the following controls would be executed:
- myapp-1
- myapp-2
- myapp-3
- baseline-2
- baseline-4
Controls baseline-1, baseline-3, and baseline-5 would not be run, just as if they were manually skipped. This method of including specific controls ensures only the controls specified are executed; if new controls are added to a later version of my-baseline, they would not be run.
And, just the way it's possible to modify controls when using include_controls, controls can be modified here as well.
As with the prior example, only baseline-2 and baseline-4 are executed, but if baseline-2 fails, it will report with an impact of 0.5 instead of the originally-intended 1.0 impact.
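The controls files for the four cases above (include_controls, skip_control, a modified control, and require_controls) are not reproduced on this page, so the following added example, which is not InSpec's own implementation and not code from the original page, models the resolution in plain Ruby using the same DSL names. It lets the resulting control list and impacts be inspected without running InSpec. The my-baseline profile with five controls, the in-memory REGISTRY standing in for inspec.yml dependency resolution, and the default impact of 1.0 are constructed assumptions.

```ruby
# Added example, not InSpec's own implementation: a toy resolver using the
# same DSL names (control, include_controls, skip_control, require_controls,
# impact) so the controls that would run, and their impacts, can be inspected.
Control = Struct.new(:id, :impact, :from)

# Collects `impact 0.5` from inside a `control 'id' do ... end` block.
class ControlDef
  attr_reader :impact_value
  def initialize(default)
    @impact_value = default
  end
  def impact(value)
    @impact_value = value
  end
end

class Profile
  REGISTRY = {} # name => Profile; stands in for inspec.yml dependency resolution
  attr_reader :name, :controls
  def initialize(name, &block)
    @name = name
    @controls = {} # id => Control, in the order they were added
    REGISTRY[name] = self
    instance_eval(&block) if block
  end
  # Defines a control; the default impact of 1.0 is an assumption of this model.
  def control(id, &block)
    d = ControlDef.new(1.0)
    d.instance_eval(&block) if block
    @controls[id] = Control.new(id, d.impact_value, @name)
  end
  # include_controls 'dep': start from every control of the dependency.
  def include_controls(dep_name, &block)
    Inclusion.new(self, REGISTRY.fetch(dep_name), :all).apply(&block)
  end
  # require_controls 'dep': start from none; only controls named in the block run.
  def require_controls(dep_name, &block)
    Inclusion.new(self, REGISTRY.fetch(dep_name), :none).apply(&block)
  end
end

# Evaluates the block given to include_controls / require_controls.
class Inclusion
  def initialize(parent, dep, mode)
    @parent, @dep = parent, dep
    @selected = mode == :all ? dep.controls.keys : []
    @overrides = {} # id => Control carrying a modified impact
  end
  def apply(&block)
    instance_eval(&block) if block
    @selected.each { |id| @parent.controls[id] = @overrides.fetch(id) { @dep.controls.fetch(id) } }
  end
  def skip_control(id)
    @selected.delete(id)
  end
  # `control 'id' do impact 0.5 end` inside the block selects the control
  # (needed under require_controls) and applies the new impact, if any.
  def control(id, &block)
    original = @dep.controls.fetch(id) # KeyError if the dependency lacks it
    d = ControlDef.new(original.impact)
    d.instance_eval(&block) if block
    @selected << id unless @selected.include?(id)
    @overrides[id] = Control.new(id, d.impact_value, @dep.name)
  end
end

# Constructed dependency: my-baseline with five controls, all impact 1.0.
Profile.new('my-baseline') do
  (1..5).each { |n| control "baseline-#{n}" }
end

# Builds my-app-profile the way its controls file would, for one of the four
# inclusion styles described in the text.
def my_app_profile(style)
  Profile.new('my-app-profile') do
    (1..3).each { |n| control "myapp-#{n}" }
    case style
    when :include_all
      include_controls 'my-baseline'
    when :skip
      include_controls 'my-baseline' do
        skip_control 'baseline-2'
      end
    when :modify
      include_controls 'my-baseline' do
        control 'baseline-1' do
          impact 0.5
        end
      end
    when :require
      require_controls 'my-baseline' do
        control 'baseline-2' do
          impact 0.5
        end
        control 'baseline-4'
      end
    end
  end
end
```

Calling my_app_profile(:require).controls.keys returns myapp-1 through myapp-3 plus baseline-2 and baseline-4, and the from field on each baseline control records which profile it came from, which is the information a reviewer wants when the same control id could exist in several dependencies.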
Using Resources from an Included Profile
By default, all of the custom resources from a listed dependency are available for use in your profile. If two of your dependencies provide a resource with the same name, you can use the require_resource DSL function to disambiguate the two:
require_resource(profile: 'my_dep', resource: 'my_res', as: 'my_res2')
This will allow you to reference the resource my_res from the profile my_dep using the name my_res2.
Profile Inputs
Our documentation regarding Inputs is now on a dedicated page.
Profile files
A Chef InSpec profile may contain additional files that can be accessed during tests. A profile file enables you to separate the logic of your tests from the data your tests check for, for example, the list of ports you require to be open.
To access these files, they must be stored in the files directory at the root of a profile. They are accessed by their name relative to this folder with inspec.profile.file(...).
Here is an example for reading and testing a list of ports. The folder structure is:
examples/profile
├── controls
│   └── example.rb
├── files
│   └── services.yml
└── inspec.yml
With services.yml containing:
- service_name: httpd-alpha
  port: 80
- service_name: httpd-beta
  port: 8080
The tests in example.rb can now access this file:
# Read files/services.yml from the profile and parse it as YAML
my_services = yaml(content: inspec.profile.file('services.yml')).params

# One service test and one port test per entry in the data file
my_services.each do |s|
  describe service(s['service_name']) do
    it { should be_running }
  end

  describe port(s['port']) do
    it { should be_listening }
  end
end
For a more complete example that uses a profile file, see Explore Chef InSpec resources on Learn Chef Rally.
"should" vs. "expect" syntax
Users familiar with the RSpec testing framework may know that there are two ways to write test statements: should and expect. The RSpec community decided that expect is the preferred syntax. However, Chef InSpec recommends the should syntax as it tends to read more easily to those users who are not as technical.
Chef InSpec will continue to support both methods of writing tests. Consider this file test:
describe file('/tmp/test.txt') do
  it { should be_file }
end
This can be re-written with expect syntax:
describe file('/tmp/test.txt') do
  it 'should be a file' do
    expect(subject).to(be_file)
  end
end
The output of both of the above examples looks like this:
File /tmp/test.txt
  ✔ should be a file
In addition, you can make use of the subject keyword to further control your output if you choose:
describe 'test file' do
  subject { file('/tmp/test.txt') }
  it 'should be a file' do
    expect(subject).to(be_file)
  end
end
... which will render the following output:
test file
  ✔ should be a file
Source: https://docs.chef.io/inspec/profiles/