Tools for Testing Terraform Managed Code and Infrastructure

  • October 20, 2021

Infrastructure as code is the backbone of any cloud-based DevOps system or architecture. In the past, it was not uncommon for testing to be downplayed as unnecessary: engineers would look at their work and feel there was no real need to test before pushing to production. In the long run, this is a mistake. There is always a chance that the system fails, drifts from what was declared, or quietly exposes something it should not (a bucket with a public ACL, a security group open to the world, a missing encryption setting).

Testing brings the code into contact with reality, and when handled properly it makes failures far less likely and catches misconfigurations before they reach production. In the past, testing was done manually, which made it error-prone and easy to skip. Today's automated testing tools are a boon to developers.

Let's dive into a few of the main tools that are being used to test Infrastructure as Code.

1. Terratest

One of the most popular ways of creating automated tests for Terraform IaC is Terratest, a Go library from Gruntwork with helper functions and patterns for testing Terraform modules, Packer templates, Docker images, Kubernetes manifests and the cloud APIs behind them (AWS, GCP, Azure). A Terratest test is an ordinary Go test: it points the Terraform helpers at a module directory and a set of input variables, runs terraform init and terraform apply against a real account, queries the resulting outputs or resources through the provider API (for example, that an instance only answers on the expected port, or that a bucket has versioning enabled), and destroys everything in a deferred call so nothing is left behind. It is therefore an integration test of deployed infrastructure rather than a unit test of the HCL alone: it needs valid cloud credentials, takes minutes rather than seconds, and incurs real cost. The usual mitigations are a dedicated sandbox account, unique resource names per run so parallel tests do not collide, and a periodic cleanup of resources that a failed run leaves behind.

2. Terrascan

Terrascan is a static code analysis tool that scans IaC (Terraform, Kubernetes manifests, Helm charts, Kustomize, Dockerfiles and others) against policies written in Rego, the Open Policy Agent language, before anything is deployed. Its pre-made policies cover the usual cloud misconfigurations out of the box: a bucket with a public ACL, storage or volumes without KMS encryption, security groups open to the world, access logging left disabled, and so on. Custom policies can be added for organization-specific rules, and there are commercial offerings built around it for bigger organizations.

The results give the severity of each violation (high, medium or low), the policy that was violated, and the file and line of the offending resource, so the engineer knows exactly where to look regardless of how many lines of code exist. Output is available as human-readable text or as JSON, YAML, JUnit XML and SARIF, which is what lets other tooling consume it. Terrascan goes a long way to surfacing policy violations and gives the engineer a concrete reference to address each one.

Terrascan can be run locally before a deployment, and because it returns a non-zero exit code when violations are found it drops straight into a CI/CD pipeline as a gate. It can also run as a server exposing an HTTP API and as a Kubernetes validating admission webhook, which blocks non-compliant manifests at the cluster. Overall, Terrascan is useful for enterprises and organizations that want to apply the same policy checks at scale.

3. Testinfra

The purpose of this kind of test is to find problems from the developer machine and keep them out of the production system, and Testinfra handles this comfortably at the raw infrastructure level. Unlike Terratest, which is written in Go and focused on Terraform, Testinfra is a pytest plugin written in Python whose modules check what is actually running on compute instances: installed packages, running and enabled services, file contents, ownership and permissions, listening sockets, users and groups, and the output of arbitrary commands. The same tests can be pointed at the local machine, an SSH host, a Docker container, an Ansible inventory or a Kubernetes pod through its connection backends, and it can emit Nagios-compatible output, so it slots into Jenkins, Vagrant and Docker based workflows. Typical tests check that the service you deployed is installed, enabled and running, that it listens only on the expected port, and that its configuration file carries the hardened settings you expect. The project is still growing, and developers are encouraged to contribute to the repository.

4. Terraform-Compliance

Terraform-compliance is a lightweight, security- and compliance-focused test framework for Terraform. Tests are written in a BDD style as plain-language Gherkin scenarios (for example: Given I have aws_s3_bucket defined, Then it must contain server_side_encryption_configuration), and it enables negative testing of your IaC: stating what must not be present rather than only what must. It runs against a Terraform plan rather than the HCL itself, so the pipeline must run terraform init and terraform plan -out for the target cloud environment first and then hand the plan file to terraform-compliance, which reads it through terraform show -json. The plan therefore reflects the real provider, variables and workspace that will be applied, not just the code as written. The beautiful thing about this tool is that it gives clear and concise results per scenario, and in a CI/CD pipeline it exits with a non-zero code when any scenario fails, so the deployment stops before apply. Lastly, it is good to understand that terraform-compliance is most effective for negative tests, confirming that expected resources exist, tag completeness, security checks and other non-functional requirements.
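Terrascan's policies and terraform-compliance's scenarios both come down to walking the planned resources and asserting properties of each one. The following added example (written for this article, not code from either project) shows that mechanism in plain Python over a hand-constructed plan in the shape of terraform show -json output: a public S3 ACL, a bucket without default encryption, security groups exposing SSH or RDP to the world (including a module resource that allows all traffic with protocol -1), and missing mandatory tags, each with a severity, plus an exit code that gates a pipeline the way both tools do. The attribute names follow the AWS provider 3.x schema; REQUIRED_TAGS, ADMIN_PORTS, the rule names and the severities are assumptions of the example.

```python
"""Policy checks over a Terraform plan, in the spirit of Terrascan's Rego
policies and terraform-compliance's scenarios.

Added example for this article, not code from either project. Input is
the JSON printed by `terraform show -json tfplan`; only the keys used
below (planned_values -> root_module -> resources / child_modules) are
modelled, and the sample plan is constructed by hand in that shape.
"""
import json

REQUIRED_TAGS = {"Owner", "Environment"}   # assumed tagging policy
PUBLIC_ACLS = {"public-read", "public-read-write", "authenticated-read"}
ANYWHERE = {"0.0.0.0/0", "::/0"}
ADMIN_PORTS = {22, 3389}                   # SSH and RDP
SEVERITY = {"LOW": 0, "MEDIUM": 1, "HIGH": 2}

# Constructed plan: two buckets, two root security groups, one module SG.
SAMPLE_PLAN = json.dumps({"planned_values": {"root_module": {
    "resources": [
        {"address": "aws_s3_bucket.logs", "type": "aws_s3_bucket",
         "values": {"acl": "public-read", "tags": {"Owner": "platform"},
                    "server_side_encryption_configuration": [{"rule": [{}]}]}},
        {"address": "aws_s3_bucket.data", "type": "aws_s3_bucket",
         "values": {"acl": "private", "tags": {"Owner": "platform", "Environment": "prod"},
                    "server_side_encryption_configuration": []}},
        {"address": "aws_security_group.web", "type": "aws_security_group",
         "values": {"tags": {"Owner": "web", "Environment": "prod"}, "ingress": [
             {"from_port": 443, "to_port": 443, "protocol": "tcp", "cidr_blocks": ["0.0.0.0/0"]},
             {"from_port": 22, "to_port": 22, "protocol": "tcp", "cidr_blocks": ["0.0.0.0/0"]}]}},
        {"address": "aws_security_group.db", "type": "aws_security_group",
         "values": {"tags": {"Owner": "data", "Environment": "prod"}, "ingress": [
             {"from_port": 5432, "to_port": 5432, "protocol": "tcp", "cidr_blocks": ["10.0.0.0/8"]}]}}],
    "child_modules": [{"address": "module.bastion", "resources": [
        {"address": "module.bastion.aws_security_group.bastion", "type": "aws_security_group",
         "values": {"tags": {"Owner": "ops", "Environment": "prod"}, "ingress": [
             {"from_port": 0, "to_port": 0, "protocol": "-1",   # -1 means all traffic
              "cidr_blocks": ["0.0.0.0/0"], "ipv6_cidr_blocks": ["::/0"]}]}}]}]}}})


def iter_resources(module):
    """Yield every planned resource in a module and, recursively, its children."""
    yield from module.get("resources", [])
    for child in module.get("child_modules", []):
        yield from iter_resources(child)


def finding(severity, rule, res, detail):
    return {"severity": severity, "rule": rule, "address": res["address"], "detail": detail}


def check_bucket(res):
    v = res["values"]
    if v.get("acl") in PUBLIC_ACLS:
        yield finding("HIGH", "s3-public-acl", res, "acl=" + v["acl"])
    # Provider 3.x models default encryption as a nested block on the bucket;
    # an empty list means the bucket is created without it.
    if not v.get("server_side_encryption_configuration"):
        yield finding("MEDIUM", "s3-no-default-encryption", res,
                      "no server_side_encryption_configuration block")


def check_security_group(res):
    for rule in res["values"].get("ingress", []):
        sources = (set(rule.get("cidr_blocks", [])) | set(rule.get("ipv6_cidr_blocks", []))) & ANYWHERE
        if not sources:
            continue
        all_traffic = rule.get("protocol") == "-1"       # ports are 0/0 in that case
        open_ports = [p for p in sorted(ADMIN_PORTS)
                      if all_traffic or rule["from_port"] <= p <= rule["to_port"]]
        if open_ports:
            yield finding("HIGH", "sg-admin-port-open-to-world", res, "ports %s open to %s"
                          % (", ".join(map(str, open_ports)), ", ".join(sorted(sources))))


def check_tags(res):
    missing = REQUIRED_TAGS - set(res["values"].get("tags") or {})
    if missing:
        yield finding("LOW", "missing-required-tags", res, "missing " + ", ".join(sorted(missing)))


CHECKS = {"aws_s3_bucket": [check_bucket], "aws_security_group": [check_security_group]}


def scan_plan(plan_json):
    """Run every applicable check over each planned resource; return findings."""
    plan = json.loads(plan_json)
    findings = []
    for res in iter_resources(plan["planned_values"]["root_module"]):
        for check in CHECKS.get(res["type"], []) + [check_tags]:
            findings.extend(check(res))
    return findings


def exit_code(findings, fail_on="MEDIUM"):
    """CI gate like the real tools: non-zero if any finding is at or above the threshold."""
    return int(any(SEVERITY[f["severity"]] >= SEVERITY[fail_on] for f in findings))


if __name__ == "__main__":
    results = scan_plan(SAMPLE_PLAN)
    for f in results:
        print("%-6s %-28s %s: %s" % (f["severity"], f["rule"], f["address"], f["detail"]))
    raise SystemExit(exit_code(results))
```

Running the script prints five findings (three HIGH, one MEDIUM, one LOW) and exits 1, which is exactly what a pipeline step wants. The point worth noticing is the bastion group: its rule lists from_port 0 and to_port 0, so a naive range check would pass it, and only treating protocol -1 as "every port" catches the wide-open SSH and RDP exposure; Terrascan and terraform-compliance policies have to make the same distinction.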

5. Kitchen-Terraform

Kitchen-Terraform is a set of plugins for Test Kitchen, the testing harness from Chef that most community cookbooks use, and it brings that converge-and-verify workflow to Terraform so the development cycle can be completed with a test suite. A Kitchen suite runs terraform init and terraform apply for a configuration (often through a small fixture module that wraps the module under test), verifies the result with InSpec controls, either against the Terraform outputs or by connecting to the instances that were created, and finally destroys the infrastructure. Test Kitchen's test matrix lets suites vary by platform, input variables and fixture module, and its driver plugin architecture is what lets the same harness target Vagrant, Amazon EC2, Microsoft Azure, Google Compute Engine, Docker and more; Kitchen-Terraform contributes the Terraform driver and provisioner and an InSpec-based verifier within that architecture.

In conclusion, after going over these tools, it is imperative to pick the ones that suit your needs, and they overlap only partly: Terrascan and terraform-compliance catch misconfigurations in the code and the plan before anything is applied, while Terratest, Testinfra and Kitchen-Terraform verify what was actually deployed. As Terraform continues to gain popularity among developers and in production environments, it is critical for Terraform-managed Infrastructure as Code to be thoroughly tested. Simply put, these tools help achieve that.

Credits
Written by: Mariano Rodriguez
General corrections and editing: Diego Woitasen