kitchen-terraform 0.7.0 → 1.0.0

data/lib/kitchen/terraform/client/process_options.rb

@@ -0,0 +1,87 @@
+# frozen_string_literal: true
+
+# Copyright 2016 New Context Services, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+require "dry/monads"
+require "kitchen/terraform/client"
+
+# Processes Terraform Client function options in to Terraform Command-Line Interface (CLI) flags.
+#
+# @see https://www.terraform.io/docs/commands/index.html Terraform commands
+module ::Kitchen::Terraform::Client::ProcessOptions
+  extend ::Dry::Monads::Either::Mixin
+  extend ::Dry::Monads::Maybe::Mixin
+  extend ::Dry::Monads::List::Mixin
+  extend ::Dry::Monads::Try::Mixin
+
+  OPTIONS_FLAGS = {
+    color: lambda do |value:|
+      "-no-color" if not value
+    end,
+    destroy: lambda do |value:|
+      "-destroy" if value
+    end,
+    input: lambda do |value:|
+      "-input=#{value}"
+    end,
+    json: lambda do |value:|
+      "-json" if value
+    end,
+    out: lambda do |value:|
+      "-out=#{value}"
+    end,
+    parallelism: lambda do |value:|
+      "-parallelism=#{value}"
+    end,
+    state: lambda do |value:|
+      "-state=#{value}"
+    end,
+    state_out: lambda do |value:|
+      "-state-out=#{value}"
+    end,
+    update: lambda do |value:|
+      "-update" if value
+    end,
+    var: lambda do |value:|
+      value.map do |variable_name, variable_value|
+        "-var='#{variable_name}=#{variable_value}'"
+      end
+    end,
+    var_file: lambda do |value:|
+      value.map do |file|
+        "-var-file=#{file}"
+      end
+    end
+  }.freeze
+
+  # Invokes the function.
+  #
+  # @param unprocessed_options [::Hash{::Symbol => TrueClass, FalseClass, #to_s, #map}] underscore delimited option keys
+  #        associated with their values.
+  # @return [::Dry::Monads::Either] the result of the function.
+  def self.call(unprocessed_options:)
+    List(unprocessed_options.to_a).fmap(&method(:Right)).typed(::Dry::Monads::Either).traverse do |member|
+      member.bind do |key, value|
+        Maybe(::Kitchen::Terraform::Client::ProcessOptions::OPTIONS_FLAGS[key]).bind do |processor|
+          Right processor.call value: value
+        end.or do
+          Left ":#{key} is not a supported Terraform Client option"
+        end
+      end
+    end.fmap do |options|
+      options.value.flatten.compact.sort
+    end
+  end
+end

data/lib/kitchen/terraform/client/validate.rb

@@ -0,0 +1,35 @@
+# frozen_string_literal: true
+
+# Copyright 2016 New Context Services, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+require "kitchen/terraform/client"
+require "kitchen/terraform/client/execute_command"
+
+# Validates the syntax of Terraform configuration files.
+#
+# @see https://www.terraform.io/docs/commands/validate.html Terraform validate command
+module ::Kitchen::Terraform::Client::Validate
+  # Invokes the function.
+  #
+  # @param cli [::String] the path of the Terraform CLI to use to execute the validate command.
+  # @param directory [::String] the directory containing files to validate.
+  # @param logger [#<<] a logger to receive the stdout and stderr of the validate command.
+  # @param timeout [::Integer] the maximum execution time in seconds for the validate command.
+  # @return [::Dry::Monads::Either] the result of the function.
+  def self.call(cli:, directory:, logger:, timeout:)
+    ::Kitchen::Terraform::Client::ExecuteCommand.call cli: cli, command: "validate", logger: logger, target: directory,
+                                                      timeout: timeout
+  end
+end

data/lib/kitchen/terraform/client/version.rb

@@ -0,0 +1,48 @@
+# frozen_string_literal: true
+
+# Copyright 2016 New Context Services, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+require "dry/monads"
+require "kitchen/terraform/client"
+require "kitchen/terraform/client/execute_command"
+
+# Retrieves the version of the Terraform Command-Line Interface (CLI).
+#
+# @see https://www.terraform.io/docs/commands/index.html Terraform commands
+module ::Kitchen::Terraform::Client::Version
+  extend ::Dry::Monads::Either::Mixin
+
+  extend ::Dry::Monads::Maybe::Mixin
+
+  # Invokes the function.
+  #
+  # @param cli [::String] the path of the Terraform CLI to use to execute the version command.
+  # @param logger [#<<] a logger to receive the stdout and stderr of the version command.
+  # @param timeout [::Integer] the time in seconds to wait for the version command to finish.
+  # @return [::Dry::Monads::Either] the result of the function.
+  def self.call(cli:, logger:, timeout:)
+    ::Kitchen::Terraform::Client::ExecuteCommand
+      .call(cli: cli, command: "version", logger: logger, timeout: timeout)
+      .bind do |output|
+        Maybe output.slice /v(\d+\.\d+)/, 1
+      end.bind do |major_minor_versions|
+        Right Float major_minor_versions
+      end.or do |error|
+        error.nil? and Left "Terraform client version output did not match 'vX.Y'" or Left error
+      end.or do |error|
+        Left "Unable to parse Terraform client version output\n#{error}"
+      end
+  end
+end

data/lib/{terraform/apply_timeout_config.rb → kitchen/terraform/create_directories.rb}

@@ -14,19 +14,26 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-require 'terraform/integer_coercer'
-require 'terraform/simple_config'
+require "dry/monads"
+require "fileutils"
+require "kitchen/terraform"
 
-module Terraform
-  # Behaviour for the [:apply_timeout] config option
-  module ApplyTimeoutConfig
-    include ::Terraform::SimpleConfig
+# Creates directories on the filesystem.
+module ::Kitchen::Terraform::CreateDirectories
+  extend ::Dry::Monads::Either::Mixin
+  extend ::Dry::Monads::Try::Mixin
 
-    def self.extended(configurable_class)
-      configurable_class
-        .configure_required attr: :apply_timeout,
-                            coercer_class: ::Terraform::IntegerCoercer,
-                            default_value: 600
+  # Invokes the function.
+  #
+  # @param directories [::Array<::String>, ::String] the list of directories to create.
+  # @return [::Dry::Monads::Either] the result of the function.
+  def self.call(directories:)
+    Try ::SystemCallError do
+      ::FileUtils.makedirs directories
+    end.to_either.bind do
+      Right "Created directories #{directories}"
+    end.or do |error|
+      Left error.to_s
     end
   end
 end

data/lib/kitchen/terraform/define_config_attribute.rb

@@ -0,0 +1,39 @@
+# frozen_string_literal: true
+
+# Copyright 2016 New Context Services, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+require "dry-validation"
+require "kitchen"
+require "kitchen/terraform"
+
+# Defines a configuration attribute for a plugin class.
+#
+# @see http://dry-rb.org/gems/dry-validation/ DRY Validation
+module ::Kitchen::Terraform::DefineConfigAttribute
+  # Invokes the function.
+  #
+  # @param attribute [::Symbol] the name of the attribute.
+  # @param initialize_default_value [::Proc] a proc to lazily provide a default value.
+  # @param plugin_class [::Class] the plugin class on which the attribute will be defined.
+  # @param schema [::Proc] a proc to define the validation schema of the attribute.
+  def self.call(attribute:, initialize_default_value:, plugin_class:, schema:)
+    plugin_class.required_config attribute do |_attribute, value, plugin|
+      ::Dry::Validation.Schema(&schema).call(value: value).messages.tap do |messages|
+        raise ::Kitchen::UserError, "#{plugin.class} configuration: #{attribute} #{messages}" if not messages.empty?
+      end
+    end
+    plugin_class.default_config attribute, &initialize_default_value
+  end
+end

data/lib/kitchen/terraform/define_integer_config_attribute.rb

@@ -0,0 +1,43 @@
+# frozen_string_literal: true
+
+# Copyright 2016 New Context Services, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+require "dry-validation"
+require "kitchen"
+require "kitchen/terraform"
+require "kitchen/terraform/define_config_attribute"
+
+# Defines an integer configuration attribute for a plugin class.
+#
+# @see http://dry-rb.org/gems/dry-validation/ DRY Validation
+module ::Kitchen::Terraform::DefineIntegerConfigAttribute
+  # Invokes the function.
+  #
+  # @param attribute [::Symbol] the name of the attribute.
+  # @param plugin_class [::Class] the plugin class on which the attribute will be defined.
+  # @yieldparam plugin [::Kitchen::Driver::Terraform, ::Kitchen::Provisioner::Terraform, ::Kitchen::Verifier::Terraform]
+  #             an instance of the plugin class.
+  # @yieldreturn [::Object] the default value of the attribute.
+  def self.call(attribute:, plugin_class:, &initialize_default_value)
+    ::Kitchen::Terraform::DefineConfigAttribute.call(
+      attribute: attribute,
+      initialize_default_value: initialize_default_value,
+      plugin_class: plugin_class,
+      schema: lambda do
+        required(:value).filled :int?
+      end
+    )
+  end
+end

data/lib/kitchen/terraform/define_string_config_attribute.rb

@@ -0,0 +1,43 @@
+# frozen_string_literal: true
+
+# Copyright 2016 New Context Services, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+require "dry-validation"
+require "kitchen"
+require "kitchen/terraform"
+require "kitchen/terraform/define_config_attribute"
+
+# Defines a string configuration attribute for a plugin class.
+#
+# @see http://dry-rb.org/gems/dry-validation/ DRY Validation
+module ::Kitchen::Terraform::DefineStringConfigAttribute
+  # Invokes the function.
+  #
+  # @param attribute [::Symbol] the name of the attribute.
+  # @param plugin_class [::Class] the plugin class on which the attribute will be defined.
+  # @yieldparam plugin [::Kitchen::Driver::Terraform, ::Kitchen::Provisioner::Terraform, ::Kitchen::Verifier::Terraform]
+  #             an instance of the plugin class.
+  # @yieldreturn [::Object] the default value of the attribute.
+  def self.call(attribute:, plugin_class:, &initialize_default_value)
+    ::Kitchen::Terraform::DefineConfigAttribute.call(
+      attribute: attribute,
+      initialize_default_value: initialize_default_value,
+      plugin_class: plugin_class,
+      schema: lambda do
+        required(:value).filled :str?
+      end
+    )
+  end
+end

data/lib/kitchen/verifier/terraform.rb

@@ -14,56 +14,204 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-require 'kitchen/verifier/inspec'
-require 'terraform/configurable'
-require 'terraform/groups_config'
+require "dry/monads"
+require "kitchen"
+require "kitchen/terraform/define_config_attribute"
+require "kitchen/verifier/inspec"
+require "terraform/configurable"
 
-module Kitchen
-  module Verifier
-    # Runs tests post-converge to confirm that instances in the Terraform state
-    # are in an expected state
-    class Terraform < ::Kitchen::Verifier::Inspec
-      extend ::Terraform::GroupsConfig
+# The verifier utilizes the InSpec infrastructure testing framework to verify the behaviour and state of resources in
+# the Terraform state.
+#
+# InSpec profiles are assumed to be located in `test/integration/<suite-name>/`.
+#
+# === Configuration
+#
+# ==== Example .kitchen.yml snippet
+#
+#   verifier:
+#     name: terraform
+#     groups:
+#       - name: group_one
+#         attributes:
+#           foo: bar
+#         controls:
+#           - biz
+#         hostnames: hostnames_output
+#         port: 123
+#         username: test-user
+#       - name: group_two
+#
+# ==== Attributes
+#
+# ===== groups
+#
+# Description:: A collection of maps that configure which InSpec profile will be run against different resources in the
+#               Terraform state.
+#
+# Type:: Array
+#
+# Status:: Optional
+#
+# Default:: +[]+
+#
+# ====== name
+#
+# Description:: A label that is used to identify the group.
+#
+# Type:: String
+#
+# Status:: Required
+#
+# ====== attributes
+#
+# Description:: A map that associates InSpec profile attribute names to Terraform output variable names.
+#
+# Type:: Hash
+#
+# Status:: Optional
+#
+# Default:: +{}+
+#
+# ====== controls
+#
+# Description:: A collection of controls to selectively include from the suite's InSpec profile.
+#
+# Type:: Array
+#
+# Status:: Optional
+#
+# Default:: +[]+
+#
+# ====== hostnames
+#
+# Description:: The name of a Terraform output variable of type String or Array which contains one or more hostnames
+#               from the Terraform state that will be targeted with the suite's InSpec profile.
+#
+# Type:: String
+#
+# Status:: Optional
+#
+# ====== port
+#
+# Description:: The port to use when connecting to the group's hosts with Secure Shell (SSH).
+#
+# Type:: Integer
+#
+# Status:: Optional
+#
+# ====== username
+#
+# Description:: The username to use when connecting to the group's hosts with SSH.
+#
+# Type:: String
+#
+# Status:: Optional
+#
+# @see https://en.wikipedia.org/wiki/Secure_Shell Secure Shell
+# @see https://www.inspec.io/ InSpec
+# @see https://www.inspec.io/docs/reference/dsl_inspec/ InSpec Controls
+# @see https://www.inspec.io/docs/reference/profiles/ InSpec Profiles
+# @see https://www.terraform.io/docs/configuration/outputs.html Terraform Output Variables
+# @see https://www.terraform.io/docs/state/index.html Terraform State
+# @version 2
+class ::Kitchen::Verifier::Terraform < ::Kitchen::Verifier::Inspec
+  kitchen_verifier_api_version 2
 
-      include ::Terraform::Configurable
+  ::Kitchen::Terraform::DefineConfigAttribute.call(
+    attribute: :groups,
+    initialize_default_value: lambda do |_plugin|
+      []
+    end,
+    plugin_class: self,
+    schema: lambda do
+      configure do
+        def self.messages
+          super.merge en: {
+            errors: {
+              keys_are_strings_or_symbols?: "keys must be strings or symbols",
+              values_are_strings?: "values must be strings"
+            }
+          }
+        end
 
-      kitchen_verifier_api_version 2
+        def keys_are_strings_or_symbols?(hash)
+          hash.keys.all? do |key|
+            key.is_a?(::String) | key.is_a?(::Symbol)
+          end
+        end
 
-      def call(state)
-        resolve_groups do |group|
-          self.group = group
-          config[:attributes] = {
-            'terraform_state' => provisioner[:state].to_path
-          }.merge group.attributes
-          info "Verifying #{group.description}"
-          super
+        def values_are_strings?(hash)
+          hash.values.all? do |value|
+            value.is_a? ::String
+          end
+        end
+      end
+      required(:value).each do
+        schema do
+          required(:name).filled :str?
+          optional(:attributes).value :hash?, :keys_are_strings_or_symbols?, :values_are_strings?
+          optional(:controls).each :filled?, :str?
+          optional(:hostnames).value :str?
+          optional(:port).value :int?
+          optional(:username).value :str?
         end
-      rescue ::Kitchen::StandardError, ::SystemCallError => error
-        raise ::Kitchen::ActionFailed, error.message
       end
+    end
+  )
 
-      private
+  include ::Dry::Monads::Either::Mixin
 
-      attr_accessor :group
+  include ::Terraform::Configurable
 
-      def configure_backend(options:)
-        /(local)host/.match group.hostname do |match|
-          options.merge! 'backend' => match[1]
-        end
-      end
+  # The verifier enumerates through each hostname of each group and verifies the associated InSpec controls.
+  #
+  # @example
+  #   `kitchen verify suite-name`
+  # @param state [::Hash] the mutable instance and verifier state.
+  # @raise [::Kitchen::ActionFailed] if the result of the action is a failure.
+  # @return [::Dry::Monads::Either] the result of the action.
+  def call(state)
+    self.class::EnumerateGroupsAndHostnames.call driver: driver, groups: config.fetch(:groups) do |group:, hostname:|
+      state.store :group, group
+      state.store :hostname, hostname
+      info "Verifying host '#{hostname}' of group '#{group.fetch :name}'"
+      super state
+    end.fmap do |success|
+      logger.debug success
+    end.or do |failure|
+      raise ::Kitchen::ActionFailed, failure
+    end
+  end
 
-      def resolve_groups(&block)
-        config[:groups]
-          .each { |group| group.resolve client: silent_client, &block }
-      end
+  private
 
-      def runner_options(transport, state = {}, platform = nil, suite = nil)
-        super.tap do |options|
-          options.merge! controls: group.controls, 'host' => group.hostname,
-                         'port' => group.port, 'user' => group.username
-          configure_backend options: options
+  # Modifies the Inspec Runner options generated by the kitchen-inspec verifier to support the verification of each
+  # group's hosts.
+  #
+  # @api private
+  # @return [::Hash] Inspec Runner options.
+  # @see https://github.com/chef/inspec/blob/master/lib/inspec/runner.rb ::Inspec::Runner
+  # @see https://github.com/chef/kitchen-inspec/blob/master/lib/kitchen/verifier.rb kitchen-inspec verifier
+  def runner_options(transport, state = {}, platform = nil, suite = nil)
+    super(transport, state, platform, suite).tap do |options|
+      self.class::ConfigureInspecRunnerBackend.call hostname: state.fetch(:hostname), options: options
+      self.class::ConfigureInspecRunnerHost.call hostname: state.fetch(:hostname), options: options
+      self.class::ConfigureInspecRunnerPort.call group: state.fetch(:group), options: options
+      self.class::ConfigureInspecRunnerUser.call group: state.fetch(:group), options: options
+      self.class::ConfigureInspecRunnerAttributes
+        .call(driver: driver, group: state.fetch(:group), terraform_state: driver[:state]).bind do |attributes|
+          config.store :attributes, attributes
         end
-      end
+      self.class::ConfigureInspecRunnerControls.call group: state.fetch(:group), options: options
     end
   end
 end
+
+require "kitchen/verifier/terraform/configure_inspec_runner_attributes"
+require "kitchen/verifier/terraform/configure_inspec_runner_backend"
+require "kitchen/verifier/terraform/configure_inspec_runner_controls"
+require "kitchen/verifier/terraform/configure_inspec_runner_host"
+require "kitchen/verifier/terraform/configure_inspec_runner_port"
+require "kitchen/verifier/terraform/configure_inspec_runner_user"
+require "kitchen/verifier/terraform/enumerate_groups_and_hostnames"