
Transcripted Summary

In this chapter, you will learn about the main building blocks of InSpec.

We will talk about controls, resources and matchers.


# Controls

Let's start with the control.

What is a control?

With InSpec, you describe your compliance requirements as so-called compliance controls, written in a control file.

A compliance control uses resources to define the expected state of the system.

In our "Hello World" example, we are using the `file` resource.

You will learn more about resources in the next lesson.

A control defined with the InSpec DSL is an executable specification, and more or less a test that you can execute in your delivery pipeline.

You can group controls into compliance profiles, which are similar to test suites.

# What will be the ingredients of a control file?

A control block is defined with the keyword `control`, followed by the control name.

`impact`, `title` and `desc` are metadata that describe the importance of the control and its purpose.

`ref` is a reference to an external document that defines the requirements implemented by this control.

These documents are issued by governments or certification bodies, or defined by industry standards like PCI DSS, the Payment Card Security Standard, or healthcare standards like DICOM.

Later in this course, we will create an InSpec profile for PCI DSS.

A `describe` block consists of one or more tests for a given resource.

Each line we see in the `describe` block begins with `it` or `its`, and defines a test and assertion.

A `control` block must contain at least one `describe` block, but may contain as many as needed.

InSpec uses resources to define the expected state of a system.

The tests we see in the `describe` block are always bound to a given resource.

In our example, we are using the `file` resource and expect that the content includes a given string.

Every test in a `describe` block begins with the keyword `it` or `its`, followed by a so-called matcher.

More about matchers in the next lessons.

So, now you know the basics about the control. Let's proceed with resources.


# Resources

Now, we get to the meat of a compliance control.

The InSpec DSL is made up of resources that provide a variety of validations for common infrastructure components.


# What is a resource?

InSpec expresses its expectations about the desired state of the system through resources inside of these controls.

For example, to check for the existence and permissions of a file, you would use the `file` resource.

InSpec offers different types of resources.

There are operating-system-related, software-related, and cloud-related resources.

Of course, we can also create custom resources.

Some examples of operating-system-related resources are `directory`, `file` and `user`.

Use the `directory` resource to test whether the file type is a directory, or use the `file` resource to test all system file types, including files, directories, symbolic links, named pipes and others.

Use the `user` resource to test user profiles for a single, known, expected local user, including the groups to which that user belongs and other properties.

Then, we have the software related resources.

We have resources for Docker, for Apache, and for NGINX, and we also have resources for databases like MySQL and Postgres.

Then, we have cloud platform related resources.

Since the introduction of InSpec 2, InSpec is also able to evaluate API-based endpoints, such as those of the cloud providers AWS, Azure and Google Cloud Platform.

InSpec provides a mechanism for defining custom resources.

Sometimes it becomes necessary to write your own resources to help you describe your infrastructure.


# Matchers

Last, but not least, let's talk about matchers.

Each `describe` block has at least one assertion test, which expresses the expected state of the resource.

To implement this assertion, InSpec uses matchers to compare a resource's actual values to the expectations.

An assertion consists of three parts: first, the universal matcher or resource matcher; then, the expectation; and third, again, a universal matcher or resource matcher.

`its` is a universal matcher to access properties of a resource.

Universal matchers are available to make numeric comparisons, look for the property value in a list, or look for patterns in text using regular expressions.

`it` is a resource-specific matcher to access resource-specific values.

The value depends on the resource.

If you use the help command for the `file` resource, then you will see that the `file` resource has six resource-specific matchers and one universal matcher.
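
The three building blocks from this chapter (the control file layout described under Controls and the `it`/`its` assertions described here), as an added plain-Ruby toy model that runs without InSpec installed. It is not InSpec's implementation or code from the course; the class names, `hello_control`, the control name and the `ref` text are assumptions made for illustration.

```ruby
# Resource: wraps a system component and exposes its state.
FileResource = Struct.new(:path) do
  def exist?;  File.exist?(path); end
  def content; exist? ? File.read(path) : nil; end
end

# describe block: binds tests to one resource, records [label, passed] per test.
class Describe
  attr_reader :results
  def initialize(resource); @resource = resource; @results = []; end
  # `it` tests the resource itself; `its` tests one named property of it.
  def it(&t);        @subject = @resource;                   @results << ['it', t.call]; end
  def its(prop, &t); @subject = @resource.public_send(prop); @results << ["its(#{prop})", t.call]; end
  def should(matcher); matcher.call(@subject); end
  def exist;     ->(s) { s.exist? }; end            # matcher specific to the file resource
  def match(re); ->(s) { re.match?(s.to_s) }; end   # matcher usable on any property value
end

# control block: metadata plus one or more describe blocks.
class Control
  attr_reader :name, :meta, :results
  def initialize(name, &body)
    @name, @meta, @results = name, {}, []
    instance_eval(&body)
  end
  %i[impact title desc ref].each { |k| define_method(k) { |v| @meta[k] = v } }
  def file(path); FileResource.new(path); end
  def describe(resource, &tests)
    @results.concat(Describe.new(resource).tap { |d| d.instance_eval(&tests) }.results)
  end
  def passed?; @results.all? { |_, ok| ok }; end
end

# The control itself, laid out as the chapter describes (name and ref text are made up).
def hello_control(path)
  Control.new('hello-world-1.0') do
    impact 1.0
    title  'Greeting file is present'
    desc   'The file must exist and contain the greeting.'
    ref    'Example policy, section 1 (placeholder)'
    describe file(path) do
      it { should exist }
      its('content') { should match(/Hello World/) }
    end
  end
end

# Demo: this script exists and contains the greeting text, so both tests pass.
p hello_control(__FILE__).results if __FILE__ == $PROGRAM_NAME
```

The body of `hello_control` uses the same keywords a real control file would; with InSpec itself, that block would live in a control file and be run by InSpec rather than by these toy classes.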



So, we are at the end of this chapter.

Now, you know the main building blocks of InSpec: controls, resources and matchers.

You learned about the three parts of an assertion and have seen the differences between universal matchers and resource-specific matchers.

In the next chapter, you will see how you can use profiles to package controls for a given topic.


