3

What is the idiomatic way to tell Inspec to run test X on OS version A and test Y on OS version B? I'm aware of the technique of dumping the Chef node object to a JSON file in /tmp but that isn't doing it for me as that runs within the Test Kitchen VM whereas Inspec executes on the real host and therefore can't see it.

Gaius
  • 1,076
  • 9
  • 17
  • May I ask why you run the inspec tests from test kitchen instead of during the node run with for exemple the chef-audit cookbook ? From what you describe, inspec run in a temporary VM targetting a real host, why not running inspec on the real host itself ? – Tensibai Sep 24 '18 at 08:27
  • Inspec on a real host targeting a temporary VM in which runs the entire run list – Gaius Sep 24 '18 at 08:37
  • So turn the other way, why not running inspec within the VM ? – Tensibai Sep 24 '18 at 09:04
  • Because in my use cases it needs to see things that the VMs do not/cannot see – Gaius Sep 24 '18 at 11:29
  • At this point you'd better [edit] your question to give more context. I highly suspect this will turn into a XY question and should be asked on #inspec channel on chef's slack instead. the StackExchange format won't help much I think. – Tensibai Sep 24 '18 at 11:56

1 Answers1

3

What I would suggest, like comments under your post, is to take this to the #inspec channel on the Chef Community Slack to ask there. That said, here's how I might attack this:

control 'some-control-slug' do
  title 'My control'
  impact 1.0
  desc 'Example code for Stack Exchange'

  if os.windows? && ::Gem::Version.new(os.release) < ::Gem::Version.new('6.1')
    # Only executed on Windows machines older than 2008r2
    describe directory('C:/Users') do
      it { should exist }
    end

  elsif os.windows? && ::Gem::Version.new(os.release) >= ::Gem::Version.new('10')
    # Only executed on Windows Server 2016 or newer
    describe directory('D:/MyFolder') do
      it { should_not exist }
    end

  end

  # Executed on all host types
  describe sys_info do
    its('hostname') { should match(/SomeAwesomeHost/i) }
  end
end

Additionally, you can limit the entire inspec control with Chef-like hooks, such as only_if. The above example code, as written, may execute on a Linux target. We could limit all of them by placing the following up near the desc or title:

only_if { os.windows? }
TheLonelyGhost
  • 146
  • 3