Molecule: Consideration for adding another verifier: inspec

Created on 21 Dec 2017  ·  26 Comments  ·  Source: ansible-community/molecule

Issue Type

  • Feature request

Molecule and Ansible details

ansible 2.4.2.0
molecule, version 2.5.0
  • Molecule installation method: pip
  • Ansible installation method: pip

Desired Behaviour

Add the ability to use inspec as a verifier.

Actual Behaviour (Bug report only)

Only goss or testinfra are available. We have some experience/code with inspec that we would like to leverage in the verification step. If we do a PR that adds experimental capability, would you be open to it?

For example, this is what I have hacked up:

(venv) m-gwg8wl:ansible-windows [email protected]$ molecule verify
--> Test matrix

└── default
    └── verify

--> Scenario: 'default'
--> Action: 'verify'
--> Executing Inspec tests found in /Users/s003477/code/ansible-windows/molecule/default/tests/...
WARN: Unresolved specs during Gem::Specification.reset:
      net-ssh (< 5.0, >= 2.6.5, >= 2.9)
      multi_json (~> 1.10)
      winrm-fs (~> 1.0)
      docker-api (~> 1.26)
      thor (~> 0.19)
      rspec (~> 3)
      addressable (~> 2.4)
      diff-lcs (< 2.0, >= 1.2.0)
WARN: Clearing out unresolved specs.
Please report a bug if this causes problems.

    Profile: tests from /Users/s003477/code/ansible-windows/molecule/default/tests/ansible_windows.rb (tests from .Users.s003477.code.ansible-windows.molecule.default.tests.ansible_windows.rb)
    Version: (not specified)
    Target:  winrm://vagrant@http://192.0.2.133:5985/wsman:3389


      File c:\windows\system.ini
         ✔  should exist

    Test Summary: 1 successful, 0 failures, 0 skipped
Verifier completed successfully.

$ cat /Users/s003477/code/ansible-windows/molecule/default/tests/ansible_windows.rb
# Minimal InSpec control: the single-quoted Windows path keeps its backslashes literal
describe file('c:\windows\system.ini') do
  it { should exist }
end

enhancement

Most helpful comment

You guys win :)

All 26 comments

Forgot that these were the molecule.yml values:

```yaml
verifier:
  name: inspec
  options:
    password: vagrant
    target: winrm://[email protected]
  env:
    no_proxy: 192.0.2.133
```

Hi @mkinney ! I have held off on inspec for few reasons.

  • The way one must configure inspec to connect to the instances. It doesn't piggy back on the existing ansible_connection options that Molecule sets up, where Testinfra uses the ansible connection. This means testinfra can simply connect to the instances the same way Ansible does, and supports all the drivers Ansible does.

  • Molecule v1 used to support Serverspec but it was removed in v2. Molecule is somewhat biased, and supporting too many verifiers is tricky with limited time and knowledge of such verifiers.

  • Ability to target host(s) for a particular test file or group of test files.

I would prefer to hold off on such a feature.

Not going to support inspec at this time.

Example role with inspec support https://github.com/jugatsu/ansible-role-pritunl-server. A little bit hacky :)

InSpec support will be a big win btw.

@retr0h if we were able to work around concerns 1 and 3, would 2 be a blocker?

We can put some time and energy into finding ways to integrate better, but don't want to do it if the intent is to stay away from inspec regardless.

@eshamow why is it you wish to use InSpec vs Goss or Testinfra? What benefit does it provide?

@eshamow inspec is my favourite because of:

  1. lots of resources https://www.inspec.io/docs/reference/resources/

  2. active development under Chef, Inc. support

  3. great for TDD and compliance-as-code

  4. supports ssh, winrm and docker connections and doesn't require any dependencies on the instance

  5. clean syntax compared to testinfra

@eshamow any updates on this issue?

@retr0h Sorry missed the first update on this.

I'd second @jugatsu's arguments, and add that I have a pretty large library of mocks and doubles that are developed in inspec that are non-trivial to port to another language/test suite.

We have used inspec to train our security teams and other groups to communicate requirements with us in terms of test feedback. As a result we have large groups writing tests against all sorts of integrations and doubles written against Inspec, and we use those in our molecule tests to verify compliance.

@retr0h

This would be a great addition. I have been stuck on molecule version 1 because I run both linux and windows servers using the same boiler plate code to stick everything together. The reason I am stuck on version 1 is that once we lost server spec verifier support we lost Windows support (which works great in version 1 btw).

I agree with dropping server spec in the sense that it is old and not that well maintained and I think that adding an inspec verifier would be a fantastic solution to bring unofficial Windows support back to molecule and allow me to upgrade all of our box repositories to molecule v2!!!

Hi @jamesla -

I have some questions about inspec. Currently Goss and testinfra are able to test all of the drivers Molecule supports b/c testinfra simply uses the Ansible connection backend. So anything Ansible can connect to, testinfra can as well. Super simple. Goss is also able to test all drivers, simply b/c Ansible connects to the instances and installs the binary locally.

My question about inspec is its ability to test all drivers Molecule supports. I understand we can use ssh to connect to ec2, gce, azure, openstack, and vagrant. It appears inspec has docker support as well. Does inspec support lxc and lxd testing? Also, can I supply an ssh config file to inspec in the case where Molecule users are using the delegated driver, and simply wish to provide the connection options on their own.

I do understand your concern, and appreciate your patience.

@jamesla Also, how do you target a specific test file to a subset of hosts?

@retr0h https://github.com/jugatsu/ansible-role-pritunl-server/blob/master/test/test.sh

Just run inspec executable against target hosts.
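The two open questions above (how inspec reaches each instance, and how a test file is scoped to a subset of hosts) come down to deriving `inspec exec` invocations from the connection variables Ansible already holds. The following is an added illustration, not code from molecule or from anyone in this thread: the inventory, the test-file-to-group matrix and all host names, addresses and key paths are constructed for the example, and only InSpec CLI flags that exist today are used (`-t`/`--target`, `-i`/`--key-files`, `--password`, `--sudo`, `--reporter`).

```ruby
# Added example (not molecule's code): map Ansible-style host vars to
# `inspec exec` argv, one invocation per (test file, matching host).
require 'shellwords'

# Constructed inventory in the shape of Ansible host_vars (hypothetical values).
INVENTORY = {
  'web01'   => { 'ansible_host' => '192.0.2.10',  'ansible_user' => 'vagrant',
                 'ansible_connection' => 'ssh', 'ansible_port' => 2222,
                 'ansible_ssh_private_key_file' => '/tmp/web01.key',
                 'groups' => %w[web linux] },
  'win01'   => { 'ansible_host' => '192.0.2.133', 'ansible_user' => 'vagrant',
                 'ansible_connection' => 'winrm', 'ansible_password' => 'vagrant',
                 'groups' => %w[windows] },
  'cache01' => { 'ansible_host' => '192.0.2.20',  'ansible_user' => 'deploy',
                 'ansible_connection' => 'ssh', 'groups' => %w[cache linux] },
}.freeze

# Constructed mapping of test files to the inventory groups they target
# (hypothetical paths); this is the "which hosts does this file apply to" knob.
TEST_MATRIX = {
  'tests/linux_baseline.rb' => %w[linux],
  'tests/web.rb'            => %w[web],
  'tests/windows.rb'        => %w[windows],
}.freeze

# Build the -t target URI and auth flags for one host from its Ansible vars.
def inspec_target_args(vars)
  user = vars.fetch('ansible_user')
  host = vars.fetch('ansible_host')
  case vars.fetch('ansible_connection', 'ssh')
  when 'ssh'
    port = vars.fetch('ansible_port', 22)
    args = ['-t', "ssh://#{user}@#{host}:#{port}", '--sudo']
    key = vars['ansible_ssh_private_key_file']
    args += ['-i', key] if key  # reuse the key Ansible already uses
    args
  when 'winrm'
    port = vars.fetch('ansible_port', 5985)
    # The password ends up in the process list; outside a throwaway lab,
    # prefer an environment variable or an InSpec input file instead.
    ['-t', "winrm://#{user}@#{host}:#{port}",
     '--password', vars.fetch('ansible_password')]
  else
    raise ArgumentError, "unsupported ansible_connection #{vars['ansible_connection']}"
  end
end

# Hosts whose group membership intersects the groups a test file targets.
def hosts_for(test_file, inventory = INVENTORY, matrix = TEST_MATRIX)
  wanted = matrix.fetch(test_file)
  inventory.select { |_, vars| (vars.fetch('groups') & wanted).any? }.keys
end

# One argv per (test file, host) pair; arrays are safe to hand to Kernel#system
# without shell interpolation.
def inspec_commands(inventory = INVENTORY, matrix = TEST_MATRIX)
  matrix.keys.flat_map do |test_file|
    hosts_for(test_file, inventory, matrix).map do |name|
      ['inspec', 'exec', test_file,
       *inspec_target_args(inventory[name]), '--reporter', 'cli']
    end
  end
end

if $PROGRAM_NAME == __FILE__
  inspec_commands.each { |argv| puts Shellwords.join(argv) }
end
```

Run as a script it prints four commands: the Linux baseline file against web01 and cache01, the web file against web01 only, and the Windows file over WinRM against win01. A real verifier would read the inventory Molecule already writes for the scenario rather than the constructed hash, and would treat a file with no matching hosts as a configuration error rather than silently skipping it.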

Guys, I don't understand why we even debated about inspec support :) IMO inspec is a must-have for every modern framework, especially molecule :)

@jugatsu I have already stated why.

I have an idea.

You guys win :)

Doesn't that mean that we all win? 😀

How can we help?


Mike Kinney

On Apr 18, 2018, at 7:00 PM, John Dewey notifications@github.com wrote:

You guys win :)


Thank you for supporting this!

Reading this thread gave me feels... thanks @retr0h
However... I can't get inspec to be invoked. Is there an issue I should be watching?

I'm an idiot - should have invoked the scenario with --verifier-name inspec

Or change your molecule.yml's verifier.name to inspec.

Yeah, I tried that, but I got

└── inspec
    └── verify

--> Scenario: 'inspec'
--> Action: 'verify'
Skipping, no tests found.

The problem was that no controls could be found (wrong dir).
Inspec goes out of its way to make compliance easy to reproduce across scenarios, distributing them as profiles in the chef supermarket or git repos even. I had naively wanted to have something like:

```yaml
verifier:
  name: inspec
  profile:
    url: https://github.com/EGI-Foundation/ansible-style-guide
  lint:
    name: rubocop
```

or something like that. If I find some time, I'll try to send a PR for this...

Oh.... now that's cool. You can see my lack of inspec knowledge while implementing this feature.
Would a person ever test multiple profiles along with additional local test files?

Could we do something like:

```yaml
verifier:
  name: inspec
  profiles:
    - url: https://github.com/EGI-Foundation/ansible-style-guide
    - url: https://...
    - url: https://...
  lint:
    name: rubocop
```

Also, what is the command inspec would use to execute a remote profile? Must the profile be downloaded before hand or will inspec take care of that?

Yes, absolutely. The profiles are usually developed by Ops or the InfoSec team, so they are the ones sending the devs the profiles that their applications have to pass. There is a dependency mechanism, just like with Ansible roles.
See https://www.inspec.io/docs/reference/profiles/

I have taken a look at the code for generating the verify.yml as well. I have thoughts :face_with_head_bandage: Best open another issue on this to discuss this inspec integration there.

Let's be straight though: adding inspec to molecule is a huge frikkin win for everyone. I don't want to give you the impression that not enough has been done by you, the maintainer! On the contrary... I really hope to find some free time soon to send a PR for how I think this should work.

Thanks for the work so far!
