3. chef.io
Chef uses it Extensively
Projects are Complementary
Provisioning is Essential
Product, Operations, Development, and Consulting
Servers need Configuration Management
Lots of Shared Users, Integrations, and Events
4.
What is Chef?
Chef Software (the company)
Our mission is to help the most enduring and transformative
companies use Chef to become fast, efficient, and innovative
software-driven organizations.
Chef Infra (the software)
Infrastructure automation to provision, harden and maintain
configuration state.
5.
What is Terraform?
Terraform allows you to write simple code to define and provision infrastructure.
Terraform is not a configuration management tool. Using provisioners, Terraform
lets any configuration management tool be used to set up a resource once
it has been created.
Terraform has many providers that allow you to define resources across any
cloud provider or other services.
8.
● Manages deployment and on-going
automation
● Define reusable resources and infrastructure
state as code
● Scale elegantly from one to tens of thousands
of managed nodes across multiple complex
environments
● Community, Certified Partner, and Chef
supported content available for all common
automation tasks
Chef Infra
Infrastructure as Code
# Windows recipe: enable the IIS roles and create an application pool
# (windows_feature is a built-in resource; iis_pool comes from the iis cookbook)
windows_feature 'IIS-WebServerRole' do
  action :install
end

windows_feature 'IIS-ASPNET' do
  action :install
end

iis_pool 'FooBarPool' do
  runtime_version '4.0'
  action :add
end

# Linux recipe: install Apache, render its config from a template, start the service
# (package and service names vary by platform: httpd on RHEL, apache2 on Debian/Ubuntu)
package 'apache' do
  action :install
end

template '/etc/httpd/httpd.conf' do
  source 'httpd.conf.erb'
  mode '0644'   # config file: readable, not executable, root-owned
  owner 'root'
  group 'root'
end

service 'apache2' do
  action :start
end
10.
Chef Provisioner
Uses the Chef Infra Server, requires Connection
SSH, WinRM
All Bootstrap Options Available
Versions, secrets, proxies, etc.
Assign Run List to the Node
Policyfiles or Roles and Environments
Documentation
https://www.terraform.io/docs/provisioners/chef.html
13.
Chef Provider
Missing Features
Cookbooks, Policyfiles, Clients, ACLs
Documentation
https://www.terraform.io/docs/providers/chef/index.html
Code
https://github.com/terraform-providers/terraform-provider-chef
Manages Chef resources on the Chef Server
Environments, Roles, Data Bags, Nodes
15.
● Application automation that enables modern application teams to build, deploy, and
manage any application in any environment - from traditional to containerized
microservices.
● Explicit dependency declarations
● Automated container builds
● Immutable build artifacts
● Release channels for CD workflow
● Consistent management of any application on any platform
Chef Habitat
Applications as Code
16. Application-Centric Operations with Habitat
Habitat splits the platform-independent part of the application from the platform-dependent part
[Diagram: Build (platform-independent) -> Export -> Deploy (platform-dependent) -> Manage, with the Supervisor ring handling the Manage stage]
17. Building Applications with Habitat
[Diagram: Packaging Applications: Plan -> Depot -> Artifact; Running Applications: User -> Artifact -> services each run under a Supervisor, on bare metal, containers, images, or VMs]
18. What's Different about Habitat?
[Diagram: traditional applications stack Application on top of Libraries on top of the Operating System; Habitat packages bundle the Application & Libraries together on top of the OS]
20.
Chef Habitat Provisioner
Install and Load Supervisor and Services
The Habitat Supervisor deploys and manages applications
Configures peers and rings for the supervisor
Service Configuration
Settings for services, topologies and upgrade strategies
Bindings with other applications
Documentation
https://www.terraform.io/docs/provisioners/habitat.html
21.
● Clearly express statements of policy
● Move risk to build/test from runtime
● Find issues early
● Write code quickly
● Run code anywhere
● Inspect machines, data, and APIs
● 100s of Resources
Chef InSpec
Compliance and Security as Code
[Diagram: Part of a process of continuous compliance: Scan for Compliance -> Build & Test Locally -> Build & Test in CI/CD -> Remediate -> Verify]
[Figure: a simple example of an InSpec CIS rule]
22.
● Chef is the first CIS Partner Certified on
AWS, Azure, and GCP!
● Write compliance policies for all
aspects of cloud configuration
● Virtual machines
● Security groups
● Block storage security policies
● Networking
● Identity and access management
● Log management
InSpec Cloud Verification
23.
Kitchen-Terraform
Annie Hedgpeth's HashiTalks Session
Shifting Security and Sanity Left by Testing Terraform with InSpec
http://www.anniehedgie.com/kitchen-terraform-and-inspec
Test Kitchen is a Testing Framework
'terraform apply' with Chef (or other) Providers and resources
InSpec as the Verifier
InSpec profiles are executed against the resources, including cloud APIs
Code
https://github.com/newcontext-oss/kitchen-terraform
24.
-----> Starting Kitchen...
$$$$$$ Running command `terraform init...`
...
$$$$$$ Running command `terraform apply...`
...
docker_container.ubuntu: Creation complete after 1s...
Apply complete! Resources: 2 added, 0 changed, 0 destroyed.
...
Finished converging <example-ubuntu>...
...
-----> Verifying <example-ubuntu>...
Verifying host 'localhost' of system 'container'
...
✔ operating_system: the operating system is Ubuntu
...Profile Summary: 1 successful control, 0 control failures, 0 controls skipped
Example Kitchen-Terraform
25.
InSpec-Iggy
InSpec plugin for generating compliance controls from Terraform
Maps Terraform resources to InSpec resources and exports a profile
inspec terraform generate
Create InSpec profile from terraform.tfstate file's resources
inspec terraform negative
InSpec profile for finding infrastructure not managed by Terraform
Code
https://github.com/mattray/inspec-iggy
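As an added example (not inspec-iggy's own code), a small Ruby script that shows both commands on this slide against a constructed terraform.tfstate: generating one InSpec control per managed resource, and listing inventory ids the state does not know about. RESOURCE_MAP, SAMPLE_STATE and SAMPLE_INVENTORY are assumptions made for the example.

```ruby
require 'json'
# Assumed mapping (not inspec-iggy's own table): Terraform type => [InSpec resource, id attribute].
RESOURCE_MAP = { 'aws_security_group' => ['aws_security_group', 'id'],
                 'aws_instance' => ['aws_ec2_instance', 'id'] }.freeze
# Flatten terraform.tfstate (format version 4) into [type, name, attrs] triples;
# data sources are skipped because only managed resources are Terraform's to verify.
def managed_resources(state)
  state.fetch('resources', []).flat_map do |r|
    next [] unless r['mode'] == 'managed'
    r.fetch('instances', []).map { |i| [r['type'], r['name'], i['attributes']] }
  end
end

# 'inspec terraform generate': one InSpec control per mapped resource (unmapped types skipped).
def generate_controls(state)
  managed_resources(state).map do |type, name, attrs|
    inspec_res, id_attr = RESOURCE_MAP[type]
    next unless inspec_res
    "control '#{type}.#{name}' do\n" \
    "  describe #{inspec_res}(#{id_attr}: '#{attrs[id_attr]}') do\n" \
    "    it { should exist }\n  end\nend\n"
  end.compact
end

# 'inspec terraform negative': ids in a cloud inventory (type => [ids]) that the state
# does not contain, i.e. infrastructure Terraform is not managing.
def unmanaged(state, inventory)
  known = Hash.new { |h, k| h[k] = [] }
  managed_resources(state).each do |type, _, attrs|
    id_attr = RESOURCE_MAP.dig(type, 1)
    known[type] << attrs[id_attr] if id_attr
  end
  inventory.each_with_object({}) do |(type, ids), out|
    extra = ids - known[type]
    out[type] = extra unless extra.empty?
  end
end
# Constructed sample state and inventory; the ids are placeholders, not real resources.
SAMPLE_STATE = JSON.parse(<<~JSON)
  {"version": 4, "resources": [
    {"mode": "managed", "type": "aws_security_group", "name": "web",
     "instances": [{"attributes": {"id": "sg-0example01", "name": "web"}}]},
    {"mode": "managed", "type": "aws_instance", "name": "app",
     "instances": [{"attributes": {"id": "i-0example01"}}]},
    {"mode": "data", "type": "aws_ami", "name": "ubuntu",
     "instances": [{"attributes": {"id": "ami-0example01"}}]}]}
JSON
SAMPLE_INVENTORY = { 'aws_security_group' => %w[sg-0example01 sg-0rogue01], 'aws_instance' => %w[i-0example01] }.freeze
p unmanaged(SAMPLE_STATE, SAMPLE_INVENTORY) # {"aws_security_group"=>["sg-0rogue01"]}
```

Run `puts generate_controls(SAMPLE_STATE)` to see the emitted controls; a real profile would also need an inspec.yml declaring the inspec-aws dependency.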