The introduction of Infrastructure as Code (IaC) has had a profound impact on the world of Cloud and DevOps. With IaC, the tedious process of manually deploying and maintaining infrastructure is replaced by automation that deploys, destroys, monitors, and replicates your infrastructure as and when required.
Infrastructure as Code platforms have been on the rise since automated provisioning of infrastructure came into demand. Today, we have cloud-specific IaC tools like CDK and tools with multi-cloud support like Terraform and Pulumi.
As reliance on IaC increases, it is important to ensure that quality coding standards persist. One of the key factors in improving code quality and development efficiency is testing. For IaC especially, testing is an important practice for checking all resources and their configuration before proceeding with deployment.
This article provides a brief overview of different types of tests carried out in AWS CDK.
AWS Cloud Development Kit (CDK) is a framework developed by AWS to specify and provision Cloud Infrastructure in familiar programming languages. Deployment in CDK is carried out through AWS CloudFormation.
AWS CDK supports the following programming languages:
CDK uses high-level constructs to define resources and their configuration. A CDK deployment synthesizes and deploys a CloudFormation template. CDK also supports importing and exporting of values across Stacks.
With new versions being released regularly, CDK has shown remarkable progress in a short amount of time, making it one of the most user-friendly and powerful tools for provisioning AWS cloud infrastructure.
Testing is a crucial part of any software development life cycle. And there should be no exception for IaC. But why should we test? Especially when modern IaC tools have auto rollback functionality in case any errors exist in the template.
For AWS, as the cloud architecture scales up, Stacks start piling up in the CloudFormation interface. As complexity and interdependencies increase, the code becomes more susceptible to errors. Manual code reviews would capture some issues but would always be prone to human error.
Failing to identify security issues before deployment can cause major problems. The aftermath might include damage to the currently deployed environment as well as unwanted financial impact.
This is where automated tests come into the picture. Even implementing unit tests in your IaC project can save several man-hours of bug hunting. Some platforms come with a built-in testing framework while some require the usage of third-party tools.
Terratest is an automated testing framework for IaC, written in Go, that supports multiple infrastructure provisioning tools like Terraform, Docker, Kubernetes, etc. Sentinel is a policy-as-code assessment tool that can help ensure the infrastructure to be deployed is compliant with all regulatory policies. Several such tools exist, making a developer's life a lot easier!
Testing strategies in CDK can be essentially categorized into three types:
- Snapshot testing
- Fine-grained assertions
- Validation testing
Snapshot tests compare a synthesized AWS CloudFormation template with the master template. A snapshot test can help identify any unnecessary modifications to the template before deployment. If the modifications are intentional, the master template snapshot can be replaced to reflect the latest changes. Snapshots can be easily maintained as they can be updated anytime. However, CDK upgrades can introduce changes in synthesized CloudFormation templates, causing tests to fail needlessly.
Fine-grained assertions can be used to test each element of the AWS CloudFormation template in detail. Resource creation, resource properties, resource count, etc. can be easily checked using fine-grained assertions. Details about other template elements like outputs, parameters, and conditions can also be easily compared. Fine-grained assertions are the most preferred type of test as they help test every little detail of the generated template. From a maintenance point of view, tests need to be updated regularly to reflect any intentional updates in the CloudFormation template.
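The contrast between the two strategies above, as an added example that is not from the original article and does not use the CDK library. It runs both kinds of check over a constructed template; the bucket, its properties and the helper names are assumptions made for illustration.

```python
import copy

# Expected properties for the fine-grained assertion (constructed sample).
ENCRYPTED = {"BucketEncryption": {"ServerSideEncryptionConfiguration": [
    {"ServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms"}}]}}

# Constructed stand-in for the stored master snapshot of a synthesized template.
MASTER = {"Resources": {"LogsBucket": {
    "Type": "AWS::S3::Bucket",
    "Properties": {**copy.deepcopy(ENCRYPTED),
                   "PublicAccessBlockConfiguration": {"BlockPublicAcls": True}},
    "Metadata": {"aws:cdk:path": "Demo/LogsBucket/Resource"},
}}}

def snapshot_diff(master, current, path=""):
    """Snapshot test: return every path where the two templates differ."""
    if isinstance(master, dict) and isinstance(current, dict):
        out = []
        for key in sorted(set(master) | set(current)):
            sub = f"{path}/{key}"
            if key not in master or key not in current:
                out.append(sub)
            else:
                out += snapshot_diff(master[key], current[key], sub)
        return out
    return [] if master == current else [path]

def matches(actual, expected):
    """Partial match: every expected key/value must appear in actual."""
    if isinstance(expected, dict):
        return isinstance(actual, dict) and all(
            k in actual and matches(actual[k], v) for k, v in expected.items())
    if isinstance(expected, list):
        return (isinstance(actual, list) and len(actual) == len(expected)
                and all(matches(a, e) for a, e in zip(actual, expected)))
    return actual == expected

def resources_with(template, rtype, props):
    """Fine-grained assertion helper: logical IDs of matching resources."""
    return [lid for lid, res in template["Resources"].items()
            if res["Type"] == rtype and matches(res.get("Properties", {}), props)]

# A harmless metadata-only change versus a real regression (encryption removed).
upgraded = copy.deepcopy(MASTER)
upgraded["Resources"]["LogsBucket"]["Metadata"]["aws:cdk:path"] = "Demo/LogsBucket/Default"
regressed = copy.deepcopy(MASTER)
del regressed["Resources"]["LogsBucket"]["Properties"]["BucketEncryption"]
```

The metadata-only change fails the snapshot comparison while the encryption assertion still passes; removing the encryption block fails both.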
Validation tests check if values passed through props are within the range of values defined for them by the user. Constraints can be set for props passed to the stack. Validation tests verify that an error is thrown if the values passed do not comply with the defined constraints. These tests are generally applied for testing whether numeric props fall within the defined range of numbers set for them.
The importance of testing in IaC applications cannot be overstated. With rapidly growing complex infrastructures, having any tests for your code is better than having no tests. The CDK testing strategies mentioned in this article can help test all aspects of the CloudFormation template.
Make sure to stick around for upcoming blogs as they will cover each of these tests in detail.
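A validation test in miniature, as an added example that is not from the original article and does not use the CDK library. `DemoStack`, the prop names and their ranges are hypothetical; the point is that construction fails before any resource is defined, and that the test exercises the boundary values.

```python
# Hypothetical constraints for a stack's numeric props: name -> (min, max).
CONSTRAINTS = {"retention_days": (1, 365), "max_instances": (1, 10)}

def validate_props(props, constraints=CONSTRAINTS):
    """Return a list of violations; an empty list means the props are valid."""
    errors = []
    for name, (low, high) in constraints.items():
        if name not in props:
            errors.append(f"{name}: missing")
            continue
        value = props[name]
        # bool is a subclass of int in Python, so reject it explicitly.
        if isinstance(value, bool) or not isinstance(value, int):
            errors.append(f"{name}: expected an integer, got {value!r}")
        elif not low <= value <= high:
            errors.append(f"{name}: {value} is outside {low}..{high}")
    return errors

class DemoStack:
    """Stand-in for a CDK stack: validates props before defining resources."""
    def __init__(self, props):
        errors = validate_props(props)
        if errors:
            raise ValueError("; ".join(errors))
        self.props = dict(props)

def raises_value_error(props):
    """Validation-test helper: True if constructing the stack is rejected."""
    try:
        DemoStack(props)
    except ValueError:
        return True
    return False
```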
JTP Co., Ltd.