Chef Infra Best Practices: #2 Serve-up Continuous Compliance with Chef Infra Compliance Phase

Second installment of the Shape-Up Your Infrastructure Webinar Series – “Configure Chef Infra & Compliance Using Built-In Functionality”.    

Today, pretty much any IT system used to transact business or store customer data is subject to some level of compliance regulation and needs to be audited. The responsibility for conducting audits and ensuring systems are compliant has fallen on the shoulders of corporate security and compliance teams. The adoption of DevOps and automation practices like infrastructure as code (IaC) has helped improve compliance by eliminating configuration issues caused by human error and by making it possible to patch and remediate non-compliant systems faster. But in most organizations, DevOps and Security teams still work independently of each other, collaborating via ticket systems and spreadsheets. As a result, releases are often delayed by compliance and security audits, along with the fire drills and rework that result from failed audits.

Just like so many other challenges faced by organizations undergoing digital transformation, the solution to eliminating compliance and audit delays is automation. Chef InSpec was one of the first open source, code-based compliance solutions focused on providing Dev, Ops and Security teams with a common platform for automating compliance and security audits across their entire fleet. By combining the power of Chef InSpec with Chef Infra, DevSecOps teams could not only automate audits but also automatically check the compliance status of systems at any time and automatically remediate systems that for some reason fell out of compliance.

This pattern has come to be known in the Chef world as “Detect, Correct and Automate”, and prior to the introduction of Chef Infra Compliance Phase it relied on the Chef Infra Audit Cookbook. With the introduction of Chef Infra Compliance Phase, the Audit Cookbook will no longer be necessary, and Chef Infra Client users can automatically execute compliance audits and view the results in Chef Automate as part of any Chef Infra Client run.

Chef Infra Compliance Phase: Overview  

The introduction of Chef Infra Compliance Phase simplifies the workflow needed to run compliance audits, view results and do analysis. It extends our policy-based approach to configuration, enabling a single agent that can handle the end-to-end workflow from state enforcement to data aggregation to validation.

Key Features of the New Chef Infra Compliance Phase available in Chef Infra 17 Include:  

  • Tighter Integration: The first of many steps to better integrate traditional Infra management with compliance 
  • Zero Dependencies: Compliance out of the box without the need for dependency solving or management of cookbook dependencies 
  • Simplified Upgrade: Compliance code upgrades with your Chef Infra Client releases so you always have a working solution 
  • Reduced Server Dependency: No cookbook code to fetch from the server. Perfect for high latency environments 

Currently Chef Infra Compliance Phase is available for beta testing only. If you are interested in joining the early adopter program or have feedback on current functionality, contact Chef Infra Product Manager Tim Smith (@tas50) on the Chef Community Slack Channel.  

The “Shape-up Your Infrastructure Automation” webinar series will continue through 2021.

Heather Peyton

Heather was a Product Marketing Director at Chef responsible for messaging around the Chef Enterprise Automation Stack. Prior to Chef, Heather held DevOps-related positions at CA and Worksoft. Heather started her tech career working for CompuCom, a large VAR/SI, where she focused on helping large organizations evaluate and deploy new and transformative technologies.