Infrastructure Testing with Python — Core Concepts

Why infrastructure needs tests

Infrastructure used to be physical servers that rarely changed. Today, infrastructure is code — Terraform files, Ansible playbooks, Kubernetes manifests. Code changes frequently, and frequent changes introduce bugs. Infrastructure bugs are particularly dangerous: a misconfigured firewall can expose sensitive data, a wrong DNS entry can take down a website, a missing backup policy can lose years of data.

Testing infrastructure with Python applies the same rigor that software engineers bring to application code: write tests, run them automatically, and don’t deploy if they fail.

The testing pyramid for infrastructure

Just like application testing, infrastructure testing has layers:

Static analysis (fastest) — lint and validate configuration files before they’re applied. Tools like checkov (written in Python) scan Terraform, CloudFormation, and Kubernetes files for security misconfigurations and best-practice violations.

Unit tests — test individual infrastructure modules in isolation. If your Terraform module creates a VPC, unit tests verify it produces the expected resource configuration without actually creating anything in the cloud.

Integration tests — deploy real infrastructure in a test environment and verify it works. This is where Testinfra shines: after Ansible provisions a server, Testinfra connects via SSH and checks that packages are installed, services are running, and configs are correct.

End-to-end tests — verify the complete system works together. After deploying a full environment, tests check that the web server responds, the database accepts connections, the load balancer distributes traffic, and monitoring alerts fire when they should.

Key Python tools

Testinfra — a pytest plugin for testing actual server state. It connects to servers via SSH, Docker, or locally, and provides assertions for packages, services, files, ports, and more.

Checkov — a static analysis tool for infrastructure-as-code. It scans Terraform, CloudFormation, Kubernetes, and Dockerfile for hundreds of security and compliance rules.

Pulumi testing — if you use Pulumi (infrastructure-as-code in Python), you can write unit tests using standard pytest that verify resource properties without deploying.

Molecule — a testing framework for Ansible roles. It creates temporary environments (Docker containers or VMs), runs your Ansible role, then runs Testinfra tests to verify the result.

What to test

Focus on what hurts most when it breaks:

• Security boundaries — firewalls only allow expected traffic, SSH keys are rotated, encryption is enabled
• Service health — critical services are running and listening on expected ports
• Resource limits — disk space isn’t near capacity, memory limits are set, CPU quotas are in place
• Backup and recovery — backups run on schedule, restore procedures actually work
• DNS and certificates — domains resolve correctly, TLS certificates aren’t expired

Common misconception

“If my Terraform plan succeeds, my infrastructure is correct.” Terraform plan verifies syntax and resource dependencies, but it doesn’t check whether the resulting infrastructure actually does what you need. A security group might be syntactically valid but allow traffic from 0.0.0.0/0. Plan won’t catch that; a test will.

The one thing to remember: Infrastructure testing applies software testing discipline to servers and cloud resources — static analysis catches misconfigurations early, while integration tests verify that deployed infrastructure actually works as expected.