Skip to content
/ terraform-validator Public
forked from GoogleCloudPlatform/terraform-validator

Terraform Validator can run pre-deployment checks on Terraform plans for policy compliance.

github.com/forseti-security/policy-library

License

Apache-2.0 license
0 stars 93 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

AdrienWalkowiak/terraform-validator

BranchesTags
 
 

Repository files navigation

Terraform Validator

This tool is used to validate terraform plans before they are applied. Validations are ran using Forseti Config Validator.

Getting Started

To get started with Terraform Validator, please follow the user guide.

Example Usage

See the Auth section first.

Steps similar both for Terraform v0.11 and v0.12 versions

# The example/ directory contains a basic Terraform config for testing the validator.
cd example/

# Set default credentials.
export GOOGLE_APPLICATION_CREDENTIALS=/path/to/your/credentials.json

# Set a project to test with
export TF_VAR_project_id=my-project-id

# Set the local forseti-config-policies repository path.
export POLICY_PATH=/path/to/your/forseti-config-policies/repo

# Generate a terraform plan.
terraform plan --out=terraform.tfplan

Terraform v0.11

# Validate the google resources the plan would create.
terraform-validator validate --policy-path=${POLICY_PATH} ./terraform.tfplan

# Apply the validated plan.
terraform apply ./terraform.tfplan

Terraform v0.12

For 0.12 Terraform release validator required plan exported in JSON format

# Plan JSON representation. 
terraform show -json ./terraform.tfplan > ./terraform.tfplan.json

# Validate the google resources the plan would create.
terraform-validator validate --tf-version 0.12 --policy-path=${POLICY_PATH} ./terraform.tfplan.json

Apply validated plan

# Apply the validated plan.
terraform apply ./terraform.tfplan

Resources

The follow Terraform resources are supported for running validation checks:

  • google_compute_disk
  • google_compute_instance
  • google_compute_firewall
  • google_storage_bucket
  • google_sql_database_instance
  • google_project
  • google_organization_iam_policy
  • google_organization_iam_binding
  • google_organization_iam_member
  • google_folder_iam_policy
  • google_folder_iam_binding
  • google_folder_iam_member
  • google_project_iam_policy
  • google_project_iam_binding
  • google_project_iam_member

Testing

Unit

make test

Integration

First, build the Docker container:

make build-docker

See the Auth section for obtaining a credentials file, then start the Docker container:

export PROJECT_ID=my-project-id
export GOOGLE_APPLICATION_CREDENTIALS=$(pwd)/credentials.json
make run-docker

Finally, run the integration tests inside the container:

make test-integration

Auth

The terraform and the terraform-validator commands need to be able to authenticate to Google Cloud APIs. This can be done by generating a credentials.json file:

https://cloud.google.com/docs/authentication/production

Once you have a credentials file on your local machine, set the GOOGLE_APPLICATION_CREDENTIALS environment variable to point to the credentials file.

Disclaimer

This is not an officially supported Google product.

About

Terraform Validator can run pre-deployment checks on Terraform plans for policy compliance.

github.com/forseti-security/policy-library

Resources

Readme

License

Apache-2.0 license
Activity

Stars

0 stars

Watchers

0 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages

  • Go 88.8%
  • HCL 9.3%
  • Makefile 1.4%
  • Dockerfile 0.5%