Terraform Validator can run pre-deployment checks on Terraform plans for policy compliance.
morgante Merge pull request #82 from yukinying/interface
extract ancestry discovery logic into an interface
Latest commit 1206372 Oct 5, 2019
README.md

Terraform Validator

This tool is used to validate Terraform plans before they are applied. Validations are run using Forseti Config Validator.

Note: this tool supports Terraform v0.12 by default. To switch to use Terraform v0.11, please see the section Terraform v0.11.

Getting Started

To get started with Terraform Validator, please follow the user guide.

Example Usage

See the Auth section first.

Steps common to both Terraform v0.11 and v0.12

# The example/ directory contains a basic Terraform config for testing the validator.
cd example/

# Set default credentials.
export GOOGLE_APPLICATION_CREDENTIALS=/path/to/your/credentials.json

# Set a project to test with
export TF_VAR_project_id=my-project-id

# Set the local forseti-config-policies repository path.
export POLICY_PATH=/path/to/your/forseti-config-policies/repo

# Generate a terraform plan.
terraform plan --out=terraform.tfplan

Terraform v0.11

# Switch to use Terraform v0.11 dependencies.
make prepare-v11

# Then run the make command as usual.
make build

# Validate the google resources the plan would create.
terraform-validator validate --policy-path=${POLICY_PATH} ./terraform.tfplan

# Apply the validated plan.
terraform apply ./terraform.tfplan

# Restore to use Terraform v0.12.
make prepare-v12 build

Terraform v0.12

For the Terraform v0.12 release, the validator requires the plan to be exported in JSON format:

# Export the plan in JSON representation.
terraform show -json ./terraform.tfplan > ./terraform.tfplan.json

# Validate the google resources the plan would create.
terraform-validator validate --policy-path=${POLICY_PATH} ./terraform.tfplan.json

Apply validated plan

# Apply the validated plan.
terraform apply ./terraform.tfplan
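The v0.11 and v0.12 flows above, tied together as one fail-closed wrapper that runs `terraform apply` only when the validator exits 0 and that picks the binary plan or the JSON export from the installed Terraform version. This is an added example, not part of the terraform-validator repository; the TERRAFORM and VALIDATOR variables and the function names are the example's own (POLICY_PATH follows the README), and it assumes `terraform version` prints a first line beginning `Terraform v`.

```shell
#!/usr/bin/env sh
# Added example (not project code): gate `terraform apply` on terraform-validator.
# TERRAFORM / VALIDATOR are assumed override knobs so the binaries can be stubbed.
set -eu

TERRAFORM="${TERRAFORM:-terraform}"
VALIDATOR="${VALIDATOR:-terraform-validator}"

# Print the Terraform minor version ("0.11", "0.12") parsed from `terraform version`.
tf_minor_version() {
  "$TERRAFORM" version | sed -n 's/^Terraform v\([0-9]*\.[0-9]*\).*/\1/p' | head -n 1
}

# Write the plan and print the path the validator must read:
# the binary plan for v0.11, the `terraform show -json` export for v0.12 and later.
plan_for_validator() {
  plan="$1"
  "$TERRAFORM" plan --out="$plan" >&2
  case "$(tf_minor_version)" in
    0.11) printf '%s\n' "$plan" ;;
    *)    "$TERRAFORM" show -json "$plan" > "$plan.json"
          printf '%s\n' "$plan.json" ;;
  esac
}

# Validate the plan against POLICY_PATH and apply it only if validation passes.
# Returns 0 when applied, 1 when the validator blocked the plan (fail closed).
gated_apply() {
  plan="${1:-terraform.tfplan}"
  : "${POLICY_PATH:?set POLICY_PATH to your forseti-config-policies checkout}"
  input=$(plan_for_validator "$plan")
  if "$VALIDATOR" validate --policy-path="$POLICY_PATH" "$input"; then
    "$TERRAFORM" apply "$plan"
  else
    echo "terraform-validator reported violations; plan not applied" >&2
    return 1
  fi
}
```

Run it from the Terraform working directory with `gated_apply ./terraform.tfplan`; a non-zero exit means the plan was never applied.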

Resources

The following Terraform resources are supported for running validation checks:

  • google_compute_disk
  • google_compute_instance
  • google_compute_firewall
  • google_storage_bucket
  • google_sql_database_instance
  • google_project
  • google_organization_iam_policy
  • google_organization_iam_binding
  • google_organization_iam_member
  • google_folder_iam_policy
  • google_folder_iam_binding
  • google_folder_iam_member
  • google_project_iam_policy
  • google_project_iam_binding
  • google_project_iam_member

Testing

Unit

make test

Integration

First, build the Docker container:

make build-docker

See the Auth section for obtaining a credentials file, then start the Docker container:

export PROJECT_ID=my-project-id
export GOOGLE_APPLICATION_CREDENTIALS=$(pwd)/credentials.json
make run-docker

Finally, run the integration tests inside the container:

make test-integration

Auth

The terraform and the terraform-validator commands need to be able to authenticate to Google Cloud APIs. This can be done by generating a credentials.json file:

https://cloud.google.com/docs/authentication/production

Once you have a credentials file on your local machine, set the GOOGLE_APPLICATION_CREDENTIALS environment variable to point to the credentials file.

Disclaimer

This is not an officially supported Google product.
