Skip to content
Switch branches/tags

Latest commit


Git stats


Failed to load latest commit information.
Latest commit message
Commit time

CI/CD to secure and analyse your Terraform code using Amazon ECR, AWS CodeCommit, AWS CodePipeline, AWS CodeBuild and tfsec written in python using CDK!

The purpose of this repository is to demo how can we analyze and securize our Terraform code using a CI/CD Pipeline with a fully AWS services managed.


  • CDK installed: Getting started with the AWS CDK (Ensure the minimal version 1.103.0 to make it works)
  • AWS Account
  • IAM User or IAM role with permissions to create AWS Resources.
  • Git installed: Git installation
  • Clone this repo! : git clone
  • Python CDK required libraries: (install with pip install -r requirements.txt)



Provisioning the infrastructure

First of all, we must to be sure that we have an IAM user or a role that could be assumed with permissions to create AWS Resources to create

We can start deploying the infrastructure using the CDK cli:

git clone
cd aws-cdk-tfsec
pip install -r requirements.txt
cdk bootstrap aws://account_id/eu-west-1
cdk deploy --all

The infrastructure creation takes around 15/20 min due the AWS Codepipelines and references repository creation. In the meantime, you can clone the two new AWS CodeCommit repos that have been already created and push the example code. First one for the custom Docker image and later, for your Terraform code. Like this:

git clone
git checkout -b main
cd awsome-terraform-example-container
cp -aR repos/docker_image/* .
git add .
git commit -am "First commit"
git push origin main

Once our Docker image is built and pushed to the Amazon ECR, we can proceed with our Terraform repo


Like this:

git clone
git checkout -b main
cd awsome-terraform-example
cp -aR repos/terraform_code/* .
git add .
git commit -am "First commit"
git push origin main

Check our Terraform Pipeline

During the pipeline execution, we can check the security checks pased to our tfsec configuration


This configuration is running inside of an AWS Codebuild Container ith the configuration stated at buildspec_tfsec. We highly recommend you to check the tfsec documentation to review the configuration and modify as you need.

Besides this output, AWS Codebuild also exports the result of tfsec report on the Codebuild reports section


Our pipeline have several manual process:

  • Manual process to review the security checks passed via tfsec.
  • Manual process to review the Terraform plan output.


Bear in mind that AWS CodeBuild needs permissions to create AWS Resources. In this example, we have stated ec2:* permissions, but this must be modified based on the resources that we will need to create using Terraform. You can check the CDK code permissions (here)(terraform_pipeline/

Clean up

After completing your demo, delete your stack using the CDK cli:

cdk destroy --all


At AWS, we work in the culture of security. This repository try to demonstrate how to build a CI/CD pipeline using AWS Services to automate and secure your infrastructure as code (IaC) for Terraform using tfsec


See CONTRIBUTING for more information.


This library is licensed under the MIT-0 License. See the LICENSE file.


No description, website, or topics provided.



Code of conduct





No releases published


No packages published