
Lab 06: Terraform Security Compliance, Linting, Cost Estimation & Cost Difference

himanshumudgal08 edited this page Jun 16, 2022 · 4 revisions

Terraform Security Compliance, Linting, Cost Estimation & Cost Difference

To further examine our Terraform code for reusability, security and cost, we'll add the following checks to our Azure Pipeline: security compliance (tfsec), linting (tflint), cost estimation and cost difference (infracost).

Step 1: Add Security Compliance, Linting, Cost Estimation & Cost Difference in your pipeline


Step 2: Terraform | TFSEC


Here we are using tfsec as the compliance tool for our Terraform code.

Besides its built-in rules, tfsec lets us define custom checks for our own conventions (tags, naming, region) and report on their compliance in every pipeline run.

The custom checks file is stored alongside the code in the following way:


---
checks:
  - code: CUS001
    description: Custom check to ensure the Name tag is applied to the Resource Group module
    impact: By not having a Name tag we can't keep track of our resources
    requiredTypes:
      - module
    requiredLabels:
      - resource_group
    severity: MEDIUM
    matchSpec:
      name: tag_map
      action: contains
      value: Name
    errorMessage: The required Name tag was missing

  - code: CUS002
    description: Custom check to ensure the Environment tag is applied to the Resource Group module
    impact: By not having an Environment tag we can't keep track of our resources
    requiredTypes:
      - module
    requiredLabels:
      - resource_group
    severity: CRITICAL
    matchSpec:
      name: tag_map
      action: contains
      value: Environment
    errorMessage: The required Environment tag was missing

  - code: CUS003
    description: Custom check to ensure the Resource Group is created in the Australia East region
    impact: By not having our resources in Australia East we might see additional latency
    requiredTypes:
      - module
    requiredLabels:
      - resource_group
    severity: MEDIUM
    matchSpec:
      name: resource_group_location
      action: equals
      value: "Australia East"
    errorMessage: The required "Australia East" location was missing

  - code: CUS004
    description: Custom check to ensure the suffix is applied to all Resource Groups
    impact: By not having a suffix we can't keep track of our resources
    requiredTypes:
      - module
    requiredLabels:
      - resource_group
    severity: MEDIUM
    matchSpec:
      name: resource_group_name
      action: endsWith
      value: Opstree-POC
    errorMessage: The required suffix "Opstree-POC" was missing

  - code: CUS005
    description: Custom check to ensure the suffix is applied to all Virtual Networks
    impact: By not having a suffix we can't keep track of our Virtual Networks
    requiredTypes:
      - module
    requiredLabels:
      - vnet
    severity: MEDIUM
    matchSpec:
      name: vnet_name
      action: endsWith
      value: Opstree-POC
    errorMessage: The required suffix "Opstree-POC" was missing
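To make the semantics of the checks file concrete, here is an added example (not part of the lab or of tfsec itself) that evaluates the five checks above against a few constructed module blocks. It models how requiredTypes and requiredLabels scope a check to a block and what each matchSpec action (contains, equals, endsWith) asserts on the block's attributes; the Block class, the evaluate and worst_severity helpers and the sample blocks are assumptions made for the illustration, and the checks are written as Python data so the script runs without a YAML library.

```python
# Added example: a minimal evaluator for tfsec-style custom checks.
# Not tfsec's own code; it mirrors the matchSpec actions used in the lab's file.
from dataclasses import dataclass

# The five checks from the checks file above, as Python data (no YAML library needed).
CHECKS = [
    {"code": "CUS001", "severity": "MEDIUM", "requiredTypes": ["module"],
     "requiredLabels": ["resource_group"],
     "matchSpec": {"name": "tag_map", "action": "contains", "value": "Name"},
     "errorMessage": "The required Name tag was missing"},
    {"code": "CUS002", "severity": "CRITICAL", "requiredTypes": ["module"],
     "requiredLabels": ["resource_group"],
     "matchSpec": {"name": "tag_map", "action": "contains", "value": "Environment"},
     "errorMessage": "The required Environment tag was missing"},
    {"code": "CUS003", "severity": "MEDIUM", "requiredTypes": ["module"],
     "requiredLabels": ["resource_group"],
     "matchSpec": {"name": "resource_group_location", "action": "equals",
                   "value": "Australia East"},
     "errorMessage": 'The required "Australia East" location was missing'},
    {"code": "CUS004", "severity": "MEDIUM", "requiredTypes": ["module"],
     "requiredLabels": ["resource_group"],
     "matchSpec": {"name": "resource_group_name", "action": "endsWith",
                   "value": "Opstree-POC"},
     "errorMessage": 'The required suffix "Opstree-POC" was missing'},
    {"code": "CUS005", "severity": "MEDIUM", "requiredTypes": ["module"],
     "requiredLabels": ["vnet"],
     "matchSpec": {"name": "vnet_name", "action": "endsWith", "value": "Opstree-POC"},
     "errorMessage": 'The required suffix "Opstree-POC" was missing'},
]

SEVERITY_RANK = {"LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}


@dataclass
class Block:
    """One Terraform block (hypothetical model): type, first label, attributes."""
    type: str    # "module" or "resource"
    label: str   # e.g. "resource_group" for `module "resource_group" { ... }`
    attrs: dict  # attribute name -> value (strings, or a dict for tag maps)


def attribute_matches(spec, attrs):
    """Apply one matchSpec to a block's attributes. A missing attribute fails."""
    value = attrs.get(spec["name"])
    if value is None:
        return False
    action = spec["action"]
    if action == "equals":
        return value == spec["value"]
    if action == "endsWith":
        return isinstance(value, str) and value.endswith(spec["value"])
    if action == "contains":
        # For a map this tests the keys (tag names); for a list, the elements.
        return spec["value"] in value
    raise ValueError(f"unsupported matchSpec action: {action!r}")


def evaluate(checks, blocks):
    """Return (code, severity, block label, message) for every failed check."""
    findings = []
    for block in blocks:
        for check in checks:
            if block.type not in check["requiredTypes"]:
                continue
            if block.label not in check["requiredLabels"]:
                continue
            if not attribute_matches(check["matchSpec"], block.attrs):
                findings.append((check["code"], check["severity"],
                                 block.label, check["errorMessage"]))
    return findings


def worst_severity(findings):
    """Highest severity among the findings, or None when everything passed."""
    if not findings:
        return None
    return max((f[1] for f in findings), key=SEVERITY_RANK.__getitem__)


# Constructed sample input: three module calls as tfsec would see them.
SAMPLE_BLOCKS = [
    Block("module", "resource_group", {
        "resource_group_name": "rg-Opstree-POC",
        "resource_group_location": "Australia East",
        "tag_map": {"Name": "rg-Opstree-POC", "Environment": "dev"},
    }),
    Block("module", "vnet", {
        "vnet_name": "vnet-dev",                 # wrong suffix -> CUS005
        "tag_map": {"Name": "vnet-dev"},
    }),
    Block("module", "resource_group", {
        "resource_group_name": "rg-legacy",      # wrong suffix -> CUS004
        "resource_group_location": "East US",    # wrong region -> CUS003
        "tag_map": {"Name": "rg-legacy"},        # no Environment tag -> CUS002
    }),
]

if __name__ == "__main__":
    results = evaluate(CHECKS, SAMPLE_BLOCKS)
    for code, severity, label, message in results:
        print(f"{code} [{severity}] module.{label}: {message}")
    print("worst severity:", worst_severity(results))
```

Running it reports CUS005 for the vnet module and CUS002, CUS003 and CUS004 for the second resource group; because CUS002 is CRITICAL, the worst severity is CRITICAL, which is the value a pipeline gate would compare against its threshold.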


The equivalent YAML for this pipeline step:

steps:
- bash: 'sudo docker run --rm -v "$(pwd):/src" aquasec/tfsec /src --tfvars-file /src/terraform.tfvars'
  displayName: 'Terraform : TFSEC'
  condition: succeededOrFailed()

Step 3: Terraform | Linting


Here we are using the tflint Docker image to lint our Terraform code.

The equivalent YAML for this pipeline step:

steps:
- bash: |
   sudo docker run --rm -v $(pwd):/data -t ghcr.io/terraform-linters/tflint
  displayName: 'Terraform : Linting'
  condition: succeededOrFailed()

Step 4: Terraform | Cost Estimation


Here we are using the infracost Docker image to calculate the estimated cost of our Terraform code.

For this you need to generate an infracost API key.

To generate the API key, install infracost on your system with curl -fsSL https://raw.githubusercontent.com/infracost/infracost/master/scripts/install.sh | sh and then run the infracost register command to register with your username and e-mail.

API keys and other credentials should not be hard-coded in the pipeline definition, so we will store the API key as a pipeline variable (marked as secret) and reference it from the step.


The equivalent YAML for this pipeline step:

steps:
- bash: |
   terraform show -json plan.out > plan.json
   sudo docker run --rm -e INFRACOST_API_KEY=$(INFRACOST_API_KEY) -v "$(pwd):/src" infracost/infracost breakdown --path /src/plan.json --show-skipped
  displayName: 'Terraform : Cost Estimation'
  condition: succeededOrFailed()

Step 5: Terraform | Cost Difference


Here we use the same tool, infracost, to calculate the cost difference between the present state and the desired state of our configuration.

The equivalent YAML for this pipeline step:

steps:
- bash: |
   terraform show -json plan.out > plan.json
   sudo docker run --rm -e INFRACOST_API_KEY=$(INFRACOST_API_KEY) -v "$(pwd):/src" infracost/infracost diff --path /src/plan.json --show-skipped
  displayName: 'Terraform : Cost Difference'
  condition: succeededOrFailed()
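As the steps above stand, both infracost commands only print a table, so an unexpected cost jump never fails the build. The following added example (not part of the lab or of infracost) shows one way to turn the cost difference into a gate: it reads the JSON that infracost diff produces when run with --format json and blocks when the monthly increase exceeds an absolute or relative limit. The sample report is constructed and trimmed; the field names (pastTotalMonthlyCost, totalMonthlyCost, diffTotalMonthlyCost, projects[].diff.resources[].monthlyCost) are assumed from infracost's JSON output, and the parse_totals, changed_resources and evaluate_gate helpers are this example's own.

```python
# Added example: gate a pipeline on infracost's JSON cost difference.
# Not infracost's code; field names are assumed from its JSON output format.
import json
from decimal import Decimal

# Constructed sample of `infracost diff --format json` output, trimmed to the
# fields used here. A null monthlyCost is how infracost reports a resource whose
# usage-based price it could not estimate, so the gate must not silently drop it.
SAMPLE_REPORT = """{
  "version": "0.2",
  "currency": "USD",
  "projects": [
    {
      "name": "opstree-poc",
      "diff": {
        "resources": [
          {"name": "module.vnet.azurerm_virtual_network.this", "monthlyCost": "0"},
          {"name": "module.vm.azurerm_linux_virtual_machine.this", "monthlyCost": "70.08"},
          {"name": "module.storage.azurerm_storage_account.this", "monthlyCost": null}
        ]
      }
    }
  ],
  "pastTotalMonthlyCost": "12.50",
  "totalMonthlyCost": "82.58",
  "diffTotalMonthlyCost": "70.08"
}"""


def _money(value):
    """Costs arrive as decimal strings (or null); keep them as Decimal, never float."""
    return Decimal("0") if value is None else Decimal(str(value))


def parse_totals(report_text):
    """Return (past, new, diff) monthly totals as Decimals."""
    report = json.loads(report_text)
    return (_money(report.get("pastTotalMonthlyCost")),
            _money(report.get("totalMonthlyCost")),
            _money(report.get("diffTotalMonthlyCost")))


def changed_resources(report_text):
    """Resources in the diff with their monthly cost, most expensive first.
    Unpriced (null) resources are kept and sorted last so they stay visible."""
    report = json.loads(report_text)
    rows = []
    for project in report.get("projects", []):
        for res in project.get("diff", {}).get("resources", []):
            rows.append((res["name"], res.get("monthlyCost")))
    return sorted(rows, key=lambda r: (r[1] is None, -_money(r[1])))


def evaluate_gate(report_text, max_monthly_increase, max_percent_increase=None):
    """Decide whether the plan may proceed.

    Blocks when the absolute monthly increase exceeds max_monthly_increase or,
    when max_percent_increase is given and a baseline cost exists, when the
    relative increase exceeds it. Returns (allowed, reason).
    """
    past, new, diff = parse_totals(report_text)
    if diff > max_monthly_increase:
        return False, (f"monthly cost rises by {diff}, above the "
                       f"{max_monthly_increase} limit")
    if max_percent_increase is not None and past > 0:
        percent = diff / past * 100
        if percent > max_percent_increase:
            return False, (f"monthly cost rises by {percent:.1f}%, above the "
                           f"{max_percent_increase}% limit")
    return True, f"monthly cost {past} -> {new} (change {diff:+})"


if __name__ == "__main__":
    import sys
    # Thresholds are illustrative: at most 50 USD/month and 25% more than today.
    allowed, reason = evaluate_gate(SAMPLE_REPORT, 50, max_percent_increase=25)
    for name, cost in changed_resources(SAMPLE_REPORT):
        print(f"{cost if cost is not None else 'n/a':>10}  {name}")
    print(("PASS" if allowed else "FAIL") + ": " + reason)
    sys.exit(0 if allowed else 1)  # a non-zero exit fails the pipeline step
```

In the pipeline this would run as an extra bash step after infracost diff, with the --format json output redirected to a file and passed in; the non-zero exit code is what makes Azure Pipelines mark the step failed, which the plain table output never does.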
