terraguard

terraguard helps automate Terraform plan reviews by checking a Terraform plan JSON (the output of terraform show -json) for changes to resources you consider sensitive. It is a minimal alternative to Terraform policy enforcement tools like Open Policy Agent and Sentinel.
terraguard check examines a Terraform plan JSON file for changes to guarded resources and reports an error listing the affected resource addresses when it finds any.
terraguard check --help
Check if a Terraform plan seeks to modify the specified resources

Usage:
  terraguard check [flags]

Flags:
  -g, --guard strings   A comma-separated list of guarded resource addresses
  -h, --help            help for check
  -p, --plan string     The path to a Terraform plan output JSON file
Basic example (guard patterns are matched as globs against full resource addresses, so *foo* catches null_resource.foo as well as every resource inside module.foo):
terraguard \
check \
--guard="*foo*" \
--plan="test_fixtures/basic_plan.json"
Error: test_fixtures/basic_plan.json indicates changes to guarded resources:
module.foo.null_resource.aliased
module.foo.null_resource.foo
null_resource.foo
With multiple guarded resources (the flag can be repeated, or given a single comma-separated list):
terraguard \
check \
--guard="*foo*" \
--guard="*bar*" \
--guard="null_resource.baz[0]" \
--plan="test_fixtures/basic_plan.json"
Error: test_fixtures/basic_plan.json indicates changes to guarded resources:
module.foo.null_resource.aliased
module.foo.null_resource.foo
null_resource.bar
null_resource.baz[0]
null_resource.foo
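As an added example, not terraguard's own source, here is the core of such a check in Go: parse the plan JSON, drop entries Terraform plans no action for, and match each remaining address against the guard patterns. The plan shape used (resource_changes[].address and .change.actions) is Terraform's JSON output format; the glob semantics, the treatment of no-op entries and the sample plan are this example's own assumptions, not a description of how terraguard itself matches.

```go
package main

import (
	"encoding/json"
	"fmt"
	"os"
	"regexp"
	"sort"
	"strings"
)

// plan holds the only parts of the `terraform show -json` output this check
// needs: each resource change's address and the actions Terraform plans for it.
type plan struct {
	ResourceChanges []struct {
		Address string `json:"address"`
		Change  struct {
			Actions []string `json:"actions"`
		} `json:"change"`
	} `json:"resource_changes"`
}

// globToRegexp turns a guard pattern into an anchored regexp. Only `*` (any run
// of characters) and `?` (one character) are wildcards; everything else is
// literal, so the `[0]` index in an address like null_resource.baz[0] is not
// misread as a character class the way path.Match-style globs would read it.
// These are the matching semantics assumed here, not necessarily terraguard's.
func globToRegexp(pattern string) *regexp.Regexp {
	var sb strings.Builder
	sb.WriteString("^")
	for _, r := range pattern {
		switch r {
		case '*':
			sb.WriteString(".*")
		case '?':
			sb.WriteString(".")
		default:
			sb.WriteString(regexp.QuoteMeta(string(r)))
		}
	}
	sb.WriteString("$")
	return regexp.MustCompile(sb.String())
}

// isChange reports whether the planned actions actually modify the resource.
// A plan also lists untouched resources, with actions ["no-op"]; those must
// not trip a guard or every plan would fail.
func isChange(actions []string) bool {
	for _, a := range actions {
		if a != "no-op" {
			return true
		}
	}
	return false
}

// guardedChanges returns, sorted, the addresses of resources the plan modifies
// that match at least one guard pattern.
func guardedChanges(planJSON []byte, guards []string) ([]string, error) {
	var p plan
	if err := json.Unmarshal(planJSON, &p); err != nil {
		return nil, fmt.Errorf("parse plan: %w", err)
	}
	patterns := make([]*regexp.Regexp, 0, len(guards))
	for _, g := range guards {
		patterns = append(patterns, globToRegexp(g))
	}
	var hits []string
	for _, rc := range p.ResourceChanges {
		if !isChange(rc.Change.Actions) {
			continue
		}
		for _, re := range patterns {
			if re.MatchString(rc.Address) {
				hits = append(hits, rc.Address)
				break
			}
		}
	}
	sort.Strings(hits)
	return hits, nil
}

// samplePlan is a constructed fragment in the terraform show -json shape; it is
// not the project's test fixture. It includes a no-op entry and a near-miss
// address (null_resource.baz0) to show what the matcher must not flag.
const samplePlan = `{
  "format_version": "1.1",
  "resource_changes": [
    {"address": "module.foo.null_resource.foo", "change": {"actions": ["create"]}},
    {"address": "module.foo.null_resource.aliased", "change": {"actions": ["delete", "create"]}},
    {"address": "null_resource.foo", "change": {"actions": ["update"]}},
    {"address": "null_resource.bar", "change": {"actions": ["no-op"]}},
    {"address": "null_resource.baz[0]", "change": {"actions": ["delete"]}},
    {"address": "null_resource.baz0", "change": {"actions": ["create"]}}
  ]
}`

func main() {
	// Mirrors `terraguard check --guard="*foo*" --guard="null_resource.baz[0]"`
	// against the constructed plan above; a real run would read the plan file.
	hits, err := guardedChanges([]byte(samplePlan), []string{"*foo*", "null_resource.baz[0]"})
	if err != nil {
		fmt.Fprintln(os.Stderr, "Error:", err)
		os.Exit(2)
	}
	if len(hits) == 0 {
		fmt.Println("No changes to guarded resources")
		return
	}
	fmt.Fprintln(os.Stderr, "Error: plan indicates changes to guarded resources:")
	for _, h := range hits {
		fmt.Fprintln(os.Stderr, " ", h)
	}
	os.Exit(1) // non-zero so a CI step that runs the check fails
}
```

Two details matter for using a check like this as a gate: no-op entries must be skipped, since every plan lists the unchanged resources too, and the guard matcher must treat `[0]`-style index brackets literally, otherwise a guard on `null_resource.baz[0]` silently protects the wrong address.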
Because guards match on resource address, a guard only protects what its pattern names: a sensitive resource created under a new name or a different module path will not trip it unless the pattern covers that address too. Tools like Open Policy Agent, with its Terraform support, arguably offer more robust, extensible, and fully featured means of enforcing Terraform policies. terraguard is comparatively simple, but also far less mature.