This tool validates Terraform plans. It is written in Go as a wrapper around tfsec and OPA (Open Policy Agent) to provide guardrails when deploying through CI/CD pipelines. The latest release is available on the release page.
Command | Description |
---|---|
check | Checks whether the plan passes the OPA and tfsec policies |
checkopa | Checks whether the plan passes the OPA policy |
opascore | Gets the OPA score report |
tfsec | Outputs the tfsec vulnerability report |
sendreport | Sends the Terraform validation report to Slack |
cost | Checks the Infracost estimate against the monthly budget |
Command | Example parameters |
---|---|
tfsec | --tfsecReport "delete-rg-test.json" --tfsecMaxSeverity "CRITICAL" |
check | --repo "https://github.com/basiqio/terraform-template" --commitSha "1234" --developer "bradmccoydev" --planFileName "policies/delete-rg-test.json" --tfsecReportLocation "pkg/tfsec/mock.json" --tfsecMaxSeverity "CRITICAL" --infracostMonthlyBudget "2000" --infracostReportLocation "pkg/infracost/mock.json" --opaConfig '[{"location":"policies/opa-azure-policy.rego","query":"data.terraform.analysis.deny[x]"}]' |
checkopa | --planFileName "policies/delete-rg-test.json" --opaConfig '[{"location":"policies/opa-azure-policy.rego","query":"data.terraform.analysis.authz"}]' |
opascore | --planFileName "delete-rg-test.json" --policyLocation "opa-aws-policy.rego" |
sendreport | --fileName "delete-rg-test.json" --slackWebhook "*" --prNumber "1" --repoFullUrl "x" --tfsecMaxSeverity "MEDIUM" |
cost | --infracostMonthlyBudget "2000" --infracostReportLocation "pkg/infracost/mock.json" |

The `--opaConfig` value is a JSON array; wrap it in single quotes so the shell passes the inner double quotes through unchanged.
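The `check` command combines a tfsec severity gate with an Infracost budget gate. The Go program below is an added example, not tfval's own code, showing how such pipeline guardrails can be implemented. It assumes the public JSON shapes of a tfsec report (`results[].rule_id` / `results[].severity`) and an Infracost breakdown (`totalMonthlyCost` as a string), and it treats `tfsecMaxSeverity` as the lowest severity that blocks a plan. The rule IDs and cost figure in the embedded sample reports are constructed, and findings with an unrecognised severity are treated as blocking so the gate fails closed.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strconv"
	"strings"
)

// severityRank orders tfsec severities so that a threshold comparison is possible.
var severityRank = map[string]int{"LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

// tfsecReport holds the parts of a tfsec JSON report the gate needs (assumed shape).
type tfsecReport struct {
	Results []struct {
		RuleID      string `json:"rule_id"`
		Severity    string `json:"severity"`
		Description string `json:"description"`
	} `json:"results"`
}

// infracostReport holds the top-level total of an Infracost breakdown (assumed shape).
type infracostReport struct {
	TotalMonthlyCost string `json:"totalMonthlyCost"`
}

// TfsecFindingsAtOrAbove returns the rule IDs of findings whose severity is at or above
// maxSeverity. Findings with an unrecognised severity are also returned, so the gate
// fails closed instead of silently passing a report it does not understand.
func TfsecFindingsAtOrAbove(reportJSON []byte, maxSeverity string) ([]string, error) {
	threshold, ok := severityRank[strings.ToUpper(maxSeverity)]
	if !ok {
		return nil, fmt.Errorf("unknown severity threshold %q", maxSeverity)
	}
	var rep tfsecReport
	if err := json.Unmarshal(reportJSON, &rep); err != nil {
		return nil, fmt.Errorf("parse tfsec report: %w", err)
	}
	var blocking []string
	for _, r := range rep.Results {
		rank, known := severityRank[strings.ToUpper(r.Severity)]
		if !known || rank >= threshold {
			blocking = append(blocking, r.RuleID)
		}
	}
	return blocking, nil
}

// CostWithinBudget parses the Infracost monthly total and compares it with the budget.
func CostWithinBudget(reportJSON []byte, monthlyBudget float64) (float64, bool, error) {
	var rep infracostReport
	if err := json.Unmarshal(reportJSON, &rep); err != nil {
		return 0, false, fmt.Errorf("parse infracost report: %w", err)
	}
	total, err := strconv.ParseFloat(rep.TotalMonthlyCost, 64)
	if err != nil {
		return 0, false, fmt.Errorf("parse totalMonthlyCost %q: %w", rep.TotalMonthlyCost, err)
	}
	return total, total <= monthlyBudget, nil
}

// PlanPasses combines both gates and returns every reason the plan was rejected,
// so a pipeline log shows all problems at once rather than one per run.
func PlanPasses(tfsecJSON []byte, maxSeverity string, infracostJSON []byte, monthlyBudget float64) (bool, []string, error) {
	var reasons []string
	blocking, err := TfsecFindingsAtOrAbove(tfsecJSON, maxSeverity)
	if err != nil {
		return false, nil, err
	}
	for _, id := range blocking {
		reasons = append(reasons, "tfsec finding at or above "+strings.ToUpper(maxSeverity)+": "+id)
	}
	total, ok, err := CostWithinBudget(infracostJSON, monthlyBudget)
	if err != nil {
		return false, nil, err
	}
	if !ok {
		reasons = append(reasons, fmt.Sprintf("estimated monthly cost %.2f exceeds budget %.2f", total, monthlyBudget))
	}
	return len(reasons) == 0, reasons, nil
}

// Constructed sample reports; the rule IDs and figures are made up for this example.
const sampleTfsec = `{"results":[
  {"rule_id":"sample-rule-tls","severity":"HIGH","description":"TLS policy too weak"},
  {"rule_id":"sample-rule-network-acl","severity":"CRITICAL","description":"default action allows all"},
  {"rule_id":"sample-rule-logging","severity":"LOW","description":"queue logging disabled"}]}`

const sampleInfracost = `{"version":"0.2","currency":"USD","totalMonthlyCost":"2450.75"}`

func main() {
	// Mirrors "check --tfsecMaxSeverity CRITICAL --infracostMonthlyBudget 2000".
	pass, reasons, err := PlanPasses([]byte(sampleTfsec), "CRITICAL", []byte(sampleInfracost), 2000)
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Println("plan passes:", pass)
	for _, r := range reasons {
		fmt.Println(" -", r)
	}
}
```

In a pipeline the process would exit non-zero when `PlanPasses` returns false, which is what stops the apply step; the collected reasons are what you would post to Slack or the pull request.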
Example Bitbucket Pipelines step:

```yaml
- /usr/bin/tfsec-analysis-terraform tfsec "$BITBUCKET_PR_ID" "$BITBUCKET_GIT_HTTP_ORIGIN" "tfsec-report.json" "$SLACK_WEBHOOK"
```
Running from the Docker image:

```shell
docker pull bradmccoydev/tfval:latest
docker run -p 80:80 bradmccoydev/tfval:latest check --planFileName "delete-rg-test.json" --policyLocation "opa-aws-policy.rego" --tfsecMaxSeverity "CRITICAL" --opaRegoQuery "data.terraform.analysis.authz"
```
- Brad McCoy (@bradmccoydev), Basiq
- Ben Poh (@benhpoh), Moula
Terraform Plan Validator is released under the Apache 2.0 license. See LICENSE.txt.
The same policies can be evaluated directly with the OPA CLI; `--fail-defined` makes `opa eval` exit non-zero when the query returns a result, so the command itself fails the pipeline step:

```shell
opa eval --fail-defined --format raw --input policies/delete-rg-test.json --data policies/opa-azure-policy.rego 'data.terraform.analysis.authz'
opa eval --fail-defined --format raw --input policies/delete-rg-test.json --data policies/tags-policy.rego 'data.terraform.common.deny[x]'
```