Compliance as Code for Terraform

D. Heinrich
Feb 15, 2019

I recently started to write IaC (infrastructure as code). After several breaking changes within my code I searched for a way to develop it "test-driven", or at least to have compliance checks around my code.

Terraform has been around for a few years now, so there are not that many tools surrounding or extending it yet.

A good starting point for me to find solutions for and around Terraform was this collection of Terraform tools:
https://github.com/shuaibiyy/awesome-terraform

If you have ever had breaking changes within your Terraform code, you probably want compliance checks in place.

Tools which come to my mind for CaC (compliance as code) are the spec family (inspec, rspec, serverspec) or goss. So that is where I started my search for a tool that fits me.

Goss — is a YAML based tool which can even spin up its own webserver so that an icinga(2)/nagios instance can monitor it for compliance, but I couldn't find anything related to Terraform.

SpecFamily — is a Ruby based family of tools which is widely used across the world. Every spec has its own advantages. Inspec is the youngest among the family and can easily be extended with plugins. For inspec there is a plugin called "inspec-iggy" which you can use when you're on AWS. I think no other platform is supported currently. Since we're not on AWS it's not usable for me.

terraform-compliance — So I came across terraform-compliance. An easy, small Python based tool which fits me pretty well. You can run all checks without a terraform plan or terraform apply, which fits well into my CI plans later on.

You can start using it right after installing it via pip in a virtualenv:

$ virtualenv ~/.env
$ source ~/.env/bin/activate
$ pip install terraform-compliance

To verify the installation you can execute it with --version, which in my case prints 0.5.3:

$ terraform-compliance --version
0.5.3

To get started you can take a look at the EXAMPLES or the README.


Here is a first example of my own:

My main.tf from Terraform:

module "network" {
  source            = "git::ssh://git@somegit.com/terraform-module-vpc_subnet.git"
  subnet_name       = "mysubnet"
  subnet_cidr       = "192.168.0.0/24"
  subnet_gateway_ip = "192.168.0.1"
  vpc_id            = "QE3GR7Y-IM95LEK-FBEI5UX-4TXVC83A"
}

My keypair.feature file from terraform-compliance:

Feature: This network is the base inside the vpc so it should be correct

  Scenario Outline: MyNetwork
    Given I have network module configured
    Then it must contain <attributes>

    Examples:
      | attributes        |
      | source            |
      | subnet_name       |
      | subnet_cidr       |
      | subnet_gateway_ip |
      | vpc_id            |

Running this check results in:

# Assuming two things:
# 1. you're in the dir where your .tf files are
# 2. you have a dir "tf-compliance" where your keypair.feature is
$ terraform-compliance -f tf-compliance/ -t .
Scenario Outline: MyNetwork
Given I have network module configured
Then it must contain <attributes>
Examples:
| attributes |
| source |
| subnet_name |
| subnet_cidr |
| subnet_gateway_ip |
| vpc_id |
1 features (1 passed)
1 scenarios (1 passed)
5 steps (5 passed)
Run 1550257221 finished within a moment
Cleaning up.

So we got our first compliance check and it was a success!
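To show what such a check does under the hood, here is an added example that is not part of the post or of the terraform-compliance project: a small Python script with a hypothetical regex-based reader for simple module blocks (not a full HCL parser) that runs the same "must contain" steps as the feature file over a constructed copy of the main.tf above, and goes one step further by checking that the gateway address actually lies inside the subnet CIDR.

```python
import ipaddress
import re

# Constructed copy of the main.tf module block from the post (sample input, embedded inline).
MAIN_TF = '''
module "network" {
  source            = "git::ssh://git@somegit.com/terraform-module-vpc_subnet.git"
  subnet_name       = "mysubnet"
  subnet_cidr       = "192.168.0.0/24"
  subnet_gateway_ip = "192.168.0.1"
  vpc_id            = "QE3GR7Y-IM95LEK-FBEI5UX-4TXVC83A"
}
'''

# The attributes listed in the feature file's Examples table.
REQUIRED_ATTRIBUTES = ("source", "subnet_name", "subnet_cidr", "subnet_gateway_ip", "vpc_id")

# Hypothetical minimal reader: only string-valued attributes inside module blocks are understood.
MODULE_RE = re.compile(r'module\s+"(?P<name>[^"]+)"\s*\{(?P<body>[^}]*)\}')
ATTR_RE = re.compile(r'^\s*(?P<key>\w+)\s*=\s*"(?P<value>[^"]*)"\s*$', re.MULTILINE)


def parse_modules(hcl: str) -> dict:
    """Return {module_name: {attribute: value}} for every module block found in the text."""
    modules = {}
    for m in MODULE_RE.finditer(hcl):
        modules[m.group("name")] = {a.group("key"): a.group("value")
                                    for a in ATTR_RE.finditer(m.group("body"))}
    return modules


def check_network_module(hcl: str) -> list:
    """Return a list of failures; an empty list means the configuration is compliant."""
    failures = []
    network = parse_modules(hcl).get("network")
    if network is None:                       # Given I have network module configured
        return ["network module is not configured"]
    for attr in REQUIRED_ATTRIBUTES:          # Then it must contain <attributes>
        if attr not in network:
            failures.append(f"missing attribute: {attr}")
    try:                                      # beyond the post: gateway must be inside the subnet
        subnet = ipaddress.ip_network(network.get("subnet_cidr", ""), strict=True)
        gateway = ipaddress.ip_address(network.get("subnet_gateway_ip", ""))
        if gateway not in subnet:
            failures.append(f"gateway {gateway} is outside {subnet}")
    except ValueError as exc:
        failures.append(f"invalid subnet_cidr or subnet_gateway_ip: {exc}")
    return failures


if __name__ == "__main__":
    print(check_network_module(MAIN_TF) or "compliant")
```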

Perfect! Now we can go on with the syntax…

To be continued in my next post…

Cheers!

Sources:
https://github.com/eerkunt/terraform-compliance
https://github.com/aelsabbahy/goss
https://github.com/mattray/inspec-iggy/blob/master/README.md
https://github.com/shuaibiyy/awesome-terraform


D. Heinrich

Working as a Head of Infrastructure at Flower Labs.