Compliance as Code for Terraform

I recently started to write IaC (infrastructure as code). After several breaking changes within my code I searched for a solution how to develop “test-driven” or at least have compliance around my code.

Terraform is around since a few years now. Therefore there are not that much tools surrounding nor extending it.

A good start to find solutions for and around Terraform for me was this collection of Terraform-Tools:

When you literally have breaking changes within your terraform code you are likely to have compliance in place.

Tools which come to my mind for CaC (compliance as code) are something like the spec family (inspec, rspec, serverspec) or goss. So I started from there my search for a tool that fits for me.

Goss — is a yaml based tool which can even spin up its own webserver to be monitored from a icinga(2)/nagios instance for compliance but I couldnt found something related to terraform.

SpecFamily — is a ruby based family of tools which is widely used across the world. Every spec has its own advantages. Inspec is the youngest amog the family. It can easily extended with plugins. For inspec there is a plugin called “inspec-iggy” which you can use when your on AWS. I think there is no other plattform supported currently. But since we’re not on AWS its not usable for me.

terraform-compliance — So I came across terraform-compliance. A easy small python based tool which fits pretty good for me. You can run all checks without a terraform plan or terraform apply . This fits good into my CI plans later on.

You can start using it right after installing it via PIP in a virtualenv:

$ virtualenv ~/.env

To verify the installation you can execute — version which in my case is 0.5.3

$ terraform-compliance --version

To get started you can take a look at the EXAMPLES or the README.

Image by

Here is a first examples on my own:

My from Terraform:

module "network" {
source = "git::ssh://"

My keypair.feature file from terraform-compliance:

Feature: This network is the base inside the vpc so it should be correct

Running this code results in:

# Assuming two things:
# 1. your in the dir where your .tf files are
# 2. you have a dir "tf-compliance" where your keypair.feature is

So we got our first compliance check and it was a success!

Perfect! Now we can go on with the syntax…

To be continued in my next post…



Working as a IT-Operations engineer at NeXenio, a spin-off by Hasso-Plattner-Institute for products around a digitial workspace.

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store