**terraform-compliance** is a lightweight, security- and compliance-focused test framework for Terraform that enables negative testing of your infrastructure-as-code.

- compliance: ensure the implemented code follows security standards, including your own custom standards
- behaviour driven development: we have BDD for nearly everything, why not for IaC?
- portable: just install it from `pip` or run it via `docker`. See Installation
- pre-deploy: it validates your code before it is deployed
- easy to integrate: it can run in your pipeline (or in git hooks) to ensure all deployments are validated
- segregation of duty: you can keep your tests in a different repository for which a separate team is responsible
- why?: why not?
You can use this action to run terraform-compliance in your GitHub Actions pipeline. For more information about the tool itself, have a look at https://terraform-compliance.com

- Enable and configure GitHub Actions within your repository.
- Use `terraform-compliance/github-action@main`
- Supply the required `plan` and `features` parameters
- Supply any other optional parameters
`terraform-compliance` requires access to two things in order to execute properly:

- the terraform plan output (preferably converted to `json` format via the `terraform show -json` command)
- the compliance tests that will run against your terraform plan
An example CI pipeline for Terraform might look like this:

```yaml
jobs:
  terraform:
    name: terraform CI
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
      - uses: hashicorp/setup-terraform@v1
      - name: terraform plan
        id: plan
        run: |
          terraform init && terraform plan -out=plan.out && terraform show -json plan.out > plan.out.json
      - name: terraform-compliance
        uses: terraform-compliance/github_action@main
        with:
          plan: plan.out.json
          features: ssh://[email protected]/terraform-compliance/user-friendly-features.git
```
... or, if you want to install terraform-compliance at the beginning of the steps and re-use it every time via the `run` directive:

```yaml
jobs:
  terraform:
    name: terraform CI
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
      - uses: hashicorp/setup-terraform@v1
      - uses: terraform-compliance/github_action@main
      - name: terraform plan
        id: plan
        run: |
          terraform init && terraform plan -out=plan.out && terraform show -json plan.out > plan.out.json
      - name: terraform-compliance from remote repo
        # step ids may only contain alphanumerics, hyphens and underscores
        id: terraform-compliance-remote
        run: |
          terraform-compliance -p /path/to/plan.out.json -f git:ssh://[email protected]/terraform-compliance/user-friendly-features.git
      - name: terraform-compliance from local
        id: terraform-compliance-local
        run: |
          terraform-compliance -p /path/to/plan.out.json -f /path/to/local
```
Additionally, if you want to publish the plan output to the related pull request, you can also use this action provided by GitHub:

```yaml
      - uses: actions/[email protected]
        if: github.event_name == 'pull_request'
        env:
          # the plan text is passed through an environment variable rather than
          # interpolated into the script body, so its content cannot alter the script
          PLAN: "terraform\n${{ steps.plan.outputs.stdout }}"
        with:
          github-token: ${{ secrets.GITHUB_TOKEN }}
          script: |
            const output = `<details><summary>GitHub Plan</summary>

            \`\`\`${process.env.PLAN}\`\`\`

            </details>

            *Pusher: @${{ github.actor }}, Action: \`${{ github.event_name }}\`, Workflow: \`${{ github.workflow }}\`*`;

            github.issues.createComment({
              issue_number: context.issue.number,
              owner: context.repo.owner,
              repo: context.repo.repo,
              body: output
            })
```
| Parameter | Required | Description | Default | Examples |
|---|---|---|---|---|
| plan | ✅ | The plan file that is generated by terraform | | `plan.out`, `plan.out.json` |
| features | ✅ | The feature files that will be run against the terraform plan | | `./tests/`, `ssh://github.com/<org\|user>/` |
| quit-early | | Action will fail immediately on the first failure | false | |
| no-failure | | Action will not fail even if the tests fail | false | |
| silent | | Output of the tests will be substantially silenced | false | |
| version | | Specific terraform-compliance version that you want to use within the action | | |
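To make concrete what "compliance tests that run against your terraform plan" means, and how the `quit-early` and `no-failure` parameters above change the outcome, here is an added illustration written for this page. It is not terraform-compliance's own code: it reads a `terraform show -json` plan, applies three hand-written negative rules (the rule functions and the sample plan are constructed for the example; only the `planned_values.root_module.resources` layout follows the real plan format), and reports findings the way a feature file would, stopping early or suppressing the failing exit code according to the two flags.

```python
"""Minimal negative test over a `terraform show -json` plan.

Added illustration, not terraform-compliance's own code. The plan below is
constructed for the example and the rule functions are hypothetical; only the
planned_values.root_module.resources layout follows the real plan JSON.
"""
import json
import sys

# Constructed sample plan, trimmed to what the rules inspect.
SAMPLE_PLAN_JSON = json.dumps({
    "format_version": "1.0",
    "planned_values": {
        "root_module": {
            "resources": [
                {
                    "address": "aws_s3_bucket.logs",
                    "type": "aws_s3_bucket",
                    "name": "logs",
                    "values": {"bucket": "example-logs", "tags": {"owner": "sec"}},
                },
                {
                    "address": "aws_security_group.web",
                    "type": "aws_security_group",
                    "name": "web",
                    "values": {
                        "ingress": [
                            {"from_port": 22, "to_port": 22, "protocol": "tcp",
                             "cidr_blocks": ["0.0.0.0/0"]},
                            {"from_port": 443, "to_port": 443, "protocol": "tcp",
                             "cidr_blocks": ["0.0.0.0/0"]},
                        ],
                        "tags": {},
                    },
                },
            ]
        }
    },
})


def iter_resources(plan):
    """Yield every planned resource, descending into child modules."""
    stack = [plan.get("planned_values", {}).get("root_module", {})]
    while stack:
        module = stack.pop()
        yield from module.get("resources", [])
        stack.extend(module.get("child_modules", []))


# Each rule takes one resource dict and returns a finding string or None.
def rule_s3_encryption(res):
    """Buckets must declare server-side encryption."""
    if res.get("type") != "aws_s3_bucket":
        return None
    if "server_side_encryption_configuration" not in res.get("values", {}):
        return f"{res['address']}: bucket has no server_side_encryption_configuration"
    return None


def rule_no_world_ssh(res):
    """Security groups must not expose port 22 to 0.0.0.0/0."""
    if res.get("type") != "aws_security_group":
        return None
    for rule in res.get("values", {}).get("ingress", []):
        if (rule.get("from_port", 0) <= 22 <= rule.get("to_port", 0)
                and "0.0.0.0/0" in rule.get("cidr_blocks", [])):
            return f"{res['address']}: ingress allows port 22 from 0.0.0.0/0"
    return None


def rule_owner_tag(res):
    """Every resource must carry an 'owner' tag."""
    if "owner" not in (res.get("values", {}).get("tags") or {}):
        return f"{res['address']}: missing required tag 'owner'"
    return None


RULES = [rule_s3_encryption, rule_no_world_ssh, rule_owner_tag]


def run_compliance(plan_json, quit_early=False):
    """Return the list of findings; stop at the first one when quit_early is set."""
    plan = json.loads(plan_json)
    findings = []
    for res in iter_resources(plan):
        for rule in RULES:
            finding = rule(res)
            if finding:
                findings.append(finding)
                if quit_early:
                    return findings
    return findings


def exit_code(findings, no_failure=False):
    """Mirror the no-failure flag: non-zero on findings unless suppressed."""
    return 0 if (no_failure or not findings) else 1


if __name__ == "__main__":
    result = run_compliance(SAMPLE_PLAN_JSON)
    print("\n".join(result) or "all checks passed")
    sys.exit(exit_code(result))
```

Run against the constructed plan, the full pass reports three findings (the unencrypted bucket, the world-open SSH ingress and the untagged security group) and exits 1; `quit_early=True` stops after the first finding, and `no_failure=True` keeps the exit code at 0 while still listing everything.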
Have a look at the setup-git-credentials action for a better way to do this than providing SSH private keys. That action will also solve your problems when downloading modules from remote private repositories during terraform init.