terraform-compliance GitHub Action

terraform-compliance is a lightweight, security- and compliance-focused test framework for terraform that enables negative testing of your infrastructure-as-code.

  • compliance: ensure the implemented code follows security standards and your own custom standards
  • behaviour driven development: we have BDD for nearly everything, why not for IaC?
  • portable: just install it from pip or run it via docker. See Installation
  • pre-deploy: it validates your code before it is deployed
  • easy to integrate: it can run in your pipeline (or in git hooks) to ensure all deployments are validated
  • segregation of duty: you can keep your tests in a different repository for which a separate team is responsible
  • why?: why not?

You can use this action to run terraform-compliance in your GitHub Actions pipeline. For more information about the tool itself, have a look at https://terraform-compliance.com

How to use this action?

  1. Enable and configure GitHub Actions within your repository.
  2. Use terraform-compliance/github_action@main
  3. Supply the required plan and features parameters
  4. Supply any other optional parameters

terraform-compliance needs access to two things in order to execute properly:

  1. the terraform plan output (preferably converted to JSON via the terraform show -json command)
  2. the compliance tests (feature files) that will run against your terraform plan.
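To make concrete what "negative testing against a plan" means, here is an added example that is not part of this README or of the terraform-compliance project: a small Python checker that reads the JSON produced by terraform show -json and flags resources violating two constructed rules (every aws_s3_bucket must carry an "owner" tag; no ingress aws_security_group_rule may open port 22 to 0.0.0.0/0). The plan document, the resource addresses and the rules are all constructed for illustration; terraform-compliance itself expresses such rules as Gherkin feature files rather than Python, but the plan fields read here (planned_values.root_module.resources, child_modules, type, values) are the ones terraform emits.

```python
import json

# Constructed sample of `terraform show -json plan.out` output, reduced to the
# keys the checks below read. A real plan carries many more fields.
SAMPLE_PLAN_JSON = json.dumps({
    "format_version": "0.1",
    "planned_values": {
        "root_module": {
            "resources": [
                {
                    "address": "aws_s3_bucket.logs",
                    "type": "aws_s3_bucket",
                    "name": "logs",
                    "values": {"bucket": "example-logs", "tags": {"owner": "platform"}},
                },
                {
                    "address": "aws_s3_bucket.untagged",
                    "type": "aws_s3_bucket",
                    "name": "untagged",
                    "values": {"bucket": "example-untagged", "tags": None},
                },
                {
                    "address": "aws_security_group_rule.ssh_world",
                    "type": "aws_security_group_rule",
                    "name": "ssh_world",
                    "values": {"type": "ingress", "from_port": 22, "to_port": 22,
                               "protocol": "tcp", "cidr_blocks": ["0.0.0.0/0"]},
                },
            ]
        }
    },
})


def iter_resources(module):
    """Yield every planned resource, descending into nested child modules."""
    for res in module.get("resources", []):
        yield res
    for child in module.get("child_modules", []):
        yield from iter_resources(child)


def check_plan(plan_json, required_tags=("owner",)):
    """Apply the constructed rules to a plan JSON string.

    Returns a list of human-readable violations; an empty list means the
    plan is compliant with these rules.
    """
    plan = json.loads(plan_json)
    violations = []
    for res in iter_resources(plan["planned_values"]["root_module"]):
        # "values" can be null for resources whose attributes are only known after apply.
        values = res.get("values") or {}

        # Rule 1: every S3 bucket must carry the required tags.
        if res["type"] == "aws_s3_bucket":
            tags = values.get("tags") or {}
            missing = [t for t in required_tags if t not in tags]
            if missing:
                violations.append(f"{res['address']}: missing required tags {missing}")

        # Rule 2: no ingress rule may expose SSH to the whole internet.
        if res["type"] == "aws_security_group_rule" and values.get("type") == "ingress":
            ports = range(values.get("from_port", 0), values.get("to_port", 65535) + 1)
            if 22 in ports and "0.0.0.0/0" in (values.get("cidr_blocks") or []):
                violations.append(f"{res['address']}: SSH (22) open to 0.0.0.0/0")
    return violations


if __name__ == "__main__":
    # Mirrors what a CI step does: print findings and fail the job on any violation.
    findings = check_plan(SAMPLE_PLAN_JSON)
    for finding in findings:
        print("FAIL", finding)
    raise SystemExit(1 if findings else 0)
```

Run it against the embedded plan and it exits non-zero with two findings (the untagged bucket and the world-open SSH rule); in a pipeline the same exit code is what makes the job fail before anything is applied, which is the pre-deploy behaviour the action provides.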

Examples

An example CI pipeline for a terraform project might look like this:

jobs:
  terraform:
    name: terraform CI
    runs-on: ubuntu-latest

    steps:
      - uses: actions/checkout@v2
      - uses: hashicorp/setup-terraform@v1

      - name: terraform plan
        id: plan
        run: |
          terraform init && terraform plan -out=plan.out && terraform show -json plan.out > plan.out.json

      - name: terraform-compliance
        uses: terraform-compliance/github_action@main
        with:
          plan: plan.out.json
          features: ssh://git@github.com/terraform-compliance/user-friendly-features.git

... or, if you want to install terraform-compliance at the beginning of the steps and re-use it every time via the run directive:

jobs:
  terraform:
    name: terraform CI
    runs-on: ubuntu-latest

    steps:
      - uses: actions/checkout@v2
      - uses: hashicorp/setup-terraform@v1
      - uses: terraform-compliance/github_action@main

      - name: terraform plan
        id: plan
        run: |
          terraform init && terraform plan -out=plan.out && terraform show -json plan.out > plan.out.json

      # feature files fetched from a remote git repository
      - name: terraform-compliance (remote repo)
        id: compliance-remote
        run: |
          terraform-compliance -p /path/to/plan.out.json -f git:ssh://git@github.com/terraform-compliance/user-friendly-features.git

      # feature files checked out locally
      - name: terraform-compliance (local)
        id: compliance-local
        run: |
          terraform-compliance -p /path/to/plan.out.json -f /path/to/local

Additionally, if you want to publish the plan output to the related Pull Request, you can also use the github-script action provided by GitHub:

      - uses: actions/github-script@0.9.0
        if: github.event_name == 'pull_request'
        env:
          # steps.plan.outputs.stdout is set by the hashicorp/setup-terraform wrapper
          PLAN: "terraform\n${{ steps.plan.outputs.stdout }}"
        with:
          github-token: ${{ secrets.GITHUB_TOKEN }}
          script: |
            const output = `<details><summary>GitHub Plan</summary>

            \`\`\`${process.env.PLAN}\`\`\`

            </details>

            *Pusher: @${{ github.actor }}, Action: \`${{ github.event_name }}\`, Workflow: \`${{ github.workflow }}\`*`;

            github.issues.createComment({
              issue_number: context.issue.number,
              owner: context.repo.owner,
              repo: context.repo.repo,
              body: output
            })

What are the parameters I can use?

  • plan (required, no default): the plan file generated by terraform. Examples: plan.out, plan.out.json
  • features (required, no default): the feature files that will be run against the terraform plan. Examples: ./tests/, ssh://github.com/<org user>/
  • quit-early (optional, default: false): the action fails immediately on the first failure
  • no-failure (optional, default: false): the action does not fail even if the tests fail
  • silent (optional, default: false): output of the tests is substantially silenced
  • version (optional, no default): the specific terraform-compliance version you want to use within the action

What if my feature files are within a private repository?

Have a look at the setup-git-credentials action, which handles this in a better way than supplying SSH private keys to the workflow.

That action also solves the problem of downloading modules from remote private repositories during terraform init.