globaldatanetmenu

.Terraform Helpers we love at globaldatanet

Apr 29th 2022-2 min read

Terraform is an open-source infrastructure as a code software tool that enables you to safely and predictably create, change, and improve infrastructure. At globaldatanet we are using Terraform heavily for our clients' IaC codebase.

In this blog post, we will list our favorite open-source tools that supercharge our Terraform codebase development:

terraform-docs

website: terraform-docs

Generate Terraform modules documentation in various formats

terraform-docs markdown . --output-file README.md

tflint

website: tflint

TFLint is a framework and each feature is provided by plugins, the key features are as follows:

  • Find possible errors (like illegal instance types) for Major Cloud providers (AWS/Azure/GCP).
  • Warn about deprecated syntax and unused declarations.
  • Enforce best practices, and naming conventions.

.tflint.hcl file we are using:

# https://github.com/terraform-linters/tflint/blob/master/docs/user-guide/module-inspection.md
# borrowed & modified indefinitely from https://github.com/ksatirli/building-infrastructure-you-can-mostly-trust/blob/main/.tflint.hcl

plugin "aws" {
  enabled = true
  version = "0.13.3"
  source  = "github.com/terraform-linters/tflint-ruleset-aws"
}

config {
  module     = false
  force      = false
}

rule "terraform_required_providers" {
  enabled = true
}

rule "terraform_required_version" {
  enabled = true
}

rule "terraform_naming_convention" {
  enabled = true
  format  = "snake_case"
}

rule "terraform_typed_variables" {
  enabled = true
}

rule "terraform_unused_declarations" {
  enabled = true
}

rule "terraform_comment_syntax" {
  enabled = true
}

rule "terraform_deprecated_index" {
  enabled = true
}

rule "terraform_deprecated_interpolation" {
  enabled = true
}

rule "terraform_documented_outputs" {
  enabled = true
}

rule "terraform_documented_variables" {
  enabled = true
}

rule "terraform_module_pinned_source" {
  enabled = true
}

rule "terraform_standard_module_structure" {
  enabled = true
}

rule "terraform_workspace_remote" {
  enabled = true
}
tflint --init
tflint --config=.tflint.hcl --var-file=terraform.tfvars .

tfsec

website: tfsec

tfsec is a static analysis security scanner for your Terraform code.

Features:

  • ☁️ Checks for misconfigurations across all major (and some minor) cloud providers
  • ⛔ Hundreds of built-in rules
  • 🪆 Scans modules (local and remote)
  • ➕ Evaluates HCL expressions as well as literal values
  • ↪️ Evaluates Terraform functions e.g. concat()
  • 🔗 Evaluates relationships between Terraform resources
  • 🧰 Compatible with the Terraform CDK
  • 🙅 Applies (and embellishes) user-defined Rego policies
  • 📃 Supports multiple output formats: CLI, JSON, SARIF, CSV, CheckStyle, and JUnit.
  • 🛠️ Configurable (via CLI flags and/or config file)
  • ⚡ Very fast, capable of quickly scanning huge repositories
tfsec . --tfvars-file terraform.tfvars

infracost

website: infracost

Cloud cost estimates for Terraform in pull requests

Infracost helps engineers see cloud costs before launching resources. Map costs to code directly in pull requests. Take action directly in your workflow.

infracost breakdown --path . --terraform-plan-flags "-var-file=terraform.tfvars"

driftctl

website: driftctl

driftctl is a free and open-source CLI that warns of infrastructure drift and fills in the missing piece in your DevSecOps toolbox.