
Terraform Helpers we love at globaldatanet

Apr 29th 2022 - 2 min read

Terraform is an open-source infrastructure-as-code software tool that enables you to safely and predictably create, change, and improve infrastructure. At globaldatanet we use Terraform heavily for our clients' IaC codebases.

In this blog post, we will list our favorite open-source tools that supercharge our Terraform codebase development:

terraform-docs

website: terraform-docs

Generates documentation for Terraform modules in various output formats:

terraform-docs markdown . --output-file README.md

tflint

website: tflint

TFLint is a framework in which each feature is provided by a plugin. The key features are as follows:

  • Find possible errors (like illegal instance types) for Major Cloud providers (AWS/Azure/GCP).
  • Warn about deprecated syntax and unused declarations.
  • Enforce best practices, and naming conventions.

The .tflint.hcl file we are using:

# https://github.com/terraform-linters/tflint/blob/master/docs/user-guide/module-inspection.md
# borrowed & modified indefinitely from https://github.com/ksatirli/building-infrastructure-you-can-mostly-trust/blob/main/.tflint.hcl

plugin "aws" {
  enabled = true
  version = "0.13.3"
  source  = "github.com/terraform-linters/tflint-ruleset-aws"
}

config {
  module     = false
  force      = false
}

rule "terraform_required_providers" {
  enabled = true
}

rule "terraform_required_version" {
  enabled = true
}

rule "terraform_naming_convention" {
  enabled = true
  format  = "snake_case"
}

rule "terraform_typed_variables" {
  enabled = true
}

rule "terraform_unused_declarations" {
  enabled = true
}

rule "terraform_comment_syntax" {
  enabled = true
}

rule "terraform_deprecated_index" {
  enabled = true
}

rule "terraform_deprecated_interpolation" {
  enabled = true
}

rule "terraform_documented_outputs" {
  enabled = true
}

rule "terraform_documented_variables" {
  enabled = true
}

rule "terraform_module_pinned_source" {
  enabled = true
}

rule "terraform_standard_module_structure" {
  enabled = true
}

rule "terraform_workspace_remote" {
  enabled = true
}

tflint --init
tflint --config=.tflint.hcl --var-file=terraform.tfvars .

tfsec

website: tfsec

tfsec is a static analysis security scanner for your Terraform code.

Features:

  • ☁️ Checks for misconfigurations across all major (and some minor) cloud providers
  • ⛔ Hundreds of built-in rules
  • 🪆 Scans modules (local and remote)
  • ➕ Evaluates HCL expressions as well as literal values
  • ↪️ Evaluates Terraform functions e.g. concat()
  • 🔗 Evaluates relationships between Terraform resources
  • 🧰 Compatible with the Terraform CDK
  • 🙅 Applies (and embellishes) user-defined Rego policies
  • 📃 Supports multiple output formats: CLI, JSON, SARIF, CSV, CheckStyle, and JUnit.
  • 🛠️ Configurable (via CLI flags and/or config file)
  • ⚡ Very fast, capable of quickly scanning huge repositories

tfsec . --tfvars-file terraform.tfvars

infracost

website: infracost

Cloud cost estimates for Terraform in pull requests

Infracost helps engineers see cloud costs before launching resources. Map costs to code directly in pull requests. Take action directly in your workflow.

infracost breakdown --path . --terraform-plan-flags "-var-file=terraform.tfvars"

driftctl

website: driftctl

driftctl is a free and open-source CLI that warns of infrastructure drift and fills in the missing piece in your DevSecOps toolbox.

driftctl scan

Taskfile

We automate all of the above tools and their command-line arguments using a Taskfile; the GitHub repo can be found here.

version: "3"

env:
  # Path of the Terraform stack to operate on; defaults to the current directory.
  CONFIG: '{{.CONFIG | default "."}}'

# STACK (used by the tflint and tfsec tasks below) is expected to be provided by these files.
dotenv: [".env", "aws/.env"]

silent: true

tasks:
  banner:
    desc: Banner
    cmds:
      - cowsay $CONFIG  | lolcat
      - echo "✔️  {{.GREETING}} - run 'task -l' for more task list"
      - echo "💻 {{OS}} - {{ARCH}}"

  tfdoc:
    desc: ℹ️ Documentation Task for Terraform
    summary: |
      A utility to generate documentation from Terraform modules in various output formats
    cmds:
      - terraform-docs markdown . --output-file README.md
    ignore_error: true

  access:
    desc: AWS Access with aws-vault
    cmds:
      - aws-vault exec -d 2h gdn-lab --region=eu-central-1

  trunk:
    desc: Trunk
    cmds:
      - task: banner
        # pass the stack path through to the called task (Taskfile vars are a map)
        vars: { CONFIG: "{{.CONFIG}}" }
      - trunk init # ✖ Trunk can only init if it's run at the root of a git repo
      - trunk check -n $CONFIG

  build:
    desc: Terraform Build
    cmds:
      - task: banner
        vars: { CONFIG: "{{.CONFIG}}" }
      - terraform -chdir=$CONFIG init
      - terraform -chdir=$CONFIG fmt
      - terraform -chdir=$CONFIG validate
      - terraform -chdir=$CONFIG plan

  deploy:
    desc: Terraform Deploy
    cmds:
      - task: banner
        vars: { CONFIG: "{{.CONFIG}}" }
      - terraform -chdir=$CONFIG apply -auto-approve

  destroy:
    desc: Terraform Destroy
    cmds:
      - task: banner
        vars: { CONFIG: "{{.CONFIG}}" }
      - terraform -chdir=$CONFIG apply -auto-approve -destroy

  tfcost:
    desc: infracost - Generate cost estimates from Terraform
    cmds:
      - infracost breakdown --usage-file infracost-usage.yml --path . --terraform-plan-flags "-var-file=terraform.tfvars"

  tflint:
    desc: tflint - A Pluggable Terraform Linter
    dir: $STACK
    cmds:
      - tflint --init
      - tflint --config=.tflint.hcl --var-file=terraform.tfvars .

  tfsec:
    desc: tfsec - a simple tool to detect potential security vulnerabilities in your terraformed infrastructure.
    dir: $STACK
    cmds:
      - tfsec . --tfvars-file terraform.tfvars

  tfdrift:
    desc: ℹ️ Catch infrastructure drift
    summary: |
      driftctl is a free and open-source CLI that warns of infrastructure drift and fills in the missing piece in your DevSecOps toolbox.
    cmds:
      - driftctl scan
    ignore_error: true
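The Taskfile above runs each tool as a separate task. In CI or a pre-commit hook you usually want the whole chain (fmt, validate, tflint, tfsec, terraform-docs) as one gate that keeps going after a failure so that every tool's findings show up in a single run, and that exits non-zero at the end if anything failed. The script below is an added example written for this post; it is not code from globaldatanet's repository or from any of the tools. It reuses the command lines shown above, adds `terraform fmt -check -recursive` and `terraform init -backend=false -input=false` so the gate needs no state backend, and assumes two environment variables of its own, `STACK` (stack directory, default `.`) and `TFVARS` (default `terraform.tfvars`). Tools that are not installed are skipped with a message rather than treated as failures.

```shell
#!/bin/sh
# tf-gate.sh: run the Terraform helper chain from the post as one CI / pre-commit gate.
# Added example, not part of the globaldatanet Taskfile. Deliberately no `set -e`:
# every step runs and failures are collected, then gate_result reports them together.

STACK="${STACK:-.}"                    # assumed: directory of the Terraform stack
TFVARS="${TFVARS:-terraform.tfvars}"   # assumed: var file passed to tflint/tfsec
FAILED_STEPS=""                        # space-separated names of steps that failed
FAIL_COUNT=0

# require_tool NAME: 0 if NAME is on PATH, otherwise print a hint and return 1
# (a missing tool skips its steps instead of failing the gate).
require_tool() {
  if command -v "$1" >/dev/null 2>&1; then
    return 0
  fi
  echo "missing tool: $1 (skipping its steps)" >&2
  return 1
}

# run_step NAME CMD [ARGS...]: run CMD, record NAME on non-zero exit, return CMD's status.
run_step() {
  name="$1"; shift
  echo "==> $name: $*"
  if "$@"; then
    return 0
  fi
  FAIL_COUNT=$((FAIL_COUNT + 1))
  FAILED_STEPS="$FAILED_STEPS $name"
  return 1
}

# gate_result: 0 when every recorded step passed, else 1 and the list of failed steps.
gate_result() {
  if [ "$FAIL_COUNT" -eq 0 ]; then
    echo "gate: all steps passed"
    return 0
  fi
  echo "gate: $FAIL_COUNT step(s) failed:$FAILED_STEPS" >&2
  return 1
}

# tf_gate: the ordered chain. Cheap checks (fmt, validate) come first; the
# security and lint scanners run regardless of earlier failures.
tf_gate() {
  FAIL_COUNT=0; FAILED_STEPS=""
  if require_tool terraform; then
    run_step fmt      terraform -chdir="$STACK" fmt -check -recursive
    run_step init     terraform -chdir="$STACK" init -backend=false -input=false
    run_step validate terraform -chdir="$STACK" validate
  fi
  if require_tool tflint; then
    run_step tflint-init tflint --init
    run_step tflint      tflint --config=.tflint.hcl --var-file="$TFVARS" "$STACK"
  fi
  if require_tool tfsec; then
    run_step tfsec tfsec "$STACK" --tfvars-file "$TFVARS"
  fi
  if require_tool terraform-docs; then
    run_step docs terraform-docs markdown "$STACK" --output-file README.md
  fi
  gate_result
}

# Run the gate only when this file is executed directly (not when sourced).
case "${0##*/}" in
  tf-gate.sh) tf_gate ;;
esac
```

Typical use is `STACK=envs/prod TFVARS=prod.tfvars sh tf-gate.sh` from the repository root; the exit status is what a CI job or pre-commit hook should key on. Because `tfsec` and `tflint` each exit non-zero on findings, their result lands in the failed-step list next to formatting and validation errors, so reviewers see everything in one run instead of fixing one tool's output per push.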

Extra tools:

There are other cool and useful tools besides the list above, including:

  • pre-commit
  • checkov - cloudrail
  • terragrunt - terraspace - terramate - cluster.dev
  • terratest - inSpec
  • tfenv - tfswitch - tgenv

© 2022 by globaldatanet. All Rights Reserved