.Terraform Helpers we love at globaldatanet
Apr 29th 2022-2 min read
Terraform is an open-source infrastructure as a code software tool that enables you to safely and predictably create, change, and improve infrastructure. At globaldatanet we are using Terraform heavily for our clients' IaC codebase.
In this blog post, we will list our favorite open-source tools that supercharge our Terraform codebase development:
terraform-docs
website: terraform-docs
Generate Terraform modules documentation in various formats
terraform-docs markdown . --output-file README.mdtflint
website: tflint
TFLint is a framework and each feature is provided by plugins, the key features are as follows:
- Find possible errors (like illegal instance types) for Major Cloud providers (AWS/Azure/GCP).
- Warn about deprecated syntax and unused declarations.
- Enforce best practices, and naming conventions.
.tflint.hcl file we are using:
# https://github.com/terraform-linters/tflint/blob/master/docs/user-guide/module-inspection.md
# borrowed & modified indefinitely from https://github.com/ksatirli/building-infrastructure-you-can-mostly-trust/blob/main/.tflint.hcl
plugin "aws" {
enabled = true
version = "0.13.3"
source = "github.com/terraform-linters/tflint-ruleset-aws"
}
config {
module = false
force = false
}
rule "terraform_required_providers" {
enabled = true
}
rule "terraform_required_version" {
enabled = true
}
rule "terraform_naming_convention" {
enabled = true
format = "snake_case"
}
rule "terraform_typed_variables" {
enabled = true
}
rule "terraform_unused_declarations" {
enabled = true
}
rule "terraform_comment_syntax" {
enabled = true
}
rule "terraform_deprecated_index" {
enabled = true
}
rule "terraform_deprecated_interpolation" {
enabled = true
}
rule "terraform_documented_outputs" {
enabled = true
}
rule "terraform_documented_variables" {
enabled = true
}
rule "terraform_module_pinned_source" {
enabled = true
}
rule "terraform_standard_module_structure" {
enabled = true
}
rule "terraform_workspace_remote" {
enabled = true
}tflint --init
tflint --config=.tflint.hcl --var-file=terraform.tfvars .tfsec
website: tfsec
tfsec is a static analysis security scanner for your Terraform code.
Features:
- âī¸ Checks for misconfigurations across all major (and some minor) cloud providers
- â Hundreds of built-in rules
- đĒ Scans modules (local and remote)
- â Evaluates HCL expressions as well as literal values
- âĒī¸ Evaluates Terraform functions e.g.
concat() - đ Evaluates relationships between Terraform resources
- 𧰠Compatible with the Terraform CDK
- đ Applies (and embellishes) user-defined Rego policies
- đ Supports multiple output formats: CLI, JSON, SARIF, CSV, CheckStyle, and JUnit.
- đ ī¸ Configurable (via CLI flags and/or config file)
- ⥠Very fast, capable of quickly scanning huge repositories
tfsec . --tfvars-file terraform.tfvarsinfracost
website: infracost
Cloud cost estimates for Terraform in pull requests
Infracost helps engineers see cloud costs before launching resources. Map costs to code directly in pull requests. Take action directly in your workflow.
infracost breakdown --path . --terraform-plan-flags "-var-file=terraform.tfvars"driftctl
website: driftctl
driftctl is a free and open-source CLI that warns of infrastructure drift and fills in the missing piece in your DevSecOps toolbox.
driftctl scanTaskfile
We automate all of the upper tools and their command-line argument using a Taskfile , GitHub repo can be found here version: "3"
env:
CONFIG: '{{.CONFIG | default "."}}'
dotenv: [".env", "aws/.env"]
silent: true
tasks:
banner:
desc: Banner
cmds:
- cowsay $CONFIG | lolcat
- echo "âī¸ {{.GREETING}} - run 'task -l' for more task list"
- echo "đģ {{OS}} - {{ARCH}}"
tfdoc:
desc: âšī¸ Documentation Task for Terraform
summary: |
A utility to generate documentation from Terraform modules in various output formats
cmds:
- terraform-docs markdown . --output-file README.md
ignore_error: true
access:
desc: AWS Access with aws-vault
cmds:
- aws-vault exec -d 2h gdn-lab --region=eu-central-1
trunk:
desc: Trunk
cmds:
- task: banner
vars: { { .CONFIG } }
- trunk init # â Trunk can only init if it's run at the root of a git repo
- trunk check -n $CONFIG
build:
desc: Terraform Build
cmds:
- task: banner
vars: { { .CONFIG } }
- terraform -chdir=$CONFIG init
- terraform -chdir=$CONFIG fmt
- terraform -chdir=$CONFIG validate
- terraform -chdir=$CONFIG plan
deploy:
desc: Terraform Deploy
cmds:
- task: banner
vars: { { .CONFIG } }
- terraform -chdir=$CONFIG apply -auto-approve
destroy:
desc: Terraform Destroy
cmds:
- task: banner
vars: { { .CONFIG } }
- terraform -chdir=$CONFIG apply -auto-approve -destroy
tfcost:
desc: infracost - Generate cost estimates from Terraform
cmds:
- infracost breakdown --usage-file infracost-usage.yml --path . --terraform-plan-flags "-var-file=terraform.tfvars"
tflint:
desc: tflint - A Pluggable Terraform Linter
dir: $STACK
cmds:
- tflint --init
- tflint --config=.tflint.hcl --var-file=terraform.tfvars .
tfsec:
desc: tfsec - a simple tool to detect potential security vulnerabilities in your terraformed infrastructure.
dir: $STACK
cmds:
- tfsec . --tfvars-file terraform.tfvars
tfdrift:
desc: âšī¸ Catch infrastructure drift
summary: |
driftctl is a free and open-source CLI that warns of infrastructure drift and fills in the missing piece in your DevSecOps toolbox.
cmds:
- driftctl scan
ignore_error: true
Extra tools:
there are quite cool and useful tools beside the upper list, including:
- pre-commit
- checkov - cloudrail
- terragrunt - terraspace - terramate - cluster.dev
- terratest - inSpec
- tfenv - tfswitch - tgenv
Your privacy is important to us!
We use cookies on our website. Some of them are essential,while others help us to improve our online offer.
You can find more information in our Privacy policy
We use cookies on our website. Some of them are essential,while others help us to improve our online offer.
You can find more information in our Privacy policy