terraform-compliance is a lightweight, security and compliance focused test framework against terraform to enable negative testing capability for your infrastructure-as-code.
- compliance: Ensure the implemented code is following security standards, your own custom standards
- behaviour driven development: We have BDD for nearly everything, why not for IaC ?
- portable: just install it from
pipor run it viadocker. See Installation - pre-deploy: it validates your code before it is deployed
- easy to integrate: it can run in your pipeline (or in git hooks) to ensure all deployments are validated.
- segregation of duty: you can keep your tests in a different repository where a separate team is responsible.
- why ?: why not ?
terraform-compliance mainly focuses on negative testing instead
of having fully-fledged functional tests that are mostly used for
proving a component of code is performing properly.
Fortunately, terraform is a marvellous abstraction layer for any API
that creates/updates/destroys entities. terraform also provides the
capability
to ensure everything is up-to-date between the local configuration and the remote API(s) responses.
Given the fact, terraform is used mostly against Cloud APIs, what was missing is to ensure
your code against your infrastructure must follow specific policies. Currently HashiCorp provides
Sentinel for Enterprise Products. terraform-compliance is providing a
similar functionality only for terraform while it is free-to-use and it is Open Source.
E.g. a sample policy could be, if you are working with AWS, you should not create an S3 bucket,
without having any encryption. Of course, this is just an example which may or not be applicable
for your case.
terraform-compliance provides a test framework to create these policies that will be executed against
your terraform plan in a context where both
developers and security teams can understand easily while reading it, by applying Behaviour Driven
Development Principles.
As returning back to the example, our example defined above will be translated into a BDD Feature and Scenario, as also seen in below ;
if you are working with AWS, you should not create an S3 bucket, without having any encryption
translates into ;
Given I have AWS S3 Bucket defined
Then it must contain server_side_encryption_configuration
server_side_encryption_configuration is coming from the terraform code, as shown below ;
resource "aws_s3_bucket" "b" {
bucket = "my-bucket"
acl = "private"
server_side_encryption_configuration {
rule {
apply_server_side_encryption_by_default {
kms_master_key_id = "${aws_kms_key.mykey.arn}"
sse_algorithm = "aws:kms"
}
}
}
}
This policy ( Scenario ) will allow all S3 buckets newly created or updated must have encryption configuration set within the code. In an ideal way, this Scenario (among with all other Scenarios) will run on a CI/CD pipeline that will ensure that nothing is deployed by violating your policies.
See Examples for more sample use cases.
Regarding the feature file format - radish is used to parse files with extension .feature - https://radish.readthedocs.io/en/stable/tutorial.html
terraform-compliance only supports terraform 0.12.+. In order to use older versions of terraform,
you can use 0.6.4 of the tool,
but many capabilities will not be supported and maintaining of 0.6.4 version is ended.
Some of the features that you will be missing can be listed as ;
- Complete
terraforminterpolations support terraformmodules, variables and providers support.- Any filtering function for advanced queries
- Many missing resources requires
tagging. - .. and many more ..
You can have a look to the CHANGELOG for further information.