This tool is used to validate terraform plans before they are applied. Validations are ran using Forseti Config Validator.
go install .
See the Auth section first.
# The example/ directory contains a basic Terraform config for testing the validator.
cd example/
# Set default credentials.
export GOOGLE_APPLICATION_CREDENTIALS=/path/to/your/credentials.json
# Set a project to test with
export TF_VAR_project_id=my-project-id
# Set the local forseti-config-policies repository path.
export POLICY_PATH=/path/to/your/forseti-config-policies/repo
# Generate a terraform plan.
terraform plan --out=terraform.tfplan
# Validate the google resources the plan would create.
terraform-validator validate --policy-path=${POLICY_PATH} ./terraform.tfplan
# Apply the validated plan.
terraform apply ./terraform.tfplan
The follow Terraform resources are supported for running validation checks:
google_compute_diskgoogle_compute_instancegoogle_compute_firewallgoogle_storage_bucketgoogle_sql_database_instancegoogle_projectgoogle_organization_iam_policygoogle_organization_iam_bindinggoogle_organization_iam_membergoogle_folder_iam_policygoogle_folder_iam_bindinggoogle_folder_iam_membergoogle_project_iam_policygoogle_project_iam_bindinggoogle_project_iam_member
make test
First, build the Docker container:
make build-docker
See the Auth section for obtaining a credentials file, then start the Docker container:
export PROJECT_ID=my-project-id
export GOOGLE_APPLICATION_CREDENTIALS=$(pwd)/credentials.json
make run-docker
Finally, run the integration tests inside the container:
make test-integration
The terraform and the terraform-validator commands need to be able to authenticate to Google Cloud APIs. This can be done by generating a credentials.json file:
https://cloud.google.com/docs/authentication/production
Once you have a credentials file on your local machine, set the GOOGLE_APPLICATION_CREDENTIALS environment variable to point to the credentials file.
This is not an officially supported Google product.