Open Policy Agent Terraform GCP Cloud Build config


  • Docker
  • Terraform


  • Follow these steps to set up the Google Terraform provider on GCP, but don't run terraform apply; only the plan is needed for the checks below

Running OPA locally

Generate the plan file.

terraform plan -out=tfplan.binary

Convert to JSON.

terraform show -json tfplan.binary > tfplan.json

Run OPA against a specified rule set.

docker run -v $PWD:/example openpolicyagent/opa eval --fail-defined --format pretty --data example/rules --input example/tfplan.json "data.terraform.validation.rules"

This returns a JSON response showing all the rule violations.

  {
    "pubsub": {
      "must_have_name_less_than_20_characters": [ ... ],
      "valid": false
    },
    "storage": {
      "must_be_in_eu": [ ... ],
      "must_have_name_less_than_63_characters": [ ... ],
      "must_have_team_label": [ ... ],
      "valid": false
    }
  }
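A rule set of the kind the eval command above loads from example/rules, written here as an added example rather than the repository's own policy; it produces the same report shape as the output above. It assumes google_storage_bucket and google_pubsub_topic resources, a label key named team, and OPA 0.59 or newer for the rego.v1 syntax.

```rego
package terraform.validation

import rego.v1

# Resources that will still exist after apply; destroyed resources are skipped.
planned contains r if {
	some r in input.resource_changes
	some action in r.change.actions
	action in {"create", "update", "no-op"}
}

buckets contains r if {
	some r in planned
	r.type == "google_storage_bucket"
}

topics contains r if {
	some r in planned
	r.type == "google_pubsub_topic"
}

# Each check maps a rule name to the set of offending resource addresses.
# Attributes still unknown at plan time (e.g. a computed name) are undefined
# here and therefore not flagged.
pubsub_checks := {
	"must_have_name_less_than_20_characters": {r.address | some r in topics; count(r.change.after.name) >= 20}
}

storage_checks := {
	"must_be_in_eu": {r.address | some r in buckets; upper(object.get(r.change.after, "location", "")) != "EU"},
	"must_have_name_less_than_63_characters": {r.address | some r in buckets; count(r.change.after.name) >= 63},
	"must_have_team_label": {r.address | some r in buckets; not r.change.after.labels.team}
}

# Keep only the rules that failed and mark the group invalid; undefined when clean.
failures(checks) := group if {
	failed := {name: addrs | some name, addrs in checks; count(addrs) > 0}
	count(failed) > 0
	group := object.union(failed, {"valid": false})
}

# `rules` is what the eval command queries. It is deliberately undefined when
# nothing failed: --fail-defined exits non-zero on any defined result, so
# returning an empty {} would fail every build.
rules := failed_groups if {
	failed_groups := {group: failures(checks) |
		some group, checks in {"pubsub": pubsub_checks, "storage": storage_checks}
	}
	count(failed_groups) > 0
}
```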

Running using Cloud Build

Enable Cloud Build.

gcloud services enable 

Submit a build. The results are printed in the terminal and can also be viewed in the Cloud Console.

gcloud builds submit .
