Table of Contents
Linting
tflint
tflint
Linting refers to the process of automatically checking code for potential errors, bugs, or stylistic inconsistencies. In the context of Terraform or any other programming language, linting tools analyze the code against a set of predefined rules or coding standards. These tools help developers identify issues early in the development process, ensuring code quality, adherence to best practices, and consistency across projects. Linting does not execute the code but provides feedback on potential problems, such as syntax errors, unused variables, or violations of coding conventions, allowing developers to address them before deployment or execution.
It is a terraform linter for detecting errors that cannot be detected by terraform plan.
Features
Installation
Refer the github link - [tflint](https://github.com/terraform-linters/tflint)
Implementation
terraform init
terraform plan
Output of terraform plan
There is no warnings or errors detected by terraform plan.
Output of tflint
There is a warning for unused declarations
Reference:
[tflint in github](https://github.com/terraform-linters/tflint)
Static Analysis
Static analysis tools typically perform a deep examination of the codebase, looking for complex patterns, architectural flaws, security vulnerabilities, and performance bottlenecks.
checkov
tfsec
Static analysis refers to the process of examining code without actually executing it. These tools can identify a wide range of issues beyond simple syntax errors or coding conventions, including design flaws, concurrency issues, memory leaks, and more.
Here we see the working of checkov and tfsec.
checkov
With a wide range of built-in checks and the ability to create custom policies, Checkov facilitates the proactive identification of misconfigurations, reducing the risk of security breaches and compliance violations.
Features
Installation
Refer the github link - [checkov](https://github.com/bridgecrewio/checkov/)
Implementation
terrafotm init
-
Output of checkov
Here the CKV_AWS_24 check is skipped
Output of checkov with multiple skip check
Here the CKV_AWS_24 and CKV_AWS_260 checks are skipped
Why skip-check?
Skipping checks in tools like Checkov might be necessary in certain scenarios, but it's essential to approach this with caution and understanding. Here are some common reasons why you might consider skipping certain checks:
It's important to note that skipping checks should be a conscious decision made based on a thorough understanding of the implications. If you choose to skip certain checks, consider documenting the reasons for doing so and regularly review skipped checks to ensure they are justified.
Reference:
[checkov in github](https://github.com/bridgecrewio/checkov/)
tfsec
It is a static analysis tool specifically designed for Terraform configurations. It supports terraform <0.12 & >=0.12 & directly integrates with HCL parser for better results.
Features
Installation
Refer the github link - [tfsec](https://github.com/aquasecurity/tfsec)
Implementation
terraform init
3. Run the below command to check the code for its correctness.
tfsec
Output of tfsec
Below each check there is a reference link for debugging.
Ignoring Warnings:
To ignore warnings in tfsec during the execution of your Terraform scans, you can add a comment containing tfsec:ignore:<ID> to the line above the block containing the issue, or to the module block to ignore all occurrences of an issue inside the module. This is useful when certain warnings are intentional or not applicable to your specific use case.
ID: you can check in each warning of tfsec output.
You can ignore multiple rules by concatenating the rules on a single line:
#tfsec:ignore:aws-vpc-add-description-to-security-group tfsec:ignore:aws-vpc-no-public-egress-sgr
resource "aws_security_group" "bad_example"
Expiration Date: You can set expiration date for ignore with yyyy-mm-dd format. This is a useful feature when you want to ensure ignored issue won't be forgotten and should be revisited in the future.
#tfsec:ignore:aws-s3-enable-bucket-encryption:exp:2025-01-02
Ignore like this will be active only till 2025-01-02, after this date it will be deactivated.
Disable checks:
You may wish to exclude some checks from running. If you'd like to do so, you can simply add new argument -e check1,check2,etc to your CLI command,
Reference:
[tfsec in github](https://github.com/aquasecurity/tfsec)
Sensitivity Masking
Masking sensitive data or credentials in Terraform configurations to enhance security.
tfmask
A sensitivity masking tool designed to conceal or obfuscate sensitive information, such as passwords, API keys, or other confidential data, within files, databases, or configurations. These tools typically employ encryption, hashing, or tokenization techniques to protect sensitive information from unauthorized access or exposure. Sensitivity masking tools play a crucial role in enhancing data security and compliance with privacy regulations by preventing inadvertent disclosure of sensitive data during development, testing, or deployment processes.
tfmask
It is an open-source utility created by CloudSkiff to enhance the security of Terraform outputs. When you run terraform plan or terraform apply, Terraform generates a plan that includes sensitive information in clear text. This information, if exposed, could pose a security risk. tfmask helps mitigate this risk by masking sensitive values, providing an added layer of security.
Features
Installation
sudo curl -L https://github.com/cloudposse/tfmask/releases/download/0.7.0/tfmask_linux_amd64 -o /usr/bin/tfmask
3. Mark it as executable by running:
sudo chmod +x /usr/bin/tfmask
Implementation
terraform init
terraform plan
3. Run the below command to mask sensitive information.
terraform plan | tfmask
Output of terraform plan
Here no values has been masked.
Output of tfmask
Here, the http_tokens field has been masked. The tfmask utility will replace the "old value" and the "new value" with the masking character (e.g. *).
We can add fields to make it sensitive by below command
export TFMASK_VALUES_REGEX="(?i)^.*[^a-zA-Z](oauth|secret|token|password|key|result|ami).*$"
Here, I have added ami in command
We can change the masking character by export TFMASK_CHAR="#" command.
Reference:
[tfmask in github](https://github.com/cloudposse-archives/tfmask)
Cost Estimation
Predicting the cost of infrastructure changes before applying them using Terraform.
infracost
Tool used to estimate costs for your infrastructure deployments.
infracost
Infracost provides cost estimates for Terraform before deployment. Infracost enables you to easily see cost estimates for your resources and enable the engineering teams to better understand their infrastructure changes from a business perspective.
Features
Installation
Refer the link - [quick-start](https://www.infracost.io/docs/#quick-start)
Implementation
terraform init
3. Run the below command to mask sensitive information.
infracost breakdown --path
Output of infracost
Show cost estimate difference
2. Edit your Terraform project. In main.tf file, change the instance type from t2.micro to t2.medium
3. Generate a diff by comparing the latest code change with the baseline:
infracost diff --path . --compare-to infracost-base.json
See costs and best practices in dashboard
infracost upload --path infracost-base.json
Log in to [Infracost Cloud](https://dashboard.infracost.io/) > Visibility > Repos page to see the cost estimate.
Reference:
[infracost](https://www.infracost.io/docs/#quick-start)
Documentation Generation
Automatically generating documentation for Terraform configurations to enhance clarity and understanding.
infracost
The tools help automate the generation of documentation for Terraform configurations. One popular tool for this purpose is called terraform-docs.
terraform-docs
It is a utility that automates the generation of documentation for Terraform projects. It extracts metadata and descriptions from Terraform configurations and produces consistent and readable documentation in various formats.
Features
Installation
Refer the link - [terraform-docs](https://terraform-docs.io/user-guide/installation/)
Implementation
The terraform-docs configuration file (.terraform-docs.yml) uses the yaml format in order to override any default behaviors. This is a convenient way to share the configuration amongst teammates, CI, or other tooling's.
The default name of the configuration file is .terraform-docs.yml. The path order for locating it is:
To use an alternative configuration file name or path you can use the -c or --config flag.
Or you can use a config file with any arbitrary name as .tfdocs-config.yml, then the command is
terraform-docs -c .tfdocs-config.yml .
Open and copy the below content in a file named .terraform-docs.yml
formatter: "yaml" #This is required field
version: "0.17.0"
output-values:
enabled: false
from: ""
sort:
enabled: true
by: name
settings:
anchor: true
color: true
default: true
description: false
escape: true
hide-empty: false
html: true
indent: 2
lockfile: true
read-comments: true
required: true
sensitive: true
type: true
Output
terraform-docs .
Output file will be generated as given in configuration output.yaml
If the code used has modules for the infrastructure, then in each module there is an output.yaml file generated with their corresponding documentation.
The default configurations and explanations can be found on [terraform-docs_configurations](https://terraform-docs.io/user-guide/configuration/).
Reference:
[terraform-docs](https://terraform-docs.io/user-guide/)
Terraform Version Management
Managing and switching between different versions of Terraform for compatibility and stability.
tfswitch
Terraform Version Management refers to the practice of effectively handling different versions of Terraform, the popular Infrastructure as Code (IaC) tool, within your development environment. As projects evolve and dependencies change, having the ability to switch between Terraform versions becomes essential for maintaining compatibility and ensuring smooth development workflows. One popular tool for this purpose is called tfswitch.
tfswitch
It is a command line tool used to switch between different versions of terraform. If there is no particular version of terraform installed, tfswitch will download the required version. The installation is minimal and easy. Once installed, simply select the version you require from the dropdown and start using terraform.
Features
Installation
Installation for Linux OS:
sudo su
2. Run the below command:
curl -L https://raw.githubusercontent.com/warrensbox/terraform-switcher/release/install.sh | bash
Installation for mac:
Refer [tfswitch_install](https://tfswitch.warrensbox.com/Install/)
Implementation
Commands:
tfswitch
tfswitch 1.7.1 # enter specific version in CLI
tfswitch -l or tfswitch --list-all # Use drop down menu to select version
tfswitch -u or tfswitch --latest # install latest stable version only
export TF_VERSION=1.6.1
tfswitch # switch to version 1.6.1(specified in environment variable)
For more commands refer [tfswitch quick start](https://tfswitch.warrensbox.com/Quick-Start/).
Reference
[tfswitch quick start](https://tfswitch.warrensbox.com/Quick-Start/)
Module Testing
Testing Terraform modules to ensure they function correctly and meet requirements.
terratest
Module testing is a crucial aspect of infrastructure development, ensuring that Terraform modules behave as expected and meet the desired functionality and quality standards. One popular tool for this purpose is called terratest.
terratest
Terratest is an open source Go library that enables automated testing of Terraform code. It allows you to write and execute tests for your infrastructure code, helping to catch potential issues early in the development lifecycle.
Features
Installation
Terratest uses the Go testing framework. To use Terratest, you need to install:
Go (requires version >=1.21.1)
Implementation
Let us take an example of simple hello world in terraform.
terraform
The simplest possible Terraform module: it just outputs "Hello, World!"
output "hello_world"
package test
import (
"testing"
"github.com/gruntwork-io/terratest/modules/terraform"
"github.com/stretchr/testify/assert"
)
func TestTerraformHelloWorldExample(t *testing)
// Clean up resources with "terraform destroy" at the end of the test.
defer terraform.Destroy(t, terraformOptions)
// Run "terraform init" and "terraform apply". Fail the test if there are any errors.
terraform.InitAndApply(t, terraformOptions)
// Run terraform output to get the values of output variables and check they have the expected values.
output := terraform.Output(t, terraformOptions, "hello_world")
assert.Equal(t, "Hello, World!", output)
go test -v
6. Check the output.
Output
This code does all the steps from terraform init, terraform apply, reading the output variable using terraform output, checking its value as we expect, and running terraform destroy to run it at the end of the test, whether the test succeeds or fails. Output truncated for readability:
For more examples, please find the link in reference below.
Reference
[Terratest_quick-start](https://terratest.gruntwork.io/docs/getting-started/quick-start/)
Security Scanning
Identifying security vulnerabilities or misconfigurations in Terraform code to enhance security posture.
terrascan
Security scanning is a critical aspect of ensuring the integrity and security of your infrastructure code and cloud environments. terrascan and pike
terrascan
Terrascan, an open-source tool developed by Accurics, has emerged as a powerful solution for scanning Terraform code and identifying security vulnerabilities and best practice violations.
Features
Installation
Refer the GitHub link - [terrascan](https://github.com/tenable/terrascan?tab=readme-ov-file#scan)
Implementation
terrascan scan to scan the code.
3. Run terrascan scan -v to get the output with rule id which will be used in skip check.
5. For skipping rule checks, use this format#ts:skip=<rule id><skip reason> in the configuration file at required place. In the below example, ingress rule for port 80 is skipped.
rule_id will be in the output of terrascan scan -v command.
Example:
resource "aws_security_group" "example_1"
ingress
Reference
[Terrascan GitHub Link](https://github.com/tenable/terrascan?tab=readme-ov-file#scan)
State Inspection and Visualization
Analyzing and visualizing Terraform state files to understand the current infrastructure configuration.
terraform-visual
terraboard
inframap
prettyplan
State inspection involves examining the current state of provisioned infrastructure resources managed by IaC tools like Terraform. This includes details such as resource attributes, dependencies, configurations, and relationships. State visualization tools offer graphical representations of infrastructure resources, dependencies, and relationships. Visualizations may include diagrams, graphs, or charts that illustrate the structure and topology of deployed resources.
terraform-visual
It is an open-source tool that generates graphical visualizations of Terraform plan. It creates interactive diagrams that illustrate the relationships between resources and modules defined in Terraform code.
Features
Installation
Using Yarn `yarn global add
variables
variable "account_bucket"
variable "aws_region"
variable "profile"
resource "aws_s3_bucket" "example_bucket"
when you run terraform plan or terraform apply for above configuration file, values are asked at runtime as no value is provided for variables.
common.tfvars
account_id = "012365478901"
account_bucket = "my-bucket"
region.tfvars
aws_region = "us-east-1"
profile = "my-profile"
Everytime when running terraform plan commands, use the above variables using the -var-file argument.
terragrunt.hcl configuration:terragrunt
get_terraform_commands_that_need_vars() is a built-in function to automatically get the list of all commands that accept -var-file and -var arguments
terragrunt plan or terragrunt apply commands, Terragrunt will automatically add those arguments.
To try more features, refer the link in reference section.
Reference
[terragrunt in github](https://terragrunt.gruntwork.io/docs/getting-started/quick-start/)
Migration and Import Tools
Tools for migrating existing infrastructure or importing resources into Terraform configurations for management.
tfmigrate
tfmigrator
Migration and Import Tools, such as tfmigrate and tfmigrator , play a crucial role in transitioning existing infrastructure to Terraform-managed environments and importing existing resources into Terraform state.
tfmigrate
Tfmigrate is a Terraform state migration tool. It improves Terraform’s state management by allowing users to write state move (mv), remove (rm), and import commands in HCL, enabling them to plan and apply changes in a structured, version-controlled manner.
Features
Installation
For Linux,
curl -L https://github.com/minamijoyo/tfmigrate/releases/download/v0.3.20/tfmigrate_0.3.20_linux_amd64.tar.gz > tfmigrate.tar.gz
tar -xf tfmigrate.tar.gz tfmigrate && rm tfmigrate.tar.gz
sudo install tfmigrate /usr/local/bin && rm tfmigrate
tfmigrate --version
Implementation
resource "aws_security_group" "changed" terrafotm init
terraform apply
terraform state list command.resource "aws_security_group" "example" terraform plan command.migration "state" "test"
tfmigrate plan tfmigrate_test.hcl
tfmigrate apply tfmigrate_test.hcl
Terraform plan
Terraform state list
Here, there is no change in state file and configuration file, so no change in terraform plan
Reference
[tfmigrate GitHub Link](https://github.com/minamijoyo/tfmigrate/)
tfmigrator
Go library to migrate Terraform Configuration and State with terraform state mv and terraform state rm command and hcledit.
Features
Prior to applying changes, TFMigrator offers a "dry run" mode. This allows users to preview the modifications and assess their impact on the Terraform codebase, minimizing the risk of unintended consequences.
Installation
For Linux,
curl -L https://github.com/tfmigrator/cli/releases/download/v0.2.2/tfmigrator_linux_amd64.tar.gz >tfmigrator.tar.gz
tar -xf tfmigrator.tar.gz tfmigrator && rm tfmigrator.tar.gz
sudo install tfmigrator /usr/local/bin && rm tfmigrator
tfmigrator
Implementation
resource "aws_security_group" "example" terraform init
terraform apply
version: 0.13 # Specify the Terraform version you are migrating to
path: ./
rules:
address: aws_security_group.changed
tfmigrator run main.tf
Output
In main.tf and tfstate files, the resource name aws_security_group.example is changed to aws_security_group.changed
Reference
[tfmigrator](https://github.com/tfmigrator/tfmigrator)
Permission Management Tool
These tools are particularly crucial in modern cloud-based environments where access to resources must be carefully managed to ensure security and compliance.
pike
These tools are particularly crucial in modern cloud-based environments where access to resources must be carefully managed to ensure security and compliance.
pike
Pike is an interesting tool that will analyze the resources you wish to create using Terraform and generate the necessary IAM permissions you need to complete that deployment. It determines the minimum permissions required to run terraform. Pike currently supports Terraform and supports multiple providers (AWS, GCP, AZURE).
Installation
Refer the GitHub link - [pike](https://github.com/jamesWoolfenden/pike?tab=readme-ov-file#install)
Implementation
pike scan
pike scan -d ./modules/terraform-aws-iamNote: For this you need to create the configuration files in the path /modules/terraform-aws-iam
pike scan -w
You can now deploy the policy you need directly (AWS only so far) and in aws console we can see the generated policy.
pike make -d ./modules/folder_name
Reference
[Pike GitHub Link](https://github.com/jamesWoolfenden/pike)
Infrastructure Importer from Cloud Resources
This categorization emphasizes Terraformer's role in streamlining the process of transitioning existing infrastructure into Terraform-managed infrastructure, enabling users to adopt infrastructure as code practices more efficiently.
terraformer
This categorization emphasizes Terraformer's role in streamlining the process of transitioning existing infrastructure into Terraform-managed infrastructure, enabling users to adopt infrastructure as code practices more efficiently.
terraformer
Terraformer is a powerful command-line interface (CLI) tool designed to facilitate the generation of Terraform files (tf/json and tfstate ) from existing infrastructure. (reverse Terraform)
Features
Installation
PROVIDER to one of google, aws or kubernetes if you only need one.export PROVIDER=all
curl -L "https://github.com/GoogleCloudPlatform/terraformer/releases/download/0.8.24/terraformer-$-linux-amd64"
chmod +x terraformer-$-linux-amd64
sudo mv terraformer-$-linux-amd64 /usr/local/bin/terraformer
For other OS, click - [Terraformer_install](https://github.com/GoogleCloudPlatform/terraformer/blob/master/README.md#installation)
Implementation
terraform init against a versions.tf file to install the plugins required for your platform. For example, if you need plugins for the aws provider, versions.tf should contain:terraform
required_version = ">= 0.13"
terraformer import aws --resources=vpc,subnet --connect=true --regions=eu-west-1 --profile=my-profile
terraform init and terraform plan , there will be no difference in current state and resources in cloud providers. Thus, using terraformer we can generate configuration files from existing infrastructure.
To explore more options using aws cloud refer [AWS_Import_options](https://github.com/GoogleCloudPlatform/terraformer/blob/master/docs/aws.md) and for other providers, please refer the reference link below.
Reference
[terraformer in github](https://github.com/GoogleCloudPlatform/terraformer/tree/master)
We highly appreciate your patience and time spent reading this article.
Stay tuned for more Content.
Happing reading !!! Let us learn together !!!