This repo is a simple Terraform template to fast-track the creation of Terraform repos. It contains various pre-populated config files and a number of `.tf` files that you will definitely use. It is especially helpful for creating Terraform modules.

There are some sample providers, input variables and outputs in order to properly exhibit the documentation generation.

The README file is autogenerated using terraform-docs!

If you like my work, please consider supporting it!

Cheers!
| Purpose | Name | Reference |
|---|---|---|
| Documentation | terraform-docs | https://github.com/terraform-docs/terraform-docs |
| Code Formatting | terraform fmt | https://www.terraform.io/docs/commands/fmt.html |
| Validation | terraform validate | https://www.terraform.io/docs/commands/validate.html |
| Linting | tflint | https://github.com/terraform-linters/tflint |
| Security | tfsec | https://github.com/tfsec/tfsec, https://www.tfsec.dev/docs/home/ |
| Static code analysis | checkov | https://github.com/bridgecrewio/checkov |
In order to speed up your work, there are a number of Makefile targets. You can see the list by executing `make` or `make help`.
```
$ make help
help: Show this help
init: Initializes the Terraform configuration
fmt: Formats the Terraform configuration
validate: Validates the Terraform configuration
docs: Generates the documentation. Creates a README.md file
lint: Runs the dockerized version of tflint
security: Runs the dockerized version of tfsec
checkov: Runs the dockerized version of checkov
```
Every target runs a dockerized version of the dependency, so there is no need to have the dependencies installed on your local machine. You just need docker!
Below, you can see the variables you can pass to the Makefile and their default values.

```make
DOCKER_TF_VERSION ?= latest
DOCKER_TFLINT_VERSION ?= latest
DOCKER_TFSEC_VERSION ?= latest
DOCKER_TFDOCS_VERSION ?= latest
DOCKER_CHECKOV_VERSION ?= latest
OPTIONS ?= # The options to be passed to the executed command
```
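To show how the dockerized targets and the variables above typically fit together, here is an example Makefile fragment. It is added to this README and is not the template's own Makefile; the Docker image names (`hashicorp/terraform`, `ghcr.io/terraform-linters/tflint`, `aquasec/tfsec`, `bridgecrew/checkov`), the `/data` mount path and the `init -backend=false` flag are assumptions to check against each tool's documentation.

```make
# Example Makefile fragment (added here; not the template's own Makefile).
# Image names, tags and the /data mount path are assumptions: check each
# tool's docs, and pin the *_VERSION tags in CI instead of relying on "latest".
DOCKER_TF_VERSION      ?= latest
DOCKER_TFLINT_VERSION  ?= latest
DOCKER_TFSEC_VERSION   ?= latest
DOCKER_CHECKOV_VERSION ?= latest
OPTIONS ?=

# Every tool sees only the current repo, mounted at /data. The scanners get a
# read-only mount; only init and fmt need to write into the working tree.
RUN    = docker run --rm -v "$(CURDIR):/data" -w /data
RUN_RO = docker run --rm -v "$(CURDIR):/data:ro" -w /data
TF     = hashicorp/terraform:$(DOCKER_TF_VERSION)

.PHONY: init fmt validate lint security checkov check

init:            ## Initializes the Terraform configuration (no backend)
	$(RUN) $(TF) init -backend=false $(OPTIONS)

fmt:             ## Formats the Terraform configuration
	$(RUN) $(TF) fmt -recursive $(OPTIONS)

validate: init   ## Validates the Terraform configuration
	$(RUN_RO) $(TF) validate $(OPTIONS)

lint:            ## Runs the dockerized version of tflint
	$(RUN_RO) ghcr.io/terraform-linters/tflint:$(DOCKER_TFLINT_VERSION) $(OPTIONS)

security:        ## Runs the dockerized version of tfsec
	$(RUN_RO) aquasec/tfsec:$(DOCKER_TFSEC_VERSION) /data $(OPTIONS)

checkov:         ## Runs the dockerized version of checkov
	$(RUN_RO) bridgecrew/checkov:$(DOCKER_CHECKOV_VERSION) -d /data $(OPTIONS)

# make stops at the first recipe whose command exits non-zero, so a finding in
# any tool fails the whole run; the "Error 3" / "Error 1" lines in the sample
# outputs in this README are exactly that exit-code propagation.
check: fmt validate lint security checkov
```

Running `make check` (or `OPTIONS="--diff" make fmt`, as in the example below) in CI gives a single gate that fails on a formatting, lint or security finding.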
```hcl
resource "aws_instance" "foo" {
ami = "ami-0ff8a91507f77f867"
instance_type = "t1.2xlarge" # invalid type!
}
```
```
$ OPTIONS="--diff" make fmt
data/main.tf
--- old/data/main.tf
+++ new/data/main.tf
@@ -1,4 +1,4 @@
resource "aws_instance" "foo" {
- ami = "ami-0ff8a91507f77f867"
+ ami = "ami-0ff8a91507f77f867"
instance_type = "t1.2xlarge" # invalid type!
}
```
Passing the `--diff` option to the `fmt` target also prints the formatting difference.
You can configure the behavior in the `.tflint.hcl` configuration file.
```hcl
resource "aws_instance" "foo" {
ami = "ami-0ff8a91507f77f867"
instance_type = "t1.2xlarge" # invalid type! This is going to make the tflint complain!
}
resource "aws_instance" "web" {
ami = "ami-b73b63a0"
instance_type = "t1.micro" # previous instance type!
iam_instance_profile = "app-service"
tags = { # "tags" is a map argument, not a nested block
Name = "HelloWorld"
}
}
```
```
$ make lint
2 issue(s) found:
Error: "t1.2xlarge" is an invalid value as instance_type (aws_instance_invalid_type)
on main.tf line 9:
9: instance_type = "t1.2xlarge" # invalid type! This is going to make the tflint complain!
Warning: "t1.micro" is previous generation instance type. (aws_instance_previous_type)
on main.tf line 14:
14: instance_type = "t1.micro" # previous instance type!
Reference: https://github.com/terraform-linters/tflint/blob/v0.20.2/docs/rules/aws_instance_previous_type.md
make: *** [Makefile:29: lint] Error 3
```
```hcl
resource "aws_security_group_rule" "my-rule" {
type = "ingress"
cidr_blocks = ["0.0.0.0/0"] #tfsec:ignore:AWS006
}
```
```
$ make security
1 potential problems detected:
Problem 1
[AWS018][ERROR] Resource 'aws_security_group_rule.my-rule' should include a description for auditing purposes.
/data/main.tf:21-24
18 | Name = "HelloWorld"
19 | }
20 | }
21 | resource "aws_security_group_rule" "my-rule" {
22 | type = "ingress"
23 | cidr_blocks = ["0.0.0.0/0"] #tfsec:ignore:AWS006
24 | }
See https://github.com/liamg/tfsec/wiki/AWS018 for more information.
make: *** [Makefile:32: security] Error 1
```
Checkov is a static code analysis tool for infrastructure-as-code. It scans cloud infrastructure provisioned using Terraform, CloudFormation, Kubernetes, Serverless or ARM Templates and detects security and compliance misconfigurations.
```hcl
resource "aws_s3_bucket" "foo-bucket" {
region = "us-east-1"
bucket = "test"
force_destroy = true
acl = "public-read"
}
```
```
Check: CKV_AWS_20: "S3 Bucket has an ACL defined which allows public READ access."
FAILED for resource: aws_s3_bucket.foo-bucket
File: /main.tf:7-12
Guide: https://docs.bridgecrew.io/docs/s3_1-acl-read-permissions-everyone
7 | resource "aws_s3_bucket" "foo-bucket" {
8 | region = "us-east-1"
9 | bucket = "test"
10 | force_destroy = true
11 | acl = "public-read"
12 | }
```
You can configure the behavior in the `.terraform-docs.yml` configuration file. Just empty the contents of this file and you are good to go!
You can use all the above Makefile targets as pre-commit hooks. The only dependency is the pre-commit tool. You can also install it so that it runs automatically on every git commit. The configuration file is here.