Validates Terraform Plans using TFSEC and OPA

basiq-brad/tfval

TFVAL

This tool validates Terraform plans. It is written in Go as a wrapper around TFSEC and OPA and provides guardrails for deployments made from CI/CD pipelines. You can find the latest release on the release page.

Command Description

| Command    | Description                                       |
|------------|---------------------------------------------------|
| check      | Check if the plan passes OPA and TFSEC policy     |
| checkopa   | Check if the plan passes OPA policy               |
| opascore   | Gets the OPA score report                         |
| tfsec      | Outputs the TFSEC vulnerability report            |
| sendreport | Sends the Terraform validation report to Slack    |
| cost       | Matches Infracost against the budget              |

Commands Parameters

The `--opaConfig` value is a JSON array, so it is wrapped in single quotes to keep the inner double quotes intact when the command is run from a shell.

| Command    | Parameters |
|------------|------------|
| tfsec      | `--tfsecReport "delete-rg-test.json" --tfsecMaxSeverity "CRITICAL"` |
| check      | `--repo "https://github.com/basiqio/terraform-template" --commitSha "1234" --developer "bradmccoydev" --planFileName "policies/delete-rg-test.json" --tfsecReportLocation "pkg/tfsec/mock.json" --tfsecMaxSeverity "CRITICAL" --infracostMonthlyBudget "2000" --infracostReportLocation "pkg/infracost/mock.json" --opaConfig '[{"location":"policies/opa-azure-policy.rego","query":"data.terraform.analysis.deny[x]"}]'` |
| checkopa   | `--planFileName "policies/delete-rg-test.json" --opaConfig '[{"location":"policies/opa-azure-policy.rego","query":"data.terraform.analysis.authz"}]'` |
| opascore   | `--planFileName "delete-rg-test.json" --policyLocation "opa-aws-policy.rego"` |
| sendreport | `--fileName "delete-rg-test.json" --slackWebhook "*" --prNumber "1" --repoFullUrl "x" --tfsecMaxSeverity "MEDIUM"` |
| cost       | `--infracostMonthlyBudget "2000" --infracostReportLocation "pkg/infracost/mock.json"` |

  • /usr/bin/tfsec-analysis-terraform tfsec "$BITBUCKET_PR_ID" "$BITBUCKET_GIT_HTTP_ORIGIN" "tfsec-report.json" "$SLACK_WEBHOOK"

Docker

docker pull bradmccoydev/tfval:latest
docker run -p 80:80 bradmccoydev/tfval:latest check --planFileName "delete-rg-test.json" --policyLocation "opa-aws-policy.rego" --tfsecMaxSeverity "CRITICAL" --opaRegoQuery "data.terraform.analysis.authz"

Maintainers:

Thanks to all the contributors ❤️

License

Terraform Plan Validator is released under the Apache 2.0 license. See LICENSE.txt

opa eval --fail-defined --format raw --input policies/delete-rg-test.json --data policies/opa-azure-policy.rego 'data.terraform.analysis.authz'

opa eval --fail-defined --format raw --input policies/delete-rg-test.json --data policies/tags-policy.rego 'data.terraform.common.deny[x]'
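The `deny[x]` queries above only fail the build when the referenced policy actually produces a `deny` result for the plan. The following Rego policy is an added example, not a file from the tfval repository: it assumes the input is the JSON of `terraform show -json`, uses the `terraform.analysis` package name from the page's query, and treats the tag names `owner` and `environment` as required (an assumption made for the example). Run it with the first `opa eval` command above, substituting this file and the query `data.terraform.analysis.deny[x]`.

```rego
# Constructed example policy (not part of tfval). Input: `terraform show -json tfplan`.
package terraform.analysis

# Tag keys every created or updated resource must carry (assumed for this example).
required_tags := {"owner", "environment"}

# Plan actions after which the resource still exists with its new configuration.
changing_actions := {"create", "update"}

# True when obj has key k, even if the value is null (Terraform emits "tags": null when unset).
has_key(obj, k) {
    _ = obj[k]
}

# Deny any plan that destroys an Azure resource group, including a destroy-and-recreate.
deny[msg] {
    rc := input.resource_changes[_]
    rc.type == "azurerm_resource_group"
    rc.change.actions[_] == "delete"
    msg := sprintf("%s: plan destroys resource group", [rc.address])
}

# Deny a created or updated resource that supports tags but lacks a required one.
deny[msg] {
    rc := input.resource_changes[_]
    changing_actions[rc.change.actions[_]]
    has_key(rc.change.after, "tags")
    tag := required_tags[_]
    not rc.change.after.tags[tag]
    msg := sprintf("%s: missing required tag %q", [rc.address, tag])
}
```

With `--fail-defined`, `opa eval` exits non-zero as soon as the `deny` set is non-empty, which is what turns a policy hit into a failed pipeline step.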
