Today, I’ll explore the most interesting Terraform tools for 2024. These will prove handy in areas like infrastructure testing, linting, identifying security vulnerabilities, ensuring DRY (Don't Repeat Yourself) code principles, and much more.
Code Editing and Enhancement Tools
1.) VSCode Extensions
Two of the most favored extensions for Terraform include the official HashiCorp Terraform extension and the Terraform extension by Anton Kulikov.
These extensions transform VS Code into a powerful IDE for Terraform, providing features like syntax highlighting, auto-completion of code, and integrated debugging, which streamline the development process and increase efficiency.
2.) TFlint
TFLint is a Terraform linter focused on possible errors, best practices, and style conventions in your Terraform code.
When to use TFLint:
You can run TFlint before the terraform plan command to detect issues early.
Major reasons why you should use TFLlint:
- Error detection: Detect errors before running terraform plan or apply
- Best practices: Checks your code against a set of Terraform best practices
- Custom rules support: Write your own custom rules, adhering to organization policies
For example, say you define an AWS EC2 instance in your Terraform configuration and mistakenly refer to an AMI that doesn't exist.
TFLint can flag the AMI ID issue before you execute the terraform plan or terraform apply:
$ tflint main.tf
1 issue(s) found:
Error: "ami-12345678" is an invalid AMI ID. (aws_instance_invalid_ami)
on main.tf line 2:
2: ami = "ami-12345678"
Security and Compliance
3.) Open Policy Agent (OPA)
A popular Policy-as-Code tool for Terraform is OPA, everyone's favorite versatile open-source policy engine that enforces security and compliance policies across your cloud-native stack, making it easier to manage and maintain consistent policy enforcement in complex, multi-service environments.
When to use OPA:
OPA policies are usually run after running terraform plan to validate the policy rules.
Major reasons why you should use OPA:
- Enforce compliance: Ensures adherence to organizational, industry, or legal standards in Terraform configurations
- Shift-left security: Identify security vulnerabilities early in development
- Automate governance: Embed policy checks within CI/CD pipelines to minimize manual governance efforts
Here is an example OPA policy that checks whether an S3 bucket has public access enabled:
package aws.s3
default allow = false
allow {
not bucket_is_public
}
bucket_is_public {
input.bucket_acl == "public-read"
}
bucket_is_public {
input.bucket_policy.allows_public_read
}
For more information, check out this guide for Terraform and OPA or this tutorial for using env0 and OPA for granular policy management.
4.) Terrascan
Terrascan is a static code analysis tool that scans your Infrastructure-as-Code (IaC) for security vulnerabilities and compliance violations. It supports multiple platforms like (AWS, Azure, GCP, K8s, Atlantis, etc), including Terraform. Terrascan allows you to enforce security best practices, compliance policies, and governance across your IaC deployments.
When to use Terrascan:
Terrascan can usually be run locally or in CI/CD before terraform plan to identify security issues.
Here is an example of running Terrascan against an AWS security group defined in Terraform:
$ terrascan scan -t aws -i terraform
Violation Details -
Description: Ensure no security groups allow ingress from 0.0.0.0/0 to ALL ports and protocols
File: main.tf
Module Name: root
Plan Root: .\
Line: 9
Severity: HIGH
…
Check out this in-depth Terrascan guide for more information.
5.) Checkov
Checkov is another great tool that examines your Terraform files (.tf), parsing the configurations and evaluating them against a comprehensive set of predefined policies. It scans Terraform-managed infrastructure and detects misconfigurations that could lead to security issues or non-compliance with best practices and regulations.
When to use Checkov:
You can run Checkov locally or in CI/CD before running terraform plan to detect potential security issues.
Below is an example of how Checkov detects security violations for an AWS security group, allowing traffic to all ports defined in the Terraform (.tf) file:
$ checkov -f main.tf
Check: CKV_AWS_277: "Ensure no security groups allow ingress from 0.0.0.0:0 to port -1"
FAILED for resource: aws_security_group.allow_all
File: \main.tf:9-19
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-aws-security-group-does-not-allow-all-traffic-on-all-ports
Read this guide for Checkov examples, use cases, and best practices.
6.) Tfsec
Tfsec acts as a Terraform scanning tool. It is a security-focused linter for Terraform that scans code for security flaws, offering an additional layer of security assurance and helping to maintain a strong security posture.
Tfsec allows you to create policies in multiple formats like JSON, YAML, and Rego Policies.
When to use Tfsec:
Tfsec can either be run locally or in automated CI/CD environments before terraform plan.
Taking the same example of the AWS S3 bucket with encryption disabled, let's observe how Tfsec detects the vulnerability:
Result #3 HIGH Bucket does not have encryption enabled
.../main.tf:20-32
20 ┌ resource "aws_s3_bucket" "tfsec" {
21 │ bucket = "tfsec-bucket"
22 │ acl = "private"
….
ID aws-s3-enable-bucket-encryption
Impact The bucket objects could be read if compromised
Resolution Configure bucket encryption
Learn more in this Tfsec guide.
Testing and Verification
7.) Terratest
Terratest is a Go library that provides tools and patterns for testing infrastructure, with first-class support for Terraform, Packer, Docker, Kubernetes, and more. It's used to write automated tests for your infrastructure code.
There are 4 steps to test Terraform IaC using Terratest.
When to use Terratest:
Run Terratest after running terraform apply in your CI/CD or locally to validate your infrastructure's behavior and ensure that your Terraform code functions as expected.
Why use Terratest:
- Automated testing: Embed automated tests in CI/CD pipelines for early issue detection
- Programmatic testing: Use Go for detailed, code-based Terraform resource testing
- Comprehensive test coverage: Offers broad-ranging validation from unit to end-to-end infrastructure tests
Here is a sample test that checks if an AWS EC2 is accessible over SSH:
package test
import (
"testing"
"time"
"github.com/gruntwork-io/terratest/modules/aws"
"github.com/gruntwork-io/terratest/modules/terraform"
"github.com/gruntwork-io/terratest/modules/test-structure"
)
func TestEC2Instance(t *testing.T) {
t.Parallel()
// Define the folder where the Terraform code is located
terraformDirectory := "../examples/aws/ec2"
// At the end of the test, run `terraform destroy` to clean up any resources that were created
defer test_structure.RunTestStage(t, "cleanup", func() {
terraform.Destroy(t, terraformOptions)
})
// Deploy the infrastructure with Terraform
terraformOptions := terraform.WithDefaultRetryableErrors(t, &terraform.Options{
TerraformDir: terraformDirectory,
})
test_structure.RunTestStage(t, "deploy", func() {
terraform.InitAndApply(t, terraformOptions)
})
// Get the public IP of the created EC2 instance
publicIp := terraform.Output(t, terraformOptions, "public_ip")
// Test if the EC2 instance is accessible over SSH
test_structure.RunTestStage(t, "validate", func() {
aws.CanSshToEc2Instance(t, publicIp, "ec2-user", nil)
})
}
8.) Terragrunt
Terragrunt is a thin wrapper that provides extra tools for keeping your Terraform configurations DRY (Don't Repeat Yourself), working with multiple Terraform modules, and managing remote state. It's particularly useful in managing large-scale infrastructure deployments with Terraform.
These are some reasons why to use Terragrunt:
- DRY Terraform configurations: Reduce code redundancy in your Terraform projects
- Manage remote state easily: Centralize and streamline remote state management for modules
- Handle dependencies gracefully: Seamlessly orchestrate module dependencies for orderly operations
For more, check out this in-depth Terragrunt tutorial.
Cost Management and Optimization
9.) Infracost
Infracost is a cost estimation tool that generates cost estimates for Terraform projects, which is crucial for budget planning and cost optimization, especially in cloud environments where resource costs can vary significantly.
When to use Infracost:
Infracost is usually run after you provision your resources through Terraform to detect the cost of resources.
Here is the output generated by Infracost detailing the cost of provisioning an AWS EC2 instance, an RDS instance, and an S3 bucket:
For more about InfraCost, check out this episode of The IaC Podcast featuring co-founder and CEO Hassan Khajeh-Hosseini:
IaC Synchronization and Management
10.) Driftctl
Driftctl is an open-source Terraform drift detection tool that tracks and warns about infrastructure drift. Driftctl scans your infrastructure, compares it with your IaC configurations (like Terraform), and reports discrepancies.
When to use Driftctl:
It's useful to run Driftctl before terraform apply to understand if there are any drifts in your environment.
This output clearly shows that the ‘driftctl-app-bucket’ has drifted. The ACL has changed from private (as defined in Terraform) to public-read (current state in AWS).
$driftctl scan
Scanned resources: (1)
Found unmanaged resources:
aws_s3_bucket:
- driftctl-app-bucket
Found drifted resources:
- aws_s3_bucket.driftctl_bucket:
~ acl: "private" => "public-read"
11.) Terraformer
Terraformer is a CLI tool developed by Google that generates Terraform files from existing infrastructure (reverse Terraform), simplifying the process of adopting Terraform in existing environments and speeding up the initial setup process. Terraformer supports multiple cloud providers, including AWS, Google Cloud, Azure, and others.
When to use Terraformer:
Generally, Terraformer is used in a local environment because it's an initial step to bring unmanaged resources under Terraform management.
Why use Terraformer:
- Save time and effort: Streamline IaC adoption by automating Terraform configurations
- Ensure visibility: Enhance infrastructure visibility by incorporating unmanaged resources into Terraform
For example, you can use Terraformer to import your S3 buckets into Terraform configuration:
terraformer import aws --resources=s3 --regions=us-east-1
Terraformer will scan your AWS account for S3 buckets in the us-east-1 region and generate corresponding .tf files and a terraform.tfstate file.
12.) Pike
Pike is a tool that analyzes Terraform managed resources and automatically generates the necessary IAM permissions, improving security by ensuring that only the minimum necessary permissions are granted.
When to use Pike:
You can run Pike before running the terraform plan locally, in order to generate the least privilege permissions for your infrastructure.
Why use Pike:
- Security: Enhances security by enforcing the least privilege principle in IAM roles
- Efficiency: Streamlines permission management by automating IAM policy creation
You can use Pike to scan a directory containing Terraform files, and it generates the necessary IAM policies.
$pike scan -d /terraform-infra/
{
"Version": "2012-10-17",
"Statement": {
"Effect": "Allow",
"Action": [
"ec2:MonitorInstances",
"ec2:UnmonitorInstances",
"ec2:DescribeInstances",
"ec2:DescribeTags",
...
13.) Terratag (by env0)
Terratag is a tool designed to assign tags or labels to a complete collection of Terraform or Terragrunt files. It enables applying tags or labels to resources within AWS, GCP, and Azure.
When to use Terratag:
Use Terratag when maintaining your tags becomes challenging through manual work, and you believe in automating this process.
Why use Terratag:
- Scalability: Streamlining tagging across applications at scale.
- Accuracy: Minimizing human error in tag addition.
- Retrospective Tagging: Enabling retrospective tagging of previously deployed IaC resources.
- Management and Reporting: Supporting cost management, organization, and reporting through tagging.
Check out this post to learn more about Terratag.
Visualization and Understanding
14.) Blast Radius
Blast Radius is a tool designed to provide interactive visualizations of Terraform dependency graphs. It's particularly useful for understanding and communicating the architecture and potential impact of changes in Terraform-managed infrastructure.
When should you use Blast Radius:
Run Blast Radius locally when planning or reviewing changes (after running terraform plan) to understand the potential impact before applying the changes with Terraform.
Why should you use Blast Radius:
- Understanding complex dependencies: Visualizes Terraform resource connections for clearer representation
- Risk assessment: Evaluates potential impacts of changes across your infrastructure
- Optimization: Uses visual insights to pinpoint and address inefficiencies in Terraform configurations
Below is a typical graph of Terraform configuration, enough to launch a single EC2 instance (running a web server) and elastic load balancer.
15.) Terraform Visual
Terraform Visual is a tool that generates a visual representation of your terraform plan, making it easier to understand the structure and changes of your Terraform-managed infrastructure.
When to use Terraform Visual:
Use Terraform Visual when reviewing your terraform plan, especially when complex changes in the Terraform codebase are involved.
You can follow the steps on how to use Terraform Visual.
Here is a sample graph of the Terraform visual that depicts AWS EC2, security groups, and an S3 bucket.
16.) InfraMap
Like Blast Radius, InfraMap generates visual graphs of your infrastructure based on Terraform state or configurations, offering a visual overview of your infrastructure, which is especially helpful for large and complex environments.
When to use InfraMap:
Use InfraMap when planning new infrastructure or when reviewing changes to understand the architecture and how resources interrelate.
Learn more about InfraMap here.
Documentation and Workflow Management
17.) Terraform-docs
Terraform-docs is a tool that automatically generates documentation from Terraform modules in various output formats, including markdown, JSON, and others. It's particularly useful for maintaining up-to-date documentation of your Terraform modules' inputs, outputs, providers, and resources.
When to use Terraform-docs:
Run Terraform-docs locally whenever you update your Terraform modules to keep the documentation in sync with your code.
Why use Terraform-docs:
- Automated documentation: Automates the process of generating documentation
- Improved understanding: Clear documentation of modules enhances team collaboration
- Efficiency: Streamlines processes and minimizes errors in large projects with multiple modules
18.) TFSwitch
TFSwitch is a CLI tool that allows easy switching between different Terraform versions, simplifying workflows in environments where multiple Terraform versions are used.
When to use TFSwitch:
Use TFSwitch locally when you're working across multiple Terraform projects that require different Terraform versions.
Why use TFSwitch:
- Ease of use: Effortlessly switch between Terraform versions
- Project-specific versioning: Define Terraform versions per project to maintain consistency
You can run the tfswitch command to display all the versions like so:
$ tfswitch
Use the arrow keys to navigate: ↓ ↑ → ←
? Select Terraform version:
▸ 1.1.7 *recent
1.1.6
1.1.5
1.1.4
1.1.3
…
19.) Terramate
Terramate is an open-source IaC orchestration tool for Terraform, OpenTofu, Pulumi, Cloudformation, and others, that streamlines and scales your IaC workflows.
When to use Terramate:
Use Terramate when managing similar infrastructure across multiple environments (dev, staging, production) to ensure consistency and reduce duplication.
Check out Terramate documentation for more information.
20.) Atlantis
Atlantis automates reviewing and deploying Terraform via pull requests, streamlining collaboration and ensuring consistency across Terraform deployments.
When to use Atlantis:
Whether it’s a local or a CI/CD environment, Atlantis handles the Terraform part, ensuring that plan and apply are executed in response to VCS events.
Why use Atlantis:
- Automated workflows: Streamlines Terraform processes by auto-running terraform plan and apply, with results ready for review
- Collaboration and review: Enhances team collaboration by integrating code changes review into the pull request workflow
- Security and control: Provides a detailed audit trail of who did what and when
Read this Atlantis guide for more information.
21.) Terraform Cloud
Terraform Cloud (TFC) is a HashiCorp-managed service that provides collaboration features, governance, and automated workflow management, making it ideal for teams looking for a scalable, cloud-based Terraform solution.
When to use Terraform Cloud:
Terraform Cloud is useful for enabling teams to collaborate on infrastructure and ensure that everyone works off a consistent set of configurations and that changes are reviewed and applied in a controlled manner.
Why use Terraform Cloud:
- Collaboration and governance: Offers a collaborative platform with access controls, private modules, and shared configurations
- State management: Securely handles Terraform states, offering version history, locking, and drift detection
- Secrets management: Securely stores and manages sensitive data
- Cost estimation: Provides cost estimations for your infrastructure
For more information you can also check out my analysis of Terraform Cloud pricing.
22.) env0
env0 is an advanced IaC management platform designed for seamless collaboration and automation in complex deployments at scale.
When to use env0:
On top of the Terraform Cloud features mentioned above, env0 also provides dynamic cost and access controls, enhanced security features, collaborative tools, and support for multiple frameworks such as OpenTofu, Pulumi, and AWS CF.
Moreover, env0 utilizes a deployment-based pricing structure, making it more suitable for many large-scale operations, compared to TFC’s Resources Under Management (RUM) pricing.
Visit here to see what makes env0 a better Terraform Cloud alternative.
Why use env0:
- IaC-centric pipelines: Seamlessly integrate various tools into env0 using your preferred tooling in custom flows
- Unlimited concurrency: Enables executing unlimited simultaneous runs without extra costs for concurrent executions
- IaC FinOps: Provides cost monitoring dashboard, and the ability to set granular budget thresholds, alerts, and policies
- Flexible workflows: Offers adaptability with PR planning, continuous deployment, and custom policies for team-specific needs
- Managed self-service: Streamlines operations with managed self-service and Policy-as-Code, simplifying infrastructure deployment
- Continuous IaC visibility: Ensures ongoing insight into your infrastructure, featuring automated drift detection
Frequently Asked Questions/FAQs
For additional context, here is a list of questions that will help you understand the need and use cases for the tools I’ve described above.
Q. What is the difference between Terraform lint and validate?
terraform validate checks whether Terraform configurations are syntactically valid and consistent. Meanwhile, linting tools like TFLint extend validation by enforcing best practices and conventions in writing an IaC.
Q. How do you integrate OPA with Terraform?
On a high level, once you’ve installed OPA on your local machine, you write the OPA policy in Rego and generate a JSON output of your terraform plan. After that, you run the OPA policy against that terraform plan JSON to validate the policy rules you defined. You can check the step-by-step tutorial here.
Q. What is the difference between Checkov and Tfsec?
There are a few key differences between the two. The first one is Checkov, which supports a wide range of integrations like Terraform, AWS Cloudformation, Helm Charts, and others, while Tfsec just supports Terraform. To find an in-depth comparison between these two, check out this blog.
Q. Can you run Terragrunt with Terraform Cloud?
Terragrunt indirectly runs Terraform commands, while Terraform Cloud executes them directly, disallowing Terragrunt usage within Terraform Cloud. However, you can use Terragrunt via CLI to trigger Terraform runs on TFC using a remote backend, where runs and state are managed in TFC, but Terragrunt can't be run from the TFC UI.
Q. Can Terraform detect drifts by itself?
Terraform itself does not inherently detect drifts; it primarily manages infrastructure as defined in the IaC. For more robust and automated drift detection, third-party tools like env0, TFC, Terrateam, Driftctl (and others) are designed to track and manage drifts in Terraform-managed resources specifically.
Top comments (0)