Writing Terraform configurations is like writing any programming language; you must ensure your code is formatted correctly, linted, validated, and secure.
Formatting: This is similar to running prettier to adhere to a standard format, making the configurations more readable.
Linting with tflint: The tflint tool will scan for configuration errors and unused resource declarations and enforce naming conventions. There are rulesets for each of the major cloud providers (AWS, GCP, Azure).
Security check with tfsec/trivy: The tfsec tool scans for misconfigurations and, more importantly, to see if secrets such as access keys or tokens are included in the Terraform.
Validation: Before deploying your Terraform configurations, let's make sure everything is in order. This step will check the syntax and whether the configuration is internally consistent.
Designed to work with zsh, this script will run the above steps:
| # Install: | |
| # brew install tflint | |
| # brew install tfsec | |
| # brew install terraform | |
| # nano /path/to/check_tf.sh | |
| # chmod +x /path/to/check_tf.sh | |
| # | |
| # Usage: | |
| # cd /path/to/terraform/tf_files | |
| # tflint --init | |
| # TFLINT_CONFIG=$(realpath ./.tflint.hcl) ./check_tf.sh | |
| # TFLINT_CONFIG=/path/to/.tflint.hcl /path/to/check_tf.sh | |
| if [ "$TFLINT_CONFIG" = '' ]; then | |
| echo 'the TFLINT_CONFIG environment variable must be set' | |
| exit 1 | |
| fi | |
| echo "Checking Terraform configuration..." | |
| echo "Formatting..." | |
| terraform fmt | |
| echo "Linting..." | |
| tflint --config="$TFLINT_CONFIG" --recursive | |
| echo "Checking security..." | |
| tfsec | |
| echo "Validating..." | |
| terraform validate |
You can use it as a git pre-commit hook if you setup the TFLINT_CONFIG variable.
Top comments (0)