Reusable Terraform Archives - For all your terraform needs
https://terraformarchitect.com/category/reusable-terraform/
Thu, 15 Jul 2021 03:15:27 +0000

tfplan sentinel policies in Terraform
https://terraformarchitect.com/sentinel/tfplan-versus-tfconfig-vs-tfstate-sentinel-policies/
Wed, 02 Jun 2021 16:05:08 +0000

Terraform policies fall into three broad categories: tfplan-based, tfconfig-based and tfstate-based policies. This post discusses a couple of common tfplan-based policies.

A simple tfplan sentinel policy to restrict to certain types of resources 

import "tfplan"

# Limit Google Cloud compute instances to machine types below n1-standard-16 (16 cores)

allowed_machine_types = [
  "n1-standard-1",
  "n1-standard-2",
  "n1-standard-4",
  "n1-standard-8",
]

# tfplan.resources is keyed by resource type, then resource name, then instance index
main = rule {
  all tfplan.resources.google_compute_instance as _, instances {
    all instances as _, r {
      r.applied.machine_type in allowed_machine_types
    }
  }
}

Another tfplan policy to restrict regions for resources

import "env"
import "tfplan"

# Only provision staging resources in us-west and production resources in us-east

valid_regions = {"staging": "us-west-1", "production": "us-east-1"}

# tfplan.config.providers is a map keyed by provider name
main = rule {
  all tfplan.config.providers as name, p {
    name is not "aws" or
    p.config.region == valid_regions[env.ENV]
  }
}

tfconfig Policies

Coming Soon

tfstate Policies

Coming Soon

Reusable Terraform Modules from the public registry
https://terraformarchitect.com/reusable-terraform/reusable-terraform-modules-from-the-public-registry/
Tue, 10 Nov 2020 15:39:38 +0000

There’s a wealth of existing modules for AWS, GCP and Azure on registry.terraform.io. (Also read: reusable modules in Terraform, getting started.)

Look for something of interest to you here: https://registry.terraform.io/browse/modules.

Once you locate the module, there should be a ‘usage’ instruction. Basically, here’s what you need to do to use that module in your own source code.

  1. Explicitly spell out the source of your module, as shown below. (Terraform will automatically reach out over the internet to this public repo.)
  2. Pass in values for all the REQUIRED variables, inside the module block, as shown below.

module "project-factory" {
  source  = "terraform-google-modules/project-factory/google"
  version = "9.2.0"

  billing_account                    = "account id here"
  budget_alert_pubsub_topic          = "projects/{project_id}/topics/{topic_id}"
  budget_amount                      = 20
  name                               = "test_budget_alerts"
  org_id                             = "your_org_id here"
  vpc_service_control_perimeter_name = "test_project_permiter"
}

Summary

That’s really all there is to it. Instead of writing all this code from scratch, you simply reference the publicly available module and pass in the required (and optional) variable values.

A note on security 

If you leverage a module provided by AWS or Google or Microsoft, you can rest assured that they have passed certain security and coding standards. However, there are also ‘unverified’ modules out there on the public registry. Use these with caution.
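
One way to apply this caution in CI, as an added example that is not part of the original post: a small Python check that flags registry-sourced module blocks whose namespace is not on a reviewed list or whose version is not pinned exactly. The allow-list, the exact-pin rule, the regex-based parsing (not a full HCL parser) and the `example-user/bucket/google` module are assumptions made for illustration.

```python
import re
# Assumption: namespaces your organisation has reviewed; adjust to your own list.
APPROVED_NAMESPACES = {"terraform-google-modules", "terraform-aws-modules"}
MODULE_RE = re.compile(r'module\s+"([^"]+)"\s*\{')
REGISTRY_RE = re.compile(r'^[\w-]+/[\w-]+/[\w-]+(//.*)?$')  # NAMESPACE/NAME/PROVIDER[//SUBDIR]
EXACT_VERSION_RE = re.compile(r'^=?\s*\d+\.\d+\.\d+$')

# Constructed sample input; "example-user/bucket/google" is a made-up module.
SAMPLE = '''
module "project-factory" {
  source  = "terraform-google-modules/project-factory/google"
  version = "9.2.0"
  budget_alert_pubsub_topic = "projects/{project_id}/topics/{topic_id}"
}
module "bucket" {
  source  = "example-user/bucket/google"
  version = "~> 1.0"
}
module "net" {
  source = "terraform-google-modules/network/google"
}
'''

def module_blocks(hcl):
    """Yield (name, body) per module block; counts braces to find the block end."""
    for m in MODULE_RE.finditer(hcl):
        depth, i = 1, m.end()
        while i < len(hcl) and depth:
            depth += {"{": 1, "}": -1}.get(hcl[i], 0)
            i += 1
        yield m.group(1), hcl[m.end():i - 1]

def attr(body, key):
    m = re.search(rf'^\s*{key}\s*=\s*"([^"]*)"', body, re.M)
    return m.group(1) if m else None

def audit(hcl):
    findings = []
    for name, body in module_blocks(hcl):
        source, version = attr(body, "source"), attr(body, "version")
        if not source or not REGISTRY_RE.match(source):
            continue  # local paths, git URLs etc. need their own checks
        if source.split("/")[0] not in APPROVED_NAMESPACES:
            findings.append((name, "namespace not approved: " + source))
        if version is None:
            findings.append((name, "no version constraint"))
        elif not EXACT_VERSION_RE.match(version):
            findings.append((name, "version not pinned exactly: " + version))
    return findings
```

Calling `audit()` on the text of each `.tf` file and failing the build on a non-empty result turns the caution into an enforced gate.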
