tfplan sentinel policies in Terraform
Published Wed, 02 Jun 2021 on For all your terraform needs
https://terraformarchitect.com/sentinel/tfplan-versus-tfconfig-vs-tfstate-sentinel-policies/

The post tfplan sentinel policies in Terraform appeared first on For all your terraform needs.

Terraform Sentinel policies fall into three broad categories: tfplan-based, tfconfig-based and tfstate-based policies. This post discusses a couple of common tfplan-based policies.

A simple tfplan Sentinel policy that restricts resources to certain machine types

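import "tfplan"

# Limit Google Cloud compute instances to machine types below n1-standard-16 (16 cores)

allowed_machine_types = [
    "n1-standard-1",
    "n1-standard-2",
    "n1-standard-4",
    "n1-standard-8",
]

# tfplan.resources is keyed by resource type, then resource name, then count index;
# "applied" holds the attribute values the plan would apply.
main = rule {
    all tfplan.resources.google_compute_instance as _, instances {
        all instances as _, r {
            r.applied.machine_type in allowed_machine_types
        }
    }
}

Another tfplan policy to restrict regions for resources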

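# "env" is assumed to be a custom import that exposes the environment name as ENV
import "env"
import "tfplan"

# Only provision staging resources in us-west and production resources in us-east

valid_regions = {"staging": "us-west-1", "production": "us-east-1"}

# tfplan.config.providers is a map keyed by provider name, so iterate over
# key and value and compare the key against "aws".
main = rule {
    all tfplan.config.providers as name, p {
        name is not "aws" or
        p.config.region == valid_regions[env.ENV]
    }
}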

tfconfig Policies

Coming Soon

tfstate Policies

Coming Soon
