mattray / inspec-iggy

InSpec CLI plugin for generating compliance controls from Terraform and CloudFormation
Apache License 2.0
106 stars 18 forks

Using inspec-iggy with remote .tfstate #3

Closed richjamesgreen closed 5 years ago

richjamesgreen commented 6 years ago

I'm really interested in using this but our state files are located remotely in S3 buckets. Could this plugin have the ability to target the remote state when running: inspec terraform generate --tfstate

mattray commented 6 years ago

This sounds like a pretty valid use case, I'll put it in the queue.

chris-rock commented 6 years ago

@richjamesgreen Just out of interest, how does terraform handle the case with a remote state file?

pcanham commented 5 years ago

Interested in this as well, but unsure whether this might already be fixed/handled within the inspec provisioner plugin for terraform.

tbugfinder commented 5 years ago

Our state files are stored remotely in Consul.

tbugfinder commented 5 years ago

@richjamesgreen Just out of interest, how does terraform handle the case with a remote state file?

This is a core element of terraform.

amitsaha commented 5 years ago

Hi @mattray - have you been able to look into this? If not, if you have some ideas regarding the implementation, that would be good to know. Would it be as straightforward as:

inspec terraform generate --tfstate s3://<path to tfstate>

And then we read the state file from there similar to the local state file?

mattray commented 5 years ago

This will be supported in the upcoming 0.5.0 release https://github.com/mattray/inspec-iggy/tree/0.5.0.

I'll go through the Terraform and CloudFormation docs and see what the formats they use are (http:, https:, s3:, anything else?). I'm planning on leaving the CLI alone (still -t) and parsing the string for remote sources.

mattray commented 5 years ago

Looking through the Terraform docs for remote state, there are quite a few supported options. https://www.terraform.io/docs/backends/types/index.html

For the 0.5.0 release I'll probably only support http/https/s3 and see what sort of feedback I get. For the other backends of Terraform we'll probably need to either wrap the Terraform command or find a Terraform Ruby SDK we can reuse.

richjamesgreen commented 5 years ago

Yes we use S3 and the Azurerm types most frequently. But trialling in S3 would be really useful!

On 1 Apr 2019, at 06:24, Matt Ray notifications@github.com wrote:

Looking through the Terraform docs for remote state, there are quite a few supported options. https://www.terraform.io/docs/backends/types/index.html

For the 0.5.0 release I'll probably only support http/https/s3 and see what sort of feedback I get. For the other backends of Terraform we'll probably need to either wrap the Terraform command or find a Terraform Ruby SDK we can reuse.


asimonrose commented 5 years ago

I’d definitely like to see the S3 remote state file supported - that’d be great.

On 1 Apr 2019, at 08:11, richjamesgreen notifications@github.com wrote:

Yes we use S3 and the Azurerm types most frequently. But trialling in S3 would be really useful!


samuelmoneill commented 5 years ago

Has this been resolved? Is it possible to run:

inspec terraform generate --tfstate s3://path/to/terraform.tfstate --name myprofile

It would be great to see this!

tbugfinder commented 5 years ago

We use CONSUL for storing the state.

mattray commented 5 years ago

I'm trying to finish 0.5.0, which will support http/https/s3 but not Consul. I'm open to suggestions for an easy way to support all the Terraform backends in the next release.

mattray commented 5 years ago

0.5.0 supports http/https/s3 but not Consul. I'm open to suggestions for an easy way to support all the Terraform backends in the next release.
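
The approach discussed in the thread (keep -t/--tfstate and parse its string for remote sources) can be illustrated as follows. This is an added example, not part of the thread and not inspec-iggy's own code; the names classify_tfstate_source and TfstateSource, the refusal of URL-embedded credentials, and the sample URLs used to exercise it are assumptions.

```ruby
require "uri"

# Hypothetical helper (not inspec-iggy's code): classify the string given to
# -t/--tfstate as a local path or one of the remote schemes named in the thread.
SUPPORTED_REMOTE = %w[http https s3].freeze

TfstateSource = Struct.new(:kind, :location, :bucket, :key)

def classify_tfstate_source(arg)
  raise ArgumentError, "empty --tfstate value" if arg.nil? || arg.strip.empty?

  # Anything without a "scheme://" prefix is treated as a local file path.
  m = arg.match(%r{\A([A-Za-z][A-Za-z0-9+.-]*)://})
  return TfstateSource.new(:local, arg, nil, nil) unless m

  scheme = m[1].downcase
  # Fail closed on backends that are not handled (e.g. Consul) instead of
  # silently falling back to a local file lookup.
  unless SUPPORTED_REMOTE.include?(scheme)
    raise ArgumentError, "unsupported tfstate source scheme: #{scheme}"
  end

  uri = URI.parse(arg)
  if uri.host.nil? || uri.host.empty?
    raise ArgumentError, "missing host or bucket in #{arg}"
  end
  # Assumption of this example: Terraform state can contain secrets, so
  # credentials embedded in the URL (which end up in shell history and logs)
  # are refused.
  raise ArgumentError, "credentials in URL are not accepted" if uri.userinfo

  if scheme == "s3"
    # s3://<bucket>/<key>: the URI host is the bucket, the path is the key.
    key = uri.path.sub(%r{\A/}, "")
    raise ArgumentError, "missing object key in #{arg}" if key.empty?
    TfstateSource.new(:s3, arg, uri.host, key)
  else
    TfstateSource.new(scheme.to_sym, arg, nil, nil)
  end
end
```
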