terraform-compliance GitHub Action

terraform-compliance

terraform-compliance is a lightweight, security and compliance focused test framework against terraform to enable negative testing capability for your infrastructure-as-code.

compliance: Ensure the implemented code is following security standards, your own custom standards
behaviour driven development: We have BDD for nearly everything, why not for IaC ?
portable: just install it from pip or run it via docker. See Installation
pre-deploy: it validates your code before it is deployed
easy to integrate: it can run in your pipeline (or in git hooks) to ensure all deployments are validated.
segregation of duty: you can keep your tests in a different repository where a separate team is responsible.
why ?: why not ?

You can use this action in order to run terraform-compliance in your GitHub Actions pipeline. For more information about the tool itself, you can have a look on https://terraform-compliance.com

How to use this action ?

Enable and Configure GitHub actions within your respository.
Use terraform-compliance/github-action@main
Supply plan and features required parameters
Supply optional other parameters

terraform-compliance requires to have access to 2 things in order to execute properly

terraform plan output (preferably converted to json format via terraform show -json command)
compliance tests that will run against your terraform plan.

Examples

An example CI pipeline for a terraform might look like this ;

jobs:
    terraform:
        name: terraform CI
        runs-on: ubuntu-latest

    steps:
      - uses: actions/checkout@v2
      - uses: hashicorp/setup-terraform@v1

      - name: terraform plan
        id: plan
        run: |
          terraform init && terraform plan -out=plan.out && terraform show -json plan.out > plan.out.json

      - name: terraform-compliance
        uses: terraform-compliance/github_action@main
        with:
          plan: plan.out.json
          features: ssh://git@github.com/terraform-compliance/user-friendly-features.git

.. or if you want to install terraform-compliance in the beginning of the steps and re-use it every time via run directive ;

jobs:
    terraform:
        name: terraform CI
        runs-on: ubuntu-latest

    steps:
      - uses: actions/checkout@v2
      - uses: hashicorp/setup-terraform@v1
      - uses: terraform-compliance/github_action@main

      - name: terraform plan
        id: plan
        run: |
          terraform init && terraform plan -out=plan.out && terraform show -json plan.out > plan.out.json

      - name: terraform-compliance
        id: terraform-compliance from remote repo
        run: |
          terraform-compliance -p /path/to/plan.out.json -f git:ssh://git@github.com/terraform-compliance/user-friendly-features.git

      - name: terraform-compliance
        id: terraform-compliance from local
        run: |
          terraform-compliance -p /path/to/plan.out.json -f /path/to/local

Additionaly, in case you want to publish the plan output to the related Pull Request, you can also use this action provided by GitHub as well ;

      - uses: actions/github-script@0.9.0
        if: github.event_name == 'pull_request'
        env:
          PLAN: "terraform\n${{ steps.plan.outputs.stdout }}"
        with:
          github-token: ${{ secrets.GITHUB_TOKEN }}
          script: |
            <details><summary>GitHub Plan</summary>

            \`\`\`${process.env.PLAN}\`\`\`

            </details>

            *Pusher: @${{ github.actor }}, Action: \`${{ github.event_name }}\`, Workflow: \`${{ github.workflow }}\`*`;

            github.issues.createComment({
              issue_number: context.issue.number,
              owner: context.repo.owner,
              repo: context.repo.repo,
              body: output
            })

What are the parameters I can use ?

Parameter	Required	Description	Default	Examples
plan	:white_check_mark:	The plan file that is generated by terraform		`plan.out`, `plan.out.json`
features	:white_check_mark:	The feature files that will be run against terraform plan	`./tests/`, `ssh://github.com/<org\|user>/<repo>`
quit-early		Action will fail immediately on the first failure	false
no-failure		Action will not fail even the tests fail	false
silent		Output of the tests will be substantially silenced	false
version		Specific `terraform-compliance` version that you want to use within the action

What if my feature files are within a private repository ?

Have a look on setup-git-credentials action for doing it in a better way than providing SSH private keys.

This action will also solve your problems while downloading modules from remote private repositories on terraform init