{"id":13505785,"url":"https://github.com/terraform-compliance/cli","last_synced_at":"2025-05-15T13:08:03.975Z","repository":{"id":37650528,"uuid":"86997096","full_name":"terraform-compliance/cli","owner":"terraform-compliance","description":"a lightweight, security focused, BDD test framework against terraform.","archived":false,"fork":false,"pushed_at":"2025-03-04T11:03:38.000Z","size":23100,"stargazers_count":1382,"open_issues_count":100,"forks_count":153,"subscribers_count":35,"default_branch":"master","last_synced_at":"2025-04-11T22:35:21.095Z","etag":null,"topics":["bdd","bdd-style","compliance","hashicorp","infrastructure","terraform","testing","testing-framework"],"latest_commit_sha":null,"homepage":"https://terraform-compliance.com","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/terraform-compliance.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":"CONTRIBUTING.md","funding":".github/FUNDING.yml","license":"LICENSE","code_of_conduct":"CODE_OF_CONDUCT.md","threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null},"funding":{"github":"eerkunt"}},"created_at":"2017-04-02T15:53:29.000Z","updated_at":"2025-04-11T07:50:29.000Z","dependencies_parsed_at":"2024-01-03T02:28:20.639Z","dependency_job_id":"a4d9803b-4684-49ec-a73d-d0e081cc1079","html_url":"https://github.com/terraform-compliance/cli","commit_stats":{"total_commits":965,"total_committers":48,"mean_commits":"20.104166666666668","dds":"0.28186528497409324","last_synced_commit":"c252fe91a9324224533d1595dc7e8504875c5408"},"previous_names":["eerkunt/terraform-compliance"],"tags_count":186,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosy
ste.ms/api/v1/hosts/GitHub/repositories/terraform-compliance%2Fcli","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/terraform-compliance%2Fcli/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/terraform-compliance%2Fcli/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/terraform-compliance%2Fcli/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/terraform-compliance","download_url":"https://codeload.github.com/terraform-compliance/cli/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":254346624,"owners_count":22055808,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["bdd","bdd-style","compliance","hashicorp","infrastructure","terraform","testing","testing-framework"],"created_at":"2024-08-01T00:01:13.672Z","updated_at":"2025-05-15T13:07:58.956Z","avatar_url":"https://github.com/terraform-compliance.png","language":"Python","readme":"\u003cimg src='https://github.com/eerkunt/terraform-compliance/blob/master/logo.png' align=right height=100 valign=top\u003e\u003ch1 align=\"center\"\u003eterraform-compliance\u003c/h1\u003e\n\n\u003cdiv align=\"center\"\u003e\n  \u003c!-- Website --\u003e\n  \u003ca href=\"https://terraform-compliance.com\"\u003e\n    \u003cimg src=\"https://img.shields.io/badge/website-https%3A%2F%2Fterraform--compliance.com-blue\" alt=\"Website\" /\u003e\n  \u003c/a\u003e\n  \n  \u003c!-- Docker Ready --\u003e\n  \u003ca 
href=\"https://hub.docker.com/r/eerkunt/terraform-compliance/\"\u003e\n    \u003cimg src=\"https://img.shields.io/badge/docker-ready-blue.svg?longCache=true\u0026style=flat\" alt=\"docker version is ready\" /\u003e\n  \u003c/a\u003e\n\n  \u003c!-- License --\u003e\n  \u003ca href=\"https://pypi.org/project/terraform-compliance/\"\u003e\n    \u003cimg src=\"https://img.shields.io/pypi/l/terraform-compliance.svg\" alt=\"License\" /\u003e\n  \u003c/a\u003e\n\n  \u003c!-- PyPI Version --\u003e\n  \u003ca href=\"https://pypi.org/project/terraform-compliance/\"\u003e\n    \u003cimg src=\"https://img.shields.io/pypi/v/terraform-compliance.svg\" alt=\"Package Version\" /\u003e\n  \u003c/a\u003e\n  \n  \u003ca href=\"https://pepy.tech/project/terraform-compliance\"\u003e\n    \u003cimg src=\"https://pepy.tech/badge/terraform-compliance\" alt=\"Downloads\" /\u003e\n  \u003c/a\u003e\n\u003c/div\u003e\n\n\u003cbr /\u003e\n\u003cbr /\u003e\n\n`terraform-compliance` is a lightweight, security and compliance focused test framework against terraform to enable negative testing capability for your infrastructure-as-code.\n\n\n- __compliance:__ Ensure the implemented code is following security standards, your own custom standards\n- __behaviour driven development:__ We have BDD for nearly everything, why not for IaC ?\n- __portable:__ just install it from `pip` or run it via `docker`. See [Installation](https://terraform-compliance.com/pages/installation/)\n- __pre-deploy:__ it validates your code before it is deployed\n- __easy to integrate:__ it can run in your pipeline (or in git hooks) to ensure all deployments are validated.\n- __segregation of duty:__ you can keep your tests in a different repository where a separate team is responsible. 
\n- __why ?:__ why not ?\n\n## Performance\n\nIf terraform-compliance is not running quickly enough, make sure to check the\noptional faster\\_parsing pip install flag in the [Installation Guide](https://terraform-compliance.com/pages/installation/)\n\n## Idea\n\n`terraform-compliance` mainly focuses on [negative testing](https://en.wikipedia.org/wiki/Negative_testing) instead\nof having fully-fledged [functional tests](https://en.wikipedia.org/wiki/Functional_testing) that are mostly used for\nproving a component of code is performing properly. \n\nFortunately, `terraform` is a marvellous abstraction layer for any API \nthat __creates__/__updates__/__destroys__ entities. `terraform` also provides the \n[capability](https://www.terraform.io/docs/commands/plan.html#detailed-exitcode) \nto ensure everything is up-to-date between the local configuration and the remote API(s) responses. \n\nGiven that `terraform` is used mostly against Cloud APIs, what was missing was a way to ensure \nthat the code defining your infrastructure follows specific policies. Currently HashiCorp provides \n[Sentinel](https://www.hashicorp.com/sentinel/) for Enterprise Products. `terraform-compliance` provides \nsimilar functionality for `terraform` only, while being free to use and Open Source.\n\nFor example, if you are working with `AWS`, a sample policy could be that you should not create an `S3 bucket` \nwithout any `encryption`.\n
Of course, this is just an example, which may or may not be applicable \nfor your case.\n\n`terraform-compliance` provides a test framework to create these policies, which are executed against \nyour [terraform plan](https://www.terraform.io/docs/commands/plan.html) in a form that both \ndevelopers and security teams can easily understand when reading it, by applying [Behaviour Driven \nDevelopment](https://en.wikipedia.org/wiki/Behavior-driven_development) principles.\n\nReturning to the example above, the policy is translated into a BDD Feature \nand Scenario, as shown below:\n\n```\nif you are working with AWS, you should not create an S3 bucket, without having any encryption\n```\n\ntranslates into:\n\n```gherkin\nGiven I have AWS S3 Bucket defined\nThen it must contain server_side_encryption_configuration\n```\n\n`server_side_encryption_configuration` comes from the terraform code, as shown below:\n\n```\nresource \"aws_s3_bucket\" \"b\" {\n  bucket = \"my-bucket\"\n  acl    = \"private\"\n\n  server_side_encryption_configuration {\n    rule {\n      apply_server_side_encryption_by_default {\n        kms_master_key_id = \"${aws_kms_key.mykey.arn}\"\n        sse_algorithm     = \"aws:kms\"\n      }\n    }\n  }\n}\n```\n\nThis policy (Scenario) requires that all newly created or updated S3 buckets have an encryption configuration set within the code.\n
Ideally, this Scenario (along with all other Scenarios) will run in a CI/CD pipeline, ensuring that nothing is deployed that violates your policies.\n\nSee [Examples](https://terraform-compliance.com/pages/Examples/) for more sample use cases.\n\nRegarding the feature file format: `radish` is used to parse files with the `.feature` extension; see https://radish.readthedocs.io/en/stable/tutorial.html\n\n![Example Run](https://github.com/eerkunt/terraform-compliance/blob/master/terraform-compliance-demo.gif?raw=true)\n\n## Sponsors\n\n* [resmo.com](resmo.com): Discover unmatched insights for Cloud and SaaS assets. Use SQL to ask questions and get real-time notifications for security and compliance violations.\n\n## License\n[MIT](https://tldrlegal.com/license/mit-license)\n","funding_links":["https://github.com/sponsors/eerkunt"],"categories":["Python","Testing","testing"],"sub_categories":["Community providers"],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fterraform-compliance%2Fcli","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fterraform-compliance%2Fcli","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fterraform-compliance%2Fcli/lists"}