https://github.com/bradmccoydev/tfval
Validates Terraform Plans using TFSEC and OPA
- Host: GitHub
- URL: https://github.com/bradmccoydev/tfval
- Owner: bradmccoydev
- License: apache-2.0
- Created: 2021-10-22T00:33:26.000Z (over 4 years ago)
- Default Branch: main
- Last Pushed: 2023-03-31T06:25:48.000Z (about 3 years ago)
- Last Synced: 2025-03-22T20:45:21.746Z (over 1 year ago)
- Language: Go
- Size: 199 KB
- Stars: 5
- Watchers: 2
- Forks: 4
- Open Issues: 0
Metadata Files:
- Readme: README.md
- Changelog: CHANGELOG.md
- Funding: .github/FUNDING.yml
- License: LICENSE
README
  
# TFVAL
This tool validates Terraform plans. It is written in Go as a wrapper around TFSEC and OPA to provide guardrails when deploying through CI/CD pipelines. You can find the latest release on the releases page.
### Command Description
| Command | Description |
| --- | --- |
| check | Check if the plan passes OPA and TFSEC policy |
| checkopa | Check if the plan passes OPA policy |
| opascore | Gets the OPA score report |
| tfsec | Outputs the TfSec vulnerability report |
| sendreport | Sends the Terraform validation report to Slack |
| cost | Matches Infracost against the budget |
### Command Parameters
| Command | Parameters |
| --- | --- |
| tfsec | --tfsecReport "delete-rg-test.json" --tfsecMaxSeverity "CRITICAL" |
| check | --repo "https://github.com/basiqio/terraform-template" --commitSha "1234" --developer "bradmccoydev" --planFileName "policies/delete-rg-test.json" --tfsecReportLocation "pkg/tfsec/mock.json" --tfsecMaxSeverity "CRITICAL" --infracostMonthlyBudget "2000" --infracostReportLocation "pkg/infracost/mock.json" --opaConfig "[{\"location\":\"policies/opa-azure-policy.rego\",\"query\":\"data.terraform.analysis.deny[x]\"}]" |
| checkopa | --planFileName "policies/delete-rg-test.json" --opaConfig "[{\"location\":\"policies/opa-azure-policy.rego\",\"query\":\"data.terraform.analysis.authz\"}]" |
| opascore | --planFileName "delete-rg-test.json" --policyLocation "opa-aws-policy.rego" |
| sendreport | --fileName "delete-rg-test.json" --slackWebhook "*" --prNumber "1" --repoFullUrl "x" --tfsecMaxSeverity "MEDIUM" |
| cost | --infracostMonthlyBudget "2000" --infracostReportLocation "pkg/infracost/mock.json" |
- `/usr/bin/tfsec-analysis-terraform tfsec "$BITBUCKET_PR_ID" "$BITBUCKET_GIT_HTTP_ORIGIN" "tfsec-report.json" "$SLACK_WEBHOOK"`
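As an added illustration of what the `check` command gates on (example code written for this page, not tfval's own source), the Go program below reads a Terraform plan JSON, a tfsec report and an Infracost breakdown and fails the run on any of three conditions: tfsec findings at or above `--tfsecMaxSeverity`, planned resource deletions (a typical OPA guardrail, implemented here in plain Go instead of Rego), or a monthly cost above `--infracostMonthlyBudget`. The tfsec `results[].rule_id`/`severity` fields and Infracost's string-typed `totalMonthlyCost` are assumptions about those tools' JSON output; the `resource_changes[].change.actions` shape is Terraform's documented plan JSON. All sample inputs are constructed. The OPA evaluation itself is not reproduced; that step needs the OPA library or an `opa eval` invocation.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strconv"
	"strings"
)

// tfsec severity ranks; a higher number is more severe.
var severityRank = map[string]int{"LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

// Subsets of the three input documents. The tfsec and Infracost shapes are
// assumptions about those tools' JSON; resource_changes follows the
// documented `terraform show -json` plan format.
type tfsecReport struct {
	Results []struct {
		RuleID   string `json:"rule_id"`
		Severity string `json:"severity"`
	} `json:"results"`
}
type planJSON struct {
	ResourceChanges []struct {
		Address string `json:"address"`
		Change  struct{ Actions []string `json:"actions"` } `json:"change"`
	} `json:"resource_changes"`
}
type infracostReport struct {
	TotalMonthlyCost string `json:"totalMonthlyCost"` // assumed decimal string
}

// TfsecFindingsAtOrAbove returns rule ids of findings at or above maxSeverity,
// i.e. the findings that fail the --tfsecMaxSeverity gate. An unknown
// threshold is an error rather than a silent pass.
func TfsecFindingsAtOrAbove(report []byte, maxSeverity string) ([]string, error) {
	threshold, ok := severityRank[strings.ToUpper(maxSeverity)]
	if !ok {
		return nil, fmt.Errorf("unknown tfsec severity %q", maxSeverity)
	}
	var r tfsecReport
	if err := json.Unmarshal(report, &r); err != nil {
		return nil, fmt.Errorf("parse tfsec report: %w", err)
	}
	var hits []string
	for _, f := range r.Results {
		if severityRank[strings.ToUpper(f.Severity)] >= threshold {
			hits = append(hits, f.RuleID)
		}
	}
	return hits, nil
}

// PlannedDeletions returns addresses the plan would destroy. Replacements
// (actions ["delete","create"] or ["create","delete"]) count as deletions.
func PlannedDeletions(plan []byte) ([]string, error) {
	var p planJSON
	if err := json.Unmarshal(plan, &p); err != nil {
		return nil, fmt.Errorf("parse plan: %w", err)
	}
	var out []string
	for _, rc := range p.ResourceChanges {
		for _, a := range rc.Change.Actions {
			if a == "delete" {
				out = append(out, rc.Address)
				break
			}
		}
	}
	return out, nil
}

// MonthlyCost parses the Infracost total and says whether it fits the budget.
func MonthlyCost(report []byte, budget float64) (float64, bool, error) {
	var r infracostReport
	if err := json.Unmarshal(report, &r); err != nil {
		return 0, false, fmt.Errorf("parse infracost report: %w", err)
	}
	total, err := strconv.ParseFloat(r.TotalMonthlyCost, 64)
	if err != nil {
		return 0, false, fmt.Errorf("parse totalMonthlyCost: %w", err)
	}
	return total, total <= budget, nil
}

// Check runs the three gates and returns pass/fail with every failure reason,
// so a pipeline log shows all problems at once rather than the first one.
func Check(plan, tfsec, infracost []byte, maxSeverity string, budget float64) (bool, []string, error) {
	hits, err := TfsecFindingsAtOrAbove(tfsec, maxSeverity)
	if err != nil {
		return false, nil, err
	}
	dels, err := PlannedDeletions(plan)
	if err != nil {
		return false, nil, err
	}
	total, within, err := MonthlyCost(infracost, budget)
	if err != nil {
		return false, nil, err
	}
	var reasons []string
	if len(hits) > 0 {
		reasons = append(reasons, "tfsec at/above "+maxSeverity+": "+strings.Join(hits, ", "))
	}
	if len(dels) > 0 {
		reasons = append(reasons, "plan destroys: "+strings.Join(dels, ", "))
	}
	if !within {
		reasons = append(reasons, fmt.Sprintf("cost %.2f over budget %.2f", total, budget))
	}
	return len(reasons) == 0, reasons, nil
}

// Constructed sample inputs, not real tool output.
const (
	sampleTfsec     = `{"results":[{"rule_id":"rule-a","severity":"CRITICAL"},{"rule_id":"rule-b","severity":"MEDIUM"}]}`
	samplePlan      = `{"resource_changes":[{"address":"azurerm_resource_group.main","change":{"actions":["delete"]}},{"address":"azurerm_storage_account.logs","change":{"actions":["update"]}},{"address":"azurerm_virtual_network.core","change":{"actions":["delete","create"]}}]}`
	sampleInfracost = `{"totalMonthlyCost":"2450.75"}`
)

func main() {
	pass, reasons, err := Check([]byte(samplePlan), []byte(sampleTfsec), []byte(sampleInfracost), "HIGH", 2000)
	fmt.Println("pass:", pass, "reasons:", reasons, "err:", err)
}
```

With the constructed inputs and `--tfsecMaxSeverity HIGH` plus a 2000 budget, all three gates fail: `rule-a` is CRITICAL, two resources would be destroyed (one of them via replacement), and the cost is 2450.75. In a pipeline the caller would exit non-zero when `pass` is false.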
### Docker
```bash
docker pull bradmccoydev/tfval:latest
docker run -p 80:80 bradmccoydev/tfval:latest check --planFileName "delete-rg-test.json" --policyLocation "opa-aws-policy.rego" --tfsecMaxSeverity "CRITICAL" --opaRegoQuery "data.terraform.analysis.authz"
```
### Maintainers
* Brad McCoy ([@bradmccoydev](https://github.com/bradmccoydev)), Basiq
* Ben Poh ([@benhpoh](https://github.com/benhpoh)), Moula
## Thanks to all the contributors ❤️
### License
Terraform Plan Validator is released under the Apache 2.0 license. See [LICENSE.txt](https://github.com/bradmccoydev/tfval/blob/main/LICENSE)
The bundled example plan and policies can also be evaluated directly with the OPA CLI:
```bash
opa eval --fail-defined --format raw --input policies/delete-rg-test.json --data policies/opa-azure-policy.rego 'data.terraform.analysis.authz'
opa eval --fail-defined --format raw --input policies/delete-rg-test.json --data policies/tags-policy.rego 'data.terraform.common.deny[x]'
```