https://github.com/mdb/terraguard
Check a Terraform plan for problematic resource changes.
- Host: GitHub
- URL: https://github.com/mdb/terraguard
- Owner: mdb
- Created: 2021-03-14T14:47:18.000Z (about 5 years ago)
- Default Branch: main
- Last Pushed: 2022-04-22T11:27:15.000Z (about 4 years ago)
- Last Synced: 2025-01-14T16:36:14.511Z (over 1 year ago)
- Topics: terraform
- Language: Go
- Homepage:
- Size: 2.17 MB
- Stars: 1
- Watchers: 2
- Forks: 0
- Open Issues: 0
Metadata Files:
- Readme: README.md
README
# terraguard
`terraguard` helps automate [Terraform plan](https://www.terraform.io/docs/cli/commands/plan.html) reviews by checking a Terraform plan JSON for problematic resource changes.
`terraguard` is a minimal alternative to Terraform policy enforcement tools like [Open Policy Agent](https://www.openpolicyagent.org/) and [Sentinel](https://www.hashicorp.com/sentinel).
## CLI Usage
`terraguard check` examines a Terraform plan JSON file for changes to guarded resources.
```text
terraguard check --help
Check if a Terraform plan seeks to modify the specified resources

Usage:
  terraguard check [flags]

Flags:
  -g, --guard strings   A comma-separated list of guarded resource addresses
  -h, --help            help for check
  -p, --plan string     The path to a Terraform plan output JSON file
```
Basic example:
```text
terraguard \
  check \
    --guard="*foo*" \
    --plan="test_fixtures/basic_plan.json"
Error: test_fixtures/basic_plan.json indicates changes to guarded resources:
module.foo.null_resource.aliased
module.foo.null_resource.foo
null_resource.foo
```
With multiple guarded resources:
```text
terraguard \
  check \
    --guard="*foo*" \
    --guard="*bar*" \
    --guard="null_resource.baz[0]" \
    --plan="test_fixtures/basic_plan.json"
Error: test_fixtures/basic_plan.json indicates changes to guarded resources:
module.foo.null_resource.aliased
module.foo.null_resource.foo
null_resource.bar
null_resource.baz[0]
null_resource.foo
```
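The following Go sketch is an added example, not terraguard's own source code. It shows what a guard check over a plan JSON involves: reading `resource_changes` from the JSON, skipping `no-op` entries, and matching addresses against guard patterns. It assumes `*` is the only wildcard and that `no-op` changes do not count as changes; `samplePlan`, `globMatch` and `guardedChanges` are hypothetical names.

```go
package main

import (
	"encoding/json"
	"fmt"
	"regexp"
	"strings"
)

// Constructed sample: only the plan JSON fields (`terraform show -json`) used here.
const samplePlan = `{"resource_changes":[
 {"address":"null_resource.foo","change":{"actions":["create"]}},
 {"address":"null_resource.baz[0]","change":{"actions":["delete","create"]}},
 {"address":"null_resource.baz0","change":{"actions":["update"]}},
 {"address":"module.foo.null_resource.foo","change":{"actions":["no-op"]}}]}`

// globMatch (assumed semantics): '*' matches any run of characters, all else is
// literal, so "[0]" in null_resource.baz[0] is not a character class as in path.Match.
func globMatch(pattern, s string) bool {
	re := strings.ReplaceAll(regexp.QuoteMeta(pattern), `\*`, ".*")
	return regexp.MustCompile("(?s)^" + re + "$").MatchString(s)
}

// guardedChanges returns, in plan order, guarded addresses with a planned change.
func guardedChanges(planJSON []byte, guards []string) (hits []string, err error) {
	var p struct {
		ResourceChanges []struct {
			Address string
			Change  struct{ Actions []string }
		} `json:"resource_changes"`
	}
	if err = json.Unmarshal(planJSON, &p); err != nil {
		return nil, err
	}
	for _, rc := range p.ResourceChanges {
		a := rc.Change.Actions
		for _, g := range guards {
			if !(len(a) == 1 && a[0] == "no-op") && globMatch(g, rc.Address) {
				hits = append(hits, rc.Address)
				break
			}
		}
	}
	return hits, nil
}

func main() {
	fmt.Println(guardedChanges([]byte(samplePlan), []string{"*foo*", "null_resource.baz[0]"}))
}
```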
## Disclaimer
Tools like [Open Policy Agent](https://www.openpolicyagent.org/) and [its Terraform capabilities](https://www.openpolicyagent.org/docs/latest/terraform/) arguably offer more robust, extendable, and fully featured means of enforcing Terraform policies. `terraguard` is comparatively simple, but it is also far less mature.