For this example, we are using the following Orbs to illustrate how you might implement Terraform Compliance into your CI/CD pipeline.
We have set up our pipeline to follow this basic workflow:
terraform validate: Using the Job provided by the Terraform Orb
terraform plan: Using a custom Job, we will use the
plancommand that is provided by the Terraform Orb, but we’ll also export that plan to json for
terraform-compliance: Using the Python Orb and Pip to install requirements
terraform apply: Using the Job provided by the Terraform Orb, and only run on the
You will need to add a
requirements.txt to your project. You can rename this file to anything you would like, but be sure to update the name in your
Following Pip requirements format. You can specify any level of requirement that you desire for
terraform-compliance >= 1.3.0
Below is an example of the workflow described above.
version: '2.1' orbs: # Orb used for all of our Terraform related commands/jobs # https://circleci.com/developer/orbs/orb/circleci/terraform for available versions terraform: firstname.lastname@example.org # Orb used for installing and running Terraform Compliance # https://circleci.com/developer/orbs/orb/circleci/python for available versions python: email@example.com parameters: terraform-tag: type: string description: Specify the Terraform Docker image tag for the executor # https://hub.docker.com/r/hashicorp/terraform/tags for available versions # If you also run Terraform locally, then you should use the same version here default: 1.5.7 workspace-root: type: string description: Path of the workspace to persist to relative to workspace-root # Can be updated if you desire. The default specified here matches the default used by the CircleCI's Terraform Orb default: . workspace-path: type: string description: Workspace root path that is either an absolute path or a path relative to the working directory # Can be updated if you desire. The default specified here matches the default used by the CircleCI's Terraform Orb default: . executors: # This default executor is used for our custom job that needs to run Terraform default: docker: # Our default executor should match the tag that the Terraform Orb will use - image: hashicorp/terraform:<< pipeline.parameters.terraform-tag >> jobs: terraform_plan: executor: default steps: - checkout # Invoke the terraform/plan command that is provided by the Terraform Orb - terraform/plan: # And also output that plan out: plan.out # Convert our plan to JSON so that terraform-compliance can run without the use of Terraform - run: command: terraform show -json plan.out > plan.out.json name: Convert Terraform plan to JSON # Persist our workspace so that plan.out.json is available to terraform-compliance - persist_to_workspace: paths: - << pipeline.parameters.workspace-path >> root: << pipeline.parameters.workspace-root >> terraform_compliance: executor: python/default steps: # Attach the workspace so that we have access to plan.out.json from terraform_plan - attach_workspace: at: << pipeline.parameters.workspace-root >> - python/install-packages: # Update requirements.txt to match the location of your requirements file. This is currently referencing a # file in the root of your project pip-dependency-file: requirements.txt pkg-manager: pip - run: command: terraform-compliance -f features -p plan.out.json name: Terraform Compliance workflows: deploy_infra: jobs: # Use the standard validate job that is provided by the CircleCI Orb - terraform/validate: checkout: true # Make sure the CircleCI Orb uses the same version of Terraform as our default executor tag: << pipeline.parameters.terraform-tag >> # For terraform plan we'll use a custom job so that we can run additional commands - terraform_plan: requires: - terraform/validate # For terraform-compliance we'll use another custom job, and this will also be using our Python executor - terraform_compliance: requires: - terraform_plan # Use the standard apply job that is provided by the CircleCI Orb - terraform/apply: attach-workspace: true # Make sure the CircleCI Orb uses the same version of Terraform as our default executor tag: << pipeline.parameters.terraform-tag >> # Update your filters as you require. One provided here as an example filters: branches: only: main requires: - terraform_compliance
Not provided above is the authentication method for AWS.
CircleCI provides authentication through OpenID Connect as well as through AWS user Access Keys.