## Boost your terraform automation
:rocket:
---
### Who am I?
- Bruno Ferreira 👨‍💻
- Father of one 👨‍👧
- 🌩️ engineer @ [Moteefe](https://moteefe.com/) (we're hiring!)
---
### Terraform workflow
```mermaid
graph LR
A[terraform fmt --check]-->B[terraform init]
B[terraform init]-->C[terraform plan]
C[terraform plan]-->ok{ok?}
ok--yes-->D[terraform apply]
ok--no-->fix
fix-->A[terraform fmt --check]
```
---
## Best practices and possible errors
### [TfLint](https://github.com/terraform-linters/tflint)
:mag_right:
---
### [TfLint](https://github.com/terraform-linters/tflint)
* Enforces best practices
  - unused var declarations, module sources through git should be pinned, etc.
* Catches possible errors that are not detected during plan
  - invalid AMIs, instance types, ...
* 700+ rules are available
* Custom rules (to enforce patterns in S3 bucket names, for example)
* AWS, Azure and GCP
---
### Tests
#### [Terratest](https://github.com/gruntwork-io/terratest)
:ballot_box_with_check: :negative_squared_cross_mark:
Go library to write automated tests for infrastructure code
---
#### Terratest with [Localstack](https://github.com/localstack/localstack)
```hcl
provider "aws" {
  region                      = "us-east-1"
  access_key                  = "mock_access_key"
  secret_key                  = "mock_secret_key"
  skip_credentials_validation = true
  skip_metadata_api_check     = true
  skip_requesting_account_id  = true
  s3_force_path_style         = true

  endpoints {
    ec2 = "http://localhost:4566"
    iam = "http://localhost:4566"
    s3  = "http://localhost:4566"
  }
}
```
---
#### Terratest with [Localstack](https://github.com/localstack/localstack)
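```go
package test

import (
	"testing"
	"github.com/gruntwork-io/terratest/modules/aws"
	"github.com/gruntwork-io/terratest/modules/terraform"
	"github.com/stretchr/testify/assert"
)

func TestS3BucketVersioning(t *testing.T) {
	awsRegion := "us-east-1" // assumed: same region as the provider block
	terraformOptions := &terraform.Options{
		TerraformDir: "../../local",
		EnvVars: map[string]string{
			"AWS_REGION": awsRegion,
		},
	}
	// Destroy the resources when the test ends, even if an assertion fails.
	defer terraform.Destroy(t, terraformOptions)
	terraform.InitAndApply(t, terraformOptions)
	actualStatus := aws.GetS3BucketVersioning(t, awsRegion, "awesome-bucket")
	expectedStatus := "Enabled"
	assert.Equal(t, expectedStatus, actualStatus)
}
```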
---
## Terratest with "The Real Thing"
* More reliable
* Use a sandbox account
* Run [aws-nuke](https://github.com/rebuy-de/aws-nuke) or [cloud-nuke](https://github.com/gruntwork-io/cloud-nuke) once in a while :fireworks:
---
## Security
### [Checkov](https://github.com/bridgecrewio/checkov)
:lock:
---
#### [Checkov](https://github.com/bridgecrewio/checkov)
* 400+ rules for security and compliance best practices
* AWS, Azure and Google Cloud
* Scans Terraform, CloudFormation, Kubernetes, Serverless Framework and ARM template files
* Detects AWS credentials in EC2 Userdata, Lambda environment variables and Terraform providers
---
#### [Checkov](https://github.com/bridgecrewio/checkov)
[https://docs.bridgecrew.io/docs/s3_13-enable-logging](https://docs.bridgecrew.io/docs/s3_13-enable-logging)
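
Added example (not from the original deck): a bucket definition that Checkov flags for missing access logging and versioning, next to a version that passes both checks. Every name except `awesome-bucket` is constructed, and the inline `versioning`/`logging` blocks assume AWS provider v3, which the `s3_force_path_style` argument in the Localstack provider block implies.

```hcl
# Before: no logging block and no versioning block.
# Checkov fails CKV_AWS_18 (access logging) and CKV_AWS_21 (versioning) here.
resource "aws_s3_bucket" "unlogged" {
  bucket = "awesome-bucket-unlogged" # constructed name
  acl    = "private"
}

# After: a dedicated bucket receives the access logs.
resource "aws_s3_bucket" "access_logs" {
  # The log target does not log into itself; suppress the check with a reason
  # so the exception stays visible in the scan report.
  #checkov:skip=CKV_AWS_18:log delivery target, logging it would recurse
  bucket = "awesome-bucket-access-logs" # constructed name
  acl    = "log-delivery-write"

  versioning {
    enabled = true
  }
}

# After: the bucket the Terratest case asserts on.
resource "aws_s3_bucket" "awesome" {
  bucket = "awesome-bucket"
  acl    = "private"

  # Satisfies CKV_AWS_21 and makes GetS3BucketVersioning return "Enabled".
  versioning {
    enabled = true
  }

  # Satisfies CKV_AWS_18: every request against the bucket is recorded.
  logging {
    target_bucket = aws_s3_bucket.access_logs.id
    target_prefix = "awesome-bucket/"
  }
}
```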
---
### Cost Management
#### [Infracost](https://github.com/infracost/infracost)
:moneybag:
A tool to estimate costs automatically in every pull request
---

[https://github.com/bmbferreira/awesome-terraform-pipeline](https://github.com/bmbferreira/awesome-terraform-pipeline)
---
Much more!
* **[tfSec](https://github.com/tfsec/tfsec)** - https://github.com/tfsec/tfsec
* **[terrascan](https://github.com/accurics/terrascan)** - https://github.com/accurics/terrascan
* **[terraform-compliance](https://terraform-compliance.com/)** - https://terraform-compliance.com/
* **[awesome-terraform-repo](https://github.com/shuaibiyy/awesome-terraform)** - https://github.com/shuaibiyy/awesome-terraform
---
### Thank you! :wave:
@bmbferreira
<p float="left">
<img src="https://i.imgur.com/wUljVvz.png" width="50" style="border-style: none;"/>
<img src="https://i.imgur.com/F2I04pA.png" width="50" style="border-style: none;"/>
</p>