This tool is used to validate terraform plans before they are applied. Validations are based on policies from the Config Validator Policy Library.
Note: Using Terraform Validator does not require an active installation of Forseti. Terraform Validator is a self-contained binary.
Note: this tool supports Terraform v0.12+.
To get started with Terraform Validator, please follow the user guide.
See the Auth section first.
# The example/ directory contains a basic Terraform config for testing the validator.
cd example/
# Set default credentials.
export GOOGLE_APPLICATION_CREDENTIALS=/path/to/your/credentials.json
# Set a project and org to test with.
export TF_VAR_project_id=my-project-id
export TF_VAR_org_id=93392932
# Set the local forseti-config-policies repository path.
export POLICY_PATH=/path/to/your/forseti-config-policies/repo
# Generate a terraform plan.
terraform plan --out=terraform.tfplan
# Plan JSON representation.
terraform show -json ./terraform.tfplan > ./terraform.tfplan.json
# Validate the google resources the plan would create.
terraform-validator validate --policy-path=${POLICY_PATH} ./terraform.tfplan.json
# Apply the validated plan.
terraform apply ./terraform.tfplan
The following Terraform resources are supported for running validation checks:
google_bigquery_dataset
google_compute_disk
google_compute_firewall
google_compute_instance
google_container_cluster
google_container_node_pool
google_folder_iam_binding
google_folder_iam_member
google_folder_iam_policy
google_organization_iam_binding
google_organization_iam_member
google_organization_iam_policy
google_project
google_project_iam_binding
google_project_iam_member
google_project_iam_policy
google_sql_database_instance
google_storage_bucket
google_storage_bucket_iam_binding
google_storage_bucket_iam_member
google_storage_bucket_iam_policy
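Only the resource types in that list are checked; any other resource in a plan passes through the validator unexamined. The following added example (not part of terraform-validator) reads the `terraform show -json` output from the steps above and reports which planned changes fall outside the supported list, so a pipeline can flag resources that the policy checks never saw. The plan document is a constructed sample trimmed to the fields used.

```python
import json

# Resource types terraform-validator can check, copied from the list above.
SUPPORTED_TYPES = {
    "google_bigquery_dataset", "google_compute_disk", "google_compute_firewall",
    "google_compute_instance", "google_container_cluster",
    "google_container_node_pool", "google_folder_iam_binding",
    "google_folder_iam_member", "google_folder_iam_policy",
    "google_organization_iam_binding", "google_organization_iam_member",
    "google_organization_iam_policy", "google_project",
    "google_project_iam_binding", "google_project_iam_member",
    "google_project_iam_policy", "google_sql_database_instance",
    "google_storage_bucket", "google_storage_bucket_iam_binding",
    "google_storage_bucket_iam_member", "google_storage_bucket_iam_policy",
}

# Constructed sample of `terraform show -json ./terraform.tfplan` output,
# reduced to the resource_changes fields this script reads.
SAMPLE_PLAN_JSON = json.dumps({
    "format_version": "0.1",
    "resource_changes": [
        {"address": "google_storage_bucket.logs", "type": "google_storage_bucket",
         "change": {"actions": ["create"]}},
        {"address": "google_pubsub_topic.events", "type": "google_pubsub_topic",
         "change": {"actions": ["create"]}},
        {"address": "google_compute_firewall.ssh", "type": "google_compute_firewall",
         "change": {"actions": ["no-op"]}},
        {"address": "google_kms_crypto_key.k", "type": "google_kms_crypto_key",
         "change": {"actions": ["update"]}},
    ],
})


def coverage_report(plan_json: str) -> dict:
    """Split the plan's changing resources into those terraform-validator will
    check ("covered") and those it cannot check ("uncovered")."""
    plan = json.loads(plan_json)
    covered, uncovered = [], []
    for rc in plan.get("resource_changes", []):
        actions = rc.get("change", {}).get("actions", [])
        if actions in ([], ["no-op"]):
            continue  # nothing changes, so there is nothing to validate
        target = covered if rc["type"] in SUPPORTED_TYPES else uncovered
        target.append(rc["address"])
    return {"covered": covered, "uncovered": uncovered}


if __name__ == "__main__":
    for addr in coverage_report(SAMPLE_PLAN_JSON)["uncovered"]:
        print(f"WARNING: {addr} is not checked by terraform-validator")
```

Run it against a real `./terraform.tfplan.json` by replacing the constructed sample with the file contents; a non-empty "uncovered" list means the plan contains changes that policy validation did not cover.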
To run the unit tests:
make test
First, build the Docker container:
make build-docker
See the Auth section for obtaining a credentials file, then start the Docker container:
export PROJECT_ID=my-project-id
export GOOGLE_APPLICATION_CREDENTIALS=$(pwd)/credentials.json
make run-docker
Finally, run the integration tests inside the container:
make test-integration
The terraform and the terraform-validator commands need to be able to authenticate to Google Cloud APIs. This can be done by generating a credentials.json file:
https://cloud.google.com/docs/authentication/production
Once you have a credentials file on your local machine, set the GOOGLE_APPLICATION_CREDENTIALS environment variable to point to the credentials file.
This is not an officially supported Google product.