3. We envision a world where
● Teams can safely ship infrastructure in short cycles
● Developers are empowered to make their code 10x better
● Issues with infrastructure as code are detected before they are shipped to production
Terraform automation and collaboration for growing teams
@cloudskiff
4. A Ton of Great Tools
But tonight we present only a handful of them.
5. Agenda & Key Takeaways
● Terraform is minimalist in this area.
● Basics: Validate & TFenv
● Static Analysis: TFLint, TFSec
● Check the Plan for Compliance & BDD: TF-Compliance
● Validation: InSpec
9. Basics: Using The Right Terraform Version
A TF configuration can be perfectly correct but seen as invalid if Terraform is not the right version.
Maintaining dozens of versions on CI is a pain.
11. Complex Matrix Now Enabled!
Infra Name        Terraform Version   Provider Version
dev               latest              latest
staging           0.12.25             1.2.3
uat               0.12.24             1.2.2
production        0.12.23             1.2.0
Old Customer #1   0.12.5              1.0.0
29. BDD / Cucumber Refresher
Feature: search on Google
Scenario: simple search
Given Enter search term 'CNCF'
When Do search
Then Result is shown for CNCF
30. BDD & Compliance For Terraform
Given I have AWS S3 Bucket defined
Then it must contain server_side_encryption_configuration
Against a terraform plan!
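The rule above, as an added example that is not the talk's or terraform-compliance's own code: a plain Python checker that evaluates "Given I have AWS S3 Bucket defined / Then it must contain server_side_encryption_configuration" against the `resource_changes` of a `terraform show -json` plan. The plan excerpt is constructed for the example; resources scheduled for destruction have no `after` state and are skipped rather than flagged.

```python
import json

# Constructed plan excerpt in `terraform show -json` shape (not from the talk):
# one encrypted bucket, one unencrypted bucket inside a module, one bucket
# being destroyed, and an unrelated EC2 instance.
SAMPLE_PLAN = json.dumps({
    "format_version": "0.1",
    "resource_changes": [
        {"address": "aws_s3_bucket.logs", "type": "aws_s3_bucket",
         "change": {"actions": ["create"], "after": {
             "bucket": "example-logs",
             "server_side_encryption_configuration": [{"rule": [{
                 "apply_server_side_encryption_by_default": [{"sse_algorithm": "AES256"}]}]}]}}},
        {"address": "module.app.aws_s3_bucket.assets", "type": "aws_s3_bucket",
         "change": {"actions": ["create"], "after": {
             "bucket": "example-assets", "server_side_encryption_configuration": []}}},
        {"address": "aws_s3_bucket.old", "type": "aws_s3_bucket",
         "change": {"actions": ["delete"], "after": None}},
        {"address": "aws_instance.web", "type": "aws_instance",
         "change": {"actions": ["create"], "after": {"tags": {"Name": "web"}}}},
    ],
})


def resources_defined(plan, resource_type):
    """'Given I have <type> defined': yield (address, after-state) for planned
    resources of that type that will still exist after apply."""
    for rc in plan.get("resource_changes", []):
        if rc["type"] != resource_type:
            continue
        if "delete" in rc["change"]["actions"] and rc["change"]["after"] is None:
            continue  # destroyed resource: nothing to check
        yield rc["address"], rc["change"]["after"]


def must_contain(plan, resource_type, attribute):
    """'Then it must contain <attribute>': return addresses violating the rule.
    A missing key, None, or an empty nested-block list all count as absent."""
    return [address for address, after in resources_defined(plan, resource_type)
            if after.get(attribute) in (None, [], {})]


def check_s3_encryption(plan_json):
    """Apply the S3 encryption rule from the slide to a JSON plan string."""
    plan = json.loads(plan_json)
    return must_contain(plan, "aws_s3_bucket", "server_side_encryption_configuration")


if __name__ == "__main__":
    for address in check_s3_encryption(SAMPLE_PLAN):
        print(f"FAIL {address}: missing server_side_encryption_configuration")
```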
38. InSpec
Goal:
● A Security Group
○ In a VPC
○ With a specific name
● Simple EC2 instance
○ With a dynamic name
○ Inside the above security group
○ Tagged properly
● …
The related Terraform code
● went through all the linters and checks in the PR
● has now been merged, or is pending verification in a sandboxed environment or staging
● Another team (i.e. security) wants to check it against reality.
39. InSpec
Filled with variables, references, constructions and data sources, a lot can unexpectedly go right … but the wrong way!