You want to automate Terraform plan analysis in CI/CD, offsetting some of the manual toil associated with plan assessment. Tools like OPA offer policy-as-code solutions, but your team prefers to write Go.
Usually, terratest is leveraged as a tool for authoring Terraform end-to-end tests that make post-terraform apply assertions on the correctness of the resulting infrastructure. terratest can also be used to programmatically analyze Terraform plan output, effectively offering a Go-based alternative to OPA and similar policy-as-code tools.
Use case examples
fail pull request CI if a Terraform change introduces a destructive action against a production-critical resource
verify the correctness of the planned DNS record modifications during a Terraform-orchestrated DNS-based blue/green deployment
ensure an ECR repository marked for destruction does not house OCI images used by active ECR task definitions
“shift left” on detecting problematic PagerDuty Terraform edits, as some terraform-provider-pagerduty errors don’t reveal themselves at plan time; they only occur during an attempt to apply. For example:
Error: DELETE API call to https://api.pagerduty.com/users/12345 failed 400 Bad Request. Code: 0, Errors: [The user cannot be deleted as they have 1 incident. Please resolve the following incident to continue.], Message:
In such instances, a terratest test of the Terraform plan produced by a pull request CI build can use the PagerDuty API to evaluate whether a user-to-be-deleted is assigned open incidents, in advance of merging the pull request and applying the plan.
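An added worked example of the first use case above (this is illustration code, not code from the original post or from the terratest-tf-plan-demo project): it decodes the resource_changes section of terraform show -json output and returns the addresses of production-critical resources that the plan would delete or replace. The sample plan JSON, the IsProductionCritical predicate (a tag Environment=production on the current state, or a hard-coded list of resource types) and all resource names are constructed assumptions. In a real pipeline, terratest's terraform.InitAndPlanAndShowWithStruct returns the same resource change data as a struct, so the policy function below would consume that instead of raw JSON.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
)

// Subset of the `terraform show -json` plan schema that this check needs.
// Fields not declared here are ignored by encoding/json.
type Plan struct {
	ResourceChanges []ResourceChange `json:"resource_changes"`
}

type ResourceChange struct {
	Address string `json:"address"`
	Type    string `json:"type"`
	Change  Change `json:"change"`
}

type Change struct {
	// Terraform emits "no-op", "create", "read", "update", "delete";
	// a replacement appears as ["delete","create"] or ["create","delete"].
	Actions []string               `json:"actions"`
	Before  map[string]interface{} `json:"before"` // current state, null on create
}

// IsDestructive reports whether the planned actions destroy the existing
// object: a plain delete or a replace both contain "delete".
func (c Change) IsDestructive() bool {
	for _, a := range c.Actions {
		if a == "delete" {
			return true
		}
	}
	return false
}

// IsProductionCritical is the policy predicate. Assumption for this example:
// a resource is critical when its type is on a hard-coded list, or when the
// state being destroyed (change.before) carries the tag Environment=production.
func IsProductionCritical(rc ResourceChange) bool {
	criticalTypes := map[string]bool{"aws_db_instance": true, "aws_route53_zone": true}
	if criticalTypes[rc.Type] {
		return true
	}
	// Type assertions on a nil map or a missing key yield zero values, so a
	// resource being created (before == null) is simply not critical by tag.
	tags, _ := rc.Change.Before["tags"].(map[string]interface{})
	env, _ := tags["Environment"].(string)
	return env == "production"
}

// DestructiveCriticalChanges parses plan JSON and returns, sorted, the
// addresses of resources that are both destructively changed and critical.
func DestructiveCriticalChanges(planJSON []byte, critical func(ResourceChange) bool) ([]string, error) {
	var plan Plan
	if err := json.Unmarshal(planJSON, &plan); err != nil {
		return nil, fmt.Errorf("decode plan: %w", err)
	}
	var hits []string
	for _, rc := range plan.ResourceChanges {
		if rc.Change.IsDestructive() && critical(rc) {
			hits = append(hits, rc.Address)
		}
	}
	sort.Strings(hits)
	return hits, nil
}

// SamplePlan is constructed plan output for demonstration, not a real plan.
const SamplePlan = `{
  "resource_changes": [
    {"address": "aws_db_instance.main", "type": "aws_db_instance",
     "change": {"actions": ["delete", "create"], "before": {"tags": {"Environment": "production"}}}},
    {"address": "aws_s3_bucket.logs", "type": "aws_s3_bucket",
     "change": {"actions": ["delete"], "before": {"tags": {"Environment": "production"}}}},
    {"address": "aws_s3_bucket.scratch", "type": "aws_s3_bucket",
     "change": {"actions": ["delete"], "before": {"tags": {"Environment": "dev"}}}},
    {"address": "aws_iam_role.deploy", "type": "aws_iam_role",
     "change": {"actions": ["update"], "before": {"tags": {"Environment": "production"}}}},
    {"address": "aws_s3_bucket.new", "type": "aws_s3_bucket",
     "change": {"actions": ["create"], "before": null}}
  ]
}`

func main() {
	hits, err := DestructiveCriticalChanges([]byte(SamplePlan), IsProductionCritical)
	if err != nil {
		panic(err)
	}
	// In a terratest-style test this is where t.Fatalf would fail the PR build.
	if len(hits) > 0 {
		fmt.Printf("plan destroys production-critical resources: %v\n", hits)
	}
}
```

Note that a replacement (forced by an immutable attribute change) is reported as a delete plus a create, so filtering only on the single action "delete" would miss it; matching on the presence of "delete" anywhere in the action list catches both. In CI the test simply fails when the returned slice is non-empty, which blocks the pull request before anything is applied.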
terratest-tf-plan-demo offers an example of how terratest could be integrated with a CI/CD pipeline. Its README.md offers a detailed explanation of its GitHub Actions CI/CD pipeline, as well as instructions for running the tests locally.
Alternatively, OPA may satisfy your needs. Terraform Plan Validation With Open Policy Agent offers more on OPA.