conftest VS terratest

name: tf-plan-apply on: pull_request: branches: [ main ] env: TF_VERSION: 1.0.0 CONFTEST_VERSION: 0.28.3 WORKING_DIR: ./ jobs: terraform: name: aws-eureka-pairs-etc-s3 runs-on: ubuntu-latest steps: - name: Checkout uses: actions/checkout@v2 - name: Install conftest run: | wget -O - 'https://github.com/open-policy-agent/conftest/releases/download/v${{ env.CONFTEST_VERSION }}/conftest_${{ env.CONFTEST_VERSION }}_Linux_x86_64.tar.gz' | tar zxvf - ./conftest --version //❶ - name: Setup Terraform uses: hashicorp/setup-terraform@v1 with: terraform_wrapper: false //❷ terraform_version: ${{ env.TF_VERSION }} cli_config_credentials_token: ${{ secrets.YOUR_CRED_NAME}} - name: Terraform Init ${{ env.WORKING_DIR }} working-directory: ${{ env.WORKING_DIR }} run: terraform init - name: Terraform Plan ${{ env.WORKING_DIR }} if: github.event_name == 'pull_request' env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} working-directory: ${{ env.WORKING_DIR }} id: plan run: terraform plan -out=tfplan -no-color -lock=false -parallelism=50 - name: Convert terraform plan result to json formmat if: github.event_name == 'pull_request' id: convert working-directory: ${{ env.WORKING_DIR }} run: terraform show -json tfplan > tfplan.json - name: conftest test if: github.event_name == 'pull_request' id: conftest run: ./conftest test --no-color ${{ env.WORKING_DIR }}/tfplan.json //❸

Workload configuration should be audited regularly (Kics, Kubeaudit, Kubescape, Conftest, Kubesec, Checkov)

Insert Conftest! As they state in their GitHub description, Conftest tests against structured configuration data using the Open Policy Agent Rego query language. In the case of Terraform, this means we're actually running unit tests against sample JSON and actual tests against the Terraform state JSON.

If you like terraform-compliance, Conftest might also be worth having a look. It has its own DSL to write policies, and allows you to test multiple frameworks. We found this blog post from Lennard Eijsackers very informative, and would thus rather recommend you to check it out.

Can Gatekeeper and Conftest single-source the same set of rules? I'm looking at https://github.com/open-policy-agent/conftest/issues/54#issuecomment-528988831 and not seeing how.

Terratest is a Go library that provides tools and patterns for testing infrastructure, with first-class support for Terraform, Packer, Docker, Kubernetes, and more. It's used to write automated tests for your infrastructure code.

Found this, https://terratest.gruntwork.io/

I think I found it. This is the one right? https://github.com/gruntwork-io/terratest/

What it does in parallel is basically init/plan/show using terratest on every subdirectory on your repository tree or provided paths. The output is either a JSON summary or a custom made Junit XML test file you can ingest into your tests reader. It took it around 8 minutes to map the entirety of our bloated repository.

Once there is a CI pipeline for delivering infra changes you can add static code analysis tools (checkov) and even start testing changes (terratest)

https://github.com/gruntwork-io/terratest/blob/master/test/azure/terraform_azure_example_test.go https://github.com/gruntwork-io/terratest/blob/master/examples/terraform-backend-example/main.tf

Terratest: Framework de testes para Terraform, os testes devem ser escritos em Golang.

Terratest can be used to test infrastructure in real-time.