Terraform Weekly – Black Lives Matter (#10)
Black Lives Matter. This should not be a controversial statement, but in America it is and I make it with no reservations.
There are two new-ish features in Sentinel which are useful for those who use Terraform Cloud or Enterprise.
First, Sentinel Modules enable reusing Sentinel policies, helper code and imports. Up until this point sharing was done via the super-rigorous copy-and-paste method. This is a generic Sentinel feature that is useful not just for Terraform, but for all services that Sentinel supports.
Here's the thing: policy code is code, and as software developers we should be able to apply our experience to increasing its quality. I don't know how you do that without being able to reuse code, make it modular and write tests. Sentinel has had testing facilities for a while, and now there is modularity.
Second are the Terraform Sentinel v2 imports. One of the patterns most in need of code reuse is importing data into Sentinel. The v2 imports for Terraform Sentinel are a dramatic improvement over the previous ones.
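To make the two features concrete, here is an added example of a Sentinel module and a policy that imports it; this is illustration code written for this issue, not code from the post or from HashiCorp. The file layout, the module name tfplan-functions, the helper functions find_resources and scan_on_push_enabled, and the choice of check (every aws_ecr_repository being created or updated must have image scanning on push enabled) are all assumptions made for the example. It uses the tfplan/v2 import, whose resource_changes collection is keyed by resource address and carries the planned values under change.after.

```sentinel
# --- sentinel.hcl (assumed layout for this example) ---
# Declares the reusable module and the policy that imports it.
module "tfplan-functions" {
  source = "./tfplan-functions.sentinel"
}

policy "ecr-scan-on-push" {
  source            = "./ecr-scan-on-push.sentinel"
  enforcement_level = "hard-mandatory"
}

# --- tfplan-functions.sentinel (the module; all names are assumptions) ---
import "tfplan/v2" as tfplan

# All managed resources of the given type that the plan will create or update.
# resource_changes is the v2 collection, keyed by resource address.
find_resources = func(type) {
  return filter tfplan.resource_changes as address, rc {
    rc.type is type and
    rc.mode is "managed" and
    (rc.change.actions contains "create" or rc.change.actions contains "update")
  }
}

# True only when the planned configuration enables image scanning on push.
# `else` substitutes a default when the nested block is absent, so a missing
# image_scanning_configuration is reported as a violation, not a runtime error.
scan_on_push_enabled = func(rc) {
  config = rc.change.after.image_scanning_configuration else []
  if length(config) is 0 {
    return false
  }
  return config[0].scan_on_push is true
}

# --- ecr-scan-on-push.sentinel (the policy) ---
import "tfplan-functions" as plan

violators = filter plan.find_resources("aws_ecr_repository") as address, rc {
  not plan.scan_on_push_enabled(rc)
}

# Print offending addresses to the run log before returning the verdict.
for violators as address, rc {
  print("ECR repository", address, "does not enable scan_on_push")
}

main = rule { length(violators) is 0 }
```

The point of the module is that find_resources is written once and can back any number of policies (an encryption check on aws_kinesis_stream, for instance) without another copy-and-paste, and each policy can be exercised with Sentinel's test command against a mocked tfplan/v2 plan rather than a live run.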
If you have been using Terraform for a while you have probably stumbled upon the terraform graph command. This will walk all the resources in your current workspace, build a dependency graph and write it to a file in Graphviz's standard DOT notation. You can then use a variety of tools, like Graphviz, to visualize it. There are probably alternatives that I don't know about, but Graphviz is state-of-the-art early 2000s technology.
blast-radius takes the same data and uses modern tools to visualize and enable exploration. A great improvement.
Notable Releases
A bug-fix-heavy release for this round. I don't really have a summary for this one and don't think it is valuable to copy and paste the whole release notes in here, so click through if you use this plugin.
As mentioned last week, there is a new Kubernetes provider in development. A very-alpha v0.1.0 is available if you would like to take it for a spin.
A nice release for Atlantis:
support for running plans and applies in parallel, but only for multiple workspaces in the same directory #926
support for graceful shutdown (wait for current operations to finish) and a /stats endpoint #1051
support for GitHub draft PRs #1053
preservation of the original GitHub commit message #1049
This release adds two new rules:
AWS023: ensures that ECR repository image scans are enabled. More about ECR scanning in the AWS docs.
AWS024: ensures that Kinesis streams are encrypted
This release adds several features which make the tool a bit easier to work with:
Support for JUnit output. JUnit defines a standard XML-based format for test results, and tfsec can now output its results in that format.
Fix: prevent infinite traversal when using local modules. Previously a circular dependency between modules could lead to an infinite loop.
Global exclude flag. This adds an option to exclude certain checks across your whole codebase. As far as I can tell, there was no way to skip checks before this.
--soft-fail flag: there is now a flag that makes the tool exit with status 0 even when checks fail, so a CI job can report findings without blocking.