- Docker
- Terraform
- Follow these steps to set up the Google Terraform provider on GCP, but don't run `terraform apply`.

Generate the plan file.

```shell
terraform plan -out=tfplan.binary
```

Convert it to JSON.

```shell
terraform show -json tfplan.binary > tfplan.json
```

Run OPA against the rule set in `rules`.

```shell
docker run -v $PWD:/example openpolicyagent/opa eval --fail-defined --format pretty --data example/rules --input example/tfplan.json "data.terraform.validation.rules"
```
This returns a JSON response listing every rule violation, grouped by resource type:

```json
{
  "pubsub": {
    "must_have_name_less_than_20_characters": [
      "tf-topic-too-long-0123456789"
    ],
    "valid": false
  },
  "storage": {
    "must_be_in_eu": [
      "bucket-not-in-eu"
    ],
    "must_have_name_less_than_63_characters": [
      "bucket-name-too-long-012345678901234567890123456789012345678901234567890"
    ],
    "must_have_team_label": [
      "bucket-missing-team-label"
    ],
    "valid": false
  }
}
```
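To see which parts of `tfplan.json` the rules act on, here is an added stand-alone re-implementation of the four checks implied by the output above. It is example code, not the repository's Rego rules: it reads the `resource_changes[].change.after` section of `terraform show -json` output, considers only resources the plan creates or updates, and reports violations in the same layout as the OPA result. The sample plan, the "less than N characters" comparison, and the definition of "in the EU" (the `EU` multi-region or any `europe-*` region) are assumptions.

```python
"""Re-implementation of the checks shown in the OPA output (added example, not the repo's rules)."""
import json
import sys

# Constructed sample of `terraform show -json tfplan.binary` output, trimmed to the
# fields the checks read. Resource names match the violations shown in the README.
SAMPLE_PLAN = {
    "format_version": "1.0",
    "resource_changes": [
        {"address": "google_pubsub_topic.too_long", "type": "google_pubsub_topic",
         "change": {"actions": ["create"],
                    "after": {"name": "tf-topic-too-long-0123456789"}}},
        {"address": "google_pubsub_topic.ok", "type": "google_pubsub_topic",
         "change": {"actions": ["create"], "after": {"name": "tf-topic-ok"}}},
        {"address": "google_storage_bucket.us", "type": "google_storage_bucket",
         "change": {"actions": ["create"],
                    "after": {"name": "bucket-not-in-eu", "location": "US",
                              "labels": {"team": "platform"}}}},
        {"address": "google_storage_bucket.long", "type": "google_storage_bucket",
         "change": {"actions": ["update"],
                    "after": {"name": "bucket-name-too-long-"
                                      "012345678901234567890123456789012345678901234567890",
                              "location": "EU", "labels": {"team": "platform"}}}},
        {"address": "google_storage_bucket.unlabelled", "type": "google_storage_bucket",
         "change": {"actions": ["create"],
                    "after": {"name": "bucket-missing-team-label",
                              "location": "europe-west1", "labels": {}}}},
        # A deleted resource has no "after" state and is not checked.
        {"address": "google_storage_bucket.old", "type": "google_storage_bucket",
         "change": {"actions": ["delete"], "before": {"name": "old"}, "after": None}},
    ],
}


def planned_after(plan, resource_type):
    """Yield post-apply attributes of resources of one type that the plan creates or updates."""
    for rc in plan.get("resource_changes", []):
        if rc.get("type") != resource_type:
            continue
        change = rc.get("change", {})
        if {"create", "update"} & set(change.get("actions", [])) and change.get("after"):
            yield change["after"]


def in_eu(location):
    """EU multi-region or any europe-* region counts as EU (assumption; dual-region
    codes would need adding if used)."""
    loc = (location or "").upper()
    return loc == "EU" or loc.startswith("EUROPE-")


def check_pubsub(plan):
    """Topic names must be shorter than 20 characters."""
    too_long = [t["name"] for t in planned_after(plan, "google_pubsub_topic")
                if len(t["name"]) >= 20]
    result = {}
    if too_long:
        result["must_have_name_less_than_20_characters"] = too_long
    result["valid"] = not too_long
    return result


def check_storage(plan):
    """Buckets must be in the EU, have a name shorter than 63 characters, and carry a team label."""
    buckets = list(planned_after(plan, "google_storage_bucket"))
    violations = {
        "must_be_in_eu": [b["name"] for b in buckets if not in_eu(b.get("location"))],
        "must_have_name_less_than_63_characters": [b["name"] for b in buckets
                                                  if len(b["name"]) >= 63],
        "must_have_team_label": [b["name"] for b in buckets
                                 if "team" not in (b.get("labels") or {})],
    }
    # Only failing rules appear, mirroring the shape of the OPA output.
    result = {rule: names for rule, names in violations.items() if names}
    result["valid"] = not result
    return result


def validate(plan):
    """Run every rule set; returns the same object layout OPA prints for the query."""
    return {"pubsub": check_pubsub(plan), "storage": check_storage(plan)}


def all_valid(report):
    return all(section["valid"] for section in report.values())


if __name__ == "__main__":
    # Usage: python validate_plan.py tfplan.json   (no argument: run on the sample plan)
    plan = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_PLAN
    report = validate(plan)
    print(json.dumps(report, indent=2))
    sys.exit(0 if all_valid(report) else 1)  # non-zero exit on violations, as with --fail-defined
```

Running it without arguments prints the same two sections as the README output and exits non-zero, which is the behaviour a CI step needs to block a merge; pointing it at a real `tfplan.json` exercises the same `resource_changes` structure the Rego rules read.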
Enable Cloud Build.

```shell
gcloud services enable cloudbuild.googleapis.com
```

Submit a build. The results are printed in the terminal and can also be viewed in the Cloud Console.

```shell
gcloud builds submit .
```