TerraForce

Advanced Policy Enforcement for Terraform - Secure your infrastructure as code with comprehensive policy checks throughout the Terraform lifecycle

Features

Lifecycle Coverage

Complete policy enforcement across pre-plan, pre-apply, post-apply, and pre-destroy stages

Flexible Policies

Define policies using intuitive YAML format with powerful Go template expressions

Deep Validation

Comprehensive checks for resource configurations, security settings, and compliance requirements

CI/CD Ready

Seamless integration with GitHub Actions, GitLab CI, Jenkins, and other CI/CD platforms

Downloads

Choose the right version for your platform

Linux Binaries

macOS Binaries

Docker Images

Usage

% terraforce
 _____                   _____
|_   _|__ _ __ _ __ __ _|  ___|__  _ __ ___ ___
  | |/ _ \ '__| '__/ _` | |_ / _ \| '__/ __/ _ \
  | |  __/ |  | | | (_| |  _| (_) | | | (_|  __/
  |_|\___|_|  |_|  \__,_|_|  \___/|_|  \___\___|

Policy Enforcement for Terraform
----------------------------------------------
Author: Henry Bravo | terraforce@henrybravo.nl
Version: 1.0.0 2025-01

Usage:
terraforce [command] [flags]

Available Commands:
pre-plan         Run pre-plan policy checks
pre-apply        Run pre-apply policy checks
post-apply       Run post-apply policy checks
pre-destroy      Run pre-destroy policy checks
lint             Lint policy file for potential issues
check-expiration Check when the build expires
completion       generate the autocompletion script for the specified shell

Flags:
-d, --debug     Enable debug mode
-h, --help      help for terraforce
-v, --version   Print version information

Use "terraforce [command] --help" for more information about a command.

Example Policy File

pre_plan:
  - name: "Required Tags"
    description: "Ensure all resources have required tags"
    condition: |
      {{- $valid := true -}}
      {{- range $name, $resource := .resource -}}
        {{- if not (index $resource "tags") -}}
          {{- $valid = false -}}
        {{- end -}}
      {{- end -}}
      {{- $valid -}}
    deny_message: "All resources must have tags defined."

  - name: "Allowed Instance Types"
    description: "Restrict EC2 instance types"
    condition: |
      {{- $allowed := list "t3.micro" "t3.small" "t3.medium" -}}
      {{- $valid := true -}}
      {{- range $name, $instance := .resource -}}
        {{- if eq $instance.type "aws_instance" -}}
          {{- if not (contains $allowed $instance.instance_type) -}}
            {{- $valid = false -}}
          {{- end -}}
        {{- end -}}
      {{- end -}}
      {{- $valid -}}
    deny_message: "Only approved instance types are allowed."
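To make concrete how a Go-template condition such as the one above turns resource data into an allow/deny verdict, here is a small evaluator. It is an added example for this page, not TerraForce's code: the `list` and `contains` helpers, and the shape of the data under `.resource` (one entry per resource carrying its `type` and attributes), are assumptions inferred from the policy's own field accesses, and the sample resources are constructed.

```go
package main

import (
	"bytes"
	"fmt"
	"slices"
	"strings"
	"text/template"
)

// Resources is the data a condition sees under .resource (shape assumed from the page's policies).
type Resources map[string]map[string]any

// Assumed stand-ins for the two non-builtin helpers the page's policies call.
var funcs = template.FuncMap{
	"list":     func(items ...any) []any { return items },
	"contains": func(l []any, v any) bool { return slices.Contains(l, v) },
}

// EvaluateCondition renders a condition and reads the trimmed output as the verdict;
// anything other than "true"/"false" is an error, never a silent pass.
func EvaluateCondition(condition string, res Resources) (bool, error) {
	tmpl, err := template.New("cond").Funcs(funcs).Parse(condition)
	if err != nil {
		return false, fmt.Errorf("parse: %w", err)
	}
	var out bytes.Buffer
	if err := tmpl.Execute(&out, map[string]any{"resource": res}); err != nil {
		return false, fmt.Errorf("execute: %w", err)
	}
	verdict := strings.TrimSpace(out.String())
	if verdict != "true" && verdict != "false" {
		return false, fmt.Errorf("condition rendered %q, want true or false", verdict)
	}
	return verdict == "true", nil
}

// AllowedInstanceTypes is the page's second policy condition, whitespace compacted.
const AllowedInstanceTypes = `{{- $allowed := list "t3.micro" "t3.small" "t3.medium" -}}
{{- $valid := true -}}{{- range $name, $instance := .resource -}}
{{- if eq $instance.type "aws_instance" -}}{{- if not (contains $allowed $instance.instance_type) -}}
{{- $valid = false -}}{{- end -}}{{- end -}}{{- end -}}{{- $valid -}}`

func main() {
	// Constructed sample: one approved instance and one oversized one.
	sample := Resources{
		"aws_instance.web": {"type": "aws_instance", "instance_type": "t3.small"},
		"aws_instance.db":  {"type": "aws_instance", "instance_type": "m5.4xlarge"},
	}
	fmt.Println(EvaluateCondition(AllowedInstanceTypes, sample)) // false <nil>
}
```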

Pre-Plan Stage Usage

The pre-plan stage validates your Terraform configuration before planning. You will need the hcl2json converter. Follow these steps:

# Step 1: Convert your Terraform HCL to JSON format
# Download hcl2json converter from: https://hcl2json.henrybravo.nl

% hcl2json /path/to/terraform/main.tf

# Step 2: Run TerraForce pre-plan validation
# This validates your configuration against defined policies

% terraforce pre-plan /path/to/policies/pre_plan-policy.yml main.tf.json

# Example output:
# ✓ Required Tags policy check passed
# ✓ Allowed Instance Types policy check passed
# Pre-plan validation successful

Pre-Apply Stage Usage

The pre-apply stage validates your Terraform plan before applying changes. Follow these steps:

# Step 1: Create and save Terraform plan
% terraform init
% terraform plan -out=tfplan

# Step 2: Convert plan to JSON format
% terraform show -json tfplan > tfplan.json

# Step 3: Run TerraForce pre-apply validation
% terraforce pre-apply /path/to/policies/pre_apply-policy.yml tfplan.json

# Example output:
# ✓ Production Security Standards check passed
# ✓ Resource Naming Convention check passed
# Pre-apply validation successful

CI/CD Integration

Integrate TerraForce into your CI/CD pipeline to automate policy checks. Here's an example GitHub Actions workflow:

# File: .github/workflows/terraform-policy.yml
name: Terraform Policy Check
on: [push, pull_request]

jobs:
  policy-check:
    runs-on: ubuntu-latest
    steps:
      # Checkout repository
      - uses: actions/checkout@v2

      # Setup Terraform
      - name: Setup Terraform
        uses: hashicorp/setup-terraform@v3

      # Setup TerraForce (and hcl2json, which the pre-plan stage needs).
      # These archives are the arm64 builds: use the build that matches your
      # runner's architecture, pin the version, and verify the archive before
      # trusting it in a pipeline.
      - name: Setup TerraForce
        run: |
          # Download hcl2json binary
          wget https://hcl2json-builds-henrybravo-nl.s3.eu-west-1.amazonaws.com/hcl2json-1.0.0-arm64-linux.zip

          # Unpack and install hcl2json onto the PATH
          unzip -p hcl2json-1.0.0-arm64-linux.zip | sudo tee /usr/local/bin/hcl2json > /dev/null
          sudo chmod +x /usr/local/bin/hcl2json

          # Download TerraForce binary
          wget https://terraforce-builds-henrybravo-nl.s3.eu-west-1.amazonaws.com/linux/arm64/terraforce-1.0.0-arm64-linux.zip

          # Unpack and install TerraForce onto the PATH
          unzip -p terraforce-1.0.0-arm64-linux.zip | sudo tee /usr/local/bin/terraforce > /dev/null
          sudo chmod +x /usr/local/bin/terraforce

      # Initialize Terraform
      - name: Terraform Init
        run: terraform init

      # Create and convert Terraform plan
      - name: Create Terraform Plan
        run: |
          terraform plan -out=tfplan
          terraform show -json tfplan > tfplan.json

      # Run TerraForce validations
      - name: Run Policy Checks
        run: |
          # Convert the configuration file to JSON
          hcl2json /path/to/terraform/main.tf

          # Run pre-plan validation
          terraforce pre-plan policies/pre-plan.yml main.tf.json

          # Run pre-apply validation
          terraforce pre-apply policies/pre-apply.yml tfplan.json

Changelog

Version 1.0.0

First Stable Release

  • Complete policy evaluation engine with enhanced performance:
    • Go template-based condition evaluation
    • Custom function library for policy rules
    • Structured violation reporting
    • Context-aware error messages
  • Full lifecycle stage support:
    • pre-plan: Validate configuration before planning
    • pre-apply: Verify planned changes before applying
    • post-apply: Confirm applied changes meet policies
    • pre-destroy: Check destruction compliance
  • Comprehensive template function library:
    • List operations: create, append, length, index
    • Map operations: dict creation, keys, values
    • Collection handling: length, indexing, iteration
    • Type conversion and comparison functions
  • Policy exemptions support:
    • YAML-based exemption configuration
    • Wildcard resource pattern matching (e.g., aws_instance.*)
    • Time-based expiration tracking
    • Fields: approver, reason, ticket reference
    • CLI commands for exemption management
  • Advanced policy linting:
    • Recursive directory scanning for policy files
    • Support for YAML and HCL formats
    • Syntax validation and structure verification
    • Detailed error reporting with line numbers
    • Batch processing capabilities
  • Enhanced documentation:
    • Comprehensive function reference
    • Policy writing guidelines
    • Real-world examples and patterns
    • Integration guides for CI/CD pipelines
  • Developer features:
    • Improved error handling with stack traces
    • Debug mode for detailed logging
    • Test helpers for policy validation
    • Extensible interface for custom functions

Version 0.9.0-beta

Beta Release

  • Core policy evaluation engine implementation
  • Basic lifecycle stage support
  • Initial template function library
  • Command-line interface development
  • Basic documentation and examples

Roadmap

Future Releases

  • Advanced policy templating with custom functions
  • Integration with cloud provider policy frameworks
  • Real-time policy evaluation and monitoring
  • Policy testing and validation framework
  • Enhanced reporting and analytics dashboard
  • Support for custom resource providers
  • Policy sharing and community features
  • Advanced compliance reporting capabilities

Disclaimer

This notice is to clarify the relationship between TerraForce, developed by Henry Bravo, and HashiCorp (https://www.hashicorp.com).

Independence Statement

Key Points

Trademark Notice

HashiCorp and Terraform are registered trademarks of HashiCorp, Inc. The use of these terms in this notice does not imply any endorsement or affiliation.

Contact Information

For any inquiries, support requests, or feedback regarding TerraForce, please contact Henry directly: