CI Pipelines for Terraform
EPAM Delivery Platform provides Terraform support through a separate codebase type called Infrastructure. The Infrastructure codebase type allows working with Terraform code that is processed by dedicated stages in the Code Review and Build pipelines.
Pipeline Stages for Terraform
Under the hood, the Infrastructure codebase type (namely Terraform) looks quite similar to the other codebase types. Its distinguishing characteristic is a stage called terraform-check that is present in both the Code Review and Build pipelines. This stage runs the pre-commit hooks, which in turn run the following commands and tools:
- Terraform fmt - the first step of the stage is the terraform fmt command. It automatically rewrites the Terraform configuration files to the standard formatting conventions, making the code more readable and consistent.
- Lock provider versions - locks the versions of the Terraform providers used in the project. This ensures that the project uses specific provider versions and prevents a newer provider release from unexpectedly changing the infrastructure.
- Terraform validate - checks the syntax and validity of the Terraform configuration files, reporting syntax errors and internally inconsistent configuration.
- Terraform docs - generates human-readable documentation for the Terraform project.
- Tflint - an additional validation step using the tflint linter, which provides more in-depth checks on top of what the terraform validate command does.
- Checkov - runs the checkov command against the Terraform codebase to identify security misconfigurations and compliance issues.
- Tfsec - another security-focused validation step using the tfsec command. Tfsec is a security scanner for Terraform templates that detects potential security issues and insecure configurations in the Terraform code.
Note
The commands and their arguments are defined in the .pre-commit-config.yaml file.
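As an added example that is not taken from the EDP documentation, the following .pre-commit-config.yaml wires up the seven checks above in the order the stage runs them. It assumes the community pre-commit-terraform hook repository (antonbabenko/pre-commit-terraform); that repository, the pinned rev and the hook arguments are assumptions, not EDP's actual configuration.

```yaml
# Added example .pre-commit-config.yaml (assumption: the community
# antonbabenko/pre-commit-terraform hooks; EDP's real file may differ).
# Hooks run top to bottom; the first failing hook fails the terraform-check stage.
repos:
  - repo: https://github.com/antonbabenko/pre-commit-terraform
    rev: v1.83.5   # pin to a released tag; bump it deliberately, never use a branch name
    hooks:
      # 1. Normalise formatting so reviews show only semantic changes
      - id: terraform_fmt
      # 2. Record provider hashes in .terraform.lock.hcl for every platform that
      #    runs terraform (CI runners and engineer laptops), so a newer provider
      #    release cannot slip in unreviewed
      - id: terraform_providers_lock
        args:
          - --args=-platform=linux_amd64
          - --args=-platform=darwin_arm64
      # 3. Syntax and internal-consistency check; needs no cloud credentials
      - id: terraform_validate
        args:
          - --hook-config=--retry-once-with-cleanup=true
      # 4. Regenerate the inputs/outputs tables in README.md from the code
      - id: terraform_docs
        args:
          - --hook-config=--path-to-file=README.md
          - --hook-config=--add-to-existing-file=true
      # 5. Deeper linting: deprecated syntax, unused declarations, provider rules
      - id: terraform_tflint
      # 6. Policy and compliance scan; findings are hard failures, not warnings
      - id: terraform_checkov
        args:
          - --args=--quiet
      # 7. Security scan of the configuration; fail on medium severity and above
      - id: terraform_tfsec
        args:
          - --args=--minimum-severity=MEDIUM
```

Running pre-commit run --all-files locally gives the same verdict the terraform-check stage will produce, so misconfigurations are caught before the Code Review pipeline sees them.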