A strict execution pipeline with Terraform
Combining policies, checksums, and analysis to Terraform deployments
Table Of Contents
Today I Explained
Terraform support the concept of the “plan”, a preview of the speculative actions that Terraform will take to modify your infrastructure. This is used in most Terraform implementations, performing a plan that will be reviewed before being executed by an apply.
If you expand upon this foundation, you can think beyond just the execution of the Terraform, but each of the pieces that are in play when working with Terraform. For a plan & apply, you can have:
- Terraform HCL code
- Dependencies of the terraform code, available within
.terraform
- Measures to make attestations on the HCL & dependencies
- Measures to ensure the Terraform behaves
- Remote state of the terraform
- Any existing outputs from the Terraform
- The Plan, a speculative set of actions that will be taken by Terraform in the apply stage
- Measures to ensure the plan is within expectations
- The Apply, which sees the actions of the plan invoked
- Outputs from the applied Terraform
- Measures on the resultant state of the Terraform
Or instead of phrased as a list of opportunities, this can be described as a pipeline of actions that a Pipeline might take deploying a resource.
- Artifact Check
- Confirming that a bundle of HCL code is accessible, retrievable, and matches with signed checksums
- Analysis
- Executing an invocation of static analysis tooling, to ensure that the artifacts do not fail certain policies, such as those available within
tfsec
, or conftest supported rego policies
- Executing an invocation of static analysis tooling, to ensure that the artifacts do not fail certain policies, such as those available within
- Remote State
- The retrieval of limited access tokens for working with the remote state storage for this Terraform stack
- Capabilities
- Enabling the providers within the Terraform, by making available credentials or authentication mechanisms
- Plan
- Executing Terraform to generate the plan of actions
- Analysis
- Reviewing the proposed set of actions, interrogating it using rego policies
- Persist
- Publishing the results of the proposed actions & inspection efforts to a storage solution
- Approval
- A gated approval for operator review, if appropriate or deemed necessary by the policy interrogation
- Apply
- Executing the published plan, making use of the credentials & authentication mechanisms make available by the Capabilities step
- Inventory
- Collecting the results emitted by the Terraform, making it available to other services
- Verification
- Performing a series of post-deployment verification on the outputs & services operating within the infrastructure