
padok-team/guacamole


Guacamole 🥑

A CLI tool that runs opinionated quality checks on your IaC codebase.

Check the IaC guild guidelines for more information on the quality checks.

Install

With Homebrew

ℹ️ If you use Linux, you can install Linuxbrew

brew tap padok-team/tap
brew install guacamole

From GitHub

Prerequisites:

  • Golang
  • Terraform
  • Terragrunt

One-liner installer (in /tmp):

DIR=$(pwd) && cd /tmp && git clone git@github.com:padok-team/guacamole.git && cd guacamole && go build && alias guacamole=/tmp/guacamole/guacamole && cd "$DIR"

For a more permanent installation, just move the /tmp/guacamole/guacamole binary into a directory present in your $PATH.

Usage

Three modes currently exist:

  • Static mode: runs quality checks on the codebase without running Terraform / Terragrunt commands

    guacamole static -p /path/to/your/codebase
    • By default, it runs both module and layer checks
    • To run only the layer checks, use guacamole static layer
    • To run only the module checks, use guacamole static module
  • [EXPERIMENTAL] State mode: runs quality checks based on your layers' state

    We recommend using this command after checking that your codebase has been initialized properly.

    guacamole state -p /path/to/your/codebase
  • [EXPERIMENTAL] Profile mode: creates a detailed report of the contents of your codebase

    We recommend using this command after checking that your codebase has been initialized properly.

    guacamole profile -p /path/to/your/codebase

A verbose mode (-v) exists to add more information to the output.

Skipping individual checks

You can use inline code comments to skip individual checks for a particular resource.

⚠️ Currently only supports static checks on modules for Terraform ⚠️

To skip a check on a given Terraform definition block resource, apply the following comment pattern inside its scope: # guacamole-ignore:<check_id> <suppression_comment>

  • <check_id> is one of the available check scanners.
  • <suppression_comment> is an optional suppression reason.

Example:

The following comment skips the TF_NAM_001 check on the resource identified by network:

# guacamole-ignore:TF_NAM_001 We will be creating more rg
resource "azurerm_resource_group" "network" {
  name...

You can also whitelist entire checks in modules by adding them to a .guacamoleignore file at the root of your codebase. Each line of the file holds the path of the module followed by the check IDs to ignore, separated by commas:

pathtomodule/modules/cloud-run-app TF_MOD_002,TF_MOD_001
pathtomodule/modules/network TF_NAM_001

This is the only way to whitelist the check TF_MOD_002.

You can specify the path of the .guacamoleignore file with the -w flag.
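
To review what has been suppressed before trusting a clean guacamole run, the sketch below inventories both mechanisms described above and flags inline suppressions that give no reason. It is an added example, not part of guacamole; the regular expression, the function names and the sample inputs are assumptions constructed from the formats shown in this README.

```python
import re

# Pattern taken from the README: "# guacamole-ignore:<check_id> <suppression_comment>".
# The exact grammar guacamole accepts is an assumption.
INLINE = re.compile(r"#\s*guacamole-ignore:(\S+)[ \t]*(.*)")


def inline_suppressions(tf_source):
    """Return (line_no, check_id, reason) for each inline ignore comment."""
    found = []
    for no, line in enumerate(tf_source.splitlines(), start=1):
        m = INLINE.search(line)
        if m:
            found.append((no, m.group(1), m.group(2).strip()))
    return found


def ignore_file_entries(text):
    """Return (module_path, [check_ids]) for each .guacamoleignore line."""
    entries = []
    for line in text.splitlines():
        parts = line.strip().rsplit(None, 1)  # path, then comma-separated IDs
        if len(parts) == 2:
            ids = [c for c in parts[1].split(",") if c]
            entries.append((parts[0], ids))
    return entries


def unjustified(suppressions):
    """Inline suppressions that carry no reason; candidates for review."""
    return [s for s in suppressions if not s[2]]


# Constructed sample input (not from a real codebase).
SAMPLE_TF = '''\
# guacamole-ignore:TF_NAM_001 We will be creating more rg
resource "azurerm_resource_group" "network" {}
# guacamole-ignore:TF_NAM_001
resource "azurerm_resource_group" "data" {}
'''
SAMPLE_IGNORE = '''\
pathtomodule/modules/cloud-run-app TF_MOD_002,TF_MOD_001
pathtomodule/modules/network TF_NAM_001
'''

if __name__ == "__main__":
    print(unjustified(inline_suppressions(SAMPLE_TF)))
    print(ignore_file_entries(SAMPLE_IGNORE))
```

Running the same functions over the .tf files and the .guacamoleignore file of a real repository in code review gives a list of every disabled check and who needs to justify it.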

List of checks

Static module check for Terraform

Static layer check for Terragrunt

State

Demo


License
