A CLI tool that runs opinionated quality checks on your IaC codebase.
Check the IaC guild guidelines for more information on the quality checks.
ℹ️ If you use Linux, you can install Linuxbrew.

```shell
brew tap padok-team/tap
brew install guacamole
```
Prerequisites:

- Golang
- Terraform
- Terragrunt

One-liner installer (builds in /tmp and returns you to the directory you started from):

```shell
# DIR must be assigned in its own command: `DIR=$(pwd) cd /tmp` would only set DIR for that single cd.
DIR=$(pwd) && cd /tmp && git clone git@github.com:padok-team/guacamole.git && cd guacamole && go build && alias guacamole=/tmp/guacamole/guacamole && cd "$DIR"
```

For a more permanent installation, move the /tmp/guacamole/guacamole binary into a directory present in your $PATH.
Three modes currently exist:

- Static mode: runs quality checks on the codebase without running Terraform / Terragrunt commands.

  ```shell
  guacamole static -p /path/to/your/codebase
  ```

- [EXPERIMENTAL] State mode: runs quality checks based on your layers' state. We recommend using this command after checking that your codebase has been initialized properly.

  ```shell
  guacamole state -p /path/to/your/codebase
  ```

- [EXPERIMENTAL] Profile mode: creates a detailed report of the contents of your codebase. We recommend using this command after checking that your codebase has been initialized properly.

  ```shell
  guacamole profile -p /path/to/your/codebase
  ```

A verbose mode (`-v`) exists to add more information to the output.
You can use inline code comments to skip individual checks for a particular block.

To skip a check on a given Terraform block, add a comment with the following pattern to that block (inside its scope or, as in the example below, on the line directly above it):

```hcl
# guacamole-ignore:<check_id> <suppression_comment>
```

- `<check_id>` is the ID of one of the checks listed below.
- `<suppression_comment>` is an optional suppression reason.

Example: the following comment skips the TF_NAM_001 check on the resource identified by `network`:

```hcl
# guacamole-ignore:TF_NAM_001 We will be creating more rg
resource "azurerm_resource_group" "network" {
  name...
```
You can also whitelist entire checks in modules by adding them to a .guacamoleignore file at the root of your codebase.

Each line of the file has the format: the path of the module, a space, then the check ID(s) to ignore for that module, comma-separated.

```
pathtomodule/modules/cloud-run-app TF_MOD_002,TF_MOD_001
pathtomodule/modules/network TF_NAM_001
```

This is the only way to whitelist the check TF_MOD_002.

You can specify the path of the .guacamoleignore file with the `-w` flag.
- TF_MOD_001 - Remote module call should be pinned to a specific version
- TF_MOD_002 - Provider should be defined by the consumer of the module
- TF_MOD_003 - Required provider versions in modules should be set with the ~> operator
- TF_NAM_001 - Resources in modules should be named "this" or "these" if their type is unique
- TF_NAM_002 - snake_case should be used for all resource names
- TF_NAM_003 - Stuttering in the naming of resources
- TF_NAM_004 - Variable name's number should match its type
- TF_NAM_005 - Resources and data sources should not be named "this" or "these" if there are more than 1 of the same type
- TF_VAR_001 - Variable should contain a description
- TF_VAR_002 - Variable should declare a specific type

- TG_DRY_001 - No duplicate inputs within a layer
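As an added worked example (not guacamole's own code, which is written in Go and parses real Terraform), the Python script below re-implements four of the checks listed above (TF_MOD_001, TF_VAR_001, TF_VAR_002, TF_NAM_002) over a small regex-parsed subset of HCL, together with both suppression mechanisms described earlier: the inline `# guacamole-ignore:` comment and the `.guacamoleignore` file. The Terraform snippet and ignore file are constructed for the example. How "pinned" is decided (an exact x.y.z version, or a `?ref=` in a git source), where the inline comment is looked for (the line above the block or anywhere inside it), and the exact path matching for `.guacamoleignore` are assumptions made here to illustrate the README, not a specification of the tool.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    check_id: str
    block: str      # e.g. 'module "vpc"'
    message: str


# Top-level block headers of the kinds the checks below care about.
BLOCK_RE = re.compile(
    r'^[ \t]*(?P<kind>module|variable|resource|data)[ \t]+"(?P<a>[^"]+)"'
    r'(?:[ \t]+"(?P<b>[^"]+)")?[ \t]*\{', re.M)
# Inline suppression: `# guacamole-ignore:<check_id> <optional reason>`
IGNORE_RE = re.compile(r'#\s*guacamole-ignore:(?P<id>[A-Z]+_[A-Z]+_\d{3})')
# "Pinned to a specific version" is taken to mean an exact x.y.z (assumption).
PINNED_RE = re.compile(r'^=?\s*\d+\.\d+\.\d+$')
SNAKE_RE = re.compile(r'^[a-z][a-z0-9]*(?:_[a-z0-9]+)*$')


def _attr(body, name):
    """Return the value of a single-line `name = value` attribute, or None."""
    m = re.search(r'^\s*' + re.escape(name) + r'\s*=\s*(.+?)\s*$', body, re.M)
    return m.group(1).strip('"') if m else None


def iter_blocks(hcl):
    """Yield (kind, label, name, body, previous_line) for each top-level block.
    Brace counting ignores braces inside strings/comments: fine for this toy
    subset, not for arbitrary Terraform."""
    for m in BLOCK_RE.finditer(hcl):
        depth, i = 0, m.end() - 1          # index of the opening brace
        while i < len(hcl):
            depth += {'{': 1, '}': -1}.get(hcl[i], 0)
            if depth == 0:
                break
            i += 1
        body = hcl[m.end():i]
        line_start = hcl.rfind('\n', 0, m.start()) + 1
        prev_line = ''
        if line_start:
            prev_line = hcl[hcl.rfind('\n', 0, line_start - 1) + 1:line_start - 1]
        kind, a, b = m.group('kind'), m.group('a'), m.group('b')
        label = f'{kind} "{a}"' + (f' "{b}"' if b else '')
        yield kind, label, (b or a), body, prev_line


def run_checks(hcl):
    """Run four README checks over one Terraform file, honouring inline ignores."""
    findings = []
    for kind, label, name, body, prev_line in iter_blocks(hcl):
        # Suppressions on the line above the block or anywhere inside it (assumption).
        suppressed = {m.group('id') for m in IGNORE_RE.finditer(prev_line + body)}

        def emit(check_id, message):
            if check_id not in suppressed:
                findings.append(Finding(check_id, label, message))

        if kind == 'module':
            source = _attr(body, 'source') or ''
            version = _attr(body, 'version')
            local = source.startswith(('./', '../'))
            pinned = '?ref=' in source or bool(version and PINNED_RE.match(version))
            if not local and not pinned:
                emit('TF_MOD_001', 'remote module call is not pinned to a specific version')
        elif kind == 'variable':
            if _attr(body, 'description') is None:
                emit('TF_VAR_001', 'variable has no description')
            if _attr(body, 'type') in (None, 'any'):
                emit('TF_VAR_002', 'variable does not declare a specific type')
        else:  # resource or data
            if not SNAKE_RE.match(name):
                emit('TF_NAM_002', f'name {name!r} is not snake_case')
    return findings


def parse_guacamoleignore(text):
    """`.guacamoleignore`: one `module/path CHECK_ID[,CHECK_ID...]` per line."""
    rules = {}
    for line in text.splitlines():
        parts = line.split(None, 1)
        if not parts:
            continue                        # blank line
        if len(parts) != 2:
            raise ValueError(f'expected "<path> <ids>": {line!r}')
        rules.setdefault(parts[0], set()).update(
            i.strip() for i in parts[1].split(',') if i.strip())
    return rules


def apply_guacamoleignore(findings, module_path, rules):
    """Drop findings whose check ID is whitelisted for this module's path."""
    ignored = rules.get(module_path, set())
    return [f for f in findings if f.check_id not in ignored]


# Constructed sample input (not taken from any real codebase).
SAMPLE_TF = '''\
module "vpc" {
  source  = "terraform-aws-modules/vpc/aws"
  version = "~> 5.0"
}

module "this" {
  source = "git::https://example.com/modules/net.git?ref=v1.2.0"
}

variable "subnetCount" {
  type = any
}

# guacamole-ignore:TF_NAM_002 legacy name kept for state compatibility
resource "azurerm_resource_group" "Network-RG" {
  name     = "rg-network"
  location = "westeurope"
}
'''

SAMPLE_IGNORE = '''\
modules/network TF_MOD_001
modules/cloud-run-app TF_MOD_002,TF_MOD_001
'''

if __name__ == '__main__':
    raw = run_checks(SAMPLE_TF)
    rules = parse_guacamoleignore(SAMPLE_IGNORE)
    for f in apply_guacamoleignore(raw, 'modules/network', rules):
        print(f'{f.check_id}: {f.block}: {f.message}')
```

Run as-is, the script reports the unpinned `~> 5.0` module call (TF_MOD_001) and the undocumented, untyped variable (TF_VAR_001, TF_VAR_002), while the non-snake_case resource name is silenced by its inline comment; treating the file as the module `modules/network` then whitelists TF_MOD_001 through the ignore file, leaving only the two variable findings.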