What is it?

PTF, for Policy Terraform, is a Policy as Code framework that I have developed.

The rationale behind it is to be able to define policies that validate your Terraform code in the same language Terraform itself uses, the HashiCorp Configuration Language (HCL).

Links

PTF is fully open source. The codebase is available here and the documentation is available here.

Workflow example

PTF comes into play after the terraform plan step in your deployment process.

The Terraform plan file contains every resource in your Terraform codebase together with the changes that will be applied to it.

Once you have the Terraform Plan file created, you can apply your policies on this plan like so: ptf control -p PATH/TO/PLAN.json --chdir PATH/TO/POLICIES/DIR.

Here is an example of a policy that applies to every Azure Storage Container managed by your Terraform codebase and makes sure it follows a given naming convention:

policy "azure_storage_container_name_pattern" {
  # Select only the storage containers present in the plan
  filter {
    type = "azurerm_storage_container"
  }
  # Require a name made of three letter-only groups separated by underscores
  condition {
    attribute = "name"
    operator  = "re"
    values    = "([a-zA-Z]+)_([a-zA-Z]+)_([a-zA-Z]+)"
  }
}

PTF also lets you test deeply nested resource attributes.
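To make the policy above concrete, here is an added Python stand-in (not PTF's own code) that applies the same filter and condition to a constructed, trimmed-down Terraform JSON plan. The plan layout (resource_changes, change.actions, change.after) is Terraform's JSON plan format; the dict shape of the policy and the anchored fullmatch for the "re" operator are assumptions of this example, not documented PTF behaviour.

```python
import json
import re

# Constructed sample: a trimmed `terraform show -json` plan with one container
# that follows the convention, one that does not, and one being destroyed.
SAMPLE_PLAN = json.loads("""
{
  "resource_changes": [
    {"address": "azurerm_storage_container.logs",
     "type": "azurerm_storage_container",
     "change": {"actions": ["create"], "after": {"name": "app_logs_prod"}}},
    {"address": "azurerm_storage_container.tmp",
     "type": "azurerm_storage_container",
     "change": {"actions": ["create"], "after": {"name": "tmp-bucket"}}},
    {"address": "azurerm_storage_container.old",
     "type": "azurerm_storage_container",
     "change": {"actions": ["delete"], "before": {"name": "old"}, "after": null}},
    {"address": "azurerm_storage_account.main",
     "type": "azurerm_storage_account",
     "change": {"actions": ["update"], "after": {"name": "stprodmain"}}}
  ]
}
""")

# The page's policy transcribed into a plain dict (hypothetical shape; PTF
# reads HCL, this stand-in does not parse it).
POLICY = {
    "name": "azure_storage_container_name_pattern",
    "filter": {"type": "azurerm_storage_container"},
    "condition": {"attribute": "name", "operator": "re",
                  "values": r"([a-zA-Z]+)_([a-zA-Z]+)_([a-zA-Z]+)"},
}

def evaluate(plan: dict, policy: dict) -> dict:
    """Return {address: passed} for every resource selected by the filter.

    Only the planned 'after' state is checked; resources being destroyed
    (after is null) are skipped. fullmatch anchors the regex so a partial
    hit inside a longer name cannot satisfy the naming policy.
    """
    results = {}
    cond = policy["condition"]
    for rc in plan.get("resource_changes", []):
        if rc.get("type") != policy["filter"]["type"]:
            continue
        after = rc.get("change", {}).get("after")
        if after is None:
            continue
        value = after.get(cond["attribute"])
        if cond["operator"] != "re":
            raise ValueError(f"unsupported operator {cond['operator']!r}")
        results[rc["address"]] = (value is not None
                                  and re.fullmatch(cond["values"], value) is not None)
    return results

if __name__ == "__main__":
    for address, ok in evaluate(SAMPLE_PLAN, POLICY).items():
        print(f"{'PASS' if ok else 'FAIL'} {address}")
```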

Roadmap

Currently, PTF is still in alpha. It can test a given set of static policies against your Terraform plan.

In the next release, I plan to add support for variables, to make the policies more dynamic, and support for remote “repositories” so that a set of policies can be reused (similar to Terraform modules).

I would also like to improve the filtering conditions and add support for “meta” policies (policies that check the metadata of your Terraform plan, such as the number of resources, the actions, …).