Validate policies

Preview

This product or feature is subject to the "Pre-GA Offerings Terms" in the General Service Terms section of the Service Specific Terms. Pre-GA products and features are available "as is" and might have limited support. For more information, see the launch stage descriptions.

Before you begin

Install Google Cloud CLI

To use gcloud beta terraform vet you must first install Google Cloud CLI:

  1. Install Google Cloud CLI but skip the gcloud init command.

  2. Run the following commands to install the terraform-tools component:

    gcloud components update
    gcloud components install terraform-tools
  3. Verify that the gcloud CLI is installed by running the following command:

    gcloud beta terraform vet --help

Get required permissions

The Google Cloud account that you use for validation must have the following permissions:

  • getIamPolicy: gcloud beta terraform vet needs to read the full Identity and Access Management (IAM) policy of each affected resource and merge it with the members and bindings in the plan, so that the end state it validates matches what would actually exist after apply.
  • resourcemanager.projects.get: gcloud beta terraform vet needs to get project ancestry from the API in order to accurately construct a full CAI Asset Name for any projects that validated resources are related to.
  • resourcemanager.folders.get: gcloud beta terraform vet needs to get folder ancestry from the API in order to accurately construct a full CAI Asset Name if the validated resources contain any folder-related resources.

Set up a policy library

You need to create a policy library to use this tool.

Validate policies

1. Generate a Terraform plan

gcloud beta terraform vet is compatible with Terraform 0.12+. gcloud beta terraform vet takes terraform plan JSON as its input. You can generate the JSON file by running the following commands in your Terraform directory:

terraform plan -out=tfplan.tfplan
terraform show -json ./tfplan.tfplan > ./tfplan.json

2. Run gcloud beta terraform vet

gcloud beta terraform vet lets you validate your terraform plan JSON against your organization's POLICY_LIBRARY_REPO. For example:

git clone POLICY_LIBRARY_REPO POLICY_LIBRARY_DIR
gcloud beta terraform vet tfplan.json --policy-library=POLICY_LIBRARY_DIR

When you execute this command, gcloud beta terraform vet retrieves project data by using Google Cloud APIs that are necessary for an accurate validation of your plan.

Flags

  • --policy-library=POLICY_LIBRARY_DIR - Directory that contains a policy library.
  • --project=PROJECT_ID - gcloud beta terraform vet accepts an optional --project flag. This flag specifies the default project when building the ancestry (from the Google Cloud resource hierarchy) for any resource that doesn't have an explicit project set.
  • --format=FORMAT - The default is yaml. The supported formats are: default, json, none, text, yaml. For more details, run $ gcloud topic formats.

Exit code and output

  • If all constraints are validated, the command returns exit code 0 and does not display violations.
  • If violations are found, gcloud beta terraform vet returns exit code 2 and displays a list of violations. For example, JSON output might look like:

[
  {
    "constraint": "GCPIAMAllowedPolicyMemberDomainsConstraintV2.service_accounts_only",
    "constraint_config": {
      "api_version": "constraints.gatekeeper.sh/v1alpha1",
      "kind": "GCPIAMAllowedPolicyMemberDomainsConstraintV2",
      "metadata": {
        "annotations": {
          "description": "Checks that members that have been granted IAM roles belong to allowlisted domains.",
          "validation.gcp.forsetisecurity.org/originalName": "service_accounts_only",
          "validation.gcp.forsetisecurity.org/yamlpath": "policies/constraints/iam_service_accounts_only.yaml"
        },
        "name": "service-accounts-only"
      },
      "spec": {
        "match": {
          "target": [
            "organizations/**"
          ]
        },
        "parameters": {
          "domains": [
            "gserviceaccount.com"
          ]
        },
        "severity": "high"
      }
    },
    "message": "IAM policy for //cloudresourcemanager.googleapis.com/projects/PROJECT_ID contains member from unexpected domain: user:me@example.com",
    "metadata": {
      "ancestry_path": "organizations/ORG_ID/projects/PROJECT_ID",
      "constraint": {
        "annotations": {
          "description": "Checks that members that have been granted IAM roles belong to allowlisted domains.",
          "validation.gcp.forsetisecurity.org/originalName": "service_accounts_only",
          "validation.gcp.forsetisecurity.org/yamlpath": "policies/constraints/iam_service_accounts_only.yaml"
        },
        "labels": {},
        "parameters": {
          "domains": [
            "gserviceaccount.com"
          ]
        }
      },
      "details": {
        "member": "user:me@example.com",
        "resource": "//cloudresourcemanager.googleapis.com/projects/PROJECT_ID"
      }
    },
    "resource": "//cloudresourcemanager.googleapis.com/projects/PROJECT_ID",
    "severity": "high"
  }
]

CI/CD example

A bash script for using gcloud beta terraform vet in a CI/CD pipeline might look like this:

terraform plan -out=tfplan.tfplan
terraform show -json ./tfplan.tfplan > ./tfplan.json
git clone POLICY_LIBRARY_REPO POLICY_LIBRARY_DIR
VIOLATIONS=$(gcloud beta terraform vet tfplan.json --policy-library=POLICY_LIBRARY_DIR --format=json)
retVal=$?
if [ $retVal -eq 2 ]; then
  # Optional: parse the VIOLATIONS variable as json and check the severity level
  echo "$VIOLATIONS"
  echo "Violations found; not proceeding with terraform apply"
  exit 1
fi
if [ $retVal -ne 0 ]; then
  echo "Error during gcloud beta terraform vet; not proceeding with terraform apply"
  exit 1
fi
echo "No policy violations detected; proceeding with terraform apply"
# Apply the saved plan that was validated, not a freshly computed one
terraform apply tfplan.tfplan

Applying the saved tfplan.tfplan rather than running a bare terraform apply guarantees that the changes applied are exactly the ones that were validated. A bare terraform apply re-plans against the current state, so the validated plan and the applied plan can diverge, and in a non-interactive pipeline it would also stop to ask for approval.
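The script's comment suggests parsing the JSON and checking severity before deciding whether to block the apply. The following Python is an added example and not part of this page or of the gcloud CLI: it implements that triage against a constructed sample of the --format=json output (the first entry mirrors the documented violation, trimmed to the fields used; the second uses a hypothetical constraint name to show a low-severity finding), blocks on any violation at or above a chosen severity, and fails closed on tool errors, unparseable output or unknown severity values. The file name vet_gate.py and the ordering low < medium < high are assumptions.

```python
"""Severity triage for gcloud beta terraform vet --format=json output (added example)."""
import json
import sys

# Severity values as written in constraint specs, ranked for comparison (assumed ordering).
SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3}

# Constructed sample output. The first entry mirrors the documented violation (trimmed to
# the fields used here); the second uses a hypothetical constraint name for illustration.
SAMPLE_VIOLATIONS = [
    {
        "constraint": "GCPIAMAllowedPolicyMemberDomainsConstraintV2.service_accounts_only",
        "message": "IAM policy for //cloudresourcemanager.googleapis.com/projects/PROJECT_ID "
                   "contains member from unexpected domain: user:me@example.com",
        "metadata": {
            "ancestry_path": "organizations/ORG_ID/projects/PROJECT_ID",
            "details": {
                "member": "user:me@example.com",
                "resource": "//cloudresourcemanager.googleapis.com/projects/PROJECT_ID",
            },
        },
        "resource": "//cloudresourcemanager.googleapis.com/projects/PROJECT_ID",
        "severity": "high",
    },
    {
        "constraint": "ExampleLabelConstraint.require_owner_label",  # hypothetical constraint
        "message": "resource is missing the owner label",
        "resource": "//storage.googleapis.com/example-bucket",
        "severity": "low",
    },
]
SAMPLE_OUTPUT = json.dumps(SAMPLE_VIOLATIONS)
SAMPLE_LOW_ONLY_OUTPUT = json.dumps(SAMPLE_VIOLATIONS[1:])


def severity_rank(severity):
    """Rank a severity string; unknown or missing values fail closed (rank above high)."""
    return SEVERITY_RANK.get(str(severity).lower(), max(SEVERITY_RANK.values()) + 1)


def parse_violations(output):
    """Parse the JSON array that gcloud beta terraform vet --format=json prints on exit code 2."""
    data = json.loads(output) if output.strip() else []
    if not isinstance(data, list):
        raise ValueError("expected a JSON array of violations")
    return data


def blocking_violations(violations, threshold="high"):
    """Return the violations whose severity is at or above the threshold."""
    floor = severity_rank(threshold)
    return [v for v in violations if severity_rank(v.get("severity")) >= floor]


def gate(vet_exit_code, vet_output, threshold="high"):
    """Decide whether terraform apply may proceed; returns (proceed, reason).

    Mirrors the documented exit-code contract: 0 means no violations, 2 means violations
    were printed as JSON, and anything else is a tool error that blocks the apply.
    """
    if vet_exit_code == 0:
        return True, "no policy violations detected"
    if vet_exit_code != 2:
        return False, "gcloud beta terraform vet failed with exit code %d" % vet_exit_code
    try:
        violations = parse_violations(vet_output)
    except ValueError as exc:  # JSONDecodeError is a ValueError
        return False, "could not parse violations: %s" % exc
    blocking = blocking_violations(violations, threshold)
    if blocking:
        lines = ["%s (%s): %s" % (v.get("constraint"), v.get("severity"), v.get("message"))
                 for v in blocking]
        return False, "%d violation(s) at or above %s:\n%s" % (len(blocking), threshold,
                                                               "\n".join(lines))
    return True, "%d violation(s) below %s threshold; proceeding" % (len(violations), threshold)


if __name__ == "__main__":
    # In the pipeline script: python3 vet_gate.py "$retVal" "$VIOLATIONS" high
    code = int(sys.argv[1])
    output = sys.argv[2] if len(sys.argv) > 2 else ""
    threshold = sys.argv[3] if len(sys.argv) > 3 else "high"
    proceed, reason = gate(code, output, threshold)
    print(reason)
    sys.exit(0 if proceed else 1)
```

In the script above, the two if blocks can be replaced by a single call, python3 vet_gate.py "$retVal" "$VIOLATIONS" high || exit 1, so that low-severity findings are reported but do not stop the pipeline while anything unexpected (a non-zero, non-2 exit code, malformed output, or a severity the gate does not recognise) still blocks the apply.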

Developers can also use gcloud beta terraform vet locally to test Terraform changes prior to running your CI/CD pipeline.

Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see the Google Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.

Last updated 2025-12-15 UTC.