
Use the Styra DAS CLI for Terraform Policy

Before evaluating policy against your Terraform code or plan, first download, install, and authenticate the Styra CLI by following the instructions for your OS in the Styra CLI reference doc.


Ensure your Styra CLI version is up to date to make use of Terraform code scanning and new OPA built-ins used by the latest Styra DAS Terraform system type version.

Terraform Code Scanning

Terraform code files (.tf and .tf.json files) can be scanned for policy violations using the Styra CLI validate check-local command, as well as the validate cl command alias. The Styra CLI transforms each Terraform code file into a standard Terraform plan JSON representation input compatible with rules in the Styra DAS Terraform Policy Library. The resources in a Terraform code file are populated into the resource_changes plan object (other Terraform plan parameters are not generated). Each Terraform file scanned appears in the associated Styra DAS system's decision log as a separate decision with metadata noting the file input's name for each decision.

Styra CLI Code Scanning Configuration

After authenticating the Styra CLI with your Styra DAS tenant, the validate check-local command uses a .styra.yaml file to map a Styra DAS system (using its system ID) to the Terraform files to scan.

The .styra.yaml file follows the format:

checks:
  policy_check_name:
    system_id: b52e42c6ab574d9ab8bc5e7a86ce72ea
    files:
      - '*.tf'
      - '*.tf.json'

  • policy_check_name is a user-defined name which can be used to distinguish policy checks if defining multiple policy checks.
  • system_id is the ID of the Styra DAS system, which is displayed in the Styra DAS UI under the system's name when viewing system details.
  • files is the list of globs describing the files you want to run policy against.

The files glob matching supports:

pattern:
    { term }
term:
    '*'         matches any sequence of non-Separator characters
    '?'         matches any single non-Separator character
    '[' [ '^' ] { character-range } ']'
                character class (must be non-empty)
    c           matches character c (c != '*', '?', '\\', '[')
    '\\' c      matches character c

character-range:
    c           matches character c (c != '\\', '-', ']')
    '\\' c      matches character c
    lo '-' hi   matches character c for lo <= c <= hi
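Because '*' and '?' never match the path separator, the '*.tf' and '*.tf.json' globs only cover files in the directory that holds .styra.yaml. The following coverage check is an added example, not part of the Styra CLI: it uses Go's path/filepath.Match, which implements this same grammar, and it assumes that the CLI matches paths relative to the .styra.yaml directory. The function name, the file listing, and the modules/*/*.tf glob are hypothetical.

```go
package main

import (
	"fmt"
	"path/filepath"
	"strings"
)

// Uncovered returns the Terraform code files that none of the globs match.
// filepath.Match follows the grammar above: '*' and '?' never match the
// path separator, so '*.tf' does not reach into subdirectories.
func Uncovered(globs, paths []string) ([]string, error) {
	var missed []string
	for _, p := range paths {
		if !strings.HasSuffix(p, ".tf") && !strings.HasSuffix(p, ".tf.json") {
			continue // not a Terraform code file
		}
		matched := false
		for _, g := range globs {
			ok, err := filepath.Match(g, p)
			if err != nil {
				return nil, fmt.Errorf("bad glob %q: %w", g, err)
			}
			matched = matched || ok
		}
		if !matched {
			missed = append(missed, p)
		}
	}
	return missed, nil
}

// Constructed repository listing, relative to the .styra.yaml directory.
var repo = []string{"main.tf", "vars.tf.json", "modules/vpc/main.tf", "README.md"}

func main() {
	for _, globs := range [][]string{
		{"*.tf", "*.tf.json"},                   // globs from the page
		{"*.tf", "*.tf.json", "modules/*/*.tf"}, // hypothetical extra glob
	} {
		missed, err := Uncovered(globs, repo)
		fmt.Println(globs, "-> not scanned:", missed, err)
	}
}
```

Running a check like this in CI before the scan shows which Terraform files would never reach the policy check.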

Run Policy Checks on Code

Run code scanning from the directory containing the .styra.yaml file by executing the validate check-local Styra CLI command (e.g., styra validate check-local).

When policy violations are found, the CLI reports which files include monitoring errors (for rules in monitor mode) and errors (for rules in enforce mode):

Check `prod_and_staging` failed

Found errors in the following files:

Found monitoring errors in the following files:

Error: 1 Check Failed

To export the policy violation messages for each input file to a JSON file, use the -o output-file.json flag.

Code Scanning Limitations

Due to the Styra CLI transformation of Terraform code files to a JSON plan representation compatible with existing system rules, the following limitations currently apply:

  • Rules which evaluate relationships between Terraform resources (e.g., require aws_s3_bucket resources to have logging defined in an aws_s3_bucket_versioning resource) cannot evaluate across files.
  • Terraform HCL reference (e.g., local.<NAME>), operator (e.g., a || b), and function (e.g., count, for_each) values are not resolved, as they may include cross-file references or values which will not be known until plan or apply time.
  • Terraform data source, module, local, variable, output, and provider code blocks are not transformed into the plan representation. Rules which apply to these block types will not return violations during code scanning.
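To see how much of a file falls under these limitations, the following added example (not Styra code) inventories the block types that are skipped and the lines whose values stay unresolved. It is a line-based heuristic that assumes terraform fmt layout and is not an HCL parser; Inspect, BlindSpots, and the sample file are hypothetical, and var.<NAME> is included here as a further reference form alongside local.<NAME>.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Top-level block types the page lists as not transformed into the plan
// representation ("locals" is the HCL keyword for local values).
var skipped = regexp.MustCompile(`^(data|module|locals|variable|output|provider)\b[^{]*\{`)

// Values the page lists as unresolved: count / for_each, and references
// such as local.<NAME> (var.<NAME> is an addition in this example).
var unresolved = regexp.MustCompile(`^\s*(count|for_each)\s*=|=.*\b(local|var)\.\w`)

// BlindSpots summarises what a code scan of one file cannot evaluate.
type BlindSpots struct {
	Blocks map[string]int // skipped block type -> count
	Lines  []int          // 1-based lines holding unresolved values
}

// Inspect assumes top-level blocks start in column 0 (terraform fmt layout).
func Inspect(src string) BlindSpots {
	out := BlindSpots{Blocks: map[string]int{}}
	for i, line := range strings.Split(src, "\n") {
		if strings.HasPrefix(strings.TrimSpace(line), "#") {
			continue // comment line
		}
		if m := skipped.FindStringSubmatch(line); m != nil {
			out.Blocks[m[1]]++
		} else if unresolved.MatchString(line) {
			out.Lines = append(out.Lines, i+1)
		}
	}
	return out
}

// Constructed sample file, not taken from the page.
const sample = `variable "env" {}
data "aws_caller_identity" "me" {}
locals { prefix = "logs" }
resource "aws_s3_bucket" "logs" {
  count  = 2
  bucket = "${local.prefix}-${var.env}"
}
`

func main() { fmt.Printf("%+v\n", Inspect(sample)) }
```

Files with many hits are the ones where plan scanning, described in the next section, gives the policy rules resolved values to evaluate.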

Terraform Plan Scanning

Terraform plans describe the changes Terraform will make to cloud resources and services to match the Terraform code configuration. Policy guardrails can be evaluated against Terraform plan JSON files using the Styra CLI.

Styra CLI Plan Scanning Configuration

The installation instructions for Styra DAS Terraform systems are located in Your System >> Settings >> Install. These instructions include the API call to fetch the system's configuration file for the Styra CLI to use when scanning a Terraform plan.

Once the Styra CLI is downloaded and configured, use the vet command to evaluate Styra DAS policies in an embedded OPA agent against a JSON Terraform plan file on a local machine or in a CI/CD pipeline.

When you provide the vet command a JSON-encoded Terraform plan file, it will:

  1. Fetch your published system policy bundle from Styra DAS (caching it locally for multiple runs).
  2. Evaluate the policies in the bundle against the JSON input.
  3. Display the policy decision results.
  4. Log the decision results to the Styra DAS Decision Log.

Review the decision results in the Styra CLI directly or access your Styra DAS tenant console to view the decision results, replay the decision to step through each evaluated policy, or use the decision input for previewing policy change results and impact analysis.

Generate a JSON Terraform Plan

Using the Terraform CLI, run the following commands to generate a JSON-encoded Terraform plan:

terraform plan --out tfplan.binary && terraform show -json tfplan.binary > tfplan.json

If using Terraform Cloud or Terraform Enterprise as your remote backend, you may encounter the following error:

│ Error: Saving a generated plan is currently not supported

│ The "remote" backend does not support saving the generated execution plan
│ locally at this time.

You can resolve this error by changing your Terraform Cloud workspace execution mode from remote to local as detailed in the Terraform Cloud Workspace Settings documentation.

Using Terraform Cloud

Use the Styra DAS direct integration with Terraform Cloud, which keeps the Terraform Cloud workspace execution mode set to remote. See the Terraform Cloud Setup Instructions for more details.

Evaluate Policies Against the Terraform Plan

With the generated tfplan.json file as an input, run the Styra CLI vet command:

./styra vet tfplan.json

Once evaluation of the plan completes, policy decision details are reported in the Styra CLI and in your Styra DAS system.