Use the Styra DAS CLI for Terraform Policy
Before evaluating policy against your Terraform code or plan, first download, install, and authenticate the Styra CLI by following the instructions for your OS in the Styra CLI reference doc.
Ensure your Styra CLI version is up to date to make use of Terraform code scanning and new OPA built-ins used by the latest Styra DAS Terraform system type version.
Terraform Code Scanning
Terraform code files (.tf and .tf.json files) can be scanned for policy violations using the Styra CLI validate check-local command, as well as the validate cl command alias. The Styra CLI transforms each Terraform code file into a standard Terraform plan JSON representation input compatible with rules in the Styra DAS Terraform Policy Library. The resources in a Terraform code file are populated into the resource_changes plan object (other Terraform plan parameters are not generated). Each Terraform file scanned appears in the associated Styra DAS system's decision log as a separate decision with metadata noting the file input's name for each decision.
Styra CLI Code Scanning Configuration
After authenticating the Styra CLI with your Styra DAS tenant, the validate check-local command uses a .styra.yaml file to map a Styra DAS system (using its system ID) to the Terraform files to scan.
The .styra.yaml file follows the format:
checks:
  policy_check_name:
    system_id: b52e42c6ab574d9ab8bc5e7a86ce72ea
    files:
      - '*.tf'
      - '*.tf.json'
policy_check_name is a user-defined name which can be used to distinguish policy checks if defining multiple policy checks.
system_id is the ID of the Styra DAS system, which is displayed in the Styra DAS UI under the system's name when viewing system details.
files is the list of globs describing the files you want to run policy against.
The files glob matching supports:
pattern:
{ term }
term:
'*' matches any sequence of non-Separator characters
'?' matches any single non-Separator character
'[' [ '^' ] { character-range } ']'
character class (must be non-empty)
c matches character c (c != '*', '?', '\\', '[')
'\\' c matches character c
character-range:
c matches character c (c != '\\', '-', ']')
'\\' c matches character c
lo '-' hi matches character c for lo <= c <= hi
Run Policy Checks on Code
Run code scanning from the directory containing the .styra.yaml file by executing the validate check-local Styra CLI command (e.g., styra validate check-local).
When policy violations are found, the CLI reports which files include monitoring errors (for rules in monitor mode) and errors (for rules in enforce mode):
Check `prod_and_staging` failed
Found errors in the following files:
* s3.tf
* iam.tf
Found monitoring errors in the following files:
* s3.tf
* iam.tf
Error: 1 Check Failed
To export the policy violation messages for each input file to a JSON file, use the -o output-file.json flag.
Code Scanning Limitations
Due to the Styra CLI transformation of Terraform code files to a JSON plan representation compatible with existing system rules, the following limitations currently apply:
- Rules which evaluate relationships between Terraform resources (e.g., require aws_s3_bucket resources to have logging defined in an aws_s3_bucket_versioning resource) cannot evaluate across files, because each file is transformed and evaluated as a separate plan input.
- Terraform HCL reference (e.g., local.<NAME>), operator (e.g., a || b), and function (e.g., count, for_each) values are not resolved, as they may include cross-file references or values which will not be known until plan or apply time.
- Terraform data source, module, local, variable, output, and provider code blocks are not transformed into the plan representation. Rules which apply to these block types will not return violations during code scanning.
Terraform Plan Scanning
Terraform plans describe the changes Terraform will make to cloud resources and services to match the Terraform code configuration. Policy guardrails can be evaluated against Terraform plan JSON files using the Styra CLI.
Styra CLI Plan Scanning Configuration
The installation instructions for Styra DAS Terraform systems are located in Your System >> Settings >> Install. These instructions include the API call to fetch the system's configuration file for the Styra CLI to use when scanning a Terraform plan.
Once the Styra CLI is downloaded and configured, use the vet command to evaluate Styra DAS policies in an embedded OPA agent against a JSON Terraform plan file on a local machine or in a CI/CD pipeline.
When you provide the vet command a JSON-encoded Terraform plan file, it will:
- Fetch your published system policy bundle from Styra DAS (caching it locally for multiple runs).
- Evaluate the policies in the bundle against the JSON input.
- Display the policy decision results.
- Log the decision results to the Styra DAS Decision Log.
Review the decision results in the Styra CLI directly or access your Styra DAS tenant console to view the decision results, replay the decision to step through each evaluated policy, or use the decision input for previewing policy change results and impact analysis.
Generate a JSON Terraform Plan
Using the Terraform CLI, run the following commands to generate a JSON-encoded Terraform plan:
terraform plan --out tfplan.binary && terraform show -json tfplan.binary > tfplan.json
If using Terraform Cloud or Terraform Enterprise as your remote backend, you may encounter the following error:
│ Error: Saving a generated plan is currently not supported
│
│ The "remote" backend does not support saving the generated execution plan
│ locally at this time.
You can resolve this error by changing your Terraform Cloud workspace execution mode from remote to local as detailed in the Terraform Cloud Workspace Settings documentation.
Alternatively, use the Styra DAS direct integration with Terraform Cloud, which keeps the Terraform Cloud workspace execution mode set to remote. See the Terraform Cloud Setup Instructions for more details.
Evaluate Policies Against the Terraform Plan
With the generated tfplan.json file as an input, run the Styra CLI vet command:
./styra vet tfplan.json
Once evaluation of the plan completes, policy decision details are reported in the Styra CLI and in your Styra DAS system.