Use Styra DAS with the Terraform CLI
The installation instructions for your Styra DAS Terraform system are located in Your System >> Settings >> Install. These instructions show you how to install the Terraform CLI along with the Styra CLI.
The Styra CLI's vet command evaluates your Styra DAS policies in an embedded OPA agent against a JSON plan file on a local machine or in a CI/CD pipeline.
Ensure your Styra CLI version is up to date to make use of new OPA built-ins used by the latest Styra DAS Terraform system type version.
Process Flow Overview
When you provide the vet command with a JSON-encoded Terraform plan, it will:
- Fetch your published policy bundle from Styra DAS (caching it locally for multiple runs).
- Evaluate the policies in the bundle against the JSON input.
- Display the policy decision results.
- Log the decision results to the Styra DAS Decision Log.
Review the decision results in the Styra CLI directly or access your Styra DAS tenant console to view the decision results, replay the decision and step through each evaluated policy, or use the decision input for previewing policy change results and impact analysis.
Generate a JSON Terraform Plan
Using the Terraform CLI, run the following commands to generate a JSON-encoded Terraform plan:
terraform plan --out tfplan.binary
terraform show -json tfplan.binary > tfplan.json
If using Terraform Cloud as your remote backend, you may encounter the following error:
│ Error: Saving a generated plan is currently not supported
│
│ The "remote" backend does not support saving the generated execution plan
│ locally at this time.
You can resolve this error by changing your Terraform Cloud workspace execution mode from remote to local as detailed in the Terraform Cloud Workspace Settings documentation.
Alternatively, use the Styra DAS direct integration with Terraform Cloud, which keeps the Terraform Cloud workspace execution mode set to remote. See the Terraform Cloud Setup Instructions for more details.
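Added example (not part of the Styra documentation): tfplan.json is the input that vet evaluates and that appears as the decision input in Styra DAS, and terraform show -json writes values marked sensitive into it in plain text. This Python script lists each changed resource with the attribute paths flagged in the plan's after_sensitive mask. The sample plan, including the example_service type, is constructed for illustration.

```python
import json
import sys

# Constructed sample in the shape `terraform show -json` emits (not a real plan).
SAMPLE_PLAN = json.loads("""
{"format_version": "1.2",
 "resource_changes": [
  {"address": "aws_db_instance.main", "type": "aws_db_instance",
   "change": {"actions": ["create"],
              "after": {"username": "app", "password": "constructed-value"},
              "after_sensitive": {"password": true, "tags": {}}}},
  {"address": "aws_s3_bucket.logs", "type": "aws_s3_bucket",
   "change": {"actions": ["no-op"],
              "after": {"bucket": "logs"}, "after_sensitive": {}}},
  {"address": "example_service.api", "type": "example_service",
   "change": {"actions": ["delete", "create"],
              "after": {"endpoints": [{"token": "constructed-value"}]},
              "after_sensitive": {"endpoints": [{"token": true}]}}}]}
""")

def sensitive_paths(mask, prefix=""):
    """Yield attribute paths where the after_sensitive mask is literally true."""
    if mask is True:
        yield prefix
    elif isinstance(mask, dict):
        for key, value in mask.items():
            yield from sensitive_paths(value, f"{prefix}.{key}" if prefix else key)
    elif isinstance(mask, list):
        for index, value in enumerate(mask):
            yield from sensitive_paths(value, f"{prefix}[{index}]")

def summarize(plan):
    """Return (address, actions, sensitive paths) for each changed resource."""
    rows = []
    for rc in plan.get("resource_changes", []):
        change = rc.get("change", {})
        actions = change.get("actions", [])
        if actions == ["no-op"]:
            continue  # unchanged resources carry no planned change to review
        paths = sorted(sensitive_paths(change.get("after_sensitive", {})))
        rows.append((rc["address"], actions, paths))
    return rows

if __name__ == "__main__":
    # Pass the path to tfplan.json; with no argument the constructed sample is used.
    plan = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_PLAN
    for address, actions, paths in summarize(plan):
        print(address, "/".join(actions), "sensitive:", ", ".join(paths) or "none")
```

The script prints only attribute paths, never the values themselves.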
Evaluate Policies Against the Terraform Plan
With the generated tfplan.json file as an input, run the Styra CLI vet command:
./styra vet tfplan.json
Once evaluation of the plan completes, policy decision details are available in the Styra CLI and in your Styra DAS dashboard.