Guacamole 🥑

A CLI tool that runs opinionated quality checks on your IaC codebase.

Check the IaC guild guidelines for more information on the quality checks.

Install

With Homebrew

ℹ️ If you use Linux, you can install Linuxbrew

brew tap padok-team/tap
brew install guacamole

From GitHub

Prerequisites :

• Golang
• Terraform
• Terragrunt

One-liner installer (in /tmp) :

DIR=$(pwd) cd /tmp && git clone git@github.com:padok-team/guacamole.git && cd guacamole && go build && alias guacamole=/tmp/guacamole/guacamole && cd $DIR

For a more permanent installation, just move the /tmp/guacamole/guacamole binary into a directory present in your $PATH.

Usage

Three modes currently exist :

• Static mode : runs quality checks on the codebase without running Terraform / Terragrunt commands

  guacamole static -p /path/to/your/codebase

  • By default, it will launch module and layer checks
  • To launch layer check use guacamole static layer
  • To launch module check use guacamole static module

• [EXPERIMENTAL] State mode : runs quality checks based on your layers' state

  We recommend using this command after checking that your codebase has been initialized properly.

  guacamole state -p /path/to/your/codebase

• [EXPERIMENTAL] Profile mode : creates a detailed report of the contents of your codebase

  We recommend using this command after checking that your codebase has been initialized properly.

  guacamole profile -p /path/to/your/codebase

A verbose mode (-v) exists to add more information to the output.

Skipping individual checks

You can use inline code comments to skip individual checks for a particular resource.

To skip a check on a given Terraform definition block resource, apply the following comment pattern inside its scope: # guacamole-ignore:<check_id> <suppression_comment>

<check_id> is one of the available check scanners.
<suppression_comment> is an optional suppression reason.

Example:

The following comment skips the TF_NAM_001 check on the resource identified by network

# guacamole-ignore:TF_NAM_001 We will be creating more rg
resource "azurerm_resource_group" "network" {
  name...

⚠️ The following checks can't be whitelisted : TF_MOD_002

List of checks

Static module check for Terraform

• TF_MOD_001 - Remote module call should be pinned to a specific version
• TF_MOD_002 - Provider should be defined by the consumer of the module
• TF_MOD_003 - Required provider versions in modules should be set with ~> operator
• TF_NAM_001 - Resources in modules should be named "this" or "these" if their type is unique
• TF_NAM_002 - snake_case should be used for all resource names
• TF_NAM_003 - Stuttering in the naming of resources
• TF_NAM_004 - Variable name's number should match its type
• TF_NAM_005 - Resources and data sources should not be named "this" or "these" if there are more than 1 of the same type
• TF_VAR_001 - Variable should contain a description
• TF_VAR_002 - Variable should declare a specific type

Static layer check for Terragrunt

• TG_DRY_001 - No duplicate inputs within a layer

State

• TF_MOD_004 - Use for_each to create multiple resources of the same type

Demo

License