Adds Terraform validation tests and Terraform resource names match enforcement status

Author: Kinnaird McQuade

.actrc

@@ -0,0 +1 @@
+-P ubuntu-latest=nektos/act-environments-ubuntu:18.04

.github/workflows/ci.yml

@@ -19,6 +19,11 @@ jobs:
         with:
           python-version: ${{ matrix.python-version }}
 
+      - name: Setup Terraform
+        uses: hashicorp/setup-terraform@v1
+        with:
+          terraform_version: 0.12.28
+
       - name: Install dependencies
         run: |
           make setup-dev
@@ -28,6 +33,10 @@ jobs:
           make security-test
           make test
 
+      - name: Validate Terraform output
+        run: |
+          make terraform-validate
+
       - name: Install the package to make sure nothing is randomly broken
         run: |
           make install

Makefile

@@ -86,10 +86,15 @@ count-loc:
 	echo "Website: https://github.com/XAMPPRocky/tokei#installation'"
 	tokei ./* --exclude --exclude '**/*.html' --exclude '**/*.json' --exclude azure_guardrails/shared/data/ --exclude azure_guardrails/shared/azure-policy --exclude examples --exclude docs --exclude tmp --exclude venv
 
-.PHONY: terraform-demo
-terraform-demo: install
-	azure-guardrails --help
-	azure-guardrails generate-terraform --service all --subscription example --no-params > examples/terraform-demo/main.tf
+.PHONY: github-actions-test
+github-actions-test:
+	act -l
+	# Run the CI job
+	act -j ci
+
+.PHONY: terraform-validate
+terraform-validate: install
+	sh utils/terraform-demo.sh
 
 .PHONY: update-policy-table
 update-policy-table: install

azure_guardrails/terraform/terraform.py

@@ -38,6 +38,8 @@ def _initiative_name(self, subscription_name: str, management_group: str) -> str
         parameter_requirement_str = "NP"
         if self.enforce:
             parameter_requirement_str = "NP-Enforce"
+        else:
+            parameter_requirement_str = f"{parameter_requirement_str}-Audit"
         if subscription_name:
             initiative_name = utils.format_policy_name(subscription_name, parameter_requirement_str)
         else:
@@ -187,6 +189,8 @@ def _initiative_name(self, subscription_name: str, management_group: str, parame
             )
         if self.enforce:
             parameter_requirement_str = f"{parameter_requirement_str}-Enforce"
+        else:
+            parameter_requirement_str = f"{parameter_requirement_str}-Audit"
         if subscription_name:
             initiative_name = utils.format_policy_name(subscription_name, parameter_requirement_str)
         else:

examples/terraform-demo/main.tf renamed to examples/terraform-demo-no-params/main.tf

@@ -0,0 +1,3 @@
+provider "azurerm" {
+  features {}
+}

examples/terraform-demo-with-parameters/provider.tf renamed to examples/terraform-demo-no-params/provider.tf

@@ -0,0 +1,3 @@
+terraform {
+  required_version = ">= 0.12.0"
+}

examples/terraform-demo-with-parameters/terraform.tf renamed to examples/terraform-demo-no-params/terraform.tf

@@ -41,7 +41,7 @@ def setUp(self) -> None:
         )
 
     def test_terraform_key_vault(self):
-        self.assertEqual("example_NP", self.kv_terraform_template.initiative_name)
+        self.assertEqual("example_NP_Audit", self.kv_terraform_template.initiative_name)
         print(self.terraform_template.initiative_name)
         self.assertEqual("no_params", self.kv_terraform_template.label)
         print(self.terraform_template.label)
@@ -67,7 +67,7 @@ def test_terraform_name_length(self):
         )
         print(tmp_terraform_template.initiative_name)
         print(len(tmp_terraform_template.initiative_name))
-        self.assertTrue(tmp_terraform_template.initiative_name == "ThisSubscriptionNameI_NP")
+        self.assertTrue(tmp_terraform_template.initiative_name == "ThisSubscriptio_NP_Audit")
         self.assertTrue(len(tmp_terraform_template.initiative_name) <= 24)
 
     def test_terraform_name_enforcement_enforce(self):

examples/terraform-demo-params-optional/main.tf

@@ -0,0 +1,86 @@
+#!/usr/bin/env bash
+set -x
+
+
+# Validate that azure-guardrails tool is installed
+if ! command -v azure-guardrails &> /dev/null
+then
+    echo "azure-guardrails could not be found. Please download and install the tool from https://github.com/salesforce/azure-guardrails/"
+    exit
+fi
+
+
+# Validate that Terraform 0.12 is installed and in use
+is_tf_version_12=$(terraform version | grep -m1 "" | grep -m1 "0\.12\.");
+
+if [[ -z $is_tf_version_12 ]]; then
+  echo "Terraform 0.12.x is NOT used. Let's try to install it with tfenv";
+  # If tfenv is not installed
+  if ! command -v tfenv &> /dev/null
+  then
+      echo "tfenv could not be found. Please download and install the tool from https://github.com/tfutils/tfenv"
+      exit
+  fi
+  # If tfenv exists, install Terraform 0.12.x
+  tfenv install 0.12.28
+  tfenv use 0.12.28
+else
+  echo "Terraform 0.12.x is used. We can leverage that for running terraform validate";
+fi
+
+if ! command -v azure-guardrails &> /dev/null
+then
+    echo "azure-guardrails could not be found. Please download and install the tool from https://github.com/salesforce/azure-guardrails/"
+    exit
+fi
+
+#### Generate the example Terraform files
+# No Parameters
+export no_params_folder="examples/terraform-demo-no-params"
+azure-guardrails generate-terraform --no-params \
+  --service all \
+  --subscription example \
+  --no-summary  > ${no_params_folder}/main.tf
+
+# Optional Parameters
+export params_optional_folder="examples/terraform-demo-params-optional"
+azure-guardrails generate-terraform --params-optional \
+  --service all \
+  --subscription example \
+  --no-summary  > ${params_optional_folder}/main.tf
+
+# Required Parameters
+export params_required_folder="examples/terraform-demo-params-required"
+azure-guardrails generate-terraform --params-required \
+  --service all \
+  --subscription example \
+  --no-summary  > ${params_required_folder}/main.tf
+
+# Run Terraform validate inside there
+echo "Running Terraform validate"
+pwd
+declare -a dirs=( ${no_params_folder} ${params_optional_folder} ${params_required_folder} )
+
+for dir in ${dirs[@]}; do
+  cd ./$dir/
+  echo "Running terraform validate in $${dir}...";
+  terraform init -backend=false
+  terraform validate
+  echo $!
+  cd ../../
+done
+#
+#cd ${no_params_folder}
+#terraform init -backend=false
+#terraform validate
+#cd ../../
+#
+#cd ${params_optional_folder}
+#terraform init -backend=false
+#terraform validate
+#cd ../../
+#
+#cd ${params_required_folder}
+#terraform init -backend=false
+#terraform validate
+#cd ../../