This folder contains a Terraform configuration that deploys an EC2 instance in an Amazon Web Services (AWS) account. The idea is to test this module against the OPA policy in enforce_tagging.rego, which will pass if this module sets the proper tags, and fail otherwise.
For more info, please see Chapter 9, "How to test Terraform code", of Terraform: Up and Running.
- You must have Terraform installed on your computer.
- You must have Open Policy Agent (OPA) installed on your computer.
- You must have an Amazon Web Services (AWS) account.
Please note that this code was written for Terraform 1.x.
Please note that this example will deploy real resources into your AWS account. We have made every effort to ensure all the resources qualify for the AWS Free Tier, but we are not responsible for any charges you may incur.
Configure your AWS access keys as environment variables:

```bash
export AWS_ACCESS_KEY_ID=(your access key id)
export AWS_SECRET_ACCESS_KEY=(your secret access key)
```
Run `terraform plan` and save the output to a file:

```bash
terraform plan -out tfplan.binary
```
Convert the plan file to JSON:

```bash
terraform show -json tfplan.binary > tfplan.json
```
Run the JSON plan file against the `enforce_tagging.rego` OPA policy:

```bash
opa eval \
  --data enforce_tagging.rego \
  --input tfplan.json \
  --format pretty \
  data.terraform.allow
```
If the module sets the required `ManagedBy` tag, the output will be:

```
true
```
If the module is missing that required tag, the output will be:

```
undefined
```