Terraform

18 Most Useful Terraform Tools to Use in 2023

How to use custom tools to complement Terraform

By itself, Terraform is an incredibly formidable Infrastructure-as-Code tool, but as you begin to add complexity to your infrastructure, you may find that it occasionally needs a helping hand. Let’s look at some of the most popular tools used in Terraform-managed deployments today.

We will cover:

  1. Native Tools
  2. IDE Tools
  3. Linting Tools
  4. Security Tools
  5. Drift Tools
  6. Costing Tools
  7. Terraform HCL Generation Tools
  8. Documentation Generation Tools
  9. Management Tools
  10. CI/CD Tools

Native Tool

1. Terraform Console

The Terraform Console is probably one of the most overlooked tools in the arsenal. This is surprising because it’s native to Terraform and is packaged within the binary!

The terraform console command provides an interactive console that can be used to test and evaluate any Terraform expressions you may wish to use in your code. Instead of endlessly experimenting, writing awkward outputs, and banging your head against the desk, the Terraform Console allows you to test out complicated expressions before you run your code.

Let’s take a quick look at an example:

$ terraform console
Terraform console version 0.15.1

> 10 + 20
30

> "hello, world"
"hello, world"

> length("hello, world")
12

> substr("hello, world", 0, 5)
"hello"

> exit

As you can see above, it’s useful for experimenting with expressions before you add them to your code. You can also evaluate variables and manipulate anything else in the state that you need.

One thing to note is that the configuration must be able to pass a plan before the terraform console command will work, so make sure you comment out any issues you’re trying to solve before you enter the console to troubleshoot.

IDE Tool

2. Visual Studio Code

I won’t be listing more than this. VS Code has just absolutely eclipsed other IDEs in the development world. There are certainly some great IDEs out there, but the integrations and plugins in VS Code are unparalleled. 

VS Code has two very popular Terraform extensions:

vs code terraform

One is the official HashiCorp Terraform extension. It has more installations but also some pretty iffy reviews. It has seemed pretty stable whenever I’ve used it, but I typically default to the Terraform extension by Anton Kulikov. It has been solid and works very well. Your organization may have some policies around which extensions should be installed, so you should be good with either if they’re allowed.

Linting Tool

3. TFLint

Tflint is an incredibly handy Terraform framework that lets you lint your Terraform code based on a prewritten ruleset or your own custom rules. These rules are added using “plugins.”

Some of the most common issues you may want to uncover using TFLint, as cited from Github, are:

  • Find possible errors, such as invalid instance types, for the major cloud providers, including AWS, GCP, and Azure.
  • Warn about deprecated syntax and unused declarations.
  • Enforce best practices and naming conventions.

An example is below.

# example.tf
provider "aws" {
  version = "2.70.0"
  region  = "us-west-2"
}

resource "aws_instance" "example" {
  ami           = "ami-0c55b159cbfafe1f0"
  instance_type = "t2.micro"
}
$ tflint

example.tf
  on main.tf line 4:
  4:   version = "2.70.0"
     |     ^ Error: AWS provider version should be specified in the required format: X.Y.Z (e.g. 2.1.0)

Summary:
  Count: 1
  Invalid: 1
  Warnings: 0
  Errors: 1

Security Tools

4. Open Policy Agent

Open Policy Agent isn’t specifically a Terraform framework or tool, but it can be used directly with Terraform. OPA, as it is commonly called, is written in the Rego language, which is inspired by the old Datalog language. It is also used by several tools as their policy language when analyzing Terraform code.

Tools such as Terrascan, Spacelift, Terraform Cloud, and more all support it and use it to varying extents. Spacelift, for instance, uses it for every aspect of the experience. From the time a user logs in to Spacelift to the point where they’re launching stacks, OPA Policies are there, ensuring everything goes according to plan.

Here is an example of a policy that prevents Terraform from deploying AWS IAM access keys:

package spacelift

# Note that the message here is dynamic and captures resource address to provide
# appropriate context to anyone affected by this policy. For the sake of your
# sanity and that of your colleagues, please a
#
# You can read more about plan policies here:
# https://docs.spacelift.io/concepts/policy/terraform-plan-policy

deny[sprintf(message, [resource.address])] {
	message := "Static AWS credentials are evil (%s)"

	resource := input.terraform.resource_changes[_]
	resource.change.actions[_] == "create"

	# This is what decides whether the rule captures a resource.
	# There may be an arbitrary number of conditions, and they all must
	# succeed for the rule to take effect.
	resource.type == "aws_iam_access_key"
}

# Learn more about sampling policy evaluations here:
# https://docs.spacelift.io/concepts/policy#sampling-policy-inputs
sample = true

5. Terrascan

Although the name “Terrascan” leads one to believe that it’s Terraform-specific, it actually works for many IaC providers. Terraform, Kubernetes, Ansible, Cloudformation, and more are supported by Terrascan thanks to its large set of pre-written policies. Of course, you can write your own policies as well for custom use cases.

Terrascan integrates with several CI/CD tools and is extremely flexible when designing your pipelines. 

Here is a basic Terrascan usage example:

$ terrascan scan -t aws
results:
  violations:
  - rule_name: scanOnPushDisabled
    description: Unscanned images may contain vulnerabilities
    rule_id: AWS.ECR.DataSecurity.High.0578
    severity: MEDIUM
    category: Data Security
    resource_name: scanOnPushDisabled
    resource_type: aws_ecr_repository
    file: ecr.tf
    line: 1
  count:
    low: 0
    medium: 1
    high: 0
    total: 1

6. Checkov

Checkov is very similar to Terrascan, but it uses a Python policy-as-code framework instead of the Rego syntax found in OPA. Many engineers may find this more approachable as Python is one of the most popular programming languages today.

Check an example of using Checkov in IaC scanning for vulnerabilities.

Although Python is more approachable for many, the syntax is still a little wordy and can get a little complex, as shown from the official docs below:

from lark import Token

from checkov.terraform.checks.resource.base_resource_check import BaseResourceCheck
from checkov.common.models.enums import CheckResult, CheckCategories


class S3PCIPrivateACL(BaseResourceCheck):
    def __init__(self):
        name = "Ensure PCI Scope buckets has private ACL (enable public ACL for non-pci buckets)"
        id = "CKV_AWS_999"
        supported_resources = ['aws_s3_bucket']
        # CheckCategories are defined in models/enums.py
        categories = [CheckCategories.BACKUP_AND_RECOVERY]
        guideline = "Follow the link to get more info https://docs.bridgecrew.io/docs"
        super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources, guideline=guideline)

    def scan_resource_conf(self, conf):
        """
            Looks for ACL configuration at aws_s3_bucket and Tag values:
            https://www.terraform.io/docs/providers/aws/r/s3_bucket.html
        :param conf: aws_s3_bucket configuration
        :return: <CheckResult>
        """
        if 'tags' in conf.keys():
            environment_tag = Token("IDENTIFIER", "Scope")
            if environment_tag in conf['tags'][0].keys():
                if conf['tags'][0][environment_tag] == "PCI":
                    if 'acl' in conf.keys():
                        acl_block = conf['acl']
                        if acl_block in [["public-read"], ["public-read-write"], ["website"]]:
                            return CheckResult.FAILED
        return CheckResult.PASSED


check = S3PCIPrivateACL()

The “wordiness” may be completely subjective. Python is an excellent language, and I’m sure people would happily debate Rego vs. Python for hours on end.

Overall, the differences between Terrascan and Checkov come down to the policy language, as most other features are at parity with each other. 

7. Tfsec

The tfsec tool is another Rego-based policy tool that is very similar to Terrascan and Checkov. One of the standout features is its multiple policy creation formats. You can use JSON, YAML, or Rego. Rego will be the most flexible and powerful, but JSON and YAML can create most policies you would need with a much more readable format. Read more in our What is tfsec? article.

Here is an example of a check file in YAML:

checks:
- code: CUS001
  description: Custom check to ensure the CostCentre tag is applied to EC2 instances
  impact: By not having CostCentre we can't keep track of billing
  resolution: Add the CostCentre tag
  requiredTypes:
  - resource
  requiredLabels:
  - aws_instance
  severity: ERROR
  matchSpec:
    name: tags
    action: contains
    value: CostCentre
  errorMessage: The required CostCentre tag was missing
  relatedLinks:
  - http://internal.acmecorp.com/standards/aws/tagging.html

Drift Tool

8. Driftctl

Driftctl allows you to perform one of the most crucial aspects of IaC management, which is to detect resources that have drifted from your desired state. It is capable of finding managed resources that have drifted as well as unmanaged resources that were created outside of driftctl.

An example output is here:

Found missing resources:
  aws_s3_bucket:
    - driftctl-bucket-test-2
Found resources not covered by IaC:
  aws_s3_bucket:
    - driftctl-bucket-test-3
Found changed resources:
  - driftctl-bucket-test-1 (aws_s3_bucket):
    ~ Versioning.0.Enabled: false => true
Found 3 resource(s)
 - 33% coverage
 - 1 covered by IaC
 - 1 not covered by IaC
 - 1 missing on cloud provider
 - 1/1 changed outside of IaC

Costing Tool

9. Infracost

Infracost is probably one of the most popular tools used with Terraform in production deployments. It queries the pricing API of the provider and displays a cost based on what you plan to deploy.

The great thing isn’t only that it shows you what it’s going to cost, but you can use a policy tool, such as Open Policy Agent, to write policies that can block a deployment based on the cost. CI/CD tools, such as Spacelift, can easily add tools like this into the deployment pipeline with very minimal configuration. Talk about a CFO’s dream! The community version is completely free but will require some custom tooling to get functionality like the policies mentioned above. If you choose the paid version, all of that is included. There is even a VS Code extension to make things even more streamlined.

Here is an example of the truncated output:

Project: my-terraform-project
Region: us-west-2

+ aws_ebs_volume.my_volume
    Type: aws_ebs_volume
    Quantity: 1
    Monthly cost: $10.50

+ aws_instance.my_instance
    Type: aws_instance
    Quantity: 1
    Monthly cost: $100.00

Total monthly cost: $110.50

Terraform HCL Generation Tools

10. Terraformer

Terraformer is an extremely cool product that scans your cloud environment and outputs the necessary Terraform code to redeploy it. This is definitely not the preferred route to codify your resources as, by now, most startups should have started with Terraform on day one. Unfortunately, many companies started before Terraform was the great tool it is today, so tools like Terraformer are ideal for getting things under new management.

Terraformer is great in a lot of ways, but you’ll want to be extremely careful how you import resources and that you truly understand the infrastructure that it creates and how you structure it. These types of tools rarely create perfect code at best and create an absolute mess of unreadable code at worst. I would strongly recommend reading ALL of the code that’s created and performing a thorough audit to ensure everything is in a readable and scalable structure.

11. Pike

Pike is an interesting tool that will analyze the resources you wish to create using Terraform and generate the necessary IAM permissions you need to complete that deployment.

An example of this is here:

./pike scan -d .\terraform\
{
    "Version": "2012-10-17",
    "Statement": {
        "Effect": "Allow",
        "Action": [
            "ec2:MonitorInstances",
            "ec2:UnmonitorInstances",
            "ec2:DescribeInstances",
            "ec2:DescribeTags",
            "ec2:DescribeInstanceAttribute",
            "ec2:DescribeVolumes",
            "ec2:DescribeInstanceTypes",
            "ec2:RunInstances",
            "ec2:DescribeInstanceCreditSpecifications",
            "ec2:StopInstances",
            "ec2:StartInstances",
            "ec2:ModifyInstanceAttribute",
            "ec2:TerminateInstances",
            "ec2:AuthorizeSecurityGroupIngress",
            "ec2:AuthorizeSecurityGroupEgress",
            "ec2:CreateSecurityGroup",
            "ec2:DescribeSecurityGroups",
            "ec2:DescribeAccountAttributes",
            "ec2:DescribeNetworkInterfaces",
            "ec2:DeleteSecurityGroup",
            "ec2:RevokeSecurityGroupEgress"
        ],
        "Resource": "*"
    }
}

Like any security-related tool, ensure you audit the permissions afterward to ensure compliance.

Documentation Generation Tool

12. Terraform Docs

Let’s face it, writing documentation isn’t every developer’s dream job. Luckily, there’s an excellent tool to automatically generate your Terraform docs from configuration files. Terraform-docs is extremely useful and simple to use when creating documentation that shows exactly what your users need to know. It exposes variables you can add to a template file, and it will automatically generate the sections for you in an easy-to-read format.

You can find an example of a repository that uses this here.

And an example of the format is below:

content: |-
  Any arbitrary text can be placed anywhere in the content

  {{ .Header }}

  and even in between sections

  {{ .Providers }}

  and they don't even need to be in the default order

  {{ .Outputs }}

  include any relative files

  {{ include "relative/path/to/file" }}

  {{ .Inputs }}

  # Examples

  ```hcl
  {{ include "examples/foo/main.tf" }}
  ```

  ## Resources

  {{ range .Module.Resources }}
  - {{ .GetMode }}.{{ .Spec }} ({{ .Position.Filename }}#{{ .Position.Line }})
  {{- end }}

Management Tools

13. TFSwitch

TFSwitch is a simple utility that helps to manage multiple Terraform versions. You can switch between any available Terraform version. The tool will also download the version you need if required. When working with multiple Terraform code bases, this is absolutely critical to keep pesky syntax errors and other headaches at bay if you’re dealing with code that has deprecated or newer features than your current version. 

To use TFSwitch, you just need to install it using the instructions here, and run the tfswitch command to display all of the available versions: 

tfswitch
Creating directory for terraform binary at: /home/user/.terraform.versions
Use the arrow keys to navigate: ↓ ↑ → ←
? Select Terraform version:
1.3.9
    1.3.8
    1.3.7
    1.3.6
1.3.5

Once you choose the version you need, you are free to use Terraform! 

14. Terramate

Terramate is an interesting tool that can help you manage large Terraform deployments by breaking the code into “stacks.” These stacks have separate states and allow your code to be deployed with a smaller blast radius. It also has features that work with git to deploy automatically on changes. Where Terramate really shines is its ability to keep your code DRY (Do not Repeat Yourself). It is able to share variables, provider configurations, and other data between stacks and automatically generate any code necessary in pure Terraform.

The tool is fairly complex in all of its features, so it’s probably best to read the release blog to let you dive in.

15. Terragrunt

Terragrunt is a very popular Terraform tool that, like Terramate, helps keep your Terraform code DRY, manages multiple stacks, and more. It makes it easier to work with multiple cloud accounts, modules, and more with features that greatly increase the efficiency of your code. Terraform’s latest versions have honestly caught up with a lot of the features in Terragrunt, but definitely not all.

Here is a sample configuration file.

# Indicate where to source the terraform module from.
# The URL used here is a shorthand for
# "tfr://registry.terraform.io/terraform-aws-modules/vpc/aws?version=3.5.0".
# Note the extra `/` after the protocol is required for the shorthand
# notation.
terraform {
  source = "tfr:///terraform-aws-modules/vpc/aws?version=3.5.0"
}

# Indicate what region to deploy the resources into
generate "provider" {
  path = "provider.tf"
  if_exists = "overwrite_terragrunt"
  contents = <<EOF
provider "aws" {
  region = "us-east-1"
}
EOF
}

# Indicate the input values to use for the variables of the module.
inputs = {
  name = "my-vpc"
  cidr = "10.0.0.0/16"

  azs             = ["us-east-1a", "us-east-1b", "us-east-1c"]
  private_subnets = ["10.0.1.0/24", "10.0.2.0/24", "10.0.3.0/24"]
  public_subnets  = ["10.0.101.0/24", "10.0.102.0/24", "10.0.103.0/24"]

  enable_nat_gateway = true
  enable_vpn_gateway = false

  tags = {
    Terraform = "true"
    Environment = "dev"
  }
}

As you can see in the comments, it makes it very easy to generate provider blocks for all modules and inject variables where they’re needed without having to pass them manually all over the place. It’s definitely an interesting project and something worth checking out if you start to juggle a lot of modules.

Check out our Terragrunt vs. Terraform comparison to learn more.

CI/CD Tools

16. Atlantis

Atlantis is a great open-source project for Terraform pull-request automation. While that sounds a little niche, it’s actually incredibly important to nail down your GitOps workflow. When dealing with multiple developers, committing code, creating a pull request, and having a platform inspect that pull request and deploy your code is critical to maintaining deployment velocity. 

Within Atlantis, you can also integrate other tools listed in this article to further enrich your pipeline and add functionality and guardrails to ensure reliable deployments. Atlantis is fairly opinionated about its pull request workflows, but if the workflow fits your GitOps strategy, it’s an excellent open-source option if you use Terraform for your IaC. 

Check out a great comparison of Spacelift and Atlantis.

17. Terraform Cloud

Terraform Cloud is part of the Hashicorp Cloud Platform (HCP) that, like Atlantis, manages Terraform deployments triggered by commits to your VCS.

Terraform Cloud has excellent state management features, and the deployment pipeline can be customized with most of the tools featured in this article. Unfortunately, the ability to integrate external applications currently requires a paid plan. Policy as code with Hashicorp’s proprietary Sentinel engine or with OPA is also possible but requires a paid plan as well. 

Terraform Cloud manages your variables, secrets, resources, and more in its offering. It also allows you to script itself in Terraform, so everything can be automated. While it only supports Terraform, it does so very well. The free version is decent for a small team, but pricing escalates once you scale.

18. Spacelift

Spacelift shares a lot of features with Atlantis, Terraform Cloud, and other “Terraform Automation and Collaboration Software” (TACOS), but keeps developers, policies, and simplicity in mind from the moment you sign in. You can sign into Spacelift using SSO from your VCS provider and get going right away. Spacelift support Terraform as well as Cloudformation, Ansible, Pulumi, and Kubernetes, which sets it apart from other CI/CD tools mentioned in this list. 

Spacelift is built with policies in mind and allows OPA policies to be written that can manage nearly every aspect of the platform. From login, stack access, planning, deployment, and more. You can also integrate any of the tools mentioned in the other sections of this article, such as Infracost and Terrascan, to check your code before deployment (see more examples: Integrating Security Tools With Spacelift). Writing policies based on the findings of these tools is also a really great feature that allows you to manage every aspect of your IaC strategy. 

Spacelift also manages state, secrets, cloud credentials, and more through an intuitive user interface or by scripting everything in Terraform. If you have multiple stacks that need to be run, you can chain those together using stack dependencies. This is helpful if you need to run an Ansible playbook on newly created resources. 

Spacelift has a generous free tier for a single user that covers most of the features. Like Terraform Cloud, you’ll need to upgrade to get more advanced features, such as private workers, stack scheduling, and an incredibly useful Drift Detection feature.

Key Points

That’s a quick run-through of several popular Terraform tools you’ll find in the wild today. New tools come out daily, and the popularity of these tools ebbs and flows frequently. Luckily, most of these tools work in very similar ways and make it very easy to move between them.

Make sure you check them out and especially give Spacelift a go for a fully-featured free trial!

Note: New versions of Terraform will be placed under the BUSL license, but everything created before version 1.5.x stays open-source. OpenTofu is an open-source version of Terraform that will expand on Terraform’s existing concepts and offerings. It is a viable alternative to HashiCorp’s Terraform, being forked from Terraform version 1.5.6. OpenTofu retained all the features and functionalities that had made Terraform popular among developers while also introducing improvements and enhancements. OpenTofu is the future of the Terraform ecosystem, and having a truly open-source project to support all your IaC needs is the main priority.

Manage Terraform Better and Faster

If you are struggling with Terraform automation and management, check out Spacelift. It helps you manage Terraform state, build more complex workflows, and adds several must-have capabilities for end-to-end infrastructure management.

Start free trial
Terraform CLI Commands Cheatsheet

Initialize/ plan/ apply your IaC, manage modules, state, and more.

Share your data and download the cheatsheet