By itself, Terraform is an incredibly formidable Infrastructure-as-Code tool, but as you begin to add complexity to your infrastructure, you may find that it occasionally needs a helping hand. Let’s look at some of the most popular tools used in Terraform-managed deployments today.
We will cover:
1. Spacelift
Spacelift shares a lot of features with Atlantis, Terraform Cloud, and other “Terraform Automation and Collaboration Software” (TACOS), but keeps developers, policies, and simplicity in mind from the moment you sign in. You can sign into Spacelift using SSO from your VCS provider and get going right away. Spacelift support Terraform as well as Cloudformation, Ansible, Pulumi, and Kubernetes, which sets it apart from other CI/CD tools mentioned in this list.
Spacelift is built with policies in mind and allows OPA policies to be written that can manage nearly every aspect of the platform. From login, stack access, planning, deployment, and more. You can also integrate any of the tools mentioned in the other sections of this article, such as Infracost and Terrascan, to check your code before deployment (see more examples: Integrating Security Tools With Spacelift). Writing policies based on the findings of these tools is also a really great feature that allows you to manage every aspect of your IaC strategy.
Spacelift also manages state, secrets, cloud credentials, and more through an intuitive user interface or by scripting everything in Terraform. If you have multiple stacks that need to be run, you can chain those together using stack dependencies. This is helpful if you need to run an Ansible playbook on newly created resources.
Spacelift has a generous free tier for a single user that covers most of the features. Like Terraform Cloud, you’ll need to upgrade to get more advanced features, such as private workers, stack scheduling, and an incredibly useful Drift Detection feature.
2. Atlantis
Atlantis is a great open-source project for Terraform pull-request automation. While that sounds a little niche, it’s actually incredibly important to nail down your GitOps workflow. When dealing with multiple developers, committing code, creating a pull request, and having a platform inspect that pull request and deploy your code is critical to maintaining deployment velocity.
Within Atlantis, you can also integrate other tools listed in this article to further enrich your pipeline and add functionality and guardrails to ensure reliable deployments. Atlantis is fairly opinionated about its pull request workflows, but if the workflow fits your GitOps strategy, it’s an excellent open-source option if you use Terraform for your IaC.
Check out a great comparison of Spacelift and Atlantis.
3. Terraform Cloud
Terraform Cloud is part of the Hashicorp Cloud Platform (HCP) that, like Atlantis, manages Terraform deployments triggered by commits to your VCS.
Terraform Cloud has excellent state management features, and the deployment pipeline can be customized with most of the tools featured in this article. Unfortunately, the ability to integrate external applications currently requires a paid plan. Policy as code with Hashicorp’s proprietary Sentinel engine or with OPA is also possible but requires a paid plan as well.
Terraform Cloud manages your variables, secrets, resources, and more in its offering. It also allows you to script itself in Terraform, so everything can be automated. While it only supports Terraform, it does so very well. The free version is decent for a small team, but pricing escalates once you scale.
4. Terraform Console
The Terraform Console is probably one of the most overlooked tools in the arsenal. This is surprising because it’s native to Terraform and is packaged within the binary!
The terraform console command provides an interactive console that can be used to test and evaluate any Terraform expressions you may wish to use in your code. Instead of endlessly experimenting, writing awkward outputs, and banging your head against the desk, the Terraform Console allows you to test out complicated expressions before you run your code.
Let’s take a quick look at an example:
$ terraform console
Terraform console version 0.15.1
> 10 + 20
30
> "hello, world"
"hello, world"
> length("hello, world")
12
> substr("hello, world", 0, 5)
"hello"
> exit
As you can see above, it’s useful for experimenting with expressions before you add them to your code. You can also evaluate variables and manipulate anything else in the state that you need.
One thing to note is that the configuration must be able to pass a plan before the terraform console command will work, so make sure you comment out any issues you’re trying to solve before you enter the console to troubleshoot.
5. Visual Studio Code
VS Code has just absolutely eclipsed other IDEs in the development world. There are certainly some great IDEs out there, but the integrations and plugins in VS Code are unparalleled.
VS Code has two very popular Terraform extensions:
One is the official HashiCorp Terraform extension. It has more installations but also some pretty iffy reviews. It has seemed pretty stable whenever I’ve used it, but I typically default to the Terraform extension by Anton Kulikov. It has been solid and works very well. Your organization may have some policies around which extensions should be installed, so you should be good with either if they’re allowed.
6. PyCharm
PyCharm is an IDE developed by JetBrains and it is mostly used for Python developers.
It has many free plugins available, and some Terraform plugins offer code auto-completion, syntax highlighting and even error detection.
In addition to this, PyCharm offers an integrated terminal and version control support, streamlining the entire workflow from writing infrastructure as code, making the tool exceptionally beneficial for developers working on infrastructure projects. Unfortunately, all JetBrains tools incur some costs, but these won’t break the bank.
7. TFLint
Tflint is an incredibly handy Terraform framework that lets you lint your Terraform code based on a prewritten ruleset or your own custom rules. These rules are added using “plugins.”
Some of the most common issues you may want to uncover using TFLint, as cited from Github, are:
- Find possible errors, such as invalid instance types, for the major cloud providers, including AWS, GCP, and Azure.
- Warn about deprecated syntax and unused declarations.
- Enforce best practices and naming conventions.
An example is below.
# example.tf
provider "aws" {
version = "2.70.0"
region = "us-west-2"
}
resource "aws_instance" "example" {
ami = "ami-0c55b159cbfafe1f0"
instance_type = "t2.micro"
}$ tflint
example.tf
on main.tf line 4:
4: version = "2.70.0"
| ^ Error: AWS provider version should be specified in the required format: X.Y.Z (e.g. 2.1.0)
Summary:
Count: 1
Invalid: 1
Warnings: 0
Errors: 18. Open Policy Agent
Open Policy Agent isn’t specifically a Terraform framework or tool, but it can be used directly with Terraform. OPA, as it is commonly called, is written in the Rego language, which is inspired by the old Datalog language. It is also used by several tools as their policy language when analyzing Terraform code.
Tools such as Terrascan, Spacelift, Terraform Cloud, and more all support it and use it to varying extents. Spacelift, for instance, uses it for every aspect of the experience. From the time a user logs in to Spacelift to the point where they’re launching stacks, OPA Policies are there, ensuring everything goes according to plan.
Here is an example of a policy that prevents Terraform from deploying AWS IAM access keys:
package spacelift
# Note that the message here is dynamic and captures resource address to provide
# appropriate context to anyone affected by this policy. For the sake of your
# sanity and that of your colleagues, please a
#
# You can read more about plan policies here:
# https://docs.spacelift.io/concepts/policy/terraform-plan-policy
deny[sprintf(message, [resource.address])] {
message := "Static AWS credentials are evil (%s)"
resource := input.terraform.resource_changes[_]
resource.change.actions[_] == "create"
# This is what decides whether the rule captures a resource.
# There may be an arbitrary number of conditions, and they all must
# succeed for the rule to take effect.
resource.type == "aws_iam_access_key"
}
# Learn more about sampling policy evaluations here:
# https://docs.spacelift.io/concepts/policy#sampling-policy-inputs
sample = true9. Terrascan
Although the name “Terrascan” leads one to believe that it’s Terraform-specific, it actually works for many IaC providers. Terraform, Kubernetes, Ansible, Cloudformation, and more are supported by Terrascan thanks to its large set of pre-written policies. Of course, you can write your own policies as well for custom use cases.
Terrascan integrates with several CI/CD tools and is extremely flexible when designing your pipelines.
Here is a basic Terrascan usage example:
$ terrascan scan -t aws
results:
violations:
- rule_name: scanOnPushDisabled
description: Unscanned images may contain vulnerabilities
rule_id: AWS.ECR.DataSecurity.High.0578
severity: MEDIUM
category: Data Security
resource_name: scanOnPushDisabled
resource_type: aws_ecr_repository
file: ecr.tf
line: 1
count:
low: 0
medium: 1
high: 0
total: 110. Checkov
Checkov is very similar to Terrascan, but it uses a Python policy-as-code framework instead of the Rego syntax found in OPA. Many engineers may find this more approachable as Python is one of the most popular programming languages today.
Check an example of using Checkov in IaC scanning for vulnerabilities.
Although Python is more approachable for many, the syntax is still a little wordy and can get a little complex, as shown from the official docs below:
from lark import Token
from checkov.terraform.checks.resource.base_resource_check import BaseResourceCheck
from checkov.common.models.enums import CheckResult, CheckCategories
class S3PCIPrivateACL(BaseResourceCheck):
def __init__(self):
name = "Ensure PCI Scope buckets has private ACL (enable public ACL for non-pci buckets)"
id = "CKV_AWS_999"
supported_resources = ['aws_s3_bucket']
# CheckCategories are defined in models/enums.py
categories = [CheckCategories.BACKUP_AND_RECOVERY]
guideline = "Follow the link to get more info https://docs.bridgecrew.io/docs"
super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources, guideline=guideline)
def scan_resource_conf(self, conf):
"""
Looks for ACL configuration at aws_s3_bucket and Tag values:
https://www.terraform.io/docs/providers/aws/r/s3_bucket.html
:param conf: aws_s3_bucket configuration
:return: <CheckResult>
"""
if 'tags' in conf.keys():
environment_tag = Token("IDENTIFIER", "Scope")
if environment_tag in conf['tags'][0].keys():
if conf['tags'][0][environment_tag] == "PCI":
if 'acl' in conf.keys():
acl_block = conf['acl']
if acl_block in [["public-read"], ["public-read-write"], ["website"]]:
return CheckResult.FAILED
return CheckResult.PASSED
check = S3PCIPrivateACL()The “wordiness” may be completely subjective. Python is an excellent language, and I’m sure people would happily debate Rego vs. Python for hours on end.
Overall, the differences between Terrascan and Checkov come down to the policy language, as most other features are at parity with each other.
11. Tfsec
The tfsec tool is another Rego-based policy tool that is very similar to Terrascan and Checkov. One of the standout features is its multiple policy creation formats. You can use JSON, YAML, or Rego. Rego will be the most flexible and powerful, but JSON and YAML can create most policies you would need with a much more readable format. Read more in our What is tfsec? article.
Here is an example of a check file in YAML:
checks:
- code: CUS001
description: Custom check to ensure the CostCentre tag is applied to EC2 instances
impact: By not having CostCentre we can't keep track of billing
resolution: Add the CostCentre tag
requiredTypes:
- resource
requiredLabels:
- aws_instance
severity: ERROR
matchSpec:
name: tags
action: contains
value: CostCentre
errorMessage: The required CostCentre tag was missing
relatedLinks:
- http://internal.acmecorp.com/standards/aws/tagging.html12. Checkmarx Kics
Checkmarx Keeping Infrastructure as Code Secure (KICS), is responsible for finding vulnerabilities, compliance issues, and infrastructure misconfiguration early in the development cycle. This tool is open-source, and it can be a viable alternative to tfscan/terrascan/checkov.
13. Snyk
Snyk is a security platform that helps software developers find and fix vulnerabilities in their open-source dependencies, container images, code, and also infrastructure as code (IaC), including Terraform.
It has a free tier for individual developers, and it offers a UI in which you can see all the vulnerabilities you have in the repositories you have added as projects inside the application.
14. Driftctl
Driftctl allows you to perform one of the most crucial aspects of IaC management, which is to detect resources that have drifted from your desired state. It is capable of finding managed resources that have drifted as well as unmanaged resources that were created outside of driftctl.
An example output is here:
Found missing resources:
aws_s3_bucket:
- driftctl-bucket-test-2
Found resources not covered by IaC:
aws_s3_bucket:
- driftctl-bucket-test-3
Found changed resources:
- driftctl-bucket-test-1 (aws_s3_bucket):
~ Versioning.0.Enabled: false => true
Found 3 resource(s)
- 33% coverage
- 1 covered by IaC
- 1 not covered by IaC
- 1 missing on cloud provider
- 1/1 changed outside of IaC15. Infracost
Infracost is probably one of the most popular tools used with Terraform in production deployments. It queries the pricing API of the provider and displays a cost based on what you plan to deploy.
The great thing isn’t only that it shows you what it’s going to cost, but you can use a policy tool, such as Open Policy Agent, to write policies that can block a deployment based on the cost. CI/CD tools, such as Spacelift, can easily add tools like this into the deployment pipeline with very minimal configuration. Talk about a CFO’s dream! The community version is completely free but will require some custom tooling to get functionality like the policies mentioned above. If you choose the paid version, all of that is included. There is even a VS Code extension to make things even more streamlined.
Here is an example of the truncated output:
Project: my-terraform-project
Region: us-west-2
+ aws_ebs_volume.my_volume
Type: aws_ebs_volume
Quantity: 1
Monthly cost: $10.50
+ aws_instance.my_instance
Type: aws_instance
Quantity: 1
Monthly cost: $100.00
Total monthly cost: $110.50Read more about InfraCost and how to estimate cloud costs with Terraform.
16. Terraformer
Terraformer is an extremely cool product that scans your cloud environment and outputs the necessary Terraform code to redeploy it. This is definitely not the preferred route to codify your resources as, by now, most startups should have started with Terraform on day one. Unfortunately, many companies started before Terraform was the great tool it is today, so tools like Terraformer are ideal for getting things under new management.
Terraformer is great in a lot of ways, but you’ll want to be extremely careful how you import resources and that you truly understand the infrastructure that it creates and how you structure it. These types of tools rarely create perfect code at best and create an absolute mess of unreadable code at worst. I would strongly recommend reading ALL of the code that’s created and performing a thorough audit to ensure everything is in a readable and scalable structure.
17. Pike
Pike is an interesting tool that will analyze the resources you wish to create using Terraform and generate the necessary IAM permissions you need to complete that deployment.
An example of this is here:
./pike scan -d .\terraform\
{
"Version": "2012-10-17",
"Statement": {
"Effect": "Allow",
"Action": [
"ec2:MonitorInstances",
"ec2:UnmonitorInstances",
"ec2:DescribeInstances",
"ec2:DescribeTags",
"ec2:DescribeInstanceAttribute",
"ec2:DescribeVolumes",
"ec2:DescribeInstanceTypes",
"ec2:RunInstances",
"ec2:DescribeInstanceCreditSpecifications",
"ec2:StopInstances",
"ec2:StartInstances",
"ec2:ModifyInstanceAttribute",
"ec2:TerminateInstances",
"ec2:AuthorizeSecurityGroupIngress",
"ec2:AuthorizeSecurityGroupEgress",
"ec2:CreateSecurityGroup",
"ec2:DescribeSecurityGroups",
"ec2:DescribeAccountAttributes",
"ec2:DescribeNetworkInterfaces",
"ec2:DeleteSecurityGroup",
"ec2:RevokeSecurityGroupEgress"
],
"Resource": "*"
}
}Like any security-related tool, ensure you audit the permissions afterward to ensure compliance.
18. Terracognita
Terracognita is a Terraform code importer, that currently supports AWS, Azure, Google Cloud, and the VMware VSphere providers. It doesn’t support all resource types for all these providers, but it can be a really helpful tool for transitioning from ClickOps to IaC.
The same concerns from Terraformer apply, so you will need to be careful with how you import the resources and be aware that the code it generates won’t respect the best practices.
19. Yor
While Yor is not an HCL generation tool, it adds informative and consistent tags across IaC tools. Yor can automatically add tags to Terraform, CloudFormation, and Serverless Frameworks.
It creates unique tags for your IaC resource code blocks, making it easier to trace code blocks to their respective cloud-provisioned resources without accessing sensitive data such as plan or state files.
20. Terraform Docs
Let’s face it, writing documentation isn’t every developer’s dream job. Luckily, there’s an excellent tool to automatically generate your Terraform docs from configuration files. Terraform-docs is extremely useful and simple to use when creating documentation that shows exactly what your users need to know. It exposes variables you can add to a template file, and it will automatically generate the sections for you in an easy-to-read format.
You can find an example of a repository that uses this here.
An example of the format is below:
content: |-
Any arbitrary text can be placed anywhere in the content
{{ .Header }}
and even in between sections
{{ .Providers }}
and they don't even need to be in the default order
{{ .Outputs }}
include any relative files
{{ include "relative/path/to/file" }}
{{ .Inputs }}
# Examples
```hcl
{{ include "examples/foo/main.tf" }}
```
## Resources
{{ range .Module.Resources }}
- {{ .GetMode }}.{{ .Spec }} ({{ .Position.Filename }}#{{ .Position.Line }})
{{- end }}21. TFSwitch
TFSwitch is a simple utility that helps to manage multiple Terraform versions. You can switch between any available Terraform version. The tool will also download the version you need if required. When working with multiple Terraform code bases, this is absolutely critical to keep pesky syntax errors and other headaches at bay if you’re dealing with code that has deprecated or newer features than your current version.
To use TFSwitch, you just need to install it using the instructions here, and run the tfswitch command to display all of the available versions:
tfswitch
Creating directory for terraform binary at: /home/user/.terraform.versions
Use the arrow keys to navigate: ↓ ↑ → ←
? Select Terraform version:
▸ 1.3.9
1.3.8
1.3.7
1.3.6
↓ 1.3.5Once you choose the version you need, you are free to use Terraform!
22. Terramate
Terramate is an interesting tool that can help you manage large Terraform deployments by breaking the code into “stacks.” These stacks have separate states and allow your code to be deployed with a smaller blast radius. It also has features that work with git to deploy automatically on changes. Where Terramate really shines is its ability to keep your code DRY (Do not Repeat Yourself). It is able to share variables, provider configurations, and other data between stacks and automatically generate any code necessary in pure Terraform.
The tool is fairly complex in all of its features, so it’s probably best to read the release blog to let you dive in.
23. Terragrunt
Terragrunt is a very popular Terraform tool that, like Terramate, helps keep your Terraform code DRY, manages multiple stacks, and more. It makes it easier to work with multiple cloud accounts, modules, and more with features that greatly increase the efficiency of your code. Terraform’s latest versions have honestly caught up with a lot of the features in Terragrunt, but definitely not all.
Here is a sample configuration file.
# Indicate where to source the terraform module from.
# The URL used here is a shorthand for
# "tfr://registry.terraform.io/terraform-aws-modules/vpc/aws?version=3.5.0".
# Note the extra `/` after the protocol is required for the shorthand
# notation.
terraform {
source = "tfr:///terraform-aws-modules/vpc/aws?version=3.5.0"
}
# Indicate what region to deploy the resources into
generate "provider" {
path = "provider.tf"
if_exists = "overwrite_terragrunt"
contents = <<EOF
provider "aws" {
region = "us-east-1"
}
EOF
}
# Indicate the input values to use for the variables of the module.
inputs = {
name = "my-vpc"
cidr = "10.0.0.0/16"
azs = ["us-east-1a", "us-east-1b", "us-east-1c"]
private_subnets = ["10.0.1.0/24", "10.0.2.0/24", "10.0.3.0/24"]
public_subnets = ["10.0.101.0/24", "10.0.102.0/24", "10.0.103.0/24"]
enable_nat_gateway = true
enable_vpn_gateway = false
tags = {
Terraform = "true"
Environment = "dev"
}
}As you can see in the comments, it makes it very easy to generate provider blocks for all modules and inject variables where they’re needed without having to pass them manually all over the place. It’s definitely an interesting project and something worth checking out if you start to juggle a lot of modules.
Check out our Terragrunt vs. Terraform comparison to learn more.
24. Tenv
Tenv is a specialized version manager that helps with managing multiple versions of OpenTofu, Terraform, and Terragrunt. It simplifies development workflows by enabling developers to easily switch between different versions of these tools, ensuring compatibility and efficiency across different project environments. This is very useful, especially if you are working on multiple projects because usually, they won’t be using the same version.
It achieves the same as TFswitch, but it expands on OpenTofu and Terragrunt, too.
That’s a quick run-through of several popular Terraform tools you’ll find in the wild today. New tools come out daily, and the popularity of these tools ebbs and flows frequently. Luckily, most of these tools work in very similar ways and make it very easy to move between them.
Make sure you check them out and especially give Spacelift a go for a fully-featured free trial!
Note: New versions of Terraform will be placed under the BUSL license, but everything created before version 1.5.x stays open-source. OpenTofu is an open-source version of Terraform that will expand on Terraform’s existing concepts and offerings. It is a viable alternative to HashiCorp’s Terraform, being forked from Terraform version 1.5.6. OpenTofu retained all the features and functionalities that had made Terraform popular among developers while also introducing improvements and enhancements. OpenTofu is the future of the Terraform ecosystem, and having a truly open-source project to support all your IaC needs is the main priority.
The Best Terraform Tool
Spacelift is a Terraform tool that helps you manage the complexities and compliance challenges of using Terraform. It supports Git workflows, policy as code, programmatic configuration, context sharing, drift detection, complex multi-IaC workflows, and many more.
Terraform CLI Commands Cheatsheet
Initialize/ plan/ apply your IaC, manage modules, state, and more.
