gcloud beta terraform vet is a replacement for the open-source
terraform-validator
project, with a few minor differences. If you are migrating your CI/CD pipeline
to use gcloud beta terraform vet, you will need to make the following changes.
1. Update the command and args
- Replace
terraform-validator validatewithgcloud beta terraform vet - Replace
--policy-pathwith--policy-library
Basic example:
# Old
terraform-validator validate ./tfplan.json --policy-path=/path/to/policy-library
# New
gcloud beta terraform vet ./tfplan.json --policy-library=/path/to/policy-library
With service account impersonation:
# Old
GOOGLE_IMPERSONATE_SERVICE_ACCOUNT=account@project.iam.gserviceaccount.com
terraform-validator validate ./tfplan.json --policy-path=/path/to/policy-library
# New
gcloud beta terraform vet ./tfplan.json --policy-library=/path/to/policy-library \
--impersonate-service-account=account@project.iam.gserviceaccount.com
2. (Optional) Upgrade constraint templates
terraform-validator documentation historically gave instructions on how to
write v1alpha1 Constraint Framework policies; there is a newer format that we
recommend for
writing new policies.
You can also
upgrade existing policies to use the new format
For policies sourced from github.com/GoogleCloudPlatform/policy-library, we recommend staying in sync with the remote repository.