gcloud beta terraform vet is a replacement for the open-source terraform-validator project, with a few minor differences. If you are migrating your CI/CD pipeline to use gcloud beta terraform vet, you will need to make the following changes.
1. Update the command and args
- Replace terraform-validator validate with gcloud beta terraform vet
- Replace --policy-path with --policy-library
Basic example:
    # Old
    terraform-validator validate ./tfplan.json --policy-path=/path/to/policy-library

    # New
    gcloud beta terraform vet ./tfplan.json --policy-library=/path/to/policy-library
With service account impersonation:
    # Old
    GOOGLE_IMPERSONATE_SERVICE_ACCOUNT=account@project.iam.gserviceaccount.com terraform-validator validate ./tfplan.json --policy-path=/path/to/policy-library

    # New
    gcloud beta terraform vet ./tfplan.json --policy-library=/path/to/policy-library \
      --impersonate-service-account=account@project.iam.gserviceaccount.com
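As an added example (not part of the original page and not shipped with gcloud), the shell helper below applies both replacements from step 1 to a CI script and moves an inline GOOGLE_IMPERSONATE_SERVICE_ACCOUNT assignment to --impersonate-service-account, so impersonation is not silently dropped during the migration. The function names and the sample script are constructed for illustration, and the helper assumes each invocation sits on a single line.

```shell
#!/bin/sh
# Added example: the names below are hypothetical helpers, not part of gcloud.

# Rewrite one single-line terraform-validator invocation to the new form.
migrate_tfv_line() {
    line=$1
    case $line in
        *"terraform-validator validate"*) ;;
        *) printf '%s\n' "$line"; return 0 ;;   # not an invocation: unchanged
    esac
    # Capture the account from an inline GOOGLE_IMPERSONATE_SERVICE_ACCOUNT=... prefix.
    sa=$(printf '%s\n' "$line" | sed -n -E \
        's/.*GOOGLE_IMPERSONATE_SERVICE_ACCOUNT=([^[:space:]]+)[[:space:]].*/\1/p')
    # Drop that prefix, then rename the command and the policy flag.
    line=$(printf '%s\n' "$line" | sed -E \
        -e 's/GOOGLE_IMPERSONATE_SERVICE_ACCOUNT=[^[:space:]]+[[:space:]]+//' \
        -e 's/terraform-validator validate/gcloud beta terraform vet/' \
        -e 's/--policy-path([[:space:]=])/--policy-library\1/')
    # Impersonation must survive the migration: re-express it as a flag.
    if [ -n "$sa" ]; then
        line="$line --impersonate-service-account=$sa"
    fi
    printf '%s\n' "$line"
}

# Rewrite a whole script from stdin to stdout.
migrate_tfv_stream() {
    while IFS= read -r l || [ -n "$l" ]; do
        migrate_tfv_line "$l"
    done
}

# Print numbered lines that still use the old names and need manual review.
tfv_leftovers() {
    grep -n -E 'terraform-validator|GOOGLE_IMPERSONATE_SERVICE_ACCOUNT|--policy-path' || true
}

# Constructed sample CI script, for illustration only.
sample_ci_script() {
    cat <<'EOF'
terraform show -json ./tfplan > ./tfplan.json
GOOGLE_IMPERSONATE_SERVICE_ACCOUNT=account@project.iam.gserviceaccount.com terraform-validator validate ./tfplan.json --policy-path=/path/to/policy-library
EOF
}

sample_ci_script | migrate_tfv_stream
```

Pipe the rewritten script through tfv_leftovers before committing; any line it prints (for example an exported environment variable on its own line) still needs a manual change.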
2. (Optional) Upgrade constraint templates
terraform-validator documentation historically gave instructions on how to write v1alpha1 Constraint Framework policies; there is a newer format that we recommend for writing new policies. You can also upgrade existing policies to use the new format.
For policies sourced from github.com/GoogleCloudPlatform/policy-library, we recommend staying in sync with the remote repository.