Terraform · cloud · ~30 mins

Terraform security scanning tools - Mini Project: Build & Apply

Terraform Security Scanning Tools Setup
📖 Scenario: You are working as a cloud engineer responsible for ensuring your Terraform infrastructure code is secure before deployment. You want to integrate a security scanning tool to automatically check your Terraform files for common security issues.
🎯 Goal: Build a Terraform configuration that wires a security scan into your workflow: a null_resource with a local-exec provisioner runs terraform-compliance against a saved plan file (plan.out) and the BDD feature files under features/. Keep in mind that a provisioner runs during terraform apply, not before it: a failing scan exits non-zero and aborts the apply, but only resources that depend on the scan resource are held back.
📋 What You'll Learn
Create a Terraform resource block for a null_resource named security_scan.
Add a local-exec provisioner inside the resource to run the command terraform-compliance -p plan.out -f features/.
Define a variable scan_command with the exact command string to run the security scan.
Add a depends_on attribute to the resource so that it depends on the terraform_plan resource.
💡 Why This Matters
🌍 Real World
Security scanning tools help catch misconfigurations and vulnerabilities in Terraform code before deployment, reducing risks in cloud infrastructure.
💼 Career
Cloud engineers and DevOps professionals use Terraform security scanning tools to ensure infrastructure as code is safe and compliant with best practices.
Step 1: Create a null_resource for security scanning
Create a Terraform resource block named security_scan of type null_resource.
Hint: Use resource "null_resource" "security_scan" { } to start.

Step 2: Define a variable for the scan command
Add a Terraform variable named scan_command with the default value "terraform-compliance -p plan.out -f features/".
Hint: Use variable "scan_command" { default = "terraform-compliance -p plan.out -f features/" }.

Step 3: Add a local-exec provisioner to run the scan command
Inside the security_scan resource, add a provisioner "local-exec" block that runs the command stored in the variable scan_command. A non-zero exit from terraform-compliance fails the provisioner and therefore the apply. Provisioners run only when the resource is created, so add a triggers map if the scan should run again on later applies.
Hint: Use provisioner "local-exec" { command = var.scan_command } inside the resource.

Step 4: Add depends_on to ensure the scan runs after the plan
Add a depends_on attribute to the security_scan resource so that it depends on a resource named terraform_plan (defined elsewhere in your configuration; this project does not define it).
Hint: depends_on takes a list of resource addresses in type.name form, not quoted strings, so write depends_on = [null_resource.terraform_plan] if terraform_plan is itself a null_resource. The bare string "terraform_plan" is not a valid address in Terraform 0.12 and later.
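The four steps above assembled into one working configuration. This is an added example, not code from the original page: it assumes a terraform_plan resource modelled as a null_resource that checks for a plan.out produced beforehand, adds a validation block on scan_command (since local-exec passes the string to a shell, whoever can set the variable can run arbitrary commands on the apply host), and adds a placeholder deploy resource to show how a downstream resource is gated behind the scan.

```hcl
terraform {
  required_version = ">= 1.0"
  required_providers {
    null = {
      source  = "hashicorp/null"
      version = ">= 3.0"
    }
  }
}

# Step 2: the scan command lives in a variable. local-exec hands this string
# to a shell, so anyone who can set the variable (a .tfvars file,
# TF_VAR_scan_command in the environment, a CI variable) gets command
# execution on the machine running apply. The validation block is an
# addition here, not one of the original steps; it refuses anything that is
# not a terraform-compliance invocation.
variable "scan_command" {
  description = "Command that runs the terraform-compliance security scan"
  type        = string
  default     = "terraform-compliance -p plan.out -f features/"

  validation {
    condition     = can(regex("^terraform-compliance( |$)", var.scan_command))
    error_message = "scan_command must invoke terraform-compliance."
  }
}

# The page names a terraform_plan resource but never defines it. Assumed here:
# a null_resource that checks that plan.out, produced beforehand with
# `terraform plan -out=plan.out`, is present for the scan to read.
resource "null_resource" "terraform_plan" {
  triggers = {
    run_id = timestamp() # changes on every apply, so the check re-runs each time
  }

  provisioner "local-exec" {
    command = "test -f plan.out || { echo 'plan.out not found; run: terraform plan -out=plan.out' >&2; exit 1; }"
  }
}

# Steps 1, 3 and 4: the scan resource itself.
resource "null_resource" "security_scan" {
  triggers = {
    run_id = timestamp() # provisioners run only on creation; this forces a fresh scan per apply
  }

  # Step 4: depends_on takes resource addresses (type.name), not the bare
  # string "terraform_plan".
  depends_on = [null_resource.terraform_plan]

  # Step 3: terraform-compliance exits non-zero when a feature fails, which
  # fails the provisioner and therefore the apply.
  provisioner "local-exec" {
    command = var.scan_command
  }
}

# Terraform creates unrelated resources in parallel, so a failing scan only
# holds back resources that depend on it. Anything that must not exist unless
# the scan passed needs an explicit depends_on, as in this placeholder (an
# assumption of this example, not one of the original steps).
resource "null_resource" "deploy" {
  depends_on = [null_resource.security_scan]

  provisioner "local-exec" {
    command = "echo 'security scan passed; proceeding with deployment'"
  }
}
```

To run it: terraform-compliance must be on the PATH of the apply host (pip install terraform-compliance) and a features/ directory with at least one .feature file must exist; then terraform init, terraform plan -out=plan.out, and terraform apply. In a CI pipeline the same terraform-compliance command is normally run directly on plan.out as a gate before apply is ever invoked; the configuration here is the in-apply variant the project asks for, and the explicit depends_on chain is what makes a failing scan actually block the resources behind it.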