move exceptions info around in readme
aerickson committed Jul 30, 2024
1 parent 1a3374d commit 48a07c2
Showing 1 changed file with 21 additions and 6 deletions.
27 changes: 21 additions & 6 deletions README.md
Expand Up @@ -2,11 +2,9 @@

## Overview

`tfas` performs static analysis on Terraform files to detect the presence of authoritative resources (currently only GCP Terraform resources, but pull requests welcome). It scans a specified directory (and optionally hidden directories to inspect 3rd party modules) for Terraform configuration files (.tf) and identifies lines containing these authoritative resources.
`tfas` performs static analysis on Terraform files to detect the presence of authoritative resources (currently only GCP Terraform resources, but pull requests welcome). It scans a specified directory (and optionally hidden directories to inspect modules) for Terraform configuration files (.tf) and identifies lines containing these authoritative resources.

If such resources are found, it reports their file paths and line numbers, and exits with a non-zero status unless the lines are marked with an exception comment (`# terraform_authoritative_scanner_ok` inline or on the line before).

## Background and Comments
### Background and Comments

Authoritative Terraform resources are extremely dangerous because:
- they can and will remove non-Terraform managed resources
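Review bot: the unchanged Overview sentence "If such resources are found, it reports their file paths and line numbers, and exits with a non-zero status unless the lines are marked with an exception comment (`# terraform_authoritative_scanner_ok` inline or on the line before)" now duplicates the exception-comment description this commit adds under Usage; since the point of the commit is to move the exceptions info, shorten the parenthetical to a pointer such as "unless the line is marked with an exception comment (see Authoritative Resource Exceptions below)" so the two descriptions cannot drift apart. Also, dropping "3rd party" from "optionally hidden directories to inspect modules" loses the reason hidden directories are worth scanning at all (remote modules are downloaded into `.terraform/modules`); "to inspect downloaded modules" would keep that motivation without the awkward "3rd party".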
Expand All @@ -16,9 +14,26 @@ Authoritative Terraform resources should be used when setting up new infrastruct

If you're working with existing infrastructure they should only be used once all infrastructure is being managed by Terraform.



## Usage

### Pre-Commit
### Authoritative Resource Exceptions

If you want to allow a specific usage of an authorized resource, add a comment line with `terraform_authoritative_scanner_ok` before the line or inline and `tfas` won't alert on it.

```bash
# terraform_authoritative_scanner_ok
resource "google_project_iam_binding" "binding" {
...
}

resource "google_project_iam_binding" "binding2" { # terraform_authoritative_scanner_ok
...
}
```

### Running via Pre-Commit

Add the following to your `.pre-commit-config.yaml` file.

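Review bot: "a specific usage of an authorized resource" should read "authoritative resource", the term used everywhere else in the README, and the example is fenced as ```bash but contains Terraform HCL, so it should be tagged ```hcl (or ```terraform) so it highlights correctly. It would also help to say explicitly that the marker must be inline on, or on the line immediately before, the `resource "google_project_iam_binding" ...` line that the scanner flags, since the Overview says findings are per line: a `# terraform_authoritative_scanner_ok` comment elsewhere inside the block would presumably not suppress the finding. Given the Background section's warning that these resources remove non-Terraform-managed resources, consider asking users to record the justification next to the marker as well, e.g. `# terraform_authoritative_scanner_ok - every binding on this project is Terraform-managed`, so an exception can be reviewed later.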
Expand All @@ -31,7 +46,7 @@ Add the following to your `.pre-commit-config.yaml` file.

Stage the file then run `pre-commit autoupdate` to grab the latest release.

### Interactively
### Running Interactively

#### Normal Usage

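Review bot: "Stage the file then run `pre-commit autoupdate` to grab the latest release." needs a comma after "file", and `pre-commit autoupdate` with no arguments bumps the `rev:` of every repository listed in `.pre-commit-config.yaml`, not just this hook; if that side effect is not intended, suggest `pre-commit autoupdate --repo <URL of this repository>` instead. The rename from "Interactively" to "Running Interactively" reads well next to "Running via Pre-Commit".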
