> For the complete CircleCI developer hub index, see [llms.txt](https://circleci.com/developer/llms.txt)

# indeni/cloudrail

Scan your Terraform code for security vulnerabilities before applying. With Cloudrail, you catch security mistakes before they ever make it to your cloud environment.


## Jobs

### scan_terraform

A job that runs a Cloudrail scan against a Terraform plan file produced in a previous job and handed over through a workspace.


| Parameter | Type | Default | Description |
|---|---|---|---|
| `cloud-account-id` | string |  | The ID of the cloud account to run Cloudrail against. This is generally the same account the Terraform plan was created for. |
| `cloudrail_api_key` | env_var_name |  | The name of the environment variable containing the Cloudrail API key. The value passed here is the variable name, not the key, so the key itself stays in project settings or a context rather than in the config file. |
| `execution-source-identifier` | string | `$CIRCLE_PROJECT_REPONAME - $CIRCLE_BRANCH - $CIRCLE_BUILD_NUM` | An identifier passed to the Cloudrail service to help identify this execution in the web user interface. |
| `junit-output` | boolean | true | When true, the job saves a JUnit-formatted result file. Any rule set to MANDATE that fails produces a failed test, viewable in the CircleCI Tests tab. |
| `plan_output_file` | string |  | The plan file created with `terraform plan -out=filename`. |
| `tf_directory` | string |  | The directory containing the Terraform code. It must have a `.terraform` directory directly inside it, i.e. `terraform init` was run there. |
| `working_directory` | string | ~/project | The directory within the checked-out code where `terraform init` was run. |
| `workspace` | string | . | Where to attach the workspace used to pass the Terraform plan (and any required files) from a previous job into this one. |
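The parameter contract above, as an added preflight check that is not part of the orb: a shell function a `run` step can execute before `scan_terraform` to confirm that `tf_directory` contains `.terraform`, that the plan file from `terraform plan -out` exists, and that the variable named by `cloudrail_api_key` is set. It resolves the key by name, the way an `env_var_name` parameter is resolved, validates the name before doing so, and never prints the key. The function name, the guarded usage at the bottom and the `CLOUDRAIL_API_KEY` variable name are assumptions.

```shell
#!/bin/sh
# Added example, not the indeni/cloudrail orb's own code. Checks the inputs
# scan_terraform expects so a misconfigured workspace fails fast and clearly.
# Assumes tf_directory and the plan file are on the local filesystem (e.g. an
# attached workspace) and the API key is supplied by variable *name*.

# cloudrail_preflight TF_DIRECTORY PLAN_OUTPUT_FILE CLOUDRAIL_API_KEY_VAR_NAME
# Prints one line per failed check; returns 0 only if every check passes.
cloudrail_preflight() {
  tf_directory=$1
  plan_output_file=$2
  api_key_var=$3
  rc=0

  # tf_directory must exist and hold a .terraform directory (terraform init ran there)
  if [ ! -d "$tf_directory" ]; then
    echo "tf_directory does not exist: $tf_directory"
    rc=1
  elif [ ! -d "$tf_directory/.terraform" ]; then
    echo "no .terraform directory directly inside $tf_directory (run terraform init there)"
    rc=1
  fi

  # the plan written by 'terraform plan -out=...' must be present and non-empty
  if [ ! -s "$plan_output_file" ]; then
    echo "plan file missing or empty: $plan_output_file"
    rc=1
  fi

  # The orb receives the NAME of the variable holding the key. Only accept a
  # well-formed identifier before expanding it indirectly, and never echo the
  # resolved value so it cannot leak into the build log.
  case $api_key_var in
    ''|[0-9]*|*[!A-Za-z0-9_]*)
      echo "cloudrail_api_key is not a valid environment variable name: $api_key_var"
      rc=1 ;;
    *)
      eval "api_key=\${$api_key_var:-}"
      if [ -z "$api_key" ]; then
        echo "environment variable $api_key_var is unset or empty"
        rc=1
      fi
      unset api_key ;;
  esac

  return $rc
}

# Assumed invocation from a CircleCI run step placed before the scan job:
#   cloudrail_preflight /tmp/workspace /tmp/workspace/terraform.plan CLOUDRAIL_API_KEY
if [ "$#" -eq 3 ]; then
  cloudrail_preflight "$1" "$2" "$3"
fi
```

Run it as a `run` step in the job that attaches the workspace; a non-zero exit stops the job before the scan starts, and the only thing written to the log is the name of the missing input.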

## Executors

### default

## Examples

### junit-example

An example where Cloudrail is used to produce a JUnit-formatted output file.


```yaml
version: '2.1'
orbs:
  cloudrail: indeni/cloudrail@2.0.0
jobs:
  some_job_that_creates_a_tf_plan:
    docker:
      # pin a specific Terraform release instead of "latest" for reproducible plans
      - image: hashicorp/terraform:latest
    steps:
      - checkout
      - run: terraform init
      # planning needs the cloud provider credentials in the job environment
      - run: terraform plan -out terraform.plan
      # hand the code, the .terraform directory and the plan to the scan job
      - persist_to_workspace:
          root: .
          paths:
            - ./
workflows:
  use_cloudrail:
    jobs:
      - some_job_that_creates_a_tf_plan
      - cloudrail/scan_terraform:
          cloud-account-id: '123456789012'
          # the name of the variable holding the API key, not the key itself
          cloudrail_api_key: CLOUDRAIL_API_KEY
          junit-output: true
          plan_output_file: location_of_tf_plan_file_created_in_previous_job
          pre-steps:
            - some_step_that_loads_tf_directory_and_plan
          requires:
            - some_job_that_creates_a_tf_plan
          tf_directory: directory_where_tf_files_are
```

### simple-example

Simple example where Terraform and Cloudrail are used.


```yaml
version: '2.1'
orbs:
  cloudrail: indeni/cloudrail@2.0.0
jobs:
  some_job_that_creates_a_tf_plan:
    docker:
      # pin a specific Terraform release instead of "latest" for reproducible plans
      - image: hashicorp/terraform:latest
    steps:
      - checkout
      - run: terraform init
      # planning needs the cloud provider credentials in the job environment
      - run: terraform plan -out terraform.plan
      # hand the code, the .terraform directory and the plan to the scan job
      - persist_to_workspace:
          root: .
          paths:
            - ./
workflows:
  use_cloudrail:
    jobs:
      - some_job_that_creates_a_tf_plan
      - cloudrail/scan_terraform:
          cloud-account-id: '123456789012'
          # the name of the variable holding the API key, not the key itself
          cloudrail_api_key: CLOUDRAIL_API_KEY
          plan_output_file: /tmp/workspace/terraform.plan
          pre-steps:
            # the workspace lands at /tmp/workspace, so tf_directory and the
            # plan path below must both point inside it
            - attach_workspace:
                at: /tmp/workspace
          requires:
            - some_job_that_creates_a_tf_plan
          tf_directory: /tmp/workspace/
```