Hamburger Cross Icon
Waf Protection
+
Terraform Collector

Waf Protection + Terraform Collector

Guardrail Collector Beta Deployment And Infrastructure

Enforce Waf Protection using data collected by Terraform Collector. Automatically check deployment and infrastructure standards on every PR.

Guardrail: Requires WAF protection for internet-facing services. Checks each IaC module for public resources and verifies WAF is configured.
Data Source: Parse Terraform HCL files to extract configuration data. Writes file validity and full parsed HCL JSON for downstream policy analysis of providers, modules, backends, resources, and infrastructure security posture.
Get Started View on GitHub

How Terraform Collector Powers This Guardrail

The Terraform Collector gathers metadata from your security, orchestration systems. This data flows into Lunar's Component JSON, where the Waf Protection guardrail evaluates it against your standards.

When enabled, this check runs automatically on every PR and in AI coding workflows, providing real-time enforcement with actionable feedback.

1
Terraform Collector Gathers Data Collector
Extracts metadata from code, configs, and tool outputs
2
{ } Component JSON
Data centralized in structured format for evaluation
3
Waf Protection Checks Guardrail
Pass/fail result with actionable feedback in PRs

Quick Start Configuration

Add both the collector and policy to your lunar-config.yml to enable this guardrail.

📄 lunar-config.yml 
# Step 1: Enable the Terraform Collector
collectors:
  - uses: github://earthly/lunar-lib/collectors/terraform@v1.0.5
    # with: ...

# Step 2: Enable the IaC Guardrails
policies:
  - uses: github://earthly/lunar-lib/policies/iac@v1.0.5
    include: [waf-protection]
    # with: ...

What Terraform Collector Collects

This collector gathers the following data that the Waf Protection guardrail evaluates.

Collector code

terraform

Parses all Terraform (.tf) files in the repository using hcl2json and collects:

  • File validity and parse errors (.iac.files[])
  • Normalized modules with resources and analysis (.iac.modules[])
  • Full parsed HCL JSON for terraform-specific policy (.iac.native.terraform.files[])
  • Source tool metadata (.iac.source)
Collector ci-before-command

cicd

Records every terraform command executed in CI pipelines along with the Terraform CLI version. Writes command strings and version info to .iac.native.terraform.cicd for audit trails and build reproducibility.

Example Data Flow

Here's an example of the data that Terraform Collector writes to the Component JSON, which Waf Protection then evaluates.

{ } component.json From Terraform Collector 
{
  "iac": {
    "source": {"tool": "hcl2json", "version": "0.6.8"},
    "files": [
      {"path": "deploy/terraform/main.tf", "valid": true},
      {"path": "deploy/terraform/variables.tf", "valid": true}
    ],
    "modules": [
      {
        "path": "deploy/terraform",
        "resources": [
          {"type": "aws_db_instance", "name": "main", "category": "datastore", "has_prevent_destroy": true},
          {"type": "aws_s3_bucket", "name": "logs", "category": "datastore", "has_prevent_destroy": false},
          {"type": "aws_lb", "name": "api", "category": "network", "has_prevent_destroy": false, "internet_facing": true},
          {"type": "aws_instance", "name": "web", "category": "compute", "has_prevent_destroy": false},
          {"type": "aws_wafv2_web_acl", "name": "main", "category": "security"},
          {"type": "aws_wafv2_web_acl_association", "name": "api", "category": "security"}
        ],
        "analysis": {
          "internet_accessible": true,
          "has_waf": true
        }
      }
    ],
    "native": {
      "terraform": {
        "files": [
          {
            "path": "deploy/terraform/main.tf",
            "hcl": {
              "terraform": [{"required_providers": [{"aws": {"source": "hashicorp/aws", "version": "~> 5.0"}}]}],
              "resource": {"aws_db_instance": {"main": [{"engine": "postgres"}]}}
            }
          }
        ],
        "cicd": {
          "cmds": [
            {"cmd": "terraform init", "version": "1.9.8"},
            {"cmd": "terraform plan -out=tfplan", "version": "1.9.8"},
            {"cmd": "terraform apply -auto-approve tfplan", "version": "1.9.8"}
          ],
          "source": {"tool": "terraform", "integration": "ci"}
        }
      }
    }
  }
}

Other Guardrails Using Terraform Collector

Other guardrails in IaC Guardrails that use data from Terraform Collector.

Guardrail + Terraform
Valid

Validates that all IaC configuration files are syntactically correct. Invalid configurations will...
Guardrail + Terraform
Datastore Destroy Protection

Ensures stateful resources (databases, storage buckets, caches) have lifecycle { prevent_destroy =...
Guardrail + Terraform
Resource Destroy Protection

Ensures stateless infrastructure resources (EC2 instances, load balancers, networking) have...

Learn More

Guardrail · IaC Guardrails Waf Protection View all compatible integrations
Collector Terraform Collector View full documentation

Ready to Automate Your Standards?

See how Lunar can turn your AGENTS.md, engineering wiki, compliance docs, or postmortem action items into automated guardrails with our 100+ built-in guardrails.

Works with any process
check AI agent rules & prompt files
check Post-mortem action items
check Security & compliance policies
check Testing & quality requirements
Automate Now
Paste your AGENTS.md or manual process doc and get guardrails in minutes
Book a Demo