Hamburger Cross Icon
Aws Security Group No Public Postgres
+
Terraform Collector

Aws Security Group No Public Postgres + Terraform Collector

Guardrail Collector Beta Deployment And Infrastructure

Enforce Aws Security Group No Public Postgres using data collected by Terraform Collector. Automatically check deployment and infrastructure standards on every PR.

Guardrail: Requires that no security group allows unrestricted ingress (0.0.0.0/0 or ::/0) to the PostgreSQL port. Databases must never be reachable directly from the public internet.
Data Source: Parse Terraform HCL files to extract configuration data. Writes file validity and full parsed HCL JSON for downstream policy analysis of providers, modules, backends, resources, and infrastructure security posture.
Get Started View on GitHub

How Terraform Collector Powers This Guardrail

The Terraform Collector gathers metadata from your security, orchestration systems. This data flows into Lunar's Component JSON, where the Aws Security Group No Public Postgres guardrail evaluates it against your standards.

When enabled, this check runs automatically on every PR and in AI coding workflows, providing real-time enforcement with actionable feedback.

1
Terraform Collector Gathers Data Collector
Extracts metadata from code, configs, and tool outputs
2
{ } Component JSON
Data centralized in structured format for evaluation
3
Aws Security Group No Public Postgres Checks Guardrail
Pass/fail result with actionable feedback in PRs

Quick Start Configuration

Add both the collector and policy to your lunar-config.yml to enable this guardrail.

📄 lunar-config.yml 
# Step 1: Enable the Terraform Collector
collectors:
  - uses: github://earthly/lunar-lib/collectors/terraform@v1.0.5
    # with: ...

# Step 2: Enable the Terraform Guardrails
policies:
  - uses: github://earthly/lunar-lib/policies/terraform@v1.0.5
    include: [aws-security-group-no-public-postgres]
    # with: ...

What Terraform Collector Collects

This collector gathers the following data that the Aws Security Group No Public Postgres guardrail evaluates.

Collector code

terraform

Parses all Terraform (.tf) files in the repository using hcl2json and collects:

  • File validity and parse errors (.iac.files[])
  • Normalized modules with resources and analysis (.iac.modules[])
  • Full parsed HCL JSON for terraform-specific policy (.iac.native.terraform.files[])
  • Source tool metadata (.iac.source)
Collector ci-before-command

cicd

Records every terraform command executed in CI pipelines along with the Terraform CLI version. Writes command strings and version info to .iac.native.terraform.cicd for audit trails and build reproducibility.

Example Data Flow

Here's an example of the data that Terraform Collector writes to the Component JSON, which Aws Security Group No Public Postgres then evaluates.

{ } component.json From Terraform Collector 
{
  "iac": {
    "source": {"tool": "hcl2json", "version": "0.6.8"},
    "files": [
      {"path": "deploy/terraform/main.tf", "valid": true},
      {"path": "deploy/terraform/variables.tf", "valid": true}
    ],
    "modules": [
      {
        "path": "deploy/terraform",
        "resources": [
          {"type": "aws_db_instance", "name": "main", "category": "datastore", "has_prevent_destroy": true},
          {"type": "aws_s3_bucket", "name": "logs", "category": "datastore", "has_prevent_destroy": false},
          {"type": "aws_lb", "name": "api", "category": "network", "has_prevent_destroy": false, "internet_facing": true},
          {"type": "aws_instance", "name": "web", "category": "compute", "has_prevent_destroy": false},
          {"type": "aws_wafv2_web_acl", "name": "main", "category": "security"},
          {"type": "aws_wafv2_web_acl_association", "name": "api", "category": "security"}
        ],
        "analysis": {
          "internet_accessible": true,
          "has_waf": true
        }
      }
    ],
    "native": {
      "terraform": {
        "files": [
          {
            "path": "deploy/terraform/main.tf",
            "hcl": {
              "terraform": [{"required_providers": [{"aws": {"source": "hashicorp/aws", "version": "~> 5.0"}}]}],
              "resource": {"aws_db_instance": {"main": [{"engine": "postgres"}]}}
            }
          }
        ],
        "cicd": {
          "cmds": [
            {"cmd": "terraform init", "version": "1.9.8"},
            {"cmd": "terraform plan -out=tfplan", "version": "1.9.8"},
            {"cmd": "terraform apply -auto-approve tfplan", "version": "1.9.8"}
          ],
          "source": {"tool": "terraform", "integration": "ci"}
        }
      }
    }
  }
}

Configuration Options

Terraform Guardrails Inputs

Input Required Default Description
required_backend_types Required Comma-separated list of approved backend types (empty = any remote backend)
min_provider_versions Optional {} JSON object mapping provider names to minimum versions (e.g., {"aws": "5.0", "random": "3.0"})
ssh_port Optional 22 TCP port treated as SSH for the public-ingress check
postgres_port Optional 5432 TCP port treated as PostgreSQL for the public-ingress check
eks_required_log_types Optional api,audit,authenticator,controllerManager,scheduler Comma-separated EKS control-plane log types that must be enabled
require_cloudtrail_cloudwatch Optional true Whether CloudTrail must also deliver logs to CloudWatch Logs (true/false)
extra_admin_ports Required Additional comma-separated TCP ports to treat as sensitive for the public admin-ports check
min_password_length Optional 14 Minimum IAM account password length required by aws-iam-password-min-length

Other Guardrails Using Terraform Collector

Other guardrails in Terraform Guardrails that use data from Terraform Collector.

Guardrail + Terraform
Provider Versions Pinned

Requires Terraform providers to specify version constraints in required_providers. Unpinned...
Guardrail + Terraform
Module Versions Pinned

Requires Terraform modules to use pinned versions or commit SHAs. Unpinned modules make...
Guardrail + Terraform
Remote Backend

Requires Terraform to use a remote backend for state management. Local state files are fragile and...
Guardrail + Terraform
Min Provider Versions

Enforces minimum version requirements for Terraform providers. Ensures providers meet security and...
View all 33 guardrails in Terraform Guardrails

Learn More

Guardrail · Terraform Guardrails Aws Security Group No Public Postgres View all compatible integrations
Collector Terraform Collector View full documentation

Ready to Automate Your Standards?

See how Lunar can turn your AGENTS.md, engineering wiki, compliance docs, or postmortem action items into automated guardrails with our 200+ built-in guardrails.

Works with any process
check AI agent rules & prompt files
check Post-mortem action items
check Security & compliance policies
check Testing & quality requirements
Automate Now
Paste your AGENTS.md or manual process doc and get guardrails in minutes
Book a Demo