Enforce Remote Backend using data collected by Terraform Collector. Automatically check deployment and infrastructure standards on every PR.
How Terraform Collector Powers This Guardrail
The Terraform Collector gathers metadata from your security, orchestration systems. This data flows into Lunar's Component JSON, where the Remote Backend guardrail evaluates it against your standards.
When enabled, this check runs automatically on every PR and in AI coding workflows, providing real-time enforcement with actionable feedback.
Quick Start Configuration
Add both the collector and policy to your lunar-config.yml to enable this guardrail.
# Step 1: Enable the Terraform Collector
collectors:
- uses: github://earthly/lunar-lib/collectors/terraform@v1.0.0
# with: ...
# Step 2: Enable the Terraform Guardrails
policies:
- uses: github://earthly/lunar-lib/policies/terraform@v1.0.0
include: [remote-backend]
# with: ...What Terraform Collector Collects
This collector gathers the following data that the Remote Backend guardrail evaluates.
terraform
Parses all Terraform (.tf) files in the repository using hcl2json and collects:
- File validity and parse errors (.iac.files[])
- Normalized modules with resources and analysis (.iac.modules[])
- Full parsed HCL JSON for terraform-specific policy (.iac.native.terraform.files[])
- Source tool metadata (.iac.source)
Example Data Flow
Here's an example of the data that Terraform Collector writes to the Component JSON, which Remote Backend then evaluates.
{
"iac": {
"source": {"tool": "hcl2json", "version": "0.6.8"},
"files": [
{"path": "deploy/terraform/main.tf", "valid": true},
{"path": "deploy/terraform/variables.tf", "valid": true}
],
"modules": [
{
"path": "deploy/terraform",
"resources": [
{"type": "aws_db_instance", "name": "main", "category": "datastore", "has_prevent_destroy": true},
{"type": "aws_s3_bucket", "name": "logs", "category": "datastore", "has_prevent_destroy": false},
{"type": "aws_lb", "name": "api", "category": "network", "has_prevent_destroy": false, "internet_facing": true},
{"type": "aws_instance", "name": "web", "category": "compute", "has_prevent_destroy": false},
{"type": "aws_wafv2_web_acl", "name": "main", "category": "security"},
{"type": "aws_wafv2_web_acl_association", "name": "api", "category": "security"}
],
"analysis": {
"internet_accessible": true,
"has_waf": true
}
}
],
"native": {
"terraform": {
"files": [
{
"path": "deploy/terraform/main.tf",
"hcl": {
"terraform": [{"required_providers": [{"aws": {"source": "hashicorp/aws", "version": "~> 5.0"}}]}],
"resource": {"aws_db_instance": {"main": [{"engine": "postgres"}]}}
}
}
]
}
}
}
}Configuration Options
Terraform Guardrails Inputs
| Input | Required | Default | Description |
|---|---|---|---|
required_backend_types |
Required | — | Comma-separated list of approved backend types (empty = any remote backend) |
min_provider_versions |
Optional |
{}
|
JSON object mapping provider names to minimum versions (e.g., {"aws": "5.0", "random": "3.0"}) |
Ready to Automate Your Standards?
See how Lunar can turn your engineering wiki, compliance docs, or postmortem action items into automated guardrails with our 100+ built-in guardrails.
Infrastructure conventions
Post-mortem action items
Security & compliance policies
Testing & quality requirements