Hamburger Cross Icon
Terraform Collector - Lunar Collector

Terraform Collector

Collector Beta SecurityOrchestration

Parse Terraform HCL files to extract configuration data. Writes file validity and full parsed HCL JSON for downstream policy analysis of providers, modules, backends, resources, and infrastructure security posture.

Add terraform to your lunar-config.yml:
uses: github://earthly/lunar-lib/collectors/terraform@v1.0.5
Get Started View on GitHub

What This Integration Collects

This integration includes 2 collectors that gather metadata from your systems.

Collector code

terraform

Parses all Terraform (.tf) files in the repository using hcl2json and collects:

  • File validity and parse errors (.iac.files[])
  • Normalized modules with resources and analysis (.iac.modules[])
  • Full parsed HCL JSON for terraform-specific policy (.iac.native.terraform.files[])
  • Source tool metadata (.iac.source)
terraform iac infrastructure hcl aws providers modules backend
Book a demo
Collector ci-before-command

cicd

Records every terraform command executed in CI pipelines along with the Terraform CLI version. Writes command strings and version info to .iac.native.terraform.cicd for audit trails and build reproducibility.

terraform ci terraform version ci commands iac tracking deployment tracking
Book a demo

How Collectors Fit into Lunar

Lunar watches your code and CI/CD systems to collect SDLC data from config files, test results, IaC, deployment configurations, security scans, and more.

Collectors are the automatic data-gathering layer. They extract structured metadata from your repositories and pipelines, feeding it into Lunar's centralized database where guardrails evaluate it to enforce your engineering standards.

Learn How Lunar Works
1
Collectors Gather Data This Integration
Triggered by code changes or CI pipelines, collectors extract metadata from config files, tool outputs, test results, and scans
2
{ } Centralized as JSON
All data merged into each component's unified metadata document
3
Guardrails Enforce Standards
Real-time feedback in PRs and AI workflows

Example Collected Data

This collector writes structured metadata to the Component JSON. Here's an example of the data it produces:

{ } component.json Component JSON 
{
  "iac": {
    "source": {"tool": "hcl2json", "version": "0.6.8"},
    "files": [
      {"path": "deploy/terraform/main.tf", "valid": true},
      {"path": "deploy/terraform/variables.tf", "valid": true}
    ],
    "modules": [
      {
        "path": "deploy/terraform",
        "resources": [
          {"type": "aws_db_instance", "name": "main", "category": "datastore", "has_prevent_destroy": true},
          {"type": "aws_s3_bucket", "name": "logs", "category": "datastore", "has_prevent_destroy": false},
          {"type": "aws_lb", "name": "api", "category": "network", "has_prevent_destroy": false, "internet_facing": true},
          {"type": "aws_instance", "name": "web", "category": "compute", "has_prevent_destroy": false},
          {"type": "aws_wafv2_web_acl", "name": "main", "category": "security"},
          {"type": "aws_wafv2_web_acl_association", "name": "api", "category": "security"}
        ],
        "analysis": {
          "internet_accessible": true,
          "has_waf": true
        }
      }
    ],
    "native": {
      "terraform": {
        "files": [
          {
            "path": "deploy/terraform/main.tf",
            "hcl": {
              "terraform": [{"required_providers": [{"aws": {"source": "hashicorp/aws", "version": "~> 5.0"}}]}],
              "resource": {"aws_db_instance": {"main": [{"engine": "postgres"}]}}
            }
          }
        ],
        "cicd": {
          "cmds": [
            {"cmd": "terraform init", "version": "1.9.8"},
            {"cmd": "terraform plan -out=tfplan", "version": "1.9.8"},
            {"cmd": "terraform apply -auto-approve tfplan", "version": "1.9.8"}
          ],
          "source": {"tool": "terraform", "integration": "ci"}
        }
      }
    }
  }
}

Related

Policy Deployment And Infrastructure
IaC Guardrails

Generic IaC guardrails using this collector's data
Policy Deployment And Infrastructure
Terraform Guardrails

Terraform-specific guardrails using this collector's data

Documentation

View on GitHub

Terraform Collector

Parses Terraform HCL files and collects IaC configuration data for policy analysis.

Overview

This collector finds all .tf files in a repository and parses them using hcl2json. It writes file validity status and the full parsed HCL JSON, enabling downstream policies to analyze providers, modules, backend configuration, resource inventory, and infrastructure security posture.

Collected Data

This collector writes to the following Component JSON paths:

Path Type Description
.iac.source object Tool metadata (tool, version)
.iac.files[] array File validity: {path, valid, error?}
.iac.modules[] array Normalized modules: {path, resources[], analysis}
.iac.native.terraform.files[] array Full parsed HCL per file: {path, hcl}
.iac.native.terraform.cicd object CI command tracking: {cmds[], source}

Collectors

This integration provides the following collectors (use include to select a subset):

Collector Description
terraform Parses .tf files, writes validity and full HCL JSON
cicd Records every terraform command run in CI with the CLI version

Installation

Add to your lunar-config.yml:

collectors:
  - uses: github://earthly/lunar-lib/collectors/terraform@main
    on: ["domain:your-domain"]  # Or use tags like [infra, terraform]

Open Source

This collector is open source and available on GitHub. Contribute improvements, report issues, or fork it for your own use.

View Repository

Common Use Cases

Explore guardrails that use data from Terraform Collector.

+
Valid + Terraform Collector Validates that all IaC configuration files are syntactically correct. Invalid...
+
Waf Protection + Terraform Collector Requires WAF protection for internet-facing services. Checks each IaC module for...
+
Datastore Destroy Protection + Terraform Collector Ensures stateful resources (databases, storage buckets, caches) have lifecycle {...
+
Resource Destroy Protection + Terraform Collector Ensures stateless infrastructure resources (EC2 instances, load...
+
Provider Versions Pinned + Terraform Collector Requires Terraform providers to specify version constraints in...
+
Module Versions Pinned + Terraform Collector Requires Terraform modules to use pinned versions or commit SHAs. Unpinned...
+
Remote Backend + Terraform Collector Requires Terraform to use a remote backend for state management. Local state...
+
Min Provider Versions + Terraform Collector Enforces minimum version requirements for Terraform providers. Ensures providers...

Ready to Automate Your Standards?

See how Lunar can turn your AGENTS.md, engineering wiki, compliance docs, or postmortem action items into automated guardrails with our 100+ built-in guardrails.

Works with any process
check AI agent rules & prompt files
check Post-mortem action items
check Security & compliance policies
check Testing & quality requirements
Automate Now
Paste your AGENTS.md or manual process doc and get guardrails in minutes
Book a Demo