# Azure IaC Guardrail

Review Azure Terraform security, compliance, architecture, and change impact before deployment.

Local static analysis, resolved plan assurance, architecture review, governed exceptions, and audit evidence inside Visual Studio Code.
Azure IaC Guardrail never runs `terraform apply`. Static scans are offline. Plan scans use your local Terraform executable and the authentication already configured for the selected workspace.
Public Preview: Guardrail is suitable for evaluation and guarded
engineering review, not as the sole deployment approval control. The Cloud
Canvas catalog contains 237 visual entries; 25 currently have executable
controls, 48 have Terraform mappings, and only governance-approved services
should be treated as supported generation targets.

The workflow stays local and reviewable: open the Terraform root, choose the
appropriate scan, inspect findings and remediation, then export evidence for
the pull request or deployment approval.
## Why Guardrail

| Author | Review | Govern | Evidence |
| --- | --- | --- | --- |
| Detect risky Terraform while editing. | Inspect resolved plans, dependencies, exposure, and blast radius. | Apply shared controls, tags, regions, exclusions, and time-bound exceptions. | Export PDF, JSON, and Markdown artifacts for engineering and assurance workflows. |
## Install

### From a release VSIX

- Download `azure-iac-guardrail-<version>.vsix` from the approved release.
- In VS Code, open Extensions and select Views and More Actions (...) > Install from VSIX....
- Select the downloaded package and reload VS Code when prompted.

The same installation can be performed from a terminal:

```
code --install-extension .\azure-iac-guardrail-<version>.vsix
```
For a managed rollout, distribute the approved VSIX through your software
management platform or private extension gallery. Marketplace installation
instructions will be added when the public publisher is configured.
### Requirements

- Visual Studio Code 1.100.0 or later.
- Terraform only for plan-based workflows.
- Azure/provider authentication only when the selected Terraform workflow requires it.
See Installation and Quick Start
for upgrades, uninstalling, and troubleshooting.
## Quick Start

- Open the folder containing your Terraform root module.
- Press `Ctrl+Shift+P`.
- Run Azure IaC Guardrail: Azure Pre-configuration and select the Terraform root, approved regions, required tags, and any governed exceptions.
- Run Azure IaC Guardrail: Scan Terraform Files for immediate offline feedback.
- Run Azure IaC Guardrail: Create and Scan Local Terraform Plan when you need resolved values, module instances, relationships, and change impact.
- Review findings in Azure IaC Guardrail Results, apply only reviewed fixes, and export the required evidence.
For the complete operating guide, see USER_GUIDE.md.
Static feedback starts in the editor. A Terraform plan adds authoritative
resolved values and relationships. Reviewers then use the same findings,
architecture context, and exported evidence before approving deployment.
## Product View

Illustrative product view. The extension evaluates Terraform; resource
names and findings shown here are representative sample data.
## Features

| Feature | Purpose | Guide |
| --- | --- | --- |
| Static Terraform scan | Offline checks with supported variables, tfvars, locals, and modules | Static Scanning |
| Plan scan | Evaluate resolved resources, relationships, and plan-only controls | Plan Scanning and Review |
| Editor diagnostics | Problems, hover detail, completions, provenance, and reviewable quick fixes | Editor Experience |
| Workspace governance | Configure roots, regions, tags, cost assumptions, exclusions, and exceptions | Workspace Governance |
| Plan architecture | Search and filter plan topology, risk, actions, and exposure; export SVG | Plan Scanning and Review |
| Plan comparison and blast radius | Compare plans and summarize connected change impact | Plan Scanning and Review |
| Resource Cost | Estimate supported retail costs from declared configuration and assumptions | Resource Cost |
| Cloud Canvas | Design Azure architectures and generate reviewable Terraform | Cloud Canvas |
| Evidence export | Produce a PDF report plus machine-readable JSON and Markdown | Evidence and Reporting |
Resource Cost and Cloud Canvas are Preview features. Their output requires
human review and is not an Azure bill or deployment approval.
## Scan Modes

| Command | Use it when | Terraform needed |
| --- | --- | --- |
| Scan Terraform Files | You want fast, offline authoring feedback | No |
| Initialize Modules and Scan Terraform Files | A remote module source has not been downloaded yet | Yes |
| Scan Existing Terraform Plan | CI/CD or another trusted workflow produced a plan | For binary plans |
| Create and Scan Local Terraform Plan | You need resolved values, instances, and relationships | Yes |
Generated local plans are temporary by default. Terraform state, plans,
tfvars, backend configuration, credentials, subscription IDs, and tenant IDs
must not be committed.
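The rule above is easy to state and easy to break by accident. The following pre-commit style check is an added example, not part of the extension: it rejects staged paths that look like state, plans, tfvars or the `.terraform/` cache, and flags hard-coded subscription, tenant or client-secret values in `.tf` files. The glob list, the regular expression and the sample provider block are this example's own assumptions, constructed for illustration.

```python
"""Pre-commit guard for Terraform artifacts that must never be committed.

Added example; the patterns below are assumptions about common layouts, not
rules taken from the Azure IaC Guardrail project.
"""
import fnmatch
import re
import subprocess
import sys

# Path patterns (constructed list). State and saved plans carry resolved
# secrets; tfvars carry IDs and credentials; .terraform/ holds a copy of the
# backend configuration alongside downloaded providers.
FORBIDDEN_GLOBS = [
    "*.tfstate", "*.tfstate.*",
    "*.tfplan", "tfplan", "*.plan",
    "*.tfvars", "*.tfvars.json",
    ".terraform/*", "*/.terraform/*",
    "crash.log",
]

# Azure subscription and tenant IDs are GUIDs; a literal GUID assigned to
# these keys, or a literal client_secret, should come from the environment
# or a vault instead. Interpolations such as "${var.x}" are not flagged.
GUID = r"[0-9a-fA-F]{8}-(?:[0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}"
SENSITIVE_LINE = re.compile(
    r'\b(?:subscription_id|tenant_id)\s*=\s*"' + GUID + r'"'
    r'|\bclient_secret\s*=\s*"[^"$]{8,}"'
)

# Constructed sample input: line 3 hard-codes a subscription ID, line 4 does not.
SAMPLE_PROVIDER_TF = '''provider "azurerm" {
  features {}
  subscription_id = "12345678-1234-1234-1234-123456789abc"
  tenant_id       = var.tenant_id
}
'''


def forbidden_path(path):
    """True when the path matches an artifact type that must not be committed."""
    normalized = path.replace("\\", "/")
    return any(fnmatch.fnmatchcase(normalized, glob) for glob in FORBIDDEN_GLOBS)


def find_sensitive_lines(text):
    """1-based line numbers that assign a literal Azure ID or secret."""
    return [n for n, line in enumerate(text.splitlines(), 1)
            if SENSITIVE_LINE.search(line)]


def check(paths, read_text):
    """Return a list of problem strings for the given staged paths.

    read_text(path) -> str is injected so the check can run on constructed
    input without touching the filesystem.
    """
    problems = []
    for path in paths:
        if forbidden_path(path):
            problems.append(f"{path}: artifact type must not be committed")
            continue
        if path.endswith((".tf", ".tf.json", ".hcl")):
            for line_no in find_sensitive_lines(read_text(path)):
                problems.append(f"{path}:{line_no}: hard-coded Azure identity value")
    return problems


def staged_files():
    """Names of files added, copied or modified in the git index."""
    out = subprocess.run(
        ["git", "diff", "--cached", "--name-only", "--diff-filter=ACM"],
        capture_output=True, text=True, check=True,
    ).stdout
    return [line for line in out.splitlines() if line]


if __name__ == "__main__":
    def _read(path):
        with open(path, encoding="utf-8", errors="replace") as fh:
            return fh.read()

    found = check(staged_files(), _read)
    for message in found:
        print(message)
    sys.exit(1 if found else 0)
```

Wire it up as a pre-commit hook (or a CI step over the changed-files list) so the rejection happens before the artifact reaches the remote; a `.gitignore` entry alone does not stop `git add -f`.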
## Controls and Standards

Built-in service and control definitions live in:

```
catalog/services/<service-id>.json
```

Each service file owns its Cloud Canvas metadata, Terraform mapping, parameters, controls, assurances, remediation, and references. The generated `azure-complete-catalog-vscode.json` is consumed by scanning and Cloud Canvas; do not edit it directly.
To add or change a standard control:

1. Copy `catalog/service-template.json.example` when adding a service, or open the existing service file.
2. Define a unique control ID, exact Terraform resource type and attribute, supported operator, expected value, severity, remediation, and authoritative reference.
3. Add tests for compliant, non-compliant, and unresolved behavior. Add plan and related-resource cases when the control requires them.
4. Run:

   ```
   npm run catalog:validate
   npm run catalog:test
   npm run check
   npm run lint
   npm test
   npm run compile
   ```

5. Commit the service file and regenerated `azure-complete-catalog-vscode.json`.

Read CONTRIBUTING.md and the Control and Standard Contribution Guide before opening a pull request.
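To make the three behaviours a control test must cover concrete, here is an added example (not the extension's code, and not its catalog schema) of evaluating one attribute control against a resolved plan. The control fields mirror the list above (control ID, resource type, attribute, operator, expected value, severity, remediation, reference); the plan layout follows the `resource_changes` section of `terraform show -json` output, where `after_unknown` marks values that only exist after apply. The control ID, the operator set and the sample plan are constructed assumptions.

```python
"""Evaluate a single attribute control against a Terraform plan in JSON form.

Added example, not Azure IaC Guardrail's own evaluator or catalog format.
Verdicts: 'compliant', 'non_compliant', or 'unresolved' (value unknown until
apply, so neither pass nor fail can be asserted statically).
"""
import json

# Constructed control definition (hypothetical ID and reference placeholder).
CONTROL = {
    "id": "EXAMPLE-STORAGE-TLS-001",
    "resource_type": "azurerm_storage_account",
    "attribute": "min_tls_version",
    "operator": "equals",
    "expected": "TLS1_2",
    "severity": "High",
    "remediation": 'Set min_tls_version = "TLS1_2" on the storage account.',
    "reference": "PLACEHOLDER-REFERENCE-URL",
}

# Assumed operator set; the project's supported operators are not shown here.
OPERATORS = {
    "equals": lambda actual, expected: actual == expected,
    "not_equals": lambda actual, expected: actual != expected,
    "in": lambda actual, expected: actual in expected,
}

# Constructed plan excerpt in `terraform show -json` shape: one compliant
# account, one weak account, one whose value is unknown until apply (for
# example derived from another resource), and one unrelated resource.
SAMPLE_PLAN = {
    "format_version": "1.2",
    "resource_changes": [
        {"address": "azurerm_storage_account.compliant",
         "type": "azurerm_storage_account",
         "change": {"actions": ["create"],
                    "after": {"name": "stcompliant", "min_tls_version": "TLS1_2"},
                    "after_unknown": {"id": True}}},
        {"address": "azurerm_storage_account.weak",
         "type": "azurerm_storage_account",
         "change": {"actions": ["update"],
                    "after": {"name": "stweak", "min_tls_version": "TLS1_0"},
                    "after_unknown": {}}},
        {"address": "module.shared.azurerm_storage_account.later",
         "type": "azurerm_storage_account",
         "change": {"actions": ["create"],
                    "after": {"name": "stlater"},
                    "after_unknown": {"id": True, "min_tls_version": True}}},
        {"address": "azurerm_resource_group.rg",
         "type": "azurerm_resource_group",
         "change": {"actions": ["create"],
                    "after": {"name": "rg-demo"},
                    "after_unknown": {"id": True}}},
    ],
}


def lookup(values, dotted):
    """Return (value, present) for a dotted attribute path inside a dict tree."""
    node = values
    for part in dotted.split("."):
        if not isinstance(node, dict) or part not in node:
            return None, False
        node = node[part]
    return node, True


def evaluate_control(control, plan):
    """One finding per resource instance of the control's type."""
    findings = []
    for rc in plan.get("resource_changes", []):
        if rc.get("type") != control["resource_type"]:
            continue
        change = rc.get("change", {})
        if change.get("actions") == ["delete"]:
            continue  # nothing exists after apply, nothing to assess
        after = change.get("after") or {}
        unknown = change.get("after_unknown") or {}
        base = {"control": control["id"], "address": rc["address"],
                "severity": control["severity"]}
        is_unknown, _ = lookup(unknown, control["attribute"])
        if is_unknown is True:
            findings.append({**base, "status": "unresolved",
                             "detail": f"{control['attribute']} is known only after apply"})
            continue
        actual, present = lookup(after, control["attribute"])
        compare = OPERATORS[control["operator"]]
        if present and actual is not None and compare(actual, control["expected"]):
            findings.append({**base, "status": "compliant"})
        else:  # missing, null, or wrong value all fail closed
            findings.append({**base, "status": "non_compliant", "actual": actual,
                             "remediation": control["remediation"]})
    return findings


def summarize(findings):
    """Counts per status, the shape a reviewer wants at the top of a report."""
    counts = {"compliant": 0, "non_compliant": 0, "unresolved": 0}
    for finding in findings:
        counts[finding["status"]] += 1
    return counts


def load_plan(path):
    """Load a plan previously written with `terraform show -json plan.tfplan > plan.json`."""
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


if __name__ == "__main__":
    results = evaluate_control(CONTROL, SAMPLE_PLAN)
    print(json.dumps(results, indent=2))
    print(summarize(results))
```

The unresolved branch is the one most often missing from control tests: an attribute that is `true` in `after_unknown` must surface as a review item rather than silently passing or failing, which is why the README asks for a test case of each kind.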
## Develop

```
npm install
npm run check
npm run lint
npm test
npm run compile
```

Press F5 to launch an Extension Development Host. Maintained Terraform examples are under `test/fixtures/`, including `storage-spa`, `three-tier-webapp`, `remote-module-static-scan`, and `intellisense-ux-demo`.
## Release

Pull requests and pushes to `main` run identifier checks, type checking, linting, unit tests, compilation, and VSIX packaging. A semantic version tag (`vX.Y.Z`) builds a checksummed release candidate and publishes it through the protected Marketplace environment.

Release prerequisites and rollback guidance are documented in Release Management and `docs/RELEASING.md`.
## Security and Support

## License

Released under the MIT License.