Query Terraform Configurations
Query Terraform HCL, plan, and state files with cnquery
Rely on cnquery to query and analyze HashiCorp Terraform configurations. Explore HCL files, plan files, and state files to understand your infrastructure-as-code.
Requirements
To analyze Terraform configurations with cnquery, you must have:
- cnquery installed on your workstation.
- Terraform HCL files, plan files, or state files to query.
Query Terraform HCL files
To open a cnquery shell and query Terraform HCL configurations:
cnquery shell terraform PATH

| For... | Substitute... |
|---|---|
| PATH | The path to a Terraform file or directory |
For example, to query a directory of Terraform files:
cnquery shell terraform ./infrastructure/
Or to query a single file:
cnquery shell terraform ./main.tf
Ignore .terraform directory
To exclude the .terraform directory (which contains cached provider plugins and modules):
cnquery shell terraform ./infrastructure/ --ignore-dot-terraform
Query Terraform plan files
To query a Terraform plan file (JSON format):
cnquery shell terraform plan PATH_TO_PLAN_JSON
First, generate a plan JSON file:
terraform plan -out=tfplan
terraform show -json tfplan > tfplan.json
Then query it:
cnquery shell terraform plan ./tfplan.json
Query Terraform state files
To query a Terraform state file:
cnquery shell terraform state PATH_TO_STATE_JSON
For example:
cnquery shell terraform state ./terraform.tfstate
Example queries
Query HCL configurations
This query retrieves all Terraform files:
cnquery> terraform.files
terraform.files: [
  0: terraform.file path="main.tf"
  1: terraform.file path="variables.tf"
  ...
]
This query retrieves all resources defined in the configuration:
cnquery> terraform.resources
terraform.resources: [
  0: terraform.resource type="aws_instance" nameLabel="web"
  1: terraform.resource type="aws_s3_bucket" nameLabel="data"
  ...
]
This query retrieves all modules:
cnquery> terraform.modules
terraform.modules: [
  0: terraform.module name="vpc"
  ...
]
This query retrieves variables from .tfvars files:
cnquery> terraform.tfvars
terraform.tfvars: {
  environment: "production"
  instance_type: "t3.micro"
  ...
}
Filter resources by type
This query finds all AWS S3 bucket resources:
cnquery> terraform.resources.where(type == "aws_s3_bucket")
This query finds all AWS EC2 instance resources with their arguments:
cnquery> terraform.resources.where(type == "aws_instance") { nameLabel arguments }
Explore resource blocks
This query retrieves blocks within resources:
cnquery> terraform.resources { nameLabel blocks { type } }
Query Terraform plan
When querying a plan file:
cnquery> terraform.plan.resourceChanges
terraform.plan.resourceChanges: [
  0: terraform.plan.resourceChange address="aws_instance.web" actions=["create"]
  ...
]
Query Terraform state
When querying a state file:
cnquery> terraform.state.resources
terraform.state.resources: [
  0: terraform.state.resource address="aws_instance.web"
  ...
]
Exit the cnquery shell
To exit the cnquery shell, either press Ctrl + D or type exit.
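The address and actions values shown for terraform.plan.resourceChanges correspond to the resource_changes array in the JSON written by terraform show -json. The following Python script is an added example, not part of cnquery or its documentation: it reads that array from a constructed sample plan (all addresses are made up) and lists the changes that delete an existing resource, which are the ones worth a manual review before apply. The function names load_changes and needs_review are chosen for this example.

```python
import json

# Constructed sample in the layout of `terraform show -json tfplan` output.
# Addresses and actions are made up for this example.
SAMPLE_PLAN = json.dumps({
    "resource_changes": [
        {"address": "aws_instance.web",
         "change": {"actions": ["create"]}},
        {"address": "aws_s3_bucket.data",
         "change": {"actions": ["delete", "create"]}},  # replacement
        {"address": "aws_security_group.admin",
         "change": {"actions": ["update"]}},
        {"address": "aws_kms_key.logs",
         "change": {"actions": ["delete"]}},
        {"address": "aws_vpc.main",
         "change": {"actions": ["no-op"]}},
    ],
})


def load_changes(plan_text):
    """Return (address, actions) pairs from a plan in JSON format."""
    try:
        plan = json.loads(plan_text)
    except ValueError as exc:
        # Typical cause: the binary file from `terraform plan -out=tfplan`
        # was passed instead of the JSON rendering of it.
        raise ValueError(
            "not JSON; run `terraform show -json tfplan` first") from exc
    if not isinstance(plan, dict):
        raise ValueError("plan JSON must be an object")
    # A plan without changes may carry no resource_changes key at all.
    return [(rc["address"], rc["change"]["actions"])
            for rc in plan.get("resource_changes", [])]


def needs_review(changes):
    """Addresses whose planned actions delete the existing resource."""
    return [addr for addr, actions in changes if "delete" in actions]


if __name__ == "__main__":
    changes = load_changes(SAMPLE_PLAN)
    for addr, actions in changes:
        print(addr, actions)
    print("review before apply:", needs_review(changes))
```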
Learn more
- To learn more about how the MQL query language works, read Write Effective MQL.
- For a list of all the Terraform resources and fields you can query, read the Terraform Resource Pack Reference.
- For information on scanning Terraform configurations for security issues, read Assess HashiCorp Terraform Code Security with cnspec.