{"id":27631,"library":"c7n-terraform","title":"Cloud Custodian Terraform Provider","description":"Cloud Custodian provider for evaluating Terraform plan/state files against custodian policies. Version 0.1.35, requires Python 3.9-3.12. Part of Cloud Custodian suite, but released separately on PyPI. This is a community-maintained provider with limited updates.","status":"active","version":"0.1.35","language":"python","source_language":"en","source_url":"https://github.com/cloud-custodian/cloud-custodian","tags":["cloud-custodian","terraform","infrastructure-as-code","policy-as-code","compliance"],"install":[{"cmd":"pip install c7n-terraform","lang":"bash","label":"Install from PyPI"}],"dependencies":[{"reason":"Core Cloud Custodian library required for policy execution","package":"c7n","optional":false},{"reason":"Used for policy validation","package":"jsonschema","optional":false}],"imports":[{"note":"Incorrect path; c7n-terraform is a separate package, not part of c7n core.","wrong":"from c7n.providers.terraform import TerraformProvider","symbol":"TerraformProvider","correct":"from c7n_terraform.provider import TerraformProvider"}],"quickstart":{"code":"from c7n_terraform.provider import TerraformProvider\nfrom c7n.policy import Policy, PolicyCollection\nimport json\n\nprovider = TerraformProvider()\n# Load a Terraform plan file (JSON output of terraform plan -out=plan.tfplan)\nwith open('plan.json') as f:\n    resources = provider.parse(json.load(f))\n# Define a policy to check for unencrypted S3 buckets\npolicy_data = {\n    'name': 's3-no-encryption',\n    'resource': 'terraform.aws_s3_bucket',\n    'filters': [{'type': 'value', 'key': 'server_side_encryption_configuration', 'value': None}],\n    'actions': [{'type': 'notify', 'to': ['devnull'], 'subject': 'Compliance', 'message': 'Bucket {} has no encryption'}]\n}\npolicy = Policy(policy_data, {})\nresults = provider.run([policy], resources)\nfor r in results:\n    print(r['resource']['id'])","lang":"python","description":"Example: parse a Terraform plan file and run a custodian policy to find S3 buckets without encryption."},"warnings":[{"fix":"Ensure you generate a plan file with 'terraform plan -out=plan.tfplan' and then convert to JSON with 'terraform show -json plan.tfplan > plan.json'.","message":"c7n-terraform parses Terraform plan files, not live cloud resources. It only evaluates the planned changes in the JSON output from 'terraform show -json plan.tfplan'.","severity":"gotcha","affected_versions":"all"},{"fix":"Check the resource type mapping in the c7n-terraform source or test with your Terraform config. Use 'terraform.aws_*' naming convention.","message":"The provider may not support all Terraform resource types. Unsupported resources are silently ignored.","severity":"gotcha","affected_versions":"0.1.x"},{"fix":"Consider using the built-in 'terraform' provider that was added to c7n core in 0.9.41.0. Import from 'c7n.providers.terraform' if using c7n>=0.9.41.","message":"c7n-terraform is not actively maintained as of 2025. Cloud Custodian core may have breaking changes that affect it.","severity":"deprecated","affected_versions":"0.1.x"}],"env_vars":null,"last_verified":"2026-05-09T00:00:00.000Z","next_check":"2026-08-07T00:00:00.000Z","problems":[{"fix":"pip install c7n-terraform","cause":"Package not installed or installed incorrectly.","error":"ModuleNotFoundError: No module named 'c7n_terraform'"},{"fix":"Ensure resource string starts with 'terraform.' (e.g., 'terraform.aws_s3_bucket'). Also verify c7n-terraform is installed and imported.","cause":"Using wrong resource type prefix or the provider is not registered.","error":"c7n.exceptions.PolicyValidationError: ... Invalid provider terraform.aws_s3_bucket"}],"ecosystem":"pypi","meta_description":null,"install_score":null,"install_tag":null,"quickstart_score":null,"quickstart_tag":null}