Cloud Custodian Terraform Provider
0.1.35 | verified Sat May 09 | auth: no | python
Cloud Custodian provider for evaluating Terraform plan/state files against Custodian policies. Version 0.1.35; requires Python 3.9-3.12. Part of the Cloud Custodian suite, but released separately on PyPI. This is a community-maintained provider with limited updates.
pip install c7n-terraform
Common errors
error ModuleNotFoundError: No module named 'c7n_terraform'
cause Package not installed or installed incorrectly.
fix
pip install c7n-terraform
error c7n.exceptions.PolicyValidationError: ... Invalid provider terraform.aws_s3_bucket
cause Using wrong resource type prefix or the provider is not registered.
fix
Ensure resource string starts with 'terraform.' (e.g., 'terraform.aws_s3_bucket'). Also verify c7n-terraform is installed and imported.
Warnings
gotcha c7n-terraform parses Terraform plan files, not live cloud resources. It only evaluates the planned changes in the JSON output from 'terraform show -json plan.tfplan'.
fix Ensure you generate a plan file with 'terraform plan -out=plan.tfplan' and then convert to JSON with 'terraform show -json plan.tfplan > plan.json'.
gotcha The provider may not support all Terraform resource types. Unsupported resources are silently ignored.
fix Check the resource type mapping in the c7n-terraform source or test with your Terraform config. Use 'terraform.aws_*' naming convention.
deprecated c7n-terraform is not actively maintained as of 2025. Cloud Custodian core may have breaking changes that affect it.
fix Consider using the built-in 'terraform' provider that was added to c7n core in 0.9.41.0. Import from 'c7n.providers.terraform' if using c7n>=0.9.41.
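Because unsupported resource types are silently ignored and only the plan JSON is evaluated, it helps to cross-check the plan independently of the provider. The following is an added example, not code from c7n-terraform: it uses only the standard library and the `resource_changes` list of the `terraform show -json` output, and the function names and sample plan are constructed for illustration.

```python
from collections import Counter

# Constructed sample, shaped like `terraform show -json plan.tfplan` output.
SAMPLE_PLAN = {
    "format_version": "1.2",
    "resource_changes": [
        {"address": "aws_s3_bucket.logs", "mode": "managed", "type": "aws_s3_bucket",
         "change": {"actions": ["create"],
                    "after": {"bucket": "logs", "server_side_encryption_configuration": []}}},
        {"address": "aws_s3_bucket.data", "mode": "managed", "type": "aws_s3_bucket",
         "change": {"actions": ["update"], "after": {
             "bucket": "data",
             "server_side_encryption_configuration": [
                 {"rule": [{"apply_server_side_encryption_by_default":
                            [{"sse_algorithm": "aws:kms"}]}]}]}}},
        {"address": "aws_s3_bucket.old", "mode": "managed", "type": "aws_s3_bucket",
         "change": {"actions": ["delete"], "after": None}},
        {"address": "aws_iam_role.ci", "mode": "managed", "type": "aws_iam_role",
         "change": {"actions": ["create"], "after": {"name": "ci"}}},
    ],
}

def planned_resources(plan):
    """Yield (address, type, after) for managed resources the plan creates or updates."""
    for rc in plan.get("resource_changes", []):
        if rc.get("mode") != "managed":
            continue  # skip data sources
        change = rc.get("change", {})
        actions = change.get("actions", [])
        if "create" in actions or "update" in actions:
            yield rc["address"], rc["type"], change.get("after") or {}

def uncovered_types(plan, policy_resources):
    """Count planned resource types that no policy's 'resource' string targets."""
    prefix = "terraform."
    covered = {r[len(prefix):] for r in policy_resources if r.startswith(prefix)}
    seen = Counter(rtype for _, rtype, _ in planned_resources(plan))
    return {rtype: n for rtype, n in seen.items() if rtype not in covered}

def unencrypted_buckets(plan):
    """Addresses of planned S3 buckets with no inline encryption configuration."""
    return [addr for addr, rtype, after in planned_resources(plan)
            if rtype == "aws_s3_bucket"
            and not after.get("server_side_encryption_configuration")]

if __name__ == "__main__":
    print("not covered by any policy:", uncovered_types(SAMPLE_PLAN, ["terraform.aws_s3_bucket"]))
    print("buckets without encryption:", unencrypted_buckets(SAMPLE_PLAN))
```

Comparing these results with what the policy run reports shows which planned resources were never evaluated at all.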
Imports
- TerraformProvider
wrong: from c7n.providers.terraform import TerraformProvider
correct: from c7n_terraform.provider import TerraformProvider
Quickstart
import json

from c7n.policy import Policy, PolicyCollection
from c7n_terraform.provider import TerraformProvider

provider = TerraformProvider()

# Load the plan as JSON (output of 'terraform show -json plan.tfplan > plan.json')
with open('plan.json') as f:
    resources = provider.parse(json.load(f))

# Define a policy to check for unencrypted S3 buckets
policy_data = {
    'name': 's3-no-encryption',
    'resource': 'terraform.aws_s3_bucket',
    'filters': [{'type': 'value', 'key': 'server_side_encryption_configuration', 'value': None}],
    'actions': [{'type': 'notify', 'to': ['devnull'], 'subject': 'Compliance', 'message': 'Bucket {} has no encryption'}]
}
policy = Policy(policy_data, {})

# Evaluate the policy against the parsed plan resources
results = provider.run([policy], resources)

# Print the id of each resource that matched the policy
for r in results:
    print(r['resource']['id'])