Stay organized with collections
Save and categorize content based on your preferences.
Businesses are shifting towards infrastructure-as-code, and with that change
comes a concern that configuration errors can cause security and governance
violations. To address this, security and cloud administrators need to be able
to set up guardrails that make sure everyone in their organization follows
security best practices. These guardrails are in the form of constraints.
Constraints define your organization's source of truth for security and
governance requirements. The constraints must be compatible with tools across
every stage of the application lifecycle, from development, to deployment, and
even to an audit of deployed resources.
gcloud beta terraform vet is a tool for
enforcing policy compliance as part of an infrastructure CI/CD pipeline. When
you run this tool, gcloud beta terraform vet retrieves project data with Google Cloud
APIs that are necessary for accurate validation of your plan. You can use
gcloud beta terraform vet to detect policy violations and provide warnings or halt
deployments before they reach production. The same set of constraints that you
use with gcloud beta terraform vet can also be used with any other tool that
supports the same framework.
With gcloud beta terraform vet you can:
Enforce your organization's policy at any stage of application development
Remove manual errors by automating policy validation
Reduce learning time by using a single paradigm for all policy management
Support
Until gcloud beta terraform vet is generally available (GA), regular support channels
might not be available. For support with gcloud beta terraform vet,
open a ticket
on the terraform-google-conversion GitHub repository.
Documentation
gcloud beta terraform vet includes the following resources:
Quickstart – How to implement a constraint that throws an error, and then modify the constraint so the validation check passes.
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-08-29 UTC."],[[["\u003cp\u003e\u003ccode\u003egcloud beta terraform vet\u003c/code\u003e is a tool designed to enforce policy compliance within infrastructure CI/CD pipelines, ensuring adherence to security and governance requirements.\u003c/p\u003e\n"],["\u003cp\u003eThe tool enables organizations to define constraints, representing the source of truth for security and governance, compatible across all application lifecycle stages.\u003c/p\u003e\n"],["\u003cp\u003eUsing \u003ccode\u003egcloud beta terraform vet\u003c/code\u003e automates policy validation, minimizes manual errors, and allows consistent policy management at any stage of development.\u003c/p\u003e\n"],["\u003cp\u003eWhile in its pre-GA phase, \u003ccode\u003egcloud beta terraform vet\u003c/code\u003e offers support via a designated GitHub repository, with further documentation available for guidance on creating and validating constraints.\u003c/p\u003e\n"],["\u003cp\u003ePre-GA products and features, like \u003ccode\u003egcloud beta terraform vet\u003c/code\u003e are available "as is" and are subject to the "Pre-GA Offerings Terms", meaning they might have limited support.\u003c/p\u003e\n"]]],[],null,["# Policy validation\n\n| **Preview**\n|\n|\n| This product or feature is subject to the \"Pre-GA Offerings Terms\" in the General Service Terms section\n| of the [Service Specific Terms](/terms/service-terms#1).\n|\n| Pre-GA products and features are available \"as is\" and might have limited support.\n|\n| For more information, see the\n| [launch stage descriptions](/products#product-launch-stages).\n\nBusinesses are shifting towards infrastructure-as-code, and with that change\ncomes a concern that configuration errors can cause security and governance\nviolations. To address this, security and cloud administrators need to be able\nto set up guardrails that make sure everyone in their organization follows\nsecurity best practices. These guardrails are in the form of *constraints*.\n\nConstraints define your organization's source of truth for security and\ngovernance requirements. The constraints must be compatible with tools across\nevery stage of the application lifecycle, from development, to deployment, and\neven to an audit of deployed resources.\n\n[`gcloud beta terraform vet`](/sdk/gcloud/reference/beta/terraform/vet) is a tool for\nenforcing policy compliance as part of an infrastructure CI/CD pipeline. When\nyou run this tool, `gcloud beta terraform vet` retrieves project data with Google Cloud\nAPIs that are necessary for accurate validation of your plan. You can use\n`gcloud beta terraform vet` to detect policy violations and provide warnings or halt\ndeployments before they reach production. The same set of constraints that you\nuse with `gcloud beta terraform vet` can also be used with any other tool that\nsupports the same framework.\n\nWith `gcloud beta terraform vet` you can:\n\n- Enforce your organization's policy at any stage of application development\n- Remove manual errors by automating policy validation\n- Reduce learning time by using a single paradigm for all policy management\n\nSupport\n-------\n\nUntil `gcloud beta terraform vet` is generally available (GA), regular support channels\nmight not be available. For support with `gcloud beta terraform vet`,\n[open a ticket](https://github.com/GoogleCloudPlatform/terraform-google-conversion/issues/new/choose)\non the `terraform-google-conversion` GitHub repository.\n\nDocumentation\n-------------\n\n`gcloud beta terraform vet` includes the following resources:\n\n- [Quickstart](/docs/terraform/policy-validation/quickstart) -- How to implement a constraint that throws an error, and then modify the constraint so the validation check passes.\n- [Create a policy library](/docs/terraform/policy-validation/create-policy-library) -- How to create a centralized policy repository.\n- [Create Terraform constraints](/docs/terraform/policy-validation/create-terraform-constraints) -- How to add Terraform-based constraints.\n- [Create CAI constraints](/docs/terraform/policy-validation/create-cai-constraints) -- How to add CAI-based constraints.\n- [Validate policies](/docs/terraform/policy-validation/validate-policies) -- How to validate policy compliance with `gcloud beta terraform vet`.\n- [Troubleshooting](/docs/terraform/policy-validation/troubleshooting) -- Potential problems and solutions to fix them.\n- [Migrate from terraform-validator](/docs/terraform/policy-validation/migrate-from-terraform-validator) - How to migrate to `gcloud beta terraform vet` from [terraform-validator](https://github.com/GoogleCloudPlatform/terraform-validator)."]]
