Add Terraform configuration
org.openrewrite.terraform.AddConfiguration
If the configuration has a different value, leave it alone. If it is missing, add it.
Recipe source
This recipe is only available to users of Moderne.
This recipe is available under the Moderne Proprietary License.
Options
Type | Name | Description | Example |
---|---|---|---|
String | resourceName | A Terraform resource name, without the quotes. | aws_ebs_volume |
String | content | Terraform to insert if an attribute with the same name or block with the same 'type' is not found. | encrypted = true |
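The behaviour the two options describe (append `content` to every `resource` block of type `resourceName`, but only when nothing with the same name is already there) can be modelled in a short script. The following is an added example written for this page, not OpenRewrite's own implementation: the real recipe edits a parsed HCL tree, whereas this uses a line-based scan that understands top-level resource blocks with one attribute per line. It also adds a `missing_configuration` helper (an assumption of this example, not a recipe feature) so the non-compliant blocks can be listed before anything is rewritten. The Terraform inputs are constructed for the example; `PAGE_BEFORE` and `PAGE_AFTER` reproduce the page's own Before/After with two-space indentation assumed.

```python
"""Stand-alone model of the AddConfiguration rule: add an attribute (or
block) to every resource of one type when nothing with that name is present,
and never overwrite an existing value.

Added example, not OpenRewrite's code: the real recipe edits a parsed HCL
tree, while this uses a line-based scan that understands top-level resource
blocks with one attribute per line (braces inside strings or comments would
confuse it). All sample Terraform below is constructed for the example.
"""
import re

# `resource "<type>" ["<label>"] {` on a single line.
RESOURCE_RE = re.compile(r'^\s*resource\s+"([^"]+)"(?:\s+"[^"]*")?\s*\{\s*$')
# `name = ...` attribute, or `name ["label"...] {` nested block.
ATTR_RE = re.compile(r'^\s*([A-Za-z_][A-Za-z0-9_-]*)\s*=')
BLOCK_RE = re.compile(r'^\s*([A-Za-z_][A-Za-z0-9_-]*)(?:\s+"[^"]*")*\s*\{\s*$')


def _name_of(line):
    """Attribute or block name declared on this line, else None."""
    m = ATTR_RE.match(line) or BLOCK_RE.match(line)
    return m.group(1) if m else None


def _scan_blocks(lines):
    """Yield (start, end, resource_type, names) per top-level resource block.
    start/end are 0-based indices of the opening and closing brace lines;
    names are the attribute/block names declared directly inside the block."""
    i = 0
    while i < len(lines):
        m = RESOURCE_RE.match(lines[i])
        if not m:
            i += 1
            continue
        start, rtype, depth, names = i, m.group(1), 1, set()
        i += 1
        while i < len(lines):
            cur = lines[i]
            if depth == 1:  # only names at the resource's own level count
                n = _name_of(cur)
                if n:
                    names.add(n)
            depth += cur.count("{") - cur.count("}")
            if depth == 0:
                break
            i += 1
        else:
            raise ValueError(f"unterminated resource block at line {start + 1}")
        yield start, i, rtype, names
        i += 1


def missing_configuration(source, resource_name, attribute):
    """1-based line numbers of `resource_name` blocks lacking `attribute`.
    Presence only: a block with `encrypted = false` is not reported, exactly
    as the recipe would leave it alone."""
    return [start + 1 for start, _, rtype, names in _scan_blocks(source.splitlines())
            if rtype == resource_name and attribute not in names]


def add_configuration(source, resource_name, content):
    """Insert `content` at the end of each `resource_name` block that has no
    attribute or block with the same name; other blocks are returned untouched."""
    wanted = _name_of(content.splitlines()[0])
    if wanted is None:
        raise ValueError("content must start with an attribute or block name")
    lines = source.splitlines()
    inserts = {}  # index of a closing brace line -> indentation to use
    for start, end, rtype, names in _scan_blocks(lines):
        if rtype != resource_name or wanted in names:
            continue
        body = [l for l in lines[start + 1:end] if l.strip()]
        # Reuse the block's own indentation; fall back to two spaces.
        inserts[end] = re.match(r"\s*", body[0]).group(0) if body else "  "
    out = []
    for idx, line in enumerate(lines):
        if idx in inserts:
            out.extend(inserts[idx] + c for c in content.splitlines())
        out.append(line)
    return "\n".join(out) + ("\n" if source.endswith("\n") else "")


# The page's own Before/After example (two-space indentation assumed).
PAGE_BEFORE = """\
resource "aws_ebs_volume" {
  size = 1
}
resource "aws_ebs_volume" {
  # leave this one alone
  encrypted = false
}
"""
PAGE_AFTER = """\
resource "aws_ebs_volume" {
  size = 1
  encrypted = true
}
resource "aws_ebs_volume" {
  # leave this one alone
  encrypted = false
}
"""

if __name__ == "__main__":
    print(missing_configuration(PAGE_BEFORE, "aws_ebs_volume", "encrypted"))  # [1]
    print(add_configuration(PAGE_BEFORE, "aws_ebs_volume", "encrypted = true") == PAGE_AFTER)
```

As with the recipe, the check is on the attribute name only: the block carrying `encrypted = false` is neither modified nor reported as missing. A compliance audit that must also validate the value therefore needs a separate comparison once the attribute has been located, and running `add_configuration` a second time is a no-op, which is what makes the recipe safe to re-run.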
Used by
This recipe is used as part of the following composite recipes:
- Disable Instance Metadata Service version 1
- Disable Kubernetes dashboard
- Enable API gateway caching
- Enable Azure Storage Account Trusted Microsoft Services access
- Enable Azure Storage secure transfer required
- Enable VPC Flow Logs for subnetworks
- Enable VPC flow logs and intranode visibility
- Enable PodSecurityPolicy controller on Google Kubernetes Engine (GKE) clusters
- Enable geo-redundant backups on PostgreSQL server
- Enable point-in-time recovery for DynamoDB
- Encrypt Aurora clusters
- Encrypt Azure VM data disk with ADE/CMK
- Encrypt CodeBuild projects
- Encrypt DAX storage at rest
- Encrypt DocumentDB storage
- Encrypt EBS snapshots
- Encrypt EBS volume launch configurations
- Encrypt EBS volumes
- Encrypt EFS Volumes in ECS Task Definitions in transit
- Encrypt ElastiCache Redis at rest
- Encrypt ElastiCache Redis in transit
- Encrypt Neptune storage
- Encrypt RDS clusters
- Encrypt Redshift storage at rest
- Ensure AKS policies add-on
- Ensure AKV secrets have an expiration date set
- Ensure AWS CMK rotation is enabled
- Ensure AWS EFS with encryption for data at rest is enabled
- Ensure AWS EKS cluster endpoint access is publicly disabled
- Ensure AWS Elasticsearch domain encryption for data at rest is enabled
- Ensure AWS Elasticsearch domains have EnforceHTTPS enabled
- Ensure AWS Elasticsearch has node-to-node encryption enabled
- Ensure AWS IAM password policy has a minimum of 14 characters
- Ensure AWS Lambda function is configured for function-level concurrent execution limit
- Ensure AWS Lambda functions have tracing enabled
- Ensure AWS RDS database instance is not publicly accessible
- Ensure AWS S3 object versioning is enabled
- Ensure Amazon EKS control plane logging enabled for all log types
- Ensure Azure App Service Web app redirects HTTP to HTTPS
- Ensure Azure Network Watcher NSG flow logs retention is greater than 90 days
- Ensure Azure PostgreSQL database server with SSL connection is enabled
- Ensure Azure SQL Server threat detection alerts are enabled for all threat types
- Ensure Azure SQL server audit log retention is greater than 90 days
- Ensure Azure SQL server send alerts to field value is set
- Ensure Azure application gateway has WAF enabled
- Ensure Azure key vault is recoverable
- Ensure CloudTrail log file validation is enabled
- Ensure EC2 is EBS optimized
- Ensure ECR repositories are encrypted
- Ensure FTP Deployments are disabled
- Ensure GCP Kubernetes cluster node auto-repair configuration is enabled
- Ensure GCP Kubernetes engine clusters have legacy compute engine metadata endpoints disabled
- Ensure GCP VM instances have block project-wide SSH keys feature enabled
- Ensure GCP cloud storage bucket with uniform bucket-level access are enabled
- Ensure IAM password policy expires passwords within 90 days or less
- Ensure IAM password policy prevents password reuse
- Ensure IAM password policy requires at least one lowercase letter
- Ensure IAM password policy requires at least one number
- Ensure IAM password policy requires at least one symbol
- Ensure IAM password policy requires at least one uppercase letter
- Ensure IP forwarding on instances is disabled
- Ensure Kinesis Stream is securely encrypted
- Ensure MSSQL servers have email service and co-administrators enabled
- Ensure MySQL is using the latest version of TLS encryption
- Ensure MySQL server databases have Enforce SSL connection enabled
- Ensure MySQL server disables public network access
- Ensure MySQL server enables Threat Detection policy
- Ensure MySQL server enables geo-redundant backups
- Ensure PostgreSQL server disables public network access
- Ensure PostgreSQL server enables Threat Detection policy
- Ensure PostgreSQL server enables infrastructure encryption
- Ensure RDS database has IAM authentication enabled
- Ensure RDS instances have Multi-AZ enabled
- Ensure Send email notification for high severity alerts is enabled
- Ensure Send email notification for high severity alerts to admins is enabled
- Ensure VPC subnets do not assign public IP by default
- Ensure Web App has incoming client certificates enabled
- Ensure Web App uses the latest version of HTTP
- Ensure Web App uses the latest version of TLS encryption
- Ensure a security contact phone number is present
- Ensure activity log retention is set to 365 days or greater
- Ensure all keys have an expiration date
- Ensure app service enables HTTP logging
- Ensure app service enables detailed error messages
- Ensure app service enables failed request tracing
- Ensure app services use Azure files
- Ensure binary authorization is used
- Ensure compute instances launch with shielded VM enabled
- Ensure data stored in an S3 bucket is securely encrypted at rest
- Ensure detailed monitoring for EC2 instances is enabled
- Ensure enhanced monitoring for Amazon RDS instances is enabled
- Ensure key vault allows firewall rules settings
- Ensure key vault enables purge protection
- Ensure key vault key is backed by HSM
- Ensure key vault secrets have content_type set
- Ensure log profile is configured to capture all activities
- Ensure managed identity provider is enabled for app services
- Ensure private cluster is enabled when creating Kubernetes clusters
- Ensure public network access enabled is set to False for mySQL servers
- Ensure respective logs of Amazon RDS are enabled
- Ensure secure boot for shielded GKE nodes is enabled
- Ensure shielded GKE nodes are enabled
- Ensure standard pricing tier is selected
- Ensure storage account uses latest TLS version
- Ensure the GKE metadata server is enabled
- Ensure the S3 bucket has access logging enabled
- Ensure the storage container storing activity logs is not publicly accessible
- Make ECR tags immutable
- Scan images pushed to ECR
- Set Azure Storage Account default network access to deny
- Use HTTPS for Cloudfront distribution
Example
Parameters
Parameter | Value |
---|---|
resourceName | aws_ebs_volume |
content | encrypted = true |
Before
```hcl
resource "aws_ebs_volume" {
  size = 1
}
resource "aws_ebs_volume" {
  # leave this one alone
  encrypted = false
}
```
After
```hcl
resource "aws_ebs_volume" {
  size = 1
  encrypted = true
}
resource "aws_ebs_volume" {
  # leave this one alone
  encrypted = false
}
```
Diff
@@ -2,1 +2,2 @@
resource "aws_ebs_volume" {
- size = 1
+ size = 1
+ encrypted = true
}
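Review bot: the hunk lists `- size = 1` followed by an identical `+ size = 1`, so that pair is not a substantive change (most likely whitespace that did not survive extraction); the only real addition is the single `+ encrypted = true` line inside the first `aws_ebs_volume` block, which is what the `@@ -2,1 +2,2 @@` header's one-old/two-new count reflects. The second block, which already carries `encrypted = false`, is correctly outside the hunk, matching the recipe's rule that an attribute with a different value is left alone.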
Usage
This recipe has required configuration parameters and can only be run by users of Moderne.
To run this recipe, you will need to provide the Moderne CLI run command with the required options.
Or, if you'd like to create a declarative recipe, please see the below example of a rewrite.yml file:
```yaml
---
type: specs.openrewrite.org/v1beta/recipe
name: com.yourorg.AddConfigurationExample
displayName: Add Terraform configuration example
recipeList:
  - org.openrewrite.terraform.AddConfiguration:
      resourceName: aws_ebs_volume
      content: encrypted = true
```
Moderne CLI
You will need to have configured the Moderne CLI on your machine before you can run the following command.
```shell
mod run . --recipe AddConfiguration --recipe-option "resourceName=aws_ebs_volume" --recipe-option "content=encrypted = true"
```
If the recipe is not available locally, then you can install it using:
```shell
mod config recipes jar install org.openrewrite.recipe:rewrite-terraform:3.8.1
```
See how this recipe works across multiple open-source repositories
Run this recipe on OSS repos at scale with the Moderne SaaS.

The community edition of the Moderne platform enables you to easily run recipes across thousands of open-source repositories.
Please contact Moderne for more information about safely running the recipes on your own codebase in a private SaaS.
Data Tables
Source files that had results
org.openrewrite.table.SourcesFileResults
Source files that were modified by the recipe run.
Column Name | Description |
---|---|
Source path before the run | The source path of the file before the run. null when a source file was created during the run. |
Source path after the run | A recipe may modify the source path. This is the path after the run. null when a source file was deleted during the run. |
Parent of the recipe that made changes | In a hierarchical recipe, the parent of the recipe that made a change. Empty if this is the root of a hierarchy or if the recipe is not hierarchical at all. |
Recipe that made changes | The specific recipe that made a change. |
Estimated time saving | The estimated effort, in seconds, that a developer would need to make the fix manually instead of using this recipe. |
Cycle | The recipe cycle in which the change was made. |
Source files that errored on a recipe
org.openrewrite.table.SourcesFileErrors
The details of all errors produced by a recipe run.
Column Name | Description |
---|---|
Source path | The file that failed to parse. |
Recipe that made changes | The specific recipe that made a change. |
Stack trace | The stack trace of the failure. |
Recipe performance
org.openrewrite.table.RecipeRunStats
Statistics used in analyzing the performance of recipes.
Column Name | Description |
---|---|
The recipe | The recipe whose stats are being measured both individually and cumulatively. |
Source file count | The number of source files the recipe ran over. |
Source file changed count | The number of source files which were changed in the recipe run. Includes files created, deleted, and edited. |
Cumulative scanning time (ns) | The total time spent across the scanning phase of this recipe. |
99th percentile scanning time (ns) | 99 out of 100 scans completed in this amount of time. |
Max scanning time (ns) | The max time scanning any one source file. |
Cumulative edit time (ns) | The total time spent across the editing phase of this recipe. |
99th percentile edit time (ns) | 99 out of 100 edits completed in this amount of time. |
Max edit time (ns) | The max time editing any one source file. |