ThothCTL Check Project IaC Command¶
Overview¶
The thothctl check project iac command validates Infrastructure as Code source code structure and organization. This command ensures your IaC projects follow defined standards, have required files, and maintain proper folder hierarchies.
Command Structure¶
Usage: thothctl check project iac [OPTIONS]
Check Infrastructure as Code project structure and configuration
Options:
-m, --mode [soft|strict] Validation mode [default: soft]
-t, --check-type [structure|metadata|compliance]
Type of IaC check to perform [default: structure]
-p, --project-type [stack|module]
Project type: stack or module [default: stack]
--org-policy TEXT Organization policy source (Git URL or local path)
--enforcement [soft|hard] Enforcement mode: soft (report) or hard (fail pipeline)
--skip-org-policy Skip organizational policy check (project exceptions)
--help Show this message and exit.
Organization Policy Enforcement¶
ThothCTL can enforce organizational standards that projects cannot override. This ensures all projects in your organization follow the same structure, naming, and tagging rules — regardless of what individual .thothcf.toml files contain.
Policy Resolution Order¶
ThothCTL resolves the org policy source in this order:
| Priority | Source | Example |
|---|---|---|
| 1 | --org-policy flag |
--org-policy https://github.com/myorg/policies.git |
| 2 | THOTH_ORG_POLICY env var |
export THOTH_ORG_POLICY=https://github.com/myorg/policies.git |
| 3 | Active space's governance.policy_repo |
Set via thothctl space update <name> --policy-repo <url> |
| 4 | None (skip org policy) | No org rules applied |
Space Integration¶
When a space is active and has a policy_repo configured, organizational rules are loaded automatically — no flags or env vars needed:
# 1. Configure your space with the org policy repo
thothctl space update platform-team --policy-repo https://github.com/myorg/org-policies.git
# 2. Activate the space
thothctl space activate platform-team
# 3. Run check — org rules load automatically
thothctl check project iac -p stack
# Output:
# 📜 Loading org policy from: /home/user/.thothcf/.policy_cache/abc123
# ✅ Organization policy check passed
Skipping Org Policy (Project Exceptions)¶
Projects that have explicit exceptions from organizational rules can skip the check:
This is useful for: - Experimental/prototype projects not yet conforming to standards - Legacy projects with approved exceptions - Third-party imported projects
How It Works¶
- ThothCTL resolves the policy source (see resolution order above)
- The repo contains
rules/base.toml+rules/<project_type>.toml - ThothCTL merges org rules with project rules — mandatory org rules cannot be weakened
- Violations are reported with enforcement level (mandatory = fail, recommended = warn)
Usage¶
# Automatic via active space (preferred)
thothctl space activate platform-team
thothctl check project iac --enforcement hard
# Via env var (CI/CD)
export THOTH_ORG_POLICY=https://github.com/myorg/org-policies.git
thothctl check project iac --enforcement hard
# Pin to a version
export THOTH_ORG_POLICY=https://github.com/myorg/org-policies.git@v1.0
thothctl check project iac --enforcement hard
# Via flag (explicit override)
thothctl check project iac --org-policy /path/to/org-policies --enforcement hard
Enforcement Levels¶
| Level | Behavior | Project Can Override? |
|---|---|---|
mandatory |
Fails pipeline with --enforcement hard |
❌ No |
recommended |
Warning only | ⚠️ Can opt-out |
informational |
Report only | ✅ Yes |
Org Policy Repo Structure¶
org-policies/
├── rules/ # ThothCTL structural rules
│ ├── base.toml # All project types
│ ├── terraform-terragrunt.toml
│ ├── terraform_module.toml
│ └── cdkv2.toml
├── shared/policy/ # OPA/Rego policies (used by scan iac -t opa)
│ ├── naming.rego
│ ├── tagging.rego
│ └── regions.rego
└── README.md
The same repo serves both:
- thothctl check project iac → reads rules/
- thothctl scan iac -t opa → reads shared/policy/ (auto-discovered via THOTH_ORG_POLICY)
Example Output¶
📜 Loading org policy from: https://github.com/myorg/org-policies.git
❌ Mandatory Violations
┌────────────────────────────────────┬─────────────────┬─────────┐
│ Rule │ Expected │ Found │
├────────────────────────────────────┼─────────────────┼─────────┤
│ project_structure.folders.docs │ docs/ exists │ missing │
│ project_structure.root_files │ .pre-commit... │ missing │
└────────────────────────────────────┴─────────────────┴─────────┘
⚠️ Recommendations
┌────────────────────────────────────┬─────────────────┬─────────┐
│ Rule │ Expected │ Found │
├────────────────────────────────────┼─────────────────┼─────────┤
│ project_structure.folders.common │ common/ exists │ missing │
└────────────────────────────────────┴─────────────────┴─────────┘
CI/CD Integration¶
# GitHub Actions
- name: Check org compliance
run: thothctl check project iac --enforcement hard
env:
THOTH_ORG_POLICY: https://github.com/myorg/org-policies.git@v1.0
Project Types¶
Stack Projects (-p stack)¶
Full infrastructure projects with modules, environments, and complete project structure.
Typical Structure:
project/
├── .gitignore
├── .pre-commit-config.yaml
├── README.md
├── root.hcl
├── modules/
│ ├── networking/
│ │ ├── main.tf
│ │ ├── variables.tf
│ │ ├── outputs.tf
│ │ └── README.md
│ └── compute/
├── environments/
│ ├── dev/
│ ├── staging/
│ └── prod/
└── common/
Usage:
Module Projects (-p module)¶
Single reusable Terraform modules with examples and documentation.
Typical Structure:
module/
├── .gitignore
├── .pre-commit-config.yaml
├── README.md
├── main.tf
├── variables.tf
├── outputs.tf
├── docs/
├── examples/
│ └── complete/
│ ├── main.tf
│ ├── variables.tf
│ ├── outputs.tf
│ └── terraform.tfvars
└── test/
Usage:
Check Types¶
Structure Validation (-t structure)¶
Validates folder and file structure against templates.
What it checks: - Required root files exist - Mandatory folders are present - Folder content matches requirements - Parent-child folder relationships
Example:
Metadata Validation (-t metadata)¶
Validates project metadata and configuration files.
What it checks: - Project configuration completeness - Metadata format and validity - Documentation presence
Example:
Compliance Validation (-t compliance)¶
Validates compliance with organizational standards.
What it checks: - Security requirements - Naming conventions - Required documentation - Policy adherence
Example:
Validation Modes¶
Soft Mode (-m soft)¶
Reports issues but doesn't fail the command (exit code 0).
Use cases: - Development workflow - Initial project setup - Informational checks
Strict Mode (-m strict)¶
Reports issues and fails with non-zero exit code if any issues found.
Use cases: - CI/CD pipelines - Pre-deployment validation - Production readiness checks
Configuration¶
Template Files¶
Structure validation uses template files to define requirements:
Stack Template: src/thothctl/common/.thothcf_project.toml
[project_structure]
root_files = [
".gitignore",
".pre-commit-config.yaml",
"README.md",
"root.hcl"
]
[[project_structure.folders]]
name = "modules"
mandatory = true
type = "root"
content = [
"variables.tf",
"main.tf",
"outputs.tf",
"README.md"
]
Module Template: src/thothctl/common/.thothcf_module.toml
[project_structure]
root_files = [
".gitignore",
".pre-commit-config.yaml",
"README.md"
]
[[project_structure.folders]]
name = "examples"
mandatory = true
type = "child"
parent = "modules"
Custom Configuration¶
Override defaults by creating .thothcf.toml in your project root:
[thothcf]
project_type = "stack" # or "module"
[project_structure]
root_files = [
".gitignore",
"README.md",
"custom-file.txt"
]
[[project_structure.folders]]
name = "custom-folder"
mandatory = true
type = "root"
Usage Examples¶
Validate Full Stack Project¶
# Basic validation
thothctl check project iac -p stack
# Strict validation for CI/CD
thothctl check project iac -p stack -m strict
# Check specific aspect
thothctl check project iac -p stack -t compliance
Validate Single Module¶
# Navigate to module directory
cd modules/networking
# Validate module structure
thothctl check project iac -p module
# Strict validation
thothctl check project iac -p module -m strict
Development Workflow¶
# During development (soft mode)
thothctl check project iac -p stack -m soft
# Before committing
thothctl check project iac -p stack -m strict
# Check specific module
cd modules/compute
thothctl check project iac -p module
Output Format¶
The command provides rich formatted output with clear status indicators:
╭─────────────────────────────────────────────────────────────────╮
│ 🏗️ Infrastructure as Code Stack Structure Check │
╰─────────────────────────────────────────────────────────────────╯
🏗️ Root Structure
╭──────────────┬──────┬──────────┬──────────┬─────────────────────╮
│ Item │ Type │ Required │ Status │ Details │
├──────────────┼──────┼──────────┼──────────┼─────────────────────┤
│ modules │ 📁 │ Required │ ✅ Pass │ . │
│ environments │ 📁 │ Required │ ✅ Pass │ . │
│ README.md │ 📄 │ Required │ ✅ Pass │ . │
╰──────────────┴──────┴──────────┴──────────┴─────────────────────╯
📁 Module Structure
╭──────────────┬──────┬──────────┬──────────┬─────────────────────╮
│ Item │ Type │ Required │ Status │ Details │
├──────────────┼──────┼──────────┼──────────┼─────────────────────┤
│ main.tf │ 📄 │ Required │ ✅ Pass │ modules/networking │
│ variables.tf │ 📄 │ Required │ ✅ Pass │ modules/networking │
│ outputs.tf │ 📄 │ Required │ ✅ Pass │ modules/networking │
╰──────────────┴──────┴──────────┴──────────┴─────────────────────╯
╭─────────────────────────────────────────────────────────────────╮
│ ✅ IaC project structure validation passed │
╰─────────────────────────────────────────────────────────────────╯
CI/CD Integration¶
GitHub Actions¶
name: Validate IaC Structure
on: [push, pull_request]
jobs:
validate:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v2
- name: Install ThothCTL
run: pip install thothctl
- name: Validate Stack Structure
run: thothctl check project iac -p stack -m strict
GitLab CI¶
validate-structure:
stage: validate
script:
- pip install thothctl
- thothctl check project iac -p stack -m strict
only:
- merge_requests
- main
Pre-commit Hook¶
# .pre-commit-config.yaml
repos:
- repo: local
hooks:
- id: thothctl-check-structure
name: Validate IaC Structure
entry: thothctl check project iac -p stack -m strict
language: system
pass_filenames: false
Comparison with check iac¶
| Aspect | check project iac |
check iac |
|---|---|---|
| Focus | Source code structure | Generated artifacts |
| Validates | Folders, files, organization | Plans, costs, dependencies |
| Input | Source .tf files | tfplan.json, graphs |
| When to use | Development, CI/CD | Pre-deployment analysis |
| Output | Structure validation | Analysis reports |
| Validation mode | --mode soft/strict |
N/A (informational only) |
| Exit on failure | Yes (in strict mode) | No (always informational) |
Use both commands together:
# 1. Validate source structure
thothctl check project iac -p stack -m strict
# 2. Generate plan
tofu plan -out=tfplan.bin
tofu show -json tfplan.bin > tfplan.json
# 3. Analyze artifacts
thothctl check iac -type tfplan
thothctl check iac -type cost-analysis
thothctl check iac -type blast-radius
Troubleshooting¶
Missing Required Files¶
Solution: Add the missing file or update your .thothcf.toml configuration.
Invalid Project Type¶
Solution: Use -p stack or -p module option.
Configuration Not Found¶
Solution: This is informational. Create .thothcf.toml for custom configuration.
Best Practices¶
- Use Strict Mode in CI/CD: Enforce structure requirements in pipelines
- Validate Early: Check structure during development, not just before deployment
- Customize Templates: Create
.thothcf.tomlfor project-specific requirements - Module Validation: Always validate modules independently with
-p module - Combine Checks: Use both
check project iacandcheck iacfor comprehensive validation
Related Commands¶
- check iac - Analyze generated artifacts
- init project - Initialize projects with correct structure
- scan - Security scanning for IaC