search
githubEdit

Demo Case: Terraform with DolphinScheduler

Scan and remediate a real Terraform deployment to make an open-source workload production-ready.

Show how Gomboc can take a real, actively maintained open-source Terraform deployment and go from “find problems” to “find and fix” directly in your IDE, then package the changes into a clean PR that your team can review and trust.

You’ll use a real-world open-source deployment (Apache Dolphin Schedulerarrow-up-right) with Terraform to demonstrate production-hardening fixes and guardrails.

hashtag
Prerequisites

  • Gomboc IDE plugin installed and configured. See: VSCode Plugin page.

  • Terraform installed locally (if you plan to run validate/plan/apply)

hashtag
Step 0: Prepare the demo repo

  1. Clone the demo repo and open it in VS Code:

git clone https://github.com/iac-playground/dolphinscheduler.git

  1. Confirm the repo is in a good state:

  • Run terraform fmt -recursive

  • Run terraform validate (or the repo’s documented validate flow)

hashtag
Step 1: Run the first scan (the “wow” moment)

  1. Open the Command Palette (Ctrl/Cmd + Shift + P)

  2. Run: Gomboc: Scan current file or scenario (or scan-on-save, if enabled)

  3. Keep the repo open: this is a multi-file Terraform project, so it should produce findings across the codebase.

circle-info

Traditional tools mostly stop at “here are findings.” Gomboc is built to connect findings to fixes in a consistent, reviewable workflow.

hashtag
Step 2: Review findings

In the IDE results list, pick 3-5 high-signal issues to focus on first. Typical categories for this repo include:

  • Public exposure defaults (public instances / public DB access)

  • Metadata hardening (IMDSv1 not disabled / metadata settings missing)

  • Encryption gaps (S3 / RDS / EBS)

  • Overly permissive IAM (broad actions like s3:*)

  • Monitoring/backup gaps (log export, backup windows, retention)

You can also review this through the Gomboc Reviewer (Webview), which will provide you a single, centralized place to triage the findings, preview deterministic remediations, and apply changes across multiple files.

  1. In the Gomboc results list, select one or more findings (multi-select if supported).

    • Example: select several database-related fixes (multi-AZ, public access off, deletion protection).

  2. Click Review in Webview / Open Webview Reviewer (wording may vary).

    • This opens a Gomboc “web view” inside the IDE that’s optimized for reviewing fixes.

hashtag
Step 3: Inspect finding details

For each selected finding in the Webview Reviewer, review:

  1. Resource reference (which Terraform resource/module is affected)

  2. Rule / policy driver (what guardrail triggered this fix)

  3. Description of what the fix does

  4. (Optional) External mapping fields if present

    • Example: IDs or references that align with other scanners (like Checkov)

hashtag
Step 4: Preview fixes

  1. In the Webview Reviewer, click Preview (or Preview fixes).

  2. Gomboc will:

    • apply the changes in the correct order

    • ensure changes are consistent across dependencies

    • generate a preview of code diffs you can review before applying

  3. Wait for preview generation to complete.

What you should see:

  • A preview list showing exact code changes per resource/finding.

  • A concrete diffs, not just recommendations.

  • A summary of which rules triggered which updates (e.g., enabling metadata service hardening, enabling monitoring, termination protection).

hashtag
Step 5: Review diffs in detail

For a selected previewed fix:

  1. Click Open diff to see the exact Terraform patch.

  2. Use View full resource in context to understand how the change fits into the resource/module.

  3. Confirm the fix is:

    • logically correct for production hardening

    • consistent with your organization’s expectations

    • not introducing unexpected side effects

hashtag
Step 6: Apply fixes from the Webview Reviewer

  1. After reviewing preview diffs, click Apply (or Apply fixes).

  2. Gomboc will apply the selected patches to your working tree.

hashtag
Step 7: Validate changes locally (recommended)

In a terminal at the repo root (or Terraform root):

  1. Format:

    • terraform fmt -recursive

  2. Validate:

    • terraform validate (or run the repo’s documented validation steps if it requires variables/modules)

Checkpoint: Terraform validation passes (or you can clearly explain any missing inputs required by the repo).

hashtag
Step 8: Re-scan to confirm findings are resolved

  1. Run the scan again from the IDE:

    • ScanScan current file or scenario

  2. Confirm the previously selected findings are now:

    • resolved / removed

    • reduced in severity/count

PreviousGomboc Demo CasesNextJava with DolphinScheduler

Last updated