Configuration
Cloudrift uses a YAML configuration file to define AWS credentials, region, and scan parameters.
Config File Format
aws_profile: default
region: us-east-1
plan_path: ./examples/terraform-plan.json
policy_dir: ./policies # optional
fail_on_violation: false # optional
skip_policies: false # optional
Fields
| Field | Type | Required | Default | Description |
|---|---|---|---|---|
| aws_profile | string | yes | default | AWS credentials profile name from ~/.aws/credentials |
| region | string | yes | us-east-1 | AWS region to scan |
| plan_path | string | yes | — | Path to Terraform plan JSON file |
| policy_dir | string | no | built-in | Custom OPA policy directory |
| fail_on_violation | bool | no | false | Exit with non-zero code when violations are found |
| skip_policies | bool | no | false | Skip OPA policy evaluation entirely |
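A pre-flight check for the fields above, as an added example that is not part of Cloudrift: it validates a config before a CI scan and flags the two settings that stop a scan from gating a pipeline (`skip_policies: true`, or `fail_on_violation` left at its `false` default). It assumes the flat `key: value` layout shown above and uses a minimal parser instead of a YAML library; the function names and the sample are hypothetical.

```python
# Added example, not Cloudrift code: lint a config file before a CI scan.
# Assumes the flat "key: value" layout shown above (no nesting, no lists).
REQUIRED = ("aws_profile", "region", "plan_path")
BOOLS = ("fail_on_violation", "skip_policies")
KNOWN = REQUIRED + BOOLS + ("policy_dir",)


def parse_flat_yaml(text):
    """Parse flat 'key: value' lines, dropping '#' comments and blank lines."""
    config = {}
    for raw in text.splitlines():
        line = raw.split(" #", 1)[0].strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"not a key: value line: {raw!r}")
        config[key.strip()] = value.strip().strip("'\"")
    return config


def lint_config(text, gating=True):
    """Return (errors, warnings); gating=True means violations must fail the run."""
    cfg = parse_flat_yaml(text)
    errors = [f"missing required field: {f}" for f in REQUIRED if not cfg.get(f)]
    warnings = []
    for field in BOOLS:
        if cfg.get(field, "false").lower() not in ("true", "false"):
            errors.append(f"{field} must be true or false, got {cfg[field]!r}")
    for field in sorted(set(cfg) - set(KNOWN)):
        warnings.append(f"unknown field (typo?): {field}")
    if cfg.get("skip_policies", "").lower() == "true":
        warnings.append("skip_policies is true: OPA policy evaluation is disabled")
    if gating and cfg.get("fail_on_violation", "").lower() != "true":
        warnings.append("fail_on_violation is not true: violations will not fail the run")
    return errors, warnings


# Constructed sample: plan_path is missing and skip_policies is misspelled.
SAMPLE = """\
aws_profile: default
region: us-east-1
policy_dir: ./policies   # optional
skip_policy: true
"""

if __name__ == "__main__":
    for level, msgs in zip(("ERROR", "WARN"), lint_config(SAMPLE)):
        print(*(f"{level}: {m}" for m in msgs), sep="\n")
```
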
Multiple Service Configs
Each AWS service needs its own plan file. Create separate configs:
The Scan screen auto-switches the config path when you change the service selector.
Config Locations
Docker
The Docker image includes default configs at:
Desktop
The app looks for configs relative to the CLI binary's directory:
<cloudrift-repo>/config/cloudrift-s3.yml
<cloudrift-repo>/config/cloudrift-ec2.yml
<cloudrift-repo>/config/cloudrift-iam.yml
Web API
Use the config endpoints to read and write configs:
# Read current config (URL quoted so the shell does not treat "?" as a glob)
curl 'http://localhost:8080/api/config?path=/etc/cloudrift/config/cloudrift-s3.yml'
# Update config: the request body is the new YAML content
curl -X PUT 'http://localhost:8080/api/config?path=/etc/cloudrift/config/cloudrift-s3.yml' \
  -d 'aws_profile: production
region: eu-west-1
plan_path: /etc/cloudrift/examples/terraform-plan.json'
Plan File Format
The plan_path should point to a Terraform plan JSON file generated by:
The plan file contains the full resource graph that Cloudrift uses for drift detection. See the Resource Builder for generating plan files from the UI.