Enforcing Cloud Resource Policy Guardrails for HashiCorp Terraform Cloud
I’m excited to announce the Styra DAS integration with HashiCorp Terraform Cloud via run tasks is now generally available to Styra DAS users! Users can now enforce cloud resource policy guardrails at every step of the DevOps process, including right before Terraform Cloud applies changes to your cloud resources.
Automating Cloud Infrastructure Security
Adoption of Infrastructure-as-Code (IaC) tools like Terraform continues to increase, from small startups all the way to the largest enterprises. HashiCorp, the creator of Terraform, offers the Terraform Cloud platform as the simplest path to securely managing your team’s cloud resources with Terraform.
Given the importance of Terraform to modern infrastructure, companies that use Terraform Cloud need robust security, compliance and operational guardrails to minimize risk while accelerating development. The Styra DAS integration with Terraform Cloud run tasks supplies these cloud guardrails natively, allowing teams to validate every change to a Terraform plan against the authorization policies in their Styra DAS Terraform system. In this context, authorization policies not only govern the security of Terraform resources, but also provide guardrails for how your team deploys cloud resource changes via Terraform Cloud, reducing human error. Styra DAS implements these authorization checks with Open Policy Agent (OPA), the open-source policy engine created by Styra, and OPA’s declarative policy language, Rego, to define policy as code. The deployment architecture for the Styra DAS and Terraform Cloud integration is below:
Terraform Cloud Policies
You can set policy guardrails for your Terraform Cloud workspaces in just a few minutes using the Styra DAS Terraform Policy Library to ensure best practices in AWS, Microsoft Azure and Google Cloud. The true power of Styra DAS, however, is in how easily you can extend the policy library and create custom policies to meet your team’s unique requirements. This applies not just to resource-based policies, such as ensuring new AWS S3 buckets are encrypted, but also to the context around your Terraform Cloud configuration and deployments.
One example of enforcing good deployment practices is codifying the “no Friday deploys” rule that most teams already follow informally. With Styra DAS integrated into your Terraform Cloud workspace, a simple policy is enough to block Friday deploys in Terraform Cloud:
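As an added example (not the policy from the original post or the Styra DAS Terraform Policy Library), the Rego below combines the “no Friday deploys” check with the resource guardrail mentioned earlier (new S3 buckets must be encrypted) and two of the deployment-context ideas that follow (blast radius, minimum Terraform version). It assumes `input` is the plan JSON that Terraform Cloud exposes to the run task (`terraform show -json` format), the plain OPA `deny[msg]` rule convention, and the hypothetical package name and limits shown.

```rego
# Added example (not Styra's library code or the original post's snippet).
# Assumes `input` is the JSON plan Terraform Cloud hands to the run task
# (`terraform show -json` format) and the plain OPA/conftest `deny[msg]`
# convention; the package name and the two tunables are assumptions.
package main

max_changes := 25          # hypothetical blast-radius limit per run
min_tf_version := "1.3.0"  # hypothetical minimum Terraform version

# 1. "No Friday deploys": checked against OPA's clock, interpreted in UTC.
#    (In `opa test`, mock the clock with `with time.now_ns as <ns>`.)
deny[msg] {
    time.weekday([time.now_ns(), "UTC"]) == "Friday"
    msg := "deploys are blocked on Fridays"
}

# 2. Blast radius: resource addresses whose planned action is anything
#    other than no-op or read (data sources).
changed[addr] {
    rc := input.resource_changes[_]
    action := rc.change.actions[_]
    action != "no-op"
    action != "read"
    addr := rc.address
}

deny[msg] {
    n := count(changed)
    n > max_changes
    msg := sprintf("plan touches %d resources; the limit is %d", [n, max_changes])
}

# 3. Minimum Terraform version, read from the plan's terraform_version field.
deny[msg] {
    semver.compare(input.terraform_version, min_tf_version) < 0
    msg := sprintf("Terraform %s is below the required %s", [input.terraform_version, min_tf_version])
}

# 4. Resource guardrail: a newly created aws_s3_bucket must carry an inline
#    server_side_encryption_configuration block (AWS provider v3 schema; with
#    provider v4+ check for the separate
#    aws_s3_bucket_server_side_encryption_configuration resource instead).
deny[msg] {
    rc := input.resource_changes[_]
    rc.type == "aws_s3_bucket"
    rc.change.actions[_] == "create"
    count(object.get(rc.change.after, "server_side_encryption_configuration", [])) == 0
    msg := sprintf("%s must enable server-side encryption", [rc.address])
}
```

Locally, `terraform show -json tfplan > plan.json` followed by `opa eval -i plan.json -d policy.rego 'data.main.deny'` shows every violation the run task would report; an empty set means the run may proceed.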
Other Styra DAS policy ideas include:
- Govern which team members can deploy to certain environments and cloud provider regions using a Styra DAS LDAP data source.
- Limit expansive resource changes within a single deploy by defining a deploy-level “blast radius” policy.
- Enforce minimum Terraform or provider versions across workspaces.
- Check your cloud provider’s service status and prevent deploys to regions/services experiencing outages.
- Prevent production deploys that are unrelated to an active PagerDuty incident while that incident is open, using a Styra DAS HTTP data source.
- Prevent production deploys if a Styra DAS HTTP data source (e.g., calendar) lists a company board meeting or investor event to ensure system stability during important company events.
Integrating Styra DAS Terraform Systems
Integrating a Styra DAS Terraform system with existing Terraform Cloud workspaces takes no more than five minutes, requiring no agents to install and no infrastructure to provision.
Follow our integration setup guide to complete the following steps:
- Generate a temporary Terraform Cloud organization API token for Styra DAS.
- Provide Styra DAS with your Terraform Cloud token for Styra DAS to create your run task.
- Add the run task to a Terraform Cloud workspace.
- Map your Terraform Cloud workspace(s) to Styra DAS Terraform systems and their policies.
- Trigger a new run for your Terraform Cloud workspace via the Terraform Cloud UI or via the Terraform CLI (`terraform apply`).
- View your Styra DAS policy evaluation results in the Terraform Cloud workspace run and in your Styra DAS Terraform system.
Styra DAS Terraform System Features
The Terraform system type in Styra DAS Free supports many additional features, including:
- Create policies in Styra DAS Stacks to apply common policies across multiple systems (e.g., enforce base encryption policies for dev, staging, and production systems).
- Redact sensitive variable values in decision logs.
- Evaluate the impact of policy changes using past decisions.
- Preview policy evaluation results as you build your policies.
- Add data sources to provide additional policy evaluation inputs (e.g., an LDAP data source).
- Use the Terraform CLI and the Styra CLI to evaluate the same Styra DAS policies in your CI/CD pipeline and in Terraform Cloud.
- Add system notifications to provide members of your extended team with real-time policy evaluation results.
Start the Terraform Cloud Tutorial
Follow along with our Terraform Cloud tutorial for a head start on creating policies for a demo Terraform Cloud workspace.
Get started with Styra DAS Free by creating your account at signup.styra.com, or try Styra DAS Teams for more flexibility.
FAQs
Is Terraform Cloud Secure?
Terraform Cloud provides robust security protections by, among other things, encrypting Terraform configurations and state at rest, with unique encryption keys for those resources stored in Vault, while communications between clients and Terraform Cloud are end-to-end encrypted with TLS.
Does Terraform work with private clouds?
While the infrastructure resources Terraform manages are often hosted in public clouds like Amazon AWS, Microsoft Azure and Google Cloud Platform, you can also use it to manage resources in on-premises private clouds that expose an API, using technologies like VMware vSphere or OpenStack.
What is Terraform Cloud?
Terraform Cloud is the managed version of the open-source tool Terraform, provided by HashiCorp. Leveraging Terraform and Open Policy Agent (OPA), platform teams can enforce cloud security and DevOps guardrails on their cloud infrastructure — providing both security around Terraform resources and reducing human error when teams make resource changes.