Code Security Integration with Terraform Cloud
Protect your infrastructure by detecting potential issues in your Terraform configuration and plan before applying the changes to production. You can integrate Code Security with Terraform Cloud or Terraform Enterprise. The integration is based on an AWS Lambda function that is triggered by the Run Task at the relevant stage.
Terraform Cloud Integration Types
Code Security can be integrated with the Pre-plan stage or the Post-plan stage of the Terraform run:

Pre-plan stage
This stage takes place right before the plan stage. In this stage, Code Security scans the Terraform configuration deployed in this run for misconfigurations.

Post-plan stage
This stage takes place between the plan and apply stages. In this stage, Code Security scans the generated plan of the current run for potential issues before the changes are applied to your live infrastructure.

You can read more about run tasks in the Terraform Cloud documentation.
Integration Environment Variables
Variable | Required | Description
---|---|---
SPECTRAL_DSN | Yes | Your Spectral DSN, retrieved from SpectralOps
CHECK_POLICY | Yes | If Spectral finds issues, how the run should be handled. The policies are based on the Spectral issue severity (critical / high / medium / low / informational). Valid values: "Fail on any issue" / "Fail on low and above" / "Fail on medium and above" / "Fail on high and above" / "Fail on critical only" / "Always Pass"
HMAC_KEY | No | A key used to secure your Run Task by validating the request payload signature. It must be identical to the HMAC key you set in the Run Task
TERRAFORM_USER_KEY | No | User API key created by Terraform (required for a pre-plan run task); can be created in Terraform Cloud
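The two security-relevant settings in this table are HMAC_KEY and CHECK_POLICY: the first lets the Lambda reject run task requests that were not sent by Terraform Cloud, the second decides whether a run is allowed to proceed once Spectral has reported findings. The following Python block is an added illustration of both decisions and is not Spectral's Lambda code. It relies on Terraform Cloud's documented behaviour of sending an HMAC-SHA512 hex digest of the raw request body in the `X-TFC-Task-Signature` header when an HMAC key is configured; the mapping of the CHECK_POLICY strings to a severity threshold, the sample request body, key and findings are constructed for the example.

```python
import hashlib
import hmac
import json

# Severity scale used by the CHECK_POLICY values in the table above,
# from least to most severe.
SEVERITIES = ["informational", "low", "medium", "high", "critical"]

# Lowest severity that fails the run for each CHECK_POLICY value
# (None = "Always Pass"). The strings are the valid values from the table;
# how the real Lambda maps them internally is an assumption of this example.
POLICY_THRESHOLD = {
    "Fail on any issue": "informational",
    "Fail on low and above": "low",
    "Fail on medium and above": "medium",
    "Fail on high and above": "high",
    "Fail on critical only": "critical",
    "Always Pass": None,
}

# Header Terraform Cloud uses to carry the HMAC-SHA512 hex digest of the
# request body when an HMAC key is configured on the run task.
SIGNATURE_HEADER = "X-TFC-Task-Signature"


def sign_body(body: bytes, hmac_key: str) -> str:
    """Compute the digest Terraform Cloud puts in X-TFC-Task-Signature."""
    return hmac.new(hmac_key.encode(), body, hashlib.sha512).hexdigest()


def verify_run_task_signature(body: bytes, signature: str, hmac_key: str) -> bool:
    """Return True only if the signature matches the raw body under HMAC_KEY.
    A missing key or header fails closed; compare_digest avoids a timing side
    channel on the comparison itself (bytes are compared so a non-ASCII
    header value cannot raise instead of failing)."""
    if not signature or not hmac_key:
        return False
    expected = sign_body(body, hmac_key).encode()
    return hmac.compare_digest(expected, signature.strip().lower().encode())


def evaluate_policy(finding_severities, check_policy: str) -> str:
    """Decide "passed" or "failed" for the run from the severities Spectral
    reported, under the configured CHECK_POLICY."""
    threshold = POLICY_THRESHOLD[check_policy]  # unknown policy -> KeyError
    if threshold is None:
        return "passed"
    min_rank = SEVERITIES.index(threshold)
    for sev in finding_severities:
        if SEVERITIES.index(sev.lower()) >= min_rank:  # unknown severity -> ValueError
            return "failed"
    return "passed"


def handle_run_task(body: bytes, headers: dict, hmac_key: str,
                    check_policy: str, finding_severities) -> dict:
    """Gate the policy decision behind signature validation so that an
    unsigned or mis-signed request never influences the run's outcome."""
    header_lookup = {k.lower(): v for k, v in headers.items()}
    signature = header_lookup.get(SIGNATURE_HEADER.lower(), "")
    if not verify_run_task_signature(body, signature, hmac_key):
        return {"status": 401, "reason": "invalid run task signature"}
    payload = json.loads(body)
    return {
        "status": 200,
        "run_id": payload.get("run_id"),
        "result": evaluate_policy(finding_severities, check_policy),
    }


# Constructed sample request (not a real Terraform Cloud payload).
SAMPLE_KEY = "constructed-hmac-key"
SAMPLE_BODY = json.dumps({"run_id": "run-constructed-0001", "stage": "post_plan"}).encode()
SAMPLE_HEADERS = {SIGNATURE_HEADER: sign_body(SAMPLE_BODY, SAMPLE_KEY)}
SAMPLE_FINDINGS = ["low", "medium"]

if __name__ == "__main__":
    # Correctly signed request: policy is evaluated and the run fails.
    print(handle_run_task(SAMPLE_BODY, SAMPLE_HEADERS, SAMPLE_KEY,
                          "Fail on medium and above", SAMPLE_FINDINGS))
    # Bad signature: rejected before any scan result is considered.
    print(handle_run_task(SAMPLE_BODY, {SIGNATURE_HEADER: "00"}, SAMPLE_KEY,
                          "Fail on medium and above", SAMPLE_FINDINGS))
```

The order of the checks is the point: the signature is verified over the raw bytes before the body is parsed or any finding is consulted, so a request that does not carry a valid digest under the shared HMAC_KEY cannot pass or fail a run. This is why the table says HMAC_KEY must be identical to the key entered in the Run Task; if the two differ, every request is rejected.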
Configuration

1. Use one of these methods to create the required AWS resources:
   - Use the Terraform module (set the `integration_type` param value to `terraform`).
   - Launch the CloudFormation stack.
2. Add all the required environment variables, including `SPECTRAL_DSN`, `CHECK_POLICY` and `HMAC_KEY`.
3. Optional - If you plan to create a pre-plan Run Task:
   - Create a user API key in Terraform.
   - Set the user API key in the `TERRAFORM_USER_KEY` environment variable.
4. Copy the Gateway API URL and keep it in a safe place.
   Note - If you are using the Terraform module, use the `rest_api_url` output.
5. In Terraform Cloud, log in to your organization.
6. From the top menu, click Settings.
7. From the side menu, in the Integrations section, click Run tasks.
8. In the Create a Run Task section:
   - Enter a name for the run task.
   - In the Endpoint URL field, paste the Gateway API URL you copied from AWS.
   - Enter a description for the run task.
   - In the HMAC key field, paste the value of the `HMAC_KEY` from Code Security.
9. Click Create run task.
10. Open the relevant Terraform Cloud Workspace.
11. Expand Settings > click Run Tasks.
12. In the Configure Run Task menu, set the Enforcement Level to Mandatory.
13. Click Save.
14. In Terraform Cloud, trigger a run to test the Run Task.