Integrating Bridgecrew with Terraform Cloud embeds Bridgecrew's library of hundreds of out-of-the-box policies into every workspace run. Bridgecrew scans the workspace plans you choose and displays the results both in Terraform Cloud Run's page and in the Bridgecrew platform.
There are two ways to integrate Terraform Cloud with Bridgecrew Cloud:
- Via Run Tasks (Recommended)
- Via Sentinel
As of October 2021, Terraform Cloud Run Tasks is enabled by default for Hashicorp Business tier customers. If you are interested in Run Tasks and are not a current Terraform Cloud for Business customer, you can sign up for access here."
When Bridgecrew is integrated with Terraform Run Tasks, a Bridgecrew scan will be run after the Plan stage and before the Apply stage.
Bridgecrew scans the Plan file and sends Terraform Cloud:
- The status of the scan (Pass/Fail)
- A short summary of the scan results which lists the resources scanned and the errors found.
Terraform Cloud uses this status response to determine if a run should proceed, based on the task's enforcement settings within a workspace.
See Terraform Cloud documentation for further details on Run Tasks.
The integration includes steps in both Terraform Cloud and Bridgecrew Cloud.
From the Integrations Catalog, under CI/CD, select Terrafrom (Run Tasks).
- Under User Settings, select Tokens.
- Create a new API token, or use an existing one. Notice you should use a token of a user that has permissions of an organization owner in the organizations you wish to integrate.
- Copy your Terraform Cloud user token and paste it under User Token, then select NEXT
- Select the Terraform Cloud organization for the Run Task, then select NEXT.
Every integration can be associated with only one organization at a time. You can create multiple Bridgecrew integrations with multiple Terraform Cloud organizations from a single Bridgecrew account.
- Select one or more workspaces for the Run Task, then select NEXT.
If you want Bridgecrew's Run Tasks to be mandatory, click on Make Bridgecrew's run tasks mandatory. By default, Run Tasks are set to be "Advisory".
Note: after the next Terraform Cloud scan, the scanned workspace will appear in the Integrations grid; for further details, see here.
A Terraform Cloud run will fail if a Bridgecrew scan reports a failure and if the Run Task for the specific Workspace is configured as Mandatory.
To configure the severity level for which Bridgecrew reports a failure, see the Code Reviews section in the Code Repository Settings.
Whenever a plan update is triggered in Terraform Cloud for the configured workspaces, Bridgecrew Run Task will be run. If the task fails, the number of errors found is displayed. Select Details to go to Bridgecrew Cloud for full information.
Updated 7 days ago