Terraform Cloud (Run Tasks)

Overview

Integrating Bridgecrew with Terraform Cloud embeds Bridgecrew's library of hundreds of out-of-the-box policies into every run of the workspaces you choose. Bridgecrew scans each selected workspace's plan and displays the results both on the Terraform Cloud run page and in the Bridgecrew platform.

How to Integrate with Terraform Cloud

There are two ways to integrate Terraform Cloud with Bridgecrew Cloud:

  • Via Run Tasks
  • Via Sentinel

Integration via Run Tasks

📘

Notes

  1. As of October 2021, Terraform Cloud Run Tasks is enabled by default for HashiCorp Team & Governance and Business tier customers. Other plans are not supported.
  2. As described below, the integration is only supported with a user token that has the Manage Run Tasks permission for the organization and the Manage Workspace Run Tasks permission on each workspace you select.

Introduction

When Bridgecrew is integrated with Terraform Run Tasks, you can run a Bridgecrew scan either before the Plan stage or after the Plan stage (and before the Apply stage). See step 4 below to learn how to configure this for a selected or all workspaces.

Bridgecrew scans the Plan file and sends Terraform Cloud:

  • The status of the scan (Pass/Fail)
  • A short summary of the scan results with the number of resources scanned and errors found.

Terraform Cloud uses this status response to determine whether a run should proceed, based on the task's enforcement settings within a workspace. See the Terraform Cloud documentation for further details on Run Tasks.

The integration includes steps in both Terraform Cloud and Bridgecrew Cloud.

How to Integrate

Part 1 - In Bridgecrew Cloud

From the Integrations Catalog, under CI/CD, select Terraform (Run Tasks).


Part 2 - In Terraform Cloud

  1. Under User Settings, select Tokens.
  2. Create a new API token, or use an existing one. Use a token of a user that has the Manage Run Tasks permission for the organization and the Manage Workspace Run Tasks permission on each workspace you intend to select. This token is a credential that Bridgecrew uses to create and manage run tasks on your behalf, so store it as a secret and revoke it if you remove the integration.

Part 3 - In Bridgecrew Cloud

  1. Copy your Terraform Cloud user token and paste it under User Token, then select NEXT.
  2. Select the Terraform Cloud organization for the Run Task, then select NEXT.

📘

Note

Every integration can be associated with only one Terraform Cloud organization at a time. You can create multiple integrations with multiple Terraform Cloud organizations from a single Bridgecrew account.

  3. Select one or more workspaces for the Run Task.
  4. Under Run Stage, select one of the following options:
     • Post-plan - the scan will run after Terraform generates the plan.
     • Pre-plan - the scan will run before Terraform generates the plan.
  5. Select NEXT and then DONE.

📘

Notes

  1. Configuring a Pre-plan/Post-plan scan does not affect any previous Terraform Cloud configuration you may have. You can still review and manage scan results on the Projects page.
  2. After the next Terraform Cloud scan, the scanned workspace appears in the Integrations grid; for further details, see here.
  3. If you set the Enforcement Settings for IaC Hard Fails to any severity threshold other than Off, all Run Tasks for this scan type become mandatory, including previously configured Terraform Cloud workspaces that were not marked as Mandatory under the previous configuration method. Runs that passed earlier will now fail whenever a violation above the severity threshold is detected in your IaC files.

Whenever a plan update is triggered in Terraform Cloud for a configured workspace, the Bridgecrew Run Task runs. If the task fails, the number of errors found is displayed on the run page. Select Details to go to Bridgecrew Cloud for full information.
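The decision flow described under Introduction (the task reports a Pass/Fail status plus a short summary, and Terraform Cloud applies the workspace's enforcement setting to it) and in note 3 above (an IaC Hard Fails threshold turning a previously passing run into a failing one), modelled as an added example. This is illustrative code written for this page, not Bridgecrew's or HashiCorp's; the severity names, the scan-result structure, the enforcement level names "advisory"/"mandatory", the policy identifiers and the callback JSON layout are assumptions, and the sample scan is constructed.

```python
"""Illustrative model of the Run Task pass/fail decision (added example, not
Bridgecrew's or HashiCorp's code). Assumptions: severity names, the ScanResult
structure, the enforcement level names "advisory"/"mandatory", and the shape of
the task-result JSON are all made up for this example."""
import json
from dataclasses import dataclass, field

# Assumed severity ordering; "OFF" is the threshold value that never hard-fails.
SEVERITY_RANK = {"OFF": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}


@dataclass
class Violation:
    resource: str   # Terraform resource address
    check_id: str   # policy identifier (hypothetical values below)
    severity: str


@dataclass
class ScanResult:
    resources_scanned: int
    violations: list = field(default_factory=list)


def evaluate_scan(scan: ScanResult, hard_fail_threshold: str) -> dict:
    """Turn a scan into the status and summary a run task reports back.

    hard_fail_threshold mirrors the IaC Hard Fails severity setting: "OFF"
    means violations are reported but never fail the task; any other value
    fails the task when a violation at or above that severity exists.
    """
    threshold = SEVERITY_RANK[hard_fail_threshold.upper()]
    blocking = [
        v for v in scan.violations
        if threshold > 0 and SEVERITY_RANK[v.severity.upper()] >= threshold
    ]
    status = "failed" if blocking else "passed"
    message = (f"{scan.resources_scanned} resources scanned, "
               f"{len(scan.violations)} errors found")
    if blocking:
        message += f", {len(blocking)} at or above {hard_fail_threshold.upper()}"
    return {"status": status, "message": message, "blocking": blocking}


def task_result_payload(result: dict, details_url: str) -> str:
    """Serialise the result in the shape of a task-result callback.

    The field layout (data/type/attributes with status, message, url) is an
    assumption for this example; "url" is what the Details link would open.
    """
    body = {"data": {"type": "task-results", "attributes": {
        "status": result["status"],
        "message": result["message"],
        "url": details_url,
    }}}
    return json.dumps(body)


def run_may_proceed(result: dict, enforcement_level: str) -> bool:
    """Terraform Cloud side of the decision: a failed task blocks the run only
    when the workspace run task is mandatory; an advisory task only warns."""
    if result["status"] == "passed":
        return True
    return enforcement_level.lower() != "mandatory"


# Constructed sample scan: three resources, two findings (hypothetical check ids).
SAMPLE_SCAN = ScanResult(
    resources_scanned=3,
    violations=[
        Violation("aws_s3_bucket.logs", "EXAMPLE_S3_PUBLIC", "HIGH"),
        Violation("aws_instance.web", "EXAMPLE_NO_TAGS", "LOW"),
    ],
)


if __name__ == "__main__":
    # Same scan, two thresholds: "OFF" passes, "MEDIUM" hard-fails the run.
    for threshold in ("OFF", "MEDIUM"):
        result = evaluate_scan(SAMPLE_SCAN, threshold)
        print(threshold, result["status"], "-", result["message"])
        for level in ("advisory", "mandatory"):
            print(f"  {level}: run proceeds = {run_may_proceed(result, level)}")
    print(task_result_payload(evaluate_scan(SAMPLE_SCAN, "MEDIUM"),
                              "https://example.invalid/bridgecrew/run-details"))
```

Running the script shows the effect note 3 warns about: the identical scan passes while the threshold is OFF and fails once it is raised to MEDIUM, and only a mandatory workspace run task turns that failure into a blocked run.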
