Terraform Cloud (Sentinel)


Integrating Bridgecrew with Terraform Cloud embeds Bridgecrew's library of hundreds of out-of-the-box policies into every workspace run. Bridgecrew scans the plans of the workspaces you choose and displays the results both on the Terraform Cloud run page and in the Bridgecrew platform.

How to Integrate with Terraform Cloud

There are two ways to integrate Terraform Cloud with Bridgecrew Cloud:

  • Via Run Tasks
  • Via Sentinel

Integration via Sentinel

The integration requires setup in Bridgecrew Cloud and Terraform Cloud.

  • In Bridgecrew Cloud, initiate the integration, enter the Terraform token, and copy the integration snippets.
  • In Terraform Cloud, create two files in a VCS repository or locally, paste Bridgecrew's integration snippets into them, and create a new Sentinel policy set.

How to Integrate

Part 1 - In Bridgecrew Cloud

  1. From the Integrations Catalog, under CI/CD, select Terraform (Sentinel).

Part 2 - In Terraform Cloud

Go to your workspace and navigate to Settings > General. Under General Settings you will find your Workspace ID and Workspace Name.

Part 3 - In Bridgecrew Cloud

  1. Enter the following:
  • Terraform Cloud Workspace ID (as copied from Terraform Cloud)
  • Terraform Cloud Workspace Name (as copied from Terraform Cloud)
  • Terraform Cloud Workspace Description
  • Token - enter a User or Team token (Organization tokens do not work); see the Terraform Cloud help for more details about API tokens.

Currently the integration requires one policy per workspace.

  1. Press Create Policy.
  2. Create two new files, in your VCS or locally, named "sentinel.hcl" and "bridgecrew.sentinel".
  3. Copy each of the code snippets that now appear into the corresponding new file. Note that {PATH_TO_FILE} should be replaced with the actual path.

Part 4 - In Terraform Cloud

  1. Under Settings, Policy sets, press Connect a New Policy Set.
  2. Connect to the VCS and the repository where your new policy files are located, or select No VCS connection if they are local.
  3. Enter a policy name and description. Then select the scope of policies to be enforced only on the integrated workspace.
  4. Press Connect policy set.
  5. Once your policy set is connected, go to the settings for that policy set and, under "Sentinel Parameters", click "Add parameter". Set the key to "bc_api_key", paste the token shown below as the value, and check the "Sensitive" option.
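To show how the two files from Part 3 and the sensitive parameter from Part 4 fit together, here is an added illustrative pair of files. They are not Bridgecrew's own snippets: the scan endpoint is a placeholder, and the response shape (a "results" list with "status", "check_id" and "resource" fields) is an assumption made for the example; the real values come from the snippets shown in Bridgecrew Cloud.

```sentinel
# ---- sentinel.hcl (policy set configuration) ----
# Registers the policy file and how strictly Terraform Cloud enforces it.
# "soft-mandatory" blocks the run on failure but allows an authorized override;
# use "hard-mandatory" when no override should be possible.
policy "bridgecrew" {
  source            = "./bridgecrew.sentinel"
  enforcement_level = "soft-mandatory"
}

# ---- bridgecrew.sentinel (illustrative policy body, not Bridgecrew's snippet) ----
import "http"
import "json"
import "tfplan/v2" as tfplan

# Supplied from the policy set's Sentinel Parameters (key "bc_api_key", marked
# Sensitive), so the token is never committed to the repository or shown in logs.
param bc_api_key

# Placeholder: the real endpoint is in the snippet shown in Bridgecrew Cloud.
scan_endpoint = "https://BRIDGECREW_API_ENDPOINT_PLACEHOLDER/scan"

# Submit the raw plan JSON to the scanner, authenticating with the sensitive parameter.
req = http.request(scan_endpoint)
req = req.with_header("Authorization", bc_api_key)
req = req.with_header("Content-Type", "application/json")
req = req.with_body(json.marshal({"plan": tfplan.raw}))
resp = http.post(req)

# Assumed response shape for this example:
# {"results": [{"check_id": "...", "status": "PASSED" | "FAILED", "resource": "..."}]}
result = json.unmarshal(resp.body)

failed = filter result.results as r {
	r.status is "FAILED"
}

# Surface each failed check in the run output so the reason is visible in Terraform Cloud.
for failed as r {
	print("Bridgecrew check failed:", r.check_id, "on", r.resource)
}

# The run passes only when the scanner answered and reported no failed checks;
# a scanner error (non-200) fails closed rather than silently allowing the plan.
main = rule { resp.status_code is 200 and length(failed) is 0 }
```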

Create Sentinel Policy in Terraform Cloud

Note: after the next Terraform Cloud scan, the scanned workspace will appear in the Integrations grid; for further details, see here.

Whenever a plan update is triggered in Terraform Cloud for one of the configured workspaces, Bridgecrew's checks are run. If a check fails, the details are shown in the run, including a link to Bridgecrew Cloud for further information.

See Terraform Cloud documentation for further details on Sentinel Policies.