Automate IaC security guardrails directly in Terraform Cloud with Bridgecrew Run Tasks

At HashiConf Europe, HashiCorp unveiled Terraform Cloud Run Tasks, the simplest way for developers to integrate third-party tools directly within Terraform Cloud. Now in beta, Run Tasks add automated partner integration steps, such as policy-as-code or cost estimation checks, between the Terraform plan and Terraform apply stages of a run.

Run Tasks make it straightforward to fit automation into your existing IaC development workflow. Developers using Terraform Cloud for their CI/CD pipelines can automate checks that aren't typically part of their expertise, such as security, without leaving Terraform Cloud.

[Figure: flow chart of Run Tasks]

We were thrilled to partner with HashiCorp on this announcement as we see this new way to integrate with Terraform Cloud bringing a ton of value to users.

And today we are excited to announce our Run Tasks integration!

Embedding security to your Terraform Cloud workflows

Run Tasks execute after a Terraform plan has completed in Terraform Cloud and before the apply stage, creating a guardrail step between the two. Bridgecrew's Run Tasks integration acts as an admission controller for your infrastructure: it scans the plan output and, when the task is set to mandatory, blocks misconfigured code from becoming an insecure cloud deployment. For example, if you add a new S3 bucket and forget to turn on server-side encryption, Terraform Cloud will build a plan for that code and Bridgecrew's Run Task will fail the run before the apply stage.

In this way, you can ensure that only secure IaC is deployed as secure cloud infrastructure.
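To make the mechanics concrete, here is an added example (not Bridgecrew's or HashiCorp's code) of what a Run Task integration does with a plan. It models the three steps offline: Terraform Cloud POSTs a request describing the run, the integration evaluates the plan JSON, and the integration PATCHes a pass/fail result back to the callback URL. The request payload, the plan JSON (in the `terraform show -json` shape) and the HMAC key are all constructed for this example; the field names follow the Run Tasks integration API, and the S3 encryption check stands in for the hundreds of policies a real scanner such as Checkov applies.

```python
import hashlib
import hmac
import json

# Constructed example of the request Terraform Cloud POSTs to a run task once a
# plan finishes. Field names follow the Run Tasks API; every value is made up.
RUN_TASK_REQUEST = {
    "payload_version": 1,
    "access_token": "tfrt.example-access-token",
    "task_result_id": "taskrs-example",
    "task_result_enforcement_level": "mandatory",
    "task_result_callback_url": "https://app.terraform.io/api/v2/task-results/taskrs-example/callback",
    "run_id": "run-example",
    "plan_json_api_url": "https://app.terraform.io/api/v2/plans/plan-example/json-output",
    "workspace_id": "ws-example",
    "organization_name": "example-org",
}

# Constructed plan JSON: one bucket with no encryption block and one with SSE-S3
# configured inline. Nested blocks are lists in plan JSON, so an omitted block is [].
PLAN_JSON = {
    "format_version": "1.0",
    "planned_values": {"root_module": {"resources": [
        {"address": "aws_s3_bucket.logs", "type": "aws_s3_bucket", "name": "logs",
         "values": {"bucket": "example-logs", "server_side_encryption_configuration": []}},
        {"address": "aws_s3_bucket.artifacts", "type": "aws_s3_bucket", "name": "artifacts",
         "values": {"bucket": "example-artifacts", "server_side_encryption_configuration": [
             {"rule": [{"apply_server_side_encryption_by_default": [{"sse_algorithm": "AES256"}]}]}]}},
    ]}},
}


def encode_request(payload: dict) -> bytes:
    """Serialise a request payload as the bytes that would arrive on the wire."""
    return json.dumps(payload, separators=(",", ":")).encode()


def sign(body: bytes, hmac_key: bytes) -> str:
    """HMAC-SHA512 hex digest of the raw body, as carried in X-TFC-Task-Signature."""
    return hmac.new(hmac_key, body, hashlib.sha512).hexdigest()


def verify_signature(body: bytes, hmac_key: bytes, header_value: str) -> bool:
    """Reject any request whose signature does not match before trusting its contents."""
    return hmac.compare_digest(sign(body, hmac_key), header_value)


def is_verification_request(payload: dict) -> bool:
    """Terraform Cloud probes a newly registered task with access_token "test-token"."""
    return payload.get("access_token") == "test-token"


def iter_resources(module: dict):
    """Yield every planned resource, descending into child modules."""
    for res in module.get("resources", []):
        yield res
    for child in module.get("child_modules", []):
        yield from iter_resources(child)


def find_unencrypted_buckets(plan: dict) -> list:
    """Addresses of aws_s3_bucket resources with no server-side encryption.

    Accepts the inline block (AWS provider v3) or a separate
    aws_s3_bucket_server_side_encryption_configuration resource (provider v4)
    whose `bucket` value matches a bucket name known at plan time.
    """
    resources = list(iter_resources(plan["planned_values"]["root_module"]))
    covered = {r["values"].get("bucket") for r in resources
               if r["type"] == "aws_s3_bucket_server_side_encryption_configuration"}
    failures = []
    for r in resources:
        if r["type"] != "aws_s3_bucket":
            continue
        inline = r["values"].get("server_side_encryption_configuration") or []
        if not inline and r["values"].get("bucket") not in covered:
            failures.append(r["address"])
    return failures


def build_callback(payload: dict, failures: list) -> dict:
    """Build the PATCH Terraform Cloud expects on task_result_callback_url.

    A "failed" status blocks apply only when the enforcement level is
    mandatory; in advisory mode it is shown on the run but does not stop it.
    """
    status = "failed" if failures else "passed"
    message = "Unencrypted S3 buckets: " + ", ".join(failures) if failures else "All S3 buckets encrypted"
    return {
        "method": "PATCH",
        "url": payload["task_result_callback_url"],
        "headers": {"Authorization": "Bearer " + payload["access_token"],
                    "Content-Type": "application/vnd.api+json"},
        "body": {"data": {"type": "task-results", "attributes": {"status": status, "message": message}}},
    }


def handle_run_task(body: bytes, signature: str, hmac_key: bytes, plan: dict) -> dict:
    """Verify, short-circuit the registration probe, scan the plan, and report.

    A real handler fetches `plan` from plan_json_api_url with the access token;
    here the plan is passed in so the example runs offline.
    """
    if not verify_signature(body, hmac_key, signature):
        return {"http_status": 401}
    payload = json.loads(body)
    if is_verification_request(payload):
        return {"http_status": 200}
    return {"http_status": 200, "callback": build_callback(payload, find_unencrypted_buckets(plan))}


if __name__ == "__main__":
    key = b"example-hmac-key"  # constructed; in practice the HMAC key configured on the run task
    raw = encode_request(RUN_TASK_REQUEST)
    print(json.dumps(handle_run_task(raw, sign(raw, key), key, PLAN_JSON), indent=2))
```

Two details matter in production that the model glosses over: the endpoint should answer the initial POST with 200 immediately and deliver the callback asynchronously (Terraform Cloud waits on the PATCH, not on the response), and the signature check has to run on the raw request bytes before any JSON parsing, since an unauthenticated caller who can reach the endpoint could otherwise inject "passed" results for arbitrary runs.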

Adding the Bridgecrew Run Task

Following HashiCorp’s lead in making this integration as simple as possible, we’ve created a wizard to guide you through setting up Bridgecrew as a Run Task.

First, make sure that Run Tasks are available in your Terraform Cloud account and that you are an organization owner. Then go to your Terraform Cloud user settings, create an API token, and paste it into the Terraform Cloud Run Tasks wizard, which you can reach from the Integrations page. Bridgecrew uses this token to register the Run Task on your behalf, so treat it like any other credential that can change your organization's settings.

[Screenshot: Integrations page]

Once you select the organization and the workspaces in which you want the Run Task to run, you can choose whether it is mandatory or advisory. If the Run Task is mandatory, Terraform Cloud will only let you apply code that passes Bridgecrew's checks. If it is advisory, a failed check is reported on the run but does not block users from applying their code.

From here, Bridgecrew makes Terraform Cloud API calls on your behalf to register the Bridgecrew event hook as a Run Task and attach it to the selected workspaces. You can confirm this by going to a workspace's Settings, where you'll see it listed under Tasks.

[Screenshot: workspace Tasks settings]

You can try it out by triggering a Terraform Cloud run, either from a commit in your VCS or manually using Queue Plan; the Run Task result appears on the run between the plan and apply stages.

[Screenshot: Run Task result on a run]

Making security guardrails more user friendly

HashiCorp has greatly simplified integrating new tools into developer workflows with Run Tasks. Bridgecrew's CI integrations, of which the Run Tasks integration is the latest, bridge the gap between engineering, DevOps, and security, and let engineering teams deploy more secure cloud infrastructure on their own.

As of October 2021, the Terraform Cloud Run Tasks beta is enabled by default for Terraform Cloud for Business customers. If you are interested in Run Tasks and are not a current Terraform Cloud for Business customer, you can sign up for access here.