Terraform Enterprise + Bridgecrew: Secure development at enterprise scale

HashiCorp has been a key partner for Bridgecrew since the beginning. Together, we accelerate and secure customers’ adoption of the cloud as outlined in our Cloud Operating Model. A key part of that is providing policy-as-code for Terraform, where we scan Terraform for misconfigurations and provide security feedback throughout the development lifecycle. That process is simplified when Bridgecrew can act as the guardrails for collaborative infrastructure as code (IaC) tools like Terraform Cloud, where we integrate with Sentinel. Customers can even configure Bridgecrew using Terraform.

Now, we’re excited to announce our latest integration for Terraform Enterprise! Customers who leverage Terraform Enterprise (TFE) for its security and scale can leverage Bridgecrew’s developer-friendly security platform and policies.

“Customers choose Terraform Enterprise as the scale and complexity of their business grow. Having partners like Palo Alto Networks build security integrations with Terraform Enterprise gives our shared customers increased confidence as they move to the cloud and adopt the Cloud Operating Model.” – Burzin Patel, Vice President Global Alliances at HashiCorp

How the integration works

With this integration, TFE users can easily leverage hundreds of built-in security and compliance policies as a run step to prevent misconfigured IaC from being turned into insecure cloud infrastructure. Watch the video below by colleague Taylor Smith, Bridgecrew Product Manager, to see it in action, or keep reading.

To get started, make sure you have a running TFE server. Start by going to your TFE instance user settings. Then go to Tokens and create a new token for later use.

Head over to the Bridgecrew platform, go to the Integrations page and select Add Integration. Scroll down and find Terraform Enterprise (Sentinel). Give your token a name like `tfe_token` and select Next. Copy the Bridgecrew API token that is generated for later use. Enter your TFE URL and the TFE user token you created in the previous step, then select Next.

Next, you’ll need to add the policy file and policy set that call back to Bridgecrew to perform the compliance checks on the Terraform scans. Head over to the repository with the policy sets and either fork it or manually copy those files into your own repository. Notice in the `sentinel.hcl` file that `enforcement_level` is set to `hard-mandatory`. There are three different options for this setting:

  • `hard-mandatory` means your Terraform cannot be applied until you resolve or suppress all failing Bridgecrew policies.
  • `soft-mandatory` means your Terraform runs are blocked but can be overridden to still apply the IaC.
  • `advisory` means Bridgecrew will report and record policy violations but will not block a Terraform apply.

Additionally, in Bridgecrew, you can always suppress or add custom policies to customize the policies that are run as part of your TFE scans.

Go back to your TFE instance and go to the workspace homepage. From there, select Settings and Connect a new policy set.

Add the repo with the policy set code you forked or copied before. Under Sentinel Parameters, add a new parameter called `bc_api_key` and add the Bridgecrew API token generated earlier. Mark it as Sensitive and save the policy set.
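As an added illustration (not a file from the Bridgecrew policy-set repository), this is the shape of the `sentinel.hcl` the steps above refer to; the policy name and the source file name are assumptions, so use the names from the repository you forked or copied:

```hcl
# sentinel.hcl for the policy set connected to the TFE workspace.
# The policy name and the source file name below are assumptions for this
# example; take the real names from the policy-set repository.
policy "bridgecrew" {
  source = "./bridgecrew.sentinel"

  # hard-mandatory: the run cannot be applied until every failing Bridgecrew
  # policy is resolved or suppressed. The other accepted values are
  # "soft-mandatory" (the run is blocked but can be overridden) and
  # "advisory" (violations are reported and recorded, the apply proceeds).
  enforcement_level = "hard-mandatory"
}

# bc_api_key is deliberately not stored in this file: it is added in TFE under
# the policy set's Sentinel Parameters and marked Sensitive, so the Bridgecrew
# API token never lands in the repository.
```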

Now every new run performed by TFE will include a Bridgecrew scan of the Terraform plan output. It will block or advise about policy violations so you and your team can leverage the feedback and guardrails to secure your cloud environments.

At the bottom of the scan, you’ll see a link back to the Bridgecrew platform, where you can dig into the results of the scan and leverage Bridgecrew’s code-to-cloud security features such as drift detection.

Better together

Together, HashiCorp TFE and Bridgecrew create a secure way to develop and automatically deploy infrastructure at enterprise scale. TFE makes managing complex architectures across large organizations easier and safer. With Bridgecrew, you add automated policy-as-code checks to ensure adherence to security best practices before any cloud resources are created.

Give the new Terraform Enterprise integration, and others, a try by signing up for a free Bridgecrew trial.