​​Terraform Cloud Run Tasks with Styra DAS Provides OPA Validation

To achieve their security and compliance goals, organizations have to consider input from many business units including security, finance, and legal. That can make it very challenging to implement changes to cloud infrastructure without violating pre-existing policies.

Unsurprisingly, misconfigurations are one of the most significant risks to cloud environments, responsible for up to 70% of security challenges in the cloud. Policy as code allows teams to define security and compliance requirements as part of the code, ensuring that every infrastructure change aligns with pre-existing policies and regulations.

Our customers have been able to define policy as code using the Sentinel policy as code framework, which allows customers to write custom policies. In an effort to provide more options, in May we announced the general availability of run tasks, which open up the Terraform Cloud workflow to third-party security and compliance tools. Today, we are excited to announce the integration of HashiCorp Terraform with Styra Declarative Authorization Service (DAS), allowing users to validate Terraform infrastructure as code with Open Policy Agent (OPA).

»Terraform Cloud Run Tasks for Styra

OPA, the open source project created by Styra in 2016 and donated to the Cloud Native Computing Foundation (CNCF) in 2018, is a general-purpose policy engine that unifies policy enforcement across the stack. Styra built Styra DAS on top of OPA as a declarative by design service that serves as an OPA control plane. Terraform Cloud run tasks for Styra DAS provides detailed policy control over Terraform plans, allowing teams to mitigate risk, reduce human error, and accelerate development.

»How It Works

Styra DAS receives the Terraform plan with resource changes and action context, processes the plan against rules associated with the workspace, and communicates whether or not the plan complies. Data other than the plan itself can also be used (e.g., the user, date, and time) when writing authorization policies. This integration checks that changes made by team members and deployed via Terraform Cloud pass policy checks, eliminating unenforced deploy workflows. Users can take advantage of Styra pre-built policies and policy packs or use the Styra DAS visual policy editor and Rego, the OPA policy language, to create custom policies. With the flexibility of Rego, policies can enforce any type of rules on Terraform resources and user actions in individual or across multiple Terraform workspaces.

Common use cases for Styra DAS and Terraform Cloud include:

• Automatically approving Terraform changes that pass policy evaluation and reduce the burden of code review.
• Creating policies to manage what, when, and by whom Terraform changes can be applied.
• Using Styra DAS policy previews and decision replays to quickly iterate on policies using previous Terraform Cloud run plans.

Example policies include preventing containers from running in privileged mode, preventing users from deploying resources that exceed budgets, preventing specific user groups from modifying production resources, and enforcing cloud resource encryption defaults.

»Getting Started

Combining Styra policy as code with Terraform's infrastructure as code lets developers, DevOps teams, platform engineers, and security teams easily set up and manage policy guardrails to mitigate risks, reduce human error, and accelerate secure application development. To get started, learn more about Terraform Cloud, Styra, and the Terraform Cloud Run Tasks for Styra DAS solution.