The integration of HashiCorp Terraform with OPA-founder Styra allows users to validate Terraform infrastructure as code with Open Policy Agent.
To achieve their security and compliance goals, organizations have to consider input from many business units including security, finance, and legal. That can make it very challenging to implement changes to cloud infrastructure without violating pre-existing policies.
Unsurprisingly, misconfigurations are one of the most significant risks to cloud environments, responsible for up to 70% of security challenges in the cloud. Policy as code allows teams to define security and compliance requirements as part of the code, ensuring that every infrastructure change aligns with pre-existing policies and regulations.
Our customers have been able to define policy as code using the Sentinel policy as code framework, which allows customers to write custom policies. In an effort to provide more options, in May we announced the general availability of run tasks, which open up the Terraform Cloud workflow to third-party security and compliance tools. Today, we are excited to announce the integration of HashiCorp Terraform with Styra Declarative Authorization Service (DAS), allowing users to validate Terraform infrastructure as code with Open Policy Agent (OPA).
OPA, the open source project created by Styra in 2016 and donated to the Cloud Native Computing Foundation (CNCF) in 2018, is a general-purpose policy engine that unifies policy enforcement across the stack. Styra built Styra DAS on top of OPA as a declarative by design service that serves as an OPA control plane. Terraform Cloud run tasks for Styra DAS provides detailed policy control over Terraform plans, allowing teams to mitigate risk, reduce human error, and accelerate development.
Styra DAS receives the Terraform plan with resource changes and action context, processes the plan against rules associated with the workspace, and communicates whether or not the plan complies. Data other than the plan itself can also be used (e.g., the user, date, and time) when writing authorization policies. This integration checks that changes made by team members and deployed via Terraform Cloud pass policy checks, eliminating unenforced deploy workflows. Users can take advantage of Styra pre-built policies and policy packs or use the Styra DAS visual policy editor and Rego, the OPA policy language, to create custom policies. With the flexibility of Rego, policies can enforce any type of rules on Terraform resources and user actions in individual or across multiple Terraform workspaces.
Common use cases for Styra DAS and Terraform Cloud include:
Example policies include preventing containers from running in privileged mode, preventing users from deploying resources that exceed budgets, preventing specific user groups from modifying production resources, and enforcing cloud resource encryption defaults.
Combining Styra policy as code with Terraform's infrastructure as code lets developers, DevOps teams, platform engineers, and security teams easily set up and manage policy guardrails to mitigate risks, reduce human error, and accelerate secure application development. To get started, learn more about Terraform Cloud, Styra, and the Terraform Cloud Run Tasks for Styra DAS solution.
The Terraform integrations ecosystem has reached a new milestone, surpassing 3,000 providers in the registry.
Infrastructure producers and consumers require very different capabilities from their automation tools. Vendors need to provide a flexible infrastructure as code solution that meets users at their different levels of expertise.
Recent Terraform Enterprise releases include powerful new features such as projects, native OPA support, dynamic provider credentials, and drift detection.