The integration of HashiCorp Terraform Cloud with Styra, the company that created Open Policy Agent (OPA), lets users validate Terraform infrastructure as code against OPA policies before it is applied.
To achieve their security and compliance goals, organizations have to consider input from many business units including security, finance, and legal. That can make it very challenging to implement changes to cloud infrastructure without violating pre-existing policies.
Unsurprisingly, misconfigurations are one of the most significant risks to cloud environments, accounting by some estimates for up to 70% of cloud security challenges. Policy as code lets teams express security and compliance requirements as code that is evaluated automatically, so every infrastructure change is checked against those policies and regulations before it reaches production rather than audited after the fact.
Our customers have been able to define policy as code using the Sentinel policy as code framework, which allows customers to write custom policies. In an effort to provide more options, in May we announced the general availability of run tasks, which open up the Terraform Cloud workflow to third-party security and compliance tools. Today, we are excited to announce the integration of HashiCorp Terraform with Styra Declarative Authorization Service (DAS), allowing users to validate Terraform infrastructure as code with Open Policy Agent (OPA).
OPA, the open source project created by Styra in 2016 and donated to the Cloud Native Computing Foundation (CNCF) in 2018, is a general-purpose policy engine that unifies policy enforcement across the stack. Styra built Styra DAS on top of OPA as a declarative by design service that serves as an OPA control plane. Terraform Cloud run tasks for Styra DAS provides detailed policy control over Terraform plans, allowing teams to mitigate risk, reduce human error, and accelerate development.
Styra DAS receives the Terraform plan, including the resource changes and the action (create, update, delete) for each resource, evaluates it against the rules associated with the workspace, and reports back to Terraform Cloud whether the plan complies. Context beyond the plan itself (for example the user who triggered the run, the workspace, and the date and time) can also be used when writing authorization policies. Because the run task executes between plan and apply, every change deployed through Terraform Cloud is evaluated, closing the gap left by deploy workflows that bypass enforcement; note that a run task only blocks the apply when it is configured with the mandatory enforcement level, while an advisory run task reports failures but lets the run proceed. Users can take advantage of Styra pre-built policies and policy packs, or use the Styra DAS visual policy editor and Rego, the OPA policy language, to create custom policies. With the flexibility of Rego, policies can enforce any type of rule on Terraform resources and user actions, within a single Terraform workspace or across many.
Common use cases for Styra DAS and Terraform Cloud include preventing containers from running in privileged mode, preventing users from deploying resources that exceed budgets, preventing specific user groups from modifying production resources, and enforcing encryption-at-rest defaults on cloud resources.
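The following Rego policy is an added example of guardrails like the ones described above, not code from this post, Styra DAS, or a Styra policy pack. It reads the plan in the `terraform show -json` format (the top-level `resource_changes` field), and it assumes that the Terraform Cloud run task request is merged into the input as `input.run` (its `workspace_name` and `run_created_by` fields are real run task fields, but how DAS exposes them is an assumption here) and that an approver list is supplied as the data document `data.groups.prod_approvers`. The resource type names and attribute names are the ones used by the Terraform AWS and Kubernetes providers. It requires OPA 0.59 or later for `import rego.v1`, and the inline tests run with `opa test`.

```rego
# Added example: Terraform plan guardrails for an OPA-based run task.
# Assumptions: input.resource_changes is the `terraform show -json` plan,
# input.run holds the Terraform Cloud run task request (run_created_by,
# workspace_name), and data.groups.prod_approvers lists permitted users.
package terraform.guardrails

import rego.v1

default allow := false

# The run passes only when no rule produced a violation.
allow if count(deny) == 0

# Only resources the plan will create or update; deletes and no-ops are ignored.
changed_resources contains rc if {
    some rc in input.resource_changes
    some action in rc.change.actions
    action in {"create", "update"}
}

# Rule 1: no privileged containers in Kubernetes pods.
deny contains msg if {
    some rc in changed_resources
    rc.type == "kubernetes_pod"
    some container in rc.change.after.spec[_].container
    container.security_context[_].privileged == true
    msg := sprintf("%s: container %q runs in privileged mode", [rc.address, container.name])
}

# Rule 2: encryption-at-rest flags must be true. Keys are resource types,
# values are the provider attribute that enables encryption.
encryption_flag := {
    "aws_ebs_volume": "encrypted",
    "aws_db_instance": "storage_encrypted",
}

deny contains msg if {
    some rc in changed_resources
    attr := encryption_flag[rc.type]
    not rc.change.after[attr] == true # missing, false or unknown all fail closed
    msg := sprintf("%s: %s must be true", [rc.address, attr])
}

# Rule 3: only listed approvers may change workspaces named prod-*.
# This uses run metadata rather than the plan contents.
deny contains msg if {
    count(changed_resources) > 0
    startswith(input.run.workspace_name, "prod-")
    not is_prod_approver(input.run.run_created_by)
    msg := sprintf("%s may not change production workspace %s", [input.run.run_created_by, input.run.workspace_name])
}

is_prod_approver(user) if {
    some u in data.groups.prod_approvers
    u == user
}

# Constructed sample plan for the inline tests: an unencrypted EBS volume,
# a privileged pod, and a deleted DB instance that must be ignored.
sample_plan := {
    "resource_changes": [
        {
            "address": "aws_ebs_volume.data",
            "type": "aws_ebs_volume",
            "change": {"actions": ["create"], "after": {"encrypted": false, "size": 100}},
        },
        {
            "address": "kubernetes_pod.web",
            "type": "kubernetes_pod",
            "change": {"actions": ["update"], "after": {"spec": [{"container": [{"name": "nginx", "security_context": [{"privileged": true}]}]}]}},
        },
        {
            "address": "aws_db_instance.old",
            "type": "aws_db_instance",
            "change": {"actions": ["delete"], "after": null},
        },
    ],
    "run": {"workspace_name": "prod-payments", "run_created_by": "alice"},
}

test_unapproved_user_and_misconfigs_denied if {
    violations := deny with input as sample_plan with data.groups.prod_approvers as ["bob"]
    count(violations) == 3
    not allow with input as sample_plan with data.groups.prod_approvers as ["bob"]
}

test_approver_still_blocked_by_resource_rules if {
    violations := deny with input as sample_plan with data.groups.prod_approvers as ["alice"]
    count(violations) == 2
}
```

Two design points worth noting. The encryption rule fails closed: an attribute that is absent, false, or unknown at plan time (`after_unknown` in the plan JSON) is treated as a violation, which is the safe default for a mandatory run task. And the production rule keys off the workspace name and the run's author rather than the plan, which is the kind of non-plan context the integration makes available; whichever field DAS actually exposes for the user, keep the approver list in a data document rather than hard-coded in the policy so it can be updated without a policy change.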
Combining Styra policy as code with Terraform's infrastructure as code lets developers, DevOps teams, platform engineers, and security teams easily set up and manage policy guardrails to mitigate risks, reduce human error, and accelerate secure application development. To get started, learn more about Terraform Cloud, Styra, and the Terraform Cloud Run Tasks for Styra DAS solution.