Cloud Compliance & Management with Terraform - Tracking Infrastructure, Audit Logging

Get a demo showing how Terraform Enterprise provides very robust and granular audit logs


  • Corrigan Neralich, Solutions Engineer, HashiCorp


Hi, I'm Corrigan Neralich, a solutions engineer at HashiCorp, and I'm here today to talk to you about Terraform Enterprise as a solution for cloud compliance and management.

Specifically, I want to talk about the compliance component.

Many organizations really struggle with understanding exactly what is happening throughout their workflow. When developing with open source, oftentimes you have many disparate workflows. Maybe these deploys are happening on laptops, maybe they're happening in some sort of pipeline, or some combination thereof.

Oftentimes, individuals are still logging directly into these various platforms and managing resources through more legacy methods using those cloud-native toolsets. This reduces visibility and makes it very difficult for you to audit exactly what is going on.

Some of the solutions that I've previously covered have addressed this to a certain degree. By pushing all Terraform configurations to version control, you now have that living record of all changes that have been made over time.

Similarly, by treating your policy sets within version control, you can also version them, you can collaborate upon them, and you have visibility.

Within Terraform Enterprise, I will show you one component of the workspace itself, this "Runs" tab I'm showing on the screen.

State files store records in Terraform Enterprise

Oftentimes, for compliance purposes, you need to see a complete and robust and granular history of all changes or attempted changes to your infrastructure over time. This is provided right here in every single workspace, so you can have an understanding and insights into all changes, all activities, that are happening for a given project or a given underlying Terraform configuration.

The other component is a history of state. As we've talked about, when Terraform deploys based on your configuration files and your resource definitions, it generates a state file, which is ultimately a source of truth. It's a living record of those resources that Terraform can use for ongoing management.

This state file changes every single time you update your configuration and you trigger a new apply. It's a living, breathing thing. What Terraform Enterprise offers is the ability to centrally manage these and record every single point-in-time snapshot of state so that you can easily find what changed, and when it changed.

This is tremendously powerful as well for forensically investigating changes or behaviors in fraud and tying it back to a specific version of state, and when that state changed.

Audit logs for more rigorous recordkeeping

Taking this one step further, oftentimes organizations for compliance reasons need even more granular insights. I don't necessarily need to see just what changes are being made to my infrastructure, but I need to have visibility into and understand exactly what is happening throughout this entire process, and by whom.

What Terraform Enterprise offers are very robust and very granular audit logs.

You can keep track of all of those changes to your infrastructure, but also all of those activities that occur between those changes: Which users are accessing which workspaces or changing which configurations at what time, or from where? Who is accessing, modifying, removing sensitive variables? Which users are changing or attempting to change your policy sets?

All of those critical pieces of information are captured in your centralized audit log and can be used to ensure that your auditors are satisfied and that you're adhering to various compliance requirements.

What the audit log looks like

I've run a number of different demos through my Terraform Enterprise application, and now I want to see at a glance what those changes were: Who did them? What changes were made? When were they made? Where were they made?

I've connected to the instance that is housing my application and I'm just quickly going to dump some of these logs that represent the activities that have occurred since I started demonstrating these features.

What you'll see on screen is not only the changes I've made in the GUI, which are also exportable; you can now see every single underlying change that I made throughout all of these demonstrations, from triggering plans and applies in specific workspaces, to policy failures, to updating and removing variables, etc.

This is also tremendously powerful and beneficial to organizations, because now you have that level of granularity, that level of insight that you need to continue adhering to those compliance requirements, but also to identify areas of improvement when it comes to your organization's access and how to tighten those access controls for adherence to least privilege. It also helps you understand how your users can better interact with this Enterprise solution.
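The "who, what, when, where" questions above are the ones you end up asking of an audit log dump. As an added example, not the speaker's or HashiCorp's code, the script below triages a handful of constructed audit-log lines written in the resource/auth/request/timestamp layout that Terraform Enterprise documents for its audit entries (verify the field names against your own export). The IDs, logins, resource types, action names and `meta` keys are assumptions made for illustration. It parses the JSON lines, skips non-JSON noise, orders events chronologically, summarizes activity per actor, flags mutations of sensitive variables and policy sets plus any impersonated action, and builds a per-resource timeline.

```python
"""Triage a dump of Terraform Enterprise-style audit log lines.

Added example, not HashiCorp's code. The entries below are constructed and
follow the documented resource / auth / request / timestamp layout; the IDs,
logins, resource types, actions and "meta" keys are assumptions for
illustration only, so check them against your own TFE audit export.
"""
import json
from collections import Counter, defaultdict

# Constructed sample dump; the last line is deliberate non-JSON noise.
SAMPLE_LOG = """\
{"resource":{"id":"ws-a1","type":"workspace","action":"create","meta":{"name":"prod-net"}},"auth":{"accessor_id":"user-1","description":"alice","type":"Client","impersonator_id":null,"organization_id":"org-demo"},"request":{"id":"r1"},"timestamp":"2023-03-15T14:01:10Z","type":"Audit","version":"1"}
{"resource":{"id":"var-7","type":"variable","action":"update","meta":{"workspace_id":"ws-a1","key":"aws_secret_key","sensitive":true}},"auth":{"accessor_id":"user-2","description":"bob","type":"Client","impersonator_id":null,"organization_id":"org-demo"},"request":{"id":"r2"},"timestamp":"2023-03-15T14:03:42Z","type":"Audit","version":"1"}
{"resource":{"id":"run-9","type":"run","action":"apply","meta":{"workspace_id":"ws-a1"}},"auth":{"accessor_id":"user-1","description":"alice","type":"Client","impersonator_id":null,"organization_id":"org-demo"},"request":{"id":"r3"},"timestamp":"2023-03-15T14:05:00Z","type":"Audit","version":"1"}
{"resource":{"id":"polset-3","type":"policy_set","action":"delete","meta":{"name":"cost-guardrails"}},"auth":{"accessor_id":"user-2","description":"bob","type":"Client","impersonator_id":null,"organization_id":"org-demo"},"request":{"id":"r4"},"timestamp":"2023-03-15T14:06:30Z","type":"Audit","version":"1"}
{"resource":{"id":"var-7","type":"variable","action":"delete","meta":{"workspace_id":"ws-a1","key":"aws_secret_key","sensitive":true}},"auth":{"accessor_id":"user-3","description":"ci-token","type":"Client","impersonator_id":"user-2","organization_id":"org-demo"},"request":{"id":"r5"},"timestamp":"2023-03-15T14:02:05Z","type":"Audit","version":"1"}
this line is not json and must be skipped
"""

# Actions that change something, as opposed to plain reads.
MUTATING_ACTIONS = {"create", "update", "delete"}


def parse_audit_log(text):
    """Parse JSON-lines audit output, drop unparsable or non-audit lines, order by timestamp."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            continue  # a raw dump often has non-JSON noise mixed in
        if entry.get("type") != "Audit":
            continue
        events.append(entry)
    # A dump is not guaranteed to be chronological; sort so timelines read correctly.
    events.sort(key=lambda e: e["timestamp"])
    return events


def actor_of(event):
    """Login of the actor, with a marker when someone acted on another identity's behalf."""
    auth = event["auth"]
    who = auth.get("description") or auth.get("accessor_id")
    if auth.get("impersonator_id"):
        who += f" (impersonated by {auth['impersonator_id']})"
    return who


def summarize_by_actor(events):
    """Count actions per actor under 'resource_type:action' keys."""
    summary = defaultdict(Counter)
    for e in events:
        r = e["resource"]
        summary[actor_of(e)][f"{r['type']}:{r['action']}"] += 1
    return dict(summary)


def flag_sensitive_events(events):
    """Human-readable findings for the activity a compliance review cares about."""
    findings = []
    for e in events:
        r = e["resource"]
        meta = r.get("meta", {})
        who, when = actor_of(e), e["timestamp"]
        if r["type"] == "variable" and meta.get("sensitive") and r["action"] in MUTATING_ACTIONS:
            findings.append(f"{when} {who} {r['action']}d sensitive variable "
                            f"{meta.get('key')} in {meta.get('workspace_id')}")
        elif r["type"] == "policy_set" and r["action"] in MUTATING_ACTIONS:
            findings.append(f"{when} {who} {r['action']}d policy set {meta.get('name', r['id'])}")
        if e["auth"].get("impersonator_id"):
            findings.append(f"{when} impersonation: {who} on {r['type']} {r['id']}")
    return findings


def timeline(events, resource_id):
    """(when, who, what) for one resource id, oldest first."""
    return [(e["timestamp"], actor_of(e), e["resource"]["action"])
            for e in events if e["resource"]["id"] == resource_id]


if __name__ == "__main__":
    evs = parse_audit_log(SAMPLE_LOG)
    for actor, counts in summarize_by_actor(evs).items():
        print(actor, dict(counts))
    print(*flag_sensitive_events(evs), sep="\n")
    print(timeline(evs, "var-7"))
```

Run it with `python3 triage.py` after pasting your own exported lines into `SAMPLE_LOG` (or reading them from a file). The sort step matters: in the constructed dump the impersonated deletion of `var-7` is logged after the update but happened before it, and only the time-ordered view shows that sequence correctly.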
