Terraform Cloud with Run Tasks

Leveraging Terraform Cloud and Run Tasks for Bridgecrew scans

Bridgecrew has a native integration with Terraform Cloud that uses Run Tasks as the policy-control hook. Every run that Terraform Cloud queues for a connected repository (each push or pull request to the linked branch) is passed through a Bridgecrew scan, which identifies policy violations, can block misconfigured builds, and detects drift, all from the same place where you collaborate on Terraform templates, automate deployments, and store state.

Run Tasks is a paid add-on. If you want to try it out for free, HashiCorp offers a free trial. If you prefer not to sign up for the trial, skip this section and the “drift detection” section.

To sign up for the free trial of Terraform Cloud’s Team & Governance plan, go to your Terraform Cloud instance. In the top navigation, select “Settings” and “Plan & Billing.” Choose the “Trial Plan” option. You should see Policies and Policy Sets show up in the left navigation menu.

Terraform Cloud plans

You need to add your TerraGoat repository to Terraform Cloud. Go to “Workspaces” and select “Create one now.”

Terraform Cloud new workspace

Select “Version control workflow”:

Create a version control workflow

Select “GitHub,” then “github.com,” authorize access, and choose the TerraGoat repository you forked earlier:

Add GitHub

Name the workspace terragoat, open “Advanced options,” and set the working directory to /terraform/simple_instance/ (we’ll be adding that directory later). This limits runs, and therefore scans, to just the AWS templates. Turn on “Automatic speculative plans” so that plans are created for pull requests. Select “Create workspace”:

Config settings

Select “Configure variables” and under “Workspace variables” add your AWS access key pair as environment variables named AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY. Mark both as sensitive so the values are write-only in the UI and API. If you are at an AWS event and using Event Engine, also add AWS_SESSION_TOKEN. If you aren’t sure where to find the keys, see this guide.

Add environment variables

For Event Engine, it will look like this:

Add environment variables

Go to the Workspace Settings and select General. From this settings screen, copy your workspace ID for the next step.

If any of the variables does not show “env” at the far right of its row, you have created a Terraform variable instead of an environment variable, and the AWS provider will not see it. This is easy to do, because the Terraform variable category is the default when you add a variable. Delete the wrong ones and re-create them as environment variables.

Grab your workspace ID

Create an API token from Terraform Cloud for the integration with Bridgecrew. Go to the API token menu (User -> Settings -> Tokens) and select “Create an API token.”

Create Token

Make sure you are in your User settings: Terraform Cloud has three separate settings areas (user settings, organization settings, and workspace settings), and only the user settings create a user API token. Your screen should look like the one below; if you are offered several types of API token to choose from, you’re in the wrong place.

Terraform Cloud API token

Copy that API token for the next step. It is shown only once and carries your user’s permissions, so treat it as a secret and store it only in the Bridgecrew integration.

Next, you’ll add the Bridgecrew integration. Head over to the Integrations screen in the Bridgecrew platform, scroll down, and select Terraform Cloud (Run Tasks). Enter the TFC API token from the previous step and choose “Next.” Enter your Organization name and click “Next.” Enter the Workspace name (terragoat). You can leave “Make Bridgecrew’s run tasks mandatory” unchecked for this workshop. (NOTE: a Terraform Cloud run fails when a Bridgecrew scan reports a failure only if the Run Task for that Workspace is configured as Mandatory; by default, and for this workshop, the run task is set to Advisory, so findings are reported but the run continues.) Click “Next” and, upon successful configuration, click “Done.”

Add TFC details to Bridgecrew

Add TFC workspace details to Bridgecrew

Head back to Terraform Cloud. Go to the terragoat workspace settings via the navigation bar and select “Run Tasks” to confirm that the Bridgecrew run task is attached to the workspace at the Advisory enforcement level.

View Run Task Configuration

Finally, go to your workspace’s main page and under “Actions” select “Start new plan.” Don’t worry if it fails; this first run just primes the workspace so that future GitHub pull requests trigger runs automatically.

Queue a plan
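The clicks above (workspace on a VCS repo, working directory, speculative plans, sensitive environment variables, and the run task attached at the advisory level) can also be expressed as code with HashiCorp’s tfe provider. The following is an added example, not part of the workshop and not Bridgecrew’s own code; it assumes the Bridgecrew integration has already registered an organization-level run task, that its name in Terraform Cloud is “Bridgecrew” (an assumption; check the Run Tasks page in your organization settings for the real name), and that `var.github_repo` and `var.oauth_token_id` are placeholders you replace with your fork and your GitHub VCS connection ID. The provider reads its own API token from the TFE_TOKEN environment variable.

```hcl
terraform {
  required_providers {
    tfe = {
      source  = "hashicorp/tfe"
      version = "~> 0.40"
    }
  }
}

# Authenticates with the TFE_TOKEN environment variable (a user API token).
provider "tfe" {}

variable "organization" {
  description = "Your Terraform Cloud organization name"
  type        = string
}

variable "github_repo" {
  description = "owner/repo of your TerraGoat fork (placeholder, e.g. \"my-org/terragoat\")"
  type        = string
}

variable "oauth_token_id" {
  description = "ID of the GitHub VCS connection in your organization's settings (placeholder)"
  type        = string
}

# Supply these via TF_VAR_aws_access_key_id / TF_VAR_aws_secret_access_key,
# never in a committed .tfvars file.
variable "aws_access_key_id" {
  type      = string
  sensitive = true
}

variable "aws_secret_access_key" {
  type      = string
  sensitive = true
}

resource "tfe_workspace" "terragoat" {
  name                = "terragoat"
  organization        = var.organization
  working_directory   = "terraform/simple_instance" # scope runs to the AWS templates
  speculative_enabled = true                        # "Automatic speculative plans" for PRs

  vcs_repo {
    identifier     = var.github_repo
    oauth_token_id = var.oauth_token_id
  }
}

# Credentials must be *environment* variables (category = "env"); a
# Terraform variable of the same name is never exported to the AWS provider.
resource "tfe_variable" "aws_access_key_id" {
  workspace_id = tfe_workspace.terragoat.id
  key          = "AWS_ACCESS_KEY_ID"
  value        = var.aws_access_key_id
  category     = "env"
  sensitive    = true
}

resource "tfe_variable" "aws_secret_access_key" {
  workspace_id = tfe_workspace.terragoat.id
  key          = "AWS_SECRET_ACCESS_KEY"
  value        = var.aws_secret_access_key
  category     = "env"
  sensitive    = true
}

# The Bridgecrew integration creates the run task at the organization level;
# look it up by name (assumed "Bridgecrew") rather than re-registering it.
data "tfe_organization_run_task" "bridgecrew" {
  organization = var.organization
  name         = "Bridgecrew"
}

# Attach it to the workspace. "advisory" reports findings without failing the
# run; switch to "mandatory" once you want violations to block applies.
resource "tfe_workspace_run_task" "bridgecrew" {
  workspace_id      = tfe_workspace.terragoat.id
  task_id           = data.tfe_organization_run_task.bridgecrew.id
  enforcement_level = "advisory"
}
```

Two caveats a practitioner should keep in mind: the AWS key values end up in this configuration’s own state file even though they are marked sensitive, so store that state in a backend with the same access controls you would give the keys themselves; and for Event Engine you would add a third `tfe_variable` for AWS_SESSION_TOKEN in exactly the same shape.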

Your Terraform Cloud integration is ready to go!