Overview

Terraform Cloud by HashiCorp enables infrastructure automation for provisioning, compliance, and management of your infrastructure, including servers, databases, and firewall policies.


This article explains the process of integrating Terraform Cloud with Aqua to scan Terraform workspaces for misconfigurations.


Once you integrate with Terraform Cloud, the following actions are performed:

  • Scans all Terraform "Plans" in a specific "Workspace", including the code written in these plans, during their execution in Terraform
  • Detects any misconfigurations in Terraform plans
  • Reports the detected misconfigurations in Aqua's Code Repositories page
  • If any Build Assurance Policies are configured, Aqua passes or fails Terraform plans according to the policy configuration
  • Depending on the enforcement level configured for the run task in Terraform, a Terraform plan that is not compliant with Aqua is treated either as a mandatory failure or as advisory in Terraform


Aqua's task is executed between the plan and apply stages of the Terraform Cloud workflow.


Prerequisites

  • You should have Owner privileges for the Terraform organization
  • You should have Administrator privileges or above for the specific workspace
  • You should have signed up with Aqua. For more information, refer to Sign up with Aqua and navigate to the Integrations page below.
  • Run tasks can only be created on workspaces using Terraform version v0.12 and later


Integrate Terraform Cloud

As part of this integration process, you should integrate Aqua with your Terraform workspace. This integration process includes two steps:

  1. Create a "Run Task" to integrate with Aqua. 
  2. Associate a run task with a specific workspace in an organization.

You should start integration from your Terraform environment and use authentication details from Aqua to complete the integration. 


Create a run task in Terraform organization

  1. In your Terraform environment, navigate to the Settings page of the required organization.
  2. Create a run task by entering these mandatory authentication details from Aqua: "Endpoint URL" and "HMAC key". For more information on how to obtain these authentication details from your Aqua environment, refer to Obtain authentication details from Aqua below.
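As an added example (not part of this article and not Aqua's code), the following Python shows what the service behind the "Endpoint URL" does with the "HMAC key": Terraform Cloud sends a hex HMAC-SHA512 of the request body in the X-TFC-Task-Signature header, and the receiver must verify it before trusting the run task payload. The header name and digest algorithm are taken from Terraform's run task API as I understand it; the key, payload, findings and the pass/fail threshold are constructed placeholders.

```python
import hashlib
import hmac
import json

# Constructed placeholder: in practice this is the HMAC key copied from
# the Aqua Integrations page into the Terraform Cloud run task.
HMAC_KEY = b"PLACEHOLDER-HMAC-KEY-FROM-AQUA-UI"


def sign_body(key: bytes, body: bytes) -> str:
    """Hex HMAC-SHA512 over the raw request body, the value Terraform Cloud
    places in the X-TFC-Task-Signature header (assumed from the run task API)."""
    return hmac.new(key, body, hashlib.sha512).hexdigest()


def verify_signature(key: bytes, body: bytes, header_value) -> bool:
    """Reject a request whose signature is missing or does not match.
    compare_digest keeps the comparison constant-time."""
    if not header_value:
        return False
    return hmac.compare_digest(sign_body(key, body), header_value)


def handle_run_task(key: bytes, body: bytes, headers: dict, findings: list) -> dict:
    """Validate the request, then derive the verdict that would be reported
    back to Terraform Cloud. Verdict logic is hypothetical: any critical
    misconfiguration fails the plan; how Terraform treats the failure
    (mandatory or advisory) is decided by the run task's enforcement level."""
    if not verify_signature(key, body, headers.get("X-TFC-Task-Signature")):
        return {"status": "rejected", "reason": "bad or missing signature"}
    payload = json.loads(body)
    # Aqua's task runs between plan and apply, i.e. the post_plan stage
    if payload.get("stage") != "post_plan":
        return {"status": "rejected", "reason": "unexpected stage"}
    critical = sum(1 for f in findings if f["severity"] == "CRITICAL")
    status = "failed" if critical else "passed"
    return {"status": status, "run_id": payload["run_id"], "critical": critical}


# Constructed sample request and scan findings (simplified, not real data)
SAMPLE_BODY = json.dumps({"run_id": "run-EXAMPLE0000", "stage": "post_plan"}).encode()
SAMPLE_HEADERS = {"X-TFC-Task-Signature": sign_body(HMAC_KEY, SAMPLE_BODY)}
SAMPLE_FINDINGS = [
    {"check_id": "EXAMPLE-1", "severity": "CRITICAL", "resource": "aws_security_group.web"},
    {"check_id": "EXAMPLE-2", "severity": "LOW", "resource": "aws_s3_bucket.logs"},
]
```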


If you want to sign up with Aqua and continue to obtain authentication details from Aqua, refer to Sign up with Aqua and navigate to the Integrations page below.

If you already have an account in Aqua and want to obtain authentication details from Aqua, refer to Obtain authentication details from Aqua below.


For more information on creating a run task, refer to the Terraform documentation Run Tasks.



Associate Aqua run task with workspace

  1. In your Terraform environment, navigate to the required workspace in the specific organization where you want to associate the Aqua run task.
  2. In the Settings tab, select Run Tasks. In the Available Run Tasks section, you can see the Aqua run task that you created earlier.
  3. Click the + button on the Aqua run task. The selected run task is associated with the workspace.

For more information on associating a run task with a workspace, refer to the Terraform documentation Run Tasks.



Sign up with Aqua and navigate to the Integrations page

You should have an account in Aqua to integrate Terraform Cloud with Aqua. To sign up with Aqua and navigate to the Integrations page: 

  1. Sign up with Aqua. For more information, refer to Sign Up for Trial. If you sign up initially with a trial, you can contact Aqua to purchase a license with one of the offered plans for uninterrupted usage.
  2. Sign into your Aqua account.
  3. In the Aqua Welcome page, select Scan my Code.
  4. From the mega menu in the upper left corner of the screen, select Supply Chain Security.
  5. From the left menu, click Integrations. You will access the Integrations page.



Obtain authentication details from Aqua

If you have already signed up with Aqua, you can navigate directly to the Integrations page in the Aqua UI and obtain the authentication details to complete the integration. To obtain the authentication details from Aqua:

  1. In the Integrations page, select Manual CI Integration.
  2. In the Source Code Management menu, select Terraform Cloud.
  3. In the Authentication section, copy "Endpoint URL" and "HMAC Key". These are the authentication details required to complete the integration. To continue integrating Terraform Cloud, refer to Integrate Terraform Cloud above.



Configure Build Assurance Policies

You can create Build Assurance Policies to apply to Terraform workspaces. They include controls that are evaluated on the results of Terraform workspace scans. After Build Assurance Policies are applied to Terraform workspaces, Aqua determines whether a workspace is compliant with the applicable Build Assurance Policies.


You can include the following controls in Build Assurance Policies to scan Terraform plans for misconfigurations:

  • Misconfigurations
  • Misconfigurations by Check ID
  • Misconfigurations by Service
  • Misconfigurations by Severity


For more information on the configuration of Build Assurance Policies, refer to Build Assurance Policies.


View scan results of Terraform plans

You can view scan results of Terraform plans in Aqua's Code Repositories page. This page displays all Terraform plans that have been integrated with Aqua, as well as the checks that have been used to scan them.



If you click any record in this page, a detailed view of the Terraform plan appears, with the following tabs:

  • Overview: shows details of the Terraform plan and a misconfiguration distribution widget showing the number and severities of misconfigurations
  • Misconfigurations: lists all misconfigurations, sorted by the resource in which they are detected


For more information on the detailed view of Terraform plans, refer to Code Repositories and Checks.