Terraform Cloud by HarshiCorp enables infrastructure automation for provisioning, compliance, and management of your infrastructure including servers, databases, and firewall policies.

This article explains the process of integrating Terraform Cloud with Aqua to scan Terraform workspaces for misconfigurations.

Once you integrate with Terraform Cloud, the following actions are performed:

  • Scans all the Terraform "Plans" in a specific "Workspace" and code written in these plans, during their execution in Terraform
  • Detects the presence of any misconfigurations in Terraform plans
  • Reports the detected misconfigurations in the Aqua's Code Repositories page
  • If any Assurance Policies are configured, Aqua passes or fails Terraform plans as per the policy configurations
  • As per the configuration of enforcement level for a run task in Terraform, if a Terraform plan is not compliant with Aqua, the plan will be treated as a mandatory failure or advisory in Terraform. 

Aqua's task is executed between the plan and apply stages of the Terraform Cloud workflow.


  • You should have privileges of "Owner" for Terraform Organization 
  • You should have privileges of "Administrator" or above privileges for the specific workspace
  • You should have already signed up with Aqua. If you want to start using Aqua, please contact Aqua or schedule a demo.
  • Run tasks can only be created on workspaces using Terraform version v0.12 and later

Integrate Terraform Cloud

As part of this integration process, you should integrate Aqua with your Terraform workspace. This integration process includes two steps:

  1. Create a "Run Task" to integrate with Aqua. 
  2. Associate the run task with a specific workspace in an organization.

You should start integration from your Terraform environment and use authentication details from Aqua to complete the integration. 

Create a run task in Terraform organization

  1. In your Terraform environment, navigate to the Settings page of the required organization.
  2. Create a run task by entering these mandatory authentication details from Aqua: "Endpoint URL" and "HMAC key". For more information on how to obtain these authentication details from your Aqua environment, refer to the Obtain authentication details from Aqua section below.

For more information on creating a run task, refer to the Terraform documentation Run Tasks.

Associate Aqua run task with workspace

  1. In your Terraform environment, navigate to the required workspace in the specific organization where you want to associate Aqua run task.
  2. In the Settings tab, select Run Tasks. In the Available Run Tasks section, you can see the Aqua run task that you have created earlier.
  3. Click the + button in the Aqua run task. The selected run task is associated with the workspace. 

For more information on associating a run task with workspace, refer to the Terraform documentation Run Tasks.

Obtain authentication details from Aqua

To obtain the authentication details from Aqua:

  1. From the mega menu in the upper left corner of the screen, select Supply Chain Security.
  2. Navigate to the Integrations page.
  3. At the top right side of the Integrations page, click Connect and select CI Integrations from the dropdown menu.
  4. In the CI Integrations menu, select Terraform Cloud.

        3. In the Authentication section, copy "Endpoint URL" and "HMAC Key". These are the authentication details required to complete integration. To continue integrating Terraform Cloud, refer to Integrate Terraform organization with Aqua above.

Configure Assurance Policies

You can create Assurance Policies to apply to Terraform workspaces. They include controls that are evaluated on the results of Terraform workspace scans. After Assurance Policies are applied to Terraform workspaces, Aqua determines whether a workspace is compliant with the applicable Assurance Policies.

You can include the following controls in Assurance Policies to scan Terraform plans for misconfigurations:

  • IaC Misconfiguration by Service
  • IaC Misconfiguration Severity
  • Specific IaC Misconfiguration

For more information on the configuration of Assurance Policies, refer to Assurance Policies.

View scan results of Terraform plans

You can view scan results of Terraform plans in the Aqua's Code Repositories page. This page displays all Terraform plans that have been integrated with Aqua. This page also displays the checks that have been used to scan the Terraform plans. 

If you click any record in this page, a detailed view of Terraform plan appears which has the following tabs:

  • Overview: shows details of Terraform plan and misconfigurations distribution widget which shows the number and severities of misconfigurations

  • Misconfigurations: List of all misconfigurations sorted by the resource in which they are detected.

For more information on the detailed view of Terraform plans, refer to Code Repositories and Checks.