Terraform Cloud (TFC) Run Task Integration

Configure the Terraform Cloud Run Task to scan Terraform plans with Nirmata Control Hub and Kyverno.

The Terraform Cloud (TFC) Run Task integration enables automatic scanning of Terraform plans using the Nirmata Control Hub (NCH) and Kyverno for policy compliance.

This ensures Terraform infrastructure changes are validated against enterprise policies before being applied.


Prerequisites

Before you begin, ensure that you have:

  • A Terraform Cloud (TFC) organization with permissions to create Run Tasks.
  • A Nirmata Control Hub (NCH) tenant with administrative access.
  • Access to a Git provider (GitHub required for MVP; GitLab and Bitbucket optional for future integrations).

Integration Overview

When a Terraform run reaches the Plan stage, Terraform Cloud triggers a webhook to the Nirmata Terraform Service.
This service evaluates the Terraform plan using NCTL (Nirmata CLI) and policy sets managed within NCH.
The results are returned to TFC as pass/fail compliance checks.

Key Components

Component           Description
NCH Webapp & API    Manages integrations, authentication keys, and displays scan results.
Terraform Service   Receives webhooks, fetches policy sets, and invokes NCTL scans.
NCTL                CLI tool that evaluates Terraform plans against Nirmata and Kyverno policy sets.
TFC Run Task        Executes during Terraform plan runs and triggers compliance scans.

Step-by-Step Configuration

Step 1: Enable Integration in NCH

  1. Log in to your Nirmata Control Hub instance.
  2. Navigate to Integrations → Terraform.
  3. Copy the generated Webhook URL and Shared HMAC Key.

Step 2: Add a Run Task in Terraform Cloud

  1. In Terraform Cloud, go to Settings → Run Tasks → Create Run Task.
  2. Provide a descriptive name (e.g., Nirmata Policy Scan).
  3. Paste the Webhook URL from NCH.
  4. Enter the Shared HMAC Key into the HMAC Secret field.
  5. Assign the Run Task to one or more workspaces where you want policy scans to run.

Step 3: Trigger a Terraform Run

  1. Execute a terraform plan or apply in the configured workspace.
  2. Terraform Cloud sends the plan payload to the Nirmata Terraform Service.
  3. The service runs compliance scans using default public policy sets.
  4. The pass/fail status is displayed in the Terraform Cloud run UI.
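The Shared HMAC Key from Step 1 only protects the integration if the receiving service actually checks it on every webhook. The following Python example is added here to show that receiving side of Steps 2 and 3; it is not Nirmata's Terraform Service code and not HashiCorp's. It assumes, per HashiCorp's run-task documentation, that Terraform Cloud signs the raw request body with HMAC-SHA512 using the configured key and sends the hex digest in the X-TFC-Task-Signature header, and that the result is reported back by PATCHing the payload's task_result_callback_url with a JSON:API "task-results" document authenticated by the one-time access_token. The sample payload, key and field values are constructed for the example; the network calls (fetching the plan JSON and sending the callback) are left out so it runs offline.

```python
"""Added example (not Nirmata's or HashiCorp's code): the receiving side of a
Terraform Cloud run-task webhook, as configured in Steps 1-3 above.

Assumptions, labelled here and in the comments:
  * TFC signs the raw request body with HMAC-SHA512 using the run task's
    HMAC key and sends the hex digest in X-TFC-Task-Signature
    (per HashiCorp's run-task documentation).
  * The result is reported by PATCHing task_result_callback_url with a
    JSON:API "task-results" document, using the payload's access_token.
  * The payload and key below are constructed for the example.
"""
import hashlib
import hmac
import json
from typing import Optional

# Constructed key; in practice this is the Shared HMAC Key copied in Step 1.
SHARED_HMAC_KEY = b"example-shared-key-from-nch"

# Constructed stand-in for the JSON body TFC posts at the post_plan stage.
SAMPLE_BODY = json.dumps({
    "payload_version": 1,
    "stage": "post_plan",
    "access_token": "example-callback-token",
    "task_result_callback_url": "https://app.terraform.io/api/v2/task-results/example/callback",
    "plan_json_api_url": "https://app.terraform.io/api/v2/plans/example/json-output",
    "run_id": "run-example",
    "workspace_name": "prod-network",
    "organization_name": "example-org",
}).encode()


def sign_body(body: bytes, key: bytes) -> str:
    """Hex HMAC-SHA512 over the raw body: the signature TFC is assumed to send."""
    return hmac.new(key, body, hashlib.sha512).hexdigest()


def verify_signature(body: bytes, header_value: Optional[str], key: bytes) -> bool:
    """Reject unsigned or mis-signed requests; compare digests in constant time."""
    if not header_value:
        return False
    return hmac.compare_digest(sign_body(body, key), header_value.strip().lower())


def handle_run_task_request(body: bytes, headers: dict, key: bytes) -> Optional[dict]:
    """Authenticate the webhook first, then extract what the scanner needs.

    Returns None when the request must be dropped: bad or missing signature,
    or a stage other than post_plan (the only stage where a plan exists).
    """
    if not verify_signature(body, headers.get("X-TFC-Task-Signature"), key):
        return None
    payload = json.loads(body)
    if payload.get("stage") != "post_plan":
        return None
    return {
        "plan_json_api_url": payload["plan_json_api_url"],  # fetched with access_token
        "callback_url": payload["task_result_callback_url"],
        "access_token": payload["access_token"],
        "run_id": payload["run_id"],
    }


def build_task_result(passed: bool, violations: int) -> dict:
    """JSON:API body the service PATCHes back to TFC once the NCTL scan finishes."""
    return {
        "data": {
            "type": "task-results",
            "attributes": {
                "status": "passed" if passed else "failed",
                "message": ("No policy violations"
                            if passed else f"{violations} policy violation(s) found"),
            },
        }
    }


if __name__ == "__main__":
    # Simulate TFC sending the signed request, then a tampered copy of it.
    sig = sign_body(SAMPLE_BODY, SHARED_HMAC_KEY)
    print(handle_run_task_request(SAMPLE_BODY, {"X-TFC-Task-Signature": sig}, SHARED_HMAC_KEY))
    print(handle_run_task_request(SAMPLE_BODY + b" ", {"X-TFC-Task-Signature": sig}, SHARED_HMAC_KEY))
    print(json.dumps(build_task_result(False, 3)))
```

The signature must be computed over the exact bytes received, before any JSON parsing or re-serialisation, and the comparison uses hmac.compare_digest so a mis-signed request is rejected without a timing side channel. A request that fails the check is dropped before the plan URL or access token is used, so an unauthenticated caller cannot make the service fetch plans or post results on its behalf.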

Step 4: View Results in NCH

  • Go to Integrations → Terraform → Runs in NCH to view detailed scan results, violations, and policy summaries.

Architecture Summary

flowchart TD
    A[TFC Run Task Triggered] --> B[Nirmata Terraform Service (Webhook)]
    B --> C[Policy Fetch (from NCH / Git)]
    C --> D[NCTL Policy Scan]
    D --> E[Results sent to Terraform Cloud & NCH]

Flow Summary:
Terraform Cloud Run → Webhook (Terraform Service) → Policy Fetch (NCH/Git) → NCTL Scan → Results → TFC/NCH

Key Notes:

  • Run data, credentials, and findings are securely stored in Nirmata for auditability.
  • Observability is available through integrated logs, metrics, and traces.

Next Steps

  • Explore custom policy sets in NCH for Terraform security and compliance.
  • Visit the Nirmata Documentation Portal for additional configuration and troubleshooting guides.