Terraform Integration
Complete guide for integrating PolicyCortex with Terraform for Infrastructure as Code governance. Scan, validate, and enforce policies on Terraform configurations before deployment.
Getting Started with PolicyCortex Terraform Integration
Setup & Configuration
PolicyCortex Terraform Provider
Install and configure the PolicyCortex Terraform provider for policy enforcement.
Terraform Provider Configuration

```hcl
terraform {
  required_providers {
    policycortex = {
      source  = "policycortex/policycortex"
      version = "~> 1.0"
    }
  }
}

provider "policycortex" {
  api_key  = var.policycortex_api_key
  endpoint = "https://api.policycortex.com"
}

resource "policycortex_policy_scan" "infrastructure" {
  name = "infrastructure-scan"
  sources = [
    "./infrastructure/*.tf",
    "./modules/**/*.tf"
  ]
  frameworks       = ["soc2", "hipaa", "cis"]
  fail_on_severity = "HIGH"
  exclude_rules = [
    "TF_AWS_001",
  ]
}
```

CI/CD Pipeline Integration
GitHub Actions
GitHub Actions Workflow

```yaml
name: Infrastructure Security Scan
on:
  pull_request:
    paths:
      - 'infrastructure/**'
      - 'modules/**'
jobs:
  terraform-scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - name: Setup Terraform
        uses: hashicorp/setup-terraform@v2
        with:
          terraform_version: 1.5.0
      - name: PolicyCortex Terraform Scan
        uses: policycortex/terraform-scan-action@v1
        with:
          api-key: ${{ secrets.POLICYCORTEX_API_KEY }}
          config-path: './infrastructure'
          frameworks: 'soc2,hipaa,cis'
          fail-on-severity: 'HIGH'
      - name: Upload Scan Results
        uses: actions/upload-artifact@v3
        if: always()
        with:
          name: terraform-scan-results
          path: policycortex-scan-results.json
```

Terraform Cloud Integration
Pre-Plan Hook Configuration

```bash
#!/bin/bash
# Runs as a Terraform Cloud pre-plan hook: install the PolicyCortex CLI,
# then scan the workspace and block the plan if the scan fails.
curl -fsSL https://cli.policycortex.com/install.sh | sh

if ! policycortex terraform scan \
    --path=. \
    --frameworks=soc2,hipaa \
    --output=json \
    --fail-on-high; then
  echo "Infrastructure policy violations found"
  exit 1
fi
echo "Infrastructure passes policy validation"
```

Terraform Policy Examples
AWS Security Group Policy
Restrict SSH Access

```yaml
policy:
  name: "tf-aws-sg-no-ssh-from-internet"
  description: "Security groups must not allow SSH (port 22) from 0.0.0.0/0"
  resource_type: "aws_security_group"
  rules:
    - condition: |
        ingress[*].from_port <= 22 and
        ingress[*].to_port >= 22 and
        ingress[*].cidr_blocks[*] contains "0.0.0.0/0"
      effect: "DENY"
      message: "Security group must not allow SSH access from the internet"
  compliance_mapping:
    - framework: "CIS_AWS"
      control: "5.2"
    - framework: "SOC2"
      control: "CC6.1"
```

S3 Bucket Encryption
Require S3 Encryption

```yaml
policy:
  name: "tf-aws-s3-encryption-required"
  description: "S3 buckets must have server-side encryption enabled"
  resource_type: "aws_s3_bucket"
  rules:
    - condition: "server_side_encryption_configuration == null"
      effect: "DENY"
      message: "S3 bucket must have server-side encryption configured"
    - condition: |
        server_side_encryption_configuration[*].rule[*].apply_server_side_encryption_by_default[*].sse_algorithm not in ["AES256", "aws:kms"]
      effect: "DENY"
      message: "S3 bucket encryption must use AES256 or aws:kms"
  remediation:
    auto_fix: true
    terraform_code: |
      resource "aws_s3_bucket_server_side_encryption_configuration" "this" {
        bucket = aws_s3_bucket.this.id
        rule {
          apply_server_side_encryption_by_default {
            sse_algorithm = "AES256"
          }
        }
      }
```
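The two policies above are easiest to understand by evaluating them by hand against what Terraform actually plans to create. The following is an added example, not PolicyCortex code: a stdlib-only Python script that applies both rules, plus the `fail_on_severity` / `exclude_rules` gate from the provider configuration, to the JSON that `terraform show -json tfplan` emits (only `planned_values.root_module.resources` is read). It goes slightly beyond the page's conditions in two places, both marked in comments: an ingress rule with protocol `-1` (all traffic, `from_port`/`to_port` 0) is treated as opening port 22, and `::/0` in `ipv6_cidr_blocks` counts as "from the internet". It also accepts a separate `aws_s3_bucket_server_side_encryption_configuration` resource, which is what the page's own remediation emits and the only form the AWS provider supports from v4 on, in addition to the legacy inline block. Rule identifiers are the policy names from the page; severities and the sample plan are constructed for the example.

```python
"""Evaluate the page's security-group and S3-encryption policies against
`terraform show -json tfplan` output. Added example, not PolicyCortex code."""
import json

SG_RULE = "tf-aws-sg-no-ssh-from-internet"   # policy names from the page
S3_RULE = "tf-aws-s3-encryption-required"
ALLOWED_SSE = {"AES256", "aws:kms"}
SEVERITY_ORDER = {"LOW": 0, "MEDIUM": 1, "HIGH": 2, "CRITICAL": 3}


def _finding(rule, address, message, severity="HIGH"):  # severity: assumed
    return {"rule": rule, "severity": severity, "address": address, "message": message}


def _opens_port(ingress, port):
    # Extension beyond the page: protocol "-1" is "all traffic" on AWS and
    # carries from_port/to_port 0, which from_port <= 22 <= to_port would miss.
    if ingress.get("protocol") == "-1":
        return True
    return int(ingress.get("from_port", 0)) <= port <= int(ingress.get("to_port", 0))


def _open_to_internet(ingress):
    # The page checks cidr_blocks for 0.0.0.0/0; ::/0 is the IPv6 equivalent.
    return ("0.0.0.0/0" in (ingress.get("cidr_blocks") or [])
            or "::/0" in (ingress.get("ipv6_cidr_blocks") or []))


def check_sg_no_ssh_from_internet(resources):
    findings = []
    for res in resources:
        if res["type"] != "aws_security_group":
            continue
        for ingress in res["values"].get("ingress") or []:
            if _opens_port(ingress, 22) and _open_to_internet(ingress):
                findings.append(_finding(SG_RULE, res["address"],
                    "Security group must not allow SSH access from the internet"))
                break  # one finding per security group is enough
    return findings


def _sse_algorithms(configs):
    """Walk rule[*].apply_server_side_encryption_by_default[*].sse_algorithm."""
    return [d.get("sse_algorithm")
            for cfg in configs for rule in (cfg.get("rule") or [])
            for d in (rule.get("apply_server_side_encryption_by_default") or [])]


def check_s3_encryption_required(resources):
    # Accept the separate resource (what the remediation emits) or the inline
    # block. Matching is by bucket name; a `bucket = aws_s3_bucket.x.id`
    # reference is unknown at plan time and is not resolved here (simplification).
    separate = {}
    for res in resources:
        if res["type"] == "aws_s3_bucket_server_side_encryption_configuration":
            if res["values"].get("bucket") is not None:
                separate[res["values"]["bucket"]] = res["values"]
    findings = []
    for res in resources:
        if res["type"] != "aws_s3_bucket":
            continue
        values = res["values"]
        configs = list(values.get("server_side_encryption_configuration") or [])
        if values.get("bucket") in separate:
            configs.append(separate[values["bucket"]])
        algos = _sse_algorithms(configs)
        if not algos:  # the page's "== null" case
            findings.append(_finding(S3_RULE, res["address"],
                "S3 bucket must have server-side encryption configured"))
        elif any(a not in ALLOWED_SSE for a in algos):
            findings.append(_finding(S3_RULE, res["address"],
                "S3 bucket encryption must use AES256 or aws:kms"))
    return findings


def scan_plan(plan):
    resources = plan["planned_values"]["root_module"]["resources"]
    return check_sg_no_ssh_from_internet(resources) + check_s3_encryption_required(resources)


def should_fail(findings, fail_on_severity="HIGH", exclude_rules=()):
    """Mirror fail_on_severity / exclude_rules from the provider configuration."""
    threshold = SEVERITY_ORDER[fail_on_severity.upper()]
    return any(SEVERITY_ORDER[f["severity"]] >= threshold and f["rule"] not in exclude_rules
               for f in findings)


# Constructed plan excerpt: two violating security groups, one compliant one,
# one unencrypted bucket, one with a bad algorithm, one covered by the separate resource.
SAMPLE_PLAN = {"format_version": "1.2", "planned_values": {"root_module": {"resources": [
    {"address": "aws_security_group.web", "type": "aws_security_group", "values": {"ingress": [
        {"from_port": 443, "to_port": 443, "protocol": "tcp", "cidr_blocks": ["0.0.0.0/0"]},
        {"from_port": 22, "to_port": 22, "protocol": "tcp", "cidr_blocks": ["0.0.0.0/0"]}]}},
    {"address": "aws_security_group.bastion", "type": "aws_security_group", "values": {"ingress": [
        {"from_port": 22, "to_port": 22, "protocol": "tcp", "cidr_blocks": ["10.0.0.0/8"]}]}},
    {"address": "aws_security_group.legacy", "type": "aws_security_group", "values": {"ingress": [
        {"from_port": 0, "to_port": 0, "protocol": "-1", "cidr_blocks": [], "ipv6_cidr_blocks": ["::/0"]}]}},
    {"address": "aws_s3_bucket.logs", "type": "aws_s3_bucket", "values": {"bucket": "example-logs"}},
    {"address": "aws_s3_bucket.data", "type": "aws_s3_bucket", "values": {"bucket": "example-data"}},
    {"address": "aws_s3_bucket.weird", "type": "aws_s3_bucket", "values": {"bucket": "example-weird",
        "server_side_encryption_configuration": [{"rule": [
            {"apply_server_side_encryption_by_default": [{"sse_algorithm": "AES128"}]}]}]}},
    {"address": "aws_s3_bucket_server_side_encryption_configuration.data",
     "type": "aws_s3_bucket_server_side_encryption_configuration",
     "values": {"bucket": "example-data", "rule": [
         {"apply_server_side_encryption_by_default": [{"sse_algorithm": "aws:kms"}]}]}},
]}}}

if __name__ == "__main__":
    import sys
    plan = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_PLAN
    results = scan_plan(plan)
    for f in results:
        print(f"{f['severity']:8} {f['rule']:32} {f['address']}: {f['message']}")
    sys.exit(1 if should_fail(results, "HIGH", exclude_rules=()) else 0)
```

Run it with no arguments to scan the embedded sample, or pass the path of a `terraform show -json` file; the exit code follows the same contract as the pre-plan hook above (non-zero when a finding at or above the threshold is not excluded). The `weird` bucket shows why the second S3 rule exists separately from the first: encryption is configured, but with an algorithm the policy does not accept.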