Integrate Cortex Cloud Application Security with Terraform Enterprise (Run Tasks) to enable dynamic, automated, and context-specific scans in your Terraform workspace. Cortex Cloud Application Security scans Terraform (TF) frameworks for misconfigurations based on default and custom policies whenever changes are triggered, ensuring seamless security checks. It identifies infrastructure-as-code (IaC) misconfigurations, Software Composition Analysis (SCA) vulnerabilities*, exposed secrets, and license non-compliance issues, depending on the security scanners that you have subscribed to.
Note
For container image vulnerabilities, Cortex Cloud Application Security performs 'Image Referencer' scans within Terraform Enterprise (Run Tasks), as full SCA scans are not currently supported.
You can monitor and remediate issues directly in the Cortex Cloud Application Security console. Run statuses and violation details can be tracked in both Cortex Cloud Application Security and Terraform Enterprise through streamlined run task reviews. For more information about streamlined tasks, refer to https://www.hashicorp.com/blog/terraform-cloud-adds-streamlined-run-task-reviews.
Prerequisite
Before you begin:
Ensure that you have access to a Terraform Enterprise console so that you can provide a user or team token that authorizes Cortex Cloud Application Security to access workspaces and manage run configurations
Terraform Enterprise version compatibility: Run Tasks for workspaces require Terraform Enterprise version 1.1.9 and above
Terraform Enterprise user or team permissions: For a workspace integration of run tasks you need to ensure that the token used has the following permissions. These permissions enable Cortex Cloud to configure run tasks in the environment and scan plan files from your runs:
Manage run tasks permissions at the organizational level. These permissions are required to create and manage the run task in the organization
Manage Workspaces permissions at the organization level. These permissions are required to attach and manage the run task on workspaces or:
Administrator permissions on the workspace(s)
Note
For more on Terraform Run Task permissions refer to Manage Run Tasks permissions.
Create a Terraform Organization. For more information, refer to the Terraform documentation
Create a Terraform Workspace: For more information, refer to the Terraform documentation
Onboarding steps
On your Terraform Enterprise platform, create a Terraform API token.
Select your → .
Select the Tokens section from the left side menu.
Click → → .
+.
Note
Skip this step if you plan on using an existing token.
For more information about Terraform API tokens, refer to the Terraform API Tokens documentation.
On the Cortex Cloud console:
Search for and hover over Terraform Enterprise (Run Tasks) and click Add, or Add Another Instance if an instance is already onboarded.
→ .
→ .
On the Select Workspace step of the wizard:
Select repositories from the Selection Options field.
Permit all existing repositories
Permit all existing and future repositories
Choose from repository list
Select a run plan from the Run Stage field.
Pre-plan: The scan runs before Terraform generates the plan
Post-plan: The scan runs after Terraform generates the plan
Note
Cortex Cloud Application Security performs a scan of Terraform templates on selected workspaces based on the Run Stage.
Click .
Click Save and then Close in the final verification step of the wizard.
Verify the integration and confirm that your integrated Terraform Enterprise (Run Tasks) instance has a status of Connected.
On the Data Sources & Integrations page, search for Terraform Enterprise (Run Tasks) in the search bar.
Hover over and select the resulting entry.
Locate your instance and verify that the status is Connected.
Next step: View scan results and mitigate issues.
Manage data source integrations
Manage integrations to align with evolving requirements and ensure they remain current.
Navigate to → and use the Vendor filter to locate the required integration.
Select your vendor from the list.
The integrated instances for the selected vendor are displayed.
Right-click on an instance and select an option:
: Redirects to the Select Repositories step of the integration wizard, where you can modify configurations for the selected instance. For more details, refer to the relevant integration guide
: When confirmed, deletes the instance, including data from previous scans
Copy entire row – Copies all column values for the selected row to the clipboard.
Terraform workflow for Run Tasks enforcement
You can declaratively dictate which infrastructure misconfigurations or exposed secrets will trigger a Run Task failure during the terraform plan phase, blocking insecure infrastructure from being deployed via HCP Terraform.
Prerequisites: The HCP Terraform Run Task integration must already be established, and target Asset Groups must be defined.
Configuration: Use the cortexcloud_appsec_policy resource to define the finding types and conditions.
How it works: When HCP Terraform triggers the Run Task, Cortex Cloud evaluates the plan against the cicd_trigger actions defined in this policy to determine if the plan should be blocked.
For more information, refer to Manage resources.
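The following is an added, illustrative example (not Cortex Cloud's scanner or the cortexcloud_appsec_policy schema) of the two mechanics described above: the Run Stage selection (pre-plan versus post-plan) and the way a run task evaluates a plan against a set of blocking finding types and reports pass or fail back to Terraform Enterprise. The plan JSON, the run task request, the check identifiers, the BLOCKING_FINDING_TYPES set and the results URL are all constructed placeholders; the request field names and the JSON:API task-result body follow HashiCorp's published Run Task integration API.

```python
"""Illustrative run task: evaluate a Terraform plan JSON and build the task result."""
import json

# Constructed sample: a trimmed "terraform show -json" plan with hypothetical resources.
SAMPLE_PLAN_JSON = json.dumps({
    "format_version": "1.2",
    "resource_changes": [
        {"address": "aws_s3_bucket.logs", "type": "aws_s3_bucket",
         "change": {"actions": ["create"],
                    "after": {"bucket": "example-logs", "acl": "public-read"}}},
        {"address": "aws_security_group.ssh", "type": "aws_security_group",
         "change": {"actions": ["create"],
                    "after": {"ingress": [{"from_port": 22, "to_port": 22,
                                           "cidr_blocks": ["0.0.0.0/0"]}]}}},
        {"address": "aws_instance.web", "type": "aws_instance",
         "change": {"actions": ["update"], "after": {"instance_type": "t3.micro"}}},
        {"address": "aws_s3_bucket.old", "type": "aws_s3_bucket",
         "change": {"actions": ["delete"], "after": None}},
    ],
})

# Constructed sample of the request Terraform Enterprise sends to a run task endpoint
# (field names per HashiCorp's Run Task API; all values are placeholders).
SAMPLE_RUN_TASK_REQUEST = {
    "access_token": "PLACEHOLDER_ACCESS_TOKEN",
    "stage": "post_plan",
    "run_id": "run-PLACEHOLDER",
    "workspace_name": "example-workspace",
    "task_result_callback_url": "https://tfe.example.invalid/api/v2/task-results/taskrs-PLACEHOLDER/callback",
    "plan_json_api_url": "https://tfe.example.invalid/api/v2/plans/plan-PLACEHOLDER/json-output",
}

# Hypothetical enforcement policy: finding types that fail the run task.
BLOCKING_FINDING_TYPES = {"iac_misconfiguration"}


def _public_acl(after):
    return after.get("acl") in {"public-read", "public-read-write"}


def _ssh_open_to_world(after):
    for rule in after.get("ingress", []):
        if rule.get("from_port", 0) <= 22 <= rule.get("to_port", 0) \
                and "0.0.0.0/0" in rule.get("cidr_blocks", []):
            return True
    return False


# (check id, resource type, predicate on the planned "after" state, finding type, severity, title)
CHECKS = [
    ("POLICY-001", "aws_s3_bucket", _public_acl, "iac_misconfiguration", "HIGH",
     "S3 bucket ACL grants public access"),
    ("POLICY-002", "aws_security_group", _ssh_open_to_world, "iac_misconfiguration", "HIGH",
     "Security group allows SSH from 0.0.0.0/0"),
]


def evaluate_plan(plan_json, blocking_types=BLOCKING_FINDING_TYPES):
    """Run every check over created/updated resources; decide pass or fail."""
    plan = json.loads(plan_json)
    findings = []
    for rc in plan.get("resource_changes", []):
        change = rc.get("change", {})
        after = change.get("after")
        if not after or change.get("actions") == ["delete"]:
            continue  # nothing new is being deployed for this resource
        for check_id, rtype, predicate, ftype, severity, title in CHECKS:
            if rc.get("type") == rtype and predicate(after):
                findings.append({"check_id": check_id, "resource": rc["address"],
                                 "finding_type": ftype, "severity": severity, "title": title})
    blocking = [f for f in findings if f["finding_type"] in blocking_types]
    return {"findings": findings, "blocking": blocking,
            "status": "failed" if blocking else "passed"}


def build_task_result(evaluation, details_url):
    """JSON:API body the run task PATCHes to task_result_callback_url."""
    total, nblock = len(evaluation["findings"]), len(evaluation["blocking"])
    message = (f"{nblock} blocking finding(s) out of {total}" if nblock
               else f"{total} finding(s), none blocking")
    return {"data": {"type": "task-results",
                     "attributes": {"status": evaluation["status"],
                                    "message": message, "url": details_url}}}


def callback_headers(request):
    """Headers for the callback: the one-time access_token from the request."""
    return {"Content-Type": "application/vnd.api+json",
            "Authorization": f"Bearer {request['access_token']}"}


def handle_run_task_request(request, plan_json,
                            details_url="https://appsec.example.invalid/results"):
    """Dispatch on the Run Stage carried in the request payload."""
    if request.get("stage") != "post_plan":
        # Plan JSON exists only after the plan; a pre-plan task would scan the
        # configuration version (the raw templates) instead, which is not shown here.
        return {"data": {"type": "task-results",
                         "attributes": {"status": "passed",
                                        "message": f"stage {request.get('stage')}: no plan to evaluate",
                                        "url": details_url}}}
    return build_task_result(evaluate_plan(plan_json), details_url)


if __name__ == "__main__":
    print(json.dumps(handle_run_task_request(SAMPLE_RUN_TASK_REQUEST, SAMPLE_PLAN_JSON), indent=2))
```

The sending step is omitted so the block runs offline: a real integration would fetch plan_json_api_url with the access token, then PATCH the result body with callback_headers() to task_result_callback_url. Deleted resources are skipped because their planned "after" state is null, and the status is driven only by findings whose type is in the blocking set, which is the role the page assigns to the cicd_trigger actions of the policy.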