Use these supported Terraform resources and data sources to programmatically define your Application Security boundaries and guardrails. You can manage asset groups, deploy custom detection rules, configure compliance assessments, and enforce Unified Application Security policies, including HCP Terraform Run Task blocking.
Manage Asset Groups
The Cortex Cloud Terraform provider supports full CRUD (Create, Read, Update, Delete) operations for Asset Groups. By managing these groups as Infrastructure-as-Code, you can programmatically control your inventory lifecycle to dynamically scope policies, rules, and compliance profiles.
Configuration
Use the cortexcloud_asset_group resource and define the membership_predicate to establish boundaries.
# Create and manage a dynamic asset group for AppSec (Code Repositories)
resource "cortexcloud_asset_group" "appsec_frontend_repos" {
  name        = "Production Frontend Repositories"
  type        = "Dynamic"
  description = "Groups GitHub repositories containing frontend application code for AppSec scanning."
  membership_predicate = {
    # Group assets that are GitHub Repositories and contain "frontend" in the name
    and = [
      {
        search_field = "xdm.asset.provider"
        search_type  = "EQ"
        search_value = "GitHub"
      },
      {
        search_field = "xdm.asset.type.class"
        search_type  = "EQ"
        search_value = "Repository"
      },
      {
        search_field = "xdm.asset.name"
        search_type  = "CONTAINS"
        search_value = "frontend"
      }
    ]
  }
}
For more information on Asset Groups, refer to Asset groups.
Manage Terraform Run Tasks enforcement
Declaratively dictate which infrastructure misconfigurations or exposed secrets will trigger a Run Task failure during the terraform plan phase, blocking insecure infrastructure from being deployed.
Prerequisites
Establish integration: The HCP Terraform Run Task integration must already be configured. Refer to Terraform Cloud (Run Tasks) or Terraform Enterprise (Run Tasks) in the user guide.
Asset Groups: The target Asset Groups must already exist (refer to Manage Asset Groups above).
Configuration
Use the cortexcloud_appsec_policy resource to define the finding types and conditions. When HCP Terraform triggers the Run Task, Cortex Cloud evaluates the plan against the cicd_trigger actions defined in this policy to determine whether the plan should be blocked.
# Example: Enforce a Run Task block for Critical IaC misconfigurations
resource "cortexcloud_appsec_policy" "run_task_iac_guardrails" {
  name        = "HCP Run Task IaC Guardrails"
  description = "Blocks Terraform Run Tasks if critical IaC misconfigurations are detected in the plan."
  status      = "enabled"

  # SCOPE: Target the asset group representing your Terraform workspaces
  asset_group_ids = [1]

  # Conditions: Evaluate severity (Requires uppercase keys per provider schema)
  conditions = jsonencode({
    AND = [
      {
        SEARCH_FIELD = "Severity"
        SEARCH_TYPE  = "EQ"
        SEARCH_VALUE = "CRITICAL"
      }
    ]
  })

  # Actions: The Run Task integration evaluates this block to determine block/pass status
  cicd_trigger = {
    enabled = true
    actions = {
      report_issue = true
      block_cicd   = true # Fails the HCP Terraform Run Task
      report_cicd  = true
    }
  }

  # Unused triggers required by schema validation
  pr_trigger = {
    enabled = false
    actions = { report_issue = false, report_pr_comment = false, block_pr = false }
  }
  periodic_trigger = {
    enabled = false
    actions = { report_issue = false }
  }
  ci_image_trigger = {
    enabled = false
    actions = { report_issue = false, report_cicd = false, block_cicd = false }
  }
  image_registry_trigger = {
    enabled = false
    actions = { report_issue = false }
  }
}
Manage policies
Manage Unified Application Security policies through Terraform in order to programmatically define finding types, evaluation conditions, and enforcement actions. You can bind these policies to specific asset groups to ensure your security guardrails are strictly scoped to the correct environments.
Configuration
Use the cortexcloud_appsec_policy resource to configure the finding types, conditions, and enforcement actions. All trigger blocks and nested actions must be explicitly defined.
# AppSec policy for critical findings
resource "cortexcloud_appsec_policy" "critical_findings" {
  name        = "Critical Findings on Production"
  description = "Alert on critical security issues"
  status      = "enabled"

  # Conditions as JSON (supports up to 10 levels of nesting)
  conditions = jsonencode({
    AND = [
      {
        SEARCH_FIELD = "Severity"
        SEARCH_TYPE  = "EQ"
        SEARCH_VALUE = "CRITICAL"
      }
    ]
  })

  # Each trigger block must be present on CREATE/UPDATE — the API rejects
  # requests that omit any of periodic / pr / cicd / ci_image / image_registry
  # with HTTP 422 ValidateError.
  periodic_trigger = {
    enabled = true
    actions = {
      report_issue = true
    }
  }
  pr_trigger = {
    enabled = true
    actions = {
      report_issue      = true
      report_pr_comment = true
      block_pr          = false
    }
  }
  cicd_trigger = {
    enabled = false
    actions = {
      report_issue = false
      block_cicd   = false
      report_cicd  = false
    }
  }
  ci_image_trigger = {
    enabled = false
    actions = {
      report_issue = false
      report_cicd  = false
      block_cicd   = false
    }
  }
  image_registry_trigger = {
    enabled = false
    actions = {
      report_issue = false
    }
  }

  asset_group_ids = [1]
}
For policy schema details, refer to Policies Schema.
For information on Unified Application Security policies, refer to Unified Application Security policies.
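The following is an added example, not part of the provider's own documentation: it scopes a policy to the asset group resource defined under Manage Asset Groups instead of a hardcoded ID, and factors the five mandatory trigger blocks into a local so each policy only spells out the trigger it actually uses. It assumes the asset group resource exports its numeric ID as the `id` attribute (the compliance example on this page uses the same `.id` pattern for standards).

```hcl
# Shared, all-disabled trigger blocks. Every trigger block must be present on
# CREATE/UPDATE, so policies reference these instead of repeating them.
locals {
  trigger_off = {
    periodic_trigger       = { enabled = false, actions = { report_issue = false } }
    pr_trigger             = { enabled = false, actions = { report_issue = false, report_pr_comment = false, block_pr = false } }
    cicd_trigger           = { enabled = false, actions = { report_issue = false, block_cicd = false, report_cicd = false } }
    ci_image_trigger       = { enabled = false, actions = { report_issue = false, report_cicd = false, block_cicd = false } }
    image_registry_trigger = { enabled = false, actions = { report_issue = false } }
  }
}

# PR guardrail bound to the frontend repository asset group resource, so the
# scope follows the asset group when Terraform recreates or renames it.
resource "cortexcloud_appsec_policy" "frontend_pr_guardrails" {
  name        = "Frontend PR Guardrails"
  description = "Comment on and block pull requests that introduce CRITICAL findings in frontend repos."
  status      = "enabled"

  # Assumption: `id` is the asset group's numeric ID. tonumber() accepts both
  # a number and a numeric string, so the list element type stays consistent.
  asset_group_ids = [tonumber(cortexcloud_asset_group.appsec_frontend_repos.id)]

  # Uppercase keys are required by the provider schema.
  conditions = jsonencode({
    AND = [
      { SEARCH_FIELD = "Severity", SEARCH_TYPE = "EQ", SEARCH_VALUE = "CRITICAL" }
    ]
  })

  # Only the PR trigger is active for this policy.
  pr_trigger = {
    enabled = true
    actions = {
      report_issue      = true
      report_pr_comment = true
      block_pr          = true # Fails the pull request check
    }
  }

  # Remaining required trigger blocks come from the shared local.
  periodic_trigger       = local.trigger_off.periodic_trigger
  cicd_trigger           = local.trigger_off.cicd_trigger
  ci_image_trigger       = local.trigger_off.ci_image_trigger
  image_registry_trigger = local.trigger_off.image_registry_trigger
}
```

Because the policy references the asset group resource directly, Terraform orders the creation of the asset group before the policy without an explicit depends_on.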
Manage custom rules
Deploy and maintain custom detection logic programmatically across multiple tenants via Terraform. This enables you to define the logic directly in HCL via the frameworks block, ensuring identical rule distribution organization-wide.
Configuration
Use the cortexcloud_appsec_rule resource.
# Custom AppSec rule for Terraform
resource "cortexcloud_appsec_rule" "custom_iac_rule" {
  name         = "Custom Terraform Security Rule"
  severity     = "CRITICAL"
  scanner      = "IAC"
  category     = "NETWORKING"
  sub_category = "INGRESS_CONTROLS"
  description  = "Detect insecure ingress configurations in Terraform"

  frameworks {
    name                    = "TERRAFORM"
    definition              = "resource \"aws_security_group\" \"example\" { ingress { cidr_blocks = [\"0.0.0.0/0\"] } }"
    definition_link         = "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group"
    remediation_description = "Restrict ingress to specific IP ranges"
  }

  labels = ["production", "networking", "aws"]
}
For rule schema details, refer to Rules Schema.
For more information on Application Security rules, refer to Application Security Rules.
Manage compliance assessment profiles
Automate recurring compliance audits for your IaC repositories and CI/CD assets by managing Compliance Assessment Profiles through Terraform. As new Asset Groups are provisioned, Terraform automatically schedules audits and configures report distribution.
Note
For a complete list of supported IaC and CI/CD compliance standards, as well as rule mapping logic and available scan types, refer to Compliance for Cortex Cloud Application Security.
Prerequisite
You must have an existing Asset Group ID (representing your IaC repos or CI/CD pipelines) and the ID of the Compliance Standard you wish to assess against.
Configuration
Use the cortexcloud_compliance_assessment_profile resource to define the target standard, the assets to scan, and the automated reporting schedule using standard Cron syntax.
# Compliance assessment profile for IaC
resource "cortexcloud_compliance_assessment_profile" "monthly_iac_compliance" {
  name             = "Monthly IaC Compliance Check"
  standard_id      = cortexcloud_compliance_standard.custom_framework.id
  asset_group_id   = 1
  description      = "Monthly compliance assessment for IaC repositories"
  report_type      = "PDF"
  report_targets   = ["security@example.com"]
  report_frequency = "0 12 1 * *" # First day of month at 12:00
}
For compliance schema details, refer to Compliance assessment profile schema.
For more information on Compliance, refer to Compliance for Cortex Cloud Application Security.
Leverage Terraform data sources
Data sources let you look up existing Application Security configurations at plan time and reference their IDs or attributes in new deployments, so you do not have to copy hardcoded values between configurations.
Supported Application Security data sources
Policies and rules
| Action | Terraform data source |
|---|---|
| Retrieve the configuration details (such as conditions and triggers) of a specific AppSec policy | |
| Fetch a filtered list of AppSec policies (such as all policies currently set to enabled) | |
| Retrieve the YAML definition and severity details of a specific custom rule | |
| Get a filtered list of rules based on scanner type (IaC/Secrets) or category | |
| List the available rule labels currently active in the tenant | |
Compliance
| Action | Terraform data source |
|---|---|
| Retrieve details for specific compliance frameworks (such as OWASP Top 10) to fetch a Standard ID | |
| Look up the scheduling and reporting targets for existing automated compliance audits | |
| Retrieve configuration details for individual compliance controls | |
Reference
For complete schemas, available filtering parameters, and specific examples for every data source listed above, refer to the official Cortex Cloud Terraform Provider Registry documentation.