Mutual Wiz and HashiCorp customers can leverage this integration to scan their IaC configuration and enforce security best practices to reduce risk.
# Best Practices: Integrating Security Guardrails into Infrastructure as Code (IaC) Pipelines using Terraform Run Tasks
## Overview
These practices describe automated security validation inside HashiCorp Terraform Cloud/Enterprise workflows using a third-party integration (here, the Wiz Run Task) to enforce security guardrails on Infrastructure as Code (IaC) deployments. The goal is to detect and halt insecure configurations (secrets in configuration, critical misconfigurations such as publicly exposed resources) at plan time, before they are applied to the cloud environment.
## Key Recommendations
### Immediate Actions
1. **Enable IaC Scanning as a Guardrail:** Integrate a security scanning tool (like Wiz) as a Terraform Run Task in your Terraform Cloud/Enterprise environments.
2. **Configure Task Timing:** Attach the Run Task at the **`post-plan`** stage, so the scanner receives the JSON plan output and validates the planned changes against security policy before anything is applied.
3. **Establish Mandatory Failures for Critical Risks:** Set the enforcement level to **`mandatory`** for production and other sensitive workspaces, so that a failed scan fails the run and the apply cannot proceed (e.g., when a publicly exposed resource is detected).
### Short-term Improvements (1-3 months)
1. **Targeted Policy Rollout:** Define a prioritized set of high-risk security policies (e.g., blocking S3 buckets without encryption, forbidding hardcoded secrets) to be enforced via the Run Task.
2. **Utilize Advisory Enforcement for Feedback:** Set the enforcement level to **`advisory`** for development or staging environments initially. This provides developers with immediate feedback on misconfigurations without blocking the pipeline entirely, facilitating faster learning and remediation integration.
3. **Document Run Task Workflow:** Create clear internal documentation detailing which workspaces utilize Run Tasks, the specific security checks being performed, and the escalation path for mandatory failures.
### Long-term Strategy (3+ months)
1. **Shift-Left Security Adoption:** Mandate that all new IaC modules and workspaces integrate the security Run Task, making automated security validation a prerequisite for infrastructure deployment across the organization.
2. **Feedback Loop Automation:** Establish automated ticketing or notification systems triggered by Run Task failures (especially mandatory ones) to instantly assign remediation tasks to the submitting developer or team.
3. **Continuous Policy Refinement:** Regularly review Run Task failures and successes. Update the security policies enforced by the task to incorporate new cloud provider vulnerabilities or evolving organizational security requirements, ensuring runtime security learnings are consistently applied back into the pipeline.
## Implementation Guidance
### For Small Organizations
- **Focus Standardization:** Standardize the Run Task configuration across workspaces from the start. If resources are limited, integrate only production workspaces first, with **`mandatory`** enforcement for the top three critical security risks.
- **Leverage Existing Integrations:** Utilize simple, pre-built connector configurations provided by the security vendor to minimize setup complexity.
### For Medium Organizations
- **Workspace Segmentation:** Apply different policy enforcement levels based on environment criticality (e.g., Mandatory for Prod, Advisory for Dev/Staging).
- **Introduce Review Gates:** With VCS integration, a pull request triggers a speculative plan, and a `post-plan` Run Task runs on that plan as well. Make the scan result part of the pull request review so an insecure plan is caught before the merge that would trigger the real run.
### For Large Enterprises
- **Centralized Governance:** Define the Run Task once at the organization level and attach it to workspaces through automation (for example, the `tfe` Terraform provider or the Run Tasks API) rather than per-workspace clicks, so enforcement stays consistent across hundreds or thousands of workspaces.
- **Enforce Policy-as-Code:** Ensure the security policies driving the Run Task are managed via a centralized, version-controlled standard, aligning with broader cloud governance frameworks.
- **Audit Trail Integration:** Ensure that Run Task results (success or failure) are logged and exported to the central SIEM/Audit system for compliance verification.
## Configuration Examples
*Note: Specific commands depend on the integrated tool (e.g., Wiz). The following describes the conceptual configuration points within Terraform Cloud/Enterprise.*
**Conceptual Terraform Run Task Setup within Workspace Settings:**
1. **Location:** Navigate to the specific Terraform Workspace settings in TFC/TFE.
2. **Run Tasks Section:** Locate the "Run Tasks" configuration area.
3. **Task Initialization:** Define or select the pre-configured security scanner task.
4. **Lifecycle Hook:** Set the stage to **`Post-Plan`**. (`Pre-Apply` is also possible, but it does not run on speculative plans, so findings would not surface for pull requests.)
5. **Enforcement Level:** Set as required:
   * `Mandatory`: a failed task fails the run; the Apply stage cannot proceed.
   * `Advisory`: a failed task is recorded as a warning on the run, and the Apply stage may proceed.
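The same workspace-settings steps expressed as code, using HashiCorp's `tfe` Terraform provider. This is an added example, not configuration from the original page or from Wiz: the organization name, workspace names and scanner endpoint URL are placeholders, and the per-environment enforcement map is the Mandatory-for-Prod / Advisory-for-Dev segmentation described under Implementation Guidance.

```hcl
terraform {
  required_providers {
    tfe = {
      source = "hashicorp/tfe"
    }
  }
}

# Shared secret that TFC/TFE uses to sign each request it sends to the
# scanner (X-TFC-Task-Signature header). Keep it in a sensitive variable,
# never in the configuration being scanned.
variable "run_task_hmac_key" {
  type      = string
  sensitive = true
}

# Placeholder values (assumed for this example): replace with your
# organization and the endpoint your security vendor provides.
locals {
  organization = "example-org"
  scanner_url  = "https://runtask.example.invalid/tfc"

  # Environment criticality decides the enforcement level: production runs
  # are blocked on a failed scan, lower environments only get a warning.
  workspaces = {
    "app-prod"    = "mandatory"
    "app-staging" = "advisory"
    "app-dev"     = "advisory"
  }
}

data "tfe_workspace" "env" {
  for_each     = local.workspaces
  name         = each.key
  organization = local.organization
}

# One Run Task definition at the organization level ...
resource "tfe_organization_run_task" "iac_scan" {
  organization = local.organization
  name         = "iac-security-scan"
  description  = "IaC security scan of the Terraform plan before apply"
  url          = local.scanner_url
  hmac_key     = var.run_task_hmac_key
  enabled      = true
}

# ... attached to each workspace at the post-plan stage, where the task
# receives the JSON plan output and also runs on speculative (PR) plans.
resource "tfe_workspace_run_task" "iac_scan" {
  for_each          = local.workspaces
  workspace_id      = data.tfe_workspace.env[each.key].id
  task_id           = tfe_organization_run_task.iac_scan.id
  stage             = "post-plan"
  enforcement_level = each.value
}
```

Promoting an environment from advisory to mandatory is then a one-word change in the `workspaces` map, reviewed and applied like any other infrastructure change, which is the version-controlled policy standard the large-enterprise guidance calls for.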
## Compliance Alignment
- **NIST Cybersecurity Framework (CSF):** Supports the **Protect** function (PR.IP, Information Protection Processes and Procedures, which covers baseline configuration and SDLC controls) and the **Detect** function (DE.CM, Security Continuous Monitoring).
- **ISO/IEC 27001:** Aligns with A.14 (System acquisition, development and maintenance) of the 2013 Annex A, carried into controls 8.25 to 8.29 (secure development life cycle through security testing) in the 2022 revision, by incorporating security validation early in the SDLC/IaC process.
- **CIS Benchmarks/Controls:** By preventing the deployment of insecure configurations detected via IaC scanning, this practice helps enforce many baseline configurations defined in the CIS Foundations Benchmarks for relevant cloud providers.
## Common Pitfalls to Avoid
1. **Ignoring Advisory Failures:** Setting a task to `advisory` and then ignoring the resulting warnings, which defeats the purpose of gaining early feedback.
2. **Over-enforcing Too Early:** Making every task `mandatory` on day one blocks developer velocity on findings nobody has triaged yet. Start with `advisory`, tune out false positives, then promote checks to `mandatory` once the team trusts them.
3. **Scanning Only Post-Apply:** Relying on runtime security monitoring alone. The benefit of IaC scanning is preventing the deployment entirely, significantly reducing the attack surface exposure window.
4. **Leaking the Scanner's Own Credentials:** The Run Task needs secrets of its own (the HMAC key TFC/TFE uses to sign its requests, and any token the scanner needs to reach its backend). Store these as sensitive variables, not in the configuration being scanned; otherwise the setup itself introduces a hardcoded secret, which is exactly what the scan is meant to catch, and a scanner that cannot read its credentials fails the initial workflow setup.
## Resources
- HashiCorp Terraform Cloud Run Tasks Documentation (Refer to official HashiCorp documentation for deep configuration details).
- Wiz Documentation for specific connector setup (Login required for partner-specific implementation guides).