Table of Contents

Add Terraform Cloud (Run Tasks)

Integrate Prisma Cloud with Terraform Cloud (Run Tasks) to scan workspaces in Terraform Cloud. The integration enables Prisma Cloud to use policies and regulate runs in Terraform Cloud. Through the integration, Prisma Cloud manages run-related information of a workspace and communicates the status of the run (either pass or fail) accessible on the Prisma Cloud console.
Run Tasks enable you to integrate third-party tools and services at specific stages in the Terraform Cloud run lifecycle. Each run tasks scan passes through pending, plan, cost estimation, policy check, apply, and completion stage that is viewable on the Prisma Cloud console and Terraform Cloud console. Along with run tasks scan after the Plan phase, where you preview the changes of the infrastructure-as-code policy, and before the Apply phase, when you provision the infrastructure-as-code policy, you can execute the Pre-plan phase and Post-plan phase.
Pre-plan phase includes enabling run tasks to scan for workspaces that have a pre-configuration to begin a scan before the plan phase. While Terraform Cloud performs a run tasks scan for the Post-plan phase after the plan phase is complete, only on workspaces that have run tasks enabled. During both the pre-plan and post-plan phases, Terraform Cloud communicates with the third-party tools and services to determine the run tasks scan status (either pass or fail) to choose if the run can continue with the run, including [speculative plans] that perform scans during editing and code review.
  1. Verify the prerequisites.
    For Terraform Cloud (Run Tasks) integration get the details for enabling authentication to Prisma Cloud.
    • Terraform Cloud Console
      Access to Terraform Cloud console enables you to provide user or team token that authorizes Prisma Cloud to access workspaces and helps regulate run configuration in Terraform Cloud console. Note that if you use Single Sign-On (SSO) with Terraform Cloud, you may not be able to use user tokens, because user tokens cannot be authorized via SSO. You must use a user token that that is not associated with an SSO user, or a team token. See HashiCorp’s docs for more details.
    • Terraform Cloud version
      Run Tasks for workspaces on Terraform Cloud is compatible with version 0.12 and above. Ensure your Terraform Cloud version is compliant with the requirement.
    • Terraform Cloud user or team permission
      For a workspace integration of run tasks you need Manage Run Tasks permissions. The token must also either have the
      Manage workspaces
      permission at the organization level or be granted admin access to the workspace(s) being integrated. This enables Prisma Cloud to configure run tasks in the environment and scan plan files from your runs.
  2. Access User or Team Token on Terraform Cloud console.
    You can choose to use the existing user or team token or generate a new user or team token.
    1. Select
      User Icon > User Settings > Tokens > Create an API token
  3. Integrate Terraform Cloud (Run Tasks) with Prisma Cloud.
    1. Select
      Settings > Repositories > Add Repository
    2. Select
      Terraform Cloud (Run Tasks)
  4. Configure Terraform Cloud (Run Tasks) account on Prisma Cloud.
    1. Add
      User or Team Token
      and then select
  5. Select organization to create event hooks on Prisma Cloud.
    1. Select the organization and then select
      Prisma Cloud currently supports one Terraform Cloud organization for a single integration instance.
      Prisma Cloud creates event hooks for a Terraform Cloud organization to receive run task notification from Terraform Cloud.
  6. Select workspace and Run Stage to scan during Terraform Cloud run lifecycle.
    1. Select workspace to scan during the Terraform Cloud run lifecycle.
      You can select multiple workspaces for Prisma Cloud to scan during the Terraform Cloud run lifecycle.
    2. Select Run Stage for the specific workspace.
      • Post-plan: Choose post-plan run stage to enable a run tasks scan on Prisma Cloud for workspaces after Terraform Cloud creates a plan.
      • Pre-plan: Choose pre-plan run stage to enable a run tasks scan on Prisma Cloud for workspaces before Terraform Cloud creates a plan.
        The enforcement level of the mandatory scans are set to
        , where a scan can not block a run task from completing. If the scan fails, the run will proceed and a notification with a scan result displays in the Prisma Cloud console. The run tasks have a reconfigurable enforcement level that you can access in
        Settings > Application Security Configuration
    3. Select
  7. Verify the Terraform Cloud (Run Tasks) integration with Prisma Cloud.
    1. A
      New integration successfully configured
      message displays after integration is successfully set up and then select
      To view the scan results for the Terraform Cloud (Run Tasks) repository that you added, select
      Application Security > Projects
      to Suppress or Fix the policy misconfigurations.

Support for multiple integrations

Prisma Cloud supports multiple integrations for a Terraform Cloud (Run Tasks). After the initial integration with Prisma Cloud, you can continue to add additional organizations and workspaces using a different or a same user or team token. Multiple integrations from a single Prisma Cloud account enables you to:
  • View a list of integrations on a single console.
  • Update existing integrations by modifying the selection of workspaces.
  • Add additional integrations using user or team tokens.
  • Delete an existing integration.
  1. Add additional integrations to a configured Terraform Cloud (Run Tasks).
    1. Select
      Settings > Repositories > Add Repository
    2. Select
      Terraform Cloud (Run Tasks)
      and then select
      Add an account.
      You are in Step 4 of adding an integration to a Terraform Cloud (Run Tasks) account on Prisma Cloud console. You are required to complete the rest of the steps to see your additional integration on the console.
  2. Select
    to modify an existing integration.
    • Reselect Workspaces
      : You can add or remove existing workspaces from your integrated Terraform Cloud account.
    • Delete integration
      : This removes an integration from the Terraform Cloud account on Prisma Cloud console.

Recommended For You