>
    Strata Copilot
    Onboard a Terraform App to SSPM
    Focus
    Download PDF
    Focus
    1. Home
    2. SaaS Security
    3. Onboard SaaS Apps Supported by SSPM
    4. Onboard a Terraform App to SSPM
    Download PDF
    SaaS Security

    Onboard a Terraform App to SSPM

    Table of Contents

    Onboard a Terraform App to SSPM

    Connect a Terraform instance to SSPM to detect posture and account risks.
    Where Can I Use This?What Do I Need?
    • Strata Cloud Manager
    • SaaS Security Posture Management license
    Or any of the following licenses that include the Data Security license:
    • CASB-X
    • CASB-PA
    For SSPM to detect posture risks in your Terraform Cloud instance, you must onboard your Terraform instance to SSPM. Through the onboarding process, SSPM connects to a Terraform API by using an Organization API Token that you generate from an Organization Owner account in Terraform. After connecting to the Terraform API, SSPM scans the Terraform organization for misconfigured settings and account risks.
    All Terraform Cloud plans are supported for SSPM scans.
    By following these steps, you onboard only one Terraform organization. If you want SSPM to scan for multiple organizations, you can onboard each organization separately.
    To access your Terraform instance, SSPM requires the following information, which you will specify during the onboarding process.
    ItemDescription
    Organization API Token
    An API token available in Terraform Cloud that provides organization-wide administrative permissions. There is only one Organization API Token for your organization.
    To onboard your Terraform instance, you complete the following actions:
    1. Generate an Organization API Token.
      1. Open a web browser to the Terraform login page, and log in as an Organization Owner for the organization that you want SSPM to scan.
        Required Permissions: To generate an Organization API Token, you must use an account assigned to the Organization Owner role.
      2. If necessary, select the Terraform organization for SPPM to scan.
        If you're a member of multiple Terraform organizations, select the organization that you want SSPM to scan. You can select the organization from the Choose an Organization list, which is located in the lower-left corner of the Terraform page.
      3. In the left-hand navigation pane, select Settings.
      4. Navigate to the organization's API Token settings. In the left-hand navigation pane, select API Tokens.
      5. On the API Tokens page, select the Organization Tokens tab.
      6. Generate an organization token.
        You can have only one active Organization API Token at a time. If your organization already has an API Token, you will need its alphanumeric string to provide to SSPM during onboarding. Terraform displays this string only when the Organization API Token is generated, and you can’t view it later. If you don’t have the Organization API Token saved, you can Regenerate token. However, be aware that Terraform will immediately invalidate the current API token.
      7. In the Generate an organization token dialog, select an expiration period for the token and Generate token.
        Terraform generates the Organization API Token and displays it on the Organization Token page.
      8. Copy the Organization API Token and paste it into a text file.
        Don’t continue to the next step unless you have copied the Organization API Token. You will provide this token to SSPM during the onboarding process.
    2. Connect SSPM to your Terraform instance.
      In SSPM, complete the following steps to enable SSPM to connect to your Terraform instance.
      1. Log in to Strata Cloud Manager.
      2. Select ConfigurationSaaS SecurityPosture SecurityApplicationsAdd Application and click the Terraform tile.
      3. On the Posture Security tab, Add New instance.
      4. Log in with Credentials.
      5. Enter your Organization API Token and Connect.

    © 2026 Palo Alto Networks, Inc. All rights reserved.