HashiCorp has released several new features into Terraform Cloud, their managed service offering for Terraform. The new features include dynamic provider credentials, native OPA support, and the addition of projects as an organization tool.
Dynamic provider credentials provide short-lived, just-in-time credentials for both Vault and the official Terraform providers for AWS, Microsoft Azure, and Google Cloud. These credentials are unique to each Terraform workload and are generated on-demand. As they are ephemeral, they do not require manual rotation or revocation. This provides an alternative to static credentials, which can require additional operational and security considerations.
Once a trust relationship is established between the cloud platform and Terraform Cloud, rules can be configured to define which resources Terraform Cloud can access. From there, the process starts with Terraform Cloud generating a workload identity token that is compliant with the OIDC standard.
When a plan or apply starts, this workload identity token is sent to the cloud platform, along with other information needed for authentication. The cloud platform will then leverage Terraform Cloud's public signing key to verify the token. If that succeeds, the cloud platform will return a new set of temporary credentials. After the plan or apply concludes, the run environment, along with the temporary credentials, is cleaned up.
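As an added example (not code from the article or from HashiCorp), the claim-level checks a cloud platform's trust rule applies to a workload identity token before issuing temporary credentials, in Python. The issuer, audience and the org/project/workspace subject layout are assumptions; the signature check against Terraform Cloud's public signing key, which must succeed before any claim is read, is outside this block.

```python
import base64
import json
import re

# Constructed demo values (assumptions, not taken from the article).
EXPECTED_ISSUER = "https://app.terraform.io"
EXPECTED_AUDIENCE = "aws.workload.identity"
# Trust rule pinning credentials to one org/project/workspace; the subject
# layout is assumed here, and '*' admits both the plan and apply run phases.
TRUST_RULE = "organization:acme:project:payments:workspace:prod-db:run_phase:*"

def b64url_decode(part: str) -> bytes:
    """Base64url without padding, as used in JWT compact serialization."""
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def split_token(token: str):
    """Return (header, payload, signature). The signature must be verified against
    Terraform Cloud's public signing key before any claim is trusted."""
    head_b64, body_b64, sig_b64 = token.split(".")
    header = json.loads(b64url_decode(head_b64))
    if header.get("alg") != "RS256":  # rejects 'none' and HMAC downgrades
        raise ValueError("unexpected alg %r" % header.get("alg"))
    return header, json.loads(b64url_decode(body_b64)), b64url_decode(sig_b64)

def subject_allowed(subject: str, rule: str) -> bool:
    """'*' matches any run of characters, like an IAM StringLike condition."""
    pattern = ".*".join(re.escape(piece) for piece in rule.split("*"))
    return re.fullmatch(pattern, subject) is not None

def validate_claims(payload: dict, now: int) -> list:
    """Reasons to refuse the token at time `now`; an empty list means acceptable."""
    auds = payload.get("aud") if isinstance(payload.get("aud"), list) else [payload.get("aud")]
    problems = []
    if payload.get("iss") != EXPECTED_ISSUER:
        problems.append("issuer mismatch")
    if EXPECTED_AUDIENCE not in auds:
        problems.append("audience mismatch")
    if "exp" not in payload or now >= payload["exp"]:
        problems.append("token expired or has no exp")
    if now < payload.get("nbf", 0):
        problems.append("token not yet valid")
    if not subject_allowed(payload.get("sub", ""), TRUST_RULE):
        problems.append("subject not covered by trust rule")
    return problems

def make_demo_token(payload: dict, alg: str = "RS256") -> str:
    """Constructed token for the demo; the signature bytes are a stand-in, not RS256."""
    enc = lambda raw: base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    dumps = lambda obj: json.dumps(obj, separators=(",", ":")).encode()
    return ".".join([enc(dumps({"alg": alg})), enc(dumps(payload)), enc(b"stand-in-signature")])
```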
Open Policy Agent (OPA) support has been moved into general availability. Originally released as a beta feature in 2022, OPA support works alongside Sentinel to provide enforcement via policy-as-code. Sentinel is HashiCorp's policy-as-code language.
OPA is an open-source policy engine that makes use of a high-level declarative language known as Rego. For example, a policy can be written to ensure that all Kubernetes images come from a trusted registry:
package kubernetes.admission
import future.keywords

# Deny any Pod whose container image is not pulled from the trusted registry.
deny contains msg if {
    input.request.kind.kind == "Pod"
    some container in input.request.object.spec.containers
    image := container.image
    not startswith(image, "hooli.com/")
    msg := sprintf("image '%s' comes from untrusted registry", [image])
}
OPA native support includes support for editing policies directly in the UI or via version control. Policies can be grouped and can have behaviors declared for when they fail. Role-based access control can be used to control who can manage policies and change overrides.
A new organizational structure known as projects is also generally available within Terraform Cloud. This layer exists below the org level but above the workspace level. It can be used to logically group workspaces and create logical boundaries for security or operational needs.
The Workspaces page within Terraform Cloud has been renamed to Projects and Workspaces as part of this change. Within that page, it is possible to create new projects, create workspaces within projects, and move workspaces between projects.
The dynamic provider credentials feature is currently in beta with support for Vault and the Terraform providers for AWS, Microsoft Azure, and Google Cloud. Both OPA support and projects are generally available within Terraform Cloud.