Overview
The Nirmata and HashiCorp Terraform Cloud (TFC) integration enables policy-as-code validation and continuous governance across your entire Infrastructure-as-Code (IaC) lifecycle.
Terraform defines what infrastructure to provision; Nirmata governs how that infrastructure is configured and managed after provisioning. Together, they enable a secure-by-design, fully automated workflow that spans from provision to policy.
This guide explains how to configure, test, and operationalize the Nirmata Terraform Cloud (TFC) Run Task integration for continuous compliance enforcement.
1. Prerequisites
Before configuring the integration, ensure the following components are in place:
- Terraform Cloud (TFC) organization with permission to create Run Tasks.
- Nirmata Control Hub (NCH) tenant with admin access.
- Access to NCTL (Nirmata CLI) for policy evaluations.
2. Architecture Overview
The integration bridges Terraform Cloud’s provisioning workflow with Nirmata’s policy evaluation and governance engine.
Flow Summary:
- Terraform Cloud initiates a plan or an apply run.
- A webhook triggers the Nirmata Terraform Service.
- The service fetches the plan JSON and forwards it to NCTL for validation.
- NCTL evaluates the plan against policy sets defined in Nirmata Control Hub or Git.
- The compliance status (pass/fail) is returned to Terraform Cloud and displayed in the NCH dashboard.
- After provisioning, Nirmata continues to provide runtime governance, enforcing policy compliance and detecting drift across Kubernetes and cloud resources.
3. Key Capabilities
4. Configuring the Integration
Step 1: Enable Integration in Nirmata Control Hub
- Log in to Nirmata Control Hub (NCH).
- Navigate to Integrations → Terraform.
- Copy the Webhook URL and Shared HMAC Key — these will authenticate communication between Terraform Cloud and Nirmata.
Step 2: Create a Run Task in Terraform Cloud
- Log in to your Terraform Cloud organization.
- Go to Settings → Run Tasks → Create Run Task.
- Set the following fields:
  - Name: Nirmata Policy Scan
  - URL: Paste the NCH Webhook URL.
  - HMAC Secret: Paste the Shared HMAC Key.
- Scope the Run Task to the desired workspace(s).
- Save and enable the Run Task.
This setup ensures every Terraform plan in that workspace is validated through Nirmata before it’s applied.
Step 3: Trigger and Validate a Terraform Run
- In Terraform Cloud, initiate a run (terraform plan or terraform apply).
- Terraform sends the plan JSON to Nirmata via the Run Task webhook.
- Nirmata evaluates the plan against Kyverno-based policy sets.
- Results appear in both:
  - Terraform Cloud UI: Pass/fail status for the run.
  - Nirmata Control Hub: Detailed policy evaluation reports.
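The request/response cycle described in the Architecture Overview and in Step 3 can be sketched end to end. The following is an added example, not Nirmata's Terraform Service or NCTL code: it verifies the Run Task request with the shared HMAC key, inspects the plan JSON, and builds the result that is reported back to Terraform Cloud. The signature header name (X-TFC-Task-Signature, a hex HMAC-SHA512 of the raw request body), the payload fields (access_token, plan_json_api_url, task_result_callback_url) and the task-results callback shape follow HashiCorp's Run Task API; the "test-token" probe is what Terraform Cloud sends when the Run Task is first saved. The policy rule, the key, and the plan are constructed for illustration; a real deployment evaluates the plan with NCTL against Kyverno policy sets rather than this toy check.

```python
import hashlib
import hmac
import json

# Constructed sample key; a real service uses the Shared HMAC Key copied from NCH.
SHARED_HMAC_KEY = b"example-shared-hmac-key"


def sign_body(raw_body: bytes, key: bytes) -> str:
    """Hex HMAC-SHA512 of the raw request body, as Terraform Cloud computes it."""
    return hmac.new(key, raw_body, hashlib.sha512).hexdigest()


def verify_tfc_signature(raw_body: bytes, signature_header: str, key: bytes) -> bool:
    """Reject requests whose X-TFC-Task-Signature does not match the shared key.
    compare_digest avoids leaking the expected value through timing."""
    return hmac.compare_digest(sign_body(raw_body, key), signature_header or "")


def evaluate_plan(plan: dict) -> list:
    """Toy policy over Terraform plan JSON (constructed, not a Kyverno policy):
    flag S3 buckets that are being created or updated with a public ACL."""
    violations = []
    for change in plan.get("resource_changes", []):
        details = change.get("change", {})
        if details.get("actions") in (["delete"], ["no-op"]):
            continue  # nothing is being provisioned for this address
        after = details.get("after") or {}
        if change.get("type") == "aws_s3_bucket" and after.get("acl") in ("public-read", "public-read-write"):
            violations.append(f"{change['address']}: public ACL {after['acl']!r} is not allowed")
    return violations


def build_task_result(violations: list, report_url: str = None) -> dict:
    """JSON:API body the service PATCHes to task_result_callback_url (authenticated
    with the run's access_token). 'url' may point at the detailed NCH report."""
    attrs = {
        "status": "failed" if violations else "passed",
        "message": "; ".join(violations) if violations else "All policies passed",
    }
    if report_url:
        attrs["url"] = report_url
    return {"data": {"type": "task-results", "attributes": attrs}}


def handle_run_task(raw_body: bytes, signature_header: str, plan_fetcher, key: bytes = SHARED_HMAC_KEY):
    """Returns (http_status, callback_body). plan_fetcher(plan_json_api_url, access_token)
    stands in for the HTTPS GET that downloads the plan JSON from Terraform Cloud."""
    if not verify_tfc_signature(raw_body, signature_header, key):
        return 401, None  # not signed with our key: do not fetch or evaluate anything
    payload = json.loads(raw_body)
    if payload.get("access_token") == "test-token":
        return 200, None  # endpoint verification probe sent when the Run Task is created
    plan = plan_fetcher(payload["plan_json_api_url"], payload["access_token"])
    return 200, build_task_result(evaluate_plan(plan))


# Constructed sample plan JSON: one public bucket, one private bucket.
SAMPLE_PLAN = {
    "format_version": "1.2",
    "resource_changes": [
        {"address": "aws_s3_bucket.logs", "type": "aws_s3_bucket",
         "change": {"actions": ["create"], "after": {"bucket": "example-logs", "acl": "public-read"}}},
        {"address": "aws_s3_bucket.private", "type": "aws_s3_bucket",
         "change": {"actions": ["create"], "after": {"bucket": "example-private", "acl": "private"}}},
    ],
}

# Constructed sample Run Task request body (values are placeholders, not real TFC ids).
SAMPLE_REQUEST = json.dumps({
    "payload_version": 1,
    "stage": "post_plan",
    "access_token": "constructed-access-token",
    "run_id": "run-EXAMPLE",
    "task_result_callback_url": "https://app.terraform.io/api/v2/task-results/EXAMPLE/callback",
    "plan_json_api_url": "https://app.terraform.io/api/v2/plans/EXAMPLE/json-output",
}).encode()
PROBE_REQUEST = json.dumps({"payload_version": 1, "access_token": "test-token"}).encode()

if __name__ == "__main__":
    status, body = handle_run_task(SAMPLE_REQUEST, sign_body(SAMPLE_REQUEST, SHARED_HMAC_KEY),
                                   lambda url, token: SAMPLE_PLAN)
    print(status, json.dumps(body, indent=2))
```

The order of operations is the point: the signature is checked over the raw bytes before the body is parsed or any URL in it is followed, so an unsigned request cannot make the service fetch an attacker-chosen plan_json_api_url or report a result to an arbitrary callback. The run's short-lived access_token, not the shared key, is what authenticates the service back to Terraform Cloud.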
5. Continuous Compliance (Post-Provision)
After infrastructure is provisioned, Nirmata maintains compliance through continuous monitoring and drift detection:
- Runtime Scans: Regularly validate live resources against policy sets.
- Drift Alerts: Notify platform teams if configurations deviate from the approved baseline.
- Automated Fixes: Apply corrective actions or open pull requests to restore compliance.
This continuous feedback loop ensures all environments — dev, staging, or production — remain compliant over time.
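Drift detection, as described above, comes down to comparing the approved baseline with what is observed at runtime and raising an alert for every deviation. The following is an added example, not Nirmata's drift engine: a recursive comparison over two configuration trees (constructed cluster settings, not real resources) that reports changed values and unexpected additions, which a platform team could feed to its alerting or remediation step.

```python
def detect_drift(baseline: dict, observed: dict, path: str = "") -> list:
    """Return (path, expected, actual) tuples for every leaf that differs.
    Keys present only in the baseline surface as actual=None (setting removed);
    keys present only in observed surface as expected=None (unapproved addition)."""
    drift = []
    for key in sorted(set(baseline) | set(observed)):
        dotted = f"{path}.{key}" if path else key
        expected, actual = baseline.get(key), observed.get(key)
        if isinstance(expected, dict) and isinstance(actual, dict):
            drift.extend(detect_drift(expected, actual, dotted))
        elif expected != actual:
            drift.append((dotted, expected, actual))
    return drift


def drift_alerts(drift: list) -> list:
    """Human-readable alert lines, one per drifted setting."""
    return [f"{p}: expected {e!r}, observed {a!r}" for p, e, a in drift]


# Constructed sample: the approved cluster baseline and what a runtime scan observed.
APPROVED_BASELINE = {
    "network": {"private_endpoint": True},
    "node_pool": {"min_nodes": 3, "auto_upgrade": True},
    "labels": {"env": "prod"},
}
OBSERVED_STATE = {
    "network": {"private_endpoint": False},              # someone exposed the endpoint
    "node_pool": {"min_nodes": 3, "auto_upgrade": True, "preemptible": True},  # unapproved change
    "labels": {"env": "prod"},
}

if __name__ == "__main__":
    for line in drift_alerts(detect_drift(APPROVED_BASELINE, OBSERVED_STATE)):
        print(line)
```

An empty result means the environment still matches its baseline; anything else is the input to the "Drift Alerts" and "Automated Fixes" steps listed above.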
6. Advanced Use Case: Golden Paths for Secure Self-Service
Platform engineering teams can define golden paths: pre-approved Terraform templates for self-service provisioning.
When developers use these templates to provision Kubernetes clusters or cloud resources:
- Terraform provisions the infrastructure.
- Predefined policy sets are immediately applied for compliance and cost management.
This model enables developer autonomy with governance, ensuring every environment starts compliant and remains compliant.
7. Summary
Core Value:
Terraform manages what to provision.
Nirmata manages governance — from initial planning to long-term lifecycle compliance.
8. Next Steps
- Set up the Nirmata Terraform Cloud Run Task using your NCH Webhook URL and HMAC Key.
- Explore predefined policy bundles for Terraform governance.
- Learn more at docs.nirmata.io and kyverno.io.