Platform engineers are under constant pressure to move fast and keep cloud environments safe, compliant, and cost-effective. Terraform has become the de facto standard for infrastructure as code (IaC), but governance often still happens after changes are applied.
That gap is where misconfigurations, security risks, and compliance issues slip through.
The Nirmata Terraform Controller (NTC) closes that gap by delivering preventive, policy-as-code governance directly into Terraform workflows, before risky cloud changes ever reach production.
Instead of discovering misconfigurations days or weeks later through CSPM alerts or security tickets, NTC helps platform teams enforce standards at plan time, using the same Kyverno policies they already rely on for Kubernetes.
What Is the Nirmata Terraform Controller?
The Nirmata Terraform Controller is a policy-as-code governance solution that validates Terraform plans against Kyverno policies and can block non-compliant infrastructure changes before they are applied.
It integrates with Terraform Cloud Run Tasks to provide real-time policy evaluation and a clear pass/fail decision within the developer workflow.
Why Cloud Governance Often Happens Too Late
Most cloud governance and security tools focus on post-deployment visibility
- A Terraform apply succeeds
- Cloud resources are created or modified
- CSPM or CNAPP tools detect misconfigurations
- Tickets are filed, dashboards updated, remediation backlogs grow
This approach is valuable, but reactive. By the time issues are found, risky infrastructure is already live.
Platform engineers want something different:
- Prevent misconfigurations before apply
- Give developers fast, clear feedback
- Use policy-as-code, not manual reviews
- Avoid introducing new tools or policy languages
How the Nirmata Terraform Controller Works
The Nirmata Terraform Controller (NTC) adds a preventive control point to Terraform workflows by gating infrastructure changes before they are applied.
NTC integrates directly with Terraform Cloud Run Tasks, validating Terraform plans against Kyverno policies and returning a clear pass/fail decision inside the developer’s existing workflow.
High-level flow
Developer → Terraform Plan → Nirmata Terraform Controller
|
v
Kyverno Policy Evaluation
|
Pass ✅ Fail ❌
Apply Allowed Apply Blocked
This approach brings an admission-control model, long familiar to Kubernetes, into the cloud infrastructure lifecycle.
Preventive Governance, Not Just Cloud Visibility
One of the most important distinctions of NTC is where it operates.
Most CSPM & CNAPP tools answer the question: “What’s wrong in my cloud right now?”
NTC answers a different question: “Should this change be allowed at all?”
By enforcing policies before cloud APIs are called, NTC provides a true guardrail, not just detection and ticketing.
One Policy Language Across Kubernetes and Terraform
If you already use Kyverno for Kubernetes governance, NTC extends that same model to Terraform with the same:
- Policy-as-code approach
- Kyverno syntax and semantics
- GitOps workflow for policy versioning and rollout
This eliminates a common pain point for platform teams: maintaining multiple policy engines for different layers of the stack.
Unified governance model
Kyverno Policies
|
+– Kubernetes Resources (Admission Control)
|
+– Terraform Plans (NTC Validation)
For teams standardizing on Kyverno, NTC dramatically simplifies cloud governance by reusing what already works.
Developer Friendly Feedback in Terraform Cloud
NTC is designed to fit naturally into developer workflows, not interrupt them.
- Terraform Cloud Run Tasks return a clear pass/fail result in the Terraform UI
- Developers immediately know why a plan failed
- Platform and security teams get detailed scan results stored in Nirmata for deeper analysis
This avoids slow, manual review cycles and replaces them with fast, automated feedback.
Audit First, Enforce When Ready
Rolling out governance across a large organization doesn’t happen overnight. NTC supports progressive adoption:
- Audit mode (default):
Measure policy violations without blocking applies - Enforce mode:
Gate Terraform applies once teams are ready
This allows platform teams to build trust, socialize policies, and reduce friction, before enforcement is turned on.
Inline Enforcement & Continuous Scanning
NTC isn’t limited to a single enforcement model. It supports both:
- Inline enforcement
Block or allow changes at create/modify time (admission-style control) - Continuous scanning
Detect drift, legacy resources, and policy violations over time
Together, this provides coverage for both new infrastructure changes and existing cloud estates.
Enterprise-Ready by Design
NTC is built for real-world enterprise environments, not just greenfield projects.
Secure and auditable
- Run data and findings are stored for auditability
- Observability hooks for logs, metrics, and traces
- Dedicated endpoints for different use cases:
- /runtask (HMAC-authenticated)
- /scan (API key-authenticated)
- /healthcheck
What Makes Nirmata Terraform Controller Different
The Nirmata Terraform Controller stands out because it:
- Prevents misconfigurations before cloud changes happen
- Extends Kyverno-style governance beyond Kubernetes
- Uses a single policy engine across infra and apps
- Integrates cleanly into Terraform Cloud workflows
- Supports both inline enforcement and continuous scanning
- Enables safe, phased rollout from audit to enforce
It’s not just another visibility tool, it’s a control plane for cloud governance.
Platform engineering is about enabling teams to move fast safely. The Nirmata Terraform Controller helps achieve that balance by shifting governance left, without adding friction, duplicating policy frameworks, or slowing developers down.
If you’re already using Terraform and Kyverno, NTC feels less like a new tool and more like a natural evolution of your existing platform governance strategy. Ready to dive in? Request a demo.
