Integrate with Terraform Cloud

You can integrate Tenable Cloud Security with Terraform Cloud to scan your Terraform IaC files. For this integration, you must create a Terraform Run Task for Tenable Cloud Security in Terraform Cloud. A Terraform run task for Tenable Cloud Security allows you to scan your workspace within a Terraform run, specifically between the plan and apply stages of the Terraform Cloud workflow.

Note: Tenable Cloud Security supports only Terraform Cloud workspaces that are linked to a version control system (VCS) repository.

In Terraform Cloud, you must first create a run task in the settings of your organization by providing the Tenable Cloud Security URL as the endpoint. Then, you must add this run task to the required Terraform workspaces. When the Terraform Cloud workflow triggers the run task, Tenable Cloud Security scans and returns a passed or failed response back to Terraform Cloud. The status response along with the enforcement setting of the run task determine whether a Terraform run proceeds to the next stage of the workflow. For more information about run tasks, see Run Tasks in the Terraform documentation.

Note: If no Terraform Cloud repository is onboarded in Tenable Cloud Security when you create a run task in Terraform Cloud, Tenable Cloud Security automatically creates a default project for the Terraform Cloud repository.

Before you begin:

  • Ensure the Terraform workspace uses Terraform version 0.12 or later.

  • Ensure you have the correct permissions within Terraform:

    • To create a run task, you must have a user account with organization owner permissions.

    • To associate run tasks to a workspace, you must be at least a workspace administrator.

    For more information, see Permissions in the Terraform documentation.

To integrate Terraform Cloud with Tenable Cloud Security:

  1. In the integrations list, click Terraform Cloud.

    The Terraform cloud page appears.

    Tip: You can copy the Endpoint URL and HMAC key values from this page when configuring the run task in Terraform Cloud.

  2. Log in to Terraform Cloud.

  3. In the Terraform Cloud user interface, navigate to the workspace that you want to integrate with Tenable Cloud Security.

  4. Create a run task to scan the Terraform cloud using Tenable Cloud Security by specifying the following options:

    | Option | Description |
    |---|---|
    | Enabled | When selected, this option triggers the run task across all associated workspaces. It is enabled by default for new run tasks. |
    | Name | The name of the run task. Tenable recommends entering tenable_cs as the name of the run task for easy identification. |
    | Endpoint URL | The Tenable Cloud Security URL. You can copy the URL from the Terraform cloud page in Tenable Cloud Security. |
    | HMAC key | A secret key that Tenable Cloud Security uses to authenticate the request. You can copy the HMAC key from the Terraform cloud page in Tenable Cloud Security. |

    For more information, see Creating a Run Task in the Terraform documentation.

  5. Add the run task created in the previous step to the required workspaces in Terraform Cloud.

    1. When adding a run task to a workspace, select the Enforcement Level. Enforcement levels control how a run task behaves in a Terraform run. The following enforcement levels are available:

      • Advisory — Does not interrupt the run, and only informs about the failure of the run task.

      • Mandatory — Requires that the run task passes for the run to continue. If a run task fails, the run halts and cannot be applied until you resolve the failure.

    For more information, see Adding Run Tasks to a Workspace in the Terraform documentation.

Terraform executes the run task after the plan stage during a Terraform run.


The following example shows a run task with Mandatory enforcement level. The Terraform run fails because of the scan violations.

The following example shows a run task with the Advisory enforcement level. Although there are violations reported in the scan, the run does not fail.

Note: Click the Details link to view the scan summary and results in Tenable Cloud Security.
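
Added example (not Tenable or Terraform code): how a run task endpoint can use the HMAC key from step 4 to authenticate an incoming request, and how the passed or failed status combines with the enforcement level from step 5. It assumes the signature is the hex HMAC-SHA512 of the raw request body sent in the X-TFC-Task-Signature header, as described in Terraform's run task documentation rather than on this page; the key, payload, and function names are constructed for illustration.

```python
import hashlib
import hmac
import json

# Assumption: header name taken from Terraform's run task docs, not from this page.
SIGNATURE_HEADER = "X-TFC-Task-Signature"


def sign(body: bytes, hmac_key: bytes) -> str:
    """Hex HMAC-SHA512 of the raw request body, as the sender would compute it."""
    return hmac.new(hmac_key, body, hashlib.sha512).hexdigest()


def verify_run_task_request(headers: dict, body: bytes, hmac_key: bytes) -> bool:
    """Return True only if the request carries a valid signature for this exact body."""
    # HTTP header names are case-insensitive, so normalise before the lookup.
    received = {k.lower(): v for k, v in headers.items()}.get(SIGNATURE_HEADER.lower())
    if not received:
        return False  # an unsigned request is rejected, never treated as trusted
    expected = sign(body, hmac_key)
    # compare_digest runs in constant time, so a mismatch position is not leaked.
    return hmac.compare_digest(expected.encode(), received.strip().lower().encode())


def run_proceeds(task_status: str, enforcement_level: str) -> bool:
    """Combine the scan status with the enforcement level chosen for the workspace."""
    if task_status == "passed":
        return True
    # A failed task only informs under advisory; under mandatory it halts the run.
    return enforcement_level == "advisory"


# Constructed sample data: placeholder key and payload, not real values.
SAMPLE_KEY = b"example-hmac-key-not-a-real-secret"
SAMPLE_BODY = json.dumps({"stage": "post_plan", "workspace_name": "demo-workspace"}).encode()
SAMPLE_HEADERS = {
    "Content-Type": "application/json",
    "x-tfc-task-signature": sign(SAMPLE_BODY, SAMPLE_KEY),
}

if __name__ == "__main__":
    print("valid signature:", verify_run_task_request(SAMPLE_HEADERS, SAMPLE_BODY, SAMPLE_KEY))
    print("tampered body:", verify_run_task_request(SAMPLE_HEADERS, SAMPLE_BODY + b" ", SAMPLE_KEY))
    print("failed + mandatory proceeds:", run_proceeds("failed", "mandatory"))
    print("failed + advisory proceeds:", run_proceeds("failed", "advisory"))
```

The signature covers the raw bytes of the body, so verification must run before any JSON parsing or re-serialization of the payload.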