Integrate with Terraform Cloud

You can integrate Tenable.cs with Terraform Cloud to scan your Terraform IaC files. For this integration, you must create a Terraform Run Task for Tenable.cs in Terraform Cloud. A Terraform run task for Tenable.cs allows you to scan your workspace within a Terraform run, specifically between the plan and apply stages of the Terraform Cloud workflow.

In Terraform Cloud, you must first create a run task in the settings of your organization by providing the Tenable.cs URL as the endpoint. Then, you must add this run task to the required Terraform workspaces. When the Terraform Cloud workflow triggers the run task, Tenable.cs scans and returns a passed or failed response back to Terraform Cloud. The status response along with the enforcement setting of the run task determine whether a Terraform run proceeds to the next stage of the workflow. For more information about run tasks, see Run Tasks in the Terraform documentation.

Note: If there is no Terraform Cloud repository onboarded in Tenable.cs when you create run task in Terraform Cloud, Tenable.cs creates a default project automatically for the Terraform Cloud repository.

Before you begin:

  • Ensure the Terraform workspace uses Terraform version 0.12 or later.

  • Ensure you have the correct permissions within Terraform:

    • To create a run task, you must have a user account with organization owner permissions.

    • To associate run tasks to a workspace, you must be at least a workspace administrator.

    For more information, see Permissions in Terraform documentation.

To integrate Terraform Cloud with Tenable.cs:

  1. In the integrations list, click Terraform Cloud.

    The Terraform cloud page appears.

    Tip: You can copy the Endpoint URL and HMAC key values from this page when configuring the run task in Terraform Cloud.
  2. Log in to Terraform Cloud.

  3. In the Terraform Cloud user interface, navigate to the workspace that you want to integrate with Tenable.cs.

  4. Create a run task to scan the Terraform cloud using Tenable.cs by specifying the following options:

    Option Description
    Enabled This option when selected triggers the run task across all associated workspaces. This option is enabled by default for new run tasks.
    Name The name of the run task. Tenable recommends entering tenable_cs as the name of the run task for easy identification.
    Endpoint URL

    The Tenable.cs URL.

    You can copy the URL from the Terraform cloud page in Tenable.cs.

    HMAC key

    A secret key that Tenable.cs uses to authenticate the request.

    You can copy the HMAC key from the Terraform cloud page in Tenable.cs.

    For more information, see Creating a Run Task in the Terraform documentation.

  5. Add the run task created in the previous step to the required workspaces in the Terraform Cloud.

    1. When adding a run task to a workspace, select the Enforcement Level. Enforcement levels control how a run task behaves in a Terraform run. The following enforcement levels are available:

      • Advisory — Does not interrupt the run, and only informs about the failure of the run task.

      • Mandatory — Requires that the run task passes for the run to continue. If a run task fails, the run halts and cannot be applied until you resolve the failure.

    For more information, see Adding Run Tasks to a Workspace in the Terraform documentation.

Terraform executes the run task after the plan stage during a Terraform run.


The following example shows a run task with Mandatory enforcement level. The Terraform run fails because of the scan violations.

The following example shows a run task with the Advisory enforcement level. Although there are violations reported in the scan, the run does not fail.

Note: Click the Details link to view the scan summary and results in Tenable.cs.