Increase your productivity with Turbot Guardrails + Terraform

Learn how to interface with Turbot's Guardrails cloud governance platform using the Turbot Terraform Provider.

Turbot Team
5 min. read - Jul 08, 2020
Turbot Guardrails is a full-stack governance platform that instantly discovers resource changes and automates remediation using a unified policy language across Multi-Cloud, SaaS, OS and Containers. Cloud Teams use the Turbot Guardrails Cloud CMDB, Policy & Identity Engine to prevent and repair misconfigurations in real time, reducing operational incidents and improving security posture for enterprises. The Turbot Guardrails platform is friendly to Cloud Teams and developers, supporting use cases that range from simple point-and-click interactions in the Turbot Guardrails Console to managing large-scale changes with the Turbot Guardrails GraphQL API or the Turbot Terraform Provider.

Example of setting a Turbot Guardrails policy in the UI, API, and Terraform Provider

The Turbot Guardrails platform is highly extensible, providing an array of software and tools to support the Cloud Team:

  • Turbot Guardrails is an API service with a complete GraphQL API to query and manage Turbot Guardrails.
  • Turbot Guardrails Console (graphical interface) overlays the API for users to simply visualize and interact through their web or mobile browser.
  • Turbot Terraform Provider provides users tooling to create new Turbot Guardrails resources, manage existing ones, and destroy those which are no longer required - using simple yet effective Terraform scripts.
  • Turbot Guardrails Command Line Interface (Turbot Guardrails CLI) provides developer tooling to initialize, build, test and publish custom mods.

Many of our customers have adopted the Turbot Terraform Provider to manage Turbot Guardrails resources as part of their Terraform workflow, defining policy and security posture in code. Turbot Guardrails resources such as folders, directories, permissions, policy settings, etc. can be managed along with shadow resources to mix and integrate with other Terraform providers and resources. The Turbot Terraform Provider is publicly available within HashiCorp's official provider registry. Customers can get started as follows:

  1. Download and install Terraform from the official website of HashiCorp.
  2. To install a released provider in your Terraform environment, run terraform init and Terraform will automatically install the provider.
  3. The Turbot Terraform provider uses the same credentials as the Turbot Guardrails CLI, which makes it quick to get started; however, you can always use Turbot Guardrails API keys directly in your existing Terraform profile configurations.
  4. Follow one of our Turbot Terraform 7-minute learning labs to get started. Continue learning with examples from the Turbot Guardrails Samples.

As an example of using the Turbot Terraform Provider to manage multiple Turbot Guardrails policy settings at once, we can set policies for several Cloud Service Providers (CSPs) in a single run. Below is an example of setting policies for AWS S3 Buckets, Azure Storage Accounts, and GCP Storage Buckets on a Turbot Folder, as well as setting S3 Bucket Encryption on a specific S3 Bucket and enforcing VPC Security Group Ingress Rules that are Approved.
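An added example, not the configuration from the original post: a folder carrying two of the storage policy settings described above, with the Azure value exposed as a validated variable. The folder title and the policy type URIs are assumptions to confirm against the mods installed in your workspace; the two Azure values are the ones named in this post.

```hcl
terraform {
  required_providers {
    turbot = {
      source = "turbot/turbot"
    }
  }
}

# Credentials are resolved the same way as for the Turbot Guardrails CLI,
# so no API keys are written into this file or committed with it.
provider "turbot" {}

# Value to enforce for Azure storage account access tier. Changing the default
# to "Enforce: Cool" and re-running plan/apply produces an in-place update.
variable "azure_access_tier" {
  type    = string
  default = "Enforce: Hot"

  validation {
    condition     = contains(["Enforce: Hot", "Enforce: Cool"], var.azure_access_tier)
    error_message = "Access tier must be \"Enforce: Hot\" or \"Enforce: Cool\"."
  }
}

# Folder that the policy settings attach to (constructed title).
resource "turbot_folder" "storage_baseline" {
  parent      = "tmod:@turbot/turbot#/"
  title       = "Storage Baseline (example)"
  description = "Multi-cloud storage policy settings managed by Terraform"
}

# AWS S3 bucket versioning (policy type URI is an assumption; verify in the mod).
resource "turbot_policy_setting" "s3_versioning" {
  resource = turbot_folder.storage_baseline.id
  type     = "tmod:@turbot/aws-s3#/policy/types/bucketVersioning"
  value    = "Enforce: Enabled"
}

# Azure storage account access tier (policy type URI is an assumption).
resource "turbot_policy_setting" "azure_access_tier" {
  resource = turbot_folder.storage_baseline.id
  type     = "tmod:@turbot/azure-storage#/policy/types/storageAccountAccessTier"
  value    = var.azure_access_tier
}
```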

Running Terraform Plan / Apply created the policy settings:

Within the Turbot Guardrails Console or API, you can also visualize the audit trail of the policy settings being created by the user and what changed.

As another example, this time of an update, the Terraform configuration was adjusted to 'Enforce: Cool' for Azure Access Tier configurations instead of 'Enforce: Hot'. The Terraform Plan below shows the difference; the change applies successfully:

The example in the UI shows the specific configuration change history of the policy shifting from 'Enforce: Hot' to 'Enforce: Cool'. The same kind of configuration drift audit view is available for any change in Turbot Guardrails or the CSP (e.g. a VPC Security Group rule being updated).

To clean up this example, we ran terraform destroy to completely remove the policy settings applied:

This removes the policies and captures the audit trail of the deletion:

Learn more by watching the Turbot Terraform Provider demo and connect with us to get started with a curated demo and a free trial.