How To

Turbot Guardrails Terraform provider

Overview and Demo of Turbot Guardrails Terraform Provider

Turbot Team
3 min. read - Jul 05, 2020
Overview and Demo of Turbot Guardrails Terraform Provider

Disclaimer: Automated Transcript

Hello! In this session we're going to discuss the Turbot Terraform Provider and showcase how it works. In most of our demo videos we've showcased our Turbot console, our graphical interface, and as mentioned in prior sessions we are a GraphQL backend, so anything you've seen in the product you can query or mutate as well as leverage the console or the GUI. We also have a command line interface which we'll showcase in another video. In today's session we're going to showcase how you can interface with Turbot with our Terraform provider.

[00:00:41] Our Terraform provider is public within HashiCorp's website, you can visit the integrations page and browse for Turbot to visualize what we do with Terraform and to get quick access to our website and the documentation. There's also the provider documentation within the HashiCorp website that allows you to browse the types of resources you can manage within Turbot. Also, within our website - - you can view all of our developer tools from our developer kit on github public repository as well as getting access to our Terraform provider, CLI, and API. We also have additional documentation so as you're getting started with Turbot there is more information you can read on from Terraform as well as a 7-minute guide for installing the provider and getting to your first configuration stack.

[00:01:50] I'll now go into the Turbot console and browse to a specific folder within the hierarchy. In this case, it's Chuck's Demo Account folder which consists of an Amazon account, an Azure Subscription and a Google Project, and I'm going to set some policies which will apply to this folder structure and inherit down to my resources. Of course i can use the turbot console like you've seen in other videos, but in this use case I'm going to use Terraform to apply many settings at once. I'll load up an IDE really quickly to show you the demo settings in place that go against Chuck's folder so I'll be setting bucket versioning to be enforced on Amazon S3 buckets as well as for the Azure storage account I'll enforce a hot access tier, and on GCP bucket versioning I'll enforce that to be enabled, and a much more complex policies to enforce, I'll apply varying ingress rules on a VPC security group - this is ia calculated policy that will run if there's a specific tag.

[00:03:04] Any type of configuration for policies or identity management, folder structure, etc, can be managed through Terraform. Here I'm going to enforce this type of configuration - I'll initialize Terraform within this folder structure, I'm then going to run a terraform plan which is taking this stack here, saying all of this is brand new in the environment, it's going to add those five policies. So I can run a terraform apply and it will basically repeat the plan back, ask me if I want to enforce it. There it just gave back the data of each one of those being created and the completion of them, so it added five resources.

Going back to the Turbot console, do a quick refresh, all of those five policies are now set and it captured the actor information that it was Me creating each of those policies. So it's an easy way at scale to deploy policies or changes to policies in that environment. If I go back to that script and say, make a change on Azure to enforce Cool, went back to apply that change in good nature with Terraform it will understand that diff and the update that it's going to apply. I want to apply it, and now it has that one change. If I go back to the Turbot console, do a refresh, I can see that the access tier is enforce-cool and that I completed that update so I can see the activity of those policy changes streaming in.

[00:05:23] If I wanted to go back in and destroy the Terraform and remove those policies, terraform destroy would work just like any other configuration. Now all five of them are destroyed, and similarly that audit trail would be in place in the console. Those settings are gone, and you can see that Bob was the actor who removed the policy settings.

[00:05:56] As another example of what we can use Terraform for - one of the things that Turbot supports is custom metadata in our CMDB this is an example where you can deploy files of any type of information - a dummy example here of Bob's Bagels Applications of the app IDs, the app names, the cost center and the owner. Picture this as information that might be coming from your service catalog and then being added to the CMDB. So you can also manage that through Terraform, as well as GraphQL and other components. This is an example where I might have a file where I want to deploy these cloud app projects as a file within that folder structure. Here I've got Bob's Bagels Applications Version 2 and I can take this to deploy this type of configuration details into Turbot as well. If I just go to that folder structure, then initialize Terraform - here by adding in the custom metadata into the CMDB (very similar to managing policy settings within Turbot), will add this as a file within Turbot. If I go terraform apply, click yes - Great, now I have one file added. Here in the console you can see Bob's Bagels 2, you can see that activity on the Chuck's Demo Account folder that Bob created a file with this type of information. If I go into that file, I can see the metadata within the CMDB and the activity on that very specifically.

[00:08:01] Very similarly to the prior use case, if I were to go in and maybe change the owner from Tom to Gary, changed another one to Chuck, then I re-ran so now it's going ot show me the changes that will happen moving it from Tom and Peter to Gary and Chuck. I'll click yes, see that one change against the file (it's two changes but within the data structure). Refresh the Turbot console, see this change come through and just as with anything in Turbot, I can see the diff history of the changes. I can see the actor and the change that occurred. This would be very similar to if an S3 bucket got updated or a Lambda Function, Azure Storage Account, Google Network, etc - I can see the changes in the diff. This is true for resources in Turbot or data that's being fed into Turbot. Whether it's coming from Terraform, the console here, GraphQL, it's all going to be the same event stream and user activity. Similarly again, I can go back into Terraform, do a terraform destroy, and remove the file.

[00:09:40] Now that's gone from the folder structure and I can see that Bob deleted the file. So these are just quick examples of how you can use Terraform to talk to and manage Turbot resources and configurations . We're happy to give you a more curated demo any time. Please feel free to reach out to us at or for more information. Thank you!

If you need any assistance, let us know in our Slack community #guardrails channel. If you are new to Turbot, connect with us to learn more!