August 20, 2025, by josh-pollara

Announcing CODEOWNERS Enforcement

Today we're announcing CODEOWNERS enforcement in Terrateam, enabling you to integrate directly with your repository's CODEOWNERS file to ensure that infrastructure changes are reviewed and approved by the right teams before they're applied.

This feature bridges the gap between code ownership patterns you already use and infrastructure change management, bringing consistency to your approval workflows across all aspects of your codebase.

Why CODEOWNERS Matter for Infrastructure

As organizations scale, different teams naturally become responsible for different parts of the infrastructure. The networking team owns VPC configurations, the platform team manages Kubernetes clusters, and the security team oversees IAM policies. But enforcing these ownership boundaries during infrastructure changes has traditionally been a manual process prone to oversight.

CODEOWNERS enforcement in Terrateam automates this governance layer. When changes touch infrastructure owned by specific teams, those teams must approve before changes can be applied. No more accidental modifications to critical infrastructure without proper review.

How It Works

Enabling CODEOWNERS enforcement is straightforward. Add the require_completed_reviews option under the approved check in your apply requirements configuration:

# .terrateam/config.yml
apply_requirements:
  checks:
    - tag_query: ''
      approved:
        enabled: true
        require_completed_reviews: true

With this configuration:

  • Terrateam checks that every reviewer required by CODEOWNERS for the changed files has approved the pull request
  • If any required review is pending or has requested changes, the apply is blocked
  • Clear feedback indicates which reviews are still needed

Flexible Enforcement Patterns

Not all environments need the same level of scrutiny. Use tag queries to customize enforcement based on your needs:

apply_requirements:
  checks:
    # Strict enforcement for production
    - tag_query: 'production'
      approved:
        enabled: true
        require_completed_reviews: true
    
    # Relaxed requirements for development
    - tag_query: 'development'
      approved:
        enabled: false

This granular control allows you to maintain velocity in development environments while ensuring production changes receive appropriate oversight.

Real-World Impact

Consider a typical scenario: A developer needs to modify a Terraform module that provisions RDS databases. The database team owns this module according to CODEOWNERS. With enforcement enabled:

  1. The developer opens a pull request with their changes
  2. GitHub automatically requests review from the database team
  3. When terrateam apply is triggered, Terrateam verifies the database team has approved
  4. Only after approval does the infrastructure change proceed

This workflow prevents well-intentioned but potentially problematic changes from affecting critical infrastructure without proper review.
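As an added illustration that is not Terrateam's own code, the following Python script models the gate described above: it parses a constructed CODEOWNERS file, works out which owners the changed files require, and blocks the apply while any of those reviews is pending or has requested changes. The matcher is a simplified approximation of GitHub's CODEOWNERS rules (last matching pattern wins; here `*` also crosses directory separators), and every team name and path is made up.

```python
"""Model of a CODEOWNERS-based apply gate (constructed illustration, not Terrateam's code)."""
import fnmatch

# Constructed sample CODEOWNERS file; as on GitHub, the last matching pattern wins.
CODEOWNERS = """
# default owner for anything not claimed below
*                 @acme/platform-team
/modules/rds/     @acme/database-team
/iam/             @acme/security-team
/network/*.tf     @acme/networking-team
"""

def parse_codeowners(text):
    """Return [(pattern, [owners...])] in file order, skipping comments and blank lines."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            pattern, *owners = line.split()
            rules.append((pattern, owners))
    return rules

def owners_for(path, rules):
    """Owners of one repo-relative path. Simplified matcher: directory patterns end
    with '/', patterns containing '/' match the whole path, bare patterns match the
    file name; unlike gitignore, '*' here also matches across '/' (assumption)."""
    owners = []
    for pattern, rule_owners in rules:
        p = pattern.lstrip("/")
        if p.endswith("/"):
            hit = path.startswith(p)
        elif "/" in p:
            hit = fnmatch.fnmatchcase(path, p)
        else:
            hit = fnmatch.fnmatchcase(path.rsplit("/", 1)[-1], p)
        if hit:
            owners = rule_owners  # a later rule overrides earlier ones
    return owners

def apply_gate(changed_files, reviews, rules):
    """reviews maps reviewer -> 'APPROVED' | 'CHANGES_REQUESTED' | 'PENDING'.
    Returns (apply_allowed, owners whose review is still missing or negative)."""
    required = {o for f in changed_files for o in owners_for(f, rules)}
    blocking = sorted(o for o in required if reviews.get(o, "PENDING") != "APPROVED")
    return (not blocking, blocking)
```

The second element of the returned tuple is the "which reviews are still needed" feedback: an apply touching both the RDS module and an IAM policy stays blocked until the security team has approved, even once the database team has.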

Integration with Existing Workflows

CODEOWNERS enforcement works alongside your existing Terrateam features:

  • Access controls still determine who can run Terrateam commands
  • Policy checks continue to validate compliance
  • Drift detection operates as normal

The feature simply adds an additional approval gate based on code ownership, integrating naturally with your existing infrastructure workflows.

Getting Started

CODEOWNERS enforcement is available now for all Terrateam users. To enable it:

  1. Ensure your repository has a CODEOWNERS file configured
  2. Add require_completed_reviews: true to your apply requirements
  3. Test the workflow with a non-critical change first

Full documentation with advanced configuration examples is available at docs.terrateam.io/advanced-workflows/codeowners-enforcement.

What's Next

CODEOWNERS enforcement is part of our broader commitment to making infrastructure governance both powerful and practical. We're continuing to enhance how teams collaborate on infrastructure, with more governance features planned for the coming months.

Questions or feedback? Reach out in our Slack community or through GitHub issues.