Today we're announcing CODEOWNERS enforcement in Terrateam, enabling you to integrate directly with your repository's CODEOWNERS file to ensure that infrastructure changes are reviewed and approved by the right teams before they're applied.

This feature bridges the gap between code ownership patterns you already use and infrastructure change management, bringing consistency to your approval workflows across all aspects of your codebase.

Why CODEOWNERS Matter for Infrastructure

As organizations scale, different teams naturally become responsible for different parts of the infrastructure. The networking team owns VPC configurations, the platform team manages Kubernetes clusters, and the security team oversees IAM policies. But enforcing these ownership boundaries during infrastructure changes has traditionally been a manual process prone to oversight.

CODEOWNERS enforcement in Terrateam automates this governance layer. When changes touch infrastructure owned by specific teams, those teams must approve before changes can be applied. No more accidental modifications to critical infrastructure without proper review.

How It Works

Enabling CODEOWNERS enforcement is straightforward. Add the require_completed_reviews option to your apply requirements configuration:

# .terrateam/config.yml
apply_requirements:
  checks:
    - tag_query: ''
      approved:
        enabled: true
        require_completed_reviews: true

With this configuration:

Terrateam checks that all CODEOWNERS have approved the pull request
If any required review is pending or has requested changes, the apply is blocked
Clear feedback indicates which reviews are still needed

Flexible Enforcement Patterns

Not all environments need the same level of scrutiny. Use tag queries to customize enforcement based on your needs:

apply_requirements:
  checks:
    # Strict enforcement for production
    - tag_query: 'production'
      approved:
        enabled: true
        require_completed_reviews: true
    
    # Relaxed requirements for development
    - tag_query: 'development'
      approved:
        enabled: false

This granular control allows you to maintain velocity in development environments while ensuring production changes receive appropriate oversight.

Real-World Impact

Consider a typical scenario: A developer needs to modify a Terraform module that provisions RDS databases. The database team owns this module according to CODEOWNERS. With enforcement enabled:

The developer opens a pull request with their changes
GitHub automatically requests review from the database team
When terrateam apply is triggered, Terrateam verifies the database team has approved
Only after approval does the infrastructure change proceed

This workflow prevents well-intentioned but potentially problematic changes from affecting critical infrastructure without proper review.

Integration with Existing Workflows

CODEOWNERS enforcement works alongside your existing Terrateam features:

Access controls still determine who can run Terrateam commands
Policy checks continue to validate compliance
Drift detection operates as normal

The feature simply adds an additional approval gate based on code ownership, integrating naturally with your existing infrastructure workflows.

Getting Started

CODEOWNERS enforcement is available now for all Terrateam users. To enable it:

Ensure your repository has a CODEOWNERS file configured
Add require_completed_reviews: true to your apply requirements
Test the workflow with a non-critical change first

Full documentation with advanced configuration examples is available at docs.terrateam.io/advanced-workflows/codeowners-enforcement.

What's Next

CODEOWNERS enforcement is part of our broader commitment to making infrastructure governance both powerful and practical. We're continuing to enhance how teams collaborate on infrastructure, with more governance features planned for the coming months.

Questions or feedback? Reach out in our Slack community or through GitHub issues.

Features

Learn More

Learn

Connect