Announcing Gatekeeper - Manual Approval Gates
Today we're introducing Gatekeeper, a powerful new feature that adds manual approval gates to your Terrateam workflows, allowing designated users to review and approve infrastructure changes when automated checks raise concerns.
Gatekeeper bridges the gap between strict automation and practical reality, recognizing that human judgment is sometimes needed to determine whether a flagged issue is truly problematic or an acceptable exception.
The Override Dilemma
Every team using automated security scanning or policy enforcement faces the same challenge: false positives and acceptable exceptions. Your security scanner flags a known issue that's already mitigated. Your cost threshold check triggers on a one-time migration. Your compliance policy blocks a change that has executive approval.
Previously, teams faced an impossible choice: disable the check entirely (reducing security), or remain blocked until the tool is updated (reducing velocity). Gatekeeper provides a third option: human review and approval.
How Gatekeeper Works
When a gated workflow step fails—whether it's a security scan, policy check, or custom validation—Gatekeeper pauses the workflow and creates an approval request:
```yaml
workflows:
  - tag_query: "production"
    plan:
      - type: init
      - type: plan
      - type: checkov
        gate:
          token: "security-override"
          any_of: ["team:security", "team:platform"]
```
If Checkov detects issues, instead of failing immediately:
- Terrateam posts a comment with the failure details and a unique token
- Authorized team members review the findings
- If acceptable, they approve with `terrateam gate approve security-override`
- The workflow continues as if the check had passed
Flexible Authorization Models
Gatekeeper supports sophisticated approval patterns to match your organization's needs:
Single Approver
Perfect for straightforward overrides:
```yaml
gate:
  token: "quick-override"
  any_of: ["user:tech-lead"]
```
Team-Based Approval
Distribute approval authority across team members:
```yaml
gate:
  token: "team-override"
  any_of: ["team:platform", "team:sre"]
```
Multiple Required Approvers
Ensure critical overrides get proper scrutiny:
```yaml
gate:
  token: "critical-override"
  all_of: ["team:security", "team:compliance"]
```
N-of-M Approvals
Require multiple approvals without specifying exact individuals:
```yaml
gate:
  token: "cost-override"
  any_of: ["user:cfo", "user:cto", "user:eng-director", "user:finance-lead"]
  any_of_count: 2
```
Real-World Scenarios
Security Scan False Positives
Your security scanner flags a vulnerability in a test environment that's isolated from production:
```yaml
workflows:
  - tag_query: ""
    plan:
      - type: init
      - type: plan
      - type: checkov
        gate:
          token: "checkov-override"
          any_of: ["team:security"]
```
Security team members can review the context and approve if the risk is acceptable.
Cost Threshold Exceptions
A critical migration temporarily exceeds normal cost thresholds:
```yaml
workflows:
  - tag_query: "production"
    plan:
      - type: init
      - type: plan
      - type: run
        cmd: ['./scripts/cost-check.sh']
        gate:
          token: "cost-exception"
          any_of: ["team:finance", "user:budget-owner"]
          any_of_count: 1
```
Finance can review the business justification and approve the temporary increase.
Compliance Policy Overrides
A time-sensitive change needs to proceed despite triggering compliance checks:
```yaml
workflows:
  - tag_query: "production"
    plan:
      - type: init
      - type: plan
      - type: conftest
        gate:
          token: "compliance-override"
          all_of: ["team:compliance"]
          any_of: ["user:compliance-lead", "user:ciso"]
```
This requires both general compliance team approval and sign-off from leadership.
Progressive Validation Workflows
Combine multiple gates for sophisticated validation pipelines:
```yaml
workflows:
  - tag_query: "production"
    plan:
      - type: init
      - type: plan
      # Security scanning with override capability
      - type: checkov
        gate:
          token: "security-scan"
          any_of: ["team:security"]
      # Policy validation with stricter approval
      - type: conftest
        gate:
          token: "policy-check"
          all_of: ["team:compliance"]
      # Custom validation with distributed approval
      - type: run
        cmd: ['./scripts/validate-production.sh']
        gate:
          token: "prod-validation"
          any_of: ["team:platform", "team:sre", "team:devops"]
          any_of_count: 2
```
Each gate operates independently, allowing different teams to own different aspects of validation.
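To make the authorization models above (single approver, team-based, `all_of`, and N-of-M via `any_of_count`) and the multi-gate pipeline concrete, here is an added Python model of how a gate decides whether it is satisfied. This is illustrative code written for this post, not Terrateam's implementation, and it assumes semantics the post does not spell out: a `team:<name>` entry is satisfied when any member of that team approves, a `user:<name>` entry when that user approves, `any_of` counts distinct people (so one person on two listed teams is a single vote), `all_of` requires every listed entry to be represented, and a gate with both keys requires both. The `TEAMS` membership table and the dict form of the plan are constructed sample data.

```python
from __future__ import annotations
from dataclasses import dataclass, field

# Constructed sample data: which users belong to which teams.
TEAMS = {
    "security": {"alice", "bob"},
    "compliance": {"erin"},
    "platform": {"carol"},
    "sre": {"carol", "dave"},
    "devops": {"frank"},
}

# The "Progressive Validation" plan from the post, as the dicts its YAML loads to.
PRODUCTION_PLAN = [
    {"type": "init"},
    {"type": "plan"},
    {"type": "checkov",
     "gate": {"token": "security-scan", "any_of": ["team:security"]}},
    {"type": "conftest",
     "gate": {"token": "policy-check", "all_of": ["team:compliance"]}},
    {"type": "run", "cmd": ["./scripts/validate-production.sh"],
     "gate": {"token": "prod-validation",
              "any_of": ["team:platform", "team:sre", "team:devops"],
              "any_of_count": 2}},
]


@dataclass
class Gate:
    token: str
    any_of: list[str] = field(default_factory=list)
    all_of: list[str] = field(default_factory=list)
    any_of_count: int = 1  # assumed default when the key is absent

    @classmethod
    def from_config(cls, cfg: dict) -> "Gate":
        """Build a Gate from the mapping under a step's `gate:` key."""
        if not cfg.get("any_of") and not cfg.get("all_of"):
            raise ValueError(f"gate {cfg.get('token')!r} names no approvers")
        return cls(
            token=cfg["token"],
            any_of=list(cfg.get("any_of", [])),
            all_of=list(cfg.get("all_of", [])),
            any_of_count=int(cfg.get("any_of_count", 1)),
        )


def _matches(entry: str, user: str, teams: dict) -> bool:
    """Does `user` match a "user:<name>" or "team:<name>" principal? (assumed syntax)"""
    kind, _, name = entry.partition(":")
    if kind == "user":
        return user == name
    if kind == "team":
        return user in teams.get(name, ())
    raise ValueError(f"unsupported principal {entry!r}")


def gate_satisfied(gate: Gate, approvers: set[str], teams: dict) -> bool:
    """Approvals from people the gate does not name are ignored entirely."""
    # all_of: every listed principal must be represented by at least one approval.
    for entry in gate.all_of:
        if not any(_matches(entry, u, teams) for u in approvers):
            return False
    # any_of: count distinct people, so one user on two listed teams is one vote.
    if gate.any_of:
        eligible = {u for u in approvers
                    if any(_matches(e, u, teams) for e in gate.any_of)}
        if len(eligible) < gate.any_of_count:
            return False
    return True


def pending_gates(steps: list[dict], approvals: dict, teams: dict) -> list[str]:
    """Tokens of gated steps that still block the workflow.

    `approvals` maps a gate token to the set of users who ran
    `terrateam gate approve <token>` for it.
    """
    pending = []
    for step in steps:
        if "gate" not in step:
            continue
        gate = Gate.from_config(step["gate"])
        if not gate_satisfied(gate, approvals.get(gate.token, set()), teams):
            pending.append(gate.token)
    return pending


if __name__ == "__main__":
    print(pending_gates(PRODUCTION_PLAN, {}, TEAMS))
    print(pending_gates(PRODUCTION_PLAN,
                        {"security-scan": {"alice"}, "policy-check": {"erin"},
                         "prod-validation": {"carol"}}, TEAMS))
```

Two consequences of these assumed semantics are worth checking against your own approver lists: an approval from someone the gate does not name is simply discarded rather than counted, and a single person who belongs to several listed teams still contributes one vote toward `any_of_count`, so a two-person rule stays a two-person rule.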
Getting Started
Gatekeeper is available now for all Terrateam users. To implement it:
- Identify which checks occasionally need human override
- Determine appropriate approvers for each check type
- Add gate configurations to your workflows
- Document your override policies for team members
Full documentation with additional examples is available at docs.terrateam.io/advanced-workflows/gatekeeper.
The Human Element
Gatekeeper represents our philosophy that automation should enhance, not replace, human judgment. While automated checks catch the majority of issues, there will always be edge cases requiring human context and decision-making.
By providing a structured way to handle these exceptions, Gatekeeper helps teams maintain both security and velocity, ensuring that automated governance enhances rather than hinders your infrastructure operations.
Questions about implementing Gatekeeper in your workflows? Join our Slack community or open an issue on GitHub.