Security & Compliance Built In
Terrateam helps teams meet audit and compliance requirements without slowing down engineering. GitHub-native access controls, policy enforcement, secrets management, and full audit trails. All built into your workflow.
Security architecture
GitHub-native workflow
All changes flow through GitHub pull requests, leveraging your existing code review and approval processes. No separate security model to manage.
Isolated execution
Run infrastructure operations in isolated environments with scoped credentials. Support for private runners in your own network.
Secure by design
End-to-end security with encrypted storage, secure credential handling, and comprehensive access controls built into every workflow.
Security workflow
GitHub pull request
Trigger a change proposal. All changes start here.
Policy checks
OPA and Conftest policies validate the change against compliance and security rules.
Scoped secrets
Inject only the credentials needed for the directory or resource being modified.
Isolated runners
Execute Terraform in secure, isolated environments with scoped permissions.
Apply with RBAC + approvals
RBAC rules and approval workflows must be satisfied before any changes are applied.
Terrateam enforces security through GitHub-native workflows and fine-grained access controls
Terrateam security architecture
Flexible deployment options
Self-hosted
Deploy Terrateam in your own infrastructure for complete control over data residency and security. Perfect for high-compliance environments.
- Complete data sovereignty
- Air-gapped deployment support
- Custom security controls
Self-hosted deployment
Private cloud
Managed private cloud deployment with dedicated infrastructure and enhanced security controls. The perfect balance of control and convenience.
- Dedicated infrastructure
- Enhanced security controls
- Managed operations
Private cloud deployment
Compliance framework mapping
| Terrateam Feature | SOC 2 | ISO 27001 | HIPAA | PCI DSS | GDPR |
|---|---|---|---|---|---|
| RBAC Access Controls | ✓ | ✓ | ✓ | ✓ | ✓ |
| Policy Enforcement | ✓ | ✓ | ✓ | ✓ | ✓ |
| Audit Logging | ✓ | ✓ | ✓ | ✓ | ✓ |
| Secrets Management | ✓ | ✓ | ✓ | ✓ | ✓ |
| Approval Workflows | ✓ | ✓ | ✓ | ✓ | ✓ |
| Self-Hosted Option | ✓ | ✓ | ✓ | ✓ | ✓ |
Security and speed shouldn't be at odds
Security teams need guardrails
You need traceability, audit trails, and policy enforcement. But most Terraform setups rely on custom glue code and trust.
Manual checks don't scale
Compliance often becomes a bottleneck. Pull requests stall, approvals drift, and shadow changes go untracked.
Fragmented controls add risk
When secrets, approvals, and policies are handled in different systems, no one has the full picture, especially during audits.
Common Security Challenges in Infrastructure Workflows
Traditional infrastructure workflows create security and compliance gaps at each stage
"When you're working on achieving SOC 2 and you're 100% sure that you can control all of the code that's going inside your environment is going through CICD, but your infrastructure, that's a bit of a gap there."
Martin Delisle, Head of Infrastructure and Security at Haus
Compliance guardrails that scale with you
Role-Based Access Control (RBAC)
Define exactly who can do what with your infrastructure, using your existing GitHub identity system.
Define permissions per team, tag, directory, or environment
GitHub-native identity and team-based access
Apply Requirements enforce approvals and superapprovals
RBAC Configuration Example
# .terrateam/config.yml
apply_requirements:
checks:
- tag_query: "dir:environments/production/**"
approved:
enabled: true
any_of: ["team:platform"]
- tag_query: "iam in dir"
approved:
enabled: true
all_of: ["team:security"]
access_control:
policies:
- tag_query: "environments/production/**"
plan: ['team:engineering']
apply: ['team:platform']
- tag_query: "iam in dir"
plan: ['team:platform']
apply: ['team:security']Policy Enforcement
Automatically validate infrastructure changes against your security and compliance policies.
OPA and Conftest policies block unsafe or non-compliant plans
Custom workflows for critical resources
Policy override approvals with full audit trail
OPA Policy Example
# policies/s3_encryption.rego
package terraform.analysis
import input.planned_values as planned
deny[msg] {
resource := planned.root_module.resources[_]
resource.type == "aws_s3_bucket"
not resource.values.server_side_encryption_configuration
msg := sprintf(
"S3 bucket '%v' must have encryption enabled",
[resource.values.bucket]
)
}Secrets and Credential Management
Secure handling of credentials with proper scoping and isolation.
Support for OIDC, static credentials, and per-directory secrets
Scoped to specific resources and runners
No external secrets managers required
OIDC Configuration Example
# .terrateam/config.yml
hooks:
all:
pre:
- type: oidc
provider: aws
role_arn: "arn:aws:iam::123456789012:role/terrateam"Full Audit Trail
Complete visibility into every infrastructure change for compliance and troubleshooting.
Immutable logs of every plan, apply, policy check, and approval
Exportable for SOC2 and ISO compliance
Built-in visibility for your security team
Audit Log Entry Example
{
"event_type": "terraform_apply",
"timestamp": "2023-10-15T14:22:31Z",
"actor": {
"id": "user123",
"name": "Jane Smith",
"email": "jane@example.com"
},
"resource": {
"repository": "org/infrastructure",
"ref": "main",
"path": "environments/production/network"
},
"approvals": [
{
"user": "john@example.com",
"timestamp": "2023-10-15T13:45:12Z"
},
{
"user": "sarah@example.com",
"timestamp": "2023-10-15T14:02:08Z"
}
],
"policy_checks": [
{
"name": "s3_encryption",
"result": "pass"
},
{
"name": "public_access",
"result": "pass"
}
]
}Security built for scale
Meet your compliance and audit needs without reinventing workflows.