Security & Compliance Built In

Terrateam helps teams meet audit and compliance requirements without slowing down engineering. GitHub-native access controls, policy enforcement, secrets management, and full audit trails. All built into your workflow.

Start for Free Request Demo

Security Architecture

GitHub-Native Workflow

All changes flow through GitHub pull requests, leveraging your existing code review and approval processes. No separate security model to manage.

Isolated Execution

Run infrastructure operations in isolated environments with scoped credentials. Support for private runners in your own network.

Secure by Design

End-to-end security with encrypted storage, secure credential handling, and comprehensive access controls built into every workflow.

Security Workflow

GitHub Pull Request

Trigger a change proposal. All changes start here.

Policy Checks

OPA and Conftest policies validate the change against compliance and security rules.

Scoped Secrets

Inject only the credentials needed for the directory or resource being modified.

Isolated Runners

Execute Terraform in secure, isolated environments with scoped permissions.

Apply with RBAC + Approvals

RBAC rules and approval workflows must be satisfied before any changes are applied.

Terrateam enforces security through GitHub-native workflows and fine-grained access controls

Terrateam Security Architecture

GitHub App Integration

Terrateam Core Engine

Isolated Runners

Identity & Access Control

Policy Enforcement

Credential Management

Audit Logging & Reporting

Flexible Deployment Options

Self-Hosted

Deploy Terrateam in your own infrastructure for complete control over data residency and security. Perfect for high-compliance environments.

Complete data sovereignty
Air-gapped deployment support
Custom security controls

Self-Hosted Deployment

# Self-Hosted Architecture
┌─────────────────────────────────────────┐
│ Your Infrastructure                     │
│                                         │
│  ┌─────────────┐      ┌─────────────┐   │
│  │ Terrateam   │      │ PostgreSQL  │   │
│  │ Container   │◄────▶│ Database    │   │
│  └─────────────┘      └─────────────┘   │
│         ▲                               │
│         │                               │
│         ▼                               │
│  ┌─────────────┐      ┌─────────────┐   │
│  │ GitHub      │      │ Private     │   │
│  │ Webhook     │      │ Runners     │   │
│  └─────────────┘      └─────────────┘   │
│                                         │
└─────────────────────────────────────────┘

Private Cloud

Managed private cloud deployment with dedicated infrastructure and enhanced security controls. The perfect balance of control and convenience.

Dedicated infrastructure
Enhanced security controls
Managed operations

Private Cloud Deployment

# Private Cloud Architecture
┌─────────────────────────────────────────┐
│ Dedicated Terrateam Environment         │
│                                         │
│  ┌─────────────┐      ┌─────────────┐   │
│  │ Terrateam   │      │ Dedicated   │   │
│  │ Service     │◄────▶│ Database    │   │
│  └─────────────┘      └─────────────┘   │
│         ▲                               │
│         │                               │
│         ▼                               │
│  ┌─────────────┐      ┌─────────────┐   │
│  │ VPN/Private │      │ Your GitHub │   │
│  │ Connection  │◄────▶│ Organization│   │
│  └─────────────┘      └─────────────┘   │
│                                         │
└─────────────────────────────────────────┘

Compliance Framework Mapping

Terrateam Feature	SOC 2	ISO 27001	HIPAA	PCI DSS	GDPR
RBAC Access Controls	✓	✓	✓	✓	✓
Policy Enforcement	✓	✓	✓	✓	✓
Audit Logging	✓	✓	✓	✓	✓
Secrets Management	✓	✓	✓	✓	✓
Approval Workflows	✓	✓	✓	✓	✓
Self-Hosted Option	✓	✓	✓	✓	✓

Security and speed shouldn't be at odds

Security teams need guardrails

You need traceability, audit trails, and policy enforcement. But most Terraform setups rely on custom glue code and trust.

Manual checks don't scale

Compliance often becomes a bottleneck. Pull requests stall, approvals drift, and shadow changes go untracked.

Fragmented controls add risk

When secrets, approvals, and policies are handled in different systems, no one has the full picture, especially during audits.

Common Security Challenges in Infrastructure Workflows

Developer Changes

Manual PR Review

Terraform Apply

Production Environment

No Policy Enforcement

Bottlenecks & Delays

Credentials Management

No Audit Trail

Traditional infrastructure workflows create security and compliance gaps at each stage

"When you're working on achieving SOC 2 and you're 100% sure that you can control all of the code that's going inside your environment is going through CICD, but your infrastructure, that's a bit of a gap there."

Martin Delisle, Head of Infrastructure and Security at Haus

Compliance guardrails that scale with you

Role-Based Access Control (RBAC)

Define exactly who can do what with your infrastructure, using your existing GitHub identity system.

Define permissions per team, tag, directory, or environment
GitHub-native identity and team-based access
Apply Requirements enforce approvals and superapprovals

RBAC Configuration Example

# .terrateam/config.yml
apply_requirements:
  checks:
    - tag_query: "dir:environments/production/**"
      approved:
        enabled: true
        any_of: ["team:platform"]
    - tag_query: "iam in dir"
      approved:
        enabled: true
        all_of: ["team:security"]

access_control:
  policies:
    - tag_query: "environments/production/**"
      plan: ['team:engineering']
      apply: ['team:platform']

    - tag_query: "iam in dir"
      plan: ['team:platform']
      apply: ['team:security']

Policy Enforcement

Automatically validate infrastructure changes against your security and compliance policies.

OPA and Conftest policies block unsafe or non-compliant plans
Custom workflows for critical resources
Gatekeeper for human overrides with audit trace

OPA Policy Example

# policies/s3_encryption.rego
package terraform.analysis

import input.planned_values as planned

deny[msg] {
    resource := planned.root_module.resources[_]
    resource.type == "aws_s3_bucket"
    not resource.values.server_side_encryption_configuration
    
    msg := sprintf(
        "S3 bucket '%v' must have encryption enabled",
        [resource.values.bucket]
    )
}

Secrets and Credential Management

Secure handling of credentials with proper scoping and isolation.

Support for OIDC, static credentials, and per-directory secrets
Scoped to specific resources and runners
No external secrets managers required

OIDC Configuration Example

# .terrateam/config.yml
hooks:
  all:
    pre:
      - type: oidc
        provider: aws
        role_arn: "arn:aws:iam::123456789012:role/terrateam"

Full Audit Trail

Complete visibility into every infrastructure change for compliance and troubleshooting.

Immutable logs of every plan, apply, policy check, and approval
Exportable for SOC2 and ISO compliance
Built-in visibility for your security team

Audit Log Entry Example

{
  "event_type": "terraform_apply",
  "timestamp": "2023-10-15T14:22:31Z",
  "actor": {
    "id": "user123",
    "name": "Jane Smith",
    "email": "jane@example.com"
  },
  "resource": {
    "repository": "org/infrastructure",
    "ref": "main",
    "path": "environments/production/network"
  },
  "approvals": [
    {"user": "john@example.com", "timestamp": "2023-10-15T13:45:12Z"},
    {"user": "sarah@example.com", "timestamp": "2023-10-15T14:02:08Z"}
  ],
  "policy_checks": [
    {"name": "s3_encryption", "result": "pass"},
    {"name": "public_access", "result": "pass"}
  ]
}

Security built for scale

Meet your compliance and audit needs without reinventing workflows.

Start for Free Request Demo