Security & Compliance Built In

Terrateam helps teams meet audit and compliance requirements without slowing down engineering: GitHub-native access controls, policy enforcement, secrets management, and full audit trails, all built into your workflow.

Security Architecture

GitHub-Native Workflow

All changes flow through GitHub pull requests, leveraging your existing code review and approval processes. No separate security model to manage.

Isolated Execution

Run infrastructure operations in isolated environments with scoped credentials. Support for private runners in your own network.

Secure by Design

End-to-end security with encrypted storage, secure credential handling, and comprehensive access controls built into every workflow.

Security Workflow

1. GitHub Pull Request

Trigger a change proposal. All changes start here.

2. Policy Checks

OPA and Conftest policies validate the change against compliance and security rules.

3. Scoped Secrets

Inject only the credentials needed for the directory or resource being modified.

4. Isolated Runners

Execute Terraform in secure, isolated environments with scoped permissions.

5. Apply with RBAC + Approvals

RBAC rules and approval workflows must be satisfied before any changes are applied.

Terrateam enforces security through GitHub-native workflows and fine-grained access controls.

Terrateam Security Architecture (components)

  • GitHub App Integration
  • Terrateam Core Engine
  • Isolated Runners
  • Identity & Access Control
  • Policy Enforcement
  • Credential Management
  • Audit Logging & Reporting

Flexible Deployment Options

Self-Hosted

Deploy Terrateam in your own infrastructure for complete control over data residency and security. Perfect for high-compliance environments.

  • Complete data sovereignty
  • Air-gapped deployment support
  • Custom security controls
Self-Hosted Deployment
# Self-Hosted Architecture
┌─────────────────────────────────────────┐
│ Your Infrastructure                     │
│                                         │
│  ┌─────────────┐      ┌─────────────┐   │
│  │ Terrateam   │      │ PostgreSQL  │   │
│  │ Container   │◄────▶│ Database    │   │
│  └─────────────┘      └─────────────┘   │
│         ▲                               │
│         │                               │
│         ▼                               │
│  ┌─────────────┐      ┌─────────────┐   │
│  │ GitHub      │      │ Private     │   │
│  │ Webhook     │      │ Runners     │   │
│  └─────────────┘      └─────────────┘   │
│                                         │
└─────────────────────────────────────────┘

Private Cloud

Managed private cloud deployment with dedicated infrastructure and enhanced security controls. The perfect balance of control and convenience.

  • Dedicated infrastructure
  • Enhanced security controls
  • Managed operations
Private Cloud Deployment
# Private Cloud Architecture
┌─────────────────────────────────────────┐
│ Dedicated Terrateam Environment         │
│                                         │
│  ┌─────────────┐      ┌─────────────┐   │
│  │ Terrateam   │      │ Dedicated   │   │
│  │ Service     │◄────▶│ Database    │   │
│  └─────────────┘      └─────────────┘   │
│         ▲                               │
│         │                               │
│         ▼                               │
│  ┌─────────────┐      ┌─────────────┐   │
│  │ VPN/Private │      │ Your GitHub │   │
│  │ Connection  │◄────▶│ Organization│   │
│  └─────────────┘      └─────────────┘   │
│                                         │
└─────────────────────────────────────────┘

Compliance Framework Mapping

Frameworks covered: SOC 2, ISO 27001, HIPAA, PCI DSS, GDPR

Terrateam features mapped to these frameworks:

  • RBAC Access Controls
  • Policy Enforcement
  • Audit Logging
  • Secrets Management
  • Approval Workflows
  • Self-Hosted Option

Security and speed shouldn't be at odds

Security teams need guardrails

You need traceability, audit trails, and policy enforcement. But most Terraform setups rely on custom glue code and trust.

Manual checks don't scale

Compliance often becomes a bottleneck. Pull requests stall, approvals drift, and shadow changes go untracked.

Fragmented controls add risk

When secrets, approvals, and policies are handled in different systems, no one has the full picture, especially during audits.

Common Security Challenges in Infrastructure Workflows

Typical stages of a traditional workflow:

  • Developer Changes
  • Manual PR Review
  • Terraform Apply
  • Production Environment

Gaps that appear along the way:

  • No Policy Enforcement
  • Bottlenecks & Delays
  • Credentials Management
  • No Audit Trail

Traditional infrastructure workflows create security and compliance gaps at each stage.

"When you're working on achieving SOC 2 and you're 100% sure that you can control all of the code that's going inside your environment is going through CI/CD, but your infrastructure, that's a bit of a gap there."

Martin Delisle, Head of Infrastructure and Security at Haus

Compliance guardrails that scale with you

Role-Based Access Control (RBAC)

Define exactly who can do what with your infrastructure, using your existing GitHub identity system.

  • Define permissions per team, tag, directory, or environment

  • GitHub-native identity and team-based access

  • Apply Requirements enforce approvals and superapprovals

RBAC Configuration Example
# .terrateam/config.yml
apply_requirements:
  checks:
    # Production directories: at least one approval from the platform team
    - tag_query: "dir:environments/production/**"
      approved:
        enabled: true
        any_of: ["team:platform"]
    # Any directory whose path contains "iam": the security team must approve
    - tag_query: "iam in dir"
      approved:
        enabled: true
        all_of: ["team:security"]

access_control:
  policies:
    # Engineering may plan production changes, only platform may apply them
    - tag_query: "dir:environments/production/**"
      plan: ["team:engineering"]
      apply: ["team:platform"]

    # IAM changes: platform plans, security applies
    - tag_query: "iam in dir"
      plan: ["team:platform"]
      apply: ["team:security"]

Policy Enforcement

Automatically validate infrastructure changes against your security and compliance policies.

  • OPA and Conftest policies block unsafe or non-compliant plans

  • Custom workflows for critical resources

  • Gatekeeper for human overrides with audit trace

OPA Policy Example
# policies/s3_encryption.rego
package terraform.analysis

# `input` is the Terraform plan JSON (terraform show -json)
import input.planned_values as planned

# Deny any S3 bucket in the root module that has no
# server_side_encryption_configuration block in its planned values
deny[msg] {
    resource := planned.root_module.resources[_]
    resource.type == "aws_s3_bucket"
    not resource.values.server_side_encryption_configuration

    msg := sprintf(
        "S3 bucket '%v' must have encryption enabled",
        [resource.values.bucket]
    )
}
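To see what the rule above actually flags, here is the same check expressed in plain Python and run over a constructed Terraform plan document. This is an added illustration, not Terrateam or OPA code: the plan JSON is made up for the example, and the function goes one step beyond the page's Rego by also walking `child_modules`, which a `root_module.resources`-only policy never inspects. It is also stricter on empty values: a JSON `null` or empty list counts as unencrypted, whereas Rego's `not` only fires when the attribute is absent or `false`.

```python
"""Mirror of the page's S3 encryption rule over Terraform plan JSON.

Added example, not Terrateam or OPA code. The plan below is constructed
for the demonstration; the document shape (planned_values.root_module
.resources[].type / .values, nested child_modules) is the real output of
`terraform show -json`.
"""
import json

# Constructed sample plan: one encrypted bucket, one without the block,
# an unrelated resource, and a bucket inside a child module.
SAMPLE_PLAN = json.dumps({
    "planned_values": {
        "root_module": {
            "resources": [
                {"address": "aws_s3_bucket.logs", "type": "aws_s3_bucket",
                 "values": {"bucket": "acme-logs",
                            "server_side_encryption_configuration": [
                                {"rule": [{"apply_server_side_encryption_by_default": [
                                    {"sse_algorithm": "AES256"}]}]}]}},
                {"address": "aws_s3_bucket.public_assets", "type": "aws_s3_bucket",
                 "values": {"bucket": "acme-assets"}},
                {"address": "aws_instance.web", "type": "aws_instance",
                 "values": {"ami": "ami-placeholder"}},
            ],
            "child_modules": [
                {"address": "module.backups",
                 "resources": [
                     {"address": "module.backups.aws_s3_bucket.archive",
                      "type": "aws_s3_bucket",
                      "values": {"bucket": "acme-archive"}}]}
            ],
        }
    }
})


def iter_resources(module):
    """Yield every resource in a module and, recursively, in its child modules."""
    for res in module.get("resources", []):
        yield res
    for child in module.get("child_modules", []):
        yield from iter_resources(child)


def deny_unencrypted_s3(plan_json, include_child_modules=True):
    """Return the deny messages the page's Rego rule would produce.

    With include_child_modules=False this matches the Rego exactly in scope
    (root module only); with the default True it also covers nested modules.
    """
    plan = json.loads(plan_json)
    root = plan["planned_values"]["root_module"]
    resources = iter_resources(root) if include_child_modules else root.get("resources", [])
    msgs = []
    for res in resources:
        if res.get("type") != "aws_s3_bucket":
            continue
        values = res.get("values", {})
        # Stricter than Rego's `not ...`: absent, null and [] all count as
        # "no encryption configured".
        if not values.get("server_side_encryption_configuration"):
            msgs.append(f"S3 bucket '{values.get('bucket')}' must have encryption enabled")
    return msgs


if __name__ == "__main__":
    for m in deny_unencrypted_s3(SAMPLE_PLAN):
        print("deny:", m)
```

Run stand-alone it prints two denials, one of them for the bucket in `module.backups` that the root-only policy would have let through; that gap is worth remembering when a policy is copied from an example into a repository that uses modules.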

Secrets and Credential Management

Secure handling of credentials with proper scoping and isolation.

  • Support for OIDC, static credentials, and per-directory secrets

  • Scoped to specific resources and runners

  • No external secrets managers required

OIDC Configuration Example
# .terrateam/config.yml
hooks:
  all:
    pre:
      # Obtain short-lived AWS credentials via OIDC before every plan/apply;
      # the account id in the ARN is a placeholder
      - type: oidc
        provider: aws
        role_arn: "arn:aws:iam::123456789012:role/terrateam"

Full Audit Trail

Complete visibility into every infrastructure change for compliance and troubleshooting.

  • Immutable logs of every plan, apply, policy check, and approval

  • Exportable for SOC 2 and ISO compliance

  • Built-in visibility for your security team

Audit Log Entry Example
{
  "event_type": "terraform_apply",
  "timestamp": "2023-10-15T14:22:31Z",
  "actor": {
    "id": "user123",
    "name": "Jane Smith",
    "email": "jane@example.com"
  },
  "resource": {
    "repository": "org/infrastructure",
    "ref": "main",
    "path": "environments/production/network"
  },
  "approvals": [
    {"user": "john@example.com", "timestamp": "2023-10-15T13:45:12Z"},
    {"user": "sarah@example.com", "timestamp": "2023-10-15T14:02:08Z"}
  ],
  "policy_checks": [
    {"name": "s3_encryption", "result": "pass"},
    {"name": "public_access", "result": "pass"}
  ]
}
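An exported audit trail is only useful to an auditor if someone checks it. The following added example (not Terrateam code) takes an entry shaped like the one above and evaluates it against a few compliance expectations chosen for the demonstration: a minimum number of approvals, no self-approval by the applying actor, every approval recorded before the apply, and every policy check passing. A second, deliberately broken entry is constructed inline to show what findings look like.

```python
"""Compliance checks over an exported audit log entry.

Added example, not Terrateam code. The entry shape follows the page's
sample; the rules (min_approvals, no self-approval, approvals before the
apply timestamp, all policy checks passing) are assumptions made for the
demonstration, not Terrateam's own enforcement logic.
"""
import json
from datetime import datetime, timezone

# Constructed entry, identical in shape to the page's example.
_BASE = {
    "event_type": "terraform_apply",
    "timestamp": "2023-10-15T14:22:31Z",
    "actor": {"id": "user123", "name": "Jane Smith", "email": "jane@example.com"},
    "resource": {"repository": "org/infrastructure", "ref": "main",
                 "path": "environments/production/network"},
    "approvals": [
        {"user": "john@example.com", "timestamp": "2023-10-15T13:45:12Z"},
        {"user": "sarah@example.com", "timestamp": "2023-10-15T14:02:08Z"},
    ],
    "policy_checks": [
        {"name": "s3_encryption", "result": "pass"},
        {"name": "public_access", "result": "pass"},
    ],
}
SAMPLE_ENTRY = json.dumps(_BASE)

# Constructed tampered entry: the actor approved their own change, the
# second approval was recorded after the apply, and a policy check failed.
_TAMPERED = json.loads(SAMPLE_ENTRY)
_TAMPERED["actor"]["email"] = "john@example.com"
_TAMPERED["approvals"][1]["timestamp"] = "2023-10-15T14:30:00Z"
_TAMPERED["policy_checks"][1]["result"] = "fail"
TAMPERED_ENTRY = json.dumps(_TAMPERED)


def parse_ts(value):
    """Parse the log's UTC timestamps (ISO 8601 with a trailing Z)."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def audit_findings(entry_json, min_approvals=2):
    """Return a list of findings for one entry; an empty list means compliant."""
    entry = json.loads(entry_json)
    findings = []
    if entry.get("event_type") != "terraform_apply":
        return findings  # only applies are gated in this example
    applied_at = parse_ts(entry["timestamp"])
    actor_email = entry["actor"]["email"]
    valid = []
    for approval in entry.get("approvals", []):
        if approval["user"] == actor_email:
            findings.append(f"self-approval by {approval['user']} ignored")
            continue
        if parse_ts(approval["timestamp"]) > applied_at:
            findings.append(f"approval by {approval['user']} recorded after apply")
            continue
        valid.append(approval)
    if len(valid) < min_approvals:
        findings.append(f"only {len(valid)} valid approval(s), {min_approvals} required")
    for check in entry.get("policy_checks", []):
        if check.get("result") != "pass":
            findings.append(f"policy check '{check.get('name')}' result: {check.get('result')}")
    return findings


if __name__ == "__main__":
    for label, entry in (("sample", SAMPLE_ENTRY), ("tampered", TAMPERED_ENTRY)):
        print(label, audit_findings(entry) or "compliant")
```

The same function can be pointed at a whole export (one JSON object per line) to produce the evidence list an auditor asks for: which applies met the approval bar, and which did not.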

Security built for scale

Meet your compliance and audit needs without reinventing workflows.