Integrate security governance mechanisms in your Terraform IAC version control and CI/CD pipelines [ soup to nuts ] - Part 1

Most organizations have internal and regulatory governance requirements, and they need a mechanism that both enforces those requirements and produces an audit trail showing that they were met.

As a DevOps Engineer responsible for designing, implementing and managing modern infrastructure deployments for your organization, how do you integrate a governance enforcement mechanism into your infrastructure as code (IAC) projects?

In PART 1 and PART 2 of this blog series, I talk about my favorite tools and techniques for embedding security and compliance controls into your Infrastructure as Code (IAC) version control systems and CI/CD pipelines.

We will build a modern, production-grade IAC project in Azure DevOps that delivers infrastructure in Azure using Terraform, Azure Pipelines, Terraform Cloud, Azure Key Vault and Bridgecrew. Let's get after it!

In order to pull this off, we need the following components:

  • A Terraform Cloud account for Terraform state management
  • A Bridgecrew cloud account for IAC security scanning
  • An Azure DevOps organization for version control and pipelines
  • An Azure Key Vault for secret management in Azure Pipelines
  • Terraform code that defines our infrastructure
  • YAML configuration for our build and release pipelines
  • You must have access to an Azure AD tenant and a Subscription in it
  • You must be assigned the Global Administrator role on the AD tenant
  • You must be an Owner of the Azure subscription within the AD tenant

Table of Contents

  • Sign up for a free Terraform Cloud account
  • Sign up for a free Bridgecrew cloud account
  • Sign up for a free Azure DevOps Organization
  • Create Azure DevOps project and repository
  • Set up your Terraform Dev Environment in Visual Studio Code
  • Create Workspaces in Terraform Cloud
  • Putting the pieces together

Sign up for a free Terraform Cloud account

Terraform Cloud is a commercial SaaS product developed by HashiCorp that enables infrastructure automation for provisioning, compliance, and management of any cloud, data center, and service. To create an account, visit the Terraform Cloud sign-up page and follow the prompts to create a free account.

Sign up for a free Bridgecrew cloud account

Bridgecrew gives DevOps Engineers much-needed visibility into unresolved infrastructure security findings and enforces cloud security earlier in the development lifecycle, to minimize risk and maintain cloud compliance. To get started for free, head over to the Bridgecrew website and create an account.

Sign up for a free Azure DevOps Organization

Azure DevOps Services is Microsoft's hosted offering that provides version control, reporting, requirements management, project management, automated builds, testing and release management capabilities. (Azure DevOps Server is the self-hosted edition; this series uses the hosted service.) If you don't already have one, sign up for a free Azure DevOps organization.

Create Azure DevOps project and repository

In your Azure DevOps organization,

  • Create a project named iac-governance (a new Git project also gets a default repository of the same name, which can hold the Terraform code)

Instead of clicking through the portal, the project can be declared with the Azure DevOps Terraform provider:

# Azure DevOps project for the IAC code (requires the microsoft/azuredevops provider)
resource "azuredevops_project" "azdo" {
  name               = "iac-governance"
  visibility         = "private"
  version_control    = "Git"
  work_item_template = "Agile"
  description        = "Terraform IAC Security and Governance"
}
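The following is an added, complete example (not code from the original post) that goes one step further than the project resource: it provisions the project, a dedicated Git repository for the Terraform code, and a branch policy on main that requires two reviewers and blocks self-approval, which is the first governance control a version control system can enforce. The organization URL, the repository name terraform-iac and the branch name main are assumptions.

```hcl
# Added example (not from the original post): Azure DevOps project, repository
# and a reviewed-pull-request policy on main, declared with the
# microsoft/azuredevops provider. Names marked "assumption" are placeholders.
terraform {
  required_providers {
    azuredevops = {
      source  = "microsoft/azuredevops"
      version = ">= 0.4.0"
    }
  }
}

# Credentials come from the environment, never from the .tf file:
#   AZDO_ORG_SERVICE_URL       = https://dev.azure.com/<your-org>   (assumption)
#   AZDO_PERSONAL_ACCESS_TOKEN = a PAT scoped to Project and Code (read & write)
provider "azuredevops" {}

resource "azuredevops_project" "azdo" {
  name               = "iac-governance"
  visibility         = "private"
  version_control    = "Git"
  work_item_template = "Agile"
  description        = "Terraform IAC Security and Governance"
}

# Dedicated repository for the Terraform code (name and branch are assumptions).
resource "azuredevops_git_repository" "iac" {
  project_id     = azuredevops_project.azdo.id
  name           = "terraform-iac"
  default_branch = "refs/heads/main"

  initialization {
    init_type = "Clean"
  }
}

# Governance in version control: a pull request into main needs two approvals,
# the author cannot approve their own change, and the policy is blocking, so
# the merge button stays disabled until the policy is satisfied.
resource "azuredevops_branch_policy_min_reviewers" "main" {
  project_id = azuredevops_project.azdo.id
  enabled    = true
  blocking   = true

  settings {
    reviewer_count     = 2
    submitter_can_vote = false

    scope {
      repository_id  = azuredevops_git_repository.iac.id
      repository_ref = "refs/heads/main"
      match_type     = "Exact"
    }
  }
}
```

Run terraform init and terraform apply with the two AZDO_* variables exported in your shell. The PAT is the only long-lived secret here; keep it out of the repository and rotate it, since anyone holding it can rewrite the very branch policies that gate the pipeline.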

Set up your Terraform Dev Environment in Visual Studio Code

  • Download and install the latest Visual Studio Code for your OS platform from the Visual Studio Code website
  • Install the Azure Terraform VS Code extension
  • Install the HashiCorp Terraform VS Code extension

Create Workspaces in Terraform Cloud

Since Azure DevOps will drive our CI/CD, we use Terraform Cloud only for remote state and the CLI-driven run workflow: the Terraform CLI running on the Azure Pipelines agent initiates runs in Terraform Cloud, which holds the state and the run history. The CLI integration offers the best of both worlds to DevOps engineers who are already comfortable with the Terraform CLI, and it fits existing CI/CD pipelines in Azure DevOps.

Log in to your Terraform Cloud account and create the following Workspaces. Be sure to select the CLI-driven run workflow for each.
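As an added example (not code from the original post), this is the root-module configuration that binds the Terraform CLI to one of those CLI-driven workspaces, together with the two points that trip people up in a pipeline: where the Terraform Cloud API token comes from, and which side (agent or Terraform Cloud) must hold the Azure credentials. The organization name my-org and the workspace name iac-governance-dev are assumptions.

```hcl
# Added example (not from the original post): root module wired to a
# CLI-driven Terraform Cloud workspace. The `cloud` block needs Terraform >= 1.1.
# Organization and workspace names are assumptions.
terraform {
  required_version = ">= 1.1.0"

  cloud {
    organization = "my-org"            # assumption: your Terraform Cloud organization

    workspaces {
      name = "iac-governance-dev"      # assumption: one of the workspaces created above
    }

    # Do NOT set `token = "..."` here; it would be committed to version control.
    # Supply it out of band instead:
    #   - locally: `terraform login` stores it in credentials.tfrc.json
    #   - in CI:   export TF_TOKEN_app_terraform_io=<token> (Terraform >= 1.2),
    #              fed from an Azure Key Vault secret as a secret pipeline variable
  }

  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = "~> 3.0"
    }
  }
}

# The azurerm provider reads ARM_CLIENT_ID, ARM_CLIENT_SECRET, ARM_TENANT_ID and
# ARM_SUBSCRIPTION_ID from the environment. With the workspace's execution mode
# set to "Remote" (the default), plan and apply run on Terraform Cloud's workers,
# so those four values must be stored as sensitive *environment variables on the
# workspace*, not on the pipeline agent. With execution mode "Local", the agent
# runs plan/apply itself and only the state lives in Terraform Cloud, so the
# agent is the one that needs the credentials.
provider "azurerm" {
  features {}
}
```

After terraform init, every terraform plan or terraform apply on the agent is queued as a run in the workspace, so the workspace's run history doubles as the audit trail for who changed what and when.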

Putting the pieces together

Now that we have our basic building blocks in place, it's time to call it a day for Part 1. In Part 2, we will pull it all together and:

  • Write sample Terraform code and commit it to our project repo in Azure DevOps
  • Enable Azure Defender for enhanced security features on our subscription.
  • Create a set of base Azure Policy assignments to secure our subscription
  • Setup Build and Release Pipelines for our project repo in Azure DevOps
  • Use Azure Key Vault secrets for our Build and Release Pipelines
  • Integrate Bridgecrew IAC scan with our Build and Release Pipelines in Azure DevOps
  • Add Pre and Post Deployment Gates to check for Azure Policy Compliance
  • Perform an IAC Scan on the code in our project repo and check the Bridgecrew platform for scan results
  • Remediate any violations found in our IAC
Jim Musana