Managing IaC Configurations

This section of the documentation explains how to manage the IaC Security configurations used for scanning. Check out the IaC Overview for high-level details of the IaC feature. Configurations are a critical component of IaC Analyzer scans: they allow users to determine which checks a scan runs, with regard to resources and Insights. In most scenarios, you add configurations after you have set up your desired scanning setup, so that the data you want to analyze is already coming in.

The Configurations section of the IaC Security interface is available under Security > Infrastructure as Code > Configurations. Each Configuration is listed with: a link to its Insight Pack (Custom Packs or Compliance Packs), whether developer exceptions are enabled, the number of Terraform Cloud/Enterprise (TFC/E) Run Tasks associated with the configuration, various dates regarding usage and creation, and actions.

Create a Configuration

Before Getting Started

Here are a few things to keep in mind when creating your configuration:

  • There are currently no limitations on the number of configurations. However, only a single configuration can be used for scanning at one time.
  • Configurations are limited to a maximum of 300 Insights.
  • Configurations are only available to Domain Admins, Organization Admins, and Editor/Admin-entitled users. See the User Entitlements Matrix for more information.

Steps to Create Your Configuration

First, navigate to Security > Infrastructure as Code > Configurations, then click the + New Configuration button in the top right corner. The Create Configuration form launches from the side of the page.

  1. Provide a Name and optional Description for the new configuration.
  2. Set whether the configuration requires Developer Exceptions using the toggle. Developer Exceptions give users a way to keep resources from being flagged as having Insight findings during the IaC analysis.
  3. Under Insight Settings, select an Insight Pack to use for your IaC Security analysis.
    • InsightCloudSec provides support for both out-of-the-box Compliance Packs and for Custom Packs (based on user-specific configurations of Insights).
    • Selecting an Insight Pack (custom or otherwise) will expose a list of the Insights included in the specified pack, along with buttons to configure your desired Insight settings.
  4. For each Insight, select whether to fail, warn, or ignore the Insight upon verification during IaC Security analysis.
    • The level of support is specified under each Insight name in grey text. If no grey text is present, the Insight has full resource support.
      • Partial Support - Resources are not supported for certain CSPs; these will be specifically identified.
      • Unsupported - Resources specific to this Insight are not supported on any of the CSPs; these will be hidden by default. Click the Show Unsupported Insights button at the bottom of the Insight Configuration list to display them.
    • Alternatively, click Set All and select a status to use for all Insights.
  5. Optionally, click Notifications to configure notifications for the scan.
    • Provide a Slack channel and/or email addresses to notify once the scan is complete.
    • Note: This requires a previously configured Slack Integration or SMTP (Email Notifications) integration.
  6. When you are satisfied with your settings, click Apply. Your completed configuration will be available under the Configurations tab.

Editing Existing Configurations

There are two ways to edit an existing configuration:

  • Click the Edit Configuration icon (pencil) next to a finished configuration scan on the Scan List tab.
  • Click the Edit Configuration icon (pencil) next to a configuration on the Configurations tab.

After you click the Edit Configuration icon, the Manage Configuration window appears, allowing you to edit the name, description, Insight Pack and settings, and notifications for the configuration. Click Apply once you have finished your edits.