Infrastructure Changes Are High-Risk
Terraform apply can delete databases. Pulumi up can expose S3 buckets. CloudFormation can modify IAM roles. These actions are expensive to reverse — often impossible.
TrigGuard authorizes infrastructure changes before they execute. Every apply gets a signed receipt for your audit trail.
Terraform Integration
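# CI/CD pipeline with TrigGuard gate
- name: Terraform Plan
  # id is required so later steps can read steps.plan.outputs.*;
  # this step must also export the `hash` and `changes` outputs used below
  id: plan
  run: terraform plan -out=plan.tfplan
- name: Request Authorization
  # id is required so the apply step can read steps.trigguard.outputs.*
  id: trigguard
  uses: trigguard/authorize@v1
  with:
    surface: infra.apply
    action: terraform-apply
    context: |
      workspace: production
      plan_hash: ${{ steps.plan.outputs.hash }}
      resource_changes: ${{ steps.plan.outputs.changes }}
- name: Terraform Apply
  # Runs only when the authorization step returned PERMIT
  if: steps.trigguard.outputs.decision == 'PERMIT'
  run: |
    echo "Receipt: ${{ steps.trigguard.outputs.receipt_id }}"
    terraform apply plan.tfplan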
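The workflow passes plan_hash and resource_changes to the authorization step without showing how they are derived. The following is an added example, not TrigGuard's or the original page's code, of one way to compute them from the saved plan and from `terraform show -json plan.tfplan` output, and to re-check the hash just before apply. The use of SHA-256, the summary shape, and all function names are assumptions; the sample plan is constructed.

```python
import hashlib
import hmac
import json

# Constructed sample in the shape of `terraform show -json plan.tfplan`
# (only the fields this example reads).
SAMPLE_PLAN_JSON = json.dumps({"resource_changes": [
    {"address": "aws_s3_bucket.logs", "change": {"actions": ["create"]}},
    {"address": "aws_iam_role.deploy", "change": {"actions": ["update"]}},
    {"address": "aws_db_instance.main", "change": {"actions": ["delete", "create"]}},
    {"address": "aws_sqs_queue.old", "change": {"actions": ["delete"]}},
    {"address": "aws_vpc.core", "change": {"actions": ["no-op"]}},
]})


def plan_hash(plan_bytes: bytes) -> str:
    """Hash the binary plan file so the authorization is bound to one exact plan."""
    return hashlib.sha256(plan_bytes).hexdigest()  # SHA-256 is an assumption


def summarize_changes(plan_json: str) -> dict:
    """Count planned actions and list the resources that would be destroyed."""
    counts = {"create": 0, "update": 0, "delete": 0, "replace": 0}
    destructive = []
    for rc in json.loads(plan_json).get("resource_changes", []):
        actions = rc.get("change", {}).get("actions", [])
        if "delete" in actions and "create" in actions:
            kind = "replace"  # destroy-and-recreate, in either order
        elif "delete" in actions:
            kind = "delete"
        elif "create" in actions:
            kind = "create"
        elif "update" in actions:
            kind = "update"
        else:
            continue  # "no-op" and "read" change nothing
        counts[kind] += 1
        if kind in ("delete", "replace"):
            destructive.append(rc["address"])
    return {"counts": counts, "destructive": sorted(destructive)}


def verify_before_apply(plan_bytes: bytes, authorized_hash: str) -> bool:
    """Re-hash at apply time; a mismatch means the plan file changed after authorization."""
    return hmac.compare_digest(plan_hash(plan_bytes), authorized_hash)


if __name__ == "__main__":
    print(summarize_changes(SAMPLE_PLAN_JSON))
```

Replacements are counted as destructive because Terraform destroys the existing resource before or after creating the new one, which for a database means data loss unless it is backed up.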
What Gets Authorized
terraform apply
State-changing applies to any workspace. Block destructive changes.
pulumi up
Stack updates with resource creation, modification, or deletion.
cloudformation deploy
Stack deployments and updates. Nested stacks supported.
crossplane sync
GitOps infrastructure reconciliation with external clusters.
Policy Examples
Compliance Benefits
Every infrastructure change produces a signed receipt. Export receipts for SOC 2, ISO 27001, FedRAMP, or internal audits.
Audit Trail
Who authorized the change? When? What was the plan hash? Every receipt answers these questions with cryptographic proof.
Protect Your Infrastructure
Add TrigGuard to your IaC pipeline. Gate terraform apply in 10 minutes.