Terraform Cloud can be connected to OpenClaw agents via official API with enterprise buildout controls, but it must not be exposed without policy-as-code enforcement. An agent with unconstrained Terraform Cloud access can create, modify, or destroy infrastructure across every workspace it can reach. The execution layer requires Work Policy Contracts (WPC), scoped tokens (CST), and gateway receipts to ensure that every plan and apply is authorized, scoped, and auditable before it touches your state files.
Prompt-level instructions alone cannot prevent a misconfigured or compromised agent from running terraform apply on the wrong workspace. Policy-as-code binds the agent to a signed contract that clawproxy and clawcontrols enforce at the network layer, not at the model's discretion.
Step-by-step runbook
- Create a Terraform Cloud API token with least-privilege scope. Use a team-level or project-scoped token, not an organization token. Restrict it to the specific workspaces the agent needs. Store the token in your secrets manager, never in agent config.
- Author a Work Policy Contract (WPC). Define the allowed Terraform Cloud workspaces, permitted operations (plan-only vs. plan-and-apply), and any resource-type restrictions. Sign and publish the WPC to the clawcontrols registry.
- Issue a scoped token (CST) pinned to the WPC hash. Use clawscope to mint a CST with the policy hash pinned. This ensures the agent can only operate under the exact policy version you approved.
- Route model calls through clawproxy. All model interactions during the Terraform run produce gateway receipts. These receipts record which model was called, what the agent requested, and the timestamp, giving you a verifiable chain of reasoning.
- Gate apply operations on explicit approval. Configure the WPC so that
terraform applyrequires a human approval step or a secondary CST with elevated scope. Plan-only runs can proceed autonomously; state-mutating runs must not. - Collect the proof bundle after each run. The proof bundle aggregates gateway receipts, the WPC hash, CST metadata, and run identifiers into a single auditable artifact. Store it alongside your Terraform state version for traceability.
- Review via Trust Pulse. Publish the proof bundle as a Trust Pulse artifact for your compliance team to inspect without needing direct access to Terraform Cloud or the agent runtime.
Threat model
| Threat | What happens | Control |
|---|---|---|
| Agent applies destructive plan to production workspace | Resources deleted or misconfigured; outage or data loss | WPC restricts allowed workspaces and blocks apply without approval gate |
| Prompt injection tricks agent into changing target workspace | Agent runs plan/apply against unintended infrastructure | CST is pinned to specific workspace identifiers in the WPC; clawproxy rejects out-of-scope calls |
| Stolen Terraform Cloud API token used outside agent context | Unauthorized infrastructure changes with no audit trail | CST job-scoped binding (marketplace anti-replay) ensures the token is only valid within a specific job; gateway receipts provide tamper-evident logs |
| Agent exfiltrates state file containing secrets | Credentials, connection strings, or private keys exposed | WPC denies read access to state endpoints; egress allowlists (planned) can further restrict outbound destinations |
| Model hallucinates valid-looking HCL that passes plan | Subtly wrong infrastructure deployed | Gateway receipts capture the model's reasoning; proof bundle enables post-hoc audit of what the model proposed vs. what was applied |
Policy-as-code example
{
"wpc_version": "1.0",
"name": "terraform-cloud-staging-only",
"tool": "terraform-cloud",
"connection": "official-api",
"permissions": {
"workspaces": ["ws-staging-app", "ws-staging-db"],
"operations": ["plan"],
"apply": {
"allowed": true,
"requires_approval": true,
"approvers": ["infra-lead@example.com"]
},
"state_read": false
},
"cst_constraints": {
"max_ttl_seconds": 1800,
"policy_hash_pin": true,
"job_scoped": true
},
"audit": {
"gateway_receipts": "required",
"proof_bundle": "required"
}
}This WPC limits the agent to two staging workspaces, allows plan freely, requires human approval for apply, and blocks state reads entirely. The CST expires after 30 minutes and is bound to a single job.
What proof do you get?
Every model call the agent makes during a Terraform run produces a gateway receipt from clawproxy. Each receipt is signed and includes the model identifier, request hash, and timestamp. These receipts are not deniable after the fact.
At job completion, receipts are bundled with the WPC hash, CST metadata, and Terraform run ID into a proof bundle. This bundle is a single artifact your auditors can verify independently using clawverify, without needing access to the agent or Terraform Cloud.
The proof bundle can be published as a Trust Pulse artifact for marketplace-level visibility. This gives compliance reviewers a read-only view of what the agent did, what policy it operated under, and which model calls drove its decisions.
Rollback posture
| Action | Safe rollback | Evidence |
|---|---|---|
| Agent runs unauthorized apply | Revert to previous Terraform state version; Terraform Cloud retains state history per workspace | Proof bundle shows which model call triggered the apply; gateway receipts identify the exact reasoning chain |
| CST compromised mid-job | Revoke CST via clawscope; job-scoped binding prevents reuse in any other context | CST revocation event logged; anti-replay binding confirms no parallel usage |
| WPC found to be overly permissive | Publish a new WPC version with tighter constraints; old hash is no longer pinned to new CSTs | WPC registry retains both versions; diff is auditable |
| Agent produces incorrect plan | Discard the plan; no state mutation occurs until apply is approved | Gateway receipts capture the model output that generated the plan; proof bundle preserves the full decision trail |
FAQ
Is Terraform Cloud integration available as a native connector today?
No. Terraform Cloud is connectable via official API with enterprise buildout controls. It is not shipped as a native connector. The integration requires configuring API tokens, WPC policies, and CST scoping as described in the runbook above.
Why can't prompt instructions replace policy-as-code for Terraform runs?
Prompt instructions are advisory. A model can ignore, misinterpret, or be manipulated past them via prompt injection. A WPC is a signed, hash-addressed artifact enforced by clawproxy at the network layer. The agent cannot bypass it regardless of what the model decides to do.
Can the agent be restricted to plan-only with no apply capability?
Yes. Set "operations": ["plan"] in the WPC and omit or disable the apply permission. The CST issued against this WPC will not authorize apply calls through the Terraform Cloud API.
How do gateway receipts help if something goes wrong in production?
Each receipt records the exact model call, including the prompt content hash and model response hash. During incident review, you can reconstruct the full chain of reasoning that led to a Terraform action, identify where the model went wrong, and determine whether the policy should have caught it.
Can I enforce cost budgets on Terraform runs automatically?
Automatic cost budget enforcement is planned but not yet shipped. Today, you can set workspace-level cost estimation in Terraform Cloud itself and use WPC approval gates to require human review before any apply that exceeds your threshold.