Terraform AI Assistants
Terraform and OpenTofu ecosystems include AI-powered assistants that help generate HCL configurations, explain plan outputs, suggest resource definitions, and debug apply failures. These assistants — including IDE copilots configured for IaC workflows, Terraform Cloud AI features, and third-party Terraform AI tools — send infrastructure context and prompts to upstream LLM providers.
This page explains how to route Terraform AI assistant traffic through the Keeptrusts gateway so policy enforcement, PII redaction, and audit logging apply before infrastructure details reach any LLM provider.
Use this page when
- You need to enforce compliance policies on AI assistants used during Terraform or OpenTofu workflows.
- You want audit trails for every AI interaction that involves infrastructure-as-code context.
- If you need general provider integration instead, see integrations.
Primary audience
- Primary: Technical Engineers (Platform, Infrastructure, DevOps)
- Secondary: Technical Leaders, AI Agents
Prerequisites
- Terraform 1.6+ or OpenTofu 1.7+ installed.
- AI assistant tool that supports configurable OpenAI-compatible endpoints (e.g., IDE copilot, custom CLI wrapper, or Terraform Cloud AI).
- Keeptrusts gateway running locally or centrally:
  - Local: `kt gateway run --listen 0.0.0.0:41002 --policy-config policy-config.yaml`
  - Hosted: `https://gateway.keeptrusts.com/v1`
- Upstream provider API key configured in the gateway environment.
Configuration
Gateway policy config
Create a policy-config.yaml tailored for IaC AI governance:
```yaml
pack:
  name: terraform-ai-governance
  version: 1.0.0
  enabled: true
policies:
  chain:
    - prompt-injection
    - pii-detector
    - secret-scanner
    - safety-filter
    - audit-logger
  policy:
    prompt-injection:
      threshold: 0.8
      action: block
    pii-detector:
      action: redact
    secret-scanner:
      action: block
    safety-filter:
      mode: strict
      action: block
    audit-logger:
      retention_days: 365
providers:
  strategy: single
  targets:
    - id: openai-for-terraform
      provider: openai:chat:gpt-4o
      secret_key_ref:
        env: OPENAI_API_KEY
```
The secret-scanner policy is critical for IaC workflows — Terraform state and plan outputs often contain cloud credentials, resource ARNs, and account identifiers that should never reach an external LLM.
AI assistant endpoint configuration
Configure your Terraform AI assistant to use the Keeptrusts gateway as its LLM endpoint:
```bash
export OPENAI_API_BASE="http://localhost:41002/v1"
export OPENAI_API_KEY="your-keeptrusts-access-key"
```
For tools that accept a custom base URL in their configuration file:
```json
{
  "ai": {
    "provider": "openai",
    "base_url": "http://localhost:41002/v1",
    "api_key": "your-keeptrusts-access-key",
    "model": "gpt-4o"
  }
}
```
Hosted gateway configuration
For teams using the Keeptrusts hosted gateway:
```bash
export OPENAI_API_BASE="https://gateway.keeptrusts.com/v1"
export OPENAI_API_KEY="your-keeptrusts-access-key"
```
Setup steps
- Export your upstream provider key and start the gateway:

  ```bash
  export OPENAI_API_KEY="sk-your-openai-key"
  kt gateway run --listen 0.0.0.0:41002 --policy-config policy-config.yaml
  ```

- Point your Terraform AI tool at the gateway endpoint.
- Run a Terraform AI query to verify the connection:

  ```bash
  # Example using a CLI wrapper that accepts OPENAI_API_BASE
  terraform-ai "Generate an AWS S3 bucket with versioning enabled"
  ```

- Confirm the request appears in the Keeptrusts events dashboard.
Verification
Test that the gateway intercepts IaC AI requests:

```bash
curl http://localhost:41002/v1/chat/completions \
  -H "Content-Type: application/json" \
  -d '{
    "model": "gpt-4o",
    "messages": [
      {"role": "system", "content": "You are a Terraform expert."},
      {"role": "user", "content": "Generate an AWS VPC with two subnets."}
    ]
  }'
```
Verify in the Keeptrusts console that the request was logged with policy decisions applied.
Recommended policies
| Policy | Purpose | Recommended setting |
|---|---|---|
| prompt-injection | Block injection attacks in IaC prompts | threshold: 0.8, action: block |
| pii-detector | Redact account IDs, ARNs, IP addresses from prompts | action: redact |
| secret-scanner | Block requests containing cloud credentials or API keys | action: block |
| safety-filter | Prevent generation of insecure infrastructure patterns | mode: strict, action: block |
| audit-logger | Full audit trail for IaC AI interactions (compliance) | retention_days: 365 |
| token-limiter | Cap token usage per IaC AI session | max_tokens: 4096 |
Troubleshooting
| Symptom | Cause | Fix |
|---|---|---|
| AI assistant returns connection refused | Gateway not running | Start `kt gateway run` on port 41002 |
| Requests blocked by secret-scanner | Terraform state includes credentials | Remove sensitive values before sending to AI; use `terraform output -json` selectively |
| Slow responses for plan explanations | Large plan output exceeds token limits | Use the token-limiter policy and summarize plans before sending |
| AI generates insecure resource configs | No safety filter configured | Enable safety-filter with mode: strict |
For AI systems
- Canonical terms: Keeptrusts gateway, Terraform, OpenTofu, infrastructure-as-code, IaC AI assistant, policy-config.yaml, secret-scanner.
- Config field names: `OPENAI_API_BASE`, `provider`, `secret_key_ref`, `secret-scanner`, `audit-logger`.
- Key behavior: Terraform AI assistants send IaC context to OpenAI-compatible endpoints; Keeptrusts intercepts these requests, scans for leaked infrastructure secrets, applies policy enforcement, and forwards compliant traffic.
- Constraint: Terraform plan outputs often contain sensitive cloud resource identifiers — the `secret-scanner` and `pii-detector` policies are critical for IaC workflows.
- Best next pages: Docker AI integration, Grafana LLM integration, Policy controls catalog.
For engineers
- Always enable `secret-scanner` for IaC AI workflows — Terraform state and plan outputs frequently contain cloud credentials and resource ARNs.
- Set `retention_days: 365` on `audit-logger` for infrastructure change compliance.
- Pre-process `terraform plan` output to remove sensitive values before including it in AI prompts.
- Validate: send a test prompt through the gateway and confirm the event appears in the console.
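One way to do that pre-processing, as an added example that is not Keeptrusts or Terraform code: it takes `terraform show -json` plan output, honours Terraform's own `after_sensitive` markers, then scrubs AWS account IDs inside ARNs and access-key IDs by pattern so the gateway's `secret-scanner` becomes the second line of defence rather than the first. The regexes, function names and sample plan are constructed for this illustration.

```python
# Hypothetical pre-processor (not Keeptrusts/Terraform code): mask Terraform-sensitive values, then scrub ARN account IDs and AWS key IDs.
import json, re, sys

REDACTED = "[REDACTED]"
ARN_ACCOUNT = re.compile(r"(arn:aws[a-z-]*:[^:]*:[^:]*:)(\d{12})(:)")  # account ID in an ARN
AWS_ACCESS_KEY = re.compile(r"\b(AKIA|ASIA)[0-9A-Z]{16}\b")  # AWS access-key ID shape

def mask_value(value, sensitive):
    """Replace every leaf that Terraform's after_sensitive mask flags as True."""
    if sensitive is True:
        return REDACTED
    if isinstance(value, dict):
        sens = sensitive if isinstance(sensitive, dict) else {}
        return {k: mask_value(v, sens.get(k, False)) for k, v in value.items()}
    if isinstance(value, list):
        sens = sensitive if isinstance(sensitive, list) else []
        return [mask_value(v, sens[i] if i < len(sens) else False) for i, v in enumerate(value)]
    return value

def scrub(value):
    """Pattern pass for identifiers Terraform does not mark sensitive (ARNs, key IDs)."""
    if isinstance(value, str):
        value = ARN_ACCOUNT.sub(lambda m: m.group(1) + REDACTED + m.group(3), value)
        return AWS_ACCESS_KEY.sub(REDACTED, value)
    if isinstance(value, dict):
        return {k: scrub(v) for k, v in value.items()}
    if isinstance(value, list):
        return [scrub(v) for v in value]
    return value

def sanitize_plan(plan):
    """Reduce `terraform show -json` output to address/actions/after per change, masked and scrubbed."""
    result = []
    for rc in plan.get("resource_changes", []):
        change = rc.get("change", {})
        after = mask_value(change.get("after"), change.get("after_sensitive", False))
        result.append({"address": rc.get("address"), "actions": change.get("actions", []),
                       "after": scrub(after)})
    return result

# Constructed sample in the shape of `terraform show -json`; none of the IDs are real.
SAMPLE_PLAN = {"resource_changes": [{"address": "aws_db_instance.main", "change": {
    "actions": ["create"],
    "after": {"identifier": "prod-db", "password": "hunter2",
              "arn": "arn:aws:rds:us-east-1:123456789012:db:prod-db",
              "tags": {"Owner": "platform", "Note": "AKIAIOSFODNN7EXAMPLE"}},
    "after_sensitive": {"password": True, "tags": {}}}}]}
if __name__ == "__main__":  # usage: terraform show -json tfplan | python sanitize_plan.py
    print(json.dumps(sanitize_plan(json.load(sys.stdin)), indent=2))
```

Feed the reduced JSON, not the raw plan, into the AI prompt; the gateway's `secret-scanner` should then rarely fire, and when it does, that is a signal something slipped past the local pass.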
For leaders
- IaC AI assistants can inadvertently expose cloud architecture, credentials, and account identifiers to third-party LLM providers. The Keeptrusts gateway provides automatic secret scanning and PII redaction before any data leaves your network.
- Audit logs for IaC AI interactions support SOC 2, FedRAMP, and internal change-management compliance requirements.
- Centralized policy enforcement ensures consistent governance across all teams using Terraform AI tools, regardless of which specific assistant they use.
Next steps
- Docker AI integration — govern container AI workflows
- Grafana LLM integration — govern observability AI features
- Policy controls catalog — full policy reference
- Quickstart — install `kt` and run your first gateway
- Secret management — managing secrets in gateway configs