Integrations/Terraform Cloud
T

Control what your AI agents do in Terraform Cloud.

Let your team build AI agents for Terraform Cloud. Bollard AI controls what each one can do, workspace by workspace.

TTerraform Cloud
Infra Agent
staging WorkspaceOffReadFull use
production WorkspaceOffReadFull use
security WorkspaceOffReadFull use
Apply runs
What agents can do

Set what each agent can do in every workspace.

Each workspace gets one of three levels: Off, Read, or Full use. Anything not allowed is denied.

Off
No access
The agent can't see the workspace or that it exists.
Read
Read-only
The agent can read runs and state for that workspace. It can't change anything.
Full use
Plan and update
The agent can queue plans and update variables in that workspace.

Some actions stay off until explicitly turned on

Each one changes real infrastructure, removes a workspace for good, or changes its inputs, so it could override the limits set on individual workspaces.

Applying or cancelling runsForce-deleting workspacesChanging variables
Set up & manage

Connect once. Manage everyone from there.

Connect once, then control access person by person. No new keys to hand out.

Step 1 · Set up

Connect once, company-wide

An admin connects your company's Terraform Cloud a single time and chooses which workspaces it covers. Any workspace left out stays out of reach for every agent.

Step 2 · Manage

Control access per person and agent

From one dashboard, set what every person and their agents can reach. Change it any time, with no new keys for anyone.

OffNo access
ReadRead-only
Full useRead, plan, and update variables in a single workspace
Example

An infrastructure planning agent.

An infra agent queues plans in staging and can read production, but it can't open the security workspace or apply a run.

staging WorkspaceOffReadFull use
production WorkspaceOffReadFull use
security WorkspaceOffReadFull use

Manage access

ALLOWEDInfra Agent queued a plan in staging
ALLOWEDInfra Agent read a run in production
BLOCKEDInfra Agent tried to open the security workspace, denied by default

Monitor activity

The security model

Top-tier security.

Bollard AI is access control for AI agents. It sits between your agents and Terraform Cloud, so they never hold your Terraform Cloud keys and never reach Terraform Cloud directly.

Everything runs through Bollard AI

Agents send their requests to Bollard AI, not to Terraform Cloud. Bollard AI checks each one against your rules and passes only the allowed requests through.

Denied by default

Every workspace starts off-limits, and applying changes to real infrastructure is held back on top of that. An agent gets in only where you've allowed it, and anything Bollard AI doesn't recognise is refused and held for review, never waved through on a guess.

Your keys stay sealed

Your Terraform Cloud keys are sealed in a vault unique to your company and never shown again. Bollard AI unlocks them only for the instant an allowed request needs it.

Activity you can read

Every attempt is recorded in plain English: who or which agent, what they tried, which workspace or run, and the decision. The record is readable and can't be edited after the fact.

Questions

Terraform Cloud, answered.

Does connecting Terraform Cloud hand Bollard AI all your workspaces?+
Only what's connected. An admin chooses which workspaces Bollard AI covers, and that sets the most any agent could reach. Bollard AI doesn't browse or copy your infrastructure. It sits in front of it and checks every request the agents make, passing or blocking each one.
Can an agent apply changes to our real infrastructure?+
Not unless you turn it on. Applying and cancelling runs, and force-deleting workspaces, are held off by default, so an agent can queue plans and read where you allow without ever changing real infrastructure, until you explicitly allow it.
Can an agent see more than the person who owns it?+
No. An agent reaches only what its owner reaches. An explicit Off always overrides an inherited permission.
Where do our Terraform Cloud keys live?+
Sealed in an encrypted vault, behind a key unique to your company. It's never shown again once connected, and Bollard AI unseals it only for the instant an allowed request needs it.
What happens when an agent tries something it's not allowed to do?+
Bollard AI blocks the request before it reaches Terraform Cloud, and the blocked attempt lands in the activity record with the reason.
How do we connect Terraform Cloud?+
An admin connects the company's Terraform Cloud once. Bollard AI seals the connection and builds the list of workspaces to set rules for. From then on, all management happens in the Bollard AI dashboard.
Early access

Put your team's agents to work in Terraform Cloud, without the risk.

We're onboarding our first development partners now. Tell us about your setup and we'll be in touch.