Enforcing CODEOWNERS Approval
Terrateam integrates with CODEOWNERS to ensure that infrastructure changes are reviewed and approved by the appropriate teams or individuals before being applied. This is particularly important for maintaining governance and compliance in large organizations where different teams own different parts of the infrastructure.
Configuring CODEOWNERS Enforcement
To enforce CODEOWNERS approval in Terrateam, use the require_completed_reviews option in your apply requirements configuration. This ensures that all required CODEOWNERS have approved the pull request before Terraform changes can be applied.
Basic Configuration
Here’s a basic example that enforces CODEOWNERS approval for all infrastructure changes:

```yaml
apply_requirements:
  checks:
    - tag_query: ''
      approved:
        enabled: true
        require_completed_reviews: true
```

With this configuration:
- Terrateam will check that all CODEOWNERS have approved the pull request
- If any required CODEOWNERS review is pending or has requested changes, the apply will be blocked
- The apply can only proceed once all CODEOWNERS have approved
Environment-Specific CODEOWNERS Enforcement
You can use tag queries to enforce CODEOWNERS approval only for specific environments:

```yaml
apply_requirements:
  checks:
    - tag_query: 'production'
      approved:
        enabled: true
        require_completed_reviews: true
    - tag_query: 'staging'
      approved:
        enabled: true
        require_completed_reviews: false
    - tag_query: 'development'
      approved:
        enabled: false
```

This configuration:
- Enforces CODEOWNERS approval for production environments
- Allows applies in staging without completed CODEOWNERS reviews
- Allows applies in development without any approval requirements
How It Works
When require_completed_reviews: true is configured:
1. A developer opens a pull request with Terraform changes
2. Your VCS automatically requests reviews from CODEOWNERS based on the files changed
3. When someone runs terrateam apply, Terrateam checks:
   - Whether approval is required based on your configuration
   - Whether all CODEOWNERS have approved the pull request
   - Whether any required reviews are still pending or have requested changes
4. If all CODEOWNERS have approved, the apply proceeds
5. If any CODEOWNERS review is incomplete or has requested changes, Terrateam blocks the apply with a message indicating which reviews are still needed
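The decision procedure above, written out as a small Python model so the difference between the production, staging and development checks can be exercised against concrete review states. This is an added example, not Terrateam's own code, and it simplifies several things that are assumptions here: a tag_query is treated as either '' (matches everything) or a single tag name rather than Terrateam's full tag query language, the first matching check wins, approved.enabled is taken to require at least one approving review, and require_completed_reviews is taken to additionally require that every review the VCS requested from CODEOWNERS has ended in an approval. The configuration and reviewer names are constructed for the example.

```python
"""Model of the CODEOWNERS approval gate described above.

Added example, not Terrateam code. Assumptions (not from the docs):
tag_query is '' or one tag name; first matching check wins;
approved.enabled needs at least one approval; require_completed_reviews
needs every requested CODEOWNERS review to be an approval.
"""
from dataclasses import dataclass

APPROVED = "APPROVED"
CHANGES_REQUESTED = "CHANGES_REQUESTED"
PENDING = "PENDING"  # review requested but not yet submitted

# Constructed config mirroring the environment-specific example above.
CONFIG = {
    "apply_requirements": {
        "checks": [
            {"tag_query": "production",
             "approved": {"enabled": True, "require_completed_reviews": True}},
            {"tag_query": "staging",
             "approved": {"enabled": True, "require_completed_reviews": False}},
            {"tag_query": "development",
             "approved": {"enabled": False}},
        ]
    }
}


@dataclass(frozen=True)
class Review:
    reviewer: str  # CODEOWNERS entry the VCS requested a review from
    state: str     # one of APPROVED, CHANGES_REQUESTED, PENDING


def select_check(checks, tags):
    """Return the first check whose tag_query matches one of the workspace tags."""
    for check in checks:
        query = check.get("tag_query", "")
        if query == "" or query in tags:
            return check
    return None


def evaluate_apply(config, tags, reviews):
    """Decide whether `terrateam apply` may proceed.

    Returns (allowed, reasons); reasons lists the reviews still needed,
    which is what a blocking message would report to the developer.
    """
    check = select_check(config["apply_requirements"]["checks"], tags)
    if check is None or not check.get("approved", {}).get("enabled", False):
        return True, []  # no approval requirement applies to this workspace
    reasons = []
    if not any(r.state == APPROVED for r in reviews):
        reasons.append("no approving review on the pull request")
    if check["approved"].get("require_completed_reviews", False):
        for r in reviews:
            if r.state == PENDING:
                reasons.append(f"review from {r.reviewer} is still pending")
            elif r.state == CHANGES_REQUESTED:
                reasons.append(f"{r.reviewer} requested changes")
    return not reasons, reasons


# Constructed review state: one owner approved, one has not responded yet.
SAMPLE_REVIEWS = [
    Review("@example-org/platform", APPROVED),
    Review("@example-org/security", PENDING),
]

if __name__ == "__main__":
    for env in ("production", "staging", "development"):
        allowed, reasons = evaluate_apply(CONFIG, {env}, SAMPLE_REVIEWS)
        print(env, "apply allowed" if allowed else "blocked: " + "; ".join(reasons))
```

With the sample reviews, production is blocked because the security owners' review is still pending, staging proceeds because one approval satisfies it, and development proceeds with no approval at all; the same pending review is the thing require_completed_reviews is there to catch.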