IaCM Security
Harness IaCM integrates security measures to safeguard your infrastructure state. It uses the Harness Platform’s authentication, RBAC, resource groups, pipelines, Audit Trail, connectors, secrets, and licensing, consistent with the practices summarized on Harness Trust & Security. For Infrastructure as Code Management (IaCM), Harness provides the following:
- Data encryption in transit using TLS 1.3.
- Data encryption at rest with AES 256.
- Regular security testing and vulnerability scanning.
- Logical and physical data segmentation.
Addressing common security concerns
Harness protects customer infrastructure and data through access controls, encryption (TLS 1.3 in transit and AES-256 at rest where applicable), and separation of customer data. You can integrate your identity provider, constrain access with RBAC, and use IP allowlisting and delegate networking so outbound and inbound patterns match your enterprise standards. For broader connectivity options (including private access patterns), see Private network connectivity.
During planning and execution, Harness can enforce policy on infrastructure changes (for example via Open Policy Agent (OPA) and plan and cost policies) and maintain copies of plan and state for visibility and controls as described below.
For cost estimation, Harness can use Infracost when the feature is enabled on the workspace; supported behavior and licensing follow that topic and What’s supported in IaCM.
Drift detection and IaC security scanning (STO) are complementary capabilities for ongoing posture and code review — they extend the core plan/apply flow rather than replacing it.
Platform AI and automation features evolve on their own roadmap; they use the same RBAC and pipeline audit patterns as other Harness execution. For current IaCM-specific integrations (for example MCP), see What’s supported in IaCM.
Security components
The operational model is composed of three components:
- Manage state storage
- Secure pipeline execution
- Cloud-based security measures
Manage state storage
All executed commands follow the backend you define, which dictates where your infrastructure state is stored and governs OpenTofu or Terraform operations such as apply and destroy.
If no plan file is specified, IaCM implicitly defaults to its own backend.
Secure pipeline execution
IaCM runs OpenTofu or Terraform commands within a pipeline environment, handling setup, variable and secret resolution, execution preparation, and data handling according to Harness Platform security protocols.
- Workspace and configuration setup: Harness IaCM retrieves the workspace configuration and associated files, including dependent IaC modules specified in your settings.
- Variable and secret integration: Variables and secrets defined in the workspace (and via connectors and secret managers) are collected and resolved before execution.
- Execution preparation: Configuration files and dependent modules are brought into the pipeline execution environment. Secrets are available only as needed for your IaC operations.
- Data management: Read-only copies of artifacts such as plan and state files are made available to Harness Cloud so IaCM features (history, UI, policy, and cost steps where enabled) can operate.
IaCM runs OpenTofu/Terraform commands in the pipeline execution environment. When you use an external remote backend, IaCM accesses it with the credentials supplied for that run (for example connector or workspace configuration).
Cloud-based security measures
Harness Cloud maintains summary data for workspaces and executions in a secure data store. State and plan files for IaCM are stored in Google Cloud Storage (GCS) with per-customer separation (for example one bucket per customer account) and are accessed over secure channels for product features that depend on them.
Network egress and allowlisting
IaCM execution typically runs on infrastructure you control (for example a Kubernetes delegate). Plan your network so that:
- Delegates meet delegate network requirements (outbound to Harness Manager, and paths to your Git providers, cloud APIs, and remote state endpoints as configured).
- Any IP allowlisting or private connectivity policies you use align with how those delegates reach Harness and your internal systems.
Contact Harness Support for region- and product-specific allowlist guidance if you are locking down egress or ingress.
Audit trail, retention, and export
Harness Audit Trail records many configuration and lifecycle actions (who did what, when, and on which resource). The UI supports filtered views and date ranges; audit data is retained up to two years in Harness. To keep logs longer or feed a SIEM, use audit log streaming.
Pipeline execution events are optional: enable Pipeline Execution Audit Events at account scope if you need start/end and stage events in the audit trail (see the Audit Trail overview). IaCM workspace and module changes appear under the Infrastructure as Code Manager category in audit documentation.
Operational model
In infrastructure management, security depends on controlling who can change state, what runs in the pipeline, and how plans and policies are evaluated before apply.
The diagram below illustrates the high-level operational security flow. Harness continues to add capabilities (additional scanners, drift workflows, policies, and integrations); treat this as the core plan/apply path — refer to Get started with IaCM and What’s supported for the latest feature set.
- Run the plan command: The plan runs in your pipeline environment and compares proposed changes with state from your configured backend.
- Cost estimation and policy checks: When enabled, plan output can be used for cost estimation (Infracost-based) and evaluated against OPA policies and plan and cost policies on the plan entity.
- Plan storage: A copy of the plan can be stored in Harness Cloud for pipeline history and tracking.
- Confirm apply/destroy parameters: Before mutating infrastructure, IaCM validates the proposed operation against the expected backend state.
- Apply/destroy execution: After checks pass, changes run in the pipeline environment; policies and approvals you configure still apply.
- State storage and historical tracking: State is maintained per your backend; Harness also retains copies as described in Cloud-based security measures for product features.
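The policy-check step above is where a plan is inspected before anything is applied. The following is an added example, not Harness code and not an OPA policy: it is a small Python gate that evaluates a Terraform/OpenTofu plan rendered as JSON (the `terraform show -json` / `tofu show -json` layout, with `resource_changes` and `change.actions`) and refuses the apply when a protected resource would be destroyed or replaced, or when a resource would be left without required tags. The plan document, the protected resource types and the required tags are constructed for illustration; how Harness maps the plan entity into its own policy input is not shown here and is not assumed.

```python
"""Pre-apply policy gate over a Terraform/OpenTofu plan in JSON form.

Added example (not Harness or OPA code). The plan layout follows the
`terraform show -json` format; the rules and sample plan are constructed.
"""
import json
import sys

# Constructed sample plan: a create, an in-place update, a replacement
# (delete + create) of a database, and a resource created without tags.
SAMPLE_PLAN_JSON = json.dumps({
    "format_version": "1.2",
    "resource_changes": [
        {"address": "aws_s3_bucket.logs", "type": "aws_s3_bucket",
         "change": {"actions": ["create"],
                    "after": {"tags": {"owner": "platform", "env": "prod"}}}},
        {"address": "aws_instance.web", "type": "aws_instance",
         "change": {"actions": ["update"],
                    "after": {"tags": {"owner": "web"}}}},
        {"address": "aws_db_instance.main", "type": "aws_db_instance",
         "change": {"actions": ["delete", "create"],
                    "after": {"tags": {"owner": "data", "env": "prod"}}}},
        {"address": "aws_security_group.open", "type": "aws_security_group",
         "change": {"actions": ["create"], "after": {"tags": {}}}},
    ],
})

# Constructed policy inputs: tags every surviving resource must carry, and
# stateful resource types whose destruction or replacement is refused.
REQUIRED_TAGS = ("owner", "env")
PROTECTED_TYPES = {"aws_db_instance", "aws_s3_bucket"}


def classify(actions):
    """Map a plan's action list onto create/update/delete/replace/no-op."""
    acts = set(actions)
    if "delete" in acts and "create" in acts:
        return "replace"
    for name in ("delete", "create", "update"):
        if name in acts:
            return name
    return "no-op"


def summarize_actions(plan_json):
    """Count resource changes per kind; a quick signal for approvers."""
    counts = {"create": 0, "update": 0, "delete": 0, "replace": 0}
    for rc in json.loads(plan_json).get("resource_changes", []):
        kind = classify(rc["change"]["actions"])
        if kind in counts:
            counts[kind] += 1
    return counts


def evaluate_plan(plan_json):
    """Return policy violations as strings; an empty list permits apply."""
    violations = []
    for rc in json.loads(plan_json).get("resource_changes", []):
        address, kind = rc["address"], classify(rc["change"]["actions"])
        if kind in ("delete", "replace") and rc["type"] in PROTECTED_TYPES:
            verb = "replaced" if kind == "replace" else "destroyed"
            violations.append(f"{address}: protected resource would be {verb}")
        if kind in ("delete", "no-op"):
            continue  # nothing new exists after these; tag rules do not apply
        # "after" is None in a plan when values are unknown until apply.
        tags = (rc["change"].get("after") or {}).get("tags") or {}
        missing = [t for t in REQUIRED_TAGS if t not in tags]
        if missing:
            violations.append(f"{address}: missing required tags {missing}")
    return violations


if __name__ == "__main__":
    # Usage: python plan_gate.py [plan.json]; falls back to the sample plan.
    source = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_PLAN_JSON
    print("changes:", summarize_actions(source))
    problems = evaluate_plan(source)
    for line in problems:
        print("DENY", line)
    sys.exit(1 if problems else 0)
```

Run against the embedded sample the gate denies the apply on three findings: the database replacement, the web instance missing `env`, and the security group missing both tags. A non-zero exit is the signal a pipeline stage would use to stop before the apply step, which is the same position in the flow that the OPA and plan policy checks occupy.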