Terraform Security Best Practices: Protecting Your Infrastructure as Code

 Terraform Security Best Practices: Protecting Your Infrastructure as Code

Your complete guide to securing Terraform configurations, state files, and CI/CD pipelines—from developer workstations to production cloud environments.

📅 Published: Feb 2026
⏱️ Estimated Reading Time: 28 minutes
🏷️ Tags: Terraform Security, Infrastructure as Code, DevSecOps, Secrets Management, Compliance, Cloud Security

---

🛡️ Introduction: Why Security Must Be Built-In, Not Bolted-On

The Infrastructure as Code Security Paradox

Infrastructure as Code makes your infrastructure programmable, repeatable, and versioned. These are precisely the qualities that make it more secure—or catastrophically less secure, depending on how you implement it.

The paradox:

• ✅ You can now review infrastructure changes before they happen

• ✅ You can automatically scan for misconfigurations

• ✅ You can enforce compliance policies programmatically

• ✅ You can version and roll back infrastructure

BUT:

• ❌ Your entire infrastructure configuration is now in plain text files

• ❌ Secrets can be accidentally committed to Git

• ❌ A compromised CI/CD pipeline can destroy everything

• ❌ State files contain all your resource IDs and possibly secrets

Security cannot be an afterthought with IaC. It must be woven into every stage: development, deployment, and operations.

---

The Terraform Security Pyramid

text

          ⚠️  INCIDENT RESPONSE  ⚠️
          ───────────────────────
         🔒  STATE SECURITY  🔒
        ───────────────────────
       🔑  SECRETS MANAGEMENT  🔑
      ───────────────────────
     🛡️  CONFIGURATION SCANNING  🛡️
    ───────────────────────
   👥  ACCESS CONTROLS & CI/CD  👥
  ───────────────────────
 📚  FOUNDATIONS: VERSION CONTROL  📚

Each layer depends on the layers below it. You cannot secure your state files if you haven't secured your secrets. You cannot respond to incidents if you haven't scanned your configurations.

This guide covers all layers, from foundational Git security to advanced incident response.

---

📚 Layer 1: Version Control Security

The Gateway to Your Infrastructure

Your Git repository is the entry point to your entire infrastructure. If it's compromised, everything else is compromised.

---

Rule 1: Never Commit Secrets

This is the most basic, most violated security rule in Terraform.

hcl

# ❌ NEVER DO THIS
variable "db_password" {
  description = "Database password"
  type        = string
  default     = "SuperSecretPassword123!"  # HARDCODED SECRET!
}

resource "aws_db_instance" "main" {
  password = var.db_password  # Secret in state, secret in config
}

What's wrong:

• Secret is visible in the repository to everyone

• Secret is in Git history forever (even if you remove it later)

• Secret is copied to every developer's machine

• Secret is in Terraform state (plain text)

✅ Instead: Use environment variables or secrets manager

hcl

# variables.tf
variable "db_password" {
  description = "Database password"
  type        = string
  sensitive   = true  # Hides from CLI output
  # NO DEFAULT!
}

bash

# Export environment variable (never committed)
export TF_VAR_db_password="$(aws secretsmanager get-secret-value ...)"
terraform apply

---

Rule 2: Scan for Secrets Pre-Commit

Prevent secrets from ever reaching your repository.

.git/hooks/pre-commit:

bash

#!/bin/bash
# Scan for AWS keys, passwords, tokens before commit

echo "🔍 Scanning for secrets..."

SECRET_PATTERNS=(
  'AKIA[0-9A-Z]{16}'                    # AWS Access Key
  '-----BEGIN RSA PRIVATE KEY-----'     # Private key
  '-----BEGIN OPENSSH PRIVATE KEY-----' # SSH key
  'password\s*=\s*.+'                  # Password assignment
  'secret\s*=\s*.+'                   # Secret assignment
  'token\s*=\s*.+'                   # Token assignment
)

for pattern in "${SECRET_PATTERNS[@]}"; do
  if git diff --cached | grep -qE "$pattern"; then
    echo "❌ Potential secret detected matching pattern: $pattern"
    exit 1
  fi
done

echo "✅ No secrets detected"

Better: Use tools like trufflehog, git-secrets, or detect-secrets

bash

# Install git-secrets
brew install git-secrets  # macOS
apt install git-secrets   # Linux

# Set up patterns
git secrets --add 'password\s*=\s*.+'
git secrets --add 'secret\s*=\s*.+'
git secrets --add 'token\s*=\s*.+'
git secrets --add 'AKIA[0-9A-Z]{16}'

# Scan before commit
git secrets --scan

---

Rule 3: .gitignore for Terraform

Every Terraform repository must have a proper .gitignore:

text

# Local .terraform directories
**/.terraform/*

# .tfstate files
*.tfstate
*.tfstate.*

# Crash log files
crash.log
crash.*.log

# Exclude all .tfvars files, which are likely to contain sensitive data
*.tfvars
*.tfvars.json

# Ignore override files as they are usually used to override resources locally
override.tf
override.tf.json
*_override.tf
*_override.tf.json

# Include tfplan files to ignore the plan output of command: terraform plan -out=tfplan
# Example: *tfplan*
*.tfplan

# Ignore CLI configuration files
.terraformrc
terraform.rc

✅ DO commit:

• .terraform.lock.hcl — Provider version pins

• terraform.tfvars.example — Template with fake values

• backend.tf — State backend configuration (without secrets)

❌ DO NOT commit:

• terraform.tfvars — Actual variable values

• *.tfstate — State files

• .terraform/ — Provider binaries

---

🔑 Layer 2: Secrets Management

The Problem with Secrets in Terraform

Terraform state is plain text JSON. Any value you pass to Terraform—even through variables marked sensitive = true—ends up in the state file in plain text.

hcl

variable "api_key" {
  description = "API key for external service"
  type        = string
  sensitive   = true  # Hides from CLI, BUT STILL IN STATE!
}

resource "external_service" "api" {
  api_key = var.api_key  # Secret now in state file
}

Anyone with access to the state file can read all secrets. This includes:

• Developers with access to the state bucket

• CI/CD systems with state access

• Attackers who compromise any of the above

---

Solution 1: AWS Secrets Manager / Parameter Store

Store secrets in AWS, pass ARNs to Terraform, retrieve at apply time.

hcl

# Store secret (one-time operation)
aws secretsmanager create-secret \
  --name /prod/database/password \
  --secret-string "SuperSecretPassword123"

# Terraform configuration
variable "db_password_secret_arn" {
  description = "ARN of secret containing database password"
  type        = string
}

data "aws_secretsmanager_secret" "db_password" {
  arn = var.db_password_secret_arn
}

data "aws_secretsmanager_secret_version" "db_password" {
  secret_id = data.aws_secretsmanager_secret.db_password.id
}

resource "aws_db_instance" "main" {
  password = data.aws_secretsmanager_secret_version.db_password.secret_string
}

Advantages:

• Secret never appears in configuration files

• Secret is retrieved at apply time, not stored in plan files

• Access controlled via IAM

• Audit trail via CloudTrail

• Automatic rotation possible

Disadvantages:

• Requires IAM permissions to read secrets

• Adds API call during apply

• Secret still appears in state (base64 encoded, but not encrypted)

---

Solution 2: Vault Provider

Hashicorp Vault is purpose-built for secrets management.

hcl

# Configure Vault provider
provider "vault" {
  address = "https://vault.example.com:8200"
  
  # Use token from environment variable
  # VAULT_TOKEN=...
}

# Read secret from Vault
data "vault_generic_secret" "database" {
  path = "secret/data/prod/database"
}

resource "aws_db_instance" "main" {
  password = data.vault_generic_secret.database.data["password"]
}

Advantages:

• Centralized secrets management

• Fine-grained access control

• Audit logging

• Secret rotation

• Lease management (dynamic secrets)

Disadvantages:

• Additional infrastructure to manage

• Requires Vault expertise

• Still ends up in Terraform state

---

Solution 3: AWS KMS Encryption + S3 Backend

Encrypt sensitive data before passing to Terraform, decrypt in user_data or at runtime.

hcl

# Encrypt sensitive data with KMS
data "aws_kms_alias" "parameter_store" {
  name = "alias/parameter_store_key"
}

resource "aws_kms_ciphertext" "db_password" {
  key_id = data.aws_kms_alias.parameter_store.target_key_id
  plaintext = var.db_password_plaintext  # Still a problem!
}

# Pass encrypted blob to instance
resource "aws_instance" "app" {
  user_data = <<-EOF
    #!/bin/bash
    DB_PASSWORD=$(aws kms decrypt \
      --ciphertext-blob fileb://<(echo "${aws_kms_ciphertext.db_password.ciphertext_blob}" | base64 -d) \
      --query Plaintext \
      --output text | base64 -d)
    # Use DB_PASSWORD
  EOF
}

This keeps the secret out of state—but at the cost of complexity.

---

Solution 4: External Secrets Operator (Kubernetes)

For Kubernetes workloads, use ESO to sync secrets from external sources.

yaml

apiVersion: external-secrets.io/v1beta1
kind: SecretStore
metadata:
  name: aws-secretsmanager
spec:
  provider:
    aws:
      service: SecretsManager
      region: us-west-2
---
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: database
spec:
  refreshInterval: 1h
  secretStoreRef:
    name: aws-secretsmanager
    kind: SecretStore
  target:
    name: database-credentials
  data:
    - secretKey: password
      remoteRef:
        key: prod/database/password

Now your application reads from a Kubernetes secret, never from Terraform state.

---

Secrets Management Decision Matrix

Approach	State Exposure	Complexity	Infrastructure	Best For
Environment variables	Secret in state	Low	None	Local development, quick scripts
AWS Secrets Manager	Secret in state (base64)	Medium	AWS	AWS-native deployments
Vault	Secret in state	High	Vault cluster	Multi-cloud, centralized secrets
KMS Encryption	Encrypted in state	High	AWS KMS	User_data scripts, avoiding state exposure
External Secrets Operator	Not in Terraform state	Medium	Kubernetes	Kubernetes workloads

No perfect solution exists. Each approach has tradeoffs. The key is to understand the risks and choose the least-bad option for your context.

---

🛡️ Layer 3: Configuration Scanning

Shift Left: Scan Before Apply

Finding security issues in production is expensive and embarrassing. Finding them in pull requests is cheap and safe.

---

Tool 1: Checkov - Comprehensive Policy Scanning

bash

# Install Checkov
pip install checkov

# Scan Terraform configuration
checkov -d .

# Scan with specific framework
checkov -d . --framework terraform

# Output formats
checkov -d . --output junitxml > checkov-report.xml
checkov -d . --output sarif > checkov-report.sarif

Example Checkov policies:

python

# CKV_AWS_18: Ensure S3 bucket has access logging enabled
# CKV_AWS_21: Ensure S3 bucket versioning is enabled
# CKV_AWS_23: Ensure every security group rule has a description
# CKV_AWS_40: Ensure IAM policy does not allow full "*" privileges
# CKV_AWS_53: Ensure S3 bucket has block public ACLs enabled

Pre-commit integration:

yaml

# .pre-commit-config.yaml
repos:
  - repo: https://github.com/bridgecrewio/checkov
    rev: master
    hooks:
      - id: checkov
        args: [-d, .]

---

Tool 2: tfsec - Fast, Focused Scanner

bash

# Install tfsec
brew install tfsec  # macOS
apt install tfsec   # Linux

# Scan directory
tfsec .

# Scan with custom checks
tfsec --config-file tfsec.yaml

# Output formats
tfsec . --format json > tfsec-report.json
tfsec . --format sarif > tfsec-report.sarif

Example violations:

text

aws_instance.example[0] 
  [aws-instance-no-public-ip][HIGH] Instance does not have a public IP address blocked.
  
aws_s3_bucket.data 
  [aws-s3-enable-bucket-logging][MEDIUM] Bucket does not have logging enabled.

Custom policy example (tfsec.yaml):

yaml

checks:
  - code: CUSTOM001
    description: "Require specific tags on all resources"
    required_types: ["resource"]
    required_labels: ["aws_*"]
    severity: HIGH
    match_spec:
      by: tags
      predicate:
        key: Environment
        value: "^(dev|staging|prod)$"

---

Tool 3: Terrascan - Multi-Provider

bash

# Install Terrascan
brew install terrascan

# Scan
terrascan scan -i terraform -d .

# Scan with specific policies
terrascan scan -p ./custom-policies -i terraform -d .

---

CI/CD Integration (GitHub Actions Example)

yaml

name: Terraform Security Scan

on:
  pull_request:
    branches: [ main ]
    paths:
      - '**.tf'
      - '**.tfvars'

jobs:
  security-scan:
    runs-on: ubuntu-latest
    
    steps:
    - uses: actions/checkout@v3
    
    - name: Run tfsec
      uses: aquasecurity/tfsec-action@v1.0.0
      with:
        github_token: ${{ secrets.GITHUB_TOKEN }}
        working_directory: ./
    
    - name: Run Checkov
      id: checkov
      uses: bridgecrewio/checkov-action@master
      with:
        directory: ./
        framework: terraform
        soft_fail: false
        output_format: cli
    
    - name: Upload SARIF to GitHub Code Scanning
      uses: github/codeql-action/upload-sarif@v2
      if: always()
      with:
        sarif_file: results.sarif

---

Critical Security Policies to Enforce

Category	Policy	Checkov ID	tfsec ID	Severity
S3	Block public ACLs	CKV_AWS_53	aws-s3-block-public-acls	CRITICAL
S3	Enable encryption	CKV_AWS_19	aws-s3-enable-bucket-encryption	HIGH
S3	Enable versioning	CKV_AWS_21	aws-s3-enable-versioning	MEDIUM
EC2	No public IP	CKV_AWS_8	aws-ec2-no-public-ip	HIGH
RDS	Enable encryption	CKV_AWS_16	aws-rds-enable-encryption	HIGH
RDS	Enable deletion protection	CKV_AWS_28	aws-rds-deletion-protection	MEDIUM
IAM	No full admin	CKV_AWS_62	aws-iam-no-policy-wildcard	CRITICAL
Security Group	No 0.0.0.0/0 to port 22	CKV_AWS_24	aws-vpc-no-public-egress-sgr	HIGH
Security Group	All rules have description	CKV_AWS_23	aws-security-group-rule-description	LOW
CloudTrail	Enable log validation	CKV_AWS_36	aws-cloudtrail-log-validation	MEDIUM

---

👥 Layer 4: Access Control & CI/CD

The Principle of Least Privilege

Terraform should run with the minimum permissions necessary—never with administrative access.

---

IAM Roles for Terraform Execution

✅ DO create dedicated IAM roles for each component:

hcl

# Terraform execution role for networking component
resource "aws_iam_role" "terraform_networking" {
  name = "terraform-networking-${var.environment}"
  
  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Effect = "Allow"
        Principal = {
          AWS = "arn:aws:iam::${var.account_id}:root"
        }
        Action = "sts:AssumeRole"
        Condition = {
          StringEquals = {
            "sts:ExternalId" = var.terraform_external_id
          }
        }
      }
    ]
  })
}

# Network-specific permissions
resource "aws_iam_role_policy" "networking" {
  name = "networking-permissions"
  role = aws_iam_role.terraform_networking.id
  
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Effect = "Allow"
        Action = [
          "ec2:CreateVpc",
          "ec2:DeleteVpc",
          "ec2:DescribeVpcs",
          "ec2:CreateSubnet",
          "ec2:DeleteSubnet",
          "ec2:DescribeSubnets",
          # ... only what networking needs
        ]
        Resource = "*"
      }
    ]
  })
}

❌ DO NOT use a single, permissive role for everything:

hcl

# ❌ BAD - Too permissive, no separation of duties
resource "aws_iam_role" "terraform_full_admin" {
  name = "terraform-admin"
  
  assume_role_policy = jsonencode({
    Statement = [
      {
        Effect = "Allow"
        Action = "sts:AssumeRole"
        Principal = {
          AWS = "*"  # ❌ ANYONE can assume this?!
        }
      }
    ]
  })
}

resource "aws_iam_role_policy_attachment" "admin" {
  role       = aws_iam_role.terraform_full_admin.name
  policy_arn = "arn:aws:iam::aws:policy/AdministratorAccess"  # ❌ FAR too permissive
}

---

Service Control Policies (SCP) for Guardrails

In AWS Organizations, use SCPs to enforce security baselines:

json

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyPublicS3Buckets",
      "Effect": "Deny",
      "Action": [
        "s3:CreateBucket",
        "s3:PutBucketAcl",
        "s3:PutBucketPolicy"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "s3:x-amz-acl": "public-read",
          "s3:x-amz-acl": "public-read-write"
        }
      }
    },
    {
      "Sid": "DenyLeavingOrganization",
      "Effect": "Deny",
      "Action": [
        "organizations:LeaveOrganization"
      ],
      "Resource": "*"
    }
  ]
}

SCPs apply to ALL principals in the account—including Terraform roles.

---

CI/CD Pipeline Security

The CI/CD system is a prime attack vector. Secure it aggressively.

GitHub Actions Example:

yaml

name: Terraform Apply

on:
  push:
    branches: [ main ]

permissions:  # ✅ Explicit permissions
  contents: read
  id-token: write
  pull-requests: write

jobs:
  terraform:
    runs-on: ubuntu-latest
    
    # ✅ Use OIDC instead of long-lived secrets
    permissions:
      id-token: write
      contents: read
    
    steps:
    - uses: actions/checkout@v3
    
    - name: Configure AWS credentials
      uses: aws-actions/configure-aws-credentials@v2
      with:
        role-to-assume: arn:aws:iam::123456789012:role/terraform-github-actions
        aws-region: us-west-2
    
    - name: Terraform Init
      run: terraform init
    
    - name: Terraform Plan
      run: terraform plan -no-color
    
    - name: Terraform Apply
      if: github.ref == 'refs/heads/main'
      run: terraform apply -auto-approve

Key security practices:

1. ✅ Use OIDC instead of long-lived access keys

2. ✅ Set explicit permissions (least privilege)

3. ✅ Require manual approval for production applies

4. ✅ Scan for secrets in CI logs

5. ✅ Pin action versions by commit SHA, not tags

6. ✅ Never store secrets in workflow files

---

🔒 Layer 5: State Security

Why State Is Sensitive

Terraform state is a complete inventory of your infrastructure. It contains:

• Resource IDs, ARNs, and configuration

• Possibly secrets (even if you tried to avoid them)

• Network topology information

• IAM role names and policies

• Database endpoints and names

Protect your state files like you protect your production data. Because it IS your production data.

---

Secure Remote State Configuration

✅ DO: Encrypt everything, restrict access, enable versioning

hcl

terraform {
  backend "s3" {
    bucket         = "company-terraform-state-prod"
    key            = "networking/terraform.tfstate"
    region         = "us-west-2"
    
    # ✅ REQUIRED: Encryption at rest
    encrypt        = true
    kms_key_id     = "arn:aws:kms:us-west-2:123456789012:key/terraform-state-key"
    
    # ✅ REQUIRED: State locking
    dynamodb_table = "terraform-state-locks"
    
    # ✅ REQUIRED: Versioning for rollback
    # (Enable on S3 bucket, not in backend config)
    
    # ✅ RECOMMENDED: Access logging
    # (Enable on S3 bucket)
    
    # ✅ RECOMMENDED: Block public access
    # (Enable on S3 bucket)
  }
}

❌ NEVER:

hcl

terraform {
  backend "s3" {
    bucket = "my-tf-state"  # ❌ No encryption?
    key    = "state"        # ❌ No environment/component separation
    region = "us-west-2"
    # No dynamodb_table ❌ No state locking
  }
}

---

S3 Bucket Policy for State Access

hcl

resource "aws_s3_bucket_policy" "terraform_state" {
  bucket = aws_s3_bucket.terraform_state.id
  
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Sid    = "EnforceTLS"
        Effect = "Deny"
        Principal = "*"
        Action = "s3:*"
        Resource = [
          aws_s3_bucket.terraform_state.arn,
          "${aws_s3_bucket.terraform_state.arn}/*"
        ]
        Condition = {
          Bool = {
            "aws:SecureTransport" = "false"
          }
        }
      },
      {
        Sid    = "DenyNonKMSWrites"
        Effect = "Deny"
        Principal = "*"
        Action = "s3:PutObject"
        Resource = "${aws_s3_bucket.terraform_state.arn}/*"
        Condition = {
          StringNotEquals = {
            "s3:x-amz-server-side-encryption": "aws:kms"
          }
        }
      }
    ]
  })
}

---

DynamoDB Table for State Locking

hcl

resource "aws_dynamodb_table" "terraform_locks" {
  name         = "terraform-state-locks"
  billing_mode = "PAY_PER_REQUEST"
  hash_key     = "LockID"
  
  attribute {
    name = "LockID"
    type = "S"
  }
  
  # ✅ Point-in-time recovery for accident recovery
  point_in_time_recovery {
    enabled = true
  }
  
  # ✅ Encryption at rest
  server_side_encryption {
    enabled = true
  }
}

---

State Access Auditing

Enable CloudTrail to monitor state access:

bash

# Monitor state file access
aws cloudtrail lookup-events \
  --lookup-attributes AttributeKey=ResourceName,AttributeValue=terraform.tfstate \
  --start-time $(date -v-7d +%Y%m%d) \
  --end-time $(date +%Y%m%d)

# Monitor DynamoDB lock table access
aws cloudtrail lookup-events \
  --lookup-attributes AttributeKey=ResourceName,AttributeValue=terraform-state-locks

Set up CloudWatch alarms:

hcl

resource "aws_cloudwatch_metric_alarm" "state_access" {
  alarm_name          = "terraform-state-access"
  comparison_operator = "GreaterThanThreshold"
  evaluation_periods  = "1"
  metric_name         = "BucketAccessEvents"
  namespace           = "AWS/CloudTrail"
  period              = "300"
  statistic           = "Sum"
  threshold           = "0"
  alarm_description   = "Terraform state accessed outside normal hours"
  
  alarm_actions = [var.sns_topic_arn]
}

---

🚨 Layer 6: Incident Response

When Terraform Security Fails

Assume compromise will happen. Plan for it.

---

Scenario 1: Secret Committed to Git

You accidentally committed a file containing AWS credentials. It's now in the repository history.

Immediate actions:

bash

# 1. ROTATE THE SECRET IMMEDIATELY
# Delete the IAM access key
# Rotate the database password
# Revoke the API token

# 2. Remove secret from Git history (LAST RESORT - disrupts all collaborators)
git filter-branch --force --index-filter \
  "git rm --cached --ignore-unmatch terraform.tfvars" \
  --prune-empty --tag-name-filter cat -- --all

# Better: Use BFG Repo-Cleaner
java -jar bfg.jar --delete-files terraform.tfvars

# 3. Force push (requires team coordination!)
git push --force --all
git push --force --tags

# 4. Rotate any other secrets that might be related

Prevention:

• ✅ Pre-commit hooks

• ✅ Secret scanning in CI

• ✅ Use git secrets or trufflehog

• ✅ Never store secrets in code, ever

---

Scenario 2: State File Exposed Publicly

Your S3 bucket was misconfigured, and your state file was publicly readable.

Immediate actions:

bash

# 1. LOCK THE STATE IMMEDIATELY
# Remove public access policies
# Block all public access
# Rotate bucket keys

# 2. ASSUME COMPROMISE
# Every secret in that state file is now public
# Rotate ALL secrets in the state file
# Rotate ALL IAM credentials
# Regenerate ALL API keys

# 3. AUDIT ACCESS
aws cloudtrail lookup-events \
  --lookup-attributes AttributeKey=ResourceName,AttributeValue=terraform.tfstate \
  --start-time $(date -v-30d +%Y%m%d)

# 4. NOTIFY
# Security team
# Legal/Compliance
# Affected stakeholders

Prevention:

• ✅ Block public access by default

• ✅ Enable CloudTrail logging

• ✅ Regular policy validation

• ✅ SCP to prevent public buckets

---

Scenario 3: CI/CD Pipeline Compromised

An attacker gained access to your GitHub Actions workflow and modified your Terraform code.

Immediate actions:

bash

# 1. STOP THE PIPELINE
# Disable all GitHub Actions workflows
# Revoke all GitHub tokens
# Remove AWS role assumption from workflows

# 2. AUDIT ALL CHANGES
# Review all commits in the last 7 days
# Review all workflow runs
# Check for unauthorized `terraform apply`

# 3. REVERT
# Roll back infrastructure to last known good state
# Restore state from versioned backup
# Redeploy clean infrastructure

Prevention:

• ✅ Use OIDC instead of static credentials

• ✅ Require manual approval for production

• ✅ Pin action versions

• ✅ Separate build and deploy stages

• ✅ Environment-specific workflows

---

📋 Terraform Security Checklist

Development Environment

• Git pre-commit hooks scan for secrets

• IDE plugins (tfsec, Checkov) provide real-time feedback

• No secrets in .tfvars files committed

• .gitignore properly configured

• Terraform version pinned in required_version

Configuration

• All variables have sensitive = true where appropriate

• No hardcoded secrets in any .tf files

• Secrets fetched from external source (Secrets Manager, Vault)

• Provider versions pinned in required_providers

• .terraform.lock.hcl committed to version control

• State backend configured with encryption and locking

Policy as Code

• Checkov/tfsec run locally before commit

• Security scanning integrated into CI pipeline

• Custom policies for organization-specific requirements

• Compliance scanning for SOC2, PCI-DSS, HIPAA

• SARIF reports uploaded to GitHub Code Scanning

Access Control

• Dedicated IAM roles per component/environment

• No use of root credentials anywhere

• OIDC used instead of long-lived access keys

• AssumeRole with ExternalId for cross-account access

• SCPs enforce security baselines

• State bucket access restricted via IAM and bucket policies

State Security

• S3 backend with encryption enabled

• DynamoDB table for state locking

• S3 versioning enabled on state bucket

• State bucket access logging enabled

• CloudTrail monitoring for state access

• Regular backups of state files

CI/CD

• No secrets stored in CI/CD variables

• OIDC used for cloud provider authentication

• Manual approval required for production

• Plan output reviewed before apply

• Failed applies generate alerts

• Pipeline actions pinned by commit SHA

Incident Response

• Documented procedure for secret rotation

• State recovery drill performed quarterly

• Access to state bucket logged and monitored

• Incident response plan for infrastructure compromise

---

🎓 Summary: Security Is a Journey, Not a Destination

Terraform security is not a one-time configuration—it's a continuous process.

Phase	Focus	Tools	Cadence
Develop	Prevent secrets, validate config	pre-commit, IDE plugins	Every commit
Build	Scan for misconfigurations	tfsec, Checkov, Terrascan	Every PR
Deploy	Least privilege, audit	OIDC, IAM roles, CloudTrail	Every apply
Operate	Monitor state access, rotate secrets	CloudWatch, Secrets Manager	Continuous
Recover	Incident response drills	Versioning, backups	Quarterly

The most important security control is not a tool—it's culture.

• ✅ Security reviews are part of every PR, not an afterthought

• ✅ Developers understand why secrets must never be committed

• ✅ Operations teams have clear incident response procedures

• ✅ Everyone assumes they will make mistakes and builds safety nets

---

🔗 Master Terraform Security with Hands-on Labs

Theory is essential, but security skills are built through practice—and failure—in safe environments.

👉 Practice Terraform security hardening, secret management, and incident response in our interactive labs at:
https://devops.trainwithsky.com/

Our platform provides:

• Secret scanning and remediation exercises

• State file hardening challenges

• IAM role design workshops

• Compliance policy implementation

• Incident response simulations

• Multi-account security architectures

---

Frequently Asked Questions

Q: Can I ever completely prevent secrets from appearing in state?

A: Not with pure Terraform. Any value you pass to a resource will be stored in state. The best you can do is:

1. Use external data sources that retrieve secrets at apply time

2. Accept that state contains references (ARNs, IDs) but not the actual secrets

3. Encrypt state at rest and restrict access severely

Q: Is it safe to store secrets in environment variables?

A: Environment variables are more secure than hardcoded values, but they still appear in state. They're also visible in /proc to other processes on the same machine. For production, use a dedicated secrets manager.

Q: How often should I rotate Terraform state access keys?

A: If you're using IAM users with long-lived keys, rotate them every 30-90 days. Better: don't use long-lived keys at all—use OIDC for CI/CD and IAM roles for local development.

Q: Should I encrypt sensitive data in Terraform state?

A: Yes, always enable encryption at rest on your state backend. This protects state files if the underlying storage is compromised. It does not protect secrets in state from users who have legitimate access to read the state file.

Q: What's the most common Terraform security mistake?

A: Committing terraform.tfvars with real secrets to version control. It happens to everyone, at least once. The solution is pre-commit hooks, secret scanning, and assuming it will happen again so you have a rotation plan.

Q: How do I audit who changed what in Terraform?

A:

• State changes: Enable CloudTrail on your state bucket

• Configuration changes: Git history

• Resource changes: CloudTrail on resource APIs

• Terraform applies: CI/CD logs

Q: Can I use Terraform to manage security tools?

A: Yes! This is called "security as code" or "DevSecOps":

• Configure AWS Config rules with Terraform

• Deploy GuardDuty, Security Hub, Inspector

• Set up CloudTrail and organization trails

• Enable VPC Flow Logs

• Configure AWS WAF, Shield Advanced

---

Have you experienced a Terraform security incident? Successfully recovered? Still confused about secret management? Share your story or question in the comments below—real experiences help everyone learn! 💬