
Terraform Security

Secure state management, secrets handling, and policy enforcement

Details

Language / Topic: Terraform
Category: Security

Rules

- Never store secrets in Terraform state or variable defaults — use vault references or data sources
- Enable encryption at rest and versioning on the S3 state backend bucket; block public access
- Use DynamoDB state locking to prevent concurrent modifications that could corrupt state
- Mark sensitive variables and outputs with sensitive = true to prevent values appearing in logs
- Run tfsec or checkov in CI to catch security misconfigurations before applying
- Never store secrets in .tf files or tfvars — reference secrets from Vault, SSM, or Secrets Manager via data sources
- State backend security: S3 bucket with encryption (AES-256 or KMS), versioning, block all public access, access logging
- Use DynamoDB table for state locking with encryption; restrict access to the lock table via IAM
- Mark variables and outputs as sensitive = true; Terraform redacts these from CLI output and logs
- Run security scanners in CI: tfsec, checkov, or Snyk IaC to catch misconfigurations before plan/apply
- Restrict who can run terraform apply: use CI/CD pipelines with approval gates, not developer laptops
- Use separate state files per environment — a compromised dev state shouldn't expose production secrets
- Review terraform plan output carefully: look for resource replacements that could cause downtime
- Use provider assume_role to limit Terraform's AWS permissions per workspace/environment
- Enable AWS Config rules to detect drift from Terraform-managed desired state
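The rules above on backend hardening, sensitive values, data-source secrets and assume_role, combined in one root module as an added example (not code from the original page); the bucket, lock table, KMS alias, role ARN and secret name are placeholders, and the state bucket itself (versioning, SSE, public-access block, access logging) is assumed to be created by a separate bootstrap configuration.

```hcl
# Added example. All names and ARNs below are placeholders; the state
# bucket and lock table are assumed to exist with versioning, SSE,
# public-access block and restricted IAM from a bootstrap config.
terraform {
  required_version = ">= 1.5"
  backend "s3" {
    bucket         = "example-tfstate-bucket"         # placeholder
    key            = "prod/network/terraform.tfstate" # one state file per environment
    region         = "us-east-1"
    encrypt        = true                             # SSE on the state object
    kms_key_id     = "alias/terraform-state"          # placeholder KMS alias
    dynamodb_table = "example-tfstate-lock"           # placeholder lock table
  }
}

# Scope Terraform's AWS permissions per environment via an assumed role.
provider "aws" {
  region = "us-east-1"
  assume_role {
    role_arn     = "arn:aws:iam::123456789012:role/terraform-prod" # placeholder
    session_name = "terraform-prod"
  }
}

# Sensitive input with no default: supply it via TF_VAR_db_admin_user
# from the pipeline's secret store, never from a committed tfvars file.
variable "db_admin_user" {
  type      = string
  sensitive = true
}

# Secret read at plan time from Secrets Manager instead of living in .tf/tfvars.
data "aws_secretsmanager_secret_version" "db_password" {
  secret_id = "prod/db/admin-password" # placeholder secret name
}

resource "aws_db_instance" "main" {
  identifier        = "prod-main"
  engine            = "postgres"
  instance_class    = "db.t3.medium"
  allocated_storage = 20
  storage_encrypted = true
  username          = var.db_admin_user
  password          = data.aws_secretsmanager_secret_version.db_password.secret_string
}

# Marked sensitive so the endpoint is redacted from CLI output and CI logs.
output "db_endpoint" {
  value     = aws_db_instance.main.endpoint
  sensitive = true
}
```

Note that the data-source value and the password argument are still written to the state file even though they never appear in source, which is why the encrypted backend and restricted IAM on the bucket and lock table matter.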