Terraform makes infrastructure automation easy, but if you’re not careful, it can also open the door to security risks—misconfigured permissions, exposed secrets, and unintended data leaks.
Let’s talk about how to secure your Terraform deployments so you don’t end up as the next cloud security horror story. In this post, we’ll cover:
- Keeping secrets safe (no hardcoded passwords!)
- Enforcing least privilege access
- Securing your Terraform state
- Using security tools to catch vulnerabilities
Let’s lock it down!
1. Never, Ever Hardcode Secrets
One of the biggest Terraform mistakes? Hardcoding API keys, passwords, or credentials directly in your .tf files`.
Imagine this:
resource "aws_instance" "web" {
ami = "ami-123456"
instance_type = "t2.micro"
user_data = "export DB_PASSWORD='supersecret123'"
}
Oops. Now, anyone with access to this file (or its Git history) has your database password.
How to Store Secrets Securely
Use environment variables:
export TF_VAR_db_password="supersecret123"
Use Terraform Vault, AWS Secrets Manager, or Azure Key Vault:
data "azurerm_key_vault_secret" "db_password" {
name = "db-password"
key_vault_id = azurerm_key_vault.example.id
}
Use sensitive = true in Terraform outputs to hide secrets in logs:
output "db_password" {
value = azurerm_key_vault_secret.db_password.value
sensitive = true
}
Pro Tip: Add *.tfstate and terraform.tfvars to your .gitignore file to avoid committing secrets by accident!
2. Secure Your Terraform State
Terraform state files contain sensitive data, including resource IDs, credentials, and network configurations. If an attacker gets access to your terraform.tfstate file, they own your infrastructure.
Best Practices for Securing Terraform State
- Use remote state storage (Azure Blob Storage, AWS S3) instead of local files.
- Enable encryption for state files.
- Use state locking to prevent multiple users from overwriting changes.
Example: Secure State Storage in Azure Blob Storage
terraform {
backend "azurerm" {
resource_group_name = "myResourceGroup"
storage_account_name = "mystorageaccount"
container_name = "tfstate"
key = "terraform.tfstate"
}
}
Pro Tip: If you’re using Terraform Cloud, enable state access control to restrict who can view and edit state files.
3. Enforce Least Privilege Access
Terraform needs access to cloud resources, but it shouldn’t have god-mode permissions. Following the principle of least privilege (PoLP) ensures Terraform only has access to what it absolutely needs.
Best Practices for Least Privilege Access
- Use IAM roles & service accounts instead of personal credentials.
- Limit scope (avoid giving Terraform full admin rights).
- Rotate access keys regularly.
Example: Least Privilege Role in Azure
resource "azurerm_role_assignment" "terraform_role" {
scope = azurerm_resource_group.example.id
role_definition_name = "Contributor"
principal_id = azuread_service_principal.example.id
}
Pro Tip: Avoid using root/admin accounts for Terraform deployments—create a dedicated Terraform service principal instead!
4. Use Security Scanners to Catch Misconfigurations
Even the best Terraform developers make mistakes. That’s why you should automate security checks with tools like:
- Tfsec – Scans Terraform code for security vulnerabilities.
- Checkov – Policy-as-code tool that enforces security rules.
- Terraform Cloud Sentinel – Enforces security policies before applying changes.
Example: Run tfsec to Scan for Security Risks
tfsec .
Output:
WARNING: Hardcoded credentials found in main.tf
Pro Tip: Add security scanning to your CI/CD pipeline to catch security issues before deployment!
5. Implement Role-Based Access Control (RBAC)
If multiple team members are using Terraform, you don’t want everyone making changes. RBAC lets you control who can apply, plan, or modify Terraform configurations.
Best Practices for Terraform RBAC
- Developers: Can run
terraform plan, but not apply changes. - Admins: Can approve and apply infrastructure changes.
- Security Teams: Can audit and review configurations.
Example: Enforcing RBAC in Terraform Cloud
Terraform Cloud lets you set role-based permissions per team:
- Dev Team: "Plan Only" - Ops Team: "Apply and Manage Workspaces" - Security Team: "Read-Only Access"
Pro Tip: Always enable audit logs to track who made changes in Terraform Cloud.
6. Use Multi-Factor Authentication (MFA) for Cloud Access
Terraform deployments require API keys and cloud credentials. If those get compromised, attackers can take control of your infrastructure.
How to Protect Cloud Credentials
- Enable MFA for AWS, Azure, and GCP accounts.
- Rotate API keys every 90 days.
- Use short-lived access tokens instead of long-lived keys.
Example: AWS Session-Based Authentication with MFA
aws configure set aws_session_token $(aws sts get-session-token --serial-number arn:aws:iam::123456789012:mfa/user --token-code 123456)
Pro Tip: Store secrets in HashiCorp Vault instead of environment variables.
7. Secure Network Configurations
Terraform provisions cloud networking resources, but if you’re not careful, you could accidentally expose databases, VMs, or Kubernetes clusters to the public internet.
Best Practices for Secure Network Configurations
- Use private subnets instead of public subnets for sensitive resources.
- Restrict inbound/outbound traffic with security groups.
- Limit access to Terraform servers (only trusted IPs).
Example: Lock Down an Azure VM with a Security Group
resource "azurerm_network_security_group" "example" {
name = "nsg-example"
resource_group_name = "myResourceGroup"
location = "East US"
security_rule {
name = "allow-ssh"
priority = 100
direction = "Inbound"
access = "Allow"
protocol = "Tcp"
source_port_range = "*"
destination_port_range = "22"
source_address_prefix = "192.168.1.0/24"
destination_address_prefix = "*"
}
}
Pro Tip: Use VPC peering and private endpoints for secure cloud networking.
Wrapping Up
Terraform security isn’t optional—it’s essential. By following these best practices, you’ll keep your infrastructure secure, resilient, and breach-proof.
Quick Recap:
- Never hardcode secrets—use Vault or Key Management Systems.
- Secure Terraform state with encryption and remote storage.
- Enforce least privilege access—no over-permissioned Terraform accounts!
- Scan Terraform code for security issues before deployment.
- Use MFA, API key rotation, and RBAC for better cloud security.
Now, go Terraform safely!
What’s Next?
Now that you’ve locked down Terraform, it’s time to integrate it with Azure DevOps for automated deployments. In the next post, “Using Terraform with Azure DevOps,” we’ll walk through setting up Terraform pipelines in Azure DevOps, automating deployments, and managing infrastructure with version-controlled CI/CD workflows.