auditing-terraform-infrastructure-for-security

Auditing Terraform Infrastructure for Security

When to Use

  • When integrating security scanning into CI/CD pipelines for Terraform deployments
  • When reviewing Terraform plans and modules for security best practices before applying
  • When building policy-as-code guardrails for cloud infrastructure provisioning
  • When auditing existing Terraform state files to identify deployed misconfigurations
  • When enforcing organizational security standards across multiple Terraform projects

Do not use for runtime security monitoring (use CSPM tools), for application security testing (use SAST/DAST tools), or for cloud configuration drift detection (use AWS Config or Azure Policy after deployment).

Prerequisites

  • Checkov installed (pip install checkov)
  • tfsec installed (brew install tfsec or binary from GitHub)
  • Terrascan installed (brew install terrascan)
  • Terraform v1.0+ for plan generation
  • OPA (Open Policy Agent) for custom policy enforcement

First Seen: Mar 16, 2026