terraform

Terraform Code Review Rules

Security (Critical)

• Never hardcode secrets, credentials, or API keys
• Use environment variables or secret managers for sensitive values
• Mark sensitive variables and outputs with sensitive = true
• Enable encryption at rest for storage resources
• Apply least privilege IAM policies
• Use private subnets and security groups appropriately
• Never use ${} or {{}} template syntax with unvalidated user input
• Never use HTML comments (<!-- -->) in Terraform files
• All variables and locals must be declared before use; flag undeclared references