{"id":45947,"date":"2021-02-17T23:11:54","date_gmt":"2021-02-18T04:11:54","guid":{"rendered":"https:\/\/www.checkmarx.com\/?p=45947"},"modified":"2026-04-10T20:30:37","modified_gmt":"2026-04-10T18:30:37","slug":"terraform","status":"publish","type":"glossary","link":"https:\/\/checkmarx.com\/glossary\/terraform\/","title":{"rendered":"Terraform"},"content":{"rendered":"<h2 class=\"wp-block-heading article-anchor\" id=\"article-anchor-1\">What is Terraform?<\/h2>\n\n\n\n<p><strong>Terraform<\/strong> is an infrastructure as code (IaC) tool that lets teams define, provision, and manage cloud and on\u2011prem resources using declarative configuration files. It relies on a human\u2011readable language (HCL), a broad provider ecosystem (AWS, Azure, GCP, and many more), and a <strong>state<\/strong> model to reconcile your desired infrastructure with what actually exists.<\/p>\n\n\n\n<p><strong>Related on Checkmarx:<\/strong> IaC Security (<a href=\"https:\/\/checkmarx.com\/product\/iac-security\/\">https:\/\/checkmarx.com\/product\/iac-security\/<\/a>), DevSecOps (<a href=\"https:\/\/checkmarx.com\/solutions\/devsecops\/\">https:\/\/checkmarx.com\/solutions\/devsecops\/<\/a>), CI\/CD Security (<a href=\"https:\/\/checkmarx.com\/learn\/devsecops\/what-is-cicd-security\/\">https:\/\/checkmarx.com\/glossary\/what-is-cicd-security\/<\/a>)<\/p>\n\n\n\n<h2 class=\"wp-block-heading article-anchor\" id=\"article-anchor-2\">Why Terraform matters to AppSec and Platform teams<\/h2>\n\n\n\n<p>Terraform moves infrastructure changes into code review and CI\/CD. That improves speed and consistency, but also increases the blast radius of <strong>misconfigurations<\/strong>\u2014for example, public storage buckets, overly permissive security groups, weak IAM roles, or leaked secrets.<br>Treat Terraform code like application code: <strong>scan early, enforce policy, and gate releases on risk.<\/strong><\/p>\n\n\n\n<h2 class=\"wp-block-heading article-anchor\" id=\"article-anchor-3\">How Terraform works (developer view)<\/h2>\n\n\n\n<ol class=\"wp-block-list\">\n<li>\n<strong>Write<\/strong> HCL configuration (providers, resources, modules, variables).<\/li>\n\n\n\n<li>\n<strong>Plan<\/strong> to preview changes against the current state.<\/li>\n\n\n\n<li>\n<strong>Apply<\/strong> to converge actual resources to the desired configuration and update state.<\/li>\n<\/ol>\n\n\n\n<p>Teams often add <strong>policy as code<\/strong> (OPA\/Rego or Sentinel) to enforce guardrails for cost, compliance, and security before any change reaches production.<\/p>\n\n\n\n<h2 class=\"wp-block-heading article-anchor\" id=\"article-anchor-4\">Common Terraform security risks<\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li>\n<strong>State exposure:<\/strong> Plans\/state can contain identifiers and sometimes secrets.<\/li>\n\n\n\n<li>\n<strong>Unverified modules\/providers:<\/strong> Unpinned versions or untrusted sources.<\/li>\n\n\n\n<li>\n<strong>Overly permissive defaults:<\/strong> Wide\u2011open security groups, public buckets, weak KMS\/IAM policies.<\/li>\n\n\n\n<li>\n<strong>No policy enforcement:<\/strong> Missing OPA\/Sentinel checks in PRs\/pipelines.<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading article-anchor\" id=\"article-anchor-5\">Terraform security best practices<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">1) Control state and secrets<\/h3>\n\n\n\n<p>Use encrypted <strong>remote backends<\/strong> with RBAC; never commit state; integrate a dedicated secrets manager; restrict workspace access.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">2) Verify modules &amp; providers<\/h3>\n\n\n\n<p>Pin versions, verify sources and checksums, and treat modules as third\u2011party code you review and approve.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">3) Enforce policy as code<\/h3>\n\n\n\n<p>Add OPA\/Rego or Sentinel rules to <strong>fail fast<\/strong> when configurations violate security or compliance requirements.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">4) Scan IaC early &amp; often<\/h3>\n\n\n\n<p>Shift left by scanning locally, in PRs, and in CI\/CD with <strong><a href=\"https:\/\/checkmarx.com\/product\/iac-security\/\">Checkmarx IaC Security<\/a><\/strong> (and open\u2011source <strong><a href=\"https:\/\/checkmarx.com\/product\/kics\/\">KICS<\/a><\/strong>).<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">5) Integrate with CI\/CD &amp; the SDLC<\/h3>\n\n\n\n<p>Run scans as a quality gate; correlate findings, and fix in the IDE via <strong><a href=\"https:\/\/checkmarx.com\/product\/application-security-platform\/\">Checkmarx One<\/a><\/strong>. <\/p>\n\n\n\n<section class=\"section-accordion\">\n    <div class=\"main-wrapper section-accordion__wrapper\">\n        <h2 class=\"section-title article-anchor\" id=\"article-anchor-6\">FAQs<\/h2>\n        <div class=\"fag-accordion__wrapper\">\n            <div class=\"js-accordion fag-accordion\">\n                <div>\n\n                                            <div class=\"js-accordion__item fag-accordion__item \">\n                            <h3 class=\"js-accordion__btn fag-accordion__btn\">\n                                <svg width=\"34px\" height=\"23px\" viewbox=\"0 0 34 23\" version=\"1.1\" xmlns=\"http:\/\/www.w3.org\/2000\/svg\">\n                                    <g id=\"Page-1\" stroke=\"none\" stroke-width=\"1\" fill=\"none\" fill-rule=\"evenodd\">\n                                        <g id=\"Shape\" transform=\"translate(0.939453, 1.530000)\" stroke-width=\"3\">\n                                            <path d=\"M19.810947,20.4179 L31.029947,9.14 M30.029947,10.1989 L0,10.1989 M31.029947,11.26 L19.810947,0\"><\/path>\n                                        <\/g>\n                                    <\/g>\n                                <\/svg>\n                                Is Terraform secure?                            <\/h3>\n                            <div class=\"js-accordion-content fag-accordion__content\">\n                                <p>Yes &#8211; when you secure state, verify modules\/providers, enforce policy as code (OPA\/Sentinel), and scan continuously across local dev, PRs, and CI\/CD.<\/p>\n                            <\/div>\n                        <\/div>\n                                                <div class=\"js-accordion__item fag-accordion__item \">\n                            <h3 class=\"js-accordion__btn fag-accordion__btn\">\n                                <svg width=\"34px\" height=\"23px\" viewbox=\"0 0 34 23\" version=\"1.1\" xmlns=\"http:\/\/www.w3.org\/2000\/svg\">\n                                    <g id=\"Page-1\" stroke=\"none\" stroke-width=\"1\" fill=\"none\" fill-rule=\"evenodd\">\n                                        <g id=\"Shape\" transform=\"translate(0.939453, 1.530000)\" stroke-width=\"3\">\n                                            <path d=\"M19.810947,20.4179 L31.029947,9.14 M30.029947,10.1989 L0,10.1989 M31.029947,11.26 L19.810947,0\"><\/path>\n                                        <\/g>\n                                    <\/g>\n                                <\/svg>\n                                How do I scan Terraform?                            <\/h3>\n                            <div class=\"js-accordion-content fag-accordion__content\">\n                                <p>Use <strong data-start=\"6543\" data-end=\"6551\">KICS<\/strong> locally and in CI; add <strong data-start=\"6575\" data-end=\"6601\">Checkmarx IaC Security<\/strong> as a PR\/pipeline gate to prevent risky merges and applies.<\/p>\n                            <\/div>\n                        <\/div>\n                        <\/div>\n<div>                        <div class=\"js-accordion__item fag-accordion__item \">\n                            <h3 class=\"js-accordion__btn fag-accordion__btn\">\n                                <svg width=\"34px\" height=\"23px\" viewbox=\"0 0 34 23\" version=\"1.1\" xmlns=\"http:\/\/www.w3.org\/2000\/svg\">\n                                    <g id=\"Page-1\" stroke=\"none\" stroke-width=\"1\" fill=\"none\" fill-rule=\"evenodd\">\n                                        <g id=\"Shape\" transform=\"translate(0.939453, 1.530000)\" stroke-width=\"3\">\n                                            <path d=\"M19.810947,20.4179 L31.029947,9.14 M30.029947,10.1989 L0,10.1989 M31.029947,11.26 L19.810947,0\"><\/path>\n                                        <\/g>\n                                    <\/g>\n                                <\/svg>\n                                Where can I learn Terraform?                            <\/h3>\n                            <div class=\"js-accordion-content fag-accordion__content\">\n                                <p>Start with the official Terraform docs and tutorials; then codify and enforce your org\u2019s security baselines with policy as code.<\/p>\n                            <\/div>\n                        <\/div>\n                                        <\/div>\n            <\/div>\n        <\/div>\n    <\/div>\n<\/section>\n\n\n<script type=\"application\/ld+json\">{\"@context\":\"https:\/\/schema.org\",\"@type\":\"FAQPage\",\"url\":\"https:\/\/checkmarx.com\/glossary\/terraform\/\",\"mainEntity\":[{\"@type\":\"Question\",\"name\":\"Is Terraform secure?\",\"acceptedAnswer\":{\"@type\":\"Answer\",\"text\":\"Yes &#8211; when you secure state, verify modules\/providers, enforce policy as code (OPA\/Sentinel), and scan continuously across local dev, PRs, and CI\/CD.\"}},{\"@type\":\"Question\",\"name\":\"How do I scan Terraform?\",\"acceptedAnswer\":{\"@type\":\"Answer\",\"text\":\"Use KICS locally and in CI; add Checkmarx IaC Security as a PR\/pipeline gate to prevent risky merges and applies.\"}},{\"@type\":\"Question\",\"name\":\"Where can I learn Terraform?\",\"acceptedAnswer\":{\"@type\":\"Answer\",\"text\":\"Start with the official Terraform docs and tutorials; then codify and enforce your org\u2019s security baselines with policy as code.\"}}]}<\/script>","protected":false},"excerpt":{"rendered":"<p>What is Terraform? Terraform is an infrastructure as code (IaC) tool that lets teams define, provision, and manage cloud and on\u2011prem resources using declarative configuration files. It relies on a human\u2011readable language (HCL), a broad provider ecosystem (AWS, Azure, GCP, and many more), and a state model to reconcile your desired infrastructure with what actually [&hellip;]<\/p>\n","protected":false},"author":11,"featured_media":721,"template":"","glossary-tags":[],"class_list":["post-45947","glossary","type-glossary","status-publish","has-post-thumbnail","hentry"],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.1.1 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>Terraform Security: Definition, Best Practices &amp; Developer Examples | Checkmarx Glossary<\/title>\n<meta name=\"description\" content=\"Terraform is an IaC tool from HashiCorp. Learn what Terraform is, the top Terraform security risks, best practices, and developer examples - plus how to scan Terraform with Checkmarx IaC Security and KICS.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/checkmarx.com\/glossary\/terraform\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Terraform Security: Definition, Best Practices &amp; Developer Examples | Checkmarx Glossary\" \/>\n<meta property=\"og:description\" content=\"Terraform is an IaC tool from HashiCorp. Learn what Terraform is, the top Terraform security risks, best practices, and developer examples - plus how to scan Terraform with Checkmarx IaC Security and KICS.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/checkmarx.com\/glossary\/terraform\/\" \/>\n<meta property=\"og:site_name\" content=\"Checkmarx\" \/>\n<meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/Checkmarx.Source.Code.Analysis\" \/>\n<meta property=\"article:modified_time\" content=\"2026-04-10T18:30:37+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/checkmarx.com\/wp-content\/uploads\/2024\/04\/IaC-\u2013-RR02.png\" \/>\n\t<meta property=\"og:image:width\" content=\"1170\" \/>\n\t<meta property=\"og:image:height\" content=\"591\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/png\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:site\" content=\"@checkmarx\" \/>\n<meta name=\"twitter:label1\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data1\" content=\"2 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"WebPage\",\"@id\":\"https:\/\/checkmarx.com\/glossary\/terraform\/\",\"url\":\"https:\/\/checkmarx.com\/glossary\/terraform\/\",\"name\":\"Terraform Security: Definition, Best Practices & Developer Examples | Checkmarx Glossary\",\"isPartOf\":{\"@id\":\"https:\/\/checkmarx.com\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/checkmarx.com\/glossary\/terraform\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/checkmarx.com\/glossary\/terraform\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/checkmarx.com\/wp-content\/uploads\/2024\/04\/IaC-\u2013-RR02.png\",\"datePublished\":\"2021-02-18T04:11:54+00:00\",\"dateModified\":\"2026-04-10T18:30:37+00:00\",\"description\":\"Terraform is an IaC tool from HashiCorp. Learn what Terraform is, the top Terraform security risks, best practices, and developer examples - plus how to scan Terraform with Checkmarx IaC Security and KICS.\",\"breadcrumb\":{\"@id\":\"https:\/\/checkmarx.com\/glossary\/terraform\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/checkmarx.com\/glossary\/terraform\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/checkmarx.com\/glossary\/terraform\/#primaryimage\",\"url\":\"https:\/\/checkmarx.com\/wp-content\/uploads\/2024\/04\/IaC-\u2013-RR02.png\",\"contentUrl\":\"https:\/\/checkmarx.com\/wp-content\/uploads\/2024\/04\/IaC-\u2013-RR02.png\",\"width\":1170,\"height\":591,\"caption\":\"Iac Security cover Image\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/checkmarx.com\/glossary\/terraform\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Glossary\",\"item\":\"https:\/\/checkmarx.com\/glossary\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Terraform\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/checkmarx.com\/#website\",\"url\":\"https:\/\/checkmarx.com\/\",\"name\":\"Checkmarx\",\"description\":\"The world runs on code. We secure it.\",\"publisher\":{\"@id\":\"https:\/\/checkmarx.com\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/checkmarx.com\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/checkmarx.com\/#organization\",\"name\":\"Checkmarx\",\"url\":\"https:\/\/checkmarx.com\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/checkmarx.com\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/checkmarx.com\/wp-content\/uploads\/2024\/02\/logo-dark.svg\",\"contentUrl\":\"https:\/\/checkmarx.com\/wp-content\/uploads\/2024\/02\/logo-dark.svg\",\"width\":1,\"height\":1,\"caption\":\"Checkmarx\"},\"image\":{\"@id\":\"https:\/\/checkmarx.com\/#\/schema\/logo\/image\/\"},\"sameAs\":[\"https:\/\/www.facebook.com\/Checkmarx.Source.Code.Analysis\",\"https:\/\/x.com\/checkmarx\",\"https:\/\/www.youtube.com\/user\/CheckmarxResearchLab\",\"https:\/\/www.linkedin.com\/company\/checkmarx\"]}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Terraform Security: Definition, Best Practices & Developer Examples | Checkmarx Glossary","description":"Terraform is an IaC tool from HashiCorp. Learn what Terraform is, the top Terraform security risks, best practices, and developer examples - plus how to scan Terraform with Checkmarx IaC Security and KICS.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/checkmarx.com\/glossary\/terraform\/","og_locale":"en_US","og_type":"article","og_title":"Terraform Security: Definition, Best Practices & Developer Examples | Checkmarx Glossary","og_description":"Terraform is an IaC tool from HashiCorp. Learn what Terraform is, the top Terraform security risks, best practices, and developer examples - plus how to scan Terraform with Checkmarx IaC Security and KICS.","og_url":"https:\/\/checkmarx.com\/glossary\/terraform\/","og_site_name":"Checkmarx","article_publisher":"https:\/\/www.facebook.com\/Checkmarx.Source.Code.Analysis","article_modified_time":"2026-04-10T18:30:37+00:00","og_image":[{"width":1170,"height":591,"url":"https:\/\/checkmarx.com\/wp-content\/uploads\/2024\/04\/IaC-\u2013-RR02.png","type":"image\/png"}],"twitter_card":"summary_large_image","twitter_site":"@checkmarx","twitter_misc":{"Est. reading time":"2 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"WebPage","@id":"https:\/\/checkmarx.com\/glossary\/terraform\/","url":"https:\/\/checkmarx.com\/glossary\/terraform\/","name":"Terraform Security: Definition, Best Practices & Developer Examples | Checkmarx Glossary","isPartOf":{"@id":"https:\/\/checkmarx.com\/#website"},"primaryImageOfPage":{"@id":"https:\/\/checkmarx.com\/glossary\/terraform\/#primaryimage"},"image":{"@id":"https:\/\/checkmarx.com\/glossary\/terraform\/#primaryimage"},"thumbnailUrl":"https:\/\/checkmarx.com\/wp-content\/uploads\/2024\/04\/IaC-\u2013-RR02.png","datePublished":"2021-02-18T04:11:54+00:00","dateModified":"2026-04-10T18:30:37+00:00","description":"Terraform is an IaC tool from HashiCorp. Learn what Terraform is, the top Terraform security risks, best practices, and developer examples - plus how to scan Terraform with Checkmarx IaC Security and KICS.","breadcrumb":{"@id":"https:\/\/checkmarx.com\/glossary\/terraform\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/checkmarx.com\/glossary\/terraform\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/checkmarx.com\/glossary\/terraform\/#primaryimage","url":"https:\/\/checkmarx.com\/wp-content\/uploads\/2024\/04\/IaC-\u2013-RR02.png","contentUrl":"https:\/\/checkmarx.com\/wp-content\/uploads\/2024\/04\/IaC-\u2013-RR02.png","width":1170,"height":591,"caption":"Iac Security cover Image"},{"@type":"BreadcrumbList","@id":"https:\/\/checkmarx.com\/glossary\/terraform\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Glossary","item":"https:\/\/checkmarx.com\/glossary\/"},{"@type":"ListItem","position":2,"name":"Terraform"}]},{"@type":"WebSite","@id":"https:\/\/checkmarx.com\/#website","url":"https:\/\/checkmarx.com\/","name":"Checkmarx","description":"The world runs on code. We secure it.","publisher":{"@id":"https:\/\/checkmarx.com\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/checkmarx.com\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/checkmarx.com\/#organization","name":"Checkmarx","url":"https:\/\/checkmarx.com\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/checkmarx.com\/#\/schema\/logo\/image\/","url":"https:\/\/checkmarx.com\/wp-content\/uploads\/2024\/02\/logo-dark.svg","contentUrl":"https:\/\/checkmarx.com\/wp-content\/uploads\/2024\/02\/logo-dark.svg","width":1,"height":1,"caption":"Checkmarx"},"image":{"@id":"https:\/\/checkmarx.com\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/www.facebook.com\/Checkmarx.Source.Code.Analysis","https:\/\/x.com\/checkmarx","https:\/\/www.youtube.com\/user\/CheckmarxResearchLab","https:\/\/www.linkedin.com\/company\/checkmarx"]}]}},"_links":{"self":[{"href":"https:\/\/checkmarx.com\/wp-json\/wp\/v2\/glossary\/45947","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/checkmarx.com\/wp-json\/wp\/v2\/glossary"}],"about":[{"href":"https:\/\/checkmarx.com\/wp-json\/wp\/v2\/types\/glossary"}],"author":[{"embeddable":true,"href":"https:\/\/checkmarx.com\/wp-json\/wp\/v2\/users\/11"}],"version-history":[{"count":0,"href":"https:\/\/checkmarx.com\/wp-json\/wp\/v2\/glossary\/45947\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/checkmarx.com\/wp-json\/wp\/v2\/media\/721"}],"wp:attachment":[{"href":"https:\/\/checkmarx.com\/wp-json\/wp\/v2\/media?parent=45947"}],"wp:term":[{"taxonomy":"glossary-tags","embeddable":true,"href":"https:\/\/checkmarx.com\/wp-json\/wp\/v2\/glossary-tags?post=45947"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}