auditing-terraform-infrastructure-for-security

# Auditing Terraform Infrastructure for Security ## When to Use - When integrating security scanning into CI/CD pipelines for Terraform deployments - When reviewing Terraform plans and modules for security best practices before applying - When building policy-as-code guardrails for cloud infrastructure provisioning - When auditing existing Terraform state files to identify deployed misconfigurations - When enforcing organizational security standards across multiple Terraform projects **Do not use** for runtime security monitoring (use CSPM tools), for application security testing (use SAST/DAST tools), or for cloud configuration drift detection (use AWS Config or Azure Policy after deployment). ## Prerequisites - Checkov installed (`pip install checkov`) - tfsec installed (`brew install tfsec` or binary from GitHub) - Terrascan installed (`brew install terrascan`) - Terraform v1.0+ for plan generation - OPA (Open Policy Agent) for custom policy enforcement - Git repository with Terraform code to audit ## Workflow ### Step 1: Scan Terraform Code with Checkov Run Checkov for comprehensive IaC security scanning with built-in and custom policies. ```bash # Scan a Terraform directory checkov -d ./terraform/ --framework terraform # Scan with specific check categories checkov -d ./terraform/ --check CKV_AWS_18,CKV_AWS_19,CKV_AWS_20,CKV_AWS_21 # Scan and output results in JSON checkov -d ./terraform/ --output json > checkov-results.json # Scan a Terraform plan file for mo...