On DevOps — 22. Security in Infrastructure as Code with Terraform — Everything You Need to Know
--
1. Infrastructure Security and Infrastructure Code Security
With DevOps, we try to manage our infrastructure as pure code. It’s automated, which makes it easier to manage, faster to deploy, and often reusable, reducing manual labor and eliminating errors.
Since all our infrastructure is managed by code, the security of the code that actually manages the infrastructure is crucial.
We often say that security is job zero; when it comes to infrastructure, it’s even more so. If, for example, the database password is included in the code, and someone else gets access to the code, the infrastructure might be compromised, simple as that.
So, while adding security group rules to make sure only least-privilege access is allowed to your database improves the security of the infrastructure, handling the code properly (for example, not storing the database password directly in the code) to improve the security of the code itself is also one of our top priorities.
Today, we will have a look at possible security leaks and enhancements in the infrastructure code.
Nowadays, Terraform is so popular that it is basically the de facto tool when you talk about orchestrating your infrastructure as code, so we will use Terraform as our example. Still, most of the principles we will talk about also apply to other Infrastructure as Code tools, such as CloudFormation and the AWS CDK.
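To make the two points above concrete (least-privilege network access to the database, and keeping the password out of the code), here is an added Terraform example; it is not code from the original article. It assumes an AWS provider is already configured and that the VPC id and the application tier’s security group id are passed in as variables; all resource, variable and output names are placeholders chosen for illustration. The weak form is kept as a comment next to the hardened form so the difference is visible in one place.

```hcl
# Added example (not from the original article). Assumes an AWS provider
# is configured; vpc_id and app_security_group_id are supplied by the caller.
# Resource, variable and output names are placeholders.

# --- Weak form: the password and an open network path live in the repo ----
# resource "aws_db_instance" "app_db_weak" {
#   identifier          = "app-db"
#   engine              = "postgres"
#   instance_class      = "db.t3.micro"
#   allocated_storage   = 20
#   username            = "app"
#   password            = "SuperSecret123!"   # anyone who can read the repo can read this
#   publicly_accessible = true                # reachable from the internet
# }

# --- Hardened form --------------------------------------------------------
variable "db_password" {
  description = "Master password, supplied at apply time (e.g. TF_VAR_db_password); never committed"
  type        = string
  sensitive   = true # redacted from plan/apply output (Terraform >= 0.14)
}

variable "app_security_group_id" {
  description = "Security group of the application tier that is allowed to reach the database"
  type        = string
}

variable "vpc_id" {
  description = "VPC in which the database security group is created"
  type        = string
}

resource "aws_security_group" "db" {
  name        = "app-db-sg"
  description = "Allow PostgreSQL only from the application tier"
  vpc_id      = var.vpc_id

  ingress {
    from_port       = 5432
    to_port         = 5432
    protocol        = "tcp"
    security_groups = [var.app_security_group_id] # a source security group, not 0.0.0.0/0
  }
}

resource "aws_db_instance" "app_db" {
  identifier             = "app-db"
  engine                 = "postgres"
  instance_class         = "db.t3.micro"
  allocated_storage      = 20
  username               = "app"
  password               = var.db_password # value comes from outside the code
  publicly_accessible    = false
  vpc_security_group_ids = [aws_security_group.db.id]
  storage_encrypted      = true
  skip_final_snapshot    = true # placeholder for a test environment; keep a final snapshot in production
}

output "db_endpoint" {
  value = aws_db_instance.app_db.endpoint
}
```

Run it with the password in the environment (`export TF_VAR_db_password=...`) rather than in a committed `.tfvars` file. One caveat: `sensitive = true` only masks the value in Terraform’s console output; the value is still written in plain text to the state file, so the state backend itself has to be access-controlled and encrypted, which is its own topic.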
2. Securely Managing and Separating Multiple Environments
When working on real-world projects, unless it is a simple personal project or a start-up at a very early stage, chances are you run some tests before you actually deploy your code to a production environment. The same goes for infrastructure code: you test it first somewhere else, like a “develop” or a “staging” environment.
Different environments are separated from each other, and the separation makes your production environment more secure. There will be no access coming in from other ENVs to the production ENV, and the…