Infrastructure as Code Security: Terraform, Pulumi, and the Privacy of Your Architecture

A technical examination of Infrastructure as Code security practices covering Terraform state file exposure, secret management in IaC pipelines, policy-as-code enforcement, drift detection, and the privacy implications of treating infrastructure definitions as sensitive architectural blueprints.

In 2023, a security researcher discovered 1,500 exposed Terraform state files in public S3 buckets. These state files contained database passwords, API keys, private IP addresses, and detailed architectural blueprints for the organizations’ cloud infrastructure. The discovery was not exceptional. Terraform state file exposure is one of the most common and most underappreciated security risks in modern cloud operations — because the state file contains the complete truth about what you have built, how it is configured, and what secrets it uses.

Infrastructure as Code (IaC) transformed cloud operations from manual, error-prone provisioning into reproducible, version-controlled infrastructure management. Terraform, Pulumi, AWS CloudFormation, and Google Cloud Deployment Manager allow engineers to define infrastructure in code, review it in pull requests, and deploy it through automated pipelines. This is a genuine improvement over clicking through cloud consoles.

But IaC introduces its own category of security and privacy risks — risks that are fundamentally different from the infrastructure it manages. The code that defines your infrastructure is a map of your security posture. The state files that track your infrastructure contain your secrets. The pipeline that deploys your infrastructure has permissions to modify everything. Securing IaC is not a devops concern. It is a privacy architecture concern.

Terraform State: The Crown Jewels Problem

Terraform state is a JSON file that maps the resources defined in your Terraform configuration to the real resources in your cloud provider. It contains:

Resource identifiers: Every resource’s cloud-provider ID, enabling direct API access
Configuration attributes: Including sensitive values like database passwords, API tokens, and private keys
Dependency graph: The complete relationship map between all infrastructure components
Provider metadata: Account IDs, regions, and endpoint configurations

A Terraform state file for a production environment is, in effect, a complete dossier of the organization’s cloud infrastructure. An attacker with access to the state file knows every resource, every configuration, and every secret — without ever touching the cloud environment itself.

The Sensitive Value Problem

Terraform stores sensitive values in state in plaintext by default. When you create an AWS RDS database with Terraform, the master password is recorded in the state file. When you provision a Cloudflare Worker with an API token, that token is in the state file. Terraform’s sensitive = true attribute prevents values from being displayed in CLI output but does not encrypt them in state.

HashiCorp’s own documentation acknowledges this: “Terraform state can contain sensitive data… you should treat state files as sensitive.” The recommended mitigation is encrypted remote state storage (S3 + KMS, Azure Blob + Key Vault, GCS + Cloud KMS). But according to a 2025 survey by Spacelift, 23% of organizations still store Terraform state locally or in unencrypted remote storage.

For privacy architecture, the state file exposure risk means that your infrastructure’s privacy properties — encryption configurations, network ACLs, IAM policies, key management settings — are documented in a single file that, if exposed, reveals every privacy control and every gap in those controls simultaneously.

State File as Architectural Blueprint

Beyond secrets, the state file reveals architectural patterns that are privacy-sensitive:

Which services communicate with which databases (data flow mapping)
Which network segments have access to which resources (trust boundary mapping)
Which encryption keys protect which data stores (encryption dependency mapping)
Which IAM roles have which permissions (access control mapping)

An attacker studying a Terraform state file does not need to probe the live infrastructure for weaknesses. The state file is the vulnerability map, annotated with the keys to exploit each one.

Secrets Management in IaC Pipelines

The pipeline that applies Terraform, Pulumi, or CloudFormation templates needs credentials: cloud provider API keys, Terraform Cloud tokens, state backend access credentials, and any secrets referenced by the infrastructure code. These credentials are the most privileged in the organization — they can create, modify, or destroy any cloud resource.

Common Anti-Patterns

Environment variables in CI/CD: GitHub Actions secrets, GitLab CI variables, and Jenkins credentials stores are the most common approach to providing pipeline credentials. These are encrypted at rest and masked in logs, but:

They are accessible to anyone who can modify the CI/CD pipeline configuration
They persist across pipeline runs (not scoped to a single deployment)
A compromised CI/CD system exposes all stored secrets simultaneously

Hardcoded secrets in code: Despite being the most widely warned-against anti-pattern, hardcoded secrets in IaC files remain common. GitGuardian’s 2025 State of Secrets Sprawl report found that Terraform files were the third most common file type containing exposed secrets in public repositories, behind Docker Compose files and .env files.

Shared credentials: Teams that use a single set of cloud credentials for the IaC pipeline — rather than scoped, short-lived credentials per deployment — create a blast radius problem. If the shared credentials are compromised, the attacker has the same permissions as the pipeline: full infrastructure control.

Better Approaches

Dynamic credentials: HashiCorp Vault, AWS STS, and similar systems issue short-lived credentials for each pipeline run. The credentials expire after use. No long-lived secrets are stored in the CI/CD system.

OIDC federation: GitHub Actions and GitLab CI support OIDC token exchange with AWS, Azure, and GCP. The CI/CD system proves its identity to the cloud provider via OIDC, and the cloud provider issues temporary credentials. No cloud API keys are stored in the CI/CD system at all.

Secret references, not secret values: Instead of storing the database password in Terraform code, reference it from a secrets manager:

data "aws_secretsmanager_secret_version" "db_password" {
  secret_id = "production/database/master-password"
}

resource "aws_db_instance" "primary" {
  password = data.aws_secretsmanager_secret_version.db_password.secret_string
}

The Terraform code contains a reference, not a value. The state file still contains the resolved value — which is why encrypted state storage remains necessary — but the code itself can be safely stored in version control without exposing secrets.

Policy as Code: Guardrails for Privacy

IaC enables policy-as-code — automated validation of infrastructure configurations against security and privacy policies before deployment. This is the enforcement layer that prevents misconfigurations from reaching production.

Open Policy Agent (OPA) and Terraform

OPA evaluates Terraform plans against Rego policies. Before terraform apply executes, the plan is submitted to OPA, which checks it against organizational policies:

package terraform.privacy

# Deny S3 buckets without encryption
deny[msg] {
    resource := input.planned_values.root_module.resources[_]
    resource.type == "aws_s3_bucket"
    not has_encryption(resource)
    msg := sprintf("S3 bucket '%s' must have server-side encryption enabled", [resource.name])
}

# Deny databases without encryption at rest
deny[msg] {
    resource := input.planned_values.root_module.resources[_]
    resource.type == "aws_db_instance"
    resource.values.storage_encrypted != true
    msg := sprintf("RDS instance '%s' must have storage encryption enabled", [resource.name])
}

# Deny resources outside approved regions
deny[msg] {
    resource := input.planned_values.root_module.resources[_]
    provider_config := input.configuration.provider_config.aws
    not approved_region(provider_config.expressions.region.constant_value)
    msg := sprintf("Region '%s' is not approved for deployment", [provider_config.expressions.region.constant_value])
}

approved_region(region) { region == "eu-central-1" }
approved_region(region) { region == "eu-west-1" }

These policies catch privacy violations before they reach production: unencrypted storage, databases without encryption at rest, resources deployed to non-compliant regions. The enforcement is automated — no human review required for known-bad patterns.

Sentinel and Terraform Cloud

HashiCorp Sentinel provides built-in policy enforcement for Terraform Cloud and Terraform Enterprise. Sentinel policies can enforce hard-mandatory rules (deployment is blocked), soft-mandatory rules (deployment requires override approval), or advisory rules (warnings only).

For privacy-sensitive infrastructure, hard-mandatory policies should enforce:

All data stores encrypted at rest with customer-managed keys
All network traffic encrypted in transit
No public access to storage buckets or databases
Data residency constraints on resource placement
Logging and audit trail requirements

Checkov, tfsec, and KICS

Open-source IaC scanning tools provide pre-deployment security analysis:

Checkov (Bridgecrew/Palo Alto Networks): 1,000+ built-in checks across Terraform, CloudFormation, Kubernetes, and ARM templates. Checks include encryption-at-rest verification, public access detection, and compliance framework mapping (CIS, NIST, HIPAA).
tfsec (Aqua Security): Terraform-specific static analysis with 200+ checks. Integrates with IDE plugins for inline feedback.
KICS (Checkmarx): Multi-framework scanner supporting Terraform, Kubernetes, Docker, CloudFormation, and Ansible.

Bridgecrew’s 2025 State of IaC Security report found that the average Terraform codebase has 42 security misconfigurations per 1,000 lines of code. The most common: overly permissive IAM policies (18%), unencrypted resources (15%), and publicly accessible storage (12%). Automated scanning catches these before deployment. Manual review does not scale.

Drift Detection: When Reality Diverges from Code

IaC defines the intended state. But the actual state can diverge — through manual console changes, API calls outside the IaC pipeline, or provider-side modifications. This drift is a privacy risk because the IaC policies that were validated at deployment time no longer reflect reality.

How Drift Occurs

Console cowboys: An engineer makes a “quick fix” through the cloud console — modifying a security group rule, changing a bucket policy, or adjusting an IAM role. The change bypasses the IaC pipeline, the policy checks, and the code review process.

Out-of-band API calls: Incident response scripts, migration tools, or third-party integrations modify resources outside the IaC workflow. The resources are now in a state that no Terraform configuration describes.

Provider-side changes: Cloud providers occasionally modify resource defaults or deprecate configurations. A security group rule that was valid when deployed may behave differently after a provider update.

Detecting and Remediating Drift

Terraform’s terraform plan command detects drift by comparing the state file to the actual cloud state. Running terraform plan regularly (daily or hourly) and alerting on unexpected differences provides continuous drift detection.

Purpose-built drift detection tools (Driftctl, env0, Spacelift) provide more granular monitoring:

Real-time detection: Monitoring cloud API events for changes outside the IaC pipeline
Attribution: Identifying who made the out-of-band change and through what mechanism
Auto-remediation: Automatically reverting unauthorized changes by re-applying the IaC configuration

For privacy, drift detection is especially critical for:

Encryption configurations: A drifted encryption setting (disabled encryption, changed key) is an immediate privacy exposure
Network policies: Added firewall rules or security group changes that expand access beyond the intended privacy boundary
IAM policies: Permission changes that grant broader data access than the IaC-defined baseline
Logging configurations: Disabled audit logs or modified log retention that creates compliance gaps

Pulumi: Imperative IaC and Security Implications

Pulumi differs from Terraform by using general-purpose programming languages (TypeScript, Python, Go, C#) instead of a domain-specific language (HCL). This flexibility enables more complex infrastructure logic but introduces security considerations unique to imperative IaC.

Advantages for Privacy

Type safety: TypeScript and Go’s type systems catch configuration errors at compile time that would be runtime errors in Terraform
Testing: Standard unit testing frameworks (Jest, pytest, Go test) can test infrastructure logic, including privacy-relevant configurations
Abstraction: Custom components can encapsulate privacy requirements, ensuring that every database created through the organization’s Pulumi components has encryption enabled, customer-managed keys configured, and audit logging active

Risks Specific to Imperative IaC

Arbitrary code execution: Pulumi programs can execute arbitrary code during deployment — HTTP calls, file system access, subprocess execution. A compromised Pulumi program has broader capabilities than a compromised Terraform configuration.
Dependency chain: Pulumi programs import npm packages, pip packages, or Go modules. Each dependency is a potential supply chain attack vector. A malicious package in the dependency tree could exfiltrate secrets from the deployment environment.
Complexity: The expressiveness of general-purpose languages makes it harder to statically analyze Pulumi programs for security issues compared to Terraform’s more constrained HCL.

The Architecture Exposure Problem

IaC code itself — separate from state files and secrets — is a privacy-relevant artifact. The Terraform or Pulumi code that defines your infrastructure is a blueprint that reveals:

Your network architecture (VPC layout, subnet structure, routing)
Your security boundaries (security groups, NACLs, firewall rules)
Your encryption strategy (KMS keys, encryption configurations)
Your trust model (IAM roles, cross-account access, service accounts)
Your compliance posture (which frameworks your infrastructure is designed to satisfy)

This blueprint, in the wrong hands, is a penetration testing guide. It tells an attacker exactly where the defenses are, what they protect, and where the gaps might be.

Organizations should treat IaC code with the same sensitivity as the infrastructure it describes. Access should be restricted to engineers who need it. Version control repositories should require authentication and audit access. Code reviews for privacy-sensitive infrastructure changes should involve security-qualified reviewers.

The 2025 GitGuardian report found that 11% of organizations with public GitHub repositories had inadvertently exposed IaC configurations — not just secrets within the configurations, but the architectural definitions themselves. Even without secrets, these configurations provide a detailed map of the organization’s cloud infrastructure.

The Stealth Cloud Perspective

Infrastructure as Code is a necessary tool for building reproducible, auditable cloud infrastructure. But IaC introduces its own privacy surface: state files that contain secrets and architectural blueprints, pipelines that hold god-mode credentials, and code that maps your entire security posture.

Stealth Cloud addresses the IaC privacy surface by minimizing the infrastructure that needs to be defined. A zero-persistence architecture built on Cloudflare Workers has no databases to configure, no VPCs to architect, no security groups to manage. The infrastructure is the edge runtime, and the edge runtime is managed by Cloudflare. The Stealth Cloud IaC surface is a Worker configuration and a KV namespace definition — not a 10,000-line Terraform monorepo with 47 provider-specific services.

This minimalism is not a limitation. It is a privacy feature. Every line of IaC is a line that can contain a secret, reveal an architecture, or drift from its intended state. Every resource defined in code is a resource that must be encrypted, monitored, and defended. Fewer lines, fewer resources, fewer secrets, fewer risks.

The principle extends beyond Stealth Cloud: the most secure infrastructure is the infrastructure that does not exist. IaC security best practices — encrypted state, dynamic credentials, policy enforcement, drift detection — are necessary for the infrastructure you must have. The most effective privacy strategy is to need as little of it as possible.