A comprehensive guide to auditing Terraform infrastructure covering four dimensions: code, run, state, and backend. Walks through a 9-step audit process including version control setup, static analysis with tools like Checkov and Trivy, policy-as-code with OPA, state file evaluation, access control review, secrets management, and module version pinning. Also covers what Terraform state can and cannot reveal, popular auditing tools, and best practices like continuous auditing, shift-left security, and protecting state files. Spacelift is highlighted as a platform that consolidates these capabilities with built-in audit trails.

14m read time. From spacelift.io
Table of contents
What is a Terraform audit?
What can (and can’t) be learned from Terraform state?
How to run a Terraform audit step by step
Terraform auditing tools
Terraform audit best practices
Key points
Frequently asked question
