- Are you storing your Terraform Code in a version control system (Git or similar)?
- Is Terraform using a separate service account in your cloud infrastructure?
- Are you using one Terraform workspace for each environment of a given infrastructure component?
- Are you using Terraform modules to increase reusability of your infrastructure code?
- Terraform state:
  - Are your Terraform state files encrypted at rest?
  - How are your Terraform state files protected against accidental disclosure?
  - How are your Terraform state files protected against corruption?
- How do you handle sensitive information in your Terraform scripts?
  - How are the credentials of a service account used by Terraform secured?
  - Where are these credentials stored?
  - Is your Terraform integrated with a secret management tool (HashiCorp’s Vault or similar)?
- Are the permissions of a service account used by Terraform restricted to the minimum?
  - What is the list of permissions given to the service account used by Terraform?
  - Are there any separate roles and policies attached?
- Are you using Terraform Cloud?
  - How are you running it? SaaS hosted by HashiCorp or a private instance?
  - Did you assign Terraform Cloud workspace ownership and permissions to your teams?
- Did you restrict non-Terraform access to cloud provider UIs and APIs to avoid manual infrastructure modifications?
For general advice on how to use Terraform, see Terraform Recommended Practices.
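The state and sensitive-information questions above map directly onto a backend configuration. The following is an added example, not part of the original checklist: a weak local backend beside a hardened S3 backend that addresses encryption at rest, disclosure and corruption, plus a variable marked sensitive. The bucket, key, KMS alias and lock-table names are constructed placeholders.

```hcl
# Weak: local backend. State sits in plaintext on the operator's disk,
# with no locking, no versioning and no access control beyond file permissions.
#
# terraform {
#   backend "local" {
#     path = "terraform.tfstate"
#   }
# }

# Hardened: remote S3 backend (all names below are constructed placeholders).
terraform {
  backend "s3" {
    bucket         = "example-org-tfstate"               # private bucket: block public access, enable versioning
    key            = "network/prod/terraform.tfstate"    # one state object per component and environment
    region         = "eu-west-1"
    encrypt        = true                                # server-side encryption of the state object at rest
    kms_key_id     = "alias/example-tfstate"             # customer-managed KMS key; key policy limits who can read state
    dynamodb_table = "example-org-tfstate-lock"          # state locking prevents concurrent writes from corrupting state
  }
}

# Sensitive inputs: Terraform redacts these from plan and apply output.
# Note that the value is still written to the state file, which is why the
# state itself must be encrypted and access-restricted as above.
variable "db_password" {
  type      = string
  sensitive = true
}
```

Bucket versioning gives a recovery path if a state object is overwritten or corrupted, complementing the lock table.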