IaC Basics and Terraform Tooling

Learn why infrastructure as code improves consistency and how Terraform, Checkov, and TFSec fit into a safer delivery workflow.


Why IaC is Needed

  • Consistency & reproducibility: The same code can create identical environments (dev, QA, prod), reducing configuration drift and “works on my machine” issues.
  • Speed & automation: Provisioning becomes automated and repeatable, so environments can be created, changed, or destroyed in minutes via CI/CD instead of days of manual work.
  • Auditability & collaboration: IaC lives in Git, so every change is versioned, reviewable (PRs), and auditable, which supports compliance and rollback.
  • Reduced human error & cost: Scripts replace manual steps, lowering misconfigurations and operational overhead.

You can explain it simply: infrastructure becomes software, so teams apply the same discipline (version control, testing, code review, CI/CD) to infra as they do to application code.


Terraform – Core IaC Engine

  • Terraform is an IaC tool that uses declarative configuration files (HCL) to describe desired infrastructure across many providers (Azure, AWS, GCP, Kubernetes, etc.).
  • Key capabilities:
    • Plan → Apply workflow: terraform plan shows the diff, terraform apply makes changes, enabling safe, reviewable modifications.
    • State management: Terraform tracks resources in a state file so it knows what exists and can detect drift or out‑of‑band changes.
    • Modules: Reusable building blocks (VPC module, AKS module, etc.) to standardize patterns across teams.

Typical uses

  • Provisioning complete environments: networks, VMs, AKS clusters, databases, load balancers.
  • Creating “landing zones” or baseline setups for new subscriptions/accounts with consistent security, logging, and tagging policies.

Checkov – Policy & Security Scanner for IaC

  • Checkov is an open‑source static analysis tool that scans Terraform and other IaC (CloudFormation, Kubernetes, etc.) for security, compliance, and best‑practice violations.
  • It comes with many built‑in policies (e.g., encryption required, logging enabled, no public storage buckets) and supports custom rules.

How it is used

  • Local or CI command such as: checkov -d path/to/terraform.
  • Typical findings:
    • Open security groups / public ingress.
    • Unencrypted data at rest.
    • Missing logging or weak IAM policies.
  • In pipelines, teams configure Checkov to fail the build if severe issues (e.g., HIGH/CRITICAL) are detected, enforcing guardrails early.

TFSec – Terraform-Focused Security Scanner

  • TFSec is a Terraform‑specific static analysis tool that scans HCL to flag insecure or non‑compliant configurations before terraform apply.
  • It focuses on Terraform first, with checks for:
    • Open security groups / firewalls.
    • Public S3/buckets/storage.
    • Missing encryption, logging, or HTTPS-only access.

How it is used

  • CLI usage: tfsec path/to/terraform/code or tfsec . --format json/sarif in CI for reporting and gating.
  • Integrates with CI tools like Jenkins, GitHub Actions, Azure DevOps so every PR or commit gets scanned automatically.

How Terraform, Checkov, and TFSec Work Together

  • Terraform defines and provisions the infrastructure as code.
  • Checkov and TFSec statically analyze that Terraform code before apply, catching misconfigurations, security issues, and policy violations in the review/CI stages.

A simple story you can use:

  1. Developer edits Terraform to add a new subnet and VM.
  2. CI runs tfsec and checkov; if any rule (e.g., public VM without NSG, unencrypted disk) fails, the pipeline blocks the change.
  3. Only when IaC passes security checks does the pipeline run terraform plan and terraform apply to update real infrastructure.
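The gate in step 2, written out as an added example (not code from this page, tfsec or Checkov): it reads both scanners' JSON reports, normalises the findings, and blocks on anything at or above a severity threshold, so terraform plan/apply never runs against code that failed. The report layouts, rule ids, resource names and line numbers in the sample data are constructed and assumed for this example.

```python
"""CI gate: read tfsec and Checkov JSON reports and block the pipeline on severe findings."""
import json

# Constructed sample reports (assumed field layout of `tfsec --format json` / `checkov -o json`;
# rule ids, resources and line numbers are made up for this example).
TFSEC_REPORT = json.dumps({"results": [
    {"rule_id": "EXAMPLE-ssh-open-to-internet", "severity": "CRITICAL",
     "resource": "azurerm_network_security_group.web", "location": {"filename": "main.tf", "start_line": 12}},
    {"rule_id": "EXAMPLE-vm-password-auth", "severity": "MEDIUM",
     "resource": "azurerm_linux_virtual_machine.web", "location": {"filename": "main.tf", "start_line": 40}}]})
CHECKOV_REPORT = json.dumps({"check_type": "terraform", "results": {"failed_checks": [
    {"check_id": "CKV_EXAMPLE_1", "check_name": "Ensure managed disk uses a customer-managed key",
     "resource": "azurerm_managed_disk.data", "file_path": "/main.tf", "file_line_range": [55, 62],
     "severity": None}]}})  # severity left null, as a Checkov run without a platform key may report it

SEVERITY_RANK = {"LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

def tfsec_findings(report: str) -> list[dict]:
    """Normalise tfsec results into {tool, id, severity, resource, where}."""
    out = []
    for r in json.loads(report).get("results") or []:
        loc = r.get("location", {})
        out.append({"tool": "tfsec", "id": r["rule_id"], "severity": (r.get("severity") or "UNKNOWN").upper(),
                    "resource": r.get("resource"), "where": f"{loc.get('filename')}:{loc.get('start_line')}"})
    return out

def checkov_findings(report: str) -> list[dict]:
    """Normalise Checkov failed checks (Checkov emits a list of reports when several frameworks are scanned)."""
    data, out = json.loads(report), []
    for rep in (data if isinstance(data, list) else [data]):
        for c in rep.get("results", {}).get("failed_checks", []):
            line = (c.get("file_line_range") or [None])[0]
            out.append({"tool": "checkov", "id": c["check_id"], "severity": (c.get("severity") or "UNKNOWN").upper(),
                        "resource": c.get("resource"), "where": f"{c.get('file_path')}:{line}"})
    return out

def gate(findings: list[dict], threshold: str = "HIGH") -> tuple[bool, list[dict]]:
    """Return (blocked, blocking findings). Unknown severity ranks at the threshold, so it blocks too."""
    floor = SEVERITY_RANK[threshold]
    blocking = [f for f in findings if SEVERITY_RANK.get(f["severity"], floor) >= floor]
    return bool(blocking), blocking

def run_gate(tfsec_json: str, checkov_json: str, threshold: str = "HIGH") -> tuple[bool, list[dict]]:
    return gate(tfsec_findings(tfsec_json) + checkov_findings(checkov_json), threshold)

if __name__ == "__main__":
    blocked, hits = run_gate(TFSEC_REPORT, CHECKOV_REPORT)
    for h in hits:
        print(f"[{h['tool']}] {h['severity']:<8} {h['id']} at {h['where']} ({h['resource']})")
    raise SystemExit(1 if blocked else 0)  # non-zero exit stops the pipeline before terraform plan/apply
```

In a real pipeline the two report strings come from files written by `tfsec . --format json` and `checkov -d . -o json`; the threshold is the one policy knob the team agrees on, and a finding with no severity is treated as blocking rather than silently waved through.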
