Compliance & SecOps

Terraform is Your Auditor's Best Friend

How to use Infrastructure-as-Code to prove immutability and traceability for ISO and SOC2 audits — automatically.

·2 min read·
#Terraform#IaC#Compliance#ISO27001

The hardest part of an ISO 27001 audit isn't being compliant. It's proving you were compliant on the 14th of February at 03:42 UTC when the change happened.

Terraform, used correctly, hands the auditor the evidence on a plate.

The three properties auditors want

  1. Immutability — no human SSH'd in and changed it.
  2. Traceability — every change links to a ticket and a reviewer.
  3. Reproducibility — you can rebuild the exact same environment.

How IaC gives you all three for free

Auditor questionThe Terraform answer
"Who changed this firewall rule?"git blame on the .tf file
"Was it reviewed?"PR with approving reviewer
"When did it go live?"Atlantis / Spacelift apply log, tied to the PR merge
"Can you restore Feb-14's state?"terraform state pull from the versioned S3 bucket

The OPA layer

Terraform alone doesn't prevent a developer from opening port 22 to 0.0.0.0/0. Add Open Policy Agent (Conftest) in CI:

package terraform.security

deny[msg] {
  resource := input.resource.aws_security_group_rule[name]
resource.cidr_blocks[_] == "0.0.0.0/0"
resource.from_port <= 22
  resource.to_port >= 22
  msg := sprintf("SSH open to the world: %s", [name])
}

Now the auditor's question "how do you prevent insecure firewall changes?" has a one-line answer: we can't merge them.

The evidence package

The audit-ready version of Terraform includes more than HCL. Keep the plan output, apply log, pull request, reviewer, ticket, and state backend configuration together. That gives the auditor a chain from intent to approved change to deployed resource.

HashiCorp's Terraform documentation covers the mechanics. The compliance value comes from connecting those mechanics to evidence: who changed it, who approved it, when it applied, and whether policy checks passed before apply.

This also changes incident response. When a risky rule appears, the team can trace it to a commit, identify the approval path, compare it with policy output, and revert through the same controlled pipeline. Evidence is no longer a spreadsheet exercise. It is a property of the delivery workflow.

Closing thought

The auditor does not love Terraform. The auditor loves evidence. Terraform is the cheapest, cleanest way to produce that evidence repeatedly without humans copying values between systems. Wire plan output, policy results, approvers, and ticket links into the same workflow, and audit becomes a query instead of a scramble.

Evidence artifacts worth keeping for every apply

  • terraform plan output, archived
  • Policy check results (OPA, Sentinel, or tfsec)
  • PR link with named reviewer
  • Linked change ticket
  • Apply log with state backend version
  • Drift detection result for the affected resources
Public profile lookup

Ask AI About the Author

Open this query in ChatGPT, Claude, or Perplexity.

Comments

Comments are open to confirmed email subscribers. Use the email you subscribed with. To edit a comment, delete it and post a new one.

0/2000
Verify:

    Get new field notes by email

    Field notes from someone who ships before they write about it. Sovereign AI, AI-SDLC, DevOps, and what 59 production deployments teach you. No spam. Unsubscribe anytime.

    Related field notes