Terraform
by HashiCorp
Infrastructure as Code (IaC) tool for provisioning and managing cloud resources with state management and secrets handling
Authoritative Sources
Key guidance documents from authoritative organizations.
NIST SSDF PS.3.1: "Store all forms of code—including source code, executable code, and configuration-as-code—based on the principle of least privilege so that only authorized personnel, tools, services, etc. have access." PO.3.2: "Collect, safeguard, maintain, and share provenance data for all components of each software release." PW.6.1: "Create secure configurations for software development processes, tools, and infrastructure, including at least secure configuration of source code repository, security features of the development IDEs, and secrets management." Terraform state files should be secured following SSDF PS.3.1 principles.
Official HashiCorp guidance: "Terraform state and plan files contain detailed information about your infrastructure, including resource attributes and metadata that can contain sensitive values. Treat your state file as sensitive data by excluding it from Git workflows and following security recommendations."
CIS provides benchmarks for cloud platforms (AWS, Azure, GCP) that can be enforced through Terraform configurations. Terraform enables consistent deployment of CIS-compliant infrastructure.
SOC 2 CC8.1: "The entity authorizes, designs, develops or acquires, configures, documents, tests, approves, and implements changes to infrastructure, data, software, and procedures to meet its objectives." Terraform provides Infrastructure as Code with version control, plan/apply workflows, and state management that directly support CC8.1 change management requirements. Source: AICPA Trust Services Criteria.
ISO 27001:2022 A.8.9: "Configurations, including security configurations, of hardware, software, services and networks shall be established, documented, implemented, monitored and reviewed." Terraform enables declarative infrastructure configuration management with version control and drift detection, implementing A.8.9 requirements. Source: ISO/IEC 27001:2022 Annex A.
Verification Commands
Commands and queries for testing and verifying security configurations.
# Initialize with backend settings kept in a separate file rather than in the main configuration
terraform init -backend-config="backend.hcl"
# Check syntax and internal consistency
terraform validate
# Plan with secrets supplied from a non-committed tfvars file and save the plan for review
terraform plan -var-file="secrets.tfvars" -out=plan.tfplan
# Apply exactly the reviewed plan (a saved plan applies without an interactive prompt)
terraform apply -auto-approve plan.tfplan
# List which attributes are recorded in state for each resource; look for sensitive values
terraform show -json | jq ".values.root_module.resources[].values | keys"
terraform state list
# Static analysis of the configuration with tfsec, Checkov and Trivy
tfsec . --format json
checkov -d . --framework terraform --output json
trivy config --severity HIGH,CRITICAL .
# Drift detection: exit code 0 = no changes, 1 = error, 2 = changes pending
terraform plan -detailed-exitcode
# Remove a resource from state without destroying it
terraform state rm aws_db_instance.sensitive
# Bring an existing resource under Terraform management
terraform import aws_s3_bucket.example bucket-name

Related Controls
Security controls from various frameworks that relate to Terraform.