Skip to main content

Infrastructure as Code Review Checklist

A review of infrastructure-as-code that prioritizes safe remote state (encrypted, locked, secret-free), reviewed-plan change control, pre-apply security scanning, and least-privilege execution roles. It also checks versioned modules, pinned providers, and drift detection for reproducibility.

Estimated Time
4-8 hours
Type
security audit
Category
Infrastructure
Steps
12

When to Use This Checklist

Use this checklist when reviewing infrastructure-as-code before it provisions production resources, when migrating between IaC tools, or when auditing an existing IaC codebase. IaC turns infrastructure into reviewable, repeatable code, but it also means a single bad apply can damage production at scale. This review balances safety, security, and maintainability.

How to Use This Checklist

Start with state, because state is where IaC most dangerously goes wrong. Remote state must be encrypted and locked so concurrent applies cannot corrupt it, and it must never contain plaintext secrets. Then review the change process: every apply to production should follow a reviewed, approved plan, never an ad-hoc local apply. Scan the code for misconfigurations and confirm the execution role itself follows least privilege, since an over-privileged IaC role is a prime target.

For maintainability, check that modules are versioned and parameterized, and that provider versions are pinned so applies are reproducible.

What Good Looks Like

All infrastructure lives in version control, and changes flow through reviewed plans rather than manual console clicks. Remote state is encrypted, locked, and free of secrets. Modules are reusable and parameterized per environment, with pinned provider and module versions for reproducible results. IaC security scanning runs before apply and catches misconfigurations early. The execution role is least-privilege, resources are tagged for ownership and cost, and drift detection flags when reality diverges from code. Where practical, changes replace resources immutably rather than mutating them in place.

Common Pitfalls

The most dangerous pitfall is mishandled state: unencrypted state files containing secrets, or unlocked state corrupted by concurrent applies. Applying changes manually outside the reviewed pipeline reintroduces the very drift and unpredictability IaC was meant to remove. Unpinned provider versions cause surprising changes when a provider updates. Over-privileged execution roles and hardcoded secrets are common security findings, and missing drift detection lets manual hotfixes silently diverge from the code.

Related Resources

Use Terraform module design patterns and configuration-as-code for maintainability, the IaC security playbook for misconfiguration defense, and immutable infrastructure for safer change. Run IaC through pipeline-as-code with least-privilege execution roles.