Raw Terraform resources create governance risk because they allow infrastructure to be created outside the standardised module lifecycle. That bypass can produce untagged assets, inconsistent security settings, and configuration differences that are difficult to fix later. In IaC, creation-time consistency is part of the control, not an optional enhancement.
Why This Matters for Security Teams
Raw Terraform resources are not just a style preference issue. They weaken governance because they let teams create infrastructure outside the controls encoded in standard modules, where tagging, encryption, network boundaries, and logging are usually enforced. That creates drift at the point of creation, which is much harder to remediate than a review failure. NIST Cybersecurity Framework 2.0 frames this as a control consistency problem, not an aesthetics problem, and NHIMG’s Ultimate Guide to NHIs — Lifecycle Processes for Managing NHIs treats lifecycle standardisation as a governance requirement rather than a convenience.
The practical risk is that raw resources often bypass the assumptions security teams rely on when they approve infrastructure modules. A module can encode default tags for ownership, required KMS settings, subnet placement, and IAM boundaries; a one-off resource can omit any of these without immediately failing a pipeline. That is how undocumented assets, policy exceptions, and inconsistent exposure accumulate across environments. In practice, many security teams encounter the control gap only after audit evidence is incomplete or a misconfigured workload has already been deployed.
For a wider risk framing, NHIMG’s Top 10 NHI Issues shows how unmanaged creation paths repeatedly become governance blind spots across identity and infrastructure alike.
How It Works in Practice
Governance usually depends on standard Terraform modules because they act as a control layer. They can enforce required tags, approved security groups, baseline logging, secret handling, and naming conventions before infrastructure ever reaches the cloud provider. Raw resources bypass that layer and leave control enforcement to review discipline, which is much weaker and less reliable than policy encoded in code.
A workable model combines module-first development with policy checks at multiple stages:
- Use modules for all common infrastructure patterns so the secure baseline is reused, not recreated.
- Apply policy-as-code checks in CI to detect raw resources where a standard module should have been used.
- Require exceptions to be explicit, time-bound, and reviewed, rather than allowing ad hoc drift.
- Track ownership, cost, and environment tags at creation time so assets remain discoverable and auditable.
That approach aligns with the intent of NIST Cybersecurity Framework 2.0, which expects repeatable governance and risk treatment, not just point-in-time technical validation. It also fits NHIMG’s Ultimate Guide to NHIs — Regulatory and Audit Perspectives, where the evidence trail matters as much as the deployed resource.
The key operational question is whether teams can prove that every infrastructure object was created through an approved path or an approved exception. If they cannot, then the environment may be secure in places but not governable end to end. These controls tend to break down in fast-moving multi-account environments where teams can merge infrastructure changes directly into deployment pipelines without a central module review step.
Common Variations and Edge Cases
Tighter module enforcement often increases delivery friction, so organisations have to balance standardisation against legitimate speed and experimentation needs. That tradeoff is real, especially in platform teams supporting many application owners. Current guidance suggests handling this with tiered controls rather than a binary allow or deny model.
Some environments intentionally permit raw resources for edge cases such as provider limits, temporary migrations, or experimental workloads. The governance question is not whether raw resources are ever allowed, but whether they are visible, reviewed, and constrained. Best practice is evolving, but the common pattern is to require stronger exception approval, shorter review windows, and automated detection of any resource that does not map back to a standard module.
Another edge case is when modules themselves are poorly designed. A bad module can create a false sense of safety if it bakes in weak defaults or hides critical settings. In that situation, raw resources are not the only risk. Security teams should treat module quality as part of governance and keep a review path for module changes, not just consumer code. NHIMG’s Ultimate Guide to NHIs — Key Challenges and Risks is useful here because it frames drift, ownership gaps, and lifecycle inconsistency as systemic issues rather than isolated mistakes.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0 and NIST AI RMF set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-01 | Raw resources create unmanaged identity and config drift for workloads. |
| NIST CSF 2.0 | PR.AC-4 | Module bypass weakens least-privilege and access governance at deployment. |
| NIST AI RMF | AI RMF supports accountable, repeatable governance for automated change paths. |
Document ownership, review, and exception handling for every automated provisioning workflow.
