What breaks is the assumption that captured state equals controlled state. A successful import can still leave console changes, pipeline edits, and mismatched approvals outside the governance model. Without ongoing reconciliation, the organisation gains code representation but loses certainty that CloudFront still matches the approved baseline.
Why This Matters for Security Teams
terraform import is often treated as a finish line because the resource now appears in code and the migration looks complete. That is exactly where governance gaps begin. Import only captures the current object into state; it does not prove the baseline is approved, the surrounding pipeline is aligned, or the resource has stopped changing elsewhere. For edge services such as CloudFront, that distinction matters because configuration drift can alter security, routing, and exposure without changing the import status.
Security teams tend to overread infrastructure-as-code coverage as operational control. Current guidance from the NIST Cybersecurity Framework 2.0 emphasizes ongoing governance, not one-time inventory capture. NHIMG research on Ultimate Guide to NHIs shows why this matters: 96% of organisations store secrets outside secrets managers, and only 5.7% have full visibility into their service accounts. In practice, many security teams encounter post-import drift only after a console edit or pipeline bypass has already changed production behaviour.
How It Works in Practice
The safer model is to treat import as the start of control alignment, not the end. After the resource is imported, teams should reconcile three layers: the live cloud configuration, the Terraform code, and the approval trail that authorises future change. If any of those disagree, the migration is incomplete from a security perspective.
For CloudFront and similar managed services, that usually means validating distribution settings, origin access paths, headers, certificates, and logging after import, then enforcing a process that prevents ad hoc console edits from becoming the new baseline. The point is not merely to preserve state files. It is to ensure that the declared configuration, the deployed configuration, and the change process remain synchronized over time.
- Compare imported state to the actual cloud object and flag unmanaged fields.
- Review whether the pipeline can still apply changes outside the intended review path.
- Require drift detection so console changes surface before the next release window.
- Revalidate access controls, especially where service accounts or automation tokens can mutate the resource.
This aligns with the control discipline described in the Ultimate Guide to NHIs, where visibility, rotation, and lifecycle governance are treated as continuous obligations rather than one-time events. It also fits the NIST CSF 2.0 emphasis on identify, protect, detect, and respond as linked functions rather than isolated tasks. These controls tend to break down when multiple teams retain parallel ownership of the same service and console edits are still allowed as an emergency shortcut because reconciliation loses authority in day-to-day operations.
Common Variations and Edge Cases
Tighter post-import governance often increases operational overhead, requiring organisations to balance delivery speed against the cost of continuous reconciliation. That tradeoff becomes sharper when teams inherit legacy cloud estates, because the imported resource may depend on undocumented defaults, inherited permissions, or older deployment tooling that Terraform does not fully express.
Best practice is evolving, and there is no universal standard for this yet, but several edge cases recur. Some platforms expose fields that are not fully supported in provider schemas, which means an imported resource can look compliant in code while still being partially unmanaged in the console. In other environments, teams intentionally permit a narrow set of console-only changes for break-glass operations, but those exceptions must be time-bound and logged or they become shadow governance.
The practical test is simple: if a future incident could be caused by a configuration change that never passes through Terraform, then import has not finished the migration. Mature teams pair import with drift detection, ownership assignment, and a defined reconciliation cadence so the code and the live service stay aligned.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0 and NIST AI RMF set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | ID.AM | Asset management requires continuous inventory, not just import-time capture. |
| OWASP Non-Human Identity Top 10 | NHI-03 | Lifecycle governance for NHI-linked automation depends on ongoing control, not one-time migration. |
| NIST AI RMF | Governance must keep configuration and accountability aligned across the AI-assisted delivery chain. |
Verify that service accounts and automation secrets tied to imported resources are rotated and tracked after migration.
Related resources from NHI Mgmt Group
- What breaks when separation of privilege is treated as a role design exercise only?
- What breaks when access governance is treated as a purely technical problem?
- What breaks when service accounts are treated like low-priority identities?
- What breaks when MFA and SSO are treated as full identity governance?
