TL;DR: Untagged resources, inconsistent naming, and security gaps can result when Terraform module bypass lets raw resource blocks evade approved infrastructure standards, according to ControlMonkey. The core issue is not provisioning speed but whether cloud governance can still hold when teams can sidestep policy by writing directly against resources.
At a glance
What this is: This is a ControlMonkey analysis of enforcing module-only Terraform provisioning, with the key finding that bypassing approved modules creates governance drift, security gaps, and inconsistent cloud infrastructure.
Why it matters: It matters because IAM, NHI, and cloud security teams all depend on consistent lifecycle controls, and infrastructure drift often becomes the upstream cause of access, tagging, and compliance failures.
👉 Read ControlMonkey's analysis of module-only Terraform provisioning
Context
Terraform module enforcement is a governance control for infrastructure as code, not just a developer preference. The problem appears when teams can create cloud resources outside approved modules, because the organisation loses the standardised enforcement point for tagging, security settings, and compliance defaults.
For identity and access teams, this is a familiar pattern: when the approved path can be bypassed, policy stops being durable. The same governance logic that applies to service accounts and other non-human identities also applies to provisioning workflows, where consistency is the control boundary and drift is the failure mode.
Key questions
Q: What breaks when teams can bypass approved Terraform modules?
A: When teams can bypass approved Terraform modules, the organisation loses its enforcement point for security defaults, tagging, naming, and compliance settings. Raw resource blocks create a second provisioning path that is harder to audit and easier to misuse. The result is governance drift, where policy exists on paper but not in the deployed infrastructure state.
Q: Why do raw Terraform resources create governance risk?
A: Raw Terraform resources create governance risk because they allow infrastructure to be created outside the standardised module lifecycle. That bypass can produce untagged assets, inconsistent security settings, and configuration differences that are difficult to fix later. In IaC, creation-time consistency is part of the control, not an optional enhancement.
Q: How do security teams know if module-only provisioning is working?
A: Module-only provisioning is working when every designated resource type is created through the approved module path and exceptions are rare, logged, and time-bound. If production inventories show direct resource blocks, shadow templates, or inconsistent tags, the control is not being enforced. The best signal is a stable match between approved modules and deployed assets.
Q: Should organisations block all non-module Terraform resource creation?
A: Organisations should block non-module Terraform resource creation for resource types where standardisation, tagging, and security settings are mandatory. If a team needs an exception, it should be explicit, reviewed, and monitored. The point is not to eliminate flexibility everywhere, but to prevent uncontrolled parallel provisioning paths.
Technical breakdown
Module-only Terraform provisioning and policy enforcement
Module-only provisioning means specific infrastructure resources can only be created through approved Terraform modules rather than direct resource blocks or external templates. In practice, the module becomes the control point where security settings, naming conventions, tags, and compliance defaults are encoded once and reused many times. The technical risk is not simply inconsistency, but control bypass. When engineers use raw resources, the organisation loses the assurance that every deployed object inherited the same guardrails. That creates a split between intended policy and actual infrastructure state.
Practical implication: enforce module usage at pull request time and in continuous scans so direct resource creation cannot slip into production.
Terraform drift, raw resources, and governance gaps
Drift happens when what is deployed no longer matches the intended standard. In module-governed environments, drift is often caused by out-of-band changes or by developers choosing raw resource definitions instead of the sanctioned module path. That breaks the governance model because the control is no longer attached to the act of provisioning. Once raw resources exist, they can miss mandatory tags, encryption settings, or policy hooks, and those gaps are harder to detect later than at creation time.
Practical implication: treat unapproved resource blocks as a governance exception and block them before they become persistent infrastructure state.
IaC compliance as a lifecycle control
Infrastructure as code governance works best when compliance is enforced at the point of creation, not after the fact. Module-only policy is a lifecycle control because it shapes how resources are born, which determines whether later review, inventory, and remediation are reliable. If resources are created outside the approved lifecycle, downstream controls such as auditing, cost allocation, and configuration review inherit bad data. This is why module enforcement is more than code style. It is a prerequisite for dependable cloud governance.
Practical implication: align provisioning policy, inventory, and audit controls so every resource enters the environment through the same governed lifecycle.
Breaches seen in the wild
- Salesloft OAuth token breach — hackers stole OAuth tokens to access Salesforce data via Salesloft.
- ASP.NET machine keys RCE attack — 3,000+ exposed ASP.NET machine keys enabled remote code execution.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
Module bypass is a governance failure, not a syntax preference. The real issue is not whether Terraform modules are cleaner, but whether the organisation can prove that every cloud resource entered the environment through an approved control path. Once engineers can create raw resources, the policy boundary moves from enforcement to review, and review is always weaker than prevention. Practitioners should treat bypassable module standards as a broken governance model.
Approved modules are the cloud equivalent of a lifecycle checkpoint. They are the place where security defaults, tags, and compliance settings can be made consistent before resources exist. When that checkpoint is optional, the organisation inherits ungoverned exceptions at scale, which makes later remediation expensive and incomplete. The practitioner conclusion is that creation-time controls matter more than post-deploy cleanup.
Terraform module enforcement exposes the identity principle behind infrastructure governance. The question is not just who can deploy, but which identities are allowed to bypass the sanctioned provisioning path. That is the same control logic used in broader NHI governance: if an actor can evade the approved lifecycle, the policy framework no longer describes reality. Practitioners should view module-only enforcement as access control for infrastructure creation.
Policy without technical enforcement becomes advisory, and advisory controls do not survive busy delivery pipelines. Teams can document secure module usage all day, but if raw resources remain available, the shortcut will be taken eventually. This is the same failure pattern seen in other identity programmes where the allowed path and the easy path diverge. The implication is simple: governance must be embedded where the resource is created.
Named concept: module bypass drift. This is the state where approved Terraform modules define the standard, but raw resources or external templates quietly become a parallel provisioning channel. The result is not just configuration inconsistency, but a fragmented governance surface that weakens every downstream control. Practitioners should recognise this as a structural control gap, not a one-off coding issue.
From our research:
- 67% of organisations still rely heavily on static credentials despite the risks they pose to agentic AI deployments, according to The 2026 Infrastructure Identity Survey.
- 52% of respondents see AI security decision-making power shifting toward platform and infrastructure teams rather than the executive suite, according to The 2026 Infrastructure Identity Survey.
- For a broader governance lens, review NHI Lifecycle Management Guide for how lifecycle controls make policy enforceable across creation, rotation, and offboarding.
What this signals
Module-only provisioning is the same governance problem NHI teams face when sanctioned paths are easy to bypass. Once a parallel creation channel exists, the control surface fragments and policy becomes partial rather than absolute. With 67% of organisations still relying heavily on static credentials despite the risks they pose to agentic AI deployments, per the 2026 Infrastructure Identity Survey, the broader lesson is that convenience routinely outruns governance unless enforcement is embedded in the path of execution.
Module bypass drift: this is the point at which approved infrastructure standards exist, but production reality starts to diverge because raw resources or shadow templates remain available. That drift should be monitored the way identity teams monitor privilege creep, because it creates inventory gaps that later look like compliance failures rather than provisioning choices. The relevant operating model is NIST Cybersecurity Framework 2.0: identify, protect, detect, and respond must all see the same asset state.
As cloud teams push more provisioning responsibility toward platform engineering, the control question shifts from who writes code to who can bypass the governed path. That means module enforcement should be measured as a lifecycle control, not just a DevOps preference, and reviewed alongside Ultimate Guide to NHIs , Lifecycle Processes for Managing NHIs because enforceable lifecycle checkpoints are what keep standards real.
For practitioners
- Block direct resource creation paths Require approved Terraform modules for designated resource types and reject raw resource blocks or external templates at pull request review and continuous scanning.
- Map module policy to security defaults Embed tagging, encryption, naming, and baseline policy into the module so every accepted resource inherits the same controls before deployment.
- Treat module bypass as a governance exception Alert on any attempt to provision outside the standard module path and route it through the same exception handling used for policy overrides.
- Audit for drift between intended and deployed state Compare deployed resources against module-approved inventory to identify uncatalogued resources, inconsistent settings, and missing governance hooks.
Key takeaways
- Bypassing approved Terraform modules creates governance drift because the organisation loses the control point that applies security and compliance defaults at creation time.
- The core risk is not just inconsistency, but the emergence of a parallel provisioning path that makes inventory, audit, and remediation less reliable.
- Practitioners should enforce module-only creation for in-scope resources, then monitor exceptions and drift as lifecycle failures rather than one-off code issues.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | PR.AC-4 | Module enforcement controls who can create approved infrastructure patterns. |
| NIST Zero Trust (SP 800-207) | Zero trust requires explicit control over every provisioning path and identity. | |
| OWASP Non-Human Identity Top 10 | NHI-03 | Lifecycle governance for non-human identities parallels enforcing approved infrastructure creation paths. |
Use NHI lifecycle discipline to keep creation, review, and exception handling tied to one governed process.
Key terms
- Module-only Provisioning: A governance model where certain infrastructure resources can only be created through approved Terraform modules. It centralises security defaults, tagging, and compliance settings so that every deployment inherits the same baseline controls and cannot silently diverge through raw resource definitions.
- Terraform Drift: The gap between intended infrastructure state and what is actually deployed. In module-governed environments, drift often appears when teams bypass the sanctioned module path or make changes outside the standard lifecycle, weakening auditability and downstream remediation.
- Provisioning Lifecycle Control: A control that enforces rules at the moment a resource is created, not only after it exists. For infrastructure as code, lifecycle control is the difference between policy that shapes the environment and policy that merely describes it after the fact.
Deepen your knowledge
Terraform governance and lifecycle enforcement are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are designing controls for infrastructure creation paths and policy enforcement, it is worth exploring.
This post draws on content published by ControlMonkey: Enforce Module-Only Resource Provisioning in Terraform. Read the original.
Published by the NHIMG editorial team on 2026-01-20.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org
