Terraform code describes the intended configuration, while Terraform state records the managed relationship between that code and real resources. Governance depends on both. Code without state cannot reliably support import, drift detection or recovery, and state without discipline can quickly become stale or misleading.
Why This Matters for Security Teams
Terraform code and terraform state answer different governance questions, and confusing them creates real control gaps. Code is the desired blueprint, but state is the evidence of what Terraform is actually managing right now. That distinction matters for NIST Cybersecurity Framework 2.0 style governance because review, accountability, and recovery all depend on knowing whether the recorded system matches the intended system.
For NHI and infrastructure teams, this is not just an IaC hygiene issue. State can contain sensitive secrets, resource bindings, and remote references that reveal how identities, permissions, and workloads are connected. NHIMG research in the State of Non-Human Identity Security shows how often organisations struggle with visibility and confidence across machine identities, which is the same governance blind spot that appears when state files are unmanaged or scattered. Code review alone cannot detect drift, imported resources, or orphaned infrastructure. In practice, many security teams discover state problems only after a failed change, a broken import, or an access review that cannot reconcile the live environment with the repository.
How It Works in Practice
Governance works best when code and state are treated as separate control surfaces. Terraform code should define policy-relevant intent: provider versions, modules, resource patterns, tagging rules, and approved relationships. Terraform state should be treated as an operational ledger that maps that intent to actual resources, which makes it essential for drift detection, import, destroy operations, and recovery workflows. The Ultimate Guide to NHIs is useful here because lifecycle discipline for non-human identities depends on knowing what exists, who manages it, and whether it should still exist at all.
Current guidance suggests these governance practices:
- Keep code in version control with mandatory review, so intended changes are traceable.
- Store state remotely with access controls, encryption, locking, and audit logging, because state often becomes sensitive metadata.
- Use policy checks on both plan output and state-backed operations, especially where secrets or privileged service identities are involved.
- Reconcile state against live cloud resources regularly, because drift can hide shadow changes or manual hotfixes.
- Separate duties for code authors, approvers, and operators when the environment supports regulated change control.
For broader governance framing, Regulatory and Audit Perspectives are especially relevant because auditors usually want evidence that the system of record, change trail, and live deployment all align. These controls tend to break down when multiple teams share the same backend state, because concurrent edits, stale locks, and manual cloud changes can make the state file authoritative in name only.
Common Variations and Edge Cases
Tighter Terraform governance often increases operational overhead, requiring organisations to balance deployment speed against auditability and recovery confidence. That tradeoff is real, especially in environments with dozens of workspaces, ephemeral test stacks, or teams that import legacy resources after the fact.
Best practice is evolving for a few edge cases. A fresh state import may be necessary when pre-existing resources are brought under Terraform control, but that state can be incomplete until owners reconcile every attribute that matters for governance. In some regulated environments, teams split state by boundary, such as account, application, or environment, to reduce blast radius. That helps, but it can also complicate cross-stack dependencies and make drift harder to detect consistently.
State also deserves special handling when secrets or NHI metadata are embedded in resource attributes. Even when Terraform code is clean, the state file can expose tokens, connection strings, or identity relationships that create lateral movement opportunities. The Top 10 NHI Issues page is a useful reminder that weak lifecycle controls and poor visibility often travel together. Where organisations run shared backends, cross-account federation, or manual break-glass changes, there is no universal standard for perfect state governance yet, so the practical answer is strict access control, immutable history, and routine reconciliation.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0 and NIST AI RMF set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | PR.AC-1 | Terraform state access must be restricted to preserve governance evidence. |
| OWASP Non-Human Identity Top 10 | NHI-01 | State often stores sensitive NHI-related data and managed relationships. |
| NIST AI RMF | State and code together support traceability and accountability in automated systems. |
Establish traceability, monitoring, and human oversight for infrastructure changes driven by automation.
Related resources from NHI Mgmt Group
- What is the difference between attack surface management and NHI governance?
- What is the difference between role-based access and API key governance for NHI security?
- What is the difference between human IAM controls and NHI governance?
- What is the difference between endpoint management and access governance?
Deepen Your Knowledge
Reviewed and updated by the NHIMG editorial team on June 12, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org
