← All Posts
DevOps6 min read

Infrastructure as Code with Terraform: A Practitioner's Guide for 2026

Afocal Solutions·

In March 2026, attackers compromised Checkmarx KICS — an infrastructure-as-code security scanner embedded in thousands of CI/CD pipelines — and used it to exfiltrate credentials from AWS, Azure, and GCP environments. This is the breach that should keep every AppSec and DevSecOps team awake. Attackers trojanized Checkmarx KICS, an infrastructure-as-code security scanner embedded in CI/CD pipelines across thousands of organizations, pushing malicious images to DockerHub, VS Code extensions, and GitHub Actions simultaneously. The irony: the security tool designed to scan Terraform configurations became the attack vector.

HashiCorp's Terraform remains the most widely used Infrastructure as Code tool in the world, with over 70% market share in the sector. If your team manages cloud infrastructure, you're almost certainly running it. The question isn't whether to use IaC — it's how to use it without exposing your entire environment to configuration drift, state file leaks, or supply chain compromise.

Why SMBs Need Infrastructure as Code in 2026

Manual cloud provisioning doesn't scale. Anyone who's tried to recreate a "working" AWS environment from memory after an incident knows this. Infrastructure as Code solves the reproducibility problem: your VPCs, IAM roles, S3 buckets, and security groups exist as version-controlled configuration files that any team member can read, modify, and deploy.

As of 2026, Terraform supports over 3,000 providers through its public registry, making it the most broadly compatible IaC tool available. The core workflow is straightforward: write HCL files describing your desired infrastructure, run terraform plan to preview changes, then terraform apply to provision resources. Terraform maintains a state file that maps your configuration to real-world resources, enabling it to detect drift between your declared infrastructure and what actually exists in the cloud. This plan-apply cycle gives teams a clear audit trail and reduces the risk of accidental changes.

For regulated industries — HIPAA, CMMC, SOC 2 — this audit trail is non-negotiable. Every infrastructure change is a commit. Every deployment is traceable.

Terraform vs OpenTofu: The Fork That Matters

In August 2023, HashiCorp changed Terraform's licence from MPL to BSL. In December 2024, IBM bought HashiCorp for $6.4 billion. These two decisions reshaped the IaC landscape.

Today in April 2026, OpenTofu has approximately 12% adoption among IaC practitioners, with 27% of teams planning to evaluate or expand its use. Terraform still commands the largest market share at 33–62% depending on how you measure it.

Here's what actually changed:

Terraform is developed by HashiCorp, and newer releases are under the Business Source License (BSL), while OpenTofu is a community-governed fork that stays open source under MPL 2.0 and is stewarded under neutral governance (Linux Foundation).

Every Terraform provider works with OpenTofu. Every .tf file is valid. The state format is compatible. Teams switching from terraform to tofu typically do so in a single PR that updates CI pipeline commands.

The practical decision: Cases where staying on Terraform makes sense in 2026 include HCP Stacks dependencies, IBM Cloud Pak environments, and procurement structures that specifically require HashiCorp as a vendor. If you're an SMB without an existing HashiCorp enterprise contract, OpenTofu is worth evaluating for new projects — especially if your legal team has flagged BSL concerns.

New Terraform Features Worth Knowing

Ephemeral resources are used during a Terraform run but never written to state. The canonical example is a Vault-issued AWS credential that exists only for the duration of terraform apply. The credential never appears in terraform.tfstate. If your state file is compromised, temporary credentials from past runs are not exposed. This addresses a real attack surface with no clean prior solution.

This matters because the state file contains a lot of sensitive information about the environment. If it falls into the wrong hands, it can be exploited to gain information about misconfigured and vulnerable assets, and attackers can use it to exfiltrate data.

Native state encryption is a game-changer. This is the feature that gets security and compliance engineers excited. OpenTofu 1.7 shipped native encryption for state files and plan files — a long-requested feature that Terraform never delivered.

Support dynamic module sources, a new feature shipped in Terraform 1.15. This allows module sources to be computed at plan time — useful for organizations that version modules by environment or region.

IaC Security: The Supply Chain Problem

The KICS compromise wasn't an isolated incident. TeamPCP is a cyber threat group that has rapidly gained notoriety for large-scale software supply chain attacks, particularly against open-source ecosystems and security-adjacent tools. The group has repeatedly compromised widely used projects such as Aqua Security's Trivy vulnerability scanner and Checkmarx's KICS infrastructure-as-code analyzer via attacks on GitHub Actions and other software development components.

The trouble in 2026 is that the assumption underneath IaC security — that infrastructure is created through code in repositories you control — is increasingly only partly true. IaC security tools scan the code they're configured to scan.

Practical steps:

  1. Pin provider and module versions explicitly. Provider version management, not provider selection, is the recurring cost at scale: a major release such as the AWS provider's v6.0 (June 2025) can introduce breaking changes across many workspaces at once.

  2. Lock your dependency files. The .terraform.lock.hcl file is your friend — commit it, review it on PRs.

  3. Scan before apply. Integrate tools like Checkov, tfsec, or KICS (from trusted sources) into your CI pipeline. Pre-merge scanning catches misconfigurations before they hit production.

  4. Encrypt state at rest. If you're on OpenTofu, enable native state encryption. If you're on Terraform, ensure your S3 backend has server-side encryption enabled and restrict access via IAM.

Getting Started: A Representative SMB Scenario

A 75-person healthcare SaaS company needs to manage HIPAA-compliant infrastructure across AWS. Their current state: manual AWS Console changes, undocumented EC2 instances, and an S3 bucket that may or may not have public access blocked.

Phase 1 is import, not refactor. Use terraform import or the new -generate-config-out flag to bring existing resources into state without recreating them. The -generate-config-out flag writes HCL for existing resources during terraform plan. Generated configs need manual cleanup but significantly reduce the friction of bringing unmanaged resources into state.

Phase 2 is modularize incrementally. Don't rewrite everything. Start with the VPC and IAM modules — the foundational pieces that every other resource depends on. Build a module library that encodes your compliance requirements (encryption defaults, logging enabled, public access blocked).

Phase 3 is automate the pipeline. Connect your Terraform repo to your CI system. Every PR runs terraform plan. Every merge to main triggers terraform apply to a dev environment. Production deploys require manual approval. Organizations that treat adoption as purely a technical exercise fail. The ones that succeed recognize it as a change management challenge that happens to involve technology.

Key Takeaways

  • Terraform and OpenTofu are both production-ready in 2026. The choice depends on licensing posture and existing HashiCorp contracts — not technical capability.

  • Ephemeral resources and native state encryption address real security gaps. If your state files contain credentials, these features should be on your upgrade radar.

  • Supply chain attacks now target IaC security tools directly. Pin versions, verify sources, and assume your dependencies are potential attack vectors.

  • Start with import, not rewrite. Bringing existing infrastructure under IaC management is more valuable than perfectly architected greenfield modules you'll never finish.

If your team is navigating Terraform adoption, OpenTofu evaluation, or CI/CD pipeline integration for infrastructure automation, Afocal's Managed DevOps practice can help you move from manual provisioning to repeatable, auditable deployments.

Want to learn more about how Afocal can help your business?

Book a Free Audit

Your next breach is preventable.

Let's talk about your security posture. No commitment, just a conversation with a practitioner.