
Infrastructure as Code (IaC) deployments need a different CI/CD approach than regular software. This guide assumes you have already chosen your engine; if you are still deciding, start with OpenTofu vs Terraform. Teams using Terraform and OpenTofu need pipeline strategies built around state management, security, and environment promotion, without giving up reliability. The implementations that work combine testing frameworks like Terratest with policy-as-code guardrails, secure state storage, and environment-specific approval workflows, all while balancing speed and safety. More teams are picking up ephemeral environments, state-aware caching, and automated drift detection whether they run on a commercial CI/CD platform like GitHub Actions or an open-source one.
Infrastructure as Code automation brings security challenges that a lot of teams overlook. A compromised IaC pipeline can compromise your entire cloud environment. An application security bug might hit a single service, but an IaC security failure has amplified consequences:
What sets infrastructure automation apart from regular application deployment is state awareness. Application deployments are stateless, but infrastructure changes carry persistent state you have to manage carefully across pipeline runs. That state buys you consistency, and it bites you if you mishandle it.
Good Terraform and OpenTofu pipelines follow principles that look pretty different from regular application CI/CD:
State Awareness: Unlike stateless application deployments, infrastructure changes maintain persistent state that must be carefully managed across pipeline runs.
Separation of Concerns: Good IaC pipelines authenticate to backend providers before doing anything else. Most strong teams split plan and apply completely, treating the plan output as an immutable artifact that gets approved before it's applied. That prevents the "planning twice" problem, where the applied changes differ from what was reviewed.
Principle of Least Privilege: Pipeline service accounts should get narrowly-scoped permissions for exactly the resources they manage, nothing more. If you run multiple environments, you also need a solid promotion strategy.
Environment Promotion Strategies: Teams running multiple environments usually follow one of two models:
Each model has tradeoffs between deployment speed, safety, and operational complexity.
Project structure has a big effect on how fast and maintainable your pipeline is. For medium to large deployments, the structure that works best is a modular mono-repo with environment-specific configuration directories:
terraform-infrastructure/
├── modules/ # Reusable infrastructure components
│ ├── networking/
│ ├── compute/
│ └── database/
├── environments/ # Environment-specific configurations
│ ├── dev/
│ ├── staging/
│ └── production/
└── pipelines/ # CI/CD workflow definitions
Larger organizations tend to go with a composition-based approach: small, focused repositories for individual modules, composed through a separate environments repository. That lets specialized teams work independently without losing deployment cohesion.
The Terraform pipeline pattern that works best keeps plan and apply in separate stages, with human approval in between:
This way changes get reviewed before they run, and you avoid "planning twice" where the applied changes differ from what was reviewed.
For large deployments where performance matters, the bigger teams reach for:
Google reports 89% faster Terraform CI/CD pipelines by implementing these optimization techniques at scale.
Before any of that, profile the pipeline. A team Scalr helped migrate off Terraform Cloud hit plans dying with The operation was cancelled after reaching the timeout of 15 minutes and assumed the runner was memory-starved, so their first request was for more RAM. A TF_LOG=trace breakdown said otherwise. Init was cheap: all 10 providers came from cache, plugin initialization took 17.3 seconds, and 31 modules resolved in 1.7 seconds, with zero memory pressure anywhere. The time went to two places nobody had looked: a pre-plan validate integration eating 189.6 seconds (about 3.2 minutes), a step Terraform Cloud had never run for them, and roughly 10.4 minutes of plan time refreshing live data sources across all ten providers (AWS, PagerDuty, Sentry, Coralogix, Checkly, Vercel, and others). Raising the timeout and disabling the redundant validate step brought the run in around 9m40s. The plan had been correct the whole time: 10 to add, 10 to change, 3 to destroy. The instinct to throw hardware at a slow pipeline is usually wrong until a trace log says otherwise. Data-source refresh and bolted-on validation steps are the usual cost, and neither one cares how much RAM you give it.
GitOps changes how you manage infrastructure: Git becomes the single source of truth for both application configuration and infrastructure state. For IaC tools like Terraform and OpenTofu, GitOps workflows give you:
Merge-Before-Apply Pattern:
Apply-Before-Merge Pattern (Plan-and-Apply on PR):
Modern GitOps platforms support multiple trigger mechanisms:
The biggest vulnerability in Terraform and OpenTofu deployments is the state file, which stores sensitive information in plaintext by default. State files contain:
Best Practice: Remote backend with encryption and access controls
Remote state storage with encryption-at-rest is standard practice now, with versioning and access logging turned on. Most major cloud providers offer their own state storage options:
State files should be segmented by environment and bounded context, not by geographic region or arbitrary divisions. This segmentation should align with team boundaries to reduce cross-team dependencies during deployments.
The consensus is to keep sensitive values out of Terraform variables entirely. Instead, most teams inject them at runtime through:
OIDC removes long-lived secrets from the pipeline, but short-lived tokens interact badly with the long pauses built into plan-approve-apply workflows. A Scalr customer running an AzureRM workspace on OIDC had a custom hook calling az login --federated-token $ARM_OIDC_TOKEN, and it worked for so long nobody remembered the hook existed, until the token environment variable came up empty (echo "${#ARM_OIDC_TOKEN}" printed 0). The platform had moved to file-based token delivery on purpose: handing scripts a path (ARM_OIDC_TOKEN_FILE_PATH) instead of a value means the token is re-read fresh at execution time rather than expiring while a plan sits waiting for a human to approve it. The provider handles the file transparently; the custom hook did not. The fix was one line, --federated-token "$(cat $ARM_OIDC_TOKEN_FILE_PATH)", but the lesson generalizes: any script that captures identity material directly inherits the token-lifetime problem the platform already solved.
On the cloud side, pin OIDC trust policies to immutable identifiers. An enterprise customer building AWS IAM trust policies asked how to match claims on IDs rather than names; the JWT carries claims like "...:scalr_environment_id": "env-xxxx" and "...:scalr_workspace_id": "ws-xxxx" for exactly this reason. Scope trust conditions to those IDs and a workspace rename can no longer widen or break the trust boundary.
Hard-coded credentials represent a critical security risk:
# Dangerous: Hard-coded credentials
provider "aws" {
access_key = "AKIAIOSFODNN7EXAMPLE" # Never do this!
secret_key = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
}
# Better: Use environment variables or IAM roles
provider "aws" {
# Uses environment variables or instance profile
}Modern IaC management platforms provide:
GitHub Actions plugs straight into your repositories, makes secret management easy, and has a deep marketplace of Terraform-specific actions. It's a great fit if you're already on GitHub Enterprise.
name: Terraform CI/CD
on:
pull_request:
paths:
- 'terraform/**'
push:
branches:
- main
paths:
- 'terraform/**'
jobs:
plan:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: hashicorp/setup-terraform@v2
- run: terraform init
- run: terraform plan -out=tfplan
- uses: actions/upload-artifact@v3
with:
name: tfplan
path: tfplan
apply:
needs: plan
runs-on: ubuntu-latest
if: github.ref == 'refs/heads/main'
environment: production
steps:
- uses: actions/checkout@v4
- uses: hashicorp/setup-terraform@v2
- uses: actions/download-artifact@v3
with:
name: tfplan
- run: terraform init
- run: terraform apply -auto-approve tfplan
GitLab CI has stronger built-in branch protection rules and approval workflows. Its directed acyclic graph (DAG) pipeline architecture really helps with complex infrastructure deployments that have a lot of interdependencies.
GitLab handles both merge-before-apply and apply-before-merge patterns through its merge request pipeline system. You can run speculative plans on every MR and show the results right in the MR interface so reviewers can see them.
For more detailed information, see our guides on using Terraform with GitLab and managing GitLab itself with Terraform.
If you're already deep in the Microsoft ecosystem, Azure DevOps makes authentication simpler and ties in tightly with Azure infrastructure.
Azure DevOps uses YAML-based multi-stage pipelines with native support for Terraform. A few things it does well:
A production-ready pipeline typically implements:
The critical pattern separates plan and apply into distinct stages with human approval between them, preventing accidental changes and ensuring auditability.

Jenkins still earns its place for teams with complex, custom deployment needs. It's as flexible as anything out there, but you pay for that in maintenance.
Drone CI takes a container-native approach that makes Terraform version management and plugin handling simpler. Being stateless, it fits well with immutable infrastructure principles.
Tekton is a Kubernetes-native pipeline that scales very well for big infrastructure deployments.
Concourse CI is good at complex resource dependencies and has a strong Terraform community with a lot of shared pipelines.
A compromised IaC pipeline is one of the most dangerous attack vectors in modern infrastructure, so you want defense in depth.
| Security Need | Open-Source Option | Enterprise Solution | Key Capabilities |
|---|---|---|---|
| Static Analysis | tfsec, Checkov | Scalr, Terraform Cloud | Scan IaC templates for vulnerabilities before deployment |
| Policy Enforcement | Open Policy Agent | Scalr, Terraform Enterprise | Prevent non-compliant resources from being created |
| State Management | Remote backends | Scalr, Terraform Cloud | Encrypted state storage with access controls |
| Drift Detection | terraform plan | Scalr, Prisma Cloud | Identify unauthorized infrastructure changes |
| Secrets Management | HashiCorp Vault | Scalr, AWS Secrets Manager | Secure credential management without exposure |
Secure CI/CD Pipeline Configuration:
Principle of Least Privilege:
Enforce Security Policies as Code:
Continuous Monitoring and Verification:
Scalr is a platform designed specifically for Terraform and OpenTofu operations. While not a general CI/CD tool, Scalr provides extensive CI/CD-like features for infrastructure automation.
Scalr automates standard Terraform and OpenTofu commands (init, plan, apply), reducing manual intervention and potential errors. It integrates with version control systems, supporting GitOps workflows through two primary models:
Merge-Before-Apply: Changes proposed via PR, reviewed, then applied after merge.
Apply-Before-Merge: Teams validate changes from feature branches before mainline integration, similar to Atlantis.
Standard IaC workflows often require steps beyond automated plans and applies. Scalr's custom hooks allow integration of custom scripts at various stages:
Infrastructure components often have dependencies requiring coordinated provisioning. Scalr's run triggers manage these:
This cross-workspace run triggering is comparable to features in Terraform Cloud for managing infrastructure dependencies.

Scalr supports native integrations for building sophisticated automation:
AWS EventBridge:
Datadog Integration:
Slack & Teams Integration:
Scalr supports both managed execution and self-hosted agents:
Self-hosted agents add no platform cost: Scalr's per-run pricing includes private agents at no extra charge.
Self-hosted execution comes with failure modes of its own, mostly around container images and isolation semantics. A platform team we worked with at Scalr, running Docker agents on ECS, watched every module pull from public GitHub fail with fatal: unable to access 'https://github.com/...': Problem with the SSL CA cert (path? access rights?), git exit code 128, on every run. Their workaround, GIT_SSL_NO_VERIFY=true, is a flare rather than a fix, and the failures traced to two real bugs: the 1.0.0 Kubernetes agent ran tasks in an execution environment that had no CA certificates, and the slim agent image shipped without the ca-certificates package entirely. The fuller image had the certs, but its bundled tooling tripped the team's security scanners. The tension between slim images and kitchen-sink images bites from both directions. Both bugs were patched in 1.0.1, released the next day. If you build custom runner images, treat the CA bundle as a first-class dependency rather than something the base image probably includes.
Isolation is the other recurring surprise. A Scalr customer customizing self-hosted runners needed runs to read and write a host directory, and found that volume mounts into the agent container never appeared inside runs: with the Docker driver, each operation executes in its own per-run container, by design. Switching the agent to SCALR_AGENT_DRIVER=local runs operations inside the agent container itself, so mounts work, at the cost of a shared environment between runs. If you take that route, the isolation-preserving pattern is concurrency of 1 per agent, scaling out with replicas, so no two runs ever share a filesystem mid-flight. Sandboxed runs versus a shared environment is an explicit trade-off; know which one you have chosen.
Terraform testing has come a long way, and a multi-layered approach is now the accepted best practice.
1. Static Validation: Syntax checking, formatting validation, lint rules
2. Unit Testing: Individual module validation with mock providers
terraform test command (v1.6+) provides native module testing3. Integration Testing: Actual resource creation in isolated environments
4. End-to-End Testing: Complete environment provisioning tests
Teams balancing speed and safety tend to tier their tests:
The key insight: validate behavior, not syntax alone. Testing should verify that infrastructure actually behaves as expected: networks properly segment traffic, security groups enforce proper isolation, and data stores apply correct encryption.
More teams now spin up temporary environments for testing and validation, then tear them down afterward. Doing this:
Teams managing large infrastructure lean on smart caching:
Continuous verification pipelines regularly check for drift between defined and actual infrastructure state. These checks:
Mature GitOps implementations use:
Monitoring infrastructure deployments calls for different metrics than application deployments. The ones that tell you the most:
The teams that do this well wire Terraform outputs straight into their monitoring platforms, so infrastructure metrics feed back into future deployment decisions.
The pipelines that hold up over time treat every Terraform and OpenTofu run as a state transition with privileged credentials, not as a stateless code deploy. That single fact drives the rest of the design. Plan and apply get separated by a human approval gate so the applied change matches what was reviewed. State lives in an encrypted remote backend with locking. Service accounts get scoped down so a compromise can't reach the whole account. Tests run in tiers to keep feedback fast, and scheduled drift detection catches changes that arrive outside the pipeline.
Those patterns work the same on GitHub Actions, GitLab CI, Azure DevOps, Jenkins, Scalr, or an open-source alternative. Separating plan from apply gives you auditability and control. Scoping service-account permissions tightly keeps the blast radius of a compromise small. Layered testing catches problems early, security policy enforced as code blocks non-compliant changes automatically, and continuous drift detection keeps the running infrastructure aligned with your code over time.
Which platform fits depends on your existing ecosystem and how much deployment complexity you have to manage. The architectural patterns and security practices here carry over regardless of that choice, and the diagnostic stories above, the timed-out plan that needed a trace rather than more RAM, the empty OIDC token after a long approval wait, the missing CA bundle in a slim agent image, show what they look like when they break and how to fix each one.
✓ CI/CD for IaC requires state-aware architecture different from application deployment pipelines
✓ Separate plan and apply stages with mandatory human review to prevent accidental changes
✓ Implement defense-in-depth security including state encryption, credential management, policy enforcement, and drift detection
✓ Choose your platform based on ecosystem fit: GitHub Actions for GitHub shops, GitLab CI for GitLab, Azure DevOps for Microsoft environments, or platform-agnostic tools like Scalr
✓ Multi-layer testing strategies (static → unit → integration → E2E) catch issues early and prevent production incidents
✓ Implement comprehensive observability to track deployment metrics, drift percentage, and approval times
✓ GitOps principles (Git as source of truth, declarative configuration, automatic reconciliation) scale infrastructure automation across teams
✓ Continuous drift detection maintains infrastructure integrity over time regardless of manual changes
