Terraform Fundamentals - Why red teams should learn Terraform
Why red teams should learn Terraform, and how Infrastructure as Code (IaC) can supercharge red team operations.
Modern organizations are moving fast. Their infrastructure isn’t confined to on-prem data centers anymore. It’s spread across AWS, Azure, GCP, Kubernetes clusters, and CI/CD pipelines. That means red teams need to think beyond endpoint access and lateral movement. They now need to simulate cloud-native attacks operating inside AWS, Azure, GCP, and beyond.
That’s where Terraform comes in. Originally a DevOps tool, Terraform lets you define infrastructure as code and deploy it the same way every time.
Follow my journey of 100 Days of Red Team on WhatsApp, Telegram or Discord.
Speed: From minutes to seconds
One of the most immediate benefits of using Terraform as a red teamer is the ability to spin up disposable attack infrastructure in minutes.
Let’s say you need:
A redirector server
A domain to point to it
SSL enabled for HTTPS phishing
And automation to do it fast
Doing this manually? That’s 15–30 minutes of clicking. With Terraform, the whole setup can be defined in a few lines of code and deployed in seconds (the following code is for illustration only and may not be accurate):
provider "aws" {
  region = "us-east-1"
}

resource "aws_instance" "redirector" {
  ami                         = "ami-0a0b913ef3249b655" # Ubuntu image; must match the "ubuntu" SSH user and the apt commands below
  instance_type               = "t2.micro"
  key_name                    = "my-redteam-key"
  associate_public_ip_address = true
  # Assumes the instance's security group allows inbound 22 (for the provisioner) and 80 (for the redirect).

  tags = {
    Name = "Redirector"
  }

  provisioner "remote-exec" {
    inline = [
      "sudo apt-get update -y",
      "sudo apt-get install -y nginx",
      # nginx only accepts `return` inside a server block, and writing under /etc/nginx needs root
      "echo 'server { listen 80; server_name redirector.example.com; return 301 https://example.com; }' | sudo tee /etc/nginx/conf.d/redirect.conf",
      "sudo systemctl enable nginx",
      "sudo systemctl restart nginx"
    ]

    connection {
      type        = "ssh"
      user        = "ubuntu"
      private_key = file("~/.ssh/my-redteam-key.pem")
      host        = self.public_ip
    }
  }
}

resource "aws_route53_record" "redirector_record" {
  zone_id = "Z3PAABBCFAKEID"
  name    = "redirector.example.com"
  type    = "A"
  ttl     = 300
  records = [aws_instance.redirector.public_ip]
}
Stealth: Disposable infrastructure with minimal footprint
Red team infrastructure often needs to disappear fast.
Terraform allows red teams to:
Spin up infrastructure for a campaign
Use it just long enough for the objective
Tear it down instantly, leaving no trace
Because the setup is defined in code, every deployment is identical, which makes it easy to rebuild or repeat.
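One caveat worth knowing on both sides of the engagement: terraform destroy removes the resources, but the create and delete API calls stay in the cloud provider's audit log (CloudTrail on AWS), so "no trace" only holds for the resources themselves. The Python below is an added example, not code from the original post: it pairs RunInstances and TerminateInstances records by instance id and flags instances that lived only minutes. The events are constructed to mimic CloudTrail's field layout with invented ids, ARNs and addresses, and the User-Agent check for Terraform is a heuristic assumption.

```python
"""Detect throw-away EC2 instances from CloudTrail-style audit events.

Added example, not code from the original post. The events below are
constructed to mimic CloudTrail's field layout; ids, ARNs and addresses
are invented, and the User-Agent test for Terraform is a heuristic.
"""
from datetime import datetime

TERRAFORM_UA = "APN/1.0 HashiCorp/1.0 Terraform/1.8.0 (+https://www.terraform.io)"

# Constructed sample events (CloudTrail-like shape, invented values).
SAMPLE_EVENTS = [
    {"eventTime": "2024-05-01T10:00:00Z", "eventName": "RunInstances",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:user/ci-deployer"},
     "sourceIPAddress": "203.0.113.10", "userAgent": TERRAFORM_UA,
     "responseElements": {"instancesSet": {"items": [{"instanceId": "i-0aaa111"}]}}},
    # Same instance torn down seven and a half minutes later.
    {"eventTime": "2024-05-01T10:07:30Z", "eventName": "TerminateInstances",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:user/ci-deployer"},
     "sourceIPAddress": "203.0.113.10", "userAgent": TERRAFORM_UA,
     "requestParameters": {"instancesSet": {"items": [{"instanceId": "i-0aaa111"}]}}},
    # Long-lived instance launched from the console: created 09:00, terminated 12:00.
    {"eventTime": "2024-05-01T09:00:00Z", "eventName": "RunInstances",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:user/alice"},
     "sourceIPAddress": "198.51.100.7", "userAgent": "console.ec2.amazonaws.com",
     "responseElements": {"instancesSet": {"items": [{"instanceId": "i-0bbb222"}]}}},
    {"eventTime": "2024-05-01T12:00:00Z", "eventName": "TerminateInstances",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:user/alice"},
     "sourceIPAddress": "198.51.100.7", "userAgent": "console.ec2.amazonaws.com",
     "requestParameters": {"instancesSet": {"items": [{"instanceId": "i-0bbb222"}]}}},
    # Termination whose launch lies outside the batch of events we have; skipped.
    {"eventTime": "2024-05-01T12:30:00Z", "eventName": "TerminateInstances",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:user/alice"},
     "sourceIPAddress": "198.51.100.7", "userAgent": "console.ec2.amazonaws.com",
     "requestParameters": {"instancesSet": {"items": [{"instanceId": "i-0ccc333"}]}}},
]


def parse_time(timestamp):
    return datetime.strptime(timestamp, "%Y-%m-%dT%H:%M:%SZ")


def instance_ids(event):
    """RunInstances reports new ids in responseElements; TerminateInstances
    echoes the requested ids in requestParameters."""
    key = "responseElements" if event["eventName"] == "RunInstances" else "requestParameters"
    items = (event.get(key) or {}).get("instancesSet", {}).get("items", [])
    return [item["instanceId"] for item in items]


def find_short_lived_instances(events, max_minutes=30):
    """Return one finding per instance terminated within max_minutes of launch."""
    launched = {}  # instance id -> RunInstances event
    findings = []
    for event in sorted(events, key=lambda e: parse_time(e["eventTime"])):
        if event["eventName"] == "RunInstances":
            for iid in instance_ids(event):
                launched[iid] = event
        elif event["eventName"] == "TerminateInstances":
            for iid in instance_ids(event):
                start = launched.pop(iid, None)
                if start is None:
                    continue  # launch not in this batch of events
                lifetime = parse_time(event["eventTime"]) - parse_time(start["eventTime"])
                minutes = lifetime.total_seconds() / 60
                if minutes <= max_minutes:
                    findings.append({
                        "instance_id": iid,
                        "lifetime_minutes": minutes,
                        "principal": start["userIdentity"]["arn"],
                        "source_ip": start["sourceIPAddress"],
                        # Heuristic: Terraform's AWS provider names itself in the User-Agent.
                        "via_terraform": "Terraform/" in start.get("userAgent", ""),
                    })
    return findings


if __name__ == "__main__":
    for finding in find_short_lived_instances(SAMPLE_EVENTS):
        print(finding)
```

On the sample data only i-0aaa111 is reported (7.5 minutes, launched by the CI principal with a Terraform User-Agent); the three-hour console instance and the termination with no matching launch are ignored. The threshold is deliberately a parameter, since a legitimate CI pipeline that builds and tears down test environments will produce the same pattern, and the principal and source IP in the finding are what lets an analyst tell the two apart.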
Realism: Clone target environments
Another powerful use case is infrastructure cloning. Suppose a target organization has public S3 buckets, EC2 instances, or IAM roles that are visible to external users. With Terraform, red teams can replicate those exact conditions in their own sandbox.
Why does this matter?
Red teams can practice exploitation safely
Fine-tune tools or payloads
Better understand target architecture
This is incredibly useful for building realistic adversary simulations.
Persistence and cloud tradecraft
Let’s not forget about cloud persistence. More advanced operators are already using Terraform to hide in plain sight:
Embedding malicious IAM roles
Backdooring infrastructure modules
Leveraging CI/CD pipelines to maintain persistence
This kind of infrastructure-based persistence is difficult to detect and is often overlooked by blue teams.
Collaboration: Speak the language of DevOps
Learning Terraform puts red teams in a stronger position to collaborate with other teams. DevOps, SecOps, and engineering teams already use tools like Terraform daily.
By learning Terraform, they can:
Read production infrastructure like a DevOps engineer
Write offensive Terraform modules that simulate attacker behavior
Build detections or evasion directly into IaC pipelines
This is key for working alongside detection engineering and purple team efforts.
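The cloning passage mentions public S3 buckets and IAM roles, the persistence passage mentions malicious IAM roles embedded in modules, and this section talks about building detections into IaC pipelines. The Python below is an added example, not code from the original post or from HashiCorp, that serves all three from the reviewer's side: it reads the JSON that terraform show -json tfplan produces and flags a public bucket ACL, a role trust policy that any AWS principal can assume, and a policy that allows every action on every resource. The plan document is constructed by hand to resemble the real format; its addresses, names and values are invented.

```python
"""Policy-as-code check over `terraform show -json tfplan` output.

Added example, not code from the original post or from HashiCorp. The plan
below is constructed to resemble Terraform's JSON plan format; its
addresses, names and values are invented.
"""
import json
import sys

PUBLIC_ACLS = {"public-read", "public-read-write", "authenticated-read"}

SAMPLE_PLAN = {
    "format_version": "1.2",
    "resource_changes": [
        {"address": "aws_s3_bucket_acl.logs", "type": "aws_s3_bucket_acl",
         "change": {"actions": ["create"],
                    "after": {"bucket": "corp-logs-sandbox", "acl": "public-read"}}},
        {"address": "aws_iam_role.helper", "type": "aws_iam_role",
         "change": {"actions": ["create"], "after": {
             "name": "helper",
             "assume_role_policy": json.dumps({"Version": "2012-10-17", "Statement": [
                 {"Effect": "Allow", "Principal": {"AWS": "*"}, "Action": "sts:AssumeRole"}]})}}},
        {"address": "aws_iam_policy.admin", "type": "aws_iam_policy",
         "change": {"actions": ["create"], "after": {
             "name": "admin",
             "policy": json.dumps({"Version": "2012-10-17", "Statement": [
                 {"Effect": "Allow", "Action": "*", "Resource": "*"}]})}}},
        # A normal role: only EC2 may assume it, so it must not be flagged.
        {"address": "aws_iam_role.app", "type": "aws_iam_role",
         "change": {"actions": ["create"], "after": {
             "name": "app",
             "assume_role_policy": json.dumps({"Version": "2012-10-17", "Statement": [
                 {"Effect": "Allow", "Principal": {"Service": "ec2.amazonaws.com"},
                  "Action": "sts:AssumeRole"}]})}}},
        # A deletion has no "after" state and is skipped.
        {"address": "aws_instance.web", "type": "aws_instance",
         "change": {"actions": ["delete"], "before": {"id": "i-0ddd444"}, "after": None}},
    ],
}


def as_list(value):
    return value if isinstance(value, list) else [value]


def policy_statements(policy_doc):
    """Accept the policy as a JSON string (how the AWS provider stores it) or a dict."""
    if isinstance(policy_doc, str):
        policy_doc = json.loads(policy_doc)
    return as_list(policy_doc.get("Statement", []))


def allows_any_principal(stmt):
    if stmt.get("Effect") != "Allow":
        return False
    principal = stmt.get("Principal")
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in as_list(principal.get("AWS", []))


def allows_everything(stmt):
    return (stmt.get("Effect") == "Allow"
            and "*" in as_list(stmt.get("Action", []))
            and "*" in as_list(stmt.get("Resource", [])))


def check_plan(plan):
    """Return (resource address, reason) pairs for every flagged change."""
    findings = []
    for change in plan.get("resource_changes", []):
        after = change.get("change", {}).get("after")
        if not after:
            continue  # deletions, and values only known after apply, carry nothing to inspect
        rtype, address = change["type"], change["address"]
        if rtype == "aws_s3_bucket_acl" and after.get("acl") in PUBLIC_ACLS:
            findings.append((address, "bucket ACL grants public access"))
        elif rtype == "aws_iam_role":
            if any(allows_any_principal(s) for s in policy_statements(after.get("assume_role_policy", "{}"))):
                findings.append((address, "trust policy lets any AWS principal assume the role"))
        elif rtype in ("aws_iam_policy", "aws_iam_role_policy"):
            if any(allows_everything(s) for s in policy_statements(after.get("policy", "{}"))):
                findings.append((address, "policy allows every action on every resource"))
    return findings


if __name__ == "__main__":
    # Pipe a real plan in (terraform show -json tfplan | python check_plan.py) or run on the sample.
    plan = SAMPLE_PLAN if sys.stdin.isatty() else json.load(sys.stdin)
    results = check_plan(plan)
    for address, reason in results:
        print(f"{address}: {reason}")
    sys.exit(1 if results else 0)
```

Run as a pipeline step after terraform plan -out=tfplan, the non-zero exit blocks the merge until someone looks at the flagged resources. The check works on the plan rather than the .tf files on purpose: a backdoored module or a policy assembled from variables only shows its final shape in the plan, and attributes that are unknown until apply appear under after_unknown rather than after, which is why an empty after is skipped rather than treated as safe.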
TL;DR
Red teams should learn Terraform because they can use it to automate attack infrastructure, clone cloud environments, simulate real-world misconfigurations, and even embed persistence. It can be a force multiplier for them. It isn’t just for DevOps.