Terraform Fundamentals - Why red teams should learn Terraform?
Why red teams should learn Terraform, and how Infrastructure as Code (IaC) can supercharge red team operations.
Modern organizations are moving fast. Their infrastructure isn’t confined to on-prem data centers anymore. It’s spread across AWS, Azure, GCP, Kubernetes clusters, and CI/CD pipelines. That means red teams need to think beyond endpoint access and lateral movement. They now need to simulate cloud-native attacks operating inside AWS, Azure, GCP, and beyond.
That’s where Terraform comes in. Terraform, originally a DevOps tool, lets you define infrastructure as code.
Follow my journey of 100 Days of Red Team on WhatsApp, Telegram or Discord.
Speed: From minutes to seconds
One of the most immediate benefits of using Terraform as a red teamer is the ability to spin up disposable attack infrastructure in minutes.
Let’s say you need:
- A redirector server 
- A domain to point to it 
- SSL enabled for HTTPS phishing 
- And automation to do it fast 
Doing this manually? That’s 15–30 minutes of clicking. With Terraform, the whole setup can be defined in a few lines of code and deployed in seconds (the following code is for representational purposes only and may not be accurate):
provider "aws" {
  region = "us-east-1"
}

resource "aws_instance" "redirector" {
  ami                         = "ami-0a0b913ef3249b655" # Ubuntu AMI (placeholder ID; use one valid in your region)
  instance_type               = "t2.micro"
  key_name                    = "my-redteam-key"
  associate_public_ip_address = true

  tags = {
    Name = "Redirector"
  }

  # Install nginx and drop in a single server block that answers every request with a 301.
  # The package manager and SSH user must match the AMI: apt and "ubuntu" for Ubuntu.
  # Writing under /etc/nginx needs root, hence "sudo tee" rather than a plain shell redirect.
  provisioner "remote-exec" {
    inline = [
      "sudo apt-get update && sudo apt-get install -y nginx",
      "sudo rm -f /etc/nginx/sites-enabled/default",
      "echo 'server { listen 80 default_server; return 301 https://example.com; }' | sudo tee /etc/nginx/conf.d/redirect.conf",
      "sudo systemctl enable nginx",
      "sudo systemctl restart nginx"
    ]

    connection {
      type        = "ssh"
      user        = "ubuntu"
      private_key = file("~/.ssh/my-redteam-key.pem")
      host        = self.public_ip
    }
  }
}

resource "aws_route53_record" "redirector_record" {
  zone_id = "Z3PAABBCFAKEID"
  name    = "redirector.example.com"
  type    = "A"
  ttl     = 300
  records = [aws_instance.redirector.public_ip]
}

Stealth: Disposable infrastructure with minimal footprint
Red team infrastructure often needs to disappear fast.
Terraform allows red teams to:
- Spin up infrastructure for a campaign 
- Use it just long enough for the objective 
- Tear it down instantly, leaving no trace 
Since the setup is code-based, every deployment is consistent.
Realism: Clone target environments
Another powerful use case is infrastructure cloning. Suppose a target organization has public S3 buckets, EC2 instances, or IAM roles that are visible to external users. With Terraform, red teams can replicate those exact conditions in their own sandbox.
Why does this matter?
- Red teams can practice exploitation safely 
- Fine-tune tools or payloads 
- Better understand target architecture 
This is incredibly useful for building realistic adversary simulations.
Persistence and cloud tradecraft
Let’s not forget about cloud persistence. More advanced operators are already using Terraform to hide in plain sight:
- Embedding malicious IAM roles 
- Backdooring infrastructure modules 
- Leveraging CI/CD pipelines to maintain persistence 
This kind of infrastructure-based persistence is difficult to detect and is often overlooked by blue teams.
Collaboration: Speak the language of DevOps
Learning Terraform puts red teams in a stronger position to collaborate with other teams. DevOps, SecOps, and engineering teams are already using tools like Terraform daily.
By learning Terraform, they can:
- Read production infrastructure like a DevOps engineer 
- Write offensive Terraform modules that simulate attacker behavior 
- Build detections or evasion directly into IaC pipelines 
This is key for working alongside detection engineering and purple team efforts.
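As an added example that is not part of this post or the 100 Days of Red Team series, the following Python script shows the kind of detection that can be built into an IaC pipeline: it reads `terraform show -json` plan output and reports any aws_iam_role whose trust policy lets a wildcard or a principal outside the owning account assume it, which is the trust-policy form of the embedded IAM role described in the persistence section. The plan JSON and the account ID are constructed.

```python
import json

OWN_ACCOUNT = "111111111111"  # assumed: the AWS account that owns this sandbox

# Constructed sample of `terraform show -json tfplan` output: one IAM role whose trust
# policy mixes an in-account principal, a service principal, a foreign account and "*".
SAMPLE_PLAN = json.dumps({"format_version": "1.2", "resource_changes": [{
    "address": "module.app.aws_iam_role.deploy",
    "type": "aws_iam_role",
    "change": {"actions": ["create"], "after": {
        "assume_role_policy": json.dumps({"Version": "2012-10-17", "Statement": [
            {"Effect": "Allow", "Action": "sts:AssumeRole",
             "Principal": {"AWS": "arn:aws:iam::111111111111:role/ci"}},
            {"Effect": "Allow", "Action": "sts:AssumeRole",
             "Principal": {"Service": "ec2.amazonaws.com"}},
            {"Effect": "Allow", "Action": "sts:AssumeRole",
             "Principal": {"AWS": ["arn:aws:iam::999999999999:root", "*"]}},
        ]}),
    }},
}]})

def _aws_principals(statement):
    """Yield each AWS principal of a statement; handles "*", a string or a list."""
    principal = statement.get("Principal", {})
    if principal == "*":
        yield "*"
        return
    aws = principal.get("AWS", []) if isinstance(principal, dict) else []
    yield from (aws if isinstance(aws, list) else [aws])

def find_untrusted_role_principals(plan_json, own_account):
    """Return (resource address, principal) for every aws_iam_role the plan creates
    or updates that a wildcard or a principal outside own_account may assume."""
    findings = []
    for rc in json.loads(plan_json).get("resource_changes", []):
        after = rc.get("change", {}).get("after") or {}  # "after" is null on delete
        if rc.get("type") != "aws_iam_role" or not after.get("assume_role_policy"):
            continue
        stmts = json.loads(after["assume_role_policy"]).get("Statement", [])
        for stmt in stmts if isinstance(stmts, list) else [stmts]:
            if stmt.get("Effect") != "Allow":
                continue
            for p in _aws_principals(stmt):
                if p == "*" or own_account not in p:  # bare IDs and ARNs both carry the account
                    findings.append((rc["address"], p))
    return findings

if __name__ == "__main__":
    print(find_untrusted_role_principals(SAMPLE_PLAN, OWN_ACCOUNT))
```

A non-empty result can fail the pipeline stage before `terraform apply` runs, so a trust policy widened in a module change is caught at review time rather than after deployment.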
TL;DR
Red teams should learn Terraform because they can use it to automate attack infrastructure, clone cloud environments, simulate real-world misconfigurations, and even embed persistence. It can be a force multiplier for them. It isn’t just for DevOps.