Originally published on kuryzhev.cloud

Copilot just autocompleted your security group with port 0–65535 open to the world — and terraform validate said it was fine. That's the GitHub Copilot Terraform security problem in one sentence: the suggestions are syntactically valid, pass every local check, and still destroy your security posture on first apply. We've seen it happen across three separate teams in the last six months, and the pattern is always the same: nobody noticed until a compliance scan flagged it post-deploy.

Symptoms

The signs aren't loud. That's what makes this dangerous. Here's what we actually observed before we locked things down.

Security group rules open to the world. Copilot autocompletes resource "aws_security_group" blocks with ingress { from_port = 0, to_port = 0, cidr_blocks = ["0.0.0.0/0"] }. It's valid HCL. It passes terraform validate. The first terraform plan shows a clean diff. Then on the second apply — after your existing state has been modified — you get a conflict you can't easily roll back.
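Because terraform validate only checks syntax and schema, a rule like the one above has to be caught by a policy check on the plan. The following is an added example, not code from the original post: a small Python check that reads the JSON produced by terraform show -json tfplan, walks resource_changes[].change.after, and flags any ingress reachable from 0.0.0.0/0 or ::/0, whether it is an inline ingress block on aws_security_group or a standalone aws_security_group_rule of type ingress. The sample plan is constructed for the example and places the Copilot-style all-ports rule beside a tightened rule so the difference is visible in the output; the function and constant names are the example's own.

```python
"""Flag world-open security group ingress in a Terraform plan (added example).

Assumes the JSON shape of `terraform show -json tfplan`:
resource_changes[].change.after holds the planned attributes.
"""
import json

ANY_IPV4 = "0.0.0.0/0"
ANY_IPV6 = "::/0"

# Constructed sample plan: the all-ports, all-protocols, world-open rule the
# post describes, beside a tightened rule limited to HTTPS from a private range.
SAMPLE_PLAN = json.dumps({
    "format_version": "1.2",
    "resource_changes": [
        {
            "address": "aws_security_group.copilot_suggested",
            "type": "aws_security_group",
            "change": {"actions": ["create"], "after": {
                "name": "app-sg",
                "ingress": [{"from_port": 0, "to_port": 0, "protocol": "-1",
                             "cidr_blocks": ["0.0.0.0/0"], "ipv6_cidr_blocks": []}],
            }},
        },
        {
            "address": "aws_security_group.tightened",
            "type": "aws_security_group",
            "change": {"actions": ["create"], "after": {
                "name": "app-sg-restricted",
                "ingress": [{"from_port": 443, "to_port": 443, "protocol": "tcp",
                             "cidr_blocks": ["10.0.0.0/8"], "ipv6_cidr_blocks": []}],
            }},
        },
        {
            "address": "aws_security_group_rule.ssh_anywhere",
            "type": "aws_security_group_rule",
            "change": {"actions": ["create"], "after": {
                "type": "ingress", "from_port": 22, "to_port": 22, "protocol": "tcp",
                "cidr_blocks": ["0.0.0.0/0"], "ipv6_cidr_blocks": ["::/0"],
            }},
        },
    ],
})


def describe_ports(rule):
    """Human-readable port/protocol summary; protocol "-1" means all traffic."""
    if str(rule.get("protocol")) == "-1":
        return "all ports, all protocols"
    return f"{rule.get('protocol')} {rule.get('from_port')}-{rule.get('to_port')}"


def _is_world_open(rule):
    cidrs = set(rule.get("cidr_blocks") or []) | set(rule.get("ipv6_cidr_blocks") or [])
    return ANY_IPV4 in cidrs or ANY_IPV6 in cidrs


def world_open_ingress(plan_json):
    """Return (address, description) for every planned ingress open to the world."""
    plan = json.loads(plan_json)
    findings = []
    for rc in plan.get("resource_changes", []):
        # Destroys have after == null; skip those and unrelated resource types.
        after = (rc.get("change") or {}).get("after") or {}
        if rc.get("type") == "aws_security_group":
            rules = after.get("ingress") or []
        elif rc.get("type") == "aws_security_group_rule" and after.get("type") == "ingress":
            rules = [after]
        else:
            continue
        for rule in rules:
            if _is_world_open(rule):
                findings.append((rc["address"], describe_ports(rule)))
    return findings


if __name__ == "__main__":
    import sys
    findings = world_open_ingress(SAMPLE_PLAN)
    for address, ports in findings:
        print(f"{address}: ingress open to the world ({ports})")
    # Non-zero exit so a CI step fails before apply, not after a compliance scan.
    sys.exit(1 if findings else 0)
```

Run it against a real plan with `terraform plan -out=tfplan && terraform show -json tfplan > plan.json` and pass the file contents to world_open_ingress; wiring it into the pipeline as a gate between plan and apply is what closes the window the post describes.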