Managing access as code through Terraform has become a standard for security and engineering teams. It brings access decisions into the same pipelines used for infrastructure, creating consistency and automation developers actually want to use. But as enterprises scale, new challenges tend to emerge – from coordinating across hundreds of accounts, to governing non-human identities (NHIs), to enforcing least privilege without slowing developers down.

How well those challenges are addressed depends heavily on the provider. Terraform itself is just the framework; the provider is what ultimately defines whether it can drive real governance at enterprise scale or merely support basic provisioning. This post highlights the patterns our team has seen in deployments across some of the fastest-growing enterprises – and how Opal’s provider makes them achievable.

Download metrics reveal concentrated market dynamics

The IAM market itself has grown to $19.15 billion in 2025, with projected expansion to $34.22 billion by 2030 at a 12.31% CAGR. This growth created a significant market opportunity for Opal, as we were one of the first identity vendors to address specific enterprise needs around cloud-native access management and developer-centric workflows. Today we serve a growing segment of technically sophisticated enterprises – approximately 45 enterprises, ranging from the Fortune 500 to hypergrowth startups.

Opal's Terraform provider surpasses 1M downloads.

Comprehensive capabilities surpass traditional IAM providers

Opal's Terraform provider enables unprecedented control over access management infrastructure through its distinctive architecture. The provider manages 19 core resource types including access rules, resources, groups, bundles, owners, and configuration templates, complemented by 35+ data sources for querying existing infrastructure state. This comprehensive coverage enables organizations to implement sophisticated access patterns entirely through code.

The provider's bundle architecture represents a unique innovation absent from competitors, allowing organizations to group related access configurations together for simplified management. For example, development teams can create a single bundle containing all AWS accounts, GitHub repositories, and SaaS tools needed for a project, then assign access to the entire bundle rather than managing individual resources. This approach significantly reduces configuration complexity while maintaining granular control.

Advanced governance capabilities distinguish Opal from traditional IAM providers. The platform implements machine learning-powered risk scoring that automatically prioritizes identity risks based on historical patterns, resource sensitivity, and behavioral intelligence. These AI capabilities integrate directly with Terraform workflows, enabling automated remediation of access risks through infrastructure-as-code practices. The provider also supports sophisticated approval workflows, with multi-stage approvals and on-call schedule integration that competitors typically handle through separate systems.

Opal's support for non-human identities and AI agents positions it uniquely for the emerging era of autonomous systems. While competitors focus primarily on human user management, Opal's Terraform provider natively handles service accounts, AI agents, and automated workloads with the same governance rigor applied to human identities. This capability proves increasingly critical as enterprises deploy AI agents requiring programmatic access to sensitive systems.

Enterprise adoption validates production scalability

Sophos represents the most comprehensive Terraform implementation case study, with their Principal Cloud Architect Guy Davies stating: "Opal fills the sweet spot of being a developer-friendly tool that we can drive solely through APIs and the Terraform provider, while giving us the features we need." Sophos manages 1,500+ developers across hundreds of AWS accounts and thousands of roles entirely through Opal's Terraform provider, generating configurations programmatically from YAML files and automating account creation through GitHub workflows. This implementation eliminated the need for additional headcount despite exponential growth in managed resources.

Elastic, the multi-billion dollar search and analytics company, orchestrates authorization directly through Terraform, with CISO Mandy Andress emphasizing how "Whether we're speeding up workflows with Slack, orchestrating authorization directly from Terraform, or using the API, Opal has helped us do more with less." This enterprise-scale deployment demonstrates the provider's capability to handle complex, distributed systems at significant scale.

Additional enterprise adopters include Databricks (using Opal in FedRAMP High environments), Grammarly (migrating 150+ applications and hundreds of production services), CoinList (managing cryptocurrency platform compliance), and Obsidian Security (protecting 25M+ users). These customers span diverse industries including cybersecurity, financial services, and technology platforms, validating the provider's flexibility across different regulatory and technical requirements.

Infrastructure-as-code delivers unique advantages

Opal's infrastructure-as-code philosophy extends beyond basic Terraform support to enable comprehensive GitOps workflows. Organizations implement policy-as-code practices where access policies undergo the same version control, code review, and testing processes as application code. This approach creates immutable audit trails through Git history, satisfying compliance requirements while maintaining development velocity.

The platform's event-driven architecture enables real-time synchronization across 200+ integrations, unlike batch-processed updates common in legacy systems. When infrastructure changes occur, access policies automatically adjust without manual intervention. This automation proves critical for organizations practicing continuous deployment, where traditional access management becomes a bottleneck.

Declarative access management through Terraform ensures predictable outcomes and enables drift detection. Security teams define desired access states rather than imperative procedures, with Opal's provider automatically reconciling actual state with declared intentions. This approach reduces configuration errors and simplifies troubleshooting compared to traditional GUI-based access management.

Opal's Terraform provider’s API-first design ensures every capability remains accessible programmatically, enabling custom integrations and automated workflows beyond standard Terraform usage. Sophos exemplifies this flexibility by generating Terraform configurations programmatically from YAML files, creating a multi-layered automation strategy that scales beyond traditional infrastructure-as-code practices.

Learn how to use Terraform to configure AWS resources, and manage Opal with infrastructure-as-code.

Conclusion

Opal's focused approach to developer-centric access management and infrastructure-as-code delivers clear advantages for technically sophisticated enterprises prioritizing automation, governance, and modern DevOps practices, like supporting JIT, break-glass, and separation-of-duties access. Learn how to use Opal’s Terraform provider in our documentation.