Security Primer Flashcards
Can you take a single TF file and have resources being deployed to different regions?
Yes. A single configuration can deploy resources to several regions; a common requirement is that different resource types in the same configuration land in separate regions. This is done by declaring more than one configuration of the same provider (one per region) and telling each resource which one to use.
What is an alias meta-argument?
Each provider can have one default configuration and any number of alternate configurations that carry an extra name segment (the "alias"). Resources reference an alternate configuration as <provider>.<alias>.
Ex:
provider "aws" {
  region = "ap-southeast-1"   # default configuration (no alias)
}

provider "aws" {
  alias  = "mumbai"
  region = "ap-south-1"       # alternate configuration, referenced as aws.mumbai
}
How do you associate a specific resource with a specific region?
Add the provider meta-argument to the resource, referencing the alias of the provider configuration for that region. If the meta-argument is omitted, the default configuration is used.
Ex:
resource "resource_type" "name" {
  provider = aws.mumbai
  name     = "name"
}
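Added example (not from the original cards): a complete multi-region configuration that puts the alias and provider meta-argument cards together. It also shows the case the cards do not mention, passing an alternate configuration into a child module, which needs a providers map because child modules do not inherit aliased configurations. Bucket names, key descriptions and the module path are assumptions.

```hcl
terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 4.0"
    }
  }
}

# Default configuration: anything without a provider meta-argument lands here.
provider "aws" {
  region = "ap-southeast-1"
}

# Alternate configuration, referenced as aws.mumbai.
provider "aws" {
  alias  = "mumbai"
  region = "ap-south-1"
}

# Bucket names are assumptions; S3 bucket names must be globally unique.
resource "aws_s3_bucket" "singapore_logs" {
  bucket = "example-logs-ap-southeast-1"   # uses the default provider
}

resource "aws_s3_bucket" "mumbai_logs" {
  provider = aws.mumbai                    # explicitly routed to ap-south-1
  bucket   = "example-logs-ap-south-1"
}

# KMS keys are regional, so the same resource type is created once per
# provider configuration; rotation is enabled on both.
resource "aws_kms_key" "singapore" {
  description         = "log encryption key, ap-southeast-1"
  enable_key_rotation = true
}

resource "aws_kms_key" "mumbai" {
  provider            = aws.mumbai
  description         = "log encryption key, ap-south-1"
  enable_key_rotation = true
}

# Child modules only inherit the default configuration automatically;
# an alternate configuration has to be handed over explicitly.
# The module path is an assumption.
module "mumbai_network" {
  source = "./modules/network"
  providers = {
    aws = aws.mumbai
  }
}
```

Inside the child module, `aws` then means the Mumbai configuration, so nothing in the module needs to know about the alias. Check the result with `terraform plan`: each resource's planned region is visible in its attributes, and a wrong alias shows up before anything is created.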
What are sensitive parameters?
Marking a variable or output value as sensitive (sensitive = true) tells Terraform to redact it in plan and apply output and in terraform output, so it is not accidentally exposed in CLI or log output. The value is still written to the state file in plain text, so the state itself must be protected.
How do you redact/use sensitive parameters to hide text from being displayed in clear text?
Add the line (a boolean, not a quoted string) to the variable or output block:
sensitive = true
What is another way that you can redact information for an entire file?
Use the local_sensitive_file resource from the hashicorp/local provider instead of local_file; its content is treated as sensitive and redacted in plan output.
Ex:
resource "local_sensitive_file" "foo" {
  content  = "text"
  filename = "filename.txt"
}
Can you reference sensitive information in output values?
Only if the output itself is marked sensitive = true. If an output references a sensitive value without that marking, terraform plan/apply fails with an error saying the output refers to sensitive values. Marking the output sensitive redacts it in normal CLI output; terraform output -raw or -json still show the real value, and it is stored in state.
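Added example (not from the original cards) covering the sensitive-variable, local_sensitive_file and sensitive-output cards in one configuration. The hostname, variable name and file path are assumptions.

```hcl
# Input marked sensitive: its value is redacted in plan/apply output.
# Supply it via TF_VAR_db_password or a tfvars file, never as a default.
variable "db_password" {
  description = "Database master password"
  type        = string
  sensitive   = true

  validation {
    condition     = length(var.db_password) >= 16
    error_message = "db_password must be at least 16 characters."
  }
}

# Anything derived from a sensitive value is itself sensitive.
# The hostname is an assumption.
locals {
  db_url = "postgres://app:${var.db_password}@db.internal:5432/app"
}

# Writing a secret to disk: local_sensitive_file keeps the content out of
# plan output and defaults file_permission to 0700, unlike local_file (0777).
resource "local_sensitive_file" "db_env" {
  content  = "DATABASE_URL=${local.db_url}\n"
  filename = "${path.module}/.env"
}

# This output must carry sensitive = true because it references a sensitive
# value; without it, terraform plan fails ("Output refers to sensitive values").
output "db_url" {
  value     = local.db_url
  sensitive = true
}

# nonsensitive() strips the marking. It is only acceptable here because the
# extracted part (host:port/db) is not secret; never use it to expose a secret.
output "db_host" {
  value = nonsensitive(split("@", local.db_url)[1])
}
```

After apply, `terraform output db_url` prints `<sensitive>`, while `terraform output -raw db_url` prints the full URL and the state file contains it verbatim: the sensitive flag is a display control, not encryption.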
What are some of the benefits with mature providers when it comes to sensitive information?
Mature providers mark secret-bearing arguments as sensitive in their schema, so Terraform redacts them in plan and apply output without any extra configuration on your side. The value is still written to state in plain text.
Ex: the AWS provider marks the password argument of aws_db_instance as sensitive.
Whats the Hashicorp Vault?
HashiCorp Vault lets organizations securely store and control access to secrets, both static secrets and dynamic (short-lived, generated on demand) credentials such as tokens, passwords and certificates, together with the access management (authentication, policies, leases) needed to protect them.
This discipline is commonly called "secrets management".
Secrets can include DB passwords, AWS access/secret keys, API tokens, encryption keys, and others.
Can vault send credentials to user’s requesting them?
Yes. A client authenticates to Vault (token, AppRole, cloud IAM and other auth methods), Vault checks its policies and returns the secret; for dynamic secrets engines it generates a short-lived credential with a lease that can be revoked. Access management for secrets is therefore handled by Vault.
Whats an important note with interacting with Vault from terraform?
Any secret that Terraform reads from or writes to Vault is persisted in plain text in Terraform's state file and in any saved plan file.
You must therefore secure the state (and plan files): use a remote backend with encryption at rest, locking and strict access control, and prefer short-lived dynamic credentials so that whatever lands in state expires quickly.
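Added example (not from the original cards): reading a database password from Vault's KV v2 engine with the hashicorp/vault provider and feeding it to aws_db_instance, with the state kept in an encrypted, locked remote backend because that state will contain the password. The bucket, table, mount and secret names are assumptions; VAULT_ADDR and VAULT_TOKEN are taken from the environment.

```hcl
terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 4.0"
    }
    vault = {
      source  = "hashicorp/vault"
      version = "~> 3.0"
    }
  }

  # State holds everything read from Vault in plain text, so keep it off
  # local disk: encrypted remote backend, locking, tight IAM on both.
  # Bucket and table names are assumptions.
  backend "s3" {
    bucket         = "example-terraform-state"
    key            = "db/terraform.tfstate"
    region         = "ap-southeast-1"
    encrypt        = true
    dynamodb_table = "example-terraform-locks"
  }
}

# Address and token come from VAULT_ADDR / VAULT_TOKEN; nothing is hard-coded.
provider "vault" {}

provider "aws" {
  region = "ap-southeast-1"
}

# Read a KV v2 secret. Mount and name are assumptions; the provider marks the
# returned data map as sensitive, so it is redacted in plan output.
data "vault_kv_secret_v2" "db" {
  mount = "secret"
  name  = "app/db"
}

resource "aws_db_instance" "app" {
  identifier        = "app-db"
  engine            = "postgres"
  instance_class    = "db.t3.micro"
  allocated_storage = 20
  username          = "app"

  # password is sensitive in the provider schema, so plan output shows
  # (sensitive value); it is nevertheless written to the state file.
  password = data.vault_kv_secret_v2.db.data["password"]

  storage_encrypted   = true
  skip_final_snapshot = true
}
```

Do not commit saved plan files (`terraform plan -out=...`) or copies of the state to version control: both contain the password in the clear. Rotating the secret in Vault alone does not help until the next apply refreshes the value in state.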
What are challenges with version of plugins/terraform
Terraform itself and each provider plugin are released and versioned independently, so a configuration that works with one combination of versions may fail with another.
Solution: version constraints
What are version constraints as a refresher?
Version constraints written in the configuration itself (required_version for the Terraform CLI, required_providers for plugins) determine which versions of each dependency are potentially compatible.
After selecting a specific version of each dependency Terraform remembers the decisions it made in a dependency lock file so that it can (by default) make the same decisions in the future.
Whats the name of the dependency lock file?
.terraform.lock.hcl
The dependency lock file was generated under the constraint ~> 4.0 (meaning >= 4.0 and < 5.0) and recorded 4.62.0. A newer version, 4.72.0, is now available. Will terraform init download it?
No. Once the lock file records 4.62.0, terraform init keeps selecting 4.62.0 even though 4.72.0 satisfies the constraint. The lock file, not the constraint, decides until you explicitly upgrade.
How do you upgrade to a specific version of the provider plugin?
terraform init -upgrade selects the newest version allowed by the constraints and rewrites the lock file. To move to a specific version, first tighten the constraint to that version (e.g. version = "4.72.0") and then run terraform init -upgrade. Commit the updated .terraform.lock.hcl so every run uses the same selection.
What is also added to the lock file when installing a particular provider for the first time?
Terraform will pre-populate the hash values with any checksums that are covered by the provider developer's cryptographic signature, which usually covers all of the available packages for that provider version across all supported platforms. If only the current platform's hash was recorded, terraform providers lock -platform=... adds the others so that init verifies the package on every platform the team uses.
Does the dependency lock file remember version selections for remote modules?
No, it only tracks provider dependencies.
For remote modules Terraform always selects the newest available version that meets the constraint in the module block, so a loose module constraint can change what gets deployed between two runs with no change to the configuration.
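Added example (not from the original cards) for the version-constraint and lock-file cards: a terraform block with CLI and provider constraints, and a registry module pinned exactly because the lock file does not cover modules. The module version and the provider version ranges are assumptions.

```hcl
terraform {
  # Pin the CLI range too: .terraform.lock.hcl records providers, not the
  # Terraform version that produced it.
  required_version = ">= 1.3.0, < 2.0.0"

  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 4.0"    # >= 4.0, < 5.0; the lock file then freezes the exact pick
    }
    local = {
      source  = "hashicorp/local"
      version = "~> 2.4"    # >= 2.4, < 3.0
    }
  }
}

# Modules are NOT tracked by the lock file: with a loose constraint such as
# "~> 5.0", each init could silently pull a newer module. Pin exactly and
# bump deliberately. The version value is an assumption.
module "vpc" {
  source  = "terraform-aws-modules/vpc/aws"
  version = "5.1.2"
}
```

After `terraform init`, the generated .terraform.lock.hcl contains one `provider "registry.terraform.io/hashicorp/aws"` block with the selected `version`, the `constraints` string copied from the configuration, and a `hashes` list (`h1:` and `zh:` entries) that init verifies on every later run; a provider package whose checksum does not match is rejected, which is what makes the lock file a supply-chain control and not just a convenience. Nothing equivalent exists for the module block above, so its exact version pin is the only protection.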