Problem
If someone gains access to a public registry, they can publish any publicly available module to a private registry, which may compromise security and safety.
Expected Outcome
Users should not be able to publish modules available in the public registry to the private registry.
Procedure
To prevent modules from being published from the public registry to a private registry, follow the steps outlined below:
1. Create a Dedicated Team for Registry Management
- Create a team specifically responsible for managing the registry. Even if the team doesn't have actual members, it should have the necessary permissions to handle module and provider publishing in the registry.
2. Configure the tfe Provider in Your Terraform Configuration
- Set up the tfe provider so that Terraform can talk to the TFE (Terraform Enterprise) API, which lets you manage registry modules and providers as code. Example:
  provider "tfe" {
    hostname = "tfe.example.com"   # hostname of your TFE instance (no scheme or path)
    token    = "your-api-token"    # API token of the registry-management team; prefer the TFE_TOKEN env var
  }
3. Publish a Module/Provider to the Registry
- Define a resource to publish a module or provider, such as:
  resource "tfe_registry_module" "test" {
    organization  = "my-org"
    # "private" publishes to the organization's private registry; "public"
    # would mirror a public registry module, which this procedure forbids.
    registry_name = "private"
    # The module source is a private VCS repository (named terraform-<PROVIDER>-<NAME>),
    # not a module from the public registry.
    vcs_repo {
      display_identifier = "my-org/terraform-aws-my-module"
      identifier         = "my-org/terraform-aws-my-module"
      oauth_token_id     = "your-vcs-oauth-token-id"   # placeholder
    }
  }
4. Use a CI/CD Pipeline for Automation
- Integrate a CI/CD pipeline (e.g., GitLab CI, GitHub Actions) to automatically trigger the publishing process once a module or provider is ready. This will ensure that the module is automatically published to the TFE registry.
5. Create a Sentinel Policy
- Create a Sentinel policy to enforce security controls. This policy will block the publishing of modules/providers that reference public repositories, ensuring that only private sources are used for module publishing.
6. Configure TFE Permissions
- Set up permissions within Terraform Enterprise (TFE) to restrict access. Ensure that the dedicated team can publish modules but does not have direct access to manage or modify the source code of modules/providers. This can be managed via teams and roles in TFE.
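The policy from step 5, written out as an added example that is not part of the original article. It assumes the tfconfig/v2 Sentinel import, that the policy set is attached to the workspace holding the step 3 configuration, and that your TFE hostname is the placeholder tfe.example.com.

```sentinel
# Added example: deny publishing to the public registry and deny module
# sources that do not come from this organization's private registry.
import "tfconfig/v2" as tfconfig
import "strings"

# Hostname of your own TFE instance (placeholder); anything else is "public".
private_host = "tfe.example.com"

# 1. tfe_registry_module resources must target the private registry.
#    registry_name defaults to "private" when it is not set.
registry_modules = filter tfconfig.resources as _, r {
	r.type is "tfe_registry_module"
}

public_registry_modules = filter registry_modules as _, r {
	(r.config.registry_name.constant_value else "private") is "public"
}

# 2. Module calls must reference the private registry or a local path,
#    never registry.terraform.io or another external host.
is_private_source = func(source) {
	return strings.has_prefix(source, private_host + "/") or
		strings.has_prefix(source, "./") or
		strings.has_prefix(source, "../")
}

public_module_sources = filter tfconfig.module_calls as _, mc {
	not is_private_source(mc.source)
}

# Report offenders in the run log before failing the policy.
report = func() {
	for public_registry_modules as addr, _ {
		print("public registry target:", addr)
	}
	for public_module_sources as _, mc {
		print("public module source:", mc.source)
	}
	return true
}

main = rule when report() {
	length(public_registry_modules) is 0 and
		length(public_module_sources) is 0
}
```

Enforce it as hard-mandatory so a run that would publish a public-sourced module cannot be overridden.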
By following this procedure, you will ensure that only authorized modules from private sources can be published in the private registry, maintaining the integrity and security of your registry environment.