Introduction
In a Terraform Enterprise private registry, you may want to prevent users from publishing modules that are already available in the public Terraform Registry. This restriction helps maintain security and ensures that only approved, private modules are used within your organization.
This guide outlines the procedure for using a combination of team permissions, the tfe provider, and Sentinel policies to enforce this control.
Expected Outcome
After completing this procedure, you will have a system in place that programmatically blocks the publishing of modules from public sources to your private registry, allowing only modules from private, authorized repositories.
Prerequisites
- Administrative access to your Terraform Enterprise instance.
- A Terraform Enterprise API token with permission to manage the private registry (for example, the team token of the registry team created in step 1 below).
- A version control system (VCS) integrated with Terraform Enterprise.
- Familiarity with Sentinel policy-as-code.
Procedure
Follow these steps to restrict the publishing of public modules to your private registry.
1. Create a Dedicated Team for Registry Management

Create a team in Terraform Enterprise specifically for managing the registry. This team will be granted permissions to publish modules and providers. Even if the team has no human members and is used only by an automation pipeline, it serves as a dedicated principal for these actions, so its token and its permissions can be audited and revoked independently of any user.
2. Configure the tfe Provider

Set up the tfe provider in your Terraform configuration to interact with the Terraform Enterprise API. This enables you to manage registry modules and providers programmatically. Create a configuration file, such as main.tf, with the following content.

```hcl
terraform {
  required_providers {
    tfe = {
      source  = "hashicorp/tfe"
      version = ">= 0.41.0"
    }
  }
}

provider "tfe" {
  hostname = "<TFE_HOSTNAME>"
  # Do not commit a literal token. Omit this argument and let the pipeline
  # supply it through the TFE_TOKEN environment variable from a CI secret.
  token    = "<TFE_API_TOKEN>"
}
```

The token should be the registry team's token, not a personal user token, so that publishing rights stay tied to the dedicated principal from step 1.
3. Define a Module for Publishing

In your configuration, define a tfe_registry_module resource to manage a module in your private registry. For a VCS-backed module the module name and provider are derived from the repository name, which must follow the terraform-<PROVIDER>-<NAME> convention, and the module is published under your organization's own namespace in the private registry.

```hcl
resource "tfe_registry_module" "example" {
  organization = "<YOUR_ORG_NAME>"

  # Repository name must be terraform-<PROVIDER>-<NAME>; here the module is
  # "my-module" for provider "my-provider".
  vcs_repo {
    identifier         = "<YOUR_VCS_ORG>/terraform-my-provider-my-module"
    display_identifier = "<YOUR_VCS_ORG>/terraform-my-provider-my-module"
    oauth_token_id     = "<OAUTH_TOKEN_ID>"
  }
}
```

Note that the same resource type can also surface a public Terraform Registry module in your organization's registry (registry_name = "public" together with a public namespace and name, and no vcs_repo block). That is precisely the form the Sentinel policy in step 5 must reject, in addition to any vcs_repo identifier that points at a repository outside your private VCS organization.
4. Use a CI/CD Pipeline for Automation

Integrate your Terraform configuration into a CI/CD pipeline (e.g., GitLab CI, GitHub Actions). The pipeline should automatically trigger terraform apply when a new module version is ready for release, ensuring it is published to the Terraform Enterprise registry without manual intervention.

The run itself must execute in a Terraform Enterprise workspace (for example, a CLI-driven workspace using the cloud or remote backend, or an API-driven workspace) so that the policy set from step 5 is evaluated. A terraform apply executed against a local backend never passes through Sentinel and would bypass the control entirely.
5. Create a Sentinel Policy

Author a Sentinel policy to enforce security controls. Using the tfplan/v2 import, the policy should inspect every planned tfe_registry_module resource and fail the run if the resource references a public VCS repository (a vcs_repo identifier outside your private VCS organization) or uses registry_name = "public". Attach the policy to the workspace from step 4 in a policy set with the hard-mandatory enforcement level, so that a failing run cannot be overridden.
6. Configure Terraform Enterprise Permissions

In your Terraform Enterprise organization settings, configure permissions to restrict access. Ensure that only the dedicated team created in step 1 holds the "Manage Private Registry" organization permission (manage-modules in the API, and the organization_access.manage_modules argument of the tfe_team resource if you manage the team with the tfe provider). Members of the Owners team always have this permission, so keep that team small. This prevents other users from publishing modules directly through the UI or API and forces all changes through your automated, policy-checked pipeline.
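A Sentinel policy implementing step 5 for the tfe_registry_module resources managed in step 3, as an added example that is not part of the original page and not HashiCorp's own code. It uses the tfplan/v2 import, and the allow-listed VCS organization name `my-private-vcs-org` is a placeholder assumption. It goes slightly beyond the step's wording by also rejecting `registry_name = "public"`, the form that surfaces a public Terraform Registry module in the private registry without any VCS repository, and by rejecting resources with no vcs_repo block at all.

```sentinel
# Added example policy (tfplan/v2). Assumes it is attached, hard-mandatory,
# to the TFE workspace that applies the registry-management configuration.
import "tfplan/v2" as tfplan
import "strings"

# Assumption: the VCS organization(s) holding your private module repositories.
allowed_vcs_orgs = ["my-private-vcs-org"]

# Every tfe_registry_module this plan would create or update.
registry_modules = filter tfplan.resource_changes as _, rc {
	rc.type is "tfe_registry_module" and
		rc.mode is "managed" and
		(rc.change.actions contains "create" or rc.change.actions contains "update")
}

# True when the identifier is "<org>/<repo>" and <org> is allow-listed.
repo_is_private = func(identifier) {
	parts = strings.split(identifier, "/")
	if length(parts) is not 2 {
		return false
	}
	return parts[0] in allowed_vcs_orgs
}

# Returns a message describing why the planned module must be blocked,
# or null when the module comes from an approved private source.
violation_for = func(rc) {
	after = rc.change.after

	# registry_name = "public" imports a public Terraform Registry module
	# directly, with no VCS repository involved at all.
	if (after.registry_name else "private") is "public" {
		return rc.address + ": registry_name is \"public\""
	}

	repos = after.vcs_repo else []
	if length(repos) is 0 {
		return rc.address + ": no vcs_repo block; only VCS-backed private modules may be published"
	}

	identifier = repos[0].identifier else ""
	if not repo_is_private(identifier) {
		return rc.address + ": vcs_repo.identifier \"" + identifier +
			"\" is not in an allowed private VCS organization"
	}

	return null
}

violations = []
for registry_modules as _, rc {
	msg = violation_for(rc)
	if msg is not null {
		append(violations, msg)
	}
}

# Print each reason so the run log explains the failure.
for violations as msg {
	print(msg)
}

main = rule {
	length(violations) is 0
}
```

Test the policy offline with `sentinel test` against a tfplan/v2 mock generated from a plan of the step 3 configuration: one mock with an identifier inside `my-private-vcs-org` should pass, and mocks with an identifier in another organization or with `registry_name = "public"` should fail. The policy only sees values known at plan time; if the identifier were computed from another resource it would be absent from `change.after` and fall through to the empty-identifier branch, which is why the policy fails closed rather than skipping such resources.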
By following this procedure, you can ensure that only authorized modules from private sources are published to your private registry, maintaining the integrity and security of your environment.