Introduction
Terraform Enterprise (TFE) requires adherence to specific security and operational best practices. Misconfiguration of certain system-level features can lead to degraded functionality, compromised performance, or an unsupported state. This article outlines critical security practices and compliance considerations for maintaining a secure and operational Terraform Enterprise environment.
Scenario
When securing your Terraform Enterprise installation, it is essential to balance system hardening with operational requirements. Several system configurations are critical for Docker and Terraform Enterprise to function correctly. Review the following best practices to avoid common security-related issues.
Security and Compliance Recommendations
Recommendation 1: Maintain IPv4 Forwarding for Docker Networking
Docker relies on IPv4 forwarding to enable container networking. This is a core requirement for Docker, not specific to Terraform Enterprise.
If IPv4 forwarding is disabled, Docker logs may show the following warning, and networking will not function correctly.
level=warning msg="IPv4 forwarding is disabled. Networking will not work"
Disabling this setting can disrupt the Terraform Enterprise Admin UI and other networking functionalities.
Recommendation 2: Set Correct File Permissions for Docker
The /var/lib/docker directory and its subdirectories require 777 permissions (read, write and execute for owner, group and others). Setting a more restrictive mode, such as 755, breaks container operations and causes multiple containers to restart continuously. Keep 777 permissions unless the vendor explicitly advises otherwise.
Recommendation 3: Enable SUID and SGID Bits
Ensure that the SUID and SGID bits are enabled on /var/lib/docker. Removing these bits is not a tested or supported configuration and may cause unpredictable behavior in Terraform Enterprise.
Recommendation 4: Understand Credential Transmission Security
When you log in to Terraform Enterprise with a username and password, the credentials may be visible in the browser's developer tools during form submission. This is expected: developer tools show the request as the browser composes it, before it is encrypted, and does not mean the credentials travel in plaintext. They are encrypted in transit with Transport Layer Security (TLS), which is the accepted industry standard for protecting credentials during transmission.
Recommendation 5: Acknowledge Content Security Policy (CSP) Limitations
Terraform Enterprise does not currently support the Content-Security-Policy HTTP header. While this does not inherently make the application insecure, it may not meet the stringent CSP requirements of some compliance frameworks.