Introduction
Terraform Enterprise (TFE) requires adherence to specific security and operational best practices. Misconfiguration of certain system-level features can lead to degraded functionality, compromised performance, or unsupported states. This article outlines critical security practices and compliance considerations for maintaining a secure and operational Terraform Enterprise environment.
Scenario
While securing your Terraform Enterprise setup, it is essential to understand the balance between hardening the system and maintaining its operational requirements. Several system configurations are critical for Docker and Terraform Enterprise to function properly. Below are common security-related scenarios and best practices you should be aware of:
1. IPv4 Forwarding Requirement
- Why it matters: Docker relies on IPv4 forwarding to enable container networking. This is not unique to TFE but a core requirement for Docker itself.
- What happens if it's disabled: When IPv4 forwarding is disabled, you may see the following warning in Docker logs:
  level=warning msg="IPv4 forwarding is disabled. Networking will not work"
- Impact: Disabling this setting can disrupt Terraform Enterprise's Admin UI and general networking functionalities.
2. ARP Protocol Should Not Be Disabled
- Warning: Disabling ARP (Address Resolution Protocol) on TFE hosts is not supported.
- Support limitation: If you disable ARP, the Terraform support team will not be able to assist with issues arising from this configuration.
- Reason: ARP is essential for basic networking operations. Disabling it may cause TFE to fail unpredictably.
3. File Permissions on /var/lib/docker
- Required Permissions: The directory /var/lib/docker and its subdirectories must be set to 777.
- Do not set to 755: Doing so breaks container operations, causing multiple containers to restart continuously.
- Recommendation: Maintain 777 permissions unless explicitly advised otherwise by the vendor.
4. SUID and SGID Bit Settings
- Recommendation: Ensure that the SUID and SGID bits are enabled on /var/lib/docker.
- Impact of disabling: Removing these bits is not tested or supported and may cause unpredictable behavior in TFE.
5. Credentials and Plain Text Transmission
- Observation: When logging into TFE using "Username or email" and "Password", the credentials appear visible in browser developer tools.
- Clarification: These credentials are encrypted via TLS upon transmission and not actually sent in plaintext.
- Industry standard: Client-side encryption of passwords is not considered best practice; using TLS is the accepted standard.
6. Content Security Policy (CSP)
- Current Limitation: TFE does not currently support the Content-Security-Policy HTTP header.
- Security implication: While this doesn't make TFE insecure, it may fall short of some stringent CSP requirements in certain compliance frameworks.
Recommendation
- Follow Terraform Enterprise's official system requirements and hardening guides.
- Do not alter core networking or file permission configurations without verifying impact on Docker and Terraform Enterprise.
- Implement network-level encryption (TLS) and control access via firewalls and proper authentication mechanisms.
- Avoid unsupported customizations such as disabling ARP or modifying SUID/SGID bits unless explicitly directed by support.