Problem
By default, Terraform Enterprise Flexible Deployment Options (FDO) do not prevent remote workers from accessing the Instance Metadata Service (IMDS). In legacy Replicated deployments, the `restrict_worker_metadata_access` setting managed this by creating an iptables rule that disallowed traffic to `169.254.169.254` from the worker's Docker network.
This setting is not available in FDO. Instead, Terraform Enterprise provides the necessary configuration primitives for you to implement this restriction directly.
HashiCorp recommends blocking Terraform operations from accessing the instance metadata endpoint, unless your workspaces rely on the instance profile to provide credentials to runs.
Solutions
This guide provides procedures for blocking remote worker access to the IMDS for both Docker/Podman and Kubernetes deployments.
Solution 1: For Docker or Podman Deployments
Follow these steps to configure the access block in a Docker or Podman deployment.
- Create a user-defined Docker bridge network on each Terraform Enterprise node for the remote agent containers. For Podman, refer to these instructions.
- Add the `TFE_RUN_PIPELINE_DOCKER_NETWORK` option to your Terraform Enterprise configuration. Set its value to the name of the user-defined bridge network you created.
- Create an `iptables` rule on each node to block traffic to the IMDS from any source IP on this new network. Replace `<CUSTOM_DOCKER_NETWORK_NAME>` with the name of your network.

```shell
# Look up the subnet of the user-defined network, then insert a DROP rule at the
# top of the DOCKER-USER chain so it is evaluated before Docker's own rules.
cidr=$(docker network inspect <CUSTOM_DOCKER_NETWORK_NAME> -f '{{range.IPAM.Config}}{{.Subnet}}{{end}}') && \
  iptables -I DOCKER-USER \
    -s ${cidr} \
    -d 169.254.169.254 \
    -m comment \
    --comment "block terraform workers from connecting to IMDS" \
    -j DROP
```
Solution 2: For Kubernetes Deployments
In Kubernetes, you can implement one of the following solutions to block IMDS access.
- Use a Cloud Provider Setting: If you use a cloud provider-managed Kubernetes service, enable any available cluster settings to block access. For example, Azure Kubernetes Service (AKS) provides the `--enable-imds-restriction` setting.
- Configure a Network Policy: Create a Kubernetes NetworkPolicy that blocks egress traffic to the IMDS endpoint (`169.254.169.254`) from the agents namespace.
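A NetworkPolicy that implements the second option, added here as an illustration rather than taken from the article or HashiCorp's reference material. The namespace name `tfe-agents` and the `kube-system` DNS namespace label are assumptions to adapt, and the cluster's CNI must enforce NetworkPolicy for it to have any effect.

```yaml
# Added example (not from the HashiCorp article): deny egress from agent pods
# to the IMDS address while leaving all other egress open.
# Assumed: agent pods run in the "tfe-agents" namespace (placeholder) and the
# CNI plugin enforces NetworkPolicy objects.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: block-imds-egress
  namespace: tfe-agents
spec:
  # An empty podSelector matches every pod in the namespace, so the policy
  # covers all agent pods regardless of their labels.
  podSelector: {}
  policyTypes:
    - Egress
  egress:
    # ipBlock rules are defined for cluster-external addresses, and some CNIs
    # do not match in-cluster pod traffic against them, so cluster DNS is
    # allowed explicitly. Adjust the namespace label if your DNS lives elsewhere.
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: kube-system
      ports:
        - protocol: UDP
          port: 53
        - protocol: TCP
          port: 53
    # Allow all other egress, carving out the link-local IMDS address. Once any
    # egress rule exists, traffic not matched by some rule is dropped, so
    # 169.254.169.254 is denied.
    - to:
        - ipBlock:
            cidr: 0.0.0.0/0
            except:
              - 169.254.169.254/32
```

After applying it, confirm from a pod in the namespace that a request to http://169.254.169.254/ times out while DNS resolution and outbound HTTPS to your VCS and providers still succeed.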
Important Considerations
After implementing these changes, any workspaces that rely on sourcing credentials from the IMDS will no longer function correctly. You must reconfigure these workspaces with an alternative authentication method.
Additional Information
- Restrict Terraform Build Worker Metadata Access
- Terraform Enterprise configuration reference
- For more information on instance metadata services, refer to the documentation for AWS, Azure, or Google Cloud.