Problem
Network security scanners or analytics engines may report that a Terraform Enterprise instance is making an outbound connection to the following endpoint:
https://cdn.segment.com/analytics.js/v1/segment-dev/analytics.min.js
This can raise security concerns for organizations that require all outbound network traffic to be approved.
Cause
This behavior occurs because Terraform Enterprise shares a common codebase with HCP Terraform.
- HCP Terraform uses Segment for product analytics to improve the user experience.
- Terraform Enterprise does not collect or send any analytics data.
The setting that includes the analytics script is configured at build time, not at run time. As a result, the script is loaded in Terraform Enterprise, but it remains inactive and non-functional.
Solution
Although the analytics script is present in the codebase, it is non-functional in Terraform Enterprise. No data is sent to segment.io, and the endpoint is configured to be inaccessible, often returning a 404 status. This is expected behavior and does not pose a security risk.
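One way to check this claim against your own egress proxy logs, as an added example that is not HashiCorp's code. The log format (time, source, method, target, status, bytes out), every sample line, and the label names are assumptions made for this example.

```python
from urllib.parse import urlsplit

# URL quoted in the article: the analytics script that scanners flag.
SCRIPT = urlsplit("https://cdn.segment.com/analytics.js/v1/segment-dev/analytics.min.js")
SEGMENT_SUFFIXES = ("segment.com", "segment.io")

# Constructed sample; assumed format: time source method target status bytes_out
SAMPLE_LOG = """\
2024-05-01T10:00:01Z 10.0.4.12 GET https://cdn.segment.com/analytics.js/v1/segment-dev/analytics.min.js 404 0
2024-05-01T10:00:02Z 10.0.4.12 CONNECT cdn.segment.com:443 200 0
2024-05-01T10:00:03Z 10.0.4.12 GET https://registry.example.com/v1/modules 200 0
2024-05-01T10:00:04Z 10.0.4.12 POST https://api.segment.io/v1/example 200 512
2024-05-01T10:00:05Z 10.0.4.12 GET https://notsegment.com/x 200 0
"""

def is_segment_host(host):
    """Exact or subdomain match, so look-alikes such as notsegment.com are ignored."""
    host = (host or "").lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in SEGMENT_SUFFIXES)

def classify(line):
    """Return None for unrelated traffic, otherwise a label for the Segment entry."""
    parts = line.split()
    if len(parts) != 6:
        return None  # not in the assumed format
    method, target = parts[2], parts[3]
    # CONNECT entries (proxy without TLS inspection) carry host:port only.
    url = urlsplit(target if "://" in target else "//" + target)
    if not is_segment_host(url.hostname):
        return None
    if url.hostname == SCRIPT.hostname:
        if method == "GET" and url.path == SCRIPT.path:
            return "script-fetch"        # the request the article describes
        if method == "CONNECT":
            return "script-host-tunnel"  # path hidden by TLS; host matches only
    return "review"  # any other Segment traffic contradicts "no data is sent"

def summarize(log_text):
    """Count Segment-related entries per label."""
    counts = {}
    for line in log_text.splitlines():
        label = classify(line)
        if label:
            counts[label] = counts.get(label, 0) + 1
    return counts

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

A non-zero `review` count is the signal to investigate. `script-host-tunnel` entries confirm only the host, so pair them with TLS-inspecting or browser-side evidence if the path matters.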
Additional Information
For more details on Terraform Enterprise security and architecture, please refer to the official documentation.