2025-11-24 13:57:51
Infosec game: what is obviously wrong with this #Terraform provider?
https://registry.terraform.io/providers/tenstad/remote/latest/docs/resources/file<…
Yet another gotcha when implementing a #Terraform resource with a WriteOnly attribute: since there is no state kept between runs, you cannot require replacement of the resource if the configured value changes because there is nothing to compare it to 🙃
In my case, the WriteOnly attribute contains file content, so the WriteOnly attribute value is hashed and the hash is stored as part o…
I just published an update to my #terraform #opentofu provider "remotefs": https://registry.terrafo…
Many #Terraform providers using SSH do not check the SSH host key... they just run with ssh.InsecureIgnoreHostKey...
And to be honest, it is partly the fault of the SSH standard library, which makes it super easy to ignore the host key and does not provide any useful built-in key verification function. People are lazy. ssh.FixedHostKey is niche.
So I implemented a small library to v…
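Added example, not the author's library or any provider's code: a standard-library-only Go sketch contrasting an accept-anything host key check with a pinned-fingerprint check that fails closed. `ignoreHostKey`, `verifyPinned`, the pin map, the host name and the key bytes are constructed for illustration; with golang.org/x/crypto/ssh the same comparison would sit inside a `HostKeyCallback` and hash `key.Marshal()`.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base64"
	"errors"
	"fmt"
)

var (
	ErrUnknownHost = errors.New("no pinned key for host")
	ErrKeyMismatch = errors.New("host key does not match pin")
)

// fingerprint formats a wire-format public key blob the way OpenSSH prints
// SHA256 fingerprints: "SHA256:" plus unpadded base64 of the digest.
func fingerprint(keyBlob []byte) string {
	sum := sha256.Sum256(keyBlob)
	return "SHA256:" + base64.RawStdEncoding.EncodeToString(sum[:])
}

// ignoreHostKey models the accept-anything callback: it never fails,
// so the client cannot tell the intended server from any other endpoint.
func ignoreHostKey(addr string, keyBlob []byte) error { return nil }

// verifyPinned fails closed: unknown hosts and changed keys are both errors.
func verifyPinned(pins map[string]string, addr string, keyBlob []byte) error {
	want, ok := pins[addr]
	if !ok {
		return fmt.Errorf("%w: %s", ErrUnknownHost, addr)
	}
	got := fingerprint(keyBlob)
	if subtle.ConstantTimeCompare([]byte(want), []byte(got)) != 1 {
		return fmt.Errorf("%w: %s presented %s", ErrKeyMismatch, addr, got)
	}
	return nil
}

func main() {
	// Constructed sample data: these byte strings stand in for key blobs.
	expected, other := []byte("constructed-key-blob-A"), []byte("constructed-key-blob-B")
	pins := map[string]string{"files.example.internal:22": fingerprint(expected)}
	fmt.Println(ignoreHostKey("files.example.internal:22", other))
	fmt.Println(verifyPinned(pins, "files.example.internal:22", other))
	fmt.Println(verifyPinned(pins, "files.example.internal:22", expected))
}
```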
Around 20% of my Terraform are GitHub Actions Secrets 🤯
#TerraForm #GitHub #Actions #Secrets
Oops, #Terraform datasources cannot contain write-only attributes, which means you cannot use a sensitive value in a secure way when configuring a datasource... Which leaves us with ephemeral resources which are not always what we want or passing the sensitive value to the provider (assuming the provider can take that value and pass it along to the datasource), which is not always possible...…
You are an experienced Dev(Sec)Ops. How do you run #Terraform or #OpenTofu in production?
#devops #iac
Yes, I am like this: I publish Terraform/OpenTofu providers and I have no choice but to use GitHub to host the releases (this is a requirement of HashiCorp #Terraform registry and #OpenTofu registry), BUT I develop on @…
Tomorrow, I'll be publishing a #WebDAV provider for #Terraform
It handles HTTP Basic, TLS and mTLS authentication.
It supports write-only attributes to deploy secrets, including deployment of ephemeral secrets.
In a few weeks, I expect to publish another version implementing…