Tootfinder

Opt-in global Mastodon full text search. Join the index!

@x_cli@infosec.exchange
2025-11-20 13:33:38

Oops, #Terraform data sources cannot contain write-only attributes, which means you cannot use a sensitive value in a secure way when configuring a data source... Which leaves us with ephemeral resources which are not always what we want or passing the sensitive value to the provider (assuming the provider can take that value and pass it along to the data source), which is not always possible...…

@wyri@toot-toot.wyrihaxim.us
2026-01-18 21:19:31

Around 20% of my TerraForm are GitHub Actions Secrets 🤯
#TerraForm #GitHub #Actions #Secrets

@x_cli@infosec.exchange
2026-01-05 09:30:55

I just published an update to my #terraform #opentofu provider "remotefs": registry.terrafo…

@x_cli@infosec.exchange
2025-11-24 13:57:51

Infosec game: what is obviously wrong with this #Terraform provider?

registry.terraform.io/provider

@x_cli@infosec.exchange
2026-01-03 16:30:17

Yes, I am like this: I publish Terraform/OpenTofu providers and I have no choice but to use GitHub to host the releases (this is a requirement of the HashiCorp #Terraform registry and the #OpenTofu registry), BUT I develop on @…

@x_cli@infosec.exchange
2025-12-07 19:13:51

Tomorrow, I'll be publishing a #WebDAV provider for #Terraform
It handles HTTP Basic, TLS and mTLS authentication.
It supports write-only attributes to deploy secrets, including deployment of ephemeral secrets.
In a few weeks, I expect to publish another version implementing…

@x_cli@infosec.exchange
2025-11-24 13:46:39

Yet another gotcha when implementing a #Terraform resource with a WriteOnly attribute: since there is no state kept between runs, you cannot require replacement of the resource if the configured value changes because there is nothing to compare it to 🙃
In my case, the WriteOnly attribute contains a file content, so the WriteOnly attribute value is hashed and the hash is stored as part o…
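
The digest-in-state approach described in the post, as an added example in Go that is not the author's provider code. The type and function names (`PriorState`, `Plan`, `ContentDigest`) are assumptions for illustration; the sample file content is constructed. The write-only value is only available during plan/apply and never appears in the returned state, so the replacement decision has to be made from a digest of it that was persisted last time. One caveat worth keeping in mind: an unkeyed hash of a low-entropy secret in state is still offline-guessable, so for passwords the companion-version attribute that the operator bumps on rotation is the safer convention; a digest fits the file-content case the post describes.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Action is the plan outcome for the resource.
type Action int

const (
	NoOp Action = iota
	Create
	Replace
)

func (a Action) String() string {
	return [...]string{"no-op", "create", "replace"}[a]
}

// PriorState is what the provider persisted from the previous apply.
// The write-only value itself is never stored, only its digest.
type PriorState struct {
	Exists        bool
	ContentSHA256 string
}

// PlannedState is what will be written back to state after apply.
// It deliberately has no field for the content.
type PlannedState struct {
	ContentSHA256 string
}

// ContentDigest is the hex SHA-256 of the write-only content.
func ContentDigest(content []byte) string {
	sum := sha256.Sum256(content)
	return hex.EncodeToString(sum[:])
}

// Plan decides the action by comparing the stored digest with the digest of
// the configured write-only value. content is the write-only attribute as
// seen during plan; it must not leak into the returned state.
func Plan(prior PriorState, content []byte) (Action, PlannedState) {
	digest := ContentDigest(content)
	next := PlannedState{ContentSHA256: digest}
	switch {
	case !prior.Exists:
		return Create, next
	case prior.ContentSHA256 != digest:
		// The configured value changed since the last apply: force replacement.
		return Replace, next
	default:
		return NoOp, next
	}
}

func main() {
	secret := []byte("hunter2\n") // constructed sample file content

	action, state := Plan(PriorState{}, secret)
	fmt.Println(action, state.ContentSHA256)

	action, _ = Plan(PriorState{Exists: true, ContentSHA256: state.ContentSHA256}, secret)
	fmt.Println(action)

	action, _ = Plan(PriorState{Exists: true, ContentSHA256: state.ContentSHA256}, []byte("rotated\n"))
	fmt.Println(action)
}
```

The three calls in `main` walk through the lifecycle: first apply creates, an unchanged value plans as a no-op, and a changed value plans as a replacement even though the old value itself is nowhere in state.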

@x_cli@infosec.exchange
2025-12-22 13:35:16

Many #Terraform providers using SSH do not check the SSH host key... they just run with ssh.InsecureIgnoreHostKey...
And to be honest, it is partly the fault of the SSH standard library which makes it super easy to ignore the host key and does not provide any useful built-in key verification function. People are lazy. ssh.FixedHostKey is niche.
So I implemented a small library to v…
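
Host key pinning by OpenSSH fingerprint, as an added example in Go that is not the author's library or provider code. It uses only the standard library so it runs stand-alone: `FingerprintSHA256` reproduces the `SHA256:` format printed by `ssh-keygen -lf` (the same value `ssh.FingerprintSHA256` in golang.org/x/crypto/ssh returns), and `HostKeyPin.Verify` has the shape of an `ssh.HostKeyCallback` body so it can be wired into `ssh.ClientConfig` instead of `ssh.InsecureIgnoreHostKey()`. The names `HostKeyPin`, `ParseAuthorizedKey` and `constructedKeyLine` are assumptions; the key line is constructed from a fixed 32-byte value and is not a real host key. In a real provider, `ssh.FixedHostKey` or `knownhosts.New` from golang.org/x/crypto/ssh/knownhosts cover the same ground.

```go
package main

import (
	"bytes"
	"crypto/sha256"
	"encoding/base64"
	"encoding/binary"
	"errors"
	"fmt"
	"strings"
)

// FingerprintSHA256 is the OpenSSH fingerprint of a wire-format public key:
// "SHA256:" followed by unpadded base64 of sha256 over the key bytes.
func FingerprintSHA256(wire []byte) string {
	sum := sha256.Sum256(wire)
	return "SHA256:" + base64.RawStdEncoding.EncodeToString(sum[:])
}

// ParseAuthorizedKey extracts the wire-format key from a
// "ssh-ed25519 AAAA... comment" line (ssh-keyscan output, or a known_hosts
// entry with the host field removed) and checks the declared type matches
// the type embedded in the wire encoding.
func ParseAuthorizedKey(line string) (keyType string, wire []byte, err error) {
	fields := strings.Fields(line)
	if len(fields) < 2 {
		return "", nil, errors.New("malformed key line")
	}
	wire, err = base64.StdEncoding.DecodeString(fields[1])
	if err != nil {
		return "", nil, err
	}
	// The wire format starts with a length-prefixed key type string.
	if len(wire) < 4 {
		return "", nil, errors.New("wire key too short")
	}
	n := binary.BigEndian.Uint32(wire)
	if uint64(n)+4 > uint64(len(wire)) {
		return "", nil, errors.New("wire key truncated")
	}
	if string(wire[4:4+n]) != fields[0] {
		return "", nil, fmt.Errorf("key type mismatch: %q vs %q", fields[0], wire[4:4+n])
	}
	return fields[0], wire, nil
}

// HostKeyPin is the verification policy: one expected fingerprint per host.
// Host must be in the "host:port" form the ssh client passes to the callback.
type HostKeyPin struct {
	Host        string
	Fingerprint string
}

// Verify rejects any key whose fingerprint differs from the pin. Wire it up as
//   HostKeyCallback: func(host string, _ net.Addr, key ssh.PublicKey) error {
//       return pin.Verify(host, key.Marshal())
//   }
func (p HostKeyPin) Verify(host string, presentedWire []byte) error {
	if host != p.Host {
		return fmt.Errorf("no host key pin for %q", host)
	}
	got := FingerprintSHA256(presentedWire)
	if got != p.Fingerprint {
		return fmt.Errorf("host key mismatch for %s: got %s, want %s", host, got, p.Fingerprint)
	}
	return nil
}

// sshString encodes b as an SSH wire string (uint32 length prefix + bytes).
func sshString(b []byte) []byte {
	out := make([]byte, 4+len(b))
	binary.BigEndian.PutUint32(out, uint32(len(b)))
	copy(out[4:], b)
	return out
}

// constructedKeyLine builds a syntactically valid ssh-ed25519 key line from a
// fixed 32-byte value. It is constructed sample input, not a real host key.
func constructedKeyLine() string {
	wire := append(sshString([]byte("ssh-ed25519")), sshString(bytes.Repeat([]byte{0x42}, 32))...)
	return "ssh-ed25519 " + base64.StdEncoding.EncodeToString(wire) + " example"
}

func main() {
	_, wire, err := ParseAuthorizedKey(constructedKeyLine())
	if err != nil {
		panic(err)
	}
	pin := HostKeyPin{Host: "example.internal:22", Fingerprint: FingerprintSHA256(wire)}
	fmt.Println("pinned:", pin.Fingerprint)
	fmt.Println("genuine key:", pin.Verify("example.internal:22", wire))
	tampered := append([]byte(nil), wire...)
	tampered[len(tampered)-1] ^= 1
	fmt.Println("tampered key:", pin.Verify("example.internal:22", tampered))
}
```

The pin is taken out-of-band (for a Terraform provider, typically a `host_key_fingerprint` style attribute the operator fills from `ssh-keyscan` or the host's own `ssh-keygen -lf`), so a first connection to a spoofed host fails instead of silently trusting whatever key is presented.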

@x_cli@infosec.exchange
2025-12-29 14:15:46

You are an experienced Dev(Sec)Ops. How do you run #Terraform or #OpenTofu in production?
#devops #iac