
Add support for encryption of Terraform Reports

Release notes

Terraform users know that sensitive information is stored unencrypted in Terraform state and plan artifacts. Even so, the recommended approach for CI-based Terraform setups is to store the output of terraform plan as an artifact and pass it to terraform apply once the merge request has been approved. Until now, Terraform plan artifacts were stored as regular job artifacts and were therefore unencrypted at rest. This GitLab release adds encryption at rest for Terraform plan artifacts to improve the security of GitLab's Terraform workflows. Note that encryption at rest protects the stored object only; it does not change who is permitted to download the artifact and read the plan.

Problem to solve

As a user of the Terraform Reports feature who knows that secrets are visible in my Terraform plan, I want my Terraform artifacts encrypted at rest, so that I can safely use the features being developed around them.

Intended users

Personas are described at https://about.gitlab.com/handbook/marketing/product-marketing/roles-personas/

User experience goal

The user should be able to use the artifacts.reports.terraform key in .gitlab-ci.yml to store a Terraform report as a job artifact without exposing the secrets it contains.

Proposal

Use the same encryption-at-rest pattern that was implemented for Terraform::State with the Lockbox gem: add optional encryption to Ci::JobArtifact, and enable it by default for Ci::JobArtifact instances whose report type is terraform.
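The following is an added illustration of the encrypt-on-write, decrypt-on-read pattern the proposal refers to; it is not GitLab's Terraform::State or Ci::JobArtifact code. It uses Ruby's OpenSSL standard library (AES-256-GCM, which is also Lockbox's default algorithm) as a stand-in for the Lockbox gem so it runs without extra dependencies. The module name, the HMAC-based per-project key derivation from a base secret, and the sample plan JSON are all assumptions made for the example.

```ruby
require 'openssl'
require 'json'

# Added example, not project code: encryption at rest for a Terraform plan
# artifact. Key derivation and storage layout are assumptions for illustration.
module PlanArtifactCrypto
  IV_LEN  = 12 # 96-bit GCM nonce
  TAG_LEN = 16 # 128-bit GCM authentication tag

  # Per-project key derived from an application-wide base secret (assumed
  # scheme). A ciphertext stolen from one project cannot be opened with the
  # key of another, and the base secret never touches the artifact store.
  def self.derive_key(base_secret, project_id)
    OpenSSL::HMAC.digest('SHA256', base_secret, project_id.to_s) # 32 bytes
  end

  # Encrypt on write: returns iv || tag || ciphertext as one binary blob that
  # the artifact store persists instead of the plaintext plan.
  def self.encrypt(plaintext, key)
    cipher = OpenSSL::Cipher.new('aes-256-gcm').encrypt
    cipher.key = key
    iv = cipher.random_iv # fresh random nonce for every artifact
    cipher.auth_data = ''
    ciphertext = plaintext.empty? ? ''.b : cipher.update(plaintext)
    ciphertext << cipher.final
    iv + cipher.auth_tag(TAG_LEN) + ciphertext
  end

  # Decrypt on read. Raises OpenSSL::Cipher::CipherError if the blob was
  # modified or was encrypted under a different key, so a tampered or
  # mis-scoped artifact is never handed to terraform apply.
  def self.decrypt(blob, key)
    raise ArgumentError, 'blob too short' if blob.bytesize < IV_LEN + TAG_LEN

    iv  = blob.byteslice(0, IV_LEN)
    tag = blob.byteslice(IV_LEN, TAG_LEN)
    ciphertext = blob.byteslice(IV_LEN + TAG_LEN, blob.bytesize - IV_LEN - TAG_LEN)

    cipher = OpenSSL::Cipher.new('aes-256-gcm').decrypt
    cipher.key = key
    cipher.iv = iv
    cipher.auth_tag = tag
    cipher.auth_data = ''
    plaintext = ciphertext.empty? ? ''.b : cipher.update(ciphertext)
    plaintext << cipher.final
  end

  # True when the blob fails authentication under the given key.
  def self.tamper_detected?(blob, key)
    decrypt(blob, key)
    false
  rescue OpenSSL::Cipher::CipherError
    true
  end
end

# Constructed sample plan (terraform show -json style), containing a secret
# the way a real plan would.
SAMPLE_PLAN = JSON.generate(
  'format_version' => '0.1',
  'resource_changes' => [
    { 'address' => 'aws_db_instance.main',
      'change'  => { 'after' => { 'password' => 'hunter2-do-not-leak' } } }
  ]
)

if __FILE__ == $PROGRAM_NAME
  key  = PlanArtifactCrypto.derive_key('application-base-secret', 42)
  blob = PlanArtifactCrypto.encrypt(SAMPLE_PLAN, key)
  puts "secret visible in stored blob? #{blob.include?('hunter2')}"
  puts "round trip ok? #{PlanArtifactCrypto.decrypt(blob, key) == SAMPLE_PLAN}"
  other = PlanArtifactCrypto.derive_key('application-base-secret', 43)
  puts "other project's key rejected? #{PlanArtifactCrypto.tamper_detected?(blob, other)}"
end
```

The authenticated mode matters here: because the plan is fed to terraform apply, a store that only hid the bytes but let a modified ciphertext decrypt to garbage (or to attacker-chosen content) would be worse than one that refuses it outright.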

Further details

We plan to introduce features around Terraform Reports that will require storing the entire report rather than the small subset of data stored today. The full report may contain secrets and must be guaranteed to be encrypted at rest.

/cc @nagyv-gitlab @nicholasklick @emilyring

Edited by Viktor Nagy (GitLab)