Draft: Add Terraform auth and security best practices

Jeff Martin requested to merge jmartin-add-terraform-usage-guide-to-docs into master

What does this MR do?

This MR adds comprehensive security best practices documentation for users who are using GitLab CI for running Terraform commands.

The risks with source code and traditional DevOps CI jobs are minimal, since they use ephemeral environments for testing purposes, and any variables or credentials do not usually pose a risk to production infrastructure or sensitive data.

When using GitLab for managing infrastructure with our recently released Terraform features, it is important to take a closer look at security and adopt a least privilege and private access mentality. Since GitLab Inc. is an open and transparent company and many aspects of the GitLab product are visible to most project contributors, this documentation allows users to evaluate the best approach for configuring the security of infrastructure-as-code projects.

This documentation shows how different keys, values, credentials, and generated outputs are accessible in GitLab. You can use this as a baseline for penetration testing and exposure risk analysis.

Screenshots (strongly suggested)

Does this MR meet the acceptance criteria?

Conformity

Availability and Testing

Security

If this MR contains changes to processing or storing of credentials or tokens, authorization and authentication methods and other items described in the security review guidelines:

  • Label as security and @ mention @gitlab-com/gl-security/appsec
  • The MR includes necessary changes to maintain consistency between UI, API, email, or other methods
  • Security reports checked/validated by a reviewer from the AppSec team
Edited by James Sandlin