
weekly.tf - Issue #42 - Terraform security (again) and dependency updates

Alex Kaskasoli describes how running a Terraform plan on untrusted code can lead to RCE and credential exfiltration. Not very new for some.

This article highlights some of the reasons why you should be careful when using provisioners and the "external" and "archive" data sources (the latter creates files during planning, surprised?).

Think about how this applies to your own setup and your CI/CD.
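One way to act on this in CI is to scan a pull request's `.tf` files for the constructs named above before `terraform plan` runs on them. The script below is an added example, not code from the linked article; `scan_hcl`, the file name `scan_tf.py` and the sample configuration are assumptions made for illustration, and the matching is a line-based heuristic rather than a full HCL parser.

```python
import re
import sys
from pathlib import Path

# Constructs the issue above calls out as risky in untrusted configurations.
RISKY = [
    ("provisioner", re.compile(r'^\s*provisioner\s+"([^"]+)"')),
    ("external data source", re.compile(r'^\s*data\s+"external"\s+"([^"]+)"')),
    ("archive data source", re.compile(r'^\s*data\s+"archive_file"\s+"([^"]+)"')),
]

def scan_hcl(text, filename="<input>"):
    """Return (filename, line, kind, label) for each risky block header."""
    findings, in_block_comment = [], False
    for lineno, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        if in_block_comment or stripped.startswith("/*"):  # /* ... */ comments
            in_block_comment = "*/" not in stripped
            continue
        if stripped.startswith(("#", "//")):               # single-line comments
            continue
        for kind, pattern in RISKY:
            if (match := pattern.match(line)):
                findings.append((filename, lineno, kind, match.group(1)))
    return findings

# Constructed sample input, not taken from any real repository.
SAMPLE = '''\
# data "external" "commented_out" {}
data "external" "lookup" {
  program = ["python3", "${path.module}/lookup.py"]
}
data "archive_file" "bundle" {
  output_path = "${path.module}/bundle.zip"
}
resource "null_resource" "setup" {
  provisioner "local-exec" {
    command = "echo configured"
  }
}
'''

if __name__ == "__main__":
    # Usage: scan_tf.py <dir>; a non-zero exit lets CI stop before `terraform plan`.
    hits = [h for f in sorted(Path(sys.argv[1]).rglob("*.tf"))
            for h in scan_hcl(f.read_text(), str(f))]
    for name, lineno, kind, label in hits:
        print(f'{name}:{lineno}: {kind} "{label}"')
    sys.exit(1 if hits else 0)
```

A hit is a prompt for human review, not proof of malice, and the scan does not cover Terraform's JSON syntax (`.tf.json`) or anything beyond the three constructs listed.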

Automated multi-step offensive attack Terraform modules created by Itgel Ganbold. Check the source code to broaden your understanding of the various ways Terraform can be misconfigured or misused (btw, ordering a pizza with Terraform is 2 years old already).

Great addition by the Terraform AWS Provider team! Defining default tags at the provider level will simplify tag management.

Be aware that some updates to Terraform configurations may still be required to achieve idempotency during sequential applies with "tags" and "tags_all". It is a very solid improvement worth implementing.

Dependabot by GitHub now supports HCL2! Hooray! It makes it possible to automatically open PRs and update versions of Terraform modules in your configurations.

Terragrunt users have an alternative solution to manage dependency updates automatically.

An interactive digital experience organized for the HashiCorp community. Hear keynotes and product updates, dive deep with workshops and technical sessions and make connections around the world.

PS: You can also submit a lightning talk there.

PS: If you find something good or bad you want me to mention in this newsletter, please let me know (just hit reply).