
AB#2533 Pin terraform provider hashes #361

Merged (1 commit), Oct 25, 2022

Conversation

malt3 (Contributor) commented Oct 24, 2022

Proposed change(s)

  • Pin terraform provider hashes

Additional info

Manually created using:

terraform providers lock -platform=linux_arm64 -platform=linux_amd64 -platform=darwin_arm64 -platform=darwin_amd64 -platform=windows_amd64

Checklist

  • Link to Milestone

@malt3 malt3 added this to the v2.2.0 milestone Oct 24, 2022
netlify bot commented Oct 24, 2022

Deploy Preview for constellation-docs canceled.

Latest commit: 8d6c9e2
Latest deploy log: https://app.netlify.com/sites/constellation-docs/deploys/63568547dfa8e5000841f399

@malt3 malt3 changed the title Pin terraform provider hashes AB#2531 Pin terraform provider hashes Oct 24, 2022
daniel-weisse (Member) left a comment

I think we also talked about pinning the terraform binary version, not sure if we can provide a hash, though

Review thread on cli/internal/terraform/loader.go (resolved)
Review thread on cli/internal/terraform/terraform/aws/.terraform.lock.hcl (outdated, resolved)
@malt3 malt3 force-pushed the feat/terraform-provider-hash-pinning branch from a58fd61 to 8d6c9e2 Compare October 24, 2022 12:29
malt3 (Contributor, Author) commented Oct 24, 2022

> I think we also talked about pinning the terraform binary version, not sure if we can provide a hash, though

I looked through the source of terraform-exec. Our installation method already verifies the hashes of the terraform binary. The hashes are not pinned but signed by hashicorp instead.

Installer.Ensure calls Downloader.DownloadAndUnpack which internally performs the verification.

Nirusu (Contributor) commented Oct 24, 2022

Signed vs. pinned hashes has the issue though that supply chain attacks by Hashicorp are possible. If the signing key is compromised, someone can upload a maliciously signed hash and achieve unintended code execution.

Of course it's a more advanced attack, but this issue exists with signed hashes.

malt3 (Contributor, Author) commented Oct 24, 2022

There is no option for hash pinning in terraform-exec so I don't believe that this is feasible for now. I can open an issue on their Git and ask if such a feature can be added.

Nirusu (Contributor) commented Oct 24, 2022

True... We could build a wrapper but that's likely going to be ugly, especially since the terraform-exec / install package also checks for already existing installations so execution paths can vary.

Maybe we can ask. The Terraform package also already supports defining your own PGP key for verification, which is something we could (ab)use for that but would mean we also would need to redistribute their packages signed by us.

But if they have this option, it shows that they might care about providing a list of pinned hashes, too.

Another question related, do we want to pin the used Terraform version here?:

malt3 (Contributor, Author) commented Oct 24, 2022

> Another question related, do we want to pin the used Terraform version here?:

As long as we don't pin hashes it is not required to pin this version. Hashicorp can always modify existing or future binaries to include malware. From all other perspectives, a newer terraform version should fix bugs and security vulnerabilities.

malt3 (Contributor, Author) commented Oct 24, 2022

Tracking: hashicorp/hc-install#72

@malt3 malt3 requested a review from Nirusu October 24, 2022 14:56
@malt3 malt3 changed the title AB#2531 Pin terraform provider hashes AB#2533 Pin terraform provider hashes Oct 25, 2022
malt3 (Contributor, Author) commented Oct 25, 2022

I moved hash validation of the terraform binary into a separate ticket AB#2534 to unblock this PR.

@malt3 malt3 merged commit 52f140a into main Oct 25, 2022
@malt3 malt3 deleted the feat/terraform-provider-hash-pinning branch October 25, 2022 08:10
derpsteb pushed a commit that referenced this pull request Nov 9, 2022