The Module CI workflows should verify the providers that will be installed and used before any installation or usage occurs. If this step fails due to an unknown or untrusted Terraform provider, the workflow should fail immediately, and terraform init should not be run at any point in the process.
Terraform provides a JSON output of the defined providers, which can be leveraged to identify unknown or untrusted providers.
It may also be helpful to allow certain namespaces, such as hashicorp and azure. Additionally, we should restrict providers to those from registry.terraform.io only.
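One way to implement the check described above, as an added example that is not part of the original issue or the project's own code. It assumes the provider list has already been exported as JSON with a top-level `required_providers` map (a constructed shape; adapt the extraction to the actual Terraform output), and the function names are hypothetical.

```python
import json

DEFAULT_REGISTRY = "registry.terraform.io"
ALLOWED_HOSTS = {DEFAULT_REGISTRY}            # only registry the issue permits
ALLOWED_NAMESPACES = {"hashicorp", "azure"}   # namespaces named in the issue

def parse_source(source):
    """Split [HOSTNAME/]NAMESPACE/TYPE into (hostname, namespace, type)."""
    parts = source.strip().lower().split("/")
    if not all(parts) or len(parts) > 3:
        raise ValueError(f"malformed provider source: {source!r}")
    if len(parts) == 1:   # bare type: Terraform implies hashicorp/<type>
        return DEFAULT_REGISTRY, "hashicorp", parts[0]
    if len(parts) == 2:   # no hostname: the public registry is implied
        return DEFAULT_REGISTRY, parts[0], parts[1]
    return tuple(parts)

def check_providers(report_json):
    """Return a list of violations; an empty list means all providers pass."""
    violations = []
    providers = json.loads(report_json).get("required_providers", {})
    for name, spec in sorted(providers.items()):
        source = spec.get("source") or name   # no source given: treat as bare type
        try:
            host, namespace, _ = parse_source(source)
        except ValueError as exc:
            violations.append(str(exc))
            continue
        if host not in ALLOWED_HOSTS:
            violations.append(f"{source}: registry {host} is not allowed")
        elif namespace not in ALLOWED_NAMESPACES:
            violations.append(f"{source}: namespace {namespace} is not allowed")
    return violations

# Constructed sample input (assumed shape, not real Terraform output).
SAMPLE = json.dumps({"required_providers": {
    "azurerm": {"source": "hashicorp/azurerm"},
    "azapi": {"source": "Azure/azapi"},
    "random": {},
    "lookalike": {"source": "example-corp/azurerm"},
    "mirror": {"source": "registry.example.com/hashicorp/azurerm"},
}})

if __name__ == "__main__":
    problems = check_providers(SAMPLE)
    for problem in problems:
        print("DENY", problem)
    raise SystemExit(1 if problems else 0)   # non-zero exit fails the CI step
```

Run as a workflow step ahead of `terraform init`, the non-zero exit stops the job before any provider is downloaded.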