Open hamishrcatalyst opened 4 years ago
I am also seeing this same issue. We are getting flagged by PCI audits because of world writable files being left in /tmp by terraform.
Hi @macksburg
Same problem here, but we use a chmod command to reduce the permissions. For example:
# Enclosing resource block assumed for a complete, applyable snippet; the
# original comment showed only the provisioner and its closing braces.
resource "null_resource" "example" {
  provisioner "remote-exec" {
    connection {
      type     = "ssh"
      host     = var.host
      user     = var.ssh_username
      password = var.ssh_password
      timeout  = var.timeout
    }

    inline     = ["mkdir -p /tmp/example", "chmod 700 /tmp/terraform_*.sh"]
    on_failure = fail
  }
}
See also:
👋 Is there still a plan to address this or is there a work-around you would recommend so that we can remove the empty file?
Current Terraform Version
Use-cases
PCI compliance requires that no world-writable files exist, but the remote-exec provisioner leaves behind a script file with 0777 permissions.
Attempted Solutions
Proposal
After the remote-exec provisioner is run, an empty world-writable (0777) file is left at /tmp/terraform_xxx.sh
Instead of uploading a blank file, can the file simply be removed instead? Alternatively, the script could be created with less permissive permissions.
References
find / -xdev -perm -o+w -type f -exec /bin/ls -ld {} \;
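The following is an added example, not code from this thread or from Terraform itself. It turns the two things discussed above into a small audit-and-remediate script: the world-writable check in the find command (same predicate, restricted to one directory) and the chmod workaround from the earlier comment, extended so that the empty placeholder is deleted rather than merely re-permissioned. The function names (list_world_writable, cleanup_terraform_scripts, demo) and the scratch directory are mine; the /tmp/terraform_*.sh name pattern is the one reported in the issue. Because the issue reports the empty file appearing after the provisioner has finished, this belongs in a later step (a subsequent provisioner, a config-management run, or a cron job on the host) rather than in the same inline list that the provisioner is executing.

```sh
#!/bin/sh
# Added example (not from the thread or from Terraform): audit a directory for
# world-writable regular files and clean up leftover terraform_*.sh scripts.
# Function names and the demo directory are assumptions made for this example.

# Print paths of world-writable regular files under $1, sorted. This is the
# same predicate as the PCI-style find command in the issue (-perm -o+w),
# limited to one directory tree.
list_world_writable() {
    dir="$1"
    find "$dir" -xdev -type f -perm -o+w -print 2>/dev/null | sort
}

# For each terraform_*.sh directly under $1: delete it if it is empty (the
# zero-byte placeholder the issue describes), otherwise tighten it to 0600 so
# it is no longer world-writable. Prints the number of files handled.
cleanup_terraform_scripts() {
    dir="$1"
    count=0
    for f in "$dir"/terraform_*.sh; do
        [ -f "$f" ] || continue          # glob matched nothing
        if [ ! -s "$f" ]; then
            rm -f -- "$f"                # empty placeholder: remove it
        else
            chmod 0600 -- "$f"           # real script: owner-only access
        fi
        count=$((count + 1))
    done
    echo "$count"
}

# Demonstration on a constructed scratch directory; the real /tmp is untouched.
demo() {
    work=$(mktemp -d)
    : > "$work/terraform_1234567890.sh"           # constructed: empty, 0777
    chmod 0777 "$work/terraform_1234567890.sh"
    printf 'echo hi\n' > "$work/terraform_0987654321.sh"   # constructed: non-empty, 0777
    chmod 0777 "$work/terraform_0987654321.sh"
    printf 'x\n' > "$work/other.txt"              # constructed: 0644, must be left alone
    chmod 0644 "$work/other.txt"

    echo "world-writable before cleanup:"
    list_world_writable "$work"
    handled=$(cleanup_terraform_scripts "$work")
    echo "handled $handled terraform script(s)"
    echo "world-writable after cleanup:"
    list_world_writable "$work"
    rm -rf -- "$work"
}

demo
```

Run it as root on the provisioned host to check the real /tmp: call list_world_writable /tmp to see what an auditor's find would flag, and cleanup_terraform_scripts /tmp to remove or lock down the leftovers. The audit function is deliberately read-only so it can be scheduled as a compliance check on its own.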