hashicorp / terraform

Terraform enables you to safely and predictably create, change, and improve infrastructure. It is a source-available tool that codifies APIs into declarative configuration files that can be shared amongst team members, treated as code, edited, reviewed, and versioned.
https://www.terraform.io/

Remove instead of upload empty file after remote-exec provisioner #24324

Open hamishrcatalyst opened 4 years ago

hamishrcatalyst commented 4 years ago

Current Terraform Version

Terraform v0.12.21

Use-cases

PCI compliance requires that world-writable files do not exist, but the remote-exec provisioner leaves behind a script file with 0777 permissions.

Attempted Solutions

Proposal

After the remote-exec provisioner is run, an empty world writable (0777) file is left at /tmp/terraform_xxx.sh

Instead of uploading a blank file, can the file simply be removed? Alternatively, the script could be created with less permissive permissions.

References

find / -xdev -perm -o+w -type f -exec /bin/ls -ld {} \;
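The audit in the References above, as an added example that is not part of the issue or of Terraform: a small POSIX shell check that lists world-writable regular files under a directory (the condition the PCI scan flags), a pass/fail wrapper, and a remediation that drops the "other" write bit. The directory layout, file names and modes in the demo are constructed for illustration.

```shell
#!/bin/sh
# Added example; not from the issue or from Terraform. Paths and modes are assumptions.

# Print every regular file under $1 whose mode grants write to "other".
# Same test as the issue's find command (-perm -002 is the portable form of -o+w),
# limited to one directory and not crossing filesystems.
find_world_writable() {
    find "$1" -xdev -type f -perm -002 2>/dev/null
}

# Return 0 when no world-writable regular file exists under $1, 1 otherwise.
check_no_world_writable() {
    [ -z "$(find_world_writable "$1")" ]
}

# Remediate: clear the "other" write bit on each such file instead of deleting it,
# so the audit passes without removing files something may still rely on.
# Prints each path it changed.
fix_world_writable() {
    find "$1" -xdev -type f -perm -002 -exec chmod o-w {} \; -print 2>/dev/null
}

# Constructed demo directory: one 0777 leftover script named like the ones the
# issue describes, plus one correctly restricted file. Prints the directory path.
make_demo_dir() {
    demo_dir=$(mktemp -d)
    : > "$demo_dir/terraform_demo.sh"
    chmod 0777 "$demo_dir/terraform_demo.sh"
    : > "$demo_dir/private.txt"
    chmod 0600 "$demo_dir/private.txt"
    printf '%s\n' "$demo_dir"
}
```

Running `check_no_world_writable /tmp` after a provisioner step gives a non-zero exit when a leftover 0777 script is present, which is the same condition the PCI scan reports.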

macksburg commented 4 years ago

I am also seeing this same issue. We are getting flagged by PCI audits because of world writable files being left in /tmp by terraform.

mclavel commented 4 years ago

Hi @macksburg

Same problem here, but we use a chmod command to reduce the permissions. For example:

# Enclosing resource block added for completeness; it was not shown in the original comment
# and the resource type is assumed.
resource "null_resource" "example" {
  provisioner "remote-exec" {
    connection {
      type     = "ssh"
      host     = var.host
      user     = var.ssh_username
      password = var.ssh_password
      timeout  = var.timeout
    }
    # The inline commands run from the uploaded /tmp/terraform_*.sh script, so the
    # chmod also restricts the script that is currently executing.
    inline     = ["mkdir -p /tmp/example", "chmod 700 /tmp/terraform_*.sh"]
    on_failure = fail
  }
}
frntn commented 4 years ago

See also:

jherns commented 3 months ago

👋 Is there still a plan to address this or is there a work-around you would recommend so that we can remove the empty file?