Closed dduportal closed 2 years ago
Challenge: It means WAY more credentials to manage if we do 1:1 mapping (either in Jenkins and for the terraform init command)
Could you provide an example of why this is a lot more credentials? What information are you trying to hide here?
In the case of Azure the sensitive value is the ARM_ACCESS_KEY. You can even do away with that by using a managed identity or service principal.
The backend configuration has the following settings currently (all are part of the backend config):
S3 backends (Terraform projects aws and digitalocean):
AzureRM backends (Terraform projects azure and datadog):
You should not be using AWS API keys. Either use instance identity, if the whole controller can be trusted to act as a logical unit of security; or https://plugins.jenkins.io/oidc-provider/#plugin-content-accessing-aws if you need something finer-grained or are just not running the controller in AWS or on a system which can easily support AWS identities at the infrastructure level.
which relates to https://github.com/jenkins-infra/helpdesk/issues/2922#issuecomment-1120893431 for Azure
What happened?
Running terraform init -backend-config=<secret file> with a secret file whose content was incorrect (syntax error): its content was exposed by terraform on stderr.
What could be the impacts?
How to avoid this from happening again?
Exchanges with different community members, through public and private channels, led to the following list of countermeasures to avoid this problem from happening again:
Short Term
What can we do right now?
[x] Of course fix the PR so that it uses the correct credentials
[x] Change the GitHub status check configuration on infra.ci.jenkins.io
[x] #2841
[x] #2840
[x] Slapping my face for such a dumb copy-and-paste error.
[x] Regenerate the AWS API keys
Long Term
What should we think about to fix this in a better way?
Avoid usage of file credentials in Jenkins: the usual "string"-like credentials are automatically hidden by Jenkins in the console output
Move the credentials to a Vault/KMS and delegate the authorization to this system (instead of Jenkins)
Use the Terraform Cloud SaaS to store our backends
Links
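As an added example (not jenkins-infra code), a hypothetical POSIX sh wrapper around the terraform init call described in this issue: it refuses to hand terraform a backend config file unless every line is a plain key = "value" assignment, so a malformed secret file is never echoed back on stderr, and it shows the alternative from the long-term list of building -backend-config=key=value flags from TF_BACKEND_<key> environment variables (in Jenkins, string credentials that the console masker hides). The TF_BACKEND_ prefix and the function names are assumptions.

```shell
#!/usr/bin/env sh
# Hypothetical wrapper (added example, not jenkins-infra code) around
# `terraform init -backend-config=<file>`. terraform prints the offending
# file content on a parse error, so a malformed secret file must never
# reach it; secrets are better passed as masked string credentials
# than as a file credential.

# Return 0 only if every non-blank, non-comment line of $1 is a plain
# `key = "value"` assignment; anything else (unquoted values, pasted
# garbage, stray text from a copy-and-paste) fails closed.
validate_backend_config() {
  awk '
    /^[[:space:]]*(#.*)?$/ { next }
    /^[[:space:]]*[A-Za-z_][A-Za-z0-9_]*[[:space:]]*=[[:space:]]*"[^"]*"[[:space:]]*$/ { next }
    { bad = 1 }
    END { exit bad }
  ' "$1"
}

# Print one `-backend-config=key=value` flag per requested setting, read
# from TF_BACKEND_<key> environment variables (assumed prefix; in Jenkins
# these would be string credentials bound with withCredentials).
backend_args_from_env() {
  for name in "$@"; do
    case "$name" in
      *[!A-Za-z0-9_]*|'') echo "invalid backend key: $name" >&2; return 1 ;;
    esac
    eval "value=\${TF_BACKEND_$name:-}"
    [ -n "$value" ] || { echo "TF_BACKEND_$name is not set" >&2; return 1; }
    printf -- '-backend-config=%s=%s\n' "$name" "$value"
  done
}

# Gate the real call: never run terraform on a file that failed validation.
safe_terraform_init() {
  cfg="$1"
  if ! validate_backend_config "$cfg"; then
    echo "refusing to pass malformed backend config $cfg to terraform" >&2
    return 1
  fi
  terraform init -backend-config="$cfg"
}
```

In a pipeline step, safe_terraform_init "$BACKEND_FILE" replaces the bare terraform init call, and backend_args_from_env bucket key region can feed terraform init directly once the secrets are string credentials.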