General guidance : terraform deployment without disclosing the code

Hi, I have created modules for creating different resources on azure and snowflake. I can create the resources successfully from that modules. Now, what I want is, creating the same set of resources on client environment but I don’t want to disclose my terraform module code. Can anyone please suggest how can I achieve that ?

Hi @SejalParmar8796,

I cannot think of any solution that would guarantee that your module source code is unavailable to your client. The source code is input to terraform apply and so whoever runs terraform apply must have access to the source code.

You could potentially provide a remote execution environment which runs Terraform on your customer’s behalf. However, that would be something you would need to implement outside of Terraform rather than within Terraform.

An important thing to consider is that a Terraform configuration is essentially arbitrary code written in a domain-specific programming language, and so it won’t be possible in general to provide an execution environment that can access both your private module source code and some source code written by your client, because there is no way to prevent their module from including code that retrieves the source code of your module from disk and sends it to some other location that they can access.

I am not a lawyer and this is not legal advice, but in your situation I would consider legal approaches such as licensing instead of technical approaches. As the author of your module source code you probably have the right to define the terms under which your client is allowed to use your module, although the details of that will vary depending on what laws you and your client are subject to, so you may need to consult an intellectual property lawyer to understand what rights you have over your module source code and to construct a suitable licensing contract.

Thanks for the quick response @apparentlymart . Another question is, can I use terraform cloud for the same. If I publish my module on terraform cloud private registry, then also the behavior is same ?

Using Terraform Cloud could help only if the workspace were under your control and your client is not able to push any new code into the workspace without your approval.

It is possible to write a Terraform module that would collect up the entire contents of the source tree into an archive and send that file to somewhere else like an Amazon S3 bucket, so if your client is able to use modules they control in conjunction with the modules you are providing then there is no security boundary between the two sets of code and a malicious client could obtain the code using logic implemented in their own module.

I can’t think of any way to achieve what you want as a purely technical solution. Terraform is not designed to isolate modules from one another in the same configuration.