HCSEC-2024-04 - Terraform Registry Module Supply Chain Security Improvements

Bulletin ID: HCSEC-2024-04
Affected Products / Versions: Terraform Registry (https://registry.terraform.io/)
Unaffected Products / Versions: Terraform Cloud and Terraform Enterprise’s private registry
Publication Date: February 15, 2024

Summary
The public Terraform Registry operated by HashiCorp recently incorporated security-related improvements to strengthen supply chain security for Terraform modules published in the Registry. There is no action necessary to take advantage of these improvements.

Background
The public Terraform Registry, https://registry.terraform.io/, is an interactive resource for discovering a wide selection of integrations (providers), configuration packages (modules), and security rules (policies) for use with Terraform. The Registry includes solutions developed by HashiCorp, third-party vendors, and the Terraform community.

Publication to the Registry is done by configuring the Registry to source a new artifact from a connected GitHub-hosted profile and repository (e.g. Publishing Modules). Registry artifact updates are sourced from that same profile and repository.

Details
A combination of external reports and internal testing identified supply chain-related concerns associated with Terraform modules published via the public Terraform Registry.

There were two issues of specific note:

  • Terraform module trust verification mechanism: Terraform modules published to the Registry used mutable Git tags for versioning and did not have a trust verification mechanism (Terraform’s dependency lock file only covers providers). A mitigation was available (using the GitHub or other VCS repository source to pin to a module version / commit directly), but that had the undesirable side effect of bypassing the Registry.

  • Published Terraform modules repository hijacking: Terraform modules published to the Registry were exposed to dependency repository hijacking (“repo jacking”), in the event that an underlying GitHub profile or repository was renamed or removed.
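As an added illustration that is not part of the original bulletin, the module source forms the first issue contrasts, written as Terraform configuration; the namespace, module name, repository URL, version and commit hash are placeholders, not real artifacts:

```hcl
# Registry source: the version constraint is resolved by the Registry.
# Before the January 2024 changes this resolved through a mutable Git tag;
# the remediation instead references the commit SHA recorded at publication.
module "network_from_registry" {
  source  = "example-namespace/example-module/aws"   # placeholder namespace/name/provider
  version = "1.2.3"                                  # placeholder version
}

# Pinning to a tag on the VCS source bypasses the Registry but still trusts a
# mutable reference: the tag can be moved to a different commit later.
module "network_pinned_to_tag" {
  source = "git::https://github.com/example-org/terraform-aws-example-module.git?ref=v1.2.3"  # placeholder URL/tag
}

# The mitigation described in the Details section: pin ref= to a full commit
# SHA, which is immutable, at the cost of bypassing the Registry entirely.
module "network_pinned_to_commit" {
  source = "git::https://github.com/example-org/terraform-aws-example-module.git?ref=0123456789abcdef0123456789abcdef01234567"  # placeholder URL/commit
}
```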

Other Registry artifact types (providers and policies) are unaffected by these issues, due to differences in how they are published and consumed by Terraform and Sentinel respectively.

Terraform Cloud and Terraform Enterprise’s private registry functionality is also unaffected, due to a difference in how modules are consumed.

Remediation
In January 2024, HashiCorp completed the implementation of a series of changes within the Terraform Registry that address these issues.

Specifically:

  • The public Registry has implemented a trust verification mechanism. When a module is requested from the Registry, trust is maintained via reference to an immutable and non-reproducible Git commit SHA / hash stored at publication time, rather than a mutable tag.

  • The public Registry has remediated the identified repository hijacking vectors. Registry authentication is now tied to an immutable GitHub profile ID rather than the profile name. Additionally, module publication is now tied to an immutable GitHub repository ID rather than the repository name. Module publication is disabled if a new version is available but the repository ID does not match.

There is no action necessary to take advantage of these improvements. The Registry changes that have been introduced are backwards compatible, and are expected to be transparent to the Terraform version in use.

Acknowledgement
Related GitHub issue creators and commenters.
François Proulx from the BoostSecurity.io Supply Chain Research Team
Wilson de Carvalho and Justin Rich at Cyral.
The Security Labs team at Snyk.

We deeply appreciate any effort to coordinate disclosure of security vulnerabilities. For information about security at HashiCorp and the reporting of security vulnerabilities, please see https://hashicorp.com/security.