Is it safe to run Terraform on a public CI/CD tool?


I have some Terraform that deploys an app to AWS ECS.

My question is, is it safe to run Terraform on a CI/CD tool where the logs are open to the public (for example, GitLab CI/CD with public repos)?

In my pipelines I run a plan and a deploy stage and I cannot see any sensitive outputs in the logs; however, I wanted to check whether it’s possible to safely run the projects publicly.

For a public project, the pipeline as such will always be visible, but you can disable guest access to the logs.

You also need to ensure that the credentials used by the pipeline are not exposed. My gut feeling is “don’t do this”.

1 Like

You can safely do this, at least with GitHub Actions. Here’s what I’ve done:

  • Keep the AWS creds as secret vars, stored in the repo settings
  • Trigger the deploy job only from master or develop on push
  • Protect the master and develop branches (Git Flow)

In GitHub Actions, with the scenario above, it will use the AWS creds stored in the repo only when the job is run against the repo. If the job is run against a PR, it uses the AWS creds stored in the forked repo, thus not using your credentials, but instead using the contributor’s. So if the contributor is malicious and tries to print your creds by changing the job (workflow) and submitting a PR, they will only shoot themselves in the foot because it would print their own.

I haven’t tested this in GitLab yet, but I expect it would run the same. You can run a test to see how secret/protected variables are handled in GitLab, and if they get printed, which vars get printed. If the job gets triggered on an MR, it should expect those variables to be declared in the fork. If they are not, the job should fail. Be careful though, this last statement is a two-edged blade. Do some experiments before you go to prod.

1 Like
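The setup described in the answer above (secrets in the repository settings, deploy only on push to protected branches, nothing privileged for pull requests), written out as a GitHub Actions workflow. This is an added example, not code from the thread; the action versions, the `production` environment and the region are assumptions.

```yaml
# Added example workflow (not from the original thread).
# Assumes AWS_ACCESS_KEY_ID / AWS_SECRET_ACCESS_KEY are repository secrets,
# that master and develop are protected branches, and that a "production"
# environment exists (environments can require a reviewer before the job runs).
name: terraform

on:
  push:
    branches: [master, develop]
  pull_request:
    branches: [master, develop]

# Default token is read-only; nothing here needs to write to the repo.
permissions:
  contents: read

jobs:
  validate:
    # Runs for pushes and for pull requests. A pull_request run from a fork
    # receives no repository secrets, so this job must not need any:
    # it only formats, initialises without a backend, and validates.
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: hashicorp/setup-terraform@v3
      - run: terraform fmt -check -recursive
      - run: terraform init -input=false -backend=false
      - run: terraform validate

  deploy:
    # Only for push events, i.e. only after a change has landed on a
    # protected branch. A pull_request event never reaches this job.
    if: github.event_name == 'push'
    needs: validate
    runs-on: ubuntu-latest
    environment: production   # assumption: environment with required reviewers
    env:
      AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
      AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
      AWS_REGION: eu-west-1   # assumption
      TF_IN_AUTOMATION: "true"
    steps:
      - uses: actions/checkout@v4
      - uses: hashicorp/setup-terraform@v3
      - run: terraform init -input=false
      # -no-color keeps the public log readable; the plan is applied from the
      # saved file so what was reviewed is exactly what gets applied.
      - run: terraform plan -input=false -no-color -out=tfplan
      - run: terraform apply -input=false -no-color tfplan
```

Two caveats a practitioner will want. First, keep the trigger on `pull_request`, not `pull_request_target`: the latter runs with the base repository’s secrets, which is precisely the situation the answer is trying to avoid. Second, the plan output in a public log shows resource attributes, so mark anything secret-bearing as `sensitive = true` in the Terraform configuration rather than relying on the pipeline to hide it; GitHub masks registered secret values in logs, but not values Terraform reads from elsewhere.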

Thanks both for responding, really appreciate it… I have been making use of the protected variables available on GitLab.

Now that I know it’s possible to make projects public but pipelines private, I feel a lot better about running Terraform this way. Combined with protected variables, I think it’s pretty safe.

Thank you both, appreciate your responses!

1 Like
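For the GitLab side the thread settles on (public project, protected variables), an equivalent `.gitlab-ci.yml`. This is an added example, not from the thread or from GitLab’s documentation; the image tag, the branch name `master` and the variable names are assumptions.

```yaml
# Added example .gitlab-ci.yml (not from the original thread).
# Assumes AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY are defined as CI/CD
# variables with both "protected" and "masked" set, and that master is a
# protected branch. Protected variables are only injected into pipelines that
# run on protected branches or tags, so a merge request pipeline from a fork
# never sees them.
image:
  name: hashicorp/terraform:1.6   # assumption: pin to a specific release
  entrypoint: [""]

variables:
  TF_IN_AUTOMATION: "true"
  TF_INPUT: "0"

stages:
  - validate
  - deploy

validate:
  stage: validate
  # Needs no credentials: runs for merge requests as well as for master.
  script:
    - terraform fmt -check -recursive
    - terraform init -backend=false
    - terraform validate
  rules:
    - if: $CI_PIPELINE_SOURCE == "merge_request_event"
    - if: $CI_COMMIT_BRANCH == "master"

deploy:
  stage: deploy
  # Only on master, where the protected variables are available. Plan and
  # apply happen in the same job on purpose: a saved plan file contains the
  # resolved values of every attribute, sensitive ones included, so it is not
  # passed around as an artifact that a public project would let anyone download.
  script:
    - terraform init
    - terraform plan -no-color -out=tfplan
    - terraform apply -no-color tfplan
  rules:
    - if: $CI_COMMIT_BRANCH == "master"
  resource_group: production   # serialises deploys so two applies never overlap
```

The "masked" flag is what keeps the variable value out of the job log if a command echoes it; "protected" is what keeps the value away from branches that unprivileged contributors can push to. Both are needed, and neither covers values Terraform obtains from the provider rather than from the variable, so the `sensitive = true` advice applies here as well.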