As per this blog, the registry is made more secure by mitigating the potential issues.
Is it possible to store the Terraform modules and repositories into a privately owned repository owned by the organization, to make sure the same module/provider is used at the time of deployment which was used during the build process?
I understand that the mitigations made handle this, but the artifacts are still pulled from a public repository which is not in the organization's control.
For providers, lockfiles will help if you’re using them.
For modules:
Assuming licenses allow, of course, you can absolutely make public or private forks of repos, or vendor modules into your Terraform codebase (i.e., check the code into a vendor directory in the same repo you're using, or use git submodules if you are so inclined), if you're really paranoid and have the time/energy for maintenance. Just keep in mind there's a lot of work involved with any of these approaches.
If you’re using a third party repo especially, you can pin to specific commit hashes vs. using tags, which should make supply chain attacks much more difficult.
Limit how many third party modules you’re using. In particular, while modules can be very useful, if you’re doing something very simple, maybe you don’t need a very complicated and frequently updated third party module.
There have been proposals to use a lockfile for modules. IIRC OpenTofu has discussed adding this support.
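One way to enforce the commit-hash pinning recommended in the answer above, as an added example that is not code from the original thread or from Terraform/OpenTofu: a small Python check that walks the `module` blocks in a `.tf` file and reports every source whose content could change after review (a git `ref` that is a tag, a branch or absent, or a registry module, which a `version` constraint narrows but does not pin because modules have no lockfile). Providers are out of scope here since `.terraform.lock.hcl` already records their hashes. The sample module blocks and org names are constructed; the regex-based block parsing and the git-source detection rules are assumptions, not a full HCL parser.

```python
"""Flag Terraform module sources that are not pinned to an immutable revision.

Added example for this thread; not code from the original post or from
Terraform/OpenTofu. A regex is used instead of a full HCL parser, and the
module sources below are constructed samples.
"""
import re

# Constructed sample: one module per pinning style seen in the wild.
SAMPLE_TF = '''
module "vpc" {
  source = "git::https://github.com/example-org/terraform-modules.git?ref=v1.2.0"
}

module "kms" {
  source = "git::https://github.com/example-org/terraform-modules.git?ref=8f3a0c9b6d2e4f1a7b5c3d9e0f1a2b3c4d5e6f70"
}

module "bucket" {
  source = "github.com/example-org/terraform-s3-bucket"
}

module "local_net" {
  source = "./modules/network"
}

module "registry_vpc" {
  source  = "terraform-aws-modules/vpc/aws"
  version = "5.1.2"
}
'''

SHA1_RE = re.compile(r"^[0-9a-f]{40}$")
# A module block: `module "name" {` ... up to a `}` at the start of a line.
MODULE_BLOCK_RE = re.compile(r'module\s+"(?P<name>[^"]+)"\s*\{(?P<body>.*?)^\}', re.S | re.M)
# Registry address: [hostname/]namespace/name/provider (assumed shape).
REGISTRY_RE = re.compile(r"^([\w.-]+/)?[\w-]+/[\w-]+/[\w-]+$")


def _attr(key, body):
    """Value of a simple `key = "value"` attribute inside a block body, or None."""
    m = re.search(r'^\s*' + key + r'\s*=\s*"([^"]*)"', body, re.M)
    return m.group(1) if m else None


def parse_modules(text):
    """Return [(name, source, version_or_None)] for each module block in text."""
    return [(m.group("name"), _attr("source", m.group("body")) or "",
             _attr("version", m.group("body")))
            for m in MODULE_BLOCK_RE.finditer(text)]


def classify_source(source, version=None):
    """Return (status, detail) describing how firmly one module source is pinned."""
    if source.startswith(("./", "../")):
        return "vendored-local", "module code lives in this repo"
    base, _, query = source.partition("?")
    # Heuristics for the git getter: forced git:: prefix, ssh shorthand,
    # .git suffix, or the github.com/bitbucket.org shorthand (assumption).
    is_git = (base.startswith(("git::", "git@", "github.com/", "bitbucket.org/"))
              or base.endswith(".git"))
    if is_git:
        params = dict(kv.split("=", 1) for kv in query.split("&") if "=" in kv)
        ref = params.get("ref")
        if ref is None:
            return "unpinned-git", "no ref: tracks the default branch, changes silently"
        if SHA1_RE.match(ref):
            return "pinned-commit", f"ref={ref[:12]}... is a full commit SHA"
        return "unpinned-git", f"ref={ref!r} is a tag or branch and can be moved"
    if REGISTRY_RE.match(base):
        if version:
            return "registry-version-only", f"version {version!r} constrains but does not pin content"
        return "registry-unconstrained", "no version constraint at all"
    return "unknown", "unrecognised source type; review manually"


def audit(text):
    """Classify every module block; returns [(name, status, detail)]."""
    return [(name, *classify_source(src, ver)) for name, src, ver in parse_modules(text)]


def unpinned(text):
    """Names of modules whose content a third party could change after review."""
    accepted = {"pinned-commit", "vendored-local"}
    return [name for name, status, _ in audit(text) if status not in accepted]


if __name__ == "__main__":
    for name, status, detail in audit(SAMPLE_TF):
        print(f"{name:14} {status:22} {detail}")
    print("unpinned:", unpinned(SAMPLE_TF))
```

Run it over the repo's `*.tf` files in CI and fail the job when `unpinned()` is non-empty. A full commit SHA pins exactly the bytes that were reviewed, whereas a tag can be deleted and re-created to point somewhere else; a local path is only as trustworthy as the vendoring commit that brought it in, which is why it is accepted here.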