Protect the terraform source code file

Dear All,

How can I encrypt or protect the Terraform source code file? I don't want others to change or view the content inside the Terraform files.

Is there any way to convert this to an executable or encrypted version that can be understood by the terraform apply command?

I don’t want anyone to view or modify the source file. At the same time, I need to share it with them so they can execute the terraform apply command from an individual project machine.

Hi @sathishp2803,

No, there is not really any useful way to do something like that. Access to the configuration can be managed like any other source code, using whatever features of the storage/VCS you choose. The operator of Terraform, however (either a user or automated system), still needs access to that configuration in order to run Terraform. Even if the configuration were encrypted at rest, Terraform would need to somehow decrypt it, and whether that is done externally or internally by Terraform itself, it would still give the operator full access to the configuration regardless, offering no additional security.

Hello Bardin,

Thanks for your response.

The main objective of this requirement is that I don’t want the admin or network engineer who is running the Terraform action to change the code.

I am okay with anyone running the code, whoever has access to the Terraform code and platform.

The only restriction is to avoid editing and reusing.

Hello All,

Please help me out.

Happy new year.

Hi @sathishp2803,

The usual way to achieve a requirement like that is to provide a remote execution environment where Terraform runs, and give your operators access only to start Terraform running, without giving them any access to change the Terraform configuration that’s installed in that environment.

That is something you would implement outside of Terraform, rather than part of Terraform itself. For example, you could use GitHub Actions to run Terraform against an existing repository, and give your operators access to start new runs of that action but deny them access to change the configuration that it’s using.

Terraform itself cannot be a security boundary. You will need to create the security boundary around Terraform using some other technology.
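
The GitHub Actions arrangement described in the reply above could look like the following workflow. This is an added example, not part of the original thread; the file name, the branch name `main`, the environment name `production`, and a remote state backend already configured in the Terraform code are assumptions.

```yaml
# Added example: .github/workflows/terraform-apply.yml (file name is an assumption)
name: terraform-apply

# Operators start runs by hand; nothing is applied automatically on push.
on:
  workflow_dispatch:

# The job token can read the repository but cannot write to it.
permissions:
  contents: read

# Never let two applies run against the same state at once.
concurrency:
  group: terraform-apply
  cancel-in-progress: false

jobs:
  apply:
    runs-on: ubuntu-latest
    # Convenience guard: skip runs dispatched from any ref other than main.
    # The workflow file is read from the dispatched ref, so the enforcing
    # control is the environment below, not this condition.
    if: github.ref == 'refs/heads/main'
    # "production" is an assumed environment name. In the repository settings,
    # limit its deployment branches to main and store the cloud credentials as
    # environment secrets, so they are only released to runs of reviewed code.
    environment: production
    steps:
      - uses: actions/checkout@v4
      - uses: hashicorp/setup-terraform@v3
      # Assumes a remote state backend is configured in the Terraform code,
      # since the runner's local disk is discarded after each run.
      - name: Init
        run: terraform init -input=false
      - name: Plan
        run: terraform plan -input=false -out=tfplan
      - name: Apply the saved plan
        run: terraform apply -input=false tfplan
```

GitHub requires write access to the repository to start a `workflow_dispatch` run, so the configuration stays unchangeable by operators only if `main` is covered by a branch protection rule that requires a reviewed pull request. The cloud credentials should exist only as environment secrets, never on the operators' machines.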