Security hardening
Operating System
- Primarily, we strongly recommend using operating system configurations that are compliant with the CIS benchmark for the OS.
- Command line access to the machines should be minimized to a limited and well-known team, and every such access should generate SIEM/audit log entries.
Application
- Use single-sign-on (SSO) with multi-factor authentication (MFA) for all users.
- The deployment configuration sets up TCP port restrictions for ingress to and egress from the Terraform Enterprise application and related services. These restrictions should not be altered except according to advice from HashiCorp support, a HashiCorp solutions or implementation engineer, or a certified HashiCorp partner.
- Direct SSH access to VMs should be restricted, and access should be available to designated administrators only.
- Enable the Strict-Transport-Security response header.
Terraform Enterprise allows you to restrict access to the metadata endpoint from Terraform operations, preventing Terraform workspaces from reading any data from the native AWS metadata service.
- When performing a manual installation, set restrict_worker_metadata_access as a Docker environment variable to prevent Terraform operations from accessing the cloud instance metadata service. For additional information, please see this page.
- The automated deployment configuration used in this guide restricts the application instances from accessing the AWS metadata service; this should not be re-enabled.
- At the end of a deployment, there is an option to create an initial administrator for Terraform Enterprise. We recommend not creating that account and instead coordinating a hand-off to the operations team.
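The following script is an added example, not code from the HashiCorp page, that audits two of the application items above after a deployment: that the Terraform Enterprise hostname answers with a Strict-Transport-Security header carrying a max-age of at least one year, and that restrict_worker_metadata_access is set in the Docker environment. The page names the variable but not its value format; accepting "1" or "true", the KEY=VALUE layout of the environment file, the hostname tfe.example.internal and all sample inputs are assumptions constructed for this example.

```shell
#!/bin/sh
# Added example (not part of the HashiCorp page): post-deployment audit for the
# Strict-Transport-Security header and the restrict_worker_metadata_access
# Docker environment variable. Accepted values ("1"/"true"), the KEY=VALUE
# env-file layout and every sample input below are assumptions/constructed.

# check_hsts HEADERS: succeed when HEADERS (raw HTTP response headers) carry a
# Strict-Transport-Security header whose max-age is at least one year.
check_hsts() {
  max_age=$(printf '%s\n' "$1" | tr -d '\r' \
    | grep -i '^strict-transport-security:' | head -n 1 \
    | sed -n 's/.*[Mm][Aa][Xx]-[Aa][Gg][Ee]=\([0-9][0-9]*\).*/\1/p')
  [ -n "$max_age" ] && [ "$max_age" -ge 31536000 ]
}

# check_metadata_restricted ENV: succeed when ENV (Docker KEY=VALUE lines)
# sets restrict_worker_metadata_access to 1 or true (assumed value format).
check_metadata_restricted() {
  value=$(printf '%s\n' "$1" | tr -d '\r' \
    | grep -i '^restrict_worker_metadata_access=' | head -n 1 \
    | cut -d= -f2- | tr 'A-Z' 'a-z' | tr -d ' "')
  case "$value" in
    1|true) return 0 ;;
    *)      return 1 ;;
  esac
}

# audit HEADERS ENV: print one PASS/FAIL line per check; succeed only if all pass.
audit() {
  failures=0
  if check_hsts "$1"; then
    echo "PASS strict-transport-security"
  else
    echo "FAIL strict-transport-security (missing or max-age below one year)"
    failures=$((failures + 1))
  fi
  if check_metadata_restricted "$2"; then
    echo "PASS restrict_worker_metadata_access"
  else
    echo "FAIL restrict_worker_metadata_access (workers can reach instance metadata)"
    failures=$((failures + 1))
  fi
  [ "$failures" -eq 0 ]
}

# Constructed sample inputs (not captured from a real deployment).
GOOD_HEADERS='HTTP/1.1 200 OK
Server: nginx
Strict-Transport-Security: max-age=31536000; includeSubDomains
Content-Type: text/html'

WEAK_HEADERS='HTTP/1.1 200 OK
Server: nginx
Strict-Transport-Security: max-age=300
Content-Type: text/html'

NO_HSTS_HEADERS='HTTP/1.1 200 OK
Server: nginx
Content-Type: text/html'

ENV_RESTRICTED='TFE_HOSTNAME=tfe.example.internal
restrict_worker_metadata_access=1'

ENV_OPEN='TFE_HOSTNAME=tfe.example.internal
restrict_worker_metadata_access=0'

# Stand-alone demo on the constructed inputs. Against a real installation,
# pass the output of: curl -sS -I "https://$TFE_HOSTNAME/"  as the first
# argument and the contents of the Docker environment file as the second.
audit "$GOOD_HEADERS" "$ENV_RESTRICTED"
audit "$WEAK_HEADERS" "$ENV_OPEN" || true
```

The max-age threshold of one year (31536000 seconds) is the commonly recommended minimum for HSTS preload eligibility; a short max-age still counts as a failure because the browser forgets the policy almost immediately. The metadata check deliberately treats a missing variable the same as an explicit "0", since the worker gains metadata access in both cases.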