authorChristopher Baines <mail@cbaines.net>2018-06-24 16:46:16 +0100
committerChristopher Baines <mail@cbaines.net>2018-06-24 16:46:16 +0100
commit373f1d131aebd9dc9c7cc6cf22a9f615627f2eef (patch)
tree56a50c162f5766d5cf453223973a7756362f90a5
parentd89f324f8fafd43fcad3c6072e5fd6f0a732e70d (diff)
downloadgovuk-mini-environment-admin-373f1d131aebd9dc9c7cc6cf22a9f615627f2eef.tar
govuk-mini-environment-admin-373f1d131aebd9dc9c7cc6cf22a9f615627f2eef.tar.gz
Use basic authentication with the Terraform http backendrelease_1
This prevents any unauthorised access to the Terraform state.
-rw-r--r--app/controllers/terraform_http_backend_controller.rb22
-rw-r--r--lib/terraform_working_directory.rb6
2 files changed, 26 insertions, 2 deletions
diff --git a/app/controllers/terraform_http_backend_controller.rb b/app/controllers/terraform_http_backend_controller.rb
index 4587f8a..eeff7b0 100644
--- a/app/controllers/terraform_http_backend_controller.rb
+++ b/app/controllers/terraform_http_backend_controller.rb
@@ -19,7 +19,27 @@
# <http://www.gnu.org/licenses/>.
class TerraformHttpBackendController < ApplicationController
- skip_before_action :verify_authenticity_token
+ skip_before_action :verify_authenticity_token, only: %w(create show destroy)
+
+ def self.credentials
+ @_credentials ||= begin
+ # Hopefully there is a simpler way of doing this, but it'll do
+ # for now.
+ verifier = ActiveSupport::MessageVerifier.new(
+ Rails.application.secrets[:secret_key_base]
+ )
+
+ {
+ name: 'terraform',
+ password: verifier.generate('tpw')
+ }
+ end
+ end
+
+ http_basic_authenticate_with(
+ **credentials,
+ only: %(create show destroy)
+ )
def index
@all_states = TerraformState.all.group_by(&:state_id)
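Review bot: The `only:` option passed to `http_basic_authenticate_with` is written `%(create show destroy)`, which is a plain string literal rather than the `%w(...)` word array used on the `skip_before_action` line above it. Rails would most likely treat that as a single action named "create show destroy", so the basic-auth filter never runs for `create`, `show` or `destroy`, and the state endpoints stay reachable without credentials while CSRF verification is skipped for them. The line should read `only: %w(create show destroy)`, and a request test expecting a 401 for an unauthenticated `show` would catch a regression. The class body continues outside the hunk, so whether `index` is protected elsewhere cannot be seen here.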
diff --git a/lib/terraform_working_directory.rb b/lib/terraform_working_directory.rb
index 38df0c7..d8bbae3 100644
--- a/lib/terraform_working_directory.rb
+++ b/lib/terraform_working_directory.rb
@@ -43,11 +43,15 @@ class TerraformWorkingDirectory
Dir.chdir(working_directory) do
if Dir.empty?('.')
+ credentials = TerraformHttpBackendController.credentials
+
RubyTerraform.init(
backend: true,
from_module: source,
backend_config: {
- address: terraform_backend_address
+ address: terraform_backend_address,
+ username: credentials[:name],
+ password: credentials[:password]
},
plugin_dir: terraform_plugin_dir
)
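Review bot: The password added to `backend_config` here is likely to leave the process in clear text. RubyTerraform presumably renders these entries as `-backend-config` arguments to `terraform init`, where they are visible in the process list, and Terraform records backend configuration under the working directory's `.terraform` folder. If the Terraform version in use supports them, the `TF_HTTP_USERNAME` and `TF_HTTP_PASSWORD` environment variables keep the credentials off the command line; either way the working directory should be created with restrictive permissions. Separately, `lib/` now calls `TerraformHttpBackendController.credentials`, so moving that method into a small shared module would stop the library depending on a controller. The enclosing method starts and ends outside the hunk.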