From 373f1d131aebd9dc9c7cc6cf22a9f615627f2eef Mon Sep 17 00:00:00 2001
From: Christopher Baines
Date: Sun, 24 Jun 2018 16:46:16 +0100
Subject: Use basic authentication with the Terraform http backend

This prevents any unauthorised access to the Terraform state.
---
 .../terraform_http_backend_controller.rb | 22 +++++++++++++++++++++-
 lib/terraform_working_directory.rb | 6 +++++-
 2 files changed, 26 insertions(+), 2 deletions(-)

diff --git a/app/controllers/terraform_http_backend_controller.rb b/app/controllers/terraform_http_backend_controller.rb
index 4587f8a..eeff7b0 100644
--- a/app/controllers/terraform_http_backend_controller.rb
+++ b/app/controllers/terraform_http_backend_controller.rb
@@ -19,7 +19,27 @@
 # .

 class TerraformHttpBackendController < ApplicationController
- skip_before_action :verify_authenticity_token
+ skip_before_action :verify_authenticity_token, only: %w(create show destroy)
+
+ def self.credentials
+ @_credentials ||= begin
+ # Hopefully there is a simpler way of doing this, but it'll do
+ # for now.
+ verifier = ActiveSupport::MessageVerifier.new(
+ Rails.application.secrets[:secret_key_base]
+ )
+
+ {
+ name: 'terraform',
+ password: verifier.generate('tpw')
+ }
+ end
+ end
+
+ http_basic_authenticate_with(
+ **credentials,
+ only: %(create show destroy)
+ )

 def index
 @all_states = TerraformState.all.group_by(&:state_id)
diff --git a/lib/terraform_working_directory.rb b/lib/terraform_working_directory.rb
index 38df0c7..d8bbae3 100644
--- a/lib/terraform_working_directory.rb
+++ b/lib/terraform_working_directory.rb
@@ -43,11 +43,15 @@ class TerraformWorkingDirectory

 Dir.chdir(working_directory) do
 if Dir.empty?('.')
+ credentials = TerraformHttpBackendController.credentials
+
 RubyTerraform.init(
 backend: true,
 from_module: source,
 backend_config: {
- address: terraform_backend_address
+ address: terraform_backend_address,
+ username: credentials[:name],
+ password: credentials[:password]
 },
 plugin_dir: terraform_plugin_dir
 )
--
cgit v1.2.3
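Review bot: In the `http_basic_authenticate_with` call, `only: %(create show destroy)` uses `%(...)`, which is a plain string literal, not the `%w(...)` word array used on the `skip_before_action` line above it. Rails compares each `only:` entry with the action name, so the single string "create show destroy" should match no action and the basic-auth filter would never run, leaving `create`, `show` and `destroy` reachable without credentials while CSRF verification is also skipped for them. Change the line to `only: %w(create show destroy)`, and add a request test asserting that an unauthenticated call to each of the three actions returns 401 so a regression here is caught.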
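Review bot: The `password: credentials[:password]` entry in `backend_config` hands the backend secret to `terraform init`, and Terraform records backend configuration under `.terraform/` in the working directory, so the password (a value derived from `secret_key_base`) is likely to sit on disk in each working directory; depending on how RubyTerraform builds the command it may also appear in the process argument list. The code that creates `working_directory` is outside this hunk, so it is worth confirming there that the directory is readable only by the service user and is removed after use. A comment above the call such as `# terraform persists backend_config, including the password, under .terraform/` would make this visible to the next maintainer. Calling `TerraformHttpBackendController.credentials` from `lib/` also couples this class to a controller; a small shared module for the credentials would be cleaner.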