Take your Terraform state off the public internet (without standing up a VPN)

The Terraform state file is the most sensitive artifact in cloud management: it contains a map of the infrastructure and potentially plaintext secrets. By default it resides in cloud storage behind a public endpoint secured only by an access key, so if that key is compromised an attacker gains immediate access to the entire infrastructure. Authentication vendors, in particular, must secure their own kingdom before managing yours. Their production state account is made unreachable from public networks, which takes a three-phase approach.

The first challenge is a chicken-and-egg problem: remote state requires an existing backend, which is itself infrastructure managed by Terraform. This is resolved with a two-phase bootstrap: first, local state creates the foundational storage account and network; second, the backend is switched to remote and the state is migrated.

The second trap is the "reach problem": disabling public access on the storage account cuts it off from CI pipelines and from users outside the virtual network. The common solution, a VPN gateway, is expensive and complex. Instead, a zero-trust connector running in a container joins an identity-aware mesh, so authorized entities reach the private endpoint securely through the mesh. This eliminates the need for standing infrastructure, VPNs, or jump boxes.

The third challenge is that the lockdown itself must be a multi-step process. Making the account private in the initial Terraform apply would lock Terraform out before a private path exists. The lockdown is therefore a distinct, subsequent step, executed only after the network, private endpoint, and connector are operational. This final command disables public network access, leaving the account reachable solely through the private mesh.

Complementing these measures, static credentials are eliminated. The CI pipeline authenticates using workload identity federation, receiving short-lived OIDC tokens whose access expires quickly. Terraform itself uses temporary directory tokens for state operations rather than persistent access keys, so even if an attacker gains access, the credentials in use are ephemeral and useless.

Ultimately, state file leaks usually stem from public access and compromised keys, not from encryption breaches. Removing the public endpoint eliminates the primary attack vector, rendering leaked keys ineffective without mesh access. This commitment to comprehensive security mirrors the company's product philosophy of offering robust security features to all customers, not just those on higher tiers.
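The two-phase bootstrap and the separate lockdown step described above, as an added Terraform example (not the article's or the vendor's own configuration). Resource names, the region and the address ranges are placeholders, and the mesh connector container is omitted because the article does not name the mesh product. The `backend` block stays commented out for the phase-1 apply (local state), is uncommented for phase 2 (`terraform init -migrate-state`), and `lockdown=true` is passed only once the private endpoint and connector are reachable, so the account is never made private before a private path exists.

```hcl
# Added example, not the article's code. Names, region and CIDRs are placeholders.
# Phase 1: apply with the backend block commented out (local state).
# Phase 2: uncomment the backend block, then `terraform init -migrate-state`.
# Phase 3: `terraform apply -var lockdown=true` once the private path is verified.

variable "lockdown" {
  description = "Set true only after the private endpoint and mesh connector are reachable."
  type        = bool
  default     = false
}

terraform {
  # backend "azurerm" {
  #   resource_group_name  = "rg-tfstate"
  #   storage_account_name = "sttfstateexample"
  #   container_name       = "tfstate"
  #   key                  = "prod.tfstate"
  #   use_azuread_auth     = true # data-plane auth with Entra ID tokens, never a storage key
  #   use_oidc             = true # CI presents a federated OIDC token instead of a secret
  # }
}

provider "azurerm" {
  features {}
  storage_use_azuread = true # provider manages blobs/containers with Entra ID tokens too
}

resource "azurerm_resource_group" "state" {
  name     = "rg-tfstate"
  location = "westeurope"
}

resource "azurerm_virtual_network" "state" {
  name                = "vnet-tfstate"
  location            = azurerm_resource_group.state.location
  resource_group_name = azurerm_resource_group.state.name
  address_space       = ["10.42.0.0/16"]
}

resource "azurerm_subnet" "endpoints" {
  name                 = "snet-endpoints"
  resource_group_name  = azurerm_resource_group.state.name
  virtual_network_name = azurerm_virtual_network.state.name
  address_prefixes     = ["10.42.1.0/24"]
}

resource "azurerm_storage_account" "state" {
  name                          = "sttfstateexample"
  resource_group_name           = azurerm_resource_group.state.name
  location                      = azurerm_resource_group.state.location
  account_tier                  = "Standard"
  account_replication_type      = "GRS"
  shared_access_key_enabled     = false         # a leaked key grants nothing if keys are off
  public_network_access_enabled = !var.lockdown # public during bootstrap, private after phase 3
}

resource "azurerm_storage_container" "state" {
  name                  = "tfstate"
  storage_account_name  = azurerm_storage_account.state.name
  container_access_type = "private"
}

# The blob service gets an address inside the VNet; the mesh connector runs in the same VNet.
resource "azurerm_private_endpoint" "state_blob" {
  name                = "pe-tfstate-blob"
  location            = azurerm_resource_group.state.location
  resource_group_name = azurerm_resource_group.state.name
  subnet_id           = azurerm_subnet.endpoints.id

  private_service_connection {
    name                           = "psc-tfstate-blob"
    private_connection_resource_id = azurerm_storage_account.state.id
    subresource_names              = ["blob"]
    is_manual_connection           = false
  }

  private_dns_zone_group {
    name                 = "default"
    private_dns_zone_ids = [azurerm_private_dns_zone.blob.id]
  }
}

# Inside the VNet the account's blob hostname resolves to the private endpoint address.
resource "azurerm_private_dns_zone" "blob" {
  name                = "privatelink.blob.core.windows.net"
  resource_group_name = azurerm_resource_group.state.name
}

resource "azurerm_private_dns_zone_virtual_network_link" "blob" {
  name                  = "link-tfstate"
  resource_group_name   = azurerm_resource_group.state.name
  private_dns_zone_name = azurerm_private_dns_zone.blob.name
  virtual_network_id    = azurerm_virtual_network.state.id
}
```

The `lockdown` variable is what keeps the third phase a separate apply: flipping `public_network_access_enabled` inside the first apply would, as the article notes, cut Terraform off from its own state before the private endpoint, DNS zone and connector exist. A practical check before passing `lockdown=true` is to resolve the account's blob hostname from a machine on the mesh and confirm it returns the private endpoint's VNet address rather than a public one.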
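The workload identity federation step, as an added Terraform example (not the article's or the vendor's own configuration): a user-assigned identity for the pipeline, a federated credential that trusts the CI system's OIDC issuer, and a role assignment granting that identity blob data rights on the state container only. The GitHub Actions issuer and the `repo:…` subject are assumptions standing in for whichever CI system the article's pipeline uses; the resource names are placeholders and refer to a resource group, storage account and container assumed to exist already from the bootstrap phase.

```hcl
# Added example, not the article's code. Names are placeholders; the resource group,
# storage account and container are assumed to exist from the bootstrap phase.

data "azurerm_storage_container" "state" {
  name                 = "tfstate"
  storage_account_name = "sttfstateexample"
}

# The identity the CI pipeline becomes. It has no client secret to leak.
resource "azurerm_user_assigned_identity" "ci" {
  name                = "id-terraform-ci"
  resource_group_name = "rg-tfstate"
  location            = "westeurope"
}

# Trust: a token from this issuer carrying exactly this subject may act as the identity.
# Assumption: GitHub Actions; other CI systems use their own issuer URL and subject format.
resource "azurerm_federated_identity_credential" "ci_main" {
  name                = "fic-terraform-ci-main"
  resource_group_name = azurerm_user_assigned_identity.ci.resource_group_name
  parent_id           = azurerm_user_assigned_identity.ci.id
  audience            = ["api://AzureADTokenExchange"]
  issuer              = "https://token.actions.githubusercontent.com"
  subject             = "repo:example-org/infra:ref:refs/heads/main" # placeholder repo and branch
}

# Least privilege: data-plane rights on the state container only, and no role that can
# list account keys, so a compromised pipeline run cannot mint a long-lived credential.
resource "azurerm_role_assignment" "ci_state_blob" {
  scope                = data.azurerm_storage_container.state.resource_manager_id
  role_definition_name = "Storage Blob Data Contributor"
  principal_id         = azurerm_user_assigned_identity.ci.principal_id
}
```

In the pipeline, Terraform is pointed at this identity with `ARM_USE_OIDC=true`, `ARM_CLIENT_ID` (the identity's client ID), `ARM_TENANT_ID` and `ARM_SUBSCRIPTION_ID`; the provider exchanges the CI system's OIDC token for a short-lived Entra ID token, and with `use_azuread_auth = true` on the azurerm backend the same token authorizes the state reads and writes. Pinning the subject to a single branch means a token minted for a pull request or a fork cannot assume the production identity, which is the check that turns "short-lived" into "scoped" as well.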