From 2dd27b4cd676a4f0a15b67b970a79e8e652cf017 Mon Sep 17 00:00:00 2001 From: James Warren Date: Wed, 27 Aug 2025 15:45:31 -0400 Subject: [PATCH] PSA-2130: Remove references to Replicated in current Security Model doc --- .../architecture/security-model-partial.mdx | 19 +++++-------------- .../architecture/security-model-partial.mdx | 19 +++++-------------- 2 files changed, 10 insertions(+), 28 deletions(-) diff --git a/content/terraform-enterprise/1.0.x/docs/partials/replicated-and-fdo/architecture/security-model-partial.mdx b/content/terraform-enterprise/1.0.x/docs/partials/replicated-and-fdo/architecture/security-model-partial.mdx index d6f8d426df..31629c6d6f 100644 --- a/content/terraform-enterprise/1.0.x/docs/partials/replicated-and-fdo/architecture/security-model-partial.mdx +++ b/content/terraform-enterprise/1.0.x/docs/partials/replicated-and-fdo/architecture/security-model-partial.mdx @@ -4,9 +4,7 @@ In addition to those listed in [HCP Terraform Security model](/terraform/cloud-d ### Infrastructure Admin -Outside of the application, administrators of the Terraform Enterprise deployment are responsible for managing the underlying infrastructure, upgrading the application, and configuring Terraform Enterprise either via the [Replicated admin console](/terraform/enterprise/deploy/replicated/install/interactive/config#system-configuration) or by editing the [application settings file](/terraform/enterprise/deploy/replicated/install/automated/automating-the-installer). - -Terraform Enterprise grants extensive permissions to this role, so we recommend limiting the number of users who are infrastructure admins in your organization. +Outside of the application, administrators of the Terraform Enterprise deployment are responsible for managing the underlying infrastructure and upgrading the application. We recommend limiting the number of users who are infrastructure admins in your organization. ### Site Admin @@ -28,23 +26,19 @@ We release security fixes, application features, and bug fixes for Terraform Ent ### You are Responsible for Availability, Backups, and Disaster Recovery -Infrastructure admins are responsible for all aspects of reliability and availability. Refer to Terraform Enterprise documentation on [monitoring](/terraform/enterprise/deploy/replicated/monitoring/monitoring), [backups and restores](/terraform/enterprise/deploy/replicated/administration/infrastructure/backup-restore), and [high availability mode (active/active)](/terraform/enterprise/deploy/replicated/administration/infrastructure/admin-cli) for more guidance on this topic. +Infrastructure admins are responsible for all aspects of reliability and availability. Refer to Terraform Enterprise documentation on [monitoring](/terraform/enterprise/deploy/manage/monitor), [backups and restores](/terraform/enterprise/deploy/manage/backup-restore), and [high availability mode (active/active)](/terraform/enterprise/deploy/configuration/storage/configure-mode) for more guidance on this topic. ### Terraform Enterprise Isolates Terraform Operations via Docker Containers Unlike HCP Terraform, Terraform Enterprise performs all Terraform operations in Docker containers on the Terraform Enterprise host. The containers are assigned to an isolated Docker network to prevent them from communicating with Terraform Enterprise backend services. However, Terraform Enterprise does not perform any egress filtering, so Terraform runs can still access available network resources. -### Terraform Enterprise Relies on Third Party Software for Licensing, Delivery, Installation, and Management - -Terraform Enterprise is built on top of a software platform developed by [Replicated](https://www.replicated.com/). The components necessary for installing Terraform Enterprise are hosted by Replicated, and software developed by Replicated is used for bootstrapping, configuring, and managing every Terraform Enterprise deployment. For more information, see [Security at Replicated](https://www.replicated.com/security/). - ## Recommendations for Securely Operating Terraform Enterprise In addition those provided in the [HCP Terraform security model](/terraform/cloud-docs/architectural-details/security-model), we recommend the following for Terraform Enterprise users. ### Run Terraform Enterprise in an Isolated Network, Limit Ingress Ports, and Restrict Access to Underlying Infrastructure -To minimize attack surface, we recommend running Terraform Enterprise in an isolated network and limiting ingress ports to only 80 and 443, as documented in [Network Requirements for Terraform Enterprise](/terraform/enterprise/deploy/replicated/requirements/network). +To minimize attack surface, we recommend running Terraform Enterprise in an isolated network and limiting ingress ports to only 80 and 443, as documented in [Network Requirements for Terraform Enterprise](/terraform/enterprise/deploy/configuration/network). Additionally, we recommend restricting access to the nodes that are running Terraform Enterprise. Terraform Enterprise can not ensure the security or integrity of your data if the underlying infrastructure is compromised. @@ -52,7 +46,7 @@ Additionally, we recommend restricting access to the nodes that are running Terr Once you are ready to use Terraform Enterprise for production workloads, we recommend enabling these optional security features. -#### Secure secondary hostnames +#### Secure Secondary Hostnames You can configure Terraform Enterprise to allow incoming connections at more than one hostname. Refer to [Configure network access](/terraform/enterprise/deploy/configuration/network) for instructions. @@ -60,10 +54,7 @@ When configuring multiple hostnames, create and distribute TLS certificates for #### Enable Strict Transport Security Header -You can configure Terraform Enterprise to set the [Strict Transport Security (HSTS)](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security) header by: - -- Visiting the installer dashboard "Settings" page and enabling “Force TLS” under the “SSL/TLS Configuration” section. -- Setting [force_tls](/terraform/enterprise/deploy/replicated/install/automated/automating-the-installer#force_tls) in the application settings file. +You can configure Terraform Enterprise to set the [Strict Transport Security (HSTS)](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security) header by setting [TFE_TLS_ENFORCE](/terraform/enterprise/deploy/reference/configuration#tfe_tls_enforce) in the application environment. ~> **Note:** Once properly configured, the HSTS header cannot be disabled and will prevent clients from accessing your Terraform Enterprise domain via HTTP or HTTPS using a self-signed cert. We recommend only enabling this setting for production Terraform Enterprise deployments. diff --git a/content/terraform-enterprise/v202507-1/docs/partials/replicated-and-fdo/architecture/security-model-partial.mdx b/content/terraform-enterprise/v202507-1/docs/partials/replicated-and-fdo/architecture/security-model-partial.mdx index d6f8d426df..31629c6d6f 100644 --- a/content/terraform-enterprise/v202507-1/docs/partials/replicated-and-fdo/architecture/security-model-partial.mdx +++ b/content/terraform-enterprise/v202507-1/docs/partials/replicated-and-fdo/architecture/security-model-partial.mdx @@ -4,9 +4,7 @@ In addition to those listed in [HCP Terraform Security model](/terraform/cloud-d ### Infrastructure Admin -Outside of the application, administrators of the Terraform Enterprise deployment are responsible for managing the underlying infrastructure, upgrading the application, and configuring Terraform Enterprise either via the [Replicated admin console](/terraform/enterprise/deploy/replicated/install/interactive/config#system-configuration) or by editing the [application settings file](/terraform/enterprise/deploy/replicated/install/automated/automating-the-installer). - -Terraform Enterprise grants extensive permissions to this role, so we recommend limiting the number of users who are infrastructure admins in your organization. +Outside of the application, administrators of the Terraform Enterprise deployment are responsible for managing the underlying infrastructure and upgrading the application. We recommend limiting the number of users who are infrastructure admins in your organization. ### Site Admin @@ -28,23 +26,19 @@ We release security fixes, application features, and bug fixes for Terraform Ent ### You are Responsible for Availability, Backups, and Disaster Recovery -Infrastructure admins are responsible for all aspects of reliability and availability. Refer to Terraform Enterprise documentation on [monitoring](/terraform/enterprise/deploy/replicated/monitoring/monitoring), [backups and restores](/terraform/enterprise/deploy/replicated/administration/infrastructure/backup-restore), and [high availability mode (active/active)](/terraform/enterprise/deploy/replicated/administration/infrastructure/admin-cli) for more guidance on this topic. +Infrastructure admins are responsible for all aspects of reliability and availability. Refer to Terraform Enterprise documentation on [monitoring](/terraform/enterprise/deploy/manage/monitor), [backups and restores](/terraform/enterprise/deploy/manage/backup-restore), and [high availability mode (active/active)](/terraform/enterprise/deploy/configuration/storage/configure-mode) for more guidance on this topic. ### Terraform Enterprise Isolates Terraform Operations via Docker Containers Unlike HCP Terraform, Terraform Enterprise performs all Terraform operations in Docker containers on the Terraform Enterprise host. The containers are assigned to an isolated Docker network to prevent them from communicating with Terraform Enterprise backend services. However, Terraform Enterprise does not perform any egress filtering, so Terraform runs can still access available network resources. -### Terraform Enterprise Relies on Third Party Software for Licensing, Delivery, Installation, and Management - -Terraform Enterprise is built on top of a software platform developed by [Replicated](https://www.replicated.com/). The components necessary for installing Terraform Enterprise are hosted by Replicated, and software developed by Replicated is used for bootstrapping, configuring, and managing every Terraform Enterprise deployment. For more information, see [Security at Replicated](https://www.replicated.com/security/). - ## Recommendations for Securely Operating Terraform Enterprise In addition those provided in the [HCP Terraform security model](/terraform/cloud-docs/architectural-details/security-model), we recommend the following for Terraform Enterprise users. ### Run Terraform Enterprise in an Isolated Network, Limit Ingress Ports, and Restrict Access to Underlying Infrastructure -To minimize attack surface, we recommend running Terraform Enterprise in an isolated network and limiting ingress ports to only 80 and 443, as documented in [Network Requirements for Terraform Enterprise](/terraform/enterprise/deploy/replicated/requirements/network). +To minimize attack surface, we recommend running Terraform Enterprise in an isolated network and limiting ingress ports to only 80 and 443, as documented in [Network Requirements for Terraform Enterprise](/terraform/enterprise/deploy/configuration/network). Additionally, we recommend restricting access to the nodes that are running Terraform Enterprise. Terraform Enterprise can not ensure the security or integrity of your data if the underlying infrastructure is compromised. @@ -52,7 +46,7 @@ Additionally, we recommend restricting access to the nodes that are running Terr Once you are ready to use Terraform Enterprise for production workloads, we recommend enabling these optional security features. -#### Secure secondary hostnames +#### Secure Secondary Hostnames You can configure Terraform Enterprise to allow incoming connections at more than one hostname. Refer to [Configure network access](/terraform/enterprise/deploy/configuration/network) for instructions. @@ -60,10 +54,7 @@ When configuring multiple hostnames, create and distribute TLS certificates for #### Enable Strict Transport Security Header -You can configure Terraform Enterprise to set the [Strict Transport Security (HSTS)](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security) header by: - -- Visiting the installer dashboard "Settings" page and enabling “Force TLS” under the “SSL/TLS Configuration” section. -- Setting [force_tls](/terraform/enterprise/deploy/replicated/install/automated/automating-the-installer#force_tls) in the application settings file. +You can configure Terraform Enterprise to set the [Strict Transport Security (HSTS)](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security) header by setting [TFE_TLS_ENFORCE](/terraform/enterprise/deploy/reference/configuration#tfe_tls_enforce) in the application environment. ~> **Note:** Once properly configured, the HSTS header cannot be disabled and will prevent clients from accessing your Terraform Enterprise domain via HTTP or HTTPS using a self-signed cert. We recommend only enabling this setting for production Terraform Enterprise deployments.