Skip to content

Encrypt plan files #2217

New issue
New issue
Open
Open
Encrypt plan files#2217
Labels
enhancementNew feature or requestsecurity
@suzuki-shunsuke

Description

@suzuki-shunsuke
suzuki-shunsuke
opened on Jan 6, 2025

Feature Overview

We stored plan files in GitHub Artifacts.

https://suzuki-shunsuke.github.io/tfaction/docs/feature/plan-file

This issue suggests to encrypt plan files somehow.
There would be some options for encryption.

Why is the feature needed?

We stored plan files in GitHub Artifacts.

https://suzuki-shunsuke.github.io/tfaction/docs/feature/plan-file

We migrated the storage from S3 or GCS to GitHub Artifacts to prevent plan files from being tampered.
But people with the read permission of the repository can access plan files.
If plan files include secret, this is security issue.
Of course, you should not store secrets in plan files basically, but the security incident can occur.
And attackers can leak secrets to plan files.

Example Code

No response

Note

Even if we encrypt plan files, attackers can decrypt them via CI.

Activity

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Metadata

Assignees

No one assigned

    Labels

    enhancementNew feature or requestsecurity

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions