Restrict Terraform Operations (Example: Destroy)
Feature description 💡
https://developer.hashicorp.com/terraform/cli/commands/login
Wanted to see if we can restrict more auth, like terraform login, to prevent runs from the local machine.
Anything else?
No response
Can you explain a little bit more about this?
Right now, when you do a terraform login and you want to, for example, run a plan, apply or destroy, the terraform command will be executed remotely, not on your local machine.
Even if we are doing it on the local machine, appropriate permissions are required; otherwise, if someone mistakenly runs destroy, it will destroy the whole stuff.
Or how to prevent unwanted actions from local terraform?
For now there is no way to prevent unwanted terraform actions if you are using terraform remote state.
You can give certain groups access to an organization, but once you have "manage workspace" you can do anything unless you do some kind of customization inside the Terrakube templates.
I am using the template to restrict deployment to only selected branches; the new version now supports a similar feature for the webhook. I am wondering: for the VCS workflow, should deployment and destroy be restricted to be kicked off only from the Terrakube UI? That is, only plan can be run from local. I remember this is the action TFC takes.