Securing Resource Manager
Resource Manager allows you to automate installing and provisioning Oracle Cloud Infrastructure resources by committing the provisioning instructions to configuration files. These configuration files capture the step-by-step provisioning instructions using a declarative language that follows the "infrastructure-as-code" model. The provisioning instructions are executed as "jobs"; the Oracle Cloud Infrastructure resources that are provisioned when you run the jobs are organized into "stacks."
Executing jobs and provisioning stacks is gated using role-based access control (RBAC), which is enabled by Oracle Cloud Infrastructure Identity and Access Management (IAM). This gives administrators granular control over user access to Oracle Cloud Infrastructure resources and the actions that users can take on these resources.
The Resource Manager security scheme rests on three pillars:
- Security groups. Administrator-defined groups that have permission to perform specific operations on stacks and jobs. Individual users are assigned to security groups and can then perform operations that are allowed by that group. For more information about security policies, see Getting Started with Policies. See also How Policies Work and Policy Syntax. For recommended Resource Manager policies, see Policies for Managing Stacks and Jobs.
- Permission sets. Sets of permissions that are specific to jobs and stacks.
- Operations. The operations (or actions) that are allowed and the permissions that are required to perform each one.
For permission sets and operations used with Resource Manager, see Details for Resource Manager.
Potential Security Risks and Mitigations
Terraform State Files
Terraform state (.tfstate) can contain sensitive data, including resource IDs and in some cases sensitive user data like passwords. HashiCorp provides recommendations for handling Terraform state in the article Sensitive Data in State.
To control access to the Terraform state file, you can create a security policy that limits access to reading jobs, such as the following:
Allow group <group_name> to read orm-jobs in compartment
Because read orm-jobs also gates other operations, such as getting job logs and Terraform configurations, keep the stacks whose state files you want to protect in a compartment of their own, so that a restrictive policy on that compartment does not limit those other operations elsewhere.
The Resource Manager workflow typically includes writing or generating a Terraform configuration that is then used to manage your stack. Because the Terraform configuration can be accessed using the Resource Manager API GetJobTfConfig, we recommend that you do not include sensitive information in your configuration files.
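The two recommendations above (treat the state file as sensitive, and keep secrets out of the Terraform configuration) can be turned into a check that runs before a configuration is committed or uploaded to a stack. The script below is an added example, not code from this page, from Oracle, or from HashiCorp. It walks a Terraform state document for attributes whose names suggest they hold secrets, and scans Terraform configuration text for secret-bearing string literals. The state document and the HCL snippet are constructed samples embedded in the script, the resource types in them are hypothetical, and the name pattern is an assumed heuristic rather than a complete parser of either format.

```python
"""Pre-commit check for Terraform state and configuration destined for Resource Manager.

Added example (not Oracle's or HashiCorp's code). Both inputs below are constructed;
resource types such as "example_database" are hypothetical.
"""
import json
import re

# Attribute and variable names that commonly carry secrets (assumed heuristic list).
SENSITIVE_NAME = re.compile(r"(password|passwd|secret|token|private_key|api_key)", re.I)

# Constructed Terraform state (format version 4). Note that Terraform writes attribute
# values to state in clear text even when the configuration marks them sensitive,
# which is why access to the state (read orm-jobs) must be restricted.
SAMPLE_STATE = json.dumps({
    "version": 4,
    "resources": [
        {
            "mode": "managed",
            "type": "example_database",  # hypothetical resource type
            "name": "app_db",
            "instances": [{
                "attributes": {
                    "id": "ocid1.example.oc1..constructed",
                    "display_name": "app-db",
                    "admin_password": "Pa55w0rd-constructed",
                },
            }],
        },
        {
            "mode": "managed",
            "type": "example_bucket",  # hypothetical resource type
            "name": "logs",
            "instances": [{"attributes": {"id": "ocid1.example.oc1..bucket", "name": "logs"}}],
        },
    ],
})

# Constructed Terraform configuration with one hard-coded default and one literal key.
SAMPLE_TF = '''\
variable "admin_password" {
  type      = string
  sensitive = true
  default   = "Pa55w0rd-constructed"   # hard-coded secret: flagged
}

resource "example_database" "app_db" {      # hypothetical resource type
  display_name   = "app-db"
  admin_password = var.admin_password       # reference, not a literal: fine
  api_key        = "AKIA-constructed-key"   # literal secret: flagged
}
'''

VAR_BLOCK = re.compile(r'^\s*variable\s+"([^"]+)"\s*\{')
ASSIGN = re.compile(r'^\s*([A-Za-z_]\w*)\s*=\s*"([^"]*)"')


def _walk(value, path=""):
    """Yield (dotted path, leaf value) for every scalar inside nested dicts/lists."""
    if isinstance(value, dict):
        for key, child in value.items():
            yield from _walk(child, f"{path}.{key}" if path else key)
    elif isinstance(value, list):
        for index, child in enumerate(value):
            yield from _walk(child, f"{path}[{index}]")
    else:
        yield path, value


def find_sensitive_state_attributes(state_json):
    """Return (resource address, attribute path) for non-empty string attributes
    whose name matches SENSITIVE_NAME anywhere in the state's resource instances."""
    state = json.loads(state_json)
    hits = []
    for res in state.get("resources", []):
        address = f"{res['type']}.{res['name']}"
        for inst in res.get("instances", []):
            for path, value in _walk(inst.get("attributes", {})):
                leaf = path.rsplit(".", 1)[-1]
                if isinstance(value, str) and value and SENSITIVE_NAME.search(leaf):
                    hits.append((address, path))
    return hits


def find_hardcoded_secrets(tf_text):
    """Return (line number, key) for quoted literals assigned to secret-looking keys,
    including a 'default' inside a variable block whose name looks secret-bearing.
    References such as var.admin_password are not literals and are not flagged."""
    hits = []
    current_var = None
    for lineno, line in enumerate(tf_text.splitlines(), start=1):
        block = VAR_BLOCK.match(line)
        if block:
            current_var = block.group(1)
            continue
        if line.startswith("}"):  # top-level block closed
            current_var = None
            continue
        assign = ASSIGN.match(line)
        if not assign or not assign.group(2):
            continue
        key = assign.group(1)
        if key == "default" and current_var and SENSITIVE_NAME.search(current_var):
            hits.append((lineno, f"variable.{current_var}.default"))
        elif SENSITIVE_NAME.search(key):
            hits.append((lineno, key))
    return hits


if __name__ == "__main__":
    for address, path in find_sensitive_state_attributes(SAMPLE_STATE):
        print(f"state: {address} exposes {path}")
    for lineno, key in find_hardcoded_secrets(SAMPLE_TF):
        print(f"config line {lineno}: literal assigned to {key}")
```

Run against the sample inputs, the state check reports the clear-text admin_password of example_database.app_db, and the configuration check reports the variable default on line 4 and the api_key literal on line 10 while accepting the var.admin_password reference. In a real pipeline, feed the check the state the job produced (or the plan JSON) and the .tf files, and treat any hit as a reason to move the value into a variable supplied at run time or a secret store instead of the configuration.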