Security hardening
Operating system
- Primarily, we strongly recommend using operating system configurations that are compliant with the CIS benchmark for the operating system you use.
- Limit command line access to the machines to a shortlist of well-known staff, and ensure your organization's strategic SIEM/audit log reflects all access.
Application
- Use single-sign-on (SSO) with multi-factor authentication (MFA) for all users.
- The deployment configuration sets up TCP port restrictions for ingress to and egress from the Terraform Enterprise application and related services. Do not alter these restrictions except according to advice from HashiCorp support, a HashiCorp solutions or implementation engineer, or a certified HashiCorp partner.
- Enable the `Strict-Transport-Security` response header.
- Terraform Enterprise allows you to restrict access to the metadata endpoint from Terraform operations, preventing Terraform workspaces from reading any data from the native AWS metadata service.
  - When performing a manual installation, set `restrict_worker_metadata_access` as a Docker environment variable to prevent Terraform operations from accessing the cloud instance metadata service. For additional information, see this page.
  - The automated deployment configuration used in this guide restricts the application instances from accessing the AWS metadata service. Do not re-enable this.
- At the end of a deployment, there is an option to create an initial administrator for Terraform Enterprise. We recommend not creating an account and coordinating a hand-off to the operations team.
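As an added example (not HashiCorp code or documentation), an offline check that a deployment's response headers and container environment satisfy the `Strict-Transport-Security` and `restrict_worker_metadata_access` items above; the one-year `max-age` floor and the reading of `restrict_worker_metadata_access` as enabled when set to a truthy value are assumptions, so confirm the accepted values against the documentation for your version.

```python
"""Offline hardening checks for two of the settings listed on this page.

Added example, not part of Terraform Enterprise. Inputs are plain dicts so the
checks can run against captured headers and a container's environment.
"""
import re

# Assumption: one year is used as the minimum acceptable HSTS max-age.
HSTS_MIN_AGE = 31536000


def check_hsts(headers):
    """Return a finding string, or None when the HSTS header is acceptable."""
    # Header names are case-insensitive, so match without regard to case.
    value = next((v for k, v in headers.items()
                  if k.lower() == "strict-transport-security"), None)
    if value is None:
        return "Strict-Transport-Security header missing"
    m = re.search(r"max-age=(\d+)", value, re.IGNORECASE)
    if not m:
        return "Strict-Transport-Security has no max-age"
    if int(m.group(1)) < HSTS_MIN_AGE:
        return f"Strict-Transport-Security max-age {m.group(1)} below {HSTS_MIN_AGE}"
    return None


def check_metadata_restriction(env):
    """Return a finding string, or None when metadata access is restricted.

    env is a dict of the application container's environment variables.
    Assumption: the setting counts as enabled for any value other than an
    empty string, "0" or "false".
    """
    value = env.get("restrict_worker_metadata_access")
    if value is None or value.strip().lower() in ("", "0", "false"):
        return ("restrict_worker_metadata_access not enabled; Terraform runs "
                "may reach the instance metadata service")
    return None


def audit(headers, env):
    """Run both checks and return the list of findings (empty when hardened)."""
    return [f for f in (check_hsts(headers), check_metadata_restriction(env)) if f]


if __name__ == "__main__":
    # Constructed sample input: a deployment with neither setting in place.
    weak_headers = {"Content-Type": "text/html"}
    weak_env = {"EXAMPLE_OTHER_SETTING": "x"}
    for finding in audit(weak_headers, weak_env):
        print("FINDING:", finding)
```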