Security
Last Updated: 9 November 2022
Security Information
Terrateam takes many measures to make sure customer data stays private. This includes following security best practices and various other steps listed in this document. A coordinated approach is taken to protect customer data focusing on technical and procedural solutions.
This document is an overview of Terrateam information security policies and procedures. It is not exhaustive. The below should not be relied on as a warranty of any services Terrateam provides or in any other way as amending or modifying our Terms of Service.
Terrateam will re-evaluate our information security procedures from time to time, but does not have an obligation to proactively communicate updates on this document should any changes occur. The following documents will be kept up to date and users are encouraged to occasionally review these pages:
- Privacy Policy: https://terrateam.io/privacy
- Terms of Service: https://terrateam.io/terms
Data Center Security
Terrateam uses virtual machines located in the United States in secure and shared hosting facilities with redundant and reliable access. All Terrateam virtual machines are logically segregated from other virtual machines in the hosting facility.
- All virtual machines are located in Fly.io data centers in the United States
- Virtual machines are exclusively used for Terrateam
- Redundant power, cooling, and internet connectivity
- 24/7 staffed security
- Restricted physical access with biometrics controls
Fly.io is SOC 2 Type I compliant. More information can be found here: https://fly.io/docs/about/security/
Application Security
Terrateam is a GitHub application that translates GitHub events into Terraform operations. There are two major components of the Terrateam service:
- The backend which receives GitHub events and makes decisions using the event payload
- The GitHub Actions runner which is hosted on the GitHub Actions platform and executes the jobs that the backend creates
Many security measures are put in place:
- Security best practices followed
- Security logs regularly reviewed
- Patches applied on regular intervals
- Firewalls implemented in front of all internal and external endpoints
- Security policies in place that follow the principle of least privilege
- TLS encrypted connections required for application access
- Application uses well-tested open source software
- Regular security audits
- Formal process in place to grant elevated access to systems
- Data encrypted in-transit and at-rest
- Vendor provided passwords have been changed from default
- Encrypted backups
Data Privacy
Terrateam does not access source code repositories directly except for the Terrateam configuration file that lives within the repository. The application will execute a git clone against a customer repository within the GitHub Actions runtime environment in order to perform Terrateam operations.
Customers may choose to leverage GitHub Secrets for Terrateam operations that take place within the GitHub Actions runtime environment. Terrateam does not read these secrets, and they are not explicitly sent back to the Terrateam backend; the one exception is Terraform plan files, which could contain sensitive information. Terraform plan files must be stored on the Terrateam backend in order for the application to operate. Plan files are encrypted at-rest and deleted as soon as they are used by their respective operation or after 14 days, whichever comes first.
GitHub Application Permissions
The Terrateam GitHub application requires the following permissions on the customer's repositories, organization, and account. An explanation of each permission can be found below.
Repository permissions

| Permission | Access | GitHub scope | Terrateam use |
|---|---|---|---|
| Actions | Read and write | Workflows, workflow runs and artifacts. | Execute Terrateam operations. |
| Checks | Read-only | Checks on code. | Validate GitHub checks have passed before running a Terrateam apply. |
| Commit statuses | Read and write | Commit statuses. | Provide user feedback on Terrateam operations and validate commit statuses before running a Terrateam apply. |
| Contents | Read and write | Repository contents, commits, branches, downloads, releases, and merges. | Retrieve the Terrateam configuration file. |
| Issues | Read and write | Issues and related comments, assignees, labels, and milestones. | Create and update issues for drift detection. |
| Metadata | Read-only | Search repositories, list collaborators, and access repository metadata. | Required by GitHub. |
| Pull requests | Read and write | Pull requests and related comments, assignees, labels, milestones, and merges. | Trigger Terrateam operations and merge a pull request. |
| Secrets | Read and write | Manage Actions repository secrets. | Future implementation of a secrets management interface. |

The Secrets read permission only allows Terrateam to retrieve the secret name without revealing its encrypted value.

Organization permissions

| Permission | Access | GitHub scope | Terrateam use |
|---|---|---|---|
| Members | Read-only | Organization members and teams. | Used for access control and other internal Terrateam operations. |

Account permissions

| Permission | Access | GitHub scope | Terrateam use |
|---|---|---|---|
| Email addresses | Read-only | Manage a user's email addresses. | Account-related emails only. |
GitHub Application Events
The Terrateam GitHub application subscribes to the following repository events. An explanation of each subscription can be found below.
| Event | GitHub description | Terrateam use |
|---|---|---|
| Issue comment | Issue comment created, edited, or deleted. | Trigger Terrateam operations. |
| Issues | Issues opened, edited, deleted, transferred, pinned, unpinned, closed, reopened, assigned, unassigned, labeled, unlabeled, milestoned, demilestoned, locked, or unlocked. | Trigger Terrateam operations. |
| Pull request | Pull request assigned, auto merge disabled, auto merge enabled, closed, converted to draft, demilestoned, dequeued, edited, enqueued, labeled, locked, milestoned, opened, ready for review, reopened, review request removed, review requested, synchronized, unassigned, unlabeled, or unlocked. | Trigger Terrateam operations. |
| Push | Git push to a repository. | Trigger Terrateam operations. |
| Workflow job | Workflow job queued, requested or completed on a repository. | Track when Terrateam workflow jobs are queued, requested, or completed. |
| Workflow run | Workflow run requested or completed on a repository. | Track when Terrateam workflow runs are requested or completed. |