
Security

Last Updated: 9 November 2022

Security Information

Terrateam takes a number of measures to keep customer data private, including the security practices and controls described in this document. Customer data is protected through a coordinated combination of technical and procedural controls.

This document is an overview of Terrateam's information security policies and procedures. It is not exhaustive, and it should not be relied on as a warranty of any service Terrateam provides or as amending or modifying our Terms of Service.

Terrateam re-evaluates its information security procedures from time to time but has no obligation to proactively communicate updates to this document when changes occur. The following documents will be kept up to date, and users are encouraged to review these pages periodically:

Data Center Security

Terrateam runs on virtual machines located in the United States, in secure shared hosting facilities with redundant and reliable connectivity. All Terrateam virtual machines are logically segregated from other tenants' virtual machines in the hosting facility.

  • All virtual machines are located in Fly.io data centers in the United States
  • Virtual machines are exclusively used for Terrateam
  • Redundant power, cooling, and internet connectivity
  • 24/7 staffed security
  • Restricted physical access with biometrics controls

Fly.io is SOC 2 Type I compliant. More information can be found here: https://fly.io/docs/about/security/

Application Security

Terrateam is a GitHub application that translates GitHub events into Terraform operations. The service has two major components:

  • The backend, which receives GitHub events and decides what to do based on the event payload
  • The GitHub Actions runner, hosted on the GitHub Actions platform, which executes the jobs that the backend creates

The following security measures are in place:

  • Security best practices are followed
  • Security logs are reviewed regularly
  • Patches are applied at regular intervals
  • Firewalls are implemented in front of all internal and external endpoints
  • Security policies follow the principle of least privilege
  • TLS-encrypted connections are required for all application access
  • The application uses well-tested open source software
  • Regular security audits
  • A formal process is in place for granting elevated access to systems
  • Data is encrypted in transit and at rest
  • Vendor-provided passwords have been changed from their defaults
  • Backups are encrypted

Data Privacy

The Terrateam backend does not read repository source code; the only repository file it retrieves through the GitHub API is the Terrateam configuration file that lives within the repository. To perform Terrateam operations, the repository is cloned (git clone) inside the GitHub Actions runtime environment rather than on the backend.

Customers may choose to use GitHub Secrets for Terrateam operations that run within the GitHub Actions runtime environment. Terrateam does not read these secrets, and they are not sent to the Terrateam backend. The exception is Terraform plan files, which must be stored on the Terrateam backend for the application to operate and which can contain sensitive information: Terraform does not redact values marked sensitive inside a plan file, so a plan should be treated as containing anything the configuration and state expose. Plan files are encrypted at rest and deleted as soon as their respective operation has used them, or after 14 days, whichever comes first.

GitHub Application Permissions

The Terrateam GitHub application requests the permissions listed below from the installing organization or repositories. Each entry gives the GitHub permission and its access level, the scope GitHub grants for that permission, and what Terrateam uses it for.

Repository permissions

Actions: Read and write
  • Scope: workflows, workflow runs and artifacts.
  • Used for: executing Terrateam operations.

Checks: Read-only
  • Scope: checks on code.
  • Used for: validating that GitHub checks have passed before running a Terrateam apply.

Commit statuses: Read and write
  • Scope: commit statuses.
  • Used for: providing user feedback on Terrateam operations and validating commit statuses before running a Terrateam apply.

Contents: Read and write
  • Scope: repository contents, commits, branches, downloads, releases, and merges.
  • Used for: retrieving the Terrateam configuration file.

Issues: Read and write
  • Scope: issues and related comments, assignees, labels, and milestones.
  • Used for: creating and updating issues for drift detection.

Metadata: Read-only
  • Scope: search repositories, list collaborators, and access repository metadata.
  • Used for: required by GitHub for every GitHub App.

Pull requests: Read and write
  • Scope: pull requests and related comments, assignees, labels, milestones, and merges.
  • Used for: triggering Terrateam operations and merging a pull request.

Secrets: Read and write
  • Scope: manage Actions repository secrets.
  • Used for: a planned secrets management interface (not yet implemented).

The GitHub API never returns the value of an Actions secret. With the Secrets read permission Terrateam can list secret names and metadata only; the write permission allows it to create, update, or delete secrets, not to read their values.

Organization permissions

Members: Read-only
  • Scope: organization members and teams.
  • Used for: access control and other internal Terrateam operations.

Account permissions

Email addresses: Read-only
  • Scope: a user's email addresses (read-only).
  • Used for: account-related emails only.

GitHub Application Events

The Terrateam GitHub application subscribes to the repository events listed below. Each entry gives the event, the GitHub activity that triggers it, and what Terrateam does with it.

Issue comment
  • Triggered by: an issue comment being created, edited, or deleted (GitHub also delivers pull request conversation comments as issue comments).
  • Used for: triggering Terrateam operations.

Issues
  • Triggered by: an issue being opened, edited, deleted, transferred, pinned, unpinned, closed, reopened, assigned, unassigned, labeled, unlabeled, milestoned, demilestoned, locked, or unlocked.
  • Used for: triggering Terrateam operations.

Pull request
  • Triggered by: a pull request being assigned, auto merge disabled, auto merge enabled, closed, converted to draft, demilestoned, dequeued, edited, enqueued, labeled, locked, milestoned, opened, ready for review, reopened, review request removed, review requested, synchronized, unassigned, unlabeled, or unlocked.
  • Used for: triggering Terrateam operations.

Push
  • Triggered by: a git push to the repository.
  • Used for: triggering Terrateam operations.

Workflow job
  • Triggered by: a workflow job being queued, requested, or completed on the repository.
  • Used for: tracking when Terrateam workflow jobs are queued, requested, or completed.

Workflow run
  • Triggered by: a workflow run being requested or completed on the repository.
  • Used for: tracking when Terrateam workflow runs are requested or completed.
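The backend described under Application Security acts on GitHub event payloads, and the subscriptions above define which events reach it. As an added example, not Terrateam's own code (this page does not show its implementation), the following Python sketches the first two decisions such a backend should make for every delivery: authenticate the delivery by checking GitHub's X-Hub-Signature-256 header (an HMAC-SHA256 of the raw request body keyed with the app's webhook secret) before parsing anything, then act only on event types from the subscription list. The webhook secret, the sample payload, and the repository name are constructed for the example.

```python
import hashlib
import hmac
import json
from typing import Optional

# Constructed for this example; a real deployment loads the secret from a secret store.
WEBHOOK_SECRET = b"example-webhook-secret"

# Event types the service acts on: the subscriptions listed in this document.
SUBSCRIBED_EVENTS = frozenset({
    "issue_comment", "issues", "pull_request", "push",
    "workflow_job", "workflow_run",
})


def sign_body(secret: bytes, body: bytes) -> str:
    """Value GitHub puts in X-Hub-Signature-256: 'sha256=' + HMAC-SHA256 of the raw body."""
    return "sha256=" + hmac.new(secret, body, hashlib.sha256).hexdigest()


def verify_signature(secret: bytes, body: bytes, header_value: Optional[str]) -> bool:
    """True only if the header matches the HMAC of the exact bytes received.

    hmac.compare_digest is constant-time, so response timing does not leak
    how many leading bytes of a forged signature were correct.
    """
    if not header_value or not header_value.startswith("sha256="):
        return False
    expected = sign_body(secret, body)
    return hmac.compare_digest(expected.encode(), header_value.encode())


def handle_delivery(headers: dict, body: bytes, secret: bytes = WEBHOOK_SECRET) -> dict:
    """Decide what to do with one webhook delivery.

    Order matters: the signature is checked on the raw bytes before the body
    is parsed, so unauthenticated input never reaches the JSON parser or any
    decision logic.
    """
    if not verify_signature(secret, body, headers.get("X-Hub-Signature-256")):
        return {"accepted": False, "reason": "bad or missing signature"}

    event = headers.get("X-GitHub-Event", "")
    if event not in SUBSCRIBED_EVENTS:
        return {"accepted": False, "reason": f"not subscribed to {event!r}"}

    payload = json.loads(body)
    return {
        "accepted": True,
        "event": event,
        "action": payload.get("action"),
        "repository": payload.get("repository", {}).get("full_name"),
        "delivery": headers.get("X-GitHub-Delivery"),
    }


# Constructed sample delivery: a comment on a pull request, which GitHub sends
# as an issue_comment event. The repository and comment text are made up.
SAMPLE_BODY = json.dumps({
    "action": "created",
    "repository": {"full_name": "example-org/infra"},
    "issue": {"number": 42, "pull_request": {}},
    "comment": {"body": "example comment"},
}).encode()

SAMPLE_HEADERS = {
    "X-GitHub-Event": "issue_comment",
    "X-GitHub-Delivery": "00000000-0000-0000-0000-000000000001",
    "X-Hub-Signature-256": sign_body(WEBHOOK_SECRET, SAMPLE_BODY),
}


def demo() -> list:
    """Run the handler over a valid delivery, a tampered body, an unsubscribed
    event, and a delivery with no signature header at all."""
    tampered = SAMPLE_BODY.replace(b"example-org/infra", b"attacker/infra")
    unsubscribed = {**SAMPLE_HEADERS, "X-GitHub-Event": "star"}
    return [
        handle_delivery(SAMPLE_HEADERS, SAMPLE_BODY),
        handle_delivery(SAMPLE_HEADERS, tampered),
        handle_delivery(unsubscribed, SAMPLE_BODY),
        handle_delivery({}, SAMPLE_BODY),
    ]


if __name__ == "__main__":
    for result in demo():
        print(result)
```

The signature check covers what the "TLS-encrypted connections" measure does not: TLS lets GitHub authenticate the Terrateam endpoint, while the webhook signature is what lets the backend confirm that a delivery came from GitHub and was not altered in transit, so the JSON parser and all decision logic should sit behind it. GitHub only sends X-Hub-Signature-256 when a webhook secret is configured for the app, which is why the handler treats a missing header as a rejection rather than a pass.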