Terraform Cloud Token

ID

terraform_token

Severity

critical

Vendor

Terraform

Family

API Token

Description

Terraform is an open-source, infrastructure as code, software tool. This detector detects the three types of tokens used to interact with the API: user, teams and organization tokens.

Security

Any leakage of the Terraform Cloud Token is critical and a potential secret reported by this detector.

Examples

The following example shows a hardcoded Terraform token in a Terraform script:

terraform {
  backend "remote" {
    organization = "c@tCorp"
    hostname     = "app.terraform.io"
    noncompliant.token = "guz8wzA4aeAgkc.atlasv1.4E6e7mwJYC6LZklYvPMc9tzUL5kaq3zQ97UnNZhce4zbza1vg0vrKFkyQEGdNSfIRPp"
  }
}

Mitigation / Fix

  1. Remove the Token from the source code or committed configuration file. Avoid hardcoded secrets, and instead place the keys in a 'secrets vault'.

  2. Follow your policy for handling leaked secrets, which typically require revoking the secret in the target system(s).

  1. If under a git repository, you may remove unwanted files from the repository history using tools like git filter-repo or BFG Repo-Cleaner. You may follow the procedure listed here for GitHub.

You should consider any sensitive data in commits with secrets as compromised.

Remember that secrets may be removed from history in your projects, but not in other users' cloned or forked repositories.

Reference

https://www.terraform.io/docs/cloud/users-teams-organizations/api-tokens.html