11 changes: 9 additions & 2 deletions content/terraform/v1.13.x/docs/language/backend/http.mdx
Expand Up @@ -40,6 +40,13 @@ data "terraform_remote_state" "foo" {

## Configuration Variables

> **Security warning**
> `skip_cert_verification` disables TLS certificate verification and should **not** be used in production.
> Prefer configuring proper trust or **mTLS** instead. The HTTP backend already supports:
> - `client_certificate_pem` and `client_private_key_pem` for client authentication
> - `client_ca_certificate_pem` for server certificate validation
> See [Credentials and Sensitive Data](/terraform/language/backend#credentials-and-sensitive-data) for handling secrets.

!> **Warning:** We recommend using environment variables to supply credentials and other sensitive data. If you use `-backend-config` or hardcode these values directly in your configuration, Terraform will include these values in both the `.terraform` subdirectory and in plan files. Refer to [Credentials and Sensitive Data](/terraform/language/backend#credentials-and-sensitive-data) for details.

The following configuration options / environment variables are supported:
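
Review bot: The new `> **Security warning**` blockquote at the top of this hunk will not render the way it is laid out. There is no empty `>` line between the title and the `skip_cert_verification` sentence, so both join into one paragraph, and the closing `> See [Credentials and Sensitive Data](...)` line directly follows the last bullet, so Markdown treats it as a continuation of the `client_ca_certificate_pem` item. Add an empty `>` line after the title and another before the "See" line. Consider using the same `!> **Warning:**` callout syntax as the existing warning immediately below, and drop the "See" link, since that warning already links to the same section. The text would also be stronger if it said what is lost: with verification disabled, the server's certificate is never checked, so the client cannot tell which server it is sending state and credentials to.
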
Expand All @@ -60,15 +67,15 @@ The following configuration options / environment variables are supported:
- `password` / `TF_HTTP_PASSWORD` - (Optional) The password for HTTP basic
authentication
- `skip_cert_verification` - (Optional) Whether to skip TLS verification.
Defaults to `false`.
Defaults to `false`. **Not recommended for production.**
- `retry_max` / `TF_HTTP_RETRY_MAX` – (Optional) The number of HTTP request
retries. Defaults to `2`.
- `retry_wait_min` / `TF_HTTP_RETRY_WAIT_MIN` – (Optional) The minimum time in
seconds to wait between HTTP request attempts. Defaults to `1`.
- `retry_wait_max` / `TF_HTTP_RETRY_WAIT_MAX` – (Optional) The maximum time in
seconds to wait between HTTP request attempts. Defaults to `30`.

For mTLS authentication, the following three options may be set:
For **mTLS** authentication (recommended in production over `skip_cert_verification`), the following three options may be set:

- `client_certificate_pem` / `TF_HTTP_CLIENT_CERTIFICATE_PEM` - (Optional) A PEM-encoded certificate used by the server to verify the client during mutual TLS (mTLS) authentication.
- `client_private_key_pem` /`TF_HTTP_CLIENT_PRIVATE_KEY_PEM` - (Optional) A PEM-encoded private key, required if client_certificate_pem is specified.
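
Review bot: The reworded lead-in "For **mTLS** authentication (recommended in production over `skip_cert_verification`)" presents client authentication as the replacement for skipping server verification, but the two solve different problems. Per the first hunk and the bullets here, `client_certificate_pem` and `client_private_key_pem` let the server verify the client, while only `client_ca_certificate_pem` validates the server certificate. Suggest saying that explicitly, for example by pointing users with a private CA to `client_ca_certificate_pem` as the alternative to `skip_cert_verification`, and describing the client certificate and key as an additional control. The same applies to the `skip_cert_verification` bullet: "**Not recommended for production.**" would be more useful if it named `client_ca_certificate_pem` as what to use instead.
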