HashiCorp Terraform Release Key Rotation

Please note that this post, first published over a year ago, may now be out of date.


In the past few days, you may have started to see a similar warning to the following when you are initialising a Terraform run:

  Warning: registry.terraform.io: This version of Terraform has an outdated GPG key and is unable to verify new provider releases. Please upgrade Terraform to at least 0.12.31 to receive new provider updates. For details see: https://discuss.hashicorp.com/t/hcsec-2021-12-codecov-security-event-and-hashicorp-gpg-key-exposure/23512

This warning relates to a security event (HCSEC-2021-12) that occurred on April 22, 2021. During this event a PGP key belonging to HashiCorp was potentially compromised, and as a result HashiCorp has rotated the keys it uses for release signing and verification. Older Terraform builds only trust the old key, which is why they cannot verify provider releases signed with the new one.

What you should do

There are various mitigation paths for this warning, depending on how you are currently using Terraform. The HashiCorp post linked in the warning above contains a table of affected Terraform versions, the potential impact of the key rotation on each, and the recommended actions to take.

A big factor for users of Terraform 0.11 or 0.12 is whether you are currently pinning the versions of your providers. If you are not pinning them, you may start to see failed signature checks as new provider versions are released, because those releases are signed with the rotated key that older Terraform builds cannot verify. In this situation you should upgrade to the latest patch of your Terraform minor version, and pin the provider versions you use if feasible.

The main thing is to stay on the latest patch number for your minor version of Terraform. This will ensure that your infrastructure operations can continue with minimal maintenance when events like this occur.

As of writing, the minimum patch version you should move to for each minor version of Terraform is as follows:

  • 0.15.1
  • 0.14.11
  • 0.13.7
  • 0.12.31
  • 0.11.15

Version pinning

An example of pinning your Terraform version (in this case 0.15), or of adjusting an existing pin so that only suitable versions are accepted, could look like this:

  terraform {
    # Terraform version 0.15.0 could be compromised - see HCSEC-2021-12
    required_version = "~> 0.15.1"
  }

This enforces that only Terraform 0.15 with a patch version of 1 or greater can be used with your configuration: the "~>" (pessimistic) constraint allows the rightmost version component to increase, so 0.15.1, 0.15.2 and so on are accepted, but 0.15.0 and 0.16.x are not.

Modules may contain their own version requirements, but having this in the root of your Terraform configuration provides an overall base rule. If a module is pinned to a particular Terraform version that is older than the patch numbers shown in the list above, you may need to take remedial action with the module in question.
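To show the Terraform pin and the provider pin from the previous sections together, here is a complete root-module block as an added example (it is not code from the original post or from HashiCorp). The provider name, its source address and the version numbers are illustrative assumptions; substitute the ones your configuration actually uses.

```hcl
# Added example, not from the original post: root-module version pinning for
# a Terraform 0.15 configuration. Provider name, source address and version
# numbers are illustrative assumptions.

terraform {
  # Only accept Terraform 0.15.x with x >= 1. The patch releases listed in the
  # post are the minimum for each minor version, because earlier builds only
  # trust the PGP key that was rotated after HCSEC-2021-12.
  required_version = "~> 0.15.1"

  required_providers {
    aws = {
      source = "hashicorp/aws"

      # Pin the provider as well: a pessimistic constraint on the minor
      # version stops an unattended jump to a newly released provider build,
      # which an outdated Terraform could not verify against the new key.
      # "~> 3.37.0" means >= 3.37.0 and < 3.38.0 (assumed value).
      version = "~> 3.37.0"
    }
  }
}
```

On Terraform 0.14 and later, terraform init also records the selected provider versions and their checksums in .terraform.lock.hcl, so a pinned configuration will not silently pick up a newer provider release until you run terraform init -upgrade. The required_providers syntax above is the 0.13+ form; on 0.12 each entry is a plain version string (for example aws = "~> 2.70"), and on 0.11 the constraint goes in the provider block's version argument instead.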

At The Scale Factory, we have also updated the PGP trust anchors for the HashiCorp Downloader tool hcdl, so that downloads it verifies are checked against the rotated key.

We offer hands-on AWS training as part of our SaaS Growth subscription, to help your team make the best use of the AWS cloud. Book a free chat to find out more.

For some topics, you can also get the same training just on the topic you need - see our Terraform training and Kubernetes training pages.
