HashiCorp Terraform Release Key Rotation


Over the past few days you may have started to see a warning like the following when initialising a Terraform working directory (terraform init):

Warning: registry.terraform.io: This version of Terraform has an outdated GPG key and is unable to verify new provider releases. Please upgrade Terraform to at least 0.12.31 to receive new provider updates. For details see: https://discuss.hashicorp.com/t/hcsec-2021-12-codecov-security-event-and-hashicorp-gpg-key-exposure/23512

The warning relates to security event HCSEC-2021-12, disclosed by HashiCorp on April 22, 2021. The GPG private key HashiCorp uses to sign its releases was exposed in the Codecov supply-chain incident (the discussion thread linked in the warning has the details). HashiCorp reported no evidence that the key had been misused, but rotated it anyway and now signs releases with a new key. Because Terraform carries the HashiCorp public key inside its own binary, a Terraform build that predates the rotation trusts only the old key and cannot verify provider releases signed with the new one; that is what the warning is telling you.

What you should do

The right mitigation depends on how you use Terraform. The HashiCorp post linked in the warning contains a table of affected Terraform versions, the impact the key rotation has on each, and the recommended action to take.

For users of Terraform 0.11 or 0.12 the deciding factor is whether you pin provider versions. Provider releases published before the rotation are signed with the old key and still verify on older Terraform, so a configuration pinned to one of them keeps working. If you do not pin, the next terraform init may select a provider release signed with the new key and the signature check will fail. In that situation upgrade to the latest patch release of your Terraform minor version and, where feasible, pin the provider version as well.

The main thing is to stay on the latest patch number for your minor version of Terraform. This will ensure that your infrastructure operations can continue with minimal maintenance when events like this occur.

As of writing, the minimum patch release of each minor version that carries the new signing key is:

  • 0.15.1
  • 0.14.11
  • 0.13.7
  • 0.12.31
  • 0.11.15

Version pinning

An example of pinning the Terraform version, in this case to 0.15, or of tightening an existing pin so that only patched releases are accepted, looks like this:

  terraform {
    # Terraform 0.15.0 predates the key rotation (HCSEC-2021-12) and
    # cannot verify providers signed with the new key, so require 0.15.1+
    required_version = "~> 0.15.1"
  }

The ~> (pessimistic) constraint allows only the rightmost version component to increase, so this accepts 0.15.1 and any later 0.15.x patch release while rejecting 0.15.0 and 0.16.0. Terraform refuses to run a configuration whose required_version it does not satisfy, so an unpatched binary fails fast at init rather than failing later on a provider signature check.

Modules may carry their own required_version, but setting it in the root module gives you an overall baseline. If a module pins to a Terraform version older than the patch releases listed above, that module itself needs updating before you can move on.
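Pulling the two pins together, here is a root module that constrains both Terraform itself and its providers. This is an added example and not configuration from the article or from HashiCorp; the providers (hashicorp/aws, hashicorp/random), their version numbers and the region are illustrative assumptions chosen for the example. It uses the required_providers syntax introduced in Terraform 0.13, which the required_version constraint guarantees is available:

```hcl
terraform {
  # Pin Terraform to a patch release that carries the new HashiCorp
  # signing key (HCSEC-2021-12). "~> 0.15.1" accepts 0.15.1 and later
  # 0.15.x releases and rejects 0.15.0 and 0.16.
  required_version = "~> 0.15.1"

  # Provider names and versions below are assumptions for this example.
  required_providers {
    aws = {
      source = "hashicorp/aws"
      # Exact pin: terraform init will only ever select this release, so a
      # release published after the key rotation cannot be pulled in
      # without an explicit edit to this constraint. The weak form to
      # avoid is an open-ended ">= 3.0", which lets init pick the newest
      # release each time the cache is empty.
      version = "= 3.37.0"
    }
    random = {
      source = "hashicorp/random"
      # Pessimistic pin: allows 3.1.x patch releases but not 3.2.
      version = "~> 3.1.0"
    }
  }
}

provider "aws" {
  region = "eu-west-2" # assumed region for the example
}

resource "random_id" "suffix" {
  byte_length = 4
}
```

Two caveats. First, pinning a provider only helps on an unpatched Terraform if the pinned release was itself signed with the old key; pinning to a release signed with the new key still fails, and the real fix remains the required_version bump. Second, on Terraform 0.12 the required_providers block cannot carry a source address, so the provider constraint goes in the provider block's version argument instead. From 0.14 onwards terraform init also writes .terraform.lock.hcl, recording the selected provider versions and their hashes; commit that file and later runs will keep the same provider releases until you deliberately run terraform init -upgrade.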

Also at The Scale Factory, we updated the PGP trust anchors for the HashiCorp Downloader tool hcdl.

Already using Terraform for infrastructure-as-code, or keen to understand the implications? Get in touch with The Scale Factory for help and advice.