Good afternoon. My name is Martiz Reed. I'm actually a professional, what am I? I'm a step two. I'm a principal field solutions developer at Puppet. I primarily deal with enablement, both internally and externally. We're gonna walk through using Terraform safely. There are a couple of ways to find me: LinkedIn, Twitter, GitHub. I did this talk in Indianapolis not too long ago and haven't actually gone to check my GitHub to make sure that Terraform is being used there safely.

So what is Terraform? It's typically referred to as infrastructure as code, but essentially it's declaring infrastructure, or those resources themselves, through code. There are a number of popular tools out there. Some are specific to a particular public cloud, some aren't. Terraform itself is written in Go, configurations are declared in the HCL language, and Terraform resources themselves are pretty declarative, as you can see on the screen, in terms of what they do. So this was to make sure we've all kind of level set.

Terraform modules themselves are essentially, for those that have a development background, libraries, or a collection of resources that are grouped together. Oftentimes you would use this to provide a higher level of abstraction for a resource that you commonly use. In terms of Terraform modules, there are 100-plus on the Terraform registry, and then there are 4,400-ish, probably more than that now, on GitHub. So this kind of sets the context for what I'm gonna talk about as it relates to Terraform modules. Simply put, with Terraform modules, especially those that are publicly available, people will pull them down to get that speed. The challenge is that this often conflicts with actual security, as we'll see, because this is something created by the public.
So this is an example of a Vault module that is available on the Terraform registry. It's not meant to disparage the module itself, but it is created in such a manner that it is easy to consume but has issues with its security, in terms of allowing access to SSH and other things publicly, world readable. And then you can imagine this when you start to integrate with Jenkins or ELK or Memcache: actually pulling down these modules just for regular consumption can create issues. So I propose kind of a vetting process, as with most any external library: actually develop a formal process, understand the technology (that's kind of the biggest one for me), and then also keep up with changes to the module itself so that you're not pulling in something that doesn't actually make sense.

Now, as we step into how Terraform handles secrets, this is one of the challenges I've realized some people have when they first start with Terraform. You see a module or resource that says, hey, create a private key with Terraform. And then if you actually read the fine print, it says essentially that Terraform doesn't really do a good job of handling sensitive information; you can create those resources, but you really need to be careful. And so this is kind of one of those first gotchas that people often run into. So this is the example of the actual output when I go to create the Terraform resources: it spits out my private key, which, for those that have used Terraform for a while, yeah, this is what we expect. This is what Terraform is going to do. It doesn't really do a great job of handling that. But you get issues like this where somebody that's new to Terraform reports an issue that says, hey, the private key is in the state file, what's up with that? But then it's like, well, that's how Terraform works.
And so as you walk through this flow, this is where some of the challenges come in. People often use a tool like Jenkins to deploy their infrastructure. So one of the first things is making sure that your state file is actually encrypted in some sort of manner. Then it's like, yes, the state file is encrypted, we're ready to go. But what about the Jenkins console output? Is the private key showing in the console output? Is that something that we also need to protect? Yes. So how do we go about addressing that and make sure it's not showing in the console output? And then additionally, you step past the console output. In the case of Jenkins, maybe those logs are also getting shipped to a tool like Splunk. So now we have to make sure that's protected too, or potentially redacted. So you go down this potentially endless cycle if you're not aware of how it actually works.

There are actually a number of open source projects out there that aim to try and address this issue. I haven't tested any of these myself; they are just here for information purposes, but it's an issue that the community is trying to address in some sort of manner. But the thing is, there's really no perfect solution. Some people leverage some sort of replacement, but I would argue that knowledge is power and knowing is half the battle, sort of G.I. Joe. So now you have this information, for those that are new to Terraform, and have an idea. My name is Martes Reed. Hopefully this was helpful. There are a lot of different ways to find me: LinkedIn, Twitter, GitHub. Thank you.
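As an added example to go with the talk's point about private keys leaking into the state file and the CI console output (this is example code written for this page, not the speaker's own tooling or any of the open source projects he mentions), the script below does the two checks a practitioner would want in a Jenkins or similar pipeline: it scans a Terraform state file (JSON, schema version 4 layout) for instance attributes that hold private key material or secret-like names, and it redacts PEM private key blocks from console output before it is archived or shipped to a log tool. The console output and state document are constructed samples embedded inline with placeholder key bytes; the attribute-name pattern and the redaction marker are my own choices, not Terraform's.

```python
"""Catch private keys in Terraform state and redact them from CI console output.

Constructed example: the state document and console text below are made up
to look like what `terraform apply` produces for a tls_private_key resource.
The key material is a placeholder, not a real key.
"""
import json
import re

# Constructed sample of console output from a `terraform apply` run in CI.
SAMPLE_CONSOLE_OUTPUT = """tls_private_key.vault: Creating...
tls_private_key.vault: Creation complete after 1s [id=abc123]

Apply complete! Resources: 1 added, 0 changed, 0 destroyed.

Outputs:

private_key_pem = -----BEGIN RSA PRIVATE KEY-----
MIIEpAIBAAKCAQEAplaceholderplaceholderplaceholder
-----END RSA PRIVATE KEY-----
"""

# Constructed sample terraform.tfstate using the schema version 4 layout.
SAMPLE_STATE = {
    "version": 4,
    "terraform_version": "0.12.0",
    "resources": [
        {
            "mode": "managed",
            "type": "tls_private_key",
            "name": "vault",
            "provider": "provider.tls",
            "instances": [{
                "schema_version": 0,
                "attributes": {
                    "algorithm": "RSA",
                    "id": "abc123",
                    "private_key_pem": "-----BEGIN RSA PRIVATE KEY-----\n"
                                       "MIIEpAIBAAKCAQEAplaceholder\n"
                                       "-----END RSA PRIVATE KEY-----\n",
                    "public_key_openssh": "ssh-rsa AAAAB3placeholder",
                    "rsa_bits": 4096,
                },
            }],
        },
        {
            "mode": "managed",
            "type": "aws_security_group",
            "name": "vault",
            "provider": "provider.aws",
            "instances": [{
                "schema_version": 1,
                "attributes": {"id": "sg-0123456789abcdef0", "name": "vault"},
            }],
        },
    ],
}

# Matches any PEM private key block (RSA, EC, OPENSSH, unlabelled PKCS#8).
PEM_PRIVATE_KEY_RE = re.compile(
    r"-----BEGIN [A-Z ]*PRIVATE KEY-----.*?-----END [A-Z ]*PRIVATE KEY-----",
    re.DOTALL,
)

# Attribute names that usually carry secrets (assumption: tune per provider).
SECRET_ATTRIBUTE_RE = re.compile(r"private_key|password|secret", re.IGNORECASE)

REDACTION_MARKER = "[REDACTED PRIVATE KEY]"


def redact_private_keys(text):
    """Replace every PEM private key block; return (redacted_text, count)."""
    return PEM_PRIVATE_KEY_RE.subn(REDACTION_MARKER, text)


def find_secrets_in_state(state):
    """Return 'type.name.attribute' for each state attribute holding a secret.

    An attribute is flagged if its value contains a PEM private key block or
    its name matches SECRET_ATTRIBUTE_RE.
    """
    findings = []
    for resource in state.get("resources", []):
        address = resource["type"] + "." + resource["name"]
        if resource.get("module"):
            address = resource["module"] + "." + address
        for instance in resource.get("instances", []):
            for attr, value in instance.get("attributes", {}).items():
                is_pem = isinstance(value, str) and PEM_PRIVATE_KEY_RE.search(value)
                if is_pem or SECRET_ATTRIBUTE_RE.search(attr):
                    findings.append(address + "." + attr)
    return findings


if __name__ == "__main__":
    # Stand-alone run over the constructed samples; a real pipeline would read
    # terraform.tfstate and the captured console log from disk instead.
    print("secrets in state:", find_secrets_in_state(SAMPLE_STATE))
    redacted, count = redact_private_keys(SAMPLE_CONSOLE_OUTPUT)
    print("redacted %d key block(s):" % count)
    print(redacted)
```

In a pipeline you would run the state check after `terraform apply` and fail the job, or at least alert, when it returns anything, and pipe the console log through the redaction step before it is archived or forwarded to Splunk. The redaction only hides the key in the logs; as the talk says, the key is still in the state file, so encrypting and access-controlling the state backend is still required.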