|
1 | | -# Best Practices for Coder Security |
| 1 | +# Security - best practices |
2 | 2 |
|
3 | | -December 30, 2024 |
| 3 | +December 17, 2024 |
4 | 4 |
|
5 | 5 | --- |
6 | 6 |
|
7 | | -This best practices guide is separated into parts to help you secure your Coder |
8 | | -deployment through understanding each threat model, hardening authentication, |
9 | | -and encryption. |
| 7 | +This best practices guide is separated into parts to help you secure aspects of |
| 8 | +your Coder deployment. |
| 9 | + |
| 10 | +Each section briefly introduces each threat model, then suggests steps or |
| 11 | +concepts to help implement security improvements such as authentication and |
| 12 | +encryption. |
10 | 13 |
|
11 | 14 | As with any security guide, the steps and suggestions outlined in this document |
12 | 15 | are not meant to be exhaustive and do not offer any guarantee. |
@@ -277,16 +280,17 @@ in `.tfvars` or other files uploaded with the template. |
277 | 280 | Instead do one of the following: |
278 | 281 |
|
279 | 282 | - Store secrets in a central secrets manager. |
280 | | -- Access the secrets at build time via a Terraform provider. |
281 | 283 |
|
282 | | - This can be through |
283 | | - [Vault](https://registry.terraform.io/providers/hashicorp/vault/latest/docs) |
284 | | - or |
285 | | - [AWS Secrets Manager](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/secretsmanager_secret). |
| 284 | + - Access the secrets at build time via a Terraform provider. |
| 285 | + |
| 286 | + This can be through |
| 287 | + [Vault](https://registry.terraform.io/providers/hashicorp/vault/latest/docs) |
| 288 | + or |
| 289 | + [AWS Secrets Manager](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/secretsmanager_secret). |
286 | 290 |
|
287 | 291 | - Place secrets in `TF_VAR_*` environment variables. |
288 | | -- Provide the secrets to the relevant Provisioner Daemons and access them via |
289 | | - Terraform variables with `sensitive = true`. |
| 292 | + - Provide the secrets to the relevant Provisioner Daemons and access them via |
| 293 | + Terraform variables with `sensitive = true`. |
290 | 294 | - Use Coder parameters to accept secrets from end users at build time. |
291 | 295 |
|
292 | 296 | Coder does not attempt to obscure the contents of template files from users |
|
0 commit comments