|
1 |
| -# Best Practices for Coder Security |
| 1 | +# Security - best practices |
2 | 2 |
|
3 |
| -December 30, 2024 |
| 3 | +December 17, 2024 |
4 | 4 |
|
5 | 5 | ---
|
6 | 6 |
|
7 |
| -This best practices guide is separated into parts to help you secure your Coder |
8 |
| -deployment through understanding each threat model, hardening authentication, |
9 |
| -and encryption. |
| 7 | +This best practices guide is separated into parts to help you secure aspects of |
| 8 | +your Coder deployment. |
| 9 | + |
| 10 | +Each section briefly introduces each threat model, then suggests steps or |
| 11 | +concepts to help implement security improvements such as authentication and |
| 12 | +encryption. |
10 | 13 |
|
11 | 14 | As with any security guide, the steps and suggestions outlined in this document
|
12 | 15 | are not meant to be exhaustive and do not offer any guarantee.
|
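Review bot: The date on the added line 3 moves backward, from "December 30, 2024" to "December 17, 2024"; if this line is a last-updated stamp, it should not go earlier than the value it replaces, so please confirm which date is intended. On added line 10, "Each section briefly introduces each threat model" repeats "each" and reads as if every section covers every threat model; "Each section briefly introduces its threat model" would match the intent. The new text at lines 10-12 also presents authentication and encryption as examples ("such as") where the removed text listed them as the guide's parts, so check that the section list still matches what the introduction promises.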
@@ -277,16 +280,17 @@ in `.tfvars` or other files uploaded with the template.
|
277 | 280 | Instead do one of the following:
|
278 | 281 |
|
279 | 282 | - Store secrets in a central secrets manager.
|
280 |
| -- Access the secrets at build time via a Terraform provider. |
281 | 283 |
|
282 |
| - This can be through |
283 |
| - [Vault](https://registry.terraform.io/providers/hashicorp/vault/latest/docs) |
284 |
| - or |
285 |
| - [AWS Secrets Manager](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/secretsmanager_secret). |
| 284 | + - Access the secrets at build time via a Terraform provider. |
| 285 | + |
| 286 | + This can be through |
| 287 | + [Vault](https://registry.terraform.io/providers/hashicorp/vault/latest/docs) |
| 288 | + or |
| 289 | + [AWS Secrets Manager](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/secretsmanager_secret). |
286 | 290 |
|
287 | 291 | - Place secrets in `TF_VAR_*` environment variables.
|
288 |
| -- Provide the secrets to the relevant Provisioner Daemons and access them via |
289 |
| - Terraform variables with `sensitive = true`. |
| 292 | + - Provide the secrets to the relevant Provisioner Daemons and access them via |
| 293 | + Terraform variables with `sensitive = true`. |
290 | 294 | - Use Coder parameters to accept secrets from end users at build time.
|
291 | 295 |
|
292 | 296 | Coder does not attempt to obscure the contents of template files from users
|
|
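Review bot: The two newly nested bullets are spaced differently. The one at new line 284 is separated from its parent ("Store secrets in a central secrets manager.") by the blank line 283 and has a blank line 285 before its continuation paragraph, while the one at new line 292 follows "Place secrets in `TF_VAR_*` environment variables." directly and is followed immediately by the next top-level bullet at line 294. Markdown renderers treat lists with and without blank lines between items differently, so the two sub-items may render with different spacing; use the same blank-line pattern for both. It is also worth checking the rendered page to confirm that "Use Coder parameters to accept secrets from end users at build time." still displays as a top-level option and not as part of the `TF_VAR_*` item.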