IaCM Security
Harness IaCM integrates robust security measures to safeguard your infrastructure state. It leverages the Harness Platform's functionalities, including Authentication, Role-Based Access Control (RBAC), Resource Groups, Pipelines, Audit Trail, Connectors, Secrets, and Licensing. These measures adhere to the stringent security protocols outlined in the Security section. For Infrastructure as Code Management (IaCM), Harness IaCM ensures:
- Data encryption in transit using TLS 1.3.
- Data encryption at rest with AES 256.
- Regular security testing and vulnerability scanning.
- Logical and physical data segmentation.
Common Security Concerns
Harness protects customer infrastructure and data through rigorous security measures. Access to systems is restricted to authorized employees using secure connections, with all activities logged and reviewed regularly. State files and sensitive information are safeguarded with strong encryption (TLS 1.3 and AES 256) and controlled access. Customers can further enhance security by integrating their identity provider and setting IP allowlists.
During the planning and execution phases, Harness ensures compliance by checking changes against organizational policies and detecting any tampering with state files before execution. These measures maintain a secure and compliant environment for managing infrastructure changes.
The operational model flow comprises three components:
- Defined backend
- Pipeline Execution Environment
- Harness Cloud: IaCM
All executed commands honor your defined backend, which determines where your infrastructure state is stored and how Terraform and Tofu operations such as apply or destroy are executed.
If no plan file is specified, IaCM will apply its own backend implicitly.
In your pipeline environment, IaCM ensures that all Terraform or Tofu commands operate within a controlled and secure framework, handling:
- Workspace and Configuration Setup:
  - Harness IaCM retrieves the workspace configuration and associated files, including dependent IaC modules specified in your settings.
- Variable and Secret Integration:
  - Variables and secret values defined in your workspace are collected and resolved, adhering to Harness Platform security protocols.
- Execution Preparation:
  - All relevant configuration files and dependent modules are cloned into the pipeline environment. Secrets are integrated to facilitate interaction with your IaC-managed resources.
  - IaC applications are pulled to your environment just in time for execution, ensuring that the most up-to-date configurations are applied.
- Data Management:
  - A read-only copy of essential files, such as the plan and state files, is uploaded to Harness Cloud to enable IaCM functionalities.
IaCM runs Terraform/Tofu commands exclusively within the pipeline environment. When using an external backend, IaCM accesses it solely with the credentials provided within the pipeline.
IaCM/Harness Cloud upholds the same rigorous security standards as the rest of the Harness Platform, as listed above. The plan step executes against your defined backend to estimate costs and validate your plan against policies. Once validated, the plan is securely stored in Harness Cloud.
For data storage, summary information about workspaces and executions is aggregated in a secure database for easy access. State and plan files are kept in Google Cloud Storage (GCS) and are available for real-time processing, with a single bucket per customer account.
Operational model
The following diagram highlights the operational model flow and operations carried out at each stage.
Operational model flow steps:
- The plan command honors the defined backend and operates with that alone.
- A copy of the plan is passed to provide cost estimation data.
- A copy of the plan is passed to enforce implicit policies set on the Plan File entity.
- IaCM stores a copy of the plan to provide pipeline and historical information on what has changed.
- The apply/destroy command honors the defined backend and operates with that alone.
- A copy of the state is passed to enforce implicit policies set on the State File entity.
- IaCM stores a copy of the state file to ensure historic state tracking, resource views, etc., in the UI.
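As an added illustration of the two gates the flow above describes (a policy check on the plan copy, and a check that the state file was not tampered with between plan and apply), here is example code that is not part of Harness IaCM. It assumes the plan is in the JSON shape produced by `terraform show -json`, a hypothetical organisational policy that protects certain resource types from destruction, and a SHA-256 digest of the state recorded at plan time; the sample plans and state are constructed inline.

```python
import hashlib
import json

# Constructed sample plans in the shape of `terraform show -json <planfile>`
# output (only the fields used here); not Harness artifacts.
DESTRUCTIVE_PLAN_JSON = json.dumps({
    "format_version": "1.2",
    "resource_changes": [
        {"address": "aws_s3_bucket.logs", "type": "aws_s3_bucket",
         "change": {"actions": ["update"]}},
        {"address": "aws_db_instance.main", "type": "aws_db_instance",
         "change": {"actions": ["delete", "create"]}},  # replacement
    ],
})
CLEAN_PLAN_JSON = json.dumps({
    "format_version": "1.2",
    "resource_changes": [
        {"address": "aws_s3_bucket.logs", "type": "aws_s3_bucket",
         "change": {"actions": ["update"]}},
    ],
})

# Hypothetical organisational policy: resource types an automated pipeline
# must never destroy or replace.
PROTECTED_TYPES = {"aws_db_instance", "aws_s3_bucket"}


def plan_policy_violations(plan_json: str) -> list[str]:
    """Return addresses whose planned actions would delete a protected resource."""
    plan = json.loads(plan_json)
    violations = []
    for rc in plan.get("resource_changes", []):
        actions = set(rc["change"]["actions"])
        if rc["type"] in PROTECTED_TYPES and "delete" in actions:
            violations.append(rc["address"])
    return violations


def state_digest(state_bytes: bytes) -> str:
    """SHA-256 of the state file bytes, recorded when the plan is produced."""
    return hashlib.sha256(state_bytes).hexdigest()


def apply_allowed(plan_json: str, expected_digest: str, state_now: bytes) -> tuple[bool, str]:
    """Gate before apply: refuse on a policy violation or if the state changed since plan."""
    violations = plan_policy_violations(plan_json)
    if violations:
        return False, "policy violation: " + ", ".join(violations)
    if state_digest(state_now) != expected_digest:
        return False, "state file changed since the plan was produced"
    return True, "ok"
```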