Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add optional "signature" field for digitalocean_custom_image resources #1130

Open
Tythos opened this issue Mar 18, 2024 · 0 comments
Open

Add optional "signature" field for digitalocean_custom_image resources #1130

Tythos opened this issue Mar 18, 2024 · 0 comments
Labels
do-api Depends on changes to the DigitalOcean API

Comments

@Tythos
Copy link

Tythos commented Mar 18, 2024

Is your feature request related to a problem? Please describe.

Referencing custom images via URL is inherently insecure; a mechanism is needed to verify such network.

Describe the solution you'd like

Adding an optional "signature" field would let developers encode verification within their deployment.

Describe alternatives you've considered

One alternative might be to virtualize (or containerize) the desired runtime environment within an existing image, where (for example) cloud-init could be used to do so procedurally and with a step for verifying that reference before it is initialized. This does, however, compromise the potential advantages of performance and reduction in resource overhead from minimizing system abstraction layers.

Another alternative is to upload (or manage) the image using a spaces bucket, for which credentials would be shared internally between Terraform resources. (This is the approach I am currently exploring, but I think you'll agree it's a little more onerous than would be ideal.)

Another alternative that just occurred to me is, to manually upload the image using the DigitalOcean API via curl command (see: https://docs.digitalocean.com/products/images/custom-images/how-to/upload/ ); automation-friendly solutions are definitely advantageous here, though hardly idea when custom images resources are already supported by the Terraform provider.

Additional context

AWS and Azure both have mechanisms to verify custom image integrity:

https://docs.aws.amazon.com/signer/latest/developerguide/image-verification.html

https://learn.microsoft.com/en-us/azure/aks/image-integrity?tabs=azure-cli

GCP does not, to the best of my knowledge (and quick-searching).

@andrewsomething andrewsomething added the do-api Depends on changes to the DigitalOcean API label Mar 19, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
do-api Depends on changes to the DigitalOcean API
Projects
None yet
Development

No branches or pull requests

2 participants