Best practices for securing the Schematics objects
IBM Cloud® Schematics uses open source projects, including Terraform, Ansible, Red Hat OpenShift on IBM Cloud, Operators, and Helm, delivered to you as a managed service. Rather than installing each open source project on your local system and learning its API or CLI, you declare the tasks that you want to run in IBM Cloud® and watch Schematics run these tasks for you.
Take time to review the suggested practices to reduce the security risks for all production, staging, and test servers in your cloud infrastructure. This list is an excellent starting point to increase the security of your cloud infrastructure.
Best practices for creating Terraform Templates or modules in Git repositories
What are the best practices that you must follow when you develop Terraform templates and publish them in Git repositories?
Follow these practices when you develop and publish a Terraform template in a Git repository.
- Create the Terraform template by using Terraform version 1.4 or higher and the current IBM Cloud provider.
- Create environment variables for all your credentials.
- Check that pre-commit hooks run to verify that your code meets Terraform standards; see the sample repository that contains a pre-commit hook.
- Check that your repository uses the Terratest framework to validate the Terraform resources and data sources that it provisions; see the sample validated Terraform repository that runs Terratest.
- Check that your repository contains a `.gitignore` file so that files that are not tracked by Git remain untracked.
- Add a license file for your template.
- Do not set your sensitive variables as defaults in the configuration files.
- Mark your secured variables and outputs as sensitive.
- Check that your script executions do not take more than 60 minutes when your template uses null resources to provision or configure your resources.
- Use only the allowlisted file extensions in your repository.
Can you create `tfvars` files with the IBM Cloud® provider templates?
A `tfvars` file is a local variables file that you can use to store sensitive information, such as your IBM Cloud API key or classic infrastructure user name, when you use Terraform. However, to keep your variable data secure, you cannot provide a `tfvars` file in Schematics.
How can Terraform developers ensure that sensitive data is not leaked in the log files?
Developers need to mark the variable or output parameter as sensitive to ensure that its value is not leaked in the log files.
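The checklist above and the two answers that follow it, shown as an added example (this is not code from the IBM documentation or from any sample repository it links): a minimal template that pins the Terraform version, takes credentials only through sensitive variables with no defaults, keeps the `null_resource` work inside the 60-minute job limit, and marks derived secrets as sensitive outputs. The resource names, the provider version floors, the `./scripts/configure.sh` script, and the availability of coreutils `timeout` in the runner image are assumptions.

```hcl
# Added example; not from the IBM documentation. Names and versions are assumptions.
terraform {
  required_version = ">= 1.4"            # Schematics expects 1.4 or higher
  required_providers {
    ibm = {
      source  = "IBM-Cloud/ibm"
      version = ">= 1.60.0"              # assumed floor; pin to the version you test with
    }
    random = {
      source  = "hashicorp/random"
      version = ">= 3.5.0"
    }
  }
}

# Credentials enter only through variables that have NO default.
# Locally: export TF_VAR_ibmcloud_api_key=...   In Schematics: a secure workspace variable.
# Never commit a tfvars file with these values.
variable "ibmcloud_api_key" {
  type        = string
  description = "IBM Cloud API key used by the provider"
  sensitive   = true
}

# Non-secret settings may carry defaults.
variable "region" {
  type        = string
  description = "Region to deploy into"
  default     = "us-south"
}

provider "ibm" {
  ibmcloud_api_key = var.ibmcloud_api_key
  region           = var.region
}

resource "ibm_is_vpc" "example" {
  name = "example-vpc"
}

# A generated secret that must never appear in plan or apply logs.
resource "random_password" "db_admin" {
  length  = 24
  special = true
}

# Work done through null_resource must finish within the 60-minute Schematics job limit.
# `timeout 50m` is an added guard (coreutils), not a Schematics feature.
# The password goes through the environment, not the command line, so it is not
# echoed in the provisioner's logged command.
resource "null_resource" "configure" {
  triggers = {
    vpc_id = ibm_is_vpc.example.id
  }

  provisioner "local-exec" {
    command = "timeout 50m ./scripts/configure.sh '${ibm_is_vpc.example.id}'"
    environment = {
      DB_ADMIN_PASSWORD = random_password.db_admin.result
    }
  }
}

output "vpc_id" {
  value = ibm_is_vpc.example.id
}

# Marked sensitive so Schematics logs and `terraform output` redact it.
output "db_admin_password" {
  value     = random_password.db_admin.result
  sensitive = true
}
```

Pair the template with a `.gitignore` that lists `*.tfvars`, `.terraform/`, and `*.tfstate*`, so that a local variables file or state file created while testing cannot be committed by accident. The same `sensitive = true` markers answer the question repeated in the workspace section below about keeping secrets out of logs and outputs.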
Best practices of managing Schematics workspaces
What are the best practices that you must follow in creating a workspace for the Terraform template?
Follow these practices in creating a workspace for the Terraform template.
- Check that you have the permissions to create a workspace.
- Check that the location and the URL endpoint point to the same region when you create or update the Schematics workspace. For more information about location and endpoint, see Where is the information stored?
- Decide whether you want to delete the workspace, destroy the associated cloud resources, or both. This job cannot be undone. If you remove the workspace but keep the cloud resources, you need to manage the resources from the resource list or the CLI.
- Do not use one workspace to manage an entire staging or production environment. When you deploy all your IBM Cloud resources into a single workspace, it becomes difficult for different teams to coordinate updates and manage access for these resources.
How can you ensure that the sensitive data used by the Terraform automation does not leak in the logs or outputs?
You need to mark the variable or output parameter as sensitive to make sure that its value is not leaked in the logs or outputs.
How can you protect access to workspaces and their data?
As the account owner or an authorized account administrator, you can assign IBM Cloud® Identity and Access Management (IAM) service access roles to your users. The IAM service access roles determine the actions that you can set on an IBM Cloud Schematics resource, such as a workspace or an action. To avoid assigning access policies to individual users, consider creating IAM access groups.
Where your workspace and action data is stored depends on the location that you select when you create the workspace or action. For more information, see securing your data in Schematics.
How do you protect the workspace data, such as the Terraform state file and log files?
Follow these practices to protect your workspace data, including the Terraform state file and log files.
- Use Cloud Identity and Access Management to control access to a Schematics workspace, and related IBM Cloud resources.
- Secure the source repository for your Terraform template, including access control, security settings, collaboration, and version control.
- Secure the IBM Cloud resources that you create by using the security features that are provided by the resource offering.
- Use the provided tools of your IBM Cloud resources to apply security fixes, access controls, and encryption to your resources.
You need to assign the appropriate roles and permissions to any user who controls the state file. For more information about Schematics service access roles and permissions, see Workspace permissions and KMS permissions.
Best practices of managing Schematics actions
What are the best practices that you must follow in creating an action for the Ansible template?
Follow these practices in creating a Schematics action for the Ansible template.
- Check that the location and the URL endpoint point to the same region when you create or update the Schematics action. For more information about location and endpoint, see Where is the information stored?
- You cannot delete or stop a running job of your Schematics action. Wait for the job to complete, then change your settings and click Check action or Run action again.
- As the account owner or an authorized account administrator, you can assign IAM service access roles to your users. The IAM service access roles determine the actions that a user can perform on an IBM Cloud Schematics resource, such as a workspace or an action. To avoid assigning access policies to individual users, consider creating IAM access groups.
How can you protect access to actions and their data?
As the account owner or an authorized account administrator, you can assign IAM service access roles to your users. The IAM service access roles determine the actions that you can set on an IBM Cloud Schematics resource, such as a workspace or an action. To avoid assigning access policies to individual users, consider creating IAM access groups.
Where your workspace and action data is stored depends on the location that you select when you create the workspace or action. For more information, see securing your data in Schematics.
How do you protect the action data, such as input credentials, the state file, and log files?
Follow these practices to protect your action data, including input credentials, the state file, and log files.
- Use Cloud Identity and Access Management to control access to a Schematics action.
- Secure the source repository of your Ansible template, including access control, security settings, collaboration, and version control.
- Use the provided tools of your IBM Cloud resources to apply security fixes, access controls, and encryption to your resources.
- You need to assign the appropriate roles and permissions to any user who controls the state file. For more information about Schematics service access roles and permissions, see Action permissions and KMS permissions.
Protecting data of Schematics
You can protect Schematics data in the following ways.
- Access protection by using Cloud Identity and Access Management.
- Non-repudiation by using Activity Tracker.
- Data protection by using Key Management Systems (KMS).
Access protection by using Identity and Access Management
Create an IAM access group for your users and assign service access policies to IBM Cloud Schematics and the resources that you want your users to work with. IAM users are attached to access groups. For more information, see Setting up access for your users.
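The access-group approach described here (and in the workspace and action sections above), shown as an added example that is not from the IBM documentation: two access groups managed with the IBM Cloud Terraform provider, one read-only for reviewers and one for operators who run jobs, both scoped to a single region and resource group so that the Schematics policy does not reach into other environments. The group names, user IDs, region, and the `resource_group_id` variable are assumptions.

```hcl
# Added example; not from the IBM documentation. Names, IDs and members are assumptions.

variable "resource_group_id" {
  type        = string
  description = "ID of the resource group that holds the Schematics workspaces"
}

# Reviewers: may read workspaces, actions, plans and logs, but cannot run jobs.
resource "ibm_iam_access_group" "schematics_readers" {
  name        = "schematics-readers"
  description = "Read-only access to Schematics in one region and resource group"
}

# Viewer is the platform role needed to see the instance; Reader is the
# Schematics service access role. Both are scoped with the resources block.
resource "ibm_iam_access_group_policy" "schematics_readers" {
  access_group_id = ibm_iam_access_group.schematics_readers.id
  roles           = ["Viewer", "Reader"]

  resources {
    service           = "schematics"
    region            = "us-south"
    resource_group_id = var.resource_group_id
  }
}

resource "ibm_iam_access_group_members" "schematics_readers" {
  access_group_id = ibm_iam_access_group.schematics_readers.id
  ibm_ids         = ["alice@example.com"]
}

# Operators: may create, update and run workspaces and actions, which is
# what Manager grants. Keep this group small; it can read state and logs.
resource "ibm_iam_access_group" "schematics_operators" {
  name        = "schematics-operators"
  description = "Can run Schematics jobs in one region and resource group"
}

resource "ibm_iam_access_group_policy" "schematics_operators" {
  access_group_id = ibm_iam_access_group.schematics_operators.id
  roles           = ["Viewer", "Manager"]

  resources {
    service           = "schematics"
    region            = "us-south"
    resource_group_id = var.resource_group_id
  }
}

resource "ibm_iam_access_group_members" "schematics_operators" {
  access_group_id = ibm_iam_access_group.schematics_operators.id
  ibm_ids         = ["bob@example.com"]
}
```

Because the Schematics policies are scoped by `region` and `resource_group_id`, a reviewer in `schematics-readers` cannot see workspaces in another region or resource group even if they share the account. Grant Writer or Manager only to the operators group, and remember that anyone with Manager can read the state file and logs, so the sensitive-variable practices above still matter.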
Non-repudiation by using Activity tracker
You can use IBM Cloud® Activity Tracker to track and audit how users and applications interact with IBM Cloud Schematics. You can generate and maintain an audit trail of workspace events and access for a Schematics instance. For more information, see Auditing events.
Data protection by using KMS
You can safeguard and encrypt your information from corruption, compromise, or loss in Schematics by:
- KMS integration for BYOK or KYOK
- Managing data encryption
- Restrict network access to the resources that you provision by allowing only specific IP addresses.
Next steps
Check out the Schematics use cases.