Securing build artifacts publishing

Does anyone have experience with securely publishing build artifacts from users that can run the build pipeline?

We have a situation where we need to secure at least some of the data in a build artifact before it is sent to the release.

Any thoughts, blogs, or articles I can look into?

Don’t. There is no good way to secure the build artifact.

How do you deal with artifacts that have secrets or binaries that are sensitive?

Either encrypt them or upload them to a secure location.

Even then, have a way to rotate keys and secrets in case they leak.

Ideally the binary is installed somewhere where the identity it runs under has access to a keystore. That way you don’t need a config file with secrets.

Or have a binary with a template and only merge secrets in the deployment itself.

Can you describe your process a bit more?

We have a terraform build process that is used to control deployments in different systems including Azure. That planning pipeline outputs a full terraform script which contains everything needed to build the infrastructure which of course has keys in it.

We need people to be able to see the pipeline builds but not read the data in the artifacts.

We are thinking about using a blob storage or universal artifact feed with access control as a workaround, but I am open to hearing ideas.

It doesn’t need secrets in it… Those can be stored in a keyvault.

This is the pipeline that generates all the infrastructure.

Yeah… So have terraform generate secrets and store those in the keyvault. Then reference the keyvault as a data source.

Or prep the keyvault from the pipeline and have the infra pipeline reference it.

OK. Let me work with the engineer. We have a custom built system that sits on top of terraform which might be the source of our issue.

Ideally most connections are made internally using the service principal identity. That way you don’t need too many connection strings and passwords or tokens. But it’s hard to ban them all.

2nd best is to put them in keyvault and again leverage the identity to access the vault.

Last resort, put them in the keyvault and have terraform read the secrets from the keyvault as a data source.

Where possible, have terraform actually generate the secret and then put it in the vault, so basically nobody ever has to handle the secret manually.

Thanks for sharing your experience here - maybe a good topic for your next blog post 🙂

Yeah. I tend to hate the infra as code part. Don’t think I’ll be blogging about it soon.
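The pattern the thread converges on (Terraform generates the secret, stores it in Key Vault, and the infrastructure configuration reads it back as a data source instead of carrying it in a plan artifact), written out as an added example. This is not code from anyone in the thread; the resource group, region, vault name and secret name are assumptions, and the consumer section would normally live in the infra pipeline's own configuration rather than the same file.

```hcl
# Added example, not from the thread. Generate a secret in Terraform, store it in
# Azure Key Vault, and read it back via a data source. All names are assumptions.

terraform {
  required_providers {
    azurerm = { source = "hashicorp/azurerm" }
    random  = { source = "hashicorp/random" }
  }
}

provider "azurerm" {
  features {}
}

# Identity the pipeline runs under (service principal or managed identity).
data "azurerm_client_config" "current" {}

resource "azurerm_resource_group" "example" {
  name     = "rg-example"   # assumed
  location = "westeurope"   # assumed
}

resource "azurerm_key_vault" "example" {
  name                      = "kv-example-001"  # assumed; must be globally unique
  location                  = azurerm_resource_group.example.location
  resource_group_name       = azurerm_resource_group.example.name
  tenant_id                 = data.azurerm_client_config.current.tenant_id
  sku_name                  = "standard"
  # Access is granted by Azure RBAC to the pipeline identity, not by an
  # access-policy block with a human's object id in it.
  enable_rbac_authorization = true
}

# Stage 1 (prep pipeline): Terraform generates the secret, so no person ever
# types, sees or copies it into a pipeline variable.
resource "random_password" "db" {
  length  = 32
  special = true
}

resource "azurerm_key_vault_secret" "db_password" {
  name         = "db-password"
  value        = random_password.db.result
  key_vault_id = azurerm_key_vault.example.id
}

# Stage 2 (infra pipeline): reference the secret from the vault instead of
# baking it into the generated script. In practice this lives in the consuming
# configuration and looks the vault up by name.
data "azurerm_key_vault_secret" "db_password" {
  name         = azurerm_key_vault_secret.db_password.name
  key_vault_id = azurerm_key_vault.example.id
}

# sensitive = true redacts the value from plan/apply console output.
output "db_password" {
  value     = data.azurerm_key_vault_secret.db_password.value
  sensitive = true
}
```

One caveat that matters for the original question: `sensitive = true` only redacts console output. The plaintext of `random_password.db.result` and of the data-source value is still written to the Terraform state, and a saved plan file (`terraform plan -out=...`) also contains it. So moving secrets into Key Vault removes them from the generated script, but the state backend and any saved plan artifact still need the same access control the thread discusses for the blob store, and the rotation path should be exercised before it is needed.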