Dependency Cooldown in IaC, or The Value of Waiting
How the minimumReleaseAge Renovate configuration can save you pain.
Hey folks,
I wanted to share a quick tip for folks who rely on external TF modules and use Renovate to keep their IaC up to date.
The minimumReleaseAge setting is one config change that can save you a lot of pain. When the next supply chain attack comes for Terraform/OpenTofu modules, you'll be glad you used it.
It holds back update PRs until a release has existed for a period you choose (a duration such as "7 days"), and it can be set globally or narrowed to particular packages through packageRules. If a bad release ships and is pulled inside that window, Renovate never proposes it, so there is no PR for anyone to merge by mistake. One caveat: Renovate can only apply the hold when the datasource reports a release timestamp, so after enabling it, confirm it is actually in effect (held updates show up as pending on the Dependency Dashboard).
From the docs:
minimumReleaseAge is a feature that requires Renovate to wait for a specified amount of time before suggesting a dependency update.
The use of minimumReleaseAge is not to slow down fast releasing project updates, but to provide a means to reduce supply chain security risks.
In other ecosystems and package managers, this may be referred to as a "dependency cooldown".
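Here is what that looks like in a repository's Renovate config. This is an added example, not a config from the original post or from the Renovate docs: it sets a short global cooldown for everything, a longer one for Terraform/OpenTofu module blocks, and turns on the Dependency Dashboard so held updates are visible. The "7 days" and "3 days" values are assumptions to adjust for your own risk tolerance; the manager name (terraform) and depType (module) are Renovate's own identifiers for module blocks.

```json
{
  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
  "extends": ["config:recommended"],
  "dependencyDashboard": true,
  "minimumReleaseAge": "3 days",
  "packageRules": [
    {
      "description": "Cooldown for external Terraform/OpenTofu modules: wait 7 days before proposing a new module version so a malicious release that gets yanked quickly never reaches a PR",
      "matchManagers": ["terraform"],
      "matchDepTypes": ["module"],
      "minimumReleaseAge": "7 days"
    }
  ]
}
```

The top-level minimumReleaseAge is the baseline for every manager; the packageRules entry overrides it for module blocks only, which is where third-party code from outside your org is pulled in. Providers and other dependency types keep the shorter global window.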
Is waiting seven to fourteen days going to catch everything?
Nope.
But most malicious releases get noticed and pulled within hours or days of being published. A stabilization window of that length is cheap insurance: it costs you a little latency on updates and closes the part of the window where you would otherwise be merging a compromised release before anyone has flagged it. It does nothing for a compromise that sits undiscovered longer than the window, so keep pinning module versions (and git refs for git-sourced modules) as well, so a dependency cannot change out from under you between Renovate runs.
If you're using Renovate and haven't set this up yet, go do it today. If you aren’t using Renovate, look for a similar setting in whatever your tool of choice is.
If you are an OpenTofu user (which we advocate), never fear. The Masterpoint team opened a feature request in the OpenTofu repository to allow setting a minimum age for modules. There’s some good discussion on that issue. If you want one more tool to help protect against supply chain attacks, please go upvote and/or comment on the issue.
May your supply chain always be secure,
Matt @ Masterpoint
PS Are you interested in being on a devops-focused podcast? Reply to me with the topic you want to discuss and I’m happy to intro you to the right podcast. Or, if you want to chat about external TF module security, grab some time on my calendar here.