Epic Goal

• Enact a strategy to comply with license changes around Terraform and handle any CVEs that may arise (within Terraform) during the process of replacing Terraform.

Two major parts:

1. Get AWS off Terraform (for ROSA)
2. Strategy for all other platforms that stay on terraform

Why is this important?

• Hashicorp will continue to backport CVE fixes to MPL versions of Terraform through the end of 2023. After that period, we will not be able to address any CVEs within Terraform through upgrades. This epic provides a strategy to use until we can remove Terraform entirely from the product.

Scenarios

1. AWS: due to FedRamp compliance within ROSA, will need to fix any medium CVE–exploitable or not.
2. Backporting (see open questions)

Acceptance Criteria

• AWS platform must be able to fix all medium CVEs, regardless of whether they are exploitable
• All other platforms must be able to handle CVEs based on our normal practices
• ...

Dependencies (internal and external)

1. If we decide to produce a ROSA-specific build (as expected), ROSA and Hive will need to be able to consume a separate installer binary.

Previous Work (Optional):

Open questions::

1. Priority of backporting CVE fixes
2. Can we get more concrete about standards for fixing CVEs
3. What would managing our own Terraform fork entail
4. Can we remove the alibaba provider? This would be helpful to decrease vulnerabilities.

Done Checklist

• CI - CI is running, tests are automated and merged.
• Release Enablement <link to Feature Enablement Presentation>
• DEV - Upstream code and tests merged: <link to meaningful PR or GitHub Issue>
• DEV - Upstream documentation merged: <link to meaningful PR or GitHub Issue>
• DEV - Downstream build attached to advisory: <link to errata>
• QE - Test plans in Polarion: <link or reference to Polarion>
• QE - Automated tests merged: <link or reference to automated tests>
• DOC - Downstream documentation merged: <link to meaningful PR>