HashiCorp Cloud Platform
HCP Waypoint security model
This documentation explains the security model of HCP Vault Secrets. The product is built directly on top of HCP primitives, and is therefore an extension of HCP's Security Model.
Tip
For more information about the HCP platform, refer to the HCP documentation.
Key Concepts
The following information defines the key concepts and terms used for HCP Waypoint.
Templates and Applications
HCP Waypoint templates allow platform engineers to abstract and standardize application scaffolding for their developers. Developers can use these self-service templates to create and deploy their applications. These templates are backed by Terraform modules, and are provisioned in HCP Terraform when an app developer goes to create an application.
Add-ons
HCP Waypoint add-ons allow platform teams to define infrastructure resources as Terraform modules and make them available to application developers as dependencies for their applications. Developers can select add-ons which have been set up by their platform team to add to their HCP Waypoint managed applications as additional dependencies are required.
Actions
Platform teams can use HCP Waypoint actions to provide a push-button experience to enable day-two operations such as build promotions, rollbacks, and modifying feature flags. Platform teams can assign actions to a template so that when a developer creates an application using that template, those actions are automatically assigned to the application. Developers are provided with these self-service golden workflows designed by their platform teams. Additionally, actions can be parameterized such that values like request Headers can be defined with a security or authentication token to successfully make requests with, or can be used to adjust a specific value sent along with the action as a request parameter.
Agents
Platform teams can create “agent” type actions that use an HashiCorp Configuration Language (HCL) configuration file that contains action definitions and instructions for what the agent should do when developers run an action. Developers can use self-service agent type actions to trigger operations that may be running in a private environment.
Personas
The following information defines the key users, and how each of them use HCP Waypoint.
Platform Engineer
Platform Engineers create infrastructure and help bootstrap applications using templates, add-ons, and actions, which often include HCP Terraform modules, git repositories & config, and CI/CD setup. Platform engineers enable application developers to deploy their applications.
Application Developer
Application developers create new applications or services that leverage the platform infrastructure and templates created by platform engineers, without needing expertise in the underlying infrastructure.
Architecture
Some Waypoint resources and data sources can be managed and read through the HCP Terraform provider. For more information about authentication including specific security recommendations, please refer to the HCP Terraform provider documentation.
Similarly, the HCP CLI allows for some Waypoint resources and data to be managed as well. The HCP CLI supports a web browser login flow, or a non-interactive flow through the use of a service principal like the Terraform Provider. More information can be found in the HCP CLI documentation.
HCP Waypoint architecture overview diagram
The following diagram shows the flow of data in HCP Waypoint.
Threat model
HCP Waypoint is designed to help platform teams define golden patterns and workflows that developers can use to ship applications at scale.
Confidentiality and integrity of communication with Waypoint
All communications between clients and HCP Waypoint, as well as internal communication between HCP Waypoint and other HashiCorp services, including HCP Terraform, are encrypted using TLS.
Confidentiality of stored information
HCP Terraform tokens, Terraform output variables, and any variables used with Actions that are marked sensitive are encrypted using Vault Transit before saving the value in our database. In addition, the entire database and all database backups, logs, and snapshots are encrypted at rest.
Enforcement of authentication and authorization policies for data access and actions taken
HCP Waypoint enforces authorization checks for all actions taken through the UI, API, CLI, or Terraform Provider. Access to specific functionality can be restricted based on a user's role. Refer to the HCP Waypoint documentation for ore information about HCP Waypoint role-based access control. Refer to the HCP documentation for additional information about HCP's Identity and Access Management.
Reliability and availability of HCP Waypoint
The HCP Waypoint service is spread across multiple availability zones for reliability. Additionally, the database maintains read-only replicas that the primary will automatically fail over to in the event of a failure.
Additionally, we perform regular backups of the HCP Waypoint database to mitigate the risk of data loss and prepare for recovery in the event of a failure.
HCP Terraform threat model exclusions
Because of HCP Waypoint's inherent integration with HCP Terraform, the threat model considered for HCP Terraform also applies for HCP Waypoint. Users should familiarize themselves with the threat model and exclusions in the HCP Terraform architectural details.
Recommendations for secure use
We recommend the following best practices to securely operate HCP Waypoint.
Follow all HCP Terraform security recommendations
Users should ensure that they are following HCP Terraform best practices. Reference the HCP Terraform security model for these recommendations.
Follow all HCP security recommendations
Users should ensure that they are following all HCP best practices. Reference the HCP security overview for these recommendations.
Enforce strong authentication
HCP supports two factor authentication via SMS or TOTP. Organization admins may choose to configure SSO for their organization.
Generate minimally permissive HCP Terraform tokens
When generating tokens to use for connecting HCP Waypoint to HCP Terraform, users should ensure that those tokens grant the minimum permissions required for the members of their organization with access to only the necessary HCP Terraform project. An overly permissive token may allow members unintended privileges, such as viewing or managing private Terraform modules, and needs to be avoided. Reference the HCP Terraform token permissions for more information.