RE: Add support for Terraform Public Registry in ProGet (offline/air-gapped)

We have a similar setup to @mikael . While we do manually update some assets in ProGet, we also have automated processes using the ProGet Assets API. Between that, and tools such as Renovate/Dependabot it works okay.

I do agree with @mikael that proxying Terraform providers would not introduce risk. It actually helps reduce risk by ensuring the organization can be confident of which version of the providers are being used internally. Its many of the same reasons that organizations use ProGet in the first place. While I didn't mention it in my previous reply, the idea that "anyone can just upload whatever they'd like" is a major point of proxying things such as Terraform Providers. That's not likely to be open for all other teams to upload. It's quite likely, such as in our case, to be tightly controlled by a smaller team to validate what gets uploaded.

Again, I understand the balance of a specialized feed type over using the assets directory with complexity in mind. And that is something we, as a customer, do leverage with success. I just wanted to echo the thoughts @mikael as we may be in a similar environment.

As an existing customer, we haven't reached the point of considering doing IaC with ProGet ... yet. However, since it was brought up I do agree it would be helpful. Eventually we will likely make use of the existing APIs that are available. Such as the security apis, feed apis, and asset apis. Hopefully those are helpful to you @mikael.

The comment made about trying to rollback a feed that had been deleted and the original artifacts not being restored is true. However, that point is mostly irrelevant because the same exact situation occurs if one deletes the feed from the UI. One benefit of IaC in a situation like that is one of prevention. By utilizing IaC, we can engage an additional layer of review in configuration changes to tools such as ProGet. A review that is performed outside of ProGet at a textual level and informative of what is changing. While trusted administrators would be ultimately responsible, we are still human and make mistakes. IaC is a helper in reducing those mistakes and helpful in sharing knowledge of how things are configured.

To the point of IaC changes of permissions/users being more painful than the UI, that is entirely dependent upon the tool involved. We almost (again, human and making improvements) exclusively use IaC to apply permissions in our cloud resources. It works wonderfully and gives us clear indication of the config. Another benefit is we can give others outside of the admin side the ability to recommend actual changes to the permissions if need be. Responsible administrators can then review and potentially approve it or reject it with reasons. It provides a sense of shared ability within separate but closely operating teams. It also gives them easy, heavily reduced risk, read only access to the configuration.

Additionally, IaC helps from an auditing perspective immensely. The UI can be locked down to only a couple of emergency use administrators. Configuration changes being made soley via IaC gives a clear history, via git commit logs, of who made the change, what the change was and when it was implemented. While this can be done by streaming logs from tools such as ProGet to destinations like Splunk, it is incredibly useful to have that in the git history as well for teams to reference.

Admittedly these benefits are of most use to organizations with specific controls that must be adhered to. Either external regulatory requirements or by internal business security control decisions. Other organizations would not benefit from IaC of this nature.

I recognize and respect that there are no plans to do IaC of ProGet. That's a business and customer driven decision. However, it is hoped this adds positively to any other discussion of IaC configuration of ProGet.

We have a similar setup to @mikael . While we do manually update some assets in ProGet, we also have automated processes using the ProGet Assets API. Between that, and tools such as Renovate/Dependabot it works okay.

I do agree with @mikael that proxying Terraform providers would not introduce risk. It actually helps reduce risk by ensuring the organization can be confident of which version of the providers are being used internally. Its many of the same reasons that organizations use ProGet in the first place. While I didn't mention it in my previous reply, the idea that "anyone can just upload whatever they'd like" is a major point of proxying things such as Terraform Providers. That's not likely to be open for all other teams to upload. It's quite likely, such as in our case, to be tightly controlled by a smaller team to validate what gets uploaded.

Again, I understand the balance of a specialized feed type over using the assets directory with complexity in mind. And that is something we, as a customer, do leverage with success. I just wanted to echo the thoughts @mikael as we may be in a similar environment.

Thank you @atripp for looking into that a bit more, it is appreciated. If hosting Terraform providers in ProGet's assets would work I can see that being sufficient. We've done something like that with puppeteer's headless chrome browser where we set env vars to have the node package pull from ProGet rather than the internet. I'll keep that in mind as we consider Terraform and how we'd implement our internal security controls surrounding it.

We are considering the usage of Terraform internally. It hasn't happened yet as we are mostly in one specific hosting solution, and a few other internal reasons. That being said, this is a very pertinent discussion as we would be using ProGet to proxy all Terraform items, such as modules and providers. I echo what @mikael points out about proxying enabling a "controlled, repeatable, and compliant ... upstream". Its a primary reason we use products such as ProGet. While I would agree many other organizations would allow general internet access, those in governmental, medical and or financial industries would be far more likely to utilize proxying capabilities for those reasons.

Our servers that would run the Terraform plans would inherently be cutoff from general internet access. Especially cut off from github.com and similar domains given the broad nature of what is available within the github.com domain. Meaning a Terraform provider that required our servers to reach out to github would be extremely difficult to get past security's approval and would be far more welcome if made available in an internally controlled source, such as ProGet.

As an existing customer, we haven't reached the point of considering doing IaC with ProGet ... yet. However, since it was brought up I do agree it would be helpful. Eventually we will likely make use of the existing APIs that are available. Such as the security apis, feed apis, and asset apis. Hopefully those are helpful to you @mikael.

The comment made about trying to rollback a feed that had been deleted and the original artifacts not being restored is true. However, that point is mostly irrelevant because the same exact situation occurs if one deletes the feed from the UI. One benefit of IaC in a situation like that is one of prevention. By utilizing IaC, we can engage an additional layer of review in configuration changes to tools such as ProGet. A review that is performed outside of ProGet at a textual level and informative of what is changing. While trusted administrators would be ultimately responsible, we are still human and make mistakes. IaC is a helper in reducing those mistakes and helpful in sharing knowledge of how things are configured.

To the point of IaC changes of permissions/users being more painful than the UI, that is entirely dependent upon the tool involved. We almost (again, human and making improvements) exclusively use IaC to apply permissions in our cloud resources. It works wonderfully and gives us clear indication of the config. Another benefit is we can give others outside of the admin side the ability to recommend actual changes to the permissions if need be. Responsible administrators can then review and potentially approve it or reject it with reasons. It provides a sense of shared ability within separate but closely operating teams. It also gives them easy, heavily reduced risk, read only access to the configuration.

Additionally, IaC helps from an auditing perspective immensely. The UI can be locked down to only a couple of emergency use administrators. Configuration changes being made soley via IaC gives a clear history, via git commit logs, of who made the change, what the change was and when it was implemented. While this can be done by streaming logs from tools such as ProGet to destinations like Splunk, it is incredibly useful to have that in the git history as well for teams to reference.

Admittedly these benefits are of most use to organizations with specific controls that must be adhered to. Either external regulatory requirements or by internal business security control decisions. Other organizations would not benefit from IaC of this nature.

I recognize and respect that there are no plans to do IaC of ProGet. That's a business and customer driven decision. However, it is hoped this adds positively to any other discussion of IaC configuration of ProGet.

I agree the hostname aspect is problematic at times. We've seen that with npm lock files disrupting build processes because our build servers block access to the public npm registry.

Would you elaborate on what you meant by "Tags are not suitable for versioning."? As far I am aware, tags are the primary way to denote different versions of a container image. Yes, the 'latest' tag is a shortcut to the most recent build of an image. And as you mentioned, many users consider specific versioning to be important, we are one of those users. But if tags are not for versioning container images, what is?

Thank you, that did the trick.

Proget 2024.12

Can someone point me to documentation on what permission is needed for a user to gain access to the 'Projects & Builds' section of the 'Reporting & SCA' tab? Currently I have some that can see the 'Licenses' part but get a 403 when visiting the 'Projects & Builds' part.

Ahh, that was it. I explicitly enabled the license detection on that feed, reanalyzed it and noticed it found a license. That package and others are being reanalyzed and falling off that list. Thank you for that.

I believe this occurred due to some confusion in the UI. When I originally looked at the feed settings I saw this:

Which indicated to me the license detection was enabled. However when clicking 'change' that option was not ticked. Ticking that checkbox now shows the green checkmark with the same text and the rest of the license checking seems to be working as expected.

That initial text (screenshot from above) is very confusing. Because it literally says license detection enabled. Rather than 'License detection disabled', like the vulnerability detection says when it is disabled on some of our feeds. If it is possible to change that text to reflect the actual status I think that could be helpful to others.

Thank you Alana for your help it is greatly appreciated.

Thank you Alana,

That was very helpful. I appreciate it. I did query that PackageLicense23_Extended view for the 'Microsoft.Identity.Client'. It did show a lot of that package's versions having the MIT license associated with it. However it is in fact missing a record for the 4.66.0 version. Actually it is missing license records for anything after 4.63.0. I did click on 'Reanalyze Package' for the 4.66.0 version, but no change was seen in the UI or the database. I've pasted the results of the reanalysis if it may be of any help.

Package "pkg:nuget/Microsoft.Identity.Client@4.66.0" will analyzed with local data
Package originates from package gallery (https://api.nuget.org/v3/index.json); remote metadata will be used to determine latest patch version instead of local feed.
Attempting to update local package with remote metadata...
No Remote Metadata Provider was found for "https://api.nuget.org/v3/index.json"
Detecting vulnerabilities for "Microsoft.Identity.Client" version "4.66.0"...
Found 0 vulnerabilities.
Searching policies associated with feed "approved-nugets"...
Found 1 policy to use for analysis.
No policies define a latest patch, so latest patch will not be checked.

Here's the query I ran:

SELECT Package_Name,PackageType_Name,Package_Version,Title_Text,External_Id,License_Id FROM PackageLicenses_Extended WHERE Package_Name LIKE 'Microsoft.Identity.Client%' ORDER BY Package_Name,Package_Version

And here is part of the query results:

Microsoft.Identity.Client nuget 4.61.1 MIT License MIT 186
Microsoft.Identity.Client nuget 4.61.2 MIT License MIT 186
Microsoft.Identity.Client nuget 4.61.3 MIT License MIT 186
Microsoft.Identity.Client nuget 4.62.0 MIT License MIT 186
Microsoft.Identity.Client nuget 4.63.0 MIT License MIT 186
Microsoft.Identity.Client nuget 4.7.1 MIT License MIT 186

It almost looks as if ProGet is falling back to the last available license for the package. At the moment, the UI does appear to be consistent with the database data in part.

Would you have any recommendations on how to get the package license information properly updated in the database so the UI removes it from the unlicensed listing?

In Proget, we have a lot of packages that show up on the 'Unlicensed Local Packages' listing, but when we view most of them, the package states it has a known license. Is there some setting that is making this occur? For example:

Microsoft.Identity.Client 4.66.0

Is a nuget that is MIT licensed as noted on nuget.org. When I view the list of Unlicensed Local Packages, that package also shows up there. Clicking on that package and going to the metadata tab it shows 'SPDX Expression (MIT) Known type (MIT)' for license. We do not understand why this licensed package is showing up on the unlicensed listing. Why is this happening? And is there something we can do to correct it?

ProGet
Version 2024.12 (Build 10)