
encrypt terraform state #24

Open: wants to merge 2 commits into base: master

Conversation

siddarthkay
Contributor

@siddarthkay siddarthkay commented Jan 4, 2025

fixes: #2

Summary

  • This PR encrypts terraform state backup with a hash generated from CONSUL_HTTP_TOKEN
  • Adds a helper script to decrypt terraform state backup when needed.

@siddarthkay siddarthkay self-assigned this Jan 4, 2025
@siddarthkay siddarthkay requested review from jakubgs and a team January 6, 2025 08:39
@jakubgs
Member

jakubgs commented Jan 7, 2025

This is incorrect. We do need local backups of Terraform state. This is a disaster recovery measure.

This is about a scenario in which the Consul cluster is broken or unavailable, but you need to manage the state of our cloud resources using Terraform, for example to scale up. Without Consul that would not be doable, but with the backup available you could decrypt it and migrate to a local state to handle necessary changes even without Consul.

@siddarthkay siddarthkay marked this pull request as draft January 7, 2025 09:40
@siddarthkay
Contributor Author

Hmm, in that case I can encrypt the state backed up by Terraform with Consul's HTTP token.
I'll use this PR for that.

@siddarthkay siddarthkay force-pushed the do-not-backup-tf-state branch from 6068723 to aa3ccbe January 22, 2025 10:17
@siddarthkay siddarthkay changed the title from "terraform: don't backup tf state" to "encrypt terraform state" Jan 22, 2025
@siddarthkay siddarthkay marked this pull request as ready for review January 22, 2025 10:19
@siddarthkay siddarthkay requested a review from yakimant January 22, 2025 13:33

@jakubgs jakubgs left a comment


I tested it locally, works nicely. Two notes tho:

  • I would move the decryption script to infra-utils/ansible and just reference it since it should be rarely needed.
  • The ansible/README.md should be updated in the Inventory section to explain the encrypted backup and how to decrypt it.

if view_only:
    print(json.dumps(state, indent=2))
else:
    backup_path.write_text(json.dumps(state, indent=2))
Member

I would write the decrypted file to a new file, maybe terraform.tfstate.restored or something.

@siddarthkay
Contributor Author

@jakubgs : One thing I worry about is that if CONSUL_HTTP_TOKEN were ever to change, all backups encrypted with the old token would no longer decrypt with the new CONSUL_HTTP_TOKEN.
What should we do to handle such a situation?
Is a warning in the README enough, OR should we use another token dedicated to encrypting Terraform state?
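The following is an added, stdlib-only illustration of the design points raised in this thread; it is not the PR's script or code from the repository, and the file format, function names, PBKDF2 parameters and the 16-hex-character key id are all assumptions. It derives the key from CONSUL_HTTP_TOKEN with a KDF rather than a bare hash, authenticates the ciphertext, and stores a fingerprint of the token in the header so a backup made under a rotated token is reported explicitly instead of failing as an opaque MAC mismatch; the HMAC counter-mode keystream stands in for AES only so the example runs without third-party packages.

```python
import hashlib
import hmac
import json
import secrets

MAGIC = b"TFSTATE-ENC-v1"   # format marker (assumed) so a plain tfstate is never mistaken for a backup
KDF_ITERATIONS = 200_000    # PBKDF2 work factor (assumed); raise as hardware allows

def key_id(token: str) -> str:
    """Fingerprint stored in the header so a backup made under a previous CONSUL_HTTP_TOKEN
    fails with a clear 'token rotated' error instead of a bare MAC mismatch."""
    return hashlib.sha256(b"tfstate-backup-key-id:" + token.encode()).hexdigest()[:16]

def derive_keys(token: str, salt: bytes) -> tuple:
    """Stretch the token into separate encryption and MAC keys (assumption: PBKDF2-SHA256)."""
    km = hashlib.pbkdf2_hmac("sha256", token.encode(), salt, KDF_ITERATIONS, dklen=64)
    return km[:32], km[32:]

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode used as a PRF keystream; stdlib stand-in for AES."""
    blocks = (hmac.new(key, nonce + i.to_bytes(8, "big"), hashlib.sha256).digest()
              for i in range((length + 31) // 32))
    return b"".join(blocks)[:length]

def encrypt_state(state: dict, token: str) -> bytes:
    """Encrypt a Terraform state dict as header || ciphertext || HMAC tag (encrypt-then-MAC)."""
    salt, nonce = secrets.token_bytes(16), secrets.token_bytes(16)
    enc_key, mac_key = derive_keys(token, salt)
    plaintext = json.dumps(state, indent=2).encode()
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    header = MAGIC + key_id(token).encode() + salt + nonce
    tag = hmac.new(mac_key, header + ciphertext, hashlib.sha256).digest()
    return header + ciphertext + tag

def decrypt_state(blob: bytes, token: str) -> dict:
    """Reverse encrypt_state, refusing foreign input, a rotated token, or a tampered backup."""
    if not blob.startswith(MAGIC):
        raise ValueError("not an encrypted Terraform state backup")
    hdr_len = len(MAGIC) + 16 + 16 + 16          # magic, key id, salt, nonce
    header, ciphertext, tag = blob[:hdr_len], blob[hdr_len:-32], blob[-32:]
    stored_id = header[len(MAGIC):len(MAGIC) + 16].decode()
    if stored_id != key_id(token):
        raise ValueError(f"backup encrypted under key id {stored_id}, current token has key id "
                         f"{key_id(token)}: CONSUL_HTTP_TOKEN has rotated, use the old token")
    salt, nonce = header[-32:-16], header[-16:]
    enc_key, mac_key = derive_keys(token, salt)
    if not hmac.compare_digest(tag, hmac.new(mac_key, header + ciphertext, hashlib.sha256).digest()):
        raise ValueError("authentication tag mismatch: backup corrupted or tampered with")
    plaintext = bytes(c ^ k for c, k in zip(ciphertext, _keystream(enc_key, nonce, len(ciphertext))))
    return json.loads(plaintext)
```

Writing the decrypted output to a separate file such as terraform.tfstate.restored, as suggested above, keeps the encrypted backup intact for a second attempt.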

Successfully merging this pull request may close these issues.

Encrypt or disable Terraform state backup file
3 participants