Allow encryption of tfstate file #1421

Open
woodhull opened this issue Apr 8, 2015 · 9 comments
Comments

woodhull commented Apr 8, 2015

We currently have a wrapper Ruby script that decrypts the tfstate file before terraform apply runs and then encrypts the file after the run is complete.

We check the encrypted version into source control so the tfstate can be shared among the team, while storing and distributing the keys separately. We do not check in the unencrypted version of the tfstate file as it includes RDS passwords and other sensitive information. The unencrypted version is included in the gitignore file, but we keep it around so humans can inspect it.

It would be nice if each Terraform user did not need to figure out how to wrap the terraform commands to manage secrets as we have, but instead there were a standard way of accomplishing this behavior.

woodhull commented Apr 8, 2015

Related #516

woodhull commented Apr 8, 2015

The obvious problem with encrypting the entire file is that we're not able to diff changes to the tfstate file.

Perhaps the user could choose through configuration between either encrypting certain specific attributes, the file as a whole, or nothing at all.
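One way the per-attribute option could look, as an added example that is neither Terraform's code nor the poster's wrapper script: a Ruby script that seals only attributes named password or master_password with AES-256-GCM and leaves the rest of the state as plaintext JSON, so a diff still shows which resources changed while the secrets do not appear in the repository. The attribute list, the ENC[...] marker, the sample state and the key handling (a 32-byte key kept outside the repository) are assumptions.

```ruby
require 'json'
require 'openssl'
require 'base64'
# Attribute names treated as secrets; every other attribute stays plaintext, so diffs stay readable.
SENSITIVE_KEYS = %w[password master_password].freeze

# Seal one value with AES-256-GCM: nonce || ciphertext || tag, base64-encoded and wrapped as ENC[...].
def seal_value(key, plaintext)
  cipher = OpenSSL::Cipher.new('aes-256-gcm').encrypt
  cipher.key = key
  nonce = cipher.random_iv # fresh 12-byte nonce per value; a nonce must never be reused under one key
  ciphertext = cipher.update(plaintext) + cipher.final
  "ENC[#{Base64.strict_encode64(nonce + ciphertext + cipher.auth_tag)}]"
end

# Reverse seal_value; a wrong key or an edited ciphertext fails tag verification and raises.
def open_value(key, wrapped)
  raise ArgumentError, "value is not sealed: #{wrapped}" unless wrapped =~ /\AENC\[(.+)\]\z/
  blob = Base64.strict_decode64(Regexp.last_match(1))
  nonce, ciphertext, tag = blob[0, 12], blob[12...-16], blob[-16..]
  cipher = OpenSSL::Cipher.new('aes-256-gcm').decrypt
  cipher.key = key
  cipher.iv = nonce
  cipher.auth_tag = tag
  (cipher.update(ciphertext) + cipher.final).force_encoding(Encoding::UTF_8) # CipherError on a bad tag
end

# Walk the parsed state and apply the block only to string attributes whose name is sensitive.
def walk(node, &fn)
  case node
  when Hash then node.each { |k, v| node[k] = v.is_a?(String) && SENSITIVE_KEYS.include?(k) ? fn.call(v) : walk(v, &fn) }
  when Array then node.each_with_index { |v, i| node[i] = walk(v, &fn) }
  end
  node
end

# Parse tfstate JSON, seal (or open) only the secret attributes, and re-emit pretty JSON for version control.
def transform_state(key, raw, encrypt:)
  state = walk(JSON.parse(raw)) { |v| encrypt ? seal_value(key, v) : open_value(key, v) }
  JSON.pretty_generate(state)
end

# Constructed sample in the tfstate v1 layout of the era (assumption); only the password is a secret.
SAMPLE_STATE = JSON.generate(
  'version' => 1, 'serial' => 3,
  'modules' => [{ 'path' => ['root'], 'resources' => { 'aws_db_instance.main' => {
    'type' => 'aws_db_instance', 'primary' => { 'id' => 'db-1',
    'attributes' => { 'engine' => 'postgres', 'password' => 'example-db-password', 'username' => 'app' } }
  } } }]
)
```

Running transform_state with encrypt: false on a state that was never sealed raises, which gives the same kind of early feedback as the decoding error an unlocked repository would otherwise produce.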

@ketzacoatl (Contributor):

Encrypting the contents of the state db would provide encryption of the state for all storage (local/remote) - it would be nice to have this type of protection (especially because details like the RDS master password are sitting in plain sight...) when the state is stored in Consul or Atlas too.

@hobbeswalsh:

I'm not sure this is the solution you're looking for, but I have a PR open to allow S3 encryption of data while at rest (see linked issue above).

@mitchellh would this be an acceptable solution, at least for the S3 part of the remote-config storage?

ghost commented Jan 12, 2016

https://github.com/TomPoulton/hiera-eyaml has inline encryption

seanknox commented Oct 19, 2016

@woodhull not sure if you're still dealing with this issue, but if so, would encrypting tfstate files using git-crypt suffice? git-crypt facilitates diffs. I've been using it for sharing encrypted tfstate and other files amongst teams.

Attempting to run terraform before unlocking the repo via git-crypt throws an error, which is useful feedback to an operator:

$ terraform plan
Decoding state file version failed: invalid character '\x00' looking for beginning of value
$ file terraform.tfstate
terraform.tfstate: data
$ git-crypt unlock
$ file terraform.tfstate
terraform.tfstate: ASCII text, with very long lines

@woodhull (Author):
We eventually settled on git-crypt like so many others.

@air3ijai: (this comment was marked as off-topic)

@WhyNotHugo:

Thanks, @air3ijai
