
Allow encryption of tfstate file

Open woodhull opened this issue 9 years ago • 9 comments

We currently have a wrapper ruby script that decrypts the tfstate file before terraform apply runs and then encrypts the file after the run is complete.

We check the encrypted version into source control so the tfstate can be shared among the team, while storing and distributing the keys separately. We do not check in the unencrypted version of the tfstate file as it includes RDS passwords and other sensitive information. The unencrypted version is included in the gitignore file, but we keep it around so humans can inspect it.

It would be nice if each terraform user did not need to figure out how to wrap the terraform commands to manage secrets as we have, but instead there was a standard way of accomplishing this behavior.

woodhull, Apr 08 '15 00:04

Related https://github.com/hashicorp/terraform/issues/516

woodhull, Apr 08 '15 00:04

The obvious problem with encrypting the entire file is that we're not able to diff changes to the tfstate file.

Perhaps the user could choose through configuration between either encrypting certain specific attributes, the file as a whole, or nothing at all.

woodhull, Apr 08 '15 21:04
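The attribute-level option suggested in the comment above, as an added example (not the poster's wrapper script and not part of Terraform): a Ruby script that encrypts only the values of chosen attribute names in a tfstate document with AES-256-GCM, so every other field stays plaintext and diffable. The key is assumed to be supplied out of band; the sample state and the SENSITIVE_KEYS list are constructed for the demo.

```ruby
require 'json'
require 'openssl'

# Attribute names to encrypt (assumption: the team picks this list); everything else stays plaintext.
SENSITIVE_KEYS = %w[password master_password].freeze
MARK = 'ENC[AES256_GCM,'.freeze # prefix marking an already-encrypted value

# Constructed sample, shaped like a minimal tfstate document (not a real state file).
SAMPLE_STATE = <<~JSON
  {"version": 4, "resources": [{"type": "aws_db_instance", "name": "main",
    "instances": [{"attributes": {"engine": "postgres", "username": "admin", "password": "hunter2"}}]}]}
JSON

# AES-256-GCM, fresh random IV per value; output is "ENC[AES256_GCM,<iv>,<ct>,<tag>]" with base64 fields.
def encrypt_value(plain, key)
  cipher = OpenSSL::Cipher.new('aes-256-gcm').encrypt
  cipher.key = key
  iv = cipher.random_iv
  ct = (plain.empty? ? '' : cipher.update(plain)) + cipher.final # update rejects empty input
  "#{MARK}#{[iv, ct, cipher.auth_tag].map { |b| [b].pack('m0') }.join(',')}]"
end

# Reverse of encrypt_value; unmarked values pass through, a wrong key or tampering raises CipherError.
def decrypt_value(value, key)
  return value unless value.start_with?(MARK) && value.end_with?(']')
  iv, ct, tag = value[MARK.length...-1].split(',').map { |s| s.unpack1('m0') }
  cipher = OpenSSL::Cipher.new('aes-256-gcm').decrypt
  cipher.key = key
  cipher.iv = iv
  cipher.auth_tag = tag
  (ct.empty? ? '' : cipher.update(ct)) + cipher.final
end

# Walk the parsed document, applying fn only to string values stored under sensitive keys.
def transform(node, key, &fn)
  case node
  when Hash  then node.to_h { |k, v| [k, SENSITIVE_KEYS.include?(k) && v.is_a?(String) ? fn.call(v, key) : transform(v, key, &fn)] }
  when Array then node.map { |v| transform(v, key, &fn) }
  else node
  end
end

def encrypt_state(json, key)
  JSON.pretty_generate(transform(JSON.parse(json), key, &method(:encrypt_value)))
end

def decrypt_state(json, key)
  JSON.pretty_generate(transform(JSON.parse(json), key, &method(:decrypt_value)))
end

if __FILE__ == $PROGRAM_NAME
  key = OpenSSL::Random.random_bytes(32) # in practice loaded from the separately distributed key material
  puts encrypt_state(SAMPLE_STATE, key)
end
```

Because the IV is random per run, re-encrypting an unchanged password still produces a new ciphertext, so a diff shows the field changed even when the secret did not; a deterministic scheme would avoid that at the cost of revealing equal values.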

Encrypting the contents of the state db would provide encryption of the state for all storage (local/remote) - it would be nice to have this type of protection (especially because details like the RDS master password are sitting in plain sight.) when the state is stored in Consul or Atlas too.

ketzacoatl, Apr 23 '15 06:04

I'm not sure this is the solution you're looking for, but I have a PR open to allow S3 encryption of data while at rest (see linked issue above).

@mitchellh would this be an acceptable solution, at least for the S3 part of the remote-config storage?

hobbeswalsh, Jun 19 '15 19:06

https://github.com/TomPoulton/hiera-eyaml has inline encryption

ghost, Jan 12 '16 18:01

@woodhull not sure if you're still dealing with this issue, but if so, would encrypting tfstate files using git-crypt suffice? git-crypt facilitates diffs. I've been using it for sharing encrypted tfstate and other files amongst teams.

Attempting to run terraform before unlocking the repo via git-crypt throws an error, which is useful feedback to an operator:

$ terraform plan
Decoding state file version failed: invalid character '\x00' looking for beginning of value
$ file terraform.tfstate
terraform.tfstate: data
$ git-crypt unlock
$ file terraform.tfstate
terraform.tfstate: ASCII text, with very long lines

seanknox, Oct 19 '16 23:10

We eventually settled on git-crypt like so many others.

woodhull, Jul 19 '19 02:07

That was implemented in OpenTofu v1.7.0

State Encryption - Protect your precious state files with end-to-end encryption.

State and Plan Encryption

air3ijai, May 02 '24 05:05

Thanks, @air3ijai

WhyNotHugo, May 02 '24 18:05