
Remote state still store state locally in terraform.tfstate because of merging

Open mslot opened this issue 4 years ago • 3 comments

terraform -v

Terraform v0.12.21 + provider.azurerm v2.0.0

When using remote state, I have this main terraform file

```hcl
provider "azurerm" {
  version = "~>2.0.0"
  features {}
}

terraform {
  backend "azurerm" {
  }
}
```

I use a partial config file to initiate my remote storage: `terraform init -backend-config my_partial.hcl`. All good. When I run the init it sets up correctly in my remote storage (an Azure storage account), but I can see that it produces a terraform.tfstate file in the .terraform folder holding all my secrets. I think it is because Terraform merges the config as stated here https://www.terraform.io/docs/backends/config.html:

The final, merged configuration is stored on disk in the .terraform directory, which should be ignored from version control. This means that sensitive information can be omitted from version control, but it will be present in plain text on local disk when running Terraform.

Is there some way of not doing this, even though I am not storing the terraform.tfstate in version control?

I think the docs are somewhat ... inconsistent, because this page https://www.terraform.io/docs/backends/state.html somewhat states that nothing is stored locally when doing remote backends:

When using a non-local backend, Terraform will not persist the state anywhere on disk except in the case of a non-recoverable error where writing the state to the backend failed. This behavior is a major benefit for backends: if sensitive values are in your state, using a remote backend allows you to use Terraform without that state ever being persisted to disk.

Maybe "state" should be explained in more detail, like "state of the current environment, BUT when using partial config, the merged state will still be stored in .terraform/terraform.tfstate, thus exposing secrets if any, in the config".

I don't know, just my few cents towards a better doc.

mslot avatar Mar 31 '20 07:03 mslot

@mslot You're right, the documentation is a little bit unclear, thanks for pointing it out.

pkolyvas avatar Mar 31 '20 14:03 pkolyvas

This is something that threw me off as well - why does it keep local state if it should use the single remote copy?

I found that the local terraform.tfstate it creates only contains the secrets to access the remote backend (in my case Azure Blob Storage), whereas the state file in Remote (in my case I called it tf.tfstate) contains the actual state of all the infrastructure created: (screenshot)

The local terraform.tfstate is disposable (e.g. if you have brand new CI machines being spun up), because your Remote state env variables will refresh this state.

The only TODO here is to make sure you don't commit this .terraform... folder into Git etc, because it contains the creds for your remote state, which contains your actual infra state and all your secrets.

A more elegant way would be for Terraform to use the env-variables in memory to store this secret information I guess, but maybe there's resiliency issues on why it doesn't do that.

mdrakiburrahman avatar Jun 21 '22 18:06 mdrakiburrahman
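The two observations in this thread (the merged backend config in `.terraform/terraform.tfstate` carries the backend credentials, and the `.terraform` folder must never be committed) can be turned into a quick local check. The following script is an added example, not Terraform's own code or anything from this issue: it assumes the JSON layout Terraform 0.12 uses for that backend state file (a top-level `backend` object with `type` and `config`), uses a constructed sample document with placeholder values, and treats a hand-picked set of backend argument names (`access_key`, `sas_token`, `client_secret`, ...) as credential-bearing. The `.gitignore` check recognises only the common spellings of a `.terraform` rule; it is not a full gitignore parser.

```python
"""Audit what Terraform persisted in .terraform/terraform.tfstate.

Hypothetical helper, not part of Terraform. Assumes the 0.12-era backend
state layout: {"version": 3, "backend": {"type": ..., "config": {...}}, ...}.
"""
import json
import re
import sys
from pathlib import Path

# Backend config keys that carry credentials rather than addressing info.
# The azurerm names are documented backend arguments; deciding that these
# are the sensitive ones is this script's assumption, not Terraform's list.
CREDENTIAL_KEYS = {
    "access_key", "sas_token", "client_secret",
    "client_certificate_password", "secret_key", "token", "password",
}

# Constructed sample of the merged config written after
# `terraform init -backend-config my_partial.hcl` (placeholder values).
SAMPLE_BACKEND_STATE = json.dumps({
    "version": 3,
    "terraform_version": "0.12.21",
    "backend": {
        "type": "azurerm",
        "config": {
            "storage_account_name": "examplestorage",
            "container_name": "tfstate",
            "key": "tf.tfstate",
            "access_key": "PLACEHOLDER-ACCESS-KEY",
        },
        "hash": 0,
    },
    "modules": [],
})


def audit_backend_state(text: str) -> dict:
    """Report credential-like backend keys and whether resource state is present.

    The comment above says this file holds only backend credentials, never
    the infrastructure state; this confirms or refutes that for a given file.
    """
    doc = json.loads(text)
    backend = doc.get("backend") or {}
    config = backend.get("config") or {}
    secret_keys = sorted(k for k, v in config.items()
                         if k in CREDENTIAL_KEYS and v not in (None, ""))
    # Resource state would sit under "modules" (v3) or "resources" (v4).
    has_resources = any(m.get("resources") for m in doc.get("modules", [])) \
        or bool(doc.get("resources"))
    return {
        "backend_type": backend.get("type"),
        "credential_keys_present": secret_keys,
        "holds_resource_state": has_resources,
    }


def gitignore_covers_terraform_dir(gitignore_text: str) -> bool:
    """True if a non-negated rule ignores the .terraform directory."""
    for raw in gitignore_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("!"):
            continue
        if re.fullmatch(r"(\*\*/)?\.terraform(/\*?)?", line):
            return True
    return False


def audit_workdir(workdir: Path) -> dict:
    """Run both checks against a real Terraform working directory."""
    state_path = workdir / ".terraform" / "terraform.tfstate"
    gitignore = workdir / ".gitignore"
    report = audit_backend_state(state_path.read_text()) if state_path.exists() else {}
    report["terraform_dir_ignored"] = (
        gitignore.exists() and gitignore_covers_terraform_dir(gitignore.read_text())
    )
    return report


if __name__ == "__main__":
    # With a directory argument, audit it; otherwise show the constructed sample.
    if len(sys.argv) > 1:
        print(json.dumps(audit_workdir(Path(sys.argv[1])), indent=2))
    else:
        print(json.dumps(audit_backend_state(SAMPLE_BACKEND_STATE), indent=2))
```

Running it against the sample reports `access_key` as the one credential present and no resource state, which matches what the comment above describes. If `credential_keys_present` is non-empty and `terraform_dir_ignored` is false, the working copy is one `git add .` away from committing backend credentials; supplying those values through the backend's environment variables (for azurerm, `ARM_ACCESS_KEY`) instead of the partial config file keeps them out of the merged file entirely.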

Thanks all! I've opened a PR here to address this issue and help clear up what is actually being stored on your local machine when you use a remote backend. We've also added some content to this docs page about sensitive credentials and how to handle them since this issue was created (separate PR; already merged), which I'm hoping you'll like as well :)

https://github.com/hashicorp/terraform/pull/31547

Let me know if anyone has feedback! @crw - could I please put this PR in engineering's queue for review?

laurapacilio avatar Jul 29 '22 21:07 laurapacilio

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

github-actions[bot] avatar Oct 10 '22 02:10 github-actions[bot]