Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

encrypt terraform state #24

Merged
merged 1 commit into from
Feb 6, 2025
Merged

encrypt terraform state #24

merged 1 commit into from
Feb 6, 2025

Conversation

siddarthkay
Copy link
Contributor

@siddarthkay siddarthkay commented Jan 4, 2025
edited
Loading

fixes: #2

Summary

  • This PR encrypts terraform state backup with a hash generated from CONSUL_HTTP_TOKEN

@siddarthkay siddarthkay self-assigned this Jan 4, 2025
@siddarthkay siddarthkay requested review from jakubgs and a team January 6, 2025 08:39
@jakubgs
Copy link
Member

jakubgs commented Jan 7, 2025

This is incorrect. We do need local backups of Terraform state. This is a disaster recovery measure.

This about a scenario in which Consul cluster is broken or unavailable, but you need to manage the state of our cloud resources using Terraform, for example scale up. Without Consul that would not be doable, but with the backup available you could decrypt it and migrate to a local state to handle necessary changes even without Consul.

@siddarthkay siddarthkay marked this pull request as draft January 7, 2025 09:40
@siddarthkay
Copy link
Contributor Author

Hmm In that case, I can encrypt the state backed up by terraform with consul's http token.
I'll use this PR for that.

@siddarthkay siddarthkay force-pushed the do-not-backup-tf-state branch from 6068723 to aa3ccbe Compare January 22, 2025 10:17
@siddarthkay siddarthkay changed the title terraform: don't backup tf state encrypt terraform state Jan 22, 2025
@siddarthkay siddarthkay marked this pull request as ready for review January 22, 2025 10:19
@siddarthkay siddarthkay requested a review from yakimant January 22, 2025 13:33
jakubgs
jakubgs approved these changes Jan 23, 2025
View reviewed changes
Copy link
Member

@jakubgs jakubgs left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I tested it locally, works nicely. Two notes tho:

  • I would move the decryption script to infra-utils/ansible and just reference it since it should be rarely needed.
  • The ansible/README.md should updated in the Inventory section to explain the encrypted backup and how to decrypt.

ansible/decrypt_tf_backup.py Outdated Show resolved Hide resolved
@siddarthkay
Copy link
Contributor Author

@jakubgs : One thing i worry about is if CONSUL_HTTP_TOKEN were ever to change, all backups encrypted with old token would no longer decrypt with new CONSUL_HTTP_TOKEN
What should we do to handle such a situation ?
A warning in readme is enough OR should we use another token dedicated for encrypting terraform state?

@jakubgs
Copy link
Member

jakubgs commented Feb 5, 2025

I think this is fine, since the Consul token history would still exist in infra-pass, so we can always recover older backups.

And overwriting existing ones with new ones encrypted with new token is also the correct behavior, so it's fine.

@siddarthkay siddarthkay force-pushed the do-not-backup-tf-state branch 2 times, most recently from 4fe6c74 to 5753765 Compare February 6, 2025 10:29
@siddarthkay siddarthkay requested a review from jakubgs February 6, 2025 10:30
jakubgs
jakubgs approved these changes Feb 6, 2025
View reviewed changes
ansible/README.md Outdated Show resolved Hide resolved
@siddarthkay siddarthkay force-pushed the do-not-backup-tf-state branch from 5753765 to ba27d4f Compare February 6, 2025 12:48
@siddarthkay siddarthkay merged commit eae044d into master Feb 6, 2025
@siddarthkay siddarthkay deleted the do-not-backup-tf-state branch February 6, 2025 13:07
@siddarthkay
Copy link
Contributor Author

I guess now this commit needs to be replicated over all infra-* repos

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@jakubgs jakubgs jakubgs approved these changes

@yakimant yakimant Awaiting requested review from yakimant

Assignees

@siddarthkay siddarthkay

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Encrypt or disable Terraform state backup file
3 participants
@siddarthkay @jakubgs @yakimant