chrisfowles | 2 years ago

Why on earth is your state in git? The tool has built-in functionality to handle just these kinds of workflows. This reads a lot like hitting your thumb with the hammer and blaming hammers.

kasfkaj | 2 years ago

Yes, this. Just supply a few flags to configure terraform backend to store the state in remote storage and encrypt it.

# assumes a `backend "gcs" {}` block in the terraform configuration; values are passed with -backend-config
terraform init -backend-config="bucket=xxx" -backend-config="prefix=my-deployment-name" -backend-config="encryption_key=my-random-bits"
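An added example, not from the comment above, of how that split looks in practice: the backend declaration is committed, while the bucket name and the customer-supplied encryption key are supplied at init time (the gcs backend also reads the key from GOOGLE_ENCRYPTION_KEY), so the key itself never lands in the repo. Bucket name and key are placeholders.

```hcl
# backend.tf (committed): declare the remote backend, leave sensitive values out.
terraform {
  backend "gcs" {
    # bucket and encryption_key are deliberately omitted here and supplied
    # at init time, so neither the bucket name nor the key is committed.
    prefix = "my-deployment-name"
  }
}

# Run once per checkout (placeholder values, not real):
#   export GOOGLE_ENCRYPTION_KEY="<32-byte key, base64>"   # customer-supplied key for state objects
#   terraform init -backend-config="bucket=<state-bucket>"
#
# And keep local state artifacts out of git regardless (.gitignore):
#   *.tfstate
#   *.tfstate.backup
#   .terraform/
```

This only encrypts the state objects at rest: whoever can read the bucket and holds the key still sees every secret Terraform wrote into state, which is the separate problem raised further down the thread.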

Hnrobert42 | 2 years ago

Again, that just puts a bandaid over the problem. You can’t individually audit access to, or rotate, secrets stored in state files.

fishnchips | 2 years ago

Presumably one would want to store the state in Git to get contextual diffing “for free” and possibly to avoid a dependency on another system.

Pet_Ant | 2 years ago

If so, then create a separate locked-down Git repo just for this. Protecting your state file was a big deal when I was first reading about Terraform. It was really drilled in.

Hnrobert42 | 2 years ago

I didn’t choose it, but my guess is that they didn’t know what they were doing.

Even so, git only exacerbated the problem of secrets being in state files.