Camilla Montonen

Reputation: 33

Using Vault to encrypt remote Terraform state stored in Consul

As of today, managing secrets such as cloud provider access keys and IDs is an open problem in the Terraform project (see GitHub issue). Whenever we run terraform plan or terraform apply, these secrets are stored in plain text in the Terraform state file. There are numerous third-party redaction and encryption scripts such as terrahelp.

My question: Consul is a native backend for storing remote terraform state. Is it possible to use Vault to encrypt state files stored in Consul? I have tried searching through the Terraform backend documentation, but was not able to find any configuration flags that would allow Consul to use Vault to encrypt the state file.

Upvotes: 3

Views: 936

Answers (1)

fishi0x01

Reputation: 3759

As much as I would like that feature, sadly I don't think that this is possible at the moment. If you want your whole statefile encrypted, then you would need to choose another backend that supports this out of the box, like s3 with bucket encryption enabled.

It would also be nice if there were an official way to hook into the statefile read/store procedure to incorporate Vault encryption (or any other custom requirements) yourself, but AFAIK this is also not possible.

Small side note: terraform plan does not write anything to the statefile. It is a read-only operation, as otherwise it couldn't be considered safe to use.

Upvotes: 2
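To make the answer's suggestion concrete, here is an added example (not code from the question, the answer, or the Terraform project) that puts the Consul backend from the question next to an S3 backend configured for server-side encryption. Every name in it is a placeholder: the Consul address, the KV path, the bucket, the DynamoDB table, the region and the KMS key ARN are all assumed values, not taken from the post. The backend arguments themselves (address, scheme, path, lock for Consul; bucket, key, region, encrypt, kms_key_id, dynamodb_table for S3) are real Terraform backend settings.

```hcl
# A root module may declare only one backend, so treat these as two separate
# files: the first is the current setup, the second the replacement.
# All hostnames, paths, bucket/table names and the KMS key ARN below are
# placeholders chosen for this example.

# --- backend-consul.tf (current setup described in the question) ---
# Consul's KV store keeps the state exactly as the Terraform client wrote it.
# There is no backend option that hands the payload to Vault for encryption,
# so anyone who can read this KV path reads the secrets in plain text.
terraform {
  backend "consul" {
    address = "consul.example.internal:8500"   # placeholder
    scheme  = "https"                           # TLS on the wire, not at rest
    path    = "terraform/prod/state"            # placeholder KV path
    lock    = true
  }
}

# --- backend-s3.tf (alternative the answer recommends) ---
# encrypt = true asks S3 to store the object with server-side encryption.
# kms_key_id selects a customer-managed KMS key, so reading the state
# requires kms:Decrypt on that key in addition to s3:GetObject.
# dynamodb_table adds state locking so two applies cannot race.
terraform {
  backend "s3" {
    bucket         = "example-tfstate"                 # placeholder
    key            = "prod/terraform.tfstate"          # placeholder object key
    region         = "eu-west-1"                       # placeholder
    encrypt        = true
    kms_key_id     = "arn:aws:kms:eu-west-1:123456789012:key/00000000-0000-0000-0000-000000000000" # placeholder ARN
    dynamodb_table = "example-tfstate-lock"            # placeholder
  }
}
```

Switching a module from the first block to the second and running terraform init -migrate-state copies the existing state into the bucket. Two caveats a practitioner should keep in mind: SSE-KMS protects the object at rest only, so a principal with s3:GetObject and kms:Decrypt still sees every secret in the state in plain text, which makes the bucket policy and KMS key policy the actual access control; and migrating does not scrub the old copy, so the Consul KV path should be deleted once the move is verified.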
