SecDevOps: Protecting Terraform state file

Terraform is one of the most widely used tools for deploying Infrastructure as a Service (IaaS for short), but it has to be managed in a secure way.

Some developers commit the Terraform state file, terraform.tfstate, to the repository to share it easily among developers. This turns out to be a very bad idea, because the state file also stores credentials and private keys. So anyone who can access the repository automatically gets access to our infrastructure too!

Instead of storing the Terraform state file locally or publicly in the repository, we should store it remotely and securely, so that it stays consistent with the changes we make.

Terraform supports many remote backends for storing the state file: an AWS S3 bucket, Google Cloud Storage, Artifactory, etc. A remote backend keeps the state consistent among team members; further down we define four options for storing sensitive data such as private keys, private IP addresses or passwords securely.
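As an added example (not code from the original post), this is what a remote S3 backend looks like with the state object encrypted at rest and a lock table so two team members cannot apply at the same time. The bucket, table, region and KMS alias names are placeholders, not values from the post:

```hcl
# Added example, not from the original post. All names below are placeholders.
terraform {
  required_version = ">= 1.0"

  backend "s3" {
    bucket         = "example-tfstate-bucket"        # placeholder bucket, must already exist
    key            = "prod/network/terraform.tfstate" # path of the state object inside the bucket
    region         = "eu-west-1"                      # placeholder region
    encrypt        = true                             # server-side encryption of the state object
    kms_key_id     = "alias/example-tfstate"          # placeholder KMS key; omit to use SSE-S3
    dynamodb_table = "example-tfstate-lock"           # placeholder table used for state locking
  }
}
```

The backend block cannot reference variables, so the bucket and table names are literals; they identify where the state lives, not secrets, and can be committed. What must stay out of this block is any AWS access key: the S3 backend picks up credentials from the usual AWS environment variables or profile, exactly like the AWS provider, so no password has to appear in the file. Keep the bucket private (no public access, versioning on) and restrict who can read it, because even an encrypted state object is readable in plaintext by anyone with read permission on the bucket and the key.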

To avoid future mistakes and never upload those files to the repository, add terraform.tfstate and terraform.tfvars to your .gitignore file.

# Add to .gitignore
terraform.tfstate
terraform.tfstate.backup   # Terraform writes this copy next to the state file
terraform.tfvars

The same goes for init.tf (the file holding the backend configuration): it must not contain any password either.

We have several options for safely passing variables containing passwords and private keys to Terraform.

Option 1: Use environment variables to pass values, but keep in mind that the export command can end up in your .bash_history file.

export TF_VAR_token="abcdefgihjklmnpq"

Option 2: Use an encrypted local file with Terraform variables
Option 3: Use HashiCorp Vault
Option 4: Store it in the macOS Keychain
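Options 1 and 3 combined, as an added example (not code from the original post): the token comes in through TF_VAR_token and is declared sensitive so it never shows in plan or apply output, while the Artifactory password is read from Vault at plan time instead of living in a file. The Vault mount and secret names are assumptions for the example:

```hcl
# Added example, not from the original post. Mount and secret names are assumed.
terraform {
  required_providers {
    vault = {
      source = "hashicorp/vault"
    }
  }
}

# Option 1: value arrives via `export TF_VAR_token=...`, never via a committed file.
variable "token" {
  description = "API token, supplied through the TF_VAR_token environment variable"
  type        = string
  sensitive   = true # redacted from plan/apply output and from module outputs
}

# Option 3: address and token come from VAULT_ADDR / VAULT_TOKEN, so nothing is hardcoded here.
provider "vault" {}

# Reads secret/artifactory from a KV v2 mount (assumed names); the returned data map is sensitive.
data "vault_kv_secret_v2" "artifactory" {
  mount = "secret"
  name  = "artifactory"
}

locals {
  # Both values stay sensitive when passed on to providers or resources.
  artifactory_password = data.vault_kv_secret_v2.artifactory.data["password"]
  api_token            = var.token
}

# If a value has to be exported, mark the output sensitive as well.
output "artifactory_user" {
  value     = data.vault_kv_secret_v2.artifactory.data["username"]
  sensitive = true
}
```

For option 1, reading the value with `read -rs TF_VAR_token && export TF_VAR_token` keeps it out of .bash_history, since only the variable name appears on the command line. The caveat that ties both options back to the state file: `sensitive = true` only redacts values from terminal output. Anything Terraform reads, including a secret fetched from Vault, is still written in plaintext to terraform.tfstate, which is exactly why the state must live in an encrypted, access-controlled remote backend rather than in the repository.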

Remember to store the Artifactory password in the secrets manager as well!

Summing up… deploy fast but don’t forget to stay safe 🙂