Terraform
In this guide, we show you how to use the Onboardbase CLI to secure your Terraform state files.
Overview
The Onboardbase CLI can simplify the management of Terraform state files and provide secure encryption and decryption functionality.
This documentation will guide you through the usage of the onboardbase tf command, which is used to manage Terraform state files and their encryption.
Installation
Before using the Onboardbase CLI, make sure you have it installed. You can follow the steps here to install the CLI.
onboardbase tf Command
The onboardbase tf command is used for managing Terraform state files and provides encryption and decryption capabilities. It supports the following options:
Encrypting a Terraform State File
You can use the onboardbase tf:encrypt command to encrypt a Terraform state file with a specified encryption key.
onboardbase tf:encrypt --enc-key "your encryption key" --file "path to your terraform.tfstate file"
- --enc-key (Optional): Specify the encryption key you want to use to encrypt the Terraform state file. If a value is not passed, the CLI defaults to using your device fingerprint to encrypt the file, meaning only your device can encrypt and decrypt the TF state content.
- --file (Optional): Specify the path to the Terraform state file you want to encrypt. If this option is not provided, the CLI defaults to the standard name of Terraform state files, which is terraform.tfstate.
Decrypting a Terraform State File
You can use the onboardbase tf:decrypt command to decrypt a Terraform state file with a given encryption key. This command also allows you to specify a custom Terraform command to run.
onboardbase tf:decrypt --enc-key "The encryption key you used to encrypt your tfstate file" --file "path to encrypted terraform.tfstate file" -- "Your Terraform command"
- --enc-key (Optional): Specify the encryption key used to encrypt the Terraform state file. If you encrypted the file with a key other than the default, provide it here.
- --file (Optional): Specify the path to the Terraform state file you want to decrypt. If this option is not provided, the CLI defaults to terraform.tfstate.
- Terraform Command: You can include a Terraform command to run after decrypting the state file. This can be any valid Terraform command.
Using Standard Input (stdin)
The onboardbase tf command supports reading from standard input (stdin). This is particularly useful when working with external sources, such as encrypted URLs.
In the example below, the URL points to a Terraform state file that is already encrypted:
curl -s https://files.onboardbase.com/terraform.tfstate | onboardbase tf --enc-key "your encryption key" --file "-"
- To read from stdin, use - as the value for the --file argument. This instructs the CLI to read from standard input.
External Encrypted URL
When you pass an external encrypted URL to the onboardbase tf command, the CLI performs the following actions:
- It decrypts the file from the external URL.
- It writes the decrypted file to the Terraform project.
- On exit, because the file is sourced from an external URL, it deletes the file from the external source, ensuring it remains secure.
Automatic Encryption and Decryption
The Onboardbase CLI automatically encrypts and decrypts the Terraform state file. When you use the onboardbase tf command, it decrypts the file for your use, and upon the exit of any command you run, it re-encrypts the file.
This automatic encryption and decryption feature ensures the security of your Terraform state content without requiring manual intervention.
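A check that can run after an onboardbase tf command exits, or from a pre-commit hook, to confirm that no state file was left in plaintext. This is an added example, not part of the Onboardbase CLI or its documentation: the function names and sample files are constructed here, and it assumes an encrypted file no longer contains Terraform's own JSON keys (the page does not describe the encrypted format). It goes slightly beyond the page by also checking terraform.tfstate.backup, which Terraform keeps next to a local state file.

```shell
#!/bin/sh
# Added example: find Terraform state files that are still plaintext on disk.
# Assumption: an encrypted state file no longer contains Terraform's own JSON
# keys; the CLI's encrypted format is not described on the page.

# Return 0 if "$1" looks like plaintext Terraform state, 1 otherwise.
is_plaintext_tfstate() {
    [ -f "$1" ] || return 1
    grep -q '"terraform_version"' "$1" &&
        grep -q '"lineage"' "$1" &&
        grep -q '"serial"' "$1"
}

# Print each plaintext state file under "$1" (default "."); return 1 if any.
scan_state_dir() {
    found=0
    files=$(find "${1:-.}" -type f \( -name '*.tfstate' -o -name '*.tfstate.backup' \))
    while IFS= read -r f; do
        [ -n "$f" ] || continue
        if is_plaintext_tfstate "$f"; then
            printf 'PLAINTEXT STATE: %s\n' "$f"
            found=1
        fi
    done <<EOF
$files
EOF
    return "$found"
}

# Constructed sample files: one plaintext state, its backup, and an opaque
# stand-in for an encrypted file (not the CLI's real output format).
write_samples() {
    mkdir -p "$1/plain" "$1/enc"
    printf '%s\n' '{"version": 4, "terraform_version": "1.5.0", "serial": 3,' \
        ' "lineage": "00000000-0000-0000-0000-000000000000", "resources": []}' \
        > "$1/plain/terraform.tfstate"
    cp "$1/plain/terraform.tfstate" "$1/plain/terraform.tfstate.backup"
    printf '%s\n' 'U2FtcGxlT3BhcXVlQ2lwaGVydGV4dA==' > "$1/enc/terraform.tfstate"
}

# Demo run on the constructed samples.
demo_dir=$(mktemp -d)
write_samples "$demo_dir"
scan_state_dir "$demo_dir" || echo "refusing to continue: plaintext state present"
rm -rf "$demo_dir"
```

In a hook, call `scan_state_dir . || exit 1` so a commit or pipeline step stops while any plaintext state file is present.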
Manage TF State with Onboardbase Store
Create a store and get the store key and locker key from the dashboard.
Upload
onboardbase tf:upload --store-key=[STORE_KEY] --lockerKey=[LOCKER_KEY] --file-id=auth-service-tfstate --file=terraform.tfstate
- --store-key: This is the unique key to authenticate and identify a particular store to use for the upload.
- --locker-key (Optional): This is the unique locker key under a store that the file should be uploaded under.
- --file-id (Optional): A unique identifier for the file in the store. Defaults to "TF-STATE".
- --file (Optional): Path to the state file.
Download
onboardbase tf:download --store-key=[STORE_KEY] --lockerKey=[LOCKER_KEY] --file-id=auth-service-tfstate --file=terraform.tfstate
- --store-key: This is the unique key to authenticate and identify a particular store to download from.
- --locker-key (Optional): This is the unique locker key under a store that the file can be downloaded from, if it was uploaded to a locker within a store.
- --file-id (Optional): A unique identifier for the file in the store. Defaults to "TF-STATE".
- --file (Optional): Path to the state file.
Updated 5 months ago