thegeeklab/content/posts/2022/store-terraform-state-on-ba.../index.md

---
title: "Store Terraform State on Backblaze S3"
date: 2022-09-04T20:47:53+02:00
authors:
  - robert-kaussow
tags:
  - Sysadmin
  - Automation
resources:
  - name: feature
    src: "images/feature.jpg"
    params:
      anchor: Center
      credits: >
        [Wesley Tingey](https://unsplash.com/@wesleyphotography) on
        [Unsplash](https://unsplash.com/s/photos/file)
---

Terraform is an open source infrastructure-as-code tool for creating, modifying, and extending infrastructure in a secure and predictable way. Terraform needs to store a state about the managed infrastructure and configuration. This state is used by Terraform to map real-world resources to your configuration and track metadata. By default, this state is stored in a local file, but it can also be stored remotely.

Terraform supports multiple remote backend provider including S3. I already use Backblaze for backups and have had good experiences with it. Since Backblaze also provides an S3 Compatible API, I wanted to use it for Terraform. How to use S3 as a state backend is well [documented](https://developer.hashicorp.com/terraform/language/settings/backends/s3), but as it's focused on Amazon S3 there are a few things to take care of. A basic working configuration will look like this:

```Terraform
terraform {
  backend "s3" {
    bucket                      = "my-bucket"
    key                         = "state.json"
    skip_credentials_validation = true
    skip_region_validation      = true
    endpoint                    = "https://s3.us-west-004.backblazeb2.com"
    region                      = "us-west-004"
    access_key                  = "0041234567899990000000004"
    secret_key                  = "K001abcdefgklmnopqrstuvw"
  }
}
```

It is required to enable `skip_credentials_validation` and `skip_region_validation` because Backblaze uses a different format for these values and the validation only covers Amazon S3. For security reasons, I would recommend setting at least the `access_key` and `secret_key` parameters as environment variables instead of writing them to the Terraform file. For the credentials, it is required to create an App Key on Backblaze. After creating the Key the `keyName` need to be used as `access_key` and `applicationKey` as `secret_key`.

That's basically all. If you want to go a step further, it is possible to save the state encrypted with [Server-Side Encryption](https://www.backblaze.com/b2/docs/server_side_encryption.html) (SSE). There are two options available. The first is `SSE-B2`, where the key is managed and stored by Backblaze, which is quiet simple to configure. The second option is to use customer managed keys. Using this option, an AES-256 and base64 encoded key is used. To generate a proper key, the command `openssl rand -base64 32` can be used.

To enable encryption in the Terraform Provider, the configuration must be extended:

```Terraform
terraform {
  backend "s3" {
    ...
    encrypt                     = true
    sse_customer_key            = "fsRb1SXBjiUqBM0rw/YqvDixScWnDCZsK7BhnPTc93Y="
  }
}
```
post: Store Terraform State on Backblaze S3 2022-09-04 22:27:08 +02:00			`---`
			`title: "Store Terraform State on Backblaze S3"`
			`date: 2022-09-04T20:47:53+02:00`
			`authors:`
			`- robert-kaussow`
			`tags:`
chore: fix tag names 2022-09-05 20:51:39 +02:00			`- Sysadmin`
			`- Automation`
post: Store Terraform State on Backblaze S3 2022-09-04 22:27:08 +02:00			`resources:`
			`- name: feature`
			`src: "images/feature.jpg"`
			`params:`
			`anchor: Center`
			`credits: >`
			`[Wesley Tingey](https://unsplash.com/@wesleyphotography) on`
			`[Unsplash](https://unsplash.com/s/photos/file)`
			`---`

			`Terraform is an open source infrastructure-as-code tool for creating, modifying, and extending infrastructure in a secure and predictable way. Terraform needs to store a state about the managed infrastructure and configuration. This state is used by Terraform to map real-world resources to your configuration and track metadata. By default, this state is stored in a local file, but it can also be stored remotely.`

chore: remove unmaintained dependency prettier-plugin-go-template (#234) Reviewed-on: https://gitea.rknet.org/xoxys/thegeeklab/pulls/234 2023-07-05 20:36:04 +02:00			`Terraform supports multiple remote backend provider including S3. I already use Backblaze for backups and have had good experiences with it. Since Backblaze also provides an S3 Compatible API, I wanted to use it for Terraform. How to use S3 as a state backend is well [documented](https://developer.hashicorp.com/terraform/language/settings/backends/s3), but as it's focused on Amazon S3 there are a few things to take care of. A basic working configuration will look like this:`
post: Store Terraform State on Backblaze S3 2022-09-04 22:27:08 +02:00
			```Terraform
			`terraform {`
			`backend "s3" {`
			`bucket = "my-bucket"`
			`key = "state.json"`
			`skip_credentials_validation = true`
			`skip_region_validation = true`
			`endpoint = "https://s3.us-west-004.backblazeb2.com"`
			`region = "us-west-004"`
			`access_key = "0041234567899990000000004"`
			`secret_key = "K001abcdefgklmnopqrstuvw"`
			`}`
			`}`
			```

			It is required to enable `skip_credentials_validation` and `skip_region_validation` because Backblaze uses a different format for these values and the validation only covers Amazon S3. For security reasons, I would recommend setting at least the `access_key` and `secret_key` parameters as environment variables instead of writing them to the Terraform file. For the credentials, it is required to create an App Key on Backblaze. After creating the Key the `keyName` need to be used as `access_key` and `applicationKey` as `secret_key`.

			That's basically all. If you want to go a step further, it is possible to save the state encrypted with [Server-Side Encryption](https://www.backblaze.com/b2/docs/server_side_encryption.html) (SSE). There are two options available. The first is `SSE-B2`, where the key is managed and stored by Backblaze, which is quiet simple to configure. The second option is to use customer managed keys. Using this option, an AES-256 and base64 encoded key is used. To generate a proper key, the command `openssl rand -base64 32` can be used.

			`To enable encryption in the Terraform Provider, the configuration must be extended:`

			```Terraform
			`terraform {`
			`backend "s3" {`
			`...`
			`encrypt = true`
			`sse_customer_key = "fsRb1SXBjiUqBM0rw/YqvDixScWnDCZsK7BhnPTc93Y="`
			`}`
			`}`
			```