thegeeklab/content/posts/2022/store-terraform-state-on-backblaze-s3/index.md
Robert Kaussow 725dff258d
All checks were successful
continuous-integration/drone/push Build is passing
chore: remove unmaintained dependency prettier-plugin-go-template (#234)
Reviewed-on: #234
2023-07-05 20:36:04 +02:00

53 lines
3.0 KiB
Markdown

---
title: "Store Terraform State on Backblaze S3"
date: 2022-09-04T20:47:53+02:00
authors:
- robert-kaussow
tags:
- Sysadmin
- Automation
resources:
- name: feature
src: "images/feature.jpg"
params:
anchor: Center
credits: >
[Wesley Tingey](https://unsplash.com/@wesleyphotography) on
[Unsplash](https://unsplash.com/s/photos/file)
---
Terraform is an open source infrastructure-as-code tool for creating, modifying, and extending infrastructure in a secure and predictable way. Terraform needs to store a state about the managed infrastructure and configuration. This state is used by Terraform to map real-world resources to your configuration and track metadata. By default, this state is stored in a local file, but it can also be stored remotely.
Terraform supports multiple remote backend provider including S3. I already use Backblaze for backups and have had good experiences with it. Since Backblaze also provides an S3 Compatible API, I wanted to use it for Terraform. How to use S3 as a state backend is well [documented](https://developer.hashicorp.com/terraform/language/settings/backends/s3), but as it's focused on Amazon S3 there are a few things to take care of. A basic working configuration will look like this:
```Terraform
terraform {
backend "s3" {
bucket = "my-bucket"
key = "state.json"
skip_credentials_validation = true
skip_region_validation = true
endpoint = "https://s3.us-west-004.backblazeb2.com"
region = "us-west-004"
access_key = "0041234567899990000000004"
secret_key = "K001abcdefgklmnopqrstuvw"
}
}
```
It is required to enable `skip_credentials_validation` and `skip_region_validation` because Backblaze uses a different format for these values and the validation only covers Amazon S3. For security reasons, I would recommend setting at least the `access_key` and `secret_key` parameters as environment variables instead of writing them to the Terraform file. For the credentials, it is required to create an App Key on Backblaze. After creating the Key the `keyName` need to be used as `access_key` and `applicationKey` as `secret_key`.
That's basically all. If you want to go a step further, it is possible to save the state encrypted with [Server-Side Encryption](https://www.backblaze.com/b2/docs/server_side_encryption.html) (SSE). There are two options available. The first is `SSE-B2`, where the key is managed and stored by Backblaze, which is quiet simple to configure. The second option is to use customer managed keys. Using this option, an AES-256 and base64 encoded key is used. To generate a proper key, the command `openssl rand -base64 32` can be used.
To enable encryption in the Terraform Provider, the configuration must be extended:
```Terraform
terraform {
backend "s3" {
...
encrypt = true
sse_customer_key = "fsRb1SXBjiUqBM0rw/YqvDixScWnDCZsK7BhnPTc93Y="
}
}
```