terraform: use http backend with vault/openbao secret transit engine instead of unencrypted s3 bucket #216

Open
opened 2025-05-11 17:00:43 +00:00 by emilylange · 0 comments
Owner

Could be considered part of #156.

Terraform state tends to be very sensitive and should not be stored unencrypted, even if the s3 bucket may be trusted.

Instead, we want to use https://github.com/nimbolus/terraform-backend with the HashiCorp Vault Transit engine, local storage (fs), in-memory lock backend (local map) and OIDC for auth.
We can always migrate the state and locks to something else like postgres later with ease.

See https://github.com/nimbolus/terraform-backend/tree/main/docs for the documentation on each of the items listed.

terraform-backend should be put right next to openbao, which, at the time of writing, is on build-coord (hydra).

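What the Terraform side of the proposed setup would look like, as an added example that is not part of the issue above and not taken from the terraform-backend project. It only uses the arguments Terraform's built-in `http` backend actually accepts; the hostname and the `/state/infra` path are placeholders (the real URL layout and the auth token format come from terraform-backend's own docs, linked in the issue):

```hcl
# Added example: Terraform client configuration for a terraform-backend
# deployment. Only the server ever touches the Vault/OpenBao transit key;
# the client just speaks plain HTTP(S) to the backend.
terraform {
  backend "http" {
    # Placeholder address (assumption): the host and path scheme depend on
    # how terraform-backend is deployed and are not given in the issue.
    address        = "https://terraform-backend.example.invalid/state/infra"
    lock_address   = "https://terraform-backend.example.invalid/state/infra"
    unlock_address = "https://terraform-backend.example.invalid/state/infra"

    # Defaults of the http backend, spelled out for clarity.
    update_method = "POST"
    lock_method   = "LOCK"
    unlock_method = "UNLOCK"

    # Do not hard-code credentials here. Supply them at runtime through
    # TF_HTTP_USERNAME / TF_HTTP_PASSWORD (for OIDC auth the password slot
    # carries the token; its exact form is defined by terraform-backend).

    # Leave skip_cert_verification at its default (false): the state is
    # only encrypted at rest by the server, so the transport must be TLS.
    retry_max      = 3
    retry_wait_min = 1
    retry_wait_max = 10
  }
}
```

Moving an existing state over is `terraform init -migrate-state` after switching the backend block; the encryption is transparent to Terraform, since terraform-backend wraps the state with the transit engine before writing it to its `fs` storage and unwraps it on read. Two things worth verifying on the server side: that the fs directory only ever contains ciphertext (a quick inspection of a written state file), and that the lock backend being an in-memory map means locks do not survive a restart of the terraform-backend process, which is acceptable for a single instance but is why the issue mentions migrating locks to postgres later.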
Reference: the-distro/infra#216