Is it safe to commit terraform.tfstate to git?

[schlichtanders]

Hi there, I have a couple of secrets which I use as sensitive variables in kube.tf

• hcloud_token
• etcd_s3_access_key
• etcd_s3_secret_key

I found at terraform docs that even sensitive variables are output into terraform.tfstate .
However inspecting it myself, I find none of the three.
Does someone know what is going on here with kube-hetzner and the respective security implications?

(From a maintenance perspective it would be great if the terraform.tfstate could be commited.)

[jr-dimedis]

In general it's not recommended to commit the tfstate File to git. Of course for the security reasons you mentioned. But more for organizational reasons: the file represents the "real world" and thus there can only be one version of this file. It makes no sense to store it in git, since all users working with Terraform must have the same identical file. There is no strategy to merge different versions - there can't be different versions of the "real world".

It is recommended to store this file in a central storage like S3 and ideally with encryption at rest, because of the sensitive information stored in there.

Terraform supports this for example with a "s3" backend. And if you don't like to use Amazon services you can host a S3 instance yourself with MinIO.

[mysticaltech]

@jr-dimedis We let terraform do its thing, the only thing we do is mark things like the Hetzner token as sensitive. I think @jr-dimedis comment is pretty accurate, probably best not to commit. Here's what GPT-4 has to say about this:

---

Terraform's state file, terraform.tfstate, is used to map resources to your infrastructure. By design, it might contain sensitive information, depending on what values you are using in your Terraform configuration. When you mark a variable as sensitive in your Terraform configuration, the value will be redacted from the CLI output, but it does not prevent the value from being stored in the state file.

Starting with Terraform 0.14, a new feature allows you to mark specific values in the configuration as being "sensitive", which will cause Terraform to redact that value from the CLI output. However, this doesn't affect the storage of these values in the state.

However, you mentioned you are not seeing these secrets in your terraform.tfstate file. If these values are used only as input to a Kubernetes Secret (or similar object) and not attached to any other Terraform-managed resources, then they wouldn't necessarily appear in the state file. The state file only needs to contain the information necessary for Terraform to manage and update resources. If the sensitive values are used only to create other resources, but not directly attached to any Terraform resources, then they don't need to be stored in the state file.

Here are some options for managing state files with sensitive data:

1. Remote State: Terraform can store state remotely in a variety of backends like HashiCorp's Terraform Cloud, AWS S3, Google Cloud Storage, Azure Blob Storage, and others. With remote state, only the people who have access to the backend will have access to the state.

2. Encrypt the State File: If you are storing the state file in an object storage service like AWS S3, you can use server-side encryption to ensure that the state file is encrypted at rest.

3. State File Permissions: Ensure that the file permissions for your state file are properly set so that only the necessary people can read or write to the state file.

4. Avoid Storing Secrets in State: If possible, avoid storing secrets as part of your infrastructure code. Instead, consider using a secrets manager like HashiCorp Vault, AWS Secrets Manager, or Google Secret Manager to manage your secrets.

It's generally not recommended to commit your terraform.tfstate file into version control, especially if it contains sensitive information. This is because it's easy to accidentally expose the state file, and because state files can become large and make the repository unwieldy. Instead, consider using one of the strategies mentioned above to manage your state file.