{"id":26059671,"url":"https://github.com/orange-cloudfoundry/terraform-secure-backend","last_synced_at":"2025-04-11T06:50:17.658Z","repository":{"id":41186722,"uuid":"105177042","full_name":"orange-cloudfoundry/terraform-secure-backend","owner":"orange-cloudfoundry","description":"An http backend which store and retrieve tfstates files in a secure way by encrypt/decrypt them through credhub","archived":false,"fork":false,"pushed_at":"2019-02-26T15:17:41.000Z","size":4737,"stargazers_count":35,"open_issues_count":1,"forks_count":5,"subscribers_count":6,"default_branch":"master","last_synced_at":"2025-03-25T04:41:31.517Z","etag":null,"topics":["credhub","http-backend","terraform","terraform-backend"],"latest_commit_sha":null,"homepage":null,"language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/orange-cloudfoundry.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2017-09-28T17:13:27.000Z","updated_at":"2024-02-23T20:59:48.000Z","dependencies_parsed_at":"2022-09-16T23:12:17.728Z","dependency_job_id":null,"html_url":"https://github.com/orange-cloudfoundry/terraform-secure-backend","commit_stats":null,"previous_names":[],"tags_count":5,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/orange-cloudfoundry%2Fterraform-secure-backend","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/orange-cloudfoundry%2Fterraform-secure-backend/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/orange-cloudfoundry%2Fterraform-secure-backend/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/
repositories/orange-cloudfoundry%2Fterraform-secure-backend/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/orange-cloudfoundry","download_url":"https://codeload.github.com/orange-cloudfoundry/terraform-secure-backend/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":248358548,"owners_count":21090401,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["credhub","http-backend","terraform","terraform-backend"],"created_at":"2025-03-08T13:27:30.954Z","updated_at":"2025-04-11T06:50:17.635Z","avatar_url":"https://github.com/orange-cloudfoundry.png","language":"Go","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Terraform-secure-backend [![Build Status](https://travis-ci.org/orange-cloudfoundry/terraform-secure-backend.svg?branch=master)](https://travis-ci.org/orange-cloudfoundry/terraform-secure-backend)\n\nAn [http backend](https://www.terraform.io/docs/backends/types/http.html) which stores and retrieves tfstate files in a secure and encrypted way through [credhub](https://github.com/cloudfoundry-incubator/credhub).\n\nWhen a file is too large for the database used by credhub, it is split into parts and gzipped before being sent to credhub, and the final file is rebuilt when it is retrieved from credhub. 
\n\nThis backend supports [state locking](https://www.terraform.io/docs/state/locking.html).\n\n## Boshrelease\n\nYou can deploy this backend with the associated boshrelease: https://github.com/orange-cloudfoundry/terraform-secure-backend-release/\n\n## Installation\n\nThe installer will place the latest release binary in your current working directory.\n\n### On *nix systems\n\nYou can install this via the command line with either `curl` or `wget`.\n\n#### via curl\n\n```bash\n$ bash -c \"$(curl -fsSL https://raw.github.com/orange-cloudfoundry/terraform-secure-backend/master/bin/install.sh)\"\n```\n\n#### via wget\n\n```bash\n$ bash -c \"$(wget https://raw.github.com/orange-cloudfoundry/terraform-secure-backend/master/bin/install.sh -O -)\"\n```\n\n### On Windows\n\nYou can install it by downloading the `.exe` corresponding to your CPU from the releases page: https://github.com/orange-cloudfoundry/terraform-secure-backend/releases .\nAlternatively, if you have a terminal that interprets shell, you can also use the command-line scripts above; they will download the file into your current working directory.\n\n## Commands\n\n```\nNAME:\n   terraform-secure-backend - An http server to store terraform state file securely\n\nUSAGE:\n   terraform-secure-backend [global options] command [command options] [arguments...]\n\nVERSION:\n   1.0.0\n\nCOMMANDS:\n     help, h  Shows a list of commands or help for one command\n\nGLOBAL OPTIONS:\n   --config-path value, -c value  Path to the config file (default: \"backend-config.yml\")\n   --help, -h                     show help\n   --version, -v                  print the version\n```\n\n## Run it\n\nThere are two different ways to run the server:\n1. [In local](#in-local)\n2. [In a cloud](#in-a-cloud) through [gautocloud](https://github.com/cloudfoundry-community/gautocloud) (run this server with ease on Kubernetes, CloudFoundry or Heroku)\n\n### In local\n\n1. 
Create a `backend-config.yml` file where you want to run your server, following this schema:\n\n```yaml\nhost: 0.0.0.0 # can be 127.0.0.1 too\nport: 8080 # port to listen on\nchunk_size: ~ # Chunk size in number of bytes used to split your tfstate inside credhub to work around the database limit (Default: 60000)\nbase_path: /terraform-secure-backend/tfstate/pouet # Create a unique path for your tfstate on credhub\ncert: ~ # Set a path or pem cert string certificate to run your server with TLS (ignored if lets_encrypt_domains is set)\nkey: ~ # Set a path or pem key string certificate to run your server with TLS (ignored if lets_encrypt_domains is set)\nlog_level: ~ # Verbosity, can be info, debug, warning, error\nlog_json: false # set to true to see logs as json instead of plain text (useful for logsearch)\nno_color: false # set to true to not have color (this cannot be used when log_json is set to true)\nlets_encrypt_domains: [] # Set one or more domain names to acquire a certificate from Let's Encrypt\nusername: user # basic auth username to secure access to this app\npassword: password # basic auth password to secure access to this app\nshow_error: true # If true, error details will be shown in the web page as json when an error occurs\n\ncredhub_server: path.to.my.credhub.com # path to your credhub server (note https is enforced)\ncredhub_username: credhub_user # a UAA username with credhub.read and credhub.write scopes (this can be empty if credhub_client and credhub_secret are set)\ncredhub_password: credhub_password # the UAA password of a user with credhub.read and credhub.write scopes (this can be empty if credhub_client and credhub_secret are set)\ncredhub_client: ~ # a UAA client_id with credhub.read and credhub.write scopes (this can be empty if credhub_username and credhub_password are set)\ncredhub_secret: ~ # the UAA client secret of a client with credhub.read and credhub.write scopes (this can be empty if credhub_username and credhub_password are set)\ncredhub_ca_cert: ~ # You can set the credhub 
ca_cert here if it's a self-signed certificate\nskip_ssl_validation: false # set to true to skip ssl validation when connecting to your credhub (prefer credhub_ca_cert for security reasons)\ncef: false # set to true to enable security events in Common Event Format\ncef-file: ~ # set a path to a file in which to store security events in Common Event Format\nauth-url: ~ # specifies the authentication server for the OAuth strategy. If auth-url provided, the auth-url will be fetched from credhub server /info.\ndry-run: false # set to true to not send the state file to credhub\n```\n\n2. Run `./terraform-secure-backend` in your terminal; the server is now started.\n\n### In a cloud\n\n#### On CloudFoundry\n\n1. Create a cups service named `.*config` with the same credentials as set in the yaml, for example:\n```json\n{\n  \"name\": \"terraform-secure\",\n  \"credhub_server\": \"path.to.my.credhub.com\",\n  \"credhub_username\": \"credhub_user\",\n  \"credhub_password\": \"credhub_password\"\n}\n```\n2. 
Bind it to your terraform-secure-backend instance\n\n#### On Heroku or Kubernetes\n\nAdd env vars following this format: `.*CONFIG_OPTION`, for example:\n\n```bash\nBACKEND_CONFIG_NAME=\"terraform-secure\"\nBACKEND_CONFIG_CREDHUB_SERVER=\"path.to.my.credhub.com\"\nBACKEND_CONFIG_CREDHUB_USERNAME=\"username\"\nBACKEND_CONFIG_CREDHUB_PASSWORD=\"password\"\nBACKEND_CONFIG_LETS_ENCRYPT_DOMAINS=\"mydomain1.com,mydomain2.com\"\n```\n\n## Usage in your terraform\n\nAdd a new http backend to your `.tf` file (**Note**: `\u003cdeployment name\u003e` can be whatever you want, preferably a name that represents your deployment):\n\n```hcl\nterraform {\n  backend \"http\" {\n    address = \"https://path.to.my.secure.backend.com/states/\u003cdeployment name\u003e\"\n    lock_address = \"https://path.to.my.secure.backend.com/states/\u003cdeployment name\u003e\"\n    unlock_address = \"https://path.to.my.secure.backend.com/states/\u003cdeployment name\u003e\"\n    username = \"user\"\n    password = \"password\"\n  }\n}\n```\n\n## API\n\nThe API implements the terraform [http backend API](https://www.terraform.io/docs/backends/types/http.html) on each `https://path.to.my.secure.backend.com/states/\u003cdeployment name\u003e`.\n\nYou can list all tfstates stored by calling: `https://path.to.my.secure.backend.com/states`\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Forange-cloudfoundry%2Fterraform-secure-backend","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Forange-cloudfoundry%2Fterraform-secure-backend","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Forange-cloudfoundry%2Fterraform-secure-backend/lists"}