Integrated Terraform State Backend #285
base: develop
Previous version had compatibility issues with the latest version of lsof on MacOS.
This should be handled in secrethub-go instead.
Backend now returns an error when invoked on Windows 386. Support can be added later.
We'd love to get your feedback on this! If you don't want to build the binary yourself, here they are for your convenience:
return b.respondError(http.StatusUnauthorized, "password stored at %s should be set as auth password", passwordPath), nil
}
if password != secret {
return b.respondError(http.StatusForbidden, "provided password does not password stored at %s", passwordPath), nil
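Review bot: the `password != secret` check on the third line is a plain string comparison of the client-supplied value against the password stored at passwordPath; a comparison whose duration depends on how many leading bytes match can leak the secret to a client that measures response times. Use `subtle.ConstantTimeCompare([]byte(password), []byte(secret)) != 1` from crypto/subtle instead. Distinguishing a missing password (StatusUnauthorized) from a wrong one (StatusForbidden) is fine, since only the secret's path, not its value, appears in either message.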
provided password does not password stored at %s
=> provided password does not match the password stored at %s
Good catch 👌
Here is my feedback when I try to use this backend:
The error message is confusing.
When trying to overwrite existing key with the one which was produced and stored locally (
As a solution for this, maybe
That's it for now :) Let me know when an update is coming.
Thanks a lot for the feedback @antonbabenko! Seems like you did some really thorough testing 😀
I think you already figured out that we're a little bound to what we can do with the HTTP State Backend; that's why the
An explicit check for the existence of the directory will probably make this a bit more user-friendly.
Hmm. That's an interesting question. The reason for using a directory as input instead of the path to the secret where the state is stored, is that this directory is both used to store the state and the lock. I do not directly see a way around that. What would happen if you used the same S3 path for 2 different Terraform projects? Is that different from how this works? Or is it mainly that there is some confusion from the
You mean that it would be better to also print
Or.. are you running
To conclude: really great feedback! I'll get to work on the above points in the near future. Though I cannot precisely say when, I will let you know once a new iteration is done. One important question that's still on my mind: if we do some iterations (starting with the points you mentioned), how usable would you find it?
@antonbabenko I've just updated the error message you describe in point 1 and have introduced an explicit check for the existence of the given directory, which should help with point 3. Here is the new build:
Nice! I will try to take a look at this release and comment during next week. |
This is an MVP of integrating a tfstate backend into the secrethub run command. It can be used by configuring the following backend in terraform:

The state is served by wrapping Terraform commands in secrethub run --tfstate. For example:

This opens up an HTTP endpoint that Terraform can connect to. This HTTP endpoint can only be connected to from processes that are a child of secrethub run. In other words: it should not be possible for another process than Terraform to connect to this endpoint and read/write the state.

Though not strictly necessary, it is also possible to set a password on the listener. If the secret path/to/state/directory/password exists, the value of it must be set in the password field of the Terraform backend. If this secret does not exist, the password field can be omitted.
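As an added example, not code from this PR or from secrethub, the Go program below sketches the listener behaviour the description lays out: the verbs Terraform's http backend uses (GET and POST for the state, LOCK and UNLOCK for the lock), and the optional password, which is enforced only when the password secret exists, is expected as the HTTP basic-auth password, and yields 401 when omitted and 403 when wrong. The secret path string is the placeholder from the description; the password value, the listen address and the in-memory storage are assumptions made for the example, and the comparison is constant-time rather than a plain `!=`.

```go
package main

import (
	"crypto/subtle"
	"fmt"
	"io"
	"net/http"
	"sync"
)

// passwordPath is the placeholder secret path used in the PR description.
const passwordPath = "path/to/state/directory/password"

// StateBackend is an in-memory stand-in for the HTTP state backend described in
// the PR. It is illustrative code for this page, not secrethub's implementation.
type StateBackend struct {
	mu       sync.Mutex
	state    []byte
	lockID   string
	password string // "" models "the password secret does not exist": no auth is required
}

func NewStateBackend(password string) *StateBackend {
	return &StateBackend{password: password}
}

// checkPassword returns (0, "") when the request may proceed, otherwise the
// HTTP status and message to send. ConstantTimeCompare is used so that the time
// taken to reject a wrong password does not depend on how many bytes matched.
func (b *StateBackend) checkPassword(r *http.Request) (int, string) {
	if b.password == "" {
		return 0, ""
	}
	_, provided, ok := r.BasicAuth()
	if !ok || provided == "" {
		return http.StatusUnauthorized,
			fmt.Sprintf("password stored at %s should be set as auth password", passwordPath)
	}
	if subtle.ConstantTimeCompare([]byte(provided), []byte(b.password)) != 1 {
		return http.StatusForbidden,
			fmt.Sprintf("provided password does not match the password stored at %s", passwordPath)
	}
	return 0, ""
}

// ServeHTTP handles the verbs Terraform's http backend sends by default.
func (b *StateBackend) ServeHTTP(w http.ResponseWriter, r *http.Request) {
	if code, msg := b.checkPassword(r); code != 0 {
		http.Error(w, msg, code)
		return
	}
	b.mu.Lock()
	defer b.mu.Unlock()
	switch r.Method {
	case http.MethodGet:
		if b.state == nil {
			w.WriteHeader(http.StatusNotFound) // no state yet: Terraform treats this as empty
			return
		}
		w.Write(b.state)
	case http.MethodPost:
		body, err := io.ReadAll(r.Body)
		if err != nil {
			http.Error(w, "cannot read state", http.StatusBadRequest)
			return
		}
		b.state = body
	case "LOCK":
		info, _ := io.ReadAll(r.Body) // Terraform sends lock info as JSON; stored opaquely here
		if b.lockID != "" {
			http.Error(w, "state is already locked", http.StatusConflict)
			return
		}
		b.lockID = string(info)
	case "UNLOCK":
		b.lockID = ""
	default:
		w.WriteHeader(http.StatusMethodNotAllowed)
	}
}

// LockHeld reports whether a LOCK is currently outstanding.
func (b *StateBackend) LockHeld() bool {
	b.mu.Lock()
	defer b.mu.Unlock()
	return b.lockID != ""
}

func main() {
	// "s3cret" and the listen address are constructed values for this example.
	b := NewStateBackend("s3cret")
	fmt.Println("listening on 127.0.0.1:8000")
	http.ListenAndServe("127.0.0.1:8000", b)
}
```

Against this listener, a Terraform backend "http" block whose address, lock_address and unlock_address point at the listener URL and whose password field holds the secret's value will read and write state; omitting the password field produces a 401 and a wrong value a 403, matching the behaviour the description gives. The restriction to child processes of secrethub run is not modelled here: an example that binds a port is reachable by any local process, which is exactly why the PR adds the password as a second layer.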