When initalizing a Terraform backend, a .terraform/terraform.tfstate
file is written to disk and can include storage account secrets.
Include the Azure Storage key in the Terraform configuration.
Not ideal: the Storage access key is exposed both in the configuration and in the .terraform/terraform.tfstate
file.
Configuration:
terraform {
backend "azurerm" {
storage_account_name = "tstate"
container_name = "tstate"
key = "terraform.tfstate"
access_key = "<azure-storage-account-key>"
}
}
Init command:
terraform init
terraform.tfstate file, key is visible.
"backend": {
"type": "azurerm",
"config": {
"access_key": "<azure-storage-account-key>",
"container_name": "tstate",
"key": "terraform.tfstate",
"storage_account_name": "tstate"
},
"hash": 13235237982197025795
},
Use partial configuration and pass the Azure Storage key as a parameter to terraform init
.
Not ideal: The storage access key is still written to the .terraform/terraform.tfstate
file.
Configuration:
terraform {
backend "azurerm" {
storage_account_name = "tstate"
container_name = "tstate"
key = "terraform.tfstate"
}
}
Init command:
terraform init -backend-config="access_key=<azure-storage-account-key>"
terraform.tfstate file, key is visible.
"backend": {
"type": "azurerm",
"config": {
"access_key": "<azure-storage-account-key>",
"container_name": "tstate",
"key": "terraform.tfstate",
"storage_account_name": "tstate"
},
"hash": 13235237982197025795
},
Use partial configuration and put the Azure Storage access key in an environment variable named ARM_ACCESS_KEY
.
Most ideal: The storage access key is not written to the .terraform/terraform.tfstate file.
Configuration:
terraform {
backend "azurerm" {
storage_account_name = "tstate"
container_name = "tstate"
key = "terraform.tfstate"
}
}
Furthermore, keep the access key out of terminal history with Azure Key Vault.
ARM_ACCESS_KEY=$(az keyvault secret show --name tstate-key --vault-name billBooth --query value -o tsv)
Init command:
terraform init
terraform.tfstate file, key is not visible.
"backend": {
"type": "azurerm",
"config": {
"container_name": "tstate",
"key": "terraform.tfstate",
"storage_account_name": "tstate"
},
"hash": 3693603136239683338
},
You can also pass the access_key from a file
terraform init --backend-config=file_contalning_the_access_key.conf