So I have been starting to use GitLab-managed Terraform state. I use multiple state files for each environment a module is deployed to (prod, staging, review/*), and it’s working amazingly well!
Now I’m looking at the security aspect of this flow. I think I have read every GitLab doc on the subject so far, and from what I gather it seems every member of a GitLab project with the Developer role can read every state file stored in the project.
My question: Is there any way I can prevent my “prod” TF state files from being read by non-maintainers, for example, or tie them to protected environments?
Yes, you can turn your files into CI variables, which would be scoped by environment. Only Maintainers and upwards would be able to read/change the variables.
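One way to wire up the pattern described in that answer, as an added `.gitlab-ci.yml` example that is not from the original thread: the prod state lives in a protected, environment-scoped File-type variable instead of the GitLab-managed backend, so only Maintainers can view it, and the job only runs on a protected branch. It assumes a variable `TF_STATE_PROD` (type File, scope `prod`, Protected), a Maintainer-owned access token in `TF_STATE_WRITER_TOKEN` with `api` scope, and a protected `main` branch; all of these names are assumptions.

```yaml
# Added example (not part of the original post). Assumed variables:
#   TF_STATE_PROD         File-type, environment scope "prod", Protected
#   TF_STATE_WRITER_TOKEN api-scope token, Protected + Masked, Maintainer-owned
# Because the job is limited to a protected branch and the variables are
# Protected, a Developer cannot trigger it or expose the variables from a
# feature branch. Note that Developers can still read job logs, so keep
# state contents out of stdout (no `terraform show`, no `cat` of the state).
stages: [deploy]

terraform_prod:
  stage: deploy
  image: hashicorp/terraform:1.6   # assumed image/version
  environment:
    name: prod                     # scopes $TF_STATE_PROD to this job only
  rules:
    - if: $CI_COMMIT_BRANCH == "main"   # protected branch only
      when: manual
  before_script:
    # A File-type variable is materialised on disk; the variable holds its path.
    - cp "$TF_STATE_PROD" terraform.tfstate
    - terraform init -input=false
  script:
    # Local backend; state is passed explicitly and never left in artifacts.
    - terraform plan -input=false -state=terraform.tfstate -out=plan.tfplan
    - terraform apply -input=false -state=terraform.tfstate plan.tfplan
  after_script:
    # Write the updated state back into the same environment-scoped variable.
    # filter[environment_scope] selects the "prod" copy of TF_STATE_PROD.
    - |
      curl --fail --silent --request PUT \
        --header "PRIVATE-TOKEN: $TF_STATE_WRITER_TOKEN" \
        --form "value=<terraform.tfstate" \
        --form "filter[environment_scope]=prod" \
        "$CI_API_V4_URL/projects/$CI_PROJECT_ID/variables/TF_STATE_PROD" \
        > /dev/null
    - rm -f terraform.tfstate plan.tfplan
```

Pairing the `prod` environment with a protected environment (Maintainers only as allowed deployers) adds a second gate on who can run the job at all; the variable write-back is the part to verify carefully, since a failed `PUT` means the next run starts from stale state.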