How to restrict "prod" TF state files from being read


So I have been starting to use gitlab-managed terraform state. I use multiple state files for each environment a module is deployed to. (Prod, staging, review/*), and it’s working amazingly well!

Now I’m looking at the security aspect of this flow. I think I have read every GitLab doc on the subject so far, and from what I gather it seems every member of a GitLab project with the Developer role can read every state file stored in the project.

My question: Is there any way that I can prevent my “prod” TF state files from being read by non-maintainers, for example, or tie this to protected environments?


Yes, you can turn your files into CI variables, which would be scoped by environment. Only maintainers and upwards would be able to read / change the variables.

Yes, but can I do the same thing that you can do with CI variables with Terraform state files?

(I doubt you mean that I can put a state file in CI vars.)

So, you can put any file into a CI var; is there something about Terraform files that makes them different from other text files?

Absolutely. This is why there’s a “GitLab-managed Terraform state” feature with its own API.