How to restrict "prod" TF state files from being read

aservedio · April 24, 2022, 4:12pm

Hello,

So I have been starting to use gitlab-managed terraform state. I use multiple state files for each environment a module is deployed to. (Prod, staging, review/*), and it’s working amazingly well!

Now I’m looking at the security aspect of this flow. I think I read every GitLab doc on the subject so far, and from what I gather it seems every members of a gitlab project with the developer role, can read every state files stored in a project.

My question: Is there any way that I can prevent my “prod” TF State files from being read by non-maintainers for example or tie it up with protected environments?

Thanks!

snim2 · April 24, 2022, 6:11pm

Yes, you can turn your files into CI variables, which would be scoped by environment. Only maintainers and upwards would be able to read / change the variables.

aservedio · April 24, 2022, 6:29pm

Yes, can I do the same that you can do with CI variables, but with terraform state files?

(I doubt you mean that I can put state file in CI vars)

snim2 · April 24, 2022, 6:46pm

So, you can put any file into a CI var; is there something about Terraform files that makes them different to other text files?

aservedio · May 4, 2022, 5:39pm

Absolutely. This is why there’s a “GitLab-managed Terraform state” feature with it’s own api.