Announcing Private Plan Storage

Malcolm Matalka avatar

Malcolm Matalka

Cover for Announcing Private Plan Storage

Why User Defined Plan Storage

Executing an OpenTofu or Terraform plan operation produces a plan file. This file describes the changes that will be made to your infrastructure and needs to be stored somewhere between plan and apply operations. Plan files may contain sensitive data, such as passwords.

By default, Terrateam stores the plan in its backend. We take the following steps to secure the plan file:

  1. Plan files are encrypted
  2. Plan files are deleted as soon as they are used in an apply operation
  3. Plan files are expired and deleted after 14 days

Customer control

Some customers want more control as to where these files are stored. One of the core Terrateam values is to do right by our customers. Part of that position is our stance on security. We want to have as little access as possible to customer sensitive information. For example, leveraging GitHub Secrets allows us to never have the need to store customer secrets on our infrastructure.

Announcing Plan Storage

Customers can now specify where their OpenTofu and Terraform plan files are stored.

How it works

There is a new section storage in the Terrateam configuration file .terrateam/config.yml.

Default configuration

The default configuration will safely store your encrypted plan files on the Terrateam infrastructure.

storage:
plans:
method: terrateam

S3 configuration

If you want to store plan files on a private S3 bucket, your configuration would like something like the following:

storage:
plans:
method: s3
bucket: my-plan-bucket
region: us-east-1

The configuration above would store all Terrateam-produced plan files in a private S3 bucket called my-plan-bucket.

Custom configuration

The cmd method is the most versatile as it allows specifying any command to run to store, fetch, and delete a plan.

Here’s an example using the cmd method to implement s3 storage.

This is essentially what happens in our code when someone uses the s3 method.

storage:
plans:
method: cmd
delete: ['aws', 's3', 'rm', 's3://$PLAN_BUCKET/plans/$dir/$workspace/$date-$time-$token'],
fetch: ['aws', 's3', 'cp', 's3://$PLAN_BUCKET/plans/$dir/$workspace/$date-$time-$token', '$plan_dst_path'],
store: ['aws', 's3', 'cp', '$plan_path', 's3://$PLAN_BUCKET/plans/$dir/$workspace/$date-$time-$token'],

Documentation

For more information see the documentation.

Join the Terrateam Slack if you have any questions, comments, or suggestions.

Infrastructure as Code. Optimized.

Ready to get started?

Experience powerful infrastructure orchestration, seamlessly integrated with GitHub.