Announcing Private Plan Storage
Malcolm Matalka
Why User Defined Plan Storage
Executing an OpenTofu or Terraform plan operation produces a plan file. This file describes the changes that will be made to your infrastructure and needs to be stored somewhere between the plan and apply operations. Plan files may contain sensitive data, such as passwords.
By default, Terrateam stores the plan in its backend. We take the following steps to secure the plan file:
- Plan files are encrypted
- Plan files are deleted as soon as they are used in an apply operation
- Plan files are expired and deleted after 14 days
Customer control
Some customers want more control over where these files are stored. One of the core Terrateam values is to do right by our customers. Part of that position is our stance on security: we want to have as little access as possible to sensitive customer information. For example, leveraging GitHub Secrets means we never need to store customer secrets on our infrastructure.
Announcing Plan Storage
Customers can now specify where their OpenTofu and Terraform plan files are stored.
How it works
There is a new section, storage, in the Terrateam configuration file .terrateam/config.yml.
Default configuration
The default configuration will safely store your encrypted plan files on the Terrateam infrastructure.
S3 configuration
If you want to store plan files in a private S3 bucket, your configuration would look something like the following:
The configuration above would store all Terrateam-produced plan files in a private S3 bucket called my-plan-bucket.
Custom configuration
The cmd method is the most versatile, as it allows specifying any command to run to store, fetch, and delete a plan.
Here’s an example using the cmd method to implement s3 storage.
This is essentially what happens in our code when someone uses the s3 method.
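As an added illustration (not Terrateam's own code or configuration), the following POSIX shell script shows the three operations a cmd-style storage command has to provide (store, fetch, delete) implemented against a private S3 bucket with the AWS CLI; the PLAN_BUCKET, PLAN_ID and AWS variable names and the object-key layout are assumptions.

```shell
#!/bin/sh
# Constructed example of a plan-storage command: store|fetch|delete a plan in S3.
# Usage: plan-store.sh store <plan-id> <local-plan-file>
#        plan-store.sh fetch <plan-id> <local-destination>
#        plan-store.sh delete <plan-id>
# Assumptions (hypothetical): the bucket name comes from PLAN_BUCKET and the
# plan id is a unique per-run string such as "<repo>/<pr>/<dir>/<workspace>".
set -eu

: "${PLAN_BUCKET:=my-plan-bucket}"
: "${AWS:=aws}"   # command used to talk to S3; can be pointed at a stub for testing

# Object key for a plan. Keeping all plans under one prefix lets the bucket
# policy grant the CI identity access to that prefix only.
plan_key() {
    printf 'plans/%s/plan.tfplan' "$1"
}

# Upload the plan; request server-side encryption so the object is never stored
# in the clear at rest.
store_plan() {   # $1 = plan id, $2 = local plan file
    [ -f "$2" ] || { echo "no such plan file: $2" >&2; return 1; }
    "$AWS" s3 cp "$2" "s3://$PLAN_BUCKET/$(plan_key "$1")" --sse AES256
}

# Download the plan to the path Terrateam will hand to the apply step.
fetch_plan() {   # $1 = plan id, $2 = local destination
    "$AWS" s3 cp "s3://$PLAN_BUCKET/$(plan_key "$1")" "$2"
}

# Remove the plan once it has been applied (or the run is abandoned).
delete_plan() {  # $1 = plan id
    "$AWS" s3 rm "s3://$PLAN_BUCKET/$(plan_key "$1")"
}

# Dispatch on the operation name; unknown operations are a hard error.
run_plan_op() {
    case "$1" in
        store)  store_plan "$2" "$3" ;;
        fetch)  fetch_plan "$2" "$3" ;;
        delete) delete_plan "$2" ;;
        *) echo "unknown operation: $1" >&2; return 2 ;;
    esac
}

if [ "$#" -gt 0 ]; then run_plan_op "$@"; fi
```

A lifecycle rule on the bucket prefix can mirror the 14-day expiry the default backend applies, so a plan that is never applied does not linger.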
Documentation
For more information see the documentation.
Join the Terrateam Slack if you have any questions, comments, or suggestions.