Executing an OpenTofu or Terraform plan operation produces a plan file. This file describes the changes that will be made to your infrastructure and needs to be stored somewhere between apply operations. Plan files may contain sensitive data, such as passwords.
By default, Terrateam stores the plan in its backend. We take the following steps to secure the plan file:
Some customers want more control over where these files are stored. One of the core Terrateam values is to do right by our customers. Part of that position is our stance on security. We want to have as little access as possible to customer sensitive information. For example, leveraging GitHub Secrets means we never need to store customer secrets on our infrastructure.
Customers can now specify where their OpenTofu and Terraform plan files are stored. There is a new `storage` section in the Terrateam configuration file. The default configuration will safely store your encrypted plan files on the Terrateam infrastructure.
```yaml
storage:
  plans:
    method: terrateam
```
If you want to store plan files in a private S3 bucket, your configuration would look something like the following:
```yaml
storage:
  plans:
    method: s3
    bucket: my-plan-bucket
    region: us-east-1
```
The configuration above would store all Terrateam-produced plan files in a private S3 bucket.

The `cmd` method is the most versatile, as it allows specifying any command to run to store, fetch, and delete a plan.
Here's an example using the `cmd` method to implement S3 storage with the AWS CLI. This is essentially what happens in our code when someone uses the `s3` method:

```yaml
storage:
  plans:
    method: cmd
    delete: ['aws', 's3', 'rm', 's3://$PLAN_BUCKET/plans/$dir/$workspace/$date-$time-$token']
    fetch: ['aws', 's3', 'cp', 's3://$PLAN_BUCKET/plans/$dir/$workspace/$date-$time-$token', '$plan_dst_path']
    store: ['aws', 's3', 'cp', '$plan_path', 's3://$PLAN_BUCKET/plans/$dir/$workspace/$date-$time-$token']
```
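The three commands in a `cmd` configuration can be anything, so a custom backend is just a program that implements store, fetch, and delete against the same key layout. The script below is an added example written for this post, not Terrateam's code: it keeps plans under a local directory named by a `PLAN_BUCKET` environment variable (standing in for a bucket), writes each plan atomically with `0600` permissions because plans may contain secrets, refuses key components that could escape the `plans/` prefix, and returns a SHA-256 digest on store and fetch so the two can be compared. The hypothetical configuration that would invoke it is assumed to pass the template variables as positional arguments, for example `store: ['python3', 'plan_store.py', 'store', '$dir', '$workspace', '$date', '$time', '$token', '$plan_path']`; the argument order and the `plan_store.py` name are this example's assumptions.

```python
"""Hypothetical custom plan-store backend for Terrateam's `cmd` storage method.

Usage (assumed argument order, not a Terrateam convention):
  PLAN_BUCKET=/path/to/store plan_store.py store  DIR WORKSPACE DATE TIME TOKEN PLAN_PATH
  PLAN_BUCKET=/path/to/store plan_store.py fetch  DIR WORKSPACE DATE TIME TOKEN DST_PATH
  PLAN_BUCKET=/path/to/store plan_store.py delete DIR WORKSPACE DATE TIME TOKEN
"""
import hashlib
import os
import sys
import tempfile
from pathlib import Path


def plan_key(dir_: str, workspace: str, date: str, time: str, token: str) -> str:
    """Build the object key using the same layout as the S3 example above."""
    for part in (dir_, workspace, date, time, token):
        # A '$dir' may legitimately contain '/', but no component may be empty,
        # absolute, or contain a '..' segment that escapes the 'plans/' prefix.
        if not part or part.startswith("/") or ".." in part.split("/"):
            raise ValueError(f"unsafe key component: {part!r}")
    return f"plans/{dir_}/{workspace}/{date}-{time}-{token}"


def store(root: str, key: str, plan_path: str) -> str:
    """Copy the plan into the store; returns the SHA-256 hex digest of its bytes."""
    dest = Path(root) / key
    dest.parent.mkdir(parents=True, exist_ok=True)
    data = Path(plan_path).read_bytes()
    # Write to a temp file in the same directory, then rename, so a reader
    # never sees a partially written plan.
    fd, tmp = tempfile.mkstemp(dir=str(dest.parent), prefix=".tmp-")
    try:
        with os.fdopen(fd, "wb") as fh:
            fh.write(data)
        os.chmod(tmp, 0o600)  # plan files may contain secrets: owner-only
        os.replace(tmp, dest)
    except BaseException:
        if os.path.exists(tmp):
            os.unlink(tmp)
        raise
    return hashlib.sha256(data).hexdigest()


def fetch(root: str, key: str, dst_path: str) -> str:
    """Copy a stored plan to dst_path; returns its SHA-256 hex digest."""
    src = Path(root) / key
    if not src.is_file():
        raise FileNotFoundError(f"no stored plan at {key}")
    data = src.read_bytes()
    dst = Path(dst_path)
    dst.write_bytes(data)
    os.chmod(dst, 0o600)
    return hashlib.sha256(data).hexdigest()


def delete(root: str, key: str) -> bool:
    """Remove a stored plan; True if it existed, False if it was already gone."""
    try:
        (Path(root) / key).unlink()
        return True
    except FileNotFoundError:
        return False


def main(argv: list) -> int:
    root = os.environ.get("PLAN_BUCKET")
    if root is None or len(argv) < 6:
        print(__doc__, file=sys.stderr)
        return 2
    op, key, rest = argv[0], plan_key(*argv[1:6]), argv[6:]
    if op == "store" and len(rest) == 1:
        print(store(root, key, rest[0]))
        return 0
    if op == "fetch" and len(rest) == 1:
        print(fetch(root, key, rest[0]))
        return 0
    if op == "delete" and not rest:
        return 0 if delete(root, key) else 1
    print(__doc__, file=sys.stderr)
    return 2


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Because the script only ever touches keys under `plans/` inside `PLAN_BUCKET`, the process running it can be granted access to that one directory (or, with a real bucket, that one prefix) and nothing else, which is the least-privilege shape the `cmd` method makes possible.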
For more information see the documentation.
Join the Terrateam Slack if you have any questions, comments, or suggestions.