Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

backend/local: disable local backup of remote state #16464

Merged
merged 1 commit into from
Oct 28, 2017
Merged

backend/local: disable local backup of remote state #16464

merged 1 commit into from
Oct 28, 2017

Conversation

apparentlymart
Copy link
Contributor

Previously we forced all remote state backends to be wrapped in a BackupState wrapper that generates a local terraform.tfstate.backup file before updating the remote state.

This backup mechanism was motivated by allowing users to recover a previous state if user error caused an undesirable change such as loss of the record of one or more resources. However, it also has the downside of flushing a possibly-sensitive state to local disk in a location where users may not realize its purpose and accidentally check it into version control. Those using remote state would generally prefer that state never be flushed to local disk at all.

The use-case of recovering older states can be dealt with for remote backends by selecting a backend that has preservation of older versions as a first-class feature, such as S3 versioning or Terraform Enterprise's first-class historical state versioning mechanism.

There remains still one case where state can be flushed to local disk: if a write to the remote backend fails during terraform apply then we will still create the errored.tfstate file to allow the user to recover. This seems like a reasonable compromise because this is done only in an exceptional case, and the console output makes it very clear that this file has been created. There is no remote location where the result could be written in this case.

Fixes #15339.

@apparentlymart
backend/local: disable local backup of remote state
244131c 
Previously we forced all remote state backends to be wrapped in a
BackupState wrapper that generates a local "terraform.tfstate.backup"
file before updating the remote state.

This backup mechanism was motivated by allowing users to recover a
previous state if user error caused an undesirable change such as loss
of the record of one or more resources. However, it also has the downside
of flushing a possibly-sensitive state to local disk in a location where
users may not realize its purpose and accidentally check it into version
control. Those using remote state would generally prefer that state never
be flushed to local disk at all.

The use-case of recovering older states can be dealt with for remote
backends by selecting a backend that has preservation of older versions
as a first-class feature, such as S3 versioning or Terraform Enterprise's
first-class historical state versioning mechanism.

There remains still one case where state can be flushed to local disk: if
a write to the remote backend fails during "terraform apply" then we will
still create the "errored.tfstate" file to allow the user to recover. This
seems like a reasonable compromise because this is done only in an
_exceptional_ case, and the console output makes it very clear that this
file has been created.

Fixes #15339.
@apparentlymart apparentlymart self-assigned this Oct 26, 2017
@apparentlymart apparentlymart merged commit 671aace into master Oct 28, 2017
@tehmaspc
Copy link

Does the S3 backend currently check today if versioning is enabled on the bucket? And if not - tell the user? Just something to make using at least S3 buckets safer since versioning is not enabled by default.

@apparentlymart apparentlymart deleted the b-remote-state-backup branch February 5, 2018 19:17
@BhanuCh
Copy link

BhanuCh commented Feb 16, 2018

Is this issue fixed? does terraform still write terraform.tfstate.backup when remote state (s3)is enabled?

@ensonic
Copy link

ensonic commented May 2, 2019

Just updated to 0.11.13 but it still creates local tfstate.*.backup files. If this has only been applied to 0.12, I think it is worth a cherry pick due to security implication of local state.

@ghost
Copy link

ghost commented Jul 26, 2019

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@ghost ghost locked and limited conversation to collaborators Jul 26, 2019
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Reviewers

@jbardin jbardin jbardin approved these changes

Assignees

@apparentlymart apparentlymart

Labels
bug core
Projects
None yet
Milestone
No milestone
5 participants
@apparentlymart @tehmaspc @BhanuCh @ensonic @jbardin