Terraform HTTP Backend

A state backend server that implements the Terraform HTTP backend API. This server does not handle authentication and should be used behind a reverse proxy (like nginx).

The server is rather an experiment in writing HTTP servers in C++. It is probably OK for hobby usage but not for mission-critical applications.

Build

tl;dr: see Dockerfile.

1. Install required dependencies: clang++ or g++, cmake, make.
2. Install optional dependencies: libev, ada, nanodbc, llhttp, json, libretls.
3. If you don't install the optional dependencies, the system will try to download and build them. In this case, it may need git, python3, python3-whichcraft (for Ada), unixodbc (for nanodbc), and openssl (for LibreTLS). See Dockerfile for details.
4. Build: cmake -B build -DCMAKE_BUILD_TYPE=MinSizeRel && cmake --build build.

Usage

The following environment variables control the server:

• TFHTTP_ADDRESS: IP address the server will listen on. The default value is 0.0.0.0 (listen on all IP‌ addresses).
• TFHTTP_PORT: port the server will listen on. The default value is 3000.
• TFHTTP_DSN: the data source name to request a connection to an ODBC Data Source. By default, it is Driver={SQLite3};Database=:memory: (an in-memory SQLite3 database that does not survive application restarts). You will need to have the corresponding ODBC connector installed.
• TFHTTP_HTTPS: set to 1 to enable HTTPS.
• TFHTTP_CERTIFICATE: path to the TLS certificate.
• TFHTTP_PRIVATE_KEY: path to the TLS certificate key.
• TFHTTP_CA_CERTIFICATE: path to the CA certificate.
• TFHTTP_TRUSTED_CERTIFICATE: path to the trusted certificate (used for OCSP stapling).
• TFHTTP_TLS_PROTOCOLS: a comma- or colon-delimited list of the TLS‌ protocols to use. The valid values are tlsv1.0, tlsv1.1, tlsv1.2, tlsv1.3, all, default, legacy, secure. See tls_config_parse_protocols(3).
• TFHTTP_TLS_CIPHERS: list of the allowed ciphers. The valid values are secure, default, compat, legacy, insecure, all, or a libssl ciper string. See tls_config_set_ciphers(3).
• TFHTTP_TLS_CURVES: a comma-separated list of the elliptic curves used during ECDHE key exchange. See tls_config_set_ecdhecurves(3).
• TFHTTP_TLS_VERIFY_CLIENT: set to 1 to enable client certificate verification, requiring the client to send a certificate.
• TFHTTP_TLS_ENABLE_DHE: set to 1 to enable DHE key exchange.

Endpoints

The server provides the following endpoints:

• GET /:project/state: fetch Terraform state for the given project. The state will be created if it does not exist.
• POST /:project/state: save Terraform state for the given project.
• DELETE /:project/state: delete Terraform state for the given project.
• LOCK /:project: lock state.
• UNLOCK /:project: unlock state.

:project is an alphanumeric string matching the [A-Za-z0-9_-]+ regular expression. This makes is possible to use this server for multiple Terraform projects.

Sample Terraform Configuration

terraform {
  backend "http" {
    address = "http://127.0.0.1:3000/myproject/state"
    lock_address = "http://127.0.0.1:3000/myproject"
    unlock_address = "http://127.0.0.1:3000/myproject"
  }
}

(More details).