ideas/mars.md


2018-09-28 19:31:46 +00:00
# Mars: Terraform Remote HTTP Backend with End-to-End encryption :gift:
A fork of Terraform's HTTP backend (<https://www.terraform.io/docs/backends/types/http.html>) that changes the configuration format to:
```hcl
terraform {
  backend "mars" {
    address        = "https://mars.com/03fa43d6-adbe-4e03-8e25-ffdf8a3e456a"
    encryption_key = "${var.MARS_ENCRYPTION_KEY}"
  }
}
```
The stock backend's `lock_address` and `unlock_address` are dropped and inferred from `address`. Because the state is encrypted on the client before it is uploaded, the service can be public: the backend only needs to be simple, dumb blob storage (back it with S3, perhaps) and never sees the key. One caveat: Terraform does not allow interpolation inside a `backend` block, so in practice `encryption_key` has to be supplied via partial configuration (`terraform init -backend-config=...`) or an environment variable rather than `${var.MARS_ENCRYPTION_KEY}`.
## Why
- For casual projects, Terraform Enterprise is too much
- Keeping the Terraform state store on separate infrastructure makes sense
- Not everyone has S3 available
- Just share your UUID and the encryption key with your teammates (both are secrets: the UUID is the only thing standing between a stranger and your blob, and the key is what keeps that blob unreadable)
## Backend
Needs to be a public good with restrictions:
1. Reasonable rate limits
2. File size limits
3. Restrict by Terraform user agent, because why not (trivially spoofed, so a nuisance filter rather than access control)
4. Block unencrypted data from being stored (the server holds no key, so it can only check shape, e.g. reject anything that parses as plaintext JSON state)
## Extras
- This needs to be highly available if folks are going to use it
- Use NaCl (`secretbox`) for the crypto
- Support a breakdown into `read_encryption_key` and `write_encryption_key` for key rotation: new state is written under the write key, reads try the write key first and fall back to the read key, so keys can be rolled without a flag day
- The encryption parts can perhaps be merged upstream
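To make the client and server halves of this design concrete, here is an added example that is not code from the mars idea or from Terraform's HTTP backend. It covers the lock-address inference, the server-side "block unencrypted data" and size checks from the Backend section, and the read/write key split for rotation from the Extras. It uses AES-256-GCM from Go's standard library in place of the NaCl secretbox the note proposes, so it runs without extra modules; the `MARS1` envelope header, the `/lock` path and the SHA-256 key normalisation are assumptions made for the example.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
)

// Envelope layout stored at the backend (assumed format, not a mars spec):
//   "MARS1" | 12-byte nonce | AES-256-GCM ciphertext + 16-byte tag
// The fixed header lets a dumb blob store reject anything the client
// did not wrap, without the server holding any key.
var magic = []byte("MARS1")

const (
	nonceLen = 12
	tagLen   = 16
)

// deriveKey normalises the shared secret from the backend config to a
// 32-byte AES key. The secret is expected to be high-entropy and random;
// SHA-256 only fixes the length here, it is not a password KDF.
func deriveKey(secret string) []byte {
	k := sha256.Sum256([]byte(secret))
	return k[:]
}

func newAEAD(secret string) (cipher.AEAD, error) {
	block, err := aes.NewCipher(deriveKey(secret))
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts a Terraform state blob under the write key before upload.
func Seal(writeKey string, state []byte) ([]byte, error) {
	aead, err := newAEAD(writeKey)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	out := append([]byte{}, magic...)
	out = append(out, nonce...)
	// The header is bound as associated data so it cannot be swapped.
	return aead.Seal(out, nonce, state, magic), nil
}

// Open decrypts an envelope, trying keys in order: the current write key
// first, then older read keys. That is what the read/write split needs
// during rotation: new writes use the new key, old blobs still open.
func Open(keys []string, blob []byte) ([]byte, error) {
	if !bytes.HasPrefix(blob, magic) {
		return nil, errors.New("not a mars envelope")
	}
	body := blob[len(magic):]
	if len(body) < nonceLen+tagLen {
		return nil, errors.New("envelope too short")
	}
	var lastErr error
	for _, k := range keys {
		aead, err := newAEAD(k)
		if err != nil {
			return nil, err
		}
		pt, err := aead.Open(nil, body[:nonceLen], body[nonceLen:], magic)
		if err == nil {
			return pt, nil
		}
		lastErr = err
	}
	return nil, fmt.Errorf("no key opened the envelope: %w", lastErr)
}

// AcceptBlob is the server-side gate for "block unencrypted data" and the
// size limit. A keyless store can only check shape, so it rejects blobs
// that parse as plaintext JSON state or lack a well-formed envelope.
func AcceptBlob(blob []byte, maxBytes int) error {
	if len(blob) > maxBytes {
		return errors.New("blob exceeds size limit")
	}
	if json.Valid(blob) {
		return errors.New("plaintext JSON state rejected")
	}
	if !bytes.HasPrefix(blob, magic) || len(blob) < len(magic)+nonceLen+tagLen {
		return errors.New("not a mars envelope")
	}
	return nil
}

// LockAddress derives the lock endpoint from the state address, the
// inference the note describes (assumed layout: <address>/lock).
func LockAddress(address string) string { return address + "/lock" }

func main() {
	state := []byte(`{"version":4,"resources":[]}`) // constructed sample state
	blob, _ := Seal("new-key", state)
	fmt.Println(AcceptBlob(blob, 1<<20))      // <nil>
	fmt.Println(AcceptBlob(state, 1<<20))     // plaintext JSON state rejected
	pt, _ := Open([]string{"old-key", "new-key"}, blob)
	fmt.Println(bytes.Equal(pt, state))       // true
	fmt.Println(LockAddress("https://mars.com/03fa43d6-adbe-4e03-8e25-ffdf8a3e456a"))
}
```

The key-ordering in `Open` is the whole rotation story: teammates first get the new key as `write_encryption_key` while the old one stays as `read_encryption_key`, then a `terraform apply` rewrites the state under the new key, after which the old key can be dropped.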