mirror of https://github.com/captn3m0/ideas.git
38 lines
1.2 KiB
Markdown
38 lines
1.2 KiB
Markdown
# Mars: Terraform Remote HTTP Backend with End-to-End encryption :gift:
|
|
|
|
A fork of <https://www.terraform.io/docs/backends/types/http.html>, which changes the configuration format to:
|
|
|
|
```hcl
|
|
terraform {
|
|
backend "mars" {
|
|
address = "https://mars.com/03fa43d6-adbe-4e03-8e25-ffdf8a3e456a"
|
|
encryption_key = "${var.MARS_ENCRYPTION_KEY}"
|
|
}
|
|
}
|
|
```
|
|
|
|
The lock/unlock address can be inferred. The service can be made public as well, since the backend just needs to be a simple/dumb storage for blobs (back it by S3 perhaps?)
|
|
|
|
## Why
|
|
|
|
- For casual projects, Terraform Enterprise is too much
|
|
- Separate Infrastructure for Terraform State store makes sense
|
|
- Not everyone has S3 available
|
|
- Just share your UUID and the encryption key with your teammates
|
|
|
|
## Backend
|
|
|
|
Needs to be a public good with restrictions:
|
|
|
|
1. Reasonable Rate limits
|
|
2. File size limits
|
|
3. Restrict by terraform-user-agent, because why not
|
|
4. Block unencrypted data from being stored
|
|
|
|
## Extras
|
|
|
|
- This needs to be Highly Available if folks are gonna use it
|
|
- Use NaCl for crypto
|
|
- Support a breakdown into `read_encryption_key` and `write_encryption_key` for key rotation
|
|
- The encryption parts can perhaps be merged to upstream
|