5
LLAMS
3y

Don’t commit your terraform state to github please, especially if it contains over 20 API keys for various services, and database master passwords.

Not speaking from experience of having to do some frantic rebasing of someone's PR *eye twitch*

Comments
  • 2
  • 0
    @HCC5GDKc7 Sadly it was just a locally saved file after doing terraform state pull, it was meant to be deleted after checking and never go anywhere.

    Our secrets are all encrypted before they are checked into git but the remote state file contains plaintext versions.
  • 0
    @LLAMS why isn't the remote state file in .gitignore?
  • 0
    @kwilliams Simple, because we can't make any guarantees about what someone will name the temp file when they pull the state to check something.

    It might be something as obvious as tfstate.json (OK fair enough we could filter that out and catch some)
    but it could easily be saved as a txt file or have a totally random name like testing.json

    For clarity, it was a locally saved COPY of the remote state that someone accidentally checked in.
  • 0
    @LLAMS but why are they even needing to check out production settings with arbitrary file names in the first place. 🤷‍♂️
  • 0
    @kwilliams If you do something to modify the remote state, like move something into a module or rename something, you might wanna pull the state to double check it looks the way you expect.

    Searching through the JSON is easier if you save the output to a local file. Who gives a shit what it's called. The whole point is you will throw it away after.

    The actual file isn't the issue here. It's only a problem when you accidentally check the temporary file into VCS, which is precisely what happened.
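A content-based pre-commit check for the case the thread describes (a pulled copy of remote state saved under an arbitrary filename, which `.gitignore` cannot match). This is an added example, not code from the original post or any commenter; it assumes POSIX sh, grep and git are available, and the sample files it creates are constructed placeholders.

```shell
#!/bin/sh
# Recognise Terraform state by its structure rather than its filename:
# every state document carries the top-level keys "terraform_version",
# "serial" and "lineage", whatever the file is called.
looks_like_tfstate() {
  f="$1"
  [ -f "$f" ] || return 1
  grep -q '"terraform_version"' "$f" \
    && grep -q '"serial"' "$f" \
    && grep -q '"lineage"' "$f"
}

# Scan every staged (added/modified) file; report offenders and return 1
# if any is found. Intended to be called from .git/hooks/pre-commit so the
# commit is refused before plaintext state ever reaches the remote.
# (Simple for-loop word splitting: paths containing spaces are not handled.)
scan_staged_for_tfstate() {
  rc=0
  for f in $(git diff --cached --name-only --diff-filter=AM); do
    if looks_like_tfstate "$f"; then
      echo "refusing to commit Terraform state content in: $f" >&2
      rc=1
    fi
  done
  return $rc
}

# Constructed sample files for a self-check; values are placeholders only.
tmpdir=$(mktemp -d)
cat > "$tmpdir/testing.json" <<'EOF'
{
  "version": 4,
  "terraform_version": "1.5.0",
  "serial": 12,
  "lineage": "00000000-0000-0000-0000-000000000000",
  "resources": []
}
EOF
printf '{"serial": 1, "note": "not state"}\n' > "$tmpdir/other.json"
```

Copy the two functions into `.git/hooks/pre-commit` and end the hook with `scan_staged_for_tfstate`; a file named `testing.json` or `state.txt` is caught the same way as `terraform.tfstate`.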