Proposed: Use Multiple Terraform State Bucket Backends
Date: 25 Mar 2022
The content in this ADR may be out of date and need an update. For questions, please reach out to Cloud Posse.
- The proposal remains in draft and needs its context updated.
Status
DRAFT
Problem
- The Terraform state backend holds sensitive information, e.g. RDS master credentials, and holds it in plaintext: anyone who can read the state bucket can read those values.
- Using multiple state backends (e.g. one bucket for production state and another for non-production state) would alleviate some of these concerns, but introduces new problems: how to manage access to each bucket, and how remote-state lookups know which bucket holds the state they need.
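The two new problems above, shown together as an added Terraform example (this is illustration written for this page, not the ADR's or Cloud Posse's code): prod state lives in its own bucket whose resource policy denies everyone except the prod Terraform principals, and consuming components pick the bucket for a remote-state lookup from one shared map keyed by stage. The bucket names, the role names terraform-prod and break-glass-admin, the variables var.stage and var.state_account_id, and the us-east-1 region are all assumptions.

```hcl
# Added example, not from the ADR: state split across two buckets by trust
# boundary, with the prod bucket locked to the prod Terraform principals.
# Assumed names: the buckets, the role names, var.stage, var.state_account_id
# and the us-east-1 region.

variable "stage" {
  description = "Stage being planned, e.g. prod, staging or dev (assumed)"
  type        = string
}

variable "state_account_id" {
  description = "Account that owns the state buckets (assumed)"
  type        = string
}

locals {
  # Which bucket holds each stage's state. All non-prod stages share one
  # bucket; only prod state lands in the restricted prod bucket.
  state_bucket = {
    prod    = "acme-tfstate-prod"
    staging = "acme-tfstate-nonprod"
    dev     = "acme-tfstate-nonprod"
  }

  # Principals still allowed into the prod bucket. AWS SSO (IAM Identity
  # Center) provisions permission-set roles as AWSReservedSSO_<name>_<hash>,
  # hence the wildcard entry; the break-glass role keeps admins from being
  # locked out by the Deny below.
  prod_state_principals = [
    "arn:aws:iam::${var.state_account_id}:role/terraform-prod",
    "arn:aws:iam::${var.state_account_id}:role/*AWSReservedSSO_terraform-prod_*",
    "arn:aws:iam::${var.state_account_id}:role/break-glass-admin",
  ]
}

# Resource policy on the prod bucket. An explicit Deny wins over any Allow an
# identity policy grants, so an over-broad non-prod role cannot read prod
# state even if it carries AdministratorAccess in the same account.
data "aws_iam_policy_document" "prod_state" {
  statement {
    sid     = "DenyAllButTerraformProd"
    effect  = "Deny"
    actions = ["s3:GetObject", "s3:PutObject", "s3:DeleteObject", "s3:ListBucket"]
    resources = [
      "arn:aws:s3:::${local.state_bucket.prod}",
      "arn:aws:s3:::${local.state_bucket.prod}/*",
    ]
    principals {
      type        = "AWS"
      identifiers = ["*"]
    }
    condition {
      test     = "ArnNotLike"
      variable = "aws:PrincipalArn"
      values   = local.prod_state_principals
    }
  }

  statement {
    sid       = "DenyInsecureTransport"
    effect    = "Deny"
    actions   = ["s3:*"]
    resources = ["arn:aws:s3:::${local.state_bucket.prod}/*"]
    principals {
      type        = "AWS"
      identifiers = ["*"]
    }
    condition {
      test     = "Bool"
      variable = "aws:SecureTransport"
      values   = ["false"]
    }
  }
}

resource "aws_s3_bucket_policy" "prod_state" {
  bucket = local.state_bucket.prod
  policy = data.aws_iam_policy_document.prod_state.json
}

# Remote-state lookup in a consuming component: the bucket is chosen from the
# same map, so a dev plan never opens the prod bucket, and a prod plan reads
# prod state with the prod role it already holds.
data "terraform_remote_state" "vpc" {
  backend = "s3"
  config = {
    bucket = local.state_bucket[var.stage]
    key    = "${var.stage}/vpc/terraform.tfstate"
    region = "us-east-1"
  }
}
```

The Deny statement is deliberately written with Principal "*" plus an ArnNotLike exemption list rather than as an Allow for the prod role: an Allow would still leave any other principal with a broad identity policy able to read the bucket. Because a Deny with Principal "*" also binds the account's own administrators, the exemption list must include a recovery role before the policy is applied, or the bucket becomes unreachable. The lookup half only works if every component derives the bucket from the same stage-to-bucket map, which is the convention this ADR still has to settle.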
Context
Considered Options
Option 1: Use AWS SSO with Standalone IAM Roles
Create a terraform-prod PermissionSet and a terraform-non-prod PermissionSet.
Pros
Cons
- We create permission sets, not roles. We only create permission sets in the aws-sso component; standalone components cannot create permission sets.
- Introducing more permission sets pollutes the global namespace with roles that are only really relevant in a couple of accounts.
- Delegation of PermissionSets cannot be given to other components.
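What Option 1 would amount to in Terraform, as an added example written for this page (not the ADR's code and not the aws-sso component's code): the two permission sets, each with an inline policy that reaches exactly one state bucket and one lock table, assigned only to the accounts where that bucket's state is planned. The bucket and lock-table names, the account IDs and the Identity Center group IDs are assumptions.

```hcl
# Added example, not from the ADR or the aws-sso component: the two
# permission sets Option 1 proposes, each scoped to one state bucket.
# Assumed: bucket and lock-table names, account IDs and group IDs below.

data "aws_ssoadmin_instances" "this" {}

locals {
  sso_instance_arn = tolist(data.aws_ssoadmin_instances.this.arns)[0]

  # One entry per permission set: the state bucket and lock table it may
  # touch, and which accounts / group receive the resulting role.
  tf_permission_sets = {
    "terraform-prod" = {
      bucket     = "acme-tfstate-prod"
      lock_table = "acme-tfstate-prod-lock"
      accounts   = ["111111111111"]                  # assumed prod account
      group_id   = "REPLACE-WITH-PROD-GROUP-ID"      # assumed Identity Center group
    }
    "terraform-non-prod" = {
      bucket     = "acme-tfstate-nonprod"
      lock_table = "acme-tfstate-nonprod-lock"
      accounts   = ["222222222222", "333333333333"]  # assumed dev/staging accounts
      group_id   = "REPLACE-WITH-NONPROD-GROUP-ID"
    }
  }

  # Flatten (permission set, account) pairs for the account assignments, so
  # the prod role is only ever provisioned into the prod account.
  assignments = {
    for pair in flatten([
      for name, ps in local.tf_permission_sets : [
        for account in ps.accounts : {
          key     = "${name}-${account}"
          name    = name
          account = account
        }
      ]
    ]) : pair.key => pair
  }
}

resource "aws_ssoadmin_permission_set" "terraform" {
  for_each         = local.tf_permission_sets
  instance_arn     = local.sso_instance_arn
  name             = each.key
  description      = "Terraform state access scoped to ${each.value.bucket}"
  session_duration = "PT1H"
}

# Identity-based policy: read/write state only in the set's own bucket and
# take locks only in its own table. Nothing grants the non-prod set a path
# to the prod bucket.
data "aws_iam_policy_document" "terraform" {
  for_each = local.tf_permission_sets

  statement {
    sid       = "StateBucket"
    actions   = ["s3:ListBucket", "s3:GetBucketVersioning"]
    resources = ["arn:aws:s3:::${each.value.bucket}"]
  }
  statement {
    sid       = "StateObjects"
    actions   = ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"]
    resources = ["arn:aws:s3:::${each.value.bucket}/*"]
  }
  statement {
    sid       = "StateLock"
    actions   = ["dynamodb:GetItem", "dynamodb:PutItem", "dynamodb:DeleteItem"]
    resources = ["arn:aws:dynamodb:*:*:table/${each.value.lock_table}"]
  }
}

resource "aws_ssoadmin_permission_set_inline_policy" "terraform" {
  for_each           = local.tf_permission_sets
  instance_arn       = local.sso_instance_arn
  permission_set_arn = aws_ssoadmin_permission_set.terraform[each.key].arn
  inline_policy      = data.aws_iam_policy_document.terraform[each.key].json
}

resource "aws_ssoadmin_account_assignment" "terraform" {
  for_each           = local.assignments
  instance_arn       = local.sso_instance_arn
  permission_set_arn = aws_ssoadmin_permission_set.terraform[each.value.name].arn
  principal_id       = local.tf_permission_sets[each.value.name].group_id
  principal_type     = "GROUP"
  target_id          = each.value.account
  target_type        = "AWS_ACCOUNT"
}
```

Two things this makes visible about the cons listed above: the aws_ssoadmin_* resources need permissions in the organization's identity account, which is why only the aws-sso component can own them, and both permission sets are defined against the single SSO instance even though each matters to a couple of accounts. An identity-based Allow is also only half the access story: if the state bucket sits in a different account from the one the role is assigned to, the bucket policy must grant the role too.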
Option 2: Use Federated IAM with SAML
Option 3:
Decision
DECIDED: