Proposed: Use Multiple Terraform State Bucket Backends

Date: 25 Mar 2022

Needs Update!

The content in this ADR may be out of date and in need of an update. For questions, please reach out to Cloud Posse.

  • The proposal remains in draft and its context needs to be updated.

Status

DRAFT

Problem

  • The Terraform state backend holds sensitive information, e.g. RDS master credentials.

  • Using multiple state backends would alleviate some of these concerns, but it introduces new problems: how to manage access to each bucket, and how remote-state lookups know where to find the state.
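To make the problem concrete, here is an added example (not part of the ADR) of what a per-environment state backend and the matching remote-state lookup look like in HCL. Bucket, lock-table, role and account values are assumptions chosen to match the ADR's terraform-prod / terraform-non-prod naming.

```hcl
# Added example, not from the ADR. All names and the account id are assumptions.

# --- Backend for a root module deployed to a non-prod stage (e.g. dev). ---
# A backend block cannot use variables, so each stage's root module must be
# configured with its own bucket; prod modules point at the prod bucket instead.
terraform {
  backend "s3" {
    bucket         = "acme-terraform-non-prod-state"                      # assumption
    key            = "dev/rds/terraform.tfstate"
    region         = "us-east-1"
    dynamodb_table = "acme-terraform-non-prod-lock"                       # assumption
    encrypt        = true
    role_arn       = "arn:aws:iam::111111111111:role/terraform-non-prod"  # assumption
  }
}

variable "stage" {
  type = string
}

locals {
  # Each consumer of remote state needs this stage-to-bucket mapping, and it
  # must stay in sync with every backend block. This is the "where do lookups
  # find the state" problem the ADR raises.
  state_buckets = {
    dev     = "acme-terraform-non-prod-state"
    staging = "acme-terraform-non-prod-state"
    prod    = "acme-terraform-prod-state"
  }
  state_role = var.stage == "prod" ? "terraform-prod-read" : "terraform-non-prod-read"
}

# --- Remote-state lookup that resolves the bucket from the stage. ---
data "terraform_remote_state" "vpc" {
  backend = "s3"
  config = {
    bucket   = local.state_buckets[var.stage]
    key      = "${var.stage}/vpc/terraform.tfstate"
    region   = "us-east-1"
    # Separate read roles per bucket keep non-prod callers out of the prod bucket.
    role_arn = "arn:aws:iam::111111111111:role/${local.state_role}"  # assumption
  }
}

# Caveat: terraform_remote_state downloads the whole state object, not only its
# outputs, so s3:GetObject on a state file exposes everything stored in it
# (the RDS master credentials the ADR mentions included).
```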

Context

Considered Options

Option 1: Use AWS SSO with Standalone IAM Roles

Create a terraform-prod PermissionSet and a terraform-non-prod PermissionSet.

Pros

Cons

  • We create permission sets, not roles. Permission sets are only created in the aws-sso component; standalone components cannot create permission sets.

  • Introducing more permission sets pollutes the global namespace with roles that are only relevant in a couple of accounts.

  • PermissionSets cannot be delegated to other components.

Option 2: Use Federated IAM with SAML

Option 3:

Decision

DECIDED:

Consequences

References