Backend for your .tfstate

Not only does SecretHub integrate with Terraform through a provider, it can also serve as a secure backend for your .tfstate.

Because it simply treats your .tfstate like any other secret in SecretHub, you get all the security features that your .tfstate deserves without any additional setup.

To use SecretHub as a state backend, you need to run the SecretHub HTTP Proxy. You can run it as a Docker container:

docker run -it -p 127.0.0.1:8080:8080 --name secrethub -v $HOME/.secrethub:/secrethub secrethub/http-proxy

For more installation options, check out the GitHub page.

Then add the following backend configuration to your Terraform project:

terraform {
  backend "http" {
    address = "http://localhost:8080/v1beta/secrets/raw/your-username/start/terraform.tfstate"
  }
}

Note: Terraform’s provider ecosystem is very pluggable, but unfortunately Terraform backends are not. The only way to make it somewhat pluggable is through HTTP, which is why we’ve built the HTTP proxy.

We are also working on a native state backend, but it currently requires you to use our fork of Terraform, so we’re sticking with the more pluggable HTTP backend for now.

Note on security: Starting the SecretHub HTTP Proxy exposes your SecretHub account to anything that can connect to localhost:8080, so use it with care. When running the Docker container, make sure that it only listens on localhost by publishing the port as -p 127.0.0.1:8080:8080.
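One way to check that binding after the container is up, as an added example that is not part of the SecretHub documentation: the function below reads the output of docker port for the container named secrethub and reports any published port that is not bound to a loopback address. The function name and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag host bindings of the proxy container that are not loopback.
# Input is what `docker port <container>` prints, one mapping per line, e.g.
#   8080/tcp -> 127.0.0.1:8080
#
# Real use:  docker port secrethub | non_loopback_bindings

# Reads mappings on stdin and prints every non-loopback one.
# Returns 0 if all bindings are loopback, 1 if any is exposed,
# 2 if there were no mappings at all (nothing published, or wrong name).
non_loopback_bindings() {
    seen=0
    bad=0
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        seen=1
        host=${line##* -> }   # "127.0.0.1:8080", "0.0.0.0:8080", "[::]:8080"
        addr=${host%:*}       # drop the trailing :port
        case "$addr" in
            127.*|"[::1]"|::1) ;;   # loopback only
            *) printf 'EXPOSED: %s\n' "$line"; bad=1 ;;
        esac
    done
    [ "$seen" -eq 1 ] || return 2
    return "$bad"
}

# Constructed sample: what `docker port secrethub` shows for a container
# started with -p 8080:8080, i.e. without the 127.0.0.1 host address.
printf '8080/tcp -> 0.0.0.0:8080\n8080/tcp -> [::]:8080\n' | non_loopback_bindings \
    || echo "proxy is reachable from other hosts; publish as -p 127.0.0.1:8080:8080"
```

A return code of 2 means no port is published at all, in which case the Terraform backend address on localhost:8080 would not reach the proxy either.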

This will write your .tfstate to SecretHub at path your-username/start/terraform.tfstate. To start the state migration, run:

terraform init

Terraform will now prompt to migrate your local .tfstate to SecretHub. Afterwards, Terraform clears the local state, leaving only a local backup copy present. You can verify that the state got migrated correctly by running:

terraform state pull

Alternatively, verify it using the SecretHub CLI:

secrethub read your-username/start/terraform.tfstate

You can then safely delete the remaining .tfstate.backup file.