what's a good git-ignore policy for a terraform repository?


ericd...@gmail.com

Aug 22, 2014, 4:45:14 PM
to terrafo...@googlegroups.com
what should and shouldn't be checked in, as best practices?
e

Jack Pearkes

Aug 22, 2014, 6:08:49 PM
to ericd...@gmail.com, terrafo...@googlegroups.com
Eric,

We recommend checking in both your plan files (*.tf) and your .tfstate files. This will allow others to modify the infrastructure. Without state, existing infrastructure won't be found.

.tfplan files can also be checked in, but note that they contain _everything_ Terraform needs to run, including any variables passed in. This includes potentially sensitive information. See more here: http://www.terraform.io/docs/commands/plan.html#toc_2

As best practice, be aware what you're checking in when it comes to secret keys and so forth.

Best,

Jack


On Fri, Aug 22, 2014 at 1:45 PM, <ericd...@gmail.com> wrote:
what should and shouldn't be checked in, as best practices?
e

--
You received this message because you are subscribed to the Google Groups "Terraform" group.
To unsubscribe from this group and stop receiving emails from it, send an email to terraform-too...@googlegroups.com.
To post to this group, send email to terrafo...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/terraform-tool/208b963e-6be7-4407-99f4-95911c29dc99%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Eric Buth

Aug 22, 2014, 6:53:48 PM
to Jack Pearkes, terrafo...@googlegroups.com
thanks! yes, trying to avoid leaving AWS keys and so on in the repository. is this to say that tfstate and tfstate.backup files should both be checked in but tfplan files should not?
e

Gallagher Polyn

Jan 8, 2017, 12:22:51 PM
to Terraform
Is there any update to this approach? At the linked resource I read in Security Warning that "Future versions of Terraform will make plan files more secure."

Lowe Schmidt

Jan 9, 2017, 4:36:51 AM
to terrafo...@googlegroups.com
More secure seems to be that the plan files are (now?) binary. 

As for state, the general approach seems to be to use remote state instead of checking it into version control.

Is there any specific problem you're having?

--
Lowe Schmidt | +46 723 867 157

--
This mailing list is governed under the HashiCorp Community Guidelines - https://www.hashicorp.com/community-guidelines.html. Behavior in violation of those guidelines may result in your removal from this mailing list.
 
GitHub Issues: https://github.com/hashicorp/terraform/issues
IRC: #terraform-tool on Freenode
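
An added example, not code from anyone in the thread or from the Terraform project: a pre-commit style check that applies the advice given above. It blocks .tfplan files, blocks state files unless ALLOW_STATE=1 is set (the 2014 reply recommends committing state, the 2017 reply remote state), and flags .tf files that appear to contain an AWS access key ID. The function names, the ALLOW_STATE switch, the AKIA pattern and the sample files are assumptions made for this example.

```shell
#!/bin/sh
# Added example. Reads candidate paths on stdin (in a pre-commit hook:
# git diff --cached --name-only) and prints one BLOCK line per finding.
# Returns non-zero if anything was flagged.
# ALLOW_STATE=1 permits state files (the 2014 advice in the thread);
# the default blocks them (the 2017 "use remote state" advice).
audit_terraform_paths() {
  findings=0
  while IFS= read -r path; do
    case "$path" in
      *.tfplan)
        # Plan files carry every variable passed in, secrets included.
        echo "BLOCK plan-file $path"; findings=$((findings + 1)) ;;
      *.tfstate|*.tfstate.backup)
        if [ "${ALLOW_STATE:-0}" != 1 ]; then
          echo "BLOCK state-file $path"; findings=$((findings + 1))
        fi ;;
      *.tf)
        # Heuristic (assumption): an AWS access key ID looks like AKIA plus
        # 16 upper-case alphanumerics. Checks the working-tree copy.
        if [ -f "$path" ] && grep -Eq 'AKIA[0-9A-Z]{16}' "$path"; then
          echo "BLOCK aws-access-key-id $path"; findings=$((findings + 1))
        fi ;;
    esac
  done
  [ "$findings" -eq 0 ]
}

# Constructed sample repository, built in a temp dir so the demo runs offline.
demo_audit() {
  dir=$(mktemp -d) || return 2
  (
    cd "$dir" || exit 2
    printf 'variable "region" {}\n' > main.tf
    printf 'access_key = "AKIAXXXXXXXXXXXXXXXX"\n' > provider.tf  # fake key
    : > prod.tfplan
    : > terraform.tfstate
    : > terraform.tfstate.backup
    printf '%s\n' * | audit_terraform_paths
  )
  status=$?
  rm -rf "$dir"
  return "$status"
}

demo_audit || echo "commit would be rejected"
```

The key-ID pattern only catches hardcoded access key IDs; it is a tripwire, not a substitute for keeping credentials out of .tf files in the first place.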