GitLab managed terraform state
<!-- triage-serverless v3 PLEASE DO NOT REMOVE THIS SECTION -->
*This page may contain information related to upcoming products, features and functionality.
It is important to note that the information presented is for informational purposes only, so please do not rely on the information for purchasing or planning purposes.
Just like with all projects, the items mentioned on the page are subject to change or delay, and the development, release, and timing of any products, features, or functionality remain at the sole discretion of GitLab Inc.*
<!-- triage-serverless v3 PLEASE DO NOT REMOVE THIS SECTION -->
### Problem to solve
As a DevOps engineer, in order to quickly get started with a Terraform project, I would like to use a GitLab managed Terraform state.
If GitLab CI is used to manage infrastructure with Terraform, it would be convenient to store the Terraform state in GitLab itself instead of having to set up a traditional remote backend (e.g. on Amazon S3).
[Opportunity canvas](https://docs.google.com/document/d/1zV26pZFbpJoFwUPoy5hPB9RW_rTPmcsxLIiwr6UWuOc/edit)
### Intended users
* [Rachel (Release Manager)](https://about.gitlab.com/handbook/marketing/product-marketing/roles-personas/#rachel-release-manager)
* [Devon (DevOps Engineer)](https://about.gitlab.com/handbook/marketing/product-marketing/roles-personas/#devon-devops-engineer)
* [Sidney (Systems Administrator)](https://about.gitlab.com/handbook/marketing/product-marketing/roles-personas/#sidney-systems-administrator)
### Ideation phase
The Google Doc where we brainstorm our ideas around this feature can be found here: https://docs.google.com/document/d/11VTQFrgLKOGQjLeNW-Op9uPIUAHFxsH9y9DjP8oYZyY (GitLab internal for the time being). Once we have come up with the complete proposal / MVP, we will extract the content to this issue/issues.
### Further details
To be a viable alternative to existing options, the solution would need to provide:
- Locking
- State history
- Encryption at rest
We would like to support multiple state files in a single Git project.
## Development
### Iteration 1
- [x] Research API authorization to support Terraform state backend https://gitlab.com/gitlab-org/gitlab/issues/207343
- [x] encrypt/decrypt Object storage to support Terraform state backend https://gitlab.com/gitlab-org/gitlab/issues/207401
- [x] Add API endpoint for Terraform state backend https://gitlab.com/gitlab-org/gitlab/issues/207344
- [x] Connect API to Storage https://gitlab.com/gitlab-org/gitlab/-/issues/213011
- [x] Document using the Terraform http backend with GitLab API https://gitlab.com/gitlab-org/gitlab/issues/207342
- [x] Add Metrics to track Terraform state backend usage https://gitlab.com/gitlab-org/gitlab/issues/207510
- [x] Switch the feature on on gitlab.com https://gitlab.com/gitlab-com/gl-infra/infrastructure/-/issues/9555
### Next iterations
- [ ] Create custom GitLab Terraform backend https://gitlab.com/gitlab-org/gitlab/issues/207348
- [x] Automatically provide credentials to CI via Specialized token https://gitlab.com/gitlab-org/gitlab/-/issues/216785
- [x] Support versioning for Terraform state backend https://gitlab.com/gitlab-org/gitlab/issues/207347
- [x] Tooling for SRE to maintain, access the state objects is needed https://gitlab.com/gitlab-org/gitlab/-/issues/216571
### Permissions and Security
- Every project should be able to read only its own Terraform state
- We should provide a way to get the actual or previous versions of the Terraform state (for recovery purposes). Do we really need this? SRE tooling is enough
- Can a project developer access the terraform state? Or only project maintainers?