134 lines
5.3 KiB
Markdown
134 lines
5.3 KiB
Markdown
# Terraform state administration (alpha)
|
|
|
|
> [Introduced](https://gitlab.com/groups/gitlab-org/-/epics/2673) in GitLab 12.10.
|
|
|
|
GitLab can be used as a backend for [Terraform](../user/infrastructure/index.md) state
|
|
files. The files are encrypted before being stored. This feature is enabled by default.
|
|
|
|
The storage location of these files defaults to:
|
|
|
|
- `/var/opt/gitlab/gitlab-rails/shared/terraform_state` for Omnibus GitLab installations.
|
|
- `/home/git/gitlab/shared/terraform_state` for source installations.
|
|
|
|
These locations can be configured using the options described below.
|
|
|
|
## Using local storage
|
|
|
|
NOTE: **Note:**
|
|
This is the default configuration
|
|
|
|
To change the location where Terraform state files are stored locally, follow the steps
|
|
below.
|
|
|
|
**In Omnibus installations:**
|
|
|
|
1. To change the storage path for example to `/mnt/storage/terraform_state`, edit
|
|
`/etc/gitlab/gitlab.rb` and add the following line:
|
|
|
|
```ruby
|
|
gitlab_rails['terraform_state_enabled'] = true
|
|
gitlab_rails['terraform_state_storage_path'] = "/mnt/storage/terraform_state"
|
|
```
|
|
|
|
1. Save the file and [reconfigure GitLab](restart_gitlab.md#omnibus-gitlab-reconfigure) for the changes to take effect.
|
|
|
|
**In installations from source:**
|
|
|
|
1. To change the storage path for example to `/mnt/storage/terraform_state`, edit
|
|
`/home/git/gitlab/config/gitlab.yml` and add or amend the following lines:
|
|
|
|
```yaml
|
|
terraform_state:
|
|
enabled: true
|
|
storage_path: /mnt/storage/terraform_state
|
|
```
|
|
|
|
1. Save the file and [restart GitLab](restart_gitlab.md#installations-from-source) for the changes to take effect.
|
|
|
|
## Using object storage **(CORE ONLY)**
|
|
|
|
Instead of storing Terraform state files on disk, we recommend the use of an object
|
|
store that is S3-compatible instead. This configuration relies on valid credentials to
|
|
be configured already.
|
|
|
|
[Read more about using object storage with GitLab](object_storage.md).
|
|
|
|
### Object storage settings
|
|
|
|
The following settings are:
|
|
|
|
- Nested under `terraform_state:` and then `object_store:` on source installations.
|
|
- Prefixed by `terraform_state_object_store_` on Omnibus GitLab installations.
|
|
|
|
| Setting | Description | Default |
|
|
|---------|-------------|---------|
|
|
| `enabled` | Enable/disable object storage | `false` |
|
|
| `remote_directory` | The bucket name where Terraform state files will be stored | |
|
|
| `connection` | Various connection options described below | |
|
|
|
|
### S3-compatible connection settings
|
|
|
|
The connection settings match those provided by [Fog](https://github.com/fog), and are as follows:
|
|
|
|
| Setting | Description | Default |
|
|
|---------|-------------|---------|
|
|
| `provider` | Always `AWS` for compatible hosts | `AWS` |
|
|
| `aws_access_key_id` | Credentials for AWS or compatible provider | |
|
|
| `aws_secret_access_key` | Credentials for AWS or compatible provider | |
|
|
| `aws_signature_version` | AWS signature version to use. 2 or 4 are valid options. Digital Ocean Spaces and other providers may need 2. | 4 |
|
|
| `enable_signature_v4_streaming` | Set to true to enable HTTP chunked transfers with [AWS v4 signatures](https://docs.aws.amazon.com/AmazonS3/latest/API/sigv4-streaming.html). Oracle Cloud S3 needs this to be false | `true` |
|
|
| `region` | AWS region | us-east-1 |
|
|
| `host` | S3-compatible host when not using AWS. For example, `localhost` or `storage.example.com` | `s3.amazonaws.com` |
|
|
| `endpoint` | Can be used when configuring an S3-compatible service such as [MinIO](https://min.io), by entering a URL such as `http://127.0.0.1:9000` | (optional) |
|
|
| `path_style` | Set to true to use `host/bucket_name/object` style paths instead of `bucket_name.host/object`. Leave as false for AWS S3 | `false` |
|
|
| `use_iam_profile` | For AWS S3, set to true to use an IAM profile instead of access keys | `false` |
|
|
|
|
**In Omnibus installations:**
|
|
|
|
1. Edit `/etc/gitlab/gitlab.rb` and add the following lines; replacing with
|
|
the values you want:
|
|
|
|
```ruby
|
|
gitlab_rails['terraform_state_enabled'] = true
|
|
gitlab_rails['terraform_state_object_store_enabled'] = true
|
|
gitlab_rails['terraform_state_object_store_remote_directory'] = "terraform_state"
|
|
gitlab_rails['terraform_state_object_store_connection'] = {
|
|
'provider' => 'AWS',
|
|
'region' => 'eu-central-1',
|
|
'aws_access_key_id' => 'AWS_ACCESS_KEY_ID',
|
|
'aws_secret_access_key' => 'AWS_SECRET_ACCESS_KEY'
|
|
}
|
|
```
|
|
|
|
NOTE: **Note:**
|
|
If you are using AWS IAM profiles, be sure to omit the AWS access key and secret access key/value pairs.
|
|
|
|
```ruby
|
|
gitlab_rails['terraform_state_object_store_connection'] = {
|
|
'provider' => 'AWS',
|
|
'region' => 'eu-central-1',
|
|
'use_iam_profile' => true
|
|
}
|
|
```
|
|
|
|
1. Save the file and [reconfigure GitLab](restart_gitlab.md#omnibus-gitlab-reconfigure) for the changes to take effect.
|
|
|
|
**In installations from source:**
|
|
|
|
1. Edit `/home/git/gitlab/config/gitlab.yml` and add or amend the following
|
|
lines:
|
|
|
|
```yaml
|
|
terraform_state:
|
|
enabled: true
|
|
object_store:
|
|
enabled: true
|
|
remote_directory: "terraform_state" # The bucket name
|
|
connection:
|
|
provider: AWS # Only AWS supported at the moment
|
|
aws_access_key_id: AWS_ACESS_KEY_ID
|
|
aws_secret_access_key: AWS_SECRET_ACCESS_KEY
|
|
region: eu-central-1
|
|
```
|
|
|
|
1. Save the file and [restart GitLab](restart_gitlab.md#installations-from-source) for the changes to take effect.
|