A Terraform state backend using the http, backed by
Cloudflare Workers and R2, so it is cheap to run. Oh, and it supports locking 🔒.
The original code was moved from cmackenzie1/holster to its own repository.
You can read about the original
implementation here.
Warning
This Worker is exposed to the public internet, it is YOUR responsibility to secure it. The HTTP backend for terraform supports basic auth and/or mTLS, so pick one (or both) and use it!
- Click the "Use this template" button to create a new repository from this template.
- Create an R2 bucket in your Cloudflare account, or use an existing one.
- Update
wrangler.tomlwith your Cloudflare account ID and custom domain and bucket name. - If using basic auth, add your credentials to your worker using
wrangler secret put TFSTATE_USERNAMEandwrangler secret put TFSTATE_PASSWORD. - If using mTLS, configure your Worker to require a client certificate.
- Run
wrangler publishto deploy the Worker to your Cloudflare account. - Update your Terraform configuration to use the new backend and run
terraform init. - Profit! 🚀
terraform {
backend "http" {
address = "https://tfstate.example.com/tfstate/states/your-project-name"
lock_address = "https://tfstate.example.com/tfstate/states/your-project-name/lock"
lock_method = "LOCK" # can also be "PUT"
unlock_address = "https://tfstate.example.com/tfstate/states/your-project-name/lock"
unlock_method = "UNLOCK" # can also be "DELETE"
# If using basic auth
username = "<YOUR_USERNAME>"
password = "<YOUR_PASSWORD>"
# If using mTLS
client_certificate_pem = "<path-to-ca-cert>"
client_private_key_pem = "<path-to-client-cert>"
client_ca_certificate_pem = "<path-to-client-key>"
}
}Sometimes the default backends don't cut it. For me, I wanted a backend that supported locking that used Cloudflare R2 for storage.
The existing S3 backend doesn't support locking without DynamoDB, which is an additional cost. This Worker is a cheaper alternative, and it's fun to build things!
Cloudflare Workers and R2 are billed based on usage, with a very generous free tier. You can check the pricing for Workers here and R2 here. Overall, this can be done for very cheap, or even free :)
Got yourself in a tfstatetastrophy? The following commands may help.
NOTE: These can be destructive, so be careful!
# Get current lock info
curl https://tfstate.example.com/tfstate/states/your-project-name/lock
# Manually remove the lock
curl -X DELETE https://tfstate.example.com/tfstate/states/your-project-name/lock
# or using `terraform`
terraform force-unlock <LOCK_ID>
Double check you are using UPPER case values for lock_method and unlock_method.