A Terraform backend implementation using Cloudflare Workers.
This repo contains Cloudflare Worker as a remote state backend for Terraform. The advantage of storing this in something like Cloudflare instead of AWS S3 is that it's much easier to set up.
This backend supports state locks and an having arbitrary number of Terraform states on a single worker (using different pathnames).
- You'll need to install Terraform CLI.
- You'll also need a Cloudflare account (paid account needed due to the use of KV).
There are 2 ways to deploy:
- Using Terraform itself
- Using Wrangler
First, add your Cloudflare account ID and API token in terraform.tfvars.
(Optional)
If you wish to deploy this in your own zone, add the zone ID and URL pattern as well.
Also, uncomment the corresponding parts in variables.tf and workers.tf.
Then, update the credentials in the index.js file. IMPORTANT
When you're ready:
terraform init
terraform plan
terraform applyInstall Cloudflare Wrangler CLI
Make sure your Wrangler CLI is set up correctly by running the following (you might need to generate an API token):
wrangler configThen, update the credentials in the index.js file. IMPORTANT
Now, you'll need to create a KV namespace. Just run the following:
wrangler kv:namespace create TERRAFORMLastly, to deploy your worker, update wrangler.toml file with your account id, kv namespace id, and optionally a different project name, then run the following:
wrangler publishYou should get back a message similar to the following:
💁 JavaScript project found. Skipping unnecessary build!
✨ Successfully published your script to https://terraform-backend.ACCOUNT_NAME.workers.dev
Congrats! You're done. This will give you the url for your Terraform backend, which you should then be able to add to your terraform:
terraform {
backend "http" {
address = "https://terraform-backend.ACCOUNT_NAME.workers.dev/"
username = "CHANGE ME!"
password = "CHANGE ME!"
}
}Update: You can also use secrets if you wish.
Define the values of the secrets.
wrangler secret put TF_BACKEND_USER
wrangler secret put TF_BACKEND_PASSWDIn index.js change the hardcoded username and password to read values from the secrets.
const USERNAME = TF_BACKEND_USER;
const PASSWORD = TF_BACKEND_PASSWD;Republish the changes.
wrangler publishCaution: Changing your credentials after running terraform init is not supported as it's not straightforward. If that's needed, try taking a copy of your state before changing your credentials, then uploading it after you make the change:
# Before changing your credentials
tf state pull > state-backup.tfstate
# Change your credentials...
wrangler publish
# After changing your credentials (including in the terraform config)
tf state push state-backup.tfstate