Add a backend-specific env var for the GCS backend.
Right now, the only environment variable available is the same environment variable that will be picked up by the GCP provider. Users would like to be able to store state in separate projects or accounts or otherwise authenticate to the provider with a service account that doesn't have access to the state. This seems like a reasonable enough practice to me, and the solution seems straightforward--offer an environment variable that doesn't mean anything to the provider to configure the backend credentials. I've added GOOGLE_BACKEND_CREDENTIALS to manage just the backend credentials, and documented it appropriately.
parent bfbd00a23c
commit b8752c7610
@ -136,6 +136,8 @@ func (b *Backend) configure(ctx context.Context) error {
|
||||||
})
|
})
|
||||||
} else if v, ok := data.GetOk("credentials"); ok {
|
} else if v, ok := data.GetOk("credentials"); ok {
|
||||||
creds = v.(string)
|
creds = v.(string)
|
||||||
|
} else if v := os.Getenv("GOOGLE_BACKEND_CREDENTIALS"); v != "" {
|
||||||
|
creds = v
|
||||||
} else {
|
} else {
|
||||||
creds = os.Getenv("GOOGLE_CREDENTIALS")
|
creds = os.Getenv("GOOGLE_CREDENTIALS")
|
||||||
}
|
}
|
||||||
|
|
|
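Review bot: the precedence established by the new `else if v := os.Getenv("GOOGLE_BACKEND_CREDENTIALS")` branch (explicit `credentials` attribute, then `GOOGLE_BACKEND_CREDENTIALS`, then `GOOGLE_CREDENTIALS`) is the security-relevant behaviour of this change, since it is what lets a state-only service account take effect while the provider keeps using `GOOGLE_CREDENTIALS`, but nothing in the hunk records that intent; add a short comment above the branch stating the order and a test that sets both variables and asserts the backend-specific one is used. Because the branch assigns a bare `creds = v` in the same way the `GOOGLE_CREDENTIALS` fallback does, also confirm that the downstream consumer of `creds` accepts the same value forms (path or inline JSON) for both variables, as the documentation hunk presents the three sources as interchangeable.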
@ -52,15 +52,27 @@ resource "template_file" "bar" {
|
||||||
|
|
||||||
The following configuration options are supported:
|
The following configuration options are supported:
|
||||||
|
|
||||||
* `bucket` - (Required) The name of the GCS bucket.
|
* `bucket` - (Required) The name of the GCS bucket. This name must be
|
||||||
This name must be globally unique.
|
globally unique. For more information, see [Bucket Naming
|
||||||
For more information, see [Bucket Naming Guidelines](https://cloud.google.com/storage/docs/bucketnaming.html#requirements).
|
Guidelines](https://cloud.google.com/storage/docs/bucketnaming.html#requirements).
|
||||||
* `credentials` / `GOOGLE_CREDENTIALS` - (Optional) Local path to Google Cloud Platform account credentials in JSON format.
|
* `credentials` / `GOOGLE_BACKEND_CREDENTIALS` / `GOOGLE_CREDENTIALS` -
|
||||||
If unset, [Google Application Default Credentials](https://developers.google.com/identity/protocols/application-default-credentials) are used.
|
(Optional) Local path to Google Cloud Platform account credentials in JSON
|
||||||
The provided credentials need to have the `devstorage.read_write` scope and `WRITER` permissions on the bucket.
|
format. If unset, [Google Application Default
|
||||||
* `access_token` - (Optional) A temporary [OAuth 2.0 access token] obtained from
|
Credentials](https://developers.google.com/identity/protocols/application-default-credentials)
|
||||||
the Google Authorization server, i.e. the `Authorization: Bearer` token used to
|
are used. The provided credentials need to have the
|
||||||
authenticate HTTP requests to GCP APIs. This is an alternative to `credentials`. If both are specified, `access_token` will be used over the `credentials` field.
|
`devstorage.read_write` scope and `WRITER` permissions on the bucket.
|
||||||
* `prefix` - (Optional) GCS prefix inside the bucket. Named states for workspaces are stored in an object called `<prefix>/<name>.tfstate`.
|
**Warning**: if using the Google Cloud Platform provider as well, it will
|
||||||
* `path` - (Deprecated) GCS path to the state file of the default state. For backwards compatibility only, use `prefix` instead.
|
also pick up the `GOOGLE_CREDENTIALS` environment variable.
|
||||||
* `encryption_key` / `GOOGLE_ENCRYPTION_KEY` - (Optional) A 32 byte base64 encoded 'customer supplied encryption key' used to encrypt all state. For more information see [Customer Supplied Encryption Keys](https://cloud.google.com/storage/docs/encryption#customer-supplied).
|
* `access_token` - (Optional) A temporary [OAuth 2.0 access token] obtained
|
||||||
|
from the Google Authorization server, i.e. the `Authorization: Bearer` token
|
||||||
|
used to authenticate HTTP requests to GCP APIs. This is an alternative to
|
||||||
|
`credentials`. If both are specified, `access_token` will be used over the
|
||||||
|
`credentials` field.
|
||||||
|
* `prefix` - (Optional) GCS prefix inside the bucket. Named states for
|
||||||
|
workspaces are stored in an object called `<prefix>/<name>.tfstate`.
|
||||||
|
* `path` - (Deprecated) GCS path to the state file of the default state. For
|
||||||
|
backwards compatibility only, use `prefix` instead.
|
||||||
|
* `encryption_key` / `GOOGLE_ENCRYPTION_KEY` - (Optional) A 32 byte base64
|
||||||
|
encoded 'customer supplied encryption key' used to encrypt all state. For
|
||||||
|
more information see [Customer Supplied Encryption
|
||||||
|
Keys](https://cloud.google.com/storage/docs/encryption#customer-supplied).
|
||||||
|
|
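Review bot: the rewritten `credentials` bullet lists `credentials` / `GOOGLE_BACKEND_CREDENTIALS` / `GOOGLE_CREDENTIALS` without saying which wins when more than one is set, and that order is exactly what a user isolating state credentials from provider credentials needs to know; add one sentence such as "The `credentials` attribute takes precedence over `GOOGLE_BACKEND_CREDENTIALS`, which takes precedence over `GOOGLE_CREDENTIALS`." The new **Warning** paragraph explains that the provider also reads `GOOGLE_CREDENTIALS`, but it stops short of the practical point of the commit: state that `GOOGLE_BACKEND_CREDENTIALS` is read only by the backend and is ignored by the provider, so it is the variable to use when the backend and provider should authenticate as different identities.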