This works with Terraform 1.6 and beyond. If you're using 1.5.x or earlier, try my older post on this matter.
If you've got access to a Ceph instance, you can use the S3 backend to store the Terraform state. The usage is pretty much the same as for S3 itself; we just need to make sure to set the following arguments:
endpoints.s3
skip_credentials_validation
skip_region_validation
skip_requesting_account_id
skip_s3_checksum
use_path_style
endpoints.s3 should be set to the root URL served by your Ceph instance.
skip_credentials_validation controls whether the backend validates credentials against Amazon STS. Since you can't count on STS to validate your Ceph credentials, this should be set to true.
skip_region_validation should be set because Ceph doesn't actually use the provided region name and can't validate it.
skip_requesting_account_id should be set because Ceph doesn't provide the needed IAM API. It instead authenticates you using access and secret keys.
skip_s3_checksum should be set because Ceph does not include the checksum in its validation. If Terraform tries to write state to Ceph while this isn't in place, you'll get an XAmzContentSHA256Mismatch error.
use_path_style controls if bucket names are specified in subdomains (e.g. mybucket.myceph.myintranet) or in paths (e.g. myceph.myintranet/mybucket). The path style is more compatible with Ceph, so this also should be set to true.
Here is a copy-and-paste friendly version:
terraform {
  required_version = ">= 1.6.0"
  backend "s3" {
    bucket     = "your-bucket-name"
    key        = "a-key"
    region     = "us-east-1"
    access_key = "your-access-key"
    secret_key = "your-secret-key"

    skip_credentials_validation = true
    skip_region_validation      = true
    skip_requesting_account_id  = true
    skip_s3_checksum            = true
    use_path_style              = true

    endpoints = {
      s3 = "https://hostname.for.the.ceph.instance"
    }
  }
}
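Added example, not part of the original post: a shell script that writes the same backend block without access_key and secret_key, so the keys come from the AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY environment variables that the S3 backend also reads, and that lints a file for the settings listed above. The function names, the file name in the usage comment and the https requirement are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the original post. Function names are assumptions.

# Write the post's backend block without access_key/secret_key. The S3 backend
# falls back to AWS_ACCESS_KEY_ID / AWS_SECRET_ACCESS_KEY from the environment.
write_backend() {
    cat > "$1" <<'EOF'
terraform {
  required_version = ">= 1.6.0"
  backend "s3" {
    bucket = "your-bucket-name"
    key    = "a-key"
    region = "us-east-1"
    skip_credentials_validation = true
    skip_region_validation      = true
    skip_requesting_account_id  = true
    skip_s3_checksum            = true
    use_path_style              = true
    endpoints = {
      s3 = "https://hostname.for.the.ceph.instance"
    }
  }
}
EOF
}

# Lint FILE. Returns 0 if every Ceph setting is present and no key is inline,
# 1 if a setting is missing, 2 if access_key/secret_key is written in the file.
check_backend() {
    rc=0
    for arg in skip_credentials_validation skip_region_validation \
        skip_requesting_account_id skip_s3_checksum use_path_style; do
        grep -Eq "^[[:space:]]*${arg}[[:space:]]*=[[:space:]]*true" "$1" ||
            { echo "$1: ${arg} is not set to true" >&2; rc=1; }
    done
    # Assumption of this example: require https, since state can hold secrets.
    grep -Eq '^[[:space:]]*s3[[:space:]]*=[[:space:]]*"https://' "$1" ||
        { echo "$1: endpoints.s3 is not an https URL" >&2; rc=1; }
    if grep -Eq '^[[:space:]]*(access_key|secret_key)[[:space:]]*=' "$1"; then
        echo "$1: access_key/secret_key is hardcoded" >&2; rc=2
    fi
    return "$rc"
}

# Stand-alone use: ./check.sh backend.tf
[ $# -eq 0 ] || check_backend "$1"
```

With the keys exported in the shell that runs terraform init, the backend file can be committed without carrying credentials.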