I want to use an S3 bucket to store the tfstate file. The current plan for using terraform is to store it in version control and have a Jenkins build package up the latest config for deployment somewhere else. I want to do a terraform validate step, but I’d rather not give Jenkins the AWS creds during the terraform init. Is there a way to have an option to use a local backend just for this terraform step while keeping the S3 backend? So far, my only thought is to overwrite my backend.tf file during this validation step.
Sounds like you want to use the partial configuration option:
There are several ways to supply the remaining arguments:
- File: A configuration file may be specified via the init command line. To specify a file, use the -backend-config=PATH option when running terraform init. If the file contains secrets it may be kept in a secure data store, such as Vault, in which case it must be downloaded to the local disk before running Terraform.
As such, you can pass the backend configuration for the CI to initialize a local state. You can validate, but of course not plan, since you don’t have access to the actual state of the infrastructure stored in object storage.
I’m sure you have your reasons, but this does feel like an XY problem. If this were my problem, I’d ask myself if I weren’t introducing unnecessary complexity into the pipeline to satisfy an arbitrary condition.
Also take a look at
terraform init -backend=false
Damn, it was sitting right there! This is way better than my comment!
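A sketch of the validate stage the thread converges on, written as an added example and not taken from any of the posters: it runs terraform init -backend=false and terraform validate in a subshell with the AWS credential variables unset, so the S3 backend block stays in backend.tf but is never contacted. The function name validate_without_backend and the directory argument are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): credential-free validate stage for CI.
# validate_without_backend is a hypothetical helper name; the optional
# argument is the directory holding the Terraform configuration.

validate_without_backend() {
    dir="${1:-.}"
    (
        # Subshell: the unset below cannot leak into the rest of the job,
        # and credentials present in the job cannot reach terraform.
        unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN AWS_PROFILE

        cd "$dir" || exit 2

        # -backend=false skips backend initialization: providers and modules
        # are still installed, but the S3 bucket is not read or written.
        # -input=false makes init fail instead of prompting in a CI job.
        terraform init -backend=false -input=false || exit 3

        # validate checks syntax and internal consistency only; it needs no
        # remote state, so it works without the backend.
        terraform validate -no-color || exit 4
    )
}
```

In a Jenkins sh step, source this file and call validate_without_backend with the workspace path; exit status 3 means init failed and 4 means validation failed.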