Should I commit .tfstate files to Git?

Question

I am a little bit puzzled on the question whether to commit .tfstate files to Git or not. The Terraform documentation states:

Terraform also put some state into the terraform.tfstate file by default. This state file is extremely important; it maps various resource metadata to actual resource IDs so that Terraform knows what it is managing. This file must be saved and distributed to anyone who might run Terraform. We recommend simply putting it into version control, since it generally isn't too large.

Now, on the other hand, the accepted and upvoted answer on Best practices when using Terraform states:

Terraform config can be used to provision many boxes on different infrastructure, each of which could have a different state. As it can also be run by multiple people this state should be in a centralised location (like S3) but not git.

(Emphasis by the original author, not by me)

Who is right, and if so, why?

Recommended answer

TL;DR:

Important! Storing in source control could expose potentially sensitive data and risks running Terraform against an old version of state. Don't do it.

Terraform no longer recommends storing state in source control. Your 'good' options are remote or local.

Remote state grants significant benefits vs both local and storing in source control. Details of these are below.

Original answer:

Yevgeniy's answer is a good one. The issue is somewhat less controversial now as Terraform have updated their docs to state:

Terraform also puts some state into the terraform.tfstate file by default. This state file is extremely important; it maps various resource metadata to actual resource IDs so that Terraform knows what it is managing. This file must be saved and distributed to anyone who might run Terraform. It is generally recommended to setup remote state when working with Terraform. This will mean that any potential secrets stored in the state file, will not be checked into version control

So there is no longer a disagreement between established best practice and official recommendations.

Update 2019-05-17

In the latest version of the docs, this has been changed to:

... This state is stored by default in a local file named "terraform.tfstate", but it can also be stored remotely, which works better in a team environment. ...

I don't expect the advice will ever revert to source control being the preferred method of storing state.

Despite the documentation quoted above, remote state is still beneficial for the solo developer.

Remote state allows the solo developer to:

  • Work on/run their Terraform code from several devices
  • Easily backup and protect against losing the state file, depending on backend chosen
  • Segregate sections of their architecture via outputs
  • Automatically encrypt state file at rest, depending on backend chosen
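
Added example (not part of the original answer and not Terraform's own code): a small audit that shows why a committed state file exposes sensitive data. It assumes the version 4 JSON state layout, uses a constructed sample state with made-up values, and relies on a name-matching heuristic (SECRET_NAME) that is this example's own assumption.

```python
import json
import re

# Attribute names that commonly hold credentials (heuristic, an assumption of this example).
SECRET_NAME = re.compile(r"(password|secret|token|private_key|access_key)", re.I)

# Constructed sample in the version 4 state layout; every value is made up.
SAMPLE_STATE = json.loads("""
{
  "version": 4, "serial": 7, "lineage": "constructed-example",
  "outputs": {"db_password": {"value": "hunter2-example", "type": "string", "sensitive": true}},
  "resources": [
    {"mode": "managed", "type": "aws_db_instance", "name": "main",
     "instances": [{"attributes": {"username": "admin", "password": "hunter2-example",
                                   "tags": {"env": "dev"}}}]},
    {"module": "module.net", "mode": "managed", "type": "aws_vpc", "name": "this",
     "instances": [{"attributes": {"cidr_block": "10.0.0.0/16"}}]}
  ]
}
""")

def walk(value, path=""):
    """Yield (dotted_path, leaf_value) for every leaf in nested dicts and lists."""
    if isinstance(value, dict):
        for key, child in value.items():
            yield from walk(child, f"{path}.{key}" if path else key)
    elif isinstance(value, list):
        for index, child in enumerate(value):
            yield from walk(child, f"{path}[{index}]")
    else:
        yield path, value

def find_plaintext_secrets(state):
    """Return sorted 'address: attribute' strings for non-empty secret-looking values."""
    findings = set()
    for name, output in state.get("outputs", {}).items():
        # "sensitive" only hides the value in CLI output; the state still stores it.
        if output.get("sensitive") or SECRET_NAME.search(name):
            findings.add(f"output.{name}: value")
    for res in state.get("resources", []):
        address = ".".join(p for p in (res.get("module"), res["type"], res["name"]) if p)
        for instance in res.get("instances", []):
            for path, leaf in walk(instance.get("attributes") or {}):
                if leaf not in (None, "") and SECRET_NAME.search(path.rsplit(".", 1)[-1]):
                    findings.add(f"{address}: {path}")
    return sorted(findings)

if __name__ == "__main__":
    print("\n".join(find_plaintext_secrets(SAMPLE_STATE)))
```

Any finding means the value sits in the state file as readable text, so every clone of a repository containing that file carries it in history even after the file is deleted in a later commit.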
