feat: store Terraform state in Backblaze B2

Configure an s3 backend and initialize Terraform in CI with backend config from Gitea secrets so state persists across runs and apply operations stay consistent.
2026-02-28 00:52:40 +00:00
parent c0dd091b51
commit b0768db7a7
3 changed files with 30 additions and 2 deletions
--- a/.gitea/workflows/terraform-apply.yml
+++ b/.gitea/workflows/terraform-apply.yml
@@ -20,6 +20,19 @@ jobs:
          cat > secrets.auto.tfvars << EOF
          pm_api_token_secret = "${{ secrets.PM_API_TOKEN_SECRET }}"
          EOF
+          cat > backend.hcl << EOF
+          bucket                      = "${{ secrets.B2_TF_BUCKET }}"
+          key                         = "terraform.tfstate"
+          region                      = "us-east-005"
+          endpoint                    = "${{ secrets.B2_TF_ENDPOINT }}"
+          access_key                  = "${{ secrets.B2_KEY_ID }}"
+          secret_key                  = "${{ secrets.B2_APPLICATION_KEY }}"
+          skip_credentials_validation = true
+          skip_metadata_api_check     = true
+          skip_region_validation      = true
+          skip_requesting_account_id  = true
+          force_path_style            = true
+          EOF

      - name: Set up Terraform
        uses: hashicorp/setup-terraform@v2
@@ -28,7 +41,7 @@ jobs:

      - name: Terraform Init
        working-directory: terraform
-        run: terraform init
+        run: terraform init -reconfigure -backend-config=backend.hcl

      - name: Terraform Plan
        working-directory: terraform
--- a/.gitea/workflows/terraform-plan.yml
+++ b/.gitea/workflows/terraform-plan.yml
@@ -22,6 +22,19 @@ jobs:
          cat > secrets.auto.tfvars << EOF
          pm_api_token_secret = "${{ secrets.PM_API_TOKEN_SECRET }}"
          EOF
+          cat > backend.hcl << EOF
+          bucket                      = "${{ secrets.B2_TF_BUCKET }}"
+          key                         = "terraform.tfstate"
+          region                      = "us-east-005"
+          endpoint                    = "${{ secrets.B2_TF_ENDPOINT }}"
+          access_key                  = "${{ secrets.B2_KEY_ID }}"
+          secret_key                  = "${{ secrets.B2_APPLICATION_KEY }}"
+          skip_credentials_validation = true
+          skip_metadata_api_check     = true
+          skip_region_validation      = true
+          skip_requesting_account_id  = true
+          force_path_style            = true
+          EOF
          echo "Created secrets.auto.tfvars:"
          cat secrets.auto.tfvars | sed 's/=.*/=***/'
          echo "Using token ID from terraform.tfvars:"
@@ -34,7 +47,7 @@ jobs:

      - name: Terraform Init
        working-directory: terraform
-        run: terraform init
+        run: terraform init -reconfigure -backend-config=backend.hcl

      - name: Terraform Format Check
        working-directory: terraform
--- a/terraform/main.tf
+++ b/terraform/main.tf
@@ -1,4 +1,6 @@
 terraform {
+  backend "s3" {}
+
  required_providers {
    proxmox = {
      source  = "Telmate/proxmox"