Vaultify
Vaultify is a CLI tool built in Golang that simplifies the process of encrypting your state files, whether they are for OpenTofu or Terraform, and securely sending them to your HashiCorp Vault server or preferred cloud provider. Additionally, it provides the capability to decrypt and pull your state files to your local environment with ease.
Install / Use
██╗ ██╗ █████╗ ██╗ ██╗██╗ ████████╗██╗███████╗██╗ ██╗
██║ ██║██╔══██╗██║ ██║██║ ╚══██╔══╝██║██╔════╝╚██╗ ██╔╝
██║ ██║███████║██║ ██║██║ ██║ ██║█████╗ ╚████╔╝
╚██╗ ██╔╝██╔══██║██║ ██║██║ ██║ ██║██╔══╝ ╚██╔╝
╚████╔╝ ██║ ██║╚██████╔╝███████╗██║ ██║██║ ██║
╚═══╝ ╚═╝ ╚═╝ ╚═════╝ ╚══════╝╚═╝ ╚═╝╚═╝ ╚═╝
Vaultify CLI Documentation
Overview
Vaultify is a CLI tool developed in Go that stores Terraform and OpenTofu state files as gzip-compressed, base64-encoded strings in a central location instead of leaving them readable on a workstation or in a build agent. It handles compression, encoding and the push/pull round trip for several backends: HashiCorp Vault and Azure Storage Accounts today, with AWS S3 buckets planned. Two points worth keeping in mind when evaluating it: base64 on its own is a reversible encoding, not encryption, so the confidentiality of a stored state file rests on the backend's access control and encryption at rest (which is why the design leans on Vault's RBAC); and a state file is a secret in its own right, since it routinely contains credentials, connection strings and resource identifiers in plaintext.
NOTE: You can also refer to vaultify documentation at Vaultify to learn more.
In summary, Vaultify moves state-file handling out of ad-hoc scripts and into a single tool with a consistent push/pull workflow. Supporting several storage backends (HashiCorp Vault, Azure Storage, and AWS S3 in future) lets teams pick the backend that fits their licensing and cost constraints without changing the pipeline steps that produce and consume state.
Why Vaultify?
Vaultify was developed to tackle a recurring problem in large organizations: the overlay of roles and permissions across teams makes it easy for someone to end up with read access to Terraform state files in plaintext. Vaultify gives state files a single, access-controlled home, keeps the encryption and push/pull steps to one command each, and fits into existing pipeline and DevOps platforms. It supports HashiCorp Vault and Azure Storage as backends, and works around Vault's 1MB limit per secret by gzip-compressing state files before they are stored. This lets organizations tighten who can read state, centralize permission management, and keep deployment pipelines uncomplicated.
<details>
<summary>Click to read why Vaultify was created in depth</summary>

Vaultify's creation was inspired by my extensive experience across large-scale organizations, where I encountered significant challenges in managing access rights and permissions for sensitive files. In these environments, the intricate overlay of roles and permissions frequently led to scenarios where individuals could inadvertently access state files in plaintext, a situation that should never occur. Moreover, the size and complexity of these organizations often meant that other teams' errors could introduce security vulnerabilities, sometimes remaining undetected until posing a tangible risk.
The objective behind developing Vaultify was to address these critical issues by providing a Command-Line Interface (CLI) tool specifically designed to simplify the encryption process of state files. This ensures that sensitive information is never left exposed in plaintext, thereby enhancing security without complicating the deployment infrastructure or the continuity of pipeline processes.
Vaultify is designed to seamlessly integrate with virtually any pipeline and DevOps platform provider, offering a versatile solution for secure state file management. The decision to include Vault as a supported storage option was motivated by the desire to centralize role-based access control (RBAC) mechanisms. Utilizing Vault allows for the consolidation of permission management in a single location, leveraging Vault's inherent security features and simplifying the oversight of access rights.
Furthermore, recognizing the potential cost implications of relying exclusively on HashiCorp Vault within enterprise licensing models, Vaultify also extends support to Azure Storage. This lets organizations keep state files out of plaintext, stored as compressed, base64-encoded strings behind the storage account's access controls, without incurring unnecessary expenses. By encrypting all state files, Vaultify reduces the risks associated with plaintext file storage and shrinks the attack surface, providing a comprehensive and secure state management solution.
The initial reluctance to adopt Vault for Terraform state file management was largely due to its 1MB size limit per secret, rendering it unsuitable for larger state files. This restriction posed a significant challenge for using Vault as a unified platform for state management, particularly as the size of state files tends to increase with the complexity of the infrastructure being managed.
Vaultify addresses this challenge by gzip-compressing state files before they are encrypted and encoded. Terraform state is JSON with a great deal of repeated structure (resource schemas, provider addresses, tag blocks), so gzip ratios are usually high: a 5MB state file shrinking to a few hundred KB is plausible, though not guaranteed, because the ratio depends on the content. Two details matter for the size budget. First, compression has to happen before base64 encoding; compressing base64 text instead loses most of the gain because the encoding spreads byte patterns apart. Second, base64 inflates its input by a third, so the compressed (and encrypted) payload must stay under roughly 768KB for the stored string to fit within a 1MB secret.
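The size arithmetic above is easy to get wrong in practice, so here is a small Go program, added as an example here and not taken from the Vaultify code base, that does the gzip-then-base64 packing in the right order, reverses it, and checks the result against a 1MB (1 MiB) per-secret budget. The sample state it builds is constructed data in the shape of a Terraform state file, and the function and constant names are this example's own; encryption is deliberately left out because the page does not describe the cipher Vaultify uses.

```go
package main

import (
	"bytes"
	"compress/gzip"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"io"
)

// vaultMaxSecretBytes is the per-secret limit the text cites for Vault (1 MB, taken as 1 MiB).
const vaultMaxSecretBytes = 1 << 20

// maxCompressedBytes is the largest gzip output whose base64 form still fits:
// 1 MiB * 3/4 = 786432 bytes. One byte more overflows the limit after encoding.
const maxCompressedBytes = vaultMaxSecretBytes / 4 * 3

// base64Size returns the length of the standard (padded) base64 encoding of n bytes.
func base64Size(n int) int {
	return (n + 2) / 3 * 4
}

// packState gzips the raw state and base64-encodes the compressed stream.
// Order matters: gzip first, then base64. Compressing base64 text instead
// loses most of the benefit because the encoding spreads byte patterns apart.
func packState(raw []byte) (string, error) {
	var buf bytes.Buffer
	zw, err := gzip.NewWriterLevel(&buf, gzip.BestCompression)
	if err != nil {
		return "", err
	}
	if _, err := zw.Write(raw); err != nil {
		return "", err
	}
	if err := zw.Close(); err != nil {
		return "", err
	}
	return base64.StdEncoding.EncodeToString(buf.Bytes()), nil
}

// unpackState reverses packState: base64-decode, then gunzip.
func unpackState(encoded string) ([]byte, error) {
	compressed, err := base64.StdEncoding.DecodeString(encoded)
	if err != nil {
		return nil, err
	}
	zr, err := gzip.NewReader(bytes.NewReader(compressed))
	if err != nil {
		return nil, err
	}
	defer zr.Close()
	return io.ReadAll(zr)
}

// fitsVaultSecret reports whether the packed payload is within the cited limit.
func fitsVaultSecret(encoded string) bool {
	return len(encoded) <= vaultMaxSecretBytes
}

// sampleState builds a synthetic Terraform-style state with n resources.
// This is constructed test data, not a real state file.
func sampleState(n int) []byte {
	type resource struct {
		Mode       string            `json:"mode"`
		Type       string            `json:"type"`
		Name       string            `json:"name"`
		Attributes map[string]string `json:"attributes"`
	}
	state := struct {
		Version   int        `json:"version"`
		Resources []resource `json:"resources"`
	}{Version: 4}
	for i := 0; i < n; i++ {
		state.Resources = append(state.Resources, resource{
			Mode: "managed",
			Type: "aws_instance",
			Name: fmt.Sprintf("web%d", i),
			Attributes: map[string]string{
				"id":            fmt.Sprintf("i-%016x", i),
				"ami":           "ami-0123456789abcdef0",
				"instance_type": "t3.micro",
			},
		})
	}
	b, err := json.MarshalIndent(state, "", "  ")
	if err != nil {
		panic(err)
	}
	return b
}

func main() {
	raw := sampleState(2000)
	packed, err := packState(raw)
	if err != nil {
		panic(err)
	}
	fmt.Printf("raw state: %d bytes\n", len(raw))
	fmt.Printf("gzip+base64 payload: %d bytes (limit %d, fits: %v)\n",
		len(packed), vaultMaxSecretBytes, fitsVaultSecret(packed))
	fmt.Printf("largest gzip output that still fits after base64: %d bytes\n", maxCompressedBytes)
}
```

Run it with `go run .` to see the raw versus packed sizes for the synthetic state. If you add encryption between the gzip and base64 steps, apply the same budget to the ciphertext length (plus any nonce or tag bytes), since that is what gets base64-encoded and stored.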
By overcoming Vault's size limitation, Vaultify enhances the practicality of storing Terraform state files securely within Vault. This advancement opens up avenues for organizations to centralize their infrastructure management practices, offering a secure, efficient, and consolidated solution for managing sensitive state data. Vaultify's approach not only navigates around the storage size hurdle but also capitalizes on the security and organizational benefits that Vault provides, presenting a compelling case for its adoption in managing Terraform state files across various scales of infrastructure projects.
</details>

Key Features of Vaultify
| Feature | Vaultify | Traditional Methods |
|----------------------------------------------|--------------------------------------------------------------------------|---------------------------------------------------------------|
| Encryption of State Files | Automatically encrypts state files before storage. | State files stored in plain text or manually encrypted. |
| Decryption for Use | Automatically decrypts on retrieval for immediate use. | Manual decryption required if encrypted. |
| State File Management | Centralized management for push, pull, and sync of state files. | Relies on manual management or Terraform Cloud features. |
| Integration with Secret Managers | Native integration with HashiCorp Vault, Azure Storage, etc. | Limited to Terraform Cloud's integration or manual setup. |
| Access Control and Permissions | Leverages existing secret manager's RBAC for unified access control. | Managed separately within Terraform Cloud or storage backend. |
| Version Control and History | Integrates with secret managers to utilize their versioning capabilities.| Dependent on backend capabilities or Terraform Cloud. |
| Cost Optimization | Potentially reduces costs through efficient storage management. | Costs can vary based on backend and Terraform Cloud pricing. |
| Simplified Workflow | Streamlines the encryption and decryption process with simple commands. | Often requires additional scripts or manual processes. |
| Customizable Configuration | Flexible .vaultify/settings.json for tailored workflows. | Configuration limited to Terraform backend syntax. |
| DevOps and CI/CD Integration | Designed for seamless integration into any pipeline or DevOps platform. | Requires custom integration or use of Terraform Cloud features.|
| Scalability                                  | Built to efficiently scale with project complexity and size.             |                                                               |
