tfc-backup-b2

Docker image to export variables from Terraform Cloud and back them up to a Restic repository on Backblaze B2. The image can also initialize the Restic repository on the existing Backblaze B2 bucket.

Description

During the review of a disaster recovery plan, we realized that we didn't have a record of the values we set for variables in Terraform Cloud workspaces. It would be difficult to recover from the accidental deletion of a Terraform Cloud workspace. A Perl script exports workspaces, variables, and variable sets to JSON files using the Terraform Cloud API. The JSON files are then backed up using Restic to a repository on a Backblaze B2 bucket.

Two files are created for each Terraform Cloud workspace:

• workspace-name-attributes.json
• workspace-name-variables.json

Two files are created for each Terraform Cloud Variable Set:

• varset-variable-set-name-attributes.json
• varset-variable-set-name-variables.json

Spaces in the variable set name are replaced with hyphens (-).

How to use it

1. Copy local.env.dist to local.env.
2. Set the values for the variables contained in local.env.
3. Obtain a Terraform Cloud access token. Go to https://app.terraform.io/app/settings/tokens to create an API token.
4. Add the access token as the value for ATLAS_TOKEN in local.env.
5. Create a Backblaze B2 bucket. Set the File Lifecycle to Keep only the last version.
6. Add the B2 bucket name to RESTIC_REPOSITORY in local.env.
7. Obtain a Backblaze Application Key. Restrict its access to the B2 bucket you just created. Ensure the application key has these capabilities: deleteFiles, listBuckets, listFiles, readBuckets, readFiles, writeBuckets, writeFiles.
8. Add the application key and secret to local.env as the values of B2_ACCOUNT_ID and B2_ACCOUNT_KEY respectively.
9. Initialize the Restic repository (one time only): docker run --env-file=local.env --env BACKUP_MODE=init silintl/tfc-backup-b2:latest
10. Run the Docker image: docker run --env-file=local.env silintl/tfc-backup-b2:latest

Variables

• ATLAS_TOKEN - Terraform Cloud access token
• B2_ACCOUNT_ID - Backblaze keyID
• B2_ACCOUNT_KEY - Backblaze applicationKey
• FSBACKUP_MODE - init initializes the Restic repository at $RESTIC_REPOSITORY (only do this once), backup performs a backup
• ORGANIZATION - Name of the Terraform Cloud organization to be backed up
• RESTIC_BACKUP_ARGS - additional arguments to pass to restic backup command
• RESTIC_FORGET_ARGS - additional arguments to pass to restic forget --prune command (e.g., --keep-daily 7 --keep-weekly 5 --keep-monthly 3 --keep-yearly 2)
• RESTIC_HOST - hostname to be used for the backup
• RESTIC_PASSWORD - password for the Restic repository
• RESTIC_REPOSITORY - Restic repository location (e.g., b2:bucketname:restic)
• RESTIC_TAG - tag to apply to the backup
• SOURCE_PATH - Full path to the directory to be backed up

Docker Hub

This image is built automatically on Docker Hub as silintl/tfc-backup-b2