"Outputs only" Terraform state endpoint
Proposal
GitLab should support restricting Terraform state reads to Maintainer and offer an "outputs only" version of state that is readable by lower privilege levels (e.g., Developer). This makes it possible to share outputs between projects without also sharing sensitive state, and works around Terraform not having a great story for this.
This could work by having an endpoint like https://gitlab.example/api/v4/projects/12345/terraform/outputs/STATE_NAME that complements the existing https://gitlab.example/api/v4/projects/12345/terraform/state/STATE_NAME. This endpoint could transform the "real" state on the fly and store nothing, or the "outputs only" version of state could be stored alongside it. Either works, depending on your performance concerns.
Here is an example using jq of transforming the state that should work fine (tested with Terraform 1.3 and 0.12):
jq '{ version, terraform_version, serial, lineage, outputs, check_results, resources: [] }' terraform.tfstate
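As an added illustration (not part of the proposal or GitLab's code), the same reduction in Python, run over a constructed sample state so the effect can be checked: the resource attributes, which hold the database password, are dropped. The `drop_sensitive` option goes one step further than the jq filter and also removes outputs Terraform has flagged as `sensitive`, since an outputs-only endpoint would otherwise still hand those to Developers; `outputs_only`, `leaks` and `SAMPLE_STATE` are names chosen here.

```python
import json

# Keys an "outputs only" state keeps, mirroring the jq filter in the proposal.
# check_results only exists in state written by Terraform 1.3+, so it is
# copied only when present instead of being emitted as null.
KEEP_KEYS = ("version", "terraform_version", "serial", "lineage",
             "outputs", "check_results")


def outputs_only(state: dict, drop_sensitive: bool = False) -> dict:
    """Copy of a v4 Terraform state with every resource removed.

    Terraform records outputs declared `sensitive = true` with a
    "sensitive": true flag in state; with drop_sensitive=True those are
    removed too, so the reduced document cannot leak them either."""
    reduced = {k: state[k] for k in KEEP_KEYS if k in state}
    reduced["resources"] = []
    if drop_sensitive:
        reduced["outputs"] = {
            name: out for name, out in state.get("outputs", {}).items()
            if not out.get("sensitive", False)
        }
    return reduced


def leaks(doc: dict, secret: str) -> bool:
    """True if `secret` appears anywhere in the serialised document."""
    return secret in json.dumps(doc)


# Constructed sample state (no real infrastructure): one resource whose
# attributes hold a database password, plus one plain and one sensitive output.
SAMPLE_STATE = {
    "version": 4,
    "terraform_version": "1.3.0",
    "serial": 7,
    "lineage": "00000000-0000-0000-0000-000000000000",
    "outputs": {
        "db_endpoint": {"value": "db.internal:5432", "type": "string"},
        "db_password": {"value": "hunter2", "type": "string", "sensitive": True},
    },
    "resources": [{
        "mode": "managed", "type": "aws_db_instance", "name": "main",
        "provider": 'provider["registry.terraform.io/hashicorp/aws"]',
        "instances": [{"schema_version": 1, "attributes": {
            "password": "hunter2", "endpoint": "db.internal:5432"}}],
    }],
    "check_results": None,
}
```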
Alternatives
Alternative 1: GitLab could do nothing and just encourage users to shove these outputs into a release/pipeline artifact, and then use the existing functionality to make data "terraform_remote_state" "foo" {} point there. This potentially means that users are pointing at old state, and doesn't really resolve the issue with leaking potentially sensitive state.
Alternative 2: GitLab could make the permissions for state read configurable and encourage users to use a release/pipeline artifact as above.
Alternative 3: GitLab could make the permissions for state read configurable and encourage users to use something like AWS Systems Manager Parameter Store or AWS Secrets Manager to make outputs available between Terraform projects. This isn't ideal because it assumes you're managing resources in a service like AWS, and you might only be managing e.g. Grafana dashboards, without AWS being involved.