This guide explains how to build and run the Terraform Backend Service using Docker and docker-compose.
- Docker Engine 20.10 or higher
- Docker Compose V2 or higher
- At least 512MB of available RAM
cp .env.docker .envEdit .env to customize your deployment if needed.
docker-compose up -dThis will:
- Build the Docker image
- Start the service in detached mode
- Map port 7777 to your host machine
- Mount the
data/directory for persistent storage
# Check service health
curl http://localhost:7777/health
# View logs
docker-compose logs -f terraform-backend
# Check container status
docker-compose psEdit .env file to configure the service:
# Port mapping (host:container)
HOST_PORT=7777
# Storage type: csv (data upload) or memory (state backend)
STORAGE_TYPE=csv
# TLS Configuration
ENABLE_TLS=false
TLS_CERT_FILE=
TLS_KEY_FILE=STORAGE_TYPE=csv
HOST_PORT=7777STORAGE_TYPE=memory
HOST_PORT=8080You can run both modes simultaneously on different ports:
# docker-compose.override.yml
version: '3.8'
services:
terraform-backend-csv:
ports:
- "7777:7777"
environment:
- STORAGE_TYPE=csv
terraform-backend-memory:
ports:
- "8080:7777"
environment:
- STORAGE_TYPE=memoryThe service uses credentials from auth.cfg file. This file is mounted into the container as read-only.
To manage credentials:
- Edit
auth.cfgon the host - Restart the container:
docker-compose restart
The service automatically reloads credentials when the file changes.
Data is persisted through Docker volumes:
./data:/app/data- CSV storage directory./auth.cfg:/app/auth.cfg:ro- Authentication configuration (read-only)
Data persists across container restarts and rebuilds.
To enable HTTPS:
-
Place your certificate files in a
certs/directory:mkdir -p certs cp your-cert.pem certs/ cp your-key.pem certs/
-
Update
.env:ENABLE_TLS=true TLS_CERT_FILE=/app/certs/your-cert.pem TLS_KEY_FILE=/app/certs/your-key.pem
-
Uncomment the volume mount in
docker-compose.yml:volumes: - ./certs:/app/certs:ro
-
Restart the service:
docker-compose restart
# Build and start in background
docker-compose up -d
# Build with no cache
docker-compose build --no-cache
# Start without rebuilding
docker-compose up -d# View logs (live)
docker-compose logs -f
# View logs for specific service
docker-compose logs -f terraform-backend
# Check container status
docker-compose ps
# Execute shell inside container
docker-compose exec terraform-backend sh
# View resource usage
docker stats terraform-backend# Stop services
docker-compose stop
# Stop and remove containers
docker-compose down
# Remove containers and volumes
docker-compose down -v
# Remove containers, volumes, and images
docker-compose down -v --rmi all# Health check
curl http://localhost:7777/health
# Upload test data (CSV mode)
curl -X POST "http://localhost:7777/api/v1/upload" \
-H "X-Org-ID: 11111111-2222-3333-4444-555555555555" \
-H "X-API-Key: demo-api-key-12345" \
-H "Content-Type: application/json" \
-d '{"resource_type": "vm_instance", "resource_name": "web-server-01", "status": "running"}'
# Retrieve data
curl "http://localhost:7777/api/v1/data" \
-H "X-Org-ID: 11111111-2222-3333-4444-555555555555" \
-H "X-API-Key: demo-api-key-12345"- Enable TLS: Always use HTTPS in production
- Change Default Credentials: Update
auth.cfgwith strong API keys - Network Isolation: Use Docker networks to isolate services
- Resource Limits: Configure CPU and memory limits in docker-compose.yml
- Read-Only Filesystem: The container uses a non-root user for security
The service includes a health check endpoint:
# Manual health check
docker-compose exec terraform-backend wget -q -O- http://localhost:7777/health
# Docker will automatically check health every 30 seconds
docker inspect terraform-backend | grep -A 10 HealthTo run multiple instances:
docker-compose up -d --scale terraform-backend=3Note: You'll need to configure a load balancer (nginx, traefik, etc.) in front of the instances.
To backup your data:
# Backup data directory
tar -czf backup-$(date +%Y%m%d).tar.gz data/
# Backup authentication config
cp auth.cfg auth.cfg.backupCheck logs:
docker-compose logs terraform-backendCommon issues:
- Port already in use: Change
HOST_PORTin.env - Missing auth.cfg: Create the file before starting
- Permission issues: Ensure
data/directory is writable
# Check if container is running
docker-compose ps
# Check container health
docker inspect terraform-backend | grep -A 10 Health
# Test from inside container
docker-compose exec terraform-backend wget -q -O- http://localhost:7777/healthVerify volume mounts:
docker inspect terraform-backend | grep -A 20 MountsEnsure the data/ directory exists and has proper permissions.
Adjust resource limits in docker-compose.yml:
deploy:
resources:
limits:
memory: 256MThe service uses a bridge network by default. To integrate with existing networks:
networks:
default:
external:
name: your-existing-networkprovider "your_provider" {
url = "http://localhost:7777"
org_id = "11111111-2222-3333-4444-555555555555"
apikey = "demo-api-key-12345"
}terraform {
backend "http" {
address = "http://localhost:8080/api/v1/state/my-infrastructure"
lock_address = "http://localhost:8080/api/v1/state/my-infrastructure/lock"
unlock_address = "http://localhost:8080/api/v1/state/my-infrastructure/lock"
lock_method = "POST"
unlock_method = "DELETE"
username = "11111111-2222-3333-4444-555555555555"
password = "demo-api-key-12345"
}
}- Main README - General service documentation
- Quick Start Guide - Getting started without Docker
- OpenAPI Specification - API documentation
For issues or questions:
- Check container logs:
docker-compose logs -f - Verify configuration in
.envanddocker-compose.yml - Test connectivity:
curl http://localhost:7777/health