Allow remote state encryption (using azurerm backend)

[ramondeklein]

I created an implementation to allow encrypted state as suggested in #29272 (comment).

Motivation

Sometimes it's hard to prevent access to the Terraform state files. Because these state files often contain sensitive data, such as client secrets, passwords, certificates, ... it is a good idea to have these state files encrypted.

Implementation details

As you can see from the commit, it is very straightforward and this approach could be used for other backend providers too. I think it's better to implement it at the provider level, because:

1. Some back-ends might have even stronger encryptions (i.e. keys can be sourced from external vaults).
2. Some back-ends don't really need encryption.
3. Implementation is pretty straightforward (especially if the cyrpto functions are moved up to a more generic level).

The implementation uses AES-256 GCM encryption with a 12-byte secure random IV, so the encryption should be secure for most environments. The actual 256-bit key is derived by creating a SHA256 of the encryption phrase, so the length and randomness of the encryption phrase actually determines the actual security.

[hashicorp-cla]

All committers have signed the CLA.

[crw]

Thanks for this submission. Although I cannot commit to having this PR reviewed at this time, we acknowledge your contribution and appreciate it! Just FYI please also see #28603 and #9556. We also had another issue opened recently that seems related to this PR: #30944. Thanks again for the submission!

[hkrutzer]

@crw can you provide some insight into the factors contributing to the duration of the review process of these proposed changes?

[crw]

@hkrutzer In this case, the review process has not been started, so we are talking here about the prioritization process.

Backends are supported by the various provider teams, as they have the means to test the backend functionality (whereas the core team usually is not setup for that). The provider teams are primarily focused on the providers, backend PRs tend to be a lower priority. This is mentioned in https://github.com/hashicorp/terraform/blob/main/.github/CONTRIBUTING.md#state-storage-backends, although the language here is not entirely accurate as things currently stand, and needs to be updated (planning to do that this week).

Additionally, given that this PR involves encryption (which implies some guarantee of the "security" of the data), the standard of care with regards to considering all of the implications of this change impose an additional weight to any potential review.

From past experiences I would expect this PR would be considered at a time when the product team is considering the secured state issue more broadly.

[joakimlemb]

Any ETA on this?

[github-actions]

I'm going to lock this pull request because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active contributions.
If you have found a problem that seems related to this change, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.