OpenTofu uses persisted state data to keep track of the resources it manages. Most non-trivial OpenTofu configurations use a backend to store state remotely.
Corpus manages the OpenTofu remote state backend for all platform team repositories. State is stored in KMS-encrypted Cloud Storage buckets created and managed by pt-corpus.
Storing state remotely lets multiple people access the state data and work together on that collection of infrastructure resources.
State Encryption
All state buckets use Customer Managed Encryption Keys (CMEK) via Cloud KMS in addition to OpenTofu's native state encryption. Both layers of encryption are required for all platform repositories.
OpenTofu state is managed exclusively in GitHub Actions via the reusable workflows in pt-techne-opentofu-workflows. Local development environments do not have access to remote state or the KMS keys required to decrypt it.
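The two encryption layers described above, as an added configuration sketch (not taken from pt-corpus or pt-techne-opentofu-workflows). The bucket name, prefix and KMS key path are placeholders, and the use of the `gcp_kms` key provider with the `aes_gcm` method for the native layer is an assumption about how that layer is set up:

```hcl
terraform {
  # Layer 1: remote state in a Cloud Storage bucket. CMEK is assumed to be
  # the bucket's default Cloud KMS key, set when pt-corpus creates the bucket,
  # so no key is named in the backend block itself.
  backend "gcs" {
    bucket = "example-state-bucket"    # placeholder
    prefix = "example-repo/production" # placeholder
  }

  # Layer 2: OpenTofu native state encryption (OpenTofu 1.7 and later).
  # The state is encrypted client-side before it is uploaded, so the object
  # in the bucket is ciphertext even to someone who can read the bucket.
  encryption {
    key_provider "gcp_kms" "state" {
      # Placeholder key path; substitute the key the workflows are granted.
      kms_encryption_key = "projects/EXAMPLE_PROJECT/locations/EXAMPLE_LOCATION/keyRings/EXAMPLE_RING/cryptoKeys/EXAMPLE_KEY"
      key_length         = 32
    }

    method "aes_gcm" "state" {
      keys = key_provider.gcp_kms.state
    }

    state {
      method   = method.aes_gcm.state
      enforced = true # guards against state being written without encryption
    }

    # Plan files carry the same sensitive values as state, so they get the
    # same method.
    plan {
      method   = method.aes_gcm.state
      enforced = true
    }
  }
}
```

Because the native layer needs a KMS call to obtain its data key, a principal without access to that key cannot decrypt the state even if it obtains the stored object.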