Infrastructure as Code with Terraform [Part 7]
Hola Friends! :) When working with Terraform, state management is one of the most critical aspects of infrastructure as code. The Terraform state file (terraform.tfstate) acts as a single source of truth, keeping track of all deployed resources. However, improper state handling can lead to configuration drift, accidental data loss, or infrastructure misalignment.
In this blog, we’ll dive deep into Terraform state management, exploring best practices, advanced techniques, and practical solutions to ensure your infrastructure remains secure, scalable, and efficient
1. What is Terraform State?
Terraform uses a state file (terraform.tfstate) to map infrastructure resources to their real-world counterparts. This state file allows Terraform to:
✅ Track resource changes across deployments.
✅ Prevent unintended modifications by knowing what’s already deployed.
✅ Enable collaboration by allowing teams to work on the same infrastructure.
✅ Detect drift if manual changes occur outside Terraform.
Without proper state management, Terraform can lose track of resources, re-create existing infrastructure, or fail to apply changes correctly.
2. Local vs. Remote Terraform State
Local State (Not Recommended for Teams 🚫)
By default, Terraform stores the state file locally in your project directory. While this works for solo projects, it becomes problematic when working in teams.
Remote State (Recommended ✅)
For team collaboration and security, it's best to store the Terraform state in remote backends like:
Amazon S3 (with DynamoDB locking)
Azure Blob Storage
Google Cloud Storage (GCS)
Terraform Cloud
HashiCorp Consul
How to Configure Remote State with State with S3
terraform {
backend "s3" {
bucket = "my-terraform-state"
key = "env/dev/terraform.tfstate"
region = "us-east-1"
encrypt = true
dynamodb_table = "terraform-lock" # Enables state locking
}
}
This setup:
🔒 Encrypts state at rest.
🔄 Uses DynamoDB for state locking, preventing simultaneous edits.
📂 Maintains separate states for different environments (e.g., dev, prod).
3. Terraform State Locking
In team environments, multiple engineers might apply changes at the same time. To avoid conflicts, Terraform uses state locking, which prevents simultaneous modifications.
🔹 Terraform Cloud and S3+DynamoDB automatically enable state locking.
🔹 If a process is interrupted, you may need to manually unlock the state:
terraform force-unlock <LOCK_ID>
⚠️ Warning: Use this only if you're sure no one else is making changes.
4. Key Terraform State Commands
a) View All Managed Resources
terraform state list
Shows all infrastructure resources Terraform tracks.
b) Inspect a Specific Resource
terraform state show aws_instance.web_server
Displays details about a deployed resource.
c) Rename a Resource in the State File
terraform state mv aws_instance.old_name aws_instance.new_name
Moves a resource within the state file without redeploying it.
d) Remove a Resource from the State File (without destroying it)
terraform state rm aws_s3_bucket.example
This makes Terraform "forget" the resource, but it remains in the cloud.
5. Handling Terraform State Drift
State drift happens when infrastructure is manually changed outside Terraform (e.g., modifying an EC2 instance directly in AWS). To detect drift:
terraform plan -detailed-exitcode
Exit Code
0→ No changes detected ✅Exit Code
2→ Drift detected ⚠️
To reconcile drift and bring the infrastructure back to its defined state:
terraform apply
6. Splitting Terraform State for Large Environments
As infrastructure grows, a single Terraform state file can become unmanageable. A better approach is to split state files by resource type or environment.
Example: Organizing State by Resource Type
network/terraform.tfstate → VPC, subnets
compute/terraform.tfstate → EC2, Kubernetes
database/terraform.tfstate → RDS, Redis
Each module has its own state file and backend configuration:
terraform {
backend "s3" {
bucket = "my-terraform-state"
key = "network/terraform.tfstate"
region = "us-east-1"
}
}
This improves performance, security, and maintainability.
7. Terraform State Versioning & Backup
To prevent accidental state corruption or deletion, enable versioning for your remote state storage.
Enable Versioning in S3
aws s3api put-bucket-versioning --bucket my-terraform-state --versioning-configuration Status=Enabled
This allows rollback to previous state versions if needed.
8. Encrypting Terraform State for Security
To prevent unauthorized access, always encrypt Terraform state.
Enable S3 Encryption
terraform {
backend "s3" {
encrypt = true
}
}
For added security, use IAM roles and restrict state file access.
9. Terraform State Best Practices
✅ Use Remote State – Never store Terraform state locally in teams.
✅ Enable State Locking – Prevent race conditions with DynamoDB or Terraform Cloud.
✅ Regularly Backup State – Enable versioning to restore previous states.
✅ Restrict State Access – Use IAM policies to limit permissions.
✅ Run terraform plan Before apply – Always preview changes to avoid breaking infrastructure.
✅ Use Workspaces for Environments – Avoid maintaining separate configurations for dev, staging, and prod.
Terraform state is the backbone of infrastructure management, and handling it properly ensures scalability, security, and collaboration. By following best practices—such as using remote state, enabling encryption, and detecting drift—you can maintain a robust, automated infrastructure with minimal risk.
A book to read
“You cannot teach a man anything; you can only help him to find it within himself.”
~ Dale Carnegie
Aaqib Ahmad
Senior DevOps Engineer