Why should you not store the Terraform state file (.tfstate) inside a Git repository?

It is generally not recommended to commit .tfstate files to Git or any other version control system. .tfstate files contain sensitive information about the infrastructure managed by Terraform, including the current state of resources and the configurations used to create them. If these files are committed to version control and made publicly available, they could potentially be accessed by unauthorized users, posing a security risk.

Instead of committing .tfstate files to version control, it is recommended to store them remotely using a backend such as S3, Azure Storage, or Google Cloud Storage. This allows you to version and track changes to your infrastructure configurations without exposing sensitive information. You can then use tools such as terraform init and terraform workspace to manage the state of your infrastructure.

Table of Contents

  1. Top 10 Reasons why you should store .tfstate files remotely using a backend
  2. How to migrate .tfstate file from Git Repo to remote backend?
  3. Conclusion

Top 10 Reasons why you should store .tfstate files remotely using a backend

Here are my top 10 reasons for storing .tfstate files remotely using a backend:

  1. Security: By storing .tfstate files remotely, you can keep sensitive information about your infrastructure out of version control and away from unauthorized users.

  2. Collaboration: Storing .tfstate files remotely allows multiple team members to access and modify the state of the infrastructure, improving collaboration and coordination.

  3. Versioning: By storing .tfstate files remotely, you can version and track changes to your infrastructure configurations, helping you to better understand how your infrastructure evolves over time.

  4. Disaster recovery: In the event of a disaster, storing .tfstate files remotely can help you to recover your infrastructure more quickly and easily.

  5. Improved reliability: Remotely storing .tfstate files can help to improve the reliability of your infrastructure, as it allows you to more easily track and manage changes to resources.

  6. Ease of use: Using a backend to store .tfstate files can simplify the process of managing state, as it eliminates the need to manually manage and track state files.

  7. Centralized management: Storing .tfstate files remotely allows you to centralize the management of your infrastructure state, making it easier to maintain and update resources.

  8. Improved performance: Storing .tfstate files remotely can improve the performance of Terraform, as it reduces the size and complexity of the .tfstate file and allows for more efficient management of resources.

  9. Improved scalability: By storing .tfstate files remotely, you can more easily scale your infrastructure as your needs grow and change.

  10. Improved flexibility: Remotely storing .tfstate files allows you to more easily switch between different environments and configurations, improving the flexibility of your infrastructure.

Here is a sample screenshot of my terraform.tfstate file:

[Screenshot: Terraform - do not store .tfstate in a Git repository]
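What a committed state file gives away, as an added example that is not part of the original article: Terraform writes attribute values, including outputs marked sensitive, into the state as plain JSON, so anyone who can read the file can read them. The sample state, the hint list and the function names are constructed for illustration.

```python
import json

# Attribute-name fragments that usually indicate credentials (assumed list).
SECRET_HINTS = ("password", "secret", "private_key", "token", "access_key")

# Constructed sample in the version-4 state layout; every value is a placeholder.
SAMPLE_STATE = json.dumps({
    "version": 4, "terraform_version": "1.5.0", "serial": 7, "lineage": "example",
    "outputs": {"db_password": {"value": "EXAMPLE-ONLY", "sensitive": True}},
    "resources": [{
        "mode": "managed", "type": "aws_db_instance", "name": "main",
        "instances": [{"attributes": {
            "username": "admin",
            "password": "EXAMPLE-ONLY",
            "tags": {"api_token": "EXAMPLE-ONLY", "team": "platform"},
        }}],
    }],
})


def _walk(value, path):
    """Yield (dotted_path, leaf) for every leaf below value."""
    if isinstance(value, dict):
        for key, child in value.items():
            yield from _walk(child, f"{path}.{key}")
    elif isinstance(value, list):
        for index, child in enumerate(value):
            yield from _walk(child, f"{path}[{index}]")
    else:
        yield path, value


def find_exposed_secrets(state_text):
    """Return sorted paths of non-empty, secret-looking values in a state file."""
    state = json.loads(state_text)
    # Outputs flagged sensitive are hidden in CLI output but stored in the state.
    hits = {f"output.{name}" for name, out in state.get("outputs", {}).items()
            if out.get("sensitive") and out.get("value") not in (None, "")}
    for res in state.get("resources", []):
        for i, inst in enumerate(res.get("instances", [])):
            base = f"{res['type']}.{res['name']}[{i}]"
            for path, leaf in _walk(inst.get("attributes", {}), base):
                last = path.rsplit(".", 1)[-1].lower()
                if leaf not in (None, "") and any(h in last for h in SECRET_HINTS):
                    hits.add(path)
    return sorted(hits)


if __name__ == "__main__":
    print("\n".join(find_exposed_secrets(SAMPLE_STATE)))
```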


How to migrate .tfstate file from Git Repo to the remote backend?

It is very common for a developer to commit and push the .tfstate file to a public GitHub repository. In such cases, you can use the following steps to move the state file to the remote backend:

  1. Choose a backend: First, you will need to choose a backend to use for storing your state file. Terraform supports a variety of backends, including AWS S3, Google Cloud Storage, and Azure Storage.

Google Cloud Storage:

# backend.tf

terraform {
  backend "gcs" {
    bucket  = "my-state-bucket"
    prefix  = "path/to/state/file"
  }
}

In the above example -

  1. bucket - Specifies the name of the Google Cloud Storage bucket where the state file will be stored
  2. prefix - Specifies the path to the state file within the bucket

To use this configuration, you will need to have a Google Cloud Storage bucket set up and the gcloud command-line tool installed on your machine.

AWS S3 Bucket:

# backend.tf

terraform {
  backend "s3" {
    bucket = "my-state-bucket"
    key    = "path/to/state/file.tfstate"
  }
}

In the above example -

  1. bucket - Specifies the name of the S3 bucket where the state file will be stored
  2. key - Specifies the path to the state file within the bucket

Azure Storage remote backend:

# backend.tf

terraform {
  backend "azurerm" {
    storage_account_name = "mystorageaccount"
    container_name       = "mycontainer"
    key                  = "path/to/state/file.tfstate"
    resource_group_name  = "myresourcegroup"
  }
}

In the above example -

  1. storage_account_name - Specifies the name of the Azure Storage account where the state file will be stored
  2. container_name - Specifies the name of the container within the storage account where the state file will be stored
  3. key - Specifies the path to the state file within the container
  4. resource_group_name - Specifies the name of the resource group where the storage account is located.

Migrate the state file from Git to the remote backend using terraform state push

To migrate the state file from Git to the remote backend, you can use the terraform state push command. For example:

terraform state push mystate.tfstate

This will upload the state file to the specified remote backend. For example -

  1. If you are using Google Cloud, then the .tfstate file will be pushed to Google Cloud Storage.
  2. If you are using AWS, then the .tfstate file will be pushed to the AWS S3 bucket.
  3. If you are using Azure, then the .tfstate file will be pushed to Azure Storage.
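Once the state lives in the backend, the repository needs a check that keeps state files from being committed again. The following is an added example, not code from the original article, of logic that could run in a pre-commit hook or CI job: it flags files by name and also by content, so a renamed copy is caught. The function names, glob list and sample files are assumptions made for illustration, and collecting the staged files from Git is left to the caller.

```python
import fnmatch
import json
import posixpath

# Names Terraform uses for local state and its backups (assumed glob list).
STATE_GLOBS = ("*.tfstate", "*.tfstate.*")
# Top-level keys present in a version-4 state document.
STATE_KEYS = {"version", "terraform_version", "serial", "lineage"}

# Constructed sample of staged files; all values are placeholders.
STATE_DOC = json.dumps({"version": 4, "terraform_version": "1.5.0",
                        "serial": 3, "lineage": "example", "resources": []})
SAMPLE_STAGED = {
    "main.tf": 'resource "null_resource" "x" {}',
    "envs/prod/terraform.tfstate": STATE_DOC,
    "envs/prod/terraform.tfstate.backup": STATE_DOC,
    "backup/state-2023.json": STATE_DOC,  # renamed copy, caught by content
    "package.json": json.dumps({"version": "1.0.0"}),
}


def is_state_name(path):
    """True when the file name matches a Terraform state naming pattern."""
    name = posixpath.basename(path)
    return any(fnmatch.fnmatchcase(name, glob) for glob in STATE_GLOBS)


def is_state_content(text):
    """True when the text is JSON carrying the state file's top-level keys."""
    try:
        doc = json.loads(text)
    except ValueError:
        return False
    return isinstance(doc, dict) and STATE_KEYS.issubset(doc)


def find_state_files(files):
    """Map each offending path in {path: text} to the reason it was flagged."""
    flagged = {}
    for path, text in files.items():
        if is_state_name(path):
            flagged[path] = "name"
        elif is_state_content(text):
            flagged[path] = "content"
    return flagged


if __name__ == "__main__":
    print(find_state_files(SAMPLE_STAGED))
```

Deleting the file in a new commit leaves earlier copies in the repository history, so any credentials found in a committed state file should be rotated.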

Conclusion

I hope this article will help you to understand the importance of storing the .tfstate file remotely. For a more detailed example please refer to the blog post - Terraform state locking using DynamoDB (aws_dynamodb_table)
