Why you should not store the Terraform state file (.tfstate) inside a Git repository?
It is generally not recommended to commit .tfstate files to Git or any other version control system. .tfstate files contain sensitive information about the infrastructure managed by Terraform, including the current state of resources and the configurations used to create them. If these files are committed to version control and made publicly available, they could potentially be accessed by unauthorized users, posing a security risk.
Instead of committing .tfstate files to version control, it is recommended to store them remotely using a backend such as S3, Azure Storage, or Google Cloud Storage. This allows you to version and track changes to your infrastructure configurations without exposing sensitive information. You can then use tools such as terraform init and terraform workspace to manage the state of your infrastructure.
Table of Contents
- Top 10 Reasons why you should store .tfstate files remotely using a backend
- How to migrate .tfstate file from Git Repo to remote backend?
- Conclusion
Top 10 Reasons why you should store .tfstate files remotely using a backend
Here are my top 10 picks for storing .tfstate files remotely using a backend:
- Security: By storing .tfstate files remotely, you can keep sensitive information about your infrastructure out of version control and away from unauthorized users.
- Collaboration: Storing .tfstate files remotely allows multiple team members to access and modify the state of the infrastructure, improving collaboration and coordination.
- Versioning: By storing .tfstate files remotely, you can version and track changes to your infrastructure configurations, helping you to better understand how your infrastructure evolves over time.
- Disaster recovery: In the event of a disaster, storing .tfstate files remotely can help you to recover your infrastructure more quickly and easily.
- Improved reliability: Remotely storing .tfstate files can help to improve the reliability of your infrastructure, as it allows you to more easily track and manage changes to resources.
- Ease of use: Using a backend to store .tfstate files can simplify the process of managing state, as it eliminates the need to manually manage and track state files.
- Centralized management: Storing .tfstate files remotely allows you to centralize the management of your infrastructure state, making it easier to maintain and update resources.
- Improved performance: Storing .tfstate files remotely can improve the performance of Terraform, as it reduces the size and complexity of the .tfstate file and allows for more efficient management of resources.
- Improved scalability: By storing .tfstate files remotely, you can more easily scale your infrastructure as your needs grow and change.
- Improved flexibility: Remotely storing .tfstate files allows you to more easily switch between different environments and configurations, improving the flexibility of your infrastructure.
[Screenshot: a sample of my terraform.tfstate file]
How to migrate .tfstate file from Git Repo to the remote backend?
It is very common for a developer to commit and push the .tfstate file to a public GitHub repository. In such cases, you can use the following steps to move the state file to the remote backend:
- Choose a backend: First, you will need to choose a backend to use for storing your state file. Terraform supports a variety of backends, including AWS S3, Google Cloud Storage, and Azure Storage.
Google Cloud Storage:

    # backend.tf

    terraform {
      backend "gcs" {
        bucket = "my-state-bucket"
        prefix = "path/to/state/file"
      }
    }

In the above example:
- bucket - Specifies the name of the Google Cloud Storage bucket where the state file will be stored
- prefix - Specifies the path to the state file within the bucket
To use this configuration, you will need to have a Google Cloud Storage bucket set up and the gcloud command-line tool installed on your machine.
AWS S3 Bucket:

    # backend.tf

    terraform {
      backend "s3" {
        bucket = "my-state-bucket"
        key    = "path/to/state/file.tfstate"
      }
    }

In the above example:
- bucket - Specifies the name of the S3 bucket where the state file will be stored
- key - Specifies the path to the state file within the bucket
Azure Storage remote backend:

    # backend.tf

    terraform {
      backend "azurerm" {
        storage_account_name = "mystorageaccount"
        container_name       = "mycontainer"
        key                  = "path/to/state/file.tfstate"
        resource_group_name  = "myresourcegroup"
      }
    }

In the above example:
- storage_account_name - Specifies the name of the Azure Storage account where the state file will be stored
- container_name - Specifies the name of the container within the storage account where the state file will be stored
- key - Specifies the path to the state file within the container
- resource_group_name - Specifies the name of the resource group where the storage account is located
Migrate the state file from Git to the remote backend using terraform state push
To migrate the state file from Git to the remote backend, you can use the terraform state push command. For example:
    terraform state push mystate.tfstate
This will upload the state file to the specified remote backend. For example:
- If you are using Google Cloud, the .tfstate file will be pushed to Google Cloud Storage.
- If you are using AWS, the .tfstate file will be pushed to the AWS S3 bucket.
- If you are using Azure, the .tfstate file will be pushed to Azure Storage.
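terraform state push compares the lineage and serial of the file being pushed with what the backend already holds and refuses a push that fails those checks. The added example below (not code from the original article) runs the same comparison offline before pushing a copy recovered from Git, and additionally lists resources recorded only in the remote copy; the sample states, lineage values and resource names are constructed.

```python
import json

# Constructed samples: the copy found in Git (serial 3) and a newer remote copy (serial 5).
GIT_COPY = json.dumps({"version": 4, "serial": 3, "lineage": "constructed-lineage-a",
    "resources": [{"mode": "managed", "type": "aws_s3_bucket", "name": "logs"}]})
REMOTE_COPY = json.dumps({"version": 4, "serial": 5, "lineage": "constructed-lineage-a",
    "resources": [{"mode": "managed", "type": "aws_s3_bucket", "name": "logs"},
                  {"mode": "managed", "type": "aws_iam_role", "name": "ci"}]})

def addresses(state):
    """Resource addresses (module prefix, data prefix, type.name) recorded in a state."""
    found = set()
    for res in state.get("resources", []):
        parts = [res.get("module"), "data" if res.get("mode") == "data" else None,
                 res["type"], res["name"]]
        found.add(".".join(p for p in parts if p))
    return found

def push_precheck(local_text, remote_text=None):
    """Return reasons not to push the local state; an empty list means it looks safe."""
    local = json.loads(local_text)
    problems = []
    if local.get("version") != 4:
        problems.append("local state is not format version 4")
    if remote_text is None:  # freshly created backend, nothing to overwrite
        return problems
    remote = json.loads(remote_text)
    if local.get("lineage") != remote.get("lineage"):
        problems.append("lineage differs: the two states track different infrastructure")
    elif local.get("serial", 0) < remote.get("serial", 0):
        problems.append("remote serial is higher: the copy from Git is stale")
    # Resources known only to the remote copy would vanish from state after the push.
    lost = sorted(addresses(remote) - addresses(local))
    if lost:
        problems.append("resources only in remote state: " + ", ".join(lost))
    return problems

if __name__ == "__main__":
    for problem in push_precheck(GIT_COPY, REMOTE_COPY):
        print("do not push:", problem)
```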
Conclusion
I hope this article will help you to understand the importance of storing the .tfstate file remotely. For a more detailed example, please refer to the blog post - Terraform state locking using DynamoDB (aws_dynamodb_table)