Terraform State Management: Remote State, Locking, and Workspaces

Why State Management Is Critical

The Terraform state maps your HCL configuration to real cloud resources. If the state is lost or becomes inconsistent, Terraform can no longer manage your infrastructure.

Remote State: S3 + DynamoDB

Local state works for individuals — but in teams, you need remote state.

• S3 Backend: Store state in a versioned, encrypted S3 bucket.
• DynamoDB Locking: Prevents two team members from running apply simultaneously.
• Encryption: Server-side encryption (SSE-S3 or SSE-KMS) for state at rest.

State Structure

• One State per Environment: Separate state files for dev, staging, and production — a failed apply in dev must not affect production.
• Workspaces vs. Directories: Workspaces share code with different state files. Directories provide stronger isolation. We prefer directories for production.
• State Granularity: Networking, compute, and application in separate states — reduces blast radius and plan times.

Emergency Procedures

• State Backup: Enable S3 versioning — every apply automatically creates a backup.
• Import: terraform import to adopt existing resources into the state.
• State Surgery: terraform state rm and terraform state mv for refactoring — always with a prior backup.