Terraform State Management

Overview

This page describes Sym's recommendation on how to manage Terraform state for your configurations.

terraform-aws-tfstate-backend

We recommend utilizing CloudPosse's open-source module terraform-aws-tfstate-backend which stores your Terraform state in an S3 bucket and manages the Terraform state lock with DynamoDB.

When using this module, Terraform state is available to anyone with access to the S3 bucket, allowing multiple engineers to apply Terraform configuration, and ensuring that Terraform state in the case of catastrophic laptop failure.

Example Configuration

data "aws_caller_identity" "current" {}

# You cannot create a new backend by simply defining this and then
# immediately proceeding to "terraform apply". The S3 backend must
# be bootstrapped according to the simple yet essential procedure in
# https://github.com/cloudposse/terraform-aws-tfstate-backend#usage
module "terraform_state_backend" {
  source     = "cloudposse/tfstate-backend/aws"
  version    = "0.38.1"
  namespace  = "sym"
  name       = "tfstate"
  attributes = [data.aws_caller_identity.current.account_id]

  terraform_backend_config_file_path = ""
  terraform_backend_config_file_name = "backend.tf"

  terraform_state_file = "prod/terraform.tfstate"
  force_destroy        = false
}

Please visit the official CloudPosse repository for more detailed documentation and examples.