- Never store `.tfstate` in source control; use a `.gitignore` immediately
- Configure a remote backend (e.g., S3 + DynamoDB for AWS or Azure Blob Storage) with state locking enabled
- Split large states into smaller, logical workspaces or distinct state files to minimize blast radius
- Use central remote backends like AWS S3 with DynamoDB locking, or Terraform Cloud, to maintain consistency among team members
- Avoid monolithic state files; break architecture down by environment (dev, staging, prod) and domain (networking vs application)
- Pass sensitive variables exclusively via environment variables or secret managers so they are never hardcoded in plaintext in configuration or state
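The following is an added example, not configuration from the original page: a backend block that applies the remote-backend, locking, per-environment splitting and sensitive-variable points above. The bucket name, lock-table name, region, state key and secret name are placeholder values chosen for illustration.

```hcl
# Added example (not from the original page). Bucket, table, region, state key
# and secret id are placeholders; substitute your own values.
#
# Companion .gitignore entries so local state never reaches source control:
#   *.tfstate
#   *.tfstate.*
#   .terraform/

terraform {
  required_version = ">= 1.5"

  backend "s3" {
    bucket         = "example-org-tfstate"                  # placeholder bucket
    key            = "prod/networking/terraform.tfstate"    # one state per env + domain
    region         = "us-east-1"
    dynamodb_table = "example-org-tf-locks"                 # placeholder; table must have
                                                            # a string partition key "LockID"
    encrypt        = true                                   # server-side encryption at rest
  }
}

# Mark the secret as sensitive so Terraform redacts it from plan/apply output.
# Supply the value through the environment (TF_VAR_db_password), never in a
# .tfvars file that is committed to the repository.
variable "db_password" {
  type      = string
  sensitive = true
}

# Alternative to the environment variable: read the secret from AWS Secrets
# Manager at plan/apply time (assumes a secret named "prod/db_password" exists
# and the caller's IAM identity may read it).
data "aws_secretsmanager_secret_version" "db_password" {
  secret_id = "prod/db_password"
}
```

Marking a variable `sensitive` only redacts it from CLI output; the value still lands in the state file, which is why the backend's encryption and the IAM policy on the bucket and lock table matter as much as keeping secrets out of source.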