Terraform Remote State File on AWS S3

On By insidepacketIn Terraform

Every time you apply your Terraform template, Terraform will records the current infrastructure status in Terraform state file. By default, the state files are stored locally. Terraform will keep 2 state files for each Terraform template: one is for the current state (terraform.tfstate) and the other is for the second latest version of Terraform state (terraform.tfstate.backup).

In enterprise environment,  the common practise of managing Terraform state files is:

  1. Store the state files in a shared location;
  2. Store all versions of Terraform state file,  which will enable you to rollback to any older version instead of only the second latest version;
  3. Encryption of the state files;

Terraform has offered a built-in support for remote state storage.Currently, Terraform supports a few of remote storage including Aamzon S3, Azure, HashiCorp Consul  and Atlas.

Amazon S3 meet almost all of our requirements:

  1. Aamzon S3 supports encryption (AES-256);
  2. Amazon S3 will stores every version of the state files;
  3. When Terraform talks to ASW s3, TLS (Transport Layer Security) is used;

So here I will shows you how to use Amazon S3 as Terraform remote stage.

Step 1: creata a S3 bucket;

resource “aws_s3_bucket” “my-terraform-state” {
bucket = “my-terraform-state.davidwzhang.com”
versioning {
enabled = true
}

lifecycle {
prevent_destroy = true
}
}

output “s3_bukcet_arn” {
value = “${aws_s3_bucket.my-terraform-state.arn}”
}

AmazonS3

Step 2: configure your Terraform template to use S3 bucket

terraform remote config -backend=s3 -backend-config=”bucket=my-terraform-state.davidwzhang.com” -backend-config=”key=terraform/vpc.tfstate” -backend-config=”region=ap-southeast-2″ -backend-config=”encrypt=true”

AmazonS3-2

Now you can log in your AWS console and check the Terraform state file on ASW s3.

AmazonS3-3

Please note Terraform will still store the current and the second latest state file locally as normal. These state files are stored in the newly created sub-folder .terraform under the Terraform template folder.

[dzhang@localhost vpc]$ ls -al
total 20
-rw-rw-r–. 1 dzhang dzhang 1547 Mar 19 17:15 ~
drwxrwxr-x. 3 dzhang dzhang 74 Mar 20 22:00 .
drwxrwxr-x. 10 dzhang dzhang 4096 Mar 20 21:41 ..
drwxr-xr-x. 2 dzhang dzhang 61 Mar 19 17:10 .terraform
-rw-r–r–. 1 dzhang dzhang 3064 Mar 20 22:00 vpc.tf

[dzhang@localhost .terraform]$ ls -al

total 20
drwxr-xr-x. 2 dzhang dzhang 61 Mar 19 17:10 .
drwxrwxr-x. 3 dzhang dzhang 74 Mar 20 22:00 ..
-rw-rw-r–. 1 dzhang dzhang 750 Mar 24 21:06 terraform.tfstate
-rw-rw-r–. 1 dzhang dzhang 14213 Mar 24 21:05 terraform.tfstate.backup

Leave a Reply

Fill in your details below or click an icon to log in:

Gravatar
WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Cancel

Connecting to %s