Skip to main content
HashnodeIresh's Blog

Command Palette

Search for a command to run...

L4. Understanding Terraform State: Remote Backend and State Locking – A Beginner’s Guide

Updated
4 min read
I
Iresh Ekanayaka

Terraform is a powerful tool for automating infrastructure as code, but to use it effectively, it's important to understand how it manages the infrastructure it creates - through Terraform state.

This guide explains what a Terraform state file is, why it matters, the challenges of local state management, how to use a remote backend like AWS S3, and how to implement state locking using DynamoDB - all tailored for beginners and students.

🌱 What is Terraform State?

Terraform keeps track of your real-world infrastructure using a file called terraform.tfstate.

Whenever you apply a Terraform configuration, Terraform:

  1. Provisions the resources you defined (e.g., EC2 instances, VPCs, etc.)

  2. Saves metadata about those resources in the state file.

This file is the single source of truth for Terraform. Without it, Terraform wouldn’t know what has already been created, updated, or deleted.

🧠 Why is Terraform State Important?

Imagine this: You create an EC2 instance using Terraform. Later, you want to add a tag. If Terraform doesn't know the instance already exists (because there’s no state file), it will try to create a new instance instead of updating the existing one. ❌

With the state file, Terraform can:

  • Compare your current config with the real infrastructure.

  • Determine what to add, change, or delete.

  • Safely manage updates and ensure idempotency (the ability to run the same script multiple times without unintended changes).

⚠️ The Drawbacks of Local State Files

While the local state file works, it comes with serious issues:

1. Sensitive Data Exposure

The state file can include secrets, such as API keys, passwords, and sensitive resource details. If it's stored on a local machine or pushed to a Git repository, anyone with access can read them.

2. Team Collaboration Challenges

If multiple people are working on the same Terraform project:

  • Everyone must remember to share or sync the updated state file.

  • Forgetting to do so causes drift between actual infrastructure and Terraform’s understanding.

  • Multiple versions of the state file can lead to resource conflicts or duplication.

☁️ Solution: Using Remote Backends

Terraform offers remote backends to solve these problems. One of the most popular backends is AWS S3.

🔧 How Does It Help?

  • Your state file is stored in S3, not on your local machine.

  • It’s always up-to-date since Terraform writes to S3 directly when changes are applied.

  • You can restrict access to the S3 bucket using IAM policies.

✅ Setting Up S3 as a Remote Backend

  1. Create an S3 bucket (manually or using Terraform):
resource "aws_s3_bucket" "tf_backend" {
  bucket = "my-unique-terraform-backend-bucket"
}
  1. Configure your backend in backend.tf:
terraform {
  backend "s3" {
    bucket = "my-unique-terraform-backend-bucket"
    key    = "statefiles/terraform.tfstate"
    region = "us-east-1"
  }
}
  1. Initialize the backend:
terraform init

Terraform will now store the state file in S3 instead of your local disk. 🎉

🔒 What About State Locking?

Here’s a new concern:

What if two people run terraform apply at the same time?

That could cause a race condition, where both changes conflict or overwrite each other.

🚪 Enter State Locking with DynamoDB

Terraform can lock the state file using AWS DynamoDB, ensuring that only one person can modify infrastructure at a time.

🔐 Setting Up DynamoDB for Locking

  1. Create a DynamoDB Table:
resource "aws_dynamodb_table" "tf_locks" {
  name         = "terraform-locks"
  billing_mode = "PAY_PER_REQUEST"
  hash_key     = "LockID"

  attribute {
    name = "LockID"
    type = "S"
  }
}
  1. Update your backend.tf to include locking configuration:
terraform {
  backend "s3" {
    bucket         = "my-unique-terraform-backend-bucket"
    key            = "statefiles/terraform.tfstate"
    region         = "us-east-1"
    dynamodb_table = "terraform-locks"
  }
}
  1. Re-initialize to apply backend changes:
terraform init

Now, Terraform uses the DynamoDB table to lock and unlock the state file safely. Only one terraform apply can run at a time.

🧪 Testing It Out

You can test your setup like this:

  1. Write a simple EC2 instance configuration in main.tf.

  2. Run:

terraform init
terraform apply

  1. Observe that your state is no longer stored locally, but in S3.

  2. Terraform now uses DynamoDB to lock the state during apply operations.

🚀 Summary

Here’s what we’ve covered:

  • Terraform State tracks your infrastructure.

  • Local state files pose risks: sensitive data exposure and sync issues.

  • ☁️ Remote backends (like S3) solve these problems.

  • 🔒 State locking with DynamoDB prevents conflicting changes.

This setup is production-grade and a must-know for anyone planning to work in a team or manage infrastructure securely using Terraform.

🧰 Bonus: Useful Terraform Commands

terraform init       # Initializes the backend and providers
terraform plan       # Shows what changes will be made
terraform apply      # Applies the changes
terraform show       # Displays the current state
terraform destroy    # Destroys the resources

Got questions or need help? Leave a comment or explore the official Terraform Backend Docs for more.

Happy coding! 🌍⚙️

1 views

More from this blog

Iresh's Blog

20 posts