Hey everyone 👋
If you're working with Terraform and using Git to version your infrastructure code (which you absolutely should!), there's one simple file that can save you from major headaches:
➡️ .gitignore
When I first started with Terraform, I was focused on writing .tf files and deploying resources. But I quickly learned that if you don’t handle .gitignore properly, you can accidentally leak sensitive info — and clutter your repo with auto-generated noise.
Let me walk you through it the way I wish someone had done for me 👇
🧹 Think of It Like a “Do Not Pack” List
You’re moving houses. You label boxes you want to move — clothes, books, tech.
But you don’t pack everything. You leave out garbage, pizza boxes, and broken cables.
.gitignore is your "Do Not Pack" list for Git — telling it what not to commit.
💣 What Happens If You Don’t Use It?
Terraform creates a lot of behind-the-scenes files — like plugin folders, state files, and even crash logs.
If you push them to Git:
- Your repo gets bloated 💾
- Secrets might be exposed 😱
- Other devs will see things they shouldn’t 👀
⚠️ Common Terraform Files You Should Ignore
📂 File or Folder | ⚠️ Why It Should Be Ignored |
---|---|
.terraform/ | Contains downloaded provider binaries and plugin data — recreated with terraform init |
terraform.tfstate | Stores your actual infrastructure state — including cleartext secrets |
terraform.tfstate.backup | A backup copy of your state — same risks as above |
*.tfvars | May include environment-specific variables like passwords, API keys, etc. |
crash.log | Only created on errors — not useful for version control |
✍️ Example .gitignore File for Terraform
```
# Ignore Terraform system files
.terraform/
*.tfstate
*.tfstate.backup
*.tfvars
crash.log
```
💡 Pro tip: You can grab a prebuilt Terraform .gitignore from GitHub’s github/gitignore repo.
🔬 Quick Lab Recap: Setting It Up
In the demo I followed:
- Cloned a sample Terraform repo containing demo.tf
- Created an example.tfvars file with this content:
```
username = "admin"
password = "password"
```
- Ran terraform init and terraform apply
- Noticed these files appeared:
  - .terraform/
  - terraform.tfstate
  - example.tfvars

Then created a .gitignore file with the entries listed above.
After that, running git status showed:
✅ Git ignored all the sensitive/noisy files
✅ Only .gitignore was being staged
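
The lab above starts from a clean repo, but ignore rules do nothing for files that are already tracked. As an added example (not part of the original post), this script builds a constructed throwaway repo in which terraform.tfstate was committed before .gitignore existed, detects it, and untracks it; the function names and file contents are assumptions made for illustration.

```shell
#!/usr/bin/env bash
# Added example, not from the original post. All file contents are constructed.

# Build a throwaway repo mimicking the lab, except that terraform.tfstate was
# committed BEFORE .gitignore existed (a common mistake).
make_demo_repo() {
  _d=$(mktemp -d)
  (
    cd "$_d" || exit 1
    git init -q
    mkdir -p .terraform/providers
    echo '# constructed demo config' > demo.tf
    echo 'constructed provider binary' > .terraform/providers/plugin.bin
    echo '{"constructed":"state with password"}' > terraform.tfstate
    printf 'username = "admin"\npassword = "password"\n' > example.tfvars
    git add demo.tf terraform.tfstate
    git -c user.name=demo -c user.email=demo@example.invalid commit -q -m initial
    # Same entries as the .gitignore shown in the post.
    printf '.terraform/\n*.tfstate\n*.tfstate.backup\n*.tfvars\ncrash.log\n' > .gitignore
  ) >/dev/null 2>&1 || return 1
  echo "$_d"
}

# Tracked files that match an ignore rule: they were committed too early.
tracked_but_ignored() {
  git -C "$1" ls-files -ci --exclude-standard
}

# Untracked files that are NOT ignored, i.e. what `git add .` would stage.
would_be_added() {
  git -C "$1" ls-files -o --exclude-standard
}

# Stop tracking the leaked files while keeping the local working copies.
untrack_ignored() {
  tracked_but_ignored "$1" | while IFS= read -r f; do
    git -C "$1" rm -q --cached -- "$f"
  done
}

demo=$(make_demo_repo)
echo "Tracked despite ignore rule: $(tracked_but_ignored "$demo")"
echo "Would be staged by 'git add .': $(would_be_added "$demo")"
untrack_ignored "$demo"
echo "Still tracked after cleanup: '$(tracked_but_ignored "$demo")'"
rm -rf "$demo"
```

`git rm --cached` only stops tracking from the next commit onward; the file is still present in earlier commits, so rotate any credentials it contained.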
🧠 Why This Matters (Especially for Teams)
Without .gitignore, you might:
- Accidentally leak credentials in tfstate files
- Share huge plugin binaries no one needs
- Cause version conflicts from files that change every run
💡 Analogy: Committing Terraform system files is like sending your dirty laundry to your boss instead of just the project folder.
✅ Final Checklist
✅ Good Practice | ❌ Bad Practice |
---|---|
Use .gitignore to keep your repo clean | Commit .tfstate or .tfvars files |
Store secrets securely (not in Git) | Hardcode passwords in .tf files |
Push only the code — not the mess | Include local .terraform/ or crash logs |
🧩 Final Thoughts
Using .gitignore isn’t just about being tidy — it’s about:
- Keeping your infrastructure secure
- Making your repo easier to work with
- Protecting your team from accidentally leaking secrets
It’s a small file with a big job. And once you understand it, it becomes second nature in every Terraform project.
If you’re working with Terraform, I’d love to hear your .gitignore setup or lessons you’ve learned. Drop a comment or connect with me on LinkedIn — let’s keep building clean, secure infrastructure together ☁️🧠