Rohan Nalawade

Remote backend and State locking using S3 in terraform.

Introduction:
Terraform uses a state file with the .tfstate extension to provision infrastructure. It compares the actual AWS state with the desired state and creates the infrastructure accordingly. This state file is very important because it contains all the details about the infrastructure configuration. It also contains sensitive details like passwords, IDs, public IPs, etc., so the safety of this file always matters. By default this file is created locally on the laptop you are working on, which is totally fine if you are working solo. But if you are working in a team, there are several problems.

Problems with the Terraform state file.
First of all, there is the "Emailing the State" problem. If you create a server, the state file on your laptop knows about it. If your colleague wants to update that server, they don't know it exists because the state file is on your computer. You would have to email the file to them (which is messy and dangerous).
Then there is the state conflict problem. Suppose you and your colleague run the terraform apply command at the same time: you try to change the server name, and they try to delete the server. Terraform has no way to stop this. The infrastructure enters a corrupted state, or the last person to save overwrites the other's work.
Also, the Terraform state file is written in plain text. It can contain sensitive data such as access keys, so the security of this file is also a problem.

The Solution: Remote Backend
A remote backend simply means storing the state file in a remote location, typically a cloud location, instead of storing it locally on your laptop. When you are using AWS as the provider for your Terraform configuration, you use an S3 bucket as the remote backend location. This solves two problems. The "Emailing the State" problem is solved because everyone who is working on the project can access the file from their laptop without you needing to send it to them. It also solves the problem of security.
The only problem remaining is the "State Conflict" problem: because the bucket is the single source of truth and anyone with permissions can access it, two or more colleagues can access it at the same time and create a state conflict. For this, Terraform uses the concept of state locking.

State Locking
It is a mechanism that prevents two or more people from modifying the infrastructure at the same time. When you run terraform apply, Terraform locks the state file, ensuring no one else can run the terraform apply command at the same time. When the command completes, it releases the lock. This completely prevents race conditions and corruption.

The Mechanism:
To store the state file in a remote backend we use S3 because it is highly durable. If something goes wrong you can easily rewind the file. S3 also offers a built-in locking mechanism.

The remote backend configuration in Terraform:

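terraform {
  backend "s3" {
    bucket       = "my-state-bucket"        # S3 bucket that holds the state
    key          = "prod/terraform.tfstate" # path of the state object inside the bucket
    region       = "us-east-1"
    use_lockfile = true                     # S3-native state locking via a lock file
    encrypt      = true                     # server-side encryption of the state object
  }
}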

Conclusion
Remote backends and state locking are powerful and very helpful concepts in Terraform that keep the state file safe and prevent its corruption, keeping the infrastructure consistent.
