Handling Terraform State Files in Multi-Environment Deployments

Contents

What is Terraform State File?

The state file is important because:

• It records the current state of resources deployed by Terraform.
• It helps Terraform detect drift (changes made outside of Terraform).
• It ensures efficient planning and updates, preventing unnecessary modifications.

By default, Terraform stores the state file locally, but in production environments, it is best practice to store it in a remote backend to enable collaboration, prevent data loss, and improve security.

What is Terraform Backend?

A backend in Terraform determines how and where the state file is stored. It allows Terraform to:

• Store state files remotely (e.g., AWS S3, Google Cloud Storage, Azure Blob Storage).
• Enable state locking to prevent simultaneous modifications.
• Facilitate team collaboration by allowing multiple users to work with the same infrastructure.

Types of Terraform Backends

Terraform supports various backends, including:

• Local Backend - Stores the state file on the local filesystem (not recommended for team collaboration).
• Remote Backends - Store the state file in a cloud storage service with access control and locking. Often used remote backends:
  • AWS S3 (with or without DynamoDB for state locking)
  • Google Cloud Storage (GCS)
  • Azure Blob Storage
  • Terraform Cloud (offers enhanced collaboration features)

With understanding of Terraform state files and backends, let's explore different strategies for managing state files across multiple environments.

Back to Top

Options for Handling Terraform State Files in Multi-Environment Deployments

Managing Terraform state files across multiple environments (e.g., development, staging, production) or multiple projects can be challenging. Below, we explore different approaches to handling Terraform state files in multi-environment deployments, along with their pros and cons.

Option 1: A Separate State File Per Environment

In this approach, each environment has its own dedicated state file stored separately in a remote backend.

1a. Implementation with a single root module

Example project folder structure:

backend.tf contains common backend configuration parameters, such as backend type. It may look like this for a GCS backend:

Backend configuration files (*.config) contain environment-specific parameters with the goal of separating state files by specifying different buckets or prefixes. For example:

Before deploying an environment run terraform init -reconfigure with a -backend-config flag identifying the proper backend config file:

Important:
terraform init creates a local .terraform/terraform.tfstate file containing the most recent backend configuration. This file is different and entirely separate from the remote backend terraform.tfstate file that contains state data about your infrastructure. Terraform relies on the backend configuration data from the local .terraform/terraform.tfstate file for all subsequent terraform init and terraform apply commands. Therefore, it is critical to explicitly initiate the proper backend when switching between environments.

Pros

• Each environment has a separate state file stored in a remote backend.
• Flexible backend configuration allowing for different access controls per environment.

Cons

• Extra measures are required to reduce the risk of unintended changes when switching between environments.

1b. Implementation with a separate root module per environment

Example project folder structure:

Each environment folder contains a dedicated backend configuration file. For example, backend.tf for the dev environment may look like this:

To deploy, navigate to the respective folder and run terraform commands:

Pros

• Backend configurations are fully independent.
• Each environment has a separate state file stored in a remote backend.

Cons

• Requires some code duplication.

Back to Top

Option 2: Using Terraform Workspaces

Terraform workspaces simplify state file management and allow multiple states to be stored within the same backend.

Implementation with a single root module

Example project folder structure:

A single backend.tf file defines common GCS backend configuration for all environments:

Terraform stores all state files in the same GCS bucket and assigns file names using the following pattern: <prefix>/<workspace_name>.tfstate.

Use terraform workspace commands to switch between environments:

Pros

• Each environment has a separate state file stored in a remote backend.
• Relatively simple to set up and operate.

Cons

• Workspaces are not ideal for strict environment isolation. Risk of misapplying changes still remains.

Back to Top

Option 3: Single State File for All Environments

In this configuration a single state file stores information for all environments.

Implementation

Example project folder structure:

Example Google Cloud Storage (GCS) backend configuration:

Pros

• Simple to setup and straightforward to operate.
• No need to manage multiple backends or workspaces.

Cons

• Harder to scale and manage as infrastructure complexity grows.
• High risk of accidental changes across environments.

This approach is not recommended for larger projects because it lacks strict environment isolation.

Back to Top

Choosing the Right Approach

Selecting the optimal Terraform project structure and state management strategy depends on many factors, including team size and experience, infrastructure complexity, CI/CD integration, security requirements, etc. There is no single right approach. You will need to take into account your particular situation, complete your own assessment, or just try a couple of different options.

That said, for most teams, the solution with a separate root module and a separate state file per environment (Option 1b) provides the best balance between security, scalability, and maintainability. On the other hand, Terraform workspaces (Option 2) can be a good starting point for smaller teams or less complex environments.

Back to Top