
State encryption at rest in Terraform - Commands & Configuration

Introduction
When you use Terraform to manage infrastructure, it records every resource it manages in a state file, and that file frequently holds secrets in plaintext: database passwords, generated keys, tokens and connection strings returned by providers. Encrypting the state file while it is stored protects that data if the storage itself is reached outside the normal access path (a copied disk, a snapshot, a misrouted backup). It does not change who may read the file through the S3 API, so it complements access control on the bucket rather than replacing it.
When you store Terraform state files in a remote backend like AWS S3 and want to protect sensitive data.
When multiple team members access the same Terraform state and you want to ensure data privacy.
When compliance rules require encryption of all stored data including infrastructure state.
When you want to prevent accidental exposure of secrets stored in the Terraform state file.
When using cloud storage backends that support encryption features to secure your state.
Config File - main.tf
terraform {
  backend "s3" {
    bucket  = "example-terraform-state"   # must already exist; the backend never creates it
    key     = "state/terraform.tfstate"   # object path of the state file inside the bucket
    region  = "us-east-1"                 # region of the bucket
    encrypt = true                        # request server-side encryption on every state upload
                                          # (SSE-S3/AES-256 unless kms_key_id is also set)
  }
}

provider "aws" {
  region = "us-east-1"
}

This Terraform configuration stores the state remotely in an S3 bucket instead of in a local terraform.tfstate file.

encrypt = true makes Terraform request server-side encryption on every state upload: S3 encrypts the object with AES-256 (SSE-S3) by default, or with a KMS key when the backend's kms_key_id argument is also set. S3 decrypts transparently on read, so any principal permitted to call s3:GetObject on the state key still receives plaintext; encryption at rest does not substitute for tight IAM permissions on the bucket.

bucket names the bucket where the state is stored, key is the object path inside it, and region is the AWS region of the bucket. The bucket must exist before terraform init runs; the S3 backend never creates it.

Commands
Initializes the Terraform working directory and configures the backend to store state in the (pre-existing) S3 bucket, requesting encryption on every write.
Terminal
terraform init
Expected Output
Initializing the backend...

Successfully configured the backend "s3"!

Terraform has been successfully initialized!

You may now begin working with Terraform. Try running "terraform plan" to see
any changes that are required for your infrastructure.
Shows the changes Terraform would make to your infrastructure without applying them. Reaching this point confirms that Terraform can authenticate to S3, reach the backend and read the state object.
Terminal
terraform plan
Expected Output
No changes. Infrastructure is up-to-date.

This means that Terraform did not detect any differences between your
configuration and real physical resources.
Applies the Terraform configuration and writes the resulting state to the S3 bucket, asking S3 to encrypt the upload. The main.tf above declares no resources, so nothing is created here; once you add resources, this is the step that creates or updates them and persists their attributes (including any secrets) to the encrypted state object.
Terminal
terraform apply -auto-approve
Expected Output
No changes. Infrastructure is up-to-date.

Apply complete! Resources: 0 added, 0 changed, 0 destroyed.
-auto-approve - Skips the interactive confirmation prompt. Reasonable in a CI pipeline that has already reviewed the plan; when running by hand, omit it so you can read the plan before anything is changed.
Verifies that the S3 bucket storing the Terraform state has default server-side encryption configured. This reads the bucket-level default rule, which covers objects uploaded without their own encryption header; it does not by itself prove that a particular object is encrypted. To check the state object directly, look at the ServerSideEncryption field that aws s3api head-object returns for the state key.
Terminal
aws s3api get-bucket-encryption --bucket example-terraform-state
Expected Output
{
    "ServerSideEncryptionConfiguration": {
        "Rules": [
            {
                "ApplyServerSideEncryptionByDefault": {
                    "SSEAlgorithm": "AES256"
                }
            }
        ]
    }
}
Key Concept

If you remember nothing else from this pattern, remember: enabling encryption on your Terraform state backend protects the state file at rest, but S3 decrypts it for anyone allowed to read the object, so pair encryption with strict IAM permissions on the bucket (and, when using SSE-KMS, on the key).

Common Mistakes
Not setting the 'encrypt' option to true in the S3 backend configuration.
The state file will be stored unencrypted, exposing sensitive information to anyone with access to the bucket.
Always include 'encrypt = true' in the backend block to enable server-side encryption.
Using a local backend instead of a remote backend with encryption for team environments.
Local state files are not encrypted by default and are harder to share securely among team members.
Use a remote backend like S3 with encryption enabled to securely share state.
Not verifying the bucket encryption settings after setup.
encrypt = true only asks S3 to encrypt the objects Terraform itself uploads; it configures nothing on the bucket, so state written by another tool, or by a teammate whose backend block omits the flag, can land unencrypted.
Configure default encryption on the bucket and confirm it with the AWS CLI or console; a bucket policy that denies s3:PutObject requests lacking the encryption header enforces it for every writer, not just Terraform.
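The bucket-side enforcement described in the last two mistakes, as an added example that is not part of the original page: a bootstrap configuration for the state bucket itself, applied once (with local state) before the backend block above can be initialised, since the S3 backend cannot create its own bucket. The bucket name matches the page's backend block; the KMS key, the `tfstate` resource labels and the policy statement names are assumptions.

```hcl
# Added example, not from the original page: bootstrap configuration that
# creates and hardens the bucket the S3 backend will store state in.
# Assumptions: the bucket name from the page's backend block, a dedicated
# KMS key, and the "tfstate" labels used below.

provider "aws" {
  region = "us-east-1"
}

# Customer-managed key so access to the state can also be gated by key policy.
resource "aws_kms_key" "tfstate" {
  description             = "CMK for Terraform state at rest"
  enable_key_rotation     = true
  deletion_window_in_days = 30
}

resource "aws_s3_bucket" "tfstate" {
  bucket = "example-terraform-state"
}

# Bucket default encryption: the bucket-side counterpart of encrypt = true.
# Any object uploaded without its own encryption header is still encrypted.
resource "aws_s3_bucket_server_side_encryption_configuration" "tfstate" {
  bucket = aws_s3_bucket.tfstate.id

  rule {
    apply_server_side_encryption_by_default {
      sse_algorithm     = "aws:kms"
      kms_master_key_id = aws_kms_key.tfstate.arn
    }
    bucket_key_enabled = true
  }
}

# Versioning lets you roll back a corrupted or accidentally overwritten state.
resource "aws_s3_bucket_versioning" "tfstate" {
  bucket = aws_s3_bucket.tfstate.id
  versioning_configuration {
    status = "Enabled"
  }
}

resource "aws_s3_bucket_public_access_block" "tfstate" {
  bucket                  = aws_s3_bucket.tfstate.id
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}

# Bucket policy: reject any upload that does not request SSE-KMS and any
# request that is not made over TLS, whoever the writer is.
data "aws_iam_policy_document" "tfstate" {
  statement {
    sid       = "DenyUnencryptedObjectUploads"
    effect    = "Deny"
    actions   = ["s3:PutObject"]
    resources = ["${aws_s3_bucket.tfstate.arn}/*"]
    principals {
      type        = "*"
      identifiers = ["*"]
    }
    # StringNotEquals also matches when the header is absent entirely.
    condition {
      test     = "StringNotEquals"
      variable = "s3:x-amz-server-side-encryption"
      values   = ["aws:kms"]
    }
  }

  statement {
    sid       = "DenyInsecureTransport"
    effect    = "Deny"
    actions   = ["s3:*"]
    resources = [aws_s3_bucket.tfstate.arn, "${aws_s3_bucket.tfstate.arn}/*"]
    principals {
      type        = "*"
      identifiers = ["*"]
    }
    condition {
      test     = "Bool"
      variable = "aws:SecureTransport"
      values   = ["false"]
    }
  }
}

resource "aws_s3_bucket_policy" "tfstate" {
  bucket = aws_s3_bucket.tfstate.id
  policy = data.aws_iam_policy_document.tfstate.json
}
```

With this policy in place the backend block on the page must request SSE-KMS rather than the SSE-S3 default: add kms_key_id with the key's ARN next to encrypt = true, otherwise the DenyUnencryptedObjectUploads statement rejects Terraform's own state writes with AccessDenied. Both statements are Deny statements, which S3 does not treat as making the bucket public, so they coexist with the public access block.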
Summary
Configure the Terraform backend to use an S3 bucket with 'encrypt = true' to enable state encryption at rest.
Run 'terraform init' to initialize the backend and 'terraform apply' to save the encrypted state file.
Verify encryption settings on the S3 bucket to ensure your state file is protected.