Terraformcloud~30 mins

State encryption at rest in Terraform - Mini Project: Build & Apply

Choose your learning style9 modes available

Learn Why Deep Visual Try Challenge Project Recall Time

Encrypt Terraform State at Rest

📖 Scenario: You are managing infrastructure using Terraform. To keep your infrastructure state safe, you want to encrypt the Terraform state file when stored remotely.This is like locking your important documents in a safe so only you can open them.

🎯 Goal: Create a Terraform backend configuration that stores the state file in an AWS S3 bucket with encryption enabled to protect the state at rest.

📋 What You'll Learn

Use an aws_s3_bucket resource named tf_state_bucket with versioning enabled

Configure the S3 bucket to use server-side encryption with AWS managed keys (SSE-S3)

Set up a Terraform backend block to use the S3 bucket tf_state_bucket for remote state storage

Enable encryption in the backend configuration

💡 Why This Matters

🌍 Real World

Encrypting Terraform state files protects sensitive infrastructure data from unauthorized access when stored remotely.

💼 Career

Cloud engineers and DevOps professionals must secure infrastructure state files to maintain compliance and security best practices.

Progress0 / 4 steps

Create an AWS S3 bucket for Terraform state

Create an aws_s3_bucket resource named tf_state_bucket with the bucket name my-terraform-state-bucket and enable versioning by adding an aws_s3_bucket_versioning resource named tf_state_bucket_versioning for the same bucket.

Terraform

# Your code here to create the S3 bucket and enable versioning

Need a hint?

Use resource "aws_s3_bucket" "tf_state_bucket" to create the bucket and resource "aws_s3_bucket_versioning" "tf_state_bucket_versioning" to enable versioning.

Add server-side encryption configuration to the S3 bucket

Add a server_side_encryption_configuration block inside the aws_s3_bucket resource tf_state_bucket to enable server-side encryption using AWS managed keys (SSE-S3).

Terraform

resource "aws_s3_bucket" "tf_state_bucket" {
  bucket = "my-terraform-state-bucket"
  acl    = "private"
  # Add server-side encryption configuration here
}

resource "aws_s3_bucket_versioning" "tf_state_bucket_versioning" {
  bucket = aws_s3_bucket.tf_state_bucket.id
  versioning_configuration {
    status = "Enabled"
  }
}

Need a hint?

Inside the bucket resource, add server_side_encryption_configuration with sse_algorithm = "AES256" to enable SSE-S3 encryption.

Configure Terraform backend to use the encrypted S3 bucket

Add a terraform block with a backend configuration using s3. Set bucket to my-terraform-state-bucket, key to terraform.tfstate, and region to us-east-1. Enable encryption by setting encrypt to true.

Terraform

resource "aws_s3_bucket" "tf_state_bucket" {
  bucket = "my-terraform-state-bucket"
  acl    = "private"

  server_side_encryption_configuration {
    rule {
      apply_server_side_encryption_by_default {
        sse_algorithm = "AES256"
      }
    }
  }
}

resource "aws_s3_bucket_versioning" "tf_state_bucket_versioning" {
  bucket = aws_s3_bucket.tf_state_bucket.id
  versioning_configuration {
    status = "Enabled"
  }
}

terraform {
  # Add backend configuration here
}

Need a hint?

Use a terraform block with backend "s3" and set encrypt = true to enable encryption of the state file.

Finalize and validate the Terraform state encryption setup

Ensure the full Terraform configuration includes the aws_s3_bucket with encryption, versioning, and the terraform backend block with encryption enabled. Confirm the bucket name is my-terraform-state-bucket and the backend key is terraform.tfstate.

Terraform

# Review and finalize your Terraform configuration here

Need a hint?

Check that all parts are included: bucket with encryption, versioning, and backend with encryption enabled.