
State file encryption in Terraform - Commands & Configuration

Introduction
Terraform saves information about your infrastructure in a state file. Encrypting this file keeps your infrastructure details safe from unauthorized access.
When you store Terraform state files remotely and want to protect sensitive data.
When multiple team members access the same Terraform state and you want to ensure data privacy.
When compliance rules require encryption of infrastructure data at rest.
When using cloud storage services like AWS S3 to hold your Terraform state file.
When you want to prevent accidental exposure of secrets stored in the state file.
Config File - main.tf
terraform {
  backend "s3" {
    bucket         = "example-terraform-state"
    key            = "prod/terraform.tfstate"
    region         = "us-east-1"
    # Ask S3 to encrypt the state object at rest (SSE-S3 unless kms_key_id is also set)
    encrypt        = true
    # State locking table; Terraform 1.10+ can use use_lockfile = true instead
    dynamodb_table = "example-terraform-lock"
  }
}

provider "aws" {
  region = "us-east-1"
}

resource "aws_s3_bucket" "example" {
  bucket = "example-bucket-terraform"
  # acl is deprecated in AWS provider v4+ (new buckets are private by default);
  # use the aws_s3_bucket_acl resource if an explicit ACL is really needed
  acl    = "private"
}

This configuration sets up Terraform to store its state file in an AWS S3 bucket named example-terraform-state. The encrypt = true line ensures the state file is encrypted at rest using AWS S3 server-side encryption. The dynamodb_table is used for state locking to prevent concurrent changes. The AWS provider is configured for the us-east-1 region, and a simple S3 bucket resource is declared.

Commands
Initializes Terraform, sets up the backend with encryption enabled, and prepares the working directory.
Terminal
terraform init
Expected Output
Initializing the backend...
Successfully configured the backend "s3".

Terraform has been successfully initialized!

You may now begin working with Terraform. Try running "terraform plan" to see
any changes that are required for your infrastructure. All Terraform commands
should now work.

If you ever set or change modules or backend configuration, run "terraform init"
again to reinitialize your working directory.
Applies the Terraform configuration, creating the S3 bucket and saving the encrypted state file remotely.
Terminal
terraform apply -auto-approve
Expected Output
aws_s3_bucket.example: Creating...
aws_s3_bucket.example: Creation complete after 2s [id=example-bucket-terraform]

Apply complete! Resources: 1 added, 0 changed, 0 destroyed.
-auto-approve - Automatically approves the apply without prompting for confirmation.
Checks that the S3 bucket used for the Terraform state file has encryption enabled.
Terminal
aws s3api get-bucket-encryption --bucket example-terraform-state
Expected Output
{
  "ServerSideEncryptionConfiguration": {
    "Rules": [
      {
        "ApplyServerSideEncryptionByDefault": {
          "SSEAlgorithm": "AES256"
        }
      }
    ]
  }
}
Key Concept

If you remember nothing else from this pattern, remember: enabling encryption on your Terraform state backend protects sensitive infrastructure data from unauthorized access.

Common Mistakes
Not setting the 'encrypt = true' flag in the backend configuration.
The state file will be stored unencrypted, exposing sensitive data.
Always include 'encrypt = true' in your backend block when using S3 to ensure encryption at rest.
Using the S3 backend without a state-locking mechanism such as a DynamoDB table.
Multiple users can write the state file at the same time, causing conflicts and corruption.
Configure a DynamoDB table for state locking so that only one run can change the state at a time.
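The configuration above points the backend at a state bucket but never shows how that bucket is created, and both Common Mistakes (no encryption, no locking) are settled at bucket-creation time. The following is an added example, not code from the page: a separate bootstrap configuration that creates the state bucket with a customer-managed KMS key, versioning, a public access block, a TLS-only bucket policy, and the lock table. All resource and bucket names are assumptions; apply it once from its own working directory (local state), then point the real project's backend block at the bucket and table it creates.

```hcl
# Added example: bootstrap config for the Terraform state bucket itself.
# Apply once from a separate directory with local state; names are assumed.

provider "aws" {
  region = "us-east-1"
}

# Customer-managed KMS key: every read of the state object becomes a
# kms:Decrypt call that the key policy controls and CloudTrail records.
resource "aws_kms_key" "tf_state" {
  description         = "Encrypts Terraform state in example-terraform-state"
  enable_key_rotation = true
}

resource "aws_s3_bucket" "tf_state" {
  bucket = "example-terraform-state"
}

# Keep old versions so a corrupted or mistakenly written state can be restored.
resource "aws_s3_bucket_versioning" "tf_state" {
  bucket = aws_s3_bucket.tf_state.id
  versioning_configuration {
    status = "Enabled"
  }
}

# Bucket-level default encryption (SSE-KMS with the key above). This is the
# setting that `aws s3api get-bucket-encryption` reports.
resource "aws_s3_bucket_server_side_encryption_configuration" "tf_state" {
  bucket = aws_s3_bucket.tf_state.id
  rule {
    apply_server_side_encryption_by_default {
      sse_algorithm     = "aws:kms"
      kms_master_key_id = aws_kms_key.tf_state.arn
    }
    bucket_key_enabled = true
  }
}

# State files are never public: block every path to a public ACL or policy.
resource "aws_s3_bucket_public_access_block" "tf_state" {
  bucket                  = aws_s3_bucket.tf_state.id
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}

# Encryption at rest does not cover the wire: refuse plaintext HTTP requests.
data "aws_iam_policy_document" "tf_state" {
  statement {
    sid       = "DenyInsecureTransport"
    effect    = "Deny"
    actions   = ["s3:*"]
    resources = [aws_s3_bucket.tf_state.arn, "${aws_s3_bucket.tf_state.arn}/*"]
    principals {
      type        = "*"
      identifiers = ["*"]
    }
    condition {
      test     = "Bool"
      variable = "aws:SecureTransport"
      values   = ["false"]
    }
  }
}

resource "aws_s3_bucket_policy" "tf_state" {
  bucket = aws_s3_bucket.tf_state.id
  policy = data.aws_iam_policy_document.tf_state.json
}

# Lock table for the backend's dynamodb_table setting
# (Terraform 1.10+ can use `use_lockfile = true` in the backend instead).
resource "aws_dynamodb_table" "tf_lock" {
  name         = "example-terraform-lock"
  billing_mode = "PAY_PER_REQUEST"
  hash_key     = "LockID"
  attribute {
    name = "LockID"
    type = "S"
  }
}

# Paste this ARN into the consuming project's backend block as kms_key_id
# (backend blocks accept literal values only, not references).
output "kms_key_arn" {
  value = aws_kms_key.tf_state.arn
}
```

In the project that uses the bucket, keep `encrypt = true` and add `kms_key_id = "<ARN from the kms_key_arn output>"` (a placeholder here) next to it so the backend sends the matching SSE-KMS header on every write. Note that S3 has applied SSE-S3 (AES256) to new objects by default since January 2023, so the `get-bucket-encryption` check on the page passing with AES256 only confirms the S3 default; choosing SSE-KMS is what gives you a key policy to restrict who can decrypt state and a CloudTrail record of each decrypt.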
Summary
Configure the Terraform backend with 'encrypt = true' to enable state file encryption in S3.
Run 'terraform init' to initialize the backend with encryption settings.
Apply your Terraform configuration to create resources and save the encrypted state file remotely.
Verify encryption by checking the S3 bucket's server-side encryption settings.