Terraform Remote State - state file location

Question

I'm using Terraform with AWS and S3/Dynamo for the remote state of all our modules. This works fine and is great.

But where are you going to save your state file for the module, where you create the S3 bucket and the DynamoDB (for the remote state)?

It sounds like a "Chicken or the egg" problem. Should I upload the state file to the GIT repository, even if I shouldn't store it there?

Normally this state is no longer touched, but it would be cleaner if all developers could access the state, wouldn't it? What are your best practices?

Answer 1

You should never upload a state file to any repository. It is a chicken and egg problem. You would first have to deploy S3 and DynamoDB which would create a local state file. Then, since you have an S3 bucket, you can add the backend configuration block [1]. This should be followed by terraform init which will ask you if you want to migrate the state to the remote backend [2] and that is it. After that you will have the state file saved in the S3 bucket.

More information here:

[1] https://www.terraform.io/docs/language/settings/backends/s3.html#example-configuration

[2] https://www.terraform.io/docs/language/settings/backends/configuration.html#initialization.

Answer 2

This begs the question, what happens if you need to destroy/rebuild your state bucket/DDB?

Its a more sensible approach to have a tightly controlled master account manually configured with a bucket and DDB. From there you have a base to create an account vending machine to set up new accounts with state bucket, DDB, baseline config and IAM etc.