1

I'm using Terraform with AWS and S3/Dynamo for the remote state of all our modules. This works fine and is great.

But where are you going to save your state file for the module, where you create the S3 bucket and the DynamoDB (for the remote state)?

It sounds like a "Chicken or the egg" problem. Should I upload the state file to the Git repository, even if I shouldn't store it there?

Normally this state is no longer touched, but it would be cleaner if all developers could access the state, wouldn't it? What are your best practices?

Sven
  • You should *never* upload a state file to any repository. It is a chicken and egg problem. You would first have to deploy S3 and DynamoDB which would create a local state file. Then, since you have an S3 bucket, you can add the backend configuration block. This should be followed by `terraform init` which will ask you if you want to migrate the state to the remote backend and that is it. After that you will have the state file saved in the S3 bucket. :) – Marko E Oct 26 '21 at 08:26
  • You have to create S3 and DDb beforehand. Not sure what your issue is with that? – Marcin Oct 26 '21 at 08:26
  • That was surprisingly easy, we didn't have the idea of copying the state file to it afterwards via the backend configuration. That was quick, thank you very much! – Sven Oct 26 '21 at 08:33
  • I'll post it as an answer so others can see it @Sven. – Marko E Oct 26 '21 at 08:44

2 Answers

2

You should never upload a state file to any repository. It is a chicken and egg problem. You would first have to deploy S3 and DynamoDB which would create a local state file. Then, since you have an S3 bucket, you can add the backend configuration block [1]. This should be followed by `terraform init` which will ask you if you want to migrate the state to the remote backend [2] and that is it. After that you will have the state file saved in the S3 bucket.

More information here:

[1] https://www.terraform.io/docs/language/settings/backends/s3.html#example-configuration

[2] https://www.terraform.io/docs/language/settings/backends/configuration.html#initialization

Marko E
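The two-step bootstrap described in this answer, as an added example that is not part of the original post. The bucket name, table name, state key and region are placeholders, the provider is assumed to be configured elsewhere, and the split S3 resources assume AWS provider v4 or later.

```hcl
# Step 1: apply this module with NO backend block, so Terraform writes a
# local terraform.tfstate. All names below are placeholders.
resource "aws_s3_bucket" "state" {
  bucket = "example-org-terraform-state" # placeholder, must be globally unique
}

# Keep old state versions so a corrupted or mistaken write can be rolled back.
resource "aws_s3_bucket_versioning" "state" {
  bucket = aws_s3_bucket.state.id

  versioning_configuration {
    status = "Enabled"
  }
}

# State files can hold secrets in plain text: never allow public access.
resource "aws_s3_bucket_public_access_block" "state" {
  bucket                  = aws_s3_bucket.state.id
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}

# The S3 backend locks through a table whose hash key is the string "LockID".
resource "aws_dynamodb_table" "lock" {
  name         = "example-terraform-locks" # placeholder
  billing_mode = "PAY_PER_REQUEST"
  hash_key     = "LockID"

  attribute {
    name = "LockID"
    type = "S"
  }
}

# Step 2: add this block only after the first apply has succeeded, then run
# `terraform init` and confirm the prompt to copy the local state to S3.
terraform {
  backend "s3" {
    bucket         = "example-org-terraform-state" # same placeholder as above
    key            = "bootstrap/terraform.tfstate" # placeholder object key
    region         = "eu-central-1"                # placeholder region
    dynamodb_table = "example-terraform-locks"
    encrypt        = true # server-side encryption for the state object
  }
}
```

Between the two steps the state exists only on the machine that ran the apply, so keep `*.tfstate` and `*.tfstate.backup` in `.gitignore` and delete the local copies once the migration has been confirmed.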
0

This begs the question, what happens if you need to destroy/rebuild your state bucket/DDB?

It's a more sensible approach to have a tightly controlled master account manually configured with a bucket and DDB. From there you have a base to create an account vending machine to set up new accounts with state bucket, DDB, baseline config and IAM etc.

imchockers
  • Agreed, but what scenario do you envision in which you would have to remove the bucket and/or DynamoDB table? – Marko E Oct 26 '21 at 10:25
  • "The goal here is to isolate that chicken-egg problem to a situation where the chicken won't be laying any more eggs so to speak - you only need to set up the remote state once and rarely is it changed." - https://stackoverflow.com/a/69645431/4800344 – Ermiya Eskandary Oct 26 '21 at 13:11
  • It's a good point, other than deleting the account entirely you probably wouldn't ever need to remove the remote state resources. But if that's the case, is there any value in keeping them in your remote state? There would be manual work required either way in that scenario. – imchockers Oct 26 '21 at 21:29
  • Well if you're migrating from Terraform to something else you'd want to delete that stuff. :P – Manius Nov 04 '22 at 14:32