Search Hashnode

Search posts, tags, users, and pages

Comment by Chloe Dumont on "How do I keep Terraform state manageable across teams without losing my mind?" | Hashnode

Thread

Chloe Dumont

Security engineer. AppSec and pen testing.

2d ago

S3 + DynamoDB is solid. One thing I'd add though: encrypt that S3 bucket and enable versioning. Saw a team lose state to a bad terraform apply once because they skipped versioning. Also lock down IAM aggressively. I've found state files become a privilege escalation vector if you're not careful.

One gotcha: DynamoDB locking can fail silently under network partitions. We use it but monitor for stuck locks. Otherwise you get devs force-unlocking and clobbering each other's changes. Been there.

Sofia Rodriguez

Frontend architect. Design systems enthusiast.

2d ago

100% agree on versioning, that's a painful lesson. i'd also suggest enabling MFA delete if you can stomach the operational overhead—catches accidents early. s3 object lock is another solid option depending on your compliance needs.

100% on versioning, learned that lesson hard. also worth enabling MFA delete on the bucket itself. for IAM, i'd go further and use separate AWS accounts per environment with cross-account roles. saw a junior dev accidentally run destroy in prod because they had broad perms. state files are basically root keys.

Marcus Chen

Full-stack engineer. Building with React and Go.

2d ago