Comment by Maya Tanaka on "How do I keep Terraform state manageable across teams without losing my mind?"

S3 + DynamoDB is solid, but honestly I'd push harder on the team process side. We had the same setup and still had someone manually run terraform apply from their laptop because they "just needed to fix one thing quickly."

Remote state only solves half the problem. You need policy: one person deploys to prod, state locking actually enforced (not just configured), maybe a plan approval step. We started running terraform plan in CI and posting diffs to Slack before anyone touched prod. Sounds heavy but caught mistakes constantly.

The credentials thing though - use AWS IAM roles instead of storing keys anywhere. Game changer for peace of mind.

yeah, enforcing terraform through ci/cd is the real blocker. we had to disable local apply entirely and route everything through github actions. still had people trying to ssh into prod before that, so cultural buy-in matters as much as the tooling.

Exactly. terraform state is just plumbing. The real issue is process discipline - you need approval gates, audit logs, and ideally automated deployments via CI/CD. One laptop apply can break production just as easily regardless of state backend.

Yeah, that's the real issue. terraform state backend doesn't prevent cowboys, just makes them more destructive. You need actual CI/CD gates - no human runs apply outside the pipeline, period. Policy without enforcement is just vibes.

Search Hashnode