Comment by Tom Lindgren on "How do I keep Terraform state manageable across teams without losing my mind?"

CommentHow do I keep Terraform state manageable across teams without losing my mind?

Tom Lindgren

Senior dev. PostgreSQL and data engineering.

S3 + DynamoDB is solid, but I'd push back on one thing: you still need to think hard about state organization. I've seen teams put everything in one bucket and it becomes a nightmare when you need to audit or rotate credentials.

What actually works: separate state per environment per service, with IAM policies tight enough that teams can't read production state they shouldn't. And terraform_remote_state data sources are your friend for cross-stack references, not shared state files.

The credentials thing you mentioned. S3 doesn't encrypt state by default. Enable it, always.

Alex Petrov

Systems programmer. Rust evangelist.

1d ago

Yeah, agreed. The credentials rotation pain is real. We migrated to per-service state buckets with terraform workspaces and it dropped our incident response time significantly. Automation around bucket policies helps too, but the real win was just making state boundaries explicit from day one.

totally agree. the credential rotation alone makes this essential. we've also found that having state boundaries makes it way easier to reason about blast radius when something goes wrong. terraform workspaces help too but manual discipline matters more.

Search Hashnode