Getting Started - AWS [Updated for 0.12]

Remote State Storage

You have now seen how to build, change, and destroy infrastructure from a local machine. This is great for testing and development, but in production environments it is considered a best practice to store state elsewhere than your local machine. The best way to do this is by running Terraform in a remote environment with shared access to state.

Terraform supports team-based workflows with a feature known as remote backends. Remote backends allow Terraform to use a shared storage space for state data, so any member of your team can use Terraform to manage the same infrastructure.

Depending on the features you wish to use, Terraform has multiple remote backend options. HashiCorp recommends using Terraform Cloud. Terraform Cloud offers free state management with no limits on users, workspaces, locking, and HashiCorp Vault encryption.

Terraform Cloud also offers HashiCorp's commercial solutions and with a free version which acts as a remote backend. Terraform Cloud allows teams to easily version, audit, and collaborate on infrastructure changes. Each proposed change generates a Terraform plan which can be reviewed and collaborated on as a team. When a proposed change is accepted, the Terraform logs are stored, resulting in a linear history of infrastructure states to help with auditing and policy enforcement. Additional benefits to running Terraform remotely include moving access credentials off of developer machines and freeing local machines from long-running Terraform processes.

How to Store State Remotely

First, we'll use Terraform Cloud as our backend. Terraform Cloud offers free remote state management. Terraform Cloud is the recommended best practice for remote state storage.

If you don't have an account, please sign up here for this guide. For more information on Terraform Cloud, view our getting started guide.

When you sign up for Terraform Cloud, you'll create an organization. Make a note of the organization's name.

Next, configure the backend in your configuration with the organization name, and a new workspace name of your choice:

terraform {
  backend "remote" {
    organization = "<ORG_NAME>"

    workspaces {
      name = "Example-Workspace"
    }
  }
}

You'll also need a user token to authenticate with Terraform Cloud. You can generate one on the user settings page:

User Token

Copy the user token to your clipboard, and create a Terraform CLI Configuration file. This file is This file is located at %APPDATA%\terraform.rc on Windows systems, and ~/.terraformrc on other systems.

Paste the user token into that file like so:

credentials "app.terraform.io" {
  token = "REPLACE_ME"
}

Save and close this file, we don't need it again. You can read more about configuring Terraform Cloud in the documentation.

Now that you've configured your remote backend, run terraform init to setup Terraform. It should ask if you want to migrate your state to Terraform Cloud.

$ terraform init

Initializing the backend...
Do you want to copy existing state to the new backend?
  Pre-existing state was found while migrating the previous "local" backend to the
  newly configured "remote" backend. No existing state was found in the newly
  configured "remote" backend. Do you want to copy this state to the new "remote"
  backend? Enter "yes" to copy and "no" to start with an empty state.

  Enter a value:

Say "yes" and Terraform will copy your state:

...

  Enter a value: yes

Releasing state lock. This may take a few moments...

Successfully configured the backend "remote"! Terraform will automatically
use this backend unless the backend configuration changes.

...

Now, if you run terraform apply, Terraform should state that there are no changes:

$ terraform apply
# ...

No changes. Infrastructure is up-to-date.

This means that Terraform did not detect any differences between your
configuration and real physical resources that exist. As a result, Terraform
doesn't need to do anything.

Terraform is now storing your state remotely in Terraform Cloud. Remote state storage makes collaboration easier and keeps state and secret information off your local disk. Remote state is loaded only in memory when it is used.

If you want to move back to local state, you can remove the backend configuration block from your configuration and run terraform init again. Terraform will once again ask if you want to migrate your state back to local.

Terraform Enterprise

Terraform Cloud offers commercial solutions which combines a predictable and reliable shared run environment with tools to help you work together on Terraform configurations and modules.

Although Terraform Cloud can act as a standard remote backend to support Terraform runs on local machines, it works even better as a remote run environment. It supports two main workflows for performing Terraform runs:

  • A VCS-driven workflow, in which it automatically queues plans whenever changes are committed to your configuration's VCS repo.
  • An API-driven workflow, in which a CI pipeline or other automated tool can upload configurations directly.

For a hands-on introduction to Terraform Cloud, follow the Terraform Cloud getting started guides for our free offering as well as Terraform Cloud for Teams and Governance.