Configure S3/GCS Remote State Backend

Beginner10 min

Set up a remote state backend with S3 or GCS for team collaboration, state locking, and disaster recovery.

Prerequisites

-Terraform installed
-AWS or GCP credentials configured

Steps

Create the S3 bucket for state storage

Create a versioned, encrypted S3 bucket to store Terraform state files.

$ aws s3api create-bucket --bucket my-tf-state-bucket --region us-east-1 aws s3api put-bucket-versioning --bucket my-tf-state-bucket --versioning-configuration Status=Enabled aws s3api put-bucket-encryption --bucket my-tf-state-bucket --server-side-encryption-configuration '{"Rules":[{"ApplyServerSideEncryptionByDefault":{"SSEAlgorithm":"AES256"}}]}'

Enable versioning to recover from accidental state corruption or deletion.

Create a DynamoDB table for state locking

Create a DynamoDB table to enable state locking, preventing concurrent operations.

$ aws dynamodb create-table --table-name tf-state-lock --attribute-definitions AttributeName=LockID,AttributeType=S --key-schema AttributeName=LockID,KeyType=HASH --billing-mode PAY_PER_REQUEST

Configure the backend in Terraform

Add the S3 backend configuration to your Terraform code.

$ cat <<'EOF' > backend.tf terraform { backend "s3" { bucket = "my-tf-state-bucket" key = "global/terraform.tfstate" region = "us-east-1" dynamodb_table = "tf-state-lock" encrypt = true } } EOF

Initialize the backend

Run terraform init to configure the backend and migrate any existing local state.

$ terraform init

If you have existing local state, Terraform will ask if you want to migrate it. Answer 'yes' to preserve your resources.

Verify the backend is working

Confirm that state is being stored remotely and locking is functional.

$ terraform state list && aws s3 ls s3://my-tf-state-bucket/global/

Full Script

full-script.sh

#!/bin/bash
set -euo pipefail

# Terraform Remote Backend Setup (AWS S3 + DynamoDB)

BUCKET_NAME="${1:?Usage: $0 <bucket-name> [region]}"
REGION="${2:-us-east-1}"
TABLE_NAME="tf-state-lock"

echo "==> Creating S3 bucket: ${BUCKET_NAME}..."
if [ "$REGION" = "us-east-1" ]; then
  aws s3api create-bucket --bucket "$BUCKET_NAME" --region "$REGION"
else
  aws s3api create-bucket --bucket "$BUCKET_NAME" --region "$REGION" --create-bucket-configuration LocationConstraint="$REGION"
fi

echo "==> Enabling versioning..."
aws s3api put-bucket-versioning --bucket "$BUCKET_NAME" --versioning-configuration Status=Enabled

echo "==> Enabling encryption..."
aws s3api put-bucket-encryption --bucket "$BUCKET_NAME" --server-side-encryption-configuration '{"Rules":[{"ApplyServerSideEncryptionByDefault":{"SSEAlgorithm":"AES256"}}]}'

echo "==> Blocking public access..."
aws s3api put-public-access-block --bucket "$BUCKET_NAME" --public-access-block-configuration BlockPublicAcls=true,IgnorePublicAcls=true,BlockPublicPolicy=true,RestrictPublicBuckets=true

echo "==> Creating DynamoDB lock table: ${TABLE_NAME}..."
aws dynamodb create-table   --table-name "$TABLE_NAME"   --attribute-definitions AttributeName=LockID,AttributeType=S   --key-schema AttributeName=LockID,KeyType=HASH   --billing-mode PAY_PER_REQUEST   --region "$REGION" 2>/dev/null || echo "Table may already exist"

echo ""
echo "==> Backend ready. Add this to your Terraform config:"
cat <<EOF

terraform {
  backend "s3" {
    bucket         = "$BUCKET_NAME"
    key            = "global/terraform.tfstate"
    region         = "$REGION"
    dynamodb_table = "$TABLE_NAME"
    encrypt        = true
  }
}
EOF

echo ""
echo "Then run: terraform init"

FAQ

Discussion

Loading comments...

#!/bin/bash set -euo pipefail # Terraform Remote Backend Setup (AWS S3 + DynamoDB) BUCKET_NAME="${1:?Usage: $0 <bucket-name> [region]}" REGION="${2:-us-east-1}" TABLE_NAME="tf-state-lock" echo "==> Creating S3 bucket: ${BUCKET_NAME}..." if [ "$REGION" = "us-east-1" ]; then aws s3api create-bucket --bucket "$BUCKET_NAME" --region "$REGION" else aws s3api create-bucket --bucket "$BUCKET_NAME" --region "$REGION" --create-bucket-configuration LocationConstraint="$REGION" fi echo "==> Enabling versioning..." aws s3api put-bucket-versioning --bucket "$BUCKET_NAME" --versioning-configuration Status=Enabled echo "==> Enabling encryption..." aws s3api put-bucket-encryption --bucket "$BUCKET_NAME" --server-side-encryption-configuration '{"Rules":[{"ApplyServerSideEncryptionByDefault":{"SSEAlgorithm":"AES256"}}]}' echo "==> Blocking public access..." aws s3api put-public-access-block --bucket "$BUCKET_NAME" --public-access-block-configuration BlockPublicAcls=true,IgnorePublicAcls=true,BlockPublicPolicy=true,RestrictPublicBuckets=true echo "==> Creating DynamoDB lock table: ${TABLE_NAME}..." aws dynamodb create-table --table-name "$TABLE_NAME" --attribute-definitions AttributeName=LockID,AttributeType=S --key-schema AttributeName=LockID,KeyType=HASH --billing-mode PAY_PER_REQUEST --region "$REGION" 2>/dev/null || echo "Table may already exist" echo "" echo "==> Backend ready. Add this to your Terraform config:" cat <<EOF terraform { backend "s3" { bucket = "$BUCKET_NAME" key = "global/terraform.tfstate" region = "$REGION" dynamodb_table = "$TABLE_NAME" encrypt = true } } EOF echo "" echo "Then run: terraform init"