117 reads New Story

Terraform State Management: A Deep Dive Beyond the Basics for Azure Deployments

by Ritesh Modi5mMarch 27th, 2025

Too Long; Didn't Read

State Management is extremely crucial for success of Infrastructure as Code using Terraform. Terraform state is important because the state file contains all the sensitive information in plain text format. It should be protected and secured heavily with all authentication, authorization, confidentiality and integrity. Having Terra Form state in a single developer’s machine will not let other manage the environment.

Coin Mentioned

featured image - Terraform State Management: A Deep Dive Beyond the Basics for Azure Deployments

Without state management, Terraform is as good as normal CLI commands... so think about it now !

Normally, while developing Terraform scripts, state management is the last topic on most developers' minds. Only after development is complete does the thinking process related to state management start. This is not an optimal practice. State management is extremely crucial for the success of infrastructure as code using Terraform.

State management is important because the state file contains all the sensitive information in plain text format. It cannot be stored as part of the code in any version control system. It should be protected and secured heavily with all authentication, authorization, confidentiality and integrity.

State should also be stored centrally if multiple developers and operators are involved in managing the environment provisioned through Terraform. Having the Terraform state in a single developer’s machine will not let others manage the environment.

Terraform also uses this state to check which resources need to be added, removed or updated. There are more secondary reasons why Terraform state is important however, it is equally important to have a strategy to manage Terraform state in a way that allows

Collaboration between teams and developers
Ability for Terraform to access and manage the resources
Treat it as a highly secure and confidential resource containing sensitive information to be protected at any cost.

Let’s get into the details of state management in Terraform with Azure Cloud

Strategy: Hierarchical State Organization

Most developers start with a simple Azure Storage backend configuration:

terraform {
  backend "azurerm" {
    resource_group_name  = "terraform-state-rg"
    storage_account_name = "tfstate0123456789"
    container_name       = "tfstate"
    key                  = "prod.terraform.tfstate"
  }
}

This strategy can be implemented with dynamic backend configuration:

locals {
  environment = terraform.workspace
  region      = "eastus2"
  component   = "networking"
}

terraform {
  backend "azurerm" {
    resource_group_name  = "terraform-state-rg"
    storage_account_name = "tfstate0123456789"
    container_name       = "tfstate"
    key                  = "${local.environment}/${local.region}/${local.component}/terraform.tfstate"
  }
}

This hierarchical approach provides several benefits:

Logical organization that maps to your Azure architecture
Clearer separation of concerns
Easier disaster recovery
Better alignment with team structures

Strategy: Multi-Workspace State Isolation for Development Teams

For large engineering teams, workspace-based isolation provides better control:

# Create development workspace for Team A
terraform workspace new team_a_dev

# Create development workspace for Team B
terraform workspace new team_b_dev

# List available workspaces
terraform workspace list

The workspaces can be combined with Azure RBAC for granular access control:

# Create a custom role for Team A state access
az role definition create --role-definition '{
    "Name": "Team A Terraform State Access",
    "Description": "Can read and write Team A terraform state",
    "Actions": [
        "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read",
        "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write",
        "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/lease/action"
    ],
    "DataActions": [
        "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read",
        "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write",
        "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/lease/action"
    ],
    "AssignableScopes": [
        "/subscriptions/{subscription-id}/resourceGroups/terraform-state-rg"
    ]
}'

# Assign the role to Team A
az role assignment create \
  --role "Team A Terraform State Access" \
  --assignee-object-id {team-a-group-id} \
  --scope "/subscriptions/{subscription-id}/resourceGroups/terraform-state-rg/providers/Microsoft.Storage/storageAccounts/tfstate0123456789/blobServices/default/containers/tfstate/blobs/team_a_dev"

Strategy: State Encryption

While Azure Storage provides encryption at rest, sensitive environments might require additional protection:

# Generate a customer-managed key in Azure Key Vault
resource "azurerm_key_vault_key" "terraform_state_key" {
  name         = "terraform-state-encryption-key"
  key_vault_id = azurerm_key_vault.terraform_kv.id
  key_type     = "RSA"
  key_size     = 2048
  key_opts     = ["decrypt", "encrypt", "sign", "verify"]
}

# Configure the storage account to use this key
resource "azurerm_storage_account_customer_managed_key" "terraform_state" {
  storage_account_id = azurerm_storage_account.terraform_state.id
  key_vault_id       = azurerm_key_vault.terraform_kv.id
  key_name           = azurerm_key_vault_key.terraform_state_key.name
}

For even more sensitive environments, we can implement client-side encryption as well:

# pre-commit hook example
import json
import os
from cryptography.fernet import Fernet

# Encrypt state before it's pushed to remote
def encrypt_state():
    # Read encryption key from secure location
    with open('.terraform-key', 'rb') as key_file:
        key = key_file.read()
    
    fernet = Fernet(key)
    
    # Read the state file
    with open('.terraform/terraform.tfstate', 'rb') as state_file:
        state_data = state_file.read()
    
    # Encrypt the state
    encrypted_state = fernet.encrypt(state_data)
    
    # Write encrypted state
    with open('.terraform/terraform.tfstate.encrypted', 'wb') as encrypted_file:
        encrypted_file.write(encrypted_state)
    
    print("State encrypted successfully")

if __name__ == "__main__":
    encrypt_state()

Conclusion

Effective state management is the foundation of successful Terraform deployments in Azure. The strategies outlined here move beyond basic storage configuration to address enterprise concerns:

Security: Multi-layered protection for sensitive state data
Governance: Controlled access and monitoring across teams
Resilience: Backup, versioning, and disaster recovery
Scalability: Patterns for growing beyond a single team or application

By implementing these advanced techniques, you can build a state management approach that supports even the most complex Azure deployments while maintaining security and operational efficiency.

Remember that state files are the single source of truth for your infrastructure – treat them with the same care you would apply to your most critical database or application code.