Skip to content
Baseline Terraform remote state setup with locking for AWS
Branch: master
Clone or download
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Type Name Latest commit message Commit time
Failed to load latest commit information.



This module provides the necessary infrastructure for storing remote Terraform state. This includes an S3 bucket for storing the state files, a KMS key for encrypting the state at rest, and a DynamoDB table for handling state locking.

You can read more about Terraform state here and backends here. We are using the S3 backend.


All Terraform and scripts assume you have the AWS CLI tools installed. On the Mac, you can install them via Homebrew:

brew install awscli


All of the Terraform assumes that you have configured your AWS credentials the following way:


aws_access_key_id = …
aws_secret_access_key = …


[profile ops]

[profile ops-tools]
source_profile = ops
role_arn = arn:aws:iam::[TOOLS_ACCOUNT_ID]:role/Ops

[profile ops-dev]
source_profile = ops
role_arn = arn:aws:iam::[DEV_ACCOUNT_ID]:role/Ops

[profile ops-stage]
source_profile = ops
role_arn = arn:aws:iam::[STAGE_ACCOUNT_ID]:role/Ops

[profile ops-prod]
source_profile = ops
role_arn = arn:aws:iam::[PROD_ACCOUNT_ID]:role/Ops

You can configure using aws configure or edit the files directly.


To bootstrap remote-state, run:

terraform init
terraform plan -out plan
terraform apply plan

Once the infrastructure has been created, uncomment the terraform > backend block and update the details for the new environment you've just bootstrapped.


terraform init
terraform plan -out plan
terraform apply plan

You will be asked during init whether you want to move your local state to the remote backend. Do so.

You can’t perform that action at this time.