IaC Core
State & drift
Lesson 2 of 5
What you'll learn
- Understand why Terraform needs a state file at all
- See why production state belongs in a remote, locked backend
- Recognize drift as the divergence between state and live reality
Terraform's plan is desired - state, so it needs a memory of what it last built. That memory is the state file: a JSON map from your resource addresses to real-world IDs and attributes. Without it, Terraform couldn't tell a resource it should update from one it should create.
terraform {
backend "s3" {
bucket = "acme-tf-state"
key = "prod/network.tfstate"
region = "us-east-1"
dynamodb_table = "acme-tf-locks"
}
}
Remote state is non-negotiable for teams
Local terraform.tfstate works solo and breaks the moment two engineers apply at once. A remote backend (S3, GCS, Terraform Cloud) stores state centrally and a lock (DynamoDB above) serializes applies so two runs can't corrupt each other.
terraform plan -refresh-only # reconcile state with live reality
terraform state list # what Terraform thinks it manages
Drift: when reality moves on its own
When someone edits infrastructure by hand in the console, state still reflects the old values — that gap is drift. A refresh detects it; your next plan then shows what Terraform would do to pull reality back to your declared config.
State is the source of truth, not reality
Terraform trusts its state. Hand-edit a resource and Terraform will happily revert it on the next apply — or, worse, plan a destroy because it no longer recognizes what's there.
Run it. Compare recorded state to observed reality and report each drifted attribute.
What is drift in Terraform?
Saved on this device. Sign in to sync your progress everywhere.