You Should Store Your IaC State Files In Object Storage

Reasons include, but are not limited to, durability, versioning, RBAC, and location permanence.

Hey folks,

We tell all of our clients to use S3 or the equivalent object store from their cloud provider as storage for their Terraform and OpenTofu state.

We always advise avoiding alternatives like:

  • third-party vendors

  • relational databases

  • local state (oof, please avoid this option)

There are 3 reasons for strongly recommending an object store as the solution for state file storage:

  1. Object storage is highly available and highly durable. Services like AWS S3 are replicated almost 10 times and the number of nines for durability is the highest SLA that I’ve seen in the industry. This means you don’t need to worry about losing data and you can count on getting access to that data when you need it.

  2. Versioning, encryption at rest, and RBAC are solved problems. If you're already using the cloud, then these problems are handled for you. These are all important aspects of IaC state management that need to be resolved. Leaning on an existing system where this is taken care of decreases complexity.

  3. You own your state and it is in a centralized location that is very unlikely to change. We see this with some customers where they end up storing their state in their vendor’s storage (Terraform Cloud for example). After a time, they bring us in to migrate them away from that vendor. Now, instead of just migrating code operating on state, they also need to migrate their state to another system. This becomes another migration task and pain point. On the other hand, you’re very unlikely as an organization to migrate to another cloud (this comes up periodically and 90% of the time I'd say it's a mistake). As a result, if you start off with your state being in object storage in your cloud, then it’s very likely to live there forever. This means you can change the tools, vendors, or solutions surrounding your IaC with less pain.
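As an added illustration (not code from the original post or from Masterpoint), here is one way the versioning, encryption-at-rest, and access-control points in reason 2 look when the state bucket is itself managed with Terraform or OpenTofu on AWS. The bucket name, the `network/` key prefix, and the region are placeholders chosen for this example.

```hcl
# Bootstrap configuration for the state bucket, applied once from its own root module.
# Added example: every name below is a placeholder, not a value from the post.
resource "aws_s3_bucket" "state" {
  bucket = "example-org-tfstate" # placeholder; bucket names are globally unique
}

# Versioning: each state write keeps the previous object version, so a bad
# apply or a corrupted state file can be rolled back.
resource "aws_s3_bucket_versioning" "state" {
  bucket = aws_s3_bucket.state.id
  versioning_configuration {
    status = "Enabled"
  }
}

# Encryption at rest: state files frequently hold secrets in plain text.
# With no kms_master_key_id set, S3 uses the AWS managed key for the account.
resource "aws_s3_bucket_server_side_encryption_configuration" "state" {
  bucket = aws_s3_bucket.state.id
  rule {
    apply_server_side_encryption_by_default {
      sse_algorithm = "aws:kms"
    }
  }
}

# Access control: a policy for the role that runs plan/apply for one stack.
# It can list the bucket but only read and write state under its own prefix.
data "aws_iam_policy_document" "network_state_rw" {
  statement {
    actions   = ["s3:ListBucket"]
    resources = [aws_s3_bucket.state.arn]
  }
  statement {
    actions   = ["s3:GetObject", "s3:PutObject"]
    resources = ["${aws_s3_bucket.state.arn}/network/*"]
  }
}

# In the consuming root module (a separate configuration), point the backend here:
# terraform {
#   backend "s3" {
#     bucket  = "example-org-tfstate"
#     key     = "network/terraform.tfstate"
#     region  = "us-east-1"
#     encrypt = true
#   }
# }
```

The policy document still has to be attached to a role with `aws_iam_policy` or an inline role policy, and `s3:DeleteObject` is deliberately left out so that the pipeline role cannot remove state objects.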

Those are my reasons for advising clients to use an object store like S3 for their IaC state files.

Where do you store your state? If it's not in object storage, why not?

Matt @ Masterpoint

PS Speaking of migrations, we wrote a post about how to migrate off Terraform Cloud.