Backends are responsible for storing state and providing an API for state locking. State locking is optional.
Despite the state being stored remotely, all Terraform commands such as
terraform console, the
terraform state operations,
terraform taint, and more will continue to work as if the state was local.
Backends determine where state is stored. For example, the local (default) backend stores state in a local JSON file on disk. The Consul backend stores the state within Consul. Both of these backends happen to provide locking: local via system APIs and Consul via locking APIs.
When using a non-local backend, Terraform will not persist the state anywhere on disk except in the case of a non-recoverable error where writing the state to the backend failed. This behavior is a major benefit for backends: if sensitive values are in your state, using a remote backend allows you to use Terraform without that state ever being persisted to disk.
In the case of an error persisting the state to the backend, Terraform will write the state locally. This is to prevent data loss. If this happens the end user must manually push the state to the remote backend once the error is resolved.
You can still manually retrieve the state from the remote state using the
terraform state pull command. This will load your remote state and output it to stdout. You can choose to save that to a file or perform any other operations.
You can also manually write state with
terraform state push. This is extremely dangerous and should be avoided if possible. This will overwrite the remote state. This can be used to do manual fixups if necessary.
When manually pushing state, Terraform will attempt to protect you from some potentially dangerous situations:
Differing lineage: The "lineage" is a unique ID assigned to a state when it is created. If a lineage is different, then it means the states were created at different times and its very likely you're modifying a different state. Terraform will not allow this.
Higher serial: Every state has a monotonically increasing "serial" number. If the destination state has a higher serial, Terraform will not allow you to write it since it means that changes have occurred since the state you're attempting to write.
Both of these protections can be bypassed with the
-force flag if you're confident you're making the right decision. Even if using the
-force flag, we recommend making a backup of the state with
terraform state pull prior to forcing the overwrite.
For more information on state locking, view the page dedicated to state locking.
© 2018 HashiCorpLicensed under the MPL 2.0 License.