Gruntwork recommendations on state file management - in a multi-account setup

Answer

This article answers customers asking how to manage Terraform state files when they use multiple AWS accounts. Tracked in ticket #110288 (https://support.gruntwork.io/hc/requests/110288), 2023-06-22.

We strongly recommend keeping one state file per account/region, stored in that same account, for the following reasons:

**Secrets**

Terraform state files contain sensitive information: resource attributes, including database passwords and other credentials, are written to state in plaintext. Keep each environment's state in its own account so that only the people and roles with access to that account (above all the production account) can read its secrets.

**Principle of least privilege**

Within a single AWS account it is easy to accidentally grant a user or role more access than it needs; a policy that is slightly too broad silently reaches every environment in that account. Granting excessive permissions across account boundaries is much harder to do by accident.

**Mental separation**

Keeping environments in separate accounts simplifies reasoning. If all development resources live in the dev account and all production resources live in the prod account, access decisions reduce to "this person has access to prod, so they can access this" rather than untangling a single account that mixes environments.

**Simple authentication**

Authentication is simplest when the Terraform code for an account only has to authenticate to that one account. If the state for an account is stored in a different account, every deployment has to authenticate to both, which adds complexity and one more set of credentials to protect.

**Smaller blast radius**

Multiple accounts limit the impact of mistakes. With separate accounts, an error in one account is unlikely to affect the others. If all state files live in a single account, one mistake can corrupt or delete the state for every environment at once, which is very hard to recover from.

**Compliance requirements**

Compliance regimes such as PCI DSS (Payment Card Industry Data Security Standard) often demand strict separation between "in scope" and "out of scope" entities. Storing state files from PCI and non-PCI environments together would likely violate those standards and is generally discouraged.
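One way to express the recommendation above in a Terragrunt root configuration, as an added example that is not part of the original article or of Gruntwork's own reference code: it assumes a folder layout of `<account>/account.hcl` and `<account>/<region>/region.hcl` with one module folder below that, and the variable names, bucket and lock-table names, and account IDs in it are hypothetical. Each account/region pair gets its own encrypted S3 bucket and DynamoDB lock table inside the account being managed, so Terraform only ever needs credentials for one account, and the generated provider is pinned to that account so a wrong or stale credential cannot push one environment's code into another.

```hcl
# Root terragrunt.hcl (added example, not from the article). Assumed layout:
#   <account>/account.hcl            -> locals { account_name = "prod", aws_account_id = "111122223333" }
#   <account>/<region>/region.hcl    -> locals { aws_region = "us-east-1" }
#   <account>/<region>/<module>/terragrunt.hcl includes this file
locals {
  account_vars = read_terragrunt_config(find_in_parent_folders("account.hcl"))
  region_vars  = read_terragrunt_config(find_in_parent_folders("region.hcl"))

  account_name = local.account_vars.locals.account_name   # hypothetical, e.g. "dev" or "prod"
  account_id   = local.account_vars.locals.aws_account_id # hypothetical 12-digit account ID
  aws_region   = local.region_vars.locals.aws_region      # hypothetical, e.g. "us-east-1"
}

# One state bucket per account AND per region, living in the account it describes.
# Terragrunt creates the bucket (versioned) and lock table on first use if they are missing.
remote_state {
  backend = "s3"
  generate = {
    path      = "backend.tf"
    if_exists = "overwrite_terragrunt"
  }
  config = {
    # Bucket and table names are hypothetical; the account ID keeps the name globally unique.
    bucket         = "tf-state-${local.account_name}-${local.account_id}-${local.aws_region}"
    key            = "${path_relative_to_include()}/terraform.tfstate"
    region         = local.aws_region
    encrypt        = true # server-side encryption of the state object
    dynamodb_table = "tf-locks-${local.account_name}-${local.aws_region}"
  }
}

# Generate the AWS provider with allowed_account_ids so that a module under the
# "prod" folder refuses to run against any credentials that are not for the prod account.
generate "provider" {
  path      = "provider.tf"
  if_exists = "overwrite_terragrunt"
  contents  = <<EOF
provider "aws" {
  region              = "${local.aws_region}"
  allowed_account_ids = ["${local.account_id}"]
}
EOF
}
```

Because the bucket and lock table are in the same account as the resources, the credentials used to run `terragrunt apply` are the only ones involved; there is no cross-account role to assume for state access. `encrypt = true` protects the object at rest but is not a substitute for access control: the people who can read the prod bucket can read every secret in prod state, so restrict the bucket policy to the roles that actually deploy to that account.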