Terraform keeps the metadata and dependencies of real resources in tfstate. When no backend is specified, the local state file (terraform.tfstate) is used by default.
Local operation is great for quick experiments, but you need to watch out for team use, confidentiality, and availability requirements. The Associate exam tests whether you understand the nature, limits, and safe migration paths of local state.
When you don't explicitly declare a backend, Terraform creates terraform.tfstate (JSON) in the working directory and stores the IDs, attributes, and dependencies of managed resources there. This is essential for computing diffs against the real world and for references (data sources, outputs).
The local backend does not provide state locking. In other words, there is no protection when multiple processes update the same state at the same time. It does not fit team workflows or automated concurrent runs.
tfstate can contain secret-equivalent values. With the local backend nothing is encrypted, so you depend on OS file permissions and disk encryption. A .gitignore entry is mandatory to avoid accidentally committing it to VCS.
Local state flow
Minimal setup (no backend declared = local) and basic commands
# main.tf(例)
resource "null_resource" "example" {}
# 初期化と差分
terraform init
terraform plan
terraform apply
# ステートの確認
terraform state list
terraform state show null_resource.exampleLocal state fits personal experiments, short-lived sandboxes, and ephemeral CI runs (build clean and tear down every time). As long as you don't share the state, the simple setup lets you move fast.
On the other hand, when a team operates on the same environment (the same state), the constraints around locking, auditing, and backup are heavy. Remote backends (S3+DynamoDB, Terraform Cloud/Enterprise, etc.) are the standard choice in production.
| Backend | Locking | Shareability | Backup ease |
|---|---|---|---|
| Local (default) | None | Effectively no (hand-off is discouraged) | Manual copy or state pull/push |
| S3 + DynamoDB | DynamoDB lock available | Share by URL, controlled with IAM | Versioning and lifecycle rules |
| Terraform Cloud/Enterprise | Built-in locking | Workspaces shared inside the organization | Automatic backup and history |
Prevent accidental VCS commits (recommended .gitignore)
# .gitignore
terraform.tfstate
terraform.tfstate.backup
.crash.log
.terraform/
*.tfplan
# ステートに派生する一時ファイルも除外
The biggest risk is concurrent execution. Because the local backend has no lock, two terraform apply runs updating the same tfstate at once can overwrite each other or produce inconsistencies. That leads to duplicated resources or mistaken deletions.
tfstate is also plain JSON and may contain confidential data. Tight access permissions (e.g. chmod 600), disk encryption, and proper management of backup files are mandatory. And once you accidentally commit it to VCS, there is no going back.
When you change resource addresses during refactoring (extracting into modules, introducing for_each, etc.), the safe approach is to reconcile state with commands like terraform state mv / rm / import, not by editing tfstate directly.
Minimum file protection and safe refactoring
# ファイル権限の強化(Unix系)
chmod 600 terraform.tfstate terraform.tfstate.backup || true
# リソースアドレス変更時の安全な移動
terraform state mv aws_instance.web module.app.aws_instance.web
# 不要エントリの削除(実体リソースは消さない)
terraform state rm aws_security_group.legacy
# 既存リソースの取り込み
terraform import aws_s3_bucket.logs my-logs-bucketTaking backups of the state before and after apply makes recovery from corruption straightforward. In addition to cp-based copies, terraform state pull gives you a safe snapshot of the current state.
To restore, use terraform state push to apply the backup. Sticking to state commands for minimal changes is safer than editing JSON directly. Run the restore from a single process on a single machine to avoid version drift and conflicts.
Backup and restore in practice
# バックアップの取得(ローカル/リモート双方で有効)
terraform state pull > backup-$(date +%Y%m%d%H%M%S).tfstate
# ローカルバックエンドへの復旧
terraform state push backup-20240101090000.tfstate
# ファイルコピーによる簡易バックアップ
cp terraform.tfstate terraform.tfstate.backup
# 計画ファイルの保存
terraform plan -out=tfplan
# 内容確認
terraform show -json tfplan > tfplan.jsonFor team workflows and production, move to a remote backend that gives you locking, sharing, and auditing. S3+DynamoDB offers object versioning plus table-level locking; Terraform Cloud gives you built-in locking and history.
To migrate, add a backend block and run terraform init -migrate-state. Prepare the right credentials (IAM for S3/DynamoDB, a token for Terraform Cloud) and verify consistency afterwards with terraform state list.
Example migration to S3+DynamoDB
# backend設定(versions等は省略)
terraform {
backend "s3" {
bucket = "my-tfstate-bucket"
key = "envs/prod/terraform.tfstate"
region = "ap-northeast-1"
dynamodb_table = "my-tf-locks"
encrypt = true
}
}
# 事前準備(例)
# - S3: バージョニング有効、暗号化
# - DynamoDB: パーティションキー=LockID のテーブル
# - IAM: S3/DynamoDBへの適切な権限
# マイグレーション
terraform init -migrate-state
# 検証
terraform state list
terraform planThe exam tends to ask about the purpose of state, the default local behavior, whether locking exists, how to handle confidential data, backup and restore, and the benefits of remote backends and the migration process. Be sure you can pick the right CLI command for each task.
Refresher on the commands you'll see most
# ステート操作
terraform state list
terraform state show <address>
terraform state mv <from> <to>
terraform state rm <address>
terraform state pull > backup.tfstate
# 計画と適用
terraform plan -out=planfile
terraform apply planfileAssociate
問題 1
Two engineers, working in the same directory with the local backend (terraform.tfstate), are about to run terraform apply almost simultaneously. Which is the most appropriate countermeasure?
正解: B
The local backend does not provide state locking, so it cannot prevent concurrent-execution conflicts. For team workflows, the right answer is to migrate to a remote backend that provides locking and sharing (S3+DynamoDB or Terraform Cloud/Enterprise). The -lock flag only takes effect on lock-capable backends. Workspaces and plan files are not substitutes for proper locking.
Is local state encrypted?
No. terraform.tfstate is stored as plain JSON, and encryption depends on the backend. With the local backend, you must rely on OS file permissions and disk encryption, and you must never commit the file to VCS.
Can a team safely share local state?
Generally not recommended. For locking, auditing, and backups, use a remote backend such as S3+DynamoDB or Terraform Cloud. If you must run with local state temporarily, the bare minimum is to never share the same state file across people (split per environment).
Is it OK to edit tfstate directly?
Avoid it except in emergencies. To keep state consistent, use commands like terraform state mv / rm / import. Direct edits carry a high risk of corruption and should be the last resort. Always take a backup before editing.
Practice with certification-focused question sets
無料で問題を解いてみるNicheeLab Editorial Team
NicheeLab editorial team focused on data engineering and cloud certification learning. Content is structured around practical study needs and official exam domains.
HCL Syntax: Terraform's Configuration Language (2026)
HCL2 fundamentals for Terraform — blocks, attributes, expres...
Terraform Authoring & Operations Pro: Complete Guide (2026)
Tactics for the Terraform Pro exam — module authoring, works...
Terraform Providers: Plugin Management Fundamentals (2026)
Provider mechanics — required_providers, versions, mirrors, ...
Terraform Resource Blocks: Declarative Infra Units (2026)
Resource block fundamentals — addresses, references, common ...
Terraform Data Sources: Read-Only External Data (2026)
Data source basics — declaration, refresh behavior, dependen...