Articles

Manage Infrastructure with Terraform: State, Modules, and Workspaces (2026)

April 16, 2026 4 min read

Terraform’s state file is not a snapshot of your infrastructure, but a mapping of your infrastructure to your Terraform configuration.

Let’s see this in action. Imagine you have a simple Terraform configuration to create an AWS S3 bucket:

# main.tf
provider "aws" {
  region = "us-east-1"
}

resource "aws_s3_bucket" "my_bucket" {
  bucket = "my-unique-bucket-name-12345"
  acl    = "private"

  tags = {
    Environment = "Dev"
    ManagedBy   = "Terraform"
  }
}

When you run terraform apply, Terraform creates the S3 bucket in AWS. Crucially, it also generates a file named terraform.tfstate. This file looks something like this (simplified):

{
  "version": 4,
  "terraform_version": "1.5.7",
  "serial": 1,
  "lineage": "...",
  "outputs": {},
  "resources": [
    {
      "mode": "managed",
      "type": "aws_s3_bucket",
      "name": "my_bucket",
      "provider": "provider[\"registry.terraform.io/hashicorp/aws\"]",
      "instances": [
        {
          "schema_version": 0,
          "attributes": {
            "acceleration_status": "Suspended",
            "acl": "private",
            "arn": "arn:aws:s3:::my-unique-bucket-name-12345",
            "bucket": "my-unique-bucket-name-12345",
            "bucket_domain_name": "my-unique-bucket-name-12345.s3.amazonaws.com",
            "bucket_regional_domain_name": "my-unique-bucket-name-12345.s3.us-east-1.amazonaws.com",
            "// ... many more attributes ...",
            "tags": {
              "Environment": "Dev",
              "ManagedBy": "Terraform"
            },
            "versioning": []
          },
          "sensitive_attributes": [],
          "private": "...",
          "dependencies": []
        }
      ]
    }
  ]
}

This terraform.tfstate file is the critical link. It tells Terraform: "This S3 bucket, named my-unique-bucket-name-12345, is managed by the aws_s3_bucket.my_bucket resource in my configuration. Here are all its current attributes as of the last apply."

When you run terraform plan or terraform apply again, Terraform doesn’t just look at your main.tf. It first reads the terraform.tfstate file to understand what already exists and how it corresponds to your code. Then, it compares the current state of your infrastructure (by querying the AWS API) with the desired state defined in your .tf files, and then it consults the state file to reconcile any differences. The state file is the authoritative record of what Terraform believes it manages.

Modules are essentially reusable Terraform configurations. They allow you to package up infrastructure components (like a VPC, a database, or an application stack) into a self-contained unit that can be easily shared and reused across different projects or environments. Instead of copying and pasting dozens of lines of HCL, you can simply module block:

# main.tf
module "my_app_backend" {
  source = "./modules/app-backend" # Local path to module
  // or source = "github.com/myorg/terraform-aws-app-backend?ref=v1.2.0" # Remote module

  instance_type = "t3.medium"
  desired_capacity = 3
  environment = "Production"
}

When Terraform encounters a module, it treats the resources defined within that module just like any other resource, but it adds a prefix based on the module’s name. The state file will reflect this, showing resources like module.my_app_backend.aws_instance.app_server.

Workspaces provide a way to manage multiple distinct states for a single configuration. Think of them as isolated environments for your Terraform code. This is incredibly useful for managing different stages of your application (dev, staging, production) or different environments for the same application.

When you initialize Terraform (terraform init), it creates a default workspace named default. If you run terraform apply without specifying a workspace, it operates on the default state.

You can create new workspaces with terraform workspace new staging. Now, if you run terraform apply, Terraform will create a new state file (or more accurately, a new entry in your remote state backend) associated with the staging workspace. You can switch between them using terraform workspace select production. Each workspace will have its own terraform.tfstate (or equivalent in a remote backend), meaning your dev infrastructure won’t interfere with your production infrastructure, even though they use the same configuration files.

The most surprising thing about Terraform’s state file is that it doesn’t just store what resources you’ve created; it stores the exact attributes of those resources as Terraform last knew them. This includes sensitive data if you haven’t configured encryption properly.

When you use a remote state backend like S3 with DynamoDB for locking, Terraform doesn’t store the state file as a single JSON blob. Instead, the backend organizes the state into a structured format that allows for efficient locking and concurrent access. For S3, it’s typically a single object in a bucket, but the DynamoDB table is used to manage locks, preventing multiple users from applying changes simultaneously. The actual data within the S3 object can still contain sensitive information if not encrypted at rest.

Understanding how Terraform uses state, how modules encapsulate reusable patterns, and how workspaces isolate environments is key to managing complex infrastructure reliably.

The next concept you’ll likely grapple with is how to manage sensitive data securely within your Terraform state.

Want structured learning?

Take the full DevOps & Platform Engineering course →