Scalr Terraform State Management: Features and Functionality

Terraform requires a state file to keep track of managed infrastructure and configuration. Effective management of this state file, including its security, availability, and versioning, is important for Terraform operations. Scalr provides features for Terraform state management.

Scalr offers a managed backend for Terraform state, which includes security and versioning. It also allows integration with other storage solutions. This document outlines Scalr's capabilities for handling Terraform state.

Scalr-Managed State Storage

Scalr provides a managed state storage solution with the following characteristics:

• AES-256 Encryption: State files managed by Scalr are encrypted at rest using AES-256. This protects infrastructure data from unauthorized access.
• State Versioning and Rollback: Scalr versions state files automatically. This creates a history of the state, allowing users to inspect previous versions and revert to a prior state if necessary.

Automatic State Locking with Scalr Backend

To prevent corruption and conflicts from concurrent operations on the same Terraform state, Scalr implements automatic state locking when its managed backend is used.

• When a Terraform operation (e.g., plan or apply) starts in a Scalr workspace, Scalr locks the state file.
• This action prevents other users or processes from modifying the state simultaneously, which helps maintain data integrity.
• The lock is released upon completion of the operation.

This locking mechanism is a built-in feature of the Scalr backend.

Option to Use External Backends

Scalr allows users to employ other backends supported by Terraform if the Scalr-managed backend is not preferred.

• Disable Scalr Backend Per Workspace: The Scalr-managed backend can be disabled for individual workspaces. This permits configuration of Terraform to use alternative backends such as Amazon S3, Azure Blob Storage, Google Cloud Storage, or HashiCorp Consul.
• External Backend Locking: If an external backend is used, state locking is handled by that specific backend. For example, an S3 bucket configured with DynamoDB for locking will use those AWS services for concurrency management. Terraform interacts with the chosen backend's locking mechanism.

terraform import Support

Scalr supports the terraform import command. This function allows users to bring existing infrastructure, not initially created by Terraform, under Terraform management. The state of these imported resources can be stored in Scalr's managed backend or a configured external backend. The state is accessible for inspection and management.

State Storage in Customer-Owned Buckets with Scalr Backend

Scalr offers the option to store state in a customer-owned storage bucket while still utilizing the Scalr backend's management features.

This approach provides:

• Customer control over the storage bucket (e.g., an S3 bucket within the customer's AWS account).
• Continued use of Scalr features such as encryption (which can be layered with bucket-level encryption), state versioning metadata management, UI integration, and access controls.

This option can be used to meet specific compliance, data sovereignty, or data governance requirements.

State Export Methods

Terraform state data managed by Scalr can be accessed or exported through several methods:

1. Terraform CLI: The terraform state pull command can be used to retrieve the current state file to a local machine.
2. Scalr API: Scalr's API allows programmatic access to and export of state files, which can be used for automation or integration.
3. Customer-Owned Bucket: If state is stored in a customer-owned bucket, the data resides directly within the customer's infrastructure, potentially negating the need for a separate export step from Scalr.

Conclusion

Scalr provides a set of features for managing Terraform state. These include a secure, versioned, and locked managed backend, along with the option to use external backends or store state in customer-owned buckets. These capabilities are designed to support various operational requirements for infrastructure as code management.