Terraform State Management in Azure: Don’t Let Your Backend Bite You

Your Terraform state file is the source of truth for your infrastructure. Lose it, and you might as well be deploying blindfolded. But how could you manage it properly in Azure?

Terraform needs a state file to track the real-world infrastructure vs what your code says should exist. If that state file disappears, gets corrupted, or is being fought over by multiple deployments, you’re in for a world of pain.

Some common state management nightmares:

• State locked by another process—your team is stuck waiting.
• Local state files—lost when a laptop dies or a repo gets cleaned.
• Accidental overwrites—because Terraform doesn’t merge state files.
• Exposed secrets—because state files store sensitive data in plaintext.

So, how can we prevent these? Enter stage left Azure Storage and Terraform Workspaces.

Instead of managing state locally (which is a terrible idea), use Azure Storage as a remote backend:

1. Create a storage account (in a secure resource group).
2. Create a storage container for your Terraform state files.
3. Enable versioning & locking (so nothing gets lost or corrupted).
4. Use RBAC to make sure only the right people can access it.

Example Terraform Backend Config (backend.tf):

This makes sure all Terraform runs use the same state file, eliminating local mishaps and making collaboration seamless.

Terraform workspaces help you manage multiple environments (Dev, Test, Prod) without needing separate backend configurations.

• Single storage backend, multiple logical environments.
• Fewer hardcoded paths & duplicate state files.
• Easy switching between environments.

Creating & Using Workspaces

Each workspace gets a separate state file inside the same backend. Terraform will automatically manage the state for different environments under unique keys, e.g.:

• tfstates/dev.terraform.tfstate
• tfstate/test.terraform.tfstate
• tfstate/prod.terraform.tfstate

Using the “key” value we can even nest further with the use of additional folders, for example key = “vwan/terraform.tfstate” would result in a path of tfstatebackend/tfstate/vwan/dev.terraform.tfstate

1. State Locking Issues? Use Azure Blob Storage state locking to prevent race conditions.
2. Accidentally Destroying Resources? Double-check workspaces before running terraform apply.
3. State File Corruption? Enable Azure Blob versioning to roll back if needed.
4. Secrets in State Files? Use Terraform Cloud or Vault to encrypt sensitive data, or even use the new 1.10+ Ephemeral values to ensure the secret value is never stored in the state.

By using Azure Storage for your backend and Terraform workspaces for environment management, you avoid:

✅ Lost or overwritten state files.

✅ Teams tripping over each other’s changes.

✅ Accidental infrastructure deletions.