Problem Statement
The Terraform configuration in infrastructure/terraform/ uses only local state storage. This means every team member and CI pipeline operates on their own isolated state — there is no shared source of truth for infrastructure. State conflicts, duplicate resource creation, and unrecoverable state loss are inevitable in a team environment.
Evidence
infrastructure/terraform/providers.tf — No backend "s3" {} block; Terraform defaults to local stateinfrastructure/terraform/workspaces.tf — Multi-environment workspace config exists but without remote state, workspace isolation is limited to local files- No
terraform { backend "s3" { ... } } configuration anywhere in the codebase
- No DynamoDB table for state locking
Impact
Team members cannot safely run Terraform concurrently. CI/CD pipelines cannot reliably detect drift. State file loss would result in manual reconstruction of all infrastructure resources. No audit trail of who applied which changes.
Proposed Solution
- Create an S3 bucket for Terraform state storage (via a separate bootstrap script or a minimal Terraform config)
- Configure DynamoDB table for state locking to prevent concurrent modifications
- Add
backend "s3" configuration to providers.tf with environment-specific key prefixes (e.g., vertexchain/terraform/dev/terraform.tfstate)
- Configure state encryption with KMS or AES-256
- Enable bucket versioning for state file history and rollback capability
- Update CI/CD pipelines to use the same remote state backend
- Document the bootstrap process for new developers
Technical Requirements
- S3 bucket must have versioning enabled for state history
- DynamoDB table must have a primary key of
LockID (String) for Terraform locking
- Must support multi-environment state isolation (dev/staging/prod)
- State encryption must be enabled at rest (AES-256 or KMS)
- Access to the state bucket must be restricted via IAM policies
- CI/CD workflows must authenticate to the state backend via OIDC or GitHub Actions secrets
Acceptance Criteria
terraform init configures remote state backendterraform apply locks state via DynamoDB- Concurrent
terraform plan from two terminals shows locking in action
- State file version history is accessible in S3 bucket
- CI pipeline uses remote state and can plan/apply infrastructure changes
terraform workspace select dev/staging/prod uses separate state keys- New developer can bootstrap with documented one-time setup
File Inventory
infrastructure/terraform/providers.tfinfrastructure/terraform/workspaces.tfinfrastructure/scripts/bootstrap-state.sh (new)
Dependencies
None.
Testing Strategy
- Manual: run
terraform init and verify backend switch
- Manual: run concurrent terraform operations and verify locking
- CI: verify pipeline can plan against remote state
Security Considerations
S3 bucket must have public access blocked. IAM policies must restrict state access to authorized principals. DynamoDB table must be encrypted. State files may contain sensitive values (database passwords, API keys) — consider using KMS encryption or a dedicated secrets backend.
Definition of Done
Problem Statement
The Terraform configuration in
infrastructure/terraform/uses only local state storage. This means every team member and CI pipeline operates on their own isolated state — there is no shared source of truth for infrastructure. State conflicts, duplicate resource creation, and unrecoverable state loss are inevitable in a team environment.Evidence
infrastructure/terraform/providers.tf— Nobackend "s3" {}block; Terraform defaults to local stateinfrastructure/terraform/workspaces.tf— Multi-environment workspace config exists but without remote state, workspace isolation is limited to local filesterraform { backend "s3" { ... } }configuration anywhere in the codebaseImpact
Team members cannot safely run Terraform concurrently. CI/CD pipelines cannot reliably detect drift. State file loss would result in manual reconstruction of all infrastructure resources. No audit trail of who applied which changes.
Proposed Solution
backend "s3"configuration toproviders.tfwith environment-specific key prefixes (e.g.,vertexchain/terraform/dev/terraform.tfstate)Technical Requirements
LockID(String) for Terraform lockingAcceptance Criteria
terraform initconfigures remote state backendterraform applylocks state via DynamoDBterraform planfrom two terminals shows locking in actionterraform workspace select dev/staging/produses separate state keysFile Inventory
infrastructure/terraform/providers.tfinfrastructure/terraform/workspaces.tfinfrastructure/scripts/bootstrap-state.sh(new)Dependencies
None.
Testing Strategy
terraform initand verify backend switchSecurity Considerations
S3 bucket must have public access blocked. IAM policies must restrict state access to authorized principals. DynamoDB table must be encrypted. State files may contain sensitive values (database passwords, API keys) — consider using KMS encryption or a dedicated secrets backend.
Definition of Done