May I ask what is the proper way to store Terraform state? We are currently testing out Terraform at my job and it just uses an S3 bucket with exception turned on. Thanks
Oh we do, too. My beef with it is how easy it is for a user on the account to go and read your state due to a lax IAM or bucket policy.
My advice: check and make sure the bucket policy you use for the state has an explicit deny (resource *, principal *) and then you explicitly allow only the user / role that requires access to the TF state.
Things to watch out for are providers that store sensitive info in your state. For example, if you use Vault and you read a secret out of Vault with Terraform, then the secret will be saved in your Terraform state which, painting with broad strokes, largely invalidates the purpose of Vault. Lots of providers do this; some are getting better about not requiring sensitive info to be saved in the state or included in the config.
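
An added example, not part of the thread: one way to express the deny-then-allow bucket policy described above, and to audit an existing policy against it. The bucket name, role ARN, action list and the `state_bucket_policy` / `audit` helpers are assumptions made for illustration.

```python
import json

# Constructed placeholder values, not taken from the thread.
BUCKET = "example-tf-state"
ALLOWED = ["arn:aws:iam::111122223333:role/terraform-ci"]

def state_bucket_policy(bucket, allowed_arns):
    """Explicit deny for every principal except allowed_arns, plus a narrow allow."""
    resources = [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"]
    return {"Version": "2012-10-17", "Statement": [
        # An explicit deny overrides any allow, so the exemption for the
        # Terraform role has to live in the deny's own condition.
        {"Sid": "DenyEveryoneElse", "Effect": "Deny", "Principal": "*",
         "Action": "s3:*", "Resource": resources,
         "Condition": {"ArnNotEquals": {"aws:PrincipalArn": allowed_arns}}},
        # Assumed action set for reading and writing state objects.
        {"Sid": "AllowTerraform", "Effect": "Allow",
         "Principal": {"AWS": allowed_arns},
         "Action": ["s3:ListBucket", "s3:GetObject", "s3:PutObject"],
         "Resource": resources}]}

def as_list(value):
    return [value] if isinstance(value, (str, dict)) else list(value or [])

def audit(policy, allowed_arns):
    """Return findings for a state-bucket policy; an empty list means it passes."""
    findings, guarded = [], False
    allowed = set(allowed_arns)
    for stmt in as_list(policy.get("Statement")):
        principal = stmt.get("Principal")
        wildcard = principal in ("*", {"AWS": "*"})
        sid = stmt.get("Sid", "<no Sid>")
        if stmt.get("Effect") == "Deny" and wildcard:
            cond = stmt.get("Condition", {}).get("ArnNotEquals", {})
            exempt = set(as_list(cond.get("aws:PrincipalArn")))
            if exempt == allowed:
                guarded = True
            else:
                findings.append(f"{sid}: deny exempts {sorted(exempt)}, expected {sorted(allowed)}")
        elif stmt.get("Effect") == "Allow":
            arns = as_list(principal.get("AWS")) if isinstance(principal, dict) else []
            if wildcard or set(arns) - allowed:
                findings.append(f"{sid}: allow reaches principals outside the allowed list")
    if not guarded:
        findings.append("no explicit deny for principal * with an exemption for the allowed ARNs")
    return findings

if __name__ == "__main__":
    print(json.dumps(state_bucket_policy(BUCKET, ALLOWED), indent=2))
    print(audit(state_bucket_policy(BUCKET, ALLOWED), ALLOWED))
```

Feed `audit` the JSON of the policy currently attached to the state bucket to see whether anything beyond the intended role can reach the state.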