Terraform State Migration: A Practical Guide

By /

This post is about how to move entries from one state file to another, in this case, when they are stored on GCP. In the end, it doesn’t matter where they’re stored because we’re going to use push and pull to make local copies, move the entries we want, and then push the altered state files to their destinations.

This is a work in progress but the following will guide you through the core concepts.

Let’s Begin!

Create tf1 and tf2 and configure their backend.tf files with bucket and pathing
tf1:
backend.tf

terraform {
 backend "gcs" {
   bucket = "your-gcs-tfstate"
   prefix  = "terraform/state/tf1"
 }
}


main.tf

provider "google" {
    project = "${terraform.workspace}"
}

provider "google-beta" {
  project = "${terraform.workspace}"
}


enable-secret-manager.tf

resource "google_project_service" "enable-secretmanager" {
  project = "${terraform.workspace}"
  service = "secretmanager.googleapis.com"
  timeouts {
    create = "2m"
    update = "2m"
  }
  disable_dependent_services = false
  disable_on_destroy = false
}

tf2:
backend.tf

terraform {
 backend "gcs" {
   bucket = "your-gcs-tfstate"
   prefix  = "terraform/state/tf2"
 }
}


main.tf

provider "google" {
    project = "${terraform.workspace}"
}

provider "google-beta" {
  project = "${terraform.workspace}"
}

Perform terraform init on tf1:

gcloud auth application-default login
terraform init
terraform workspace new your-project-name
terraform apply
This will enable the secret manager in the project under tf1's state

Check tf1’s state:

terraform state list
google_project_service.enable-secretmanager

Perform terraform init on tf2:

check the state (terraform state list) and to verify that it is empty

# from tf2/
terraform init

# check the state file to see that it's empty
terraform state list

# create your workspace
terraform workspace new your-project-name

# verify the state is empty
terraform state list


Pro Tip:
I’ve had no luck moving items between remotes. This is when we use pull and push.

Move the secret manager from tf1 to tf2

from tf1/
terraform state pull > ../tf1.state


from tf2/
terraform state pull > ../tf2.state

Look at both state files, notice their structure.

Move time:

terraform state mv -dry-run -state=tf1.state -state-out=tf2.state \
google_project_service.enable-secretmanager google_project_service.enable-secretmanager

check there are no errors in the output

Now actually move it:

terraform state mv -state=tf1.state -state-out=tf2.state \
google_project_service.enable-secretmanager google_project_service.enable-secretmanager

review the tf*.state files, note there is a backup.

from tf1/

terraform state push ../tf1.state
terraform state list

from tf2/

terraform state push ../tf2.state
terraform state list


Move the ‘enable-secret-manager.tf’ from tf1 to tf2:

from tf1/

mv enable-secret-manager.tf ../tf2/

terraform apply

You should see that no modifications to the state were detected. This is exactly what we wanted!

from tf2/

terraform apply

You should see that no modifications to the state were detected. This is exactly what we wanted since tf2 is where the enable-secret-manager.tf is managed now.

Thanks!

Thx to Joey for helping me research options for how we could achieve this.

Related Posts

Scroll to Top