How to Recover from a Corrupted Terraform State File

The Terraform state file (terraform.tfstate) is the single source of truth for your managed infrastructure. A corrupted or lost state file is one of the most critical incidents you can face. Here is how to handle it.

Prevention First: Enable Remote Backend with Versioning

The best recovery strategy is prevention. Always use a remote backend (like AWS S3) with versioning enabled.

terraform {
  backend "s3" {
    bucket         = "my-terraform-state"
    key            = "prod/terraform.tfstate"
    region         = "us-east-1"
    encrypt        = true
    dynamodb_table = "terraform-state-lock"

    # Versioning is not a backend argument: enable it on the S3 bucket itself
    # (AWS console, CLI, or a separate bucket versioning resource)
  }
}

With versioning enabled, you can roll back to a previous healthy state in seconds.

Recovery Option 1: Restore from Version History

If you are using S3 with versioning:

  1. Go to the S3 console and navigate to your state file.
  2. Click Show versions.
  3. Download a previous healthy version of the .tfstate file.
  4. Upload it back to replace the corrupted one.
  5. Run terraform plan to verify drift.

Recovery Option 2: Use terraform import

If the state is completely lost with no backup, manually re-import each resource:

# Re-import an existing AWS EC2 instance into state
terraform import aws_instance.web i-0abc12345def67890

# Re-import an S3 bucket
terraform import aws_s3_bucket.data my-existing-bucket-name

# Re-import an RDS instance
terraform import aws_db_instance.postgres my-db-identifier

You will need to do this for every resource in your configuration. It is tedious, but the state can be rebuilt this way.

Recovery Option 3: terraform state pull / push

# Pull the current remote state locally
terraform state pull > backup.tfstate

# Push a fixed state back to remote
terraform state push fixed.tfstate
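
Before pushing a repaired file, or re-uploading an older version as in Option 1, check that it parses and belongs to the same state history. The sketch below is an added example, not part of the original article. It checks the lineage and serial fields that terraform state push itself compares against the remote copy. The function names and sample data are hypothetical.

```python
import json

# Top-level keys present in a Terraform state file (format version 4).
REQUIRED_KEYS = ("version", "serial", "lineage", "resources")


def load_state(raw):
    """Parse state bytes; return (state, None) or (None, reason)."""
    try:
        state = json.loads(raw)
    except (ValueError, UnicodeDecodeError) as exc:
        return None, f"not valid JSON: {exc}"
    if not isinstance(state, dict):
        return None, "top-level JSON value is not an object"
    missing = [k for k in REQUIRED_KEYS if k not in state]
    if missing:
        return None, "missing keys: " + ", ".join(missing)
    return state, None


def check_candidate(candidate_raw, remote_raw=None):
    """Return a list of problems that should block pushing candidate_raw."""
    candidate, err = load_state(candidate_raw)
    if err:
        return [f"candidate {err}"]
    problems = []
    # Heuristic: an empty resource list is suspicious during a recovery.
    if not candidate["resources"]:
        problems.append("candidate tracks no resources")
    remote, err = load_state(remote_raw) if remote_raw else (None, "no remote copy")
    if err:  # remote copy absent or itself corrupted: nothing to compare against
        return problems
    if candidate["lineage"] != remote["lineage"]:
        problems.append("lineage differs from remote state")
    if candidate["serial"] < remote["serial"]:
        problems.append("serial is lower than remote state")
    return problems


# Constructed sample data, not taken from a real deployment.
GOOD = json.dumps({"version": 4, "serial": 12, "lineage": "aaaa-1111",
                   "resources": [{"type": "aws_instance", "name": "web"}]}).encode()
STALE = GOOD.replace(b'"serial": 12', b'"serial": 9')
TRUNCATED = GOOD[:40]  # simulates a partially written file

if __name__ == "__main__":
    for name, cand in (("good", GOOD), ("stale", STALE), ("truncated", TRUNCATED)):
        print(name, check_candidate(cand, GOOD) or "ok to push")
```

A lower serial is expected when you deliberately roll back to an older S3 version, so treat that finding as a prompt to confirm the rollback is intended.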

Inspect and Fix State Manually

# List all resources in state
terraform state list

# Show details of a specific resource
terraform state show aws_instance.web

# Remove a resource from state (without destroying it)
terraform state rm aws_instance.web

Key Takeaway

Always use a remote backend with versioning and state locking (DynamoDB for S3). If disaster strikes, restore from version history first. If no backup exists, use terraform import to rebuild the state resource by resource.
