Remote-state & credential security

Protect the crown jewels.

Advanced14 min · lesson 11 of 12

Terragrunt inherits Terraform’s security model and concentrates one part of it: the remote state backend, now shared across your whole estate, holds the state for every unit — and state can contain secrets in plaintext. So the state bucket (and its lock table) is a crown-jewel asset: lock it down with least-privilege access, enable versioning for recovery, turn on encryption at rest, and, where the backend supports it, prefer client-side/state encryption (OpenTofu) so the contents are ciphertext, not just the object.

root.hcl (hardened backend)
remote_state {
backend = "s3"
config = {
bucket = "acme-tf-state"
key = "${path_relative_to_include()}/terraform.tfstate"
region = "us-east-1"
encrypt = true # SSE on the bucket
dynamodb_table = "tf-locks" # locking, no concurrent applies
# bucket policy: least-privilege, versioned, access-logged
}
}

Credentials across accounts

Because Terragrunt spans accounts, credential handling matters: generate provider config that assumes a per-account role (short-lived, scoped) rather than embedding static keys, and give each environment the least privilege it needs. In CI, use OIDC to obtain short-lived cloud credentials per run, exactly as the CI/CD course prescribes. The wrapper makes it easy to apply many accounts — which makes scoping each account’s role correctly all the more important.

account.hcl
generate "provider" {
path = "provider.tf"
if_exists = "overwrite"
contents = <<EOF
provider "aws" {
region = "us-east-1"
assume_role { role_arn = "arn:aws:iam::${local.account_id}:role/terragrunt-deploy" }
}
EOF
}
The shared state backend is the whole estate’s crown jewels
One backend now holds state for every unit across every account, so read access to that bucket can expose secrets from your entire estate and write access can hijack what Terraform manages everywhere. Apply the tightest possible access controls, versioning, and encryption to the state bucket and lock table, keep them out of CI logs, and treat them as the single most sensitive resource Terragrunt touches.