Terraform on AWS
by Sergey Okinchuk
What State Is and Why It ExistsRemote State and Backends
Chapter 3: State
Topic 15

The State File Anatomy

StateInternals

The state file is JSON with a defined structure: a handful of top-level fields — version, serial, lineage, terraform_version — followed by a list of resource instances and their recorded attributes. You rarely touch it directly, but reading it once demystifies a lot of Terraform's behavior.

Knowing the anatomy is also what makes later state surgery safe rather than terrifying. When you understand why serial increments, what lineage protects against, and where the secrets live, the operations that move and remove resources stop feeling like open-heart surgery on a file you do not understand.

Top-Level Fields

Every state file opens with bookkeeping. version is the state format version; terraform_version records which binary last wrote it; serial is an integer that increments on every write; and lineage is a UUID generated when the state is first created and carried forever after, identifying this particular state's history.

terraform.tfstate — top-level fields
{
  "version": 4,
  "terraform_version": "1.10.5",
  "serial": 17,
  "lineage": "a1b2c3d4-5e6f-7890-abcd-ef0123456789",
  "outputs": { },
  "resources": [ ]
}

Resources and Instances

The resources array holds one entry per resource block, each carrying a mode (managed for resources, data for data sources), a type, a name, the provider that owns it, and an instances list. A plain resource has one instance; a resource with count or for_each has one per key. Each instance carries the full bag of resolved attributes — every value the provider returned after creating the object.

A managed resource with one instance
{
  "mode": "managed",
  "type": "aws_db_instance",
  "name": "primary",
  "provider": "provider[\"registry.terraform.io/hashicorp/aws\"]",
  "instances": [
    {
      "schema_version": 2,
      "attributes": {
        "id": "db-XYZ",
        "username": "admin",
        "password": "S3cr3t-in-plaintext"
      },
      "dependencies": ["aws_db_subnet_group.main"]
    }
  ]
}

Sensitive Values in State

Look again at that password field. It sits in the state file in plaintext, exactly as the provider returned it — regardless of whether you marked it sensitive in the config. The sensitive flag governs CLI output, not storage: it stops the value printing in a plan or an output, and does nothing to the bytes on disk. RDS passwords, generated private keys, and random_password results all land here in the clear, which is the entire reason state must be treated as a secret.

Dependencies and Metadata

Each instance also records the dependencies Terraform inferred and a schema_version for the resource. The dependency list lets Terraform reconstruct destroy order even if you later remove the references from your config. The schema version drives state upgrades: when a provider changes how it stores a resource, it bumps the schema version and supplies a migration that Terraform runs on read, which is why a state written by a much newer provider can fail to load on an old one.

Serial and Lineage in Practice

These two fields are how Terraform refuses to clobber state. Before writing, it checks that the serial it is about to overwrite is the one it read — if someone else wrote in between, the serial moved and Terraform rejects the stale write. lineage guards a different failure: copy a state file from an unrelated project over this one and the UUID will not match, so Terraform warns it is looking at a different state history rather than silently treating it as the same stack. Let Terraform manage both; hand-editing them is how you get a backend to reject your file.

Common Mistakes
  • Assuming a value marked sensitive in config is encrypted in state — it is only hidden from CLI output, still plaintext on disk.
  • Hand-editing an attribute value without bumping serial, so the backend rejects or mis-orders the write.
  • Copying a state file between unrelated projects and breaking lineage, so Terraform warns it is now a different state history.
  • Reading secrets straight out of a state file in a shared location, not realizing every attribute the provider returned is sitting there in the clear.
  • Ignoring a schema_version mismatch and downgrading the provider, then watching state fail to load because the upgrade can't run in reverse.
Best Practices
  • Rely on a remote backend with encryption at rest rather than trusting config-level sensitive to protect state contents.
  • Treat serial and lineage as backend-managed bookkeeping; let Terraform write them and never hand-edit them.
  • Inspect state with terraform show -json or terraform state show instead of opening the raw file.
  • Keep secrets out of Terraform-managed resources where you can — reference a secrets manager at runtime so the value never lands in state.
  • Pin provider versions so a stray upgrade does not silently bump schema_version and strand teammates on an older binary.
Comparable tools Pulumi state is similarly structured JSON with checkpoints CloudFormation hides its state entirely inside the service OpenTofu adds optional client-side state encryption Terraform lacks

Knowledge Check

What does the serial field track?

  • A counter that increments on every write, used to detect and reject a stale overwrite
  • The total number of resources currently tracked in the state file
  • The exact Terraform version that originally created this state file
  • A checksum of the entire file contents that Terraform uses to verify its integrity on every read

A RDS password is marked sensitive = true in the config. How is it stored in state?

  • In plaintext — sensitive only hides it from CLI output, it does not encrypt state
  • Encrypted in state with a key that is derived from the lineage UUID
  • Replaced with a one-way hash that Terraform can still compare against later
  • Omitted entirely, because values marked sensitive are never written to the state file at all

What does lineage protect against?

  • Mistakenly overwriting one stack's state with a state file from an unrelated history
  • Two engineers applying concurrently against the very same backend
  • A provider upgrade silently changing the resource schema out from under your configuration
  • Secrets being written into the state file in readable plaintext

What is the safe way to inspect what an attribute holds in state?

  • Run terraform state show or terraform show -json rather than opening the raw file
  • Open the raw JSON in an editor and edit the attribute value in place
  • Delete the lineage field to force Terraform to re-read the attribute value from AWS
  • Decrement the serial so that the next plan refreshes that one resource

You got correct