How to Use Terraform Cloud State Management for GitHub Workflows

Executive technology leader responsible for platform reliability, cloud operations, security posture, and enterprise technology risk within an investor-backed fintech environment. I lead technology operations at the intersection of engineering execution, governance, and business outcomes — ensuring platforms are scalable, resilient, and trusted by investors, regulators, and clients.
Currently VP of DevOps at InvestorFlow, where I focus on building board-ready technology operations, strengthening risk and resilience, and shaping long-term platform strategy to support growth and regulatory confidence.
When starting with Terraform, the question that comes up quickly is where to store your state file. Storing it locally is fine when you are testing Terraform or starting a new project, but another location becomes necessary once you introduce CI/CD and need to secure your state.
One approach has been to store state in cloud storage. For example, working with Azure, you would have used Blob storage for your state files. But this article looks at a better solution: Terraform Cloud. The platform has a huge number of benefits and features, but when you are just starting with Terraform at a low maturity level, I would recommend using Terraform Cloud for storing your state files so you and your CI/CD can access them securely.
Setup Terraform Cloud Workspace
First, make sure you are registered with Terraform Cloud. It’s free to sign up, and you can use many features within the free quota.
Once you are signed up, you can select workspaces and create a new workspace. Here, select the CLI-Driven Workflow.

In the next window, give your workspace a name and select Create.

Once created, select Settings and then General. Here, set the Execution Mode to Local (custom). This prevents Terraform Cloud from running your code on its own platform: Terraform runs wherever your CI/CD invokes it, and the workspace only stores the state. In this article, the Terraform job runs on GitHub. Click Save once set.

Go back to the main site, outside of the workspace, and select Settings. Here, choose API tokens and Team Tokens, and then Create a team token.

Select the team, which may only be Owners if this is the first time using Terraform Cloud, and set the expiration time. Once ready, select Create and store the token for later usage.

Backend Configuration
Within your Terraform code, you must configure a backend. Set the cloud organization to the one you created when signing up for Terraform Cloud, and set workspaces to the name of the workspace you configured above. This is an example of what it could look like:

    terraform {
      # The cloud block below requires Terraform 1.1 or later.
      required_version = ">= 1.1.0"

      required_providers {
        azurerm = {
          source  = "hashicorp/azurerm"
          version = "=3.54.0"
        }
      }

      # State is stored in this Terraform Cloud organization and workspace.
      cloud {
        organization = "your-organization-name"

        workspaces {
          name = "your-workspace-name"
        }
      }
    }

GitHub Configuration
Store the API token you created earlier as a repository secret. Give it the name TFC_Token (GitHub secret names are case-insensitive, so the workflow steps below can reference it as secrets.TFC_TOKEN).

Now, within your GitHub Workflow, you need to set the TF_TOKEN_app_terraform_io environment variable on the Terraform Init, Plan, and Apply steps:

    - name: Terraform Init
      id: init
      run: terraform init
      env:
        TF_TOKEN_app_terraform_io: ${{ secrets.TFC_TOKEN }}
      working-directory: .
    - name: Terraform Plan
      id: plan
      run: terraform plan -no-color
      env:
        TF_TOKEN_app_terraform_io: ${{ secrets.TFC_TOKEN }}
      continue-on-error: true
      working-directory: .
    - name: Terraform Apply
      id: apply
      run: terraform apply -auto-approve -no-color
      env:
        TF_TOKEN_app_terraform_io: ${{ secrets.TFC_TOKEN }}
      continue-on-error: true
      working-directory: .

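Please adapt these steps so that plan and apply execute the way you want in your workflow. Do not copy and paste the above into a workflow as it stands, as it would not provide an appropriate execution: with continue-on-error: true on the plan and apply steps, the job carries on even when one of them fails, and apply runs with -auto-approve.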
When you trigger your workflow, it stores the state file in Terraform Cloud within the workspace you provided in the config.
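
One way to arrange the three steps so that apply only runs after a successful plan, as an added example that is not the author's workflow. The workflow name, the main branch trigger, the job id and the tfplan file name are assumptions; authentication for the azurerm provider is not shown.

```yaml
# Added example. Assumed names: workflow "terraform", branch "main",
# job id "terraform", plan file "tfplan". The secret name and the
# TF_TOKEN_app_terraform_io variable come from the article.
name: terraform

on:
  pull_request:        # plan only
  push:
    branches: [main]   # plan, then apply

permissions:
  contents: read       # the job only needs to read the repository

jobs:
  terraform:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: hashicorp/setup-terraform@v3

      # The Terraform Cloud token is exposed only to the steps that talk to
      # the state backend, not to the whole job.
      - name: Terraform Init
        run: terraform init -input=false
        env:
          TF_TOKEN_app_terraform_io: ${{ secrets.TFC_TOKEN }}

      # No continue-on-error here: a failed plan fails the job,
      # so the apply step below never runs on a broken plan.
      - name: Terraform Plan
        run: terraform plan -input=false -no-color -out=tfplan
        env:
          TF_TOKEN_app_terraform_io: ${{ secrets.TFC_TOKEN }}

      # Apply only on pushes to main, and apply exactly the saved plan
      # rather than re-planning with -auto-approve.
      - name: Terraform Apply
        if: github.event_name == 'push' && github.ref == 'refs/heads/main'
        run: terraform apply -input=false -no-color tfplan
        env:
          TF_TOKEN_app_terraform_io: ${{ secrets.TFC_TOKEN }}
```

Repository secrets are not passed to workflows triggered by pull requests from forks, so the init step fails there instead of exposing the token.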






