Terraform

How do you configure an AWS S3 backend with DynamoDB state locking?

Difficulty: unrated

Source: bregman-arie/devops-exercises by Arie Bregman

Answer

Use a remote backend when you need a shared, durable source of truth. A minimal configuration looks like:

terraform {
  required_version = ">= 1.6.0"

  backend "s3" {
    bucket         = "my-tfstate-bucket"
    key            = "prod/network/terraform.tfstate"
    region         = "us-east-1"
    dynamodb_table = "tf-locks"
    encrypt        = true
  }
}

  • Create the S3 bucket with versioning, default encryption, and block public access before enabling the backend.

  • Provision a DynamoDB table with the primary key LockID so Terraform can acquire locks.

  • Use IAM least privilege policies that allow only state operations on the bucket and table to reduce blast radius.
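The three steps above, sketched as a bootstrap configuration. This is an added example, not part of the original exercise: the resource labels (`tfstate`, `tf_locks`, `tfstate_access`) are assumptions, the bucket, table, and key names mirror the backend block above, and SSE-S3 (`AES256`) is one choice of default encryption.

```hcl
# Added example: apply from a separate bootstrap config before `terraform init`.
resource "aws_s3_bucket" "tfstate" {
  bucket = "my-tfstate-bucket"
}

# Versioning lets you recover an earlier state object after a bad write.
resource "aws_s3_bucket_versioning" "tfstate" {
  bucket = aws_s3_bucket.tfstate.id
  versioning_configuration { status = "Enabled" }
}

resource "aws_s3_bucket_server_side_encryption_configuration" "tfstate" {
  bucket = aws_s3_bucket.tfstate.id
  rule {
    apply_server_side_encryption_by_default { sse_algorithm = "AES256" }
  }
}

resource "aws_s3_bucket_public_access_block" "tfstate" {
  bucket                  = aws_s3_bucket.tfstate.id
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}

# Lock table: the partition key must be a string attribute named LockID.
resource "aws_dynamodb_table" "tf_locks" {
  name         = "tf-locks"
  billing_mode = "PAY_PER_REQUEST"
  hash_key     = "LockID"
  attribute {
    name = "LockID"
    type = "S"
  }
}

# Least privilege: only this state key and this lock table, nothing else.
data "aws_iam_policy_document" "tfstate_access" {
  statement {
    actions   = ["s3:ListBucket"]
    resources = [aws_s3_bucket.tfstate.arn]
  }
  statement {
    actions   = ["s3:GetObject", "s3:PutObject"]
    resources = ["${aws_s3_bucket.tfstate.arn}/prod/network/terraform.tfstate"]
  }
  statement {
    actions   = ["dynamodb:DescribeTable", "dynamodb:GetItem", "dynamodb:PutItem", "dynamodb:DeleteItem"]
    resources = [aws_dynamodb_table.tf_locks.arn]
  }
}
```

Attach the rendered `data.aws_iam_policy_document.tfstate_access.json` to the role that runs Terraform; scoping the object statement to a single key keeps one stack's credentials from reading another stack's state.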