Scalr

How Scalr Manages Terraform State

Discover Scalr’s Terraform state management: secure backends, RBAC, versioning, drift alerts, and collaborative workflows for reliable IaC.

Sebastian Stadil

3 min read
Reviewed for accuracy by Ryan Fee on June 6, 2025.

Terraform requires a state file to keep track of managed infrastructure and configuration. Effective management of this state file, including its security, availability, and versioning, is important for Terraform operations. Scalr provides multiple options for Terraform state management.

Scalr offers a managed backend for Terraform state, which includes security and versioning. It also allows integration with other storage solutions. This document outlines Scalr's capabilities for handling Terraform state.

Scalr-Managed State Storage

Scalr provides a managed state storage solution with the following characteristics:

  • AES-256 Encryption: State files managed by Scalr are encrypted at rest using AES-256. This protects infrastructure data from unauthorized access.
  • State Versioning and Rollback: Scalr versions state files automatically. This creates a history of the state, allowing users to inspect previous versions and revert to a prior state if necessary.

Automatic State Locking with Scalr Backend

To prevent corruption and conflicts from concurrent operations on the same Terraform state, Scalr implements automatic state locking when its managed backend is used.

  • When a Terraform operation (e.g., plan or apply) starts in a Scalr workspace, Scalr locks the state file.
  • This action prevents other users or processes from modifying the state simultaneously, which helps maintain data integrity.
  • The lock is released upon completion of the operation.

This locking mechanism is a built-in feature of the Scalr backend.

State Storage in Customer-Owned Buckets with Scalr Backend

Scalr offers the option to store state in a customer-owned storage bucket while still utilizing the Scalr backend's management features. This feature is referred to as storage profiles in Scalr.

This approach provides:

  • Customer control over the storage bucket (e.g., an S3 bucket within the customer's AWS account).
  • Continued use of Scalr features such as encryption (which can be layered with bucket-level encryption), state versioning metadata management, UI integration, and access controls.

This option can be used to meet specific compliance, data sovereignty, or data governance requirements.

Option to Use Other Remote Backends

Scalr allows users to employ other remote backends supported by Terraform if the Scalr-managed backend is not preferred.

  • Disable Scalr Backend Per Workspace: The Scalr-managed backend can be disabled for individual workspaces or environments. This permits configuration of Terraform to use alternative backends such as Amazon S3, Azure Blob Storage, Google Cloud Storage, or HashiCorp Consul.
  • External Backend Locking: If an external backend is used, state locking is handled by that specific backend. For example, an S3 bucket configured with DynamoDB for locking will use those AWS services for concurrency management. Terraform interacts with the chosen backend's locking mechanism.

Terraform State Commands

Since Scalr is a remote operations backend, the native Terraform or OpenTofu CLI can be used to interact with state. Users also have the option to the use Scalr CLI or API to interact with state. Before using the native CLI to interact with Scalr, the remote backend block must be added to the code:

terraform {
  backend "remote" {
    hostname = "my-account.scalr.io"
    organization = "<ID of environment>"
    workspaces {
      name = "<workspace-name>"
    }
  }
}

Here are a couple of example commands:

Import

The use case to import resources into remote backend state is very straight forward as this works exactly as you would expect it to without the remote backend. All you have to do is define the resource and ADDRESS ID. For example, I want to import an AWS instance (i-0d13d5591a41e11234) to the resource aws_instance.scalr. This is done by running the following command:

terraform import aws_instance.scalr i-0d13d5591a411234

Export

Terraform state data managed by Scalr can be accessed or exported through several methods:

  • Terraform CLI: The terraform state pull command can be used to retrieve the current state file to a local machine: terraform state pull> terraform.tfstate
  • Scalr API: Scalr's API allows programmatic access to and export of state files, which can be used for automation or integration.
  • Customer-Owned Bucket: If state is stored in a customer-owned bucket, the data resides directly within the customer's infrastructure, potentially negating the need for a separate export step from Scalr.

Remove

Resources can be removed directly from state by using the terraform state rm command: 

terraform state rm
At least one address is required.

Usage: terraform [global options] state rm [options] ADDRESS...

Conclusion

Scalr provides a set of features for managing Terraform state. These include a secure, versioned, and locked managed backend, along with the option to use external backends or store state in customer-owned buckets. These capabilities are designed to support various operational requirements for infrastructure as code management.