Terraform .gitignore Configuration

Secure .gitignore for Terraform and OpenTofu projects. Covers .terraform directory, state files, tfvars with secrets, plan files, and crash log files.


Detailed Explanation

Terraform's .gitignore requirements are security-critical because state files and variable files often contain infrastructure secrets, database passwords, and cloud provider credentials in plaintext.

Essential Terraform ignore patterns:

.terraform/
*.tfstate
*.tfstate.*
*.tfplan
crash.log
crash.*.log
*.tfvars
*.tfvars.json
override.tf
override.tf.json
*_override.tf
*_override.tf.json
.terraformrc
terraform.rc

Why each pattern matters:

  • .terraform/ — The provider plugin and module cache directory. This can be hundreds of megabytes as it contains downloaded provider binaries (AWS, Azure, GCP). Regenerated by terraform init.
  • *.tfstate and *.tfstate.* — Critical security concern. Terraform state files contain the complete current state of your infrastructure, including resource IDs, IP addresses, database connection strings, and sometimes passwords in plaintext. Never commit state files. Use a remote backend (S3, GCS, Terraform Cloud, Azure Blob Storage).
  • *.tfplan — Saved execution plan files. These are binary and machine-specific.
  • *.tfvars — Variable definition files that typically contain secrets like API keys and service account credentials. Always ignore by default and use environment variables or a secrets manager for sensitive values.
  • crash.log — Terraform crash reports that may contain sensitive state data in the stack trace.
  • override.tf and *_override.tf — Terraform override files used for local testing. These modify resource definitions and should not be shared.
  • .terraformrc and terraform.rc — CLI configuration files that may contain Terraform Cloud API tokens.

What TO commit:

  • *.tf — Your infrastructure-as-code definitions.
  • .terraform.lock.hcl — The dependency lockfile for providers. Like package-lock.json, this ensures all team members use identical provider versions.
  • terraform.tfvars.example — A template showing required variables without actual secret values.

Remote state is mandatory for teams. Without it, two developers running terraform apply simultaneously can corrupt your infrastructure state irreversibly.

Use Case

An infrastructure team needs to migrate their Terraform state from local files to an S3 backend and ensure state files with AWS credentials are never committed to git.
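A pre-commit guard that enforces the ignore patterns listed above, added here as an example and not part of the generator tool: it classifies a path against the same patterns (.terraform/, *.tfstate, *.tfvars, plan and crash logs, overrides, CLI rc files), refuses a commit that stages any of them, and can audit files git already tracks. The hook entry point assumes it is installed as .git/hooks/pre-commit in the repository.

```shell
#!/bin/sh
# Pre-commit guard for Terraform repositories (added example, not the page's tool).

# Return 0 if the path should never be committed, 1 otherwise.
# Matching mirrors the .gitignore patterns above: basename patterns apply at
# any depth, and .terraform/ matches that directory anywhere in the path.
tf_sensitive_path() {
  p="$1"
  base="${p##*/}"
  case "/${p#./}/" in
    */.terraform/*) return 0 ;;           # provider/module cache directory
  esac
  case "$base" in
    *.tfstate|*.tfstate.*) return 0 ;;    # state, incl. terraform.tfstate.backup
    *.tfplan|crash.log|crash.*.log) return 0 ;;
    *.tfvars|*.tfvars.json) return 0 ;;   # terraform.tfvars.example does not match
    override.tf|override.tf.json|*_override.tf|*_override.tf.json) return 0 ;;
    .terraformrc|terraform.rc) return 0 ;;
  esac
  return 1
}

# Read paths (one per line) from stdin; print offenders, return 1 if any.
tf_check_paths() {
  rc=0
  while IFS= read -r p; do
    [ -n "$p" ] || continue
    if tf_sensitive_path "$p"; then
      echo "sensitive Terraform file: $p" >&2
      rc=1
    fi
  done
  return $rc
}

# Hook entry point: staged additions/copies/renames, relative to the repo root.
tf_precommit_hook() {
  git diff --cached --name-only --diff-filter=ACR | tf_check_paths || {
    echo "commit blocked: move state to a remote backend and secrets out of tfvars" >&2
    return 1
  }
}

# One-off audit of files already tracked (ignore rules do not untrack them).
tf_audit_tracked() {
  git ls-files | tf_check_paths
}

# When run as the hook itself rather than sourced, enforce the check.
case "$0" in */pre-commit) tf_precommit_hook ;; esac
```

Run `tf_audit_tracked` once before switching to the S3 backend: a state file that is already tracked stays in history until it is removed with git rm --cached and the history is rewritten.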
