I'd like to contribute to this thread.
- This will most likely be AWS S3+DynamoDB unless you are using Terraform Cloud.
- Separate infrastructure (network + RBAC) of production and non-prod backends.
- Plan to disable access to state files (network access and RBAC) from outside of a designated network (e.g. deployment agent pool).
- Do not keep Terraform backend infrastructure with the run-time environment. Use a separate account.
- Enable object versioning on your Terraform backends to avoid losing changes and state files, and in order to maintain Terraform state history.
In some special cases, manual access to Terraform state files will be required. Things like refactoring, breaking changes or fixing defects will require running Terraform state operations by operations personnel. For such occasions, plan extraordinary controlled access to the Terraform state using a bastion host, VPN, etc.
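The controls listed above (S3 + DynamoDB backend, versioning, network-scoped access with a single break-glass exception), as an added Terraform example that is not from this thread or any poster; bucket and table names, the region, the VPC endpoint id and the break-glass role ARN are placeholders.

```hcl
terraform {
  backend "s3" {
    bucket         = "example-tfstate-prod"  # placeholder name
    key            = "network/terraform.tfstate"
    region         = "eu-west-1"
    dynamodb_table = "example-tfstate-lock"  # placeholder name
    encrypt        = true
  }
}
# Backend resources live in a dedicated state account, apart from the runtime account.
resource "aws_s3_bucket" "tfstate" {
  bucket = "example-tfstate-prod"
}
# Object versioning keeps state history and allows rollback after a bad write.
resource "aws_s3_bucket_versioning" "tfstate" {
  bucket = aws_s3_bucket.tfstate.id
  versioning_configuration {
    status = "Enabled"
  }
}

# Network + RBAC control: deny any request that does not arrive through the
# deployment agents' VPC endpoint, except from the controlled break-glass role.
resource "aws_s3_bucket_policy" "tfstate" {
  bucket = aws_s3_bucket.tfstate.id
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Sid       = "DenyOutsideDeploymentNetwork"
      Effect    = "Deny"
      Principal = "*"
      Action    = "s3:*"
      Resource  = [aws_s3_bucket.tfstate.arn, "${aws_s3_bucket.tfstate.arn}/*"]
      Condition = {
        StringNotEquals = { "aws:SourceVpce" = "vpce-0123456789abcdef0" }                              # placeholder
        ArnNotEquals    = { "aws:PrincipalArn" = "arn:aws:iam::111122223333:role/tfstate-breakglass" } # placeholder
      }
    }]
  })
}
# Lock table; LockID is the hash key the S3 backend expects.
resource "aws_dynamodb_table" "tfstate_lock" {
  name         = "example-tfstate-lock"
  billing_mode = "PAY_PER_REQUEST"
  hash_key     = "LockID"
  attribute {
    name = "LockID"
    type = "S"
  }
}
```

In practice the bucket, policy and lock table are bootstrapped from a separate configuration before any other root module points its `backend "s3"` block at them.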
Check a longer best practices blog that covers this in detail, including guidelines for CI/CD pipelines.