Your Terraform state file is the single most sensitive artifact in your cloud. It is a complete map of every resource you run, and depending on your providers it also holds secrets in plaintext: connection strings, generated passwords, keys. By default that file lives in a cloud storage account with a public endpoint, locked down with nothing more than an access key. If that key leaks, the attacker doesn't have to enumerate your infrastructure. You handed them the diagram.
We sell authentication. An auth vendor that leaves the keys to its own kingdom on the open internet has no business holding yours. So our production state account has no public surface at all. Getting there has three traps, and we walked into the shape of each one before getting it right.
Trap one: the chicken and egg
Remote state needs a backend that already exists before Terraform can run. But the backend is itself infrastructure, and you'd like Terraform to manage it. You cannot use the storage account to store the state of the storage account that doesn't exist yet.
The way out is a deliberate two-phase bootstrap. Phase one runs with local state and creates exactly the foundation: the state storage account, the network it will live in, and the access path. Phase two flips the backend block from local to remote and migrates the now-existing state file up into the account it just created. From that point on, that bootstrap layer manages itself remotely like everything else. It's a few minutes of feeling like you're standing on a ladder you're still building, and then it's done forever.
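The two-phase layout described above, as an added Terraform example that is not the post's own code: the bootstrap configuration with its phase-one local backend, the phase-two azurerm block kept beside it, and a state account with no public endpoint and no shared keys. Resource names, the region and the runner_subnet_id variable are assumptions, and the private DNS zone the runner needs to resolve the private endpoint is left out.

```hcl
# bootstrap/main.tf (hypothetical file; every name and ID here is a placeholder)
terraform {
  # Phase one: local state, because the remote backend does not exist yet.
  backend "local" { path = "bootstrap.tfstate" }
  # Phase two: swap in this block, then `terraform init -migrate-state` moves the file up.
  # backend "azurerm" {
  #   resource_group_name  = "rg-tfstate"
  #   storage_account_name = "sttfstateexample"
  #   container_name       = "tfstate"
  #   key                  = "bootstrap.tfstate"
  #   use_azuread_auth     = true # Entra ID RBAC; no storage key involved
  # }
}
provider "azurerm" {
  features {}
  storage_use_azuread = true # data-plane calls use RBAC too, since keys are off
}
variable "runner_subnet_id" { type = string } # assumed: subnet the runner sits in
resource "azurerm_resource_group" "state" {
  name     = "rg-tfstate"
  location = "westeurope"
}
resource "azurerm_storage_account" "state" {
  name                          = "sttfstateexample"
  resource_group_name           = azurerm_resource_group.state.name
  location                      = azurerm_resource_group.state.location
  account_tier                  = "Standard"
  account_replication_type      = "GRS"
  public_network_access_enabled = false # no public endpoint at all
  shared_access_key_enabled     = false # nothing key-shaped left to leak
}
# The only path to the account: a private endpoint in the runner's network.
resource "azurerm_private_endpoint" "state_blob" {
  name                = "pe-tfstate-blob"
  resource_group_name = azurerm_resource_group.state.name
  location            = azurerm_resource_group.state.location
  subnet_id           = var.runner_subnet_id
  private_service_connection {
    name                           = "tfstate-blob"
    private_connection_resource_id = azurerm_storage_account.state.id
    subresource_names              = ["blob"]
    is_manual_connection           = false
  }
}
resource "azurerm_storage_container" "state" {
  name                  = "tfstate"
  storage_account_name  = azurerm_storage_account.state.name
  container_access_type = "private"
  depends_on            = [azurerm_private_endpoint.state_blob] # data-plane call; needs the private path
}
```

The identity running Terraform needs a data-plane role such as Storage Blob Data Contributor on the account, and the runner has to sit in a network that can reach the private endpoint, or phase one's container create fails before phase two even starts.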