Skip to content

Backup and restore a Terraform state

Backup the tfstate

Assume that we have the my-stack Terraform object with its .spec.workspace set to "default".

kubectl get terraform

NAME       READY     STATUS         AGE
my-stack   Unknown   Initializing   28s

We can backup its tfstate out of the cluster, like this:

WORKSPACE=default
NAME=my-stack

kubectl get secret tfstate-${WORKSPACE}-${NAME} \
  -ojsonpath='{.data.tfstate}' \
  | base64 -d | gzip -d > terraform.tfstate

If you use a custom backend, these secrets will not be present and you will have to backup your custom backend in GCS or S3.

Restore the tfstate

To restore the tfstate file or import an existing tfstate file to the cluster, we can use the following operation:

gzip terraform.tfstate

WORKSPACE=default
NAME=my-stack

kubectl create secret \
  generic tfstate-${WORKSPACE}-${NAME} \
  --from-file=tfstate=terraform.tfstate.gz \
  --dry-run=client -o=yaml \
  | yq e '.metadata.annotations["encoding"]="gzip"' - \
  > tfstate-${WORKSPACE}-${NAME}.yaml

kubectl apply -f tfstate-${WORKSPACE}-${NAME}.yaml