원클릭으로
state-management
Manage Terraform remote state — backend setup, state isolation, locking, import, mv, and state surgery.
Codex 또는 Claude로 설치 이 Prompt를 복사해 Codex, Claude 또는 다른 어시스턴트에 붙여 넣으면 Skill 페이지를 검토하고 설치를 진행할 수 있습니다.
메뉴
Manage Terraform remote state — backend setup, state isolation, locking, import, mv, and state surgery.
Codex 또는 Claude로 설치 이 Prompt를 복사해 Codex, Claude 또는 다른 어시스턴트에 붙여 넣으면 Skill 페이지를 검토하고 설치를 진행할 수 있습니다.
SOC 직업 분류 기준
Production-grade GitHub Actions workflows — reusable workflows, OIDC cloud auth, caching, matrix builds, and environment protection rules. Use when the user creates, reviews, or debugs CI/CD pipelines in .github/workflows, or asks about GitHub Actions deployment, OIDC authentication, or workflow optimization.
Systematic diagnosis of Kubernetes pod failures — CrashLoopBackOff, OOMKilled, Pending, ImagePullBackOff, and service connectivity issues. Use when the user encounters pods not starting, container restart loops, scheduling failures, or service unreachability in a K8s cluster.
Implement distributed tracing with OpenTelemetry, Tempo/Jaeger — instrumentation, sampling, and trace-to-log correlation. Use when the user asks about distributed tracing, OpenTelemetry setup, span instrumentation, trace propagation, or connecting traces to logs and metrics.
Design reusable React components with compound patterns, controlled/uncontrolled hybrids, typed prop APIs, async state handling, and ARIA accessibility. Use when the user creates, refactors, or reviews React components, or mentions props, hooks, .tsx files, component APIs, or accessible UI patterns.
Apply STRIDE threat modeling to system designs, identify IDOR and authorization vulnerabilities, and build threat matrices for security reviews. Use when the user designs a new system, reviews an architecture, prepares for a security audit, or asks about common API vulnerabilities like IDOR or broken access control.
Secure CI/CD pipelines with keyless signing, OIDC federation, provenance attestations, policy enforcement, and hardened runners.
| name | state-management |
| type | skill |
| description | Manage Terraform remote state — backend setup, state isolation, locking, import, mv, and state surgery. |
| related-rules | ["state-management.md","iac-standards.md"] |
| allowed-tools | Read, Write, Edit, Bash |
Expertise: Remote backends, state isolation, import, mv, rm, state surgery, cross-stack references.
When setting up a new Terraform backend, debugging state lock, importing manually-created resources, or safely moving resources between state files.
# AWS S3 + DynamoDB lock
terraform {
backend "s3" {
bucket = "mycompany-terraform-state"
key = "${var.environment}/${var.component}/terraform.tfstate"
region = "us-east-1"
encrypt = true
kms_key_id = "alias/terraform-state"
dynamodb_table = "terraform-state-lock"
}
}
# GCS (GCP) — built-in locking, no separate lock table needed
terraform {
backend "gcs" {
bucket = "mycompany-terraform-state"
prefix = "${var.environment}/${var.component}"
}
}
# Terraform Cloud / HCP Terraform
terraform {
cloud {
organization = "mycompany"
workspaces { name = "production-network" }
}
}
state/
├── staging/
│ ├── network/terraform.tfstate
│ ├── k8s-cluster/terraform.tfstate
│ └── databases/terraform.tfstate
└── production/
├── network/terraform.tfstate
├── k8s-cluster/terraform.tfstate
└── databases/terraform.tfstate
Rule: Staging and production must use separate state files (separate key/prefix, ideally separate bucket).
terraform_remote_state)# ✅ Publish outputs to SSM Parameter Store
resource "aws_ssm_parameter" "vpc_id" {
name = "/${var.environment}/network/vpc_id"
type = "String"
value = aws_vpc.this.id
}
# ✅ Consume in another stack via data source
data "aws_ssm_parameter" "vpc_id" {
name = "/${var.environment}/network/vpc_id"
}
resource "aws_subnet" "app" {
vpc_id = data.aws_ssm_parameter.vpc_id.value
}
# 1. Write the resource block in .tf first
resource "aws_s3_bucket" "legacy" {
bucket = "my-legacy-bucket"
}
# 2. Import the existing resource
terraform import aws_s3_bucket.legacy my-legacy-bucket
# 3. Run plan — should show no changes if .tf matches reality
terraform plan # should be: "No changes."
# Safe rename using moved{} block (Terraform 1.1+) — no CLI required
moved {
from = aws_instance.web
to = aws_instance.this["web-01"]
}
# After apply, remove the moved{} block
# Manual state mv (use when moved{} block is not applicable)
# ALWAYS take a backup first
terraform state pull > backup-$(date +%Y%m%d-%H%M%S).tfstate
terraform state mv \
'aws_security_group.old_name' \
'aws_security_group.new_name'
# List all resources in state
terraform state list
# Show a specific resource's state
terraform state show 'aws_instance.this["web-01"]'
# Remove a resource from state WITHOUT destroying it (use when managed outside TF)
terraform state rm 'aws_s3_bucket.legacy'
# Force-unlock a stuck state lock (use only when lock is genuinely stale)
terraform force-unlock <LOCK_ID>
# Lock ID from error message: "Error acquiring the state lock"
# Pull state for manual inspection
terraform state pull | jq '.resources[] | {type: .type, name: .name}'
# Replace a resource (force-recreate without destroy first)
terraform apply -replace='aws_instance.this["web-01"]'
# Error: "Error acquiring the state lock" + lock ID
# Check DynamoDB for stale lock:
aws dynamodb get-item \
--table-name terraform-state-lock \
--key '{"LockID": {"S": "mycompany-terraform-state/production/network/terraform.tfstate"}}'
# Verify no apply is actually running before force-unlock
# Only force-unlock if you are certain no other process holds the lock
terraform force-unlock <LOCK_ID_FROM_ERROR>