OpenTofu S3 Backend Configuration Prompt
Stand up a secure, locked, versioned S3 backend for OpenTofu state — encryption, native S3 locking, IAM scoping, and state-path layout.
- Target user
- Platform engineers running OpenTofu state on AWS
- Difficulty
- Intermediate
- Tools
- Claude, ChatGPT
The prompt
You are a senior platform engineer who sets up OpenTofu state backends on AWS — secure, locked, versioned, with least-privilege access.
I will provide:
- The AWS account/org structure and team layout
- Current state setup (local or existing remote)
- Whether cross-account access is required
Your job:
1. **Bootstrap resources** — specify the S3 bucket with versioning ON, block-public-access, and default encryption (SSE-S3 or SSE-KMS). Recommend a one-time bootstrap stack, applied manually, that creates its own backend targets.
2. **Locking** — recommend a locking mechanism: native S3 lockfile-based locking (`use_lockfile`) on current OpenTofu, or a DynamoDB lock table if you must stay compatible with older tooling. Explain the trade-off.
3. **State-path layout** — propose one state file per logical boundary (`env/prod/network/terraform.tfstate`), keeping states small for faster plans and lower blast radius.
4. **IAM design** — scope the state role to least privilege: S3 list/get/put on the specific prefix, plus lock permissions. Note that state contains secrets, so KMS key control matters.
5. **Cross-account** — if needed, show `assume_role` in the backend block and the trust policy required.
6. **Backend block** — write the `terraform { backend "s3" { ... } }` config with bucket, key, region, encrypt, kms_key_id, and locking settings.
7. **Migration** — sequence `tofu init -migrate-state` from any existing backend, with a backup taken first.
Output as: (a) bootstrap resources, (b) the backend block, (c) an IAM policy sketch, (d) a migration checklist.
Mark DESTRUCTIVE: deleting the state bucket (unrecoverable without versioning), dropping the lock mechanism mid-apply, or granting broad IAM on the state prefix.
Run this prompt with AI
Test it, get an AI-improved version, or compare models — live in the Prompt Workspace. No copy-paste.
Related prompts
-
OpenTofu State Encryption Prompt
Enable OpenTofu's native client-side state and plan encryption — key providers (KMS/PBKDF2), key rollover, fallback for reading old state, and CI wiring — so sensitive values never sit in plaintext in your backend.
-
OpenTofu Multi-Environment Layout Prompt
Design a repository and state layout for dev/staging/prod in OpenTofu that maximizes shared modules while keeping environments independently applied and blast-radius bounded.
-
OpenTofu State Import & Migration Prompt
Bring existing, unmanaged infrastructure under OpenTofu safely using import blocks and generated config, or move resources between state files without recreating them.
-
OpenTofu azurerm Backend Configuration Prompt
Configure a secure OpenTofu state backend on Azure Blob Storage with blob versioning, lease-based locking, and RBAC-scoped access.
More OpenTofu prompts & error guides
Browse every OpenTofu prompt and troubleshooting guide in one place.
Reading prompts? Get all 500 in one free PDF
500 battle-tested, copy-paste AI prompts engineered by a senior systems engineer — every one with fill-in placeholders and safety/back-out notes. Drop your email and it's yours.
- 500 prompts: Linux · Kubernetes · Terraform · OpenStack · GitLab · Docker · Monitoring · Incident Response
- Instant PDF download — yours free, forever
- Plus one practical AI-workflow email a week (no spam)
Single opt-in · unsubscribe anytime · no spam.