Terraform .gitignore Template & Security Guide
Complete Terraform .gitignore template for Infrastructure as Code. Secure your .tfvars, ignore .terraform/ directory, and follow DevOps best practices.
🔒 Security Critical
Never commit sensitive files! Always ignore .tfvars, terraform.tfstate, and any files containing secrets, API keys, or credentials.
🚀 Terraform .gitignore Template (2025)
```gitignore
# Terraform .gitignore Template - Updated 2025

# Local .terraform directories (downloaded providers and modules)
**/.terraform/*

# State files (resource attributes, including values marked sensitive, stored as plaintext JSON)
*.tfstate
*.tfstate.*

# Crash log files
crash.log
crash.*.log

# Exclude all .tfvars files, which are likely to contain sensitive data
*.tfvars
*.tfvars.json

# Ignore override files, which are usually used to override resources locally
override.tf
override.tf.json
*_override.tf
*_override.tf.json

# Include override files you do wish to add to version control using negation.
# The commented-out entry below shows how to achieve this:
# !example_override.tf

# Ignore saved plan files (the output of: terraform plan -out=tfplan)
*.tfplan

# Ignore CLI configuration files (may contain Terraform Cloud/Enterprise credentials)
.terraformrc
terraform.rc

# Ignore Mac .DS_Store files
.DS_Store

# Ignore Terraform lock file (optional, see note below)
.terraform.lock.hcl

# Ignore the .terraform working directory wherever it appears (backend settings, provider and module cache)
.terraform/

# Ignore backup files
*.backup
*.bak

# Ignore log files
*.log

# Ignore temporary files
*.tmp
*.temp

# Ignore IDE and editor files
.vscode/
.idea/
*.swp
*.swo
*~

# Ignore OS generated files
Thumbs.db
ehthumbs.db
Desktop.ini
$RECYCLE.BIN/

# Ignore terragrunt cache
.terragrunt-cache/

# Ignore local workspace state directory
terraform.tfstate.d/

# Ignore a project-local .terraform.d directory (plugin cache, credentials.tfrc.json)
.terraform.d/

# Ignore custom Terraform modules (if using local development)
# modules/
# .terraform-modules/

# Ignore environment-specific files
.env
.env.local
.env.*.local

# Ignore terraform-docs configuration (optional; many teams commit these)
terraform-docs.yml
.terraform-docs.yml
```
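A .gitignore is only as good as the patterns git actually applies, so it is worth asking git itself. The script below is an added example (my own code, not part of the page's template or the Terraform project): it writes the security-relevant subset of the rules above into a throwaway repository and runs `git check-ignore` against a constructed list of paths, reporting any sensitive path that would still be committed and any harmless path that would be wrongly hidden. The probe paths are assumptions chosen to exercise each rule; `git` must be on PATH.

```python
from __future__ import annotations

import subprocess
import tempfile
from pathlib import Path

# The rules under test: the security-relevant subset of the template above.
RULES = """\
**/.terraform/*
*.tfstate
*.tfstate.*
crash.log
crash.*.log
*.tfvars
*.tfvars.json
override.tf
override.tf.json
*_override.tf
*_override.tf.json
*.tfplan
.terraformrc
terraform.rc
.terraform.lock.hcl
*.backup
.env
"""

# Constructed paths of the kind a Terraform working tree contains. Nothing is
# created on disk: git check-ignore evaluates patterns, not files.
MUST_IGNORE = [
    "terraform.tfvars",
    "env/prod.auto.tfvars",
    "secrets.tfvars.json",
    "terraform.tfstate",
    "terraform.tfstate.backup",
    "stacks/net/terraform.tfstate",
    ".terraform/providers/registry.terraform.io/hashicorp/aws/5.0.0/linux_amd64/terraform-provider-aws_v5.0.0_x5",
    "plan.tfplan",
    "modules/vpc/override.tf",
    "modules/vpc/dev_override.tf",
    ".env",
]
# Paths that must stay committable, including the .example file that shares a prefix with *.tfvars.
MUST_KEEP = ["main.tf", "variables.tf", "terraform.tfvars.example", "modules/vpc/main.tf"]


def ignore_status(gitignore_text: str, paths: list[str]) -> dict[str, bool]:
    """Ask git whether each path is ignored by the given rules.

    A throwaway repository is initialised in a temp dir so the result does not
    depend on the state (or global excludes) of any real checkout.
    """
    with tempfile.TemporaryDirectory() as repo:
        subprocess.run(["git", "init", "-q", repo], check=True, capture_output=True)
        Path(repo, ".gitignore").write_text(gitignore_text)
        status: dict[str, bool] = {}
        for p in paths:
            # exit 0: ignored, 1: not ignored, anything else: git error
            proc = subprocess.run(
                ["git", "-C", repo, "check-ignore", "-q", "--", p],
                capture_output=True,
            )
            if proc.returncode not in (0, 1):
                raise RuntimeError(proc.stderr.decode(errors="replace"))
            status[p] = proc.returncode == 0
    return status


def audit(gitignore_text: str) -> tuple[list[str], list[str]]:
    """Return (sensitive paths git would NOT ignore, harmless paths it WOULD ignore)."""
    status = ignore_status(gitignore_text, MUST_IGNORE + MUST_KEEP)
    leaking = [p for p in MUST_IGNORE if not status[p]]
    over_ignored = [p for p in MUST_KEEP if status[p]]
    return leaking, over_ignored


if __name__ == "__main__":
    leaking, over_ignored = audit(RULES)
    print("would be committed:", leaking or "nothing sensitive")
    print("wrongly ignored:", over_ignored or "nothing")
    # Dropping the *.tfvars rule shows the audit catching the regression.
    weakened = RULES.replace("*.tfvars\n", "")
    print("after removing *.tfvars:", audit(weakened)[0])
```

Running this with the full rule set reports nothing leaking; deleting the `*.tfvars` line makes `terraform.tfvars` and `env/prod.auto.tfvars` show up as committable while `secrets.tfvars.json` stays covered by `*.tfvars.json`. Wiring `audit()` into CI against the repository's real `.gitignore` turns the template into an enforced control rather than a convention.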
🔐 Critical Files to Always Ignore
🚨 Security Sensitive
- *.tfvars - Variable files with secrets
- *.tfstate - State files with sensitive data
- .env - Environment variables
- terraform.rc / .terraformrc - CLI configuration (may hold Terraform Cloud/Enterprise credentials)
- crash.log - May contain sensitive info
⚡ Cache & Temporary
- .terraform/ - Provider and module cache
- *.tfplan - Plan output files
- .terragrunt-cache/ - Terragrunt cache
- override.tf - Local overrides
- *.backup - Backup files
🤔 Should You Ignore .terraform.lock.hcl?
✅ Commit Lock File (Recommended)
- Ensures consistent provider versions
- Team members use same dependencies
- Reproducible infrastructure builds
- Pins provider checksums, so terraform init fails if a provider artifact no longer matches what was recorded (a supply-chain control, not just a convenience)
- Official Terraform recommendation
- CI/CD pipeline consistency
Remove from .gitignore: Comment out or delete the .terraform.lock.hcl line.
⚠️ Ignore Lock File (Edge Cases)
- Multi-platform development issues (usually better solved by running terraform providers lock -platform=... for each OS/architecture, which records all the hashes in one committed lock file)
- Different team OS requirements
- Frequent provider updates needed
- Experimental development setup
Keep in .gitignore: Leave the .terraform.lock.hcl line as-is.
💡 Terraform Security Best Practices
1. Use terraform.tfvars.example
Create a committed template with placeholder values so team members know which variables to set, and keep the real values in the ignored terraform.tfvars. Note that `*.tfvars` does not match `terraform.tfvars.example`, so the template is committable while the real file stays ignored. Better still, pass secrets through TF_VAR_<name> environment variables and declare the variable with `sensitive = true` so it is redacted from plan and apply output:
```hcl
# terraform.tfvars.example (commit this)
aws_region        = "us-west-2"
environment       = "production"
database_password = "your-password-here"

# terraform.tfvars (ignore this)
aws_region        = "us-west-2"
environment       = "production"
database_password = "actual-secret-password"
```
2. Use Remote State Backend
Store terraform.tfstate remotely (S3, Terraform Cloud, etc.) instead of locally. This keeps state files out of the working tree so they cannot be committed by accident, and it enables locking and team collaboration. It does not make the state any less sensitive: every resource attribute, including values marked sensitive, is written to state in plaintext, so encrypt the backend at rest, enable versioning, and restrict read access to the people and pipelines that genuinely need it.
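To make the point about state contents concrete, here is an added example (my own scanner, not part of the page or of Terraform) that walks a constructed state-format-version-4 document, reports everything Terraform flags as sensitive (outputs with `sensitive: true` and resource `sensitive_attributes` paths), adds attributes whose names look like secrets for providers that never set the flag, and shows that the secret strings sit in the JSON as plaintext. The sample state, resource names, and the name heuristic are assumptions made for the demonstration.

```python
import json
import re

# Attribute names that some providers store without marking them sensitive (assumed heuristic).
SECRET_NAME_RE = re.compile(r"password|secret|private_key|token|api_key", re.IGNORECASE)

# Constructed state document (not from a real deployment), state format version 4,
# trimmed to the fields this scanner reads.
SAMPLE_STATE = json.dumps({
    "version": 4,
    "terraform_version": "1.9.0",
    "serial": 7,
    "lineage": "00000000-0000-0000-0000-000000000000",
    "outputs": {
        "db_endpoint": {"value": "db.internal:5432", "type": "string"},
        "db_password": {"value": "hunter2-constructed", "type": "string", "sensitive": True},
    },
    "resources": [
        {"mode": "managed", "type": "aws_db_instance", "name": "main",
         "provider": "provider[\"registry.terraform.io/hashicorp/aws\"]",
         "instances": [{"schema_version": 2,
                        "attributes": {"id": "db-constructed", "engine": "postgres",
                                       "username": "app", "password": "hunter2-constructed"},
                        "sensitive_attributes": [[{"type": "get_attr", "value": "password"}]]}]},
        {"mode": "managed", "type": "tls_private_key", "name": "ssh",
         "provider": "provider[\"registry.terraform.io/hashicorp/tls\"]",
         "instances": [{"schema_version": 1,
                        "attributes": {"algorithm": "ED25519",
                                       "private_key_pem": "-----BEGIN PRIVATE KEY-----\nconstructed\n-----END PRIVATE KEY-----\n",
                                       "public_key_openssh": "ssh-ed25519 AAAA constructed"},
                        "sensitive_attributes": [[{"type": "get_attr", "value": "private_key_pem"}]]}]},
        # Left unflagged on purpose so the attribute-name heuristic has something to catch.
        {"mode": "managed", "type": "aws_iam_access_key", "name": "ci",
         "provider": "provider[\"registry.terraform.io/hashicorp/aws\"]",
         "instances": [{"schema_version": 0, "index_key": 0,
                        "attributes": {"id": "AKIA-constructed", "user": "ci", "secret": "constructed-secret-key"},
                        "sensitive_attributes": []}]},
    ],
})


def _walk(value, path):
    """Follow a sensitive_attributes path such as [{"type": "get_attr", "value": "password"}]."""
    for step in path:
        kind, key = step.get("type"), step.get("value")
        try:
            if kind == "get_attr" and isinstance(value, dict):
                value = value[key]
            elif kind == "index" and isinstance(value, (list, dict)):
                value = value[key]
            else:
                return None
        except (KeyError, IndexError, TypeError):
            return None
    return value


def find_sensitive_values(state_text: str) -> list[tuple[str, object]]:
    """Return (resource address, value) for every sensitive value found in a v4 state file."""
    state = json.loads(state_text)
    if state.get("version") != 4:
        raise ValueError(f"unsupported state format version {state.get('version')!r}")
    findings = []
    for name, out in state.get("outputs", {}).items():
        if out.get("sensitive"):
            findings.append((f"output.{name}", out.get("value")))
    for res in state.get("resources", []):
        base = f"{res['type']}.{res['name']}"
        if res.get("mode") == "data":
            base = "data." + base
        for inst in res.get("instances", []):
            addr = base + (f"[{json.dumps(inst['index_key'])}]" if "index_key" in inst else "")
            attrs = inst.get("attributes", {})
            flagged = set()
            for path in inst.get("sensitive_attributes", []):
                val = _walk(attrs, path)
                if val is not None:
                    key = ".".join(str(s.get("value")) for s in path)
                    flagged.add(key)
                    findings.append((f"{addr}.{key}", val))
            # Fall back to the name heuristic for attributes the provider did not flag.
            for key, val in attrs.items():
                if key not in flagged and isinstance(val, str) and val and SECRET_NAME_RE.search(key):
                    findings.append((f"{addr}.{key}", val))
    return findings


def stored_in_plaintext(state_text: str, secret: str) -> bool:
    """True if the raw secret string appears verbatim in the state document."""
    return secret in state_text


if __name__ == "__main__":
    for addr, val in find_sensitive_values(SAMPLE_STATE):
        shown = val if not isinstance(val, str) else val[:4] + "..." + str(len(val)) + " chars"
        print(f"{addr}: {shown}")
```

The scanner finds the flagged database password and private key, the sensitive output, and the unflagged IAM secret; `stored_in_plaintext` confirms the password is recoverable with nothing more than `grep` on the file. Point the same code at a real `terraform.tfstate` (or at `terraform state pull` output) before deciding who may read a backend bucket, and treat every value it reports as exposed if that state was ever committed.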
3. Environment-Specific .tfvars
Use separate variable files for each environment:
```shell
# All ignored in .gitignore
dev.tfvars
staging.tfvars
production.tfvars

# Use with:
terraform apply -var-file="dev.tfvars"
```
🔧 Common Terraform .gitignore Issues
Problem: Terraform state already committed
If you accidentally committed terraform.tfstate files, stop tracking them first. Note that `git rm --cached` only removes the files from future commits; every value they contained is still in the repository history, so treat any credentials in that state as exposed (rotate them) and, if the repository is shared, rewrite history with a tool such as git filter-repo before pushing again:
```shell
# Remove from tracking but keep locally
# (quote the globs so git, not the shell, expands them across subdirectories)
git rm --cached -- '*.tfstate' '*.tfstate.*'

# Update .gitignore and commit
git add .gitignore
git commit -m "Remove terraform state from tracking"
```
Problem: .terraform directory taking up space
The .terraform directory can become large. Clean it up and ensure it's ignored:
```shell
# Clean local cache
rm -rf .terraform/

# Reinitialize (re-downloads providers and modules)
terraform init

# Verify .terraform/ is in .gitignore
```
Problem: Sensitive data in plan files
Always ignore .tfplan files. A saved plan contains a snapshot of the prior state, the planned values and the variable values that were supplied, so it carries the same secrets as the state file, and `terraform show -json` will render them as plaintext for anyone who obtains the file.
🏗️ Terragrunt Additional Ignores
If you're using Terragrunt, add these additional patterns:
```gitignore
# Terragrunt specific ignores
.terragrunt-cache/
terragrunt.hcl.backup
.terragrunt/
```
❓ Terraform .gitignore FAQ
Should I commit terraform.tfstate files?
Never! State files record every attribute of the infrastructure Terraform manages, including values declared sensitive, as plaintext JSON; the sensitive flag only redacts CLI output. Store state in a remote backend (S3 with encryption and restricted access, Terraform Cloud, etc.) and keep *.tfstate in your .gitignore.
Can I share .tfvars files safely?
Only if they contain no sensitive data. Create terraform.tfvars.example with dummy values for the team, but always ignore actual .tfvars files. Use environment variables or secure secret management instead.
What about provider credentials?
Never hardcode credentials in .tf files. Use environment variables, AWS profiles, workload identity in CI, or CI/CD secrets. Credential files such as ~/.aws/credentials and Terraform's credentials.tfrc.json belong outside the repository; if one ever ends up inside a project directory, ignore it and rotate the credential it held.
Should override.tf files be ignored?
Yes, override files are typically used for local development and testing. They can contain temporary configurations that shouldn't be shared with the team.