I am trying to run a command

terraform state mv -state="/tmp/terraform_state_migration/src.tfstate" -state-out="/tmp/terraform_state_migration/dst.tfstate" "module.esearch-subnet" "module.esearch-subnet"

after I pull src and dst's tfstate to local.
First, I tried to run this command under the src/ active terraform directory, and it required me to give it access to the remote s3 backend, which confuses me because I thought that when I give the -state and -state-out flags, it should use these local state files for the operation. After I granted the access and ran the command, it still just changed the local files instead of the remote files. That behavior is what I expect, but it is scary that it requires s3 access.
Then I did some research, and I believe that any terraform command run under an active terraform directory will access .terraform/terraform.tfstate under it, which is s3 in this case, and that's the part I think needs s3 access.
So, I tried to run the mv command again under a non-terraform directory, which is /tmp/terraform_state_migration/, and it works perfectly without complaining that it needs s3 access.
Can anyone explain to me if my guess is correct and what the best practice is here? I do not want to give it s3 access, as I don't want it to silently change my remote state without my knowledge, which is dangerous.
Thanks very much!
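A pre-flight check for the situation described in the post, as an added example that is not part of the original post and not Terraform's own code: Terraform records the backend an initialized directory is bound to under the "backend" key of .terraform/terraform.tfstate, so a script can read that file before any state command is run there. The function names and the sample directory layout in the test are hypothetical.

```python
import json
import sys
from pathlib import Path

# Backend types that keep state on the local disk (None = directory not initialized).
LOCAL_BACKENDS = {None, "local"}


def configured_backend(workdir):
    """Return the backend type recorded in <workdir>/.terraform/terraform.tfstate.

    Returns None when the directory has no such file, and "unreadable" when the
    file exists but is not valid JSON, so the caller fails closed.
    """
    marker = Path(workdir) / ".terraform" / "terraform.tfstate"
    if not marker.is_file():
        return None
    try:
        doc = json.loads(marker.read_text())
    except json.JSONDecodeError:
        return "unreadable"
    return (doc.get("backend") or {}).get("type")


def preflight(workdir, *state_files):
    """List reasons not to run an offline `terraform state mv` from workdir."""
    problems = []
    backend = configured_backend(workdir)
    if backend not in LOCAL_BACKENDS:
        problems.append(
            f"{workdir} is initialized against the '{backend}' backend; "
            "run the command from a scratch directory instead"
        )
    for state in state_files:
        # The pulled copies must already exist locally before anything is moved.
        if not Path(state).is_file():
            problems.append(f"{state} is not a local state file")
    return problems


if __name__ == "__main__":
    # Usage: python preflight.py src.tfstate dst.tfstate (checks the current directory)
    issues = preflight(Path.cwd(), *sys.argv[1:])
    for issue in issues:
        print("refusing:", issue)
    sys.exit(1 if issues else 0)
```

Run it from the directory where the `terraform state mv` command is about to be typed; a non-zero exit means the directory is bound to a non-local backend or a pulled state file is missing.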