HighFile-scope Plug & play

Terraform state must use a remote backend with locking

Configure a remote backend with state locking (e.g., S3 + DynamoDB table or AzureRM blob with leases). Do not use local backend for shared environments.

Add to Mesrai Open workspace

Why this matters

Remote, locked state prevents concurrent writes and corruption during team applies.

Bad vs. good

Side-by-side examples engineers can pattern-match during review.

Avoid

terraform {
 backend "local" {
 path = "./terraform.tfstate"
 }
}

Prefer

terraform {
 backend "s3" {
 bucket = "org-tf-state"
 key = "prod/network/terraform.tfstate"
 region = "us-east-1"
 dynamodb_table = "tf-state-locks"
 encrypt = true
 }
}

More snippets

Good

backend "s3" { dynamodb_table = "tf-state-locks" }

Bad

backend "local" { path = "state.tfstate" }

Related rules

From the same buckets as this rule.

Critical
Disallow public ingress without explicit allowlist
For Ingress/Service of type LoadBalancer, require host/path allowlist and TLS; forbid 0.0.0.0/0 exposure without WAF or Auth.
infra-as-codesecurity-hardening+1
Critical
Pods must run as non-root with read-only root filesystem
Set securityContext.runAsNonRoot=true, runAsUser!=0, and readOnlyRootFilesystem=true on pods/containers.
infra-as-codesecurity-hardening+1
Critical
Pulumi TS: secrets must use Config.requireSecret
In Pulumi TypeScript programs, load sensitive values with new Config().requireSecret and pass as Secret<T>, never plain strings.
infra-as-codesecrets-credentials+1

Why this matters

Bad vs. good

More snippets

Related rules

Disallow public ingress without explicit allowlist

Pods must run as non-root with read-only root filesystem

Pulumi TS: secrets must use Config.requireSecret

Why this matters

Bad vs. good

More snippets

Related rules

Disallow public ingress without explicit allowlist

Pods must run as non-root with read-only root filesystem

Pulumi TS: secrets must use Config.requireSecret