Terraform state is the part of the tool nobody warns you about until it bites you. Locking, drift, and the day someone force-unlocked our production state.
Locking is not optional
Remote state with a DynamoDB lock table isn't a nice-to-have. With the S3 backend, setting `dynamodb_table` makes every plan and apply take a lock before it reads state and release it after it writes, and that is what stops two engineers from applying at the same time. Without it both runs read the same state, each creates or changes resources, and the last one to write wins: the other run's resources still exist in the cloud but are gone from state, so the next plan wants to create them again. We learned this after a corrupted state file cost us an afternoon of manual reconciliation. Versioning on the state bucket is the other half of the setup, because it gives you an earlier copy of the state to roll back to when that happens.
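As an added example (not the post's own tooling), here is a bootstrap script for that backend: it creates the state bucket with versioning, encryption and public access blocked, creates the DynamoDB table with the `LockID` partition key the S3 backend expects, writes the `backend` block with `dynamodb_table` set, and migrates local state into it. The bucket, table, key and region names are placeholders.

```shell
#!/bin/sh
# Added example, not the post's own tooling: bootstrap an S3 + DynamoDB
# backend and write the backend block that turns locking on.
# Bucket, table, region and key names below are placeholders.
set -eu

STATE_BUCKET="${STATE_BUCKET:-example-org-tfstate}"            # placeholder
LOCK_TABLE="${LOCK_TABLE:-example-org-tflock}"                 # placeholder
REGION="${REGION:-eu-west-1}"                                  # placeholder
STATE_KEY="${STATE_KEY:-prod/network/terraform.tfstate}"       # placeholder

# Render the backend block. The dynamodb_table line is the one that makes
# every plan/apply take a lock; encrypt=true asks S3 for server-side
# encryption of the state object, which contains secrets in plain text.
render_backend_tf() {
  cat <<EOF
terraform {
  backend "s3" {
    bucket         = "$1"
    key            = "$2"
    region         = "$3"
    dynamodb_table = "$4"
    encrypt        = true
  }
}
EOF
}

# Versioning is what lets you roll a corrupted state file back to the
# previous write; the public-access block keeps the state private even
# if a bucket policy is later botched.
create_state_bucket() {
  # Note: us-east-1 rejects LocationConstraint; drop that flag there.
  aws s3api create-bucket --bucket "$STATE_BUCKET" --region "$REGION" \
    --create-bucket-configuration LocationConstraint="$REGION"
  aws s3api put-bucket-versioning --bucket "$STATE_BUCKET" \
    --versioning-configuration Status=Enabled
  aws s3api put-public-access-block --bucket "$STATE_BUCKET" \
    --public-access-block-configuration \
    BlockPublicAcls=true,IgnorePublicAcls=true,BlockPublicPolicy=true,RestrictPublicBuckets=true
  aws s3api put-bucket-encryption --bucket "$STATE_BUCKET" \
    --server-side-encryption-configuration \
    '{"Rules":[{"ApplyServerSideEncryptionByDefault":{"SSEAlgorithm":"AES256"}}]}'
}

# The S3 backend expects a table whose partition key is a string named LockID.
create_lock_table() {
  aws dynamodb create-table --table-name "$LOCK_TABLE" --region "$REGION" \
    --attribute-definitions AttributeName=LockID,AttributeType=S \
    --key-schema AttributeName=LockID,KeyType=HASH \
    --billing-mode PAY_PER_REQUEST
  aws dynamodb wait table-exists --table-name "$LOCK_TABLE" --region "$REGION"
}

bootstrap() {
  create_state_bucket
  create_lock_table
  render_backend_tf "$STATE_BUCKET" "$STATE_KEY" "$REGION" "$LOCK_TABLE" > backend.tf
  # -migrate-state copies an existing local terraform.tfstate into the bucket.
  terraform init -migrate-state
}

# Only touch AWS when asked explicitly; sourcing the file just defines functions.
if [ "${1:-}" = "--run" ]; then
  bootstrap
fi
```

Run it once per state file as `sh bootstrap.sh --run` with credentials that can create the bucket and table. Terraform 1.10 and later also offer S3-native locking through `use_lockfile = true` in the same backend block, which removes the DynamoDB dependency; whichever mechanism you pick, the point is that locking is configured, not left to habit.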
Drift happens quietly
Anything changed by hand in the console, a security group rule, an IAM policy, drifts silently until the next plan surfaces it, often as a surprising destroy-and-recreate when the attribute that was changed is one the provider can only set at creation time. For security-sensitive resources drift is also a signal in its own right: a rule that was opened by hand stays open until someone happens to apply, and the plan that quietly closes it again is the only record that it happened. We now run a scheduled drift-detection plan in CI and alert on any diff. The pieces that make that work are `terraform plan -refresh-only -detailed-exitcode`: `-detailed-exitcode` returns 2 when there is a difference (0 for none, 1 for an error), and `-refresh-only` limits that difference to real infrastructure versus state, so code that has simply not been applied yet does not trip the alarm.
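The scheduled check, as an added example rather than the post's own CI job: it runs the refresh-only plan, maps the documented exit codes to a status, and on drift pulls the drifted addresses out of the plan JSON and flags the ones whose resource type is security-sensitive. The list of sensitive types, the plan file name and the alerting hook are assumptions.

```shell
#!/bin/sh
# Added example, not the post's own CI job: scheduled drift check built on
# terraform's documented exit codes. Resource-type list and file names are
# assumptions to adapt.
set -eu

PLAN_FILE="${PLAN_FILE:-drift.tfplan}"   # assumed name

# -detailed-exitcode: 0 = no changes, 1 = error, 2 = changes pending.
# Anything other than 0/2 is an error, so a broken credential or an expired
# session never reads as "clean".
plan_exit_status() {
  case "$1" in
    0) echo clean ;;
    2) echo drift ;;
    *) echo error ;;
  esac
}

# Resource types where drift is a security signal, not just hygiene.
# Assumed list; extend for your providers.
is_sensitive_type() {
  case "$1" in
    aws_security_group|aws_security_group_rule|aws_vpc_security_group_ingress_rule) return 0 ;;
    aws_iam_policy|aws_iam_role|aws_iam_role_policy|aws_s3_bucket_policy) return 0 ;;
    *) return 1 ;;
  esac
}

# Read resource addresses on stdin (one per line, e.g. module.net.aws_security_group.web[0]),
# print the security-sensitive ones. Returns 0 if any were found, 1 otherwise.
sensitive_drift() {
  found=1
  while IFS= read -r addr; do
    [ -n "$addr" ] || continue
    base=$(printf '%s' "$addr" | sed 's/\[[^]]*\]//g')   # drop [0] / ["key"] indexes
    rest="${base%.*}"                                     # strip the resource name
    rtype="${rest##*.}"                                   # type is the last remaining component
    if is_sensitive_type "$rtype"; then
      echo "$addr"
      found=0
    fi
  done
  return "$found"
}

run_drift_check() {
  # -lock-timeout lets the scheduled plan wait for a real apply instead of
  # failing the moment it meets the lock.
  set +e
  terraform plan -refresh-only -detailed-exitcode -input=false \
    -lock-timeout=5m -out="$PLAN_FILE"
  rc=$?
  set -e
  status="$(plan_exit_status "$rc")"
  case "$status" in
    clean) echo "no drift"; return 0 ;;
    error) echo "plan failed (exit $rc)"; return 1 ;;
  esac
  echo "DRIFT DETECTED"
  # resource_drift lists resources whose real state differs from the state file.
  terraform show -json "$PLAN_FILE" | jq -r '.resource_drift[]?.address' > drifted.txt
  if sensitive_drift < drifted.txt; then
    echo "security-sensitive resources drifted; page on-call"   # assumed alerting hook
  fi
  return 2
}

if [ "${1:-}" = "--run" ]; then
  run_drift_check
fi
```

Exit status 2 from the job is the alert condition; a separate status for "plan failed" matters because a check that cannot read state should page someone too, not report a green run. The refresh-only plan still takes the state lock, which is why the timeout is there rather than `-lock=false`.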
The force-unlock incident
Someone hit a stuck lock during an incident and ran `terraform force-unlock` without checking whether another apply was actually still running. It was. Force-unlock does not stop the other run; it only deletes the lock record, so the second apply started and both ended up writing state, which is exactly the corruption the lock exists to prevent. The lock error message already prints who holds the lock, which operation it is and when it was created, and that is the first thing to read: a lock from a CI runner created three minutes ago looks very different from one left behind by a laptop that lost its connection yesterday. We now require a second engineer to confirm before anyone force-unlocks state, no exceptions.
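A wrapper that enforces that rule, as an added example rather than the post's own runbook: it reads the lock record the S3 backend keeps in DynamoDB, shows who holds it and since when, refuses unless the CI check hook says no apply is running, requires the lock ID to be retyped and a second engineer to be named, logs the decision, and only then calls `terraform force-unlock`. Table, bucket and key names are placeholders, and `ci_apply_running` is an assumed hook to replace with a query to your own CI.

```shell
#!/bin/sh
# Added example, not the post's own runbook: a guarded wrapper around
# `terraform force-unlock`. Table/bucket/key names are placeholders and
# ci_apply_running is a hook you replace with a real CI query.
set -eu

LOCK_TABLE="${LOCK_TABLE:-example-org-tflock}"                 # placeholder
STATE_BUCKET="${STATE_BUCKET:-example-org-tfstate}"            # placeholder
STATE_KEY="${STATE_KEY:-prod/network/terraform.tfstate}"       # placeholder

# The S3 backend stores its lock as an item whose LockID is "<bucket>/<key>"
# and whose Info attribute is the same JSON the lock error prints
# (ID, Operation, Who, Created, ...).
show_lock_holder() {
  aws dynamodb get-item --table-name "$LOCK_TABLE" \
    --key "{\"LockID\":{\"S\":\"$STATE_BUCKET/$STATE_KEY\"}}" \
    --query 'Item.Info.S' --output text
}

# Pull one string field out of the lock-info JSON (no jq needed).
lock_field() {
  printf '%s' "$1" | sed -n "s/.*\"$2\":\"\([^\"]*\)\".*/\1/p"
}

# Assumed hook: fails closed, i.e. treats the apply as still running unless
# someone has checked CI and set CI_APPLY_IDLE=1. Replace with a real query.
ci_apply_running() {
  [ "${CI_APPLY_IDLE:-0}" != 1 ]
}

# The policy: the lock ID must be retyped exactly, a second engineer must be
# named, and that engineer cannot be the person doing the unlock.
unlock_allowed() {
  lock_id="$1"; typed_id="$2"; requester="$3"; confirmer="$4"
  [ -n "$lock_id" ] || { echo "no lock id" >&2; return 1; }
  [ "$typed_id" = "$lock_id" ] || { echo "typed lock id does not match the lock" >&2; return 1; }
  [ -n "$confirmer" ] || { echo "no confirming engineer" >&2; return 1; }
  [ "$confirmer" != "$requester" ] || { echo "second engineer must differ from requester" >&2; return 1; }
  return 0
}

guarded_force_unlock() {
  info="$(show_lock_holder)"
  if [ -z "$info" ] || [ "$info" = "None" ]; then
    echo "no lock held; nothing to do"; return 0
  fi
  lock_id="$(lock_field "$info" ID)"
  echo "lock $lock_id held by $(lock_field "$info" Who)" \
       "for $(lock_field "$info" Operation) since $(lock_field "$info" Created)"
  if ci_apply_running; then
    echo "an apply may still be running; refusing to unlock" >&2; return 1
  fi
  printf 'Re-type the lock ID to unlock: '; read -r typed
  printf 'Second engineer confirming (username): '; read -r confirmer
  unlock_allowed "$lock_id" "$typed" "${USER:-unknown}" "$confirmer"
  echo "$(date -u +%Y-%m-%dT%H:%M:%SZ) force-unlock $lock_id by ${USER:-unknown}, confirmed by $confirmer" \
    >> force-unlock.log
  # -force skips terraform's own yes/no prompt; the checks above replace it.
  terraform force-unlock -force "$lock_id"
}

if [ "${1:-}" = "--run" ]; then
  guarded_force_unlock
fi
```

The ordering is deliberate: the holder is printed before anything is asked, so the person at the keyboard sees "CI runner, apply, created two minutes ago" before they can type, and the hook fails closed so forgetting to check CI blocks the unlock rather than allowing it.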