TFLint vs Checkov vs OPA: Terraform Policy & Security Comparison

Compare 2-3 top Terraform tools to find your perfect fit for efficient infrastructure as code management.

Terraform Backend Comparison: S3, AzureRM, Local

Terraform backends define where state files are stored, which is crucial for managing infrastructure.

S3 Backend (AWS)

  • Remote state storage: AWS S3 bucket
  • State locking: DynamoDB table (external dependency)
  • Encryption: S3 Server-Side Encryption (SSE-S3, KMS)
  • Team collaboration: Excellent, shared state across teams
  • Cost: S3 storage, DynamoDB usage fees
  • Use case: AWS cloud environments, multi-region deployments
terraform {
  backend "s3" {
    bucket         = "my-company-tf-state"
    key            = "prod/vpc/terraform.tfstate"
    region         = "us-east-1"
    encrypt        = true
    dynamodb_table = "terraform-lock"
  }
}

AzureRM Backend (Azure Blob Storage)

  • Remote state storage: Azure Storage Account Blob Container
  • State locking: Built-in functionality
  • Encryption: Azure Storage Service Encryption (MS-managed, CMK)
  • Team collaboration: Excellent, shared state
  • Cost: Azure Storage account charges
  • Use case: Azure cloud environments, enterprise projects
terraform {
  backend "azurerm" {
    resource_group_name  = "rg-terraform-states"
    storage_account_name = "tfstatesa001"
    container_name       = "tfstate"
    key                  = "prod/vpc/terraform.tfstate"
  }
}

Local Backend

  • State storage: terraform.tfstate file in local directory
  • State locking: None
  • Encryption: None, plaintext on local disk
  • Team collaboration: Poor, no shared state, prone to conflicts
  • Cost: Free
  • Use case: Learning, local testing, single-user environments
terraform {
  backend "local" {
    path = "terraform.tfstate"
  }
}

Backend Feature Overview

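| Feature       | S3 Backend          | AzureRM Backend | Local Backend    |
|---------------|---------------------|-----------------|------------------|
| State Storage | AWS S3              | Azure Blob      | Local filesystem |
| State Locking | DynamoDB (external) | Built-in        | None             |
| Encryption    | S3 SSE, KMS         | Azure Storage   | None             |
| Collaboration | Excellent           | Excellent       | Poor             |
| Cost          | Low                 | Low             | Free             |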

Select a backend based on your cloud provider, team needs, and security requirements.
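
The locking and encryption differences compared above can be checked automatically before a configuration is merged. The Python check below is an added example, not code from the original post: the names `parse_backend` and `audit_backend` and the finding strings are hypothetical, and it assumes a flat backend block matched with a regex rather than a full HCL parser.

```python
import re

# A backend body is flat `key = value` settings, so a non-nested brace match suffices.
BACKEND_RE = re.compile(r'backend\s+"(\w+)"\s*\{([^{}]*)\}')
SETTING_RE = re.compile(r'^\s*(\w+)\s*=\s*(.+?)\s*$', re.M)
COMMENT_RE = re.compile(r'(^|\s)(#|//).*$', re.M)

def parse_backend(hcl):
    """Return (backend_type, settings); (None, {}) when no backend block exists."""
    m = BACKEND_RE.search(COMMENT_RE.sub("", hcl))
    if not m:
        return None, {}
    return m.group(1), {k: v.strip('"') for k, v in SETTING_RE.findall(m.group(2))}

def audit_backend(hcl):
    """List findings for the locking and encryption properties compared above."""
    btype, cfg = parse_backend(hcl)
    findings = []
    if btype in (None, "local"):
        # Terraform falls back to the local backend when none is declared.
        findings.append("local: plaintext state on disk, no shared state")
    elif btype == "s3":
        if cfg.get("encrypt") != "true":
            findings.append("s3: encrypt is not true")
        # use_lockfile is the S3 backend's newer native lock; not covered on this page.
        if "dynamodb_table" not in cfg and cfg.get("use_lockfile") != "true":
            findings.append("s3: no state locking configured")
    return findings  # azurerm: locking and encryption are built in, nothing to flag

# Constructed sample: the S3 backend with encryption and locking left out.
WEAK_S3 = '''
terraform {
  backend "s3" {
    bucket = "my-company-tf-state"
    key    = "prod/vpc/terraform.tfstate"
    region = "us-east-1"
    # encrypt = true
  }
}
'''

if __name__ == "__main__":
    for finding in audit_backend(WEAK_S3):
        print(finding)
```

Run against the S3 configuration shown earlier in this post, the check returns no findings; the constructed sample with `encrypt` commented out and no lock table returns two.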

This post is licensed under CC BY 4.0 by the author.