Introduction

State files stored in an s3 bucket are encrypted. When a workspace is deleted a key component of the encryption is also deleted, and the state file cannot be decrypted.
There may be cases where you would like to retrieve the state file of a deleted workspace. If you have s3 versioning turned on and have a DB backup prior to the deletion you may be able to recover the state file by recreating the environment and retrieving the state file from the recreated environment.

Procedure

Recreate the TFE environment from the s3 bucket and the DB snapshot

• copy the s3 entire contents from the current bucket to a new bucket

The following is an example of copying/syncing two s3 buckets

   aws s3 sync --quiet s3://current-bucket s3://new-bucket

• create a DB instance from a previous snapshot - make sure you use a DB snapshot for a period which includes the deleted workspaces.
• install a TFE instance, make sure to install a TFE version which is the same as your DB snapshot. Please seeInteractive Terraform Enterprise InstallationorAutomated Terraform Enterprise Installationon step to install your TFE environment.

Please make sure to use theEncryption Password(enc_password) from your current environment, and point theObject Storage(s3_bucket) andPostgreSQL Configuration(pg_netloc) to the newly created s3 bucket and RDS instance.

Once the environment is up and running you should be able to see the workspaces which were deleted.

Restoring a deleted state file

on TFE

• Go to theStatestab of a the workspace you require.
• Click on the state file you will like to retrieve.
• record the state id (sv-xxxxxxxxxxxxxxxx)

in AWS console

• go to the current s3 bucket, click on "Show versions", and look for the state id in the "states" folder under "archivistterraform".
• "Download" the encrypted state file (xxxxxxxxx-yyyy-zzzz-ccccccccccc) which was deleted. The version id in s3 will show as "null"

  archivistterraform/states/<state id>/<hash>/xxxxxxxxx-yyyy-zzzz-ccccccccccc

• recreate the structure(directories) in the new s3 bucket in the same location, and upload the state file.

on TFE

• Press the "Download" in the states view where you got the state id.

After the state file is downloaded from the new TFE environment, please check the contents of the state file.

Recreating the workspace

• recreate the workspace with the same name as was previously used
• migrate the state file using the steps out lined in this KB article Migrate Workspace State Using the Terraform Enterprise API