Terraform reads backend configuration before loading managed resources.
That ordering creates a bootstrap boundary.
The S3 bucket used for remote state must already exist before Terraform can migrate state into it. Beginners often miss this because backend blocks look like normal Terraform configuration, but backend initialization happens earlier in the workflow.
This lesson walks through a complete S3 backend example using:
- S3 versioning
- Public access blocking
- AES256 encryption
- Native S3 lockfiles
terraform init -migrate-state
The focus is operational behavior, not memorizing syntax.
One corrupted state file can disconnect Terraform from real infrastructure.