How do you secure Terraform state management in production?

Learn how to secure Terraform state management in production environments to protect sensitive data and ensure safe infrastructure changes.

Terraform, state management, production security, infrastructure as code, secrets management, cloud infrastructure, DevOps best practices.


    // Example of securing Terraform state management
    // Use a remote backend such as AWS S3 with encryption enabled

    terraform {
        backend "s3" {
            bucket         = "my-terraform-state-bucket"
            key            = "terraform/state"
            region         = "us-west-2"
            encrypt        = true
            dynamodb_table = "terraform-locks"
        }
    }

    // Set up IAM policies to restrict access to the S3 bucket
    resource "aws_iam_policy" "s3_policy" {
        name   = "TerraformS3Access"
        policy = jsonencode({
            Version = "2012-10-17"
            Statement = [
                {
                    Effect = "Allow"
                    Action = [
                        "s3:GetObject",
                        "s3:PutObject",
                        "s3:DeleteObject",
                    ]
                    // Objects in the state bucket named in the backend block above
                    Resource = "arn:aws:s3:::my-terraform-state-bucket/*"
                },
            ]
        })
    }
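
The backend block only points Terraform at the bucket; the bucket itself still has to be locked down. The following is an added example, not code from the original page, of the bucket-side controls. It assumes AWS provider v4 or later and a separate bootstrap configuration that creates the bucket before `terraform init`; the resource label `state` and the `Sid` value are illustrative names.

```hcl
# Added example: hardening for the bucket named in the backend block.
# Assumes AWS provider v4+ and a separate bootstrap configuration.
resource "aws_s3_bucket" "state" {
  bucket = "my-terraform-state-bucket"
}

# Keep prior state versions so a bad or malicious write can be rolled back.
resource "aws_s3_bucket_versioning" "state" {
  bucket = aws_s3_bucket.state.id
  versioning_configuration {
    status = "Enabled"
  }
}

# Default encryption at rest, independent of the client's encrypt = true.
resource "aws_s3_bucket_server_side_encryption_configuration" "state" {
  bucket = aws_s3_bucket.state.id
  rule {
    apply_server_side_encryption_by_default {
      sse_algorithm = "aws:kms"
    }
  }
}

# State often contains secrets in plaintext; never allow public exposure.
resource "aws_s3_bucket_public_access_block" "state" {
  bucket                  = aws_s3_bucket.state.id
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}

# Reject any request that does not arrive over TLS.
resource "aws_s3_bucket_policy" "state_tls_only" {
  bucket = aws_s3_bucket.state.id
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Sid       = "DenyInsecureTransport"
      Effect    = "Deny"
      Principal = "*"
      Action    = "s3:*"
      Resource  = [aws_s3_bucket.state.arn, "${aws_s3_bucket.state.arn}/*"]
      Condition = { Bool = { "aws:SecureTransport" = "false" } }
    }]
  })
}
```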
    
