# Terraform state — may contain secrets; NEVER commit
*.tfstate
*.tfstate.*
*.tfstate.backup

# Variable files with secret values — NEVER commit
*.auto.tfvars
*.auto.tfvars.json
terraform.tfvars

# Terraform working directory (downloaded providers, modules)
.terraform/

# Crash logs
crash.log
crash.*.log

# NOTE: .terraform.lock.hcl (provider lock file) IS committed — it pins provider SHAs
# for reproducibility, analogous to flake.lock.