12 KiB
layout | page_title | sidebar_current | description |
---|---|---|---|
language | Backend Type: azurerm | docs-backends-types-standard-azurerm | Terraform can store state remotely in Azure Blob Storage. |
azurerm
Kind: Standard (with state locking)
Stores the state as a Blob with the given Key within the Blob Container within the Blob Storage Account. This backend also supports state locking and consistency checking via native capabilities of Azure Blob Storage.
-> Note: By default the Azure Backend uses ADAL for authentication which is deprecated in favour of MSAL - MSAL can be used by setting use_microsoft_graph
to true
. The default for this will change in Terraform 1.2, so that MSAL authentication is used by default.
Example Configuration
When authenticating using the Azure CLI or a Service Principal (either with a Client Certificate or a Client Secret):
terraform {
backend "azurerm" {
resource_group_name = "StorageAccount-ResourceGroup"
storage_account_name = "abcd1234"
container_name = "tfstate"
key = "prod.terraform.tfstate"
}
}
When authenticating using Managed Service Identity (MSI):
terraform {
backend "azurerm" {
resource_group_name = "StorageAccount-ResourceGroup"
storage_account_name = "abcd1234"
container_name = "tfstate"
key = "prod.terraform.tfstate"
use_msi = true
subscription_id = "00000000-0000-0000-0000-000000000000"
tenant_id = "00000000-0000-0000-0000-000000000000"
}
}
When authenticating using Azure AD Authentication:
terraform {
backend "azurerm" {
storage_account_name = "abcd1234"
container_name = "tfstate"
key = "prod.terraform.tfstate"
use_azuread_auth = true
subscription_id = "00000000-0000-0000-0000-000000000000"
tenant_id = "00000000-0000-0000-0000-000000000000"
}
}
-> Note: When using AzureAD for Authentication to Storage you also need to ensure the Storage Blob Data Owner
role is assigned.
When authenticating using the Access Key associated with the Storage Account:
terraform {
backend "azurerm" {
storage_account_name = "abcd1234"
container_name = "tfstate"
key = "prod.terraform.tfstate"
# rather than defining this inline, the Access Key can also be sourced
# from an Environment Variable - more information is available below.
access_key = "abcdefghijklmnopqrstuvwxyz0123456789..."
}
}
When authenticating using a SAS Token associated with the Storage Account:
terraform {
backend "azurerm" {
storage_account_name = "abcd1234"
container_name = "tfstate"
key = "prod.terraform.tfstate"
# rather than defining this inline, the SAS Token can also be sourced
# from an Environment Variable - more information is available below.
sas_token = "abcdefghijklmnopqrstuvwxyz0123456789..."
}
}
-> NOTE: When using a Service Principal or an Access Key - we recommend using a Partial Configuration for the credentials.
Data Source Configuration
When authenticating using a Service Principal (either with a Client Certificate or a Client Secret):
data "terraform_remote_state" "foo" {
backend = "azurerm"
config = {
storage_account_name = "terraform123abc"
container_name = "terraform-state"
key = "prod.terraform.tfstate"
}
}
When authenticating using Managed Service Identity (MSI):
data "terraform_remote_state" "foo" {
backend = "azurerm"
config = {
resource_group_name = "StorageAccount-ResourceGroup"
storage_account_name = "terraform123abc"
container_name = "terraform-state"
key = "prod.terraform.tfstate"
use_msi = true
subscription_id = "00000000-0000-0000-0000-000000000000"
tenant_id = "00000000-0000-0000-0000-000000000000"
}
}
When authenticating using AzureAD Authentication:
data "terraform_remote_state" "foo" {
backend = "azurerm"
config = {
storage_account_name = "terraform123abc"
container_name = "terraform-state"
key = "prod.terraform.tfstate"
use_azuread_auth = true
subscription_id = "00000000-0000-0000-0000-000000000000"
tenant_id = "00000000-0000-0000-0000-000000000000"
}
}
-> Note: When using AzureAD for Authentication to Storage you also need to ensure the Storage Blob Data Owner
role is assigned.
When authenticating using the Access Key associated with the Storage Account:
data "terraform_remote_state" "foo" {
backend = "azurerm"
config = {
storage_account_name = "terraform123abc"
container_name = "terraform-state"
key = "prod.terraform.tfstate"
# rather than defining this inline, the Access Key can also be sourced
# from an Environment Variable - more information is available below.
access_key = "abcdefghijklmnopqrstuvwxyz0123456789..."
}
}
When authenticating using a SAS Token associated with the Storage Account:
data "terraform_remote_state" "foo" {
backend = "azurerm"
config = {
storage_account_name = "terraform123abc"
container_name = "terraform-state"
key = "prod.terraform.tfstate"
# rather than defining this inline, the SAS Token can also be sourced
# from an Environment Variable - more information is available below.
sas_token = "abcdefghijklmnopqrstuvwxyz0123456789..."
}
}
Configuration variables
The following configuration options are supported:
-
storage_account_name
- (Required) The Name of the Storage Account. -
container_name
- (Required) The Name of the Storage Container within the Storage Account. -
key
- (Required) The name of the Blob used to retrieve/store Terraform's State file inside the Storage Container. -
environment
- (Optional) The Azure Environment which should be used. This can also be sourced from theARM_ENVIRONMENT
environment variable. Possible values arepublic
,china
,german
,stack
andusgovernment
. Defaults topublic
. -
endpoint
- (Optional) The Custom Endpoint for Azure Resource Manager. This can also be sourced from theARM_ENDPOINT
environment variable.
~> NOTE: An endpoint
should only be configured when using Azure Stack.
snapshot
- (Optional) Should the Blob used to store the Terraform Statefile be snapshotted before use? Defaults tofalse
. This value can also be sourced from theARM_SNAPSHOT
environment variable.
When authenticating using the Managed Service Identity (MSI) - the following fields are also supported:
-
resource_group_name
- (Required) The Name of the Resource Group in which the Storage Account exists. -
msi_endpoint
- (Optional) The path to a custom Managed Service Identity endpoint which is automatically determined if not specified. This can also be sourced from theARM_MSI_ENDPOINT
environment variable. -
subscription_id
- (Optional) The Subscription ID in which the Storage Account exists. This can also be sourced from theARM_SUBSCRIPTION_ID
environment variable. -
tenant_id
- (Optional) The Tenant ID in which the Subscription exists. This can also be sourced from theARM_TENANT_ID
environment variable. -
use_microsoft_graph
- (Optional) Should MSAL be used for authentication instead of ADAL, and should Microsoft Graph be used instead of Azure Active Directory Graph? Defaults tofalse
.
-> Note: By default the Azure Backend uses ADAL for authentication which is deprecated in favour of MSAL - MSAL can be used by setting use_microsoft_graph
to true
. The default for this will change in Terraform 1.2, so that MSAL authentication is used by default.
use_msi
- (Optional) Should Managed Service Identity authentication be used? This can also be sourced from theARM_USE_MSI
environment variable.
When authenticating using a SAS Token associated with the Storage Account - the following fields are also supported:
sas_token
- (Optional) The SAS Token used to access the Blob Storage Account. This can also be sourced from theARM_SAS_TOKEN
environment variable.
When authenticating using the Storage Account's Access Key - the following fields are also supported:
access_key
- (Optional) The Access Key used to access the Blob Storage Account. This can also be sourced from theARM_ACCESS_KEY
environment variable.
When authenticating using AzureAD Authentication - the following fields are also supported:
use_azuread_auth
- (Optional) Should AzureAD Authentication be used to access the Blob Storage Account. This can also be sourced from theARM_USE_AZUREAD
environment variable.
-> Note: When using AzureAD for Authentication to Storage you also need to ensure the Storage Blob Data Owner
role is assigned.
use_microsoft_graph
- (Optional) Should MSAL be used for authentication instead of ADAL, and should Microsoft Graph be used instead of Azure Active Directory Graph? Defaults tofalse
.
-> Note: By default the Azure Backend uses ADAL for authentication which is deprecated in favour of MSAL - MSAL can be used by setting use_microsoft_graph
to true
. The default for this will change in Terraform 1.2, so that MSAL authentication is used by default.
When authenticating using a Service Principal with a Client Certificate - the following fields are also supported:
-
resource_group_name
- (Required) The Name of the Resource Group in which the Storage Account exists. -
client_id
- (Optional) The Client ID of the Service Principal. This can also be sourced from theARM_CLIENT_ID
environment variable. -
client_certificate_password
- (Optional) The password associated with the Client Certificate specified inclient_certificate_path
. This can also be sourced from theARM_CLIENT_CERTIFICATE_PASSWORD
environment variable. -
client_certificate_path
- (Optional) The path to the PFX file used as the Client Certificate when authenticating as a Service Principal. This can also be sourced from theARM_CLIENT_CERTIFICATE_PATH
environment variable. -
subscription_id
- (Optional) The Subscription ID in which the Storage Account exists. This can also be sourced from theARM_SUBSCRIPTION_ID
environment variable. -
tenant_id
- (Optional) The Tenant ID in which the Subscription exists. This can also be sourced from theARM_TENANT_ID
environment variable. -
use_microsoft_graph
- (Optional) Should MSAL be used for authentication instead of ADAL, and should Microsoft Graph be used instead of Azure Active Directory Graph? Defaults tofalse
.
-> Note: By default the Azure Backend uses ADAL for authentication which is deprecated in favour of MSAL - MSAL can be used by setting use_microsoft_graph
to true
. The default for this will change in Terraform 1.2, so that MSAL authentication is used by default.
When authenticating using a Service Principal with a Client Secret - the following fields are also supported:
-
resource_group_name
- (Required) The Name of the Resource Group in which the Storage Account exists. -
client_id
- (Optional) The Client ID of the Service Principal. This can also be sourced from theARM_CLIENT_ID
environment variable. -
client_secret
- (Optional) The Client Secret of the Service Principal. This can also be sourced from theARM_CLIENT_SECRET
environment variable. -
subscription_id
- (Optional) The Subscription ID in which the Storage Account exists. This can also be sourced from theARM_SUBSCRIPTION_ID
environment variable. -
tenant_id
- (Optional) The Tenant ID in which the Subscription exists. This can also be sourced from theARM_TENANT_ID
environment variable. -
use_microsoft_graph
- (Optional) Should MSAL be used for authentication instead of ADAL, and should Microsoft Graph be used instead of Azure Active Directory Graph? Defaults tofalse
.
-> Note: By default the Azure Backend uses ADAL for authentication which is deprecated in favour of MSAL - MSAL can be used by setting use_microsoft_graph
to true
. The default for this will change in Terraform 1.2, so that MSAL authentication is used by default.