297 lines
12 KiB
Markdown
297 lines
12 KiB
Markdown
---
|
|
layout: "language"
|
|
page_title: "Backend Type: azurerm"
|
|
sidebar_current: "docs-backends-types-standard-azurerm"
|
|
description: |-
|
|
Terraform can store state remotely in Azure Blob Storage.
|
|
|
|
---
|
|
|
|
# azurerm
|
|
|
|
**Kind: Standard (with state locking)**
|
|
|
|
Stores the state as a Blob with the given Key within the Blob Container within [the Blob Storage Account](https://docs.microsoft.com/en-us/azure/storage/common/storage-introduction). This backend also supports state locking and consistency checking via native capabilities of Azure Blob Storage.
|
|
|
|
-> **Note:** By default the Azure Backend uses ADAL for authentication which is deprecated in favour of MSAL - MSAL can be used by setting `use_microsoft_graph` to `true`. **The default for this will change in Terraform 1.2**, so that MSAL authentication is used by default.
|
|
|
|
## Example Configuration
|
|
|
|
When authenticating using the Azure CLI or a Service Principal (either with a Client Certificate or a Client Secret):
|
|
|
|
```hcl
|
|
terraform {
|
|
backend "azurerm" {
|
|
resource_group_name = "StorageAccount-ResourceGroup"
|
|
storage_account_name = "abcd1234"
|
|
container_name = "tfstate"
|
|
key = "prod.terraform.tfstate"
|
|
}
|
|
}
|
|
```
|
|
|
|
---
|
|
|
|
When authenticating using Managed Service Identity (MSI):
|
|
|
|
```hcl
|
|
terraform {
|
|
backend "azurerm" {
|
|
resource_group_name = "StorageAccount-ResourceGroup"
|
|
storage_account_name = "abcd1234"
|
|
container_name = "tfstate"
|
|
key = "prod.terraform.tfstate"
|
|
use_msi = true
|
|
subscription_id = "00000000-0000-0000-0000-000000000000"
|
|
tenant_id = "00000000-0000-0000-0000-000000000000"
|
|
}
|
|
}
|
|
```
|
|
|
|
---
|
|
|
|
When authenticating using Azure AD Authentication:
|
|
|
|
```hcl
|
|
terraform {
|
|
backend "azurerm" {
|
|
storage_account_name = "abcd1234"
|
|
container_name = "tfstate"
|
|
key = "prod.terraform.tfstate"
|
|
use_azuread_auth = true
|
|
subscription_id = "00000000-0000-0000-0000-000000000000"
|
|
tenant_id = "00000000-0000-0000-0000-000000000000"
|
|
}
|
|
}
|
|
```
|
|
|
|
-> **Note:** When using AzureAD for Authentication to Storage you also need to ensure the `Storage Blob Data Owner` role is assigned.
|
|
|
|
---
|
|
|
|
When authenticating using the Access Key associated with the Storage Account:
|
|
|
|
```hcl
|
|
terraform {
|
|
backend "azurerm" {
|
|
storage_account_name = "abcd1234"
|
|
container_name = "tfstate"
|
|
key = "prod.terraform.tfstate"
|
|
|
|
# rather than defining this inline, the Access Key can also be sourced
|
|
# from an Environment Variable - more information is available below.
|
|
access_key = "abcdefghijklmnopqrstuvwxyz0123456789..."
|
|
}
|
|
}
|
|
```
|
|
|
|
---
|
|
|
|
When authenticating using a SAS Token associated with the Storage Account:
|
|
|
|
```hcl
|
|
terraform {
|
|
backend "azurerm" {
|
|
storage_account_name = "abcd1234"
|
|
container_name = "tfstate"
|
|
key = "prod.terraform.tfstate"
|
|
|
|
# rather than defining this inline, the SAS Token can also be sourced
|
|
# from an Environment Variable - more information is available below.
|
|
sas_token = "abcdefghijklmnopqrstuvwxyz0123456789..."
|
|
}
|
|
}
|
|
```
|
|
|
|
-> **NOTE:** When using a Service Principal or an Access Key - we recommend using a [Partial Configuration](/docs/language/settings/backends/configuration.html#partial-configuration) for the credentials.
|
|
|
|
## Data Source Configuration
|
|
|
|
When authenticating using a Service Principal (either with a Client Certificate or a Client Secret):
|
|
|
|
```hcl
|
|
data "terraform_remote_state" "foo" {
|
|
backend = "azurerm"
|
|
config = {
|
|
storage_account_name = "terraform123abc"
|
|
container_name = "terraform-state"
|
|
key = "prod.terraform.tfstate"
|
|
}
|
|
}
|
|
```
|
|
|
|
---
|
|
|
|
When authenticating using Managed Service Identity (MSI):
|
|
|
|
```hcl
|
|
data "terraform_remote_state" "foo" {
|
|
backend = "azurerm"
|
|
config = {
|
|
resource_group_name = "StorageAccount-ResourceGroup"
|
|
storage_account_name = "terraform123abc"
|
|
container_name = "terraform-state"
|
|
key = "prod.terraform.tfstate"
|
|
use_msi = true
|
|
subscription_id = "00000000-0000-0000-0000-000000000000"
|
|
tenant_id = "00000000-0000-0000-0000-000000000000"
|
|
}
|
|
}
|
|
```
|
|
|
|
---
|
|
|
|
When authenticating using AzureAD Authentication:
|
|
|
|
```hcl
|
|
data "terraform_remote_state" "foo" {
|
|
backend = "azurerm"
|
|
config = {
|
|
storage_account_name = "terraform123abc"
|
|
container_name = "terraform-state"
|
|
key = "prod.terraform.tfstate"
|
|
use_azuread_auth = true
|
|
subscription_id = "00000000-0000-0000-0000-000000000000"
|
|
tenant_id = "00000000-0000-0000-0000-000000000000"
|
|
}
|
|
}
|
|
```
|
|
|
|
-> **Note:** When using AzureAD for Authentication to Storage you also need to ensure the `Storage Blob Data Owner` role is assigned.
|
|
|
|
---
|
|
|
|
When authenticating using the Access Key associated with the Storage Account:
|
|
|
|
```hcl
|
|
data "terraform_remote_state" "foo" {
|
|
backend = "azurerm"
|
|
config = {
|
|
storage_account_name = "terraform123abc"
|
|
container_name = "terraform-state"
|
|
key = "prod.terraform.tfstate"
|
|
|
|
# rather than defining this inline, the Access Key can also be sourced
|
|
# from an Environment Variable - more information is available below.
|
|
access_key = "abcdefghijklmnopqrstuvwxyz0123456789..."
|
|
}
|
|
}
|
|
```
|
|
|
|
---
|
|
|
|
When authenticating using a SAS Token associated with the Storage Account:
|
|
|
|
```hcl
|
|
data "terraform_remote_state" "foo" {
|
|
backend = "azurerm"
|
|
config = {
|
|
storage_account_name = "terraform123abc"
|
|
container_name = "terraform-state"
|
|
key = "prod.terraform.tfstate"
|
|
|
|
# rather than defining this inline, the SAS Token can also be sourced
|
|
# from an Environment Variable - more information is available below.
|
|
sas_token = "abcdefghijklmnopqrstuvwxyz0123456789..."
|
|
}
|
|
}
|
|
```
|
|
|
|
## Configuration variables
|
|
|
|
The following configuration options are supported:
|
|
|
|
* `storage_account_name` - (Required) The Name of [the Storage Account](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/storage_account).
|
|
|
|
* `container_name` - (Required) The Name of [the Storage Container](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/storage_container) within the Storage Account.
|
|
|
|
* `key` - (Required) The name of the Blob used to retrieve/store Terraform's State file inside the Storage Container.
|
|
|
|
* `environment` - (Optional) The Azure Environment which should be used. This can also be sourced from the `ARM_ENVIRONMENT` environment variable. Possible values are `public`, `china`, `german`, `stack` and `usgovernment`. Defaults to `public`.
|
|
|
|
* `endpoint` - (Optional) The Custom Endpoint for Azure Resource Manager. This can also be sourced from the `ARM_ENDPOINT` environment variable.
|
|
|
|
~> **NOTE:** An `endpoint` should only be configured when using Azure Stack.
|
|
|
|
* `snapshot` - (Optional) Should the Blob used to store the Terraform Statefile be snapshotted before use? Defaults to `false`. This value can also be sourced from the `ARM_SNAPSHOT` environment variable.
|
|
|
|
---
|
|
|
|
When authenticating using the Managed Service Identity (MSI) - the following fields are also supported:
|
|
|
|
* `resource_group_name` - (Required) The Name of the Resource Group in which the Storage Account exists.
|
|
|
|
* `msi_endpoint` - (Optional) The path to a custom Managed Service Identity endpoint which is automatically determined if not specified. This can also be sourced from the `ARM_MSI_ENDPOINT` environment variable.
|
|
*
|
|
* `subscription_id` - (Optional) The Subscription ID in which the Storage Account exists. This can also be sourced from the `ARM_SUBSCRIPTION_ID` environment variable.
|
|
|
|
* `tenant_id` - (Optional) The Tenant ID in which the Subscription exists. This can also be sourced from the `ARM_TENANT_ID` environment variable.
|
|
|
|
* `use_microsoft_graph` - (Optional) Should MSAL be used for authentication instead of ADAL, and should Microsoft Graph be used instead of Azure Active Directory Graph? Defaults to `false`.
|
|
|
|
-> **Note:** By default the Azure Backend uses ADAL for authentication which is deprecated in favour of MSAL - MSAL can be used by setting `use_microsoft_graph` to `true`. **The default for this will change in Terraform 1.2**, so that MSAL authentication is used by default.
|
|
|
|
* `use_msi` - (Optional) Should Managed Service Identity authentication be used? This can also be sourced from the `ARM_USE_MSI` environment variable.
|
|
|
|
---
|
|
|
|
When authenticating using a SAS Token associated with the Storage Account - the following fields are also supported:
|
|
|
|
* `sas_token` - (Optional) The SAS Token used to access the Blob Storage Account. This can also be sourced from the `ARM_SAS_TOKEN` environment variable.
|
|
|
|
---
|
|
|
|
When authenticating using the Storage Account's Access Key - the following fields are also supported:
|
|
|
|
* `access_key` - (Optional) The Access Key used to access the Blob Storage Account. This can also be sourced from the `ARM_ACCESS_KEY` environment variable.
|
|
|
|
---
|
|
|
|
When authenticating using AzureAD Authentication - the following fields are also supported:
|
|
|
|
* `use_azuread_auth` - (Optional) Should AzureAD Authentication be used to access the Blob Storage Account. This can also be sourced from the `ARM_USE_AZUREAD` environment variable.
|
|
|
|
-> **Note:** When using AzureAD for Authentication to Storage you also need to ensure the `Storage Blob Data Owner` role is assigned.
|
|
|
|
* `use_microsoft_graph` - (Optional) Should MSAL be used for authentication instead of ADAL, and should Microsoft Graph be used instead of Azure Active Directory Graph? Defaults to `false`.
|
|
|
|
-> **Note:** By default the Azure Backend uses ADAL for authentication which is deprecated in favour of MSAL - MSAL can be used by setting `use_microsoft_graph` to `true`. **The default for this will change in Terraform 1.2**, so that MSAL authentication is used by default.
|
|
|
|
---
|
|
|
|
When authenticating using a Service Principal with a Client Certificate - the following fields are also supported:
|
|
|
|
* `resource_group_name` - (Required) The Name of the Resource Group in which the Storage Account exists.
|
|
|
|
* `client_id` - (Optional) The Client ID of the Service Principal. This can also be sourced from the `ARM_CLIENT_ID` environment variable.
|
|
|
|
* `client_certificate_password` - (Optional) The password associated with the Client Certificate specified in `client_certificate_path`. This can also be sourced from the `ARM_CLIENT_CERTIFICATE_PASSWORD` environment variable.
|
|
|
|
* `client_certificate_path` - (Optional) The path to the PFX file used as the Client Certificate when authenticating as a Service Principal. This can also be sourced from the `ARM_CLIENT_CERTIFICATE_PATH` environment variable.
|
|
|
|
* `subscription_id` - (Optional) The Subscription ID in which the Storage Account exists. This can also be sourced from the `ARM_SUBSCRIPTION_ID` environment variable.
|
|
|
|
* `tenant_id` - (Optional) The Tenant ID in which the Subscription exists. This can also be sourced from the `ARM_TENANT_ID` environment variable.
|
|
|
|
* `use_microsoft_graph` - (Optional) Should MSAL be used for authentication instead of ADAL, and should Microsoft Graph be used instead of Azure Active Directory Graph? Defaults to `false`.
|
|
|
|
-> **Note:** By default the Azure Backend uses ADAL for authentication which is deprecated in favour of MSAL - MSAL can be used by setting `use_microsoft_graph` to `true`. **The default for this will change in Terraform 1.2**, so that MSAL authentication is used by default.
|
|
|
|
---
|
|
|
|
When authenticating using a Service Principal with a Client Secret - the following fields are also supported:
|
|
|
|
* `resource_group_name` - (Required) The Name of the Resource Group in which the Storage Account exists.
|
|
|
|
* `client_id` - (Optional) The Client ID of the Service Principal. This can also be sourced from the `ARM_CLIENT_ID` environment variable.
|
|
|
|
* `client_secret` - (Optional) The Client Secret of the Service Principal. This can also be sourced from the `ARM_CLIENT_SECRET` environment variable.
|
|
|
|
* `subscription_id` - (Optional) The Subscription ID in which the Storage Account exists. This can also be sourced from the `ARM_SUBSCRIPTION_ID` environment variable.
|
|
|
|
* `tenant_id` - (Optional) The Tenant ID in which the Subscription exists. This can also be sourced from the `ARM_TENANT_ID` environment variable.
|
|
|
|
* `use_microsoft_graph` - (Optional) Should MSAL be used for authentication instead of ADAL, and should Microsoft Graph be used instead of Azure Active Directory Graph? Defaults to `false`.
|
|
|
|
-> **Note:** By default the Azure Backend uses ADAL for authentication which is deprecated in favour of MSAL - MSAL can be used by setting `use_microsoft_graph` to `true`. **The default for this will change in Terraform 1.2**, so that MSAL authentication is used by default.
|