terraform/website/docs/language/settings/backends/remote.mdx

244 lines
9.7 KiB
Plaintext
Raw Blame History

This file contains invisible Unicode characters

This file contains invisible Unicode characters that are indistinguishable to humans but may be processed differently by a computer. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

---
page_title: 'Backend Type: remote'
description: >-
Terraform can store the state and run operations remotely, making it easier to
version and work with in a team.
---
# remote
-> **Note:** The remote backend was introduced in Terraform v0.11.13 and Terraform Enterprise v201809-1. As of Terraform v1.1.0 and Terraform Enterprise v202201-1, **we recommend using the Terraform Cloud's built-in [`cloud` integration](/language/settings/terraform-cloud)** instead of this backend. The `cloud` option includes an improved user experience and more features.
The remote backend is unique among all other Terraform backends because it can both store state snapshots and execute operations for Terraform Cloud's [CLI-driven run workflow](/cloud-docs/run/cli). It used to be called an "enhanced" backend.
When using full remote operations, operations like `terraform plan` or `terraform apply` can be executed in Terraform
Cloud's run environment, with log output streaming to the local terminal. Remote plans and applies use variable values from the associated Terraform Cloud workspace.
You can also use Terraform Cloud with local operations, in which case only state is stored in the Terraform Cloud backend.
## Command Support
Currently the remote backend supports the following Terraform commands:
- `apply`
- `console` (supported in Terraform >= v0.11.12)
- `destroy`
- `fmt`
- `get`
- `graph` (supported in Terraform >= v0.11.12)
- `import` (supported in Terraform >= v0.11.12)
- `init`
- `output`
- `plan`
- `providers`
- `show`
- `state` (supports all sub-commands: list, mv, pull, push, rm, show)
- `taint`
- `untaint`
- `validate`
- `version`
- `workspace`
## Workspaces
The remote backend can work with either a single remote Terraform Cloud workspace, or with multiple similarly-named remote workspaces (like `networking-dev` and `networking-prod`). The `workspaces` block of the backend configuration
determines which mode it uses:
- To use a single remote Terraform Cloud workspace, set `workspaces.name` to the
remote workspace's full name (like `networking-prod`).
- To use multiple remote workspaces, set `workspaces.prefix` to a prefix used in
all of the desired remote workspace names. For example, set
`prefix = "networking-"` to use Terraform cloud workspaces with
names like `networking-dev` and `networking-prod`. This is helpful when
mapping multiple Terraform CLI [workspaces](/language/state/workspaces)
used in a single Terraform configuration to multiple Terraform Cloud
workspaces.
The backend configuration requires either `name` or `prefix`. Omitting both or
setting both results in a configuration error.
If previous state is present when you run `terraform init` and the corresponding
remote workspaces are empty or absent, Terraform will create workspaces and
update the remote state accordingly. However, if your workspace requires variables or a specific version of Terraform for remote operations, we
recommend that you create your remote workspaces on Terraform Cloud before
running any remote operations against them.
### Workspace Names
Terraform uses shortened names without the common prefix to interact with workspaces on the command line. For example, if `prefix = "networking-"`, use `terraform workspace select prod` to switch to the Terraform CLI workspace `prod` within the current configuration. However, remote Terraform operations such as `plan` and `apply` for that Terraform CLI workspace will take place in the Terraform Cloud workspace `networking-prod`.
Because of this, the [`terraform.workspace`](/language/state/workspaces#current-workspace-interpolation) interpolation expression produces different results depending on whether a remote workspace is configured to perform operations locally or remotely. For example, in a remote workspace called `networking-prod` created with `prefix = "networking-"` the expression produces the following:
- For local operations, `terraform.workspace` = `prod`
- For remote operations, `terraform.workspace`= `networking-prod`
Prior to Terraform version 1.1.0, Terraform Cloud workspaces used only the single `default` Terraform CLI workspace internally. So if a Terraform configuration used `terraform.workspace` to return `dev` or `prod`, remote runs in Terraform Cloud would always evaluate it as `default`, regardless of
which workspace you set with the `terraform workspace select` command. Therefore, we do not recommend using `terraform.workspace` in Terraform configurations that use Terraform 1.0.x or earlier and run remote operations against Terraform Cloud workspaces.
### Determining Run Environment
If you need to determine whether a run is local or remote in your Terraform configuration, we recommend using [Terraform Cloud run environment variables](/cloud-docs/run/run-environment#environment-variables). The example below uses `TFC_RUN_ID`.
```
output "current_workspace_name" {
value = terraform.workspace
}
variable "TFC_RUN_ID" {
type = string
default = ""
}
output "remote_execution_determine" {
value = "Remote run environment? %{if var.TFC_RUN_ID != ""}Yes%{else}No this is local%{endif}!"
}
```
## Example Configurations
-> **Note:** We recommend omitting the token from the configuration, and instead using
[`terraform login`](/cli/commands/login) or manually configuring
`credentials` in the [CLI config file](/cli/config/config-file#credentials).
### Basic Configuration
```hcl
# Using a single workspace:
terraform {
backend "remote" {
hostname = "app.terraform.io"
organization = "company"
workspaces {
name = "my-app-prod"
}
}
}
# Using multiple workspaces:
terraform {
backend "remote" {
hostname = "app.terraform.io"
organization = "company"
workspaces {
prefix = "my-app-"
}
}
}
```
### Using CLI Input
```hcl
# main.tf
terraform {
required_version = "~> 0.12.0"
backend "remote" {}
}
```
Backend configuration file:
```hcl
# config.remote.tfbackend
workspaces { name = "workspace" }
hostname = "app.terraform.io"
organization = "company"
```
Running `terraform init` with the backend file:
```sh
terraform init -backend-config=config.remote.tfbackend
```
### Data Source Configuration
```hcl
data "terraform_remote_state" "foo" {
backend = "remote"
config = {
organization = "company"
workspaces = {
name = "workspace"
}
}
}
```
## Configuration variables
The following configuration options are supported:
- `hostname` - (Optional) The remote backend hostname to connect to. Defaults
to app.terraform.io.
- `organization` - (Required) The name of the organization containing the
targeted workspace(s).
- `token` - (Optional) The token used to authenticate with the remote backend.
We recommend omitting the token from the configuration, and instead using
[`terraform login`](/cli/commands/login) or manually configuring
`credentials` in the
[CLI config file](/cli/config/config-file#credentials).
- `workspaces` - (Required) A block specifying which remote workspace(s) to use.
The `workspaces` block supports the following keys:
- `name` - (Optional) The full name of one remote workspace. When configured,
only the default workspace can be used. This option conflicts with `prefix`.
- `prefix` - (Optional) A prefix used in the names of one or more remote
workspaces, all of which can be used with this configuration. The full
workspace names are used in Terraform Cloud, and the short names
(minus the prefix) are used on the command line for Terraform CLI workspaces.
If omitted, only the default workspace can be used. This option conflicts with `name`.
-> **Note:** You must use the `name` key when configuring a `terraform_remote_state`
data source that retrieves state from another Terraform Cloud workspace. The `prefix` key is only
intended for use when configuring an instance of the remote backend.
## Command Line Arguments
For configurations that include a `backend "remote"` block, commands that
make local modifications to Terraform state and then push them back up to
the remote workspace accept the following option to modify that behavior:
- `-ignore-remote-version` - Override checking that the local and remote
Terraform versions agree, making an operation proceed even when there is
a mismatch.
Normally state-modification operations require using a local version of
Terraform CLI which is compatible with the Terraform version selected
for the remote workspace as part of its settings. This is to avoid the
local operation creating a new state snapshot which the workspace's
remote execution environment would then be unable to decode.
Overriding this check can result in a Terraform Cloud workspace that is
no longer able to complete remote operations, so we recommend against
using this option.
## Excluding Files from Upload with .terraformignore
-> **Version note:** `.terraformignore` support was added in Terraform 0.12.11.
When executing a remote `plan` or `apply` in a [CLI-driven run](/cloud-docs/run/cli),
an archive of your configuration directory is uploaded to Terraform Cloud. You can define
paths to ignore from upload via a `.terraformignore` file at the root of your configuration directory. If this file is not present, the archive will exclude the following by default:
- `.git/` directories
- `.terraform/` directories (exclusive of `.terraform/modules`)
The `.terraformignore` file can include rules as one would include in a
[`.gitignore` file](https://git-scm.com/book/en/v2/Git-Basics-Recording-Changes-to-the-Repository#_ignoring)
- Comments (starting with `#`) or blank lines are ignored
- End a pattern with a forward slash `/` to specify a directory
- Negate a pattern by starting it with an exclamation point `!`
Note that unlike `.gitignore`, only the `.terraformignore` at the root of the configuration
directory is considered.