Backend Type: azurerm

Stores the state as a Blob with the given Key within the Blob Container within the Blob Storage Account.

This backend supports state locking and consistency checking with Azure Blob Storage native capabilities.

Example Configuration​

When authenticating using the Azure CLI or a Service Principal (either with a Client Certificate or a Client Secret):

terraform {
  backend "azurerm" {
    resource_group_name  = "StorageAccount-ResourceGroup"
    storage_account_name = "abcd1234"
    container_name       = "tfstate"
    key                  = "prod.terraform.tfstate"
  }
}

When authenticating using Managed Service Identity (MSI):

terraform {
  backend "azurerm" {
    resource_group_name  = "StorageAccount-ResourceGroup"
    storage_account_name = "abcd1234"
    container_name       = "tfstate"
    key                  = "prod.terraform.tfstate"
    use_msi              = true
    subscription_id      = "00000000-0000-0000-0000-000000000000"
    tenant_id            = "00000000-0000-0000-0000-000000000000"
  }
}

When authenticating using OpenID Connect (OIDC):

terraform {
  backend "azurerm" {
    resource_group_name  = "StorageAccount-ResourceGroup"
    storage_account_name = "abcd1234"
    container_name       = "tfstate"
    key                  = "prod.terraform.tfstate"
    use_oidc             = true
    subscription_id      = "00000000-0000-0000-0000-000000000000"
    tenant_id            = "00000000-0000-0000-0000-000000000000"
  }
}

When authenticating using Azure AD Authentication:

terraform {
  backend "azurerm" {
    storage_account_name = "abcd1234"
    container_name       = "tfstate"
    key                  = "prod.terraform.tfstate"
    use_azuread_auth     = true
    subscription_id      = "00000000-0000-0000-0000-000000000000"
    tenant_id            = "00000000-0000-0000-0000-000000000000"
  }
}

When authenticating using the Access Key associated with the Storage Account:

terraform {
  backend "azurerm" {
    storage_account_name = "abcd1234"
    container_name       = "tfstate"
    key                  = "prod.terraform.tfstate"

    # rather than defining this inline, the Access Key can also be sourced
    # from an Environment Variable - more information is available below.
    access_key = "abcdefghijklmnopqrstuvwxyz0123456789..."
  }
}

When authenticating using a SAS Token associated with the Storage Account:

terraform {
  backend "azurerm" {
    storage_account_name = "abcd1234"
    container_name       = "tfstate"
    key                  = "prod.terraform.tfstate"

    # rather than defining this inline, the SAS Token can also be sourced
    # from an Environment Variable - more information is available below.
    sas_token = "abcdefghijklmnopqrstuvwxyz0123456789..."
  }
}

Data Source Configuration​

When authenticating using a Service Principal (either with a Client Certificate or a Client Secret):

data "terraform_remote_state" "foo" {
  backend = "azurerm"
  config = {
    storage_account_name = "tofu123abc"
    container_name       = "tofu-state"
    key                  = "prod.terraform.tfstate"
  }
}

When authenticating using Managed Service Identity (MSI):

data "terraform_remote_state" "foo" {
  backend = "azurerm"
  config = {
    resource_group_name  = "StorageAccount-ResourceGroup"
    storage_account_name = "tofu123abc"
    container_name       = "tofu-state"
    key                  = "prod.terraform.tfstate"
    use_msi              = true
    subscription_id      = "00000000-0000-0000-0000-000000000000"
    tenant_id            = "00000000-0000-0000-0000-000000000000"
  }
}

When authenticating using OpenID Connect (OIDC):

data "terraform_remote_state" "foo" {
  backend = "azurerm"
  config = {
    resource_group_name  = "StorageAccount-ResourceGroup"
    storage_account_name = "tofu123abc"
    container_name       = "tofu-state"
    key                  = "prod.terraform.tfstate"
    use_oidc             = true
    subscription_id      = "00000000-0000-0000-0000-000000000000"
    tenant_id            = "00000000-0000-0000-0000-000000000000"
  }
}

When authenticating using AzureAD Authentication:

data "terraform_remote_state" "foo" {
  backend = "azurerm"
  config = {
    storage_account_name = "tofu123abc"
    container_name       = "tofu-state"
    key                  = "prod.terraform.tfstate"
    use_azuread_auth     = true
    subscription_id      = "00000000-0000-0000-0000-000000000000"
    tenant_id            = "00000000-0000-0000-0000-000000000000"
  }
}

When authenticating using the Access Key associated with the Storage Account:

data "terraform_remote_state" "foo" {
  backend = "azurerm"
  config = {
    storage_account_name = "tofu123abc"
    container_name       = "tofu-state"
    key                  = "prod.terraform.tfstate"

    # rather than defining this inline, the Access Key can also be sourced
    # from an Environment Variable - more information is available below.
    access_key = "abcdefghijklmnopqrstuvwxyz0123456789..."
  }
}

When authenticating using a SAS Token associated with the Storage Account:

data "terraform_remote_state" "foo" {
  backend = "azurerm"
  config = {
    storage_account_name = "tofu123abc"
    container_name       = "tofu-state"
    key                  = "prod.terraform.tfstate"

    # rather than defining this inline, the SAS Token can also be sourced
    # from an Environment Variable - more information is available below.
    sas_token = "abcdefghijklmnopqrstuvwxyz0123456789..."
  }
}

Configuration Variables​

The following configuration options are supported:

• storage_account_name - (Required) The Name of the Storage Account.

• container_name - (Required) The Name of the Storage Container within the Storage Account.

• key - (Required) The name of the Blob used to retrieve/store OpenTofu's State file inside the Storage Container.

• environment - (Optional) The Azure Environment which should be used. This can also be sourced from the ARM_ENVIRONMENT environment variable. Possible values are public, china, german, stack and usgovernment. Defaults to public.

• endpoint - (Optional) The Custom Endpoint for Azure Resource Manager. This can also be sourced from the ARM_ENDPOINT environment variable.

  Note

  An endpoint should only be configured when using Azure Stack.

• metadata_host - (Optional) The Hostname of the Azure Metadata Service (for example management.azure.com), used to obtain the Cloud Environment when using a Custom Azure Environment. This can also be sourced from the ARM_METADATA_HOSTNAME Environment Variable.

• snapshot - (Optional) Should the Blob used to store the OpenTofu Statefile be snapshotted before use? Defaults to false. This value can also be sourced from the ARM_SNAPSHOT environment variable.

When authenticating using the Managed Service Identity (MSI) - the following fields are also supported:

• resource_group_name - (Required) The Name of the Resource Group in which the Storage Account exists.

• msi_endpoint - (Optional) The path to a custom Managed Service Identity endpoint which is automatically determined if not specified. This can also be sourced from the ARM_MSI_ENDPOINT environment variable.

• subscription_id - (Optional) The Subscription ID in which the Storage Account exists. This can also be sourced from the ARM_SUBSCRIPTION_ID environment variable.

• tenant_id - (Optional) The Tenant ID in which the Subscription exists. This can also be sourced from the ARM_TENANT_ID environment variable.

• use_msi - (Optional) Should Managed Service Identity authentication be used? This can also be sourced from the ARM_USE_MSI environment variable.

When authenticating using a Service Principal with OpenID Connect (OIDC) - the following fields are also supported:

• oidc_request_url - (Optional) The URL for the OIDC provider from which to request an ID token. This can also be sourced from the ARM_OIDC_REQUEST_URL or ACTIONS_ID_TOKEN_REQUEST_URL environment variables.

• oidc_request_token - (Optional) The bearer token for the request to the OIDC provider. This can also be sourced from the ARM_OIDC_REQUEST_TOKEN or ACTIONS_ID_TOKEN_REQUEST_TOKEN environment variables.

• oidc_token - (Optional) The ID token when authenticating using OpenID Connect (OIDC). This can also be sourced from the ARM_OIDC_TOKEN environment variable.

• oidc_token_file_path - (Optional) The path to a file containing an ID token when authenticating using OpenID Connect (OIDC). This can also be sourced from the ARM_OIDC_TOKEN_FILE_PATH environment variable.

• use_oidc - (Optional) Should OIDC authentication be used? This can also be sourced from the ARM_USE_OIDC environment variable.

When authenticating using a SAS Token associated with the Storage Account - the following fields are also supported:

• sas_token - (Optional) The SAS Token used to access the Blob Storage Account. This can also be sourced from the ARM_SAS_TOKEN environment variable.

When authenticating using the Storage Account's Access Key - the following fields are also supported:

• access_key - (Optional) The Access Key used to access the Blob Storage Account. This can also be sourced from the ARM_ACCESS_KEY environment variable.

When authenticating using AzureAD Authentication - the following fields are also supported:

• use_azuread_auth - (Optional) Should AzureAD Authentication be used to access the Blob Storage Account. This can also be sourced from the ARM_USE_AZUREAD environment variable.

  Note

  When using AzureAD for Authentication to Storage you also need to ensure the Storage Blob Data Owner role is assigned.

When authenticating using a Service Principal with a Client Certificate - the following fields are also supported:

• resource_group_name - (Required) The Name of the Resource Group in which the Storage Account exists.

• client_id - (Optional) The Client ID of the Service Principal. This can also be sourced from the ARM_CLIENT_ID environment variable.

• client_certificate_password - (Optional) The password associated with the Client Certificate specified in client_certificate_path. This can also be sourced from the ARM_CLIENT_CERTIFICATE_PASSWORD environment variable.

• client_certificate_path - (Optional) The path to the PFX file used as the Client Certificate when authenticating as a Service Principal. This can also be sourced from the ARM_CLIENT_CERTIFICATE_PATH environment variable.

• subscription_id - (Optional) The Subscription ID in which the Storage Account exists. This can also be sourced from the ARM_SUBSCRIPTION_ID environment variable.

• tenant_id - (Optional) The Tenant ID in which the Subscription exists. This can also be sourced from the ARM_TENANT_ID environment variable.

When authenticating using a Service Principal with a Client Secret - the following fields are also supported:

• resource_group_name - (Required) The Name of the Resource Group in which the Storage Account exists.

• client_id - (Optional) The Client ID of the Service Principal. This can also be sourced from the ARM_CLIENT_ID environment variable.

• client_secret - (Optional) The Client Secret of the Service Principal. This can also be sourced from the ARM_CLIENT_SECRET environment variable.

• subscription_id - (Optional) The Subscription ID in which the Storage Account exists. This can also be sourced from the ARM_SUBSCRIPTION_ID environment variable.

• tenant_id - (Optional) The Tenant ID in which the Subscription exists. This can also be sourced from the ARM_TENANT_ID environment variable.