Skip to main content

Backend Type: http

Stores the state using a simple REST client.

State will be fetched via GET, updated via POST, and purged with DELETE. The method used for updating is configurable.

This backend optionally supports state locking. When locking support is enabled it will use LOCK and UNLOCK requests providing the lock info in the body. The endpoint should return a 423: Locked or 409: Conflict with the holding lock info when it's already taken, 200: OK for success. Any other status will be considered an error. The ID of the holding lock info will be added as a query parameter to state updates requests.

Example Usage

Code Block
terraform {
backend "http" {
address = "http://myrest.api.com/foo"
lock_address = "http://myrest.api.com/foo"
unlock_address = "http://myrest.api.com/foo"
}
}

Data Source Configuration

Code Block
data "terraform_remote_state" "foo" {
backend = "http"
config = {
address = "http://my.rest.api.com"
}
}

Configuration Variables

The following configuration options / environment variables are supported:

  • address / TF_HTTP_ADDRESS - (Required) The address of the REST endpoint
  • update_method / TF_HTTP_UPDATE_METHOD - (Optional) HTTP method to use when updating state. Defaults to POST.
  • lock_address / TF_HTTP_LOCK_ADDRESS - (Optional) The address of the lock REST endpoint. Defaults to disabled.
  • lock_method / TF_HTTP_LOCK_METHOD - (Optional) The HTTP method to use when locking. Defaults to LOCK.
  • unlock_address / TF_HTTP_UNLOCK_ADDRESS - (Optional) The address of the unlock REST endpoint. Defaults to disabled.
  • unlock_method / TF_HTTP_UNLOCK_METHOD - (Optional) The HTTP method to use when unlocking. Defaults to UNLOCK.
  • username / TF_HTTP_USERNAME - (Optional) The username for HTTP basic authentication
  • password / TF_HTTP_PASSWORD - (Optional) The password for HTTP basic authentication
  • headers - (Optional) Map of additional headers to be included in the HTTP requests sent to the backend. Defaults to [].
  • skip_cert_verification - (Optional) Whether to skip TLS verification. Defaults to false.
  • retry_max / TF_HTTP_RETRY_MAX – (Optional) The number of HTTP request retries. Defaults to 2.
  • retry_wait_min / TF_HTTP_RETRY_WAIT_MIN – (Optional) The minimum time in seconds to wait between HTTP request attempts. Defaults to 1.
  • retry_wait_max / TF_HTTP_RETRY_WAIT_MAX – (Optional) The maximum time in seconds to wait between HTTP request attempts. Defaults to 30.

For mTLS authentication, the following three options may be set:

  • client_certificate_pem / TF_HTTP_CLIENT_CERTIFICATE_PEM - (Optional) A PEM-encoded certificate used by the server to verify the client during mutual TLS (mTLS) authentication.
  • client_private_key_pem /TF_HTTP_CLIENT_PRIVATE_KEY_PEM - (Optional) A PEM-encoded private key, required if client_certificate_pem is specified.
  • client_ca_certificate_pem / TF_HTTP_CLIENT_CA_CERTIFICATE_PEM - (Optional) A PEM-encoded CA certificate chain used by the client to verify server certificates during TLS authentication.