github.com/iaas-resource-provision/iaas-rpc@v1.0.7-0.20211021023331-ed21f798c408/website/docs/language/settings/backends/azurerm.html.md

---
layout: "language"
page_title: "Backend Type: azurerm"
sidebar_current: "docs-backends-types-standard-azurerm"
description: |-
  Terraform can store state remotely in Azure Blob Storage.

---

# azurerm

**Kind: Standard (with state locking)**

Stores the state as a Blob with the given Key within the Blob Container within [the Blob Storage Account](https://docs.microsoft.com/en-us/azure/storage/common/storage-introduction). This backend also supports state locking and consistency checking via native capabilities of Azure Blob Storage.

## Example Configuration

When authenticating using the Azure CLI or a Service Principal (either with a Client Certificate or a Client Secret):

```hcl
terraform {
  backend "azurerm" {
    resource_group_name  = "StorageAccount-ResourceGroup"
    storage_account_name = "abcd1234"
    container_name       = "tfstate"
    key                  = "prod.resource_state.json"
  }
}
```

---

When authenticating using Managed Service Identity (MSI):

```hcl
terraform {
  backend "azurerm" {
    storage_account_name = "abcd1234"
    container_name       = "tfstate"
    key                  = "prod.resource_state.json"
    use_msi              = true
    subscription_id      = "00000000-0000-0000-0000-000000000000"
    tenant_id            = "00000000-0000-0000-0000-000000000000"
  }
}
```

---

When authenticating using Azure AD Authentication:

```hcl
terraform {
  backend "azurerm" {
    storage_account_name = "abcd1234"
    container_name       = "tfstate"
    key                  = "prod.resource_state.json"
    use_azuread_auth     = true
    subscription_id      = "00000000-0000-0000-0000-000000000000"
    tenant_id            = "00000000-0000-0000-0000-000000000000"
  }
}
```

-> **Note:** When using AzureAD for Authentication to Storage you also need to ensure the `Storage Blob Data Owner` role is assigned.

---

When authenticating using the Access Key associated with the Storage Account:

```hcl
terraform {
  backend "azurerm" {
    storage_account_name = "abcd1234"
    container_name       = "tfstate"
    key                  = "prod.resource_state.json"

    # rather than defining this inline, the Access Key can also be sourced
    # from an Environment Variable - more information is available below.
    access_key = "abcdefghijklmnopqrstuvwxyz0123456789..."
  }
}
```

---

When authenticating using a SAS Token associated with the Storage Account:

```hcl
terraform {
  backend "azurerm" {
    storage_account_name = "abcd1234"
    container_name       = "tfstate"
    key                  = "prod.resource_state.json"

    # rather than defining this inline, the SAS Token can also be sourced
    # from an Environment Variable - more information is available below.
    sas_token = "abcdefghijklmnopqrstuvwxyz0123456789..."
  }
}
```

-> **NOTE:** When using a Service Principal or an Access Key - we recommend using a [Partial Configuration](/docs/language/settings/backends/configuration.html#partial-configuration) for the credentials.
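
A partial configuration of the kind this note recommends, shown as an added example that is not part of the original documentation. The file name `backend.secrets.hcl` is hypothetical; the `ARM_*` environment variables are the ones listed under Configuration variables.

```hcl
# main.tf (committed to version control): non-secret settings only.
terraform {
  backend "azurerm" {
    resource_group_name  = "StorageAccount-ResourceGroup"
    storage_account_name = "abcd1234"
    container_name       = "tfstate"
    key                  = "prod.resource_state.json"

    # No access_key, sas_token or client_secret here. A credential written
    # in this block ends up in the repository and is also copied in plain
    # text to .terraform/terraform.tfstate by `terraform init`.
  }
}

# Supplying the credential at init time:
#
# Option 1 - environment variables read by the backend, set by the CI
# system or the operator's shell before running `terraform init`:
#   ARM_CLIENT_ID, ARM_CLIENT_SECRET, ARM_SUBSCRIPTION_ID, ARM_TENANT_ID
#   (or ARM_ACCESS_KEY / ARM_SAS_TOKEN for those authentication methods)
#
# Option 2 - a separate settings file that is excluded from version control
# (hypothetical name), containing only the remaining arguments, e.g.
#   client_id     = "<client-id>"
#   client_secret = "<client-secret>"
# and passed with:
#   terraform init -backend-config=backend.secrets.hcl
#
# Values passed with -backend-config are still saved to
# .terraform/terraform.tfstate, so that directory needs the same protection
# as the secrets file; environment variables avoid writing them to disk.
```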

## Data Source Configuration

When authenticating using a Service Principal (either with a Client Certificate or a Client Secret):

```hcl
data "terraform_remote_state" "foo" {
  backend = "azurerm"
  config = {
    resource_group_name  = "StorageAccount-ResourceGroup"
    storage_account_name = "terraform123abc"
    container_name       = "terraform-state"
    key                  = "prod.resource_state.json"
  }
}
```

---

When authenticating using Managed Service Identity (MSI):

```hcl
data "terraform_remote_state" "foo" {
  backend = "azurerm"
  config = {
    storage_account_name = "terraform123abc"
    container_name       = "terraform-state"
    key                  = "prod.resource_state.json"
    use_msi              = true
    subscription_id      = "00000000-0000-0000-0000-000000000000"
    tenant_id            = "00000000-0000-0000-0000-000000000000"
  }
}
```

---

When authenticating using AzureAD Authentication:

```hcl
data "terraform_remote_state" "foo" {
  backend = "azurerm"
  config = {
    storage_account_name = "terraform123abc"
    container_name       = "terraform-state"
    key                  = "prod.resource_state.json"
    use_azuread_auth     = true
    subscription_id      = "00000000-0000-0000-0000-000000000000"
    tenant_id            = "00000000-0000-0000-0000-000000000000"
  }
}
```

-> **Note:** When using AzureAD for Authentication to Storage you also need to ensure the `Storage Blob Data Owner` role is assigned.

---

When authenticating using the Access Key associated with the Storage Account:

```hcl
data "terraform_remote_state" "foo" {
  backend = "azurerm"
  config = {
    storage_account_name = "terraform123abc"
    container_name       = "terraform-state"
    key                  = "prod.resource_state.json"

    # rather than defining this inline, the Access Key can also be sourced
    # from an Environment Variable - more information is available below.
    access_key = "abcdefghijklmnopqrstuvwxyz0123456789..."
  }
}
```

---

When authenticating using a SAS Token associated with the Storage Account:

```hcl
data "terraform_remote_state" "foo" {
  backend = "azurerm"
  config = {
    storage_account_name = "terraform123abc"
    container_name       = "terraform-state"
    key                  = "prod.resource_state.json"

    # rather than defining this inline, the SAS Token can also be sourced
    # from an Environment Variable - more information is available below.
    sas_token = "abcdefghijklmnopqrstuvwxyz0123456789..."
  }
}
```

## Configuration variables

The following configuration options are supported:

* `storage_account_name` - (Required) The Name of [the Storage Account](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/storage_account).

* `container_name` - (Required) The Name of [the Storage Container](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/storage_container) within the Storage Account.

* `key` - (Required) The name of the Blob used to retrieve/store Terraform's State file inside the Storage Container.

* `environment` - (Optional) The Azure Environment which should be used. This can also be sourced from the `ARM_ENVIRONMENT` environment variable. Possible values are `public`, `china`, `german`, `stack` and `usgovernment`. Defaults to `public`.

* `endpoint` - (Optional) The Custom Endpoint for Azure Resource Manager. This can also be sourced from the `ARM_ENDPOINT` environment variable.

~> **NOTE:** An `endpoint` should only be configured when using Azure Stack.

* `snapshot` - (Optional) Should the Blob used to store the Terraform state file be snapshotted before use? Defaults to `false`. This value can also be sourced from the `ARM_SNAPSHOT` environment variable.

---

When authenticating using the Managed Service Identity (MSI) - the following fields are also supported:

* `subscription_id` - (Optional) The Subscription ID in which the Storage Account exists. This can also be sourced from the `ARM_SUBSCRIPTION_ID` environment variable.

* `tenant_id` - (Optional) The Tenant ID in which the Subscription exists. This can also be sourced from the `ARM_TENANT_ID` environment variable.

* `msi_endpoint` - (Optional) The path to a custom Managed Service Identity endpoint which is automatically determined if not specified. This can also be sourced from the `ARM_MSI_ENDPOINT` environment variable.

* `use_msi` - (Optional) Should Managed Service Identity authentication be used? This can also be sourced from the `ARM_USE_MSI` environment variable.

---

When authenticating using a SAS Token associated with the Storage Account - the following fields are also supported:

* `sas_token` - (Optional) The SAS Token used to access the Blob Storage Account. This can also be sourced from the `ARM_SAS_TOKEN` environment variable.

---

When authenticating using the Storage Account's Access Key - the following fields are also supported:

* `access_key` - (Optional) The Access Key used to access the Blob Storage Account. This can also be sourced from the `ARM_ACCESS_KEY` environment variable.

---

When authenticating using AzureAD Authentication - the following fields are also supported:

* `use_azuread_auth` - (Optional) Should AzureAD Authentication be used to access the Blob Storage Account? This can also be sourced from the `ARM_USE_AZUREAD` environment variable.

-> **Note:** When using AzureAD for Authentication to Storage you also need to ensure the `Storage Blob Data Owner` role is assigned.

---

When authenticating using a Service Principal with a Client Certificate - the following fields are also supported:

* `resource_group_name` - (Required) The Name of the Resource Group in which the Storage Account exists.

* `client_id` - (Optional) The Client ID of the Service Principal. This can also be sourced from the `ARM_CLIENT_ID` environment variable.

* `client_certificate_password` - (Optional) The password associated with the Client Certificate specified in `client_certificate_path`. This can also be sourced from the `ARM_CLIENT_CERTIFICATE_PASSWORD` environment variable.

* `client_certificate_path` - (Optional) The path to the PFX file used as the Client Certificate when authenticating as a Service Principal. This can also be sourced from the `ARM_CLIENT_CERTIFICATE_PATH` environment variable.

* `subscription_id` - (Optional) The Subscription ID in which the Storage Account exists. This can also be sourced from the `ARM_SUBSCRIPTION_ID` environment variable.

* `tenant_id` - (Optional) The Tenant ID in which the Subscription exists. This can also be sourced from the `ARM_TENANT_ID` environment variable.

---

When authenticating using a Service Principal with a Client Secret - the following fields are also supported:

* `resource_group_name` - (Required) The Name of the Resource Group in which the Storage Account exists.

* `client_id` - (Optional) The Client ID of the Service Principal. This can also be sourced from the `ARM_CLIENT_ID` environment variable.

* `client_secret` - (Optional) The Client Secret of the Service Principal. This can also be sourced from the `ARM_CLIENT_SECRET` environment variable.

* `subscription_id` - (Optional) The Subscription ID in which the Storage Account exists. This can also be sourced from the `ARM_SUBSCRIPTION_ID` environment variable.

* `tenant_id` - (Optional) The Tenant ID in which the Subscription exists. This can also be sourced from the `ARM_TENANT_ID` environment variable.