github.com/jaredpalmer/terraform@v1.1.0-alpha20210908.0.20210911170307-88705c943a03/website/docs/language/settings/backends/azurerm.html.md

---
layout: "language"
page_title: "Backend Type: azurerm"
sidebar_current: "docs-backends-types-standard-azurerm"
description: |-
  Terraform can store state remotely in Azure Blob Storage.

---

# azurerm

**Kind: Standard (with state locking)**

Stores the state as a Blob with the given Key within the Blob Container within [the Blob Storage Account](https://docs.microsoft.com/en-us/azure/storage/common/storage-introduction). This backend also supports state locking and consistency checking via native capabilities of Azure Blob Storage.

## Example Configuration

When authenticating using the Azure CLI or a Service Principal (either with a Client Certificate or a Client Secret):

```hcl
terraform {
  backend "azurerm" {
    resource_group_name  = "StorageAccount-ResourceGroup"
    storage_account_name = "abcd1234"
    container_name       = "tfstate"
    key                  = "prod.terraform.tfstate"
  }
}
```

---

When authenticating using Managed Service Identity (MSI):

```hcl
terraform {
  backend "azurerm" {
    resource_group_name  = "StorageAccount-ResourceGroup"
    storage_account_name = "abcd1234"
    container_name       = "tfstate"
    key                  = "prod.terraform.tfstate"
    use_msi              = true
    subscription_id      = "00000000-0000-0000-0000-000000000000"
    tenant_id            = "00000000-0000-0000-0000-000000000000"
  }
}
```

---

When authenticating using Azure AD Authentication:

```hcl
terraform {
  backend "azurerm" {
    storage_account_name = "abcd1234"
    container_name       = "tfstate"
    key                  = "prod.terraform.tfstate"
    use_azuread_auth     = true
    subscription_id      = "00000000-0000-0000-0000-000000000000"
    tenant_id            = "00000000-0000-0000-0000-000000000000"
  }
}
```

-> **Note:** When using AzureAD for Authentication to Storage you also need to ensure the `Storage Blob Data Owner` role is assigned.

---

When authenticating using the Access Key associated with the Storage Account:

```hcl
terraform {
  backend "azurerm" {
    storage_account_name = "abcd1234"
    container_name       = "tfstate"
    key                  = "prod.terraform.tfstate"

    # rather than defining this inline, the Access Key can also be sourced
    # from an Environment Variable - more information is available below.
    access_key = "abcdefghijklmnopqrstuvwxyz0123456789..."
  }
}
```

---

When authenticating using a SAS Token associated with the Storage Account:

```hcl
terraform {
  backend "azurerm" {
    storage_account_name = "abcd1234"
    container_name       = "tfstate"
    key                  = "prod.terraform.tfstate"

    # rather than defining this inline, the SAS Token can also be sourced
    # from an Environment Variable - more information is available below.
    sas_token = "abcdefghijklmnopqrstuvwxyz0123456789..."
  }
}
```

-> **NOTE:** When using a Service Principal or an Access Key - we recommend using a [Partial Configuration](/docs/language/settings/backends/configuration.html#partial-configuration) for the credentials.

## Data Source Configuration

When authenticating using a Service Principal (either with a Client Certificate or a Client Secret):

```hcl
data "terraform_remote_state" "foo" {
  backend = "azurerm"
  config = {
    storage_account_name = "terraform123abc"
    container_name       = "terraform-state"
    key                  = "prod.terraform.tfstate"
  }
}
```

---

When authenticating using Managed Service Identity (MSI):

```hcl
data "terraform_remote_state" "foo" {
  backend = "azurerm"
  config = {
    resource_group_name  = "StorageAccount-ResourceGroup"
    storage_account_name = "terraform123abc"
    container_name       = "terraform-state"
    key                  = "prod.terraform.tfstate"
    use_msi              = true
    subscription_id      = "00000000-0000-0000-0000-000000000000"
    tenant_id            = "00000000-0000-0000-0000-000000000000"
  }
}
```

---

When authenticating using AzureAD Authentication:

```hcl
data "terraform_remote_state" "foo" {
  backend = "azurerm"
  config = {
    storage_account_name = "terraform123abc"
    container_name       = "terraform-state"
    key                  = "prod.terraform.tfstate"
    use_azuread_auth     = true
    subscription_id      = "00000000-0000-0000-0000-000000000000"
    tenant_id            = "00000000-0000-0000-0000-000000000000"
  }
}
```

-> **Note:** When using AzureAD for Authentication to Storage you also need to ensure the `Storage Blob Data Owner` role is assigned.

---

When authenticating using the Access Key associated with the Storage Account:

```hcl
data "terraform_remote_state" "foo" {
  backend = "azurerm"
  config = {
    storage_account_name = "terraform123abc"
    container_name       = "terraform-state"
    key                  = "prod.terraform.tfstate"

    # rather than defining this inline, the Access Key can also be sourced
    # from an Environment Variable - more information is available below.
    access_key = "abcdefghijklmnopqrstuvwxyz0123456789..."
  }
}
```

---

When authenticating using a SAS Token associated with the Storage Account:

```hcl
data "terraform_remote_state" "foo" {
  backend = "azurerm"
  config = {
    storage_account_name = "terraform123abc"
    container_name       = "terraform-state"
    key                  = "prod.terraform.tfstate"

    # rather than defining this inline, the SAS Token can also be sourced
    # from an Environment Variable - more information is available below.
    sas_token = "abcdefghijklmnopqrstuvwxyz0123456789..."
  }
}
```

## Configuration variables

The following configuration options are supported:

* `storage_account_name` - (Required) The Name of [the Storage Account](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/storage_account).

* `container_name` - (Required) The Name of [the Storage Container](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/storage_container) within the Storage Account.

* `key` - (Required) The name of the Blob used to retrieve/store Terraform's State file inside the Storage Container.

* `environment` - (Optional) The Azure Environment which should be used. This can also be sourced from the `ARM_ENVIRONMENT` environment variable. Possible values are `public`, `china`, `german`, `stack` and `usgovernment`. Defaults to `public`.

* `endpoint` - (Optional) The Custom Endpoint for Azure Resource Manager. This can also be sourced from the `ARM_ENDPOINT` environment variable.

~> **NOTE:** An `endpoint` should only be configured when using Azure Stack.

* `snapshot` - (Optional) Should the Blob used to store the Terraform Statefile be snapshotted before use? Defaults to `false`. This value can also be sourced from the `ARM_SNAPSHOT` environment variable.

---

When authenticating using the Managed Service Identity (MSI) - the following fields are also supported:

* `resource_group_name` - (Required) The Name of the Resource Group in which the Storage Account exists.

* `subscription_id` - (Optional) The Subscription ID in which the Storage Account exists. This can also be sourced from the `ARM_SUBSCRIPTION_ID` environment variable.

* `tenant_id` - (Optional) The Tenant ID in which the Subscription exists. This can also be sourced from the `ARM_TENANT_ID` environment variable.

* `msi_endpoint` - (Optional) The path to a custom Managed Service Identity endpoint which is automatically determined if not specified. This can also be sourced from the `ARM_MSI_ENDPOINT` environment variable.

* `use_msi` - (Optional) Should Managed Service Identity authentication be used? This can also be sourced from the `ARM_USE_MSI` environment variable.

---

When authenticating using a SAS Token associated with the Storage Account - the following fields are also supported:

* `sas_token` - (Optional) The SAS Token used to access the Blob Storage Account. This can also be sourced from the `ARM_SAS_TOKEN` environment variable.

---

When authenticating using the Storage Account's Access Key - the following fields are also supported:

* `access_key` - (Optional) The Access Key used to access the Blob Storage Account. This can also be sourced from the `ARM_ACCESS_KEY` environment variable.

---

When authenticating using AzureAD Authentication - the following fields are also supported:

* `use_azuread_auth` - (Optional) Should AzureAD Authentication be used to access the Blob Storage Account. This can also be sourced from the `ARM_USE_AZUREAD` environment variable.

-> **Note:** When using AzureAD for Authentication to Storage you also need to ensure the `Storage Blob Data Owner` role is assigned.

---

When authenticating using a Service Principal with a Client Certificate - the following fields are also supported:

* `resource_group_name` - (Required) The Name of the Resource Group in which the Storage Account exists.

* `client_id` - (Optional) The Client ID of the Service Principal. This can also be sourced from the `ARM_CLIENT_ID` environment variable.

* `client_certificate_password` - (Optional) The password associated with the Client Certificate specified in `client_certificate_path`. This can also be sourced from the `ARM_CLIENT_CERTIFICATE_PASSWORD` environment variable.

* `client_certificate_path` - (Optional) The path to the PFX file used as the Client Certificate when authenticating as a Service Principal. This can also be sourced from the `ARM_CLIENT_CERTIFICATE_PATH` environment variable.

* `subscription_id` - (Optional) The Subscription ID in which the Storage Account exists. This can also be sourced from the `ARM_SUBSCRIPTION_ID` environment variable.

* `tenant_id` - (Optional) The Tenant ID in which the Subscription exists. This can also be sourced from the `ARM_TENANT_ID` environment variable.

---

When authenticating using a Service Principal with a Client Secret - the following fields are also supported:

* `resource_group_name` - (Required) The Name of the Resource Group in which the Storage Account exists.

* `client_id` - (Optional) The Client ID of the Service Principal. This can also be sourced from the `ARM_CLIENT_ID` environment variable.

* `client_secret` - (Optional) The Client Secret of the Service Principal. This can also be sourced from the `ARM_CLIENT_SECRET` environment variable.

* `subscription_id` - (Optional) The Subscription ID in which the Storage Account exists. This can also be sourced from the `ARM_SUBSCRIPTION_ID` environment variable.

* `tenant_id` - (Optional) The Tenant ID in which the Subscription exists. This can also be sourced from the `ARM_TENANT_ID` environment variable.
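
The Partial Configuration note and the environment variables listed above both exist to keep credentials out of committed `.tf` files. The check below is an added example, not part of the Terraform documentation or code base: it flags `access_key`, `sas_token`, `client_secret` and `client_certificate_password` written as string literals in `azurerm` backend blocks and `terraform_remote_state` data sources. The function names and sample text are constructed for illustration, and simple brace matching stands in for a real HCL parser.

```python
import re

# Credential arguments on this page, mapped to the environment variable that can supply each.
SECRET_ARGS = {
    "access_key": "ARM_ACCESS_KEY",
    "sas_token": "ARM_SAS_TOKEN",
    "client_secret": "ARM_CLIENT_SECRET",
    "client_certificate_password": "ARM_CLIENT_CERTIFICATE_PASSWORD",
}
BLOCK_START = re.compile(r'(backend\s+"azurerm"|data\s+"terraform_remote_state"\s+"[^"]+")\s*\{')
ASSIGN = re.compile(r'^\s*(\w+)\s*=\s*"([^"]+)"')  # literal, non-empty string values only

def block_body(text, open_idx):
    """Text between the '{' at open_idx and its matching '}' (braces in strings not handled)."""
    depth = 0
    for i in range(open_idx, len(text)):
        depth += {"{": 1, "}": -1}.get(text[i], 0)
        if depth == 0:
            return text[open_idx + 1:i]
    return text[open_idx + 1:]

def find_inline_secrets(text):
    """Yield (line_number, argument, env_var) for credentials written as string literals."""
    for m in BLOCK_START.finditer(text):
        body = block_body(text, m.end() - 1)
        if m.group(1).startswith("data") and not re.search(r'backend\s*=\s*"azurerm"', body):
            continue  # remote state read from a different backend
        first_line = text.count("\n", 0, m.end()) + 1
        for offset, line in enumerate(body.split("\n")):
            a = ASSIGN.match(line)  # comment lines (# or //) never match
            if a and a.group(1) in SECRET_ARGS:
                yield first_line + offset, a.group(1), SECRET_ARGS[a.group(1)]

# Constructed sample: a backend with an inline key, a data source that uses a variable.
SAMPLE = '''terraform {
  backend "azurerm" {
    access_key = "constructed-not-a-real-key"
  }
}
data "terraform_remote_state" "foo" {
  backend = "azurerm"
  config = {
    sas_token = var.state_sas_token
  }
}
'''

if __name__ == "__main__":
    print([f"line {n}: {arg} -> {env}" for n, arg, env in find_inline_secrets(SAMPLE)])
```

Run over a repository's `.tf` files in CI, a non-empty result means a credential should move to the named environment variable or to a partial configuration supplied at `terraform init` time.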