github.com/muratcelep/terraform@v1.1.0-beta2-not-internal-4/website/docs/language/settings/backends/azurerm.html.md

---
layout: "language"
page_title: "Backend Type: azurerm"
sidebar_current: "docs-backends-types-standard-azurerm"
description: |-
  Terraform can store state remotely in Azure Blob Storage.

---

# azurerm

**Kind: Standard (with state locking)**

Stores the state as a Blob with the given Key within the Blob Container within [the Blob Storage Account](https://docs.microsoft.com/en-us/azure/storage/common/storage-introduction). This backend also supports state locking and consistency checking via native capabilities of Azure Blob Storage.

-> **Note:** By default the Azure Backend uses ADAL for authentication which is deprecated in favour of MSAL - MSAL can be used by setting `use_microsoft_graph` to `true`. **The default for this will change in Terraform 1.2**, so that MSAL authentication is used by default.

## Example Configuration

When authenticating using the Azure CLI or a Service Principal (either with a Client Certificate or a Client Secret):

```hcl
terraform {
  backend "azurerm" {
    resource_group_name  = "StorageAccount-ResourceGroup"
    storage_account_name = "abcd1234"
    container_name       = "tfstate"
    key                  = "prod.terraform.tfstate"
  }
}
```

---

When authenticating using Managed Service Identity (MSI):

```hcl
terraform {
  backend "azurerm" {
    resource_group_name  = "StorageAccount-ResourceGroup"
    storage_account_name = "abcd1234"
    container_name       = "tfstate"
    key                  = "prod.terraform.tfstate"
    use_msi              = true
    subscription_id      = "00000000-0000-0000-0000-000000000000"
    tenant_id            = "00000000-0000-0000-0000-000000000000"
  }
}
```

---

When authenticating using Azure AD Authentication:

```hcl
terraform {
  backend "azurerm" {
    storage_account_name = "abcd1234"
    container_name       = "tfstate"
    key                  = "prod.terraform.tfstate"
    use_azuread_auth     = true
    subscription_id      = "00000000-0000-0000-0000-000000000000"
    tenant_id            = "00000000-0000-0000-0000-000000000000"
  }
}
```

-> **Note:** When using AzureAD for Authentication to Storage you also need to ensure the `Storage Blob Data Owner` role is assigned.

---

When authenticating using the Access Key associated with the Storage Account:

```hcl
terraform {
  backend "azurerm" {
    storage_account_name = "abcd1234"
    container_name       = "tfstate"
    key                  = "prod.terraform.tfstate"

    # rather than defining this inline, the Access Key can also be sourced
    # from an Environment Variable - more information is available below.
    access_key = "abcdefghijklmnopqrstuvwxyz0123456789..."
  }
}
```

---

When authenticating using a SAS Token associated with the Storage Account:

```hcl
terraform {
  backend "azurerm" {
    storage_account_name = "abcd1234"
    container_name       = "tfstate"
    key                  = "prod.terraform.tfstate"

    # rather than defining this inline, the SAS Token can also be sourced
    # from an Environment Variable - more information is available below.
    sas_token = "abcdefghijklmnopqrstuvwxyz0123456789..."
  }
}
```

-> **NOTE:** When using a Service Principal or an Access Key - we recommend using a [Partial Configuration](/docs/language/settings/backends/configuration.html#partial-configuration) for the credentials.

## Data Source Configuration

When authenticating using a Service Principal (either with a Client Certificate or a Client Secret):

```hcl
data "terraform_remote_state" "foo" {
  backend = "azurerm"
  config = {
    storage_account_name = "terraform123abc"
    container_name       = "terraform-state"
    key                  = "prod.terraform.tfstate"
  }
}
```

---

When authenticating using Managed Service Identity (MSI):

```hcl
data "terraform_remote_state" "foo" {
  backend = "azurerm"
  config = {
    resource_group_name  = "StorageAccount-ResourceGroup"
    storage_account_name = "terraform123abc"
    container_name       = "terraform-state"
    key                  = "prod.terraform.tfstate"
    use_msi              = true
    subscription_id      = "00000000-0000-0000-0000-000000000000"
    tenant_id            = "00000000-0000-0000-0000-000000000000"
  }
}
```

---

When authenticating using AzureAD Authentication:

```hcl
data "terraform_remote_state" "foo" {
  backend = "azurerm"
  config = {
    storage_account_name = "terraform123abc"
    container_name       = "terraform-state"
    key                  = "prod.terraform.tfstate"
    use_azuread_auth     = true
    subscription_id      = "00000000-0000-0000-0000-000000000000"
    tenant_id            = "00000000-0000-0000-0000-000000000000"
  }
}
```

-> **Note:** When using AzureAD for Authentication to Storage you also need to ensure the `Storage Blob Data Owner` role is assigned.

---

When authenticating using the Access Key associated with the Storage Account:

```hcl
data "terraform_remote_state" "foo" {
  backend = "azurerm"
  config = {
    storage_account_name = "terraform123abc"
    container_name       = "terraform-state"
    key                  = "prod.terraform.tfstate"

    # rather than defining this inline, the Access Key can also be sourced
    # from an Environment Variable - more information is available below.
    access_key = "abcdefghijklmnopqrstuvwxyz0123456789..."
  }
}
```

---

When authenticating using a SAS Token associated with the Storage Account:

```hcl
data "terraform_remote_state" "foo" {
  backend = "azurerm"
  config = {
    storage_account_name = "terraform123abc"
    container_name       = "terraform-state"
    key                  = "prod.terraform.tfstate"

    # rather than defining this inline, the SAS Token can also be sourced
    # from an Environment Variable - more information is available below.
    sas_token = "abcdefghijklmnopqrstuvwxyz0123456789..."
  }
}
```

## Configuration variables

The following configuration options are supported:

* `storage_account_name` - (Required) The Name of [the Storage Account](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/storage_account).

* `container_name` - (Required) The Name of [the Storage Container](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/storage_container) within the Storage Account.

* `key` - (Required) The name of the Blob used to retrieve/store Terraform's State file inside the Storage Container.

* `environment` - (Optional) The Azure Environment which should be used. This can also be sourced from the `ARM_ENVIRONMENT` environment variable. Possible values are `public`, `china`, `german`, `stack` and `usgovernment`. Defaults to `public`.

* `endpoint` - (Optional) The Custom Endpoint for Azure Resource Manager. This can also be sourced from the `ARM_ENDPOINT` environment variable.

~> **NOTE:** An `endpoint` should only be configured when using Azure Stack.

* `snapshot` - (Optional) Should the Blob used to store the Terraform Statefile be snapshotted before use? Defaults to `false`. This value can also be sourced from the `ARM_SNAPSHOT` environment variable.

---

When authenticating using the Managed Service Identity (MSI) - the following fields are also supported:

* `resource_group_name` - (Required) The Name of the Resource Group in which the Storage Account exists.

* `msi_endpoint` - (Optional) The path to a custom Managed Service Identity endpoint which is automatically determined if not specified. This can also be sourced from the `ARM_MSI_ENDPOINT` environment variable.

* `subscription_id` - (Optional) The Subscription ID in which the Storage Account exists. This can also be sourced from the `ARM_SUBSCRIPTION_ID` environment variable.

* `tenant_id` - (Optional) The Tenant ID in which the Subscription exists. This can also be sourced from the `ARM_TENANT_ID` environment variable.

* `use_microsoft_graph` - (Optional) Should MSAL be used for authentication instead of ADAL, and should Microsoft Graph be used instead of Azure Active Directory Graph? Defaults to `false`.

-> **Note:** By default the Azure Backend uses ADAL for authentication which is deprecated in favour of MSAL - MSAL can be used by setting `use_microsoft_graph` to `true`. **The default for this will change in Terraform 1.2**, so that MSAL authentication is used by default.

* `use_msi` - (Optional) Should Managed Service Identity authentication be used? This can also be sourced from the `ARM_USE_MSI` environment variable.

---

When authenticating using a SAS Token associated with the Storage Account - the following fields are also supported:

* `sas_token` - (Optional) The SAS Token used to access the Blob Storage Account. This can also be sourced from the `ARM_SAS_TOKEN` environment variable.

---

When authenticating using the Storage Account's Access Key - the following fields are also supported:

* `access_key` - (Optional) The Access Key used to access the Blob Storage Account. This can also be sourced from the `ARM_ACCESS_KEY` environment variable.

---

When authenticating using AzureAD Authentication - the following fields are also supported:

* `use_azuread_auth` - (Optional) Should AzureAD Authentication be used to access the Blob Storage Account? This can also be sourced from the `ARM_USE_AZUREAD` environment variable.

-> **Note:** When using AzureAD for Authentication to Storage you also need to ensure the `Storage Blob Data Owner` role is assigned.

* `use_microsoft_graph` - (Optional) Should MSAL be used for authentication instead of ADAL, and should Microsoft Graph be used instead of Azure Active Directory Graph? Defaults to `false`.

-> **Note:** By default the Azure Backend uses ADAL for authentication which is deprecated in favour of MSAL - MSAL can be used by setting `use_microsoft_graph` to `true`. **The default for this will change in Terraform 1.2**, so that MSAL authentication is used by default.

---

When authenticating using a Service Principal with a Client Certificate - the following fields are also supported:

* `resource_group_name` - (Required) The Name of the Resource Group in which the Storage Account exists.

* `client_id` - (Optional) The Client ID of the Service Principal. This can also be sourced from the `ARM_CLIENT_ID` environment variable.

* `client_certificate_password` - (Optional) The password associated with the Client Certificate specified in `client_certificate_path`. This can also be sourced from the `ARM_CLIENT_CERTIFICATE_PASSWORD` environment variable.

* `client_certificate_path` - (Optional) The path to the PFX file used as the Client Certificate when authenticating as a Service Principal. This can also be sourced from the `ARM_CLIENT_CERTIFICATE_PATH` environment variable.

* `subscription_id` - (Optional) The Subscription ID in which the Storage Account exists. This can also be sourced from the `ARM_SUBSCRIPTION_ID` environment variable.

* `tenant_id` - (Optional) The Tenant ID in which the Subscription exists. This can also be sourced from the `ARM_TENANT_ID` environment variable.

* `use_microsoft_graph` - (Optional) Should MSAL be used for authentication instead of ADAL, and should Microsoft Graph be used instead of Azure Active Directory Graph? Defaults to `false`.

-> **Note:** By default the Azure Backend uses ADAL for authentication which is deprecated in favour of MSAL - MSAL can be used by setting `use_microsoft_graph` to `true`. **The default for this will change in Terraform 1.2**, so that MSAL authentication is used by default.

---

When authenticating using a Service Principal with a Client Secret - the following fields are also supported:

* `resource_group_name` - (Required) The Name of the Resource Group in which the Storage Account exists.

* `client_id` - (Optional) The Client ID of the Service Principal. This can also be sourced from the `ARM_CLIENT_ID` environment variable.

* `client_secret` - (Optional) The Client Secret of the Service Principal. This can also be sourced from the `ARM_CLIENT_SECRET` environment variable.

* `subscription_id` - (Optional) The Subscription ID in which the Storage Account exists. This can also be sourced from the `ARM_SUBSCRIPTION_ID` environment variable.

* `tenant_id` - (Optional) The Tenant ID in which the Subscription exists. This can also be sourced from the `ARM_TENANT_ID` environment variable.

* `use_microsoft_graph` - (Optional) Should MSAL be used for authentication instead of ADAL, and should Microsoft Graph be used instead of Azure Active Directory Graph? Defaults to `false`.

-> **Note:** By default the Azure Backend uses ADAL for authentication which is deprecated in favour of MSAL - MSAL can be used by setting `use_microsoft_graph` to `true`. **The default for this will change in Terraform 1.2**, so that MSAL authentication is used by default.
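
The Partial Configuration recommendation under Example Configuration and the environment-variable alternatives listed for `access_key`, `sas_token`, `client_secret` and `client_certificate_password` can be enforced with a pre-commit or CI check. The script below is an added example, not part of the Terraform documentation or code base; the function names `scan_inline_backend_credentials` and `write_sample` are hypothetical, the sample configuration is constructed, and the scan is line-based rather than a full HCL parse.

```shell
# Added example, not Terraform tooling. Attribute names are the credential
# fields documented on this page; the sample configuration is constructed.

# Print "file:line: attribute" for each credential attribute assigned a quoted
# literal inside a `backend "azurerm"` block or a `terraform_remote_state`
# data source. Returns 1 when at least one finding is printed.
scan_inline_backend_credentials() {
  awk '
    FNR == 1 { inside = 0; depth = 0 }   # reset state for each file
    /^[ \t]*(#|\/\/)/ { next }           # ignore whole-line comments
    !inside && (/^[ \t]*backend[ \t]+"azurerm"/ ||
                /^[ \t]*data[ \t]+"terraform_remote_state"/) { inside = 1 }
    inside {
      if ($0 ~ /^[ \t]*(access_key|sas_token|client_secret|client_certificate_password)[ \t]*=[ \t]*"/) {
        attr = $0; sub(/^[ \t]*/, "", attr); sub(/[ \t]*=.*/, "", attr)
        printf "%s:%d: %s\n", FILENAME, FNR, attr
        found = 1
      }
      # Follow brace nesting so scanning stops when the block closes.
      depth += gsub(/[{]/, "{") - gsub(/[}]/, "}")
      if (depth <= 0) inside = 0
    }
    END { exit (found ? 1 : 0) }
  ' "$@"
}

# Constructed sample: a partial backend block (clean) and a data source with
# an inline SAS token (one finding expected).
write_sample() {
  cat > "$1" <<'EOF'
terraform {
  backend "azurerm" {
    storage_account_name = "abcd1234"
    key                  = "prod.terraform.tfstate"
    # access_key = "commented out, so not reported"
  }
}
data "terraform_remote_state" "foo" {
  backend = "azurerm"
  config = {
    sas_token = "constructed-placeholder-value"
  }
}
EOF
}

sample=$(mktemp) && write_sample "$sample"
scan_inline_backend_credentials "$sample" || echo "inline credentials found"
rm -f "$sample"
```

A non-zero exit makes the function usable directly as a CI gate over `*.tf` files; values supplied through `ARM_ACCESS_KEY`, `ARM_SAS_TOKEN`, `ARM_CLIENT_SECRET` or `ARM_CLIENT_CERTIFICATE_PASSWORD` never appear in the scanned files.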