github.com/muratcelep/terraform@v1.1.0-beta2-not-internal-4/website/docs/language/settings/backends/azurerm.html.md (about)

     1  ---
     2  layout: "language"
     3  page_title: "Backend Type: azurerm"
     4  sidebar_current: "docs-backends-types-standard-azurerm"
     5  description: |-
     6    Terraform can store state remotely in Azure Blob Storage.
     7  
     8  ---
     9  
    10  # azurerm
    11  
    12  **Kind: Standard (with state locking)**
    13  
    14  Stores the state as a Blob with the given Key within the Blob Container within [the Blob Storage Account](https://docs.microsoft.com/en-us/azure/storage/common/storage-introduction). This backend also supports state locking and consistency checking via native capabilities of Azure Blob Storage.
    15  
    16  -> **Note:** By default the Azure Backend uses ADAL for authentication which is deprecated in favour of MSAL - MSAL can be used by setting `use_microsoft_graph` to `true`. **The default for this will change in Terraform 1.2**, so that MSAL authentication is used by default. 
    17  
    18  ## Example Configuration
    19  
    20  When authenticating using the Azure CLI or a Service Principal (either with a Client Certificate or a Client Secret):
    21  
    22  ```hcl
    23  terraform {
    24    backend "azurerm" {
    25      resource_group_name  = "StorageAccount-ResourceGroup"
    26      storage_account_name = "abcd1234"
    27      container_name       = "tfstate"
    28      key                  = "prod.terraform.tfstate"
    29    }
    30  }
    31  ```
    32  
    33  ---
    34  
    35  When authenticating using Managed Service Identity (MSI):
    36  
    37  ```hcl
    38  terraform {
    39    backend "azurerm" {
    40      resource_group_name  = "StorageAccount-ResourceGroup"
    41      storage_account_name = "abcd1234"
    42      container_name       = "tfstate"
    43      key                  = "prod.terraform.tfstate"
    44      use_msi              = true
    45      subscription_id      = "00000000-0000-0000-0000-000000000000"
    46      tenant_id            = "00000000-0000-0000-0000-000000000000"
    47    }
    48  }
    49  ```
    50  
    51  ---
    52  
    53  When authenticating using Azure AD Authentication:
    54  
    55  ```hcl
    56  terraform {
    57    backend "azurerm" {
    58      storage_account_name = "abcd1234"
    59      container_name       = "tfstate"
    60      key                  = "prod.terraform.tfstate"
    61      use_azuread_auth     = true
    62      subscription_id      = "00000000-0000-0000-0000-000000000000"
    63      tenant_id            = "00000000-0000-0000-0000-000000000000"
    64    }
    65  }
    66  ```
    67  
    68  -> **Note:** When using AzureAD for Authentication to Storage you also need to ensure the `Storage Blob Data Owner` role is assigned.
    69  
    70  ---
    71  
    72  When authenticating using the Access Key associated with the Storage Account:
    73  
    74  ```hcl
    75  terraform {
    76    backend "azurerm" {
    77      storage_account_name = "abcd1234"
    78      container_name       = "tfstate"
    79      key                  = "prod.terraform.tfstate"
    80  
    81      # rather than defining this inline, the Access Key can also be sourced
    82      # from an Environment Variable - more information is available below.
    83      access_key = "abcdefghijklmnopqrstuvwxyz0123456789..."
    84    }
    85  }
    86  ```
    87  
    88  ---
    89  
    90  When authenticating using a SAS Token associated with the Storage Account:
    91  
    92  ```hcl
    93  terraform {
    94    backend "azurerm" {
    95      storage_account_name = "abcd1234"
    96      container_name       = "tfstate"
    97      key                  = "prod.terraform.tfstate"
    98  
    99      # rather than defining this inline, the SAS Token can also be sourced
   100      # from an Environment Variable - more information is available below.
   101      sas_token = "abcdefghijklmnopqrstuvwxyz0123456789..."
   102    }
   103  }
   104  ```
   105  
   106  -> **NOTE:** When using a Service Principal or an Access Key - we recommend using a [Partial Configuration](/docs/language/settings/backends/configuration.html#partial-configuration) for the credentials.
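
A pre-commit or CI check for the recommendation above, as an added example that is not part of the Terraform documentation: it reports any of this page's credential arguments (`access_key`, `sas_token`, `client_secret`, `client_certificate_password`) that are assigned a string literal in a `.tf` file. The function names and sample files are hypothetical and constructed for the illustration.

```shell
# Added example: report credential arguments from this page that are assigned
# a string literal in Terraform files. File names and contents are constructed.
# Prints "file:line: argument" per finding; returns 1 if anything was found.
find_inline_credentials() {
  awk '
    {
      line = $0
      sub(/^[ \t]+/, "", line)
      if (line ~ /^(#|\/\/)/) next                      # comment line
      if (line !~ /^(access_key|sas_token|client_secret|client_certificate_password)[ \t]*=[ \t]*"/) next
      name = line;  sub(/[ \t]*=.*/, "", name)
      value = line; sub(/^[^=]*=[ \t]*/, "", value)
      if (value ~ /^""/ || value ~ /^"[$][{]/) next     # empty or interpolated
      printf "%s:%d: %s\n", FILENAME, FNR, name
      found = 1
    }
    END { exit found ? 1 : 0 }
  ' "$@"
}

# Constructed samples: one backend with an inline key, one partial configuration.
write_samples() {
  cat > "$1/inline.tf" <<'EOF'
terraform {
  backend "azurerm" {
    storage_account_name = "abcd1234"
    container_name       = "tfstate"
    key                  = "prod.terraform.tfstate"
    access_key           = "CONSTRUCTED-PLACEHOLDER-KEY"
  }
}
EOF
  cat > "$1/partial.tf" <<'EOF'
terraform {
  backend "azurerm" {
    storage_account_name = "abcd1234"
    container_name       = "tfstate"
    key                  = "prod.terraform.tfstate"
    # access_key is supplied at init time through ARM_ACCESS_KEY
  }
}
EOF
}

tmp=$(mktemp -d)
write_samples "$tmp"
find_inline_credentials "$tmp"/*.tf || echo "inline credentials found (see above)"
rm -rf "$tmp"
```

The check is line-based, so it only catches arguments written on their own line with a quoted value; state files and `.tfvars` files need their own handling.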
   107  
   108  ## Data Source Configuration
   109  
   110  When authenticating using a Service Principal (either with a Client Certificate or a Client Secret):
   111  
   112  ```hcl
   113  data "terraform_remote_state" "foo" {
   114    backend = "azurerm"
   115    config = {
   116      storage_account_name = "terraform123abc"
   117      container_name       = "terraform-state"
   118      key                  = "prod.terraform.tfstate"
   119    }
   120  }
   121  ```
   122  
   123  ---
   124  
   125  When authenticating using Managed Service Identity (MSI):
   126  
   127  ```hcl
   128  data "terraform_remote_state" "foo" {
   129    backend = "azurerm"
   130    config = {
   131      resource_group_name  = "StorageAccount-ResourceGroup"
   132      storage_account_name = "terraform123abc"
   133      container_name       = "terraform-state"
   134      key                  = "prod.terraform.tfstate"
   135      use_msi              = true
   136      subscription_id      = "00000000-0000-0000-0000-000000000000"
   137      tenant_id            = "00000000-0000-0000-0000-000000000000"
   138    }
   139  }
   140  ```
   141  
   142  ---
   143  
   144  When authenticating using AzureAD Authentication:
   145  
   146  ```hcl
   147  data "terraform_remote_state" "foo" {
   148    backend = "azurerm"
   149    config = {
   150      storage_account_name = "terraform123abc"
   151      container_name       = "terraform-state"
   152      key                  = "prod.terraform.tfstate"
   153      use_azuread_auth     = true
   154      subscription_id      = "00000000-0000-0000-0000-000000000000"
   155      tenant_id            = "00000000-0000-0000-0000-000000000000"
   156    }
   157  }
   158  ```
   159  
   160  -> **Note:** When using AzureAD for Authentication to Storage you also need to ensure the `Storage Blob Data Owner` role is assigned.
   161  
   162  ---
   163  
   164  When authenticating using the Access Key associated with the Storage Account:
   165  
   166  ```hcl
   167  data "terraform_remote_state" "foo" {
   168    backend = "azurerm"
   169    config = {
   170      storage_account_name = "terraform123abc"
   171      container_name       = "terraform-state"
   172      key                  = "prod.terraform.tfstate"
   173  
   174      # rather than defining this inline, the Access Key can also be sourced
   175      # from an Environment Variable - more information is available below.
   176      access_key = "abcdefghijklmnopqrstuvwxyz0123456789..."
   177    }
   178  }
   179  ```
   180  
   181  ---
   182  
   183  When authenticating using a SAS Token associated with the Storage Account:
   184  
   185  ```hcl
   186  data "terraform_remote_state" "foo" {
   187    backend = "azurerm"
   188    config = {
   189      storage_account_name = "terraform123abc"
   190      container_name       = "terraform-state"
   191      key                  = "prod.terraform.tfstate"
   192  
   193      # rather than defining this inline, the SAS Token can also be sourced
   194      # from an Environment Variable - more information is available below.
   195      sas_token = "abcdefghijklmnopqrstuvwxyz0123456789..."
   196    }
   197  }
   198  ```
   199  
   200  ## Configuration variables
   201  
   202  The following configuration options are supported:
   203  
   204  * `storage_account_name` - (Required) The Name of [the Storage Account](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/storage_account).
   205  
   206  * `container_name` - (Required) The Name of [the Storage Container](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/storage_container) within the Storage Account.
   207  
   208  * `key` - (Required) The name of the Blob used to retrieve/store Terraform's State file inside the Storage Container.
   209  
   210  * `environment` - (Optional) The Azure Environment which should be used. This can also be sourced from the `ARM_ENVIRONMENT` environment variable. Possible values are `public`, `china`, `german`, `stack` and `usgovernment`. Defaults to `public`.
   211  
   212  * `endpoint` - (Optional) The Custom Endpoint for Azure Resource Manager. This can also be sourced from the `ARM_ENDPOINT` environment variable.
   213  
   214  ~> **NOTE:** An `endpoint` should only be configured when using Azure Stack.
   215  
   216  * `snapshot` - (Optional) Should the Blob used to store the Terraform Statefile be snapshotted before use? Defaults to `false`. This value can also be sourced from the `ARM_SNAPSHOT` environment variable.
   217  
   218  ---
   219  
   220  When authenticating using the Managed Service Identity (MSI) - the following fields are also supported:
   221  
   222  * `resource_group_name` - (Required) The Name of the Resource Group in which the Storage Account exists.
   223  
   224  * `msi_endpoint` - (Optional) The path to a custom Managed Service Identity endpoint which is automatically determined if not specified. This can also be sourced from the `ARM_MSI_ENDPOINT` environment variable.
   225  
   226  * `subscription_id` - (Optional) The Subscription ID in which the Storage Account exists. This can also be sourced from the `ARM_SUBSCRIPTION_ID` environment variable.
   227  
   228  * `tenant_id` - (Optional) The Tenant ID in which the Subscription exists. This can also be sourced from the `ARM_TENANT_ID` environment variable.
   229  
   230  * `use_microsoft_graph` - (Optional) Should MSAL be used for authentication instead of ADAL, and should Microsoft Graph be used instead of Azure Active Directory Graph? Defaults to `false`.
   231  
   232  -> **Note:** By default the Azure Backend uses ADAL for authentication which is deprecated in favour of MSAL - MSAL can be used by setting `use_microsoft_graph` to `true`. **The default for this will change in Terraform 1.2**, so that MSAL authentication is used by default.
   233  
   234  * `use_msi` - (Optional) Should Managed Service Identity authentication be used? This can also be sourced from the `ARM_USE_MSI` environment variable.
   235  
   236  ---
   237  
   238  When authenticating using a SAS Token associated with the Storage Account - the following fields are also supported:
   239  
   240  * `sas_token` - (Optional) The SAS Token used to access the Blob Storage Account. This can also be sourced from the `ARM_SAS_TOKEN` environment variable.
   241  
   242  ---
   243  
   244  When authenticating using the Storage Account's Access Key - the following fields are also supported:
   245  
   246  * `access_key` - (Optional) The Access Key used to access the Blob Storage Account. This can also be sourced from the `ARM_ACCESS_KEY` environment variable.
   247  
   248  ---
   249  
   250  When authenticating using AzureAD Authentication - the following fields are also supported:
   251  
   252  * `use_azuread_auth` - (Optional) Should AzureAD Authentication be used to access the Blob Storage Account? This can also be sourced from the `ARM_USE_AZUREAD` environment variable.
   253  
   254  -> **Note:** When using AzureAD for Authentication to Storage you also need to ensure the `Storage Blob Data Owner` role is assigned.
   255  
   256  * `use_microsoft_graph` - (Optional) Should MSAL be used for authentication instead of ADAL, and should Microsoft Graph be used instead of Azure Active Directory Graph? Defaults to `false`.
   257  
   258  -> **Note:** By default the Azure Backend uses ADAL for authentication which is deprecated in favour of MSAL - MSAL can be used by setting `use_microsoft_graph` to `true`. **The default for this will change in Terraform 1.2**, so that MSAL authentication is used by default.
   259  
   260  ---
   261  
   262  When authenticating using a Service Principal with a Client Certificate - the following fields are also supported:
   263  
   264  * `resource_group_name` - (Required) The Name of the Resource Group in which the Storage Account exists.
   265  
   266  * `client_id` - (Optional) The Client ID of the Service Principal. This can also be sourced from the `ARM_CLIENT_ID` environment variable.
   267  
   268  * `client_certificate_password` - (Optional) The password associated with the Client Certificate specified in `client_certificate_path`. This can also be sourced from the `ARM_CLIENT_CERTIFICATE_PASSWORD` environment variable.
   269  
   270  * `client_certificate_path` - (Optional) The path to the PFX file used as the Client Certificate when authenticating as a Service Principal. This can also be sourced from the `ARM_CLIENT_CERTIFICATE_PATH` environment variable.
   271  
   272  * `subscription_id` - (Optional) The Subscription ID in which the Storage Account exists. This can also be sourced from the `ARM_SUBSCRIPTION_ID` environment variable.
   273  
   274  * `tenant_id` - (Optional) The Tenant ID in which the Subscription exists. This can also be sourced from the `ARM_TENANT_ID` environment variable.
   275  
   276  * `use_microsoft_graph` - (Optional) Should MSAL be used for authentication instead of ADAL, and should Microsoft Graph be used instead of Azure Active Directory Graph? Defaults to `false`.
   277  
   278  -> **Note:** By default the Azure Backend uses ADAL for authentication which is deprecated in favour of MSAL - MSAL can be used by setting `use_microsoft_graph` to `true`. **The default for this will change in Terraform 1.2**, so that MSAL authentication is used by default.
   279  
   280  ---
   281  
   282  When authenticating using a Service Principal with a Client Secret - the following fields are also supported:
   283  
   284  * `resource_group_name` - (Required) The Name of the Resource Group in which the Storage Account exists.
   285  
   286  * `client_id` - (Optional) The Client ID of the Service Principal. This can also be sourced from the `ARM_CLIENT_ID` environment variable.
   287  
   288  * `client_secret` - (Optional) The Client Secret of the Service Principal. This can also be sourced from the `ARM_CLIENT_SECRET` environment variable.
   289  
   290  * `subscription_id` - (Optional) The Subscription ID in which the Storage Account exists. This can also be sourced from the `ARM_SUBSCRIPTION_ID` environment variable.
   291  
   292  * `tenant_id` - (Optional) The Tenant ID in which the Subscription exists. This can also be sourced from the `ARM_TENANT_ID` environment variable.
   293  
   294  * `use_microsoft_graph` - (Optional) Should MSAL be used for authentication instead of ADAL, and should Microsoft Graph be used instead of Azure Active Directory Graph? Defaults to `false`.
   295  
   296  -> **Note:** By default the Azure Backend uses ADAL for authentication which is deprecated in favour of MSAL - MSAL can be used by setting `use_microsoft_graph` to `true`. **The default for this will change in Terraform 1.2**, so that MSAL authentication is used by default.