| --- |
| page_title: 'Backend Type: azurerm' |
| description: Terraform can store state remotely in Azure Blob Storage. |
| --- |
| |
| # azurerm |
| |
| Stores the state as a Blob with the given Key within the Blob Container within [the Blob Storage Account](https://docs.microsoft.com/en-us/azure/storage/common/storage-introduction). |
| |
| This backend supports state locking and consistency checking with Azure Blob Storage native capabilities. |
| |
| -> **Note:** In Terraform 1.2 the Azure Backend uses MSAL (and Microsoft Graph) rather than ADAL (and Azure Active Directory Graph) for authentication by default - you can disable this by setting `use_microsoft_graph` to `false`. **This setting will be removed in Terraform 1.3, due to Microsoft's deprecation of ADAL**. |
| |
| ## Example Configuration |
| |
| When authenticating using the Azure CLI or a Service Principal (either with a Client Certificate or a Client Secret): |
| |
| ```hcl |
| terraform { |
| backend "azurerm" { |
| resource_group_name = "StorageAccount-ResourceGroup" |
| storage_account_name = "abcd1234" |
| container_name = "tfstate" |
| key = "prod.terraform.tfstate" |
| } |
| } |
| ``` |
| |
| *** |
| |
| When authenticating using Managed Service Identity (MSI): |
| |
| ```hcl |
| terraform { |
| backend "azurerm" { |
| resource_group_name = "StorageAccount-ResourceGroup" |
| storage_account_name = "abcd1234" |
| container_name = "tfstate" |
| key = "prod.terraform.tfstate" |
| use_msi = true |
| subscription_id = "00000000-0000-0000-0000-000000000000" |
| tenant_id = "00000000-0000-0000-0000-000000000000" |
| } |
| } |
| ``` |
| |
| *** |
| |
| When authenticating using OpenID Connect (OIDC): |
| |
| ```hcl |
| terraform { |
| backend "azurerm" { |
| resource_group_name = "StorageAccount-ResourceGroup" |
| storage_account_name = "abcd1234" |
| container_name = "tfstate" |
| key = "prod.terraform.tfstate" |
| use_oidc = true |
| subscription_id = "00000000-0000-0000-0000-000000000000" |
| tenant_id = "00000000-0000-0000-0000-000000000000" |
| } |
| } |
| ``` |
| |
| *** |
| |
| When authenticating using Azure AD Authentication: |
| |
| ```hcl |
| terraform { |
| backend "azurerm" { |
| storage_account_name = "abcd1234" |
| container_name = "tfstate" |
| key = "prod.terraform.tfstate" |
| use_azuread_auth = true |
| subscription_id = "00000000-0000-0000-0000-000000000000" |
| tenant_id = "00000000-0000-0000-0000-000000000000" |
| } |
| } |
| ``` |
| |
| -> **Note:** When using AzureAD for Authentication to Storage you also need to ensure the `Storage Blob Data Owner` role is assigned. |
| |
| *** |
| |
| When authenticating using the Access Key associated with the Storage Account: |
| |
| ```hcl |
| terraform { |
| backend "azurerm" { |
| storage_account_name = "abcd1234" |
| container_name = "tfstate" |
| key = "prod.terraform.tfstate" |
| |
| # rather than defining this inline, the Access Key can also be sourced |
| # from an Environment Variable - more information is available below. |
| access_key = "abcdefghijklmnopqrstuvwxyz0123456789..." |
| } |
| } |
| ``` |
| |
| *** |
| |
| When authenticating using a SAS Token associated with the Storage Account: |
| |
| ```hcl |
| terraform { |
| backend "azurerm" { |
| storage_account_name = "abcd1234" |
| container_name = "tfstate" |
| key = "prod.terraform.tfstate" |
| |
| # rather than defining this inline, the SAS Token can also be sourced |
| # from an Environment Variable - more information is available below. |
| sas_token = "abcdefghijklmnopqrstuvwxyz0123456789..." |
| } |
| } |
| ``` |
| |
| -> **NOTE:** When using a Service Principal or an Access Key - we recommend using a [Partial Configuration](/language/settings/backends/configuration#partial-configuration) for the credentials. |
| |
| ## Data Source Configuration |
| |
| When authenticating using a Service Principal (either with a Client Certificate or a Client Secret): |
| |
| ```hcl |
| data "terraform_remote_state" "foo" { |
| backend = "azurerm" |
| config = { |
| storage_account_name = "terraform123abc" |
| container_name = "terraform-state" |
| key = "prod.terraform.tfstate" |
| } |
| } |
| ``` |
| |
| *** |
| |
| When authenticating using Managed Service Identity (MSI): |
| |
| ```hcl |
| data "terraform_remote_state" "foo" { |
| backend = "azurerm" |
| config = { |
| resource_group_name = "StorageAccount-ResourceGroup" |
| storage_account_name = "terraform123abc" |
| container_name = "terraform-state" |
| key = "prod.terraform.tfstate" |
| use_msi = true |
| subscription_id = "00000000-0000-0000-0000-000000000000" |
| tenant_id = "00000000-0000-0000-0000-000000000000" |
| } |
| } |
| ``` |
| |
| *** |
| |
| When authenticating using OpenID Connect (OIDC): |
| |
| ```hcl |
| data "terraform_remote_state" "foo" { |
| backend = "azurerm" |
| config = { |
| resource_group_name = "StorageAccount-ResourceGroup" |
| storage_account_name = "terraform123abc" |
| container_name = "terraform-state" |
| key = "prod.terraform.tfstate" |
| use_oidc = true |
| subscription_id = "00000000-0000-0000-0000-000000000000" |
| tenant_id = "00000000-0000-0000-0000-000000000000" |
| } |
| } |
| ``` |
| |
| *** |
| |
| When authenticating using AzureAD Authentication: |
| |
| ```hcl |
| data "terraform_remote_state" "foo" { |
| backend = "azurerm" |
| config = { |
| storage_account_name = "terraform123abc" |
| container_name = "terraform-state" |
| key = "prod.terraform.tfstate" |
| use_azuread_auth = true |
| subscription_id = "00000000-0000-0000-0000-000000000000" |
| tenant_id = "00000000-0000-0000-0000-000000000000" |
| } |
| } |
| ``` |
| |
| -> **Note:** When using AzureAD for Authentication to Storage you also need to ensure the `Storage Blob Data Owner` role is assigned. |
| |
| *** |
| |
| When authenticating using the Access Key associated with the Storage Account: |
| |
| ```hcl |
| data "terraform_remote_state" "foo" { |
| backend = "azurerm" |
| config = { |
| storage_account_name = "terraform123abc" |
| container_name = "terraform-state" |
| key = "prod.terraform.tfstate" |
| |
| # rather than defining this inline, the Access Key can also be sourced |
| # from an Environment Variable - more information is available below. |
| access_key = "abcdefghijklmnopqrstuvwxyz0123456789..." |
| } |
| } |
| ``` |
| |
| *** |
| |
| When authenticating using a SAS Token associated with the Storage Account: |
| |
| ```hcl |
| data "terraform_remote_state" "foo" { |
| backend = "azurerm" |
| config = { |
| storage_account_name = "terraform123abc" |
| container_name = "terraform-state" |
| key = "prod.terraform.tfstate" |
| |
| # rather than defining this inline, the SAS Token can also be sourced |
| # from an Environment Variable - more information is available below. |
| sas_token = "abcdefghijklmnopqrstuvwxyz0123456789..." |
| } |
| } |
| ``` |
| |
| ## Configuration Variables |
| |
| !> **Warning:** We recommend using environment variables to supply credentials and other sensitive data. If you use `-backend-config` or hardcode these values directly in your configuration, Terraform will include these values in both the `.terraform` subdirectory and in plan files. Refer to [Credentials and Sensitive Data](/language/settings/backends/configuration#credentials-and-sensitive-data) for details. |
| |
| |
| The following configuration options are supported: |
| |
| * `storage_account_name` - (Required) The Name of [the Storage Account](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/storage_account). |
| |
| * `container_name` - (Required) The Name of [the Storage Container](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/storage_container) within the Storage Account. |
| |
| * `key` - (Required) The name of the Blob used to retrieve/store Terraform's State file inside the Storage Container. |
| |
| * `environment` - (Optional) The Azure Environment which should be used. This can also be sourced from the `ARM_ENVIRONMENT` environment variable. Possible values are `public`, `china`, `german`, `stack` and `usgovernment`. Defaults to `public`. |
| |
| * `endpoint` - (Optional) The Custom Endpoint for Azure Resource Manager. This can also be sourced from the `ARM_ENDPOINT` environment variable. |
| |
| ~> **NOTE:** An `endpoint` should only be configured when using Azure Stack. |
| |
| * `snapshot` - (Optional) Should the Blob used to store the Terraform Statefile be snapshotted before use? Defaults to `false`. This value can also be sourced from the `ARM_SNAPSHOT` environment variable. |
| |
| *** |
| |
| When authenticating using the Managed Service Identity (MSI) - the following fields are also supported: |
| |
| * `resource_group_name` - (Required) The Name of the Resource Group in which the Storage Account exists. |
| |
| * `msi_endpoint` - (Optional) The path to a custom Managed Service Identity endpoint which is automatically determined if not specified. This can also be sourced from the `ARM_MSI_ENDPOINT` environment variable. |
| |
| * `subscription_id` - (Optional) The Subscription ID in which the Storage Account exists. This can also be sourced from the `ARM_SUBSCRIPTION_ID` environment variable. |
| |
| * `tenant_id` - (Optional) The Tenant ID in which the Subscription exists. This can also be sourced from the `ARM_TENANT_ID` environment variable. |
| |
| * `use_microsoft_graph` - (Optional) Should MSAL be used for authentication instead of ADAL, and should Microsoft Graph be used instead of Azure Active Directory Graph? Defaults to `true`. |
| |
| -> **Note:** In Terraform 1.2 the Azure Backend uses MSAL (and Microsoft Graph) rather than ADAL (and Azure Active Directory Graph) for authentication by default - you can disable this by setting `use_microsoft_graph` to `false`. **This setting will be removed in Terraform 1.3, due to Microsoft's deprecation of ADAL**. |
| |
| * `use_msi` - (Optional) Should Managed Service Identity authentication be used? This can also be sourced from the `ARM_USE_MSI` environment variable. |
| |
| *** |
| |
| When authenticating using a Service Principal with OpenID Connect (OIDC) - the following fields are also supported: |
| |
| * `oidc_request_url` - (Optional) The URL for the OIDC provider from which to request an ID token. This can also be sourced from the `ARM_OIDC_REQUEST_URL` or `ACTIONS_ID_TOKEN_REQUEST_URL` environment variables. |
| |
| * `oidc_request_token` - (Optional) The bearer token for the request to the OIDC provider. This can also be sourced from the `ARM_OIDC_REQUEST_TOKEN` or `ACTIONS_ID_TOKEN_REQUEST_TOKEN` environment variables. |
| |
| * `use_oidc` - (Optional) Should OIDC authentication be used? This can also be sourced from the `ARM_USE_OIDC` environment variable. |
| |
| ~> **Note:** When using OIDC for authentication, `use_microsoft_graph` must be set to `true` (which is the default). |
| |
| *** |
| |
| When authenticating using a SAS Token associated with the Storage Account - the following fields are also supported: |
| |
| * `sas_token` - (Optional) The SAS Token used to access the Blob Storage Account. This can also be sourced from the `ARM_SAS_TOKEN` environment variable. |
| |
| *** |
| |
| When authenticating using the Storage Account's Access Key - the following fields are also supported: |
| |
| * `access_key` - (Optional) The Access Key used to access the Blob Storage Account. This can also be sourced from the `ARM_ACCESS_KEY` environment variable. |
| |
| *** |
| |
| When authenticating using AzureAD Authentication - the following fields are also supported: |
| |
| * `use_azuread_auth` - (Optional) Should AzureAD Authentication be used to access the Blob Storage Account. This can also be sourced from the `ARM_USE_AZUREAD` environment variable. |
| |
| -> **Note:** When using AzureAD for Authentication to Storage you also need to ensure the `Storage Blob Data Owner` role is assigned. |
| |
| * `use_microsoft_graph` - (Optional) Should MSAL be used for authentication instead of ADAL, and should Microsoft Graph be used instead of Azure Active Directory Graph? Defaults to `true`. |
| |
| -> **Note:** In Terraform 1.2 the Azure Backend uses MSAL (and Microsoft Graph) rather than ADAL (and Azure Active Directory Graph) for authentication by default - you can disable this by setting `use_microsoft_graph` to `false`. **This setting will be removed in Terraform 1.3, due to Microsoft's deprecation of ADAL**. |
| |
| *** |
| |
| When authenticating using a Service Principal with a Client Certificate - the following fields are also supported: |
| |
| * `resource_group_name` - (Required) The Name of the Resource Group in which the Storage Account exists. |
| |
| * `client_id` - (Optional) The Client ID of the Service Principal. This can also be sourced from the `ARM_CLIENT_ID` environment variable. |
| |
| * `client_certificate_password` - (Optional) The password associated with the Client Certificate specified in `client_certificate_path`. This can also be sourced from the `ARM_CLIENT_CERTIFICATE_PASSWORD` environment variable. |
| |
| * `client_certificate_path` - (Optional) The path to the PFX file used as the Client Certificate when authenticating as a Service Principal. This can also be sourced from the `ARM_CLIENT_CERTIFICATE_PATH` environment variable. |
| |
| * `subscription_id` - (Optional) The Subscription ID in which the Storage Account exists. This can also be sourced from the `ARM_SUBSCRIPTION_ID` environment variable. |
| |
| * `tenant_id` - (Optional) The Tenant ID in which the Subscription exists. This can also be sourced from the `ARM_TENANT_ID` environment variable. |
| |
| * `use_microsoft_graph` - (Optional) Should MSAL be used for authentication instead of ADAL, and should Microsoft Graph be used instead of Azure Active Directory Graph? Defaults to `true`. |
| |
| -> **Note:** In Terraform 1.2 the Azure Backend uses MSAL (and Microsoft Graph) rather than ADAL (and Azure Active Directory Graph) for authentication by default - you can disable this by setting `use_microsoft_graph` to `false`. **This setting will be removed in Terraform 1.3, due to Microsoft's deprecation of ADAL**. |
| |
| *** |
| |
| When authenticating using a Service Principal with a Client Secret - the following fields are also supported: |
| |
| * `resource_group_name` - (Required) The Name of the Resource Group in which the Storage Account exists. |
| |
| * `client_id` - (Optional) The Client ID of the Service Principal. This can also be sourced from the `ARM_CLIENT_ID` environment variable. |
| |
| * `client_secret` - (Optional) The Client Secret of the Service Principal. This can also be sourced from the `ARM_CLIENT_SECRET` environment variable. |
| |
| * `subscription_id` - (Optional) The Subscription ID in which the Storage Account exists. This can also be sourced from the `ARM_SUBSCRIPTION_ID` environment variable. |
| |
| * `tenant_id` - (Optional) The Tenant ID in which the Subscription exists. This can also be sourced from the `ARM_TENANT_ID` environment variable. |
| |
| * `use_microsoft_graph` - (Optional) Should MSAL be used for authentication instead of ADAL, and should Microsoft Graph be used instead of Azure Active Directory Graph? Defaults to `true`. |
| |
| -> **Note:** In Terraform 1.2 the Azure Backend uses MSAL (and Microsoft Graph) rather than ADAL (and Azure Active Directory Graph) for authentication by default - you can disable this by setting `use_microsoft_graph` to `false`. **This setting will be removed in Terraform 1.3, due to Microsoft's deprecation of ADAL**. |