Remote state file

Create an Azure storage account

The three commands below, run in the Azure CLI, create a resource group, a storage account, and a blob container. Run az login in the terminal first to authenticate to Azure.

Create resource group

az group create --name <RESOURCE_GROUP_NAME> --location <LOCATION>

Create storage account

az storage account create --resource-group <RESOURCE_GROUP_NAME> --name <STORAGE_ACCOUNT_NAME> --sku Standard_LRS --encryption-services blob

Create blob container

az storage container create --name <CONTAINER_NAME> --account-name <STORAGE_ACCOUNT_NAME>

Configure Terraform to use the Azure storage account

To configure Terraform to use Azure storage, supply the following values, either in the Terraform config files or via the Terraform CLI command. Using the config file is easier.

  • storage_account_name is the name of the Azure storage account
  • container_name is the name of the blob container
  • key is the name of the state file for this particular build
  • access_key is the storage account access key so you can access the blob container and blob

The storage account access_key is a high-value asset and should remain secure. It is used by Terraform to create, read, update, and delete (CRUD) Terraform state files. So whilst you could store it as a permanent environment variable, you should avoid doing so. Instead, store the access key in an Azure key vault and retrieve it from the key vault each time you need it.

(Best practice) Retrieve the access_key from Azure Key Vault and temporarily save it as a variable

Running the following will retrieve the access_key from an Azure key vault and then store it temporarily (per shell session) as a variable that Terraform will read. Of course, you will first need to create an Azure Key Vault and save the storage account access_key to it as a secret.

$env:ARM_ACCESS_KEY=$(az keyvault secret show --name <access key secret> --vault-name <azure key vault name> --query value -o tsv)

(Less secure alternative) Retrieve the storage account access key and save it as an environment variable

Running the following will retrieve the access key from the storage account and store it as a permanent environment variable called ACCOUNT_KEY.

ACCOUNT_KEY=$(az storage account keys list --resource-group $RESOURCE_GROUP_NAME --account-name $STORAGE_ACCOUNT_NAME --query '[0].value' -o tsv)

Add the backend details to the Terraform configuration

Use the following example in your terraform block to configure Terraform to use an Azure storage account for the state file.

  • RESOURCE_GROUP_NAME - the name of the RG where the storage account is
  • STORAGE_ACCOUNT_NAME - the name of the storage account
  • CONTAINER_NAME - the name of the blob container
  • KEY - the name of the state file for this particular build

This example can be used when authenticating with Azure CLI or a service principal (certificate or client secret).

terraform {
  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = "=3.0.0" 
    }
  }

  backend "azurerm" {
    resource_group_name   = "RESOURCE_GROUP_NAME"
    storage_account_name  = "STORAGE_ACCOUNT_NAME"
    container_name        = "CONTAINER_NAME"
    key                   = "KEY.tfstate"
  }
}
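
The practice described above, as an added example that is not part of the original page: a Bash counterpart of the PowerShell Key Vault one-liner that scopes ARM_ACCESS_KEY to a single terraform command instead of the whole session, and refuses to run if a backend credential (access_key or sas_token) is hard-coded in the .tf files. The function names and the vault, secret and directory arguments are assumptions for illustration.

```shell
#!/usr/bin/env bash
# Added example, not from the original page. Function names are hypothetical.

# List lines in *.tf files under DIR ($1, default ".") that assign a backend
# credential as a string literal. Exit status 0 = found, 1 = clean.
find_inline_backend_secrets() {
  grep -rnE --include='*.tf' \
    '^[[:space:]]*(access_key|sas_token)[[:space:]]*=[[:space:]]*"[^"]' "${1:-.}"
}

# Run a command with ARM_ACCESS_KEY set only for that command.
# $1 = Key Vault name, $2 = secret name, remaining arguments = command.
with_state_key() {
  (
    # Everything happens in a subshell, so the key never enters the
    # environment of the calling shell.
    vault=$1; secret=$2; shift 2
    ARM_ACCESS_KEY="$(az keyvault secret show --name "$secret" \
      --vault-name "$vault" --query value -o tsv)" || exit 1
    [ -n "$ARM_ACCESS_KEY" ] || { echo "Key Vault returned an empty key" >&2; exit 1; }
    export ARM_ACCESS_KEY
    "$@"
  )
}

# terraform init with both safeguards.
# $1 = Key Vault name, $2 = secret name, $3 = config directory (default ".").
safe_terraform_init() {
  if find_inline_backend_secrets "${3:-.}" >&2; then
    echo "refusing to run: backend credential hard-coded in ${3:-.}" >&2
    return 2
  fi
  with_state_key "$1" "$2" terraform -chdir="${3:-.}" init
}
```

Call it as safe_terraform_init <azure key vault name> <access key secret> <config dir>; once it returns, ARM_ACCESS_KEY is not set in the calling shell.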



Last modified January 27, 2025: Delete cloud-adoption-framework.md (1a91b0a)