- OpenTF Settings
- Backends
- oss
Backend Type: oss
Stores the state as a given key in a given bucket on Stores
Alibaba Cloud OSS.
This backend also supports state locking and consistency checking via
Alibaba Cloud Table Store, which can be enabled by setting
the tablestore_table
field to an existing TableStore table name.
This backend supports state locking via TableStore.
Example Configuration
terraform {
backend "oss" {
bucket = "bucket-for-opentf-state"
prefix = "path/mystate"
key = "version-1.tfstate"
region = "cn-beijing"
tablestore_endpoint = "https://opentf-remote.cn-hangzhou.ots.aliyuncs.com"
tablestore_table = "statelock"
}
}
This assumes we have a OSS Bucket created called bucket-for-opentf-state
,
a OTS Instance called opentf-remote
and
a OTS TableStore called statelock
. The
OpenTF state will be written into the file path/mystate/version-1.tfstate
. The TableStore
must have a primary key named LockID
of type String
.
Data Source Configuration
To make use of the OSS remote state in another configuration, use the
terraform_remote_state
data
source.
terraform {
backend "oss" {
bucket = "remote-state-dns"
prefix = "mystate/state"
key = "terraform.tfstate"
region = "cn-beijing"
}
}
The terraform_remote_state
data source will return all of the root outputs
defined in the referenced remote state, an example output might look like:
data "terraform_remote_state" "network" {
backend = "oss"
config = {
bucket = "remote-state-dns"
key = "terraform.tfstate"
prefix = "mystate/state"
region = "cn-beijing"
}
outputs = {}
workspace = "default"
}
Configuration Variables
We recommend using environment variables to supply credentials and other sensitive data. If you use -backend-config
or hardcode these values directly in your configuration, OpenTF will include these values in both the .terraform
subdirectory and in plan files. Refer to Credentials and Sensitive Data for details.
The following configuration options or environment variables are supported:
access_key
- (Optional) Alibaba Cloud access key. It supports environment variablesALICLOUD_ACCESS_KEY
andALICLOUD_ACCESS_KEY_ID
.secret_key
- (Optional) Alibaba Cloud secret access key. It supports environment variablesALICLOUD_SECRET_KEY
andALICLOUD_ACCESS_KEY_SECRET
.security_token
- (Optional) STS access token. It supports environment variableALICLOUD_SECURITY_TOKEN
.ecs_role_name
- (Optional, Available in 0.12.14+) The RAM Role Name attached on a ECS instance for API operations. You can retrieve this from the 'Access Control' section of the Alibaba Cloud console.region
- (Optional) The region of the OSS bucket. It supports environment variablesALICLOUD_REGION
andALICLOUD_DEFAULT_REGION
.endpoint
- (Optional) A custom endpoint for the OSS API. It supports environment variablesALICLOUD_OSS_ENDPOINT
andOSS_ENDPOINT
.bucket
- (Required) The name of the OSS bucket.prefix
- (Opeional) The path directory of the state file will be stored. Default to "env:".key
- (Optional) The name of the state file. Defaults toterraform.tfstate
.tablestore_endpoint
/ALICLOUD_TABLESTORE_ENDPOINT
- (Optional) A custom endpoint for the TableStore API.tablestore_table
- (Optional) A TableStore table for state locking and consistency. The table must have a primary key namedLockID
of typeString
.sts_endpoint
- (Optional, Available in 1.0.11+) Custom endpoint for the AliCloud Security Token Service (STS) API. It supports environment variableALICLOUD_STS_ENDPOINT
.encrypt
- (Optional) Whether to enable server side encryption of the state file. If it is true, OSS will use 'AES256' encryption algorithm to encrypt state file.acl
- (Optional) Object ACL to be applied to the state file.shared_credentials_file
- (Optional, Available in 0.12.8+) This is the path to the shared credentials file. It can also be sourced from theALICLOUD_SHARED_CREDENTIALS_FILE
environment variable. If this is not set and a profile is specified,~/.aliyun/config.json
will be used.profile
- (Optional, Available in 0.12.8+) This is the Alibaba Cloud profile name as set in the shared credentials file. It can also be sourced from theALICLOUD_PROFILE
environment variable.assume_role_role_arn
- (Optional, Available in 1.1.0+) The ARN of the role to assume. If ARN is set to an empty string, it does not perform role switching. It supports the environment variableALICLOUD_ASSUME_ROLE_ARN
. OpenTF executes configuration on account with provided credentials.assume_role_policy
- (Optional, Available in 1.1.0+) A more restrictive policy to apply to the temporary credentials. This gives you a way to further restrict the permissions for the resulting temporary security credentials. You cannot use this policy to grant permissions that exceed those of the role that is being assumed.assume_role_session_name
- (Optional, Available in 1.1.0+) The session name to use when assuming the role. If omitted, 'opentf' is passed to the AssumeRole call as session name. It supports environment variableALICLOUD_ASSUME_ROLE_SESSION_NAME
.assume_role_session_expiration
- (Optional, Available in 1.1.0+) The time after which the established session for assuming role expires. Valid value range: [900-3600] seconds. Default to 3600 (in this case Alibaba Cloud uses its own default value). It supports environment variableALICLOUD_ASSUME_ROLE_SESSION_EXPIRATION
.assume_role
- (Deprecated as of 1.1.0+, Available in 0.12.6+) If provided with a role ARN, will attempt to assume this role using the supplied credentials. It will be ignored whenassume_role_role_arn
is specified.Deprecated in favor of flattening assumerole* options
role_arn
- (Required) The ARN of the role to assume. If ARN is set to an empty string, it does not perform role switching. It supports the environment variableALICLOUD_ASSUME_ROLE_ARN
. OpenTF executes configuration on account with provided credentials.policy
- (Optional) A more restrictive policy to apply to the temporary credentials. This gives you a way to further restrict the permissions for the resulting temporary security credentials. You cannot use this policy to grant permissions that exceed those of the role that is being assumed.session_name
- (Optional) The session name to use when assuming the role. If omitted, 'opentf' is passed to the AssumeRole call as session name. It supports environment variableALICLOUD_ASSUME_ROLE_SESSION_NAME
.session_expiration
- (Optional) The time after which the established session for assuming role expires. Valid value range: [900-3600] seconds. Default to 3600 (in this case Alibaba Cloud uses its own default value). It supports environment variableALICLOUD_ASSUME_ROLE_SESSION_EXPIRATION
.
If you want to store state in the custom OSS endpoint, you can specify an environment variable OSS_ENDPOINT
, like "oss-cn-beijing-internal.aliyuncs.com"