---
layout: "language"
page_title: "Backend Type: azurerm"
sidebar_current: "docs-backends-types-standard-azurerm"
description: |-
  Terraform can store state remotely in Azure Blob Storage.

---

# azurerm

**Kind: Standard (with state locking)**

Stores the state as a Blob with the given Key within the Blob Container within [the Blob Storage Account](https://docs.microsoft.com/en-us/azure/storage/common/storage-introduction). This backend also supports state locking and consistency checking via native capabilities of Azure Blob Storage.

## Example Configuration

When authenticating using the Azure CLI or a Service Principal (either with a Client Certificate or a Client Secret):

```hcl
terraform {
  backend "azurerm" {
    resource_group_name  = "StorageAccount-ResourceGroup"
    storage_account_name = "abcd1234"
    container_name       = "tfstate"
    key                  = "prod.terraform.tfstate"
  }
}
```

---

When authenticating using Managed Service Identity (MSI):

```hcl
terraform {
  backend "azurerm" {
    storage_account_name = "abcd1234"
    container_name       = "tfstate"
    key                  = "prod.terraform.tfstate"
    use_msi              = true
    subscription_id      = "00000000-0000-0000-0000-000000000000"
    tenant_id            = "00000000-0000-0000-0000-000000000000"
  }
}
```

---

When authenticating using Azure AD Authentication:

```hcl
terraform {
  backend "azurerm" {
    storage_account_name = "abcd1234"
    container_name       = "tfstate"
    key                  = "prod.terraform.tfstate"
    use_azuread_auth     = true
    subscription_id      = "00000000-0000-0000-0000-000000000000"
    tenant_id            = "00000000-0000-0000-0000-000000000000"
  }
}
```

-> **Note:** When using AzureAD for Authentication to Storage you also need to ensure the `Storage Blob Data Owner` role is assigned.

---

When authenticating using the Access Key associated with the Storage Account:

```hcl
terraform {
  backend "azurerm" {
    storage_account_name = "abcd1234"
    container_name       = "tfstate"
    key                  = "prod.terraform.tfstate"

    # rather than defining this inline, the Access Key can also be sourced
    # from an Environment Variable - more information is available below.
    access_key = "abcdefghijklmnopqrstuvwxyz0123456789..."
  }
}
```

---

When authenticating using a SAS Token associated with the Storage Account:

```hcl
terraform {
  backend "azurerm" {
    storage_account_name = "abcd1234"
    container_name       = "tfstate"
    key                  = "prod.terraform.tfstate"

    # rather than defining this inline, the SAS Token can also be sourced
    # from an Environment Variable - more information is available below.
    sas_token = "abcdefghijklmnopqrstuvwxyz0123456789..."
  }
}
```

-> **NOTE:** When using a Service Principal or an Access Key - we recommend using a [Partial Configuration](/docs/language/settings/backends/configuration.html#partial-configuration) for the credentials.

## Data Source Configuration

When authenticating using a Service Principal (either with a Client Certificate or a Client Secret):

```hcl
data "terraform_remote_state" "foo" {
  backend = "azurerm"
  config = {
    storage_account_name = "terraform123abc"
    container_name       = "terraform-state"
    key                  = "prod.terraform.tfstate"
  }
}
```

---

When authenticating using Managed Service Identity (MSI):

```hcl
data "terraform_remote_state" "foo" {
  backend = "azurerm"
  config = {
    storage_account_name = "terraform123abc"
    container_name       = "terraform-state"
    key                  = "prod.terraform.tfstate"
    use_msi              = true
    subscription_id      = "00000000-0000-0000-0000-000000000000"
    tenant_id            = "00000000-0000-0000-0000-000000000000"
  }
}
```

---

When authenticating using AzureAD Authentication:

```hcl
data "terraform_remote_state" "foo" {
  backend = "azurerm"
  config = {
    storage_account_name = "terraform123abc"
    container_name       = "terraform-state"
    key                  = "prod.terraform.tfstate"
    use_azuread_auth     = true
    subscription_id      = "00000000-0000-0000-0000-000000000000"
    tenant_id            = "00000000-0000-0000-0000-000000000000"
  }
}
```

-> **Note:** When using AzureAD for Authentication to Storage you also need to ensure the `Storage Blob Data Owner` role is assigned.

---

When authenticating using the Access Key associated with the Storage Account:

```hcl
data "terraform_remote_state" "foo" {
  backend = "azurerm"
  config = {
    storage_account_name = "terraform123abc"
    container_name       = "terraform-state"
    key                  = "prod.terraform.tfstate"

    # rather than defining this inline, the Access Key can also be sourced
    # from an Environment Variable - more information is available below.
    access_key = "abcdefghijklmnopqrstuvwxyz0123456789..."
  }
}
```

---

When authenticating using a SAS Token associated with the Storage Account:

```hcl
data "terraform_remote_state" "foo" {
  backend = "azurerm"
  config = {
    storage_account_name = "terraform123abc"
    container_name       = "terraform-state"
    key                  = "prod.terraform.tfstate"

    # rather than defining this inline, the SAS Token can also be sourced
    # from an Environment Variable - more information is available below.
    sas_token = "abcdefghijklmnopqrstuvwxyz0123456789..."
  }
}
```

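The Example Configuration note recommends a Partial Configuration for credentials, and the examples above point out that `access_key` and `sas_token` can come from environment variables instead of being written inline. The check below is an added example, not part of the Terraform documentation or code base: it scans configuration text for the credential arguments this page documents set to literal strings in a `backend "azurerm"` block or an azurerm `terraform_remote_state` data source. The function names and the sample input are assumptions made for illustration.

```python
import re

# Credential arguments documented on this page -> env var the backend reads instead.
SECRET_ARGS = {
    "access_key": "ARM_ACCESS_KEY",
    "sas_token": "ARM_SAS_TOKEN",
    "client_secret": "ARM_CLIENT_SECRET",
    "client_certificate_password": "ARM_CLIENT_CERTIFICATE_PASSWORD",
}
USES_AZURERM = re.compile(r'backend\s*(=\s*)?"azurerm"')
ASSIGN = re.compile(r'^\s*(\w+)\s*=\s*"([^"]*)"')

def _scan_block(block):
    """Report literal credentials in one top-level block that uses azurerm."""
    if not any(USES_AZURERM.search(text) for _, text in block):
        return []
    hits = []
    for line_no, text in block:
        m = ASSIGN.match(text)
        # Empty strings and "${...}" interpolations are not literals.
        if m and m.group(1) in SECRET_ARGS and m.group(2) and "${" not in m.group(2):
            hits.append((line_no, m.group(1), SECRET_ARGS[m.group(1)]))
    return hits

def find_inline_credentials(hcl_text):
    """Return (line, argument, env_var) for each credential set inline."""
    findings, block, depth = [], [], 0
    for line_no, raw in enumerate(hcl_text.splitlines(), start=1):
        if raw.lstrip().startswith(("#", "//")):
            continue  # skip full-line comments
        block.append((line_no, raw))
        bare = re.sub(r'"[^"]*"', '""', raw)  # ignore braces inside strings
        depth += bare.count("{") - bare.count("}")
        if depth <= 0:  # a top-level block just closed
            findings += _scan_block(block)
            block, depth = [], 0
    return findings + _scan_block(block)

# Constructed sample: one inline key (flagged), one config without credentials.
SAMPLE = '''terraform {
  backend "azurerm" {
    storage_account_name = "abcd1234"
    access_key           = "CONSTRUCTED-PLACEHOLDER"
  }
}
data "terraform_remote_state" "foo" {
  backend = "azurerm"
  config  = { storage_account_name = "terraform123abc" }
}'''
```
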
## Configuration variables

The following configuration options are supported:

* `storage_account_name` - (Required) The Name of [the Storage Account](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/storage_account).

* `container_name` - (Required) The Name of [the Storage Container](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/storage_container) within the Storage Account.

* `key` - (Required) The name of the Blob used to retrieve/store Terraform's State file inside the Storage Container.

* `environment` - (Optional) The Azure Environment which should be used. This can also be sourced from the `ARM_ENVIRONMENT` environment variable. Possible values are `public`, `china`, `german`, `stack` and `usgovernment`. Defaults to `public`.

* `endpoint` - (Optional) The Custom Endpoint for Azure Resource Manager. This can also be sourced from the `ARM_ENDPOINT` environment variable.

~> **NOTE:** An `endpoint` should only be configured when using Azure Stack.

* `snapshot` - (Optional) Should the Blob used to store the Terraform Statefile be snapshotted before use? Defaults to `false`. This value can also be sourced from the `ARM_SNAPSHOT` environment variable.

---

When authenticating using the Managed Service Identity (MSI) - the following fields are also supported:

* `subscription_id` - (Optional) The Subscription ID in which the Storage Account exists. This can also be sourced from the `ARM_SUBSCRIPTION_ID` environment variable.

* `tenant_id` - (Optional) The Tenant ID in which the Subscription exists. This can also be sourced from the `ARM_TENANT_ID` environment variable.

* `msi_endpoint` - (Optional) The path to a custom Managed Service Identity endpoint which is automatically determined if not specified. This can also be sourced from the `ARM_MSI_ENDPOINT` environment variable.

* `use_msi` - (Optional) Should Managed Service Identity authentication be used? This can also be sourced from the `ARM_USE_MSI` environment variable.

---

When authenticating using a SAS Token associated with the Storage Account - the following fields are also supported:

* `sas_token` - (Optional) The SAS Token used to access the Blob Storage Account. This can also be sourced from the `ARM_SAS_TOKEN` environment variable.

---

When authenticating using the Storage Account's Access Key - the following fields are also supported:

* `access_key` - (Optional) The Access Key used to access the Blob Storage Account. This can also be sourced from the `ARM_ACCESS_KEY` environment variable.

---

When authenticating using AzureAD Authentication - the following fields are also supported:

* `use_azuread_auth` - (Optional) Should AzureAD Authentication be used to access the Blob Storage Account? This can also be sourced from the `ARM_USE_AZUREAD` environment variable.

-> **Note:** When using AzureAD for Authentication to Storage you also need to ensure the `Storage Blob Data Owner` role is assigned.

---

When authenticating using a Service Principal with a Client Certificate - the following fields are also supported:

* `resource_group_name` - (Required) The Name of the Resource Group in which the Storage Account exists.

* `client_id` - (Optional) The Client ID of the Service Principal. This can also be sourced from the `ARM_CLIENT_ID` environment variable.

* `client_certificate_password` - (Optional) The password associated with the Client Certificate specified in `client_certificate_path`. This can also be sourced from the `ARM_CLIENT_CERTIFICATE_PASSWORD` environment variable.

* `client_certificate_path` - (Optional) The path to the PFX file used as the Client Certificate when authenticating as a Service Principal. This can also be sourced from the `ARM_CLIENT_CERTIFICATE_PATH` environment variable.

* `subscription_id` - (Optional) The Subscription ID in which the Storage Account exists. This can also be sourced from the `ARM_SUBSCRIPTION_ID` environment variable.

* `tenant_id` - (Optional) The Tenant ID in which the Subscription exists. This can also be sourced from the `ARM_TENANT_ID` environment variable.

---

When authenticating using a Service Principal with a Client Secret - the following fields are also supported:

* `resource_group_name` - (Required) The Name of the Resource Group in which the Storage Account exists.

* `client_id` - (Optional) The Client ID of the Service Principal. This can also be sourced from the `ARM_CLIENT_ID` environment variable.

* `client_secret` - (Optional) The Client Secret of the Service Principal. This can also be sourced from the `ARM_CLIENT_SECRET` environment variable.

* `subscription_id` - (Optional) The Subscription ID in which the Storage Account exists. This can also be sourced from the `ARM_SUBSCRIPTION_ID` environment variable.

* `tenant_id` - (Optional) The Tenant ID in which the Subscription exists. This can also be sourced from the `ARM_TENANT_ID` environment variable.