COS
Stores the state as an object in a configurable prefix in a given bucket on Tencent Cloud Object Storage (COS).
This backend supports state locking. Storing your state in a COS bucket requires the following permissions:
CreateTag, DeleteTag, and DescribeTags on the tag key tencentcloud-terraform-lock
Put, Get, and Delete files for the specified bucket's prefix
Warning! It is highly recommended that you enable Object Versioning on the COS bucket to allow for state recovery in the case of accidental deletions and human error.
Example Configuration
This assumes we have created a COS bucket named bucket-for-terraform-state-1258798060. Terraform state will be written to the file terraform/state/terraform.tfstate.
Data Source Configuration
To make use of the COS remote state in another configuration, use the terraform_remote_state data source.
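The backend and data source described above, written out as an added example that is not taken from the original page. The region ap-guangzhou and the data source name state_store are assumptions; credentials are deliberately absent and are expected in the TENCENTCLOUD_SECRET_ID and TENCENTCLOUD_SECRET_KEY environment variables.

```hcl
# Added example: the configuration that owns the state.
# No secret_id / secret_key here; Terraform reads them from the
# TENCENTCLOUD_SECRET_ID and TENCENTCLOUD_SECRET_KEY environment variables,
# so they do not end up in the .terraform subdirectory or in plan files.
terraform {
  backend "cos" {
    region  = "ap-guangzhou" # assumed region
    bucket  = "bucket-for-terraform-state-1258798060"
    prefix  = "terraform/state" # with the default key: terraform/state/terraform.tfstate
    encrypt = true              # server-side AES256 encryption of the state object
    acl     = "private"         # the default; public-read would make the state world-readable
  }
}

# Added example: a separate configuration that only reads that state.
# The config values must point at the same bucket and prefix as above.
data "terraform_remote_state" "state_store" { # "state_store" is an assumed name
  backend = "cos"

  config = {
    region = "ap-guangzhou"
    bucket = "bucket-for-terraform-state-1258798060"
    prefix = "terraform/state"
  }
}

# Root-module outputs of the first configuration are then available as
# data.terraform_remote_state.state_store.outputs.<output_name>
```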
Configuration Variables
Warning: We recommend using environment variables to supply credentials and other sensitive data. If you use -backend-config or hardcode these values directly in your configuration, Terraform will include these values in both the .terraform subdirectory and in plan files. Refer to Credentials and Sensitive Data for details.
The following configuration options or environment variables are supported:
secret_id - (Optional) Secret ID of Tencent Cloud. It supports the environment variable TENCENTCLOUD_SECRET_ID.
secret_key - (Optional) Secret key of Tencent Cloud. It supports the environment variable TENCENTCLOUD_SECRET_KEY.
security_token - (Optional) TencentCloud Security Token of temporary access credentials. It supports the environment variable TENCENTCLOUD_SECURITY_TOKEN.
region - (Optional) The region of the COS bucket. It supports the environment variable TENCENTCLOUD_REGION.
bucket - (Required) The name of the COS bucket. You must create it manually first.
prefix - (Optional) The directory for saving the state file in the bucket. Defaults to "env:".
key - (Optional) The path for saving the state file in the bucket. Defaults to terraform.tfstate.
encrypt - (Optional) Whether to enable server-side encryption of the state file. If true, COS will use the 'AES256' encryption algorithm to encrypt the state file.
acl - (Optional) Object ACL to be applied to the state file. Allows private and public-read. Defaults to private.
accelerate - (Optional) Whether to enable global Acceleration. Defaults to false.
endpoint - (Optional) The custom endpoint for the COS backend. It supports the environment variable TENCENTCLOUD_ENDPOINT.
domain - (Optional) The root domain of the API request. Defaults to tencentcloudapi.com. It supports the environment variable TENCENTCLOUD_DOMAIN.
Assume Role
If provided with an assume role, Terraform will attempt to assume this role using the supplied credentials.
Assume role can be provided by adding an assume_role block in the cos backend block.
assume_role - (Optional) The assume_role block. If provided, Terraform will attempt to assume this role using the supplied credentials.
The details of the assume_role block are as follows:
role_arn - (Required) The ARN of the role to assume. It can be sourced from the TENCENTCLOUD_ASSUME_ROLE_ARN environment variable.
session_name - (Required) The session name to use when making the AssumeRole call. It can be sourced from the TENCENTCLOUD_ASSUME_ROLE_SESSION_NAME environment variable.
session_duration - (Required) The duration of the session when making the AssumeRole call. Its value ranges from 0 to 43200 (seconds), and the default is 7200 seconds. It can be sourced from the TENCENTCLOUD_ASSUME_ROLE_SESSION_DURATION environment variable.
policy - (Optional) A more restrictive policy when making the AssumeRole call. Its content must not contain principal elements. Note: for more syntax references, refer to policies syntax logic.
Usage:
In addition, these assume_role configurations can also be provided by environment variables.
Usage:
Shared credentials
You can use Tencent Cloud credentials to specify your credentials. The default location is $HOME/.tccli on Linux and macOS, and "%USERPROFILE%\.tccli" on Windows. You can optionally specify a different location in the Terraform configuration by providing the shared_credentials_dir argument or using the TENCENTCLOUD_SHARED_CREDENTIALS_DIR environment variable. This method also supports a profile configuration and matching TENCENTCLOUD_PROFILE environment variable:
shared_credentials_dir - (Optional) The directory of the shared credentials. It can also be sourced from the TENCENTCLOUD_SHARED_CREDENTIALS_DIR environment variable. If not set, this defaults to ~/.tccli.
profile - (Optional) The profile name as set in the shared credentials. It can also be sourced from the TENCENTCLOUD_PROFILE environment variable. If not set, the default profile created with tccli configure will be used.
Usage:
On Linux/MacOS
On Windows
In addition, these shared_credentials_dir and profile configurations can also be provided by environment variables.
Usage:
Cam role name
If provided with a CAM role name, Terraform will access the metadata URL http://metadata.tencentyun.com/latest/meta-data/cam/security-credentials/<cam_role_name> to obtain the STS credential. The CVM instance role can also be set using the TENCENTCLOUD_CAM_ROLE_NAME environment variable.
cam_role_name - (Optional) The name of the CVM instance CAM role. It can be sourced from the TENCENTCLOUD_CAM_ROLE_NAME environment variable.
Usage:
This method can also be combined with Assume role. Authentication process: CAM authentication is performed first, followed by Assume role authentication.
Usage:
In addition, the cam_role_name configuration can also be provided by environment variables.
Usage:
Endpoint
If provided with an endpoint URL, Terraform will attempt to access the COS backend using the endpoint configuration or the environment variable TENCENTCLOUD_ENDPOINT.
A typical endpoint looks like this: http://cos-internal.{Region}.tencentcos.cn. Both HTTP and HTTPS are accepted.
Usage:
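A backend block for Terraform running on a CVM instance, combining the Cam role name, Assume Role and Endpoint sections above; this is an added example, not code from the original page. The role name, role ARN, session name and region are placeholders or assumptions, and the HTTPS form of the internal endpoint is chosen here so the state object is not sent in cleartext.

```hcl
terraform {
  backend "cos" {
    region  = "ap-guangzhou" # assumed region
    bucket  = "bucket-for-terraform-state-1258798060"
    prefix  = "terraform/state"
    encrypt = true

    # Step 1: CAM authentication. Terraform fetches short-lived STS
    # credentials for this instance role from the metadata URL, so no
    # secret_id / secret_key is stored on the host or in this file.
    cam_role_name = "example-cvm-role" # placeholder role name

    # Step 2: the instance-role credentials are used for the AssumeRole call.
    assume_role {
      role_arn         = "<ROLE_ARN>"      # placeholder; supply the real ARN
      session_name     = "terraform-state" # placeholder session name
      session_duration = 3600              # seconds; range 0-43200, default 7200
    }

    # Internal endpoint following the pattern
    # http://cos-internal.{Region}.tencentcos.cn, using HTTPS.
    endpoint = "https://cos-internal.ap-guangzhou.tencentcos.cn"
  }
}
```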