Skip to main content

Backend Type: http

Stores the state using a simple REST client.

State will be fetched via GET, updated via POST, and purged with DELETE. The method used for updating is configurable.

This backend optionally supports state locking. When locking support is enabled it will use LOCK and UNLOCK requests providing the lock info in the body. The endpoint should return a 423: Locked or 409: Conflict with the holding lock info when it's already taken, 200: OK for success. Any other status will be considered an error. The ID of the holding lock info will be added as a query parameter to state updates requests.

Example Usage

terraform {
backend "http" {
address = "http://myrest.api.com/foo"
lock_address = "http://myrest.api.com/foo"
unlock_address = "http://myrest.api.com/foo"
}
}

Data Source Configuration

data "terraform_remote_state" "foo" {
backend = "http"
config = {
address = "http://my.rest.api.com"
}
}

Configuration Variables

Warning

We recommend using environment variables to supply credentials and other sensitive data. If you use -backend-config or hardcode these values directly in your configuration, OpenTF will include these values in both the .terraform subdirectory and in plan files. Refer to Credentials and Sensitive Data for details.

The following configuration options / environment variables are supported:

  • address / TF_HTTP_ADDRESS - (Required) The address of the REST endpoint
  • update_method / TF_HTTP_UPDATE_METHOD - (Optional) HTTP method to use when updating state. Defaults to POST.
  • lock_address / TF_HTTP_LOCK_ADDRESS - (Optional) The address of the lock REST endpoint. Defaults to disabled.
  • lock_method / TF_HTTP_LOCK_METHOD - (Optional) The HTTP method to use when locking. Defaults to LOCK.
  • unlock_address / TF_HTTP_UNLOCK_ADDRESS - (Optional) The address of the unlock REST endpoint. Defaults to disabled.
  • unlock_method / TF_HTTP_UNLOCK_METHOD - (Optional) The HTTP method to use when unlocking. Defaults to UNLOCK.
  • username / TF_HTTP_USERNAME - (Optional) The username for HTTP basic authentication
  • password / TF_HTTP_PASSWORD - (Optional) The password for HTTP basic authentication
  • skip_cert_verification - (Optional) Whether to skip TLS verification. Defaults to false.
  • retry_max / TF_HTTP_RETRY_MAX – (Optional) The number of HTTP request retries. Defaults to 2.
  • retry_wait_min / TF_HTTP_RETRY_WAIT_MIN – (Optional) The minimum time in seconds to wait between HTTP request attempts. Defaults to 1.
  • retry_wait_max / TF_HTTP_RETRY_WAIT_MAX – (Optional) The maximum time in seconds to wait between HTTP request attempts. Defaults to 30.

For mTLS authentication, the following three options may be set:

  • client_certificate_pem / TF_HTTP_CLIENT_CERTIFICATE_PEM - (Optional) A PEM-encoded certificate used by the server to verify the client during mutual TLS (mTLS) authentication.
  • client_private_key_pem /TF_HTTP_CLIENT_PRIVATE_KEY_PEM - (Optional) A PEM-encoded private key, required if client_certificate_pem is specified.
  • client_ca_certificate_pem / TF_HTTP_CLIENT_CA_CERTIFICATE_PEM - (Optional) A PEM-encoded CA certificate chain used by the client to verify server certificates during TLS authentication.