jprdonnelly/opentf
1
0
Fork 0
mirror of https://github.com/opentffoundation/opentf.git synced 2026-04-05 06:01:56 -04:00
Code Issues Packages Projects Releases Wiki Activity
Files
temp-cli-refactor
opentf/website/docs/language/settings/backends/cos.mdx
Janos a15a6c9657 Versioned docs: replacing docs links with relative variants (#1537) 
Signed-off-by: Janos <86970079+janosdebugs@users.noreply.github.com>
Signed-off-by: Damian Stasik <920747+damianstasik@users.noreply.github.com>
Signed-off-by: Roman Grinovski <roman.grinovski@gmail.com>
Co-authored-by: Damian Stasik <920747+damianstasik@users.noreply.github.com>
Co-authored-by: Roman Grinovski <roman.grinovski@gmail.com>
2024-04-24 13:24:30 +02:00

114 lines
5.2 KiB
Plaintext
Raw Permalink Blame History

---
sidebar_label: cos
description: >-
OpenTofu can store the state remotely, making it easier to version and work
with in a team.
---
# Backend Type: COS
Stores the state as an object in a configurable prefix in a given bucket on [Tencent Cloud Object Storage](https://intl.cloud.tencent.com/product/cos) (COS).
This backend supports [state locking](../../../language/state/locking.mdx). Storing your state in a COS bucket requires the following permissions:
- `CreateTag`, `DeleteTag`, and `DescribeTags` on the tag key `tencentcloud-terraform-lock`
- `Put`, `Get`, and `Delete` files for the specified bucket's prefix
:::warning
It is highly recommended that you enable [Object Versioning](https://intl.cloud.tencent.com/document/product/436/19883)
on the COS bucket to allow for state recovery in the case of accidental deletions and human error.
:::
## Example Configuration
```hcl
terraform {
backend "cos" {
region = "ap-guangzhou"
bucket = "bucket-for-tofu-state-1258798060"
prefix = "tofu/state"
}
}
```
This assumes we have a [COS Bucket](https://registry.terraform.io/providers/tencentcloudstack/tencentcloud/latest/docs/resources/cos_bucket) created named `bucket-for-tofu-state-1258798060`,
OpenTofu state will be written into the file `tofu/state/terraform.tfstate`.
## Data Source Configuration
To make use of the COS remote state in another configuration, use the [`terraform_remote_state` data source](../../../language/state/remote-state-data.mdx).
```hcl
data "terraform_remote_state" "foo" {
backend = "cos"
config = {
region = "ap-guangzhou"
bucket = "bucket-for-tofu-state-1258798060"
prefix = "tofu/state"
}
}
```
## Configuration Variables
:::danger Warning
We recommend using environment variables to supply credentials and other sensitive data. If you use `-backend-config` or hardcode these values directly in your configuration, OpenTofu will include these values in both the `.terraform` subdirectory and in plan files. Refer to [Credentials and Sensitive Data](../../../language/settings/backends/configuration.mdx#credentials-and-sensitive-data) for details.
:::
The following configuration options or environment variables are supported:
- `secret_id` - (Optional) Secret id of Tencent Cloud. It supports environment variables `TENCENTCLOUD_SECRET_ID`.
- `secret_key` - (Optional) Secret key of Tencent Cloud. It supports environment variables `TENCENTCLOUD_SECRET_KEY`.
- `security_token` - (Optional) TencentCloud Security Token of temporary access credentials. It supports environment variables `TENCENTCLOUD_SECURITY_TOKEN`.
- `region` - (Optional) The region of the COS bucket. It supports environment variables `TENCENTCLOUD_REGION`.
- `bucket` - (Required) The name of the COS bucket. You shall manually create it first.
- `prefix` - (Optional) The directory for saving the state file in bucket. Default to "env:".
- `key` - (Optional) The path for saving the state file in bucket. Defaults to `terraform.tfstate`.
- `encrypt` - (Optional) Whether to enable server side encryption of the state file. If it is true, COS will use 'AES256' encryption algorithm to encrypt state file.
- `acl` - (Optional) Object ACL to be applied to the state file, allows `private` and `public-read`. Defaults to `private`.
- `accelerate` - (Optional) Whether to enable global Acceleration. Defaults to `false`.
### Assume Role
If provided with an assume role, OpenTofu will attempt to assume this role using the supplied credentials.
Assume role can be provided by adding an `assume_role` block in the cos backend block.
- `assume_role` - (Optional) The `assume_role` block. If provided, OpenTofu will attempt to assume this role using the supplied credentials.
The details of `assume_role` block as following:
- `role_arn` - (Required) The ARN of the role to assume. It can be sourced from the `TENCENTCLOUD_ASSUME_ROLE_ARN`.
- `session_name` - (Required) The session name to use when making the AssumeRole call. It can be sourced from the `TENCENTCLOUD_ASSUME_ROLE_SESSION_NAME`.
- `session_duration` - (Required) The duration of the session when making the AssumeRole call. Its value ranges from 0 to 43200(seconds), and default is 7200 seconds. It can be sourced from the `TENCENTCLOUD_ASSUME_ROLE_SESSION_DURATION`.
- `policy` - (Optional) A more restrictive policy when making the AssumeRole call. Its content must not contains `principal` elements. Notice: more syntax references, please refer to: [policies syntax logic](https://intl.cloud.tencent.com/document/product/598/10603).
Usage:
```hcl
terraform {
backend "cos" {
region = "ap-guangzhou"
bucket = "bucket-for-tofu-state-{appid}"
prefix = "tofu/state"
assume_role {
role_arn = "qcs::cam::uin/xxx:roleName/yyy"
session_name = "my-session-name"
session_duration = 3600
}
}
}
```
In addition, these `assume_role` configurations can also be provided by environment variables.
Usage:
```shell
$ export TENCENTCLOUD_SECRET_ID="my-secret-id"
$ export TENCENTCLOUD_SECRET_KEY="my-secret-key"
$ export TENCENTCLOUD_REGION="ap-guangzhou"
$ export TENCENTCLOUD_ASSUME_ROLE_ARN="qcs::cam::uin/xxx:roleName/yyy"
$ export TENCENTCLOUD_ASSUME_ROLE_SESSION_NAME="my-session-name"
$ export TENCENTCLOUD_ASSUME_ROLE_SESSION_DURATION=3600
$ tofu plan
```
Reference in New Issue View Git Blame Copy Permalink