Skip to main content

Backend Type: COS

Stores the state as an object in a configurable prefix in a given bucket on Tencent Cloud Object Storage (COS).

This backend supports state locking. Storing your state in a COS bucket requires the following permissions:

  • CreateTag, DeleteTag, and DescribeTags on the tag key tencentcloud-terraform-lock
  • Put, Get, and Delete files for the specified bucket's prefix

Example Configuration

Code Block
terraform {
backend "cos" {
region = "ap-guangzhou"
bucket = "bucket-for-tofu-state-1258798060"
prefix = "tofu/state"
}
}

This assumes we have a COS Bucket created named bucket-for-tofu-state-1258798060, OpenTofu state will be written into the file tofu/state/terraform.tfstate.

Data Source Configuration

To make use of the COS remote state in another configuration, use the terraform_remote_state data source.

Code Block
data "terraform_remote_state" "foo" {
backend = "cos"

config = {
region = "ap-guangzhou"
bucket = "bucket-for-tofu-state-1258798060"
prefix = "tofu/state"
}
}

Configuration Variables

The following configuration options or environment variables are supported:

  • secret_id - (Optional) Secret id of Tencent Cloud. It supports environment variables TENCENTCLOUD_SECRET_ID.
  • secret_key - (Optional) Secret key of Tencent Cloud. It supports environment variables TENCENTCLOUD_SECRET_KEY.
  • security_token - (Optional) TencentCloud Security Token of temporary access credentials. It supports environment variables TENCENTCLOUD_SECURITY_TOKEN.
  • region - (Optional) The region of the COS bucket. It supports environment variables TENCENTCLOUD_REGION.
  • bucket - (Required) The name of the COS bucket. You shall manually create it first.
  • prefix - (Optional) The directory for saving the state file in bucket. Default to "env:".
  • key - (Optional) The path for saving the state file in bucket. Defaults to terraform.tfstate.
  • encrypt - (Optional) Whether to enable server side encryption of the state file. If it is true, COS will use 'AES256' encryption algorithm to encrypt state file.
  • acl - (Optional) Object ACL to be applied to the state file, allows private and public-read. Defaults to private.
  • accelerate - (Optional) Whether to enable global Acceleration. Defaults to false.

Assume Role

If provided with an assume role, OpenTofu will attempt to assume this role using the supplied credentials. Assume role can be provided by adding an assume_role block in the cos backend block.

  • assume_role - (Optional) The assume_role block. If provided, OpenTofu will attempt to assume this role using the supplied credentials.

The details of assume_role block as following:

  • role_arn - (Required) The ARN of the role to assume. It can be sourced from the TENCENTCLOUD_ASSUME_ROLE_ARN.
  • session_name - (Required) The session name to use when making the AssumeRole call. It can be sourced from the TENCENTCLOUD_ASSUME_ROLE_SESSION_NAME.
  • session_duration - (Required) The duration of the session when making the AssumeRole call. Its value ranges from 0 to 43200(seconds), and default is 7200 seconds. It can be sourced from the TENCENTCLOUD_ASSUME_ROLE_SESSION_DURATION.
  • policy - (Optional) A more restrictive policy when making the AssumeRole call. Its content must not contains principal elements. Notice: more syntax references, please refer to: policies syntax logic.

Usage:

Code Block
terraform {
backend "cos" {
region = "ap-guangzhou"
bucket = "bucket-for-tofu-state-{appid}"
prefix = "tofu/state"
assume_role {
role_arn = "qcs::cam::uin/xxx:roleName/yyy"
session_name = "my-session-name"
session_duration = 3600
}
}
}

In addition, these assume_role configurations can also be provided by environment variables.

Usage:

Code Block
$ export TENCENTCLOUD_SECRET_ID="my-secret-id"
$ export TENCENTCLOUD_SECRET_KEY="my-secret-key"
$ export TENCENTCLOUD_REGION="ap-guangzhou"
$ export TENCENTCLOUD_ASSUME_ROLE_ARN="qcs::cam::uin/xxx:roleName/yyy"
$ export TENCENTCLOUD_ASSUME_ROLE_SESSION_NAME="my-session-name"
$ export TENCENTCLOUD_ASSUME_ROLE_SESSION_DURATION=3600
$ tofu plan