- OpenTofu Settings
- Backends
- cos
Backend Type: COS
Stores the state as an object in a configurable prefix in a given bucket on Tencent Cloud Object Storage (COS).
This backend supports state locking. Storing your state in a COS bucket requires the following permissions:
CreateTag
,DeleteTag
, andDescribeTags
on the tag keytencentcloud-terraform-lock
Put
,Get
, andDelete
files for the specified bucket's prefix
It is highly recommended that you enable Object Versioning on the COS bucket to allow for state recovery in the case of accidental deletions and human error.
Example Configuration
This assumes we have a COS Bucket created named bucket-for-tofu-state-1258798060
,
OpenTofu state will be written into the file tofu/state/terraform.tfstate
.
Data Source Configuration
To make use of the COS remote state in another configuration, use the terraform_remote_state
data source.
Configuration Variables
We recommend using environment variables to supply credentials and other sensitive data. If you use -backend-config
or hardcode these values directly in your configuration, OpenTofu will include these values in both the .terraform
subdirectory and in plan files. Refer to Credentials and Sensitive Data for details.
The following configuration options or environment variables are supported:
secret_id
- (Optional) Secret id of Tencent Cloud. It supports environment variablesTENCENTCLOUD_SECRET_ID
.secret_key
- (Optional) Secret key of Tencent Cloud. It supports environment variablesTENCENTCLOUD_SECRET_KEY
.security_token
- (Optional) TencentCloud Security Token of temporary access credentials. It supports environment variablesTENCENTCLOUD_SECURITY_TOKEN
.region
- (Optional) The region of the COS bucket. It supports environment variablesTENCENTCLOUD_REGION
.bucket
- (Required) The name of the COS bucket. You shall manually create it first.prefix
- (Optional) The directory for saving the state file in bucket. Default to "env:".key
- (Optional) The path for saving the state file in bucket. Defaults toterraform.tfstate
.encrypt
- (Optional) Whether to enable server side encryption of the state file. If it is true, COS will use 'AES256' encryption algorithm to encrypt state file.acl
- (Optional) Object ACL to be applied to the state file, allowsprivate
andpublic-read
. Defaults toprivate
.accelerate
- (Optional) Whether to enable global Acceleration. Defaults tofalse
.
Assume Role
If provided with an assume role, OpenTofu will attempt to assume this role using the supplied credentials.
Assume role can be provided by adding an assume_role
block in the cos backend block.
assume_role
- (Optional) Theassume_role
block. If provided, OpenTofu will attempt to assume this role using the supplied credentials.
The details of assume_role
block as following:
role_arn
- (Required) The ARN of the role to assume. It can be sourced from theTENCENTCLOUD_ASSUME_ROLE_ARN
.session_name
- (Required) The session name to use when making the AssumeRole call. It can be sourced from theTENCENTCLOUD_ASSUME_ROLE_SESSION_NAME
.session_duration
- (Required) The duration of the session when making the AssumeRole call. Its value ranges from 0 to 43200(seconds), and default is 7200 seconds. It can be sourced from theTENCENTCLOUD_ASSUME_ROLE_SESSION_DURATION
.policy
- (Optional) A more restrictive policy when making the AssumeRole call. Its content must not containsprincipal
elements. Notice: more syntax references, please refer to: policies syntax logic.
Usage:
In addition, these assume_role
configurations can also be provided by environment variables.
Usage: