Backend Type: http
Stores the state using a simple REST client.
State will be fetched via GET, updated via POST, and purged with DELETE. The method used for updating is configurable.
This backend optionally supports state locking. When locking support is enabled, it uses LOCK and UNLOCK requests that carry the lock info in the body. If the lock is already taken, the endpoint should return 423: Locked or 409: Conflict together with the holding lock info; on success it should return 200: OK. Any other status is considered an error. The ID of the holding lock info is added as a query parameter to state update requests.
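As an added illustration (not OpenTofu's code and not part of the original page), here is a minimal Python endpoint that follows the request flow described above. The `ID` JSON field and `ID` query parameter names, the 404 for missing state, the 400 and 405 replies, and the refusal of writes or unlocks that lack the holder's ID are assumptions of this sketch; it has no authentication or TLS.

```python
import json
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs, urlparse
def lock_id(raw):  # lock ID from lock-info JSON, None if absent or malformed
    try:
        return json.loads(raw)["ID"]  # assumed field name
    except (ValueError, KeyError, TypeError):
        return None

class StateStore:
    state = None  # raw state bytes; None when nothing is stored
    lock = None   # lock-info JSON sent by the current holder
    def handle(self, method, query_id, body):  # -> (status, response_body)
        held = lock_id(self.lock)
        if method == "GET":
            return (200, self.state) if self.state is not None else (404, b"")
        if method == "LOCK":
            if held is not None:
                return 423, self.lock  # taken: reply with the holding lock info
            if lock_id(body) is None:
                return 400, b""        # lock info without a usable ID
            self.lock = body
            return 200, b""
        if method == "UNLOCK":
            if held is not None and lock_id(body) != held:
                return 423, self.lock  # sketch's choice: only the holder unlocks
            self.lock = None
            return 200, b""
        if method in ("POST", "DELETE"):
            if held is not None and query_id != held:
                return 423, self.lock  # sketch's choice: writes need holder's ID
            self.state = body if method == "POST" else None
            return 200, b""
        return 405, b""

class Handler(BaseHTTPRequestHandler):
    store = StateStore()  # one in-memory store shared by all requests
    def _dispatch(self):
        qs = parse_qs(urlparse(self.path).query)
        body = self.rfile.read(int(self.headers.get("Content-Length") or 0))
        status, out = self.store.handle(self.command, qs.get("ID", [None])[0], body)
        self.send_response(status)
        self.send_header("Content-Length", str(len(out)))
        self.end_headers()
        self.wfile.write(out)
    do_GET = do_POST = do_DELETE = do_LOCK = do_UNLOCK = _dispatch

if __name__ == "__main__":
    HTTPServer(("127.0.0.1", 8080), Handler).serve_forever()
```

Checking the lock ID on the server side is what makes the lock binding: a client that never sent LOCK, or that holds a stale ID, gets 423 instead of overwriting state.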
Example Usage
terraform {
  backend "http" {
    address        = "http://myrest.api.com/foo"
    lock_address   = "http://myrest.api.com/foo"
    unlock_address = "http://myrest.api.com/foo"
  }
}
Data Source Configuration
data "terraform_remote_state" "foo" {
  backend = "http"
  config = {
    address = "http://my.rest.api.com"
  }
}
Configuration Variables
We recommend using environment variables to supply credentials and other sensitive data. If you use -backend-config
or hardcode these values directly in your configuration, OpenTofu will include these values in both the .terraform
subdirectory and in plan files. Refer to Credentials and Sensitive Data for details.
The following configuration options / environment variables are supported:
- address / TF_HTTP_ADDRESS - (Required) The address of the REST endpoint.
- update_method / TF_HTTP_UPDATE_METHOD - (Optional) HTTP method to use when updating state. Defaults to POST.
- lock_address / TF_HTTP_LOCK_ADDRESS - (Optional) The address of the lock REST endpoint. Defaults to disabled.
- lock_method / TF_HTTP_LOCK_METHOD - (Optional) The HTTP method to use when locking. Defaults to LOCK.
- unlock_address / TF_HTTP_UNLOCK_ADDRESS - (Optional) The address of the unlock REST endpoint. Defaults to disabled.
- unlock_method / TF_HTTP_UNLOCK_METHOD - (Optional) The HTTP method to use when unlocking. Defaults to UNLOCK.
- username / TF_HTTP_USERNAME - (Optional) The username for HTTP basic authentication.
- password / TF_HTTP_PASSWORD - (Optional) The password for HTTP basic authentication.
- skip_cert_verification - (Optional) Whether to skip TLS verification. Defaults to false.
- retry_max / TF_HTTP_RETRY_MAX - (Optional) The number of HTTP request retries. Defaults to 2.
- retry_wait_min / TF_HTTP_RETRY_WAIT_MIN - (Optional) The minimum time in seconds to wait between HTTP request attempts. Defaults to 1.
- retry_wait_max / TF_HTTP_RETRY_WAIT_MAX - (Optional) The maximum time in seconds to wait between HTTP request attempts. Defaults to 30.
For mTLS authentication, the following three options may be set:
- client_certificate_pem / TF_HTTP_CLIENT_CERTIFICATE_PEM - (Optional) A PEM-encoded certificate used by the server to verify the client during mutual TLS (mTLS) authentication.
- client_private_key_pem / TF_HTTP_CLIENT_PRIVATE_KEY_PEM - (Optional) A PEM-encoded private key, required if client_certificate_pem is specified.
- client_ca_certificate_pem / TF_HTTP_CLIENT_CA_CERTIFICATE_PEM - (Optional) A PEM-encoded CA certificate chain used by the client to verify server certificates during TLS authentication.