Terraform state backend
This repo provisions two separate state backends, each with its own storage account and container. State is stored in Azure Blob Storage, and access to it is authenticated via Azure AD (OIDC).
State backends
| Backend | Storage account | Resource group | Container | State key |
|---|---|---|---|---|
| Shared | stjersalprojcore | rg-jersal-projects-shared | tfstate-shared | shared.tfstate |
| Site | stjersalprojcoresite | rg-jersal-site-sc | tfstate-site | site.tfstate |
Both backends use:
- Authentication: Azure AD (`use_azuread_auth = true` / `ARM_USE_OIDC`)
- Storage tier: Standard LRS
- TLS: Minimum version 1.2
- Blob versioning: Enabled
- Delete retention: 30 days
Bootstrap
State backends must be provisioned before any terraform/envs/* configurations can run. CI handles this automatically, but for local use:
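```bash
# Run from the repository root. Each backend runs in a subshell so the
# working directory returns to the root before the next one starts.

# Shared backend
(
  cd terraform/backend/shared
  terraform init -backend-config=backend.hcl
  terraform apply -var="subscription_id=<subscription-id>"
)

# Site backend
(
  cd terraform/backend/site
  terraform init -backend-config=backend.hcl
  terraform apply -var="subscription_id=<subscription-id>"
)
```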
Bootstrap order
The backend configurations use local state (no remote backend) since they
create the very storage accounts that will hold remote state. Run these
before initializing terraform/envs/*.
Adding a new backend
When adding new infrastructure (e.g., the hub SWA), follow the same pattern:
- Create `terraform/backend/<name>/` with storage account and container resources
- Create `terraform/envs/<name>/` with a backend block pointing to the new storage
- Add corresponding CI workflows
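
A sketch of the first two steps, carrying over the settings listed under "Both backends use". This is an added example, not this repo's own code: the file names, the `state` resource labels, the `resource_group_name` and `location` variables, and every `example` name are placeholders, and the resource group is assumed to exist already.

```hcl
# --- terraform/backend/<name>/main.tf (assumed file name; uses local state) ---
variable "subscription_id" { type = string }
variable "resource_group_name" { type = string } # assumed to exist already
variable "location" { type = string }

provider "azurerm" {
  features {}
  subscription_id = var.subscription_id
}

resource "azurerm_storage_account" "state" {
  name                     = "stexamplestate" # placeholder, must be globally unique
  resource_group_name      = var.resource_group_name
  location                 = var.location
  account_tier             = "Standard"
  account_replication_type = "LRS"
  min_tls_version          = "TLS1_2"

  blob_properties {
    versioning_enabled = true # earlier versions of the state blob stay recoverable
    delete_retention_policy {
      days = 30
    }
  }
}

resource "azurerm_storage_container" "state" {
  name = "tfstate-example" # placeholder
  # Newer azurerm releases prefer storage_account_id for this reference.
  storage_account_name  = azurerm_storage_account.state.name
  container_access_type = "private" # no anonymous read access to state
}

# --- terraform/envs/<name>/backend.tf (assumed file name) ---
terraform {
  backend "azurerm" {
    resource_group_name  = "rg-example" # placeholder
    storage_account_name = "stexamplestate"
    container_name       = "tfstate-example"
    key                  = "example.tfstate"
    use_azuread_auth     = true # blob access via Azure AD instead of account keys
    # OIDC itself is enabled in CI through the ARM_USE_OIDC environment variable.
  }
}
```

With `use_azuread_auth = true`, the identity running Terraform needs a data-plane role such as Storage Blob Data Contributor on the container; management-plane roles alone do not grant access to the state blob.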