In this post, I want to show you how to configure terraform to use an Azure storage account to store and protect your tfstate file. To manage the infrastructure and configuration, Terraform writes the status of resources to a tfstate file. By default, this file is called “terraform. tfstate” and is stored locally in JSON format but can also be stored remotely. It is created by Terraform the first time the terraform plan command is run and will use it each time it is run to compare its state with that of the target infrastructure and return the preview of the changes to be made.

Storing the tfstate file in an Azure storage account gives us several advantages, such as:

  • State locking: Terraform creates a file lock on the state file when running terraform apply, preventing other terraform executions against this state file.
  • Encryption at rest: data stored in an Azure blob is encrypted before being persisted.
  • Redundancy: The data in Azure Blob Storage is always replicated to ensure durability and high availability.


  • This tutorial assumes that you already have a Microsoft Azure account configured.
  • You can use an existing Storage Account, or you can create a new one. If you want to know how to create a Storage Account using PowerShell, check out this link.

Create a container

The first thing we need to do is create a container in our storage account to locate the tfstate file. To perform this task, we can use Powershell or Azure CLI. In the following examples, I used variables for a more straightforward reading of the code and code reuse.

Azure PowerShell Workaround

To create a container in the storage account, use the New-AzStorageContainer cmdlet with the following syntax.

Azure CLI Workaround

In this case, you used the Azure Cloud Shell bash console. To create a container on the storage account, use the following command.

Terraform Backend block

To store the state file in the blob container created in the previous step, you should include the backend block in your “” file. The configuration data of this block depends on the authentication method used.

Service Principal

If you use this authentication method, you should specify the following values.

Managed Service Identity

If you use Managed Service Identity as an authentication method, specify the following values in the “backend” block.

 Storage Account Access Key

If you prefer a Storage Account Access Key as an authentication method, you should define the following values in the backend block.

Storage Account SAS Token

And finally, if the authentication method used by you is a SAS Token, the backend block should contain the following values.

Create and apply a Terraform execution plan

In this example, I will run it from my Azure cloud shell session, and my configuration file looks like this.

Initialize configuration

You should use the following command to create the “” file in the Azure cloud shell.

And paste or write the content of your local “” file and then run the following commands.

azure terraform backend

If configuration file validation is correct, you can run the following commands.

azure terraform backend

Once the terraform plan command is executed, the state file is created in the container defined in the configuration file. To see the contents of the state file, you should use the following command.

azure terraform backend

As you can see, the state file has no defined resources yet. Once the following command is run, the newly created resource will be registered.

azure terraform backend

Reverse a Terraform execution plan

if you want to delete the resource group created in this example, you can use the following command

Thanks for reading my post. I hope you find it helpful.

If you want to learn more about Terraform backends, check out this link.