atmos terraform backend
Use these commands to manage Terraform state backend infrastructure. This solves the Terraform bootstrap problem by automatically provisioning backend storage with secure defaults, making it compatible with any Terraform-managed backend.
Usage
atmos terraform backend <subcommand> [options]
Available Subcommands
create <component>- Provision backend infrastructure for a component
list- List all backends in a stack
describe <component>- Show backend configuration from stack
update <component>- Update backend configuration (idempotent)
delete <component>- Delete backend infrastructure (requires --force)
Creating Backends
Provision backend infrastructure for a component in a specific stack:
atmos terraform backend create <component> --stack <stack>
The backend must have provision.backend.enabled: true in its stack configuration.
Examples
Create Backend
Provision an S3 bucket with secure defaults:
atmos terraform backend create vpc --stack dev
This creates an S3 bucket (if it doesn't exist) with:
- Versioning enabled
- AES-256 encryption
- Public access blocked
- Resource tags applied
List Backends
Show all backend configurations in a stack:
atmos terraform backend list --stack dev
Describe Backend Configuration
View a component's backend configuration from the stack:
atmos terraform backend describe vpc --stack dev
atmos terraform backend describe vpc --stack dev --format json
Update Backend
Apply configuration changes to existing backend (idempotent):
atmos terraform backend update vpc --stack dev
Delete Backend
Remove backend infrastructure (requires --force for safety):
atmos terraform backend delete vpc --stack dev --force
Provision Multiple Backends
atmos terraform backend create vpc --stack dev
atmos terraform backend create eks --stack dev
atmos terraform backend create rds --stack dev
Arguments
component- The Atmos component name (required for create, describe, update, delete)
Flags
--stack/-s- Atmos stack name (required). Can also be set via
ATMOS_STACKenvironment variable --identity/-i- Identity to use for authentication. Overrides component's default identity. Use without value to select interactively
--format/-f- Output format for list and describe commands:
table,yaml,json(default: varies by command) --force- Force deletion without confirmation (delete command only)
Authentication
Backend commands support both global and component-level authentication, consistent with regular Terraform commands.
Component-Level Identity
Components can specify their own authentication identity with a default:
# stacks/dev.yaml
components:
terraform:
vpc:
# Component-level auth configuration
auth:
identities:
vpc-deployer:
default: true # Used automatically for this component
kind: aws/permission-set
via:
provider: aws-sso
principal:
name: "NetworkAdmin"
account:
name: "network-dev"
With this configuration, backend commands automatically use the vpc-deployer identity:
# Automatically uses vpc-deployer identity
atmos terraform backend create vpc --stack dev
atmos terraform backend delete vpc --stack dev --force
Identity Flag Override
The --identity flag overrides the component's default identity:
# Override component default with admin identity
atmos terraform backend create vpc --stack dev --identity admin
Global Identity
Without component-level auth, backend commands use global auth configuration from atmos.yaml or the --identity flag.
See Authentication and Identity for complete auth configuration details.
How It Works
Manual Provisioning
When you run atmos terraform backend create:
- Load Configuration - Atmos loads the component's stack configuration
- Check Provisioning - Verifies
provision.backend.enabled: trueis set - Select Provisioner - Chooses provisioner based on
backend_type(s3, gcs, azurerm) - Check Existence - Verifies if backend already exists (idempotent)
- Provision - Creates backend with hardcoded security defaults if needed
- Apply Settings - Configures versioning, encryption, access controls, and tags
Automatic Provisioning
Backends are also provisioned automatically when running Terraform commands if provision.backend.enabled: true:
# Backend provisioned automatically before terraform init
atmos terraform plan vpc --stack dev
atmos terraform apply vpc --stack dev
The automatic flow:
Auth Setup (TerraformPreHook)
↓
Backend Provisioning (if enabled)
↓
Terraform Init
↓
Terraform Command
Solving the Terraform Bootstrap Problem
Terraform has a chicken-and-egg problem: you need infrastructure to store state, but you need state to manage infrastructure. Atmos solves this by:
- Automatic Detection - Reads backend configuration from stack manifests
- Secure Defaults - Creates backend with hardcoded security settings
- Idempotent Operations - Safe to run multiple times
- Terraform Compatible - Works with any Terraform-managed backend
This eliminates manual backend setup and makes Terraform backends work like any other infrastructure resource.
Configuration
Enable backend provisioning in your stack manifest:
# stacks/dev.yaml
components:
terraform:
vpc:
backend_type: s3 # Must be at component level
backend:
bucket: acme-ue1-dev-tfstate
key: vpc/terraform.tfstate
region: us-east-1
use_lockfile: true # Enable native S3 locking (Terraform 1.10+)
provision:
backend:
enabled: true # Enable automatic provisioning
Configuration Hierarchy
The provision.backend configuration supports Atmos's deep-merge system and can be specified at multiple levels in the stack hierarchy. This provides flexibility to set defaults at high levels and override at component level.
Global Default (Organization-Level)
Enable provisioning for all components in an organization:
# stacks/orgs/acme/_defaults.yaml
terraform:
provision:
backend:
enabled: true
All components in this organization will inherit provision.backend.enabled: true unless explicitly overridden.
Environment-Level Configuration
Set different provisioning policies per environment:
# stacks/orgs/acme/plat/dev/_defaults.yaml
terraform:
provision:
backend:
enabled: true # Auto-provision in dev
# stacks/orgs/acme/plat/prod/_defaults.yaml
terraform:
provision:
backend:
enabled: false # Pre-provisioned backends in prod
Component Inheritance
Use metadata.inherits to share provision configuration:
# stacks/catalog/vpc/defaults.yaml
components:
terraform:
vpc/defaults:
provision:
backend:
enabled: true
# stacks/dev.yaml
components:
terraform:
vpc:
metadata:
inherits: [vpc/defaults]
# Inherits provision.backend.enabled: true