Generate Terraform Backend
The backend section generates Terraform backend configuration files (backend.tf.json)
for your components. Define backend settings once in your stacks and Atmos generates
the appropriate files for each environment.
How It Worksβ
When you run any atmos terraform command, Atmos:
- Reads your
backendandbackend_typeconfiguration from the stack - Deep-merges settings from all inherited stack manifests
- Generates a
backend.tf.jsonfile in the component directory - Terraform uses this file to configure state storage
This separation means your Terraform modules stay cleanβno hardcoded backend configuration in your source code.
Add backend.tf.json to your .gitignore since these files are generated automatically by Atmos and should not be committed to version control:
# Atmos generated files
backend.tf.json
Some automation systems may require the generated file to be committedβin those cases,
committing backend.tf.json is acceptable.
Use Casesβ
- State Management: Configure S3, Azure Blob, GCS, or other backends for remote state storage.
- Environment Isolation: Use different state storage per environment or account.
- State Locking: Configure native locking (
use_lockfile) or DynamoDB for legacy setups. - Remote State Access: Configure
remote_state_backendfor cross-component state references.
Configuration Scopesβ
Backend settings can be defined at multiple levels, with more specific scopes overriding broader ones:
| Scope | Example File | Effect |
|---|---|---|
| Organization | stacks/orgs/acme/_defaults.yaml | All components inherit |
| Account/Stage | stacks/orgs/acme/plat/prod/_defaults.yaml | Override for prod |
| Component-type | Under terraform: in any stack | All Terraform components |
| Component | Under components.terraform.<name>: | Single component |
Component-Type Levelβ
Backend settings defined under terraform apply to all Terraform components:
- Stack Configuration
- Generated File
terraform:
backend_type: s3
backend:
s3:
bucket: acme-ue1-root-tfstate
region: us-east-1
encrypt: true
use_lockfile: true
{
"terraform": {
"backend": {
"s3": {
"bucket": "acme-ue1-root-tfstate",
"region": "us-east-1",
"encrypt": true,
"use_lockfile": true,
"key": "ue1/prod/vpc/terraform.tfstate"
}
}
}
}
Component Levelβ
Backend settings within a component override the defaults:
- Stack Configuration
- Generated File
components:
terraform:
special-component:
backend_type: s3
backend:
s3:
bucket: acme-ue1-prod-special-tfstate
key: "special/terraform.tfstate"
{
"terraform": {
"backend": {
"s3": {
"bucket": "acme-ue1-prod-special-tfstate",
"key": "special/terraform.tfstate"
}
}
}
}
Backend Typesβ
Atmos supports all Terraform backend types. Configure using backend_type and the corresponding configuration under backend.
S3 Backendβ
The most common backend for AWS environments. We recommend using use_lockfile: true for native S3 state locking (Terraform 1.10+, OpenTofu 1.8+) instead of DynamoDB:
- Stack Configuration
- Generated File
terraform:
backend_type: s3
backend:
s3:
bucket: acme-ue1-root-tfstate
region: us-east-1
key: "{{ .environment }}/{{ .stage }}/{{ .component }}/terraform.tfstate"
encrypt: true
use_lockfile: true # Native S3 locking (Terraform 1.10+)
{
"terraform": {
"backend": {
"s3": {
"bucket": "acme-ue1-root-tfstate",
"region": "us-east-1",
"key": "ue1/prod/vpc/terraform.tfstate",
"encrypt": true,
"use_lockfile": true
}
}
}
}
S3 Backend with Assume Roleβ
For cross-account access, configure the backend to assume a role:
- Stack Configuration
- Generated File
terraform:
backend_type: s3
backend:
s3:
bucket: acme-ue1-root-tfstate
region: us-east-1
key: "{{ .environment }}/{{ .stage }}/{{ .component }}/terraform.tfstate"
encrypt: true
use_lockfile: true
assume_role:
role_arn: "arn:aws:iam::{{ .vars.state_account_id }}:role/TerraformStateAccess"
session_name: "atmos-{{ .component }}"
{
"terraform": {
"backend": {
"s3": {
"bucket": "acme-ue1-root-tfstate",
"region": "us-east-1",
"key": "ue1/prod/vpc/terraform.tfstate",
"encrypt": true,
"use_lockfile": true,
"assume_role": {
"role_arn": "arn:aws:iam::123456789012:role/TerraformStateAccess",
"session_name": "atmos-vpc"
}
}
}
}
}
S3 Backend with DynamoDB Locking (Legacy)β
For Terraform versions before 1.10, use DynamoDB for state locking:
terraform:
backend_type: s3
backend:
s3:
bucket: acme-ue1-root-tfstate
region: us-east-1
key: "{{ .environment }}/{{ .stage }}/{{ .component }}/terraform.tfstate"
dynamodb_table: acme-ue1-root-tfstate-lock
encrypt: true
Azure Blob Backendβ
For Azure environments:
- Stack Configuration
- Generated File
terraform:
backend_type: azurerm
backend:
azurerm:
resource_group_name: terraform-state-rg
storage_account_name: tfstateaccount
container_name: tfstate
key: "{{ .environment }}/{{ .stage }}/{{ .component }}/terraform.tfstate"
{
"terraform": {
"backend": {
"azurerm": {
"resource_group_name": "terraform-state-rg",
"storage_account_name": "tfstateaccount",
"container_name": "tfstate",
"key": "ue1/prod/vpc/terraform.tfstate"
}
}
}
}
GCS Backendβ
For Google Cloud environments:
- Stack Configuration
- Generated File
terraform:
backend_type: gcs
backend:
gcs:
bucket: acme-terraform-state
prefix: "{{ .environment }}/{{ .stage }}/{{ .component }}"
{
"terraform": {
"backend": {
"gcs": {
"bucket": "acme-terraform-state",
"prefix": "ue1/prod/vpc"
}
}
}
}
Terraform Cloud / Enterpriseβ
For Terraform Cloud or Enterprise:
- Stack Configuration
- Generated File
terraform:
backend_type: remote
backend:
remote:
hostname: app.terraform.io
organization: acme
workspaces:
name: "{{ .namespace }}-{{ .environment }}-{{ .stage }}-{{ .component }}"
Or using the newer cloud backend:
terraform:
backend_type: cloud
backend:
cloud:
organization: acme
workspaces:
name: "{{ .namespace }}-{{ .environment }}-{{ .stage }}-{{ .component }}"
{
"terraform": {
"backend": {
"remote": {
"hostname": "app.terraform.io",
"organization": "acme",
"workspaces": {
"name": "acme-ue1-prod-vpc"
}
}
}
}
}
Local Backendβ
For development or single-user scenarios:
- Stack Configuration
- Generated File
terraform:
backend_type: local
backend:
local:
path: "{{ .component }}/terraform.tfstate"
{
"terraform": {
"backend": {
"local": {
"path": "vpc/terraform.tfstate"
}
}
}
}
Remote State Backendβ
The remote_state_backend configuration is separate from backend and controls how other components can read this component's state:
terraform:
# Where this component stores its state
backend_type: s3
backend:
s3:
bucket: acme-ue1-root-tfstate
region: us-east-1
# How other components read this component's state
remote_state_backend_type: s3
remote_state_backend:
s3:
bucket: acme-ue1-root-tfstate
region: us-east-1
This separation allows for scenarios like:
- Using Terraform Cloud for operations but S3 for remote state access
- Different credentials for writing vs. reading state
- Custom remote state configurations
Backend Provisioningβ
Atmos can automatically provision S3 backend infrastructure before running Terraform commands, solving the bootstrap problem of "how do I create state storage before I can use Terraform?"
Enable Automatic Provisioningβ
terraform:
backend_type: s3
backend:
s3:
bucket: acme-ue1-dev-tfstate
region: us-east-1
use_lockfile: true
provision:
backend:
enabled: true # Automatically create backend if it doesn't exist
When provision.backend.enabled is true, Atmos will:
- Check if the backend exists before running Terraform
- Create it with secure defaults (versioning, encryption, public access blocked)
- Proceed with normal Terraform operations
See Backend Provisioning for complete documentation.
Examplesβ
Environment-Specific State Bucketsβ
stacks/orgs/acme/plat/dev/_defaults.yaml
stacks/orgs/acme/plat/prod/_defaults.yaml
Dynamic State Keys with Templatesβ
stacks/orgs/acme/_defaults.yaml
Component-Specific Backend Overrideβ
stacks/orgs/acme/plat/prod/us-east-1.yaml
Multi-Cloud Configurationβ
stacks/orgs/acme/aws/_defaults.yaml
stacks/orgs/acme/azure/_defaults.yaml
Workspace Configurationβ
For backends that support workspaces, you can configure workspace patterns:
terraform:
backend_type: remote
backend:
remote:
organization: acme
workspaces:
prefix: "acme-"
components:
terraform:
vpc:
terraform_workspace: "{{ .environment }}-{{ .stage }}-vpc"
See Terraform Workspaces for detailed workspace configuration.
Best Practicesβ
-
Use Remote State: Always use a remote backend for team environments to enable collaboration and state locking.
-
Enable Encryption: Always enable encryption for backends that support it (S3, Azure Blob, GCS).
-
Configure State Locking: Use
use_lockfile: truefor S3 (Terraform 1.10+), blob leases for Azure, or built-in locking for other backends. -
Organize State Keys: Use a consistent key structure that includes environment, stage, and component information.
-
Separate Sensitive State: Consider using separate state buckets or additional encryption for components managing secrets.
-
Use Templates: Leverage Go templates for dynamic backend configuration based on context variables.
Relatedβ
- Terraform Backend Configuration - Component-level backend defaults
- Terraform Backends - Conceptual overview and inheritance
- Backend Provisioning - Automatic backend creation
- Remote State - Reading state from other components
- Terraform Workspaces
