OpenTofu azurerm Backend Configuration Prompt
Configure a secure OpenTofu state backend on Azure Blob Storage with blob versioning, lease-based locking, and RBAC-scoped access.
- Target user
- Platform engineers running OpenTofu state on Azure
- Difficulty
- Intermediate
- Tools
- Claude, ChatGPT
The prompt
You are a senior platform engineer who sets up OpenTofu state backends on Azure — secure, versioned, with RBAC-scoped access.
I will provide:
- The Azure subscription/management-group structure and team layout
- Current state setup (local or existing remote)
- Auth model (managed identity, service principal, OIDC from CI)
Your job:
1. **Bootstrap resources** — specify a storage account with blob versioning and soft delete enabled, a dedicated container for state, and infrastructure encryption. Recommend a one-time bootstrap.
2. **Locking** — explain that the `azurerm` backend locks via blob lease; there is no separate lock table.
3. **Auth** — recommend OIDC/managed identity over stored account keys; if using a service principal, scope it tightly. Show `use_azuread_auth = true` where appropriate.
4. **Access model** — grant `Storage Blob Data Contributor` on just the state container, not the whole subscription.
5. **State-path layout** — one state key per logical boundary; keep states small.
6. **Backend block** — write the `terraform { backend "azurerm" { resource_group_name, storage_account_name, container_name, key } }` config.
7. **Migration** — sequence `tofu init -migrate-state`, with a backup first.
Output as: (a) bootstrap resources, (b) the backend block, (c) an RBAC note, (d) a migration checklist.
Mark DESTRUCTIVE: deleting the storage account/container, disabling soft delete, or granting subscription-wide roles.
Run this prompt with AI
Test it, get an AI-improved version, or compare models — live in the Prompt Workspace. No copy-paste.
Related prompts
-
OpenTofu State Encryption Prompt
Enable OpenTofu's native client-side state and plan encryption — key providers (KMS/PBKDF2), key rollover, fallback for reading old state, and CI wiring — so sensitive values never sit in plaintext in your backend.
-
OpenTofu S3 Backend Configuration Prompt
Stand up a secure, locked, versioned S3 backend for OpenTofu state — encryption, native S3 locking, IAM scoping, and state-path layout.
-
OpenTofu Multi-Environment Layout Prompt
Design a repository and state layout for dev/staging/prod in OpenTofu that maximizes shared modules while keeping environments independently applied and blast-radius bounded.
-
OpenTofu GCS Backend Configuration Prompt
Configure a secure, versioned Google Cloud Storage backend for OpenTofu state with object versioning, CMEK encryption, and least-privilege service accounts.
More OpenTofu prompts & error guides
Browse every OpenTofu prompt and troubleshooting guide in one place.
Reading prompts? Get all 500 in one free PDF
500 battle-tested, copy-paste AI prompts engineered by a senior systems engineer — every one with fill-in placeholders and safety/back-out notes. Drop your email and it's yours.
- 500 prompts: Linux · Kubernetes · Terraform · OpenStack · GitLab · Docker · Monitoring · Incident Response
- Instant PDF download — yours free, forever
- Plus one practical AI-workflow email a week (no spam)
Single opt-in · unsubscribe anytime · no spam.