OpenTofu GCS Backend Configuration Prompt
Configure a secure, versioned Google Cloud Storage backend for OpenTofu state with object versioning, CMEK encryption, and least-privilege service accounts.
- Target user
- Platform engineers running OpenTofu state on GCP
- Difficulty
- Intermediate
- Tools
- Claude, ChatGPT
The prompt
You are a senior platform engineer who sets up OpenTofu state backends on GCP — secure, versioned, with least-privilege service accounts.
I will provide:
- The GCP project/folder structure and team layout
- Current state setup (local or existing remote)
- Encryption requirements (Google-managed vs CMEK)
Your job:
1. **Bootstrap the bucket** — specify a GCS bucket with object versioning enabled, uniform bucket-level access, public access prevention, and a retention/lifecycle policy for old state versions.
2. **Locking** — explain that the `gcs` backend locks via object metadata; note there is no separate lock table to manage.
3. **Encryption** — recommend Google-managed keys by default or CMEK (`encryption_key` / Cloud KMS) when compliance requires customer-controlled keys, and note the key-access implications.
4. **State-path layout** — use the `prefix` to give one state per logical boundary; keep states small.
5. **Access model** — scope a service account to `roles/storage.objectAdmin` on just the state bucket, not project-wide, and describe how CI authenticates (Workload Identity Federation preferred over long-lived keys).
6. **Backend block** — write the `terraform { backend "gcs" { bucket, prefix, encryption_key } }` config.
7. **Migration** — sequence `tofu init -migrate-state`, with a backup of existing state first.
Output as: (a) bootstrap resources, (b) the backend block, (c) an IAM/service-account note, (d) a migration checklist.
Mark DESTRUCTIVE: deleting the state bucket, disabling versioning, or granting project-wide storage roles.
Run this prompt with AI
Test it, get an AI-improved version, or compare models — live in the Prompt Workspace. No copy-paste.
Related prompts
-
OpenTofu State Encryption Prompt
Enable OpenTofu's native client-side state and plan encryption — key providers (KMS/PBKDF2), key rollover, fallback for reading old state, and CI wiring — so sensitive values never sit in plaintext in your backend.
-
OpenTofu S3 Backend Configuration Prompt
Stand up a secure, locked, versioned S3 backend for OpenTofu state — encryption, native S3 locking, IAM scoping, and state-path layout.
-
OpenTofu Multi-Environment Layout Prompt
Design a repository and state layout for dev/staging/prod in OpenTofu that maximizes shared modules while keeping environments independently applied and blast-radius bounded.
-
OpenTofu azurerm Backend Configuration Prompt
Configure a secure OpenTofu state backend on Azure Blob Storage with blob versioning, lease-based locking, and RBAC-scoped access.
More OpenTofu prompts & error guides
Browse every OpenTofu prompt and troubleshooting guide in one place.
Reading prompts? Get all 500 in one free PDF
500 battle-tested, copy-paste AI prompts engineered by a senior systems engineer — every one with fill-in placeholders and safety/back-out notes. Drop your email and it's yours.
- 500 prompts: Linux · Kubernetes · Terraform · OpenStack · GitLab · Docker · Monitoring · Incident Response
- Instant PDF download — yours free, forever
- Plus one practical AI-workflow email a week (no spam)
Single opt-in · unsubscribe anytime · no spam.