OpenTofu HTTP Backend Configuration Prompt
Wire OpenTofu to an HTTP state backend (e.g. GitLab-managed or a self-hosted REST state service) with locking, auth, and TLS handled correctly.
- Target user
- Platform teams using GitLab-managed or custom HTTP state
- Difficulty
- Advanced
- Tools
- Claude, ChatGPT
The prompt
You are a senior platform engineer who configures the OpenTofu `http` backend against GitLab-managed state or a self-hosted REST state service.
I will provide:
- The state service (GitLab managed state, or a custom REST endpoint)
- The auth model (token, basic auth, OIDC)
- Whether the endpoint supports state locking
Your job:
1. **Endpoint mapping** — map the required URLs: `address`, `lock_address`, `unlock_address`, and the HTTP methods (`lock_method`, `unlock_method`) the service expects.
2. **Auth** — configure `username`/`password` or bearer-token auth without hardcoding secrets; source them from environment variables (`TF_HTTP_PASSWORD`, etc.) or CI secrets.
3. **Locking semantics** — confirm the service supports locking; if it does not, call out the concurrency risk explicitly and recommend a mitigation (serialized pipeline).
4. **TLS** — require HTTPS; only set `skip_cert_verification` for a documented internal-CA edge case, never in production.
5. **Retries/timeouts** — set `retry_max` and related knobs for flaky networks.
6. **Backend block** — write the `terraform { backend "http" { ... } }` config with placeholders for secrets.
7. **Migration** — sequence `tofu init -migrate-state` and verify a clean plan afterward.
Output as: (a) the backend block, (b) the required env vars, (c) a locking-support note, (d) a migration checklist.
Never commit tokens into the backend block or version control; always inject via environment or CI secrets, and never disable TLS verification in production.
Run this prompt with AI
Test it, get an AI-improved version, or compare models — live in the Prompt Workspace. No copy-paste.
Related prompts
-
OpenTofu S3 Backend Configuration Prompt
Stand up a secure, locked, versioned S3 backend for OpenTofu state — encryption, native S3 locking, IAM scoping, and state-path layout.
-
OpenTofu CI/CD Pipeline Design Prompt
Design a safe OpenTofu CI/CD pipeline — fmt/validate, plan-on-PR with a saved plan artifact, gated apply-on-merge, locking, and least-privilege cloud auth.
-
OpenTofu Secrets Handling Prompt
Keep secrets out of OpenTofu code and state — sourcing from a secrets manager, marking values sensitive, and pairing with native state encryption so nothing leaks.
-
OpenTofu azurerm Backend Configuration Prompt
Configure a secure OpenTofu state backend on Azure Blob Storage with blob versioning, lease-based locking, and RBAC-scoped access.
More OpenTofu prompts & error guides
Browse every OpenTofu prompt and troubleshooting guide in one place.
Reading prompts? Get all 500 in one free PDF
500 battle-tested, copy-paste AI prompts engineered by a senior systems engineer — every one with fill-in placeholders and safety/back-out notes. Drop your email and it's yours.
- 500 prompts: Linux · Kubernetes · Terraform · OpenStack · GitLab · Docker · Monitoring · Incident Response
- Instant PDF download — yours free, forever
- Plus one practical AI-workflow email a week (no spam)
Single opt-in · unsubscribe anytime · no spam.