Terraform Backend Repository

JFrog Artifactory Documentation


Did you know?

Each Terraform configuration can specify a backend, which defines where and how operations are performed including where the snapshots are stored and more. Terraform uses persistent State data to keep track of the resources it manages and includes information on how real-world infrastructure objects correspond to the resources in a configuration. All users working on the collection of infrastructure resources need access to the same state data. For more information, see Terraform States.

State Locking

Terraform automatically locks all your operations that have the capability to change the State to prevent others from acquiring the lock and potentially damaging your state. To learn how Artifactory supports State Locking, see Viewing State and Lock Information and History

JFrog Terraform Backend Repository Meets the Hashicorp Standards

In the first half of 2022, Hashicorp announced the deprecation of a number of legacy providers, including the legacy artifactory provider, which served as a basic backend that only stored States in a generic JFrog repository, created and maintained by Hashicorp.

To avoid confusion, please note that the official JFrog Artifactory Terraform Backend repository, described in this article, is unaffected by the Hashicorp artifactory backend provider deprecation action.

As part of JFrog's alignment with the common Hashicorp main practices, the JFrog Terraform Backend repository supports the official Hashicorp enterprise-grade Terraform backend provider, and supports features such as locking, encoding of the data, smart comparisons, and additional common practices.

Federated Repositories Not Supported for Artifactory Backend Repositories

It is not possible to connect a Terraform Backend repository to a Federated repository. This limitation prevents inconsistencies in the system state, which could lead to unexpected behavior or errors.

From JFrog Artifactory 7.38.4, the Terraform Backend repository serves as a dedicated Remote State Storage Provider. It works together with and in parallel to the Terraform registry, which also serves as the dedicated Terraform registry for hosting your modules and providers in the JFrog Platform. For more information, see Terraform Backends.

Each Terraform Module can have an associated Backend that defines how operations are executed and a state file that tracks the resources created by your configuration and maps them to real-world resources. Certain backends support multiple named workspaces, allowing multiple states to be associated with a single configuration. The configuration still has only one backend, but multiple distinct instances of that configuration can be deployed without configuring a new backend or changing authentication credentials.

Terraform Backend Repository Structure

The Terraform Backend repository is a directory with a collection of workspaces consisting of these main coordinates;

  • backend: Set as Remote by definition

  • hostname: Your Artifactory domain name

  • organization: Backend Artifactory Repository name

  • prefix: Allows users to add a user-defined prefix when working with multiple workspace under the same prefix.

terraform {
  backend "remote" {
    hostname = "my_artifactory_domain.org"
    organization = "backend repository name"
    workspaces {
          prefix = "my-prefix-"   
Setting up a Local Terraform Backend Repository

Local repositories enable you to deploy Terraform Backend Zip files. Artifactory calculates the metadata for all file and indexes them to allow users to download these packages through the Terraform CLI.

  1. To create a Terraform Backend local repository, navigate to the Administration module.

  2. Navigate to Repositories|Repositories|Local|New Local Repository and select Terraform BE as the Package Type.

    terraform_backend_local repo.png
Setting Up Artifactory as the Remote State and Locking Provider
Generating an Access Token

To use Artifactory with your Terraform CLI, you will need to generate an access token using the following two methods:

Generating an Access Token Using Browser Login
  1. Natively run the Terraform login to your Artifactory domain to generate an access token and save it in the Credentials file ( ~/.terraform.d/credentials.tfrc.json.). When you run the login, the following page opens.


    The Terraform command line login process is displayed.

  2. You are routed to the JFrog Platform login page and the following page opens.

  3. Click Approve. The following message is displayed.

  4. Close the page and return to the command line to view the success message.

  5. Next, perform a one-time edit to the  ~/.terraformrc file to ensure that the CLI searches for the providers only in the Artifactory. For this purpose, we recommend only pointing to the Terraform Virtual repository.

Manually Generating an Identity Token
  1. Generate an identity token that you can use to connect Artifactory to the Terraform CLI. For more details, please refer to User Profile - Identity Token.Introduction to the User Profile

  2. Create a file named 'credentials.tfrc.json~/.terraformrc' in your Terraform directory, ('~/.terraform.d/credentials.tfrc.json ').

  3. Update the identity token you generated in the credentials.tfrc.json file, as in the example below:

    #cat ~/.terraform.d/credentials.tfrc.json
        "credentials": {
            "ARTIFACTORY-DOMAIN": {
                "token": "IDENTITY-TOKEN"


If you have added the access token in credentials.tfrc.json, you do not need to login again using Terraform login servername.jfrog.io.

Viewing Individual Terraform Workspace Information

Artifactory lets you view selected metadata of a Terraform Backend workspace directly from the UI.

In the Artifact Repository Browser, select your local Terraform Backend repository and scroll down to find and select the package you want to inspect.

The metadata is displayed in the Terraform Info tab, or viewed in the Packages view.

Viewing State and Lock Information and History

Artifactory automatically generates a state.json file when a workspace.json is deployed. The latest file is declared as the state.latest.json and all previous states are renamed with a timestamp indicating the time they were created, for example, state.1640018380463.json.