​

Terraform HTTP Backend Proxy (prefix /v1/backend/)

• GET — download tfstate
• POST — upload/update tfstate
• PUT — upload/update tfstate (alias)
• LOCK — acquire lock
• UNLOCK — release lock

• Lock ID is provided by client (Terraform) and sent in headers and ?ID= query.
• Backend must verify lock ownership before writes and unlocks.

• Natural IDs: myapp/prod.
• Single-segment encoding: myapp__prod.

• Custom verbs must be explicitly registered (Echo: e.Add("LOCK"...), e.Add("UNLOCK"...)).

• If you prefer to use Terraform’s native S3 backend against OpenTaco, use the S3‑compatible shim at /s3. It accepts SigV4‑signed requests and maps to the same tfstate/lock semantics (including .tflock). See Backend Service → S3‑compatible shim for configuration.

• On every POST/PUT to /v1/backend/{id}, OpenTaco updates dependency edges in the system graph workspace (__opentaco_system):
  • As source: recomputes in_digest for edges that read an output from {id}.
  • As target: acknowledges by copying out_digest ← in_digest for edges that point to {id}.
• Updates are batched under a lock; failures don’t block the user’s write.