• Stars
    star
    146
  • Rank 252,769 (Top 5 %)
  • Language HCL
  • License
    MIT License
  • Created over 5 years ago
  • Updated over 1 year ago

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

A terraform module to set up remote state management with S3 backend for your account.

terraform-aws-remote-state-s3-backend

Github Actions Releases

Terraform Module Registry

A terraform module to set up remote state management with S3 backend for your account. It creates an encrypted S3 bucket to store state files and a DynamoDB table for state locking and consistency checking. Resources are defined following best practices as described in the official document and ozbillwang/terraform-best-practices.

Features

  • Create a S3 bucket to store remote state files.
  • Encrypt state files with KMS.
  • Enable bucket replication and object versioning to prevent accidental data loss.
  • Automatically transit non-current versions in S3 buckets to AWS S3 Glacier to optimize the storage cost.
  • Optionally you can set to expire aged non-current versions(disabled by default).
  • Optionally you can set fixed S3 bucket name to be user friendly(false by default).
  • Create a DynamoDB table for state locking, encryption is optional.
  • Optionally create an IAM policy to allow permissions which Terraform needs.

Usage

The module outputs terraform_iam_policy which can be attached to IAM users, groups or roles running Terraform. This will allow the entity accessing remote state files and the locking table. This can optionally be disabled with terraform_iam_policy_create = false

provider "aws" {
  region = "us-east-1"
}

provider "aws" {
  alias  = "replica"
  region = "us-west-1"
}

module "remote_state" {
  source = "nozaq/remote-state-s3-backend/aws"

  providers = {
    aws         = aws
    aws.replica = aws.replica
  }
}

resource "aws_iam_user" "terraform" {
  name = "TerraformUser"
}

resource "aws_iam_user_policy_attachment" "remote_state_access" {
  user       = aws_iam_user.terraform.name
  policy_arn = module.remote_state.terraform_iam_policy.arn
}

Note that you need to provide two providers, one for the main state bucket and the other for the bucket to which the main state bucket is replicated to. Two providers must point to different AWS regions.

Once resources are created, you can configure your terraform files to use the S3 backend as follows.

terraform {
  backend "s3" {
    bucket         = "THE_NAME_OF_THE_STATE_BUCKET"
    key            = "some_environment/terraform.tfstate"
    region         = "us-east-1"
    encrypt        = true
    kms_key_id     = "THE_ID_OF_THE_KMS_KEY"
    dynamodb_table = "THE_ID_OF_THE_DYNAMODB_TABLE"
  }
}

THE_NAME_OF_THE_STATE_BUCKET, THE_ID_OF_THE_DYNAMODB_TABLE and THE_ID_OF_THE_KMS_KEY can be replaced by state_bucket.bucket, dynamodb_table.id and kms_key.id in outputs from this module respectively.

See the official document for more detail.

Compatibility

Requirements

Name Version
terraform >= 1.1.4
aws >= 4.3

Providers

Name Version
aws >= 4.3
aws.replica >= 4.3

Inputs

Name Description Type Required
dynamodb_enable_server_side_encryption Whether or not to enable encryption at rest using an AWS managed KMS customer master key (CMK) bool no
dynamodb_table_billing_mode Controls how you are charged for read and write throughput and how you manage capacity. string no
dynamodb_table_name The name of the DynamoDB table to use for state locking. string no
enable_replication Set this to true to enable S3 bucket replication in another region bool no
iam_policy_attachment_name The name of the attachment. string no
iam_policy_name If override_iam_policy_name is true, use this policy name instead of dynamic name with policy_prefix string no
iam_policy_name_prefix Creates a unique name beginning with the specified prefix. string no
iam_role_arn Use IAM role of specified ARN for s3 replication instead of creating it. string no
iam_role_name If override_iam_role_name is true, use this role name instead of dynamic name with role_prefix string no
iam_role_name_prefix Creates a unique name beginning with the specified prefix. string no
iam_role_permissions_boundary Use permissions_boundary with the replication IAM role. string no
kms_key_alias The alias for the KMS key as viewed in AWS console. It will be automatically prefixed with alias/ string no
kms_key_deletion_window_in_days Duration in days after which the key is deleted after destruction of the resource, must be between 7 and 30 days. number no
kms_key_description The description of the key as viewed in AWS console. string no
kms_key_enable_key_rotation Specifies whether key rotation is enabled. bool no
noncurrent_version_expiration Specifies when noncurrent object versions expire. See the aws_s3_bucket document for detail.
object({
days = number
})
no
noncurrent_version_transitions Specifies when noncurrent object versions transitions. See the aws_s3_bucket document for detail.
list(object({
days = number
storage_class = string
}))
no
override_iam_policy_name override iam policy name to disable policy_prefix and create policy with static name bool no
override_iam_role_name override iam role name to disable role_prefix and create role with static name bool no
override_s3_bucket_name override s3 bucket name to disable bucket_prefix and create bucket with static name bool no
override_terraform_iam_policy_name override terraform iam policy name to disable policy_prefix and create policy with static name bool no
replica_bucket_prefix Creates a unique replica bucket name beginning with the specified prefix. string no
s3_bucket_force_destroy A boolean that indicates all objects should be deleted from S3 buckets so that the buckets can be destroyed without error. These objects are not recoverable. bool no
s3_bucket_name If override_s3_bucket_name is true, use this bucket name instead of dynamic name with bucket_prefix string no
s3_bucket_name_replica If override_s3_bucket_name is true, use this bucket name for replica instead of dynamic name with bucket_prefix string no
s3_logging_target_bucket The name of the bucket for log storage. The "S3 log delivery group" should have Objects-write und ACL-read permissions on the bucket. string no
s3_logging_target_prefix The prefix to apply on bucket logs, e.g "logs/". string no
state_bucket_prefix Creates a unique state bucket name beginning with the specified prefix. string no
tags A mapping of tags to assign to resources. map(string) no
terraform_iam_policy_create Specifies whether to terraform IAM policy is created. bool no
terraform_iam_policy_name If override_terraform_iam_policy_name is true, use this policy name instead of dynamic name with policy_prefix string no
terraform_iam_policy_name_prefix Creates a unique name beginning with the specified prefix. string no

Outputs

Name Description
dynamodb_table The DynamoDB table to manage lock states.
kms_key The KMS customer master key to encrypt state buckets.
kms_key_alias The alias of the KMS customer master key used to encrypt state bucket and dynamodb.
kms_key_replica The KMS customer master key to encrypt replica bucket and dynamodb.
replica_bucket The S3 bucket to replicate the state S3 bucket.
state_bucket The S3 bucket to store the remote state file.
terraform_iam_policy The IAM Policy to access remote state environment.

More Repositories

1

terraform-aws-secure-baseline

Terraform module to set up your AWS account with the secure baseline configuration based on CIS Amazon Web Services Foundations and AWS Foundational Security Best Practices.
HCL
1,088
star
2

awesome-yubikey

Curated list of awesome Yubikey resources, open source projects, tools and tutorials.
63
star
3

amazon-linux-cis

Bootstrap script for Amazon Linux to comply CIS Amazon Linux Benchmark v2.0.0
Python
58
star
4

shogi-rs

A Bitboard-based shogi library in Rust. Board representation, move generation/validation and time control utilities.
Rust
43
star
5

terraform-aws-lambda-auto-package

A terraform module to define a lambda function which source files are automatically built and packaged for lambda deployment.
HCL
27
star
6

terraform-aws-secure-vpc

A terraform module to create a VPC with secure default configurations.
HCL
16
star
7

csa-rs

A Shogi game serialization/deserialization library in CSA format.
Rust
8
star
8

pre-commit-deno

pre-commit git hooks for Deno projects.
5
star
9

security-organizations-jp

日本国内のセキュリティ関連機関・団体をまとめていきます。
4
star
10

usi-rs

A library to handle type-safe communication with USI-compatible shogi engines.
Rust
4
star
11

terraform-deployment-with-environments-example

An example Terraform project demonstrating continuous deployment pipeline using GitHub Actions' environment function.
HCL
3
star
12

usi-run

A command line utility for running games between USI compliant Shogi engines.
Rust
2
star
13

terraform-google-parked-domain-baseline

A terraform module to set up DNS records to harden the parked(unused) domain using GCP Cloud DNS.
HCL
2
star
14

terraform-cloudflare-parked-domain-baseline

A terraform module to set up DNS records to harden the parked(unused) domain using Cloudflare DNS.
HCL
1
star
15

terraform-aws-parked-domain-baseline

A terraform module to set up DNS records to harden the parked(unused) domain using AWS Route53.
HCL
1
star