terraform-aws-remote-state-s3-backend

A Terraform module to set up remote state management with an S3 backend for your account. It creates an encrypted S3 bucket to store state files and a DynamoDB table for state locking and consistency checking. Resources are defined following the best practices described in the official documentation and in ozbillwang/terraform-best-practices.

Features

  • Create an S3 bucket to store remote state files.
  • Encrypt state files with KMS.
  • Enable bucket replication and object versioning to prevent accidental data loss.
  • Automatically transition non-current versions in the S3 buckets to S3 Glacier to optimize storage cost.
  • Optionally expire aged non-current versions (disabled by default).
  • Create a DynamoDB table for state locking.
  • Optionally create an IAM policy granting the permissions Terraform needs.

Usage

The module outputs `terraform_iam_policy`, which can be attached to the IAM users, groups or roles that run Terraform. This allows the entity to access the remote state files and the locking table. Creation of the policy can optionally be disabled with `terraform_iam_policy_create = false`.

```hcl
provider "aws" {
  region = "us-east-1"
}

provider "aws" {
  alias  = "replica"
  region = "us-west-1"
}

module "remote_state" {
  source = "nozaq/remote-state-s3-backend/aws"

  providers = {
    aws         = aws
    aws.replica = aws.replica
  }
}

resource "aws_iam_user" "terraform" {
  name = "TerraformUser"
}

resource "aws_iam_user_policy_attachment" "remote_state_access" {
  user       = aws_iam_user.terraform.name
  policy_arn = module.remote_state.terraform_iam_policy.arn
}
```

Note that you need to provide two providers: one for the main state bucket and the other for the bucket to which the main state bucket is replicated. The two providers must point to different AWS regions.

Once the resources are created, you can configure your Terraform files to use the S3 backend as follows.

```hcl
terraform {
  backend "s3" {
    bucket     = "THE_NAME_OF_THE_STATE_BUCKET"
    key        = "some_environment/terraform.tfstate"
    region     = "us-east-1"
    encrypt    = true
    kms_key_id = "THE_ID_OF_THE_KMS_KEY"
  }
}
```

`THE_NAME_OF_THE_STATE_BUCKET` and `THE_ID_OF_THE_KMS_KEY` can be replaced with the module outputs `state_bucket.bucket` and `kms_key.id` respectively.

See the official document for more detail.
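The following bootstrap configuration is an added example, not code from the module's README, tying the module usage above to the backend block: it applies the module with local state and then renders a partial backend configuration from the module outputs, including the `dynamodb_table` setting that the S3 backend needs before it will use the lock table at all. It assumes the `hashicorp/local` provider is available and that the `state_bucket` and `dynamodb_table` outputs expose the underlying resources' `region` and `name` attributes.

```hcl
# Added example (not the module's own code): bootstrap the remote state
# resources with local state, then render a backend-config file from the
# module outputs so no value has to be hand-copied into the backend block.
provider "aws" {
  region = "us-east-1"
}

provider "aws" {
  alias  = "replica"
  region = "us-west-1"
}

module "remote_state" {
  source = "nozaq/remote-state-s3-backend/aws"

  providers = {
    aws         = aws
    aws.replica = aws.replica
  }

  # Inputs from the README; 90 days is an assumed retention value.
  noncurrent_version_expiration = {
    days = 90
  }
  tags = {
    Terraform   = "true"
    Environment = "bootstrap" # assumed tag value
  }
}

# A backend block cannot reference module outputs, so write them to a
# partial backend configuration (requires the hashicorp/local provider).
# .region and .name are assumed attributes of the output resources.
resource "local_file" "backend_config" {
  filename        = "${path.module}/backend.hcl"
  file_permission = "0600"
  content         = <<-EOT
    bucket         = "${module.remote_state.state_bucket.bucket}"
    region         = "${module.remote_state.state_bucket.region}"
    encrypt        = true
    kms_key_id     = "${module.remote_state.kms_key.id}"
    dynamodb_table = "${module.remote_state.dynamodb_table.name}"
  EOT
}
```

In the configuration that consumes this state, keep only `key` in the `backend "s3"` block and run `terraform init -backend-config=backend.hcl`; the bucket, KMS key and lock table are then taken from the rendered file.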

Requirements

| Name | Version |
|------|---------|
| terraform | >= 0.12 |

Providers

| Name | Version |
|------|---------|
| aws | n/a |
| aws.replica | n/a |

Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|----------|
| dynamodb_table_billing_mode | Controls how you are charged for read and write throughput and how you manage capacity. | string | "PAY_PER_REQUEST" | no |
| dynamodb_table_name | The name of the DynamoDB table to use for state locking. | string | "tf-remote-state-lock" | no |
| iam_policy_attachment_name | The name of the attachment. | string | "tf-iam-role-attachment-replication-configuration" | no |
| iam_policy_name_prefix | Creates a unique name beginning with the specified prefix. | string | "tf-remote-state-replication-policy" | no |
| iam_role_arn | Use the IAM role with the specified ARN for S3 replication instead of creating one. | any | null | no |
| iam_role_name_prefix | Creates a unique name beginning with the specified prefix. | string | "tf-remote-state-replication-role" | no |
| kms_key_deletion_window_in_days | Duration in days after which the key is deleted after destruction of the resource; must be between 7 and 30 days. | number | 30 | no |
| kms_key_description | The description of the key as viewed in the AWS console. | string | "The key used to encrypt the remote state bucket." | no |
| kms_key_enable_key_rotation | Specifies whether key rotation is enabled. | bool | true | no |
| noncurrent_version_expiration | Specifies when noncurrent object versions expire. See the aws_s3_bucket documentation for details. | object({ days = number }) | null | no |
| noncurrent_version_transitions | Specifies when noncurrent object versions transition. See the aws_s3_bucket documentation for details. | list(object({ days = number, storage_class = string })) | [{ "days": 7, "storage_class": "GLACIER" }] | no |
| replica_bucket_prefix | Creates a unique replica bucket name beginning with the specified prefix. | string | "tf-remote-state-replica" | no |
| s3_bucket_force_destroy | A boolean that indicates all objects should be deleted from the S3 buckets so that the buckets can be destroyed without error. These objects are not recoverable. | bool | false | no |
| state_bucket_prefix | Creates a unique state bucket name beginning with the specified prefix. | string | "tf-remote-state" | no |
| tags | A mapping of tags to assign to resources. | map | { "Terraform": "true" } | no |
| terraform_iam_policy_create | Specifies whether the Terraform IAM policy is created. | bool | true | no |
| terraform_iam_policy_name_prefix | Creates a unique name beginning with the specified prefix. | string | "terraform" | no |

Outputs

| Name | Description |
|------|-------------|
| dynamodb_table | The DynamoDB table used to manage state locks. |
| kms_key | The KMS customer master key used to encrypt the state buckets. |
| replica_bucket | The S3 bucket to which the state S3 bucket is replicated. |
| state_bucket | The S3 bucket that stores the remote state file. |
| terraform_iam_policy | The IAM policy granting access to the remote state environment. |
