Terraform module to provision an S3 bucket to store terraform.tfstate file and a DynamoDB table to lock the state file to prevent concurrent modifications and state corruption.
We have a tfstate S3 Bucket per account
-
Versions:
<= 0.x.y
(Terraform 0.11.x compatible) -
Versions:
>= 1.x.y
(Terraform 0.12.x compatible)
Name | Version |
---|---|
terraform | >= 0.13.2 |
aws | ~> 3.0 |
Name | Version |
---|---|
aws.main_region | ~> 3.0 |
aws.secondary_region | ~> 3.0 |
time | n/a |
No modules.
Name | Type |
---|---|
aws_dynamodb_table.with_server_side_encryption | resource |
aws_dynamodb_table.without_server_side_encryption | resource |
aws_iam_policy.bucket_replication | resource |
aws_iam_policy_attachment.bucket_replication | resource |
aws_iam_role.bucket_replication | resource |
aws_s3_bucket.default | resource |
aws_s3_bucket.replication_bucket | resource |
aws_s3_bucket_policy.bucket_replication | resource |
aws_s3_bucket_policy.default | resource |
aws_s3_bucket_policy.default-ssl-vpc | resource |
aws_s3_bucket_public_access_block.default | resource |
time_sleep.wait_30_secs | resource |
aws_iam_policy_document.default-ssl | data source |
aws_iam_policy_document.default-ssl-vpc | data source |
Name | Description | Type | Default | Required |
---|---|---|---|---|
acl | The canned ACL to apply to the S3 bucket | string |
"private" |
no |
additional_tag_map | Additional tags for appending to each tag map | map(string) |
{} |
no |
attributes | Additional attributes (e.g. state ) |
list(string) |
[ |
no |
block_public_acls | Whether Amazon S3 should block public ACLs for this bucket. | bool |
false |
no |
block_public_policy | Whether Amazon S3 should block public bucket policies for this bucket. | bool |
false |
no |
bucket_replication_enabled | Enable/Disable replica for S3 bucket (for cross region replication purpose) | bool |
false |
no |
context | Default context to use for passing state between label invocations | map(string) |
{} |
no |
delimiter | Delimiter to be used between namespace , environment , stage , name and attributes |
string |
"-" |
no |
enable_server_side_encryption | Enable DynamoDB server-side encryption | bool |
true |
no |
enforce_ssl_requests | Enable/Disable replica for S3 bucket (for cross region replication purpose) | bool |
false |
no |
enforce_vpc_requests | Enable/Disable VPC endpoint for S3 bucket | bool |
false |
no |
environment | Environment, e.g. 'prod', 'staging', 'dev', 'pre-prod', 'UAT' | string |
"" |
no |
force_destroy | A boolean that indicates the S3 bucket can be destroyed even if it contains objects. These objects are not recoverable | bool |
false |
no |
ignore_public_acls | Whether Amazon S3 should ignore public ACLs for this bucket. | bool |
false |
no |
label_order | The naming order of the id output and Name tag | list(string) |
[] |
no |
logging | Bucket access logging configuration. | object({ |
null |
no |
mfa_delete | A boolean that indicates that versions of S3 objects can only be deleted with MFA. ( Terraform cannot apply changes of this value; hashicorp/terraform-provider-aws#629 ) | bool |
false |
no |
name | Solution name, e.g. 'app' or 'jenkins' | string |
"terraform" |
no |
namespace | Namespace, which could be your organization name or abbreviation, e.g. 'eg' or 'cp' | string |
"" |
no |
read_capacity | DynamoDB read capacity units | number |
5 |
no |
regex_replace_chars | Regex to replace chars with empty string in namespace , environment , stage and name . By default only hyphens, letters and digits are allowed, all other chars are removed |
string |
"/[^a-zA-Z0-9-]/" |
no |
restrict_public_buckets | Whether Amazon S3 should restrict public bucket policies for this bucket. | bool |
false |
no |
stage | Stage, e.g. 'prod', 'staging', 'dev', OR 'source', 'build', 'test', 'deploy', 'release' | string |
"" |
no |
tags | Additional tags (e.g. map('BusinessUnit','XYZ') |
map(string) |
{} |
no |
vpc_ids_list | VPC id to access the S3 bucket vía vpc endpoint. The VPCe must be in the same AWS Region as the bucket. | list(string) |
[] |
no |
write_capacity | DynamoDB write capacity units | number |
5 |
no |
Name | Description |
---|---|
dynamodb_table_arn | DynamoDB table ARN |
dynamodb_table_id | DynamoDB table ID |
dynamodb_table_name | DynamoDB table name |
s3_bucket_arn | S3 bucket ARN |
s3_bucket_domain_name | S3 bucket domain name |
s3_bucket_id | S3 bucket ID |
#
# Terraform aws tfstate backend
#
provider "aws" {
region = "us-east-1
alias = "main_region"
}
provider "aws" {
region = "us-west-1"
alias = "secondary_region"
}
# The following creates a Terraform State Backend with Bucket Replication enabled
module "terraform_state_backend_with_replication" {
source = "../../"
namespace = "binbash"
stage = "test"
name = "terraform"
attributes = ["state"]
region = "us-east-1"
bucket_replication_enabled = true
providers = {
aws.main_region = aws.main_region
aws.secondary_region = aws.secondary_region
}
}
# The module below creates a Terraform State Backend without bucket replication
module "terraform_state_backend" {
source = "../../"
namespace = "binbash"
stage = "test"
name = "terraform-test"
attributes = ["state"]
region = "us-east-1"
# By default replication is disabled but it shows below for the sake of the example
bucket_replication_enabled = false
# Notice that even though replication is not enabled, we still need to pass a secondary_region provider
providers = {
aws.main_region = aws.main_region
aws.secondary_region = aws.main_region
}
}
When using the enforce_vpc_requests = true
please consider the following
AWS VPC gateway endpoint limitations
Name | Description | Type | Default | Required |
---|---|---|---|---|
enforce_vpc_requests | Enable/Disable VPC endpoint for S3 bucket | bool |
false |
no |
vpc_ids_list | VPC id to access the S3 bucket vía vpc endpoint. The VPCe must be in the same AWS Region as the bucket. | list(string) |
[] |
no |
- You cannot use an AWS prefix list ID in an outbound rule in a network ACL to allow or deny outbound traffic to the service specified in an endpoint. If your network ACL rules restrict traffic, you must specify the CIDR block (IP address range) for the service instead. You can, however, use an AWS prefix list ID in an outbound security group rule. For more information, see Security groups.
- Endpoints are supported within the same Region only. You cannot create an endpoint between a VPC and a service in a different Region.
- Endpoints support IPv4 traffic only.
- You cannot transfer an endpoint from one VPC to another, or from one service to another.
- You have a quota on the number of endpoints you can create per VPC. For more information, see VPC endpoints.
- Endpoint connections cannot be extended out of a VPC. Resources on the other side of a VPN connection, VPC peering connection, transit gateway, AWS Direct Connect connection, or ClassicLink connection in your VPC cannot use the endpoint to communicate with resources in the endpoint service.
- You must enable DNS resolution in your VPC, or if you're using your own DNS server, ensure that DNS requests to the required service (such as Amazon S3) are resolved correctly to the IP addresses maintained by AWS.
In order to get the full automated potential of the
Binbash Leverage DevOps Automation Code Library
you should initialize all the necessary helper Makefiles.
You must execute the make init-makefiles
command at the root context
╭─delivery at delivery-I7567 in ~/terraform/terraform-aws-backup-by-tags on master✔ 20-09-17
╰─⠠⠵ make
Available Commands:
- init-makefiles initialize makefiles
You'll get all the necessary commands to automatically operate this module via a dockerized approach, example shown below
╭─delivery at delivery-I7567 in ~/terraform/terraform-aws-backup-by-tags on master✔ 20-09-17
╰─⠠⠵ make
Available Commands:
- circleci-validate-config ## Validate A CircleCI Config (https
- format-check ## The terraform fmt is used to rewrite tf conf files to a canonical format and style.
- format ## The terraform fmt is used to rewrite tf conf files to a canonical format and style.
- tf-dir-chmod ## run chown in ./.terraform to gran that the docker mounted dir has the right permissions
- version ## Show terraform version
- init-makefiles ## initialize makefiles
╭─delivery at delivery-I7567 in ~/terraform/terraform-aws-backup-by-tags on master✔ 20-09-17
╰─⠠⠵ make format-check
docker run --rm -v /home/delivery/Binbash/repos/Leverage/terraform/terraform-aws-backup-by-tags:"/go/src/project/":rw -v :/config -v /common.config:/common-config/common.config -v ~/.ssh:/root/.ssh -v ~/.gitconfig:/etc/gitconfig -v ~/.aws/bb:/root/.aws/bb -e AWS_SHARED_CREDENTIALS_FILE=/root/.aws/bb/credentials -e AWS_CONFIG_FILE=/root/.aws/bb/config --entrypoint=/bin/terraform -w "/go/src/project/" -it binbash/terraform-awscli-slim:0.12.28 fmt -check
- pipeline-job (NOTE: Will only run after merged PR)
- releases
- changelog