Skip to content

Latest commit

 

History

History
89 lines (71 loc) · 6.4 KB

README.md

File metadata and controls

89 lines (71 loc) · 6.4 KB

Bootstrapping AWS accounts for Terraform backend

This Terraform module bootstraps an AWS account by creating an S3 bucket and a DynamoDB table, which are essential components for storing remote Terraform state files. Access to the S3 bucket is restricted to IAM users and roles passed in as iam_principals input variable list.

🐔🥚

Usage

module "bootstrap" {
  source = "./"

  region               = "eu-west-1"
  iam_principals       = ["arn:aws:iam::123456789012:user/example-user"]
}

Assumptions and notes

  • <account id>-<region name>-state - This bucket is to store the state files.
  • <account id>-<region name>-state-logs - This bucket stores the access logs of the first bucket
  • The state file for the S3 backend resources (S3 bucket, DynamoDB table and other ancillaries) is stored in s3://11111111111111111-eu-west-1-state/s3-backend-state/terraform.tfstate
  • When running terraform init in the Terraform code base that will have its state stored in these buckets, backend-config flags will need adding. E.g.
terraform init \  
  -backend-config=dynamodb_table=<region name>-state-locks \
  -backend-config=bucket=<account id>-<region name>-state \
  -backend-config=key=<environment name>/<module name>/terraform.tfstate

Requirements

Name Version
terraform >= 1.0
aws >= 5.52.0

Providers

Name Version
aws 5.52.0

Modules

No modules.

Resources

Name Type
aws_dynamodb_table.terraform_locks resource
aws_s3_bucket.terraform_state resource
aws_s3_bucket.terraform_state_bucket_logs resource
aws_s3_bucket_lifecycle_configuration.terraform_state resource
aws_s3_bucket_lifecycle_configuration.terraform_state_bucket_logs resource
aws_s3_bucket_logging.terraform_state resource
aws_s3_bucket_ownership_controls.terraform_state resource
aws_s3_bucket_ownership_controls.terraform_state_bucket_logs resource
aws_s3_bucket_policy.terraform_state resource
aws_s3_bucket_policy.terraform_state_bucket_logs resource
aws_s3_bucket_public_access_block.terraform_state resource
aws_s3_bucket_public_access_block.terraform_state_bucket_logs resource
aws_s3_bucket_server_side_encryption_configuration.terraform_state resource
aws_s3_bucket_server_side_encryption_configuration.terraform_state_bucket_logs resource
aws_s3_bucket_versioning.terraform_state resource
aws_s3_bucket_versioning.terraform_state_bucket_logs resource
aws_caller_identity.current data source
aws_iam_policy_document.terraform_state_bucket data source
aws_iam_policy_document.terraform_state_bucket_logs data source

Inputs

Name Description Type Default Required
enable_s3_bucket_versioning Whether or not to enable bucket versioning on the state S3 bucket bool true no
iam_principals A list of IAM user or role ARNs that will have access to the state S3 bucket list(string) n/a yes
logs_bucket_kms_key_id The KMS key ID used to encrypt the S3 state logs bucket. Uses AWS-managed key if not specified. string "" no
region_name Name of the region that the state file is responsible for string n/a yes
state_bucket_kms_key_id The KMS key ID used to encrypt the S3 state bucket. Uses AWS-managed key if not specified. string "" no

Outputs

Name Description
dynamodb_table_arn The ARN of the DynamoDB table
s3_logging_bucket_arn The ARN of the S3 logging bucket
s3_state_bucket_arn The ARN of the S3 bucket