
@tom-butler
Created August 21, 2017 00:27
Terraform remote-state-provisioner
#==============================================================
# remote-state.tf
#==============================================================
# Bootstraps the two objects Terraform needs to keep its state
# remotely: an S3 bucket for the state file and a DynamoDB table
# for state locking. Run once per account, with local state,
# before any stack points its backend at these objects.
#--------------------------------------------------------------
# Global Config
#--------------------------------------------------------------
# Variables used in the global config
variable "region" {
  description = "The AWS region we want to build this stack in"
  default     = "ap-southeast-2"
}

variable "owner" {
  description = "A group email address to be used in tags"
  default     = "autobots@ga.gov.au"
}

provider "aws" {
  region = "${var.region}"
}

# Data source used to retrieve the AWS account ID
data "aws_caller_identity" "current" {}

#--------------------------------------------------------------
# Remote State Infrastructure
#--------------------------------------------------------------
# Create the remote objects that terraform will use to store
# state - an S3 bucket and a DynamoDB table.
# The account ID is appended to the bucket name because S3
# bucket names are global. Note that acl = "private" only sets
# the ACL; it does not version or encrypt the state file, which
# usually contains secrets in plaintext.
resource "aws_s3_bucket" "terraform_state" {
  bucket = "tfstate-${data.aws_caller_identity.current.account_id}"
  acl    = "private"

  tags {
    Name       = "terraform-state"
    owner      = "${var.owner}"
    created_by = "remote-state-provisioner"
  }
}

# Lock table: the S3 backend writes an item keyed by LockID while
# an operation holds the state, so concurrent runs cannot clobber
# each other's writes.
resource "aws_dynamodb_table" "terraform_statelock" {
  name           = "terraform-lock"
  read_capacity  = 20
  write_capacity = 20
  hash_key       = "LockID"

  attribute {
    name = "LockID"
    type = "S"
  }

  tags {
    Name       = "terraform-state-locking"
    owner      = "${var.owner}"
    created_by = "remote-state-provisioner"
  }
}

# Outputs - copy these into the backend block of each stack
output "account_id" {
  value = "${data.aws_caller_identity.current.account_id}"
}

output "bucket_id" {
  value = "${aws_s3_bucket.terraform_state.id}"
}

output "dynamodb_lock_table" {
  value = "${aws_dynamodb_table.terraform_statelock.id}"
}
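A hardened drop-in for the state bucket above, added here as an example and not part of the gist. It keeps the gist's Terraform 0.11 syntax and its `data.aws_caller_identity.current` / `var.owner` references, and assumes an AWS provider release that has the `server_side_encryption_configuration` block and the `aws_s3_bucket_public_access_block` resource (both appeared after the gist's date). Versioning lets a bad apply or a tampered state be rolled back, encryption at rest covers the secrets Terraform writes into state in plaintext, the public access block makes a later ACL or bucket-policy mistake harmless, and the bucket policy refuses plaintext HTTP.

```hcl
# Added example (not the gist's code): hardened state bucket.
# Terraform 0.11 syntax; assumes a provider new enough for the
# server_side_encryption_configuration block and the
# aws_s3_bucket_public_access_block resource.
resource "aws_s3_bucket" "terraform_state" {
  bucket = "tfstate-${data.aws_caller_identity.current.account_id}"
  acl    = "private"

  # Every write keeps the previous object version, so a corrupted
  # or maliciously overwritten state can be restored.
  versioning {
    enabled = true
  }

  # State routinely contains database passwords and generated
  # keys in plaintext; encrypt the objects at rest.
  server_side_encryption_configuration {
    rule {
      apply_server_side_encryption_by_default {
        sse_algorithm = "AES256"
      }
    }
  }

  # Destroying this bucket destroys every stack's state.
  lifecycle {
    prevent_destroy = true
  }

  tags {
    Name       = "terraform-state"
    owner      = "${var.owner}"
    created_by = "remote-state-provisioner"
  }
}

# acl = "private" can be undone by a later ACL or bucket-policy
# change; the bucket-level public access block cannot.
resource "aws_s3_bucket_public_access_block" "terraform_state" {
  bucket                  = "${aws_s3_bucket.terraform_state.id}"
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}

# Deny any request to the bucket or its objects made over
# plaintext HTTP (aws:SecureTransport = false).
data "aws_iam_policy_document" "terraform_state" {
  statement {
    sid     = "DenyInsecureTransport"
    effect  = "Deny"
    actions = ["s3:*"]

    resources = [
      "${aws_s3_bucket.terraform_state.arn}",
      "${aws_s3_bucket.terraform_state.arn}/*",
    ]

    principals {
      type        = "*"
      identifiers = ["*"]
    }

    condition {
      test     = "Bool"
      variable = "aws:SecureTransport"
      values   = ["false"]
    }
  }
}

resource "aws_s3_bucket_policy" "terraform_state" {
  bucket = "${aws_s3_bucket.terraform_state.id}"
  policy = "${data.aws_iam_policy_document.terraform_state.json}"
}
```

Swap `AES256` for `aws:kms` with a `kms_master_key_id` if you want access to the state file to also require `kms:Decrypt` on a specific key; that gives a second, independently auditable gate in front of the secrets in state. The `prevent_destroy` guard means `terraform destroy` on this provisioner fails until the guard is removed deliberately, which is the intended friction.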
tom-butler (Author) commented Aug 21, 2017

  1. Install dependencies:
     1. Create a service user to run the Terraform scripts:
        1. Sign into the AWS Console
        2. Click Services
        3. Under Security, Identity and Compliance select IAM
        4. Select Users
        5. Click Add user
        6. Give the account a username in the format: svcTF
        7. Select Programmatic access
        8. Click Next:Permissions
        9. Select: Attach existing Policies Directly
        10. Click Create Policy (it will open in a new tab)
        11. Next to Create Your Own Policy, click Select
        12. Set the name to be <appname>TerraformRunner
        13. Copy the policy from the policies folder and paste it in the Policy Document field
        14. Click Create Policy
        15. Change tabs back to the User creation tab
        16. In the AWS Console click Refresh (not the browser refresh button)
        17. Search for your new policy by its name
        18. Click the checkbox on the left of the policy
        19. Click Next:Review (down the bottom)
        20. Click Create user
        21. Copy the access key ID and secret access key
        22. For a dev machine run aws configure
        23. For a Bitbucket pipeline set the environment variables AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY
  2. Download and run using terraform apply

You will see a bucket_id and dynamodb_lock_table; these can be used in your Terraform remote state configuration.
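
What "used in your remote state configuration" looks like in practice, as an added example that is not part of the gist: the `backend "s3"` stanza that each consuming stack carries, followed by the minimal IAM permissions that stanza needs. Backend blocks cannot interpolate variables, so the `bucket_id` and `dynamodb_lock_table` outputs are copied in literally (`123456789012` is a placeholder account ID, `myapp` a placeholder stack name; both are assumptions). The statements are the permissions the Terraform S3 backend documentation lists, scoped to one bucket, one state key and one lock table; they cover the state backend only, not the `<appname>TerraformRunner` policy the comment refers to, which is in the gist's policies folder and not shown on this page.

```hcl
# Added example (not the gist's code). Part 1 goes in each stack
# that consumes the remote state; part 2 belongs with the
# provisioner, applied by a principal that already has IAM rights.
# 123456789012 and "myapp" are placeholders.

# --- Part 1: backend stanza in the consuming stack -------------
terraform {
  backend "s3" {
    bucket         = "tfstate-123456789012"     # bucket_id output
    key            = "myapp/terraform.tfstate"  # one key per stack
    region         = "ap-southeast-2"
    dynamodb_table = "terraform-lock"           # dynamodb_lock_table output
    encrypt        = true                        # SSE on every state write
  }
}

# --- Part 2: least-privilege backend access for svcTF ----------
# Only what the S3 backend needs: list the bucket, read/write the
# stack's own state key, and take/release the lock item.
data "aws_iam_policy_document" "state_backend" {
  statement {
    sid       = "ListStateBucket"
    actions   = ["s3:ListBucket"]
    resources = ["arn:aws:s3:::tfstate-123456789012"]
  }

  statement {
    sid     = "ReadWriteOwnStateKey"
    actions = ["s3:GetObject", "s3:PutObject"]

    # Scoped to this stack's key, so a compromised svcTF credential
    # cannot read other stacks' state (and their secrets).
    resources = ["arn:aws:s3:::tfstate-123456789012/myapp/terraform.tfstate"]
  }

  statement {
    sid = "TakeAndReleaseLock"

    actions = [
      "dynamodb:DescribeTable",
      "dynamodb:GetItem",
      "dynamodb:PutItem",
      "dynamodb:DeleteItem",
    ]

    resources = ["arn:aws:dynamodb:ap-southeast-2:123456789012:table/terraform-lock"]
  }
}

resource "aws_iam_policy" "state_backend" {
  name   = "myappTerraformStateBackend"
  policy = "${data.aws_iam_policy_document.state_backend.json}"
}

# Assumes the svcTF user from the steps above already exists.
resource "aws_iam_user_policy_attachment" "svc_tf_state_backend" {
  user       = "svcTF"
  policy_arn = "${aws_iam_policy.state_backend.arn}"
}
```

If you would rather not commit the account ID, leave `bucket` and `dynamodb_table` out of the stanza and pass them at init time with `terraform init -backend-config="bucket=..." -backend-config="dynamodb_table=..."`. The access key that steps 21 to 23 hand to a developer machine or a Bitbucket pipeline is a long-lived credential; keeping its policy scoped to one state key and one lock table, as here, is what limits the damage when that key leaks.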
