Terraform resources for a remote backend on AWS using an S3 bucket (with access logging and enforced server-side encryption) and a DynamoDB table.
# Name of the S3 bucket that will hold Terraform state. Also used verbatim in
# the bucket policy ARNs and as the prefix of the access-log bucket name.
variable "bucket" {
  type        = string
  description = "AWS S3 bucket name to use for state storage"
}
# Name of the DynamoDB table used by the S3 backend for state locking.
variable "dynamodb_table" {
  type        = string
  description = "AWS DynamoDB table name to use for state locking"
}
# Not referenced by any resource in this file (encryption is enforced by the
# bucket default and the bucket policy instead). The policy denies PutObject
# without an AES256 SSE header, so whatever backend configuration writes state
# to this bucket still has to send that header (for the S3 backend, its
# `encrypt = true` option) -- this variable does not do that by itself.
variable "encrypt" {
  type        = bool
  default     = true
  description = "(Not Used) AWS S3 bucket enable Server-Side Encryption"
}
# Region both buckets are created in (passed to the provider v2-style `region`
# argument on each aws_s3_bucket resource).
variable "region" {
  type        = string
  description = "AWS Region name of the S3 bucket"
}
# Canonical user id of the calling account. Not referenced by any other block
# in this file; left in place so the module's read-only data surface is unchanged.
data "aws_canonical_user_id" "current" {
}
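# Bucket policy for the state bucket. Every statement is a Deny with
# Principal "*", so it applies to all callers including the account's own IAM
# principals: object writes must explicitly request SSE-S3 (AES256), and no
# request may use plaintext HTTP. Statements carry Sids so a denied request
# can be traced to the rule that rejected it.
data "aws_iam_policy_document" "terraform_state" {
  # A PutObject whose SSE header names anything other than AES256 (e.g.
  # aws:kms) is refused, keeping objects consistent with the bucket default.
  statement {
    sid    = "DenyIncorrectEncryptionHeader"
    effect = "Deny"

    principals {
      type        = "AWS"
      identifiers = ["*"]
    }

    actions   = ["s3:PutObject"]
    resources = ["arn:aws:s3:::${var.bucket}/*"]

    condition {
      test     = "StringNotEquals"
      variable = "s3:x-amz-server-side-encryption"
      values   = ["AES256"]
    }
  }

  # Separately covers a PutObject that carries no SSE header at all.
  statement {
    sid    = "DenyUnencryptedObjectUploads"
    effect = "Deny"

    principals {
      type        = "AWS"
      identifiers = ["*"]
    }

    actions   = ["s3:PutObject"]
    resources = ["arn:aws:s3:::${var.bucket}/*"]

    condition {
      test     = "Null"
      variable = "s3:x-amz-server-side-encryption"
      values   = ["true"]
    }
  }

  # State files can contain secrets; refuse any bucket- or object-level
  # operation that is not made over TLS.
  statement {
    sid    = "DenyInsecureTransport"
    effect = "Deny"

    principals {
      type        = "AWS"
      identifiers = ["*"]
    }

    actions = ["s3:*"]
    resources = [
      "arn:aws:s3:::${var.bucket}",
      "arn:aws:s3:::${var.bucket}/*",
    ]

    condition {
      test     = "Bool"
      variable = "aws:SecureTransport"
      values   = ["false"]
    }
  }
}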
# Name of the access-log bucket, derived from the state bucket name.
locals {
  bucket_logs = format("%s-logs", var.bucket)
}
# Lock table for the S3 backend. The backend keys lock records on the string
# attribute "LockID", which is the only attribute the table needs to declare.
# On-demand billing suits the very low, bursty write rate of lock acquisition.
resource "aws_dynamodb_table" "terraform_state_lock" {
  name         = var.dynamodb_table
  hash_key     = "LockID"
  billing_mode = "PAY_PER_REQUEST"

  attribute {
    type = "S"
    name = "LockID"
  }

  # Encryption at rest for lock records.
  server_side_encryption {
    enabled = true
  }
}
# Destination bucket for the state bucket's S3 server access logs, using the
# canned ACL an access-log target bucket needs. Encrypted and versioned like the
# state bucket; never force-destroyed so the audit trail cannot vanish with it.
resource "aws_s3_bucket" "terraform_state_logs" {
  bucket        = local.bucket_logs
  region        = var.region
  acl           = "log-delivery-write"
  force_destroy = false

  # Logs under "log/" (the prefix the state bucket writes to) move to
  # STANDARD_IA after 30 days. There is no expiration rule, so they are kept
  # indefinitely. NOTE(review): no public access block is configured on this
  # bucket -- confirm that is intended.
  lifecycle_rule {
    id      = "log"
    prefix  = "log/"
    enabled = true

    transition {
      storage_class = "STANDARD_IA"
      days          = 30
    }
  }

  versioning {
    enabled = true
  }

  server_side_encryption_configuration {
    rule {
      apply_server_side_encryption_by_default {
        sse_algorithm = "AES256"
      }
    }
  }
}
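# Terraform state bucket. State can contain secrets, so the bucket is private,
# encrypted at rest by default, versioned (an earlier state can be recovered
# after a bad apply), access-logged, and never force-destroyed.
resource "aws_s3_bucket" "terraform_state" {
  bucket        = var.bucket
  acl           = "private"
  region        = var.region
  force_destroy = false

  # Deny-only policy: refuses object writes that do not request SSE. S3 only
  # classifies policies that *grant* broad access as public, so a Deny-only
  # policy coexists with the public access block below.
  policy = data.aws_iam_policy_document.terraform_state.json

  server_side_encryption_configuration {
    rule {
      apply_server_side_encryption_by_default {
        sse_algorithm = "AES256"
      }
    }
  }

  # Server access logs go to the companion log bucket under "log/".
  logging {
    target_bucket = aws_s3_bucket.terraform_state_logs.id
    target_prefix = "log/"
  }

  versioning {
    enabled = true
  }
}

# Block every form of public access at the bucket level, independently of the
# ACL and the bucket policy, so a later ACL or policy change cannot expose
# state to anonymous or cross-account readers.
resource "aws_s3_bucket_public_access_block" "terraform_state" {
  bucket = aws_s3_bucket.terraform_state.id

  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}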