
@xinau
Created April 6, 2020 23:25
Terraform resources for a remote backend on AWS using an S3 bucket (with access logging and enforced server-side encryption) and a DynamoDB table for state locking.
# Name of the S3 bucket that holds the Terraform state objects.
variable "bucket" {
  type        = string
  description = "AWS S3 bucket name to use for state storage"
}

# Name of the DynamoDB table the S3 backend uses for state locking.
variable "dynamodb_table" {
  type        = string
  description = "AWS DynamoDB table name to use for state locking"
}

# Kept for interface compatibility only: nothing in this file reads it.
# Encryption is enforced by the state bucket policy and by the buckets'
# default encryption configuration instead.
variable "encrypt" {
  type        = bool
  default     = true
  description = "(Not Used) AWS S3 bucket enable Server-Side Encryption"
}

# Region in which both buckets are created.
variable "region" {
  type        = string
  description = "AWS Region name of the S3 bucket"
}
# Canonical user id of the calling account. No resource in this file
# references it — NOTE(review): confirm it is used elsewhere before removing.
data "aws_canonical_user_id" "current" {}
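# Bucket policy for the state bucket. Every statement is an explicit Deny, so
# they apply on top of whatever IAM permissions a caller otherwise holds and
# cannot be widened by a permissive identity policy.
data "aws_iam_policy_document" "terraform_state" {
  # Reject uploads that request an SSE algorithm other than AES256. This also
  # rejects SSE-KMS uploads, which matches the bucket's AES256 default.
  statement {
    sid    = "DenyIncorrectEncryptionHeader"
    effect = "Deny"

    principals {
      type        = "AWS"
      identifiers = ["*"]
    }

    actions   = ["s3:PutObject"]
    resources = ["arn:aws:s3:::${var.bucket}/*"]

    condition {
      test     = "StringNotEquals"
      variable = "s3:x-amz-server-side-encryption"
      values   = ["AES256"]
    }
  }

  # Reject uploads that omit the SSE header entirely. Bucket default
  # encryption would still encrypt such objects at rest, but this keeps the
  # requirement visible to every client, not just the Terraform backend
  # (which sends the header when `encrypt = true` is set in its config).
  statement {
    sid    = "DenyUnencryptedObjectUploads"
    effect = "Deny"

    principals {
      type        = "AWS"
      identifiers = ["*"]
    }

    actions   = ["s3:PutObject"]
    resources = ["arn:aws:s3:::${var.bucket}/*"]

    condition {
      test     = "Null"
      variable = "s3:x-amz-server-side-encryption"
      values   = ["true"]
    }
  }

  # Reject any request to the bucket or its objects made over plain HTTP, so
  # state (which can contain secrets) is never transferred unencrypted.
  statement {
    sid    = "DenyInsecureTransport"
    effect = "Deny"

    principals {
      type        = "AWS"
      identifiers = ["*"]
    }

    actions = ["s3:*"]
    resources = [
      "arn:aws:s3:::${var.bucket}",
      "arn:aws:s3:::${var.bucket}/*",
    ]

    condition {
      test     = "Bool"
      variable = "aws:SecureTransport"
      values   = ["false"]
    }
  }
}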
locals {
  # Access-log bucket name, derived from the state bucket name.
  bucket_logs = format("%s-logs", var.bucket)
}
# Lock table for the S3 backend. The backend requires a table whose partition
# key is the string attribute "LockID".
resource "aws_dynamodb_table" "terraform_state_lock" {
  name         = var.dynamodb_table
  hash_key     = "LockID"
  billing_mode = "PAY_PER_REQUEST" # lock traffic is sparse; no capacity planning needed

  attribute {
    name = "LockID"
    type = "S"
  }

  # Encrypt items at rest. No kms_key_arn is given, so the provider's default
  # KMS key selection applies.
  server_side_encryption {
    enabled = true
  }
}
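# Bucket that receives server access logs for the state bucket.
resource "aws_s3_bucket" "terraform_state_logs" {
  bucket        = local.bucket_logs
  region        = var.region # NOTE(review): newer AWS provider versions drop this attribute — confirm the pinned provider
  acl           = "log-delivery-write" # lets the S3 log delivery group write into the bucket
  force_destroy = false                # refuse to delete the bucket while it holds objects

  # Move logs to infrequent access after 30 days; logs are retained, not expired.
  lifecycle_rule {
    id      = "log"
    enabled = true
    prefix  = "log/" # matches target_prefix in the state bucket's logging block

    transition {
      days          = 30
      storage_class = "STANDARD_IA"
    }
  }

  server_side_encryption_configuration {
    rule {
      apply_server_side_encryption_by_default {
        sse_algorithm = "AES256"
      }
    }
  }

  # Versioning protects the audit trail against overwrite or deletion.
  versioning {
    enabled = true
  }
}

# Block every form of public access to the log bucket. Access logs reveal who
# reads and writes state and must never be reachable anonymously.
resource "aws_s3_bucket_public_access_block" "terraform_state_logs" {
  bucket = aws_s3_bucket.terraform_state_logs.id

  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}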
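# Bucket holding the Terraform state. State can contain secrets, so the bucket
# is private, versioned, encrypted by default, access-logged and guarded by a
# deny-only bucket policy.
resource "aws_s3_bucket" "terraform_state" {
  bucket        = var.bucket
  region        = var.region # NOTE(review): newer AWS provider versions drop this attribute — confirm the pinned provider
  acl           = "private"
  force_destroy = false # refuse to delete the bucket while state objects remain
  policy        = data.aws_iam_policy_document.terraform_state.json

  # Default encryption is the second layer alongside the policy's deny on
  # unencrypted PutObject; both use AES256.
  server_side_encryption_configuration {
    rule {
      apply_server_side_encryption_by_default {
        sse_algorithm = "AES256"
      }
    }
  }

  # Server access logs go to the dedicated log bucket under "log/".
  logging {
    target_bucket = aws_s3_bucket.terraform_state_logs.id
    target_prefix = "log/"
  }

  # Versioning keeps earlier state files recoverable after a bad apply or an
  # accidental overwrite.
  versioning {
    enabled = true
  }

  # Make `terraform destroy` fail rather than remove the state bucket; drop
  # this block only if the bucket is intentionally being decommissioned.
  lifecycle {
    prevent_destroy = true
  }
}

# Block every form of public access to the state bucket. The bucket policy
# above is deny-only, so block_public_policy does not conflict with it.
resource "aws_s3_bucket_public_access_block" "terraform_state" {
  bucket = aws_s3_bucket.terraform_state.id

  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}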