This terraform module implements what is described in the Terraform S3 Backend documentation.
S3 Encryption is enabled and Public Access policies used to ensure security.
This module is expected to be deployed to a 'master' AWS account so that you can start using remote state as soon as possible. As this module creates the remote state backend, its statefile needs to be commited to git as it cannot be stored remotely. No sensetive information should be present in this file.
It is also expected that you check the statefile for this module into git to avoid the chicken and egg problem.
The following resources will be created:
- Encrypted S3 Bucket - Used to store Terraform state files
- This bucket
- Block public acls
- Block public policy
- Ignore public acls
- Restrict public buckets
- This bucket
- AWS DynamoDB Table - Used for workspace locking
- Identity and Access Management (IAM) - Backend All - Role that Allows access to all Terraform workspaces
- Identity and Acesss Management (IAM) - Backend restricted - These roles are limited to their specific workspace through the use of S3 resource permissions
| Name | Resource | Description |
|---|---|---|
| <prefix>-terraform-backend | S3 Bucket | Used to store Terraform state files |
| terraform-lock | DynamoDB Table | Used for workspace locking |
| terraform-backend | IAM Role | Role created that has access to all terraform workspaces |
| terraform-backend-<workspace> | IAM Role | Role created that only has access to the specified workspace |
| Name | Version |
|---|---|
| terraform | >= 0.13.0 |
| aws | >=4.0.0 |
| Name | Version |
|---|---|
| aws | >=4.0.0 |
| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| assume_policy | A map that allows you to specify additional AWS principles that will be added to the backend roles assume role policy | map(string) |
{} |
no |
| bucket_prefix | A prefix applied to the S3 bucket created to ensure a unique name. | string |
n/a | yes |
| bucket_sse_algorithm | Encryption algorithm to use on the S3 bucket. Currently only AES256 is supported | string |
"AES256" |
no |
| kms_master_key_alias | The alias of the KMS key to use for S3 server-side encryption. If not provided, S3-managed encryption keys will be used. | string |
"alias/aws/s3" |
no |
| workspaces | A list of terraform workspaces that IAM Roles/Policy will be created for | list(string) |
n/a | yes |
| Name | Description |
|---|---|
| dynamo_lock_table | n/a |
| iam_roles | n/a |
| state_bucket_arn | n/a |
The assume_role_policy by default will be set to the current account ID. This is primarily so can you can use the roles while your 'identity' account is under construction. Once your identity account is available you should specify the required assume_role_policy and the default will be removed.
Due to terraform lookup() only supporting string returns this cant be a list and needs to be specified as a string with principles seperated by commas in the event multiple entries are required.
assume_policy = {
prod = "arn:aws:iam::xxxxxxxxxxxx:root,arn:aws:iam::yyyyyyyyyyyy:root"
nonprod = "arn:aws:iam::xxxxxxxxxxxx:root,arn:aws:iam::yyyyyyyyyyyy:root"
sandpit = "arn:aws:iam::xxxxxxxxxxxx:root,arn:aws:iam::yyyyyyyyyyyy:root"
}
Module managed by DNX Solutions.
Apache 2 Licensed. See LICENSE for full details.