/cloudformation-terraform-state-backend

Cloudformation template to create Terraform state S3 backend

Primary LanguagejqMIT LicenseMIT

Terraform Backend Cloudformation Template

Launch Stack

This Cloudformation template creates an S3 bucket and DynamoDB table suitable for a Terraform S3 State Backend. Using this template avoids the problem of needing to use a Terraform module to create a state backend before you have a state backend for that module.

Features

  • Encrypts Terraform state using a dedicated KMS key.
  • Creates a dedicated IAM role with only the permissions needed to manage Terraform state.
  • Sets up access logging for the state bucket using CloudTrail.

Parameters

  • AdminConditionTag (String): If Enabled, principals will need to have the tag "Repository" with a value containing Repository in order to assume the role.
  • AdminPrincipal (String): IAM principal allowed to assume the state management role as a human operator; defaults to the current AWS account.
  • ExecutionConditionTag (String): If Enabled, principals will need to have the tag "Repository" with a value containing Repository in order to assume the role.
  • ExecutionPrincipal (String): IAM principal allowed to assume the state management for running Terraform; defaults to the current AWS account.
  • LogsArchiveInDays (Number): Number of days after which logs are moved to glacier storage
  • LogsDeleteInDays (Number): Number of days after which logs are deleted
  • LogsGroup (String): Set to Disabled to disable the Cloudwatch log group
  • LogsObjectLockInDays (Number): Number of days for which log objects are locked
  • Name (String): Name of the S3 bucket, DynamoDB table, and IAM role; Defaults to "terraform-state-AWS_ACCOUNT_ID"
  • NoncurrentVersionExpirationInDays (Number): Number of days after which older state versions are purged
  • Repository (String): Value for the Repository tag; defaults to Name.
  • SSOPermissionSet (String): If provided, IAM roles created from this permission set will be allowed to access Terraform state.
  • StateVpcId (String): If provided, state can access only from the given VPC.

Resources

  • KMSKey (AWS::KMS::Key): KMS key used to encrypt Terraform state
  • KMSKeyAlias (AWS::KMS::Alias): Alias for the KMS key
  • LockTable (AWS::DynamoDB::Table): DynamoDB table to lock Terraform
  • Role (AWS::IAM::Role): IAM role for managing Terraform state
  • StateBucket (AWS::S3::Bucket): Bucket containing Terraform state
  • StateBucketPolicy (AWS::S3::BucketPolicy): Policy requiring encryption
  • StateTrail (AWS::CloudTrail::Trail): trail logging data events for
  • TrailBucket (AWS::S3::Bucket): Bucket for Terraform state Cloudtrail
  • TrailBucketPolicy (AWS::S3::BucketPolicy): Policy to allow Cloudtrail
  • TrailLogGroup (AWS::Logs::LogGroup): CloudWatch log group for state changes
  • TrailRole (AWS::IAM::Role): IAM role assumed by CloudTrail to write state logs

Outputs

  • KmsKeyAlias: Alias of the KMS key used to encrypt Terraform state
  • KmsKeyId: ID of the KMS key used to encrypt Terraform state
  • LockTableName: Name of the DynamoDB table used to lock Terraform state
  • LogGroup: CloudWatch log group for state changes
  • Region: Region in which the S3 state backend resources are created
  • RoleArn: ARN of the IAM role capable of managing Terraform state
  • StateBucketName: Name of the S3 bucket containing Terraform state

Capabilities:

  • CAPABILITY_NAMED_IAM: Required to create the dedicated IAM role.

Cost:

The KMS key provisioned for this stack will cost $1/month. Additional charges for KMS, DynamoDB, S3, and Cloudtrail may occur but are insignificant.

Use in Control Tower

If you've deployed Customizations for Control Tower, you can include this template in your customized package.

In your manifest, apply the template to any accounts which will contain resources managed by Terraform:

- name: TerraformStateBackend
  description: Create a Terraform state backend in each account
  deploy_method: stack_set
  deployment_targets:
    organizational_units:
    - Workloads
  resource_file: https://s3.us-east-1.amazonaws.com/terraform-state-backend-templates/branch/main/terraform-state-backend.template
  regions:
  - us-west-2

Upload your customized package and you'll have a Terraform state backend automatically created in any of your workload accounts.

Contributing

Please see CONTRIBUTING.md.

License

This template is Copyright © 2021 Joe Ferris and thoughtbot. It is free software, and may be redistributed under the terms specified in the LICENSE file.

About thoughtbot

thoughtbot

This repo is maintained and funded by thoughtbot, inc. The names and logos for thoughtbot are trademarks of thoughtbot, inc.

We love open source software! See our other projects. We are available for hire.