Merge pull request #2 from DefendableDesign/remote-tfstate

Remote tfstate

README.md

@@ -10,16 +10,15 @@ The Terraform code:
 
 # How to get started
 1. Install [Terraform](https://www.terraform.io/downloads.html)
-2. Download and unpack the [latest release](https://github.com/DefendableDesign/DD-AWS/releases), or clone the whole repo.
-3. [Configure AWS credentials](http://docs.aws.amazon.com/cli/latest/userguide/cli-chap-getting-started.html)
-4. Set a region (defaults to Sydney):
-    - Edit `main.tf` to set an explicit `region` (refer to [AWS documentation for supported regions](http://docs.aws.amazon.com/general/latest/gr/rande.html#awsconfig_region))
-4. **[Optional]** Enable auto-response for the `restricted_ports` module:
-    - Edit `main.tf` and change `enable_auto_response` from `"false"` to `"true"`
-5. Prepare Terraform:
-    - `terraform init`
-    - `terraform get`
+1. Download and unpack the [latest release](https://github.com/DefendableDesign/DD-AWS/releases), or clone the whole repo.
+1. [Configure AWS credentials](http://docs.aws.amazon.com/cli/latest/userguide/cli-chap-getting-started.html)
+1. **[Optional]** Enable auto-response for remediating violations:
+    - Edit `terraform.tfvars` and change `enable_auto_response` from `"false"` to `"true"`
+1. Set a region (defaults to Sydney):
+    - Edit `terraform.tfvars` and change `region` to your preferred AWS region (refer to [AWS documentation for supported regions](http://docs.aws.amazon.com/general/latest/gr/rande.html#awsconfig_region))
+1. Run `./setup_remote_tfstate.ps1` to create an S3 bucket for storing your Terraform state
+1. Check the Terraform plan:
     - `terraform plan`
         - Check the output of terraform plan to see what changes will be made to your AWS account.
-6. Go live:
-    - `terraform apply`
+1. Go live:
+    - `terraform apply`

main.tf

@@ -2,6 +2,13 @@ provider "aws" {
     region  = "${var.region}"
 }
 
+terraform {
+    backend "s3" {
+        encrypt = true
+        key = "DD_Terraform/terraform.tfstate"
+    }
+}
+
 module "config_setup" {
     source = "./config_setup"
 }
@@ -20,7 +27,7 @@ module "restricted_ports" {
     source = "./restricted_ports"
     config_is_setup = "${module.config_setup.is_complete}"
     prohibited_ports = "22,1433,3306,3389"
-    enable_auto_response = "false"
+    enable_auto_response = "${var.enable_auto_response}"
 }
 
 module "s3_public_read" {

setup_remote_tfstate.ps1

@@ -0,0 +1,41 @@
+#Determine Region
+$region = @(Get-DefaultAWSRegion).Region
+If ($region -eq $null) {
+    $region = Read-Host -Prompt 'Enter the AWS region for your Terraform state S3 bucket'
+}
+
+#Determine AWS Account ID
+Try {
+    $accountId = @(get-ec2securitygroup -GroupNames "default" -Region $region)[0].OwnerId
+}
+Catch {
+    Write-Host "Error determining AWS Account ID"
+    Break
+}
+
+#Define Bucket Name
+$bucketName = "dd-tfstate-{0}" -f $accountId
+
+#Create Bucket
+Try {
+    Write-Host "Creating Terraform state S3 bucket: $bucketName"
+    New-S3Bucket -BucketName $bucketName -Region $region -ErrorAction 'SilentlyContinue'
+}
+Catch [System.AggregateException]{
+    $safeToIgnore = $Error[0].Exception.ToString().Contains("Your previous request to create the named bucket succeeded and you already own it")
+    If ($safeToIgnore) {
+        Write-Host "Using existing bucket: $bucketName."
+    } Else {
+        Write-Host "Error creating S3 bucket: $bucketName."
+        Break
+    }
+}
+
+#Enable versioning
+Write-Host "Enabling versioning."
+Write-S3BucketVersioning -BucketName $bucketName -Region $region -VersioningConfig_Status Enabled
+
+#Initialise Terraform
+terraform init `
+    -backend-config="bucket=$bucketName" `
+    -backend-config="region=$region"

terraform.tfvars

@@ -0,0 +1,2 @@
+region = "ap-southeast-2"
+enable_auto_response = "false"

variables.tf

@@ -1,3 +1,7 @@
 variable "region" {
   default = "ap-southeast-2"
 }
+
+variable "enable_auto_response" {
+  default = "false"
+}