Based on https://github.com/rhythmictech/terraform-aws-backend work.

This module creates:

- S3 bucket to host the Terraform state file, with versioning enabled
- KMS key to encrypt the S3 bucket
- DynamoDB table for managing Terraform state locking

Useful for bootstrapping a new environment. This module supports cross-account state management, using a centralized account that holds the S3 bucket and KMS key.

Note: A centralized DynamoDB locking table is not supported because Terraform cannot assume more than one IAM role per execution.
```hcl
module "backend" {
  source = "git::ssh://git@github.com/mhmdio/terraform-aws-backend"
  bucket = "project-tfstate"
  region = "us-east-1"
  table  = "tf-locktable"
}
```

Managing state across accounts requires additional configuration to ensure that the S3 bucket is appropriately accessible and the KMS key is usable.
The following module declaration creates an S3 bucket and KMS key that are accessible to the root account (and to users with the AdministratorAccess managed policy) in the target account:
```hcl
module "backend" {
  source              = "git::ssh://git@github.com/mhmdio/terraform-aws-backend"
  allowed_account_ids = ["123456789012"]
  bucket              = "012345678901-us-east-1-tfstate"
  region              = "us-east-1"
}
```

In the target account, use this declaration to import the module:
```hcl
module "backend" {
  source        = "git::ssh://git@github.com/mhmdio/terraform-aws-backend"
  kms_key_id    = "arn:aws:kms:us-east-1:012345678901:key/59381274-af42-8521-04af-ab0acfe3d521"
  region        = "us-east-1"
  remote_bucket = "012345678901-us-east-1-tfstate"
}
```

The module will automatically write to the source account's S3 bucket using the KMS key with cross-account access.
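The cross-account write relies on the per-account key prefix convention this README describes (each target account writes under a `workspace_key_prefix` equal to its own account ID). The following added Python example is not part of the module: it builds a constructed bucket policy scoped to that prefix (an illustration of the design, not the module's own policy document), derives the object key the Terraform S3 backend writes for a given workspace, and evaluates whether that key falls inside the scoped prefix, including the default workspace, which ignores `workspace_key_prefix` entirely.

```python
import fnmatch

def state_object_key(backend_config, workspace="default"):
    """Object key the Terraform S3 backend writes for a workspace: the default
    workspace uses `key` unchanged, others use <workspace_key_prefix>/<ws>/<key>."""
    if workspace == "default":
        return backend_config["key"]
    prefix = backend_config.get("workspace_key_prefix", "env:")
    return f"{prefix}/{workspace}/{backend_config['key']}"

def bucket_policy(bucket, allowed_account_ids, partition="aws"):
    """Constructed prefix-scoped policy: each allowed account may only list
    and read/write objects under a prefix equal to its own account ID."""
    statements = []
    for acct in allowed_account_ids:
        principal = {"AWS": f"arn:{partition}:iam::{acct}:root"}
        statements += [
            {"Sid": f"List{acct}", "Effect": "Allow", "Principal": principal,
             "Action": "s3:ListBucket",
             "Resource": f"arn:{partition}:s3:::{bucket}",
             "Condition": {"StringLike": {"s3:prefix": [f"{acct}/*"]}}},
            {"Sid": f"Objects{acct}", "Effect": "Allow", "Principal": principal,
             "Action": ["s3:GetObject", "s3:PutObject"],
             "Resource": f"arn:{partition}:s3:::{bucket}/{acct}/*"},
        ]
    return {"Version": "2012-10-17", "Statement": statements}

def object_access_allowed(policy, account_id, bucket, key, action="s3:PutObject", partition="aws"):
    """Minimal evaluator: True if some Allow statement grants `action` on the
    object to the account's root principal (no Deny handling; enough here)."""
    principal = f"arn:{partition}:iam::{account_id}:root"
    resource = f"arn:{partition}:s3:::{bucket}/{key}"
    for stmt in policy["Statement"]:
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if (stmt["Effect"] == "Allow" and stmt["Principal"]["AWS"] == principal
                and action in actions
                and fnmatch.fnmatchcase(resource, stmt["Resource"])):
            return True
    return False

# Constructed sample: the README's backend-config values and one allowed account.
BACKEND_CONFIG = {"bucket": "012345678901-us-east-1-tf-state", "key": "project.tfstate",
                  "workspace_key_prefix": "123456789012", "region": "us-east-1"}
POLICY = bucket_policy(BACKEND_CONFIG["bucket"], ["123456789012"])

if __name__ == "__main__":
    for ws in ("default", "prod"):
        k = state_object_key(BACKEND_CONFIG, ws)
        ok = object_access_allowed(POLICY, "123456789012", BACKEND_CONFIG["bucket"], k)
        print(f"{ws}: {k} -> allowed={ok}")
```

Running it shows that a named workspace lands under `123456789012/...` and is allowed, while the default workspace writes `project.tfstate` at the bucket root, outside any account prefix, so a policy scoped strictly to the prefix would deny it.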
Access to the source S3 bucket is granted per key prefix, and the prefix must match the target AWS account ID. Target accounts must therefore use a `workspace_key_prefix` equal to their account ID, as in the following sample backend-config values:
```hcl
bucket               = "012345678901-us-east-1-tf-state"
key                  = "project.tfstate"
workspace_key_prefix = "123456789012"
region               = "us-east-1"
```

## Requirements

| Name | Version |
|---|---|
| terraform | >= 1.0.0 |
| aws | ~> 3.65.0 |

## Providers

| Name | Version |
|---|---|
| aws | 3.65.0 |
## Modules

No modules.

## Resources

| Name | Type |
|---|---|
| aws_dynamodb_table.this | resource |
| aws_kms_alias.this | resource |
| aws_kms_key.this | resource |
| aws_s3_bucket.this | resource |
| aws_s3_bucket_policy.this | resource |
| aws_s3_bucket_public_access_block.this | resource |
| aws_caller_identity.current | data source |
| aws_default_tags.current | data source |
| aws_iam_policy_document.key | data source |
| aws_iam_policy_document.this | data source |
| aws_partition.current | data source |
| aws_region.current | data source |
## Inputs

| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| region | AWS region to use | `any` | n/a | yes |
| allowed_account_ids | Account IDs that are allowed to access the bucket/KMS key | `list(string)` | `[]` | no |
| kms_key_id | ARN for the KMS key used for all encryption operations | `string` | `""` | no |
| logging_target_bucket | The name of the bucket that will receive the log objects | `string` | `null` | no |
| logging_target_prefix | A key prefix for log objects | `string` | `"AccessLogs/"` | no |
| remote_bucket | If specified, the remote bucket will be used for the backend and a new bucket will not be created | `string` | `""` | no |
| tags | Mapping of any extra tags you want added to resources | `map(string)` | `{}` | no |
## Outputs

| Name | Description |
|---|---|
| kms_key_arn | ARN of KMS Key for S3 bucket |
| s3_bucket_backend | S3 bucket |