This repo shows how to configure a Gradle project to download and execute the correct Terraform binary for the platform you're executing on.
The project runs against AWS and stores it's .tfstate in an S3 bucket.
- AWS account ID/alias
- JDK 8+ available on the path of any machine that needs to run Gradle/TF tasks
Never use the "root account" of an AWS account to do stuff.
- Go to IAM and create user.
- enable
password- store your password somewhere safe
- don't enable
access key- do it in IAM after logging in as the user - attach user directly to
AdministratorAccess
- enable
- Immediately log out of your root account
- sign in as the IAM user (will need your Account ID)
- In IAM console, find the new user and create an
access key- save access key to
~/.config/tf-download/aws.credentials
- save access key to
[default]
aws_access_key_id=AKIAXXX
aws_secret_access_key=XXX
Either create the bucket manually, or run the Gradle task
- in S3 console, create a new bucket to store the Terraform state file
- leave
ACLs disabled, leaveblock all public access- TF will access the bucket via the access key from
gradle.properties - privacy of this file is important because TF may store secrets in there
- TF will access the bucket via the access key from
- enable
bucket versioning- eventually, everyone mess up their state file - having history is helpful
Note that you won't be able to run this task without changing the bucket name
because AWS S3 buckets must be globally unique.
May want to change the region too, see
S3Util.
./gradlew createS3StateBucket- only need to run this once