This module provisions an S3 bucket for remote state storage and a DynamoDB table for state locking.
The S3 bucket is created with versioning, server-side encryption, and logging enabled. Bucket access logs are stored in a separate S3 bucket.
```hcl
module "remote_state" {
  # The git:: prefix tells Terraform to fetch this HTTPS URL with Git.
  source      = "git::https://github.com/dirgapeter/tf-remote.git?ref=0.0.1"
  project     = "simple"
  environment = "dev"
}
```
See variables.tf for additional configurable variables.
The module output config_backend contains the generated Terraform backend configuration.
```hcl
output "config_backend" {
  description = "Backend configuration."
  value       = module.remote_state.config_backend
}
```
```sh
terraform output config_backend > backend.tf
```
After that, `terraform init` must be executed to initialize the backend.
For read-only access you can use the output config_data:
```sh
terraform output config_data > backend_data.tf
```
Note: Your backend configuration cannot contain interpolated variables. This is because this configuration is initialized prior to Terraform parsing these variables.
```hcl
terraform {
  backend "s3" {
    region         = "eu-west-1"
    encrypt        = true
    bucket         = "simple-dev-tf-remote-state"
    key            = "terraform.tfstate"
    dynamodb_table = "simple-dev-tf-remote-state-lock"
  }
}
```
```hcl
data "terraform_remote_state" "state" {
  # backend is an argument of the data source, not a nested block.
  backend = "s3"
  config = {
    region         = "eu-west-1"
    encrypt        = true
    bucket         = "simple-dev-tf-remote-state"
    key            = "terraform.tfstate"
    dynamodb_table = "simple-dev-tf-remote-state-lock"
  }
}
```
Two IAM groups are created: one for full access and one for read-only access.
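The permissions each of the two groups needs at minimum, as an added example (not the module's own policy code). It assumes the bucket, key, lock table and region from the backend configuration above; the local and data source names are hypothetical.

```hcl
# Added example: hypothetical least-privilege policy documents for the state
# bucket and lock table shown in the backend configuration. Not module code.
locals {
  bucket_arn = "arn:aws:s3:::simple-dev-tf-remote-state"
  state_arn  = "${local.bucket_arn}/terraform.tfstate"
}

# Assumption: the lock table lives in the caller's own account, in eu-west-1.
data "aws_caller_identity" "current" {}

# Read-only: enough for a terraform_remote_state data source, which only reads
# the state object and does not take the DynamoDB lock.
data "aws_iam_policy_document" "state_read_only" {
  statement {
    sid       = "ListStateBucket"
    actions   = ["s3:ListBucket"]
    resources = [local.bucket_arn]
  }
  statement {
    sid       = "ReadState"
    actions   = ["s3:GetObject"]
    resources = [local.state_arn]
  }
}

# Full access: read-only statements plus state writes and lock handling,
# which is what plan/apply against the s3 backend require.
data "aws_iam_policy_document" "state_full_access" {
  source_policy_documents = [data.aws_iam_policy_document.state_read_only.json]

  statement {
    sid       = "WriteState"
    actions   = ["s3:PutObject"]
    resources = [local.state_arn]
  }
  statement {
    sid     = "StateLock"
    actions = ["dynamodb:DescribeTable", "dynamodb:GetItem", "dynamodb:PutItem", "dynamodb:DeleteItem"]
    resources = [
      "arn:aws:dynamodb:eu-west-1:${data.aws_caller_identity.current.account_id}:table/simple-dev-tf-remote-state-lock",
    ]
  }
}
```

If the bucket is encrypted with a customer-managed KMS key (manage_kms_keys = true), both groups also need kms:Decrypt on that key, and the full-access group needs kms:GenerateDataKey.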
Name | Version |
---|---|
aws | n/a |
Name | Description | Type | Default | Required |
---|---|---|---|---|
dynamodb_billing_mode | The DynamoDB billing mode. PAY_PER_REQUEST or PROVISIONED | string | "PAY_PER_REQUEST" | no |
environment | Environment of the remote state. Also used as a prefix in names of related resources. | string | n/a | yes |
logging_prefix | A prefix in names for logging bucket | string | "logs/" | no |
manage_iam_role | Defines whether this module should generate and manage iam role for access | bool | true | no |
manage_kms_keys | Defines whether this module should generate and manage its own kms keys | bool | false | no |
manage_log_bucket | Defines whether this module should generate and manage its own s3 bucket for logging | bool | true | no |
path | State file name, i.e. terraform | string | "terraform" | no |
project | Project of the remote state. Also used as a prefix in names of related resources. | string | n/a | yes |
suffix | A suffix in names with delimiter '-' included | string | "-tf-remote-state" | no |
tags | A map of tags to add to all resources. | map(string) | {} | no |
Name | Description |
---|---|
bucket_id | n/a |
config_backend | Terraform excerpt with state backend configuration. |
config_data | Terraform data excerpt with state backend configuration. |
MIT