Awesome
terraform-aws-statebucket
Terraform module to provision a secure terraform state bucket for team use of IAC.
It's 100% Open Source and licensed under the APACHE2.
Versions
| Terraform Version | Statebucket Release |
|---|---|
| 0.12.x | 0.3.0 |
| 0.11.x | 0.2.25 |
Usage
Include this repository as a module in your existing Terraform code:
module statebucket {
source = "JamesWoolfenden/statebucket/aws"
version = "0.3.1"
}
Set-up as per example.
Use the generated remote_state.tf and change the bucket key for each subsequent service as required
terraform {
...
backend "s3" {
...
key = "<your-service>/<provider-service>/terraform.tfstate"
...
}
}
Instructions
When working with Terraform as part of a team, instead of a local terraform.tfstate file, a shared remote state store is required, for AWS this is a S3 bucket. But if we want to automate everything via Terraform? Traditionally we would have to create the initial bucket by hand via the console or by the cli and the resource unmanaged. The module and example solves the issue of creating a state bucket in Terraform using Terraform itself.
Chicken then Egg
The Makefile in folder examples\examplesA has a number of tasks, one specifically to create the initial bucket:
make first
This makes the lock DB table, the state (S3) bucket, fills out and creates the remote_state.tf file and then copies the state from the local disk to the bucket.PHEW. The State of the bucket is now managed along with any future resources.
On the second and subsequent runs you use:
make build
Features
This module implements state locking via DynamoDB, Versioning on files within the bucket and finally MFA Based deletes of the bucket itself.
The module also uses a tagging based on the map variable common_tags scheme.
This Scheme here uses as a minimum (see examplea.auto.tfvars):
common_tags = {
application = "terraform"
module = "statebucket"
environment = "develop"
authors = "James Woolfenden, Oliver Smit"
}
Costs
Monthly cost estimate
Project: .
Name Monthly Qty Unit Monthly Cost
module.statebucket.aws_dynamodb_table.dynamodb-state-lock
├─ Write capacity unit (WCU) 14,600 WCU-hours $11.27
├─ Read capacity unit (RCU) 14,600 RCU-hours $2.25
├─ Data storage Cost depends on usage: $0.30 per GB-months
├─ Point-In-Time Recovery (PITR) backup storage Cost depends on usage: $0.24 per GB-months
├─ On-demand backup storage Cost depends on usage: $0.12 per GB-months
├─ Table data restored Cost depends on usage: $0.18 per GB
└─ Streams read request unit (sRRU) Cost depends on usage: $0.000000237 per sRRUs
module.statebucket.aws_s3_bucket.state_bucket
└─ Standard
├─ Storage Cost depends on usage: $0.02 per GB-months
├─ PUT, COPY, POST, LIST requests Cost depends on usage: $0.0053 per 1k requests
├─ GET, SELECT, and all other requests Cost depends on usage: $0.00042 per 1k requests
├─ Select data scanned Cost depends on usage: $0.00225 per GB-months
└─ Select data returned Cost depends on usage: $0.0008 per GB-months
PROJECT TOTAL $13.53
Requirements
No requirements.
Providers
| Name | Version |
|---|---|
| <a name="provider_aws"></a> aws | n/a |
| <a name="provider_local"></a> local | n/a |
| <a name="provider_template"></a> template | n/a |
Modules
No modules.
Resources
| Name | Type |
|---|---|
| aws_dynamodb_table.dynamodb-state-lock | resource |
| aws_s3_bucket.state_bucket | resource |
| aws_s3_bucket_acl.state_bucket | resource |
| aws_s3_bucket_public_access_block.state_bucket | resource |
| aws_s3_bucket_server_side_encryption_configuration.state_bucket | resource |
| aws_s3_bucket_versioning.state_bucket | resource |
| local_file.remote_state | resource |
| aws_caller_identity.current | data source |
| aws_region.current | data source |
| template_file.remote_state | data source |
Inputs
| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| <a name="input_acl"></a> acl | Not Likely/Unwise to want a public state bucket, but here's the option | string | "private" | no |
| <a name="input_force_destroy"></a> force_destroy | Set force_destroy property - unlikely to anything else but may want rid of at some point | bool | false | no |
| <a name="input_sse_algorithm"></a> sse_algorithm | The type of encryption algorithm to use | string | "aws:kms" | no |
Outputs
| Name | Description |
|---|---|
| <a name="output_bucket_domain_name"></a> bucket_domain_name | The FQDN for the bucket |
| <a name="output_statebucket"></a> statebucket | The state bucket details |
Policy
This is the policy required to build this project:
<!-- BEGINNING OF PRE-COMMIT-PIKE DOCS HOOK -->The Terraform resource required is:
resource "aws_iam_policy" "terraform_pike" {
name_prefix = "terraform_pike"
path = "/"
description = "Pike Autogenerated policy from IAC"
policy = jsonencode({
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": [
"dynamodb:CreateTable",
"dynamodb:DeleteTable",
"dynamodb:DescribeContinuousBackups",
"dynamodb:DescribeTable",
"dynamodb:DescribeTimeToLive",
"dynamodb:ListTagsOfResource",
"dynamodb:UpdateTable",
"dynamodb:UpdateTimeToLive"
],
"Resource": "*"
},
{
"Sid": "VisualEditor1",
"Effect": "Allow",
"Action": [
"s3:CreateBucket",
"s3:DeleteBucket",
"s3:GetAccelerateConfiguration",
"s3:GetBucketAcl",
"s3:GetBucketCORS",
"s3:GetBucketLogging",
"s3:GetBucketObjectLockConfiguration",
"s3:GetBucketPolicy",
"s3:GetBucketPublicAccessBlock",
"s3:GetBucketRequestPayment",
"s3:GetBucketTagging",
"s3:GetBucketVersioning",
"s3:GetBucketWebsite",
"s3:GetEncryptionConfiguration",
"s3:GetLifecycleConfiguration",
"s3:GetObject",
"s3:GetObjectAcl",
"s3:GetReplicationConfiguration",
"s3:ListAllMyBuckets",
"s3:ListBucket",
"s3:PutBucketAcl",
"s3:PutBucketPublicAccessBlock",
"s3:PutBucketVersioning",
"s3:PutEncryptionConfiguration"
],
"Resource": "*"
}
]
})
}
Checkov Security tests
This module is scanned by Checkov - https://checkov.io and has 2 exclusions added:
#checkov:skip=CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
#checkov:skip=CKV_AWS_52: "Ensure S3 bucket has MFA delete enabled"
These are added because access logging was not required, and that MFA delete was unsuitable and difficult to automate.
Related Projects
Check out these related projects.
- terraform-aws-s3 - S3 buckets
Help
Got a question?
File a GitHub issue.
Contributing
Bug Reports & Feature Requests
Please use the issue tracker to report any bugs or file feature requests.
Copyrights
Copyright © 2019-2022 James Woolfenden
License
See LICENSE for full details.
Licensed to the Apache Software Foundation (ASF) under one or more contributor license agreements. See the NOTICE file distributed with this work for additional information regarding copyright ownership. The ASF licenses this file to you under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at
https://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.
Contributors
<br/>James Woolfenden<br/>
<br/>Oliver Smit