An S3 bucket with a DynamoDB table, compatible for use as a Terraform backend.

This module mostly enforces safe and known best practices:
- Use our S3 module with locked-down permissions.
- Set up a DynamoDB table compatible for use in the backend, using PAY PER REQUEST to minimize cost.

In case multiple Terraform projects are used on the same account, they should be differentiated by `var.name`. Creating separate modules increases separation without increasing cost, because all resources are either pay per use by default (S3) or configured to be so (DynamoDB).

The KMS key should be provided externally, as these incur a monthly 1 dollar cost. See `var.kms_key_arn` for this.

Run `pre-commit install` to install any guardrails implemented using pre-commit.
See the pre-commit installation instructions for how to install pre-commit.

This backend role provides the Terraform backend DynamoDB table and S3 bucket.
The role is used for any cross-account setups, but should also be used for in-account setups when possible. Currently our landing zone depends on this module, but we will also use it for stack accounts and perhaps later for in-account landing zones as well.

To use this module:
- The S3 bucket name is provided by the output `terraform_backend_s3_id`.
- The DynamoDB name is provided by the output `terraform_backend_dynamodb_name`.

Example `backend.tf` file:
Replace `bucket` and `dynamodb_table` accordingly. Set `role_arn` to the same role as your account provider.
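
```hcl
terraform {
  backend "s3" {
    # Same role as the one your account provider assumes.
    role_arn     = "arn:aws:iam::<account_id>:role/OrganizationAccountAccessRole"
    session_name = "TerraformStateUpdate"
    # Value of the terraform_backend_s3_id output.
    bucket = "See step 1)"
    key    = "terraform.tf"
    region = "eu-central-1"
    # Value of the terraform_backend_dynamodb_name output.
    dynamodb_table = "See step 2)"
  }
}
```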
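
The usage described above, as an added example that is not part of the module's own repository: two Terraform projects in one account get separate backends via `var.name`, share one externally provided KMS key, and expose the outputs that each project's `backend.tf` needs. The module path `./modules/terraform-backend`, the project names and the key settings are assumptions, and an AWS provider is assumed to be configured elsewhere.

```hcl
# Added example, not code from this module's repository.
# Assumption: the module is vendored at ./modules/terraform-backend
# (hypothetical path); "network" and "apps" are made-up project names.

# One KMS key created outside the module and shared by both backends,
# so the monthly per-key charge is paid once.
resource "aws_kms_key" "terraform_state" {
  description             = "Key passed to the Terraform backend modules"
  enable_key_rotation     = true
  deletion_window_in_days = 30
}

# One backend per Terraform project, told apart by var.name.
module "backend_network" {
  source      = "./modules/terraform-backend" # hypothetical path
  name        = "network"
  kms_key_arn = aws_kms_key.terraform_state.arn
}

module "backend_apps" {
  source      = "./modules/terraform-backend" # hypothetical path
  name        = "apps"
  kms_key_arn = aws_kms_key.terraform_state.arn
}

# Values to copy into each project's backend.tf
# (bucket and dynamodb_table).
output "network_backend" {
  value = {
    bucket         = module.backend_network.terraform_backend_s3_id
    dynamodb_table = module.backend_network.terraform_backend_dynamodb_name
  }
}

output "apps_backend" {
  value = {
    bucket         = module.backend_apps.terraform_backend_s3_id
    dynamodb_table = module.backend_apps.terraform_backend_dynamodb_name
  }
}
```

Backend blocks cannot reference variables or outputs, so the two output values are copied into each project's `backend.tf` as literals.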

Name | Version |
---|---|
aws | 4.57.0 |

Name | Source | Version |
---|---|---|
backend | [email protected]:TechNative-B-V/terraform-aws-module-s3.git/ | 3b39341b8f0ca25423f97ed3107411d6a4c6493f |
state_lock | [email protected]:TechNative-B-V/terraform-aws-module-dynamodb.git/ | 5fb90ad50328a36290b6572d5b56e9ff691e4385 |

Name | Type |
---|---|
aws_partition.current | data source |

Name | Description | Type | Default | Required |
---|---|---|---|---|
kms_key_arn | KMS key to use for encrypting EBS volumes. | `string` | `null` | no |
name | Name to allow this module to be deployed multiple times in the same account. | `string` | `""` | no |

Name | Description |
---|---|
terraform_backend_dynamodb_name | n/a |
terraform_backend_s3_id | n/a |