init, working s3 backend

2024-03-02 12:59:10 +01:00 · 2024-03-02 12:59:10 +01:00 · 949356cf4c
parent 9e3bb97f3e
commit 949356cf4c
5 changed files with 121 additions and 0 deletions
--- a/main.tf
+++ b/main.tf
@ -0,0 +1,57 @@
+# Thanks to https://blog.gruntwork.io/how-to-manage-terraform-state-28f5697e68fa
+
+resource "aws_s3_bucket" "terraform_state" {
+  bucket = "omnicognate-terraform-state"
+ 
+  # Prevent accidental deletion of this S3 bucket
+  lifecycle {
+    prevent_destroy = true
+  }
+  tags = merge(
+    { Name = "${var.resource_name_prefix}-aws_s3_bucket" },
+    var.common_tags,
+  )
+}
+
+resource "aws_s3_bucket_versioning" "enabled" {
+  bucket = aws_s3_bucket.terraform_state.id
+  versioning_configuration {
+    status = "Enabled"
+  }
+  
+}
+
+resource "aws_s3_bucket_server_side_encryption_configuration" "default" {
+  bucket = aws_s3_bucket.terraform_state.id
+
+  rule {
+    apply_server_side_encryption_by_default {
+      sse_algorithm = "AES256"
+    }
+  }
+  
+}
+
+resource "aws_s3_bucket_public_access_block" "public_access" {
+  bucket                  = aws_s3_bucket.terraform_state.id
+  block_public_acls       = true
+  block_public_policy     = true
+  ignore_public_acls      = true
+  restrict_public_buckets = true
+  
+}
+
+resource "aws_dynamodb_table" "terraform_locks" {
+  name         = "omnicognate-terraform-locks"
+  billing_mode = "PAY_PER_REQUEST"
+  hash_key     = "LockID"
+
+  attribute {
+    name = "LockID"
+    type = "S"
+  }
+  tags = merge(
+    { Name = "${var.resource_name_prefix}-aws_dynamodb_table" },
+    var.common_tags,
+  )
+}
--- a/outputs.tf
+++ b/outputs.tf
@ -0,0 +1,9 @@
+output "s3_bucket_arn" {
+  value       = aws_s3_bucket.terraform_state.arn
+  description = "The ARN of the S3 bucket"
+}
+
+output "dynamodb_table_name" {
+  value       = aws_dynamodb_table.terraform_locks.name
+  description = "The name of the DynamoDB table"
+}
--- a/providers.tf
+++ b/providers.tf
@ -0,0 +1,24 @@
+terraform {
+    backend "s3" {
+        bucket         = "omnicognate-terraform-state"
+        key            = "global/s3/terraform.tfstate"
+        region         = "eu-north-1"
+        dynamodb_table = "omnicognate-terraform-locks"
+        encrypt        = true
+    }
+    required_version = ">= 1.0.0"
+    required_providers {
+        aws = {
+            source  = "hashicorp/aws"
+            version = ">= 4.0.0"
+        }
+    }
+}
+provider "aws" {
+    region = var.aws_region
+    # using aws-vault to assume a role
+    assume_role {
+        duration = "1h" 
+        role_arn = var.role_arn 
+  }
+}
--- a/terraform.tfvars.example
+++ b/terraform.tfvars.example
@ -0,0 +1,5 @@
+# === user vars ===
+role_arn = ""
+
+# === required core vars ===
+aws_region = "eu-north-1"
--- a/variables.tf
+++ b/variables.tf
@ -0,0 +1,26 @@
+# === General ===
+
+variable "resource_name_prefix" {
+  type        = string
+  description = "Resource name prefix used for tagging and naming AWS resources"
+  default = "tf-state"
+}
+
+variable "aws_region" {
+  type        = string
+  description = "AWS region where Vault will be deployed"
+  default = "eu-north-1"
+}
+
+variable "role_arn" {
+  type        = string
+  description = "The assumed role to use for this project."
+}
+
+variable "common_tags" {
+  type        = map(string)
+  description = "(Optional) Map of common tags for all taggable AWS resources."
+  default     = {
+    "project" = "tf-state-on-s3"
+  }
+}