DevOps
/
my-terraform-s3-backend
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

DynamoDB table fix for Terraform locks

This commit is contained in:
matthieu42morin 2024-03-02 17:10:44 +01:00
parent 1915f7cfb5
commit 9da183258d
4 changed files with 32 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
.terraform.lock.hcl
View File

@ -3,7 +3,7 @@
provider "registry.terraform.io/hashicorp/aws" { provider "registry.terraform.io/hashicorp/aws" {
version = "5.39.0" version = "5.39.0"
constraints = ">= 4.0.0" constraints = ">= 5.0.0"
hashes = [ hashes = [
"h1:isoOv/JipnnPD3j8Df6XwGU1i4egjlygrgBv0RfsZ7g=", "h1:isoOv/JipnnPD3j8Df6XwGU1i4egjlygrgBv0RfsZ7g=",
"zh:01e405306470ed784bc9d38dbaeff394bd2c0f7d58e5592c5d0165c87d84e4b0", "zh:01e405306470ed784bc9d38dbaeff394bd2c0f7d58e5592c5d0165c87d84e4b0",

32
main.tf
View File

@ -14,15 +14,16 @@ resource "aws_s3_bucket" "terraform_state" {
} }
resource "aws_s3_bucket_versioning" "enabled" { resource "aws_s3_bucket_versioning" "enabled" {
bucket = aws_s3_bucket.terraform_state.id bucket = aws_s3_bucket.terraform_state.bucket
versioning_configuration { versioning_configuration {
status = "Enabled" status = "Enabled"
mfa_delete = "Disabled"
} }
} }
resource "aws_s3_bucket_server_side_encryption_configuration" "default" { resource "aws_s3_bucket_server_side_encryption_configuration" "default" {
bucket = aws_s3_bucket.terraform_state.id bucket = aws_s3_bucket.terraform_state.bucket
rule { rule {
apply_server_side_encryption_by_default { apply_server_side_encryption_by_default {
@ -33,7 +34,7 @@ resource "aws_s3_bucket_server_side_encryption_configuration" "default" {
} }
resource "aws_s3_bucket_public_access_block" "public_access" { resource "aws_s3_bucket_public_access_block" "public_access" {
bucket = aws_s3_bucket.terraform_state.id bucket = aws_s3_bucket.terraform_state.bucket
block_public_acls = true block_public_acls = true
block_public_policy = true block_public_policy = true
ignore_public_acls = true ignore_public_acls = true
@ -41,15 +42,40 @@ resource "aws_s3_bucket_public_access_block" "public_access" {
} }
# DynamoBD CMK
resource "aws_kms_key" "dynamodb" {
description = "DynamoDB Table Server side encryption"
enable_key_rotation = true
key_usage = "ENCRYPT_DECRYPT"
}
resource "aws_kms_alias" "dynamodb" {
name = format("alias/%s-dynamodb-CMK", var.resource_name_prefix,)
target_key_id = aws_kms_key.dynamodb.key_id
}
resource "aws_dynamodb_table" "terraform_locks" { resource "aws_dynamodb_table" "terraform_locks" {
name = "omnicognate-terraform-locks" name = "omnicognate-terraform-locks"
billing_mode = "PAY_PER_REQUEST" billing_mode = "PAY_PER_REQUEST"
hash_key = "LockID" hash_key = "LockID"
depends_on = [ aws_s3_bucket_versioning.enabled ]
attribute { attribute {
name = "LockID" name = "LockID"
type = "S" type = "S"
} }
server_side_encryption {
enabled = true
kms_key_arn = aws_kms_key.dynamodb.arn
}
point_in_time_recovery {
enabled = true
}
lifecycle {
prevent_destroy = true
}
tags = merge( tags = merge(
{ Name = "${var.resource_name_prefix}-aws_dynamodb_table" }, { Name = "${var.resource_name_prefix}-aws_dynamodb_table" },
var.common_tags, var.common_tags,

4
providers.tf
View File

@ -8,7 +8,7 @@ terraform {
required_providers { required_providers {
aws = { aws = {
source = "hashicorp/aws" source = "hashicorp/aws"
version = ">= 4.0.0" version = ">= 5.0.0"
} }
} }
} }
@ -16,7 +16,7 @@ provider "aws" {
region = var.aws_region region = var.aws_region
# using aws-vault to assume a role # using aws-vault to assume a role
assume_role { assume_role {
duration = "1h" duration = "3600s"
role_arn = var.role_arn role_arn = var.role_arn
} }
} }

BIN
s3remote.tfplan Normal file
View File

Binary file not shown.