forked from cloudposse/terraform-aws-tfstate-backend
-
Notifications
You must be signed in to change notification settings - Fork 0
/
README.yaml
211 lines (172 loc) · 7.34 KB
/
README.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
---
#
# This is the canonical configuration for the `README.md`
# Run `make readme` to rebuild the `README.md`
#
# Name of this project
name: terraform-aws-tfstate-backend
# Logo for this project
#logo: docs/logo.png
# License of this project
license: "APACHE2"
# Canonical GitHub repo
github_repo: cloudposse/terraform-aws-tfstate-backend
# Tags of this project
tags:
- aws
- terraform
- terraform-modules
- terraform-state
- terraform-state-backend
- remote-state
- s3
# Categories of this project
categories:
- terraform-modules/state
- terraform-modules/state-backend
# Badges to display
badges:
- name: "Latest Release"
image: "https://img.shields.io/github/release/cloudposse/terraform-aws-tfstate-backend.svg"
url: "https://github.com/cloudposse/terraform-aws-tfstate-backend/releases/latest"
- name: "Slack Community"
image: "https://slack.cloudposse.com/badge.svg"
url: "https://slack.cloudposse.com"
related:
- name: "terraform-aws-dynamodb"
description: "Terraform module that implements AWS DynamoDB with support for AutoScaling"
url: "https://github.com/cloudposse/terraform-aws-dynamodb"
- name: "terraform-aws-dynamodb-autoscaler"
description: "Terraform module to provision DynamoDB autoscaler"
url: "https://github.com/cloudposse/terraform-aws-dynamodb-autoscaler"
# Short description of this project
description: |-
Terraform module to provision an S3 bucket to store `terraform.tfstate` file and a DynamoDB table to lock the state file
to prevent concurrent modifications and state corruption.
The module supports the following:
1. Forced server-side encryption at rest for the S3 bucket
2. S3 bucket versioning to allow for Terraform state recovery in the case of accidental deletions and human errors
3. State locking and consistency checking via DynamoDB table to prevent concurrent operations
4. DynamoDB server-side encryption
https://www.terraform.io/docs/backends/types/s3.html
__NOTE:__ The operators of the module (IAM Users) must have permissions to create S3 buckets and DynamoDB tables when performing `terraform plan` and `terraform apply`
__NOTE:__ This module cannot be used to apply changes to the `mfa_delete` feature of the bucket. Changes regarding mfa_delete can only be made manually using the root credentials with MFA of the AWS Account where the bucket resides. Please see: https://github.com/terraform-providers/terraform-provider-aws/issues/62
# How to use this project
usage: |-
### Create
Follow this procedure just once to create your deployment.
1. Add the `terraform_state_backend` module to your `main.tf` file. The
comment will help you remember to follow this procedure in the future:
```hcl
# You cannot create a new backend by simply defining this and then
# immediately proceeding to "terraform apply". The S3 backend must
# be bootstrapped according to the simple yet essential procedure in
# https://github.com/cloudposse/terraform-aws-tfstate-backend#usage
module "terraform_state_backend" {
source = "cloudposse/tfstate-backend/aws"
# Cloud Posse recommends pinning every module to a specific version
# version = "x.x.x"
namespace = "eg"
stage = "test"
name = "terraform"
attributes = ["state"]
terraform_backend_config_file_path = "."
terraform_backend_config_file_name = "backend.tf"
force_destroy = false
}
# Your Terraform configuration
module "another_module" {
source = "....."
}
```
Module inputs `terraform_backend_config_file_path` and
`terraform_backend_config_file_name` control the name of the backend
definition file. Note that when `terraform_backend_config_file_path` is
empty (the default), no file is created.
1. `terraform init`. This downloads Terraform modules and providers.
1. `terraform apply -auto-approve`. This creates the state bucket and DynamoDB locking
table, along with anything else you have defined in your `*.tf` file(s). At
this point, the Terraform state is still stored locally.
Module `terraform_state_backend` also creates a new `backend.tf` file
that defines the S3 state backend. For example:
```hcl
backend "s3" {
region = "us-east-1"
bucket = "< the name of the S3 state bucket >"
key = "terraform.tfstate"
dynamodb_table = "< the name of the DynamoDB locking table >"
profile = ""
role_arn = ""
encrypt = true
}
```
Henceforth, Terraform will also read this newly-created backend definition
file.
1. `terraform init -force-copy`. Terraform detects that you want to move your
Terraform state to the S3 backend, and it does so per `-auto-approve`. Now the
state is stored in the S3 bucket, and the DynamoDB table will be used to lock
the state to prevent concurrent modification.
This concludes the one-time preparation. Now you can extend and modify your
Terraform configuration as usual.
### Destroy
Follow this procedure to delete your deployment.
1. In `main.tf`, change the `terraform_state_backend` module arguments as
follows:
```hcl
module "terraform_state_backend" {
# ...
terraform_backend_config_file_path = ""
force_destroy = true
}
```
1. `terraform apply -target module.terraform_state_backend -auto-approve`.
This implements the above modifications by deleting the `backend.tf` file
and enabling deletion of the S3 state bucket.
1. `terraform init -force-copy`. Terraform detects that you want to move your
Terraform state from the S3 backend to local files, and it does so per
`-auto-approve`. Now the state is once again stored locally and the S3
state bucket can be safely deleted.
1. `terraform destroy`. This deletes all resources in your deployment.
1. Examine local state file `terraform.tfstate` to verify that it contains
no resources.
<br/>
![s3-bucket-with-terraform-state](images/s3-bucket-with-terraform-state.png)
### Bucket Replication (Disaster Recovery)
To enable S3 bucket replication in this module, set `s3_replication_enabled` to `true` and populate `s3_replica_bucket_arn` with the ARN of an existing bucket.
```hcl
module "terraform_state_backend" {
source = "cloudposse/tfstate-backend/aws"
# Cloud Posse recommends pinning every module to a specific version
# version = "x.x.x"
namespace = "eg"
stage = "test"
name = "terraform"
attributes = ["state"]
terraform_backend_config_file_path = "."
terraform_backend_config_file_name = "backend.tf"
force_destroy = false
s3_replication_enabled = true
s3_replica_bucket_arn = "arn:aws:s3:::eg-test-terraform-tfstate-replica"
}
```
include:
- "docs/targets.md"
- "docs/terraform.md"
# Contributors to this project
contributors:
- name: "Andriy Knysh"
github: "aknysh"
- name: "Erik Osterman"
github: "osterman"
- name: "Maarten van der Hoef"
github: "maartenvanderhoef"
- name: "Vladimir"
github: "SweetOps"
- name: "Chris Weyl"
github: "rsrchboy"
- name: "John McGehee"
github: "jmcgeheeiv"
- name: "Oliver L Schoenborn"
github: "schollii"
- name: "RB"
github: "nitrocode"