Creates a backend S3 bucket and DynamoDB table for managing Terraform state. Note that when bootstrapping a new environment, it is typically easier to use a separate method for creating the bucket and lock table. This module is intended to create a backend in an AWS account that is already Terraform-managed. This is useful for storing the state of other accounts externally, which is always preferred.
Breaking Changes
Previous versions of this module had support for cross-account management in a way that proved awkward for many use cases and made it more difficult than it should have been to fully secure the tfstate between accounts. Version 4.x and later eliminate support for this and refocus the module on using centralized tfstate buckets with cross-account role assumption for execution of Terraform. As a result, many variable names have changed and functionality has been dropped. Upgrade to this version at your own peril.
```hcl
module "backend" {
  source = "rhythmictech/backend/aws"

  # Input names follow the 4.x variables of this module (bucket_name,
  # dynamo_locktable_name). There is no region input: the module reads the
  # region from the AWS provider it is called with.
  bucket_name           = "project-tfstate"
  dynamo_locktable_name = "tf-locktable"
}
```
To use this bucket to manage the state for other AWS accounts, you must create IAM roles in those accounts and allow the users who run Terraform to assume them.
See Use AssumeRole to Provision AWS Resources Across Accounts for more information on this pattern.
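As an added example (not part of this module's README), the consumer side of that pattern: a configuration for a second account that keeps its state in the bucket and lock table created above and assumes the module's default "Terraform" role. The account IDs, state key, KMS key ARN and external ID are constructed placeholders.

```hcl
# Added example, not module code. Constructed IDs: 111111111111 is the
# Terraform-managed account that owns the state bucket, 222222222222 is the
# account being provisioned, which holds the role created by the module's
# assumerole CloudFormation template.
terraform {
  backend "s3" {
    bucket         = "project-tfstate"   # module output s3_bucket_backend
    key            = "accounts/222222222222/terraform.tfstate"
    region         = "us-east-1"
    dynamodb_table = "tf-locktable"      # lock table created by the module
    encrypt        = true
    # module output kms_key_arn (placeholder key id)
    kms_key_id = "arn:aws:kms:us-east-1:111111111111:key/KEY-ID-PLACEHOLDER"
  }
}

provider "aws" {
  region = "us-east-1"

  # Terraform runs with credentials from the central account and assumes the
  # role in the target account, so no state is ever written into that account.
  assume_role {
    role_arn    = "arn:aws:iam::222222222222:role/Terraform" # assumerole_role_name default
    external_id = "EXTERNAL-ID-PLACEHOLDER"                  # value of assumerole_role_external_id
  }
}
```

The identity running Terraform needs read/write access to the bucket, the lock table and the KMS key in the central account; the target account only needs to trust that identity for the role.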
Requirements

Name | Version |
---|---|
terraform | >= 0.14 |
aws | >= 4.0 |
local | >= 2.0 |
random | >= 3.0 |
Providers

Name | Version |
---|---|
aws | 4.28.0 |
local | 2.2.3 |
random | 3.4.1 |
Modules

No modules.
Resources

Name | Type |
---|---|
aws_dynamodb_table.this | resource |
aws_kms_alias.this | resource |
aws_kms_key.this | resource |
aws_s3_bucket.this | resource |
aws_s3_bucket_lifecycle_configuration.this | resource |
aws_s3_bucket_logging.this | resource |
aws_s3_bucket_ownership_controls.this | resource |
aws_s3_bucket_public_access_block.this | resource |
aws_s3_bucket_server_side_encryption_configuration.this | resource |
aws_s3_bucket_versioning.this | resource |
local_file.assumerole_addrole | resource |
local_sensitive_file.assumerole_tfassumerole | resource |
random_password.external_id | resource |
aws_caller_identity.current | data source |
aws_iam_policy_document.key | data source |
aws_partition.current | data source |
aws_region.current | data source |
Inputs

Name | Description | Type | Default | Required |
---|---|---|---|---|
assumerole_role_attach_policies | Policy ARNs to attach to role (can be managed or custom but must exist) | list(string) | [ | no |
assumerole_role_external_id | External ID to attach to role (this is required; a random ID will be generated if not specified here) | string | null | no |
assumerole_role_name | Name of role to create in assumerole template | string | "Terraform" | no |
assumerole_stack_name | Name of CloudFormation stack | string | "tf-assumerole" | no |
bucket_name | Name of bucket to hold tf state | string | n/a | yes |
create_assumerole_template | If true, create a CloudFormation template that can be run against accounts to create an assumable role | bool | false | no |
dynamo_locktable_name | Name of lock table for Terraform | string | "tf-locktable" | no |
kms_alias_name | Name of KMS alias | string | null | no |
kms_key_id | ARN of KMS key for all encryption operations (a key will be created if this is not provided) | string | null | no |
lifecycle_rules | Lifecycle rules to apply to the bucket (set to null to skip lifecycle rules) | list(object( | [ | no |
logging_target_bucket | The name of the bucket that will receive the log objects (logging will be disabled if null) | string | null | no |
logging_target_prefix | A key prefix for log objects | string | null | no |
tags | Mapping of any extra tags you want added to resources | map(string) | {} | no |
Outputs

Name | Description |
---|---|
kms_key_arn | ARN of KMS key for S3 bucket |
s3_bucket_backend | S3 bucket |