Terraform Module to create Terraform state storage backend based on AWS S3 and DynamoDB for state locking.

squareops/terraform-aws-tfstate

AWS tfstate Terraform module

SquareOps Technologies: Your DevOps Partner for Accelerating cloud journey.

Terraform module to create Remote State Storage resources for workload deployment on AWS Cloud.

Usage Example

```hcl
module "backend" {
  source                       = "squareops/tfstate/aws"
  logging                      = true
  bucket_name                  = "production-tfstate-bucket" # unique global S3 bucket name
  environment                  = "prod"
  force_destroy                = true
  versioning_enabled           = true
  cloudwatch_logging_enabled   = true
  log_retention_in_days        = 90
  log_bucket_lifecycle_enabled = true
  s3_ia_retention_in_days      = 90
  s3_galcier_retention_in_days = 180
}
```

Refer to the examples directory for more details.

IAM Permissions

The IAM permissions required to create resources with this module can be found here.

Important Note

Terraform state locking is a mechanism used to prevent multiple users from simultaneously making changes to the same Terraform state, which could result in conflicts and data loss. A state lock is acquired and maintained by Terraform while it is making changes to the state, and other instances of Terraform are unable to make changes until the lock is released.

An Amazon S3 bucket and a DynamoDB table can be used as a remote backend to store and manage the Terraform state file, and also to implement state locking. The S3 bucket is used to store the state file, while the DynamoDB table is used to store the lock information, such as who acquired the lock and when. Terraform will check the lock state in the DynamoDB table before making changes to the state file in the S3 bucket, and will wait or retry if the lock is already acquired by another instance. This provides a centralized and durable mechanism for managing the Terraform state and ensuring that changes are made in a controlled and safe manner.
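The backend block that points a workload at the bucket and lock table created above is not shown in this README; the following is an added example, not the module's own code. The bucket name comes from the usage example, while the state key, region and DynamoDB table name are assumed placeholders to be replaced with the values the module outputs after apply.

```hcl
terraform {
  required_version = ">= 1.0"

  backend "s3" {
    # Bucket created by the module call in the usage example above.
    bucket = "production-tfstate-bucket"

    # Object key for this workload's state inside the bucket (assumed path).
    key = "prod/network/terraform.tfstate"

    # Region of the bucket and table (assumed value).
    region = "us-east-1"

    # DynamoDB table holding the lock items; placeholder name, use the
    # table name the module outputs after apply.
    dynamodb_table = "production-tfstate-lock"

    # Encrypt the state object at rest; state files carry resource
    # attributes and secrets, so this should never be left false.
    encrypt = true
  }
}
```

Because the module's own state is created before the bucket exists, apply the module with local state first, then add this block and run `terraform init -migrate-state` so that state moves into the new backend.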

Additionally, you may have a log bucket configured to store CloudTrail and CloudWatch logs. This log bucket can have a bucket lifecycle policy in place to automatically manage the lifecycle of log data. For example, log data can be transitioned to Amazon S3 Infrequent Access storage after a certain period and later to Amazon S3 Glacier for long-term storage, as the retention inputs in the usage example above configure. This helps in optimizing storage costs and ensures that log data is retained according to your organization's compliance requirements.

Security & Compliance

Security scanning is graciously provided by Prowler. Prowler is the leading fully hosted, cloud-native solution providing continuous cloud security and compliance.

In this module, we have implemented the following CIS Compliance checks for S3:

| Benchmark Description | Status |
|---|---|
| Ensure S3 bucket access logging is enabled on the CloudTrail S3 bucket | Enabled for S3 created using this module. |
| Ensure the S3 bucket CloudTrail logs to is not publicly accessible | Enabled for S3 created using this module. |

Requirements

| Name | Version |
|---|---|
| terraform | >= 1.0 |
| aws | >= 4.9 |

Providers

| Name | Version |
|---|---|
| aws | >= 4.9 |