SquareOps Technologies: your DevOps partner for accelerating your cloud journey.
Terraform module that creates the remote state storage resources (an S3 bucket for the state file, a DynamoDB table for state locking, and optional access/CloudWatch logging) used for workload deployment on AWS.
```hcl
module "backend" {
  source = "squareops/tfstate/aws"
  # Pin a module version in real use so a registry update cannot silently
  # change the resources that hold your state.

  logging     = true
  bucket_name = "production-tfstate-bucket" # S3 bucket names are globally unique; choose your own
  environment = "prod"

  # force_destroy = true lets `terraform destroy` delete the bucket even while it
  # still holds state objects and their versions. Keep it false for a real
  # production state bucket.
  force_destroy      = true
  versioning_enabled = true

  cloudwatch_logging_enabled = true
  log_retention_in_days      = 90

  # Log bucket lifecycle: objects move to Infrequent Access after 90 days and on
  # to Glacier after 180 days. The IA transition must come before the Glacier one.
  log_bucket_lifecycle_enabled = true
  s3_ia_retention_in_days      = 90
  s3_galcier_retention_in_days = 180
}
```
Refer to the examples for more details.
The IAM permissions required to create the resources in this module can be found here.
Terraform state locking prevents two Terraform runs from modifying the same state at the same time, which would otherwise risk conflicting writes and lost state. Terraform acquires the lock before it reads or writes state and holds it for the duration of the operation; other Terraform instances targeting the same state cannot write until the lock is released.
An Amazon S3 bucket together with a DynamoDB table serves as the remote backend: the bucket stores the state file, and the table stores the lock record (who holds the lock, when it was taken, and which operation is in progress). Before touching the state object in S3, Terraform attempts to create the lock item in DynamoDB. If another instance already holds it, the run fails with a lock error (or waits, if `-lock-timeout` is set) instead of proceeding. The result is a centralized, durable state store in which changes are serialized and applied in a controlled, safe manner.
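The consumer side of the resources described above, as an added example rather than the module's own code: the backend block a workload root module uses to store its state in the bucket and lock it through the DynamoDB table. The bucket name, table name, key and region are placeholders; substitute the names your module instance actually created. The DynamoDB table must have a partition key named `LockID` of type String, which is the key Terraform's S3 backend reads and writes.

```hcl
terraform {
  backend "s3" {
    bucket         = "production-tfstate-bucket"      # state bucket created by the module
    key            = "prod/network/terraform.tfstate" # one key per root module; never share a key
    region         = "us-east-1"                      # assumed region
    dynamodb_table = "production-tfstate-lock"        # assumed lock table name; partition key LockID (String)
    encrypt        = true                             # server-side encryption for the state object
  }
}
```

Run `terraform init` in the root module to migrate to this backend. Each root module needs its own `key`; two root modules sharing a key would overwrite each other's state even with locking in place, because the lock only serializes writes, it does not separate them. If a run is killed and leaves its lock behind, `terraform force-unlock <LOCK_ID>` releases it; confirm no other run is active before doing so. Terraform 1.10 and later can also lock with `use_lockfile = true` directly in S3, but with the DynamoDB table this module provides, `dynamodb_table` is the setting to use.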
Additionally, you may have a log bucket configured (`logging = true`) to store the S3 access logs along with CloudTrail and CloudWatch logs. This log bucket can have a bucket lifecycle policy that manages log data automatically: objects are transitioned to S3 Standard-Infrequent Access after a set period (`s3_ia_retention_in_days`) and later to Amazon S3 Glacier for long-term storage (`s3_galcier_retention_in_days`). Transitions only move in that direction, from Standard to Infrequent Access to Glacier; S3 does not move objects back from Glacier to a warmer class, so the IA threshold must be the smaller of the two. This keeps storage costs down while retaining log data for as long as your organization's compliance requirements demand.
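What such a lifecycle policy looks like as a plain AWS provider resource, added here as an illustration and not the module's own code. The log bucket name is assumed. The two `transition` blocks reproduce the 90/180-day tiering from the module inputs above, with the Infrequent Access step first because S3 rejects a rule that moves objects from Glacier back to IA; the `expiration` and `abort_incomplete_multipart_upload` settings are additions that a log bucket usually wants, with the retention period to be set to your compliance window.

```hcl
resource "aws_s3_bucket_lifecycle_configuration" "logs" {
  bucket = "production-tfstate-bucket-logs" # assumed log bucket name

  rule {
    id     = "tier-down-and-expire-logs"
    status = "Enabled"

    # Empty filter: the rule applies to every object in the bucket.
    filter {}

    # Step 1: Standard -> Standard-IA after 90 days (minimum allowed is 30).
    transition {
      days          = 90
      storage_class = "STANDARD_IA"
    }

    # Step 2: Standard-IA -> Glacier after 180 days. Must be later than step 1.
    transition {
      days          = 180
      storage_class = "GLACIER"
    }

    # Delete log objects once the retention window has passed (assumed 365 days).
    expiration {
      days = 365
    }

    # Do not pay for abandoned multipart uploads of large log files.
    abort_incomplete_multipart_upload {
      days_after_initiation = 7
    }
  }
}
```

If the log bucket is versioned, add a `noncurrent_version_expiration` block as well; otherwise overwritten log objects accumulate as noncurrent versions that the `expiration` rule above does not remove.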
Security scanning is graciously provided by Prowler. Prowler is an open-source cloud security assessment tool that checks AWS accounts against security best practices and compliance frameworks such as the CIS AWS Foundations Benchmark.
In this module, the following CIS Benchmark checks for S3 are implemented:

| Benchmark | Description | Status |
|---|---|---|
| Ensure S3 bucket access logging is enabled on the CloudTrail S3 bucket | Enabled for the S3 bucket created by this module. | ✔ |
| Ensure the S3 bucket used to store CloudTrail logs is not publicly accessible | Enforced for the S3 bucket created by this module. | ✔ |
Requirements

| Name | Version |
|---|---|
| terraform | >= 1.0 |
| aws | >= 4.9 |

Providers

| Name | Version |
|---|---|
| aws | >= 4.9 |