{"id":48026335,"url":"https://github.com/binbashar/terraform-aws-tfstate-backend","last_synced_at":"2026-04-04T13:50:39.620Z","repository":{"id":40535794,"uuid":"177150879","full_name":"binbashar/terraform-aws-tfstate-backend","owner":"binbashar","description":null,"archived":false,"fork":false,"pushed_at":"2024-01-24T15:47:46.000Z","size":738,"stargazers_count":5,"open_issues_count":0,"forks_count":5,"subscribers_count":9,"default_branch":"master","last_synced_at":"2024-05-01T09:52:02.283Z","etag":null,"topics":["bb-le-mod-terraform","binbash-terraform","terraform"],"latest_commit_sha":null,"homepage":null,"language":"HCL","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/binbashar.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":null,"funding":".github/FUNDING.yml","license":"LICENSE.md","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":".github/CODEOWNERS","security":null,"support":null,"governance":null,"roadmap":null,"authors":null},"funding":{"github":"binbashar"}},"created_at":"2019-03-22T14:04:16.000Z","updated_at":"2024-04-28T00:12:00.000Z","dependencies_parsed_at":"2023-02-17T20:31:35.448Z","dependency_job_id":"d6d2cf4d-f515-44f2-8350-f39c6b09225a","html_url":"https://github.com/binbashar/terraform-aws-tfstate-backend","commit_stats":null,"previous_names":[],"tags_count":33,"template":false,"template_full_name":null,"purl":"pkg:github/binbashar/terraform-aws-tfstate-backend","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/binbashar%2Fterraform-aws-tfstate-backend","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/binbashar%2Fterraform-aws-tfstate-backend/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/binbashar%2Fterraform-aws-tfstate-backend/releases","manifests_
url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/binbashar%2Fterraform-aws-tfstate-backend/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/binbashar","download_url":"https://codeload.github.com/binbashar/terraform-aws-tfstate-backend/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/binbashar%2Fterraform-aws-tfstate-backend/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":31402276,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-04-04T10:20:44.708Z","status":"ssl_error","status_checked_at":"2026-04-04T10:20:06.846Z","response_time":60,"last_error":"SSL_read: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["bb-le-mod-terraform","binbash-terraform","terraform"],"created_at":"2026-04-04T13:50:39.518Z","updated_at":"2026-04-04T13:50:39.590Z","avatar_url":"https://github.com/binbashar.png","language":"HCL","funding_links":["https://github.com/sponsors/binbashar"],"categories":[],"sub_categories":[],"readme":"\u003ca href=\"https://github.com/binbashar\"\u003e\n    \u003cimg src=\"https://raw.githubusercontent.com/binbashar/le-ref-architecture-doc/master/docs/assets/images/logos/binbash-leverage-banner.png\" width=\"1032\" align=\"left\" alt=\"Binbash\"/\u003e\n\u003c/a\u003e\n\u003cbr clear=\"left\"/\u003e\n\n# Terraform Module: Terraform Backend\n## Overview\nTerraform module to 
provision an S3 bucket to store terraform.tfstate file and a\nDynamoDB table to lock the state file to prevent concurrent modifications and state corruption.\n\n\u003cdiv align=\"left\"\u003e\n  \u003cimg src=\"https://raw.githubusercontent.com/binbashar/terraform-aws-tfstate-backend/master/figures/binbash-aws-s3-backend.png\" alt=\"leverage\" width=\"330\"/\u003e\n\u003c/div\u003e\n\n### AWS Org implementation example\n\nWe have a tfstate S3 Bucket per account\n\u003cdiv align=\"left\"\u003e\n  \u003cimg src=\"https://raw.githubusercontent.com/binbashar/terraform-aws-tfstate-backend/master/figures/binbash-aws-s3-backend-complete.png\" alt=\"leverage\" width=\"730\"/\u003e\n\u003c/div\u003e\n\n## Releases\n- **Versions:** `\u003c= 0.x.y` (Terraform 0.11.x compatible)\n    - eg: https://registry.terraform.io/modules/binbashar/tfstate-backend/aws/0.0.1\n\n- **Versions:** `\u003e= 1.x.y` (Terraform 0.12.x compatible)\n    - eg: https://registry.terraform.io/modules/binbashar/tfstate-backend/aws/1.0.0\n\n\u003c!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK --\u003e\n## Requirements\n\n| Name | Version |\n|------|---------|\n| \u003ca name=\"requirement_terraform\"\u003e\u003c/a\u003e [terraform](#requirement\\_terraform) | \u003e= 1.1.9 |\n| \u003ca name=\"requirement_aws\"\u003e\u003c/a\u003e [aws](#requirement\\_aws) | ~\u003e 5.0 |\n\n## Providers\n\n| Name | Version |\n|------|---------|\n| \u003ca name=\"provider_aws\"\u003e\u003c/a\u003e [aws](#provider\\_aws) | 5.21.0 |\n| \u003ca name=\"provider_aws.primary\"\u003e\u003c/a\u003e [aws.primary](#provider\\_aws.primary) | 5.21.0 |\n| \u003ca name=\"provider_aws.secondary\"\u003e\u003c/a\u003e [aws.secondary](#provider\\_aws.secondary) | 5.21.0 |\n| \u003ca name=\"provider_local\"\u003e\u003c/a\u003e [local](#provider\\_local) | 2.4.0 |\n| \u003ca name=\"provider_time\"\u003e\u003c/a\u003e [time](#provider\\_time) | 0.9.1 |\n\n## Modules\n\nNo modules.\n\n## Resources\n\n| Name | Type |\n|------|------|\n| 
[aws_cloudwatch_metric_alarm.dynamodb_capacity](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_metric_alarm) | resource |\n| [aws_dynamodb_table.with_server_side_encryption](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/dynamodb_table) | resource |\n| [aws_dynamodb_table.without_server_side_encryption](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/dynamodb_table) | resource |\n| [aws_iam_policy.bucket_replication](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |\n| [aws_iam_policy_attachment.bucket_replication](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy_attachment) | resource |\n| [aws_iam_role.bucket_replication](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |\n| [aws_kms_key.primary](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_key) | resource |\n| [aws_kms_key_policy.primary](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_key_policy) | resource |\n| [aws_kms_key_policy.secondary](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_key_policy) | resource |\n| [aws_kms_replica_key.secondary](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_replica_key) | resource |\n| [aws_s3_bucket.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket) | resource |\n| [aws_s3_bucket.replication_bucket](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket) | resource |\n| [aws_s3_bucket_acl.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_acl) | resource |\n| 
[aws_s3_bucket_lifecycle_configuration.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_lifecycle_configuration) | resource |\n| [aws_s3_bucket_lifecycle_configuration.replication_bucket](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_lifecycle_configuration) | resource |\n| [aws_s3_bucket_notification.bucket_notification](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_notification) | resource |\n| [aws_s3_bucket_ownership_controls.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_ownership_controls) | resource |\n| [aws_s3_bucket_policy.bucket_replication](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_policy) | resource |\n| [aws_s3_bucket_policy.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_policy) | resource |\n| [aws_s3_bucket_policy.default-ssl-vpc](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_policy) | resource |\n| [aws_s3_bucket_public_access_block.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_public_access_block) | resource |\n| [aws_s3_bucket_public_access_block.replication_bucket](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_public_access_block) | resource |\n| [aws_s3_bucket_replication_configuration.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_replication_configuration) | resource |\n| [aws_s3_bucket_server_side_encryption_configuration.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_server_side_encryption_configuration) | resource |\n| 
[aws_s3_bucket_server_side_encryption_configuration.replication_bucket](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_server_side_encryption_configuration) | resource |\n| [aws_s3_bucket_versioning.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_versioning) | resource |\n| [aws_s3_bucket_versioning.replication_bucket](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_versioning) | resource |\n| [aws_sns_topic.topic](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sns_topic) | resource |\n| [aws_sqs_queue.queue](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sqs_queue) | resource |\n| [local_file.backend_config](https://registry.terraform.io/providers/hashicorp/local/latest/docs/resources/file) | resource |\n| [time_sleep.wait_30_secs](https://registry.terraform.io/providers/hashicorp/time/latest/docs/resources/sleep) | resource |\n| [aws_caller_identity.primary](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |\n| [aws_caller_identity.secondary](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |\n| [aws_iam_policy_document.bucket_replication](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |\n| [aws_iam_policy_document.default-ssl](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |\n| [aws_iam_policy_document.default-ssl-vpc](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |\n| [aws_iam_policy_document.primary](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |\n| 
[aws_iam_policy_document.queue](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |\n| [aws_iam_policy_document.secondary](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |\n| [aws_iam_policy_document.topic](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |\n| [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source |\n\n## Inputs\n\n| Name | Description | Type | Default | Required |\n|------|-------------|------|---------|:--------:|\n| \u003ca name=\"input_acl\"\u003e\u003c/a\u003e [acl](#input\\_acl) | The canned ACL to apply to the S3 bucket | `string` | `\"private\"` | no |\n| \u003ca name=\"input_additional_tag_map\"\u003e\u003c/a\u003e [additional\\_tag\\_map](#input\\_additional\\_tag\\_map) | Additional tags for appending to each tag map | `map(string)` | `{}` | no |\n| \u003ca name=\"input_attributes\"\u003e\u003c/a\u003e [attributes](#input\\_attributes) | Additional attributes (e.g. `state`) | `list(string)` | \u003cpre\u003e[\u003cbr\u003e  \"state\"\u003cbr\u003e]\u003c/pre\u003e | no |\n| \u003ca name=\"input_backend_config_filename\"\u003e\u003c/a\u003e [backend\\_config\\_filename](#input\\_backend\\_config\\_filename) | Name of the backend configuration file to generate. | `string` | `\"backend.tf\"` | no |\n| \u003ca name=\"input_backend_config_filepath\"\u003e\u003c/a\u003e [backend\\_config\\_filepath](#input\\_backend\\_config\\_filepath) | Directory where the backend configuration file should be generated. | `string` | `\"\"` | no |\n| \u003ca name=\"input_backend_config_profile\"\u003e\u003c/a\u003e [backend\\_config\\_profile](#input\\_backend\\_config\\_profile) | AWS profile to use when interfacing the backend infrastructure. 
| `string` | `\"\"` | no |\n| \u003ca name=\"input_backend_config_role_arn\"\u003e\u003c/a\u003e [backend\\_config\\_role\\_arn](#input\\_backend\\_config\\_role\\_arn) | ARN of the AWS role to assume when interfacing the backend infrastructure, if any. | `string` | `\"\"` | no |\n| \u003ca name=\"input_backend_config_state_file\"\u003e\u003c/a\u003e [backend\\_config\\_state\\_file](#input\\_backend\\_config\\_state\\_file) | Name of the state file in the S3 bucket to use. | `string` | `\"terraform.tfstate\"` | no |\n| \u003ca name=\"input_backend_config_template_file\"\u003e\u003c/a\u003e [backend\\_config\\_template\\_file](#input\\_backend\\_config\\_template\\_file) | Path to the template file to use when generating the backend configuration. | `string` | `\"\"` | no |\n| \u003ca name=\"input_billing_mode\"\u003e\u003c/a\u003e [billing\\_mode](#input\\_billing\\_mode) | DynamoDB billing mode. Can be PROVISIONED or PAY\\_PER\\_REQUEST | `string` | `\"PAY_PER_REQUEST\"` | no |\n| \u003ca name=\"input_block_public_acls\"\u003e\u003c/a\u003e [block\\_public\\_acls](#input\\_block\\_public\\_acls) | Whether Amazon S3 should block public ACLs for this bucket. | `bool` | `true` | no |\n| \u003ca name=\"input_block_public_policy\"\u003e\u003c/a\u003e [block\\_public\\_policy](#input\\_block\\_public\\_policy) | Whether Amazon S3 should block public bucket policies for this bucket. 
| `bool` | `true` | no |\n| \u003ca name=\"input_bucket_lifecycle_enabled\"\u003e\u003c/a\u003e [bucket\\_lifecycle\\_enabled](#input\\_bucket\\_lifecycle\\_enabled) | Enable/Disable bucket lifecycle | `bool` | `true` | no |\n| \u003ca name=\"input_bucket_lifecycle_expiration\"\u003e\u003c/a\u003e [bucket\\_lifecycle\\_expiration](#input\\_bucket\\_lifecycle\\_expiration) | Number of days after which to expunge the objects | `number` | `90` | no |\n| \u003ca name=\"input_bucket_lifecycle_transition_glacier\"\u003e\u003c/a\u003e [bucket\\_lifecycle\\_transition\\_glacier](#input\\_bucket\\_lifecycle\\_transition\\_glacier) | Number of days after which to move the data to the GLACIER storage class | `number` | `60` | no |\n| \u003ca name=\"input_bucket_lifecycle_transition_standard_ia\"\u003e\u003c/a\u003e [bucket\\_lifecycle\\_transition\\_standard\\_ia](#input\\_bucket\\_lifecycle\\_transition\\_standard\\_ia) | Number of days after which to move the data to the STANDARD\\_IA storage class | `number` | `30` | no |\n| \u003ca name=\"input_bucket_replication_enabled\"\u003e\u003c/a\u003e [bucket\\_replication\\_enabled](#input\\_bucket\\_replication\\_enabled) | Enable/Disable replica for S3 bucket (for cross region replication purpose) | `bool` | `true` | no |\n| \u003ca name=\"input_bucket_replication_name\"\u003e\u003c/a\u003e [bucket\\_replication\\_name](#input\\_bucket\\_replication\\_name) | Set custom name for S3 Bucket Replication | `string` | `\"replica\"` | no |\n| \u003ca name=\"input_bucket_replication_name_suffix\"\u003e\u003c/a\u003e [bucket\\_replication\\_name\\_suffix](#input\\_bucket\\_replication\\_name\\_suffix) | Set custom suffix for S3 Bucket Replication IAM Role/Policy | `string` | `\"bucket-replication\"` | no |\n| \u003ca name=\"input_context\"\u003e\u003c/a\u003e [context](#input\\_context) | Default context to use for passing state between label invocations | `map(string)` | `{}` | no |\n| \u003ca 
name=\"input_create_kms_key\"\u003e\u003c/a\u003e [create\\_kms\\_key](#input\\_create\\_kms\\_key) | Whether to create a KMS key | `bool` | `true` | no |\n| \u003ca name=\"input_delimiter\"\u003e\u003c/a\u003e [delimiter](#input\\_delimiter) | Delimiter to be used between `namespace`, `environment`, `stage`, `name` and `attributes` | `string` | `\"-\"` | no |\n| \u003ca name=\"input_dynamodb_monitoring\"\u003e\u003c/a\u003e [dynamodb\\_monitoring](#input\\_dynamodb\\_monitoring) | DynamoDB monitoring settings. | `any` | `{}` | no |\n| \u003ca name=\"input_enable_point_in_time_recovery\"\u003e\u003c/a\u003e [enable\\_point\\_in\\_time\\_recovery](#input\\_enable\\_point\\_in\\_time\\_recovery) | Enable DynamoDB point in time recovery | `bool` | `true` | no |\n| \u003ca name=\"input_enable_server_side_encryption\"\u003e\u003c/a\u003e [enable\\_server\\_side\\_encryption](#input\\_enable\\_server\\_side\\_encryption) | Enable DynamoDB server-side encryption | `bool` | `true` | no |\n| \u003ca name=\"input_enforce_ssl_requests\"\u003e\u003c/a\u003e [enforce\\_ssl\\_requests](#input\\_enforce\\_ssl\\_requests) | Enable/Disable replica for S3 bucket (for cross region replication purpose) | `bool` | `false` | no |\n| \u003ca name=\"input_enforce_vpc_requests\"\u003e\u003c/a\u003e [enforce\\_vpc\\_requests](#input\\_enforce\\_vpc\\_requests) | Enable/Disable VPC endpoint for S3 bucket | `bool` | `false` | no |\n| \u003ca name=\"input_environment\"\u003e\u003c/a\u003e [environment](#input\\_environment) | Environment, e.g. 'prod', 'staging', 'dev', 'pre-prod', 'UAT' | `string` | `\"\"` | no |\n| \u003ca name=\"input_force_destroy\"\u003e\u003c/a\u003e [force\\_destroy](#input\\_force\\_destroy) | A boolean that indicates the S3 bucket can be destroyed even if it contains objects. 
These objects are not recoverable | `bool` | `false` | no |\n| \u003ca name=\"input_ignore_public_acls\"\u003e\u003c/a\u003e [ignore\\_public\\_acls](#input\\_ignore\\_public\\_acls) | Whether Amazon S3 should ignore public ACLs for this bucket. | `bool` | `true` | no |\n| \u003ca name=\"input_kms_key_deletion_windows\"\u003e\u003c/a\u003e [kms\\_key\\_deletion\\_windows](#input\\_kms\\_key\\_deletion\\_windows) | The number of days after which the KMS key is deleted after destruction of the resource, must be between 7 and 30 days | `number` | `7` | no |\n| \u003ca name=\"input_kms_key_rotation\"\u003e\u003c/a\u003e [kms\\_key\\_rotation](#input\\_kms\\_key\\_rotation) | Specifies whether key rotation is enabled | `bool` | `true` | no |\n| \u003ca name=\"input_label_order\"\u003e\u003c/a\u003e [label\\_order](#input\\_label\\_order) | The naming order of the id output and Name tag | `list(string)` | `[]` | no |\n| \u003ca name=\"input_logging\"\u003e\u003c/a\u003e [logging](#input\\_logging) | Bucket access logging configuration. | \u003cpre\u003eobject({\u003cbr\u003e    bucket_name = string\u003cbr\u003e    prefix      = string\u003cbr\u003e  })\u003c/pre\u003e | `null` | no |\n| \u003ca name=\"input_mfa_delete\"\u003e\u003c/a\u003e [mfa\\_delete](#input\\_mfa\\_delete) | A boolean that indicates that versions of S3 objects can only be deleted with MFA. ( Terraform cannot apply changes of this value; https://github.com/terraform-providers/terraform-provider-aws/issues/629 ) | `bool` | `false` | no |\n| \u003ca name=\"input_mfa_secret\"\u003e\u003c/a\u003e [mfa\\_secret](#input\\_mfa\\_secret) | The numbers displayed on the MFA device when applying. Necessary when mfa\\_delete is true. | `string` | `\"\"` | no |\n| \u003ca name=\"input_mfa_serial\"\u003e\u003c/a\u003e [mfa\\_serial](#input\\_mfa\\_serial) | The serial number of the MFA device to use. Necessary when mfa\\_delete is true. 
| `string` | `\"\"` | no |\n| \u003ca name=\"input_name\"\u003e\u003c/a\u003e [name](#input\\_name) | Solution name, e.g. 'app' or 'jenkins' | `string` | `\"terraform\"` | no |\n| \u003ca name=\"input_namespace\"\u003e\u003c/a\u003e [namespace](#input\\_namespace) | Namespace, which could be your organization name or abbreviation, e.g. 'eg' or 'cp' | `string` | `\"\"` | no |\n| \u003ca name=\"input_notifications_events\"\u003e\u003c/a\u003e [notifications\\_events](#input\\_notifications\\_events) | List of events to enable notifications for | `list(string)` | \u003cpre\u003e[\u003cbr\u003e  \"s3:ObjectCreated:*\",\u003cbr\u003e  \"s3:ObjectRemoved:*\"\u003cbr\u003e]\u003c/pre\u003e | no |\n| \u003ca name=\"input_notifications_sns\"\u003e\u003c/a\u003e [notifications\\_sns](#input\\_notifications\\_sns) | Whether to enable SNS notifications | `bool` | `true` | no |\n| \u003ca name=\"input_notifications_sqs\"\u003e\u003c/a\u003e [notifications\\_sqs](#input\\_notifications\\_sqs) | Whether to enable SQS notifications | `bool` | `false` | no |\n| \u003ca name=\"input_read_capacity\"\u003e\u003c/a\u003e [read\\_capacity](#input\\_read\\_capacity) | DynamoDB read capacity units | `number` | `5` | no |\n| \u003ca name=\"input_regex_replace_chars\"\u003e\u003c/a\u003e [regex\\_replace\\_chars](#input\\_regex\\_replace\\_chars) | Regex to replace chars with empty string in `namespace`, `environment`, `stage` and `name`. By default only hyphens, letters and digits are allowed, all other chars are removed | `string` | `\"/[^a-zA-Z0-9-]/\"` | no |\n| \u003ca name=\"input_replica_logging\"\u003e\u003c/a\u003e [replica\\_logging](#input\\_replica\\_logging) | Bucket access logging configuration. 
| \u003cpre\u003eobject({\u003cbr\u003e    bucket_name = string\u003cbr\u003e    prefix      = string\u003cbr\u003e  })\u003c/pre\u003e | `null` | no |\n| \u003ca name=\"input_restrict_public_buckets\"\u003e\u003c/a\u003e [restrict\\_public\\_buckets](#input\\_restrict\\_public\\_buckets) | Whether Amazon S3 should restrict public bucket policies for this bucket. | `bool` | `true` | no |\n| \u003ca name=\"input_stage\"\u003e\u003c/a\u003e [stage](#input\\_stage) | Stage, e.g. 'prod', 'staging', 'dev', OR 'source', 'build', 'test', 'deploy', 'release' | `string` | `\"\"` | no |\n| \u003ca name=\"input_tags\"\u003e\u003c/a\u003e [tags](#input\\_tags) | Additional tags (e.g. `map('BusinessUnit','XYZ')`) | `map(string)` | `{}` | no |\n| \u003ca name=\"input_vpc_ids_list\"\u003e\u003c/a\u003e [vpc\\_ids\\_list](#input\\_vpc\\_ids\\_list) | VPC id to access the S3 bucket via vpc endpoint. The VPCe must be in the same AWS Region as the bucket. | `list(string)` | `[]` | no |\n| \u003ca name=\"input_write_capacity\"\u003e\u003c/a\u003e [write\\_capacity](#input\\_write\\_capacity) | DynamoDB write capacity units | `number` | `5` | no |\n\n## Outputs\n\n| Name | Description |\n|------|-------------|\n| \u003ca name=\"output_dynamodb_table_arn\"\u003e\u003c/a\u003e [dynamodb\\_table\\_arn](#output\\_dynamodb\\_table\\_arn) | DynamoDB table ARN |\n| \u003ca name=\"output_dynamodb_table_id\"\u003e\u003c/a\u003e [dynamodb\\_table\\_id](#output\\_dynamodb\\_table\\_id) | DynamoDB table ID |\n| \u003ca name=\"output_dynamodb_table_name\"\u003e\u003c/a\u003e [dynamodb\\_table\\_name](#output\\_dynamodb\\_table\\_name) | DynamoDB table name |\n| \u003ca name=\"output_s3_bucket_arn\"\u003e\u003c/a\u003e [s3\\_bucket\\_arn](#output\\_s3\\_bucket\\_arn) | S3 bucket ARN |\n| \u003ca name=\"output_s3_bucket_domain_name\"\u003e\u003c/a\u003e [s3\\_bucket\\_domain\\_name](#output\\_s3\\_bucket\\_domain\\_name) | S3 bucket domain name |\n| \u003ca 
name=\"output_s3_bucket_id\"\u003e\u003c/a\u003e [s3\\_bucket\\_id](#output\\_s3\\_bucket\\_id) | S3 bucket ID |\n\u003c!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK --\u003e\n\n## Usage\n\n```terraform\n#\n# Terraform aws tfstate backend\n#\n\nprovider \"aws\" {\n  region  = \"us-east-1\"\n}\n\nprovider \"aws\" {\n  region  = \"us-west-1\"\n  alias   = \"secondary\"\n}\n\n# The following creates a Terraform State Backend with Bucket Replication and all security and compliance enhancements enabled\nmodule \"terraform_state_backend_with_replication\" {\n  source        = \"../../\"\n  namespace     = \"binbash\"\n  stage         = \"test\"\n  name          = \"terraform\"\n  attributes    = [\"state\"]\n\n  bucket_replication_enabled = true\n\n  providers = {\n    aws.primary   = aws\n    aws.secondary = aws.secondary\n  }\n}\n\n# The module below creates a Terraform State Backend without bucket replication\nmodule \"terraform_state_backend\" {\n  source        = \"../../\"\n  namespace     = \"binbash\"\n  stage         = \"test\"\n  name          = \"terraform-test\"\n  attributes    = [\"state\"]\n\n  # By default replication is disabled but it is shown below for the sake of the example\n  bucket_replication_enabled = false\n\n  # Notice that even though replication is not enabled, we still need to pass a secondary provider\n  providers = {\n    aws.primary   = aws\n    aws.secondary = aws.secondary\n  }\n}\n\n# If you are moving from a previous version and want to avoid all or some of the security and compliance features you can use this example. 
However, we encourage you to use these enhancements.\nmodule \"terraform_state_backend_with_replication\" {\n  source        = \"../../\"\n  namespace     = \"binbash\"\n  stage         = \"test\"\n  name          = \"terraform\"\n  attributes    = [\"state\"]\n\n  bucket_replication_enabled = true\n\n  ## Avoid changes\n  # General\n  create_kms_key = false\n  # S3\n  block_public_acls = false\n  ignore_public_acls = false\n  block_public_policy = false\n  restrict_public_buckets = false\n  notifications_sns = false\n  notifications_sqs = false\n  bucket_lifecycle_enabled = false\n  # DynamoDB\n  enable_point_in_time_recovery = false\n  billing_mode                  = \"PROVISIONED\"\n\n  providers = {\n    aws.primary   = aws\n    aws.secondary = aws.secondary\n  }\n}\n```\n\n### Generating the backend configuration automatically\n\nIf you choose to include this module in your own Terraform configuration to\nprovision the backend supporting infrastructure, you can generate the backend\nconfiguration file automatically with this module.\n\nTo do so, use this module as usual, but provide at least the following input:\n\n- `backend_config_filepath = \".\"`\n\nBy default, this will make it so a `backend.tf` file with the backend\nconfiguration is generated in the current working directory. 
Once you have\nprovisioned the infrastructure with `terraform init \u0026\u0026 terraform apply`, you\ncan copy over Terraform's state file to the backend bucket with the following\ncommand:\n\n```bash\nterraform init -force-copy\n```\n\nAfterwards, your Terraform state will have been copied over to the S3 bucket\nand Terraform is now ready to use it as a backend.\n\nRefer to the list of `backend_config_*` inputs for more information on how to\ntailor this behavior to your use case.\n\n---\n\n## Important consideration\nWhen using `enforce_vpc_requests = true`, please consider the following\n[AWS VPC gateway endpoint limitations](https://docs.aws.amazon.com/vpc/latest/userguide/vpce-gateway.html#vpc-endpoints-limitations)\n\n| Name | Description | Type | Default | Required |\n|------|-------------|------|---------|:--------:|\n| enforce\\_vpc\\_requests | Enable/Disable VPC endpoint for S3 bucket | `bool` | `false` | no |\n| vpc\\_ids\\_list | VPC id to access the S3 bucket via vpc endpoint. The VPCe must be in the same AWS Region as the bucket. | `list(string)` | `[]` | no |\n\n\n#### To use gateway endpoints, you need to be aware of the current limitations\n\n- You cannot use an AWS prefix list ID in an outbound rule in a network ACL to allow or deny outbound traffic\n to the service specified in an endpoint. If your network ACL rules restrict traffic, you must specify the CIDR\n block (IP address range) for the service instead. You can, however, use an AWS prefix list ID in an outbound\n security group rule. For more information, see Security groups.\n- Endpoints are supported within the same Region only. You cannot create an endpoint between a VPC and a\n  service in a different Region.\n- Endpoints support IPv4 traffic only.\n- You cannot transfer an endpoint from one VPC to another, or from one service to another.\n- You have a quota on the number of endpoints you can create per VPC. 
For more information, see VPC endpoints.\n- Endpoint connections cannot be extended out of a VPC. Resources on the other side of a VPN connection,\n VPC peering connection, transit gateway, AWS Direct Connect connection, or ClassicLink connection in your VPC\n cannot use the endpoint to communicate with resources in the endpoint service.\n- You must enable DNS resolution in your VPC, or if you're using your own DNS server, ensure that\n DNS requests to the required service (such as Amazon S3) are resolved correctly to the IP addresses\n maintained by AWS.\n\n## Binbash Leverage | DevOps Automation Code Library Integration\n\nIn order to get the full automated potential of the\n[Binbash Leverage DevOps Automation Code Library](https://leverage.binbash.com.ar/how-it-works/code-library/code-library/)  \nyou should initialize all the necessary helper **Makefiles**.\n\n#### How?\nYou must execute the `make init-makefiles` command at the root context\n\n```shell\n╭─delivery at delivery-I7567 in ~/terraform/terraform-aws-backup-by-tags on master✔ 20-09-17\n╰─⠠⠵ make\nAvailable Commands:\n - init-makefiles     initialize makefiles\n\n```\n\n#### Why?\nYou'll get all the necessary commands to automatically operate this module via a dockerized approach,\nexample shown below\n\n```shell\n╭─delivery at delivery-I7567 in ~/terraform/terraform-aws-backup-by-tags on master✔ 20-09-17\n╰─⠠⠵ make\nAvailable Commands:\n - circleci-validate-config  ## Validate A CircleCI Config (https\n - format-check        ## The terraform fmt is used to rewrite tf conf files to a canonical format and style.\n - format              ## The terraform fmt is used to rewrite tf conf files to a canonical format and style.\n - tf-dir-chmod        ## run chown in ./.terraform to gran that the docker mounted dir has the right permissions\n - version             ## Show terraform version\n - init-makefiles      ## initialize makefiles\n```\n\n```shell\n╭─delivery at delivery-I7567 in 
~/terraform/terraform-aws-backup-by-tags on master✔ 20-09-17\n╰─⠠⠵ make format-check\ndocker run --rm -v /home/delivery/Binbash/repos/Leverage/terraform/terraform-aws-backup-by-tags:\"/go/src/project/\":rw -v :/config -v /common.config:/common-config/common.config -v ~/.ssh:/root/.ssh -v ~/.gitconfig:/etc/gitconfig -v ~/.aws/bb:/root/.aws/bb -e AWS_SHARED_CREDENTIALS_FILE=/root/.aws/bb/credentials -e AWS_CONFIG_FILE=/root/.aws/bb/config --entrypoint=/bin/terraform -w \"/go/src/project/\" -it binbash/terraform-awscli-slim:0.12.28 fmt -check\n```\n\n# Release Management\n### CircleCi PR auto-release job\n\n\u003cdiv align=\"left\"\u003e\n  \u003cimg src=\"https://raw.githubusercontent.com/binbashar/terraform-aws-tfstate-backend/master/figures/circleci.png\"\n   alt=\"leverage-circleci\" width=\"130\"/\u003e\n\u003c/div\u003e\n\n- [**pipeline-job**](https://circleci.com/gh/binbashar/terraform-aws-tfstate-backend) (**NOTE:** Will only run after merged PR)\n- [**releases**](https://github.com/binbashar/terraform-aws-tfstate-backend/releases)\n- [**changelog**](https://github.com/binbashar/terraform-aws-tfstate-backend/blob/master/CHANGELOG.md)\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fbinbashar%2Fterraform-aws-tfstate-backend","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fbinbashar%2Fterraform-aws-tfstate-backend","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fbinbashar%2Fterraform-aws-tfstate-backend/lists"}