https://github.com/wearetechnative/terraform-aws-module-terraform-backend
Module to setup Terraform backend
https://github.com/wearetechnative/terraform-aws-module-terraform-backend
Last synced: 5 months ago
JSON representation
Module to setup Terraform backend
- Host: GitHub
- URL: https://github.com/wearetechnative/terraform-aws-module-terraform-backend
- Owner: wearetechnative
- License: apache-2.0
- Created: 2023-10-18T20:39:21.000Z (over 2 years ago)
- Default Branch: main
- Last Pushed: 2025-01-14T12:49:35.000Z (over 1 year ago)
- Last Synced: 2025-03-26T10:48:35.362Z (about 1 year ago)
- Language: HCL
- Size: 166 KB
- Stars: 0
- Watchers: 0
- Forks: 0
- Open Issues: 0
-
Metadata Files:
- Readme: README.md
- License: LICENSE
Awesome Lists containing this project
README
# Terraform AWS [Terraform Backend]
An S3 bucket with DynamoDB compatible for use as a Terraform Backend.
This module mostly enforces safe and known best practices:
- Use our S3 module with locked down permissions.
- Setup DynamoDB compatible for use in backend and using PAY PER REQUEST to minize cost.
In case multiple Terraform projects are used on the same account they should be differentiated by `var.name`. Creating seperate modules increases seperation without increasing cost because all resources are either pay per use by default (S3) or configured to do so (DynamoDB).
The KMS key should be provided externally as these incur a monthly 1 dollar cost. See `var.kms_key_arn` for this.
[](https://www.technative.nl)
## How does it work
### First use when you cloned this repository
Run `pre-commit install` to install any guardrails implemented using pre-commit.
See [pre-commit installation](https://pre-commit.com/#install) on how to install pre-commit.
## Usage
This backendrole provides the TerraForm backend dynamodb and S3 bucket.
The role is used for any cross-account setups but should also be used for any inaccount setups as well when possible. Currently our landing-zone depends on this module. But we will also use if for stack accounts and perhaps later for inaccount landingzones as well.
To use this module:
1. The S3 bucket name is provided by the output `terraform_backend_s3_id`.
2. The DynamoDB name is provided by the output `terraform_backend_dynamodb_name`.
Example backend.tf file:
Replace `bucket` and `dynamodb_table` accordingly. Set `role_arn` to same role as your account provider.
```ruby
terraform {
backend "s3" {
role_arn = "arn:aws:iam:::role/OrganizationAccountAccessRole"
session_name = "TerraformStateUpdate"
bucket = "See step 1)"
key = "terraform.tf"
region = "eu-central-1"
dynamodb_table = "See step 2)"
}
}
```
## Providers
| Name | Version |
|------|---------|
| [aws](#provider\_aws) | 4.57.0 |
## Modules
| Name | Source | Version |
|------|--------|---------|
| [backend](#module\_backend) | git@github.com:TechNative-B-V/terraform-aws-module-s3.git/ | 3b39341b8f0ca25423f97ed3107411d6a4c6493f |
| [state\_lock](#module\_state\_lock) | git@github.com:TechNative-B-V/terraform-aws-module-dynamodb.git/ | 5fb90ad50328a36290b6572d5b56e9ff691e4385 |
## Resources
| Name | Type |
|------|------|
| [aws_partition.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/partition) | data source |
## Inputs
| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
| [kms\_key\_arn](#input\_kms\_key\_arn) | KMS key to use for encrypting EBS volumes. | `string` | `null` | no |
| [name](#input\_name) | Name to allow this module to be deployed multiple times in the same account. | `string` | `""` | no |
## Outputs
| Name | Description |
|------|-------------|
| [terraform\_backend\_dynamodb\_name](#output\_terraform\_backend\_dynamodb\_name) | n/a |
| [terraform\_backend\_s3\_id](#output\_terraform\_backend\_s3\_id) | n/a |