terraform-aws-tfstate-backend

Terraform module to provision an S3 bucket to store the terraform.tfstate file and a DynamoDB table to lock the state file, preventing concurrent modifications and state corruption.

GitHub Repo https://github.com/cloudposse/terraform-aws-tfstate-backend

The module supports the following:

  1. Forced server-side encryption at rest for the S3 bucket
  2. S3 bucket versioning to allow for Terraform state recovery in the case of accidental deletions and human errors
  3. State locking and consistency checking via DynamoDB table to prevent concurrent operations
  4. DynamoDB server-side encryption

See the Terraform S3 backend documentation: https://www.terraform.io/docs/backends/types/s3.html

Note

The operators of the module (IAM users) must have permissions to create S3 buckets and DynamoDB tables when running terraform plan and terraform apply.

Usage

HCL

module "terraform_state_backend" {
  source    = "git::https://github.com/cloudposse/terraform-aws-tfstate-backend.git?ref=master"
  # Inputs as documented in the Variables table below; namespace and stage are required.
  namespace = "cp"
  stage     = "prod"
  name      = "terraform"
  region    = "us-east-1"
}

Tip

First, create the bucket and table with no remote backend configured (Terraform will store the state in the local file system).

You can then import the bucket and table with terraform import and move the state file into the bucket.

Once the bucket and table have been created, configure the backend:

HCL

terraform {
  backend "s3" {
    # Use the values of the module's s3_bucket_id and dynamodb_table_name outputs here.
    bucket         = "<s3_bucket_id output>"
    key            = "terraform.tfstate"
    region         = "us-east-1"
    encrypt        = true
    dynamodb_table = "<dynamodb_table_name output>"
  }
}

Initialize the backend with terraform init.

After terraform apply, the terraform.tfstate file will be stored in the bucket, and the DynamoDB table will be used to lock the state to prevent concurrent modifications.
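As an added example (not part of the module or this README), the following Python script audits, after terraform apply, the four properties listed at the top of the page: S3 default encryption, S3 versioning, a bucket policy that rejects unencrypted uploads, and DynamoDB server-side encryption. It operates on the response dictionaries returned by boto3's get_bucket_encryption, get_bucket_versioning, get_bucket_policy and describe_table calls; the responses embedded below are constructed samples so the script runs offline, and the bucket and table names in them are placeholders.

```python
"""Post-apply audit of a Terraform S3/DynamoDB state backend.

Added example, not part of the cloudposse module. The functions take the
dictionaries boto3 returns for get_bucket_encryption, get_bucket_versioning,
get_bucket_policy (the Policy string) and describe_table; the samples at the
bottom are constructed so everything runs offline.
"""
import json

SSE_HEADER = "s3:x-amz-server-side-encryption"


def _as_list(value):
    """IAM policy documents allow a single string where a list is expected."""
    return value if isinstance(value, list) else [value]


def bucket_has_default_encryption(resp):
    """True if a default-encryption rule with AES256 or aws:kms is configured.
    boto3 raises ServerSideEncryptionConfigurationNotFoundError instead of
    returning an empty response when no rule exists; catch it and pass {}."""
    rules = resp.get("ServerSideEncryptionConfiguration", {}).get("Rules", [])
    algorithms = {
        rule.get("ApplyServerSideEncryptionByDefault", {}).get("SSEAlgorithm")
        for rule in rules
    }
    return bool(algorithms & {"AES256", "aws:kms"})


def bucket_versioning_enabled(resp):
    """get_bucket_versioning omits Status if versioning was never enabled and
    reports Suspended if it was switched off later; only Enabled counts."""
    return resp.get("Status") == "Enabled"


def policy_denies_unencrypted_puts(policy):
    """True if a Deny statement blocks s3:PutObject unless the SSE header is set,
    in either common form: Null (header absent) or StringNotEquals (header present
    but not a permitted algorithm)."""
    doc = json.loads(policy) if isinstance(policy, str) else policy
    for statement in _as_list(doc.get("Statement", [])):
        if statement.get("Effect") != "Deny":
            continue
        actions = {a.lower() for a in _as_list(statement.get("Action", []))}
        if not actions & {"s3:putobject", "s3:*", "*"}:
            continue
        condition = statement.get("Condition", {})
        header_absent = str(condition.get("Null", {}).get(SSE_HEADER, "")).lower() == "true"
        wrong_algorithm = SSE_HEADER in condition.get("StringNotEquals", {})
        if header_absent or wrong_algorithm:
            return True
    return False


def dynamodb_sse_mode(resp):
    """DescribeTable omits SSEDescription when the table uses DynamoDB's default
    AWS owned key; an explicitly configured KMS key shows Status ENABLED."""
    sse = resp.get("Table", {}).get("SSEDescription")
    if sse is None:
        return "aws-owned-key-default"
    return "enabled" if sse.get("Status") == "ENABLED" else "disabled"


def audit_backend(encryption, versioning, policy, table):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    if not bucket_has_default_encryption(encryption):
        findings.append("bucket: no default server-side encryption rule")
    if not bucket_versioning_enabled(versioning):
        findings.append("bucket: versioning not enabled (state cannot be recovered)")
    if not policy_denies_unencrypted_puts(policy):
        findings.append("bucket: policy does not reject unencrypted PutObject")
    if dynamodb_sse_mode(table) == "disabled":
        findings.append("dynamodb: server-side encryption disabled")
    return findings


# Constructed sample responses for a correctly provisioned backend (placeholder names).
GOOD_ENCRYPTION = {"ServerSideEncryptionConfiguration": {"Rules": [
    {"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}]}}
GOOD_VERSIONING = {"Status": "Enabled"}
GOOD_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Sid": "DenyUnencryptedObjectUploads", "Effect": "Deny", "Principal": "*",
    "Action": "s3:PutObject", "Resource": "arn:aws:s3:::example-state-bucket/*",
    "Condition": {"Null": {SSE_HEADER: "true"}}}]})
GOOD_TABLE = {"Table": {"TableName": "example-state-lock",
                        "SSEDescription": {"Status": "ENABLED", "SSEType": "KMS"}}}

# Constructed samples for a bucket created by hand and never hardened.
BAD_VERSIONING = {}  # Status absent: versioning never enabled
BAD_POLICY = json.dumps({"Version": "2012-10-17", "Statement": []})

if __name__ == "__main__":
    print("hardened:", audit_backend(GOOD_ENCRYPTION, GOOD_VERSIONING, GOOD_POLICY, GOOD_TABLE))
    print("unhardened:", audit_backend({}, BAD_VERSIONING, BAD_POLICY, {"Table": {}}))
```

To run it against a real account, replace the sample dictionaries with the live boto3 responses for the bucket and table the module created (the s3_bucket_id and dynamodb_table_name outputs). A table with no SSEDescription is reported as using the DynamoDB default AWS owned key rather than flagged, since that is still encrypted at rest; treat it as a policy question, not a failure.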


Variables

Name            Default      Description                                                          Required
--------------  -----------  -------------------------------------------------------------------  --------
namespace                    Namespace (e.g. cp or cloudposse)                                    Yes
write_capacity  5            DynamoDB write capacity units                                        No
stage                        Stage (e.g. prod, dev, staging)                                      Yes
region          us-east-1    AWS Region the S3 bucket should reside in                            Yes
name            terraform    Name (e.g. app, cluster, or terraform)                               No
attributes      ["state"]    Additional attributes (e.g. policy or role)                          No
tags            {}           Additional tags (e.g. map("BusinessUnit", "XYZ"))                    No
delimiter       -            Delimiter to be used between namespace, stage, name, and attributes  No
acl             private      The canned ACL to apply to the S3 bucket                             No
read_capacity   5            DynamoDB read capacity units                                         No

Outputs

Name                   Description
---------------------  ---------------------
s3_bucket_domain_name  S3 bucket domain name
s3_bucket_id           S3 bucket ID
s3_bucket_arn          S3 bucket ARN
dynamodb_table_id      DynamoDB table ID
dynamodb_table_arn     DynamoDB table ARN
dynamodb_table_name    DynamoDB table name