Bootstrap Terraform backend

Terraform backends define where Terraform's state snapshots are stored. The Amazon S3 backend stores the Terraform state as a given key in a given bucket on Amazon S3. This backend also supports state locking and consistency checking via DynamoDB.

In a multi-account environment using AWS Organizations, it is a best practice to have a tooling account where Terraform backend resources are created. The Terraformer principal in the tooling account should be able to assume a Terraformer role with appropriate permissions to create the resources in the other account(s).

This is an example Terraform bootstrap script, which bootstraps the Terraform backend and provisions delegated access to multiple accounts.

Prerequisites

  • Modify terraform.tfvars. Make sure to provide desired values for:
    • region --> Target AWS Region
    • s3_statebucket_name --> Globally unique Amazon S3 bucket name
    • dynamo_locktable_name --> DynamoDB table name used for state locking
  • Modify provider.tf.
    • Comment out the backend section.
        # backend "s3" {
        #   ...
        # }
      
    • Verify/modify provider as needed.
      provider "aws" {
        region  = var.region
        profile = "tooling-admin"
        alias   = "tooling"
      }
      ...
      
    • Make sure that every profile referenced in the provider sections exists in your .aws/config file, e.g.:
      [profile tooling-admin]
      aws_access_key_id=<your-access-key-id>
      aws_secret_access_key=<your-secret-access-key>
      region=us-east-1
      output=json
      
      [profile nw-admin]
      aws_access_key_id=<your-access-key-id>
      aws_secret_access_key=<your-secret-access-key>
      region=us-east-1
      output=json
      
      [profile sec-admin]
      aws_access_key_id=<your-access-key-id>
      aws_secret_access_key=<your-secret-access-key>
      region=us-east-1
      output=json
      
      [profile dev-admin]
      aws_access_key_id=<your-access-key-id>
      aws_secret_access_key=<your-secret-access-key>
      region=us-east-1
      output=json
      
      [profile test-admin]
      aws_access_key_id=<your-access-key-id>
      aws_secret_access_key=<your-secret-access-key>
      region=us-east-1
      output=json
      
  • Modify outputs.tf.
    • Make sure to output every role_arn created for delegated access.

Execution

  • cd to examples/bootstrap folder.
  • Make sure you are using the correct AWS Profile that has permission to provision the target resources. e.g. "tooling-admin"
    • aws sts get-caller-identity
  • Execute terraform init to initialize Terraform.
  • Execute terraform plan and verify the changes.
  • Execute terraform apply and approve the changes.
  • Switch to using the Amazon S3 backend by un-commenting the backend "s3" section within provider.tf.
    • Modify the backend "s3" section with correct values for region, bucket, dynamodb_table, and key. Use the provided values as guidance.
  • Execute terraform init to re-initialize Terraform with the new backend.
    • This will ask you to move your state to Amazon S3. Enter 'yes'.
  • Once your Terraform state is on Amazon S3, you can continue to make updates to bootstrap as needed, using Amazon S3 as the backend.
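As an added illustration (not a file from this repository), this is the shape provider.tf takes after the backend section is un-commented: the backend "s3" block filled in with the bootstrap values, plus a provider alias that reaches a member account by assuming the delegated role whose ARN the bootstrap outputs. Bucket, table, key, account id and role name are placeholders; encrypt = true is an addition the page does not list.

```hcl
# provider.tf after bootstrap. The backend block cannot reference variables,
# so the values from terraform.tfvars are repeated here literally.
terraform {
  required_version = ">= 1.3.9"

  backend "s3" {
    bucket         = "example-tfstate-bucket"     # s3_statebucket_name (placeholder)
    key            = "bootstrap/terraform.tfstate" # placeholder state key
    region         = "us-east-1"                  # region
    dynamodb_table = "example-tf-locks"           # dynamo_locktable_name (placeholder)
    encrypt        = true                         # server-side encrypt the state object
  }
}

# Tooling account: the principal that runs Terraform and owns the backend resources.
provider "aws" {
  region  = var.region
  profile = "tooling-admin"
  alias   = "tooling"
}

# Delegated access into a member account: rather than a long-lived member-account
# profile, the tooling principal assumes the role the bootstrap created there.
# Take the ARN from the dev_account_role_arn output; the value below is a placeholder.
provider "aws" {
  region = var.region
  alias  = "dev"

  assume_role {
    role_arn     = "arn:aws:iam::111111111111:role/TerraformerRole" # placeholder
    session_name = "terraform-bootstrap"
  }
}
```

Running terraform init after this change triggers the state migration prompt described above; the assumed-role session shows up in the member account's CloudTrail as AssumeRole followed by the provisioning calls.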

Requirements

| Name | Version |
|------|---------|
| terraform | >= v1.3.9 |
| aws | >= 4.56.0 |

Providers

No providers.

Modules

| Name | Source | Version |
|------|--------|---------|
| bootstrap | ../../modules/aws/bootstrap | n/a |
| bootstrap_dev_account_access | ../../modules/aws/bootstrap | n/a |
| bootstrap_network_account_access | ../../modules/aws/bootstrap | n/a |
| bootstrap_sec_account_access | ../../modules/aws/bootstrap | n/a |
| bootstrap_test_account_access | ../../modules/aws/bootstrap | n/a |

Resources

No resources.

Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|----------|
| region | The AWS Region, e.g. us-east-1, for the environment | string | n/a | yes |
| s3_statebucket_name | Globally unique name of the S3 bucket used for storing Terraform state files. | string | n/a | yes |
| tags | Mandatory tags for the resources | map(string) | n/a | yes |
| dynamo_locktable_name | Name of the DynamoDB table used for Terraform state locking. | string | "" | no |

Outputs

| Name | Description |
|------|-------------|
| backend_config | Define the backend configuration with the following values |
| dev_account_role_arn | Delegated Role ARN for dev account |
| network_account_role_arn | Delegated Role ARN for network account |
| sec_account_role_arn | Delegated Role ARN for sec account |
| test_account_role_arn | Delegated Role ARN for test account |