A Terraform backend defines where Terraform's state snapshots are stored. The Amazon S3 backend stores the Terraform state as a given key in a given bucket on Amazon S3. This backend also supports state locking and consistency checking via DynamoDB.
In a multi-account environment using AWS Organizations, it is a best practice to have a tooling account where the Terraform backend resources are created. The Terraformer principal in the tooling account should be able to assume a Terraformer role with appropriate permissions to create the resources in the other account(s).
This is an example Terraform bootstrap script, which bootstraps the Terraform backend and provisions the delegated access to multiple accounts.
- Modify `terraform.tfvars`. Make sure to provide the desired values for:
  - `region` --> Target AWS Region
  - `s3_statebucket_name` --> Globally unique Amazon S3 bucket name
  - `dynamo_locktable_name` --> DynamoDB table name used for state locking
- Modify `provider.tf`.
  - Comment out the `backend` section.

    ```hcl
    # backend "s3" {
    #   ...
    # }
    ```

  - Verify/modify the `provider` blocks as needed.

    ```hcl
    provider "aws" {
      region  = var.region
      profile = "tooling-admin"
      alias   = "tooling"
    }
    ...
    ```

  - Make sure that every `profile` specified in the `provider` sections exists in the `.aws/config` file, e.g.

    ```ini
    [profile tooling-admin]
    aws_access_key_id=<your-access-key-id>
    aws_secret_access_key=<your-secret-access-key>
    region=us-east-1
    output=json

    [profile nw-admin]
    aws_access_key_id=<your-access-key-id>
    aws_secret_access_key=<your-secret-access-key>
    region=us-east-1
    output=json

    [profile sec-admin]
    aws_access_key_id=<your-access-key-id>
    aws_secret_access_key=<your-secret-access-key>
    region=us-east-1
    output=json

    [profile dev-admin]
    aws_access_key_id=<your-access-key-id>
    aws_secret_access_key=<your-secret-access-key>
    region=us-east-1
    output=json

    [profile test-admin]
    aws_access_key_id=<your-access-key-id>
    aws_secret_access_key=<your-secret-access-key>
    region=us-east-1
    output=json
    ```

- Modify `outputs.tf`.
  - Make sure to output every `role_arn` created for delegated access.
- `cd` to the `examples/bootstrap` folder.
- Make sure you are using the correct AWS profile that has permission to provision the target resources, e.g. "tooling-admin":

  ```shell
  aws sts get-caller-identity
  ```

- Execute `terraform init` to initialize Terraform.
- Execute `terraform plan` and verify the changes.
- Execute `terraform apply` and approve the changes.
- Switch to using the Amazon S3 backend by un-commenting the `backend "s3"` section within `provider.tf`.
  - Modify the `backend "s3"` section with the correct values for `region`, `bucket`, `dynamodb_table`, and `key`. Use the provided values as guidance.
- Execute `terraform init` to re-initialize Terraform with the new backend.
  - This will ask you to move your state to Amazon S3. Enter `yes`.
- Once you have your Terraform state on Amazon S3, you can continue to make updates to the bootstrap as needed, using Amazon S3 as the backend.
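As an added example (not part of the original bootstrap module), this is what `provider.tf` can look like after the switch to the S3 backend: the `backend "s3"` block is filled from the `backend_config` output, and the other accounts are reached by assuming the delegated Terraformer roles from the tooling profile rather than by keeping separate long-lived admin keys per account. The bucket name, lock table name and role ARN are placeholders to be replaced with the values from your own outputs.

```hcl
terraform {
  required_version = ">= 1.3.9"

  # Fill these in from the `backend_config` output of the bootstrap run.
  backend "s3" {
    region         = "us-east-1"
    bucket         = "<your-globally-unique-state-bucket>" # placeholder
    key            = "bootstrap/terraform.tfstate"
    dynamodb_table = "<your-dynamo-lock-table>"            # placeholder
    encrypt        = true # server-side encrypt the state object at rest
  }
}

# Tooling account: the Terraformer principal that owns the backend.
provider "aws" {
  region  = var.region
  profile = "tooling-admin"
  alias   = "tooling"
}

# Dev account: same tooling credentials, but assume the delegated role
# created by the bootstrap (value of the `dev_account_role_arn` output).
# Repeat this block for the network, sec and test accounts.
provider "aws" {
  region  = var.region
  profile = "tooling-admin"
  alias   = "dev"

  assume_role {
    role_arn     = "<dev_account_role_arn from outputs>" # placeholder
    session_name = "terraformer"
  }
}
```

With this layout `aws sts get-caller-identity` run under the `tooling-admin` profile is the only static identity to protect, and CloudTrail in each target account records the delegated role session rather than a per-account admin user.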
Requirements

| Name | Version |
|---|---|
| terraform | >= v1.3.9 |
| aws | >= 4.56.0 |

Providers

No providers.

Modules

| Name | Source | Version |
|---|---|---|
| bootstrap | ../../modules/aws/bootstrap | n/a |
| bootstrap_dev_account_access | ../../modules/aws/bootstrap | n/a |
| bootstrap_network_account_access | ../../modules/aws/bootstrap | n/a |
| bootstrap_sec_account_access | ../../modules/aws/bootstrap | n/a |
| bootstrap_test_account_access | ../../modules/aws/bootstrap | n/a |

Resources

No resources.

Inputs

| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| region | The AWS Region for the environment, e.g. us-east-1 | string | n/a | yes |
| s3_statebucket_name | Globally unique name of the S3 bucket used for storing Terraform state files. | string | n/a | yes |
| tags | Mandatory tags for the resources | map(string) | n/a | yes |
| dynamo_locktable_name | Name of the DynamoDB table used for Terraform state locking. | string | "" | no |

Outputs

| Name | Description |
|---|---|
| backend_config | The backend configuration with the following values |
| dev_account_role_arn | Delegated Role ARN for the dev account |
| network_account_role_arn | Delegated Role ARN for the network account |
| sec_account_role_arn | Delegated Role ARN for the sec account |
| test_account_role_arn | Delegated Role ARN for the test account |