Initial setup of a terraform backend using terraform

I'm just starting to work with terraform and would like to use AWS S3 as a backend to store the state of my projects.

terraform {
    backend "s3" {
      bucket = "tfstate"
      key = "app-state"
      region = "us-east-1"
    }
}

I feel it makes sense to configure my S3 bucket, IAM groups, and policies for the internal storage infrastructure using terraform.

If I configure my backend state before I apply my initial terraform infrastructure, it reasonably complains that the backend bucket has not yet been created. So my question is: how can I set up my terraform backend infrastructure using terraform while also keeping the state for that backend infrastructure managed by terraform? It seems like a nesting-dolls problem.

I have some thoughts on how to script around this, e.g. checking whether the bucket or some state exists, then bootstrapping terraform and finally copying the terraform tfstate to S3 from the local file system after the first run. But before embarking on this laborious path, I thought I'd make sure I wasn't missing something obvious.

+26
7 answers

To set this up using terraform remote state, I usually have a separate folder called remote-state within my dev and prod terraform folders.

The following main.tf file will configure your remote state for what you posted:

provider "aws" {
  region = "us-east-1"
}

resource "aws_s3_bucket" "terraform_state" {
  bucket = "tfstate"

  versioning {
    enabled = true
  }

  lifecycle {
    prevent_destroy = true
  }
}

resource "aws_dynamodb_table" "terraform_state_lock" {
  name           = "app-state"
  read_capacity  = 1
  write_capacity = 1
  hash_key       = "LockID"

  attribute {
    name = "LockID"
    type = "S"
  }
}

Then cd remote-state and run terraform init && terraform apply. This only needs to be done once; the bucket and DynamoDB table names are then used in your backend configuration.

+34
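The same bootstrap written against AWS provider 4.x or later, where versioning and encryption are separate resources, with the hardening a state bucket needs: default encryption at rest, public access blocked, and an on-demand lock table. This is an added example, not code from the answer above. The bucket name tfstate and table name app-state are carried over from it; the provider and terraform version constraints are assumptions.

```hcl
terraform {
  required_version = ">= 1.3"
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = ">= 4.0" # assumption: versioning/encryption split out in 4.x
    }
  }
}

provider "aws" {
  region = "us-east-1"
}

# State bucket. "tfstate" is the name used in the answer above; S3 bucket
# names are global, so in practice pick something account-specific.
resource "aws_s3_bucket" "terraform_state" {
  bucket = "tfstate"

  lifecycle {
    prevent_destroy = true
  }
}

# Versioning lets you roll back to an earlier state file after a bad apply
# or a corrupted write.
resource "aws_s3_bucket_versioning" "terraform_state" {
  bucket = aws_s3_bucket.terraform_state.id
  versioning_configuration {
    status = "Enabled"
  }
}

# Default encryption at rest: objects are encrypted even when the client
# omits the x-amz-server-side-encryption header. Use sse_algorithm = "aws:kms"
# plus kms_master_key_id if you want decryption gated by a key policy.
resource "aws_s3_bucket_server_side_encryption_configuration" "terraform_state" {
  bucket = aws_s3_bucket.terraform_state.id
  rule {
    apply_server_side_encryption_by_default {
      sse_algorithm = "AES256"
    }
  }
}

# State files contain secrets (database passwords, generated keys, outputs);
# make sure the bucket can never be made public by ACL or policy.
resource "aws_s3_bucket_public_access_block" "terraform_state" {
  bucket                  = aws_s3_bucket.terraform_state.id
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}

# Lock table: one item per state key, keyed on LockID. On-demand billing
# means there is no capacity to size for a table that sees a few writes a day.
resource "aws_dynamodb_table" "terraform_state_lock" {
  name         = "app-state"
  billing_mode = "PAY_PER_REQUEST"
  hash_key     = "LockID"

  attribute {
    name = "LockID"
    type = "S"
  }
}
```

The TLS-only bucket policy shown in a later answer on this page still applies unchanged; it sits beside these resources. Run this from the remote-state folder with a local backend first (terraform init && terraform apply), exactly as the answer describes, and only then point the project's backend block at the bucket.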

, terraform , .

, terraform " ", , , .

, script. , :

  • s3
  • Ira terraform , .

(), , , , . , script .

script . , , , , ..

+9

, , :

provider "aws" {
  region = "us-east-1"
}

resource "aws_s3_bucket" "terraform_state" {
  bucket = "tfstate"

  versioning {
    enabled = true
  }

  lifecycle {
    prevent_destroy = true
  }
}

resource "aws_dynamodb_table" "terraform_state_lock" {
  name           = "app-state"
  read_capacity  = 1
  write_capacity = 1
  hash_key       = "LockID"

  attribute {
    name = "LockID"
    type = "S"
  }
}

resource "aws_s3_bucket_policy" "terraform_state" {
  bucket = "${aws_s3_bucket.terraform_state.id}"
  policy = <<EOF
{
  "Version": "2012-10-17",
  "Id": "RequireEncryption",
  "Statement": [
    {
      "Sid": "RequireEncryptedTransport",
      "Effect": "Deny",
      "Action": ["s3:*"],
      "Resource": ["arn:aws:s3:::${aws_s3_bucket.terraform_state.bucket}/*"],
      "Condition": {
        "Bool": {
          "aws:SecureTransport": "false"
        }
      },
      "Principal": "*"
    },
    {
      "Sid": "RequireEncryptedStorage",
      "Effect": "Deny",
      "Action": ["s3:PutObject"],
      "Resource": ["arn:aws:s3:::${aws_s3_bucket.terraform_state.bucket}/*"],
      "Condition": {
        "StringNotEquals": {
          "s3:x-amz-server-side-encryption": "AES256"
        }
      },
      "Principal": "*"
    }
  ]
}
EOF
}
+6
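A least-privilege policy for the IAM group that runs terraform against that state, and the backend block that goes with it. This is an added example, not code from the answer above; the group name terraform-app is assumed to exist, while the bucket, key and table names come from the question and answers. The actions are the ones the S3 backend documentation requires; the object ARNs are scoped to the project's key (including the env:/<workspace>/ copies terraform writes for non-default workspaces) so one project's runner cannot read another project's state.

```hcl
variable "state_bucket" { default = "tfstate" }
variable "lock_table"   { default = "app-state" }
variable "state_key"    { default = "app-state" }

data "aws_caller_identity" "current" {}

data "aws_iam_policy_document" "terraform_state_access" {
  # ListBucket is needed on the whole bucket so the backend can check whether
  # the state object exists and enumerate workspaces.
  statement {
    sid       = "ListStateBucket"
    effect    = "Allow"
    actions   = ["s3:ListBucket"]
    resources = ["arn:aws:s3:::${var.state_bucket}"]
  }

  # Read/write only this project's state object, not the whole bucket.
  statement {
    sid     = "ReadWriteProjectState"
    effect  = "Allow"
    actions = ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"]
    resources = [
      "arn:aws:s3:::${var.state_bucket}/${var.state_key}",
      "arn:aws:s3:::${var.state_bucket}/env:/*/${var.state_key}",
    ]
  }

  # Locking: one item per state key in the table created by the bootstrap.
  statement {
    sid    = "StateLocking"
    effect = "Allow"
    actions = [
      "dynamodb:DescribeTable",
      "dynamodb:GetItem",
      "dynamodb:PutItem",
      "dynamodb:DeleteItem",
    ]
    resources = [
      "arn:aws:dynamodb:us-east-1:${data.aws_caller_identity.current.account_id}:table/${var.lock_table}",
    ]
  }
}

resource "aws_iam_policy" "terraform_state_access" {
  name   = "terraform-state-access-app"
  policy = data.aws_iam_policy_document.terraform_state_access.json
}

# Assumption: the group "terraform-app" already exists (the question mentions
# managing IAM groups alongside the bucket).
resource "aws_iam_group_policy_attachment" "terraform_app" {
  group      = "terraform-app"
  policy_arn = aws_iam_policy.terraform_state_access.arn
}

# In the project itself, not in the remote-state folder. Backend blocks
# cannot reference variables, so the names are literals here.
terraform {
  backend "s3" {
    bucket         = "tfstate"
    key            = "app-state"
    region         = "us-east-1"
    encrypt        = true       # sends x-amz-server-side-encryption: AES256 on every write
    dynamodb_table = "app-state"
  }
}
```

encrypt = true is not optional with the bucket policy in the answer above: its RequireEncryptedStorage statement uses StringNotEquals on s3:x-amz-server-side-encryption, and a request that omits the header does not equal AES256, so terraform's PutObject is denied until the backend sets it. On Terraform 1.10 or later, use_lockfile = true in the backend block locks with an S3 object next to the state instead of DynamoDB; the runner then needs s3:PutObject and s3:DeleteObject on <key>.tflock as well.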

, , S3, IAM . terraform init S3.

, , . "" (VPC, Subnets, IGW, NAT ..) .

+1

terraform / , :

https://github.com/samstav/terraform-aws-backend

From its README:

# conf.tf

module "backend" {
  source         = "github.com/samstav/terraform-aws-backend"
  backend_bucket = "terraform-state-bucket"
}

(before adding the terraform {} block):

terraform get -update
terraform init -backend=false
terraform plan -out=backend.plan -target=module.backend
terraform apply backend.plan

Then add the terraform {} block:

# conf.tf

terraform {
  backend "s3" {
    bucket         = "terraform-state-bucket"
    key            = "states/terraform.tfstate"
    dynamodb_table = "terraform-lock"
  }
}

and run:

terraform init -reconfigure
+1

.


# first init plan apply cycle
# Configure the AWS Provider
# https://www.terraform.io/docs/providers/aws/index.html
provider "aws" {
  version = "~> 2.0"
  region  = "us-east-1"
}

resource "aws_s3_bucket" "terraform_remote_state" {
  bucket = "terraform-remote-state"
  acl    = "private"

  tags = {
    Name        = "terraform-remote-state"
    Environment = "Dev"
  }
}

# add this snippet and execute the
# second init plan apply cycle
# https://www.terraform.io/docs/backends/types/s3.html

terraform {
  backend "s3" {
    bucket = "terraform-remote-state"
    key    = "path/to/my/key"
    region = "us-east-1"
  }
}

0

, terraform , - , terraform S3, . ,

Terraform, S3 Bucket

terraform,

terraform , terraform , .

local-exec provisioner , terraform, terraform , terraform, terraform

-1

Source: https://habr.com/ru/post/1691134/
