Skip to content

Module Banner

terraform-aws-arc-bootstrap

Module: sourcefuse/arc-bootstrap/aws

Registry: https://registry.terraform.io/modules/sourcefuse/arc-bootstrap/aws

Category: Infrastructure / State Management

Source: https://github.com/sourcefuse/terraform-aws-arc-bootstrap

Latest Release Last Updated Terraform GitHub Actions

Quality Gate

Overview

Creates an S3 bucket and DynamoDB table for Terraform remote state storage with encryption, versioning, and access controls.

image search api


What It Does

  • S3 bucket with versioning, SSE, and public access block
  • DynamoDB table for state locking
  • Bucket lifecycle policies
  • Optional bucket logging and inventory
  • Bucket policy enforcing encrypted transport

For more information about this repository and its usage, please see Terraform AWS BOOTSTRAP Usage Guide.

Quickstart

  1. Define the Module

Initially, it's essential to define a Terraform module, which is organized as a distinct directory encompassing Terraform configuration files. Within this module directory, input variables and output values must be defined in the variables.tf and outputs.tf files, respectively. The following illustrates an example directory structure:

1
2
3
4
bootstrap/
|-- main.tf
|-- variables.tf
|-- outputs.tf
  1. Define Input Variables

Inside the variables.tf or in *.tfvars file, you should define values for the variables that the module requires.

  1. Use the Module in Your Main Configuration In your main Terraform configuration file (e.g., main.tf), you can use the module. Specify the source of the module, and version, For Example
1
2
3
4
5
6
7
module "bootstrap" {
  source  = "sourcefuse/arc-bootstrap/aws"
  # version = "x.x.x"  # we recommend pinning the module to a specific version

  bucket_name              = var.bucket_name
  dynamodb_name            = var.dynamodb_name
}

Required Inputs

Name Type Description
bucket_name string S3 bucket name for state files
dynamodb_name string DynamoDB table name for state locking
## Key Outputs
Name Description
bucket_id S3 bucket ID
bucket_arn S3 bucket ARN
dynamodb_id DynamoDB table ID
## Full Variable & Output Reference

The complete inputs/outputs reference is auto-generated below.

  1. Output Values

Inside the outputs.tf file of the module, you can define output values that can be referenced in the main configuration. For example:

1
2
3
4
5
6
7
output "bucket_id" {
  value = module.bootstrap.bucket_id
}

output "bucket_name" {
  value = module.bootstrap.bucket_name
}
  1. Execute Terraform Commands

After defining your main configuration, navigate to the directory containing your Terraform files and run the following commands:

1
2
terraform init
terraform apply
  1. Review and Confirm

Terraform will display a plan showing the changes it intends to make. Review the plan and confirm by typing 'yes' when prompted.

  1. Migrating local state to backend

After the initial apply of terraform, you can add backend section to migrate Terraforn state to S3 bucket 

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
terraform {
  required_version = ">= 1.4"

  backend "s3" {
    region         = "us-east-1"
    key            = "terraform-bootstrap/terraform.tfstate"
    bucket         = "terraformbucketexample"
    dynamodb_table = "terraform-lock"
    encrypt        = true
  }
}

Then run terraform init to initialize the new backend:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
Initializing modules...

Initializing the backend...
Do you want to migrate all workspaces to "aws"?
  Both the existing "local" backend and the newly configured "aws" backend
  support workspaces. When migrating between backends, Terraform will copy
  all workspaces (with the same names). THIS WILL OVERWRITE any conflicting
  states in the destination.

  Terraform initialization doesn't currently migrate only select workspaces.
  If you want to migrate a select number of workspaces, you must manually
  pull and push those states.

  If you answer "yes", Terraform will migrate all states. If you answer
  "no", Terraform will abort.

Our local state has now been migrated to the new backend. It is now safe to remove the local terraform.tfstate.

Requirements

Name Version
terraform >= 1.4, < 2.0.0
aws >= 4.0, < 6.0.0

Providers

Name Version
aws 5.58.0

Modules

No modules.

Resources

Name Type
aws_dynamodb_table.terraform_state_lock resource
aws_s3_bucket.private resource
aws_s3_bucket_acl.this resource
aws_s3_bucket_analytics_configuration.private_analytics_config resource
aws_s3_bucket_cors_configuration.this resource
aws_s3_bucket_inventory.inventory resource
aws_s3_bucket_lifecycle_configuration.this resource
aws_s3_bucket_logging.this resource
aws_s3_bucket_ownership_controls.this resource
aws_s3_bucket_policy.this resource
aws_s3_bucket_public_access_block.public_access_block resource
aws_s3_bucket_server_side_encryption_configuration.example resource
aws_s3_bucket_versioning.this resource
aws_caller_identity.current data source
aws_iam_policy_document.policy data source
aws_partition.current data source

Inputs

Name Description Type Default Required
abort_incomplete_multipart_upload_days Specifies the number of days after initiating a multipart upload when the multipart upload must be completed. number 14 no
bucket_key_enabled Whether or not to use Amazon S3 Bucket Keys for SSE-KMS. bool false no
bucket_name The name of the bucket. string n/a yes
cors_rules List of maps containing rules for Cross-Origin Resource Sharing. list(any) [] no
dynamo_kms_master_key_id The Default ID of an AWS-managed customer master key (CMK) for Amazon Dynamo string null no
dynamodb_hash_key The attribute to use as the hash (partition) key. string "LockID" no
dynamodb_name The name of the table, this needs to be unique within a region. string n/a yes
enable_analytics Enables storage class analytics on the bucket. bool true no
enable_bucket_force_destroy A boolean that indicates all objects (including any locked objects) should be deleted from the bucket so that the bucket can be destroyed without error. bool false no
enable_bucket_inventory If set to true, Bucket Inventory will be enabled. bool false no
enable_bucket_logging Enable bucket activity logging. bool false no
enable_dynamodb_point_in_time_recovery Whether to enable point-in-time recovery - note that it can take up to 10 minutes to enable for new tables. bool true no
enable_s3_public_access_block Bool for toggling whether the s3 public access block resource should be enabled. bool true no
enable_versioning Enable versioning. Once you version-enable a bucket, it can never return to an unversioned state. bool true no
expiration Specifies a period in the object's expire. list(any) 
[
  {
    "expired_object_delete_marker": true
  }
]
 no
inventory_bucket_format The format for the inventory file. Default is ORC. Options are ORC or CSV. string "ORC" no
kms_master_key_id The AWS KMS master key ID used for the SSE-KMS encryption. string "" no
logging_bucket_name The S3 bucket to send S3 access logs. string "" no
logging_bucket_target_prefix To specify a key prefix for log objects. string "" no
mfa_delete mfa_delete is disabled bool false no
noncurrent_version_expiration Number of days until non-current version of object expires number 365 no
noncurrent_version_transitions Non-current version transition blocks list(any) 
[
  {
    "days": 30,
    "storage_class": "STANDARD_IA"
  }
]
 no
schedule_frequency The S3 bucket inventory frequency. Defaults to Weekly. Options are 'Weekly' or 'Daily'. string "Weekly" no
sse_algorithm The server-side encryption algorithm to use. Valid values are AES256 and aws:kms string "AES256" no
tags A mapping of tags to assign to the bucket. map(string) 
{
  "Module": "terraform-aws-arc-bootstrap",
  "TerraformManaged": "true"
}
 no
transitions Current version transition blocks list(any) [] no

Outputs

Name Description
bucket_arn Bucket's ARN
bucket_id Bucket's ID
bucket_name Bucket's Name
dynamodb_arn DynamoDB's ARN
dynamodb_id DynamoDB's ID
dynamodb_name DynamoDB's Name

Development

Versioning

While Contributing or doing git commit please specify the breaking change in your commit message whether its major,minor or patch

For Example

1
git commit -m "your commit message #major"
By specifying this , it will bump the version and if you don't specify this in your commit message then by default it will consider patch and will bump that accordingly

Prerequisites

Configurations

  • Configure pre-commit hooks 
    1
    pre-commit install
  • Execute pre-commit 
    1
    pre-commit run -a

Contributing

See CONTRIBUTING.md for commit conventions and development setup.

Authors

This project is authored by: - SourceFuse ARC Team