initial commit

Author: nex9

.gitignore

@@ -0,0 +1,7 @@
+.DS_Store
+.vscode
+*.tfstate
+*.tfstate.*
+terraform
+**/.terraform/*
+crash.log

README.md

@@ -0,0 +1,3 @@
+# S3 Backend Module
+
+This module will deploy and S3 remote backend for Terraform

iam.tf

@@ -0,0 +1,66 @@
+data "aws_caller_identity" "current" {}
+
+locals {
+  principal_arns = var.principal_arns != null ? var.principal_arns : [data.aws_caller_identity.current.arn]
+}
+
+resource "aws_iam_role" "iam_role" {
+  name = "${local.namespace}-tf-assume-role"
+
+  assume_role_policy = <<-EOF
+  {
+    "Version": "2021-10-17",
+    "Statement": [
+      {
+        "Action": "sts:AssumeRole",
+        "Principal": {
+          "AWS": ${jsonencode(local.principal_arns)}
+        },
+        "Effect": "Allow"
+      }
+    ]
+  }
+  EOF
+
+  tags = {
+    ResourceGroup = local.namespace
+  }
+}
+
+data "aws_iam_policy_document" "policy_doc" {
+  statement {
+    actions = [
+      "s3:ListBucket",
+    ]
+    resources = [
+      aws_s3_bucket.s3_bucket.arn
+    ]
+  }
+
+  statement {
+    actions = ["s3.GetObject", "s3:PutObject", "s3:DeleteObject"]
+    resources = [
+      "${aws_s3_bucket.s3_bucket.arn}/*",
+    ]
+  }
+
+  statement {
+    actions = [
+      "dynamodb:GetItem",
+      "dynamodb:PutItem",
+      "dynamodb:DeleteItem"
+    ]
+    resources = [aws_dynamodb_table.dynamodb_table.arn]
+  }
+}
+
+resource "aws_iam_policy" "iam_policy" {
+  name = "${local.namespace}-tf-policy"
+  path = "/"
+  policy = data.aws_iam_policy_document.policy_doc.json
+}
+
+resource "aws_iam_role_policy_attachment" "policy_attach" {
+  role = aws_iam_role.iam_role.name
+  policy_arn = aws_iam_policy.iam_policy.arn
+}

main.tf

@@ -0,0 +1,80 @@
+data "aws_region" "current" {}
+
+resource random_string "rand" {
+  length  = 24
+  upper   = false
+  special = false
+}
+
+locals {
+  namespace = substr(join("-", [var.namespace, random_string.rand.result]), 0, 24)
+}
+
+resource "aws_resourcegroups_group" "resourcegroups_group" {
+  name = "${local.namespace}-group"
+
+  resource_query {
+    query = <<-JSON
+{
+  "ResourceTypeFilters": [
+    "AWS::AllSupported"
+  ],
+  "TagFilters": [
+    {
+      "Key": "ResourceGroup",
+      "Values": ["${local.namespace}"]
+    }
+  ]
+} 
+JSON
+
+  }
+}
+
+resource "aws_kem_key" "kms_key" {
+  tags = {
+    ResourceGroup = local.namespace
+  }
+}
+
+resource "aws_s3_bucket" "s3_bucket" {
+  bucket = "${local.namespace}-state-bucket"
+  force_destroy = var.force_destroy_state
+  versioning {
+    enabled = true
+  }
+
+  server_side_encryption_configuration {
+    rule {
+      apply_server_side_encryption_by_default {
+        sse_algorithm = "aws:kms"
+        kms_master_key_id = aws_kem_key.kms_key.arn
+      }
+    }
+  }
+  tags = {
+    ResourceGroup = local.namespace
+  }
+}
+
+resource "aws_s3_bucket_public_access_block" "s3_bucket" {
+  bucket = aws_s3_bucket.s3_bucket.id
+
+  block_public_acls = true
+  block_public_policy = true
+  ignore_public_acls = true
+  restrict_public_buckets = true
+}
+
+resource "aws_dynamodb_table" "dynamodb_table" {
+  name = "${local.namespace}-state-lock"
+  hash_key = "LockID"
+  billing_mode = "PAY_PER_REQUEST"
+  attribute {
+    name = "LockID"
+    type = "S"
+  }
+  tags = {
+    ResourceGroup = local.namespace
+  }
+}

outputs.tf

@@ -0,0 +1,8 @@
+output "config" {
+  value = {
+    bucket = aws_s3_bucket.s3_bucket.bucket
+    region = data.aws_region.current.name
+    role_arn = aws_iam_role.iam_role.arn
+    dynamodb_table = aws_dynamodb_table.dynamodb_table.name
+  }
+}

variables.tf

@@ -0,0 +1,19 @@
+variable "namespace" {
+  type        = string
+  default     = "s3backend"
+  description = "The project napespace to user for unique resource naming"
+}
+
+variable "principal_arns" {
+  type        = list(string)
+  default     = null
+  description = "A list of pricipal arns allowed to assume the IAM role"
+}
+
+variable "force_destroy_state" {
+  type        = bool
+  default     = true
+  description = "Force destroy the s3 bucket containing state files"
+}
+
+

versions.tf

@@ -0,0 +1,13 @@
+terraform {
+  required_version = ">= 0.15"
+  required_providers {
+    aws = {
+      source = "hashicorp/aws"
+      version = "~> 3.28"
+    }
+    random = {
+      source = "hashicorp/random"
+      version = "~> 3.0"
+    }
+  }
+}