Move backend to S3

2025-01-29 15:47:09 +01:00 · 2022-09-07 12:31:36 +02:00 · 2022-09-07 12:31:36 +02:00 · 03b202d38d
commit 03b202d38d
parent cb623de6bb
8 changed files with 103 additions and 8 deletions
--- a/README.md
+++ b/README.md
@ -2,16 +2,24 @@
 Simple demo of using Terraform in an AWS environment created for learning purposes.

 ## Used AWS services
+* [S3](https://aws.amazon.com/s3/)
+* [DynamoDB](https://aws.amazon.com/dynamodb/)
 * [VPC](https://aws.amazon.com/vpc/)
 * [EC2](https://aws.amazon.com/ec2/)
 * [Application Load Balancer](https://aws.amazon.com/elasticloadbalancing/application-load-balancer/)

 ## Operation
-This terraform configuration creates VPC and public and private networks with Internet access via IGW and NAT Gateway. A bastion host is created in one of the public networks, from which we can access an autoscaling group of EC2 instances located in the private network. The group hosts a simple web application and scales according to CPU usage. In front of the application is an ALB that directs traffic appropriately.
+This terraform configuration creates VPC and public and private networks with Internet access via IGW and NAT Gateway. A bastion host is created in one of the public networks, from which we can access an autoscaling group of EC2 instances located in the private network. The group hosts a simple web application and scales according to CPU usage. In front of the application is an ALB that directs traffic appropriately. The main infrastructure configuration uses the S3 remote backend with DynamoDB state locking.

-## Prerequirements
-* EC2 key pair created
-* Completed terraform.tfvars file
+## Usage
+### Prerequirements
+* EC2 key pair created in AWS console
+
+### Infra setup
+1. Complete terraform.tfvars files (`./backend/terraform.tfvars` and `./prod/terraform.tfvars`)
+2. Initialize and apply terraform config from the `backend` dir. This will create an S3 bucket and DynamoDB table to use remote state.
+3. Complete backend block in `prod/versions.tf` with the data you saw in the output from the previous step.
+4. Initialize and apply terraform config from the `prod` dir. This will create the rest of infrastructure.

 ## Future work
-* Move state to S3 bucket and create state locking via DynamoDB
+[x] Move state to S3 bucket and create state locking via DynamoDB
--- a/backend/main.tf
+++ b/backend/main.tf
@ -0,0 +1,25 @@
+provider "aws" {
+  region = var.REGION
+}
+
+provider "aws" {
+  alias  = "replica"
+  region = var.REGION_REPLICA
+}
+
+module "remote_state" {
+  source = "nozaq/remote-state-s3-backend/aws"
+
+  providers = {
+    aws         = aws
+    aws.replica = aws.replica
+  }
+
+  override_s3_bucket_name = true
+  s3_bucket_name          = var.S3_STATE_BUCKET_NAME
+  s3_bucket_name_replica  = var.S3_STATE_BUCKET_REPLICA_NAME
+
+  kms_key_alias = var.STATE_KMS_KEY_ALIAS
+
+  dynamodb_table_name = var.STATE_DYNAMODB_TABLE_NAME
+}
--- a/backend/outputs.tf
+++ b/backend/outputs.tf
@ -0,0 +1,11 @@
+output "s3_state_bucket" {
+  value = module.remote_state.state_bucket.id
+}
+
+output "dynamodb_state_lock_table_name" {
+  value = module.remote_state.dynamodb_table.name
+}
+
+output "kms_state_key_id" {
+  value = module.remote_state.kms_key.id
+}
--- a/backend/terraform.tfvars.example
+++ b/backend/terraform.tfvars.example
@ -0,0 +1,10 @@
+# general
+REGION         = "eu-west-3"
+REGION_REPLICA = "eu-north-1"
+
+S3_STATE_BUCKET_NAME         = "demo-state-bucket-98017casd"
+S3_STATE_BUCKET_REPLICA_NAME = "demo-state-bucket-replica-98017casd"
+
+STATE_KMS_KEY_ALIAS = "demo-state-kms-key"
+
+STATE_DYNAMODB_TABLE_NAME = "demo-state-lock"
--- a/backend/variables.tf
+++ b/backend/variables.tf
@ -0,0 +1,24 @@
+# general
+variable "REGION" {
+  type = string
+}
+
+variable "REGION_REPLICA" {
+  type = string
+}
+
+variable "S3_STATE_BUCKET_NAME" {
+  type = string
+}
+
+variable "S3_STATE_BUCKET_REPLICA_NAME" {
+  type = string
+}
+
+variable "STATE_KMS_KEY_ALIAS" {
+  type = string
+}
+
+variable "STATE_DYNAMODB_TABLE_NAME" {
+  type = string
+}
--- a/backend/versions.tf
+++ b/backend/versions.tf
@ -0,0 +1,8 @@
+terraform {
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = "~> 4.3"
+    }
+  }
+}
--- a/prod/terraform.tfvars.example
+++ b/prod/terraform.tfvars.example
@ -1,10 +1,10 @@
 # general
-REGION      = "eu-west-3"
+REGION       = "eu-west-3"
 PROJECT_NAME = "demo"

 # vpc
-DEMO_VPC_CIDR                 = "10.0.0.0/24"
-DEMO_VPC_AVAILABILITY_ZONES   = ["eu-west-3a", "eu-west-3b"]
+DEMO_VPC_CIDR                  = "10.0.0.0/24"
+DEMO_VPC_AVAILABILITY_ZONES    = ["eu-west-3a", "eu-west-3b"]
 DEMO_VPC_PRIVATE_SUBNETS_CIDRS = ["10.0.0.0/28", "10.0.0.16/28"]
 DEMO_VPC_PUBLIC_SUBNETS_CIDRS  = ["10.0.0.32/28", "10.0.0.48/28"]

--- a/prod/versions.tf
+++ b/prod/versions.tf
@ -5,4 +5,13 @@ terraform {
      version = "~> 3"
    }
  }
+
+  backend "s3" {
+    bucket         = "demo-state-bucket-98017casd"
+    key            = "tf-aws-demo/prod/terraform.tfstate"
+    region         = "eu-west-3"
+    encrypt        = true
+    kms_key_id     = "9bb018d4-3ef8-496e-884c-154478d7f8b2"
+    dynamodb_table = "demo-state-lock"
+  }
 }