add the option to use remote S3 backend for storing tfstate

RADAR-base · Sep 5, 2024 · 8baef13 · 8baef13
1 parent ceda98b
commit 8baef13
Show file tree

Hide file tree

Showing 10 changed files with 256 additions and 0 deletions.
diff --git a/.github/workflows/backend.yaml b/.github/workflows/backend.yaml
@@ -0,0 +1,33 @@
+name: TF Validate Backend
+
+on:
+  push:
+    branches: [ main ]
+  pull_request:
+    branches: [ main ]
+
+env:
+  TERRAFORM_VERSION: 1.7.5
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    defaults:
+      run:
+        shell: bash
+        working-directory: ./backend
+    steps:
+        - name: Checkout
+          uses: actions/checkout@v3
+        - name: Setup Terraform
+          uses: hashicorp/setup-terraform@v2
+          with:
+            terraform_version: ${{ env.TERRAFORM_VERSION }}
+        - name: Init
+          run: |
+            rm -rf .terraform
+            terraform init -backend=false
+        - name: Format
+          run: terraform fmt -check
+        - name: Validate
+          run: terraform validate -no-color
diff --git a/backend/.terraform.lock.hcl b/backend/.terraform.lock.hcl
diff --git a/backend/backend.tf b/backend/backend.tf
@@ -0,0 +1,92 @@
+resource "aws_s3_bucket" "backend" {
+  count = var.enable_backend ? 1 : 0
+
+  bucket = var.backend_bucket_name
+  tags   = merge(tomap({ "Name" : "${var.eks_cluster_name}-${var.backend_bucket_name}" }), var.common_tags)
+}
+
+resource "aws_s3_bucket_ownership_controls" "backend" {
+  count = var.enable_backend ? 1 : 0
+
+  bucket = aws_s3_bucket.backend[0].id
+  rule {
+    object_ownership = "BucketOwnerPreferred"
+  }
+
+  depends_on = [aws_s3_bucket.backend]
+}
+
+resource "aws_s3_bucket_acl" "backend" {
+  count = var.enable_backend ? 1 : 0
+
+  bucket = aws_s3_bucket.backend[0].id
+  acl    = "private"
+
+  depends_on = [aws_s3_bucket_ownership_controls.backend]
+}
+
+resource "aws_s3_bucket_server_side_encryption_configuration" "backend" {
+  count = var.enable_backend ? 1 : 0
+
+  bucket = aws_s3_bucket.backend[0].id
+
+  rule {
+    apply_server_side_encryption_by_default {
+      sse_algorithm = "AES256"
+    }
+  }
+}
+
+resource "aws_dynamodb_table" "backend" {
+  count = var.enable_backend ? 1 : 0
+
+  name           = var.backend_state_locking
+  hash_key       = "LockID"
+  billing_mode   = "PROVISIONED"
+  read_capacity  = 1
+  write_capacity = 1
+
+  attribute {
+    name = "LockID"
+    type = "S"
+  }
+
+  tags = merge(tomap({ "Name" : "${var.eks_cluster_name}-backend-state-locking" }), var.common_tags)
+}
+
+resource "aws_iam_policy" "backend" {
+  count = var.enable_backend ? 1 : 0
+
+  name        = "${var.eks_cluster_name}-backend-access"
+  path        = "/${var.eks_cluster_name}/"
+  description = "Allow backend TF state access for admin users of ${var.eks_cluster_name} cluster"
+
+  policy = jsonencode({
+    "Version" : "2012-10-17",
+    "Statement" : [
+      {
+        "Effect" : "Allow",
+        "Action" : "s3:ListBucket",
+        "Resource" : "arn:aws:s3:::${var.backend_bucket_name}"
+      },
+      {
+        "Effect" : "Allow",
+        "Action" : [
+          "s3:GetObject",
+          "s3:PutObject"
+        ],
+        "Resource" : "arn:aws:s3:::${var.backend_bucket_name}/*"
+      },
+      {
+        "Effect" : "Allow",
+        "Action" : [
+          "dynamodb:DeleteItem",
+          "dynamodb:GetItem",
+          "dynamodb:PutItem"
+        ],
+        "Resource" : "arn:aws:dynamodb:::table/${var.backend_state_locking}"
+      }
+    ]
+  })
+  tags = merge(tomap({ "Name" : "${var.eks_cluster_name}-backend-access" }), var.common_tags)
+}
diff --git a/backend/outputs.tf b/backend/outputs.tf
@@ -0,0 +1,11 @@
+output "backend_bucket_name" {
+  value = var.backend_bucket_name
+}
+
+output "backend_state_locking" {
+  value = var.backend_state_locking
+}
+
+output "backend_aws_region" {
+  value = var.AWS_REGION
+}
diff --git a/backend/provider.tf b/backend/provider.tf
@@ -0,0 +1,6 @@
+provider "aws" {
+  region     = var.AWS_REGION
+  access_key = var.AWS_ACCESS_KEY_ID
+  secret_key = var.AWS_SECRET_ACCESS_KEY
+  token      = var.AWS_SESSION_TOKEN
+}
diff --git a/backend/terraform.tfvars b/backend/terraform.tfvars
@@ -0,0 +1 @@
+enable_backend = true
diff --git a/backend/variables.tf b/backend/variables.tf
@@ -0,0 +1,60 @@
+variable "AWS_REGION" {
+  type        = string
+  description = "Target AWS region"
+  default     = "eu-west-2"
+}
+
+variable "AWS_ACCESS_KEY_ID" {
+  type        = string
+  description = "AWS access key associated with an IAM account"
+  sensitive   = true
+}
+
+variable "AWS_SECRET_ACCESS_KEY" {
+  type        = string
+  description = "AWS secret key associated with the access key"
+  sensitive   = true
+}
+
+variable "AWS_SESSION_TOKEN" {
+  type        = string
+  description = "Session token for temporary security credentials from AWS STS"
+  default     = ""
+  sensitive   = true
+}
+
+variable "eks_cluster_name" {
+  type        = string
+  description = "EKS cluster name"
+
+  validation {
+    condition     = length(var.eks_cluster_name) > 0
+    error_message = "The cluster name cannot be empty."
+  }
+}
+
+variable "common_tags" {
+  type        = map(string)
+  description = "Common tags associated to resources created"
+  default = {
+    Project     = "radar-base"
+    Environment = "dev"
+  }
+}
+
+variable "enable_backend" {
+  type        = bool
+  description = "Do you need backend for storing TF state? [true, false]"
+}
+
+variable "backend_bucket_name" {
+  type        = string
+  description = "Default name for the S3 bucket for storing TF state"
+  default     = "radar-base-dev-cluster-1-infrastructure"
+}
+
+variable "backend_state_locking" {
+  type        = string
+  description = "Default name for the DynamoDB table for TF state locking"
+  default     = "radar-base-dev-cluster-1-infrastructure-state-locking"
+}
diff --git a/backend/versions.tf b/backend/versions.tf
@@ -0,0 +1,9 @@
+terraform {
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = ">= 5.0.0, < 6.0.0"
+    }
+  }
+  required_version = ">= 1.7.0"
+}
diff --git a/cluster/versions.tf b/cluster/versions.tf
@@ -13,5 +13,15 @@ terraform {
       version = "~> 1.14.0"
     }
   }
+
+  # Uncomment the following backend block to enable remote TF state persistance.
+  # Replace placeholder values with actual output values from the "backend" workspace.
+  # backend "s3" {
+  #   bucket         = "[backend_bucket_name]"
+  #   key            = "cluster/terraform.tfstate"
+  #   region         = "[backend_aws_region]"
+  #   dynamodb_table = "[backend_state_locking]"
+  # }
+
   required_version = ">= 1.7.0"
 }
diff --git a/config/versions.tf b/config/versions.tf
@@ -17,5 +17,15 @@ terraform {
       version = "~> 1.14.0"
     }
   }
+
+  # Uncomment the following backend block to enable remote TF state persistance.
+  # Replace placeholder values with actual output values from the "backend" workspace.
+  # backend "s3" {
+  #   bucket         = "[backend_bucket_name]"
+  #   key            = "config/terraform.tfstate"
+  #   region         = "[backend_aws_region]"
+  #   dynamodb_table = "[backend_state_locking]"
+  # }
+
   required_version = ">= 1.7.0"
 }