Last active
March 12, 2020 20:22
-
-
Save distractdiverge/c825925a12c1fd32d50d7faf9ca9d69d to your computer and use it in GitHub Desktop.
Cloudformation Script to create resources for Remote State Storage in Terraform
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| --- | |
| AWSTemplateFormatVersion: 2010-09-09 | |
| Description: Creates the required resources to use as the state backend for Terraform | |
| Parameters: | |
| AccountId: | |
| Type: Number | |
| Description: The AWS Account Number | |
| BucketName: | |
| Type: String | |
| Description: The Bucket Name for the S3 bucket to store the state | |
| DynamoDbTableName: | |
| Type: String | |
| Description: The Name of the DynamoDB to store the remote state. | |
| Resources: | |
| TerraformLocks: | |
| Type: AWS::DynamoDB::Table | |
| Properties: | |
| TableName: !Ref DynamoDbTableName | |
| AttributeDefinitions: | |
| - | |
| AttributeName: "LockID" | |
| AttributeType: "S" | |
| KeySchema: | |
| - | |
| AttributeName: "LockID" | |
| KeyType: "HASH" | |
| ProvisionedThroughput: | |
| ReadCapacityUnits: 5 | |
| WriteCapacityUnits: 5 | |
| TerraformState: | |
| Type: AWS::S3::Bucket | |
| Properties: | |
| BucketName: !Ref BucketName | |
| TerraformRole: | |
| Type: AWS::IAM::Role | |
| Properties: | |
| AssumeRolePolicyDocument: | |
| Statement: | |
| - Effect: Allow | |
| Principal: | |
| AWS: !Sub arn:aws:iam::${AccountId}:root | |
| Action: | |
| - sts:AssumeRole | |
| TerraformPolicy: | |
| Type: AWS::IAM::Policy | |
| Properties: | |
| PolicyName: TerraformStatePolicy | |
| PolicyDocument: | |
| Version: "2012-10-17" | |
| Statement: | |
| - Effect: Allow | |
| Resource: !GetAtt [TerraformState, Arn] | |
| Action: | |
| - s3:ListBucket | |
| - Effect: Allow | |
| Resource: !Join ["", [!GetAtt [TerraformState, Arn], "/*"]] | |
| Action: | |
| - s3:GetObject | |
| - s3:PutObject | |
| - Effect: Allow | |
| Resource: !GetAtt [TerraformLocks, Arn] | |
| Action: | |
| - dynamodb:GetItem | |
| - dynamodb:PutItem | |
| - dynamodb:DeleteItem | |
| Roles: [!Ref TerraformRole] | |
| Outputs: | |
| RoleId: | |
| Description: The logical ID of the IAM Role | |
| Value: !Ref TerraformRole | |
| RoleArn: | |
| Description: The ARN of the IAM Role | |
| Value: !GetAtt [TerraformRole, Arn] | |
| StateBucketName: | |
| Description: The S3 Bucket Name for storing Terraform State | |
| Value: !Ref TerraformState | |
| LockDynamoDbTable: | |
| Description: The DynamoDB Tablename for storing Terraform Locks | |
| Value: !Ref TerraformLocks |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment