From 0d265904f8de0b5d890968bcb98ede434a0cdd2e Mon Sep 17 00:00:00 2001
From: Sam Stavinoha
Date: Fri, 22 Nov 2019 20:13:33 -0600
Subject: [PATCH 1/3] 0.12 upgrade
---
 main.tf | 72 ++++++++++++++++++++++++++--------------------------
 outputs.tf | 15 +++++++----
 variables.tf | 10 +++++---
 versions.tf | 4 +++
 4 files changed, 56 insertions(+), 45 deletions(-)
 create mode 100644 versions.tf
diff --git a/main.tf b/main.tf
index 447290b..1dd7d04 100644
--- a/main.tf
+++ b/main.tf
@@ -33,53 +33,53 @@ terraform {
 required_version = ">= 0.9.0"
 }
-data "aws_caller_identity" "current" {}
+data "aws_caller_identity" "current" {
+}
 resource "aws_dynamodb_table" "tf_backend_state_lock_table" {
- count = "${var.dynamodb_lock_table_enabled ? 1 : 0}"
- name = "${var.dynamodb_lock_table_name}"
- read_capacity = "${var.lock_table_read_capacity}"
- write_capacity = "${var.lock_table_write_capacity}"
- hash_key = "LockID"
- stream_enabled = "${var.dynamodb_lock_table_stream_enabled}"
- stream_view_type = "${var.dynamodb_lock_table_stream_enabled ? var.dynamodb_lock_table_stream_view_type : ""}"
+ count = var.dynamodb_lock_table_enabled ? 1 : 0
+ name = var.dynamodb_lock_table_name
+ read_capacity = var.lock_table_read_capacity
+ write_capacity = var.lock_table_write_capacity
+ hash_key = "LockID"
+ stream_enabled = var.dynamodb_lock_table_stream_enabled
+ stream_view_type = var.dynamodb_lock_table_stream_enabled ? var.dynamodb_lock_table_stream_view_type : ""
 attribute {
 name = "LockID"
 type = "S"
 }
- tags {
- Description = "Terraform state locking table for account ${data.aws_caller_identity.current.account_id}."
+ tags = {
+ Description = "Terraform state locking table for account ${data.aws_caller_identity.current.account_id}."
 ManagedByTerraform = "true"
- TerraformModule = "terraform-aws-backend"
+ TerraformModule = "terraform-aws-backend"
 }
 lifecycle {
 prevent_destroy = true
 }
-
 }
 resource "aws_s3_bucket" "tf_backend_bucket" {
- bucket = "${var.backend_bucket}"
- acl = "private"
+ bucket = var.backend_bucket
+ acl = "private"
 versioning {
 enabled = true
 }
 logging {
- target_bucket = "${aws_s3_bucket.tf_backend_logs_bucket.id}"
+ target_bucket = aws_s3_bucket.tf_backend_logs_bucket.id
 target_prefix = "log/"
 }
- tags {
- Description = "Terraform S3 Backend bucket which stores the terraform state for account ${data.aws_caller_identity.current.account_id}."
+ tags = {
+ Description = "Terraform S3 Backend bucket which stores the terraform state for account ${data.aws_caller_identity.current.account_id}."
 ManagedByTerraform = "true"
- TerraformModule = "terraform-aws-backend"
+ TerraformModule = "terraform-aws-backend"
 }
 server_side_encryption_configuration {
 rule {
 apply_server_side_encryption_by_default {
- kms_master_key_id = "${var.kms_key_id}"
- sse_algorithm = "${var.kms_key_id == "" ? "AES256" : "aws:kms"}"
+ kms_master_key_id = var.kms_key_id
+ sse_algorithm = var.kms_key_id == "" ? "AES256" : "aws:kms"
 }
 }
 }
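Review bot: The state bucket `tf_backend_bucket` relies on `acl = "private"` alone; nothing in this hunk prevents a public ACL or a public bucket policy from being attached to it later, and a bucket holding Terraform state (which frequently contains secrets in plain text) should have that closed at the account/bucket level rather than by convention. Since the commit is already moving this resource to 0.12 syntax, it is a natural place to add an `aws_s3_bucket_public_access_block` alongside it, provider version permitting. The same applies to `tf_backend_logs_bucket` in the next hunk, which receives access logs naming every requester and object key. The enclosing `aws_s3_bucket` resource closes outside this hunk.
```hcl
# … unchanged: resource "aws_s3_bucket" "tf_backend_bucket" { … } …

resource "aws_s3_bucket_public_access_block" "tf_backend_bucket" {
  bucket                  = aws_s3_bucket.tf_backend_bucket.id
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}
```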
@@ -90,68 +90,68 @@ resource "aws_s3_bucket" "tf_backend_bucket" {
 data "aws_iam_policy_document" "tf_backend_bucket_policy" {
 statement {
- sid = "RequireEncryptedTransport"
+ sid = "RequireEncryptedTransport"
 effect = "Deny"
 actions = [
 "s3:*",
 ]
 resources = [
- "${aws_s3_bucket.tf_backend_bucket.arn}/*"
+ "${aws_s3_bucket.tf_backend_bucket.arn}/*",
 ]
 condition {
- test = "Bool"
+ test = "Bool"
 variable = "aws:SecureTransport"
 values = [
 false,
 ]
 }
 principals {
- type = "*"
+ type = "*"
 identifiers = ["*"]
 }
 }
 statement {
- sid = "RequireEncryptedStorage"
+ sid = "RequireEncryptedStorage"
 effect = "Deny"
 actions = [
 "s3:PutObject",
 ]
 resources = [
- "${aws_s3_bucket.tf_backend_bucket.arn}/*"
+ "${aws_s3_bucket.tf_backend_bucket.arn}/*",
 ]
 condition {
- test = "StringNotEquals"
+ test = "StringNotEquals"
 variable = "s3:x-amz-server-side-encryption"
 values = [
- "${var.kms_key_id == "" ? "AES256" : "aws:kms" }"
+ var.kms_key_id == "" ? "AES256" : "aws:kms",
 ]
 }
 principals {
- type = "*"
+ type = "*"
 identifiers = ["*"]
 }
 }
 }
-
 resource "aws_s3_bucket_policy" "tf_backend_bucket_policy" {
- bucket = "${aws_s3_bucket.tf_backend_bucket.id}"
- policy = "${data.aws_iam_policy_document.tf_backend_bucket_policy.json}"
+ bucket = aws_s3_bucket.tf_backend_bucket.id
+ policy = data.aws_iam_policy_document.tf_backend_bucket_policy.json
 }
 resource "aws_s3_bucket" "tf_backend_logs_bucket" {
 bucket = "${var.backend_bucket}-logs"
- acl = "log-delivery-write"
+ acl = "log-delivery-write"
 versioning {
 enabled = true
 }
- tags {
- Purpose = "Logging bucket for ${var.backend_bucket}"
+ tags = {
+ Purpose = "Logging bucket for ${var.backend_bucket}"
 ManagedByTerraform = "true"
- TerraformModule = "terraform-aws-backend"
+ TerraformModule = "terraform-aws-backend"
 }
 lifecycle {
 prevent_destroy = true
 }
 }
+
diff --git a/outputs.tf b/outputs.tf
index 64b31a3..42cdfa1 100644
--- a/outputs.tf
+++ b/outputs.tf
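Review bot: `tf_backend_logs_bucket` is the only bucket in this hunk with no `server_side_encryption_configuration`, and the `RequireEncryptedTransport` / `RequireEncryptedStorage` policy is attached to `tf_backend_bucket` only, so the access logs for the state bucket (requester identity, object keys, timestamps) land in a bucket with neither at-rest encryption configured nor TLS enforced. Adding a default-encryption block to the logs bucket brings it in line with the state bucket; I would use `AES256` rather than the `var.kms_key_id` option here, because S3 server access log delivery does not, as far as I know, support SSE-KMS default encryption on the destination bucket. A transport-only deny policy for the logs bucket could follow the same `aws_iam_policy_document` pattern used above.
```hcl
resource "aws_s3_bucket" "tf_backend_logs_bucket" {
  # … unchanged: bucket, acl, versioning, tags …

  server_side_encryption_configuration {
    rule {
      apply_server_side_encryption_by_default {
        sse_algorithm = "AES256"
      }
    }
  }

  # … unchanged: lifecycle …
}
```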
@@ -12,21 +12,26 @@
 */
 output "s3_backend_bucket_name" {
- value = "${ join("", aws_s3_bucket.tf_backend_bucket.*.id, aws_s3_bucket.tf_backend_bucket.*.id)}"
+ value = join(
+ "",
+ aws_s3_bucket.tf_backend_bucket.*.id,
+ aws_s3_bucket.tf_backend_bucket.*.id,
+ )
 }
 output "dynamodb_lock_table_name" {
- value = "${aws_dynamodb_table.tf_backend_state_lock_table.*.id}"
+ value = aws_dynamodb_table.tf_backend_state_lock_table.*.id
 }
 output "dynamodb_lock_table_arn" {
- value = "${aws_dynamodb_table.tf_backend_state_lock_table.*.arn}"
+ value = aws_dynamodb_table.tf_backend_state_lock_table.*.arn
 }
 output "dynamodb_lock_stream_arn" {
- value = "${aws_dynamodb_table.tf_backend_state_lock_table.*.stream_arn}"
+ value = aws_dynamodb_table.tf_backend_state_lock_table.*.stream_arn
 }
 output "dynamodb_lock_stream_label" {
- value = "${aws_dynamodb_table.tf_backend_state_lock_table.*.stream_label}"
+ value = aws_dynamodb_table.tf_backend_state_lock_table.*.stream_label
 }
+
diff --git a/variables.tf b/variables.tf
index 3f9b562..7822de3 100644
--- a/variables.tf
+++ b/variables.tf
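Review bot: `s3_backend_bucket_name` passes `aws_s3_bucket.tf_backend_bucket.*.id` to `join` twice, so if I read 0.12's variadic `join` correctly the output is the bucket name concatenated with itself rather than the name once; the commit reformats the expression but carries the duplicated argument over. `tf_backend_bucket` has no `count` in the main.tf hunks, so the direct reference is both correct and simpler: `value = aws_s3_bucket.tf_backend_bucket.id`. The remaining outputs deliberately stay lists because the DynamoDB table is conditional, which is worth a one-line comment on the first of them so consumers know to index or `join` them.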
@@ -1,12 +1,13 @@
-variable "backend_bucket" {}
+variable "backend_bucket" {
+}
 variable "dynamodb_lock_table_enabled" {
- default = 1
+ default = 1
 description = "Affects terraform-aws-backend module behavior. Set to false or 0 to prevent this module from creating the DynamoDB table to use for terraform state locking and consistency. More info on locking for aws/s3 backends: https://www.terraform.io/docs/backends/types/s3.html. More information about how terraform handles booleans here: https://www.terraform.io/docs/configuration/variables.html"
 }
 variable "dynamodb_lock_table_stream_enabled" {
- default = 0
+ default = 0
 description = "Affects terraform-aws-backend module behavior. Set to false or 0 to disable DynamoDB Streams for the table. More info on DynamoDB streams: https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/Streams.html. More information about how terraform handles booleans here: https://www.terraform.io/docs/configuration/variables.html"
 }
@@ -28,6 +29,7 @@ variable "lock_table_write_capacity" {
 variable "kms_key_id" {
 # Default to absent/blank to use the default aws/s3 aws kms master key
- default = ""
+ default = ""
 description = "The AWS KMS master key ID used for the SSE-KMS encryption on the tf state s3 bucket. If the kms_key_id is specified, the bucket default encryption key management method will be set to aws-kms. If the kms_key_id is not specified (the default), then the default encryption key management method will be set to aes-256 (also known as aws-s3 key management). The default aws/s3 AWS KMS master key is used if this element is absent (the default)."
 }
+
diff --git a/versions.tf b/versions.tf
new file mode 100644
index 0000000..ac97c6a
--- /dev/null
+++ b/versions.tf
@@ -0,0 +1,4 @@
+
+terraform {
+ required_version = ">= 0.12"
+}
From 15d3d8453f233305801da80149511ea8eb7c20ff Mon Sep 17 00:00:00 2001
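Review bot: The new versions.tf pins Terraform itself but not the AWS provider, even though the module's behaviour (the in-resource `versioning`, `logging` and `server_side_encryption_configuration` blocks, `acl`, and any public-access-block resource added later) depends on which provider major version a consumer happens to resolve, which makes both reproducibility and the security posture of the deployed buckets drift with the unpinned download. A `required_providers` block in the same `terraform` block closes that, e.g. `required_providers { aws = "~> <PROVIDER_VERSION>" }` with the version the module was actually tested against. The file also starts with an added blank line before `terraform {`, which is presumably accidental.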
From: Sam Stavinoha
Date: Fri, 22 Nov 2019 20:15:39 -0600
Subject: [PATCH 2/3] update variable types
---
 variables.tf | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/variables.tf b/variables.tf
index 7822de3..ca80621 100644
--- a/variables.tf
+++ b/variables.tf
@@ -2,12 +2,14 @@ variable "backend_bucket" {
 }
 variable "dynamodb_lock_table_enabled" {
- default = 1
+ type = bool
+ default = true
 description = "Affects terraform-aws-backend module behavior. Set to false or 0 to prevent this module from creating the DynamoDB table to use for terraform state locking and consistency. More info on locking for aws/s3 backends: https://www.terraform.io/docs/backends/types/s3.html. More information about how terraform handles booleans here: https://www.terraform.io/docs/configuration/variables.html"
 }
 variable "dynamodb_lock_table_stream_enabled" {
- default = 0
+ type = bool
+ default = false
 description = "Affects terraform-aws-backend module behavior. Set to false or 0 to disable DynamoDB Streams for the table. More info on DynamoDB streams: https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/Streams.html. More information about how terraform handles booleans here: https://www.terraform.io/docs/configuration/variables.html"
 }
@@ -20,10 +22,12 @@ variable "dynamodb_lock_table_name" {
 }
 variable "lock_table_read_capacity" {
+ type = number
 default = 1
 }
 variable "lock_table_write_capacity" {
+ type = number
 default = 1
 }
From a477f839ca7f68397ead46219f20d88453dededc Mon Sep 17 00:00:00 2001
From: Sam Stavinoha
Date: Fri, 22 Nov 2019 20:18:43 -0600
Subject: [PATCH 3/3] remove old required version block
---
 main.tf | 4 ----
 1 file changed, 4 deletions(-)
diff --git a/main.tf b/main.tf
index 1dd7d04..d3b2e71 100644
--- a/main.tf
+++ b/main.tf
@@ -29,10 +29,6 @@
 *
 */
-terraform {
- required_version = ">= 0.9.0"
-}
-
 data "aws_caller_identity" "current" {
 }
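Review bot: After adding `type = bool` to `dynamodb_lock_table_enabled` and `dynamodb_lock_table_stream_enabled`, the unchanged descriptions still tell callers to "Set to false or 0", and still link to the 0.11-era page on how Terraform handles booleans; with an explicit `bool` type a bare numeric `0` is, as far as I can tell, rejected rather than coerced, so the documented contract no longer matches the declared one. I would shorten both to the form `description = "Set to false to prevent this module from creating the DynamoDB table used for terraform state locking and consistency. More info on locking for aws/s3 backends: https://www.terraform.io/docs/backends/types/s3.html"` and the stream variant likewise, dropping the booleans link. The second hunk's `type = number` additions are fine; a `description` on the two capacity variables would make the module's surface self-documenting.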