feat: add terraform s3 backend

Author: rivhar

.tf-branch-deploy.yml

@@ -6,6 +6,10 @@ production-environments:
 environments:
   dev:
     working-directory: ./terraform/modules
+    backend-configs:
+      paths:
+        - ./terraform/config/terraform_backend.conf
     var-files:
       paths:
         - ./terraform/config/terraform_config.tfvars
+      

terraform/config/terraform_backend.conf

@@ -0,0 +1,5 @@
+bucket = "cirrus-tfstate-store"
+key    = "global/s3/terraform.tfstate"
+region = "us-east-1"
+dynamodb_table = "terraform-running-locks"
+encrypt = true

terraform/config/terraform_config.tfvars

@@ -1,4 +1,5 @@
 env                         = "dev"
+terraform_state_bucket_name = "cirrus-tfstate-store"
 code_store_bucket           = "code-utility-store-bucket"
 cloudtrail_logs_bucket_name = "cloudtrail-logs-store-bucket"
 

terraform/modules/backend.tf

@@ -0,0 +1,98 @@
+terraform {
+  backend "s3" {
+  }
+}
+
+resource "aws_s3_bucket" "terraform_state" {
+  bucket = var.terraform_state_bucket_name
+}
+
+resource "aws_s3_bucket_policy" "terraform_state_policy" {
+  bucket = aws_s3_bucket.terraform_state.id
+  policy = jsonencode({
+    Version = "2012-10-17",
+    Id      = "DenyInsecureConnections",
+    Statement = [
+      {
+        Sid       = "HTTPSOnly",
+        Effect    = "Deny",
+        Principal = "*",
+        Action    = "s3:*",
+        Resource = [
+          aws_s3_bucket.terraform_state.arn,
+          "${aws_s3_bucket.terraform_state.arn}/*"
+        ],
+        Condition = {
+          Bool = {
+            "aws:SecureTransport" = "false"
+          }
+        }
+      }
+    ]
+  })
+}
+
+resource "aws_s3_bucket_versioning" "terraform_state_versioning" {
+  bucket = aws_s3_bucket.terraform_state.id
+  versioning_configuration {
+    status = "Enabled"
+  }
+
+}
+
+resource "aws_s3_bucket_server_side_encryption_configuration" "terraform_state_encryption" {
+  bucket = aws_s3_bucket.terraform_state.id
+  rule {
+    apply_server_side_encryption_by_default {
+      sse_algorithm = "AES256"
+    }
+  }
+}
+
+resource "aws_s3_bucket_lifecycle_configuration" "terraform_state_lifecycle" {
+  depends_on = [aws_s3_bucket_versioning.terraform_state_versioning]
+
+  bucket = aws_s3_bucket.terraform_state.id
+
+  rule {
+    id     = "ExpireOldVersions"
+    status = "Enabled"
+
+    noncurrent_version_expiration {
+      noncurrent_days = 7
+    }
+  }
+}
+
+resource "aws_s3_bucket_public_access_block" "terraform_state_public_access" {
+  bucket = aws_s3_bucket.terraform_state.id
+
+  block_public_acls       = true
+  block_public_policy     = true
+  ignore_public_acls      = true
+  restrict_public_buckets = true
+}
+
+resource "aws_dynamodb_table" "terraform_locks" {
+  name                        = "terraform-running-locks"
+  billing_mode                = "PAY_PER_REQUEST"
+  hash_key                    = "LockID"
+  deletion_protection_enabled = true
+
+  attribute {
+    name = "LockID"
+    type = "S"
+  }
+
+  point_in_time_recovery {
+    enabled = true
+  }
+
+  server_side_encryption {
+    enabled = true
+  }
+
+  tags = {
+    Name = "TerraformLocks"
+  }
+}

terraform/modules/variables.tf

@@ -3,6 +3,11 @@ variable "env" {
   type        = string
 }
 
+variable "terraform_state_bucket_name" {
+  description = "S3 backend bucket name for Terraform state."
+  type        = string
+}
+
 variable "api_gateway_name" {
   description = "The name of the API Gateway."
   type        = string