Terraform is a popular infrastructure provisioning tool. It works with AWS well. DevOps engineer may across the case where he/she needs to set up remote state for terraform. It can be done via AWS S3 bucket and Amazon DynamoDB. In order to make the life easy, anyone can use the below script to create remote state setup easily. What you need to do is, follow these steps once you log into AWS cloudshell.
mkdir 07012024
cd 07012024/
pwd
git clone https://github.com/arambage0/cloud-infra-wyoc.git
ls -ltr
cd cloud-infra-wyoc/
cd scripts/tf-backend/
chmod u+x create_tf_backend.sh
./create_tf_backend.sh --region eu-west-1 --bucket-name my-wyoc-s3-bucket-a --dynamodb-table-name my-wyoc-state-lock-a
The command options values that you can select as you prefer.
./create_tf_backend.sh --region <REGION_CODE> --bucket-name <BUCKET_NAME> --dynamodb-table-name <DYNAMODB_TABLE_NAME>
I have mentioned below the real execution that I have done in my AWS account cloudshell.
Essentially, script creates the s3 bucket with versioning enabled and dynamodb table in pay per request mode.
Okay. It looks all good. Let's run the simple terraform code provisioning s3 bucket to see that terraform remote backend setup works.
Let's follow these steps
mkdir demo-07012024
cd demo-07012024
touch main.tf outputs.tf variables.tf config.tf
vim config.tf
provider "aws" {
region = "eu-west-1"
}
terraform {
required_providers {
aws = {
source = "hashicorp/aws"
version = "~> 5.32"
}
}
required_version = ">= 1.4.5"
}
terraform {
backend "s3" {
bucket = "my-wyoc-s3-bucket-a"
key = "terraform/saga-infra.tfstate"
region = "eu-west-1"
dynamodb_table = "my-wyoc-state-lock-a"
}
}
To explain about corelation between and config.tf file, the highlighted one are the AWS resources that was created by create_tf_backend.sh script.
backend "s3" {
bucket = "my-wyoc-s3-bucket-a"
key = "terraform/saga-infra.tfstate"
region = "eu-west-1"
dynamodb_table = "my-wyoc-state-lock-a"
}
Let's run the terraform commands to reconfigure the backend. Because I already run the terraform init command. Here I wanted to show the output how it looks like when you configure remote state pointing to s3 backend.
Below is the output once the terraform init -reconfigure command ran.
Output shown that --> "Successfully configured the backend "s3"! Terraform will automatically
use this backend unless the backend configuration changes."
[root@jenkin-slave-node provision_s3_bucket]# terraform init -reconfigure
Initializing the backend...
**Successfully configured the backend "s3"! **Terraform will automatically
use this backend unless the backend configuration changes.
Initializing provider plugins...
- Reusing previous version of hashicorp/aws from the dependency lock file
- Using previously-installed hashicorp/aws v5.82.2
Terraform has been successfully initialized!
You may now begin working with Terraform. Try running "terraform plan" to see
any changes that are required for your infrastructure. All Terraform commands
should now work.
If you ever set or change modules or backend configuration for Terraform,
rerun this command to reinitialize your working directory. If you forget, other
commands will detect it and remind you to do so if necessary.
[root@jenkin-slave-node provision_s3_bucket]#
Let's run simple S3 bucket provisioning. Follow these steps.
- Add the below code block to main.tf file
resource "aws_s3_bucket" "my_bucket" {
bucket = "my-unique-bucket-name-wyoc-08012025"
tags = {
Name = "MyS3Bucket"
Environment = "Production"
}
}
- Save it and run below commands in order.
terraform init
terraform plan
terraform apply -auto-approve
What we can see was that execution was successful.The key observations are
- terraform state file created in the s3 bucket configured (my-wyoc-s3-bucket-a) .
- the bucket we configure terraform to provision is created successfully which means terraform is working correctly with s3 and dynamodb remote backend.
Moreover, we can list and describe resources from terraform commands which retrive details from remote s3 backend. Run following commands to get the output.
terraform state list
terraform state show aws_s3_bucket.my_bucket
terraform state show command gave the following output.
# aws_s3_bucket.my_bucket:
resource "aws_s3_bucket" "my_bucket" {
arn = "arn:aws:s3:::my-unique-bucket-name-wyoc-08012025"
bucket = "my-unique-bucket-name-wyoc-08012025"
bucket_domain_name = "my-unique-bucket-name-wyoc-08012025.s3.amazonaws.com"
bucket_regional_domain_name = "my-unique-bucket-name-wyoc-08012025.s3.eu-west-1.amazonaws.com"
force_destroy = false
hosted_zone_id = "Z1BKCSDXD74EZPE"
id = "my-unique-bucket-name-wyoc-08012025"
object_lock_enabled = false
region = "eu-west-1"
request_payer = "BucketOwner"
tags = {
"Environment" = "Production"
"Name" = "MyS3Bucket"
}
tags_all = {
"Environment" = "Production"
"Name" = "MyS3Bucket"
}
grant {
id = "b178b9a2113d356e6a8885a371b72aa6834022341f5abc23619128125eda218ad"
permissions = [
"FULL_CONTROL",
]
type = "CanonicalUser"
}
server_side_encryption_configuration {
rule {
bucket_key_enabled = false
apply_server_side_encryption_by_default {
sse_algorithm = "AES256"
}
}
}
versioning {
enabled = false
mfa_delete = false
}
}
In this blog, we have learned
- create terrafrom remote backend using AWS S3 and AWS DynamoDB.
- Configure it in terraform config.tf file.
- Initialize terraform backend and execute pretty simple s3 bucket provisioning.
One bonus point is, there is a way to configure backend configurations taken out of .tf file which is a good practice. There are two ways that we can do.
- Via TV_VAR bash variables and terraform init -backend-config option
- Via config file and terraform init -backend-config option
Option One Steps
- Add following code to config.tf file. We called them terraform backend partial configuration.
provider "aws" {
region = "eu-west-1"
}
terraform {
required_providers {
aws = {
source = "hashicorp/aws"
version = "~> 5.32"
}
}
required_version = ">= 1.4.5"
}
terraform {
backend "s3" {
}
}
- Most possibly, you may set below code snippet in CI/CD pipeline which runs terraform code. For simplicity, I have added into simple bash script, set the execution permissions and execute the script.
Script in github
https://github.com/arambage0/cloud-infra-wyoc/blob/main/scripts/tf-backend/tf_init_config.sh
chmo u+x tf_init_config.sh
./tf_init_config.sh
#!/bin/bash
# TF_VAR variables that exposed your real configurations
export TF_VAR_s3_bucket="my-wyoc-s3-bucket-a"
export TF_VAR_s3_key="terraform/saga-infra.tfstate"
export TF_VAR_s3_region="eu-west-1"
export TF_VAR_dynamodb_table="my-wyoc-state-lock-a"
# Terraform init
terraform init -backend-config="bucket=${TF_VAR_s3_bucket}" -backend-config="key=${TF_VAR_s3_key}" -backend-config="region=${TF_VAR_s3_region}" -backend-config="dynamodb_table=${TF_VAR_dynamodb_table}"
This steps set the TF backend.
- Next step to run terraform plan command.
- Run the terraform apply command.
Option Two Steps
- Add the following code to the configuration file. Please note add your own specific configs that you have created.
vim tfstate_config.properties
# state.config
bucket = "my-wyoc-s3-bucket-a"
key = "terraform/saga-infra.tfstate"
region = "eu-west-1"
dynamodb_table= "my-wyoc-state-lock-a"
- Run the terraform command below.
terraform init -backend-config="./tfstate_config.properties"
- Next step to run terraform plan command.
- Run the terraform apply command.
Hope this will be helpful for you. Happy learning. Have a nice day.
Top comments (0)