DEV Community

Nuwan Arambage
Nuwan Arambage

Posted on • Edited on

Terraform in AWS | Provision TF backend using AWS S3 and DynamoDB

Terraform is a popular infrastructure provisioning tool. It works with AWS well. DevOps engineer may across the case where he/she needs to set up remote state for terraform. It can be done via AWS S3 bucket and Amazon DynamoDB. In order to make the life easy, anyone can use the below script to create remote state setup easily. What you need to do is, follow these steps once you log into AWS cloudshell.

mkdir 07012024
cd 07012024/
pwd
git clone https://github.com/arambage0/cloud-infra-wyoc.git
ls -ltr
cd cloud-infra-wyoc/
cd scripts/tf-backend/
chmod u+x create_tf_backend.sh
./create_tf_backend.sh --region eu-west-1 --bucket-name my-wyoc-s3-bucket-a --dynamodb-table-name my-wyoc-state-lock-a

The command options values that you can select as you prefer.

./create_tf_backend.sh --region <REGION_CODE> --bucket-name <BUCKET_NAME> --dynamodb-table-name <DYNAMODB_TABLE_NAME>

I have mentioned below the real execution that I have done in my AWS account cloudshell.

Image description

Essentially, script creates the s3 bucket with versioning enabled and dynamodb table in pay per request mode.

Image description

Image description

Okay. It looks all good. Let's run the simple terraform code provisioning s3 bucket to see that terraform remote backend setup works.

Let's follow these steps

mkdir demo-07012024
cd demo-07012024
touch main.tf outputs.tf variables.tf config.tf
vim config.tf

provider "aws" {
  region = "eu-west-1"
}



terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 5.32"
    }
  }

  required_version = ">= 1.4.5"

}

terraform {

  backend "s3" {
    bucket         = "my-wyoc-s3-bucket-a"
    key            = "terraform/saga-infra.tfstate"
    region         = "eu-west-1"
    dynamodb_table = "my-wyoc-state-lock-a"
  }
}

Enter fullscreen mode Exit fullscreen mode

To explain about corelation between and config.tf file, the highlighted one are the AWS resources that was created by create_tf_backend.sh script.

backend "s3" {
bucket = "my-wyoc-s3-bucket-a"
key = "terraform/saga-infra.tfstate"
region = "eu-west-1"
dynamodb_table = "my-wyoc-state-lock-a"
}

Let's run the terraform commands to reconfigure the backend. Because I already run the terraform init command. Here I wanted to show the output how it looks like when you configure remote state pointing to s3 backend.

Below is the output once the terraform init -reconfigure command ran.

Output shown that --> "Successfully configured the backend "s3"! Terraform will automatically
use this backend unless the backend configuration changes."

[root@jenkin-slave-node provision_s3_bucket]# terraform init -reconfigure

Initializing the backend...

**Successfully configured the backend "s3"! **Terraform will automatically
use this backend unless the backend configuration changes.

Initializing provider plugins...
- Reusing previous version of hashicorp/aws from the dependency lock file
- Using previously-installed hashicorp/aws v5.82.2

Terraform has been successfully initialized!

You may now begin working with Terraform. Try running "terraform plan" to see
any changes that are required for your infrastructure. All Terraform commands
should now work.

If you ever set or change modules or backend configuration for Terraform,
rerun this command to reinitialize your working directory. If you forget, other
commands will detect it and remind you to do so if necessary.
[root@jenkin-slave-node provision_s3_bucket]#
Enter fullscreen mode Exit fullscreen mode

Let's run simple S3 bucket provisioning. Follow these steps.

  1. Add the below code block to main.tf file
resource "aws_s3_bucket" "my_bucket" {
  bucket  = "my-unique-bucket-name-wyoc-08012025"
  tags    = {
    Name          = "MyS3Bucket"
    Environment    = "Production"
  }
}
Enter fullscreen mode Exit fullscreen mode
  1. Save it and run below commands in order.

terraform init
terraform plan
terraform apply -auto-approve

What we can see was that execution was successful.The key observations are

  1. terraform state file created in the s3 bucket configured (my-wyoc-s3-bucket-a) .

Image description

  1. the bucket we configure terraform to provision is created successfully which means terraform is working correctly with s3 and dynamodb remote backend.

Image description

Moreover, we can list and describe resources from terraform commands which retrive details from remote s3 backend. Run following commands to get the output.

terraform state list
terraform state show aws_s3_bucket.my_bucket

terraform state show command gave the following output.

# aws_s3_bucket.my_bucket:
resource "aws_s3_bucket" "my_bucket" {
    arn                         = "arn:aws:s3:::my-unique-bucket-name-wyoc-08012025"
    bucket                      = "my-unique-bucket-name-wyoc-08012025"
    bucket_domain_name          = "my-unique-bucket-name-wyoc-08012025.s3.amazonaws.com"
    bucket_regional_domain_name = "my-unique-bucket-name-wyoc-08012025.s3.eu-west-1.amazonaws.com"
    force_destroy               = false
    hosted_zone_id              = "Z1BKCSDXD74EZPE"
    id                          = "my-unique-bucket-name-wyoc-08012025"
    object_lock_enabled         = false
    region                      = "eu-west-1"
    request_payer               = "BucketOwner"
    tags                        = {
        "Environment" = "Production"
        "Name"        = "MyS3Bucket"
    }
    tags_all                    = {
        "Environment" = "Production"
        "Name"        = "MyS3Bucket"
    }

    grant {
        id          = "b178b9a2113d356e6a8885a371b72aa6834022341f5abc23619128125eda218ad"
        permissions = [
            "FULL_CONTROL",
        ]
        type        = "CanonicalUser"
    }

    server_side_encryption_configuration {
        rule {
            bucket_key_enabled = false

            apply_server_side_encryption_by_default {
                sse_algorithm = "AES256"
            }
        }
    }

    versioning {
        enabled    = false
        mfa_delete = false
    }
}

Enter fullscreen mode Exit fullscreen mode

In this blog, we have learned

  1. create terrafrom remote backend using AWS S3 and AWS DynamoDB.
  2. Configure it in terraform config.tf file.
  3. Initialize terraform backend and execute pretty simple s3 bucket provisioning.

One bonus point is, there is a way to configure backend configurations taken out of .tf file which is a good practice. There are two ways that we can do.

  1. Via TV_VAR bash variables and terraform init -backend-config option
  2. Via config file and terraform init -backend-config option

Option One Steps

  1. Add following code to config.tf file. We called them terraform backend partial configuration.
provider "aws" {
  region = "eu-west-1"
}

terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 5.32"
    }
  }

  required_version = ">= 1.4.5"

}

terraform {

  backend "s3" {
  }

 }
Enter fullscreen mode Exit fullscreen mode
  1. Most possibly, you may set below code snippet in CI/CD pipeline which runs terraform code. For simplicity, I have added into simple bash script, set the execution permissions and execute the script.

Script in github

https://github.com/arambage0/cloud-infra-wyoc/blob/main/scripts/tf-backend/tf_init_config.sh

chmo u+x tf_init_config.sh
./tf_init_config.sh

#!/bin/bash

# TF_VAR variables that exposed your real configurations
export TF_VAR_s3_bucket="my-wyoc-s3-bucket-a"
export TF_VAR_s3_key="terraform/saga-infra.tfstate"
export TF_VAR_s3_region="eu-west-1"
export TF_VAR_dynamodb_table="my-wyoc-state-lock-a"

# Terraform init 
terraform init   -backend-config="bucket=${TF_VAR_s3_bucket}" -backend-config="key=${TF_VAR_s3_key}" -backend-config="region=${TF_VAR_s3_region}" -backend-config="dynamodb_table=${TF_VAR_dynamodb_table}"

Enter fullscreen mode Exit fullscreen mode

This steps set the TF backend.

  1. Next step to run terraform plan command.
  2. Run the terraform apply command.

Option Two Steps

  1. Add the following code to the configuration file. Please note add your own specific configs that you have created.

vim tfstate_config.properties

# state.config
bucket = "my-wyoc-s3-bucket-a"
key    = "terraform/saga-infra.tfstate"
region = "eu-west-1"
dynamodb_table= "my-wyoc-state-lock-a"
Enter fullscreen mode Exit fullscreen mode
  1. Run the terraform command below.

terraform init -backend-config="./tfstate_config.properties"

  1. Next step to run terraform plan command.
  2. Run the terraform apply command.

Hope this will be helpful for you. Happy learning. Have a nice day.

Top comments (0)