breaking: refactoring (#2)

.tflint.hcl

@@ -0,0 +1,23 @@
+config {
+  format = "compact"
+  module = false
+  force  = false
+}
+
+# Enable all rules, always. The bundled plugin uses only recommended.
+plugin "terraform" {
+  enabled = true
+  preset  = "all"
+}
+
+# Enforces module version pinning.
+rule "terraform_module_pinned_source" {
+  enabled = true
+  style   = "semver"
+}
+
+# Enforces naming conventions.
+rule "terraform_naming_convention" {
+  enabled = true
+  format  = "snake_case"
+}

README.md

@@ -11,13 +11,9 @@ What does the module provide?
 ## Usage
 
 ```hcl
-module "module_name" {
-  source  = "github.com/opsd-io/module_name"
-  version = ">= 0.1.0"
-
-  # Variables
-  variable_name     = foo
-  variable_password = bar
+module "tfstate_backend" {
+  source      = "github.com/opsd-io/terraform-module-aws-backend?ref=VERSION"
+  bucket_name = "my-infrastructure-terraform-state"
 }
 ```
 
@@ -29,36 +25,67 @@ module "module_name" {
 | Name | Version |
 |------|---------|
 | <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.3.1 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 4.20.0 |
 
 ## Providers
 
-No providers.
+| Name | Version |
+|------|---------|
+| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 4.20.0 |
 
 ## Modules
 
 No modules.
 
 ## Resources
 
-No resources.
+| Name | Type |
+|------|------|
+| [aws_dynamodb_table.state](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/dynamodb_table) | resource |
+| [aws_iam_policy.state_access](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
+| [aws_kms_alias.state](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_alias) | resource |
+| [aws_kms_key.state](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_key) | resource |
+| [aws_s3_bucket.state](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket) | resource |
+| [aws_s3_bucket_ownership_controls.state](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_ownership_controls) | resource |
+| [aws_s3_bucket_public_access_block.state](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_public_access_block) | resource |
+| [aws_s3_bucket_server_side_encryption_configuration.state](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_server_side_encryption_configuration) | resource |
+| [aws_s3_bucket_versioning.state](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_versioning) | resource |
+| [aws_iam_policy_document.dynamodb](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+| [aws_iam_policy_document.s3bucket](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+| [aws_iam_policy_document.state_access](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+| [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source |
 
 ## Inputs
 
-No inputs.
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| <a name="input_bucket_name"></a> [bucket\_name](#input\_bucket\_name) | The name of the S3 Bucket to use for state storage. | `string` | n/a | yes |
+| <a name="input_bucket_server_side_encryption"></a> [bucket\_server\_side\_encryption](#input\_bucket\_server\_side\_encryption) | If true, enables S3 bucket server-side encryption. | `bool` | `true` | no |
+| <a name="input_bucket_tags"></a> [bucket\_tags](#input\_bucket\_tags) | A map of tags to assign to the bucket. | `map(string)` | `{}` | no |
+| <a name="input_common_tags"></a> [common\_tags](#input\_common\_tags) | A map of tags to assign to every resource in this module. | `map(string)` | `{}` | no |
+| <a name="input_dynamodb_table_name"></a> [dynamodb\_table\_name](#input\_dynamodb\_table\_name) | The name of DynamoDB Table to use for state locking and consistency. | `string` | `null` | no |
+| <a name="input_dynamodb_table_tags"></a> [dynamodb\_table\_tags](#input\_dynamodb\_table\_tags) | A map of tags to assign to the table. | `map(string)` | `{}` | no |
+| <a name="input_iam_policy_name"></a> [iam\_policy\_name](#input\_iam\_policy\_name) | The name of the IAM policy to provide Terraform state access. | `string` | `null` | no |
+| <a name="input_iam_policy_path"></a> [iam\_policy\_path](#input\_iam\_policy\_path) | Path in which to create the policy. | `string` | `"/"` | no |
+| <a name="input_iam_policy_tags"></a> [iam\_policy\_tags](#input\_iam\_policy\_tags) | A map of tags to assign to the IAM policy. | `map(string)` | `{}` | no |
 
 ## Outputs
 
-No outputs.
+| Name | Description |
+|------|-------------|
+| <a name="output_bucket_arn"></a> [bucket\_arn](#output\_bucket\_arn) | The ARN of the S3 Bucket. |
+| <a name="output_bucket_name"></a> [bucket\_name](#output\_bucket\_name) | The name of the S3 Bucket to use for state storage. |
+| <a name="output_dynamodb_table_arn"></a> [dynamodb\_table\_arn](#output\_dynamodb\_table\_arn) | The ARN of the DynamoDB Table. |
+| <a name="output_dynamodb_table_name"></a> [dynamodb\_table\_name](#output\_dynamodb\_table\_name) | The name of DynamoDB Table to use for state locking and consistency. |
+| <a name="output_region"></a> [region](#output\_region) | The region of the state storage resources. |
+| <a name="output_state_access_policy_arn"></a> [state\_access\_policy\_arn](#output\_state\_access\_policy\_arn) | The ARN of the state access policy providing Terraform state access. |
+| <a name="output_state_access_policy_name"></a> [state\_access\_policy\_name](#output\_state\_access\_policy\_name) | The name of the state access policy providing Terraform state access. |
 <!-- END_TF_DOCS -->
 
 ## Examples of usage
 
 Do you want to see how the module works? See all the [usage examples](examples).
 
-## Related modules
-
-The list of related modules (if present).
-
 ## Contributing
 
 If you are interested in contributing to the project, see see our [guide](https://github.com/opsd-io/contribution).

backend-bucket.tf

@@ -0,0 +1,87 @@
+## S3 Bucket for state storage.
+
+resource "aws_s3_bucket" "state" {
+  bucket = var.bucket_name
+  tags   = merge(var.common_tags, var.bucket_tags)
+}
+
+resource "aws_s3_bucket_ownership_controls" "state" {
+  bucket = aws_s3_bucket.state.id
+  rule {
+    object_ownership = "BucketOwnerEnforced" # ACLs disabled.
+  }
+}
+
+resource "aws_s3_bucket_public_access_block" "state" {
+  bucket                  = aws_s3_bucket.state.id
+  block_public_acls       = true
+  block_public_policy     = true
+  ignore_public_acls      = true
+  restrict_public_buckets = true
+}
+
+resource "aws_s3_bucket_versioning" "state" {
+  bucket = aws_s3_bucket.state.id
+  versioning_configuration {
+    status = "Enabled"
+  }
+}
+
+## S3 Bucket encryption.
+
+resource "aws_kms_key" "state" {
+  count                   = var.bucket_server_side_encryption ? 1 : 0
+  description             = "Terraform state encryption key - ${var.bucket_name} bucket."
+  deletion_window_in_days = 14
+}
+
+resource "aws_kms_alias" "state" {
+  count         = var.bucket_server_side_encryption ? 1 : 0
+  name          = "alias/${var.bucket_name}"
+  target_key_id = aws_kms_key.state[0].key_id
+}
+
+resource "aws_s3_bucket_server_side_encryption_configuration" "state" {
+  count  = var.bucket_server_side_encryption ? 1 : 0
+  bucket = aws_s3_bucket.state.bucket
+  rule {
+    apply_server_side_encryption_by_default {
+      kms_master_key_id = aws_kms_key.state[0].arn
+      sse_algorithm     = "aws:kms"
+    }
+  }
+}
+
+## Access policy.
+
+data "aws_iam_policy_document" "s3bucket" {
+  statement {
+    effect = "Allow"
+    actions = [
+      "s3:ListBucket",
+    ]
+    resources = [aws_s3_bucket.state.arn]
+  }
+  statement {
+    effect = "Allow"
+    actions = [
+      "s3:GetObject",
+      "s3:PutObject",
+      "s3:DeleteObject",
+    ]
+    resources = ["${aws_s3_bucket.state.arn}/*.tfstate"]
+  }
+  dynamic "statement" {
+    # Only if bucket_server_side_encryption=true we need access to KMS.
+    for_each = var.bucket_server_side_encryption ? [0] : []
+    content {
+      effect = "Allow"
+      actions = [
+        "kms:Encrypt",
+        "kms:Decrypt",
+        "kms:GenerateDataKey",
+      ]
+      resources = [aws_kms_key.state[0].arn]
+    }
+  }
+}

backend-dynamodb.tf

@@ -0,0 +1,29 @@
+## DynamoDB Table for state locking.
+
+resource "aws_dynamodb_table" "state" {
+  name         = coalesce(var.dynamodb_table_name, "${var.bucket_name}-locks")
+  tags         = merge(var.common_tags, var.dynamodb_table_tags)
+  billing_mode = "PAY_PER_REQUEST"
+  hash_key     = "LockID"
+
+  attribute {
+    name = "LockID"
+    type = "S"
+  }
+
+}
+
+## Access policy.
+
+data "aws_iam_policy_document" "dynamodb" {
+  statement {
+    effect = "Allow"
+    actions = [
+      "dynamodb:DescribeTable",
+      "dynamodb:GetItem",
+      "dynamodb:PutItem",
+      "dynamodb:DeleteItem",
+    ]
+    resources = [aws_dynamodb_table.state.arn]
+  }
+}

examples/basic/main.tf

@@ -0,0 +1,44 @@
+terraform {
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = "~> 4.20"
+    }
+  }
+}
+
+provider "aws" {
+  region = "us-east-1"
+}
+
+resource "random_pet" "bucket" {
+}
+
+module "tfstate_backend" {
+  source = "github.com/opsd-io/terraform-module-aws-backend"
+
+  bucket_name = "terraform-state-${random_pet.bucket.id}"
+  common_tags = {
+    Env = "Testing"
+  }
+  iam_policy_path = "/devops/"
+}
+
+output "tfstate_backend" {
+  value = module.tfstate_backend
+}
+
+output "backend_config" {
+  value     = <<-EOF
+    terraform {
+      backend "s3" {
+        # Use ${module.tfstate_backend.state_access_policy_arn} policy to access it.
+        region         = "${module.tfstate_backend.region}"
+        bucket         = "${module.tfstate_backend.bucket_name}"
+        dynamodb_table = "${module.tfstate_backend.dynamodb_table_name}"
+      }
+    }
+  EOF
+  sensitive = false
+
+}

examples/basic/override.tf

@@ -0,0 +1,3 @@
+module "tfstate_backend" {
+  source = "../../"
+}