- Have the AWS CLI installed
- Have the Terraform CLI installed
- Have AWS account credentials exported/configured with sufficient rights to create and destroy the resources below
- Clone this repository
- Make sure you're making changes to the right AWS account. Execute this command to see who you are authenticated as:

  ```sh
  aws sts get-caller-identity
  ```
- Change the AWS region and bucket name to what you need:
  - Open `./main.tf`
  - Change `aws-region` in `locals` to the region you want
  - Change `terraform_state_bucket_name` to a bucket name that makes sense for your project. The bucket name must be unique across all of AWS
  - Change `region` and `bucket` in the `backend` configuration a few lines above to match the values you just set in `locals`. Keep the backend configuration commented out for now
- Terraform init for the first time:

  ```sh
  terraform init
  ```
- Terraform apply to create the S3 bucket, the DynamoDB lock table and a KMS key for encrypting the state data in S3:

  ```sh
  terraform apply
  ```
  -> Do you want to perform these actions? Answer `yes`.
- Uncomment the S3 backend configuration in `./main.tf`, because all the infrastructure needed to switch to the new backend now exists:

  ```hcl
  terraform {
    required_providers {
      aws = {
        source  = "hashicorp/aws"
        version = "~> 4.0"
      }
    }
    backend "s3" {
      region         = "eu-central-1"
      bucket         = "terraform-state-for-my-org"
      dynamodb_table = "terraform-state-lock"
      kms_key_id     = "alias/terraform-bucket-key"
      key            = "org-shared-state/terraform.tfstate"
      encrypt        = true
    }
  }
  ```
  `encrypt = true` together with `kms_key_id` keeps the state file (which can contain secrets) encrypted at rest with your own key, and `dynamodb_table` gives you state locking so two applies cannot run concurrently.
- Terraform init once again, because we're now using the new backend:

  ```sh
  terraform init
  ```
  -> Do you want to copy existing state to the new backend? Answer `yes`.
- Just as a test, run terraform apply and check that it reports 0 changes:

  ```sh
  terraform apply
  ```
- Now you can add your Terraform code at the bottom of `main.tf`
To tear everything down again:

- Make sure you're making changes to the right AWS account. Execute this command to see who you are authenticated as:

  ```sh
  aws sts get-caller-identity
  ```
- Comment out the backend configuration in `./main.tf`:

  ```hcl
  terraform {
    required_providers {
      aws = {
        source  = "hashicorp/aws"
        version = "~> 4.0"
      }
    }
    # backend "s3" {
    #   region         = "eu-central-1"
    #   bucket         = "terraform-state-for-my-org"
    #   dynamodb_table = "terraform-state-lock"
    #   kms_key_id     = "alias/terraform-bucket-key"
    #   key            = "org-shared-state/terraform.tfstate"
    #   encrypt        = true
    # }
  }
  ```
- Move the state from the S3 backend back to the local backend:

  ```sh
  terraform init -migrate-state
  ```
  -> Do you want to copy existing state to the new backend? Answer `yes`.
- Make the S3 bucket that stores the state destroyable: in `./backend/main.tf`, change `prevent_destroy = true` to `prevent_destroy = false` in the S3 bucket resource
- Delete all versions of all objects in the bucket. You have 2 options:
  a) via the AWS console: go to S3, select the bucket and click EMPTY BUCKET
  b) via the AWS CLI: run the command below after replacing `<YOUR BUCKET NAME>` with your bucket name in 2 places.

  ```sh
  aws s3api delete-objects --bucket <YOUR BUCKET NAME> \
    --delete "$(aws s3api list-object-versions \
      --bucket "<YOUR BUCKET NAME>" \
      --output=json \
      --query='{Objects: Versions[].{Key:Key,VersionId:VersionId}}')"
  ```
  Note that this query covers object versions only, not delete markers, that `delete-objects` accepts at most 1000 keys per call, and that it fails on an already-empty bucket because the query then yields `null`.
- Run terraform destroy:

  ```sh
  terraform destroy
  ```
  -> Do you really want to destroy all resources? Answer `yes`.
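The identity check and the bucket-emptying step of the teardown above, combined into one added Python helper around the AWS CLI; this is example code, not part of this repository. It assumes the `aws` binary is on `PATH`; `check_account` and `delete_batches` are pure functions over the CLI's JSON output, so they can be exercised with constructed input, and it goes beyond the one-liner above by also removing delete markers, splitting into 1000-key batches and tolerating an empty bucket.

```python
"""Empty a versioned Terraform state bucket safely (added example, not repo code)."""
import json
import subprocess

MAX_PER_REQUEST = 1000  # hard limit of `aws s3api delete-objects`


def check_account(identity_json: str, expected_account: str) -> bool:
    """identity_json is the output of `aws sts get-caller-identity`."""
    return json.loads(identity_json).get("Account") == expected_account


def delete_batches(list_versions_json: str) -> list:
    """Turn `aws s3api list-object-versions` output into delete-objects payloads.

    Includes DeleteMarkers (which the README's query leaves behind), splits
    into chunks of at most MAX_PER_REQUEST keys, and returns [] for an empty
    bucket instead of producing the invalid `{"Objects": null}` payload.
    """
    data = json.loads(list_versions_json)
    objs = [{"Key": v["Key"], "VersionId": v["VersionId"]}
            for part in ("Versions", "DeleteMarkers")
            for v in data.get(part) or []]
    return [{"Objects": objs[i:i + MAX_PER_REQUEST], "Quiet": True}
            for i in range(0, len(objs), MAX_PER_REQUEST)]


def aws(*args: str) -> str:
    """Run one AWS CLI command and return its JSON stdout (raises on failure)."""
    proc = subprocess.run(["aws", *args, "--output", "json"],
                          check=True, capture_output=True, text=True)
    return proc.stdout


def empty_bucket(bucket: str, expected_account: str) -> int:
    """Refuse to touch the bucket unless authenticated into expected_account.

    Re-lists until nothing is left, so markers created while deleting are
    caught too. Returns the number of versions and markers deleted.
    """
    if not check_account(aws("sts", "get-caller-identity"), expected_account):
        raise SystemExit(f"refusing: not authenticated to account {expected_account}")
    deleted = 0
    while True:
        batches = delete_batches(aws("s3api", "list-object-versions", "--bucket", bucket))
        if not batches:
            return deleted
        for payload in batches:
            aws("s3api", "delete-objects", "--bucket", bucket, "--delete", json.dumps(payload))
            deleted += len(payload["Objects"])


if __name__ == "__main__":
    import sys  # usage: python empty_state_bucket.py <bucket> <expected-account-id>
    print(empty_bucket(sys.argv[1], sys.argv[2]))
```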