rhythmictech
diff --git a/‎.pre-commit-config.yaml
Lines changed: 1 addition & 1 deletion b/‎.pre-commit-config.yaml
Lines changed: 1 addition & 1 deletion
diff --git a/‎.terraform.lock.hcl
Lines changed: 25 additions & 0 deletions b/‎.terraform.lock.hcl
Lines changed: 25 additions & 0 deletions
diff --git a/‎README.md
Lines changed: 31 additions & 51 deletions b/‎README.md
Lines changed: 31 additions & 51 deletions
diff --git a/‎kms.tf
Lines changed: 9 additions & 28 deletions b/‎kms.tf
Lines changed: 9 additions & 28 deletions
@@ -1,7 +1,7 @@
 exclude: ".terraform"
 repos:
   - repo: https://github.com/antonbabenko/pre-commit-terraform
-    rev: v1.72.1
+    rev: v1.74.1
     hooks:
       - id: terraform_docs
         always_run: true
 
@@ -1,71 +1,47 @@
 # terraform-aws-backend
-[![](https://github.com/rhythmictech/terraform-aws-backend/workflows/pre-commit-check/badge.svg)](https://github.com/rhythmictech/terraform-aws-backend/actions) <a href="https://twitter.com/intent/follow?screen_name=RhythmicTech"><img src="https://img.shields.io/twitter/follow/RhythmicTech?style=social&logo=RhythmicTech" alt="follow on Twitter"></a>
 
-Creates a backend S3 bucket and DynamoDB table for managing Terraform state. Useful for bootstrapping a new
-environment. This module supports cross-account state management, using a centralized account that holds the S3 bucket and KMS key.
+[![tflint](https://github.com/rhythmictech/terraform-aws-backend/workflows/tflint/badge.svg?branch=master&event=push)](https://github.com/rhythmictech/terraform-aws-backend/actions?query=workflow%3Atflint+event%3Apush+branch%3Amaster)
+[![tfsec](https://github.com/rhythmictech/terraform-aws-backend/workflows/tfsec/badge.svg?branch=master&event=push)](https://github.com/rhythmictech/terraform-aws-backend/actions?query=workflow%3Atfsec+event%3Apush+branch%3Amaster)
+[![yamllint](https://github.com/rhythmictech/terraform-aws-backend/workflows/yamllint/badge.svg?branch=master&event=push)](https://github.com/rhythmictech/terraform-aws-backend/actions?query=workflow%3Ayamllint+event%3Apush+branch%3Amaster)
+[![misspell](https://github.com/rhythmictech/terraform-aws-backend/workflows/misspell/badge.svg?branch=master&event=push)](https://github.com/rhythmictech/terraform-aws-backend/actions?query=workflow%3Amisspell+event%3Apush+branch%3Amaster)
+[![pre-commit-check](https://github.com/rhythmictech/terraform-aws-backend/workflows/pre-commit-check/badge.svg?branch=master&event=push)](https://github.com/rhythmictech/terraform-aws-backend/actions?query=workflow%3Apre-commit-check+event%3Apush+branch%3Amaster)
+<a href="https://twitter.com/intent/follow?screen_name=RhythmicTech"><img src="https://img.shields.io/twitter/follow/RhythmicTech?style=social&logo=twitter" alt="follow on Twitter"></a>
 
-_Note: A centralized DynamoDB locking table is not supported because terraform cannot assume more than one IAM role per execution._
+Creates a backend S3 bucket and DynamoDB table for managing Terraform state. Note that when bootstrapping a new environment, it is typically easier to use a separate method for creating the bucket and lock table. This module is intended to create a backend in an AWS account that is already Terraform-managed. This is useful to store the state for other accounts externally, which is always preferred.
+
+*Breaking Changes*
+
+Previous versions of this module had support for cross-account management in a way that proved awkward for many uses cases and made it more difficult than it should've to fully secure the tfstate between accounts. Version 4.x and later eliminates support for this and refocuses the module on using centralized tfstate buckets with cross-account role assumption for execution of terraform. As a result, many variable names have changed and functionality has been dropped. Upgrade to this version at your own peril.
 
 ## Usage
 ```
 module "backend" {
-  source    = "git::ssh://[email protected]/rhythmictech/terraform-aws-backend"
+  source    = "rhythmictech/backend/aws"
+  
   bucket    = "project-tfstate"
   region    = "us-east-1"
   table     = "tf-locktable"
 }
-
 ```
 
 ## Cross Account State Management
-Managing state across accounts requires additional configuration to ensure that the S3 bucket is appropriately accessible and the KMS key is usable.
-
-The following module declaration will create an S3 bucket and KMS key that are accessible to the root account (and users with the AdministratorAccess managed role) in the target account:
-
-```yaml
-module "backend" {
-  source    = "git::ssh://[email protected]/rhythmictech/terraform-aws-backend"
-  allowed_account_ids = ["123456789012"]
-  bucket              = "012345678901-us-east-1-tfstate"
-  region              = "us-east-1"
-}
-```
-
-In the target account, use this declaration to import the module:
+To use this bucket to manage the state for other AWS accounts, you must create IAM roles in those accounts and allow the users who run Terraform to assume them.
 
-```yaml
-module "backend" {
-  source    = "git::ssh://[email protected]/rhythmictech/terraform-aws-backend"
-  kms_key_id               = "arn:aws:kms:us-east-1:012345678901:key/59381274-af42-8521-04af-ab0acfe3d521"
-  region                   = "us-east-1"
-  remote_bucket            = "012345678901-us-east-1-tfstate"
-}
-```
-
-The module will automatically write to the source account S3 bucket using the KMS key with cross-account access.
-
-Access to the source S3 bucket is done based on a prefix that matches the AWS Account ID. Therefore, target accounts must use a `workspace_key_prefix` that matches the account ID, such as in the following sample backend-config values:
-
-```
-bucket               = "012345678901-us-east-1-tf-state"
-key                  = "project.tfstate"
-workspace_key_prefix = "123456789012"
-region               = "us-east-1"
-```
+See [Use AssumeRole to Provision AWS Resources Across Accounts](https://learn.hashicorp.com/tutorials/terraform/aws-assumerole) for more information on this pattern.
 
 <!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
 ## Requirements
 
 | Name | Version |
 |------|---------|
-| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 0.13 |
-| <a name="requirement_aws"></a> [aws](#requirement\_aws) | ~> 3.15.0 |
+| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 0.14 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 4.0 |
 
 ## Providers
 
 | Name | Version |
 |------|---------|
-| <a name="provider_aws"></a> [aws](#provider\_aws) | ~> 3.15.0 |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | 4.28.0 |
 
 ## Modules
 
@@ -79,23 +55,27 @@ No modules.
 | [aws_kms_alias.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_alias) | resource |
 | [aws_kms_key.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_key) | resource |
 | [aws_s3_bucket.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket) | resource |
-| [aws_s3_bucket_policy.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_policy) | resource |
+| [aws_s3_bucket_acl.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_acl) | resource |
+| [aws_s3_bucket_lifecycle_configuration.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_lifecycle_configuration) | resource |
+| [aws_s3_bucket_logging.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_logging) | resource |
 | [aws_s3_bucket_public_access_block.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_public_access_block) | resource |
+| [aws_s3_bucket_server_side_encryption_configuration.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_server_side_encryption_configuration) | resource |
+| [aws_s3_bucket_versioning.versioning_example](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_versioning) | resource |
 | [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
+| [aws_canonical_user_id.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/canonical_user_id) | data source |
 | [aws_iam_policy_document.key](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
-| [aws_iam_policy_document.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+| [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source |
 
 ## Inputs
 
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
-| <a name="input_allowed_account_ids"></a> [allowed\_account\_ids](#input\_allowed\_account\_ids) | Account IDs that are allowed to access the bucket/KMS key | `list(string)` | `[]` | no |
-| <a name="input_bucket"></a> [bucket](#input\_bucket) | Name of bucket to create (do not provide if using `remote_bucket`) | `string` | `""` | no |
-| <a name="input_kms_alias_name"></a> [kms\_alias\_name](#input\_kms\_alias\_name) | Name of KMS Alias | `string` | `""` | no |
-| <a name="input_kms_key_id"></a> [kms\_key\_id](#input\_kms\_key\_id) | ARN for KMS key for all encryption operations. | `string` | `""` | no |
-| <a name="input_logging_target_bucket"></a> [logging\_target\_bucket](#input\_logging\_target\_bucket) | The name of the bucket that will receive the log objects | `string` | `null` | no |
-| <a name="input_logging_target_prefix"></a> [logging\_target\_prefix](#input\_logging\_target\_prefix) | A key prefix for log objects | `string` | `"TFStateLogs/"` | no |
-| <a name="input_remote_bucket"></a> [remote\_bucket](#input\_remote\_bucket) | If specified, the remote bucket will be used for the backend. A new bucket will not be created | `string` | `""` | no |
+| <a name="input_bucket_name"></a> [bucket\_name](#input\_bucket\_name) | Name of bucket to create | `string` | n/a | yes |
+| <a name="input_kms_alias_name"></a> [kms\_alias\_name](#input\_kms\_alias\_name) | Name of KMS Alias | `string` | `null` | no |
+| <a name="input_kms_key_id"></a> [kms\_key\_id](#input\_kms\_key\_id) | ARN for KMS key for all encryption operations (a key will be created if this is not provided) | `string` | `null` | no |
+| <a name="input_lifecycle_rules"></a> [lifecycle\_rules](#input\_lifecycle\_rules) | lifecycle rules to apply to the bucket (set to null to skip lifecycle rules) | <pre>list(object(<br>    {<br>      id                            = string<br>      enabled                       = bool<br>      prefix                        = string<br>      expiration                    = number<br>      noncurrent_version_expiration = number<br>  }))</pre> | <pre>[<br>  {<br>    "enabled": true,<br>    "expiration": 90,<br>    "id": "tfstate-expire",<br>    "noncurrent_version_expiration": 90,<br>    "prefix": null<br>  }<br>]</pre> | no |
+| <a name="input_logging_target_bucket"></a> [logging\_target\_bucket](#input\_logging\_target\_bucket) | The name of the bucket that will receive the log objects (logging will be disabled if null) | `string` | `null` | no |
+| <a name="input_logging_target_prefix"></a> [logging\_target\_prefix](#input\_logging\_target\_prefix) | A key prefix for log objects | `string` | `null` | no |
 | <a name="input_table"></a> [table](#input\_table) | Name of Dynamo Table to create | `string` | `"tf-locktable"` | no |
 | <a name="input_tags"></a> [tags](#input\_tags) | Mapping of any extra tags you want added to resources | `map(string)` | `{}` | no |
 
 
@@ -3,49 +3,30 @@ data "aws_iam_policy_document" "key" {
     actions   = ["kms:*"]
     effect    = "Allow"
     resources = ["*"]
+
     principals {
       type        = "AWS"
       identifiers = ["arn:aws:iam::${local.account_id}:root"]
     }
   }
-
-  dynamic "statement" {
-    for_each = var.allowed_account_ids
-
-    content {
-      effect    = "Allow"
-      resources = ["*"]
-      actions = [
-        "kms:Encrypt*",
-        "kms:Decrypt*",
-        "kms:ReEncrypt*",
-        "kms:GenerateDataKey*",
-        "kms:DescribeKey",
-      ]
-      principals {
-        type        = "AWS"
-        identifiers = ["arn:aws:iam::${statement.value}:root"]
-      }
-    }
-  }
 }
 
 resource "aws_kms_key" "this" {
-  count                   = var.kms_key_id == "" ? 1 : 0
+  count = var.kms_key_id == "" ? 1 : 0
+
   deletion_window_in_days = 7
   description             = "Terraform State KMS key"
   enable_key_rotation     = true
   policy                  = data.aws_iam_policy_document.key.json
-  tags = merge(
-    {
-      "Name" = var.kms_alias_name != "" ? var.kms_alias_name : "tf_backend_key"
-    },
-    var.tags
-  )
+
+  tags = merge(var.tags, {
+    "Name" = var.kms_alias_name != null ? var.kms_alias_name : "tf_backend_key"
+  })
 }
 
 resource "aws_kms_alias" "this" {
-  count         = var.kms_key_id == "" ? 1 : 0
+  count = var.kms_key_id == "" ? 1 : 0
+
   name          = "alias/${var.kms_alias_name != "" ? var.kms_alias_name : "tf_backend_key"}"
   target_key_id = aws_kms_key.this[0].id
 }