Terraform state bucket for workload account deployments (#69)

paulschwarzenberger · web-flow · commit 66193beb252d · 2025-07-30T16:52:20.000+01:00
diff --git a/docs/architecture.md b/docs/architecture.md
@@ -17,6 +17,7 @@ However, as CloudFormation is a declarative syntax for provisioning resources, e
 - Deployment helper SNS topic
 - Deployment helper Lambda function
 - AWS Backup Service-linked IAM Role
+- S3 Terraform state bucket for deployments to workload accounts
 
 ## Central account resources per deployment
 
diff --git a/docs/index.md b/docs/index.md
@@ -27,7 +27,6 @@ module "immutable_aws_backup" {
 
   central_account_resource_name_prefix = "immutable-aws-backup-"
   member_account_resource_name_prefix  = "orgdeploy-immutable-aws-backup-"
-  terraform_state_bucket_name          = "my-terraform-state-bucket"
 
   deployments = {
     "website-service" = {
diff --git a/examples/tags/main.tf b/examples/tags/main.tf
@@ -5,7 +5,6 @@ module "aws_backup" {
 
   central_account_resource_name_prefix = local.resource_name_prefix
   member_account_resource_name_prefix  = "org-${local.resource_name_prefix}"
-  terraform_state_bucket_name          = var.terraform_state_bucket
   deployments = {
     "ca-prod" = {
       backup_targets                  = [module.ou_data_lookup.by_name_path["Workloads / Serverless / CA / RSA CA"].id]
diff --git a/examples/tags/variables.tf b/examples/tags/variables.tf
diff --git a/main.tf b/main.tf
@@ -20,6 +20,7 @@ module "deployment_helper" {
   }
   deployment_regions                                 = local.deployment_regions
   lambda_function_name                               = join("", [var.central_account_resource_name_prefix, "deployment-helper"])
+  central_account_resource_name_prefix               = var.central_account_resource_name_prefix
   member_account_deployment_helper_role_arn_patterns = [for i in local.member_account_deployment_helper_role_names : join("", ["arn:", local.partition_id, ":iam::*:role/", i])]
   terraform_state_bucket_name                        = var.terraform_state_bucket_name
 }
diff --git a/modules/deployment-helper/iam.tf b/modules/deployment-helper/iam.tf
@@ -24,7 +24,7 @@ module "lambda_role" {
           "s3:GetBucketLocation",
           "s3:ListBucket"
         ]
-        Resource : "arn:${var.current.partition}:s3:::${var.terraform_state_bucket_name}"
+        Resource : local.terraform_state_bucket_arn
       },
       {
         Effect : "Allow"
@@ -33,7 +33,7 @@ module "lambda_role" {
           "s3:PutObject",
           "s3:DeleteObject"
         ]
-        Resource : "arn:${var.current.partition}:s3:::${var.terraform_state_bucket_name}/*"
+        Resource : "${local.terraform_state_bucket_arn}/*"
       },
       {
         Effect : "Allow"
diff --git a/modules/deployment-helper/locals.tf b/modules/deployment-helper/locals.tf
@@ -0,0 +1,13 @@
+locals {
+  bucket_prefix = "${lower(var.central_account_resource_name_prefix)}tf-state-"
+
+  terraform_state_bucket_name = (
+    var.terraform_state_bucket_name != "" ? var.terraform_state_bucket_name :
+    module.tf_state_bucket[0].s3_bucket_name
+  )
+
+  terraform_state_bucket_arn = (
+    var.terraform_state_bucket_name != "" ? "arn:${var.current.partition}:s3:::${var.terraform_state_bucket_name}" :
+    module.tf_state_bucket[0].s3_bucket_arn
+  )
+}
diff --git a/modules/deployment-helper/regional.tf b/modules/deployment-helper/regional.tf
@@ -9,5 +9,5 @@ module "deployment_helper_regional" {
   }
   lambda_function_name        = var.lambda_function_name
   lambda_role_arn             = module.lambda_role.role.arn
-  terraform_state_bucket_name = var.terraform_state_bucket_name
+  terraform_state_bucket_name = local.terraform_state_bucket_name
 }
diff --git a/modules/deployment-helper/s3.tf b/modules/deployment-helper/s3.tf
@@ -0,0 +1,6 @@
+module "tf_state_bucket" {
+  source = "../s3"
+  count  = var.terraform_state_bucket_name == "" ? 1 : 0
+
+  bucket_prefix = local.bucket_prefix
+}
diff --git a/modules/deployment-helper/variables.tf b/modules/deployment-helper/variables.tf
@@ -17,6 +17,11 @@ variable "lambda_function_name" {
   type        = string
 }
 
+variable "central_account_resource_name_prefix" {
+  type        = string
+  description = "Prefix to be used for resource names in the central account."
+}
+
 variable "member_account_deployment_helper_role_arn_patterns" {
   description = "The patterns to use to restrict role assumption to the member account Deployment Helper roles."
   type        = list(string)
diff --git a/modules/s3/main.tf b/modules/s3/main.tf
@@ -0,0 +1,73 @@
+resource "aws_s3_bucket" "bucket" {
+  bucket_prefix = var.bucket_prefix
+  force_destroy = var.force_destroy
+
+  tags = var.tags
+}
+
+resource "aws_s3_bucket_versioning" "bucket" {
+  bucket = aws_s3_bucket.bucket.id
+
+  versioning_configuration {
+    status = var.versioning
+  }
+}
+
+resource "aws_s3_bucket_logging" "bucket" {
+  count = var.log_bucket == "" ? 0 : 1
+
+  bucket = aws_s3_bucket.bucket.id
+
+  target_bucket = var.log_bucket
+  target_prefix = "${aws_s3_bucket.bucket.id}/"
+}
+
+resource "aws_s3_bucket_server_side_encryption_configuration" "kms" {
+  count = var.kms_key_arn != "" ? 1 : 0
+
+  bucket = aws_s3_bucket.bucket.id
+
+  rule {
+    apply_server_side_encryption_by_default {
+      kms_master_key_id = var.kms_key_arn
+      sse_algorithm     = "AES256"
+    }
+  }
+}
+
+resource "aws_s3_bucket_server_side_encryption_configuration" "s3" {
+  count = var.kms_key_arn == "" ? 1 : 0
+
+  bucket = aws_s3_bucket.bucket.id
+
+  rule {
+    apply_server_side_encryption_by_default {
+      sse_algorithm = "aws:kms"
+    }
+  }
+}
+
+resource "aws_s3_bucket_public_access_block" "bucket" {
+  bucket                  = aws_s3_bucket.bucket.id
+  block_public_acls       = var.block_public_acls
+  block_public_policy     = var.block_public_policy
+  ignore_public_acls      = var.ignore_public_acls
+  restrict_public_buckets = var.restrict_public_buckets
+  skip_destroy            = var.bpa_skip_destroy
+}
+
+resource "aws_s3_bucket_policy" "bucket" {
+  bucket = aws_s3_bucket.bucket.id
+  policy = templatefile("${path.module}/templates/secure-transport.json", {
+    bucket_name = aws_s3_bucket.bucket.id,
+  })
+  depends_on = [aws_s3_bucket_public_access_block.bucket]
+}
+
+resource "aws_s3_bucket_ownership_controls" "bucket" {
+  bucket = aws_s3_bucket.bucket.id
+
+  rule {
+    object_ownership = var.object_ownership
+  }
+}
diff --git a/modules/s3/outputs.tf b/modules/s3/outputs.tf
@@ -0,0 +1,14 @@
+output "s3_bucket_name" {
+  value = aws_s3_bucket.bucket.id
+}
+output "s3_bucket_arn" {
+  value = aws_s3_bucket.bucket.arn
+}
+
+output "s3_bucket_domain_name" {
+  value = aws_s3_bucket.bucket.bucket_domain_name
+}
+
+output "s3_bucket_regional_domain_name" {
+  value = aws_s3_bucket.bucket.bucket_regional_domain_name
+}
diff --git a/modules/s3/templates/secure-transport.json b/modules/s3/templates/secure-transport.json
@@ -0,0 +1,21 @@
+{
+  "Id": "secure-transport-${bucket_name}",
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Sid": "AllowSSLRequestsOnly",
+      "Action": "s3:*",
+      "Effect": "Deny",
+      "Resource": [
+        "arn:aws:s3:::${bucket_name}",
+        "arn:aws:s3:::${bucket_name}/*"
+      ],
+      "Condition": {
+        "Bool": {
+          "aws:SecureTransport": "false"
+        }
+      },
+      "Principal": "*"
+    }
+  ]
+}
diff --git a/modules/s3/variables.tf b/modules/s3/variables.tf
@@ -0,0 +1,81 @@
+variable "bucket_prefix" {
+  type        = string
+  description = "S3 Terraform state bucket name prefix, e.g. aws-backup-tf-state-"
+
+  validation {
+    condition     = length(var.bucket_prefix) <= 37
+    error_message = "bucket name prefix must be less than or equal to 37 characters"
+  }
+}
+
+variable "kms_key_arn" {
+  type        = string
+  description = "ARN of KMS key for S3 bucket encryption, if omitted, S3 managed key will be used"
+  default     = ""
+}
+
+variable "log_bucket" {
+  type        = string
+  description = "Enter name of log bucket to enable access logs"
+  default     = ""
+}
+
+variable "force_destroy" {
+  description = "destroy S3 bucket on Terraform destroy even with objects in bucket"
+  default     = true
+}
+
+variable "object_ownership" {
+  type        = string
+  description = "manage S3 bucket ownership controls"
+  default     = "BucketOwnerEnforced"
+  validation {
+    condition     = contains(["BucketOwnerPreferred", "ObjectWriter", "BucketOwnerEnforced"], var.object_ownership)
+    error_message = "object_ownership must be one of BucketOwnerPreferred, ObjectWriter, or BucketOwnerEnforced."
+  }
+}
+
+variable "block_public_acls" {
+  type        = bool
+  description = "Block public ACLs on the S3 bucket"
+  default     = true
+}
+
+variable "block_public_policy" {
+  type        = bool
+  description = "Block public bucket policies on the S3 bucket"
+  default     = true
+}
+
+variable "ignore_public_acls" {
+  type        = bool
+  description = "Ignore public ACLs on the S3 bucket"
+  default     = true
+}
+
+variable "restrict_public_buckets" {
+  type        = bool
+  description = "Restrict public bucket policies on the S3 bucket"
+  default     = true
+}
+
+variable "bpa_skip_destroy" {
+  type        = bool
+  description = "Skip destroy of S3 block public access configuration"
+  default     = true
+}
+
+variable "versioning" {
+  type        = string
+  description = "Enable versioning"
+  default     = "Enabled"
+  validation {
+    condition     = contains(["Enabled", "Suspended", "Disabled"], var.versioning)
+    error_message = "versioning must be one of Enabled, Suspended, or Disabled."
+  }
+}
+
+variable "tags" {
+  type    = map(string)
+  default = {}
+}
diff --git a/variables.tf b/variables.tf
@@ -46,5 +46,6 @@ variable "member_account_resource_name_prefix" {
 
 variable "terraform_state_bucket_name" {
   type        = string
-  description = "Name of the S3 bucket used for storing Terraform state files for custom Terraform deployments."
+  description = "Name of S3 bucket for custom Terraform deployments, if left at default, S3 bucket will be created"
+  default     = ""
 }

Original file line number	Diff line number	Diff line change
`@@ -20,6 +20,7 @@ module "deployment_helper" {`
`20`	`20`	`}`
`21`	`21`	`deployment_regions = local.deployment_regions`
`22`	`22`	`lambda_function_name = join("", [var.central_account_resource_name_prefix, "deployment-helper"])`
	`23`	`+ central_account_resource_name_prefix = var.central_account_resource_name_prefix`
`23`	`24`	`member_account_deployment_helper_role_arn_patterns = [for i in local.member_account_deployment_helper_role_names : join("", ["arn:", local.partition_id, ":iam::*:role/", i])]`
`24`	`25`	`terraform_state_bucket_name = var.terraform_state_bucket_name`
`25`	`26`	`}`
Original file line number	Diff line number	Diff line change
`@@ -24,7 +24,7 @@ module "lambda_role" {`
`24`	`24`	`"s3:GetBucketLocation",`
`25`	`25`	`"s3:ListBucket"`
`26`	`26`	`]`
`27`		`- Resource : "arn:${var.current.partition}:s3:::${var.terraform_state_bucket_name}"`
	`27`	`+ Resource : local.terraform_state_bucket_arn`
`28`	`28`	`},`
`29`	`29`	`{`
`30`	`30`	`Effect : "Allow"`
`@@ -33,7 +33,7 @@ module "lambda_role" {`
`33`	`33`	`"s3:PutObject",`
`34`	`34`	`"s3:DeleteObject"`
`35`	`35`	`]`
`36`		`- Resource : "arn:${var.current.partition}:s3:::${var.terraform_state_bucket_name}/*"`
	`36`	`+ Resource : "${local.terraform_state_bucket_arn}/*"`
`37`	`37`	`},`
`38`	`38`	`{`
`39`	`39`	`Effect : "Allow"`
Original file line number	Diff line number	Diff line change
`@@ -9,5 +9,5 @@ module "deployment_helper_regional" {`
`9`	`9`	`}`
`10`	`10`	`lambda_function_name = var.lambda_function_name`
`11`	`11`	`lambda_role_arn = module.lambda_role.role.arn`
`12`		`- terraform_state_bucket_name = var.terraform_state_bucket_name`
	`12`	`+ terraform_state_bucket_name = local.terraform_state_bucket_name`
`13`	`13`	`}`