init: copied modules from lawndale-infra

remote-state/bucket.tf

@@ -0,0 +1,55 @@
+resource "aws_kms_key" "this" {
+  description             = "Enryption key for S3 remote terraform state"
+  deletion_window_in_days = 30
+}
+
+data "aws_iam_policy_document" "force_secure_transport" {
+  statement {
+    sid     = "ForceSecureTransport"
+    actions = ["s3:*"]
+    effect  = "Deny"
+    resources = [
+      module.states_bucket.s3_bucket_arn,
+      "${module.states_bucket.s3_bucket_arn}/*"
+    ]
+    condition {
+      test     = "Bool"
+      variable = "aws:SecureTransport"
+      values   = ["false"]
+    }
+    principals {
+      type        = "*"
+      identifiers = ["*"]
+    }
+  }
+}
+
+module "states_bucket" {
+  source = "terraform-aws-modules/s3-bucket/aws"
+
+  bucket = local.bucket_name
+
+  versioning = {
+    enabled = true
+  }
+
+  server_side_encryption_configuration = {
+    rule = {
+      apply_server_side_encryption_by_default = {
+        kms_master_key_id = aws_kms_key.this.arn
+        sse_algorithm     = "aws:kms"
+      }
+    }
+  }
+
+  acl                     = "private"
+  block_public_acls       = true
+  block_public_policy     = true
+  ignore_public_acls      = true
+  restrict_public_buckets = true
+
+  attach_policy = true
+  policy        = data.aws_iam_policy_document.force_secure_transport.json
+
+  create_bucket = true
+}

remote-state/dynamo.tf

@@ -0,0 +1,23 @@
+locals {
+  dynamodb_lock_key_id = "LockID"
+}
+
+resource "aws_dynamodb_table" "lock" {
+  name     = local.table_name
+  hash_key = local.dynamodb_lock_key_id
+
+  billing_mode   = var.table_billing_mode
+  write_capacity = var.table_write_capacity
+  read_capacity  = var.table_read_capacity
+
+  attribute {
+    name = local.dynamodb_lock_key_id
+    type = "S"
+  }
+
+  server_side_encryption {
+    enabled     = var.table_encryption_at_rest
+    kms_key_arn = aws_kms_key.this.arn
+  }
+
+}

remote-state/locals.tf

@@ -0,0 +1,14 @@
+data "aws_region" "current" {}
+
+locals {
+  region_name = data.aws_region.current.name
+
+  default_bucket_name = try("${var.name_prefix}-${local.region_name}-states", "")
+  bucket_name         = var.bucket_name_override != null ? var.bucket_name_override : local.default_bucket_name
+
+  default_table_name = try("${var.name_prefix}-${local.region_name}-tf-state-locks", "")
+  table_name         = var.table_name_override != null ? var.table_name_override : local.default_table_name
+
+  default_terraform_iam_policy_name = "terraforming-${local.table_name}"
+  terraform_iam_policy_name         = local.default_terraform_iam_policy_name
+}

remote-state/outputs.tf

@@ -0,0 +1,19 @@
+output "kms_key" {
+  value = aws_kms_key.this
+}
+
+output "lock_table" {
+  value = aws_dynamodb_table.lock
+}
+
+output "terraform_policy" {
+  value = aws_iam_policy.terraform
+}
+
+output "bucket_name" {
+  value = local.bucket_name
+}
+
+output "lock_table_name" {
+  value = local.table_name
+}

remote-state/policy.tf

@@ -0,0 +1,48 @@
+data "aws_iam_policy_document" "access_state" {
+  statement {
+    effect    = "Allow"
+    actions   = ["s3:ListBucket", "s3:GetBucketVersioning"]
+    resources = [module.states_bucket.s3_bucket_arn]
+  }
+
+  statement {
+    effect    = "Allow"
+    actions   = ["s3:GetObject", "s3:PutObject"]
+    resources = ["${module.states_bucket.s3_bucket_arn}/*"]
+  }
+
+  statement {
+    effect = "Allow"
+    actions = [
+      "dynamodb:GetItem",
+      "dynamodb:PutItem",
+      "dynamodb:DeleteItem",
+      "dynamodb:DescribeTable",
+    ]
+    resources = [aws_dynamodb_table.lock.arn]
+  }
+
+  statement {
+    effect = "Allow"
+    actions = [
+      "kms:ListKeys"
+    ]
+    resources = ["*"]
+  }
+
+  statement {
+    effect = "Allow"
+    actions = [
+      "kms:Encrypt",
+      "kms:Decrypt",
+      "kms:DescribeKey",
+      "kms:GenerateDataKey",
+    ]
+    resources = [aws_kms_key.this.arn]
+  }
+}
+
+resource "aws_iam_policy" "terraform" {
+  name   = local.terraform_iam_policy_name
+  policy = data.aws_iam_policy_document.access_state.json
+}

remote-state/provider.tf

@@ -0,0 +1,8 @@
+terraform {
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = "~> 4.9"
+    }
+  }
+}

remote-state/variables.tf

@@ -0,0 +1,59 @@
+## Naming
+
+variable "name_prefix" {
+  description = "Resource names prefixed by this string."
+
+  type     = string
+  nullable = true
+  default  = null
+}
+
+## Bucket options
+
+variable "bucket_name_override" {
+  description = "Explicit name for the remote state bucket. If not specified, the bucket will be named as {name_prefix}-{region_name}-states"
+
+  type     = string
+  nullable = true
+  default  = null
+}
+
+
+## DynamoDB Table for locks
+
+variable "table_name_override" {
+  description = "Explicit name for the remote state lock DynamoDB table. If not specified, the table will be named as {name_prefix}-{region_name}-tf-state-locks"
+
+  type     = string
+  nullable = true
+  default  = null
+}
+
+
+variable "table_encryption_at_rest" {
+  description = "Wheather or not apply encryption at rest for the DynamoDB."
+
+  type    = bool
+  default = false
+}
+
+variable "table_billing_mode" {
+  description = "Table billing mode. Can be PAY_PER_REQUEST or PROVISIONED"
+  type        = string
+
+  default = "PAY_PER_REQUEST"
+}
+
+variable "table_write_capacity" {
+  description = "(Optional) The number of write units for the lock table. If the billing_mode is PROVISIONED, this field is required"
+  type        = number
+
+  default = 0
+}
+
+variable "table_read_capacity" {
+  description = "(Optional) The number of read units for this table. If the billing_mode is PROVISIONED, this field is required"
+  type        = number
+
+  default = 0
+}