Merge pull request #29063 from moskyb/s3-backend-kms-permissioning-note
Add a note to the docs on the S3 backend around permissions needed for encrypted state storage
commit daad109067
|
@ -18,7 +18,7 @@ the `dynamodb_table` field to an existing DynamoDB table name.
|
||||||
A single DynamoDB table can be used to lock multiple remote state files. Terraform generates key names that include the values of the `bucket` and `key` variables.
|
A single DynamoDB table can be used to lock multiple remote state files. Terraform generates key names that include the values of the `bucket` and `key` variables.
|
||||||
|
|
||||||
~> **Warning!** It is highly recommended that you enable
|
~> **Warning!** It is highly recommended that you enable
|
||||||
[Bucket Versioning](http://docs.aws.amazon.com/AmazonS3/latest/UG/enable-bucket-versioning.html)
|
[Bucket Versioning](https://docs.aws.amazon.com/AmazonS3/latest/userguide/manage-versioning-examples.html)
|
||||||
on the S3 bucket to allow for state recovery in the case of accidental deletions and human error.
|
on the S3 bucket to allow for state recovery in the case of accidental deletions and human error.
|
||||||
|
|
||||||
## Example Configuration
|
## Example Configuration
|
||||||
|
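Review bot: the link target is fine (https, current userguide path); the page it now points at is the one with the enable-versioning examples, which matches how the warning uses it, and the surrounding "~> **Warning!**" callout needs no further change in this hunk.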
@ -74,7 +74,7 @@ attached to users/groups/roles (like the example above) or resource policies
|
||||||
attached to bucket objects (which look similar but also require a `Principal` to
|
attached to bucket objects (which look similar but also require a `Principal` to
|
||||||
indicate which entity has those permissions). For more details, see Amazon's
|
indicate which entity has those permissions). For more details, see Amazon's
|
||||||
documentation about
|
documentation about
|
||||||
[S3 access control](https://docs.aws.amazon.com/AmazonS3/latest/dev/s3-access-control.html).
|
[S3 access control](https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-access-control.html).
|
||||||
|
|
||||||
### DynamoDB Table Permissions
|
### DynamoDB Table Permissions
|
||||||
|
|
||||||
|
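Review bot: the link fix is correct, but the unchanged sentence in this hunk, "resource policies attached to bucket objects", is imprecise: an S3 bucket policy is attached to the bucket, not to individual objects, even though its statements are scoped to object ARNs. Suggest "resource policies attached to the bucket (bucket policies), which look similar but also require a `Principal`". Since this PR adds KMS permissions further down, it would also help to say here that the same identity-policy versus resource-policy split applies to the KMS key: the `kms:*` actions can be granted in the caller's IAM policy or in the key's own policy.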
@ -187,12 +187,12 @@ The following configuration is required:
|
||||||
|
|
||||||
The following configuration is optional:
|
The following configuration is optional:
|
||||||
|
|
||||||
* `acl` - (Optional) [Canned ACL](https://docs.aws.amazon.com/AmazonS3/latest/dev/acl-overview.html#canned-acl) to be applied to the state file.
|
* `acl` - (Optional) [Canned ACL](https://docs.aws.amazon.com/AmazonS3/latest/userguide/acl-overview.html#canned-acl) to be applied to the state file.
|
||||||
* `encrypt` - (Optional) Enable [server side encryption](https://docs.aws.amazon.com/AmazonS3/latest/dev/UsingServerSideEncryption.html) of the state file.
|
* `encrypt` - (Optional) Enable [server side encryption](https://docs.aws.amazon.com/AmazonS3/latest/userguide/UsingServerSideEncryption.html) of the state file.
|
||||||
* `endpoint` - (Optional) Custom endpoint for the AWS S3 API. This can also be sourced from the `AWS_S3_ENDPOINT` environment variable.
|
* `endpoint` - (Optional) Custom endpoint for the AWS S3 API. This can also be sourced from the `AWS_S3_ENDPOINT` environment variable.
|
||||||
* `force_path_style` - (Optional) Enable path-style S3 URLs (`https://<HOST>/<BUCKET>` instead of `https://<BUCKET>.<HOST>`).
|
* `force_path_style` - (Optional) Enable path-style S3 URLs (`https://<HOST>/<BUCKET>` instead of `https://<BUCKET>.<HOST>`).
|
||||||
* `kms_key_id` - (Optional) Amazon Resource Name (ARN) of a Key Management Service (KMS) Key to use for encrypting the state.
|
* `kms_key_id` - (Optional) Amazon Resource Name (ARN) of a Key Management Service (KMS) Key to use for encrypting the state. Note that if this value is specified, Terraform will need `kms:Encrypt`, `kms:Decrypt` and `kms:GenerateDataKey` permissions on this KMS key.
|
||||||
* `sse_customer_key` - (Optional) The key to use for encrypting state with [Server-Side Encryption with Customer-Provided Keys (SSE-C)](https://docs.aws.amazon.com/AmazonS3/latest/dev/ServerSideEncryptionCustomerKeys.html). This is the base64-encoded value of the key, which must decode to 256 bits. This can also be sourced from the `AWS_SSE_CUSTOMER_KEY` environment variable, which is recommended due to the sensitivity of the value. Setting it inside a terraform file will cause it to be persisted to disk in `terraform.tfstate`.
|
* `sse_customer_key` - (Optional) The key to use for encrypting state with [Server-Side Encryption with Customer-Provided Keys (SSE-C)](https://docs.aws.amazon.com/AmazonS3/latest/userguide/ServerSideEncryptionCustomerKeys.html). This is the base64-encoded value of the key, which must decode to 256 bits. This can also be sourced from the `AWS_SSE_CUSTOMER_KEY` environment variable, which is recommended due to the sensitivity of the value. Setting it inside a terraform file will cause it to be persisted to disk in `terraform.tfstate`.
|
||||||
* `workspace_key_prefix` - (Optional) Prefix applied to the state path inside the bucket. This is only relevant when using a non-default workspace. Defaults to `env:`.
|
* `workspace_key_prefix` - (Optional) Prefix applied to the state path inside the bucket. This is only relevant when using a non-default workspace. Defaults to `env:`.
|
||||||
|
|
||||||
### DynamoDB State Locking
|
### DynamoDB State Locking
|
||||||
|
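Review bot: the new sentence on `kms_key_id` lists the KMS actions but not where they have to be granted; unlike the S3 actions covered by the example policy earlier in the page, these must be allowed by the key's policy (directly, or by the key policy delegating to IAM), so an identity-only policy like the S3 example is not always sufficient. Suggest appending "either in the key policy or in an IAM policy that the key policy delegates to" and a short statement example mirroring the S3 one, with `Resource` set to the key ARN. Please also confirm that `kms:Encrypt` is actually exercised: S3 performs SSE-KMS writes through `GenerateDataKey` and reads through `Decrypt`, so if `kms:Encrypt` is never called, documenting it as required leads readers to over-grant. Unrelated to this PR but in the same hunk: the `sse_customer_key` bullet says the key is persisted to `terraform.tfstate`; backend configuration is written to the local `.terraform/terraform.tfstate`, which is worth spelling out so readers know which file to protect.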
@ -246,7 +246,7 @@ Your administrative AWS account will contain at least the following items:
|
||||||
* Optionally, one or more [IAM groups](http://docs.aws.amazon.com/IAM/latest/UserGuide/id_groups.html)
|
* Optionally, one or more [IAM groups](http://docs.aws.amazon.com/IAM/latest/UserGuide/id_groups.html)
|
||||||
to differentiate between different groups of users that have different
|
to differentiate between different groups of users that have different
|
||||||
levels of access to the other AWS accounts.
|
levels of access to the other AWS accounts.
|
||||||
* An [S3 bucket](http://docs.aws.amazon.com/AmazonS3/latest/dev/UsingBucket.html)
|
* An [S3 bucket](https://docs.aws.amazon.com/AmazonS3/latest/userguide/UsingBucket.html)
|
||||||
that will contain the Terraform state files for each workspace.
|
that will contain the Terraform state files for each workspace.
|
||||||
* A [DynamoDB table](http://docs.aws.amazon.com/amazondynamodb/latest/developerguide/HowItWorks.CoreComponents.html#HowItWorks.CoreComponents.TablesItemsAttributes)
|
* A [DynamoDB table](http://docs.aws.amazon.com/amazondynamodb/latest/developerguide/HowItWorks.CoreComponents.html#HowItWorks.CoreComponents.TablesItemsAttributes)
|
||||||
that will be used for locking to prevent concurrent operations on a single
|
that will be used for locking to prevent concurrent operations on a single
|
||||||
|
|
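Review bot: the S3 bucket link is migrated to https and the userguide path, but the two neighbouring links in this hunk, IAM groups (`http://docs.aws.amazon.com/IAM/latest/UserGuide/id_groups.html`) and the DynamoDB table (`http://docs.aws.amazon.com/amazondynamodb/latest/developerguide/...`), are left on `http://`; since the point of these link edits is to reach the current docs over TLS, switch the scheme on those two in the same pass as well.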