This repository was archived by the owner on Feb 5, 2024. It is now read-only.
This repository was archived by the owner on Feb 5, 2024. It is now read-only.
Lock down Terraform State #67
Description
In spirit of terraform-aws-serverless where you guys lock everything down as much as possible, how about changing aws/bootstrap.yml to incorporate the limited restrictions needed for terraform:
https://www.terraform.io/docs/backends/types/s3.html
S3 Bucket Permissions
Terraform will need the following AWS IAM permissions on
the target backend bucket:
s3:ListBucketonarn:aws:s3:::mybuckets3:GetObjectonarn:aws:s3:::mybucket/path/to/my/keys3:PutObjectonarn:aws:s3:::mybucket/path/to/my/key
This is seen in the following AWS IAM Statement:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "s3:ListBucket",
"Resource": "arn:aws:s3:::mybucket"
},
{
"Effect": "Allow",
"Action": ["s3:GetObject", "s3:PutObject"],
"Resource": "arn:aws:s3:::mybucket/path/to/my/key"
}
]
}DynamoDB Table Permissions
If you are using state locking, Terraform will need the following AWS IAM
permissions on the DynamoDB table (arn:aws:dynamodb:::table/mytable):
dynamodb:GetItemdynamodb:PutItemdynamodb:DeleteItem
This is seen in the following AWS IAM Statement:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"dynamodb:GetItem",
"dynamodb:PutItem",
"dynamodb:DeleteItem"
],
"Resource": "arn:aws:dynamodb:*:*:table/mytable"
}
]
}Reactions are currently unavailable