
Context

After reading a lot about Terraform and playing with it in minor projects, I'd like to start using it in a real, production environment.

As the environment is mostly in AWS, I'd go for the S3 backend, but I'm open to change this.

Task

I'd like to have separate Terraform projects (states) per infrastructure layer. Clearly, the top layers should be able to access the output of lower layers. I can use the Terraform remote state data source to get this data.

I've seen different setups around the internet.

Setup #1

|-globals
|-modules
|-infrastructure1
| |-layer1
| | |-layer2

Setup #2

|-globals
|-modules
|-infrastructure1
| |-layer1
| |-layer2

Setup #3

Everything above has its separate git repo.

Question

  • What would be the recommended code organisation for this?
  • What access rights do I have to add to the lower layers' S3 buckets to keep their state safe, but still allow Terraform remote state to access it?
Akasha
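The layering the question describes, as an added example that is not part of the original post: the lower layer (layer1) stores its state in the S3 backend and exposes only what upper layers need as outputs; the upper layer (layer2) reads those outputs through the terraform_remote_state data source. Bucket, key, lock-table and region names, and the VPC/subnet resources, are assumptions; the `outputs.` attribute syntax is Terraform 0.12+.

```hcl
# --- infrastructure1/layer1/main.tf (lower layer) ---
# Assumed names: bucket "example-tfstate", lock table "example-tfstate-lock",
# region "eu-west-1". Replace them with your own.
terraform {
  backend "s3" {
    bucket         = "example-tfstate"
    key            = "infrastructure1/layer1/terraform.tfstate"
    region         = "eu-west-1"
    encrypt        = true                   # server-side encryption of the state object
    dynamodb_table = "example-tfstate-lock" # state locking, prevents concurrent applies
  }
}

provider "aws" {
  region = "eu-west-1"
}

resource "aws_vpc" "main" {
  cidr_block = "10.0.0.0/16"
}

# Expose only the values the upper layer needs. Anyone who can read this
# state file sees the whole file, not just the outputs, so keep secrets out
# of lower-layer state wherever possible.
output "vpc_id" {
  value = aws_vpc.main.id
}

# --- infrastructure1/layer2/main.tf (upper layer, separate state) ---
provider "aws" {
  region = "eu-west-1"
}

# Read-only view of layer1's state. The principal running layer2 only needs
# s3:GetObject on this one key (plus s3:ListBucket on the bucket).
data "terraform_remote_state" "layer1" {
  backend = "s3"
  config = {
    bucket = "example-tfstate"
    key    = "infrastructure1/layer1/terraform.tfstate"
    region = "eu-west-1"
  }
}

resource "aws_subnet" "app" {
  vpc_id     = data.terraform_remote_state.layer1.outputs.vpc_id
  cidr_block = "10.0.1.0/24"
}
```

Each layer directory is run with its own `terraform init` / `terraform apply`; layer2 never writes to layer1's key, it only fetches the state object to read the outputs, which is what lets the access policy for upper layers be read-only.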

1 Answer

>What would be the recommended code organisation for this?

First let me just say that there is no common rule; it is dependent on your needs. However, I would suggest against using a separate git repo for each and every module, since this will lead to great amounts of duplication and will have no intrinsic value.

The 2nd setup that you specified seems to be used in most places I've worked and is also common in many repos.

Here is a sample from the Gruntwork blog that utilizes a similar organization. https://www.gruntwork.io/infrastructure-as-code-library/v0.17.1/module-ecs

Here is a sample from a quite well known repo in github https://github.com/airbnb/streamalert/tree/master/terraform

>What access rights do I have to add to the lower layers' S3 buckets to keep their state safe, but still allow Terraform remote state to access it?

I do not really understand in what sense you want to keep their state "safe". But since you are mentioning access rights for the S3 bucket, I will advise, as Amazon does, to actually enable versioning and MFA delete.

The following link includes all the best practices by Amazon to accomplish S3 bucket security. https://docs.aws.amazon.com/AmazonS3/latest/dev/s3-access-control.html

This link is the how-to guide on S3 bucket permissions: https://docs.aws.amazon.com/AmazonS3/latest/dev/example-walkthroughs-managing-access-example1.html

If you want, you can also utilize signed URLs for your backend, although I reckon that this is not the way to work with Terraform.

Peter Es
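The bucket hardening the answer recommends (versioning, MFA delete) together with least-privilege access for the layered setup, as an added example that is not the answer's code: the state bucket gets versioning, default encryption and a public access block, the lower layer's deployer gets read/write on its own key and the lock table, and the upper layer's deployer gets read-only access to the lower layer's state object, which is all terraform_remote_state needs. Bucket, table and role names are assumptions; the resource types are from AWS provider v4+.

```hcl
# Added example. Assumed names: bucket "example-tfstate", lock table
# "example-tfstate-lock", IAM roles "layer1-deployer" and "layer2-deployer".
resource "aws_s3_bucket" "tfstate" {
  bucket = "example-tfstate"
}

# Versioning keeps every prior state, so a bad apply or a corrupted write can
# be rolled back. MFA delete must be enabled out of band with root credentials
# (aws s3api put-bucket-versioning --mfa ...), so it is not set here.
resource "aws_s3_bucket_versioning" "tfstate" {
  bucket = aws_s3_bucket.tfstate.id
  versioning_configuration {
    status = "Enabled"
  }
}

resource "aws_s3_bucket_server_side_encryption_configuration" "tfstate" {
  bucket = aws_s3_bucket.tfstate.id
  rule {
    apply_server_side_encryption_by_default {
      sse_algorithm = "AES256"
    }
  }
}

# State files routinely contain credentials and internal addresses; never
# let the bucket become public through an ACL or policy mistake.
resource "aws_s3_bucket_public_access_block" "tfstate" {
  bucket                  = aws_s3_bucket.tfstate.id
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}

resource "aws_dynamodb_table" "lock" {
  name         = "example-tfstate-lock"
  billing_mode = "PAY_PER_REQUEST"
  hash_key     = "LockID"
  attribute {
    name = "LockID"
    type = "S"
  }
}

# layer1's deployer: read/write on its own prefix only, plus the lock table.
data "aws_iam_policy_document" "layer1_rw" {
  statement {
    actions   = ["s3:ListBucket"]
    resources = [aws_s3_bucket.tfstate.arn]
  }
  statement {
    actions   = ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"]
    resources = ["${aws_s3_bucket.tfstate.arn}/infrastructure1/layer1/*"]
  }
  statement {
    actions   = ["dynamodb:GetItem", "dynamodb:PutItem", "dynamodb:DeleteItem"]
    resources = [aws_dynamodb_table.lock.arn]
  }
}

# layer2's deployer: read-only on layer1's state object. No PutObject or
# DeleteObject on layer1's key, so layer2 cannot alter or wipe lower state.
# (Its rights on its own layer2 prefix would be a separate statement.)
data "aws_iam_policy_document" "layer2_read_layer1" {
  statement {
    actions   = ["s3:ListBucket"]
    resources = [aws_s3_bucket.tfstate.arn]
  }
  statement {
    actions   = ["s3:GetObject"]
    resources = ["${aws_s3_bucket.tfstate.arn}/infrastructure1/layer1/terraform.tfstate"]
  }
}

resource "aws_iam_role_policy" "layer1_rw" {
  name   = "tfstate-layer1-rw"
  role   = "layer1-deployer"
  policy = data.aws_iam_policy_document.layer1_rw.json
}

resource "aws_iam_role_policy" "layer2_read_layer1" {
  name   = "tfstate-layer2-read-layer1"
  role   = "layer2-deployer"
  policy = data.aws_iam_policy_document.layer2_read_layer1.json
}
```

One caveat worth keeping in mind: since Terraform 0.12 the data source exposes only the lower layer's outputs, but it still downloads the whole state object, so a principal with s3:GetObject on that key can read every attribute in the file. Keeping secrets out of lower-layer state, and enabling S3 access logging or CloudTrail data events on the bucket so reads of state objects are visible, covers the "keep it safe" part beyond the IAM policy alone.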