OpenTofu is a Terraform fork, created as an initiative of Gruntwork, Spacelift, Harness, Env0, Scalr, and others, in response to HashiCorp’s switch from an open-source license to the BUSL. This project provides the necessary scripts and AWS CloudFormation templates to set up a secure and robust Amazon S3 remote backend for OpenTofu.
- Prerequisites
- Setup
- Usage
- CloudFormation Stack Details
- Outputs
- Security
- Contributing
- License
- Contact
Before running the bootstrap script, ensure you have the following:
- AWS CLI installed and configured
- OpenTofu CLI installed
- Valid AWS credentials for an IAM role (see "Use an IAM role in the AWS CLI" in the AWS documentation) with at least the following permissions:

The minimum permissions required to execute the code:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AmazonS3",
      "Effect": "Allow",
      "Action": [
        "s3:PutEncryptionConfiguration",
        "s3:PutBucketLogging",
        "s3:PutLifecycleConfiguration",
        "s3:PutBucketPolicy",
        "s3:ListBucket",
        "s3:PutBucketVersioning",
        "s3:CreateBucket",
        "s3:GetBucketLogging",
        "s3:GetBucketPolicy",
        "s3:GetBucketPolicyStatus",
        "s3:GetBucketTagging",
        "s3:GetBucketVersioning",
        "s3:ListAllMyBuckets",
        "s3:GetBucketLocation",
        "s3:GetBucketOwnershipControls",
        "s3:GetBucketPublicAccessBlock",
        "s3:GetLifecycleConfiguration",
        "s3:GetEncryptionConfiguration",
        "s3:ListTagsForResource",
        "s3:TagResource",
        "s3:GetIntelligentTieringConfiguration",
        "s3:UntagResource",
        "s3:GetBucketAcl",
        "s3:ListAccessPoints",
        "s3:GetAccountPublicAccessBlock",
        "s3:PutBucketPublicAccessBlock"
      ],
      "Resource": "arn:aws:s3:::*"
    },
    {
      "Sid": "S3Object",
      "Effect": "Allow",
      "Action": [
        "s3:PutObject",
        "s3:GetObject"
      ],
      "Resource": "arn:aws:s3:::*/*"
    },
    {
      "Sid": "DynamoDB",
      "Effect": "Allow",
      "Action": [
        "dynamodb:GetItem",
        "dynamodb:Query",
        "dynamodb:DescribeTable",
        "dynamodb:ListTables",
        "dynamodb:CreateTable",
        "dynamodb:PutItem",
        "dynamodb:TagResource",
        "dynamodb:UntagResource",
        "dynamodb:UpdateContinuousBackups",
        "dynamodb:DescribeContinuousBackups",
        "dynamodb:UpdateItem",
        "dynamodb:DeleteItem"
      ],
      "Resource": [
        "*"
      ]
    },
    {
      "Sid": "KMS",
      "Effect": "Allow",
      "Action": [
        "kms:CreateKey",
        "kms:CreateAlias",
        "kms:PutKeyPolicy",
        "kms:ListAliases",
        "kms:ListKeys",
        "kms:TagResource",
        "kms:UntagResource",
        "kms:DescribeKey",
        "kms:ListGrants",
        "kms:Encrypt",
        "kms:ListKeyPolicies",
        "kms:GetKeyPolicy",
        "kms:EnableKey",
        "kms:CreateGrant",
        "kms:Decrypt",
        "kms:GenerateDataKey"
      ],
      "Resource": [
        "*"
      ]
    },
    {
      "Sid": "CloudFormation",
      "Effect": "Allow",
      "Action": [
        "cloudformation:DescribeStacks",
        "cloudformation:ListStacks",
        "cloudformation:CreateChangeSet",
        "cloudformation:CreateStack",
        "cloudformation:TagResource",
        "cloudformation:UntagResource",
        "cloudformation:DescribeStackEvents",
        "cloudformation:DescribeChangeSet",
        "cloudformation:ExecuteChangeSet",
        "cloudformation:GetTemplateSummary"
      ],
      "Resource": [
        "*"
      ]
    }
  ]
}
```

## Setup

Clone the repository and navigate to the bootstrap directory:

```bash
git clone https://github.com/aws-samples/bootstrap-amazon-s3-remote-backend-for-open-tofu.git
```

## Usage

The bootstrap.sh script initializes and applies the OpenTofu backend infrastructure.

To deploy the backend infrastructure, run the following command. The region argument is optional and defaults to eu-central-1:

```bash
bash bootstrap/bootstrap.sh <aws-region>
```

This script performs the following actions:
- Deploys the bootstrap.yaml CloudFormation template.
- Retrieves and prints out the S3 bucket and DynamoDB table names.
- Initializes and applies OpenTofu backend configuration.
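An added example (not part of the project's bootstrap.sh) showing the step the script automates once the stack is up: read the stack outputs and write the `backend "s3"` block that points OpenTofu at the state bucket, lock table and KMS key. The output key names `StateBucketName`, `LockTableName` and `StateKmsKeyArn` are assumed, not the template's own, and the describe-stacks response is constructed.

```python
"""Render an OpenTofu S3 backend block from CloudFormation stack outputs.
Added example; output key names are assumed and the response is constructed
to match the shape of `aws cloudformation describe-stacks`.
"""
import json

# Constructed sample response (assumed output keys, example account id).
SAMPLE_DESCRIBE_STACKS = json.dumps({
    "Stacks": [{
        "StackName": "opentofu-backend",
        "StackStatus": "CREATE_COMPLETE",
        "Outputs": [
            {"OutputKey": "StateBucketName", "OutputValue": "example-tofu-state-123456789012"},
            {"OutputKey": "LockTableName", "OutputValue": "example-tofu-locks"},
            {"OutputKey": "StateKmsKeyArn",
             "OutputValue": "arn:aws:kms:eu-central-1:123456789012:key/EXAMPLE-KEY-ID"},
        ],
    }]
})

def stack_outputs(describe_json: str) -> dict:
    """Flatten the first stack's Outputs into a key -> value dict; refuse a failed stack."""
    stack = json.loads(describe_json)["Stacks"][0]
    if stack["StackStatus"] not in ("CREATE_COMPLETE", "UPDATE_COMPLETE"):
        raise RuntimeError(f"stack not ready: {stack['StackStatus']}")
    return {o["OutputKey"]: o["OutputValue"] for o in stack.get("Outputs", [])}

def render_backend(outputs: dict, region: str, key: str = "global/terraform.tfstate") -> str:
    """Build the backend block; encryption and the lock table are always set."""
    bucket, table = outputs["StateBucketName"], outputs["LockTableName"]
    lines = [
        'terraform {',
        '  backend "s3" {',
        f'    bucket         = "{bucket}"',
        f'    key            = "{key}"',
        f'    region         = "{region}"',
        f'    dynamodb_table = "{table}"',
        '    encrypt        = true',
    ]
    if "StateKmsKeyArn" in outputs:  # pin server-side encryption to the stack's key
        lines.append(f'    kms_key_id     = "{outputs["StateKmsKeyArn"]}"')
    lines += ['  }', '}', '']
    return "\n".join(lines)

if __name__ == "__main__":
    print(render_backend(stack_outputs(SAMPLE_DESCRIBE_STACKS), "eu-central-1"))
```

Write the rendered block to a `backend.tf` in your OpenTofu project and run `tofu init` to migrate state into the bucket.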
## CloudFormation Stack Details

- bootstrap.sh: Shell script to orchestrate the bootstrap process.
- bootstrap.yaml: CloudFormation template that defines the required AWS resources.

The bootstrap.yaml template will create:
- Two Amazon S3 Buckets:
- one for OpenTofu state remote storage, and
- one for access logs.
- One Amazon KMS Key for S3 bucket encryption.
- One Amazon DynamoDB Table for state locking.
Resources come with retain policies to prevent accidental deletion.
The intended workflow is:

- The user assumes an Amazon IAM role with the permissions listed above.
- The user deploys the OpenTofu Amazon S3 remote backend using the assumed Amazon IAM role.
- The user deploys infrastructure using OpenTofu, which stores the remote state on Amazon S3.
## Outputs

After running, the script prints the names of:
- The Amazon S3 bucket for the OpenTofu backend.
- The AWS DynamoDB table for the OpenTofu backend.
## Security

The CloudFormation template is designed with security in mind:
- Encryption is enforced on the Amazon S3 bucket using an Amazon KMS Key.
- Public access is blocked for all Amazon S3 buckets.
- Deletion policies are set to retain to prevent data loss.
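An added example, not from the project, that turns these properties into a check you can run against the deployed state bucket after bootstrap. The response dicts are constructed in the shape boto3's `get_bucket_encryption`, `get_public_access_block` and `get_bucket_versioning` return, so it runs offline; versioning is included on the assumption that the template enables it (the permission list above asks for `s3:PutBucketVersioning`).

```python
"""Posture check for the OpenTofu state bucket: SSE-KMS default encryption,
all four public access block flags on, versioning enabled.
Added example; responses below are constructed in boto3's shape.
"""

PAB_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")

def bucket_findings(encryption: dict, pab: dict, versioning: dict) -> list:
    """Return human-readable findings; an empty list means the bucket is compliant."""
    findings = []
    rules = encryption.get("ServerSideEncryptionConfiguration", {}).get("Rules", [])
    algos = [r.get("ApplyServerSideEncryptionByDefault", {}).get("SSEAlgorithm") for r in rules]
    if "aws:kms" not in algos:
        findings.append("default encryption is not SSE-KMS")
    cfg = pab.get("PublicAccessBlockConfiguration", {})
    for flag in PAB_FLAGS:
        if not cfg.get(flag):
            findings.append(f"public access block flag {flag} is off")
    # A never-versioned bucket returns no Status key at all, so .get() is deliberate.
    if versioning.get("Status") != "Enabled":
        findings.append("versioning is not enabled (no state history to roll back to)")
    return findings

# Constructed responses for a bucket as the bootstrap stack should leave it.
GOOD_ENC = {"ServerSideEncryptionConfiguration": {"Rules": [
    {"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms",
        "KMSMasterKeyID": "arn:aws:kms:eu-central-1:123456789012:key/EXAMPLE-KEY-ID"},
     "BucketKeyEnabled": True}]}}
GOOD_PAB = {"PublicAccessBlockConfiguration": {f: True for f in PAB_FLAGS}}
GOOD_VER = {"Status": "Enabled", "MFADelete": "Disabled"}

# Constructed drifted bucket: SSE-S3 instead of KMS, one flag off, versioning suspended.
DRIFT_ENC = {"ServerSideEncryptionConfiguration": {"Rules": [
    {"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}]}}
DRIFT_PAB = {"PublicAccessBlockConfiguration": {"BlockPublicAcls": True, "IgnorePublicAcls": True,
             "BlockPublicPolicy": False, "RestrictPublicBuckets": True}}
DRIFT_VER = {"Status": "Suspended"}

if __name__ == "__main__":
    for name, args in (("good", (GOOD_ENC, GOOD_PAB, GOOD_VER)),
                       ("drift", (DRIFT_ENC, DRIFT_PAB, DRIFT_VER))):
        print(name, bucket_findings(*args) or "compliant")
```

To audit a live bucket, replace the constructed dicts with the results of the three boto3 calls named in the lead-in for the bucket name the script printed.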
## License

This project is licensed under the MIT License - see the LICENSE file for details.
This project uses OpenTofu as a key dependency. OpenTofu is an open-source software project licensed under the Mozilla Public License 2.0 (MPL-2.0).
- License: Mozilla Public License 2.0 (MPL-2.0)
- OpenTofu Project Link: https://github.com/opentofu/opentofu
- MPL-2.0 License Details: Mozilla Public License v2.0
We adhere to the terms and conditions of the MPL-2.0 license for the OpenTofu component within our project. Please refer to the provided links for more information on OpenTofu and its license.
