
Terraform remote state for multi-account AWS: complete setup

Local state is a trap: two engineers run apply at the same time and the state diverges. Here is the complete remote state setup.

Architecture

S3 bucket (management account):
  project-alpha/prod/terraform.tfstate
  project-alpha/staging/terraform.tfstate
DynamoDB table: terraform-state-locks (LockID key)

Bootstrap (run once per management account)

```hcl
# Resolve the management account id so the bucket name is globally unique.
data "aws_caller_identity" "current" {}

resource "aws_s3_bucket" "state" {
  bucket = "my-org-terraform-state-${data.aws_caller_identity.current.account_id}"
}

# Versioning lets you roll back a corrupted or accidentally overwritten state file.
resource "aws_s3_bucket_versioning" "state" {
  bucket = aws_s3_bucket.state.id
  versioning_configuration {
    status = "Enabled"
  }
}

# State files contain secrets (outputs, provider data); encrypt them at rest.
resource "aws_s3_bucket_server_side_encryption_configuration" "state" {
  bucket = aws_s3_bucket.state.id
  rule {
    apply_server_side_encryption_by_default {
      sse_algorithm = "AES256"
    }
  }
}

# Never let the state bucket become publicly readable.
resource "aws_s3_bucket_public_access_block" "state" {
  bucket                  = aws_s3_bucket.state.id
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}
```
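The architecture above names the lock table and the per-environment state keys but the excerpt stops before the lock table and the backend block appear. The following is an added example, not code from the original post: it creates the DynamoDB table the S3 backend uses for locking and shows the backend configuration a workload account would use to reach the management-account bucket. The region, the `111111111111` account id and the `TerraformStateAccess` role are placeholders I assumed; the table name, `LockID` key, bucket name pattern and state key path come from the page.

```hcl
# Lock table. The S3 backend writes one item per state file with a
# LockID string key; a second apply against the same key fails to acquire
# the lock instead of silently racing the first. PAY_PER_REQUEST keeps the
# idle table cheap, and PITR protects against an accidental table deletion.
resource "aws_dynamodb_table" "state_locks" {
  name         = "terraform-state-locks"
  billing_mode = "PAY_PER_REQUEST"
  hash_key     = "LockID"

  attribute {
    name = "LockID"
    type = "S"
  }

  point_in_time_recovery {
    enabled = true
  }
}

# Per-environment backend block (placed in the prod workload's root module).
# Backend blocks cannot reference variables, so every value is a literal.
terraform {
  backend "s3" {
    bucket         = "my-org-terraform-state-111111111111" # placeholder account id
    key            = "project-alpha/prod/terraform.tfstate"
    region         = "us-east-1"                           # assumption
    dynamodb_table = "terraform-state-locks"
    encrypt        = true                                  # SSE on every PutObject

    # Cross-account access: the CI identity in the workload account assumes a
    # role in the management account that is scoped to this bucket prefix and
    # the lock table. Requires Terraform >= 1.6 for the assume_role block.
    assume_role {
      role_arn = "arn:aws:iam::111111111111:role/TerraformStateAccess" # placeholder
    }
  }
}
```

Order matters: the bootstrap module (bucket plus this lock table) is applied first with local state, and its own state is then moved into the bucket with `terraform init -migrate-state`. Scope the assumed role's policy to `s3:GetObject`/`s3:PutObject` on the environment's prefix and `dynamodb:GetItem`/`PutItem`/`DeleteItem` on the lock table, so a compromised staging pipeline cannot read or overwrite the prod state file.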